Differences

This shows you the differences between two versions of the page.

inbox:toh:zyxel:nbg7815_armor_g5 [2024/10/06 10:30] – wip pwnedinbox:toh:zyxel:nbg7815_armor_g5 [2024/12/13 11:35] – [Hardware] pwned
Line 10: Line 10:
 ===== Hardware ===== ===== Hardware =====
  
-^ CPU                           ^ Ram  ^ Flash                    ^ Network                                 ^ Wifi          ^ USB         ^ Serial ^ +^ Architecture        | ARMv8                                                                   | 
-| Qualcomm IPQ8074A @ 2.2 GHz | 1 GB | 4 GB eMMC + 8 MB SPI NOR | 1x 1/2.5/5/10 GbE 1x 1/2.5 GbE 4x 1 GbE | a/b/g/n/ac/ax | 1x 3.1 Gen2 | [[#Serial|Yes]] | +^ Vendor              | Qualcomm                                                                | 
-<hidden> +^ Bootloader          | U-Boot + ZyXEL zLoader                                                  | 
-^ Architecture      | ARMv8                                                                   | +^ System-On-Chip      | Qualcomm IPQ8074A                                                       | 
-^ Vendor            | Qualcomm                                                                | +^ CPU/Speed           | Quad Core 2.2 GHz                                                       | 
-^ Bootloader        | U-Boot + ZyXEL zLoader                                                  | +^ Flash-Chip          | Kingston EMMC04G-M627 + Winbond W25Q64DW                                | 
-^ System-On-Chip    | Qualcomm IPQ8074A                                                       | +^ Flash size          | 4 GB eMMC + 8 MB SPI NOR                                                | 
-^ CPU/Speed         | Quad Core 2.2 GHz                                                       | +^ RAM                 | 1 GB 2x Nanya NT5CC256M16ER-EK                                          | 
-^ Flash-Chip        | Kingston EMMC04G-M627 + Winbond W25Q64DW                                | +^ Bluetooth           | CSR8811 using HSUART                                                    | 
-^ Flash size        | 4 GB eMMC + 8 MB SPI NOR                                                | +^ Wireless            | QCN5024 bgn+ax                                                          | 
-^ RAM               | 1 GB 2x Nanya NT5CC256M16ER-EK                                          | +^ Wireless            | QCN5054 an+ac+ax                                                        | 
-^ Bluetooth         | CSR8811 using HSUART                                                    | +^ Ethernet            | 4x 10/100/1000 Mbps + 1x 1/2.5 GbE + 1x 1/2.5/5/10 GbE                  | 
-^ Wireless          | QCN5024 bgn+ax                                                          | +^ Ethernet            | ETH chip1: IPQ8074A + ETH chip2: QCA8081 + ETH chip3: Aquantia AQR113C 
-^ Wireless          | QCN5054 an+ac+ax                                                        | +^ Switch              | Qualcomm Atheros QCA8075                                                | 
-^ Ethernet          | 4x 10/100/1000 Mbps + 1x 1/2.5 GbE + 1x 1/2.5/5/10 GbE                  | +^ USB                 | 1x 3.1 Gen2, 5V/900mA                                                   
-^ Ethernet          | ETH chip1: IPQ8074A + ETH chip2: QCA8081 + ETH chip3: Aquantia AQR113C +^ [[#Serial|Serial]]  | TTL 115200, 8N1, 3.3V                                                   | 
-^ Switch            | Qualcomm Atheros QCA8075                                                | +^ PSU                 | 19VDC 2.1A                                                              |
-^ USB               | 1x 3.1 Gen2                                                             +
-^ [[#Serial|Serial]]| TTL 115200, 8N1, 3.3V                                                   | +
-^ PSU               | 19VDC 2.1A                                                              | +
-</hidden>+
 \\ \\
  
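Review bot: Two of the added rows are missing the closing `|`: the second Ethernet row (ending in `ETH chip3: Aquantia AQR113C`) and the USB row (`1x 3.1 Gen2, 5V/900mA`). Close both cells so they match the other rows. The table also carries two rows labelled Wireless and two labelled Ethernet; distinct labels, for example "Ethernet ports" and "Ethernet chips", would make it easier to scan.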
Line 57: Line 53:
 ===== Limitations ===== ===== Limitations =====
  
-Currently (state of 2024) OpenWrt officially **__does not support__** the integrated FAN, the integrated LED and Bluetooth.+Currently (state of 2024) OpenWrt officially **__does not support__** the integrated FAN, the integrated LED.
   * LED: [[https://github.com/openwrt/openwrt/pull/15504|PR 15504]]   * LED: [[https://github.com/openwrt/openwrt/pull/15504|PR 15504]]
   * FAN: [[https://github.com/openwrt/openwrt/pull/14210|PR 14210]]   * FAN: [[https://github.com/openwrt/openwrt/pull/14210|PR 14210]]
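Review bot: Dropping Bluetooth from the unsupported list in the changed sentence comes without a reference, while LED and FAN each link a PR. Link the commit or PR that added Bluetooth support, or keep Bluetooth listed until there is one. The sentence would also read better as "the integrated FAN and the integrated LED".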
Line 131: Line 127:
   - Reboot the device.   - Reboot the device.
  
-<tabbox semi-automatic (Step 2-7)><WRAP><code>+<tabbox Semi-automatic (Step 2-7)><WRAP><code>
 cd /tmp/ApplicationData cd /tmp/ApplicationData
 wget -O openwrt-ipq807x-generic-zyxel_nbg7815-squashfs-sysupgrade.bin https://downloads.openwrt.org/snapshots/targets/qualcommax/ipq807x/openwrt-qualcommax-ipq807x-zyxel_nbg7815-squashfs-sysupgrade.bin wget -O openwrt-ipq807x-generic-zyxel_nbg7815-squashfs-sysupgrade.bin https://downloads.openwrt.org/snapshots/targets/qualcommax/ipq807x/openwrt-qualcommax-ipq807x-zyxel_nbg7815-squashfs-sysupgrade.bin
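Review bot: No integrity check is visible after the `wget` line, and the image comes from the moving snapshots directory. If the rest of the script does not already do so, compare the download against the `sha256sums` file published in the same directory before anything is written to flash. The output name says `ipq807x-generic` while the URL says `qualcommax-ipq807x`; one name for both would avoid confusion in the later steps.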
Line 186: Line 182:
 echo 0 > /proc/mtd_writeable echo 0 > /proc/mtd_writeable
 sync sync
-</code></WRAP></tabbox>\\+</code></WRAP></tabbox>
  
 :!: For reference: [[https://github.com/openwrt/openwrt/commit/5dee5965012e788f06e4d095e8cfb73200d818cb|initial commit nbg7815]]\\ :!: For reference: [[https://github.com/openwrt/openwrt/commit/5dee5965012e788f06e4d095e8cfb73200d818cb|initial commit nbg7815]]\\
Line 201: Line 197:
  
   - Login via SSH to the router.   - Login via SSH to the router.
-  - To use this method it is required to install kmod-mtd-rw first: ''**opkg update && opkg install kmod-mtd-rw**''+  - To use this method it is required to install kmod-mtd-rw first: ''**opkg update && opkg install kmod-mtd-rw**''.
   - Change directory to /tmp.   - Change directory to /tmp.
-  - Copy & paste the code from "script step 3" below.+  - Copy & paste the code from script ''**Step 4**'' below.
   - Execute the script with ''**sh change_boot_partition.sh**''.   - Execute the script with ''**sh change_boot_partition.sh**''.
   - Reboot the device.   - Reboot the device.
   - After reboot force a reflash of OEM firmware via WebGui using one of the provided [[#OEM firmware| OEM firmware files]] to purge OpenWrt entirely.   - After reboot force a reflash of OEM firmware via WebGui using one of the provided [[#OEM firmware| OEM firmware files]] to purge OpenWrt entirely.
  
-<tabbox script step 3><WRAP><code> +<tabbox Step 4><WRAP><code> 
-cat <<EOF> /tmp/change_boot_partition.sh+cat <<'EOF> /tmp/change_boot_partition.sh
 # Script to changing active boot partitions  # Script to changing active boot partitions 
 # Author: Karol Przybylski <itor@o2.pl> # Author: Karol Przybylski <itor@o2.pl>
-# Orginal script: https://github.com/itorK/nbg7815_tools/blob/main/change_boot_partition.sh +# Orginal script: https://github.com/itorK/nbg7815_tools/blob/main/change_boot_partition.sh // It lacks the insmod mtd-rw i_want_a_brick=1
-It lacks the insmod mtd-rw i_want_a_brick=1+
  
 openwrt_type=$(cat /etc/openwrt_release|grep DISTRIB_TARGET|cut -f 2 -d "'") openwrt_type=$(cat /etc/openwrt_release|grep DISTRIB_TARGET|cut -f 2 -d "'")
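Review bot: The new heredoc opener `cat <<'EOF> /tmp/change_boot_partition.sh` has an unbalanced quote; it should read `cat <<'EOF' > /tmp/change_boot_partition.sh`. As written, the quoted word runs on to the next single quote in the pasted text, so the paste does not produce the script. Quoting the delimiter is the right change, since it keeps `$(cat /etc/openwrt_release|...)` from being expanded at paste time. In the folded comment line, the `//` separator inside a `#` comment is unusual and "Orginal" should be "Original".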
Line 263: Line 258:
   - Login via SSH to the router.   - Login via SSH to the router.
   - To use this method it is required to install kmod-mtd-rw first: ''**opkg update && opkg install kmod-mtd-rw**''   - To use this method it is required to install kmod-mtd-rw first: ''**opkg update && opkg install kmod-mtd-rw**''
-  - Copy the files to the router to /tmp (e. g. using scp or an usb drive). Rename them to ''kernel'' resp. ''rootfs''.+  - Copy the files to the router to /tmp (e. g. using scp or an usb drive). Rename them to ''**kernel**'' resp. ''**rootfs**''.
   - Flash the kernel and rootfs to the currently not active partitions. Copy & paste the code from and execute the script with ''**sh flash_kernel_rootfs.sh**''..   - Flash the kernel and rootfs to the currently not active partitions. Copy & paste the code from and execute the script with ''**sh flash_kernel_rootfs.sh**''..
-  - Copy & paste the code from [[#Back to OEM firmware (1)|script step 3]] from [[#Back to OEM firmware (1)|Back to OEM firmware (1)]] and execute the script with ''**sh change_boot_partition.sh**''.+  - Copy & paste the code from [[#Back to OEM firmware (1)|script Step 4]] from [[#Back to OEM firmware (1)|Back to OEM firmware (1)]] and execute the script with ''**sh change_boot_partition.sh**''.
   - Reboot the device.   - Reboot the device.
   - After reboot force a reflash of OEM firmware via WebGui using one of the provided [[#OEM firmware| OEM firmware files]] to purge OpenWrt entirely.   - After reboot force a reflash of OEM firmware via WebGui using one of the provided [[#OEM firmware| OEM firmware files]] to purge OpenWrt entirely.
  
-<tabbox Example step 6><WRAP><code> +<tabbox Step 6><WRAP><code> 
-cat <<EOF> flash_kernel_rootfs.sh+cat <<'EOF/tmp/flash_kernel_rootfs.sh
 # check files # check files
  
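Review bot: `cat <<'EOF/tmp/flash_kernel_rootfs.sh` is missing both the closing quote and the `>` redirect, so no script file is created; it should read `cat <<'EOF' > /tmp/flash_kernel_rootfs.sh`. In the step list, "Copy & paste the code from and execute the script" has lost its link target and ends in a double period; point it at the Step 6 tab.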
Line 285: Line 280:
 # get bootconfig # get bootconfig
  
-mtd_part_a=$(grep -i "\"0:bootconfig"\" /proc/mtd | awk -F: '{print $1}'+mtd_part=$(grep -i "\"0:bootconfig"\" /proc/mtd | awk -F: '{print $1}'
-get_bootconfig=$(hexdump -v -e '1/1 "%01x|"' -n 1 -s 168 -C /dev/"$mtd_part_a" | cut -f 1 -d "|" | head -n1)+bootconfig=$(hexdump -v -e '1/1 "%01x|"' -n 1 -s 168 -C /dev/"$mtd_part" | cut -f 1 -d "|" | head -n1)
  
 # write rootfs and kernel; mmcblk0p3=0/mmcblk0p4=0 mmcblk0p7=1/mmcblk0p8=1 # write rootfs and kernel; mmcblk0p3=0/mmcblk0p4=0 mmcblk0p7=1/mmcblk0p8=1
  
-if [ "${get_bootconfig}" -eq 1 ]; then+if [ "${bootconfig}" -eq 1 ]; then
  dd if=/dev/zero of=/dev/mmcblk0p7  dd if=/dev/zero of=/dev/mmcblk0p7
  dd if=/tmp/kernel of=/dev/mmcblk0p7  dd if=/tmp/kernel of=/dev/mmcblk0p7
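Review bot: The renamed `mtd_part=$(grep ... | awk -F: '{print $1}'` line still has no closing `)`, so the command substitution never ends and the script fails to parse; add it while touching this line. It is also worth aborting when `mtd_part` comes back empty, because `/dev/"$mtd_part"` then becomes `/dev/` and `bootconfig` ends up empty before the `dd` calls are reached.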
Line 297: Line 292:
  sync  sync
 fi fi
- +if [ "${bootconfig}" -eq 0 ]; then
-if [ "${get_bootconfig}" -eq 0 ]; then+
  dd if=/dev/zero of=/dev/mmcblk0p3  dd if=/dev/zero of=/dev/mmcblk0p3
  dd if=/tmp/kernel of=/dev/mmcblk0p3  dd if=/tmp/kernel of=/dev/mmcblk0p3
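Review bot: The two separate `if [ "${bootconfig}" -eq ... ]` tests leave any value other than 0 or 1, including an empty one, unhandled: nothing is written, the script still ends normally, and the procedure goes on to switch the boot partition. A `case` with a default branch that prints an error and exits non-zero would stop the procedure before the switch.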
Line 305: Line 299:
  sync  sync
 fi fi
- 
 EOF EOF
-</code></WRAP></tabbox>+</code></WRAP></tabbox>\\
  
 ==== OEM firmware ==== ==== OEM firmware ====
Line 335: Line 328:
   - [[#Opening the case|Open the device case.]]   - [[#Opening the case|Open the device case.]]
   - Connect to the device via [[#serial|serial]] connection using a terminal application e. g. [[https://www.putty.org|putty]] and an USB to TTL/USB to Serial adapter.   - Connect to the device via [[#serial|serial]] connection using a terminal application e. g. [[https://www.putty.org|putty]] and an USB to TTL/USB to Serial adapter.
-  - [[#U-Boot access|Access the device via bootloader.]]+  - [[#Bootloader/U-Boot access|Access the device via bootloader.]]
   - [[#TFTP boot OpenWrt|TFTP boot OpenWrt]] to either reinstall or fix a broken installation | [[#TFTP flash OEM firmware|TFTP flash OEM firmware]] to purge OpenWrt.   - [[#TFTP boot OpenWrt|TFTP boot OpenWrt]] to either reinstall or fix a broken installation | [[#TFTP flash OEM firmware|TFTP flash OEM firmware]] to purge OpenWrt.
 \\ \\
Line 341: Line 334:
 ==== Opening the case ==== ==== Opening the case ====
  
-<WRAP BOX> +  - Remove the two rubber crosses from the device' bottom side. 
-FIXME //Describe what needs to be done to open the device, e.gremove rubber feet, adhesive labels, screws, ...// +  - Unscrew the two screws appearing after step 1. 
-</WRAP>\\+  - Remove the socket. 
 +  - After step 3. another four screws appear. Remove them as well. 
 +  - Around the device' case there are eleven clips* inside (two on each sidefour in front and three in back) tying the upper shell with the bottom side. 
 +  - Keep the device with bottom side up and pry it up carefully around the case to remove the bottom sideStart at the side where the connectors are lead out. 
 + 
 +*) You will likely break some of them. Especially those on the left or right side. The clips at the front's case are very tight clipped because of the case' shape and the fact that there are four of them
 +\\ 
 + 
 +{{media:zyxel:nbg7815_open_1.jpg?350}} 
 +{{media:zyxel:nbg7815_open_2.jpg?350}} 
 +{{media:zyxel:nbg7815_open_3.jpg?350}}
  
 ==== Serial ==== ==== Serial ====
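Review bot: Step 3, "Remove the socket", does not say which part is meant; name the part so the step can be followed without the photos. The warning that clips are likely to break sits in a footnote after the prying step; moving it ahead of steps 5 and 6 means it is read before force is applied. Wording fixes: "device'" should be "device's", "After step 3. another" should be "After step 3, another", and "very tight clipped" should be "clipped very tightly".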
Line 388: Line 391:
   - Generate the password:\\ \\ :!: **Do not enter the code below it into the current shell!** We have to open a new terminal application. We have distinguish here between Windows and Linux users!\\ \\ **__Linux__**: Copy and paste the code from below into a **newly** opened terminal. First use **calc script** and then **generate password** executing the script using the seed/passcode generated in section 3.\\ \\ **__Windows__** you can use [[https://mega.nz/file/sgZnnYoT#WYuFCmvTETYVr6j8vIZuVHC9rWVykBIBXOOWB3MFhfs|ZynPass]] to calculate the password.\\ \\ <tabbox calc script>   - Generate the password:\\ \\ :!: **Do not enter the code below it into the current shell!** We have to open a new terminal application. We have distinguish here between Windows and Linux users!\\ \\ **__Linux__**: Copy and paste the code from below into a **newly** opened terminal. First use **calc script** and then **generate password** executing the script using the seed/passcode generated in section 3.\\ \\ **__Windows__** you can use [[https://mega.nz/file/sgZnnYoT#WYuFCmvTETYVr6j8vIZuVHC9rWVykBIBXOOWB3MFhfs|ZynPass]] to calculate the password.\\ \\ <tabbox calc script>
 <code> <code>
-cat <<EOF> tool.sh+cat <<'EOF> tool.sh
 ror32() { ror32() {
   echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))   echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
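Review bot: `cat <<'EOF> tool.sh` has an unbalanced quote; it needs to be `cat <<'EOF' > tool.sh`. The quoting itself is needed here, because an unquoted delimiter would expand `$1`, `$2` and `$(( ... ))` in `ror32` while pasting. Separately, the Windows path in the step text points at a ZynPass download on mega.nz with no published hash or source; a note on how to verify it, or a pointer to running the shell script instead, would help.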
Line 402: Line 405:
 <tabbox password> <tabbox password>
 <code> <code>
-sh tool.sh **013D72FF0710**+sh tool.sh 013D72FF0710
 </code></tabbox> The resulting password looks like: ''**ATEN 1,10F0A563**'' </code></tabbox> The resulting password looks like: ''**ATEN 1,10F0A563**''
   - Put the output from paragraph 4. in the terminal and press enter:\\ \\ <code>   - Put the output from paragraph 4. in the terminal and press enter:\\ \\ <code>
Line 433: Line 436:
   - Connect your PC/Workstation via LAN cable to the router.   - Connect your PC/Workstation via LAN cable to the router.
   - Power up your router and get access to [[#Bootloader/U-Boot access|u-boot]] as describe above. Step 1-2 is enough (no need unlock).   - Power up your router and get access to [[#Bootloader/U-Boot access|u-boot]] as describe above. Step 1-2 is enough (no need unlock).
-  - Enter ''ATUR'' and the name of the downloaded firmware file e. g. ''ATUR V1.00(ABSK.8)C0.bin'': <code>NBG7815> ATUR V1.00(ABSK.8)C0.bin</code>\\+  - Enter ''ATUR'' and the name of the downloaded firmware file e. g. ''ATUR V1.00(ABSK.8)C0.bin'': <code>NBG7815> ATUR V1.00(ABSK.8)C0.bin</code> :!: **Do not power off the device during the process!**\\ 
  
 ===== Photos ===== ===== Photos =====
  • Last modified: 2024/12/13 12:10
  • by pwned