Unbranding Zyxel VMG3926?

Just trying to free from isp-fw now (to factory fw), maybe openWrt later.

Basic procedure:

I guess they were able to do fw upload with xmodem, 3926 needs tftp.

My skills end at running a tftp server. Tried 3 of them in windows, still none in macos.
Have set the computer's ethernet to (default for zyxel).
Offlined the firewall.

I still don't get how the modem can find an IP with TTL?
Does tftp happen with ethernet, so I connect a rj45 from modem to computer?
Which port?
Or how do I point the tftp server to bind (right term?) with serial port?
Do I need a DHCP server for tftp to work?

Amazing that I seem to be the only one that can't run sftp server out from the box to TTL connected device...

CFE error -21

#CFE #zyxel

For using tftp you need to connect both the ethernet and the serial port. Via serial you issue the command to start the tftp download, and the actual tftp download is over ethernet.

Thanks for confirmation.
Still the same error.

I tried different ports and WAN port on the modem seemed to do something.
Got the message

Port 3 Link up

But ATUR still can't upload the zyx.bin.
Probably some issue with ports, different defaults?

What I also noticed that if I wait for a bit longer in the boot process, I can login to Busybox.
Would it be easier to flash the fw there?
Maybe even the "zycli fwidcheck off" trick can work in there?
(EDIT: Nope, this (busy)box does not recognice fwidcheck command.)

Maybe the firewall on your tftp server PC is the problem. You can use Wireshark to see if and how the tftp client reaches to the server.

Im also trying to unbrand a Zyxel VMG8623-T50B

My conclusion is that the firmware is locked and doesn't allow tftp or commands like fwidcheck off. A modified generic firmware is needed, with the headers of the branded firmware in order to trick the firmware update mechanism.

I don't have this device, but the instructions are pretty clear in the first post that this is occurring entirely over serial. You need a good serial terminal program for Windows that supports, my God, good old fashioned xmodem.

EDIT: If you can't find one, I can step you through the process using Linux, or cygwin on WIndows.
EDIT2: Whoops, didn't read OP, sorry. Though I'm curious if you actually tried xmodem?

I've just recently dealt with the Windows terminal challenges.
My suggestion is Tera Term. I tried to use Kermit95, and Putty. Kermit didn't work (constantly retried blocks), Putty doesn't support file transfer.

Depending on the uboot config, you're likely going to need a serial connection (whether RS232 / TTL depending on where you'd hook into on the board).
Step 2 would always be to open the case, and identify and document all of the unpopulated headers.
Step 1 would have been to try to connect to all the external connections (ethernet with Wireshark, serial ports etc) and observe behaviour during cold boot. You might get lucky and have a tftp request visible at boottime.

From reading the other forum post. They used a serial connection (inside the case).
So you'd need to find this first.
Tera Term will allow you to do the xmodem transfer. The modem will either appear to 'hang' after entering the transfer command, or will prompt you to start transfer now. Then you'd go File > Transfer > XMODEM > Send, and then select the updated Zyxel firmware appropriate for your exact device.

VMG3926’s CFE dropped support for other than tftp.
So it has to be that.

Anyway this unbranding has been done several times before.
Unfortunately the oldest discussion forum in Finland was closed, so it’s hard to ask more closely how they did it.

I’ll try to check with wireshark if tftp-request is really coming out of zyxel.

TFTP between two computers to make sure your server works.

Note if you have an extra router running OpenWrt, it is bog-simple to use it as a TFTP server. Add these two lines to the top section of /etc/config/dhcp:

   option enable_tftp '1'
   option tftp_root '/tmp/tftpboot'

Static IP the LAN as needed, and place the file to be sent in /tmp/tftpboot. This is a RAM disk, so it will be erased on a reboot.

What do you mean by this?

Take the case off to expose the PCB, and then post a high resolution image here.
Everywhere else appears to be saying that the headers on the PCB are quite obvious.

Meaning that the command used to upload firmware ATUR, supports only tftp in this box.

Yes, you need TTL connection to get to the CFE prompt and interrupt the boot to get to the CFE.
But because you can't use XMODEM or some other "serial port" method, this is a bit more trickier, at least for me.

1 Like

Are you sure you're not confusing ATUR (xmodem transfer) with ATTR (tftp transfer)?

Perhaps you can post the ATHE listing from your device.

CFE> athe
Available commands:

ATMB                Use for multiboot.
ATHW                Other misc commands
ATDC                Disable Check Model Mechanism.
ATBB                Mark/unmark the Block X to be bad block.
ATCMP               Compare the contents at start address X and Y with L
                    ength Z
ATLD                Download data with file name X to memory address Y f
                    rom PC via TFTP
ATRB                Load the CFERAM to run by TFTP or UART!
ATDS                Dump data of spare area in block X`s page Y
ATRF                Read/Dump flash data
ATER                Erase NAND flash from block X to block Y
ATWF                Write data from RAM to flash
ATRT                Test memory.
ATCR                reset to default, erase Data partition
ATCD                Erase ROM-D partition
ATCM                Erase ROMFILE partition
ATWZ                write (a)MAC addr, (b)Country code, (c)EngDbgFlag, (
                    d)FeatureBit, (e)MAC Number to NVRAM
<press any key to continue>
ATCO                set Country Code to NVRAM.
ATSN                set Series Number to NVRAM.
ATSH                dump manufacturer related data from NVRAM
ATGO                Run program from flash image or from host depend on
                    [f/h] flag.
ATSE                show the seed of password generator
ATEN                set BootExtension Debug Flag
ATBT                block0 write enable
ATPH                Set/Get PHY`s registers.
ATWW                Set memory or registers.
ATDU                Dump memory or registers.
ATBL                Print boot line and board parameter info
ATIP                Change booline parameters
ATAF                Change board AFE ID
ATBP                Change board parameters
ATSR                System reboot
ATUM                Upload ROMFILE to flash from TFTP
ATUD                Upload ROM-D to flash from TFTP
<press any key to continue>
ATUB                Upload bootloader to flash from TFTP
ATUR                Upload router firmware to flash from TFTP
ATUW                Write the whole image start from beginning of the fl
                    ash from TFTP
ATHE                print help

For more information about a command, enter 'help command-name'
*** command status = 0

CFE> atur zyx.bin
Loading ...
Loading failed.: CFE error -21
*** command status = -21

Just noticed that the front page of zyxel looks like:

I wonder it that "image" is that 25MB .bin?

Wireshark seemed to be complicated.
Instead I checked firewalls again.
Somehow windows has decided that ethernet is public network.
And I can't change that.
Maybe because this seems to be windows-to-go installation. I don't know why and if it could be changed.
Are there 2 firewalls in windows? Defender and Windows firewall?
Anyway I disabled both, so the tftp started working.

CFE> atur zyx.bin
Loading ...
Finished loading 26477568 bytes at 0x80b60000
Illegal model ID, please check!

*** command status = -1

I thought the model ID was handled with ATWZ when debugflag was set.
Is this about the name of the fw file?

I noticed a command ATDC, maybe that next?

Btw, does "firmware" include ROMFILE?

ATDC made the trick!
Zyxel is now ISP free!

Oh well...
Something went wrong with fw update:
I can't get to NAT settings, spinning arrow until logout.
I can't flash this again, since the ATDC command is now missing.

I don't know how many different flushes are needed to get all old data out of the box...
If there's some conflict...

Got the latest fw from zyxel (Dec 2017).
They ended support fot vmg3926 in 2018, so nothing more from there.

I'll leave the question open, if there is somebody who knows how to get rid of that "Illegal model ID, please check!".
Or if somebody could point to a forum where the people in the know waste their time.
ATAF is the command to change AFE ID, but I'm not sure what it should be OR if it even is the ID which is checked when fw upgrade.

...aaAAND resurrection!
Since these zyxels have "multiboot", I booted to "previous" system.
And then again, there was ATDC.

Now latest fw installed and everything feels really much snappier and all settings seems to work.

Happy camper here, although way too much time wasted.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.