Flashing OpenWrt and dual booting stock firmware on firmware version V5.70(ACEA.0)T56C_b10_0410 (no serial required)
I became an Odido subscriber last week and I've been looking for progress on flashing OpenWrt to devices running the latest firmware pushed by Odido (V5.70(ACEA.0)T56C_b10_0410). Couldn't find anything, so I spent some time working it out myself.
I actually prefer the stock partition layout over the ubootmod one, as it gives me the flexibility to dual boot OpenWrt and the stock firmware. So the steps below result in just that: OpenWrt and the stock firmware running side-by-side, with an easy way to switch between them.
The guide below is heavily inspired by @thehybrid1337's post Adding OpenWrt support for Zyxel EX5601-T0 - #814 by thehybrid1337. Great work by the way!
Anyway, let's get to it.
Step 1: Get a root shell
Since V5.70(ACEA.0)T56C_b10_0410, the backdoor supervisor account is gone. The admin user cannot do much, but it turns out these limitations are mostly enforced on the client side. Under the hood, the admin user can actually do quite a lot.
Removing client-side restrictions
I'm using Firefox. Other browsers may be similar. I haven't tested.
Log into your device's web interface, hit CTRL + SHIFT + I, go to the Debugger tab, right click app.js, click 'Add script override', like so: -> screenshot (sorry, new user, can't embed images)
Save it to a file. Open it with a text editor, and replace its contents with the one found here. Save the file and hit F5 in the browser. The menu should now be fully populated.
The remaining steps for getting a root shell are pretty much the same as @thehybrid1337's. I'll briefly reiterate.
SP Domain
Head to Maintenance -> SP Domain
Enable SSH and hit Apply -> screenshot
In the SP Trust Domain tab, add 192.168.1.0/24
Remote Management
Go to Maintenance -> Remote Management
Once again, hit CTRL + SHIFT + I and go to the Debugger tab. Right click app.maintenance.js -> 'Add script override' -> screenshot
Save it to a file. Open it with a text editor, and replace its contents with the one found here. Save the file and hit F5 in the browser. You should be seeing the full list of items.
Enable SSH for LAN, WLAN and Trust Domain
Open the Trust Domain tab and add 192.168.1.0/24
SSH
Connect to your device via ssh
ssh admin@192.168.1.1
Accept the host key, use the password you use for the web interface, and enter the command:
sys atsh
Copy the 'First MAC Address', and paste it in the command below, followed by '0 1':
sys atwz (mac) 0 1
Now entering the following command will get you the root password (dubbed the supervisor password here):
sys atck
And finally, log in as root with the password from the previous step and be greeted with a shell.
ssh root@192.168.1.1
I recommend you save the root password somewhere. It's unique per device and the algorithm to generate it is not present in the firmware (I checked). This password will also get you access to the boot loader, so you might need it one day if Odido sends another firmware update and locks you out.
Step 2: Flash a patched zloader
Background
Before going through the steps, I'll briefly explain why this works. On the OpenWrt wiki, you can check out the OEM bootlog and find the following line:
MMC: mmc@11230000: 0
Loading Environment from MTD... OK
In: serial@11002000
Out: serial@11002000
Err: serial@11002000
Net: eth0: ethernet@15100000
Reading 262144 byte(s) at offset 0x00000000
## Booting kernel from Legacy Image at 46000000 ... <----!!!!!!!!
Image Name: zld-2.3 08/11/2022 09:46:58
Image Type: AArch64 U-Boot Standalone Program (gzip compressed)
Data Size: 23638 Bytes = 23.1 KiB
Load Address: 41e00200
Entry Point: 41e003f4
Verifying Checksum ... OK
Uncompressing Standalone Program
Legacy image implies unsigned, as the U-Boot legacy format does not support cryptographic signatures. Contained within this image is the zloader, which is the component that you can talk to over the serial port. It is also responsible for validating the main firmware's cryptographic signatures. Clearly, we can simply patch zloader to remove those checks. So that's exactly what I did.
As a side-note: I've noticed the latest firmware, in fact, does not enable secure boot. The efuse.sh found in /etc/efuse_tool_opal_mt7986.tar does the following:
insmod mtk_efuse.ko
# disable JTAG and BROM
echo "dj" > /sys/kernel/debug/mtk_efuse/efuse;
echo "db" > /sys/kernel/debug/mtk_efuse/efuse;
dj is for disabling JTAG, db is for disabling mtk_uartboot. Secure boot is not enabled, as confirmed by mtk_efuse.ko:
insmod mtk_efuse.ko
cat /sys/kernel/debug/mtk_efuse/secure_boot
Secure Boot: disable
So in principle, since you have a root shell, you should be able to flash ubootmod. However, I haven't looked into it so you're on your own if you want to try it. Below are the steps for setting it up using the stock partition layout with dual boot.
Flashing
SSH into the device as root, and enter the following commands:
cd /tmp
wget https://github.com/carlicious/zloader/releases/download/v1.0-alpha/bl2.img
wget https://github.com/carlicious/zloader/releases/download/v1.0-alpha/fip.bin
wget https://github.com/carlicious/zloader/releases/download/v1.0-alpha/zloader.bin.gz.uImage_patched
Or use any other means of getting these files on the device. Then flash them, as follows:
mtd erase BL2
mtd write /tmp/bl2.img BL2
mtd erase FIP
mtd write /tmp/fip.bin FIP
mtd erase zloader
mtd write /tmp/zloader.bin.gz.uImage_patched zloader
sync
Now technically, you only have to flash zloader.bin.gz.uImage_patched, as the other images are stock ones taken from V5.70(ACEA.0)T56C_b10_0410. I've included them here because zloader depends on a function table provided by Zyxel's U-Boot (contained in FIP). This table differs from version to version, so you can't mix and match zloader versions with FIP versions or else you'll get a brick.
Besides removing the signature checks, I figured it would be nice to have zloader ignore zyfwinfo entirely, and use an nvram variable (boot_flag) instead. This way, I can easily change the boot partition, should I decide to boot into the stock firmware one day, and so that I can update OpenWrt from the web interface.
Step 3: Check that you're on ubi2
OpenWrt does not support booting from the ubi2 partition, so that's where your stock firmware will live. Check which partition your current firmware is on, as follows:
cat /proc/cmdline
If it says rootubi=ubi2 at the end, then you're good.
Otherwise, execute the following to see the firmware version at ubi2:
ubiattach -d 9 -p /dev/mtd7
strings /dev/ubi9_2
The output should contain the firmware version. Mine says V5.70(ACEA.0)T56C_b10_0410.
If for some reason you're not happy with this version, you may want to copy ubi to ubi2. I'm not going to elaborate on how to do that here though.
Since you've flashed my patched zloader, rebooting into ubi2 is as easy as:
fw_setenv boot_flag 1
reboot
(You should do so now if you're currently not on ubi2)
Step 4: Flash OpenWrt
Download the latest OpenWrt sysupgrade to the device. Make sure it's the STOCK image, not the ubootmod one, as you're using the stock partition layout.
cd /tmp
wget https://downloads.openwrt.org/releases/24.10.2/targets/mediatek/filogic/openwrt-24.10.2-mediatek-filogic-zyxel_ex5601-t0-stock-squashfs-sysupgrade.bin
Or, again, use any other means of getting this file onto the device. Then, extract it:
tar xvf openwrt-24.10.2-mediatek-filogic-zyxel_ex5601-t0-stock-squashfs-sysupgrade.bin
Attach the ubi partition
ubiattach -d 9 -p /dev/mtd6
Delete existing UBI volumes
ubirmvol /dev/ubi9 -N kernel
ubirmvol /dev/ubi9 -N rootfs
ubirmvol /dev/ubi9 -N zydefault
ubirmvol /dev/ubi9 -N rootfs_data
Create new UBI volumes
ubimkvol /dev/ubi9 -N kernel -s $(ls -l sysupgrade-zyxel_ex5601-t0-stock/kernel | awk '{print $5}')
ubimkvol /dev/ubi9 -N rootfs -s $(ls -l sysupgrade-zyxel_ex5601-t0-stock/root | awk '{print $5}')
ubimkvol /dev/ubi9 -N rootfs_data -m
Perform flash
ubiupdatevol /dev/ubi9_0 sysupgrade-zyxel_ex5601-t0-stock/kernel
ubiupdatevol /dev/ubi9_1 sysupgrade-zyxel_ex5601-t0-stock/root
sync
Set ubi as the next boot target and reboot
fw_setenv boot_flag 0
reboot
You'll now be greeted with OpenWrt.
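Since Steps 3 and 4 wipe UBI volumes, here is a small pre-flight script I'd run first (added here as an example; it is not part of the original post or of the zloader project). It checks the rootubi value in /proc/cmdline anywhere on the line, not only at the end, verifies the extracted kernel and root files exist and are non-empty, and prints the ubimkvol sizes it would use without flashing anything. The paths, the ubi9 device and the boot_flag variable are taken from the steps above; everything else is assumed.

```shell
#!/bin/sh
# Added pre-flight check for Steps 3/4 (not from the original post). Assumes the
# same paths as the post: /proc/cmdline, the extracted sysupgrade directory,
# and the boot_flag nvram variable read by the patched zloader.

# Print the value of rootubi= from a kernel cmdline string; fail if absent.
rootubi_of() {
    for tok in $1; do
        case "$tok" in
            rootubi=*) printf '%s\n' "${tok#rootubi=}"; return 0 ;;
        esac
    done
    return 1
}

# Byte size of a file, for ubimkvol -s (wc -c is available on busybox).
vol_size() {
    [ -f "$1" ] || return 1
    wc -c < "$1" | tr -d ' '
}

# Verify preconditions before the destructive UBI steps.
# $1: cmdline text, $2: extracted sysupgrade directory. Returns 0 if safe.
preflight() {
    cur=$(rootubi_of "$1") || { echo "rootubi not in cmdline"; return 1; }
    [ "$cur" = ubi2 ] || { echo "running from $cur, not ubi2: run 'fw_setenv boot_flag 1; reboot' first"; return 1; }
    for f in kernel root; do
        sz=$(vol_size "$2/$f") || { echo "missing $2/$f"; return 1; }
        [ "$sz" -gt 0 ] || { echo "$2/$f is empty"; return 1; }
    done
    return 0
}

# Show the ubimkvol commands with the sizes that would be used (dry run).
plan() {
    echo "ubimkvol /dev/ubi9 -N kernel -s $(vol_size "$1/kernel")"
    echo "ubimkvol /dev/ubi9 -N rootfs -s $(vol_size "$1/root")"
}

# On the device, after extracting the sysupgrade tar in /tmp:
#   preflight "$(cat /proc/cmdline)" /tmp/sysupgrade-zyxel_ex5601-t0-stock && plan /tmp/sysupgrade-zyxel_ex5601-t0-stock
```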