OpenWrt Forum Archive

Topic: Zyxel P-2812HNU-F3-telenor debrand ?

The content of this topic has been archived between 30 Mar 2018 and 4 May 2018. Unfortunately there are posts – most likely complete pages – missing.

@oxo

Hi oxo.

I was looking for argument for ATSE command in GPL source files and I found:

[file = zboot_sub.c]

/* show the seed of the password generator */
int
do_atse (int argc, char *argv[])
{
    char tmp[60], sig[] = MRD_ATSE_SIGNATURE;
    static u_int32_t seeder = 0;

    if (argc != 1) {
        error_msg(ERROR_MSG_ARG_NUM_ERR);
        return -1;
    }

    if (strncmp(argv[0], sig, sizeof(sig))) {
        error_msg(ERROR_MSG_ARG_ERR);
        return -1;
    }

    seeder = get_timer(0);
    if (seeder == 0) {
        seeder = get_timer(0);
    }
    seeder &= 0xffffff;

    g_pw_timestamp = seeder;

    sprintf(tmp, "%06X", g_pw_timestamp);
    sprintf(tmp, "%s%02X%02X%02X\n", tmp, g_mrd_ptr->EtherAddr[3], g_mrd_ptr->EtherAddr[4], g_mrd_ptr->EtherAddr[5]);
    puts(tmp);

#if 0
    printf("passwd=%x\n",generate_pw());
#endif

    return 0;
}
/* do_atse */

where MRD_ATSE_SIGNATURE stands for

#define MRD_ATSE_SIGNATURE        "P-2812HNUL-F1"

in file zboot_main.h

Maybe P-2812HNUL-F1 is the argument in ATSE command ... could you test it, please?

asmartin wrote:

@oxo

Maybe P-2812HNUL-F1 is the argument in ATSE command ... could you test it, please?


if mac address is ab:cd:ef:gh:ij:kl
this command generate string like this
xxxxxxghijkl

x=every time different hex symbol


it works!!
cool!

atse P-2812HNUL-F1
output string i bring into ZynPass JS v.0.1.4b generation form
and get workable password for aten command

yahoooo)

(Last edited by zerg on 10 Dec 2013, 22:23)

zerg wrote:
asmartin wrote:

@oxo

Maybe P-2812HNUL-F1 is the argument in ATSE command ... could you test it, please?


if mac address is ab:cd:ef:gh:ij:kl
this command generate string like this
xxxxxxghijkl

x=every time different hex symbol


it works!!
cool!

atse output string i bring into ZynPass JS v.0.1.4b generation form
and get workable password for aten command

yahoooo)


Hi zerg.

Please confirm procedure.

So you have to use:

ZHAL>ATSE P-2812HNUL-F1

The result of ATSE command is a string like this: xxxxxxghijkl where your MACaddess was something like ab:cd:ef:gh:ij:kl

Then you used ZynPass JS v.0.1.4b generation form to calculate ATEN password and it works.

Is it right?

(Last edited by asmartin on 10 Dec 2013, 21:47)

asmartin wrote:

   it works.

Is it right?

yess!

//remark
i test this  not on a p2812hnu(l)-f(1/3) device but on the device with the same hardware(lantiq vr9)/software platform.


asmartin wrote:

   
Please could you tell me which router/platform you used?

i only can approve that this algorithm  give full access to advanced debug commands   for zyxel's  lantiq vr9 platform devices.

its win.

(Last edited by zerg on 10 Dec 2013, 22:08)

Please could you tell me which router/platform you used?

Because I also have the bootbase 3.04 from GLP sources that zyxel provided me, so it's possible to upload the bootbase and the original firmware from zyxel big_smile

(Last edited by asmartin on 10 Dec 2013, 21:59)

zerg wrote:
asmartin wrote:

   it works.

Is it right?

yess!

//remark
i test this  not on a p2812hnu(l)-f(1/3) device but on the device with the same hardware(lantiq vr9)/software platform.


asmartin wrote:

 

Please could you tell me which router/platform you used?

i only can approve that this algorithm  give full access to advanced debug commands   for zyxel's  lantiq vr9 platform devices.

its win.

Ok, but did you use P-2812HNUL-F1 as argument for ATSE command? or just ATSE command without argument?

Could you please show a complete list of available commands once you have activated debug flag (with ATEN)?, you can list the command set between code marks ...

Thanks in advance.

(Last edited by asmartin on 10 Dec 2013, 22:18)

asmartin wrote:


Ok, but did you use P-2812HNUL-F1 as argument for ATSE command? or just ATSE command without argument?

Could you please show a complete list of available commands once you have activated debug flag (with ATEN)?, you can list the command set between code marks ...

Thanks in advance.

list of commands is the same
but now you get full access to all of them.


atse P-2812HNUL-F1
this string will give you seed for passgen for aten command.

zerg wrote:
asmartin wrote:


Ok, but did you use P-2812HNUL-F1 as argument for ATSE command? or just ATSE command without argument?

Could you please show a complete list of available commands once you have activated debug flag (with ATEN)?, you can list the command set between code marks ...

Thanks in advance.

list of commands is the same
but now you get full access to all of them.


atse P-2812HNUL-F1
this string will give you seed for passgen for aten command.

THANK YOU.

I already bricked my P-2812HNU-F1, but I probably will purchase other branded to try to unbrand and show the process here.

@oxo

Do you have any branded router yet?

Now you can upload the bootbase with ATBU command (After ATBT 1), and the original firmware with ATUR. By this way, you will have one router like original F1.

I can compile one bootbase with valid signature, same version 3.04 than original zyxel routers have. If you are interested, just requested em by email.

@zerg

I have prepared the original bootbase file (no oob) with oob info using mkoobimg (from gpl  source code that zyxel provided to me). I can provide to you this bootloader image to upload with ATUB, to test is, are you agree?

Note ATUB manage oob images, not just bin files, because of NAND ECC algorithms, as indicated by zyxel.

(Last edited by asmartin on 11 Dec 2013, 12:33)

asmartin wrote:

I can provide to you this bootloader image to upload with ATUB, to test is, are you agree?

thank you.
but
i dont own sabj of this thread.
i dont need .bm for it.

my interest was to get full access to debug commands on a vr9_lantiq_zyxel platform.
you guys help me to understand and test working algorithm to get it.
have a nice zyxel)

Hi,

I just found this thread and I have a branded P-2812HNUL-F1.

Tested the ATSE command which worked as expected. Do you have a bootloader image uploaded on dropbox?

for me, on ZYXEL P-2812HNU-F3 TELENOR, not work any of those combinations.

ATSE P-2812-HNU-F1
ATSE P-2812-HNUL-F1
ATSE P-2812-HNU-F3
ATSE P-2812-HNUL-F3

BUT

work this

ATSE DSL-2492HNU-L3v2  big_smile

and for who don't have the tool to find password from seed use this:

zyxel-seed

(Last edited by cornelus2009 on 13 Dec 2013, 19:02)

Congratulations cornelus2009!!!!

It shows kind of work zyxel does with branded routers (they don't use original router bootbase but a strange mixture ofbootbase and firms).

@notez

This is the link to my ZyXEl P-2812HNU-F1 dropbox folder. File /bootloader/304TUJ.bm is the file that you have to upload using ATBT 1 and later ATUB:

          ZyXEL P-2812HNU-F1 DropBox by asmartin

And upload original zyxel firmware image (/311TUJ0C0/311TUJ0C0.bin) with ATUR before reseting the router.

(Last edited by asmartin on 14 Dec 2013, 18:33)

cornelus2009 wrote:

for me, on ZYXEL P-2812HNU-F3 TELENOR, not work any of those combinations.

ATSE P-2812-HNU-F1
ATSE P-2812-HNUL-F1
ATSE P-2812-HNU-F3
ATSE P-2812-HNUL-F3

BUT

work this

ATSE DSL-2492HNU-L3v2  big_smile

and for who don't have the tool to find password from seed use this:

zyxel-seed

GREAT JOB Cornel!!!

How did you find the X parameter for ATSE command?. I obtained the one for F1 model from searching into GPL source files.

notez wrote:

Hi,

I just found this thread and I have a branded P-2812HNUL-F1.

Tested the ATSE command which worked as expected. Do you have a bootloader image uploaded on dropbox?

Hi notez.

Could you tell me brand and firmware version of your router?

Thanks

asmartin wrote:
cornelus2009 wrote:

for me, on ZYXEL P-2812HNU-F3 TELENOR, not work any of those combinations.

ATSE P-2812-HNU-F1
ATSE P-2812-HNUL-F1
ATSE P-2812-HNU-F3
ATSE P-2812-HNUL-F3

BUT

work this

ATSE DSL-2492HNU-L3v2  big_smile

and for who don't have the tool to find password from seed use this:

zyxel-seed

GREAT JOB Cornel!!!

How did you find the X parameter for ATSE command?. I obtained the one for F1 model from searching into GPL source files.

from my source code also.

passero wrote:
asmartin wrote:
passero wrote:

New FW version ??? The revision looks old but the date is new...

http://origin-tw.zyxel.com/za/en/suppor … b=Firmware

Right now only a pdf file with changelog.

Hi passero.

Have a look to documentation: new firmware for P-2813HNU-F1 RAS, but firmware for european version is OBM. Different bootbase.

I know you have to match bootbase to firmware version, and in case of debranding, we need a WHOLE image that includes bootbase + firmware.

I already done something similar with a P870HW 51a v2 from Movistar (Spain).

Thank you very much for the info but, unfortunately, I bricked my device :-(


Hi passero.

Finally I changed the firmware sucessfully (now working with my new P-2812HNU-F1).

Does you router have blinking leds or the router does nothing?

Did you try to web-login as supervisor?. It shows a new menu called Login Privilege to assig different menues to each user.




http://img163.imageshack.us/img163/6752/f14h.png




It's a bit more privilege than admin

(Last edited by asmartin on 22 Dec 2013, 15:22)

@oxo

Do you have a TelenorRemoteAdmin folder in your router's /home folder?, I found it in mine once I changed from 3.11(TUJ.3) to 3.11(TUJ.0) firmware.

I activated SFTP access from web and then used WinSCP

(Last edited by asmartin on 22 Dec 2013, 09:33)

zerg wrote:

pay attention that you do not use this .bin files
https://forum.openwrt.org/viewtopic.php … 64#p215864
with atub bootloader update procedure
couse this bin files may be used with  u-boot commands shell only by
nand write
command

to use atub command under ZHAL commands shell to update bootloader you need to use .bm files
https://forum.openwrt.org/viewtopic.php … 57#p219657

No, DON'T use those files with ATUB or any other shell because they don't have OOB info, so you will not be able to upload (maybe you will obtain a "checksum error"). That's why I customized the bootloader as indicated in other threat.

Yo need oob files to program de nand. It's how the info in the nand is stored, with OOB (partial checksum) info, one block for each 2048 bytes. That's why bootloader has more than 128Kbytes, due to OOB overhead.

(Last edited by asmartin on 23 Dec 2013, 17:19)

I'm trying to make a supervisor account, but when I create one I can't use it to log in at the web-gui.

# adduser -S supervisor
adduser: /home/supervisor: Read-only file system
Changing password for supervisor
New password:
Retype password:
Password for supervisor changed by root

What am I doing wrong?

(Last edited by hjortland1 on 30 Dec 2013, 11:20)

I am trying to unbrand my ZyXEL P2813HNU-f3 from telenor, i have gained access to root and gotten into the telenorremoteadmin user but i can't figure out what it takes to unbrand it and restore it with Zyxel original firmware.

I have rootet the device via Ethernet cable and i can't add a "supervisor" account, the account gets created as a LinuxUser.

If anyone could help i would really love it, don't like what telenor does to their branded routers.

If anyone could provide a idiotproof guide to to this i would love it.

antonedvard wrote:

I am trying to unbrand my ZyXEL P2813HNU-f3 from telenor, i have gained access to root and gotten into the telenorremoteadmin user but i can't figure out what it takes to unbrand it and restore it with Zyxel original firmware.

I have rootet the device via Ethernet cable and i can't add a "supervisor" account, the account gets created as a LinuxUser.

If anyone could help i would really love it, don't like what telenor does to their branded routers.

If anyone could provide a idiotproof guide to to this i would love it.

this model cannot be unbranded.