Difference between revisions of "Ubiquiti NanoStation 5AC Loco"
(→From Stock Firmware: Added more complete instructions & separate the downgrade from the Mass Mesh image install.) |
(Add the btih for a stock + OpenWrt dump from NS 5AC Loco) |
||
(33 intermediate revisions by 4 users not shown) | |||
Line 5: | Line 5: | ||
The NanoStation 5AC Loco is a directional, weather resistant, PoE powered radio with a beam width of 90 degrees and a secondary omnidirectional radio. This makes it useful for simultaneously meshing on one radio while providing an access point for client devices on the other. | The NanoStation 5AC Loco is a directional, weather resistant, PoE powered radio with a beam width of 90 degrees and a secondary omnidirectional radio. This makes it useful for simultaneously meshing on one radio while providing an access point for client devices on the other. | ||
− | + | {{ Warning| This is a PoE device. Never connect your computer directly to the PoE injector's red port!!!}} | |
+ | |||
+ | {{Note| The Nanostation's architecture is '''MIPS 24KC.'''}} | ||
+ | |||
+ | {{ Warning| As of January 1, 2020, brand new Nanostations do not support downgrading the Ubiquiti AirOS firmware. (Even with the patch.) Instead, you must [[#Flash using serial header access|Flash using serial header access]]}} | ||
== Files == | == Files == | ||
Line 13: | Line 17: | ||
[https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-sysupgrade.bin MassMesh Firmware (Sysupgrade) (Latest)] | [https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-sysupgrade.bin MassMesh Firmware (Sysupgrade) (Latest)] | ||
+ | |||
+ | [magnet:?xt=urn:btih:3ec9b5e9cbc7561507eb933df855f15c7b7eb9bc BitTorrent magnet link containing two 16MiB flash .bin files, one for a pre-OpenWrt stock 5AC Loco and another for an OpenWrt-flashed Loco]. You may use the latter to overwrite the content of flash on a 5AC Loco to restore it to an older version of U-boot capable of booting OpenWrt, but note that the MAC address is also stored in flash. | ||
== Flashing == | == Flashing == | ||
− | === From Stock Firmware === | + | |
− | ==== Downgrade Ubiquiti AirOS ==== | + | === From OpenWrt === |
+ | {{Note|Mass Mesh mesh radios have a static IP of 192.168.2.1. To access the admin UI, set your computer's ip/netmask to 192.168.2.10/24, then browse to http://192.168.2.1/ in your favorite web browser.}} | ||
+ | # Download the latest [https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-sysupgrade.bin MassMesh sysupgrade firmware.] | ||
+ | # Connect to the Nanostation and enter its IP address into your favorite web browser. | ||
+ | ## If you are using another version of OpenWrt, please refer to its documentation for details about its IP address. | ||
+ | # Navigate to System → Backup / Flash Firmware → Actions: '''Flash new firmware image.''' | ||
+ | # Choose the sysupgrade file previously downloaded and click '''Flash''' | ||
+ | # Wait for the device to complete and reboot (This can take up to 5 minutes.) | ||
+ | |||
+ | === From Stock Firmware (Ubiquiti AirOS)=== | ||
+ | |||
+ | ==== Downgrade Ubiquiti AirOS via Web UI ==== | ||
+ | |||
# Download the [https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin Stock Firmware Image v8.5.0.36727]. | # Download the [https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin Stock Firmware Image v8.5.0.36727]. | ||
# Power on the Nanostation via a PoE injector. (This is the **red** ethernet port on your injector.) | # Power on the Nanostation via a PoE injector. (This is the **red** ethernet port on your injector.) | ||
− | |||
# Connect the LAN side of the PoE injector to a computer. | # Connect the LAN side of the PoE injector to a computer. | ||
# Assign a static IP/netmask of <code>192.168.1.25/24</code> to the computer | # Assign a static IP/netmask of <code>192.168.1.25/24</code> to the computer | ||
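Review bot: The magnet link added under Files hands readers two full 16MiB flash images with only the torrent btih as an integrity reference, and the MAC-address caveat in the same sentence stops short of saying what to do about it. Suggest listing a SHA-256 for each .bin next to the link, and adding a sentence telling readers to read out and keep their own device's flash before overwriting it, since the text says the MAC address is stored in that flash and the OpenWrt-flashed image would replace it.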
Line 26: | Line 43: | ||
# Login using the set password or default credentials <code>ubnt / ubnt</code> | # Login using the set password or default credentials <code>ubnt / ubnt</code> | ||
# Navigate to settings and downgrade the stock firmware to v8.5.0.36727 using the downloaded image file | # Navigate to settings and downgrade the stock firmware to v8.5.0.36727 using the downloaded image file | ||
− | ==== Install The Mass Mesh | + | |
− | {{ Note| Additional instructions are available [https://openwrt.org/toh/ubiquiti/ubiquiti_nanostation_ac_loco on | + | {{Note|Newer versions of the NanoStation 5AC Loco block downgrading the firmware to 8.5.0. If you encounter this error, you will need to open up the radio and use the [[#Downgrade Ubiquiti AirOS With An External Programmer|Pomona clip method]] or the [[#Flash using serial header access|serial flashing method]].}} |
+ | |||
+ | ==== Downgrade Ubiquiti AirOS via TFTP ==== | ||
+ | |||
+ | <pre> | ||
+ | wget https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin | ||
+ | cp https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin firmware.bin | ||
+ | sudo apt install tftp | ||
+ | tftp | ||
+ | tftp> connect 192.168.1.20 | ||
+ | tftp> rexmt 1 | ||
+ | tftp> timeout 60 | ||
+ | tftp> binary | ||
+ | tftp> put firmware.bin | ||
+ | </pre> | ||
+ | |||
+ | No re-boot is necessary. You should be able to access the router at 192.168.1.20 after a couple of minutes. | ||
+ | |||
+ | {{Note|Newer versions of the NanoStation 5AC Loco block downgrading the firmware to 8.5.0. If you encounter an "Initialization Error" after flashing, you will need to open up the radio and use the [[#Downgrade Ubiquiti AirOS With An External Programmer|Pomona clip method]] or the [[#Flash using serial header access|serial flashing method]].}} | ||
+ | |||
+ | ==== Install The Mass Mesh OpenWrt Image ==== | ||
+ | |||
+ | {{ Note| Additional instructions are available [https://openwrt.org/toh/ubiquiti/ubiquiti_nanostation_ac_loco on OpenWrt's website]. The "factory" image should be chosen for this step.}} | ||
# Download the latest Mass Mesh firmware [https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin here]. | # Download the latest Mass Mesh firmware [https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin here]. | ||
# Copy the firmware onto the nanostation. (We like to put it in the <code>/tmp/</code> directory.) | # Copy the firmware onto the nanostation. (We like to put it in the <code>/tmp/</code> directory.) | ||
# Open a secure shell on the Nanostation. <code>ssh ubnt@192.168.1.20</code> | # Open a secure shell on the Nanostation. <code>ssh ubnt@192.168.1.20</code> | ||
− | # Patch the fwupdate.real binary a la the instructions [ | + | # Patch the fwupdate.real binary a la the instructions [https://openwrt.org/toh/ubiquiti/ubiquiti_nanostation_ac_loco here.] |
# <code>/tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin</code> | # <code>/tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin</code> | ||
− | === | + | == Advanced Flashing Techniques == |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | === With | + | === Downgrade Ubiquiti AirOS With An External Programmer=== |
When your nanostation is bricked, or if the stock firmware won't let you flash our custom firmware, you can use the '''In-System Programming''' (ISP) technique to reflash the device (see also the [https://www.flashrom.org/ISP Flashrom wiki]. You're going to need: | When your nanostation is bricked, or if the stock firmware won't let you flash our custom firmware, you can use the '''In-System Programming''' (ISP) technique to reflash the device (see also the [https://www.flashrom.org/ISP Flashrom wiki]. You're going to need: | ||
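Review bot: In the new "Downgrade Ubiquiti AirOS via TFTP" block, the second command passes the download URL to cp ("cp https://dl.ubnt.com/... firmware.bin"), which fails because cp takes a local path. It should copy the file that wget just saved: cp WA.v8.5.0.36727.180118.1314.bin firmware.bin. The block also does not say what state the radio has to be in for "connect 192.168.1.20" and "put firmware.bin" to be accepted; a sentence on that belongs above the commands.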
Line 52: | Line 85: | ||
The Nanostation has a Macronix MX25L12835F rom chip ([https://www.macronix.com/Lists/Datasheet/Attachments/7397/MX25L12835F,%203V,%20128Mb,%20v1.6.pdf datasheet]), which is an SPI chip with 16 connectors good for 128 Mbit of storage. | The Nanostation has a Macronix MX25L12835F rom chip ([https://www.macronix.com/Lists/Datasheet/Attachments/7397/MX25L12835F,%203V,%20128Mb,%20v1.6.pdf datasheet]), which is an SPI chip with 16 connectors good for 128 Mbit of storage. | ||
− | We can use [https://flashrom.org Flashrom] running on a raspberry pi to read and write that chip, if we hook up the Pomona 5252 test clip to the MX25L12835F and connect it to the correct [https://pinout.xyz/ SPI pins] on the pi: | + | We can use [https://flashrom.org Flashrom] running on a raspberry pi to read and write that chip, if we hook up the Pomona 5252 test clip to the MX25L12835F and connect it to the correct [https://pinout.xyz/pinout/spi SPI pins] on the pi: |
[[File:raspberry-pi-pinout.png|inline|raspberry pi GPIO pinout]] | [[File:raspberry-pi-pinout.png|inline|raspberry pi GPIO pinout]] | ||
− | + | (note: the SPI1 CE0/CE1 pins are not labeled on this image) | |
− | [[File:raspberry-pi-zero-w-with- | + | ==== Pinouts (please proceed with caution!) ==== |
+ | |||
+ | The Raspberry Pi has 2 SPI interfaces, SPI0 and SPI1. | ||
+ | |||
+ | On the Raspberry Pi boot partition, make sure to update config.txt and uncomment the line that reads | ||
+ | |||
+ | dtparam=spi=on | ||
+ | |||
+ | After a reboot, you should see the spi device files: | ||
+ | |||
+ | root@raspberrypi:/home/pi# ls -laF /dev/spidev0.* | ||
+ | crw-rw---- 1 root spi 153, 0 Jan 7 01:44 /dev/spidev0.0 | ||
+ | crw-rw---- 1 root spi 153, 1 Jan 7 01:44 /dev/spidev0.1 | ||
+ | |||
+ | Now connect the Raspberry Pi to the Pomona clip. Choose either SPI0 or SPI1. We're going to leave the VCC pin on the flash chip disconnected. We are however going to connect a few other pins to our 3.3V source from the raspberry pi, to pull them up. | ||
+ | |||
+ | {| class="wikitable" | ||
+ | |- | ||
+ | !colspan="2"|RPi SPI0!!colspan="2"|RPi SPI1!!colspan="2"|Pomona Clip!!Notes!!Color in picture below | ||
+ | |- | ||
+ | |17||3.3V | ||
+ | |17||3.3V | ||
+ | |1||SIO3 | ||
+ | |''we do not use this pin, so we pull it up'' | ||
+ | |red | ||
+ | |- | ||
+ | |17||3.3V | ||
+ | |17||3.3V | ||
+ | |9||WP#SIO2 | ||
+ | |''put the chip in read/write mode'' | ||
+ | |red | ||
+ | |- | ||
+ | |19||SPI0 MOSI | ||
+ | |38||SPI1 MOSI | ||
+ | |15||SI | ||
+ | | | ||
+ | |blue | ||
+ | |- | ||
+ | |21||SPI0 MISO | ||
+ | |35||SPI1 MISO | ||
+ | |8||SO | ||
+ | | | ||
+ | |orange | ||
+ | |- | ||
+ | |23||SPI0 SCLK | ||
+ | |40||SPI1 SCLK | ||
+ | |16||SCLK | ||
+ | | | ||
+ | |green | ||
+ | |- | ||
+ | |25||GND | ||
+ | |25||GND | ||
+ | |10||GND | ||
+ | | | ||
+ | |brown | ||
+ | |- | ||
+ | |24||SPI0 CE0 | ||
+ | |12||SPI1 CE0 | ||
+ | |7||CS | ||
+ | | | ||
+ | |yellow | ||
+ | |} | ||
+ | |||
+ | |||
+ | [[File:20200127-raspberry-pi-zero-w-with-pomona-clip.jpg|thumb|A Raspberry Pi Zero W with wires connected to the SPI0 pins. There is an unused 3.3V wire visible.]] | ||
+ | |||
+ | ==== Reading the chip with flashrom ==== | ||
+ | |||
+ | Once the Pomona is connected to the raspberry pi, make sure the NanoStation is disconnected from power/ethernet. Then clip on the Pomona. | ||
+ | |||
+ | Flashrom on the Pi [https://github.com/flashrom/flashrom/issues/29 requires] us to specify the speed of operation. We also need to specify the exact ROM chip model, because there are two models that match: | ||
+ | |||
+ | $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -r proprietary.rom | ||
+ | flashrom on Linux 4.19.75+ (armv6l) | ||
+ | flashrom is free software, get the source code at https://flashrom.org | ||
+ | |||
+ | Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns). | ||
+ | Found Macronix flash chip "MX25L12805D" (16384 kB, SPI) on linux_spi. | ||
+ | Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi. | ||
+ | Multiple flash chip definitions match the detected chip(s): "MX25L12805D", "MX25L12835F/MX25L12845E/MX25L12865E" | ||
+ | Please specify which chip definition to use with the -c <chipname> option. | ||
+ | |||
+ | So here's the final command to read out the chip: | ||
+ | |||
+ | $ flashrom -c "MX25L12835F/MX25L12845E/MX25L12865E" -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -r proprietary.rom | ||
+ | flashrom on Linux 4.19.75+ (armv6l) | ||
+ | flashrom is free software, get the source code at https://flashrom.org | ||
+ | |||
+ | Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns). | ||
+ | Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi. | ||
+ | Reading flash... done. | ||
+ | |||
+ | It's easy to verify that if the reading worked. If you were reading out the original firmware, binwalk would print something like this: | ||
+ | |||
+ | $ binwalk proprietary.rom | ||
+ | |||
+ | DECIMAL HEXADECIMAL DESCRIPTION | ||
+ | -------------------------------------------------------------------------------- | ||
+ | 115152 0x1C1D0 Certificate in DER format (x509 v3), header length: 4, sequence length: 64 | ||
+ | 142896 0x22E30 U-Boot version string, "U-Boot 1.1.4-s1100 (Sep 5 2018 - 17:53:00)" | ||
+ | 143184 0x22F50 CRC32 polynomial table, big endian | ||
+ | 224396 0x36C8C CRC32 polynomial table, big endian | ||
+ | 226924 0x3766C Ubiquiti end header, header size: 12 bytes, cumulative ~CRC32: 0x454E442E | ||
+ | 231856 0x389B0 Ubiquiti partition header, header size: 56 bytes, name: "PARTkernel", base address: 0x00000001, data size: -2147475456 bytes | ||
+ | 231920 0x389F0 uImage header, header size: 64 bytes, header CRC: 0xE75790E0, created: 2018-11-13 14:36:59, image size: 998847 bytes, Data | ||
+ | Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0xAAECA664, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68" | ||
+ | 327680 0x50000 uImage header, header size: 64 bytes, header CRC: 0x22425505, created: 2019-02-13 09:09:52, image size: 990770 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0x8F3B71D3, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68" | ||
+ | 327744 0x50040 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2836596 bytes | ||
+ | 1318514 0x141E72 Ubiquiti partition header, header size: 56 bytes, name: "PARTrootfs", base address: 0x00000002, data size: 0 bytes | ||
+ | 1318578 0x141EB2 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 7203018 bytes, 956 inodes, blocksize: 262144 bytes, created: 2019-02-13 09:09:54 | ||
Useful resources: | Useful resources: | ||
* [https://www.flashrom.org/RaspberryPi Flashrom page on using the Raspberry Pi as a flashing tool] | * [https://www.flashrom.org/RaspberryPi Flashrom page on using the Raspberry Pi as a flashing tool] | ||
+ | |||
+ | ==== Writing to the chip with flashrom ==== | ||
+ | |||
+ | pi@raspberrypi:~ $ flashrom -c "MX25L12835F/MX25L12845E/MX25L12865E" -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -w read1-10000-openwrt.bin | ||
+ | flashrom on Linux 4.19.75-v7l+ (armv7l) | ||
+ | flashrom is free software, get the source code at https://flashrom.org | ||
+ | |||
+ | Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns). | ||
+ | Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi. | ||
+ | Reading old flash chip contents... done. | ||
+ | Erasing and writing flash chip... Erase/write done. | ||
+ | Verifying flash... VERIFIED. | ||
+ | |||
+ | === Flash using serial header access === | ||
+ | Direct serial access allows temporarily running OpenWRT in memory and using the temporary environment to flash a full image to the radio's memory. | ||
+ | |||
+ | [[File:Ubnt_ns5acl_serial.jpg|thumb|Click to enlarge pinout]] | ||
+ | # Using your thumb or a small tool, push the tab in the slot located on the lower rear of the radio and slide the bottom half out of the enclosure | ||
+ | # Looking at the rear of the board (where all the components are on the opposite side as the antenna), locate the serial headers on the middle left side of the board | ||
+ | # Solder at least the top 3 pins shown in the picture. The pins from left to right (starting with the square shaped pad that is unpopulated in the image) are 3.3V, RX, TX, and GND. 3.3V is not needed here | ||
+ | # Connect GND on the board to GND on your FTDI adapter, TX on the board to RX on the FTDI adapter, and RX on the board to TX on the FTDI adapter | ||
+ | # Make sure your FTDI adapter is in 3.3V mode and attached to your computer, then open the serial port on your computer (ex. <code>minicom -D /dev/ttyUSB0</code>). Use 115200 8N1 in your terminal settings. | ||
+ | # Connect the NanoStation and press enter in the console when it says <code>Hit any key to stop autoboot:</code>. You should be left at a <code>ar7240> </code> prompt. | ||
+ | # Connect your laptop to the LAN port of the PoE injector powering the NanoStation and assign a static IP of <code>192.168.1.254</code> | ||
+ | # Install a TFTP server and place [https://downloads.openwrt.org/releases/19.07.0/targets/ath79/generic/openwrt-19.07.0-ath79-generic-ubnt_nanostation-ac-loco-initramfs-kernel.bin openwrt-19.07.0-ath79-generic-ubnt_nanostation-ac-loco-initramfs-kernel.bin] in the root folder of the TFTP server (<code>/srv/tftp</code> for tftp-hpa on Arch). | ||
+ | # Rename the initramfs-kernel.bin file to <code>1401A8C0.img</code> and ensure the tftp server / service is started | ||
+ | # Run <code>tftpboot</code> in the serial console and wait for it to complete | ||
+ | # Run <code>bootm</code> in the serial console to boot the initramfs | ||
+ | # Once OpenWRT has booted, you can press Enter to enable shell access | ||
+ | # Ensure you have an IP address in the 192.168.1.x subnet and use scp to transfer the sysupgrade firmware you wish to flash | ||
+ | # Flash the full firmware to the radio's storage using <code>mtd -r write /tmp/sysupgrade.bin firmware</code>, replacing <code>sysupgrade.bin</code> with the full filename of the firmware you are flashing | ||
== Condensed Command-list == | == Condensed Command-list == | ||
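Review bot: The "Writing to the chip with flashrom" section writes read1-10000-openwrt.bin, a file name that no earlier step produces, and nothing tells the reader to keep the proprietary.rom read-out as a backup before the -w run. Suggest stating where that image comes from (the flash dump in the Files section, if that is the intent) and adding a step to read the chip twice and compare the two files before writing. The sentence "It's easy to verify that if the reading worked" in the reading section also has a stray "if".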
Line 76: | Line 249: | ||
tftp> put firmware.bin | tftp> put firmware.bin | ||
</pre> | </pre> | ||
+ | |||
+ | No re-boot is necessary. You should be able to access the router at 192.168.1.20 after a couple of minutes. | ||
+ | |||
=== Flash The Mass Mesh Firmware === | === Flash The Mass Mesh Firmware === | ||
<pre> | <pre> |
Latest revision as of 14:31, 6 February 2021
The NanoStation 5AC Loco is a directional, weather resistant, PoE powered radio with a beam width of 90 degrees and a secondary omnidirectional radio. This makes it useful for simultaneously meshing on one radio while providing an access point for client devices on the other.
Files
MassMesh Firmware (Factory) (Latest)
MassMesh Firmware (Sysupgrade) (Latest)
BitTorrent magnet link containing two 16MiB flash .bin files, one for a pre-OpenWrt stock 5AC Loco and another for an OpenWrt-flashed Loco. You may use the latter to overwrite the content of flash on a 5AC Loco to restore it to an older version of U-boot capable of booting OpenWrt, but note that the MAC address is also stored in flash.
Flashing
From OpenWrt
- Download the latest MassMesh sysupgrade firmware.
- Connect to the Nanostation and enter its IP address into your favorite web browser.
- If you are using another version of OpenWrt, please refer to its documentation for details about its IP address.
- Navigate to System → Backup / Flash Firmware → Actions: Flash new firmware image.
- Choose the sysupgrade file previously downloaded and click Flash
- Wait for the device to complete and reboot (This can take up to 5 minutes.)
From Stock Firmware (Ubiquiti AirOS)
Downgrade Ubiquiti AirOS via Web UI
- Download the Stock Firmware Image v8.5.0.36727.
- Power on the Nanostation via a PoE injector. (This is the **red** ethernet port on your injector.)
- Connect the LAN side of the PoE injector to a computer.
- Assign a static IP/netmask of <code>192.168.1.25/24</code> to the computer: <code>sudo ip addr add 192.168.1.25/24 dev eth0</code>
- Use a browser to visit http://192.168.1.20/
- Login using the set password or default credentials <code>ubnt / ubnt</code>
- Navigate to settings and downgrade the stock firmware to v8.5.0.36727 using the downloaded image file
Downgrade Ubiquiti AirOS via TFTP
    wget https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin
    cp WA.v8.5.0.36727.180118.1314.bin firmware.bin
    sudo apt install tftp
    tftp
    tftp> connect 192.168.1.20
    tftp> rexmt 1
    tftp> timeout 60
    tftp> binary
    tftp> put firmware.bin
No re-boot is necessary. You should be able to access the router at 192.168.1.20 after a couple of minutes.
Install The Mass Mesh OpenWrt Image
- Download the latest Mass Mesh firmware here.
- Copy the firmware onto the nanostation. (We like to put it in the <code>/tmp/</code> directory.)
- Open a secure shell on the Nanostation. <code>ssh ubnt@192.168.1.20</code>
- Patch the fwupdate.real binary a la the instructions here.
- <code>/tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin</code>
Advanced Flashing Techniques
Downgrade Ubiquiti AirOS With An External Programmer
When your nanostation is bricked, or if the stock firmware won't let you flash our custom firmware, you can use the In-System Programming (ISP) technique to reflash the device (see also the Flashrom wiki). You're going to need:
- a Pomona 5252 test clip (https://www.digikey.com/product-detail/en/pomona-electronics/5252/501-2059-ND/745103), ~$16
- a raspberry pi (e.g. a zero w) ~$10
- some header pins and prototyping wires to connect everything
The Nanostation has a Macronix MX25L12835F ROM chip (datasheet), a 16-pin SPI flash chip with 128 Mbit of storage.
We can use Flashrom running on a raspberry pi to read and write that chip, if we hook up the Pomona 5252 test clip to the MX25L12835F and connect it to the correct SPI pins on the pi:
(note: the SPI1 CE0/CE1 pins are not labeled on this image)
Pinouts (please proceed with caution!)
The Raspberry Pi has 2 SPI interfaces, SPI0 and SPI1.
On the Raspberry Pi boot partition, make sure to update config.txt and uncomment the line that reads
dtparam=spi=on
After a reboot, you should see the spi device files:
    root@raspberrypi:/home/pi# ls -laF /dev/spidev0.*
    crw-rw---- 1 root spi 153, 0 Jan 7 01:44 /dev/spidev0.0
    crw-rw---- 1 root spi 153, 1 Jan 7 01:44 /dev/spidev0.1
Now connect the Raspberry Pi to the Pomona clip. Choose either SPI0 or SPI1. We're going to leave the VCC pin on the flash chip disconnected. We are however going to connect a few other pins to our 3.3V source from the raspberry pi, to pull them up.
RPi SPI0 pin | RPi SPI0 signal | RPi SPI1 pin | RPi SPI1 signal | Pomona clip pin | Pomona clip signal | Notes | Color in picture below |
---|---|---|---|---|---|---|---|
17 | 3.3V | 17 | 3.3V | 1 | SIO3 | we do not use this pin, so we pull it up | red |
17 | 3.3V | 17 | 3.3V | 9 | WP#SIO2 | put the chip in read/write mode | red |
19 | SPI0 MOSI | 38 | SPI1 MOSI | 15 | SI | | blue |
21 | SPI0 MISO | 35 | SPI1 MISO | 8 | SO | | orange |
23 | SPI0 SCLK | 40 | SPI1 SCLK | 16 | SCLK | | green |
25 | GND | 25 | GND | 10 | GND | | brown |
24 | SPI0 CE0 | 12 | SPI1 CE0 | 7 | CS | | yellow |
Reading the chip with flashrom
Once the Pomona is connected to the raspberry pi, make sure the NanoStation is disconnected from power/ethernet. Then clip on the Pomona.
Flashrom on the Pi requires us to specify the speed of operation. We also need to specify the exact ROM chip model, because there are two models that match:
    $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -r proprietary.rom
    flashrom on Linux 4.19.75+ (armv6l)
    flashrom is free software, get the source code at https://flashrom.org

    Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
    Found Macronix flash chip "MX25L12805D" (16384 kB, SPI) on linux_spi.
    Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi.
    Multiple flash chip definitions match the detected chip(s): "MX25L12805D", "MX25L12835F/MX25L12845E/MX25L12865E"
    Please specify which chip definition to use with the -c <chipname> option.
So here's the final command to read out the chip:
    $ flashrom -c "MX25L12835F/MX25L12845E/MX25L12865E" -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -r proprietary.rom
    flashrom on Linux 4.19.75+ (armv6l)
    flashrom is free software, get the source code at https://flashrom.org

    Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
    Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi.
    Reading flash... done.
It's easy to verify that the read worked. If you were reading out the original firmware, binwalk would print something like this:
    $ binwalk proprietary.rom

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    115152        0x1C1D0         Certificate in DER format (x509 v3), header length: 4, sequence length: 64
    142896        0x22E30         U-Boot version string, "U-Boot 1.1.4-s1100 (Sep 5 2018 - 17:53:00)"
    143184        0x22F50         CRC32 polynomial table, big endian
    224396        0x36C8C         CRC32 polynomial table, big endian
    226924        0x3766C         Ubiquiti end header, header size: 12 bytes, cumulative ~CRC32: 0x454E442E
    231856        0x389B0         Ubiquiti partition header, header size: 56 bytes, name: "PARTkernel", base address: 0x00000001, data size: -2147475456 bytes
    231920        0x389F0         uImage header, header size: 64 bytes, header CRC: 0xE75790E0, created: 2018-11-13 14:36:59, image size: 998847 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0xAAECA664, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68"
    327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0x22425505, created: 2019-02-13 09:09:52, image size: 990770 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0x8F3B71D3, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68"
    327744        0x50040         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2836596 bytes
    1318514       0x141E72        Ubiquiti partition header, header size: 56 bytes, name: "PARTrootfs", base address: 0x00000002, data size: 0 bytes
    1318578       0x141EB2        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 7203018 bytes, 956 inodes, blocksize: 262144 bytes, created: 2019-02-13 09:09:54
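The same sanity check can be scripted so that a bad read (poor clip contact, wrong chip definition) is caught before anything is written back. The Python below is an added example, not part of the original wiki page or of flashrom/binwalk: it checks the dump size against the 16384 kB flashrom reports, rejects a dump made of one repeated byte, looks for the U-Boot banner, and validates uImage header and data CRCs like those in the binwalk listing. The function names, the pass/fail rules and the constructed sample image are assumptions for illustration.

```python
import hashlib
import struct
import zlib

FLASH_SIZE = 16 * 1024 * 1024            # flashrom reports 16384 kB for this chip
UIMAGE_MAGIC = b"\x27\x05\x19\x56"       # legacy U-Boot uImage magic number
UIMAGE_HDR = struct.Struct(">7I4B32s")   # 64-byte big-endian uImage header


def parse_uimage(buf, off):
    """Parse the uImage header at off; return None if its header CRC is wrong."""
    raw = bytes(buf[off:off + UIMAGE_HDR.size])
    if len(raw) < UIMAGE_HDR.size:
        return None
    (_magic, hcrc, _time, size, load, _entry, dcrc,
     _os, _arch, _type, _comp, name) = UIMAGE_HDR.unpack(raw)
    # The header CRC is computed with the CRC field itself set to zero.
    if zlib.crc32(raw[:4] + b"\0\0\0\0" + raw[8:]) != hcrc:
        return None
    data = buf[off + UIMAGE_HDR.size:off + UIMAGE_HDR.size + size]
    return {
        "offset": off,
        "name": name.split(b"\0")[0].decode("ascii", "replace"),
        "size": size,
        "load": load,
        "data_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }


def find_uimages(buf):
    """Return every uImage in the dump whose header CRC validates."""
    found, pos = [], buf.find(UIMAGE_MAGIC)
    while pos != -1:
        hdr = parse_uimage(buf, pos)
        if hdr:
            found.append(hdr)
        pos = buf.find(UIMAGE_MAGIC, pos + 1)
    return found


def check_dump(buf):
    """Return a list of problems with a flash read; an empty list means plausible."""
    problems = []
    if len(buf) != FLASH_SIZE:
        problems.append("size is %d bytes, expected %d" % (len(buf), FLASH_SIZE))
    if buf and buf.count(bytes(buf[:1])) == len(buf):
        problems.append("dump is a single repeated byte (check the clip contact)")
    if b"U-Boot " not in buf:
        problems.append("no U-Boot version string found")
    # A stale header may survive in flash, so require one fully valid image
    # rather than failing on every header whose data CRC does not match.
    if not any(img["data_ok"] for img in find_uimages(buf)):
        problems.append("no uImage whose header and data CRCs both validate")
    return problems


def reads_match(first, second):
    """Two independent reads of the same chip must hash identically."""
    return hashlib.sha256(first).digest() == hashlib.sha256(second).digest()


def build_sample():
    """Constructed 16 MiB image: a U-Boot banner and one uImage at 0x50000."""
    img = bytearray(b"\xff" * FLASH_SIZE)
    banner = b"U-Boot 1.1.4 (constructed sample)\0"
    img[0x22E30:0x22E30 + len(banner)] = banner
    data = bytes(range(256)) * 16
    # os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=3 (lzma)
    hdr = UIMAGE_HDR.pack(0x27051956, 0, 0, len(data), 0x80002000, 0x80002000,
                          zlib.crc32(data), 5, 5, 2, 3, b"constructed kernel")
    hdr = hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:]
    img[0x50000:0x50000 + len(hdr) + len(data)] = hdr + data
    return img


if __name__ == "__main__":
    sample = build_sample()
    print("problems:", check_dump(sample))
    for image in find_uimages(sample):
        print("uImage at 0x%X: %s" % (image["offset"], image["name"]))
```

On a real device, read the chip twice with flashrom into two files and pass both to `reads_match` before trusting either one.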
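Useful resources:
- Flashrom page on using the Raspberry Pi as a flashing tool (https://www.flashrom.org/RaspberryPi)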
Writing to the chip with flashrom
    pi@raspberrypi:~ $ flashrom -c "MX25L12835F/MX25L12845E/MX25L12865E" -p linux_spi:dev=/dev/spidev0.0,spispeed=4096 -w read1-10000-openwrt.bin
    flashrom on Linux 4.19.75-v7l+ (armv7l)
    flashrom is free software, get the source code at https://flashrom.org

    Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
    Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi.
    Reading old flash chip contents... done.
    Erasing and writing flash chip... Erase/write done.
    Verifying flash... VERIFIED.
Flash using serial header access
Direct serial access allows temporarily running OpenWRT in memory and using the temporary environment to flash a full image to the radio's memory.
- Using your thumb or a small tool, push the tab in the slot located on the lower rear of the radio and slide the bottom half out of the enclosure
- Looking at the rear of the board (where all the components are on the opposite side as the antenna), locate the serial headers on the middle left side of the board
- Solder at least the top 3 pins shown in the picture. The pins from left to right (starting with the square shaped pad that is unpopulated in the image) are 3.3V, RX, TX, and GND. 3.3V is not needed here
- Connect GND on the board to GND on your FTDI adapter, TX on the board to RX on the FTDI adapter, and RX on the board to TX on the FTDI adapter
- Make sure your FTDI adapter is in 3.3V mode and attached to your computer, then open the serial port on your computer (ex. <code>minicom -D /dev/ttyUSB0</code>). Use 115200 8N1 in your terminal settings.
- Connect the NanoStation and press enter in the console when it says <code>Hit any key to stop autoboot:</code>. You should be left at a <code>ar7240> </code> prompt.
- Connect your laptop to the LAN port of the PoE injector powering the NanoStation and assign a static IP of <code>192.168.1.254</code>
- Install a TFTP server and place openwrt-19.07.0-ath79-generic-ubnt_nanostation-ac-loco-initramfs-kernel.bin in the root folder of the TFTP server (<code>/srv/tftp</code> for tftp-hpa on Arch).
- Rename the initramfs-kernel.bin file to <code>1401A8C0.img</code> and ensure the tftp server / service is started
- Run <code>tftpboot</code> in the serial console and wait for it to complete
- Run <code>bootm</code> in the serial console to boot the initramfs
- Once OpenWRT has booted, you can press Enter to enable shell access
- Ensure you have an IP address in the 192.168.1.x subnet and use scp to transfer the sysupgrade firmware you wish to flash
- Flash the full firmware to the radio's storage using <code>mtd -r write /tmp/sysupgrade.bin firmware</code>, replacing <code>sysupgrade.bin</code> with the full filename of the firmware you are flashing
Condensed Command-list
Flash The Stock Ubiquiti Firmware via TFTP
    wget https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin
    cp WA.v8.5.0.36727.180118.1314.bin firmware.bin
    sudo apt install tftp
    tftp
    tftp> connect 192.168.1.20
    tftp> rexmt 1
    tftp> timeout 60
    tftp> binary
    tftp> put firmware.bin
No re-boot is necessary. You should be able to access the router at 192.168.1.20 after a couple of minutes.
Flash The Mass Mesh Firmware
    wget https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin
    scp openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin ubnt@192.168.1.20:/tmp
    ssh ubnt@192.168.1.20
    hexdump -Cv /bin/ubntbox | sed 's/14 40 fe fe/00 00 00 00/g' | hexdump -R > /tmp/fwupdate.real
    chmod +x /tmp/fwupdate.real
    /tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin