Ubiquiti NanoStation 5AC Loco
The NanoStation 5AC Loco is a directional, weather resistant, PoE powered radio with a beam width of 90 degrees and a secondary omnidirectional radio. This makes it useful for simultaneously meshing on one radio while providing an access point for client devices on the other.
Contents
Files
MassMesh Firmware (Factory) (Latest)
MassMesh Firmware (Sysupgrade) (Latest)
Flashing
From OpenWrt
- Download the latest MassMesh sysupgrade firmware.
- Connect to the Nanostation and enter its IP address into your favorite web browser.
- If you are using another version of OpenWrt, please refer to its documentation for details about its IP address.
- Navigate to System → Backup / Flash Firmware → Actions: Flash new firmware image.
- Choose the sysupgrade file previously downloaded and click Flash
- Wait for the device to complete and reboot (This can take up to 5 minutes.)
From Stock Firmware (Ubiquiti AirOS)
Downgrade Ubiquiti AirOS
- Download the Stock Firmware Image v8.5.0.36727.
- Power on the Nanostation via a PoE injector. (This is the **red** ethernet port on your injector.)
- Connect the LAN side of the PoE injector to a computer.
- Assign a static IP/netmask of
192.168.1.25/24
to the computersudo ip addr add 192.168.1.25/24 dev eth0
- Use a browser to visit http://192.168.1.20/
- Login using the set password or default credentials
ubnt / ubnt
- Navigate to settings and downgrade the stock firmware to v8.5.0.36727 using the downloaded image file
Install The Mass Mesh OpenWrt Image
- Download the latest Mass Mesh firmware here.
- Copy the firmware onto the nanostation. (We like to put it in the
/tmp/
directory.) - Open a secure shell on the Nanostation.
ssh ubnt@192.168.1.20
- Patch the fwupdate.real binary a la the instructions here.
/tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin
Downgrade Ubiquiti AirOS With An External Programmer
When your nanostation is bricked, or if the stock firmware won't let you flash our custom firmware, you can use the In-System Programming (ISP) technique to reflash the device (see also the Flashrom wiki. You're going to need:
- a Pomona 5252 test clip (https://www.digikey.com/product-detail/en/pomona-electronics/5252/501-2059-ND/745103), ~$16
- a raspberry pi (e.g. a zero w) ~$10
- some header pins and prototyping wires to connect everything
The Nanostation has a Macronix MX25L12835F rom chip (datasheet), which is an SPI chip with 16 connectors good for 128 Mbit of storage.
We can use Flashrom running on a raspberry pi to read and write that chip, if we hook up the Pomona 5252 test clip to the MX25L12835F and connect it to the correct SPI pins on the pi:
(note: the SPI1 CE0/CE1 pins are not labeled on this image)
Pinouts (please proceed with caution!)
The Raspberry Pi has 2 SPI interfaces, SPI0 and SPI1.
On the Raspberry Pi boot partition, make sure to update config.txt and uncomment the line that reads
dtparam=spi=on
After a reboot, you should see the spi device files:
root@raspberrypi:/home/pi# ls -laF /dev/spidev0.* crw-rw---- 1 root spi 153, 0 Jan 7 01:44 /dev/spidev0.0 crw-rw---- 1 root spi 153, 1 Jan 7 01:44 /dev/spidev0.1
Now connect the Raspberry Pi to the Pomona clip. Choose either SPI0 or SPI1. We're going to leave the VCC pin on the flash chip disconnected. We are however going to connect a few other pins to our 3.3V source from the raspberry pi, to pull them up.
RPi SPI0 | RPi SPI1 | Pomona Clip | Notes | Color in picture below | |||
---|---|---|---|---|---|---|---|
17 | 3.3V | 17 | 3.3V | 1 | SIO3 | we do not use this pin, so we pull it up | red |
17 | 3.3V | 17 | 3.3V | 9 | WP#SIO2 | put the chip in read/write mode | red |
19 | SPI0 MOSI | 38 | SPI1 MOSI | 15 | SI | blue | |
21 | SPI0 MISO | 35 | SPI1 MISO | 8 | SO | orange | |
23 | SPI0 SCLK | 40 | SPI1 SCLK | 16 | SCLK | green | |
25 | GND | 25 | GND | 10 | GND | brown | |
24 | SPI0 CE0 | 12 | SPI1 CE0 | 7 | CS | yellow |
Reading the chip with flashrom
Once the pomona is connected to the raspberry pi, make sure the nanostation is disconnected from power/ethernet. Then clip on the pomona.
Flashrom on the raspberry pi requires us to specify the spi speed for the operation. We also need to specify the exact rom chip model, because there are two models that match:
$ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=30000 -r proprietary.rom flashrom on Linux 4.19.75+ (armv6l) flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns). Found Macronix flash chip "MX25L12805D" (16384 kB, SPI) on linux_spi. Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi. Multiple flash chip definitions match the detected chip(s): "MX25L12805D", "MX25L12835F/MX25L12845E/MX25L12865E" Please specify which chip definition to use with the -c <chipname> option.
So here's the final command to read out the chip:
$ flashrom -c "MX25L12835F/MX25L12845E/MX25L12865E" -p linux_spi:dev=/dev/spidev0.0,spispeed=30000 -r proprietary.rom flashrom on Linux 4.19.75+ (armv6l) flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns). Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi. Reading flash... done.
It's easy to verify that if the reading worked. If you were reading out the original firmware, binwalk would print something like this:
$ binwalk proprietary.rom
DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 115152 0x1C1D0 Certificate in DER format (x509 v3), header length: 4, sequence length: 64 142896 0x22E30 U-Boot version string, "U-Boot 1.1.4-s1100 (Sep 5 2018 - 17:53:00)" 143184 0x22F50 CRC32 polynomial table, big endian 224396 0x36C8C CRC32 polynomial table, big endian 226924 0x3766C Ubiquiti end header, header size: 12 bytes, cumulative ~CRC32: 0x454E442E 231856 0x389B0 Ubiquiti partition header, header size: 56 bytes, name: "PARTkernel", base address: 0x00000001, data size: -2147475456 bytes 231920 0x389F0 uImage header, header size: 64 bytes, header CRC: 0xE75790E0, created: 2018-11-13 14:36:59, image size: 998847 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0xAAECA664, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68" 327680 0x50000 uImage header, header size: 64 bytes, header CRC: 0x22425505, created: 2019-02-13 09:09:52, image size: 990770 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0x8F3B71D3, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68" 327744 0x50040 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2836596 bytes 1318514 0x141E72 Ubiquiti partition header, header size: 56 bytes, name: "PARTrootfs", base address: 0x00000002, data size: 0 bytes 1318578 0x141EB2 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 7203018 bytes, 956 inodes, blocksize: 262144 bytes, created: 2019-02-13 09:09:54
Useful resources:
Flash using serial header access
Using small modifications to the radio, direct serial access allows temporarily running OpenWRT in memory and using the temporary environment to flash a full image to the radio's memory.
- Using your thumb or a small tool, push the tab in the slot located on the lower rear of the radio and slide the bottom half out of the enclosure
- Looking at the rear of the board (where all the components are on the opposite side as the antenna), locate the serial headers on the middle left side of the board
- Solder at least the top 3 pins shown in the picture. The pins from left to right (starting with the square shaped pad that is unpopulated in the image) are 3.3V, RX, TX, and GND. 3.3V is not needed here
- Connect GND on the board to GND on your FTDI adapter, TX on the board to RX on the FTDI adapter, and RX on the board to TX on the FTDI adapter
- Make sure your FTDI adapter is in 3.3V mode and attached to your computer, then open the serial port on your computer (ex.
minicom -D /dev/ttyUSB0
). Use 115200 8N1 in your terminal settings. - Connect the NanoStation and press enter in the console when it says
Hit any key to stop autoboot:
. You should be left at aar7240>
prompt. - Connect your laptop to the LAN port of the PoE injector powering the NanoStation and assign a static IP of
192.168.1.254
- Install a TFTP server and place openwrt-19.07.0-ath79-generic-ubnt_nanostation-ac-loco-initramfs-kernel.bin in the root folder of the TFTP server (
/srv/tftp
for tftp-hpa on Arch). - Rename the initramfs-kernel.bin file to
1401A8C0.img
and ensure the tftp server / service is started - Run
tftpboot
in the serial console and wait for it to complete - Run
bootm
in the serial console to boot the initramfs - Once OpenWRT has booted, you can press Enter to enable shell access
- Ensure you have an IP address in the 192.168.1.x subnet and use scp to transfer the sysupgrade firmware you wish to flash
- Flash the full firmware to the radio's storage using
mtd -r write /tmp/sysupgrade.bin firmware
, replacingsysupgrade.bin
with the full filename of the firmware you are flashing
Condensed Command-list
Flash The Stock Ubiquiti Firmware via TFTP
wget https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin cp https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin firmware.bin sudo apt install tftp tftp tftp> connect 192.168.1.20 tftp> rexmt 1 tftp> timeout 60 tftp> binary tftp> put firmware.bin
Flash The Mass Mesh Firmware
wget https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin scp openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin ubnt@192.168.1.20:/tmp ssh ubnt@192.168.1.20 hexdump -Cv /bin/ubntbox | sed 's/14 40 fe fe/00 00 00 00/g' | hexdump -R > /tmp/fwupdate.real chmod +x /tmp/fwupdate.real /tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin