Author Topic: ZyXEL VMG3925-B10B Lockout  (Read 2489 times)

tiffy

  • Kitizen
  • ****
  • Posts: 1328
ZyXEL VMG3925-B10B Lockout
« on: June 04, 2020, 08:09:39 AM »

Obtained a "new" ZyXEL VMG3925-B10B modem/router from e-bay at a very good price, seller guaranteed it was not an ex ISP model, on checking this certainly appeared to be the case.

Initial GUI access with admin/1234, PW requested changing to min. 8 mixed characters, accepted.
Followed this very informative post for detailed guidance:
https://forum.kitz.co.uk/index.php/topic,20006.msg350991.html#msg350991

The unit was running V5.13(AAVF.10)C0 firmware which was not showing a BusyBox prompt on Telnet access.
Loaded V5.13(AAVF.7)C0 FW which did permit BusyBox access, successfully extracted and cracked the supervisor PW..

Now decided to check the latest available FW V5.13(AAVF.13)C0, found this had the later ZyXEL GUI interface which I had experienced before on my ZyXEL VMG1312-B10D, not to my liking, also did not permit BusyBox access.

Experimented with FW revisions and established that V5.13(AAVF.9)B0 was the latest rev. that permitted BusyBox access and still had the original ZyXEL GUI which I prefer.
Note: The admin & supervisor PW's remained the same during all the FW changes.
Also noted that FW changes from newer to older revisions usually had to be done in sequence, ie. moving back by more than one step produced a "not valid" file error.

Last move was migration from FW V5.13(AAVF.10)B0 to V5.13(AAVF.9)B0, this appeared to proceed normally but now found I could not access the GUI at any level with any password !
Tried the push button reset procedure, power down/re-boot etc. but no joy, locked out.
Obviously can't get BusyBox access either without a PW..

So, do I now have to go down the serial interface route ?
If so will clearing "ROM D" restore default admin access ?
Is the FW corrupted and if so how can I reload ?   

Logged
Vodafone FTTP 200/28, VF THG3000 Hub
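The revision strings quoted in the post above do not sort correctly as plain text (".10" sorts before ".9"), which matters when checking which units in an inventory run a revision that still exposes the BusyBox shell, or when planning the one-step-at-a-time downgrade the post describes. The following is an added example, not part of the original post or ZyXEL's tooling; the function names are hypothetical and the revision-9 shell cut-off is only the observation reported in the post.

```python
import re
from typing import NamedTuple

# Matches the strings quoted in the thread, e.g. "V5.13(AAVF.10)C0".
_FW_RE = re.compile(r"^V\.?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)([A-Z]\d+)$")

class Firmware(NamedTuple):
    major: int
    minor: int
    model_code: str   # "AAVF" in every string the post quotes
    revision: int     # the number the post calls the "rev."
    build: str        # trailing "B0" / "C0"

def parse_fw(text: str) -> Firmware:
    m = _FW_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, code, rev, build = m.groups()
    return Firmware(int(major), int(minor), code, int(rev), build)

def shell_reported(fw: Firmware) -> bool:
    # Assumption taken from the post: revision 9 was the last with BusyBox.
    return fw.model_code == "AAVF" and fw.revision <= 9

def downgrade_path(images, current, target):
    """Images to flash, newest first, never skipping one that is held."""
    held = {parse_fw(s): s for s in images}
    cur, tgt = parse_fw(current), parse_fw(target)
    if cur.model_code != tgt.model_code:
        raise ValueError("images are for different model codes")
    if tgt not in held or tgt >= cur:
        raise ValueError("target must be a held image older than current")
    steps = sorted((v for v in held if tgt <= v < cur), reverse=True)
    return [held[v] for v in steps]

# Constructed inventory using only revision strings that appear in the thread.
IMAGES = ["V5.13(AAVF.7)C0", "V5.13(AAVF.9)B0",
          "V5.13(AAVF.10)B0", "V5.13(AAVF.13)C0"]

if __name__ == "__main__":
    print(max(IMAGES), "<- newest by plain string comparison (wrong)")
    print(max(IMAGES, key=parse_fw), "<- newest by parsed revision")
    for name in downgrade_path(IMAGES, IMAGES[-1], IMAGES[0]):
        print(name, "BusyBox reported:", shell_reported(parse_fw(name)))
```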

banger

  • Kitizen
  • ****
  • Posts: 1187
  • TTB 80/20
Re: ZyXEL VMG3925-B10B Lockout
« Reply #1 on: June 04, 2020, 09:29:33 AM »

At least you can see the GUI. I tried downgrading the firmware after reading the 5ghz had problems on the latest firmware and it disappeared from my system. No amount of fiddling could get access to the GUI although it appeared to boot I just couldn't access the GUI or telnet.
Logged
Tim
talktalkbusiness.net & freenetname
Asus RT-AC68U and ZyXEL VMG1312-B10A Bridge on 80 Meg TTB Fibre

https://www.thinkbroadband.com/speedtest/1502566996147131655

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: ZyXEL VMG3925-B10B Lockout
« Reply #2 on: June 04, 2020, 09:43:33 AM »

Does the 20-sec poke work on this unit?

ie. turn off / poke reset hole / turn-on / wait (~20-sec) until flashing led goes solid / release poker / then you get a recovery page at http://192.168.1.1

That works for a VMG1312-B10A but don’t know about other models.
Logged

tiffy

  • Kitizen
  • ****
  • Posts: 1328
Re: ZyXEL VMG3925-B10B Lockout
« Reply #3 on: June 04, 2020, 10:55:47 AM »

At least you can see the GUI. I tried downgrading the firmware after reading the 5ghz had problems on the latest firmware and it disappeared from my system. No amount of fiddling could get access to the GUI although it appeared to boot I just couldn't access the GUI or telnet.

Well not really, only get to the GUI login page when it won't accept any password for any ID.
Wonder have you tried any serial connection solutions or is the unit still bricked ?
Very disappointed, thought I did so well achieving supervisor access.

@Weaver:
Yes, tried the 20 sec. + long reset, green power LED keeps flashing and only goes steady on when re-booted again, definitely no recovery screen produced.

Trying to open the case to explore serial interface options, have removed the 4 back screws (2 under the label) but case still won't open, can't see how I can achieve this without damage, any tips or ideas ?
Logged
Vodafone FTTP 200/28, VF THG3000 Hub

digbey

  • Member
  • **
  • Posts: 59
Re: ZyXEL VMG3925-B10B Lockout
« Reply #4 on: June 04, 2020, 11:31:52 AM »

Just simply prise apart the two halves of the case. There are a number of moulded clips on the inside of the case but they seem quite sturdy. Once you manage to insert a prising tool and work your way along until you feel one clip give way, it's usually easy after that. With the back towards me, I started at the top right hand corner.

After that it's straight forward as the serial interface is clearly labelled.

Good luck.
Logged

tiffy

  • Kitizen
  • ****
  • Posts: 1328
Re: ZyXEL VMG3925-B10B Lockout
« Reply #5 on: June 04, 2020, 12:57:56 PM »

Just simply prise apart the two halves of the case. There are a number of moulded clips on the inside of the case but they seem quite sturdy. Once you manage to insert a prising tool and work your way along until you feel one clip give way, it's usually easy after that. With the back towards me, I started at the top right hand corner.

After that it's straight forward as the serial interface is clearly labelled.

Good luck.

Many thanks for the tips.
Used a thin pallet knife borrowed from the wife's art tools, top and sides not too bad but bottom is a real bu**er, no clips broken, only sign of entry should be the 2 holes in the back label for access to the case screws.
As you say, serial header is well identified and easily accessible, just like the 1312-B10D I unlocked previously.

Now to see if the situation is retrievable via serial interface or have I produced a brick !
Logged
Vodafone FTTP 200/28, VF THG3000 Hub

tiffy

  • Kitizen
  • ****
  • Posts: 1328
Re: ZyXEL VMG3925-B10B Lockout
« Reply #6 on: June 04, 2020, 03:51:08 PM »

With USB/serial converter have interrupted boot routine and reached CFE> prompt.
However, cannot get any further, "ATSE VMG3925" command produces an error so can't display the seed to decode and so proceed to the next step "ATEN 1, {code}" to unlock the enhanced CFE commands.

Any suggestion to get around this ?
Is there anything I can do with the limited, available CFE commands ?
ATMB,ATSH,ATGO,ATSE,ATEN,ATPH,ATBL,ATSR,ATUR,ATHE
Logged
Vodafone FTTP 200/28, VF THG3000 Hub

digbey

  • Member
  • **
  • Posts: 59
Re: ZyXEL VMG3925-B10B Lockout
« Reply #7 on: June 04, 2020, 04:38:29 PM »

Oh I forgot, I had the same problem, somewhere on the forum I found the answer.
Try "ATSE VMG3926" apparently it's a very similar model using the same firmware.
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: ZyXEL VMG3925-B10B Lockout
« Reply #8 on: June 04, 2020, 06:17:29 PM »

I believe the following is the full list of Broadcom CFE commands for a ZyXEL VMG3925-B10C . . .

ATDC                Disable Check Model Mechanism.
ATBB                Mark/unmark the Block X to be bad block.
ATCMP               Compare the contents at start address X and Y with Length Z
ATLD                Download data with file name X to memory address Y from PC via TFTP
ATRB                Load the CFERAM to run by TFTP or UART!
ATDS                Dump data of spare area in block X`s page Y
ATRF                Read/Dump flash data
ATER                Erase NAND flash from block X to block Y
ATWF                Write data from RAM to flash
ATRT                Test memory.
ATCR                reset to default, erase Data partition
ATCD                Erase ROM-D partition
ATCM                Erase ROMFILE partition
ATWZ                write (a)MAC addr, (b)Country code, (c)EngDbgFlag, (d)FeatureBit, (e)MAC Number to NVRAM
ATCO                set Country Code to NVRAM.
ATSN                set Series Number to NVRAM.
ATSH                dump manufacturer related data from NVRAM
ATGO                Run program from flash image or from host depend on [f/h] flag.
ATSE                show the seed of password generator
ATEN                set BootExtension Debug Flag
ATBT                block0 write enable
ATPH                Set/Get PHY`s registers.
ATWW                Set memory or registers.
ATDU                Dump memory or registers.
ATBL                Print boot line and board parameter info
ATIP                Change booline parameters
ATAF                Change board AFE ID
ATBP                Change board parameters
ATSR                System reboot
ATUM                Upload ROMFILE to flash from TFTP
ATUD                Upload ROM-D to flash from TFTP
ATUB                Upload bootloader to flash from TFTP
ATUR                Upload router firmware to flash from TFTP
ATUW                Write the whole image start from beginning of the flash from TFTP
ATHE                print help
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


banger

  • Kitizen
  • ****
  • Posts: 1187
  • TTB 80/20
Re: ZyXEL VMG3925-B10B Lockout
« Reply #9 on: June 04, 2020, 06:44:52 PM »

Well not really, only get to the GUI login page when it won't accept any password for any ID.
Wonder have you tried any serial connection solutions or is the unit still bricked ?
Very disappointed, thought I did so well achieving supervisor access.

I haven't tried serial connection as it doesn't seem worth it as the 5ghz is broken so it's a brick.
Logged
Tim
talktalkbusiness.net & freenetname
Asus RT-AC68U and ZyXEL VMG1312-B10A Bridge on 80 Meg TTB Fibre

https://www.thinkbroadband.com/speedtest/1502566996147131655

tiffy

  • Kitizen
  • ****
  • Posts: 1328
Re: ZyXEL VMG3925-B10B Lockout
« Reply #10 on: June 04, 2020, 08:16:49 PM »

Oh I forgot, I had the same problem, somewhere on the forum I found the answer.
Try "ATSE VMG3926" apparently it's a very similar model using the same firmware.

Fantastic, that worked, displayed the PW seed, cracked with ZynPass, cleared ROM-D, reset, logged in to GUI with default PW "1234", back in business, thank you so much, would never have guessed that "ATSE VMG3926" permutation in a million years.
As a bonus, my supervisor PW has remained the same, no need to re-crack.

Before gaining access to the full CFE command listing found that I could re-load/change the firmware using the "ATUR" command, putty serial connection and Tftpd64 utility, didn't get me back into the GUI but definitely did change the FW revision.

Thanks to b*cat for the full CFE command listing, will store for future reference.

Will stick with V.5.13(AAVF.9)C0 FW as it's the last revision on the old ZyXEL GUI with BusyBox shell.

Still no idea what went wrong and caused the lock out, I had gone up and down FW revisions quite a few times yesterday before settling on Rev.9 not aware of doing anything different on the last change prior to lock out.

@banger:
You should try to recover your unit unless of course the 5G Wi-Fi is a game changer for you, clearing ROM-D seems to be the key factor in restoration of GUI access.

Once again, thanks to all for the interest, help and support.

Edit: Changed incorrectly listed CFE ATLD command to ATUR.
« Last Edit: June 04, 2020, 08:23:24 PM by tiffy »
Logged
Vodafone FTTP 200/28, VF THG3000 Hub

banger

  • Kitizen
  • ****
  • Posts: 1187
  • TTB 80/20
Re: ZyXEL VMG3925-B10B Lockout
« Reply #11 on: June 04, 2020, 09:51:22 PM »

@tiffy I was having lots of problems with 5ghz dropping out is mainly why I changed firmware as I googled about the 5ghz problem and came across a Zyxel forum user who was having the same problem. But once I downgraded that was it and even with static IP I couldn't access the GUI. I have a new Asus with 3 year warranty which has replaced it so I don't think it is worth trying.
Logged
Tim
talktalkbusiness.net & freenetname
Asus RT-AC68U and ZyXEL VMG1312-B10A Bridge on 80 Meg TTB Fibre

https://www.thinkbroadband.com/speedtest/1502566996147131655

tiffy

  • Kitizen
  • ****
  • Posts: 1328
Re: ZyXEL VMG3925-B10B Lockout
« Reply #12 on: June 05, 2020, 08:56:02 AM »

@tiffy I was having lots of problems with 5ghz dropping out is mainly why I changed firmware as I googled about the 5ghz problem and came across a Zyxel forum user who was having the same problem. But once I downgraded that was it and even with static IP I couldn't access the GUI. I have a new Asus with 3 year warranty which has replaced it so I don't think it is worth trying.

Yes, the FW downgrade scenario sounds exactly what happened to my unit, was moving from Rev.10 to Rev.9 when the "lock out" occurred.
5G. Wi-Fi won't really be an issue to me at present even if it turns out to be not the best performer available.
Noted that the USB port appears to be USB-3 (judging by colour) was only expecting USB-2 so that's a bonus.

After a recent bad experience with an Asus RT-AC68U which I had to return to Amazon, I now intend to put the 3925-B10B into router only service on my line retaining my old faithful 1312-B10A as modem, this will fulfill my current modest requirements for a 2 box setup at a much cheaper cost than an Asus or Netgear router replacement, will also have the added bonus that it can be put into modem/router service should anything happen to my 1312-B10A.
Logged
Vodafone FTTP 200/28, VF THG3000 Hub