User Tools

Site Tools


toh:xiaomi:mir3

Xiaomi Mi WiFi R3 (Mi Wifi Router 3 / MIR3 / MI3)

Xiaomi Mi Router 3 is 802.11ac+bgn AC1200 wireless router based on the MediaTek MT7620A SoC. It has three Ethernet ports and two radios (one SoC-based 2.4 GHz 802.11bgn and one MT7612E-based 5GHz 802.11ac, both 2×2 MiMo).

Hardware

Info

Instruction set MIPS
Vendor MediaTek
bootloader U-Boot + Xiaomi U-Boot
System-On-Chip Ralink MT7620A
CPU @Freq MIPS 24KEc V5.0 @580 MHz
Flash size 128 MiB NAND
Flash Chip ESMT F59L1G81LA (different chip might be used)
RAM size 128 MiB DDR2
RAM Chip NT5TU64M16HG-AC
Wireless No1 SoC-integrated: MT7620A 2×2 MIMO 802.11b/g/n (2.4 GHz)
Wireless No2 On-board chip: MT7612E 2×2 MIMO 802.11a/n/ac (5 GHz)
switch MT7620 built-in 10/100 switch w/ vlan support
USB 1x
Serial Yes (write disabled after first boot by kernel)

Serial

The serial port of the router can be accessed using the TTL pins. A voltage level converter (such as a CP2102 TTL-USB dongle) is required. Writing to the console is disabled in the factory U-Boot. Writing to the console in the factory firmware is only possible during first boot; afterwards it is disabled by the firmware.

To enable writing to the console, you must use the following commands:

nvram set uart_en=1
nvram commit

The communication settings are: TTL voltage, 115200 bps, 8N1.

MTD output from stock firmware

root@XiaoQiang:/# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 08000000 00020000 "ALL"
mtd1: 00040000 00020000 "Bootloader"
mtd2: 00040000 00020000 "Config"
mtd3: 00040000 00020000 "Bdata"
mtd4: 00040000 00020000 "Factory"
mtd5: 00040000 00020000 "crash"
mtd6: 00040000 00020000 "crash_syslog"
mtd7: 00080000 00020000 "reserved0"
mtd8: 00400000 00020000 "kernel0"
mtd9: 00400000 00020000 "kernel1"
mtd10: 02000000 00020000 "rootfs0"
mtd11: 02000000 00020000 "rootfs1"
mtd12: 03600000 00020000 "overlay"

Bootlog

U-Boot 1.1.3 (Apr 15 2016 - 17:46:32) Board: Ralink APSoC DRAM: 128 MB Power on memory test. Memory size= 128 MB...OK! relocate_code Pointer at: 87fb8000 enable ephy clock...done. rf reg 29 = 5 SSC disabled. !!! nand page size = 2048, addr len=4 ..============================================ Ralink UBoot Version: 4.2.S.1 -------------------------------------------- ASIC 7620_MP (Port5<->None) DRAM_CONF_FROM: Auto-detection DRAM_TYPE: DDR2 DRAM component: 1024 Mbits DRAM bus: 16 bit Total memory: 128 MBytes Flash component: NAND Flash Date:Apr 15 2016 Time:17:46:32 ============================================ icache: sets:512, ways:4, linesz:32 ,total:65536 dcache: sets:256, ways:4, linesz:32 ,total:32768 ##### The CPU freq = 580 MHZ #### estimate memory size =128 Mbytes Please choose the operation: 1: Load system code to SDRAM via TFTP. 2: Load system code then write to Flash via TFTP. 3: Boot system code via Flash (default). 4: Entr boot command line interface. 9: Load Boot Loader code then write to Flash via TFTP. 3: System Boot system code via Flash. Booting System 2 ..ranand_erase_write: offs:40000, count:20000 .Done! done ## Booting image at bc600000 ... Image Name: MIPS OpenWrt Linux-2.6.36 Image Type: MIPS Linux Kernel Image (lzma compressed) Data Size: 2284520 Bytes = 2.2 MB Load Address: 80000000 Entry Point: 80000000 ................................... Verifying Checksum ... OK Uncompressing Kernel Image ... OK commandline uart_en=0 factory_mode=0 mem=128m No initrd ## Transferring control to Linux (at address 80000000) ... ## Giving linux memsize in MB, 128 Starting kernel ... LINUX started... THIS IS ASIC [ 0.000000] Initializing cgroup subsys cpuset [ 0.000000] Initializing cgroup subsys cpu [ 0.000000] Linux version 2.6.36 (jenkins@JenkinsServer) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Fri Apr 15 17:59:34 CST 2016 [ 0.000000] [ 0.000000] The CPU feqenuce set to 580 MHz [ 0.000000] PCIE: bypass PCIe DLL. [ 0.000000] PCIE: Elastic buffer control: Addr:0x68 -> 0xB4 [ 0.000000] disable all power about PCIe [ 0.000000] CPU revision is: 00019650 (MIPS 24Kc) [ 0.000000] Software DMA cache coherency [ 0.000000] Determined physical RAM map: [ 0.000000] memory: 08000000 @ 00000000 (usable) [ 0.000000] User-defined physical RAM map: [ 0.000000] memory: 08000000 @ 00000000 (usable) [ 0.000000] Initrd not found or empty - disabling initrd [ 0.000000] Zone PFN ranges: [ 0.000000] Normal 0x00000000 -> 0x00008000 [ 0.000000] Movable zone start PFN for each node [ 0.000000] early_node_map[1] active PFN ranges [ 0.000000] 0: 0x00000000 -> 0x00008000 [ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32512 [ 0.000000] Kernel command line: console=ttyS1,115200n8 root=/dev/ram0 uart_en=0 factory_mode=0 mem=128m [ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes) [ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes) [ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes) [ 0.000000] Primary instruction cache 64kB, VIPT, , 4-waylinesize 32 bytes. [ 0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes [ 0.000000] Writing ErrCtl register=00078fdb [ 0.000000] Readback ErrCtl register=00078fdb [ 0.000000] allocated 655360 bytes of page_cgroup [ 0.000000] please try 'cgroup_disable=memory' option if you don't want memory cgroups [ 0.000000] Memory: 123760k/131072k available (3348k kernel code, 7312k reserved, 1028k data, 868k init, 0k highmem) [ 0.000000] SLUB: Genslabs=7, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 [ 0.000000] NR_IRQS:128 [ 0.000000] console [ttyS1] enabled [ 0.010000] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216) [ 0.220000] pid_max: default: 32768 minimum: 301 [ 0.220000] Mount-cache hash table entries: 512 [ 0.220000] Initializing cgroup subsys cpuacct [ 0.230000] Initializing cgroup subsys memory [ 0.230000] Initializing cgroup subsys net_cls [ 0.230000] devtmpfs: initialized [ 0.240000] NET: Registered protocol family 16 [ 0.240000] RALINK_GPIOMODE = 121b1c [ 0.240000] RALINK_GPIOMODE = 101b1c [ 0.440000] PPLL_CFG1=0xe6c000 [ 0.450000] MT7620 PPLL lock [ 0.450000] PPLL_DRV =0x80080504 [ 0.650000] Deassert the PCIE0 RESET. [ 0.650000] start PCIe register access [ 1.150000] RALINK_RSTCTRL = 2400000 [ 1.160000] RALINK_CLKCFG1 = 75afffc0 [ 1.160000] [ 1.160000] *************** MT7620 PCIe RC mode ************* [ 1.660000] PCIE0 enabled [ 1.670000] init_rt2880pci done [ 1.670000] bio: create slab <bio-0> at 0 [ 1.680000] SCSI subsystem initialized [ 1.680000] usbcore: registered new interface driver usbfs [ 1.680000] usbcore: registered new interface driver hub [ 1.690000] usbcore: registered new device driver usb [ 1.690000] pci 0000:00:00.0: BAR 0: can't assign mem (size 0x80000000) [ 1.700000] pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x200fffff] [ 1.700000] pci 0000:00:00.0: BAR 9: assigned [mem 0x20100000-0x201fffff pref] [ 1.710000] pci 0000:00:00.0: BAR 1: assigned [mem 0x20200000-0x2020ffff] [ 1.710000] pci 0000:00:00.0: BAR 1: set to [mem 0x20200000-0x2020ffff] (PCI address [0x20200000-0x2020ffff] [ 1.720000] pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff 64bit] [ 1.720000] pci 0000:01:00.0: BAR 0: set to [mem 0x20000000-0x200fffff 64bit] (PCI address [0x20000000-0x200fffff] [ 1.730000] pci 0000:01:00.0: BAR 6: assigned [mem 0x20100000-0x2010ffff pref] [ 1.730000] pci 0000:00:00.0: PCI bridge to [bus 01-01] [ 1.740000] pci 0000:00:00.0: bridge window [io disabled] [ 1.740000] pci 0000:00:00.0: bridge window [mem 0x20000000-0x200fffff] [ 1.750000] pci 0000:00:00.0: bridge window [mem 0x20100000-0x201fffff pref] [ 1.750000] BAR0 at slot 0 = 0 [ 1.760000] bus=0x0, slot = 0x0 [ 1.760000] res[0]->start = 0 [ 1.760000] res[0]->end = 0 [ 1.760000] res[1]->start = 20200000 [ 1.770000] res[1]->end = 2020ffff [ 1.770000] res[2]->start = 0 [ 1.770000] res[2]->end = 0 [ 1.770000] res[3]->start = 0 [ 1.780000] res[3]->end = 0 [ 1.780000] res[4]->start = 0 [ 1.780000] res[4]->end = 0 [ 1.780000] res[5]->start = 0 [ 1.790000] res[5]->end = 0 [ 1.790000] bus=0x1, slot = 0x0 [ 1.790000] res[0]->start = 20000000 [ 1.790000] res[0]->end = 200fffff [ 1.800000] res[1]->start = 0 [ 1.800000] res[1]->end = 0 [ 1.800000] res[2]->start = 0 [ 1.800000] res[2]->end = 0 [ 1.810000] res[3]->start = 0 [ 1.810000] res[3]->end = 0 [ 1.810000] res[4]->start = 0 [ 1.810000] res[4]->end = 0 [ 1.820000] res[5]->start = 0 [ 1.820000] res[5]->end = 0 [ 1.820000] Switching to clocksource MIPS [ 1.830000] NET: Registered protocol family 2 [ 1.830000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes) [ 1.840000] TCP established hash table entries: 4096 (order: 3, 32768 bytes) [ 1.850000] TCP bind hash table entries: 4096 (order: 2, 16384 bytes) [ 1.850000] TCP: Hash tables configured (established 4096 bind 4096) [ 1.860000] TCP reno registered [ 1.860000] UDP hash table entries: 256 (order: 0, 4096 bytes) [ 1.870000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes) [ 1.870000] NET: Registered protocol family 1 [ 2.570000] RT3xxx EHCI/OHCI init. [ 2.580000] msgmni has been set to 241 [ 2.580000] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254) [ 2.590000] io scheduler noop registered (default) [ 2.600000] RALINK_REG_PIO7140DATA b0000670 = 0 [ 2.700000] RALINK_REG_PIO7140DATA b0000670 = 2000000 [ 2.710000] Ralink gpio driver initialized [ 2.710000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled [ 2.720000] serial8250: ttyS0 at MMIO 0x10000500 (irq = 37) is a 16550A [ 2.720000] serial8250: ttyS1 at MMIO 0x10000c00 (irq = 12) is a 16550A [ 2.730000] init reset module! [ 2.740000] brd: module loaded [ 2.740000] !!! nand page size = 2048, addr len=4 [ 2.750000] ra_nand_init: alloc 1350, at 87fd0000 , btt(87fd10c0, 100), ranfc_mtd:87fd11c0 [ 2.760000] Creating 13 MTD partitions on "ra_nfc": [ 2.760000] 0x000000000000-0x000008000000 : "ALL" [ 2.790000] 0x000000000000-0x000000040000 : "Bootloader" [ 2.800000] 0x000000040000-0x000000080000 : "Config" [ 2.810000] 0x000000080000-0x0000000c0000 : "Bdata" [ 2.810000] 0x0000000c0000-0x000000100000 : "Factory" [ 2.820000] 0x000000100000-0x000000140000 : "crash" [ 2.820000] 0x000000140000-0x000000180000 : "crash_syslog" [ 2.830000] 0x000000180000-0x000000200000 : "reserved0" [ 2.840000] 0x000000200000-0x000000600000 : "kernel0" [ 2.840000] 0x000000600000-0x000000a00000 : "kernel1" [ 2.850000] 0x000000a00000-0x000002a00000 : "rootfs0" [ 2.850000] 0x000002a00000-0x000004a00000 : "rootfs1" [ 2.860000] 0x000004a00000-0x000008000000 : "overlay" [ 2.870000] rdm_major = 253 [ 2.870000] SMACCR1 -- : 0x000034ce [ 2.870000] SMACCR0 -- : 0x004b3cc1 [ 2.880000] Ralink APSoC Ethernet Driver Initilization. v3.0 256 rx/tx descriptors allocated, mtu = 1500! [ 2.890000] SMACCR1 -- : 0x000034ce [ 2.890000] SMACCR0 -- : 0x004b3cc1 [ 2.900000] PROC INIT OK! [ 2.900000] PPP generic driver version 2.4.2 [ 2.900000] PPP MPPE Compression module registered [ 2.910000] NET: Registered protocol family 24 [ 2.910000] PPTP driver version 0.8.5 [ 2.920000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver [ 3.040000] rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller [ 3.050000] rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1 [ 3.090000] rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x101c0000 [ 3.110000] rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00 [ 3.110000] hub 1-0:1.0: USB hub found [ 3.120000] hub 1-0:1.0: 1 port detected [ 3.120000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver [ 3.150000] rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller [ 3.150000] rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2 [ 3.160000] rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x101c1000 [ 3.230000] hub 2-0:1.0: USB hub found [ 3.230000] hub 2-0:1.0: 1 port detected [ 3.240000] usbcore: registered new interface driver cdc_acm [ 3.240000] cdc_acm: v0.26:USB Abstract Control Model driver for USB modems and ISDN adapters [ 3.250000] Initializing USB Mass Storage driver... [ 3.260000] usbcore: registered new interface driver usb-storage [ 3.260000] USB Mass Storage support registered. [ 3.270000] usbcore: registered new interface driver usbserial [ 3.270000] USB Serial support registered for generic [ 3.280000] usbcore: registered new interface driver usbserial_generic [ 3.290000] usbserial: USB Serial Driver core [ 3.290000] USB Serial support registered for pl2303 [ 3.300000] usbcore: registered new interface driver pl2303 [ 3.300000] pl2303: Prolific PL2303 USB to serial adaptor driver [ 3.310000] USB Serial support registered for TI USB 3410 1 port adapter [ 3.320000] USB Serial support registered for TI USB 5052 2 port adapter [ 3.320000] usbcore: registered new interface driver ti_usb_3410_5052 [ 3.330000] ti_usb_3410_5052: v0.10:TI USB 3410/5052 Serial Driver [ 3.340000] Software Watchdog Timer: 0.07 initialized. soft_noboot=0 soft_margin=60 sec (nowayout= 0) [ 3.340000] u32 classifier [ 3.350000] input device check on [ 3.350000] Actions configured [ 3.350000] Netfilter messages via NETLINK v0.30 with ipset netlink.patch. [ 3.360000] nf_conntrack version 0.5.0 (1933 buckets, 7732 max) [ 3.370000] xt_time: kernel timezone is -0000 [ 3.370000] GRE over IPv4 demultiplexor driver [ 3.380000] ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone [ 3.390000] TCP cubic registered [ 3.390000] NET: Registered protocol family 10 [ 3.400000] NET: Registered protocol family 17 [ 3.400000] L2TP core driver, V2.0 [ 3.400000] PPPoL2TP kernel driver, V2.0 [ 3.410000] L2TP netlink interface [ 3.410000] 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com> [ 3.420000] All bugs added by David S. Miller <davem@redhat.com> [ 3.440000] Freeing unused kernel memory: 868k freed [ 3.530000] Loading essential drivers... [ 3.530000] Press Ctrl+C to enter RAMFS... [ 4.550000] Check for USB recovery... [ 4.580000] Bringup the system... [ 4.590000] flag_boot_rootfs=1 mounting /dev/mtd11 [ 4.600000] UBI: attaching mtd11 to ubi0 [ 4.600000] UBI: physical eraseblock size: 131072 bytes (128 KiB) [ 4.610000] UBI: logical eraseblock size: 126976 bytes [ 4.610000] UBI: smallest flash I/O unit: 2048 [ 4.620000] UBI: VID header offset: 2048 (aligned 2048) [ 4.620000] UBI: data offset: 4096 [ 4.780000] UBI: max. sequence number: 2 [ 4.790000] UBI: attached mtd11 to ubi0 [ 4.790000] UBI: MTD device name: "rootfs1" [ 4.800000] UBI: MTD device size: 32 MiB [ 4.800000] UBI: number of good PEBs: 256 [ 4.810000] UBI: number of bad PEBs: 0 [ 4.810000] UBI: max. allowed volumes: 128 [ 4.820000] UBI: wear-leveling threshold: 4096 [ 4.820000] UBI: number of internal volumes: 1 [ 4.830000] UBI: number of user volumes: 1 [ 4.830000] UBI: available PEBs: 0 [ 4.840000] UBI: total number of reserved PEBs: 256 [ 4.840000] UBI: number of PEBs reserved for bad PEB handling: 4 [ 4.850000] UBI: max/mean erase counter: 2/1 [ 4.850000] UBI: image sequence number: 1481461889 [ 4.860000] UBI: background thread "ubi_bgt0d" started, PID 80 UBI device number 0, total 256 LEBs (32505856 bytes, 31.0 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB) [ 4.950000] UBIFS: mounted UBI device 0, volume 0, name "system" [ 4.950000] UBIFS: mounted read-only [ 4.960000] UBIFS: file system size: 30093312 bytes (29388 KiB, 28 MiB, 237 LEBs) [ 4.960000] UBIFS: journal size: 9023488 bytes (8812 KiB, 8 MiB, 72 LEBs) [ 4.970000] UBIFS: media format: w4/r0 (latest is w4/r0) [ 4.980000] UBIFS: default compressor: zlib [ 4.980000] UBIFS: reserved for root: 0 bytes (0 KiB) config core 'version' # ROM ver option ROM '2.11.20' # channel option CHANNEL 'stable' # hardware platform R1AC or R1N etc. option HARDWARE 'R3' # CFE ver option UBOOT '1.0.2' # Linux Kernel ver option LINUX '0.1.12' # RAMFS ver option RAMFS '0.1.12' # SQUASHFS ver option SQAFS '0.1.12' # ROOTFS ver option ROOTFS '0.1.12' #build time option BUILDTIME 'Fri, 15 Apr 2016 17:43:41 +0800' #build timestamp option BUILDTS '1460713422' #build git tag option GTAG 'commit dec2379967c2b44760bc6bab36c584cf58e06ae4' mount: mounting proc on /proc failed: Device or resource busy mount: mounting sysfs on /sys failed: Device or resource busy [ 5.760000] Raeth v3.0 (Tasklet,SkbRecycle) [ 5.760000] [ 5.760000] phy_tx_ring = 0x07ef6000, tx_ring = 0xa7ef6000 [ 5.760000] [ 5.760000] phy_rx_ring0 = 0x07ef7000, rx_ring0 = 0xa7ef7000 [ 5.760000] SMACCR1 -- : 0x000034ce [ 5.760000] SMACCR0 -- : 0x004b3cc1 [ 5.790000] ESW: Link Status Changed - Port4 Link UP [ 5.790000] CDMA_CSG_CFG = 81000000 [ 5.790000] GDMA1_FWD_CFG = 20710000 - preinit - Fri Apr 15 17:59:34 UTC 2016 - regular preinit - [ 5.950000] UBI: attaching mtd12 to ubi1 [ 5.960000] UBI: physical eraseblock size: 131072 bytes (128 KiB) [ 5.960000] UBI: logical eraseblock size: 126976 bytes [ 5.970000] UBI: smallest flash I/O unit: 2048 [ 5.970000] UBI: VID header offset: 2048 (aligned 2048) [ 5.980000] UBI: data offset: 4096 [ 6.230000] UBI: max. sequence number: 586 [ 6.240000] UBI: attached mtd12 to ubi1 [ 6.250000] UBI: MTD device name: "overlay" [ 6.250000] UBI: MTD device size: 54 MiB [ 6.260000] UBI: number of good PEBs: 432 [ 6.260000] UBI: number of bad PEBs: 0 [ 6.270000] UBI: max. allowed volumes: 128 [ 6.270000] UBI: wear-leveling threshold: 4096 [ 6.280000] UBI: number of internal volumes: 1 [ 6.280000] UBI: number of user volumes: 1 [ 6.290000] UBI: available PEBs: 0 [ 6.290000] UBI: total number of reserved PEBs: 432 [ 6.300000] UBI: number of PEBs reserved for bad PEB handling: 8 [ 6.300000] UBI: max/mean erase counter: 2/1 [ 6.310000] UBI: image sequence number: 520187673 [ 6.310000] UBI: background thread "ubi_bgt1d" started, PID 149 UBI device number 1, total 432 LEBs (54853632 bytes, 52.3 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB) [ 6.360000] UBIFS: recovery needed [ 6.420000] UBIFS: recovery completed [ 6.420000] UBIFS: mounted UBI device 1, volume 0, name "data" [ 6.430000] UBIFS: file system size: 52187136 bytes (50964 KiB, 49 MiB, 411 LEBs) [ 6.440000] UBIFS: journal size: 2666496 bytes (2604 KiB, 2 MiB, 21 LEBs) [ 6.440000] UBIFS: media format: w4/r0 (latest is w4/r0) [ 6.450000] UBIFS: default compressor: lzo [ 6.450000] UBIFS: reserved for root: 2464926 bytes (2407 KiB) /lib/preinit.sh: line 1: jffs2_not_mounted: not found - init - [ 7.080000] ra2880stop()...Done [ 7.100000] Free TX/RX Ring Memory! init started: BusyBox v1.19.4 (2016-04-15 17:38:14 CST) Please press Enter to activate this console. rcS S boot: INFO: rc script run time limit to 65 seconds. [ 8.040000] tntfs: module license 'Commercial. For support email ntfs-support@tuxera.com.' taints kernel. [ 8.050000] Disabling lock debugging due to kernel taint [ 8.090000] Tuxera NTFS driver 3015.1.29 [Flags: R/W MODULE]. [ 8.190000] Tuxera FAT 12/16/32 driver version 3014.1.24 [Flags: R/W MODULE]. [ 8.250000] tun: Universal TUN/TAP device driver, 1.6 [ 8.260000] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com> [ 8.280000] Mirror/redirect action on [ 8.550000] GRE over IPv4 tunneling driver [ 8.780000] ipt: xt_cgroup_MARK installed ok. [ 8.850000] ip_set: protocol 6 [ 9.140000] sstack_init [ 10.430000] <-- RTMPAllocTxRxRingMemory, Status=0 [ 10.440000] <-- RTMPAllocAdapterBlock, Status=0 [ 11.980000] <-- RTMPAllocTxRxRingMemory, Status=0 [ 12.000000] <-- RTMPAllocAdapterBlock, Status=0 [ 12.000000] pAd->CSRBaseAddress =0xc1180000, csr_addr=0xc1180000! [ 12.010000] <dbg> MAC_CSR0=1986146304, RtmpChipOpsHook [ 12.020000] <dbg> dev idx = 1! [ 12.020000] <dbg> get_dev_config_idx pAd->MACVersion = 76623000, pAd->ChipID = 76120044 Sat Apr 16 01:59:40 CST 2016 netconfig[405]: INFO: loading exist /etc/config/network. Sat Apr 16 01:59:40 CST 2016 netconfig[405]: config interface 'loopback' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option ifname 'lo' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option proto 'static' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option ipaddr '127.0.0.1' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option netmask '255.0.0.0' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: config interface 'lan' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option ifname 'eth0.1' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option type 'bridge' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option proto 'static' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option ipaddr '192.168.31.1' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option netmask '255.255.255.0' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: config interface 'wan' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option ifname 'eth0.2' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option proto 'dhcp' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: config interface 'ifb' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option ifname 'ifb0' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: config interface 'ready' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option proto 'static' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option ipaddr '169.254.29.1' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option netmask '255.255.255.0' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: config interface 'guest' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option ifname 'eth0.3' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option type 'bridge' Sat Apr 16 01:59:40 CST 2016 netconfig[405]: option proto 'static' Sat Apr 16 01:59:41 CST 2016 netconfig[405]: option ipaddr '192.168.32.1' Sat Apr 16 01:59:41 CST 2016 netconfig[405]: option netmask '255.255.255.0' [ 14.540000] Raeth v3.0 (Tasklet,SkbRecycle) [ 14.550000] [ 14.550000] phy_tx_ring = 0x061ed000, tx_ring = 0xa61ed000 [ 14.550000] [ 14.550000] phy_rx_ring0 = 0x07f78000, rx_ring0 = 0xa7f78000 [ 14.550000] SMACCR1 -- : 0x000034ce [ 14.550000] SMACCR0 -- : 0x004b3cc1 [ 14.570000] CDMA_CSG_CFG = 81000000 [ 14.580000] GDMA1_FWD_CFG = 20710000 [ 14.640000] device eth0.3 entered promiscuous mode [ 14.640000] device eth0 entered promiscuous mode [ 14.660000] br-guest: port 1(eth0.3) entering learning state [ 14.660000] br-guest: port 1(eth0.3) entering learning state [ 14.690000] device eth0.1 entered promiscuous mode [ 14.730000] br-lan: port 1(eth0.1) entering learning state [ 14.730000] br-lan: port 1(eth0.1) entering learning state [ 15.400000] <dbg> MAC_CSR0=1986146304, rtmp_asic_top_init [ 15.550000] Set_Bsd_Proc 7412 Bsd 0 [ 16.660000] br-guest: port 1(eth0.3) entering forwarding state [ 16.730000] br-lan: port 1(eth0.1) entering forwarding state [ 19.460000] <==== rt28xx_init, Status=0 [ 24.950000] device wl0 entered promiscuous mode [ 24.960000] br-lan: port 2(wl0) entering learning state [ 24.960000] br-lan: port 2(wl0) entering learning state [ 25.540000] Set_Bsd_Proc 7083 Bsd 0 [ 26.960000] br-lan: port 2(wl0) entering forwarding state [ 28.930000] <==== rt28xx_init, Status=0 [ 28.940000] 0x1300 = 00064320 [ 33.620000] device wl1 entered promiscuous mode [ 33.630000] br-lan: port 3(wl1) entering learning state [ 33.630000] br-lan: port 3(wl1) entering learning state [ 35.630000] br-lan: port 3(wl1) entering forwarding state [ 39.850000] device wl3 entered promiscuous mode [ 39.850000] br-guest: port 2(wl3) entering learning state [ 39.860000] br-guest: port 2(wl3) entering learning state rcS S calling: /etc/rc.d/S20network boot: WARNING: EXITCODE=0, execute too slow, 28 >= 15: /etc/rc.d/S20network boot [ 41.860000] br-guest: port 2(wl3) entering forwarding state Sat Apr 16 02:00:18 CST 2016 boot_check[5080]: INFO: Wireless OK [ 65.030000] Enabling Ralink HW NAT Module ... [ 65.040000] Ralink HW NAT Module Enabled! [ 68.480000] tcpproxy_init, succeed! [ 73.250000] xqfp: forward hooks init success! [ 73.250000] xqfp:pre hooks init success! [ 73.260000] xqfp:extend init success! [ 73.260000] xqfp: module init success! rcS S boot: INFO: rcS S boot timing 62 seconds. Sat Apr 16 02:00:42 CST 2016 INFO: rcS S boot timing 62 seconds. rcS S boot: system type(R3/2): SQUASH/3 Sat Apr 16 02:00:42 CST 2016 system type(R3/2): SQUASH/3 rcS S boot: ROOTFS: ubi0_0 on / type ubifs (ro,noatime,bulk_read,no_chk_data_crc,compr=zlib) Sat Apr 16 02:00:42 CST 2016 ROOTFS: ubi0_0 on / type ubifs (ro,noatime,bulk_read,no_chk_data_crc,compr=zlib) mknod: /dev/gpio: File exists Sat Apr 16 02:00:43 CST 2016 boot_check[7406]: Booting up finished.


Get SSH/dropbear access

Recommended downgrading to http://bigota.miwifi.com/xiaoqiang/rom/r3/miwifi_r3_all_55ac7_2.11.20.bin for this & a presumption that you understand the STOK bit otherwise read from mini

STEPS

  * http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/web/home#router
  
  * http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqnetwork/set_wifi_ap?ssid=Xiaomi&encryption=NONE&enctype=NONE&channel=1%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit
  
  * http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqnetwork/set_wifi_ap?ssid=Xiaomi&encryption=NONE&enctype=NONE&channel=1%3Bsed%20%2Di%20%22%3Ax%3AN%3As%2Fif%20%5C%5B%2E%2A%5C%3B%20then%5Cn%2E%2Areturn%200%5Cn%2E%2Afi%2F%23tb%2F%3Bb%20x%22%20%2Fetc%2Finit.d%2Fdropbear
  
  * http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqnetwork/set_wifi_ap?ssid=Xiaomi&encryption=NONE&enctype=NONE&channel=1%3B%2Fetc%2Finit.d%2Fdropbear%20start
  
  * http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/set_name_password?oldPwd=<OLD_PASSWORD>&newPwd=<NEW_PASSWORD>
  • OLD_PASSWORD is your admin password you'd set while setting up the router or can be reset from Mi Wifi app.

You should now be able to access ssh: ssh root@192.168.31.1

Now you can re-enable serial port (must reboot):

nvram set uart_en=1
nvram set flag_last_success=1
nvram set boot_wait=on
nvram commit

Instructions from: https://4pda.ru/forum/index.php?showtopic=736801&st=19100#entry68306060

How to flash PandoraBox OpenWrt

All necessary files r linked here https://mega.nz/#F!WY0FiTIS!Cl_Dzm4yhzrQZFazYG3i8Q

For future firmware/bootloader update https://downloads.pangubox.com or http://downloads.pangubox.cn

Flash instructions

  1. get ssh/dropbear access by above instruction
  2. we need the pandorabox bootloader and flash it, transfer/wget it to cd /tmp
  3. in ssh:
    cd /tmp
    mtd write pb-boot-xiaomi3-20180726-0d8505f.img Bootloader
    reboot

    (if there is a updated bootloader in future use that one)

  4. wait 4-5 min after reboot
  5. now switch off the router through plug, hold the reset button and switch on the router then release the reset button after 1~2 sec, router will flash breath style yellow led
  6. go to 192.168.1.1, u will see a PandoraBox firmware upgrade page. select ur pandorabox firmware (*-sysupgrade.bin) and upload it.
  7. access the PandoraBox openwrt by 192.168.1.1, default password is “admin”. This has english language, just select the auto in language option.

Revert to stock

First, we have to flash our stock bootloader and kernel0 partition back to their initial state. But there is a catch, the bootloader partition is locked in pandorabox firmware or any other normal openwrt firmware. Good news is I have compiled a openwrt firmware with unlocked bootloader option for mir3. You will find it in mega link.

  1. access the pandorabox firmware upgrade page like before (see 5,6 above)
  2. select the firmware “openwrt-ramips-mt7620-xiaomi_miwifi-r3-squashfs-pb-boot.bin” and upload it. (Source: https://bitbucket.org/shibajee/openwrt)
  3. login to the router 192.168.1.1, no password, just press login, configure password and enable ssh (well, u can use this firmware as vanilla openwrt)
  4. transfer/wget ur necessary files (Bootloader.bin & kernel0.bin) to cd /tmp
  5. in ssh:
    cd /tmp
    mtd write Bootloader.bin Bootloader
    reboot
  6. access ssh again
    fw_setenv flag_try_sys2_failed 1
    cd /tmp
    mtd write kernel0.bin kernel0_rsvd
    reboot
  7. shortly after reboot router will start blinking red (means it's in recovery mode)
  8. insert a usb stick in fat32 formatted with stock firmware renamed to miwifi.bin
  9. press the reset button for 1~2 sec until the red blinking turns into yellow blinking.
  10. now wait for 4-5min and login to the router 192.168.31.1

This tutorial originally posted here https://forum.openwrt.org/t/xiaomi-mi-wifi-3-support/2252/685

Recovering from Softbrick

If your MIR3 is soft bricked, but you have write access to the serial console, you may be able to recover.

  1. Save kernel0.bin from here to a TFTP server
  2. Place the 2.11.20 firmware .bin on a FAT32 formatted flash drive and connect it to the router
  3. Boot the router and select option 1 “Load system code to SDRAM via TFTP.”
  4. Set an IP for the router and enter the IP of the TFTP server
  5. Enter the name of the file (kernel0.bin)
  6. Wait for it to reboot
  7. It will print something like the following - press and hold reset unitl the LED flashes orange and it will revert back to stock:
[    4.550000] Check for USB recovery...
[    4.580000] Both systems are corrupted... Entering recovery mode
starting pid 81, tty '': '/etc/rcS'
Press reset button to enter USB recovery

Video: Xiaomi Mi WiFi 3 Router Unboxing and Teardown

Pictures

Hardware Mods

SPI Flash Mod

Unfortunately, due to Xiaomi's restrictive bootloader which locks you out from the serial console (!) after first boot, if you totally brick every OS and Kernel partition on this device without enabling the serial console, and the bootloader doesn't pick up the recovery image off a thumb drive, there's no easy way to get the device back up and running again.

However, it is possible to install an easily-programmable SPI flash module to bring your router back to life, by way of the SOIC-8 sized pad in the middle of the PCB, and a few configuration jumpers. The location of the pads should be fairly obvious (marked FN1 FN2), and there is a silkscreened white dot on the PCB to indicate the proper direction to install the SPI chip.

Make sure you install a compatible bootloader on the SPI chip (such as the Xiaomi Mini version of the WRTNode or Breed bootloader, others may work but have not been tested)

The MT7620A SoC used in the Xiaomi Router 3 uses hardware straps to encode a binary number, determining what device to boot from, as in the datasheet:

Straps Configuration Description
SPI_MOSI, SPI_CLK, TXD2, GPIO0 CHIP_MODE[3:0] A vector to set chip function/test/debug modes. In non test/debug operation, 1: Normal mode (boot from ROM+NAND flash 4 cycle address/2 KB page size) 2: Normal mode (boot from SPI 3-byte Addr) 3: Normal mode (boot from SPI 4-byte Addr)

By default, the Xiaomi Router 3 has the four straps configured as follows:

SPI_MOSI (R135) - 0 (tied to ground)
SPI_CLK (R127) - 0 (tied to ground)
TXD2 (R139) - 0 (tied to ground)
GPIO0 (R124) - 1 (pulled up via 4.7kO resistor)

To boot the router from an installed SPI flash chip, two modifications need to be performed:

  1. Move the 4.7kO resistor, or short with a solder bridge, R139 to the adjacent R137 pads. This sets TXD2 to 1.
  2. Move the 4.7kO resistor, or short with a solder bridge, R124 to the adjacent R126 pads. This sets GPIO0 to 0.

The router's new boot configuration should be 0010 (binary 2), and should a compatible bootloader be installed on the SPI chip it should boot right up.

If you have installed a 16MB SPI chip, the Xiaomi Mini firmware images should be compatible out of the box. Should you install a smaller or larger capacity chip, you may have to adjust the Device Tree definition for your device at target/linux/ramips/dts/MIWIFI-MINI.dts and recompile your kernel from source.

Conversations regarding this device

Reviews

toh/xiaomi/mir3.txt · Last modified: 2018/10/30 06:32 by painfull30_gmail.com