How to unbrick of hard bricked the Mi Band 3
(with | without NFC)
(with | without NFC)
Last Updated: 07.04.2019
Warning
- Proceed at your own risk !!!
- It may also damage the internal electronics of the device (meganic damage, electrostatic discharge, etc.) !!!
- I'm not responsible for permanently bricked your the MB3!!!
Introduction
This thread contains instructions for unbrick the Mi Band 3 (after flash wrong firmware through bluetooth), using the SPI Flash programmer to program the correct firmware, directly into to the SPI flash memory on the PCB of the Mi Band 3. The DA14681 processor boots executable firmware directly from this flash memory, which contains a boot loader, calibration and other production data, and executable firmware that is updated via bluetooth.Known issues
- Need to open the cover body of Mi Band 3.
- When the body of the Mi Band 3 is opened, waterproofness is lost.
- Need special equipment (Micro soldering station, programmer for SPI flash memory, and etc.).
You will need
- Hard bricked the Mi Band 3 (bricked after flash wrong firmware through bluetooth)
- Micro soldering station, with 0.2mm tip
- SPI Flash programmer for programming correct firmware into internal SPI flash memory.
- Control software for SPI Flash programmer (Flashrom / FT2232-SPI-Prog)
- Hex editor for editing full dump bin file of the SPI flash memory.
- Correct firmware file for the Mi Band 3
Procedure
- How opening the cover body of Mi Band 3.
Follow this thread to open the Mi Band 3 cover body How to open the body cover of Mi Band 3 (with | without NFC) | Xiaomi Mi Band 3 | GeekDoing
- How to connect to the SPI flash memory
The Mi Band 3 contains the SPI flash memory GD25LQ32 32Mbit on the PCB. Unfortunately, there are no testpoints available on the PCB (maybe possible under the LCD), for easy contacting of the SPI flash memory. It is necessary to contact the terminal wire directly on the SPI flash memory package.
Example of connecting to the SPI flash memory (for single use unbrick):
Or a better connection solution (for continuous tests):
- How to connect to the SPI programmer (circuit diagram of the SPI Flash programmer)
You can use one of these programmers (FT2232 Programmers) based on FT2232 chipset to program the SPI Flash memory on the Mi band 3.
I used my own circuit diagram with FT2232H, see. the circuit diagram below. The SPI Flash memory (GD25LQ32) on the Mi band 3 has supply voltage of 1.8V !!! The SPI interface of this memory is 3.3V tolerant. The Mi Band 3 battery 3.8V must be disconnected when programming the SPI flash memory GD25LQ32, otherwise the Mi Band 3 processor blocks communication over the SPI interface.
- Control software for SPI Flash programmer (You can use one of these Flashrom or FT2232-SPI-Prog)
# Flashrom (utility for flash BIOS/EFI/coreboot/firmware/optionROM images)
You install drivers (Windows) for Flashrom / FT2232H SPI Flash programmer using tool: Zadig libusb-win32.
Flashrom requires these libraries "libusb-win32" !!!
Tool the Flashrom directly natively supports of the GD25LQ32 Flash memory.
* Reading of the flash memory GD25LQ32:
Command: flashrom -p ft2232_spi:type=2232H,port=A
You check the presence of the GD25LQ32 Falsh Memory (Found GigaDevice flash chip "GD25LQ32" (4096 kB, SPI) on ft2232_spi) !!!
* Reading of the flash memory GD25LQ32:
Command: flashrom -p ft2232_spi:type=2232H,port=A -c GD25LQ32 -r MB3_FullFlash_brick.bin
"MB3_FullFlash_brick.bin" is the output file.
* Erasing of the flash memory GD25LQ32:
Command: flashrom -p ft2232_spi:type=2232H,port=A -c GD25LQ32 -E
* Writing of the flash memory GD25LQ32:
Command: flashrom -p ft2232_spi:type=2232H,port=A -c GD25LQ32 -w MB3_FullFlash_unbrick.bin
You make sure that Flash Memory has been verified (Verifying flash... VERIFIED) !!!
# FT2232-SPI-Prog (SPI Flash Programmer based on FTDI chips in MPSSE mode)
FT2232-SPI-Prog does not require special drivers and uses native drivers from FTDI (Windows): Virtual COM port (VCP) drivers
Tool the FT2232-SPI-Prog does not support the GD25LQ32 Flash memory directly, you can use "M25PX32" type and set the "Ignore Device ID" control.
In case of problems with communication with the GD25LQ32 Flash Memory, you can set the communication slowdown by turning on "Disable Quad Mode".
Also, do not forget to select the memory address range "Start Address" and "End Address".
* Instructions to control the FT2232-SPI-Prog can be found here: FT2232-SPI-Prog
- How to unbrick of hard bricked the Mi Band 3
- You read out the Mi Band 3 GD25LQ32 SPI Flash memory full data range and save it to a file such as "MB3_FullFlash_brick.bin". This GD25LQ32 SPI Flash memory, which contains a boot loader, calibration and other production data (serial number), and executable firmware that is updated via bluetooth. These data are unique to the device and it is necessary to backup !!! Read the GD25LQ32 SPI Flash memory again, repeatedly and compare the files to see if the memory read is correct !!!
- Open "MB3_FullFlashFlash_brick.bin" in any HEX editor and go to address 4000 and paste the correct firmware from this address. After paste the correct firmware, save the file for example as "MB3_FullFlashFlash_unbrick.bin".
- Write the file "MB3_FullFlashFlash_unbrick.bin" back to the GD25LQ32 SPI Flash memory.
- It is recommended that you also reload Firmware, Resources and Font files via Bluetooth after unbrick. This will prevent the Mi Band 3 instability !!!
- That is all
Last edited:
