Downgrade firmware instruction

[DavidWang2014-01-28]

By mistake, i upgrade the firmware to 1.4.7_0065 and the gatwway won't work with this integration aymore. Hope any solution with this issue in the further.

[benleb]

Thanks for testing 😝

[rezmus]

buy new hub till they have factory firmware 1.4.5/1.4.6 (expect 1.4.7 soon) OR solder uart, boot to bootloader and fix boot_info partition so it boots using older firmware slot.

[tsunglung]

@rezmus two questions:

1. can you detailed write on how to change boot_info?
2. do you think that is any possible to re-enable telnet in firmware 1.4.7 by using UART?

[rezmus]

device has 2 slots for kernel/rootfs. this method works if you did update to firmware 1.4.7 only once, so you still have firmware 1.4.4-1.4.6 in 2nd slot. if you did update to 1.4.7 twice or more (for example 1.4.7_0063 and then 1.4.7_0065) this method can't be used. you will have to solder ethernet and recover via tftp.

once you boot to bootloader you have to modify boot_info to make device boot from the other slot (firmware 1.4.4-1.4.6).

note: use all bootloader commands in the same (lower/upper)case they are bellow.

# read boot_info to from nand to memory
NANDR 0xa0000 0xa0a00000 55

# display boot_info in memory
db 0xa0a00000 55

example output

A0A00000: 7c 91 00 00 XX XX YY YY YY YY 00 20 ec 04 c8 cf
A0A00010: 01 00 20 74 04 e8 7e 01 00 82 80 04 62 c6 00 00
A0A00020: 75 90 04 a4 0a 00 00 00 01 31 2e 30 2e 32 2e 30
A0A00030: 30 35 00 00 00 00 00

XX XX is boot_info checksum and YY YY YY YY is slot setup. slot setup will be 00 00 00 00 which means 1st slot is used or 01 01 01 01 which means 2nd slot is used. your goal is to change it to opposite and fix boot_info checksum.

if you change 00 00 00 00 to 01 01 01 01 you have to subtract 2 (-2) from each checksum byte. if you change 01 01 01 01 to 00 00 00 00 you have to add 2 (+2) to each checksum byte.

for example we had XX XX YY YY YY YY = 7a 25 00 00 00 00. we need to make it 78 23 01 01 01 01.

# modify boot_info in memory
eb 0xa0a00000 7c 91 00 00 XX XX YY YY YY YY

where XX XX YY YY YY YY is value we want to have (that we calculated in previous step). now we can display boot_info again and check if it looks like we want.

# display boot_info in memory
db 0xa0a00000 55

if everything is OK we can save it to nand.

# write boot_info from memory to nand
NANDW a0000 a0a00000 55

after reboot it should boot from the other slot (older firmware).

note: ALWAYS keep all uart logs and/or backups!

if your boot_info partition looks like this

A0A00000: 7c 91 00 00 XX XX YY YY YY YY 00 00 00 00 00 00 A0A00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0A00020: 00 00 00 00 00 00 00 00 01 31 2e 30 2e 32 2e 30 A0A00030: 30 35 00 00 00 00 00

it got wiped during boot (can happen if you short tp16/tp13 in wrong moment). you need to recreate it based on info from logs/backups or headers of rootfs partitions. in case of such problem tag me in this thread.

[AlexxIT]

Works only if the previous firmware was with an open Telnet.
If you upgraded twice to a bad firmware, it does not work. If you have bad firmware from the factory (euro hub) - it does not work.

1. Solder uart read more @serrj-sv (tp11 - tx, tp4 - rx)
2. Go to bootloader read more @serrj-sv
3. Config boot from old fw read more @rezmus

[rezmus]

for global hub ZNDMWG02LM with firmware 1.4.6_0043 we should be able to open telnet using similar method (uart + boot to bootloader). if somebody wants to try tag me in this thread.

[tsunglung]

Hi rezmus:

With your method, I successfully downgrade to the old firmware. But there is a mistake in your instructions. When interrupted the boot sequence, the boot_info may be reset to default values. (need interrupt boot at right timing) the sum and size value of kerne and rootfs become to zero.

So it is important to keep the logs to know the sum and size of kernel and rootfs.

[rezmus]

there is no mistake there, but indeed boot_info can be wiped if you short tp16/gnd in wrong moment, because it's being read/write during boot (to mark failed attempts). i entered bootloader several times without wipe, but saw similar cases before. if you have boot logs or backup you can recreate boot_info. you can also restore it by reading kernel/rootfs header of both slots. i have checksum/size of each firmware.

[tsunglung]

I mean that it is very easy to get the wrong boot_info if short tp16/gnd in the wrong moment. So in your instructions, there shall be a step to check boot_info is correct or not to remind the user the boot_info was not reset to default.

[rezmus]

some ppl with wiped boot_info had also broken rootfs/kernel partitions. some had no backups or uart logs so it's more tricky to restore it. you have to read partition header to check which fw version is there. at this point i think it's best to just write here in case of any problems with downgrade.

[tsunglung]

After several days' study. Here is some information I can share.

I can transmit kerenl and rootfs to DDR RAM by xmodem and write kernel or rootfs in DDR to SPI NAND

After flash kernel and rootfs in slot 0, slot 1, I rewrite the boot_info and flash to MTD1. Then can update any kernel or rootfs.

What is next? unsquashfs/mksquashfs the rootfs to enable telnetd.

[tsunglung]

By the way, if you are hardware engineer or magic GOD and have ethernet board for xaiomi gateway 3, you can use Ethernet and tftp to transmit firmwares. Unfortunately most users like poor me don’t have it. The Xmodem is only way to transmit firmwares. And WiFi and BT were not working in bootloader, too.

[rezmus]

@tsunglung please describe xmodem method. some users cut utp cable and solder to board for tftp (probably way faster than xmodem), but i never did that so can't give you much details.

some info about custom squashfs

https://community.home-assistant.io/t/xiaomi-mijia-smart-multi-mode-gateway-zndmwg03lm-support/159586/62

[tsunglung]

@rezmus There is no ethernet chip on the gateway3 board. Cut UTP cable to solder is still impossible.

I saw your info about custom squashfs. It helps a lot. Thanks. I tried to create a small rootfs yesterday but failed. I still try to find out why. I will try the custom complete rootfs today.

[serrj-sv]

There is no ethernet chip on the gateway3 board. Cut UTP cable to solder is still impossible.

here you go, young Sherlock ) https://pasteboard.co/JyVxUOI.jpg

[tsunglung]

There is no ethernet chip on the gateway3 board. Cut UTP cable to solder is still impossible.

here you go, young Sherlock ) https://pasteboard.co/JyVxUOI.jpg

Great. Then we do not need to use xmodem to burn firmware.

[AlexxIT]

@tsunglung Ethernet also works in stock firmware if you solder it :)

[serrj-sv]

@tsunglung please describe xmodem method.

\<RealTek>xmrx 80000000 (start address of RAM) then start upload using your terminal program. beware, your're limited by ram size then you can copy from RAM to NAND: \<RealTek> snwbi \<RealTek> snwbwecc 80000000 [offset_on_nand/2048] [lenght_of_image_in_bytes]

[tsunglung]

xmodem is slow. Not good to transmit firmware.

[serrj-sv]

xmodem is slow. Not good to transmit firmware.

enough to recover bootloader and boot_info partitions

[tsunglung]

agree.

[tsunglung]

boot up logs.

=== Linux Firmware === version=1.4.7_0065 branch=release-1.4.7_0060

=== RootFS Firmware === product=aqara-rtl8197-mijia-gateway branch=release-1.4.7_0060 VERSION=1.4.7_0065 version=1.4.7_0065

use telnet to login.

BusyBox v1.22.1 (2020-06-22 16:58:24 CST) built-in shell (ash) Enter 'help' for a list of built-in commands.

cat /etc/rootfs_fw_info product=aqara-rtl8197-mijia-gateway branch=release-1.4.7_0060 VERSION=1.4.7_0065 version=1.4.7_0065

miio-client --help Version: miio-client 4.1.3 Build time: 07:49:59 Aug 21 2020

Finally, my bricked gateway3 becomes alive after re-burn the firmware via stupid and slow xmodem.

[carck]

Hope there could be easyway to flash the firmware, i was not able to buy new gatway with old firmware.

[Foroxon]

Just received the new ZNDMWG03LM with factory firmware v1.4.6_0043 ( Do I have any chance to downgrade the firmware and how? Thanks.

[rezmus]

@Foroxon https://github.com/AlexxIT/XiaomiGateway3/wiki/Decode-Telnet-Password

[nocturneop15]

does this open a way to support 1.4.7_0065 firmware?

[rezmus]

1.4.7 has closed telnet which can't be open. you want to downgrade or flash custom 1.4.7 firmware with telnet enabled. both require to solder uart.

[carck]

Found firmware here, we still need an instruction for starter like me through. https://github.com/niceboygithub/XiaomiGateway3fw

[rezmus]

fw_update is only for those with telnet access. if you don't have it you still need solder uart to flash custom firmware. manual and user friendly method will be published soon.

[serrj-sv]

fw_update is only for those with telnet access. if you don't have it you still need solder uart to flash custom firmware. manual and user friendly method will be published soon.

please use this manual for flashing to latest 1.4.7 firmware with open telnet via UART: https://github.com/serrj-sv/lumi.gateway.mgl03/tree/main/uart_recovery

[protonchang]

@serrj-sv Thanks for the guide, works on ZNDMWG02LM

[stryker01]

I got the gateway with 1.4.6_0043 AFAIK with password telnet So, followed AlexxIT and Rezmus docs - got into bootloader, read memory and decoded 2 (two) passwords - those passwords is different depends of the entered MAC-address - all capitals or not. Anyway I've got two password and how now I can get into telnet session? If I boot up gw "normal way" and see gw on router - any my telnet attempts just tell me "connection refused". In the bootloader mode gw not accesible from net and no way to enter any commands except those included in the doc.Tried from windows, linux, mikrotik telnets. Any idea? Thanks

[serrj-sv]

I got the gateway with 1.4.6_0043 AFAIK with password telnet So, followed AlexxIT and Rezmus docs - got into bootloader, read memory and decoded 2 (two) passwords - those passwords is different depends of the entered MAC-address - all capitals or not. Anyway I've got two password and how now I can get into telnet session? If I boot up gw "normal way" and see gw on router - any my telnet attempts just tell me "connection refused". In the bootloader mode gw not accesible from net and no way to enter any commands except those included in the doc.Tried from windows, linux, mikrotik telnets. Any idea? Thanks

https://github.com/serrj-sv/lumi.gateway.mgl03/tree/main/uart_recovery

[rezmus]

@stryker01 if you have password already use @AlexxIT HA component to open telnet.

if you don't use HA you can open telnet with miio cmd.

https://community.home-assistant.io/t/xiaomi-mijia-smart-multi-mode-gateway-zndmwg03lm-support/159586/61

[stryker01]

@rezmus, thanks! HA component works halfway - I've got login on the UART session where enter needed commands to clear the password. After reboot @AlexxIT components works as planned. Need to resolder UART and then will try custom firmware

[sameersbn]

Hi all. I bought this gateway and upgraded it to 1.4.7_0065 before coming across this project. Anyhow, is it possible to downgrade the firmware using the UART method as documented in https://github.com/serrj-sv/lumi.gateway.mgl03/tree/main/uart_recovery?

[Snoekebeest]

@serrj-sv Thanks for the guide worked perfect on ZNDMWG03LM on a windows 10 PC with an CP2102 USB 2.0 to UART adapter.

[serrj-sv]

@serrj-sv Thanks for the guide worked perfect on ZNDMWG03LM on a windows 10 PC with an CP2102 USB 2.0 to UART adapter.

thanks for feedback! glad it worked for you :)

[VladimirSe76]

@ serrj-sv https://github.com/serrj-sv/lumi.gateway.mgl03/tree/main/uart_recovery If you follow these instructions and install custom firmware 65, hone assistant will it work?

[zvldz]

@ serrj-sv https://github.com/serrj-sv/lumi.gateway.mgl03/tree/main/uart_recovery If you follow these instructions and install custom firmware 65, hone assistant will it work?

of course, there is a minimum of differences from the original, the main difference is an open telnet and mqtt broker.

[sameersbn]

@VladimirSe76 I used that guide to install the firmware and get the gateway to work with HA.

[plutosherry]

for global hub ZNDMWG02LM with firmware 1.4.6_0043 we should be able to open telnet using similar method (uart + boot to bootloader). if somebody wants to try tag me in this thread. @rezmus I want to know how to do that? using similar method ? 1.4.6_0043 needs password(telnet has a password)

[rezmus]

https://github.com/AlexxIT/XiaomiGateway3/wiki/Decode-Telnet-Password

[plutosherry]

https://github.com/AlexxIT/XiaomiGateway3/wiki/Decode-Telnet-Password

@rezmus Thank you very much! I'll try to do it

[plutosherry]

@rezmus After following the steps instructions in the website link, restart the gateway and fail to telnet it The error message: The remote system refused the connection. Telnet server seems to be disabled? my firmware version is 1.4.6_0043

[rezmus]

use @AlexxIT integration or miio command to start telnet service, then login with password you decoded.

[Alxspb]

@rezmus, hello, can you help me, please? I'm just wiped boot_info:

> NANDR 0xa0000 0xa0a00000 55
> db 0xa0a00000 55
[Addr]   .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .A .B .C .D .E .F
A0A00000: 7c 91 00 00 44 07 00 00 00 00 00 00 00 00 00 00     |...D...........
A0A00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ................
A0A00020: 00 00 00 00 00 00 00 00 01 31 2e 30 2e 32 2e 30     .........1.0.2.0
A0A00030: 30 35 00 00 00 00 00

I've saved 2 'good' reboots:

1 good UART log

``` uart ok strap pin:0x412b8ae2 enable spi-nand ROM ver:v1.1, sig:455cc27, time:2016.01.04-18:42+0800, CPU(400 MHz), DDR2(533 MHz) load efuse ok init IP ok rom_progress: 0x0600006d load_data_from_storage(260): 0xbfe01540, 0x00000000, 0xbfd16f44 load_data_from_spi_nand_flash(70): 0xbfe01540, 0x00000000, 0xbfe03e18 check_image_header(72): h(69,72,61,6d), s(69,72,61,6d) img sig ok rom_progress: 0x0c00006d load_data_from_spi_nand_flash(81) 0x00000004 0x000024ba load_data_from_spi_nand_flash(86): 0xbfe01d40, 0x00000001, 0xbfe03e18 load_data_from_spi_nand_flash(86): 0xbfe02540, 0x00000002, 0xbfe03e18 load_data_from_spi_nand_flash(86): 0xbfe02d40, 0x00000003, 0xbfe03e18 load_data_from_spi_nand_flash(86): 0xbfe03540, 0x00000004, 0xbfe03e18 load_data_from_spi_nand_flash(90) read done (size:9402) chksum ok rom_progress: 0x0e00006d load img ok rom_progress: 0x1000006d jump 0xbfe01550 Booting... SPI NAND clock not enable SPI Nand ID=00efaa21 SPI Nand die chipsize=0x08000000 byte SPI Nand dienum=1, SPI Nand blocksize=0x00020000 byte, SPI Nand pagesize=0x00000800 byte, SPI Nand oobsize=0x00000040 byte, [rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024 [rtkn_scan_bbt, line 1822] block_v2r_num 00000400 [rtk_scan_v2r_bbt]:678,RBA=00000033,2=00000400, [rtk_scan_v2r_bbt]:684,block_v2r_num=000003cd INFO: Stored BBT in Die 0: block=8 , block_status_p1=0x000000bb load bbt v2r table:0 page:512 [rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !! check v2r bbt table:0 OK [rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704 INFO: Stored BBT in Die 0: block=11 , block_status_p1=0x000000bb load bbt table:0 page:704 [rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !! check bbt table:0 OK [dump_BBT] Nand BBT Content [0] (00000000, 000000ff, 00000000, 000003ff) =>CPU Wake-up interrupt happen! GISR=09000084 Realtek RTL8197F boot code at 2019.11.25-17:17+0800 v3.4T-pre2.1 (993MHz) -- version: 1.0.2.005 -- Info: Load boot_info success! === bootloader for mijia_gw === boot_info: ver:0 kernel: newest:1, curr:0 rootfs: newest:1, curr:1 kernel[0]: sum:0xc8cf, size:2157572, fail:0 [1]: sum:0xcb43, size:2157572, fail:3 rootfs[0]: sum:0x62c6, size:8552452, fail:0 [1]: sum:0x742c, size:10108932, fail:0 root_sum_check: off watchdog_time: 0 boot_version: 1.0.2.005 priv mode Info: kernel 1 is invalid Info: loading kernel 0 ... Done Info: checking kernel 0 ... Success Info: select rootfs 1 Info: booting... Jump to image start=0x80a00000... decompressing kernel: Uncompressing Linux... done, booting the kernel. done decompressing kernel. start address: 0x8050cc40 [ 0.000000] Linux version 3.10.90 (liaozhaobao@compilex64-ipg) (gcc version 4.9.4 20151028 (prerelease) (Realtek MSDK-4.9.4p1 Build 2648) ) #68 Fri Apr 3 15:18:37 CST 2020 [ 0.000000] bootconsole [early0] enabled [ 0.000000] CPU revision is: 00019385 (MIPS 24Kc) [ 0.000000] Determined physical RAM map: [ 0.000000] memory: 04000000 @ 00000000 (usable) [ 0.000000] Zone ranges: [ 0.000000] Normal [mem 0x00000000-0x03ffffff] [ 0.000000] Movable zone start for each node [ 0.000000] Early memory node ranges [ 0.000000] node 0: [mem 0x00000000-0x03ffffff] [ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. [ 0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes [ 0.000000] Built 1 zonelists in Zone order, mobility grouping off. Total pages: 4088 [ 0.000000] Kernel command line: root=/dev/mtdblock8 console=ttyS0,38400 [ 0.000000] PID hash table entries: 256 (order: -4, 1024 bytes) [ 0.000000] Dentry cache hash table entries: 8192 (order: 1, 32768 bytes) [ 0.000000] Inode-cache hash table entries: 4096 (order: 0, 16384 bytes) [ 0.000000] Writing ErrCtl register=000320b0 [ 0.000000] Readback ErrCtl register=000320b0 [ 0.000000] Memory: 58208k/65536k available (5203k kernel code, 7328k reserved, 1002k data, 192k init, 0k highmem) [ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 [ 0.000000] NR_IRQS:192 [ 0.000000] Realtek GPIO IRQ init [ 0.000000] Calibrating delay loop... 660.68 BogoMIPS (lpj=3303424) [ 0.070000] pid_max: default: 32768 minimum: 301 [ 0.080000] Mount-cache hash table entries: 2048 [ 0.090000] [rtl819x_gpio_pin_enable][277]: mask=0xf00 mux=0x0 mux_reg=0xb8000844 val=0x100, CNR_REG=0xffffffbf MUX_REG=0x100 [ 0.100000] [rtl819x_gpio_direction_output][150]: set pin38 as output pin, default value=0, DIR_REG=0x40 DAT_REG=0x3000000 [ 0.110000] [rtl819x_gpio_pin_enable][277]: mask=0xf0 mux=0x100 mux_reg=0xb8000844 val=0x10, CNR_REG=0xffffff3f MUX_REG=0x110 [ 0.120000] [rtl819x_gpio_direction_output][150]: set pin39 as output pin, default value=0, DIR_REG=0xc0 DAT_REG=0x3000000 [ 0.130000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x0 mux_reg=0xb8000848 val=0x4000000, CNR_REG=0xfffffb3f MUX_REG=0x4000000 [ 0.140000] [rtl819x_gpio_direction_output][150]: set pin42 as output pin, default value=0, DIR_REG=0x4c0 DAT_REG=0x3000000 [ 0.150000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x4000000 mux_reg=0xb8000848 val=0x400000, CNR_REG=0xfffff33f MUX_REG=0x4400000 [ 0.160000] [rtl819x_gpio_direction_output][150]: set pin43 as output pin, default value=1, DIR_REG=0xcc0 DAT_REG=0x3000800 [ 0.170000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x4400000 mux_reg=0xb8000848 val=0x60000, CNR_REG=0xffffe33f MUX_REG=0x4460000 [ 0.180000] [rtl819x_gpio_direction_output][150]: set pin44 as output pin, default value=1, DIR_REG=0x1cc0 DAT_REG=0x3001800 [ 0.190000] [rtl819x_gpio_pin_enable][277]: mask=0xf000 mux=0x4460000 mux_reg=0xb8000848 val=0x6000, CNR_REG=0xffffc33f MUX_REG=0x4466000 [ 0.200000] [rtl819x_gpio_direction_output][150]: set pin45 as output pin, default value=1, DIR_REG=0x3cc0 DAT_REG=0x3003800 [ 0.210000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x11111000 mux_reg=0xb8000820 val=0x6000000, CNR_REG=0xffff833f MUX_REG=0x16111000 [ 0.220000] [rtl819x_gpio_direction_output][150]: set pin46 as output pin, default value=1, DIR_REG=0x7cc0 DAT_REG=0x3007800 [ 0.230000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x16111000 mux_reg=0xb8000820 val=0x60000000, CNR_REG=0xffff033f MUX_REG=0x66111000 [ 0.240000] [rtl819x_gpio_direction_output][150]: set pin47 as output pin, default value=0, DIR_REG=0xfcc0 DAT_REG=0x3007800 [ 0.250000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x66111000 mux_reg=0xb8000820 val=0x600000, CNR_REG=0xfffe033f MUX_REG=0x66611000 [ 0.260000] [rtl819x_gpio_direction_output][150]: set pin48 as output pin, default value=1, DIR_REG=0x1fcc0 DAT_REG=0x3017800 [ 0.270000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x66611000 mux_reg=0xb8000820 val=0x70000, CNR_REG=0xfffc033f MUX_REG=0x66671000 [ 0.280000] [rtl819x_gpio_direction_output][150]: set pin49 as output pin, default value=1, DIR_REG=0x3fcc0 DAT_REG=0x3037800 [ 0.290000] [rtl819x_gpio_pin_enable][277]: mask=0xf000 mux=0x66671000 mux_reg=0xb8000820 val=0x7000, CNR_REG=0xfff8033f MUX_REG=0x66677000 [ 0.300000] [rtl819x_gpio_direction_output][150]: set pin50 as output pin, default value=0, DIR_REG=0x7fcc0 DAT_REG=0x3037800 [ 0.310000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x100000 mux_reg=0xb8000824 val=0x20000000, CNR_REG=0xfff0033f MUX_REG=0x20100000 [ 0.320000] [rtl819x_gpio_direction_output][150]: set pin51 as output pin, default value=1, DIR_REG=0xffcc0 DAT_REG=0x30b7800 [ 0.330000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x20100000 mux_reg=0xb8000824 val=0x1000000, CNR_REG=0xffe0033f MUX_REG=0x21100000 [ 0.340000] [rtl819x_gpio_direction_output][150]: set pin52 as output pin, default value=0, DIR_REG=0x1ffcc0 DAT_REG=0x30b7800 [ 0.350000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x21100000 mux_reg=0xb8000824 val=0x0, CNR_REG=0xffc0033f MUX_REG=0x21000000 [ 0.360000] [rtl819x_gpio_direction_output][150]: set pin53 as output pin, default value=0, DIR_REG=0x3ffcc0 DAT_REG=0x30b7800 [ 0.370000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x33320000 mux_reg=0xb8000834 val=0x3000000, CNR_REG=0xff40033f MUX_REG=0x33320000 [ 0.380000] [rtl819x_gpio_direction_output][150]: set pin55 as output pin, default value=0, DIR_REG=0xbffcc0 DAT_REG=0x30b7800 [ 0.390000] NET: Registered protocol family 16 [ 0.400000] <<<<>>>> [ 0.420000] Do MDIO_RESET [ 0.450000] 40MHz [ 0.810000] PCIE -> Cannot LinkUP [ 0.820000] Realtek GPIO controller driver init [ 0.830000] INFO: initializing i2c devices ... [ 0.840000] INFO: registering sheipa spi device [ 0.860000] bio: create slab at 0 [ 0.870000] SCSI subsystem initialized [ 0.880000] INFO: sheipa spi driver register [ 0.890000] INFO: sheipa spi probe [ 0.900000] cfg80211: Calling CRDA to update world regulatory domain [ 0.910000] Switching to clocksource MIPS [ 0.920000] NET: Registered protocol family 2 [ 0.930000] TCP established hash table entries: 2048 (order: 0, 16384 bytes) [ 0.950000] TCP bind hash table entries: 2048 (order: -1, 8192 bytes) [ 0.970000] TCP: Hash tables configured (established 2048 bind 2048) [ 0.990000] TCP: reno registered [ 1.000000] UDP hash table entries: 1024 (order: 0, 16384 bytes) [ 1.020000] UDP-Lite hash table entries: 1024 (order: 0, 16384 bytes) [ 1.040000] NET: Registered protocol family 1 [ 1.050000] RPC: Registered named UNIX socket transport module. [ 1.070000] RPC: Registered udp transport module. [ 1.080000] RPC: Registered tcp transport module. [ 1.100000] RPC: Registered tcp NFSv4.1 backchannel transport module. [ 1.130000] squashfs: version 4.0 (2009/01/31) Phillip Lougher [ 1.150000] NFS: Registering the id_resolver key type [ 1.160000] Key type id_resolver registered [ 1.180000] Key type id_legacy registered [ 1.190000] NTFS driver 2.1.30 [Flags: R/W DEBUG]. [ 1.200000] msgmni has been set to 113 [ 1.220000] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254) [ 1.240000] io scheduler noop registered (default) [ 1.250000] pwm_probe [ 1.260000] add buzzer dev!!!!!!!!!!!!!!!! [ 1.380000] Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled [ 1.400000] serial8250: ttyS0 at MMIO 0x18147000 (irq = 17) is a 16550A [ 1.420000] console [ttyS0] enabled, bootconsole disabled [ 1.420000] console [ttyS0] enabled, bootconsole disabled [ 1.450000] serial8250: ttyS1 at MMIO 0x18147400 (irq = 46) is a 16550A [ 1.480000] serial8250: ttyS2 at MMIO 0x18147800 (irq = 47) is a 16550A [ 1.500000] Realtek GPIO Driver for Flash Reload Default [ 1.510000] Load Kernel firmware information Driver [ 1.530000] id_chain value=efaa219f [ 1.540000] id_chain value=efaa219f [ 1.550000] NAND device: Manufacturer ID: 0xef, Chip ID: 0xaa (Unknown W25M01GV 1G SPI NAND), 128MiB, page size: 2048, OOB size: 64 [ 1.580000] [rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024 [ 1.610000] [rtkn_scan_bbt, line 1822] block_v2r_num 400 [rtk_scan_v2r_bbt]:678,RBA=33,2=400, [ 1.640000] [rtk_scan_v2r_bbt]:684,block_v2r_num=3cd [ 1.660000] INFO: Stored BBT in Die 0: block=8 , block_status_p1=0xbb [ 1.680000] load bbt v2r table:0 page:512 [rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !! check v2r bbt table:0 OK [rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704 [ 1.740000] INFO: Stored BBT in Die 0: block=11 , block_status_p1=0xbb [ 1.760000] load bbt table:0 page:704 [rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !! check bbt table:0 OK [dump_BBT] Nand BBT Content [ 1.800000] [0] (0, ff, 0, 3ff) [ 1.810000] 11 rtkxxpart partitions found on MTD device rtk_nand [ 1.830000] Creating 11 MTD partitions on "rtk_nand": [ 1.860000] Realtek WLAN driver - version 1.7 (2015-10-30)(SVN:Unversioned directory) [ 1.890000] Adaptivity function - version 9.3.4 [ 1.900000] Device Name = RTKWiFi0 [ 1.910000] VIF_NUM=9 [ 1.920000] MACHAL_version_init [ 1.930000] RFE TYPE =0 [ 1.940000] RFE TYPE =0 [ 1.950000] RFE TYPE =0 [ 1.960000] RFE TYPE =0 [ 1.960000] RFE TYPE =0 [ 1.970000] RFE TYPE =0 [ 1.980000] RFE TYPE =0 [ 1.990000] RFE TYPE =0 [ 2.000000] RFE TYPE =0 [ 2.010000] RFE TYPE =0 [ 2.020000] RFE TYPE =0 [ 2.020000] lumi_btn_probe reset btn=7 [ 2.040000] [rtl819x_gpio_request][42]: pin7 [ 2.050000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x13000000 mux_reg=0xb8000800 val=0x600000, CNR_REG=0xffffff7f MUX_REG=0x13600000 [ 2.090000] [rtl819x_gpio_direction_input][120]: set pin7 as input pin, DIR_REG=0xff000000 [ 2.110000] rtl819x_gpio: GPIO7 requests IRQ79 [ 2.130000] input: lumi_key as /devices/virtual/input/input0 [ 2.140000] i2c /dev entries driver [ 2.160000] [rtl819x_gpio_request][42]: pin57 [ 2.170000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x33320000 mux_reg=0xb8000834 val=0x20000, CNR_REG=0xfd40033f MUX_REG=0x33320000 [ 2.210000] [rtl819x_gpio_direction_output][150]: set pin57 as output pin, default value=1, DIR_REG=0x2bffcc0 DAT_REG=0x30b7800 [ 2.240000] rtl819x_gpio: GPIO57 requests IRQ129 [ 2.260000] [rtl819x_gpio_request][42]: pin56 [ 2.270000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x33320000 mux_reg=0xb8000834 val=0x300000, CNR_REG=0xfc40033f MUX_REG=0x33320000 [ 2.310000] [rtl819x_gpio_direction_output][150]: set pin56 as output pin, default value=1, DIR_REG=0x3bffcc0 DAT_REG=0x30b7800 [ 2.340000] rtl819x_gpio: GPIO56 requests IRQ128 [ 2.360000] [rtl819x_gpio_request][42]: pin54 [ 2.370000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x33320000 mux_reg=0xb8000834 val=0x30000000, CNR_REG=0xfc00033f MUX_REG=0x33320000 [ 2.410000] [rtl819x_gpio_direction_output][150]: set pin54 as output pin, default value=0, DIR_REG=0x3fffcc0 DAT_REG=0x30b7800 [ 2.450000] rtl819x_gpio: GPIO54 requests IRQ126 [ 2.460000] TCP: cubic registered [ 2.470000] NET: Registered protocol family 10 [ 2.490000] sit: IPv6 over IPv4 tunneling driver [ 2.500000] NET: Registered protocol family 17 [ 2.520000] Key type dns_resolver registered [ 2.530000] [ 2.530000] Probing RTL819X NIC-kenel stack size order[0]... [ 3.220000] eth0 added. vid=9 Member port 0x110... [ 3.240000] eth1 added. vid=8 Member port 0x0... [ 3.260000] Key type encrypted registered [ 3.280000] VFS: Mounted root (squashfs filesystem) readonly on device 31:8. [ 3.300000] Freeing unused kernel memory: 192K (80610000 - 80640000) init started: BusyBox v1.22.1 (2020-06-22 16:58:24 CST) [ 4.380000] WlanSupportAbility = 0x3 [ 4.390000] [ODM_software_init] [ 4.390000] [97F] Bonding Type 97FS, PKG1 [ 4.390000] [97F] RFE type 0 PHY paratemters: DEFAULT [ 4.390000] clock 40MHz [ 4.390000] load efuse ok [ 4.390000] rom_progress: 0x200006f [ 4.390000] rom_progress: 0x400006f [ 4.470000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size [ 4.480000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] [ 4.700000] [GetHwReg88XX][rtl8197Ffw] [ 4.710000] [GetHwReg88XX][rtl8197Ffw size] [ 5.160000] [97F] Default BB Swing=30 [ 5.310000] device eth0 entered promiscuous mode [ 5.330000] device wlan0 entered promiscuous mode [ 5.350000] br0: port 2(wlan0) entered forwarding state [ 5.360000] br0: port 2(wlan0) entered forwarding state === Linux Firmware === version=1.4.6_0012 branch=aqara-rtl8197-gateway try mount ubi0!!! test for jacky![ 5.450000] UBI: attaching mtd10 to ubi0 [ 6.770000] UBI: scanning is finished [ 6.820000] UBI: attached mtd10 (name "AppData", size 56 MiB) to ubi0 [ 6.840000] UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes [ 6.860000] UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048 [ 6.880000] UBI: VID header offset: 2048 (aligned 2048), data offset: 4096 [ 6.900000] UBI: good PEBs: 449, bad PEBs: 0, corrupted PEBs: 0 [ 6.920000] UBI: user volume: 1, internal volumes: 1, max. volumes count: 128 [ 6.940000] UBI: max/mean erase counter: 708/127, WL threshold: 4096, image sequence number: 1972655063 [ 6.970000] UBI: available PEBs: 0, total reserved PEBs: 449, PEBs reserved for bad PEB handling: 20 [ 6.990000] UBI: background thread "ubi_bgt0d" started, PID 932 UBI device number 0, total 449 L[ 7.040000] UBIFS: parse sync EBs (57012224 bytes, 54.4 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB) [ 7.150000] UBIFS: background thread "ubifs_bgt0_0" started, PID 938 [ 7.270000] UBIFS: recovery needed [ 8.240000] UBIFS: recovery completed [ 8.260000] UBIFS: mounted UBI device 0, volume 0, name "ubifs1" [ 8.270000] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes [ 8.300000] UBIFS: FS size: 52695040 bytes (50 MiB, 415 LEBs), journal size 2666496 bytes (2 MiB, 21 LEBs) [ 8.330000] UBIFS: reserved for root: 2488917 bytes (2430 KiB) [ 8.350000] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 16B479AC-F1B4-4F83-8607-942FBC1957B7, small LPT model is old unecrypt [ 8.530000] [rtl819x_gpio_request][42]: pin18 dir! [ 8.550000] [rtl819x_gpio_pin_enable][277]: mask=0xf00 mux=0x455000 mux_reg=0xb8000808 val=0x600, CNR_REG=0xfffbff7f MUX_REG=0x455600 [ 8.590000] rtl819x_gpio: GPIO18 requests IRQ90 [ 8.610000] [rtl819x_gpio_direction_output][150]: set pin18 as output pin, default value=0, DIR_REG=0xff040000 DAT_REG=0x40080 [ 8.650000] [rtl819x_gpio_request][42]: pin9 [ 8.660000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x455600 mux_reg=0xb8000808 val=0xa0000, CNR_REG=0xfffbfd7f MUX_REG=0x4a5600 [ 8.700000] rtl819x_gpio: GPIO9 requests IRQ81 [ 8.720000] [rtl819x_gpio_direction_output][150]: set pin9 as output pin, default value=0, DIR_REG=0xff040200 DAT_REG=0x40080 MAC=64:90:C1:78:44:36 [ 8.840000] [rtl819x_gpio_request][42]: pin31 [ 8.850000] [rtl819x_gpio_pin_enable][277]: mask=0xf0 mux=0x22220077 mux_reg=0xb800083c val=0x70, CNR_REG=0x7ffbfd7f MUX_REG=0x22220077 [ 9.030000] rtl819x_gpio: GPIO31 requests IRQ103 [ 9.090000] [rtl819x_gpio_direction_output][150]: set pin31 as output pin, default value=0, DIR_REG=0xff040200 DAT_REG=0x40280 === RootFS Firmware === product=aqara-rtl8197-mijia-gateway branch=release-1.4.7_0060 VERSION=1.4.7_0065 version=1.4.7_0065 run /bin/pre_check.sh... Check HK setup pass. Will Start OT!! device br0 already exists; can't create bridge with the same name device wlan0 is already a member of a bridge; can't enslave it to bridge br0. bridge name bridge id STP enabled interfaces br0 8000.6490c1784436 no eth0 wlan0 killall: miio_agent: no process killed killall: miio_client: no process killed killall: miio_client_helper_nomqtt.sh: no process killed killall: basic_app: no process killed killall: basic_gw: no process killed killall: wpa_supplicant: no process killed killall: udhcpd: no process killed killall: udhcpc: no process killed killall: hostapd: no process killed killall: eth0_start.sh: no process killed killall: wifi_start.sh: no process killed [ 10.560000] br0: port 2(wlan0) entered disabled state [ 10.580000] WlanSupportAbility = 0x3 [ 10.590000] [ODM_software_init] [ 10.590000] [97F] Bonding Type 97FS, PKG1 [ 10.590000] [97F] RFE type 0 PHY paratemters: DEFAULT [ 10.590000] clock 40MHz [ 10.590000] load efuse ok [ 10.590000] rom_progress: 0x200006f [ 10.590000] rom_progress: 0x400006f [ 10.670000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size [ 10.680000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] [ 10.900000] [GetHwReg88XX][rtl8197Ffw] [ 10.910000] [GetHwReg88XX][rtl8197Ffw size] [ 11.360000] [97F] Default BB Swing=30 [ 11.370000] br0: port 2(wlan0) entered forwarding state [ 11.380000] br0: port 2(wlan0) entered forwarding state 969 connect miio_agent --- dead ---reboot miio_client --- dead ---reboot device wlan0 is already a member of a bridge; can't enslave it to bridge br0. [ 12.450000] br0: port 2(wlan0) entered disabled state [ 12.470000] WlanSupportAbility = 0x3 [ 12.480000] [ODM_software_init] [ 12.480000] [97F] Bonding Type 97FS, PKG1 [ 12.480000] [97F] RFE type 0 PHY paratemters: DEFAULT [ 12.480000] clock 40MHz [ 12.480000] load efuse ok [ 12.480000] rom_progress: 0x200006f [ 12.480000] rom_progress: 0x400006f [ 12.560000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size [ 12.570000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] [ 12.790000] [GetHwReg88XX][rtl8197Ffw] [ 12.800000] [GetHwReg88XX][rtl8197Ffw size] [ 13.250000] [97F] Default BB Swing=30 [ 13.260000] br0: port 2(wlan0) entered forwarding state [ 13.270000] br0: port 2(wlan0) entered forwarding state restart wpa_supplicant... killall: wpa_supplicant: no process killed wpa_supplicant has been killed, then restart it... 2 [ 14.590000] store_tty0_enable buf=disable [ 14.590000] , count=8 [ 15.550000] br0: port 2(wlan0) entered disabled state [ 17.480000] br0: port 2(wlan0) entered forwarding state [ 17.500000] br0: port 2(wlan0) entered forwarding state [ 20.000000] [rtl819x_gpio_request][42]: pin36 [ 20.010000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x0 mux_reg=0xb8000844 val=0x10000, CNR_REG=0xfc00032f MUX_REG=0x10000 [ 20.580000] i2c_designware i2c_designware.1: i2c_dw_handle_tx_abort: slave address not acknowledged (7bit mode) [ 20.650000] rtl819x_gpio: GPIO36 requests IRQ108 [ 20.850000] [rtl819x_gpio_direction_output][150]: set pin36 as output pin, default value=0, DIR_REG=0x3fffcd0 DAT_REG=0x3083800 [ 27.520000] br0: port 2(wlan0) entered forwarding state ```

2 good UART log

``` uart ok strap pin:0x412b8ae2 enable spi-nand ROM ver:v1.1, sig:455cc27, time:2016.01.04-18:42+0800, CPU(400 MHz), DDR2(533 MHz) load efuse ok init IP ok rom_progress: 0x0600006d load_data_from_storage(260): 0xbfe01540, 0x00000000, 0xbfd16f44 load_data_from_spi_nand_flash(70): 0xbfe01540, 0x00000000, 0xbfe03e18 check_image_header(72): h(69,72,61,6d), s(69,72,61,6d) img sig ok rom_progress: 0x0c00006d load_data_from_spi_nand_flash(81) 0x00000004 0x000024ba load_data_from_spi_nand_flash(86): 0xbfe01d40, 0x00000001, 0xbfe03e18 load_data_from_spi_nand_flash(86): 0xbfe02540, 0x00000002, 0xbfe03e18 load_data_from_spi_nand_flash(86): 0xbfe02d40, 0x00000003, 0xbfe03e18 load_data_from_spi_nand_flash(86): 0xbfe03540, 0x00000004, 0xbfe03e18 load_data_from_spi_nand_flash(90) read done (size:9402) chksum ok rom_progress: 0x0e00006d load img ok rom_progress: 0x1000006d jump 0xbfe01550 Booting... SPI NAND clock not enable SPI Nand ID=00efaa21 SPI Nand die chipsize=0x08000000 byte SPI Nand dienum=1, SPI Nand blocksize=0x00020000 byte, SPI Nand pagesize=0x00000800 byte, SPI Nand oobsize=0x00000040 byte, [rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024 [rtkn_scan_bbt, line 1822] block_v2r_num 00000400 [rtk_scan_v2r_bbt]:678,RBA=00000033,2=00000400, [rtk_scan_v2r_bbt]:684,block_v2r_num=000003cd INFO: Stored BBT in Die 0: block=8 , block_status_p1=0x000000bb load bbt v2r table:0 page:512 [rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !! check v2r bbt table:0 OK [rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704 INFO: Stored BBT in Die 0: block=11 , block_status_p1=0x000000bb load bbt table:0 page:704 [rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !! check bbt table:0 OK [dump_BBT] Nand BBT Content [0] (00000000, 000000ff, 00000000, 000003ff) =>CPU Wake-up interrupt happen! GISR=89000084 Realtek RTL8197F boot code at 2019.11.25-17:17+0800 v3.4T-pre2.1 (993MHz) -- version: 1.0.2.005 -- Info: Load boot_info success! === bootloader for mijia_gw === boot_info: ver:0 kernel: newest:1, curr:0 rootfs: newest:1, curr:1 kernel[0]: sum:0xc8cf, size:2157572, fail:0 [1]: sum:0xcb43, size:2157572, fail:3 rootfs[0]: sum:0x62c6, size:8552452, fail:0 [1]: sum:0x742c, size:10108932, fail:0 root_sum_check: off watchdog_time: 0 boot_version: 1.0.2.005 priv mode Info: kernel 1 is invalid Info: loading kernel 0 ... Done Info: checking kernel 0 ... Success Info: select rootfs 1 Info: booting... Jump to image start=0x80a00000... decompressing kernel: Uncompressing Linux... done, booting the kernel. done decompressing kernel. start address: 0x8050cc40 [ 0.000000] Linux version 3.10.90 (liaozhaobao@compilex64-ipg) (gcc version 4.9.4 20151028 (prerelease) (Realtek MSDK-4.9.4p1 Build 2648) ) #68 Fri Apr 3 15:18:37 CST 2020 [ 0.000000] bootconsole [early0] enabled [ 0.000000] CPU revision is: 00019385 (MIPS 24Kc) [ 0.000000] Determined physical RAM map: [ 0.000000] memory: 04000000 @ 00000000 (usable) [ 0.000000] Zone ranges: [ 0.000000] Normal [mem 0x00000000-0x03ffffff] [ 0.000000] Movable zone start for each node [ 0.000000] Early memory node ranges [ 0.000000] node 0: [mem 0x00000000-0x03ffffff] [ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. [ 0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes [ 0.000000] Built 1 zonelists in Zone order, mobility grouping off. Total pages: 4088 [ 0.000000] Kernel command line: root=/dev/mtdblock8 console=ttyS0,38400 [ 0.000000] PID hash table entries: 256 (order: -4, 1024 bytes) [ 0.000000] Dentry cache hash table entries: 8192 (order: 1, 32768 bytes) [ 0.000000] Inode-cache hash table entries: 4096 (order: 0, 16384 bytes) [ 0.000000] Writing ErrCtl register=000320b0 [ 0.000000] Readback ErrCtl register=000320b0 [ 0.000000] Memory: 58208k/65536k available (5203k kernel code, 7328k reserved, 1002k data, 192k init, 0k highmem) [ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 [ 0.000000] NR_IRQS:192 [ 0.000000] Realtek GPIO IRQ init [ 0.000000] Calibrating delay loop... 660.68 BogoMIPS (lpj=3303424) [ 0.070000] pid_max: default: 32768 minimum: 301 [ 0.080000] Mount-cache hash table entries: 2048 [ 0.090000] [rtl819x_gpio_pin_enable][277]: mask=0xf00 mux=0x0 mux_reg=0xb8000844 val=0x100, CNR_REG=0xffffffbf MUX_REG=0x100 [ 0.100000] [rtl819x_gpio_direction_output][150]: set pin38 as output pin, default value=0, DIR_REG=0x40 DAT_REG=0x3000000 [ 0.110000] [rtl819x_gpio_pin_enable][277]: mask=0xf0 mux=0x100 mux_reg=0xb8000844 val=0x10, CNR_REG=0xffffff3f MUX_REG=0x110 [ 0.120000] [rtl819x_gpio_direction_output][150]: set pin39 as output pin, default value=0, DIR_REG=0xc0 DAT_REG=0x3000000 [ 0.130000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x0 mux_reg=0xb8000848 val=0x4000000, CNR_REG=0xfffffb3f MUX_REG=0x4000000 [ 0.140000] [rtl819x_gpio_direction_output][150]: set pin42 as output pin, default value=0, DIR_REG=0x4c0 DAT_REG=0x3000000 [ 0.150000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x4000000 mux_reg=0xb8000848 val=0x400000, CNR_REG=0xfffff33f MUX_REG=0x4400000 [ 0.160000] [rtl819x_gpio_direction_output][150]: set pin43 as output pin, default value=1, DIR_REG=0xcc0 DAT_REG=0x3000800 [ 0.170000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x4400000 mux_reg=0xb8000848 val=0x60000, CNR_REG=0xffffe33f MUX_REG=0x4460000 [ 0.180000] [rtl819x_gpio_direction_output][150]: set pin44 as output pin, default value=1, DIR_REG=0x1cc0 DAT_REG=0x3001800 [ 0.190000] [rtl819x_gpio_pin_enable][277]: mask=0xf000 mux=0x4460000 mux_reg=0xb8000848 val=0x6000, CNR_REG=0xffffc33f MUX_REG=0x4466000 [ 0.200000] [rtl819x_gpio_direction_output][150]: set pin45 as output pin, default value=1, DIR_REG=0x3cc0 DAT_REG=0x3003800 [ 0.210000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x11111000 mux_reg=0xb8000820 val=0x6000000, CNR_REG=0xffff833f MUX_REG=0x16111000 [ 0.220000] [rtl819x_gpio_direction_output][150]: set pin46 as output pin, default value=1, DIR_REG=0x7cc0 DAT_REG=0x3007800 [ 0.230000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x16111000 mux_reg=0xb8000820 val=0x60000000, CNR_REG=0xffff033f MUX_REG=0x66111000 [ 0.240000] [rtl819x_gpio_direction_output][150]: set pin47 as output pin, default value=0, DIR_REG=0xfcc0 DAT_REG=0x3007800 [ 0.250000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x66111000 mux_reg=0xb8000820 val=0x600000, CNR_REG=0xfffe033f MUX_REG=0x66611000 [ 0.260000] [rtl819x_gpio_direction_output][150]: set pin48 as output pin, default value=1, DIR_REG=0x1fcc0 DAT_REG=0x3017800 [ 0.270000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x66611000 mux_reg=0xb8000820 val=0x70000, CNR_REG=0xfffc033f MUX_REG=0x66671000 [ 0.280000] [rtl819x_gpio_direction_output][150]: set pin49 as output pin, default value=1, DIR_REG=0x3fcc0 DAT_REG=0x3037800 [ 0.290000] [rtl819x_gpio_pin_enable][277]: mask=0xf000 mux=0x66671000 mux_reg=0xb8000820 val=0x7000, CNR_REG=0xfff8033f MUX_REG=0x66677000 [ 0.300000] [rtl819x_gpio_direction_output][150]: set pin50 as output pin, default value=0, DIR_REG=0x7fcc0 DAT_REG=0x3037800 [ 0.310000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x100000 mux_reg=0xb8000824 val=0x20000000, CNR_REG=0xfff0033f MUX_REG=0x20100000 [ 0.320000] [rtl819x_gpio_direction_output][150]: set pin51 as output pin, default value=1, DIR_REG=0xffcc0 DAT_REG=0x30b7800 [ 0.330000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x20100000 mux_reg=0xb8000824 val=0x1000000, CNR_REG=0xffe0033f MUX_REG=0x21100000 [ 0.340000] [rtl819x_gpio_direction_output][150]: set pin52 as output pin, default value=0, DIR_REG=0x1ffcc0 DAT_REG=0x30b7800 [ 0.350000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x21100000 mux_reg=0xb8000824 val=0x0, CNR_REG=0xffc0033f MUX_REG=0x21000000 [ 0.360000] [rtl819x_gpio_direction_output][150]: set pin53 as output pin, default value=0, DIR_REG=0x3ffcc0 DAT_REG=0x30b7800 [ 0.370000] [rtl819x_gpio_pin_enable][277]: mask=0xf000000 mux=0x33320000 mux_reg=0xb8000834 val=0x3000000, CNR_REG=0xff40033f MUX_REG=0x33320000 [ 0.380000] [rtl819x_gpio_direction_output][150]: set pin55 as output pin, default value=0, DIR_REG=0xbffcc0 DAT_REG=0x30b7800 [ 0.390000] NET: Registered protocol family 16 [ 0.400000] <<<<>>>> [ 0.420000] Do MDIO_RESET [ 0.450000] 40MHz [ 0.810000] PCIE -> Cannot LinkUP [ 0.820000] Realtek GPIO controller driver init [ 0.830000] INFO: initializing i2c devices ... [ 0.840000] INFO: registering sheipa spi device [ 0.860000] bio: create slab at 0 [ 0.870000] SCSI subsystem initialized [ 0.880000] INFO: sheipa spi driver register [ 0.890000] INFO: sheipa spi probe [ 0.900000] cfg80211: Calling CRDA to update world regulatory domain [ 0.910000] Switching to clocksource MIPS [ 0.920000] NET: Registered protocol family 2 [ 0.930000] TCP established hash table entries: 2048 (order: 0, 16384 bytes) [ 0.950000] TCP bind hash table entries: 2048 (order: -1, 8192 bytes) [ 0.970000] TCP: Hash tables configured (established 2048 bind 2048) [ 0.990000] TCP: reno registered [ 1.000000] UDP hash table entries: 1024 (order: 0, 16384 bytes) [ 1.020000] UDP-Lite hash table entries: 1024 (order: 0, 16384 bytes) [ 1.040000] NET: Registered protocol family 1 [ 1.050000] RPC: Registered named UNIX socket transport module. [ 1.070000] RPC: Registered udp transport module. [ 1.080000] RPC: Registered tcp transport module. [ 1.100000] RPC: Registered tcp NFSv4.1 backchannel transport module. [ 1.130000] squashfs: version 4.0 (2009/01/31) Phillip Lougher [ 1.150000] NFS: Registering the id_resolver key type [ 1.160000] Key type id_resolver registered [ 1.180000] Key type id_legacy registered [ 1.190000] NTFS driver 2.1.30 [Flags: R/W DEBUG]. [ 1.200000] msgmni has been set to 113 [ 1.220000] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254) [ 1.240000] io scheduler noop registered (default) [ 1.250000] pwm_probe [ 1.260000] add buzzer dev!!!!!!!!!!!!!!!! [ 1.380000] Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled [ 1.420000] console [ttyS0] enabled, bootconsole disabled7) is a 16550A [ 1.420000] console [ttyS0] enabled, bootconsole disabled [ 1.450000] serial8250: ttyS1 at MMIO 0x18147400 (irq = 46) is a 16550A [ 1.470000] serial8250: ttyS2 at MMIO 0x18147800 (irq = 47) is a 16550A [ 1.500000] Realtek GPIO Driver for Flash Reload Default [ 1.510000] Load Kernel firmware information Driver [ 1.530000] id_chain value=efaa219f [ 1.540000] id_chain value=efaa219f [ 1.550000] NAND device: Manufacturer ID: 0xef, Chip ID: 0xaa (Unknown W25M01GV 1G SPI NAND), 128MiB, page size: 2048, OOB size: 64 [ 1.580000] [rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024 [ 1.610000] [rtkn_scan_bbt, line 1822] block_v2r_num 400 [rtk_scan_v2r_bbt]:678,RBA=33,2=400, [ 1.630000] [rtk_scan_v2r_bbt]:684,block_v2r_num=3cd [ 1.660000] INFO: Stored BBT in Die 0: block=8 , block_status_p1=0xbb [ 1.670000] load bbt v2r table:0 page:512 [rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !! check v2r bbt table:0 OK [rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704 [ 1.740000] INFO: Stored BBT in Die 0: block=11 , block_status_p1=0xbb [ 1.760000] load bbt table:0 page:704 [rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !! check bbt table:0 OK [dump_BBT] Nand BBT Content [ 1.800000] [0] (0, ff, 0, 3ff) [ 1.810000] 11 rtkxxpart partitions found on MTD device rtk_nand [ 1.830000] Creating 11 MTD partitions on "rtk_nand": [ 1.860000] Realtek WLAN driver - version 1.7 (2015-10-30)(SVN:Unversioned directory) [ 1.890000] Adaptivity function - version 9.3.4 [ 1.900000] Device Name = RTKWiFi0 [ 1.910000] VIF_NUM=9 [ 1.920000] MACHAL_version_init [ 1.930000] RFE TYPE =0 [ 1.940000] RFE TYPE =0 [ 1.950000] RFE TYPE =0 [ 1.960000] RFE TYPE =0 [ 1.960000] RFE TYPE =0 [ 1.970000] RFE TYPE =0 [ 1.980000] RFE TYPE =0 [ 1.990000] RFE TYPE =0 [ 2.000000] RFE TYPE =0 [ 2.010000] RFE TYPE =0 [ 2.020000] RFE TYPE =0 [ 2.020000] lumi_btn_probe reset btn=7 [ 2.040000] [rtl819x_gpio_request][42]: pin7 [ 2.050000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x13000000 mux_reg=0xb8000800 val=0x600000, CNR_REG=0xffffff7f MUX_REG=0x13600000 [ 2.090000] [rtl819x_gpio_direction_input][120]: set pin7 as input pin, DIR_REG=0xff000000 [ 2.110000] rtl819x_gpio: GPIO7 requests IRQ79 [ 2.130000] input: lumi_key as /devices/virtual/input/input0 [ 2.140000] i2c /dev entries driver [ 2.160000] [rtl819x_gpio_request][42]: pin57 [ 2.170000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x33320000 mux_reg=0xb8000834 val=0x20000, CNR_REG=0xfd40033f MUX_REG=0x33320000 [ 2.210000] [rtl819x_gpio_direction_output][150]: set pin57 as output pin, default value=1, DIR_REG=0x2bffcc0 DAT_REG=0x30b7800 [ 2.240000] rtl819x_gpio: GPIO57 requests IRQ129 [ 2.260000] [rtl819x_gpio_request][42]: pin56 [ 2.270000] [rtl819x_gpio_pin_enable][277]: mask=0xf00000 mux=0x33320000 mux_reg=0xb8000834 val=0x300000, CNR_REG=0xfc40033f MUX_REG=0x33320000 [ 2.310000] [rtl819x_gpio_direction_output][150]: set pin56 as output pin, default value=1, DIR_REG=0x3bffcc0 DAT_REG=0x30b7800 [ 2.340000] rtl819x_gpio: GPIO56 requests IRQ128 [ 2.360000] [rtl819x_gpio_request][42]: pin54 [ 2.370000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000000 mux=0x33320000 mux_reg=0xb8000834 val=0x30000000, CNR_REG=0xfc00033f MUX_REG=0x33320000 [ 2.410000] [rtl819x_gpio_direction_output][150]: set pin54 as output pin, default value=0, DIR_REG=0x3fffcc0 DAT_REG=0x30b7800 [ 2.450000] rtl819x_gpio: GPIO54 requests IRQ126 [ 2.460000] TCP: cubic registered [ 2.470000] NET: Registered protocol family 10 [ 2.490000] sit: IPv6 over IPv4 tunneling driver [ 2.500000] NET: Registered protocol family 17 [ 2.520000] Key type dns_resolver registered [ 2.530000] [ 2.530000] Probing RTL819X NIC-kenel stack size order[0]... [ 3.220000] eth0 added. vid=9 Member port 0x110... [ 3.240000] eth1 added. vid=8 Member port 0x0... [ 3.260000] Key type encrypted registered [ 3.280000] VFS: Mounted root (squashfs filesystem) readonly on device 31:8. [ 3.300000] Freeing unused kernel memory: 192K (80610000 - 80640000) init started: BusyBox v1.22.1 (2020-06-22 16:58:24 CST) [ 4.380000] WlanSupportAbility = 0x3 [ 4.390000] [ODM_software_init] [ 4.390000] [97F] Bonding Type 97FS, PKG1 [ 4.390000] [97F] RFE type 0 PHY paratemters: DEFAULT [ 4.390000] clock 40MHz [ 4.390000] load efuse ok [ 4.390000] rom_progress: 0x200006f [ 4.390000] rom_progress: 0x400006f [ 4.470000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size [ 4.480000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] [ 4.700000] [GetHwReg88XX][rtl8197Ffw] [ 4.710000] [GetHwReg88XX][rtl8197Ffw size] [ 5.160000] [97F] Default BB Swing=30 [ 5.310000] device eth0 entered promiscuous mode [ 5.330000] device wlan0 entered promiscuous mode [ 5.350000] br0: port 2(wlan0) entered forwarding state [ 5.360000] br0: port 2(wlan0) entered forwarding state === Linux Firmware === version=1.4.6_0012 branch=aqara-rtl8197-gateway try mount ubi0!!! test for jacky![ 5.450000] UBI: attaching mtd10 to ubi0 [ 6.770000] UBI: scanning is finished [ 6.820000] UBI: attached mtd10 (name "AppData", size 56 MiB) to ubi0 [ 6.840000] UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes [ 6.860000] UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048 [ 6.880000] UBI: VID header offset: 2048 (aligned 2048), data offset: 4096 [ 6.900000] UBI: good PEBs: 449, bad PEBs: 0, corrupted PEBs: 0 [ 6.920000] UBI: user volume: 1, internal volumes: 1, max. volumes count: 128 [ 6.940000] UBI: max/mean erase counter: 708/127, WL threshold: 4096, image sequence number: 1972655063 [ 6.970000] UBI: available PEBs: 0, total reserved PEBs: 449, PEBs reserved for bad PEB handling: 20 [ 7.000000] UBI: background thread "ubi_bgt0d" started, PID 932 UBI device number 0, total 449 LEBs (57012224 by[ 7.040000] UBIFS: parse sync tes, 54.4 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB) [ 7.150000] UBIFS: background thread "ubifs_bgt0_0" started, PID 939 [ 7.270000] UBIFS: recovery needed [ 7.870000] UBIFS: recovery completed [ 7.880000] UBIFS: mounted UBI device 0, volume 0, name "ubifs1" [ 7.900000] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes [ 7.930000] UBIFS: FS size: 52695040 bytes (50 MiB, 415 LEBs), journal size 2666496 bytes (2 MiB, 21 LEBs) [ 7.950000] UBIFS: reserved for root: 2488917 bytes (2430 KiB) [ 7.970000] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 16B479AC-F1B4-4F83-8607-942FBC1957B7, small LPT model is old unecrypt [ 8.130000] [rtl819x_gpio_request][42]: pin18 dir! [ 8.150000] [rtl819x_gpio_pin_enable][277]: mask=0xf00 mux=0x455000 mux_reg=0xb8000808 val=0x600, CNR_REG=0xfffbff7f MUX_REG=0x455600 [ 8.190000] rtl819x_gpio: GPIO18 requests IRQ90 [ 8.210000] [rtl819x_gpio_direction_output][150]: set pin18 as output pin, default value=0, DIR_REG=0xff040000 DAT_REG=0x40080 [ 8.250000] [rtl819x_gpio_request][42]: pin9 [ 8.260000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x455600 mux_reg=0xb8000808 val=0xa0000, CNR_REG=0xfffbfd7f MUX_REG=0x4a5600 [ 8.300000] rtl819x_gpio: GPIO9 requests IRQ81 [ 8.320000] [rtl819x_gpio_direction_output][150]: set pin9 as output pin, default value=0, DIR_REG=0xff040200 DAT_REG=0x40080 MAC=64:90:C1:78:44:36 [ 8.510000] [rtl819x_gpio_request][42]: pin31 [ 8.530000] [rtl819x_gpio_pin_enable][277]: mask=0xf0 mux=0x22220077 mux_reg=0xb800083c val=0x70, CNR_REG=0x7ffbfd7f MUX_REG=0x22220077 [ 8.710000] rtl819x_gpio: GPIO31 requests IRQ103 [ 8.720000] [rtl819x_gpio_direction_output][150]: set pin31 as output pin, default value=0, DIR_REG=0xff040200 DAT_REG=0x40280 === RootFS Firmware === product=aqara-rtl8197-mijia-gateway branch=release-1.4.7_0060 VERSION=1.4.7_0065 version=1.4.7_0065 run /bin/pre_check.sh... Check HK setup pass. Will Start OT!! device br0 already exists; can't create bridge with the same name device wlan0 is already a member of a bridge; can't enslave it to bridge br0. bridge name bridge id STP enabled interfaces br0 8000.6490c1784436 no eth0 wlan0 killall: miio_agent: no process killed killall: miio_client: no process killed killall: miio_client_helper_nomqtt.sh: no process killed killall: basic_app: no process killed killall: basic_gw: no process killed killall: wpa_supplicant: no process killed killall: udhcpd: no process killed killall: udhcpc: no process killed killall: hostapd: no process killed killall: eth0_start.sh: no process killed killall: wifi_start.sh: no process killed [ 10.170000] br0: port 2(wlan0) entered disabled state [ 10.190000] WlanSupportAbility = 0x3 [ 10.200000] [ODM_software_init] [ 10.200000] [97F] Bonding Type 97FS, PKG1 [ 10.200000] [97F] RFE type 0 PHY paratemters: DEFAULT [ 10.200000] clock 40MHz [ 10.200000] load efuse ok [ 10.200000] rom_progress: 0x200006f [ 10.200000] rom_progress: 0x400006f [ 10.280000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size [ 10.290000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] [ 10.510000] [GetHwReg88XX][rtl8197Ffw] [ 10.520000] [GetHwReg88XX][rtl8197Ffw size] [ 10.970000] [97F] Default BB Swing=30 [ 10.980000] br0: port 2(wlan0) entered forwarding state [ 10.990000] br0: port 2(wlan0) entered forwarding state 969 connect miio_agent --- dead ---reboot miio_client --- dead ---reboot device wlan0 is already a member of a bridge; can't enslave it to bridge br0. [ 12.060000] br0: port 2(wlan0) entered disabled state [ 12.080000] WlanSupportAbility = 0x3 [ 12.090000] [ODM_software_init] [ 12.090000] [97F] Bonding Type 97FS, PKG1 [ 12.090000] [97F] RFE type 0 PHY paratemters: DEFAULT [ 12.090000] clock 40MHz [ 12.090000] load efuse ok [ 12.090000] rom_progress: 0x200006f [ 12.090000] rom_progress: 0x400006f [ 12.170000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] size [ 12.180000] [GetHwReg88XX][PHY_REG_PG_8197Fmp_Type0] [ 12.400000] [GetHwReg88XX][rtl8197Ffw] [ 12.410000] [GetHwReg88XX][rtl8197Ffw size] [ 12.860000] [97F] Default BB Swing=30 [ 12.870000] br0: port 2(wlan0) entered forwarding state [ 12.880000] br0: port 2(wlan0) entered forwarding state restart wpa_supplicant... killall: wpa_supplicant: no process killed wpa_supplicant has been killed, then restart it... 2 [ 14.190000] store_tty0_enable buf=disable [ 14.190000] , count=8 [ 15.160000] br0: port 2(wlan0) entered disabled state [ 18.820000] br0: port 2(wlan0) entered forwarding state [ 18.840000] br0: port 2(wlan0) entered forwarding state [ 19.200000] [rtl819x_gpio_request][42]: pin36 [ 19.210000] [rtl819x_gpio_pin_enable][277]: mask=0xf0000 mux=0x0 mux_reg=0xb8000844 val=0x10000, CNR_REG=0xfc00032f MUX_REG=0x10000 [ 19.530000] i2c_designware i2c_designware.1: i2c_dw_handle_tx_abort: slave address not acknowledged (7bit mode) [ 19.820000] rtl819x_gpio: GPIO36 requests IRQ108 [ 19.990000] [rtl819x_gpio_direction_output][150]: set pin36 as output pin, default value=0, DIR_REG=0x3fffcd0 DAT_REG=0x3083800 [ 28.860000] br0: port 2(wlan0) entered forwarding state ```

Boot process is failing now:

bad UART log

``` uart ok strap pin:0x412b8ae2 enable spi-nand ROM ver:v1.1, sig:455cc27, time:2016.01.04-18:42+0800, CPU(400 MHz), DDR2(533 MHz) load efuse ok init IP ok rom_progress: 0x0600006d load_data_from_storage(260): 0xbfe01540, 0x00000000, 0xbfd16f44 load_data_from_spi_nand_flash(70): 0xbfe01540, 0x00000000, 0xbfe03e18 check_image_header(72): h(69,72,61,6d), s(69,72,61,6d) img sig ok rom_progress: 0x0c00006d load_data_from_spi_nand_flash(81) 0x00000004 0x000024ba load_data_from_spi_nand_flash(86): 0xbfe01d40, 0x00000001, 0xbfe03e18 load_data_from_spi_nand_flash(86): 0xbfe02540, 0x00000002, 0xbfe03e18 load_data_from_spi_nand_flash(86): 0xbfe02d40, 0x00000003, 0xbfe03e18 load_data_from_spi_nand_flash(86): 0xbfe03540, 0x00000004, 0xbfe03e18 load_data_from_spi_nand_flash(90) read done (size:9402) chksum ok rom_progress: 0x0e00006d load img ok rom_progress: 0x1000006d jump 0xbfe01550 Booting... SPI NAND clock not enable SPI Nand ID=00efaa21 SPI Nand die chipsize=0x08000000 byte SPI Nand dienum=1, SPI Nand blocksize=0x00020000 byte, SPI Nand pagesize=0x00000800 byte, SPI Nand oobsize=0x00000040 byte, [rtkn_scan_bbt, line 1812], RBA=51, this->RBA_PERCENT = 5,block_v2r_num=1024 [rtkn_scan_bbt, line 1822] block_v2r_num 00000400 [rtk_scan_v2r_bbt]:678,RBA=00000033,2=00000400, [rtk_scan_v2r_bbt]:684,block_v2r_num=000003cd INFO: Stored BBT in Die 0: block=8 , block_status_p1=0x000000bb load bbt v2r table:0 page:512 [rtk_scan_v2r_bbt] have created v2r bbt table:0 on block 8, just loads it !! check v2r bbt table:0 OK [rtk_nand_scan_bbt, line 393] mem_page_num=1 bbt_page 704 INFO: Stored BBT in Die 0: block=11 , block_status_p1=0x000000bb load bbt table:0 page:704 [rtk_nand_scan_bbt] have created bbt table:0 on block 11, just loads it !! check bbt table:0 OK [dump_BBT] Nand BBT Content [0] (00000000, 000000ff, 00000000, 000003ff) =>CPU Wake-up interrupt happen! GISR=09000084 Realtek RTL8197F boot code at 2019.11.25-17:17+0800 v3.4T-pre2.1 (993MHz) -- version: 1.0.2.005 -- Info: Load boot_info success! === bootloader for mijia_gw === boot_info: ver:0 kernel: newest:0, curr:0 rootfs: newest:0, curr:0 kernel[0]: sum:0x0000, size:0, fail:0 [1]: sum:0x0000, size:0, fail:0 rootfs[0]: sum:0x0000, size:0, fail:0 [1]: sum:0x0000, size:0, fail:0 root_sum_check: off watchdog_time: 0 boot_version: 1.0.2.005 priv mode Info: kernel 0 is invalid Info: kernel 1 is invalid Warn: all kernels are invalid ! ---Ethernet init Okay! ```

I have no idea how to repair boot_info

[zvldz]

I have no idea how to repair boot_info https://github.com/serrj-sv/lumi.gateway.mgl03/tree/main/uart_recovery

[OrgoneBlaster]

for global hub ZNDMWG02LM with firmware 1.4.6_0043 we should be able to open telnet using similar method (uart + boot to bootloader). if somebody wants to try tag me in this thread.

Hello,

@rezmus Is the "ZNDMWG02LM with firmware 1.4.6_0043" contains telnet? I am not able to connect to the Gateway. No promt only a message box with a "connection refused" error message. Is the telnet disabled by default?

[AlexxIT]

Telnet disabled by default. Setup my component, it will enable telnet