Ubiquiti NanoStation 5AC Loco

Revision as of 20:43, 28 January 2020 by Cure (Reading the chip with flashrom: clarify that we're not using nanostation power)
NanoStation 5AC Loco

The NanoStation 5AC Loco is a directional, weather resistant, PoE powered radio with a beam width of 90 degrees and a secondary omnidirectional radio. This makes it useful for simultaneously meshing on one radio while providing an access point for client devices on the other.

Warning: This is a PoE device. Never connect your computer directly to the PoE injector's red port!!!
Note: The Nanostation's architecture is MIPS 24KC.
Warning: As of January 1, 2020, brand new Nanostations do not support downgrading the Ubiquiti AirOS firmware. (Even with the patch.)

Files

Stock Firmware v8.5.0.36727

MassMesh Firmware (Factory) (Latest)

MassMesh Firmware (Sysupgrade) (Latest)

Flashing

From OpenWrt

Note: Mass Mesh mesh radios have a static IP of 192.168.2.1. To access the admin UI, set your computer's IP/netmask to 192.168.2.10/24, then browse to http://192.168.2.1/ in your favorite web browser.
  1. Download the latest MassMesh sysupgrade firmware.
  2. Connect to the Nanostation and enter its IP address into your favorite web browser.
    1. If you are using another version of OpenWrt, please refer to its documentation for details about its IP address.
  3. Navigate to System → Backup / Flash Firmware → Actions: Flash new firmware image.
  4. Choose the sysupgrade file previously downloaded and click Flash.
  5. Wait for the device to complete and reboot (This can take up to 5 minutes.)

From Stock Firmware (Ubiquiti AirOS)

Downgrade Ubiquiti AirOS

  1. Download the Stock Firmware Image v8.5.0.36727.
  2. Power on the Nanostation via a PoE injector. (This is the **red** ethernet port on your injector.)
  3. Connect the LAN side of the PoE injector to a computer.
  4. Assign a static IP/netmask of 192.168.1.25/24 to the computer.
    1. sudo ip addr add 192.168.1.25/24 dev eth0
  5. Use a browser to visit http://192.168.1.20/
  6. Log in using the set password or the default credentials ubnt / ubnt.
  7. Navigate to settings and downgrade the stock firmware to v8.5.0.36727 using the downloaded image file

Install The Mass Mesh OpenWrt Image

Note: Additional instructions are available on OpenWrt's website.
  1. Download the latest Mass Mesh firmware here.
  2. Copy the firmware onto the nanostation. (We like to put it in the /tmp/ directory.)
  3. Open a secure shell on the Nanostation. ssh ubnt@192.168.1.20
  4. Patch the fwupdate.real binary a la the instructions here.
  5. /tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin

Downgrade Ubiquiti AirOS With An External Programmer

When your nanostation is bricked, or if the stock firmware won't let you flash our custom firmware, you can use the In-System Programming (ISP) technique to reflash the device (see also the Flashrom wiki). You're going to need:

  1. a Pomona 5252 test clip (https://www.digikey.com/product-detail/en/pomona-electronics/5252/501-2059-ND/745103), ~$16
  2. a raspberry pi (e.g. a zero w) ~$10
  3. some header pins and prototyping wires to connect everything

The Nanostation has a Macronix MX25L12835F ROM chip (datasheet), which is a 16-pin SPI flash chip with 128 Mbit of storage.

We can use Flashrom running on a raspberry pi to read and write that chip, if we hook up the Pomona 5252 test clip to the MX25L12835F and connect it to the correct SPI pins on the pi:

raspberry pi GPIO pinout

(note: the SPI1 CE0/CE1 pins are not labeled on this image)

Pinouts (please proceed with caution!)

The Raspberry Pi has 2 SPI interfaces, SPI0 and SPI1.

On the Raspberry Pi boot partition, make sure to update config.txt and uncomment the line that reads

dtparam=spi=on

After a reboot, you should see the spi device files:

 root@raspberrypi:/home/pi# ls -laF /dev/spidev0.*
 crw-rw---- 1 root spi 153, 0 Jan  7 01:44 /dev/spidev0.0
 crw-rw---- 1 root spi 153, 1 Jan  7 01:44 /dev/spidev0.1

Now connect the Raspberry Pi to the Pomona clip. Choose either SPI0 or SPI1. We're going to leave the VCC pin on the flash chip disconnected. We are however going to connect a few other pins to our 3.3V source from the raspberry pi, to pull them up.

 RPi SPI0     | RPi SPI1     | Pomona Clip | Notes                                    | Color in picture below
 -------------|--------------|-------------|------------------------------------------|-----------------------
 17 3.3V      | 17 3.3V      | 1 SIO3      | we do not use this pin, so we pull it up | red
 17 3.3V      | 17 3.3V      | 9 WP#SIO2   | put the chip in read/write mode          | red
 19 SPI0 MOSI | 38 SPI1 MOSI | 15 SI       |                                          | blue
 21 SPI0 MISO | 35 SPI1 MISO | 8 SO        |                                          | orange
 23 SPI0 SCLK | 40 SPI1 SCLK | 16 SCLK     |                                          | green
 25 GND       | 25 GND       | 10 GND      |                                          | brown
 24 SPI0 CE0  | 12 SPI1 CE0  | 7 CS        |                                          | yellow


A Raspberry Pi Zero W with wires connected to the SPI0 pins. There is an unused 3.3V wire visible.

Reading the chip with flashrom

Once the pomona is connected to the raspberry pi, make sure the nanostation is disconnected from power/ethernet. Then clip on the pomona.

Flashrom on the raspberry pi requires us to specify the spi speed for the operation. We also need to specify the exact rom chip model, because there are two models that match:

 $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=30000 -r proprietary.rom
 flashrom  on Linux 4.19.75+ (armv6l)
 flashrom is free software, get the source code at https://flashrom.org
 Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
 Found Macronix flash chip "MX25L12805D" (16384 kB, SPI) on linux_spi.
 Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi.
 Multiple flash chip definitions match the detected chip(s): "MX25L12805D", "MX25L12835F/MX25L12845E/MX25L12865E"
 Please specify which chip definition to use with the -c <chipname> option.

So here's the final command to read out the chip:

 $ flashrom -c "MX25L12835F/MX25L12845E/MX25L12865E" -p linux_spi:dev=/dev/spidev0.0,spispeed=30000 -r proprietary.rom
 flashrom  on Linux 4.19.75+ (armv6l)
 flashrom is free software, get the source code at https://flashrom.org
 Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
 Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on linux_spi.
 Reading flash... done.

It's easy to verify that the read worked. If you were reading out the original firmware, binwalk would print something like this:

 $ binwalk proprietary.rom 
 DECIMAL       HEXADECIMAL     DESCRIPTION
 --------------------------------------------------------------------------------
 115152        0x1C1D0         Certificate in DER format (x509 v3), header length: 4, sequence length: 64
 142896        0x22E30         U-Boot version string, "U-Boot 1.1.4-s1100 (Sep  5 2018 - 17:53:00)"
 143184        0x22F50         CRC32 polynomial table, big endian
 224396        0x36C8C         CRC32 polynomial table, big endian
 226924        0x3766C         Ubiquiti end header, header size: 12 bytes, cumulative ~CRC32: 0x454E442E
 231856        0x389B0         Ubiquiti partition header, header size: 56 bytes, name: "PARTkernel", base address: 0x00000001, data size: -2147475456 bytes
 231920        0x389F0         uImage header, header size: 64 bytes, header CRC: 0xE75790E0, created: 2018-11-13 14:36:59, image size: 998847 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0xAAECA664, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68"
 327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0x22425505, created: 2019-02-13 09:09:52, image size: 990770 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0x8F3B71D3, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68"
 327744        0x50040         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2836596 bytes
 1318514       0x141E72        Ubiquiti partition header, header size: 56 bytes, name: "PARTrootfs", base address: 0x00000002, data size: 0 bytes
 1318578       0x141EB2        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 7203018 bytes, 956 inodes, blocksize: 262144 bytes, created: 2019-02-13 09:09:54
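
The binwalk listing above only shows that signatures were found; it does not recompute the CRC32 values stored in the uImage headers. The following is an added example, not part of the original wiki page: it locates each uImage header in a dump and verifies both the header CRC and the data CRC, so bit errors from a poor clip contact show up before anything is written back. The function names are hypothetical, and `build_sample_dump` produces constructed test data rather than a real NanoStation image.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956           # magic at the start of every uImage header
HEADER = struct.Struct(">7I4B32s")  # 64 bytes, multi-byte fields are big-endian


def check_uimages(dump: bytes):
    """Return one dict per uImage header in `dump` whose header CRC is valid."""
    results = []
    magic = struct.pack(">I", UIMAGE_MAGIC)
    pos = dump.find(magic)
    while pos != -1:
        raw = dump[pos:pos + HEADER.size]
        if len(raw) == HEADER.size:
            (_, hcrc, _created, size, _load, _entry, dcrc,
             _os, _arch, _type, _comp, name) = HEADER.unpack(raw)
            # The header CRC is computed with the header-CRC field itself zeroed.
            zeroed = raw[:4] + b"\x00\x00\x00\x00" + raw[8:]
            # A magic value with a bad header CRC is treated as a false positive.
            if zlib.crc32(zeroed) & 0xFFFFFFFF == hcrc:
                data = dump[pos + HEADER.size:pos + HEADER.size + size]
                results.append({
                    "offset": pos,
                    "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
                    "size": size,
                    # False if the payload is truncated or any payload bit differs.
                    "data_ok": len(data) == size
                               and zlib.crc32(data) & 0xFFFFFFFF == dcrc,
                })
        pos = dump.find(magic, pos + 1)
    return results


def build_sample_dump():
    """Constructed input: one synthetic uImage at 0x50000 in a 1 MiB 0xFF-filled image."""
    payload = bytes(range(256)) * 16
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80002000, 0x80002000,
              zlib.crc32(payload) & 0xFFFFFFFF, 5, 5, 2, 3,
              b"constructed sample kernel"]
    fields[1] = zlib.crc32(HEADER.pack(*fields)) & 0xFFFFFFFF
    image = HEADER.pack(*fields) + payload
    dump = bytearray(b"\xff" * (1 << 20))
    dump[0x50000:0x50000 + len(image)] = image
    return bytes(dump)


if __name__ == "__main__":
    for r in check_uimages(build_sample_dump()):
        print(f"0x{r['offset']:X} {r['name']!r} size={r['size']} data_ok={r['data_ok']}")
```

To check a real read, pass the file contents instead, for example `check_uimages(open("proprietary.rom", "rb").read())`. If a header reports `data_ok` as false, read the chip a second time and compare the two files before concluding anything about the firmware itself.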


Useful resources:

Flash using serial header access

With small modifications to the radio, direct serial access allows temporarily running OpenWrt in memory and using that temporary environment to flash a full image to the radio's flash storage.

Serial header pinout
  1. Using your thumb or a small tool, push the tab in the slot located on the lower rear of the radio and slide the bottom half out of the enclosure
  2. Looking at the rear of the board (where all the components are on the opposite side as the antenna), locate the serial headers on the middle left side of the board
  3. Solder at least the top 3 pins shown in the picture. The pins from left to right (starting with the square shaped pad that is unpopulated in the image) are 3.3V, RX, TX, and GND. 3.3V is not needed here
  4. Connect GND on the board to GND on your FTDI adapter, TX on the board to RX on the FTDI adapter, and RX on the board to TX on the FTDI adapter
  5. Make sure your FTDI adapter is in 3.3V mode and attached to your computer, then open the serial port on your computer (ex. minicom -D /dev/ttyUSB0). Use 115200 8N1 in your terminal settings.
  6. Connect the NanoStation and press enter in the console when it says Hit any key to stop autoboot:. You should be left at an ar7240> prompt.
  7. Connect your laptop to the LAN port of the PoE injector powering the NanoStation and assign a static IP of 192.168.1.254
  8. Install a TFTP server and place openwrt-19.07.0-ath79-generic-ubnt_nanostation-ac-loco-initramfs-kernel.bin in the root folder of the TFTP server (/srv/tftp for tftp-hpa on Arch).
  9. Rename the initramfs-kernel.bin file to 1401A8C0.img and ensure the tftp server / service is started
  10. Run tftpboot in the serial console and wait for it to complete
  11. Run bootm in the serial console to boot the initramfs
  12. Once OpenWrt has booted, you can press Enter to enable shell access
  13. Ensure you have an IP address in the 192.168.1.x subnet and use scp to transfer the sysupgrade firmware you wish to flash
  14. Flash the full firmware to the radio's storage using mtd -r write /tmp/sysupgrade.bin firmware, replacing sysupgrade.bin with the full filename of the firmware you are flashing

Condensed Command-list

Flash The Stock Ubiquiti Firmware via TFTP

wget https://dl.ubnt.com/firmwares/XC-fw/v8.5.0/WA.v8.5.0.36727.180118.1314.bin
cp WA.v8.5.0.36727.180118.1314.bin firmware.bin
sudo apt install tftp
tftp
tftp> connect 192.168.1.20
tftp> rexmt 1
tftp> timeout 60
tftp> binary
tftp> put firmware.bin

Flash The Mass Mesh Firmware

wget https://github.com/MassMesh/meta-imagebuilder-artifacts/raw/master/massmesh/meshradio/ubnt_nanostation-ac-loco/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin
scp openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin ubnt@192.168.1.20:/tmp
ssh ubnt@192.168.1.20
hexdump -Cv /bin/ubntbox | sed 's/14 40 fe fe/00 00 00 00/g' | hexdump -R > /tmp/fwupdate.real
chmod +x /tmp/fwupdate.real
/tmp/fwupdate.real -m /tmp/openwrt-massmesh-meshradio-ath79-generic-ubnt_nanostation-ac-loco-squashfs-factory.bin