summaryrefslogtreecommitdiffstats
path: root/_sfp_cage/zyxel.md
diff options
context:
space:
mode:
authorPietro Ameruoso <42093926+pameruoso@users.noreply.github.com>2023-04-27 15:39:12 +0200
committerGitHub <noreply@github.com>2023-04-27 15:39:12 +0200
commit9f7ed4d70363c2ad9e3b5ea3285c7dca20f6aaf5 (patch)
tree48cf677ec89b0e1325f088b806f78fc82280e272 /_sfp_cage/zyxel.md
parentRefactoring EX5601-T0 page (#187) (diff)
downloadhack-gpon.github.io-9f7ed4d70363c2ad9e3b5ea3285c7dca20f6aaf5.tar
hack-gpon.github.io-9f7ed4d70363c2ad9e3b5ea3285c7dca20f6aaf5.tar.gz
hack-gpon.github.io-9f7ed4d70363c2ad9e3b5ea3285c7dca20f6aaf5.tar.bz2
hack-gpon.github.io-9f7ed4d70363c2ad9e3b5ea3285c7dca20f6aaf5.tar.lz
hack-gpon.github.io-9f7ed4d70363c2ad9e3b5ea3285c7dca20f6aaf5.tar.xz
hack-gpon.github.io-9f7ed4d70363c2ad9e3b5ea3285c7dca20f6aaf5.tar.zst
hack-gpon.github.io-9f7ed4d70363c2ad9e3b5ea3285c7dca20f6aaf5.zip
Diffstat (limited to '_sfp_cage/zyxel.md')
-rw-r--r--_sfp_cage/zyxel.md122
1 files changed, 119 insertions, 3 deletions
diff --git a/_sfp_cage/zyxel.md b/_sfp_cage/zyxel.md
index 1710bb7..9259f14 100644
--- a/_sfp_cage/zyxel.md
+++ b/_sfp_cage/zyxel.md
@@ -51,18 +51,134 @@ If `rootubi=ubi2` it means that the active partition is `mtd7`
{% include alert.html content="When you flash a new firmware via the web interface the router will automatically write the new firmware in the inactive partition, hence if the firmware upgrade is successfull it will automatically swap the boot partition at next reboot. If everything is ok you don't have to manually swap partitions" alert="Info" icon="svg-info" color="blue" %}
+## Serial interface
+
+This router has the serial interface pins directly accessible on the board:
+
+{% include image.html file="zyxel-ex5601t0\zyxel_ex5601t0_serial.jpg" alt="EX5601T0 Serial interface" caption="EX5601T0 Serial interface" %}
+
+The serial console speed is 115200.
+
+## ZHAL (Zloader) access
+
+The boot process of this router has multiple stages, long story short we have both u-boot and zloader (ZHAL).
+
+When the router is powered-up u-boot is loaded, u-boot will load zloader which is the zyxel proprietary boot manager.
+
+Zloader allows to manually swap boot partitions (`ubi` and `ubi2`), recover the supervisor password and many additional useful (and dangerous) things.
+
+By default zloader access is blocked.
+
+### Unlock zloader
+
+{% include alert.html content="The following procedure is provided as-is, if you damage the device this community is not responsibile of it in any way." alert="Warning" icon="svg-warning" color="red" %}
+
+1. Open the router case and connect your usb-ttl adapter to the router as show in the picture.
+2. Open putty or any other serial capable software and configure it to use your COMX port with 115200 speed.
+3. Power up the router.
+4. While the router is booting at some point you will read the following: `Please press Enter to activate this console.`
+5. As soon as you read that press enter, type root and than press enter again (just do it, don't care about the logs scrolling).
+6. Most likely the router is still printing the boot log, leave it boot until it stops.
+7. If everything went ok you should have full root access:
+```
+root@EX5601-T0:/#
+```
+8. type the following command and press enter:
+```
+fw_setenv EngDebugFlag 0x1
+```
+9. Reboot the router.
+10. As soon as you read `Hit any key to stop autoboot:` press Enter.
+11. If everything went ok you should have the following prompt:
+```
+ZHAL>
+```
+You have successfully unlocked zloader access, this procedure must be done only once.
+
+{% include alert.html content="There is an alternative procedure to achieve the same, you flash the firmware which gives you root access via ssh and you give the same fw_setenv command from point 8. Still you need the usb to serial adapter to access ZHAL" alert="Info" icon="svg-info" color="blue" %}
+
+
+### Dump supervisor password
+{% include alert.html content="The following procedure is provided as-is, if you damage the device this community is not responsibile of it in any way." alert="Warning" icon="svg-warning" color="red" %}
+
+{% include alert.html content="The supervisor user is the most powerful user that can be used from the web interface. The supervisor password is written in the nand and it's encrypted. To dump the password you must first complete the "Unlock zloader" procedure" alert="Info" icon="svg-info" color="blue" %}
+
+1. Open the router case and connect your usb to serial adapter.
+2. Open putty or any other serial capable software and configure it to use your COMX port with 115200 speed.
+3. Power up the router.
+4. As soon as you read `Hit any key to stop autoboot:` press Enter.
+5. Type the following command and press enter to read the supervisor password:
+```
+atck
+```
+6. The supervisor password will be printed in clear text and can be used on the zyxel webgui.
+7. You can reboot the router by typing the following command and press Enter:
+```
+atsr
+```
+
+### Manually swap the boot partition
+
+{% include alert.html content="The following procedure is provided as-is, if you damage the device this community is not responsibile of it in any way." alert="Warning" icon="svg-warning" color="red" %}
+
+{% include alert.html content="To swap the boot partition you first have to complete the Unlock zloader procedure" alert="Info" icon="svg-info" color="blue" %}
+
+1. Open the router case and connect your usb to serial adapter.
+2. Open putty or any other serial capable software and configure it to use your COMX port with 115200 speed.
+3. Power up the router.
+4. As soon as you read `Hit any key to stop autoboot:` press Enter.
+5. Type the following command sequence to swap the boot partition.
+```sh
+atbt 1 # unlock zhal write
+atsw # swap boot partition
+atsr # reboot the router
+```
+6. The router will boot from the new active partition (ubi or ubi2 depending on the previous active partition).
+7. Check if the active partition has changed with the following command:
+```sh
+cat /proc/cmdline
+```
+
+## Unlock u-boot access
+{% include alert.html content="The following procedure is provided as-is, if you damage the device this community is not responsibile of it in any way." alert="Warning" icon="svg-warning" color="red" %}
+
+{% include alert.html content="To unlock u-boot access you first have to complete the Unlock zloader procedure" alert="Info" icon="svg-info" color="blue" %}
+
+{% include alert.html content="Having full u-boot access can be very dangerous, with great power comes great responsibility." alert="Warning" icon="svg-warning" color="red" %}
+
+Up to today a strange combination of actions must be completed in a special sequence to access the u-boot command line interface.
+
+1. Open the router case and connect your usb to serial adapter.
+2. Open putty or any other serial capable software and configure it to use your COMX port with 115200 speed.
+3. Power up the router.
+4. As soon as you read `Hit any key to stop autoboot:` press Enter to access the ZHAL command line.
+5. Type the following command and press enter:
+```
+atgu
+```
+6. Apparently that command doesn't do anything and the router will reboot itself.
+7. Again for the second time you will read `Hit any key to stop autoboot:`, press Enter again to access ZHAL again.
+8. Type again the following command and press enter:
+```
+atgu
+```
+9. You should now have entered the u-boot command line interface:
+```
+MT7986>
+```
+
## Flashing a firmware or firmware downgrade
{% include alert.html content="The following procedure is provided as-is and if anything goes wrong you will likely need to open the router case and attach a USB serial adapter to the router to recover it.
This community is not responsible of any damage you cause by following these procedures." alert="Warning" icon="svg-warning" color="red" %}
-1. access via ssh to the router with admin user (admin password is printed on the back of the router)
-2. Disable firmware version check and model check by running the following commands
+1. access via ssh to the router with admin user (admin password is printed on the back of the router).
+2. Disable firmware version check and model check by running the following commands.
```
zycli fwidcheck off
zycli modelcheck off
```
-3. You can close the ssh console, do not reboot the router
+3. You can close the ssh console, do not reboot the router.
4. Open the router web interface and in the maintenance/firmware upgrade section select the "Restore Default Settings After Firmware Upgrade" option.
5. Select choose file to select the firmware file you want to upload and click Upload.
6. The router will automatically reboot and should get back up on 192.168.1.1