Xiaomi R4A Gigabit International CFeon Chip - Can't unbrick 2nd time

I have a new Xiaomi 4A Gigabit Edition, international version. I tried to flash OpenWrt using the OpenWRTInvasion method, twice.

Both times I bricked the device, and the first time I was able to recover it using the TinyPXE method and global firmware 3.0.24.

The second time I used the firmware listed on the OpenWrt Wiki - openwrt-22.03.0-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin.

Also bricked, boot loop.

However, when unbricking the second time with the same method and same firmware that worked before, the device goes from the failsafe orange flash to the fast purple flash which I believe indicates incompatible software.

I also tried using the MiWifiRepairTool.x86 with the Chinese and global firmwares, same result as the TinyPXE method.

I've since opened up the router and found the CFeon chip OX128A-104HIP :roll_eyes: , so I know OpenWrt won't work with this chip unpatched. Yeah I know - should have done that first :face_with_head_bandage:

Any ideas as to what else I can try to unbrick?

I read through Xiaomi R4A (v3.0.27) cannot debrick? - For Developers - OpenWrt Forum and have more or less the same problem.

I suspect the newer OpenWrt images destroy the partitioning, and the Xiaomi bootloader stores some values there. Seems the defaults are not enough to recover the device if bricked.

I'll try to fashion a serial connection to this device and see what the output is...

The new flash chip is the EN25QX128A; the current official OpenWrt fw does not support it yet.
If you can still debrick the device, there are 2 solutions:

  1. install my build for the chip.
  2. patch the SPI flash driver and build the fw by yourself.

@RadioOperator thanks for the tips. Also, your posts in other threads on this topic have been very helpful :+1:

Unfortunately - the problem at the moment is the unbricking. I can get the device into recovery mode and have a dnsmasq process with tftp/bootp enabled on a linux laptop to serve the firmware.

However, the device no longer accepts any firmware, even the version that previously worked. I'm guessing the bootloader used a partition on the chip to store some values and that last version destroyed that space.

I'm arranging a uart interface to the header on the router board, will hopefully know more if I can get it right...

Understood. If none of the methods succeed, the last chance is flashing the chip with SPI programmer tools.

Your bootloader is still there, please try to back it up, maybe using the bootloader CLI in:

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   9: Load Boot Loader code then write to Flash via TFTP. 

Please try [2] above to load my code first to see what happens.

Tried your code with dnsmasq-dhcp/tftp and router in recovery mode, no change - not accepted by the router.

I'll try to get into the bootloader CLI sometime this weekend.

I used to have a usb/uart adapter years ago. It seems it has gone for a walk in the meantime, so I'm going to make one with an arduino that I have here. Once that is done I should be able to get into the bootloader.

@RadioOperator thanks again for your help so far :smile:

What was the factory fw version number on your original R4A?

I've checked: both the v3.0.24 and v2.28.69 factory fw do not have the p/n EN25QX128A in the SPI flash chip list. That means they do not work on the device with the new flash.

The original firmware was v3.0.31. I can't find this software available anywhere.

However: when I tried to flash OpenWrt the first time (before I understood the chip difference), I bricked the device. That time, I was able to unbrick using v3.0.24. The router worked perfectly again.

Now, I have bricked the device again after trying another (latest) version of OpenWrt. But this time, v3.0.24 doesn't work to unbrick it - same method and fw version as before :person_shrugging:

If you know how I can find the factory fw v3.0.31...?

I do not know how to find fw 3.0.31.

Hi, your current status: the bootloader is original, and you do not have a factory fw which works on the EN25QX128A chip.

Flashing OpenWrt (my code) from the original bootloader does not work, because the OpenWrt code cannot pass the fw verification.

To debrick it to factory fw, you have to find v3.0.31 or later. I still cannot find it on Google. If you succeed in debricking it to factory fw, then you could use OpenWRTInvasion to install OpenWrt.

To install OpenWrt via the bootloader, you have to reflash a new bootloader (via the original bootloader CLI if possible, dangerous!!!) which supports OpenWrt upgrade and the new chip. Then install OpenWrt with the new bootloader. If you have SPI programmer tools, please back up your flash chip first, then flash the new bootloader with the tools.

If you have a programmer, a solution would be to replace the flash memory with another one compatible with U-Boot.

https://4pda.to/forum/index.php?showtopic=988197&st=10060

I don't have a programmer (yet).

However, I did manage to fashion a usb to uart adapter out of an arduino leonardo and was able to connect to the uart header on the board and see the output. The last openwrt image did flash correctly but is incompatible with this CFeon chip....old news for everyone :stuck_out_tongue:

I'm going to try and restore the factory firmware that worked before using the failsafe recovery method, just to see if there is any output that might provide a clue as to why it is rejected now.

After that, I'll try to flash @RadioOperator 's image via TFTP.

Well, got the output of the recovery mode. For basically any image (even the stock 3.0.24 image that worked the first time), all proceeds normally until the flash write begins, and then we get:

Abort: image size larger than 1769472!

Flash write failed!
========Upgrade fail!========

Not sure what changed when attempting the openwrt flash on this device, but it now seems to think it can only handle an image of 1.7Mb...!

I tried to flash @RadioOperator's image from the bootloader prompt, but I couldn't get my arduino to TX. Probably because the arduino outputs 5v and not 3.3v

Decided to get a 3.3v usb-ttl adapter, will try with that..

Check the bootloader UART log at power-on. It seems it does not get the chip ID.

Any OpenWrt image (including mine) cannot be flashed into the chip, because the bootloader will reject it; only factory fw can pass.

Ordered a proper USB/TTL adapter, should be here in a couple of days.

Meanwhile, as @RadioOperator says, the bootloader log does not get the chip ID:

...
flash manufacture id: 1c, device id 71 18
Warning: un-recognized chip ID, please update bootloader!
============================================ 
Ralink UBoot Version: 5.0.0.0
-------------------------------------------- 
...

Could I then reflash the bootloader (risky, I know) with an alternate software like breed?
From what I read here, this should be possible. There are options to do it in the U-boot CLI list (7 & 9):

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 

I also read elsewhere (can't find the link now) that the Xiaomi flash partitions include a partition reserved for uboot env variables, that gets wiped out when loading the newer OpenWRT versions...will try to find the link that describes that behaviour. That could explain why I was able to unbrick the first time, but the second time it won't work because it is using default variables, such as rejecting firmware larger than 1.7MB...!

Wonder if there is a tiny 1.7MB generic firmware that includes a tftp client :stuck_out_tongue:

This means your bootloader does not know your chip is EN25QX128A - 16MB, so it cannot calculate the total size of the flash, so the bootloader takes the minimum (maybe 4MB), and then requires that the uploaded fw not be larger than 1.7MB.

Did you flash the bootloader with others? I think the factory bootloader does not like that.

My 4AG bootloader log:

***************************
Board power on Occurred
***************************
flash manufacture id: c8, device id 40 18
find flash: GD25Q128C
============================================ 
Ralink UBoot Version: 5.0.0.0
-------------------------------------------- 
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection 

Your current status is that your 4AG has got a wrong bootloader! You have to solve this first.

About the Breed bootloader, I do not know it well, maybe it works, please check it carefully.

Anyway, if you totally bricked your 4AG and the bootloader also does not work, you have to buy an SPI programmer to recover it.

If you want to go fully back to the factory fw, you have to get:

  1. factory fw 3.0.31, maybe newer. Currently we cannot find it.
  2. factory bootloader for the EN25QX128A chip, maybe someone could dump a copy for you.

If you want to use OpenWrt on it, there is no need to care about the factory fw:

  1. flash a bootloader which can work for the chip using the current bootloader (select [9]).
  2. flash my openwrt build by the new bootloader.

I have built a 4AG bootloader for my personal use, and also added EN25QX128A support, but I do not have the device for testing; it works on my 4AG. But I'm not sure if it would be OK for your 4AG; if it does not work, you have a big risk. The original source code is from:
https://github.com/shibajee/u-boot_mod
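
The two boot logs quoted in this thread differ in one decisive line. As an added example (not code from any poster or from the bootloader project), this Python script parses a captured UART boot log and reports whether the bootloader recognized the flash chip and what image-size cap it printed. The sample logs are constructed from lines quoted above; the function names and the 8 MiB image size used when calling it are assumptions, and reading the last ID byte as log2 of the capacity is a common JEDEC convention that matches both chips here, not something the thread states.

```python
import re

# Constructed sample logs, assembled from lines quoted in this thread.
LOG_EN25QX128A = """\
flash manufacture id: 1c, device id 71 18
Warning: un-recognized chip ID, please update bootloader!
Abort: image size larger than 1769472!
Flash write failed!
"""
LOG_GD25Q128C = """\
flash manufacture id: c8, device id 40 18
find flash: GD25Q128C
"""

ID_RE = re.compile(r"flash manufacture id:\s*([0-9a-f]{2}),\s*device id\s+"
                   r"([0-9a-f]{2})\s+([0-9a-f]{2})", re.I)
FOUND_RE = re.compile(r"find flash:\s*(\S+)")
LIMIT_RE = re.compile(r"image size larger than (\d+)")

def parse_boot_log(text):
    """Extract flash ID, recognition status and image-size cap from a log."""
    info = {"jedec_id": None, "chip": None, "recognized": None,
            "size_hint": None, "image_limit": None}
    for line in text.splitlines():
        if m := ID_RE.search(line):
            mfr, mem_type, cap = (int(x, 16) for x in m.groups())
            info["jedec_id"] = (mfr, mem_type, cap)
            # Assumption: last ID byte is log2(capacity in bytes).
            info["size_hint"] = 1 << cap if 0x10 <= cap <= 0x20 else None
        elif m := FOUND_RE.search(line):
            info["chip"], info["recognized"] = m.group(1), True
        elif "un-recognized chip ID" in line:
            info["recognized"] = False
        elif m := LIMIT_RE.search(line):
            info["image_limit"] = int(m.group(1))
    return info

def preflight(log_text, image_size):
    """Return (ok, reasons); ok is False when the log shows a problem."""
    info = parse_boot_log(log_text)
    reasons = []
    if info["jedec_id"] is None:
        reasons.append("no flash ID line in log")
    if info["recognized"] is not True:
        reasons.append("bootloader did not recognize the flash chip")
    limit = info["image_limit"]
    if limit is not None and image_size > limit:
        reasons.append(f"image of {image_size} B exceeds cap of {limit} B")
    return (not reasons, reasons)
```
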

Definitely want to use openwrt on it...the factory firmware is practically useless for my needs. So, as soon as my usb-ttl adapter arrives, I'll try loading a new bootloader and your openwrt build.

I'm also probably going to buy a Programmer at some point so if this goes bad I'll use it to learn how to use the programmer :stuck_out_tongue:

@RadioOperator thanks for your awesome help mate, I appreciate it :+1: