Some of you might realize that while the modem works properly after following my previous post, you can’t upgrade it using the original firmware from ZyXEL. Repeating what I said in the original post, you can’t upgrade the firmware to use the official ZyXEL version because of the built in firmware.
For those of you who have some electronics experience a lot of time to spare, I’ve summarized the steps on how to change Telefonica’s P-660HW-61 firmware to ZyXEL’s original version.
Note that in the steps below, you will void your warranty and you may brick your device. I am not liable for the damages caused by this post.
FYI, I bricked my modem in my first try. You have been warned.
–
This guide summarizes what’s written in these sites:
- These two sites provide information on how to create a USB to Serial cable from obsolete Nokia data cables.
- This German site on flashing the firmware via USB to Serial
- This Spanish site which explains the entire process but doesn’t use a USB to Serial cable.
Preparation
Before you get started, you’ll need to prepare the following:
- The modem/router – The process will reset the device to factory settings so say goodbye to what you did in the previous post. (optional) Take note of the MAC Address of the device before starting the process.
- A Nokia USB data cable which converts the serial data to 3.3v. More on this later.
- Pin sockets – in the pic (my first try), I salvaged one from an old case fan. Turns out I needed 4 pin sockets in line. I bought a 16×1 socket from Alexan for my second try. See pics below.
- Basic tools for electronics – you need a screwdriver to open the case, your tools of choice for cutting and stripping the cable, a multimeter to test for conduction and voltage, and a soldering iron depending on the type of pin sockets you have available.
- PE Firmware from ZyXEL. I used P-660HW-61_3.40(PE.11)C0.zip for my device.
- Bootbase v1.06 – I’ve uploaded one in this site in case the other sites go boom.
- A hex editor – I used Notepad++ with the hex editor plugin
Making the USB to Serial Connector
This is the most time-consuming part of the process. It’s not because of geeky electronic stuff though.
The main reason why this step takes a lot of time is it’s hard to find a cheap compatible data cable for our task. Quoting one of the sites I listed above:
A CA-42, or DKU-5 (some later Nokia phone cables e.g. the DKU-2, CA-53, CA-70 – which look similar are actually pure USB cables with no transceiver – DON’T use these, they won’t work, and you might break your linkstation or USB port – you can tell because the USB plug is shorter, they are also a bit cheaper – if you want to double-check, use a multimeter to check whether the contacts of the USB “A” plug are connected directly to those of the pop-port).
You will need a CA-42 or a DKU-5 cable to connect to the device. At first I thought it was going to be easy; CD-R King lists CA-42 and DKU-5 in their inventory. After going through 9 different CD-R King branches, though, it seems that they no longer have that data cable in stock.
My remaining course of action would be to browse the cellphone tiangge looking for that cable. Luckily, I found a technician in Greenhills selling one for only PhP150. Other stalls offered the cable for much more than that.
Once you have a data cable, it’s now time to determine which cable is which. Install the Prolific driver included in the cable package to allow Windows to assign a COM port to the cable.
Cut the cable up and refer to the diagrams and steps in this site to find out which cables are the ground, RXD, and TXD.
Ok, black is ground.
After connecting the cable to the computer, the voltage between green and black is 3.34v. Same goes for white and black. Red doesn’t seem to be working (which is probably why the technician sold me the cable at such a cheap price).
I used both Windows’ HyperTerminal and PuTTy to send serial data through the COM port used by the cable (it’s listed in Device Manager). The settings are: 9600-8-none-1-hardware. Depressing a button caused a sag in the voltage, meaning green is RXD.
Connecting green and white produces a crossover cable i.e. characters typed in the terminal echoes back to the screen. This means white is the TXD.
Now connect the three cables to your pin sockets according to the German site. That site uses CD-audio cable from old CD-ROM drives but any pin socket connector should do. For my cable, I only needed to replace the red cable with the green cable, the black and white cables are already correct.
Behold my sucky soldering skills.
Initial steps and downloading old Bootbase
If you do this correctly, start the device and you’ll see something like this on the terminal:
Bootbase Version V1.10t | 01/17/2005 15:54:30
RAM: Size = 16384 Kbytes
DRAM POST: Testing: 16384K
OK
FLASH: AMD 16M *1ZyNOS Version: V3.40(PT.0)b46 | 10/5/2005 9:54:21
Press any key to enter debug mode within 3 seconds.
……………
Pressing any key will, of course, enter debug mode.
First step is to unlock more options for debug mode. For that we need the password. Type
ATSE
to get the seed. Go to ZynPass to calculate the password from the seed. Now enter the password with:
ATEN1,xxxxxxxx
where xxxxxxxx is the password. “OK” will be displayed if you enter the correct password. Now let’s download the old bootbase. But first we’ll increase the console speed to make our lives easier.
ATBA5
Now, console speed will be changed to 115200 bps
OK
Disconnect from the terminal then change the baud rate to 115200bps. Reconnect. Download the old bootbase with:
ATDO b0000000,4000
Starting XMODEM download (CRC mode)…..
Receive the file (there’s a button in the toolbar of HyperTerminal) using Xmodem.
You can now turn off the modem if you feel like taking a break. Note that when you restart the modem, it’s reverts to 9600 bps.
Bricking your router Updating Bootbase to accept ZyXEL firmware
This is the part where I bricked my router. You have been warned (again).
Unrar the Bootbase you downloaded in the first part of this tutorial and open it with a hex editor. Replace the highlighted part in 3ff0 below with the router’s MAC address.
Now let’s update the Bootbase. If you restarted after downloading the Bootbase from the device, follow the steps above again up to the point after setting the console speed to 115200bps. Then run the following:
ATBT1
ATUX0
Now send the modified Bootbase 1.06 via Xmodem. If you’re lucky, you’ll see:
ATBT1
ATUX0
Starting XMODEM upload (CRC mode)…..
C
Total 16384 bytes received.
Erasing.
….
OK
And after restarting the modem (and reverting back to 9600bps) you’ll see:
Bootbase Version V1.06 | 04/01/2004 11:22:33
RAM: Size = 16384 Kbytes
DRAM POST: Testing: 16384K
OK
FLASH: AMD 16M *1ZyNOS Version: V3.40(PT.0)b46 | 10/5/2005 9:54:21
Press any key to enter debug mode within 3 seconds.
……………
If not, well, say goodbye to your router. 
Updating the Firmware to PE.11
Compared to the one above, this part is cakewalk. Even if you failed to upload the files correctly, you could still try again.
Set the console speed to 115200bps with the steps above. Upload the 340PE11C0.rom file with
ATUR3
Restart the device.
Set the console speed to 115200bps (for the last time) with the steps above. Upload the 340PE11C0.bin file with
ATUR
After restarting the modem, the device should now be using 3.40(PE.11)C0. All that remains is to redo the steps in the previous post.
What if I bricked my router?
If in case you messed up with uploading the Bootbase and all your device does on startup is make its WAN LED blink, there’s still one way to unbrick it: have mad soldering skills (which I don’t have) and use JTAG. My Delicious tag on JTAG is a good place to start.
[Edit : new content ahead. found after researching more on the topic ]
Upgrade Without Overwriting the Bootbase
According to this site, you can upgrade the firmware without overwriting the Bootbase by setting the current firmware’s feature bits to match the ZyXEL firmware. The only catch is that this seems to only work on the b20 firmware, requiring you to downgrade from the existing b46 firmware.
The basic steps are:
- Upload the b20 firmware to the device, possibly via web configuration, FTP, or serial cable.
- Go to the second debug mode (ATSE …)
- Alter the feature bit of the firmware to 4B by running ATFE1,4B. This should fool the Bootbase to think that ZyXEL’s firmware is Telefonica’s.
- Upload ZyXEL’s firmware using ATUR3 and ATUR
Related posts:
Comments