Difference between revisions of "Ubiquiti NanoStation 5AC Loco"

Jump to navigation Jump to search
(Reference based on roadblock yesterday.)
(Add the btih for a stock + OpenWrt dump from NS 5AC Loco)
 
(42 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 +
[[Category:Devices]]
 
[[Category:Ubiquiti]]
 
[[Category:Ubiquiti]]
 
[[File:Ubnt-ns-5ac-loco.png|thumb|NanoStation 5AC Loco]]
 
[[File:Ubnt-ns-5ac-loco.png|thumb|NanoStation 5AC Loco]]
  
 
The NanoStation 5AC Loco is a directional, weather resistant, PoE powered radio with a beam width of 90 degrees and a secondary omnidirectional radio. This makes it useful for simultaneously meshing on one radio while providing an access point for client devices on the other.
 
The NanoStation 5AC Loco is a directional, weather resistant, PoE powered radio with a beam width of 90 degrees and a secondary omnidirectional radio. This makes it useful for simultaneously meshing on one radio while providing an access point for client devices on the other.
 +
 +
{{ Warning| This is a PoE device. Never connect your computer directly to the PoE injector's red port!!!}}
 +
 +
{{Note| The Nanostation's architecture is '''MIPS 24KC.'''}}
 +
 +
{{ Warning| As of January 1, 2020, brand new Nanostations do not support downgrading the Ubiquiti AirOS firmware. (Even with the patch.) Instead, you must [[#Flash using serial header access|Flash using serial header access]]}}
  
 
== Files ==
 
== Files ==
Line 10: Line 17:
  
 
[https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-sysupgrade.bin MassMesh Firmware (Sysupgrade) (Latest)]
 
[https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-sysupgrade.bin MassMesh Firmware (Sysupgrade) (Latest)]
 +
 +
[magnet:?xt=urn:btih:3ec9b5e9cbc7561507eb933df855f15c7b7eb9bc BitTorrent magnet link containing two 16MiB flash .bin files, one for a pre-OpenWrt stock 5AC Loco and another for an OpenWrt-flashed Loco]. You may use the latter to overwrite the content of flash on a 5AC Loco to restore it to an older version of U-boot capable of booting OpenWrt, but note that the MAC address is also stored in flash.
  
 
== Flashing ==
 
== Flashing ==
=== From Stock Firmware ===
+
 
# Download the Stock Firmware Image v8.5.0.36727 from above as well as the MassMesh '''Factory''' image file
+
=== From OpenWrt ===
# Power on the NanoStation via a PoE injector and connect the other side of the PoE injector to a computer
+
{{Note|Mass Mesh mesh radios have a static IP of 192.168.2.1. To access the admin UI, set your computer's ip/netmask to 192.168.2.10/24, then browse to http://192.168.2.1/ in your favorite web browser.}}
 +
# Download the latest [https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-sysupgrade.bin MassMesh sysupgrade firmware.]
 +
# Connect to the Nanostation and enter its IP address into your favorite web browser.
 +
## If you are using another version of OpenWrt, please refer to its documentation for details about its IP address.
 +
# Navigate to System → Backup / Flash Firmware → Actions: '''Flash new firmware image.'''
 +
# Choose the sysupgrade file previously downloaded and click '''Flash'''
 +
# Wait for the device to complete and reboot (This can take up to 5 minutes.)
 +
 
 +
=== From Stock Firmware (Ubiquiti AirOS)===
 +
 
 +
==== Downgrade Ubiquiti AirOS via Web UI ====
 +
 
 +
# Download the [https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin Stock Firmware Image v8.5.0.36727].
 +
# Power on the Nanostation via a PoE injector. (This is the **red** ethernet port on your injector.)
 +
# Connect the LAN side of the PoE injector to a computer.
 
# Assign a static IP/netmask of <code>192.168.1.25/24</code> to the computer
 
# Assign a static IP/netmask of <code>192.168.1.25/24</code> to the computer
 +
## <code>sudo ip addr add 192.168.1.25/24 dev eth0</code>
 
# Use a browser to visit http://192.168.1.20/
 
# Use a browser to visit http://192.168.1.20/
 
# Login using the set password or default credentials <code>ubnt / ubnt</code>
 
# Login using the set password or default credentials <code>ubnt / ubnt</code>
 
# Navigate to settings and downgrade the stock firmware to v8.5.0.36727 using the downloaded image file
 
# Navigate to settings and downgrade the stock firmware to v8.5.0.36727 using the downloaded image file
# Follow the instructions for enabling updates to the firmware [https://openwrt.org/toh/ubiquiti/ubiquiti_nanostation_ac_loco on OpenWRT's website.]
 
  
=== From OpenWrt ===
+
{{Note|Newer versions of the NanoStation 5AC Loco block downgrading the firmware to 8.5.0. If you encounter this error, you will need to open up the radio and use the [[#Downgrade Ubiquiti AirOS With An External Programmer|Pomona clip method]] or the [[#Flash using serial header access|serial flashing method]].}}
# Download the latest MassMesh Sysupgrade firmware file from above
+
 
# Connect to the device and navigate to the IP address of the device
+
==== Downgrade Ubiquiti AirOS via TFTP ====
#:{{Note|MassMesh MeshRadio firmwares use an IP of 192.168.2.1. To access the administration UI, set an ip/netmask of 192.168.2.10/24 and browse to http://192.168.2.1/}}
+
 
# Navigate to System → Backup / Flash Firmware → Actions: Flash new firmware image
+
<pre>
# Choose the sysupgrade file previously downloaded and click Flash
+
wget https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin
# Wait for the device to complete and reboot
+
cp https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin firmware.bin
 +
sudo apt install tftp
 +
tftp
 +
tftp> connect 192.168.1.20
 +
tftp> rexmt 1
 +
tftp> timeout 60
 +
tftp> binary
 +
tftp> put firmware.bin
 +
</pre>
 +
 
 +
No re-boot is necessary. You should be able to access the router at 192.168.1.20 after a couple of minutes.
 +
 
 +
{{Note|Newer versions of the NanoStation 5AC Loco block downgrading the firmware to 8.5.0. If you encounter an "Initialization Error" after flashing, you will need to open up the radio and use the [[#Downgrade Ubiquiti AirOS With An External Programmer|Pomona clip method]] or the [[#Flash using serial header access|serial flashing method]].}}
 +
 
 +
==== Install The Mass Mesh OpenWrt Image ====
 +
 
 +
{{ Note| Additional instructions are available [https://openwrt.org/toh/ubiquiti/ubiquiti_nanostation_ac_loco on OpenWrt's website]. The "factory" image should be chosen for this step.}}
 +
# Download the latest Mass Mesh firmware [https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin here].
 +
# Copy the firmware onto the nanostation. (We like to put it in the <code>/tmp/</code> directory.)
 +
# Open a secure shell on the Nanostation. <code>ssh ubnt@192.168.1.20</code>
 +
# Patch the fwupdate.real binary a la the instructions [https://openwrt.org/toh/ubiquiti/ubiquiti_nanostation_ac_loco here.]
 +
# <code>/tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin</code>
 +
 
 +
== Advanced Flashing Techniques ==
 +
 
 +
=== Downgrade Ubiquiti AirOS With An External Programmer===
 +
 
 +
When your nanostation is bricked, or if the stock firmware won't let you flash our custom firmware, you can use the '''In-System Programming''' (ISP) technique to reflash the device (see also the [https://www.flashrom.org/ISP Flashrom wiki]. You're going to need:
 +
 
 +
# a Pomona 5252 test clip (https://www.digikey.com/product-detail/en/pomona-electronics/5252/501-2059-ND/745103), ~$16
 +
# a raspberry pi (e.g. a zero w) ~$10
 +
# some header pins and prototyping wires to connect everything
 +
 
 +
The Nanostation has a Macronix MX25L12835F rom chip ([https://www.macronix.com/Lists/Datasheet/Attachments/7397/MX25L12835F,%203V,%20128Mb,%20v1.6.pdf datasheet]), which is an SPI chip with 16 connectors good for 128 Mbit of storage.
 +
 
 +
We can use [https://flashrom.org Flashrom] running on a raspberry pi to read and write that chip, if we hook up the Pomona 5252 test clip to the MX25L12835F and connect it to the correct [https://pinout.xyz/pinout/spi SPI pins] on the pi:
 +
 
 +
[[File:raspberry-pi-pinout.png|inline|raspberry pi GPIO pinout]]
 +
 
 +
(note: the SPI1 CE0/CE1 pins are not labeled on this image)
 +
 
 +
==== Pinouts (please proceed with caution!) ====
 +
 
 +
The Raspberry Pi has 2 SPI interfaces, SPI0 and SPI1.
 +
 
 +
On the Raspberry Pi boot partition, make sure to update config.txt and uncomment the line that reads
 +
 
 +
dtparam=spi=on
 +
 
 +
After a reboot, you should see the spi device files:
 +
 
 +
  root@raspberrypi:/home/pi# ls -laF /dev/spidev0.*
 +
  crw-rw---- 1 root spi 153, 0 Jan  7 01:44 /dev/spidev0.0
 +
  crw-rw---- 1 root spi 153, 1 Jan  7 01:44 /dev/spidev0.1
 +
 
 +
Now connect the Raspberry Pi to the Pomona clip. Choose either SPI0 or SPI1. We're going to leave the VCC pin on the flash chip disconnected. We are however going to connect a few other pins to our 3.3V source from the raspberry pi, to pull them up.
 +
 
 +
{| class="wikitable"
 +
|-
 +
!colspan="2"|RPi SPI0!!colspan="2"|RPi SPI1!!colspan="2"|Pomona Clip!!Notes!!Color in picture below
 +
|-
 +
|17||3.3V
 +
|17||3.3V
 +
|1||SIO3
 +
|''we do not use this pin, so we pull it up''
 +
|red
 +
|-
 +
|17||3.3V
 +
|17||3.3V
 +
|9||WP#SIO2
 +
|''put the chip in read/write mode''
 +
|red
 +
|-
 +
|19||SPI0 MOSI
 +
|38||SPI1 MOSI
 +
|15||SI
 +
|
 +
|blue
 +
|-
 +
|21||SPI0 MISO
 +
|35||SPI1 MISO
 +
|8||SO
 +
|
 +
|orange
 +
|-
 +
|23||SPI0 SCLK
 +
|40||SPI1 SCLK
 +
|16||SCLK
 +
|
 +
|green
 +
|-
 +
|25||GND
 +
|25||GND
 +
|10||GND
 +
|
 +
|brown
 +
|-
 +
|24||SPI0 CE0
 +
|12||SPI1 CE0
 +
|7||CS
 +
|
 +
|yellow
 +
|}
 +
 
 +
 
 +
[[File:20200127-raspberry-pi-zero-w-with-pomona-clip.jpg|thumb|A Raspberry Pi Zero W with wires connected to the SPI0 pins. There is an unused 3.3V wire visible.]]
 +
 
 +
==== Reading the chip with flashrom ====
 +
 
 +
Once the Pomona is connected to the raspberry pi, make sure the NanoStation is disconnected from power/ethernet. Then clip on the Pomona.
 +
 
 +
Flashrom on the Pi [https://github.com/flashrom/flashrom/issues/29 requires] us to specify the speed of operation. We also need to specify the exact ROM chip model, because there are two models that match:
 +
 
 +
  $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -r proprietary.rom
 +
  flashrom  on Linux 4.19.75+ (armv6l)
 +
  flashrom is free software, get the source code at https://flashrom.org
 +
 
 +
  Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
 +
  Found Macronix flash chip "MX25L12805D" (16384 kB, SPI) on linux_spi.
 +
  Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi.
 +
  Multiple flash chip definitions match the detected chip(s): "MX25L12805D", "MX25L12835F/MX25L12845E/MX25L12865E"
 +
  Please specify which chip definition to use with the -c <chipname> option.
 +
 
 +
So here's the final command to read out the chip:
 +
 
 +
  $ flashrom -c "MX25L12835F/MX25L12845E/MX25L12865E" -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -r proprietary.rom
 +
  flashrom  on Linux 4.19.75+ (armv6l)
 +
  flashrom is free software, get the source code at https://flashrom.org
 +
 
 +
  Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
 +
  Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi.
 +
  Reading flash... done.
 +
 
 +
It's easy to verify that if the reading worked. If you were reading out the original firmware, binwalk would print something like this:
 +
 
 +
  $ binwalk proprietary.rom
 +
 
 +
  DECIMAL      HEXADECIMAL    DESCRIPTION
 +
  --------------------------------------------------------------------------------
 +
  115152        0x1C1D0        Certificate in DER format (x509 v3), header length: 4, sequence length: 64
 +
  142896        0x22E30        U-Boot version string, "U-Boot 1.1.4-s1100 (Sep  5 2018 - 17:53:00)"
 +
  143184        0x22F50        CRC32 polynomial table, big endian
 +
  224396        0x36C8C        CRC32 polynomial table, big endian
 +
  226924        0x3766C        Ubiquiti end header, header size: 12 bytes, cumulative ~CRC32: 0x454E442E
 +
  231856        0x389B0        Ubiquiti partition header, header size: 56 bytes, name: "PARTkernel", base address: 0x00000001, data size: -2147475456 bytes
 +
  231920        0x389F0        uImage header, header size: 64 bytes, header CRC: 0xE75790E0, created: 2018-11-13 14:36:59, image size: 998847 bytes, Data
 +
  Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0xAAECA664, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68"
 +
  327680        0x50000        uImage header, header size: 64 bytes, header CRC: 0x22425505, created: 2019-02-13 09:09:52, image size: 990770 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0x8F3B71D3, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68"
 +
  327744        0x50040        LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2836596 bytes
 +
  1318514      0x141E72        Ubiquiti partition header, header size: 56 bytes, name: "PARTrootfs", base address: 0x00000002, data size: 0 bytes
 +
  1318578      0x141EB2        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 7203018 bytes, 956 inodes, blocksize: 262144 bytes, created: 2019-02-13 09:09:54
 +
 
 +
Useful resources:
 +
* [https://www.flashrom.org/RaspberryPi Flashrom page on using the Raspberry Pi as a flashing tool]
 +
 
 +
==== Writing to the chip with flashrom ====
 +
 
 +
  pi@raspberrypi:~ $ flashrom -c "MX25L12835F/MX25L12845E/MX25L12865E" -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -w read1-10000-openwrt.bin
 +
  flashrom  on Linux 4.19.75-v7l+ (armv7l)
 +
  flashrom is free software, get the source code at https://flashrom.org
 +
 
 +
  Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
 +
  Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi.
 +
  Reading old flash chip contents... done.
 +
  Erasing and writing flash chip... Erase/write done.
 +
  Verifying flash... VERIFIED.
 +
 
 +
=== Flash using serial header access ===
 +
Direct serial access allows temporarily running OpenWRT in memory and using the temporary environment to flash a full image to the radio's memory.
 +
 
 +
[[File:Ubnt_ns5acl_serial.jpg|thumb|Click to enlarge pinout]]
 +
# Using your thumb or a small tool, push the tab in the slot located on the lower rear of the radio and slide the bottom half out of the enclosure
 +
# Looking at the rear of the board (where all the components are on the opposite side as the antenna), locate the serial headers on the middle left side of the board
 +
# Solder at least the top 3 pins shown in the picture. The pins from left to right (starting with the square shaped pad that is unpopulated in the image) are 3.3V, RX, TX, and GND. 3.3V is not needed here
 +
# Connect GND on the board to GND on your FTDI adapter, TX on the board to RX on the FTDI adapter, and RX on the board to TX on the FTDI adapter
 +
# Make sure your FTDI adapter is in 3.3V mode and attached to your computer, then open the serial port on your computer (ex. <code>minicom -D /dev/ttyUSB0</code>). Use 115200 8N1 in your terminal settings.
 +
# Connect the NanoStation and press enter in the console when it says <code>Hit any key to stop autoboot:</code>. You should be left at a <code>ar7240> </code> prompt.
 +
# Connect your laptop to the LAN port of the PoE injector powering the NanoStation and assign a static IP of <code>192.168.1.254</code>
 +
# Install a TFTP server and place [https://downloads.openwrt.org/releases/19.07.0/targets/ath79/generic/openwrt-19.07.0-ath79-generic-ubnt_nanostation-ac-loco-initramfs-kernel.bin openwrt-19.07.0-ath79-generic-ubnt_nanostation-ac-loco-initramfs-kernel.bin] in the root folder of the TFTP server (<code>/srv/tftp</code> for tftp-hpa on Arch).
 +
# Rename the initramfs-kernel.bin file to <code>1401A8C0.img</code> and ensure the tftp server / service is started
 +
# Run <code>tftpboot</code> in the serial console and wait for it to complete
 +
# Run <code>bootm</code> in the serial console to boot the initramfs
 +
# Once OpenWRT has booted, you can press Enter to enable shell access
 +
# Ensure you have an IP address in the 192.168.1.x subnet and use scp to transfer the sysupgrade firmware you wish to flash
 +
# Flash the full firmware to the radio's storage using <code>mtd -r write /tmp/sysupgrade.bin firmware</code>, replacing <code>sysupgrade.bin</code> with the full filename of the firmware you are flashing
 +
 
 +
== Condensed Command-list ==
 +
=== Flash The Stock Ubiquiti Firmware via TFTP ===
 +
<pre>
 +
wget https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin
 +
cp https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin firmware.bin
 +
sudo apt install tftp
 +
tftp
 +
tftp> connect 192.168.1.20
 +
tftp> rexmt 1
 +
tftp> timeout 60
 +
tftp> binary
 +
tftp> put firmware.bin
 +
</pre>
 +
 
 +
No re-boot is necessary. You should be able to access the router at 192.168.1.20 after a couple of minutes.
 +
 
 +
=== Flash The Mass Mesh Firmware ===
 +
<pre>
 +
wget https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin
 +
scp openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin ubnt@192.168.1.20:/tmp
 +
ssh ubnt@192.168.1.20
 +
hexdump -Cv /bin/ubntbox | sed 's/14 40 fe fe/00 00 00 00/g' | hexdump -R > /tmp/fwupdate.real
 +
chmod +x /tmp/fwupdate.real
 +
/tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin
 +
</pre>

Latest revision as of 14:31, 6 February 2021

NanoStation 5AC Loco

The NanoStation 5AC Loco is a directional, weather resistant, PoE powered radio with a beam width of 90 degrees and a secondary omnidirectional radio. This makes it useful for simultaneously meshing on one radio while providing an access point for client devices on the other.

Warning: This is a PoE device. Never connect your computer directly to the PoE injector's red port!!!
Note: The Nanostation's architecture is MIPS 24KC.
Warning: As of January 1, 2020, brand new Nanostations do not support downgrading the Ubiquiti AirOS firmware. (Even with the patch.) Instead, you must Flash using serial header access

Files

Stock Firmware v8.5.0.36727

MassMesh Firmware (Factory) (Latest)

MassMesh Firmware (Sysupgrade) (Latest)

BitTorrent magnet link containing two 16MiB flash .bin files, one for a pre-OpenWrt stock 5AC Loco and another for an OpenWrt-flashed Loco. You may use the latter to overwrite the content of flash on a 5AC Loco to restore it to an older version of U-boot capable of booting OpenWrt, but note that the MAC address is also stored in flash.

Flashing

From OpenWrt

Note: Mass Mesh mesh radios have a static IP of 192.168.2.1. To access the admin UI, set your computer's ip/netmask to 192.168.2.10/24, then browse to http://192.168.2.1/ in your favorite web browser.
  1. Download the latest MassMesh sysupgrade firmware.
  2. Connect to the Nanostation and enter its IP address into your favorite web browser.
    1. If you are using another version of OpenWrt, please refer to its documentation for details about its IP address.
  3. Navigate to System → Backup / Flash Firmware → Actions: Flash new firmware image.
  4. Choose the sysupgrade file previously downloaded and click Flash
  5. Wait for the device to complete and reboot (This can take up to 5 minutes.)

From Stock Firmware (Ubiquiti AirOS)

Downgrade Ubiquiti AirOS via Web UI

  1. Download the Stock Firmware Image v8.5.0.36727.
  2. Power on the Nanostation via a PoE injector. (This is the **red** ethernet port on your injector.)
  3. Connect the LAN side of the PoE injector to a computer.
  4. Assign a static IP/netmask of 192.168.1.25/24 to the computer
    1. sudo ip addr add 192.168.1.25/24 dev eth0
  5. Use a browser to visit http://192.168.1.20/
  6. Login using the set password or default credentials ubnt / ubnt
  7. Navigate to settings and downgrade the stock firmware to v8.5.0.36727 using the downloaded image file
Note: Newer versions of the NanoStation 5AC Loco block downgrading the firmware to 8.5.0. If you encounter this error, you will need to open up the radio and use the Pomona clip method or the serial flashing method.

Downgrade Ubiquiti AirOS via TFTP

wget https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin
cp https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin firmware.bin
sudo apt install tftp
tftp
tftp> connect 192.168.1.20
tftp> rexmt 1
tftp> timeout 60
tftp> binary
tftp> put firmware.bin

No re-boot is necessary. You should be able to access the router at 192.168.1.20 after a couple of minutes.

Note: Newer versions of the NanoStation 5AC Loco block downgrading the firmware to 8.5.0. If you encounter an "Initialization Error" after flashing, you will need to open up the radio and use the Pomona clip method or the serial flashing method.

Install The Mass Mesh OpenWrt Image

Note: Additional instructions are available on OpenWrt's website. The "factory" image should be chosen for this step.
  1. Download the latest Mass Mesh firmware here.
  2. Copy the firmware onto the nanostation. (We like to put it in the /tmp/ directory.)
  3. Open a secure shell on the Nanostation. ssh ubnt@192.168.1.20
  4. Patch the fwupdate.real binary a la the instructions here.
  5. /tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin

Advanced Flashing Techniques

Downgrade Ubiquiti AirOS With An External Programmer

When your nanostation is bricked, or if the stock firmware won't let you flash our custom firmware, you can use the In-System Programming (ISP) technique to reflash the device (see also the Flashrom wiki. You're going to need:

  1. a Pomona 5252 test clip (https://www.digikey.com/product-detail/en/pomona-electronics/5252/501-2059-ND/745103), ~$16
  2. a raspberry pi (e.g. a zero w) ~$10
  3. some header pins and prototyping wires to connect everything

The Nanostation has a Macronix MX25L12835F rom chip (datasheet), which is an SPI chip with 16 connectors good for 128 Mbit of storage.

We can use Flashrom running on a raspberry pi to read and write that chip, if we hook up the Pomona 5252 test clip to the MX25L12835F and connect it to the correct SPI pins on the pi:

raspberry pi GPIO pinout

(note: the SPI1 CE0/CE1 pins are not labeled on this image)

Pinouts (please proceed with caution!)

The Raspberry Pi has 2 SPI interfaces, SPI0 and SPI1.

On the Raspberry Pi boot partition, make sure to update config.txt and uncomment the line that reads

dtparam=spi=on

After a reboot, you should see the spi device files:

 root@raspberrypi:/home/pi# ls -laF /dev/spidev0.*
 crw-rw---- 1 root spi 153, 0 Jan  7 01:44 /dev/spidev0.0
 crw-rw---- 1 root spi 153, 1 Jan  7 01:44 /dev/spidev0.1

Now connect the Raspberry Pi to the Pomona clip. Choose either SPI0 or SPI1. We're going to leave the VCC pin on the flash chip disconnected. We are however going to connect a few other pins to our 3.3V source from the raspberry pi, to pull them up.

RPi SPI0 RPi SPI1 Pomona Clip Notes Color in picture below
17 3.3V 17 3.3V 1 SIO3 we do not use this pin, so we pull it up red
17 3.3V 17 3.3V 9 WP#SIO2 put the chip in read/write mode red
19 SPI0 MOSI 38 SPI1 MOSI 15 SI blue
21 SPI0 MISO 35 SPI1 MISO 8 SO orange
23 SPI0 SCLK 40 SPI1 SCLK 16 SCLK green
25 GND 25 GND 10 GND brown
24 SPI0 CE0 12 SPI1 CE0 7 CS yellow


A Raspberry Pi Zero W with wires connected to the SPI0 pins. There is an unused 3.3V wire visible.

Reading the chip with flashrom

Once the Pomona is connected to the raspberry pi, make sure the NanoStation is disconnected from power/ethernet. Then clip on the Pomona.

Flashrom on the Pi requires us to specify the speed of operation. We also need to specify the exact ROM chip model, because there are two models that match:

 $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -r proprietary.rom
 flashrom  on Linux 4.19.75+ (armv6l)
 flashrom is free software, get the source code at https://flashrom.org
 Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
 Found Macronix flash chip "MX25L12805D" (16384 kB, SPI) on linux_spi.
 Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi.
 Multiple flash chip definitions match the detected chip(s): "MX25L12805D", "MX25L12835F/MX25L12845E/MX25L12865E"
 Please specify which chip definition to use with the -c <chipname> option.

So here's the final command to read out the chip:

 $ flashrom -c "MX25L12835F/MX25L12845E/MX25L12865E" -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -r proprietary.rom
 flashrom  on Linux 4.19.75+ (armv6l)
 flashrom is free software, get the source code at https://flashrom.org
 Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
 Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi.
 Reading flash... done.

It's easy to verify that if the reading worked. If you were reading out the original firmware, binwalk would print something like this:

 $ binwalk proprietary.rom 
 DECIMAL       HEXADECIMAL     DESCRIPTION
 --------------------------------------------------------------------------------
 115152        0x1C1D0         Certificate in DER format (x509 v3), header length: 4, sequence length: 64
 142896        0x22E30         U-Boot version string, "U-Boot 1.1.4-s1100 (Sep  5 2018 - 17:53:00)"
 143184        0x22F50         CRC32 polynomial table, big endian
 224396        0x36C8C         CRC32 polynomial table, big endian
 226924        0x3766C         Ubiquiti end header, header size: 12 bytes, cumulative ~CRC32: 0x454E442E
 231856        0x389B0         Ubiquiti partition header, header size: 56 bytes, name: "PARTkernel", base address: 0x00000001, data size: -2147475456 bytes
 231920        0x389F0         uImage header, header size: 64 bytes, header CRC: 0xE75790E0, created: 2018-11-13 14:36:59, image size: 998847 bytes, Data 
 Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0xAAECA664, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68"
 327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0x22425505, created: 2019-02-13 09:09:52, image size: 990770 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0x8F3B71D3, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68"
 327744        0x50040         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2836596 bytes
 1318514       0x141E72        Ubiquiti partition header, header size: 56 bytes, name: "PARTrootfs", base address: 0x00000002, data size: 0 bytes
 1318578       0x141EB2        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 7203018 bytes, 956 inodes, blocksize: 262144 bytes, created: 2019-02-13 09:09:54

Useful resources:

Writing to the chip with flashrom

 pi@raspberrypi:~ $ flashrom -c "MX25L12835F/MX25L12845E/MX25L12865E" -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -w read1-10000-openwrt.bin
 flashrom  on Linux 4.19.75-v7l+ (armv7l)
 flashrom is free software, get the source code at https://flashrom.org
 
 Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
 Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi.
 Reading old flash chip contents... done.
 Erasing and writing flash chip... Erase/write done.
 Verifying flash... VERIFIED.

Flash using serial header access

Direct serial access allows temporarily running OpenWRT in memory and using the temporary environment to flash a full image to the radio's memory.

Click to enlarge pinout
  1. Using your thumb or a small tool, push the tab in the slot located on the lower rear of the radio and slide the bottom half out of the enclosure
  2. Looking at the rear of the board (where all the components are on the opposite side as the antenna), locate the serial headers on the middle left side of the board
  3. Solder at least the top 3 pins shown in the picture. The pins from left to right (starting with the square shaped pad that is unpopulated in the image) are 3.3V, RX, TX, and GND. 3.3V is not needed here
  4. Connect GND on the board to GND on your FTDI adapter, TX on the board to RX on the FTDI adapter, and RX on the board to TX on the FTDI adapter
  5. Make sure your FTDI adapter is in 3.3V mode and attached to your computer, then open the serial port on your computer (ex. minicom -D /dev/ttyUSB0). Use 115200 8N1 in your terminal settings.
  6. Connect the NanoStation and press enter in the console when it says Hit any key to stop autoboot:. You should be left at a ar7240> prompt.
  7. Connect your laptop to the LAN port of the PoE injector powering the NanoStation and assign a static IP of 192.168.1.254
  8. Install a TFTP server and place openwrt-19.07.0-ath79-generic-ubnt_nanostation-ac-loco-initramfs-kernel.bin in the root folder of the TFTP server (/srv/tftp for tftp-hpa on Arch).
  9. Rename the initramfs-kernel.bin file to 1401A8C0.img and ensure the tftp server / service is started
  10. Run tftpboot in the serial console and wait for it to complete
  11. Run bootm in the serial console to boot the initramfs
  12. Once OpenWRT has booted, you can press Enter to enable shell access
  13. Ensure you have an IP address in the 192.168.1.x subnet and use scp to transfer the sysupgrade firmware you wish to flash
  14. Flash the full firmware to the radio's storage using mtd -r write /tmp/sysupgrade.bin firmware, replacing sysupgrade.bin with the full filename of the firmware you are flashing

Condensed Command-list

Flash The Stock Ubiquiti Firmware via TFTP

wget https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin
cp https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin firmware.bin
sudo apt install tftp
tftp
tftp> connect 192.168.1.20
tftp> rexmt 1
tftp> timeout 60
tftp> binary
tftp> put firmware.bin

No re-boot is necessary. You should be able to access the router at 192.168.1.20 after a couple of minutes.

Flash The Mass Mesh Firmware

wget https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin
scp openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin ubnt@192.168.1.20:/tmp
ssh ubnt@192.168.1.20
hexdump -Cv /bin/ubntbox | sed 's/14 40 fe fe/00 00 00 00/g' | hexdump -R > /tmp/fwupdate.real
chmod +x /tmp/fwupdate.real
/tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin