I know, but what if you don’t use any features which don’t work with hardware offloading?
Which addon and settings did you use?
Flashing OpenWrt and dual booting stock firmware on firmware version V5.70(ACEA.0)T56C_b10_0410 (no serial required)
I became an Odido subscriber last week and I've been looking for progress on flashing OpenWrt to devices running the latest firmware pushed by Odido (V5.70(ACEA.0)T56C_b10_0410). Couldn't find anything so I spent some time to work it out myself.
I actually prefer the stock partition layout over the ubootmod one, as it gives me the flexibility to dual boot OpenWrt and the stock firmware. So the steps below result in just that: OpenWrt and the stock firmware running side-by-side, with an easy way to switch between them.
The guide below is heavily inspired by @thehybrid1337's post Adding OpenWrt support for Zyxel EX5601-T0 - #814 by thehybrid1337. Great work by the way!
Anyway, let's get to it.
Step 1: Get a root shell
Since V5.70(ACEA.0)T56C_b10_0410, the backdoor supervisor account is gone. The admin user can not do much, but it turns out these limitations are mostly enforced at the client side. Under the hood, the admin user can actually do quite a lot.
Removing client-side restrictions
I'm using Firefox. Other browsers may be similar. I haven't tested.
Log into your device's web interface, hit CTRL + SHIFT + I, go to the Debugger tab, right click app.js, click 'Add script override', like so: -> screenshot (sorry, new user, can't embed images)
Save it to a file. Open it with a text editor, and replace its contents with the one found here. Save the file and hit F5 in the browser. The menu should now be fully populated.
The remainder of steps of getting a root shell is pretty much the same as @thehybrid1337's. I'll briefly re-iterate.
SP Domain
Head to Maintenance -> SP Domain
Enable SSH and hit Apply -> screenshot
In the SP Trust Domain tab, add 192.168.1.0/24
Remote Management
Go to Maintenance -> Remote Management
Once again, hit CTRL + SHIFT + I and go to the Debugger tab. Right click app.maintenance.js -> 'Add script override' -> screenshot
Save it to a file. Open it with a text editor, and replace its contents with the one found here. Save the file and hit F5 in the browser. You should be seeing the full list of items.
Enable SSH for LAN, WLAN and Trust Domain
Open the Trust Domain tab and add 192.168.1.0/24
SSH
Connect to your device via ssh
ssh admin@192.168.1.1
Accept the certificate, use the password you use for the web interface, and enter the command:
sys atsh
Copy the 'First MAC Address', and paste it in the command below, followed by '0 1'
sys atwz (mac) 0 1
Now entering the following command will get you the root password (dubbed supervisor password here)
sys atck
And finally, log in as root with the password from the previous step and be greeted with a shell.
ssh root@192.168.1.1
I recommend you save the root password somewhere. It's unique per device and the algorithm to generate it is not present in the firmware (I checked). This password will also get you access to the boot loader, so you might need it one day if Odido sends another firmware update and locks you out.
Step 2: Flash a patched zloader
Background
Before going through the steps, I'll briefly explain why this works. On the OpenWrt wiki, you can check out the OEM bootlog and find the following line:
MMC: mmc@11230000: 0
Loading Environment from MTD... OK
In: serial@11002000
Out: serial@11002000
Err: serial@11002000
Net: eth0: ethernet@15100000
Reading 262144 byte(s) at offset 0x00000000
## Booting kernel from Legacy Image at 46000000 ... <----!!!!!!!!
Image Name: zld-2.3 08/11/2022 09:46:58
Image Type: AArch64 U-Boot Standalone Program (gzip compressed)
Data Size: 23638 Bytes = 23.1 KiB
Load Address: 41e00200
Entry Point: 41e003f4
Verifying Checksum ... OK
Uncompressing Standalone Program
Legacy image implies unsigned as the U-Boot legacy format does not support cryptographic signatures. Contained within this image is the zloader, which is the component that you can talk to over the serial port. It is also responsible for validating the main firmware's cryptographic signatures. Clearly, we can simply patch zloader to remove those checks. So that's exactly what I did.
As a side-note: I've noticed the latest firmware, in fact, does not enable secure boot. The efuse.sh found in /etc/efuse_tool_opal_mt7986.tar does the following:
insmod mtk_efuse.ko
# disable JTAG and BROM
echo "dj" > /sys/kernel/debug/mtk_efuse/efuse;
echo "db" > /sys/kernel/debug/mtk_efuse/efuse;
dj is for disabling JTAG, db is for disabling mtk_uartboot. Secure boot is not enabled, as confirmed by mtk_efuse.ko:
insmod mtk_efuse.ko
cat /sys/kernel/debug/mtk_efuse/secure_boot
Secure Boot: disable
So in principle, since you have a root shell, you should be able to flash ubootmod. However, I haven't looked into it so you're on your own if you want to try it. Below are the steps for setting it up using the stock partition layout with dual boot.
Flashing
SSH into the device as root, and enter the following commands
cd /tmp
wget https://github.com/carlicious/zloader/releases/download/v1.0-alpha/bl2.img
wget https://github.com/carlicious/zloader/releases/download/v1.0-alpha/fip.bin
wget https://github.com/carlicious/zloader/releases/download/v1.0-alpha/zloader.bin.gz.uImage_patched
Or use any other means of getting these files on the device. Then flash them, as follows:
mtd erase BL2
mtd write /tmp/bl2.img BL2
mtd erase FIP
mtd write /tmp/fip.bin FIP
mtd erase zloader
mtd write /tmp/zloader.bin.gz.uImage_patched zloader
sync
Now technically, you only have to flash zloader.bin.gz.uImage_patched, as the other images are stock taken from V5.70(ACEA.0)T56C_b10_0410. I've included them here because zloader depends on a function table provided by Zyxel's U-Boot (contained in FIP). This table differs from version to version so you can't mix and match zloader versions with FIP versions or else you'll get a brick.
Besides removing the signature checks, I figured it would be nice to have zloader ignore zyfwinfo entirely, and use an nvram variable (boot_flag) instead. This way, I can easily change the boot partition, should I decide to boot into the stock firmware one day, and so that I can update OpenWrt from the web interface.
Step 3: Check that you're on ubi2
OpenWrt does not support booting from the ubi2 partition, so that's where your stock firmware will live. Check which partition your current firmware is on, as follows:
cat /proc/cmdline
If it says rootubi=ubi2 at the end, then you're good.
Otherwise, execute the following to see the firmware version at ubi2
ubiattach -d 9 -p /dev/mtd7
strings /dev/ubi9_2
Within the output, it should contain the firmware version. Mine says V5.70(ACEA.0)T56C_b10_0410.
If for some reason you're not happy with this version, you may want to copy ubi to ubi2. I'm not going to elaborate how to do that here though.
Since you've flashed my patched zloader, rebooting into ubi2 is as easy as:
fw_setenv boot_flag 1
reboot
(You should do so now if you're currently not on ubi2)
Step 4: Flash OpenWrt
Download the latest OpenWrt sysupgrade to the device, make sure it's the STOCK image, not the ubootmod one as you're using the stock partition layout.
cd /tmp
wget https://downloads.openwrt.org/releases/24.10.2/targets/mediatek/filogic/openwrt-24.10.2-mediatek-filogic-zyxel_ex5601-t0-stock-squashfs-sysupgrade.bin
Or, again, use any other means of getting this file onto the device. Then, extract it:
tar xvf openwrt-24.10.2-mediatek-filogic-zyxel_ex5601-t0-stock-squashfs-sysupgrade.bin
Attach the ubi partition
ubiattach -d 9 -p /dev/mtd6
Delete existing UBI volumes
ubirmvol /dev/ubi9 -N kernel
ubirmvol /dev/ubi9 -N rootfs
ubirmvol /dev/ubi9 -N zydefault
ubirmvol /dev/ubi9 -N rootfs_data
Create new UBI volumes
ubimkvol /dev/ubi9 -N kernel -s $(ls -l sysupgrade-zyxel_ex5601-t0-stock/kernel | awk '{print $5}')
ubimkvol /dev/ubi9 -N rootfs -s $(ls -l sysupgrade-zyxel_ex5601-t0-stock/root | awk '{print $5}')
ubimkvol /dev/ubi9 -N rootfs_data -m
Perform flash
ubiupdatevol /dev/ubi9_0 sysupgrade-zyxel_ex5601-t0-stock/kernel
ubiupdatevol /dev/ubi9_1 sysupgrade-zyxel_ex5601-t0-stock/root
sync
Set ubi as the next boot target and reboot
fw_setenv boot_flag 0
reboot
You'll now be greeted with OpenWrt.
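On the "Legacy Image" point in Step 2 of the post above: the following is an added example, not code from the post or from U-Boot, that parses the 64-byte legacy header and shows its CRC32 fields catch corruption but cannot authenticate an image. The payloads are constructed; the load and entry addresses are copied from the boot log quoted in the post.

```python
import struct
import zlib

IH_MAGIC = 0x27051956              # magic number of the U-Boot legacy image format
HDR = struct.Struct(">7I4B32s")    # 64-byte big-endian header, no signature field

def build_legacy(payload, name=b"constructed-sample"):
    """Pack a legacy image: the only protection is two CRC32 values."""
    # magic, hcrc, time, size, load, entry, dcrc, os, arch, type, comp, name
    fields = [IH_MAGIC, 0, 0, len(payload), 0x41E00200, 0x41E003F4,
              zlib.crc32(payload), 17, 22, 1, 1, name]
    fields[1] = zlib.crc32(HDR.pack(*fields))   # header CRC, computed with hcrc = 0
    return HDR.pack(*fields) + payload

def audit(image):
    """Report what the format lets a loader conclude about an image."""
    if len(image) < HDR.size:
        return {"format": "unknown"}
    magic, hcrc, _time, size, _load, _ep, dcrc, *_ = HDR.unpack_from(image)
    if magic != IH_MAGIC:
        return {"format": "unknown"}
    header = bytearray(image[:HDR.size])
    header[4:8] = b"\x00" * 4                   # zero hcrc before recomputing
    data = image[HDR.size:HDR.size + size]
    return {
        "format": "legacy",
        "header_crc_ok": zlib.crc32(bytes(header)) == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc,
        "authenticated": False,                 # nothing ties the image to a key
    }

# Constructed inputs (not real firmware).
ORIGINAL = build_legacy(b"constructed stage payload")
REBUILT = build_legacy(b"constructed, different payload")
CORRUPTED = ORIGINAL[:-1] + bytes([ORIGINAL[-1] ^ 0xFF])

if __name__ == "__main__":
    for label, img in (("original", ORIGINAL), ("rebuilt", REBUILT),
                       ("corrupted", CORRUPTED)):
        print(label, audit(img))
```

Both the original and the rebuilt image pass every check the format offers, which is why a boot chain that needs authenticity has to verify a signature outside this header.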
Awesome work, @carlicious!
@thehybrid1337 you might have collected a couple of 0410's by now, care to verify the above?
if reproducible, it'll go into the wiki.
@carlicious it worked! At least I installed everything, but I don't have a working internet connection with Odido ISP.
I tried powering off the fiber converter, no result. I also tried this:
And I also tried 24.10.0 and 23.05.5.
My fiber converter is connected to the WAN port on the router.
Found the problem and here is the fix for Odido ISP:
Log in to the LuCI web interface and go to 'Network' -> 'Interfaces'.
Select the 'Devices' -> Devices tab and select 'Add device configuration' at the bottom.
Configure the following:
Device type: VLAN (802.1q)
Base device: eth1
VLAN ID: 300
MTU: 1500
The rest of the settings are correct. Click 'Save' and 'Save & Apply'. You now have an additional device called eth1.300.
Select the 'Interfaces' tab.
Remove the default 'WAN6' interface. You don't need it.
Click the "WAN" interface -> Edit and configure the following:
Protocol: DHCP client
Device: eth1.300
This works perfectly for me.
This works indeed in the Netherlands, ISP Odido
does your wan paragraph in /etc/config/network look something like
config interface 'wan'
option device 'eth1.300'
option proto 'dhcp'
confirm, or post what it's supposed to look like, and I'll add it to https://openwrt.org/docs/guide-user/network/wan/isp-configurations#netherlands.
This is what it looks like:
config interface 'wan'
option device 'eth1.300'
option proto 'dhcp'
config device
option type '8021q'
option ifname 'eth1'
option vid '300'
option name 'eth1.300'
thnx, posted.
Followed the instructions and it worked great. I no longer have a paper holder
Just want to confirm, worked very nice on mine as well. Just in time, I wanted to offer mine to @thehybrid1337 one day before I read this
I also did a quick comparison of the provided javascript files, they are safe but still I didn’t manage to fully understand the changes in the 3 minutes I looked at it. Thanks for the work!
I can confirm that flashing a device running V5.70(ACEA.0)T56C_b10_0410 using @carlicious's methods of getting root access, combined with instructions by @thehybrid1337 for flashing a ubootmod firmware version, worked!
Then flashed to the latest stable release, and it booted just fine
Huge thanks to @thehybrid1337 + @carlicious for your contributions!
shouldn't use releases not announced in https://forum.openwrt.org/c/announcements/14.
they might get pulled last minute, it has happened before.
You're very welcome!
About the javascript:
The requests and responses going back and forth between the browser and the web application are encrypted with some homebrew encryption scheme. I didn't feel like reverse engineering and re-implementing all of it, so I just threw in a console.log() statement in both AesRsaEncrypt() and AesDecrypt().
Through this I found that the list of menu items is fetched with some web request, and the result consists of a filtered subset of menu.json found in the device's firmware. So all I did was regex the output of AesDecrypt(), see if it contains the menu items, and if so, replace it with the full contents of menu.json. That's all that was necessary. There are no further restrictions whatsoever on the server side.
In app.maintenance.js, all I did was replace findAndRemove() with a stub, similar to @thehybrid1337's approach.
I just felt like it'd be easier for you to just swap out the files with mine instead of explaining how to change them manually.
Well, that, or I might be the next Jia Tan social engineering you into running evil javascript in your router's web page, who knows?
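The post above describes a menu that is filtered per account while the requests behind the hidden pages are accepted anyway. As an added example (not the firmware's code and not from the post), this models that pattern beside a handler that re-checks the policy on every request, plus a regression check that lists hidden pages a handler still accepts. The role-to-page assignment and all function names are assumptions made for illustration.

```python
# Constructed policy: minimum role each management page requires.
MENU = [
    {"page": "Maintenance/Reboot", "min_role": "admin"},
    {"page": "Maintenance/SP Domain", "min_role": "supervisor"},
    {"page": "Maintenance/Remote Management", "min_role": "supervisor"},
]
RANK = {"admin": 1, "supervisor": 2}   # unknown roles rank 0

def menu_for(role):
    """Menu subset sent to the browser. This is presentation, not a control."""
    level = RANK.get(role, 0)
    return [m["page"] for m in MENU if level >= RANK[m["min_role"]]]

def handle_ui_only(role, page, settings):
    """Pattern described in the post: any authenticated request is applied."""
    return {"status": 200, "applied": settings}

def handle_enforced(role, page, settings):
    """Same request, with the policy checked server-side and deny by default."""
    entry = next((m for m in MENU if m["page"] == page), None)
    if entry is None:
        return {"status": 404}
    if RANK.get(role, 0) < RANK[entry["min_role"]]:
        return {"status": 403}
    return {"status": 200, "applied": settings}

def unenforced_pages(handler, role):
    """Pages hidden from the role's menu that the handler still accepts."""
    visible = set(menu_for(role))
    hidden = [m["page"] for m in MENU if m["page"] not in visible]
    return [p for p in hidden if handler(role, p, {})["status"] == 200]

if __name__ == "__main__":
    print("ui-only :", unenforced_pages(handle_ui_only, "admin"))
    print("enforced:", unenforced_pages(handle_enforced, "admin"))
```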
Got it, simply picked the latest stable releases, assuming it was published. I've edited my previous post
@gechu can you link me the instructions of the ubootmod you used?
I don't like the dualboot, I just want full storage capacity for my OpenWrt and will never go back to Odido firmware.
Acquire root using this method:
Then flash the ubootmod version as described here:
