Unbranding Zyxel VMG3926?

Just trying to free it from isp-fw now (to factory fw), maybe OpenWrt later.

Basic procedure:

I guess they were able to do fw upload with xmodem, 3926 needs tftp.

My skills end at running a tftp server. Tried 3 of them in Windows, still none in macOS.
Have set the computer's ethernet to 192.168.1.33 (default for zyxel).
Offlined the firewall.

I still don't get how the modem can find an IP with TTL?
Does tftp happen with ethernet, so I connect a rj45 from modem to computer?
Which port?
Or how do I point the tftp server to bind (right term?) with serial port?
Do I need a DHCP server for tftp to work?

Amazing that I seem to be the only one that can't run sftp server out from the box to TTL connected device...

CFE error -21


For using tftp you need to connect both the ethernet and the serial port. Via serial you issue the command to start the tftp download, and the actual tftp download is over ethernet.

Thanks for confirmation.
Still the same error.

I tried different ports and WAN port on the modem seemed to do something.
Got the message

Port 3 Link up

But ATUR still can't upload the zyx.bin.
Probably some issue with ports, different defaults?

What I also noticed is that if I wait a bit longer in the boot process, I can log in to Busybox.
Would it be easier to flash the fw there?
Maybe even the "zycli fwidcheck off" trick can work in there?
(EDIT: Nope, this (busy)box does not recognize the fwidcheck command.)

Maybe the firewall on your tftp server PC is the problem. You can use Wireshark to see if and how the tftp client reaches the server.

I'm also trying to unbrand a Zyxel VMG8623-T50B.

My conclusion is that the firmware is locked and doesn't allow tftp or commands like fwidcheck off. A modified generic firmware is needed, with the headers of the branded firmware in order to trick the firmware update mechanism.

I don't have this device, but the instructions are pretty clear in the first post that this is occurring entirely over serial. You need a good serial terminal program for Windows that supports, my God, good old fashioned xmodem.

EDIT: If you can't find one, I can step you through the process using Linux, or cygwin on Windows.
EDIT2: Whoops, didn't read OP, sorry. Though I'm curious if you actually tried xmodem?

I've just recently dealt with the Windows terminal challenges.
My suggestion is Tera Term. I tried to use Kermit95, and Putty. Kermit didn't work (constantly retried blocks), Putty doesn't support file transfer.

Depending on the uboot config, you're likely going to need a serial connection (whether RS232 / TTL depending on where you'd hook into on the board).
Step 2 would always be to open the case, and identify and document all of the unpopulated headers.
Step 1 would have been to try to connect to all the external connections (ethernet with Wireshark, serial ports etc) and observe behaviour during cold boot. You might get lucky and have a tftp request visible at boottime.

From reading the other forum post, they used a serial connection (inside the case).
So you'd need to find this first.
Tera Term will allow you to do the xmodem transfer. The modem will either appear to 'hang' after entering the transfer command, or will prompt you to start transfer now. Then you'd go File > Transfer > XMODEM > Send, and then select the updated Zyxel firmware appropriate for your exact device.

VMG3926’s CFE dropped support for other than tftp.
So it has to be that.

Anyway this unbranding has been done several times before.
Unfortunately the oldest discussion forum in Finland was closed, so it’s hard to ask more closely how they did it.

I’ll try to check with wireshark if tftp-request is really coming out of zyxel.

TFTP between two computers to make sure your server works.

Note if you have an extra router running OpenWrt, it is bog-simple to use it as a TFTP server. Add these two lines to the top section of /etc/config/dhcp:

   option enable_tftp '1'
   option tftp_root '/tmp/tftpboot'

Static IP the LAN as needed, and place the file to be sent in /tmp/tftpboot. This is a RAM disk, so it will be erased on a reboot.
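
The "TFTP between two computers" check suggested above, as an added example that is not part of the original thread: run from a second machine, it sends one RFC 1350 read request and reports whether data, a TFTP error, or nothing comes back. The address and filename are the ones used in the thread; `build_rrq`, `parse_reply` and `probe` are names chosen for this example.

```python
import socket
import struct

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5

def build_rrq(filename, mode="octet"):
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_reply(packet):
    """Classify the server's first reply to the read request."""
    if len(packet) < 4:
        return ("malformed", None)
    opcode, value = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        return ("data", len(packet) - 4)   # payload bytes in the first block
    if opcode == OP_ERROR:
        msg = packet[4:].split(b"\0", 1)[0].decode(errors="replace")
        return ("error", f"{value}: {msg}")
    return ("unexpected", opcode)

def probe(host, filename, port=69, timeout=3.0):
    """Send one RRQ and report what comes back, or 'timeout' if nothing does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rrq(filename), (host, port))
        try:
            # The reply arrives from a new ephemeral port on the server,
            # not from port 69, so a host firewall can block either leg.
            packet, peer = s.recvfrom(4 + 512)
        except socket.timeout:
            return ("timeout", None)
        except ConnectionResetError:       # Windows reports ICMP port unreachable this way
            return ("refused", None)
        kind, detail = parse_reply(packet)
        if kind == "data":
            # ACK the block (opcode 4 + same block number) so the server
            # does not keep retransmitting; the probe stops after one block.
            s.sendto(b"\x00\x04" + packet[2:4], peer)
        return (kind, detail)

if __name__ == "__main__":
    # Server address and file name as used in the thread.
    print(probe("192.168.1.33", "zyx.bin"))
```

A `timeout` result while the server is running points to a firewall dropping the request to UDP port 69 or the reply from the server's ephemeral port.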

What do you mean by this?

Take the case off to expose the PCB, and then post a high resolution image here.
Everywhere else appears to be saying that the headers on the PCB are quite obvious.

Meaning that the command used to upload firmware, ATUR, supports only tftp in this box.

Yes, you need TTL connection to get to the CFE prompt and interrupt the boot to get to the CFE.
But because you can't use XMODEM or some other "serial port" method, this is a bit trickier, at least for me.


Are you sure you're not confusing ATUR (xmodem transfer) with ATTR (tftp transfer)?

Perhaps you can post the ATHE listing from your device.

CFE> athe
Available commands:

ATMB                Use for multiboot.
ATHW                Other misc commands
ATDC                Disable Check Model Mechanism.
ATBB                Mark/unmark the Block X to be bad block.
ATCMP               Compare the contents at start address X and Y with L
                    ength Z
ATLD                Download data with file name X to memory address Y f
                    rom PC via TFTP
ATRB                Load the CFERAM to run by TFTP or UART!
ATDS                Dump data of spare area in block X`s page Y
ATRF                Read/Dump flash data
ATER                Erase NAND flash from block X to block Y
ATWF                Write data from RAM to flash
ATRT                Test memory.
ATCR                reset to default, erase Data partition
ATCD                Erase ROM-D partition
ATCM                Erase ROMFILE partition
ATWZ                write (a)MAC addr, (b)Country code, (c)EngDbgFlag, (
                    d)FeatureBit, (e)MAC Number to NVRAM
<press any key to continue>
ATCO                set Country Code to NVRAM.
ATSN                set Series Number to NVRAM.
ATSH                dump manufacturer related data from NVRAM
ATGO                Run program from flash image or from host depend on
                    [f/h] flag.
ATSE                show the seed of password generator
ATEN                set BootExtension Debug Flag
ATBT                block0 write enable
ATPH                Set/Get PHY`s registers.
ATWW                Set memory or registers.
ATDU                Dump memory or registers.
ATBL                Print boot line and board parameter info
ATIP                Change booline parameters
ATAF                Change board AFE ID
ATBP                Change board parameters
ATSR                System reboot
ATUM                Upload ROMFILE to flash from TFTP
ATUD                Upload ROM-D to flash from TFTP
<press any key to continue>
ATUB                Upload bootloader to flash from TFTP
ATUR                Upload router firmware to flash from TFTP
ATUW                Write the whole image start from beginning of the fl
                    ash from TFTP
ATHE                print help

For more information about a command, enter 'help command-name'
*** command status = 0

CFE> atur zyx.bin
Loading 192.168.1.33:zyx.bin ...
Loading failed.: CFE error -21
*** command status = -21

Just noticed that the front page of zyxel looks like:


I wonder if that "image" is that 25MB .bin?

Wireshark seemed to be complicated.
Instead I checked firewalls again.
Somehow Windows has decided that ethernet is a public network.
And I can't change that.
Maybe because this seems to be a Windows To Go installation. I don't know why and if it could be changed.
Are there 2 firewalls in Windows? Defender and Windows firewall?
Anyway I disabled both, so the tftp started working.
But:

CFE> atur zyx.bin
Loading 192.168.1.33:zyx.bin ...
Finished loading 26477568 bytes at 0x80b60000
Illegal model ID, please check!

ERROR
*** command status = -1

I thought the model ID was handled with ATWZ when debugflag was set.
Is this about the name of the fw file?

I noticed a command ATDC, maybe that next?

Btw, does "firmware" include ROMFILE?

ATDC did the trick!
Zyxel is now ISP free!

Oh well...
Something went wrong with fw update:
I can't get to NAT settings, spinning arrow until logout.
I can't flash this again, since the ATDC command is now missing.

I don't know how many different flushes are needed to get all old data out of the box...
If there's some conflict...

Got the latest fw from zyxel (Dec 2017).
They ended support for vmg3926 in 2018, so nothing more from there.

So,
I'll leave the question open, if there is somebody who knows how to get rid of that "Illegal model ID, please check!".
Or if somebody could point to a forum where the people in the know waste their time.
ATAF is the command to change AFE ID, but I'm not sure what it should be OR if it even is the ID which is checked during fw upgrade.

...aaAAND resurrection!
Since these zyxels have "multiboot", I booted to "previous" system.
And then again, there was ATDC.

Now the latest fw is installed and everything feels really much snappier and all settings seem to work.

Happy camper here, although way too much time wasted.
