Adding OpenWrt support for Zyxel EX5601-T0

I dug out my locked EX5601-T0 which still has a locked boot loader

BP: 2400 0209 [0000]

And followed your instructions starting from the point where you SSH as a root user - SSH was enabled and the admin user printed on the back of the device provided access to run the sys atsh etc. commands. My UK router was Trooli branded but doesn’t appear to have anything locked out other than the boot loader, but that looks like it didn’t matter in this instance. I can’t explain it. Anyway, it was easy to connect as root and pick your guide up from that point. The only bit that threw me was the reboot after flashing the FIP - I got a boot menu but the system didn’t automatically launch into TFTP so I had to drop out to the EX5601> menu and launch tftpboot from there. I also had to type “boot” after it had copied to kick it into launching, but at that point everything matched up with what’s expected from a device in the initramfs state.

So thanks for your guide. I don’t know what the implications are for locked boot loaders, if you want me to do anything on the UART while I still have the back off then fire away.

Edit: I drilled and filed out the back cover to retain access to the header:

3 Likes

pushing openwrt via zycast:

ZHAL> ATSH
Firmware Version       : Unknown
Bootbase Version       : V2.3 | 07/21/2022 10:17:53
Vendor Name            : 
Product Model          : EX5601-T0
Serial Number          : 
First MAC Address      : 1071B38686B3
Last MAC Address       : 1071B38686B2
MAC Address Quantity   : 00
Default Country Code   : 00
Boot Module Debug Flag : 01
RootFS      Checksum   : 00000000
Kernel      Checksum   : 00000000
Main Feature Bits      : 00
Other Feature Bits     : 
41e23410: 00000000 00000000 00000000 00000000
41e23420: 00000000 00000000 00000000
ZHAL> ATSR
Reboot after 0 seconds
resetting ...


F0: 102B 0000

FA: 1040 0000

FA: 1040 0000 [0200]

F9: 0000 0000

V0: 0000 0000 [0001]

00: 0000 0000

BP: 2400 0041 [0000]

G0: 1190 0000

EC: 0000 0000 [1000]

T0: 0000 0229 [010F]

Jump to BL


NOTICE:  BL2: v2.6(release):3b1fd9bf-dirty
NOTICE:  BL2: Built : 09:47:06, Aug 11 2022
NOTICE:  WDT: disabled
NOTICE:  CPU: MT7986 (2000MHz)
NOTICE:  EMI: Using DDR4 settings
NOTICE:  EMI: Detected DRAM size: 1024MB
NOTICE:  EMI: complex R/W mem test passed
NOTICE:  SPI_NAND parses attributes from parameter page.
NOTICE:  SPI_NAND Detected ID 0xc2
NOTICE:  Page size 4096, Block size 262144, size 536870912
NOTICE:  Initializing NMBM ...
NOTICE:  Signature found at block 2047 [0x1ffc0000]
NOTICE:  First info table with writecount 0 found in block 1920
NOTICE:  Second info table with writecount 0 found in block 1923
NOTICE:  NMBM has been successfully attached in read-only mode
NOTICE:  BL2: Booting BL31
NOTICE:  BL31: v2.6(release):1b03fb11
NOTICE:  BL31: Built : 10:18:06, Jul 21 2022


U-Boot 2022.01-rc4 (Jul 21 2022 - 10:16:56 +0000)

CPU:   MediaTek MT7986
Model: ZYXEL EX5601-T0
DRAM:  1 GiB

Initializing NMBM ...
spi-nand: spi_nand spi_nand@1: Macronix SPI NAND was found.
spi-nand: spi_nand spi_nand@1: 512 MiB, block size: 256 KiB, page size: 4096, OOB size: 128
Could not find a valid device for nmbm0
Signature found at block 2047 [0x1ffc0000]
First info table with writecount 0 found in block 1920
Second info table with writecount 0 found in block 1923
NMBM has been successfully attached 

MMC:   mmc@11230000: 0
Loading Environment from MTD... OK
In:    serial@11002000
Out:   serial@11002000
Err:   serial@11002000
Net:   eth0: ethernet@15100000
Reading 262144 byte(s) at offset 0x00000000
## Booting kernel from Legacy Image at 46000000 ...
   Image Name:   zld-2.3 07/21/2022 10:17:53
   Image Type:   AArch64 U-Boot Standalone Program (gzip compressed)
   Data Size:    21708 Bytes = 21.2 KiB
   Load Address: 41e00200
   Entry Point:  41e003f4
   Verifying Checksum ... OK
   Uncompressing Standalone Program


ZYXEL zloader v2.3.9 (07/21/2022 - 10:17:53)
ubi0: attaching mtd7
ubi0: scanning is finished
ubi0: attached mtd7 (name "ubi", size 64 MiB)
ubi0: PEB size: 262144 bytes (256 KiB), LEB size: 253952 bytes
ubi0: min./max. I/O unit sizes: 4096/4096, sub-page size 4096
ubi0: VID header offset: 4096 (aligned 4096), data offset: 8192
ubi0: good PEBs: 256, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 11/8, WL threshold: 4096, image sequence number: 1821966369
ubi0: available PEBs: 0, total reserved PEBs: 256, PEBs reserved for bad PEB handling: 38
Reading from volume 'zyfwinfo' to 0x7fb34590, size 0x100 ... *** Cannot find volume 'zyfwinfo' ***
ubi0: detaching mtd7
ubi0: mtd7 is detached
Cannot get seq_num from rootfs0
ubi0: attaching mtd8
ubi0: scanning is finished
ubi0: attached mtd8 (name "ubi2", size 64 MiB)
ubi0: PEB size: 262144 bytes (256 KiB), LEB size: 253952 bytes
ubi0: min./max. I/O unit sizes: 4096/4096, sub-page size 4096
ubi0: VID header offset: 4096 (aligned 4096), data offset: 8192
ubi0: good PEBs: 256, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 4/4, WL threshold: 4096, image sequence number: 1653515731
ubi0: available PEBs: 214, total reserved PEBs: 42, PEBs reserved for bad PEB handling: 38
Reading from volume 'zyfwinfo' to 0x7fb35610, size 0x100 ... *** Cannot find volume 'zyfwinfo' ***
ubi0: detaching mtd8
ubi0: mtd8 is detached
Cannot get seq_num from rootfs1
Current bootflag is 0
BOARD_DETECT_BY_GPIO=>result=0
ubi0: attaching mtd7
ubi0: scanning is finished
ubi0: attached mtd7 (name "ubi", size 64 MiB)
ubi0: PEB size: 262144 bytes (256 KiB), LEB size: 253952 bytes
ubi0: min./max. I/O unit sizes: 4096/4096, sub-page size 4096
ubi0: VID header offset: 4096 (aligned 4096), data offset: 8192
ubi0: good PEBs: 256, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 11/8, WL threshold: 4096, image sequence number: 1821966369
ubi0: available PEBs: 0, total reserved PEBs: 256, PEBs reserved for bad PEB handling: 38
Reading from volume 'zyfwinfo' to 0x7fb34590, size 0x100 ... *** Cannot find volume 'zyfwinfo' ***
ubi0: detaching mtd7
ubi0: mtd7 is detached
Multiboot clinent version: 2.7

Hit any key to stop autoboot:  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  ...4  4  4  4  4  4  4  4

Multiboot server is available for download firmware image!
Be patient, it should be finish in 12 minutes...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
RAS: download to address 0x0000000046000000, size=8816116

!!! Firmware download success !!!
Failed to parse ras image
Failed to verify image

!!! Fail to update RAS firmware image !!!
Reset your board! system halt...

pushing zyxel stock firmware via zycast:

F0: 102B 0000

FA: 1040 0000

FA: 1040 0000 [0200]

F9: 0000 0000

V0: 0000 0000 [0001]

00: 0000 0000

BP: 2400 0041 [0000]

G0: 1190 0000

EC: 0000 0000 [1000]

T0: 0000 0229 [010F]

Jump to BL


NOTICE:  BL2: v2.6(release):3b1fd9bf-dirty
NOTICE:  BL2: Built : 09:47:06, Aug 11 2022
NOTICE:  WDT: disabled
NOTICE:  CPU: MT7986 (2000MHz)
NOTICE:  EMI: Using DDR4 settings
NOTICE:  EMI: Detected DRAM size: 1024MB
NOTICE:  EMI: complex R/W mem test passed
NOTICE:  SPI_NAND parses attributes from parameter page.
NOTICE:  SPI_NAND Detected ID 0xc2
NOTICE:  Page size 4096, Block size 262144, size 536870912
NOTICE:  Initializing NMBM ...
NOTICE:  Signature found at block 2047 [0x1ffc0000]
NOTICE:  First info table with writecount 0 found in block 1920
NOTICE:  Second info table with writecount 0 found in block 1923
NOTICE:  NMBM has been successfully attached in read-only mode
NOTICE:  BL2: Booting BL31
NOTICE:  BL31: v2.6(release):1b03fb11
NOTICE:  BL31: Built : 10:18:06, Jul 21 2022


U-Boot 2022.01-rc4 (Jul 21 2022 - 10:16:56 +0000)

CPU:   MediaTek MT7986
Model: ZYXEL EX5601-T0
DRAM:  1 GiB

Initializing NMBM ...
spi-nand: spi_nand spi_nand@1: Macronix SPI NAND was found.
spi-nand: spi_nand spi_nand@1: 512 MiB, block size: 256 KiB, page size: 4096, OOB size: 128
Could not find a valid device for nmbm0
Signature found at block 2047 [0x1ffc0000]
First info table with writecount 0 found in block 1920
Second info table with writecount 0 found in block 1923
NMBM has been successfully attached 

MMC:   mmc@11230000: 0
Loading Environment from MTD... OK
In:    serial@11002000
Out:   serial@11002000
Err:   serial@11002000
Net:   eth0: ethernet@15100000
Reading 262144 byte(s) at offset 0x00000000
## Booting kernel from Legacy Image at 46000000 ...
   Image Name:   zld-2.3 07/21/2022 10:17:53
   Image Type:   AArch64 U-Boot Standalone Program (gzip compressed)
   Data Size:    21708 Bytes = 21.2 KiB
   Load Address: 41e00200
   Entry Point:  41e003f4
   Verifying Checksum ... OK
   Uncompressing Standalone Program


ZYXEL zloader v2.3.9 (07/21/2022 - 10:17:53)
ubi0: attaching mtd7
ubi0: scanning is finished
ubi0: attached mtd7 (name "ubi", size 64 MiB)
ubi0: PEB size: 262144 bytes (256 KiB), LEB size: 253952 bytes
ubi0: min./max. I/O unit sizes: 4096/4096, sub-page size 4096
ubi0: VID header offset: 4096 (aligned 4096), data offset: 8192
ubi0: good PEBs: 256, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 11/8, WL threshold: 4096, image sequence number: 1821966369
ubi0: available PEBs: 0, total reserved PEBs: 256, PEBs reserved for bad PEB handling: 38
Reading from volume 'zyfwinfo' to 0x7fb34590, size 0x100 ... *** Cannot find volume 'zyfwinfo' ***
ubi0: detaching mtd7
ubi0: mtd7 is detached
Cannot get seq_num from rootfs0
ubi0: attaching mtd8
ubi0: scanning is finished
ubi0: attached mtd8 (name "ubi2", size 64 MiB)
ubi0: PEB size: 262144 bytes (256 KiB), LEB size: 253952 bytes
ubi0: min./max. I/O unit sizes: 4096/4096, sub-page size 4096
ubi0: VID header offset: 4096 (aligned 4096), data offset: 8192
ubi0: good PEBs: 256, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 4/4, WL threshold: 4096, image sequence number: 1653515731
ubi0: available PEBs: 214, total reserved PEBs: 42, PEBs reserved for bad PEB handling: 38
Reading from volume 'zyfwinfo' to 0x7fb35610, size 0x100 ... *** Cannot find volume 'zyfwinfo' ***
ubi0: detaching mtd8
ubi0: mtd8 is detached
Cannot get seq_num from rootfs1
Current bootflag is 0
BOARD_DETECT_BY_GPIO=>result=0
ubi0: attaching mtd7
ubi0: scanning is finished
ubi0: attached mtd7 (name "ubi", size 64 MiB)
ubi0: PEB size: 262144 bytes (256 KiB), LEB size: 253952 bytes
ubi0: min./max. I/O unit sizes: 4096/4096, sub-page size 4096
ubi0: VID header offset: 4096 (aligned 4096), data offset: 8192
ubi0: good PEBs: 256, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 11/8, WL threshold: 4096, image sequence number: 1821966369
ubi0: available PEBs: 0, total reserved PEBs: 256, PEBs reserved for bad PEB handling: 38
Reading from volume 'zyfwinfo' to 0x7fb34590, size 0x100 ... *** Cannot find volume 'zyfwinfo' ***
ubi0: detaching mtd7
ubi0: mtd7 is detached
Multiboot clinent version: 2.7

Hit any key to stop autoboot:  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  5  ....4  4  4

Multiboot server is available for download firmware image!
Be patient, it should be finish in 12 minutes...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
RAS: download to address 0x0000000046000000, size=43991592

!!! Firmware download success !!!
Verified checksum of ras image successfully
Verified blocksize successfully
Current bootflag is 0!
ubi0: attaching mtd8
ubi0: scanning is finished
ubi0: attached mtd8 (name "ubi2", size 64 MiB)
ubi0: PEB size: 262144 bytes (256 KiB), LEB size: 253952 bytes
ubi0: min./max. I/O unit sizes: 4096/4096, sub-page size 4096
ubi0: VID header offset: 4096 (aligned 4096), data offset: 8192
ubi0: good PEBs: 256, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 4/4, WL threshold: 4096, image sequence number: 1653515731
ubi0: available PEBs: 214, total reserved PEBs: 42, PEBs reserved for bad PEB handling: 38
Updating volume 'kernel' from 0x46000800, size 0x39cddc ... OK
Updating volume 'rootfs' from 0x4639d800, size 0x2648000 ... OK
Updating volume 'zyfwinfo' from 0x489f3400, size 0x100 ... OK
Updating volume 'zydefault' from 0x489e5a00, size 0xd6b7 ... OK
ubi0: detaching mtd8
ubi0: mtd8 is detached

Succeed to writing 43991592 bytes data into partition ubi2

!!! Firmware upgrade success !!!

!!! Force doing reset to default !!!
ubi0: attaching mtd9
ubi0: scanning is finished
ubi0: attached mtd9 (name "zyubi", size 346 MiB)
ubi0: PEB size: 262144 bytes (256 KiB), LEB size: 253952 bytes
ubi0: min./max. I/O unit sizes: 4096/4096, sub-page size 4096
ubi0: VID header offset: 4096 (aligned 4096), data offset: 8192
ubi0: good PEBs: 1386, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 6/4, WL threshold: 4096, image sequence number: 721642446
ubi0: available PEBs: 1344, total reserved PEBs: 42, PEBs reserved for bad PEB handling: 38
data partition does not exist
ubi0: detaching mtd9
ubi0: mtd9 is detached
ubi0: attaching mtd9
ubi0: scanning is finished
ubi0: attached mtd9 (name "zyubi", size 346 MiB)
ubi0: PEB size: 262144 bytes (256 KiB), LEB size: 253952 bytes
ubi0: min./max. I/O unit sizes: 4096/4096, sub-page size 4096
ubi0: VID header offset: 4096 (aligned 4096), data offset: 8192
ubi0: good PEBs: 1386, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 6/4, WL threshold: 4096, image sequence number: 721642446
ubi0: available PEBs: 1344, total reserved PEBs: 42, PEBs reserved for bad PEB handling: 38
misc partition does not exist

Update engineer debug flag!
'spi-nand0' is now active device
Reading from 0x180000 to 0x1bffff, size 0x40000 ...
Succeeded
Saving Environment to MTD... Erasing on MTD device 'nmbm0'... OK
Writing to MTD device 'nmbm0'... OK
OK
ubi0: detaching mtd9
ubi0: mtd9 is detached
ubi0: attaching mtd8
ubi0: scanning is finished
ubi0: attached mtd8 (name "ubi2", size 64 MiB)
ubi0: PEB size: 262144 bytes (256 KiB), LEB size: 253952 bytes
ubi0: min./max. I/O unit sizes: 4096/4096, sub-page size 4096
ubi0: VID header offset: 4096 (aligned 4096), data offset: 8192
ubi0: good PEBs: 256, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 5, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 5/4, WL threshold: 4096, image sequence number: 1653515731
ubi0: available PEBs: 0, total reserved PEBs: 256, PEBs reserved for bad PEB handling: 38
Reading from volume 'zyfwinfo' to 0x7fb8b4d0, size 0x100 ... OK
ubi0: detaching mtd8
ubi0: mtd8 is detached
Reset your board! system halt...

I did overwrite the passwords such that

ZHAL> ATCK
supervisor password: supervisor
admin password     : supervisor
WiFi PSK key       : supervisor

Yet, when the firmware boots:

OpenWrt login: supervisor
Password: 
Login incorrect
OpenWrt login: root
Login incorrect

Given the missing information in the ATSH output and the "Cannot find volume 'zyfwinfo'" message, I suspect that I am in some sort of inconsistent state…

@frollic you were correct, there is no output when running zycast, so without serial we are flying blind…

This was an initramfs image?

I haven't looked at the OEM images for EX5601-T0, but I assume they are similar to those I'm looking at. If so, then they are almost standard OpenWrt sysupgrade-tar images. The required differences are:

  • "zyfwinfo" file is required and must be valid. Valid means that the checksums and file sizes must match the "kernel" and "root" files
  • "root" file is required, but can be anything down to a single 0 byte. Empty or missing does not work
  • additional "zyfwinfo" field in the appended JSON metadata. The original reflects the "zyfwinfo" file contents, but by experimenting I've found that only "model_id" and "blocksize" are required

The image may contain other files, like "zydefault", but these are not required. The JSON metadata may also contain other fields, like "signature", but these are not required.

You can inspect the JSON metadata of the OEM images using fwtool (from your staging_dir/host/bin for example). This is one example:

$ ./fwtool -i - V670ACQQ0b4.bin | jq .
{
  "metadata_version": "1.1",
  "compat_version": "1.0",
  "supported_devices": [
    "mediatek,mt7988d-dsa-10g-spim-snand-we4600-01"
  ],
  "version": {
    "dist": "OpenWrt",
    "version": "21.02-SNAPSHOT",
    "revision": "r17719-3db5ad6580",
    "target": "mediatek/we460001",
    "board": "we4600-01-secure"
  },
  "zyfwinfo": {
    "product_name": "WE4600-01",
    "model_id": "4A56",
    "fw_ver": "V6.70(ACQQ.0)b4",
    "extfw_ver": "V6.70(ACQQ.0)b4",
    "build_date": "11/04/2025",
    "build_time": "00:29:31",
    "kernel_chksum": "0x08cd",
    "rootfs_chksum": "0x3032",
    "blocksize": "256kB"
  },
  "signature": "4abfbe9346581f6a8b10578a3eab6775f4372f994c97255e4343d6afbd00f178a371e266f89b76a8c9266c6ce4966e7fc8960dd8735511c8144d9e3bcb9672e565c2ab7c36e389654bebaa050bed6e632756b9b8b202af8ba0db9a51f5bf7663b035c9127d6e238b743372ea743e867f4d08af66ae8489eadb80cc9884525f6d4617d6e60f691a91ec665d99926a92ca440145167868d7771d9f093cbcf2494e30c615334e96798e144e12de353a024561a8a40ce8d49d83bb831ad2ddf1bd13f30177ed1bda2392271a664a8147a9631696605abf69105aec9bf76f87af7497aa7232cee19b52c2f605b745b866f88d70b1889ef003c0df0217dab9115660b9"
}

This is a shell function I made to recreate the "zyfwinfo" struct before I realized that I can get away with something simpler:

zyfwinfo_json() {
	# Read the first 128 bytes of a zyfwinfo blob from stdin into v0..v127,
	# one two-digit hex string per byte.
	i=0
	for b in $(hexdump -v -n 128 -e '1/1 "%02x "'); do
		eval v$i=$b
		i=$((i+1))
	done

	# _str OFFSET LEN: print the NUL-terminated string stored at byte OFFSET.
	_str() {
		for i in $(seq $1 $(($1 + $2 - 1))); do
			eval val=\$v$i
			[ "$val" = "00" ] && break
			/bin/echo -ne "\x$val"
		done
	}

	# Magic "EXYZ" at offset 0; anything else is not a zyfwinfo block.
	[ "$(_str 0 4)" = "EXYZ" ] || { echo '{}'; return 0; }
	# Bytes 116..119 carry one hex digit each (04 0a 05 04 -> "4A54").
	modelid=$(echo $v116$v117$v118$v119 | sed -e 's,^0\(.\)0\(.\)0\(.\)0\(.\),\1\2\3\4,' | tr '[a-f]' '[A-F]')
	echo -n "{ \"product_name\": \"$(_str 20 32)\", "
	echo -n "\"model_id\": \"${modelid}\", "
	echo -n "\"fw_ver\": \"$(_str 52 30)\", "
	echo -n "\"extfw_ver\": \"$(_str 82 30)\", "
	# Date and time bytes are BCD: the hex digits are the decimal digits.
	echo -n "\"build_date\": \"$v13/$v14/$v15$v16\", "
	echo -n "\"build_time\": \"$v17:$v18:$v19\", "
	# 16-bit little-endian values: print the high byte first.
	echo -n "\"kernel_chksum\": \"0x$v113$v112\", "
	echo -n "\"rootfs_chksum\": \"0x$v115$v114\", "
	echo -n "\"blocksize\": \"$((0x$v9$v8))kB\" }"
}

But it is useful for dumping "zyfwinfo" files:

$ tar Oxf V670ACQQ0b4.bin sysupgrade-we4600-01-secure/zyfwinfo | zyfwinfo_json|jq .
{
  "product_name": "WE4600-01",
  "model_id": "4A56",
  "fw_ver": "V6.70(ACQQ.0)b4",
  "extfw_ver": "V6.70(ACQQ.0)b4",
  "build_date": "11/04/2025",
  "build_time": "00:29:31",
  "kernel_chksum": "0x08cd",
  "rootfs_chksum": "0x257a",
  "blocksize": "256kB"
}

But do note how the rootfs checksum differs between those two! That's how I understood that this isn't checked after all. The "blocksize" is though. And the "model_id" must match, or it will be updated! The number is the same you'll find in other places, like in the beginning of the "FeatureBits". It will be different on EX5601-T0. I have this

root@OpenWrt:~# fw_printenv FeatureBits
FeatureBits=040A0506ffffffff0000000000000000ffffffffffffffffffffffffa2f7
1 Like
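As an added example (not code from this thread, from bmork's zyfwinfo.sh or from OpenWrt), the same zyfwinfo layout the shell function above decodes, written in Python so the fields can be compared against the appended JSON metadata. It also applies the model-id rule from the post above (the first four bytes of "FeatureBits", one hex digit each) and checks the two metadata fields the post found to be required. Bytes 4..7 and 10..12 of the struct are not described in the thread and are left zero in the constructed sample; the checksum algorithm is not known here either, so the checksum fields are passed through rather than recomputed.

```python
"""Parse a Zyxel zyfwinfo block, derive the model id, and check image metadata.

Added example; it is not code from this thread, from bmork's zyfwinfo.sh or
from OpenWrt. Byte offsets follow the shell function posted in the thread.
Bytes 4..7 and 10..12 are not described there and stay zero in the sample;
the checksum algorithm is unknown here, so checksums are passed through.
"""
import json
import re
import struct

ZYFWINFO_MAGIC = b"EXYZ"
ZYFWINFO_SIZE = 128


def _cstr(buf: bytes, off: int, length: int) -> str:
    """NUL-terminated ASCII string stored at buf[off:off + length]."""
    return buf[off:off + length].split(b"\x00", 1)[0].decode("ascii", "replace")


def _bcd(b: int) -> str:
    """Date/time bytes are BCD: byte 0x25 prints as the digits '25'."""
    return f"{b:02x}"


def _nibbles_to_model_id(four: bytes) -> str:
    """04 0a 05 06 -> '4A56': each byte carries one hex digit in its low nibble."""
    if len(four) != 4 or any(b & 0xF0 for b in four):
        raise ValueError(f"unexpected model id bytes {four.hex()}")
    return "".join(f"{b & 0x0F:X}" for b in four)


def parse_zyfwinfo(buf: bytes) -> dict:
    """Return the same fields the zyfwinfo_json shell function prints."""
    if len(buf) < ZYFWINFO_SIZE or buf[:4] != ZYFWINFO_MAGIC:
        raise ValueError("not a zyfwinfo block (missing EXYZ magic)")
    (blocksize_kb,) = struct.unpack_from("<H", buf, 8)                 # little-endian
    kernel_chksum, rootfs_chksum = struct.unpack_from("<HH", buf, 112)
    return {
        "product_name": _cstr(buf, 20, 32),
        "model_id": _nibbles_to_model_id(buf[116:120]),
        "fw_ver": _cstr(buf, 52, 30),
        "extfw_ver": _cstr(buf, 82, 30),
        "build_date": f"{_bcd(buf[13])}/{_bcd(buf[14])}/{_bcd(buf[15])}{_bcd(buf[16])}",
        "build_time": f"{_bcd(buf[17])}:{_bcd(buf[18])}:{_bcd(buf[19])}",
        "kernel_chksum": f"0x{kernel_chksum:04x}",
        "rootfs_chksum": f"0x{rootfs_chksum:04x}",
        "blocksize": f"{blocksize_kb}kB",
    }


def model_id_from_featurebits(featurebits: str) -> str:
    """Model id from the first four FeatureBits bytes.

    Accepts the fw_printenv value ('040A0506ffff...') or the hex words of the
    ATSH 'Other Feature Bits' dump without the leading address.
    """
    hexdigits = "".join(featurebits.split())
    return _nibbles_to_model_id(bytes.fromhex(hexdigits[:8]))


def check_metadata(metadata: dict, device_model_id: str) -> list:
    """Problems in the appended JSON metadata (empty list means none found).

    Per the thread only "model_id" and "blocksize" inside "zyfwinfo" are needed,
    and a model id that differs from the device's gets rewritten by zloader.
    """
    zy = metadata.get("zyfwinfo")
    if not isinstance(zy, dict):
        return ['metadata has no "zyfwinfo" object']
    problems = [f'"zyfwinfo" metadata lacks "{k}"' for k in ("model_id", "blocksize") if k not in zy]
    if "model_id" in zy and zy["model_id"] != device_model_id:
        problems.append(f"model_id {zy['model_id']} differs from device {device_model_id}; zloader would rewrite it")
    if "blocksize" in zy and not re.fullmatch(r"\d+kB", str(zy["blocksize"])):
        problems.append(f"blocksize {zy['blocksize']!r} is not in the %dkB form zloader parses")
    return problems


def build_zyfwinfo_sample() -> bytes:
    """Constructed 128-byte zyfwinfo using the WE4600-01 values quoted in the thread."""
    buf = bytearray(ZYFWINFO_SIZE)
    buf[0:4] = ZYFWINFO_MAGIC
    struct.pack_into("<H", buf, 8, 256)                      # blocksize 256kB
    buf[13:17] = bytes([0x11, 0x04, 0x20, 0x25])             # build date 11/04/2025 (BCD)
    buf[17:20] = bytes([0x00, 0x29, 0x31])                   # build time 00:29:31 (BCD)
    buf[20:29] = b"WE4600-01"
    buf[52:67] = b"V6.70(ACQQ.0)b4"
    buf[82:97] = b"V6.70(ACQQ.0)b4"
    struct.pack_into("<HH", buf, 112, 0x08CD, 0x257A)        # kernel / rootfs checksums
    buf[116:120] = bytes([0x04, 0x0A, 0x05, 0x06])           # model id nibbles -> 4A56
    return bytes(buf)


if __name__ == "__main__":
    info = parse_zyfwinfo(build_zyfwinfo_sample())
    print(json.dumps(info, indent=2))
    device = model_id_from_featurebits("040A0506ffffffff0000000000000000ffffffffffffffffffffffffa2f7")
    print("device model id:", device)
    meta = {"zyfwinfo": {"model_id": info["model_id"], "blocksize": info["blocksize"]}}
    print("metadata problems:", check_metadata(meta, device))
```

To run it on a real file, feed `tar Oxf image.bin sysupgrade-*/zyfwinfo` into `parse_zyfwinfo` and the `fwtool -i -` JSON into `check_metadata`, with the device id taken from `fw_printenv FeatureBits` on the target.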

Thanks, and yes, I verified just now with initramfs from both 24.10 and 23.05 and they fail verification.

I’m not a software engineer but wonder if it would be possible to extract the default zyxel firmware, enable ssh, repack it and then push this with zycast to the device to automatically enable ssh at boot? That would make it easier to get access to the device to then proceed with installing OpenWrt.

I’m not sure I like the zycast ‘feature’ in these routers. I guess you need another machine on the local network to execute it but still feels like a security problem.

It might be possible to push a modified OEM image, but then you could just as well push a specially crafted OpenWrt image. I suggest using an initramfs kernel for this to make it as simple as possible. It will need to be wrapped in a sysupgrade-tar along with a dummy rootfs and a zyfwinfo file. And probably some of the extra zyfwinfo json metadata too. At least that was required on the EE4600.

As for the security: you need a reset in addition to the direct Ethernet connection. And the device must be hard reset again after flashing. And there is no network feedback so you can't know if you succeeded without seeing the LEDs. Or console. But yes, it is vulnerable to attacks from devices on the same lan on every boot.

Yes that is true, may as well send an OpenWrt image directly. I may do some experimenting over the Xmas break. Is it correct that it will only work on a stock device and not one that has uboot replaced?

I believe the zloader application implements this feature, and that's not part of the replacement uboot

I’ve run ‘binwalk -e’ on a backup of the EX5601 zloader partition. When I run ‘strings’ on the extracted file it shows the output below. It looks like there are quite a few commands available in zloader and it may be possible to directly flash a ras image using the ATUR command.

I have a few T56s at my parents in the Netherlands and hope that one of those still has mtk-uartboot capabilities. If so I’ll do some investigating and experimenting.

Supervisor : Password decryption failed
Password:
Wrong password!
Enter wrong password 3 times!
Correct password!
ZYXEL zloader v%s.%d (%s - %s)
!!! U-Boot ABI version(%d) incorrect, it may cause system crash !!!
supervisor
!!! Unknown product name of this board !!!
!!! Fail to booting kernel !!!
Hit any key to stop autoboot:%3d
%3lu
raise: Signal # %d caught
ATER
x,y       erase flash from offset x whith length y
ATRF
x,y,z     read data flash to ram(x=flash offset, y=len, z=ram address)
ATWF
x,y,z     write data from RAM to flash(x=flash offset, y=len, z=ram address)
ATDS
x,y       dump data of spare area in page y of block x
ATUR
[y:]x     upgrade RAS image (x=file name, y=host ip)
ATUB
[y:]x     upgrade ZLD image (x=file name, y=host ip)
ATUD
[y:]x     upgrade ROMD image (x=file name, y=host ip)
ATUM
[y:]x     upgrade ROMFILE image (x=file name, y=host ip)
ATCD
          erase RomD partition
ATCM
          erase ROMFILE partition
ATCR
          erase data partition
ATCMISC
          erase misc partition
ATCMP
x,y,z     compare two memory space x and y with length is z
ATDU
x,y       dump memory or registers(x=ram address, y=length)
ATWW
x,y,z     set memory or registers(x=address, y=value, z=len)
ATRT
[x,y,z,u] ATRT RAM read/write test (x=level, y=start addr, z=end addr, u=iterations
ATCB
          copy from FLASH to working buffer
ATSB
          save working buffer to FLASH
ATWM
x         set MAC address in working buffer
ATWZ
x,y,z,u,v set zyxel MAC address, Country code, EngDbgFlag, FeatureBit and MAC number to FLASH
ATSH
          dump manufacturer related data in ROM
ATCO
x         set country code in working buffer
ATSN
x         set serial number to FLASH
ATCK
[x,y,z]   show, write or reset psk, admin and supervisor key
ATBT
x         block0 write enable (1=enable, 0=disable)
ATEN
x[,y]     set BootExtension Debug Flag (y=password)
ATSE
x         show the seed of password generator
ATDC
          disable check model mechanism
ATSR
[x]       system reboot
ATGU
          go back to U-Boot command line mode
ATGO
          boot up whole system
ATLD
x,[y]     load file x to memory address y via TFTP
ATMB
[x,y]     upgrade firmware image by multiboot
ATSW
          swap boot image to another partition (must reboot to make it take effect)
ATLED
[x,y]     set LED (x=led no, y=blink mode(0(off)|1(on)|2(fast)|3(slow))
ATPIO
x,y[,z]   set GPIO (x={s|w|r}, y=pio num, z=write data)
ATD2
[x]       show or write D2 key
ATHE
          show command list
internal error
too many arguments
invalid argument
num of argument is incorrect
Can't write to protected Flash
MRD_CERT partition error
malloc fail
ROM-D partition error
MISC partition error
%02X%02X%02X%02X%02X%02X
%06X
Invalid input!
byte at 0x%08lx (%#0*lx) != btye at 0x%08lx (%#0*lx)
Total of %ld byte(s) were the same
lenght should be 1, 2 or 4!!
valid level range 0..%d
end address should be larger than start address
start:%p,end:%p
DRAMTest.. 
level %lu from 0x%p to 0x%p %lu iterations 
Iteration %lu: ...Testing...000000K
 ...FAIL
DRAM Test Fail at address 0x%p, read:0x%08lx, should:0x%08lx
%06zuK
 ...OK
Invalid input!(%d)
check: addr=0x%08lx, length=0x%08lx
check: buf=0x%p
ERROR
zflash %zu bytes read from 0x%llx: %s
zflash %zu bytes write to 0x%llx: %s
tftpboot %x %s
Auto reboot after 2 seconds
Fail to download %s
rom-d
romfile
Erase data partition error!
misc
Erase misc partition error!
Firmware Version       : %s
Int_Firmware Version   : %s
Bootbase Version       : V%s | %s %s
Vendor Name            : %s
Product Model          : %s
Serial Number          : %s
First MAC Address      : %02X%02X%02X%02X%02X%02X
Last MAC Address       : %06lX%06lX
MAC Address Quantity   : %02d
Default Country Code   : %02X
Boot Module Debug Flag : %02X
RootFS      Checksum   : %08lx
Kernel      Checksum   : %08lx
Main Feature Bits      : %02X
Other Feature Bits     : 
%8p:
length is not correct
reset
supervisor password: %s
admin password     : %s
WiFi PSK key       : %s
please run atse first
password is incorrect
flag is incorrect
disabled
enabled
Model ID check: %s
Unknown
ZyXEL Communications, Corp.
S090Y00000000
format of MAC number is incorrect
format of FeatureBit is incorrect
format of EngDbgFlag is incorrect
format of Country code is incorrect
format of MAC address is incorrect
A;93
Reboot after %d seconds
Wrong address 0x%08lX
tftpboot %s %s
tftpboot %s
OUTPUT
INPUT
HIGH
ATPIO: config GPIO %d to %s
ATPIO: set GPIO %d to %s
ATPIO: GPIO %d is %s
Length of D2 key must be %d
%s      %s
ZHAL> 
Invalid command!
parameter incorrect
Invalid command!use ATHE to check the command list!
Reset your board! system halt...
UUUU
ZZZZ
iiii
3333
RomD
RomFile
Multiboot server is available for download firmware image!
Be patient, it should be finish in %d minutes...
No file need to download, stop multiboot service!
!!!File size larger than partition size!!! FileFlag=0x%04X ID=%u FileLen=%u(%u)
!!!Too many sub packets per one file!!! FileFlag=0x%04X ID=%u FileLen=%u (should be under %u)
!!!File ID larger than expect MaxID, Redownload!!! FileFlag=0x%04X ID=%u
!!!Data Checksum Error!!! FileFlag=0x%04X ID=%u Checksum=0x%04X(0x%04X)
Multiboot clinent version: 2.9
eth_init failed!
%s: download to address 0x%p, size=%u
!!! Firmware download success !!!
!!! Fail to update ZLD firmware image !!!
!!! Fail to update RAS firmware image !!!
!!! Fail to update ROMD firmware image !!!
Select RomD passing to current config, do nothing
Flash ROMFILE to romfile partition succeed!!!
!!! Firmware upgrade success !!!
!!! Force doing reset to default !!!
Update conuntry code!
!!! Fail to update country code !!!
Update engineer debug flag!
Clear Rom-D partition!
!!! Fail to Clear ROMD firmware image !!!
!!! Taking too long time for receive packet, give up !!!
Memory space not enough to store firmware image! Needs %u bytes but only has %u.
tftpboot %lx %s
filesize
Failed to parse ras image
Failed to verify kernelChecksum
Failed to verify rootFSChecksum
Failed to verify zy_checksum
Verified checksum of ras image successfully
Failed to verify checksum of ras image
Magic number of metadata is incorrect
Version of metadata is incorrect
"model_id":
model id is not found
Verified model id successfully
FeatureBits
Change model id to %c%c%c%c
Failed to verify model id
"blocksize":
blocksize is not found
%dkB
Verified blocksize successfully
Failed to verify blocksize
rootfs_data
kernel
rootfs
zydefault
zydefault volume does not exist
zyfwinfo
zyubi
ubi part %s
ubi check %s
ubi remove %s
Erase mtd partition %s!
Error: Cannot attach ubi!
ubi create %s %zx dynamic
ubi write %lx %s %lx
Succeed to writing %zu bytes data into partition %s
Fail to write %zu bytes data into partition %s
ubi2
fileaddr
error !
Current bootflag is %d!
Upgrade firmware fail!
Failed to verify image
%s: addr=0x%lx, size=0x%lx
Verified magic number successfully
Fail to verify magic number
Verified zld header version successfully
Fail to verify zld header version
%X%X%X%X
Fail to verify model id
Verified checksum of zld header successfully
Fail to verify checksum of zld header
Fail to verify checksum of zld image
Verified checksum of zld image successfully
Upgrade bl2
Upgrade fip
Upgrade u-boot-env
u-boot-env
Upgrade zloader
zloader
Failed to verify zld.bin
Please be patient, start to upgrade %s!
The RomD size is %ld(%d), checksum is %x.
The ROMFILE size is %ld(%d), checksum is %x.
Cannot get zyfwinfo from %s
Current bootflag is %d
%s partition donot have zyfwinfo vol.
zld_swapBootImage: %s %d
cannot malloc memory
Fail to get zyfwinfo from %s.
Fail to update %s vol.
Fail to set zyfwinfo to %s.
Cannot set seq_num for partition %s
No legal image to boot
config-1
/chosen
Node not found
bootargs
bootargs in fdt not found
%s rootubi=%s
env set bootargs $(bootargs) %s
Error: failed to do %s!
VendorName
BOARD_DETECT_BY_GPIO=>result=%d
ProductName
SerialNumber
ethaddr
WpaPskKey
PSK : Password decryption failed
admin
Admin : Password decryption failed
nummacaddrs
countryCode
EngDebugFlag
FeatureBit
%06lX%06lX
%02x:%02x:%02x:%02x:%02x:%02x
factory
PSK : Password encryption failed
Admin : Password encryption failed
Supervisor : Password encryption failed
%s partition does not exist
Error: Cannot attach zyubi!
serverip
192.168.1.33
zld_ver
zld_date
zld_time
Incorrect Magic number in ZYFWINFO!
d2key
D2 key: %s
zld_upgradeZLD
zyled-green-pwr
zyled-red-pwr
zyled-green-inet
zyled-red-inet
zyled-amber-wps24g
zyled-green-fxs
zyled-green-lan
Uknown blinking mode %d!
Not support LED number %d on this board!
Blinking
LED%2d(%s): %s(%d)
%s,%d, ERROR!!! Please add a mapping table for new project!!!, result_value=0x%x
zyBoardDetectByGpio
10/04/2024
10:28:56
root@76f6cc279697
Input out of range
!',ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
%2hhx
%u%u%u
%06lX%02X%02X%02X
b0309ebbc0f05945ffaaf777fdcdfaa4394ca6eade02d4fa66f9507fe14d2081
792cfc177fce19c782938827be73f883
EX5601-T0
EX5600-T0
EX5601-T1
EX5600-T1
RESERVED
DETECT_ERR

Tested zyeng on another 5601 just now and I can confirm it works on a factory/isp limited bootloader. Will try to forge an OpenWRT image that can be zycasted or web upgraded over the holidays.

1 Like

This is WiP, nowhere near finished, and should not be used by anyone.

But in the interest of avoiding double work, and to hoping to get some early testing, feedback and improvements back, I decided to push it anyway:

This might not be the best solution. I've changed it several times already and I am not that happy with the result.... So please go ahead and make changes. And feel free to use or refuse whatever you want of it. It is meant as a basis for further work.

But I believe you can use the "add-zyfwinfo" build rule backed by the "zyfwinfo.sh" script directly if you want a quick test. Wouldn't be surprised if that created an installable "factory" image for the EX5601-T0 as it is. Or maybe with some minor tweaks.

Examples of how I use it are in here:

The argument to the "add-zyfwinfo" is the magic number Zyxel use to identify the device. You can pull it out of the OEM metadata, or from the "other feature bits" in ATSH, or from the "FeatureBits" ubootenv variable.

For example, if ATSH says:

Other Feature Bits :
420282b8: 040a0504 ffffffff 00000000 00000000
420282c8: ffffffff ffffffff ffffffff

Then the argument will be "4A54" (just strip away the leading 0s in each of the 4 first bytes).

And for anyone curious about the devices I try to add: This might never happen. Don't expect too much. Sorry

2 Likes
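The rule quoted above for turning the "Other Feature Bits" dump into the "add-zyfwinfo" argument, as an added example (not code from the post above or from the OpenWrt tree): it parses the ATSH hex-dump lines, takes the first 32-bit word, strips the leading zero from each of its four bytes and joins the result, giving "4A54" for the sample in the post. The function names and the small comparison helper against a mkzywinfo "-m" value (the 4a0b vs 4a01 mismatch reported further down) are my own, and the sample text is copied from the post.

```python
import re

# Constructed sample: the ATSH "Other Feature Bits" lines quoted in the post above.
SAMPLE_ATSH = """\
Other Feature Bits :
420282b8: 040a0504 ffffffff 00000000 00000000
420282c8: ffffffff ffffffff ffffffff
"""

HEXDUMP_LINE = re.compile(r"^\s*([0-9a-fA-F]{8}):((?:\s+[0-9a-fA-F]{8})+)\s*$")


def parse_hexdump_words(text):
    """Return the 32-bit words of an 'addr: w0 w1 w2 w3' dump, in address order.

    Lines that do not look like a hex dump (e.g. the 'Other Feature Bits :'
    header) are ignored, so the whole ATSH excerpt can be passed in as-is.
    """
    words = []
    for line in text.splitlines():
        m = HEXDUMP_LINE.match(line)
        if m:
            words.extend(m.group(2).split())
    return words


def feature_bits_to_magic(atsh_text):
    """Derive the add-zyfwinfo magic from the first word of the feature-bits dump.

    Each of the four bytes is printed as a hex number without leading zeros
    (04 -> '4', 0a -> 'A', 00 -> '0'), exactly the rule given in the post, and
    the four pieces are concatenated.
    """
    words = parse_hexdump_words(atsh_text)
    if not words:
        raise ValueError("no hex dump lines found in input")
    first_word = bytes.fromhex(words[0])          # e.g. b'\x04\x0a\x05\x04'
    return "".join(f"{b:X}" for b in first_word)  # '04 0a 05 04' -> '4A54'


def magic_matches(atsh_magic, mkzywinfo_arg):
    """Compare the magic derived from ATSH with the value given to mkzywinfo -m.

    Both sides are parsed as hex so '4A54' and '0x4a54' compare equal, while a
    mismatch such as '4A0B' vs '0x4a01' is reported as False.
    """
    return int(atsh_magic, 16) == int(mkzywinfo_arg, 16)


if __name__ == "__main__":
    magic = feature_bits_to_magic(SAMPLE_ATSH)
    print("add-zyfwinfo argument:", magic)
    print("matches -m 0x4a54:", magic_matches(magic, "0x4a54"))
```

Paste the three ATSH lines (header included) into the function; the header line is skipped and only the first word of the first dump line is used, which is where the magic lives.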

Thanks for your work on this @bmork. I’ve tried zyeng on a couple of T56 routers and that works as expected and allows me to interrupt the boot process and drop into a ZHAL shell, which is great.

Unfortunately I can’t get zycast to work yet on the T56 routers. When I try zycast with a factory firmware it fails.

./zycast -c EE4600 -i enp0s31f6 -f V570ACDZ4.3C0.tar

This is the end of the resulting error message:

RAS: download to address 0x0000000046000000, size=48180283

!!! Firmware download success !!!
zld_verify_signature-[Info]: checksum-algorithm sha256 for rsa2048!
rootfs signature verification of upgrading image failed
Failed to verify image

!!! Fail to update RAS firmware image !!!
Reset your board! system halt...

When I check the feature bits from ZHAL and the data in the zyxel firmware they are different:

4a0b vs 4a01

Not sure if that is the reason it does not work. I’m going to try to change zyfwinfo and see if that makes zycast work.

Extracting the factory firmware, hexedit of zyfwinfo and re-packaging the factory firmware does not work unfortunately. It complains about a checksum error.

#####################++++++++
RAS: download to address 0x0000000046000000, size=48179200

!!! Firmware download success !!!
Failed to verify zy_checksum
Failed to verify image

!!! Fail to update RAS firmware image !!!
Reset your board! system halt...

I’ll try again but with the mkzywinfo utility instead.

I've created a new zyfwinfo file using the following command with the kernel and root files from the factory firmware.

./mkzywinfo -p 'EX5601-T0' -s 'V5.70(ACDZ.4.3)C0' -k kernel -r root -m 0x4a0b

I've re-packaged the upgrade file and started zycast:

./zycast -c EE4600 -i enp0s31f6 -f upgrade.tar

But unfortunately it still gives an error:

#################++++++++++++
RAS: download to address 0x0000000046000000, size=48179200

!!! Firmware download success !!!
zld_verify_signature-[Info]: checksum-algorithm sha256 for rsa2048!
rootfs signature verification of upgrading image failed
Failed to verify image

!!! Fail to update RAS firmware image !!!
Reset your board! system halt...

Not sure if I'm doing something wrong or if the T56 has stronger firmware checks but unfortunately I can't get zycast to work on this router. Maybe someone else has any ideas what to try / do? It would be nice to have an install method without the need to open the case.

Maybe the install verification is stronger than the devices I've tested? They have signed kernels with a verity root hash included, so the root file system is immutable.

Is this test with the real thing from Zyxel, or is the rootfs modified? Maybe try removing the signature blob from the json metadata? This was not required by my devices. If we're lucky then it's only validated if present.

The tests were all done with original kernel and rootfs extracted from the factory firmware file. I'll do some more testing later this week.

Hi, I have had a T56 since May. I started it and left it, then I came back to it recently. It’s still on T56C_b8_1108. After editing app.maintence.js and refreshing the page, only two of the services showed up. Anyone with a solution? Please help.

You can still convert it to OpenWrt if you use a serial connection. A blocked mtk-uartboot makes it a bit more difficult but not impossible.