ZyXEL NBG 460N 550N 550NH

All three devices are based on the same board. The 460N is sold in Europe, the 550N/NH are sold in the U.S. The only difference between the 550N and the 550NH is the better antennas of the latter.

WARNING: Currently there is no working image, so don't flash any. It will brick your router! Atheros AP81 devices are working, but flashing these particular devices is not yet recommended.

OpenWrt support

Not supported.

Hardware Highlights

| CPU | Ram | Flash | Network | USB | Serial | JTag |
|---|---|---|---|---|---|---|
| Atheros AR9132 | 32MB | 4MB | 4×1 GbE | No (Not populated) | Yes | No |

Installation

TODO

Hardware Info

Architecture: MIPS
Vendor: Atheros
Bootloader: BootBase
System-On-Chip: Atheros AR9132-AC1E
CPU Speed: 400 MHz
Flash-Chip: MXIC MX25L3205DMI-12G
Flash size: 4 MiB
RAM: 32 MiB
Wireless: Atheros AR9103 802.11b/g/n Radio with 3T3R MIMO (integrated)
Ethernet: Realtek RTL8366SR 6-Port 10/100/1000MBs Switch
RTC Chip: NXP PCF8563 Real-time Clock/Calendar
USB: No (Not populated)
Serial: Yes
JTAG: No

Photos

[Photo: NBG460N]

Opening the case

Note: This will void your warranty!

To remove the cover, simply remove the two screws on the bottom. Then just open it. The board itself has no screws.

Main PCB

Serial

The pin assignment is:

VCC | TxD | RxD | empty | GND

with pin 1 being the one closest to the LEDs. You need an RS232 level shifter to connect a serial line!

GPIOs

Buttons

| Name | GPIO |
|---|---|
| WPS | 12 |
| Reset | 21 |

LEDs

| Name | GPIO |
|---|---|
| WPS | 3 |
| Power | 14 |
| WLAN | 15 |

PCF8563 RTC I2C Interface

| Name | GPIO |
|---|---|
| SDA | 8 |
| SCK | 7 |
| INT | 9 |

RTL8366S Switch I2C Interface

| Name | GPIO |
|---|---|
| SDA | 16 |
| SCK | 18 |

Bootloader

The bootloader used in this unit is BootBase/BootExt.
It is available through the serial interface with the settings: 9600/N/1

BootBase loads BootExt from flash and executes it. BootBase itself is only capable of uploading a firmware through xmodem. Only BootExt has a built-in console. See Recovery via serial console for how to use BootBase to recover a bricked router.

Getting in debug mode

Note: The following information is taken from http://www.ixo.de/info/zyxel_uclinux/ . All credit goes to the author of this site!

BootExt has two modes, the normal (restricted) mode and the debug mode. BootExt is in the normal (restricted) state after power-up. In this state the most useful commands are locked.

Commands in normal mode:

| Command | Description |
|---|---|
| AT | just answer OK |
| ATHE | print help |
| ATBAx | change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k |
| ATENx,(y) | set BootExtension Debug Flag (y=password) |
| ATSE | show the seed of password generator |
| ATTI(h,m,s) | change system time to hour:min:sec or show current time |
| ATDA(y,m,d) | change system date to year/month/day or show current date |
| ATDS | dump RAS stack |
| ATDT | dump Boot Module Common Area |
| ATDUx,y | dump memory contents from address x for length y |
| ATRBx | display the 8-bit value of address x |
| ATRWx | display the 16-bit value of address x |
| ATRLx | display the 32-bit value of address x |
| ATGO(x) | run program at addr x or boot router |
| ATGR | boot router |
| ATGT | run Hardware Test Program |
| ATRTw,x,y(,z) | RAM test level w, from address x to y (z iterations) |
| ATSH | dump manufacturer related data in ROM |
| ATTD | download router configuration to PC via XMODEM |
| ATUR | upload router firmware to flash ROM |
| ATLC | upload router configuration file to flash ROM |
| ATLD | upload router default configuration file to flash ROM |
| ATXSx | xmodem select: x=0: CRC mode(default); x=1: checksum mode |
| ATSR | system reboot |
| ATSP | send packet |
| ATEUx | Upgrate image by Ethernet, 0:bootbase,1:romfile,2:RAS |
| ATMU | print Multiboot client version |
| ATLTx | LED on/off test |

To switch to debug mode, the ATEN command is used together with the right key.
The key is based upon a seed which is initialized through the ATSE command. After power-up the seed is initialized as 0 (so don't send it). With the seed as 0, the key depends only on the last 3 bits of the MAC address (you can get the MAC address with the ATSH command). The following table lists the key for each possible last MAC-address byte:

| Last MAC byte | Key |
|---|---|
| 0 or 8 | 10F0A563 |
| 1 or 9 | 887852B1 |
| 2 or A | C43C2958 |
| 3 or B | 621E14AC |
| 4 or C | 310F0A56 |
| 5 or D | 1887852B |
| 6 or E | 8C43C295 |
| 7 or F | C621E14A |

So to switch to debug mode send: ATEN1,<key> (for me it was ATEN1,8C43C295).

After unlocking, the ATHE command lists some new commands.

Additional commands in debug mode:

| Command | Description |
|---|---|
| ATWBx,y | write address x with 8-bit value y |
| ATWWx,y | write address x with 16-bit value y |
| ATWLx,y | write address x with 32-bit value y |
| AT%Tx | Enable Hardware Test Program at boot up |
| ATBTx | block0 write enable (1=enable, other=disable) |
| ATWEa(,b,c,d) | write MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM |
| ATCUx | write Country code to flash ROM |
| ATCB | copy from FLASH ROM to working buffer |
| ATCL | clear working buffer |
| ATSB | save working buffer to FLASH ROM |
| ATBU | dump manufacturer related data in working buffer |
| ATWMx | set MAC address in working buffer |
| ATCOx | set country code in working buffer |
| ATFLx | set EngDebugFlag in working buffer |
| ATSTx | set ROMRAS address in working buffer |
| ATSYx | set system type in working buffer |
| ATVDx | set vendor name in working buffer |
| ATPNx | set product name in working buffer |
| ATMP | check & dump memMapTab |
| ATWZa(,b,c,d) | write ZyXEL MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM , Num MAC to flash ROM |
| ATDOx,y | download from address x for length y to PC via XMODEM |
| ATUPx,y | upload to RAM address x for length y from PC via XMODEM |
| ATUXx(,y) | xmodem upload from flash block x to y |
| ATERx,y | erase flash rom from block x to y |
| ATWFx,y,z | copy data from addr x to flash addr y, length z |
| ATSI | run sieve benchmark |
| ATDHx(,y) | run dhrystone benchmark, 1:ver 1.1, 2:ver 2.1, runs y |
| ATSDx | decompress & load image (name=x) |
| ATBR | Reset to default Romfile |

BootExt Flash Layout

The ATMP command dumps the layout of the flash (the flash chip is mapped at 0xbfc00000):

| Name | start address | length |
|---|---|---|
| BootBas(ROMIMG) | 0xbfc00000 | 0x010000 |
| DbgArea(ROMIMG) | 0xbfc10000 | 0x010000 |
| RomDir2(ROMDIR) | 0xbfc20000 | 0x020000 |
| BootExt(ROMIMG) | 0xbfc40030 | 0x03FFD0 |
| MemMapT(ROMMAP) | 0xbfc80000 | 0x010000 |
| termcap(ROMIMG) | 0xbfc90000 | 0x010000 |
| RomDefa(ROMIMG) | 0xbfca0000 | 0x020000 |
| RasCode(ROMBIN) | 0xbfcc0000 | 0x330000 |
| CalibData(ROMIMG) | 0xbfff0000 | 0x010000 |

Flash Layout in OpenWrt

| Name | start address | length |
|---|---|---|
| BootBase | 0xbfc00000 | 0x010000 |
| U-Boot Env | 0xbfc10000 | 0x030000 |
| U-Boot | 0xbfc40000 | 0x030000 |
| Kernel | 0xbfc70000 | 0x0e0000 |
| rootfs | 0xbfd50000 | 0x2a0000 |
| CalibData | 0xbfff0000 | 0x010000 |

Only some kbytes of the U-Boot Env partition are used for the U-Boot environment (wasting 256kb). The problem is that BootBase loads and starts the image at 0xbfc40000, and this address is hard coded.

Recovery via serial console

If, for some reason, your router does not boot any more, there is a good chance that the original BootBase is still working. To check, connect to the serial port. If you see something like:

    Bootbase Version: V1.05 | 10/06/2008 17:43:52
    RAM: Size = 32768 Kbytes
    DRAM POST: Testing: 32768K OK
    ST32M *1

BootBase is still working. If you only get some garbage, first try different baudrates.

When you see the above output, power off the router, plug it back in, and press and hold 'c' while it tests the RAM. When it is done testing, it prints:

    Download firmware...
    Starting XMODEM upload (CRC mode)....
    CCC

At this point it waits for an image to be sent to it with xmodem. With this method it is also possible to go back to the original firmware.
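The seed-0 key table in "Getting in debug mode" is a 32-bit right rotation of its first entry by the low three bits of the last MAC byte, so the debug-mode key can only take eight values. The following is an added example, not code from the original page or from BootExt; it covers only the seed-0 case the page describes, and the function names and sample MAC address are constructed.

```python
import re

# Key the page lists for a last MAC byte of 0 or 8 (seed = 0).
BASE_KEY = 0x10F0A563

# The page's seed-0 table, indexed by (last MAC byte & 7), kept as a cross-check.
PAGE_TABLE = ["10F0A563", "887852B1", "C43C2958", "621E14AC",
              "310F0A56", "1887852B", "8C43C295", "C621E14A"]


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or bare hex."""
    digits = re.sub(r"[:\-.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def seed0_key(mac: str) -> str:
    """Key for ATEN1 while the seed is still 0 (ATSE not sent since power-up)."""
    low3 = parse_mac(mac)[-1] & 0x07
    return f"{ror32(BASE_KEY, low3):08X}"


def aten_command(mac: str) -> str:
    """Full command line as typed on the BootExt console."""
    return f"ATEN1,{seed0_key(mac)}"


def table_matches_rotation() -> bool:
    """True if every row of the page's table equals ROR32(BASE_KEY, index)."""
    return all(f"{ror32(BASE_KEY, i):08X}" == row
               for i, row in enumerate(PAGE_TABLE))


if __name__ == "__main__":
    sample = "00:11:22:33:44:5E"  # constructed MAC; last byte 0x5E, low bits = 6
    print(aten_command(sample), table_matches_rotation())
```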
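A consistency check of the two flash maps from "BootExt Flash Layout" and "Flash Layout in OpenWrt": it looks for gaps and overlaps across the 4 MiB chip and reports which partition contains the address BootBase jumps to. This is an added example, not part of the original page; the partition values are copied from the page's tables, and the function names are constructed.

```python
FLASH_BASE = 0xBFC00000        # address the flash chip is mapped at (from the page)
FLASH_SIZE = 0x400000          # 4 MiB
BOOT_ENTRY = 0xBFC40000        # image address hard coded in BootBase (from the page)

# (name, start, length), copied from the two tables on the page
STOCK = [
    ("BootBas", 0xBFC00000, 0x010000), ("DbgArea", 0xBFC10000, 0x010000),
    ("RomDir2", 0xBFC20000, 0x020000), ("BootExt", 0xBFC40030, 0x03FFD0),
    ("MemMapT", 0xBFC80000, 0x010000), ("termcap", 0xBFC90000, 0x010000),
    ("RomDefa", 0xBFCA0000, 0x020000), ("RasCode", 0xBFCC0000, 0x330000),
    ("CalibData", 0xBFFF0000, 0x010000),
]
OPENWRT = [
    ("BootBase", 0xBFC00000, 0x010000), ("U-Boot Env", 0xBFC10000, 0x030000),
    ("U-Boot", 0xBFC40000, 0x030000), ("Kernel", 0xBFC70000, 0x0E0000),
    ("rootfs", 0xBFD50000, 0x2A0000), ("CalibData", 0xBFFF0000, 0x010000),
]


def check_layout(parts):
    """Return (gaps, overlaps) as lists of (address, size) over the whole chip."""
    gaps, overlaps = [], []
    cursor = FLASH_BASE
    for _name, start, length in sorted(parts, key=lambda p: p[1]):
        if start > cursor:
            gaps.append((cursor, start - cursor))
        elif start < cursor:
            overlaps.append((start, min(cursor, start + length) - start))
        cursor = max(cursor, start + length)
    end = FLASH_BASE + FLASH_SIZE
    if cursor < end:
        gaps.append((cursor, end - cursor))
    elif cursor > end:
        overlaps.append((end, cursor - end))   # partition runs past the chip
    return gaps, overlaps


def partition_at(parts, addr):
    """Name and offset of the partition containing addr, or None."""
    for name, start, length in parts:
        if start <= addr < start + length:
            return name, addr - start
    return None


if __name__ == "__main__":
    for label, parts in (("stock", STOCK), ("OpenWrt", OPENWRT)):
        gaps, overlaps = check_layout(parts)
        print(label, [(hex(a), hex(n)) for a, n in gaps], overlaps,
              partition_at(parts, BOOT_ENTRY))
```

The OpenWrt map tiles the chip exactly, with U-Boot at offset 0 of the hard-coded entry address and BootBase and CalibData at the same ranges as in the stock map; the stock map leaves 0x30 bytes unassigned in front of BootExt.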
Tags: ar9132, 4Flash, 32RAM, Unsupported devices

Last modified: 2019/10/17 15:53 by tmomas