Playing with the flash through serial U-Boot on UBNT Bullet M2 HP XW

Hi all,
I'm looking at putting custom firmware on a Bullet M2 HP XW but I'm having some trouble.

I have tried a few different firmwares going through either the web interface (the images are always rejected), through SSH (again rejected by the fwupdate utility), through TFTP (nothing happens) and through serial (doesn't work, with more info below).

I've troubleshot down the rabbit hole as far as I can go, but now I'm stuck. Using the flash commands through U-Boot over serial isn't yielding the results I would expect. I've tried writing images, writing garbage, nuking the entire flash, erasing, etc., but the flash never seems to change. The flash doesn't seem to be protected and there is no change in behaviour if I use protect off all. I would expect that if I try hard enough I should at least be able to brick the device...

Here's an example where I try to erase a section of flash and overwrite it with 0's. I would expect that after the erase the flash should be different (maybe all 0xff's?) and then after the flash copy it should be all 0's, but it never seems to change.

U-Boot 1.1.4-s1039 (May 24 2017 - 15:58:18)

DRAM:  64 MB
Flash:  8 MB (0xc2, 0x20, 0x17)
Net:   AR8035
eth0, eth1
Board: Ubiquiti Networks AR9342 board (e2c4-141067.1122.0030)
Radio: 0777:e2c4
Reset: Normal
Hit any key to stop autoboot:  0 
ar7240> md 0x9f070000
9f070000: e771b8da 1c63b547 baf4c032 a8bbce23    .q...c.G...2...#
9f070010: 69861c9b 9c18bd0c 8cb34e6a daf7f1e0    i.........Nj....
9f070020: 90e982b5 92712537 bc07e875 baf25efe    .....q%7...u..^.
9f070030: c51ae4ff 16afd0d2 5944932b 73541e40    ........YD.+sT.@
9f070040: ef0063f6 134b0c3c 9bfa48d6 a65ecd6b    ..c..K.<..H..^.k
9f070050: 0c874eb6 b7d724d9 7eee3ab8 5c436b58    ..N...$.~.:.\CkX
9f070060: 8a4739c7 5a15711b 58bba5aa 029178a7    .G9.Z.q.X.....x.
9f070070: 8af515a0 de72bd14 86769653 a4ef6a46    .....r...v.S..jF
9f070080: 3914ace8 df4fecab 272c1032 04b43e7d    9....O..',.2..>}
9f070090: d21f5e4a 43b3dad0 f4ec43cd 3c6bf121    ..^JC.....C.<k.!
9f0700a0: 16a17dd4 26d629aa b85419c5 36c86c18    ..}.&.)..T..6.l.
9f0700b0: 5acb19d4 7a172373 66d1ada5 43d7683b    Z...z.#sf...C.h;
9f0700c0: f92ee838 57e29bd4 aa675e5b 7eb98879    ...8W....g^[~..y
9f0700d0: e31094fc 3e377277 6a047e16 017bcea7    ....>7rwj.~..{..
9f0700e0: 296962f0 5b7c0412 94dab4e5 d60f178e    )ib.[|..........
9f0700f0: 91f89f5a 15b22e56 3c60a55b 80c12dee    ...Z...V<`.[..-.
ar7240> mw.b 0x80000000 0 0x10000
ar7240> md 0x80000000
80000000: 00000000 00000000 00000000 00000000    ................
80000010: 00000000 00000000 00000000 00000000    ................
80000020: 00000000 00000000 00000000 00000000    ................
80000030: 00000000 00000000 00000000 00000000    ................
80000040: 00000000 00000000 00000000 00000000    ................
80000050: 00000000 00000000 00000000 00000000    ................
80000060: 00000000 00000000 00000000 00000000    ................
80000070: 00000000 00000000 00000000 00000000    ................
80000080: 00000000 00000000 00000000 00000000    ................
80000090: 00000000 00000000 00000000 00000000    ................
800000a0: 00000000 00000000 00000000 00000000    ................
800000b0: 00000000 00000000 00000000 00000000    ................
800000c0: 00000000 00000000 00000000 00000000    ................
800000d0: 00000000 00000000 00000000 00000000    ................
800000e0: 00000000 00000000 00000000 00000000    ................
800000f0: 00000000 00000000 00000000 00000000    ................
ar7240> erase 0x9f070000 +0x10000
. done
Erased 1 sectors
ar7240> md 0x9f070000
9f070000: e771b8da 1c63b547 baf4c032 a8bbce23    .q...c.G...2...#
9f070010: 69861c9b 9c18bd0c 8cb34e6a daf7f1e0    i.........Nj....
9f070020: 90e982b5 92712537 bc07e875 baf25efe    .....q%7...u..^.
9f070030: c51ae4ff 16afd0d2 5944932b 73541e40    ........YD.+sT.@
9f070040: ef0063f6 134b0c3c 9bfa48d6 a65ecd6b    ..c..K.<..H..^.k
9f070050: 0c874eb6 b7d724d9 7eee3ab8 5c436b58    ..N...$.~.:.\CkX
9f070060: 8a4739c7 5a15711b 58bba5aa 029178a7    .G9.Z.q.X.....x.
9f070070: 8af515a0 de72bd14 86769653 a4ef6a46    .....r...v.S..jF
9f070080: 3914ace8 df4fecab 272c1032 04b43e7d    9....O..',.2..>}
9f070090: d21f5e4a 43b3dad0 f4ec43cd 3c6bf121    ..^JC.....C.<k.!
9f0700a0: 16a17dd4 26d629aa b85419c5 36c86c18    ..}.&.)..T..6.l.
9f0700b0: 5acb19d4 7a172373 66d1ada5 43d7683b    Z...z.#sf...C.h;
9f0700c0: f92ee838 57e29bd4 aa675e5b 7eb98879    ...8W....g^[~..y
9f0700d0: e31094fc 3e377277 6a047e16 017bcea7    ....>7rwj.~..{..
9f0700e0: 296962f0 5b7c0412 94dab4e5 d60f178e    )ib.[|..........
9f0700f0: 91f89f5a 15b22e56 3c60a55b 80c12dee    ...Z...V<`.[..-.
ar7240> cp.b 0x80000000 0x9f070000 0x10000
Copy to Flash... write addr: 9f070000
done
ar7240> md 0x9f070000
9f070000: e771b8da 1c63b547 baf4c032 a8bbce23    .q...c.G...2...#
9f070010: 69861c9b 9c18bd0c 8cb34e6a daf7f1e0    i.........Nj....
9f070020: 90e982b5 92712537 bc07e875 baf25efe    .....q%7...u..^.
9f070030: c51ae4ff 16afd0d2 5944932b 73541e40    ........YD.+sT.@
9f070040: ef0063f6 134b0c3c 9bfa48d6 a65ecd6b    ..c..K.<..H..^.k
9f070050: 0c874eb6 b7d724d9 7eee3ab8 5c436b58    ..N...$.~.:.\CkX
9f070060: 8a4739c7 5a15711b 58bba5aa 029178a7    .G9.Z.q.X.....x.
9f070070: 8af515a0 de72bd14 86769653 a4ef6a46    .....r...v.S..jF
9f070080: 3914ace8 df4fecab 272c1032 04b43e7d    9....O..',.2..>}
9f070090: d21f5e4a 43b3dad0 f4ec43cd 3c6bf121    ..^JC.....C.<k.!
9f0700a0: 16a17dd4 26d629aa b85419c5 36c86c18    ..}.&.)..T..6.l.
9f0700b0: 5acb19d4 7a172373 66d1ada5 43d7683b    Z...z.#sf...C.h;
9f0700c0: f92ee838 57e29bd4 aa675e5b 7eb98879    ...8W....g^[~..y
9f0700d0: e31094fc 3e377277 6a047e16 017bcea7    ....>7rwj.~..{..
9f0700e0: 296962f0 5b7c0412 94dab4e5 d60f178e    )ib.[|..........
9f0700f0: 91f89f5a 15b22e56 3c60a55b 80c12dee    ...Z...V<`.[..-.
ar7240> 

Here is some more info on the board/system:

ar7240> bdinfo
boot_params = 0x83F77FB0
memstart    = 0x80000000
memsize     = 0x04000000
flashstart  = 0x9F000000
flashsize   = 0x00800000
flashoffset = 0x0002D6C4
ethaddr     = 00:AA:BB:CC:DD:EE
ip_addr     = 192.168.1.20
baudrate    = 115200 bps
ar7240> fli

Bank # 1: mx25l64 (Id: 0xc22017)
        Size: 8 MB in 128 sectors
ar7240> mtdparts

device nor0 <ath-nor0>, # parts = 6
 #: name                        size            offset          mask_flags
 0: u-boot                      0x00040000      0x00000000      0
 1: u-boot-env                  0x00010000      0x00040000      0
 2: kernel                      0x00100000      0x00050000      0
 3: rootfs                      0x00660000      0x00150000      0
 4: cfg                         0x00040000      0x007b0000      0
 5: EEPROM                      0x00010000      0x007f0000      0

active partition: nor0,0 - (u-boot) 0x00040000 @ 0x00000000

defaults:
mtdids  : nor0=ath-nor0
mtdparts: mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),1024k(kernel),6528k(rootfs),256k(cfg),64k(EEPROM)
ar7240> printenv
bootdelay=1
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
serverip=192.168.1.254 
mtdids=nor0=ath-nor0
ethact=eth0
mtdparts=mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),1024k(kernel),6528k(rootfs),256k(cfg),64k(EEPROM)
bootcmd=bootm 0x9f050000
bootargs=console=tty0 root=31:03 rootfstype=squashfs init=/init 
ipaddr=192.168.1.20 
stdin=serial
stdout=serial
stderr=serial
ubntaddr=80200020
appinitdone=true
partition=nor0,0
mtddevnum=0
mtddevname=u-boot

Environment size: 463/65532 bytes
ar7240>

I feel like I must be missing something obvious; I see other people have had success using the Bullet M2 but they look to be using slightly older hardware and software versions. I'm not sure what else to try; the simplest test I can think of is writing something to a random spot in flash and seeing if it can be read back and this seems to be failing. Any ideas?

Bootloader build date is 2017. That is likely one of the new ones with firmware "protection".

Can you TFTP to RAM? A possible approach is to build an initramfs OpenWrt, boot it from RAM, then use it to write the flash.

Interesting, the thought that it might be a tampered U-Boot crossed my mind, but I figured it was more likely that I was misunderstanding something.

I can tftp to RAM. I've tried a few things so far:

I downloaded a different stock firmware from UBNT. I truncated the beginning of the file so that the image starts with the correct magic number, which solved one problem. iminfo shows the expected image name, build date, etc, and also shows that the checksum is OK. When I boot to it, it looks like it works, but when I view the UBNT web interface it shows the version number for the image in flash, not for the one I thought I booted to:

ar7240> tftpboot 0x82000000 XW.v6.1.9.32918.190108.1737-trim238988.bin
Using eth0 device
TFTP from server 192.168.1.254; our IP address is 192.168.1.20
Filename 'XW.v6.1.9.32918.190108.1737-trim238988.bin'.
Load address: 0x82000000
Loading: ####
done
Bytes transferred = 7292894 (6f47de hex)
ar7240> bootm 0x82000000
## Booting image at 82000000 ...
   Image Name:   MIPS Ubiquiti Linux-2.6.32.71
   Created:      2019-01-08  15:38:15 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    957336 Bytes = 934.9 kB
   Load Address: 80002000
   Entry Point:  80002000
   Verifying Checksum at 0x82000040 ...OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

Booting Atheros AR934x
(The web interface shows version 6.1.11, which is what's in flash, not 6.1.9, which is the image in RAM.)

I have tried this process with a few different OpenWrt and LibreMesh images that I got from https://chef.libremesh.org/ and https://openwrt.org/toh/views/toh_fwdownload (both snapshot and regular images) but without success. I always find I have to truncate the first 0x144 bytes so that the image starts with the correct magic number, but then U-Boot always says that the checksum is bad. If I don't truncate, it just complains about the magic number. E.g.:

ar7240> tftpboot 0x82000000 openwrt-18.06.2-ar71xx-generic-ubnt-bullet-m-squashfs-factory.bin
Using eth0 device
TFTP from server 192.168.1.254; our IP address is 192.168.1.20
Filename 'openwrt-18.06.2-ar71xx-generic-ubnt-bullet-m-squashfs-factory.bin'.
Load address: 0x82000000
Loading: ##
done
Bytes transferred = 3867036 (3b019c hex)
ar7240> iminfo 0x82000000

## Checking Image at 82000000 ...
   Bad Magic Number
ar7240> iminfo 0x82000144

## Checking Image at 82000144 ...
   Image Name:   MIPS OpenWrt Linux-4.9.152
   Created:      2019-01-30  12:21:02 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1376892 Bytes =  1.3 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ...    Bad Data CRC

I found some info on building images for OpenWrt so I'm trying that. If you have any other resources that would be great; I'm familiar with embedded development in general but not so much on the Linux booting side of things. I wouldn't be opposed to pulling the flash chip off and programming it manually, but with the checksums failing I'm not sure of the likelihood of that working. On the other hand, if it is a perverted U-Boot, maybe they're using a different checksum algorithm or something.
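The "Bad Magic Number" and "Bad Data CRC" messages above come from U-Boot's check of the legacy 64-byte uImage header: a big-endian magic (0x27051956), a header CRC-32 computed with its own field zeroed, the payload size, load and entry addresses, and a CRC-32 over the payload. The script below is an added example, not code from this thread or from OpenWrt or U-Boot; it parses that header the way iminfo does, scans a blob for every offset where a header verifies (so it finds a uImage that sits behind a vendor wrapper), and reports both CRCs. The 0x144-byte zero-filled wrapper and the payload are constructed stand-ins, not the real factory-image header or kernel; only the header layout and the zlib CRC-32 are the real U-Boot format.

```python
"""Locate and verify legacy U-Boot uImage headers inside a firmware blob (added example)."""
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
HEADER_LEN = 64
# Legacy image_header_t: 7 big-endian u32 fields, 4 u8 fields, 32-byte name.
HEADER_FMT = ">7I4B32s"


def crc32(data: bytes) -> int:
    # U-Boot uses the zlib/Ethernet CRC-32 for both the header and data checksums.
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(blob: bytes, offset: int = 0) -> dict:
    """Parse the 64-byte header at `offset` and check both CRCs.

    Raises ValueError when the magic does not match (U-Boot prints 'Bad Magic Number').
    """
    hdr = blob[offset:offset + HEADER_LEN]
    if len(hdr) < HEADER_LEN:
        raise ValueError("truncated header")
    (magic, hcrc, timestamp, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError("Bad Magic Number at offset 0x%x" % offset)
    # ih_hcrc is computed over the header with the hcrc field itself set to zero.
    zeroed = hdr[:4] + b"\x00\x00\x00\x00" + hdr[8:]
    data = blob[offset + HEADER_LEN:offset + HEADER_LEN + size]
    return {
        "offset": offset,
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "timestamp": timestamp, "size": size, "load": load, "entry": ep,
        "os": os_, "arch": arch, "type": typ, "comp": comp,
        "header_crc_ok": crc32(zeroed) == hcrc,
        # A payload cut short by truncation fails here too, just like 'Bad Data CRC'.
        "data_crc_ok": len(data) == size and crc32(data) == dcrc,
    }


def find_uimage_headers(blob: bytes) -> list:
    """Return every offset where the magic appears and the header CRC verifies."""
    magic = struct.pack(">I", UIMAGE_MAGIC)
    found = []
    pos = blob.find(magic)
    while pos != -1:
        try:
            if parse_uimage(blob, pos)["header_crc_ok"]:
                found.append(pos)
        except ValueError:
            pass  # magic bytes without a valid header behind them
        pos = blob.find(magic, pos + 1)
    return found


def build_uimage(payload: bytes, name: bytes = b"constructed test image") -> bytes:
    """Wrap `payload` in a valid legacy uImage header (constructed sample, not a real kernel)."""
    # os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=0 (uncompressed)
    hdr_no_crc = struct.pack(HEADER_FMT, UIMAGE_MAGIC, 0, 0, len(payload),
                             0x80060000, 0x80060000, crc32(payload),
                             5, 5, 2, 0, name.ljust(32, b"\x00"))
    hcrc = crc32(hdr_no_crc)
    return hdr_no_crc[:4] + struct.pack(">I", hcrc) + hdr_no_crc[8:] + payload


# Constructed sample: 0x144 bytes of wrapper in front of the uImage, mimicking the
# offset observed on the factory image in this thread (the real wrapper is not this).
WRAPPER = b"\x00" * 0x144
SAMPLE_IMAGE = WRAPPER + build_uimage(bytes(range(256)) * 4)  # placeholder kernel bytes

if __name__ == "__main__":
    for off in find_uimage_headers(SAMPLE_IMAGE):
        info = parse_uimage(SAMPLE_IMAGE, off)
        print("uImage at 0x%x: %s, %d bytes, load 0x%08x, header CRC %s, data CRC %s" % (
            off, info["name"], info["size"], info["load"],
            "OK" if info["header_crc_ok"] else "BAD",
            "OK" if info["data_crc_ok"] else "BAD"))
```

Running it against a downloaded image shows where the uImage actually starts and whether the payload behind it is intact, which is the same decision U-Boot makes before booting; the "data_crc_ok" flag is exactly what setting verify=n later in this thread skips, so a failure here means the bytes at that offset are not the bytes the image builder checksummed (wrong offset, a wrapper that still trails the kernel, or a damaged download), not that the checksum algorithm differs.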

The usual process was to downgrade AirOS using the CLI, then log in to the web GUI and again flash the downgrade. This replaces the bootloader with an older version. When you get down to a 5.5.10 version you can flash OpenWrt. I don't know if this still works if you have upgraded too far. If the bootloader is refusing to boot unsigned firmware you will have to replace it.

I see. We found that all XM ubnt firmware versions are rejected on this hardware by the web interface and the CLI; only the XW ones seem to be usable, which only start at v6.1.7/2018-05-25.

I was able to get past the checksum problems with setenv verify n at the U-Boot prompt. Now the LZMA decompression fails for all the images I've tried, but I'm trying to build an image with no compression to see what happens with that.

Alternatively I may have to replace the bootloader as you suggest. Would pulling the bootloader out of an old ubnt image be a bad idea? Or would it be best to compile a new image?

Thanks for the help

Got to a prompt!

I followed the instructions here: Building a initramfs image
and built the same type of image

Then from U-Boot I did

ar7240> tftpboot 0x82000000 openwrt-ar71xx-generic-ubnt-bullet-m-initramfs-kernel.bin
ar7240> setenv bootargs console=tty0 root=31:03 rootfstype=ramfs init=/init
ar7240> bootm 0x82000000
## Booting image at 82000000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.109
   Created:      2019-04-04  15:09:40 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3534602 Bytes =  3.4 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x82000040 ...OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

[    0.000000] Linux version 4.14.109 (che@che76) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r9773-6e060bd62c)) #0 Thu Apr 4 15:09:40 2019
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001974c (MIPS 74Kc)
...
BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r9773-6e060bd62c
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/#

Should I be concerned that there are no detected network adapters? I went through the build config pretty quickly so I'm not sure if I missed anything. I suppose now that I've reached this stage I have a whole new set of docs to go through...

The XM and XW platforms have different network hardware, so you need to use the proper build.

Think I've made it thanks to your help!

The OpenWrt build utilities don't seem to have a profile for Bullet M XW hardware, but they do have one for Rocket M XW hardware, so that worked.

Then I found that writing the factory images to the flash was not right; the sysupgrade image was the thing to do. This solved the magic number and CRC errors.

For reference, this is my whole process:

# Build initramfs image for Rocket M XW similar to here: https://forum.openwrt.org/t/building-a-initramfs-image/30269
# Connect via serial, boot, and get to the U-Boot prompt
# Copy over initramfs image to mid point in ram, boot to it
ar7240> tftpboot 0x82000000 openwrt-ar71xx-generic-ubnt-rocket-m-xw-initramfs-kernel.bin
ar7240> setenv bootargs console=tty0 root=31:03 rootfstype=ramfs init=/init
ar7240> bootm 0x82000000
# After it has booted, SCP over the real image I want (I got this image from https://chef.libremesh.org/)
mylaptop> scp openwrt-b071218c612299b-ath79-generic-ubnt_bullet-m-xw-squashfs-sysupgrade.bin root@192.168.1.1:/tmp
# Save the image to flash
root@OpenWrt:/# mtd -r write /tmp/openwrt-b071218c612299b-ath79-generic-ubnt_bullet-m-xw-squashfs-sysupgrade.bin firmware

Once it rebooted I was able to get to the web interface.

Thanks again for your help, this is pretty cool!

Sir, I need your help, can you help me?
I'm experiencing the same thing as what you are working on. Thank you for sharing the information, but can you make a short tutorial to install OpenWrt on this Bullet M2HP?
What do I need to prepare and what steps do I need to take, because I am a person who has just learned about OpenWrt. If you wish, send an email to me at masyordan@gmail.com.

thank you