OpenWrt Forum Archive

Topic: Zyxel AMG1302-T10B

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all, this is a post to document the Zyxel AMG1302-T10B. I recently had a couple of these donated to me and couldn't find out much about them, less so on OpenWRT.

The ZyXEL AMG1302 is a Wireless-N ADSL2+ router with two "Airgain" antennas, built around a Ralink rt63365e.

Using a serial converter on J4 on the motherboard (RXD, TXD, GND, VCC 3V - 115200), the boot process is as follows:

U-Boot 1.1.5 (Jan 31 2013 - 11:09:29)

CPU: RT63365
Memory Size: 32 MB
Found SPI Flash 8MiB Winbond W25Q64 at 0xb0000000
Size: 8 MB in 128 Sectors
Manufacturer ID  = 00ef
Device ID        = 4017

Using default environment
In:    serial
Out:   serial
Err:   serial
Net:   skbuff start addr a1100000
RT63365 Switch
MAC addresses in MRD and Env don't match.
Use MAC in MRD: 28:28:5D:A5:7E:B4

## Starting application at 0x81FC0000 ...

OK
Search PHY addr and found PHY addr=0
Hit any key to stop autoboot: 0

***** ZyXEL Communications Corporation Firmware *****
Uncompressing [LZMA] ...  done.
Linux version 2.6.22.15 (root@seven-desktop) (gcc version 4.3.4 (GCC) ) #17 SMP Thu Jun 20 21:59:36 CST 2013
ISPRAM0: PA=00270000,Size=00008000,enabled
Enable SRAM=1c000001
Ralink RT63365 SOC prom init
CPU revision is: 00019555
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
3 available secondary CPU TC(s)
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS0 rootfstype=squashfs es=1
Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (23 instructions).
Synthesized TLB load handler fastpath (37 instructions).
Synthesized TLB store handler fastpath (37 instructions).
Synthesized TLB modify handler fastpath (36 instructions).
Cache parity protection disabled
PID hash table entries: 128 (order: 7, 512 bytes)
CPU frequency 420.00 MHz
Using 250.000 MHz high precision timer.
console handover: boot [early0] -> real [ttyS0]
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 29044k/32768k available (2404k kernel code, 3724k reserved, 491k data, 168k init, 0k highmem)
SLUB: Genslabs=17, HWalign=32, Order=0-1, MinObjects=4, CPUs=4, Nodes=1
Mount-cache hash table entries: 512
34K sync es set to 1.
Config7: 0x80080500
FPU Affinity set after 929 emulations
Limit of 4 TCs set
TLB of 64 entry pairs shared by 2 VPEs
VPE 0: TC 0 1 2, VPE 1: TC 3
IPI buffer pool of 32 buffers
CPU revision is: 00019555
TC 1 going on-line as CPU 1
CPU revision is: 00019555
TC 2 going on-line as CPU 2
CPU revision is: 00019555
TC 3 going on-line as CPU 3
Brought up 4 CPUs
migration_cost=10000
NET: Registered protocol family 16
RT63365_pcie_init
registering PCI controller with io_map_base unset
PCI: Bridge: 0000:00:00.0
  IO window: disabled.
  MEM window: 20000000-200fffff
  PREFETCH window: disabled.
PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 12288 bytes)
TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
TC3162 hardware watchdog module loaded.
squashfs: version 3.0 (2006/03/15) Phillip Lougher
io scheduler noop registered (default)
ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
NET: Registered protocol family 24
IMQ starting with 2 devices...
IMQ driver loaded successfully.
        Hooking IMQ after NAT on PREROUTING.
        Hooking IMQ before NAT on POSTROUTING.
tc3162: flash device 0x01000000 at 0x10000000
tc3162: Found SPIFLASH 8MiB Winbond W25Q64
Creating 9 MTD partitions on "tc3162":
0x00000000-0x00020000 : "bootloader"
0x00020000-0x00030000 : "romfile"
0x00030000-0x0012b210 : "kernel"
mtd: partition "kernel" doesn't end on an erase block -- force read-only
0x0012b210-0x005d2210 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
0x005d2210-0x005d4dce : "defcfg"
mtd: partition "defcfg" doesn't start on an erase block boundary -- force read-only
0x00030000-0x007a0000 : "tclinux"
0x007a0000-0x007e0000 : "reservearea"
0x007e0000-0x007f0000 : "romd"
0x007f0000-0x00800000 : "second_romfile"

root filesystem is from rootfs
RT3xxx EHCI/OHCI init.
net/core/klink_updown.c:99 >> Create link_updown kernel netlink success!
u32 classifier
    Performance counters on
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (256 buckets, 2048 max)
ctnetlink v0.93: registering with nfnetlink.
nf_conntrack_rtsp v0.6.21 loading
nf_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 168k freed
busybox init and set aff
init started:  BusyBox v1.00 (2013.06.20-13:59+0000) multi-call binary
chmod: /userfs/profile.cfg: Read-only file system
/userfs/profile.cfg: 329: TRUE_AUTO_DMZ: not found
tcledctrl: module license 'unspecified' taints kernel.
TC3162 LED Manager 0.1 init

tcledctrl version: tcledctrl V1.1.0.0 (Jun 20 2013-21:59:47).
tccicmd V1.1.0.0 (Jun 20 2013-21:59:48)
htp_switch=0
system is initialized in normal mode

tcsmux version: tcsmux V1.1.0.0 (Dec 25 2011-15:32:01).

tcportbind version: tcportbind V1.1.0.0 (Jun 20 2013-20:13:24).
TCSUPPORT_IPV6
write file (/tmp/md5.txt) successfully!
The number of cache node is 5
compressedLen = 13311

===webRedirectInit, reason = 1, redirect status: 0===

 can't read web redirect parametercompressedLen = 13062
compressedLen = 13311
Read current configuration...
compressedLen = 11158
Read default configuration...
sslca_verify!

 node is NULL
 node is NULL
 node is NULL
 node is NULL
 node is NULL
 node is NULL
 node is NULL
 node is NULL
 node is NULL
 node is NULLFile /etc/isp0.conf content DHCPClientopt60Flag= is worng
File /etc/isp0.conf content DHCPClientopt60value= is worng
etherWan_write isMSTCEtherWan=0 not ETH mode
mrd.CountryCode = FF
Success to set CountryRegion by mrd country code.
mtd[readflash]:device=reservearea tclen=512 tcoffset=196608
Unlocking reservearea ...
Reading from reservearea to /tmp/RT30xxEEPROM.bin ...
firewall_cmd = iptables -t filter -A FIREWALL_INPUT -i br+ -j RETURN

firewall_cmd = ip6tables -t filter -A FIREWALL_INPUT -i br+ -j RETURN

firewall_cmd = iptables -t filter -A FIREWALL_FORWARD -i br+ -j RETURN

firewall_cmd = ip6tables -t filter -A FIREWALL_FORWARD -i br+
Add CWMP pass through rules.ables -t filter -A FIREWALL_FORWARD -i ! br+ -m state --state NEW,INVALID -j DROP

firewall_cmd = ip6tables -t filter -A FIREWALL_FORWARD -i ! br+ -m state --state NEW,INVALID -j DROP

firewall_cmd = iptables -t filter -A FIREWALL_INPUT -i ! br+ -m state --state NEW,INVALID -j DROP

firewall_cmd = ip6tables -t filter -A FIREWALL_INPUT -i ! br+ -m state --state NEW,INVALID -j DROP

Can't open /etc/isp1.conf
Can't open /etc/isp1.conf
Can't open /etc/isp2.conf
Can't open /etc/isp2.conf
Can't open /etc/isp3.conf
Can't open /etc/isp3.conf
Can't open /etc/isp4.conf
Can't open /etc/isp4.conf
Can't open /etc/isp5.conf
Can't open /etc/isp5.conf
Can't open /etc/isp6.conf
Can't open /etc/isp6.conf
Can't open /etc/isp7.conf
Can't open /etc/isp7.conf
Can't open /etc/isp8.conf
Can't open /etc/isp9.conf
Can't open /etc/isp10.conf
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
acl_cmd=iptables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport 80 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 80 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport 80 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 80 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport 23 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 23 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport 23 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 23 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport 21 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 21 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport 21 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 21 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport 161 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 161 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport 161 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 161 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport domain -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport domain -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport domain -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport domain -j ACCEPT

Error occurs while getting Wan PVC1 Activate value.
Error occurs while getting Wan PVC2 Activate value.
Error occurs while getting Wan PVC3 Activate value.
Error occurs while getting Wan PVC4 Activate value.
Error occurs while getting Wan PVC5 Activate value.
Error occurs while getting Wan PVC6 Activate value.
Error occurs while getting Wan PVC7 Activate value.
        The TransMode is ATM SKIP PVC8
        The TransMode is ATM SKIP PVC9
        The TransMode is ATM SKIP PVC10
acl_cmd=iptables -t filter -A acl_chain -i ppp0 -p ICMP --icmp-type 8 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i ppp0 -p ICMPv6 --icmpv6-type 128  -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p ICMP --icmp-type 8 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p ICMPv6 --icmpv6-type 128  -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport 22 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 22 -m iprange --src-range 0.0.0.0-2
===.webRedirectInit, reason = 1, redirect status: 0===
acl
 can't read web redirect parameterport 22 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 22 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport 443 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=iptables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 443 -m iprange --src-range 0.0.0.0-223.255.255.255 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p TCP -m multiport --dport 443 -j ACCEPT

acl_cmd=ip6tables -t filter -A acl_chain -i br0 -p UDP -m multiport --dport 443 -j ACCEPT

The kernel doesn't support the ebtables 'filter' table.
sslca_write:get Frag Number failed!
killall: dropbear: no process killed
insmod raeth driver
femac.c:v1.00-NAPI 29.Mar.2011
eth0: FE MAC Ethernet address: 28:28:5D:A5:7E:B4
killall: boa: no process killed
ioctl(SIOCGIFADDR): No such device
TSARM: TC3162 ATM SAR driver 1.5 init

tc3162sar V1.2.0.0 (Jun 20 2013-21:59:45)
register autopvc cmd to sys
TSARM: TC3162 ATM SAR driver 1.5 done
vlantag_drv_init

===webRedirectInit, reason = 1, redirect status: 0===

 can't read web redirect parameterADSL mode, insmod tc3162_dmt.ko !

Enabling SSL security system
SSL security system enabled[01/Jan/2010:00:00:06 +0000] boa: server version Boa/0.94.13
[01/Jan/2010:00:00:06 +0000] boa: server built Jun 20 2013 at 22:01:08.
[01/Jan/2010:00:00:06 +0000] boa: starting server pid=168, port 80
ioctl(SIOCGIFADDR): No such device
ADSL DMT initialization starting
Begin AdslTaskInit.....
End AdslTaskInit
Begin to  request IRQ 20
DMT:Succeed to request IRQ 20
Initializing ADSL F/W 3.20.36.0 ......
Reset dmt

===webRedirectInit, reason = 1, redirect status: 0===

iptables -t nat -A PREROUTING -i br+ -p tcp --dport 80 -j REDIRECT --to-ports 80
iptables -t nat -A PREROUTING -i br+ -p udp --dport 53 -j DNAT --to 192.168.1.1:53
killall: dnsmasq: no process killed
Check DMT version =b2 ........
Initializing ADSL F/W ........ done
ADSL HW version: b2, HCLK 140
TCSUPPORT_WLAN
TCSUPPORT_WLAN_RT5392
The remaining IMEM space cannot accommodate section .text.imem !!
Remaining IMEM space: -4540 bytes       Section Size: 732 bytes
PCI: Enabling device 0000:01:00.0 (0000 -> 0002)
Mirror/redirect action on
Ebtables v2.0 registered
igmpsnoop V1.1.0.0 (Oct 23 2012-16:24:33)

mldsnooping V1.1.0.0 (Jun  8 2012-14:28:18)
eth0: starting interface.
alloc_sram p=bc000800 free=7800
alloc_sram p=bc002800 free=5800
TC2105MJ, <6>Ralink HW NAT Module Enabled
device eth0 entered promiscuous mode
TCSUPPORT_WLAN: ifconfig
0x1300 = 00064380
jiffies=ffff91f3, POLLING_MODE_DETECT_INTV=300
device ra0 entered promiscuous mode
0x1300 = 00064380
jiffies=ffff944a, POLLING_MODE_DETECT_INTV=300
device ra1 entered promiscuous mode
0x1300 = 00064380
jiffies=ffff96a1, POLLING_MODE_DETECT_INTV=300
device ra2 entered promiscuous mode
0x1300 = 00064380
jiffies=ffff98f6, POLLING_MODE_DETECT_INTV=300
device ra3 entered promiscuous mode
TCSUPPORT_WLAN_WDS
TC3162 hardware watchdog initialized
telnetd: starting
  port: 23; login program: /bin/login
[01/Jan/2010:00:00:36 +0000] boa.c:971 - unable to bind: Address already in use
========================insmod iptable_filter=======================
insmod: cannot open module `/lib/modules/2.6.22.15/kernel/net/ipv4/netfilter/iptable_filter.ko': No such file or directory
iptables: Chain already exists
ip6tables: No chain/target/match by that name
/userfs/profile.cfg: 329: TRUE_AUTO_DMZ: not found
/etc/isp0.conf
/etc/ConcurrentWAN.conf
/usr/script/wan_start.sh: 540: cannot create /proc/sys/net/ipv6/conf/nas0/interface_identifier: Directory nonexistent
iptables v1.3.8: Unknown arg `--set-mss'
Try `iptables -h' or 'iptables --help' for more information.
SIOCDIFADDR: Cannot assign requested address
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
lugin pppoa loaded.
PPPoA Plugin Initialized
Plugin pppoa called.
PPPoATM setdevname_pppoatm - SUCCESS
PPPoATM setdevname_pppoatm - SUCCESS
Options file - /etc/ppp/options.0.38.
setting line discipline hook
connect_pppoatm_ses...Enter
connect_pppoatm_ses: socket created fd - 0xc.
traffic_class = 1
glb.qos.rxtp.traffic_class = 0
glb.qos.txtp.pcr = glb.qos.rxtp.pcr = 0
connect_pppoatm_ses: setsockopt called.
sh: /userfs/bin/dproxy: not found
Open file OK fd=10
warning, Failure parsing line 7 of /etc/udhcpd.conf
warning, Failure parsing line 12 of /etc/udhcpd.conf
info, udhcpd (v0.9.9-pre) started
warning, Failure parsing line 8 of /etc/udhcpd_option.conf
warning, Failure parsing line 18 of /etc/udhcpd_option.conf
warning, Unable to open /etc/udhcp_lease for reading
connect_pppoatm_ses: connect successful.
Calling line discipline hook
Setting pppoatm line discipline.
vc encaps.
Using interface ppp0
Connect: ppp0 <-->
Couldn't increase MTU to 1500
Couldn't increase MRU to 1500
Cannot find device "nas0"
Action 4 device imq0 ifindex 2
Cannot find device "nas0"
ra0       no private iread WLAN driver from rt_device failed,set with default value!
device wds0 is not a slave of br0
device wds1 is not a slave of br0
device wds2 is not a slave of br0
device wds3 is not a slave of br0
killall: wscd: no process killed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables v1.3.8: log-level `DEBUG--log-prefix' unknown
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
Testlab 26
ANNEXAIJLM

Enter cwmp boot, we will start tr69 Process
Set SN:S142E12003874 into romfile!
/etc/syslog.conf: 5: WAN-DHCP: not found
/etc/syslog.conf: 6: xDSL: not found
/etc/syslog.conf: 7: ETHER: not found
/etc/syslog.conf: 8: PPP: not found
/etc/syslog.conf: 9: SystemMaintenance: not found
/etc/syslog.conf: 10: RemoteManagement: not found
/etc/syslog.conf: 11: TR069: not found
/etc/syslog.conf: 12: NTP: not found
/etc/syslog.conf: 13: DDNS: not found
/etc/syslog.conf: 14: NAT: not found
/etc/syslog.conf: 15: Firewall: not found
/etc/syslog.conf: 16: DHCP-Srv: not found
/etc/syslog.conf: 17: WLAN: not found
/etc/syslog.conf: 18: INTERNET: not found
/etc/syslog.conf: 19: UPNP: not found
/etc/syslog.conf: 20: DoS: not found
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
ip6tables: No chain/target/match by that name
ip6tables: No chain/target/match by that name
ip6tables: No chain/target/match by that name
ip6tables: No chain/target/match by that name
killall: tftpd: no process killed
rmmod: xt_layer7: No such file or directory
/etc/lanAlias0.conf
ftp switch turn on
sip switch turn off
h323 switch turn on
rtsp switch turn on
l2tp switch turn on
ipsec switch turn on
route: SIOC[ADD|DEL]RT: File exists
email4log:[PrintTime_420]Set the Schedule. Current time 2010/01/01  00:00:44
four ports
SIOCGIFFLAGS: No such device
interface eth0.1 does not exist!
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.2 does not exist!
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.3 does not exist!
sh: vconfig: not found
ra0       no private ioctls.

SIOCGIFFLAGS: No such device
interface eth0.4 does not exist!
ra0       no private ioctls.

sh: vconfig: not found
ra0       no private ioctls.

SIOCGIFFLAGS: No such device
==>getMacEntryByIndex(): ioctl open fail
==>getMacEntryByIndex(): ioctl open fail
==>getMacEntryByIndex(): ioctl open fail
interface eth0.5 does not exist!
==>getMacEntryByIndex(): ioctl open fail
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.6 does not exist!
sh: vconfig: not found
device eth0 is already a member of a bridge; can't enslave it to bridge br0.
/usr/etc/init.d/rcS: 17: cannot create /proc/tc3162/stag_to_vtag: Directory nonexistent
Added VLAN with VID == 1 to IF -:eth0:-
WARNING:  VLAN 1 does not work with many switches,
consider another number if you have problems.
br0: port 6(eth0.1) entering learning state
br0: topology change detected, propagating
br0: port 6(eth0.1) entering forwarding state
Added VLAN with VID == 2 to IF -:eth0:-
br0: port 7(eth0.2) entering learning state
br0: topology change detected, propagating
br0: port 7(eth0.2) entering forwarding state
Added VLAN with VID == 3 to IF -:eth0:-
br0: port 8(eth0.3) entering learning state
br0: topology change detected, propagating
br0: port 8(eth0.3) entering forwarding state
Added VLAN with VID == 4 to IF -:eth0:-
br0: port 9(eth0.4) entering learning state
br0: topology change detected, propagating
br0: port 9(eth0.4) entering forwarding state
Added VLAN with VID == 5 to IF -:eth0:-
br0: port 10(eth0.5) entering learning state
br0: topology change detected, propagating
br0: port 10(eth0.5) entering forwarding state
process `snmpd' is using deprecated sysctl (syscall) net.ipv6.neigh.lo.retrans_time; Use net.ipv6.neigh.lo.retrans_time_ms instead.

get value error(normal attr),the attrName is ISP
get value error(normal attr),the attrName is ISP
get value error(normal attr),the attrName is ISP
get value error(normal attr),the attrName is ISP
get value error(normal attr),the attrName is ISP
get value error(normal attr),the attrName is ISP
get value error(normal attr),the attrName is ISPed VLAN with VID == 6 to IF -:eth0:-
<7>eth0.6: add 33:33:00:00:00:01 mcast address to master interface
AddTimer: get now_time for first time
br0: port 11(eth0.6) entering learning state
br0: topology change detected, propagating
br0: port 11(eth0.6) entering forwarding state
device eth0 left promiscuous mode
br0: port 1(eth0) entering disabled state
eth0.1: dev_set_promiscuity(master, 1)
device eth0 entered promiscuous mode
largeD flag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511)
eth0.3: dev_set_promiscuity(master, 1)
ra0       no private ioctls.

 FwVer:3.20.36.0_A_TC3087 HwVer:T14.F7_11.2
xDSL      module is OK
WIFI      module is FAILED
ETH0      interface is OK
eth0.5: dev_set_promiscuity(master, 1)
eth0.2: dev_set_promiscuity(master, 1)
RA0       interface is FAILED
BR0       interface is OK
APP       tcapi is OK
<<< Device failed during initializing >>>

Please press Enter to activate this console. eth0.4: dev_set_promiscuity(master, 1)
eth0.6: dev_set_promiscuity(master, 1)
ThreadedTimerCheck: get last for first time


ZyXEL login:

http://i.imgur.com/piUBcG2.jpg


A binwalk of a firmware contains the following;


Scan Time:     2015-05-18 11:36:16
Signatures:    193
Target File:   V2.00(AAFN.9)C0.bin
MD5 Checksum:  9480b9395a3eb405c5a7bdfb131d86a3

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
512             0x200           LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3177316 bytes
1032381         0xFC0BD         Squashfs filesystem, big endian, version 3.0, size: 5030439 bytes, 1139 inodes, blocksize: 65536 bytes, created: Thu Jan 15 12:41:42 2015



I hope someone will find this information useful :)

- rsrd.

(Last edited by rsrd on 18 May 2015, 11:36)

Nice report !

I've tried to disassemble the firmware to make small changes and add midnight commander binary but could not manage to remount it.

Do you know how to unpack/decompress and pack/compress the firmware for customization?

If someone could create a sh script to do that, it would be nice!

Cheers!

P.S.: After writing this I found https://code.google.com/p/firmware-mod-kit/ and it seems to do what I was asking for!

(Last edited by mingodad on 20 May 2015, 11:02)

Thanks :D

I must admit, I'm not familiar with the process of modding the firmware, I've just followed a few tutorials and played around, but I have managed to extract the squashfs filesystem.

It's nonstandard, but I could decompress it with 7zip, but not unsquashfs. I think I need a patched version of unsquashfs to do this correctly, I've yet to do anything else as I'm reaching my limits of knowledge hehe.

If anyone makes any progress it would be good to post it here :)

Excellent :) I found I couldn't unsquash the firmware with firmwaremodkit, but I might try it again as the *nix box I'm using is a little messy!

I guess the next step is to try and rebuild a firmware and flash it back to the device :D

I can't seem to get a password seed from the AT commands in ZyU console at start up, so that portion of the router remains locked :(

When flashing with an official firmware (V2.00(AAJC.7)), the following can be observed:

***** ZyXEL Confidential Firmware *****
compressedLen = 11859
pTag->kernelChksum = 32a1ea30
pTag->rootfsChksum = fc028fd9
pTag->defcfgChksum = 0be447dd
cal kernelChksum = 32a1ea30
cal rootfsChksum = fc028fd9
cal defcfgChksum = 0be447dd

pTag->modelId = 5a594515
pTag->chipId = 63365
len = 005d0f38

Ready to flash image...

I've discovered that the following all share the same FCC ID.

AMG1302-T10B
AMG1302-T30B
P-660HN-T1 v2
P-660HN-T3 v2
P-1302-T10B

A variation of one of those may work lol

I also found in the config files;

 <Entry Active="0"
ServerAddr="firmware.zyxel.com.tr" Username="Anonymous" Password="Guest"
Directory="AMG1302-T10B" FileName="P660HNT1Av2.TXT" Interval="720"
Notification="1" />
</AutoFwUpgrade> 

(Last edited by rsrd on 20 May 2015, 14:51)

After some problems with "binwalk" I installed it with "python setup install" (I also needed to chmod all *.sh to make them executable, because when extracted they were not executable). Then I could unpack the firmware using "extract-firmware.sh", but when I tried to repack without any modification using "build-firmware.sh" I got this:

extract-firmware.sh V2.00\(AAJC.7\)C0.bin 
Firmware Mod Kit (extract) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake

Scanning firmware...

Scan Time:     2015-05-20 15:53:30
Signatures:    193
Target File:   /tmp/ZYXEL/V2.00(AAJC.7)C0.bin
MD5 Checksum:  b9f324e5dd93bdaad096f89f76f8a611

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------
512           0x200         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3177316 bytes
1032381       0xFC0BD       Squashfs filesystem, big endian, version 3.0, size: 5053846 bytes, 1139 inodes, blocksize: 65536 bytes, created: Thu Jan 15 13:19:12 2015 

Extracting 1032381 bytes of  header image at offset 0
Extracting squashfs file system at offset 1032381
Extracting 2864 byte footer from offset 6095880
Extracting squashfs files...
[sudo] password for xxxxx: 
Firmware extraction successful!
Firmware parts can be found in '/tmp/ZYXEL/fmk/*'

build-firmware.sh 
Firmware Mod Kit (build) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake

Building new squashfs file system... (this may take several minutes!)
Squashfs block size is 64 Kb
[sudo] password for xxxxx: 
Creating big endian 3.0 filesystem on /tmp/ZYXEL/fmk/new-filesystem.squashfs, block size 65536.

Big endian filesystem, data block size 65536, compressed data, compressed metadata, compressed fragments
Filesystem size 4935.39 Kbytes (4.82 Mbytes)
    24.31% of uncompressed filesystem size (20306.03 Kbytes)
Inode table size 8401 bytes (8.20 Kbytes)
    23.48% of uncompressed inode table size (35781 bytes)
Directory table size 10512 bytes (10.27 Kbytes)
    52.53% of uncompressed directory table size (20011 bytes)
Number of duplicate files found 12
Number of inodes 1139
Number of files 807
Number of fragments 94
Number of symbolic links  103
Number of device nodes 60
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 169
Number of uids 1
    root (0)
Number of gids 0
Remaining free bytes in firmware image: 9035
Processing 0 header(s) from /tmp/ZYXEL/fmk/new-firmware.bin...
CRC update failed.

Firmware header not supported; firmware checksums may be incorrect. 
New firmware image has been saved to: /tmp/ZYXEL/fmk/new-firmware.bin

The repacked firmware has the same size as the original.

I only have one unit, which is in use right now, so I didn't try to install the repacked image. Maybe you, having several of them, could try it?

Cheers!

(Last edited by mingodad on 20 May 2015, 16:00)

OK, progress, thanks to the information found here http://wiki.openwrt.org/toh/zyxel/nbg460n I was able to drop into debug mode :)

ZHAL> aten1,10F0A563
erase addr=0 size=10000
erase addr=10000 size=10000
Erased 2 sectors
Copy to Flash... program from 0 to 20000
....
done

OK
ZHAL>
?                 Print out help messages.
HELP              Print out help messages.
ATGU              go back to U-Boot command line mode
ATUB              xmodem upload bootloader to flash ROM.
ATBT              ATBT <1|0>,Block0 write enable.
ATLC              xmodem upload default config to flash ROM.
ATBR              Clear current rom file sector
ATUR              xmodem upload router firmware to flash ROM.
ATGO              Booting the linux kernel.
ATSH              dump manufacturer related data in ROM.
ATWZ              ATWZ <MAC>,<Country Code>,<EngDebugFlag>,<MainFeatureBit>                       Write MAC address,Country code,EngDebugFlag,MainFeatureBit.
ATSN              ATSN <Serial Number>  write Series Number to flash ROM.
ATSE              show the seed of password generator.
ATEN              ATEN <EngDebugFlag>,<Password>  set BootExtension Debug Flag.
ATWP              ATWP <key>  write WPA-PSK key to flash ROM.
ATSW              show WPA-PSK key.
ATMT              ATMT <1|0>  write HTP switch to flash ROM.
ATUW              xmodem upload flash image to flash ROM.
ATMB              ATMB <time> (time=sec 0~60)  Multiboot
ATTF              enable tftp server.
ZHAL>

I see we posted at the same time, good work with the repack! :D

Edit - Now I have xmodem access to the device I'm assuming if the firmware is broken I can recover it from bricking.

(Last edited by rsrd on 20 May 2015, 16:21)

Thank you!

Two things I want to try to start with:

1 - Replace the busybox with one with more complete tools. I found one for MIPS (http://www.busybox.net/downloads/binari … sybox-mips).

2 - The other is to edit the dynamic DNS options to add free ones, or one hosted on another server I can control.

When I replaced the busybox and repacked, I got a warning that the new size was bigger than the original firmware and that could brick the device, and for now, because I need this device for my broadband usage, I didn't try to reflash.

The busybox mentioned above was tested on this device and it works.

Cheers!

(Last edited by mingodad on 20 May 2015, 16:13)

I have two devices so I'll test this with one of them. I think what I will do is confirm I can flash an official working firmware to the device via xmodem (not TFTP as I incorrectly said earlier). If that works I at least know then I can revert the changes and unbrick the device.

I have to leave work soon so will probably pick this off where I left off tomorrow :)

Thank you for your input mingodad

OK, so I've managed to flash an original firmware to the device in the first instance to prove I can unbrick the device.

I edited the firmware mod kit script to ignore the file size change and allow it to create a larger firmware, however, it does create a checksum error on completion.

Regardless, I attempted to flash the new firmware to the device. It transfers, but returns a checksum error.

## Ready for binary (xmodem) download to 0x80020000 at 115200 bps...
CCCC55(STX)/0(CAN) packets, 4 retries
## Total Size      = 0x00634bed = 6507501 Bytes
Illegal image! Image Checksum failed.
Upload image validation failed.
ERROR
write image error!

I'm not sure what to do at this point.

On the original firmware the rootfs CRC of fc028fd9 can be found in the header.img extracted by binwalk. My assumption at this point is that we need to work out how the CRC is generated for the rootfs so this can be changed in the header.

The CRC of fc028fd9 looks like a CRC32 of some description, I am however unable to recreate it from the original firmware files.

hmm

(Last edited by rsrd on 21 May 2015, 15:07)

I have made some progress getting the device to accept the firmware, however, it is now broken :D

***** ZyXEL Communications Corporation Firmware *****
Uncompressing [LZMA] ...  done.
Linux version 2.6.22.15 (root@seven-desktop) (gcc version 4.3.4 (GCC) ) #14 SMP Thu Jan 15 21:16:08 CST 2015
ISPRAM0: PA=00278000,Size=00008000,enabled
Enable SRAM=1c000001
Ralink RT63365 SOC prom init
CPU revision is: 00019555
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
3 available secondary CPU TC(s)
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS0 rootfstype=squashfs es=1
Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (23 instructions).
Synthesized TLB load handler fastpath (37 instructions).
Synthesized TLB store handler fastpath (37 instructions).
Synthesized TLB modify handler fastpath (36 instructions).
Cache parity protection disabled
PID hash table entries: 128 (order: 7, 512 bytes)
CPU frequency 420.00 MHz
Using 250.000 MHz high precision timer.
console handover: boot [early0] -> real [ttyS0]
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 29004k/32768k available (2436k kernel code, 3764k reserved, 491k data, 172k init, 0k highmem)
SLUB: Genslabs=17, HWalign=32, Order=0-1, MinObjects=4, CPUs=4, Nodes=1
Mount-cache hash table entries: 512
34K sync es set to 1.
Config7: 0x80080500
FPU Affinity set after 929 emulations
Limit of 4 TCs set
TLB of 64 entry pairs shared by 2 VPEs
VPE 0: TC 0 1 2, VPE 1: TC 3
IPI buffer pool of 32 buffers
CPU revision is: 00019555
TC 1 going on-line as CPU 1
CPU revision is: 00019555
TC 2 going on-line as CPU 2
CPU revision is: 00019555
TC 3 going on-line as CPU 3
Brought up 4 CPUs
migration_cost=10000
NET: Registered protocol family 16
RT63365_pcie_init
registering PCI controller with io_map_base unset
PCI: Bridge: 0000:00:00.0
  IO window: disabled.
  MEM window: 20000000-200fffff
  PREFETCH window: disabled.
PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 12288 bytes)
TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
TC3162 hardware watchdog module loaded.
squashfs: version 3.0 (2006/03/15) Phillip Lougher
io scheduler noop registered (default)
ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
NET: Registered protocol family 24
IMQ starting with 2 devices...
IMQ driver loaded successfully.
        Hooking IMQ after NAT on PREROUTING.
        Hooking IMQ before NAT on POSTROUTING.
tc3162: flash device 0x01000000 at 0x10000000
tc3162: Found SPIFLASH 8MiB Winbond W25Q64
Creating 9 MTD partitions on "tc3162":
0x00000000-0x00020000 : "bootloader"
0x00020000-0x00030000 : "romfile"
0x00030000-0x0012c0bd : "kernel"
mtd: partition "kernel" doesn't end on an erase block -- force read-only
0x0012c0bd-0x005fe0bd : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
0x005fe0bd-0x00600f38 : "defcfg"
mtd: partition "defcfg" doesn't start on an erase block boundary -- force read-only
0x00030000-0x007a0000 : "tclinux"
0x007a0000-0x007e0000 : "reservearea"
0x007e0000-0x007f0000 : "romd"
0x007f0000-0x00800000 : "second_romfile"

root filesystem is from rootfs
RT3xxx EHCI/OHCI init.
net/core/klink_updown.c:99 >> Create link_updown kernel netlink success!
u32 classifier
    Performance counters on
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (256 buckets, 2048 max)
ctnetlink v0.93: registering with nfnetlink.
nf_conntrack_rtsp v0.6.21 loading
nf_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>

All bugs added by David S. Miller <davem@redhat.com>
attempt to access beyond end of device
mtdblock3: rw=0, want=10686, limit=9872
SQUASHFS error: sb_bread failed reading block 0x14de
SQUASHFS error: unable to read uid/gid table
List of all partitions:
1f00        128 mtdblock0 (driver?)
1f01         64 mtdblock1 (driver?)
1f02       1008 mtdblock2 (driver?)
1f03       4936 mtdblock3 (driver?)
1f04         11 mtdblock4 (driver?)
1f05       7616 mtdblock5 (driver?)
1f06        256 mtdblock6 (driver?)
1f07         64 mtdblock7 (driver?)
1f08         64 mtdblock8 (driver?)
No filesystem could mount root, tried:  squashfs
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,3)
Machine restart ...

Edit: I thought I should add how I managed to calculate the CRC. I didn't do it myself; the device calculates it when it's sent a firmware over the web interface, and this outputs to the console. The expected and calculated CRCs are shown. Editing the firmware in a hex editor allowed me to give the firmware its calculated CRC, which in turn allows the flash file to be written. Pretty easy once I'd worked that out! :)

(Last edited by rsrd on 21 May 2015, 16:30)
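
Added example (not part of the original posts): the failed boot log above already contains the numbers needed to size the problem. This sketch parses the MTD partition lines and the block-layer error, copied from that log, and computes how far the read ran past the rootfs partition; the function names are hypothetical, and the 512-byte unit for want/limit is the Linux block layer's sector convention.

```python
import re

# Lines copied from the failed boot log in this thread.
BOOT_LOG = """\
0x00030000-0x0012c0bd : "kernel"
0x0012c0bd-0x005fe0bd : "rootfs"
0x005fe0bd-0x00600f38 : "defcfg"
0x00030000-0x007a0000 : "tclinux"
attempt to access beyond end of device
mtdblock3: rw=0, want=10686, limit=9872
SQUASHFS error: sb_bread failed reading block 0x14de
"""

SECTOR = 512  # the block layer reports want/limit in 512-byte sectors

PART_RE = re.compile(r'^(0x[0-9a-f]+)-(0x[0-9a-f]+) : "([^"]+)"$', re.M)
OVERRUN_RE = re.compile(r'^(\w+): rw=\d+, want=(\d+), limit=(\d+)$', re.M)


def parse_partitions(log):
    """Return {name: (start, end)} from 'start-end : "name"' MTD lines."""
    return {name: (int(start, 16), int(end, 16))
            for start, end, name in PART_RE.findall(log)}


def analyse_overrun(log):
    """Compare the 'beyond end of device' error with the MTD map."""
    parts = parse_partitions(log)
    dev, want, limit = OVERRUN_RE.search(log).groups()
    want_bytes, limit_bytes = int(want) * SECTOR, int(limit) * SECTOR
    # mtdblock3 is the fourth partition in the full log, i.e. "rootfs".
    start, end = parts["rootfs"]
    return {
        "device": dev,
        "partition_bytes": end - start,
        "limit_matches_rootfs": limit_bytes == end - start,
        "overrun_bytes": want_bytes - limit_bytes,
        # Flash offset the failed read would have ended at.
        "needed_end": start + want_bytes,
        "fits_in_tclinux": start + want_bytes <= parts["tclinux"][1],
    }


if __name__ == "__main__":
    for key, value in analyse_overrun(BOOT_LOG).items():
        print(f"{key}: {value}")
```

On these lines the limit equals the rootfs partition length exactly (5054464 bytes), and the read ran 416768 bytes past it while still ending inside the "tclinux" region.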

With that, could you try to only unpack and repack without any modification, fix the CRC as you did, and reflash to see if it works?

Then we can have an idea if the problem is changing the size, or at least to start with!

And if it works, repeat again but adding small dummy files, only to know how much we can increase the firmware size without breaking it.

Cheers !

(Last edited by mingodad on 21 May 2015, 23:44)

I had some problems getting the original firmware back onto the device; this seems to have been an issue with the PC/software. A reboot fixed it and I've unbricked the device by putting the original on, which is good! :D

Just while I'm here I'll dump some U-Boot output for reference:

u-boot # coninfo
List of available devices:
serial   80000003 SIO stdin stdout stderr
u-boot # bdinfo
boot_params = 0x8175EFB0
memstart    = 0x80000000
memsize     = 0x02000000
flashstart  = 0xB0000000
flashsize   = 0x00800000
flashoffset = 0x00000000
ethaddr     = xx:xx:xx:xx:xx:xx
ip_addr     = 0.0.0.0
baudrate    = 115200 bps

At some point recently it stated there were TWO images in the flash, but I can't seem to find the command that showed me that before.

I'll have a crack at changing some system files and rebuilding today. I'll start by enabling telnet and an ftp server on the device.

Edit: Seems telnet was already enabled; the ftp service is running, although I can't log in. Small changes to config files appear to be fine, the firmwares upload fine.

(Last edited by rsrd on 22 May 2015, 11:37)

Having dug around the web looking at these kinds of problems, I've come to the assumption that the reason the modded larger firmware is failing is that the MTD RAM disk created at boot is not big enough for the image it's attempting to transfer to it.

With 32MB of RAM on the device it's possible there is some space to sacrifice for the file system, but changing the existing allocation might be impossible, I really don't know at this point.

Mingodad, are there any specific changes you'd like me to make to a firmware for you to test?

Hello!

What I would like to test is adding options for free dynamic DNS providers or a custom entry to specify our own.

I had a look at "/rootfs/boaroot/cgi-bin/pages/network/dynamicDNS.html" but I could not understand all the needed changes.

If I manage to find out how to do that I'll tell you!

Also there is one thing that they advertise and I could not find out what it is:

---
Easy customization with ROM-D function

Service providers need to have a quick and easy way to customize and manage different
firmware versions before networking devices are distributed to fulfill specific requirements from
different customers. The ZyXEL AMG1302-T10B features ROM-D to provide the flexibility for service
providers to change default configuration settings through an easy way of uploading a new
customized configuration file.
---

http://kb.zyxel.com/KB/searchArticle!vi … mp;lang=EN
http://kb.zyxel.com/KB/searchArticle!gw … mp;lang=EN
http://kb.zyxel.com/KB/searchArticle!vi … mp;lang=EN

Maybe if we know what that is, it can open the door to easier customization!

Cheers !

(Last edited by mingodad on 23 May 2015, 21:42)

Have you checked to see if you have telnet access to the device already? If so you can interact with the dynamic DNS tool directly, it uses ez-ipupdate Version 3.0.11b7 under /userfs/bin

I'll take a look at those links tomorrow, thanks!

I've made a request to Zyxel for the open source code under GPL terms, they offer a nice easy form to fill out so thought I might as well try. In theory, this would make it much easier to create a custom firmware.

I now have a third router to play with, so may look at changing the uboot loader to something more OpenWRT friendly, I've never done that so some reading will be required!

Zyxel expect to have a source code package available to me by the 25th Aug, so I have a bit of a wait yet :)

I'm happy to share with you the Open Source package for this router at last, I've placed it on Dropbox as the ftp is very slow and will be closed in a few days.

https://www.dropbox.com/sh/xvwtfm4oojkt … XNeNa?dl=0

I've not had any time to try it yet, but everything seems to be there.

Enjoy!

Just a little update: I've built a dev environment to compile the firmware, created one and uploaded it to the device, and this works fine. I made some changes to the busybox compile config, but none of them seem to have worked, so I'm missing something somewhere :)

More tinkering ahead.

Hi! I got a Zyxel P-660HNU T1 V2 and it looks similar to the AMG1302... It currently has FW ver: 2.00(AAIJ.1) D1 [Telecom branded :( ]

Can I try this firmware or the original one of AMG1202??

Cheers

Hello, could someone post the EPROM file for the AMG 1202 for testing in Brazil?

robinhocelulares wrote:

Hello, could someone post the EPROM file for the AMG 1202 for testing in Brazil?

Hi, .rom file?

(Last edited by fabioccoelho on 28 Sep 2016, 14:56)

The discussion might have continued from here.