Hacking the XiaoMi router R4

Written on June 1, 2019 by thanh

[Photos: Xiaomi Router R4 mainboard, front and back]

Hardware

Info

  • Power: 12 VDC, 1.5 A
  • Connector type: barrel
  • CPU1: MediaTek MT7621A (880 MHz, dual-core MIPS 1004Kc with two threads per core; the kernel brings up 4 CPUs)
  • FLA1: 128 MiB NAND, ESMT (the boot log below reports manufacturer ID 0xc8, chip ID 0xd1, 2048-byte pages, 64-byte OOB)
  • RAM1: 128 MiB (ESMT M15T1G1664A)
  • WI1 chip1: MediaTek MT7603EN
  • WI1 802.11 protocols: b/g/n
  • WI1 MIMO config: 2x2:2
  • WI1 antenna connector: U.FL
  • WI2 chip1: MediaTek MT7612EN
  • WI2 802.11 protocols: a/n/ac
  • WI2 MIMO config: 2x2:2
  • WI2 antenna connector: U.FL
  • ETH chip1: MediaTek MT7621A
  • Switch: MediaTek MT7621A (integrated MT7530)
  • LAN speed: 10/100/1000
  • LAN ports: 2
  • WAN speed: 10/100/1000
  • WAN ports: 1
  • Default IP address: 192.168.31.1

https://wikidevi.com/wiki/Xiaomi_MiWiFi_4

Serial

The serial console is exposed on a row of TTL-level header pins on the mainboard; you need a 3.3 V USB-to-TTL adapter (for example one based on the CP2102). Wire the router's TX to the adapter's RX, RX to TX, GND to GND, and leave VCC unconnected, since the board is powered by its own supply:

[o] TX
[o] GND
[o] RX
[ ] VCC - Do not connect it

The communication settings are 3.3 V TTL, 115200 bps, 8N1. Out of the box the console is output-only: the factory U-Boot and firmware ignore anything you type, because the U-Boot environment variable uart_en is 0. Input is accepted only during the first boot after a factory reset; after that boot the firmware locks the console again, so the steps below have to be done inside that window.

Access Serial Port

To enable console input permanently you first have to reset the router to factory settings.

Watch the serial output during the boot that follows. When the U-Boot menu appears, press 4 to enter the U-Boot command line:

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 

If the keystroke is ignored and the router boots normally, the console is still locked: repeat the factory reset and try again during the next boot.

Once you are at the U-Boot command line, enable the console and save the environment to flash:

setenv uart_en 1
saveenv

From the next boot on the serial console accepts input (the kernel command line in the boot log below now carries uart_en=1) and drops you into a root shell without a password:

BusyBox v1.19.4 (2019-05-18 03:47:59 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

 -----------------------------------------------------
       Welcome to XiaoQiang!
 -----------------------------------------------------
  $$$$$$\  $$$$$$$\  $$$$$$$$\      $$\      $$\        $$$$$$\  $$\   $$\
 $$  __$$\ $$  __$$\ $$  _____|     $$ |     $$ |      $$  __$$\ $$ | $$  |
 $$ /  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ /  $$ |$$ |$$  /
 $$$$$$$$ |$$$$$$$  |$$$$$\         $$ |     $$ |      $$ |  $$ |$$$$$  /
 $$  __$$ |$$  __$$< $$  __|        $$ |     $$ |      $$ |  $$ |$$  $$<
 $$ |  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ |  $$ |$$ |\$$\
 $$ |  $$ |$$ |  $$ |$$$$$$$$\       $$$$$$$$$  |       $$$$$$  |$$ | \$$\
 \__|  \__|\__|  \__|\________|      \_________/        \______/ \__|  \__|


root@XiaoQiang:/#
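The sequence above (answer the menu with 4, then setenv/saveenv, then confirm on the next boot) is easy to miss by hand because the menu only waits a moment. The script below is an added example written for this page, not code from the original post or from Xiaomi; it drives the console with pyserial and keeps the decision logic in a state machine that can be tested against a captured transcript. It assumes the adapter appears as /dev/ttyUSB0 and that the U-Boot command prompt ends in "# " (the page shows the menu but not the prompt string); the menu text and the kernel command line it checks are taken from the logs on this page.

```python
import re
import sys
import time

MENU_PROMPT = b"Please choose the operation:"
# Shape of the U-Boot command prompt, e.g. "MT7621 # " (assumption: the page
# shows the menu but not the prompt string itself).
UBOOT_PROMPT_RE = re.compile(rb"\S+ # $")
CMDLINE_RE = re.compile(rb"Kernel command line: ([^\r\n]*)")
KERNEL_BANNER = b"Linux version "


class UartEnabler:
    """Console-stream state machine: feed() the bytes read from the serial
    port and get back the bytes to write.  Keeping I/O outside makes the
    logic testable against a captured transcript."""

    def __init__(self):
        # wait_menu -> wait_prompt -> setenv_sent -> saveenv_sent -> verify -> done
        self.state = "wait_menu"
        self.buf = b""
        self.uart_en = None  # filled in from the next boot's kernel command line

    def _at_prompt(self):
        return UBOOT_PROMPT_RE.search(self.buf) is not None

    def feed(self, data):
        self.buf = (self.buf + data)[-4096:]
        if self.state == "wait_menu" and MENU_PROMPT in self.buf:
            # The menu waits only a moment: answer "4" as soon as it shows up.
            self.state, self.buf = "wait_prompt", b""
            return b"4"
        if self.state == "wait_prompt":
            if self._at_prompt():
                self.state, self.buf = "setenv_sent", b""
                return b"setenv uart_en 1\n"
            if KERNEL_BANNER in self.buf:
                # The keystroke was ignored (uart_en still 0) and the kernel
                # booted: factory-reset again and retry during the next boot.
                self.state = "input_ignored"
            return b""
        if self.state == "setenv_sent" and self._at_prompt():
            self.state, self.buf = "saveenv_sent", b""
            return b"saveenv\n"
        if self.state == "saveenv_sent" and self._at_prompt():
            # Environment written.  Power-cycle the router; the next boot's
            # kernel command line proves whether the change took.
            self.state, self.buf = "verify", b""
            return b""
        if self.state == "verify":
            m = CMDLINE_RE.search(self.buf)
            if m:
                self.uart_en = b"uart_en=1" in m.group(1).split()
                self.state = "done"
        return b""


def run(port="/dev/ttyUSB0", baud=115200, timeout_s=300):
    """Drive a real serial port (needs pyserial; 8N1 is its default framing)."""
    import serial  # pip install pyserial
    machine = UartEnabler()
    deadline = time.monotonic() + timeout_s
    with serial.Serial(port, baud, timeout=0.1) as ser:
        while machine.state not in ("done", "input_ignored") and time.monotonic() < deadline:
            chunk = ser.read(256)
            if not chunk:
                continue
            sys.stdout.buffer.write(chunk)  # mirror the console for the operator
            sys.stdout.flush()
            before = machine.state
            out = machine.feed(chunk)
            if out:
                ser.write(out)
            if before != "verify" and machine.state == "verify":
                print("\n*** saveenv done: power-cycle the router now ***")
    return machine


if __name__ == "__main__":
    m = run(sys.argv[1] if len(sys.argv) > 1 else "/dev/ttyUSB0")
    print("\nresult:", m.state, "uart_en=1 seen" if m.uart_en else "uart_en=1 NOT seen")
```

Start the script before powering the router on, so the menu is caught on the first boot after the reset. The input_ignored state is the failure the text describes: if the kernel banner arrives while the script is still waiting for a prompt, the board never saw the keystroke and the reset has to be repeated.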

Bootlog

Boot log of the stock firmware miwifi_r4_firmware_8ed47_2.26.175.bin, captured on the serial console after the first boot with uart_en=1:


[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Linux version 3.10.14 ([email protected]) (gcc version 4.8.5 (crosstool-NG crosstool-ng-1.22.0) ) #1 MiWiFi-R4-2.26.175 SMP Sat May 18 04:01:02 UTC 2019
[    0.000000] 
[    0.000000]  The CPU feqenuce set to 880 MHz
[    0.000000] GCMP present
[    0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[    0.000000] Software DMA cache coherency
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x00000000-0x00ffffff]
[    0.000000]   Normal   [mem 0x01000000-0x07ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x07ffffff]
[    0.000000] Detected 3 available secondary CPU(s)
[    0.000000] Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.000000] PERCPU: Embedded 7 pages/cpu @81843000 s6912 r8192 d13568 u32768
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line: console=ttyS1,115200n8 root=/dev/mtdblock5 console=ttyS1,115200n8 root=/dev/mtdblock5 uart_en=1 factory_mode=0 usb_u3=0
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00010003
[    0.000000] Readback ErrCtl register=00010003
[    0.000000] allocated 262144 bytes of page_cgroup
[    0.000000] please try 'cgroup_disable=memory' option if you don't want memory cgroups
[    0.000000] Memory: 122132k/131072k available (4352k kernel code, 8940k reserved, 1124k data, 1620k init, 0k highmem)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000] NR_IRQS:128
[    0.000000] console [ttyS1] enabled
[    0.140000] Calibrating delay loop... 577.53 BogoMIPS (lpj=2887680)
[    0.200000] pid_max: default: 32768 minimum: 301
[    0.200000] Mount-cache hash table entries: 512
[    0.210000] Initializing cgroup subsys memory
[    0.210000] launch: starting cpu1
[    0.220000] launch: cpu1 gone!
[    0.220000] CPU1 revision is: 0001992f (MIPS 1004Kc)
[    0.220000] Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
[    0.220000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.220000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.280000] Synchronize counters for CPU 1: done.
[    0.290000] launch: starting cpu2
[    0.290000] launch: cpu2 gone!
[    0.290000] CPU2 revision is: 0001992f (MIPS 1004Kc)
[    0.290000] Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
[    0.290000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.290000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.350000] Synchronize counters for CPU 2: done.
[    0.360000] launch: starting cpu3
[    0.360000] launch: cpu3 gone!
[    0.360000] CPU3 revision is: 0001992f (MIPS 1004Kc)
[    0.360000] Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
[    0.360000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.360000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.420000] Synchronize counters for CPU 3: done.
[    0.430000] Brought up 4 CPUs
[    0.430000] devtmpfs: initialized
[    0.430000] NET: Registered protocol family 16
[    0.670000] release PCIe RST: RALINK_RSTCTRL = 7000000
[    0.670000] PCIE PHY initialize
[    0.670000] ***** Xtal 40MHz *****
[    0.680000] start MT7621 PCIe register access
[    1.130000] RALINK_RSTCTRL = 7000000
[    1.140000] RALINK_CLKCFG1 = 73ffeff8
[    1.140000] 
[    1.140000] *************** MT7621 PCIe RC mode *************
[    1.520000] pcie_link status = 0x3
[    1.520000] RALINK_RSTCTRL= 7000000
[    1.530000] *** Configure Device number setting of Virtual PCI-PCI bridge ***
[    1.540000] RALINK_PCI_PCICFG_ADDR = 21007f2 -> 21007f2
[    1.540000] PCIE0 enabled
[    1.540000] PCIE1 enabled
[    1.550000] interrupt enable status: 300000
[    1.550000] Port 1 N_FTS = 1b105000
[    1.550000] Port 0 N_FTS = 1b105000
[    1.560000] config reg done
[    1.560000] init_rt2880pci done
[    1.580000] bio: create slab <bio-0> at 0
[    1.590000] SCSI subsystem initialized
[    1.590000] PCI host bridge to bus 0000:00
[    1.600000] pci_bus 0000:00: root bus resource [mem 0x60000000-0x6fffffff]
[    1.610000] pci_bus 0000:00: root bus resource [io  0x1e160000-0x1e16ffff]
[    1.610000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    1.620000] pci 0000:00:00.0: BAR 0: can't assign mem (size 0x80000000)
[    1.630000] pci 0000:00:01.0: BAR 0: can't assign mem (size 0x80000000)
[    1.640000] pci 0000:00:00.0: BAR 8: assigned [mem 0x60000000-0x600fffff]
[    1.640000] pci 0000:00:01.0: BAR 8: assigned [mem 0x60100000-0x601fffff]
[    1.650000] pci 0000:00:01.0: BAR 9: assigned [mem 0x60200000-0x602fffff pref]
[    1.660000] pci 0000:00:00.0: BAR 1: assigned [mem 0x60300000-0x6030ffff]
[    1.660000] pci 0000:00:01.0: BAR 1: assigned [mem 0x60310000-0x6031ffff]
[    1.670000] pci 0000:01:00.0: BAR 0: assigned [mem 0x60000000-0x600fffff]
[    1.680000] pci 0000:00:00.0: PCI bridge to [bus 01]
[    1.680000] pci 0000:00:00.0:   bridge window [mem 0x60000000-0x600fffff]
[    1.690000] pci 0000:02:00.0: BAR 0: assigned [mem 0x60100000-0x601fffff 64bit]
[    1.700000] pci 0000:02:00.0: BAR 6: assigned [mem 0x60200000-0x6020ffff pref]
[    1.700000] pci 0000:00:01.0: PCI bridge to [bus 02]
[    1.710000] pci 0000:00:01.0:   bridge window [mem 0x60100000-0x601fffff]
[    1.710000] pci 0000:00:01.0:   bridge window [mem 0x60200000-0x602fffff pref]
[    1.720000] BAR0 at slot 0 = 0
[    1.730000] bus=0x0, slot = 0x0
[    1.730000] res[0]->start = 0
[    1.730000] res[0]->end = 0
[    1.730000] res[1]->start = 60300000
[    1.740000] res[1]->end = 6030ffff
[    1.740000] res[2]->start = 0
[    1.740000] res[2]->end = 0
[    1.750000] res[3]->start = 0
[    1.750000] res[3]->end = 0
[    1.750000] res[4]->start = 0
[    1.760000] res[4]->end = 0
[    1.760000] res[5]->start = 0
[    1.760000] res[5]->end = 0
[    1.760000] BAR0 at slot 1 = 0
[    1.770000] bus=0x0, slot = 0x1
[    1.770000] res[0]->start = 0
[    1.770000] res[0]->end = 0
[    1.780000] res[1]->start = 60310000
[    1.780000] res[1]->end = 6031ffff
[    1.780000] res[2]->start = 0
[    1.790000] res[2]->end = 0
[    1.790000] res[3]->start = 0
[    1.790000] res[3]->end = 0
[    1.790000] res[4]->start = 0
[    1.800000] res[4]->end = 0
[    1.800000] res[5]->start = 0
[    1.800000] res[5]->end = 0
[    1.810000] bus=0x1, slot = 0x0, irq=0x4
[    1.810000] res[0]->start = 60000000
[    1.810000] res[0]->end = 600fffff
[    1.820000] res[1]->start = 0
[    1.820000] res[1]->end = 0
[    1.820000] res[2]->start = 0
[    1.820000] res[2]->end = 0
[    1.830000] res[3]->start = 0
[    1.830000] res[3]->end = 0
[    1.830000] res[4]->start = 0
[    1.840000] res[4]->end = 0
[    1.840000] res[5]->start = 0
[    1.840000] res[5]->end = 0
[    1.840000] bus=0x2, slot = 0x1, irq=0x18
[    1.850000] res[0]->start = 60100000
[    1.850000] res[0]->end = 601fffff
[    1.860000] res[1]->start = 0
[    1.860000] res[1]->end = 0
[    1.860000] res[2]->start = 0
[    1.860000] res[2]->end = 0
[    1.870000] res[3]->start = 0
[    1.870000] res[3]->end = 0
[    1.870000] res[4]->start = 0
[    1.880000] res[4]->end = 0
[    1.880000] res[5]->start = 0
[    1.880000] res[5]->end = 0
[    1.890000] cfg80211: Calling CRDA to update world regulatory domain
[    1.890000] Switching to clocksource MIPS
[    1.900000] NET: Registered protocol family 2
[    1.900000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[    1.910000] TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
[    1.920000] TCP: Hash tables configured (established 1024 bind 1024)
[    1.920000] TCP: reno registered
[    1.930000] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    1.930000] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    1.940000] NET: Registered protocol family 1
[    3.010000] 4 CPUs re-calibrate udelay(lpj = 2924544)
[    3.040000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    3.040000] msgmni has been set to 238
[    3.050000] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
[    3.050000] io scheduler noop registered (default)
[    3.060000] MIWIFI panic notifier registeredreg_int_mask=0, INT_MASK= 0 
[    3.070000] HSDMA_init
[    3.070000] 
[    3.070000]  hsdma_phy_tx_ring0 = 0x00c00000, hsdma_tx_ring0 = 0xa0c00000
[    3.080000] 
[    3.080000]  hsdma_phy_rx_ring0 = 0x00c04000, hsdma_rx_ring0 = 0xa0c04000
[    3.090000] TX_CTX_IDX0 = 0
[    3.090000] TX_DTX_IDX0 = 0
[    3.090000] RX_CRX_IDX0 = 3ff
[    3.090000] RX_DRX_IDX0 = 0
[    3.100000] set_fe_HSDMA_glo_cfg
[    3.100000] HSDMA_GLO_CFG = 465
[    3.100000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    3.110000] serial8250: ttyS0 at MMIO 0x1e000d00 (irq = 27) is a 16550A
[    3.120000] serial8250: ttyS1 at MMIO 0x1e000c00 (irq = 26) is a 16550A
[    3.130000] led=10, on=4000, off=1, blinks,=1, reset=1, time=4000
[    3.130000] Ralink gpio driver initialized
[    3.140000] brd: module loaded
[    3.140000] MediaTek Nand driver init, version v2.1 Fix AHB virt2phys error
[    3.150000] Allocate 16 byte aligned buffer: 81720500
[    3.150000] Enable NFI Clock
[    3.160000] # MTK NAND # : Use HW ECC
[    3.160000] NAND ID [C8 D1 80 95 40, 00809540]
[    3.160000] NAND ECC: Controller
[    3.170000] Device found in MTK table, ID: c8d1, EXT_ID: 809540
[    3.170000] Support this Device in MTK table! c8d1 

[    3.180000] NAND device: Manufacturer ID: 0xc8, Chip ID: 0xd1 (ESMT NAND 128MiB 3,3V 8-bit), 128MiB, page size: 2048, OOB size: 64
[    3.190000] [NAND]select ecc bit:4, sparesize :64 spare_per_sector=16
[    3.200000] Scanning device for bad blocks
[    3.340000] Signature matched and data read!
[    3.350000] load_fact_bbt success 1023
[    3.350000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[    3.360000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[    3.370000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[    3.380000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[    3.390000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[    3.400000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[    3.410000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[    3.420000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[    3.430000] Creating 14 MTD partitions on "MT7621-NAND":
[    3.440000] 0x000000000000-0x000007f80000 : "ALL"
[    3.440000] 0x000000000000-0x000000080000 : "Bootloader"
[    3.450000] 0x000000080000-0x0000000c0000 : "Config"
[    3.460000] 0x0000000c0000-0x000000100000 : "Bdata"
[    3.460000] 0x000000100000-0x000000140000 : "Factory"
[    3.470000] 0x000000140000-0x000000180000 : "crash"
[    3.470000] 0x000000180000-0x0000001c0000 : "crash_syslog"
[    3.480000] 0x0000001c0000-0x000000200000 : "cfg_bak"
[    3.490000] 0x000000200000-0x000000600000 : "kernel0"
[    3.490000] 0x000000600000-0x000000a00000 : "kernel1"
[    3.500000] 0x000000a00000-0x000002400000 : "rootfs0"
[    3.510000] 0x000002400000-0x000003e00000 : "rootfs1"
[    3.510000] 0x000003e00000-0x000006400000 : "overlay"
[    3.520000] 0x000006400000-0x000007f80000 : "obr"
[    3.530000] [mtk_nand] probe successfully!
[    3.530000] PPP generic driver version 2.4.2
[    3.540000] PPP BSD Compression module registered
[    3.540000] PPP Deflate Compression module registered
[    3.550000] PPP MPPE Compression module registered
[    3.550000] NET: Registered protocol family 24
[    3.550000] PPTP driver version 0.8.5
[    3.560000] ps: can't get major 253
[    3.560000] GMAC1_MAC_ADRH -- : 0x0000ec41
[    3.570000] GMAC1_MAC_ADRL -- : 0x18248a5b
[    3.570000] Ralink APSoC Ethernet Driver Initilization. v3.1  1024 rx/tx descriptors allocated, mtu = 1500!
[    3.580000] GMAC1_MAC_ADRH -- : 0x0000ec41
[    3.580000] GMAC1_MAC_ADRL -- : 0x18248a5b
[    3.590000] PROC INIT OK!
[    3.590000] softdog: Software Watchdog Timer: 0.08 initialized. soft_noboot=0 soft_margin=60 sec soft_panic=0 (nowayout=0)
[    3.600000] Netfilter messages via NETLINK v0.30.
[    3.610000] nfnl_acct: registering with nfnetlink.
[    3.610000] nf_conntrack version 0.5.0 (1908 buckets, 7632 max)
[    3.620000] ipip: IPv4 over IPv4 tunneling driver
[    3.630000] gre: GRE over IPv4 demultiplexor driver
[    3.630000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    3.640000] Type=Restricted Cone
[    3.640000] TCP: cubic registered
[    3.640000] NET: Registered protocol family 10
[    3.650000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[    3.660000] NET: Registered protocol family 17
[    3.660000] l2tp_core: L2TP core driver, V2.0
[    3.660000] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[    3.670000] l2tp_netlink: L2TP netlink interface
[    3.670000] 8021q: 802.1Q VLAN Support v1.8
[    3.680000] Failed to lock mtd reserved0
[    3.690000] FLASH ID: [C8 D1 80 95 40] 
[    3.690000] MIQEF register done
[    3.700000] Freeing unused kernel memory: 1620K (8155b000 - 816f0000)
[    3.700000] csd: CSD deadlock debugging initiated!
[    3.760000] Loading essential drivers...
[    3.770000] Press Ctrl+C to enter RAMFS...
mknod: /dev/gpio: File exists
[    4.820000] Bringup the system...
[    4.830000] flag_boot_rootfs=1 mounting /dev/mtd11
[    4.840000] UBI: attaching mtd11 to ubi0
[    5.080000] UBI: scanning is finished
[    5.100000] UBI: attached mtd11 (name "rootfs1", size 26 MiB) to ubi0
[    5.110000] UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    5.120000] UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    5.120000] UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
[    5.130000] UBI: good PEBs: 208, bad PEBs: 0, corrupted PEBs: 0
[    5.140000] UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
[    5.140000] UBI: max/mean erase counter: 2/2, WL threshold: 4096, image sequence number: 761578281
[    5.150000] UBI: available PEBs: 87, total reserved PEBs: 121, PEBs reserved for bad PEB handling: 20
[    5.160000] UBI: background thread "ubi_bgt0d" started, PID 375
UBI device number 0, total 208 LEBs (26411008 bytes, 25.2 MiB), available 87 LEBs (11046912 bytes, 10.5 MiB), LEB size 126976 bytes (124.0 KiB)
config core 'version'
# ROM ver
option ROM '2.26.175'
# channel
option CHANNEL 'release'
# hardware platform R1AC or R1N etc.
option HARDWARE 'R4'
# CFE ver
option UBOOT '1.0.2'
# Linux Kernel ver
option LINUX '0.0.1'
# RAMFS ver
option RAMFS '0.0.1'
# SQUASHFS ver
option SQAFS '0.0.1'
# ROOTFS ver
option ROOTFS '0.0.1'
#build time
option BUILDTIME 'Sat, 18 May 2019 03:51:10 +0000'
#build timestamp
option BUILDTS '1558151470'
#build git tag
option GTAG 'commit 0e005b9bdcd5c2330c956869186585dbda287d37'
mount: mounting proc on /proc failed: Device or resource busy
mount: mounting sysfs on /sys failed: Device or resource busy
[    6.400000] FFFFFFEC:41:18:24:FFFFFF8A:5B
[    6.400000] Raeth v3.1 (Tasklet)
[    6.410000] set CLK_CFG_0 = 0x40a00020!!!!!!!!!!!!!!!!!!1
[    6.420000] phy_free_head is 0xc08000!!!
[    6.420000] phy_free_tail_phy is 0xc09ff0!!!
[    6.420000] txd_pool=a0c10000 phy_txd_pool=00C10000
[    6.430000] ei_local->skb_free start address is 0x877626dc.
[    6.430000] free_txd: 00c10010, ei_local->cpu_ptr: 00C10000
[    6.440000]  POOL  HEAD_PTR | DMA_PTR | CPU_PTR 
[    6.440000] ----------------+---------+--------
[    6.450000]      0xa0c10000 0x00C10000 0x00C10000
[    6.450000] 
[    6.450000] phy_qrx_ring = 0x00c0a000, qrx_ring = 0xa0c0a000
[    6.460000] 
[    6.460000] phy_rx_ring0 = 0x00c0c000, rx_ring0 = 0xa0c0c000
[    6.490000] MT7530 Reset Completed!!
[    6.500000] change HW-TRAP to 0x17c8f
[    6.510000] set LAN/WAN LLLLW
[    6.510000] GMAC1_MAC_ADRH -- : 0x0000ec41
[    6.520000] GMAC1_MAC_ADRL -- : 0x18248a5b
[    6.520000] GDMA2_MAC_ADRH -- : 0x0000ec41
[    6.530000] GDMA2_MAC_ADRL -- : 0x18248a5c
[    6.530000] eth1: ===> VirtualIF_open
[    6.540000] MT7621 GE2 link rate to 1G
[    6.540000] CDMA_CSG_CFG = 81000000
[    6.540000] GDMA1_FWD_CFG = 20710000
[    6.550000] GDMA2_FWD_CFG = 20710000
- preinit -
Sat May 18 04:01:02 UTC 2019
Unlocking overlay ...
Erasing overlay ...
Unlocking cfg_bak ...
Erasing cfg_bak ...
start nvram clear.....
nvram clear...Done!
- regular preinit -
/lib/preinit.sh: line 1: pi_indicate_led: not found
overlay appears erased
flag_format_overlay is set, format
ubiformat: mtd12 (nand), size 39845888 bytes (38.0 MiB), 304 eraseblocks of 131072 bytes (128.0 KiB), min. I/O size 2048 bytes

libscan: scanning eraseblock 0 --  0 % complete  
libscan: scanning eraseblock 1 --  0 % complete  
<truncated>
libscan: scanning eraseblock 303 -- 100 % complete  
ubiformat: 304 eraseblocks are supposedly empty

ubiformat: formatting eraseblock 0 --  0 % complete  
ubiformat: formatting eraseblock 1 --  0 % complete  

[    9.980000] ESW: Link Status Changed - Port1 Link UP,1000Mbps,Full Duplex
[   11.170000] UBI: attaching mtd12 to ubi1

<truncated> 
ubiformat: formatting eraseblock 302 -- 99 % complete  
ubiformat: formatting eraseblock 303 -- 100 % complete  
[   11.530000] UBI: scanning is finished
[   11.540000] UBI: attached mtd12 (name "overlay", size 38 MiB) to ubi1
[   11.550000] UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[   11.560000] UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[   11.560000] UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
[   11.570000] UBI: good PEBs: 304, bad PEBs: 0, corrupted PEBs: 0
[   11.580000] UBI: user volume: 0, internal volumes: 1, max. volumes count: 128
[   11.580000] UBI: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 746306654
[   11.590000] UBI: available PEBs: 280, total reserved PEBs: 24, PEBs reserved for bad PEB handling: 20
[   11.600000] UBI: background thread "ubi_bgt1d" started, PID 628
UBI device number 1, total 304 LEBs (38600704 bytes, 36.8 MiB), available 280 LEBs (35553280 bytes, 33.9 MiB), LEB size 126976 bytes (124.0 KiB)
Set volume size to 35553280
Volume ID 0, size 280 LEBs (35553280 bytes, 33.9 MiB), LEB size 126976 bytes (12[   11.690000] UBI: detaching mtd12 from ubi1
4.0 KiB), dynami[   11.700000] UBI: mtd12 is detached from ubi1
c, name "data", alignment 1
[   11.710000] UBI: attaching mtd12 to ubi1
[   12.060000] UBI: scanning is finished
[   12.080000] UBI: attached mtd12 (name "overlay", size 38 MiB) to ubi1
[   12.090000] UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[   12.100000] UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[   12.100000] UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
[   12.110000] UBI: good PEBs: 304, bad PEBs: 0, corrupted PEBs: 0
[   12.110000] UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
[   12.120000] UBI: max/mean erase counter: 1/0, WL threshold: 4096, image sequence number: 746306654
[   12.130000] UBI: available PEBs: 0, total reserved PEBs: 304, PEBs reserved for bad PEB handling: 20
[   12.140000] UBI: background thread "ubi_bgt1d" started, PID 634
UBI device number 1, total 304 LEBs (38600704 bytes, 36.8 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
[   12.170000] UBIFS: default file-system created
[   12.170000] UBIFS: background thread "ubifs_bgt1_0" started, PID 638
[   12.280000] UBIFS: mounted UBI device 1, volume 0, name "data"
[   12.290000] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[   12.300000] UBIFS: FS size: 34283520 bytes (32 MiB, 270 LEBs), journal size 1777664 bytes (1 MiB, 14 LEBs)
[   12.310000] UBIFS: reserved for root: 1619295 bytes (1581 KiB)
[   12.310000] UBIFS: media format: w4/r0 (latest is w4/r0), UUID C8AD5458-1C13-4445-AA89-6137DEF0A83E, small LPT model
/lib/preinit.sh: line 1: jffs2_not_mounted: not found
- init -
[   13.560000] ra2880stop()...Done
[   13.560000] eth1: ===> VirtualIF_close
[   13.570000] Free TX/RX Ring Memory!

init started: BusyBox v1.19.4 (2019-05-18 03:47:59 UTC)

Please press Enter to activate this console. rcS S boot: INFO: rc script run time limit to 65 seconds.
[   13.750000] MIWIFI crash syslog initialized
[   14.700000] tun: Universal TUN/TAP device driver, 1.6
[   14.710000] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
[   14.720000] Mirror/redirect action on
[   14.750000] u32 classifier
[   14.750000]     input device check on
[   14.760000]     Actions configured
[   14.920000] ip_gre: GRE over IPv4 tunneling driver
[   14.960000] xt_time: kernel timezone is +0800
[   15.350000] nf_nat_amanda: Unknown symbol nf_nat_amanda_hook (err 0)
[   15.490000] ip_set: protocol 6
[   15.540000] Traffic lan port is eth0 
[   15.600000] dev_redirect OFF.dev_redirect load success. 
[   16.130000] <-- RTMPAllocTxRxRingMemory, Status=0, ErrorValue=0x
[   16.140000] <-- RTMPAllocAdapterBlock, Status=0
[   16.660000] <-- RTMPAllocTxRxRingMemory, Status=0
[   16.670000] <-- RTMPAllocAdapterBlock, Status=0
[   16.670000] pAd->CSRBaseAddress =0xc0f80000, csr_addr=0xc0f80000!
[   16.680000] <dbg> MAC_CSR0=1986146304, RtmpChipOpsHook
[   16.690000] <dbg> dev idx = 1!
[   16.690000] <dbg> get_dev_config_idx pAd->MACVersion = 76623000, pAd->ChipID = 76120044
Sat May 18 12:01:12 CST 2019 netconfig[1015]: #### Loopback configuration
Sat May 18 12:01:12 CST 2019 netconfig[1015]: config interface loopback
Sat May 18 12:01:12 CST 2019 netconfig[1015]: option ifnamelo
Sat May 18 12:01:12 CST 2019 netconfig[1015]: option protostatic
Sat May 18 12:01:12 CST 2019 netconfig[1015]: option ipaddr127.0.0.1
Sat May 18 12:01:12 CST 2019 netconfig[1015]: option netmask255.0.0.0
Sat May 18 12:01:12 CST 2019 netconfig[1015]: #### LAN configuration
Sat May 18 12:01:12 CST 2019 netconfig[1015]: config interface lan
Sat May 18 12:01:12 CST 2019 netconfig[1015]: option ifnameeth0
Sat May 18 12:01:12 CST 2019 netconfig[1015]: option typebridge
Sat May 18 12:01:12 CST 2019 netconfig[1015]: option protostatic
Sat May 18 12:01:13 CST 2019 netconfig[1015]: option ipaddr192.168.31.1
Sat May 18 12:01:13 CST 2019 netconfig[1015]: option netmask255.255.255.0
Sat May 18 12:01:13 CST 2019 netconfig[1015]: #### WAN configuration
Sat May 18 12:01:13 CST 2019 netconfig[1015]: config interface wan
Sat May 18 12:01:13 CST 2019 netconfig[1015]: option ifnameeth1
Sat May 18 12:01:13 CST 2019 netconfig[1015]: option protodhcp
Sat May 18 12:01:13 CST 2019 netconfig[1015]: #### IFB interface for MiQoS
Sat May 18 12:01:13 CST 2019 netconfig[1015]: config interface ifb
Sat May 18 12:01:13 CST 2019 netconfig[1015]: option ifname ifb0
Sat May 18 12:01:13 CST 2019 netconfig[1015]: #### READY configuration
Sat May 18 12:01:13 CST 2019 netconfig[1015]: config interface ready
Sat May 18 12:01:13 CST 2019 netconfig[1015]: option proto    static
Sat May 18 12:01:13 CST 2019 netconfig[1015]: option ipaddr   169.254.29.1
Sat May 18 12:01:13 CST 2019 netconfig[1015]: option netmask  255.255.255.0
[   20.770000] FFFFFFEC:41:18:24:FFFFFF8A:5B
[   20.770000] Raeth v3.1 (Tasklet)
[   20.780000] set CLK_CFG_0 = 0x40a00020!!!!!!!!!!!!!!!!!!1
[   20.790000] phy_free_head is 0xc46000!!!
[   20.790000] phy_free_tail_phy is 0xc47ff0!!!
[   20.790000] txd_pool=a0c50000 phy_txd_pool=00C50000
[   20.800000] ei_local->skb_free start address is 0x877626dc.
[   20.800000] free_txd: 00c50010, ei_local->cpu_ptr: 00C50000
[   20.810000]  POOL  HEAD_PTR | DMA_PTR | CPU_PTR 
[   20.820000] ----------------+---------+--------
[   20.820000]      0xa0c50000 0x00C50000 0x00C50000
[   20.820000] 
[   20.820000] phy_qrx_ring = 0x00c45000, qrx_ring = 0xa0c45000
[   20.830000] 
[   20.830000] phy_rx_ring0 = 0x00c58000, rx_ring0 = 0xa0c58000
[   20.860000] MT7530 Reset Completed!!
[   20.870000] change HW-TRAP to 0x17c8f
[   20.880000] set LAN/WAN LLLLW
[   20.890000] GMAC1_MAC_ADRH -- : 0x0000ec41
[   20.890000] GMAC1_MAC_ADRL -- : 0x18248a5b
[   20.890000] eth1: ===> VirtualIF_open
[   20.900000] MT7621 GE2 link rate to 1G
[   20.900000] CDMA_CSG_CFG = 81000000
[   20.900000] GDMA1_FWD_CFG = 20710000
[   20.910000] GDMA2_FWD_CFG = 20710000
[   20.910000] device eth0 entered promiscuous mode
[   20.920000] br-lan: port 1(eth0) entered forwarding state
[   20.920000] br-lan: port 1(eth0) entered forwarding state
[   20.940000] eth1: ===> VirtualIF_open
[   21.340000] efuse_probe: efuse = 10000002
[   21.520000] tssi_1_target_pwr_g_band = 36
[   22.930000] br-lan: port 1(eth0) entered forwarding state
[   24.150000] <==== rt28xx_init, Status=0
[   24.440000] ESW: Link Status Changed - Port1 Link UP,1000Mbps,Full Duplex
[   24.850000] device wl1 entered promiscuous mode
[   24.860000] br-lan: port 2(wl1) entered forwarding state
[   24.860000] br-lan: port 2(wl1) entered forwarding state
[   24.890000] ##### mbss_cr_enable, BssId = 1
[   25.790000] <dbg> MAC_CSR0=1986146304, rtmp_asic_top_init
[   25.830000] Set defult RDRegion value:  CountryCode=CN , RDRegion=0
[   26.860000] br-lan: port 2(wl1) entered forwarding state
[   28.180000] <==== rt28xx_init, Status=0
[   28.910000] device wl0 entered promiscuous mode
[   28.910000] br-lan: port 3(wl0) entered forwarding state
[   28.920000] br-lan: port 3(wl0) entered forwarding state
[   29.880000] dev_redirect: add(+) dev redirect mapping: src:eth1->dst:ifb0
[   30.920000] br-lan: port 3(wl0) entered forwarding state
[   32.430000] nf_tcp_proxy: module license 'Proprietary' taints kernel.
[   32.440000] Disabling lock debugging due to kernel taint
[   32.450000] tcpproxy_keyinfo_proc_init, create keyinfo proc entry ok!
[   32.450000] tcpproxy_init, succeed!
[   32.520000] Ralink HW NAT Module Enabled
[   32.530000] eth0 ifindex =3
[   32.530000] eth1 ifindex =5
[   32.530000] HNAT: switch HNAT ON.....
[   32.540000] *hwnat reg dev ******* set dev[lo]->ifindex = 1
[   32.540000] *hwnat reg dev ******* set dev[ifb0]->ifindex = 2
[   32.550000] *hwnat reg dev ******* set dev[tunl0]->ifindex = 4
[   32.550000] *hwnat reg dev ******* set dev[gre0]->ifindex = 6
[   32.560000] *hwnat reg dev ******* set dev[gretap0]->ifindex = 7
[   32.570000] *hwnat reg dev ******* set dev[wl1]->ifindex = 8
[   32.570000] *hwnat reg dev ******* set dev[wl0]->ifindex = 9
[   32.580000] *hwnat reg dev ******* set dev[br-lan]->ifindex = 10
[   32.580000] *hwnat reg dev ******* set dev[wl2]->ifindex = 11
[   32.590000] *hwnat reg dev ******* set dev[wl3]->ifindex = 12
[   32.590000] *hwnat reg dev ******* set dev[apcli0]->ifindex = 13
[   32.600000] *hwnat reg dev ******* set dev[apclii0]->ifindex = 14
[   32.670000] HNAT: switch HNAT ON.....
Sat May 18 12:01:28 CST 2019 boot_check[3132]: INFO: Wireless OK
[   36.000000] dev_redirect: add(+) dev redirect mapping: src:eth1->dst:ifb0
[   40.360000] dev_redirect OFF.
[   42.110000] dev_redirect OFF.
[   54.530000] dev_redirect OFF.rcS S boot: INFO: rcS S boot timing 41 seconds.
Sat May 18 12:01:51 CST 2019 INFO: rcS S boot timing 41 seconds.
rcS S boot: system type(R4/2): SQUASH/3
Sat May 18 12:01:51 CST 2019 system type(R4/2): SQUASH/3
rcS S boot: ROOTFS: /dev/mtdblock14 on / type squashfs (ro,relatime)
Sat May 18 12:01:51 CST 2019 ROOTFS: /dev/mtdblock14 on / type squashfs (ro,relatime)
led=6, on=1, off=4000, blinks,=1, reset=1, time=4000
[   56.510000] led=10, on=1, off=4000, blinks,=1, reset=1, time=4000
[   56.520000] led=8, on=4000, off=1, blinks,=1, reset=1, time=4000
uci: Entry not found
Sat May 18 12:01:52 CST 2019 boot_check[5958]: Booting up finished.
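The most useful part of that log for anyone about to reflash the device is the MTD partition table: it says which /dev/mtdN holds the bootloader, the calibration data and the two kernel/rootfs slots. The script below is an added example for this page, not code from the firmware or from the original post. It parses the fourteen partition lines (copied from the log above), checks that the layout is sane, resolves the slot selected by flag_boot_rootfs, and prints the BusyBox dd commands this example suggests for backing up the bootloader and the small config/calibration partitions before anything overwrites them; that backup list is this example's recommendation, not a procedure documented by Xiaomi.

```python
import re
from dataclasses import dataclass

# The 14 partition lines, copied from the boot log above.
SAMPLE_LOG = """\
[    3.430000] Creating 14 MTD partitions on "MT7621-NAND":
[    3.440000] 0x000000000000-0x000007f80000 : "ALL"
[    3.440000] 0x000000000000-0x000000080000 : "Bootloader"
[    3.450000] 0x000000080000-0x0000000c0000 : "Config"
[    3.460000] 0x0000000c0000-0x000000100000 : "Bdata"
[    3.460000] 0x000000100000-0x000000140000 : "Factory"
[    3.470000] 0x000000140000-0x000000180000 : "crash"
[    3.470000] 0x000000180000-0x0000001c0000 : "crash_syslog"
[    3.480000] 0x0000001c0000-0x000000200000 : "cfg_bak"
[    3.490000] 0x000000200000-0x000000600000 : "kernel0"
[    3.490000] 0x000000600000-0x000000a00000 : "kernel1"
[    3.500000] 0x000000a00000-0x000002400000 : "rootfs0"
[    3.510000] 0x000002400000-0x000003e00000 : "rootfs1"
[    3.510000] 0x000003e00000-0x000006400000 : "overlay"
[    3.520000] 0x000006400000-0x000007f80000 : "obr"
"""

PART_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')
FLASH_SIZE = 128 * 1024 * 1024  # 128 MiB NAND (boot log)
ERASE_BLOCK = 128 * 1024        # PEB size 131072 bytes (UBI lines in the log)


@dataclass(frozen=True)
class Partition:
    index: int  # /dev/mtd<index>: the kernel numbers them in creation order
    name: str
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start

    @property
    def dev(self):
        return "/dev/mtd%d" % self.index


def parse_mtd_table(log):
    """Pull the 'start-end : "name"' lines out of dmesg text, in order."""
    parts = []
    for line in log.splitlines():
        m = PART_RE.search(line)
        if m:
            parts.append(Partition(len(parts), m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    return parts


def check_layout(parts):
    """Return a list of problems (empty means the table is sane): every
    partition erase-block aligned and inside the chip, and the real
    partitions (everything but the whole-chip alias 'ALL') contiguous."""
    problems = []
    for p in parts:
        if p.start % ERASE_BLOCK or p.end % ERASE_BLOCK:
            problems.append("%s: not erase-block aligned" % p.name)
        if p.end > FLASH_SIZE or p.start >= p.end:
            problems.append("%s: bad extent" % p.name)
    real = [p for p in parts if p.name != "ALL"]
    for a, b in zip(real, real[1:]):
        if b.start != a.end:
            problems.append("%s/%s: %s" % (a.name, b.name, "overlap" if b.start < a.end else "gap"))
    return problems


def active_slot(parts, flag_boot_rootfs):
    """The firmware keeps two kernel/rootfs pairs and picks one at boot;
    the log shows 'flag_boot_rootfs=1 mounting /dev/mtd11'."""
    by_name = {p.name: p for p in parts}
    return by_name["kernel%d" % flag_boot_rootfs], by_name["rootfs%d" % flag_boot_rootfs]


# Partitions worth copying before the bootloader is replaced (this example's
# suggestion, not a Xiaomi-documented procedure): the bootloader itself and
# the small config/calibration areas in front of the kernel slots.
BACKUP_BEFORE_BOOTLOADER_FLASH = ("Bootloader", "Config", "Bdata", "Factory")


def backup_commands(parts, names=BACKUP_BEFORE_BOOTLOADER_FLASH, dest="/tmp"):
    """BusyBox dd lines for the root shell; /tmp is RAM-backed, so copy the
    files off the router before rebooting."""
    by_name = {p.name: p for p in parts}
    return ["dd if=%s of=%s/%s.bin bs=%d count=%d"
            % (by_name[n].dev, dest, n, ERASE_BLOCK, by_name[n].size // ERASE_BLOCK) for n in names]


if __name__ == "__main__":
    table = parse_mtd_table(SAMPLE_LOG)
    for p in table:
        print("%-12s %-14s %#010x-%#010x %6d KiB" % (p.dev, p.name, p.start, p.end, p.size // 1024))
    print("layout problems:", check_layout(table) or "none")
    print("active slot for flag_boot_rootfs=1:", [p.dev for p in active_slot(table, 1)])
    print("\n".join(backup_commands(table)))
```

Two things the table makes visible. "ALL" stops at 0x7f80000 although the chip is 0x8000000 bytes: the last 512 KiB (four erase blocks) sits outside every partition, and the Breed log further down reports the factory bad-block table at block 1023 (offset 0x07fe0000), inside that reserved tail. And the root device the init scripts report at the end of the log, /dev/mtdblock14, is not in this table at all; the kernel command line's root=/dev/mtdblock5 would be the crash partition here and is evidently not what gets mounted. The RAMFS init picks the slot from flag_boot_rootfs and attaches rootfs1 (mtd11) as a UBI device, and mtd14 is most likely the MTD view of that UBI volume, which is an inference from the log rather than something the page states.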

Install uboot mod (Breed uBoot)

The R4 is a cut-down R3G: the same MT7621A and 128 MiB of NAND, but only 128 MiB of RAM and no USB port. The Breed build for the Xiaomi Router 3G therefore runs on it unchanged (its banner, shown below, still reports "Board: Xiaomi R3G").

TFTP server (Windows): http://tftpd32.jounin.net/tftpd32_download.html

Breed: https://breed.hackpascal.net/breed-mt7621-xiaomi-r3g.bin. Rename it to uboot.bin and put it in the directory the TFTP server serves. This is the one step on this page that can leave the router unbootable: option 9 erases the Bootloader partition and then writes the new image, and nothing else on the board can reload a bootloader if that image is wrong or incomplete. Compare the byte count U-Boot prints after the transfer with the size of the file you downloaded before you let it finish.

Power off the router and give the PC's LAN interface a static address in the router's subnet, for example 192.168.31.33 (the U-Boot prompts below default to that pair of addresses).

Power the router on and, when the U-Boot menu appears on the serial console, press 9:

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 
You choosed 9

U-Boot then asks for the two addresses and the filename; accept the defaults or change them as needed:

9: System Load Boot Loader then write to Flash via TFTP. 
 Warning!! Erase Boot Loader in Flash then burn new one. Are you sure?(Y/N)
 Please Input new ones /or Ctrl-C to discard
        Input device IP (192.168.31.1) ==:192.168.31.1 <--- IP of router
        Input server IP (192.168.31.33) ==:192.168.31.33 <--- IP of your PC/laptop
        Input Uboot filename (uboot.bin) ==:uboot.bin

After you confirm the filename, U-Boot fetches the image over TFTP and writes it to the Bootloader partition. Do not power off the router until it prints Done!:

TFTP from server 192.168.31.33; our IP address is 192.168.31.1
Filename 'uboot.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80100000
Loading: Got ARP REPLY, set server/gtwy eth addr (00:xx:xx:xx:xx:xx)
Got it
#####################
done
Bytes transferred = 105490 (19c12 hex)
LoadAddr=80100000 NetBootFileXferSize= 00019c12
..ranand_erase: start:0, len:20000 
.(5192)offs=0 piece=0 piece_size=105490 rc=0
Done!
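Option 9 only needs a TFTP server that answers a single read request, and on Linux or macOS it is simpler to run a small one than to find a tftpd32 equivalent. The server below is an added example for this page, not part of the original post, of Breed or of U-Boot. It implements the read side of RFC 1350 in octet mode: it serves only the names you put in an allow-list (so a request can never reach any other file on the PC), refuses writes, answers each transfer from its own port as TFTP requires, and resends a block until the client acknowledges it. It assumes the PC's LAN address is 192.168.31.33 as set up above and that U-Boot asks for plain 512-byte blocks without TFTP options, which is what the transfer log above shows.

```python
import os
import socket
import struct
import sys

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # RFC 1350 block size; U-Boot's default


def parse_request(pkt):
    """Return (opcode, filename, mode) for an RRQ/WRQ; ValueError otherwise."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    op = struct.unpack("!H", pkt[:2])[0]
    if op not in (RRQ, WRQ):
        raise ValueError("not a request: opcode %d" % op)
    fields = pkt[2:].split(b"\0")
    if len(fields) < 3:  # name, mode, and the empty tail after the last NUL
        raise ValueError("malformed request")
    return op, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def build_data(block, chunk):
    return struct.pack("!HH", DATA, block & 0xFFFF) + chunk


def build_error(code, msg):
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\0"


def parse_ack(pkt):
    """Block number from an ACK; ValueError for anything else (e.g. ERROR)."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    op, block = struct.unpack("!HH", pkt[:4])
    if op != ACK:
        raise ValueError("expected ACK, got opcode %d" % op)
    return block


def data_blocks(data):
    """Number the 512-byte blocks; the final short block (empty if the file
    is a multiple of 512) is what tells the client the transfer is over."""
    full = len(data) // BLOCK
    blocks = [(i + 1, data[i * BLOCK:(i + 1) * BLOCK]) for i in range(full)]
    blocks.append((full + 1, data[full * BLOCK:]))
    return blocks


def send_file(data, peer, bind, retries=5, timeout=3.0):
    """One transfer from a fresh socket (TFTP gives every transfer its own
    port); each DATA packet is resent until the matching ACK arrives."""
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.bind((bind, 0))
    tx.settimeout(timeout)
    with tx:
        for block, chunk in data_blocks(data):
            for _ in range(retries):
                tx.sendto(build_data(block, chunk), peer)
                try:
                    pkt, src = tx.recvfrom(1500)
                    if src == peer and parse_ack(pkt) == (block & 0xFFFF):
                        break
                except socket.timeout:
                    continue
                except ValueError as e:  # client sent ERROR or junk
                    print("tftp: aborting:", e)
                    return False
            else:
                print("tftp: block %d never acknowledged; giving up" % block)
                return False
    return True


def serve(files, bind="0.0.0.0", port=69):
    """files maps the exact names clients may ask for to local paths, so a
    request can never reach anything outside the allow-list (no path
    handling at all, hence no traversal).  Writes are always refused."""
    ctl = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ctl.bind((bind, port))
    print("tftp: serving %s on %s:%d" % (sorted(files), bind, port))
    while True:
        pkt, peer = ctl.recvfrom(1500)
        try:
            op, name, mode = parse_request(pkt)
        except ValueError as e:
            ctl.sendto(build_error(4, str(e)), peer)
            continue
        if op != RRQ:
            ctl.sendto(build_error(2, "server is read-only"), peer)
            continue
        if name not in files:
            ctl.sendto(build_error(1, "file not in allow-list"), peer)
            continue
        with open(files[name], "rb") as f:
            data = f.read()
        print("tftp: %s reads %s (%d bytes, mode %s)" % (peer[0], name, len(data), mode))
        send_file(data, peer, bind)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "uboot.bin"
    # Bind to the LAN-side address chosen above; port 69 needs root/CAP_NET_BIND_SERVICE.
    serve({os.path.basename(path): path}, bind="192.168.31.33")
```

Run it as root (port 69 is privileged) with the path to uboot.bin, then pick option 9 on the router. Bytes are sent as-is whatever mode the client names, which is correct for U-Boot's octet requests; a netascii client would need line-ending translation that this server does not do. The number of blocks tells you what the transfer above looked like on the wire: the 105490 bytes U-Boot reported make 206 full blocks plus an 18-byte final block.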

The log of the new bootloader looks like this:

DRAM: 128MB
Platform: MediaTek MT7621A ver 1, eco 3
Board: Xiaomi R3G
Clocks: CPU: 880MHz, DDR: 1200MHz, Bus: 293MHz, Ref: 40MHz
Environment variables @ 00060000 on flash bank 0, size 00020000
Flash: ESMT NAND 128MiB 3.3V 8-bit (128MB) on mt7621-nfi.0
mt7621-nfi.0: Found Fact BBT at block 1023 (offset 0x07fe0000)
rt2880-eth: MAC address from EEPROM is invalid, using default settings.
rt2880-eth: Using MAC address 00:0c:43:00:00:01
eth0: MediaTek MT7530 Gigabit switch

Network started on eth0, inet addr 192.168.1.1, netmask 255.255.255.0

Press any key to interrupt autoboot ... 0

From now on, pressing any key on the serial console during the autoboot countdown drops into Breed, and its recovery web interface is served on the LAN. Note the address: Breed comes up on 192.168.1.1 (see "inet addr" in the log above), not the stock 192.168.31.1, so move the PC to that subnet before opening the page.

[Screenshot: Breed web interface]

Install OpenWrt/PandoraBox/Padavan firmware

Download a firmware image built for the Xiaomi Router 3G (R3G) and flash it from the Breed web interface.

[Screenshot: PandoraBox running on the R4]

Known issues:

  • Wi-Fi does not work on either band (2.4 GHz or 5 GHz) with the official OpenWrt image.
  • The switch port mapping does not match the R3G images:
    • Under OpenWrt, edit /etc/config/network yourself: the WAN is switch port 4 and the LAN ports are 1 and 2.
    • Under Padavan, LAN2 and WAN are swapped (the port it labels WAN is actually LAN3). It works as-is; if that bothers you, write a startup script that calls the switch command to remap the ports.

Special thanks to @phorcys-phorcys https://zhuanlan.zhihu.com/p/56317023