Convert an XClaim Xi-3 AP to a Ruckus R500

Ruckus discontinued their XClaim CloudManager platform in 2021 and remotely installed very limited (and buggy) standalone firmware onto cloud-managed APs.

Ruckus and XClaim APs have identical hardware inside, so rather than throwing away perfectly functional XClaim hardware you can convert your Xi-3 into a Ruckus R500 and run Ruckus Unleashed (or any other Ruckus R500 firmware).

NOTE

The steps below assume the AP is plugged directly into your computer.
If your AP is plugged into a switch and is picking up an IP address via DHCP then you will have to substitute its assigned IP address anywhere the text 192.168.0.1 appears below.

SSH to the AP

$ ssh -oHostKeyAlgorithms=+ssh-rsa 192.168.0.1

Login. The default username is "xclaim-mfg", password is "mfg-admin12".

TIP

You may need to do a factory reset (by sticking a pin in the reset hole for a few seconds) if the default username and password don't work.

TIP

If you see an error Unable to negotiate with 192.168.0.1 port 22: no matching host key type found. Their offer: ssh-rsa then you probably need to update your crypto policy to allow SHA1.

$ sudo yum -y install crypto-policies-scripts
$ sudo update-crypto-policies --set DEFAULT:SHA1

You can disable SHA1 after you've completed this guide, if you wish.

$ sudo update-crypto-policies --set DEFAULT

Perform command injection

xclaim : Ruckus

Now type ";/bin/sh;" including the quotes and hit enter (you won't be able to see what you're typing)

grrrr

TIP

Instead of grrrr, another dog noise could be printed to the screen.

Escape to shell

xclaim : !v54!
What's your chow:

Now hit enter, and you should be dropped into a root shell.

BusyBox v1.15.2 (2020-10-27 13:20:01 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

TIP

If you don't see a BusyBox shell prompt, and instead see just the xclaim : prompt then the injection hasn't worked.
Repeat the command injection step, ensuring you type ";/bin/sh;" including the quotes.

Upload and install the R500 Solo firmware

I assume

• you have a tftp server running
• you have downloaded the latest Ruckus R500 Solo 110.0 firmware
• you copied the firmware to the tftp server's content directory

Copy the firmware onto your AP

# tftp -g -l /tmp/solo.img -r <R500 Solo firmware> <TFTP server>

e.g.

# tftp -g -l /tmp/solo.img -r R500_110.0.0.0.2005.bl7 192.168.0.22

Flash the firmware

# flashcp /tmp/solo.img /dev/mtd5 2>/dev/null && bsp set image_type 1
# flashcp /tmp/solo.img /dev/mtd7 2>/dev/null && bsp set image_type 2

TIP

One of these flashcp commands will take a minute or so, the other will take no time at all.
Which one takes a long time depends on which flash partition is currently active.

Store R500 model information and request factory reset

# bsp set antinfo 0x00005f5e
# bsp set name R500
# bsp set model R500
# bsp set factory 1
# bsp commit

You will see something like this:-

Saving flash .....
bdSave: sizeof(bd)=0x7c, sizeof(rbd)=0xd0
  caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
  updating flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
  updating flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
_erase_flash: offset=0x0 count=1
Erase Total 1 Units
Performing Flash Erase of length 262144 at offset 0x0 done
  caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
  verifying flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
  verifying flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
... Changes saved to flash

Now you can reboot into the R500 Solo firmware.

# reboot

WARNING

You should now immediately install Unleashed firmware or allow this AP to join a controller (ZoneDirector / SmartZone / Ruckus One).

Upgrade from Solo to Unleashed firmware

Login to the AP's web administration interface.

The default username is "super", password is "sp-admin".

TIP

Your browser will show a security warning. This is normal and you should choose Advanced and then click through to the website by pressing Accept the Risk and Continue or Continue to 192.168.0.1 (unsafe) (the exact wording will vary depending on your browser).

Upgrade to Ruckus Unleashed

I assume you have downloaded the latest Ruckus R500 Unleashed 200.7 firmware.

Navigate to Maintenance > Upgrade.
Choose Upgrade Method: Local and press the Local File Name: Browse... button and select your Ruckus R500 Unleashed 200.7 firmware file.
Choose Perform Upgrade.

TIP

The upgrade will take several minutes. You probably won't be able to reconnect for a few minutes after the web administration interface says the upgrade is finished.