Adding OpenWrt support for Zyxel EX5601-T0

lytr · 2025-01-26T19:21:10.853Z

thehybrid1337:

NOTICE:  BL2: v2.9(release):OpenWrt v2023-07-24-00ac6db3-2 (mt7986-spim-nand-4k-ddr4)

U-Boot 2023.07.02-OpenWrt-r24106-10cc5fcd00 (Sep 23 2024 - 12:34:46 +0000)

Are you trying to restore OEM firmware but still using the OpenWrt bootloader?

thehybrid1337 · 2025-01-26T19:57:59.615Z

please inform on what to do. my device was running openwrt with u-bootmod.

i followed your instructions , i don't know how to change bootloader.

Did i have to use mtd5_kernel to boot my device with before flashing instead of openwrt-23.05.5-mediatek-filogic-zyxel_ex5601-t0-stock-initramfs-kernel ?

by saying i followed your instructions i don't put responsibility on you so you know.. if it's not too much effort could you give me short explanation how to fix this.

My exact steps were :

(router zyxel ex5601-t0 ubootmod openwrt)

accessing the router through UART,
usb start
fatload usb 0:1 0x46000000 openwrt-mediatek-filogic-zyxel_ex5601-t0-stock-initramfs-kernel.bin
bootm
uploading t-56 files and kmod-mtd-rw to /tmp/ folder through winscp
opkg install /tmp/kmod-mtd-rw.ipk
insmod mtd-rw.ko i_want_a_brick=1
run the following as a whole :

mtd write mtd0 bl2
mtd write mtd3 fip
mtd write mtd4 zloader
ubiformat /dev/mtd5
ubiattach -d 0 -m 5
ubimkvol /dev/ubi0 -n 0 -N kernel -s 3787688
ubimkvol /dev/ubi0 -n 1 -N rootfs -s 42688KiB
ubimkvol /dev/ubi0 -n 2 -N zyfwinfo -s 256
ubimkvol /dev/ubi0 -n 3 -N zydefault -s 55558
ubimkvol /dev/ubi0 -n 4 -N rootfs_data -m
ubiupdatevol /dev/ubi0_0 mtd5_kernel
ubiupdatevol /dev/ubi0_1 mtd5_rootfs
ubiupdatevol /dev/ubi0_2 mtd5_zyfwinfo
ubiupdatevol /dev/ubi0_3 mtd5_zydefault
ubidetach -d 0

run the following as a whole after last one finish

ubiformat /dev/mtd6
ubiattach -d 1 -m 6
ubimkvol /dev/ubi1 -n 0 -N kernel -s 3787688
ubimkvol /dev/ubi1 -n 1 -N rootfs -s 42688KiB
ubimkvol /dev/ubi1 -n 2 -N zyfwinfo -s 256
ubimkvol /dev/ubi1 -n 3 -N zydefault -s 55558
ubimkvol /dev/ubi1 -n 4 -N rootfs_data -m
ubiupdatevol /dev/ubi1_0 mtd5_kernel
ubiupdatevol /dev/ubi1_1 mtd5_rootfs
ubiupdatevol /dev/ubi1_2 mtd5_zyfwinfo
ubiupdatevol /dev/ubi1_3 mtd5_zydefault
ubidetach -d 1

10.reboot

11.bricked xd

I've been playing around a little bit . if i get the kernel to boot from stock t-56 firmware, everythign works like normal but yeah when completely cut power off and restart i ahve to manually boot that kernel again. but oddly enough, it doesn't reset my settings.

this makes me wonder can i just point u-boot to boot from that kernel? or is that not correct.

the root password i can not do anything with. for what is it except for backup config.

also why does my router keep broadcasting a hidden ssid ?

how do we gain privileges in the zyxel default firmware for like guiflag.multi.user_customization and group telek0m?

I can allow SSH access from LAN, but neither supervisor nor admin have permissions.

edit: after hours of playing around i got full access to everything on odido firmware, i only need help to make the router directly start from zyxel software.

thehybrid1337 · 2025-01-27T04:03:49.744Z

why no one say the root and supervisor password publicly? it's against rules or what?

BlackJack · 2025-01-27T21:30:08.409Z

Because The cruelest company in the world Odido will come and take their souls.

Dante · 2025-01-28T01:36:32.709Z

I've got a somewhat odd request. Can anyone please measure the box that the router comes in? Length, width and height. I'm trying to figure out if it makes sense to ship it from NL to another country.

Zyxel T-56 box994×554 365 KB

frollic · 2025-01-28T06:49:38.527Z

40x20x4 cm, give or take.

thehybrid1337 · 2025-01-28T12:08:53.468Z

I think i'm very close to a hard brick lol. Some help is appreciated.

F0: 102B 0000

FA: 1040 0000

FA: 1040 0000 [0200]

F9: 0000 0000

V0: 0000 0000 [0001]

00: 0000 0000

BP: 2400 0041 [0000]

G0: 1190 0000

EC: 0000 0000 [1000]

T0: 0000 0228 [010F]

Jump to BL


NOTICE:  BL2: v2.6(release):3b1fd9bf-dirty
NOTICE:  BL2: Built : 09:47:06, Aug 11 2022
NOTICE:  WDT: disabled
NOTICE:  CPU: MT7986 (2000MHz)
NOTICE:  EMI: Using DDR4 settings
NOTICE:  EMI: Detected DRAM size: 1024MB
NOTICE:  EMI: complex R/W mem test passed
NOTICE:  SPI_NAND parses attributes from parameter page.
NOTICE:  SPI_NAND Detected ID 0x2c
NOTICE:  Page size 4096, Block size 262144, size 536870912
NOTICE:  Initializing NMBM ...
NOTICE:  Signature found at block 2047 [0x1ffc0000]
NOTICE:  First info table with writecount 0 found in block 1920
NOTICE:  Second info table with writecount 0 found in block 1923
NOTICE:  NMBM has been successfully attached in read-only mode
NOTICE:  BL2: Booting BL31
NOTICE:  BL31: v2.6(release):3b1fd9bf-dirty
NOTICE:  BL31: Built : 09:47:11, Aug 11 2022


U-Boot 2022.01-rc4 (Aug 11 2022 - 09:45:52 +0000)

CPU:   MediaTek MT7986
Model: ZYXEL EX5601-T0
DRAM:  1 GiB

Initializing NMBM ...
spi-nand: spi_nand spi_nand@1: Micron SPI NAND was found.
spi-nand: spi_nand spi_nand@1: 512 MiB, block size: 256 KiB, page size: 4096, OOB size: 256
Could not find a valid device for nmbm0
Signature found at block 2047 [0x1ffc0000]
First info table with writecount 0 found in block 1920
Second info table with writecount 0 found in block 1923
NMBM has been successfully attached 

MMC:   mmc@11230000: 0
Loading Environment from MTD... OK
In:    serial@11002000
Out:   serial@11002000
Err:   serial@11002000
Net:   eth0: ethernet@15100000
Reading 262144 byte(s) at offset 0x00000000
Wrong Image Format for bootm command
ERROR: can't get kernel image!

!!!!! fail to do bootm 46000000 !!!!!
Reset your board! system halt...

lytr · 2025-01-28T12:56:41.244Z

U-boot is not able to start zloader. This is from working unit with OEM firmware:

Reading 262144 byte(s) at offset 0x00000000
## Booting kernel from Legacy Image at 46000000 ...
   Image Name:   zld-2.3 08/11/2022 09:46:58
   Image Type:   AArch64 U-Boot Standalone Program (gzip compressed)
   Data Size:    23638 Bytes = 23.1 KiB
   Load Address: 41e00200
   Entry Point:  41e003f4
   Verifying Checksum ... OK
   Uncompressing Standalone Program

thehybrid1337 · 2025-01-28T18:33:23.172Z

After a very long night and day and almost night again i fixed it. from ubootmod openwrt back to Odido T-56 ISP firmware, ofcourse with root ssh and supervisor access.

how i finally managed to do it was

mtk_uartboot and booting with the stock intramfs_kernel

dd if=/dev/mtd0 of=/tmp/mtd0
dd if=/dev/mtd1 of=/tmp/mtd1
dd if=/dev/mtd2 of=/tmp/mtd2
dd if=/dev/mtd3 of=/tmp/mtd3
dd if=/dev/mtd4 of=/tmp/mtd4

insmod mtd-rw.ko i_want_a_brick=1

mtd write mtd0 /dev/mtd0
mtd write mtd1 /dev/mtd1
mtd write mtd2 /dev/mtd2
mtd write mtd3 /dev/mtd3
mtd write mtd4 /dev/mtd4

then by scp i uploaded @lytyr's mtd5 files to the tmp folder

ubiformat /dev/mtd5
ubiattach -d 0 -m 5
ubimkvol /dev/ubi0 -n 0 -N kernel -s 3787688
ubimkvol /dev/ubi0 -n 1 -N rootfs -s 42688KiB
ubimkvol /dev/ubi0 -n 2 -N zyfwinfo -s 256
ubimkvol /dev/ubi0 -n 3 -N zydefault -s 55558
ubimkvol /dev/ubi0 -n 4 -N rootfs_data -m
ubiupdatevol /dev/ubi0_0 /tmp/mtd5_kernel
ubiupdatevol /dev/ubi0_1 /tmp/mtd5_rootfs
ubiupdatevol /dev/ubi0_2 /tmp/mtd5_zyfwinfo
ubiupdatevol /dev/ubi0_3 /tmp/mtd5_zydefault
ubidetach -d 0

and the same for mtd6 after , everything is fixed.

BlackJack · 2025-01-28T19:18:34.986Z

Would you be so nice and share supervisor password if not to public but in PM. I would highly appreciate it.

thehybrid1337 · 2025-01-28T20:21:03.692Z

Sure i will and since i've wasted countless+hours on this and had to learn almost everything on my own by trial and error.. if you need some help or have a question, fewl free to dm me.

frollic · 2025-01-28T21:48:25.050Z

Or simply post how to obtain it...

sittingduck · 2025-01-29T09:49:50.158Z

I've taken the plunge with this particular router and am a bit anxious seeing as I'm purely a Windows guy starting out with Openwrt on one of the more "difficult" routers So if you have recent experiences with the wiki-guide, it would be awesome if you would add to it in the places that caused issues for you. Or at least make a post with input and then someone can update the wiki. No reason not to uitlize your experience.

frollic · 2025-01-29T09:54:24.135Z

sittingduck:

Or at least make a post with input and then someone can update the wiki.

if you're planning on using the ubootmod, the guide's straight forward, assuming you got flashing experience using serial.

sittingduck · 2025-01-29T11:13:19.384Z

I really don't, but I can take directions and read up on things - and yes, I'll go the ubootmod way. I'm sure I'll get there. The router is sitting in a box af few weeks more for when a remodelling project is done.

thehybrid1337 · 2025-01-29T13:00:43.649Z

It's mentoined already in this topic how to obtain the supervisor password.

Adding OpenWrt support for Zyxel EX5601-T0 For Developers

I was able to find a supervisor password in flash backup for T-56. It's located in file /etc/zydefault/sysconfig.tar.gz. I don't know if it's unique per device. Flash layout: supervisor@EX5601-T1:/$ cat /proc/mtd dev: size erasesize name mtd0: 20000000 00040000 "spi0.1" mtd1: 00100000 00040000 "BL2" mtd2: 00080000 00040000 "u-boot-env" mtd3: 00200000 00040000 "Factory" mtd4: 001c0000 00040000 "FIP" mtd5: 00040000 00040000 "zloader" mtd6: 04000000 00040000 "ubi" mtd7: 04000000 00040000 …

Most important thing is to use the backup config ability to gain access. You don't even need the supervisor password for that, just the pass that's used for then encryption of that config.

The password used for this encryption i found in the serial console but i dont remember if it was from booting on odido software or maybe from stock initramfs kernel. Anyways here's the following

sysCmd = openssl enc -e -des3 -md md5 -pass pass: root password code: (unique per device) in /tmp/zcfg_config.json -out /tmp/zcfg_config.encrypt, zcmdEncryptConfig 532

EDIT: Apparently its unique per device and stored in u-boot env as "supervisor" variable.

Therefore you use the following command to decrypt the backup.

openssl enc -d -des3 -md md5 -pass pass:*** -in Backup_Restore -out Backup_Restore.json

After changing whats necessary you encrypt it back and restore the config with following command.

openssl enc -e -des3 -md md5 -pass pass:*** -in Backup_Restore.json -out Backup_Restore

What to change in this backup?

First of all look for the account supervisor and account root

Copy the shadow of account supervisor and replace the shadow of account root.

This will replace the root password to the supervisor password, which you can find in the message i quoted so /etc/zydefault/sysconfig.tar.gz.

:Uo1=8mR~`f.t?;MVsfk&e;u!L|;'4

After this you can login to the supervisor account, the root account is only for SSH but you can still not login there. To be able to login you also have to change the following in the decrypted config :

I'm not on my PC but on my phone, so i can not access the files, but there was something about

SPTrustDomain

Either replacd the IP statting with 10.1.?

With 192.168.1.0 and subnetmask 24 or add anoth entry like that one with ip

192.168.1.0

And subnetmask

24

After that look for the following line : LAN_ONLY

I think you will see an entry with HTTP indicsting you only have access to HTTP through LAN.

Copy the parameters of this entry and replace it with the paramaters of SSH,FTP etc... they are found below it.

Then encrypt the backup back and upload it.

If i didnt miss any step. You can now login ssh root@192.168.1.1 with the supervisor pasword.

Use passwd root , passwd supervisor commands to change the passwords

Enjoy. And probably Odido will patch this asap now.

So with the root shell i dont even think you need serial console to be able to switch to OpenWRT

thehybrid1337 · 2025-01-29T16:04:09.147Z

Im also a windows only guy so before experimenting with this router i hard bricked 2 other routers before starting on this and learned the hard way what not to do

lytr · 2025-01-29T16:12:42.399Z

Password for root user is stored in u-boot env as supervisor variable and it's unique per device. Please remove this password from your post.

jonybat · 2025-01-29T18:43:52.825Z

I can confirm that neither the FTP method nor the Hack GPON guide work for a EX5601-T0 V5.70(ACDZ.3.4)C0. It was seemingly stock firmware

Instructions from T56 page (mtk_uartboot) worked perfectly for 23.05.5, followed by attended sysupgrade to 24.10-rc7

thehybrid1337 · 2025-01-29T22:06:06.623Z

Oh i didnt know that. Do you mean the one you can login as supervisor in the admin page or the one that is used to decrypt the backup config?

I know multiple methods to gain the other pass easily as long as you have 1 of them.