Back up to the VMG3925-B10B settings Page

B10B Factory Reset

From AAISP Support Site
Revision as of 14:09, 19 August 2019 by Adsb (talk | contribs) ("save_default clean" needs to be run from zycli)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


There are 4 configuration settings that the router can be in:

State Information How to apply
ZyXEL Factory Settings The actual state of the router before AAISP apply their 'base' setting 'save_default clean' command via CLI. More info below
AAISP Base Settings (rom-d) As supplied by AAISP before the config for your line is applied, the settings allow the router to get online and obtain the specific configuration for your line Upload AAISP's rom-d file. Not usually required as it is usually already loaded by AAISP, More info below.
Configured by AAISP The settings for your specific line, along with settings as per the Control Pages Usually when first plugged in on a customer line. Or, Via the Control Pages, or by holding in reset for 5 sec. More info below
Customer Edited If customer makes further changes to their config after AAISP has sent the settings Restore from a backup you made previously

When supplied by AAISP, the router will be in the 'AAISP Base Settings' state. This is a temporary state and the router will receive its line-specific configuration when it first logs in.

Holding in the reset button will revert the configuration back to the AAISP Base Settings. Further work is needed to revert the config back to the ZyXEL factory settings. See below.

Reset to AAISP Base Settings

To reset the router to the AAISP base settings, follow these steps:

  1. Switch router on, wait for it to boot up
  2. With a paperclip, pen, etc., hold in the reset button
  3. Wait until all the LEDs light up then release the reset button
  4. Wait for the router to boot up again, the power light will flash whilst booting then go steady when ready

About the AAISP Base settings

The reset state is the state the router was in when we sent it to you. In most cases that will mean is has been given our 'standard' configuration. This configuration has settings for it to talk back to AAISP and request its own configuration for the line that it's connected to.

When a router is in AAISP Base Settings it will connect to AAISP using a temporary 'provisioning' login. This default configuration will connect either by the DSL port or the WAN 4 port. When it connects the router will be sent a software upgrade if there is one available, and then will be sent its individual configuration for the connection.

A factory reset router will also be sent an updated firmware if there is one available.

Supervisor Access

To use the steps below here on this page, you will need to login as the supervisor user. This needs some work, and (in the case of firmware versions AAVF.10 and later) may be quite difficult.

The supervisor account uses a password which is automatically generated by the device, and unique to each device. Its format is 8 hexadecimal digits (each digit is 0-9 or a-f), and is believed to use the device's serial number as a starting point. AAISP do not know this password. The usual way to obtain the supervisor password is to use software (e.g. hashcat) to crack the hashed version of the password which is held in the file /etc/passwd (before firmware version AAVF.10) or /etc/shadow (version AAVF.10 and later). The earlier firmware versions used an MD5 hash, and hashcat (on a fast machine) could crack the password in around 8 minutes. AAVF.10 switched to SHA-512 and hashcat takes much longer to crack the password (~9.5 hours).

Unfortunately as of firmware version AAVF.10 the admin user can't read the files /etc/passwd or /etc/shadow. This means you can't get the hashed version of the password to feed to cracking software.

If you manage to crack the supervisor password, you can login to the CLI as root with this password and get a root shell - enabling you to run commands such as iptables and ip6tables.

Reset to the ZyXEL Factory Settings

To erase the default AAISP settings, the 'ROM-D' file needs to be cleared, this is done via the CLI (Telnet or SSH) using the supervisor user (see above) and then issuing the zycli save_default clean command.

Here is an example:

$ telnet
Connected to
Escape character is '^]'.
Login: supervisor
Password: [your supervisor password]
 > zycli save_default clean
ROM-D cleaned.

At this point you should reset the router for this to be applied - by holding in the reset button for 5 seconds. The router will then boot up in its original factory settings without any of the AAISP configuration settings.

In this state, the router has ZyXEL's default IP address, username and password.

Adding the AAISP rom-d file

If you need to restore an AAISP rom-d file, then here are the steps to take. Support are able to provide you with the rom-d file on request. You have to login as the supervisor user - see above.

FTP is used to add the rom-d file. Here the AAISP provided rom-d file is actually called vmg1312-b.rom-d, so when we upload it we have to specify the target file name of rom-d. (the lines highlighted contain things you need to type in)

$ ftp supervisor@
Connected to
220 Ftp firmware update utility
331 Password please.
Password: zyad1234
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put vmg1312-b.rom-d rom-d
local: vmg1312-b.rom-d remote: rom-d
229 Entering extended passive mode (|||47630|)
150 BINARY data connection established.
100% |*************************************************************************| 72063      101.21 MiB/s    00:00 ETA
226 Ftp image done. PLEASE TYPE 'bye' or 'quit' NOW to quit ftp and the Router will start writing the image to flash.
72063 bytes sent in 00:02 (28.38 KiB/s)
ftp> quit
221 The Router is rebooting...

At this point the ftp connection is closed and as it says, the router will reboot. The router will still need to be reset before the router will use the rom-d settings. Once reset though, the router will use the AAISP Base Settings to get online, retrieve a new firmware if available and then retrieve a config file for the line.

If you get an error such as:

bftpd:error:341.231:cmsImg_validateImage:1514:Could not determine image format [72063 bytes]

Then this will be due to the Firmware version not matching the version that the config file was made for. See the Software Page for information about the software versions.