Convert an XClaim Xi-3 AP to a Ruckus R500
These APs have identical hardware inside, so you can convert the XClaim software without too much fuss.
NOTE
The steps below assume the AP is plugged directly into your computer.
If your AP is plugged into a switch and is picking up an IP address via DHCP then you will have to substitute it's assigned IP address anywhere the text 192.168.0.1
appears below.
SSH to the AP
$ ssh -oHostKeyAlgorithms=+ssh-rsa 192.168.0.1
Login. The default username is "xclaim-mfg", password is "mfg-admin12".
TIP
You may need to do a factory reset (by sticking a pin in the reset hole for a few seconds) if the default username and password don't work.
Perform command injection
xclaim : Ruckus
Now type ";/bin/sh;"
and hit enter (you won't be able to see what you're typing)
grrrr
TIP
Instead of grrrr
, another dog noise could be printed to the screen.
Escape to shell
xclaim : !v54!
What's your chow:
Now hit enter, and you should be dropped into a root shell.
BusyBox v1.15.2 (2020-10-27 13:20:01 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
Identify which partition is active
# cat /proc/v54bsp/himem | grep "fis.image:"
You will see something like this:-
type: 2 index: 5 fis.image: rcks_wlan.bkup
Remember which fis.image
is active. In our case we can see rcks_wlan.bkup
.
Upload and install the R500 Solo firmware
I assume
- you have a tftp server running
- you have downloaded the latest Ruckus R500 Solo 110.0 firmware
- you copied the firmware to the tftp's content directory
# tftp -g -l /tmp/solo.img -r <R500 Solo firmware> <TFTP server>
e.g.
# tftp -g -l /tmp/solo.img -r R500_110.0.0.0.2005.bl7 192.168.0.22
Either (A) if your active fis.image
is rcks_wlan.bkup
:-
# flashcp /tmp/solo.img /dev/mtd5
# bsp set image_type 1
or (B) if your active fis.image
is rcks_wlan.main
:-
# flashcp /tmp/solo.img /dev/mtd7
# bsp set image_type 2
WARNING
Only the one that matches the active fis.image
. Not both!
Store R500 model information and request factory reset
# bsp set antinfo 0x00005f5e
# bsp set name R500
# bsp set model R500
# bsp set factory 1
# bsp commit
You will see something like this:-
Saving flash .....
bdSave: sizeof(bd)=0x7c, sizeof(rbd)=0xd0
caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
updating flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
updating flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
_erase_flash: offset=0x0 count=1
Erase Total 1 Units
Performing Flash Erase of length 262144 at offset 0x0 done
caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
verifying flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
verifying flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
... Changes saved to flash
Now you can reboot into the R500 Solo firmware.
# reboot
Upgrade from Solo to Unleashed firmware
Login to the AP's web administration interface.
The default username is "super", password is "sp-admin".
TIP
Your browser will show a security warning. This is normal and you should choose Advanced
and then click through to the website by pressing Accept the Risk and Continue
or Continue to 192.168.0.1 (unsafe)
(the exact wording will vary depending on your browser).
Upgrade to Ruckus Unleashed
I assume you have downloaded the latest Ruckus R500 Unleashed 200.7 firmware.
Navigate to Maintenance
> Upgrade
.
Choose Upgrade Method: Local
and press the Local File Name: Browse...
button and select your Ruckus R500 Unleashed 200.7 firmware file.
Choose Perform Upgrade
.
TIP
The upgrade will take several minutes. You probably won't be able to reconnect for a few minutes after the web administration interface says the upgrade is finished.