ZyXEL NBG 460N 550N 550NH

All three devices are based on the same board. The 460N is sold in Europe, the 550N/NH are sold in the U.S.
The only difference between the 550N and the 550NH is the better antennas of the latter.

WARNING: Currently there is no working image, so don't flash any. It will brick your router!

Atheros AP81 devices are working, but the flashing of these particular devices is not yet recommended.

Not supported.

CPU Atheros AR9132
Ram 32MB
Flash 4MB
Network 4×1 GbE
USB No (Not populated)
Serial Yes
JTag No


Architecture MIPS
Vendor Atheros
Bootloader BootBase
System-On-Chip Atheros AR9132-AC1E
CPU Speed 400 MHz
Flash-Chip MXIC MX25L3205DMI-12G Datasheet
Flash size 4 MiB
RAM 32 MiB
Wireless Atheros AR9103 802.11b/g/n Radio with 3T3R MIMO (integrated)
Ethernet Realtek RTL8366SR 6-Port 10/100/1000 Mbit/s Switch Datasheet
RTC Chip NXP PCF8563 Real-time Clock/Calendar Datasheet
USB No (Not populated)
Serial Yes


Note: This will void your warranty!

  • To remove the cover simply remove the two screws on the bottom. Then just open it.
  • The board itself has no screws.

The pin assignment is:

  1. VCC
  2. TxD
  3. RxD
  4. empty
  5. GND

Pin 1 is the one closest to the LEDs. You need an RS232 level shifter to connect a serial line!


WPS 12
Reset 21


Power 14

PCF8563 RTC I2C Interface


RTL8366S Switch I2C Interface

SDA 16
SCK 18

The bootloader used in this unit is BootBase/BootExt. It is available through the serial interface with the settings: 9600/N/1
BootBase loads BootExt from flash and executes it. BootBase itself is only capable of uploading a firmware through XMODEM. Only BootExt has a built-in console.
See Recovery via serial console for how to use BootBase to recover a bricked router.

Note: The following information is taken from http://www.ixo.de/info/zyxel_uclinux/ . All credit goes to the author of this site!

BootExt has two modes, the normal (restricted) mode and the debug mode. BootExt is in the normal (restricted) state after power-up.
In this state the most useful commands are locked.

Commands in normal mode:

Command Description
AT just answer OK
ATHE print help
ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y) set BootExtension Debug Flag (y=password)
ATSE show the seed of password generator
ATTI(h,m,s) change system time to hour:min:sec or show current time
ATDA(y,m,d) change system date to year/month/day or show current date
ATDS dump RAS stack
ATDT dump Boot Module Common Area
ATDUx,y dump memory contents from address x for length y
ATRBx display the 8-bit value of address x
ATRWx display the 16-bit value of address x
ATRLx display the 32-bit value of address x
ATGO(x) run program at addr x or boot router
ATGR boot router
ATGT run Hardware Test Program
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
ATSH dump manufacturer related data in ROM
ATTD download router configuration to PC via XMODEM
ATUR upload router firmware to flash ROM
ATLC upload router configuration file to flash ROM
ATLD upload router default configuration file to flash ROM
ATXSx xmodem select: x=0: CRC mode(default); x=1: checksum mode
ATSR system reboot
ATSP send packet
ATEUx Upgrate image by Ethernet, 0:bootbase,1:romfile,2:RAS
ATMU print Multiboot client version
ATLTx LED on/off test

To switch to debug mode, the ATEN command is used together with the right key. The key is based upon a seed which is initialized
through the ATSE command. After power-up the seed is initialized as 0 (so don't send it :-) ). With the seed at 0, the key depends only
on the last 3 bits of the MAC address (you can get the MAC address from the ATSH command).
The following table lists the key for each possible last MAC-address byte:

Last MAC byte Key
0 or 8 10F0A563
1 or 9 887852B1
2 or A C43C2958
3 or B 621E14AC
4 or C 310F0A56
5 or D 1887852B
6 or E 8C43C295
7 or F C621E14A

So to switch to debug mode send: ATEN1,<key> (for me it was ATEN1,8C43C295).
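
The table above can be reproduced with one rotation: every listed key is 0x10F0A563 rotated right (32-bit) by the low three bits of the last MAC byte, so the lock depends only on a value that ATSH prints. This is an added example, not code from the original page or from ZyXEL; the function names and the sample MAC are constructed, and only the seed-0 case from the table is covered.

```python
# Added example: reproduce the page's seed-0 key table.
# Derived from the table only; how BootExt mixes in a non-zero seed
# is not described on the page and is not modelled here.

BASE_KEY = 0x10F0A563  # table entry for a last MAC byte of 0 or 8

# Keys copied from the table on this page, indexed by (last MAC byte & 7).
PAGE_TABLE = ["10F0A563", "887852B1", "C43C2958", "621E14AC",
              "310F0A56", "1887852B", "8C43C295", "C621E14A"]


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count &= 31
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def last_mac_byte(mac: str) -> int:
    """Parse a MAC such as '00:11:22:33:44:5E' or '00112233445E'."""
    digits = "".join(ch for ch in mac if ch not in ":-. ")
    if len(digits) != 12:
        raise ValueError(f"expected 12 hex digits, got {mac!r}")
    return int(digits, 16) & 0xFF  # int() raises ValueError on non-hex input


def seed0_key(mac: str) -> str:
    """Key for ATEN1,<key> while the seed is still 0 (fresh power-up)."""
    return f"{ror32(BASE_KEY, last_mac_byte(mac) & 0x7):08X}"


def table_matches() -> bool:
    """Check the rotation rule against all eight rows of the page's table."""
    return all(f"{ror32(BASE_KEY, n):08X}" == PAGE_TABLE[n] for n in range(8))


if __name__ == "__main__":
    assert table_matches()
    # Constructed sample MAC (not a real device); last byte 0x5E -> row "6 or E".
    print("ATEN1," + seed0_key("00:11:22:33:44:5E"))
```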

After unlocking, the ATHE command lists some new commands:

Additional commands in debug mode:

Command Description
ATWBx,y write address x with 8-bit value y
ATWWx,y write address x with 16-bit value y
ATWLx,y write address x with 32-bit value y
AT%Tx Enable Hardware Test Program at boot up
ATBTx block0 write enable (1=enable, other=disable)
ATWEa(,b,c,d) write MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM
ATCUx write Country code to flash ROM
ATCB copy from FLASH ROM to working buffer
ATCL clear working buffer
ATSB save working buffer to FLASH ROM
ATBU dump manufacturer related data in working buffer
ATWMx set MAC address in working buffer
ATCOx set country code in working buffer
ATFLx set EngDebugFlag in working buffer
ATSTx set ROMRAS address in working buffer
ATSYx set system type in working buffer
ATVDx set vendor name in working buffer
ATPNx set product name in working buffer
ATMP check & dump memMapTab
ATWZa(,b,c,d) write ZyXEL MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM , Num MAC to flash ROM
ATDOx,y download from address x for length y to PC via XMODEM
ATUPx,y upload to RAM address x for length y from PC via XMODEM
ATUXx(,y) xmodem upload from flash block x to y
ATERx,y erase flash rom from block x to y
ATWFx,y,z copy data from addr x to flash addr y, length z
ATSI run sieve benchmark
ATDHx(,y) run dhrystone benchmark, 1:ver 1.1, 2:ver 2.1, runs y
ATSDx decompress & load image (name=x)
ATBR Reset to default Romfile

The ATMP command dumps the layout of the flash (the Flash-chip is mapped at 0xbfc00000):

Name start address length
BootBas(ROMIMG) 0xbfc00000 0x010000
DbgArea(ROMIMG) 0xbfc10000 0x010000
RomDir2(ROMDIR) 0xbfc20000 0x020000
BootExt(ROMIMG) 0xbfc40030 0x03FFD0
MemMapT(ROMMAP) 0xbfc80000 0x010000
termcap(ROMIMG) 0xbfc90000 0x010000
RomDefa(ROMIMG) 0xbfca0000 0x020000
RasCode(ROMBIN) 0xbfcc0000 0x330000
CalibData(ROMIMG) 0xbfff0000 0x010000

Name start address length
BootBase 0xbfc00000 0x010000
U-Boot Env 0xbfc10000 0x030000
U-Boot 0xbfc40000 0x030000
Kernel 0xbfc70000 0x0e0000
rootfs 0xbfd50000 0x2a0000
CalibData 0xbfff0000 0x010000

Only some kbytes of the U-Boot Env partition are used for the U-Boot environment (wasting 256kb). The problem is that BootBase loads and starts the image at 0xbfc40000, and this address is hard coded.
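
A consistency check over the two flash maps listed above, as an added example that is not part of the original page: it looks for gaps and overlaps, confirms that each map ends exactly at the 4 MiB boundary, and shows which region sits at the hard-coded start address. The names STOCK, UBOOT and the helper functions are constructed for this example; the addresses and lengths are copied from the tables.

```python
FLASH_BASE = 0xBFC00000        # flash mapping address given on this page
FLASH_SIZE = 4 * 1024 * 1024   # 4 MiB flash chip
BOOT_ENTRY = 0xBFC40000        # address BootBase loads and starts (hard coded)

# Both tables copied from this page: (name, start, length).
STOCK = [("BootBas", 0xBFC00000, 0x010000), ("DbgArea", 0xBFC10000, 0x010000),
         ("RomDir2", 0xBFC20000, 0x020000), ("BootExt", 0xBFC40030, 0x03FFD0),
         ("MemMapT", 0xBFC80000, 0x010000), ("termcap", 0xBFC90000, 0x010000),
         ("RomDefa", 0xBFCA0000, 0x020000), ("RasCode", 0xBFCC0000, 0x330000),
         ("CalibData", 0xBFFF0000, 0x010000)]
UBOOT = [("BootBase", 0xBFC00000, 0x010000), ("U-Boot Env", 0xBFC10000, 0x030000),
         ("U-Boot", 0xBFC40000, 0x030000), ("Kernel", 0xBFC70000, 0x0E0000),
         ("rootfs", 0xBFD50000, 0x2A0000), ("CalibData", 0xBFFF0000, 0x010000)]


def check_layout(parts):
    """Return a list of problems: overlaps, gaps, or a wrong end address."""
    problems, cursor = [], FLASH_BASE
    for name, start, length in sorted(parts, key=lambda p: p[1]):
        if start < cursor:
            problems.append(f"{name} overlaps previous region by {cursor - start:#x}")
        elif start > cursor:
            problems.append(f"gap of {start - cursor:#x} before {name}")
        cursor = max(cursor, start + length)
    end = FLASH_BASE + FLASH_SIZE
    if cursor != end:
        problems.append(f"layout ends at {cursor:#x}, chip ends at {end:#x}")
    return problems


def region_at(parts, addr):
    """Name of the region containing addr, or None if no listed region does."""
    for name, start, length in parts:
        if start <= addr < start + length:
            return name
    return None


def preserved(old, new, old_name, new_name):
    """True if a region keeps the same start and length in both layouts."""
    find = lambda parts, n: next((p[1:] for p in parts if p[0] == n), None)
    return find(old, old_name) is not None and find(old, old_name) == find(new, new_name)
```

The first map reports one finding, a 0x30-byte unlisted span before BootExt, which is why 0xbfc40000 itself falls in no listed region there; the second map is contiguous and keeps BootBase and CalibData at their original addresses.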

If, for some reason, your router does not boot any more, there is a good chance that the original BootBase is still working. To check, connect to the serial port. If you see something like:

Bootbase Version: V1.05 | 10/06/2008 17:43:52
RAM: Size = 32768 Kbytes
DRAM POST: Testing: 32768K
ST32M *1

then BootBase is still working. If you only get some garbage, first try different baud rates. When you see the above output, power off the router, plug it back in, and press and hold 'c' while it tests the RAM. When it is done testing, it prints:

Download firmware...
Starting XMODEM upload (CRC mode)....

At this point it waits for an image to be sent to it via XMODEM. With this method it is also possible to go back to the original firmware.

  • Last modified: 2019/10/17 19:53
  • by tmomas