OpenWrt Forum Archive

Topic: [solved] ZyXEL EMG2926-Q10A flash/upgrade

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

This router is actually a ZyXEL NBG6716, it comes with a custom OpenWRT from my ISP.

I want to get rid of the ISP's firmware and install the 'normal' OpenWRT in it but I am having issues

Not the bootloader I'm used to seeing, no boot from tftp firmware or flash from tftp file...

EMG2926 - Scorpion 1.0
DRAM:  32bit ddr2 256 MB
Flash: 16 MB
*** Warning *** : PCIe WLAN Module not found !!!
Net:   Max resets limit reached exiting...
eth0, eth1
NAND:  Hynix NAND 128MiB 3,3V 8-bit [128MB]

ZyXEL zloader v1.31 (Feb 27 2014 - 03:42:13)
Multiboot clinent version: 1.2
dup 1 speed 1000

Hit any key to stop autoboot:  3
EMG2926>
ATEN    x,(y)     set BootExtension Debug Flag (y=password)
ATSE    x         show the seed of password generator
ATSH              dump manufacturer related data in ROM
ATRT    (x,y,z,u) ATRT RAM read/write test (x=level, y=start addr, z=end addr, u=iterations
ATGO              boot up whole system
ATUR    x         upgrade RAS image (filename)



root@EMG2926:/# cat /etc/openwrt_release
DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="Bleeding Edge"
DISTRIB_REVISION="r6687"
DISTRIB_CODENAME="barrier_breaker"
DISTRIB_TARGET="ar71xx/generic"
DISTRIB_DESCRIPTION="OpenWrt Barrier Breaker r6687"

root@EMG2926:/# cat /tmp/sysinfo/board_name
emg2926

root@EMG2926:/# cat /tmp/sysinfo/model
ZyXEL EMG2926

root@EMG2926:/tmp# mtd -r write openwrt-15.05.1-ar71xx-nand-nbg6716-squashfs-factory.bin firmware
Could not open mtd device: firmware
Can't open device for writing!

root@EMG2926:/tmp# mtd -r write openwrt-15.05.1-ar71xx-nand-nbg6716-squashfs-factory.bin linux
Could not open mtd device: linux
Can't open device for writing!

root@EMG2926:/tmp# sysupgrade -n -v openwrt-15.05.1-ar71xx-nand-nbg6716-squashfs-sysupgrade.tar
Still not supoort OpenWRT firmware upgrate mechainsm
Image check 'platform_check_image' failed.

root@EMG2926:/tmp# sysupgrade -n -v -F openwrt-15.05.1-ar71xx-nand-nbg6716-squashfs-sysupgrade.tar
Still not supoort OpenWRT firmware upgrate mechainsm
Image check 'platform_check_image' failed but --force given - will update anyway!
Sending TERM to remaining processes ... rcS logger zcmd watch syslogd klogd hotplug2 cpu_count.sh sleep procd ubusd netifd atd netprobe p910nd one_connect_mon bw_monitor uhttpd dnsmasq dnsmasq zy1905 EmappS bwm crond watch wifi_assoc_moni watch
Sending KILL to remaining processes ... uhttpd
Switching to ramdisk...
Performing system upgrade...
Could not open mtd device: firmware
Can't open device for writing!
Upgrade completed
Rebooting system...

It doesn't seem to have a 'firmware' mtd, any ideas?

(Last edited by va2thc on 27 Nov 2016, 08:54)

Ok, according to https://wiki.openwrt.org/toh/zyxel/zyxel_nbg6716 I should have done

root@EMG2926:/tmp# mtd -r write openwrt-15.05.1-ar71xx-nand-nbg6716-squashfs-factory.bin /dev/mtd7

It rebooted and nothing changed, so I ran the command without the reboot flag and saw no error outputs... I'm so sure this is a modded NBG6716...

Reading further down the NBG6716 page I saw the tftp key press method so I tried it...


here with the openwrt-15.05.1-ar71xx-nand-nbg6716-squashfs-factory.bin image:

Hit any key to stop autoboot:  3download ras.bin to memory address 0x80000000
Using eth0 device
TFTP from server 192.168.1.33; our IP address is 192.168.1.1
Filename 'ras.bin'.
Load address: 0x80000000
Loading: #################################################################
...cut...
         ###
done
Bytes transferred = 5767168 (580000 hex)
Wrong header checksum, stop to upgrade RAS image!

  0
### JFFS2 loading '/boot/vmlinux.lzma.uImage' to 0x80400000
and it booted...


here with the original NBG6716 firmware:

Hit any key to stop autoboot:  3download ras.bin to memory address 0x80000000
Using eth0 device
TFTP from server 192.168.1.33; our IP address is 192.168.1.1
Filename 'ras.bin'.
Load address: 0x80000000
Loading: #################################################################
...cut...
         #########################################################
done
Bytes transferred = 23724032 (16a0000 hex)
Wrong product name(NBG6716,EMG2926), stop to upgrade RAS image!
  0
### JFFS2 loading '/boot/vmlinux.lzma.uImage' to 0x80400000
and it booted....

Then I hex edited the original firmware, changed the NBG6716 to EMG2926 and retried; then I got the same header CRC error as with the openwrt binary.

So I ran binwalk on my modded bin and the original:
root@rooted:~# binwalk V1.00\(AAKG.9\)C0.bin ras.bin

Scan Time:     2016-11-23 22:54:28
Target File:   /root/V1.00(AAKG.9)C0.bin
MD5 Checksum:  cbd4adae11edb52e5d05d0304b037d61
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
131072        0x20000         JFFS2 filesystem, big endian
22675456      0x15A0000       uImage header, header size: 64 bytes, header CRC: 0x9B5A644E, created: 2016-09-09 07:59:28, image size: 1021834 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0xAFF3D85C, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.3.8"
22675520      0x15A0040       LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3025528 bytes


Scan Time:     2016-11-23 22:54:40
Target File:   /root/ras.bin
MD5 Checksum:  872eb69ec7c18638cc7c3d351a3ae9dc
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
131072        0x20000         JFFS2 filesystem, big endian
22675456      0x15A0000       uImage header, header size: 64 bytes, header CRC: 0x9B5A644E, created: 2016-09-09 07:59:28, image size: 1021834 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0xAFF3D85C, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.3.8"
22675520      0x15A0040       LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3025528 bytes

They both report "0x9B5A644E" as header CRC. I can find the "9B5A644E" hex value @ 0x015A0004 in the binaries...

Let's test...
root@rooted:~# dd if=V1.00\(AAKG.9\)C0.bin of=header.bin bs=1 count=64 skip=22675456
64+0 records in
64+0 records out
64 bytes copied, 0.000269411 s, 238 kB/s

hexedit the checksum to zeros to calculate it again
root@rooted:~# hexeditor header.bin

check the checksum
root@rooted:~# crc32 header.bin
9b5a644e

Still stuck... the NBG6716 -> EMG2926 I changed in the firmware to bypass the product name error aren't in the 'header' section... so I don't need to recalculate.

(Last edited by va2thc on 24 Nov 2016, 05:31)
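The dd / hexeditor / crc32 check from the post above, as an added example that is not part of the original thread: it parses the standard 64-byte legacy U-Boot uImage header, recomputes the header CRC with the field at offset 4 zeroed, and shows which edits that CRC does and does not detect. The image and the 32-byte prefix are constructed sample data, not the ZyXEL file layout, and the function names are illustrative.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
HEADER_FMT = ">7I4B32s"                    # legacy U-Boot image header, big endian
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 64 bytes, as binwalk reports

def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def build_uimage(payload, name=b"constructed sample"):
    """Constructed header + payload so the example runs without a firmware file."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80060000, 0x80060000,
              crc32(payload), 5, 5, 2, 3, name]   # Linux, MIPS, kernel, lzma
    fields[1] = crc32(struct.pack(HEADER_FMT, *fields))  # CRC with field zeroed
    return struct.pack(HEADER_FMT, *fields) + payload

def check_uimage(blob, offset=0):
    """Verify header CRC (field at offset+4 zeroed first) and data CRC."""
    hdr = blob[offset:offset + HEADER_LEN]
    if len(hdr) < HEADER_LEN:
        raise ValueError("truncated header")
    magic, hcrc, _t, size, _load, _ep, dcrc, *_ids, name = struct.unpack(HEADER_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at offset %#x" % offset)
    zeroed = hdr[:4] + b"\x00" * 4 + hdr[8:]
    data = blob[offset + HEADER_LEN:offset + HEADER_LEN + size]
    return {"name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "stored_hcrc": hcrc,
            "header_ok": crc32(zeroed) == hcrc,
            "data_ok": len(data) == size and crc32(data) == dcrc}

def demo():
    prefix = b"NBG6716".ljust(32, b"\x00")   # constructed stand-in for bytes before the uImage
    image = bytearray(prefix + build_uimage(b"constructed kernel bytes"))
    off = len(prefix)
    original = check_uimage(bytes(image), off)
    image[0:7] = b"EMG2926"                  # edit outside the 64-byte header
    outside = check_uimage(bytes(image), off)
    image[off + 32] ^= 0xFF                  # first byte of the name field
    in_header = check_uimage(bytes(image), off)
    image[off + 32] ^= 0xFF                  # restore the header
    image[-1] ^= 0xFF                        # last payload byte
    in_data = check_uimage(bytes(image), off)
    return original, outside, in_header, in_data

if __name__ == "__main__":
    labels = ("original", "edit outside", "edit in header", "edit in data")
    for label, result in zip(labels, demo()):
        print(label, result)
```

On a real image, `check_uimage(open(path, "rb").read(), 0x15A0000)` performs the same check at the offset binwalk printed.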

Long road behind me, I can say it's solved...

My ISP's custom firmware had 2 firmwares installed in mtd7 and mtd9, it was booting off mtd9. I tried mtd -r openwrt-15.05.1-ar71xx-nand-nbg6716-squashfs-factory.bin /dev/mtd9. It rebooted into openwrt but luci wasn't running, rebooted it and it never reloaded the kernel. After a lot of looking around the solution I found was editing the original NBG6716 firmware from ZyXEL and changing model name to EMG2926 + correcting the checksum (did that by changing the version number of the firmware lol), once that was done I was able to tftp upload the modded firmware to the device. Once in the original ZyXEL firmware, logged into console and did the normal mtd -r openwrt-15.05.1-ar71xx-nand-nbg6716-squashfs-factory.bin /dev/mtd7 and we're back online 100%

Hi! I'm trying to get rid of the ISP firmware for the EMG2926-Q10A but there is a password for root?  Tried 1234... but it doesn't work...

@va2thc, thanks for all the information !

I changed the model from NBG6716 to EMG2926 and the version from V1.00(AAKG.9)C0 to V1.01(AAKG.9)C0 but I am still having the checksum error.

Wrong header checksum, stop to upgrade RAS image!

What else did you change to make it work?

Thanks !

va2thc wrote:

Long road behind me, I can say it's solved...

My ISP's custom firmware had 2 firmwares installed in mtd7 and mtd9, it was booting off mtd9. I tried mtd -r openwrt-15.05.1-ar71xx-nand-nbg6716-squashfs-factory.bin /dev/mtd9. It rebooted into openwrt but luci wasn't running, rebooted it and it never reloaded the kernel. After a lot of looking around the solution I found was editing the original NBG6716 firmware from ZyXEL and changing model name to EMG2926 + correcting the checksum (did that by changing the version number of the firmware lol), once that was done I was able to tftp upload the modded firmware to the device. Once in the original ZyXEL firmware, logged into console and did the normal mtd -r openwrt-15.05.1-ar71xx-nand-nbg6716-squashfs-factory.bin /dev/mtd7 and we're back online 100%

Hello, can you detail the procedure to do so? I'm not sure I have understood everything.

thank you

If I understand well, you change the model name in the original firmware bin file? But where do you change the checksum?

(Last edited by bedou974 on 27 Jan 2017, 03:02)

The discussion might have continued from here.