OpenWrt Support for Armor G5 (NBG7815)

Hi everyone! Is there any chances to see OpenWRT for NBG7815 (ZyXEL Armor G5) ?
Stock firmware is terrible... they still use SMBv1

It depends on the the question if ZyXEL locked down the bootloader by enabling (and enforcing-) secure boot, or if you can boot alternative firmwares. The SOC itself would be supportable and the router looks like a nice device with OpenWrt in mind, but don't expect a turn-key solution (follow the ax3600 thread for some hints about the progress on supporting devices with this SOC).

1 Like

Thank's for link

Might also be interesting to you, as it explains early device investigation steps for a similar device.

Thank's i'll see, but i'm not strong in router progamming despite the fact that I'm programmer )

Openwrt is installed and working on some Chinese sites. But no clue how to install it. And they didn't share Openwrt firmware. I hope we can see the official openwrt support soon.




https://youtu.be/FZE33x6Roq0

1 Like

Kernel 4.4.60, and version R22.5.6 doesn't sound anywhere near official...

I connected a serial cable today, here is the bootlog. I could not pass the login part because it does not accept the password. I don't know what the username is, I tried admin and root and it didn't work. I tried 1234 in the password part, it didn't work. I would like to help for Openwrt support, I am not a developer but I can do my best.

Full Bootlog:
https://pastebin.com/raw/mEfp47ry

MTD Parts:

0x000000000000-0x000000050000 : "0:SBL1"
0x000000050000-0x000000060000 : "0:MIBIB"
0x000000060000-0x000000080000 : "0:BOOTCONFIG"
0x000000080000-0x0000000a0000 : "0:BOOTCONFIG1"
0x0000000a0000-0x000000220000 : "0:QSEE"
0x000000220000-0x0000003a0000 : "0:QSEE_1"
0x0000003a0000-0x0000003b0000 : "0:DEVCFG"
0x0000003b0000-0x0000003c0000 : "0:DEVCFG_1"
0x0000003c0000-0x0000003d0000 : "0:APDP"
0x0000003d0000-0x0000003e0000 : "0:APDP_1"
0x0000003e0000-0x000000420000 : "0:RPM"
0x000000420000-0x000000460000 : "0:RPM_1"
0x000000460000-0x000000470000 : "0:CDT"
0x000000470000-0x000000480000 : "0:CDT_1"
0x000000480000-0x000000540000 : "0:APPSBL"
0x000000540000-0x000000600000 : "0:APPSBL_1"
0x000000600000-0x000000610000 : "0:APPSBLENV"
0x000000610000-0x000000650000 : "0:ART"
0x000000650000-0x0000006d0000 : "0:ETHPHYFW"
0x0000006d0000-0x0000006e0000 : "0:CRT"
0x0000006e0000-0x0000006f0000 : "DUAL_FLAG"
0x0000006f0000-0x000000800000 : "RESERVED"

Most of the info you need is already in this thread.

Start by checking if u-boot can be interrupted.
Then check if you can boot an initramfs.
Do device exploration using that same initramfs.

I don't understand chinese, i would even buy it if he is selling or whatever, i think it should be here https://op.supes.top/firmware/ipq807x_generic/ but nothing

Maybe it can be found here https://www.right.com.cn/forum/forum-169-2.html as comments mention forum i think.

Hi guys

I wonder what was hidden under the hood, so i connected cable TTL and:

  1. Interrupted autoboot:
Zyxel zloader v1.0.0 (2020-01-06 - 08:24)


Multiboot clinent version: 2.0
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 Down Speed :10 Half duplex
eth0 PHY4 Down Speed :10 Half duplex
10M speed not supported
ipq807x_eth_halt: done
Ethernet interface failed to initialized!

Hit any key to stop autoboot:  3
NBG7815> ATHE
ATEN    x[,y]     set BootExtension Debug Flag (y=password)
ATSE    x         show the seed of password generator
ATSH              dump manufacturer related data in ROM
ATRT    [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
ATGO              boot up whole system
ATUR    x         upgrade RAS image (filename)
ATUS    x         upgrade image by fit script (filename)
**NBG7815>**

It seems that U-boot has been locked

  1. Enter failsafe mode:
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
f
- failsafe -
[    8.161839] random: dropbearkey: uninitialized urandom read (32 bytes read, 8 bits of entropy available)
[    8.163176] random: dropbearkey: uninitialized urandom read (32 bytes read, 8 bits of entropy available)
Generating key, this may take a while...
[    8.418384] random: dropbearkey: uninitialized urandom read (32 bytes read, 8 bits of entropy available)
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCAYHBFJs0Eqn8VjK2JFsp7Oh[    8.430835] random: dropbear: uninitialized urandom read (32 bytes read, 8 bits of entropy available)


BusyBox v1.25.1 (2021-09-29 08:20:53 UTC) built-in shell (ash)

ash: can't access tty; job control turned off
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 (eb4b1a4+r49254)

================= FAILSAFE MODE active ================
special commands:
* firstboot          reset settings to factory defaults
* mount_root     mount root-partition with config files

after mount_root:
* passwd                         change root's password
* /etc/config               directory with config files

for more help see:
http://wiki.openwrt.org/doc/howto/generic.failsafe
=======================================================

root@(none):/#
root@(none):/etc# cat openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='Chaos Calmer'
DISTRIB_REVISION='eb4b1a4+r49254'
DISTRIB_CODENAME='chaos_calmer'
DISTRIB_TARGET='ipq/ipq807x_64'
DISTRIB_DESCRIPTION='OpenWrt Chaos Calmer 15.05.1'
DISTRIB_TAINTS='no-all busybox'

After mount_root i was looking for some informations in config and succesfully found root password, so

  1. Login as root
NBG7815 login: root
Password:


BusyBox v1.25.1 (2021-09-29 08:20:53 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 (eb4b1a4+r49254)

root@NBG7815:~# uname -a
Linux NBG7815 4.4.60 #1 SMP PREEMPT Wed Sep 29 08:31:14 UTC 2021 aarch64 GNU/Linux
  1. Conclusions:

a) Default software has been built on OpenWRT 15.05.1 "Chaos Calmer" software,
opkg packages -> http://downloads.openwrt.org/chaos_calmer/15.05.1/ipq/ipq807x_64/packages/
b) ssh deamon has been removed :frowning:
c) Fortunetly there's telnet deamon, you can connect to it right after reset to factory setting
d) you can login as root

2 Likes

Seems that we can upload manually firmware, below is the router site:

https://192.168.123.1/gui/#/main/debug/firmwareupgrade

This could be useful, if someone wants to upload custom firmware

1 Like

I added some instructions -> how to get root acces and ssh at site:

Also u-boot can be unlocked, my example:

Zyxel zloader v1.0.0 (2020-01-06 - 08:24)


Multiboot clinent version: 2.0
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :1000 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
10M speed not supported
ipq807x_eth_init: done

Hit any key to stop autoboot:  3ipq807x_eth_halt: done

NBG7815> ATSE NBG7815
013D72FF0710
NBG7815> ATEN 1,10F0DFA7
NBG7815> ATGU

et voila:

ZYXEL#
ZYXEL# showvar
HUSH_VERSION=0.01
3 Likes

since their own firmware is clearly openwrt based, i asked them 14 days ago to share source to comply with GPL, nothing, but they do have https://www.zyxel.com/form/gpl_oss_software_notice.shtml this secret page to ask, so let's see, maybe it will be helpful.

I can't do the request, as I do not have serial number, mac and firmware version, I requested without it and got

1. Please help to specify which Firmware version's open source code you need.
2. Please help to provide NBG7815's serial number and MAC address.

as a reply, weird, however I do not want to buy the device not supporting openWrt just to return it. Seeing just screenshots from the firmware webUi is enough for me :slight_smile:

2 Likes

you can find the gpl source in my github:

3 Likes

That source does include the device trees for uboot and the kernel so it shouldn't be too difficult to port to robimarko's tree then

1 Like

Based on robimarko repository and zyxel firmware configuration, i've added Zyxel NGB7815 to openwrt:

Commit:

As for now is experimental and not fully tested.

1 Like

There's problem with LED's beacuse is managed by lp5569 I2C instead of GPIO.

Following documentation https://www.kernel.org/doc/html/latest/leds/leds-lp5562.html I assume that configuration is written to the chip every time when the router starts

fw_printenv drops :

ledB=run ledinit && i2c mw 0x40 0x18 0xff && i2c mw 0x40 0x1b 0xff && i2c mw 0x40 0x1e 0xff 
ledG=run ledinit && i2c mw 0x40 0x17 0xff && i2c mw 0x40 0x1a 0xff && i2c mw 0x40 0x1d 0xff 
ledR=run ledinit && i2c mw 0x40 0x16 0xff && i2c mw 0x40 0x19 0xff && i2c mw 0x40 0x1c 0xff 
ledRblink=i2c mw 0x40 0x16 0xff && i2c mw 0x40 0x19 0xff && i2c mw 0x40 0x1c 0xff && sleep 1 && i2c mw 0x40 0x16 0x00 && i2c mw 0x40 0x19 0x00 && i2c mw 0x40 0x1c 0x00 && sleep 1 
ledallon=run ledinit && mw 0x44000000 ffffffff 3 && i2c write 0x44000000 0x32 0x16 9 && i2c write 0x44000000 0x35 0x16 9 
ledinit=i2c dev 0 && i2c probe && i2c mw 0x40 0x0 0x40 && mw 0x44000000 a0a0a0a0 3 && i2c write 0x44000000 0x40 0x7 9 && mw 0x44000000 00000000 3 && i2c write 0x44000000 0x40 0x16 9
1 Like

Those aliases aren't what's handling the LEDs, from those kernel docs the LED Driver is supposed to be programmed through the userspace and there doesn't seem to be any script in the sources for controlling the LEDs. All those led(B/G/R) aliases do is make sure the driver works and set the PWM.

Correction, they added the programs for the LEDs into the kernel code here and they probably just switched programs through user space like the kernel docs described

2 Likes

You're right. They have special program to control LED's:
This will change colour to orange :slight_smile:

/sbin/zyxel_led_ctrl ResetToDefault
1 Like