A guide to debranding the Zyxel VMG8623-T50B router (removing the ISP firmware and the locked bootloader)
- A Linux machine (or any machine that can ssh into the router and move files with scp) and a hex editor (Okteta, for example)
Use the password generator in the ZyxelRoot.py file (execute it online Here) to generate the device's root password for the zycli shell, which is reachable over both SSH and the serial TTL header.
This procedure is done over ssh. The serial header gives a better picture of the device's state, since it shows bootloader and other debug messages, but it is not required.
```
ssh -oHostKeyAlgorithms=+ssh-dss root@192.168.1.254
```
On the stock device, `zycli sys atsh` reports the following:
```
Firmware Version : V[version in the x.xx format](A[branch].[some revision])[higher level revision]
Bootbase Version : V[version] | [date]
Vendor Name : Zyxel Communications Corp.
Product Model : VMG8623-T50B
Serial Number : S220Y10021864
First MAC Address : [MAC address]
Last MAC Address : [MAC address] + 0xf
MAC Address Quantity : 16
Default Country Code : (country code)
Boot Module Debug Flag : 00
Kernel Checksum : 68A00776
RootFS Checksum : EB4B7592
Romfile Checksum : 00000F7B
Main Feature Bits : 00
Other Feature Bits :
7f9ca5d2: 04050f0d 00000100 00000000 00000000
7f9ca5e2: 00000000 00000000 00000000
```
In this xlsx file from the OpenWrt-ZyXEL-VMG8825-T50 project we see a model whose ID corresponds to 0x45FD (the first four bytes of the Other Feature Bits dump, 04 05 0F 0D, spell the digits 4 5 F D, one hex digit per byte):

| Model ID | Project | Notes |
|---|---|---|
| 0x45FD | VMG8623-T50B WindGreece | EN7516+256MB RAM |
This happens to have very similar specs (SoC and RAM capacity) to the VMG8623-T50B Generic, whose model ID is 0x4553 (shared with the EMG5523-T50A Generic).
While investigating the firmware available on Zyxel's website, we find that the hex sequence 04 05 05 03 appears in what looks like a file header on the ABPM branch.
Therefore, changing the Model ID is possible. Let's do it then.
Knowing that the bootloader lives on mtd0, we can dump it with the following command:
```
dd if=/dev/mtd0 of=/home/root/bootloader.bin
```
The bootloader partition is now saved on the device as /home/root/bootloader.bin.
In a new terminal window, transfer the bootloader image to the Linux machine with scp:
```
scp -O -oHostKeyAlgorithms=+ssh-dss root@192.168.1.254:/home/root/bootloader.bin bootloader.bin
```
The bootloader partition is now dumped on the host machine.
Open bootloader.bin in Okteta (the hex editor of my choice; feel free to use whatever you are comfortable with). Change the byte sequence 04 05 0F 0D at offset 0000FFC0 (on my bootloader; yours might be different, so search for the sequence rather than trusting the offset) to 04 05 05 03, save the result as patchedBootloader.bin in the directory you downloaded bootloader.bin to, and move it back to the device:
```
scp -O -oHostKeyAlgorithms=+ssh-dss patchedBootloader.bin root@192.168.1.254:/home/root/bootloader.bin
```
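As an added example (this is not part of the original guide), the hex-editor step above can also be done with a small Python script that adds the checks a careful practitioner wants before writing anything back to the bootloader partition: it refuses to patch unless the image is exactly 262144 bytes (the length later passed to mtd writeflash) and the sequence 04 05 0F 0D occurs exactly once, optionally confirms it sits at the offset you expect, records SHA-256 hashes of both images, and lists the changed offsets so a fresh dump of mtd0 taken after writing can be compared against the patched file. It assumes, as the guide's numbers suggest, that each byte holds one hex digit of the Model ID (04 05 0F 0D for 0x45FD, 04 05 05 03 for 0x4553); the file names and the 0xFFC0 offset are the ones from the guide, and `make_sample_image` builds a constructed stand-in dump for testing.

```python
"""Patch the Model ID bytes in a dumped VMG8623-T50B bootloader image.

Added example, not code from the original guide. Assumption: the Model ID is
stored one hex digit per byte, so 04 05 0F 0D spells 0x45FD and 04 05 05 03
spells 0x4553; the input is the 262144-byte mtd0 dump produced with dd.
"""
import hashlib
from pathlib import Path
from typing import List, Optional

ISP_MODEL_ID = bytes.fromhex("04050f0d")      # 0x45FD, VMG8623-T50B WindGreece
GENERIC_MODEL_ID = bytes.fromhex("04050503")  # 0x4553, VMG8623-T50B Generic
EXPECTED_SIZE = 262144                        # length used with mtd writeflash
EXAMPLE_OFFSET = 0xFFC0                       # offset seen in the guide's dump


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, to note down before and after patching."""
    return hashlib.sha256(data).hexdigest()


def find_model_id(image: bytes, pattern: bytes = ISP_MODEL_ID) -> int:
    """Return the offset of the single occurrence of pattern.

    Refuses to guess when the pattern is absent (wrong file dumped) or occurs
    more than once (blindly patching a fixed offset would then be unsafe).
    """
    first = image.find(pattern)
    if first < 0:
        raise ValueError("model ID bytes not found; is this really the mtd0 dump?")
    if image.find(pattern, first + 1) >= 0:
        raise ValueError("model ID bytes occur more than once; inspect by hand")
    return first


def patch_model_id(image: bytes, new_id: bytes = GENERIC_MODEL_ID,
                   expected_offset: Optional[int] = None) -> bytes:
    """Return a copy of image with the Model ID bytes replaced by new_id."""
    if len(image) != EXPECTED_SIZE:
        raise ValueError(f"unexpected image size {len(image)}, want {EXPECTED_SIZE}")
    if len(new_id) != len(ISP_MODEL_ID):
        raise ValueError("replacement must be exactly 4 bytes")
    offset = find_model_id(image)
    if expected_offset is not None and offset != expected_offset:
        raise ValueError(f"model ID at {offset:#x}, expected {expected_offset:#x}")
    return image[:offset] + new_id + image[offset + len(new_id):]


def diff_offsets(a: bytes, b: bytes) -> List[int]:
    """Offsets at which two same-length images differ (use on a re-dump of mtd0)."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def patch_file(src: Path, dst: Path, expected_offset: Optional[int] = None) -> dict:
    """Patch src into dst and return the facts worth writing in your notes."""
    original = src.read_bytes()
    patched = patch_model_id(original, expected_offset=expected_offset)
    dst.write_bytes(patched)
    return {
        "offset": find_model_id(original),
        "original_sha256": sha256_hex(original),
        "patched_sha256": sha256_hex(patched),
        "changed_offsets": diff_offsets(original, patched),
    }


def make_sample_image(offset: int = EXAMPLE_OFFSET) -> bytes:
    """Constructed stand-in for a real dump: 0xFF filler with the ID at offset."""
    buf = bytearray(b"\xff" * EXPECTED_SIZE)
    buf[offset:offset + len(ISP_MODEL_ID)] = ISP_MODEL_ID
    return bytes(buf)


if __name__ == "__main__":
    import sys
    # usage: python3 patch_model_id.py bootloader.bin patchedBootloader.bin
    src, dst = Path(sys.argv[1]), Path(sys.argv[2])
    print(patch_file(src, dst, expected_offset=EXAMPLE_OFFSET))
```

Keep the unmodified bootloader.bin and its hash somewhere off the device: the script only changes the two bytes that differ between the two IDs, and `diff_offsets` should report exactly those two offsets when you compare the original dump with the patched file, or a second dump of mtd0 taken after writing.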
Then, in the original terminal where we are sshed into the router, run the following commands:
```
mtd unlock
mtd writeflash bootloader.bin 262144 0 bootloader
zycli sys atcd
```
After a reboot, the firmware can be updated using Zyxel's official downloads.
Flash the firmware at https://192.168.1.254/FirmwareUpgrade, checking the "Reset All Settings After Firmware Upgrade" option.
After flashing, the device's IP changes from 192.168.1.254 to 192.168.1.1; you can log in as admin with the password printed on the label, or as supervisor with the password from ZyxelRoot.py.
You now own a device that can, from now on, be updated through the web UI and is indistinguishable from a Generic device in every respect except the Serial Number, which still marks it as an ISP device.