How to get Lede 17.01.04 on Zyxel P-2601HN-FX

Dear all,

How do i get Lede installed on a Zyxel P-2601HN-F1 ?
According to its device page it is supported but how do i get it on the device.
I have already managed to enter the bootloader, used ATEN 1,[PASSWORD]
Entered ATBT 1
Sofar OK.

But then ... What do i have to do next.
I have an tftp server availible.

Thanks in advance.

Klaas Eenkhoorn

Ok, the bootloader was not the real bootloader.
After entering ATGU i have entered the real bootloader uboot.
Using the commands:

tftp 0x80700000 lede-17.01.4-lantiq-xway-P2601HNFX-initramfs-kernel.bin
bootm 0x80700000

Lede starts!!!!

But, this is only in memory. Not from flash, after a reboot lede is gone and back is the zyxel firmware.
How can i find out to what flash address i have to write the Lede image ?
Does the printenv command from uboot help ?

Take a look here
I think it should be about the same

Thanks JEFFreal for your reaction.

Finally i have succeded to install LEDE on the P-2601HN-F1 by altering the uboot script of the existing bootloader.
Although the Zyxel bootloader does not allow you to change anything in its configuration it allows you to write to flash, even if it is it's own adresses and this is what i have done.

The first sector of the flash memory starting at address 0xb0000000 until 0xb001fff0 holds the boot loader. It also contains a uboot script starting at address b001f400.

It reads:
echo Z-Boot Autoscript file
echo ===============
cp.b 0xb0014000 0x82a80000 0x10000
go 82a80000

I have altered this script to:

echo Z-Boot Autoscript file
echo ======================
bootm 0xb0060000

This because Lede is loaded at 0xb0060000 not 82a80000.

Now you have to know this script has to be written in a binary image form so you have to make an image of it by using:

mkimage -T script -C none -n 'Z-Boot script' -d script_file.txt myscript.img

All you have to do now is edit the bootloader code and replace the script part, uploading the code by tftp and write this to flash finally followed by a reset.

I know this all sounds like Chinese for many, i know, but i want to make an understandable tutorial about what i did for those who want to put lede on this device too. Maybe it is not THE way to do this but it works and i did not find any other way so far.

Thanks goes out to Mathias Kresin who helped me out before with my vgv7519 (Experiabox v8), a lot of things i have done now he taught me.

More about uboot scripts at:

Hi kdeenkhoorn,

I'm also trying to get OpenWRT to run on my Zyxel P-2601HN-F1. So far is was able to write the image to flash and get it running, but it does not yet boot on startup.

I've created the new z-boot script image, as you suggested. But I'm not sure how to write this to flash, and to which address. Can you help me with that?


Hi Sneeze,
Well this is tricky and involves knowledge of hex editors etc. not something i'm capable of supporting remotely. I had the router working and auto booting but during the refinement of this process i bricked the router. There is no way back as far as i have experienced, during the search for the bootmode jumpers to alter the configuration i killed the board.
So if you know your way around this here's the way i've did it.

First i have dumped the firmware of the router using the serial line using the command:

md.l 0xb0000000 0x1000000

This takes some time so sit back ...

After this i seperated the lines from the first line b0000000 until, and including, the address line b001fff0 into a seperated file edit.txt, this is one entire memory sector. By design you only can rewrite entire sectors in memory not parts of them.

Around line b001f400 you will see this:

b001f400: 27051956 f39b0ce0 4e897986 00000079    '..V....N.y....y
b001f410: 00000000 00000000 37961ac7 05070600    ........7.......
b001f420: 5a2d426f 6f742073 63726970 74000000    Z-Boot script...
b001f430: 00000000 00000000 00000000 00000000    ................
b001f440: 00000071 00000000 6563686f 0a656368    ...q....echo.ech
b001f450: 6f205a2d 426f6f74 20417574 6f736372    o Z-Boot Autoscr
b001f460: 69707420 66696c65 0a656368 6f203d3d    ipt file.echo ==
b001f470: 3d3d3d3d 3d3d3d3d 3d3d3d3d 3d3d3d3d    ================
b001f480: 3d3d3d3d 0a656368 6f0a6370 2e622030    ====.echo.cp.b 0
b001f490: 78623030 31343030 30203078 38326138    xb0014000 0x82a8
b001f4a0: 30303030 20307831 30303030 0a676f20    0000 0x10000.go 
b001f4b0: 38326138 30303030 0a000000 00000000    82a80000........

This is the default Zyxel bootscript pointing to the wrong start address.
Replace it with your bootscript image, mine looked like:

b001f400: 27051956 917968a9 5a1abea1 0000005b    '..V.yh.Z......[
b001f410: 00000000 00000000 2c0bfd2a 05070600    ........,..*....
b001f420: 5a2d426f 6f742073 63726970 74000000    Z-Boot script...
b001f430: 00000000 00000000 00000000 00000000    ................
b001f440: 00000053 00000000 6563686f 0a656368    ...S....echo.ech
b001f450: 6f205a2d 426f6f74 20417574 6f736372    o Z-Boot Autoscr
b001f460: 69707420 66696c65 0a656368 6f203d3d    ipt file.echo ==
b001f470: 3d3d3d3d 3d3d3d3d 3d3d3d3d 3d3d3d3d    ================
b001f480: 3d3d3d3d 0a656368 6f0a626f 6f746d20    ====.echo.bootm
b001f490: 30786230 30363030 30300a00 00000000    0xb0060000......
b001f4a0: 00000000 00000000 00000000 00000000    ................
b001f4b0: 00000000 00000000 00000000 00000000    ................

Fill out the lines with zeroes if necessary.

If you want to use your own script you have to convert your image file to hex text with the xxd command like:

mkimage -T script -C none -n 'Z-Boot script' -d script_file.txt myscript.img
xxd myscript.img > myscript.hex

Now replace all starting addresses b0... with 00 so the entire file looks like:

00000000: 1000000b 00000000 00000000 00000000    ................^M
00000010: 688c688c 00000000 312e312e 30000000    h.h.....1.1.0...^M
00000020: 00000000 00000000 00000000 00000000    ................^M
00000030: 40809000 40809800 40806800 401b7800    @...@...@.h.@.x.^M
00000040: 3c0800ff 3508ff00 0368d824 3c080001    <...5....h.$<...^M
00000050: 35089500 17680019 00000000 40088000    5....h......@...^M
00000060: 3c098000 3529ffff 01094024 3c093604    <...5)....@$<.6.^M
00000070: 01094025 00000000 40888000 00000040    ..@%....@......@^M
00000080: 00000040 00000040 000000c0 40086000    ...@...@....@.`.^M
00000090: 3c09fffc 3529ffff 01094024 24090000    <...5)....@$$...^M
000000a0: 01094025 00000000 40886000 00000040    ..@%....@.`....@^M

Now create a binary file from the hexdump by using the command:

xxd -r edit.txt > edit.bin

It should now be:

du edit.bin
128	edit.bin

Place this file on your tftp server

Now boot your router with serial connected and get to the console and do the following:

AMAZON_S # setenv ipaddr
AMAZON_S # setenv serverip
AMAZON_S # tftp 0x80700000 edit.bin
Using amazon_s Switch device
TFTP from server; our IP address is
Filename 'edit.bin'.
Load address: 0x80700000
Loading: ##########################
Bytes transferred = 131072 (20000 hex)

AMAZON_S # erase 0xB0000000 +${filesize}
Erase Flash from 0xb0000000 to 0xb001ffff

Erased 1 sectors
AMAZON_S # cp.b 0x80700000 0xB0000000 ${filesize}
Copy to Flash... done
AMAZON_S # reset

If all went well you will see:

ROM VER: 1.1.3
CFG 01

U-Boot 1.1.5-ARX182 1.1.11(Oct  3 2011)

Boot from NOR flash
DRAM:  64 MB

 relocate_code start
 relocate_code finish.
Flash: 16 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
switch chip id=0000ffff

switch chip id=0000ffff
amazon_s Switch
## Executing script at b001f400

Z-Boot Autoscript file

## Booting image at b0060000 ...
   Image Name:   MIPS LEDE Linux-4.4.92
   Created:      2017-10-17  17:46:20 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1562155 Bytes =  1.5 MB
   Load Address: 80002000
   Entry Point:  80002000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

[    0.000000] Linux version 4.4.92 (buildbot@debian8) (gcc version 5.4.0 (LEDE GCC 5.4.0 r3556-46e29bd) ) #0 Mon Oct 16 15:21:43 2017
[    0.000000] SoC: AR9 rev 1.2
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001954c (MIPS 34Kc)
[    0.000000] MIPS: machine is P2601HNFX - ZyXEL P-2601HN-Fx
[    0.000000] Determined physical RAM map: 

Again, i am not an experienced hacker so i can not help any further in a responsible way. I've bricked my router beyond repair when i tried to build in a time-out function to interrupt the boot process. But this was during a write action to flash from within Lede to a mtd device.
As you can see in my bootscript i had no time-out build in to interrupt the boot process so i could not get to the bootloaders prompt ever after this hack.

Thanks for you elaborate explanation kdeenkhoorn!

It worked great: when I turn on the router it now automatically boots OpenWRT. For my purposes that's enough. Sorry to hear you broke your router. Maybe you can find a replacement.. I got mine for free on