Downgrading Firmware of Xiaomi Mijia Smart Multi-Mode Gateway (ZNDMWG03LM)


Hello,

Like many people, I updated the firmware of my Xiaomi hub v3 ZNDMWG03LM to v1.4.7_0065 and now I am screwed because the latest supported version was 1.4.6_0030 [1]. I’ve read on this forum that it is possible to downgrade the firmware: here [3] [4] thanks to @serrj-sv.
I applied the procedure:

  • solder UART (TP8=GND, TP11=Tx, TP4=Rx, TP10=VCC)
  • solder btn1 reboot switch TP5 / GND (not really needed IMO)
  • solder btn2 interrupt communication between flash chip and CPU TP16 / GND
  • make the boot fail by pressing btn2 at boot time (check the boot log via UART)
  • access the bootloader console via UART
  • check help message by sending ?
<RealTek>? 
----------------- COMMAND MODE HELP ------------------
HELP (?)                                    : Print this help message
boot : Boot kernel
boot_info : Show boot info
root_sum_check on|off   : Turn on or off rootfs boot sum check
wd_time <value>  : Set booting watch dog
DB <Address> <Len>
DW <Address> <Len>
EB <Address> <Value1> <Value2>...
EW <Address> <Value1> <Value2>...
CMP: CMP <dst><src><length>
IPCONFIG:<TargetAddress>
MEMCPY:<dst><src><length>
AUTOBURN: 0/1
LOADADDR: <Load Address>
J: Jump to <TargetAddress>
reboot
NANDID: Read NAND Flash ID
NANDBE:<offset><len>
NANDSCRUB:<offset><len>
NANDPIOR:<flash_Paddress><image_addr><image_size>
NANDPIOW:<flash_Paddress><image_addr><image_size>
NANDR:<flash_Paddress><image_addr><image_size>
NANDW:<flash_Paddress><image_addr><image_size>
NANDECCGEN: <source_addr><des_addr><ecc working buffer><length in hex>
NANDBBD:<offset><len>
NANDMARKB:<offset>
NANDFEATURE:<cmd> <address> <value>
NANDT: <cmd> <param>
MDIOR:  MDIOR phyid reg
MDIOW:  MDIOW phyid reg data
PHYR: PHYR <PHYID><reg>
PHYW: PHYW <PHYID><reg><data>
PHYPR: PHYPR <PHYID><page><reg>
PHYPW: PHYPW <PHYID><page><reg><data>
COUNTER: Dump Asic Counter
XMOD <addr>  [jump] 
TI : timer init 
T : test 
ETH : startup Ethernet
CPUClk: 
CP0

My question here: how can I restore the previous version of the firmware?
I do not understand the above commands :wink:
I tried some commands to make it reboot normally without success:

<RealTek>boot_info
=== bootloader for mijia_gw ===
boot_info: ver:0
kernel: newest:0, curr:0
rootfs: newest:0, curr:0
kernel[0]: sum:0x0000, size:0, fail:0
      [1]: sum:0x0000, size:0, fail:0
rootfs[0]: sum:0x0000, size:0, fail:0
      [1]: sum:0x0000, size:0, fail:0
root_sum_check: on
watchdog_time: 0
boot_version: 1.0.2.005
priv mode
status:Sync
<RealTek>boot
Info: kernel 0 is invalid
Info: kernel 1 is invalid
Warn: all kernels are invalid !
<RealTek>

Thanks for any hint / help.

Luc

[1] https://github.com/AlexxIT/XiaomiGateway3#supported-firmwares
[2] Xiaomi Mijia Smart Multi-Mode Gateway (ZNDMWG03LM) support
[3] Xiaomi Mijia Smart Multi-Mode Gateway (ZNDMWG03LM) support

If you have the last info of boot_info, you can program it back to flash.
If you do not have the boot_info, currently there is no way to flash firmware in the bootloader. Only Lumi’s engineers know how to flash firmware in the bootloader.

Yes I have the boot_info:

kernel[0]: sum:0xc8cf, size:2157572, fail:0
      [1]: sum:0xcb43, size:2157572, fail:0
rootfs[0]: sum:0x62c6, size:8552452, fail:0
      [1]: sum:0x742c, size:10108932, fail:0

I do not know how to restore this info.

If you did not touch the firmware in flash, use the following commands in the cli of the bootloader.

The New checksum: 0x78 0x59

eb 0xa0a00000 7c 91 00 00 78 59 00 00 00 00 00 20 ec 04 c8 cf
eb 0xa0a00010 00 00 20 ec 04 cb 43 00 00 82 80 04 62 c6 00 00
eb 0xa0a00020 9a 40 04 74 2c 00 00 00 01 31 2e 30 2e 32 2e 30
eb 0xa0a00030 30 35 00 00 00 00 00
NANDW 0xa0000 0xa0a00000 55

This boot_info will use slot 0 to boot up.
And I guess the version of firmware in slot 1 is 1.4.7.x

Thank you @tsunglung, but it still does not boot.
It seems that the kernel check is failing and then it still goes into the bootloader CLI.
But now the boot_info seems to be restored as it was previously.
Any idea?

uart ok                                                                         
strap pin:0x412b8ae2                                                            
enable spi-nand                                                                 
ROM ver:v1.1, sig:455cc27, time:2016.01.04-18:42+0800, CPU(400 MHz), DDR2(533 MHz)
load efuse ok                                                                   
init IP ok                                                                      
rom_progress: 0x0600006d                                                        
load_data_from_storage(260): 0xbfe01540, 0x00000000, 0xbfd16f44                 
load_data_from_spi_nand_flash(70): 0xbfe01540, 0x00000000, 0xbfe03e18           
check_image_header(72): h(69,72,61,6d), s(69,72,61,6d)                          
img sig ok                                                                      
rom_progress: 0x0c00006d                                                        
load_data_from_spi_nand_flash(81) 0x00000004 0x000024ba                         
load_data_from_spi_nand_flash(86): 0xbfe01d40, 0x00000001, 0xbfe03e18 
load_data_from_spi_nand_flash(86): 0xbfe02540, 0x00000002, 0xbfe03e18 
load_data_from_spi_nand_flash(86): 0xbfe02d40, 0x00000003, 0xbfe03e18 
load_data_from_spi_nand_flash(86): 0xbfe03540, 0x00000004, 0xbfe03e18 
load_data_from_spi_nand_flash(90) read done (size:9402) 
chksum ok
rom_progress: 0x0e00006d
load img ok
rom_progress: 0x1000006d
jump 0xbfe01550

Booting...
SPI NAND clock not enable

SPI Nand ID=00efaa21
SPI Nand die chipsize=0x08000000 byte
SPI Nand dienum=1,
SPI Nand blocksize=0x00020000 byte,
SPI Nand pagesize=0x00000800 byte,
SPI Nand oobsize=0x00000040 byte,
[rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024
[rtkn_scan_bbt, line 1822] block_v2r_num 00000400
[rtk_scan_v2r_bbt]:678,RBA=00000033,2=00000400,
[rtk_scan_v2r_bbt]:684,block_v2r_num=000003cd
INFO: Stored BBT in Die 0: block=8 , block_status_p1=0x000000bb
load bbt v2r table:0 page:512
[rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !!
check v2r bbt table:0 OK
[rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704
INFO: Stored BBT in Die 0: block=11 , block_status_p1=0x000000bb
load bbt table:0 page:704
[rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !!
check bbt table:0 OK
[dump_BBT] Nand BBT Content
[0] (00000000, 00000005, 00000000, 000003ff)
[1] (00000000, 000000f5, 00000000, 000003fe)
[2] (00000000, 000000ff, 00000000, 000003fd)
=>CPU Wake-up interrupt happen! GISR=89000084 
 
Realtek RTL8197F boot code at 2019.11.25-17:17+0800 v3.4T-pre2.1 (993MHz)
-- version: 1.0.2.005 --
Info: Load boot_info success!
=== bootloader for mijia_gw ===
boot_info: ver:0
kernel: newest:0, curr:0
rootfs: newest:0, curr:0
kernel[0]: sum:0xc8cf, size:2157572, fail:0
      [1]: sum:0xcb43, size:2157572, fail:0
rootfs[0]: sum:0x62c6, size:8552452, fail:0
      [1]: sum:0x742c, size:10108932, fail:0
root_sum_check: off
watchdog_time: 0
boot_version: 1.0.2.005
priv mode
Info: loading kernel 0 ...  Done
Info: checking kernel 0 ... Fail
Info: loading kernel 1 ...  Done
Info: checking kernel 1 ... Fail
Warn: all kernels are invalid !
Info: save boot_info

---Ethernet init Okay!
<RealTek>boot_info
=== bootloader for mijia_gw ===
boot_info: ver:0
kernel: newest:0, curr:0
rootfs: newest:0, curr:0
kernel[0]: sum:0xc8cf, size:2157572, fail:1
      [1]: sum:0xcb43, size:2157572, fail:1
rootfs[0]: sum:0x62c6, size:8552452, fail:0
      [1]: sum:0x742c, size:10108932, fail:0
root_sum_check: off
watchdog_time: 0
boot_version: 1.0.2.005
priv mode
status:Sync

@luc1
It looks like your kernel slots 0 and 1 are damaged.
You need to re-program them.

@luc1

you can try

NANDR 0x0020000 0x80a00000 0x20ec80
j 0x80a00000

NANDR 0x01e0000 0x80a00000 0x20ec80
j 0x80a00000

If it can boot up, try to get the Linux firmware, then use fw_update to re-program it.

Hi, I have the same problem as luc1: a corrupted bootloader from trying to interrupt the boot.

kernel[0]: sum:0x0000, size:0, fail:0
          [1]: sum:0x0000, size:0, fail:0
rootfs[0]: sum:0x0000, size:0, fail:0
          [1]: sum:0x0000, size:0, fail:0
root_sum_check: off
watchdog_time: 0
boot_version: 1.0.2.005
priv mode
Info: kernel 0 is invalid
Info: kernel 1 is invalid
Warn: all kernels are invalid !

I hope you can help !

The original values were

kernel[0]: sum:0xcb43, size:2157572, fail:0
          [1]: sum:0xc8cf, size:2157572, fail:0
rootfs[0]: sum:0x742c, size:10108932, fail:0
         [1]: sum:0x62c6, size:8552452, fail:0

What would be the sequence to re-enter these values ?

eb 0xa0a00000 7c 91 00 00 94 39 01 01 01 01 00 20 ec 04 cb 43
eb 0xa0a00010 00 00 20 ec 04 c8 cf 00 00 9a 40 04 74 2c 00 00
eb 0xa0a00020 82 80 04 62 c6 00 00 00 01 31 2e 30 2e 32 2e 30
eb 0xa0a00030 30 35 00 00 00 00 00
NANDW 0xa0000 0xa0a00000 55

@tsunglung thanks for giving ideas.
BTW, do you have any URL to some technical doc, tutorial, … on how to program this chip?

It seems that what you suggested did not work:

<RealTek>NANDR 0x0020000 0x80a00000 0x20ec80
Read NAND Flash from 0x0020000 to 0x80A00000 with 0x20ec80 bytes ?
(Y)es , (N)o ? --> Y
Read NAND Flash Successed!
<RealTek>j 0x80a00000
 Invalid Address(HEX) value.
<RealTek>NANDR 0x01e0000 0x80a00000 0x20ec80
Read NAND Flash from 0x001E0000 to 0x80A00000 with 0x0020EC80 bytes ?
(Y)es , (N)o ? --> Y
Read NAND Flash Successed!
<RealTek>j 0x80a00000
 Invalid Address(HEX) value.
<RealTek>

and reboot log:

uart ok                                                                      
strap pin:0x412b8ae2                                                         
enable spi-nand                                                              
ROM ver:v1.1, sig:455cc27, time:2016.01.04-18:42+0800, CPU(400 MHz), DDR2(533 MHz)
load efuse ok                                                                
init IP ok                              
rom_progress: 0x0600006d                
load_data_from_storage(260): 0xbfe01540, 0x00000000, 0xbfd16f44 
load_data_from_spi_nand_flash(70): 0xbfe01540, 0x00000000, 0xbfe03e18 
check_image_header(72): h(69,72,61,6d), s(69,72,61,6d) 
img sig ok                              
rom_progress: 0x0c00006d
load_data_from_spi_nand_flash(81) 0x00000004 0x000024ba 
load_data_from_spi_nand_flash(86): 0xbfe01d40, 0x00000001, 0xbfe03e18 
load_data_from_spi_nand_flash(86): 0xbfe02540, 0x00000002, 0xbfe03e18 
load_data_from_spi_nand_flash(86): 0xbfe02d40, 0x00000003, 0xbfe03e18 
load_data_from_spi_nand_flash(86): 0xbfe03540, 0x00000004, 0xbfe03e18 
load_data_from_spi_nand_flash(90) read done (size:9402) 
chksum ok
rom_progress: 0x0e00006d
load img ok
rom_progress: 0x1000006d
jump 0xbfe01550

Booting...
SPI NAND clock not enable

SPI Nand ID=00efaa21
SPI Nand die chipsize=0x08000000 byte
SPI Nand dienum=1,
SPI Nand blocksize=0x00020000 byte,
SPI Nand pagesize=0x00000800 byte,
SPI Nand oobsize=0x00000040 byte,
[rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024
[rtkn_scan_bbt, line 1822] block_v2r_num 00000400
[rtk_scan_v2r_bbt]:678,RBA=00000033,2=00000400,
[rtk_scan_v2r_bbt]:684,block_v2r_num=000003cd
INFO: Stored BBT in Die 0: block=8 , block_status_p1=0x000000bb
load bbt v2r table:0 page:512
[rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !!
check v2r bbt table:0 OK
[rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704
WARNING: Die 0: block=11 is bad, block_status_p1=0x00000000
bbt table:0 block:11 page:704 is bad
INFO: Stored BBT in Die 0: block=12 , block_status_p1=0x000000bb
load bbt table:1 page:768
[rtk_nand_scan_bbt] have created bbt table:1 on block 12, just loads it !!
check bbt table:1 OK
[dump_BBT] Nand BBT Content
[0] (00000000, 00000005, 00000000, 000003ff)
[1] (00000000, 000000f5, 00000000, 000003fe)
[2] (00000000, 000000ff, 00000000, 000003fd)
[3] (00000000, 0000000b, 00000000, 000003fc)
=>CPU Wake-up interrupt happen! GISR=89000084 
 
Realtek RTL8197F boot code at 2019.11.25-17:17+0800 v3.4T-pre2.1 (993MHz)
-- version: 1.0.2.005 --
Info: Load boot_info success!
=== bootloader for mijia_gw ===
boot_info: ver:0
kernel: newest:0, curr:0
rootfs: newest:0, curr:0
kernel[0]: sum:0xc8cf, size:2157572, fail:3
      [1]: sum:0xcb43, size:2157572, fail:3
rootfs[0]: sum:0x62c6, size:8552452, fail:0
      [1]: sum:0x742c, size:10108932, fail:0
root_sum_check: off
watchdog_time: 0
boot_version: 1.0.2.005
priv mode
Info: kernel 0 is invalid
Info: kernel 1 is invalid
Warn: all kernels are invalid !

---Ethernet init Okay!
<RealTek>

Thanks!

@rezmus Thank you for the code sequence. It worked! All up and running again.

It should also boot now using the old firmware 1.4.6_0012, if that was your intention :wink:

@luc1

Sorry, I made a typo: no ‘0x’.

j 80a00000

@guardianbs
If you want to boot with slot 0 (1.4.7):

eb 0xa0a00000 7c 91 00 00 96 3b 00 00 00 00 00 20 ec 04 cb 43
eb 0xa0a00010 00 00 20 ec 04 c8 cf 00 00 9a 40 04 74 2c 00 00
eb 0xa0a00020 82 80 04 62 c6 00 00 00 01 31 2e 30 2e 32 2e 30
eb 0xa0a00030 30 35 00 00 00 00 00
NANDW 0xa0000 0xa0a00000 55

If you want to boot up with slot 1:

eb 0xa0a00000 7c 91 00 00 95 3a 00 00 01 01 00 20 ec 04 cb 43
eb 0xa0a00010 00 00 20 ec 04 c8 cf 00 00 9a 40 04 74 2c 00 00
eb 0xa0a00020 82 80 04 62 c6 00 00 00 01 31 2e 30 2e 32 2e 30
eb 0xa0a00030 30 35 00 00 00 00 00
NANDW 0xa0000 0xa0a00000 55

And since you had upgraded to 1.4.7 before, this only switches Linux and the rootfs to the old version.
Bluetooth may not work well with slot 1.
You need to downgrade the Bluetooth firmware as well if you want to downgrade to the old version.

@tsunglung thank you for the reply. @rezmus came back with a reply first, which I implemented, and the hub now boots into 1.4.6_0012 from slot 1. The code from @rezmus had ‘01 01’ in bytes 7 and 8 as opposed to ‘00 00’ in your version, and obviously a different checksum. What is the significance of these 2 bytes?
Also, do you know of any problems that there might be with Bluetooth, and if so how a downgrade might be achieved? After downgrading the kernel and rootfs, Bluetooth worked to pair a device with the hub via the app.

The first 2 bytes of the slot setup are the current kernel/rootfs, the next 2 bytes are the newest. During startup the device always tries to boot using the newest. It’s not important for you, because even if you set them to 00 00 01 01 they will change to 01 01 01 01 after reboot.

Firmware 1.4.7 comes with an update of the BLE app from version 123 to 125, but I don’t think you will run into any problems using the new version with the old kernel/rootfs. If you do, you can always downgrade it via telnet.
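The `eb` sequences posted by @tsunglung and @rezmus above are a 55-byte boot_info record that `NANDW 0xa0000 0xa0a00000 55` copies to flash, and @rezmus explains what the four bytes after the checksum mean. Before running NANDW it is worth checking that the bytes actually encode the sizes and sums recorded from your own hub, since the record for one hub does not fit another (slot order, sizes and sums differ). The Python below is an added example, not code from the thread or from Lumi/Realtek: it joins the `eb` lines into one buffer (refusing any address gap), decodes the record under an assumed layout (4-byte big-endian size, 2-byte sum and 1-byte fail counter per slot, inferred from the posted bytes and printouts, not documented anywhere), and lists every slot whose size or sum disagrees with a pasted `boot_info` printout. The checksum algorithm is not given in the thread, so the decoder only reports the stored value and does not compute or validate it.

```python
"""Added example, not from this thread: decode the boot_info bytes that the `eb`
commands write to RAM and compare them with a recorded `boot_info` printout.
The field layout is an assumption inferred from the posted sequences:
  0..3 header 7c 91 00 00 | 4..5 checksum (algorithm not given; only reported)
  6..9 curr kernel, curr rootfs, newest kernel, newest rootfs (per @rezmus)
  10..37 four 7-byte records kernel[0], kernel[1], rootfs[0], rootfs[1], each
         size (4 bytes BE), sum (2 bytes BE), fail (1 byte)
  38..40 unknown (00 00 01 in every posted sequence) | 41..49 boot_version ASCII
"""
import re
import struct
from collections import namedtuple

EB_RE = re.compile(r"^eb\s+(0x[0-9a-f]+)\s+((?:[0-9a-f]{2}\s*)+)$", re.I)
SLOT_RE = re.compile(r"^\s*(kernel|rootfs)?\s*\[(\d)\]:\s*sum:0x([0-9a-f]+),"
                     r"\s*size:(\d+),\s*fail:(\d+)", re.I)
HEADER = bytes.fromhex("7c910000")
Slot = namedtuple("Slot", "size sum fail")
BootInfo = namedtuple("BootInfo", "checksum curr newest kernel rootfs version")


def assemble_eb(text):
    """Join `eb <addr> <bytes...>` lines into (base_address, bytes); a gap or
    overlap between lines (a mistyped address) raises instead of passing."""
    base = expected = None
    buf = bytearray()
    for line in filter(None, map(str.strip, text.splitlines())):
        m = EB_RE.match(line)
        if not m:
            raise ValueError(f"not an eb line: {line!r}")
        addr, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"expected next line at 0x{expected:x}, got 0x{addr:x}")
        buf += data
        expected = addr + len(data)
    return base, bytes(buf)


def decode_boot_info(raw):
    """Decode a boot_info image according to the assumed layout above."""
    if len(raw) < 50 or raw[:4] != HEADER:
        raise ValueError("unexpected boot_info header or length")
    checksum = struct.unpack_from(">H", raw, 4)[0]
    ck, cr, nk, nr = raw[6:10]
    s = [Slot(*struct.unpack_from(">IHB", raw, 10 + 7 * i)) for i in range(4)]
    version = raw[41:50].rstrip(b"\x00").decode("ascii")
    return BootInfo(checksum, (ck, cr), (nk, nr), (s[0], s[1]), (s[2], s[3]), version)


def parse_printout(text):
    """Extract the kernel[..]/rootfs[..] lines of a `boot_info` printout."""
    part, out = None, {}
    for m in filter(None, map(SLOT_RE.match, text.splitlines())):
        part = m.group(1).lower() if m.group(1) else part  # "[1]" lines inherit the label
        if part is None:
            raise ValueError("slot line before any kernel/rootfs label")
        out[(part, int(m.group(2)))] = Slot(int(m.group(4)), int(m.group(3), 16), int(m.group(5)))
    return out


def mismatches(info, recorded):
    """Size/sum differences between decoded bytes and the recorded printout
    (fail counters are ignored: the bootloader rewrites them on every attempt)."""
    diffs = []
    for part, slots in (("kernel", info.kernel), ("rootfs", info.rootfs)):
        for idx, slot in enumerate(slots):
            rec = recorded.get((part, idx))
            if rec is None or (slot.size, slot.sum) != (rec.size, rec.sum):
                diffs.append(f"{part}[{idx}]: bytes say size={slot.size} "
                             f"sum=0x{slot.sum:04x}, printout says {rec}")
    return diffs


def check(eb_text, printout_text):
    """Decode an eb sequence and compare it with a printout -> (BootInfo, diffs)."""
    info = decode_boot_info(assemble_eb(eb_text)[1])
    return info, mismatches(info, parse_printout(printout_text))


# Sample inputs copied from this thread: @tsunglung's sequence with @luc1's recorded
# printout, then @rezmus's sequence with @guardianbs's recorded printout.
LUC1_EB = """eb 0xa0a00000 7c 91 00 00 78 59 00 00 00 00 00 20 ec 04 c8 cf
eb 0xa0a00010 00 00 20 ec 04 cb 43 00 00 82 80 04 62 c6 00 00
eb 0xa0a00020 9a 40 04 74 2c 00 00 00 01 31 2e 30 2e 32 2e 30
eb 0xa0a00030 30 35 00 00 00 00 00"""
LUC1_PRINTOUT = """kernel[0]: sum:0xc8cf, size:2157572, fail:0
      [1]: sum:0xcb43, size:2157572, fail:0
rootfs[0]: sum:0x62c6, size:8552452, fail:0
      [1]: sum:0x742c, size:10108932, fail:0"""
GUARDIANBS_EB = """eb 0xa0a00000 7c 91 00 00 94 39 01 01 01 01 00 20 ec 04 cb 43
eb 0xa0a00010 00 00 20 ec 04 c8 cf 00 00 9a 40 04 74 2c 00 00
eb 0xa0a00020 82 80 04 62 c6 00 00 00 01 31 2e 30 2e 32 2e 30
eb 0xa0a00030 30 35 00 00 00 00 00"""
GUARDIANBS_PRINTOUT = """kernel[0]: sum:0xcb43, size:2157572, fail:0
          [1]: sum:0xc8cf, size:2157572, fail:0
rootfs[0]: sum:0x742c, size:10108932, fail:0
         [1]: sum:0x62c6, size:8552452, fail:0"""

if __name__ == "__main__":
    print(check(LUC1_EB, LUC1_PRINTOUT))           # no mismatches
    print(check(GUARDIANBS_EB, LUC1_PRINTOUT)[1])  # wrong hub: every slot swapped
```

Running the check with @rezmus's sequence against @luc1's printout reports four mismatches, because the two hubs hold the two firmware versions in opposite slots; that is exactly the case in which copying someone else's sequence verbatim would write a record that does not describe the images actually in flash.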

Hi

When I jump to 80a00000, I get this:

---Ethernet init Okay!
<RealTek>eb 0xa0a00000 7c 91 00 00 96 3b 00 00 00 00 00 20 ec 04 cb 43
<RealTek>eb 0xa0a00010 00 00 20 ec 04 c8 cf 00 00 9a 40 04 74 2c 00 00
<RealTek>eb 0xa0a00020 82 80 04 62 c6 00 00 00 01 31 2e 30 2e 32 2e 30
<RealTek>eb 0xa0a00030 30 35 00 00 00 00 00
<RealTek>NANDW 0xa0000 0xa0a00000 55
Program NAND flash addr 000A0000 from A0A00000 with 00000055 bytes ?
(Y)es, (N)o->y
Write NAND Write Successed!
<RealTek>j 80a00000
---Jump to address=80A00000

reboot.......
Undefined Exception happen.

Is this normal?
So my gateway can’t start anymore.

Show your boot log.

This is my boot log:

uart ok
strap pin:0x412b8ae2
enable spi-nand
ROM ver:v1.1, sig:455cc27, time:2016.01.04-18:42+0800, CPU(400 MHz), DDR2(533 MHz)
load efuse ok
init IP ok
rom_progress: 0x0600006d
load_data_from_storage(260): 0xbfe01540, 0x00000000, 0xbfd16f44
load_data_from_spi_nand_flash(70): 0xbfe01540, 0x00000000, 0xbfe03e18
check_image_header(72): h(69,72,61,6d), s(69,72,61,6d)
img sig ok
rom_progress: 0x0c00006d
load_data_from_spi_nand_flash(81) 0x00000004 0x000024ba
load_data_from_spi_nand_flash(86): 0xbfe01d40, 0x00000001, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02540, 0x00000002, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe02d40, 0x00000003, 0xbfe03e18
load_data_from_spi_nand_flash(86): 0xbfe03540, 0x00000004, 0xbfe03e18
load_data_from_spi_nand_flash(90) read done (size:9402)
chksum ok
rom_progress: 0x0e00006d
load img ok
rom_progress: 0x1000006d
jump 0xbfe01550

Booting...
SPI NAND clock not enable

SPI Nand ID=00efaa21
SPI Nand die chipsize=0x08000000 byte
SPI Nand dienum=1,
SPI Nand blocksize=0x00020000 byte,
SPI Nand pagesize=0x00000800 byte,
SPI Nand oobsize=0x00000040 byte,
[rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024
[rtkn_scan_bbt, line 1822] block_v2r_num 00000400
[rtk_scan_v2r_bbt]:678,RBA=00000033,2=00000400,
[rtk_scan_v2r_bbt]:684,block_v2r_num=000003cd
INFO: Stored BBT in Die 0: block=8 , block_status_p1=0x000000bb
load bbt v2r table:0 page:512
[rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !!
check v2r bbt table:0 OK
[rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704
INFO: Stored BBT in Die 0: block=11 , block_status_p1=0x000000bb
load bbt table:0 page:704
[rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !!
check bbt table:0 OK
[dump_BBT] Nand BBT Content
[0] (00000000, 00000014, 00000000, 000003ff)
[1] (00000000, 000000f7, 00000000, 000003fe)
[2] (00000000, 000000fd, 00000000, 000003fd)
[3] (00000000, 00000019, 00000000, 000003fc)
[4] (00000000, 0000001b, 00000000, 000003fb)
[5] (00000000, 00004050, 00000000, 000003fa)
[6] (00000000, 00004051, 00000000, 000003f9)
[7] (00000000, 00004052, 00000000, 000003f8)
[8] (00000000, 00004053, 00000000, 000003f7)
[9] (00000000, 00004054, 00000000, 000003f6)
[10] (00000000, 00004055, 00000000, 000003f5)
[11] (00000000, 00004056, 00000000, 000003f4)
[12] (00000000, 00004057, 00000000, 000003f3)
=>CPU Wake-up interrupt happen! GISR=09000084

Realtek RTL8197F boot code at 2019.11.25-17:17+0800 v3.4T-pre2.1 (993MHz)
-- version: 1.0.2.005 --
Info: Load boot_info success!
=== bootloader for mijia_gw ===
boot_info: ver:0
kernel: newest:1, curr:1
rootfs: newest:1, curr:1
kernel[0]: sum:0xcb43, size:2157572, fail:1
      [1]: sum:0xc8cf, size:2157572, fail:1
rootfs[0]: sum:0x742c, size:10108932, fail:0
      [1]: sum:0x62c6, size:8552452, fail:0
root_sum_check: off
watchdog_time: 0
boot_version: 1.0.2.005
priv mode
Info: loading kernel 1 ...  Done
Info: checking kernel 1 ... Fail
Info: loading kernel 0 ...  Done
Info: checking kernel 0 ... Fail
Warn: all kernels are invalid !
Info: save boot_info

---Ethernet init Okay!
<RealTek>
<RealTek>NANDR 0x0020000 0x80a00000 0x20ec80
Read NAND Flash from 0x00020000 to 0x80A00000 with 0x0020EC80 bytes ?
(Y)es , (N)o ? --> y
Read NAND Flash Successed!
<RealTek>j 80a00000
---Jump to address=80A00000

reboot.......
Undefined Exception happen.

Any specific reason you overwrote your boot_info partition with one of the above? Do you have a boot log from before you did something to your hub? What did you try to do before it crashed? Send something like this and paste the output:

NANDR 0x500000 0xa0a00000 96
db 0xa0a00000 96

NANDR 0x2100000 0xa0a00000 96
db 0xa0a00000 96