B10B Factory Reset: Difference between revisions

(5 intermediate revisions by one other user not shown)

Line 25:

To reset the router to the AAISP base settings, follow these steps:

#Unplug everything from the router except the power and phone line

#Switch router on, wait for it to boot up

#With a paperclip, pen, etc., hold in the reset button

Line 44:

Line 45:

To use the steps below here on this page, you will need to login as the supervisor user. This needs some work, and (in the case of firmware versions AAVF.10 and later) may be quite difficult.

The supervisor account uses a password which is automatically generated by the device, and unique to each device. Its format is 9 hexadecimal digits (each digit is 0-9 or a-f), and is believed to use the device's serial number as a starting point. AAISP do not know this password.

The supervisor account uses a password which is automatically generated by the device, and unique to each device. Its format is 8 hexadecimal digits (each digit is 0-9 or a-f), and is believed to use the device's serial number as a starting point. AAISP do not know this password.

The usual way to obtain the supervisor password is to use software (e.g. hashcat) to crack the hashed version of the password which is held in the file /etc/passwd (before firmware version AAVF.10) or /etc/shadow (version AAVF.10 and later). The earlier firmware versions used an MD5 hash, and hashcat (on a fast machine) could crack the password in around 8 minutes. AAVF.10 switched to ~~SHA256~~ and hashcat takes longer to crack the password.

The usual way to obtain the supervisor password is to use software (e.g. hashcat) to crack the hashed version of the password which is held in the file /etc/passwd (before firmware version AAVF.10) or /etc/shadow (version AAVF.10 and later). The earlier firmware versions used an MD5 hash, and hashcat (on a fast machine) could crack the password in around 8 minutes. AAVF.10 switched to SHA-512 and hashcat takes ''much'' longer to crack the password (~9.5 hours).

Unfortunately as of firmware version AAVF.10 the admin user can't read the files /etc/passwd or /etc/shadow. This means you can't get the hashed version of the password to feed to cracking software.

If you manage to crack the supervisor password, you can login to the CLI as root with this password and get a root shell - enabling you to run commands such as ''iptables'' and ''ip6tables''.

==Reset to the ZyXEL Factory Settings==

To erase the default AAISP settings, the 'ROM-D' file needs to be cleared, this is done via the CLI (Telnet or SSH) using the supervisor user (see above) and then issuing the <syntaxhighlight inline enclose="none" lang="bash">save_default clean</syntaxhighlight> command.

To erase the default AAISP settings, the 'ROM-D' file needs to be cleared, this is done via the CLI (Telnet or SSH) using the supervisor user (see above) and then issuing the <syntaxhighlight inline enclose="none" lang="bash">zycli save_default clean</syntaxhighlight> command.

Here is an example:

Line 64:

Line 65:

VMG3925-B10B

Login: supervisor

Password: [your ~~admin~~ password]

Password: [your supervisor password]

> save_default clean

> zycli save_default clean

ROM-D cleaned.

</syntaxhighlight>

At this point you ~~can~~ reset the router for this to be applied. The router will then boot up in its original factory settings without any of the AAISP configuration settings~~. You can reset the router by holding in the reset button for 5 seconds~~.

At this point you should reset the router for this to be applied - by holding in the reset button for 5 seconds. The router will then boot up in its original factory settings without any of the AAISP configuration settings.

In this state, the router has ZyXEL's default IP address, username and password.