Ubiquiti UniFi AP and AP-LR

NOTE for UAP-v2: As for July 2018, Ubiquiti seems to have blocked custom firmware installation possibility by using signatures on all 3.7 and later brand firmwares. As long as there is no brand pre-3.7 firmware available (in order to downgrade) for UAP-v2 devices, installing OpenWrt/LEDE could be impossible, as seen on the forum https://forum.lede-project.org/t/are-ubiquiti-actively-blocking-installation-of-third-party-firmware/4301 and https://forum.lede-project.org/t/are-ubiquiti-blocking-lede-installation/3877. If you want liberty, do not buy Ubiquiti.

Barrier Breaker 14.07 openwrt-ar71xx-generic-ubnt-unifi-squashfs-factory.bin works out of the box, no need to change XM/BZ for the firmware image. Configurations then can be changed right away using LuCi.

Install OpenWrt (generic explanation)

  1. Device get IP address from DHCP (without DHCP the UniFi AP's default to 192.168.1.20)
  2. Login inside the AP with ssh ubnt@ip_address (password ubnt)
  3. Find the image like “openwrt-ar71xx-ubnt-unifi-*-factory.bin” on openwrt binary repository and download inside /tmp.
  4. Rename the image to fwupdate.bin
  5. Use the Ubiquiti fwupdate.real script to reflash it:
    fwupdate.real -m openwrt-ar71xx-generic-ubnt-unifi-squashfs-factory.bin -d

Later 3.xx firmware versions fail to upgrade using the above and brick so use instead. If brick reset device with 20-sec-press way with connected lan-cable - after it tftp start work.

  1. Device get IP address from DHCP (without DHCP the UniFi AP's default to 192.168.1.20)
  2. Login inside the AP with ssh ubnt@ip_address (password ubnt)
  3. Find the image like “openwrt-ar71xx-ubnt-unifi-*-factory.bin” on openwrt binary repository and download inside /tmp.
  4. Use syswrapper to flash it:
mv /tmp/openwrt-ar71xx-generic-ubnt-unifi-squashfs-factory.bin /tmp/fwupdate.bin
cd /tmp
nohup syswrapper.sh upgrade2

- As refered, it could be impossible to install OpenWrt/LEDE on UAP-v2 devices.

Later 4.xx firmware versions fail to upgrade via TFTP too because of different MTD partition scheme. See via serial port console:

ar7240> mtdparts

device nor0 <ar7240-nor0>, # parts = 5
 #: name			size		offset		mask_flags
 0: u-boot                	0x00040000	0x00000000	0
 1: u-boot-env            	0x00010000	0x00040000	0
 2: kernel                	0x00760000	0x00050000	0
 3: cfg                   	0x00040000	0x007b0000	0
 4: EEPROM                	0x00010000	0x007f0000	0

rootfs partition is removed so firmware upgrade fail. In the serial port console, during booting, press any button to interrupt the U-BOOT autoboot procedure:

U-Boot unifi-v1.6.17.296-g1af7670c (Apr 22 2019 - 11:05:55)

DRAM:  64 MB
Base:0x80000000, Top:0x84000000, Res logbuf:0xa3ff3800, log_magic:0xf0e0f0f0 kseg: 0xa0000000
Flash:  8 MB
PCIe WLAN Module found (tries: 1). 
Net:   eth0, eth1
Board: Copyright Ubiquiti Networks Inc. 2014
Hit any key to stop autoboot:  1 
ar7240>

Optionally, it is also possible to set and check the IP address:

ar7240> setenv ipaddr 192.168.0.20
ar7240> setenv serverip 192.168.0.231 
ar7240> ping ${serverip}

And now, with a tftp server at 192.168.1.254 (default, or 192.168.0.231 in above example) with openwrt sysupgrade firmware file, issue this commands:

ar7240> tftpboot 0x80000000 openwrt-19.07.2-ar71xx-generic-ubnt-unifi-squashfs-sysupgrade.bin

reply:

Using eth0 device
TFTP from server 192.168.1.254; our IP address is 192.168.1.20
Filename 'openwrt-19.07.2-ar71xx-generic-ubnt-unifi-squashfs-sysupgrade.bin'.
Load address: 0x80000000
Loading: *#################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 ########################################
done
Bytes transferred = 4194308 (400004 hex)

after:

ar7240> erase 0x9f050000 +0x00760000

reply:

..................................... done
Erased 118 sectors

after:

ar7240> cp.b 0x80000000 0x9f050000 0x400004

Important: the last number in that line (0x400004) refers to the size from the last line of TFTP transfer (400004 hex). Other OpenWrt firmware files can have other sizes. Mind to adjust command line as needed. The size should be 0x52012f for 21.02.1 reply:

Copy to Flash... write addr: 9f050000
done

finally:

ar7240> reset

If you have already installed OpenWrt and like to reflash for e.g. upgrading to a new OpenWrt version you can upgrade using the sysupgrade command line tool. It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.

  • Browse to http://192.168.1.1/cgi-bin/luci/mini/system/upgrade/ LuCI Upgrade URL
  • Upload “openwrt-ar71xx-ubnt-unifi-*-sysupgrade.bin” file to LuCI
  • Wait for reboot
  • Login as root via SSH on your access point ip
  • Use the following commands to upgrade:
    cd /tmp/
    wget http://downloads.openwrt.org/.../openwrt-ar71xx-ubnt-unifi-*-sysupgrade.bin
    sysupgrade -i /tmp/openwrt-ar71xx-ubnt-unifi-*-sysupgrade.bin

Very helpful in case your upgrade went wrong or your AP is not responding anymore. See TFTP Unbricking section below for more detailed instructions on this process

  • Keep the reset button pressed while powering on AP
  • Once the LED ring is blinking green/orange, you can run the TFTP command.
  • In case you are on Windows, the command is:
    tftp -i 192.168.1.20 put openwrt-ar71xx-generic-ubnt-unifi-squashfs-factory.bin
  • On linux using tftp-hpa 5.2 you can run
    tftp 192.168.1.20 -lv -m binary -c put openwrt-[version]-ar71xx-generic-ubnt-unifi-squashfs-factory.bin
    -lv = literal mode + verbose
    -m binary = transfer in binary mode
    -c put file-path = run `put file-path`
  • If this is succesful, you will see:
    Transfer successful: 3342748 bytes in 2 second(s), 1671374 bytes/s
  • After this, just wait for about a minute for the AP to reboot and boot OpenWrt. The LED ring will show static green when ready.
Architecture MIPS
Vendor Atheros
Bootloader U-boot
System-On-Chip Atheros (AR7240)
CPU Speed 400 MHz
Flash-Chip MX25L6405D
Flash size 8 MiB
RAM 64 MiB DDR
Wireless AR9287
Switch none
Ethernet ports 1x 10/100, PoE capable
USB No 1)
Serial Yes, settings
JTAG Yes

A male-strip is on board to connect your TTL capable serial converter. Serial connection parameters: 115200, 8N1. Do not connect 3.3V pin.

How to connect to JTAG interface, and how to reflash the device with JTAG tools
See port.jtag for more JTAG details.
The USBJTAG NT also supports read, write, erase, debrick, etc. You can use the WRT160NL config, or download the specific device config from this forum post.


The UniFi ap has 2 leds, the orange one can be configured adding something like:

config led
	option default '0'
	option name 'led1'
	option sysfs 'ubnt:green:dome'
	option trigger 'netdev'
	option dev 'br-lan'
	option mode 'link'

config led
	option default '0'
	option name 'led2'
	option sysfs 'ubnt:orange:dome'
	option trigger 'netdev'
	option dev 'br-lan'
	option mode 'tx rx'

at the end of /etc/config/system. This will give you a steady green when the ethernet is up and a light blink during wireless activity.

Also its possible to change the led status manually.

  1. static, use 1 for on, 0 for off:
    echo 1 > /sys/class/leds/ubnt\:orange\:dome/brightness
    echo 1 > /sys/class/leds/ubnt\:green\:dome/brightness
    echo 0 > /sys/class/leds/ubnt\:green\:dome/brightness
    echo 0 > /sys/class/leds/ubnt\:orange\:dome/brightness
  2. blinking
    1. blinking on, interval 1000ms, orange led:
      echo timer > /sys/class/leds/ubnt\:orange\:dome/trigger
      echo 1000 > /sys/class/leds/ubnt\:orange\:dome/delay_on
      echo 1000 > /sys/class/leds/ubnt\:orange\:dome/delay_off
    2. blinking off:
      echo 0 > /sys/class/leds/ubnt\:orange\:dome/delay_off

This is a working standalone router setup, working as of 17.01.4. The old version used a trick with bridging a nonexistent interface (eth1) for no real reason, and it didn't work for me. Instead, I just set the wlan0 interface to be the lan network and everything worked perfectly. This is a working configuration that should be default, in easily pasteable form:

uci set network.loopback=interface
uci set network.loopback.ifname='lo'
uci set network.loopback.proto='static'
uci set network.loopback.ipaddr='127.0.0.1'
uci set network.loopback.netmask='255.0.0.0'
uci set network.lan=interface
uci set network.lan.proto='static'
uci set network.lan.ipaddr='192.168.1.1'
uci set network.lan.netmask='255.255.255.0'
uci set network.lan.ip6assign='60'
uci set network.wan=interface
uci set network.wan.proto='dhcp'
uci set network.wan.ifname='eth0'
uci set network.wan6=interface
uci set network.wan6.proto='dhcpv6'
uci set network.wan6.ifname='eth0'
uci set network.wan6.reqaddress='try'
uci set network.wan6.reqprefix='auto'

uci set wireless.radio0=wifi-device
uci set wireless.radio0.type='mac80211'
uci set wireless.radio0.channel='11'
uci set wireless.radio0.hwmode='11g'
uci set wireless.radio0.path='pci0000:00/0000:00:00.0'
uci set wireless.radio0.htmode='HT20'
uci set wireless.radio0.distance='20'
uci set wireless.default_radio0=wifi-iface
uci set wireless.default_radio0.device='radio0'
uci set wireless.default_radio0.network='lan'
uci set wireless.default_radio0.mode='ap'
uci set wireless.default_radio0.ssid='OpenWRT'
uci set wireless.default_radio0.encryption='open'
uci commit

/etc/init.d/network reload

The UniFi has only the single ethernet port, so much of the OpenWrt documentation is a little confusing. Most of the documentation is written with the idea of routers which have a WAN port, a LAN wired switch and the WLAN wireless. Clearly the Unifi doesn't have the wired LAN switch.

After flashing (I found r41163 worked while the 12.09 version had the XM problem discussed above and editing the characters 4-6 didn't fix it) I was able to connect via wired ethernet as described in FirstLogin (i.e. there is a DHCP server handing out IPs in the 192.168.1.X subnet, running on the ethernet port).

After changing the password and exiting, I had to wait a while (60 secs?) until I could ssh back into the box. That was strange because I thought I'd lost networking ... I think that is due to a long-running first time ssh key generation. Even so, each ssh in takes a long time to respond (something about recent versions of dropbear taking a long time to setup a session key). I found LUCI not installed, so I had to work to get internet access on the box before I could use that.

Once ssh'd into the box I followed these steps: 1. Enable wireless, using commands at top of the UCI wireless config page. This enables the radio. The radio is bridged to the lan network. 2. Connect to the wireless network, disconnect the wired from your computer, and ensure that you can ssh in via the wifi. 3. Swap eth0 and eth1 between lan and wan. The default configuration has the ethernet port on the lan network. But if you are going to plug the Unifi into a cable modem (for example) to use it as a router, then you want the ethernet port to be the wan network (and to seek a dhcp assigned address). I edited the /etc/config/wireless file changing etho in the lan section to eth1, and eth0 in the wan section to eth1. Quite honestly I'm not sure that this is perfect (since there isn't an eth1 on the Unifi, but it worked for me). 4. Restart networking (/etc/inid.d/networking restart) 5. Connect the ethernet lan on the PoE injector to the cable modem. Remember nonsense about having cable modem off for 20 seconds or so to give out an IP to a new MAC address. 6. Connect back to the OpenWrt Wifi. 7. ping google.com. yay.

At this point things are working with NAT routing between the lan and the wan.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
config globals 'globals'
	option ula_prefix 'fd18:37f2:587f::/48'
config interface 'lan'
	option ifname 'eth1'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'
root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr DC:9F:DB:EB:19:24
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd18:37f2:587f::1/60 Scope:Global
          inet6 addr: 2605:6000:1018:5f::1/64 Scope:Global
          inet6 addr: fe80::de9f:dbff:feeb:1924/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35879 errors:0 dropped:0 overruns:0 frame:0
          TX packets:64154 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7629054 (7.2 MiB)  TX bytes:76188963 (72.6 MiB)
eth0      Link encap:Ethernet  HWaddr DC:9F:DB:EA:19:24
          inet addr:70.113.82.54  Bcast:70.113.95.255  Mask:255.255.224.0
          inet6 addr: 2605:6000:ffc0:60:1406:59bd:ae45:b383/128 Scope:Global
          inet6 addr: fe80::de9f:dbff:feea:1924/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88136 errors:0 dropped:1 overruns:0 frame:0
          TX packets:36148 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:78402192 (74.7 MiB)  TX bytes:8333999 (7.9 MiB)
          Interrupt:4
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16092 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16092 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1137726 (1.0 MiB)  TX bytes:1137726 (1.0 MiB)
wlan0     Link encap:Ethernet  HWaddr DC:9F:DB:EB:19:24
          inet6 addr: fe80::de9f:dbff:feeb:1924/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35881 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65056 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8131532 (7.7 MiB)  TX bytes:77645373 (74.0 MiB)

In a situation where you'd just like to drop the AP in an existing network, it might be handy to use DHCP. However, how do you figure which IP the AP is using... Below config allows you to use a DHCP assigned IP and still keep an extra IP address (192.168.254.1) you can use to directly connect over the ethernet port.

Your usual 'ifconfig -a' will not show this 2nd IP. Yes, this very confusing and is caused due to a limitation of Busybox. You'll have to use the 'ip' command which you can install using 'opkg install ip'.

#/etc/config/network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcb:9bde:4f7c::/48'

config interface 'lan'
	option ifname 'eth0'
	option force_link '1'
	option type 'bridge'
	option proto 'dhcp'

config interface 'lan2'
	option ifname 'br-lan'
	option proto 'static'
	option ipaddr '192.168.254.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wifi'
	option proto 'static'

Parts of this section taken from UniFi - TFTP soft recovery for bricked access point

Before starting, set a static IP on your PC's NIC from 192.168.1.0/24 range, but not 192.168.1.20 (this is the Unifi AP default TFTP IP).

Follow the steps to unbrick your UAP:

  1. Set the IP on your PC to be able to access the bricked unit and prepare the firmware file.
  2. On your PC, open your TFTP client and locate the firmware.bin file so you can start it later. Do not initiate the transfer. (You may use a stock Ubiquiti firmware or applicable OpenWrt firmware as mentioned above)
  3. Using the Windows integrated TFTP client (or the client of your choice) the command to prepare is: “tftp -i 192.168.1.20 PUT [path to file]\firmware.bin” for stock or “tftp -i 192.168.1.20 PUT [path to file]\openwrt-ar71xx-generic-ubnt-unifi-squashfs-factory.bin” for OpenWrt. Do not start the transfer until following steps below.
  4. Unplug the bricked unit.
  5. Plug the LAN connection of the PoE injector directly to your PC's NIC.
  6. Keep the UniFi AP's reset button depressed and plug in network/PoE in the unit.
  7. Keep the reset button depressed until you see the light cycling relatively fast through amber/green/off colors (~14 seconds from power on) → Release it. Now the device is in TFTP transfer mode. The AP will not respond to pings in this mode but will accept a TFTP file transfer
  8. Engage the TFTP push command and wait. The device will write the firmware and it will reboot.
  9. If you wait too long to start the TFTP transfer, the push will not work as the device will stall. Please redo from step 3.
  10. At this point your device should be recovered and ready to go. If it is still not functioning as expected then you will need to send for RMA (if under warranty).

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/02/12 08:58
  • by 127.0.0.1