[Solved] Zyxel NBG6817 flashing from OEM

Hi there! Yes, flashing Zyxel NBG6817 to LEDE is not as straightforward as e.g. R7800. But still, hardbricking the NBG6817 is very difficult, you should be able to recover your device by TFTP method:

  1. Download latest stock firmware, rename to ras.bin.
  2. On your Windows PC, install TFTP of your choice. My favorite is the Windows built-in one. Install by using Win + R -> appwiz.cpl -> Windows Features (left side panel) -> TFTP-Client.
  3. Open up a command-line where ras.bin is located (Shift + Right-Click -> Open Command-line here)
  4. Manually set your Windows PC to IP address, netmask, gateway, DNS
  5. Turn off the Zyxel, wait 30 seconds.
  6. Press and hold WPS button, turn on your device, keep WPS pushed.
  7. Enter tftp -i put ras.bin into your commandline.

You might need a few runs or try your luck with other TFTP programs. Your device will give you LED signals in order to indicate, when it's ready to accept TFTP image. Unfortunately, I don't remember it in detail anymore. Also, make sure to disable Windows Firewall, as it may eventually get in your way. Good luck and please report back.

Edit: after you have recovered your device, I suggest flashing latest stock firmware 2 times via GUI. This will make sure both dual boot partitions are populated with a working firmware.

1 Like

If you have an unmanaged 100 MBit/s switch, using that between router (LAN) and tftpd can help significantly, the tftp window is rather short and avoiding link training can give you the crucial few seconds.


Thans for helping out here..

  1. Renamed stockware to ras.bin
  2. Enabled TFTPclient in Windows
  3. Went to ras.bin location
    4.Static IPADDRESS set
  4. Zyxel was already off
  5. WPS pressed. turned on device kept pressing it for 3 sec.
    7 entered tftp -i put ras.bin got after a while connect request failed.

My PC Utp cable to a TP link GB switch and the ZyXEL router lan port to TP switch lan..
Turned of my eset firewall. Enabled the Windows TFTp client and after that I turned on router with Wps Button pressed for three seconds. .
How do I know for sure the tftp server on ZyXEL is working.? Maybe LEDE isnt properly installed at all because the only thing I did was what simplexion described in the last part. Somehow i thought that was enough..
A a Ping to gives a request timed out. Thanks for helping here I appreciate it a lot...

A packet sniffer like wireguardwireshark will list the tftp request and data transfer.

You mean wireshark? Also tried different setups like connecting:

  1. PC via utp to Router(WAN)
  2. PC via utp to Router(LAN)
    3.PC via utp via Tp link switch(Gb) to router(wan)
  3. PC via utp via Tp link switch(Gb) to router(lan)

Also Ethernet identifies and then switches back and forth to networkcable not attached.. Getting out of Ideas here. Zyxel should have an option to flash via USB and WPS. That would do the thing.. Will try Wireshark.. Also tried Putty SSH.. getting a reply Software caused connection abort. If the software is screwed and factory reset fails I think its over... after reboot PC I can get a ping to but still connect request fails via tftp... Thanks! hereby my wireshark log deleted

I ran tftpd64.. Filled in Host port 24 via server interface (already configured)
I did as described..
However network adapter turns off and on identifying over and over again. Seems Ethernet adapter is getting unstable Red cross saying not attached then attached again.. So it doesnt flash ..

Seems like its corrupted and even the tftp server functionality doesnt seem to work. As i've already mentioned.. I just the last steps provided by simplexion nothing else.. so maybe its missing something
NB: As a noob I am only allowed to do 3 replies to a POST.. SO I WILL UPDATE HERE

Lucky for you, I'm reconfiguring my whole network and the Zyxel NBG6817 is having a small break right now. I'll reproduce the TFTP method and give you more detailed steps. However, I remember having some issues getting the TFTP command at the right moment, as the time window is very tight (as @slh has noted, bootdelay is set to 3 seconds). Reporting back soon!

Edit: I couldn't get TFTP flash working with Windows built-in tool - not even a single time. Using tftpd64, this whole process gets foolproof! I had 100% success:

  1. Download tftpd64 from here: http://tftpd32.jounin.net/tftpd32_download.html (I prefer portable version) and extract it to a folder.
  2. Copy ras.bin to that folder.
  3. Launch the program and choose as interface (which you've configured previously - IP address and netmask seems to be enough). The program is now completely set and doesn't require any user interaction from now on.
  4. Press and hold WPS, power on router, don't let go of WPS. NBG6817 LEDs will be: 2.4GHz LED -> 5GHz LED -> Power LED -> all LEDs off. A few seconds later, tftpd64 will notify you about ras.bin beeing sent to your router. Now, you're allowed to let go of WPS button.
  5. Once flashed, Power LED and 2.4GHz LED will blink very fast. This indicates a successful flash. I've waited an additional 15 minutes, just to make sure everything is fine. Power off your router, wait a little while and power it on again.
  6. Your router should work again.

If this successfully brings back your router, I will update my guide above accordingly. Interesting find: I kept WPS pressed, and started tftpd32 roughly around 15 to 30 seconds later, TFTP recovery still worked. Guess that "bootdelay = 3" in zloader / uboot source is meant for something else. I've done this with a direct connection to the router (LAN4, but any LAN port should work I guess). Windows Firewall enabled, allowed tftp64 to operate in private and public (unknown) networks. Worked fine.

Nope. You tried to run tftpd64 using "Tftp Client" tab. However, you're supposed to run it in "Tftp Server" tab.



Whooohooo.. yes tolga9009.. Amazing.. works like a charm.. So thankful for the help I've got here..
It was the tftp server instead of the client.. Duhhhh.. And I use ESET for security so needed to turn of firewallprotection and then it worked.. Had already opened the router up and was about to order serial to usb cable and a converter..Many many thanksIMAG1247

If your router is still open, please take some high-res pictures from the PCB for the wiki.

1 Like

@HammerFall you're welcome ;)!

@slh maybe we should work on an install script making use of nbg6817-dualboot for an easier install experience? Something, which checks current active partition, installs LEDE on the other, sets flag accordingly and then reboots. Also, do you have any idea why the LEDE flash process could've failed? Maybe wrong active partition during flash?

@tolga9009 I've been considering that for quite a while already, but I'm not sure if the OEM firmware provides the basic dependencies for dealing with the sysupgrade image (needs losetup/ mkfs, as the sysupgrade images aren't padded, thereby missing the signature for mtdsplit), expecting the user to supply the two images (kernel & rootfs) feels risky - and downloading it automatically is a can of worms I'd rather avoid to open. The other alternative would be to work on a real factory image, which doesn't seem to be that difficult - I'm just not sure which hash algorithm is actually used by genImgHdr.

It's hard to guess what might have failed, recent- and current master are fine, the mtd/ eMMC partitioning hasn't changed in 1.00(ABCS.8)C0 either, so the printf and cat calls are fine as well. The only thing that might have happened, albeit unlikely, is that the OEM firmware was booted from /dev/mmcblk0p5 and some running process of the OEM firmware clobbered data on /dev/mmcblk0p5 while writing the new image/ before rebooting. ...or simple finger trouble.

Hi,,I made 3 pics from the header pins.. its al I've got.. opening btw is quite simple. 4 screws hidden under the rubber pads in the corner. And I used a broad table knife to open it up from the corners where the screws where and sliding the table knife to the sides. open up the sides then the back and then you can lit the front off..!!! (restricted to just 1 image to a post: some limitations for noobs).. Thanks again...!!IMAG1248

@slh and @simplexion thanks both for your advice and additional directions. Just reporting in that I have the latest snapshot up (6-21-2018) running on my device. Very helpful advice for a linux/OpenWRT novice!

I followed @slh instructions to pull dualboot code from github rather than running "# printf "\xff" >/dev/mtdblock6". Then I just used the last four lines of OEM Easy Install. I had to use WinSCP as my router didn't have open-ssl, so I couldn't wget from HTTPS.

@slh, I know this is repetitive, but posting up my process anyways for others checking out the thread.

Step 1: Enable SSH on ZyXel NBG6817 and internet connectivity

Step 2: Download appropriate OpenWRT Versions

i.e. ....mmcblk0p4-kernel.bin and mmcblk0p5-rootfs.bin

Step 3: Transfer kernel.bin and rootfs.bin files to /tmp directory on router

  • You can use WinSCP and navigate to /tmp for drag and drop transfer

Step 4: Dual Boot Protection

root@NBG6817:~# cd /tmp/
root@NBG6817:/tmp# wget https://github.com/pkgadd/nbg6817/raw/master/nbg6817-dualboot
root@NBG6817:/tmp# chmod +x /tmp/nbg6817-dualboot
root@NBG6817:/tmp# /tmp/nbg6817-dualboot --set-rootfs /dev/mmcblk0p5

Step 5: complete installation (as @simplexion said, change .bin filenames to ones you downloaded)

root@NBG6817: # cat /tmp/openwrt-18.06-snapshot-r7018-18f18a2-ipq806x-zyxel_nbg6817-squashfs-mmcblk0p4-kernel.bin >/dev/mmcblk0p4
root@NBG6817: # cat /tmp/openwrt-18.06-snapshot-r7018-18f18a2-ipq806x-zyxel_nbg6817-squashfs-mmcblk0p5-rootfs.bin >/dev/mmcblk0p5
root@NBG6817: # sync
root@NBG6817: # reboot -f

Also, any type of streamlined install with dualboot I am sure would be very helpful for other users, especially novices like myself! Not necessarily automated, as @slh your concerns certainly make sense, but I think it would be great to include additional info on the wiki possible.

Thanks again to everyone! Especially @slh for work on supporting the router and being super helpful on the forums!


The download mirrors intentionally don't redirect from http to https, to retain the option of using plain http downloads (just drop the 's' from the protocol).

Now this looks promising.

1 Like

Thanks to the post from Art on June23, I was able to follow and get OpenWRT installed on this router. You will need to be savy enough to understand how to get the .bin files from the openwrt page for this router, get the dualboot file from github, use WinSCP to transfer the file from pc to /tmp directory on router, log into router using ssh, then run the linux command according to Art in the /tmp directory. Took me about an hour to do all this, but I had already spent several hours googling to find an easier way to install openwrt, but couldn't find anything. If you are not savy you'll have problems. For example, I couldn't get wget to pull the dualboot file fron github, but simple went directly to github.com and searched and downloaded directly to pc and scp'd to router. Thanks again Art!

http://raw.githubusercontent.com/pkgadd/nbg6817/master/nbg6817-dualboot "should" work (github defaults to https, which probably isn't supported by the OEM wget implementation (busybox))

...and real factory images for the nbg6817 are basically working now, thanks to
http://lists.infradead.org/pipermail/openwrt-devel/2018-August/013670.html with these preliminary results http://lists.infradead.org/pipermail/openwrt-devel/2018-August/013763.html

1 Like

The corresponding patches have been merged today, that means current snapshots now provide a openwrt-ipq806x-zyxel_nbg6817-squashfs-factory.bin image, which can be flashed directly from the stock vendor firmware (like an original ZyXEL firmware update) or used for recovering via tftp.

openwrt-ipq806x-zyxel_nbg6817-squashfs-mmcblk0p4-kernel.bin and openwrt-ipq806x-zyxel_nbg6817-squashfs-mmcblk0p5-rootfs.bin are no longer needed and will probably be removed in a subsequent cleanup patch soon.


I've worked on the nbg6817's wiki device page over the last couple of days, it would be nice if my changes (flash layout in particular) could be reviewed by a another set of eyes - and missing bits and pieces added as needed. It certainly could be a little more verbose in a few places.