Latest firmware from ZyXEL : 1.00(AAC3)C0
Topic: ZyXEL P-2812HNU-F1 Unbranding Process
The content of this topic has been archived between 9 Apr 2018 and 19 Apr 2018. Unfortunately there are posts – most likely complete pages – missing.
Nice, a kernel upgrade. Wonder why.
Have you already installed it? *Can* it be installed on 3.11(TUJ.0)C0? Does the webinterface still contain some holes to get root access? Does the firmware still run a user script, if available?
BTW, why would ZyXEL restart at 1.00? Just to confuse customers?
To answer my own questions: Yes, 1.00(AAC3)C0 can be installed over 3.11(TUJ.0)C0 using the webinterface, and no, all ways to get a shell (known to me) are patched.
Some work to do.
BTW, I tried this on a 2nd crippled box, which I first unbranded using the instructions on this thread. And again I had the same problems I had the first time.
asmartin,
Nice new FW !!
Lot of more options in it, great.
I had 2 same devices, 1 is working fine now 107 days
--
Device Information
Host Name: DGZyXEL01
Model Name: P-2812HNU-F1
MAC Address: b0:b2:dc:0x:xx:xx
Firmware Version: V3.10(TUJ.0)
System Status
System Up Time: 107 days, 9:29
Current Date/Time: Tue May 6 23:57:10 CEST 2014
--
Although I messed (F#%#&%ED) up my 3.06 (strangely enough earlier 31-3) boot code, on this one.
When I started to flash my second, I also did the boot code to (regular?) 304TUJ.bm (v3.04).
No problem in functioning, but I intended to leave it on 3.06, I don't have the original now anymore. (Maybe you have that 3.06 code?)
But, anyway it's working!
I updated from 311TUJ0C0.bin to 100AACC3C0.bin within the webinterface with no problems.
If you want you can even have serial output of all actions
I'll now try to run file sharing & VPN on it too.
Zyxel boot versions seen:
- ZyU-F02-300-20AA003-V3.06|03/31|2011(TUE) (This one i DONT have anymore)
- ZyU-F02-300-20AA003-V3.04|04/01|2011(TUJ) (I only have this one running)
Regards, DG.
P.S. I now see that my longest running router runs 3.10 still 3.11 has already the 'more' options.
(Last edited by DGDodo on 8 May 2014, 20:13)
Jil,
About your remark changing the MAC address the following:
After: Repeat steps 7 and 13 to get access to ZyU console,
To change the MAC address, only the last 6 bytes can be changed?
And the serial number went to ffffffffffff?
1st change the serial number again (auto reboot will follow)
Then, again Repeat steps 7 and 13 to get access to ZyU console,
The command ATWZ should be used, instead of ATWM! To change the MAC address
Also an automatic reboot will follow, after which all my settings are the same as on the box itself!
(This was tested running FW 100AACC3C0.bin)
Regards, DG.
(Last edited by DGDodo on 8 May 2014, 11:09)
asmartin,
Perfectly new firmware, but ...
You have any idea where to download the new Bootbase version: V3.01|04/02|2013(AAKI) ??
ZyXEL itself writes in http://www.zyxel.com/za/en/uploads/imag … I.0)b7.pdf
ZyXEL P-2812HNU-F1 RSA
V3.00(AAKI.0)b7
Release Note
Date: Nov. 13, 2013
Supported Platforms:
ZyXEL P-2812HNU-F1
Versions:
Bootbase version: V3.01|04/02|2013(AAKI)
Firmware version: V3.00(AAKI.0)b7
DSL code version: 5.3.3.11.1.1
WLAN code version: Ralink3062-2.3.0.0
Voice code version: 3.13.0 IFX TAPI
But nowhere to download this Bootbase code
Regards, DG.
As mentioned in the docs from 13 Nov 2013, I now have fw version V3.00(AAKI.0)b7 running
Only still on older bootcode V3.04, but it's working. With even more VPN options.
ZHAL> atsh
ZLD Version : V3.00(AAKI.0)b7
Bootbase Version : V3.04|04/01|2011(TUJ)
Vender Name : ZyXEL Communications Corp.
Product Model : P2812HNUL-F1
Serial Number : S110Y4xxxxx39
First MAC Address : CC5D4Exxxxx0
Last MAC Address : CC5D4Exxxxx7
MAC Address Quantity : 08
Default Country Code : FF
Boot Module Debug Flag : 01
RootFS Checksum : 000022da
Kernel Checksum : 00009dbf
RomFile Checksum : 000071c2
Main Feature Bits : 00
Other Feature Bits :
00 01 02 03 18 01 00 ff-f8 00 01 00 00 00 00 00
00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
Boot process is now as follows, with Z-Boot 3.0.0(Nov 13 2013):
ROM VER: 1.0.5
CFG 06
NAND
NAND Read OK
DDR Access auto data-eye tuning Rev 0.3a
DDR size from 0xa0000000 - 0xa7ffffff
Start DDR tuning [\]
Read DQS Delay Slice0 :0000001f
Read DQS Delay Slice1 :00000020
Write DQS Delay Slice0 :00000064
Write DQS Delay Slice1 :00000069
ZyU-F02-300-20AA003-V3.04|04/01|2011(TUJ)
CLOCK CPU 500M RAM 250M
DRAM: 128 MB
relocate_code start
relocate_code finish.
128 MiB
=>new DDR param:88888888-00141F04-00142004-00566404-00566904-00003200
=>old DDR param:00000000-00000000-00000000-00000000-00000000-00000000
ZyXEL: DDR parameter is changed, but we ignore it!!
*** Warning - bad CRC or NAND, using default environment
In: serial
Out: serial
Err: serial
Net: fw_addr=0xa0200000
Internal phy(GE) firmware version: 0x020c
setup MDIO for new GPHY
vr9 Switch
Hit any key to stop autoboot: 0
NAND read: device 0 offset 114688, size 65536 ... 65536 bytes read: OK
## Starting application at 0x86A80000 ...
Z-LOADER 3.0(Apr 1 2011)
NAND flash block size: 0x20000
Select 1st zboot image...
go 0x86a90000
## Starting application at 0x86A90000 ...
Z-Boot 3.0.0(Nov 13 2013)
we get zloader version: 3.0
Hit any key to stop autoboot: 3
Regards, DG.
(Last edited by DGDodo on 15 May 2014, 00:14)
Hi. Could someone possibly point me in the right direction for something I want to do with this router.
I only have Telnet access and do not have Serial access yet. I am going to order the serial cable this weekend though.
I am not super knowledgeable with routers. But is there a way to alter a file on this router so I can run something at boot up? As obviously any writes to configuration files are reset on a boot.
Is that even possible?
rhole,
With WINSCP this should be possible. http://en.wikipedia.org/wiki/WinSCP
But it depends on the user and its authority you log into the router with.
DG.
rhole,
With WINSCP this should be possible. http://en.wikipedia.org/wiki/WinSCP
But it depends on the user and its authority you log into the router with. DG.
Thank you.
What's the very latest firmware for this router? Is it V3.00(AAKI.0)b7 or V1.00(AACC.3)?
My router had v3.11 custom ISP firmware on it. I connected via Serial cable and followed the unbrand guide which worked perfectly. With no scary moments haha. So thank you asmartin!
I installed the 100AACC3C0.bin firmware through the ZyU console with Serial cable and TFTP server and not through the Web interface. On boot this gave me 8Mbit higher possible 'max attainable' VDSL sync than with older firmware.
But I am a little confused as to the very latest firmware. ZyXel have very strange numbering!
I still have root access to v1.00 firmware, but I guess that is because the configuration was saved from before?
EDIT: since I flashed v1.00 firmware through the console I did have to use ATWZ as DGDodo said to set the MAC address. The other command was not found.
(Last edited by rhole on 20 May 2014, 20:46)
I still have root access to v1.00 firmware
Root access? How?
Root access? How?
I flashed the 1.00 firmware file via the serial console. Like in the unbrand guide. Set the serial numbers and MAC etc like it shows in the unbrand guide. Then on boot everything worked as before. It kept my configuration including root access via Telnet and WinSCP. But now on V1.00(AACC.3) firmware.
EDIT: I originally had locked 3.11 firmware from ISP. I was given the Supervisor password for my ISP 3.11 firmware. I got root access on 3.11 by following a guide to edit the Config.rom file.
(Last edited by rhole on 22 May 2014, 13:07)
I confirm that the settings from 3.11 subsist when upgrading to 1.00. I downgraded back to 3.11, got root access, stored a root password, and upgraded again. My root password persisted.
I did some further investigation on the config file. This is my passwd file stored in the config file:
<Passwd>
<Value PARAMETER="configured" TYPE="string" LENGTH="4095">_encrypted_U2FsdGVkX1+hK8fbaQUyUVrTbLdtzGqmowiiUYx3M8hnjlWAYRSt+7ENzVcsaGAF
uxqtHKQW96g8w+CeWXFEbRltV/YDr4WlTEiAmbSFHRbU3tGueq+OEoNtterctV81
Pa6jcANBkmqeM2LAcB0nuYU1vFH/ZNbjjAXx+9rdnjHMjW7fU8X2WLio0TJVp/f5
kCSPrM801irG6hIilkpPH2flMG/4uw/3wii2digst7xNVZL+6Ya63YVd16PYXPIP
B6j6CmbnBzJrVFOVIdDQ6VdrCvG6ifMuZXy7bn0E4VQ=
</Value>
<Size PARAMETER="configured" TYPE="uint16" MAX="4095" MIN="0">192</Size>
</Passwd>
The _encrypted_ already tells it, it's encrypted. By grepping for 'Passwd' in the firmware I found that the xml file is read/written by /usr/bin/config_proc. This file also contains the strings
echo -n "%s" | /usr/bin/openssl enc -aes-256-cbc -a -salt -k %s
echo "%s" | /usr/bin/openssl enc -d -aes-256-cbc -a -salt -k %s
so it's clear this does the encryption. By bindmounting a script on /usr/bin/openssl, I found the key: thisistheencryptkey
Unencrypting is done this way:
echo <base64-string-from-config> | openssl enc -d -aes-256-cbc -a -salt -k thisistheencryptkey | base64 -d | gunzip >passwd
and reencrypting:
cat passwd | gzip | base64 | openssl enc -aes-256-cbc -a -salt -k thisistheencryptkey
The Size PARAMETER in the xml file is the size of the input of openssl:
cat passwd | gzip | base64 | wc -c
...
Unencrypting is done this way:
echo <base64-string-from-config> | openssl enc -d -aes-256-cbc -a -salt -k thisistheencryptkey | base64 -d | gunzip >passwd
Thank you for this, I have a slightly different ZyXel model, VMG8324-B10, and I wondered if your technique applies?
My config file looks like this:
<Name>Administrator</Name>
<ConsoleLevel>2</ConsoleLevel>
<Use_Login_Info instance="1">
<UserName>admin</UserName>
<Password>_encrypted_iWksqOgOfd+edhsLS4TRvGVybmV0R2F0ZXdheQAAAEE=</Password>
<Modified>TRUE</Modified>
</Use_Login_Info>
<Use_Login_Info nextInstance="2"></Use_Login_Info>
</X_5067F0_Login_Group>
<X_5067F0_Login_Group instance="2">
<GroupKey>2</GroupKey>
I try to decrypt using:
echo _encrypted_iWksqOgOfd+edhsLS4TRvGVybmV0R2F0ZXdheQAAAEE= | openssl enc -d -aes-256-cbc -a -salt -k thisistheencryptkey | base64 -d | gunzip >passwd
But get:
error reading input file
gzip: stdin: unexpected end of file
I would greatly appreciate any advice you may have to offer.
When I just decode the base64 part of the code, I get this:
echo iWksqOgOfd+edhsLS4TRvGVybmV0R2F0ZXdheQAAAEE= | base64 -d | hexdump -C
00000000 89 69 2c a8 e8 0e 7d df 9e 76 1b 0b 4b 84 d1 bc |.i,...}..v..K...|
00000010 65 72 6e 65 74 47 61 74 65 77 61 79 00 00 00 41 |ernetGateway...A|
00000020
That doesn't look encrypted. I can imagine that some padding is added when there is not enough data, but I would expect that to be encrypted, to hide the amount of real data.
I guess you don't have shell access?
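An added example, not part of the thread or of any ZyXEL code: a format check for `_encrypted_` config values that tells apart the `openssl enc -a -salt` layout used on the P-2812HNU-F1 (whose value above begins with `U2FsdGVkX1`, the base64 of `Salted__`) from values such as the VMG8324-B10 one, which lack that header and so cannot be fed to the same pipeline. The function name and result labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not from the thread or from ZyXEL firmware.
# `openssl enc -a -salt` output decodes to: 8-byte magic "Salted__",
# 8-byte salt, then AES-CBC ciphertext in whole 16-byte blocks.
SALTED_MAGIC_HEX=53616c7465645f5f    # "Salted__" in hex

# classify_blob VALUE -> prints one of:
#   openssl-salted | salted-but-truncated | not-openssl-salted | invalid-base64
classify_blob() {
    value=${1#_encrypted_}            # drop the config-file marker if present
    tmp=$(mktemp) || return 2
    # openssl -a wraps base64 at 64 columns, so strip whitespace first
    if ! printf '%s' "$value" | tr -d ' \n\r\t' | base64 -d >"$tmp" 2>/dev/null
    then
        rm -f "$tmp"
        echo "invalid-base64"
        return 0
    fi
    size=$(wc -c <"$tmp" | tr -d ' ')
    # Compare the first 8 bytes as hex so binary data never reaches the shell
    magic=$(head -c 8 "$tmp" | od -An -tx1 | tr -d ' \n')
    rm -f "$tmp"
    if [ "$magic" != "$SALTED_MAGIC_HEX" ]; then
        echo "not-openssl-salted"
    elif [ "$size" -lt 32 ] || [ $(( (size - 16) % 16 )) -ne 0 ]; then
        echo "salted-but-truncated"
    else
        echo "openssl-salted"
    fi
}

# The VMG8324-B10 value quoted in the thread
classify_blob '_encrypted_iWksqOgOfd+edhsLS4TRvGVybmV0R2F0ZXdheQAAAEE='
# Constructed sample with the openssl layout (magic + salt + one block)
classify_blob "_encrypted_$(printf 'Salted__12345678ABCDEFGHIJKLMNOP' | base64)"
```

A value that fails this check was produced by a different routine than the `config_proc` pipeline described earlier, so the binary that writes that model's XML has to be identified first.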
..I guess you don't have shell access?
I have limited shell access via telnet. Entering echo && bash provides a shell for a few minutes before a timeout terminates the session.
The /usr/bin/config_proc file is not present.
Grepping for 'Password' on the whole tree (leave /proc /dev and /sys) should show which binary/script creates the XML file.
But first you need a more stable shell. Can't you just start a (loginless) telnet daemon on a non-privileged port?
telnetd -l /bin/sh -p 10023
Or, if the firmware does a 'killall telnetd', maybe
busybox telnetd -l /bin/sh -p 10023
..first you need a more stable shell.
Sadly,
#telnetd -l /bin/sh -p 10023
telnetd: invalid option -- l
telnetd:error:417.058:main:524:bad arguments, exit
However, Grepping for 'assw' found this:
/sbin # cat des3_encrypt.sh
#!/bin/sh
OPTION="$1"
INPUTFILE="$2"
OUTPUTFILE="$3"
PROGRAM=`basename $0`
OPENSSL=/bin/openssl
CAT=/bin/cat
RM=/bin/rm
PASSWD=N3z0y93
#####################################################################################################
# usage
usage()
{
echo ""
echo "Copyright (C) ZyXEL Communications, Corp. All Rights Reserved."
echo "Usage: $PROGRAM [option] [input filename] [output filename]"
echo "$PROGRAM: A Simple Script to Encrypt/Decrypt file using openssl"
echo "option : e [Encrypt], d [Decrypt]"
echo "Examples:"
echo " $PROGRAM e /var/pdm/config.rom /tmp/config.enc"
echo ""
exit 1
}
filenotfound()
{
echo "Error! Input file not found."
exit 1
}
optnotfound()
{
echo "Error! Option not support."
echo "option : e [Encrypt], d [Decrypt]"
exit 1
}
#####################################################################################################
test -n "$OPTION" || usage
test -n "$INPUTFILE" || usage
test -n "$OUTPUTFILE" || usage
test -e "$INPUTFILE" || filenotfound
case $OPTION in
"e")
$OPENSSL enc -e -des3 -pass pass:$PASSWD -in $INPUTFILE -out $OUTPUTFILE
;;
"d")
$OPENSSL enc -d -des3 -pass pass:$PASSWD -in $INPUTFILE -out $OUTPUTFILE
;;
*)
optnotfound;
;;
esac
exit 0
Not sure how to proceed. Thanks again for your guidance
You have a login, don't you? So you can also try without the -l
telnetd -p 10023
That script is not useful, I think. It is designed to en/decrypt files. But that _encrypted_base64= is an output of a piped string. Using that key and cypher I was not able to decrypt your password. Was this the only file showing up?
Slightly offtopic, but does anyone happen to have a v2.6.32 source tree for P2812-HNU-F1?
Mijzelf:
Hi, I have read your story. Did you (and how) succeed with unbranding (I guess KPN or Telfort) ZyXEL? Because I'm at the point that I flashed both "304TUJ.bm" and "311TUJ0C0.bin" and I'm at a point that I can access only the serial console and nothing more.
thanks
step[at]n.cz
Yes, I did. Twice, on 2 different boxes. It seems the configuration is not always cleared, as you can read somewhere in this thread. The remedy is here. But beware, as you can read further on this doesn't work for everybody. But it worked for me.
Hi, I tried unbranding mine but it still did not change the default usernames and passwords. Mine came with a non-standard username password configuration. None of the root or admin defaults worked for me after unbranding. Is there any solution around this? Otherwise the device is stuck as a useless modem.
Even the reset to default does not set the password to the default 1234
Anyone have the Bootbase version 3.09 to share ?
I successfully unbranded a WMG3326 model that is basically the same as P-2812HNU-F1 but without the VoIP ports.
Have another branded WMG3326 model in stock as well and would be interested in experimenting the unbranding process with the newest Bootbase version.
(Last edited by kenlee70 on 24 Aug 2014, 11:51)
Can anybody help please?
I've got a P-2812HNU-F1. I factory reset the unit using the pin hole. I can get to the Zyxel web login page at 192.168.1.1 but can't access any of the accounts as they are not the default admin/1234, user/1234, etc.
I followed asmartin's guide to enable the debug flag and load bootbase 304TUJ.bm and firmware 311TUJ0C0.bin.
ZLD Version : V3.11(TUJ.0)
Bootbase Version : V3.04|04/01|2011(TUJ)
Vender Name : ZyXEL Communications Corp.
Product Model : P-2812HNUL-F1
I've reset the device again but I still can't access any of the accounts.
How do I reset or add the accounts and passwords with only access to the ZHAL> and ZLO> prompts via serial and I don't have telnet or root access?
Does anyone have any ideas?
Sorry, posts 76 to 75 are missing from our archive.