Start at https://openwrt.org/toh/zyxel/t-56#tab__option_a_-_use_tftp_to_serve_and_boot_the_initramfs
You can use option 2 in the U-Boot menu to load the initramfs.
TFTP is often blocked by TFTP host's firewall.
Hello everyone,
I'm in this situation. Is there any way to recover it? Can anyone suggest a guide or the necessary files, if it's possible? I have a TTL serial number available.
Thanks for your help.
F0: 102B 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 3903 0041
F3: 1001 0000 [0200]
F3: 1001 0000
F6: 102C 0000
F5: 1026 0000
00: 1005 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 3903 0041
F3: 1001 0000 [0200]
F3: 1001 0000
F6: 102C 0000
01: 102A 0001
02: 1005 0000
BP: 2000 00C0 [0001]
EC: 0000 0000 [1000]
T0: 0000 00BB [010F]
System halt!
Try the link above your post, read it from the top.
Thank you for your help, I'll do some tests.
Hi everyone,
I have an EX5601-T1 with firmware V5.70(ACEA.0)T56C_b4_0130, and I’m unable to execute the following commands:
zycli modelcheck off
zycli fwidcheck off
I don’t get any output at all for fwidcheck.
I’ve tried both as supervisor and as root, but no luck. I also tested via Telnet and SSH, with the same result, both from Windows and from macOS (using Termius).
Does anyone know why this might be happening? Thanks!
install using serial, 4 posts up.
I just wanted to share my success and ask for some advice regarding the next steps. I received a second T-56 (EX5601-T1) from a friend and decided to try @carlicious's method to bypass the recent odido firmware restrictions without opening the router.
The router was originally runningthe firmware V5.70(ACEA.0)T56C_b10_0410.
I followed the guide to the letter:
- Used the JS override to gain full access to the web gui and enabled ssh.
- Grabbed the root password using the MAC address trick.
- Transferred the patched zloader files via SCP to
/tmp/and flashed them via SSH usingmtd write. - Flashed the openwrtStock Layout image (
openwrt-24.10.2-mediatek-filogic-zyxel_ex5601-t0-stock-squashfs-sysupgrade.bin).
Current situation
Everything worked flawlessly! I now have a working OpenWrt 24.10.2 on ubi with the stock partition layout, and the router can dual-boot with the original Zyxel firmware sitting on ubi2. (if i'm not mistaken xD)
My question
Now that I have a working OpenWrt installation with a patched zloader, I'd like to switch to the ubootmod layout to reclaim the full NAND storage space.
Given my current state (router booting into OpenWrt on stock layout with carlicious patched zloader):
- Can I safely install the
ubootmodlayout directly from my current OpenWrt SSH terminal? - What is the correct and safest procedure to make this switch?
- Would you recommend doing this via software, or is the risk of bricking too high?
If a serial connection is strictly required to move to ubootmod safely, it’s not a problem for me to open the router (my first t56 was locked at handshake, so i have to check if this isn't the same). But since this unit is already running OpenWrt, I’m hoping there is a faster/(easier software-only path.
@frollic thanks for linking the commit!
after reading it and digging a bit deeper into the thread i realized something important: other users successfully combined @carlicious root method with @thehybrid1337 guide to flash ubootmod entirely via software, without needing mtk-uartboot or zyeng at all
however i only read this after i already flashed the patched zloader and booted into openwrt stock layout!
so my main doubts right now are:
- does having the patched zloader already installed affect the ubootmod flashing process?
- does @thehybrid1337 procedure (specifically mtd write ... FIP) have to be executed from the original zyxel firmware? should i switch back to the zyxel fw (fw_setenv boot_flag 1 and reboot) to run those commands from the zyxel root shell?
- or can i just do everything straight from my current openwrt root ssh (maybe using kmod-mtd-rw to unlock the partitions before flashing)?
am i on the right track here? just asking to be 100% sure before i pull the trigger and potentially turn this thing into a paperweight 
thanks again!
I guess you will have to ask anybody else who has done the procedure from OpenWrt stock to ubootmod to be sure.
The safest way to install ubootmod is using serial and mtk-uartboot as documented on the T56 wiki page.
That's how I did it too, went directly to ubootmod, the devices didn't boot stock fw even once.
Quick update:
i managed to install the ubootmod, i followed the guide at the link suggested by @dando
since i had already obtained root ssh and flashed the patched zloader using @carlicious method, i didn't even need to run zyeng to interrupt the boot. i just hooked up my serial cable, booted the router, pressed the spacebar quickly and it dropped me straight into the ZHAL> prompt.
typed atgu, then atgu again, and boom... i was instantly inside the MT7986> u-boot shell!
from there i just set up the tftp server, loaded the initramfs recovery image and booted it in ram with bootm 0x46000000.
one important note about partitions though:
once openwrt booted in ram, i transferred the files to /tmp via scp -O (since sftp is not available in initramfs), installed kmod-mtd-rw and loaded insmod mtd-rw.ko i_want_a_brick=1.
but when i tried to run ubidetach -p /dev/mtd5 as the guide says, i got an error 19 (no such device).
i checked cat /proc/mtd and realized my partition layout was different because i was coming from the openwrt stock layout, not the one expected in the guide!
big warning here, please pay attention guys! this is what i noticed, and i think it makes sense since i installed the patched zloader (but maybe i'm wrong or completely hallucinating, i'll just tell you this)
in my case, the big ubi partition (1da80000 size) was actually on mtd5 and there was nothing to detach yet.
so i just skipped the detach and ran:
ubiformat /dev/mtd5 -y
ubiattach -p /dev/mtd5
and then proceeded with ubimkvol to create ubootenv, ubootenv2 and recovery.
after that i just flashed bl2 and fip via mtd write, ran the sysupgrade and it rebooted perfectly into the new open-source u-boot with the full ~400mb nand storage available!
i immediately upgraded to the 25.12.2 release via luci and everything is running flawlessly now.
huge thanks to everyone for the tools and guides, hopefully my note about the mtd5 partition layout helps someone else avoid a panic attack
It's only needed if your device won't accept mtk-uartboot.
Could someone please send me their backup of the most recent Odido firmware? i would like to take a look at it to see if i can make flashing from stock odido firmware simpler.
So depending on how the backup was made, i would either need the ubi partitions (rootfs,kernel,zyfwinfo,zydefault) or just a single mtd5/6 file(less preferered).
Thanks.
Hi, I followed your advice by reading the post you pointed me to. I did a few tests but I can't figure it out. It doesn't unlock. Any other suggestions? Thanks.
what tests ?
be specific, post serial output of everything.
They're not really what i was looking for but it could be worth it to check them to ensure nothing crazy is going on inside. So if you could send them then i would surely appreciate it, Don't include the fw_env_backup.txt and -u-boot-env.backup.bin please since they contain info that's for your device only. So just add the bl2,fip and zloader into an archive (zip,gunzip,whatever.) and use any site to upload them whatever works. (catbox/gofile/wetransfer etc..)
I'm looking for either these mtd partitions or 1 of them with with the odido firmware on them
mtd6: 04000000 00040000 "ubi"
mtd7: 04000000 00040000 "ubi2"
or
backups that were made after using ubiattach will have 5 volumes on these ubi devices. I need 0,1,2 and 3.
/dev/ubi{x}_0(kernel)
/dev/ubi{x}_1(rootfs)
/dev/ubi{x}_2(zyfwinfo)
/dev/ubi{x}_3(zydefault)
Example
ubi1
Volumes count: 5
Logical eraseblock size: 253952 bytes, 248.0 KiB
Total amount of logical eraseblocks: 256 (65011712 bytes, 62.0 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes 128
Count of bad physical eraseblocks: 0
Count of reserved physical eraseblocks: 36
Current maximum erase counter value: 14
Minimum input/output unit size: 4096 bytes
Character device major/minor: 248:0
Present volumes: 0, 1, 2, 3, 4
Volume ID: 0 (on ubi1)
Type: dynamic
Alignment: 1
Size: 15 LEBs (3809280 bytes, 3.6 MiB)
State: OK
Name: kernel
Character device major/minor: 248:1
-----------------------------------
Volume ID: 1 (on ubi1)
Type: dynamic
Alignment: 1
Size: 175 LEBs (44441600 bytes, 42.3 MiB)
State: OK
Name: rootfs
Character device major/minor: 248:2
-----------------------------------
Volume ID: 2 (on ubi1)
Type: dynamic
Alignment: 1
Size: 1 LEBs (253952 bytes, 248.0 KiB)
State: OK
Name: zyfwinfo
Character device major/minor: 248:3
-----------------------------------
Volume ID: 3 (on ubi1)
Type: dynamic
Alignment: 1
Size: 1 LEBs (253952 bytes, 248.0 KiB)
State: OK
Name: zydefault
Character device major/minor: 248:4
===================================
I will wait a short time to see if i will receive them or not but otherwise i think i will just revert to some old odido firmware that i still have and let it succsefully flash to a recent one. or if possible i will try intercepting the firmware.bin
have you made any attempts? if you haven't yet then i'd like to ask you to wait a few days since i tihnk i will use 1 of my last 2 t-56 s to experiment flashing the opewnrt and also debrickign without mtk_uartboot
no attempts made to renaissance the 5601-t0, i was going to buy some hook clips to attach to the spi nand pins and get a ch341 too but ive never flashed a spi nand before and would need help identifying the 8 pins and the connections and the s/w required to flash it etc.