B10B Factory Reset: Difference between revisions
(Explain the issues regarding the supervisor password.) |
|||
Line 40: | Line 40: | ||
A factory reset router will also be sent an updated firmware if there is one available. |
A factory reset router will also be sent an updated firmware if there is one available. |
||
==Supervisor Access== |
|||
To use the steps below here on this page, you will need to login as the supervisor user. This needs some work, and (in the case of firmware versions AAVF.10 and later) may be quite difficult. |
|||
The supervisor account uses a password which is automatically generated by the device, and unique to each device. Its format is 9 hexadecimal digits (each digit is 0-9 or a-f), and is believed to use the device's serial number as a starting point. AAISP do not know this password. |
|||
The usual way to obtain the supervisor password is to use software (e.g. hashcat) to crack the hashed version of the password which is held in the file /etc/passwd (before firmware version AAVF.10) or /etc/shadow (version AAVF.10 and later). The earlier firmware versions used an MD5 hash, and hashcat (on a fast machine) could crack the password in around 8 minutes. AAVF.10 switched to SHA256 and hashcat takes longer to crack the password. |
|||
Unfortunately as of firmware version AAVF.10 the admin user can't read the files /etc/passwd or /etc/shadow. This means you can't get the hashed version of the password to feed to cracking software. |
|||
If you manage to crack the supervisor password, you can login to the CLI as root with this password and get a root shell - enabling you to run commands such as ''iptables'' and ''ip6tables''. |
|||
==Reset to the ZyXEL Factory Settings== |
==Reset to the ZyXEL Factory Settings== |
||
To erase the default AAISP settings, the 'ROM-D' file needs to be cleared, this is done via the CLI (Telnet or SSH) using the supervisor user and then issuing the <syntaxhighlight inline enclose="none" lang="bash">save_default clean</syntaxhighlight> command. |
To erase the default AAISP settings, the 'ROM-D' file needs to be cleared, this is done via the CLI (Telnet or SSH) using the supervisor user (see above) and then issuing the <syntaxhighlight inline enclose="none" lang="bash">save_default clean</syntaxhighlight> command. |
||
Here is an example: |
Here is an example: |
||
Line 62: | Line 73: | ||
In this state, the router has ZyXEL's default IP address, username and password. |
In this state, the router has ZyXEL's default IP address, username and password. |
||
=Adding the AAISP rom-d file= |
==Adding the AAISP rom-d file== |
||
'''This will probably not be possible to do on firmware version AAVF.10 and above as the supervisor password is now unique to the device and unknown to AAISP.''' |
|||
If you need to restore an AAISP rom-d file, then here are the steps to take. Support are able to provide you with the rom-d file on request. |
If you need to restore an AAISP rom-d file, then here are the steps to take. Support are able to provide you with the rom-d file on request. You have to login as the supervisor user - see above. |
||
FTP is used to add the rom-d file. Here the AAISP provided rom-d file is actually called vmg1312-b.rom-d, so when we upload it we have to specify the target file name of rom-d. (the lines highlighted contain things you need to type in) |
FTP is used to add the rom-d file. Here the AAISP provided rom-d file is actually called vmg1312-b.rom-d, so when we upload it we have to specify the target file name of rom-d. (the lines highlighted contain things you need to type in) |
Revision as of 14:01, 12 August 2019
Overview
There are 4 configuration settings that the router can be in:
State | Information | How to apply |
---|---|---|
ZyXEL Factory Settings | The actual state of the router before AAISP apply their 'base' setting | 'save_default clean' command via CLI. More info below |
AAISP Base Settings (rom-d) | As supplied by AAISP before the config for your line is applied, the settings allow the router to get online and obtain the specific configuration for your line | Upload AAISP's rom-d file. Not usually required as it is usually already loaded by AAISP, More info below. |
Configured by AAISP | The settings for your specific line, along with settings as per the Control Pages | Usually when first plugged in on a customer line. Or, Via the Control Pages, or by holding in reset for 5 sec. More info below |
Customer Edited | If customer makes further changes to their config after AAISP has sent the settings | Restore from a backup you made previously |
When supplied by AAISP, the router will be in the 'AAISP Base Settings' state. This is a temporary state and the router will receive its line-specific configuration when it first logs in.
Holding in the reset button will revert the configuration back to the AAISP Base Settings. Further work is needed to revert the config back to the ZyXEL factory settings. See below.
Reset to AAISP Base Settings
To reset the router to the AAISP base settings, follow these steps:
- Switch router on, wait for it to boot up
- With a paperclip, pen, etc., hold in the reset button
- Wait until all the LEDs light up then release the reset button
- Wait for the router to boot up again, the power light will flash whilst booting then go steady when ready
About the AAISP Base settings
The reset state is the state the router was in when we sent it to you. In most cases that will mean is has been given our 'standard' configuration. This configuration has settings for it to talk back to AAISP and request its own configuration for the line that it's connected to.
When a router is in AAISP Base Settings it will connect to AAISP using a temporary 'provisioning' login. This default configuration will connect either by the DSL port or the WAN 4 port. When it connects the router will be sent a software upgrade if there is one available, and then will be sent its individual configuration for the connection.
- For more information about the AAISP configuration see: B10B-AAISP Configuration
A factory reset router will also be sent an updated firmware if there is one available.
Supervisor Access
To use the steps below here on this page, you will need to login as the supervisor user. This needs some work, and (in the case of firmware versions AAVF.10 and later) may be quite difficult.
The supervisor account uses a password which is automatically generated by the device, and unique to each device. Its format is 9 hexadecimal digits (each digit is 0-9 or a-f), and is believed to use the device's serial number as a starting point. AAISP do not know this password. The usual way to obtain the supervisor password is to use software (e.g. hashcat) to crack the hashed version of the password which is held in the file /etc/passwd (before firmware version AAVF.10) or /etc/shadow (version AAVF.10 and later). The earlier firmware versions used an MD5 hash, and hashcat (on a fast machine) could crack the password in around 8 minutes. AAVF.10 switched to SHA256 and hashcat takes longer to crack the password.
Unfortunately as of firmware version AAVF.10 the admin user can't read the files /etc/passwd or /etc/shadow. This means you can't get the hashed version of the password to feed to cracking software.
If you manage to crack the supervisor password, you can login to the CLI as root with this password and get a root shell - enabling you to run commands such as iptables and ip6tables.
Reset to the ZyXEL Factory Settings
To erase the default AAISP settings, the 'ROM-D' file needs to be cleared, this is done via the CLI (Telnet or SSH) using the supervisor user (see above) and then issuing the save_default clean
command.
Here is an example:
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
VMG3925-B10B
Login: supervisor
Password: [your admin password]
> save_default clean
ROM-D cleaned.
At this point you can reset the router for this to be applied. The router will then boot up in its original factory settings without any of the AAISP configuration settings. You can reset the router by holding in the reset button for 5 seconds.
In this state, the router has ZyXEL's default IP address, username and password.
Adding the AAISP rom-d file
If you need to restore an AAISP rom-d file, then here are the steps to take. Support are able to provide you with the rom-d file on request. You have to login as the supervisor user - see above.
FTP is used to add the rom-d file. Here the AAISP provided rom-d file is actually called vmg1312-b.rom-d, so when we upload it we have to specify the target file name of rom-d. (the lines highlighted contain things you need to type in)
$ ftp supervisor@192.168.0.1
Connected to 192.168.0.1.
220 Ftp firmware update utility
331 Password please.
Password: zyad1234
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put vmg1312-b.rom-d rom-d
local: vmg1312-b.rom-d remote: rom-d
229 Entering extended passive mode (|||47630|)
150 BINARY data connection established.
100% |*************************************************************************| 72063 101.21 MiB/s 00:00 ETA
226 Ftp image done. PLEASE TYPE 'bye' or 'quit' NOW to quit ftp and the Router will start writing the image to flash.
72063 bytes sent in 00:02 (28.38 KiB/s)
ftp> quit
221 The Router is rebooting...
At this point the ftp connection is closed and as it says, the router will reboot. The router will still need to be reset before the router will use the rom-d settings. Once reset though, the router will use the AAISP Base Settings to get online, retrieve a new firmware if available and then retrieve a config file for the line.
If you get an error such as:
bftpd:error:341.231:cmsImg_validateImage:1514:Could not determine image format [72063 bytes]
Then this will be due to the Firmware version not matching the version that the config file was made for. See the Software Page for information about the software versions.