Installing OpenWrt on UniFi nanoHD

OMG I feel very silly. I have been looking at this for the whole two days and you just fixed it with a blink of an eye! You are a awesome Thank you very much - it worked like a charm!

Hi all,

I fought a new, locked NanoHD with the latest bootloader for a while before getting the recipe right, so I'll share what I did:

1. Crack the case on the NanoHD with a knife. Work the knife around the outside between the plastic case and aluminum base until you free all five plastic clips. Open the case.
2. Put the device in TFTP mode by holding the reset button for 30s and waiting for it to boot. Use PumpKIN to flash it with the 3.9.27 firmware.
3. The device will accept this firmware version over TFTP (but not via fwupdate or web UI), but it will disable inbound http/ssh on ethernet after booting. Use one of these: https://www.adafruit.com/product/954 to connect to the exposed J2 serial connector on the NanoHD. I just used three copper wires, one for each of gnd/tx/rx, to temporarily connect the solder points on the J2 holes to the TTL adapter leads.
4. The serial connection runs at 115200 baud and works great with Putty. When the NanoHD boots with 3.9.27, the serial connection will give you a login prompt. You can now use the ethernet connection to wget the OpenWRT upgrade binary to the NanoHD filesystem.
5. Follow the instructions at the top of this thread and reboot.

Congratulations, you've h4x0r3d your NanoHD.

Happy flashing!

Wanted to thank everyone for the hard work involved in figuring this out. The above steps work, tested for 6.2 firmware.

Wanted to show the board and outline the pins of the uart connector. First is the square pin that is pin1 and that is 3.3V (don't connect that), than RX, TX and Ground (don't forget that TX of the device connects to RX of the usb device and RX to TX). Couldn't use wget to download firmware so I've used curl to do the same thing.

IMG_20230815_1520221920×2560 491 KB

p.s. you can use flipper instead of uart usb adapter if you have one lying around somewhere.

When opening up the device you will have to pry on the dome and not the clips since clips are fully metal. So put your prying tool under the clips and pry.

On a side note, it's VERY difficult to find download links on Ubiquiti's site older than 2020. Here is a link to the release announcement for 3.9.27. There's a link for the nanoHD at the end of the post: https://community.ui.com/releases/FIRMWARE-3-9-27-8537-for-UAP-USW-has-been-released-3-9-27-8537/e41acf46-de72-4336-8104-f6996c8d04d8?page=13

It's not easy, but not that difficult to find these old firmware versions...

Here is 3.9.27 for the NanoHD

I found it by clicking "load more" a bunch of times on this page until I found the firmware of interest

I did the same thing and the page eventually started over showing 2023 stuff. Maybe I have a browser extension interfering with something or something lol

I’ve spent about 14 hours on this today trying to accomplish this in ArchLinux (EndeavourOS). It hasn’t been entirely bashing my head into failed commands and errors. A good part of the “pre-game” was soldering a USB to serial cable to the AP’s J2 port that had no preinstalled header… and I basically had a curling iron and a blow dryer to get the harvesting of donor header parts and installation to the AP’s board… fun lol!

ANYWHO, EOS does not come with TFTP installed. So I installed it (I think with yay but I REALLY don’t remember; it’s been a long day; this one: https://wiki.archlinux.org/title/TFTP ). The instructions to initiate the flashing process of the AP via tftp is explained on Ubiquiti’s site (here: https://help.ui.com/hc/en-us/articles/360043360253-UniFi-Recovery-Mode ). The problem is when I try to “put” the file, I either get a “No such file or directory” error or a “Transfer timed out.” error.

I CANNOT for the life of me understand how to properly get the image file transferred to the AP via TFTP. There seems to be some kind of permissions or settings or something I’m missing. I’ve n00b-faced it as far as I can and am just stumped. What am I missing? (Thanks all in advance!)

I don't think that the OpenWrt image can be directly transferred by tftp.

The tftp server runs on the AP, so you only need a tftp client on your computer to put the file onto the server (AP). Information about that is here from UI (the expectation is that you're loading the stock firmware)

The git commit describes copying the OpenWrt file to the AP using scp and then writing the file using dd commands.

I'm trying to flash it down to 3.9.27 first. Then I'll have to use the serial connection to get openwrt transferred. So yeah I'm not even to the transferring of openwrt yet. I'm just trying to flash an older stock firmware first.

The git commit doesn't describe the need for a serial connection... you should be able to copy the OpenWrt file over a standard ethernet connection (via scp), then use ssh for running the commands. Of course, that doesn't help with the downgrade of the actual Unifi firmware. I don't recall if they changed the bootloader to only accept certain signed firmware versions, but if so, that could explain difficulty with the downgrade.

It's also worth searching to see what other firmware versions will accept the OpenWrt install process as described in the git commit. Search these forums as well as the internet in general and you'll hopefully find some answers on that.

I'm not seeing any mention of other firmware versions in the commit. This entire thread has explained to an eternity that the nanoHD ABSOLUTELY HAS to be on 3.9.27, and it IS NOT POSSIBLE to downgrade to that version once the AP has been upgraded to a certain version. I'm stuck on 4.17 or something and I've tried all kinds of beta firmwares and incremental version downgrades, and it just WILL NOT downgrade via ssh or the GUI. The downgrade to 3.9.27 at this point MUST BE DONE via TFTP. Period.

Once that's done (and again, I'm stuck on this downgrade to 3.9.27 step) the ONLY way to access the AP once it's running 3.9.27 is via serial. Once in the serial console, I can enable SSH and proceed to flashing openwrt as normal.

I broke down and switched over to a windows machine to attempt this. (I'm a new migrant from the M$ plantation to Planet Linux lol). I had 2 major problems going on.

1. I connected the RX wire of my UART cable to the RX pin of the J2 header, and likewise the TX wire to the TX pin. NO WONDER I wasn't getting anything from the console lol!

2. Once I was able to see console output, I then learned my previous attempts to put the device into TFTP mode were actually insufficient. By being able to observe the console output, I was able to see just exactly how long I needed to hold that pesky reset button. Once I ACTUALLY got it into auto-TFTP mode, everything was smooth sailing with Pumpkin and Putty.

Now I just have to use the console to facilitate copying openwrt over and installing it and I should be good to go. I'm guessing I need to use the console connection to enable SSH, then I can SCP the openwrt file over. Anyway, thanks all for the input!

Officially, my nanoHD is up and running on OpenWRT! woohoo!

I liked the idea of just doing wget to download the OpenWRT image, but when I tried that the 3.9.27 software said it needed to install a few different ssl packages in order to access an https address. So I created a webdav share on my lan with no security and over http, dumped the OpenWRT there, then used wget on that local address to snorkle it to the AP. Followed the rest of the installation instructions located with the commit, and VOILA!

Cheers all! hugs! <3

If the bootloader is locked, which probably why a downgrade won't be required —it won't work, as you know. The only option to load the Openwrt file in the AP is from a serial terminal. An pull it from a local HTTP server (as I did) or similar using curl. This is how I did it, see my post, @TrazhCant.

Update: I see you succeeded, congrats mate!

Just wanted to say thanks to all for all the input. Just flashed successfully OpenWRT 23.05 into nanohd. I first tried to install 3.9.27 via fwupdate.real -m but it failed and left nanohd in tftp "emergency mode" (blue-white-black).

Then I put 3.9.27 via tftp and followed the original instructions (scp firmware into nano and use dd to write). Luckily did not need serial.

OpenWRT works just so great and I have much better speeds than with original nanohd software! I will next flash TP Link RE305 and hoping to get some sort of 'seamless roaming' with nanohd working or buy another nanohd for this. Any input regarding this is welcome

I has successfully flash Unifi Nano HD to OpenWRT on-the-fly without serial interface.
All that you need:
Any Linux distribution (I use Linux Mint)
Installed: binwalk, netcat (nc), openssh-client (ssh), wget or curl
In case of Ubuntu or Linux Mint, simple run
apt-get install binwalk

My way is:

1. Downgrade to the earlest working firmware:
   1.1 Downgrade to https://dl.ubnt.com/unifi/firmware/U7NHD/5.43.36.12724/BZ.mt7621_5.43.36+12724.210416.1557.bin
   1.2 Downgrade to https://dl.ubnt.com/unifi/firmware/U7NHD/4.3.20.11298/BZ.mt7621.v4.3.20.11298.200704.1347.bin

2. Download https://dl.ubnt.com/unifi/firmware/U7NHD/3.9.27.8537/BZ.mt7621.v3.9.27.8537.180317.1220.bin

3. Download https://downloads.openwrt.org/releases/23.05.4/targets/ramips/mt7621/openwrt-23.05.4-ramips-mt7621-ubnt_unifi-nanohd-squashfs-sysupgrade.bin

4. Unpack .v.3.9.27 Firmware, locate /usr/lib/libubnt.so.1, /lib/libubox.so and /sbin/ubntbox

binwalk -e BZ.mt7621.v3.9.27.8537.180317.1220.bin
cd _BZ.mt7621.v3.9.27.8537.180317.1220.bin.extracted/
binwalk -e 342D4
cd _342D4.extracted/
binwalk -e 4BD894
cd _4BD894.extracted/cpio-root/

6. Netcat binaries to /tmp, e.g.:
   HOST: nc -N -l 12345 < libubnt.so.1
   AP: nc 10.100.4.50 12345 > /tmp/libubnt.so.1
   HOST: nc -N -l 12345 < libubox.so
   AP: nc 10.100.4.50 12345 > /tmp/libubox.so
   HOST: nc -N -l 12345 < ubntbox
   AP: nc 10.100.4.50 12345 > ubntbox
   HOST: nc -N -l 12345 < BZ.mt7621.v3.9.27.8537.180317.1220.bin
   AP: nc 10.100.4.50 12345 > /tmp/unifi.bin
   HOST: nc -N -l 12345 < openwrt-23.05.4-ramips-mt7621-ubnt_unifi-nanohd-squashfs-sysupgrade.bin
   AP: nc 10.100.4.50 12345 > /tmp/owrt.bin

7. Flash U-Boot only (Ctrl+C on kernel1)
   LD_LIBRARY_PATH=/tmp /tmp/ubntbox fwupdate.real -m /tmp/unifi.bin

8. Flash OpenWRT to the kernel images

dd if=/tmp/owrt.bin of=/dev/mtdblock6
dd if=/tmp/owrt.bin of=/dev/mtdblock7

9. Write the bootselect flag.
   dd if=/dev/zero bs=1 count=1 of=/dev/mtd4

10. Reboot or powercycle the device.
    reboot

P.S. Original u-boot.img (extracted) has the next hash:

Oh! This is genius. Great idea. I'm taking note for the future, if needed. Thanks heaps for this. Appreciate it.