Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Downgrade firmware instruction #87

Closed
DavidWang2014-01-28 opened this issue Oct 29, 2020 · 71 comments
Closed

Downgrade firmware instruction #87

DavidWang2014-01-28 opened this issue Oct 29, 2020 · 71 comments
Labels
documentation Improvements or additions to documentation

Comments

@DavidWang2014-01-28
Copy link

By mistake, i upgrade the firmware to 1.4.7_0065 and the gatwway won't work with this integration aymore. Hope any solution with this issue in the further.

@benleb
Copy link

benleb commented Oct 29, 2020

Thanks for testing 😝

@rezmus
Copy link

rezmus commented Oct 29, 2020

buy new hub till they have factory firmware 1.4.5/1.4.6 (expect 1.4.7 soon) OR solder uart, boot to bootloader and fix boot_info partition so it boots using older firmware slot.

@tsunglung
Copy link

@rezmus
two questions:

  1. can you detailed write on how to change boot_info?
  2. do you think that is any possible to re-enable telnet in firmware 1.4.7 by using UART?

@rezmus
Copy link

rezmus commented Oct 30, 2020

device has 2 slots for kernel/rootfs. this method works if you did update to firmware 1.4.7 only once, so you still have firmware 1.4.4-1.4.6 in 2nd slot. if you did update to 1.4.7 twice or more (for example 1.4.7_0063 and then 1.4.7_0065) this method can't be used. you will have to solder ethernet and recover via tftp.

once you boot to bootloader you have to modify boot_info to make device boot from the other slot (firmware 1.4.4-1.4.6).

note: use all bootloader commands in the same (lower/upper)case they are bellow.

# read boot_info to from nand to memory
NANDR 0xa0000 0xa0a00000 55
# display boot_info in memory
db 0xa0a00000 55

example output

A0A00000: 7c 91 00 00 XX XX YY YY YY YY 00 20 ec 04 c8 cf
A0A00010: 01 00 20 74 04 e8 7e 01 00 82 80 04 62 c6 00 00
A0A00020: 75 90 04 a4 0a 00 00 00 01 31 2e 30 2e 32 2e 30
A0A00030: 30 35 00 00 00 00 00

XX XX is boot_info checksum and YY YY YY YY is slot setup. slot setup will be 00 00 00 00 which means 1st slot is used or 01 01 01 01 which means 2nd slot is used. your goal is to change it to opposite and fix boot_info checksum.

if you change 00 00 00 00 to 01 01 01 01 you have to subtract 2 (-2) from each checksum byte. if you change 01 01 01 01 to 00 00 00 00 you have to add 2 (+2) to each checksum byte.

for example we had XX XX YY YY YY YY = 7a 25 00 00 00 00. we need to make it 78 23 01 01 01 01.

# modify boot_info in memory
eb 0xa0a00000 7c 91 00 00 XX XX YY YY YY YY

where XX XX YY YY YY YY is value we want to have (that we calculated in previous step). now we can display boot_info again and check if it looks like we want.

# display boot_info in memory
db 0xa0a00000 55

if everything is OK we can save it to nand.

# write boot_info from memory to nand
NANDW a0000 a0a00000 55

after reboot it should boot from the other slot (older firmware).

note: ALWAYS keep all uart logs and/or backups!

if your boot_info partition looks like this

A0A00000: 7c 91 00 00 XX XX YY YY YY YY 00 00 00 00 00 00
A0A00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
A0A00020: 00 00 00 00 00 00 00 00 01 31 2e 30 2e 32 2e 30
A0A00030: 30 35 00 00 00 00 00

it got wiped during boot (can happen if you short tp16/tp13 in wrong moment). you need to recreate it based on info from logs/backups or headers of rootfs partitions. in case of such problem tag me in this thread.

@AlexxIT AlexxIT pinned this issue Oct 30, 2020
@AlexxIT
Copy link
Owner

AlexxIT commented Oct 30, 2020

Works only if the previous firmware was with an open Telnet.
If you upgraded twice to a bad firmware, it does not work.
If you have bad firmware from the factory (euro hub) - it does not work.

  1. Solder uart read more @serrj-sv (tp11 - tx, tp4 - rx)
  2. Go to bootloader read more @serrj-sv
  3. Config boot from old fw read more @rezmus

@AlexxIT AlexxIT changed the title Firmware 1.4.7_0065 won't work with this integration anymore Downgrade firmware instruction Oct 30, 2020
@rezmus
Copy link

rezmus commented Oct 30, 2020

for global hub ZNDMWG02LM with firmware 1.4.6_0043 we should be able to open telnet using similar method (uart + boot to bootloader). if somebody wants to try tag me in this thread.

@tsunglung
Copy link

tsunglung commented Oct 30, 2020

Hi rezmus:

With your method, I successfully downgrade to the old firmware.
But there is a mistake in your instructions.
When interrupted the boot sequence, the boot_info may be reset to default values. (need interrupt boot at right timing)
the sum and size value of kerne and rootfs become to zero.

So it is important to keep the logs to know the sum and size of kernel and rootfs.

@rezmus
Copy link

rezmus commented Oct 30, 2020

there is no mistake there, but indeed boot_info can be wiped if you short tp16/gnd in wrong moment, because it's being read/write during boot (to mark failed attempts). i entered bootloader several times without wipe, but saw similar cases before. if you have boot logs or backup you can recreate boot_info. you can also restore it by reading kernel/rootfs header of both slots. i have checksum/size of each firmware.

@AlexxIT AlexxIT added the documentation Improvements or additions to documentation label Oct 31, 2020
@tsunglung
Copy link

I mean that it is very easy to get the wrong boot_info if short tp16/gnd in the wrong moment.
So in your instructions, there shall be a step to check boot_info is correct or not to remind the user the boot_info was not reset to default.

@rezmus
Copy link

rezmus commented Nov 2, 2020

some ppl with wiped boot_info had also broken rootfs/kernel partitions. some had no backups or uart logs so it's more tricky to restore it. you have to read partition header to check which fw version is there. at this point i think it's best to just write here in case of any problems with downgrade.

@tsunglung
Copy link

tsunglung commented Nov 4, 2020

After several days' study. Here is some information I can share.

I can transmit kerenl and rootfs to DDR RAM by xmodem and write kernel or rootfs in DDR to SPI NAND

After flash kernel and rootfs in slot 0, slot 1, I rewrite the boot_info and flash to MTD1.
Then can update any kernel or rootfs.

What is next?
unsquashfs/mksquashfs the rootfs to enable telnetd.

@tsunglung
Copy link

By the way, if you are hardware engineer or magic GOD and have ethernet board for xaiomi gateway 3, you can use Ethernet and tftp to transmit firmwares. Unfortunately most users like poor me don’t have it. The Xmodem is only way to transmit firmwares.
And WiFi and BT were not working in bootloader, too.

@rezmus
Copy link

rezmus commented Nov 5, 2020

@tsunglung please describe xmodem method. some users cut utp cable and solder to board for tftp (probably way faster than xmodem), but i never did that so can't give you much details.

some info about custom squashfs

https://community.home-assistant.io/t/xiaomi-mijia-smart-multi-mode-gateway-zndmwg03lm-support/159586/62

@tsunglung
Copy link

tsunglung commented Nov 5, 2020

@rezmus
There is no ethernet chip on the gateway3 board. Cut UTP cable to solder is still impossible.

I saw your info about custom squashfs. It helps a lot. Thanks. I tried to create a small rootfs yesterday but failed. I still try to find out why.
I will try the custom complete rootfs today.

@serrj-sv
Copy link

serrj-sv commented Nov 5, 2020

There is no ethernet chip on the gateway3 board. Cut UTP cable to solder is still impossible.

here you go, young Sherlock ) https://pasteboard.co/JyVxUOI.jpg

@tsunglung
Copy link

There is no ethernet chip on the gateway3 board. Cut UTP cable to solder is still impossible.

here you go, young Sherlock ) https://pasteboard.co/JyVxUOI.jpg

Great.
Then we do not need to use xmodem to burn firmware.

@AlexxIT
Copy link
Owner

AlexxIT commented Nov 5, 2020

@tsunglung Ethernet also works in stock firmware if you solder it :)

@serrj-sv
Copy link

serrj-sv commented Nov 5, 2020

@tsunglung please describe xmodem method.

<RealTek>xmrx 80000000 (start address of RAM)
then start upload using your terminal program. beware, your're limited by ram size
then you can copy from RAM to NAND:
<RealTek> snwbi
<RealTek> snwbwecc 80000000 [offset_on_nand/2048] [lenght_of_image_in_bytes]

@tsunglung
Copy link

tsunglung commented Nov 5, 2020

xmodem is slow. Not good to transmit firmware.

@serrj-sv
Copy link

serrj-sv commented Nov 5, 2020

xmodem is slow. Not good to transmit firmware.

enough to recover bootloader and boot_info partitions

@tsunglung
Copy link

agree.

@tsunglung
Copy link

tsunglung commented Nov 5, 2020

boot up logs.

=== Linux Firmware ===
version=1.4.7_0065
branch=release-1.4.7_0060

=== RootFS Firmware ===
product=aqara-rtl8197-mijia-gateway
branch=release-1.4.7_0060
VERSION=1.4.7_0065
version=1.4.7_0065

use telnet to login.

BusyBox v1.22.1 (2020-06-22 16:58:24 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

cat /etc/rootfs_fw_info
product=aqara-rtl8197-mijia-gateway
branch=release-1.4.7_0060
VERSION=1.4.7_0065
version=1.4.7_0065

miio-client --help
Version: miio-client 4.1.3
Build time: 07:49:59 Aug 21 2020

Finally, my bricked gateway3 becomes alive after re-burn the firmware via stupid and slow xmodem.

@carck
Copy link

carck commented Nov 9, 2020

Hope there could be easyway to flash the firmware, i was not able to buy new gatway with old firmware.

@Foroxon
Copy link

Foroxon commented Nov 11, 2020

Just received the new ZNDMWG03LM with factory firmware v1.4.6_0043 (
Do I have any chance to downgrade the firmware and how? Thanks.

@rezmus
Copy link

rezmus commented Nov 11, 2020

@Foroxon https://github.com/AlexxIT/XiaomiGateway3/wiki/Decode-Telnet-Password

@nocturneop15
Copy link

does this open a way to support 1.4.7_0065 firmware?

@plutosherry
Copy link

plutosherry commented Nov 30, 2020

https://github.com/AlexxIT/XiaomiGateway3/wiki/Decode-Telnet-Password

@rezmus
Thank you very much! I'll try to do it

@plutosherry
Copy link

@rezmus
After following the steps instructions in the website link, restart the gateway and fail to telnet it
The error message: The remote system refused the connection.
Telnet server seems to be disabled?
my firmware version is 1.4.6_0043

@rezmus
Copy link

rezmus commented Dec 1, 2020

use @AlexxIT integration or miio command to start telnet service, then login with password you decoded.

@Alxspb
Copy link
Contributor

Alxspb commented Dec 3, 2020

@rezmus, hello, can you help me, please?
I'm just wiped boot_info:

> NANDR 0xa0000 0xa0a00000 55
> db 0xa0a00000 55
[Addr]   .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .A .B .C .D .E .F
A0A00000: 7c 91 00 00 44 07 00 00 00 00 00 00 00 00 00 00     |...D...........
A0A00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
A0A00020: 00 00 00 00 00 00 00 00 01 31 2e 30 2e 32 2e 30     .........1.0.2.0
A0A00030: 30 35 00 00 00 00 00

I've saved 2 'good' reboots:

1 good UART log
uart ok
strap pin:0x412b8ae2
enable spi-nand
ROM ver:v1.1, sig:455cc27, time:2016.01.04-18:42+0800, CPU(400 MHz), DDR2(533 MHz)
load efuse ok
init IP ok
rom_progress: 0x0600006d
load_data_from_storage(260): 0xbfe01540, 0x00000000, 0xbfd16f44
load_data_from_spi_nand_flash(70): 0xbfe01540, 0x00000000, 0xbfe03e18
check_image_header(72): h(69,72,61,6d), s(69,72,61,6d)
img sig ok
rom_progress: 0x0c00006d
load_data_from_spi_nand_flash(81) 0x00000004 0x000024ba
load_data_from_spi_nand_flash(86): 0xbfe01d40, 0x00000001, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02540, 0x00000002, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02d40, 0x00000003, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe03540, 0x00000004, 0xbfe03e18
load_data_from_spi_nand_flash(90) read done (size:9402)
chksum ok
rom_progress: 0x0e00006d
load img ok
rom_progress: 0x1000006d
jump 0xbfe01550

Booting...
SPI NAND clock not enable

SPI Nand ID=00efaa21
SPI Nand die chipsize=0x08000000 byte
SPI Nand dienum=1,
SPI Nand blocksize=0x00020000 byte,
SPI Nand pagesize=0x00000800 byte,
SPI Nand oobsize=0x00000040 byte,
[rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024
[rtkn_scan_bbt, line 1822] block_v2r_num 00000400
[rtk_scan_v2r_bbt]:678,RBA=00000033,2=00000400,
[rtk_scan_v2r_bbt]:684,block_v2r_num=000003cd
INFO: Stored BBT in Die 0: block=8 , block_status_p1=0x000000bb
load bbt v2r table:0 page:512
[rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !!
check v2r bbt table:0 OK
[rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704
INFO: Stored BBT in Die 0: block=11 , block_status_p1=0x000000bb
load bbt table:0 page:704
[rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !!
check bbt table:0 OK
[dump_BBT] Nand BBT Content
[0] (00000000, 000000ff, 00000000, 000003ff)
=>CPU Wake-up interrupt happen! GISR=09000084

Realtek RTL8197F boot code at 2019.11.25-17:17+0800 v3.4T-pre2.1 (993MHz)
-- version: 1.0.2.005 --
Info: Load boot_info success!
=== bootloader for mijia_gw ===
boot_info: ver:0
kernel: newest:1, curr:0
rootfs: newest:1, curr:1
kernel[0]: sum:0xc8cf, size:2157572, fail:0
      [1]: sum:0xcb43, size:2157572, fail:3
rootfs[0]: sum:0x62c6, size:8552452, fail:0
      [1]: sum:0x742c, size:10108932, fail:0
root_sum_check: off
watchdog_time: 0
boot_version: 1.0.2.005
priv mode
Info: kernel 1 is invalid
Info: loading kernel 0 ...  Done
Info: checking kernel 0 ... Success
Info: select rootfs 1
Info: booting...
Jump to image start=0x80a00000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x8050cc40
[    0.000000] Linux version 3.10.90 (liaozhaobao@compilex64-ipg) (gcc version 4.9.4 20151028 (prerelease) (Realtek MSDK-4.9.4p1 Build 2648) ) #68 Fri Apr 3 15:18:37 CST 2020
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019385 (MIPS 24Kc)
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping off.  Total pages: 4088
[    0.000000] Kernel command line: root=/dev/mtdblock8 console=ttyS0,38400
[    0.000000] PID hash table entries: 256 (order: -4, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 1, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 0, 16384 bytes)
[    0.000000] Writing ErrCtl register=000320b0
[    0.000000] Readback ErrCtl register=000320b0
[    0.000000] Memory: 58208k/65536k available (5203k kernel code, 7328k reserved, 1002k data, 192k init, 0k highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:192
[    0.000000] Realtek GPIO IRQ init
[    0.000000] Calibrating delay loop... 660.68 BogoMIPS (lpj=3303424)
[    0.070000] pid_max: default: 32768 minimum: 301
[    0.080000] Mount-cache hash table entries: 2048
[    0.090000] [rtl819x_gpio_pin_enable][277]: mask=0xf00 mux=0x0 mux_reg=0xb8000844 val=0x100,                         CNR_REG=0xffffffbf MUX_REG=0x100
[    0.100000] [rtl819x_gpio_direction_output][150]: set pin38 as output pin, default value=0, DIR_REG=0x40 DAT_REG=0x3000000
[    0.110000] [rtl819x_gpio_pin_enable][277]: mask=0xf0 mux=0x100 mux_reg=0xb8000844 val=0x10,                         CNR_REG=0xffffff3f MUX_REG=0x110
[    0.120000] [rtl819x_gpio_direction_output][150]: set pin39 as output pin, default value=0, DIR_REG=0xc0 DAT_REG=0x3000000
[    0.130000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x0 mux_reg=0xb8000848 val=0x4000000,                         CNR_REG=0xfffffb3f MUX_REG=0x4000000
[    0.140000] [rtl819x_gpio_direction_output][150]: set pin42 as output pin, default value=0, DIR_REG=0x4c0 DAT_REG=0x3000000
[    0.150000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x4000000 mux_reg=0xb8000848 val=0x400000,                     CNR_REG=0xfffff33f MUX_REG=0x4400000
[    0.160000] [rtl819x_gpio_direction_output][150]: set pin43 as output pin, default value=1, DIR_REG=0xcc0 DAT_REG=0x3000800
[    0.170000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x4400000 mux_reg=0xb8000848 val=0x60000,                       CNR_REG=0xffffe33f MUX_REG=0x4460000
[    0.180000] [rtl819x_gpio_direction_output][150]: set pin44 as output pin, default value=1, DIR_REG=0x1cc0 DAT_REG=0x3001800
[    0.190000] [rtl819x_gpio_pin_enable][277]: mask=0xf000 mux=0x4460000 mux_reg=0xb8000848 val=0x6000,                         CNR_REG=0xffffc33f MUX_REG=0x4466000
[    0.200000] [rtl819x_gpio_direction_output][150]: set pin45 as output pin, default value=1, DIR_REG=0x3cc0 DAT_REG=0x3003800
[    0.210000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x11111000 mux_reg=0xb8000820 val=0x6000000,                  CNR_REG=0xffff833f MUX_REG=0x16111000
[    0.220000] [rtl819x_gpio_direction_output][150]: set pin46 as output pin, default value=1, DIR_REG=0x7cc0 DAT_REG=0x3007800
[    0.230000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x16111000 mux_reg=0xb8000820 val=0x60000000,                        CNR_REG=0xffff033f MUX_REG=0x66111000
[    0.240000] [rtl819x_gpio_direction_output][150]: set pin47 as output pin, default value=0, DIR_REG=0xfcc0 DAT_REG=0x3007800
[    0.250000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x66111000 mux_reg=0xb8000820 val=0x600000,                    CNR_REG=0xfffe033f MUX_REG=0x66611000
[    0.260000] [rtl819x_gpio_direction_output][150]: set pin48 as output pin, default value=1, DIR_REG=0x1fcc0 DAT_REG=0x3017800
[    0.270000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x66611000 mux_reg=0xb8000820 val=0x70000,                      CNR_REG=0xfffc033f MUX_REG=0x66671000
[    0.280000] [rtl819x_gpio_direction_output][150]: set pin49 as output pin, default value=1, DIR_REG=0x3fcc0 DAT_REG=0x3037800
[    0.290000] [rtl819x_gpio_pin_enable][277]: mask=0xf000 mux=0x66671000 mux_reg=0xb8000820 val=0x7000,                        CNR_REG=0xfff8033f MUX_REG=0x66677000
[    0.300000] [rtl819x_gpio_direction_output][150]: set pin50 as output pin, default value=0, DIR_REG=0x7fcc0 DAT_REG=0x3037800
[    0.310000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x100000 mux_reg=0xb8000824 val=0x20000000,                  CNR_REG=0xfff0033f MUX_REG=0x20100000
[    0.320000] [rtl819x_gpio_direction_output][150]: set pin51 as output pin, default value=1, DIR_REG=0xffcc0 DAT_REG=0x30b7800
[    0.330000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x20100000 mux_reg=0xb8000824 val=0x1000000,                  CNR_REG=0xffe0033f MUX_REG=0x21100000
[    0.340000] [rtl819x_gpio_direction_output][150]: set pin52 as output pin, default value=0, DIR_REG=0x1ffcc0 DAT_REG=0x30b7800
[    0.350000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x21100000 mux_reg=0xb8000824 val=0x0,                         CNR_REG=0xffc0033f MUX_REG=0x21000000
[    0.360000] [rtl819x_gpio_direction_output][150]: set pin53 as output pin, default value=0, DIR_REG=0x3ffcc0 DAT_REG=0x30b7800
[    0.370000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x33320000 mux_reg=0xb8000834 val=0x3000000,                  CNR_REG=0xff40033f MUX_REG=0x33320000
[    0.380000] [rtl819x_gpio_direction_output][150]: set pin55 as output pin, default value=0, DIR_REG=0xbffcc0 DAT_REG=0x30b7800
[    0.390000] NET: Registered protocol family 16
[    0.400000] <<<<<Register PCI Controller>>>>>
[    0.420000] Do MDIO_RESET
[    0.450000] 40MHz
[    0.810000] PCIE ->  Cannot LinkUP
[    0.820000] Realtek GPIO controller driver init
[    0.830000] INFO: initializing i2c devices ...
[    0.840000] INFO: registering sheipa spi device
[    0.860000] bio: create slab <bio-0> at 0
[    0.870000] SCSI subsystem initialized
[    0.880000] INFO: sheipa spi driver register
[    0.890000] INFO: sheipa spi probe
[    0.900000] cfg80211: Calling CRDA to update world regulatory domain
[    0.910000] Switching to clocksource MIPS
[    0.920000] NET: Registered protocol family 2
[    0.930000] TCP established hash table entries: 2048 (order: 0, 16384 bytes)
[    0.950000] TCP bind hash table entries: 2048 (order: -1, 8192 bytes)
[    0.970000] TCP: Hash tables configured (established 2048 bind 2048)
[    0.990000] TCP: reno registered
[    1.000000] UDP hash table entries: 1024 (order: 0, 16384 bytes)
[    1.020000] UDP-Lite hash table entries: 1024 (order: 0, 16384 bytes)
[    1.040000] NET: Registered protocol family 1
[    1.050000] RPC: Registered named UNIX socket transport module.
[    1.070000] RPC: Registered udp transport module.
[    1.080000] RPC: Registered tcp transport module.
[    1.100000] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    1.130000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    1.150000] NFS: Registering the id_resolver key type
[    1.160000] Key type id_resolver registered
[    1.180000] Key type id_legacy registered
[    1.190000] NTFS driver 2.1.30 [Flags: R/W DEBUG].
[    1.200000] msgmni has been set to 113
[    1.220000] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
[    1.240000] io scheduler noop registered (default)
[    1.250000] pwm_probe
[    1.260000] add buzzer dev!!!!!!!!!!!!!!!!
[    1.380000] Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
[    1.400000] serial8250: ttyS0 at MMIO 0x18147000 (irq = 17) is a 16550A
[    1.420000] console [ttyS0] enabled, bootconsole disabled
[    1.420000] console [ttyS0] enabled, bootconsole disabled
[    1.450000] serial8250: ttyS1 at MMIO 0x18147400 (irq = 46) is a 16550A
[    1.480000] serial8250: ttyS2 at MMIO 0x18147800 (irq = 47) is a 16550A
[    1.500000] Realtek GPIO Driver for Flash Reload Default
[    1.510000] Load Kernel firmware information Driver
[    1.530000] id_chain value=efaa219f
[    1.540000] id_chain value=efaa219f
[    1.550000] NAND device: Manufacturer ID: 0xef, Chip ID: 0xaa (Unknown W25M01GV 1G SPI NAND), 128MiB, page size: 2048, OOB size: 64
[    1.580000] [rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024
[    1.610000] [rtkn_scan_bbt, line 1822] block_v2r_num 400
[rtk_scan_v2r_bbt]:678,RBA=33,2=400,
[    1.640000] [rtk_scan_v2r_bbt]:684,block_v2r_num=3cd
[    1.660000] INFO: Stored BBT in Die 0: block=8 , block_status_p1=0xbb
[    1.680000] load bbt v2r table:0 page:512
[rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !!
check v2r bbt table:0 OK
[rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704
[    1.740000] INFO: Stored BBT in Die 0: block=11 , block_status_p1=0xbb
[    1.760000] load bbt table:0 page:704
[rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !!
check bbt table:0 OK
[dump_BBT] Nand BBT Content
[    1.800000] [0] (0, ff, 0, 3ff)
[    1.810000] 11 rtkxxpart partitions found on MTD device rtk_nand
[    1.830000] Creating 11 MTD partitions on "rtk_nand":
[    1.860000] Realtek WLAN driver - version 1.7 (2015-10-30)(SVN:Unversioned directory)
[    1.890000] Adaptivity function - version 9.3.4
[    1.900000] Device Name = RTKWiFi0
[    1.910000] VIF_NUM=9
[    1.920000] MACHAL_version_init
[    1.930000] RFE TYPE =0
[    1.940000] RFE TYPE =0
[    1.950000] RFE TYPE =0
[    1.960000] RFE TYPE =0
[    1.960000] RFE TYPE =0
[    1.970000] RFE TYPE =0
[    1.980000] RFE TYPE =0
[    1.990000] RFE TYPE =0
[    2.000000] RFE TYPE =0
[    2.010000] RFE TYPE =0
[    2.020000] RFE TYPE =0
[    2.020000] lumi_btn_probe reset btn=7
[    2.040000] [rtl819x_gpio_request][42]: pin7
[    2.050000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x13000000 mux_reg=0xb8000800 val=0x600000,                    CNR_REG=0xffffff7f MUX_REG=0x13600000
[    2.090000] [rtl819x_gpio_direction_input][120]: set pin7 as input pin, DIR_REG=0xff000000
[    2.110000] rtl819x_gpio: GPIO7 requests IRQ79
[    2.130000] input: lumi_key as /devices/virtual/input/input0
[    2.140000] i2c /dev entries driver
[    2.160000] [rtl819x_gpio_request][42]: pin57
[    2.170000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x33320000 mux_reg=0xb8000834 val=0x20000,                      CNR_REG=0xfd40033f MUX_REG=0x33320000
[    2.210000] [rtl819x_gpio_direction_output][150]: set pin57 as output pin, default value=1, DIR_REG=0x2bffcc0 DAT_REG=0x30b7800
[    2.240000] rtl819x_gpio: GPIO57 requests IRQ129
[    2.260000] [rtl819x_gpio_request][42]: pin56
[    2.270000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x33320000 mux_reg=0xb8000834 val=0x300000,                    CNR_REG=0xfc40033f MUX_REG=0x33320000
[    2.310000] [rtl819x_gpio_direction_output][150]: set pin56 as output pin, default value=1, DIR_REG=0x3bffcc0 DAT_REG=0x30b7800
[    2.340000] rtl819x_gpio: GPIO56 requests IRQ128
[    2.360000] [rtl819x_gpio_request][42]: pin54
[    2.370000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x33320000 mux_reg=0xb8000834 val=0x30000000,                        CNR_REG=0xfc00033f MUX_REG=0x33320000
[    2.410000] [rtl819x_gpio_direction_output][150]: set pin54 as output pin, default value=0, DIR_REG=0x3fffcc0 DAT_REG=0x30b7800
[    2.450000] rtl819x_gpio: GPIO54 requests IRQ126
[    2.460000] TCP: cubic registered
[    2.470000] NET: Registered protocol family 10
[    2.490000] sit: IPv6 over IPv4 tunneling driver
[    2.500000] NET: Registered protocol family 17
[    2.520000] Key type dns_resolver registered
[    2.530000]
[    2.530000] Probing RTL819X NIC-kenel stack size order[0]...
[    3.220000] eth0 added. vid=9 Member port 0x110...
[    3.240000] eth1 added. vid=8 Member port 0x0...
[    3.260000] Key type encrypted registered
[    3.280000] VFS: Mounted root (squashfs filesystem) readonly on device 31:8.
[    3.300000] Freeing unused kernel memory: 192K (80610000 - 80640000)
init started: BusyBox v1.22.1 (2020-06-22 16:58:24 CST)
[    4.380000] WlanSupportAbility = 0x3
[    4.390000] [ODM_software_init]
[    4.390000] [97F] Bonding Type 97FS, PKG1
[    4.390000] [97F] RFE type 0 PHY paratemters: DEFAULT
[    4.390000] clock 40MHz
[    4.390000] load efuse ok
[    4.390000] rom_progress: 0x200006f
[    4.390000] rom_progress: 0x400006f
[    4.470000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size
[    4.480000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0]
[    4.700000] [GetHwReg88XX][rtl8197Ffw]
[    4.710000] [GetHwReg88XX][rtl8197Ffw size]
[    5.160000] [97F] Default BB Swing=30
[    5.310000] device eth0 entered promiscuous mode
[    5.330000] device wlan0 entered promiscuous mode
[    5.350000] br0: port 2(wlan0) entered forwarding state
[    5.360000] br0: port 2(wlan0) entered forwarding state
=== Linux Firmware ===
version=1.4.6_0012
branch=aqara-rtl8197-gateway
try mount ubi0!!!
test for jacky![    5.450000] UBI: attaching mtd10 to ubi0

[    6.770000] UBI: scanning is finished
[    6.820000] UBI: attached mtd10 (name "AppData", size 56 MiB) to ubi0
[    6.840000] UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    6.860000] UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    6.880000] UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
[    6.900000] UBI: good PEBs: 449, bad PEBs: 0, corrupted PEBs: 0
[    6.920000] UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
[    6.940000] UBI: max/mean erase counter: 708/127, WL threshold: 4096, image sequence number: 1972655063
[    6.970000] UBI: available PEBs: 0, total reserved PEBs: 449, PEBs reserved for bad PEB handling: 20
[    6.990000] UBI: background thread "ubi_bgt0d" started, PID 932
UBI device number 0, total 449 L[    7.040000] UBIFS: parse sync
EBs (57012224 bytes, 54.4 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
[    7.150000] UBIFS: background thread "ubifs_bgt0_0" started, PID 938
[    7.270000] UBIFS: recovery needed
[    8.240000] UBIFS: recovery completed
[    8.260000] UBIFS: mounted UBI device 0, volume 0, name "ubifs1"
[    8.270000] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    8.300000] UBIFS: FS size: 52695040 bytes (50 MiB, 415 LEBs), journal size 2666496 bytes (2 MiB, 21 LEBs)
[    8.330000] UBIFS: reserved for root: 2488917 bytes (2430 KiB)
[    8.350000] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 16B479AC-F1B4-4F83-8607-942FBC1957B7, small LPT model
is old unecrypt [    8.530000] [rtl819x_gpio_request][42]: pin18
dir!
[    8.550000] [rtl819x_gpio_pin_enable][277]: mask=0xf00 mux=0x455000 mux_reg=0xb8000808 val=0x600,                    CNR_REG=0xfffbff7f MUX_REG=0x455600
[    8.590000] rtl819x_gpio: GPIO18 requests IRQ90
[    8.610000] [rtl819x_gpio_direction_output][150]: set pin18 as output pin, default value=0, DIR_REG=0xff040000 DAT_REG=0x40080
[    8.650000] [rtl819x_gpio_request][42]: pin9
[    8.660000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x455600 mux_reg=0xb8000808 val=0xa0000,                        CNR_REG=0xfffbfd7f MUX_REG=0x4a5600
[    8.700000] rtl819x_gpio: GPIO9 requests IRQ81
[    8.720000] [rtl819x_gpio_direction_output][150]: set pin9 as output pin, default value=0, DIR_REG=0xff040200 DAT_REG=0x40080
MAC=64:90:C1:78:44:36
[    8.840000] [rtl819x_gpio_request][42]: pin31
[    8.850000] [rtl819x_gpio_pin_enable][277]: mask=0xf0 mux=0x22220077 mux_reg=0xb800083c val=0x70,                    CNR_REG=0x7ffbfd7f MUX_REG=0x22220077
[    9.030000] rtl819x_gpio: GPIO31 requests IRQ103
[    9.090000] [rtl819x_gpio_direction_output][150]: set pin31 as output pin, default value=0, DIR_REG=0xff040200 DAT_REG=0x40280
=== RootFS Firmware ===
product=aqara-rtl8197-mijia-gateway
branch=release-1.4.7_0060
VERSION=1.4.7_0065
version=1.4.7_0065
run /bin/pre_check.sh...
Check HK setup pass.
Will Start OT!!
device br0 already exists; can't create bridge with the same name
device wlan0 is already a member of a bridge; can't enslave it to bridge br0.
bridge name     bridge id               STP enabled     interfaces
br0             8000.6490c1784436       no              eth0
                                                        wlan0
killall: miio_agent: no process killed
killall: miio_client: no process killed
killall: miio_client_helper_nomqtt.sh: no process killed
killall: basic_app: no process killed
killall: basic_gw: no process killed
killall: wpa_supplicant: no process killed
killall: udhcpd: no process killed
killall: udhcpc: no process killed
killall: hostapd: no process killed
killall: eth0_start.sh: no process killed
killall: wifi_start.sh: no process killed
[   10.560000] br0: port 2(wlan0) entered disabled state
[   10.580000] WlanSupportAbility = 0x3
[   10.590000] [ODM_software_init]
[   10.590000] [97F] Bonding Type 97FS, PKG1
[   10.590000] [97F] RFE type 0 PHY paratemters: DEFAULT
[   10.590000] clock 40MHz
[   10.590000] load efuse ok
[   10.590000] rom_progress: 0x200006f
[   10.590000] rom_progress: 0x400006f
[   10.670000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size
[   10.680000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0]
[   10.900000] [GetHwReg88XX][rtl8197Ffw]
[   10.910000] [GetHwReg88XX][rtl8197Ffw size]
[   11.360000] [97F] Default BB Swing=30
[   11.370000] br0: port 2(wlan0) entered forwarding state
[   11.380000] br0: port 2(wlan0) entered forwarding state
969 connect
miio_agent --- dead ---reboot
miio_client --- dead ---reboot
device wlan0 is already a member of a bridge; can't enslave it to bridge br0.
[   12.450000] br0: port 2(wlan0) entered disabled state
[   12.470000] WlanSupportAbility = 0x3
[   12.480000] [ODM_software_init]
[   12.480000] [97F] Bonding Type 97FS, PKG1
[   12.480000] [97F] RFE type 0 PHY paratemters: DEFAULT
[   12.480000] clock 40MHz
[   12.480000] load efuse ok
[   12.480000] rom_progress: 0x200006f
[   12.480000] rom_progress: 0x400006f
[   12.560000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size
[   12.570000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0]
[   12.790000] [GetHwReg88XX][rtl8197Ffw]
[   12.800000] [GetHwReg88XX][rtl8197Ffw size]
[   13.250000] [97F] Default BB Swing=30
[   13.260000] br0: port 2(wlan0) entered forwarding state
[   13.270000] br0: port 2(wlan0) entered forwarding state
restart wpa_supplicant...
killall: wpa_supplicant: no process killed
wpa_supplicant has been killed, then restart it...
2
[   14.590000] store_tty0_enable buf=disable
[   14.590000] , count=8
[   15.550000] br0: port 2(wlan0) entered disabled state
[   17.480000] br0: port 2(wlan0) entered forwarding state
[   17.500000] br0: port 2(wlan0) entered forwarding state
[   20.000000] [rtl819x_gpio_request][42]: pin36
[   20.010000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x0 mux_reg=0xb8000844 val=0x10000,                     CNR_REG=0xfc00032f MUX_REG=0x10000
[   20.580000] i2c_designware i2c_designware.1: i2c_dw_handle_tx_abort: slave address not acknowledged (7bit mode)
[   20.650000] rtl819x_gpio: GPIO36 requests IRQ108
[   20.850000] [rtl819x_gpio_direction_output][150]: set pin36 as output pin, default value=0, DIR_REG=0x3fffcd0 DAT_REG=0x3083800
[   27.520000] br0: port 2(wlan0) entered forwarding state
2 good UART log
uart ok
strap pin:0x412b8ae2
enable spi-nand
ROM ver:v1.1, sig:455cc27, time:2016.01.04-18:42+0800, CPU(400 MHz), DDR2(533 MHz)
load efuse ok
init IP ok
rom_progress: 0x0600006d
load_data_from_storage(260): 0xbfe01540, 0x00000000, 0xbfd16f44
load_data_from_spi_nand_flash(70): 0xbfe01540, 0x00000000, 0xbfe03e18
check_image_header(72): h(69,72,61,6d), s(69,72,61,6d)
img sig ok
rom_progress: 0x0c00006d
load_data_from_spi_nand_flash(81) 0x00000004 0x000024ba
load_data_from_spi_nand_flash(86): 0xbfe01d40, 0x00000001, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02540, 0x00000002, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02d40, 0x00000003, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe03540, 0x00000004, 0xbfe03e18
load_data_from_spi_nand_flash(90) read done (size:9402)
chksum ok
rom_progress: 0x0e00006d
load img ok
rom_progress: 0x1000006d
jump 0xbfe01550

Booting...
SPI NAND clock not enable

SPI Nand ID=00efaa21
SPI Nand die chipsize=0x08000000 byte
SPI Nand dienum=1,
SPI Nand blocksize=0x00020000 byte,
SPI Nand pagesize=0x00000800 byte,
SPI Nand oobsize=0x00000040 byte,
[rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024
[rtkn_scan_bbt, line 1822] block_v2r_num 00000400
[rtk_scan_v2r_bbt]:678,RBA=00000033,2=00000400,
[rtk_scan_v2r_bbt]:684,block_v2r_num=000003cd
INFO: Stored BBT in Die 0: block=8 , block_status_p1=0x000000bb
load bbt v2r table:0 page:512
[rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !!
check v2r bbt table:0 OK
[rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704
INFO: Stored BBT in Die 0: block=11 , block_status_p1=0x000000bb
load bbt table:0 page:704
[rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !!
check bbt table:0 OK
[dump_BBT] Nand BBT Content
[0] (00000000, 000000ff, 00000000, 000003ff)
=>CPU Wake-up interrupt happen! GISR=89000084

Realtek RTL8197F boot code at 2019.11.25-17:17+0800 v3.4T-pre2.1 (993MHz)
-- version: 1.0.2.005 --
Info: Load boot_info success!
=== bootloader for mijia_gw ===
boot_info: ver:0
kernel: newest:1, curr:0
rootfs: newest:1, curr:1
kernel[0]: sum:0xc8cf, size:2157572, fail:0
      [1]: sum:0xcb43, size:2157572, fail:3
rootfs[0]: sum:0x62c6, size:8552452, fail:0
      [1]: sum:0x742c, size:10108932, fail:0
root_sum_check: off
watchdog_time: 0
boot_version: 1.0.2.005
priv mode
Info: kernel 1 is invalid
Info: loading kernel 0 ...  Done
Info: checking kernel 0 ... Success
Info: select rootfs 1
Info: booting...
Jump to image start=0x80a00000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x8050cc40
[    0.000000] Linux version 3.10.90 (liaozhaobao@compilex64-ipg) (gcc version 4.9.4 20151028 (prerelease) (Realtek MSDK-4.9.4p1 Build 2648) ) #68 Fri Apr 3 15:18:37 CST 2020
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019385 (MIPS 24Kc)
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping off.  Total pages: 4088
[    0.000000] Kernel command line: root=/dev/mtdblock8 console=ttyS0,38400
[    0.000000] PID hash table entries: 256 (order: -4, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 1, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 0, 16384 bytes)
[    0.000000] Writing ErrCtl register=000320b0
[    0.000000] Readback ErrCtl register=000320b0
[    0.000000] Memory: 58208k/65536k available (5203k kernel code, 7328k reserved, 1002k data, 192k init, 0k highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:192
[    0.000000] Realtek GPIO IRQ init
[    0.000000] Calibrating delay loop... 660.68 BogoMIPS (lpj=3303424)
[    0.070000] pid_max: default: 32768 minimum: 301
[    0.080000] Mount-cache hash table entries: 2048
[    0.090000] [rtl819x_gpio_pin_enable][277]: mask=0xf00 mux=0x0 mux_reg=0xb8000844 val=0x100,                         CNR_REG=0xffffffbf MUX_REG=0x100
[    0.100000] [rtl819x_gpio_direction_output][150]: set pin38 as output pin, default value=0, DIR_REG=0x40 DAT_REG=0x3000000
[    0.110000] [rtl819x_gpio_pin_enable][277]: mask=0xf0 mux=0x100 mux_reg=0xb8000844 val=0x10,                         CNR_REG=0xffffff3f MUX_REG=0x110
[    0.120000] [rtl819x_gpio_direction_output][150]: set pin39 as output pin, default value=0, DIR_REG=0xc0 DAT_REG=0x3000000
[    0.130000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x0 mux_reg=0xb8000848 val=0x4000000,                         CNR_REG=0xfffffb3f MUX_REG=0x4000000
[    0.140000] [rtl819x_gpio_direction_output][150]: set pin42 as output pin, default value=0, DIR_REG=0x4c0 DAT_REG=0x3000000
[    0.150000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x4000000 mux_reg=0xb8000848 val=0x400000,                     CNR_REG=0xfffff33f MUX_REG=0x4400000
[    0.160000] [rtl819x_gpio_direction_output][150]: set pin43 as output pin, default value=1, DIR_REG=0xcc0 DAT_REG=0x3000800
[    0.170000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x4400000 mux_reg=0xb8000848 val=0x60000,                       CNR_REG=0xffffe33f MUX_REG=0x4460000
[    0.180000] [rtl819x_gpio_direction_output][150]: set pin44 as output pin, default value=1, DIR_REG=0x1cc0 DAT_REG=0x3001800
[    0.190000] [rtl819x_gpio_pin_enable][277]: mask=0xf000 mux=0x4460000 mux_reg=0xb8000848 val=0x6000,                         CNR_REG=0xffffc33f MUX_REG=0x4466000
[    0.200000] [rtl819x_gpio_direction_output][150]: set pin45 as output pin, default value=1, DIR_REG=0x3cc0 DAT_REG=0x3003800
[    0.210000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x11111000 mux_reg=0xb8000820 val=0x6000000,                  CNR_REG=0xffff833f MUX_REG=0x16111000
[    0.220000] [rtl819x_gpio_direction_output][150]: set pin46 as output pin, default value=1, DIR_REG=0x7cc0 DAT_REG=0x3007800
[    0.230000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x16111000 mux_reg=0xb8000820 val=0x60000000,                        CNR_REG=0xffff033f MUX_REG=0x66111000
[    0.240000] [rtl819x_gpio_direction_output][150]: set pin47 as output pin, default value=0, DIR_REG=0xfcc0 DAT_REG=0x3007800
[    0.250000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x66111000 mux_reg=0xb8000820 val=0x600000,                    CNR_REG=0xfffe033f MUX_REG=0x66611000
[    0.260000] [rtl819x_gpio_direction_output][150]: set pin48 as output pin, default value=1, DIR_REG=0x1fcc0 DAT_REG=0x3017800
[    0.270000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x66611000 mux_reg=0xb8000820 val=0x70000,                      CNR_REG=0xfffc033f MUX_REG=0x66671000
[    0.280000] [rtl819x_gpio_direction_output][150]: set pin49 as output pin, default value=1, DIR_REG=0x3fcc0 DAT_REG=0x3037800
[    0.290000] [rtl819x_gpio_pin_enable][277]: mask=0xf000 mux=0x66671000 mux_reg=0xb8000820 val=0x7000,                        CNR_REG=0xfff8033f MUX_REG=0x66677000
[    0.300000] [rtl819x_gpio_direction_output][150]: set pin50 as output pin, default value=0, DIR_REG=0x7fcc0 DAT_REG=0x3037800
[    0.310000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x100000 mux_reg=0xb8000824 val=0x20000000,                  CNR_REG=0xfff0033f MUX_REG=0x20100000
[    0.320000] [rtl819x_gpio_direction_output][150]: set pin51 as output pin, default value=1, DIR_REG=0xffcc0 DAT_REG=0x30b7800
[    0.330000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x20100000 mux_reg=0xb8000824 val=0x1000000,                  CNR_REG=0xffe0033f MUX_REG=0x21100000
[    0.340000] [rtl819x_gpio_direction_output][150]: set pin52 as output pin, default value=0, DIR_REG=0x1ffcc0 DAT_REG=0x30b7800
[    0.350000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x21100000 mux_reg=0xb8000824 val=0x0,                         CNR_REG=0xffc0033f MUX_REG=0x21000000
[    0.360000] [rtl819x_gpio_direction_output][150]: set pin53 as output pin, default value=0, DIR_REG=0x3ffcc0 DAT_REG=0x30b7800
[    0.370000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x33320000 mux_reg=0xb8000834 val=0x3000000,                  CNR_REG=0xff40033f MUX_REG=0x33320000
[    0.380000] [rtl819x_gpio_direction_output][150]: set pin55 as output pin, default value=0, DIR_REG=0xbffcc0 DAT_REG=0x30b7800
[    0.390000] NET: Registered protocol family 16
[    0.400000] <<<<<Register PCI Controller>>>>>
[    0.420000] Do MDIO_RESET
[    0.450000] 40MHz
[    0.810000] PCIE ->  Cannot LinkUP
[    0.820000] Realtek GPIO controller driver init
[    0.830000] INFO: initializing i2c devices ...
[    0.840000] INFO: registering sheipa spi device
[    0.860000] bio: create slab <bio-0> at 0
[    0.870000] SCSI subsystem initialized
[    0.880000] INFO: sheipa spi driver register
[    0.890000] INFO: sheipa spi probe
[    0.900000] cfg80211: Calling CRDA to update world regulatory domain
[    0.910000] Switching to clocksource MIPS
[    0.920000] NET: Registered protocol family 2
[    0.930000] TCP established hash table entries: 2048 (order: 0, 16384 bytes)
[    0.950000] TCP bind hash table entries: 2048 (order: -1, 8192 bytes)
[    0.970000] TCP: Hash tables configured (established 2048 bind 2048)
[    0.990000] TCP: reno registered
[    1.000000] UDP hash table entries: 1024 (order: 0, 16384 bytes)
[    1.020000] UDP-Lite hash table entries: 1024 (order: 0, 16384 bytes)
[    1.040000] NET: Registered protocol family 1
[    1.050000] RPC: Registered named UNIX socket transport module.
[    1.070000] RPC: Registered udp transport module.
[    1.080000] RPC: Registered tcp transport module.
[    1.100000] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    1.130000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    1.150000] NFS: Registering the id_resolver key type
[    1.160000] Key type id_resolver registered
[    1.180000] Key type id_legacy registered
[    1.190000] NTFS driver 2.1.30 [Flags: R/W DEBUG].
[    1.200000] msgmni has been set to 113
[    1.220000] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
[    1.240000] io scheduler noop registered (default)
[    1.250000] pwm_probe
[    1.260000] add buzzer dev!!!!!!!!!!!!!!!!
[    1.380000] Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
[    1.420000] console [ttyS0] enabled, bootconsole disabled7) is a 16550A
[    1.420000] console [ttyS0] enabled, bootconsole disabled
[    1.450000] serial8250: ttyS1 at MMIO 0x18147400 (irq = 46) is a 16550A
[    1.470000] serial8250: ttyS2 at MMIO 0x18147800 (irq = 47) is a 16550A
[    1.500000] Realtek GPIO Driver for Flash Reload Default
[    1.510000] Load Kernel firmware information Driver
[    1.530000] id_chain value=efaa219f
[    1.540000] id_chain value=efaa219f
[    1.550000] NAND device: Manufacturer ID: 0xef, Chip ID: 0xaa (Unknown W25M01GV 1G SPI NAND), 128MiB, page size: 2048, OOB size: 64
[    1.580000] [rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024
[    1.610000] [rtkn_scan_bbt, line 1822] block_v2r_num 400
[rtk_scan_v2r_bbt]:678,RBA=33,2=400,
[    1.630000] [rtk_scan_v2r_bbt]:684,block_v2r_num=3cd
[    1.660000] INFO: Stored BBT in Die 0: block=8 , block_status_p1=0xbb
[    1.670000] load bbt v2r table:0 page:512
[rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !!
check v2r bbt table:0 OK
[rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704
[    1.740000] INFO: Stored BBT in Die 0: block=11 , block_status_p1=0xbb
[    1.760000] load bbt table:0 page:704
[rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !!
check bbt table:0 OK
[dump_BBT] Nand BBT Content
[    1.800000] [0] (0, ff, 0, 3ff)
[    1.810000] 11 rtkxxpart partitions found on MTD device rtk_nand
[    1.830000] Creating 11 MTD partitions on "rtk_nand":
[    1.860000] Realtek WLAN driver - version 1.7 (2015-10-30)(SVN:Unversioned directory)
[    1.890000] Adaptivity function - version 9.3.4
[    1.900000] Device Name = RTKWiFi0
[    1.910000] VIF_NUM=9
[    1.920000] MACHAL_version_init
[    1.930000] RFE TYPE =0
[    1.940000] RFE TYPE =0
[    1.950000] RFE TYPE =0
[    1.960000] RFE TYPE =0
[    1.960000] RFE TYPE =0
[    1.970000] RFE TYPE =0
[    1.980000] RFE TYPE =0
[    1.990000] RFE TYPE =0
[    2.000000] RFE TYPE =0
[    2.010000] RFE TYPE =0
[    2.020000] RFE TYPE =0
[    2.020000] lumi_btn_probe reset btn=7
[    2.040000] [rtl819x_gpio_request][42]: pin7
[    2.050000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x13000000 mux_reg=0xb8000800 val=0x600000,                    CNR_REG=0xffffff7f MUX_REG=0x13600000
[    2.090000] [rtl819x_gpio_direction_input][120]: set pin7 as input pin, DIR_REG=0xff000000
[    2.110000] rtl819x_gpio: GPIO7 requests IRQ79
[    2.130000] input: lumi_key as /devices/virtual/input/input0
[    2.140000] i2c /dev entries driver
[    2.160000] [rtl819x_gpio_request][42]: pin57
[    2.170000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x33320000 mux_reg=0xb8000834 val=0x20000,                      CNR_REG=0xfd40033f MUX_REG=0x33320000
[    2.210000] [rtl819x_gpio_direction_output][150]: set pin57 as output pin, default value=1, DIR_REG=0x2bffcc0 DAT_REG=0x30b7800
[    2.240000] rtl819x_gpio: GPIO57 requests IRQ129
[    2.260000] [rtl819x_gpio_request][42]: pin56
[    2.270000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x33320000 mux_reg=0xb8000834 val=0x300000,                    CNR_REG=0xfc40033f MUX_REG=0x33320000
[    2.310000] [rtl819x_gpio_direction_output][150]: set pin56 as output pin, default value=1, DIR_REG=0x3bffcc0 DAT_REG=0x30b7800
[    2.340000] rtl819x_gpio: GPIO56 requests IRQ128
[    2.360000] [rtl819x_gpio_request][42]: pin54
[    2.370000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x33320000 mux_reg=0xb8000834 val=0x30000000,                        CNR_REG=0xfc00033f MUX_REG=0x33320000
[    2.410000] [rtl819x_gpio_direction_output][150]: set pin54 as output pin, default value=0, DIR_REG=0x3fffcc0 DAT_REG=0x30b7800
[    2.450000] rtl819x_gpio: GPIO54 requests IRQ126
[    2.460000] TCP: cubic registered
[    2.470000] NET: Registered protocol family 10
[    2.490000] sit: IPv6 over IPv4 tunneling driver
[    2.500000] NET: Registered protocol family 17
[    2.520000] Key type dns_resolver registered
[    2.530000]
[    2.530000] Probing RTL819X NIC-kenel stack size order[0]...
[    3.220000] eth0 added. vid=9 Member port 0x110...
[    3.240000] eth1 added. vid=8 Member port 0x0...
[    3.260000] Key type encrypted registered
[    3.280000] VFS: Mounted root (squashfs filesystem) readonly on device 31:8.
[    3.300000] Freeing unused kernel memory: 192K (80610000 - 80640000)
init started: BusyBox v1.22.1 (2020-06-22 16:58:24 CST)
[    4.380000] WlanSupportAbility = 0x3
[    4.390000] [ODM_software_init]
[    4.390000] [97F] Bonding Type 97FS, PKG1
[    4.390000] [97F] RFE type 0 PHY paratemters: DEFAULT
[    4.390000] clock 40MHz
[    4.390000] load efuse ok
[    4.390000] rom_progress: 0x200006f
[    4.390000] rom_progress: 0x400006f
[    4.470000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size
[    4.480000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0]
[    4.700000] [GetHwReg88XX][rtl8197Ffw]
[    4.710000] [GetHwReg88XX][rtl8197Ffw size]
[    5.160000] [97F] Default BB Swing=30
[    5.310000] device eth0 entered promiscuous mode
[    5.330000] device wlan0 entered promiscuous mode
[    5.350000] br0: port 2(wlan0) entered forwarding state
[    5.360000] br0: port 2(wlan0) entered forwarding state
=== Linux Firmware ===
version=1.4.6_0012
branch=aqara-rtl8197-gateway
try mount ubi0!!!
test for jacky![    5.450000] UBI: attaching mtd10 to ubi0

[    6.770000] UBI: scanning is finished
[    6.820000] UBI: attached mtd10 (name "AppData", size 56 MiB) to ubi0
[    6.840000] UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    6.860000] UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    6.880000] UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
[    6.900000] UBI: good PEBs: 449, bad PEBs: 0, corrupted PEBs: 0
[    6.920000] UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
[    6.940000] UBI: max/mean erase counter: 708/127, WL threshold: 4096, image sequence number: 1972655063
[    6.970000] UBI: available PEBs: 0, total reserved PEBs: 449, PEBs reserved for bad PEB handling: 20
[    7.000000] UBI: background thread "ubi_bgt0d" started, PID 932
UBI device number 0, total 449 LEBs (57012224 by[    7.040000] UBIFS: parse sync
tes, 54.4 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
[    7.150000] UBIFS: background thread "ubifs_bgt0_0" started, PID 939
[    7.270000] UBIFS: recovery needed
[    7.870000] UBIFS: recovery completed
[    7.880000] UBIFS: mounted UBI device 0, volume 0, name "ubifs1"
[    7.900000] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    7.930000] UBIFS: FS size: 52695040 bytes (50 MiB, 415 LEBs), journal size 2666496 bytes (2 MiB, 21 LEBs)
[    7.950000] UBIFS: reserved for root: 2488917 bytes (2430 KiB)
[    7.970000] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 16B479AC-F1B4-4F83-8607-942FBC1957B7, small LPT model
is old unecrypt [    8.130000] [rtl819x_gpio_request][42]: pin18
dir!
[    8.150000] [rtl819x_gpio_pin_enable][277]: mask=0xf00 mux=0x455000 mux_reg=0xb8000808 val=0x600,                    CNR_REG=0xfffbff7f MUX_REG=0x455600
[    8.190000] rtl819x_gpio: GPIO18 requests IRQ90
[    8.210000] [rtl819x_gpio_direction_output][150]: set pin18 as output pin, default value=0, DIR_REG=0xff040000 DAT_REG=0x40080
[    8.250000] [rtl819x_gpio_request][42]: pin9
[    8.260000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x455600 mux_reg=0xb8000808 val=0xa0000,                        CNR_REG=0xfffbfd7f MUX_REG=0x4a5600
[    8.300000] rtl819x_gpio: GPIO9 requests IRQ81
[    8.320000] [rtl819x_gpio_direction_output][150]: set pin9 as output pin, default value=0, DIR_REG=0xff040200 DAT_REG=0x40080
MAC=64:90:C1:78:44:36
[    8.510000] [rtl819x_gpio_request][42]: pin31
[    8.530000] [rtl819x_gpio_pin_enable][277]: mask=0xf0 mux=0x22220077 mux_reg=0xb800083c val=0x70,                    CNR_REG=0x7ffbfd7f MUX_REG=0x22220077
[    8.710000] rtl819x_gpio: GPIO31 requests IRQ103
[    8.720000] [rtl819x_gpio_direction_output][150]: set pin31 as output pin, default value=0, DIR_REG=0xff040200 DAT_REG=0x40280
=== RootFS Firmware ===
product=aqara-rtl8197-mijia-gateway
branch=release-1.4.7_0060
VERSION=1.4.7_0065
version=1.4.7_0065
run /bin/pre_check.sh...
Check HK setup pass.
Will Start OT!!
device br0 already exists; can't create bridge with the same name
device wlan0 is already a member of a bridge; can't enslave it to bridge br0.
bridge name     bridge id               STP enabled     interfaces
br0             8000.6490c1784436       no              eth0
                                                        wlan0
killall: miio_agent: no process killed
killall: miio_client: no process killed
killall: miio_client_helper_nomqtt.sh: no process killed
killall: basic_app: no process killed
killall: basic_gw: no process killed
killall: wpa_supplicant: no process killed
killall: udhcpd: no process killed
killall: udhcpc: no process killed
killall: hostapd: no process killed
killall: eth0_start.sh: no process killed
killall: wifi_start.sh: no process killed
[   10.170000] br0: port 2(wlan0) entered disabled state
[   10.190000] WlanSupportAbility = 0x3
[   10.200000] [ODM_software_init]
[   10.200000] [97F] Bonding Type 97FS, PKG1
[   10.200000] [97F] RFE type 0 PHY paratemters: DEFAULT
[   10.200000] clock 40MHz
[   10.200000] load efuse ok
[   10.200000] rom_progress: 0x200006f
[   10.200000] rom_progress: 0x400006f
[   10.280000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size
[   10.290000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0]
[   10.510000] [GetHwReg88XX][rtl8197Ffw]
[   10.520000] [GetHwReg88XX][rtl8197Ffw size]
[   10.970000] [97F] Default BB Swing=30
[   10.980000] br0: port 2(wlan0) entered forwarding state
[   10.990000] br0: port 2(wlan0) entered forwarding state
969 connect
miio_agent --- dead ---reboot
miio_client --- dead ---reboot
device wlan0 is already a member of a bridge; can't enslave it to bridge br0.
[   12.060000] br0: port 2(wlan0) entered disabled state
[   12.080000] WlanSupportAbility = 0x3
[   12.090000] [ODM_software_init]
[   12.090000] [97F] Bonding Type 97FS, PKG1
[   12.090000] [97F] RFE type 0 PHY paratemters: DEFAULT
[   12.090000] clock 40MHz
[   12.090000] load efuse ok
[   12.090000] rom_progress: 0x200006f
[   12.090000] rom_progress: 0x400006f
[   12.170000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size
[   12.180000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0]
[   12.400000] [GetHwReg88XX][rtl8197Ffw]
[   12.410000] [GetHwReg88XX][rtl8197Ffw size]
[   12.860000] [97F] Default BB Swing=30
[   12.870000] br0: port 2(wlan0) entered forwarding state
[   12.880000] br0: port 2(wlan0) entered forwarding state
restart wpa_supplicant...
killall: wpa_supplicant: no process killed
wpa_supplicant has been killed, then restart it...
2
[   14.190000] store_tty0_enable buf=disable
[   14.190000] , count=8
[   15.160000] br0: port 2(wlan0) entered disabled state
[   18.820000] br0: port 2(wlan0) entered forwarding state
[   18.840000] br0: port 2(wlan0) entered forwarding state
[   19.200000] [rtl819x_gpio_request][42]: pin36
[   19.210000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x0 mux_reg=0xb8000844 val=0x10000,                     CNR_REG=0xfc00032f MUX_REG=0x10000
[   19.530000] i2c_designware i2c_designware.1: i2c_dw_handle_tx_abort: slave address not acknowledged (7bit mode)
[   19.820000] rtl819x_gpio: GPIO36 requests IRQ108
[   19.990000] [rtl819x_gpio_direction_output][150]: set pin36 as output pin, default value=0, DIR_REG=0x3fffcd0 DAT_REG=0x3083800
[   28.860000] br0: port 2(wlan0) entered forwarding state

Boot process is failing now:

bad UART log
uart ok
strap pin:0x412b8ae2
enable spi-nand
ROM ver:v1.1, sig:455cc27, time:2016.01.04-18:42+0800, CPU(400 MHz), DDR2(533 MHz)
load efuse ok
init IP ok
rom_progress: 0x0600006d
load_data_from_storage(260): 0xbfe01540, 0x00000000, 0xbfd16f44
load_data_from_spi_nand_flash(70): 0xbfe01540, 0x00000000, 0xbfe03e18
check_image_header(72): h(69,72,61,6d), s(69,72,61,6d)
img sig ok
rom_progress: 0x0c00006d
load_data_from_spi_nand_flash(81) 0x00000004 0x000024ba
load_data_from_spi_nand_flash(86): 0xbfe01d40, 0x00000001, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02540, 0x00000002, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02d40, 0x00000003, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe03540, 0x00000004, 0xbfe03e18
load_data_from_spi_nand_flash(90) read done (size:9402)
chksum ok
rom_progress: 0x0e00006d
load img ok
rom_progress: 0x1000006d
jump 0xbfe01550

Booting...
SPI NAND clock not enable

SPI Nand ID=00efaa21
SPI Nand die chipsize=0x08000000 byte
SPI Nand dienum=1,
SPI Nand blocksize=0x00020000 byte,
SPI Nand pagesize=0x00000800 byte,
SPI Nand oobsize=0x00000040 byte,
[rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024
[rtkn_scan_bbt, line 1822] block_v2r_num 00000400
[rtk_scan_v2r_bbt]:678,RBA=00000033,2=00000400,
[rtk_scan_v2r_bbt]:684,block_v2r_num=000003cd
INFO: Stored BBT in Die 0: block=8 , block_status_p1=0x000000bb
load bbt v2r table:0 page:512
[rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !!
check v2r bbt table:0 OK
[rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704
INFO: Stored BBT in Die 0: block=11 , block_status_p1=0x000000bb
load bbt table:0 page:704
[rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !!
check bbt table:0 OK
[dump_BBT] Nand BBT Content
[0] (00000000, 000000ff, 00000000, 000003ff)
=>CPU Wake-up interrupt happen! GISR=09000084

Realtek RTL8197F boot code at 2019.11.25-17:17+0800 v3.4T-pre2.1 (993MHz)
-- version: 1.0.2.005 --
Info: Load boot_info success!
=== bootloader for mijia_gw ===
boot_info: ver:0
kernel: newest:0, curr:0
rootfs: newest:0, curr:0
kernel[0]: sum:0x0000, size:0, fail:0
      [1]: sum:0x0000, size:0, fail:0
rootfs[0]: sum:0x0000, size:0, fail:0
      [1]: sum:0x0000, size:0, fail:0
root_sum_check: off
watchdog_time: 0
boot_version: 1.0.2.005
priv mode
Info: kernel 0 is invalid
Info: kernel 1 is invalid
Warn: all kernels are invalid !

---Ethernet init Okay!
<RealTek>

I have no idea how to repair boot_info

@zvldz
Copy link
Contributor

zvldz commented Dec 3, 2020

I have no idea how to repair boot_info
https://github.com/serrj-sv/lumi.gateway.mgl03/tree/main/uart_recovery

@OrgoneBlaster
Copy link

OrgoneBlaster commented Dec 5, 2020

for global hub ZNDMWG02LM with firmware 1.4.6_0043 we should be able to open telnet using similar method (uart + boot to bootloader). if somebody wants to try tag me in this thread.

Hello,

@rezmus Is the "ZNDMWG02LM with firmware 1.4.6_0043" contains telnet? I am not able to connect to the Gateway. No promt only a message box with a "connection refused" error message. Is the telnet disabled by default?

@AlexxIT
Copy link
Owner

AlexxIT commented Dec 5, 2020

Telnet disabled by default. Setup my component, it will enable telnet

@OrgoneBlaster
Copy link

@thx AlexxIT
How can I do that? Do I need to flash a custom fw?

@AlexxIT
Copy link
Owner

AlexxIT commented Dec 5, 2020

Do you get telnet password?

@lastoks
Copy link

lastoks commented Dec 5, 2020

for global hub ZNDMWG02LM with firmware 1.4.6_0043 we should be able to open telnet using similar method (uart + boot to bootloader). if somebody wants to try tag me in this thread.

Hi @rezmus,
yes thats works fine with your instructions.
I get the Telnet password and can open telnet with miio cmd.

@OrgoneBlaster
Copy link

No. I succesfully dumped the boot info. But I got an error when I pasted into the "Factory extractor" is says: "You need to enter correct data! (lines)"

I pasted this:
image
and the mac address

@rezmus
Copy link

rezmus commented Dec 5, 2020

@OrgoneBlaster you need to dump factory partition (not boot_info), then use it to decode password.

https://github.com/AlexxIT/XiaomiGateway3/wiki/Decode-Telnet-Password

hold "u" during power on, then

dbgmsg 9
ri 0 1 1
snwbi
snwbrecc a0000000 180 1e0
db a0000000 1e0

@OrgoneBlaster
Copy link

@OrgoneBlaster you need to dump factory partition (not boot_info), then use it to decode password.

https://github.com/AlexxIT/XiaomiGateway3/wiki/Decode-Telnet-Password

hold "u" during power on, then

dbgmsg 9
ri 0 1 1
snwbi
snwbrecc a0000000 180 1e0
db a0000000 1e0

Thanks it worked. I mixed the partitons.

@OrgoneBlaster
Copy link

Is it possible to read out the token from the ZNDMWG02LM version?

@alekc
Copy link

alekc commented Dec 25, 2020

I am having some issues with getting into the bootloader. I've soldered tx and rx (not sure if) and I am able to see the booting process from the board (however some characters are messed up, not sure if that means that my connection is not good enough).

But I never reach the stage where I can see any input Realtek prompt.
putty2.log

Any suggestions?

@zvldz
Copy link
Contributor

zvldz commented Dec 25, 2020

Any suggestions?

Clean board with alcohol at soldering points

@vitaly74
Copy link

vitaly74 commented Jan 3, 2021

Hello! Can you help me?)
I brick my gateway (1 time usb power was not good, and 2time rx connector disconnected during flashing (( )
Now I have this log:
`spawn [open ...]

Power ON Gateway NOW!
uart ok
strap pin:0x412b8ae2
enable spi-nand
ROM ver:v1.1, sig:455cc27, time:2016.01.04-18:42+0800, CPU(400 MHz), DDR2(533 MHz)
load efuse ok
init IP ok
rom_progress: 0x0600006d
load_data_from_storage(260): 0xbfe01540, 0x00000000, 0xbfd16f44
load_data_from_spi_nand_flash(70): 0xbfe01540, 0x00000000, 0xbfe03e18
check_image_header(72): h(69,72,61,6d), s(69,72,61,6d)
img sig ok
rom_progress: 0x0c00006d
load_data_from_spi_nand_flash(81) 0x00000004 0x000024ba
load_data_from_spi_nand_flash(86): 0xbfe01d40, 0x00000001, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02540, 0x00000002, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02d40, 0x00000003, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe03540, 0x00000004, 0xbfe03e18
load_data_from_spi_nand_flash(90) read done (size:9402)
chksum ok
rom_progress: 0x0e00006d
load img ok
rom_progress: 0x1000006d
jump 0xbfe01550

Booting...
SPI NAND clock not enable

SPI Nand ID=00efaa21
SPI Nand die chipsize=0x08000000 byte
SPI Nand dienum=1,
SPI Nand blocksize=0x00020000 byte,
SPI Nand pagesize=0x00000800 byte,
SPI Nand oobsize=0x00000040 byte,
[rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024
[rtkn_scan_bbt, line 1822] block_v2r_num 00000400
[rtk_scan_v2r_bbt]:678,RBA=00000033,2=00000400,
[rtk_scan_v2r_bbt]:684,block_v2r_num=000003cd
INFO: Stored BBT in Die 0: block=8 , block_status_p1=0x000000bb
load bbt v2r table:0 page:512
[rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !!
check v2r bbt table:0 OK
[rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704
INFO: Stored BBT in Die 0: block=11 , block_status_p1=0x000000bb
load bbt table:0 page:704
[rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !!
check bbt table:0 OK
[dump_BBT] Nand BBT Content
Congratulation!! No BBs in this Nand.
=>CPU Wake-up interrupt happen! GISR=09000084

Realtek RTL8197F boot code at 2019.11.25-17:17+0800 v3.4T-pre2.1 (993MHz)
-- version: 1.0.2.005 --
Info: Load boot_info success!
=== bootloader for mijia_gw ===
boot_info: ver:0
kernel: newest:0, curr:0
rootfs: newest:0, curr:0
kernel[0]: sum:0xc8cf, size:2157572, fail:3
[1]: sum:0xc8cf, size:2157572, fail:3
rootfs[0]: sum:0x6bc7, size:10383362, fail:0
[1]: sum:0x6bc7, size:10383362, fail:0
root_sum_check: off
watchdog_time: 0
boot_version: 1.0.2.005
priv mode
Info: kernel 0 is invalid
Info: kernel 1 is invalid
Warn: all kernels are invalid !

---Ethernet init Okay!
<RealTek>
<RealTek>
<RealTek>
spawn sh -c sx -vv -X -b rtkboot_38400.bin < /dev/ttyUSB0 > /dev/ttyUSB0
Sending rtkboot_38400.bin, 773 blocks: Give your local XMODEM receive command now.
Retry 0: Receiver Cancelled

Transfer incomplete

<RealTek>
<RealTek>
<RealTek>
<RealTek>
<RealTek>
<RealTek>
<RealTek>
<RealTek>

At stage
Sending rtkboot_38400.bin, 773 blocks: Give your local XMODEM receive command now.
everything freezes for about 5 minutes and in syslog sx [18248]: [root] XMODEM / rtkboot_38400.bin: error occured

I am using Raspberry 3b+ with rasbian 10 and manual https://github.com/AlexxIT/XiaomiGateway3/wiki/Downgrade-Firmware

can my gateway still be reanimated or is it a victim?)

@vitaly74
Copy link

vitaly74 commented Jan 5, 2021

I found a solution!
IMPORTANT: after the contacts have been soldered, treat the soldering area with alcohol and dry it - otherwise the process would stop in a random order! Thanks a lot for this script, the gateway works great!

@Hyoengju-Johannes-Lee
Copy link

@serrj-sv
Thanks for the guide worked perfect on ZNDMWG03LM on a windows 10 PC with an CP2102 USB 2.0 to UART adapter.

Hello.! I have an cp2102 module, but Idk how the module can be "3.3V mode"..! Do I need something to do to make it? If you can help me by just writing a few sentences, it would be very helpful.!

@alekc
Copy link

alekc commented Jan 25, 2021

@Hyoengju-Johannes-Lee usually there is a switch. You can always verify the voltage by using the voltmeter (uploading an image of your module might help as well)

@Hyoengju-Johannes-Lee
Copy link

@Hyoengju-Johannes-Lee usually there is a switch. You can always verify the voltage by using the voltmeter (uploading an image of your module might help as well)

https://ko.aliexpress.com/item/32637261853.html?spm=a2g0o.productlist.0.0.6ee928aeJJk7B7&algo_pvid=2acd6847-cf31-4557-aed6-ecbb66f9e5ac&algo_expid=2acd6847-cf31-4557-aed6-ecbb66f9e5ac-10&btsid=0bb0600116115835881277116ea1f6&ws_ab_test=searchweb0_0,searchweb201602_,searchweb201603_

This product is what I have.! It seems that there is no switch and I have no voltmeter... 😞

@Snoekebeest
Copy link

@Hyoengju-Johannes-Lee usually there is a switch. You can always verify the voltage by using the voltmeter (uploading an image of your module might help as well)

https://ko.aliexpress.com/item/32637261853.html?spm=a2g0o.productlist.0.0.6ee928aeJJk7B7&algo_pvid=2acd6847-cf31-4557-aed6-ecbb66f9e5ac&algo_expid=2acd6847-cf31-4557-aed6-ecbb66f9e5ac-10&btsid=0bb0600116115835881277116ea1f6&ws_ab_test=searchweb0_0,searchweb201602_,searchweb201603_

This product is what I have.! It seems that there is no switch and I have no voltmeter... 😞

I didn't used the power from the module. just used the rxd, txd and ground. I used the usb as power just like the guide.

@dwojtkowiak
Copy link

tera_term_capture
Hi,
I have an issue with uart recovery. Provided macro stops at line 67 once bootloader is transferred via xmodem. Any idea what might be wrong?

@Hyoengju-Johannes-Lee
Copy link

@Hyoengju-Johannes-Lee usually there is a switch. You can always verify the voltage by using the voltmeter (uploading an image of your module might help as well)

https://ko.aliexpress.com/item/32637261853.html?spm=a2g0o.productlist.0.0.6ee928aeJJk7B7&algo_pvid=2acd6847-cf31-4557-aed6-ecbb66f9e5ac&algo_expid=2acd6847-cf31-4557-aed6-ecbb66f9e5ac-10&btsid=0bb0600116115835881277116ea1f6&ws_ab_test=searchweb0_0,searchweb201602_,searchweb201603_
This product is what I have.! It seems that there is no switch and I have no voltmeter... 😞

I didn't used the power from the module. just used the rxd, txd and ground. I used the usb as power just like the guide.

Okay.! Thank you so much.! For the people who would use CP2102, I make a comment on what I found too.! The RXD, TXD output is 3.3V, so you can just follow without "changing the mode."

@dwojtkowiak
Copy link

tera_term_capture
Hi,
I have an issue with uart recovery. Provided macro stops at line 67 once bootloader is transferred via xmodem. Any idea what might be wrong?

This is log output once power on device. Possible to recover?

uart ok
strap pin:0x412b8ae2
enable spi-nand
ROM ver:v1.1, sig:455cc27, time:2016.01.04-18:42+0800, CPU(400 MHz), DDR2(533 MHz)
load efuse ok
init IP ok
rom_progress: 0x0600006d
load_data_from_storage(260): 0xbfe01540, 0x00000000, 0xbfd16f44
load_data_from_spi_nand_flash(70): 0xbfe01540, 0x00000000, 0xbfe03e18
check_image_header(72): h(69,72,61,6d), s(69,72,61,6d)
img sig ok
rom_progress: 0x0c00006d
load_data_from_spi_nand_flash(81) 0x00000004 0x000024ba
load_data_from_spi_nand_flash(86): 0xbfe01d40, 0x00000001, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02540, 0x00000002, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02d40, 0x00000003, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe03540, 0x00000004, 0xbfe03e18
load_data_from_spi_nand_flash(90) read done (size:9402)
chksum ok
rom_progress: 0x0e00006d
load img ok
rom_progress: 0x1000006d
jump 0xbfe01550
exec from sram done
rom_progress: 0x0a00006d

dram_init.c : ss_init_rxi310()

dram_init.c : ms_ctrl_0_map=0xb8142000
ss_init_rxi310(1902):bond:0x0000000a

dram_init_clk_frequency ,ddr_freq=1066 (Mbps), 533 (MHZ)
mck_ck = 0, 1084

JSW : dram_init_rxi310 ,dev_map=0xb8142000

JSW : dram_init_rxi310 ,dram_info=0x9fe03f20

JSW : dram_init_rxi310 001

dfi_rate=2,dram_period=3752

JSW : dram_init_rxi310 002

SDR D1 dram_info-> dev-> device_type=2 ,cr_twr=3

DDR2 dram_info-> dev-> device_type=2

DDR2 dram_info-> mode_reg-> bst_len=0

SDR dq_width=2

SDR page=3

SDR dram_info-> dev-> bank =1

cr_bst_len =0

SDR dfi_rate=2

SDR dq_width=2

ddr_type =2

SDR cas_rd /(dfi_rate)=3

SDR cas_wr /(dfi_rate) =3

SDR dev_map-> dcr =0x00000222

SDR dev_map-> iocr=0x00204000

dev_map-> emr1=0x00000006

dev_map-> mr=0x00000672

SDR dev_map-> drr=0x0912be1c

SDR dev_map-> tpr0=0x000066c4

SDR dev_map-> tpr1=0x002a9104

SDR dev_map-> tpr2=0x00000042

DRAM init disable

DRAM init enable

DRAM init is done , jump to DRAM

SDR init done , dev_map=0xb8142000
Enter dram_auto_size_detect_rxi310, page_size = 3, bank_size = 1

DDR2 dram_info-> mode_reg-> bst_len=0

Detect page_size = 3, not detected

Detect bank_size = 2 , not detected

Detect dram size >= 256MB

dram_init.c : dram_calibration_turn_on_odt.

Perform sample dram testing
init ddr fail
rom_progress: 0x0900006d
load_data_from_storage(260): 0xa0500000, 0x00000000, 0xbfd16f4c
load_data_from_spi_nand_flash(70): 0xa0500000, 0x00000000, 0xbfe03e30

ECC_DECODE_FAIL,ecc_start_addr = 0xa0500000
check_image_header(72): h(ff,7f,ff,ff), s(62,6f,6f,74)
img sig err
rom_progress: 0x0d00006d
load_data_from_storage(260): 0xa0500000, 0x00000080, 0xbfd16f4c
load_data_from_spi_nand_flash(70): 0xa0500000, 0x00000080, 0xbfe03e30

ECC_DECODE_FAIL,ecc_start_addr = 0xa0500000
check_image_header(72): h(ff,7f,ff,ff), s(62,6f,6f,74)
img sig err
rom_progress: 0x0d00006d
load_data_from_storage(260): 0xa0500000, 0x00000100, 0xbfd16f4c
load_data_from_spi_nand_flash(70): 0xa0500000, 0x00000100, 0xbfe03e30

ECC_DECODE_FAIL,ecc_start_addr = 0xa0500000
check_image_header(72): h(ff,7f,ff,ff), s(62,6f,6f,74)
img sig err
rom_progress: 0x0d00006d
load_data_from_storage(260): 0xa0500000, 0x00000180, 0xbfd16f4c
load_data_from_spi_nand_flash(70): 0xa0500000, 0x00000180, 0xbfe03e30

ECC_DECODE_FAIL,ecc_start_addr = 0xa0500000
check_image_header(72): h(ff,7f,ff,ff), s(62,6f,6f,74)
img sig err
rom_progress: 0x0d00006d
load img fail(0xffffffff)
rom_progress: 0x1100006d

@AlexxIT AlexxIT unpinned this issue Mar 15, 2021
@AlexxIT
Copy link
Owner

AlexxIT commented Mar 15, 2021

No longer relevant today

@AlexxIT AlexxIT closed this as completed Mar 15, 2021
@aparadox1
Copy link

aparadox1 commented Nov 30, 2021

@tsunglung please describe xmodem method.

xmrx 80000000 (start address of RAM) then start upload using your terminal program. beware, your're limited by ram size then you can copy from RAM to NAND: snwbi snwbwecc 80000000 [offset_on_nand/2048] [lenght_of_image_in_bytes]

Hi. You can help me? boot_info my aqara hub M1S have big size. How can I resize boot_info
Command db 0xa0a00000 55 return next info:
[Addr] .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .A .B .C .D .E .F
A0A00000: 7C 91 00 00 96 3B 00 00 00 00 00 20 EC 04 CB 43 |....;..... ...C
A0A00010: 00 00 20 EC 04 C8 CF 00 00 9A 40 04 74 2C 00 00 .. [email protected],..
A0A00020: 82 80 04 62 C6 00 00 00 01 31 2E 30 2E 32 2E 30 ...b.....1.0.2.0
A0A00030: 30 35 00 00 00 00 00 00 20 00 04 00 00 00 00 20 05...... ......
A0A00040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
A0A00050: 00 00 00 00 00

db a0000000 1e0
[Addr] .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .A .B .C .D .E .F
A0000000: 20 20 20 49 6E 73 69 67 68 74 73 0A 3C 2F 61 3E Insights.
A0000010: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
A0000020: 3C 2F 6C 69 3E 0A 20 20 20 20 20 20 20 20 20 20 .
A0000030: 20 20 3C 2F 75 6C 3E 0A 0A 3C 2F 64 65 74 61 69 ..</detai
A0000040: 6C 73 2D 6D 65 6E 75 3E 3C 2F 64 69 76 3E 0A 3C ls-menu>.<
A0000050: 2F 64 65 74 61 69 6C 73 3E 3C 2F 64 69 76 3E 0A /details>.
A0000060: 3C 2F 6E 61 76 3E 0A 20 20 3C 2F 64 69 76 3E 0A . .
A0000070: 0A 0A 0A 3C 64 69 76 20 63 6C 61 73 73 3D 22 63 ...

. <div id="r
A00000D0: 65 70 6F 2D 63 6F 6E 74 65 6E 74 2D 70 6A 61 78 epo-content-pjax
A00000E0: 2D 63 6F 6E 74 61 69 6E 65 72 22 20 63 6C 61 73 -container" clas
A00000F0: 73 3D 22 72 65 70 6F 73 69 74 6F 72 79 2D 63 6F s="repository-co
A0000100: 6E 74 65 6E 74 20 22 20 3E 0A 0A 20 20 20 20 0A ntent " >.. .
A0000110: 0A 0A 20 20 20 20 0A 20 20 20 20 20 20 0A 20 20 .. . .
A0000120: 0A 20 20 0A 3C 64 69 76 3E 0A 20 20 0A 0A 0A 0A . .
. ....
A0000130: 20 20 20 20 3C 61 20 63 6C 61 73 73 3D 22 64 2D <a class="d-
A0000140: 6E 6F 6E 65 20 6A 73 2D 70 65 72 6D 61 6C 69 6E none js-permalin
A0000150: 6B 2D 73 68 6F 72 74 63 75 74 22 20 64 61 74 61 k-shortcut" data
A0000160: 2D 68 6F 74 6B 65 79 3D 22 79 22 20 68 72 65 66 -hotkey="y" href
A0000170: 3D 22 2F 6E 69 63 65 62 6F 79 67 69 74 68 75 62 ="/niceboygithub
A0000180: 2F 41 71 61 72 61 4D 31 53 4D 32 66 77 2F 62 6C /AqaraM1SM2fw/bl
A0000190: 6F 62 2F 33 30 37 38 31 61 39 30 63 30 39 61 64 ob/30781a90c09ad
A00001A0: 62 33 38 30 37 62 38 30 61 65 35 34 33 36 35 62 b3807b80ae54365b
A00001B0: 35 37 32 63 32 35 38 32 64 65 63 2F 72 61 77 2F 572c2582dec/raw/
A00001C0: 62 6F 6F 74 6C 6F 61 64 65 72 5F 31 2E 30 2E 30 bootloader_1.0.0
A00001D0: 5F 30 30 30 31 2F 62 6F 6F 74 6C 6F 61 64 5F 31 _0001/bootload_1

Now the hub is not loading for me. I see loop this information when loading hub:
Found recognized ID, rdid=0x00efaa21
init IP fail(0xffffffff)
init ddr ok
img sig err
ECC_DECODE_FAIL,ecc_start_addr = 0xbfe006e8
img sig err
ECC_DECODE_FAIL,ecc_start_addr = 0xbfe006e8
img sig err
img sig err
load img fail(0xffffffff)
s-boot
uart ok
strap:0x412b8ae2
enable spi-nand
ROM ver:v1.21, sig:866c151, time:2016.11.04-11:26+0800, CPU(400 MHz), DDR2(533 MHz)

@hadifarnoud
Copy link

I have read the wiki documentation on downgrading, but can someone please provide a simplified guide or even a video tutorial? Many people would appreciate it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation
Projects
None yet
Development

No branches or pull requests