Xiaomi Mi Router 3

Revision as of 21:30, 14 May 2018 by Stephen304 (talk | contribs) (Fix formatting)
Jump to navigation Jump to search
Mi Router 3

The Mi Router 3 is a low cost consumer router from Xiaomi. It includes both a 2.4GHz and 5GHz radio and 4 external antennas.

Downgrading

The current flashing process requires being on firmware version 2.11.20. If your router shipped with a different version, or if you upgraded it, you will need to downgrade before you flash a custom firmware. Simply download the 2.11.20 firmware file and proceed with the following instructions.

  1. Save the firmware file as miwifi.bin
  2. Place miwifi.bin on a FAT32 formatted flash drive and insert it into the router's USB port
  3. Hold the reset button while plugging in the router
  4. Once the LED starts flashing orange, release the reset button

Flashing

Prerequisites

  • You must be on firmware version 2.11.20. Refer to the downgrading section if you need to downgrade. You can check your firmware verison in the web ui of the router.
  • Obtain kernel1.bin and rootfs0.bin of the firmware you wish to flash

Steps

  1. Complete the initial setup of the router
  2. Log in to the router and look at the url for stok=<32-sharacter-code>
  3. Load the following 3 URLs in your browser one after another, replacing <STOK> with your 32 character code
  4. http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqnetwork/set_wifi_ap?ssid=Xiaomi&encryption=NONE&enctype=NONE&channel=1%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit
    http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqnetwork/set_wifi_ap?ssid=Xiaomi&encryption=NONE&enctype=NONE&channel=1%3Bsed%20%2Di%20%22%3Ax%3AN%3As%2Fif%20%5C%5B%2E%2A%5C%3B%20then%5Cn%2E%2Areturn%200%5Cn%2E%2Afi%2F%23tb%2F%3Bb%20x%22%20%2Fetc%2Finit.d%2Fdropbear
    http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqnetwork/set_wifi_ap?ssid=Xiaomi&encryption=NONE&enctype=NONE&channel=1%3B%2Fetc%2Finit.d%2Fdropbear%20start

    After each one, you should get the response {"msg":"未能连接到指定WiFi(Probe timeout)","code":1616} If you don't get this response, it is safe to retry until you do.

  5. Next, load this URL in your browser, replacing <STOK> with your 32 character code, replacing <OLDPWD> with the admin password you set for the router in step 1, and replacing <NEWPWD> with the desired SSH password
  6. http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/set_name_password?oldPwd=<OLDPWD>&newPwd=<NEWPWD>

    You should get the response {"code":0}

  7. Now you may scp over the kernel1.bin and rootfs0.bin to the router, entering the new password you just set when prompted:
  8. scp lede-ramips-mt7620nand-miwifi-r3-squashfs-kernel1.bin root@192.168.31.1:/tmp/
    scp lede-ramips-mt7620nand-miwifi-r3-squashfs-rootfs0.bin root@192.168.31.1:/tmp/
  9. Log in to the router via SSH:
  10. ssh root@192.168.31.1
  11. Run the following commands:
  12. nvram set flag_last_success=1
    nvram set boot_wait=on
    nvram set uart_en=1
    nvram commit
    mtd write /tmp/lede-ramips-mt7620nand-miwifi-r3-squashfs-kernel1.bin kernel1
    mtd write /tmp/lede-ramips-mt7620nand-miwifi-r3-squashfs-rootfs0.bin rootfs0
    reboot
    

Recovery

In the event of a bad flash, it may be possible to revert the device back to stock.

TODO: Add comprehensive list of recovery methods / Tidy up

  • Stock -> stock = try downgrade instructions
  • LEDE to stock via fw_setenv flag_last_success 0 and reset button

Using Console Access

  1. Save kernel0.bin from here to a TFTP server
  2. Place the 2.11.20 firmware .bin on a FAT32 formatted flash drive and connect it to the router
  3. Boot the router and select option 1 "Load system code to SDRAM via TFTP."
  4. Set an IP for the router and enter the IP of the TFTP server
  5. Enter the name of the file (kernel0.bin)
  6. Wait for it to reboot
  7. It will print something like the following - press and hold reset unitl the LED flashes orange and it will revert back to stock:
[    4.550000] Check for USB recovery...
[    4.580000] Both systems are corrupted... Entering recovery mode
starting pid 81, tty '': '/etc/rcS'
Press reset button to enter USB recovery