Xiaomi Wifi Mini SPI debricked from bad bootloader

Hello folks,

earlier today I flashed the WRTnode u-boot bootloader since recommended on the Xiaomi Wifi Mini OpenWrt wiki page.

The router now hangs upon power on and I am unable to make any selection or pressing the reset button upon power on and as fast as I can. It will just default to nand flash boot and die there.

You choosed 3

 0 
   
3: System Boot system code via Flash.

 netboot_common, argc= 1

I tried restoring it via stock fw using a USB key but it won't be loaded and router will get stuck at the very same point.

I have dumped mtd0 the u-boot partition before flashing the bad u-boot, and I am aware I could restore the dumped partition via SPI using flashrom. I have a Pomona clip 5250, though flashrom doesn't seem to be able to read the chip.

I am either reading the wrong chip or the pins layout is wrong. If we look at this picture, the chip I am trying to read is the one on the far right side at the very end of the picture. It is between FM2 and FM1. Is it the right one?

If so, could anyone help me with the pins layout for the Pomona clip 5250?

Here is the full boot hang log.

Any help will be highly appreciated.

You can still download the firmware with tftp and flash memory is supported by flashrom

Hello @susy,

how can I upload the firmware via tftp if the router doesn't obtain an IP address?

Also, what to you mean with "flash memory is supported by flashrom" ?

From the boot logs I posted I am unable to select any options, and I need help in figuring out which is the chip I need to read and flash with flashrom. I would also need help for the pins layout.

Alright, I tried scanning the ethernet and wan using wireshark and it doesn't seem to acquire any sort of IP address. Unless I am doing it wrong, I guess there is no way I could debrick it via tftp..

Please correct me if I am wrong.

Finally brought it back to life. I big thanks goes out to @danitool, as welll as @icon from the #coreboot channel. Couldn't have done it without their help.

I am leaving my notes here as reference in the case someone else will end up in the same situation in the future. I will make a decent wiki article at some point.

- SPI pin layout on the RPI3 and Pomona Clip 5250

1 CS    RED     24
2 MISO  YELLOW  21
4 GND   GREEN   20
5 MOSI  WHITE   19
6 SCLK  BLACK   23
8 BROWN 3.3v    17

- SPI chip datasheet can be found here:
http://www.winbond.com/resource-files/w25q128fv_revhh1_100913_website1.pdf


- Take few backups of the SPI chip 

# flashrom -c "W25Q128.V" -p linux_spi:dev=/dev/spidev0.0 -r factory.rom

- Verify it

# flashrom -p linux_spi:dev=/dev/spidev0.0 -v factory.rom

- md5sum it 

# md5sum factory.rom

- Debrick process: 

- Padding the bootloader dumped image size

# dd if=/dev/zero bs=1M count=16 of=padded.bin 

# dd if=u-boot.bin conv=notrunc of=padded.bin 

# echo "00000:2ffff uboot" > u-boot.layout 

- Flashing just the u-boot region so that wifi calibration and whatever else the chip contains won't be erased

# flashrom -c "W25Q128.V" -p linux_spi:dev=/dev/spidev0.0 -f -l u-boot.layout -i uboot -w padded.bin

- Additional notes: In my case the flashing verification has failed, however it did also fail quite few times when dumping the spi chip rom. In the end it did work smoothly regardless the failed verification error.

raspberrypi64:~/uboot-stock-xiaomi$ sudo flashrom -c "W25Q128.V" -p linux_spi:dev=/dev/spidev0.0 -f -l u
-boot.layout -i uboot -w padded.bin
flashrom v0.9.9-r1955 on Linux 4.10.17-v8 (aarch64)
flashrom is free software, get the source code at https://flashrom.org

Using region: "uboot".
Calibrating delay loop... delay loop is unreliable, trying to continue OK.
Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on linux_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... FAILED at 0x00034cb0! Expected=0xff, Found=0xfe, failed byte count from 0x00000000-0x00ffffff: 0xfd
Your flash chip is in an unknown state.

I'm having this issue and it's a new one for me but willing to learn though. Can you please provide the detailed guide and tools required to fix this issue.

Using Arduino for serial connection, the logs below were captured:

U-Boot 1.1.3 (Jan 28 2016 - 18:16:3▒)

Board: Rali▒k A▒SoC▒DR▒M:  128 MB
Power on mem▒▒▒ test. Memory size= 128 MB...OK!
reloc▒te_code Pointer a▒▒▒68000
enable ephy ▒▒▒▒▒..done. rf reg 29 = 5
SSC disabled.
**************▒▒▒▒▒▒**********
Software System Reset Occurred
*******▒▒▒▒▒▒*****************
spi_wait_nsec: 29
spi device id▒▒▒栴0 18 0 0 (40180000)
find flash: W25Q128BV
ra▒▒▒▒▒▒ad: from:30000 len:1000
raspi▒▒▒▒▒ from:30000 len:1000
=========▒▒▒▒▒▒=============================
Ralink UBoot Version▒▒▒▒▒▒S.1
--------------------------------------------
                                             ▒▒▒▒à7620_MP (Port5<->None)
DRAM component: 1024 Mbits D▒Ҭ▒▒▒dth 16
DRAM bus: 16 bit
Total memory: 128 MBytes
                        ▒▒▒▒▒▒ component: SPI Flash
Date:Jan 28 2016  Time:18:16:▒▒▒▒▒▒==========================================
icache▒▒▒▒▒▒:512, ways:4, linesz:32 ,total:65536
dcache: sets:2▒▒▒▒▒▒ys:4, linesz:32 ,total:32768

 ##### The CPU fre񠽠▒▒0 MHZ ####
 estimate memory size =128 Mbytes

Please choose the operation:
   1: ▒▒▒▒system code to SDRAM via TFTP.
   2: Load system c▒▒▒▒▒en write to Flash via TFTP.
   3: Boot system code▒▒▒▒▒lash (default).
   7: Load Boot Loader code then write to Flash via▒▒▒▒▒▒l.
   9: Load Boot Loader code then write to Flas▒▒▒▒TFTP.


3: System Boot system code via Flash.▒▒▒▒▒to boot Recovery System
raspi_read: from:3000▒▒▒▒▒10000
Erasing SPI Flash...
raspi_erase: offs▒▒▒▒▒▒ len:10000
.
Writing to SPI Flash...
r▒▒▒▒▒▒rite: to:30000 len:10000
.
done
## Booting▒▒▒▒▒▒ at bccd0000 ...
raspi_read: from:cd0000 len:40
▒▒▒▒▒gic Number,A24F2BCB, try to reboot
raspi_read: fr▒▒▒▒00 len:10000
Erasing SPI Flash▒▒▒▒▒▒aspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
▒▒▒▒▒▒write: to:30000 len:10000
.
done