One observation: The ISP-branded EX5601 units I have are running ACEE firmware while the Zyxel factory firmware is ACDZ.
After running zyeng and disabling the fwid and model checks, I can cross-flash using the GUI. If I attempt to flash ACDZ1CO, it fails with the same error message as ACDZ0C0 no-brand from hack-gpon or any of the OpenWRT firmwares: "image upload failed. The selected file is an illegal image", and "signature is not found" in my terminal. ACDZ2.1C0 is the oldest version that flashes correctly.
Inspecting the aforementioned firmwares with fwtool confirms that the older stock firmware does not contain a signature element like the newer 2.1. Cloned your repo now, added the relevant parts to the ex5601 definition, including the magic bytes based on output from ATSH, and attempting to compile now.
1108 should not be a problem using the normal instructions; I used Opera with success.
Guys, any workaround for the new bootloader?
NOTICE: BL2: v2.6(release):181de89f
NOTICE: BL2: Built : 11:51:33, Mar 7 2025
mtk_uartboot hangs on handshake and it boots to OS
Subject: Issue Extracting Supervisor Password from V5.70(ACDZ.4.3)C0 Firmware on EX5601-T0 Samples
I have two EX5601-T0 samples from the Italian ISP WindTre.
I successfully de-branded both by installing the stock firmware from Zyxel.
- One sample has the firmware version V5.70(ACDZ.3.2)C0
- The other sample has the firmware version V5.70(ACDZ.4.3)C0
Now, I need to read the supervisor password.
To do it, I followed just these steps provided by @carlicious (only these 4 commands, without serial adapter):
- ssh admin@192.168.1.1
- sys atsh
- sys atwz First MAC Address 0 1
- sys atck
For the sample with V5.70(ACDZ.3.2)C0, this procedure worked as expected, and I was able to retrieve the supervisor password.
For the sample with V5.70(ACDZ.4.3)C0, the procedure failed, and I was unable to extract the supervisor password.
I examined the attached results and noticed that the bootbase version remains the same (v2.3), but the boot module debug flag has changed.
Question: Is there a new procedure or method to extract the supervisor password from the V5.70(ACDZ.4.3)C0 firmware sample?
Can anyone help me please?
Thank you for confirming they're usable. I've been suspecting it for over a year, but there haven't been any reports of them working with OpenWrt.
You can probably still use serial for flashing.
My friend tried with a USB serial adapter, but he cannot read the supervisor password.
If you have serial, you don't need it.
Right now, my priority is executing the zycli commands:
- zycli fwidcheck off
- zycli modelcheck off
on the sample with V5.70(ACDZ.4.3)C0 firmware, in order to update the stock firmware from V5.70(ACDZ.4.3)C0 to 5.70(ACDZ.5)C0.
With the V5.70(ACDZ.4.3)C0 fw, "ssh admin@192.168.1.1 + admin passwd" does not permit running the commands.
I need "ssh supervisor@192.168.1.1 + supervisor passwd" to run zycli commands.
Or I need to downgrade V5.70(ACDZ.4.3)C0 --> V5.70(ACDZ.3.2)C0 to read the supervisor passwd.
Any ideas?
Nope.
I used mtk_uartboot as described on the T-56 wiki page, never looked at whatever it was running when it came from Wifilinks.
Just want to say thanks. With this clear set of instructions, I managed to salvage my EX5601-T0 (non T-56) OpenWRT installation process. I had tried to flash the factory image directly from Zyxel interface originally, which might have messed something up, but with these instructions, I conquered the problem eventually. Now it remains to be seen what works and how well.
@NeroManto If you have serial you should still be able to extract the info you are after, but it takes a bit more effort. You need to compile and run zyeng developed by bmork (see link below). Once you have run zyeng you can use serial to interrupt the boot process and drop into a ZHAL shell. The command ATHE will show all the available options in the ZHAL shell. In the list is a command which will print the supervisor details. (Sorry, can't remember the exact command off the top of my head.)
I have managed to flash a couple T56 / EX5601s where mtk_uartboot was blocked using the process outlined below. I've not kept any details of bootloader versions so can't promise it works for your case.
Requirements: T56 / EX5601, serial connection, TFTP server, Linux machine which can compile and run zyeng.
First go to bmork's github and download the zyxel-hacks code. Find the zyeng utility and compile it. This utility is able to unlock the zyxel loader by setting the debug flag over ethernet.
Open the router and connect serial. Open a terminal and start picocom / minicom to monitor serial / UART. Connect an ethernet cable between your computer and a (1Gb) lan port on the router. Open a 2nd terminal and run 'zyeng' using the correct ethernet port name of your machine. Power on the router and monitor the serial log. Sometimes it may crash or it will boot as normal. After around 30 seconds or so zyeng should be done and the router can be powered off.
Go to the 2nd terminal and kill the zyeng process. Go to the 1st terminal running the serial process. Power on the router and keep hammering the space bar to interrupt the boot process. If zyeng was successful you should now end up with a ZHAL shell. If not you will have to redo the zyeng process again.
In the ZHAL shell you type ATGU to unlock uboot. This will reset the device so you need to immediately start hammering the space bar again to interrupt the bootloader. After the 1st time you still end up in ZHAL. Type ATGU a 2nd time and you should drop into mediatek uboot shell.
'help' will show all the available uboot commands and 'printenv' will show the values of the environment variables. Check the serverip value and adjust it if needed to match your tftp server. If you ping the tftp server ip address from uboot it should respond with alive otherwise something is wrong.
You can now place an openwrt initramfs file in your tftp server. I've only used the uboot-mod version but it should in theory also work with the factory version. In the uboot shell you can download the file using tftp to RAM: tftpboot 'openwrt-initramfs-file'. Once the file has been downloaded it should show the start address in RAM (something like 0x46000000). In uboot type bootm 0x46000000 to start booting the OpenWrt initramfs file.
OpenWrt will start and run from RAM. If you run the uboot-mod version you will now have to follow the mtk-uartboot instructions to clear the different partitions and flash the new uboot and related files. Once that is all done you do a sysupgrade to install to flash. I have no experience with the factory version so don't know the exact steps. I think you can just directly run sysupgrade from initramfs but it would be good to have someone else confirm this.
I hope it is all clear but let me know if you have any questions.
@konus
Thanks for the tip, but I assume one needs to be able to compile the script using Linux; I was hoping for something simpler!
And in any case, the procedure for compiling the script is not clear to me.
cc zyeng.c, will produce an a.out binary.
Thanks for your help...
but I think I will need a step-by-step guide if there is a risk of bricking or damaging the router.
There are lots of Linux live distributions around which allow you to run Linux from a USB stick and don't touch your normal operating system.
Compiling zyeng is as easy as:
gcc zyeng.c -o zyeng
In any case I will need a "Serial UART to USB adapter", right?
Can you suggest one?
Any capable of running at 3.3 V will do.
Ones coming with wires are easier to use.
