Some of you might realize that while the modem works properly after following my previous post, you can’t upgrade it using the original firmware from ZyXEL. Repeating what I said in the original post, you can’t upgrade the firmware to use the official ZyXEL version because of the built in firmware.
For those of you who have some electronics experience a lot of time to spare, I’ve summarized the steps on how to change Telefonica’s P-660HW-61 firmware to ZyXEL’s original version.
Note that in the steps below, you will void your warranty and you may brick your device. I am not liable for the damages caused by this post.
FYI, I bricked my modem in my first try. You have been warned.
—
This guide summarizes what’s written in these sites:
- These two sites provide information on how to create a USB to Serial cable from obsolete Nokia data cables.
- This German site on flashing the firmware via USB to Serial
- This Spanish site which explains the entire process but doesn’t use a USB to Serial cable.
Preparation
Before you get started, you’ll need to prepare the following:
- The modem/router – The process will reset the device to factory settings so say goodbye to what you did in the previous post. (optional) Take note of the MAC Address of the device before starting the process.
- A Nokia USB data cable which converts the serial data to 3.3v. More on this later.
- Pin sockets – in the pic (my first try), I salvaged one from an old case fan. Turns out I needed 4 pin sockets in line. I bought a 16×1 socket from Alexan for my second try. See pics below.
- Basic tools for electronics – you need a screwdriver to open the case, your tools of choice for cutting and stripping the cable, a multimeter to test for conduction and voltage, and a soldering iron depending on the type of pin sockets you have available.
- PE Firmware from ZyXEL. I used P-660HW-61_3.40(PE.11)C0.zip for my device.
- Bootbase v1.06 – I’ve uploaded one in this site in case the other sites go boom.
- A hex editor – I used Notepad++ with the hex editor plugin
Making the USB to Serial Connector
This is the most time-consuming part of the process. It’s not because of geeky electronic stuff though.
The main reason why this step takes a lot of time is it’s hard to find a cheap compatible data cable for our task. Quoting one of the sites I listed above:
A CA-42, or DKU-5 (some later Nokia phone cables e.g. the DKU-2, CA-53, CA-70 – which look similar are actually pure USB cables with no transceiver – DON’T use these, they won’t work, and you might break your linkstation or USB port – you can tell because the USB plug is shorter, they are also a bit cheaper – if you want to double-check, use a multimeter to check whether the contacts of the USB “A” plug are connected directly to those of the pop-port).
You will need a CA-42 or a DKU-5 cable to connect to the device. At first I thought it was going to be easy; CD-R King lists CA-42 and DKU-5 in their inventory. After going through 9 different CD-R King branches, though, it seems that they no longer have that data cable in stock.
My remaining course of action would be to browse the cellphone tiangge looking for that cable. Luckily, I found a technician in Greenhills selling one for only PhP150. Other stalls offered the cable for much more than that.
Once you have a data cable, it’s now time to determine which cable is which. Install the Prolific driver included in the cable package to allow Windows to assign a COM port to the cable.
Cut the cable up and refer to the diagrams and steps in this site to find out which cables are the ground, RXD, and TXD.
Ok, black is ground.
After connecting the cable to the computer, the voltage between green and black is 3.34v. Same goes for white and black. Red doesn’t seem to be working (which is probably why the technician sold me the cable at such a cheap price).
I used both Windows’ HyperTerminal and PuTTy to send serial data through the COM port used by the cable (it’s listed in Device Manager). The settings are: 9600-8-none-1-hardware. Depressing a button caused a sag in the voltage, meaning green is RXD.
Connecting green and white produces a crossover cable i.e. characters typed in the terminal echoes back to the screen. This means white is the TXD.
Now connect the three cables to your pin sockets according to the German site. That site uses CD-audio cable from old CD-ROM drives but any pin socket connector should do. For my cable, I only needed to replace the red cable with the green cable, the black and white cables are already correct.
Behold my sucky soldering skills.
Initial steps and downloading old Bootbase
If you do this correctly, start the device and you’ll see something like this on the terminal:
Bootbase Version V1.10t | 01/17/2005 15:54:30
RAM: Size = 16384 Kbytes
DRAM POST: Testing: 16384K
OK
FLASH: AMD 16M *1ZyNOS Version: V3.40(PT.0)b46 | 10/5/2005 9:54:21
Press any key to enter debug mode within 3 seconds.
……………
Pressing any key will, of course, enter debug mode.
First step is to unlock more options for debug mode. For that we need the password. Type
ATSE
to get the seed. Go to ZynPass to calculate the password from the seed. Now enter the password with:
ATEN1,xxxxxxxx
where xxxxxxxx is the password. “OK” will be displayed if you enter the correct password. Now let’s download the old bootbase. But first we’ll increase the console speed to make our lives easier.
ATBA5
Now, console speed will be changed to 115200 bps
OK
Disconnect from the terminal then change the baud rate to 115200bps. Reconnect. Download the old bootbase with:
ATDO b0000000,4000
Starting XMODEM download (CRC mode)…..
Receive the file (there’s a button in the toolbar of HyperTerminal) using Xmodem.
You can now turn off the modem if you feel like taking a break. Note that when you restart the modem, it’s reverts to 9600 bps.
Bricking your router Updating Bootbase to accept ZyXEL firmware
This is the part where I bricked my router. You have been warned (again).
Unrar the Bootbase you downloaded in the first part of this tutorial and open it with a hex editor. Replace the highlighted part in 3ff0 below with the router’s MAC address.
Now let’s update the Bootbase. If you restarted after downloading the Bootbase from the device, follow the steps above again up to the point after setting the console speed to 115200bps. Then run the following:
ATBT1
ATUX0
Now send the modified Bootbase 1.06 via Xmodem. If you’re lucky, you’ll see:
ATBT1
ATUX0
Starting XMODEM upload (CRC mode)…..
C
Total 16384 bytes received.
Erasing.
….
OK
And after restarting the modem (and reverting back to 9600bps) you’ll see:
Bootbase Version V1.06 | 04/01/2004 11:22:33
RAM: Size = 16384 Kbytes
DRAM POST: Testing: 16384K
OK
FLASH: AMD 16M *1ZyNOS Version: V3.40(PT.0)b46 | 10/5/2005 9:54:21
Press any key to enter debug mode within 3 seconds.
……………
If not, well, say goodbye to your router. :P
Updating the Firmware to PE.11
Compared to the one above, this part is cakewalk. Even if you failed to upload the files correctly, you could still try again.
Set the console speed to 115200bps with the steps above. Upload the 340PE11C0.rom file with
ATUR3
Restart the device.
Set the console speed to 115200bps (for the last time) with the steps above. Upload the 340PE11C0.bin file with
ATUR
After restarting the modem, the device should now be using 3.40(PE.11)C0. All that remains is to redo the steps in the previous post.
What if I bricked my router?
If in case you messed up with uploading the Bootbase and all your device does on startup is make its WAN LED blink, there’s still one way to unbrick it: have mad soldering skills (which I don’t have) and use JTAG. My Delicious tag on JTAG is a good place to start.
[Edit : new content ahead. found after researching more on the topic ]
Upgrade Without Overwriting the Bootbase
According to this site, you can upgrade the firmware without overwriting the Bootbase by setting the current firmware’s feature bits to match the ZyXEL firmware. The only catch is that this seems to only work on the b20 firmware, requiring you to downgrade from the existing b46 firmware.
The basic steps are:
- Upload the b20 firmware to the device, possibly via web configuration, FTP, or serial cable.
- Go to the second debug mode (ATSE …)
- Alter the feature bit of the firmware to 4B by running ATFE1,4B. This should fool the Bootbase to think that ZyXEL’s firmware is Telefonica’s.
- Upload ZyXEL’s firmware using ATUR3 and ATUR
my wifi connection is intermittent. will the above solve this? Thanks.
my wifi connection is intermittent. will the above solve this? Thanks.
It’s possible, but I’m not betting on it. Problem with the WiFi (assuming it’s already enabled) would probably mean a problem with the hardware itself.
It’s possible, but I’m not betting on it. Problem with the WiFi (assuming it’s already enabled) would probably mean a problem with the hardware itself.
should i return it to cdrking and ask for replacement?
should i return it to cdrking and ask for replacement?
You should, but I would personally double check the problem first.
Dropped internet connections might mean a problem with your ISP, while dropped wireless connections might be a problem with your WiFi adapter.
You should, but I would personally double check the problem first.
Dropped internet connections might mean a problem with your ISP, while dropped wireless connections might be a problem with your WiFi adapter.
No problem with internet connection. Wired conection to my desktop works flawlessly. My laptop also works flawlessly with wifi in our office.
Will return it tomorrow sa cdrking. thanks for this great site!
No problem with internet connection. Wired conection to my desktop works flawlessly. My laptop also works flawlessly with wifi in our office.
Will return it tomorrow sa cdrking. thanks for this great site!
Glad to be of service. :D
Glad to be of service. :D
hi sir. sorry to bother, but can you post a screenshot of the other parts of the zyxel modem? especially the flash and mem chips? thanks in advance.
hi sir. sorry to bother, but can you post a screenshot of the other parts of the zyxel modem? especially the flash and mem chips? thanks in advance.
Sorry, I already fixed a crapload of heatsinks on those chips to remove the possibility of overheating as the cause of my internet connection problems (in the end, heat wasn’t the problem) so I can’t take a picture of the chips.
Sorry, I already fixed a crapload of heatsinks on those chips to remove the possibility of overheating as the cause of my internet connection problems (in the end, heat wasn’t the problem) so I can’t take a picture of the chips.
Dude.. your guide is confusing, a few tweaks and its perfect for newbie techs.
Add a description to the commands plus a video.. perhaps >_<
Add:
Atur3 is for uploading .Bin files
Atur is for uploading .rom files (may take a couple of minutes)
ATSE is for getting the SEED password
ATEN1,XXXXXXXX is for entering the password for debug mode (XXXXXXXX = ZynPass)
bla… bla… bla..
I used RS232 Disk-station guide, then Tera term, and the Spanish guide.
Thank-yas to DEECO for kindly providing and assembling for the RS232 Disk-station and Bryanbibat.com
Dude.. your guide is confusing, a few tweaks and its perfect for newbie techs.
Add a description to the commands plus a video.. perhaps >_<
Add:
Atur3 is for uploading .Bin files
Atur is for uploading .rom files (may take a couple of minutes)
ATSE is for getting the SEED password
ATEN1,XXXXXXXX is for entering the password for debug mode (XXXXXXXX = ZynPass)
bla… bla… bla..
I used RS232 Disk-station guide, then Tera term, and the Spanish guide.
Thank-yas to DEECO for kindly providing and assembling for the RS232 Disk-station and Bryanbibat.com
Hi Bry! Had it replaced 2 wees ago. wifi connection now stable. only problem now is the weak signal (most of the time no signal at all) when I’m in my room (router is in the living room). I think the antenna cannot be replaced. or maybe you know a way to replace it? : ) Thanks again
Hi Bry! Had it replaced 2 wees ago. wifi connection now stable. only problem now is the weak signal (most of the time no signal at all) when I’m in my room (router is in the living room). I think the antenna cannot be replaced. or maybe you know a way to replace it? : ) Thanks again
Nope, sorry I don’t know how to replace the unit’s antenna.
Nope, sorry I don’t know how to replace the unit’s antenna.
I have seen your walkthrough/upgrade FW steps….I have been running the same router ever since…i just want to ask if running it without the FW upgrade, it’s not using ADSL+2??? And is it much faster than : Standard:ADSL_G.lite???
Last question: how to setup WPA security on this router?
I have seen your walkthrough/upgrade FW steps….I have been running the same router ever since…i just want to ask if running it without the FW upgrade, it’s not using ADSL+2??? And is it much faster than : Standard:ADSL_G.lite???
Last question: how to setup WPA security on this router?
It depends on your line. If you set your modem to multimode then it uses G.Lite, then that’s probably the type of line installed in your house. And yes, ADSL2+ has a higher bandwidth than G.Lite.
As for WPA, it should be available in the Wireless settings. I don’t have the original firmware here so I don’t know if it’s available there too.
It depends on your line. If you set your modem to multimode then it uses G.Lite, then that’s probably the type of line installed in your house. And yes, ADSL2+ has a higher bandwidth than G.Lite.
As for WPA, it should be available in the Wireless settings. I don’t have the original firmware here so I don’t know if it’s available there too.
@stonedchewy
just go to wireless lan then 802.1x/wpa then at key management protocol.
@bry
what’s new about upgrading the FW? can you post a screenshot?
@stonedchewy
just go to wireless lan then 802.1x/wpa then at key management protocol.
@bry
what’s new about upgrading the FW? can you post a screenshot?
Here’s a screenshot of the upgraded firmware. I think the main difference would be the Firewall settings.
Here’s a screenshot of the upgraded firmware. I think the main difference would be the Firewall settings.
[…] […]
[…] […]
hey, just bricked my router, do you have more info on unbricking…
thanks
nope, the only info I got is the JTAG stuff
hey, just bricked my router, do you have more info on unbricking…
thanks
nope, the only info I got is the JTAG stuff
hey – been doing a quick look at the infineon ADM6996I chip that controls the router and it seems do-able to load flash but unfortunately it requires the mad skills with the solder gun.
hey – been doing a quick look at the infineon ADM6996I chip that controls the router and it seems do-able to load flash but unfortunately it requires the mad skills with the solder gun.
mea culpa ( that’s latin for d’oh.)
for a start ADM6996I is the ethernet chip so I was barking up the wrong tree there.
… so I realised the error of my ways in bricking my p660hw-d1 ( standard issue telefonica router inalambrico ) , I loaded your firmware as above which was not very wise of me.
now, back from the local rastro and I got a p660hw-d1 for a fistful of pesatos (3euros)… so I will precede with caution and post link to relevant firmware here if things work out.
hasta luego
mea culpa ( that’s latin for d’oh.)
for a start ADM6996I is the ethernet chip so I was barking up the wrong tree there.
… so I realised the error of my ways in bricking my p660hw-d1 ( standard issue telefonica router inalambrico ) , I loaded your firmware as above which was not very wise of me.
now, back from the local rastro and I got a p660hw-d1 for a fistful of pesatos (3euros)… so I will precede with caution and post link to relevant firmware here if things work out.
hasta luego
Thnx a lot for this post
it is really helpfull
the only thing I found not 100% working is the firmware you post in this page for the first time it gaves error and after I changed the FW with one tha I’ve downloaded befor (340PE10C0_q2.bin) and It succed
thx