找回密码
 立即注册

QQ登录

只需一步,快速开始

搜索
广告投放联系QQ68610888
楼主: hanwckf

[AC2100(RM2100)] Redmi AC2100 拆机 求开ssh或uart方法

  [复制链接]
发表于 2019-12-21 06:23 | 显示全部楼层
京东入了一个,不知道什么时候能有包出来。。。
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2019-12-23 13:38 | 显示全部楼层
看测评此路由器5G很强,但是固件是问题,没第三方的话,小米迟早玩坏
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2019-12-30 13:35 | 显示全部楼层
这个路由器要是能刷固件就起飞了,按测评来看唯一担心的就是未来固件越更越烂。
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-4 15:53 | 显示全部楼层
只想要广告屏蔽的功能   其余的无所谓  但是很难啊  估计没多少人搞
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-5 20:09 | 显示全部楼层
不能刷机那不是废材啊
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-7 09:32 | 显示全部楼层
https://forum.openwrt.org/t/xiao ... th-programmer/36685
这个是4a的刷法,可以尝试一下,夹子好像某宝上就有,也就2-3十块的样子,等你好消息。openwrt可以根据芯片型号自己编译一下。

点评

是的, 这里就提到了TTL没反应的真正原因: 菜单延迟和RX都被锁了 我搞了个夹子来刷我的4A千兆, 不过不知是我没夹好还是电路有冲突, 编程器一直报错, 看来要焊下来试试  详情 回复 发表于 2020-1-9 11:19
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-7 09:51 | 显示全部楼层
刚注意到是sop48的 可能得需要焊下来烧程序了
F59L1G81A的引脚 https://datasheetspdf.com/pdf/96 ... nductor/F59L1G81A/1
加油啊
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-7 09:58 | 显示全部楼层
0.5mm的引脚,街上谁便找个修手机的师傅都能轻松搞定,应该用烙铁焊比较保险,热风枪容易出问题。不过我看了一下好在周围的原件不多,热风枪也应该问题不大。
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-9 11:19 | 显示全部楼层
tinysun 发表于 2020-1-7 09:32
https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but ...

是的, 这里就提到了TTL没反应的真正原因: 菜单延迟和RX都被锁了
我搞了个夹子来刷我的4A千兆, 不过不知是我没夹好还是电路有冲突, 编程器一直报错, 看来要焊下来试试

点评

A small detail: the SPI FLASH chip (or the whole router board, probably) draws too much power from the CH341, so I have to add some "extra" power by connecting the programmers' 3.3V pin to the USB to  详情 回复 发表于 2020-1-9 17:30
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-9 17:30 | 显示全部楼层
cjfof 发表于 2020-1-9 11:19
是的, 这里就提到了TTL没反应的真正原因: 菜单延迟和RX都被锁了
我搞了个夹子来刷我的4A千兆, 不过不知 ...

A small detail: the SPI FLASH chip (or the whole router board, probably) draws too much power from the CH341, so I have to add some "extra" power by connecting the programmers' 3.3V pin to the USB to TTL's 3.3V pin to somehow "sum" the total amount of power on the 3.3V rail. It's a nasty trick from the formal point of view, but does the thing.

应该是3。3v的供电问题,供电不足,你可以试试把usb3.3v飞过去试试。

点评

哈哈~~感谢提醒,成功dump下flash了~~ 接下来可以改bootdelay, 刷鸡~ 可能我手工竹梯子不行,openwrt的那个帖子老打不开,折腾效率非常低...  详情 回复 发表于 2020-1-12 03:04
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-11 01:38 | 显示全部楼层
楼主有竞斗云的话 可以借用竞斗云救NAND
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-12 03:04 | 显示全部楼层
tinysun 发表于 2020-1-9 17:30
A small detail: the SPI FLASH chip (or the whole router board, probably) draws too much power from ...

哈哈~~感谢提醒,成功dump下flash了~~
接下来可以改bootdelay, 刷鸡~
可能我手工竹梯子不行,openwrt的那个帖子老打不开,折腾效率非常低...

点评

只能帮你到这了  详情 回复 发表于 2020-1-14 08:45
Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer[/backcolor]For Developers May 2019 1 / 221 May 2019 B  详情 回复 发表于 2020-1-14 08:44
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-14 08:44 | 显示全部楼层
cjfof 发表于 2020-1-12 03:04
哈哈~~感谢提醒,成功dump下flash了~~
接下来可以改bootdelay, 刷鸡~
可能我手工竹梯子不行,openwrt的那 ...

Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer[size=0.8706em]For Developers





[url=]May 2019[/url]


1 / 221
May 2019



Back

[url=]9h ago[/url]








[size=1em]rogerpueyo
4
May '19
[size=0.571em]


Hi there,
A few days ago, a colleague from eXO
[size=0.7579em]50
pointed me to this new device by Xiaomi, which would be very nice to have it supported by OpenWrt to use it in our community network
[size=0.7579em]60
. I ordered it from a well-known on-line shop and I just received it, so I'll be posting here any updates on adding support for it.
Main specifications
  • SoC: MediaTek MT7621
  • RAM: 128 MB
  • Flash: 16 MB SPI flash
  • Ethernet: 3x10/100/1000 Mbps (2xLAN, 1xWAN)
  • WiFi: dual band, 802.11bgn + 802.11ac
Pictures

[size=1em]1280×960 43.7 KB

[size=1em]1280×960 43.5 KB

[size=1em]1280×960 166 KB

[size=1em]1280×960 51.3 KB

[size=1em]1280×960 138 KB

[size=1em]1280×960 457 KB


IMPORTANT NOTICE
This post is not a tutorial on how to flash OpenWrt on the device; I am just showing what I've discovered so far regarding this device. If you try anything on your device and void its warranty, break it, or if you injure yourself or someone else, I take no responsibility. You've been warned.
TTL UART
First thing I do is soldering some cables to the UART pins on the board and connect them to a TTL to USB adapter. I can see the usual Linux output from a router but, unfortunately, I can't interact with it: I can't stop U-Boot from booting automatically and I can't enter the command line interface once the stock firmware has booted.
Stock firmware bootlog
Here you can see the full bootloader and stock firmware bootlogs:
No SSH/Telnet on the stock firmware
The router has, by default, the address 192.168.31.1/24. I try to SSH or telnet it, but the connection is refused.
First OpenWrt support attempt
Based on the information I collect from the stock firmware bootlog, I add basic support for the device. You can see my git branch here: https://github.com/rogerpueyo/openwrt/tree/xiaomi-mi-router-4a-1000m-gigabit-edition_wip
[size=0.7579em]516

The stock firmware's web interface is a heavily modified LuCI, with a section for updating the firmware. It can search and download an image from the vendor's website, but it also allows manually uploading a firmware file. I try to upload my recently created openwrt-ramips-mt7621-xiaomi_mir4a-gigabit-squashfs-sysupgrade.bin, but the router refuses to flash it.
When the reset button is pressed during power-on, the stock bootloader starts a TFTP client to download and flash a firmware image. I set up a TFTP server on my computer and send an image file. Unfortunately, the bootloader does not like it:
Click here to see the stock U-Boot refusing the firmware image via TFTP log.Nevertheless, I've noticed that if during the TFTP file loading process I hit CTRL+C, the process stops:
TIMEOUT_COUNT=10,Load address: 0x82000000Loading: Got ARP REPLY, set server/gtwy eth addr (00:1e:00:1e:1e:b1)Got it#################################################################         ##################################Abort========Upgrade fail!========This is good! It means the UART's RX port is active and U-Boot is receiving the command.
Dumping the SPI FLASH memory
Since I am unable to get access to the console or the bootloader, neither remotely (SSH/Telnet) nor using the UART, maybe it's time to see what's inside the FLASH memory.
With a CH341 USB SPI serial programmer and an SPI clamp, which you can both buy from a well-known on-line shop, I dump the whole content of the SPI FLASH memory to my computer. To do so, I use this very nice tool: ch341prog
[size=0.7579em]210
. Here is a picture of the whole thing i action:

[size=1em]960×1280 158 KB


A small detail: the SPI FLASH chip (or the whole router board, probably) draws too much power from the CH341, so I have to add some "extra" power by connecting the programmers' 3.3V pin to the USB to TTL's 3.3V pin to somehow "sum" the total amount of power on the 3.3V rail. It's a nasty trick from the formal point of view, but does the thing.
Extracting the SPI FLASH memory content using binwalk
I use binwalk to see what's inside the router's SPI FLASH now that I have it dumped on my computer:
binwalk -e spi_flash.dump DECIMAL       HEXADECIMAL     DESCRIPTION--------------------------------------------------------------------------------97696         0x17DA0         U-Boot version string, "U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)"98248         0x17FC8         CRC32 polynomial table, little endianWARNING: Extractor.execute failed to run external extractor 'jefferson -d '%%jffs2-root%%' '%e'': [Errno 2] No such file or directory: 'jefferson'524288        0x80000         JFFS2 filesystem, little endian1572864       0x180000        uImage header, header size: 64 bytes, header CRC: 0xD8422C49, created: 2019-01-24 07:54:52, image size: 1855537 bytes, Data Address: 0x81001000, Entry Point: 0x813ECCE0, data CRC: 0xC26BDD0D, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.10.14"1572928       0x180040        LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 5458688 bytes2705694       0x29491E        COBALT boot rom data (Flat boot rom or file system)3473408       0x350000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 11348484 bytes, 2236 inodes, blocksize: 262144 bytes, created: 2019-01-24 07:54:48WARNING: Extractor.execute failed to run external extractor 'jefferson -d '%%jffs2-root%%' '%e'': [Errno 2] No such file or directory: 'jefferson'15204352      0xE80000        JFFS2 filesystem, little endianI see that the Squashfs partition contains the usual Ralink SDK based on OpenWrt 12.09.1. For instance:
$ cat _spi_flash.dump.extracted/squashfs-root/etc/openwrt_release DISTRIB_ID="OpenWrt"DISTRIB_RELEASE="Attitude Adjustment"DISTRIB_REVISION="unknown"DISTRIB_CODENAME="attitude_adjustment"DISTRIB_TARGET="ramips/mt7621"DISTRIB_DESCRIPTION="OpenWrt Attitude Adjustment 12.09.1"Modifying the U-Boot bootloader timeout with Bless
As the U-Boot bootlog above shows, the bootloader shows the usual options (booting from TFTP, flashing an image, etc.) but it does not wait for the user's command with a countdown, it boots straight ahead:
Please choose the operation:   1: Load system code to SDRAM via TFTP.   2: Load system code then write to Flash via TFTP.   3: Boot system code via Flash (default).   4: Entr boot command line interface.   7: Load Boot Loader code then write to Flash via Serial.   9: Load Boot Loader code then write to Flash via TFTP.    n3: System Boot system code via Flash.Using the Bless
[size=0.7579em]51
hex editor I open the SPI FLASH dump and find the "bootdelay" parameter at 0x19690 is set to "off":

bless1.jpg[size=1em]842×63 63.5 KB


I can change the value to something more convenient, say 5 seconds to, hopefully, be able to interact with the bootloader:

bless2.jpg[size=1em]840×74 85.8 KB


Using the ch341prog tool I erase the router's SPI FLASH chip and write the modified dump. Fortunately, the result is satisfactory and I can now stop the bootloader's countdown and interact with it:
Ralink UBoot Version: 5.0.0.0-------------------------------------------- ASIC MT7621A DualCore (MAC to MT7530 Mode)DRAM_CONF_FROM: Auto-Detection DRAM_TYPE: DDR3 DRAM bus: 16 bitXtal Mode=3 OCP Ratio=1/3Flash component: SPI FlashDate:Jan 24 2019  Time:07:46:43============================================ icache: sets:256, ways:4, linesz:32 ,total:32768dcache: sets:256, ways:4, linesz:32 ,total:32768  ##### The CPU freq = 880 MHZ ####  estimate memory size =128 Mbytes#Reset_MT7530set LAN/WAN LLLLWrestore_defaults:1Please choose the operation:    1: Load system code to SDRAM via TFTP.    2: Load system code then write to Flash via TFTP.    3: Boot system code via Flash (default).   4: Entr boot command line interface.   7: Load Boot Loader code then write to Flash via Serial.    9: Load Boot Loader code then write to Flash via TFTP.  2 You choosed 4 0    4: System Enter Boot Command Line Interface.U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)MT7621 # ??       - alias for 'help'bootm   - boot application image from memorycp      - memory copydhcp        - invoke DHCP client to obtain IP/boot paramsintena   - intenaintena   - intenaerase   - erase SPI FLASH memorygo      - start application at address 'addr'help    - print online helploadb   - load binary file over serial line (kermit mode)md      - memory displaymdio   - Ralink PHY register R/W command !!mm      - memory modify (auto-incrementing)mt   - mt cnt start sizenm      - memory modify (constant address)printenv- print environment variablesreadcnt   - readcntreset   - Perform RESET of the CPUrf      - read/write rf registersaveenv - save environment variables to persistent storagesetenv  - set environment variablesspi        - spi commandtftpboot- boot image via network using TFTP protocoltrap_init   - trap_initversion - print monitor versionAmazing!
Booting an initramfs image via TFTP
Now that I can interact with U-Boot, I can send the initramfs image I generated to the device via TFTP:
Ralink UBoot Version: 5.0.0.0-------------------------------------------- ASIC MT7621A DualCore (MAC to MT7530 Mode)DRAM_CONF_FROM: Auto-Detection DRAM_TYPE: DDR3 DRAM bus: 16 bitXtal Mode=3 OCP Ratio=1/3Flash component: SPI FlashDate:Jan 24 2019  Time:07:46:43============================================ icache: sets:256, ways:4, linesz:32 ,total:32768dcache: sets:256, ways:4, linesz:32 ,total:32768  ##### The CPU freq = 880 MHZ ####  estimate memory size =128 Mbytes#Reset_MT7530set LAN/WAN LLLLWrestore_defaults:1Please choose the operation:    1: Load system code to SDRAM via TFTP.    2: Load system code then write to Flash via TFTP.    3: Boot system code via Flash (default).   4: Entr boot command line interface.   7: Load Boot Loader code then write to Flash via Serial.    9: Load Boot Loader code then write to Flash via TFTP. You choosed 1 0    1: System Load Linux to SDRAM via TFTP.  Please Input new ones /or Ctrl-C to discard        Input device IP (192.168.31.1) ==:192.168.31.1        Input server IP (192.168.31.2) ==:192.168.31.2        Input Linux Kernel filename (test.bin) ==:test.bin NetTxPacket = 0x87FE52C0  KSEG1ADDR(NetTxPacket) = 0xA7FE52C0  NetLoop,call eth_halt !  NetLoop,call eth_init ! Trying Eth0 (10/100-M) Waitting for RX_DMA_BUSY status Start... done ETH_STATE_ACTIVE!! TFTP from server 192.168.31.2; our IP address is 192.168.31.1Filename 'test.bin'. TIMEOUT_COUNT=10,Load address: 0x80a00000Loading: Got ARP REPLY, set server/gtwy eth addr (00:1e:00:1e:1e:b1)Got it#################################################################         #################################################################         #################################################################         #################################################################         #################################################################         #################################################################         #################################################################         #################################################################         #################################################################         #################################################################         #######################################################Got ARP REQUEST, return our IP##########         #################################################################         #################################################################         ###########doneBytes transferred = 4380578 (42d7a2 hex)LoadAddr=80a00000 NetBootFileXferSize= 0042d7a2Automatic boot of image at addr 0x80A00000 ...## Booting image at 80a00000 ...   Image Name:   MIPS OpenWrt Linux-4.14.115   Image Type:   MIPS Linux Kernel Image (lzma compressed)   Data Size:    4380514 Bytes =  4.2 MB   Load Address: 80001000   Entry Point:  80001000   Verifying Checksum ... OK   Uncompressing Kernel Image ... OKErasing SPI Flash...raspi_erase: offs:30000 len:10000.Writing to SPI Flash....donecommandline uart_en=0 factory_mode=0 mem=128m root=/dev/mtdblock9No initrd## Transferring control to Linux (at address 80001000) ...## Giving linux memsize in MB, 128Starting kernel ...[    0.000000] Linux version 4.14.115 (chumba@wamba) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r9945-bc85640cdc)) #0 SMP Wed May 8 19:40:47 2019[    0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3[    0.000000] bootconsole [early0] enabled[    0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)[    0.000000] MIPS: machine is Xiaomi Mi Router 4A Gigabit Edition[    0.000000] Determined physical RAM map:[    0.000000]  memory: 08000000 @ 00000000 (usable)[    0.000000] Initrd not found or empty - disabling initrd[    0.000000] VPE topology {2,2} total 4[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes[    0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.[etc.]Please press Enter to activate this console.BusyBox v1.30.1 () built-in shell (ash)  _______                     ________        __ |       |.-----.-----.-----.|  |  |  |.----.|  |_ |   -   ||  _  |  -__|     ||  |  |  ||   _||   _| |_______||   __|_____|__|__||________||__|  |____|          |__| W I R E L E S S   F R E E D O M ----------------------------------------------------- OpenWrt SNAPSHOT, r9946-7c970cba98 -----------------------------------------------------=== WARNING! =====================================There is no root password defined on this device!Use the "passwd" command to set up a new passwordin order to prevent unauthorized SSH logins.--------------------------------------------------root@OpenWrt:/# cat /tmp/sysinfo/board_name xiaomi,mir4a-gigabitThat's very good!
Summary: what's working, what's missing
  • Working
    • SoC/RAM/FLASH detection
    • Ethernet
    • Wireless
    • Reset button
    • LEDS (1x blue, 1x orange)
  • Missing
    • Sysupgrade
    • Factory image














我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-14 08:45 | 显示全部楼层
cjfof 发表于 2020-1-12 03:04
哈哈~~感谢提醒,成功dump下flash了~~
接下来可以改bootdelay, 刷鸡~
可能我手工竹梯子不行,openwrt的那 ...

只能帮你到这了

点评

[attachimg]336551[/attachimg] 看, 进去了, 接下来慢慢找固件塞进去折腾~~ 可惜openwrt还在snapshoot阶段  详情 回复 发表于 2020-1-14 16:09
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

发表于 2020-1-14 16:09 | 显示全部楼层
tinysun 发表于 2020-1-14 08:45
只能帮你到这了



看, 进去了, 接下来慢慢找固件塞进去折腾~~
可惜openwrt还在snapshoot阶段

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?立即注册

×

点评

你是通过刷flash的方式进入的ssh吗?  详情 回复 发表于 2020-2-24 11:01
牛b,openwrt不行就自己编译一下吧。总有一款适合你。嘻嘻  详情 回复 发表于 2020-1-15 09:45
我的恩山、我的无线 The best wifi forum is right here.
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

有疑问请添加管理员QQ86788181|手机版|小黑屋|Archiver|恩山无线论坛(常州市恩山计算机开发有限公司版权所有) ( 苏ICP备05084872号 )

GMT+8, 2024-3-29 19:39

Powered by Discuz! X3.5

© 2001-2024 Discuz! Team.

| 江苏省互联网有害信息举报中心 举报信箱:js12377 | @jischina.com.cn 举报电话:025-88802724 本站不良内容举报信箱:68610888@qq.com 举报电话:0519-86695797

快速回复 返回顶部 返回列表