Xiaomi Mi WiFi 3C (Mi Wifi Router 3C / R3C / R3L)

The Xiaomi Mi WiFi Router 3C is an 802.11n wireless router based on the MediaTek MT7628N SoC. It has three Ethernet ports and one radio (2T2R MIMO).

1. Use the OpenWRTInvasion method to gain telnet access: https://github.com/acecilia/OpenWRTInvasion (IP: 192.168.31.1 - Username: root - Password: root)

2. Connect to the router using telnet.

3. Back up all partitions using the command:

dd if=/dev/mtd0 of=/tmp/mtd0

Copy /tmp/mtd0 to the computer using ftp.

4. Copy openwrt-ramips-mt76x8-xiaomi_miwifi-3c-squashfs-sysupgrade.bin to /tmp on the router using ftp.

5. Install OpenWrt to OS1 and free OS2.

mtd erase OS1

mtd erase OS2

mtd -r write /tmp/openwrt-ramips-mt76x8-xiaomi_miwifi-3c-squashfs-sysupgrade.bin OS1

Limitations: For the first install the image size needs to be less than 7733248 bits.
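Pre-flight checks for steps 3 to 5 above, as an added example that is not part of the original page: before anything is erased, it confirms that the dd backup is as large as the whole flash and that the image is smaller than OS1. The function names are hypothetical, and the sample table is constructed from the partition list in the stock (Linux 3.10.14) boot log on this page, assuming /proc/mtd on the stock firmware lists the same partitions.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run on the stock
# firmware before "mtd erase" / "mtd write".
# SAMPLE_PROC_MTD is constructed from the partition list in the stock boot log
# on this page, laid out like /proc/mtd (dev: size erasesize name).
SAMPLE_PROC_MTD='dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Bdata"
mtd4: 00010000 00010000 "Factory"
mtd5: 00010000 00010000 "crash"
mtd6: 00010000 00010000 "cfg_bak"
mtd7: 000c0000 00010000 "overlay"
mtd8: 00760000 00010000 "OS1"
mtd9: 00760000 00010000 "OS2"
mtd10: 00610000 00010000 "rootfs"'

# part_size_bytes NAME [TABLE]: print the size in bytes of MTD partition NAME.
part_size_bytes() {
    hex=$(printf '%s\n' "${2:-$SAMPLE_PROC_MTD}" |
        awk -v n="$1" '{ gsub(/"/, "", $4) } $4 == n { print $2; exit }')
    [ -n "$hex" ] || return 1          # unknown partition name
    echo $((0x$hex))
}

# file_size_bytes FILE: byte count via wc -c (also present in BusyBox).
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# image_fits IMAGE PARTITION [TABLE]: succeed only if IMAGE is strictly smaller
# than PARTITION (OS1 spans 0x140000-0x8a0000, i.e. 0x760000 = 7733248 bytes).
image_fits() {
    [ -f "$1" ] || return 2
    psize=$(part_size_bytes "$2" "${3:-$SAMPLE_PROC_MTD}") || return 2
    [ "$(file_size_bytes "$1")" -lt "$psize" ]
}

# backup_is_complete FILE [TABLE]: the dd copy of /dev/mtd0 must be exactly as
# large as the "ALL" partition; a shorter file means the copy was cut off,
# for example because /tmp ran out of space.
backup_is_complete() {
    [ -f "$1" ] || return 2
    want=$(part_size_bytes ALL "${2:-$SAMPLE_PROC_MTD}") || return 2
    [ "$(file_size_bytes "$1")" -eq "$want" ]
}

# sha256_of FILE: digest to compare between the router and the computer after
# the ftp transfer, so a corrupted copy of the backup is noticed.
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# preflight IMAGE BACKUP: run both checks against the live /proc/mtd when it
# exists (on the router), otherwise against the constructed sample table.
preflight() {
    if [ -r /proc/mtd ]; then
        mtd_table=$(cat /proc/mtd)
    else
        mtd_table=$SAMPLE_PROC_MTD
    fi
    backup_is_complete "$2" "$mtd_table" ||
        { echo "backup $2 is missing or truncated" >&2; return 1; }
    image_fits "$1" OS1 "$mtd_table" ||
        { echo "image $1 does not fit into OS1" >&2; return 1; }
    echo "backup sha256: $(sha256_of "$2")"
    echo "checks passed"
}

# Usage: sh preflight.sh /tmp/<image>.bin /tmp/mtd0
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it on the router after step 4 and continue with step 5 only when it prints "checks passed"; the script itself never erases or writes flash.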

Commit page:3c97fb4346d11ab3.

Instruction set: MIPS
Vendor: MediaTek
Bootloader: U-Boot + Xiaomi U-Boot
System-On-Chip: Mediatek MT7628N
CPU @Freq: MIPS 24KEc V5.0 @575 MHz
Flash size: 16MB NorFlash
Flash Chip: Spansion S34ML01G100TF100 Winbond W25Q128JV
RAM size: 64 MiB DDR2 @ 800 MHz
RAM Chip: NT5TU64M16HG-AC
Wireless No1: SoC-integrated: MT7628N 2×2 MIMO 802.11b/g/n (2.4 GHz)
Switch: MT7620 built-in 10/100 switch w/ vlan support
Serial: Yes

Xiaomi Wifi router 3C (board top view)

See port.serial for general information about the serial port, serial port cable, etc.

Attach 3 pins to J1 and connect a USB to TTL adapter (CP2102 module). The console was read with PuTTY on COM4 at 115200 bps. Pinout:

1 —— VCC (3.3V) (DO NOT CONNECT!)
2 —— RX
3 —— GND
4 —— TX

The serial port works one-way only (no input goes through pin 4).

Serial connection parameters for Xiaomi Mi WiFi 3C: 115200, 8N1

Recovery mode only works with official Xiaomi firmware. In recovery mode, RSA is used to check whether the image is signed.

  1. Configure a static IP on your computer:
     IP address: 192.168.31.2
     Subnet mask: 255.255.255.0
     Default gateway: 192.168.31.1
  2. Remove the power cable from the router.
  3. Connect an Ethernet cable between the computer and the WAN port (blue port).
  4. Press and hold the reset button and reconnect the power cable.
  5. Continue to hold down the reset button until the front LED changes from static orange to blinking orange.
  6. Open a browser and go to http://192.168.31.1
  7. Select the firmware file and click the upload button.
  8. Wait until the router restarts (5 minutes).

More info and credits: https://visser.io/2018/01/xiaomi-mi-router-3c-recovery-from-system-error-orange-red-led/.

Step 3 of the OpenWrt installation produces the file mtd0, which contains a backup of the whole flash. Write this file directly to flash.

[04050C09][04050C0B]
DDR Calibration DQS reg = 00008887
U-Boot 1.1.3 (Sep 6 2018 - 11:44:39)
Board: Ralink APSoC DRAM: 64 MB
Power on memory test. Memory size= 64 MB...OK!
relocate_code Pointer at: 83fa8000
RT2880_RSTSTAT_REG 0xc0030000
***************************
Board power on Occurred
***************************
flash manufacture id: c8, device id 40 18
find flash: GD25Q128C
env is right!
============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Sep 6 2018 Time:11:44:39
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768
##### The CPU freq = 575 MHZ ####
estimate memory size =64 Mbytes
RESET MT7628 PHY!!!!!!
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
5: Load system2 code then write to Flash via TFTP.
7: Load system code via web.
9: Load Boot Loader code then write to Flash via TFTP.
n3: System Boot system code via Flash.
Booting System 2
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
## Booting image at bc8a0000 ...
Image Name: MIPS OpenWrt Linux-3.10.14
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1323887 Bytes = 1.3 MB
Load Address: 80000000
Entry Point: 80000000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
commandline uart_en=0 factory_mode=0 mem=64m root=/dev/mtdblock10
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64
Starting kernel ...
LINUX started...
THIS IS ASIC
[ 0.000000] Linux version 3.10.14 (jenkins@521a7855145a) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Thu Sep 6 11:52:12 UTC 2018
[ 0.000000]
[ 0.000000] The CPU feqenuce set to 575 MHz
[ 0.000000]
[ 0.000000] MIPS CPU sleep mode enabled.
[ 0.000000] CPU0 revision is: 00019655 (MIPS 24KEc)
[ 0.000000] Software DMA cache coherency
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] User-defined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x03ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x03ffffff]
[ 0.000000] Primary instruction cache 64kB, 4-way, VIPT, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: console=ttyS1,115200n8 uart_en=0 factory_mode=0 mem=64m root=/dev/mtdblock10
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00057ff9
[ 0.000000] Readback ErrCtl register=00057ff9
[ 0.000000] Memory: 61016k/65536k available (2679k kernel code, 4520k reserved, 872k data, 224k init, 0k highmem)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:128
[ 0.000000] console [ttyS1] enabled
[ 0.120000] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[ 0.180000] pid_max: default: 32768 minimum: 301
[ 0.180000] Mount-cache hash table entries: 512
[ 0.190000] NET: Registered protocol family 16
[ 0.190000] RALINK_GPIOMODE = 54054404
[ 0.200000] RALINK_GPIOMODE = 54044404
[ 0.300000] ***** Xtal 40MHz *****
[ 0.300000] start PCIe register access
[ 0.800000] RALINK_RSTCTRL = 2400000
[ 0.810000] RALINK_CLKCFG1 = fdbfffc0
[ 0.810000]
[ 0.810000] *************** MT7628 PCIe RC mode *************
[ 1.310000] PCIE0 no card, disable it(RST&CLK)
[ 1.340000] bio: create slab <bio-0> at 0
[ 1.340000] cfg80211: Calling CRDA to update world regulatory domain
[ 1.350000] Switching to clocksource Ralink Systick timer
[ 1.350000] NET: Registered protocol family 2
[ 1.360000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[ 1.360000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[ 1.370000] TCP: Hash tables configured (established 512 bind 512)
[ 1.370000] TCP: reno registered
[ 1.380000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 1.380000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 1.390000] NET: Registered protocol family 1
[ 1.390000] Load Kernel WDG Timer Module
[ 1.410000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 1.420000] jffs2: version 2.2. (ZLIB) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 1.430000] msgmni has been set to 119
[ 1.430000] io scheduler noop registered
[ 1.430000] io scheduler deadline registered (default)
[ 1.440000] MIWIFI panic notifier registered
[ 1.450000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[ 1.450000] serial8250: ttyS0 at MMIO 0x10000d00 (irq = 21) is a 16550A
[ 1.460000] serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
[ 1.470000] led=44, on=4000, off=1, blinks,=1, reset=1, time=4000
[ 1.480000] Ralink gpio driver initialized
[ 1.480000] flash manufacture id: c8, device id 40 18
[ 1.490000] GD25Q128C(c8 40180000) (16384 Kbytes)
[ 1.490000] mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
[ 1.500000] Creating 10 MTD partitions on "raspi":
[ 1.510000] 0x000000000000-0x000001000000 : "ALL"
[ 1.510000] 0x000000000000-0x000000030000 : "Bootloader"
[ 1.520000] 0x000000030000-0x000000040000 : "Config"
[ 1.530000] 0x000000040000-0x000000050000 : "Bdata"
[ 1.530000] 0x000000050000-0x000000060000 : "Factory"
[ 1.540000] 0x000000060000-0x000000070000 : "crash"
[ 1.540000] 0x000000070000-0x000000080000 : "cfg_bak"
[ 1.550000] 0x000000080000-0x000000140000 : "overlay"
[ 1.560000] 0x000000140000-0x0000008a0000 : "OS1"
[ 1.560000] 0x0000008a0000-0x000001000000 : "OS2"
[ 1.570000] mtd: try split OS2 partition
[ 1.570000] mtd: split_firmware
[ 1.580000] mtd: firmware_partition->size 0x760000
[ 1.580000] mtd: firmware_partition->offset 0x8a0000
[ 1.590000] mtd: uimage_len 1323951
[ 1.590000] mtd: uimage_len 1376256
[ 1.590000] mtd: rootfs_partition->size 0x610000
[ 1.600000] mtd: rootfs_partition->offset 0x9f0000
[ 1.600000] mtd: partition "rootfs" created automatically, ofs=9F0000, len=610000
[ 1.610000] 0x0000009f0000-0x000001000000 : "rootfs"
[ 1.620000] PPP generic driver version 2.4.2
[ 1.620000] PPP MPPE Compression module registered
[ 1.630000] NET: Registered protocol family 24
[ 1.630000] PPTP driver version 0.8.5
[ 1.640000] GMAC1_MAC_ADRH -- : 0x00007811
[ 1.640000] GMAC1_MAC_ADRL -- : 0xdc11c7c3
[ 1.650000] Ralink APSoC Ethernet Driver Initilization. v3.1 256 rx/tx descriptors allocated, mtu = 1500!
[ 1.660000] GMAC1_MAC_ADRH -- : 0x00007811
[ 1.660000] GMAC1_MAC_ADRL -- : 0xdc11c7c3
[ 1.670000] PROC INIT OK!
[ 1.670000] Mirror/redirect action on
[ 1.670000] u32 classifier
[ 1.670000] input device check on
[ 1.680000] Actions configured
[ 1.680000] Netfilter messages via NETLINK v0.30.
[ 1.690000] nfnl_acct: registering with nfnetlink.
[ 1.690000] nf_conntrack version 0.5.0 (953 buckets, 3812 max)
[ 1.700000] ipip: IPv4 over IPv4 tunneling driver
[ 1.700000] gre: GRE over IPv4 demultiplexor driver
[ 1.710000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 1.710000] Type=Restricted Cone
[ 1.720000] TCP: cubic registered
[ 1.720000] NET: Registered protocol family 17
[ 1.730000] l2tp_core: L2TP core driver, V2.0
[ 1.730000] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 1.740000] 8021q: 802.1Q VLAN Support v1.8
[ 1.760000] VFS: Mounted root (squashfs filesystem) readonly on device 31:10.
[ 1.770000] Freeing unused kernel memory: 224K (80378000 - 803b0000)
config core 'version'
# ROM ver
option ROM '2.8.51'
# channel
option CHANNEL 'release'
# hardware platform R1AC or R1N etc.
option HARDWARE 'R3L'
# CFE ver
option UBOOT '1.0.0'
# Linux Kernel ver
option LINUX '0.0.1'
# RAMFS ver
option RAMFS '0.0.1'
# SQUASHFS ver
option SQAFS '0.0.1'
# ROOTFS ver
option ROOTFS '0.0.1'
#build time
option BUILDTIME 'Thu, 06 Sep 2018 11:43:43 +0000'
#build timestamp
option BUILDTS '1536234223'
#build git tag
option GTAG 'commit 8beecd979b824c3238bdb70964f285224be4e4af'
/lib/preinit.sh: line 1: can't create /proc/1/coredump_filter: nonexistent directory
[ 3.880000] Raeth v3.1 (Tasklet,SkbRecycle)
[ 3.880000]
[ 3.880000] phy_tx_ring = 0x03fda000, tx_ring = 0xa3fda000
[ 3.890000]
[ 3.890000] phy_rx_ring0 = 0x03fdb000, rx_ring0 = 0xa3fdb000
[ 3.910000] config 7628 esw as WLLLL
[ 3.980000] GMAC1_MAC_ADRH -- : 0x00007811
[ 3.990000] GMAC1_MAC_ADRL -- : 0xdc11c7c3
[ 3.990000] RT305x_ESW: Link Status Changed
- preinit -
Thu Sep 6 11:52:12 UTC 2018
[ 4.120000] beginning erase nvram region!
[ 4.340000] end erase nvram region!
- regular preinit -
mount: mounting /tmp/mnt on /extdisks failed: No such file or directory
jffs2 not ready yet; using ramdisk
- init -
[ 5.480000] ra2880stop()...Done
[ 5.490000] Free TX/RX Ring Memory!
init started: BusyBox v1.19.4 (2018-09-06 11:41:48 UTC)
Please press Enter to activate this console.
rcS S boot: INFO: rc script run time limit to 65 seconds.
[ 7.870000] ip_gre: GRE over IPv4 tunneling driver
[ 7.910000] xt_time: kernel timezone is +0800
[ 7.990000] ip_set: protocol 6
[ 8.040000] dev_redirect load success.
[ 9.150000]
[ 9.150000]
[ 9.150000] === pAd = c05a7000, size = 1759856 ===
[ 9.150000]
[ 9.160000] <-- RTMPAllocTxRxRingMemory, Status=0, ErrorValue=0x
[ 9.170000] <-- RTMPAllocAdapterBlock, Status=0
[ 9.170000] RtmpChipOpsHook(492): Not support for HIF_MT yet!
[ 9.180000] mt7628_init()-->
[ 9.180000] mt7628_init(FW(8a00), HW(8a01), CHIPID(7628))
[ 9.180000] e2.bin mt7628_init(1117)::(2), pChipCap->fw_len(63984)
[ 9.190000] mt_bcn_buf_init(218): Not support for HIF_MT yet!
[ 9.200000] <--mt7628_init()
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: INFO: loading exist /etc/config/network.
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: config interface 'loopback'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option ifname 'lo'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option proto 'static'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option ipaddr '127.0.0.1'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option netmask '255.0.0.0'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: config interface 'lan'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option ifname 'eth0.1'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option type 'bridge'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option proto 'static'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option ipaddr '192.168.31.1'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option netmask '255.255.255.0'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: config interface 'ifb'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option ifname 'ifb0'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: config interface 'ready'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option proto 'static'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option ipaddr '169.254.29.1'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option netmask '255.255.255.0'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: config interface 'wan'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option proto 'dhcp'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: list dns '1.1.1.1'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: list dns '1.0.0.1'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option peerdns '0'
Thu Sep 6 11:52:17 UTC 2018 netconfig[608]: option ifname 'eth0.2'
[ 12.090000] Raeth v3.1 (Tasklet,SkbRecycle)
[ 12.100000]
[ 12.100000] phy_tx_ring = 0x02413000, tx_ring = 0xa2413000
[ 12.100000]
[ 12.100000] phy_rx_ring0 = 0x03552000, rx_ring0 = 0xa3552000
[ 12.130000] config 7628 esw as WLLLL
[ 12.200000] GMAC1_MAC_ADRH -- : 0x00007811
[ 12.200000] GMAC1_MAC_ADRL -- : 0xdc11c7c3
[ 12.210000] RT305x_ESW: Link Status Changed
[ 12.240000] device eth0.1 entered promiscuous mode
[ 12.240000] device eth0 entered promiscuous mode
[ 12.260000] br-lan: port 1(eth0.1) entered forwarding state
[ 12.260000] br-lan: port 1(eth0.1) entered forwarding state
[ 12.980000] TX_BCN DESC a24cf000 size = 320
[ 12.990000] RX[0] DESC a24d1000 size = 2048
[ 12.990000] RX[1] DESC a24d4000 size = 1024
[ 13.010000] E2pAccessMode=2
[ 13.020000] cfg_mode=9
[ 13.020000] cfg_mode=9
[ 13.020000] wmode_band_equal(): Band Equal!
[ 13.290000] load fw image from fw_header_image
[ 13.290000] AndesMTLoadFwMethod1(2181)::pChipCap->fw_len(63984)
[ 13.300000] CmdAddressLenReq:(ret = 0)
[ 13.300000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.310000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.310000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.320000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.320000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.330000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.330000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.340000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.340000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.350000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.350000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.360000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.360000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.370000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.370000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.380000] AndesInitCmdMsg:cmd_type:238,ExtCmdType:0
[ 13.380000] CmdFwStartReq: override = 1, address = 1048576
[ 13.390000] CmdStartDLRsp: WiFI FW Download Success
[ 13.420000] MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
[ 13.420000] efuse_probe: efuse = 10000012
[ 13.430000] RtmpChipOpsEepromHook::e2p_type=2, inf_Type=4
[ 13.430000] RtmpEepromGetDefault::e2p_dafault=2
[ 13.440000] RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
[ 13.440000] NVM is FLASH mode
[ 13.450000] 1. Phy Mode = 14
[ 13.610000] Country Region from e2p = ffff
[ 13.620000] tssi_1_target_pwr_g_band = 34
[ 13.620000] 2. Phy Mode = 14
[ 13.630000] 3. Phy Mode = 14
[ 13.630000] NICInitPwrPinCfg(11): Not support for HIF_MT yet!
[ 13.630000] NICInitializeAsic(652): Not support rtmp_mac_sys_reset () for HIF_MT yet!
[ 13.640000] mt_mac_init()-->
[ 13.650000] MtAsicInitMac()-->
[ 13.670000] mt7628_init_mac_cr()-->
[ 13.670000] MtAsicSetMacMaxLen(1279): Set the Max RxPktLen=1024!
[ 13.670000] <--mt_mac_init()
[ 13.680000] WTBL Segment 1 info:
[ 13.680000] MemBaseAddr/FID:0x28000/0
[ 13.690000] EntrySize/Cnt:32/128
[ 13.690000] WTBL Segment 2 info:
[ 13.690000] MemBaseAddr/FID:0x40000/0
[ 13.700000] EntrySize/Cnt:64/128
[ 13.700000] WTBL Segment 3 info:
[ 13.700000] MemBaseAddr/FID:0x42000/64
[ 13.710000] EntrySize/Cnt:64/128
[ 13.710000] WTBL Segment 4 info:
[ 13.710000] MemBaseAddr/FID:0x44000/128
[ 13.720000] EntrySize/Cnt:32/128
[ 13.720000] AntCfgInit(2918): Not support for HIF_MT yet!
[ 13.730000] MCS Set = ff ff 00 00 00
[ 13.730000] MtAsicSetChBusyStat(846): Not support for HIF_MT yet!
[ 14.260000] br-lan: port 1(eth0.1) entered forwarding state
[ 16.610000] MtAsicSetRalinkBurstMode(2971): Not support for HIF_MT yet!
[ 16.620000] MtAsicSetPiggyBack(783): Not support for HIF_MT yet!
[ 16.640000] MtAsicSetTxPreamble(2950): Not support for HIF_MT yet!
[ 16.650000] MtAsicAddSharedKeyEntry(1346): Not support for HIF_MT yet!
[ 16.660000] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
[ 16.660000] Main bssid = 78:11:dc:11:c7:c4
[ 16.670000] <==== rt28xx_init, Status=0
[ 16.680000] set_obtw_delta_proc: found cck1m_, DeltaVal = 6
[ 16.680000] set_obtw_delta_proc: found cck5m_, DeltaVal = 6
[ 16.690000] set_obtw_delta_proc: found ofdm6m_, DeltaVal = 6
[ 16.690000] set_obtw_delta_proc: found ofdm12m_, DeltaVal = 6
[ 16.700000] set_obtw_delta_proc: found ht20mcs0_, DeltaVal = 6
[ 16.700000] set_obtw_delta_proc: found ht20mcs1_, DeltaVal = 6
[ 16.710000] set_obtw_delta_proc: found ht40mcs0_, DeltaVal = 6
[ 16.720000] set_obtw_delta_proc: found ht40mcs32_, DeltaVal = 6
[ 16.720000] set_obtw_delta_proc: found ht40mcs1_, DeltaVal = 6
[ 16.730000] AndesInitCmdMsg:cmd_type:237,ExtCmdType:47
[ 16.730000] set_obtw_delta_proc: anyEnable=1
[ 16.740000] CmdSlotTimeSet start
[ 16.780000] CmdSlotTimeSet end
[ 17.040000] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0x0
[ 17.050000] MtAsicSetPiggyBack(783): Not support for HIF_MT yet!
[ 17.260000] MtAsicSetRalinkBurstMode(2971): Not support for HIF_MT yet!
[ 17.270000] MtAsicSetPiggyBack(783): Not support for HIF_MT yet!
[ 17.300000] MtAsicSetTxPreamble(2950): Not support for HIF_MT yet!
[ 17.310000] MtAsicAddSharedKeyEntry(1346): Not support for HIF_MT yet!
[ 17.310000] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
[ 17.320000] Main bssid = 78:11:dc:11:c7:c4
[ 18.460000] device wl1 entered promiscuous mode
[ 18.470000] br-lan: port 2(wl1) entered forwarding state
[ 18.470000] br-lan: port 2(wl1) entered forwarding state
[ 18.520000] ##### mbss_cr_enable, BssId = 1
[ 20.470000] br-lan: port 2(wl1) entered forwarding state
[ 24.060000] dev_redirect: add(+) dev redirect mapping: src:eth0.2->dst:ifb0
Thu Sep 6 11:52:35 UTC 2018 boot_check[2079]: INFO: Wireless OK
[ 34.580000] xqfp: forward hooks init success!
[ 34.590000] xqfp:extend init success!
[ 34.590000] xqfp: register_netdevice_notifier!
[ 34.600000] xqfp: module V2 init success!
[ 35.120000] ctf: bytes_threshold 3MB(3145728B), mask F00000, old_mark: 200000, new_mark: 400000
[ 35.130000] dev_redirect: add(+) dev redirect mapping: src:eth0.2->dst:ifb0
rcS S boot: INFO: rcS S boot timing 29 seconds.
Thu Sep 6 11:52:45 UTC 2018 INFO: rcS S boot timing 29 seconds.
rcS S boot: system type(R3L/2): SQUASH/3
Thu Sep 6 11:52:45 UTC 2018 system type(R3L/2): SQUASH/3
rcS S boot: ROOTFS: /dev/root on / type squashfs (ro,relatime)
Thu Sep 6 11:52:45 UTC 2018 ROOTFS: /dev/root on / type squashfs (ro,relatime)
[ 37.290000] led=37, on=1, off=4000, blinks,=1, reset=1, time=4000
[ 37.300000] led=44, on=1, off=4000, blinks,=1, reset=1, time=4000
[ 37.310000] led=11, on=4000, off=1, blinks,=1, reset=1, time=4000
[ 37.430000] beginning erase nvram region!
[ 37.660000] end erase nvram region!
[ 38.040000] beginning erase nvram region!
mknod: /dev/gpio: File exists
[ 38.270000] end erase nvram region!
Unlocking cfg_bak ...
Erasing cfg_bak ...
Unlocking cfg_bak ...
Writing from /tmp/cfg_bak.tgz to cfg_bak ...
Thu Sep 6 11:52:47 UTC 2018 boot_check[3473]: Booting up finished.


[04050C0A][04050C0C]
DDR Calibration DQS reg = 00008887
U-Boot 1.1.3 (Sep 6 2018 - 11:44:39)
Board: Ralink APSoC DRAM: 64 MB
Power on memory test. Memory size= 64 MB...OK!
relocate_code Pointer at: 83fa8000
RT2880_RSTSTAT_REG 0xc0030000
***************************
Board power on Occurred
***************************
flash manufacture id: c8, device id 40 18
find flash: GD25Q128C
env is right!
============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Sep 6 2018 Time:11:44:39
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768
##### The CPU freq = 575 MHZ ####
estimate memory size =64 Mbytes
RESET MT7628 PHY!!!!!!
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
5: Load system2 code then write to Flash via TFTP.
7: Load system code via web.
9: Load Boot Loader code then write to Flash via TFTP.
0
n3: System Boot system code via Flash.
Booting System 1
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
## Booting image at bc140000 ...
Image Name: MIPS OpenWrt Linux-5.4.155
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 2145791 Bytes = 2 MB
Load Address: 80000000
Entry Point: 80000000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
commandline uart_en=1 factory_mode=0 mem=64m root=/dev/mtdblock9
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64
Starting kernel ...
[ 0.000000] Linux version 5.4.155 (builder@buildhost) (gcc version 11.2.0 (OpenWrt GCC 11.2.0 r18014-15e55a2190)) #0 Sat Nov 6 05:18:48 2021
[ 0.000000] Board has DDR2
[ 0.000000] Analog PMU set to hw control
[ 0.000000] Digital PMU set to hw control
[ 0.000000] SoC Type: MediaTek MT7628AN ver:1 eco:2
[ 0.000000] printk: bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019655 (MIPS 24KEc)
[ 0.000000] MIPS: machine is Xiaomi MiWiFi 3C
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000003ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000003ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 16240
[ 0.000000] Kernel command line: console=ttyS0,115200 rootfstype=squashfs,jffs2
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes, linear)
[ 0.000000] Writing ErrCtl register=00057ff9
[ 0.000000] Readback ErrCtl register=00057ff9
[ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.000000] Memory: 56932K/65536K available (5164K kernel code, 201K rwdata, 1100K rodata, 1204K init, 205K bss, 8604K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS: 256
[ 0.000000] intc: using register map from devicetree
[ 0.000000] random: get_random_bytes called from start_kernel+0x354/0x548 with crng_init=0
[ 0.000000] CPU Clock: 580MHz
[ 0.000000] timer_probe: no matching timers found
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6590553264 ns
[ 0.000009] sched_clock: 32 bits at 290MHz, resolution 3ns, wraps every 7405115902ns
[ 0.007569] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[ 0.073494] pid_max: default: 32768 minimum: 301
[ 0.078119] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.085137] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.098318] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.107820] futex hash table entries: 256 (order: -1, 3072 bytes, linear)
[ 0.114459] pinctrl core: initialized pinctrl subsystem
[ 0.122397] NET: Registered protocol family 16
[ 0.156468] workqueue: max_active 576 requested for napi_workq is out of range, clamping between 1 and 512
[ 0.169652] clocksource: Switched to clocksource MIPS
[ 0.175498] thermal_sys: Registered thermal governor 'step_wise'
[ 0.175962] NET: Registered protocol family 2
[ 0.186084] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.193868] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.201979] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.209330] TCP bind hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.216152] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.222419] UDP hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.228691] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.235775] NET: Registered protocol family 1
[ 0.240018] PCI: CLS 0 bytes, default 32
[ 0.248559] workingset: timestamp_bits=14 max_order=14 bucket_order=0
[ 0.262677] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.268252] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.293111] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 252)
[ 0.303509] mt7621_gpio 10000600.gpio: registering 32 gpios
[ 0.309098] mt7621_gpio 10000600.gpio: registering 32 gpios
[ 0.314755] mt7621_gpio 10000600.gpio: registering 32 gpios
[ 0.320420] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[ 0.329111] printk: console [ttyS0] disabled
[ 0.333308] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 28, base_baud = 2500000) is a 16550A
[ 0.342028] printk: console [ttyS0] enabled
[ 0.342028] printk: console [ttyS0] enabled
[ 0.350442] printk: bootconsole [early0] disabled
[ 0.350442] printk: bootconsole [early0] disabled
[ 0.361272] spi-mt7621 10000b00.spi: sys_freq: 193333333
[ 0.377728] spi-nor spi0.0: gd25q128 (16384 Kbytes)
[ 0.382810] 8 fixed-partitions partitions found on MTD device spi0.0
[ 0.389248] Creating 8 MTD partitions on "spi0.0":
[ 0.394142] 0x000000000000-0x000000030000 : "Bootloader"
[ 0.400650] 0x000000030000-0x000000040000 : "Config"
[ 0.406655] 0x000000040000-0x000000050000 : "Bdata"
[ 0.412727] 0x000000050000-0x000000060000 : "factory"
[ 0.418862] 0x000000060000-0x000000070000 : "crash"
[ 0.424896] 0x000000070000-0x000000080000 : "cfg_bak"
[ 0.431151] 0x000000080000-0x000000140000 : "overlay"
[ 0.437279] 0x000000140000-0x000001000000 : "firmware"
[ 0.451083] 2 uimage-fw partitions found on MTD device firmware
[ 0.457094] Creating 2 MTD partitions on "firmware":
[ 0.462201] 0x000000000000-0x00000020be3f : "kernel"
[ 0.468283] 0x00000020be3f-0x000000ec0000 : "rootfs"
[ 0.474402] mtd: device 9 (rootfs) set to be root filesystem
[ 0.482303] 1 squashfs-split partitions found on MTD device rootfs
[ 0.488594] 0x0000004c0000-0x000000ec0000 : "rootfs_data"
[ 0.495912] libphy: Fixed MDIO Bus: probed
[ 0.538220] rt3050-esw 10110000.esw: mediatek esw at 0xb0110000, irq 25 initialized
[ 0.546828] mtk_soc_eth 10100000.ethernet eth0: mediatek frame engine at 0xb0100000, irq 5
[ 0.557234] NET: Registered protocol family 10
[ 0.566108] Segment Routing with IPv6
[ 0.570021] NET: Registered protocol family 17
[ 0.574590] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[ 0.587754] 8021q: 802.1Q VLAN Support v1.8
[ 0.598251] VFS: Mounted root (squashfs filesystem) readonly on device 31:9.
[ 0.612257] Freeing unused kernel memory: 1204K
[ 0.616850] This architecture does not have kernel memory protection.
[ 0.623408] Run /sbin/init as init process
[ 1.298370] init: Console is alive
[ 1.302501] init: - watchdog -
[ 2.161888] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[ 2.239664] random: fast init done
[ 2.318149] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[ 2.336152] init: - preinit -
[ 3.435443] random: jshn: uninitialized urandom read (4 bytes read)
[ 3.543589] random: jshn: uninitialized urandom read (4 bytes read)
[ 3.686252] random: jshn: uninitialized urandom read (4 bytes read)
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[ 7.937994] rt3050-esw 10110000.esw: port 0 link up
[ 7.943018] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 7.949970] IPv6: ADDRCONF(NETDEV_CHANGE): eth0.2: link becomes ready
[ 8.613426] jffs2: notice: (463) jffs2_build_xattr_subsystem: complete building xattr subsystem, 6 of xdatum (0 unchecked, 1 orphan) and 7 of xref (1 dead, 0 orphan) found.
[ 8.631098] mount_root: switching to jffs2 overlay
[ 8.638872] overlayfs: upper fs does not support tmpfile.
[ 8.650243] urandom-seed: Seeding with /etc/urandom.seed
[ 8.722891] rt3050-esw 10110000.esw: port 4 link up
[ 8.806715] procd: - early -
[ 8.810485] procd: - watchdog -
[ 9.581379] procd: - watchdog -
[ 9.585253] procd: - ubus -
[ 9.621658] urandom_read: 3 callbacks suppressed
[ 9.621667] random: ubusd: uninitialized urandom read (4 bytes read)
[ 9.640475] random: ubusd: uninitialized urandom read (4 bytes read)
[ 9.647610] random: ubusd: uninitialized urandom read (4 bytes read)
[ 9.660144] procd: - init -
Please press Enter to activate this console.
[ 10.631316] kmodloader: loading kernel modules from /etc/modules.d/*
[ 10.935485] Loading modules backported from Linux version v5.15-rc6-0-g519d81956ee2
[ 10.943336] Backport generated by backports.git v5.15-rc6-1-0-gd44432d6
[ 11.020245] xt_time: kernel timezone is -0000
[ 11.153318] mt76_wmac 10300000.wmac: ASIC revision: 76280001
[ 11.312763] urngd: v1.0.2 started.
[ 11.575013] random: crng init done
[ 11.578477] random: 1 urandom warning(s) missed due to ratelimiting
[ 12.191751] mt76_wmac 10300000.wmac: Firmware Version: 20151201
[ 12.197770] mt76_wmac 10300000.wmac: Build Time: 20151201183641
[ 12.239664] mt76_wmac 10300000.wmac: firmware init done
[ 12.532975] PPP generic driver version 2.4.2
[ 12.551259] NET: Registered protocol family 24
[ 12.603012] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 19.938169] rt3050-esw 10110000.esw: port 0 link down
[ 19.943307] rt3050-esw 10110000.esw: port 4 link down
[ 23.826585] rt3050-esw 10110000.esw: port 0 link up
[ 24.506522] rt3050-esw 10110000.esw: port 4 link up
[ 25.736556] br-lan: port 1(eth0.2) entered blocking state
[ 25.742134] br-lan: port 1(eth0.2) entered disabled state
[ 25.747987] device eth0.2 entered promiscuous mode
[ 25.753052] device eth0 entered promiscuous mode
[ 25.785999] br-lan: port 1(eth0.2) entered blocking state
[ 25.791554] br-lan: port 1(eth0.2) entered forwarding state
[ 26.740178] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready


SSH access can be gained via the instructions found at the following repository without opening the case of the router:

https://github.com/acecilia/OpenWRTInvasion

Instead of the stock bootloader, BREED can be used:

https://breed.hackpascal.net/breed-mt7688-reset38.bin

The bootloader of the MT7688 is compatible with the MT7628. The bootloader mentioned above offers a reset functionality, which other BREED MT7628 bootloaders do not offer. It is therefore advised to use the bootloader listed above, so that the router can be reset between flashing different firmware images.

Installation instructions via SSH:

wget -P /tmp  https://breed.hackpascal.net/breed-mt7688-reset38.bin

mtd_write write /tmp/breed-mt7688-reset38.bin Bootloader

djStolen: Unfortunately, even though I followed these instructions, my device got bricked, therefore I recommend thinking twice before doing it. I am currently working on U-Boot for this device.

  • Last modified: 2024/07/11 20:36
  • by s.farid