Xiaomi WiFi Router 3G V2

Hello,
I would also like to know the procedure.
And the necessary equipment. Is it essential to have a ch341a programmer?
Or possibility to inject attached .bin files directly from the interface?
Thank you.

Yes you need a ch341a programmer as no other way has been found to interrupt the boot process.

1 Like

Thx... i order one, and i must patient.

@Gingernut, which program did you use to flash your router?

I have successfully read the chip numerous times with flashrom (on debian linux), AsProgrammer 1.4.1 and CH341A Programmer (both on Windows), but cannot write anything into the chip.

I'm using a CH341A programmer with black PCB and a new clip (my old one is rather flaky). Is my programmer broken? O.o

EDIT: Forgot to mention, my SPI is detected as GD25Q128C, but the physical marking is GD25Q127C. A commit for flashrom on chromiumos project mentioned this and it's likely a rename?

EDIT2: Seems to be a defective programmer, different md5sum for each read. Waiting for a new one...

Sorry to hear that.

I used Tftpd32 server on windows.

I also tried to use tftpd32 and tftpd64, but face with "wrong checksum" when providing the image (holding reset while powering the router).

I mean the app to dump the content of and write to the SPI flash...

I just followed Rogerpueyo's instructions on his Xiaomi Router 4A gigabit thread.

I did it all from Windows and used a USB 3 port to power the CH341A programmer, which to my superise, didn't need any additional power.

1 Like

Well Done, I have the same router and wasn't able to get uboot to pause for 5 seconds even with replacing off with " 5". Would have be willing to copy an spi dump of your flash?

I wrote to mine by setting chip type as
flashrom --programmer ch341a_spi -w image.bin -V -c GD25B128B/GD25Q128B

My new programmer arrived today, and I have successfully flashed it under a debian VM with flashrom.

I used this: flashrom --programmer ch341a_spi --read r3gv2.bin -c "GD25Q128C" to read, and flashrom --programmer ch341a_spi --write r3gv2-edited.bin -c "GD25Q128C" to write.

Using CH341A Programmer and AsProgrammer in Windows still produce different md5 for each readings, whereas flashrom produce the same md5...

2 Likes

Did your flash work? ie were you able to enter the uboot menu? If so could you post your r3gv2-edited.bin file somewhere. My unit has the latest firmware and I think they may have defeated the edit the text method that we are using.

Yes, I was able to enter the menu.

I tinkered around first, and what I was able to found out, if I booted the stock firmware or change the uboot env (like to toggle uart_en and ssh_en from 0 to 1), the menu somehow will no longer respond to my command. I flashed the edited backup three times total before I was able to flash openwrt via TFTP.

Here's my dump and openwrt by @Gingernut all in one place:

https://drive.google.com/drive/folders/1FwiBe9vZy02jAwgGKt8qKI5Of38DDDXK?usp=sharing

The .md5sum files contain the expected md5 for each file, so you sure that the file is not corrupted while downloading.

2 Likes

Hi Guys,

What exactly did you change in the flash to make this work?
I've tried a couple of things, but so far I am not able to do anything in the boot menu.

Update: so what I tried and not working:

$ xxd r3gv2_original.bin | grep bootdelay
00019690: 626f 6f74 6465 6c61 7900 0000 6f66 6600  bootdelay...off.
$ xxd r3gv2_modified.bin | grep bootdelay
00019690: 626f 6f74 6465 6c61 7900 0000 2e2e 3500  bootdelay.....5.

$ xxd r3gv2_original.bin | grep boot_wait
0001c8d0: 5632 0062 6f6f 745f 7761 6974 3d6f 6666  V2.boot_wait=off
$ xxd r3gv2_modified.bin | grep boot_wait
0001c8d0: 5632 0062 6f6f 745f 7761 6974 3d6f 6e2e  V2.boot_wait=on.

Update2: I made a mistake there when edited the the file, I changed the string "off" to "..5" and dots are 2e in the hex (LOL) ... changed those to zeros and flashed again... but still, there is no countdown at the bootloader.

$ xxd r3gv2_modified.bin | grep bootdelay
00019690: 626f 6f74 6465 6c61 7900 0000 0000 3500  bootdelay.....5.

I only changed the bootdelay string from off to 5, didn't touch anything else.

Yup, I had the same problem with mine, then I blew it up by connecting the test clip round the wrong way (Doh!!). I ordered a new unit and I've dumped the rom before powering it up. I was thinking about chopping up the image at OS and catting the openwrt flash to the end of the cut file, then padding the end with zeros. Because if you have an SPI programmer why mess about with small stuff when you can just direct flash openwrt. (Well hopefully)

Finally, I was able to install Openwrt on it. My USB to TTL tricked me, as soon as I switched it to the flasher's TTL, I was able to interrupt the boot and install initramfs via TFTP.


root@OpenWrt:~# cat /tmp/sysinfo/model
Xiaomi Mi Router 3G v2
root@OpenWrt:~# uname -a
Linux OpenWrt 4.14.143 #0 SMP Sat Sep 14 15:11:45 2019 mips GNU/Linux

Does anyone has an image of the current firmware that can be uploaded via Breed?

A newer firmware build?

Breed can't take sysupgade.img?