Nano Pi R5S Soft Brick Issue & Fix (HTTPS-DNS-Proxy Issue)

Installing and Using OpenWrt
1

Hey everyone,

edit: had to also disable irqbalance and possibly sqm. cant be bothered anymore so just using rc.local is a surefire way of it not soft bricking.

This has been driving me nuts for a while now, so I figured I’d share my findings and maybe get some feedback from anyone else dealing with this.

I hate the Nano Pi R5S sometimes. It’s really annoying when it soft bricks itself, especially since the "reset" button doesn’t actually trigger the squashfs firstboot. This makes recovery a pain.

After a lot of trial and error (why the hell would this service soft brick it? it was the last thing i could think of), I found a bypass that works:

root@OpenWrt:~# cat /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
service https-dns-proxy start
service https-dns-proxy disable
service irqbalance start
service irqbalance disable
service sqm start
service sqm disable

exit 0
root@OpenWrt:~#

What I Did*

  1. I built a custom firmware with the packages I wanted.
  2. Then, I optimized it further by including my configs.
  3. I started enabling services one by one and found that https-dns-proxy, when enabled, causes the device to soft brick.

*The power LED just flashes red and never boots.
*No HDMI or USB keyboard recovery option either.
*I tried adding HDMI support into the kernel, but honestly, it’s a hassle compared to just using the image builder.

Quick Recovery Method

To quickly recover from a soft brick, use the FriendlyWRT SD Flasher image.

  1. Flash it onto an SD card.
  2. Place your OpenWrt firmware file (e.g., openwrt-24.10.img.gz) in the same folder.
  3. Edit the .conf file in that folder and change friendlywrt.img to your specified image.
root@OpenWrt:~# service
/etc/init.d/avahi-daemon      	  disabled	   stopped
/etc/init.d/banip             	  disabled	   stopped
/etc/init.d/boot              	   enabled	   stopped
/etc/init.d/cron              	   enabled	   running
/etc/init.d/dbus              	   enabled	   running
/etc/init.d/ddns              	   enabled	   stopped
/etc/init.d/dnsmasq           	   enabled	   running
/etc/init.d/done              	   enabled	   stopped
/etc/init.d/dropbear          	   enabled	   running
/etc/init.d/etherwake         	   enabled	   stopped
/etc/init.d/fail2ban          	   enabled	   running
/etc/init.d/firewall          	   enabled	   stopped
/etc/init.d/fstab             	   enabled	   stopped
/etc/init.d/gpio_switch       	   enabled	   stopped
/etc/init.d/https-dns-proxy   	  disabled	   stopped
/etc/init.d/irqbalance        	   enabled	   stopped
/etc/init.d/led               	   enabled	   stopped
/etc/init.d/log               	   enabled	   running
/etc/init.d/miniupnpd         	   enabled	   stopped
/etc/init.d/mwan3             	   enabled	   running
/etc/init.d/network           	   enabled	   running
/etc/init.d/nut-cgi           	  disabled	   stopped
/etc/init.d/nut-monitor       	  disabled	   stopped
/etc/init.d/nut-server        	  disabled	   stopped
/etc/init.d/odhcpd            	   enabled	   running
/etc/init.d/openssl           	   enabled	   stopped
/etc/init.d/packet_steering   	   enabled	   stopped
/etc/init.d/rpcd              	   enabled	   running
/etc/init.d/sqm               	   enabled	   stopped
/etc/init.d/sshd              	  disabled	   stopped
/etc/init.d/sysctl            	   enabled	   stopped
/etc/init.d/sysfixtime        	   enabled	   stopped
/etc/init.d/sysntpd           	   enabled	   running
/etc/init.d/system            	   enabled	   stopped
/etc/init.d/ttyd              	   enabled	   running
/etc/init.d/ucitrack          	   enabled	   stopped
/etc/init.d/uhttpd            	   enabled	   running
/etc/init.d/umount            	   enabled	   stopped
/etc/init.d/urandom_seed      	   enabled	   stopped
/etc/init.d/urngd             	   enabled	   running

image build (i removed mbebtls from the r5s profile)

make image PROFILE="friendlyarm_nanopi-r5s" \
PACKAGES="libustream-openssl base-files ca-bundle dropbear dnsmasq e2fsprogs firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc logd mkf2fs mtd netifd nftables libustream-openssl odhcp6c odhcpd-ipv6only opkg partx-utils ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-r8169 luci nano luci-app-mwan3 luci-app-irqbalance luci-app-https-dns-proxy luci-app-acl luci-app-banip luci-app-ddns luci-app-nut luci-app-sqm nano tcpdump luci-app-upnp luci-ssl-openssl luci-proto-wireguard lsblk block-mount avahi-daemon openssh-sftp-server openssh-sftp-client openssh-keygen openssh-server openssh-client luci-app-openvpn luci-app-wol luci-app-ttyd nmap-full fail2ban wget-ssl curl ddns-scripts-cloudflare python3-speedtest-cli htop bind-host bash" \
ROOTFS_PARTSIZE="512" \
DISABLED_SERVICES="sshd ddns fail2ban mwan3 sqm miniupnpd nut-cgi nut-monitor nut-server etherwake https-dns-proxy irqbalance avahi-daemon banip" \
FILES=/home/anthony/r5s/openwrt-imagebuilder-24.10.0-rockchip-armv8.Linux-x86_64/configs/

P.S if anyone could let me know an easy way to make openwrt automatically use openssh instead of dropbear that would be sweet

2

I wonder what could be first step towards your target...

1 Like
3

Nope, running /usr/sbin/sshd says to add the sshd user and I haven’t looked further into it since I didn’t have the useradd command lol.
so just adding the package didn’t automatically enable it to work - In contrast to dropbear which works out of the box

4

openssh-server package adds user/group for it. Is it different whether sshd is added by imagebuilder vs installing package later?

5

reinstalling after the fact fixed it with manual updating of configs rather than doing it in luci. stop dropbear, then configure with luci-app-tty

I'll just save this config going forward since it didnt autogenerate with the image builder

6

ttyd app is cute.