ZyXEL 660hw wireless router: flashing RouterTech / OpenWrt

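Posted on 2012-10-18 13:08:19
I bought a 660hw 61. The stock firmware feels very unstable and has few features, so I would like to try flashing third-party firmware. I searched from outside the firewall, and this router seems to be rather obscure; I only found two relatively useful articles. Could the experts here take a look and tell me whether third-party firmware can be flashed?
The URLs are: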
http://wiki.openwrt.org/doku.php?id=oldwiki:openwrtdocs:hardware:zyxel:prestige_660hw_61
http://forum.lowyat.net/topic/361118/all


Prestige 660HW-61
The device is based on Texas Instruments AR7 (MIPS based), so you need the target.ar7 in OpenWrt trunk. It uses //www.adslayuda.com/Zyxel650-9.html here (spanish) here (german) and here (german).

Status
Kolja Waschk had success booting uClinux kernel on previous ZyXEL Prestige router series (100, 310, 314, 316) and others. This router runs in Big Endian mode, unusual among other MIPS-based routers.

Serial Console
You can build a serial cable using various mobile cables as shown in this forum post (Spanish) and on this page (German).
This way, you don't need to buy a MAX232 chip plus capacitors to do the TTL level conversion.
I used a SIEMENS S55 slim lumberg cable to do the trick.
/!\ DO NOT try to connect your PC's serial port to the router directly !

Router startup through serial console
Bootbase Version: V1.06 | 04/01/2004 11:22:33
RAM: Size = 16384 Kbytes
DRAM POST: Testing: 16384K
OK
FLASH: Intel 16M *1
ZyNOS Version: V3.40(PE.7) | 09/29/2004  17:42:50
Press any key to enter debug mode within 3 seconds.................
Enter Debug Mode

Enabling privileged commands
Thanks (again) to adslayuda for the howto on the password algorithm. The following code can be used to compute it:

/* ZyXEL prestige 660HW series password calculator by brainstorm
 * Thanks to http://www.adslayuda.com/Zyxel650-9.html authors
 *
 * Example usage:
 *
 * Router:
 * ======
 *
 * ATSE
 * 0028D6DF1C03
 * OK
 *
 * Computer:
 * ========
 *
 * ./zyxel 0028D6DF1C03
 * ATEN 1,221E3111
 *
 * Router:
 * ======
 * ATEN 1,221E3111
 * OK
 *
 * "Dangerous" commands enabled :-)
 *
 * */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define magic1  0x10F0A563L
#define magic2  7
#define atse_length 12  /* ATSE command, ZyNOS seed password length */
#define WORD_LENGTH (8*sizeof(value))

/* Rotate right. A rotation by 0 is returned unchanged, because shifting
 * by the full word width is undefined behaviour in C. */
unsigned int ror(unsigned int value, int places)
{
  if (places == 0)
    return value;
  return (value>>places)|(value<<(WORD_LENGTH-places));
}

int main (int argc, char* argv[]) {
        char *seed, a[7], c[3];
        unsigned int b,d,e,password;

        if ( argc != 2 ) {
                printf("Only one argument is permitted: 00BDC8667E5B\n");
                exit(-1);
        } else if ( strlen(argv[1]) != atse_length ) {
                printf( "Incorrect parameter length, should be %d characters long\n", atse_length );
                exit (-2);
        }

        seed = argv[1];
        strncpy (a, seed , 6);  // a = first 3 bytes (6 hex digits) of the seed
        a[6] = '\0';            // strncpy does not terminate the string here
        e = strtoul(a,NULL,16);  // e = a as a number
        strncpy (c, seed + strlen(seed)-2, 2); // c = last byte (2 hex digits) of the seed
        c[2] = '\0';
        d = strtoul(c,NULL,16) & magic2; // d = last byte AND 7
        b = e + magic1;
        b = ror(b,d);
        password = b ^ e;
        printf("\nATEN 1,%X\n", password);
        return 0;
}

There is also a small Windows tool called ZynPass which calculates the password.

Memory layout
Bootbase provides a powerful flashing/debugging console. For instance, the ATMP command shows how the memory is allocated. Later on, you can use the ATDUx,y command to dump memory contents starting at x plus a y offset:

ATMP
ROMIO image start at b0010000
code version:
code start: 94008000
code length: 1C3D24
memMapTab: 14 entries, start = b0037000, checksum = A88D
$RAM Section:
  0: BootExt(RAMBOOT), start=94008000, len=38000
  1: HTPCode(RAMCODE), start=94020000, len=E0000
  2: RasCode(RAMCODE), start=94020000, len=FE0000
$ROM Section:
  3: BootBas(ROMIMG), start=b0000000, len=4000
  4: DbgArea(ROMIMG), start=b0004000, len=2000
  5: RomDir2(ROMDIR), start=b0006000, len=A000
  6: BootExt(ROMIMG), start=b0010030, len=17FD0
  7: HTPCode(ROMBIN), start=b0028000, len=F000
          (Compressed)
          Version: HTP_P660 V 0.05, start: b0028030
          Length: 17618, Checksum: 3B6A
          Compressed Length: 7F07, Checksum: 64E7
  8: MemMapT(ROMMAP), start=b0037000, len=C00
  9: termcap(ROMIMG), start=b0037c00, len=400
 10: tiadsl(ROMBIN), start=b0038000, len=24A00
          (Compressed)
          Version: ADSL ATU-R, start: b0038030
          Length: 40736, Checksum: 9761
          Compressed Length: 2242D, Checksum: 6E3D
 11: tiwlan(ROMBIN), start=b005ca00, len=1BC00
          (Compressed)
          Version: WLAN, start: b005ca30
          Length: 12894, Checksum: 539D
          Compressed Length: C1A0, Checksum: 4883
 12: RomDefa(ROMIMG), start=b0078600, len=A000
 13: RasCode(ROMBIN), start=b0082600, len=17DA00
          (Compressed)
          Version: P660HW-61 ATU-R, start: b0082630
          Length: 446098, Checksum: 321B
          Compressed Length: 151724, Checksum: 7D74
For instance, ATDU b0037c00,400 will produce the following output (refer to the "termcap" entry above for memory address and length):

B0037C00: 76 74 31 30 30 7C 64 65-63 2D 76 74 31 30 30 7C   vt100|dec-vt100|
B0037C10: 76 74 31 30 30 2D 61 6D-7C 76 74 31 30 30 61 6D   vt100-am|vt100am
B0037C20: 7C 64 65 63 20 76 74 31-30 30 3A 5C 0D 0A 09 3A   |dec vt100:\...:
B0037C30: 64 6F 3D 5E 4A 3A 63 6F-23 38 30 3A 6C 69 23 32   do=^J:co#80:li#2
B0037C40: 34 3A 63 6C 3D 35 30 5C-45 5B 3B 48 5C 45 5B 32   4:cl=50\E[;H\E[2
B0037C50: 4A 3A 73 66 3D 32 2A 5C-45 44 3A 5C 0D 0A 09 3A   J:sf=2*\ED:\...:
B0037C60: 6C 65 3D 5E 48 3A 62 73-3A 61 6D 3A 63 6D 3D 35   le=^H:bs:am:cm=5
B0037C70: 5C 45 5B 25 69 25 64 3B-25 64 48 3A 6E 64 3D 32   \E[%i%d;%dH:nd=2
B0037C80: 5C 45 5B 43 3A 75 70 3D-32 5C 45 5B 41 3A 5C 0D   \E[C:up=2\E[A:\.
B0037C90: 0A 09 3A 63 65 3D 33 5C-45 5B 4B 3A 63 64 3D 35   ..:ce=3\E[K:cd=5
B0037CA0: 30 5C 45 5B 4A 3A 73 6F-3D 32 5C 45 5B 37 6D 3A   0\E[J:so=2\E[7m:
B0037CB0: 73 65 3D 32 5C 45 5B 6D-3A 75 73 3D 32 5C 45 5B   se=2\E[m:us=2\E[
B0037CC0: 34 6D 3A 75 65 3D 32 5C-45 5B 6D 3A 5C 0D 0A 09   4m:ue=2\E[m:\...
B0037CD0: 3A 6D 64 3D 32 5C 45 5B-31 6D 3A 6D 72 3D 32 5C   :md=2\E[1m:mr=2\
B0037CE0: 45 5B 37 6D 3A 6D 62 3D-32 5C 45 5B 35 6D 3A 6D   E[7m:mb=2\E[5m:m
B0037CF0: 65 3D 32 5C 45 5B 6D 3A-69 73 3D 5C 45 5B 31 3B   e=2\E[m:is=\E[1;

Original Firmware files
Firmware downloaded from official ZyXEL website:
340PE10C0.rom: Router configuration, coincides with "4: DbgArea" shown above. You can retrieve this file from your router using the ATTD BootBase command.
340PE10C0.bin: Router firmware.

Flashing BootBase
The following process rewrites the BootBase bootloader. It's just a translation from adslayuda mentioned earlier, thanks to "haypocos" for this procedure. These instructions may be useful to those brave enough to flash a new bootloader on top of BootBase.
/!\ DO NOT try this unless you know what it's all about
/!\ Really, DON'T, it's gonna brick your router

ATEN stuff
ATBA4: Sets baudrate to 57.6k to speedup Xmodem download
ATDO B0000000,13FD0: Downloads the bootbase and extensions for backup purposes
ATBT1: Block 0 unprotected, we are going to overwrite the bootloader
ATUX 0: Actual bootloader upload and writing


Original poster | Posted on 2012-12-6 20:02:56
Any experts out there, please help!!
Original poster | Posted on 2013-4-2 23:35:54
Original poster | Posted on 2013-4-3 00:52:00
http://www.telefonica.net/web2/cooltony/zyxel/zyxel_en.htm
https://forum.openwrt.org/viewtopic.php?id=17473
I found two more URLs about this p660 hw 61. Experts, please crack it.
Original poster | Posted on 2013-4-3 00:59:30
Original poster | Posted on 2013-4-3 01:01:24