Saturday, September 25, 2021

Changing XGS-PON factory settings for Zyxel PM7516-R0

I was able to get a ZYXEL XGS-PON 10GE ONT for less than $50 on eBay. I have no real use for it, but I was wondering how difficult it is to change the vendor name, model, and GPON SN on this ONT.
It turns out to be really easy.

Pop the cover off the ONT. You'll see a 5-pin UART header with 4 populated pins. Starting from the side facing the Ethernet port, the pins are GND, RX, TX, 3v3. The speed is 115200 baud.

Connect a 3.3 V UART adapter, power on the ONT and interrupt the boot at U-Boot by pressing Enter.

You will land at the SATURN# prompt, which is U-Boot. The MRD data, which contains the MAC address, GPON serial, etc., is stored at /dev/mtd4 in Linux. In U-Boot, mtd4 is at SPI NAND offset 0x900000 with length 0x100000.

One other interesting thing that is stored in this partition is a clear text SSH root password.

Use the following command to read the contents of the MRD partition into RAM:

SATURN# spi_nand read 0x82000000 0x900000 0x100000

SPI-NAND: 1048576 bytes @ 0x900000 Read: OK

SATURN#


Now let's print the contents. (I've removed identifiable data and replaced it with XX in the hex view.)

SATURN# md.b 0x82000000 0x1000

82000000: 5a 59 58 45 4c 00 00 00 00 00 00 00 00 00 00 00    ZYXEL...........

82000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

82000020: 50 4d 37 35 31 36 2d 52 30 00 00 00 00 00 00 00    PM7516-R0.......

82000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

82000040: 41 41 42 30 30 32 00 55 53 45 52 3d 72 6f 6f 74    AAB002.USER=root

82000050: 00 53 48 4c 56 4c 3d 31 00 48 4f 4d 45 3d 2f 68    .SHLVL=1.HOME=/h

82000060: XX XX XX XX XX XX 00 ff XX XX XX XX XX XX XX XX    MACADD..XXXXXXXX

82000070: XX XX XX XX XX XX XX XX 00 d0 4d 77 20 e8 8c 7f    XXXXXXXX..Mw ...

82000080: 40 02 67 77 6c e8 8c 7f 53 32 30 30 5a XX XX XX    @.gwl...S200ZXXX

82000090: XX XX XX XX XX 00 00 00 00 00 00 00 00 00 00 00    XXXXX...........

820000a0: 00 00 00 00 00 00 00 00 XX XX XX XX XX XX XX XX    ........GPON_SER

820000b0: XX XX XX XX XX XX 30 30 30 30 30 30 00 00 00 00    IALNUM000000....

820000c0: 00 00 00 00 00 00 00 00 XX XX XX XX XX XX XX XX    ........ADMIN_PA

820000d0: XX XX 00 55 53 45 52 3d 00 XX XX XX XX XX XX XX    SS.USER=.SN81#_N

820000e0: XX XX XX XX XX 00 00 00 00 00 00 00 00 00 00 00    UMBER...........

820000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

82000100: 00 00 00 00 00 00 02 00 XX XX XX XX XX XX XX XX    ........BOSA_SER

82000110: XX XX XX XX XX XX 00 00 00 00 00 00 00 XX XX XX    IALNUM.......ROO

82000120: XX XX XX XX XX XX XX 00 55 53 45 52 3d 30 30 30    T__PASS.USER=000

82000130: 30 30 30 30 30 30 30 0a 00 00 00 00 00 00 00 00    0000000.........

82000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

82000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

82000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

82000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

82000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

82000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
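The same inspection done offline on a captured serial log, as an added example that is not part of the original post: it rebuilds the bytes from md.b output and reads the NUL-terminated fields at the offsets visible in the dump above, reporting which credential fields are stored in clear text. The field names, the 6-byte raw MAC layout and all sample values are assumptions made for the illustration.

```python
import re

# Offsets read off the md.b dump shown in the post. The field names are labels
# chosen for this example, not names from Zyxel or Cortina documentation.
STRINGS = {"vendor": 0x00, "model": 0x20, "gpon_serial": 0xA8,
           "admin_password": 0xC8, "root_password": 0x11D}
MAC_OFF = 0x60  # assumed to be 6 raw bytes
LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16})")

def mdb_to_bytes(log):
    """Rebuild memory from U-Boot `md.b` output; returns (base, data)."""
    base, buf = None, bytearray()
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # prompt, blank line or status message
        addr = int(m.group(1), 16)
        base = addr if base is None else base
        if addr != base + len(buf):
            raise ValueError(f"gap in dump at {addr:#x}")
        buf += bytes.fromhex(m.group(2))
    if base is None:
        raise ValueError("no md.b lines found")
    return base, bytes(buf)

def cstr(data, off, limit=32):
    """NUL-terminated ASCII string at off, at most limit bytes."""
    return data[off:off + limit].split(b"\x00", 1)[0].decode("ascii", "replace")

def audit(data):
    """Return (fields, names of credential fields stored in clear text)."""
    fields = {name: cstr(data, off) for name, off in STRINGS.items()}
    fields["mac"] = data[MAC_OFF:MAC_OFF + 6].hex(":")
    exposed = [n for n in fields if n.endswith("_password") and fields[n]]
    return fields, exposed

def sample_log():
    """Constructed image (made-up values) rendered the way md.b prints it."""
    img = bytearray(0x130)
    for off, val in [(0x00, b"ZYXEL"), (0x20, b"PM7516-R0"), (0xA8, b"ZYXE00000000"),
                     (0xC8, b"adminEXMPL"), (0x11D, b"rootEXMPL1"),
                     (MAC_OFF, bytes.fromhex("02005e000001"))]:
        img[off:off + len(val)] = val
    rows = [f"{0x82000000 + i:08x}: {img[i:i + 16].hex(' ')}    ................"
            for i in range(0, len(img), 16)]
    return "SATURN# md.b 0x82000000 0x130\n" + "\n".join(rows) + "\nSATURN#"

if __name__ == "__main__":
    base, data = mdb_to_bytes(sample_log())
    print(hex(base), *audit(data), sep="\n")
```

A log in which bytes were replaced with XX, like the one above, is rejected with a gap error rather than silently parsed.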


Now you can continue booting with the bootz command.

Log in as root over SSH or UART using the root password displayed when reading the MRD partition. You can now modify the contents of /dev/mtd4 with native Linux commands. Alternatively, download the partition from the device, make your changes, go back to U-Boot, load the modified image into RAM over XMODEM with loadx 0x82000000, then erase mtd4 with spi_nand erase 0x900000 0x100000 and write the image back with spi_nand write 0x82000000 0x900000 0x100000:

SATURN# spi_nand erase 0x900000 0x100000

SPI-NAND: 1048576 bytes @ 0x900000 Erased: OK

SATURN# spi_nand write 0x82000000 0x900000 0x100000  

SPI-NAND: 1048576 bytes @ 0x900000 Written: OK


Surprisingly, no checksum update is required when changing values. It just works. I don't have XGS-PON service, but for people who do, this may be a way to get a third-party ONT to work with your ISP.


Some useful tools provided in Linux userspace:

mrd_access - prints MRD settings in user-friendly format

app_cli - Cortina XGS-PON command-line interface (Cisco-like CLI with access to XGS-PON settings, same as telnet localhost 2233)

7 comments:

  1. Can you clone your old ONT to effectively upgrade to 10GbE, and if you bypass the RG, maybe take advantage of 1200 Mbps overprovisioning?

    1. I have GPON service. Zyxel ONT is XGS-PON. They use different wavelengths.

    2. GPON still over-provisions to 1200, so it’s a good question. A path to 1200 without a BGW320??

    3. ISP does not have to overprovision. Zyxel is XGSPON only, it cannot do GPON, which uses a different wavelength, so I cannot use it, but it may be helpful for someone on XGSPON to separate the ONT from RG.

    4. I would like to receive this too. I would like to ask what the label is. Thank you
