I bought recently an HAME A! clone at Amazon, just named "3G Wi-Fi Router", without any additional brand name.

The Image-Name (from the boot message) points to an chinese company, called ZLMNet, with an chinese-only homepage: http://zlmnet.com/

I posted pictures from the PCB as well as the original bootlog into the Wiki: http://wiki.openwrt.org/toh/zlmnet/mifif10n

Unfortunately I am not able, to get openwrt installed on that device.  When I go through the very simple webfrontend, I get a nice javascript enabled progress bar, when I try to upload an open-wrt image.
However, already immediately after start of the upload, I see the following message on the serial console:

No suitable usb disk partition found 
.nvram_set Needrestoredefault 1
sleep 3 && reboot &
starting pid 2579, tty '': '/etc_ro/rcH'
The system is going down NOW!
Sending SIGTERM to all processes
syslogd exiting
Requesting system reboot
Restarting system.

and all previous configuration is gone, as the device reboots with default settings.
The progress-bar continues during that reboot and  states success after two minutes ;-)

So, next try is TFTP via the U-BOOT boot-loader. There I see already some mismatch:

While booting, i get the message:
   U-Boot 1.1.3 (Jul  8 2013 - 10:59:04)
followed by
Ralink UBoot Version: 3.6.0.0
during the boot-process

I prepared an TFTP-Server on a linux box, connected the MiFi F1 with an crossover cable direct to that box, having as well an dhcpd running.  Each time, the box boots regulary, it receives an IP address from the Linux-Server and I am able to login.

When I try to TFTP however, there is complete silence on that network.  The physical link is up, as soon, as the MiFi F1 is powered up, however I see no packages at all arriving.  I watched the observed the connection from the linux end with tcpdump, not a single packet arrives!

That brought me to another finding:

When the MiFi F1 is booted, the devices look like:

br0       Link encap:Ethernet  HWaddr 2C:67:FB:5D:10:68  
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1995 (1.9 KiB)  TX bytes:590 (590.0 B)

eth2      Link encap:Ethernet  HWaddr 2C:67:FB:5D:10:6A  
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:205 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:21050 (20.5 KiB)  TX bytes:2620 (2.5 KiB)
          Interrupt:3 

eth2.1    Link encap:Ethernet  HWaddr 2C:67:FB:5D:10:6A  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2301 (2.2 KiB)  TX bytes:618 (618.0 B)

eth2.2    Link encap:Ethernet  HWaddr 2C:67:FB:5D:10:6B  
          inet addr:192.168.250.129  Bcast:192.168.250.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:171 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:14387 (14.0 KiB)  TX bytes:1926 (1.8 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ra0       Link encap:Ethernet  HWaddr 2C:67:FB:5D:10:68  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1870 (1.8 KiB)  TX bytes:604 (604.0 B)
          Interrupt:4 

and I see, that the MAC address associated with the ethernet-port  is 2C:67:FB:5D:10:6B

when I look now to the U-BOOT-Environment I see:

printenv
 
 RT5350 # printenv
bootcmd=tftp
bootdelay=2
baudrate=57600
ethaddr="00:AA:BB:CC:DD:20"
ipaddr=192.168.100.1
serverip=192.168.100.100
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
addmisc=setenv bootargs $(bootargs) console=ttyS0,$(baudrate) ethaddr=$(ethaddr) panic=1
flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr)
kernel_addr=BFC40000
u-boot=u-boot.bin
load=tftp 8A100000 $(u-boot)
u_b=protect off 1:0-1;era 1:0-1;cp.b 8A100000 BC400000 $(filesize)
loadfs=tftp 8A100000 root.cramfs
u_fs=era bc540000 bc83ffff;cp.b 8A100000 BC540000 $(filesize)
test_tftp=tftp 8A100000 root.cramfs;run test_tftp
stdin=serial
stdout=serial
stderr=serial
ethact=Eth0 (10/100-M)

Environment size: 771/4092 bytes

The mac-address used here is ethaddr="00:AA:BB:CC:DD:20", which is not in sync with the hardware.

Unfortunately the ethaddr variable is blocked from u-boot an cannot be changed.  The tricks, I found in the internet, are not working, a I have only very limited commands in U-boot enabled.

RT5350 # help
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase SPI FLASH memory
go      - start application at address 'addr'
help    - print online help
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveenv - save environment variables to persistent storage
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version

What for possibilities I have, to get openwrt on that device?

As it has 32MB SDRAM, its a nice device, however the 4MB Flash are the limiting factor.

Are there possibilities to exchange the flash?  And how can a new flash chip get initialized?

Thanks for any hints...

P.S.

The box gives some error-messages, where I found as well no explanation:

MIC Different in pairwise msg 2 of 4-way handshake!

(Last edited by gnag on 1 Oct 2013, 16:05)

Another finding, I forgot to report:

This device has the same problem, I was reading in the thread about the HAME A1 (https://forum.openwrt.org/viewtopic.php?id=37002).  When the USB-serial cable is connected,  there are situations, where the device will not boot.

However, I have one cable, where the serial TTL is +4.5V and another one, where serial TTL is 2.8V.

When I use that, where the TTL voltage is 4.5V, the device starts, as soon, as GND and RX are connected!

As soon, as I enter some characters, the device reboots, as the RX goes down for short moments.

I expect that as an problem, that somehow Rx can be used the power the device.  When the Rx current is to low, the device starts already in the moment, when the UART gets connected, but the current is to weak to drive the device, so it stucks.

Can you please post external case pictures?

btw i would never try to connect a 4.5V adapter to a 3.3V device....

I uploaded some more pictures. It really looks like the HAME A1.

the device seems to run on slightly higher power. I measured around 3.6 Volt at the + pin close to TX.

So I gave it a try, especially as the TX output from the converter has limited current. When the TTL converter is unconnected, the voltage on TX is around 4.5, when it was connected and running the device, voltage went down to 3.4 V.

When it is connected, while the device is powered by its own, voltage goes down to 3.6 V.

I don't know, which converter is in that cable. Its a reused cable from an old Siemens mobile-phone, where the converter is part of the USB-plug and impossible to open.

@all:  I am still thinking, which ways I may have, to bring openwrt onto that device.

The smartest way would be, to unsolder the flash, and soldering an new bigger flash-chip in, which is already prepared, to boot the device.   Has someone done such things with success? 
How to prepare the flash?
I was searching, if I find JTAG connectors on the board, but i am unsure, if the six pads in the lower right corner (between the switch and the button) can it be?

Does someone know, how those devices got flashed during fabrication? 

Unfortunately I am not able at all, to find source-code links on the manufacture webpage, even with google-translate.

(Last edited by gnag on 2 Oct 2013, 18:20)

See the updated wiki page for more info
: http://wiki.openwrt.org/toh/zlmnet/mifif10n

I have this same device. TFTP is not working.
Is there any way to flash with openwrt ?

So I have exactly the same problem and have not yet been able to find a solution for this. I also tried loading an image through kermit via loadb, but this just timeouts. It really looks like the bootloader is completely locked down.

Have you been able to load any image via the built-in firmware upgrade mechanism that comes with the stock firmware? That also fails for me despite having a local USB stick for storage.

Ended up following the instructions from here: http://my-embedded.blogspot.ru/2013/12/ … 5350f.html and this works just fine now.