换了个办公室需要一个路由器,依稀记得小米路由某款有千兆+5g ac,且便宜可以刷openwrt
于是去楼下商场里随手买了个小米路由4,然而回来发现这玩意没有开发版固件,没法直接开启ssh,于是回家焊上ttl针脚,研究了一下。发现还是有办法解决的。
问题
小米路由器第一次启动后,会往uboot 配置(nvram)里写入 uart_en=0 ,这样导致uboot引导后,不接受ttl输入,只能查看,从而没法从ttl刷机了
解决办法
解决也很简单,连好ttl线,PC开启putty打开com,参数是标准 115200 8N1
进入小米路由器设置选项,选择恢复出厂设置,重启
然后看到uboot引导时候,不停按键盘 4 键(进入uboot 命令行)
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.如果不成功,则看到引导原厂固件时候,会有提示 擦除nvram (erase nvram),这时候果断拔电,再插上,就能成功进入 uboot命令行了
如果还不成功,就重复以上恢复出厂设置的操作
进入uboot命令行以后,输入:
setenv uart_en 1
saveenv这样以后uart ttl口就会一直起效了
刷机
当然我们要刷机,于是先准备好 tftpd , 下载 breed
我使用的是 breed-mt7621-xiaomi-r3g.bin ,来自 breed下载
因为r4 和r3g的区别,就是 阉割了128M内存和usb口,所以直接使用小米3g的版本即可
开启tftpd,把breed-mt7621-xiaomi-r3g.bin 重命名为 uboot.bin
设置pc ip(我这里是192.168.31.33)拔电,插电, 在引导界面 按9
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
You choosed 9然后会有一系列确认,按照你需要的修改各项
9: System Load Boot Loader then write to Flash via TFTP.
Warning!! Erase Boot Loader in Flash then burn new one. Are you sure?(Y/N)
Please Input new ones /or Ctrl-C to discard
Input device IP (192.168.31.1) ==:192.168.31.1
Input server IP (192.168.31.33) ==:192.168.31.33
Input Uboot filename (uboot.bin) ==:uboot.bin最后一项uboot.bin 回车后, 开始uboot刷机
TFTP from server 192.168.31.33; our IP address is 192.168.31.1
Filename 'uboot.bin'.
TIMEOUT_COUNT=10,Load address: 0x80100000
Loading: Got ARP REPLY, set server/gtwy eth addr (00:xx:xx:xx:xx:xx)
Got it
#####################
done
Bytes transferred = 105490 (19c12 hex)
LoadAddr=80100000 NetBootFileXferSize= 00019c12
..ranand_erase: start:0, len:20000
.(5192)offs=0 piece=0 piece_size=105490 rc=0
Done!接着会直接引导breed
Boot and Recovery Environment for Embedded Devices
Copyright (C) 2018 HackPascal <[email protected]>
Build date 2018-12-29 [git-135bed9]
Version 1.1 (r1266)
DRAM: 128MB
Platform: MediaTek MT7621A ver 1, eco 3
Board: Xiaomi R3G
Clocks: CPU: 880MHz, DDR: 1200MHz, Bus: 293MHz, Ref: 40MHz
Environment variables @ 00060000 on flash bank 0, size 00020000
Flash: Toshiba NAND 128MiB 3.3V 8-bit (128MB) on mt7621-nfi.0
mt7621-nfi.0: Found Fact BBT at block 1023 (offset 0x07fe0000)
mt7621-nfi.0: Block 768 (offset 0x06000000) is marked as bad block in Fact BBT
rt2880-eth: MAC address from EEPROM is invalid, using default settings.
rt2880-eth: Using MAC address 00:0c:43:00:00:01
eth0: MediaTek MT7530 Gigabit switch
Network started on eth0, inet addr 192.168.1.1, netmask 255.255.255.0
Press any key to interrupt autoboot ... 0这样就完成了,breed刷好了(我这新路由器,nand似乎就有一个坏块了...)
剩下的就是通用部分了,不再重复,可以搜索对应小米路由3g的 pandavan和openwrt,当然,这里最好还是按任意键停止自动启动
然后进入breed web控制台 192.168.1.1 ,清除之前的nvram设置,也可以在里面直接刷固件了,pandavan或者openwrt,都没问题
P.S. 最后还是有个小问题的,就是 r4g的交换机端口定义和 r3g 略有不同
openwrt下,需要自己改一下 /etc/config/network , wan 是 4 lan是 1,2
pandavan下 lan2和wan反了,反正能用(实际上wan是lan3),不高兴可以选择写个 启动脚本,调用switch 命令修改
但是我看了眼,比openwrt麻烦太多了...我就凑合了吧...P.S. 2 关于如何刷 openwrt
如果没有刷breed,按照openwrt wiki上小米r3g的 指引, mtd write即可
但是刷了breed就麻烦一点
小米r3g和小米4, 有两个kernel分区, openwrt里定义为 kernel_stock 和kernel
分别从 0x200000 和0x600000 开始,大小都为0x400000
breed可以在环境变量设置 xiaomi.r3g.bootfw
为1 则启动 位于 0x200000 的 kernel_stock
为2 则启动位于 0x600000 的 kernel
那么如果要从breed刷openwrt,
则首先启动到breed,在刷固件界面,刷入 r3g的 initramfs-kernel.bin
启动后,ssh连入,格式化ubifs
ubiformat /dev/mtd9接着,把 sysupgrade.bin下载到 /tmp 目录下
执行 sysupgrade -F openwrt-18.06.2-ramips-mt7621-mir3g-squashfs-sysupgrade.tar
ttl窗口会有提示信息,重启后会因为breed启动问题,停留在breed 控制台
(如果没进,捅reset 通电,5秒后放开进入breed)
在breed控制台,手动执行以下命令重刷 kernel.bin
#下载 kernel.bin 这里我在本机8090端口 开启了 http服务器
执行:
wget http://192.168.1.33:8090/mi4/openwrt-18.06.2-ramips-mt7621-mir3-squashfs-kernel1.bin
breed> wget http://192.168.1.33:8090/mi4/openwrt-18.06.2-ramips-mt7621-mir3-squashfs-kernel1.bin
wget http://192.168.1.33:8090/mi4/openwrt-18.06.2-ramips-mt7621-mir3g-squashfs-kernel1.bin
Connecting to 192.168.1.33:8090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1922059/0x1d540b (1MB) []
Saving to address 0x80001000
[========================================================================] 100%
Transmission completed in 0.9s.breed 将kernel 下载到了 内存的 0x80001000 的位置
#擦除 0x200000 和 0x600000 开始 大小 0x400000 的 nand
分别执行两条指令:
flash erase 0x200000 0x400000
flash erase 0x600000 0x400000
效果:
breed> flash erase 0x200000 0x400000
flash erase 0x200000 0x400000
Erasing flash bank 0 from 200000h , size 400000h
[========================================================================] 100%
Succeeded
breed> flash erase 0x600000 0x400000
flash erase 0x600000 0x400000 flash erase 0x600000 0x400000
Erasing flash bank 0 from 600000h , size 400000h
[========================================================================] 100%
Succeeded刷入kernel到两个位置:
执行:
flash write 0x200000 0x80001000 0x400000
flash write 0x600000 0x80001000 0x400000
效果:
breed> flash write 0x200000 0x80001000 0x400000
flash write 0x200000 0x80001000 0x400000
Writing flash bank 0 into 200000h from memory 80001000h, size 400000h
[========================================================================] 100%
Succeeded
breed> flash write 0x600000 0x80001000 0x400000
flash write 0x600000 0x80001000 0x400000
Writing flash bank 0 into 600000h from memory 80001000h, size 400000h
[========================================================================] 100%
Succeeded这样就完成了,接着,断电重启,或者直接执行 autoboot,即可引导openwrt
我这里设置 xiaomi.r3g.bootfw=2 所以从0x600000 启动了
breed> autoboot
autoboot
Trying to boot firmware from 0x00600000 in flash bank 0 ...
Reading data into memory ...
U-Boot firmware image header detected.
Image Name: MIPS OpenWrt Linux-4.14.98
Data Size: 1921995 Bytes
Load Address: 80001000
Entry Point: 80001000
Uncompressing data (LZMA) ... done.
Flushing cache ...