Flashing on NR7101 continued

I'm trying to follow the conversation here: Flash on Zyxel NR7101 - #204 and I've able to connect to the device.

If I type in the console I see this:

NR7101 login:

What is the user name? 'admin', 'root', 'supervisor'
I've ran getsupervisor.sh and got a password, but that doesn't work.

Any tips?

Is this firmware too new?

seen https://openwrt.org/toh/zyxel/nr7101 ?

Yes, I've followed that

@bmork any ideas ?

The username is root.

The firmware versions (both modem and router) are irrelevant. The password is stored on flash independently of the firmware. And the algorithms use to generate that password are obviously varying. It might even be true random.

The getsupervisor.sh is most likely to work for older devices (serial numbers starting with. S20, and maybe S21 something - I don't know the exact cutoff date). But all factory data, including passwords and serial numbers, are possibly subject fo operator customizations. Making it very hard to provide precise answers or rules....

In short: If getsupervisor.sh works, then great. If it doesn't, then I don't know what to try next.

zycast ? :slight_smile:


Yes, but I don't want to propose that.

When you can't get access to the OEM firmware then there is no way to make a backup before flashing. My NR7101s will always flash both fimware partitions when you use zycast, and I assume that's how all the NR7101 boot loader versions work. So there is no way back to OEM firmware after flashing with zycast unless you can get an OEM firmware copy somewhere. Which you often can't for operator customized firmwares.

Why would I need to go back to OEM firmware?

I'm not going to use it with 'Telenor Bredbånd' plan, and I bought it used, so I have no way of returning it (unless I sell it used). So what I'm saying is that I'm open for all options :smiley:

Then zycast should work. It's now part of the firmware-utils repo:

Not much usage instructions availble. Read the source and look at the example in the help text. I would use an OpenWrt initramfs image with this and then run sysupgrade after the first boot.

1 Like

I don't have NR7101, I have NR5101 (sadly not supported) with S22 serial and I was able to obtain the root/supervisor password using this method. Might or might not work on NR7101

Passwords (encrypted) are stored in zcfg_config.json file. I didn't have access to this file but I was able to get it using the following procedure. You can connect to FTP using admin user and password and see if the file is already there, if it is skip to decrypt password part.

When you setup a custom Dynamic DNS entry, there is a cron entry created in /var/spool/cron/ddns/root which looks something like this

0 0 * * * /usr/sbin/ez-ipupdate -S userdefined -U URL_UPDATE -h HOST_NAME -u USERNAME:PASSWORD -i wwan0 -t 10

This runs as root user and looks like "URL Update" field is not escaped in any way so we can run any command there

Go to Network Settings -> DNS -> Dynamic DNS

Create a new "DNS user defined" entry and enable it.

Enter something like this in URL Update field: ; cp /data/zcfg_config.json /home/admin/config.json ;

Enter whatever you want in other fields, it doesn't matter. Since this runs every day at midnight we just have to wait a bit. You can change the timezone to something closest to midnight to wait a little bit less.

After midnight, connect to FTP and look for file named config.json. In this file you'll find something like this (just an example, this password is not real):


Go back to DDNS entry you just created and copy/paste the password value into the Password field there. If there are any JSON escaped characters you need to unescape them (remove backslashes). In the above example the text to copy would be _encrypt_fref411023/AarAbnHQ=

Click Apply and then click the eye icon next to the password field to see your root/supervisor password. After you're done, clear the fields, disable DDNS and reboot your router to remove the generated cron entry.