UCI config bricked UniFi 6 Lite TFTP

haasalex · March 21, 2022, 8:35pm

I have two Ubiquiti UniFi 6 Lite APs.

One is "soft" bricked, the other I just unpacked.

The bricked one has OpenWRT 21.02.0 where I applied a failing network configuration using UCI-CLI. I installed it along https://openwrt.org/toh/ubiquiti/unifi6lite#installation and it worked well up to when I screwed up the network configuration.

I tried to recover the bricked TFTP as described in https://openwrt.org/toh/ubiquiti/unifi6lite#recovery which is linking https://help.ui.com/hc/en-us/articles/204910124-UniFi-TFTP-Recovery-for-Bricked-Access-Points .

Despite flashing the LEDs, the bricked one does not work with TFTP recovery.

The fresh/good AP is working as advertised:

booting into TFTP recovery mode
flashing white/blue/off/...
returns ARP reply for requests for 192.168.1.20
TFTP upload
strobing LED for 5-10 secs, pause
white flashing LED for some secs, pause
white LED and device is up and having the default configuration

The bricked AP is not doing it right:

booting into TFTP recovery mode
flashing white/blue/off/...
never returns any ARP reply for queries for 192.168.1.20
all TFTP uploads timeout

Is there anything I might try to get it unbricked?

Borromini · March 21, 2022, 8:38pm

I read something recently about Ubiquiti implementing seemingly random IPs for TFTP on newer devices like these. So you should scan your network for devices, it should pop up.

Not sure if the IP is printed on the device label, but it seems to be hardcoded in u-boot.

haasalex · March 21, 2022, 8:42pm

I read about this, too. It seems to be non deterministic. I tried .1, .2, .20, .21, .22, .30, .31 and .32 . I might just retry it once again. Since the working AP is using .20 and it is the default, I was expecting the other one to use the same.

Sadly there is nothing printed on the device and no paper trail with it.

psherman · March 21, 2022, 9:02pm

Instead of TFTP mode, have you tried simply booting into failsafe mode? This will allow you to fix the problematic network configuration without needing to reload the firmware.

Borromini · March 21, 2022, 9:10pm

@haasalex An Android app like Ning e.g. will scan your network. Surely worth trying instead of just typing random IP addresses.

haasalex · March 21, 2022, 9:10pm

Failsafe mode sounds like it was made for my kind of problem. I will try that...

haasalex · March 21, 2022, 9:13pm

I got nmap for that and a shotgun shell script for tftp, arp, etc. I am just about to tune the timeouts to get it done before the tftp window of opportunity closes.

bmork · March 21, 2022, 9:42pm

I believe you should try a few more addresses before giving up. One of my U6 Lites is using .33.

root@u6-1:~# fw_printenv ipaddr
ipaddr=192.168.1.33

If you have a backup dump of mtd1 you might be able to find the correct address there.

haasalex · March 21, 2022, 10:04pm

I did about 50 tries to get the bricked AP respond to 192.168.1.20. It never worked.

Just now I had a script trying every possible host number. It stopped on success at 32. My tcpdump did show me ARP replies for 192.168.1.32 (with that APs MAC address).

So I quite confidently changed my TFTP forced upload script to use 192.168.1.32 instead of 192.168.1.20.
It did run without success for some time. In the meanwhile my Laptop was still configured to use 192.168.1.20 for a gateway and kept trying to get its MAC address.
And while .32 was still not working, in the running tcpdump I saw replies for 192.168.1.20 at my APs MAC address.
I confirmed this after yet another reboot of the AP. It kept 192.168.1.20.
Then I started flashing and it just worked.

I don't know what's the logic with all of this, but I will make sure to keep my scripts for future reference.

Thank you all for your ideas and heads up!

ranu007 · July 31, 2022, 2:06am

thank you so much