Unlocking the eircom D1000 router - thoughts

yuloni · 27-01-2015 7:59pm #1

This post has been deleted.

ED E · 28-01-2015 2:18pm

Its a very basic piece of kit, I wouldnt bother unlocking it when decent ADSL2+ kit is cheap.

yuloni · 28-01-2015 2:39pm

This post has been deleted.

ED E · 28-01-2015 2:55pm

It is a 660-HNU rebrand, have you tried simply uploading the stock FW? Obviously theres a brick risk but if it accepted it...

Packet · 28-01-2015 2:57pm

There's a newer D1000 image here

http://broadbandsupport.eircom.net/download/zyxel/firmware/D1000/.

I also tried the F1000 upgrade but it didn't accept the bootloader after xmodeming it over the USB-TTL cable. I ploughed on anyway and it accepted the newer firmware without upgrading the bootloader.

yuloni · 28-01-2015 3:03pm

This post has been deleted.

yuloni · 28-01-2015 3:04pm

This post has been deleted.

Dermot McDonnell · 28-01-2015 3:31pm

yuloni wrote: »

This post has been deleted.

I did a bit of searching and see no evidence that this router has ever been hacked, unfortunately. The router spec is not up to much either. I suggest saving your effort for a worthier target.

Dermot McDonnell · 28-01-2015 3:35pm

Packet wrote: »

..I also tried the F1000 upgrade but it didn't accept the bootloader after xmodeming it over the USB-TTL cable. I ploughed on anyway and it accepted the newer firmware without upgrading the bootloader.

I am surprised to hear the Zyxel bootloader failed to install. I have never encountered that myself. You may find it is not possible to install future Zyxel firmwares from the GUI because the bootloader is Eircoms - I am unsure. However, you are now adept at installing new firmwares from the CFE so that wont slow you down

Out of interest, what, if any, improvement do you see?

yuloni · 28-01-2015 3:41pm

This post has been deleted.

Dermot McDonnell · 28-01-2015 3:54pm

yuloni wrote: »

This post has been deleted.

You may be able to do that with time and google. The Zyxel algorithm is published, afaik. I have noticed that all passwords, not the seed itself, are of the form of an ethernet MAC address, the final six digits of which are always identical to the final six digits of the ethernet MAC address of the F1000 that's being unlocked. The first 3 or 4 digits are always zero, leaving 2 or 3 hex digits. It's still a lot of work. You may get some ideas from the OpenWRT threads that hack similar Zyxel devices.

It does seem the D1000 was a special for Eircom and real info is very thin on the net.

yuloni · 28-01-2015 4:14pm

This post has been deleted.

rsrd · 28-05-2015 2:01pm

These are all based around similar hardware;

AMG1302-T10B
AMG1302-T30B
P-660HN-T1 v2
P-660HN-T3 v2
P-1302-T10B

You can usually unlock using this method; (taken from OpenWRT wiki)

To switch to debug mode to ATEN command together with the right key is used. The key is based upon a seed which is initialized
through the ATSE command. After power-up the seed is initialized as 0 (so don't send it :-) ). With the seed as 0 the key is only dependent
of the last 3 bits of the MAC-address (You can get the MAC-address of the ATSH command).
The following table lists the keys to the possible last MAC-address byte:

Last MAC byte Key
0 or 8 10F0A563
1 or 9 887852B1
2 or A C43C2958
3 or B 621E14AC
4 or C 310F0A56
5 or D 1887852B
6 or E 8C43C295
7 or F C621E14A

This works on the AMG1302-T30B. I know this thread is pretty dead, but I thought I'd share

yuloni · 28-05-2015 4:59pm

This post has been deleted.

yuloni · 08-06-2015 3:05am

This post has been deleted.

Unlocking the eircom D1000 router - thoughts

Comments