OpenWrt support for Zyxel LTE5398-M904

Hi, i've buyed the Zyxel LTE5398-M904. I searched the forum and finded nothing. The system to get into root shell is the same as the NR7101, the cpu is the same MT7621, the modem is a Quectel LTE cat 18 that work perfectly in openwrt. I'm asking if it's possible to compile a version compatible with my device. I'm not capable myself... is anyone interested? Thanks a lot (sorry for duplication i've posted this topic also inside NR7101 posts).

Bye for now and thanks all


I've buyed it too, looking to test everything if needed. Looking forward to LTE5398 support on new snapshot builds :stuck_out_tongue:



Most probably the way to generate the root password as changed. Bought a couple of days ago an LTE5398-M904 and the login/password was not admin/1234 anymore but admin/wifi network password...
The python script found there [] gives incorrect root passwords.


@ctolzane so I bought this router 2 days ago. I've found a way to still obtain root access in new firmware:

reading I understood that all password, even for root and supervisor users are contained into the zcfg_config.json file. Actually in my router accessing this file is much simple: just set up FTP by webgui, access FTP as admin user (I used MiXplorer on Android for example) and zcfg_config.json is just here. The absurd thing: it has rw permission even with admin user! So just open it and copy the encrypted password under the root user (not the default password as per the guide linked, that's the same that you can calculate with the emulator). Now we can decrypt this encrypted password just by using the DynamicDNS as oracle explained in the guide: set a fake DDNS in webgui. Download the backup file. Open the backup file and replace the encrypted password under DynamicDNS with our encrypted password of root user copied before. Now save and restore the file from webgui. Go to ddns settings and just read the password: it's clear. As simple as that!

I still hope someone can build openwrt for it, or if and when I've time I could learn and do it myself

1 Like

@Manu99it I think this security hole has been fixed in the latest firmware revision. But not sure. I still own this router but don't use it anymore. Anyway well done !

It seems they have fixed smb but there's nothing about FTP. However they probably fixed that too. Do you know if updating to latest firmware the root password change? Now that I've gained access I'm reluctant to update. Even if probably you can downgrade there's always the possibility that the config file could remain unreadable by admin if permissions are changed

Pretty sure this device can be flashed the same way the NR7101 can, in case none of the password retrieval methods work: Method to flash any NR7101

But note that this most likely writes to both firmware partitions like it does on the NR7101. So don't try unless you have some other way to get a copy of the original firmware. Or don't care about that...


Passwords are strored in nvram and can be modified with CLI commands.

But while updating the firmware I don't know if new random root/admin are generated or not. So there is a risk ... and then I would suggest not to try any firmware update unless bugs corrected are blockers for you.

1 Like

sorry maybe a stupid question when and if the device will be switched to Openwrt:

Zyxel LTE5398-M904

I have this device with root access,
what should you know to port to Openwrt ?

what features do i lose with an openwrt install on this ?

thanks to all the developers.

When someone who owns it get their hands dirty, someone like you.

Question is, what you should know ...

You're the guy with the device ...

1 Like

I'm sorry but my skills are not high enough to allow me to carry out the porting

since in this period some zyxel models are added to Openwrt, I was wondering if someone has already started doing it (a developer)

surely I don't have the adequate knowledge, I can still help you/help me if possible for a possible debug if instructed how do it

Thank you

Hoping to do something useful, I attach what I have been able to deduce about the router

The Zyxel LTE5398-M904 router featuring 2 Ethernet ports + 1 rj11 port for phone


  • CPU:
    cat /proc/cpuinfo
    system type : MT7621
    cpu model : MIPS 1004Kc V2.15
    BogoMIPS : 583.68

  • RAM: 256MB DDR3
    total used free shared buffers
    Mem: 254816 112592 142224 0 0
    -/+ buffers: 112592 142224
    Swap: 0 0 0

  • Wi-Fi 2.4Ghz: lsmod | grep mt7603e
    mt7603e 1435234 0

  • Wi-Fi 5Ghz: lsmod | grep mt7615e
    mt7615e 3746894 0

  • Switch: MT7530 2x1Gbit Ports
    switch | grep mt7530

  • WWAN: Quectel EG18 Revision: EG18EAPAR01A08M4G (atcmd ati)

  • USB: 1x optional USB2.0 external port

  • Switches/Buttons: WPS, Reset, Power Switch

  • LEDs: Power, Wi-Fi, Data, Signal 1-5, Phone

uname -a
Linux LTE5398-M904 3.10.14 #1 SMP Tue Jun 28 10:51:01 CST 2022 mips GNU/Linux

zycli swversion show

Bus 001 Device 003: ID 18a5:0302 Verbatim, Ltd
Bus 002 Device 002: ID 2c7c:0512
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

cat /proc/mtd
dev: size erasesize name
mtd0: 07f80000 00020000 "ALL"
mtd1: 00080000 00020000 "Bootloader"
mtd2: 00080000 00020000 "Config"
mtd3: 00040000 00020000 "Factory"
mtd4: 01ec0000 00020000 "Kernel"
mtd5: 01ec0000 00020000 "Kernel2"
mtd6: 00100000 00020000 "wwan"
mtd7: 01000000 00020000 "data"
mtd8: 00100000 00020000 "rom-d"
mtd9: 00080000 00020000 "reserve"

1 Like

just to bring to attention:

1 Like

I needed a LTE-A router and found this model having a Cat 18 LTE modem at an excellent price point. I was missing VPN functionality in the OEM firmware so I thought it would be great if it could run OpenWRT.

Huge thanks to @bmork for all his work, especially around NR7101 which is very similar to this device.

I've been running OpenWRT for a week now and haven't noticed any issues so far. I cannot really compare it to OEM firmware as I didn't have it running for more than a couple of hours after I unboxed it :slight_smile:

I hope the PR gets reviewed in the near future.


In the meantime, can you give me some feedback on stability:
of the LTE connection
router stability (general)
management of both front and rear LEDs
VLAN management (DSA or swconfig)
installed software packages for SMS management
other information you think is useful to share

migration process from official firmware to Openwrt
and possible process from Openwrt to official firmware

and thanks again for your porting which I hope will be included in Openwrt in a reasonable time

Based on the past few weeks of experience:

  • LTE stability: for me the LTE is very stable, but I haven't had a chance to load test it seriously yet as my router is not in "production" environment yet. Performance will probably be tied to the Quectel firmware version and interoperability, so probably similar to OEM. That said I haven't seen any disconnects so far.
  • Router stability: haven't observed any crashes, looks stable. Again, I don't run a lot of software on it either other than Luci, wireguard, modemmanager and watchcat and those are stable.
  • Front leds are fully manageable from OpenWRT (so you can switch them all off if you want). I have tried to mimic the OEM behaviour so by default:
    -- power LED is solid green, blinks during early boot (by bootloader) and during failsafe timers (by OpenWRT)
    -- power LED is solid blue when rear USB port is in use (as in OEM)
    -- Internet LED blinks on wwan0 activity, but doesn't light up when internet is connected. I've initially used netdev LED trigger for link too, but that's almost always up even when upper layer 4G data connection is down (e.g. even when no SIM is inserted) so by default it will only blink on activity. I will look into improving this later if I find some time.
    -- LTE signal strength LED is not used. Same as for Internet, I may look into improving this if I find time.
    -- WiFi LED blinks on 5GHz wifi activity.
    -- Have in mind that in LEDs with multiple colors (power, signal), the color LEDs are controlled individually so you can get "additional" colors by concurrently switching on multiple base color LEDs.
  • Rear LAN port LEDs are controlled by hardware. See for more details
  • VLANs are managed by DSA
  • By default no SMS software is installed, just minimal QMI wwan0 config. It's up to the user to use whatever they like. I've used modemmanager to read SMS but that's about it from my side.
  • Serial console pins headers are absent and the pin holes are filled with solder. I was able to make it work by pushing pin headers against those solder contacts with one hand and typing with the other, which is far from easy but it's doable if you don't want to solder and don't need to use the console a lot.

Installation process is pretty much the same as with NR7101 as described in the Wiki, just the default IPs/ports might be different:

Reverting should be similar but I haven't tested it:

Keep in mind that the flash is NAND so don't use cat or dd.

1 Like

If anyone would be interested, we can try to add support for this Quectel EG18-EA LTE-A Cat. 18 modem to the packages from my github ( Important, my packages do not work with modemmanager.

1 Like

from my point of view all excellent news

I can't wait to try Openwrt on this router
because with my operator's SIM it sometimes disconnects
on its own and to restore the connection I am forced to reboot

I couldn't understand this sentence:

so I won't be able to turn off the rear LEDs


it means that I cannot consider an image made
with dd to be useful if so,
how can I make a backup before making any changes
I have no serial console,
I only have access to the original firmware with ssh to the root user

and thank you again

for now I'm more interested in having a working Openwrt
on the router in question

I'm in favor

but I hope (if possible) that all your wonderful packages will be directly added official Openwrt packages without going through any additional repositories

Not at the moment. I've seen some discussion around that so we'll see:

More details are available here:

I don't have the OEM firmware readily available but I believe mtd_write command had some options for reading flash and writing to file. Alternatively, you could download a statically compiled busybox which contains nanddump and use that. For example I used but I don't guarantee for this repo.

1 Like