Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Unlocking the eircom D1000 router - thoughts

Comments

  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    Its a very basic piece of kit, I wouldnt bother unlocking it when decent ADSL2+ kit is cheap.


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭yuloni


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    It is a 660-HNU rebrand, have you tried simply uploading the stock FW? Obviously theres a brick risk but if it accepted it...


  • Registered Users, Registered Users 2 Posts: 188 ✭✭Packet


    There's a newer D1000 image here

    http://broadbandsupport.eircom.net/download/zyxel/firmware/D1000/.


    I also tried the F1000 upgrade but it didn't accept the bootloader after xmodeming it over the USB-TTL cable. I ploughed on anyway and it accepted the newer firmware without upgrading the bootloader.


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭yuloni


    This post has been deleted.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭yuloni


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 224 ✭✭Dermot McDonnell


    yuloni wrote: »
    This post has been deleted.

    I did a bit of searching and see no evidence that this router has ever been hacked, unfortunately. The router spec is not up to much either. I suggest saving your effort for a worthier target.


  • Registered Users, Registered Users 2 Posts: 224 ✭✭Dermot McDonnell


    Packet wrote: »
    ..I also tried the F1000 upgrade but it didn't accept the bootloader after xmodeming it over the USB-TTL cable. I ploughed on anyway and it accepted the newer firmware without upgrading the bootloader.

    I am surprised to hear the Zyxel bootloader failed to install. I have never encountered that myself. You may find it is not possible to install future Zyxel firmwares from the GUI because the bootloader is Eircoms - I am unsure. However, you are now adept at installing new firmwares from the CFE so that wont slow you down :)

    Out of interest, what, if any, improvement do you see?


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭yuloni


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 224 ✭✭Dermot McDonnell


    yuloni wrote: »
    This post has been deleted.

    You may be able to do that with time and google. The Zyxel algorithm is published, afaik. I have noticed that all passwords, not the seed itself, are of the form of an ethernet MAC address, the final six digits of which are always identical to the final six digits of the ethernet MAC address of the F1000 that's being unlocked. The first 3 or 4 digits are always zero, leaving 2 or 3 hex digits. It's still a lot of work. You may get some ideas from the OpenWRT threads that hack similar Zyxel devices.

    It does seem the D1000 was a special for Eircom and real info is very thin on the net.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭yuloni


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 1 rsrd


    These are all based around similar hardware;

    AMG1302-T10B
    AMG1302-T30B
    P-660HN-T1 v2
    P-660HN-T3 v2
    P-1302-T10B

    You can usually unlock using this method; (taken from OpenWRT wiki)

    To switch to debug mode to ATEN command together with the right key is used. The key is based upon a seed which is initialized
    through the ATSE command. After power-up the seed is initialized as 0 (so don't send it :-) ). With the seed as 0 the key is only dependent
    of the last 3 bits of the MAC-address (You can get the MAC-address of the ATSH command).
    The following table lists the keys to the possible last MAC-address byte:

    Last MAC byte Key
    0 or 8 10F0A563
    1 or 9 887852B1
    2 or A C43C2958
    3 or B 621E14AC
    4 or C 310F0A56
    5 or D 1887852B
    6 or E 8C43C295
    7 or F C621E14A


    This works on the AMG1302-T30B. I know this thread is pretty dead, but I thought I'd share ;)


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭yuloni


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭yuloni


    This post has been deleted.


Advertisement