@oxo

Hi oxo.

I was looking for argument for ATSE command in GPL source files and I found:

[file = zboot_sub.c]

/* show the seed of the password generator */
int
do_atse (int argc, char *argv[])
{
    char tmp[60], sig[] = MRD_ATSE_SIGNATURE;
    static u_int32_t seeder = 0;

    if (argc != 1) {
        error_msg(ERROR_MSG_ARG_NUM_ERR);
        return -1;
    }

    if (strncmp(argv[0], sig, sizeof(sig))) {
        error_msg(ERROR_MSG_ARG_ERR);
        return -1;
    }

    seeder = get_timer(0);
    if (seeder == 0) {
        seeder = get_timer(0);
    }
    seeder &= 0xffffff;

    g_pw_timestamp = seeder;

    sprintf(tmp, "%06X", g_pw_timestamp);
    sprintf(tmp, "%s%02X%02X%02X\n", tmp, g_mrd_ptr->EtherAddr[3], g_mrd_ptr->EtherAddr[4], g_mrd_ptr->EtherAddr[5]);
    puts(tmp);

#if 0
    printf("passwd=%x\n",generate_pw());
#endif

    return 0;
}
/* do_atse */

where MRD_ATSE_SIGNATURE stands for

#define MRD_ATSE_SIGNATURE        "P-2812HNUL-F1"

in file zboot_main.h

Maybe P-2812HNUL-F1 is the argument in ATSE command ... could you test it, please?

if mac address is ab:cd:ef:gh:ij:kl
this command generate string like this
xxxxxxghijkl

x=every time different hex symbol

it works!!
cool!

atse P-2812HNUL-F1
output string i bring into ZynPass JS v.0.1.4b generation form
and get workable password for aten command

yahoooo)

(Last edited by zerg on 10 Dec 2013, 22:23)

Hi zerg.

Please confirm procedure.

So you have to use:

ZHAL>ATSE P-2812HNUL-F1

The result of ATSE command is a string like this: xxxxxxghijkl where your MACaddess was something like ab:cd:ef:gh:ij:kl

Then you used ZynPass JS v.0.1.4b generation form to calculate ATEN password and it works.

Is it right?

(Last edited by asmartin on 10 Dec 2013, 21:47)

yess!

//remark
i test this  not on a p2812hnu(l)-f(1/3) device but on the device with the same hardware(lantiq vr9)/software platform.

i only can approve that this algorithm  give full access to advanced debug commands   for zyxel's  lantiq vr9 platform devices.

its win.

(Last edited by zerg on 10 Dec 2013, 22:08)

Please could you tell me which router/platform you used?

Because I also have the bootbase 3.04 from GLP sources that zyxel provided me, so it's possible to upload the bootbase and the original firmware from zyxel

(Last edited by asmartin on 10 Dec 2013, 21:59)

Ok, but did you use P-2812HNUL-F1 as argument for ATSE command? or just ATSE command without argument?

Could you please show a complete list of available commands once you have activated debug flag (with ATEN)?, you can list the command set between code marks ...

Thanks in advance.

(Last edited by asmartin on 10 Dec 2013, 22:18)

list of commands is the same
but now you get full access to all of them.

atse P-2812HNUL-F1
this string will give you seed for passgen for aten command.

THANK YOU.

I already bricked my P-2812HNU-F1, but I probably will purchase other branded to try to unbrand and show the process here.

@oxo

Do you have any branded router yet?

Now you can upload the bootbase with ATBU command (After ATBT 1), and the original firmware with ATUR. By this way, you will have one router like original F1.

I can compile one bootbase with valid signature, same version 3.04 than original zyxel routers have. If you are interested, just requested em by email.

@zerg

I have prepared the original bootbase file (no oob) with oob info using mkoobimg (from gpl  source code that zyxel provided to me). I can provide to you this bootloader image to upload with ATUB, to test is, are you agree?

Note ATUB manage oob images, not just bin files, because of NAND ECC algorithms, as indicated by zyxel.

(Last edited by asmartin on 11 Dec 2013, 12:33)

thank you.
but
i dont own sabj of this thread.
i dont need .bm for it.

my interest was to get full access to debug commands on a vr9_lantiq_zyxel platform.
you guys help me to understand and test working algorithm to get it.
have a nice zyxel)

Hi,

I just found this thread and I have a branded P-2812HNUL-F1.

Tested the ATSE command which worked as expected. Do you have a bootloader image uploaded on dropbox?

for me, on ZYXEL P-2812HNU-F3 TELENOR, not work any of those combinations.

ATSE P-2812-HNU-F1
ATSE P-2812-HNUL-F1
ATSE P-2812-HNU-F3
ATSE P-2812-HNUL-F3

BUT

work this

ATSE DSL-2492HNU-L3v2 

and for who don't have the tool to find password from seed use this:

zyxel-seed

(Last edited by cornelus2009 on 13 Dec 2013, 19:02)

Congratulations cornelus2009!!!!

It shows kind of work zyxel does with branded routers (they don't use original router bootbase but a strange mixture ofbootbase and firms).

@notez

This is the link to my ZyXEl P-2812HNU-F1 dropbox folder. File /bootloader/304TUJ.bm is the file that you have to upload using ATBT 1 and later ATUB:

          ZyXEL P-2812HNU-F1 DropBox by asmartin

And upload original zyxel firmware image (/311TUJ0C0/311TUJ0C0.bin) with ATUR before reseting the router.

(Last edited by asmartin on 14 Dec 2013, 18:33)

GREAT JOB Cornel!!!

How did you find the X parameter for ATSE command?. I obtained the one for F1 model from searching into GPL source files.

Hi notez.

Could you tell me brand and firmware version of your router?

Thanks

from my source code also.

Hi passero.

Finally I changed the firmware sucessfully (now working with my new P-2812HNU-F1).

Does you router have blinking leds or the router does nothing?

Did you try to web-login as supervisor?. It shows a new menu called Login Privilege to assig different menues to each user.

It's a bit more privilege than admin

(Last edited by asmartin on 22 Dec 2013, 15:22)

Added new threat to unbrand F1 router

         ZyXEL P-2812HNU-F1 Unbranding Process

@oxo

Do you have a TelenorRemoteAdmin folder in your router's /home folder?, I found it in mine once I changed from 3.11(TUJ.3) to 3.11(TUJ.0) firmware.

I activated SFTP access from web and then used WinSCP

(Last edited by asmartin on 22 Dec 2013, 09:33)

pay attention that you do not use this .bin files
https://forum.openwrt.org/viewtopic.php … 64#p215864
with atub bootloader update procedure
couse this bin files may be used with  u-boot commands shell only by
nand write
command

to use atub command under ZHAL commands shell to update bootloader you need to use .bm files
https://forum.openwrt.org/viewtopic.php … 57#p219657

(Last edited by zerg on 23 Dec 2013, 16:56)

No, DON'T use those files with ATUB or any other shell because they don't have OOB info, so you will not be able to upload (maybe you will obtain a "checksum error"). That's why I customized the bootloader as indicated in other threat.

Yo need oob files to program de nand. It's how the info in the nand is stored, with OOB (partial checksum) info, one block for each 2048 bytes. That's why bootloader has more than 128Kbytes, due to OOB overhead.

(Last edited by asmartin on 23 Dec 2013, 17:19)

I'm trying to make a supervisor account, but when I create one I can't use it to log in at the web-gui.

# adduser -S supervisor
adduser: /home/supervisor: Read-only file system
Changing password for supervisor
New password:
Retype password:
Password for supervisor changed by root

What am I doing wrong?

(Last edited by hjortland1 on 30 Dec 2013, 11:20)

I am trying to unbrand my ZyXEL P2813HNU-f3 from telenor, i have gained access to root and gotten into the telenorremoteadmin user but i can't figure out what it takes to unbrand it and restore it with Zyxel original firmware.

I have rootet the device via Ethernet cable and i can't add a "supervisor" account, the account gets created as a LinuxUser.

If anyone could help i would really love it, don't like what telenor does to their branded routers.

If anyone could provide a idiotproof guide to to this i would love it.

this model cannot be unbranded.