Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2 3 ... 6

Author Topic: Unbranding the ZyXel VMG8324-B10A  (Read 72545 times)

dmcdonnell

  • Member
  • **
  • Posts: 93
Unbranding the ZyXel VMG8324-B10A
« on: May 10, 2014, 11:54:02 AM »

This device is branded by some ISPs. The unbranding method here is generic, it will replace the ISP locked firmware with the latest ZyXel firmware. You need serial access to the device, it takes time to transfer 23Mb via serial. If you mess up, you will brick your device and that is your responsibility.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.05.10 11:35:41 =~=~=~=~=~=~=~=~=~=~=~=

CFE>
CFE> ATSH                <---- Dump Manufacturer Info

FW       Version       : 1.32(VQG.4)b2
External Version       : 1.00(AAHA.4)b2
Bootbase Version       : V1.59 | 02/01/2013 17:48:02
Vendor Name            : MitraStar Technology Corp.
Product Model          : DSL-2492GNU-B1B
Serial Number          : S130Y11094800
WPA-PSK                : 47ee8e55e21e
First MAC Address      : 000000000000
Last MAC Address       : 00000000000B
MAC Address Quantity   : 12
Default Country Code   : EB
Boot Module Debug Flag : 00
RootFS      Checksum   : ae3bc848 
ImageDefaultChecksum   : a2095f79 
Main Feature Bits      : 00
Other Feature Bits     :
4d 53 60 09 00 00 00 00-00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00-00 00 00 00 00 00 
 
*** command status = 0
CFE>
CFE> ATSE DSL-2492GNU-B1B          <---- Generate Random Seed Number for Product Model

00023E000000
OK
*** command status = 0

Enter seed number (00023E000000) in ZynPass or here: http://www.tonycool.es/zyxel/zynpass_en.htm
to generate password

CFE>
CFE> ATEN 1, 10F0A59F             <---- Unlock the Device with password

OK
*** command status = 0
CFE>
CFE> ATWZ EC43F6470F58, 01, 01, 00, 0C      <---- Set MAC addr, Country, EngDbgFlag, FeatureBit, # of MACs
MAC address  : 0C:43:F6:47:0F:58      <---- This is not an error, 1st byte changes
Country Code : 01
EngDebugFlag : 01
FeatureBit   : 00
MAC Number   : 0C
*** command status = 0
CFE>
CFE> ATHE                <---- List the, now extended, Command Set
Available commands:

ATMC                Bootup device with SMT rom file
ATSW                Show WPAPSK or change WPAPSK
ATMT                reduce manufacture bootup time for wireless calibration
ATHV                write Hardware Version to flash ROM
ATSN                write Series Number to flash ROM
ATPA                set wireless power index
ATWZ                write MAC addr, Country code, EngDbgFlag, FeatureBit, MAC Number to flash ROM
ATSE                show the seed of password generator
ATEN                set BootExtension Debug Flag
ATCR                Clear console screen
ATBT                block0 write enable
ATTE                Restore to TE configuration
ATRD                xmodem upload ROM-D
ATLC                xmodem upload defaultcfg
ATSH                dump manufacturer related data in ROM
ATUB                xmodem upload bootloader
ATUR                xmodem upload router firmware to flash ROM
ATUW                xmodem upload flash image to flash ROM
ATIR                Set ImageDefault to ROM-D partition
ATER                Erase ROM-D partition
ATBL                Print boot line and board parameter info
ATAF                Change board AFE ID
ATBP                Change board parameters
ATIP                Change booline parameters
ATDU                Dump memory or registers.
ATWW                Set memory or registers.
ATBR                Reset to default Romfile
ATGO                boot router
ATSR                system reboot
ATTB                Write the cfe image into flash
ATTR                upload router firmware to flash ROM from TFTP Client
ATTW                Write the whole image start from beginning of the flash
ATNR                Reinitialize NAND flash
ATRM                Dump flash data
ledhon              Turn on the specific LED with high
ledhof              Turn off the specific LED with high
ledlon              Turn on the specific LED with low
ledlof              Turn off the specific LED with low
ledh                Blink all LEDs with pulling high
ledl                Blink all LEDs with pulling low
ATMB                Use for multiboot.
ATRT                Test memory.
ATHE                print help

For more information about a command, enter 'help command-name'
*** command status = 0
CFE>
CFE> ATBT 1                <---- Enable write

OK
*** command status = 0
CFE>
CFE> ATUR               <---- Starts xModem update, you need to send the firmware file to the device n go for a coffee
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #1 on: May 10, 2014, 12:10:11 PM »

Excellent.  Well done for figuring out how to do this.  :dance:

I take it that you now have an ex-eircom F1000 router running on your line as an unlocked ZyXel VMG8324-B10A

Out of interest what do you think?  Stats and performance any better than the BT modem?
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

dmcdonnell

  • Member
  • **
  • Posts: 93
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #2 on: May 10, 2014, 09:21:42 PM »

I take it that you now have an ex-eircom F1000 router running on your line as an unlocked ZyXel VMG8324-B10A

Yes, but via ADSL as, sadly, I am not yet on fibre. Thank you for the firmwares. Greatly appreciated.
Logged

dmcdonnell

  • Member
  • **
  • Posts: 93
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #3 on: May 18, 2014, 12:38:00 PM »

...I take it that you now have an ex-eircom F1000 router running on your line as an unlocked ZyXel VMG8324-B10A

I do now :)

We switched ISP from Vodafone to Eircom a couple of days back to get fibre. Eircom provided a new locked F1000 which I replaced this morning with the unbranded F1000. I then followed your instructions for VDSL - Note that the VLAN settings required for Eircom are different:

802.1p should be 0 (zero)
802.1q should be 10

I am no expert an VDSL, below are the stats. I hope to unbrand my 2 remaining locked F1000s this pm.
               
============================================================================
    VDSL Training Status:   Showtime
                    Mode:   VDSL2 Annex B
            VDSL Profile:   Profile 17a
            Traffic Type:   PTM Mode
             Link Uptime:   0 day: 0 hour: 12 minutes
============================================================================
       VDSL Port Details       Upstream         Downstream
               Line Rate:     16.355 Mbps       34.813 Mbps
    Actual Net Data Rate:     16.356 Mbps       34.814 Mbps
          Trellis Coding:         ON                ON
              SNR Margin:        9.0 dB           15.8 dB
            Actual Delay:          0 ms              0 ms
          Transmit Power:        2.3 dBm          12.3 dBm
           Receive Power:      -17.3 dBm          -9.6 dBm
              Actual INP:       29.0 symbols      30.0 symbols
       Total Attenuation:       19.5 dB           21.9 dB
Attainable Net Data Rate:     17.234 Mbps       58.375 Mbps
============================================================================
      VDSL Band Status    U0      U1      U2      U3      D1      D2      D3
  Line Attenuation(dB):  4.6    27.8    41.1     N/A    13.5    34.8    53.3   
Signal Attenuation(dB):  4.6    27.1    39.8     N/A    18.1    34.5    53.3   
        SNR Margin(dB):  9.0     9.0     9.0     N/A    15.7    15.7    15.8   
   Transmit Power(dBm):-13.0   - 3.1     0.5     N/A     8.4     7.8     6.2   
============================================================================

            VDSL Counters

           Downstream        Upstream
Since Link time = 12 min 3 sec
FEC:      39      0
CRC:      0      0
ES:      0      0
SES:      0      0
UAS:      0      0
LOS:      0      0
LOF:      0      0
LOM:      0      0
Latest 15 minutes time = 12 min 32 sec
FEC:      39      0
CRC:      0      0
ES:      0      0
SES:      0      0
UAS:      29      29
LOS:      0      0
LOF:      0      0
LOM:      0      0
Previous 15 minutes time = 0 sec
FEC:      0      0
CRC:      0      0
ES:      0      0
SES:      0      0
UAS:      0      0
LOS:      0      0
LOF:      0      0
LOM:      0      0
Latest 1 day time = 12 min 32 sec
FEC:      39      0
CRC:      0      0
ES:      0      0
SES:      0      0
UAS:      29      29
LOS:      0      0
LOF:      0      0
LOM:      0      0
Previous 1 day time = 0 sec
FEC:      0      0
CRC:      0      0
ES:      0      0
SES:      0      0
UAS:      0      0
LOS:      0      0
LOF:      0      0
LOM:      0      0
Total time = 12 min 32 sec
FEC:      39      0
CRC:      0      0
ES:      0      0
SES:      0      0
UAS:      29      29
LOS:      0      0
LOF:      0      0
LOM:      0      0
============================================================================
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #4 on: May 19, 2014, 09:01:59 PM »

Quote
We switched ISP from Vodafone to Eircom a couple of days back to get fibre.

Excellent :)

Quote
I hope to unbrand my 2 remaining locked F1000s this pm.

Let us know how it goes.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

aavid60

  • Just arrived
  • *
  • Posts: 1
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #5 on: May 28, 2014, 04:19:16 PM »

Hi have got down to were you upload the new firmware but have not succeeded. can you please tell me how to do this
Logged

dmcdonnell

  • Member
  • **
  • Posts: 93
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #6 on: May 30, 2014, 04:28:39 PM »

.. can you please tell me how to do this

It depends.

On Windoze you need a terminal emulator that supports xmodem file transfer protocol to send the firmware file once you have entered the final CFE command:
....
CFE> ATBT 1                <---- Enable write

OK
*** command status = 0
CFE>
CFE> ATUR               <---- Starts xModem update, you need to send the firmware file to the device..


I don't have Windoze so you'll have to google it but there are several free softwares that should work. Once you get to the point that the ZyXel is waiting for the firmware, find the command to send the file via xmodem in the software you choose.

On linux, I followed the advice below which works fine.

the best way to pass a file through xmodem is to use 'sx'. In debian this application is part of 'lrzsz' package.

In debian:

apt-get install screen lrzsz

screen /dev/ttyUSB0 115200

Then press Ctrl-A followed by : and type:

exec !! sx yourbinary.bin

This will send the file to ttyUSB0 over xmodem protocol

« Last Edit: May 30, 2014, 04:47:26 PM by dmcdonnell »
Logged

dmcdonnell

  • Member
  • **
  • Posts: 93
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #7 on: September 01, 2014, 03:23:03 PM »

FYI, I spotted a post on OpenWRT forums: https://forum.openwrt.org/viewtopic.php?id=50968

"I have managed to flash OpenWRT to my 963168VX_P400 board". Not much information, I have asked the OP for further details, namely how to build an image in OWRT Trunk.

The board id on the ZyXel VMG8324-B10A is 963168VX, according to the bootlog, http://pastebin.com/kaS2Md2D

Sadly, of course, xDSL is never likely to be supported under OpenWRT on this board.
Logged

dmcdonnell

  • Member
  • **
  • Posts: 93
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #8 on: September 05, 2014, 02:34:13 PM »

Finally found some information of the Feature Bits that can be set from CFE on ZyXel hardware. Posting here for reference.

Code: [Select]
;/************************************************************************
; *
; *  Copyright (C) 2008 ZyXEL Communications, Corp.
; *  All Rights Reserved.
; *
; * ZyXEL Confidential; Need to Know only.
; * Protected as an unpublished work.
; *
; * The computer program listings, specifications and documentation
; * herein are the property of ZyXEL Communications, Corp. and shall
; * not be reproduced, copied, disclosed, or used in whole or in part
; * for any reason without the prior express written permission of
; * ZyXEL Communications, Corp.
; *
; *************************************************************************/
;/*
;** $Log: MRD format $
;** Initial revision
;*/

;
;Parameter file format:
;
;Start    # of    Data    Parameters
;Addr    Param    Type
;-----    ------    ------    ----------
;<Hex>    <Dec>    1(Str)
;        2(Hex)
;

;typedef struct mrd
;{
;uint8    VendorName[32];
1feb8    26        1        ZyXEL Communications Corp. ;

;uint8    ProductName[32];
1fed8    13        1        P-2812HNUL-F1

;uint8    EtherAddr;
1fef8    *        2        00 13 49 11 66 88

;uint8    CountryCode;
1fefe    *        2        ff ff

;uint8    FeatureBits[256];
1ff00    *        2        06 00 00 04    ; [00] ~ [03]: Model ID (0xff means unknown)
1ff04    *        2        19                   ; [04] : ImagePlan (0xff means unknown)
                                                       ; Bit 0: Double Image (0: No double image, 1: support double image)
                                                       ; Bit 1: Image Upgrade Mechanism (0: full function, 1: rescue function)
                                                       ; Bit 2: Support device tree (0: No, 1: Yes)
                                                       ; Bit 3: Kernel and RootFS is merged into one RAS image(0: No, 1: Yes)
                                                       ; Bit 4: Double MRD_CERT (0: single MRD_CERT, 1: support double MRD_CERT)
                                                       ; Bit 5 ~ Bit 7: Reserved
1ff05    *        2        01                   ; [05] : Flash Number (1: one flash, 2: two flash)
1ff06    *        2        00 ff f8 00       ; [06] ~ [09]: Image version of max upgrade count for double image use
1ff0a    *        2        01                   ; [10] : Engineer debug flag (0: disable, 1: enable)
1ff0b    *        2        00                   ; [11] : Embed Flag (embed rootfs into kernel image. 0: kernel and rootfs separate, 1: kernel combination with rootfs)
1ff0c    *        2        01                    ; [12] : model ID checking flag (0:disable checking, 1:enable checking)
1ff0d    *        2        00                    ; [13] : Reserved
1ff0e    *        2        00                    ; [14] : Reserved
1ff0f    *        2        00                     ; [15] : Reserved
1ff10    *        2        00 00 00 00     ; [16] ~ [19] : Reserved
1ff14    *        2        00 00 00 00     ; [20] ~ [23] : Reserved
1ff18    *        2        00 00 00 00     ; [24] ~ [27] : Reserved
1ff1c    *        2        00 00 00 00      ; [28] ~ [31] : Reserved
1ff20    *        2        01                    ; [32] : NORPageSize (0: 8K, 1:64K, 2:128K for device tree update)
1ff21   *               2               08              ; [33] : MAC Address Quantity
1ff22   *               2               00 00 00        ; [34] ~ [36] : HW Version
1ff25   13              1        fffffffffffff   ; [37] ~ [50] : Serial Number
1ff33   *               2               00              ; [51] : Main feature bits
1ff34   *               2               ff ff ff ff     ; [52] ~ [75]: DDR calibration data
1ff38   *               2               ff ff ff ff     ;
1ff3c   *               2               ff ff ff ff     ;
1ff40   *               2               ff ff ff ff     ;
1ff44   *               2               ff ff ff ff     ;
1ff48   *               2               ff ff ff ff     ;
1ffff   *               2               00              ; [76] ~ [255]: Reserved
;}
;/[code]
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #9 on: September 05, 2014, 06:30:25 PM »

You seem to be doing pretty well, but some of this stuff is  bit over my head when it comes to hacking the router, hence me not being able to contribute.
Keep up the good work :)
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

dmcdonnell

  • Member
  • **
  • Posts: 93
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #10 on: September 05, 2014, 07:23:28 PM »

Serial access is very simple for anyone with a USB to TTL serial cable. The router board can be removed easily and it has a serial header in place - no soldering.

Using putty on Linux, or kitty :) on windoze, you can watch it boot and hit any key to get to the CFE. I should very much like to see the output of the ATSH command on the OEM ZyXel.

From an f1000:

CFE> ATSH                <---- Dump Manufacturer Info

FW       Version       : 1.32(VQG.4)b2
External Version       : 1.00(AAHA.4)b2
Bootbase Version       : V1.59 | 02/01/2013 17:48:02
Vendor Name            : MitraStar Technology Corp.
Product Model          : DSL-2492GNU-B1B
Serial Number          : S130Y11094800
WPA-PSK                : 47ee8e55e21e
First MAC Address      : 000000000000
Last MAC Address       : 00000000000B
MAC Address Quantity   : 12
Default Country Code   : EB
Boot Module Debug Flag : 00
RootFS      Checksum   : ae3bc848 
ImageDefaultChecksum   : a2095f79 
Main Feature Bits      : 00
Other Feature Bits     :
4d 53 60 09 00 00 00 00-00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00-00 00 00 00 00 00
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #11 on: September 05, 2014, 07:52:48 PM »

Serial access is very simple for anyone with a USB to TTL serial cable. The router board can be removed easily and it has a serial header in place - no soldering.

Using putty on Linux, or kitty :) on windoze, you can watch it boot and hit any key to get to the CFE.

And as that should be done without the device being connected to the VDSL2 circuit, it is something well within Kitz' ability.  ;)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #12 on: September 06, 2014, 03:16:20 AM »

I dont have a USB to TTL serial cable :/

Aside from that the OEM VMG8324's are now exceedingly hard to get hold of. They seem to be out of stock in the UK  Although I do have a couple of other brand VDSL routers and a couple of modems, the Zyxel is easily my favourite of the lot (and the one I saved my pennies up for), so its the one which Id be most nervous about opening up for fear of breaking something.  I may at some point open one of the other routers, but Im not an electronics fiddler type person when it comes to router internals. :(
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #13 on: September 06, 2014, 05:39:53 PM »

I dont have a USB to TTL serial cable :/

Aside from that the OEM VMG8324's are now exceedingly hard to get hold of. They seem to be out of stock in the UK  Although I do have a couple of other brand VDSL routers and a couple of modems, the Zyxel is easily my favourite of the lot (and the one I saved my pennies up for), so its the one which Id be most nervous about opening up for fear of breaking something.  I may at some point open one of the other routers, but Im not an electronics fiddler type person when it comes to router internals. :(

Understood.  :)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

HDTechVideo

  • Member
  • **
  • Posts: 38
Re: Unbranding the ZyXel VMG8324-B10A
« Reply #14 on: September 14, 2014, 10:17:47 AM »

Could you please provide the USB to TTL color code to connect with F1000 modem. Do we need any driver for connecting this to windows 7.
In F1000 I can see 4 pins (1,2,3,4,5 - 4 is missing) in my usb cable there is Gren, Black, White and Red cables.
« Last Edit: September 14, 2014, 04:51:16 PM by HDTechVideo »
Logged
Pages: [1] 2 3 ... 6
 

anything