UCI config bricked UniFi 6 Lite TFTP

I have two Ubiquiti UniFi 6 Lite APs.

One is "soft" bricked, the other I just unpacked.

The bricked one has OpenWRT 21.02.0 where I applied a failing network configuration using UCI-CLI. I installed it along https://openwrt.org/toh/ubiquiti/unifi6lite#installation and it worked well up to when I screwed up the network configuration.

I tried to recover the bricked TFTP as described in https://openwrt.org/toh/ubiquiti/unifi6lite#recovery which is linking https://help.ui.com/hc/en-us/articles/204910124-UniFi-TFTP-Recovery-for-Bricked-Access-Points .

Despite flashing the LEDs, the bricked one does not work with TFTP recovery.

The fresh/good AP is working as advertised:

  • booting into TFTP recovery mode
  • flashing white/blue/off/...
  • returns ARP reply for requests for
  • TFTP upload
  • strobing LED for 5-10 secs, pause
  • white flashing LED for some secs, pause
  • white LED and device is up and having the default configuration

The bricked AP is not doing it right:

  • booting into TFTP recovery mode
  • flashing white/blue/off/...
  • never returns any ARP reply for queries for
  • all TFTP uploads timeout

Is there anything I might try to get it unbricked?

I read something recently about Ubiquiti implementing seemingly random IPs for TFTP on newer devices like these. So you should scan your network for devices, it should pop up.

Not sure if the IP is printed on the device label, but it seems to be hardcoded in u-boot.

I read about this, too. It seems to be non deterministic. I tried .1, .2, .20, .21, .22, .30, .31 and .32 . I might just retry it once again. Since the working AP is using .20 and it is the default, I was expecting the other one to use the same.

Sadly there is nothing printed on the device and no paper trail with it.

1 Like

Instead of TFTP mode, have you tried simply booting into failsafe mode? This will allow you to fix the problematic network configuration without needing to reload the firmware.

@haasalex An Android app like Ning e.g. will scan your network. Surely worth trying instead of just typing random IP addresses.

Failsafe mode sounds like it was made for my kind of problem. I will try that...

I got nmap for that and a shotgun shell script for tftp, arp, etc. I am just about to tune the timeouts to get it done before the tftp window of opportunity closes.

1 Like

I believe you should try a few more addresses before giving up. One of my U6 Lites is using .33.

root@u6-1:~# fw_printenv ipaddr

If you have a backup dump of mtd1 you might be able to find the correct address there.

1 Like

I did about 50 tries to get the bricked AP respond to It never worked.

Just now I had a script trying every possible host number. It stopped on success at 32. My tcpdump did show me ARP replies for (with that APs MAC address).

So I quite confidently changed my TFTP forced upload script to use instead of
It did run without success for some time. In the meanwhile my Laptop was still configured to use for a gateway and kept trying to get its MAC address.
And while .32 was still not working, in the running tcpdump I saw replies for at my APs MAC address.
I confirmed this after yet another reboot of the AP. It kept
Then I started flashing and it just worked.

I don't know what's the logic with all of this, but I will make sure to keep my scripts for future reference.

Thank you all for your ideas and heads up! :slight_smile:

1 Like

thank you so much