Method to flash any NR7101

Great news! I believe we have a method to flash any NR7101 without knowing any password. I finally took the time to decompile their closed source part of the bootloader to reverse engineer the "Multiboot" feature you might have noticed on the console while booting these devices. This is a protocol allowing direct flashing using multicast. With absolutely no authentication at all...

My initial work-in-progress code with protocol docs is here: https://github.com/bmork/firmware-utils/commit/dd4ce54ee35cb36197ee61f1e979be4264513e55

There are still some unknown parts of the protocol, but I believe I have enough of it covered to make it safe for firmware flashing. Bootloader flashing is not recommended, and is disabled by default in the tool.

This will work on almost any ZyXEL router. But the switches are excepted. That would be a security risk. It's bad enough for the routers :slight_smile:

I just tested the code on one of my NR7101s. Started the tool on a host connected to the LAN port of the NR7101:

bjorn@idefix:/tmp$ /tmp/zycast -i eth0.10 -f openwrt-snapshot-r22900-abec62a54268-ramips-mt7621-zyxel_nr7101-initramfs-recovery.bin -t 10
Press Ctrl+C to stop before rebooting target after upgrade
^C
Closing all files

And then I powered on the NR7101. Console output:

dcache: sets:256, ways:4, linesz:32 ,total:32768 

 ##### The CPU freq = 880 MHZ #### 
 estimate memory size =256 Mbytes
#Reset_MT7530
.## Starting application at 0x8402A800 ...


Z-LOADER V1.30 | 06/03/2020 08:39:30


Hit ESC key to stop autoboot: 1

 NetLoop,call eth_halt ! 

 NetLoop,call eth_init ! 
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!! 
Multiboot Listening...
 3Receive first multiboot packet

Received RAS packet ID: 0x3f13
Roll back to receive previous RAS packet ID: 0x023f
gEngCleanROMD = 0

------MultiBoot Download Finish------
Upgrading Ras...

Firmware with RAS format.
trx_exist = 1
RAS header checksum: 0x2e168055 vs caculation checksum: 0x2e168055
Image checksum: 0xfd86d98f vs caculation checksum: 0xfd86d98f
Image checking PASS! Start upgrading...
Upgrade firmware from memory 0x89140000 to flash 0x00140000, file length 16535069, file type=1
ranand_erase: attempt to erase a fact bad block at 0x00440000
.bad block: 440000, try next: 460000
.(5230)offs=17956864 piece=0 piece_size=19997 rc=0
Done!
Upgrade firmware from memory 0x89140000 to flash 0x02140000, file length 16535069, file type=1
.(5230)offs=51380224 piece=0 piece_size=19997 rc=0
Done!
RAS upgrade done!
Upgrade firmware finished and please restart system !!

Then I could stop the zycast client (important, or it will continue to flash the router on every boot....), and reboot the NR7101 into OpenWrt.

Nice, eh?

6 Likes

Very!

But you should really put this in a separate thread :slight_smile:

Incredible work! Would this permit a buttonless reset?

No, the router must be manually reset after upgrade.

This protocol wouldn't work if it reset automatically since the upgrade would restart over and over again. You need to stop the image casting before rebooting. And the only reasonable way to sync that is by doing a manual reboot.

But the manual reset can be power off and power on (still buttonless)? For those that screw up settings and the router is up a huge ladder or in enemy territory?

@moderators it might be an idea to split off @bmork's post here into a new thread entitled something like "Zyxel NR7101 - zycast - network flashing"?

@patrakov But the manual reset can be power off and power on (still buttonless)?

Yes for some modems, no for others. At least for Quectel EG25-G, this could result in firmware damage. Look what PinePhone does to ensure the safety of that modem.

2 posts were merged into an existing topic: Supported router (Must have GigE ports + LTE/4G)?

I tried this zycast, but with OEM firmware 100ABUV8C0.bin instead of OpenWrt firmware.

Now my supervisor (or any other passwords) for login does NOT work. :upside_down_face:

Tested zycast again with OpenWrt, booted up okay, but it was in recovery (initramfs) mode.
Had to configure the LAN port for internet, download uboot-envtools, set the bootflag and sysupgrade. Okay in OpenWrt now, but it bothers me that it looks like it is not possible to go back to Zyxel firmware. :face_with_raised_eyebrow:

1 Like

I wonder why.

I am also curious if there might be a way to reset the NR7101 with this protocol but without flashing, e.g. if you screwed up configuration setting and cannot physically access the NR7101 to press the reset button (say it is up on a huge tower or inside enemy territory)?

I suppose you could with zycast, but you must be able to take power off/on to do it.
I had a serial console connected to see what was happening, but I am not sure if I would recommend trying to flash firmware without the possibility to access the router itself.

Me too. That's very unexpected. I thought the password would be safe inside the Factory partition. But I haven't actually verified that with a non-Telenor image.

I have not found any reset mechanism in this protocol. I agree that it would be useful.

You should be able to cut power regardless of where it is installed since that is as simple as unplugging the other end of the ethernet cable. Personally I use a PoE switch (ZyXEL GS1900-10HP with OpenWrt) to power the NR7101, so I can toggle power using ubus:

root@gs1900-10hp-f:~# ubus -v call poe manage '{"port":"lan5","enable":false}'
root@gs1900-10hp-f:~# ubus -v call poe manage '{"port":"lan5","enable":true}'

Yes, yes, you're not supposed to just cut power like that. But it's pretty harmless in practice, as long as you aren't flashing the modem or something like that.

1 Like

Hi
Is it possible that I still have the original Telenor firmware in the backup partition?
I just found this in another post: strings /dev/mtd2 | head -4
This gives me the correct serial number, so I do not think it has changed.

root@OpenWrt:/# strings /dev/mtd2 | head -4
NR7101
S210Zxxxxxxxx
-----BEGIN CERTIFICATE-----
MIIDNDCCArqgAwIBAg3MAoGCCqGSM49BAMDMFwxKjAoBgNVBAMMIU1RVFQg
strings: standard output: Broken pipe
root@OpenWrt:/#

How can I try to boot up from the second "recovery" partition?

Continuing the discussion from Flash on Zyxel NR7101:

Yes, I want to try to go back to the Telenor firmware. I do not have any backup file of it, but I am not sure if it was overwritten by zycast?

How can I try to boot from the recovery partition?
I tried cat /dev/mtd5 > /tmp/backup.bin
then mtd -r write /tmp/backup.bin Kernel and reboot, but still OpenWrt. Is there some way to verify if I still have the stock firmware in the recovery partition?

root@OpenWrt:/tmp# [ 1486.444177] mt7530 mdio-bus:1f lan: Link is Down
[ 1486.453884] br-lan: port 1(lan) entered disabled state
cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00080000 00020000 "Bootloader"
mtd1: 00080000 00020000 "Config"
mtd2: 00040000 00020000 "Factory"
mtd3: 01ec0000 00020000 "Kernel"
mtd4: 01ac0000 00020000 "ubi"
mtd5: 01ec0000 00020000 "Kernel2"
mtd6: 00100000 00020000 "wwan"
mtd7: 01000000 00020000 "data"
mtd8: 00100000 00020000 "rom-d"
mtd9: 00080000 00020000 "reserve"
root@OpenWrt:/tmp#

If you've used zycast on the NR7101 then the original content of both "Kernel" and "Kernel2" is lost. The NR7101 bootloader flashes the uploaded image to both partitions unfortunately.

One way to figure out what's there is simply looking at the version strings in the beginning of the partition. E.g.:

root@OpenWrt:/# hexdump -n 400 -C /dev/mtd5
00000000  30 52 44 48 00 00 01 7c  00 fc 4e 1d fd 86 d9 8f  |0RDH...|..N.....|
00000010  35 2e 30 2e 30 2e 30 0a  00 00 00 00 00 00 00 00  |5.0.0.0.........|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  0a 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 fc 4c a1 00 00 00 00  00 00 00 00 00 00 00 00  |..L.............|
00000060  33 20 36 30 33 35 20 31  32 32 20 30 0a 00 00 00  |3 6035 122 0....|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100  00 00 00 00 4d 54 37 36  32 31 41 00 4e 52 37 31  |....MT7621A.NR71|
00000110  30 31 00 00 00 00 00 00  00 00 00 00 07 01 00 01  |01..............|
00000120  00 00 00 00 00 00 00 00  39 2e 39 39 28 41 42 55  |........9.99(ABU|
00000130  56 2e 39 29 4f 70 65 6e  57 72 74 2d 72 65 63 6f  |V.9)OpenWrt-reco|
00000140  76 65 72 79 00 00 00 00  39 2e 39 39 28 41 42 55  |very....9.99(ABU|
00000150  56 2e 39 29 4f 70 65 6e  57 72 74 2d 72 65 63 6f  |V.9)OpenWrt-reco|
00000160  76 65 72 79 00 00 00 00  00 00 00 00 12 34 56 78  |very.........4Vx|
00000170  00 00 00 00 2e 16 80 55  00 00 00 00 27 05 19 56  |.......U....'..V|
00000180  1b 2e 66 2f 64 63 ed 85  00 fc 4c 61 80 00 10 00  |..f/dc....La....|
00000190

The fake "9.99" version tells us that this is OpenWrt.

1 Like
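The check described in the post above, as an added example that is not part of the original post or of zycast: it rebuilds the bytes from the quoted `hexdump -C` text (including the `*` line that stands for repeated rows), reads the header fields, and compares them with the length and checksums Z-LOADER printed in the flash log earlier in this thread. The field offsets and the names `parse_hexdump`, `describe_image`, `is_openwrt` and `matches_flash_log` are assumptions made for this example, read off this one dump by matching its bytes against that log; they are not a documented layout.

```python
import re
import struct

# Output of `hexdump -n 400 -C /dev/mtd5`, copied from the post above.
HEXDUMP = """\
00000000  30 52 44 48 00 00 01 7c  00 fc 4e 1d fd 86 d9 8f  |0RDH...|..N.....|
00000010  35 2e 30 2e 30 2e 30 0a  00 00 00 00 00 00 00 00  |5.0.0.0.........|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  0a 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 fc 4c a1 00 00 00 00  00 00 00 00 00 00 00 00  |..L.............|
00000060  33 20 36 30 33 35 20 31  32 32 20 30 0a 00 00 00  |3 6035 122 0....|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100  00 00 00 00 4d 54 37 36  32 31 41 00 4e 52 37 31  |....MT7621A.NR71|
00000110  30 31 00 00 00 00 00 00  00 00 00 00 07 01 00 01  |01..............|
00000120  00 00 00 00 00 00 00 00  39 2e 39 39 28 41 42 55  |........9.99(ABU|
00000130  56 2e 39 29 4f 70 65 6e  57 72 74 2d 72 65 63 6f  |V.9)OpenWrt-reco|
00000140  76 65 72 79 00 00 00 00  39 2e 39 39 28 41 42 55  |very....9.99(ABU|
00000150  56 2e 39 29 4f 70 65 6e  57 72 74 2d 72 65 63 6f  |V.9)OpenWrt-reco|
00000160  76 65 72 79 00 00 00 00  00 00 00 00 12 34 56 78  |very.........4Vx|
00000170  00 00 00 00 2e 16 80 55  00 00 00 00 27 05 19 56  |.......U....'..V|
00000180  1b 2e 66 2f 64 63 ed 85  00 fc 4c 61 80 00 10 00  |..f/dc....La....|
00000190
"""
# Values Z-LOADER printed in the console log earlier in this thread.
FLASH_LOG = {"length": 16535069, "image_checksum": 0xFD86D98F, "header_checksum": 0x2E168055}
ROW = re.compile(r"^([0-9a-f]{8})((?: +[0-9a-f]{2}){0,16})")

def parse_hexdump(text):
    """Rebuild bytes from `hexdump -C` text, expanding '*' (repeated rows)."""
    data, last_row, squeezed = bytearray(), b"", False
    for line in text.splitlines():
        if line.strip() == "*":  # hexdump elided repeats of the previous row
            squeezed = True
            continue
        m = ROW.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        while squeezed and last_row and len(data) < offset:
            data += last_row
        squeezed = False
        if len(data) != offset:
            raise ValueError(f"gap in dump at offset {offset:#x}")
        last_row = bytes.fromhex(m.group(2).replace(" ", ""))
        data += last_row
    return bytes(data)

def cstr(data, off, maxlen):  # NUL-terminated ASCII field
    return data[off:off + maxlen].split(b"\0", 1)[0].decode("ascii", "replace")

def describe_image(data):
    # ASSUMPTION: offsets inferred from this dump and the log, not from a spec.
    if data[:4] != b"0RDH":
        raise ValueError("no 0RDH magic at start of partition")
    return {
        "length": struct.unpack_from(">I", data, 0x08)[0],
        "image_checksum": struct.unpack_from(">I", data, 0x0C)[0],
        "model": cstr(data, 0x10C, 16),
        "version": cstr(data, 0x128, 32),
        "header_checksum": struct.unpack_from(">I", data, 0x174)[0],
    }

def is_openwrt(info):
    # Rule of thumb from the post: the OpenWrt image carries a fake "9.99" version.
    return info["version"].startswith("9.99") and "OpenWrt" in info["version"]

def matches_flash_log(info):
    return all(info[key] == value for key, value in FLASH_LOG.items())

if __name__ == "__main__":
    info = describe_image(parse_hexdump(HEXDUMP))
    print(info, is_openwrt(info), matches_flash_log(info))
```

For this dump the header length and both checksums equal the values in the flash log, so "Kernel2" holds the same image the bootloader reported writing.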

Is there a way to overwrite the password as part of the flash when flashing OEM firmware?

Not directly using zycast at least. But I guess it's possible the OEM firmware runs some code having unexpected side effects on operator branded devices. Not likely IMHO, but possible.

Note that this answer is only valid for the exact NR7101 bootloader I've tested. One problem with zycast and the protocol it implements, is that the end result depends on hardcoded values in the bootloader. The protocol uses flags to indicate what the payload is, but it is entirely up to the bootloader to map that into flash locations. And those values are hardcoded, unrelated to the locations used for booting. I would not be surprised if there is some model out there where this code is completely wrong. It's closed source, and therefore often linked into the bootloader as a binary blob. There is no guarantee the code is updated if e.g. the location of the primary image is moved for some operator branded image.

And as demonstrated on the NR7101 I have: Some implementations flash multiple locations based on a single image upload, thus increasing the risk. This also documents that they add device specific hacks when adapting the code to different devices. Given the quality of vendor code in general, and this being closed source, I estimate the probability of serious bugs in the code to be at least 1. Maybe not more than 1 though :slight_smile:

Another method to get supervisor access (NR7101, 7102, 7103).

  1. Hook up a serial adapter for the console.
    Get the admin password (it's the same as the WiFi password). If WiFi is not turned on, push the WiFi button for 5 seconds (check the console). Connect to WiFi with a PC, and when you come to type in the password, hit the WiFi button for 3 seconds again for WPA share passphrase (check the console). It should now automatically log in. When logged on, check your wireless properties in network connections. Hit the security tab and show the network security key; that's your admin password.

    NR7102 and 7103 have no WiFi button, but come with the WiFi password on a sticker.
    WiFi key 7103 from Telia, try password 3UQC47T728s8 and admin password TeliaInstall

  2. Boot up and log in as admin on the serial console. Check the IP with ifconfig. On some models it's 172.17.1.1 and on others it's 192.168.2.1.

Set a fixed IP in the same range on the computer's LAN card. Connect a cable from the computer to the LAN port on the PoE injector.

Use zycli mgmtsrvctl show to check open ports.


ZySH> zycli mgmtsrvctl show
Service Control
        WAN interface:  Multi_WAN ( )
Service Table
        [SERVICE]       [LAN/WLAN]      [WAN]           [TRUST_DOMAIN]  [PORT]
        HTTP            Disable         Disable         Disable         80
        HTTPS           Enable          Enable          Disable         443
        FTP             Disable         Disable         Disable         21
        TELNET          Disable         Disable         Disable         23
        SSH             Enable          Disable         Disable         22
        PING            Enable          Enable          Disable         -1
Trust Domain
ZySH>

Then open ports 21, 22 and 80 for the FTP, SSH and HTTP protocols:

zycli mgmtsrvctl config -s SSH 0
zycli mgmtsrvctl config -s FTP 0
zycli mgmtsrvctl config -s HTTP 0

Connect to FTP and download the zcfg_config_json file.
Open the file in an editor and find the supervisor user with the encrypted password string.
It should look like this:

"Username":"supervisor",
            "Password":"_encrypt_yLIaQfrt35LUnwy4Tp80g==",

The password is this: _encrypt_yLIaQfrt35LUnwy4Tp80g==
You now need to log in to the web interface and go to network settings, DNS, and DynDNS.
Paste the encrypted key into the password line and hit apply. Then hit show password and it should be decrypted.

On 7101 devices from Telenor the admin user is not enabled for the web interface, so I had to use another Zyxel device to decrypt the password with the DynDNS method. EX5501, 7101, 7102, ++...

When you have the supervisor/root password, use the guide at https://openwrt.org/toh/zyxel/nr7101 to install OpenWrt.

Any tips on Telia 7103? TeliaInstall password did not work..

Sorry, I never managed to get a proper serial console on the 7103. But with the ones from Telia, you need to boot up, and as soon as you see the TeliaInstall WiFi, try to connect. It starts with WPS on (for a short time?).

Try to log on to the web interface with admin and password TeliaInstall or 1234
I haven't played with this device for a long time but I think that's how I got logged into it.

I used WiFi WPS and got the key for WiFi. Then I could log in as admin and get the encrypted string for supervisor :slight_smile:

1 Like