Saturday, 25 November 2017 16:22

Install LEDE on a BT Home Hub 5 / Plusnet One Router

Written by

Overview / Purpose of this guide

These instructions are for aimed at users of Windows but a lot of the information will work for other OS users.

I wrote these instructions just to clear few things up so next time I flashed a BT Home Hub 5 Model A (HH5A) router, it would be easier. The instructions done by other people are not necessarily faulty but not as clear as I needed at points and this mini guide will address those. It must be said I am also a bit of a newbie at electronics so not everything is obvious.

These instructions are complementary to the guides and information that has already been done by the community and in particular thanks goes out to:

  • Bill at ebilan for the excellent instructions for installing LEDE on a HH5A.
  • LEDE / OpenWRT groups for the hardwork with the open source router software.
  • mkresin - for the BT HH5A install image
  • Anyone else I have not mentioned who helped with this setup.

My guide covers all aspects of this process:

  • Opening the routers case
  • Soldering the serial connection
  • Flashing / Installing LEDE and backup of the orginal router firmware
  • Configuring LEDE on the router

Things you need

Step 1 – Opening the routers case

If you do not open the case carefully you will break the 'fixing tabs' inside. I broke them on my first go and then repaired them with a soldering iron. Look at these instructions in order on how to open the case.

Step 2 – Soldering the serial connection

Before you start soldering read this article:

Simple no soldering flashing jig made from a cat5e keystone jack -

It is perfect for those who cannot solder. You will need to buy a RJ45 Network Keystone from eBay.

You can use your own method for soldering the connections as long as you have access to the required connections on the circuit board and can attach them to a USB to TTL RS232 Converter.

People have done this many different ways but I am going to replicate the arrangement on the OpenWRT BT HomeHub 5.0 Type A as this is the page most people will land and the method is quite clean.

You do not have to use the ground points that I have used based on the OpenWRT BT HomeHub 5.0 Type A page.

This method described on this page mounts a 5 pin header block designed for reuse.

Connections of the 5 pin header

Before soldering, you need to know what you are soldering and why.

The images and instructions could be a little clearer about what is actually soldered to where, so I will just clear that up now.

I have taken the image off the OpenWRT HH5A page that shows the wires connected and then labelled the connections with an accompanying table below showing the connections. These are now labelled in a logical order and are easier to follow but do not have the same numbering as the OpenWRT HH5A page.

serial console connector

Image from the OpenWRT HH5A page

 Pin No. USB Serial to TTL Adapter Wire Colour Home Hub Connection Point
 1 n/a Blue  boot_sel2 / R45 Pad
 2 n/a n/a  GND / Use the USB socket ground/case pin
 3 TX Blue  RX / R78 Pad
 4 RX Purple  TX  / R77 Pad
 5 GND n/a  GND / Use the ground plane connection of the capacitor
  • As you can see there are 2 groups. One is for the ‘Boot Selection’ and the other is for the 'Data Connection'
  • There are 2 grounds because each group needs its own ground.
  • The ground on the left is a case pin of the USB socket and the one on the right is the ground plane of a capacitor. The 5 pin header is soldered directly to these points (pins 2 and 5) which gives it stability as well as a ground connection on each pin.
  • If left as is, the case would need to have some holes drilled into it to allow the 5 Pin header to be exposed outside of the case for permanent access.
  • After the process is complete the serial interface is not needed unless router becomes bricked.
  • Some people say to remove the serial interface (wires etc.) as it can affect the wireless calibration. Eliban left his in

This is a close up of the pads

pad positions close up

Image from the OpenWRT HH5A page

Fitting the 5 pin header and soldering the wires to the pads

These are my newbie notes

  • Do not use to much heat because you will damage stuff. If it gets a bit warm wait a few minutes before doing the next pad or pin.
  • if you are not a good solderer, get some practice (or someone to do it for you)
  • Mask of the area around the pads with some kapton tape to prevent accidental damage to components

Soldering instructions

  1. Get some wires and make sure you get the approximate length to match how it looks in the picture
  2. Strip the ends of the wire, but not too much.
  3. Solder the wires to the required pins of the 5 pin header.
  4. Solder the 5 pin header on to the 2 grounding points.
  5. Make sure you have not melted the 5 Pin header and the pins are still tight so do not move.
  6. Lay the wires in place on the board so they run from the header to the pads
  7. Tape the down the wires with some Kapton tape. This makes it much easier to solder them to the pads and removes load of the solder pads when the wires are soldered to the pads
  8. Solder the wires to the pads carefully. The solder mask will be quite forgiving. 

Example of neat soldering

Step 3 - Flashing / Installing LEDE and backup of the orginal router firmware

Follow the instructions from BT HH5A openwrtLEDE Windows instructions v3.44.pdf (ebilan) and use this as a companion guide.

Download Firmware / Install Files for the HH5A

NB: ‘Factory Reset’ function and ‘Reset’ button only work with squashfs images. = use squash

Install the required software

  • PuTTY
  • Notepad++
  • TFTPD32 - Use the Standard edition installer
  • WinSCP - This is only needed for messing with the router later. FlashFXP will also work.

Connect the adapter

  • Connect the USB serial adapter to the 5 pin connector as the connection table above.
  • Connect the USB serial adapter to windows.
  • Get the COM number of the adapter by going to windows device manager and find the COM assignment of the new device.

Configure Putty

  • As per the eliban instructions page 3

Access the router firmware via the console

With putty running and the adapter connected:

  • Short the boot_sel2 pin to Ground (GND) and power on the HH5A. Now immediately disconnect the boot_sel2 pin from Ground. The UART ‘CFG 04’ prompt will appear.
    Do NOT leave it connected any longer than necessary because it may damage the hub, causing it to remain permanently stuck in ‘CFG 04’ mode!
  • CFG04 mode should now appear in the console. This means it is in a read/write mode.
    • If you get CFG06 either you soldering is wrong for the boot select, you did not make a good short for long enough or you did not short the pins properly.

Transfer ‘HH5A LEDE install image’ to the router

  • Transfer the lede-lantiq-bthomehubv5a_ram-u-boot.asc (u-boot) to the router
    • Open the .asc file with Notepad++, select all and copy
    • Goto the Putty console window and right click (should still be open and connected to the router). The asc file will transfer and execute.
    • I believe the .asc is file contains loads of prewritten scripts that get executed
    • After about 90 seconds, the custom U-boot will start and the BTHOMEHUBV5A u-boot prompt will appear.
  • On you windows PC set IP on the Ethernet to be
  • Open TFTPD32
  • Go back to putty
    • Type the following command into the console
      tftpboot 0x81000000 lede-lantiq-xrx200-BTHOMEHUBV5A-installimage.bin; bootm 0x81000000
    • The file should automatically transfer via TFTP
  • Wait 5+ mins for ‘br-lan’ to appear and then press enter

Now move on to the LEDE Installation Guide for HH5A v1.60b.pdf (eliban) as the rest of the instructions should be the same as the linux OS.

Backup BT Firmware (eliban 3.0)

Before doing anything else you need to back your routers original firmware.

When you remove a pendrive from windows you should eject it properly so the volume is not marked as dirty

  • Plug a pendrive into the USB socket (if a FSCK notice is shown, the volume was not unmounted properly, just a warning but it is better to use a clean pendrive). It will auto mount, usually as USB-A1
  • Get the USB mount name by typing
     ls /tmp/mounts
  • Check the pendrive works by doing a directory listing
     ls /tmp/mounts/USB-A1
  • Run the backup command to send the nanddump to the pendrive took (12 minutes to complete on mine)
     nanddump -f /tmp/mounts/USB-A1/hh5a.nanddump /dev/mtd4
  • Unmount the pendrive and transfer the nandbackup backup to a PC. You can run the backup process again as above and then binary compare them if you want.
     umount /tmp/mounts/USB-A1
  • Whilst the USB is in the PC, put the file lede-17.01.4-lantiq-xrx200-BTHOMEHUBV5A-squashfs-sysupgrade.bin in the root of the USB
  • Plug the USB back into the router

Replace the stock BT firmware (eliban 4.0)

  • Eun the prepare script by entering the command below. This will unlock the internal bootloader. Only ever run this once.
  • Enter the confirmation
  • The bootloader is now decrypted, unlocked and rewritten back to the firmware
  • A LEDE console will now appear root@lede:/#
  • Enter the command
     sysupgrade /tmp/mounts/USB-A1/lede-lantiq-xrx200-BTHOMEHUBV5A-squashfs-sysupgrade.bin
  • This only takes a couple of minutes at most before the CFG04 message is on screen and this means the flash has finished successfully
  • Powercycle the router 

Backup settings - (eliban 4.3)

Always backup your current LEDE configuration before making any significant changes.

  • (System-->Backup / Flash Firmware-->Backup / Restore-->Download Backup)
  • Get the backup of your configuration settings and store safely on another device.
  • This seems to include all of the /etc/ folder and in particular the /etc/config/ folder 

We have now installed LEDE successfully installed on our HH5A. You should now follow my instructions but I still use references to the LEDE Installation Guide for HH5A v1.60b.pdf (eliban) tutorial.

Step 4 - Configuring LEDE on the router

The following are my instructions on how to configure LEDE to give the same functionality (and more) of the orginal HH5A.

Router password

(System-->Administration-->Router Password)


  • This must be done ASAP for security.
  • When the password is not swt you can just click on the message at the top for easy access
  • I use the admin password off the router itself because it is easier to remember


(System--> Administration --> SSH Access --> Dropbear Instance-->Interface)

  • by default is set to unspecified (i.e. all)
  • perhaps set this to ‘LAN’ for better security?



  • Set the wifi SSID and encryption with a suitable password
    • 5GHz / wlan0
      • Operating Frequency: = leave as is (AC / 36(5180 MHz) / 80 MHz)
      • Transmit power = leave on auto
      • SSID (ESSID) = quantumwarp_wifi_5G
      • Mode – access point
      • Wireless security
        • Encryption = WPA-PSK/WPA2-PSK Mixed Mode
        • Cipher = auto
        • Key = {your password}
      • 2.4GHz / wlan1
        • Operating Frequency: = leave as is (N/ 11(2462 MHz) / 20 MHz)
        • Transmit power = leave on auto
        • SSID (ESSID) = quantumwarp_wifi
        • Mode – access point
        • Wireless security
          • Encryption = WPA-PSK/WPA2-PSK Mixed Mode
          • Cipher = auto
          • Key = {your password}


  • Wifi is off by default
  • You can also use the same SSID for both networks if you want. This is the way BT Home Hub normally does it. 

BT/Plusnet fibre using the DSL socket

  • Read How do I connect the HH5A to my UK ISP ? (eliban 7.5) – this will give you the settings for your VDSL (fibre) or ADSL line but more importantly gove you the correction section to read next which depends on your required setup.
  • Select the correct section to goto, In my case (eliban 9.1)
  • Read Quick PPPoE setup using DSL port for VDSL Connection (eliban 9.1)
  • Follow the instructions below to configure your BT/Plusnet fibre.


  • Protocol =PPPoE
  • PAP/CHAP username = your broadband username
  • PAP/CHAP password = your password if you have one
  • If you need to set a VLAN tag (i.e. for BT with VLAN tag of 101)
    • (Network-->Interfaces-->WAN-->Edit-->Physical Settings-->Interface-->Custom Interface:) = ptm0.101
    • This setting will not stay on Custom Interface: but will create a new setting called Software VLAN: "ptm0.101" (wan) which will be selected.
  • Leave the rest


  • Annex = B (all)
  • Tone = A (A43c + J43 + A43)
  • Encapsulation mode = PTM/EFM (Packet Transfer Mode) – which is also the default
  • DSL line mode = VDSL (slightly fast to connect if you specify)
  • Ignore the rest

Now Reboot Router (System-->Reboot)


OpenDNS / Custom DNS servers

This still sends to the clients but sets the DNS servers used by the router to OpenDNS

  • (Network-->Interfaces-->WAN-->Advanced Settings-->Use DNS servers advertised by peer) = unticked
  • (Network-->Interfaces-->WAN-->Advanced Settings-->Use custom DNS servers) = OpenDNS servers / and
  • Check out Quad9 and use their security based Public DNS servers (


  • In (Networks-->Interfaces-->LAN-->Edit-->Advanced Settings-->Use custom DNS servers) you can set what DNS servers are issued to the LAN clients.
    • This becomes available after you unticked/disable:
      (networks-->Interfaces-->LAN-->Edit-->Advanced Settings-->Use DNS servers advertised by peer)
  • In (Network-->DHCP and DNS-->General settings-->DNS forwardings) you can change where DNS queries are forwarded to.
  • Edit the config file manually /etc/config/dhcp
  • Configuring OpenWRT and OpenDNS to log all DNS lookups - might has some relevance.
  • You can use the Dynamic DNS plugin to update the client IP at OpenDNS servers directly (or use DNS-O-Matic) so you can perform any required filtering you want such as a familiy filter etc...



  • DHCP settings are configured on the interface (i.e. network-->interfaces-->LAN-->DHCP Server)
  • You can edit the DHCP settings manually by editing the Config file = /etc/config/dhcp
  • (network-->DHCP and DNS-->) has the non-interface specific settings for DHCP and DNS.

Set Red WAN port as a LAN port

  • LEDE Installation Guide for HH5A v1.60b (03-11-17).pdf - port 9.7 (page 72)
  • (network-->switch-->VLAN ID 1) set the WAN to be untagged
  • (network-->switch-->VLAN ID 2) set the WAN to be off
  • You need to do both settings above otherwise you get this error
    “WAN is untagged in multiple VLANs!”
    You could delete VLAN 2, but I don’t know what that does.


  • By default: VLAN1 WAN = off, VLAN 2 WAN = untagged


I currently do not have any specific configurations for the firewall because it has all been done.


  • Firewall 'Port Forward' is the rule to use for blocking. You can foward packets to nowhere. Instructions will be added here when I have some

LED Lights

You are able to configure the router's 3 compound LEDs to provide feedback from the router's various functions with a selection of colours which can also be controlled independently.

There are some really nice features you can add such as the heartbeat effect where you can translate the CPU load in to a heartbeat pulse via the select LED. I use the wifi LED configured as red.

Colours available

  • Red
  • Green
  • Blue
  • Orange - The router is capable but it is not currently available in LEDE


  • You can edit the LED rules very easily using LuCI
    (System-->LED Configuration)
  • The LED configurations are stored in the file /etc/config/system
  • You can edit the system file directly witout needing to use LuCI.
  • The order the rules appear in the system file is important because they are hierarchical like CSS so each rule will override the ones before it if they conflict.
  • The dimmed rule when enabled will dim all the LEDs.
  • LED triggers prefixed with phy mean they are direct physical polls of the wifi hardware. phy0 is the
  • netdev trigger is a wrapper for polling various different softeware polls.
  • The LED flashes on events triggered in physical interface, rather than in software network interface. Besides phy triggers have more events, it also provides possibility of static LED setup in case you want to monitor your 2.4 GHz radio (phy0 usually) and 5 GHz radio (phy1 usually) separately. netdev can’t guarantee this distinguishing since wlan0 may be referring to 2.4 GHz or 5 GHz radio based on current network setup.
  • You cannot monitor both wifi networks as one.


LED Configurations

This section contains various configuration for your HH5A LEDs.

Default Configuration

config led 'led_wifi'
	option name 'wifi'
	option sysfs 'bthomehubv5a:blue:wireless'
	option trigger 'phy0tpt'
	option default '0'

config led 'led_internet'
	option name 'internet'
	option sysfs 'bthomehubv5a:blue:broadband'
	option trigger 'netdev'
	option mode 'link tx rx'
	option dev 'ptm0'
	option default '0'

config led 'led_dimmed'
	option name 'dimmed'
	option sysfs 'dimmed'
	option default '0'
	option trigger 'none'

This is the default configuration for the LEDs when you first install LEDE.

HH5A Configuration

config led 'led_wifi'
	option name 'wifi'
	option default '0'
	option trigger 'none'
	option sysfs 'bthomehubv5a:blue:wireless'

config led 'led_internet'
	option name 'internet'
	option sysfs 'bthomehubv5a:blue:broadband'
	option trigger 'netdev'
	option dev 'ptm0'
	option default '0'
	option mode 'link'

config led 'led_dimmed'
	option name 'dimmed'
	option sysfs 'dimmed'
	option default '1'
	option trigger 'none'

This is not the same as the default HH5A LED configuration because the LED configuration in LEDE lack the features I need to program this. In the future I would like to revisit this.

This configuration will do the following

  • The WIFI LED will be disabled.
  • The Internet LED will light up blue when the DSL connection is up
  • All LEDs will be dimmed.
  • The load up procedure and it's LED configuration is untrouched because it is controlled by the bootloader. This also means the Power LED will stay on coloured as blue.

Disable Power LED / Other LED

It is possible to disable the Power LED (or other LED) by adding a new rule via LuCI or directly in the /etc/config/system file. The Power LED is turned on by the bootloader and this is why you need to add an extra rule whereas Other LEDs you could just delete the rule that turns them on.

  • Name: Power LED
  • LED Name: bthomehubv5a:blue:power
  • Default state: unticked
  • Trigger: none

or you can add the following code directly into the system file

config led
	option default '0'
	option name 'Power LED'
	option sysfs 'bthomehubv5a:blue:power'
	option trigger 'none'

Unmodified HH5A LED behaviour

This is the default LED behaviour of an unmodified HH5A and I can use this to program up the LED behaviour in LEDE to match this default behaviour when the required functionality is added in a future version of LEDE.

Booting a configured router with DSL plugged in

Router bootloader

  • (0:00) Start:
    • Power: Green, Solid
  • (0:25) Power: Green, Flashing

Router has booted

  • (0:40) Power: Blue, Solid
  • (1:00) Power: Orange, Flashing
  • (1:50) Power: Orange, Solid
  • (2:00) Internet: Orange, Solid
  • (2:33) Internet: Orange, Off
  • (2:35) Power: Blue, Solid

NB: occasionally at 1:15 the orange light goes solid while the internet led flashes about 4 times before resuming flashing orange.

Remove DSL wire from a connected and configured router

  • (0:00) Start:
    • Power: Blue, Solid
  • (0:07) Power: Orange
  • (0:07) Internet: Orange, Solid
  • (0:13) Internet: Red, Flashing (0.5 second on/off)

Plug in DSL wire to a configured router

  • (0:00) Start:
    • Internet: Orange, Solid
    • Internet: Red, Flashing (0.5 second on/off)
  • (0:06) Power: Orange, Flashing (0.5 second on/off)
  • (0:40) Power Orange, Solid
  • (0:55) Internet: Orange, Solid
  • (1:24) Internet: Red, Off
  • (1:25) Power: Blue, Solid

Hold the WPS Button

  • Wifi: Orange, Flashing (2 second on/1 second off)

Step 5 - Additional LEDE functionality with Add-ons (Packages)


Your Router must be on the internet to be able to install software

These extra features do not come preinstalled in LEDE so need to be installed. The GUI (web interface) is called LuCI and all of the GUI add-ons are prefixed with ‘luci’ so you can search for just GUI add-ons by using the search term 'luci-'. I have found that if I install a ‘LUCI’ add-on then the other dependencies such as the actual service it will controls gets installed as well. This is why using LuCI is much better for most people than using the command line.

The plugins I have listed below are the main ones to get your router doing the orginal HH5A features and the little extras to make life easier.

There is currently no place online you can browse the software repository. The best place for decriptions is to type something in to the search box on the software page of your router and look at the packages you want to install and you will see a brief description of them but only on the 'Available Packages' tab.

Please bear in mind this is my setup to get a good baseline as close to the HH5A as possible. All those addons that have (not used) means I have installed them to make sure they work but have uninstalled them because I did not want the features they offered. Some people might want those features so I have left the install notes here for reference.

The optional addons should only be installed if you want those features. All the rest of the addons should be installed unless you absolutely do not need those features. 

LEDE will run with none of these addons installed.

Add-on Notes

Editing Files (SSH / SCP / SFTP)

You need to use this to edit config files with windows  using WinSCP or FlashFXP which is easier than the commandline but this requires a little configuration. You can use SSH and edit via the command line using the VI editor.

  • Install openssh-sftp-server - OpenSSH SFTP server.
  • Installs nothing else

Install Notes

  • LEDE Project: SSH Access for Newcomers
  • this sub system is require because FlashFXP give the error {see sftp flashfxp error.txt}
  • You can now edit files like you can in ftp
  • this might already be installed. I did a reset and uploaded my old config and openssh-sftp-server was in the installed packages. This could be a bug or an incomplete reset.
  • If you try and use SFTP over SSH without openssh-sftp-server installed you will get the following error
    [15:11:23] [R] Connection failed (Unable to access SFTP sub-system, operation failed.)
    [15:11:23] [R] Delaying for 10 seconds before reconnect attempt #1


  • Install WinSCP in windows. FlashFXP will do the same (SFTP over SSH)
  • connect using the 'root' account and password
  • once connected, click up folder once to see all of the folders
  • Config settings are at /etc/config/
  • Edit them like a normal text file
  • Read WinSCP (eliban 10.2)

UPnP (optional)

UPnP is not installed by default.

Once installed UPnP will need to be turned on.


WPS doesn't work out of the box on OpenWrt or LEDE, you need to:

  • remove wpad-mini
    • This package contains a minimal IEEE 802.1x/WPA Authenticator and Supplicant (WPA-PSK only).
  • install wpad
    • This package contains a full featured IEEE 802.1x/WPA/EAP/RADIUS Authenticator and Supplicant
    • does not install anything else
  • install hostapd-utils
    • This package contains a command line utility to control the IEEE 802.1x/WPA/EAP/RADIUS Authenticator.
    • does not install anything else
  • reboot
  • Log back into LuCI
  • You will now have the option to enable WPS in LuCI under
    (Network-->Wireless-->Edit-->Interface Configuration-->Wireless Security-->Enable WPS pushbutton, requires WPA(2)-PSK)
  • Tick the box
  • Click 'Save & Apply'
  • Done, WPS is enabled.


  • WPS works my HH5A with LEDE, and just to confirm, yes the button does work with no extra configuration. But i have read that WPS working can be hit or miss varying from router to router.
  • LEDE Project: Wireless configuration - contains information on configuring WPS, this is really for reference or advanced users.

WIFI on/off buttons (optional)

This is not needed for the HH5A if you use WPS, otherwise you can use this to configure the WPS button for something else such as turning the WIFI on or off.

  • install wifitoggle
    • Very versatile script to toggle Wi-Fi with a button. Allows to set timeouts, persist changes after boot, and set LEDs according to the state.
    • I dont think this installs anything else as I have not tested it.


GUI for the web server daemon (optional)

You only need this if you want to play around with the web server settings. Most people will not need this.

  • Install luci-app-uhttpd
    • uHTTPd Webserver Configuration
    • This installs nothing else
    • Creates a menu under services called ‘uHTTPd’


There seems to be a few SSL packages but most people seem to use one which is the package that is used by LuCI for https/SSL (see below).

Basic Open SSL

This will install the minimum to use SSL

  • Install libustream-openssl
    • ustream SSL Library (openssl)
    • Also installs
      • Zlib
      • libopenssl

CA Certificates (optional)

This installs all root certificates as one bundle file and seems to be updated on a regular basis to keep upto date with certificate authority changes. Root certificates are required to validate HTTPS certificates.

  • Install ca-bundle
    • System CA certificates as a bundle
    • This installs nothing else

ca-bundle vs ca-certificates

I do not know why there is ca-bundle and ca-certificates but I believe that ca-bundle is all of the root certificates in one file where as ca-certificates the root certificates are all seperate and that some programs require them to be seperate. Which ones these are is beyonnd me and unless otherwise told I will use ca-bundle.

LetsEncrypt (not used)

Control the ACME Letsencrypt certificate interface

  • Install luci-app-acme
    • Control the ACME Letsencrypt certificate interface
    • Also installs
      • libmbedtls
      • libcurl
      • luci-app-uhttpd
      • curl
      • netcat
      • ca-bundle
      • acme


  • Amongst other things, this installs a LuCI add-on for the uhttpd webserver which is already installed and running with LEDE by default.

HTTPS for LuCI (optional)

This installs https for luci, the required SSL libraries and disables http:// for LuCI,

  • Install luci-ssl-openssl
    • LuCI with OpenSSL as the SSL backend (libustream-openssl). OpenSSL cmd tools (openssl-util) are used by uhttpd for SSL key generation instead of the default px5g. (If px5g is installed, uhttpd will prefer that.)
    • Also installs
      • zlib
      • libopenssl
      • openssl-util
      • libustream-openssl



LuCI support for Adblock

  • Install luci-app-adblock
    • LuCI support for Adblock
    • Also installs
      • adblock
    • Creates a menu under services called ‘Adblock’

Force all DNS requests through the router

  • Enable (Adblock-->Extra Options-->Force local DNS)
    • Using this feature and OpenDNS adds extra security to your network and prevents rougue uncontrolled DNS requests.
    • This option adds a rule into the LEDE firewall so all DNS requests are sent to the router and if you have set up OpenDNS as a custom DNS server then all DNS requests will be sent to OpenDNS.
    • You can use adblock to install the rules and not actually use the adblock service.
    • These rules might be left on after you uninstall adblock if you do not turn the option of first before uninstalling.
    • If you really want you can manually add these rules to the firewall.


  • Blocks advertising at the router by intercepting DNS requests and checking them against a list.
  • This might not work with DNSCrypt? I have not tested this.
  • this adds a menu item under services called 'Adblock'.
  • Documentation
  • Adblock support thread - LEDE Project Forum
  • Adblock downloads the lists local and uses these for its lookups rather then doing an online lookup for each domain.
  • the block lists are stored locally after downloading them
  • The block lists are updated when the adblock process is started or stopped but you can configure a cron job to do this on a regular basis.
  • To setup a cron job to update the lists
    • goto (System-->Scheduled Tasks)
    • add the following line to the 'Scheduled Tasks' and click submit
      0 06 * * *    /etc/init.d/adblock reload
    • Reboot the router. This might not be needed but it is easier just to do it.
  • OpenDNS might do a similar job but Adblock will check against its own lists aswell before forwarding the DNS request to your chosesn DNS server.
  • you can configure Adblock locally for your own whitelists and blacklists
  • Test your browsers ads blocker - Load this page and see if AdBlocker is working.
  • Adblock lists are all adblock formatted lists.

Simple Adblock (not used)

To install, read the instructions on the GitHub page because I have not installed this and the packages might not be in the official repo yet.


Dynamic DNS

LuCI Support for Dynamic DNS Client (ddns-scripts)

  • Install luci-app-ddns
    • LuCI Support for Dynamic DNS Client (ddns-scripts)
    • Also installs
      • ddns-scripts
    • This adds a menu item under services ‘Dynamic DNS’

Configuring as a custom DDNS provider

For some reason is not in the list of DDNS providers and by the looks of it people have been using a custom script for I dont know wether that is still the prefered method by most people. now offer the standard http/https API method of updating the DNS records with them, so that is my prefered method of updating DNS records.

In (Services-->Dynamic DNS-->myddns_ipv4) configure these settings

These settings work fine and are using normal http.

You need to install SSL to use https

To use SSL you needs to install the basic SSL package or install https for LuCI will also install the basic SSL package and make the web interface use https at the same time.

If you try and use https for DDNS without installing a suitable SSL packge you will get the following error and The DDNS service will also fail to start:

 223214  WARN : uclient-fetch: no HTTPS support! Additional install one of ustream-ssl packages - TERMINATE
 223214  WARN : PID '4597' exit WITH ERROR '1' at 2017-11-23 22:32

The resolution is simple, Install SSL functionality by following the instructions in the sections below.

Configure DDNS to use https

Making DDNS use https is really simple

  • install a suitable SSL package
  • in (Services-->Dynamic DNS-->myddns_ipv4)
    • enable Use HTTP Secure
    • a new box will apear called Path to CA-Certificate
    • You now have to options to enter in
      1. type in IGNORE and SSL will work but will not verify the SSL certificate of the provider. this does add a slight security risk because you do not verify the certificates. It is still beter than not using https.
      2. type in /etc/ssl/certs/ and install the ca-bundle package - This installs the root certificates (CA Bundles) LEDE can use to verify the SSL certificates that are issued by the DDNS prover. I have not verified this works.



DNSSec is an internet standard that is getting adopted across the internet. This technology prevents DNS cache poisoning by verifying that DNS lookups are valid by using a public key infrastructure similiar to that used for SSL certificates to authenticate them. A target website needs to also have DNSSec configured correctly for the system to fully work. I assume most large companies will have this configured by now. The end user will not notice any difference if a site does not have this configured as the DNS request will be correctly handled and sent to the requester. If the DNS lookup fails validation then the lookup will return a domain not found.

LEDE comes with the small version of dnsmasq which is fine for most basic operations but DNSSec requires the full package to be installed.

It should be possible to run DNSSec and DNSCrypt if the target DNS server supports both of these technologies.

  • uninstall dnsmasq
    • It is intended to provide coupled DNS and DHCP service to a LAN.
  • install dnsmasq-full
    • It is intended to provide coupled DNS and DHCP service to a LAN. This is a fully configurable variant with DHCPv6, DNSSEC, Authoritative DNS and IPset, Conntrack support & NO_ID enabled by default.
    • Also installs
      • kmod-nfnetlink
      • libmnl
      • libgmp
      • libnettle
      • libnfnetlink
      • kmod-nf-conntrack-netlink
      • libnetfilter-conntrack
      • kmod-ipt-ipset

You probably will receive the follow error:

Collected errors:
 * resolve_conffiles: Existing conffile /etc/config/dhcp is different from the conffile in the new package. The new conffile will be placed at /etc/config/dhcp-opkg.

Compare the config files

You should note there might be more that one service using the dhcp config file.

  • Text compare the 2 files for obvious settings that need to be copied. Always keep your orginal dhcp file and move what is missing from dhcp-opkg (optional)
  • or you can freshly load the page (Network-->DHCP and DNS) after upgrading to dnsmasq-full and then 'save and apply' the settings thus creating any missing setting that needs to be added (i am guessing here).
  • the dnsmasq-full dhcp config file is almost the same as dnsmasq dhcp config file. dnsmasq-full dhcp config file seems messy. and when you save 'DHCP and DNS' settings in LuCI with no changes it encapsulates all of the settings in apostrophes which mean the original dsnmasq dhcp file format is correct. This most likely means that you should use you orginal dsnmasq dhcp config file. When you enable additional settings then they will be recorded in the config file so any that were possibluy missing will appear as required, this is probably how things worked even before the upgrade.
  • Delete the dhcp-opkg (or save it somewhere but do not leave it on the router)

Enable DNSSec

DNSSec is not enabled by default so will need to be turned on.

  • (Network-->DHCP and DNS-->Server Settings-->Advanced Settings-->DNSSEC) = enabled
  • (Network-->DHCP and DNS-->Server Settings-->Advanced Settings-->DNSSEC check unsigned) = enabled (optional)
    • is slower but more secure, see notes.
    • Requires upstream supports DNSSEC; verify unsigned domain responses really come from unsigned domains


  • Quad 9 | Internet Security and Privacy in a Few Easy Steps - Quad9 is a free public DNS service that provides security focussed DNS lookups. They actively prevent access to malicious sites by blocking the lookups. Quad9 also supports DNSSec.
  • Man page of DNSMASQ
  • "As a default, dnsmasq does not check that unsigned DNS replies are legitimate: they are assumed to be valid and passed on (without the "authentic data" bit set, of course). This does not protect against an attacker forging unsigned replies for signed DNS zones, but it is fast. If this flag is set, dnsmasq will check the zones of unsigned replies, to ensure that unsigned replies are allowed in those zones. The cost of this is more upstream queries and slower performance. See also the warning about upstream servers in the section on --dnssec"
  • Create a DNSSEC record for your domain in cPanel - YouTube - If available.
  • cPanel Zone Editor - cPanel Version 64 Documentation
  • LEDE Project: DNS configuration
  • CZ.NIC - O DNSSEC - A central point on the internet for information and tools for DNSSec.
  • DNSSEC – What Is It and Why Is It Important? - ICANN
  • RFC 3655 - Redefinition of DNS Authenticated Data (AD) bit
  • What is DNSSEC? | ResellerClub
  • What is DNSSEC? (DNSSEC)
  • DNSSec Explained - YouTube
    • This fully explains how DNSSec works. I have added somes notes below I took from the video about DNSSec.
    • 8:40 in video shoes how DNSSec works, the bit before just covered prerequsite technology with explanations.
    • The 'root PubKSK' need to be already installed in LEDE DNS server from means other than the DNS protocol therefore dnsmasq-full must have this file(s) in it to allow DNSsec to work as expected. This is either added in to the repository or the package downloads the file(s) as required but seperate to the DNS protocol.
    • For each lookup from (root zone-->TLD Zone-->Website Domain/Zone)  in a fully DNSSec compliant router there is a chain of trust similiar to a CA certificate. Each signed with the parents public key and so on.
    • A DNSSec server passes back additional information in its lookup response over and above normal DNS and the DNSsec service performs validation and decryption of various keys and signatures which requires the servers to be DNSSec capable.
    • For a website to be using DNSSec there there needs to be keys and things installed on that domains DNS record. (not 100%)
    • I think the keys are all stored as DNS records (not 100%)
    • LEDE is not a full 'recursive DNS server'. dnsmasq will pass the DNS request to a 'full recursive DNS server', this server will do all of the hard work. When the response is sent back to LEDE this will be checked and then forwarded to the client as a normal DNS request reponse.
    • 13:50 in the video setting up DNNSec on your domain
    • Things have to be added to the domain. Just becasue you enable DNNSsec on the router does not mean that it will happen for the full tree. (root zone-->TLD Zone-->Website Domain/Zone) as the chain of trust needs to be maintained.

DNSCrypt (not used)

DNSCrypt is an open source technology developed by OpenDNS that allows the SSL/TLS encryption of DNS requests between the client and the DNS server/resolver. This is not an internet standard but it does have some adoption. DNSCrypt does not do any validation of the DNS request or response like DNSSec does but the two technologies could potentially be used in tandom although currently OpenDNS does not support DNSSec.

  • This is a new way to get your DNS quries. It is not a web standard yet nor is it DNSSEC
  • Install dnscrypt-proxy
    • dnscrypt-proxy provides local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server. The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.
    • Also installs
      • ibsodium
      • dnscrypt-proxy-resolvers
      • dnscrypt-proxy


OpenVPN (not used)

This section is not complete. check out the links to get things working.

LuCI Support for OpenVPN

  • install luci-app-openvpn
    • LuCI Support for OpenVPN
    • installs nothing else
    • creates a menu item unders services called 'OpenVPN
  • install openvpn-openssl
    • Open source VPN solution using OpenSSL
    • Also installs
      • kmod-tun
      • liblzo
  • install openssl-util (optional?)
    • The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. This package contains the OpenSSL command-line utility.
    • Also installs
      • openvpn-easy-rsa
  • install openvpn-easy-rsa – (optional?)
    • Simple shell scripts to manage a Certificate Authority
    • This might not be needed for some configurations.
    • i do
  • Creates a menu under service called ‘OpenVPN’


  • This might need something else installing to get working
  • OpenVPN on your LEDE router has 3 potential modes
    1. Force all local traffic through the VPN
    2. Configured as a VPN server so clients can connect to your network remotely.
    3. Bridge mode so 2 routers bridge their networks. (might be the same as 1 and 2)


ClamAV (not used)

ClamAV is an anti-virus package you can run on the router independant of the clients but it is CPU intensive. This is better suited for higher spec setups such as virtual machines.

  • install luci-app-clamav
    • This package will install ClamAV Web UI.
    • This also installs
      • libmbedtls
      • libcurl
      • uclibcxx
      • clamav
    • This creates a menu item under services called 'ClamAV'
  • install freshclam (optional)
    • Database updater for ClamAV
    • this does not install anything else


  • This will put a high cpu load on the router.
  • freshclam is a service to keep the definition files upto date

Step 6 - Backup settings

After configuring the router you will want to backup your settings

  • (System-->Backup / Flash Firmware-->Backup / Restore-->Download Backup)
  • Get the backup of your configuration settings and store safely on another device.
  • This seems to include all of the /etc/ folder and in particular the /etc/config/ folder 


  • When you make a backup it basically makes a copy of the /etc/ which includes all settings.
  • A backup does not contain downloaded software packages
  • When you restore a backup you overwrite everything in the /etc/ folder with that in the backup archive,  but no files are deleted, just replaced. 

Other Configurations, Features and Things

Stuff that was not covered above will be here.

Resetting the Router

What Happens

  • Resetting the router removes all of the user settings and downloaded packages by putting the router back to how it was when you first flashed it.
  • It will keep all of the system information like mac addresses.
  • It basically wipes the /etc/ folder


  • You should do this over Ethernet because the reset process will disable the wifi
  • The router will revert to and http:// so this might also create an update in the router
  • This seems to wipe the etc folder
  • LEDE Project: Failsafe Mode and Factory Reset

Upgrading LEDE

Do not upgrade over WIFI and read How to update LEDE (eliban 4.3)


Try a new Add-on

When you uninstall a piece of software, this will not remove the dependencies automatically (LEDE should add a dependencies register to fix this). If you want to try out a new add-on, do the following so if the add-on installs a load of stuff you do not want you can remove the dependencies and revert back to your old settings.


  • make a backup of your settings configuration
  • install the Add-on
  • make a list of the dependencies installed from the log notifcations (at the top of the page) that appears after the add-on has been installed. Only dependencies that are not installed but required will be downloaded and installed. Add-ons can share packages


  • uninstall the LuCI app (if you used one)
  • remove the dependencies that were installed
  • delete the relevant settings in /etc/config/ (optional). these can be left for re-installation.

Upgrading Add-ons

This currently cannot be done through the web interface (LuCI) so you must use the command line (console)

I have not done this yet but here are some threads with simple instructions. Read them both.

Failsafe Mode

Failsafe mode is where you can access LEDE Console/Linux Kerel via SSH or a serial connection and is used for those times LEDE will not boot up.

To access the Failsafe mode by SSH

  • when the router is booting up (Flashing Green LED), Press any button on the router to interrupt.
  • The LEDE normal boot procedure is interupted and the cut down console over SSH will become available on
  • You can now SSH into the router. Use the username 'root' and no password is required.


Config file conflicts

Config file conflicts can happen at various times but in this instance it was when I had done the following

  • Factory reset my router
  • Uploaded my config back
  • installed a dynamic DNS script luci-app-ddns which also installs ddns-scripts

I then received the following error:

Collected errors:
* resolve_conffiles: Existing conffile /etc/config/ddns is different from the conffile in the new package. The new conffile will be placed at /etc/config/ddns-opkg.

What this error means is that when i downloaded luci-app-ddns, LEDE discovered I already had a config file called ddns so it just renamed the new/default config file that came with the package to ddns-opkg so my original config file that had been restored with my backup was unaffected and I still had the opportunity to examine the new config file to see if there were any changes.

You can delete the file ddns-opkg as it is not used. You might want to just look in it to see if there any changes you need to know about.



My Security Options Overview

I will briefly outline the security settings I have added to my LEDE HH5A setup. This might change over time.

  • adblock - Using block lists.
  • adblock/firewall rule - to forward all dns enquires to the local router
  • Quad9 used for the DNS provider
  • DNSSec with 'DNSSEC check unsigned' enabled
  • SSH console pnly allowed to be accessed from the LAN (WIFI and Ethernet)
  • Strong password for root



I have not verified the answers to these so any feedback is welcome.

  • Can I leave the wires in place to access the serial, or are they no longer required. = does not seem to make much difference.
  • Is the config file specific to a router i.e. because of MAC addresses = I thinks so.
  • Where does LEDE store MAC addresses = in /etc/config/network and then in the image which is used for a factory reset (squashfs only).
  • What happens when I press the reset button on my HH5A LEDE router = I think it just performs a factory reset.

General Notes

  • LuCI is the GUI for LEDE
  • LAN referrers to LAN and WIFI clients
  • LEDE and OpenWRT were going to join and might still join. LEDE was forked from OpenWRT and is still getting actively developed and so is currently the successor of OpenWRT.
  • LEDE is still very young, started in 2016

Additional Settings

These settings here are useful ones I have come across but do not form part of the intial configuration of LEDE for the HH5A.

Wireless Isolation

This is not available for configuration in LuCI and the correct format seems to be option isolate '1'


Flashing Guides / Tutorials

Documentation / Configuration

Tech Specs

Websites of note


BT HomeHub stuck in CFG04 (UART) mode after installation

Read 12889 times Last modified on Thursday, 29 March 2018 13:33

Comments (0)

There are no comments posted here yet