@csamsel
Last active October 21, 2023 12:25
Revert Ubiquiti NanoStation Loco M2 XW/XM to not signed
Required tools: binwalk, squashfs-tools.
This tutorial will probably work with similar devices, but I haven't tested it.
Adjust the firmware file names to match your device.
1. Have the signed AirOS 5.6.15 installed (mind XM vs. XW; the device type is shown in the web interface).
Get it from:
XM: https://dl.ubnt.com/firmwares/XN-fw/v5.6.15/XM.v5.6.15-sign.31612.170908.1458.bin
XW: https://dl.ubnt.com/firmwares/XW-fw/v5.6.15/XW.v5.6.15-sign.31612.170908.1440.bin
Leave the NanoStation in factory configuration (IP: 192.168.1.20).
2. Get the unsigned 5.6.15 file from:
XM: https://dl.ubnt.com/firmwares/XN-fw/v5.6.15/XM.v5.6.15.30572.170328.1107.bin
XW: https://dl.ubnt.com/firmwares/XW-fw/v5.6.15/XW.v5.6.15.30572.170328.1052.bin
3. Extract the ubntbox file from the firmware:
$ binwalk -e XW.v5.6.15.30572.170328.1052.bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Ubiquiti firmware header, header size: 264 bytes, ~CRC32: 0xF9227069, version: "XW.ar934x.v5.6.15.30572.170328.1052"
260           0x104           Ubiquiti partition header, header size: 56 bytes, name: "PARTu-boot", base address: 0x00000000, data size: 0 bytes
127444        0x1F1D4         Certificate in DER format (x509 v3), header length: 4, sequence length: 64
151956        0x25194         U-Boot version string, "U-Boot 1.1.4-s958 (Jun 10 2015 - 10:56:20)"
152244        0x252B4         CRC32 polynomial table, big endian
222808        0x36658         CRC32 polynomial table, big endian
225032        0x36F08         Ubiquiti end header, header size: 12 bytes, cumulative ~CRC32: 0x454E442E
228848        0x37DF0         Ubiquiti partition header, header size: 56 bytes, name: "PARTkernel", base address: 0x00000001, data size: -2147475456 bytes
228912        0x37E30         uImage header, header size: 64 bytes, header CRC: 0x42F5A412, created: 2017-03-28 07:53:41, image size: 956233 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0x6A5C2356, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Ubiquiti Linux-2.6.32.68"
228976        0x37E70         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2799616 bytes
1185209       0x1215B9        Ubiquiti partition header, header size: 56 bytes, name: "PARTrootfs", base address: 0x00000002, data size: 0 bytes
1185273       0x1215F9        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 5915650 bytes, 1234 inodes, blocksize: 131072 bytes, created: 2017-03-28 07:53:44
7345721       0x701639        gzip compressed data, from Unix, last modified: 2017-03-28 07:51:39
4. Copy the ubntbox file to /tmp/fwupdate.real on the device:
$ scp _XW.v5.6.15.30572.170328.1052.bin.extracted/squashfs-root/bin/ubntbox ubnt@192.168.1.20:/tmp/fwupdate.real
(default password is "ubnt")
5. Copy the target firmware to /tmp/fwupdate.bin on the device:
e.g. $ scp gluon-ffac-2018.1-1~exp20180721-ubiquiti-nanostation-loco-m2-xw.bin ubnt@192.168.1.20:/tmp/fwupdate.bin
6. Initiate the firmware update:
$ ssh ubnt@192.168.1.20
ubnt@192.168.1.20's password:
BusyBox v1.11.2 (2017-09-08 14:33:59 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
XW.v5.6.15-sign.31612.170908.1440# cd /tmp
XW.v5.6.15-sign.31612.170908.1440# ./fwupdate.real -m fwupdate.bin
Current ver: 329231
New version: 393216
No need to fix.
Writing 'kernel ' to /dev/mtd2(kernel ) ... [%100]
Writing 'rootfs ' to /dev/mtd3(rootfs ) ... [%100]
Done
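A pre-flash check for the "mind the XM vs. XW" warning in step 1, run on the workstation before step 6. This is an added example, not part of the original gist: the function names and return codes are hypothetical, and it assumes an image starts with a 4-byte magic ("UBNT" or "OPEN") followed by a NUL-terminated version string like the one binwalk reports at offset 0.

```shell
#!/bin/sh
# Added example (not from the gist): sanity-check the images from steps 2 and 5
# against the device before flashing.
# Assumption: an image starts with a 4-byte magic ("UBNT" on stock images,
# "OPEN" on OpenWrt-built ones) followed by a NUL-terminated version string.

fw_magic() {
    dd if="$1" bs=1 count=4 2>/dev/null
}

fw_version() {
    # The version string starts at byte 4; cut it at the first NUL.
    dd if="$1" bs=1 skip=4 count=256 2>/dev/null | tr '\0' '\n' | LC_ALL=C sed -n '1p'
}

fw_board() {
    # Board type is the text before the first dot, e.g. "XW" or "XM".
    fw_version "$1" | cut -d. -f1
}

# check_flash_plan DEVICE_VERSION UNSIGNED_IMAGE TARGET_IMAGE
# DEVICE_VERSION is the string in the device's shell prompt or web interface.
# Returns 0 = ok, 1 = board mismatch, 2 = unrecognised image, 3 = untested AirOS.
check_flash_plan() {
    dev_board=${1%%.*}
    case "$1" in
        *.v5.6.15-sign.*) ;;
        *) echo "device runs $1, not the signed 5.6.15 from step 1" >&2; return 3 ;;
    esac
    for img in "$2" "$3"; do
        case "$(fw_magic "$img")" in
            UBNT|OPEN) ;;
            *) echo "$img: no firmware header at offset 0" >&2; return 2 ;;
        esac
        img_board=$(fw_board "$img")
        if [ "$img_board" != "$dev_board" ]; then
            echo "$img is for $img_board, device is $dev_board" >&2
            return 1
        fi
    done
    echo "OK: $dev_board device, ubntbox from $(fw_version "$2"), target $(fw_version "$3")"
}

# Run directly: sh check.sh DEVICE_VERSION UNSIGNED_IMAGE TARGET_IMAGE
if [ "$#" -eq 3 ]; then check_flash_plan "$@"; fi
```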