Ubiquiti U6-LR "u-boot mod" version

knacky · February 7, 2022, 4:20pm

When building from master, I see two versions for the U6-LR AP target...

Ubiquiti UniFi 6 LR
Ubiquiti UniFi 6 LR U-Boot mod

The "u-boot mod" version, from which limited docs I have found, apparently uses OpenWrt's u-boot and allows use of current ARM Trusted Firmware.

Is this firmware build directly flashable to a stock U6-LR using the normal kernel mtd write method, or does something need to happen before that (changes via serial port, etc)? Anyone know?

netomx · November 3, 2022, 6:46pm

Sadly, no info about this, and my APs softbrick when using any new version of OpenWRT.

daniel · November 3, 2022, 7:42pm

Hi!
Sorry to only bump into this thread now, I've simply not been aware of it.

@netomx:
I'm using a couple of those devices with stock bootloader in production as well as a bunch replaced U-Boot running the ubootmod firmware. Since when OpenWrt doesn't boot any more on your device? I understand that it was working and then soft-bricked after sysupgrade to a newer image downloaded from downloads.openwrt.org?

@knacky:
The ubootmod is basically a more full-featured U-Boot and recent ARM TrustedFirmware-A which supports recovery/production dual-boot similar to the Linksys E8450/Belkin RT3200 or the BananaPi R{2,3,64} boards.

The resulting flash layout of the 64MiB SPI-NOR flash:

0x000000000000-0x000000020000 : "bl2" <- *ubnt_unifi-6-lr-v1-ubootmod-preloader.bin
0x000000020000-0x0000000c0000 : "fip" <- *ubnt_unifi-6-lr-v1-ubootmod-bl31-uboot.fip
0x0000000c0000-0x0000000d0000 : "u-boot-env" -- erase
0x0000000d0000-0x000000110000 : "factory" -- dont't touch
0x000000110000-0x000000120000 : "eeprom" -- dont't touch
0x000000120000-0x000001000000 : "recovery" <- *ubnt_unifi-6-lr-*-ubootmod-initramfs-recovery.itb
0x000001000000-0x000004000000 : "firmware" <- *ubnt_unifi-6-lr-*-ubootmod-squashfs-sysupgrade.itb

So factory and eeprom (which contain MAC addresses and Wi-Fi calibration data) are kept intact and everything else is replaced. Note that as the replacement U-Boot doesn't touch the LED (which is the difference between v1 and v2) bl2 and fip are identical for v1 and v2. The recovery and sysupgrade image, however, do make use of the LEDs which are driven differently in v1 and v2, so there you need to select the appropriate image for the LEDs to work.

The easiest way to write these partitions is by booting ubnt_unifi-6-lr-*-ubootmod-initramfs-recovery.itb via TFTP using the stock loader. Once booted, give the device a default route and install kmod-mtd-rw using opkg:

opkg update
opkg install kmod-mtd-rw
insmod mtd-rw i_want_a_brick=1

You can now either upload the images to the device using scp -O ... or simply download them from downloads.openwrt.org using wget on the device:

cd /tmp
wget https://downloads.openwrt.org/snapshots/targets/mediatek/mt7622/openwrt-mediatek-mt7622-ubnt_unifi-6-lr-v1-ubootmod-preloader.bin
wget https://downloads.openwrt.org/snapshots/targets/mediatek/mt7622/openwrt-mediatek-mt7622-ubnt_unifi-6-lr-v1-ubootmod-bl31-uboot.fip
...

Then write the bootloader and firmware partitions:

mtd write *ubnt_unifi-6-lr-v1-ubootmod-preloader.bin bl2
mtd write *ubnt_unifi-6-lr-v1-ubootmod-bl31-uboot.fip fip
mtd erase u-boot-env
mtd write *ubnt_unifi-6-lr-*-ubootmod-initramfs-recovery.itb recovery
mtd write *ubnt_unifi-6-lr-*-ubootmod-squashfs-sysupgrade.itb firmware
reboot -f

Now you got ARM Trusted Firmware 2.7+ and U-Boot 2022.10 running on the device.

knacky · November 4, 2022, 1:24pm

Hi @daniel, and thank you for this amazing guide on installing u-boot mod on the Unifi U6 LR.

Just a question, does going to the u-boot mod version only provide increased functionality (e.g. dual-boot partitions) or are there also runtime performance/security improvements?

daniel · November 4, 2022, 1:32pm

Taken as-is, the only advantage at runtime is the changed flash layout which allows for bigger rootfs_data and adds the dual-boot mechanism (which also makes PSTORE/ramoops available for debugging crashes). Other than that there are no effects on either performance or device security (at this point ARM TrustedFirmware-A on this platform isn't used for much more than just being a preloader and taking care of reboot).

However, now that you are able to build everything from source, of course, you could go ahead and build your own secure boot system, based on OP-TEE to provide fTPM and/or using MediaTek's Anti-Rollback mechanism, ... Or build U-Boot with UEFI run-time support and let the device do standard UEFI PXE boot instead of storing the firmware in flash....

netomx · November 10, 2022, 8:59am

@daniel I got more info. Using the 1st sysupgrade that works on this devices, it works with 100M and 1000M, but if I use newer stable or snapshots, 100M links do NOT work, unless I use 1000M.

So, it wasn't the uboot

csmart · January 1, 2023, 12:50am

Hi @daniel,

I have a spare U6-LR device and thought I'd play with this. When you mention booting ubnt_unifi-6-lr-*-ubootmod-initramfs-recovery.itb via TFTP using the stock loader, is this done by the standard TFTP flashing recovery method? Or booting the device with the recovery image from uboot via remote TFTP server (i.e. using serial to interrupt boot process and setting ip/server/image etc, or some other built-in method)?

I assume the latter, but I tried the former method anyway however it remains in TFTP boot mode, rebooting it went back to stock image on the device.

Thanks!