Kitz Forum
Broadband Related => Broadband Hardware => Topic started by: dmcdonnell on May 10, 2014, 11:54:02 AM
-
This device is branded by some ISPs. The unbranding method here is generic, it will replace the ISP locked firmware with the latest ZyXel firmware. You need serial access to the device, it takes time to transfer 23Mb via serial. If you mess up, you will brick your device and that is your responsibility.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.05.10 11:35:41 =~=~=~=~=~=~=~=~=~=~=~=
CFE>
CFE> ATSH <---- Dump Manufacturer Info
FW Version : 1.32(VQG.4)b2
External Version : 1.00(AAHA.4)b2
Bootbase Version : V1.59 | 02/01/2013 17:48:02
Vendor Name : MitraStar Technology Corp.
Product Model : DSL-2492GNU-B1B
Serial Number : S130Y11094800
WPA-PSK : 47ee8e55e21e
First MAC Address : 000000000000
Last MAC Address : 00000000000B
MAC Address Quantity : 12
Default Country Code : EB
Boot Module Debug Flag : 00
RootFS Checksum : ae3bc848
ImageDefaultChecksum : a2095f79
Main Feature Bits : 00
Other Feature Bits :
4d 53 60 09 00 00 00 00-00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00-00 00 00 00 00 00
*** command status = 0
CFE>
CFE> ATSE DSL-2492GNU-B1B <---- Generate Random Seed Number for Product Model
00023E000000
OK
*** command status = 0
Enter seed number (00023E000000) in ZynPass or here: http://www.tonycool.es/zyxel/zynpass_en.htm
to generate password
CFE>
CFE> ATEN 1, 10F0A59F <---- Unlock the Device with password
OK
*** command status = 0
CFE>
CFE> ATWZ EC43F6470F58, 01, 01, 00, 0C <---- Set MAC addr, Country, EngDbgFlag, FeatureBit, # of MACs
MAC address : 0C:43:F6:47:0F:58 <---- This is not an error, 1st byte changes
Country Code : 01
EngDebugFlag : 01
FeatureBit : 00
MAC Number : 0C
*** command status = 0
CFE>
CFE> ATHE <---- List the, now extended, Command Set
Available commands:
ATMC Bootup device with SMT rom file
ATSW Show WPAPSK or change WPAPSK
ATMT reduce manufacture bootup time for wireless calibration
ATHV write Hardware Version to flash ROM
ATSN write Series Number to flash ROM
ATPA set wireless power index
ATWZ write MAC addr, Country code, EngDbgFlag, FeatureBit, MAC Number to flash ROM
ATSE show the seed of password generator
ATEN set BootExtension Debug Flag
ATCR Clear console screen
ATBT block0 write enable
ATTE Restore to TE configuration
ATRD xmodem upload ROM-D
ATLC xmodem upload defaultcfg
ATSH dump manufacturer related data in ROM
ATUB xmodem upload bootloader
ATUR xmodem upload router firmware to flash ROM
ATUW xmodem upload flash image to flash ROM
ATIR Set ImageDefault to ROM-D partition
ATER Erase ROM-D partition
ATBL Print boot line and board parameter info
ATAF Change board AFE ID
ATBP Change board parameters
ATIP Change booline parameters
ATDU Dump memory or registers.
ATWW Set memory or registers.
ATBR Reset to default Romfile
ATGO boot router
ATSR system reboot
ATTB Write the cfe image into flash
ATTR upload router firmware to flash ROM from TFTP Client
ATTW Write the whole image start from beginning of the flash
ATNR Reinitialize NAND flash
ATRM Dump flash data
ledhon Turn on the specific LED with high
ledhof Turn off the specific LED with high
ledlon Turn on the specific LED with low
ledlof Turn off the specific LED with low
ledh Blink all LEDs with pulling high
ledl Blink all LEDs with pulling low
ATMB Use for multiboot.
ATRT Test memory.
ATHE print help
For more information about a command, enter 'help command-name'
*** command status = 0
CFE>
CFE> ATBT 1 <---- Enable write
OK
*** command status = 0
CFE>
CFE> ATUR <---- Starts xModem update, you need to send the firmware file to the device n go for a coffee
-
Excellent. Well done for figuring out how to do this. :dance:
I take it that you now have an ex-eircom F1000 router running on your line as an unlocked ZyXel VMG8324-B10A
Out of interest what do you think? Stats and performance any better than the BT modem?
-
I take it that you now have an ex-eircom F1000 router running on your line as an unlocked ZyXel VMG8324-B10A
Yes, but via ADSL as, sadly, I am not yet on fibre. Thank you for the firmwares. Greatly appreciated.
-
...I take it that you now have an ex-eircom F1000 router running on your line as an unlocked ZyXel VMG8324-B10A
I do now :)
We switched ISP from Vodafone to Eircom a couple of days back to get fibre. Eircom provided a new locked F1000 which I replaced this morning with the unbranded F1000. I then followed your instructions for VDSL - Note that the VLAN settings required for Eircom are different:
802.1p should be 0 (zero)
802.1q should be 10
I am no expert an VDSL, below are the stats. I hope to unbrand my 2 remaining locked F1000s this pm.
============================================================================
VDSL Training Status: Showtime
Mode: VDSL2 Annex B
VDSL Profile: Profile 17a
Traffic Type: PTM Mode
Link Uptime: 0 day: 0 hour: 12 minutes
============================================================================
VDSL Port Details Upstream Downstream
Line Rate: 16.355 Mbps 34.813 Mbps
Actual Net Data Rate: 16.356 Mbps 34.814 Mbps
Trellis Coding: ON ON
SNR Margin: 9.0 dB 15.8 dB
Actual Delay: 0 ms 0 ms
Transmit Power: 2.3 dBm 12.3 dBm
Receive Power: -17.3 dBm -9.6 dBm
Actual INP: 29.0 symbols 30.0 symbols
Total Attenuation: 19.5 dB 21.9 dB
Attainable Net Data Rate: 17.234 Mbps 58.375 Mbps
============================================================================
VDSL Band Status U0 U1 U2 U3 D1 D2 D3
Line Attenuation(dB): 4.6 27.8 41.1 N/A 13.5 34.8 53.3
Signal Attenuation(dB): 4.6 27.1 39.8 N/A 18.1 34.5 53.3
SNR Margin(dB): 9.0 9.0 9.0 N/A 15.7 15.7 15.8
Transmit Power(dBm):-13.0 - 3.1 0.5 N/A 8.4 7.8 6.2
============================================================================
VDSL Counters
Downstream Upstream
Since Link time = 12 min 3 sec
FEC: 39 0
CRC: 0 0
ES: 0 0
SES: 0 0
UAS: 0 0
LOS: 0 0
LOF: 0 0
LOM: 0 0
Latest 15 minutes time = 12 min 32 sec
FEC: 39 0
CRC: 0 0
ES: 0 0
SES: 0 0
UAS: 29 29
LOS: 0 0
LOF: 0 0
LOM: 0 0
Previous 15 minutes time = 0 sec
FEC: 0 0
CRC: 0 0
ES: 0 0
SES: 0 0
UAS: 0 0
LOS: 0 0
LOF: 0 0
LOM: 0 0
Latest 1 day time = 12 min 32 sec
FEC: 39 0
CRC: 0 0
ES: 0 0
SES: 0 0
UAS: 29 29
LOS: 0 0
LOF: 0 0
LOM: 0 0
Previous 1 day time = 0 sec
FEC: 0 0
CRC: 0 0
ES: 0 0
SES: 0 0
UAS: 0 0
LOS: 0 0
LOF: 0 0
LOM: 0 0
Total time = 12 min 32 sec
FEC: 39 0
CRC: 0 0
ES: 0 0
SES: 0 0
UAS: 29 29
LOS: 0 0
LOF: 0 0
LOM: 0 0
============================================================================
-
We switched ISP from Vodafone to Eircom a couple of days back to get fibre.
Excellent :)
I hope to unbrand my 2 remaining locked F1000s this pm.
Let us know how it goes.
-
Hi have got down to were you upload the new firmware but have not succeeded. can you please tell me how to do this
-
.. can you please tell me how to do this
It depends.
On Windoze you need a terminal emulator that supports xmodem file transfer protocol to send the firmware file once you have entered the final CFE command:
....
CFE> ATBT 1 <---- Enable write
OK
*** command status = 0
CFE>
CFE> ATUR <---- Starts xModem update, you need to send the firmware file to the device..
I don't have Windoze so you'll have to google it but there are several free softwares that should work. Once you get to the point that the ZyXel is waiting for the firmware, find the command to send the file via xmodem in the software you choose.
On linux, I followed the advice below which works fine.
the best way to pass a file through xmodem is to use 'sx'. In debian this application is part of 'lrzsz' package.
In debian:
apt-get install screen lrzsz
screen /dev/ttyUSB0 115200
Then press Ctrl-A followed by : and type:
exec !! sx yourbinary.bin
This will send the file to ttyUSB0 over xmodem protocol
-
FYI, I spotted a post on OpenWRT forums: https://forum.openwrt.org/viewtopic.php?id=50968
"I have managed to flash OpenWRT to my 963168VX_P400 board". Not much information, I have asked the OP for further details, namely how to build an image in OWRT Trunk.
The board id on the ZyXel VMG8324-B10A is 963168VX, according to the bootlog, http://pastebin.com/kaS2Md2D
Sadly, of course, xDSL is never likely to be supported under OpenWRT on this board.
-
Finally found some information of the Feature Bits that can be set from CFE on ZyXel hardware. Posting here for reference.
;/************************************************************************
; *
; * Copyright (C) 2008 ZyXEL Communications, Corp.
; * All Rights Reserved.
; *
; * ZyXEL Confidential; Need to Know only.
; * Protected as an unpublished work.
; *
; * The computer program listings, specifications and documentation
; * herein are the property of ZyXEL Communications, Corp. and shall
; * not be reproduced, copied, disclosed, or used in whole or in part
; * for any reason without the prior express written permission of
; * ZyXEL Communications, Corp.
; *
; *************************************************************************/
;/*
;** $Log: MRD format $
;** Initial revision
;*/
;
;Parameter file format:
;
;Start # of Data Parameters
;Addr Param Type
;----- ------ ------ ----------
;<Hex> <Dec> 1(Str)
; 2(Hex)
;
;typedef struct mrd
;{
;uint8 VendorName[32];
1feb8 26 1 ZyXEL Communications Corp. ;
;uint8 ProductName[32];
1fed8 13 1 P-2812HNUL-F1
;uint8 EtherAddr;
1fef8 * 2 00 13 49 11 66 88
;uint8 CountryCode;
1fefe * 2 ff ff
;uint8 FeatureBits[256];
1ff00 * 2 06 00 00 04 ; [00] ~ [03]: Model ID (0xff means unknown)
1ff04 * 2 19 ; [04] : ImagePlan (0xff means unknown)
; Bit 0: Double Image (0: No double image, 1: support double image)
; Bit 1: Image Upgrade Mechanism (0: full function, 1: rescue function)
; Bit 2: Support device tree (0: No, 1: Yes)
; Bit 3: Kernel and RootFS is merged into one RAS image(0: No, 1: Yes)
; Bit 4: Double MRD_CERT (0: single MRD_CERT, 1: support double MRD_CERT)
; Bit 5 ~ Bit 7: Reserved
1ff05 * 2 01 ; [05] : Flash Number (1: one flash, 2: two flash)
1ff06 * 2 00 ff f8 00 ; [06] ~ [09]: Image version of max upgrade count for double image use
1ff0a * 2 01 ; [10] : Engineer debug flag (0: disable, 1: enable)
1ff0b * 2 00 ; [11] : Embed Flag (embed rootfs into kernel image. 0: kernel and rootfs separate, 1: kernel combination with rootfs)
1ff0c * 2 01 ; [12] : model ID checking flag (0:disable checking, 1:enable checking)
1ff0d * 2 00 ; [13] : Reserved
1ff0e * 2 00 ; [14] : Reserved
1ff0f * 2 00 ; [15] : Reserved
1ff10 * 2 00 00 00 00 ; [16] ~ [19] : Reserved
1ff14 * 2 00 00 00 00 ; [20] ~ [23] : Reserved
1ff18 * 2 00 00 00 00 ; [24] ~ [27] : Reserved
1ff1c * 2 00 00 00 00 ; [28] ~ [31] : Reserved
1ff20 * 2 01 ; [32] : NORPageSize (0: 8K, 1:64K, 2:128K for device tree update)
1ff21 * 2 08 ; [33] : MAC Address Quantity
1ff22 * 2 00 00 00 ; [34] ~ [36] : HW Version
1ff25 13 1 fffffffffffff ; [37] ~ [50] : Serial Number
1ff33 * 2 00 ; [51] : Main feature bits
1ff34 * 2 ff ff ff ff ; [52] ~ [75]: DDR calibration data
1ff38 * 2 ff ff ff ff ;
1ff3c * 2 ff ff ff ff ;
1ff40 * 2 ff ff ff ff ;
1ff44 * 2 ff ff ff ff ;
1ff48 * 2 ff ff ff ff ;
1ffff * 2 00 ; [76] ~ [255]: Reserved
;}
;/[code]
-
You seem to be doing pretty well, but some of this stuff is bit over my head when it comes to hacking the router, hence me not being able to contribute.
Keep up the good work :)
-
Serial access is very simple for anyone with a USB to TTL serial cable. The router board can be removed easily and it has a serial header in place - no soldering.
Using putty on Linux, or kitty :) on windoze, you can watch it boot and hit any key to get to the CFE. I should very much like to see the output of the ATSH command on the OEM ZyXel.
From an f1000:
CFE> ATSH <---- Dump Manufacturer Info
FW Version : 1.32(VQG.4)b2
External Version : 1.00(AAHA.4)b2
Bootbase Version : V1.59 | 02/01/2013 17:48:02
Vendor Name : MitraStar Technology Corp.
Product Model : DSL-2492GNU-B1B
Serial Number : S130Y11094800
WPA-PSK : 47ee8e55e21e
First MAC Address : 000000000000
Last MAC Address : 00000000000B
MAC Address Quantity : 12
Default Country Code : EB
Boot Module Debug Flag : 00
RootFS Checksum : ae3bc848
ImageDefaultChecksum : a2095f79
Main Feature Bits : 00
Other Feature Bits :
4d 53 60 09 00 00 00 00-00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00-00 00 00 00 00 00
-
Serial access is very simple for anyone with a USB to TTL serial cable. The router board can be removed easily and it has a serial header in place - no soldering.
Using putty on Linux, or kitty :) on windoze, you can watch it boot and hit any key to get to the CFE.
And as that should be done without the device being connected to the VDSL2 circuit, it is something well within Kitz' ability. ;)
-
I dont have a USB to TTL serial cable :/
Aside from that the OEM VMG8324's are now exceedingly hard to get hold of. They seem to be out of stock in the UK Although I do have a couple of other brand VDSL routers and a couple of modems, the Zyxel is easily my favourite of the lot (and the one I saved my pennies up for), so its the one which Id be most nervous about opening up for fear of breaking something. I may at some point open one of the other routers, but Im not an electronics fiddler type person when it comes to router internals. :(
-
I dont have a USB to TTL serial cable :/
Aside from that the OEM VMG8324's are now exceedingly hard to get hold of. They seem to be out of stock in the UK Although I do have a couple of other brand VDSL routers and a couple of modems, the Zyxel is easily my favourite of the lot (and the one I saved my pennies up for), so its the one which Id be most nervous about opening up for fear of breaking something. I may at some point open one of the other routers, but Im not an electronics fiddler type person when it comes to router internals. :(
Understood. :)
-
Could you please provide the USB to TTL color code to connect with F1000 modem. Do we need any driver for connecting this to windows 7.
In F1000 I can see 4 pins (1,2,3,4,5 - 4 is missing) in my usb cable there is Gren, Black, White and Red cables.
-
There are some excellent photos with that information: http://tjworld.net/wiki/Zyxel/VDSL_IAD
-
Thank you.. The normal usb cable is coming with 5v (http://www.bifelectronic.com/images/PL2303HXcable.jpg) but this one is 3.3v how can we solve that.
-
Take good look at the link I posted. Right next to the photo of the header, TJ writes:
The voltage levels are 3.3 volt CMOS (Complimentary Metal-Oxide Silicon). I connected the serial port to a PC using a CMOS to TTL (Transistor-Transistor Logic) MAX3232-based converter and a serial-to-USB MCT-U232-based converter.
You can get one on the net, e.g. ebay, for a few quid. I use one from sparkfun electronics and have had no problem with it.
-
Thank you..You mean these two
http://www.ebay.ie/itm/MAX3232-RS232-Serial-Port-to-TTL-Converter-Module-DB9-Connector-3-3-5V-Input-/261492982129?pt=UK_BOI_Electrical_Components_Supplies_ET&hash=item3ce2324171
http://www.ebay.ie/itm/MCT-U232-Male-USB-to-RS232-DB9-Plug-Play-Smart-cable-LI-/330785740568?pt=UK_BOI_Electrical_Components_Supplies_ET&hash=item4d045dd718
-
Thank you.. The normal usb cable is coming with 5v (http://www.bifelectronic.com/images/PL2303HXcable.jpg) but this one is 3.3v how can we solve that.
You only connect the Tx, Rx & Gnd leads to the PCB. The +5V lead is left unconnected as the PCB is powered by its own PSU.
There are many TTL to USB devices (http://www.ebay.co.uk/sch/i.html?_from=R40&_trksid=p2055119.m570.l1313.TR5.TRC2.A0.H0.XTTL+to+USB&_nkw=TTL+to+USB&_sacat=0) available.
-
http://www.ebay.co.uk/itm/USB-to-RS232-TTL-PL2303HX-Cable-Adapter-COM-Module-Converter-Adapter-for-Arduino-/350900210088?pt=UK_Computing_Other_Computing_Networking&hash=item51b34849a8
Ordered this one. Hope this will work...
-
That looks purrfect for the task. ;)
-
Got the cable. It detected as 'Prolific USB-to-Serial Comm Port' Thank you all for the help. Hope I can unbrand the eFiber modem with help of this cable.
Downloaded the new firmware from Zyxel.
Connected 3 cables ie TX, RX and Ground with external power connected
Via Putty Change Serial Line to COM3 and Speed to 115200 with serial connection but nothing is showing after connect.
In Linux
anu@Personal ~ $ lsusb
Bus 002 Device 003: ID 8087:07da Intel Corp.
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0c45:648d Microdia
Bus 001 Device 003: ID 0bda:0129 Realtek Semiconductor Corp. RTS5129 Card Reader Controller
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 002: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
-
In windows you need to install the right driver to get most "usb to serial" to work.
-
The driver is installed and it is detecting but I cant able to connect via putty
EDIT:
After changing RX and TX I can able to see the boot process but it stuck
[ENTERING]:icf_es_init
[ICF_ES]:PORT initalized succesfully
icf_port_open_ipc_channel path = /var/iptk_es.chanl
the open channel succeded
exit from the es init
ssk:error:32.154:lck_checkBeforeEntry:171:lock reBOS: Enter bosInit
quired during cmBOS: Exit bosInit
sObj_getNextInSuendpoint_open COMPLETED
bTreeFlags
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (3840 buckets, 15360 max)
xt_time: kernel timezone is -0000
nf_ct_rtsp: registering helper for port 554
nf_nat_rtsp: init success
ip6_tables: (C) 2000-2006 Netfilter Core Team
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
S
-
Press the space bar a few times at the beginning of boot and it will drop to the CFE command prompt.
-
Thank you Now I'm in command prompt after few trial. How can I update the factory firmware to this modem. I'm in windows.
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi59.tinypic.com%2F242bs49.png&hash=86629b15d6bf56fb95eaca7076f3d89af805440f)
I do have linux but im not an expert
anu@Personal ~ $ lsusb
Bus 002 Device 003: ID 8087:07da Intel Corp.
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0c45:648d Microdia
Bus 001 Device 003: ID 0bda:0129 Realtek Semiconductor Corp. RTS5129 Card Reader Controller
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 002: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
anu@Personal ~ $ dmesg | grep tty
[ 0.000000] console [tty0] enabled
[ 10.498168] usb 3-1: pl2303 converter now attached to ttyUSB0
-
From cfe in windows you can unlock it. Read the instuctions in first post.
You can flash the firmware from Linux, a few posts back tells you how to do that:
apt-get install screen lrzsz
screen /dev/ttyUSB0 115200
Then press Ctrl-A followed by : and type:
exec !! sx yourbinary.bin
This will send the file to ttyUSB0 over xmodem protocol
-
From cfe in windows you can unlock it. Read the instuctions in first post.
You can flash the firmware from Linux, a few posts back tells you how to do that:
apt-get install screen lrzsz
screen /dev/ttyUSB0 115200
Then press Ctrl-A followed by : and type:
exec !! sx yourbinary.bin
This will send the file to ttyUSB0 over xmodem protocol
Thanks for the reply, But in linux I cant able to connect using screen command.
I tried using ExtraPutty in windows and I can able to transfer the file using xmodem and xmodem 1 but in both case the transfer stop in between.
If you could able to help for connecting the device in linux then I can able to follow the reset of the steps. Thanks...
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi59.tinypic.com%2Fao3iux.png&hash=c0978e5b76727d356e13a881154701eed6d51997)
-
I don't know why it stops half way in windows, strange.
In some Linux you need to do
sudo screen /dev/ttyUSB0 115200
-
I don't know why it stops half way in windows, strange.
In some Linux you need to do
sudo screen /dev/ttyUSB0 115200
Thank you so much... Everything works fine... :)
Is it necessary to use ATWZ command while unbranding?
-
ATWZ is used to set the parameters listed, including Debug mode. You can change your bootloader also, if you wish, to a ZyXel built CFE. https://forum.openwrt.org/viewtopic.php?pid=246561#p246561
-
ATWZ is used to set the parameters listed, including Debug mode. You can change your bootloader also, if you wish, to a ZyXel built CFE. https://forum.openwrt.org/viewtopic.php?pid=246561#p246561
Thank you. After unbranding I tried to update the latest firmware from this forum via normal way but it is not allowing to do that. Do I have to flash new firmware from CFE? Why it is not allowing even after flashing zyxel firmware once.
-
Did you set cfe debug mode? Did you flash the ZyXel bootloader? Which firmware are you trying to flash?
-
Did you set cfe debug mode? Did you flash the ZyXel bootloader? Which firmware are you trying to flash?
Thanks for your time and help...
Steps that I did
CFE> ATSH
CFE> ATSE DSL-2492GNU-B1B
Then navigate to http://www.tonycool.es/zyxel/zynpass_en.htm site and generate the password
CFE> ATEN 1, password
CFE> ATBT 1
CFE> ATUR
From Another terminal trafered the V100AAKL0C0.bin file xModem
This is the firmware that I tried in normal way after the above steps.
http://forum.kitz.co.uk/index.php?topic=13930.0
-
If you did not set Debug mode, as per the instructions, you have not unlocked the bootloader.
-
If you did not set Debug mode, as per the instructions, you have not unlocked the bootloader.
Thank you I'm confused about that step. In that step you provided mac address along with some other values, where can I get all those values. Sorry about noob questions.
ATWZ write MAC addr, Country code, EngDbgFlag, FeatureBit, MAC Number to flash ROM
CFE> ATSH
FW Version : 1.00(AAKL.0)
External Version : 1.00(AAKL.0)
Bootbase Version : V1.63 | 09/17/2013 18:14:25
Vendor Name : MitraStar Technology Corp.
Product Model : VMG8324-B10A
Serial Number : S140Y08003094
WPA-PSK : 5386bb4b1d22
First MAC Address : 107BEFF381B3
Last MAC Address : 107BEFF381BE
MAC Address Quantity : 12
Default Country Code : EB
Boot Module Debug Flag : 00
RootFS Checksum : 9a6c81f3
ImageDefaultChecksum : 011e4a14
Main Feature Bits : 00
Other Feature Bits :
4d 53 60 09 00 00 00 00-00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00-00 00 00 00 00 00
*** command status = 0
ATWZ mac (I have the mac address printed in the modem), Country code EB, DebugFlag 00, Feature Bit 00, Mac number of Flash ROM ( Whats that)
ATWZ 107xxxxxxxxB3, EB, 00, 00, #of mac ?
-
If you did not set Debug mode, as per the instructions, you have not unlocked the bootloader.
Thank you I'm confused about that step. In that step you provided mac address along with some other values, where can I get all those values. Sorry about noob questions.
ATWZ write MAC addr, Country code, EngDbgFlag, FeatureBit, MAC Number to flash ROM
CFE> ATSH
FW Version : 1.00(AAKL.0)
External Version : 1.00(AAKL.0)
Bootbase Version : V1.63 | 09/17/2013 18:14:25
Vendor Name : MitraStar Technology Corp.
Product Model : VMG8324-B10A
Serial Number : S140Y08003094
WPA-PSK : 5386bb4b1d22
First MAC Address : 107BEFF381B3
Last MAC Address : 107BEFF381BE
MAC Address Quantity : 12
Default Country Code : EB
Boot Module Debug Flag : 00
RootFS Checksum : 9a6c81f3
ImageDefaultChecksum : 011e4a14
Main Feature Bits : 00
Other Feature Bits :
4d 53 60 09 00 00 00 00-00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00-00 00 00 00 00 00
*** command status = 0
ATWZ mac (I have the mac address printed in the modem), Country code EB, DebugFlag 00, Feature Bit 00, Mac number of Flash ROM ( Whats that)
ATWZ 107xxxxxxxxB3, EB, 00, 00, #of mac ?
Feature bits are unknown for this model. I see no public data. However, we're not changing any. Simply follow the command in the instructions, with your Mac address rather than the one in the example. I recommend flashing the ZyXel bootloader, ATUB does that over xmodem. It will enable you to flash future ZyXel firmwares from GUI.
The number of MAC addresses is 12, decimal, 0c in hex. 01 sets the debug bit and you can use whatever country code you wish.
-
If you did not set Debug mode, as per the instructions, you have not unlocked the bootloader.
Thank you I'm confused about that step. In that step you provided mac address along with some other values, where can I get all those values. Sorry about noob questions.
ATWZ write MAC addr, Country code, EngDbgFlag, FeatureBit, MAC Number to flash ROM
CFE> ATSH
FW Version : 1.00(AAKL.0)
External Version : 1.00(AAKL.0)
Bootbase Version : V1.63 | 09/17/2013 18:14:25
Vendor Name : MitraStar Technology Corp.
Product Model : VMG8324-B10A
Serial Number : S140Y08003094
WPA-PSK : 5386bb4b1d22
First MAC Address : 107BEFF381B3
Last MAC Address : 107BEFF381BE
MAC Address Quantity : 12
Default Country Code : EB
Boot Module Debug Flag : 00
RootFS Checksum : 9a6c81f3
ImageDefaultChecksum : 011e4a14
Main Feature Bits : 00
Other Feature Bits :
4d 53 60 09 00 00 00 00-00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00-00 00 00 00 00 00
*** command status = 0
ATWZ mac (I have the mac address printed in the modem), Country code EB, DebugFlag 00, Feature Bit 00, Mac number of Flash ROM ( Whats that)
ATWZ 107xxxxxxxxB3, EB, 00, 00, #of mac ?
Feature bits are unknown for this model. I see no public data. However, we're not changing any. Simply follow the command in the instructions, with your Mac address rather than the one in the example. I recommend flashing the ZyXel bootloader, ATUB does that over xmodem. It will enable you to flash future ZyXel firmwares from GUI.
The number of MAC addresses is 12, decimal, 0c in hex. 01 sets the debug bit and you can use whatever country code you wish.
Thank you now cleared.
-
Did everything as you suggested but still getting error while trying to update firmware.
Image uploading failed. The selected file contains an illegal model id.
Base Mac Address is now showing 000000000000
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host (f/h) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Boot image (0=latest, 1=previous) : 0
Board Id (0-14) : 963168VX
Number of MAC Addresses (1-32) : 12
Base MAC Address : 00:00:00:00:00:00
PSI Size (1-128) KBytes : 128
Enable Backup PSI [0|1] : 0
System Log Size (0-256) KBytes : 0
Main Thread Number [0|1] : 0
Voice Board Configuration (0-5) :
-
Any help?
-
Any help?
I dont know how you got rid of the MAC address but it is easy to fix. Please follow all of the commands below in full in the sequence they occur:
CFE> atse DSL-2492GNU-B1B
0002F675DEAC
OK
*** command status = 0
CFE> aten 1, 910F0873 <---- USE the password generator http://www.tonycool.es/zyxel/zynpass_en.htm
OK
*** command status = 0
CFE>atbt 1
OK
*** command status = 0
CFE>
Now you need to upload the ZyXel Bootloader via xmodem. You have done xmodem before. The file is here: https://www.dropbox.com/s/rdt1cpc15br0c3c/cfe63268nand128_Release.bin?dl=0
CFE> ATUB cfe63268nand128_Release.bin
When the upload is done do the following commands:
CFE>ATWZ EC43F6470F58, 01, 01, 00, 0C
MAC address : 0C:43:F6:47:0F:58
Country Code : 01
EngDebugFlag : 01
FeatureBit : 00
MAC Number : 0C
*** command status = 0
CFE> atbp
Press: <enter> to use current value
'-' to go previous parameter
'.' to clear the current value
'x' to exit this command
963268SV1 ------ 0
963268MBV(obsolete) ------ 1
963168VX ------ 2
963268BU ------ 3
963268BU_P300 ------ 4
963168MBV_17A ------ 5
963168MBV_30A ------ 6
963168XH ------ 7
963168MP ------ 8
963268V30A ------ 9
963168MEDIA ------ 10
963268SV2 ------ 11
963168XFG3 ------ 12
963168XF ------ 13
963168MXH_17A ------ 14
Board Id (0-14) : 2
Number of MAC Addresses (1-32) : 12
Base MAC Address : 0c:43:f6:47:0f:58 10:7f:ef:75:de:ac <--- Enter your MAC address
PSI Size (1-128) KBytes : 128
Enable Backup PSI [0|1] : 0
System Log Size (0-256) KBytes : 0
Main Thread Number [0|1] : 0
Press: <enter> to use current value
'-' to go previous parameter
'.' to clear the current value
'x' to exit this command
SI3217X -- 0
VE890_INVBOOST -- 1
LE88506 -- 2
SI32267 -- 3
LE88536_ZSI -- 4
LE88266 -- 5
Voice Board Configuration (0-5) : 1
Resetting board...HELO
Interrupt the boot and upload the ZyXel firmware. Try to do this by entering ip address 192.168.1.1 in your PC browser. You may have to set your PC ip address to 192.168.1.100 to achieve this. If it does not work for you, use the
CFE> ATUR
command to send the firmware by xmodem.
-
Thank you for your reply but from the first step itself I'm getting error. :(
[codeCFE> atse DSL-2492GNU-B1B
ERROR
*** command status = -1
CFE>
]
-
It seems you have already flashed a new bootloader? I have not seen this before:
Vendor Name : MitraStar Technology Corp.
Product Model : VMG8324-B10A
Is this an F1000 or something else?
Change
atse DSL-2492GNU-B1B
to
atse VMG8324-B10A
and proceed through the rest of the commands, please.
-
FW Version : V1.00(AAKL.0)
Bootbase Version : V1.60 | 05/10/2013 10:23:51
Vendor Name : MitraStar Technology Corp.
Product Model : VMG8324-B10A
Serial Number : S140Y08003094
First MAC Address : 000000000000
Last MAC Address : 00000000000B
MAC Address Quantity : 12
Default Country Code : EB
Boot Module Debug Flag : 00
RootFS Checksum : 9a6c81f3
ImageDefaultChecksum : 011e4a14
Main Feature Bits : 00
Other Feature Bits :
4d 53 60 09 00 00 00 00-00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00-00 00 00 00 00 00
*** command status = 0
CFE> atse VMG8324-B10A
ERROR
*** command status = -1
CFE>
It is F1000
Yes I flashed the boot loader before as you suggested but after that the mac address changed to 00.... Before flashing boot loader the mac was fine.
Same error :(
CFE> fwselect show
Version in first partition: 1.00(AAHA.4)D0
Version in second partition: 1.00(AAKL.0)
*** command status = 0
CFE>
These are the available commands showing
CFE> athe
Available commands:
ATSE show the seed of password generator
ATEN set BootExtension Debug Flag
ATCR Clear console screen
ATSH dump manufacturer related data in ROM
ATUR xmodem upload router firmware to flash ROM
FWSELECT Select partition to read/write image or show FW vers
ion
ATIR Set ImageDefault to ROM-D partition
ATER Erase ROM-D partition
ATBL Print boot line and board parameter info
ATDU Dump memory or registers.
ATBR Reset to default Romfile
ATGO boot router
ATSR system reboot
ATMB Use for multiboot.
ATHE print help
For more information about a command, enter 'help command-name'
*** command status = 0
Checking Reset button on EXT INTR 0
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host (f/h) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Boot image (0=latest, 1=previous) : 0
Board Id (0-14) : 963168VX
Number of MAC Addresses (1-32) : 12
Base MAC Address : 00:00:00:00:00:00
PSI Size (1-128) KBytes : 128
Enable Backup PSI [0|1] : 0
System Log Size (0-256) KBytes : 0
Main Thread Number [0|1] : 0
Voice Board Configuration (0-5) :
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 1
Port 4 link UP 1
web info: Waiting for connection on socket 0.
CFE>
-
Boot Module Debug Flag : 00It is F1000
Yes I flashed the boot loader before as you suggested but after that the mac address changed to 00.... Before flashing boot loader the mac was fine.
Same error :(
So you flashed the new bootloader without ever having unlocked the device. I know this because of Boot Module Debug Flag : 00
We had a lengthy exchange, you and I, on the need to do the commands listed in the instructions but you decided not to despite our subsequent discussion. This command is particular sets DEBUG mode. You only need to do it once ever:
ATWZ EC43F6470F58, 01, 01, 00, 0C <---- Set MAC addr, Country, EngDbgFlag, FeatureBit, # of MACs
You may appreciate that I feel somewhat frustrated, having spent considerable time on this with you. 10 days ago I wrote:
If you did not set Debug mode, as per the instructions, you have not unlocked the bootloader.
Now, I really dont know how to help you. The ATSE command is listed on your F1000 but it wont accept either product name. Try:
ATEN 1, 10F0A563
but I doubt it will work.
I attach a PDF with a complete log of the unlock of an Eircom F1000 as well as the bootloader and firmware update in the hope that others will avoid your fate.
-
Thanks for your reply I did exactly same
ATWZ EC43F6470F58, 01, 01, 00, 0C <---- Set MAC addr, Country, EngDbgFlag, FeatureBit, # of MACsas you suggested...But dont know why...
-
You really spend so many hrs to help me, I really appreciate your help thanks a lot.
I think it is working now. Will let you know the result...
EDIT: Everything working good, updated the latest firmware
Thank you so much for your help. @dmcdonnell
-
You really spend so many hrs to help me, I really appreciate your help thanks a lot.
I think it is working now. Will let you know the result...
EDIT: Everything working good, updated the latest firmware
Thank you so much for your help. @dmcdonnell
Well done!
-
You really spend so many hrs to help me, I really appreciate your help thanks a lot.
I think it is working now. Will let you know the result...
EDIT: Everything working good, updated the latest firmware
Thank you so much for your help. @dmcdonnell
Well done!
:) Did the second modem without any error.
Do you know the exact model of eircom D1000 zyxel?
-
Hello gents
Thank you for instructions how to unbrand that fine box.
I was able to push latest existing firmware (V100AAKL6b1) but I still do not see VOIP section.
Am I missing something?
-
:) Did the second modem without any error.
Do you know the exact model of eircom D1000 zyxel?
The only one it looks remotely anything like is the P-660HNU
http://www.zyxel.com/products_services/p_660hnu_f1.shtml?t=p
-
Hello gents
Thank you for instructions how to unbrand that fine box.
I was able to push latest existing firmware (V100AAKL6b1) but I still do not see VOIP section.
Am I missing something?
Have you ever been able to see the VoIP section on any of the firmwares?
-
Just to confirm that my F1000 which was from dmcdonnell does indeed show a VOIP option at the bottom of that screen.
Stuart
-
Sorry everyone
Last night I was to tired to think about obvious. After hard reset all functions came up ;D
Thank you very very much for that.
I can enjoy my new router. Will see today is eVision from Eircom will work through that box.
-
Hello gents
Thank you for instructions how to unbrand that fine box.
I was able to push latest existing firmware (V100AAKL6b1) but I still do not see VOIP section.
Am I missing something?
According to TJWorld webpage "... It has 2 RJ12 ports for analogue telephone devices which are supported by the two integrated Microsemi VE890 LE89156 "Single Channel FXS VoicePort?" (Foreign Exchange Subscriber) to provide VoIP (Voice over Internet Protocol) services to analogue terminals (telephone or facsimile)...".
From CFE, the ATBP command sets board parameters. I select the VE890_Invboost option for voice board. The VOIP option is then available in config.
You must Reset to Defaults after flashing, or issue the CFE command ATBR to erase the Eircom config. I do not have this in the PDF guide. I will add it and some pics n update later.
-
Greetings to all , I have a Zyxel P8701T and would like to introduce another firmware on it. Despite not speaking English , I understood that through the procedure will be possible for me to do this . My doubts : The USB cable for TTS will work with Win8 ? I do not speak a word of English , I used Google translator. Can I count on your help ? I thank you .
-
Hi
Unfortunately I can not seem to find anything about the Zyxel P8701T and if it uses Broadcom chipset. The Zyxel website is broken for me in the UK.
The only thing I can find is that the P8701T appears to only be available to the Spanish ISP Movistar and is also branded by a couple of Brazilian or Portugese ISPs and branded Vivo. Any limited information is either in Spanish or Portuguese which Im afraid I dont understand.
The first stage of finding out if the router can be hacked would be finding out which DSL chipset it uses and then find out if the firmware is similar to any other router.
Having seen an image of the router and also a user manual from here (http://www.movistar.es/rpmm/estaticos/residencial/fijo/banda-ancha-adsl/manuales/router-inalambrico-vdsl2/Manufacturer-User-Home-Station-VDSL2-Zyxel-P8701T.pdf), neither the router case nor the web GUI looks anything like the VMG8324 so Im not sure if the firmware would be compatible.
-
Hi
Unfortunately I can not seem to find anything about the Zyxel P8701T and if it uses Broadcom chipset. The Zyxel website is broken for me in the UK.
The only thing I can find is that the P8701T appears to only be available to the Spanish ISP Movistar and is also branded by a couple of Brazilian or Portugese ISPs and branded Vivo. Any limited information is either in Spanish or Portuguese which Im afraid I dont understand.
The first stage of finding out if the router can be hacked would be finding out which DSL chipset it uses and then find out if the firmware is similar to any other router.
Having seen an image of the router and also a user manual from here (http://www.movistar.es/rpmm/estaticos/residencial/fijo/banda-ancha-adsl/manuales/router-inalambrico-vdsl2/Manufacturer-User-Home-Station-VDSL2-Zyxel-P8701T.pdf), neither the router case nor the web GUI looks anything like the VMG8324 so Im not sure if the firmware would be compatible.
Good morning Kitz , thanks for the reply , my intention is just to get a router with compatible hardware , to change the firmware. The VMG 1312-B10A is simila do not know if it would be compatible . I am posting some pictures of the chips , perhaps with them it is easier to help. I appreciate any help .
-
Hi,
More images. DSL Chip: Broadcom BCM 63168 UKFEBG.
-
DSL Chip: Broadcom BCM 63168
Well it uses the same chipset so thats a good start at least. Im afraid I dont know much about hacking routers as its not something that I normally do (not clever enough). I was hoping someone else may have perhaps picked up on this and been able to give some advice.
Sorry that I personally cant help any further.
-
Greetings to all , I have a Zyxel P8701T and would like to introduce another firmware on it. Despite not speaking English , I understood that through the procedure will be possible for me to do this . My doubts : The USB cable for TTS will work with Win8 ? I do not speak a word of English , I used Google translator. Can I count on your help ? I thank you .
Hello Hector,
From what I read at ZyXel, your P8701T is a VMG1312-B10A. You can get a recent firmware here: ftp://certified@ftp.zyxel.it/firmware/VMG1312/
The unlock method in my guide might well work for you. If you connect to CFE via USB-TTL serial cable, try
ATSE VMG1312-B10A
or
ATSE P8701T
to see it it will generate a SEED that will get you a password here: http://www.tonycool.es/zyxel/zynpass_en.htm
I do not have a P8701T so it is difficult to assist you.
-
Hi,
I wanted to thank dmcdonnell for the instructions on how to unbrand this eircom router. Have flashed Boot Loader and Firmware. Works great now!
Cheers,
Chris.
-
Hi,
I wanted to thank dmcdonnell for the instructions on how to unbrand this eircom router. Have flashed Boot Loader and Firmware. Works great now!
Cheers,
Chris.
Chris,
Thank you and well done! I'm delighted to hear of your success.
Dermot.
-
For P-2812HNU-F1 vT (Telenor), I cannot get through ATSE invalid argument part.
I tried various versions of argument for ATSE, and no one was working.
ATSE P-2812HNUL-F1
ZLD Version: V3.10(TUL.4)
Bootbase Version: V3.03|11/19/2012(TUL)
-
Hello everybody, outstanding work going on in here!
I am from Argentina, received a Zyxel VMG1312-B10B modem router and trying to get rid of Telecomīs firmware.
Achieved some success: by following Dermotīs tutorial, could unlock bootbase and upload AAJZ7C0 firmware from Zyxel. Very usable now, but I wanted to update bootbase (previously read from memory block 0 and edited to avoid "Illegal Model ID" when uploading new firmware from webGUI) but received ERROR in CFE shell after transferring 131072 bytes correctly.
Any help, ideas, suggestions?
Thanks in advance.
Martin
-
More info about situation:
VMG1312-B10B is almost the same as VMG1312-B10A (except for externals and for having only one USB port), Zyxel firmware releases are for both of them.
This is ATSH output:
CFE> atsh
FW Version : V1.00(AAJZ.7)C0
Bootbase Version : V1.59 | 05/20/2013 14:07:14
Vendor Name : ZyXEL Communications Corp.
Product Model : VMG1312-B10B
Serial Number : S143118005838
First MAC Address : 5CF4ABB7BEF2
Last MAC Address : 5CF4ABB7BEFB
MAC Address Quantity : 10
Default Country Code : C6
Boot Module Debug Flag : 01
RootFS Checksum : d2d4f141
ImageDefaultChecksum : 68d54d73
Main Feature Bits : 00
Other Feature Bits :
4d 53 40 20 00 00 00 00-00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00-00 00 00 00 00 00
*** command status = 0
This is the routerīs behaviour when trying to upload bootbase modified with "13" instead of "20" in Other Feature Bits:
CFE> atub x.bin
Starting XMODEM upload (CRC mode)....
CCCCCC
Receive completed, start to write flash...
OK
Total 131072 (0x20000)bytes received
ERROR
*** command status = -1
CFE>
Router still working the same, no problems appeared.
Bootbase made dumping flash data with ATRM 0, then hex-editing.
Thanks in advance for your reading and helping.
-
[...]
screen /dev/ttyUSB0 115200
[...]
Hey dmcdonnell I just wanted to say thanks for this post (and introducing me to the lrzsz utility). I work for an ISP with a boat load of VMG8924-B10A's (and one VMG8324-B10A, but we decided to go with the other version) around our office and knowing there is a way we can reflash them is handy... although it seems unlocking ours isn't required, still testing various options.
That other web site mentioned using screen in this way (instead of yours), is there any difference do you know? (maybe XMODEM goes quicker?)
screen -L /dev/ttyUSB0 115200,cs8,istrip
Steven
-
dmcdonnell - many thanks for the guide. Was able to follow it and un-brand an F1000 without any problems :thumbs:
-
the http://www.tonycool.es/zyxel/zynpass_en.htmis dead, I guess it got pulled? :(
-
the http://www.tonycool.es/zyxel/zynpass_en.htmis dead, I guess it got pulled? :(
Looks like it.... just when there are a load of these routers on the bay for cheap prices....
-
Is buying a branded router and flashing still a realistic proposition?
Just asking before I buy yet another router...!
TIA
David
[Moderator edited. A small typo fix.]
-
the http://www.tonycool.es/zyxel/zynpass_en.htmis dead, I guess it got pulled? :(
https://web.archive.org/web/20160305162208/http://www.tonycool.es/zyxel/zynpass_en.htm
Enjoy
-
Hi guys i'm trying to do the same with mine VMG8823-B50B it's rebranded by an italian company who doesn't like to upddate the routers firmware
i got to the UART port for now [youtube]https://youtu.be/m902i0FXZrU[/youtube]
-
Hi guys i'm trying to do the same with mine VMG8823-B50B it's rebranded by an italian company who doesn't like to upddate the routers firmware
May I suggest you read this brief and excellent thread http://forum.kitz.co.uk/index.php/topic,17361.0.html. Kitz user Iam_TJ has written software to edit the header of ZyXel firmware. It is easy to take the latest ZyXel firmware for the vmg8324-b10 and turn it into an Eircom F1000 compatible firmware that can be flashed without unbranding the F1000.
His approach may work for you. Good luck.
-
Thanks! looks like that's my new favourite thread xD
-
Hey Luigi, just wondering if you've got any good news about this modem: were you able to update the firmware and remove the Infostrada customization?