Adding installation via WebUI for Zyxel SCR 50AXE

Best-HeyGman · March 7, 2026, 9:32pm

Hi everyone. I recently saw that the Zyxel SCR 50AXE got support for OpenWrt
(https://git.openwrt.org/openwrt/openwrt/commit/?id=f948f71300a9f9685a6bbb7dfd742ed64892a86c)

So, the installation instructions in the git commit say it works with some debug port, but I thought I'd give it a try to find a way to install OpenWrt via the OEM WebUI. I got the source code from Zyxel and by sifting through that I found a hidden firmware upgrade page in the Webui (https://192.168.168.1/LocalFirmwareUpgrade). It seems to work, but when I naively just try to upload the OpenWrt build for the scr 50axe (https://firmware-selector.openwrt.org/?target=qualcommax/ipq50xx&id=zyxel_scr50axe) it tells me that this is an "illegal firmware".

So, I tried to figure out how to circumvent that, but I wasn't successful yet. I thought I am probably not the first one who did something like that and maybe someone has tips from experience. Considering the number of Zyxel devices supported by OpenWrt, somebody might even have already a solution at hand.

There's a couple of things making this harder: First, I've never used OpenWrt before (other than when OEMs use it as their base system. The scr 50axe is also based on OpenWrt). And second, I would love to share the source code with you guys so that maybe someone can take a look with more experience, but I got a problem there. I only asked them for the GPL source code via https://www.zyxel.com/global/en/form/gpl-oss-software-notice
It took 2 months and the code I got isn't just foss code, it is absolutely littered with source code files that say " * Confidential and Proprietary - Qualcomm Technologies, Inc." and I highly doubt that I can share the codebase like that. I don't even think Zyxel should have done that, but maybe I just don't understand software law enough. It's super messy.

nicefile · March 14, 2026, 9:19pm

Great find! For me UART method was the easiest way to go forward.
Also it assures that you set debugflag and bootdelay to be able to interact with u-boot in case of recovery.

Back to your finding. Have you try investigate filesystem first ? like:

/lib/upgrade/nand.sh
/sbin/upgraded
/etc/netopeer/netopeer/firmware-update/

You probably captured firmware file to test it? I have link to v1.10 in case you need it.
Process of OEM upgrade can be monitored by process manager like top to see what is run and where.

ct85msi · March 27, 2026, 10:52am

flashed 25.12.1 and 25.12.2, enabled software offload, packet steering was enabled by default and I got 650-700 mbps routing power with static wan ip. The main problem is the wireless radios, it seems that there is a hardlock on a PHY with US country setting. So, if i set my regulatory domain to RO, it disabled the radio or radio1 (5 ghz) won`t broadcast.

Another problem with wireless is that it wont switch radios. I have the same SSID on all 3 radios and if it connects on 2.4 it stays there, it wont switch to 5 or 6 ghz. I enabled all functions for the devices to roam across the bands but didnt do anything. If I am connected to 6 ghz, I get a maximum of 300 Mbps. OpenWRT support on the scr50axe is very in its early stages and it cant be used even as a simple AP. I reverted to stock rootfs.

config wifi-iface 'default_radio1'

        option device 'radio1'

        option network 'lan'

        option mode 'ap'

        option ssid 'MSI'

        option encryption 'sae'

        option key 'password'

        option ocv '0'

        option ieee80211r '1'

        option nasid 'SCR50_AP'

        option ft_over_ds '0'

        option ieee80211k '1'

        option wnm_sleep_mode '1'

        option bss_transition '1'

root@OpenWrt:~# iw reg get

global

country RO: DFS-ETSI

        (2400 - 2483 @ 40), (N/A, 20), (N/A)

        (5150 - 5250 @ 80), (N/A, 23), (N/A), NO-OUTDOOR, AUTO-BW

        (5250 - 5350 @ 80), (N/A, 20), (0 ms), NO-OUTDOOR, DFS, AUTO-BW

        (5470 - 5725 @ 160), (N/A, 26), (0 ms), DFS

        (5725 - 5875 @ 80), (N/A, 13), (N/A)

        (5945 - 6425 @ 320), (N/A, 23), (N/A), NO-OUTDOOR

        (57000 - 66000 @ 2160), (N/A, 40), (N/A)



phy#2 (self-managed)

country US: DFS-FCC

        (2402 - 2472 @ 40), (6, 30), (N/A)

        (5170 - 5250 @ 80), (N/A, 30), (N/A), AUTO-BW

        (5250 - 5330 @ 80), (N/A, 24), (0 ms), DFS, AUTO-BW

        (5490 - 5730 @ 160), (N/A, 24), (0 ms), DFS, AUTO-BW

        (5735 - 5895 @ 160), (N/A, 30), (N/A), AUTO-BW

        (5925 - 7125 @ 160), (N/A, 30), (N/A), NO-OUTDOOR, AUTO-BW



phy#1 (self-managed)

country RO: DFS-ETSI

        (2402 - 2482 @ 40), (N/A, 20), (N/A)

        (5170 - 5250 @ 80), (N/A, 23), (N/A), NO-OUTDOOR, AUTO-BW

        (5250 - 5330 @ 80), (N/A, 23), (0 ms), NO-OUTDOOR, DFS, AUTO-BW

        (5490 - 5590 @ 80), (N/A, 30), (0 ms), DFS, AUTO-BW

        (5590 - 5650 @ 40), (N/A, 30), (600000 ms), DFS, AUTO-BW

        (5650 - 5710 @ 40), (N/A, 30), (0 ms), DFS, AUTO-BW



phy#0 (self-managed)

country RO: DFS-ETSI

        (2402 - 2482 @ 40), (N/A, 20), (N/A)

        (5170 - 5250 @ 80), (N/A, 23), (N/A), NO-OUTDOOR, AUTO-BW

        (5250 - 5330 @ 80), (N/A, 23), (0 ms), NO-OUTDOOR, DFS, AUTO-BW

        (5490 - 5590 @ 80), (N/A, 30), (0 ms), DFS, AUTO-BW

        (5590 - 5650 @ 40), (N/A, 30), (600000 ms), DFS, AUTO-BW

        (5650 - 5710 @ 40), (N/A, 30), (0 ms), DFS, AUTO-BW

root@OpenWrt:~# dmesg | grep ath11k | tail -n 20

[  932.232589] ath11k b00b040.wifi: Failed to set the requested Country regulatory setting

[  932.236239] ath11k b00b040.wifi: failed to process regulatory info -22

LS3434 · March 27, 2026, 11:04am

There’s something wrong with either bdf files for wifi, or wifi firmware itself. I’m getting the same error about regulatory info, if i set it to other country than US. It’s the same for Linksys MX6200.

Best-HeyGman · March 27, 2026, 12:27pm

nicefile:

Great find! For me UART method was the easiest way to go forward.
Also it assures that you set debugflag and bootdelay to be able to interact with u-boot in case of recovery.

Back to your finding. Have you try investigate filesystem first ? like:
/lib/upgrade/nand.sh
/sbin/upgraded
/etc/netopeer/netopeer/firmware-update/
You probably captured firmware file to test it? I have link to v1.10 in case you need it.
Process of OEM upgrade can be monitored by process manager like top to see what is run and where.

Hi, thanks for your reply, the files you pointed out look very promising

I haven't had the time to get back into fiddling around with the device, but I think the link to the firmware file would be helpful, if that's still an option, so that I know how a firmware file looks like which the device accepts. I don't have an official firmware file yet. I'm not sure what you mean by capturing it, because I would think they'd use something encrypted like TLS to transmit the firmware(?).
I also don't have an UART adapter or something, so it's not super easy to get insights into what the device is doing in real time.

I can't promise that I'll have time to really get into it in the near future, but I will try to make some time

nicefile · March 27, 2026, 3:50pm

What I've did is I did press update on zyxel nebula then I've monitored if there's wget / curl that's pull file from the internet.
Also to make it easy I've reduced my internet speed to 1Mbit via SQM

Edit: all of this via UART under root shell