However, when unbricking the second time with the same method and same firmware that worked before, the device goes from the failsafe orange flash to the fast purple flash which I believe indicates incompatible software.
I also tried using the MiWifiRepairTool.x86 with the Chinese and global firmwares, same result as the TinyPXE method.
I've since opened up the router and found the CFeon chip OX128A-104HIP, so I know OpenWrt won't work with this chip unpatched. Yeah I know - should have done that first.
I suspect the newer OpenWrt images destroy the partitioning, and the Xiaomi bootloader stores some values there. It seems the defaults are not enough to recover the device if bricked.
I'll try to fashion a serial connection to this device and see what the output is...
@RadioOperator thanks for the tips. Also, your posts in other threads on this topic have been very helpful
Unfortunately - the problem at the moment is the unbricking. I can get the device into recovery mode and have a dnsmasq process with tftp/bootp enabled on a Linux laptop to serve the firmware.
However, the device no longer accepts any firmware, even the version that previously worked. I'm guessing the bootloader used a partition on the chip to store some values and that last version destroyed that space.
I'm arranging a uart interface to the header on the router board, will hopefully know more if I can get it right...
Your bootloader is still there; please try to back it up, maybe using the bootloader CLI in:
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
9: Load Boot Loader code then write to Flash via TFTP.
Please try [2] above to load my code first, to see what happens.
Tried your code with dnsmasq-dhcp/tftp and router in recovery mode, no change - not accepted by the router.
I'll try to get into the bootloader CLI sometime this weekend.
I used to have a usb/uart adapter years ago. It seems it has gone for a walk in the meantime, so I'm going to make one with an arduino that I have here. Once that is done I should be able to get into the bootloader.
I've checked: both the v3.0.24 and v2.28.69 factory fw do not have the p/n EN25QX128A in the SPI flash chip list. That means they do not work on the device with the new flash.
The original firmware was v3.0.31. I can't find this software available anywhere.
However: when I tried to flash OpenWrt the first time (before I understood the chip difference), I bricked the device. That time, I was able to unbrick using v3.0.24. The router worked perfectly again.
Now, I have bricked the device again after trying another (latest) version of OpenWrt. But this time, v3.0.24 doesn't work to unbrick it - same method and fw version as before.
If you know how I can find the factory fw v3.0.31...?
Hi, your current status: the bootloader is original, and you do not have a factory fw which works on the EN25QX128A chip.
Flashing OpenWrt (my code) from the original bootloader does not work, because the OpenWrt code cannot pass the fw verifications.
To debrick it to factory fw, you have to find v3.0.31 or later. I still cannot find it on Google. If you succeed in debricking it to factory fw, then you could use OpenWRTInvasion to install OpenWrt.
To install OpenWrt by bootloader, you have to reflash a new bootloader (via the original bootloader CLI if possible, dangerous!!!) which supports OpenWrt upgrade and the new chip. Then install OpenWrt by the new bootloader. If you have the SPI programmer tools, please back up your flash chip first, then flash the new bootloader with the tools.
However, I did manage to fashion a USB to UART adapter out of an Arduino Leonardo and was able to connect to the UART header on the board and see the output. The last OpenWrt image did flash correctly but is incompatible with this CFeon chip....old news for everyone.
I'm going to try and restore the factory firmware that worked before using the failsafe recovery method, just to see if there is any output that might provide a clue as to why it is rejected now.
After that, I'll try to flash @RadioOperator 's image via TFTP.
Well, got the output of the recovery mode. For basically any image (even the stock 3.0.24 image that worked the first time), all proceeds normally until the flash write begins, and then we get:
Not sure what changed when attempting the OpenWrt flash on this device, but it now seems to think it can only handle an image of 1.7Mb...!
I tried to flash @RadioOperator's image from the bootloader prompt, but I couldn't get my Arduino to TX. Probably because the Arduino outputs 5v and not 3.3v.
Decided to get a 3.3v usb-ttl adapter, will try with that..
Could I then reflash the bootloader (risky, I know) with alternate software like breed?
From what I read here, this should be possible. There are options to do it in the U-boot CLI list (7 & 9):
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
I also read elsewhere (can't find the link now) that the Xiaomi flash partitions include a partition reserved for uboot env variables, which gets wiped out when loading the newer OpenWrt versions...will try to find the link that describes that behaviour. That could explain why I was able to unbrick the first time, but the second time it won't work because it is using default variables, such as rejecting firmware larger than 1.7MB...!
Wonder if there is a tiny 1.7MB generic firmware that includes a tftp client.
This means your bootloader does not know your chip is the EN25QX128A (16MB), so it cannot calculate the total size of the flash; the bootloader then takes the minimum (maybe 4MB) and requires that the uploaded fw not be larger than 1.7MB.
Did you flash the bootloader with others? I think the factory bootloader does not like that.
My 4AG bootloader log:
***************************
Board power on Occurred
***************************
flash manufacture id: c8, device id 40 18
find flash: GD25Q128C
============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
If you want to fully back to the factory fw, you have to get:
factory fw 3.0.31, maybe newer. Currently we cannot find it.
factory bootloader for the EN25QX128A chip, maybe someone could dump a copy for you.
If you want to use OpenWrt on it, no need to care about the factory fw:
flash a bootloader which can work for the chip using the current bootloader (select [9]).
flash my openwrt build by the new bootloader.
I have built a 4AG bootloader for my personal use, and also added EN25QX128A support, but I do not have the device for testing; it works on my 4AG. But I'm not sure if it would be OK for your 4AG; if it does not work, you have a big risk. The original source code is from: https://github.com/shibajee/u-boot_mod
Definitely want to use OpenWrt on it...the factory firmware is practically useless for my needs. So, as soon as my usb-ttl adapter arrives, I'll try loading a new bootloader and your OpenWrt build.
I'm also probably going to buy a programmer at some point, so if this goes bad I'll use it to learn how to use the programmer.
@RadioOperator thanks for your awesome help mate, I appreciate it.
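Added example (not part of any post in this thread): a small Python check to run over a captured UART boot log before flashing anything, to see whether the bootloader named the SPI flash it probed. The line formats are taken from the 4AG log quoted above; the second log, the `KNOWN_CHIPS` table, the function name and the size-from-last-ID-byte rule are assumptions made for the illustration.

```python
import re

# Chip the quoted 4AG log shows as recognised. Illustrative table only;
# a real bootloader carries its own list.
KNOWN_CHIPS = {"c84018": "GD25Q128C"}

ID_RE = re.compile(
    r"flash manufacture id:\s*([0-9a-f]{1,2}),\s*device id\s+"
    r"([0-9a-f]{1,2})\s+([0-9a-f]{1,2})", re.I)
FOUND_RE = re.compile(r"find flash:\s*(\S+)", re.I)

# From the log quoted in the thread.
LOG_4AG = """flash manufacture id: c8, device id 40 18
find flash: GD25Q128C
Ralink UBoot Version: 5.0.0.0
"""

# Constructed sample: made-up ID bytes (not a real part) and no
# "find flash" line, standing in for a chip the bootloader does not list.
LOG_UNKNOWN = """flash manufacture id: ab, device id cd 18
Ralink UBoot Version: 5.0.0.0
"""

def analyse_boot_log(text):
    """Return the probed flash ID, the name the bootloader printed (if any),
    and the capacity implied by the last ID byte; None if no ID line."""
    m = ID_RE.search(text)
    if not m:
        return None
    id_bytes = [int(x, 16) for x in m.groups()]
    jedec = "".join(f"{b:02x}" for b in id_bytes)
    found = FOUND_RE.search(text)
    # Assumption: the last ID byte is log2(capacity in bytes), the usual
    # convention on SPI NOR parts (0x18 -> 16 MiB).
    cap = id_bytes[2]
    size_mib = (1 << cap) // (1024 * 1024) if 0x14 <= cap <= 0x20 else None
    return {
        "jedec": jedec,
        "name": found.group(1) if found else None,
        "recognised": found is not None,
        "in_table": jedec in KNOWN_CHIPS,
        "size_mib": size_mib,
    }

if __name__ == "__main__":
    for label, log in (("4AG", LOG_4AG), ("unknown", LOG_UNKNOWN)):
        print(label, analyse_boot_log(log))
```

A result with `recognised` false but a plausible `size_mib` is the situation described in the thread: the chip answers the ID probe, but the bootloader has no entry for it and cannot size the flash.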