OpenWrt Forum Archive

Topic: ZyXEL P-2812HNU-F1 Unbranding Process

The content of this topic has been archived between 9 Apr 2018 and 19 Apr 2018. Unfortunately there are posts – most likely complete pages – missing.

I try all posible move but ...... not take cfg 06
R15+r20+r24
ROM VER: 1.0.5
CFG 04
UART

r20+r24
Board: ZyXEL P-2812HNU-Fx
SoC:   Lantiq VRX288 v1.1
CPU:   500 MHz
IO:    250 MHz
BUS:   250 MHz
BOOT:  NOR w/o BootROM
DRAM:  128 MiB
Flash: 8 MiB
NAND:  128 MiB
In:    serial
Out:   serial
Err:   serial
Net:   ltq-eth



ZHAL> ATSH
TLV_TYPE_CHKSUM is missing
TLV_TYPE_CHKSUM is missing

If not take cfg06 bl from f1 will not boot in any configuration and you were right with wifi.
I use BL "openwrt-lantiq-p2812hnufx_nor-u-boot.img" for F3 and image from f1 and work all led-s ,lan ,wan , ppoe , usb ,etc except wifi, but cpu it`s very hot
With OpenWRT for F3 all lights do not work, memori stick do not go usb, IP6 disconnects often, and wifi does not go to 300 only 130

Had to register just to thank you guys!

Finally got my own FTDI serial cable. I did exactly as in the tutorial, however I came across with the EXACT same issues as Mijzelf.

My fix for the failing ATUR? Power Cycle and ATUR again. This time it didn't complain about wrong FW, however httpd couldn't start because it wasn't found. On that I used Mijzelfs config fix. Now, the router works smile

And if anyone cares, I unbranded Finnish ISP's, Elisa's crippled version to factory.
I thought I might go around and take the newest bootbase etc, but then I thought - what for? I mean I only really need a couple of LAN ports and WLAN + DHCP/NAT, since this router is acting upon and as a router, not modem/router (I have another modem that has one port bridged for the router).

Thank you for the great guide and ton of help on the discussion about all the issues people have had!

I have Zyxel WMG3326-D20A and Zyxel 2812HNU-F1.
Both was Finnish ISP locked. Thanks for Asmartin I succesfully unbranded both devices.
3326 is same I think but no phone sockets.
V1.00(AACC.3) runs fine in both.
Good hardware specs, very stable, but no NFS file sharing and other software weakness.

(Last edited by Verner on 11 Jan 2015, 00:12)

Verner wrote:

I have Zyxel WMG3326-D20A and Zyxel 2812HNU-F1.
Both was Finnish ISP locked. Thanks for Asmartin I succesfully unbranded both devices.
3326 is same I think but no phone sockets.
V1.00(AACC.3) runs fine in both.
Good hardware specs, very stable, but no NFS file sharing and other software weakness.

Hmm, intriguing. Since I (again) have some issues with connectivity.
Or rather, the stability of connection. Both boxes drop's IRC connections, for example, at random intervals. VMG-box won't do that at friends place, but at my place it does. P-2812 does that at my place, not tested elsewhere...

I've flown back to the older version of FW on P-2812HNU-F1 and noticed it working way, way better than V1.00(AACC.3) - however V3.11(TUJ.0) works pretty nicely, only quite very random connection drops. Blaah, I wish I get OpenWRT running asap to counter all these issues...

Verner or Aquatica, are you interested in writing a guide for a noobie?-) I also live in Finland and I have this Elisa P-2812hnu but I'm not clever enough to do this by myself. And also if either of you is interested in selling the cable needed for the unbranding process?

Kiitoksia kovasti jos jaksatte auttaa. Ehkä Elisan laitteisiin sorvatulle ohjeelle olisi tarvetta muutenkin Suomessa.

helpneeded wrote:

Verner or Aquatica, are you interested in writing a guide for a noobie?-) I also live in Finland and I have this Elisa P-2812hnu but I'm not clever enough to do this by myself. And also if either of you is interested in selling the cable needed for the unbranding process?

Kiitoksia kovasti jos jaksatte auttaa. Ehkä Elisan laitteisiin sorvatulle ohjeelle olisi tarvetta muutenkin Suomessa.

The guide is actually quite simple: Get that cable as linked in the first post (I bought one with 1meter length), get the drivers, plug it in as shown, (notice the colors, GND for black etc) and do as it says. I don't think I can make it any easier no matter how many guides I would write...

PS.
There's OpenWRT working on these boxes and that's discussed on other thread, I suggest you go read it through. Doesn't seem too easy but should be doable; luckily I have 2 routers to work on it so I can spare a brick if that were to happen...

This guide is easy to follow and is hard to write better.
Every Elisa box is different, there is no one way to unbrand all and anly few of them is original or alternative firmware available.
But in this box Elisa firmware was allmost full featured? I unbranded mine, because I like to tune things like this and it wasn't my last router. If you have usb  continuation cable, you can order jtag dongle, which is cheaper and easier to store than longer cable version.

I wen through this, but I get this:

VR9 # bootm 0x80800000

## Booting image at 80800000 ...
   Image Name:   MIPS OpenWrt Linux-3.14.28
   Created:      2015-01-23  23:08:57 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    4425029 Bytes =  4.2 MB
   Load Address: 80002000
   Entry Point:  80002000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... ERROR: LzmaDecode.c, 545

Decoding error = 1
LZMA ERROR 1 - must RESET board to recover

In the step 15 it rebooted after the command succesfully completed. Is that normal? Shoudn't there be a mention of it?

For me I had set my ip to 192.168.10.33 or otherwise I would only get checksum bad error and retry loop.

EDIT: This was installing openwrt like in the wiki. Might be related to this though.

(Last edited by tommis on 24 Jan 2015, 20:03)

tommis, I guess you mix up 2 installations, ZyXEL or openWRT (on which HW)?
This topic is about restoring factory ZyXEL firmware on a P-2812HNU(L)-F1, NOT the installation of openWRT smile

You probably did use ATUR <filename> @ step 14 of this topic, and not tftp, as your log is showing a start-up of openWRT, which does NOT have a step 15.

And i am pretty sure you can NOT run openWRT firmware on ZyXEL (VR9) z-bootbase, or ZyXEL firmware on openWRT u-bootbase. So be sure to use correct firmware files on your current active bootbase.

You can read here how i did run openWRT on a P-2812HNU-F1.
Furthermore is the installing of openWRT on a P-2812HNU-Fx mentioned here: https://forum.openwrt.org/viewtopic.php?id=53511

DGDodo wrote:

tommis, I guess you mix up 2 installations, ZyXEL or openWRT (on which HW)?
This topic is about restoring factory ZyXEL firmware on a P-2812HNU(L)-F1, NOT the installation of openWRT smile

You probably did use ATUR <filename> @ step 14 of this topic, and not tftp, as your log is showing a start-up of openWRT, which does NOT have a step 15.

And i am pretty sure you can NOT run openWRT firmware on ZyXEL (VR9) z-bootbase, or ZyXEL firmware on openWRT u-bootbase. So be sure to use correct firmware files on your current active bootbase.

You can read here how i did run openWRT on a P-2812HNU-F1.
Furthermore is the installing of openWRT on a P-2812HNU-Fx mentioned here: https://forum.openwrt.org/viewtopic.php?id=53511

Yeah I was trying to run F3 software on F1 hardware. After I uploaded correct firmware it almost booted. I know I didn't need to do this because I'm going to need to install u-boot anyways. I will posting there.

Hi guys.

I flashed OpenWRT on my ZyXEL P-2812HNU-F1, it works nice. But VDSL2(sonera, finland) doesn't work.

And I want to back to stock firmware 311TUJ0C0.bin. How i can do this? How to flash stock u-boot?

fedor, wrong thread I'd say. You need the proper ADSL/VDSL Firmware that was on the OpenWRT-thread, I think

Aquatica wrote:

fedor, wrong thread I'd say. You need the proper ADSL/VDSL Firmware that was on the OpenWRT-thread, I think

Maybe op help, because vdsl2 doesn't work in openwrt with our ISP, it's fact.

fedor wrote:

Hi guys.

I flashed OpenWRT on my ZyXEL P-2812HNU-F1, it works nice. But VDSL2(sonera, finland) doesn't work.

And I want to back to stock firmware 311TUJ0C0.bin. How i can do this? How to flash stock u-boot?

I thinkit it is a same procedure than for unbranding (#1 post)

(Last edited by Verner on 7 Feb 2015, 22:17)

Verner wrote:
fedor wrote:

Hi guys.

I flashed OpenWRT on my ZyXEL P-2812HNU-F1, it works nice. But VDSL2(sonera, finland) doesn't work.

And I want to back to stock firmware 311TUJ0C0.bin. How i can do this? How to flash stock u-boot?

I thinkit it is a same procedure than for unbranding (#1 post)

Ok, tell me how to return original bootloader?
I tried:

tftp 0x80700000 304TUJ.bin (without ecc sections)
nand write 0x80700000 0x0 0x20000

then reboot and got:

ROM VER: 1.1.4
CFG 06
NAND
NAND Read OK

And halting.....

DGDodo wrote:

Here is how i re-flashed original ZyXEL bootloader:
https://forum.openwrt.org/viewtopic.php … 97#p262197
It even shows my logging

Doing this just show me:

ROM VER: 1.0.05
CFG 06
NAND
NAND Read OK

Thats it, its not booting the Z-boot i just downloaded and flashed? Please help me restore the zyxel firmware.

drsnuggels wrote:

i just downloaded and flashed?

How did you flash it? any logs?
As i did it from UART-boot with openWRT asc file, then re-flash with the '100AACC309.bin' file.

commands used:

tftp 0x80700000 100AACC309.bin
nand write 0x80700000 0x0 0x20000

(Make sure all other parameters are set for Z-Boot instead of U-boot.)
Power off and on again.

Should do the job, although you need to flash firmware too, as this ONLY does the z-Boot...

Yeah, i did that but it did not work. I took the original rom and cut out all the"ff ff ff ff ff ff" data with a hex editor and repeated the same steps. Now it is working. Only no root access sad

And i see the writer above me: Fedor has: ROM VER: 1.1.4 instead of ours: 1.0.5

atsh
ZLD   Version          : V1.00(AACC.3)
Bootbase Version       : V3.09|01/24|2013(AACC)
Vender Name            : ZyXEL Communications Corp.
Product Model          : P-2812HNU-F1
Serial Number          : S120Y08521062
First MAC Address      : CC5D4EA9CDF8
Last MAC Address       : CC5D4EA9CDFF
MAC Address Quantity   : 08
Default Country Code   : FD
Boot Module Debug Flag : 01
RootFS      Checksum   : 0000cd41
Kernel      Checksum   : 00006789
RomFile     Checksum   : 000054c8
Main Feature Bits      : 00
Other Feature Bits     :
          06 00 00 04 19 01 00 ff-f8 00 01 00 01 00 00 00
          00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00


ROM VER: 1.0.5
CFG 06
NAND
NAND Read OK

DDR autotuning Rev 0.3d
DDR size from 0xa0000000 - 0xa7ffffff
DDR check ok... start booting...



ZyU-F02-300-20AA003-V3.09|01/24|2013(AACC)

CLOCK CPU 500M RAM 250M
DRAM:  128 MB

relocate_code start
relocate_code finish.
128 MiB
*** Warning - bad CRC or NAND, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   fw_addr=0xa0200000
Internal phy(GE) firmware version: 0x0405
setup MDIO for new GPHY
vr9 Switch
Hit any key to stop autoboot:  0

NAND read: device 0 offset 116736, size 65536 ...  65536 bytes read: OK
## Starting application at 0x86A80000 ...


Z-LOADER 3.0(Feb 14 2014)

NAND flash block size: 0x20000
Dual image: Both OK! upgcnt1=0 upgcnt2=1
Select 2nd zboot image...
go 0x86a90000
## Starting application at 0x86A90000 ...


Z-Boot 3.0.0(Feb 14 2014)

we get zloader version: 3.0
Hit any key to stop autoboot: 0
ROM-D check=0
MRD_CERT_1 check=0
MRD_CERT_2 check=0


Read Kernel to RAM from 2f00000
bootargs=root=/dev/mtdblock1 rootfstype=yaffs2 console=ttyS0,115200 phym=128M mem=126M panic=1 vpe1_load_addr=0x87e00000M vpe1_mem=2M vpe1_wired_tlb_entries=0
## Booting image at 80800000 ...
   Image Name:   MIPS Linux-2.6.32
   Created:      2014-02-14   3:33:18 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1544334 Bytes =  1.5 MB
   Load Address: 80002000
   Entry Point:  80006f30
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80006f30) ...
## Giving linux memsize in MB, 128

Starting kernel ...

(Last edited by drsnuggels on 3 Jun 2015, 21:31)

Tridy wrote:

Could someone help me with  me an idea how to unbrand my Swedish Bredbandsbolaget P-2812HNUL-F1 router. I cannot get through ATSE invalid argument part. I tried the following with no luck:

ATSE P-2812HNUL-F1
ATSE P2812HNUL-F1
ATSE P-2812HNULF1
ATSE P2812HNULF1
ATSE P-2812HNU-F1
ATSE P2812HNU-F1
ATSE P-2812HNUF1
ATSE P2812HNUF1

Thanks!

Same thing, I tried all of this arguments on P-2812HNU-F1 vT (Telenor), and no one was working.

ZLD   Version: V3.10(TUL.4)
Bootbase Version: V3.03|11/19/2012(TUL)

(Last edited by binaryx on 5 Nov 2015, 22:43)

johved wrote:

I'm actually sort of a newbie when it comes to this, so I was just wondering;
1. does this process enable the development for third party firmware on the p2812 ? - if so, will this happen?

2. does the unbranding of this device give me any features that i dont already have with the firmware that is on it? (is the  3.11(TUJ.0)C0 firmware "better" than the 'telenor'-one i have now?)

I think unbranding only makes sense if your branded firmware limits the access to all that features that have regular firmware. For example, Telenor firmware have a few levels of access and a few passwords. For customers they give user level of access, with limited features. If you have admin pass and full access to all features, then unbranding makes no sense to me.
Also, branded firmware does not allow to upgrade to regular Zyxel firmware, it don't accept regular firmware, only Telenor.

(Last edited by binaryx on 7 Nov 2015, 14:18)

@asmartin where exactly is stored the ATSE parameter?
It definitely have more variations than was found in this forum. None of the ATSE argument versions I tried are worked on Telenor firmware.

I have the same problem as fedor i got only

ROM VER: 1.1.4
CFG 02
UART
after R17 shortcut

and
ROM VER: 1.1.4
CFG 06
NAND
NAND Read OK

with normal start

I can send file but i can't write any command.
Any one can tell me whay should i do?

Hi, thanks for sharing all this useful information. I managed to get root on a locked P-2812HNU-F1 with the latest Telfort firmware, will share a howto later. I'd rather keep this firmware bc of vectoring support, but I would like to store local settings (ssh keys, dnsmasq & iptables config). However, everything is mounted as readonly or tmpfs so changes are lost upon reboot. Now, I don't understand how the Zyxel writes configuration to its persistent memory. It is clearly able to do so with webgui config changes.

All webgui changes appear to pass through /usr/bin/ccctest, which (I assume) modify and write config.rom to the NAND flash. However, I can't find how it does so. Curiously, it seems to have been build using the openwrt toolchain (from `strings`):

/opt/lantiq/UGW-5.4-SW/toolchain-mips_r2_gcc-4.3.3+cs_uClibc-0.9.30.1/usr/bin/../lib/gcc/mips-openwrt-linux-uclibc/4.3.3/../../../../mips-openwrt-linux-uclibc/sys-include
/home/cjalee/vr9/KPN/311TUE8b1/build/sysapps/libccc/core/include

In /etc/init.d/rcS, it mounts /mnt/preNAND/extfs.img as /mnt/NAND, then copies /mnt/NAND/etc/* to /etc.

I'll probably manage to rebuild a modified squashfs extfs.img, but how to write it to preNAND ?

Output from `mount`:

rootfs on / type rootfs (rw)
/dev/root on / type yaffs2 (ro,relatime)
/proc on /proc type proc (rw,relatime)
/sys on /sys type sysfs (rw,relatime)
/proc/bus/usb on /proc/bus/usb type usbfs (rw,relatime)
tmpfs on /etc type tmpfs (rw,relatime)
none on /tmp type tmpfs (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime)
tmpfs on /e-data type tmpfs (rw,relatime)
tmpfs on /i-data type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
mdev on /dev/mdev type tmpfs (rw,relatime)
/dev/mtdblock4 on /mnt/Config type yaffs2 (rw,relatime)
/dev/mtdblock3 on /mnt/firmware type yaffs2 (rw,relatime)
/dev/loop0 on /mnt/NAND type squashfs (ro,relatime)
/dev/loop0 on /usr type squashfs (ro,relatime)
/dev/loop0 on /root type squashfs (ro,relatime)
/dev/loop0 on /home type squashfs (ro,relatime)
/dev/sda1 on /var/mnt/usb/sda1 type vfat (rw,relatime,uid=99,gid=99,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=utf8,shortname=mixed,errors=remount-ro)
/dev/sda1 on /e-data/USB_USB_DISK_20_PMAP3A506489_1 type vfat (rw,relatime,uid=99,gid=99,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=utf8,shortname=mixed,errors=remount-ro)

Now, I have mounted /dev/mtdblock1 (auto using rw/yaffs) and it seems to be the partition where the preNAND/extfs.img is stored.

So my questions:

1. Could I just overwrite this img file on /dev/mtdblock1?
2. Do I need to mount it as yaffs or yaffs2? (both seem to work)
3. Is there a way to make a backup of the current firmware so that I can restore it if I brick it? Highly likely ;)
4. How can I block firmware pushes by my ISP? How are they distributed? See below for open ports.

TIA!

# netstat -len
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:18888           0.0.0.0:*               LISTEN      
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:10001           0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:2001            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:7676            0.0.0.0:*               LISTEN      
tcp        0      0 192.168.1.1:445         0.0.0.0:*               LISTEN      
tcp        0      0 :::37964                :::*                    LISTEN      
tcp        0      0 :::9999                 :::*                    LISTEN      
tcp        0      0 :::80                   :::*                    LISTEN      
tcp        0      0 :::53                   :::*                    LISTEN      
tcp        0      0 :::22                   :::*                    LISTEN      
tcp        0      0 :::23                   :::*                    LISTEN      
tcp        0      0 :::443                  :::*                    LISTEN      
udp        0      0 0.0.0.0:2709            0.0.0.0:*                           
udp        0      0 0.0.0.0:2710            0.0.0.0:*                           
udp        0      0 0.0.0.0:161             0.0.0.0:*                           
udp        0      0 0.0.0.0:53              0.0.0.0:*                           
udp        0      0 0.0.0.0:67              0.0.0.0:*                           
udp   115240      0 0.0.0.0:1900            0.0.0.0:*                           
udp        0      0 0.0.0.0:7677            0.0.0.0:*                           
udp        0      0 :::53                   :::*                                
raw        0      0 0.0.0.0:2               0.0.0.0:*               7           
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING       1792 /var/syslog
unix  2      [ ACC ]     STREAM     LISTENING       1636 /var/run/celld.sock

(Last edited by gwillem on 4 Feb 2017, 14:19)

which (I assume) modify and write config.rom to the NAND flash. However, I can't find how it does so.

I wrote something on that in post #36

1. Could I just overwrite this img file on /dev/mtdblock1?

Theoretically, yes. But if you make a mistake your router will be bricked. (Not a very big deal, the box can boot from the serial port, so this way you can always install OpenWRT, or rewrite the mtdblock)

2. Do I need to mount it as yaffs or yaffs2? (both seem to work)

Use yaffs2. The difference is in the way the NAND is treated. Wiki. While yaffs1 if fine for reading, writing might (partitally) kill the NAND.

3. Is there a way to make a backup of the current firmware so that I can restore it if I brick it? Highly likely wink

As I wrote in port #36, you can dump /dev/hnand. I never tried to restore it.

4. How can I block firmware pushes by my ISP? How are they distributed? See below for open ports.

They probably use the TR-069 protocol, which normally use port 7547. Don't see that in your list. You can use 'netstat -lnp' to see the deamon names either. I'd simply kill everything which has an unknown purpose.

BTW, instead of changing the rootfs, you can also install add-ons. I managed to install optware on an usb stick. (At least, I *think* it was optware. It's some time ago, my box is running OpenWRT now). The trick is in /mnt/Config/user_startup_parameters.sh, which is called at boot, by rcS. At that stage USB is not yet up, but there is some script in /etc/<hotplug?>/ responsible for mounting the stick. You can inject code to call a script on the stick.

The discussion might have continued from here.