Adding support for a ipq8065+qca9984 based device link to all the outputs from:
I am not a developer. I have two of these devices, one in the box and one set-up. It has ssh and telnet, and when I telnet in (or ssh) I am greeted with the OpenWRT logo.
Comment from the #openwrt IRC channel:
"it's not [supported right now], it's running an ancient OEM firmware, based on a modified QSDK, loosely based on a mutilated ancient OpenWrt version. the device is not supported at this point, but could be supportable (ipq8065+qca9984)"

Googling that ipq8065 qca9984, the only threads that come up are about a Netgear R7800.

Complete dmesg would be a good start.
And name the device, wont help mentioning other devices.

it's in the zip file in the original post above. I've just physically opened the second device I have. Zyxel is not telling me much, other than they were sent to an ISP for their customers.

Examining the board, they applied a new part number label for the board over the older one. I'm not finding anything with an internet search though. Looking carefully at the, and peeling back the second sticker applied to this board, it seems it's just a re-badged NBG6817. I can make out most of the board model information from the Openwrt Wiki of the NBG6817, and it matches this board.


The challenge is to be able to flash the NBG6817 build on it, but since the Product Model does not match... I get an error that they don't match. The TFTP recovery flash method doesn't seem to override the mismatch. I have got a serial console going, and am attempting to flash it that way (or change the Product Model somehow).

and How do I change the U-Boot variable when flashing the firmware?

As dwfreed was helping on Openwrt IRC,

we could:

Start the device with the serial tty cable attached

interrupt the boot (just press enter while it's starting up)

Zyxel uses some retarded locked boot environment:

use the built-in ATSE (modelname) command, to generate a numerical output, feed that output into the script at: (nbg6817-dualboot xxxxxxxxx)

Use the output from that script ('ATEN x,xxxxxx'), and the command ATGU, to get out of the locked zloader and into the real U-Boot

prepare the tftpd on the local laptop with a fixed ethernet IP ( and plug it into a LAN port on the router. Run 'tftpboot' which told us what the filename.img needed to be for the initramfs file (openwrt-23.05.3-ipq806x-generic-zyxel_nbg6817-initramfs-uImage > C0A80101.img). Re-run tftpboot, then bootm, and the routerboard boots from the initramfs image.

At this point, regular Openwrt 23.xx Luci and other stuff worked. With a warning about the image being temporary. Attempted to flash full Openwrt, but while it appeared successful, when it reboots, it's running the old manufacturer's firmware (something ancient based on Openwrt 12.x).

The next step - IDK.

I've followed the how to build openwrt in the wiki. I got as far as running 'make menuconfig', and figured that would be a good place to pause, and do a 'grep -r NBG6817' to find out what needed to be changed to the files for the build, so the Product Model/Name would match - which is where the OEM Openwrt 12.x firmware, their modified version, seems to get stuck, with error:

Firmware upgrade error...
The flash image upload failed. The error messages are as follows:
Firmware version V1.99(OWRT.9999)C0 Project Name NBG6817 Header checksum d3c4 Image checksum c3c4 Image length 21436416 Host Name EMG3435 kernel checksum be2c kernel length 4194304 Local Project Name EMG3435 Wrong Project Name Wrong firmware image header!

grep -r NBG6817 output:

(base) ubuntu@COMPUTER:~/openwrt$ grep -r NBG6817
feeds/luci/applications/luci-app-advanced-reboot/root/usr/share/advanced-reboot/devices/zyxel-nbg6817.json:     "deviceName": "NBG6817",
target/linux/ipq806x/files-5.15/arch/arm/boot/dts/qcom-ipq8065-nbg6817.dts:     model = "ZyXEL NBG6817";
target/linux/ipq806x/image/  DEVICE_MODEL := NBG6817
target/linux/ipq806x/image/  RAS_BOARD := NBG6817
tmp/  bool "ZyXEL NBG6817"
tmp/    Build firmware images for ZyXEL NBG6817
tmp/  bool "ZyXEL NBG6817"
tmp/          string "ZyXEL NBG6817 additional packages"
tmp/.targetinfo:Target-Profile-Name: ZyXEL NBG6817
tmp/.targetinfo:Build firmware images for ZyXEL NBG6817
tmp/info/.targetinfo-ipq806x:Target-Profile-Name: ZyXEL NBG6817
tmp/info/.targetinfo-ipq806x:Build firmware images for ZyXEL NBG6817
(base) ubuntu@COMPUTER:~/openwrt$

Never built an image before, not sure what actually needs to be changed in the above.

Made what seems like logical changes. Where there was a profile for an NBG6817 in a text file, I copied it to make a profile for EMG3435. Where there was a directive to compile for the NBG6817 target, I changed it to EMG3435. "Make" is currently running...

OK. The ISP-version but otherwise physically identical clone of the NBG6817 board, is working with Openwrt 23x. The last issue is, the first flash to Openwrt 23.x is successful, but subsequent flashes are not.

They produce the error:

Fri Mar 22 22:12:24 UTC 2024 upgrade: Switching to ramdisk...
Fri Mar 22 22:12:25 UTC 2024 upgrade: Performing system upgrade...
[  169.761695] do_stage2 (3044): drop_caches: 3
Could not open mtd device: firmware
Can't open device for writing!
cat: write error: Broken pipe
sysupgrade aborted with return code: 256
[  172.420639] qcom_scm firmware:scm: No available mechanism for setting download mode
[  172.420687] reboot: Restarting system

So, right now, it is necessary to boot into the OEM firmware on the primary boot area, (the default), then use their webflash procedure to flash Openwrt 23.x. The Openwrt image flashes to the Secondary boot image area, and the device reboots into Openwrt 23.x.

You can see this with the tool at To use this script, you will simply need to change every reference of nbg6817 to the emg3435, to match the board identifier (called also "Product Name" or "Product Model" variously) programmed into the ROM.

However, trying to do a subsequent Sysupgrade flash from that image of Openwrt 23.x, fails with the above error.

Alternatively, booting with the serial cable attached, and bypassing the restrictions in U-Boot [ATSE BOARDNAME, then feeding it through the tool script at (see above) to produce an ATEN 1,x output, ATGU which then drops into real unrestricted U-Boot,]

to then do a 'tftpboot' to pull over the initramfs image from your tftpd server, and 'bootm' [booting that image in RAM], then using that web interface to flash, also fails (otherwise, the other functions work fine).

Last hurdle is to figure out how to modify Openwrt so it correctly flashes the updates itself.

Current builds are in the /bin/targets/ipq806x/generic folder

I don't know how to do a 'diff' or whatever, I am not a developer.

  • Access to WAN is granted by default for http/https/ssh, because that's the only physical port connected to the outside (unless you open the cover on the unit and modify it). The device is meant to have a single ethernet cable run up to it, plus 12v power (or a PoE splitter/combiner adapter).

  • Access to WiFi is granted by default to 'OpenWRT', no password, because these units were meant to be installed on a mast, and may be physically-inaccessible when someone finds this thread and wants to upgrade his unit.

  • The default LAN IP is instead of, to avoid conflict with the ethernet/WAN port DHCP client, which if on a typical LAN, will be assigned a 192.168.1.x address.

  • SW & HW offload is turned on by default. I'm not 100% sure if the hardware supports it, but there isn't any downside to turning it on in this case.