Downgrading UBNT Nanostation M2 Loco (XM): ubnt downgrade code=2, msg=Firmware check failed

I recently tried to downgrade a UBNT Nanostation M2 Loco (XM version) in order to flash LEDE afterwards.

The problem is, that AirOS 6.0.6 needs signed firmwares and even original firmwares seem to miss a valid signature for this purpose.  Hence TFTP is always failing with “ubnt downgrade code=2, msg=Firmware check failed“. (Of course the web interface behaves likewise.

Here is what I did instead:

  1. Get a XM version of AirOS 5.5.11¹
  2. scp XM.v5.5.11.28002.150723.1344.bin ubnt@192.168.1.20:/tmp/fwupdate.bin
    ssh -lubnt 192.168.1.20
  3. /sbin/fwupdate -m ²

Remark – all the steps in one command: ssh -lubnt ‘curl -o /tmp/fwupdate.bin http://dl.ubnt.com/firmwares/XN-fw/v5.5.11/XM.v5.5.11.28002.150723.1344.bin && /sbin/fwupdate -m’

Update: If /sbin/fwupdate does not work for you, look for /sbin/fwupdate.real. /sbin/fwupdate now seems to be a wrapper script, that’s simply invokes /sbin/fwupdate.real -m after doing some more checks (fwupdate.real -c). Use it at your own risk. Double check to use the right firmware file for your platform.

 

Now I have AirOS 5.5.11 on the device and can flash my individual LEDE 17.01.2 build from the AirOS webinterface. If I’d wanted to revert, I’d have to flash 5.5.11 or lower again according to OpenWRT’s/LEDE’s documentation.

References:

1: http://dl.ubnt.com/firmwares/XN-fw/v5.5.11/XM.v5.5.11.28002.150723.1344.bin

2: https://help.ubnt.com/hc/en-us/articles/204959804-airMAX-How-do-I-upgrade-the-firmware-from-the-CLI-SSH-

3: https://community.ubnt.com/t5/airOS-Software-Configuration/Problem-upgrading-some-XM-devices-5-5-6-to-5-5-11/td-p/1324988

21 thoughts on “Downgrading UBNT Nanostation M2 Loco (XM): ubnt downgrade code=2, msg=Firmware check failed

    1. I googled around for you:

      https://www.ubnt.com/download/airmax-m/powerbeam/nanobeam-m5-25-dbi400mm-nbem5400 (see past firmware)

      https://community.ubnt.com/t5/airMAX-Updates-Blog/bg-p/Blog_airMAX
      https://community.ubnt.com/t5/blogs/blogarchivespage/blog-id/Blog_airMAX
      https://www.ubnt.com/download/airmax-m

      Hint:
      I guess, if XM/XW/… firmwares work on any of the correspondent devices of a series (XM/XW/…), you could get the exact version number and look for the filename in the community or forum.

      That way I found the following files, for example – no guarantuee, that these will work for you:
      XM version 5.5.10 from https://community.ubnt.com/t5/airMAX-General-Discussion/5-5-10/td-p/1044567
      http://www.ubnt.com/downloads/XN-fw-internal/v5.5.10/XM.v5.5.10.24241.141001.1649.bin

      XW version 5.5.9:
      http://www.ubnt.com/downloads/XN-fw-internal/v5.5.9/XW.v5.5.9.21734.140403.1801.bin

      If you know the filename, you will find the correct version for any AirMax devices.

      If you are unsure, better ask the ubnt community once more.

      Other links that could help:
      https://wiki.openwrt.org/toh/ubiquiti/powerbeam

      If that does not answer your question, ask again at community.ubnt.com or use their search function. I am sure, they can help you out.

      Like

    2. Hello, is this is the same way for Nanostation M2?
      How can i load old firmware wia TFTP on Windows?
      If i try to downgrade using airOS interface it will doesn’t work (sing check failed)?
      If you can please contact me on email

      Like

      1. I cannot tell for sure, but yes: Be aware that there are different hardware versions xm and xw. Within one hardware version, there are only minor differences: the antenna layout and/or LAN/PoE-Passthrough. So in theory it will work. Stick to the UBNT Faq.
        For tftp tftp32 and tftp64 have been proven to be quite useful.
        In case of devices UBNT, you’ll need the client mode as opposed to those devices from TP-Link (see my article on TFTP recovery of the TL-WR1043ND) that will require a TFTP server, to pull the file from. Keep in mind, that the devices demand for a certain, individual file name – in case of UBNT this is firmware.bin, in case of TP-Link, this is a variation of the model’s name + “_recovery” + “.bin”.

        For TP-Link e.g., if you don’t know that exact file name, wireshark will help you to figure it out. In case of UBNT stick the manual, if you are unsure.

        Something else: Whenever I try to flash a device with TFTP, my laptop’s ethernet interface is way to slow in media sense detection and the program hence misses the short time slot for transmission. Better get a dumb ethernet switch and put it in between your PC and the device to be flashed. Don’t use a router with it’s own, configured IP, since that could conflict.

        Read UBNT’s flashing manual

        Like

    3. Hi ! I put the firmware renamed fwupdate.bin, but when try to execute say “permission denied”…..
      Can help me….?

      Like

      1. I guess, if you exactly followed the instructions and if you have to right firmware file (it could also be another file for a different model) and it still does not work, you’d better consider the method to have been obsoleted.

        Like

  1. Erich, please, contact me wia email(felixanti@gmail.com) or skype(felixanti). I really need your help, im scared of brick device 🙂

    Like

    1. Извини́те, Васили! The purpose of this blog is to document my finding and probably discuss them with the public. I am not offering professional support here. Stick to the UBNT community and the UBNT professionals there, if you need sound and rock solid support.

      Like

  2. 1) i downgrade from airos6 to 5.6 wia tftp,
    2) then from 5.6 to 5.5 wia web giu,
    3) i flash nsm2 with openwrt wia tftp (and web works too)
    and when i try to save any changes – it wont…
    configurations doesn’t save after changes…
    Can you tell me where is my problem. please?

    Like

    1. The error could be in step 2:
      OpenWRT-Wiki (TOH) says something about changed flash layouts, … and that’s the point. Flashing from the webinterface propably won’t repartition.
      Try to tftp-flash 5.5 instead. If want to get prove, if this assumption is correct, connect to the router (with 5.6) or openwrt by ssh and read /proc/mtd and copy-paste save it to a text file. Compare the values. If I am right, and the layouts differ, let me know please.

      But there is another common mistake that would lead to the “nothing get’s saved” problem: If you are using an individually adapted flash image, that’s way too big. Then the rootfs (overlay) partition doesn’t have enough spare memory, which will lead to “does not get saved”. In some cases it even causes booting loops.

      Like

  3. I am trying to downgrade using tftp2 and it says “unable to get responses from the server” … I can ping the unit fine and the flashing LED change to a solid yellow and solid green when the tftp2 is sending the firmware to the unit so I know that is communicating… what am I missing???

    Like

    1. Hello Mark, your question has already been answered in the article you commented on… The Nanostation’s TFTP-Client does checks on the uploaded file’s header and checksum and since the values don’t match (too old, not signed), refuses to flash it. You need to flash the correct binary using the shell as described. That way the binary won’t be checked in the first place.
      If you have problems with the more recent firmware, so it won’t allow you to get into ssh, just flash the same version of the newer firmware again, using tftp in order to fully reset the unit. Then proceed as described.

      Like

      1. Thank you for the fast response. I am trying the shell method and I keep getting: “ssh: connect to host 192.168.1.20 port 22: Connection timed out
        lost connection”

        I can ping it just fine and it has the blinking red/green – amber/green leds…

        thoughts?

        Like

    1. I am not sure, if it’s a good idea to flash a file in one command without checking it’s hashsum.
      Furthermore look for fwupdate.real and see what it’s parameters are.

      Like

  4. Hello I accidentally upgraded my firmware and now on 6.1.7, Now I can’t downgrade back to the original software I believe was 5.5.?. Any idea how I can get my device back? Failed check message, in ssh and interface

    Like

    1. Hello Robert,
      first of all 5.5 is somewhat outdated and insecure. Why would you want to downgrade in the first place? The only reason to do so, was to be able to flash OpenWRT again. If you are just looking for the possibility to use custom scripts, check this thread at community.ubnt.com:
      https://community.ubnt.com/t5/airOS-Software-Configuration/airOS-5-6-with-Custom-Script-Support/m-p/1624488/highlight/true#M44527

      Second: What device are you on, exactly? This article was written in respect to Nanostation M2 Loco (XM) only. I am sure the procedure also works with other devices as well, but only if -and only if- you have the correct firmware file. Have a look at the corresponding threads at community.ubnt.com for details on that.

      Like

  5. I only use this nano station loco m2 a few weeks a year. And we only visit family about every 2-3 years. But I use it in Thailand. This USA version requires a hack to be able to open up all the countries. This way when I’m there I can select Thailand from the Wireless list and connect to a WiFi source. Somewhere along the way (not sure which version) they have prevented the use of the hack I used. I was able to get back on 5.5.6 and got the countries back. If you know of another way around this I’m more than willing to learn about it.

    Like

    1. Hello Bob,
      when it comes to regulatory issues, I’d personally refrain from fiddling with it and AFAIK, there should be no need for „hacking“ whatsoever.
      Regulatory settings should be altered on the first setup of the device. You could just backup the configuration data from within the GUI twice: one for the US and one for Thailand and restore this configuration after the initial setup (solution 1).
      Caveat: https://community.ubnt.com/t5/airMAX-AC/Change-Country/td-p/1855368 (but you are on an AirMax M device, not AC). But I have to admit I am not familiar with hardware version for the US regdom. Also see: https://community.ubnt.com/t5/UniFi-Wireless/How-to-change-a-regulatory-domain/td-p/1876359

      It seems you’d should get an international version.

      Just another hint: if you connect to your device by ssh, you can use the command ‘regdomain -h’ and look for evasive action, if you are sure, it is perfectly legal.

      Firmwares with custom scripts will let you execute commands on device startup, so this may be a solution (2) for your problem.
      Solution 3 would be to use open firmware like OpenWRT, but I cannot recommend this, since it is unclear, if it works for you (DISCLAIMER: don’t do it, if you are not an expert. Even if you are an expert, be sure what you do. All you do, happens at your own risk at your very own liability.)

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s