I was able to get a ZYXEL XGS-PON 10GE ONT for less than $50 on eBay. I have no real use for it, but I was wondering how difficult it is to change the vendor name, model, and GPON SN on this ONT.
It appears it is really easy.
Pop the cover off the ONT. You'll see a 5-pin UART header with 4 populated pins. Starting from the side facing the Ethernet port, the pins are GND, RX, TX, 3v3. Speed is 115200.
Connect a 3.3v UART, power on the ONT and interrupt the boot at U-Boot by pressing Enter.
You will be at the SATURN# prompt. That is U-Boot. The MRD data, which contains the MAC address, GPON serial, etc., is stored at /dev/mtd4 in Linux. In U-Boot, mtd4 is at SPI NAND offset 0x900000 with length 0x100000.
One other interesting thing stored in this partition is the SSH root password, in clear text.
Use the following command to read the contents of MRD partition to RAM:
SATURN# spi_nand read 0x82000000 0x900000 0x100000
SPI-NAND: 1048576 bytes @ 0x900000 Read: OK
SATURN#
Now let's print the contents. (I've removed identifiable data and replaced it with XX in the hex view.)
SATURN# md.b 0x82000000 0x1000
82000000: 5a 59 58 45 4c 00 00 00 00 00 00 00 00 00 00 00 ZYXEL...........
82000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
82000020: 50 4d 37 35 31 36 2d 52 30 00 00 00 00 00 00 00 PM7516-R0.......
82000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
82000040: 41 41 42 30 30 32 00 55 53 45 52 3d 72 6f 6f 74 AAB002.USER=root
82000050: 00 53 48 4c 56 4c 3d 31 00 48 4f 4d 45 3d 2f 68 .SHLVL=1.HOME=/h
82000060: XX XX XX XX XX XX 00 ff XX XX XX XX XX XX XX XX MACADD..XXXXXXXX
82000070: XX XX XX XX XX XX XX XX 00 d0 4d 77 20 e8 8c 7f XXXXXXXX..Mw ...
82000080: 40 02 67 77 6c e8 8c 7f 53 32 30 30 5a XX XX XX @.gwl...S200ZXXX
82000090: XX XX XX XX XX 00 00 00 00 00 00 00 00 00 00 00 XXXXX...........
820000a0: 00 00 00 00 00 00 00 00 XX XX XX XX XX XX XX XX ........GPON_SER
820000b0: XX XX XX XX XX XX 30 30 30 30 30 30 00 00 00 00 IALNUM000000....
820000c0: 00 00 00 00 00 00 00 00 XX XX XX XX XX XX XX XX ........ADMIN_PA
820000d0: XX XX 00 55 53 45 52 3d 00 XX XX XX XX XX XX XX SS.USER=.SN81#_N
820000e0: XX XX XX XX XX 00 00 00 00 00 00 00 00 00 00 00 UMBER...........
820000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
82000100: 00 00 00 00 00 00 02 00 XX XX XX XX XX XX XX XX ........BOSA_SER
82000110: XX XX XX XX XX XX 00 00 00 00 00 00 00 XX XX XX IALNUM.......ROO
82000120: XX XX XX XX XX XX XX 00 55 53 45 52 3d 30 30 30 T__PASS.USER=000
82000130: 30 30 30 30 30 30 30 0a 00 00 00 00 00 00 00 00 0000000.........
82000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
82000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
82000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
82000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
82000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
82000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Now you can continue booting with the bootz command.
Log in as root over SSH or UART, using the root password displayed when reading the MRD partition. Now you can modify the contents of /dev/mtd4 using native Linux commands. Alternatively, download the partition from the device, make your changes, then go back to U-Boot, load the contents of your modified partition over xmodem with the loadx 0x82000000 command, and rewrite mtd4 with spi_nand erase 0x900000 0x100000 followed by spi_nand write 0x82000000 0x900000 0x100000:
SATURN# spi_nand erase 0x900000 0x100000
SPI-NAND: 1048576 bytes @ 0x900000 Erased: OK
SATURN# spi_nand write 0x82000000 0x900000 0x100000
SPI-NAND: 1048576 bytes @ 0x900000 Written: OK
Surprisingly, no checksum update is required when changing values. It just works. I don't have XGS-PON service, but for people who do, this may be a way to get a 3rd party ONT to work with your ISP.
Some useful tools provided in Linux userspace:
mrd_access - prints MRD settings in user-friendly format
app_cli - Cortina XGS-PON command-line interface (Cisco-like CLI with access to XGS-PON settings, same as telnet localhost 2233)
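Since the MRD partition holds clear-text credentials and has no checksum, a change to it can only be noticed by comparing against a copy kept off the device. The following is an added example, not code from this post or from the vendor: it audits a 1 MiB mtd4 image, reports the identity fields, flags stored credentials without printing them, and compares the image hash to a recorded baseline. The field offsets are an assumption read off the redacted dump above, the function names are hypothetical, and the sample image is constructed.

```python
import hashlib

MTD4_SIZE = 0x100000  # partition length given on the page

# Offsets read off the redacted dump above: an assumption, not a vendor spec.
FIELDS = {"vendor": 0x00, "model": 0x20, "gpon_serial": 0xA8,
          "admin_password": 0xC8, "root_password": 0x11D}
SECRETS = {"admin_password", "root_password"}


def cstring(blob, offset, limit=32):
    """Return the NUL-terminated bytes at offset, or b'' if not printable ASCII."""
    raw = blob[offset:offset + limit].split(b"\x00", 1)[0]
    return raw if all(0x20 <= b < 0x7F for b in raw) else b""


def audit(blob, baseline_sha256=None):
    """Summarise an mtd4 image without echoing the credentials it holds."""
    if len(blob) != MTD4_SIZE:
        raise ValueError(f"expected {MTD4_SIZE:#x} bytes, got {len(blob):#x}")
    report = {"sha256": hashlib.sha256(blob).hexdigest(), "fields": {}, "findings": []}
    for name, offset in FIELDS.items():
        value = cstring(blob, offset).decode("ascii")
        if name in SECRETS:
            if value:
                report["findings"].append(
                    f"{name}: cleartext credential stored ({len(value)} chars)")
            report["fields"][name] = "<redacted>" if value else ""
        else:
            report["fields"][name] = value
    # The partition has no checksum, so integrity has to be tracked off-device.
    if baseline_sha256 and report["sha256"] != baseline_sha256:
        report["findings"].append("image differs from recorded baseline")
    return report


def build_sample():
    """Constructed image: the page's vendor/model strings, made-up serial and passwords."""
    img = bytearray(MTD4_SIZE)
    for offset, text in ((0x00, b"ZYXEL"), (0x20, b"PM7516-R0"),
                         (0xA8, b"TESTSERIAL0001"), (0xC8, b"EXAMPLEPW1"),
                         (0x11D, b"EXAMPLEPW2")):
        img[offset:offset + len(text)] = text
    return bytes(img)


if __name__ == "__main__":
    for key, value in audit(build_sample()).items():
        print(key, value)
```

Record the sha256 from a known-good image and pass it as baseline_sha256 on later audits of the same unit.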
Can you clone your old ONT to effectively upgrade to 10GbE? And if you bypass the RG, maybe take advantage of 1200 Mbps overprovisioning?
I have GPON service. Zyxel ONT is XGS-PON. They use different wavelengths.
GPON still over-provisions to 1200, so it's a good question. A path to 1200 without a bgw320??
ISP does not have to overprovision. Zyxel is XGSPON only, it cannot do GPON, which uses a different wavelength, so I cannot use it, but it may be helpful for someone on XGSPON to separate the ONT from RG.
Can you get XGSPON yet?
Not where I live.
I would like to receive this too. I would like to ask what the label is. Thank you