Unfortunately, the downgrading procedure doesn't work anymore.
Well downgrade over TFTP should still work
There is no way to downgrade it. Have you ever tried it on a XW model?
Cant you just flash a new u-boot version without firmware checking to it based on the gpl archive ?
Yeah I tried it couple of months on Loco M2 XW,could be that they changed it.
Giuseppe-
I was able to flash the 17.01.2 images. There was a change in MTD
layout, so earlier builds may not work. The trunk images work, as well.
However, note that nothing (except AirOS) works via tftp, which is...
weird. It seems as if uboot is locked, but, somehow, the WebUI in 5.6.12
overcomes the lock. Or something like that... I tried using a serial
cable to discover what was happening, but they have turned off the
serial console in AirOS.
PLEASE NOTE: they will soon be shipping everything with AirOS 6, and
there will be no way to overcome the lock (unless you somehow hack the
signature). If you are (like me) depending on Ubiquiti products running
OpenWRT/LEDE, it's time to find an alternative - Senao/Engenius,
Comfast, etc. That's what I'm doing - if anyone is interested, I'll can
update the list on what I find out there. So far I have taken a hard
look at Engenius,/Senao. They provide a "GPL dump" of their firmware
source if you ask multiple times, but I don't have the
knowledge/experience to turn that into a working OpenWRT/LEDE image
(It's probably fairly easy, I haven't put in the time to figure it out).
For instance, the files for the ENS620EXT (a very nice outdoor AP) are
here:
https://files.mycloud.com/home.php?brand=webfiles&seuuid=1bf3b5078722a94c8c5b1ec9a16b3e89&name=GPL_ENS620EXT.tar_2
-Bill
Hi Bill,
thanks for your reply.
We tried to flash with Lede 17.01.2 stable (Factory) via WebUI (AirOS 5.6.12) without success => we bricked the unit.
Did you load the stable release or the trunk image?
By the way, yes, we have hundreds of nanostations and, if we cannot use OpenWRT/Lede anymore, then we need to find an alternative.
Hmmmmmmmm... it was actually a custom build of LEDE based on 17.01.2,
but I only added shell scripts and other stuff, no patches to
executables, extra drivers, or anything like that. I bricked several of
them trying to flash OpenWRT CC onto them, and I'm waiting for some new
ones, as I am out again.
I tested the units we flashed myself, and they seemed to be working fine.
-Bill
I dont think you hard bricked them.
You should be able to TFTP recover to AirOS
Well, it's effectively a hard brick, because the only version of AirOS available is 6.0.6, and that enacts the firmware lock.
So, yes, you can still tftp AirOS 6, but then there is absolutely nothing else you can do with it.
Well,according to XW 6.0.6 release notes: Signed firmware support (Users are not able to downgrade below v6.0.6 unless using TFTP)
So TFTP downgrade to older version should work.
Also downgrading to 6.0.6 beta using Web UI and then to other versions should also work
Hi guys,
finally I recovered the unit via TFTP with AirOS 5.6.15 XW (earlier versions don't work), then I uploaded Lede 17.01.2 via WebUI .
It works 
It seems that you don't need to downgrade to AirOS 5.5.10 anymore, at least with the latest version of Lede.
1 Like
The first Loco M2 I tried didn't work. When I read your post, I tried it again, and... it still didn't work. So I went and got another one, and... IT WORKED.
I had 8 Loco M2s here, and I was able to recover 3 of them this way. THANK YOU! What's interesting is the 5 that failed all failed in slightly different ways (Ethernet port not responding, unit accepts firmware and then won't boot, stuck in recovery mode, etc.)
Note that I have not been successful flashing LEDE onto the Loco M2 XW via tftp.
I downloaded AirOS 5.6.15 from the Loco M5 XW area on ubnt.com's downloads section.
Good news - it will reduce the number of units I have to RMA back to Ubiquiti.
Thanks again,
Bill
Hi Bill,
I'm happy to hear you've recovered some units.
For those remaining in recovery mode, try booting with different POE adapter (without RST feature)
and without being directly plugged to your PC (use a non-Gbit switch).
Thanks, Giuseppe!
Yes, I tried that, as well. As I said, the fascinating thing is that
they failed in different ways. Very odd, very confusing.
-Bill
@lynxis I am not saying you are wrong but there is need to understand that if a vendor doesn't update it's product and doesn't secure it the best practice is to not buy it.
Just recently I got a call from someone with costly devices(10000++$) that just somehow got shutdown...
Would a lede powered device would have been more safe against an electrical issue?
I am not answering since I do think that locking the hardware on devices that can be programmed to emit more then 5W** without the proper PSU and proper safety measures is dangerous.
ETSI and FCC are saying and requiring the same thing...
If you can provide a safe device then it's fine to use it in the market.
It's actually possible to downgrade the XW to 5.5.10 even from a signed firmware.
- downgrade your loco to 5.6.15-sign
- extract /bin/ubntbox from 5.6.15-unsign using binwalk -e
- copy ubntbox to your loco /tmp
- copy 5.5.10 firmware to /tmp/fwupdate.bin
- cd /tmp ; /tmp/ubntbox fwupdate.real -m fwupdate.bin
- flash lede via tftp
FWIW, the method lynxis mentions didn't work for me, but what did work was flashing a u-boot, scalped from an existing XW board with the 5.5.10 version, using an external programmer. It helped a lot when I figured out that you can hold the CPU in reset by grounding the inboard pad of R9, near the JTAG pads while the external programmer reads/writes. That said, this might be my last purchase of ubiquiti equipment. What jackasses.
Thanx - it worked like a charme 
After replacing the firmware with the ubntbox (without signature check), i have also replaced the u-boot to get rid of the signature check.
Everthing works fine on the first look.
Then I have seen, that eth0 is missing. So I´ve checked the kernel log and tried several lede versions.
Everatime I get a:
[ 0.694305] libphy: Fixed MDIO Bus: probed
[ 0.701316] libphy: ag71xx_mdio: probed
[ 1.327233] ag71xx ag71xx.0: no PHY found with phy_mask=00000002
Does anybody has the same issue? I´m totally lost - now I have Lede running on my v2 XW Loco M5 - but no eth0??? Wireles works fine.
Erasing the cfg partition, testing three old versions of the bootloader (5.5.3, 5.5.6, 5.5.10)and testing several other lede versions does not work.
The hardware is ok - I also tested the original versions. Also urescue/tftp works with eth0.
Enclosed the full log (nightly build):
[ 0.000000] Linux version 4.9.111 (buildbot@slashdirt-03) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r7444-e204717) ) #0 Sun Jul 8 12:22:54 2018
[ 0.000000] MyLoader: sysp=fce5a5a7, boardp=85a7a9e5, parts=adbde7a5
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 0001974c (MIPS 74Kc)
[ 0.000000] SoC: Atheros AR9342 rev 2
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000003ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000003ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[ 0.000000] On node 0 totalpages: 16384
[ 0.000000] free_area_init_node: node 0, pgdat 804a7f64, node_mem_map 81000020
[ 0.000000] Normal zone: 128 pages used for memmap
[ 0.000000] Normal zone: 0 pages reserved
[ 0.000000] Normal zone: 16384 pages, LIFO batch:3
[ 0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[ 0.000000] pcpu-alloc: [0] 0
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: board=UBNT-LOCO-XW mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,7552k(firmware),256k(cfg)ro,64k(EEPROM)ro console=ttyS0,115200 rootfstype=squashfs noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 59636K/65536K available (3370K kernel code, 177K rwdata, 840K rodata, 276K init, 219K bss, 5900K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Clocks: CPU:535.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:40.000MHz
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7144898866 ns
[ 0.000011] sched_clock: 32 bits at 267MHz, resolution 3ns, wraps every 8027976190ns
[ 0.008336] Calibrating delay loop... 266.64 BogoMIPS (lpj=1333248)
[ 0.091166] pid_max: default: 32768 minimum: 301
[ 0.096210] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.103263] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.113885] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.124395] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.132302] NET: Registered protocol family 16
[ 0.138906] MIPS: machine is Ubiquiti Loco M XW
[ 0.405949] clocksource: Switched to clocksource MIPS
[ 0.412673] NET: Registered protocol family 2
[ 0.418448] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.425885] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.432725] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.439608] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.445843] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.452872] NET: Registered protocol family 1
[ 0.457596] PCI: CLS 0 bytes, default 32
[ 0.461688] Crashlog allocated RAM at address 0x3f00000
[ 0.468464] workingset: timestamp_bits=30 max_order=14 bucket_order=0
[ 0.483727] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.489989] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.510726] io scheduler noop registered
[ 0.514905] io scheduler deadline registered (default)
[ 0.520908] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[ 0.530922] console [ttyS0] disabled
[ 0.554842] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11, base_baud = 2500000) is a 16550A
[ 0.564046] console [ttyS0] enabled
[ 0.571470] bootconsole [early0] disabled
[ 0.586843] m25p80 spi0.0: found mx25l6405d, expected m25p80
[ 0.593052] m25p80 spi0.0: mx25l6405d (8192 Kbytes)
[ 0.598093] 5 cmdlinepart partitions found on MTD device spi0.0
[ 0.604094] Creating 5 MTD partitions on "spi0.0":
[ 0.608983] 0x000000000000-0x000000040000 : "u-boot"
[ 0.615753] 0x000000040000-0x000000050000 : "u-boot-env"
[ 0.623122] 0x000000050000-0x0000007b0000 : "firmware"
[ 0.640159] 2 uimage-fw partitions found on MTD device firmware
[ 0.646236] 0x000000050000-0x0000001c0000 : "kernel"
[ 0.652885] 0x0000001c0000-0x0000007b0000 : "rootfs"
[ 0.659952] mtd: device 4 (rootfs) set to be root filesystem
[ 0.665738] 1 squashfs-split partitions found on MTD device rootfs
[ 0.672084] 0x0000003b0000-0x0000007b0000 : "rootfs_data"
[ 0.679514] 0x0000007b0000-0x0000007f0000 : "cfg"
[ 0.686282] 0x0000007f0000-0x000000800000 : "EEPROM"
[ 0.694305] libphy: Fixed MDIO Bus: probed
[ 0.701316] libphy: ag71xx_mdio: probed
[ 1.327233] ag71xx ag71xx.0: no PHY found with phy_mask=00000002
[ 1.335458] NET: Registered protocol family 10
[ 1.343728] NET: Registered protocol family 17
[ 1.348386] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[ 1.361676] 8021q: 802.1Q VLAN Support v1.8
[ 1.367961] hctosys: unable to open rtc device (rtc0)
[ 1.377324] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[ 1.386361] Freeing unused kernel memory: 276K
[ 1.390875] This architecture does not have kernel memory protection.
[ 2.114961] init: Console is alive
[ 2.118772] init: - watchdog -
[ 2.481286] random: fast init done
[ 3.153733] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[ 3.226341] usbcore: registered new interface driver usbfs
[ 3.232021] usbcore: registered new interface driver hub
[ 3.237593] usbcore: registered new device driver usb
[ 3.249477] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 3.258143] ehci-platform: EHCI generic platform driver
[ 3.264281] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[ 3.282191] init: - preinit -
[ 4.089646] random: procd: uninitialized urandom read (4 bytes read)
[ 7.360389] jffs2: notice: (378) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 7.377732] mount_root: switching to jffs2 overlay
[ 7.416000] urandom-seed: Seeding with /etc/urandom.seed
[ 7.540891] procd: - early -
[ 7.543937] procd: - watchdog -
[ 8.191358] procd: - watchdog -
[ 8.194868] procd: - ubus -
[ 8.237875] random: ubusd: uninitialized urandom read (4 bytes read)
[ 8.301182] random: ubusd: uninitialized urandom read (4 bytes read)
[ 8.308285] random: ubusd: uninitialized urandom read (4 bytes read)
[ 8.315844] procd: - init -
[ 8.692185] kmodloader: loading kernel modules from /etc/modules.d/*
[ 8.704687] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 8.723945] Loading modules backported from Linux version wt-2017-11-01-0-gfe248fc2c180
[ 8.732133] Backport generated by backports.git v4.14-rc2-1-31-g86cf0e5d
[ 8.742731] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 8.759501] nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
[ 8.833894] xt_time: kernel timezone is -0000
[ 8.909157] PPP generic driver version 2.4.2
[ 8.916639] NET: Registered protocol family 24
[ 8.969781] ath: EEPROM regdomain: 0x0
[ 8.969791] ath: EEPROM indicates default country code should be used
[ 8.969795] ath: doing EEPROM country->regdmn map search
[ 8.969813] ath: country maps to regdmn code: 0x3a
[ 8.969819] ath: Country alpha2 being used: US
[ 8.969823] ath: Regpair used: 0x3a
[ 8.983459] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 8.988312] ieee80211 phy0: Atheros AR9340 Rev:2 mem=0xb8100000, irq=47
[ 9.028519] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 10.200862] urandom_read: 5 callbacks suppressed
[ 10.200872] random: jshn: uninitialized urandom read (4 bytes read)
[ 18.637483] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[ 21.671890] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 21.712450] br-lan: port 1(wlan0) entered blocking state
[ 21.717925] br-lan: port 1(wlan0) entered disabled state
[ 21.723795] device wlan0 entered promiscuous mode
[ 21.831057] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 21.837803] br-lan: port 1(wlan0) entered blocking state
[ 21.843210] br-lan: port 1(wlan0) entered forwarding state
[ 21.861582] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[ 75.481032] random: crng init done
I've seen the same issue on a Loco M5 XW. This device historically had a AR8032 external to the AR9342 SOC (with GPIO line over to reset). It finds the Ethernet PHY:
[ 1.328452] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.0:01 [uid=004dd023, driver=Atheros 8032 ethernet]
With this newly purchased device, it can not find a PHY:
[ 0.684816] libphy: Fixed MDIO Bus: probed
[ 0.691820] libphy: ag71xx_mdio: probed
[ 1.323815] ag71xx ag71xx.0: no PHY found with phy_mask=00000002
The AirOS 6.1 dmesg for the newer device (what looks like a new hardware REV):
"AR8035 Detected"
But both are in the 803x driver. I'm wondering if they got rid of the external 8032 chip to lower cost and now are using the one on the SOC AR9342, is that an 8035?
Joe