Zyxel NR7101 setup/hacks/tips and tweaks
0. Don't have a SIM card in when you're updating radio firmware or it will bomb out partway through as it changes from internal IP to IP passthrough
1. Disable external IP passthrough mode: Network Setting -> Broadband -> Cellular APN -> #1 -> Modify icon -> "IP Passthrough" slider to off
2. Use "management" Wi-Fi AP as general Wi-Fi AP (with limitations) -> Network Setting -> Bridge1 -> Modify icon -> Move the Wi-Fi AP interface to the pane on the right alongside LAN1
NOTE: by default, once you do the above, the router will happily pass traffic from devices on the Wi-Fi AP to other devices on the LAN1 subnet, but will block traffic originating from the Wi-Fi AP from exiting to the Internet via the LTE side of the device. You can clumsily hack around this by setting another device, e.g. another Wi-Fi AP or Raspberry Pi or Cray supercomputer, as the default gateway for the LAN1 subnet in your DHCP server config, and pointing *that* device at the Zyxel as *its* default GW. This adds additional hops, but enables general use of the Zyxel's inbuilt Wi-Fi AP.
3. Supervisor password allows Linux shell login & additional functions.
cf. https://openwrt.org/toh/zyxel/nr7101 "Supervisor password"
summary: get this https://get.dyn.mork.no/zyxel_pwgen.tar.gz [mirror: https://github.com/theodric/pastebin/blob/master/zyxel_pwgen.tar.gz] and run it under qemu with the getsupervisor.sh script and the system serial number. Log in with `ssh supervisor@the.router.ip.address`; the password is the string generated by the tool.
3a. The supervisor password is also the root password, and that lets you do pretty much whatever including breaking iptables.
4. As Supervisor (see 3 above) turn off fucking annoying flashing orange Wi-Fi LED that the router turns on whenever the Wi-Fi AP is active: `/sbin/zyledctl WIFI off` <- maybe script this
5. **TBD** How to remove the softblock preventing Wi-Fi AP-sourced traffic from accessing the LTE gateway. iptables is doing this, but I haven't yet tried to undo it.
6. As of 2022-06-07 the latest firmware is not in Zyxel's Download Library, but pinned to a forum post here https://support.zyxel.eu/hc/en-us/articles/360021563900-NR7101-Connectivity-issues-and-firmware-fix-for-unsupported-frequency-bands-5G-NSA-B8-N1-
7. 2023-March-16
@giorgix3 commented on this gist with the following information about retrieving SMS:
"You can actually read SMS by talking to the modem via tty. Log in via SSH and then:
`cat /dev/ttyUSB2 &`
`echo "AT+CMGR=1" > /dev/ttyUSB2`
By changing the number after `CMGR=#` you can read the other messages in the memory. The detailed documentation of the commands to talk to the modem can be found here: https://www.quectel.com/wp-content/uploads/2021/05/Quectel_RG50xQRM5xxQ_Series_AT_Commands_Manual_V1.1.pdf"
8. 2023-March-21
Quectel has a video tutorial on using AT commands to read and send SMS here: https://forums.quectel.com/t/how-to-send-and-receive-sms-messages-on-quectel-module/15555
Of note: `echo 'AT+CMGL="all"' > /dev/ttyUSB2` dumps all received SMS to the screen at once.
This may be a red herring, but I'll say it here anyway: I was only getting hex gibberish on the screen with the AT+CMGR command above until I had issued `echo "AT+CMGF=1" > /dev/ttyUSB2` to the modem.
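As an added example (not from the gist or its commenters), a small Python script that does what items 7 and 8 do by hand: it puts the modem into text mode with AT+CMGF=1, lists stored messages with AT+CMGL="ALL", and parses the reply into message records. The hex output seen before AT+CMGF=1 is the modem's PDU mode (AT+CMGF=0), so the script detects such a reply and refuses to parse it rather than guessing. `/dev/ttyUSB2` is taken from the comments above; the sample reply is constructed, not captured from a real NR7101.

```python
import os, re, select
# Text-mode (AT+CMGF=1) header: +CMGL: <index>,"<status>","<sender>",[<alpha>],"<timestamp>"
_TEXT_HDR = re.compile(r'^\+CMGL:\s*(\d+),"([^"]*)","([^"]*)",(?:"[^"]*")?,"([^"]*)"')
# PDU-mode (AT+CMGF=0) header is numeric (+CMGL: <index>,<stat>,,<length>) and precedes a hex PDU line
_PDU_HDR = re.compile(r'^\+CMGL:\s*\d+,\d+,', re.M)

def is_pdu_reply(reply):
    """True when the modem answered in PDU mode: the 'hex gibberish' seen until AT+CMGF=1 is sent."""
    return _PDU_HDR.search(reply.replace("\r", "")) is not None
def parse_cmgl(reply):
    """Turn a text-mode AT+CMGL reply into message dicts; a body may span several lines."""
    messages, current = [], None
    for line in reply.replace("\r", "").split("\n"):
        m = _TEXT_HDR.match(line)
        if m:
            current = {"index": int(m.group(1)), "status": m.group(2),
                       "sender": m.group(3), "timestamp": m.group(4), "text": []}
            messages.append(current)
        elif line.strip() in ("OK", "ERROR") or line.startswith("+CMS ERROR"):
            current = None                       # final result code ends the listing
        elif current is not None:
            current["text"].append(line)
    for msg in messages:
        msg["text"] = "\n".join(msg["text"]).strip()
    return messages
def at_query(dev, command, timeout=3.0):
    """Write one AT command to the modem tty and read until the final OK/ERROR line (no pyserial needed)."""
    fd = os.open(dev, os.O_RDWR | os.O_NOCTTY)   # assumes the tty already works with cat/echo, as in the gist
    try:
        os.write(fd, (command + "\r").encode())
        buf = b""
        while select.select([fd], [], [], timeout)[0]:
            chunk = os.read(fd, 4096)
            buf += chunk
            last = buf.rstrip().split(b"\n")[-1].strip()
            if not chunk or last in (b"OK", b"ERROR") or last.startswith(b"+CMS ERROR"):
                break
        return buf.decode(errors="replace")
    finally:
        os.close(fd)
def read_all_sms(dev="/dev/ttyUSB2"):
    at_query(dev, "AT+CMGF=1")                   # text mode first, otherwise the listing comes back as PDUs
    reply = at_query(dev, 'AT+CMGL="ALL"')
    if is_pdu_reply(reply):
        raise RuntimeError("modem still in PDU mode (AT+CMGF=1 not accepted); reply would be hex PDUs")
    return parse_cmgl(reply)
# Constructed sample in the shape a text-mode AT+CMGL="ALL" reply takes (not captured from a real modem).
SAMPLE_REPLY = ('\r\n+CMGL: 1,"REC READ","+4712345678",,"23/03/16,10:15:00+04"\r\nFirst message\r\n+CMGL: 2,'
                '"REC UNREAD","+4798765432",,"23/03/21,09:00:00+04"\r\nSecond message\r\nwith two lines\r\n\r\nOK\r\n')
```

On the router, `read_all_sms()` performs the real exchange; `parse_cmgl(SAMPLE_REPLY)` shows the parsed result offline.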
9. 2023-08-20
@Manu99it discovered a means to obtain supervisor/root password on the newer (post-2022?) hardware/firmware revisions that use a different password generation algorithm:
https://gist.github.com/theodric/c8f280ead3b5ae1b4b1d6c4cf2d9420e?permalink_comment_id=4666079#gistcomment-4666079
"Reading https://th0mas.nl/2020/03/26/getting-root-on-a-zyxel-vmg8825-t50-router/#fnref:1 I understood that all passwords, even for the root and supervisor users, are contained in the zcfg_config.json file. Actually, in my router accessing this file is much simpler: just set up FTP via the web GUI, access FTP as the admin user (I used MiXplorer on Android, for example) and zcfg_config.json is just there. The absurd thing: it has rw permission even for the admin user! So just open it and copy the encrypted password under the root user (not the default password as per the guide linked; that's the same one you can calculate with the emulator). Now we can decrypt this encrypted password just by using the DynamicDNS as an oracle, as explained in the guide: set up a fake DDNS in the web GUI. Download the backup file. Open the backup file and replace the encrypted password under DynamicDNS with the encrypted password of the root user copied before. Now save and restore the file from the web GUI. Go to the DDNS settings and just read the password: it's in the clear. Just as simple as that!"
@bered321

The second question pertains to fixing all incoming and outgoing packets from the router at a TTL value of 64. For example, when we connect via Wi-Fi using a phone, the standard TTL of the phone is 64, whereas for a Windows computer, it's 128, and so on. In older versions of Zyxel, this could be fixed with a CLI command, such as "ip adjust-ttl recv/send." For instance, when using the "ping" command, we see TTL: 100 bytes from 192.168.1.33: icmp_req=1, ttl=128, time=2.35 ms. What I need is to set this TTL value to 64 for all incoming and outgoing traffic on the router. This would enable me to use data plans intended for phones.

I see. Maybe with sysctl net.ipv4.ip_default_ttl=64 and for ipv6 sysctl net.ipv6.conf.all.hop_limit=64 as you would do it in standard openwrt. But keep in mind that any changes done, even with root access, won't survive a reboot

On older devices, these changes were retained even after a reboot. When Zyxel and Keenetic separated, it's now available in the new firmware directly through the web interface. If possible, try issuing the commands via Telnet/SSH, such as "interface UsbLte0 ip adjust-ttl send 64," and then attempt to, for example, ping google.com.

@ant-thomas

I don't have physical access to my NR7101 as it was installed by my ISP and I don't have the admin password or serial number.

Is it possible to find a way to login without this information?

@theodric
Author

theodric commented Feb 1, 2024

I recommend calling your ISP and asking them for the credentials for the device. Given that you have indicated that it is your property, they should be happy to comply with your request.

Just in case you're a Fed, I want to make it explicit that we don't condone any violations of the Computer Fraud and Abuse Act of 1986, thank you

@ispiropoulos

Has anyone figured out a way to get the supervisor password on the newer devices with "S22*" serial?

@slippern1

Here is a method to flash any NR7101: https://forum.openwrt.org/t/method-to-flash-any-nr7101/168033

@ispiropoulos

Has anyone figured out how to use dual APN on one SIM card?
