OpenWrt 21.02.0 - First Stable Release

The only way to be certain is disconnect everything from the router except the device you are using to upgrade and configure.

1 Like

If one certificate would be distributed to everyone, I.e., a standard installed one, then you would have no way of knowing if you are correcting to the right device.

Few solutions

  1. make your own root certificate and key and derived certificates and key and install on router and in browser, i.e., both sides of connection
  2. trust the certificate when 1st presented that you at least know the 2nd time you connect it is to the same device
  3. get a letsencrypt certificate on you globally routable public ip and connect to that
  4. connect via VPN e.g. wireguard and have privacy and authentication via that

Best regards,


1 Like

Sorry - reading too quickly. Just reviewed my syslog, and apart from the normal (for me) DHCP chatter, no kernel fault messages.

1 Like

Thank you very much, Takimata, for a clear and concise description of what is going on, enabling me to check the certificate fingerprint.

Thank you also for providing more background, grrr2.

Thank you, Ramon.

As it happened, I had already set up SSH before the upgrade, and preserved settings. So I could do (5.) log in over SSH and get a copy of the uhttpd.crt file and follow takimata's instructions for comparing the fingerprint of the file on the router with the fingerprint presented to me by the web-browser*. Obviously not everyone will have an SSH trust relationship set up beforehand.

*My copy of Mozilla Firefox does not make this easy, as the display of the SHA-256 fingerprint does not show the last few characters. I had to use 'Web Developer' mode to see the entire fingerprint, and I get an error trying to view the certificate after I have created an exception.

My Netgear R6220 doesn't get correct system time when it boots. I've updated 2 other (TP-Link devices) and they get the correct time. I haven't debugged it. Is there anything I can tweak?

It's not a time zone problem. Last time I booted the system time was 6 days off (system time was September 1, I think (image build time?)).

I may be wrong with the correct device name, but according to the new firmware selector, it does seem to do for both versions of that device:

It looks like the ToH just just has not yet been updated, it still lists v19 (device v1) and snapshot (device v2):

1 Like

Thank you. You are correct.

Ok well the DHCP chatter we all have, for good and bad I guess.

I tried to update from 19.07.8.
Device xiaomi,mir3g not supported by this image Supported devices: xiaomi,mi-router-3g R3G
mir3g xiaomi,mir3g - Image version mismatch: image 1.1, device 1.0. Please wipe config during
upgrade (force required) or reinstall. Reason: Config cannot be migrated from swconfig to DSA
Image check failed.
What shoud i do ?

Sysupgrade without settings, and do not restore settings from backup (especially network and system (LEDs)).
You need to use the force flag in sysupgrade to override the warning.

Just like the explanation given to you...

1 Like

i still think this is rather confusing, maybe the the error message should read:

"Device xyz not supported by this image if you keep settings, please select wipe config during upgrade (force required). Reason: Config cannot be migrated from swconfig to DSA"

The thing is, the device is supported by this image, just not with those settings...


I saw that when there was either a DNS or routing misconfiguration. Have you checked that you can reach NTP server from that node?

I have the erx I think it is very different from the er4 but in the stable version that came out the last one I have micro cuts when I play online or when you are in video conferences this also happened to me on 19.07 and in rc2 and rc3 less in rc1

It was my fault. I had a command in rc.local that never finished, so all startup scripts that were scheduled to run after rc.local (such as sysntpd) didn't run.

1 Like

The message you are seeing is printed by the old sysupgrade that is still installed on your system, which knows nothing about the new DSA in the image you are trying to install. So, users would have to upgrade first sysupgrade, to an new version that knows about DSA, then try to upgrade to a new image... or the new image had to be made incompatible.


getting this error when trying to upgrade using factory image, i am on a Linksys WRT1900ACS, is it safe to ignore and flash?

sysupgrade.bin is for updating openwrt
factory.bin is for first install (from OEM firmware)

Post the link to the image you downloaded

this is the link

also when i try to use the upgrade image for my router i get this error instead

the link to the upgrade image is this