recently i bricked my router (running an openwrt firmware) again: i changed the firewall setting of zone lan by setting input policy to reject; this effectively blocks all incoming traffic to the router from the lan interfaces; this is pretty bad because i lost access to luci and ssh, so i cannot restore the firewall settings;

in the old days i would simply use a serial cable to re-flash the firmware; but i don't have one at hand right now; so i did some searching and decided to try the failsafe mode;

the official doc is here; basically, failsafe mode only mounts the read-only filesystem (squashfs) during boot, and does not mount the read-write filesystem (jffs2); so after boot the router is in its initial and intact state, as if you had not made any modifications; next, you can mount the read-write filesystem manually to see what went wrong;

the doc gives 3 different procedures to enter failsafe mode:

  • wait for a flashing led and press a button;

  • wait for a udp message and press a button;

  • wait for a serial message and press a button;

in my case, i didn't see any udp message and didn't have a serial cable, but the flashing led works just fine; after powering on the router, the led will flash as follows:

  1. a sequence of lights specific to the device;

  2. a 5/sec blink lasting 2 sec; this means the router is waiting for the user to trigger the failsafe mode; press the reset button now; holding for 1-2 sec looks good; and you may need a pin;

  3. the led will flash as:

    • a 10/sec fast blink, if failsafe mode is triggered;

    • a 2.5/sec slow blink, if failsafe mode is not triggered and normal boot continues;

if you see the 10/sec fast blink, congrats, you can continue with the next steps:

  1. plug an ethernet cable between pc and router, because failsafe mode disables wireless connection on the router;

  2. in failsafe mode, the router has ip address 192.168.1.1; so configure pc ethernet ip address to 192.168.1.xxx, where xxx is not 1; for example:

    ifconfig eth0 192.168.1.100
    
  3. in failsafe mode, the router provides a telnet interface; so you can connect to it from pc by running:

    telnet 192.168.1.1
    
  4. in telnet, there is a special command mount_root, which mounts the read-write partition at /overlay and overlays it on top of /; you need to run this command to see the overlay content:

    mount_root
    
  5. fix your specific problem; in my case, it was firewall misconfig; so i can inspect and fix firewall settings by running:

    vi /etc/config/firewall
    

    to fix my problem, i just need to restore input policy for zone lan:

    config zone
            option name 'lan'
            option output 'ACCEPT'
            option forward 'ACCEPT'
            option network 'lan'
            #option input 'REJECT'
            option input 'ACCEPT'
    
  6. save; restart; enjoy your day;
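
a check to run before restarting the firewall, so the same edit does not lock you out again; this is an added example, not part of the original post or of openwrt itself; the function names zone_input_policy and lan_input_blocked are made up here and the sample config is constructed; it reads a uci firewall config on stdin and reports the input policy of one zone:

```shell
#!/bin/sh
# Added example (not from the original post): parse a UCI firewall config
# from stdin and report a zone's input policy before the firewall restarts.

# zone_input_policy ZONE -> prints the policy in upper case, UNSET if the
# zone has no input option, or nothing if no such zone exists.
# Commented-out lines such as "#option input 'REJECT'" are ignored.
zone_input_policy() {
    awk -v want="$1" -v q="'" '
        # strip single and double quotes from a UCI value
        function unquote(s) { gsub("[" q "\"]", "", s); return s }
        # called at each section boundary: options may appear in any order,
        # so the decision is made only once the whole section has been read
        function emit() {
            if (sect == "zone" && zname == want)
                print (policy == "" ? "UNSET" : toupper(policy))
            sect = ""; zname = ""; policy = ""
        }
        $1 == "config" { emit(); sect = unquote($2); next }
        $1 == "option" && $2 == "name"  { zname  = unquote($3) }
        $1 == "option" && $2 == "input" { policy = unquote($3) }
        END { emit() }
    '
}

# lan_input_blocked: exit status 0 when zone "lan" refuses traffic addressed
# to the router itself (luci, ssh), i.e. the lockout described in the post.
lan_input_blocked() {
    case "$(zone_input_policy lan)" in
        REJECT|DROP) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample: the broken setting from the post.
sample_broken="config zone
        option name 'lan'
        option input 'REJECT'
        option output 'ACCEPT'"

if printf '%s\n' "$sample_broken" | lan_input_blocked; then
    echo "zone lan: input policy would cut off luci and ssh from the lan"
fi
```

on the router, after mount_root, run `lan_input_blocked < /etc/config/firewall` and only restart when it returns non-zero.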

finally, as the doc says, failsafe mode is the higher level way to “start over” with your router; if failsafe mode doesn't work, you may try factory reset or recovery mode; but those are off topic for this article; so read the doc;