Ubiquiti UniFi AP-LR Support

[ricktendo]

The following device config XML was tested and working on a Ubiquiti AP Long Range but should also be compatible with all of the following: UAP, UAP-LR, UAP-OD, UAP-OD5, PicoM2

Processor: Atheros AR7241-AH1A
SPI Flash: Macronix MX25L6408EMI-12G
EJTAG Port: 14 Pins
More Info on OpenWRT Wiki

During boot execute PROGRAM command to enter TRAP ON mode to halt the boot process and gain high speed access to the flash chip: read, write, erase, debrick. (Note: ERASE is currently not working)

Code:

Copyright (C) 2010-2015
USB JTAG NT    0.79
Target: UAP-LR
-PROGRAM
-detect
IDCODE 00000001
Atheros
IMPCODE 60414000
EJTAG V2.6
DMA not supported
Found Address= 9f800000 MX25L6405D

Some Device Screenshots (click image to enlarge)

[ricktendo]

Serial log does not provide much info

Code:

U-Boot unifi-v1.5.2.206-g44e4c8bc (Aug 29 2014 - 18:01:57)

DRAM:  64 MB
Flash:  8 MB
PCIe WLAN Module found (tries: 1).
Net:   eth0, eth1
Board: Copyright Ubiquiti Networks Inc. 2014
Hit any key to stop autoboot:  0
Board: Ubiquiti Networks AR7241 board (e512-20.0101.002e)
UBNT application initialized
## Booting image at 9f050000 ...
   Image Name:   MIPS Ubiquiti Linux-2.6.32.33
   Created:      2016-05-30   7:22:22 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    918712 Bytes = 897.2 kB
   Load Address: 80002000
   Entry Point:  80002000
   Verifying Checksum at 0x9f050040 ...OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

Booting...

Stopped autoboot and ran the flinfo command

Code:

DRAM:  64 MB
Flash:  8 MB
PCIe WLAN Module found (tries: 1). 
Net:   eth0, eth1
Board: Copyright Ubiquiti Networks Inc. 2014
Hit any key to stop autoboot:  1  0 
ar7240>help

?       - alias for 'help'
autoscr - run script from memory
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp	- boot image via network using BootP/TFTP protocol
chpart	- change active partition
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dhcp	- invoke DHCP client to obtain IP/boot params
echo    - echo args to console
erase   - erase FLASH memory
flinfo  - print FLASH memory information
fsinfo	- print information about filesystems
fsload	- load binary file from a filesystem image
go      - start application at address 'addr'
help    - print online help
iminfo  - print header information for application image
imls    - list all images found in flash
itest	- return true/false on integer compare
loop    - infinite loop on address range
ls	- list files in a directory (default /)
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing)
mtdparts- define flash/nand partitions
mtest   - simple RAM test
mw      - memory write (fill)
nfs	- boot image via network using NFS protocol
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping	- send ICMP ECHO_REQUEST to network host
pll [<val>] - Set to change CPU/AHB/DDR speeds
printenv- print environment variables
progmac - Set ethernet MAC addresses
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sleep   - delay execution for some time
tftpboot- boot image via network using TFTP protocol
ubntfsboot  - UBNT fsboot command
urescue	- start TFTP server and wait for firmware
version - print monitor version
ar7240> flinfo

Bank # 1: mx25l64 (Id: 0xc22017)
	Size: 8 MB in 128 sectors

[Koevoet]

Try using the WRT160NL config.

Regards

[ricktendo]

Quote:

Originally Posted by Koevoet

Try using the WRT160NL config.

Regards

Thank you very much, it worked!

Could anybody help me with the XML file, I have little to no clue what I am doing (also could somebody explain EEPROM)

Code:

<Test>
	<Name>UAP-LR</Name>
	<Cat>Router</Cat>
	<Protocol>EJTAG</Protocol>
	<Endian>Big</Endian>
	<IRLength>5</IRLength>
	<DMA>No</DMA>
	<ProbTrap>1</ProbTrap>
	<Programram>0x80100000</Programram>
	<SPIFlash>2</SPIFlash>
	<Memorys>
			<Memory>
				<Name>u-boot</Name>
				<Type>1</Type>
				<Address>0x0</Address>
				<Size>0x0</Size>
			</Memory>
			<Memory>
				<Name>u-boot-env</Name>
				<Type>1</Type>
				<Address>0x0</Address>
				<Size>0x0</Size>
			</Memory>
			<Memory>
				<Name>kernel</Name>
				<Type>1</Type>
				<Address>0x0</Address>
				<Size>0x0</Size>
			</Memory>
			<Memory>
				<Name>rootfs</Name>
				<Type>1</Type>
				<Address>0x0</Address>
				<Size>0x0</Size>
			</Memory>
			<Memory>
				<Name>cfg</Name>
				<Type>1</Type>
				<Address>0x0</Address>
				<Size>0x0</Size>
			</Memory>
			<Memory>
				<Name>EEPROM</Name>
				<Type>2</Type>
				<Address>0x0</Address>
				<Size>0x0</Size>
			</Memory>
	</Memorys>
	<Inits>
	</Inits>
</Test>

I have the full dump from and the original firmware.bin from ubiquiti, I got the XML section names from the u-boot-env partition

Code:

256k(u-boot),64k(u-boot-env),1024k(kernel),6528k(rootfs),256k(cfg),64k(EEPROM)

I will upload all I have in hopes somebody could help, also if you could please explain how you find and calculate the sizes, like how does 0x40000 = 256?

[usbbdm]

Glad that 160NL worked. I will take a look of the bin file and upload xml latter.

[ricktendo]

Quote:

Originally Posted by usbbdm

Glad that 160NL worked. I will take a look of the bin file and upload xml latter.

I figured out that you calculate 64k decimal which equals 40 hex, 256k = 100 hex, 1024k = 400 hex. All these work fine if I add 0x before and 000 after, but I run into problems when doing the same with the rootfs size 6528k = 1980 hex

[usbbdm]

Try this one.
Just open with hex editor Or even use USB JTAG NT (WRT160NL) then load the file and analyze it.
I am not sure EEPROM is correct or not but it should allow you to program the router now.

[ricktendo]

Thank you usbbdm, seems like it does the job

Code:

Copyright (C) 2010-2015
USB JTAG NT    0.79
Target: UAP-LR
-PROGRAM
-detect
IDCODE 00000001
Atheros
IMPCODE 60414000
EJTAG V2.6
DMA not supported
Found Address= 9f800000 MX25L6405D
-getram 9f800000 800000
Time 00:00:28 (.450)

I still do not understand so could you explain how you get the hex values for the sizes, and where do you get address 9f800000 from?

[usbbdm]

0x9f80000 is just something works. The exact address might be slightly different but that does not matter too much.

[ricktendo]

OK I think I got the correct locations, I went based on these figures

Code:

256k(u-boot),64k(u-boot-env),1024k(kernel),6528k(rootfs),256k(cfg),64k(EEPROM)

EEPROM does not work when I have the Type set to 2 but it does work if I set it to 1 (I do not know if this is correct.) It could also be failing for another reason is we do not have any EEPROMPageSize, or EEPROMData or Eepromprot or other defined. Because even with the correct eeprom section it hangs when I do -getram eeprom when its set to Type 2

Code:

<Test>
	<Name>UAP-LR</Name>
	<Cat>Router</Cat>
	<Protocol>EJTAG</Protocol>
	<Endian>Big</Endian>
	<IRLength>5</IRLength>
	<DMA>No</DMA>
	<ProbTrap>1</ProbTrap>
	<Programram>0x80100000</Programram>
	<SPIFlash>2</SPIFlash>
	<Memorys>
			<Memory>
				<Name>u-boot</Name>
				<Type>1</Type>
				<Address>0x9f800000</Address>
				<Size>0x40000</Size>
			</Memory>
			<Memory>
				<Name>u-boot-env</Name>
				<Type>1</Type>
				<Address>0x9f840000</Address>
				<Size>0x10000</Size>
			</Memory>
			<Memory>
				<Name>kernel</Name>
				<Type>1</Type>
				<Address>0x9f850000</Address>
				<Size>0x100000</Size>
			</Memory>
			<Memory>
				<Name>rootfs</Name>
				<Type>1</Type>
				<Address>0x9f950000</Address>
				<Size>0x660000</Size>
			</Memory>
			<Memory>
				<Name>cfg</Name>
				<Type>1</Type>
				<Address>0x9ffb0000</Address>
				<Size>0x40000</Size>
			</Memory>
			<Memory>
				<Name>EEPROM</Name>
				<Type>1</Type>
				<Address>0x9fff0000</Address>
				<Size>0x10000</Size>
			</Memory>
	</Memorys>
	<Inits>
	</Inits>
</Test>

In any case I can confirm the sections are correct because I reset the device and this cleaned out the cfg section, usbbdm if you want any pictures so you can publish a page for the router I can provide some.

[usbbdm]

OK I see why, if you are talking about EEPROM chip then you can use type 2. If it is just EEPROM data you should use type 1.
If you have an EEPROM chip, then additional program need to provide to read EEPROM (type 2). Otherwise it will hang.

EEPROM read is not as simple as you thought to provide type 2. Each device has its own algorithm (registers can be completely different from on with another). In short you should only define type 1 in the XML for now unless a full EEPROM program is provided in dat file.

[ricktendo]

Thanks to Koevoet and usbbdm for all your help in getting this working, I updated the first post with the final working XML and I also updated the OpenWRT Wiki to point out the device is now supported by the usbjtag nt

[ricktendo]

Big vs Little Endian, how does one know which to use in the XML when an analysis of the full flash has images with both?

Here is a binwalk analysis of my UAP-LR bin

Code:

binwalk 9f800000.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
192895        0x2F17F         Copyright string: " Ubiquiti Networks Inc. 2014"
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0x213AEF0A, created: Mon May 30 01:22:22 2016, image size: 918712 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0x6084C351, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.33"
327744        0x50040         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2647828 bytes
1376256       0x150000        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 4135013 bytes,  587 inodes, blocksize: 131072 bytes, created: Mon May 30 01:22:24 2016
5718432       0x5741A0        Zlib compressed data, best compression, uncompressed size >= 65536
5749940       0x57BCB4        Zlib compressed data, best compression, uncompressed size >= 34064
5764595       0x57F5F3        Zlib compressed data, best compression, uncompressed size >= 62764
5783939       0x584183        Zlib compressed data, best compression, uncompressed size >= 48428
5804648       0x589268        Zlib compressed data, best compression, uncompressed size >= 65529
5832409       0x58FED9        Zlib compressed data, best compression, uncompressed size >= 64257
5853110       0x594FB6        Zlib compressed data, best compression, uncompressed size >= 23862
5861759       0x59717F        Zlib compressed data, best compression, uncompressed size >= 8192
5864216       0x597B18        Zlib compressed data, best compression, uncompressed size >= 6694
5866613       0x598475        Zlib compressed data, best compression, uncompressed size >= 6895
5871173       0x599645        Zlib compressed data, best compression, uncompressed size >= 464
6094848       0x5D0000        JFFS2 filesystem, big endian
8060952       0x7B0018        Zlib compressed data, default compression, uncompressed size >= 4683
8192024       0x7D0018        Zlib compressed data, default compression, uncompressed size >= 4684

[usbbdm]

You can read back binary, look at some readable text. If endian is wrong, the text will be swapped. like "text" will be "txet"

[ricktendo]

Hello usbbdm erase does not work, I can read/write to it fine, once written I verify and it passes.

If I select erase on any tab then I read back and nothing is erased.

Do you know why this could be?