[Solved] Zyxel NBG6817 flashing from OEM

trunk/ master yes, since early november 2017, the corresponding change has also been backported to the lede-17.01 branch (not yet present in 17.01.4, will be present in 17.01.5 or 18.xx.y).

https://github.com/openwrt/openwrt/pull/670

This has now been merged and should be available in snapshot builds starting tomorrow.

Keep in mind that the installed firmware provides the sysupgrade functionality, so it will only start alternating between both firmware locations once you have a firmware version supporting this functionality already installed (so second flash from now on).

1 Like

I need some help recovering from a bad flash on my Zyxel nbg6817. It got stuck in a boot loop. If I power it up while holding down the WPS button I'm able to then ping it at 192.168.1.1 which is something. I've tried sending firmware to it using tftp2.exe and the generic windows tftp client with no luck. I've also tried setting up my PC as a TFTP server listening on .33 and .99 also with no luck. Does anyone have any tips or am I out of luck?

EDIT: Solved my issue. When I connected my PC directly to the router with nothing else connected Windows 10 decided that it was a "public" network and the firewall blocked incoming connections. Turned the firewall off and nbg6817 immediately grabbed the factory firmware! My router is alive!

Hello, first post from me (but as I am just getting started not the last one :slight_smile: )
I am having zyxel nbg6817, and want to run lede on it... but dont know how.
I have win based laptop, I download correct .bin files and will kindly ask someone to write step by step what to do next to get it installed.

Thank you in advance!

https://openwrt.org/toh/zyxel/nbg6817#oem_easy_installation

Until 17.01.5 or 18.xx.y gets released, you need to install a snapshot instead of a release build (otherwise the overlay won't be persistent).

Question.

I'am currently having chaos in my brain.
I have this type router for the past 3 weeks and i have some performance issues with it.
I have 400/40 from the ISP over cable ( Docsis 3.0 this your will update to 3.1 ) and i can't get it to work propperly.

So today i want to flash it back to it's original firmware and test the speeds there to see if there actually is a form of difference between them if no i want to return it back to the store, because i can't work with unstable download speeds.

So the actual problem now is: i tried to sysupgrade -n -F NBG6817_V1.00(ABCS.7)C0.bin and when ever it reboots it goes straight back to lede. Could you help me out with this situation?

@slh quick question from a novice/someone who has only flashed OpenWRT to devices via GUI previously.

In the OEM Easy Installation steps you linked, I take it that to get copies of .bin in the /tmp directory I should follow the generic instructions for upgrading LEDE via cli, specifically the Download and verify the LEDE firmware upgrade image?? https://openwrt.org/docs/guide-user/installation/sysupgrade.cli

So 1) Download the two snapshot .bin files, then 2) use code in OEM Easy Installation?

Edit: I guess I should add that I have WinSCP, so I could just transfer the files to /tmp via WinSCP's file explorer, yes?

Thanks!

  1. It doesn't matter how you copy the files to /tmp/ of your router('s OEM firmware). You can use (Win)scp (once you've enabled the ssh(d) in the OEM firmware), you can use (busybox-)wget to download it directly on the router's root shell from LEDE's download mirrors, etc. pp.
    For confirming the checksum, only an md5sum binary is provided by the OEM firmware, while the LEDE/ OpenWrt download mirrors only list sha256sum checksums (check the sha256sum of the downloaded files on your workstation and generate the according md5sum locally from that download, to check it on the router again).

  2. Yes, be extremely careful about getting the printf part right.
    If you want additional safeguards, use https://github.com/pkgadd/nbg6817/blob/master/nbg6817-dualboot to set the rootfs (copy to /tmp/, chmod +x /tmp/nbg6817-dualboot, /tmp/nbg6817-dualboot --set-rootfs /dev/mmcblk0p5) instead of using printf directly.
    Be careful to do all five steps in one go, don't reboot prematurely.

It is strongly recommended to install either a openwrt-18.06 snapshot (includes luci) or a master snapshot (doesn't include luci) on a nbg6817, LEDE <= 17.01.4 doesn't setup a persistent overlay (that has been fixed for 17.01.5 and 18.06.0, but those haven't been released yet - so you need snapshots for now).

You need to be very careful about changing the dualboot flag (via printf or nbg6817-dualboot), to make sure that you really write to the correct /dev/mtdblockX (it's 6 when running the OEM firmware or 11 on LEDE/ OpenWrt; nbg6817-dualboot ensures to only accept valid settings), other than that, the nbg6817 is basically unbrickable (tftp should almost always recover it to the OEM firmware), as all firmware operations (except for selecting the dualflag setting) happen on the eMMC, leaving the crucial data (bootloader, ART, firmwares, etc.) on the spi-nor flash untouched.

Thanks for taking the time to respond in detail!

Also, very helpful to know not to run the "OEM Easy Install" code line by line, but rather run it all at once as the 5 line blob.

What exactly does the nbg6817-dualboot package do? How to I use that if I am on the OEM firmware. When you say "copy to /tmp/, chmod +x /tmp/nbg6817-dualboot, /tmp/nbg6817-dualboot --set-rootfs /dev/mmcblk0p5", would you just run that line in the OEM cli or am I manually copying over the github file to /tmp? Apologies for all the additional questions, I am very new to this. It sounds like I need a better understanding of Linux and OpenWRT cli.

The additional safeguard sounds like a great concept, but now I am worried about messing up the installation of that and it might be better to just stick to copying that 5 line code chunk in one go.

Well, you still execute those 5 lines one by one, copying them over and hitting enter one by one (so you have a chance to spot and react to potential error messages), you just don't start in the morning, before powering off, having tea time and continuing in the evening.

Again, you can use nbg6817-dualboot (which uses additional safety checking), you don't need to - if in doubt, you can follow the wiki verbatim (I've written it - and obviously nbg6817-dualboot didn't exist yet when I first did those steps on my own device). That said, the script's help screen (./nbg6817-dualboot -h) is right on top of the file and should be easy to read even if you aren't familiar with POSIX shell scripting (as is traversing the relevant code paths). But, essentially the following is equivalent to printf "\xff" >/dev/mtdblock6, just with some additional safe guards:

root@NBG6817:~# cd /tmp/
root@NBG6817:/tmp# wget https://github.com/pkgadd/nbg6817/raw/master/nbg6817-dualboot
root@NBG6817:/tmp# chmod +x /tmp/nbg6817-dualboot
root@NBG6817:/tmp# /tmp/nbg6817-dualboot --set-rootfs /dev/mmcblk0p5

(obviously you can replace wget with manually copying it over from your workstation via (Win-)scp)

Except for --set-rootfs and --reset-rootfs, all of the script's operations (parameters) are readonly and safe to use (just in order to account for potential extensions in the future, these safe parameters currently amount to -h|--help, --check-mtd-integrity, --get-mtd, --get-rootfs, --get-version <blkdev>, -l|--list), so have a look at

root@NBG6817:/tmp# /tmp/nbg6817-dualboot --list

to understand about the current setup of your router.

To make this as simple as possible I am going to list what I believe is the complete steps using the 18.06 snapshot.

  1. Connect new ZyXEL NBG6817 to the Internet with ZyXELs firmware in use.
  2. Browse to 192.168.1.1 and go through the initial setup.
  3. Enable SSH access from the advanced remote management configuraiton
  4. Using an SSH client connect to the ZyXEL using root and the password created when first accessing the ZyXEL web interface.
  5. Change directory to /tmp
  6. Download required files using wget (links listed here were from 15/06/2018) from http://downloads.openwrt.org/releases/18.06-SNAPSHOT/targets/ipq806x/generic/ you will want to copy the current links and modify the wget commands below to download the latest build.
    6.1 wget http://downloads.openwrt.org/releases/18.06-SNAPSHOT/targets/ipq806x/generic/openwrt-18.06-snapshot-r7018-18f18a2-ipq806x-zyxel_nbg6817-squashfs-mmcblk0p4-kernel.bin
    6.2 wget http://downloads.openwrt.org/releases/18.06-SNAPSHOT/targets/ipq806x/generic/openwrt-18.06-snapshot-r7018-18f18a2-ipq806x-zyxel_nbg6817-squashfs-mmcblk0p5-rootfs.bin
  7. Enter these commands to complete the install, make sure you use the updated file names you downloaded:
# printf "\xff" >/dev/mtdblock6   #warning, only do this from the OEM firmware!
# cat /tmp/openwrt-18.06-snapshot-r7018-18f18a2-ipq806x-zyxel_nbg6817-squashfs-mmcblk0p4-kernel.bin >/dev/mmcblk0p4
# cat /tmp/openwrt-18.06-snapshot-r7018-18f18a2-ipq806x-zyxel_nbg6817-squashfs-mmcblk0p5-rootfs.bin >/dev/mmcblk0p5
# sync
# reboot -f

Once rebooted you will be able to browse to the web admin at http://192.168.1.1

I understand that you're afraid of potentially bricking a brandnew device, but quoting the procedure over and over again won't actually lead to a different outcome.

When someone comes here and states they are a bit unsure in regards to installing the firmware, the aim should be to help them. Not be overly technical in our responses. Know your audience.

1 Like

Bummer.. I did install as simplexion described. Connected via SSH. that worked so far

Updated this part...

# printf "\xff" >/dev/mtdblock6   #warning, only do this from the OEM firmware!
# cat /tmp/openwrt-18.06-snapshot-r7051-25eb240-ipq806x-zyxel_nbg6817-squashfs-mmcblk0p4-kernel.bin >/dev/mmcblk0p4
# cat /tmp/openwrt-18.06-snapshot-r7051-25eb240-ipq806x-zyxel_nbg6817-squashfs-mmcblk0p5-rootfs.bin >/dev/mmcblk0p5
# sync
# reboot -f

After reboot.. nothing.. no way to get to the router.. tried to reset it to default factory settings .. nothing..
Also direct connection via PC to router LAN no connection to router possible..

the only thing I can see when i connect an old sitecom router in between.. and can ping 169.254.255.222 but connection refused via putty

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (2) I219-V
   Physical Address. . . . . . . . . : 2C-4D-54-D1-44-80
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::21b8:9a45:94a8:ffde%19(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.255.222(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 271338836
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-1B-47-A9-2C-4D-54-D1-44-80
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

So are there options left that i can try? Or is it for the presspaper or garbagebin?

Thanks for any help I get.. Cheers

Hi there! Yes, flashing Zyxel NBG6817 to LEDE is not as straightforward as e.g. R7800. But still, hardbricking the NBG6817 is very difficult, you should be able to recover your device by TFTP method:

  1. Download latest stock firmware, rename to ras.bin.
  2. On your Windows PC, install TFTP of your choice. My favorite is the Windows built-in one. Install by using Win + R -> appwiz.cpl -> Windows Features (left side panel) -> TFTP-Client.
  3. Open up a command-line where ras.bin is located (Shift + Right-Click -> Open Command-line here)
  4. Manually set your Windows PC to IP address 192.168.1.99, netmask 255.255.255.0, gateway 192.168.1.1, DNS 192.168.1.1
  5. Turn off the Zyxel, wait 30 seconds.
  6. Press and hold WPS button, turn on your device, keep WPS pushed.
  7. Enter tftp -i 192.168.1.1 put ras.bin into your commandline.

You might need a few runs or try your luck with other TFTP programs. Your device will give you LED signals in order to indicate, when it's ready to accept TFTP image. Unfortunately, I don't remember it in detail anymore. Also, make sure to disable Windows Firewall, as it may eventually get in your way. Good luck and please report back.

Edit: after you have recovered your device, I suggest flashing latest stock firmware 2 times via GUI. This will make sure both dual boot partitions are populated with a working firmware.

1 Like

If you have an unmanaged 100 MBit/s switch, using that between router (LAN) and tftpd can help significantly, the tftp window is rather short and avoiding link training can give you the crucial few seconds.

https://openwrt.org/toh/zyxel/nbg6817#debricking

Thans for helping out here..

  1. Renamed stockware to ras.bin
  2. Enabled TFTPclient in Windows
  3. Went to ras.bin location
    4.Static IPADDRESS set
  4. Zyxel was already off
  5. WPS pressed. turned on device kept pressing it for 3 sec.
    7 entered tftp -i 192.168.1.1 put ras.bin got after a while connect request failed.

My PC Utp cable to a TP link GB switch and the ZyXEL router lan port to TP switch lan..
Turned of my eset firewall. Enabled the Windows TFTp client and after that I turned on router with Wps Button pressed for three seconds. .
How do I know for sure the tftp server on ZyXEL is working.? Maybe LEDE isnt properly installed at all because the only thing I did was what simplexion described in the last part. Somehow i thought that was enough..
A a Ping to 192.168.1.1 gives a request timed out. Thanks for helping here I appreciate it a lot...

A packet sniffer like wireguardwireshark will list the tftp request and data transfer.

You mean wireshark? Also tried different setups like connecting:

  1. PC via utp to Router(WAN)
  2. PC via utp to Router(LAN)
    3.PC via utp via Tp link switch(Gb) to router(wan)
  3. PC via utp via Tp link switch(Gb) to router(lan)

Also Ethernet identifies and then switches back and forth to networkcable not attached.. Getting out of Ideas here. Zyxel should have an option to flash via USB and WPS. That would do the thing.. Will try Wireshark.. Also tried Putty SSH.. getting a reply Software caused connection abort. If the software is screwed and factory reset fails I think its over... after reboot PC I can get a ping to 192.168.1.1 but still connect request fails via tftp... Thanks! hereby my wireshark log deleted

I ran tftpd64.. Filled in Host 192.168.1.1 port 24 via server interface 192.168.1.99.. (already configured)
I did as described..
However network adapter turns off and on identifying over and over again. Seems Ethernet adapter is getting unstable Red cross saying not attached then attached again.. So it doesnt flash ..

Seems like its corrupted and even the tftp server functionality doesnt seem to work. As i've already mentioned.. I just the last steps provided by simplexion nothing else.. so maybe its missing something
Thanks
NB: As a noob I am only allowed to do 3 replies to a POST.. SO I WILL UPDATE HERE
IMAG1249

Lucky for you, I'm reconfiguring my whole network and the Zyxel NBG6817 is having a small break right now. I'll reproduce the TFTP method and give you more detailed steps. However, I remember having some issues getting the TFTP command at the right moment, as the time window is very tight (as @slh has noted, bootdelay is set to 3 seconds). Reporting back soon!

Edit: I couldn't get TFTP flash working with Windows built-in tool - not even a single time. Using tftpd64, this whole process gets foolproof! I had 100% success:

  1. Download tftpd64 from here: http://tftpd32.jounin.net/tftpd32_download.html (I prefer portable version) and extract it to a folder.
  2. Copy ras.bin to that folder.
  3. Launch the program and choose 192.168.1.99 as interface (which you've configured previously - IP address and netmask seems to be enough). The program is now completely set and doesn't require any user interaction from now on.
  4. Press and hold WPS, power on router, don't let go of WPS. NBG6817 LEDs will be: 2.4GHz LED -> 5GHz LED -> Power LED -> all LEDs off. A few seconds later, tftpd64 will notify you about ras.bin beeing sent to your router. Now, you're allowed to let go of WPS button.
  5. Once flashed, Power LED and 2.4GHz LED will blink very fast. This indicates a successful flash. I've waited an additional 15 minutes, just to make sure everything is fine. Power off your router, wait a little while and power it on again.
  6. Your router should work again.

If this successfully brings back your router, I will update my guide above accordingly. Interesting find: I kept WPS pressed, and started tftpd32 roughly around 15 to 30 seconds later, TFTP recovery still worked. Guess that "bootdelay = 3" in zloader / uboot source is meant for something else. I've done this with a direct connection to the router (LAN4, but any LAN port should work I guess). Windows Firewall enabled, allowed tftp64 to operate in private and public (unknown) networks. Worked fine.