Hi, I've bought the Zyxel LTE5398-M904. I searched the forum and found nothing. The system to get into a root shell is the same as on the NR7101, the CPU is the same MT7621, and the modem is a Quectel LTE Cat 18 that works perfectly in OpenWrt. I'm asking if it's possible to compile a version compatible with my device. I'm not capable myself... is anyone interested? Thanks a lot (sorry for the duplication, I've also posted this topic in the NR7101 thread).
Most probably the way to generate the root password has changed. I bought an LTE5398-M904 a couple of days ago and the login/password was not admin/1234 anymore but admin/wifi network password...
The python script found there [https://github.com/boginw/zyxel-vmg8825-keygen] gives incorrect root passwords.
@ctolzane so I bought this router 2 days ago. I've found a way to still obtain root access in new firmware:
Reading https://th0mas.nl/2020/03/26/getting-root-on-a-zyxel-vmg8825-t50-router/#fnref:1 I understood that all passwords, even for the root and supervisor users, are contained in the zcfg_config.json file. Actually, on my router accessing this file is much simpler: just set up FTP in the web GUI, access FTP as the admin user (I used MiXplorer on Android, for example) and zcfg_config.json is right there. The absurd thing: it has rw permission even for the admin user! So just open it and copy the encrypted password under the root user (not the default password as per the linked guide, that's the same one that you can calculate with the emulator). Now we can decrypt this encrypted password just by using DynamicDNS as an oracle, as explained in the guide: set a fake DDNS in the web GUI. Download the backup file. Open the backup file and replace the encrypted password under DynamicDNS with the encrypted password of the root user copied before. Now save and restore the file from the web GUI. Go to the DDNS settings and just read the password: it's in the clear. As simple as that!
I still hope someone can build OpenWrt for it, or if and when I have time I could learn and do it myself.
@Manu99it I think this security hole has been fixed in the latest firmware revision. But I'm not sure. I still own this router but don't use it anymore. Anyway, well done!
It seems they have fixed SMB but there's nothing about FTP. However, they probably fixed that too. Do you know if the root password changes when updating to the latest firmware? Now that I've gained access I'm reluctant to update. Even if you can probably downgrade, there's always the possibility that the config file could remain unreadable by admin if permissions are changed.
Pretty sure this device can be flashed the same way the NR7101 can, in case none of the password retrieval methods work: Method to flash any NR7101
But note that this most likely writes to both firmware partitions like it does on the NR7101. So don't try unless you have some other way to get a copy of the original firmware. Or don't care about that...
Passwords are stored in nvram and can be modified with CLI commands.
But while updating the firmware I don't know if new random root/admin are generated or not. So there is a risk ... and then I would suggest not to try any firmware update unless bugs corrected are blockers for you.
uname -a
Linux LTE5398-M904 3.10.14 #1 SMP Tue Jun 28 10:51:01 CST 2022 mips GNU/Linux
zycli swversion show
V1.00(ABQV.2)C0
lsusb
Bus 001 Device 003: ID 18a5:0302 Verbatim, Ltd
Bus 002 Device 002: ID 2c7c:0512
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
I needed an LTE-A router and found this model having a Cat 18 LTE modem at an excellent price point. I was missing VPN functionality in the OEM firmware so I thought it would be great if it could run OpenWRT.
Huge thanks to @bmork for all his work, especially around NR7101 which is very similar to this device.
I've been running OpenWRT for a week now and haven't noticed any issues so far. I cannot really compare it to OEM firmware as I didn't have it running for more than a couple of hours after I unboxed it.
In the meantime, can you give me some feedback on stability:
-- of the LTE connection
-- router stability (general)
-- management of both front and rear LEDs
-- VLAN management (DSA or swconfig)
-- installed software packages for SMS management
-- other information you think is useful to share
-- migration process from official firmware to OpenWrt
-- and possible process from OpenWrt to official firmware
And thanks again for your porting, which I hope will be included in OpenWrt in a reasonable time.
LTE stability: for me the LTE is very stable, but I haven't had a chance to load test it seriously yet as my router is not in "production" environment yet. Performance will probably be tied to the Quectel firmware version and interoperability, so probably similar to OEM. That said I haven't seen any disconnects so far.
Router stability: haven't observed any crashes, looks stable. Again, I don't run a lot of software on it either other than Luci, wireguard, modemmanager and watchcat and those are stable.
Front LEDs are fully manageable from OpenWRT (so you can switch them all off if you want). I have tried to mimic the OEM behaviour so by default:
-- power LED is solid green, blinks during early boot (by bootloader) and during failsafe timers (by OpenWRT)
-- power LED is solid blue when rear USB port is in use (as in OEM)
-- Internet LED blinks on wwan0 activity, but doesn't light up when internet is connected. I've initially used netdev LED trigger for link too, but that's almost always up even when upper layer 4G data connection is down (e.g. even when no SIM is inserted) so by default it will only blink on activity. I will look into improving this later if I find some time.
-- LTE signal strength LED is not used. Same as for Internet, I may look into improving this if I find time.
-- WiFi LED blinks on 5GHz wifi activity.
-- Keep in mind that in LEDs with multiple colors (power, signal), the color LEDs are controlled individually so you can get "additional" colors by concurrently switching on multiple base color LEDs.
By default no SMS software is installed, just minimal QMI wwan0 config. It's up to the user to use whatever they like. I've used modemmanager to read SMS but that's about it from my side.
Serial console pin headers are absent and the pin holes are filled with solder. I was able to make it work by pushing pin headers against those solder contacts with one hand and typing with the other, which is far from easy but it's doable if you don't want to solder and don't need to use the console a lot.
Installation process is pretty much the same as with NR7101 as described in the Wiki, just the default IPs/ports might be different:
Reverting should be similar but I haven't tested it:
Keep in mind that the flash is NAND so don't use cat or dd.
If anyone would be interested, we can try to add support for this Quectel EG18-EA LTE-A Cat. 18 modem to the packages from my github (https://github.com/4IceG). Important, my packages do not work with modemmanager.
I can't wait to try OpenWrt on this router, because with my operator's SIM it sometimes disconnects on its own and to restore the connection I am forced to reboot.
I couldn't understand this sentence:
so I won't be able to turn off the rear LEDs
and
it means that I cannot consider an image made with dd to be useful; if so, how can I make a backup before making any changes?
I have no serial console, I only have access to the original firmware with ssh to the root user.
For now I'm more interested in having a working OpenWrt on the router in question.
I'm in favor, but I hope (if possible) that all your wonderful packages will be directly added to the official OpenWrt packages without going through any additional repositories.
Not at the moment. I've seen some discussion around that so we'll see:
More details are available here:
I don't have the OEM firmware readily available but I believe mtd_write command had some options for reading flash and writing to file. Alternatively, you could download a statically compiled busybox which contains nanddump and use that. For example I used https://github.com/EXALAB/Busybox-static but I don't guarantee for this repo.
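A sketch of the nanddump-based backup suggested above, as an added example that is not part of any post in this thread. It assumes a `nanddump` and `sha256sum` binary on the PATH and a writable output directory such as a mounted USB stick; the `/proc/mtd` sample, the `/mnt/usb` path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: back up every MTD partition with nanddump (not cat/dd).
# Constructed /proc/mtd sample; names and sizes are made up, not this device's.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00080000 00020000 "Bootloader"
mtd1: 00080000 00020000 "Config"
mtd2: 02800000 00020000 "Kernel"'

# Read /proc/mtd-format text on stdin, print "device size_in_bytes name".
list_mtd() {
    while read -r dev size _erase name; do
        case "$dev" in
            mtd[0-9]*:) ;;          # partition row
            *) continue ;;          # header line or anything else
        esac
        dev=${dev%:}
        name=${name#\"}; name=${name%\"}
        echo "$dev $((0x$size)) $name"
    done
}

# Dump each partition listed on stdin into directory $1 and record SHA-256 sums.
# DRY_RUN=1 prints the commands instead of running them.
backup_mtd() {
    outdir=$1
    list_mtd | while read -r dev bytes name; do
        out="$outdir/$dev.bin"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "nanddump -f $out /dev/$dev  # $name, $bytes bytes"
            continue
        fi
        # OOB and bad-block defaults differ between nanddump builds;
        # check its help output and use the same options for every dump.
        nanddump -f "$out" "/dev/$dev" || { echo "dump of $dev failed" >&2; exit 1; }
        ( cd "$outdir" && sha256sum "$dev.bin" >> SHA256SUMS ) || exit 1
    done
}

# On the router: sh mtd-backup.sh --run /mnt/usb   (hypothetical script name and mount point)
if [ "${1:-}" = "--run" ]; then
    backup_mtd "${2:?output directory}" < /proc/mtd
fi
```

Copy the dumps and the SHA256SUMS file off the router and re-check the hashes there before flashing anything.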