Mweb range extender

[corpsegrinder62]

Hi there, after some snooping around aswell, i confirm this thing does have TFTP in some way, but i think the SSH is locked out, if you setup static IP instead of DHCP, plug your lan in and ping 192.168.2.2, see what happens, it responds the first 5 seconds. so there must be a work around, did you find anything? it would be nice, im close to smashing this thing on the wall.. just want it back to original FW or mwebs FW that could actually work. mine doesn't even connect to an AP anymore, useless firmware!! don't find any answers ANYWHERE. thanks..

So…. Back to the Wifi Extender (or repeater) ! The ZyXel WRE2205 v2 is what MWEB is shipping with their “FON” Network package. I decided to return this “Extender” back to it’s default state without the FON part and this is what I have done so far:
I visited the ZyXel homepage and downloaded the original and updated firmware. Yes! It comes in .bin format and can be found here (ftp://ftp2.zyxel.com/WRE2205_v2/firmware/WRE2205 v2_V1.00(AANK.1)C0.zip ). I then reset the router to it’s default values by holding the little key button on the front for 15 or so seconds – restarted the router using the switch and then logged in to it via an Ethernet cable with the username: admin and password:1234. I Tried to upgrade the router and got the message “Incorrect firmware version”. 
Thanks MWEB. So I called MWEB and they said “Sorry, you should be able to upgrade if you go to the manufacturers website.” So I kept insisting that MWEB has ISP locked the device and they should provide me with a way to unlock it. (I am sure that ICASA has made it illegal to ISP lock hardware?? I have reported this to them aswell) MWEB eventually conceded that the device has been locked and no-one is permitted to unlock the device and change it’s settings.  So I contacted ZyXel and they said that they are not allowed to change the ISP’s perversion of their software as they would then have an unhappy client……. OK so that means there is a way!
So I looked at the source code of the repeaters web interface and saw…. Wait… who is EDIMAX? OK, so it turns out that EDIMAX is a company that makes and sells these routers and ZyXel just kinda resells them……and EDIMAX provides a tool to flash the device over the Ethernet port and not just the .bin file.  Yay EDIMAX!! You can find the tool here…. And as far as I can see the EDIMAX software is the better one and should work perfectly on the device even though it is a ZyXel (http://www.edimax.com/images/Image/...RPNv2/EW-7438RPn_v2_Firmware_Upgrade_tool.zip )
The Process goes as follows… Make sure you can ping the device on 192.168.1.2.. but in our case MWEB have stuffed this up again and you would have to use 192.168.2.2 . Connect to the devices webpage with the before mentioned username and password and then run the tool. The software finds the Device…  and then, like in the documentation asks for the device password… (The Default should be 1234). I entered the password and clicked the next button and it should now start flashine the unit back to default…..but wait…. I get a dialog box which says “Incorrect Password!!”  Thanks once again MWEB.
So that is where I am up to! I also tried using winrar to unpack the files in the EDIMAX exe file and ended up with the firmware and the actual running exe files inside the EDIMAX exe. There is a small “MFC” () created application that cannot be unencrypted at all .
I just want to see which port and what operation it uses to put the firmware in place and then I will brute force the password for the admin account on that port and we will all be happy campers with our stock standard ZyXel WRE2205 v2 devices but this is where I am stuck. If you have a clue or even a different idea for me to try or even the password then give me a shout and I will give it a bash.
Yes I have also tried all the values that I found when I backed up the device config and then exported the fields from the resulting .bin file with a small app called RouterPassView. None of them work! Oh Yes! And MWEB, if you are reading this then please may I have the ability to return the device back to it’s original firmware. This will stop me snooping!

 

[Drifter]

I returned the router and extender.

 

[neilronaldson]

I bought myself a Dlink DAP 1360 R400, buy yourself a proper wireless access point and run a cable to it - don't use it as a range extender....I find it doesn't work all that well

 

[Guji]

So…. Back to the Wifi Extender (or repeater) ! The ZyXel WRE2205 v2 is what MWEB is shipping with their “FON” Network package. I decided to return this “Extender” back to it’s default state without the FON part and this is what I have done so far:
I visited the ZyXel homepage and downloaded the original and updated firmware. Yes! It comes in .bin format and can be found here (ftp://ftp2.zyxel.com/WRE2205_v2/firmware/WRE2205 v2_V1.00(AANK.1)C0.zip ). I then reset the router to it’s default values by holding the little key button on the front for 15 or so seconds – restarted the router using the switch and then logged in to it via an Ethernet cable with the username: admin and password:1234. I Tried to upgrade the router and got the message “Incorrect firmware version”. 
Thanks MWEB. So I called MWEB and they said “Sorry, you should be able to upgrade if you go to the manufacturers website.” So I kept insisting that MWEB has ISP locked the device and they should provide me with a way to unlock it. (I am sure that ICASA has made it illegal to ISP lock hardware?? I have reported this to them aswell) MWEB eventually conceded that the device has been locked and no-one is permitted to unlock the device and change it’s settings.  So I contacted ZyXel and they said that they are not allowed to change the ISP’s perversion of their software as they would then have an unhappy client……. OK so that means there is a way!
So I looked at the source code of the repeaters web interface and saw…. Wait… who is EDIMAX? OK, so it turns out that EDIMAX is a company that makes and sells these routers and ZyXel just kinda resells them……and EDIMAX provides a tool to flash the device over the Ethernet port and not just the .bin file.  Yay EDIMAX!! You can find the tool here…. And as far as I can see the EDIMAX software is the better one and should work perfectly on the device even though it is a ZyXel (http://www.edimax.com/images/Image/...RPNv2/EW-7438RPn_v2_Firmware_Upgrade_tool.zip )
The Process goes as follows… Make sure you can ping the device on 192.168.1.2.. but in our case MWEB have stuffed this up again and you would have to use 192.168.2.2 . Connect to the devices webpage with the before mentioned username and password and then run the tool. The software finds the Device…  and then, like in the documentation asks for the device password… (The Default should be 1234). I entered the password and clicked the next button and it should now start flashine the unit back to default…..but wait…. I get a dialog box which says “Incorrect Password!!”  Thanks once again MWEB.
So that is where I am up to! I also tried using winrar to unpack the files in the EDIMAX exe file and ended up with the firmware and the actual running exe files inside the EDIMAX exe. There is a small “MFC” () created application that cannot be unencrypted at all .
I just want to see which port and what operation it uses to put the firmware in place and then I will brute force the password for the admin account on that port and we will all be happy campers with our stock standard ZyXel WRE2205 v2 devices but this is where I am stuck. If you have a clue or even a different idea for me to try or even the password then give me a shout and I will give it a bash.
Yes I have also tried all the values that I found when I backed up the device config and then exported the fields from the resulting .bin file with a small app called RouterPassView. None of them work! Oh Yes! And MWEB, if you are reading this then please may I have the ability to return the device back to it’s original firmware. This will stop me snooping!

sorry to resurrect this thread ... Marc I have been trying to use this edimax tool to update the firmware with no luck .... it keeps asking me for a 6 digit access key ... Did you have this problem and how did you get around it?

 

[jhbhacker]

This blog might be of interest to someone who still wants to pursue unlocking the Zyxel WRE2205 range extender.

http://simonfredsted.com/996

 

[geniass]

This blog might be of interest to someone who still wants to pursue unlocking the Zyxel WRE2205 range extender.

http://simonfredsted.com/996

Howzit,
Thanks to this blog post, I managed to flash the range extender with the stock firmware, and it's actually working quite well now. The process is a bit involved; basically there is an executable on the device called fw_upgrade which is responsible for flashing new firmware. Mweb's version checks for Mweb's firmware. So I downloaded the stock firmware from Zyxel website, extracted the binary (it's a squash -fs file system) and copied the fw_upgrade binary over using a tftp server. Then you can run that instead of Mweb's binary, and we're done.

I can make a guide if anyone's interested

 

[scienide]

Howzit,
Thanks to this blog post, I managed to flash the range extender with the stock firmware, and it's actually working quite well now. The process is a bit involved; basically there is an executable on the device called fw_upgrade which is responsible for flashing new firmware. Mweb's version checks for Mweb's firmware. So I downloaded the stock firmware from Zyxel website, extracted the binary (it's a squash -fs file system) and copied the fw_upgrade binary over using a tftp server. Then you can run that instead of Mweb's binary, and we're done.

I can make a guide if anyone's interested

Yes please

 

[geniass]

Getting rid of Mweb's rubbish

NOTE: I run Linux and have not tested any of this on Windows, but it shouldn't really matter. Anyway I don't take responsibilty for unusable (as if it wasn't already) devices after following this procedure.
To get rid of Mweb's 'firmware', we need to

• Copy the stock fw_upgrade binary and the firmware binary to the device
• Run the new binary

The device has a built-in tftp client which works (surprisingly) so we can use that.

1. Connect the repeater to your pc using the ethernet port, and make sure you can access its webpage (192.168.2.2)
2. Install a tftp server on pc
   On Linux, I used tftpd-hpa. On Windows it looks like you can use tftpd32. This seems like a decent tutorial.
3. Download the latest firmware from Zyxel's website. Make sure it's for the correct hardware version (probably wre2205v2) and extract the zip file
4. Either download the stock fw_upgrade from https://www.dropbox.com/s/zp21r8ijm2dpdph/fw_upgrade?dl=0 or use a program such as binwalk (Google for a tutorial) to extract the .bin file. In that case, fw_upgrade is in /sbin relative to the squash-fs file system you just extracted.
5. Put fw_upgrade as well as the .bin file into the base directory of the tftp server
6. Now go to 192.168.2.2/mp.asp
   You should see a basic webpage with a textbox and a button. This will allow you to enter commands as root [GASP]
7. Enter this command:

   ; echo "`tftp -g -l /etc/fw_upgrade -r fw_upgrade 192.168.2.100; tftp -g -l /etc/fw.bin -r [name of .bin file].bin 192.168.2.100`"

   This copies both files over to the repeater. They are being copied to /etc because the rest of the file system is read-only.
   192.168.2.100 is your pc's IP address. It should be this.
8. Now enter

   ; echo "`chmod +x /etc/fw_upgrade; ls -al /etc`"

   This makes it executable. In the output list you should see fw_upgrade and fw.bin
9. Enter

   /etc/fw_upgrade upg /etc/fw.bin

   This begins the update. The standard warnings apply: don't switch off the device etc... and wait about 5 minutes.
   Eventually the address 192.168.2.2 will stop working. The stock firmware uses 192.168.2.254 instead. Keep trying this address until it works.

That should be it. The repeater should now be ready to go with stock firmware.

 

[Soul Assassin]

What exactly do you gain from the stock firmware?

 

[geniass]

What exactly do you gain from the stock firmware?

A working range extender. At least for me, it just would not work before. Sometimes I could get it to connect to my network, but then it wouldn't actually broadcast any signal. It would also disconnect after a few minutes, which could only be fixed by a factory reset.

I wonder if it's possible to modify the stock firmware now before installing it, eg add an ssh server.

 

[gripen]

A working range extender. At least for me, it just would not work before. Sometimes I could get it to connect to my network, but then it wouldn't actually broadcast any signal. It would also disconnect after a few minutes, which could only be fixed by a factory reset.

I wonder if it's possible to modify the stock firmware now before installing it, eg add an ssh server.

Or add basic AP functionality i.e. run an ethernet cable to the repeater and run it as an AP (with the same SSID as the rest of the network - or not even.. maybe just a plain cheap and nasty AP). Any takers? The default stock firmware seems to be repeater only but really an AP mode is a software thing. Perhaps if we have SSH we can do iwconfig etc

 

[geniass]

Or add basic AP functionality i.e. run an ethernet cable to the repeater and run it as an AP (with the same SSID as the rest of the network - or not even.. maybe just a plain cheap and nasty AP). Any takers? The default stock firmware seems to be repeater only but really an AP mode is a software thing. Perhaps if we have SSH we can do iwconfig etc

According to that blog post, it's a rebranded Edimax, which according to http://www.edimax.com/edimax/mw/cufiles/files/download/QIG/transfer/Wireless/EW-7438RPn_V2/EW-7438RPn_V2_QIG_EN%28English%29.pdf can be used as an AP. So it's possible that Zyxel have just hidden that functionality...

 

[corpsegrinder62]

Hi, i get till step 9. Then the command does nothing, yes i checked that tdtp uploaded, shows fw.bin and fw_upgrade, and i enter the commands to make it executable, except the console shows nothing happening and i waited 20mins and i could still access 192.168.2.2, i rebooted it and still on mweb fw, any suggestions pls?!? I wanna get this unlocked so badly, thank you!!

NOTE: I run Linux and have not tested any of this on Windows, but it shouldn't really matter. Anyway I don't take responsibilty for unusable (as if it wasn't already) devices after following this procedure.
To get rid of Mweb's 'firmware', we need to

• Copy the stock fw_upgrade binary and the firmware binary to the device
• Run the new binary

The device has a built-in tftp client which works (surprisingly) so we can use that.

1. Connect the repeater to your pc using the ethernet port, and make sure you can access its webpage (192.168.2.2)
2. Install a tftp server on pc
   On Linux, I used tftpd-hpa. On Windows it looks like you can use tftpd32. This seems like a decent tutorial.
3. Download the latest firmware from Zyxel's website. Make sure it's for the correct hardware version (probably wre2205v2) and extract the zip file
4. Either download the stock fw_upgrade from https://www.dropbox.com/s/zp21r8ijm2dpdph/fw_upgrade?dl=0 or use a program such as binwalk (Google for a tutorial) to extract the .bin file. In that case, fw_upgrade is in /sbin relative to the squash-fs file system you just extracted.
5. Put fw_upgrade as well as the .bin file into the base directory of the tftp server
6. Now go to 192.168.2.2/mp.asp
   You should see a basic webpage with a textbox and a button. This will allow you to enter commands as root [GASP]
7. Enter this command:

   ; echo "`tftp -g -l /etc/fw_upgrade -r fw_upgrade 192.168.2.100; tftp -g -l /etc/fw.bin -r [name of .bin file].bin 192.168.2.100`"

   This copies both files over to the repeater. They are being copied to /etc because the rest of the file system is read-only.
   192.168.2.100 is your pc's IP address. It should be this.
8. Now enter

   ; echo "`chmod +x /etc/fw_upgrade; ls -al /etc`"

   This makes it executable. In the output list you should see fw_upgrade and fw.bin
9. Enter

   /etc/fw_upgrade upg /etc/fw.bin

   This begins the update. The standard warnings apply: don't switch off the device etc... and wait about 5 minutes.
   Eventually the address 192.168.2.2 will stop working. The stock firmware uses 192.168.2.254 instead. Keep trying this address until it works.

That should be it. The repeater should now be ready to go with stock firmware.

 

[geniass]

Hi, i get till step 9. Then the command does nothing, yes i checked that tdtp uploaded, shows fw.bin and fw_upgrade, and i enter the commands to make it executable, except the console shows nothing happening and i waited 20mins and i could still access 192.168.2.2, i rebooted it and still on mweb fw, any suggestions pls?!? I wanna get this unlocked so badly, thank you!!

Can you post the output of step 8?

 

[corpsegrinder62]

Can you post the output of step 8?

Hi Geniass, firstly thank you for your reply, was beginning to think there is no1 out there for help!

sure here you go -

Here is what i have done:

downloaded latest firmware from zyxel site - V1.00(AANK.2_C0.bin
-setup static ip - 192.168.2.100(IP)/255.255.255.0(sub)/192.168.2.2(gateway) it gave me a hassle on DHCP and often would not even give me an IP.

i should mention, the orig FW names prevented fw.bin to be uploaded. so i had to rename it first to firmware.bin before fw.bin appeared on the next step but successfully verified tftp uploaded both files after the rename.

>> http://prntscr.com/5bmulc

after this i enter the command in step 9, it goes through but does nothing and returns no error message whatsoever, using your stock fw_upgrade file and the other the above firmware mentioned.

>>http://prntscr.com/5bmwoq

i cannot seem to use binwalk, i tried to compile it in python (windows) but does not seem to work and just became frustrated with it,

Been stuck on this for quiet some time, any help is much appreciated!

Thanks for the help!

 

[Hoster]

Hi Geniass

I am stuck in the same position as @corpsegrinder62

Your help will really be appreciated as we want to have stock firmware

 

[corpsegrinder62]

Hi Geniass

I am stuck in the same position as @corpsegrinder62

Your help will really be appreciated as we want to have stock firmware

Glad to know im not alone was cracking my head open trying to get it right thinking i was doing something wrong, these things are just a bundle of frustration, this damned mweb fw keeps disconnecting on me, cant really call it a repeater if it disconnects you 40+ times daily -_- i think @geniass is going to save our day. I have an idea tho if anyone is willing to try. I just saw another post with someone in the same position, what he did was extract fw_upgrade from the squashfs of the most recent fw and he seemed to have success with it. But since my binwalk doesnt work, i cant fullproof if itll work. Just an idea.

 

[geniass]

Hi Geniass, firstly thank you for your reply, was beginning to think there is no1 out there for help!

sure here you go -

Here is what i have done:

downloaded latest firmware from zyxel site - V1.00(AANK.2_C0.bin
-setup static ip - 192.168.2.100(IP)/255.255.255.0(sub)/192.168.2.2(gateway) it gave me a hassle on DHCP and often would not even give me an IP.

i should mention, the orig FW names prevented fw.bin to be uploaded. so i had to rename it first to firmware.bin before fw.bin appeared on the next step but successfully verified tftp uploaded both files after the rename.

>> http://prntscr.com/5bmulc

after this i enter the command in step 9, it goes through but does nothing and returns no error message whatsoever, using your stock fw_upgrade file and the other the above firmware mentioned.

>>http://prntscr.com/5bmwoq

i cannot seem to use binwalk, i tried to compile it in python (windows) but does not seem to work and just became frustrated with it,

Been stuck on this for quiet some time, any help is much appreciated!

Thanks for the help!

Yeah this thing is extremely frustrating. If you were having problems with ethernet, did you try resetting it by holding down the button for something like 10 seconds? Also does

; echo "`/etc/fw_upgrade chk /etc/fw.bin`"

do anything?

 

[Hoster]

@corpsegrinder62 I managed to do it.

instead of using /etc/fw_upgrade upg /etc/fw.bin i used this

; echo "`/etc/fw_upgrade upg /etc/fw.bin`"

I than waited 4 minuted tried to log back on and and the IP address changed, I than changed it back to DHCP, logged onto my Zyxel(192.168.1.2)and guess what I was on stock Standard Firmware.

Thanks Geniass

 

[corpsegrinder62]

@corpsegrinder62 I managed to do it.

instead of using /etc/fw_upgrade upg /etc/fw.bin i used this

; echo "`/etc/fw_upgrade upg /etc/fw.bin`"

I than waited 4 minuted tried to log back on and and the IP address changed, I than changed it back to DHCP, logged onto my Zyxel(192.168.1.2)and guess what I was on stock Standard Firmware.


Thanks Geniass

@geniass @Hoster, u two are freakin geniuses, thank you so much!! It worked o0 at long last! Cant thank u guys enough! Finally can say F mweb fw and the thing actualy works now