Monthly Archives: December 2016

UniFi 5.3.8 Stable has been released

Introducing our latest release for UniFi wireless, routing & switching hardware.


How to play safe?

Make sure you always do a backup before any updates, especially if you plan to upgrade your existing installation.


Release Notes:

  • For people who are migrating from v3: there are many changes to the APIs, and they are not backward compatible. You may need to update the shell library (unifi_sh_api) and/or your customized portal/external portal code.
  • Windows users must have x64 Java installed, as we only support the 64-bit WebRTC library. Please see HERE and download the missing version (64-bit offline Windows install package).
  • For the hotspot management console, make sure you have bookmarked the URL with the site ID (i.e. x66cipn3, or whatever random string is generated for that site). For example:
  • For Debian/Ubuntu users, please update your APT source (see HERE).
    • unifi-beta/unifi-rapid are obsoleted. The old repo has been removed.
    • use ‘unifi5’ in your source file, instead of ‘stable’ or ‘unifi4’
  • On Linux you can now use Oracle Java instead of OpenJDK (if desired). When using Oracle Java you may need to define the JAVA_HOME location on your Debian/Ubuntu installation. To do this you need to create a default file to define the path. This method is persistent across controller upgrades. Something like the following will work for Oracle Java (change JAVA_HOME path as needed):
    echo "JAVA_HOME=/usr/lib/jvm/java-8-oracle" | sudo tee /etc/default/unifi
  • You can no longer manage/control UniFi VoIP devices from the UniFi controller. Please use the UniFi VoIP controller for UVP products. The latest release as of the time of this post is found HERE.
  • You cannot re-use a VLAN ID for dynamic VLAN if it is set as a static value for another SSID on the same AP. So, if I have an SSID set to use VLAN 10, I cannot use VLAN ID 10 for RADIUS controlled VLAN users, as those users will not get an IP.
  • Cloud Access feature in this release is not supported on Linux/ARMv6 architecture (for example, Raspberry Pi 1). If you have problems starting the controller on this platform, please remove the native library:
    sudo rm /usr/lib/unifi/lib/native/Linux/armhf/
  • Smart Queue QoS is similar to the implementation in EdgeOS (see HERE). Please note that traffic is not offloaded when using Smart Queue QoS, so DPI will not work and maximum throughput will be affected. There are some rough guidelines in the article linked above.
  • Do note that DFS channels cannot be used for wireless uplink as of this release. Please use non-DFS channels if you need to use wireless uplink on dual band UAPs.
  • Official UniFi MIBs can be downloaded from HERE and HERE (those are 2 different files).
  • A full changelog has been attached, showing changes back to the first public release (1.2.1).

Other Notes:

  • We no longer support Java version 6; it needs to be 7 or later. We recommend Java version 8.
  • All APs will be reprovisioned on controller upgrade, which will cause a temporary outage for all connected users. Please make sure to do this after hours, or a time when it’s okay to disconnect users for several minutes.
  • Features like airtime fairness, bandsteering, load balancing and minimum RSSI are disabled by default. If you need them, go to Settings>Site and check Enable advanced features.
  • If you previously used Google Maps for a site map, then you have to enable this feature again by adding an API key. This is done under Settings>Controller. There is a linked guide with instructions.
  • There is a known issue with binding the SSH daemon to a specific interface. A patch was missed when upgrading dropbear. This will be fixed in a future firmware. You can bind sshd to a specific IP, but you’d have to create a separate line for each device in


New Features:

  • Add batch edit of APs.
  • Added memory usage and load average to AP and switch details.
  • Added the ability to config gateway, switch and AP LED on/off state.
    • Added LED config option to device General config form.
  • Added switch statistics page.
  • Added AP config copy.
  • Added AP disable option.
  • Added Hotspot 2.0 config (beta).
  • Add option to enable Automatic Uplink Failover (found under Settings>Site>Uplink Connectivity Monitor).


Controller Bugfixes/Changes from 5.2.9:

  • Improve webrtc connection for debug terminal.
  • Improve icons in switch diagram.
  • Improve RF RSSI graph.
  • Add timezone to cron expressions for auto-backup.
  • Fix login issue in Safari, when websocket is blocked.
  • Fix drag&drop for firewall rules.
  • Fix truncated tooltips in Preferences.
  • Fix positioning of chart tooltips.
  • Improve look of checkboxes and radio buttons in Firefox.
  • Toggle size of Map Device Markers.
  • Improve labels for radio channel config.
  • Show backup file size.
  • Add UK to countries supported by Stripe.
  • Fixed special characters in translations.
  • Added preference for disabling websocket.
  • Fixed case when there is no selected map.
  • Added bandwidth info of neighboring AP, and grey out RSSI if too old.
  • Changed property panel adopt icon to blue.
  • Improved stability of WebRTC connections.
  • Added new rfscanning state.
  • Added modal with data retention update.
  • Enabled autobackup during initial setup.
  • Added pt_PT language to hotspot portal.
  • Do not allow read-only users to create vouchers.
  • Added search functionality to site overview modal and full page.
  • Added alert count to site overview pages.
  • Show more than just “Enabled” for WLAN overrides.
  • Renamed state from “Pending approval” to “Pending adoption”.
  • Adopt button in panels use reverse and round action icon style.
  • Show backend version in controller settings.
  • Added performance improvements on device page.
  • Added check device firmware update button to settings.
  • Added the ability to define custom switch port diagrams.
  • Added disabled device state notification.
  • Fix running controller as a service on true x64 Windows system.
  • Upgrade bundled Tomcat to 7.0.70.
  • Add French to the list of languages supported by Hotspot Portal.
  • Fix DPI charts.
  • Update RADIUS password field.
  • Fix UI version.
  • Add DFS flag to channel config view.
  • Fix bps value in voucher list.
  • Add IP to Admin login event.
  • Fix positions of tooltips.
  • Add note to WLAN group legacy support.
  • Add loading spinner on Insights pages.
  • Add support for Spanish.
  • Display 0 when no devices found in inventory device chart.
  • Add Czech, German, Greek, Indonesian to the list of languages supported by Hotspot Portal.
  • Add dBm to wireless uplink details.
  • Add throughput warnings to WLAN form.
  • Deploy proper default route metrics to USG versions >=4.3.30, fixing many multi-WAN issues.
  • Add Google Map API key entry in Controller settings view.


Controller Bugfixes/Changes ported from 5.4.x:

  • Fix attaching Google Analytics script in older browsers.
  • Show more details in device list radio columns.
  • Improve content of health stats tooltips on Dashboard.
  • Add confirmation dialog before restoring from autobackup.
  • Improve configuration for Hotspot Social Authentication.
  • Differentiate PoE and PoE+ in switch diagram.
  • Add new topology view in maps (Beta).
  • Change Zip to Zip / Postal Code label in hotspot payment fields (for other countries than US).
  • Improve port PoE capability detection.
  • Scroll to top when property panel is opened.
  • Improve Insights/Switch Stats (use device dropdown list).
  • Allow using API only for Angular hotspot authorization.
  • Enable port mirroring for all switch ports.
  • Fix empty dropdown value on Guest Control languages list.
  • Change default value for DTIM.
  • Add speedtest interval in Settings.
  • Improve switch stats.
  • Fix scroll to switch port to account for stick title overlap.
  • Show switch fan levels.
  • Add dBm to AP wireless uplinks and downlinks tables.
  • Remove confirm restart “Cycle PoE power” option from non-PoE switches.
  • Updated older APs to use green-ringed icon.
  • Update translations (CS, DE, ES, NL, PL, ZH).
  • Add translations (SV).
  • Add advanced feature toggle to site settings.
  • Fix loading map image through WebRTC.
  • Update image maps to make it work with latest Safari and Firefox.
  • Show/hide map topology links based on devices visibility.
  • Add topology on maps.
  • Add automatic uplink failover to site settings.


Firmware Changes from 3.7.21/4.3.23:

  • [UAPG2] Add ip package (from iproute2).
  • [UAPG1] Upgrade driver base to 10.2 for QCA models (excludes 1st gen AC).
  • [UAPG1] Fix issue causing an open SSID when HS2.0 config provisioned to devices which don’t support it.
  • [UAP] Fix an issue with memory corruption.
  • [UAP] Fix various bugs affecting 2.4GHz.
  • [UAP] Fix a few issues with wireless uplink.
  • [UAP] Fix issue which caused EAP authentication to stop working.
  • [UAP] Fix “peer count exceeds the supported number 136” issue with VAPs using EAP.
  • [UAP] Decrease uplink failover time. Targeted for AC-M and AC-M-PRO, but may help in other uplink use cases.
  • [UAP] Fix various issues with wireless uplink.
  • [UAP] Update dropbear to 2016.74.
  • [USW] Fix reboot issue (reported HERE, and probably other locations).
  • [USG] Fix unexpected reboots related to scheduling while atomic.
  • [USG] Fix stripping of extraneous quotes from DHCP leases file in clients reporting. If some of your clients in the controller show up as “hostname” rather than hostname, this fixes that.
  • [USG] Add proper handling of gateway distances.
  • [USG] Fix performance regression introduced between 4.3.15 and 4.3.16 releases.
  • [USG] Update speedtest-cli client and built-in fallback speed test server list. Fixes instances of selecting sub-optimal speed test servers leading to lower than expected results.
  • [USG] FreeRADIUS back end enhancements for coming controller UI support.


Bundled Firmware:

Note that the bundled firmware links for UAP and USW use HTTP, because HTTP links are currently required for custom upgrade via the controller UI and for firmware upgrade via CLI. You can update the link to HTTPS if you desire, but it will not work for either of those firmware upgrade methods.




Thousands of xHamster login credentials surface online

Members of the porn site xHamster should be changing their passwords today after a set of nearly 380,000 usernames, emails and poorly hashed passwords appeared online.

The subscription-only breach notification site LeakBase has published the set of login credentials, which Motherboard reports were being traded online. It’s not clear exactly where the database originated, but it contains information for only a small subset of xHamster’s 12 million registered users. While xHamster doesn’t require viewers to register with the site, those who do can comment and make video playlists.

Still, the leaked information has the potential to embarrass users — several of the accounts are linked to U.S. Army and other government email addresses. If xHamster’s subscribers reused their passwords on other sites, their accounts on those sites are at risk of compromise, as well.

“The passwords of all xHamster users are properly encrypted, so it is almost impossible to hack them. Thus, all the passwords are safe and the users data secured,” an xHamster spokesperson told Motherboard.

But according to LeakBase, the passwords were hashed with the MD5 algorithm, which is considered insecure. “MD5 hashes are trivial and easy to crack,” according to LeakBase. “The fact they think the hashes are secure is a blatant example of the faulty security placed in companies even to this day.”
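
Why MD5 is a poor fit for stored passwords, and how a site can retire it at login time, shown as an added example that is not code from the article, LeakBase or xHamster. The unsalted MD5 storage format, the scrypt parameters, the `verify_and_upgrade` helper and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this example; tune for your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest: the weak legacy format assumed here."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_record(password: str) -> str:
    """Return 'scrypt$<salt hex>$<key hex>' using a fresh random 16-byte salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Check a login attempt; return (ok, record_to_store).

    A legacy MD5 record that verifies is replaced by a scrypt record, so the
    weak hash leaves the database the next time the user logs in.
    """
    if stored.startswith("scrypt$"):
        _, salt_hex, key_hex = stored.split("$")
        key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
        # Constant-time comparison of the derived key with the stored one.
        return hmac.compare_digest(key.hex(), key_hex), stored
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, scrypt_record(password)
    return False, stored


# Constructed sample accounts: two users who chose the same password.
# With unsalted MD5 their stored digests are identical, so one recovered
# password exposes every account that shares it.
users = {"alice": legacy_md5("correct horse"), "bob": legacy_md5("correct horse")}
```

After the upgrade, the same two accounts hold different records because each gets its own salt, and every guess costs an scrypt evaluation instead of a single MD5.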