The original firmware was v3.0.31. I can't find this software available anywhere.
However: when I tried to flash OpenWrt the first time (before I understood the chip difference), I bricked the device. That time, I was able to unbrick using v3.0.24. The router worked perfectly again.
Now, I have bricked the device again after trying another (latest) version of OpenWrt. But this time, v3.0.24 doesn't work to unbrick it - same method and fw version as before
If you know how I can find the factory fw v3.0.31...?
Hi, your current status: the bootloader is original, and you donot have a factroy fw which is working on the EN25QX128A chip.
Flash openwrt (my code) from the original bootloader, does not work, because openwrt code cannot pass the fw verifications.
To debrick it to factory fw, you have to find v3.0.31 or later. Still cannot find it on google. If you success debrick it to factory fw, then you could use the OpenWRTInvasion install openwrt.
To install openwrt by bootloader, you have to reflash a new bootloader(via original bootloader CLI if possible, dangerous!!!) which supports openwrt upgrade and the new chip. Then install openwrt by the new bootloader. If you have the SPI programmer tools, please backup your flash chip first, then flash the new bootloader by the tools.
However, I did manage to fashion a usb to uart adapter out of an arduino leonardo and was able to connect to the uart header on the board and see the output. The last openwrt image did flash correctly but is incompatible with this CFeon chip....old news for everyone
I'm going to try and restore the factory firmware that worked before using the failsafe recovery method, just to see if there is any output that might provide a clue as to why it is rejected now.
After that, I'll try to flash @RadioOperator 's image via TFTP.
Well, got the output of the recovery mode. For basically any image (even the stock 3.0.24 image that worked the first time), all proceeds normally until the flash write begins, and then we get:
Not sure what changed when attempting the openwrt flash on this device, but it now seems to think it can only handle an image of 1.7Mb...!
I tried to flash @RadioOperator's image from the bootloader prompt, but I couldn't get my arduino to TX. Probably because the arduino outputs 5v and not 3.3v
Decided to get a 3.3v usb-ttl adapter, will try with that..
Could I then reflash the bootloader (risky, I know) with an alternate software like breed?
From what I read here, this should be possible. There are options to do it in the U-boot CLI list (7 & 9):
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
I also read elsewhere (can't find the link now) that the xiamo flash partitions include a partition reserved for uboot env variables, that gets wiped out when loading the newer OpenWRT versions...will try to find the link that describes that behaviour. That could explain why I was able to unbrick the first time, but the second time it won't work because it is using default variables, such as rejecting firmware larger than 1.7MB...!
Wonder if there is a tiny 1.7MB generic firmware that includes a tftp client
This means your bootloader does not know your Chip is EN25QX128A - 16MB, so cannot calculated the total size of the flash, so the bootloader take the minimum (maybe 4MB), then give that uploaded fw could not larger than 1.7MB.
did you flash the bootloader with others? I think factory bootloader does not like that.
My 4AG bootloader log:
***************************
Board power on Occurred
***************************
flash manufacture id: c8, device id 40 18
find flash: GD25Q128C
============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
If you want to fully back to the factory fw, you have to get:
factory fw 3.0.31, maybe newer. Currently we cannot find it.
factory booloader for the EN25QX128A chip, maybe someone could dump a copy for you.
If you want to use openwrt on it, no need to care the factory fw:
flash a bootloader which can work for the chip using the current bootloader (select [9]).
flash my openwrt build by the new bootloader.
I have built a 4AG bootloader my personal use, also added EN25QX128A support, but I donot have the device for testing, it works on my 4AG. But I'm not sure if it could ok for your 4AG, if not work, you have a big risk. The original source code from: https://github.com/shibajee/u-boot_mod
Definitely want to use openwrt on it...the factory firmware is practically useless for my needs. So, as soon as my usb-ttl adapter arrives, I'll try loading a new bootloader and your openwrt build.
I'm also probably going to buy a Programmer at some point so if this goes bad I'll use it to learn how to use the programmer
@RadioOperator thanks for your awesome help mate, I appreciate it
Well...got a new usb-ttl adapter, set to 3.3v operation. Hooked it up as follows:
USB GND to R4A GND
USB TX to R4A RX
USB RX to R4A TX.
Using picocom on linux, seeing the output perfectly.
But I can't interrupt the boot sequence. I see the menu with options 1-9, I'm already hitting one of the options but nothing happens, the boot sequence continues. I can see the TX light on the adapter flashing every time I hit a key, but the device doesnt react.
Xaiomi builds the bootloader with bootdelay=0, which means it will not pause to consider entering the menu.
The bootloader can be patched with a non zero bootdelay but installing the new bootloader into the flash requires either a chip programmer or successfully booting OpenWrt and using mtd.
@RadioOperator thanks very much for your continuing input, I appreciate it very much
Currently I've ordered a chip programmer and am waiting for it to arrive, hopefully next week. In the present state I can't do anything without it since the recovery refuses to load anything larger than 1.7MB and the bootloader doesnt allow the boot menu to be used.
With the SPI programmer I'll be able to dump the code and set the bootdelay, which should then allow me to unbrick the device and try other things...and also learn something about using SPI programmers
