eimparas / Zyxel-VMG8623-T50B-Debrand

A guide to debrand (remove ISP firmware & locked bootloader) the Zyxel VMG8623-T50B router
GNU General Public License v3.0

Can't copy files over network - VMG3625-T50B #3

Open aka-khalid opened 7 months ago

aka-khalid commented 7 months ago

I've purchased my VMG3625-T50B, which is pretty similar to VMG8623-T50B, from a local ISP (te-data) and I guess they worked really hard to make sure no one gets to debrand the device. I got the supervisor password, which is the same as root, from the generator and by using a ping command injection script you can find here, I gained root shell access to the router and these are the steps:

  1. Get the supervisor/root password
  2. Connect to the router via LAN
  3. On a Linux machine, open a terminal and run nc -nvlp 13373
  4. In a new terminal, run python3 cmd_injection_ping2.py

Voila! Now I have root shell access.

By executing zycli sys atsh I get the following:

Firmware Version        : V550ABTL0b2r
Bootbase Version        : V1.41 | 12/08/2020 15:47:56
Vendor Name             : Zyxel Communications Corp.
Product Model           : VMG3625-T50B
Serial Number           : S213Hxxxxxxxxx
First MAC Address       : xxxxxxxxxxxx
Last MAC Address        : xxxxxxxxxxxx
MAC Address Quantity    : 16
Default Country Code    : FF
Boot Module Debug Flag  : 00
Kernel Checksum         : E993EF2A
RootFS Checksum         : 1DB70D37
Romfile Checksum        : 0000BC11
Main Feature Bits       : 00
Other Feature Bits      : 
7f93cc45: 04050503 00000100 00000000 00000000
7f93cc55: 00000000 00000000 00000000 0000

and netstat produces:

Active Internet connections (w/o servers)
Proto   Recv-Q  Send-Q   Local Address            Foreign Address         State       
tcp          0       0   192.168.1.1:[port]       192.168.1.12:13373      ESTABLISHED
...
...

My problem is I don't know how to successfully copy the bootloader file as I'm no expert in any of this. Performing regular ssh or ftp commands from my machine results in failure because these protocols are somehow blocked and hidden.

I thought of modifying the mentioned script to inject an scp command but I don't know how the script fully works and when I tried to do stuff on my own I failed and almost broke my device. 😃

Any thoughts? I'd really appreciate it.
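A defender-side check for the connection pattern visible in the netstat output above, as an added example that is not part of the thread: it parses netstat's connection table and flags ESTABLISHED sessions the router itself opened to a host on its own LAN, which is the shape of the line to port 13373 (router side on an ephemeral port, peer on a listener port). The sample output, LAN prefix and service-port allowlist are constructed assumptions.

```python
import re
import ipaddress
from typing import Dict, List

# Constructed sample modelled on the post's netstat table (not the real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto   Recv-Q  Send-Q   Local Address            Foreign Address         State
tcp          0       0   192.168.1.1:80           192.168.1.12:51234      ESTABLISHED
tcp          0       0   192.168.1.1:44010        192.168.1.12:13373      ESTABLISHED
tcp          0       0   192.168.1.1:49152        203.0.113.7:443         ESTABLISHED
tcp          0       0   192.168.1.1:443          192.168.1.20:49999      TIME_WAIT
"""

# One netstat connection row: proto, queues, local addr:port, foreign addr:port, state.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<lip>\S+):(?P<lport>\d+)\s+(?P<fip>\S+):(?P<fport>\d+)\s*(?P<state>\S*)$"
)

def parse_netstat(text: str) -> List[Dict]:
    """Return one dict per connection row; header and non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["lport"] = int(d["lport"])
        d["fport"] = int(d["fport"])
        rows.append(d)
    return rows

def find_reverse_shell_candidates(text: str, router_ip: str = "192.168.1.1",
                                  lan: str = "192.168.1.0/24",
                                  service_ports=frozenset({22, 23, 53, 80, 443, 8080})) -> List[Dict]:
    """ESTABLISHED TCP rows where the router side is NOT a service port (so the
    router initiated the session) and the peer sits on the LAN. A CPE router has
    no normal reason to open TCP sessions to its own clients. Allowlist is assumed."""
    net = ipaddress.ip_network(lan)
    hits = []
    for r in parse_netstat(text):
        if not r["proto"].startswith("tcp") or r["state"] != "ESTABLISHED":
            continue
        if r["lip"] != router_ip or r["lport"] in service_ports:
            continue
        try:
            peer_on_lan = ipaddress.ip_address(r["fip"]) in net
        except ValueError:
            continue  # hostname or malformed address: cannot classify
        if peer_on_lan:
            hits.append(r)
    return hits

if __name__ == "__main__":
    for h in find_reverse_shell_candidates(SAMPLE_NETSTAT):
        print(f"router -> {h['fip']}:{h['fport']} (router-side port {h['lport']})")
```

Legitimate outbound sessions to the WAN (DNS, NTP, firmware update over HTTPS) are not flagged because the peer is outside the LAN prefix; inbound sessions to the web UI are not flagged because the router side is a service port.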

Notupus commented 7 months ago

So your feature bits indicate you have an "unlocked bootloader". Have you tried flashing the file on Zyxel's site?

aka-khalid commented 7 months ago

I have tried, multiple times actually, and I always get this error: image

I've executed zycli fwidcheck off and zycli modelcheck off to make sure I can upgrade firmware, but no luck.

aka-khalid commented 7 months ago

After further investigation, it appears that there are no openssh-server or dropbear packages installed to allow an SSH connection to the router. I tried to install them, but according to opkg print-architecture I need a package that supports one of these architectures:

arch: all
arch: noarch
arch: en75xx

and neither of the mentioned packages supports them.

In order to install packages, I had to modify this line in /etc/opkg.conf from:

src/gz barrier_breaker http://downloads.openwrt.org/snapshots/trunk/en75xx/packages

to:

src/gz barrier_breaker http://downloads.openwrt.org/snapshots/packages/mipsel_24kc/packages/

because the original link doesn't exist and I had to choose mipsel_24kc because it had many packages of arch: all.

Also, I would like to show this df report because I couldn't install any packages in / and had to switch to /tmp:

Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                   16384     16384         0 100% /
/dev/root                16384     16384         0 100% /
tmpfs                   118512      1996    116516   2% /tmp
devtmpfs                118404         0    118404   0% /dev
tmpfs                       16         0        16   0% /mnt
/dev/mtdblock9            4064      1524      2540  38% /data
/dev/mtdblock11          32512      1144     31368   4% /misc
tmpfs                   118512      1996    116516   2% /tmp/var/home/root/fw
/dev/mtdblock9            4064      1524      2540  38% /tmp/var/home/root/data
tmpfs                   118512      1996    116516   2% /tmp/var/home/supervisor/fw
tmpfs                   118512      1996    116516   2% /tmp/var/home/admin/fw
tmpfs                   118512      1996    116516   2% /tmp/var/home/user/fw
devtmpfs                118404         0    118404   0% /proc/bus

@Notupus, I'm out of ideas but I think I have to use a serial header as it's the only way for this device?

eimparas commented 6 months ago

@aka-khalid did you get anywhere with this?

Notupus commented 6 months ago

Try flashing from zloader with UART. Run the following commands: zycli sys atcd, zycli sys atcr, reboot. It should be stock; if not, you should at least have ssh so we can move some files like the bootloader. You can also probably use FAT32-formatted USB sticks, as these have been known to work on those devices.

aka-khalid commented 4 months ago

@eimparas, @Notupus Sorry for the late reply, my provider decided to switch to an ONT device so I really don't have access to that device anymore. Trying to figure out a way to debrand it was fun, but sadly I can't do it anymore.

Thank you guys for your help.