Podsumowanie na temat MF286 (nie z t-mobile PL i prawdopodobnie z wielu innych źródeł)
-----------------------------------------------------------------

ZTE MF286 is an indoor LTE category 6 CPE router with simultaneous
dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit
Ethernet switch, FXS and external USB 2.0 port.

Hardware highlights:
- CPU: QCA9563 SoC at 775MHz,
- RAM: 128MB DDR2,
- NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only,
- NAND Flash: GD5F1G04UBYIG 128MB SPI NAND-Flash, for all other data,
- Wi-Fi 5GHz: QCA9882 2x2 MIMO 802.11ac radio,
- WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio,
- Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port,
- WWAN: MDM9230-based category 6 internal LTE modem in extended
  mini-PCIE form factor, with 3 internal antennas and 2 external antenna
  connections, single mini-SIM slot. Modem model identified as MF270,
- FXS: one external ATA port (handled entirely by modem part) with two
  physical connections in parallel,
- USB: Single external USB 2.0 port,
- Switches: power switch, WPS, Wi-Fi and reset buttons,
- LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery,
  Signal state) handled entirely by modem. 4 link status LEDs handled by
  the switch on the backside.
- Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and
  monitoring handled by modem.
- Label MAC device: eth0

Console connection: connector X2 is the console port, with the following
pinout, starting from pin 1, which is the topmost pin when the board is
upright:
- VCC (3.3V). Do not use unless you need to source power for the
  converer from it.
- TX
- RX
- GND
Default port configuration in U-boot as well as in stock firmware is
115200-8-N-1.

Installation:
Due to different flash layout from stock firmware, sysupgrade from
within stock firmware is impossible, despite it's based on QSDK which
itself is based on OpenWrt.

STEP 1: gaining root shell:
Method 1:
This works if busybox has telnetd compiled in the binary.
If this does not work, try method 2.

Using well-known exploit to start telnetd on your router - works
only if Busybox on stock firmware has telnetd included:
- Open stock firmware web interface
- Navigate to "URL filtering" section by going to "Advanced settings",
  then "Firewall" and finally "URL filter".
- Add an entry ending with "&&telnetd&&", for example
  "http://hostname/&&telnetd&&".
- telnetd will immediately listen on port 4719.
- After connecting to telnetd use "admin/admin" as credentials.

Method 2:
This works if busybox does not have telnetd compiled in. Notably, this
is the case in DNA.fi firmware.
If this does not work, try method 3.

- Set IP of your computer to 192.168.1.22.
- Have a TFTP server running at that address
- Download MIPS build of busybox including telnetd, for example from:
  https://busybox.net/downloads/binaries/ … sybox-mips
  and put it in it's root directory. Rename it as "telnetd".
- As previously, login to router's web UI and navigate to "URL
  filtering"
- Using "Inspect" feature, extend "maxlength" property of the input
  field named "addURLFilter", so it looks like this:
  <input type="text" name="addURLFilter" id="addURLFilter" maxlength="332"
    class="required form-control">
- Stay on the page - do not navigate anywhere
- Enter "http://aa&zte_debug.sh 192.168.1.22 telnetd" as a filter.
- Save the settings. This will download the telnetd binary over tftp and
  execute it. You should be able to log in at port 23, using
  "admin/admin" as credentials.

Method 3:
If the above doesn't work, use the serial console - it exposes root shell
directly without need for login. Some stock firmwares, notably one from
finnish DNA operator lack telnetd in their builds.

STEP 2: Backing up original software:
As the stock firmware may be customized by the carrier and is not
officially available in the Internet, IT IS IMPERATIVE to back up the
stock firmware, if you ever plan to returning to stock firmware.

Method 1: after booting openwrt initramfs image:
- Dump stock firmware located on stock kernel and ubi partitions:
ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin
ssh root@192.168.1.1: cat /dev/mtd8 > mtd8_ubi.bin
And keep them in a safe place, should a restore be needed in future.

Method 2: using stock firmware:
- Connect an external USB drive formatted with FAT or ext4 to the USB
- The drive will be auto-mounted to /var/usb_disk
- Copy over all MTD partitions, for example by executing the following:
for i in 0 1 2 3 4 5 6 7 8 9 10 11; do cat /dev/mtd$i > \
/var/usb_disk/mtd$i; done

for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; do cat /dev/mtd$i > /var/usb_disk/mtd$i; done
cat /proc/mtd > /var/usb_disk/mtd.txt

- (optionally) rename the files according to MTD partition names from
  /proc/mtd
- umount /var/usb_disk; sync and remove the drive
- Store the files in safe place if you ever plan to return to stock
  firmware. This is especially important, because stock firmware for
  this device is not available publicly, and is usually customized by
  the mobile providers.

STEP 3: Booting initramfs image:

Method 1: using initramfs as temporary kernel
This exploits the fact, that kernel and rootfs MTD devices are
consecutive on NAND flash, so from within stock image, an initramfs can
be written to this area and booted by U-boot on next reboot, because it
uses "nboot" command which isn't limited by kernel partition size.
- Download a pair of -intermediate-*.bin images. Together they form an
  initramfs image to be written from within stock firmware, allowing
  OpenWrt installation.
- Copy over /usr/bin/flash_eraseall and /usr/bin/nandwrite utilities to
  /tmp. This is critical for installation, as erasing rootfs will cut
  you off from those tools on flash!
- After backing up the previous MTD contents, write the images to the
  respective MTD devices
  # /tmp/flash_eraseall /dev/<kernel-mtd>
  # /tmp/nandwrite /dev/<kernel-mtd> \
  /var/usb_disk/openwrt-ath79-zte-mf286-intermediate-kernel.bin
  # /tmp/flash_eraseall /dev/<kernel-mtd>
  # /tmp/nandwrite /dev/<rootfs-mtd> \
  /var/usb_disk/openwrt-ath79-zte-mf286-intermediate-rootfs.bin
- Ensure that no bad blocks were present on the devices while writing.
  If they were present, you may need to change split offset between
  kernel and rootfs parts, so U-boot reads a valid uImage after skipping
  the bad blocks.
- If write is OK, reboot the device, it will reboot to OpenWrt
  initramfs.
- After rebooting, SSH into the device and use sysupgrade to perform
  proper installation.

Method 2: using serial console:
- Have TFTP server running, exposing the OpenWrt initramfs image, and
  set your computer's IP address as 192.168.1.22. This is the default
  expected by U-boot. You may wish to change that, and alter later
  commands accordingly.
- Connect the serial console if you haven't done so already,
- Interrupt boot sequence by pressing any key in U-boot when prompted
- Use the following commands to boot OpenWrt initramfs through TFTP:
  setenv serverip 192.168.1.22
  setenv ipaddr 192.168.1.1
  tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin
  bootm 0x81000000
  (Replace server IP and router IP as needed). There seems to be no
  emergency TFTP boot sequence triggered by buttons, contrary to MF283+.
- When OpenWrt initramfs finishes booting, proceed to actual
  installation.

Method 3: using built-in TFTP recovery (NOT RECOMMENDED):
- With that method, ensure you have complete backup of system's NAND
  flash first. It involves deliberately erasing the kernel.
- Download "-initramfs-recovery.bin" image for the device.
- Set up a TFTP server at 192.0.0.1/8. Router will use address
  192.99.44.100.
- Put the image into TFTP server directory, renaming it as
  "root_uImage"
- Deliberately erase "kernel" partition" using stock firmware after
  taking backup. THIS IS POINT OF NO RETURN.
- Restart the device. U-boot will attempt flashing the recovery
  initramfs image, which will let you perform actual installation using
  sysupgrade.
- After U-boot finishes flashing, the device will boot from this image.
  Wait for finishing of bootup, then proceed to actual installation.

STEP 4: Actual installation:
- scp the sysupgrade image to the device:
  scp openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.tar \
  root@192.168.1.1:/tmp/
- ssh into the device and execute sysupgrade:
  sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.tar
- Wait for router to reboot to OpenWrt

Restoring the stock firmware:

Preparation:
If you took your backup using stock firmware, you will need to
reassemble the partitions into images to be restored onto the flash.
The only partitions you really care about are "web", "kernel", and
"rootfs". For easy padding and possibly restoring configuration, you can
concatenate most of them into images written into "ubi" meta-partition
in OpenWrt. To do so, execute something like:

cat mtd5_cfg-param.bin mtd6-oops.bin mtd7-web.bin mtd9-rootfs.bin > \
mtd8-ubi_restore.bin

You can skip the "fota" partition altogether,
it is used only for stock firmware update purposes and can be overwritten
safely anyway. The same is true for "data" partition which on my device
was found to be unused at all.

Method 1: Using initramfs:
- Boot to initramfs as in step 3:
- Completely detach ubi0 partition using ubidetach /dev/ubi0_0
- Look up the kernel and ubi partitions in /proc/mtd
- Copy over the stock kernel image using scp to /tmp
- Erase kernel and restore stock kernel:
  (scp mtd4_kernel.bin root@192.168.1.1:/tmp/)
  mtd write <kernel_mtd> mtd4_kernel.bin
  rm mtd4_kernel.bin
- Copy over the stock partition backups one-by-one using scp to /tmp, and
  restore them individually. Otherwise you might run out of space in
  tmpfs:
  (scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/)
  mtd write <ubiconcat0_mtd> mtd3_ubiconcat0.bin
  rm mtd3_ubiconcat0.bin
  (scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/)
  mtd write <ubiconcat1_mtd> mtd5_ubiconcat1.bin
  rm mtd5_ubiconcat1.bin
- If the write was correct, force a device reboot with
  # reboot -f
Method 3: Using live OpenWrt system (NOT RECOMMENDED):
- Prepare a USB flash drive contatining MTD backup files
- Ensure you have kmod-usb-storage and filesystem driver installed for
  your drive
- Mount your flash drive
  # mkdir /tmp/usb
  # mount /dev/sda1 /tmp/usb
- Remount your UBI volume at /overlay to R/O
  # mount -o remount,ro /overlay
- Write back the kernel and ubi partitions from USB drive
  # cd /tmp/usb
  # mtd write mtd4_kernel.bin /dev/<kernel_mtd>
  # mtd write mtd4_ubi.bin /dev/<kernel_ubi>
- If everything went well, force a device reboot with
  # reboot -f
Method 3 using built-in TFTP recovery (LAST RESORT):
- Assemble a recovery rootfs image from backup of stock partitions by
  concatenating "web", "kernel", "rootfs" images dumped from the device,
  as "root_uImage"
- Use it in place of "root_uImage" recovery initramfs image as in the
  TFTP pre-installation method.

Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota"
MTD partition which may be safely erased after reboot anyway.

Quirks and known issues:
- OpeNWrt Flash layout is TBD, and VERY LIKELY to change, maybe it is
  possible to use sysupgrade from stock firmware to perform
  installation.
- uqmi seems to stick at "waiting for SIM" state, after booting stock
  software. When modem was removed from the device and plugged into
  laptop with ModemManager, it connected successfully there, and
  afterwards uqmi also managed to connect under OpenWrt. Why is that so,
  I have no clue. I also found out, that modem refuses to connect over
  QMI to APN other than configured in its EPS default bearer, available
  at AT+CGDCONT? command. Without that, however, modem happily connects
  over PPP at /dev/ttyUSB2 (its AT port)
- The only usable LED as a "system LED" is the green debug LED hidden
  inside the case. All other LEDs are controlled by modem, on which the
  router part has some influence only on Wi-Fi LED.
- Wi-Fi LED currently doesn't work while under OpenWrt, despite having
  correct GPIO mapping. All other LEDs are controlled by modem,
  including this one in stock firmware. GPIO19, mapped there only acts
  as a gate, while the actual signal source seems to be 5GHz Wi-Fi
  radio, however it seems it is not the LED exposed by ath10k as
  ath10k-phy0.
- GPIO5 used for modem reset is a suicide switch, causing a hardware
  reset of whole board, not only the modem. It is attached to
  gpio-restart driver, to restart the modem on reboot as well, to ensure
  QMI connectivity after reboot, which tends to fail otherwise.
- Modem, as in MF283+, exposes root shell over ADB - while not needed
  for OpenWrt operation at all - have fun lurking around.
- MAC address shift for 5GHz Wi-Fi used in stock firmware is
  0x320000000000, which is impossible to encode in the device tree, so I
  took the liberty of using MAC address increment of 1 for it, to ensure
  different BSSID for both Wi-Fi interfaces.

Tu jest oryginalny obraz routera z sieci DNA do wgrania przez tftp dla MF286: https://dl.eko.one.pl/orig/zte_mf286/DNA/

Raczej nie ma w ogóle prac bo:
- Tam jest modem na nieznanym realteku
- Nikt go jeszcze nie mial w rękach.

Gdyby cos sie działo to powstałby nowy watek w tym temacie i tutaj o nim nie piszemy bo znow bedzie burdel.

@Cezary kolejny stockowy soft z MF286 do kolekcji - z tej samej linii co mój, więc chyba generyczny.
https://3ginfo.ru/downloads2070.html

Zawiera też soft fabrycznego flashowania do modemu i prawdopodobnie wyjaśnił tajemnicę, dlaczego u mnie update na stocku się wywalał - otóż, modem był za nowy dla tego builda i nie łykał update'u, co wywalało całość aktualizacji.

Paczka dla MF286 z kilkoma fabrycznymi softami do frameworka
https://www.szybkiplik.pl/uaKjaNdJ3W

Link wazny 7 dni lub 20 pobrań

wsadź usb i spróbuj wkonać skrypt , któryby zczytywał i zapisywał na usb listę partycji , logread , to wtedy będziesz miał pewność...

Jaśniej masz w PR do wsparcia tego modelu.  Dostań się do oryginalnego softu to będziesz wiedział jakie masz partycje i  który to jest model.

Ale dawno tego nie robiłem.
Jak mam objerzec logi startowe bez rozbierania ?
Chodzi o to by nie rozbierać jak nie potrzeba
Bo jak już rozbiorę to lotto mi czy mam go programować wtedy przez UART czy nie...

nie mogłem tego znaleźć, czyli to to samo, a wydawało mi sie że ma inny początek w nazwie

nie bo to 5V. Jesli juz to ftdi 3232. mozesz probowac na Tx adaptera zapiąć diode zenera 3v do masy ale musisz miec o tym jakiekolwiek pojęcie

Wklej linka tego FT232RL , on jest na usb i powinien mieć wybór napięcia 5v /3,3v i poinien byc ok.
@pawol pomyliłeś chyba max232 i max3232