Method to flash any NR7101

If you have / in encrypted string - try to erase it and decrypt without it.

I tried decrypting the private key after removing / but it appears that the dyndns field only accepts <64 chars. Upon closer inspection I found that I could ssh in as root using option -o HostKeyAlgorithms=+ssh-rsa, so apparently no need for key pairs…

Hi ! i am new on linux ... how can i get zycast to run ? how to install in linux ? iam using debian 12

how to run the script ?

This is not so helpful given that zycast is a C program :frowning:

It's normally built as part of the firmware-utils, but you can build it separately by simply running

gcc -o zycast zycast.c

It has no dependencies at all except for the standard library, so that's all.

It's also possible to extract prebuilt binaries from one of the snapshot SDKs, like for example https://downloads.openwrt.org/snapshots/targets/x86/generic/openwrt-sdk-x86-generic_gcc-13.3.0_musl.Linux-x86_64.tar.zst . The binary will be extracted as
/openwrt-sdk-x86-generic_gcc-13.3.0_musl.Linux-x86_64/staging_dir/host/bin/zycast

But downloading all that just for this binary is a bit of an overkill....

1 Like

fark, posts removed

[ face palm ]

sorry @Paperdude !

Thanks for the help , what Linux is you using ? I got Error 1 and 2 and can not start zcast on debian 12 Cinnamon

I can confirm that this method still works. You can flash either the original Zyxel firmware or an OpenWRT image. I managed to take over my Telenor unit

1 Like

Mee too. First I tried procedures from the Wiki, but was not able to stop the boot. So I compiled zycast on ubuntu and installed OpenWrt on first try. This is a NR7101 from Telenor, serial S230Z2*

i tried zycast with nr7302 , no success

1 Like

Why did you think it would work? Nr7302 dont have openwrt support!?

zycast can work on many different zyxel hardware.
being able to flash and recover is a good starting point.
i tried stock firmware.
TTL does not take input and the output does not show much interesting.

1 Like

you have a list of devices that work ?

I have no such list. Just making unverified assumptions....

It's safer to say that many Zyxel devices support/advertise a variant of this "multiboot" protocol. But my tool might not work with all of them since it is based on reverse engineering the NR7101 implementation only. The tool will probably need some adjustments and improvements for other variants. In particular those running on other architectures and/or from userspace instead of bootloader

1 Like