Adding OpenWrt support for Zyxel EX5601-T0

If I use the router's power adapter I do not need 3.3V, right?

But I would like to know if this procedure is risky or not; I only want to read the supervisor password, nothing else.
I suppose the script will read and not write to the flash, right?

If you already own a raspberry pi you could use that instead.

You only connect 3 wires: rx tx and ground. Some devices use different serial / UART voltages: 1.8V 3.3V or 5V. This router uses 3.3V so your USB serial adapter also needs to be 3.3V otherwise it won't work and may cause damage.

The voltage coming from the router is also 3.3V.

The serial connection itself isn't; the supervisor password thing, I have no idea.

Can we change this efuse which disables mtk_uartboot?

Hi guys,

I’m using a USB-TTL serial adapter to access my router. I opened the router and followed this procedure to read the supervisor password:

The procedure involves unlocking Zloader and dumping the supervisor password.

During the boot process, I see the message:

“Please press Enter to activate this console.”
(15 sec after the kernel is started)

I press Enter, then type root and press Enter again, but I don’t get full root access.
Instead, I only get “login incorrect”, as shown in the attached images (18 sec after the kernel is started).

Am I missing the correct timing? Do I need to be faster when pressing Enter and typing root, or is there something else I’m doing wrong?

The interesting part is in the beginning.

Don't post screen shots, post text.

Use </> button to make it post unformatted.

I'm not sure if that method still works since multiple Zyxel / ISP firmware updates have been released since. The easiest method to achieve an unlocked zhal shell is to compile and run zyeng.

Can you please explain how to run zyeng?
Is zyeng free of risks? Will it only read?

zyeng only sets the debug flag, so it does write to the router but does not make any changes to the rest of the firmware. I don't know if zyeng will work from Windows, so it is best to use a Linux machine. You can download the code from bmork's GitHub page. Download the files, find zyeng.c and compile it:

gcc zyeng.c -o zyeng

Next you need to find the name of the network adapter on your Linux PC. If you type the command ip a it will show all the network adapters on your machine. The exact name will depend on the Linux distribution and hardware in your PC. Connect an ethernet cable between your PC and one of the 1G LAN ports on the router. Start zyeng as follows:

./zyeng eth0

but replace eth0 with the correct name of the network interface of your PC.

Once zyeng is running you can power on the router. It will start booting, and zyeng will do its magic and set the debug flag on the router. Let the router sit for a bit (30s or so) and then power it off. Stop the zyeng process by typing Ctrl + C in the terminal.

Connect your serial adapter and start minicom / picocom. Power on the router and start pressing the space bar to interrupt the boot process. In your terminal you should end up with a zhal shell.


Are you interested in keeping stock firmware?

If not, simply follow the T-56 guide; you already have serial up and running.

@konus
If I understood correctly, to run zyeng I only need the LAN cable connected to a 1 Gbps LAN port, not the serial cable, right?

@frollic I prefer to maintain the stock firmware.

Yes, the zyeng process works via the ethernet cable. It does not matter if serial is connected or not.

@konus
thank you for your help... I will try

Do we need to set the IP config for eth on the PC?

There is no need to do any configuration of the interface before running zyeng.

I don't know the details but as far as I understand it zyeng will create a special package and just transmit it on the interface. When the router boots zyloader receives the package and enables the debug flag.

In theory zyeng doesn't need any local IP config. But Linux will do normal route processing even if the result is discarded later. And this fails unless there is a route matching the 225.0.0.0 destination address. Most systems will have a default route and get away with that. But if you run zyeng on a dedicated system without any other networking then you might have to add that route. Somewhere. Doesn't matter where. Could even be loopback.

I guess the tool could have done that for you. But it doesn't. Or maybe I should set SO_DONTROUTE or some other magic option... Probably won't change this. It's an obscure problem and easy enough to work around by temporarily adding a route.

EDIT: The simple solution is dropping connect() and using sendto() instead of send(). This works without any routes. And makes sense since it simplifies the code. But I'm considering making the "zyeng" a simple option for "zycast" instead. After all it's just a special case and a separate tool is overkill for such a simple thing.

Can anyone share any of the branded firmware for this device? Trying to build a small repository.

@konus

I connected an ethernet cable between the PC and a 1G LAN port on the router and started zyeng, but the network is unreachable:

alessandro@NUC:~/Scrivania/ex5601$ ./zyeng eno1
Network is unreachable
alessandro@NUC:~/Scrivania/ex5601$ ./zyeng enp0s31f6
Network is unreachable
alessandro@NUC:~/Scrivania/ex5601$ ./zyeng wlp58s0
Network is unreachable
alessandro@NUC:~/Scrivania/ex5601$ ./zyeng lo
Network is unreachable
alessandro@NUC:~/Scrivania/ex5601$

I tried all of these:

alessandro@NUC:~/Scrivania/ex5601$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 94:c6:91:a1:1a:0e brd ff:ff:ff:ff:ff:ff
altname enp0s31f6
3: wlp58s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 14:4f:8a:06:a9:d7 brd ff:ff:ff:ff:ff:ff

What am I missing?

You are missing the route to 225.0.0.0 (or some other prefix matching that address). Something like this should do:

ip route add 225.0.0.0/32 dev lo

and then run zyeng with the outgoing interface as the parameter.
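The failure above is a plain route lookup: the kernel needs some prefix covering 225.0.0.0 before it will let the socket send. The following Python checker, added here as an illustration and not part of the thread or of zyeng, parses sample `ip route show` output (constructed, not from the poster's machine) and does the same longest-prefix match, so you can see why a host with only link-scope routes fails and why either a default route or the single-host route via lo fixes it.

```python
import ipaddress

# Constructed sample: a dedicated machine with a LAN prefix route only,
# no default route. Nothing here covers the multicast address 225.0.0.0.
SAMPLE_ROUTES = "192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.10\n"

# Same machine after the fix suggested in the thread.
SAMPLE_ROUTES_FIXED = SAMPLE_ROUTES + "225.0.0.0 dev lo scope link\n"


def parse_routes(text):
    """Parse `ip route show` lines into (network, outgoing device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # `ip route` prints single-host routes without a /32 suffix;
            # ip_network() treats a bare address as a /32.
            net = ipaddress.ip_network(fields[0], strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: returns (network, dev) or None if unroutable."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best


def route_ok(text, addr="225.0.0.0"):
    """True if the routing table in `text` would let the kernel pick a route."""
    return lookup(parse_routes(text), addr) is not None


if __name__ == "__main__":
    for label, table in (("before", SAMPLE_ROUTES), ("after", SAMPLE_ROUTES_FIXED)):
        print(label, "->", lookup(parse_routes(table), "225.0.0.0"))
```

Run `ip route show` on the real machine and feed that text to route_ok() to check before starting zyeng.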