Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: lurch on March 21, 2021, 07:41:09 PM

Title: Zyxel VMG3925-B10B and nowtv
Post by: lurch on March 21, 2021, 07:41:09 PM
Looking at replacing my nowtv hub 2 with a Zyxel VMG3925-B10B and no matter what option 60/61 values I use it fails to connect.

i've extracted option 60
2.90.2471.R|004|NR801|xxxxxxxxxxxx and converted to hex

option 60 I extracted but understand any combination can be used i.e
dsklfjdsklfewui9e7r@nowtv|zzzzzzzz and converted to hex

is there anything i'm doing wrong/missing form these boxes?

https://i.ibb.co/0BJKGqC/Screenshot-2021-03-21-193855.jpg
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: burakkucat on March 21, 2021, 10:55:18 PM
Welcome to the kitz forum.  :)

From your description, it seem (to me) that you have done everything right. However I am not fully up-to-date with the usage of DHCP Option 61, so I really cannot comment any further.

Other members should be able to assist . . . So please wait for subsequent posts.
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: meritez on March 22, 2021, 10:13:49 AM
Welcome to the forums lurch,

@siofjofj made a very detailed post on a gui limitation on the zyxel vmg8x24 regarding option 60 and 61: https://forum.kitz.co.uk/index.php/topic,25176.0.html

Would you be able to confirm the firmware version on your vmg3925-b10b?
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: lurch on March 22, 2021, 12:57:54 PM
Hi thanks for the welcome. It was actually that post that helped me get this far. It's currently running

V5.13(AAVF.12)C0

There is one newer version available on their ftp site should I upgrade?

As an aside i've jsut found VMG1312-B10A running Current Firmware Version: V1.00(AAJZ.1) I could use if this is a better option?

The router will be used for it's parental controls for a non tech savy parent and the 3925 has a more user friendly gui.
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: meritez on March 22, 2021, 01:55:00 PM
I do not think the latest firmware will help, as it's not mentioned in the changelog: ftp://ftp.zyxel.com/VMG3925-B10B/firmware/VMG3925-B10B_5.13(AAVF.13)C0_2.pdf

I'm interested to see if @siofjofj patch would work on the new web interface, or if you will need to downgrade to the older web interface.
Awaiting to see if anyone else will reply
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: meritez on March 29, 2021, 06:50:17 PM
@lurch, did you get anywhere with the vmg1312?

Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: siofjofj on March 29, 2021, 08:17:29 PM
Sorry I'm a bit late to this, I must have missed this thread somehow.

Quote from: lurch on March 21, 2021, 07:41:09 PM
i've extracted option 60
2.90.2471.R|004|NR801|xxxxxxxxxxxx and converted to hex
It is not necessary to include option 60 for Sky/NowTV (though doesn't hurt).

Quote from: lurch on March 21, 2021, 07:41:09 PM
option 60 I extracted but understand any combination can be used i.e
dsklfjdsklfewui9e7r@nowtv|zzzzzzzz and converted to hex
I believe the username can't quite be anything, it has to be 12 hexadecimal digits. Something like abcdef123456@nowtv|abcd1234 would suffice.

Quote from: lurch on March 22, 2021, 12:57:54 PM
It's currently running V5.13(AAVF.12)C0 There is one newer version available on their ftp site should I upgrade?
While I do not own a VMG3925-B10B, I note that this (http://ftp://ftp2.zyxel.com/VMG3925-B10B/user_guide/VMG3925-B10B_V5.13_5.50.pdf) version of the manual includes on page 125
LABELDESCRIPTION
Option 61Select this and enter any string that identifies the device.
IAIDEnter the Identity Association Identifier (IAID) of the device, for example, the WAN connection index number.
DUIDEnter the hardware type, a time value and the MAC address of the device.
whereas this (http://ftp://ftp2.zyxel.com/VMG3925-B10B/user_guide/VMG3925-B10B_1.00.pdf) older versions suggests on page 65 that only the IAD and DUID can be used (as in your screenshot). Perhaps the newest firmware will allow you to enter the string directly (as in my bold above), rather than as a IAID and DUID? The description in my other thread about setting the IAID to 00000000 is only relevant if using the custom firmware on that page, otherwise the router will insert a bunch of extra stuff that will prevent authentication.

If the newest firmware still doesn't allow entry of an option 61 string, try entering
Code: [Select]
IAID: 00000000
DUID: 616263646566313233343536406e6f7774767c6162636431323334 (this is abcdef123456@nowtv|abcd1234 as hex)
and then capture the result using Wireshark (like you did for extracting the credentials from the NowTV router) and post it here. The mention of "hardware type" in the manual when describing what goes in the DUID gives a hint that the VMG3925 might not have a hardcoded type field, so we might be able to engineer suitable IAID and DUID hex values which will work on the stock firmware (which was impossible for the VMG8924 due to the hardcoded type bytes sent too).

Quote from: lurch on March 22, 2021, 12:57:54 PM
As an aside i've jsut found VMG1312-B10A running Current Firmware Version: V1.00(AAJZ.1) I could use if this is a better option?
The VMG1312-B10A firmware is very similar to that of the VMG8924-B10A and definitely has no versions available which allow direct entry of an option 61 string. They also would not be as good a choice for a combined modem/router/access point as they are only wireless-n capable, not ac like the VMG8924 and VMG3925.

Quote from: meritez on March 22, 2021, 01:55:00 PM
I'm interested to see if @siofjofj patch would work on the new web interface, or if you will need to downgrade to the older web interface.
Something similar to my patch certainly could be made (though I'm sorry to say I don't have time to investigate this at the moment) for the VMG3925 with the new web interface, as the patch itself actually has nothing to do with the web interface whatsoever. It is a modification to the DHCP client itself which results in it ignoring what was entered in the IAID field, not sending any of the 'type' bytes and just passing through the DUID field as-is. Bit of a bodge really.
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: meritez on March 30, 2021, 12:38:26 PM
@siofjofj thank you, I slowly realised that it's a backend patch when reading the patch file.

So if the udhcp package here: https://github.com/trejan/VMG3925-B10B/tree/master/dl was edited it might work?

Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: siofjofj on March 30, 2021, 06:28:42 PM
Quote from: meritez on March 30, 2021, 12:38:26 PM
So if the udhcp package here: https://github.com/trejan/VMG3925-B10B/tree/master/dl was edited it might work?
Possibly. My patch applied to the options.c file in the source of the VMG8924-B10A, however a quick look at the same file for the VMG3925-B10B reveals somthing very different that is not doing any of the processing of option 61. A quick grep though the entire udhcp source for the strings 'DUID', 'IAID', '61' and '0x3d' (61 in hex) revealed nothing. My assumption would be that the actual option 61 string is now being created somewhere else (no idea where, it will probably need tracing back from the GUI. Could perhaps try grepping through the entire source for some relevant strings?
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: lurch on April 07, 2021, 04:37:11 PM
Hi @siofjofj

Thanks for the info much appreciated.

I have upgrade to f/w ftp://ftp.zyxel.com/VMG3925-B10B/firmware/VMG3925-B10B_5.13(AAVF.13)C0.zip

When I try and add DUID abcdef123456@nowtv|abcd1234 I get a "No special characters allowed" error it does however accept the hex value like the previous firmware i.e 616263646566313233343536406e6f7774767c6162636431323334

I used IAID: 00000000

I have NOT populated the option 60 box.

I will now need to go to my friends house and try it on their nowtv line to see if it works/capture wireshark. If it doesn't work is there anything else I can try while i'm there to save me making another trip?
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: siofjofj on April 07, 2021, 05:13:33 PM
Quote from: lurch on April 07, 2021, 04:37:11 PM
I have upgrade to f/w ftp://ftp.zyxel.com/VMG3925-B10B/firmware/VMG3925-B10B_5.13(AAVF.13)C0.zip

When I try and add DUID abcdef123456@nowtv|abcd1234 I get a "No special characters allowed" error it does however accept the hex value like the previous firmware i.e 616263646566313233343536406e6f7774767c6162636431323334
What I had more in mind was that there might be an additional box that actually allows direct entry of the string when on the latest firmware. I take it this is not the case then and the manual is a little unclear.

Quote from: lurch on April 07, 2021, 04:37:11 PM
I will now need to go to my friends house and try it on their nowtv line to see if it works/capture wireshark. If it doesn't work is there anything else I can try while i'm there to save me making another trip?
I am next to certain the configuration you currently have will not work. Try capturing the result using Wireshark first (you will need to create a broadband connection of type 'Ethernet' that is otherwise set up with the same parameters as you would use for VDSL, then capture the result using a PC connected to the Zyxel's WAN port). What we need for this to work is for the captured option 61 parameter to be exactly the same hex string you inputted preceded by 3d 1b (3d = 61 in decimal for the option type and 1b = 27 in decimal for the length of the string). If you post exactly what wireshark captures we may be able to come up with something.
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: lurch on April 10, 2021, 02:24:10 PM
Hi I have created a connection on the eth wan port with same details as when I did the xDSL port.

Option 61
DUID: 616263646566313233343536406e6f7774767c6162636431323334 (abcdef123456@nowtv|abcd1234)
IAID: 00000000

Wireshark shows option 61 as
="ÿa0bdcdd639e0@nowtv|aGPcpEmG

https://i.ibb.co/L6DtN7p/Screenshot-2021-04-10-141513.jpg
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: siofjofj on April 10, 2021, 02:31:44 PM
Bad news I'm afraid then. It looks like the VMG3925-B10B does exactly the same thing as the VMG8924-B10A: it inserts 0xff at the beginning of the option 61 string and then 0x00 0x02 between the IAID and DUID. There's nothing you can do about this from the GUI, it will need some form of modified firmware for this to work.
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: lurch on April 10, 2021, 02:38:34 PM
Ahh damn, is this something you would be able to modify the firmware to fix?
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: siofjofj on April 10, 2021, 03:29:40 PM
I'm afraid I'm not well placed to do this as I don't own this device so would be doing it somewhat blind, plus I have less free time than when I produced the patch for the VMG8924. Sorry.

If anyone else on the forum fancies giving it a go, after a bit of digging through the source tree it looks like the file at ./dl/public/zyxel/libzcfg_fe_dal-1.0/zcfg_fe_dal_broadband.c has something to do with it, although it gets modified significantly at build time by the patches in ./package/public-zyxel/libzcfg_fe_dal/patches and I'm having some difficulty piecing it all together.
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: siofjofj on April 11, 2021, 12:54:57 PM
Found it!

In ./package/public-zyxel/libzcfg_fe_dal/patches/322-ZYXEL_ENHANCE_CLI_move_dhcp_option_60_61_encode_decode_from_GUI_to_DAL_FrankFang.patch, the function 'int opt61ValEncode' is defined (no corresponding function exists in the original source file targeted by the patch). It is

Code: [Select]
+int opt61ValEncode(char *iaid, char *duid, char *encVal, int tag){
+ if(encVal)
+ strcpy(encVal,"");
+
+ //*(iaid+4)='\0';
+
+ int strLen = 1+4+2+(strlen(duid)/2);
+ char tagStr[2]={0};
+ char hexLen[2]={0};
+
+ intToHexStr(tag,tagStr);
+ strcat(encVal,tagStr);
+
+ intToHexStr(strLen,hexLen);
+ strcat(encVal,hexLen);
+
+ strcat(encVal,"ff");
+ strcat(encVal,iaid);
+ strcat(encVal,"0002");
+ strcat(encVal,duid);
+
+ return 1;
+}

Rather than messing around trying to make patches of patches, a suitable modification to this file would be to replace the above with
Code: [Select]
+int opt61ValEncode(char *iaid, char *duid, char *encVal, int tag){
+ if(encVal)
+ strcpy(encVal,"");
+
+ //*(iaid+4)='\0';
+
+ int strLen = strlen(duid)/2;
+ char tagStr[2]={0};
+ char hexLen[2]={0};
+
+ intToHexStr(tag,tagStr);
+ strcat(encVal,tagStr);
+
+ intToHexStr(strLen,hexLen);
+ strcat(encVal,hexLen);
+
+ //strcat(encVal,"ff");
+ //strcat(encVal,iaid);
+ //strcat(encVal,"0002");
+ strcat(encVal,duid);
+
+ return 1;
+}
Which simply removes the parts of the code which insert 0xff, the IAID, 0x00 and 0x02. It also modifies the string length computation such that it gives the right value with all the other stuff removed.

So @lurch, do you want me to go ahead and build this for you, bearing in mind I have absolutely no way of testing it so flashing such a firmware will be at your own risk? Also, the firmware source on github linked above is not the latest, so it might be better to request the latest one from here https://www.zyxel.com/us/en/form/gpl_oss_form.shtml (https://www.zyxel.com/us/en/form/gpl_oss_form.shtml) (I can't do this as it needs the router's serial number).
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: lurch on April 11, 2021, 01:40:54 PM
@siofjofj that would be awesome if you could do a modified firmware file and yes I take full responsibility if it turns it into a brick.
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: siofjofj on April 11, 2021, 06:54:24 PM
Right, try this https://www.dropbox.com/s/0quvrw9kqxhgw64/5.13%28AAVF.12%29C0-opt61.bin?dl=0 (https://www.dropbox.com/s/0quvrw9kqxhgw64/5.13%28AAVF.12%29C0-opt61.bin?dl=0)
This is the 5.13(AAVF.12)C0 firmware for the VMG3925-B10B with the edits to the handling of the option 61 parameters such that the DUID is passed through as is, and the IAID and all type bits are neglected.

Flash it to your router and, assuming it boots, try creating a WAN connection with
IAID = 00000000 (or any other 8 hex digits, this is now ignored but the GUI will insist on you entering 8 hex digits)
DUID = 616263646566313233343536406e6f7774767c6162636431323334 (this is abcdef123456@nowtv|abcd1234 as hex, you could use any other properly formatted string if you wish)
and then capture the result using Wireshark. If this worked, the result should be 3d1b616263646566313233343536406e6f7774767c6162636431323334. Please post the result in HEX and ASCII if unsure.
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: lurch on April 11, 2021, 07:31:45 PM
So loaded your firmware

Current Firmware Version: V5.13(AAVF.12)C0
IAID = 00000000
DUID = 616263646566313233343536406e6f7774767c6162636431323334 (abcdef123456@nowtv|abcd1234 as hex)

wiresshark output

Code: [Select]
=abcdef123456@nowtv|abcd1234
Code: [Select]
0000   ff ff ff ff ff ff 5c 6a 80 5d bd 3f 08 00 45 00   ......\j.].?..E.
0010   02 40 00 00 00 00 40 11 78 ae 00 00 00 00 ff ff   .@....@.x.......
0020   ff ff 00 44 00 43 02 2c 78 55 01 01 06 00 60 82   ...D.C.,xU....`.
0030   dd 47 00 00 00 00 00 00 00 00 00 00 00 00 00 00   .G..............
0040   00 00 00 00 00 00 5c 6a 80 5d bd 3f 00 00 00 00   ......\j.].?....
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00e0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00f0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0100   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110   00 00 00 00 00 00 63 82 53 63 35 01 01 3d 1b 61   ......c.Sc5..=.a
0120   62 63 64 65 66 31 32 33 34 35 36 40 6e 6f 77 74   bcdef123456@nowt
0130   76 7c 61 62 63 64 31 32 33 34 37 06 01 03 06 0c   v|abcd12347.....
0140   0f 1c ff 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0150   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0160   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0170   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01a0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01b0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01c0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01d0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01e0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01f0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0200   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0210   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0220   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0230   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0240   00 00 00 00 00 00 00 00 00 00 00 00 00 00         ..............
So looks like it's done the trick :cool:
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: siofjofj on April 11, 2021, 07:40:58 PM
Quote from: lurch on April 11, 2021, 07:31:45 PM
So looks like it's done the trick :cool:
Agreed, it looks good. This will almost certainly work on VDSL now. Just a pointer on this, when my connect my VMG8924 to my NowTV VDSL connection the WAN connection initially fails, and takes a few minutes to connect after the VDSL connection has synced. Not sure why this is, but if you find your VMG3925 fails to connect just wait a few minutes and see if it comes up.

I've attached the patch to this post for the record. If someone wants to compile a different version of the firmware themselves, the patch replaces ./package/public-zyxel/libzcfg_fe_dal/patches/322-ZYXEL_ENHANCE_CLI_move_dhcp_option_60_61_encode_decode_from_GUI_to_DAL_FrankFang.patch
Title: Re: Zyxel VMG3925-B10B and nowtv
Post by: lurch on April 11, 2021, 07:46:15 PM
You absolute legend! I have requested the latest firmware from https://www.zyxel.com/us/en/form/gpl_oss_form.shtml and tomorrow I will try your patched firmware on the nowtv connection and let you know. Thanks for the heads up about the conneciton delay after syncing. I really appreciate you doing this for me and the community ;)