ZyXEL VMG5313-B30A JTAG

I've opened this ZyXEL and tried to connect to JTAG. Serial connection works.
https://openwrt.org/toh/zyxel/zyxel_vmg5313-b30a
I used an RPi to connect. The JTAG connector looks like a MIPS EJTAG 14-pin connector.
But no response.
First I thought that my RPi was not communicating, so I opened a WRT54GL, soldered two rows of header pins and connected to the Linksys.
The connection with the WRT54GL works OK. I get a response and see this:
Info : JTAG tap: bcm5352e.cpu tap/device found: 0x0535217f (mfg: 0x0bf (Broadcom), part: 0x5352, ver: 0x0)
Info : accepting 'telnet' connection on tcp/4444
   TapName       Enabled  IdCode      Expected    IrLen  IrCap  IrMask
 0 bcm5352e.cpu  Y        0x0535217f  0x0535217f  8      0x01   0x1f

That proved that I can use my RPi to communicate over JTAG.

So... then I removed the pins from my ZyXEL VMG5313-B30A to see the traces on the board.
The JTAG header looks like this one:
http://www.jtagtest.com/pinouts/ejtag
Pins 3, 7, 9 and 11 (corresponding to TDI, TMS, TCK and nSRST respectively) are pulled up to 3.3 V through 1.36 kΩ resistors.

What am I missing?

I am the author of that wiki page, and this thread on old forum: https://forum.archive.openwrt.org/viewtopic.php?id=67587

You don't need JTAG for "normal" OpenWrt development, but I wouldn't bother with this device at all due to bad Broadcom support. SoC is BCM63168 with integrated 2.4 GHz WLAN, and it uses BCM6302 for xDSL.

Also, when I was playing with it, CFE acted weird and there were some problems with NAND support in the kernel, or it was a mistake on my part, but I never got back to it to see if it would work now.

I know that you've tried to make OpenWrt work on this device. And I know that I do not need JTAG for OpenWrt development.
I just wanted to read the flash from the device using JTAG.
In case I do not know any administrative password on that device and I want to read the settings from that device... then I have to read it using JTAG, right?
I do not have my outputs from CFE, but I do not think I can read flash from CFE. Only write to flash. I remember that I can only upload fresh firmware. Right?

What kind of settings would you like to extract from the device? I'm not entirely sure that VMG5313 holds the configuration easily accessible, but then again, it's been over two years since I last examined it.

Did you manage to unlock all options in CFE? I remember that by default, there are not a lot of options, but with some AT commands, it can be unlocked, possibly giving you read access to NAND via UART.

I'll hook it up once I find some time and let you know.

Well... root access, as my ISP locked out internal calls in the user-accessible settings (VoIP).
The factory default is "####". But my ISP forces it to "".
And I need this feature of this device.

I'll use your unlock code to see what else is in the menus.
How did you get it?

I tried with your code... but no luck...

CFE> ATEN 1, 10F0A563

ERROR
*** command status = -1
CFE> atse

ERROR

How did you get that data for ATEN command?

I found that code on some forum a long time ago, I think it was related to another ZyXEL model. ATSE doesn't work on VMG5313 so you can't get the seed for unlock code anyway.
This is the full process:
First enable debug flag:
ATEN 1, 10F0A563
Then I enabled block0 write:
ATBT 1
To make it permanent, use:
ATWZ <MAC>, FF, 01, 00, 12
Replace <MAC> with MAC address listed with ATBT command (without colons).
Third parameter (01) is the debug flag.

If it doesn't work for you, can you check if we have the same CFE version? Mine is:

CFE version 1.0.38-112.118 for BCM963268 (32bit,SP,BE)
Build Date: 01/12/2015 (root@CjLai2Ubuntu)
Copyright (C) 2000-2011 Broadcom Corporation.
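The three-step unlock above (ATEN with the key, ATBT to allow block0 writes, ATWZ to make the flag permanent) is easy to get half-way through and then misread, because CFE reports failures only in the "*** command status = N" trailer. The script below is an added example, not code from either poster: it drives the sequence over a console transport, validates the MAC for ATWZ, and stops at the first step CFE rejects. The serial port is replaced by a constructed in-memory fake that replays the reply shapes quoted in this thread (the 01/12/2015 build accepting all three commands, the 06/23/2014 build listing no ATBT under ATHE); the 10F0A563 key and the ATWZ argument layout are taken from the post above and are not independently verified.

```python
"""Drive the ZyXEL CFE "AT" debug-unlock sequence over a console transport.

Assumes only what the thread quotes: a command is answered by free-form text
followed by a line "*** command status = N" (0 = success, -1 = error). The
serial link is replaced by a constructed in-memory fake so the logic runs
offline; on hardware the transport would wrap a pyserial port and read until
the next "CFE> " prompt.
"""
import re

STATUS_RE = re.compile(r"^\*\*\* command status = (-?\d+)\s*$", re.MULTILINE)
DEBUG_KEY = "10F0A563"  # ATEN argument quoted in the thread; not independently verified


class CfeError(Exception):
    """Raised when CFE returns a non-zero status, or no status line at all."""

    def __init__(self, command, status, body):
        super().__init__(f"{command!r} failed with status {status}: {body.strip()}")
        self.command, self.status, self.body = command, status, body


def parse_response(text):
    """Split a CFE reply into (status, text_before_status_line)."""
    m = STATUS_RE.search(text)
    if m is None:
        raise CfeError("?", None, text)
    return int(m.group(1)), text[: m.start()]


def atwz_command(mac, debug_flag=1):
    """Build 'ATWZ <MAC>, FF, <flag>, 00, 12'; the MAC is sent without separators."""
    clean = re.sub(r"[:\-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", clean):
        raise ValueError(f"not a MAC address: {mac!r}")
    if not 0 <= debug_flag <= 0xFF:
        raise ValueError("debug flag must fit in one byte")
    return f"ATWZ {clean}, FF, {debug_flag:02X}, 00, 12"


def unlock_debug(transport, mac, key=DEBUG_KEY, persist=True):
    """Run ATEN -> ATBT -> ATWZ, stopping at the first command CFE rejects.

    Returns the (command, status) pairs that succeeded; the CfeError carries the
    exact step the firmware refused (on the 06/23/2014 build that is ATBT,
    which its ATHE list does not contain).
    """
    steps = [f"ATEN 1, {key}" if key else "ATEN 1", "ATBT 1"]
    if persist:
        steps.append(atwz_command(mac))
    done = []
    for cmd in steps:
        status, body = parse_response(transport.transact(cmd))
        if status != 0:
            raise CfeError(cmd, status, body)
        done.append((cmd, status))
    return done


class FakeCfe:
    """Constructed stand-in for the console; replays the reply shapes quoted in the thread."""

    OK = "\nOK\n*** command status = 0\n"
    ERROR = "\nERROR\n*** command status = -1\n"

    def __init__(self, known, key_required):
        self.known = set(known)           # commands this build lists under ATHE
        self.key_required = key_required  # whether ATEN wants the second argument
        self.log = []                     # every line the driver sent

    def transact(self, line):
        self.log.append(line)
        name, _, args = line.partition(" ")
        name = name.upper()
        if name not in self.known:
            return (f'\nInvalid command: "{name.lower()}"\n'
                    f"Available commands: {', '.join(sorted(self.known))}\n\n"
                    "*** command status = -1\n")
        if name == "ATSE":  # ATSE errored on both builds in the thread
            return self.ERROR
        if name == "ATEN" and self.key_required != (DEBUG_KEY in args):
            # Fake's assumption: the key is required on one build and rejected on the other
            return self.ERROR
        return self.OK


def cfe_build_20150112():
    """Fake of the build where ATEN 1, 10F0A563 / ATBT 1 / ATWZ succeeded."""
    return FakeCfe({"ATSE", "ATEN", "ATBT", "ATWZ", "ATHE"}, key_required=True)


def cfe_build_20140623():
    """Fake of the build whose quoted ATHE list lacks ATBT and ATWZ."""
    return FakeCfe({"ATSE", "ATEN", "ATCR", "ATSH", "ATUR", "FWSELECT", "ATIR",
                    "ATER", "ATBL", "ATDU", "ATBR", "ATGO", "ATSR", "ATMB", "ATHE"},
                   key_required=False)


if __name__ == "__main__":
    for build in (cfe_build_20150112, cfe_build_20140623):
        cfe = build()
        try:
            print(build.__name__, "ok:", unlock_debug(cfe, "00:11:22:33:44:55"))
        except CfeError as e:
            print(build.__name__, "stopped:", e)
```

On real hardware, swap FakeCfe for a thin wrapper around a pyserial port whose transact() writes the line plus "\r" and reads until the next "CFE> " prompt; the parsing and step logic stay the same. Because ATWZ writes board parameters to flash, the MAC validation and the stop-at-first-failure behaviour are what keep a typo from persisting garbage.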

Hm... mine is:

CFE version 1.0.38-112.118 for BCM963268 (32bit,SP,BE)
Build Date: 06/23/2014 (root@CjLai2Ubuntu)
Copyright (C) 2000-2011 Broadcom Corporation.

and the ATN command does not work.

Does ATSE command work for you?

Does not work.

CFE> atse

ERROR
*** command status = -1

Maybe they changed something...

CFE> aten 1

OK
*** command status = 0
CFE> atbt 1
Invalid command: "atbt"
Available commands: ATSE, ATEN, ATCR, ATSH, ATUR, FWSELECT, ATIR, ATER, ATBL, ATDU, ATBR, ATGO, ATSR, ATMB, ATHE

*** command status = -1
CFE> athe
Available commands:

ATSE                show the seed of password generator
ATEN                set BootExtension Debug Flag
ATCR                Clear console screen
ATSH                dump manufacturer related data in ROM
ATUR                xmodem upload router firmware to flash ROM
FWSELECT            Select partition to read/write image or show FW version
ATIR                Set ImageDefault to ROM-D partition
ATER                Erase ROM-D partition
ATBL                Print boot line and board parameter info
ATDU                Dump memory or registers.
ATBR                Reset to default Romfile
ATGO                boot router
ATSR                system reboot
ATMB                Use for multiboot.
ATHE                print help

For more information about a command, enter 'help command-name'
*** command status = 0
CFE> 

Which firmware version do you have installed? Is CFE installed with the firmware?
Maybe I can install the same version and then get the same CFE?

No, it's not working for me either. My firmware is 1.00(AATS.1)C0, you can download it here: https://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=M-01846&md=VMG5313-B30A

I thought you were using some of these:

I do not know where they got these firmwares from.

So... ok... that command ATEN 1, 10F0A563 works on your firmware. If I install it on my machine, do you think that I could also use ATEN on my machine?

It's branded firmware from one Croatian ISP, don't waste time on it because it has some specific customizations (and effort to make supervisor account inaccessible).
Try with latest FW from ZyXEL, ATEN works for me on 1.00(AATS.1)C0.

Well... this is exactly what I need. :slight_smile:
Supervisor account to set option in SIP: internal call. Nothing else.

Install 1.00(AATS.1)C0 and I'll explain how to get supervisor account.

Well... here's the thing: I have 2 devices. Device #1 is connected to my ISP and I do not have the admin password for it. Device #2 I use to experiment on.
I need the admin password for #1 to enable internal calls, as my ISP erases the factory setting from "####" to "" when the device reads the settings they provide on their machines.
Device #2 is opened and the idea was to let my ISP install their FW on it and then to try to get the admin password. I have a functional serial connection and a nonfunctional JTAG connection. I thought that JTAG would enable me to read the settings or flash or something that I could read the admin password from.
Another idea is to desolder the flash and read it.
My ISP replied that they will not enable internal calls as they "do not support that" on this ZyXEL device, but provide it on the Siemens device.
I used to have Siemens SX763 for the same provider, but they changed it as it started to misbehave.
And I had internal calls on the Siemens using numbers 1001 and 1002 for the two phone lines I have.
But now I cannot make internal calls on device #1, while I have internal calls on device #2 as I can set "####" for internal calls in the SIP settings. But I need admin privileges to do that on device #1.
And this is the whole point of doing all this. My ISP does not want to let me make internal calls. Only paid ones.