Fritz!Box 7520v1 firmware shenanigans

Back in 2019, 1und1, a german ISP, released the Fritz!Box 1&1 HomeServer (branded 7520 on the back) in collaboration with AVM, a company known for their successful modem/router combinations.

It was marketed as an entry level DSL home router with almost the same features as the Fritz!Box Fon WLAN 7530 released the year before, but sans USB3, and two GBit/s LAN ports downsized to 100MBit/s.

One could have assumed then, but latest in 2020, when an article was published in the german computer magazine c’t, and later released on heise.de (in german), the cat was out of the bag: the restrictions were software-induced.

The earliest description of the hack I could find was published in April 2020 on a family blog in german, c’t possibly adapted their article from there.

Since then, a lot has changed in models and firmwares, but the method to non-permanently upgrade the 7520 has not changed. However, AVM did phase out the original 7520 at a later date and replaced it with a similar 7520v2, where this hack does not work as the hardware is different. The two siblings can be easily distinguished by their appearance, as the hackable 7520 looks like earlier models of the Fritz!Box, with fins and all. The newer, not hackable model looks like the current design, sleek and streamlined.

The procedure I have applied is a variation on both the magazine article and the blog post, and depends a bit on luck and good timing. Then again, I have so far never needed more than three tries. The original blog post mentions that, if you have absolutely no success in getting into the box, a network switch in between computer and box may help.

AVM only releases the recovery tool for Windows OS, but a VM should suffice, as long as it has host network access.

Please go through the steps once before applying, as the timing is crucial and the window of opportunity is narrow:

  1. Download the most recent recovery tool for the 7530, found at https://download.avm.de/fritzbox/fritzbox-7530/deutschland/recover/
  2. Disconnect your computer from all networking, then connect the Fritz!Box via ethernet cable on LAN 1 with your computer
  3. Assign a static IP in the subnet 192.268.178.0/24, for example 192.168.178.2, with a netmask of 255.255.255.0 Gateway, DNS and other stuff are irrelevant at this point
  4. Start the recovery tool for the 7530 and follow the instructions up until it tells you to disconnect power from the Fritz!Box
  5. Open a PowerShell window and ready it with the command ftp 192.168.178.1, not pressing return. The user/password will be adam2/adam2, remember this.
  6. Advance the recovery tool to the next screen. It will tell you to power on the box. So, power it on.
  7. As soon as the recovery tool shows any sign of finding the box, press return in the powershell window and log in with user: adam2, and pass: adam2. This has to be done fast, as in my tests, the login process had to be done in under 5 seconds.
  8. The recovery tool will either hang or proclaim that no valid box was detected. You can quit and reopen the recovery tool now and advance it up until “turn off the box” again, as in step 4.
  9. In the ftp shell, execute the following commands, one by one:
    • quote SETENV ProductID Fritz_Box_HW_236
    • quote SETENV HWRevision 236
    • quote SETENV HWSubRevision 1
    • quote SETENV firmware_version avm
    • quit
  10. The last command exits the ftp session, but the Fritz!Box will stay open to recovery suggestions. Hence you can progress in the recovery tool. It should successfully detect the box connected as a 7530, and proceed to flash the firmware for this model.

As soon as the flashing is done, you can reset your ethernet connection back to DHCP, and as soon as a new IP has been assigned, you can navigate to http://192.168.178.1 or http://fritz.box and will be greeted by the Fritz!Box web interface of the 7530. The default password is written on the label of the box.

After sign in it is a good idea to disable update checks, because the box still looks for updates to the 7520, which it will find and notify about relentlessly.

Updates (for the 7530) can be done through the web interface, but the firmware has to be manually downloaded from AVM servers and then applied by uploading it.

If you ever feel like going back to the 7520, you should first try uploading a firmware update for the 7520, found at https://download.avm.de/fritzbox/fritzbox-7520/deutschland/fritz.os/, and if that does not work, follow the upgrade procedure through step 4, but instead use the recovery tool for the 7520 and skip the ftp part, just continue with the recovery program.

And if even that fails, with the with the procedure outlined above you may set the variables back to the following in step 9:

  • quote SETENV ProductID Fritz_Box_HW_247
  • quote SETENV HWRevision 247
  • quote SETENV HWSubRevision 2
  • quote SETENV firmware_version 1und1

I have been using this method without issue successfully for a while now, and even freetz-ng runs easily with the firmware of the 7530.

Happy hacking, Chris

Mandatory 'Hello World!'

There’s nothing here safe this placeholder yet, but this won’t stay for long :)

Stay tuned!