Sometimes ISPs brand the routers and disable features, maybe mess with their settings and perhaps spy on you.
Maybe the router is locked into a specific provider and you need to use it with another. There are many reasons why you may want to install generic ZYXEL firmware to an xDSL router.
Luckily it is rather easy to unbrnad the ZYXEL routers. I have performed this operation on a ZYXEL VMG3625-T20A router which was provided free with (also free) VDSL service. Albeit, free service is limited to 10Mbit/s speed but that is a good enough speed for most people.
What Do We Need?
We need few items for this operation.- USB TTL Serial adapter
- Putty or any terminal program which supports serial communication
- Tftp client (Windows 10 comes with one!)
Opening The Router Case
This router has only 2 screws under the sticker. Some other routers may have 4 screws. You can feel the placements of he screw holes with your finger if you move on the sticker. You can lift the corners of the sticker with a sharp knife and unscrew the screws. I left the screws under the sticker, so they would not go far.Once the screws are removed, you can use a plastic prying tool to open the clips. The parts are quite tight, so use patience.
I did not make pictures of this as the operation is vey simple. If you can't manage to open a simple plastic cover, you should stop now.
Here is how the router looks like inside. For our purposes, the most important piece is th 4pin connector.
The 4pin connector...
Connecting Rouer To Serial Adapter
We need to connect the router to serial adapter for communication. As you can see, the 4pin connector pins are marked as GND, NC, RX, TX, and 3.3V. For our purposes, we only need to connect RX, TX, and GND pins.Important: Now you need to set your TTL adapter to use 3.3v. They usually have a jumper or switch for this purpose.
Modem Side - Serial Adapter Side
RX - TXTX - RXGND - GND The only thing you need to be careful is to connect TX to RX. There is little which can go wrong.
Connecting Router To Ethernet
You will also need to connect the router to ethernet as we will use TFTP to push files to the router. You should set your PCs IP address statically to 192.168.1.10 (or anyting else than 192.168.1.1 in 192.168.1.0/24 network).Getting Ready To Send Firmware
When you turn on the router, it will give you few seconds to abort the boot process. Press a key to abort it!You should now be at a prompt which says
ZHAL> Now we can start some magic.First run
ATSH command to extract some important information. We will not need this information, but it is good to have in case something goes wrong.The output will look like following
Firmware Version : V5.30(ABIE.6)b2_E0
Bootbase Version : V1.32 | 03/22/2018 16:56:20
Vendor Name : Zyxel Communications Corp.
Product Model : VMG3625-T20A
Serial Number : SXXXXXXXXXXXX
First MAC Address : XXXXXXXXXXX0
Last MAC Address : XXXXXXXXXXXF
MAC Address Quantity : 16
Default Country Code : FF
Boot Module Debug Flag : 01
RootFS Checksum : e4d28a4b
Kernel Checksum : eeba2049
Main Feature Bits : 00
Other Feature Bits :
840291b4: 04050305 00000100 00000000 00000000
840291c4: 00000000 00000000 00000000 0000
Now we need to get the login code. The login code is required for dangerous operaitons. For this purpose we should feed the
Product Model from above output usin ATSE command. We will need to decode this. Luckily some nice people provided a C program which can do it. You can compile it with GCC easily. Obviously this program can be used for other ZYXEL routers! Just see the example in comments section of the program to figure out how to proceed!/* ZyXEL prestige 660HW series password calculator by brainstorm
* Thanks to http://www.adslayuda.com/Zyxel650-9.html authors
*
* Example usage:
*
* Router:
* ======
*
* ATSE
* 0028D6DF1C03
* OK
*
* Computer:
* ========
*
* ./zyxel 0028D6DF1C03
* ATEN 1,221E3111
*
* Router:
* ======
* ATEN 1,221E3111
* OK
*
* "Dangerous" commands enabled :-)
*
* */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define magic1 0x10F0A563L
#define magic2 7
#define atse_length 12 /* ATSE command, ZyNOS seed password length */
#define WORD_LENGTH (8*sizeof(value))
int ror(unsigned int value, int places)
{
return (value>>places)|(value<<(WORD_LENGTH-places));
}
int main (int argc, char* argv[]) {
char *seed, a[7], c[3];
unsigned int b,d,e,password;
if ( argc != 2 ) {
printf("Only one argument is permitted: 00BDC8667E5B\n");
exit(-1);
} else if ( strlen(argv[1]) != atse_length ) {
printf( "Incorrect parameter length, should be %d characters long\n", atse_length );
exit (-2);
}
seed = argv[1];
strncpy (a, seed , 6); //a="ersten" 3Bytes vom seed
e = strtol(a,NULL,16); //e=a
strncpy (c, seed + strlen(seed)-2, 2); //c= last 2 bytes of seed?
d = strtol(c,NULL,16) & magic2; //d="last byte" AND 7
b = e + magic1; //
b = ror(b,d);
password = b ^ e;
printf("\nATEN 1,%X\n", password);
return 0;
}
After entering
ATEN command we can finally upload the firmware. If you downloaded the firmware files from ZYXEL site, you will see that there is a BIN file which is about 17Mbyte in size. I renamed this file as zyxel.bin just for easy typing.Now we need to tell the router that we are about to send it firmware image named, you guessed it,
zyxel.bin. The command for tis operation is ZHAL> ATUR zyxel.bin The router will wait you to send the fileUpgrade to rootfs partition 1 TFTP server is started, put your file 'zyxel.bin' to server (IP is 192.168.1.1).
Now from windows we can send the file in binary mode. We need ot use the
-i flag for binary transfer with windows tftp client. So the command should look like tftp -i 192.168.1.1 PUT zyxel.bin. We already set the IP address of our machine statically so it should work just fine. So the complete output should look like below:ZHAL> ATSE VMG3625-T20A 0EA420ED3340 ZHAL> ATEN 1,10F1EDA3 ZHAL> ATUR zyxel.bin Upgrade to rootfs partition 1 TFTP server is started, put your file 'zyxel.bin' to server (IP is 192.168.1.1). ....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... Total 17498534 (0x10B01A6) bytes received File download to memory address 0x80020000, length is 17498534 Please be patient, start to upgrade RAS! ........................................................................................................................................................................................................................................................................................................................................................................................................................................... Update boot flag to 1 ... Auto reboot after 2 seconds ZHAL>
Router will reboot by itself and you need to wait patiently as this will take few minutes at least. Meanwhile, not forget to remove the static IP setting from your ethernet adapter or you may regret not doing it later.
Next Step
Obviously the next step is closing up the router and tightenin the screws. I first installed5.30(ABIE.4)C0 firmware from ZYXEL site then used the built-in web based upgrade to upgrade to 5.30(ABIE.5)C0 firmware. Also normal VDSL2 connectivity was working fine, including the 6RD tunnel that Telia/Sonera provides. So everything seems to be working fine. I am not sure why Telia/Sonera decided to make their own image, it is slightly suspicious.Using same method, you can install any firmware to device (as long as it is compatible). For example if you want to brand it as another provider's device. I don't know why you would want to do this, but it is an option.
Hi Evren, I have found a vulnerability in the firmware of Zyxel VMG3625-T20A. Unfortunately, I do not own the device and cannot fully verify the vulnerability. I would like to write you the details personally, but I cannot find a contact form on your blog. I would be very grateful if you could take a few minutes for me and contact me via e-mail (hansi.leberwurst1(at)gmail.com). Thanks!
ReplyDeleteHi Evren, I have found a vulnerability in the firmware of Zyxel VMG3625-T20A. Unfortunately, I do not own the device and cannot fully verify the vulnerability. I would like to write you the details personally, but I cannot find a contact form on your blog. I would be very grateful if you could take a few minutes for me and contact me via e-mail (hansi.leberwurst1(at)gmail.com). Thanks!
ReplyDeleteI do not have this modem anymore. Sorry :(
Delete