OpenWrt Forum Archive

Topic: Zyxel P-2812HNU-F3-telenor debrand ?

The content of this topic has been archived between 30 Mar 2018 and 4 May 2018. Unfortunately there are posts – most likely complete pages – missing.

hello, anyone knows if there is a way to debrand this multimodem to zyxel default firmware.

i i got root acces to modem.
backed up all partitions of modem.

i have firmware file from zyxel site, but is not accepted at web-firmware upgrade.

do u guys know any way to manualy upgrade this modem.

thanks.

(Last edited by cornelus2009 on 5 Oct 2013, 15:41)

hello, today discovered something interesting.

at boot pressed 'z' key and got this

ROM VER: 1.0.5
CFG 01
DDR Access auto data-eye tuning Rev 0.3a
DDR size from 0xa0000000 - 0xa7ffffff
DDR check ok... start booting...



ZyU-F02-200-01AF003-V2.08|04/11|2011(BLN)

CLOCK CPU 500M RAM 250M
DRAM:  128 MB

 relocate_code start
 relocate_code finish.
Flash:  8 MB
128 MiB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   fw_addr=0xa0200000
Internal phy(GE) firmware version: 0x020c
setup MDIO for new GPHY
vr9 Switch
Hit any key to stop autoboot:  0
## Starting application at 0x85E80000 ...


Z-LOADER 2.0(Apr 11 2011)

NAND flash block size: 0x20000
ZLO>?
ZLGO              boot up the whole system
ZLGU              go back to U-Boot command line
ZLUA    x         upgrade ras image (whole image)
ZLUP    x         upgrade ras image (zboot+kernel+rootfs)
ZLO>ZLGU

=>## Application terminated, rc = 0x0
VR9 # ?
VR9 # ?
?       - alias for 'help'
askenv  - get environment variables from stdin
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
echo    - echo args to console
erase   - erase FLASH memory
flinfo  - print FLASH memory information
go      - start application at address 'addr'
help    - print online help
imls    - list all images found in flash
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version
VR9 #

think with ZLUP command can write default zyxel firmware ?

not work to write image

ZLO> zlup image.bin
Using vr9 Switch device
TFTP from server 192.168.1.33; our IP address is 192.168.1.1
Filename 'image.bin'.
Load address: 0x80000000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #####
done
Bytes transferred = 19992192 (1310e80 hex)
wrong signature
zboot verification fail

is there any available coomand there in vr9 with i can backup  flash to hard-disk ?

tftpboot only load, with md i can only display flash content.

found the basic start fuction.

- the device boots at adress b0000000, and load u-boot in memory.
- after he loads z-loader from adress b003b800 +10000 in memory.
- z-loader loads z-boot from adress b0040000 +20000.

strange is that i have 2 z-boot partitions, one start at b0040000 and second at b0060000, only difference from them is the build date.

stucked......

digged in default zyxel firmware and saw , at device is named P2812HNUL-F1, and my device from flash is P-2812HNU-F3.

Hi cornelus2009,

I have Zyxel P-2812HNU-F1 (from Telfort) and I'm trying to flash it with the default firmware ( P-2812HNU-F1_3.11(TUJ.0)C0 ).
I tried also to boot the bin file "311TUJ0C0.bin" from tftp server but without success.
Did you find how to flash from the "VR9 #" prompt?

Could you also, please, explain me how to get root on my device or how you got root on your device?

Thank you!

(Last edited by passero on 10 Oct 2013, 09:23)

from vr9, can do so much things.

to get root, follow this topic ROOT-P2812, dunno for sure if will work, on some firmwares works on others not.

after root, login with telnet and change passwords for ur accounts.

telnet <ip>
user = root
pass = 1234

then

cat /etc/passwd   to see ur users

after

zypasswd <user>
set ur wanted passwd
zypasswd <another user>
set ur wanted passwd

hope u succed with rooting.

passero,

if u succed with get root, can u provide me a copy of nor flash, maybe i can see changes made, why the routers reject default firmware.

to backup whole flash,need to login root and run

# cd /sbin

# dump_nor_flash.sh

and he will save the flash to tmp/fullimage.bin

thanks.

(Last edited by cornelus2009 on 12 Oct 2013, 08:49)

cornelus2009 wrote:

from vr9, can do so much things.

to get root, follow this topic ROOT-P2812, dunno for sure if will work, on some firmwares works on others not.

after root, login with telnet and change passwords for ur accounts.

telnet <ip>
user = root
pass = 1234

then

cat /etc/passwd   to see ur users

after

zypasswd <user>
set ur wanted passwd
zypasswd <another user>
set ur wanted passwd

hope u succed with rooting.




Hi cornelus2009,

first of all thanks for  your reply.
I already try (but I did again just in case) this procedure but unfortunally in the backup file (config.bin) lines that must be modify are not present (actually are present but are empty):

        <Shadow>
          <Value PARAMETER="configured" TYPE="string" LENGTH="4095"></Value>
          <Size PARAMETER="configured" TYPE="uint16" MAX="4095" MIN="0">216</Size>
        </Shadow>
        <Passwd>
          <Value PARAMETER="configured" TYPE="string" LENGTH="4095"></Value>
          <Size PARAMETER="configured" TYPE="uint16" MAX="4095" MIN="0">336</Size>
        </Passwd>

When I try to use telnet, the connection will close as soon as I type root end press enter.
When I try to use ssh, I always receive wrong password (after 5 times the connection drop).

Do you know what is and how to calc the "Size PARAMETER" above?
I'm trying to find an alternative version of my firmware from Telfort but without lucky.
If you have other ideas please let me know.

Thank you!

PS: I also tryed to provide (by tftp) to "V9" prompt this image: openwrt-lantiq-ar9-P2601HNFX-squashfs.image
and then boot it, again without success. Some suggestions?

(Last edited by passero on 12 Oct 2013, 12:54)

the size parameter, u will get selecting the length of those caracters, or give me a copy of ur config file on rodycor@yahoo.com, i will modify for u.

hi, can show me a list of files located in  "/sbin" folder of ur device ?
i need to see if we can make backup of bootloader.

there are some differences.

the big one is this

f3 - have 2 flashes (NOR + NAND)
f1 - have only NAND

ur device was branded, and u succeded to upgrade zyxel-firmware with that modifications in fwupgrade_erase_write file ?

can u attach a usb device and try to run  "nanddump" command ?

I need some options help ...

# nanddump
Usage: nanddump [OPTIONS] MTD-device
Dumps the contents of a nand mtd partition.

           --help               display this help and exit
           --version            output version information and exit
-f file    --file=file          dump to file
-i         --ignoreerrors       ignore errors
-l length  --length=length      length
-o         --omitoob            omit oob data
-b         --omitbad            omit bad blocks from the dump
-p         --prettyprint        print nice (hexdump)
-s addr    --startaddress=addr  start address
#

there is no way to backup bootoader from there, he ask for a mtd device that not represent bootloader.

anyway today bricked my f3, trying to burn a default zyxel f3 bootloader.

i discovered jtag pinout, but i can't read nothing about device in jtag chain.

only option left for me is to desolder nor flash and program externaly.

cornelus2009 wrote:

there is no way to backup bootoader from there, he ask for a mtd device that not represent bootloader.

anyway today bricked my f3, trying to burn a default zyxel f3 bootloader.

i discovered jtag pinout, but i can't read nothing about device in jtag chain.

only option left for me is to desolder nor flash and program externaly.


I'm new to this discussion, so shoot me if I'm off on what you're trying to achieve, but...

Can't you easily dump the bootloaders from U-boot?

First note, I don't have a "telenor" P-2812, so you probably need to adapt offsets to your box.

0. connect to serial port. My P-2812 runs at 115200;N;8;1
1. Boot device and quickly hit 'z' --> ZLO --> 'zlgu' to get to u-boot prompt.
2. VR9 # printenv

Gives output:

bootcmd=nand read 0x86a80000 0x0001C000 10000; go 0x86a80000
..
..
..

So, it reads sector from NAND into 0x86a80000 and runs it --> This example is "z-load".
So to dump z-load:
3. VR9 # nand read 0x86a80000 0x1c000 10000   (think I saw you post that the "telenor" z-load probably is at 0xb003b800)
4. md 0x86a80000 10000 (dumps everything to screen)
5. log this to file, write 10 lines of python to convert "text dump" to z-load.bin and there's the first bootloader (MIPS u-boot standalone application)

To dump Zboot (next loader in chain):
1. VR9 # nand read 0x86a90000 0x20000 20000 (these offsets are easily guessed from dump of z-load.bin. Just look in the binary)
2. md 0x86a90000 20000
3. reuse python converter script to get zboot.bin

These two puppies can easily be reversed and you'll find what''s needed to be able to flash (magics, etc.)

Now to my question. Where did you find the JTAG pin out?
Can you please post a picture?

JTAG is so much more interesting than the serial port smile

u are helping alot

cau u have the kindness to make a backup of ur bootloader and send to me to compare with my default zyxel .bm file, that bricked my device ?

i posted here the jtag pinout, and output of some jtag tools.

http://www.tiaowiki.com/forums/index.ph … 209.0.html

the source was here

http://wiki.openwrt.org/_detail/media/t … 3Atd-w8970

can u post me the python source files thing, to convert log to binary ?

thanks.

(Last edited by cornelus2009 on 25 Oct 2013, 09:29)

cornelus2009 wrote:

u are helping alot

cau u have the kindness to make a backup of ur bootloader and send to me to compare with my default zyxel .bm file, that bricked my device ?

i posted here the jtag pinout, and output of some jtag tools.

http://www.tiaowiki.com/forums/index.ph … 209.0.html

the source was here

http://wiki.openwrt.org/_detail/media/t … 3Atd-w8970

can u post me the python source files thing, to convert log to binary ?

thanks.

Here's a simple python script to convert text log from "md" command to binary files:

import sys
import struct
import binascii

print "[*] Will convert hex dumps (strings) from U-boot \"md\" command output to .bin files"

# Example line in input file (Big endian):
# 86a80010: afbf002c afb30028 afb20024 afb10020    ...,...(...$... 

if len(sys.argv) < 3:
    print "[*] Run like: <script>.py <md output logfile> <outfile>" 
    exit(1)

fh = open(sys.argv[1],"r")
fhOut = open(sys.argv[2],"wb")

for line in fh.readlines():
    linearr = line.split(' ')
    for i in xrange(1,5):
        fhOut.write(binascii.a2b_hex(linearr[i]))
fhOut.close()

I'm not sure you want my bootloaders, as they are compiled for my specific HW, Zyxel P-2812HNUL-F1, with hardcoded offsets (e.g. bases 0x86a80000 (z-load) and 0x86a90000 (zboot)). You'll need to get someone with your "telenor" branded model to dump their bootloaders.

Thanks for the JTAG pin out. Might try this one day.

i asked for ur bootloader, to make a comparation of bytes arranged in file, to make an ideea what is different from original f1 boot and original f3.

thanks.

@passero

passero wrote:

I already try......please let me know.

Another get root method working on UNbranded F1
Use for ping:
;telnetd -p 24 -l /bin/sh;

# telnet 192.168.1.1 24
Entering character mode
Escape character is '^]'.
# whoami
root
#

(Last edited by oxo on 26 Oct 2013, 11:01)

Sorry, posts 26 to 25 are missing from our archive.