OpenWrt Forum Archive

Topic: P-660hn-t3a

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

INFO added 20151223: the list of hidden AT cmds available after enabling the DebugFlag, and also the memMapTab, have been added to the Normal booting part.

The device has two different Bootbases available into which you can boot.

1) Normally booting mode:

Bootbase detects and initiates only 16MiB RAM.

Bootbase Version: VTC_SPI_4M1.10 | 2010/06/03 09:32:52
RAM: Size = 16384 Kbytes
DRAM POST: Testing: 16384K
OK
Found SPI Flash 4MiB MX25L3205D(06E) at 0xbfc00000

RAS Version: 3.40(TSP.4)b2

Press any key to enter debug mode within 3 seconds.
.........................
Enter Debug Mode
atsh
RAS Version            : 3.40(TSP.4)b2
Bootbase Version       : VTC_SPI_4M1.10 | 2010/06/03 09:32:52
Vendor Name            : ZyXEL Communications Corp.
Product Model          : P-660HN-T3A
RAS ROM address        : bfc30000
System Type            : 6
MAC Address            : 5067F0C8B8F0
Default Country Code   : 08
Boot Module Debug Flag : 00
RomFile Version        : BC
RomFile Checksum       : 7439
RAS Checksum           : cda0
Core Checksum          : f4a7
SNMP MIB level & OID   : 050000000100000002000000030000000400000005
Main Feature Bits      : 86
Other Feature Bits     :
          93 17 00 00 00 00 00 00-00 00 00 00 00 00 00 00
          00 00 00 00 00 00 00 00-00 00 13 00 00 00

OK
athe
======= Debug Command Listing =======
AT          just answer OK
ATHE          print help
ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)     set BootExtension Debug Flag (y=password)
ATSE          show the seed of password generator
ATRLx         display the 32-bit value of address x
ATGO(x)       run program at addr x or boot router
ATGR          boot router
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
ATSH          dump manufacturer related data in ROM
ATTD          download router configuration to PC via XMODEM
ATUR          upload router firmware to flash ROM
ATLC          upload router configuration file to flash ROM
ATXSx         xmodem select: x=0: CRC mode(default); x=1: checksum mode
ATLD          Upload Configuration File and Default ROM File to Flash
ATCD          Convert Running ROM File to Default ROM File into Flash

OK
atse

0911CDC8B8F0
OK
ATEN1,A1217D5E

OK
athe

======= Debug Command Listing =======
AT          just answer OK
ATHE          print help
ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)     set BootExtension Debug Flag (y=password)
ATSE          show the seed of password generator
ATWLx,y       write address x with 32-bit value y
ATRLx         display the 32-bit value of address x
ATGO(x)       run program at addr x or boot router
ATGR          boot router
AT%Tx         Enable Hardware Test Program at boot up
ATBTx         block0 write enable (1=enable, other=disable)
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
ATCB          copy from FLASH ROM to working buffer
ATCL          clear working buffer
ATSB          save working buffer to FLASH ROM
ATSH          dump manufacturer related data in ROM
ATBS          show the bootbase seed of password generator
ATLBx         xmodem upload bootbase,x is password
ATFLx         set EngDebugFlag in working buffer
ATMP          check & dump memMapTab
ATTD          download router configuration to PC via XMODEM
ATUPx,y       upload to RAM address x for length y from PC via XMODEM
ATUR          upload router firmware to flash ROM
ATDC          hardware version check disable during uploading firmware
ATLC          upload router configuration file to flash ROM
ATXSx         xmodem select: x=0: CRC mode(default); x=1: checksum mode
ATWZa(,b,c,d) write ZyXEL MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM
ATLD          Upload Configuration File and Default ROM File to Flash
ATBR  Reset to default Romfile
ATCD          Convert Running ROM File to Default ROM File into Flash

OK
ATMP

ROMIO image start at bfc30000
code version: 
code start: 80008000
code length: 18E972
memMapTab: 17 entries, start = bfc44000, checksum = BF73
$RAM Section:
  0: BootExt(RAMBOOT), start=80030000, len=18000
  1: HTPCode(RAMCODE), start=80048000, len=E0000
  2: RasCode(RAMCODE), start=80048000, len=570000
$ROM Section:
  3: BootBas(ROMIMG), start=bfc28000, len=4000
  4: DbgArea(ROMIMG), start=bfc2c000, len=2000
  5: RomDir2(ROMDIR), start=bfc2e000, len=2000
  6: BootExt(ROMIMG), start=bfc30030, len=13FD0
  7: MemMapT(ROMMAP), start=bfc44000, len=C00
  8: HTPCode(ROMBIN), start=bfc44c00, len=8000
     (Compressed)
     Version: HTP_TC V 0.05, start: bfc44c30
     Length: 10508, Checksum: 0268
     Compressed Length: 41E7, Checksum: E942
  9: termcap(ROMIMG), start=bfc4cc00, len=400
 10: RomDefa(ROMIMG), start=bfc4d000, len=2000
 11: LedDefi(ROMIMG), start=bfc4f000, len=400
 12: LogoImg(ROMIMG), start=bfc4f400, len=2000
 13: LogoImg2(ROMIMG), start=bfc51400, len=2000
 14: StrImag(ROMIMG), start=bfc53400, len=32000
 15: Rt11nE2p(ROMIMG), start=bfc85400, len=400
 16: RasCode(ROMBIN), start=bfc85800, len=278C00
     (Compressed)
     Version: ADSL ATU-R, start: bfc85830
     Length: 562710, Checksum: 38CD
     Compressed Length: 13916F, Checksum: F4A7
$USER Section:
Msecs   128
Heap0   16   300 16
Heap1   32   64  4
Heap2   64   64  4
Heap3   128  160 4
Heap4   192  256 4
Heap5   256  80  4
Heap6   320  20   4
Heap7   384  4   2
Heap8   448  20  2
Heap9   512  34  2
Heap10  1024 52  4
Heap11  2048 20  2
Heap12  3172 4   2
Heap13  4096 2   2
Heap14  0 0
Heap15  0 0
MbufInt 20 20 20
MbufIO  160 160 1300 95 0 0
Queue   90
Cbuf    160
FuncId  30
Proc    40
Timer   64
DNS     128
Model 3 6035 333 0
FilterSet 12
IpRoute 16
IpxRoute 4
IpMaxRt     128   
IpxMaxRt    128
IpxMaxSap   128
FwTos   300 16 16 16
AclType0   2048  8  10
AclType1   2048  8  100
AclType2   2048  8  20
AclType3   2048  8  128
AclType4   2048  8  128
AclType5   32768 8  128
AppleTalkRoute  0
Bridge      4
RemoteNode  8
Profile     8
Endpoint    4
NATServerSet   10
DHCPEntry   254
PoeSvrCnt   4
ScheduleSet 12
AclBuffer   1
IPSecManualSA   8
IPSecIkePeer    8
IPSecIkeSA  8
IPSecAclBuffer  1
IPSecSPD    5
NatAclBuffer    1
CustomPort  10
NatSessions 2048
cwmpTxBufLen    56000
IpPolicySet 12
CoeFixedPart    0
MiscFirewallBuffer 1
CyberPatrolBuffer 1
CyberPatrolListBuffer 1
TrustedIPNum 0
AccessSecHost   16
NatRulePerSet   24
UPNPNum         1
IPBUFixpart     1
VCHuntSet   10
VCHuntMang  1
TCDMT   32
WLANEXT 4
CHINANM    2
VlanCtl 1
QosCtl 1
Features    1
CWMPATTR    1
NatVirSvrApp    9
HTTPURLs 1
WLANWDSEXT  1
TimeOfDay   1
WLANWPSOOBEXT   1
FilterRuleName  50
SecondUser      1
DHCPMac 8
AccessSecHostExt    16
ServerExt   1
Reserve_1       1
CWMPATTR_1  1
WlanIEEE8021X   1
MailAccountInfo       1
ftpAuthInfo 1
telnetAuthInfo  1
IP_Filter_Enhancement   1
tcCwmp_IP_Filter    1
tcCwmp_Enhancement  1
NatSessCtrl 1
Reserve_2   1
PPP_Ext 1
WlanIEEE8021X_Ext   1
TimeOfDayExt    1
ScheduleRule    35
WlanExt_2   1
LanIEEE8021X    1
IP6Route    16
RemoteNodeIP6   8
EtherIP6    1
IP6QosCtl   1
accessRange_ext 5
CwmpAttr2   1
Reserve_3   1

OK



2) Recovery mode:

You can get here if you press and hold the Reset button for a few seconds while switching on the device. Then the device starts with a different Bootbase, which detects and initiates 32MiB RAM (this size matches the real RAM chip on the PCB).

Bootbase Version: VTC_ROM_1.16 | 2009/12/18 14:28:26
RAM: Size = 32768 Kbytes
DRAM POST: Testing: 32768K
OK

done

So 32MiB RAM and 4MiB FLASH should be enough for running openwrt.
Now I would like to proceed according to http://www.ixo.de/info/zyxel_uclinux/ to make a dump of the RAM to debrick the current firmware and prepare a new one. But the main current problem is with enabling the Debug Flag.

Neither the common procedure (the combination of the cmds ATSE and ATEN) nor only the cmd ATEN with the typical password derived from the MAC works :-(

Do you have any idea what I can do or how I can proceed to enable it?

Thanks in advance.

(Last edited by comix on 1 Jan 2016, 20:17)

rqn wrote:

Dump the current firmware and disassemble it, then you can figure out how the password is generated, like: http://piotrbania.com/all/articles/tplink_patch/

Thanks for the link. This web page uses a different "magic value" for generating the password compared to all the other web sites which I saw and tried before (including various ZynPass files which I tried to use too). And if I try to generate a password from this page, then my device accepts the password. Great :-)
So, now I'm finally able to enable the DebugFlag. Now I'm going to dump the RAM. I'll provide a new update asap.

To be able to dump the flash memory I had to change the firmware first to one which provides all the necessary AT commands to dump memory after enabling the Debug Flag. So, I found a similar board on wikidevi (with the same SoC TC3162U) and tried to upload a few firmwares into my device. I was successful with the firmware for the Huawei HG530. This firmware provides many more AT commands after enabling the Debug Flag (see below):

Bootbase Version: VTC_SPI_4M1.10 | 2010/06/03 09:32:52
RAM: Size = 16384 Kbytes
DRAM POST: Testing: 16384K
OK
Found SPI Flash 4MiB MX25L3205D(06E) at 0xbfc00000

RAS Version: V100R001B025 2014/12/16
System   ID: #5.1.150.0(RUE0.C2)3.12.8.76    2014/12/16

Press any key to enter debug mode within 3 seconds.
.................
Enter Debug Mode
atsh

RAS Version            : #5.1.150.0(RUE0.C2)3.12.8.76     2014/12/16
Bootbase Version       : VTC_SPI_4M1.10 | 2010/06/03 09:32:52
Vendor Name            : ZyXEL Communications Corp.
Product Model          : P-660HN-T3A
RAS ROM address        : bfc30000
System Type            : 6
MAC Address            : 5067F0C8B8F0
Default Country Code   : 08
Boot Module Debug Flag : 00
RomFile Version        : C5
RomFile Checksum       : 8df2

RAS Checksum           : cae8
Core Checksum          : 8076
SNMP MIB level & OID   : 050000000100000002000000030000000400000005

Main Feature Bits      : 86
Other Feature Bits     :
          93 17 00 00 00 00 00 00-00 00 00 00 00 00 00 00   
          00 00 00 00 00 00 00 00-00 00 13 00 00 00           

OK
athe

======= Debug Command Listing =======
AT          just answer OK
ATHE          print help
ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)     set BootExtension Debug Flag (y=password)
ATSE          show the seed of password generator
ATTI(h,m,s)   change system time to hour:min:sec or show current time
ATDA(y,m,d)   change system date to year/month/day or show current date
ATDS          dump RAS stack
ATDT          dump Boot Module Common Area
ATDUx,y       dump memory contents from address x for length y
ATRBx         display the  8-bit value of address x
ATRWx         display the 16-bit value of address x
ATRLx         display the 32-bit value of address x
ATGO(x)       run program at addr x or boot router
ATGR          boot router
ATGT          run Hardware Test Program
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
ATSH          dump manufacturer related data in ROM
ATDOx,y       download from address x for length y to PC via XMODEM
ATTD          download router configuration to PC via XMODEM
ATUR          upload router firmware to flash ROM
ATLC          upload router configuration file to flash ROM
ATXSx         xmodem select: x=0: CRC mode(default); x=1: checksum mode
ATLD          Upload Configuration File and Default ROM File to Flash
ATCD          Convert Running ROM File to Default ROM File into Flash

OK
atse
05B30BC8B8F0
OK
 ATEN1, A120BEDA
OK
athe
======= Debug Command Listing =======
AT          just answer OK
ATHE          print help
ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)     set BootExtension Debug Flag (y=password)
ATSE          show the seed of password generator
ATTI(h,m,s)   change system time to hour:min:sec or show current time
ATDA(y,m,d)   change system date to year/month/day or show current date
ATDS          dump RAS stack
ATDT          dump Boot Module Common Area
ATDUx,y       dump memory contents from address x for length y
ATWBx,y       write address x with  8-bit value y
ATWWx,y       write address x with 16-bit value y
ATWLx,y       write address x with 32-bit value y
ATRBx         display the  8-bit value of address x
ATRWx         display the 16-bit value of address x
ATRLx         display the 32-bit value of address x
ATGO(x)       run program at addr x or boot router
ATGR          boot router
ATGT          run Hardware Test Program
AT%Tx         Enable Hardware Test Program at boot up
ATBTx         block0 write enable (1=enable, other=disable)
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
ATWEa(,b,c,d) write MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM
ATCUx         write Country code to flash ROM
ATCB          copy from FLASH ROM to working buffer
ATCL          clear working buffer
ATSB          save working buffer to FLASH ROM
ATBU          dump manufacturer related data in working buffer
ATSH          dump manufacturer related data in ROM
ATWMx         set low 6 digits MAC address in working buffer
ATMHx         set hight 6 digits MAC address in working buffer
ATBS          show the bootbase seed of password generator
ATLBx         xmodem upload bootbase,x is password
ATSMx         set 6 digits MAC address in working buffer
ATCOx         set country code in working buffer
ATFLx         set EngDebugFlag in working buffer
ATSTx         set ROMRAS address in working buffer
ATSYx         set system type in working buffer
ATVDx         set vendor name in working buffer
ATPNx         set product name in working buffer
ATFEx,y,...   set feature bits in working buffer
ATMP          check & dump memMapTab
ATDOx,y       download from address x for length y to PC via XMODEM
ATTD          download router configuration to PC via XMODEM
ATUPx,y       upload to RAM address x for length y from PC via XMODEM
ATUR          upload router firmware to flash ROM
ATDC          hardware version check disable during uploading firmware
ATLC          upload router configuration file to flash ROM
ATUXx(,y)     xmodem upload from flash block x to y
ATERx,y       erase flash rom from block x to y
ATWFx,y,z     copy data from addr x to flash addr y, length z
ATXSx         xmodem select: x=0: CRC mode(default); x=1: checksum mode
ATLD          Upload Configuration File and Default ROM File to Flash
ATBR              Reset to default Romfile
ATCD          Convert Running ROM File to Default ROM File into Flash

OK

P-660HN-T3A with firmware Huawei HG530 uses following memMapTab:

atmp
ROMIO image start at bfc30000
code version:
code start: 80008000
code length: 178896
memMapTab: 18 entries, start = bfc44000, checksum = F979
$RAM Section:
  0: BootExt(RAMBOOT), start=80030000, len=18000
  1: HTPCode(RAMCODE), start=80048000, len=E0000
  2: RasCode(RAMCODE), start=80048000, len=570000
$ROM Section:
  3: BootBas(ROMIMG), start=bfc28000, len=4000
  4: DbgArea(ROMIMG), RomDir2(ROMDIR), start=bfc2e000, len=2000
  6: BootExt(ROMIMG), start=bfc30030, len=13FD0
  7: MemMapT(ROMMAP), start=bfc44000, len=C00
  8: HTPCode(ROMBIN), start=bfc44c00, len=8000
     (Compressed)
     Version: HTP_TC V 0.05, start: bfc44c30
     Length: 100D0, Checksum: 5429
     Compressed Length: 40D7, Checksum: 2E6C
  9: termcap(ROMIMG), start=bfc4cc00, len=400
 10: RomDefa(ROMIMG), start=bfc4d000, len=2000
 11: LedDefi(ROMIMG), start=bfc4f000, len=400
 12: LogoImg(ROMIMG), start=bfc4f400, len=2000
 13: LogoImg2(ROMIMG), start=bfc51400, len=2000
 14: StrImag(ROMIMG), start=bfc53400, len=32000
 15: Rt11nE2p(ROMIMG), start=bfc85400, len=400
 16: CertFile(ROMBIN), start=bfc85800, len=800
     signature error!
 17: RasCode(ROMBIN), start=bfc86000, len=388C00
     (Compressed)
     Version: ADSL ATU-R, start: bfc86030
     Length: 4FF00C, Checksum: ECD5
     Compressed Length: 122892, Checksum: 8076
$USER Section:
Msecs   96
Heap0   16   160 64
Heap1   32   160 64
Heap2   64   160 64
Heap3   128  160 64
Heap4   192  30 16
Heap5   256  30 16
Heap6   320  8  6
Heap7   384  16 6
Heap8   448  16 6
Heap9   512  16  8
Heap10  576  12  8
Heap11  1024 20  4
Heap12  2560 18  2
Heap13  4096 8  2
Heap14  0 0
Heap15  0 0
MbufInt 20 20 20
MbufIO  160 160 1400 0 0
Queue   80
Cbuf    160
FuncId  30
Proc    45
Timer   64
DNS     128
Model 3 6035 666 1
FilterSet 12
IpRoute 16
IpxRoute 4
IpMaxRt     128
IpxMaxRt    128
IpxMaxSap   128
FwTos   300 16 16 16
AclType0   2048  8  10
AclType1   2048  8  100
AclType2   2048  8  20
AclType3   2048  8  128
AclType4   2048  8  128
AclType5   32768 8  128
AppleTalkRoute  0
Bridge          4
RemoteNode      8
Profile         8
Endpoint        4
NATServerSet    10
DHCPEntry       254
PoeSvrCnt               4
ScheduleSet     12
AclBuffer               1
IPSecManualSA   8
IPSecIkePeer    8
IPSecIkeSA              8
IPSecAclBuffer  1
IPSecSPD                5
NatAclBuffer    1
CustomPort              10
NatSessions             1024
cwmpTxBufLen     50000
IpPolicySet     12
CoeFixedPart    0
MiscFirewallBuffer              1
CyberPatrolBuffer               1
CyberPatrolListBuffer   1
TrustedIPNum    0
AccessSecHost   16
NatRulePerSet   36
UPNPNum         1
IPBUFixpart     1
VCHuntSet       32
VCHuntMang      1
TCDMT   32
WLANEXT         4
CHINANM    2
VlanCtl 1
QosCtl 1
Features        1
HUAWEIPppEXT    1
CWMPATTR        1
NatVirSvrApp    1
HTTPURLs        1
SecondUser      1
macPvcBindCtl   1
CWMPEXT         1
CWMPATTR_1      1
WLANWDSEXT              1
deviceInfoHN    1
weekSched       1
HTTPURLExtras   1
DHCPMac         8
WLANWPSOOBEXT           1
admin2Info      3
ftpAuthInfo     1
telnetAuthInfo  1
DNSMapping      1
Reserve_1       1
WlanExt_2       1
NatVirSvrApp_2  1

OK
Question 1:

Now I see that probably the most important thing to do first will be to upgrade the Bootbase code. In the standard booting process the device uses a Bootbase which detects only 16MiB RAM, and only the emergency Bootbase detects 32MiB (see my first post).

Does anyone know how I can upgrade the Bootbase version?

Question 2:

I made a dump of the 4MiB flash from the address range 0xbfc00000 - 0xc0000000, but I'm not a programmer so I have very limited know-how to analyse this dump.

Could someone help me with the analysis of the dump from the flash memory?

(Last edited by comix on 1 Jan 2016, 20:21)
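As an added example (not part of the post, and not ZyXEL's or Huawei's code), the following Python script parses an ATMP memMapTab listing like the two quoted above and maps every ROM-section entry to its byte offset in a dump taken from 0xbfc00000, the flash base the boot log reports. It checks the entries for overlaps and out-of-range addresses, reports unused gaps, and can carve each entry out of the dump file, which is a first step towards the analysis asked for in Question 2. The embedded sample is the ROM section of the first post's own ATMP output; the FLASH_BASE and FLASH_SIZE constants, the check rules and the entry names used for carved files are my assumptions. The 0x30-byte gap it reports between RomDir2 and BootExt is an inference from the listing (BootExt starts 0x30 past the "ROMIO image start" address), not something the post states.

```python
# Added example (not from the forum post, nor ZyXEL/Huawei code): parse the
# 'ATMP' memMapTab listing and map its ROM entries onto a 4MiB flash dump.
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FLASH_BASE = 0xBFC00000          # SPI flash mapping reported by the boot log (assumed)
FLASH_SIZE = 4 * 1024 * 1024     # MX25L3205D is a 4MiB part (assumed)

# Sample input: ROM section of the first post's ATMP output (only the
# "Compressed Length" detail line of RasCode kept, other detail lines dropped).
ATMP_OUTPUT = """\
$ROM Section:
  3: BootBas(ROMIMG), start=bfc28000, len=4000
  4: DbgArea(ROMIMG), start=bfc2c000, len=2000
  5: RomDir2(ROMDIR), start=bfc2e000, len=2000
  6: BootExt(ROMIMG), start=bfc30030, len=13FD0
  7: MemMapT(ROMMAP), start=bfc44000, len=C00
  8: HTPCode(ROMBIN), start=bfc44c00, len=8000
  9: termcap(ROMIMG), start=bfc4cc00, len=400
 10: RomDefa(ROMIMG), start=bfc4d000, len=2000
 11: LedDefi(ROMIMG), start=bfc4f000, len=400
 12: LogoImg(ROMIMG), start=bfc4f400, len=2000
 13: LogoImg2(ROMIMG), start=bfc51400, len=2000
 14: StrImag(ROMIMG), start=bfc53400, len=32000
 15: Rt11nE2p(ROMIMG), start=bfc85400, len=400
 16: RasCode(ROMBIN), start=bfc85800, len=278C00
     (Compressed)
     Compressed Length: 13916F, Checksum: F4A7
$USER Section:
"""

ENTRY_RE = re.compile(r"^\s*(\d+): (\w+)\((\w+)\), start=([0-9a-f]+), len=([0-9a-f]+)", re.I)
PACKED_RE = re.compile(r"^\s*Compressed Length: ([0-9a-f]+), Checksum: [0-9a-f]+", re.I)

@dataclass
class Entry:
    index: int
    name: str
    section: str                      # ROM / RAM / USER, from the "$... Section:" header
    start: int
    length: int
    packed_len: Optional[int] = None  # compressed blob size, ROMBIN entries only

    @property
    def end(self) -> int:
        return self.start + self.length

def parse_memmaptab(text: str) -> List[Entry]:
    """Turn the ATMP listing into Entry objects; detail lines attach to the last entry."""
    entries, section = [], "?"
    for line in text.splitlines():
        if line.startswith("$"):                        # "$ROM Section:" -> "ROM"
            section = line[1:].split()[0]
        elif (m := ENTRY_RE.match(line)):
            i, name, _kind, start, length = m.groups()
            entries.append(Entry(int(i), name, section, int(start, 16), int(length, 16)))
        elif entries and (m := PACKED_RE.match(line)):
            entries[-1].packed_len = int(m.group(1), 16)
    return entries

def flash_offset(e: Entry) -> Optional[int]:
    # Byte offset inside a dump that starts at FLASH_BASE, or None if outside it.
    if FLASH_BASE <= e.start and e.end <= FLASH_BASE + FLASH_SIZE:
        return e.start - FLASH_BASE
    return None

def check_layout(entries: List[Entry]) -> Tuple[List[str], List[Tuple[int, int]]]:
    """Return (problems, gaps): ROM entries outside flash, overlapping, or with a
    packed blob bigger than their slot; gaps are (index, unused bytes after it)."""
    problems, gaps = [], []
    rom = sorted((e for e in entries if e.section == "ROM"), key=lambda e: e.start)
    for e in rom:
        if flash_offset(e) is None:
            problems.append(f"{e.index}:{e.name} outside flash window")
        if e.packed_len is not None and e.packed_len > e.length:
            problems.append(f"{e.index}:{e.name} packed blob larger than its slot")
    for a, b in zip(rom, rom[1:]):
        if b.start < a.end:
            problems.append(f"{a.index}:{a.name} overlaps {b.index}:{b.name}")
        elif b.start > a.end:
            gaps.append((a.index, b.start - a.end))
    return problems, gaps

def carve_sections(dump: bytes, entries: List[Entry]) -> Dict[str, bytes]:
    # Slice every in-flash entry out of a raw 4MiB dump, keyed "NN_name".
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"expected a {FLASH_SIZE}-byte dump, got {len(dump)}")
    return {f"{e.index:02d}_{e.name}": dump[off:off + e.length]
            for e in entries if (off := flash_offset(e)) is not None}

if __name__ == "__main__":
    ents = parse_memmaptab(ATMP_OUTPUT)
    for e in ents:
        off = flash_offset(e)
        print(f"{e.index:2d} {e.name:9s} {e.start:08x}-{e.end:08x}", "not in flash" if off is None else f"dump+0x{off:06x}")
    probs, gaps = check_layout(ents)
    print("problems:", probs or "none", "| gaps:", [(i, hex(g)) for i, g in gaps])
    if len(sys.argv) > 1:                 # optional: path to a real dump -> one .bin per entry
        dump = open(sys.argv[1], "rb").read()
        for fname, blob in carve_sections(dump, ents).items():
            open(fname + ".bin", "wb").write(blob)
```

Run it without arguments to see each entry's offset inside the dump, or with the path of the 4MiB dump file to write one .bin per entry (for example 16_RasCode.bin, the compressed RAS image). Only the layout is checked; the listing's checksums are left alone because the post does not say how they are computed.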
