Porting OpenWrt to Zyxel VMG3925-B10B

Hello everyone, I've recently come into possession of a Zyxel VMG3925-B10B, and am interested in modifying it, hopefully to run OpenWrt on it.

Device Specifications

SoC: bcm43602kmlg (BCM63168D0, Broadcom BMIPS4350 V8.0)
RAM: Winbond W631GG6KB-15 (128 MB)
NAND: Winbond W29N01HVSINA (128 MB)

Boot Log (Modified FW)

I have modified the firmware slightly as mentioned below, so there might be extra lines referring to password changes, shell overriding, etc.
https://pastebin.com/q0AZWVW7

More Details
CFE> ATSH

Firmware Version       : V5.13(AAVF.12)C0
Bootbase Version       : V1.63 | 05/25/2018 17:40:14
Vendor Name            : ZyXEL Communications Corp.
Product Model          : VMG3925-B10B
Serial Number          : S174143005320
First MAC Address      : 5C6A80660A94
Last MAC Address       : 5C6A80660A9F
MAC Address Quantity   : 12
Default Country Code   : FF
Boot Module Debug Flag : 00
Kernel Checksum        : 00004C09
RootFS Checksum        : 0000678E
Rom-D Checksum         : 0000E0CF
Main Feature Bits      : 00
Other Feature Bits     :
80b5c940: 0405010d ffffffff ffffffff ffffffff    ................
80b5c950: ffffffff ffffffff ffffffff ffff         ..............

*** command status = 0
CFE> ATBL
Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.33  
Gateway IP address                :   
Run from flash/host/tftp (f/h/c)  : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 0  
Boot image (0=latest, 1=previous) : 0  
Default host ramdisk file name    :   
Default ramdisk store address     :   
Board Id (0-46)                   : 963168_VMG3925B  
Number of MAC Addresses (1-32)    : 12  
Base MAC Address                  : 5c:6a:80:66:0a:94  
PSI Size (1-128) KBytes           : 64  
Enable Backup PSI [0|1]           : 0  
System Log Size (0-256) KBytes    : 0  
Auxillary File System Size Percent: 0  
Main Thread Number [0|1]          : 0  
WLan Feature                      : 0x00  
Partition 1 Size (MB)             :   
Partition 2 Size (MB)             :   
Partition 3 Size (MB)             :   
Partition 4 Size (MB) (Data)      : 4MB  

*** command status = 0
# cat /proc/cmdline
ro noinitrd  irqaffinity=0
# cat /proc/cpuinfo
system type		: 963168_VMG3925B
processor		: 0
cpu model		: Broadcom BMIPS4350 V8.0
BogoMIPS		: 397.31
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 32
extra interrupt vector	: no
hardware watchpoint	: no
ASEs implemented	:
shadow register sets	: 1
kscratch registers	: 0
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

processor		: 1
cpu model		: Broadcom BMIPS4350 V8.0
BogoMIPS		: 403.45
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 32
extra interrupt vector	: no
hardware watchpoint	: no
ASEs implemented	:
shadow register sets	: 1
kscratch registers	: 0
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

# cat /proc/meminfo
MemTotal:         123156 kB
MemFree:           10220 kB
Buffers:               0 kB
Cached:            31872 kB
SwapCached:            0 kB
Active:            21640 kB
Inactive:          18848 kB
Active(anon):       8708 kB
Inactive(anon):        0 kB
Active(file):      12932 kB
Inactive(file):    18848 kB
Unevictable:          92 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          8716 kB
Mapped:             6736 kB
Shmem:                 0 kB
Slab:              62272 kB
SReclaimable:        948 kB
SUnreclaim:        61324 kB
KernelStack:        1648 kB
PageTables:          648 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       61576 kB
Committed_AS:      14976 kB
VmallocTotal:    1032116 kB
VmallocUsed:        9276 kB
VmallocChunk:    1006100 kB
# cat /proc/devices
Character devices:
  1 mem
  2 pty
  3 ttyp
  4 ttyS
  5 /dev/tty
  5 /dev/console
  5 /dev/ptmx
 10 misc
 90 mtd
108 ppp
128 ptm
136 pts
180 usb
189 usb_device
206 brcmboard
208 adsl
228 bcmxtmcfg
233 spu
238 bcmvlan
240 pwrmngt
241 bcmfap
242 fcache
243 ingqos
244 bpm
246 chipinfo
249 gmac
250 tms

Block devices:
259 blkext
  8 sd
 31 mtdblock
 65 sd
 66 sd
 67 sd
 68 sd
 69 sd
 70 sd
 71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd
# ls /sys/devices/platform
alarmtimer    bcmhs_spi.1   bcmleg_spi.0  brcmnand.0    uevent
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 03be0000 00020000 "rootfs"
mtd1: 03be0000 00020000 "rootfs_update"
mtd2: 00400000 00020000 "data"
mtd3: 00100000 00020000 "romfile"
mtd4: 00100000 00020000 "rom-d"
mtd5: 00100000 00020000 "wwan"
mtd6: 00020000 00020000 "nvram"
mtd7: 03be0000 00020000 "image"
mtd8: 03be0000 00020000 "image_update"
# uname -a
Linux VMG3925-B10B 3.4.11 #5 SMP PREEMPT Wed Jun 15 09:12:59 PDT 2022 mips GNU/Linux
# cat /sys/class/mtd/mtd*/offset # Linux 4.1 and newer, see note 2.
cat: can't open '/sys/class/mtd/mtd*/offset': No such file or directory
# ifconfig -a
bcmsw     Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:94
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:409 errors:0 dropped:0 overruns:0 frame:0
          TX packets:128 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:212511 (207.5 KiB)  TX bytes:25003 (24.4 KiB)
          Base address:0xda00

br0       Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:94
          inet addr:10.0.0.1  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::5e6a:80ff:fe66:a94/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:290 errors:0 dropped:0 overruns:0 frame:0
          TX packets:149 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:114929 (112.2 KiB)  TX bytes:28293 (27.6 KiB)

dsl0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          [NO FLAGS]  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:94
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:455 errors:0 dropped:0 overruns:0 frame:0
          TX packets:119 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:250069 (244.2 KiB)  TX bytes:20951 (20.4 KiB)


eth0.0    Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:94
          inet6 addr: fe80::5e6a:80ff:fe66:a94/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:294 errors:0 dropped:0 overruns:0 frame:0
          TX packets:128 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:117919 (115.1 KiB)  TX bytes:23875 (23.3 KiB)

eth1      Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:94
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


eth1.0    Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:94
          inet6 addr: fe80::5e6a:80ff:fe66:a94/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:254 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:122311 (119.4 KiB)

eth2      Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:94
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


eth2.0    Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:94
          inet6 addr: fe80::5e6a:80ff:fe66:a94/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:254 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:122311 (119.4 KiB)

eth3      Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:94
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


eth3.0    Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:94
          inet6 addr: fe80::5e6a:80ff:fe66:a94/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:254 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:122311 (119.4 KiB)

eth4      Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:96
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


ifb0      Link encap:Ethernet  HWaddr E6:14:FD:F1:20:BF
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ifb1      Link encap:Ethernet  HWaddr CE:BC:AD:3B:F1:82
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ip6tnl0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1452  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl0       Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:96
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:1 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:3668 (3.5 KiB)

wl1       Link encap:Ethernet  HWaddr 5C:6A:80:66:0A:95
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:15 Base address:0x4000

# ls /sys/class/net
bcmsw    br0      dsl0     eth0     eth0.0   eth1     eth1.0   eth2     eth2.0   eth3     eth3.0   eth4     ifb0     ifb1     ip6tnl0  lo       sit0     wl0      wl1
# brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.5c6a80660a94	no		eth0.0
							eth1.0
							eth2.0
							eth3.0
# cat /sys/kernel/debug/gpio     # GPIO information
cat: can't open '/sys/kernel/debug/gpio': No such file or directory

I have been able to modify the firmware to replace the locked down zysh with standard ash and replace the root password with hunter2!

Firmware V18 (stock, latest): https://www.dropbox.com/s/khknekq5g2p8uz1/V5.13(AAVF18)C0.zip
Firmware V11 & V12 source: https://github.com/trejan/VMG3925-B10B
However, after gaining root access, that's where I'm stuck. I'm interested in porting OpenWrt but I am not sure how to get started, and would like help with pointers on where to start.
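An added example, not part of the original post: summing the sizes in the `/proc/mtd` table quoted above against the 128 MB NAND shows that the listed partitions cannot all be distinct regions, which is worth knowing before writing to any of them, since `/sys/class/mtd/mtd*/offset` is not available on this kernel. The 128 MiB flash size is taken from the post's specifications; the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample: the /proc/mtd table copied from the post above.
MTD_TABLE='dev:    size   erasesize  name
mtd0: 03be0000 00020000 "rootfs"
mtd1: 03be0000 00020000 "rootfs_update"
mtd2: 00400000 00020000 "data"
mtd3: 00100000 00020000 "romfile"
mtd4: 00100000 00020000 "rom-d"
mtd5: 00100000 00020000 "wwan"
mtd6: 00020000 00020000 "nvram"
mtd7: 03be0000 00020000 "image"
mtd8: 03be0000 00020000 "image_update"'

# Assumption: 128 MiB NAND, as listed in the device specifications.
FLASH_BYTES=$((128 * 1024 * 1024))

# Sum the hex "size" column of a /proc/mtd table read from stdin.
mtd_total_bytes() {
    total=0
    while read -r dev size erase name; do
        case "$dev" in
            mtd[0-9]*:) total=$((total + 0x$size)) ;;  # skip the header line
        esac
    done
    echo "$total"
}

# Bytes by which the listed partitions exceed the physical flash.
# A positive value means some entries overlap or alias the same region.
mtd_overcommit_bytes() {
    listed=$(printf '%s\n' "$MTD_TABLE" | mtd_total_bytes)
    echo $((listed - FLASH_BYTES))
}

over=$(mtd_overcommit_bytes)
if [ "$over" -gt 0 ]; then
    echo "listed partitions exceed flash by $over bytes: entries overlap"
else
    echo "listed partitions fit in flash"
fi
```

On the device itself, feed `mtd_total_bytes` from `cat /proc/mtd` instead of the embedded table.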

Check what WiFi-chipset it uses. Since it's Broadcom, it's entirely likely that the WiFi-chipset does not have open-source drivers and thus isn't useable with OpenWrt.

Looking at logs, the mentioned chips are bcm43602 & BCM435f, wikidevi also says it's a bcm43602, but there are differences between the specs listed on wikidevi and the actual device. I'd check the actual device itself but there's a heatsink glued to the chip that I cannot easily remove.

Broadcom, according to https://fccid.io/I88VMG3925-B10A/ too.

It's a dead end, assuming info's correct.

The thing that's throwing me off is that that device looks nothing like my device, board layout looks different too. Entirely possible that they used the same base platform, but with a different board for the different markets. The B10A seems to be the only variant in the FCC database, and the B10B is probably EU/UK specific then (I have only found this mentioned on UK (Kcom, AAISP, Aquiss, probably some others), and a singular French ISP).

says it's supported unless I misread it?

Bcm435f indicates unsupported

Here’s a device page for a similar router/modem https://openwrt.org/toh/sky/sr102

Though as you have serial console it can’t hurt to boot an initramfs for a similar device and see what works and what doesn’t, best of luck!

Hi,

The VMG3925-B10A/B/C run a heavily customized/bastardized version of OpenWRT Barrier Breaker as its base:
https://github.com/trejan/VMG3925-B10B/blob/master/.config with heavy use of the broadcom sdk:
http://datashed.science/misc/bcm/gpl/broadcom-sdk-416L05/

While it would be nice to get OpenWRT running natively, the DSL would never work, and as it's got Broadcom drivers everywhere, it's going to have proprietary issues.

I have 9 of the C version, I'm happy to take one apart if you need to test anything, the rest are used as bridge modems for customers who want a decent router behind a VDSL/ADSL connection.

Yeah I thought it was a bit interesting seeing references to OpenWrt (the built firmware file is literally openwrt-nand-VMG3926-jffs2-128k.bin.w). I don't think it runs UCI or includes opkg in the final builds so definitely not what you'd call OpenWrt, but it's interesting they used a lot of code/based on OpenWrt.

Fairly standard for the vendor SDKs, take an old or ancient Openwrt code base, rip out most of the useful parts and stuff in heaps of closed source garbage.

and then cry when exploited with dnsmasq and dnspooq

If anyone is interested, there is a root exploit for the latest Zyxel firmware (V5.13(AAVF18)C0.zip). It was easier than expected.

Cheers, sadly as it's a broadcom CPU it's unlikely that we will ever get proper Openwrt running on it.

... which was mentioned 1.5 years ago, already.