OpenWrt support for ZTE H1600

Regarding the TR069: I tried to perform a MitM attack, as I did with other ISPs in the country, and I was able to get the whole XML communication & configuration plus firmware etc.

In this case the TR069 was using HTTPS, and the ZTE wouldn't accept my certificate.


For me UART works, but it's as it has been for the last couple of years... locked. Maybe firmware or hardware revision, or a combination of those, was the reason you didn't have any UART access. I don't know; I didn't even solder them in my case, just a quick test with pins. The boot log is posted above. I've tried to check it out a bit further; it doesn't give me access to any alternative address as shown in the boot log (192.168.1.254). Tried port scanning and everything. Probably for a TFTP address. It has 3 options, 'x', 'b' and '1'. It is blank when it boots with serial, so there's only access to these 3 options. Maybe similar to the other boot logs of ZXHN devices I've posted. I'm sure there is likewise a possibility to flash.

If we can get our hands on more firmwares we can reverse engineer more information, such as partitioning. Or even better, having any friends working within the ISP with insider knowledge on boot passwords. Don't mean to sound like James Bond; the hardware is just better than I had imagined. What's the point of passthrough if it could run directly on the modem, you get my point? From what I know, I've only come up with decrypting the config file from another router and using the credentials in the H1600. How did you manage to pull this off to get the XML? If you do have any firmwares please post them so more people here can have a look. I'm tired of all these stock modems, especially since they are getting better. I've also contacted the ISP through Facebook in the hope of a firmware.

I don't know what flash storage chip it uses, but maybe flashable with a programmer and clip? I mean I didn't have time to look up all the details since I was constantly busy with all I mention above. Come on, it's Greece, some password will stop us? Ask around if you have any connections with technicians of the ISP. If you know more people please do get them involved; the more brains the better, since I'm not that experienced. The storage chip and all other chips are soldered with those 2 caps.

I hope we can achieve something together, and if we do, just 1 device with UART is enough to extract information for a device tree and to make a firmware. What hardware/firmware revision do you have? I have posted all the info I could think of above. Thanks for answering btw. 3 separate options during boot, and doing nothing makes it boot normally. Judging from the other OpenWrt thread on another ZXHN device, it would probably lead to the same ZTE CLI allowing to flash or load into memory. PS: the ISP answered; in case of a firmware update it will happen automatically without your intervention. Probably they don't release any and just use TR069 or any other service being responsible. It's GPL, they have to release kernel sources, I don't care.

In the next couple of weeks I will be trying to dump the WSON serial ROM of the CPE. I cannot promise exactly when I will do this because my schedule is kinda full these days.
I will get back to this though.


Appreciated, man. It's well worth it for a device with specs like this. If I'm able to help in any way making matters easier, let me know. The more people contributing the better.


If you have any specific task I'll help too.


I have a CH341A but bad experience using it on BIOS chips. I was wondering if you dump the firmware with that SOIC16 clip or something. And what's the difference between dumping it straight from the chip and extracting it from binary form? I'm confused because reading SPI chips gives me binaries. Since I'm lacking the experience, this will clarify a lot for me. When dumping, do you get the firmware fully accessible? Or is it still stored as a binary file? I'm not good with the clip. I'll short-circuit the chip and fry it in a second. If you have more experience I'll leave it up to you and wait, lol. Problem is I also don't have any backup modem.

Furthermore, after catching up, AFAIK if somehow we can get access to the bootloader we could unlock it. Bear with me since it's my first time delving this deep into routers. I guess this way we could bypass the ZTE CLI as well, if I'm not wrong, and the boot password. I know this place is full of tech wizards, so even tips are very much appreciated to guide us on what we could try. I'm guessing drivers must be included in the mainline kernel, right? Or is this not always the case? And if not, do we need blobs from the original firmware? Building a device tree from scratch, looking at comparable devices with similar chips after, right? This is going to be hard. I hope someone can clarify it a bit for me. It would be much more fun having OpenWrt on the modem rather than the router, IMO. Better even, both. pppd can be manually adjusted this way.

In some cases the binary itself can be adjusted as well, right? Thing is, I don't know how that will work out in practice; I want to avoid stupid things and avoid bricking. I wonder, if and when encryption keys come out, what settings the config.bin has and if it could be adjusted through that as well, escalating privileges. I think for now, till you have any updates, I'll stick to trying to find exploits. I've tried myself to recover encryption keys in the past, as this is how it's done, disassembling the firmware; I don't think brute-forcing AES will ever lead to anything. Meanwhile I came across this:
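On the "binary vs. accessible firmware" question: a dump read from the chip with a CH341A or similar programmer is nothing more than the raw bytes of the flash, in address order. The kernel and root filesystem are still in there, but to get at them you locate the magic numbers of the image formats (uImage, SquashFS, UBI, JFFS2, gzip) and carve the regions out at those offsets, which is what binwalk automates. The script below is an added example, not code from this thread or from any ZTE tool; it scans a dump for those signatures and decodes the 64-byte legacy U-Boot header where it finds one. The sample data it ships with is constructed for demonstration and is not a real H1600 dump, so the offsets it prints mean nothing for the actual device. Run it against a real dump with `python3 scan_dump.py dump.bin`.

```python
import struct
import sys

# Magic numbers that typically mark partition/image boundaries in a raw
# flash dump of a SoHo router. This is the same idea binwalk uses.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header (U-Boot legacy image)",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"UBI#": "UBI erase-block header",
    b"\x1f\x8b\x08": "gzip stream",
    b"\x85\x19\x03\x20": "JFFS2 cleanmarker node (little-endian)",
    b"\x19\x85\x20\x03": "JFFS2 cleanmarker node (big-endian)",
}

UIMAGE_MAGIC = 0x27051956
UIMAGE_HDR_FMT = ">IIIIIIIBBBB32s"   # 64-byte legacy U-Boot header, big-endian


def scan_dump(data, align=1):
    """Return sorted (offset, description) pairs for every signature found.

    align keeps only hits on a boundary (e.g. 0x10000 for a 64 KiB SPI NOR
    sector); real partitions start on erase blocks, random byte matches don't.
    """
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            if pos % align == 0:
                hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    hits.sort()
    return hits


def parse_uimage(data, offset):
    """Parse the legacy U-Boot image header at offset, or return None."""
    hdr = data[offset:offset + 64]
    if len(hdr) < 64:
        return None
    (magic, _hcrc, _ts, size, load, entry, _dcrc,
     os_id, arch, img_type, comp, name) = struct.unpack(UIMAGE_HDR_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        return None
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "size": size,          # payload bytes that follow the header
        "load": load,
        "entry": entry,
        "os": os_id,
        "arch": arch,          # U-Boot's table: 2 == ARM, 5 == MIPS
        "type": img_type,      # 2 == kernel
        "comp": comp,          # 3 == LZMA
    }


def build_sample_dump():
    """Constructed test data, NOT a real H1600 dump: 0xFF padding, a fake
    kernel uImage at 0x100 and a bare SquashFS magic at 0x400."""
    payload = b"\x00" * 16
    hdr = struct.pack(UIMAGE_HDR_FMT, UIMAGE_MAGIC, 0, 0, len(payload),
                      0x80000000, 0x80000000, 0, 5, 5, 2, 3,
                      b"constructed-kernel")
    blob = b"\xff" * 0x100 + hdr + payload
    blob += b"\xff" * (0x400 - len(blob))
    blob += b"hsqs" + b"\x00" * 60
    return blob


def report(data):
    """One line per hit, with the decoded uImage fields where applicable."""
    lines = []
    for off, desc in scan_dump(data):
        line = "0x%08x  %s" % (off, desc)
        info = parse_uimage(data, off)
        if info:
            line += "  name=%r size=0x%x load=0x%08x arch=%d comp=%d" % (
                info["name"], info["size"], info["load"],
                info["arch"], info["comp"])
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Usage: python3 scan_dump.py dump.bin   (no argument: use the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_dump()
    print("\n".join(report(data)))
```

Once you know where a SquashFS or UBI region starts, `dd` with that offset carves it out and `unsquashfs` or `ubireader` unpacks it. Before trusting any dump, read the chip twice and compare the hashes; a loose clip gives silently corrupted reads.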

LAN ports dead; tried everything, doesn't work. It doesn't detect any active LAN port, configured or not, when in boot mode or in the bootloader generally, at least on my device. Even with httpd as the password, as the last post mentioned.

This is firmware from another model.
I never tried to make a new firmware, so my knowledge is limited.


I know, but we can learn something for other ZXHN devices. If you have a USB male-to-male cable, try connecting it to a PC and see if it shows anything like a serial interface. A lot of hardware uses that flashing method even when dead, like modern motherboards. I had Amlogic devices which were the same. If you don't have one, I'll cut up a cable to check. But again, I hesitate. If this were the case it would be with special software. I give up on other methods; only existing exploits for running services are worth a try for me, the rest is a waste of time. Let me know whenever you read the firmware from the chip. A good hacker could easily bypass that whole password encryption with JavaScript, btw. Sucks I'm not good enough.

Hi all,
I've come across this topic since I have the same hardware and I'm willing to get OpenWRT onto my router. I've checked all the hardware and here is the list:

  • Wifi Chipset: MT7915DAN and MT7975DN
  • RAM: NT5CC128M16JR 2GB 1866Mhz Datasheet

The CPU has a heat sink glued on and I cannot see the SoC number :\
Does anyone have the SoC model? Is it ARM, x64 or x86?

Is there a reference guide on how to generate a firmware with OpenWRT?

Here is the hardware:

Thanks

Hi all, after looking for a while I found this EN751627 in the boot log, which I guess is the SoC model.
I got this from an online search:
Source: http://en.techinfodepot.shoutwiki.com/wiki/MediaTek/SoC

My only concern is whether both chips are the same. Could anyone confirm this please?

EDIT: Apparently they are the same chip; this router has the same number in the boot log and a similar PCB:
https://openwrt.org/inbox/toh/zyxel/zyxel_vmg8825-t50

I just wrote an email to ZTE asking about the tools used to build the firmware.
There is a manual on how to start building a new target in OpenWRT:
https://openwrt.org/inbox/toh/zyxel/zyxel_vmg8825-t50

There is no support for Econet SoCs in OpenWrt so far (yes, they've been bought by MediaTek, but the SoCs have a different heritage and aren't supported yet), so you'd be looking at a steep learning curve.

Hello slh, thanks for your reply

I emailed my ISP, the importer of the device and the headquarters in China asking for the SDK, as is suggested in the reference guide (see link).

Assuming I could get the SDK, would it be feasible to add OpenWRT support for this chip? Or am I on the wrong path?

Everything is 'possible', but only if you have enough time to bring up a new target (and it's questionable if you'll get the xDSL driver source in the first place). Even if you were familiar with this, you'd be looking at 6-9 months development time at best.

Long standing wisdom about Econet has always been "run away".

Hi to all,
As previously noted by isas, OpenWRT has already run on the Econet 7516: https://openwrt.org/inbox/toh/zyxel/zyxel_vmg8825-t50.


What makes you believe that?

There is no indication in that device page about OpenWrt at all, but there is a very explicit "OpenWrt support: Not supported.".


Thanks all for the help; apparently there is no support for Econet SoCs.

However, I found several posts with work in progress for Econet SoCs.

For now I'm following this reference guide
https://openwrt.org/docs/guide-developer/add.new.platform

And I'm following this post, which has good information about Econet:
https://forum.openwrt.org/t/adding-openwrt-support-for-ancatus-a6-wifi-6-ax1800-ax3/104649/25

I'll keep looking at what I can find in the wild.
Meanwhile I'm waiting for ZTE's response; I'm getting fast replies.

Thanks for helping me out to identify the SoC.
I'll keep you posted.


@isas @anon75569510

any news about this router?

@isas : did they reply to your emails?

I work now on the H369A; I faced the same problem. Here is a link to the topic, but I was able to extract the firmware from NAND and I got the root files. I may help you if I can, of course.

I hope I can add this new platform to OpenWrt one day.

I have in my hands a successful dump of the WSON8 EEPROM.

It's half a GB. I don't know if it will let me upload it here.

@saladin @isas @filippos are you still working on it? If so, I could upload the .bin to WeTransfer or similar and send it over.

No, I was busy improving my knowledge of how to build efficient Linux device drivers. For now I have put the whole project on hold because of the unavailability of vendor documentation on the hardware, device drivers and DTS files required to build OpenWrt for this router. Maybe (and I hope) I'll get back to it, because the router has very good hardware capabilities.

Just want to add that I am also an owner of the ZTE H1600 and very interested in OpenWRT, among other things. I would like to provide any assistance I can.