Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: manny2003 on January 12, 2017, 10:03:14 AM

Title: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 12, 2017, 10:03:14 AM
Sorry guys, is there a way to get the supervisor password of a VMG8924-B10A unbranded router?
I would like to be able to log in with supervisor but the password is unknown. I think it is an auto-generated password, maybe on MAC or serial... at Zyxel they should have a keygen for this I suppose to recover the password for each unit.

I do not like the idea that I totally own a router that has a supervisor user with a password that I do not know and that someone else does and that I cannot even change.  :no:

Many thanks!
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: roseway on January 12, 2017, 10:47:38 AM
If it's unbranded, you should be able to reset it to the factory defaults - login name = admin, password = 1234. With the device switched on and fully booted, press the reset button at the back and hold it down for 10 seconds or until the PWR/SYS LED starts blinking. Leave it to reboot, then log in again using the default credentials.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: rhohne on January 12, 2017, 11:27:05 AM
Default username/password combinations are
    admin/1234
    zyuser/1234
    supervisor/zyad1234
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 12, 2017, 12:44:11 PM
I'd like to know this too as I have an ex John Lewis 8924 that I don't know the Supervisor password for.
I've unbranded it as much as I can (cleared ROMD) but still have missing features.
The Supervisor user exists as it tells me so if I try to create a new user with that name.
 
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: roseway on January 12, 2017, 01:18:28 PM
The admin login is all you need. If you can log in with this you should be able to load one of the standard firmware versions and reset it to the defaults.

Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 12, 2017, 01:23:47 PM
Thanks Roseway but unfortunately that hasn't worked for me.
I have cleared the ROMD (which got rid of the John Lewis default account settings), reloaded V15 firmware from the Zyxel site and then pin-hole reset.
I still can't login as Supervisor and still have options missing (no VOIP or TR064/069 menus to name two).
 :(
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 12, 2017, 02:22:56 PM
If it's unbranded, you should be able to reset it to the factory defaults - login name = admin, password = 1234. With the device switched on and fully booted, press the reset button at the back and hold it down for 10 seconds or until the PWR/SYS LED starts blinking. Leave it to reboot, then log in again using the default credentials.

Thank you roseway, but unfortunately there is a difference between the 2 users. supervisor is a sort of root user in the system. It can access through the GUI a screen where it can enable or disable the access to the various menu items of the GUI, also for admin users. Some menus are hidden by default from the admin too.
Furthermore the supervisor user has a longer list of CLI commands and can enter shell mode with the command "sh" without session timeout. It is the user that runs all the processes on the router and that has access to all the system resources as a root user.
It is used in case the router is the property of the ISP to let them have a super-admin role.

Default username/password combinations are
    admin/1234
    zyuser/1234
    supervisor/zyad1234

Thank you rhohne, you are right! I always used the zyad1234 initially but then at a certain point in the firmware release cycle they changed this. They did it because people were complaining about the fact that the superuser's existence is not declared in the manual and in any case the password is not officially distributed. This way the admin tends to ignore its existence and to leave open a possible security breach. In order to keep this user as a Zyxel or ISP privilege they keep it hidden but from a certain version of the firmware the password is now generated through a kind of algorithm that Zyxel can use to find the password of a certain unit (I think based on the serial number).
In fact I was no longer able to log in with supervisor for the last year after firmware updates.
The superuser password is not restored after a factory reset (it should be stored elsewhere than the standard config and admin user password). This is what I have experienced personally and I have asked Zyxel support many times regarding these credentials. I asked if it was possible to have them since I am the owner of my unbranded router, but they replied this was not possible due to internal policy. I did not see the point since if the password is unique per unit there would be no security issue in giving me my router password. I asked then if they could at least assure me that the password was at least effectively unique and they told me that it is set by the ISP or if unbranded randomly generated, so yes.
I gave up and stopped using the supervisor user, but I have now received a new unit and wanted to run some CLI commands I cannot use with simple admin and for this reason I was asking here if someone knows something about the supervisor password.

In an incredibly stupid way, I did not test the good old zyad1234 on this new router... and I should have done it because... IT WORKS!
So... I do not know what to think about the Zyxel support's version about the randomly generated password and the security reason to have it random, I do not know why the first router has lost the default superuser password that I was not able to reset even with the factory rear button procedure... but at least on this new unit I can access as supervisor. Shame on me for not having tried this default password before on the new router!  :blush:


Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 12, 2017, 02:39:48 PM
Thanks Roseway but unfortunately that hasn't worked for me.
I have cleared the ROMD (which got rid of the John Lewis default account settings), reloaded V15 firmware from the Zyxel site and then pin-hole reset.
I still can't login as Supervisor and still have options missing (no VOIP or TR064/069 menus to name two).
 :(

As I said in a previous post the credentials for superuser do not seem to be reset via the factory reset procedure.
You can try to hack the config file in order to enable some menu items you do not actually see.
Save your config via the backup procedure in the GUI of your router then open the .conf file and search for the string "<Name>Administrator</Name>". You should see immediately above it a <Privilege> key in XML format. I copy paste mine, where all the menu items should be enabled. Try to replace yours with mine, I did it this way in order to enable some features that were disabled since I lost my superuser access on an old router and it worked.

<Privilege>broadband,wireless,homeNetworking,routing,qos,nat,dns,igmpSetting,vlangroup,intfGrp,usbService,powerManagement,firewall,macFilter,parentalControl,schedulerRule,certificates,ipsecVPN,pptpVPN,sip,phone,callRule,callHistory,lineTest,log,trafficStatus,voipStatus,arpTable,routeTable,igmpGroupStatus,xdslStatistics,3gStatistics,system,userAccount,remoteMGMT,tr069Client,tr064,snmp,time,emailNotification,logSetting,firmwareUpgrade,configuration,reboot,disagnostic,wizard</Privilege>

I do not see any danger in trying this, configuration can always be reset via the factory restore, but please do it on your own responsibility  :-[
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 12, 2017, 03:20:26 PM
I've just tried this supervisor on my 8924 and it works. One difference is that with the supervisor under Maintenance/System there is a romd option screen where you can clear and save configuration to romd. Also as has been said the available screens can be set via an option on the initial screen called Login Privilege and there is indeed very little that the admin user does not have, romd being one and that cannot be added. Next I'll see what happens on my F1000/8324 and see if it works.

Stuart
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 12, 2017, 03:31:26 PM
Just tested the F1000 which is running V15 f/w and the supervisor p/w works OK. The romd option is not there on the 8324 with supervisor login but everything else is and login privilege works as well for setting admin and user screens.

Stuart
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 12, 2017, 03:47:45 PM
Interestingly I just tried clearing the romd from telnet and then did a restoredefault and now I am unable to login with the supervisor and zyad1234, it says either username or password is invalid. admin still works and prompts for p/w change from the default of 1234 but no supervisor access. This is an ex EIRCOM F1000.

Not too bothered as I only keep it as a backup but would be good to get supervisor login working again.

Stuart
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 12, 2017, 04:16:45 PM
manny2003,

Thanks - I'll give that a go when I have a few minutes spare - it should be safe enough and it wouldn't be the end of the world if I bricked it.

broadstairs,

That's very interesting and suggests that the Supervisor credentials are held in romd.
Do you have a saved config file that you can reload as it'd be good to see if that restores access.
 :)
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 12, 2017, 04:27:46 PM
As far as I know regarding the supervisor password it is not in fact, as I have previously stated, in the .conf file we can back up. It is just a supposition, but it seems like the zyad1234 is working on my new router because it comes with an older firmware release (before the pwd was changed to something unique per unit) and I have not made any factory reset after the firmware update.

On my older router this was the case and I was locked out from the supervisor account. It seems like there is a procedure that generates and changes the supervisor password if you make a factory reset on a more recent firmware, but that this procedure is not run if you just update the firmware.
In any case I do not like this fact. I am the owner of my router and I am locked out, but instead people at Zyxel or whoever could understand how to recover this password can access my router because there is a secret supervisor user with a password I cannot change.  :(
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 12, 2017, 04:38:48 PM
This is only an issue if the access is available from the WAN, however we don't know if there is a back door which they can use. However there are no open ports on my 8924. Interestingly my 8924 is an original Zyxel ie. not ISP provided and has been reset a number of times although not since I installed V15 f/w on it.

The F1000 is obviously ISP originally supplied. Since it is only a backup I can play with it to see if I can guess the password. I did try the serial number but it's not that.

On the basis the password is on a per unit basis then ZyXEL are only likely to be able to access it if they have the physical device unless it is related to the serial number which is the only thing they would have knowledge of.

Stuart
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 12, 2017, 04:58:34 PM
Yes broadstairs, it is only an issue if you have WAN remote access enabled, and this is the reply Zyxel gave me, but what if you need to have it enabled? I would like to have the possibility to remotely connect to my router and be confident at the same time that I am the only person who can access the router. I do not suspect any interest from the Zyxel support in accessing someone else's router for fun, but from a security point of view (and imagine on an enterprise perspective) this is not really acceptable.

zyad1234 that I am not aware of and that I cannot even imagine I have to change is a security flaw.
On the other hand a randomly generated password that only Zyxel knows is better, but why should I accept that Zyxel can have access to my router without my permission?
They accessed my router for assistance reasons once, and now knowing the serial and the IP they can log in whenever they want, without giving me the chance to lock them out in any other way than by removing the remote access (that I would like to use for myself). Maybe this would not be a concern in 99% of the cases, but I find this a little unfair as a security principle.

Regarding your unbranded router, I had my supervisor password lost after resetting to factory, but only when this was firstly done on a firmware version greater than 10 or 11 I think.
I suppose the serial is taken into consideration but only for generating a password from it. Only someone that had experience in reverse engineering the firmware could confirm how this is handled.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 12, 2017, 05:15:22 PM
Looking at the release notes for the firmware it appears that the Supervisor password becomes auto generated in V11.
I wonder if loading V10 and then defaulting it would put it back to zyad1234?
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: burakkucat on January 12, 2017, 07:28:20 PM
A couple of comments with regards to my ZyXEL VMG1312-B10D.

There are four entries in the password file --

root:$1$Vdupzo4w$vdXS8BpFfwJrHRbKbSn4S1:0:0:root:/home/root:/bin/sh
supervisor:$1$uG75nx3n$AxoIv1tn.4JJcql3ZhHDj.:12:12:supervisor:/home/supervisor:/bin/sh
admin:$1$3pK.WT/B$5NCl1sB7vIuwU6Oem74TA.:21:21:admin:/home/admin:/bin/sh
nobody:x:99:99:nobody:/nonexistent:/bin/false

Every official firmware release has contained a rom file, along with the bin and pdf files. Using the latest firmware package as an example, it contains --

V5.11(AAXA.4)C0.bin
V5.11(AAXA.4)C0.pdf
V5.11(AAXA.4)C0.rom
VMG1312-B10D_V5.11(AAXA.4)C0-foss.pdf

Whether it is relevant or useful . . .  :shrug2:
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 13, 2017, 12:00:13 AM
Looking at the release notes for the firmware it appears that the Supervisor password becomes auto generated in V11.
I wonder if loading V10 and then defaulting it would put it back to zyad1234?
It could be possible... but probably will not revert the password. It is just my opinion but I think that before the version 10 no action will be taken by the firmware on the password, so the actual generated password will not be replaced. What I would like to understand is that if this is the case how Zyxel would reset the supervisor password if they remain locked out for some reason?
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 13, 2017, 12:06:44 AM
A couple of comments with regards to my ZyXEL VMG1312-B10D.

There are four entries in the password file --

root:$1$Vdupzo4w$vdXS8BpFfwJrHRbKbSn4S1:0:0:root:/home/root:/bin/sh
supervisor:$1$uG75nx3n$AxoIv1tn.4JJcql3ZhHDj.:12:12:supervisor:/home/supervisor:/bin/sh
admin:$1$3pK.WT/B$5NCl1sB7vIuwU6Oem74TA.:21:21:admin:/home/admin:/bin/sh
nobody:x:99:99:nobody:/nonexistent:/bin/false

Every official firmware release has contained a rom file, along with the bin and pdf files. Using the latest firmware package as an example, it contains --

V5.11(AAXA.4)C0.bin
V5.11(AAXA.4)C0.pdf
V5.11(AAXA.4)C0.rom
VMG1312-B10D_V5.11(AAXA.4)C0-foss.pdf

Whether it is relevant or useful . . .  :shrug2:
It is possible that the rom file is where the supervisor password is stored but I have rarely found the rom file in the firmware package.
Maybe using the rom file along with the firmware 10 could restore the old default password in case of downgrade.

Title: Re: VMG8924-B10A unbranded supervisor password
Post by: burakkucat on January 13, 2017, 06:17:48 PM
Please remember that I am referring to a VMG1312-B10D in the following . . .

A quick check of where in the rom file certain key words appear shows --

[Duo2 Firmware]$ grep -in cwmp *rom
478:    "EnableCWMP": true,
491:    "CWMPRetryMinimumWaitInterval": 5,
492:    "CWMPRetryIntervalMultiplier": 2000,
[Duo2 Firmware]$ grep -in root *rom
2067:            "Username": "root",
[Duo2 Firmware]$ grep -in supervisor *rom
2077:            "Username": "supervisor",
[Duo2 Firmware]$ grep -in admin *rom
2092:            "Username": "admin",
[Duo2 Firmware]$ grep -in nobody *rom
[Duo2 Firmware]$

Lines 478 to 509, inclusive, are --

Code:
    "EnableCWMP": true,
    "URL": "",
    "X_ZYXEL_FallbackURL": "",
    "X_ZYXEL_URLChangedViaOption43": false,
    "Username": "",
    "Password": "changeme",
    "PeriodicInformEnable": false,
    "PeriodicInformInterval": 86400,
    "PeriodicInformTime": "0001-01-01T00:00:00Z",
    "ConnectionRequestUsername": "",
    "ConnectionRequestPassword": "",
    "UpgradesManaged": false,
    "DefaultActiveNotificationThrottle": 0,
    "CWMPRetryMinimumWaitInterval": 5,
    "CWMPRetryIntervalMultiplier": 2000,
    "STUNEnable": true,
    "STUNServerAddress": "",
    "STUNServerPort": 3478,
    "STUNUsername": "",
    "STUNPassword": "",
    "STUNMaximumKeepAlivePeriod": 0,
    "STUNMinimumKeepAlivePeriod": 0,
    "InstanceMode": "",
    "AutoCreateInstances": false,
    "X_ZYXEL_BoundInterface": "Any_WAN",
    "X_ZYXEL_BoundInterfaceList": "IP.Interface.2,IP.Interface.3,IP.Interface.4,IP.Interface.5",
    "X_ZYXEL_DisplaySOAP": false,
    "X_ZYXEL_ConnectionRequestUDPPort": 7678,
    "X_ZYXEL_ConnectionRequestPort": 7547,
    "X_ZYXEL_DataModelSpec": "TR-098",
    "X_ZYXEL_Certificate": "0",
    "X_ZYXEL_DebugLevel": 13

Lines 2063 to 2070, inclusive, are --

Code:
            "AutoShowQuickStart": false,
            "Enabled": true,
            "EnableQuickStart": true,
            "Page": "",
            "Username": "root",
            "Password": "",
            "PasswordHash": "",
            "Privilege": "login"

Lines 2073 to 2080, inclusive, are --

Code:
            "AutoShowQuickStart": false,
            "Enabled": true,
            "EnableQuickStart": true,
            "Page": "",
            "Username": "supervisor",
            "Password": "",
            "PasswordHash": "",
            "Privilege": "login,httpd,samba"

Lines 2088 to 2096, inclusive, are --

Code:
            "AutoShowQuickStart": true,
            "Enabled": true,
            "EnableQuickStart": true,
            "Page": "Broadband,Wireless,Home_Networking,QoS,NAT,Routing,DNS,IGMP_MLD,Vlan_Group,Interface_Grouping,USB_Service,Firewall,MAC_Filter,Parental_Control,Scheduler_Rule,Certificates,Log,Traffic_Status,Routing_Table,McastSt,ARP_Table,ARPTable_handle,WWAN_Statistics,SNMP,System,User_Account,Remote_MGMT,Time,Log_Setting,Backup/Restore,Backup_Restore,Reboot,Diagnostic,Status,Upnp_Portmap,Diagnostic_Result,xDSL_Statistics,xDSLStatistics_handle,NATSession_handle,RoutingTable_handle,McastSt,wps_status_handle,PortMirror,ParseDirectory,ParseUSBInfo,Email_Notify,Firmware_Upgrade,Diagnostic_id,ROMD",
            "Username": "admin",
            "Password": "_encrypt_hFmIO8s8qficW623JbZqT0FjY291bnQuAAAAIAAAAIk=",
            "PasswordHash": "",
            "Privilege": "login,httpd,samba",
            "AccountIdleTime": 300
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 13, 2017, 09:43:24 PM
Thank you burakkucat.
I have investigated a bit about the .rom and I think that it is not different from the .conf we can save via the configuration backup procedure on the router.
Apparently there are 3 configurations on the router... the running config that is the one changed by the user, the default config that is the one used after a restore to factory and the rom-d configuration, that is the same as a default config but it is used in place of the default config (if it is present) after a restore to factory or a firmware update and should be the config the ISP puts inside a stock router in order to set some permanent parameters that will last also after a factory reset.
So I think that the superuser pwd is not set there, but only admin and other users, like in a standard .conf file.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: burakkucat on January 13, 2017, 10:35:35 PM
Thank you burakkucat.

And thank you for analysing my observations. What you have typed makes perfect sense.

There is one aspect for which I can not deduce a method . . . That of getting a default rom file onto the device and saving it to the relevant area of the flash memory.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 14, 2017, 02:40:31 AM
Thank you again burakkucat.  :)

Discovered that there exist 3 configs, I think that despite the fact that the file has an extension .rom and that the location in memory for the ISP custom default config is called Rom-d, I think that .rom file is nothing more than a saved running configuration, like the .conf, but given by the manufacturer as a file in order to put at default the current router config... a sort of reset to factory alternative. This should justify the fact that I have never used the .rom file, that is optional during a firmware update and that it can be uploaded the same way you would do with the .conf.

Instead, if you want to put the .rom file in the rom-d partition, Zyxel says that you should do it via ftp. I do not know if this applies to all CPE models, but just as a reference this should be the procedure:

1. Set your laptop IP address as 192.168.1.33 (CPE is 192.168.1.1)
2. Type in command ftp 192.168.1.1 to login your CPE.
3. Type in username: admin
4. Type in password: 1234
5. Type in command put xxx.rom fw/rom-d (xxx as your file name)
6. Type in command bye to make it effective.
 
I have also read that the .rom file is already embedded into the .bin firmware so that it could be used as standard default config in case of a reset to factory.

In the end I think that the supervisor password was not modified on older firmware and that after a certain release version (in our model case the 10th) the reset to factory procedure will run a script that will generate the new supervisor password. So this is not stored anywhere, but generated on a specific algorithm for every factory reset. This way also the supervisor password will always be regenerated as expected after a reset.

Some firmware guru could be able to discover the algorithm and create a keygen for supervisor password. :P
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 14, 2017, 08:54:45 AM
We have been assuming that the later f/w changes the supervisor p/w, however on my 8924 running the V15 f/w the old p/w still works. Now it is possible that I have not done any factory resets for a while which may be why it still works. I have not seemed to need a factory reset as I usually upgrade the f/w incrementally. Obviously I will try to not have to do a factory reset on it  ;)

Assuming this ftp process works and loads the romd does that mean a factory reset will be needed to get back the password? Also if the romd is loaded on every f/w update then this means we will have to re-run this ftp procedure after every update if we need the supervisor p/w. A p/w generator would be great IF someone can figure out the formula, or perhaps someone can crack their encryption and then translate that p/w shown earlier. Perhaps cracking the encryption might be possible since we can see the admin p/w as stored and obviously know what it is.

Stuart
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 14, 2017, 11:07:34 AM
I have just been looking at the rom file for V15 of the 8924 f/w. Nowhere in it is any reference to supervisor. There is Administrator, User. Same is found in the rom file for V10 f/w. So if there is nothing in the rom file for supervisor I suspect this could be built into the f/w?

Stuart

Edit: Just checked the pdf file for V15 and there are references to changing the supervisor password in V11 and other references earlier, nothing after V11. References to supervisor start on P17 of the pdf.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 14, 2017, 04:53:27 PM
I've just tried manny2003's trick (post #7) of copying a new set of privs for the admin user into the config file and reloading.
The amended file loaded just fine but I don't have any more menus than before. :(
If I export the config again the changes are still there.
It's all very strange.  :wall:
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 14, 2017, 06:42:13 PM
I've just tried manny2003's trick (post #7) of copying a new set of privs for the admin user into the config file and reloading.
The amended file loaded just fine but I don't have any more menus than before. :(
If I export the config again the changes are still there.
It's all very strange.  :wall:

 :-\ mmm very strange.. I know it should work because it was the workaround I used on my router... Just to be 110% sure, have you double checked that the Privileges you have modified really pertain to the right user? Sometimes it is easy to modify the wrong line. Also try a reboot.

Assuming this ftp process works and loads the romd does that mean a factory reset will be needed to get back the password? Also if the romd is loaded on every f/w update then this means we will have to re-run this ftp procedure after every update if we need the supervisor p/w. A p/w generator would be great IF someone can figure out the formula, or perhaps someone can crack their encryption and then translate that p/w shown earlier. Perhaps cracking the encryption might be possible since we can see the admin p/w as stored and obviously know what it is.

Please Stuart, consider this is just my opinion and not a global truth.
The .rom is not mandatory, it is just a file that you can upload as default config (like the .conf). It is also embedded in the firmware as it installs in the router a default config that will be used in case of reset. Putting the .rom or any other configs in the rom-d partition is just an option for the ISP that wants the customer to always have some special config set after a factory reset.

supervisor password in my opinion is not set anywhere but just generated by the firmware during the factory reset via a script. So updating will not change the old password but factory reset on a firmware greater than version 10 will do.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 14, 2017, 07:11:26 PM
manny2003,

Yes, it's the right line - in fact I tried it on both 'Privilege' lines and it made no difference.
It rebooted after I reloaded the file so I assume that should be good enough.

An earlier post mentioned that the Supervisor user can turn menu items on and off so perhaps that is overriding the config file settings?

It was worth a go and all is still working so nothing lost.
 :)
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: highpriest on January 14, 2017, 10:33:29 PM
I have just been looking at the rom file for V15 of the 8924 f/w. No where in it is any reference to supervisor. There is Administrator, User. Same is found in the rom file for V10 f/w. So if there is nothing in the rom file for supervisor I suspect this could be built into the f/w?

Yup, same here. Only two users as far as I can tell.

Code:
      <X_5067F0_Login_Group instance="1">
        <GroupKey>0</GroupKey>
        <Privilege>broadband,wireless,homeNetworking,usbService,powerManagement,routing,dnsroute,vlangroup,qos,nat,dns,halfBridge,igmpSetting,intfGrp,firewall,macFilter,parentalControl,schedulerRule,certificates,ipsecVPN,pptpVPN,sip,phone,callRule,callHistory,log,trafficStatus,voipStatus,arpTable,routeTable,igmpGroupStatus,xdslStatistics,3gStatistics,system,userAccount,remoteMGMT,tr069Client,tr064,time,emailNotification,logSetting,firmwareUpgrade,configuration,reboot,disagnostic,HelpDesk,wizard,status,snmp</Privilege>
        <Name>Administrator</Name>
        <ConsoleLevel>2</ConsoleLevel>
        <Use_Login_Info instance="1">
          <UserName>admin</UserName>
          <Password>_encrypted_removed</Password>
          <Modified>TRUE</Modified>
          <LatestLoginSuccessFrom>192.168.2.1</LatestLoginSuccessFrom>
          <CurrentLoginSuccessFrom>192.168.2.1</CurrentLoginSuccessFrom>
          <idleTimeout>300</idleTimeout>
        </Use_Login_Info>
        <Use_Login_Info nextInstance="2"></Use_Login_Info>
      </X_5067F0_Login_Group>
      <X_5067F0_Login_Group instance="2">
        <GroupKey>2</GroupKey>
        <Privilege>log,trafficStatus,arpTable,routeTable,igmpGroupStatus,xdslStatistics,3gStatistics,system,userAccount,remoteMGMT,time,emailNotification,logSetting,firmwareUpgrade,configuration,reboot,disagnostic,HelpDesk</Privilege>
        <Name>User</Name>
        <ConsoleLevel>2</ConsoleLevel>
        <Use_Login_Info instance="1">
          <UserName>zyuser</UserName>
          <Password>_encrypted_removed</Password>
          <idleTimeout>300</idleTimeout>
        </Use_Login_Info>
        <Use_Login_Info nextInstance="2"></Use_Login_Info>
      </X_5067F0_Login_Group>
      <X_5067F0_Login_Group nextInstance="3"></X_5067F0_Login_Group>

Nothing appears to be locked down in the GUI.

(https://c1.staticflickr.com/1/350/32161388052_345c9a9c1b_o_d.png)

This is a de-branded F1000 running v15.
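
An added example, not part of the original posts and not Zyxel tooling: a Python check for the <Privilege> edit discussed in this thread. It lists each login group in a saved backup, reports which wanted menu items a group lacks, shows which users hold a given item, and diffs two backups to confirm an edit landed in the intended group. The sample backup is constructed from the fragment above (privilege lists shortened); the <Config> wrapper and the WANTED list are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the login-group fragment quoted in the thread.
# Privilege lists are shortened; the <Config> wrapper is an assumption so the
# fragment parses as a single document.
SAMPLE_BACKUP = """\
<Config>
  <X_5067F0_Login_Group instance="1">
    <GroupKey>0</GroupKey>
    <Privilege>broadband,wireless,nat,dns,firewall,log,system,userAccount,remoteMGMT,configuration,reboot</Privilege>
    <Name>Administrator</Name>
    <Use_Login_Info instance="1">
      <UserName>admin</UserName>
      <Password>_encrypted_removed</Password>
    </Use_Login_Info>
    <Use_Login_Info nextInstance="2"></Use_Login_Info>
  </X_5067F0_Login_Group>
  <X_5067F0_Login_Group instance="2">
    <GroupKey>2</GroupKey>
    <Privilege>log,system,userAccount,remoteMGMT,configuration,reboot</Privilege>
    <Name>User</Name>
    <Use_Login_Info instance="1">
      <UserName>zyuser</UserName>
      <Password>_encrypted_removed</Password>
    </Use_Login_Info>
    <Use_Login_Info nextInstance="2"></Use_Login_Info>
  </X_5067F0_Login_Group>
  <X_5067F0_Login_Group nextInstance="3"></X_5067F0_Login_Group>
</Config>
"""

# Menu items to look for (assumption: a subset of the list posted in the thread).
WANTED = ["broadband", "wireless", "nat", "sip", "phone",
          "tr069Client", "tr064", "remoteMGMT"]


def login_groups(xml_text):
    """Return {group name: {"users": [...], "privileges": [...]}}."""
    root = ET.fromstring(xml_text)
    groups = {}
    for grp in root.iter("X_5067F0_Login_Group"):
        name = grp.findtext("Name")
        if name is None:
            # Placeholder entries carry only a nextInstance attribute.
            continue
        raw = grp.findtext("Privilege") or ""
        privs = [p.strip() for p in raw.split(",") if p.strip()]
        users = [u.text for u in grp.iter("UserName") if u.text]
        groups[name] = {"users": users, "privileges": privs}
    return groups


def missing_privileges(groups, group_name, wanted):
    """Wanted menu items that the named group does not have, in wanted order."""
    have = set(groups[group_name]["privileges"])
    return [w for w in wanted if w not in have]


def users_with(groups, item):
    """Users whose group grants a given menu item, e.g. remoteMGMT."""
    found = []
    for info in groups.values():
        if item in info["privileges"]:
            found.extend(info["users"])
    return found


def privilege_diff(before, after):
    """Per-group privileges added/removed between two parsed backups."""
    diff = {}
    for name in sorted(set(before) | set(after)):
        old = set(before.get(name, {}).get("privileges", []))
        new = set(after.get(name, {}).get("privileges", []))
        if old != new:
            diff[name] = {"added": sorted(new - old),
                          "removed": sorted(old - new)}
    return diff


if __name__ == "__main__":
    groups = login_groups(SAMPLE_BACKUP)
    for name, info in groups.items():
        print(name, info["users"], "missing:",
              missing_privileges(groups, name, WANTED))
    print("can reach remoteMGMT:", users_with(groups, "remoteMGMT"))
```

Running privilege_diff on the backup saved before an edit and the one exported after reloading shows which group's Privilege line actually changed.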
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 15, 2017, 04:31:50 AM
manny2003,

Yes, it's the right line - in fact I tried it on both 'Privilege' lines and it made no difference.
It rebooted after I reloaded the file so I assume that should be good enough.

An earlier post mentioned that the Supervisor user can turn menu items on and off so perhaps that is overriding the config file settings?

It was worth a go and all is still working so nothing lost.
 :)
Very strange... the privilege line in configuration should be where the selections made by the supervisor via the GUI are stored...
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 15, 2017, 10:23:10 AM
I am playing with my F1000 this morning and just tried the ftp procedure to upload the rom.d file but it tells me the remote directory is protected and the ftp fails.

Stuart
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 15, 2017, 02:40:15 PM
I am playing with my F1000 this morning and just tried the ftp procedure to upload the rom.d file but it tells me the remote directory is protected and the ftp fails.

Stuart

Maybe because you need to log in as supervisor?
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: aam on January 15, 2017, 04:16:18 PM
Make sure you put the file in the /fw directory via ftp and make sure it's called rom-d.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: highpriest on January 16, 2017, 12:04:46 AM
I stand corrected. There is a supervisor account. If you try to change its password as admin, you get an error.

Code:
> passwd config --login supervisor SecretPass1234
password : Can not change supervisor password.

If you do the same using a dummy account, you get a different error, proving the account really exists.

Code:
> passwd config --login super SecretPass1234

Usage: Invalid user name super.

After messing about for a bit, I figured out that the supervisor password is printed out in plain text if you issue the dumpmdm command!

It chucks out a fair bit of information and the relevant bit is <AdminPassword> in the <X_5067F0_LoginCfg> section. Even the password for the admin account is displayed unencrypted.

Code:
    <X_5067F0_LoginCfg>
      <AdvancedAccountSecurity>FALSE</AdvancedAccountSecurity>
      <AdminUserName>supervisor</AdminUserName>
      <AdminPassword>**hidden**</AdminPassword>
      <AdminPasswordHash>(null)</AdminPasswordHash>
      <AdminPasswordModify>TRUE</AdminPasswordModify>

It is 8 characters, numbers and lowercase letters.

Even when you are logged on as supervisor using SSH, it does not allow you to change the supervisor password. You get the same 'Can not change supervisor password' error.

I can get into a shell by issuing the sh command as supervisor.

Edit: You can change the supervisor password by logging on to the GUI! Use the Login Privilege option on the top right :)
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 16, 2017, 01:22:37 AM
Quote
It is 8 characters, numbers and lowercase letters.

Nice discovery highpriest! I knew that you can change the password via the GUI once inside as supervisor, the problem was that after a factory reset the password was autogenerated and changed to something unknown. Apparently the dumpmdm seems to be the solution to the problem.
Could you please confirm that you are on a firmware greater than version 10 (for the VMG8924) in order to be sure you are using the latest firmware including the new supervisor password policy?

Anyone with a locked supervisor user that could verify this new discovery? I have a new router with a known supervisor password and I cannot factory reset it at the moment to test.  :blush:
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: highpriest on January 16, 2017, 02:07:31 AM
Yup. It's a VMG8324-B10A (de-branded F1000) running firmware 1.00(AAKL.15)C0.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: npr on January 16, 2017, 09:44:24 AM
Excellent find. :thumbs:

I can confirm the command dumpmdm does reveal the supervisor password for my VMG8924 FW 15C0.


Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 16, 2017, 09:46:25 AM
It also does on my F1000. Nice catch....

Stuart
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 16, 2017, 10:26:28 AM
Interestingly my F1000 was now running V10 f/w, so after getting the supervisor p/w I updated to V15 and the password has remained the same as it was on V10. So it seems that the password is static.

Stuart
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: roseway on January 16, 2017, 11:01:04 AM
I can confirm that the dumpmdm command reveals all the passwords on my VMG8324-B10A with the old 6b1 firmware. That's a very nice find.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 16, 2017, 05:12:58 PM
 :thumbs:
I'm in - and all of the menus are available as Supervisor.
Strangely I can't assign the missing ones to the admin user as the Login Privilege menu has no save button!
I also can't change the supervisor password for the same reason.

No matter - at least I now have lots more to play with.
Well done highpriest.
 ;D
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: lloyd on January 16, 2017, 08:03:03 PM
Good find.  Works on my non-ISP 8924
Quote
:thumbs:
I'm in - and all of the menus are available as Supervisor.
Strangely I can't assign the missing ones to the admin user as the Login Privilege menu has no save button!

The only menu my admin account does not have assigned is VOIP line test - every thing else is ticked.  And I do have a save button for the admin login privs.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 16, 2017, 08:10:49 PM
Further to my earlier post I seem to have got mine working now (8924).
I was fiddling with the 'webstyle' command in the CLI, setting it to 'Brick' (don't know what the original setting was!) and the save button is now there.
What's odd is that it now won't go away whatever webstyle I choose (none of which make any obvious difference to the GUI anyway).

The reason I thought webstyle might influence it is that the save button would appear for a second and then vanish making me think it was a GUI bug.
 :D
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 17, 2017, 09:32:33 AM
It occurred to me that the default password for my Supervisor user is in a hex format (ie only contains digits 0-9 and letters a-f).
Is this just a coincidence on my unit or does it perhaps relate to another property of the router?
 :-\
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 17, 2017, 10:23:46 AM
Quote
It occurred to me that the default password for my Supervisor user is in a hex format (ie only contains digits 0-9 and letters a-f).
Is this just a coincidence on my unit or does it perhaps relate to another property of the router?
 :-\

Well I just converted mine from hex values to characters and it is meaningless, consists of all special characters. So I don't believe we will get anywhere looking for a direct comparison, it is likely to have been a fairly random value initially.

Stuart
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 17, 2017, 10:30:23 AM
broadstairs - I take it from your reply that your password is in a hex format too?
I was more wondering if perhaps it related to part of a mac address or some other router property that is easy to get to.
It was just a thought, and as you say it's likely just random.
 :)
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 17, 2017, 10:44:36 AM
Yes I looked at the values printed on the rear of the router like MAC etc but nothing jumped out at me. It could well be something ZyXEL can work out if they need to access it remotely and you would be asked for during the discussions. It could be related to serial number for example but probably some kind of algorithm which develops the password.

Stuart
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: roseway on January 17, 2017, 11:01:25 AM
On my old 6b1 firmware the supervisor password is an ordinary English word with one number added.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 17, 2017, 11:23:51 AM
Quote
On my old 6b1 firmware the supervisor password is an ordinary English word with one number added.

Yes, I think it was from V11 onwards that it became self generated.
 :)
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: broadstairs on January 17, 2017, 11:31:10 AM
However when I went back to V10 on my F1000 and a factory reset it did not go back to the original word plus numbers. Once I lost that it stayed as the random numbers & letters. So I doubt it was ever set originally by the router or F/W but was set at the factory. I believe from the pdf files associated with the F/W that it went back to static so unless you actually load F/W V11 and do a factory reset it is unlikely to change. My 8924 running V15 is still the original p/w and I don't think I ever used V11 F/W, jumped from V10 to a later one.

Stuart
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 17, 2017, 11:45:39 AM
Stuart,

Interesting - thanks.
I can't fully remember which version my 8924 had when I got it as I just saw that it wasn't the latest version and upgraded it straight away.
Mine was however an ISP locked version so who knows how it was setup at the factory.
Thanks to you lovely Kitz people it's not locked any more.  :love:
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on January 17, 2017, 02:03:00 PM
In my opinion the line is this:

1) the password is set at factory and is the same for all units
2) the firmware versions from 11 have a password generated on the serial or Mac for each unit (I saw the support looking at one or both information before trying to get in as supervisor)
3) the password is only generated during a factory reset on a firmware greater than version 10
4) on firmware lesser than 11 the reset to factory won't affect the current password
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: paulsmith109 on March 05, 2017, 02:44:44 PM
I have run the `dumpmdm` command but can find no reference to the supervisor account or its password.
Please help somebody!
VMG8324 with firmware 15
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on March 05, 2017, 06:25:46 PM
Have you managed to capture the full dump, as it's quite long and the default buffer in a Windows command line isn't long enough to get the whole thing.
I think I changed mine to 999 which is the maximum allowed.  I then copied the whole thing out into notepad and searched for 'supervisor'.
 :)
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: npr on March 05, 2017, 06:45:33 PM
Alternatively, in Windows, open an admin command prompt and start the telnet session with the command

telnet -f c:\dump.txt 192.168.1.1

This sends the telnet output to the file c:\dump.txt, then all you need do is search this file for supervisor.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: paulsmith109 on March 05, 2017, 07:49:52 PM
Quote
Alternatively, in Windows, open an admin command prompt and start the telnet session with the command

telnet -f c:\dump.txt 192.168.1.1

This sends the telnet output to the file c:\dump.txt, then all you need do is search this file for supervisor.

I just get a flashing cursor in the cmd prompt window and nothing seems to happen.
I also tried the suggestion in the post above yours, and a word search shows no sign of `supervisor` whatsoever.
Any other suggestions guys?
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: npr on March 05, 2017, 09:42:01 PM
Works here with win vista and win 10.

Is it waiting for you to input a username and password?
Are you using a command prompt with admin privileges?
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: highpriest on March 05, 2017, 10:35:48 PM
Quote
I just get a flashing cursor in the cmd prompt window and nothing seems to happen.

I got that the first time in command prompt. Re-ran the command and it works fine. Try running it again in a command prompt with administrator privileges.

All of these work for me (I have a directory called Temp in the C drive):

Code:
cd \Temp
telnet -f zyxel.log 192.168.2.2
telnet -f .\zyxel.log 192.168.2.2
telnet -f C:\Temp\zyxel.log 192.168.2.2

Change the IP to your router's IP, obviously.

Quote
I also tried the suggestion in the post above yours, and a word search shows no sign of `supervisor` whatsoever.
Any other suggestions guys?

The output of dumpmdm on my device has around 8090 lines. The password appears around line 158. It is certain to disappear behind scrollback on most command prompts so logging the output of telnet is your best bet.

If logging simply doesn't work for you, increase the scrollback to around 9999 lines, which is the maximum you can set it to in command prompt. Right click anywhere on the title bar, click on Properties, Layout tab, Screen Buffer Size, Height. Change that to 9999 and apply. Then telnet to your device as normal and run the dumpmdm command.

Another way is to use a client like PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) (you can use SSH or Telnet protocol). Before you connect, click on Window and set lines of scrollback to 10000 or 20000.
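
Added example, not part of any post in this thread: a Python sketch that audits a dumpmdm capture (logged with telnet -f or PuTTY as described above) for plaintext password fields and writes a redacted copy that can be pasted into a forum post or support ticket. The tag-name heuristic, the sample log and the ExampleSection/ExamplePassword names are assumptions constructed for illustration; only the X_5067F0_LoginCfg fragment comes from the thread.

```python
import re

# One-line leaf element, e.g. <AdminPassword>value</AdminPassword>
LEAF = re.compile(r"^(\s*)<([A-Za-z0-9_]+)>(.*)</\2>\s*$")
OPEN = re.compile(r"^\s*<([A-Za-z0-9_]+)(?:\s[^>]*)?>\s*$")
CLOSE = re.compile(r"^\s*</([A-Za-z0-9_]+)>\s*$")

PLACEHOLDER = "**hidden**"            # same marker the thread uses
NOT_SET = {"", "(null)", PLACEHOLDER}


def classify(tag):
    """Heuristic (assumption): 'secret', 'hash' or None for a tag name."""
    t = tag.lower()
    if "password" not in t:
        return None
    if t.endswith("hash"):
        return "hash"
    if t.endswith("modify"):          # e.g. AdminPasswordModify is a TRUE/FALSE flag
        return None
    return "secret"


def redact_dump(text):
    """Return (redacted_text, findings) for a captured dumpmdm log.

    findings never contain the secret itself, only where it was seen and
    whether a sibling <...Hash> element in the same section held a value.
    """
    stack, findings, hashed, out = [], [], set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        leaf = LEAF.match(line)
        if leaf:
            indent, tag, value = leaf.groups()
            kind = classify(tag)
            if kind and value.strip() not in NOT_SET:
                section = "/".join(stack)
                if kind == "hash":
                    hashed.add((section, tag[:-len("Hash")]))
                else:
                    findings.append({"line": lineno, "section": section, "tag": tag})
                line = f"{indent}<{tag}>{PLACEHOLDER}</{tag}>"
        elif (m := CLOSE.match(line)):
            if stack and stack[-1] == m.group(1):
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append(m.group(1))
        out.append(line)              # prompts and other noise pass through unchanged
    for f in findings:
        f["hash_stored"] = (f["section"], f["tag"]) in hashed
    return "\n".join(out) + "\n", findings


# Constructed sample: the LoginCfg fragment quoted in the thread, closed off
# and given a made-up password, plus one hypothetical section.
SAMPLE_LOG = """\
> dumpmdm
    <X_5067F0_LoginCfg>
      <AdvancedAccountSecurity>FALSE</AdvancedAccountSecurity>
      <AdminUserName>supervisor</AdminUserName>
      <AdminPassword>ex4mple1</AdminPassword>
      <AdminPasswordHash>(null)</AdminPasswordHash>
      <AdminPasswordModify>TRUE</AdminPasswordModify>
    </X_5067F0_LoginCfg>
    <ExampleSection>
      <ExamplePassword>constructed-value</ExamplePassword>
      <ExamplePasswordHash>constructed-hash</ExamplePasswordHash>
    </ExampleSection>
>
"""

if __name__ == "__main__":
    redacted, findings = redact_dump(SAMPLE_LOG)
    for f in findings:
        state = "hash also stored" if f["hash_stored"] else "no hash stored"
        print(f"line {f['line']}: {f['section']}/{f['tag']} is plaintext ({state})")
    print(redacted, end="")
```

Point it at the saved log (for example zyxel.log) by reading the file and passing its contents to redact_dump; a finding with hash_stored false matches the `<AdminPasswordHash>(null)` case shown earlier in the thread.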
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: manny2003 on March 06, 2017, 02:02:37 AM
Just one more info about this topic is that on the 16C0 firmware Zyxel declares this:

Code:
[Bug Fix]
1. [# 31023 ][System] The password of supervisor would be "zyad1234".

Maybe they set it back to zyad1234 by default in the new firmware release.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: paulsmith109 on March 06, 2017, 07:58:58 AM
Success!
I used Putty as suggested and copied/pasted the `dumpmdm` output into Wordpad in Windows 10.
The required password for my supervisor account was `Darkside1`.
Thanks again for all your help. I now have all the extra options in the GUI!
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: polymath on March 09, 2017, 12:31:23 PM
Struggling here to understand how to get dumpmdm to work on my VMG3925-B10B. I telnet into the router and get:

Busybox v1.20.1 (2016-10-18 14:40:36 CST) built in shell (ash)

and then a $ prompt (not a > prompt)

I do $ dumpmdm

and the response is:

-sh: dumpmdm: not found

If I do $ help BusyBox responds with a list of built in commands but dumpmdm is not there.

Have I missed something?
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: burakkucat on March 09, 2017, 03:51:55 PM
I have no experience with a VMG3925-B10B but you might like to experiment with the following . . .

At the busybox shell prompt, $, type  --

find / -xdev -name \*dump\*

It will show those files which contain the string dump as part of their name.

Performing the above on my VMG1312-B10D, I obtain the following --

Code:
$ find / -xdev -name \*dump\*
/bin/dumpmem
/usr/bin/hexdump
/usr/lib/opkg/info/tcpdump.control
/usr/lib/opkg/info/tcpdump.list
/usr/sbin/tcpdump
$

You would be interested in the lines that contain the string bin as part of the path name to the files. In my case, above, there are three --

Code:
$ ls -l /bin/dumpmem
lrwxrwxrwx    1 root     0                6 Oct 18 09:01 /bin/dumpmem -> xtmctl
$ ls -l /usr/bin/hexdump
lrwxrwxrwx    1 root     0               17 Oct 18 09:13 /usr/bin/hexdump -> ../../bin/busybox
$ ls -l /usr/sbin/tcpdump
-rwxr-xr-x    1 root     0           643787 Oct 18 09:06 /usr/sbin/tcpdump
$

Of those three, we can see that the first two are symbolic links to other binary files.

So then try each command with a --help flag.

Code:
$ dumpmem --help
usage: dumpmem <address_in_hex> <length_in_decimal>

$ hexdump --help
BusyBox v1.20.1 (2016-10-18 15:41:48 CST) multi-call binary.

Usage: hexdump [-bcCdefnosvx] [FILE]...

Display FILEs (or stdin) in a user specified format

        -b              One-byte octal display
        -c              One-byte character display
        -C              Canonical hex+ASCII, 16 bytes per line
        -d              Two-byte decimal display
        -e FORMAT_STRING
        -f FORMAT_FILE
        -n LENGTH       Interpret only LENGTH bytes of input
        -o              Two-byte octal display
        -s OFFSET       Skip OFFSET bytes
        -v              Display all input data
        -x              Two-byte hexadecimal display

$ tcpdump --help
tcpdump: invalid option -- -
tcpdump version 4.2.1
libpcap version 1.1.1
Usage: tcpdump [-aAbdDefhHIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -M secret ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]
$
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: polymath on March 09, 2017, 07:29:13 PM
burakkucat: Thanks for the swift reply.

I get exactly the same response to the find and help commands as you.

My simple understanding of the dumpmdm command is it provides a 'memory dump'.

Is there a way of using, say the dumpmem command to achieve the same thing? That would need an appropriate start address and length.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: burakkucat on March 09, 2017, 09:09:42 PM
Hmm . . . I'll have to have a poke around, for I suspect you may need something different from the dumpmem command to which we both have access.  :-\

From the busybox shell prompt, $ --

Code:
BusyBox v1.20.1 (2016-10-18 15:41:48 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

$ find / -xdev \( -name \*zycli\* -o -name \*zysh\* -o -name \*nvram\* \) | sort
/bin/nvram
/etc/wlan/bcm43602_nvramvars.bin
/etc/wlan/bcm4360_nvramvars.bin
/etc/wlan/bcmcmn_nvramvars.bin
/etc/zyshrc
/lib/libnvram.so
/sbin/zycli
/usr/bin/zysh
/usr/lib/opkg/info/zycli.control
/usr/lib/opkg/info/zycli.list
/usr/lib/opkg/info/zysh.control
/usr/lib/opkg/info/zysh.list
$ for F in $(find / -xdev \( -name \*zycli\* -o -name \*zysh\* -o -name \*nvram\* \) | sort)
> do echo $F
> hexdump -C -n 16 $F
> echo
> done
/bin/nvram
00000000  7f 45 4c 46 01 02 01 00  01 00 00 00 00 00 00 00  |.ELF............|
00000010

/etc/wlan/bcm43602_nvramvars.bin
00000000  6c 65 64 62 68 31 30 3d  30 78 38 38 00 45 4e 44  |ledbh10=0x88.END|
00000010

/etc/wlan/bcm4360_nvramvars.bin
00000000  6c 65 64 62 68 31 30 3d  30 78 38 38 00 45 4e 44  |ledbh10=0x88.END|
00000010

/etc/wlan/bcmcmn_nvramvars.bin
00000000  77 61 74 63 68 64 6f 67  3d 31 33 30 30 30 30 00  |watchdog=130000.|
00000010

/etc/zyshrc
00000000  23 20 42 65 67 69 6e 20  6f 66 20 5a 79 53 48 32  |# Begin of ZySH2|
00000010

/lib/libnvram.so
00000000  7f 45 4c 46 01 02 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010

/sbin/zycli
00000000  7f 45 4c 46 01 02 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010

/usr/bin/zysh
00000000  7f 45 4c 46 01 02 01 00  01 00 00 00 00 00 00 00  |.ELF............|
00000010

/usr/lib/opkg/info/zycli.control
00000000  50 61 63 6b 61 67 65 3a  20 7a 79 63 6c 69 0a 56  |Package: zycli.V|
00000010

/usr/lib/opkg/info/zycli.list
00000000  2f 73 62 69 6e 2f 64 6e  73 0a 2f 73 62 69 6e 2f  |/sbin/dns./sbin/|
00000010

/usr/lib/opkg/info/zysh.control
00000000  50 61 63 6b 61 67 65 3a  20 7a 79 73 68 0a 56 65  |Package: zysh.Ve|
00000010

/usr/lib/opkg/info/zysh.list
00000000  2f 65 74 63 2f 7a 79 73  68 72 63 0a 2f 75 73 72  |/etc/zyshrc./usr|
00000010

$ cat /etc/wlan/bcm43602_nvramvars.bin
ledbh10=0x88END$
$ cat /etc/wlan/bcm4360_nvramvars.bin
ledbh10=0x88END$
$ cat /etc/wlan/bcmcmn_nvramvars.bin
watchdog=130000END$
$ cat /etc/zyshrc
# Begin of ZySH2 initialization
# command-mode COMMAND_MODE_USER_EXEC 2
# privilege 0
# visibility 0
# End of ZySH2 initialization
$ cat /usr/lib/opkg/info/zycli.control
Package: zycli
Version: 1.0-1
Depends: libc, zcmd, libzyutil
Source: package/private/zyxel/zycli
SourceFile: zycli-1.0.tar.gz
SourceURL: @ZyXEL_SITE/private/ZyXEL
Section: net
Architecture: brcm963xx
Installed-Size: 27743
Description:  ZyXEL CLI
$ cat /usr/lib/opkg/info/zycli.list
/sbin/dns
/sbin/vcautohuntctl
/sbin/sys
/sbin/pppoectl
/sbin/zycli
/sbin/ethwanctl
/sbin/wan
/sbin/wlan
$ cat /usr/lib/opkg/info/zysh.control
Package: zysh
Version: 2.0-7
Depends: libc, zcmd, libedit, libncurses
Source: package/private/zyxel/zysh
SourceFile: zysh-2.0.tar.gz
SourceURL: @ZyXEL_SITE/private/ZyXEL
Section: net
Architecture: brcm963xx
Installed-Size: 48097
Description:  ZyXEL Shell and Command Line Interface
$ cat /usr/lib/opkg/info/zysh.list
/etc/zyshrc
/usr/bin/zysh
$ cat /etc/zyshrc
# Begin of ZySH2 initialization
# command-mode COMMAND_MODE_USER_EXEC 2
# privilege 0
# visibility 0
# End of ZySH2 initialization
$ zycli
zycli help
wan
ethwanctl
dns
pppoectl
vcautohuntctl
sys
tr069
wlan
cfgupdate
save_default
$

I was interested in the nvram, zycli and zysh commands, knowing that a sub-option to the zycli command allows the ROM-D to be cleared. Unfortunately I do not see anything remotely appropriate for what you wish to do.

At a long-shot, you might like to download a copy of the VMG1312-B10A CLI Reference Manual (https://support.aa.net.uk/File:VMG1312-B10A_CLI_Reference_Manual.pdf) and read it through. It might prove to be a source of inspiration.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: polymath on March 10, 2017, 02:59:31 PM
Yes, I have had the CLI reference manual pdf for a while. It adds to my confusion. The document lists ZyXEL CLI commands. But before the list is an Overview (pages 3 and 4) which, in part, states:

.....The CLI is available from the serial console, telnet login and ssh logins. It is enabled via the make
menuconfig option "Enable Command Line Interface" in the "Management Protocols and User Interface
Selection" section. The CLI is part of the Configuration Management System (CMS), so CMS must also be
enabled make menuconfig in order to have the CLI.

The CLI has a">" prompt character. If you type "sh", you will enter the busybox shell, which has the "#"
prompt character. This document describes the commands available from the CLI (">"), not the busybox
shell......  (I assume the "#" prompt is the same as "$" prompt)

First thing is my telnet session lands straight into BusyBox, there is no other prompt but "$".  No way I can
see of entering another command prompt level, other than the zycli command.

The CLI reference manual lists CLI commands and includes dumpmdm (page 58). For comparison it includes adsl (page 5).

Now in my telnet session adsl works at the BusyBox $ prompt but returns an error when dumpmdm is input.
Using zycli adsl and zycli dumpmdm produces nothing, other than a new line with the $ prompt at the start.

Near the end of the Overview section it states:

In accordance to the CMS architecture, all commands which modify the configuration will modify the MDM
(shared memory configuration database). I assume that MDM is the same as in dumpmdm.

Title: Re: VMG8924-B10A unbranded supervisor password
Post by: polymath on March 10, 2017, 03:33:16 PM
One small extra bit of information:

At the BusyBox $ prompt I input zysh and the next line has  ZySH> as the prompt. Only problem is I cannot figure out anything to put in this new command line that gets any response other than an error.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: burakkucat on March 10, 2017, 07:28:21 PM
Quote
Yes, I have had the CLI reference manual pdf for a while. It adds to my confusion.

It is the CLI reference manual for the VMG1312-B10A and not for my VMG1312-B10D nor your VMG3925-B10B.
 
The zycli command is a "one shot" invocation of the CLI from the busybox shell. So, for example, zycli save_default clean clears the ROM-D. (See here (http://forum.kitz.co.uk/index.php/topic,19022.msg340064.html#msg340064).)

The zysh> prompt should respond to a solitary ? input with a list of sub-options.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Chrysalis on July 29, 2017, 12:44:11 AM
no luck for us with newer firmwares :(

dumpmdm command not found
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Fuggi on July 29, 2017, 12:52:46 AM
Chrys
Can you go back to the version 16 firmware? This still has access to dumpmdm. I used it two days ago to find the supervisor password in my VMG8924.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Chrysalis on July 29, 2017, 01:35:09 AM
where is the v16 firmware? on zyxel's website is just v11 and v15.

also what is the exact command you used for dumpmdm, here is my output.  Thanks

Code:
$ dumpmdm
-sh: dumpmdm: not found

or maybe it's only on the b10a but not the b10b?
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Fuggi on July 29, 2017, 02:13:36 AM
Quote
http://forum.kitz.co.uk/index.php/topic,13930.msg351376.html#msg351376
The dumpmdm command only seems to be on the VMG8924 not the VMG3925.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Bestgear on August 25, 2017, 07:56:24 PM
I would really appreciate some guidance please.

I have a VMG8924-B10A running 1.00(AAKL.10)C0_20151008 which I bought from ebay, and expected an off the shelf Zyxel, but later found it's a John Lewis device.

What is the best move in terms of firmware upgrade for me, given I don't want to lose supervisor access?

Thanks in advance for your time and help.


David
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Iam_TJ on August 25, 2017, 09:02:49 PM
Quote
The dumpmdm command only seems to be on the VMG8924 not the VMG3925.

That's correct. It's because the 3925 firmware is based around OpenWRT rather than the Broadcom/Mitrastar/Zyxel framework.

I'm guessing the reason for that is the high maintenance overhead of the proprietary stack in the 8924 and similar.

For a 3925 that hasn't had a "save_default clear" operation you can find unencrypted passwords in the text config stored in /dev/mtd4 (or for older firmware versions, /dev/mtd3). 
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: NewtronStar on August 25, 2017, 10:11:02 PM
Quote
I would really appreciate some guidance please.

I have a VMG8924-B10A running 1.00(AAKL.10)C0_20151008 which I bought from ebay, and expected an off the shelf Zyxel, but later found it's a John Lewis device.

What is the best move in terms of firmware upgrade for me, given I don't want to lose supervisor access?

Thanks in advance for your time and help.


David

1. Unplug the DSL cable to the 8924.
2. Clear ROM-D by using the telnet command save_default clean via PuTTY or a Linux OS.
3. Keep the 8924 powered up and hard reset it via the pinhole: hold for 10 seconds until the LEDs turn off, then release.
4. Wait until the 8924 fully boots, use a web browser to enter 192.168.1.1, enter ADMIN then 1234, set the modem/router up with your ISP details and other stuff and save a config file. PS: I would change the password.
5. Reboot the modem/router again and wait for the DSL Internet LED to turn red on the 8924, then plug the DSL cable back into the modem/router. If all has gone right the red Internet LED will become a blinking green Internet LED.
6. Download the most up-to-date firmware and install it. Once it's all updated and running, use PuTTY again but make sure you have text logging active and run the command dumpmdm. The saved logging text file will show your supervisor password.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: machare on September 22, 2017, 09:16:23 PM
Quote
Alternatively, in Windows, open an admin command prompt and start the telnet session with the command

telnet -f c:\dump.txt 192.168.1.1

This sends the telnet output to the file c:\dump.txt, then all you need do is search this file for supervisor.

That works fine for me.  Thank you very much!
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: machare on September 22, 2017, 10:25:45 PM
There is now a version 18 of the firmware where they say "Implement conditional randomizing of supervisor/root password on firmware update" so if I upgrade maybe I will lose the password I have just found, but anything would be better than a fixed publicly known password.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: NewtronStar on September 22, 2017, 10:47:32 PM
It's still the same technique using V18 firmware here and still find the Supervisor password freely in the text dump.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: machare on September 22, 2017, 11:42:24 PM
Interesting, thank you.  I upgraded a router that I had upgraded to version 16 but had not then been reset so it was not using the zyad.... password. I have now upgraded to version 18 and the password has remained the same.  I wonder if that is because they have gone back to the same password algorithm that they were using before.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Ronski on May 24, 2018, 02:49:54 PM
I just purchased one of these to use at work as we appear to be having issues with our current router, or at least I wish to rule it out.

It's a brand new unused John Lewis modem (no branding though), date on the sealed box was September 2017, and it has v10 firmware, prior to updating it I wanted to retrieve the supervisor password (or would it be better to update the firmware then retrieve it?).

Anyway it's been quite a while since I used Putty, I'm entering the default 192.168.1.1 IP address selecting Telnet, so it's port 23. When I open the session I get a black box with a cursor, I can type stuff which seems to have no effect, but after a while the connection times out.

Any idea where I'm going wrong? I seemed to have failed at the first hurdle  :wall:

PS. The zyad1234 supervisor password doesn't work.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: spring on May 24, 2018, 03:10:19 PM
Did you follow this? (read from the top first, may be sufficient): https://forum.kitz.co.uk/index.php/topic,21513.msg372337.html#msg372337

And yeah you should try finding it on the firmware it came with and if it didn't work trying on an older firmware. Once you're done with ROM-D you can try repeating this after resetting, flashing, and resetting (it might be the same password, might not).

I wonder if there's a way to clear the ROM-D when the ROM-D was flashed with something that has passwords different from the default?

Also see this before you go v16 or higher: https://forum.kitz.co.uk/index.php?topic=13930.780 (um, seems v18 is fine, overlooked the thread I'm posting in right now)
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Ronski on May 24, 2018, 03:22:37 PM
Trouble is I'm getting no response from Telnet via Putty  ???
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: spring on May 24, 2018, 03:24:42 PM
I use command prompt, but you may need to enable the windows feature
(http://elmajdal.net/Win7/Enabling_Telnet_Client_in_Windows_7/5-select%20telnet%20client.png)
to start telnet is "telnet", enter is "open 192.168.1.1" and to close is "quit"
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: johnson on May 24, 2018, 03:32:24 PM
Quote
Anyway it's been quite a while since I used Putty, I'm entering the default 192.168.1.1 IP address selecting Telnet, so it's port 23. When I open the session I get a black box with a cursor, I can type stuff which seems to have no effect, but after a while the connection times out.

Have you reset it first? Might be new but someone has still connected to it and set a different IP.

Can you ping it on 192.168.1.1?
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: spring on May 24, 2018, 03:39:03 PM
Quote
Have you reset it first? Might be new but someone has still connected to it and set a different IP.

Can you ping it on 192.168.1.1?

I thought it has 192.168.1.1 o.o (I read it that he entered from web browser, because he said he tried zyad1234)
Anyway yeah if it doesn't work on a command prompt then pin reset it and tell us.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Ronski on May 24, 2018, 04:29:50 PM
Yes I can access it from a browser, have pin reset (powered up, pin in for 10 seconds, lights flash), have also tried updating to v13, but still no telnet.

Just enabled telnet in windows, and that also fails to connect.

I'm on a laptop with the wi-fi turned off, I'll take it home tonight and try there.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: j0hn on May 24, 2018, 05:39:37 PM
Just checking the obvious, but have you enabled telnet on the ZyXEL?
It's under Maintenance > Remote MGMT
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Ronski on May 24, 2018, 07:17:45 PM
Quote
Just checking the obvious, but have you enabled telnet on the ZyXEL?
It's under Maintenance > Remote MGMT

Oops  :-[ I knew it had to be something simple, thank you very much for spotting that, it now works
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: spring on May 24, 2018, 07:18:13 PM
Quote
Oops  :-[ I knew it had to be something simple, thank you very much for spotting that, it now works

I'm almost mad..... xD
Your post count made me say "nah, he checked it 5 times that it's enabled"
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Ronski on May 24, 2018, 07:29:35 PM
LOL, what's that old saying, never assume anything, which means it's always worth stating what appears to be the obvious.

I did say it had been a while, but thanks for what you suggested, we got there in the end.

I now have the supervisor password, which is not hexadecimal, but upper and lower case letters along with some numbers. Now just to update the firmware.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Ronski on May 24, 2018, 08:41:30 PM
Well I'm now on V20 and can still login as supervisor, even after a pin hole reset. On the privileges settings my save button disappears, which someone else mentioned as well.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: machare on May 24, 2018, 09:23:16 PM
Have you cleared ROM-D? If you don't, you may be in for a shock if you reboot the router from the command line.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: j0hn on May 24, 2018, 11:23:44 PM
Oops  :-[ I knew it had to be something simple, thank you very much for spotting that, it now works

 You're very welcome.  :P
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Ronski on May 25, 2018, 06:21:03 AM
Have you cleared ROM-D? If you don't, you may be in for a shock if you reboot the router from the command line.

I haven't, please explain the implications of not doing so and the shock?
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: spring on May 25, 2018, 10:13:02 AM
LOL, what's that old saying, never assume anything, which means it's always worth stating what appears to be the obvious.
Too many people nowadays lash out at me if I "treat them as if they don't know", but so far this forum isn't like that.

Login in web interface as supervisor, go to Management > Configuration > there will be a ROM-D tab.
The ROM-D stores a config file that replaces the firmware config when resetting the modem, if the modem wasn't straight from ZyXEL factory [retail?] there probably is a custom config file stored there, that you would be using now (might explain why you have the same supervisor password as v10). It's as if someone you don't know took a firmware config and did stuff to it, and by my logic is a v10 config (:no:). You can save the config stored there for research purposes (um, I don't know how), and after that clearing it and using the firmware config. To use the firmware config you need to reset it again once the ROM-D was cleared :o, everyone here recommends pin reset straight after clearing the ROM-D.


Edit: Well well, would you look at that: https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=012662&lang=EN
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Ronski on May 25, 2018, 11:21:33 AM
Thanks Spring, yes some people do take great offence to being told the obvious, but it's often that which trips us up. I'm now fast approaching 50 so am wiser and appreciate that.

I spent a fair while this morning trying to get save_default_clean to work, in fact it was only when I read my post prior to posting another help it doesn't work post that I spotted the error, the last underscore should be a space and then it worked  ;D

The default John Lewis username has gone from the broadband configuration details, and also the supervisor password has changed to a hexadecimal one.

I think I can finally start setting it up now  :fingers:

PS. I've also got the save button back in the login privileges section, not sure if it was the webstyle command that did it, or clearing rom-d
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: spring on May 25, 2018, 11:41:27 AM
The more recent a generation is, the general prevalency is higher.

It's clearing the ROM-D that restored the privileges Save button.

Good to know the supervisor password behind the hash is the same (I guess it's generated from hardware info).
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: DeuxEx on August 24, 2018, 06:34:39 AM
Hello! Can someone make a simple step-by-step tutorial, using Putty or something else to obtain dumpmdm file? I am a noob and I don't know how to obtain my supervisor username and password.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Weaver on August 24, 2018, 11:44:04 AM
Welcome to the forum DeuxEx!

If I remember rightly our very own Burakkucat did such a thing a while back, now where to find it. There is a search thing that will search the entire set of posts, and it can do it by content text match or subject or both and optionally limit it to one person's posts and recent posts.



Is the following any use? https://forum.kitz.co.uk/index.php/topic,21936.msg378037.html#msg378037

I did a search for posts by user=Burakkucat and containing=supervisor and there are a lot so I could not go through them all, in too much pain just now
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: DeuxEx on August 26, 2018, 01:25:26 PM
Welcome to the forum DeuxEx!

If I remember rightly our very own Burakkucat did such a thing a while back, now where to find it. There is a search thing that will search the entire set of posts, and it can do it by content text match or subject or both and optionally limit it to one person's posts and recent posts.



Is the following any use? https://forum.kitz.co.uk/index.php/topic,21936.msg378037.html#msg378037

I did a search for posts by user=Burakkucat and containing=supervisor and there are a lot so I could not go through them all, in too much pain just now

I'm a noob to this, but thanks. I think that I now have another problem. After I put the latest firmware, I did a reset. Now I can't access the user interface with zyuser/1234. Any solution? I also mention that user and password supervisor/zyad1234 never worked for me, not now, not before the upgrade.
If someone is willing to help me, he can access my computer through Teamviewer
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: hushcoden on August 26, 2018, 05:10:17 PM
Have you tried admin/1234 ?
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: DeuxEx on August 30, 2018, 02:39:51 PM
Yes, I did. It's not working. I also tried supervisor/zyad1234 and zyuser/1234. Not working.
It has 1.00(AAPQ.15)C0 firmware version. Can I downgrade it to another version? Will that modify the login credentials to default (admin/1234 or supervisor/zyad1234)?
Sorry for my poor English!
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: hushcoden on January 24, 2019, 03:23:14 PM
Hi folks,

I've just got a VMG8924-B10A with firmware v.20 and I was able to find the supervisor password with "dumpmdm", then I've cleared ROM-D, factory reset and finally updated to the latest v.28

Now, after the update the supervisor password apparently has changed + if I telnet to the device and type the command "dumpmdm" I get the following error message:
Code:
> dumpmdm
telnetd:error:733.204:processInput:599:unrecognized command dumpmdm

The strange thing is that if I type the command "help" I get a list of the available commands and "dumpmdm" is listed...  :'(

I'm quite confused and not sure what else to do, can someone please advise ?

Tia.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: burakkucat on January 24, 2019, 04:45:47 PM
Hmm . . .  :o  :hmm:
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: hushcoden on January 24, 2019, 05:00:49 PM
Also, is it normal that if I type the command "ls" I get an error message:
Code:
> ls
telnetd:error:477.203:processInput:599:unrecognized command ls

yes I did try "supervisor" with "zyad1234" and it didn't work!

And assuming I am able to roll back, then I should stay with an older firmware ?  :'(

And this is the list of commands I get when I type "help":
Code:
> help
?
help
logout
exit
quit
reboot
adsl
xdslctl
xtm
loglevel
logdest
virtualserver
ddns
dumpcfg
dumpmdm
meminfo
psp
dumpsysinfo
syslog
sntp
voice
ethwanctl
wlan
wlanctl
arp
defaultgateway
dhcpserver
dhcpcondserv
igmpcmd
dns
lan
lanhosts
staticdhcp
portforward
passwd
ppp
pppoectl
firewall
dmz
snmpctl
rmtmgmt
restoredefault
route
save
swversion
uptime
cfgupdate
swupdate
exitOnIdle
wan
interfaceGroup
udpechod
tr69c
webstyle
radvdconf
vcautohunt
vlanautohunt
sys
save_default
captiveportal
celld
zyims_watchdog
wanaslan
tr064
wakeOnLan
snmp
phonetest
dhcpmachash
udpportrange
mapp
redirect
buttondisable
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: burakkucat on January 24, 2019, 06:08:59 PM
And assuming I am able to roll back, then I should stay with an older firmware ?  :'(

That would best be discussed with other users of the same device.

Quote
And this is the list of commands I get when I type "help":

One command in that list caught my eye . . . "sys". I suspect that if you just enter that command without any arguments it will probably return a "help" message. Perhaps there will be something that can be used.

It would be good if other users could give their opinion(s) on your problem, as I can only offer general thoughts.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: hushcoden on January 24, 2019, 06:43:12 PM
Code:
> sys
Usage: sys <atsh|atwz|atsn|ledctl|btt|wanset|gphytest|atse|aten|linkhistory|usb|usbtest|wwanpackage|atmt|atmc|fwselect> [sys command option]
       sys show
       sys help
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 24, 2019, 06:49:39 PM
Some of the firmware release notes have previously referred to randomising the supervisor password and my suspicion is that if you clear ROM-D and then factory reset then that is when this  happens.
I believe that to be the case as I have factory reset my 8924 before, but only after I had saved my own config to ROM-D. In this scenario the randomisation has not occurred.
Hopefully rolling back will re-enable 'dumpmdm' and allow you to retrieve the new password.
I would then put a basic config into the device and save to ROM-D before reloading the latest firmware.
 :)
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: hushcoden on January 24, 2019, 07:16:46 PM
So, after a couple of hours I got there:

1) Rolled back to v.20, logged in as "admin" and retrieved the supervisor password with "dumpmdm"

2) Updated to v.21, "dumpmdm" still available once logged in as "admin" and supervisor password did not change  :police:

3) Updated to v.28,  "dumpmdm" not available once logged in as "admin" BUT supervisor password did not change  :angel:  and "dumpmdm" available once logged in as "supervisor"

Many thanks burakkucat and tubaman !
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: burakkucat on January 24, 2019, 08:32:58 PM
So, after a couple of hours I got there:

That's good to know.  :)

Quote
Many thanks burakkucat and tubaman !

You are welcome.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 24, 2019, 08:46:34 PM
Good news!
 ;D
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: facboy on June 28, 2019, 02:25:58 AM
for reference, i just used https://iam.tj/projects/zyxel/README.html to get the supervisor password on a VMG9024-B10A with 8924-B10A-AAKL24-jumboframes-oldtelnet-x6 firmware.

had to get a bit creative with firewall zones and netcat on my OpenWRT router as i am in bridged mode and so did not have network access from the Zyxel.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: ktz392837 on June 28, 2019, 08:26:16 AM


8924-B10A-AAKL24-jumboframes-oldtelnet-x6 firmware.
Do you happen to know where the message is that explains these firmwares and associated download link?  Thanks

Title: Re: VMG8924-B10A unbranded supervisor password
Post by: johnson on June 28, 2019, 09:09:46 AM
Do you happen to know where the message is that explains these firmwares and associated download link?  Thanks

Here:
https://forum.kitz.co.uk/index.php/topic,21545.msg381478.html#msg381478

I can't edit the post but the x6 firmware is labelled as such in the dropbox link. Any questions please ask.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: xlr8r on January 09, 2020, 11:14:25 AM
So, after a couple of hours I got there:

1) Rolled back to v.20, logged in as "admin" and retrieved the supervisor password with "dumpmdm"

2) Updated to v.21, "dumpmdm" still available once logged in as "admin" and supervisor password did not change  :police:

3) Updated to v.28,  "dumpmdm" not available once logged in as "admin" BUT supervisor password did not change  :angel:  and "dumpmdm" available once logged in as "supervisor"

Many thanks burakkucat and tubaman !

sadly, i followed your method and it did NOT work for me. i now have lost all supervisor access.

i only use this router for modem-bridge mode and it will be too much hassle to revert back to an older firmware to retrieve the supervisor password, only for it to do the same thing again after upgrading the firmware to .28.

i will just have to live with it as is now...  :(
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: xlr8r on January 09, 2020, 11:16:54 AM
Here:
https://forum.kitz.co.uk/index.php/topic,21545.msg381478.html#msg381478

I can't edit the post but the x6 firmware is labelled as such in the dropbox link. Any questions please ask.

sadly the link is broken or the OP has removed the firmwares from dropbox.

i would have liked to have tried one of them as i only use my 8324 in bridge mode (modem only).

if anyone still has these firmwares, please post new links. thanks
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: ktz392837 on January 09, 2020, 11:27:29 AM
if anyone still has these firmwares, please post new links. thanks

https://github.com/johnson442/custom-zyxel-firmware/releases
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: ktz392837 on January 09, 2020, 11:31:47 AM
sadly, i followed your method and it did NOT work for me. i now have lost all supervisor access.

i will just have to live with it as is now...  :(

Same thing happened to me.  You can get the new supervisor password by looking at the csemu (or something very similar) file and decoding the base64.  Can't remember the specifics but if you can't find them or if no one else posts, reply and I will dig out the notes I made.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: xlr8r on January 09, 2020, 11:39:43 AM
https://github.com/johnson442/custom-zyxel-firmware/releases

brilliant! many thanks

do u happen to know if i upgrade to one of these , it will allow supervisor password to be easily accessible from dumpmdm command ?

or are these just for these options ?;
jumbo - baby jumbo frames
tel - multiple telnet sessions
x1/6 - later adsl_phy.bin
stats - stats webserver
cmd - custom commands on boot

ALSO, since I'm already on .28 standard version firmware, could I just simply upgrade to the .28 custom firmware without having to do any factory resets or anything and will current config settings remain intact? It's just I am remotely connected to my home network from work and was going to attempt to upgrade the 8324 to the .28 custom firmware but don't want to lose remote connection for any longer than the router needs to reboot itself lol

Title: Re: VMG8924-B10A unbranded supervisor password
Post by: xlr8r on January 09, 2020, 11:42:27 AM
Same thing happened to me.  You can get the new supervisor password by looking at the csemu (or something very similar) file and decoding the base64.  Can't remember the specifics but if you can't find them or if no one else posts, reply and I will dig out the notes I made.

yes that would be great if not too much bother, i would like to be able to retrieve the supervisor password again.

many thanks
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: ktz392837 on January 09, 2020, 02:37:12 PM
The newer firmwares had the dump command removed so johnsons firmware will be the same as they are based on the official ones iirc.

For me I had to use hashcat on my 1312 to get the supervisor password and the csamu trick on the 8324.

For 8324 one of these should work (last one for me iirc):
Code:
cat /etc/passwd
cat /var/csamu
echo $(cat /etc/passwd)
echo $(cat /var/csamu)

Search Google for how to decode the base64 strings found in the files above.

I wouldn't risk a remote upgrade!

If you want more information on what each version of johnsons firmware provides use
https://github.com/johnson442/custom-zyxel-firmware/blob/master/README.md
Unless you know you need it iirc the v6 are NOT recommended I just went for the everything option
8x24-B10A-28-jumbo-tel-stats-cmd.bin
Now running a 1312 though
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: xlr8r on January 09, 2020, 03:05:36 PM
The newer firmwares had the dump command removed so johnsons firmware will be the same as they are based on the official ones iirc.

For me I had to use hashcat on my 1312 to get the supervisor password and the csamu trick on the 8324.

For 8324 one of these should work (last one for me iirc):
Code:
cat /etc/passwd
cat /var/csamu
echo $(cat /etc/passwd)
echo $(cat /var/csamu)

Search Google for how to decode the base64 strings found in the files above.

I wouldn't risk a remote upgrade!

If you want more information on what each version of johnsons firmware provides use
https://github.com/johnson442/custom-zyxel-firmware/blob/master/README.md
Unless you know you need it iirc the v6 are NOT recommended I just went for the everything option
8x24-B10A-28-jumbo-tel-stats-cmd.bin
Now running a 1312 though

thanks could you guide me a little through the initial part i.e. the csamu trick on the 8324 ?
Do i just putty or telnet in using normal admin and password and then type , echo $(cat /var/csamu)
i presume this gives some code that i need to "decode the base64 strings found in the files" ?
thanks

update - i tried using ;
> echo $(cat /var/csamu)

and got this ;

telnetd:error:317.879:processInput:599:unrecognized command echo $(cat /var/csamu)
> echo
telnetd:error:374.535:processInput:599:unrecognized command echo

2nd update - ahaa!! i got it using ;
cat /var/csamu
and base64'd it to text and it works!

many thanks for this

[Moderator edited to fix a typo.]
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Mike-UK on January 22, 2020, 05:33:12 PM
Hi just got myself a vmg8924, I've managed to retrieve the supervisor password so can log in, it was a John Lewis router and is running firmware 1.00(AAKL.24)C0, would I benefit from flashing Zyxel's latest firmware or should I keep it as is ??
Thanks
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 22, 2020, 06:44:29 PM
Hi just got myself a vmg8924, I've managed to retrieve the supervisor password so can log in, it was a John Lewis router and is running firmware 1.00(AAKL.24)C0, would I benefit from flashing Zyxel's latest firmware or should I keep it as is ??
Thanks

There are a number of bug fixes and security patches between AAKL.24 and the latest AAKL.28 version, so if it were me I'd update it. Be aware that the update could randomise the Supervisor password again. I think this happens if you clear the ROM-D before upgrading, so if you've saved a config back to it you should be ok.
 :)
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Mike-UK on January 22, 2020, 08:16:25 PM
Ok I'll have a go at updating it, I did try updating it via the admin login but said illegal file or something, I'm guessing that's due to not having Zyxel standard firmware upgrade permissions due to John Lewis, so will supervisor login allow me to upgrade?, and is it just a case of upgrading or do I need to wipe the ROM-D before, and will the passwords still be retrievable via the csamu command?
Thanks
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: ktz392837 on January 22, 2020, 11:50:59 PM
https://forum.kitz.co.uk/index.php?topic=19186.msg407783.msg#407783 and surrounding replies may be of use when debranding is sorted.

Update: just realised I have linked to the same thread ;) I am sure I have read how to debrand on this forum somewhere and I think Johnson's firmware is great
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 23, 2020, 10:31:52 AM
Ok I'll have a go at updating it, I did try updating it via the admin login but said illegal file or something, I'm guessing that's due to not having Zyxel standard firmware upgrade permissions due to John Lewis, so will supervisor login allow me to upgrade?, and is it just a case of upgrading or do I need to wipe the ROM-D before, and will the passwords still be retrievable via the csamu command?
Thanks
That's odd, as if the upgrade option is available it should work.
I assume you have unzipped the upgrade files and are pointing it to the right one in the set? There are usually four files in there - two PDFs, a blank config file, and the firmware file itself.
 :)
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Mike-UK on January 23, 2020, 01:05:01 PM
That's odd, as if the upgrade option is available it should work.
I assume you have unzipped the upgrade files and are pointing it to the right one in the set? There are usually four files in there - two PDFs, a blank config file, and the firmware file itself.
 :)

Hi, thanks for all your replies and help, it was probably a corrupted download as I had to download the firmware on my mobile as I couldn't figure out how to change ppp to not use a login, and looks like it was a corrupt file as I have now got the router to connect to my ISP and I downloaded the firmware again and extracted it and it was a larger size this time, although I did upgrade via supervisor account and now on .28

I'm on an ECI cabinet and been using the BT Openreach separate modem, thought I'd give a BC chip a try, so far no speed difference :(
Thanks
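
An added example, not part of any post in this thread: a Python check for the corrupted-download problem described in the post above, run on the firmware zip before its image is uploaded to the router. The member file names, the `.bin` suffix rule and the optional reference hash are assumptions; the sample archive is constructed to match the four-file layout mentioned earlier in the thread.

```python
import hashlib
import io
import zipfile
import zlib

FIRMWARE_SUFFIX = ".bin"                 # assumption: the image is the one .bin member
SAMPLE_IMAGE = bytes(range(256)) * 64    # constructed stand-in for a firmware image


def check_firmware_archive(data, expected_sha256=None):
    """Validate a downloaded firmware zip before its image is flashed."""
    report = {"ok": False, "firmware": None, "size": 0, "sha256": None, "problems": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        # A download cut short loses the central directory stored at the end.
        report["problems"].append(f"not a complete zip archive: {exc}")
        return report
    with archive:
        try:
            bad_member = archive.testzip()   # re-reads each member, checks CRC-32
        except (zipfile.BadZipFile, zlib.error, EOFError) as exc:
            report["problems"].append(f"archive unreadable: {exc}")
            return report
        if bad_member is not None:
            report["problems"].append(f"CRC mismatch in {bad_member}")
            return report
        images = [m for m in archive.namelist() if m.lower().endswith(FIRMWARE_SUFFIX)]
        if len(images) != 1:
            report["problems"].append(
                f"expected one {FIRMWARE_SUFFIX} file, found {len(images)}")
            return report
        image = archive.read(images[0])
    report.update(firmware=images[0], size=len(image),
                  sha256=hashlib.sha256(image).hexdigest())
    # Optional: compare with a reference hash obtained from a trusted source.
    if expected_sha256 and report["sha256"] != expected_sha256.lower():
        report["problems"].append("SHA-256 differs from the reference value")
        return report
    report["ok"] = True
    return report


def build_sample_archive():
    """Constructed archive: two PDFs, a blank config and the image (names hypothetical)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("release_note.pdf", b"%PDF-1.4 constructed release note")
        z.writestr("user_guide.pdf", b"%PDF-1.4 constructed user guide")
        z.writestr("blank_config.rom", b"constructed blank configuration")
        z.writestr("firmware.bin", SAMPLE_IMAGE)
    return buf.getvalue()


def flip_image_byte(data):
    """Simulate in-transit corruption: invert one byte inside the stored image."""
    offset = data.index(SAMPLE_IMAGE) + 100
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]


if __name__ == "__main__":
    good = build_sample_archive()
    for label, blob in (("intact", good),
                        ("truncated", good[: len(good) // 2]),
                        ("bit-flipped", flip_image_byte(good))):
        r = check_firmware_archive(blob)
        print(label, "OK" if r["ok"] else "REJECT", r["firmware"], r["problems"])
```

A CRC pass only shows that the archive arrived intact; it does not authenticate the image, which needs a reference hash from a source you trust.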
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: tubaman on January 23, 2020, 01:42:26 PM
Hi, thanks for all your replies and help, it was probably a corrupted download as I had to download the firmware on my mobile as I couldn't figure out how to change ppp to not use a login, and looks like it was a corrupt file as I have now got the router to connect to my ISP and I downloaded the firmware again and extracted it and it was a larger size this time, although I did upgrade via supervisor account and now on .28

I'm on an ECI cabinet and been using the BT Openreach separate modem, thought I'd give a BC chip a try, so far no speed difference :(
Thanks

Glad you got it working and commiserations for being on an ECI cabinet as you won't benefit from G.INP and xdB which can give very worthwhile speed boosts.
Broadcom chips don't give the best results for everyone - it really is a case of try it and see.
 :)
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Mike-UK on January 23, 2020, 02:59:11 PM
Yes, it is a bit of a bummer having an ECI cab, although I can't complain too much, my line length is around 500 meters and sync at 55.854 Mbps and get 6.2 downloads, so could be worse but could be better  :'(
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: ktz392837 on January 23, 2020, 03:09:25 PM
I'm on an ECI cabinet and been using the BT Openreach separate modem, thought I'd give a BC chip a try, so far no speed difference :(
Thanks
For me also not much speed difference but my 8924/1312a has far less errors.  Everyone's line is different so your experience may be different.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: Mike-UK on January 23, 2020, 03:51:19 PM
Unfortunately I have no stats from the previous modem to compare, Wi-Fi signal has improved over my Netgear unit and speeds have stayed the same, maybe DLM will be nice to me in the future
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: banger on February 05, 2020, 08:40:47 PM
Just tagging onto this thread but had some trouble getting rid of plusnet TR069 settings so had to downgrade to V7 and clear rom and save then upgrade back to V28 and the plusnet TR069 settings and URL had gone. There doesn't appear to be a way to change supervisor password on V28 unless I am missing something.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: burakkucat on February 05, 2020, 10:05:20 PM
. . . downgrade to V7 and clear rom and save then upgrade back to V28 and the plusnet TR069 settings and URL had gone. There doesn't appear to be a way to change supervisor password on V28 . . .

I suspect that changing the supervisor password whilst on "V7" and then upgrading would be the way to do it.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: banger on February 05, 2020, 10:30:47 PM
Thanks Mr B*kat. I have the V28 randomised password stored in a file and on firefox just in case.
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: digitalnemesis on September 02, 2020, 06:09:11 PM
Just wanted to post that this worked for me on VMG8924-B10A custom firmware 28-jumbo-tel-x6-stats1.1-cmd

Also once I found the supervisor password the dumpmdm command now works!

Cheers!

Code:
cat /var/csamu
Title: Re: VMG8924-B10A unbranded supervisor password
Post by: burakkucat on September 02, 2020, 06:14:23 PM
Busy kittehs have trouble remembering all the details, from months ago.  :D