Adding OpenWrt support for Zyxel EX5601-T0

I haven't read all of @thehybrid1337's new approach yet. I used the instructions as they are on the wiki, which includes this part. After the update, it stops at "Handshake...". I have two other ways of getting root in mind, so you could flash OpenWRT or Zyxel stock firmware through SSH by writing directly to the MTDs, but this is more difficult than mtk_uartboot, so an easier way in is more than welcome.

My methods only include using mtk_uartboot or zloader, because I figured those two were the simplest and most suited for everyone to use, since they require minimal knowledge and the instructions are easy to follow.

According to you, mtk_uartboot no longer works and the zloader is also updated, so I guess they will no longer function.

I had previously posted a way to get SSH access on the Odido firmware some weeks ago here. I wonder if that will work or is also patched.

If it works, then the first thing that comes to my mind is using that to gain SSH access and log in with user root and the password that you have right now.

This is assuming they didn't change the root password of our devices after the update or denied root user access.

If they did change the root password but user admin is still able to use SSH, in previous attempts it was possible for me to use an exploit to run commands with root permissions even without logging in as root.

If all of the above is not possible then I could still think of a lot of possible ways to gain access.

I can not say anything for sure till I receive the update myself.

I've requested Odido to update my firmware and hope that it will somewhat accelerate the process of them updating my router, since I'm someone with no patience :smile:

The root password is hard-coded and the supervisor one hasn't changed yet, so getting root is not a problem if you already have the password. If you don't have it, it will be more difficult to get it after the update, but it's not impossible. I don't know if they update firmware upon request, but I hope they do. Patience is not my forte either.

zld_date=10/30/2024
zld_time=11:29:13
zld_ver=3.0
Firmware Version       : V5.70(ACEA.0)T56C_b10_0122_m
Bootbase Version       : V3.0 | 10/30/2024 11:29:13
Vendor Name            : ZYXEL Communication Corp
Product Model          : EX5601-T1

Here is the serial console log of it updating.

****[TR-069]Firmware Upgrade****
ls: /cfe*: No such file or directory
recv_str=/tmp/firmware.bin
zcmdReqFirmwareUpgrade : Enter
Image path /tmp/firmware.bin
Image length 48630339
mtdnum = 6.
[  129.608052] ubi2: attaching mtd7
[  129.911963] ubi2: scanning is finished
[  129.923478] ubi2: attached mtd7 (name "ubi2", size 64 MiB)
[  129.929057] ubi2: PEB size: 262144 bytes (256 KiB), LEB size: 253952 bytes
[  129.935940] ubi2: min./max. I/O unit sizes: 4096/4096, sub-page size 4096
[  129.942717] ubi2: VID header offset: 4096 (aligned 4096), data offset: 8192
[  129.949754] ubi2: good PEBs: 256, bad PEBs: 0, corrupted PEBs: 0
[  129.955744] ubi2: user volume: 0, internal volumes: 1, max. volumes count: 128
[  129.962984] ubi2: max/mean erase counter: 9/6, WL threshold: 4096, image sequence number: 467207445
[  129.972012] ubi2: available PEBs: 214, total reserved PEBs: 42, PEBs reserved for bad PEB handling: 38
[  129.981607] ubi2: background thread "ubi_bgt2d" started, PID 12926
UBI device number 2, total 256 LEBs (65011712 bytes, 62.0 MiB), available 214 LEBs (54345728 bytes, 51.8 MiB), LEB size 253952 bytes (248.0 KiB)
ubidev:ubi2.
zyFwInfoData
zyFwInfoData.seq_num = 0
zyFwInfoData.firmwareVersion V5.70(ACEA.0)T56C_b10_0122_m
rootfs signature verification of upgrading image passed
zyFwInfoDataO
zyFwInfoDataO.seq_num = 0
zyFwInfoDataO.firmwareVersion V5.70(ACEA.0)T56C_b7_1006
zyFwInfoData.seq_num = 1
zyFwInfoDataO.seq_num = 0
zcmdValidateImage : Enter.
Is being FW upgrade and checking Model-bit !!!
Correct model ID!!!
kill OneConnect processes to release CPU
killall: one_connect_monitor: no process killed
killall: l2command: no process killed
killall: plctool: no process killed
killall: amptool: no process killed
[  130.285700] sh (12960): drop_caches: 1
Sending SIP de-register...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[voiceApp]AppSignalHandler(): Thread 8323 has received Signal 15, TERMINATING 'voiceApp'!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[voiceApp]AppSignalHandler(): Snuff/Turn-Off All FXS Phone Ports' corresponding LEDs...
[voiceApp]AppSignalHandler(): Thread 8323 tries to de-Register All (active) SIP accounts...
[voiceApp]AppSignalHandler(): Thread 8323 is terminating the (user-space) DSP & Phone Port 'Event' data processing thread task by calling the 'Endpoint_itf.c/PhoneDeInitEventCb()'...
[voiceApp]AppSignalHandler(): Thread 8323 tries to deinit the voice DSP & Phone Port driver by calling dsp_endpoint_itf.c/voiceDspDeinit()...
MM:Entering voiceDspCoreDeinit
[MM]dspDriverDeinit(): Start to De-initialize the DSP & Phone Port driver by calling 'PhoneDeinit()' (isEndptInitialized()=1, gIsDspInitialized=1)...
PhoneDeinit(): Leaving with return -1...
MM:voiceDspCoreDeinit(): <<Error>> dspDriverDeinit() failed ==> response VOICE DSP API failure 'MM_FAILURE' to [voiceApp] and also return!!
MM:Exiting voiceDspCoreDeinit, ret=0
I got a commapd client_cap_query 
reply=0
Sending ppp dissconnect and dhcp/dhcp6 release...
killall: dhcp6c: no process killed
killall: pppd: no process killed
*** dhcpc receive signal:15
Received SIGTERM
Entering released state
Unicasting a release of 
Sending release...
Expired, set the connection down
Entering released state
killall: pppd: no process killed
remove volumes ... 
ubirmvol: error!: cannot find UBI volume "kernel"
          error 2 (No such file or directory)
ubirmvol: error!: cannot find UBI volume "rootfs"
          error 2 (No such file or directory)
ubirmvol: error!: cannot find UBI volume "zyfwinfo"
          error 2 (No such file or directory)
ubirmvol: error!: cannot find UBI volume "zydefault"
          error 2 (No such file or directory)
ubirmvol: error!: cannot find UBI volume "rootfs_data"
          error 2 (No such file or directory)
create volumes ... 
Volume ID 0, size 15 LEBs (3809280 bytes, 3.6 MiB), LEB size 253952 bytes (248.0 KiB), dynamic, name "kernel", alignment 1
Volume ID 1, size 177 LEBs (44949504 bytes, 42.8 MiB), LEB size 253952 bytes (248.0 KiB), dynamic, name "rootfs", alignment 1
Volume ID 2, size 1 LEBs (253952 bytes, 248.0 KiB), LEB size 253952 bytes (248.0 KiB), dynamic, name "zyfwinfo", alignment 1
I got a commapd client_cap_query 
reply=0
Volume ID 3, size 1 LEBs (253952 bytes, 248.0 KiB), LEB size 253952 bytes (248.0 KiB), dynamic, name "zydefault", alignment 1
Set volume size to 5079040
Volume ID 4, size 20 LEBs (5079040 bytes, 4.8 MiB), LEB size 253952 bytes (248.0 KiB), dynamic, name "rootfs_data", alignment 1
update volumes ... 
I got a commapd client_cap_query 
reply=0
zcmdReqFirmwareUpgrade: write image completely.
****[TR-069]Firmware Upgrade Success!!****

EDIT: here are the files if someone's interested.

https://drive.google.com/drive/folders/1QaOdj7qZppFHEksHQpK3llY3iio838Xn?usp=sharing

EDIT2: I also seem to have the files that were used for updating instead of just my whole mtd.

bl2.img

fip.bin

zloader.bin.gz2.uImage

Honestly, what a disappointment.

1 Like

Could someone new try to get root password like this without serial console?

I'm not 100% sure that it will work on devices that were never touched before, since maybe I still have some settings set differently.

To replicate a "factory default" router I had removed the EngDebugFlag environment variable, erased RomD and also factory reset my router.
Now when using serial console to stop autoboot, I am asked for a password for zloader.

  1. Factory reset your T-56 and leave the wan cable out since you need to login as supervisor.
  2. Gain SSH access by following instructions I posted before which I link below.
  3. Adding OpenWrt support for Zyxel EX5601-T0 - #597 by thehybrid1337
  4. login ssh supervisor@192.168.1.1 with password :Uo1=8mR~`f.t?;MVsfk&e;u!L|;'4
  5. sys atsh to see info and your mac addr
  6. sys atwz (mac) 0 1 your mac addr format has to be like a1b2c3d4e5f6
  7. sys atck to see root pass ?

I feel like this was not possible before, so it's probably some setting I forgot to change, I'm guessing?

2 Likes

Yes, I can confirm it's working following your instructions.
Tested on a T-56 fresh out of the box running on Odido FW version V5.70(ACEA.0)T56C_b7_1006.

Output (redacted):

BusyBox v1.31.1 () built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02-SNAPSHOT, r0-43529802
 -----------------------------------------------------
supervisor@EX5601-T1:/tmp/var/home/supervisor$ sys atsh
Firmware Version                  : V5.70(ACEA.0)T56C_b7_1006
Bootbase Version                  : V2.3 | 08/11/2022 09:46:58
Vendor Name                       : ZYXEL Communication Corp
Product Model                     : EX5601-T1
Serial Number                     : S24xxxxxx296
First MAC Address                 : 90xxxxxxx217
Last MAC Address                  : 90xxxxxxx221
MAC Address Quantity              : 11
Default Country Code              : 00
Boot Module Debug Flag            : 00
Kernel Checksum                   : 00006298
RootFS Checksum                   : 0000888C
Romfile Checksum                  : 00007FA9
Main Feature Bits                 : 00
Other Feature Bits                :
e2f861d6: 040a000b ffffffff 00000000 00000000
e2f861e6: ffffffff ffffffff ffffffff
supervisor@EX5601-T1:/tmp/var/home/supervisor$
supervisor@EX5601-T1:/tmp/var/home/supervisor$
supervisor@EX5601-T1:/tmp/var/home/supervisor$ sys atwz 90xxxxxxx217 0 1
MAC address  : 90xxxxxxx217
Country Code : 0
FeatureBit   : 00
MAC Number   : 11
supervisor@EX5601-T1:/tmp/var/home/supervisor$
supervisor@EX5601-T1:/tmp/var/home/supervisor$
supervisor@EX5601-T1:/tmp/var/home/supervisor$ sys atck
supervisor password: ddxxxxxxrD
admin password     : Txxxxxx6
WiFi PSK key       : 9MxxxxxxxxxxxxQH
supervisor@EX5601-T1:/tmp/var/home/supervisor$
1 Like

Well there you have it, that was easy :slight_smile: hahaha

I tested it on b10 by the way so no one has to worry about anything. The new firmware that's supposedly made to prevent unauthorized access but then they leave this available?

I'm sorry, Odido, for making it this easily available for everyone; at least you know what to do to prevent this now.

It seems serial is no longer needed to unlock zloader and flash OpenWrt.

2 Likes

Does the stock FW (based on OpenWrt I guess, judging from the console output) have all the tools necessary to repartition and flash ubootmod?

Technically it doesn't have to; it's enough if it, for instance, ships with fw_setenv.
Then you could change bootcmd to try to boot (an initramfs) from USB, before booting from flash.
This would also assume stock boot loader supports USB boot, I have no idea if it does.

I will have a look later today and will find some way to go to ubootmod without serial console. It's for sure possible.

Though I don't think bootcmd will work, since it skips the u-boot variables and just goes to read zloader 4600000

It was just a wild idea, but if you manage to figure one out, we'll put it in the wiki for sure :slight_smile:

Got the router, stuck on waiting for the serial adapter... so I tried following your steps.

Firstly I'd like to point out that I naively tried to unlock ssh access through Chrome instead of Edge, but the new rows wouldn't show up in the Remote Management page. I switched over to Edge and did everything from scratch, it worked flawlessly.

With this out of the way, I connected via ssh as supervisor, ran the commands and it gave me all the info about the build version, MAC address, etc.
One thing missing is the root password itself.
When I do sys, it says this for atck:
sys atck <PSK> <admin password> <supervisor password>.
It doesn't mention the root password, and in fact when I execute the command it only gives me passwords for admin, supervisor and Wi-Fi.
The supervisor password is also wrong :face_with_raised_eyebrow:
It's different from default one (:Uo1=8mR~`f.t?;MVsfk&e;u!L|;'4) and when I tried using it on the web GUI it would say "The account is locked or the password is wrong".

I don't know if I'm doing something wrong, but it's very curious behaviour, that's for sure :face_with_monocle:

That supervisor password is the root password :slight_smile:

Try to login ssh root with that "supervisor" password atck gives you and it will work.

Root cannot log in to the GUI, only SSH

2 Likes

Ohh, I get it. I somehow didn't try to access via ssh, only through web GUI :tired_face:
It works now, thank you so much!

Unfortunately it's indeed true about mtk_uartboot not working; I know this since I'm stuck with a brick :smiley:

Maybe it will be possible by setting the correct -l, --load-addr <LOAD_ADDR> when trying to use mtk_uartboot. Anyway, I will try to get it working, but at this moment I think it's best for me to take a little break from everything :stuck_out_tongue:

At this moment in time I wouldn't recommend anyone experimenting with flashing anything.

The somewhat less risky way to flash OpenWrt at this moment, if I had to choose, would be only with a usb-to-serial adapter, and this is also not a guarantee.

I had posted some instructions a few messages before on how to flash OpenWrt with stock layout.

So booting stock-initramfs-kernel, making sure not to forget to flash BL2, FIP and Zloader from one of my previous posts, in case yours has updated! These are the most important not to forget to flash since they are causing the issues.

files pre-update

Then ubiformat /dev/mtd5 mtd6 and mtd7.

It would remove all firmware but you would still be able to enter ZHAL and u-boot console.

From this point what I would do is either
A) use mtkupgrade to flash OpenWrt with stock layout
B) follow the instructions on how to flash OpenWrt with ubootmod partition layout.

Here is my bootlog with zloader 3.0 causing the brick. I had flashed old FIP and old BL2 but wanted to see what would happen if I didn't flash the old zloader back but instead left this 3.0 version.
10/10 would not recommend


F0: 102B 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 0000 0000
V0: 0000 0000 [0001]
00: 0007 8000
01: 0000 0000
BP: 2400 0209 [0000]
G0: 1190 0000
EC: 0000 0000 [1000]
T0: 0000 0192 [010F]
Jump to BL

NOTICE:  BL2: v2.6(release):3b1fd9bf-dirty
NOTICE:  BL2: Built : 09:47:06, Aug 11 2022
NOTICE:  WDT: disabled
NOTICE:  CPU: MT7986 (1998MHz)
NOTICE:  EMI: Using DDR4 settings
NOTICE:  EMI: Detected DRAM size: 1024MB
NOTICE:  EMI: complex R/W mem test passed
NOTICE:  SPI_NAND parses attributes from parameter page.
NOTICE:  SPI_NAND Detected ID 0x2c
NOTICE:  Page size 4096, Block size 262144, size 536870912
NOTICE:  Initializing NMBM ...
NOTICE:  Signature found at block 2047 [0x1ffc0000]
NOTICE:  First info table with writecount 4 found in block 1920
NOTICE:  Second info table with writecount 4 found in block 1923
NOTICE:  NMBM has been successfully attached in read-only mode
NOTICE:  BL2: Booting BL31
NOTICE:  BL31: v2.6(release):1b03fb11
NOTICE:  BL31: Built : 10:18:06, Jul 21 2022


U-Boot 2022.01-rc4 (Jul 21 2022 - 10:16:56 +0000)

CPU:   MediaTek MT7986
Model: ZYXEL EX5601-T0
DRAM:  1 GiB

Initializing NMBM ...
spi-nand: spi_nand spi_nand@1: Micron SPI NAND was found.
spi-nand: spi_nand spi_nand@1: 512 MiB, block size: 256 KiB, page size: 4096, OOB size: 256
Could not find a valid device for nmbm0
Signature found at block 2047 [0x1ffc0000]
First info table with writecount 4 found in block 1920
Second info table with writecount 4 found in block 1923
NMBM has been successfully attached

MMC:   mmc@11230000: 0
Loading Environment from MTD... OK
In:    serial@11002000
Out:   serial@11002000
Err:   serial@11002000
Net:   eth0: ethernet@15100000
Reading 262144 byte(s) at offset 0x00000000
## Booting kernel from Legacy Image at 46000000 ...
   Image Name:   zld-3.0 10/30/2024 11:29:13
   Image Type:   AArch64 U-Boot Standalone Program (gzip compressed)
   Data Size:    22416 Bytes = 21.9 KiB
   Load Address: 41e00200
   Entry Point:  41e003f4
   Verifying Checksum ... OK
   Uncompressing Standalone Program


ZYXEL zloader v3.0.9 (10/30/2024 - 11:29:13)
GPIO: 'юрA' not found
GPIO: 'юрA' not found
GPIO: 'юрA' not found
GPIO: 'юрA' not found
GPIO: 'юрA' not found
GPIO: 'юрA' not found
'spi-nand0' is now active device
Reading from 0x0 to 0xffffffffffffffff, size 0x0 ...
Succeeded
"Synchronous Abort" handler, esr 0x86000004
elr: 7369206723594674 lr : 0000000003cd3fd0 (reloc)
elr: 73692067616c6674 lr : 0000000041e05fd0
x0 : 0000000041e09b10 x1 : 73692067616c6674
x2 : 000000000000000a x3 : 000000007ffeb560
x4 : 00000000000000a0 x5 : 0000000041e09b10
x6 : 000000007ffcb700 x7 : 000000007ffcb710
x8 : 000000007fb47640 x9 : 000000007ff5c08c
x10: 00000000ffffffe8 x11: 0000000000000006
x12: 000000000001869f x13: 0000000000000200
x14: 0000000000000001 x15: 00000000ffffffff
x16: 000000000000003f x17: 0000000000000000
x18: 000000007f7ffdb0 x19: 000000007f7feee0
x20: 0000000041e09b10 x21: 0000000041e23000
x22: 0000000041e09000 x23: 0000000041e23418
x24: 0000000000000001 x25: 000000007f7ff330
x26: 000000007ffcdbe8 x27: 0000000000000001
x28: 0000000046000040 x29: 000000007f7fee70

Code: "Synchronous Abort" handler, esr 0x96000004
elr: 0000000041e022a8 lr : 0000000041e02288 (reloc)
elr: 000000007ff342a8 lr : 000000007ff34288
x0 : 000000007ffba24d x1 : 0000000000000000
x2 : 000000007ff79154 x3 : 000000007f7fe7e0
x4 : 000000007f7fe820 x5 : fffffffffffffff8
x6 : 00000000ffffffc8 x7 : 000000000000000f
x8 : 0000000000000001 x9 : 000000007ff5c08c
x10: 00000000ffffffe8 x11: 0000000000000006
x12: 000000000001869f x13: 0000000000000200
x14: 0000000000000001 x15: 0000000000000010
x16: 000000000000003f x17: 0000000000000000
x18: 000000007f7ffdb0 x19: 73692067616c6664
x20: 000000007ffb5000 x21: 00000000fffffffc
x22: 000000007ffba245 x23: 000000007ffba24d
x24: 0000000000000001 x25: 000000007f7ff330
x26: 000000007ffcdbe8 x27: 0000000000000001
x28: 0000000046000040 x29: 000000007f7fed10

Code: d1004273 910916d6 aa0003f7 12800075 (b9400261)
Resetting CPU ...

I would not risk it since flashing the old files does not mean it will work 100%.

Maybe they've changed some setting in the device that's got nothing to do with the new bl2 fip and zloader.

My guess is this :
Secure Boot — IoT Yocto documentation

which would indicate it's before bl2 and complicated, for me at least

Hey guys, how is it going right now with flashing OpenWrt? Is it still possible to flash OpenWrt on the device if I buy it from wifilinks? Is there any recent experience?

It's possible if you never updated to b10.

The best way to find out if it's possible without risking anything is to try to use mtk_uartboot.

If mtk_uartboot works, then you're safe.

They've enabled secure boot.
MT7986 Secure Boot Quick Start 20220126 v1.2 | PDF | Booting | Operating System Technology

I'm guessing for mtk_uartboot to work we need to send a bl2 with the correct public key as payload. Since this efuse checks for the public key in BL2.

With the following script it got activated on first boot after updating to b10:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2011 OpenWrt.org

START=10
STOP=90

uci_apply_defaults() {
	. /lib/functions/system.sh

	cd /etc/uci-defaults || return 0
	files="$(ls)"
	[ -z "$files" ] && return 0
	mkdir -p /tmp/.uci
	for file in $files; do
		( . "./$(basename $file)" ) && rm -f "$file"
	done
	uci commit
}
upgrade_zld_version(){
	version=$(strings /dev/mtd5 | grep zld | awk -F'-' '{print $2}' | awk -F'.' '{print $1}')
	echo "check upgrade_zld_version" > /dev/console
	if [ "$version" == "3" ]; then
		return 0
	fi

	mtd erase BL2
	mtd write /etc/bl2.img BL2
	sleep 1
	mtd erase FIP
	mtd write /etc/fip.bin FIP
	sleep 1
	mtd erase zloader
	mtd write /etc/zloader.bin.gz.uImage zloader
	sleep 1
	reboot
	exit 0
}
upgrade_efuse(){
	version=$(strings /dev/mtd5 | grep zld | awk -F'-' '{print $2}' | awk -F'.' '{print $1}')

	if [ "$version" == "3" ]; then
		echo "upgrade_efuse" > /dev/console
		tar -zxvf /etc/test
		/etc/efuse.sh start
	fi
}
boot() {
	[ -f /proc/mounts ] || /sbin/mount_root
	[ -f /proc/jffs2_bbc ] && echo "S" > /proc/jffs2_bbc

	mkdir -p /var/lock
	chmod 1777 /var/lock
	mkdir -p /var/log
	mkdir -p /var/run
	mkdir -p /var/state
	mkdir -p /var/tmp
	mkdir -p /tmp/.uci
	chmod 0700 /tmp/.uci
	touch /var/log/wtmp
	touch /var/log/lastlog
	mkdir -p /tmp/resolv.conf.d
	touch /tmp/resolv.conf.d/resolv.conf.auto
	ln -sf /tmp/resolv.conf.d/resolv.conf.auto /tmp/resolv.conf
	grep -q debugfs /proc/filesystems && /bin/mount -o noatime -t debugfs debugfs /sys/kernel/debug
	grep -q bpf /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime,mode=0700 -t bpf bpffs /sys/fs/bpf
	grep -q pstore /proc/filesystems && /bin/mount -o noatime -t pstore pstore /sys/fs/pstore
	[ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe

	/sbin/kmodloader

	[ ! -f /etc/config/wireless ] && {
		# compat for bcm47xx and mvebu
		sleep 1
	}

	/bin/config_generate
	uci_apply_defaults
	sync

	# temporary hack until configd exists
	/sbin/reload_config
	upgrade_zld_version
	upgrade_efuse
}

1 Like
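The version test in the script above (`"$version" == "3"`) and the `Bootbase Version` / `zld_ver` values quoted earlier in the thread can be checked from text alone, without touching flash. This is an added example, not part of any post or of the Zyxel firmware; the function names, the `pre-update`/`updated` labels and the three sample inputs are constructed here from lines quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check of the zloader
# generation from text a device owner already has. Nothing here writes flash.

# Same pipeline shape as the boot script above, applied to text on stdin
# instead of `strings /dev/mtd5`: field after '-', then field before '.'.
vendor_style_major() {
	grep zld | awk -F'-' '{print $2}' | awk -F'.' '{print $1}'
}

# Stricter parser: accepts the three spellings that appear in the thread and
# returns only the first match, so the result is one token or empty.
zld_major() {
	sed -n -E \
		-e 's/^Bootbase Version[[:space:]]*:[[:space:]]*V([0-9]+)\.[0-9]+.*/\1/p' \
		-e 's/^zld_ver=([0-9]+)\.[0-9]+.*/\1/p' \
		-e 's/.*zld-([0-9]+)\.[0-9]+.*/\1/p' | head -n 1
}

# Map the major version to a label; major 3 is the value the script tests for.
classify_bootbase() {
	major=$(zld_major)
	case "$major" in
		'') echo unknown ;;
		[0-2]) echo pre-update ;;
		*) echo updated ;;
	esac
}

# Constructed samples, trimmed from output quoted in the thread.
sample_atsh_b7() {
	cat <<'EOF'
Firmware Version                  : V5.70(ACEA.0)T56C_b7_1006
Bootbase Version                  : V2.3 | 08/11/2022 09:46:58
Product Model                     : EX5601-T1
EOF
}
sample_env_b10() {
	cat <<'EOF'
zld_date=10/30/2024
zld_time=11:29:13
zld_ver=3.0
EOF
}
sample_uboot_b10() {
	cat <<'EOF'
## Booting kernel from Legacy Image at 46000000 ...
   Image Name:   zld-3.0 10/30/2024 11:29:13
   Image Type:   AArch64 U-Boot Standalone Program (gzip compressed)
EOF
}

for s in sample_atsh_b7 sample_env_b10 sample_uboot_b10; do
	printf '%-18s %s\n' "$s" "$("$s" | classify_bootbase)"
done
```

On a device, the input would be the saved output of `sys atsh` or a captured serial boot log piped into `classify_bootbase`.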

Hi @thehybrid1337 ,
sorry, I have somewhat lost track; I'm afraid.
I understand I will still have to open the case and use a USB2UART adapter (again) to both

  • move a device currently running on OpenWRT uboot-mod to dual boot (i.e. Zyxel stock and OpenWrt stock layout)
  • move a device currently running on Odido stock FW (v5) to OpenWrt uboot-mod or to dual boot (as above) even if I know the supervisor and root passwords

Is this understanding correct? Can you confirm, please?
Thank you in advance!

I'm sorry, I don't have answers that I'm 100% sure of, since my router got bricked as I was in the process of trying to find the best way possible to flash without serial.

I can only make guesses at this moment till I get a new router and try it myself first.

But for your first question, it might be possible if you set the boot command in the uboot env variables with fw_setenv to tftpboot stock-initramfs-kernel && bootm .
I'm not sure.

As for your 2nd question: from stock to ubootmod without a usb-to-serial adapter has not been possible for me in the few times that I tried it. But I also didn't have a lot of time to test it out.

But from stock Zyxel I think you can multiboot by making sure you're on ubi2. If you're not, then use zycli commands to switch partition to ubi2.

And from there I think mtd6 was ubi, so ubiformat /dev/mtd6 and make the necessary volumes and update these volumes with kernel, rootfs and zyfwinfo (if you want to have OpenWrt on this partition).

This is all just a guess and sorry I can't help further