Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision | ||
| inbox:toh:zyxel:nbg7815_armor_g5 [2024/10/04 08:44] – wip pwned | inbox:toh:zyxel:nbg7815_armor_g5 [2024/10/31 16:08] – case pwned | ||
|---|---|---|---|
| Line 5: | Line 5: | ||
| {{media: | {{media: | ||
| - | [[https:// | + | [[https:// |
| - | ^ | + | \\ |
| ===== Hardware ===== | ===== Hardware ===== | ||
| Line 31: | Line 31: | ||
| ^ PSU | 19VDC 2.1A | | ^ PSU | 19VDC 2.1A | | ||
| </ | </ | ||
| - | ^ | + | \\ |
| ===== OpenWrt Firmware ===== | ===== OpenWrt Firmware ===== | ||
| Line 39: | Line 39: | ||
| ^ Snapshot (sysupgrade image) ^ | ^ Snapshot (sysupgrade image) ^ | ||
| | [[https:// | | [[https:// | ||
| + | |||
| + | You only need one of the available sysupgrade images. The other available images are needed for special purposes only. | ||
| + | |||
| **Other images (factory, initramfs)** | **Other images (factory, initramfs)** | ||
| < | < | ||
| Line 50: | Line 53: | ||
| | [[https:// | | [[https:// | ||
| </ | </ | ||
| - | ^ | + | \\ |
| ===== Limitations ===== | ===== Limitations ===== | ||
| - | Currently (state of 2024) OpenWrt officially **__does not support__** the integrated FAN, the integrated LED and Bluetooth. | + | Currently (state of 2024) OpenWrt officially **__does not support__** the integrated FAN, the integrated LED. |
| * LED: [[https:// | * LED: [[https:// | ||
| * FAN: [[https:// | * FAN: [[https:// | ||
| - | * Bluetooth: is not supported. Only the driver is loaded but there are not mappings for CSR-8811. | ||
| * 5G 160MHz channel width is not supported officially. There is [[https:// | * 5G 160MHz channel width is not supported officially. There is [[https:// | ||
| - | :!: The device can really run hot due to the disabled fan leading to throttling and instabilities. Esp. if an USB device is connected. You be advised to either deploy an active cooler directed to the device itself or making your own build integrating the patch referenced above for proper cooling. To the state of 2024 this FAN patch is not working reliable. But there are others (simpler, script based) solutions available e. g.: [[https:// | + | :!: The device can **really run hot due to the disabled fan leading to throttling and instabilities**. Esp. if an USB device is connected. You be advised to either deploy an active cooler directed to the device itself or making your own build integrating the patch referenced above for proper cooling. To the state of 2024 this FAN patch is not working reliable. But there are others (simpler, script based) solutions available |
| - | ^ | + | \\ |
| ===== Forum Support Thread ===== | ===== Forum Support Thread ===== | ||
| - | [[https:// | + | [[https:// |
| - | ^ | + | \\ |
| ===== Installation ===== | ===== Installation ===== | ||
| Line 81: | Line 83: | ||
| - Reboot the device. | - Reboot the device. | ||
| - Check if SSH access is working by using address: '' | - Check if SSH access is working by using address: '' | ||
| - | |||
| <tabbox Enable Root/SSH access> | <tabbox Enable Root/SSH access> | ||
| < | < | ||
| Line 109: | Line 110: | ||
| </ | </ | ||
| </ | </ | ||
| - | ^ | + | \\ |
| + | |||
| + | ==== Backup ==== | ||
| + | |||
| + | Before you modify the device it is always a good idea to make a backup of the flash drive(s) installed. The generic process is described [[: | ||
| + | We have one 8MB SPI NOR flash chip and one 4GB emmc flash chip. For both you can use dd. The partition layout of both chips is described [[# | ||
| + | You can spare out the last two big partitions on the emmc chip if you want. They are not important. Transfer the files either via USB or ssh/ | ||
| + | \\ | ||
| ==== Installing OpenWrt ==== | ==== Installing OpenWrt ==== | ||
| - | - Login as root. | + | :!: **Do not power off the device |
| - | - Change to directory / | + | |
| - | - Get the OpenWrt image onto your router by either: | + | |
| - | * Configure | + | |
| - | * Download the OpenWrt firmware to your computer and move the file to a FAT or NTFS formatted USB drive. Connect the USB drive to your router and mount the USB device. Copy the file to / | + | |
| - | - Flash OpenWrt to the currently not active kernel and rootfs partitions. | + | |
| - | < | + | - Login as root via SSH. |
| - | Rework in Progress | + | - Change to directory '' |
| + | - Get the [[#OpenWrt Firmware|OpenWrt Firmware]] onto your router by either a) or b):\\ a) The device to has internet access for downloading the OpenWrt firmware file to the device using wget.\\ b) Download the OpenWrt firmware to your computer and move the file to a FAT or NTFS formatted USB drive. Connect the USB drive to your router and mount the USB device. Copy the file to / | ||
| + | - Extract the firmware file. | ||
| + | - Determine the bootconfig of the device and flash OpenWrt to the currently not active kernel and rootfs partitions. | ||
| + | - Mark the partitions to boot OpenWrt. | ||
| + | - Reboot the device. | ||
| + | |||
| + | <tabbox Semi-automatic (Step 2-7)>< | ||
| cd / | cd / | ||
| + | wget -O openwrt-ipq807x-generic-zyxel_nbg7815-squashfs-sysupgrade.bin https:// | ||
| + | wget https:// | ||
| + | sh flash_to_openwrt.sh | ||
| + | </ | ||
| + | |||
| + | <tabbox Step 2-6>< | ||
| + | # Author: Karol Przybylski < | ||
| + | # https:// | ||
| + | |||
| + | # Step 2 | ||
| + | cd / | ||
| + | |||
| + | # Step 3 | ||
| wget -O zyxel_nbg7815-squashfs-sysupgrade.bin https:// | wget -O zyxel_nbg7815-squashfs-sysupgrade.bin https:// | ||
| - | .... | + | if [ ! -f "/ |
| - | </ | + | echo " |
| + | exit 1 | ||
| + | fi | ||
| - | Example: | + | # Step 4 |
| + | tar xvf zyxel_nbg7815-squashfs-sysupgrade.bin | ||
| + | |||
| + | # Step 5 | ||
| + | primaryboot_hlos=$(cat / | ||
| + | if [ $primaryboot_hlos -eq 0 ]; then | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | echo 1 > / | ||
| + | else | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | echo 0 > / | ||
| + | fi | ||
| + | |||
| + | primaryboot_rootfs=$(cat / | ||
| + | if [ $primaryboot_rootfs -eq 0 ]; then | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | echo 1 > / | ||
| + | else | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | echo 0 > / | ||
| + | fi | ||
| + | |||
| + | # Step 6 | ||
| + | mkdir / | ||
| + | cat / | ||
| + | echo 1 > / | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | echo 0 > / | ||
| + | sync | ||
| + | </ | ||
| + | |||
| + | :!: For reference: [[https:// | ||
| + | \\ | ||
| - | root@NBG7815: | ||
| - | root@NBG7815: | ||
| - | root@NBG7815: | ||
| - | root@NBG7815: | ||
| - | root@NBG7815: | ||
| - | root@NBG7815: | ||
| - | ^ | ||
| ===== Back to OEM firmware ===== | ===== Back to OEM firmware ===== | ||
| - | OpenWrt is currently not using the dual partition layout writing the opposite/ | + | OpenWrt is currently not using the dual partition layout writing the opposite/ |
| - | ^ | + | \\ |
| ==== Back to OEM firmware (1) ==== | ==== Back to OEM firmware (1) ==== | ||
| - | | + | Be carefull with this process. :!: **Do not power off the device during the process!** |
| - | - Change directory to /tmp | + | |
| - | - Get script | + | |
| - | - Execute the script with '' | + | - To use this method it is required to install kmod-mtd-rw first: '' |
| + | - Change directory to /tmp. | ||
| + | - Copy & paste the code from script '' | ||
| + | - Execute the script | ||
| + | - Reboot the device. | ||
| + | - After reboot force a reflash of OEM firmware via WebGui using one of the provided [[#OEM firmware| OEM firmware files]] to purge OpenWrt entirely. | ||
| + | |||
| + | <tabbox Step 4>< | ||
| + | cat <<' | ||
| + | # Script to changing active boot partitions | ||
| + | # Author: Karol Przybylski < | ||
| + | # Orginal script: | ||
| + | |||
| + | openwrt_type=$(cat / | ||
| + | |||
| + | if [ ${openwrt_type} == " | ||
| + | echo " | ||
| + | boot_part=$(hexdump -e '1/1 " | ||
| + | |||
| + | | ||
| + | |||
| + | if [ ${boot_part} | ||
| + | printf | ||
| + | else | ||
| + | printf | ||
| + | |||
| + | fi | ||
| + | insmod mtd-rw i_want_a_brick=1 | ||
| + | mtd write boot.bin /dev/mtd2 | ||
| + | mtd write boot.bin /dev/mtd3 | ||
| + | fi | ||
| + | |||
| + | if [ ${openwrt_type} == " | ||
| + | echo " | ||
| + | primaryboot_hlos=$(cat / | ||
| + | if [ $primaryboot_hlos -eq 0 ]; then | ||
| + | echo 1 > / | ||
| + | else | ||
| + | echo 0 > / | ||
| + | fi | ||
| + | |||
| + | mkdir / | ||
| + | cat / | ||
| + | echo 1 > / | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | echo 0 > / | ||
| + | sync | ||
| + | fi | ||
| + | EOF | ||
| + | </ | ||
| + | \\ | ||
| ==== Back to OEM firmware (2) ==== | ==== Back to OEM firmware (2) ==== | ||
| + | |||
| + | :!: Be carefull with this process. Make sure you write the correct images to the correct partitions! **Do not power off the device during the process!** | ||
| - Download OEM firmware: [[#OEM firmware|see below]] | - Download OEM firmware: [[#OEM firmware|see below]] | ||
| - Extract rootfs and kernel. Already extracted v8: [[https:// | - Extract rootfs and kernel. Already extracted v8: [[https:// | ||
| - | - Copy the files to the router | + | |
| - | - Flash kernel and rootfs to the device. | + | - To use this method it is required to install kmod-mtd-rw first: '' |
| - | - Set active boot partition. | + | |
| + | - Flash the kernel and rootfs to the currently not active partitions. Copy & paste the code from and execute the script with '' | ||
| + | - Copy & paste the code from [[#Back to OEM firmware (1)|script Step 4]] from [[#Back to OEM firmware (1)|Back to OEM firmware (1)]] and execute the script with '' | ||
| + | - Reboot | ||
| + | - After reboot force a reflash of OEM firmware via WebGui using one of the provided [[#OEM firmware| OEM firmware files]] to purge OpenWrt entirely. | ||
| + | |||
| + | <tabbox Step 6>< | ||
| + | cat <<' | ||
| + | # check files | ||
| + | |||
| + | if [ ! -f "/ | ||
| + | echo " | ||
| + | exit 1 | ||
| + | fi | ||
| + | |||
| + | if [ ! -f "/ | ||
| + | echo " | ||
| + | exit 1 | ||
| + | fi | ||
| + | |||
| + | # get bootconfig | ||
| + | |||
| + | mtd_part=$(grep -i " | ||
| + | bootconfig=$(hexdump -v -e '1/1 " | ||
| + | |||
| + | # write rootfs and kernel; mmcblk0p3=0/ | ||
| + | |||
| + | if [ " | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | sync | ||
| + | fi | ||
| + | if [ " | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | dd if=/ | ||
| + | sync | ||
| + | fi | ||
| + | EOF | ||
| + | </ | ||
| ==== OEM firmware ==== | ==== OEM firmware ==== | ||
| - | There are no public | + | There is no official publicly available ressource to download the firmware files for this cloud managed router. You can retrieve the firmware file by forcing a firmware upgrade and catching the temporary valid random cloudflare link by yourself (this is limited to the latest firmware only). Firmware files version |
| - | ^ Firmware/Link ^ sha256sum ^ | + | ^ Firmware |
| | [[https:// | | [[https:// | ||
| | [[https:// | | [[https:// | ||
| | [[https:// | | [[https:// | ||
| - | To get the rootfs and kernel image you have to extract them from the firmware file: rootfs=openwrt-ipq-ipq807x_64-squashfs-root.img, | + | To get the rootfs and kernel image you have to extract them from the firmware file: rootfs=openwrt-ipq-ipq807x_64-squashfs-root.img, |
| - | | [[https:// | + | ^ Firmware |
| - | | [[https:// | + | | [[https:// |
| + | | [[https:// | ||
| + | \\ | ||
| ===== Debricking ===== | ===== Debricking ===== | ||
| Line 177: | Line 330: | ||
| In case neither the **failsafe mode nor a factory reset** does bring back a working unit you can try to recover your device by the following steps: | In case neither the **failsafe mode nor a factory reset** does bring back a working unit you can try to recover your device by the following steps: | ||
| - | - [[#Opening the case|Opening | + | - [[#Opening the case|Open the device case.]] |
| - | - Access | + | - Connect |
| - | - [[#U-Boot access|Login to the device | + | - [[#Bootloader/U-Boot access|Access |
| - | - [[#TFTP boot OpenWrt|TFTP boot OpenWrt]] to either reinstall or fix a broken installation | [[#TFTP flash OEM firmware|TFTP flash OEM firmware]] to purge OpenWrt | + | - [[#TFTP boot OpenWrt|TFTP boot OpenWrt]] to either reinstall or fix a broken installation | [[#TFTP flash OEM firmware|TFTP flash OEM firmware]] to purge OpenWrt. |
| + | \\ | ||
| ==== Opening the case ==== | ==== Opening the case ==== | ||
| - | <WRAP BOX> | + | 1. Remove the two rubber crosses from the device' |
| - | FIXME //Describe what needs to be done to open the device, e.g. remove | + | 2. Unscrew the two screws appearing after step 1. |
| - | </ | + | 3. Remove the socket. |
| + | 4. After step 3. another four screws appear. Remove them as well. | ||
| + | 5. Around | ||
| + | 6. Keep the device with bottom side up and pry it up carefully around the case to remove | ||
| + | |||
| + | *) You will likely break some of them. Especially those on the left or right side. The clips at the front' | ||
| + | \\ | ||
| ==== Serial ==== | ==== Serial ==== | ||
| - | General information about the serial port and its usage: -> [[docs: | + | General information about the serial port and its usage: |
| + | |||
| + | * -> [[docs: | ||
| + | * -> [[docs: | ||
| + | * -> [[docs: | ||
| Serial Port connectors of this specific device: | Serial Port connectors of this specific device: | ||
| Line 197: | Line 361: | ||
| | Serial connection parameters | **TTL 115200, 8N1, 3.3V** | | | Serial connection parameters | **TTL 115200, 8N1, 3.3V** | | ||
| - | :!: Connect RX, TX, GND cable to your USB to TTL/USB to Serial adapter only! | + | :!: Connect RX, TX, GND cable to your USB to TTL/USB to Serial adapter only!\\ |
| - | ^ | + | \\ |
| - | ==== U-Boot access ==== | + | ==== Bootloader/U-Boot access ==== |
| - | 1. Connect the USB-to-serial adapter to the router and PC. Open up a serial console program. | + | - Connect the USB-to-serial adapter to the router and PC. Open up a serial console program. |
| + | - Reboot the device and interrupt autoboot by pressing any key. You will end up with a shell prompt: '' | ||
| + | Zyxel zloader v1.0.0 (2020-01-06 - 08:24) | ||
| - | 2. Reboot the device and interrupt autoboot by pressing any key | ||
| - | |||
| - | < | ||
| - | Zyxel zloader v1.0.0 (2020-01-06 - 08:24) | ||
| Multiboot clinent version: 2.0 | Multiboot clinent version: 2.0 | ||
| ipq807x_eth_halt: | ipq807x_eth_halt: | ||
| Line 220: | Line 382: | ||
| **Hit any key to stop autoboot: | **Hit any key to stop autoboot: | ||
| + | |||
| + | NBG7815> | ||
| </ | </ | ||
| - | + | - To get access to the bootloader you first need a seed/ | |
| - | You will end up with a shell prompt: '' | + | |
| - | + | ||
| - | 3. To get access to the bootloader you first need a seed/ | + | |
| - | < | + | |
| NBG7815> ATSE NBG7815 | NBG7815> ATSE NBG7815 | ||
| - | </code> | + | NBG7815> 013D72FF0710 |
| - | --> '' | + | </ |
| - | + | | |
| - | :!: The resulting | + | |
| - | + | ||
| - | 4. Generate the password: | + | |
| - | + | ||
| - | :!: **Do not enter the code below it into the current shell!** We have to distinguish here between Windows and Linux users! | + | |
| - | + | ||
| - | **__On Linux__**: Copy and paste the code from below into a **new terminal**. First use **create | + | |
| - | + | ||
| - | < | + | |
| < | < | ||
| - | cat << | + | cat <<'EOF' |
| ror32() { | ror32() { | ||
| echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) )) | echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) )) | ||
| Line 252: | Line 403: | ||
| EOF | EOF | ||
| </ | </ | ||
| - | < | + | <tabbox password> |
| - | < | + | |
| - | sh tool.sh **013D72FF0710** | + | |
| - | </ | + | |
| - | </ | + | |
| - | + | ||
| - | **__On Windows__** you can use [[https:// | + | |
| - | + | ||
| - | --> '' | + | |
| - | + | ||
| - | 5. Put the output from above in terminal and press enter | + | |
| < | < | ||
| + | sh tool.sh 013D72FF0710 | ||
| + | </ | ||
| + | - Put the output from paragraph 4. in the terminal and press enter:\\ \\ < | ||
| NBG7815> ATEN 1,10F0A563 | NBG7815> ATEN 1,10F0A563 | ||
| </ | </ | ||
| + | - Now Enter '' | ||
| + | NBG7815> ATGU | ||
| - | 6. Now Enter '' | + | ZYXEL# |
| - | < | + | |
| - | NBG7815> ATGU | + | |
| </ | </ | ||
| - | You will end up with a new prompt: --> '' | + | \\ |
| - | ^ | + | |
| - | ==== TFTP flash OEM firmware ==== | + | |
| - | + | ||
| - | **Hard debricking from U-boot with Serial Access:** | + | |
| - | + | ||
| - | 1. Get orginal firmware [[https:// | + | |
| - | + | ||
| - | 2. Setup your laptop to 192.168.1.99 | + | |
| - | + | ||
| - | 3. install and configure TFTP server, connect your laptop by cable, turn off windows firewall | + | |
| - | + | ||
| - | 4. Interrupt autoboot and execute command (no need unlock): | + | |
| - | + | ||
| - | NBG7815> ATUR V1.00(ABSK.7)C0.bin | + | |
| ==== TFTP boot OpenWrt ==== | ==== TFTP boot OpenWrt ==== | ||
| - | **Alternatively, you may recover | + | - Download |
| + | - Setup your PC/ | ||
| + | - Install and configure TFTP server. Your router' | ||
| + | - Connect your PC/ | ||
| + | - Power up your router and get access to [[# | ||
| + | - Enter '' | ||
| + | - After the file is uploaded (this takes a while) | ||
| + | - If OpenWrt is up you can try to fix your issues. E. g. fixing wrong config preventing booting | ||
| + | \\ | ||
| - | 1. Stop the bootloader by pressing any key. Once you're presented with the '' | + | ==== TFTP flash OEM firmware ==== |
| - | unlock the bootloader via the '' | + | |
| - | [[: | + | |
| - | 2. Connect to one of the //lan// Ethernet interfaces of the device, | + | - Download |
| - | and configure | + | - Setup your PC/ |
| + | - Install and configure TFTP server. Your router' | ||
| + | - Connect your PC/ | ||
| + | - Power up your router and get access to [[# | ||
| + | - Enter '' | ||
| - | 3. Start a TFTP server in a directory where you downloaded (or built) a (possibly known-good) | + | ===== Photos ===== |
| - | '' | + | |
| - | 4. Once presented with the '' | + | {{media: |
| - | tftpboot openwrt-ipq807x-generic-zyxel_nbg7815-initramfs-uImage.itb | + | \\ |
| - | If the download was successful, you can proceed; otherwise, check your setup. | + | |
| - | 5. Boot the initramfs: | + | ===== Flash-/ |
| - | bootm | + | |
| - | + | ||
| - | 6. If you didn't alter vendor eMMC partition table, skip to the next step. If you did, you need to | + | |
| - | opkg update && opkg install fdisk | + | |
| - | and then use fdisk manually to create GPT matching | + | |
| - | [[: | + | |
| - | + | ||
| - | 7. If all went well, you should be in OpenWrt now; you may | + | |
| - | sysupgrade -n / | + | |
| - | to a working sysupgrade image. In no case you should use any force option. | + | |
| - | + | ||
| - | ===== Notes ===== | + | |
| - | Code of flash_to_openwrt.sh Script: | + | |
| - | < | + | |
| - | # Author: Karol Przybylski < | + | |
| - | + | ||
| - | if [ ! -f " | + | |
| - | echo " | + | |
| - | exit 1 | + | |
| - | fi | + | |
| - | + | ||
| - | tar xvf ./ | + | |
| - | + | ||
| - | primaryboot_hlos=$(cat / | + | |
| - | if [ $primaryboot_hlos -eq 0 ]; then | + | |
| - | dd if=/ | + | |
| - | dd if=/ | + | |
| - | echo 1 > / | + | |
| - | else | + | |
| - | dd if=/ | + | |
| - | dd if=/ | + | |
| - | echo 0 > / | + | |
| - | fi | + | |
| - | + | ||
| - | primaryboot_rootfs=$(cat / | + | |
| - | if [ $primaryboot_rootfs -eq 0 ]; then | + | |
| - | dd if=/ | + | |
| - | dd if=/ | + | |
| - | echo 1 > / | + | |
| - | else | + | |
| - | dd if=/ | + | |
| - | dd if=/ | + | |
| - | echo 0 > / | + | |
| - | fi | + | |
| - | + | ||
| - | + | ||
| - | mkdir / | + | |
| - | cat / | + | |
| - | echo 1 > / | + | |
| - | dd if=/ | + | |
| - | dd if=/ | + | |
| - | echo 0 > / | + | |
| - | sync | + | |
| - | reboot | + | |
| - | </ | + | |
| - | + | ||
| - | ==== Photos ==== | + | |
| - | + | ||
| - | {{media: | + | |
| - | ^ | + | |
| - | ==== Flash-/ | + | |
| <tabbox 8MB SPI NOR>< | <tabbox 8MB SPI NOR>< | ||
| Line 458: | Line 535: | ||
| 10 307234 | 10 307234 | ||
| 11 | 11 | ||
| - | </ | + | </ |
| + | \\ | ||
| ===== Bootlogs ===== | ===== Bootlogs ===== | ||