So, I seem to have somewhat bricked my router :-(
It's an Amazon seller-refurbished MF286D (originally Three branded judging by the sticker on the bottom). It came with Nordic B11 firmware and B02 modem installed.
I decided to try and upgrade the modem firmware, so I attached a serial port, put the incremental Nordic modem updates on a USB drive and proceeded to apply them one by one using adb and picocom per the instructions in this forum. All went well and I ended up with Nordic B11 firmware and B11 modem working fine.
I should probably have stopped at this point, but having got the firmware and modem versions to match I decided to try and FOTA the final update to B12. This failed as I had failed to read the posts about the IMEI verification. I then decided, for reasons I'm not quite sure of, to try a factory reset. I backed up all the MTD partitions to the USB drive and then did the factory reset.
Unfortunately, at this point, the unit went into a boot loop, repeatedly crashing with an error like this:
Code:
[ 54.650806] kernel BUG at /home/scl/ci/workspace/Soft4_MF286D_H3GSE_CPE/build_folder/qsdk/build_dir/target-arm_cortex-a7_uClibc-1.0.14_eabi/linux-ipq806x/qca-wifi-gf53cef1-dirty-unified-profile/qca-wifi-gf53cef1-dirty/os/linux/../../qca_ol/../cmn_dev/htc/htc_recv.c:618!
[ 54.674675] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
I first tried restoring just mtd9 as follows:
Code:
- load mtd9 into ram via tftp server by:
tftp mtd9.bin
- erase mtd9 by:
nand erase 0x1800000 0x1d00000
- write ram into mtd9 by:
nand write 0x84000000 0x1800000 0x1d00000
- reboot
To my surprise, the system still went into a boot loop with the same kernel panic, so I tried restoring mtd8 and mtd9:
Code:
tftp mtd8.bin
nand erase 0x1000000 0x0800000
nand write 0x84000000 0x1000000 0x0800000
tftp mtd9.bin
nand erase 0x1800000 0x1d00000
nand write 0x84000000 0x1800000 0x1d00000
Again the system went into a boot loop.
Figuring I didn't have much to lose by this point, I decided to try flashing the Openwrt luci build from eko.one.pl as follows:
Code:
set fdt_high 0x85000000
tftp luci-23.05-snapshot-r23403-736e3b81aa-ipq40xx-generic-zte_mf286d-initramfs-zImage.itb
nand erase 0x1800000 0x1d00000
bootm $loadaddr
followed by:
Code:
scp luci-23.05-snapshot-r23403-736e3b81aa-ipq40xx-generic-zte_mf286d-initramfs-zImage.bin root@192.168.1.1:/tmp
ssh root@192.168.1.1
sysupgade -n /tmp/luci-23.05-snapshot-r23403-736e3b81aa-ipq40xx-generic-zte_mf286d-initramfs-zImage.bin
Somewhat to my surprise the system rebooted into Openwrt and after a bit of configuration I had it all working and connected to the Smarty network.
Anyway, I found Openwrt OK but compared to the Nordic firmware it seems complicated to configure and lacks some features like signal strength display and SMS management in the GUI.
I wondered if my backup images had been corrupted somehow, so I decided to try flashing back to Nordic using the original partition images at
https://dl.eko.one.pl/orig/zte_mf286d/NORDIC, and I thought I may as well go for for the latest B12. So I applied them as follows to the running Openwrt system:
Code:
scp mtd8.bin root@192.168.1.1:/tmp
ssh root@192.168.1.1
mtd -r write /tmp/mtd8.bin /dev/mtd8
then after reboot
scp mtd9.bin root@192.168.1.1:/tmp
ssh root@192.168.1.1
mtd -r write /tmp/mtd9.bin /dev/mtd9
I now had Nordic B12 installed but it went into the same boot loop I had experienced before installing Openwrt.
So, it seems I can install Openwrt and it works fine, but every time I try to flash back to Nordic it goes into this boot loop.
I can only assume that something that happened during the factory reset procedure has changed something that isn't being restored when I reflash mtd8 and mtd9.
I guess I could just live with Openwrt but would prefer to get back to the Nordic Firmware. Anyone have any more ideas as I'm just about out of them.
Many thanks, John.