Zyxel wx3401 - locked. Supervisor-password?

Hi!
I have three Zyxel wx3401. They are locked and the firmware is old. I cannot upgrader them with admin-access, and I contact ISP anymore for help.
Is there any way to login to them with supervisor password? Is it possible to find it somewhere?
I have contacted Zyxel support, and they just sent me two passwords I could try, but none of them does work.
Any way to get access to them and be able to upgrade firmware?

Sorry about my english ..im from Norway

how exactly is this question related to openwrt ?

That thing is not sold by zyxel to individuals, not supported by any post-market firmware, so you need to reclaim your electronic waste disposal expense to whomever threw it at you.

Yes, youre right. I think I cannot use them. They got the oldest firmware available... they work.. but are unstable because of old firmware. I got them for free from a company.. that dont exist anymore

Thanks anyway for your fast reply!

well,

if you're going to recycle them, you can at least open it up, and document the hw.
it might be supportable, but we won't know until someone opens it up.

Backup the config (Backup_Restore), substitute the "shadow" password for the "admin" user to the root user; reboot > get root shell access from ssh

enable the ssh access by

zycli mgmtsrvctl config -s SSH 0

Done.

Thanks
Interesting! Im not sure I fully understand, but I have now backed up the config-file. and It looks like this:

{
  "X_ZYXEL_LoginCfg":{
    "LoginGroupConfigurable":true,
    "LogGp":[
      {
        "emptyIns":true
      },
      {
        "GP_Privilege":"_encryp1_qmmb5+mF+SO8zu7NkkJcFQSxAqYcK6zDnkf0NVLl5uQ=",
        "Account":[
          {
            "Enabled":true,
            "Username":"admin",
            "Password":"_encryp1_IyDCb0j5PofD2p9VkZJvcg==",
            "PasswordHash":"",
            "Privilege":"_encryp1_e8nx0GtPTMxfyyEz4qvZWg==",
            "DotChangeDefPwd":true,
            "ThemeColor":"green",
            "RemoteAccessPrivilege":"LAN",
            "DefaultPassword":"_encryp1_1wJBVNirK9OUdgWa4pKP0g==",
            "OldDefaultPassword":"_encryp1_ZaV\/Xl0K58TAU51F0BT9pA==",
            "EnableQuickStart":false,
            "DefaultGuiPassword":"",
            "ResetDefaultPassword":false,
            "shadow":"admin:$6$5QB0c\/sFjL9G4kLJ$3f\/cO00LmF74zj5Cn0bRovMgd\/C\/buFtyjgbLSoizJBPeno1uIcKmnRz6eYOEioiLG.G0a0FDm0uq.pnpdrh61:18932::::::\n",
            "smbpasswd":"",
            "ConfigAccountFromWAN":false,
            "DefPwLength":8,
            "AccountRetryTime":3,
            "AccountIdleTime":300,
            "AccountLockTime":300,
            "ShowSkipBtnInChgDefPwdPage":true,
            "AutoGenPwdBySn":false,
            "AutoShowQuickStart":false,
            "Stored":"",
            "Salt":"",
            "RoleList":"",
            "CardOrder":"",
            "CardHide":"",
            "HiddenPage":"",
            "SshKeyBaseAuthPublicKey":"",
            "Modified":false
          },
          {
            "Enabled":true,
            "EnableQuickStart":true,
            "Username":"support",
            "Password":"_encryp1_IyDCb0j5PofD2p9VkZJvcg==",
            "PasswordHash":"",
            "Privilege":"_encryp1_e8nx0GtPTMxfyyEz4qvZWg==",
            "DotChangeDefPwd":true,
            "ThemeColor":"green",
            "RemoteAccessPrivilege":"LAN",
            "DefaultPassword":"_encryp1_IyDCb0j5PofD2p9VkZJvcg==",
            "DefaultGuiPassword":"",
            "ResetDefaultPassword":false,
            "shadow":"support:$6$qeFJGj8yPX1Suubw$ios12\/\/tva2\/wGFQ8MABXdnYIEfBCff1Evkq4snM77mIm0gU5RiZjsaGEMselYPBgnvVRf46louoIjJYfzUQU\/:18932::::::\n",
            "smbpasswd":"",
            "ConfigAccountFromWAN":false,
            "DefPwLength":8,
            "AccountRetryTime":3,
            "AccountIdleTime":300,
            "AccountLockTime":300,
            "ShowSkipBtnInChgDefPwdPage":false,
            "AutoGenPwdBySn":false,
            "AutoShowQuickStart":false,
            "Stored":"",
            "Salt":"",
            "RoleList":"",
            "OldDefaultPassword":"",
            "CardOrder":"",
            "CardHide":"",
            "HiddenPage":"",
            "SshKeyBaseAuthPublicKey":"",
            "Modified":false
          }
        ]
      },
      {
        "GP_Privilege":"_encryp1_Gv\/qT4N4GHVNjRHXjXu6QQ==",
        "Account":[
        ]
      }
    ],
    "MaxiumLoginAccountNumber":20
  },
  "X_ZYXEL_Change_Icon_Name":[
  ]
}

--

Where/what should be changed in it to get root-access?

Thanks.

Strange, you don't have the root user on this file. Mine has.

Then was a simple task to get the line

            "shadow":"support:$6$qeFJGj8yPX1Suubw$ios12\/\/tva2\/wGFQ8MABXdnYIEfBCff1Evkq4snM77mIm0gU5RiZjsaGEMselYPBgnvVRf46louoIjJYfzUQU\/:18932::::::\n",

and substitute on the root user.

In some units, there is also the possibility to recover the zcfg_config.json (that is a extended version of this Backup_Restore file) by using the ftp (logged as admin). To enable the ftp service, try

zycli mgmtsrvctl config -s FTP 0

hanks.
But seem I cannot access router with telnet:

I get message "connection timeout" when i try to open connection
Or maybe Im doing something wrong..

change the port to 21, or scan the open ports with nmap:

sudo nmap -sC -T4 -p- -vv 192.168.X.X

Discovered open port 80/tcp on 192.168.1.203
Discovered open port 443/tcp on 192.168.1.203
Discovered open port 50257/tcp on 192.168.1.203
Discovered open port 7547/tcp on 192.168.1.203
Discovered open port 60001/tcp on 192.168.1.203
Discovered open port 50259/tcp on 192.168.1.203
Discovered open port 49152/tcp on 192.168.1.203
Discovered open port 20443/tcp on 192.168.1.203
Completed SYN Stealth Scan at 21:54, 5.58s elapsed (65535 total ports)
NSE: Script scanning 192.168.1.203.

What is the output of:

zycli mgmtsrvctl show

?

But is this command possible to run without access to telnet or SSH, port 21-23 to my router?
Could you please explain how to run it? Im new to this..