All three devices are based on the same board. The 460N is sold in Europe, the 550N/NH are sold in the U.S.
The only difference between the 550N and the 550NH are the better antennas of the latter.
WARNING: Currently there is no working image, so don't flash any. It will brick your router!
Atheros AP81 devices are working, but the flashing of these particular devices is not yet recommended.
|Atheros AR9132||32MB||4MB||4×1 GbE||No (Not populated)||Yes||No|
|CPU Speed:||400 Mhz|
|Flash-Chip:||MXIC MX25L3205DMI-12G Datasheet|
|Flash size:||4 MiB|
|Wireless:||Atheros AR9103 802.11b/g/n Radio with 3T3R MIMO (integrated)|
|Ethernet:||Realtek RTL8366SR 6-Port 10/100/1000MBs Switch Datasheet|
|RTC Chip:||NXP PCF8563 Real-time Clock/Calendar Datasheet|
|USB:||No (Not populated)|
Note: This will void your warranty!
The pin assignment is:
With Pin 1 being the one closest to the LEDs. You need a RS232 Levelshifter to connect a serial Line!
The Bootloader used in this unit is BootBase/BootExt. It is available through the serial interface with the settings: 9600/N/1
BootBase loads BootExt from flash and executes it. BootBase it self is only capable of uploading a firmware through xmodem. Only BootExt has a builtin console.
See Recovery via serial console for how to use BootBase to recover a bricked router.
Note: The following information is taken from http://www.ixo.de/info/zyxel_uclinux/ . All credit goes to the author of this site!
BootExt has two modes, the normal (restricted) mode and the debug mode. BootExt is in the normal (restricted) state after power-up.
In this state the most useful commands are locked.
Commands in normal mode:
|AT||just answer OK|
|ATBAx||change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k|
|ATENx,(y)||set BootExtension Debug Flag (y=password)|
|ATSE||show the seed of password generator|
|ATTI(h,m,s)||change system time to hour:min:sec or show current time|
|ATDA(y,m,d)||change system date to year/month/day or show current date|
|ATDS||dump RAS stack|
|ATDT||dump Boot Module Common Area|
|ATDUx,y||dump memory contents from address x for length y|
|ATRBx||display the 8-bit value of address x|
|ATRWx||display the 16-bit value of address x|
|ATRLx||display the 32-bit value of address x|
|ATGO(x)||run program at addr x or boot router|
|ATGT||run Hardware Test Program|
|ATRTw,x,y(,z)||RAM test level w, from address x to y (z iterations)|
|ATSH||dump manufacturer related data in ROM|
|ATTD||download router configuration to PC via XMODEM|
|ATUR||upload router firmware to flash ROM|
|ATLC||upload router configuration file to flash ROM|
|ATLD||upload router default configuration file to flash ROM|
|ATXSx||xmodem select: x=0: CRC mode(default); x=1: checksum mode|
|ATEUx||Upgrate image by Ethernet, 0:bootbase,1:romfile,2:RAS|
|ATMU||print Multiboot client version|
|ATLTx||LED on/off test|
To switch to debug mode to ATEN command together with the right key is used.
The key is based upon a seed which is initialized
through the ATSE command. After power-up the seed is initialized as 0 (so don't send it ). With the seed as 0 the key is only dependent
of the last 3 bits of the MAC-address (You can get the MAC-address of the ATSH command).
The following table lists the keys to the possible last MAC-address byte:
|Last MAC byte||Key|
|0 or 8||10F0A563|
|1 or 9||887852B1|
|2 or A||C43C2958|
|3 or B||621E14AC|
|4 or C||310F0A56|
|5 or D||1887852B|
|6 or E||8C43C295|
|7 or F||C621E14A|
So to switch to debug mode send: ATEN1,<key> (for me it was ATEN1,8C43C295).
After unlocking the ATHE command lists some new commands:
Additional commands in debug mode:
|ATWBx,y||write address x with 8-bit value y|
|ATWWx,y||write address x with 16-bit value y|
|ATWLx,y||write address x with 32-bit value y|
|AT%Tx||Enable Hardware Test Program at boot up|
|ATBTx||block0 write enable (1=enable, other=disable)|
|ATWEa(,b,c,d)||write MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM|
|ATCUx||write Country code to flash ROM|
|ATCB||copy from FLASH ROM to working buffer|
|ATCL||clear working buffer|
|ATSB||save working buffer to FLASH ROM|
|ATBU||dump manufacturer related data in working buffer|
|ATWMx||set MAC address in working buffer|
|ATCOx||set country code in working buffer|
|ATFLx||set EngDebugFlag in working buffer|
|ATSTx||set ROMRAS address in working buffer|
|ATSYx||set system type in working buffer|
|ATVDx||set vendor name in working buffer|
|ATPNx||set product name in working buffer|
|ATMP||check & dump memMapTab|
|ATWZa(,b,c,d)||write ZyXEL MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM , Num MAC to flash ROM|
|ATDOx,y||download from address x for length y to PC via XMODEM|
|ATUPx,y||upload to RAM address x for length y from PC via XMODEM|
|ATUXx(,y)||xmodem upload from flash block x to y|
|ATERx,y||erase flash rom from block x to y|
|ATWFx,y,z||copy data from addr x to flash addr y, length z|
|ATSI||run sieve benchmark|
|ATDHx(,y)||run dhrystone benchmark, 1:ver 1.1, 2:ver 2.1, runs y|
|ATSDx||decompress & load image (name=x)|
|ATBR||Reset to default Romfile|
The ATMP command dumps the layout of the flash (the Flash-chip is mapped at 0xbfc00000):
Only some kbytes of the U-Boot Env partition are used for the U-Boot environment (wasting 256kb). The Problem is that BootBase loads and starts the image at 0xbfc40000 and this address is hard coded.
If, for some reason, your router boot any more, there is a good chance that the original BootBase is still working. To check, connect to the serial port. If you see something like:
Bootbase Version: V1.05 | 10/06/2008 17:43:52 RAM: Size = 32768 Kbytes DRAM POST: Testing: 32768K OK ST32M *1
Bootbase is still working. If you only get some garbage, first try different baudrates. When you see the above output, power off the router plug it back in and press and hold 'c' while it tests the RAM. When it is done testing, it prints:
Download firmware... Starting XMODEM upload (CRC mode).... CCC
At this point it waits for a image send to it with xmodem. With this method it is also possible to go back to the original firmware.