OpenWrt support for Zyxel LTE5398-M904

Hi, I've bought the Zyxel LTE5398-M904. I searched the forum and found nothing. The system to get into the root shell is the same as on the NR7101, the CPU is the same MT7621, and the modem is a Quectel LTE Cat 18 that works perfectly in OpenWrt. I'm asking if it's possible to compile a version compatible with my device. I'm not capable myself... is anyone interested? Thanks a lot (sorry for the duplication, I've also posted this topic inside the NR7101 posts).

Bye for now and thanks all

I've bought it too, and I'm willing to test everything if needed. Looking forward to LTE5398 support on new snapshot builds :stuck_out_tongue:

1 Like

Hi,

Most probably the way to generate the root password has changed. I bought an LTE5398-M904 a couple of days ago and the login/password was not admin/1234 anymore but admin/wifi network password...
The Python script found here [https://github.com/boginw/zyxel-vmg8825-keygen] gives incorrect root passwords.

Sad.
Christophe.

@ctolzane so I bought this router 2 days ago. I've found a way to still obtain root access in the new firmware:

Reading https://th0mas.nl/2020/03/26/getting-root-on-a-zyxel-vmg8825-t50-router/#fnref:1 I understood that all passwords, even for the root and supervisor users, are contained in the zcfg_config.json file. Actually, on my router accessing this file is much simpler: just set up FTP via the webgui, access FTP as the admin user (I used MiXplorer on Android, for example) and zcfg_config.json is right there. The absurd thing: it has rw permission even for the admin user! So just open it and copy the encrypted password under the root user (not the default password as per the linked guide, that's the same one that you can calculate with the emulator). Now we can decrypt this encrypted password just by using the DynamicDNS as an oracle, as explained in the guide: set a fake DDNS in the webgui. Download the backup file. Open the backup file and replace the encrypted password under DynamicDNS with the encrypted password of the root user copied before. Now save and restore the file from the webgui. Go to the DDNS settings and just read the password: it's in the clear. As simple as that!

I still hope someone can build OpenWrt for it, or if and when I have time I could learn and do it myself.

1 Like

@Manu99it I think this security hole has been fixed in the latest firmware revision. But I'm not sure. I still own this router but don't use it anymore. Anyway, well done!


It seems they have fixed SMB but there's nothing about FTP. However, they probably fixed that too. Do you know if the root password changes when updating to the latest firmware? Now that I've gained access I'm reluctant to update. Even if you can probably downgrade, there's always the possibility that the config file could remain unreadable by admin if permissions are changed.

Pretty sure this device can be flashed the same way the NR7101 can, in case none of the password retrieval methods work: Method to flash any NR7101

But note that this most likely writes to both firmware partitions like it does on the NR7101. So don't try unless you have some other way to get a copy of the original firmware. Or don't care about that...

3 Likes

Passwords are stored in NVRAM and can be modified with CLI commands.

But I don't know whether new random root/admin passwords are generated when updating the firmware. So there is a risk... and so I would suggest not trying any firmware update unless the bugs corrected are blockers for you.

1 Like