ZyXel EMG2926 (NBG6716), can't access serial console

Hi there,

I found a ZyXel EMG2926-Q10A (the Videotron model) and installed a permanent serial port according to the wiki page (I only reversed TX and RX, as these were incorrectly labelled).

As I tried to access it following goldyfruit's instructions, I hit two show-stopper snags:

  1. The vulnerable OEM firmware he used is not available anymore
  2. As soon as I get to the EMG2926> prompt, minicom is held up by some input it can't decipher, which is confirmed by the USB-serial converter's activity LED being lit constantly:
    Hit any key to stop autoboot:  3
    EMG2926> ?????????????????????????????????????????????????????

This is on Mac, but a Linux Mint box displays the same issues.

I can't type any command beyond this point.
BTW this isn't the first time I'm using a serial console on a device, but so far only this device displays such weird behaviour.

As a side note, I also tried to:

  1. Set the admin password (this step is mandatory in order to get the stok value, which changes every time the router is reset)
  2. Use Postman to create a GET request and have the router give its password file (vulnerability described here).

Needless to say, I haven't had any success, for three reasons:

  1. I'm unsure as how to use Postman precisely (i.e. code 60 - problem 60cm from monitor);
  2. Firmware version on my router is not the same one (current: V1.00(AAQT.6)b3, vulnerable/tested: V1.00(AAQT.4)b8)

So I'm back to the usual process.

What could be happening there?

Here's an autoreply:

Turns out this router absolutely wants a WAN connection. As soon as I plugged in a live cable to the WAN port, it behaved and let me access its serial console.

As for the unavailable firmware, it wasn't even necessary. Rather than using a vendor-provided firmware (which is an OpenWRT in disguise), I simply used a factory OpenWRT image for the ZyXel NBG6716.

The following works on Mac (Mojave):

  1. Set the computer Ethernet IP address to static, 192.168.1.33, the router being 192.168.1.1. Don't forget to turn off Wi-Fi as well, as the default config will conflict with Internet access otherwise. Better to have two computers for this step.
  2. Use the TftpServer app, which is only a nice GUI to the TFTP server but for some reason seems to work more reliably than the CLI's TFTP (less chance of timeout in the serial console).
  3. Rename the OpenWRT image to ras.bin and copy it to /private/tftpboot
  4. In the serial console (now working), at the EMG2926> prompt, access the U-Boot shell, then change the router's name to NBG6716, then reboot as described
  5. Start TFTP server.
  6. When back to the EMG2926> prompt, type ATURras.bin (no, there isn't any space)
  7. If all goes well, you'll see # padding the terminal.
  8. Once you get back to the EMG2926> prompt, type ATGO to actually boot the newly-installed OpenWRT.
  9. For more details, please refer to goldyfruit's blog post.
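Step 5 as an added example that is not part of the original post: a minimal read-only TFTP server in Python, restricted to the single file ras.bin in /private/tftpboot and bound to the 192.168.1.33 address used above, that resends a block until the bootloader acknowledges it instead of giving up on the first timeout. The function names and the retry count are the example's own assumptions.

```python
import socket
import struct
# Added example, not the forum post's code: a read-only TFTP server (RFC 1350, octet mode)
# serving exactly one file, the OpenWrt image renamed ras.bin, from the post's setup.
TFTP_ROOT = "/private/tftpboot"   # directory the post copies the image into
ALLOWED = "ras.bin"               # the only name the router's ATURras.bin command asks for
BLOCK = 512                       # RFC 1350 data block size
def parse_rrq(packet):
    """Return (filename, mode) for a read request (opcode 1), else None."""
    fields = packet[2:].split(b"\x00")
    if packet[:2] != b"\x00\x01" or len(fields) < 2:
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()
def data_packet(block, chunk):
    """DATA (opcode 3): 16-bit block number (wraps after 65535) then <= 512 bytes."""
    return struct.pack("!HH", 3, block & 0xFFFF) + chunk
def serve_once(sock, client, image, retries=5, timeout=3.0):
    """Send image lock-step, resending each block until its ACK arrives; returns block count."""
    sock.settimeout(timeout)
    block, offset = 1, 0
    while True:
        chunk = image[offset:offset + BLOCK]
        for _ in range(retries):
            sock.sendto(data_packet(block, chunk), client)
            try:
                ack, _ = sock.recvfrom(516)
            except socket.timeout:
                continue  # bootloader silent: resend the same block (the post's timeouts)
            if ack[:2] == b"\x00\x04" and struct.unpack("!H", ack[2:4])[0] == block & 0xFFFF:
                break
        else:
            raise TimeoutError("no ACK for block %d" % block)
        if len(chunk) < BLOCK:  # a short (possibly empty) block ends the transfer
            return block
        offset, block = offset + BLOCK, block + 1

def main():
    image = open(TFTP_ROOT + "/" + ALLOWED, "rb").read()
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("192.168.1.33", 69))  # the post's static IP; port 69 needs root
    while True:
        pkt, client = listener.recvfrom(516)
        if parse_rrq(pkt) != (ALLOWED, "octet"):  # refuse every other name or mode
            listener.sendto(struct.pack("!HH", 5, 1) + b"only ras.bin, octet mode\x00", client)
            continue
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # fresh port = new TID
        print("sent %d blocks to %s" % (serve_once(xfer, client, image), client))

if __name__ == "__main__":
    main()
```

Run it with sudo before typing ATURras.bin; it answers only a request for ras.bin and replies with a TFTP error to anything else.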

Closing remark:
This router has plenty of empty space inside and two USB ports, so I mounted a 1GiB USB key inside to extend the /overlay partition, and blocked one of the USB ports.
