OpenWrt support for Zyxel PMG5617GA, first GPON support!?

Hello everyone,

I'm not a very skilled developer, but I try my best and hope to get some help. Like the title says, I'm trying to bring the PMG5617GA into the OpenWRT mainstream, and this project has three goals:

  1. To build a fully featured OpenWRT image supporting all or most of the hardware features.
  2. To be able to see and tweak the xPON capabilities in LuCI (serial number spoofing, MAC spoofing, SLID, LOID & PLOAM user and password, SNR details, temperature, wavelength? (or at least the ITU standard)...).
  3. To expose the lowest level of OMCI fiber transmission.

I've tentatively created the wiki for the router with Bootlog, pictures and all the chip details here: https://openwrt.org/inbox/toh/zyxel/zyxel_pmg5617ga

Also, I've hosted the OEM GPL source code here:

Courtesy of the Zyxel team. Since the firmware is already based on OpenWRT Barrier Breaker (14.07) and most of the chips have some sort of open source drivers, it should be fairly straightforward (at least it's not Broadcom).
This is huge as this could bring the first Fiber/GPON router to OpenWRT.

Let's get to work, gentlemen!


Should the first step of the process involve dumping the contents of the flash ROM to find out at what offsets the static partitions (MAC address, router serial number, WiFi calibration data...) are? Also, is it the same if I want to back up the ROM in case the router gets bricked?

The first step should always be to determine the flash layout and work out the recovery procedure. Ideally, if the stock bootloader is capable of booting custom kernels and has a functional shell, it should be easy and safe to experiment. However, you should have an alternative method at hand, like booting from UART (if supported) or direct access to the flash, especially if you plan to touch the bootloader.

So far, interrupting the boot process at

Hit any key to stop autoboot:  5

renders the following output:

ZHAL>

And typing a '?' will yield:

ATEN    x[,y]         set BootExtension Debug Flag (y=password)
ATSE    x             show the seed of password generator
ATDC                  disable check model mechanism
ATSH                  dump manufacturer related data in ROM
ATRT    [x,y,z,u]     RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
ATGO                  boot up whole system
ATSR    [x]           system reboot
ATUR    x[,y]         upgrade RAS image (filename, partition number)

This looks a lot like OpenWrt-style U-Boot, so it might be a modified bootloader. Know any magic commands to throw at it to gain some insight into its flash structure? All I know so far is that its size is 0x8000000.

OK, new discovery. After unlocking the bootloader following the instructions here (this method seems to be generic across all Zyxel routers): https://forum.archive.openwrt.org/viewtopic.php?id=47957&p=1
I've managed to unlock the extended command set:

ATBT    x             block0 write enable (1=enable, 0=disable)
ATWM    x             set MAC address in working buffer
ATEN    x[,y]         set BootExtension Debug Flag (y=password)
ATSE    x             show the seed of password generator
ATDC                  disable check model mechanism
ATWZ    x[,y,z,a,b,c] write ZyXEL MAC addr, Country code, EngDbgFlag, FeatureBit, MAC Number, boot flag
ATCB                  copy from FLASH to working buffer
ATSB                  save working buffer to FLASH
ATSH                  dump manufacturer related data in ROM
ATCO    x             set country code in working buffer
ATCF    x             set boot flag in working buffer
ATSN    x             set serial number in FLASH ROM
ATGS    x,y           set gpon serial number in FLASH ROM
ATGU                  go back to master loader
ATCR                  erase data partition
ATRT    [x,y,z,u]     RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
ATGO                  boot up whole system
ATSR    [x]           system reboot
ATUR    x[,y]         upgrade RAS image (filename, partition number)
ATUB    x             upgrade ZLD image (filename)
ATUD    x             upgrade ROMD image (filename)
ATCD                  erase RomD partition
ATUM    x             upgrade ROMFILE image (filename)
ATCM                  erase ROMFILE partition
ATLD    x,[y]         load file X to memory address Y via TFTP
ATMB    [x,y]         upgrade firmware image by multiboot
ATDU    x[,y]         dump memory or registers
ATWW    x,y,z         set memory or registers(x=address, y=value, z=len)
ATER    x,y           erase flash from block X to block Y
ATRF    x,y[,z]       read/dump flash to ram/console(x=flash offset, y=len, z=ram address)
ATWF    x,y,z         write data from RAM to flash(x=RAM address, y=flash offset, z=len)
ATDS    x,y           dump data of spare area in page Y of block X
ATCMP   x,y,z         compare two memory space x and y with length is z
ATLED   [x,y]         set LED (x=led no, y=blink mode)
ATPIO   x[,y[,z]]     set GPIO (x={d|s|w|r}, y=pio num, z=write data)
ATSW                  swap boot image to another partition.
ZHAL>

It's a bit overwhelming, so I'm still looking for the flash layout command. Judging by this link https://openwrt.org/docs/techref/flash.layout I now have to find a way to access the Linux environment/root and run cat /proc/mtd.

Can you open the ONT and physically identify the flash to determine its make and size?

Since the ATRF command allows you to see the contents of the flash, maybe you can display it on the screen and convert it to a binary file. Then you can try binwalk to learn the layout of the flash.

I saw such a script somewhere on github, but I can't find it.
Something similar is described here.
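The "display it on the console and convert it to a binary file" step from the post above, as an added example that is not from the thread or from Zyxel: a small Python converter for a serial capture. It assumes the dump lines have the conventional `offset: byte byte ... |ascii|` layout (the real ATRF output format is not shown in the thread, so this is an assumption); prompt echo and status lines are skipped, non-contiguous offsets are reported and padded with the erased-flash value 0xFF, and the result can be written out for binwalk.

```python
import re
from pathlib import Path

# Constructed sample of a serial capture (not real ATRF output): prompt noise
# plus two dump lines in the assumed "offset: bytes  |ascii|" layout.
SAMPLE_CAPTURE = """\
ZHAL> ATRF 0,32
00000000: 27 05 19 56 00 00 00 00 5a 59 58 45 4c 00 00 00  |'..V....ZYXEL...|
00000010: 00 08 00 00 80 02 00 00 80 02 00 00 00 00 00 00  |................|
ZHAL>
"""

# A dump line starts with a 4..8 digit hex offset followed by a colon.
DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4,8}):\s+(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_hexdump(text):
    """Return (image_bytes, warnings) for a captured console dump.

    Lines that do not look like dump lines (prompts, command echo, status
    messages) are ignored. Gaps between consecutive offsets are padded with
    0xFF so the offsets in the result still match the flash offsets; lines
    that go backwards (e.g. a re-run command) are skipped.
    """
    image = bytearray()
    warnings = []
    expected = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DUMP_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        chunk = bytearray()
        for token in m.group(2).split():
            if not HEX_BYTE.match(token):
                break  # ASCII column or decoration: stop at first non-byte token
            chunk.append(int(token, 16))
        if expected is not None and offset != expected:
            warnings.append(f"line {lineno}: expected offset {expected:#x}, got {offset:#x}")
            if offset < expected:
                continue
            image.extend(b"\xff" * (offset - expected))
        image.extend(chunk)
        expected = offset + len(chunk)
    return bytes(image), warnings


def write_image(text, out_path):
    """Convert a capture to a binary file; returns the number of bytes written."""
    data, warnings = parse_hexdump(text)
    for w in warnings:
        print("warning:", w)
    Path(out_path).write_bytes(data)
    return len(data)


if __name__ == "__main__":
    n = write_image(SAMPLE_CAPTURE, "flash_dump.bin")
    print(f"wrote {n} bytes; now run: binwalk flash_dump.bin")
```

The gap padding matters for the layout step: if a few lines are lost in the capture and the missing range is simply dropped, every later offset that binwalk reports is shifted and no longer matches the flash. Re-capture any range that produced a warning before trusting the image.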

Sorry it took me a while to reply. I've been busy with work and trying to work this thing out, but now I'm going all out for this project.
I've already taken pics of the PCB and written the details for each chip, including the NAND flash, in the Hardware info table of the wiki here: https://openwrt.org/inbox/toh/zyxel/zyxel_pmg5617ga

As for the ATRF command, I'm trying different combinations of commands to see how I can dump it to the USB stick, but no success so far; it always returns a fail. Google doesn't help me decipher these command line syntaxes through any official documentation either. All I know so far is that the flash ROM has a size of 0x8000000, and running the ATRT command only spits out:

DRAMTest.. level 4 from 0x80020000 to 0x83e00000 1 iterations
Iteration 1: ...Testing...063360K ...OK

This is usually the way out, depending on what the "master loader" is. You might be able to get a U-Boot or CFE shell.

F*cking brilliant bro, how did I miss that?
Seems that ATGU sends me one abstraction level lower and prompts: bldr>_
After throwing a ? command, I'm greeted with:

?                                   Print out help messages.
help                                Print out help messages.
go                                  Booting the linux kernel.
decomp                              Decompress kernel image to ram.
reboot <sec>                        Reboot after some seconds.
memrl <addr>                        Read a word from addr.
memwl <addr> <value>                Write a word to addr.
dump <addr> <len>                   Dump memory content.
jump <addr>                         Jump to addr.
flash <dst> <src> <len> <oob>       Write to flash from src to dst(oob: write nand oob if 1).
imginfo                             Show images info.
xmdm <addr> <len>                   Xmodem receive to addr.
miir <phyaddr> <reg>                Read ethernet phy reg.
miiw <phyaddr> <reg> <value>        Write ethernet phy reg.
cpufreq <freq num> / <m> <n>        Set CPU Freq <156~450>(freq has to be multiple of 6)
ipaddr <ip addr>                    Change modem's IP.
ddrdrv <..>                         Change DDR driving length
mtd
zloader                             run zloader

and after throwing a "mtd" command, I'm finally greeted with:

0x00000000-0x00040000 : "bootloader"
0x00040000-0x00080000 : "romfile"
0x00080000-0x001e120b : "kernel"
0x001e120b-0x0127120b : "rootfs"
0x00080000-0x03880000 : "tclinux"
0x03880000-0x039e122a : "kernel_slave"
0x039e122a-0x04a7122a : "rootfs_slave"
0x03880000-0x06f40000 : "tclinux_slave"
0x06f40000-0x07040000 : "wwan"
0x07040000-0x07440000 : "data"
0x07440000-0x07540000 : "rom-d"
0x07540000-0x075c0000 : "reservearea"

Seems that zloader sends me back to the ZHAL>_ prompt.
We're getting somewhere.
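Added example (not from the thread or from Zyxel): a Python checker for the `mtd` table above. It parses the `0xstart-0xend : "name"` lines, reports each partition's size, which ranges overlap (here the "tclinux" ranges contain their kernel and rootfs), which boundaries are not erase-block aligned, and which part of the 0x8000000 flash is not covered by any listed partition. The 128 KiB erase block is an assumption (a common NAND erase size), not a value from the thread; pass the real one once the chip datasheet confirms it. Knowing these ranges is what makes a backup or a rewrite safe: a copy of "bootloader", "romfile" and "rom-d" should be taken before anything is written, and a write to one partition must not cross into a neighbour.

```python
import re
from dataclasses import dataclass

# The mtd table as printed by the bldr> shell in the post above.
MTD_TABLE = """\
0x00000000-0x00040000 : "bootloader"
0x00040000-0x00080000 : "romfile"
0x00080000-0x001e120b : "kernel"
0x001e120b-0x0127120b : "rootfs"
0x00080000-0x03880000 : "tclinux"
0x03880000-0x039e122a : "kernel_slave"
0x039e122a-0x04a7122a : "rootfs_slave"
0x03880000-0x06f40000 : "tclinux_slave"
0x06f40000-0x07040000 : "wwan"
0x07040000-0x07440000 : "data"
0x07440000-0x07540000 : "rom-d"
0x07540000-0x075c0000 : "reservearea"
"""

FLASH_SIZE = 0x8000000     # from the thread: the bootloader reports this size
ERASE_BLOCK = 0x20000      # assumption: 128 KiB NAND erase block, verify on the datasheet

MTD_LINE = re.compile(r'^\s*0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"\s*$')


@dataclass
class Partition:
    start: int
    end: int
    name: str

    @property
    def size(self):
        return self.end - self.start


def parse_mtd_table(text):
    """Parse /proc/mtd-style partition lines; other lines are ignored."""
    return [Partition(int(m.group(1), 16), int(m.group(2), 16), m.group(3))
            for m in map(MTD_LINE.match, text.splitlines()) if m]


def overlapping_pairs(parts):
    """Pairs of partitions whose byte ranges intersect (nested ranges count)."""
    return [(a.name, b.name) for i, a in enumerate(parts) for b in parts[i + 1:]
            if a.start < b.end and b.start < a.end]


def unaligned(parts, erase_block=ERASE_BLOCK):
    """Names of partitions with a start or end that is not erase-block aligned.

    Such a range cannot be erased on its own without touching its neighbour."""
    return [p.name for p in parts if p.start % erase_block or p.end % erase_block]


def uncovered_ranges(parts, flash_size=FLASH_SIZE):
    """(start, end) ranges of the flash that no listed partition covers."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p.start):
        if p.start > cursor:
            gaps.append((cursor, p.start))
        cursor = max(cursor, p.end)
    if cursor < flash_size:
        gaps.append((cursor, flash_size))
    return gaps


def report(text):
    parts = parse_mtd_table(text)
    lines = [f"{p.name:14} {p.start:#010x}-{p.end:#010x}  {p.size / 1024:10.1f} KiB"
             for p in parts]
    lines += [f"overlap: {a} <-> {b}" for a, b in overlapping_pairs(parts)]
    lines += [f"not erase-block aligned: {n}" for n in unaligned(parts)]
    lines += [f"not covered: {s:#010x}-{e:#010x}" for s, e in uncovered_ranges(parts)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(MTD_TABLE)))
```

The unaligned kernel/rootfs boundaries (ending at 0x001e120b and 0x039e122a) sit inside the aligned "tclinux" and "tclinux_slave" ranges, so a full backup should be taken over those parent ranges rather than over "kernel" and "rootfs" separately. The uncovered tail above "reservearea" is simply not described by the table; do not assume it is free.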

Just wondering, but what's the reasoning for picking this ONT over the rest? Is it easier to incorporate into OpenWRT? It seems like an older model with WiFi 5 support.

I wanted to work on a router with fiber and WiFi 5+, since they are so ubiquitous to OpenWrt, and this is what I could get my hands on at the time. Most ISP-provided fiber routers are WiFi 4. Also, Zyxel was kind enough to provide source code too, which can help. On top of that, EcoNet is new to OpenWrt, so adding it to upstream targets will help develop other devices too, like the Nokia G-240W-F.
My next project will be the D-LINK DVA-6800Z, which has WiFi 6 and GPON as well as VDSL.

I'm also trying to port OpenWrt to another EcoNet device. Do you have a teardown of your CPE? I'm interested in what kind of SoC model it is... EcoNet has many lines of chipsets that support various functions, and the documentation about them is pretty much non-existent.

Also, do you have a stock firmware image or a flash dump? Let's see if ZyXEL actually has OpenWrt working on their device.

My understanding of most ONTs that have an RG / WiFi built into them is that the GPON optical and data ONT side is controlled via the OMCI protocol from the OLT. So besides seeing the optical stats, I don't find much value in making that compatible with OpenWRT.

The RG/WiFi/LAN side would be extremely valuable to expose in OpenWRT. I would suggest doing this with a WiFi chip that is already supported on OpenWRT. I would prefer WiFi 6; MediaTek makes the most sense, but I don't know of a GPON ONT that has this same WiFi 6 MediaTek chip. Do you?

Again, it's on the wiki page. It's an EcoNet EN7526GT. You are right, the website hosting any details about EcoNet chips is long gone, and if anyone knows anything about SDKs, documentation... it's MediaTek, as they own the IP now.
As for the entire ROM dump, there is the dump command, but it only decompresses the LZMA kernel into RAM, and I'm not sure how to get it out of there (USB or TFTP).

So is it possible that there is an EcoNet ONT out there that has the MediaTek WiFi 6 chipsets that are widely supported in OpenWRT already? If so, how would one find such a model?

No, there aren't any officially supported EcoNet devices according to the list here:

Like I said before, this project, if it succeeds, will be a first for OpenWrt, as there is no 'econet' target and no router with a PON port. The most you will ever get is an SFP-based OpenWrt router from here: https://openwrt.org/toh/views/toh_sfp_ports
But SFP is just a generic expansion port (like PCI Express), and SFP modules are really just miniaturised routers with the potential to host OpenWrt on their own.
As for WiFi 6, it is still in its early stages for some manufacturers, as ONTs with WiFi 4 are still commonplace for Huawei, ZTE and Nokia.
Someone has worked on a build for the ZTE F660 here: OpenWrt now support ZTE F660 V3.0 and HGG420n and, as you can see, the PON port is still unmanageable. It may take a quantum leap to implement and standardise a generic PON API (something like the dsl_control file), but that's the challenging and exciting bit. (Let's be thankful it's not a Broadcom chipset.)

The really hard thing is to bring the EcoNet SoC to Linux 5.15 or newer. For Marvell there are already many useful drivers in Linux, which can be used after some simple patches. But with EcoNet, you need to do it yourself. Linux 2.6 is not a good choice.

Why does it seem like all the mainstream vendors (Realtek, MediaTek and Marvell) have their SDKs and testing OS on really old versions of Linux? Why don't they take the time internally to update to the latest kernel?

When you say unmanageable, do you just mean you can't configure the PON settings from the ONT GUI? That is fine, as they are normally pushed from the OLT to the ONT via OMCI. However, if the port doesn't accept commands and configuration from the OLT, then it's a bigger problem.

I guess you'd better ask me about that, because I'm the creator of OpenWrt for the ZTE F660. I use the mainline kernel with few patches, so the PON port can't work at all.