Convert an XClaim Xi-3 AP to a Ruckus R500

These APs have identical hardware inside, so you can convert the XClaim software without too much fuss.

NOTE

The steps below assume the AP is plugged directly into your computer.
If your AP is plugged into a switch and is picking up an IP address via DHCP, substitute its assigned IP address wherever 192.168.0.1 appears below.

SSH to the AP

console
$ ssh -oHostKeyAlgorithms=+ssh-rsa 192.168.0.1

Login. The default username is "xclaim-mfg", password is "mfg-admin12".

TIP

You may need to do a factory reset (by sticking a pin in the reset hole for a few seconds) if the default username and password don't work.

Perform command injection

console
xclaim : Ruckus

Now type ";/bin/sh;" and hit enter (you won't be able to see what you're typing)

console
grrrr

TIP

Instead of grrrr, another dog noise could be printed to the screen.

Escape to shell

console
xclaim : !v54!
What's your chow:

Now hit enter, and you should be dropped into a root shell.

console
BusyBox v1.15.2 (2020-10-27 13:20:01 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

Identify which partition is active

console
# cat /proc/v54bsp/himem | grep "fis.image:"

You will see something like this:-

console
  type:       2  index:      5  fis.image: rcks_wlan.bkup

Remember which fis.image is active. In our case we can see rcks_wlan.bkup.

Upload and install the R500 Solo firmware

I assume

  • you have a tftp server running
  • you have downloaded the latest Ruckus R500 Solo 110.0 firmware
  • you copied the firmware to the tftp's content directory

console
# tftp -g -l /tmp/solo.img -r <R500 Solo firmware> <TFTP server>

e.g.

console
# tftp -g -l /tmp/solo.img -r R500_110.0.0.0.2005.bl7 192.168.0.22

Either (A) if your active fis.image is rcks_wlan.bkup:-

console
# flashcp /tmp/solo.img /dev/mtd5
# bsp set image_type 1

or (B) if your active fis.image is rcks_wlan.main:-

console
# flashcp /tmp/solo.img /dev/mtd7
# bsp set image_type 2

WARNING

Run only the pair of commands that matches your active fis.image. Not both!
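
As an added example (not part of the original guide), the shell helper below derives the two commands from the himem output using the mapping above, and refuses to proceed if the image name is unrecognised, appears more than once, or the downloaded file is missing or empty. The function names are hypothetical, and it assumes the AP's BusyBox build includes sed.

```shell
#!/bin/sh
# Added example: choose the flash target from the active fis.image.
# Function names are hypothetical; the mapping is the one given in this guide.

# Sample line in the /proc/v54bsp/himem format, as shown earlier on this page.
SAMPLE_HIMEM='  type:       2  index:      5  fis.image: rcks_wlan.bkup'

# Read himem-style text on stdin and print every fis.image value found.
active_image() {
    sed -n 's/.*fis\.image:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# plan_flash <himem text> <image file>
# Prints the flashcp / bsp commands for the active image, or returns 1.
plan_flash() {
    # TFTP has no integrity check, so at least reject a missing or empty file.
    [ -s "$2" ] || { echo "image '$2' missing or empty - not flashing" >&2; return 1; }

    img=$(printf '%s\n' "$1" | active_image)
    # Zero matches or several matches leave $img empty or multi-line, so
    # neither case arm matches and the wildcard arm refuses to continue.
    case "$img" in
        rcks_wlan.bkup) dev=/dev/mtd5; itype=1 ;;
        rcks_wlan.main) dev=/dev/mtd7; itype=2 ;;
        *) echo "unexpected fis.image '$img' - not flashing" >&2; return 1 ;;
    esac

    printf 'flashcp %s %s\nbsp set image_type %s\n' "$2" "$dev" "$itype"
}

# On the AP: plan_flash "$(cat /proc/v54bsp/himem)" /tmp/solo.img
```

The helper only prints the commands, so you can read them before running anything against flash.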

Store R500 model information and request factory reset

console
# bsp set antinfo 0x00005f5e
# bsp set name R500
# bsp set model R500
# bsp set factory 1
# bsp commit

You will see something like this:-

console
Saving flash .....
bdSave: sizeof(bd)=0x7c, sizeof(rbd)=0xd0
  caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
  updating flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
  updating flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
_erase_flash: offset=0x0 count=1
Erase Total 1 Units
Performing Flash Erase of length 262144 at offset 0x0 done
  caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
  verifying flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
  verifying flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
... Changes saved to flash

Now you can reboot into the R500 Solo firmware.

console
# reboot

Upgrade from Solo to Unleashed firmware

Login to the AP's web administration interface.

The default username is "super", password is "sp-admin".

TIP

Your browser will show a security warning. This is normal and you should choose Advanced and then click through to the website by pressing Accept the Risk and Continue or Continue to 192.168.0.1 (unsafe) (the exact wording will vary depending on your browser).

Upgrade to Ruckus Unleashed

I assume you have downloaded the latest Ruckus R500 Unleashed 200.7 firmware.

Navigate to Maintenance > Upgrade.
Choose Upgrade Method: Local and press the Local File Name: Browse... button and select your Ruckus R500 Unleashed 200.7 firmware file.
Choose Perform Upgrade.

TIP

The upgrade will take several minutes. You probably won't be able to reconnect for a few minutes after the web administration interface says the upgrade is finished.