Convert an XClaim Xo-1 AP to a Ruckus T300
These APs have identical hardware inside, so you can convert the XClaim software without too much fuss.
The steps below assume the AP is plugged directly into your computer.
If your AP is plugged into a switch and is picking up an IP address via DHCP then you will have to substitute it's assigned IP address anywhere the text
192.168.0.1 appears below.
SSH to the AP
$ ssh -oHostKeyAlgorithms=+ssh-rsa 192.168.0.1
Login. The default username is "xclaim-mfg", password is "mfg-admin12".
You may need to do a factory reset (by sticking a pin in the reset hole for a few seconds) if the default username and password don't work.
Perform command injection
xclaim : Ruckus
";/bin/sh;" and hit enter (you won't be able to see what you're typing)
grrrr, another dog noise could be printed to the screen.
Escape to shell
xclaim : !v54! What's your chow:
Now hit enter, and you should be dropped into a root shell.
BusyBox v1.15.2 (2020-10-27 13:20:01 IST) built-in shell (ash) Enter 'help' for a list of built-in commands. #
Identify which partition is active
# cat /proc/v54bsp/himem | grep "fis.image:"
You will see something like this:-
type: 2 index: 5 fis.image: rcks_wlan.bkup
fis.image is active. In our case we can see
Upload and install the T300 Solo firmware
- you have a tftp server running
- you have downloaded the latest Ruckus T300 Solo 110.0 firmware
- you copied the firmware to the tftp's content directory
# tftp -g -l /tmp/solo.img -r <T300 Solo firmware> <TFTP server>
# tftp -g -l /tmp/solo.img -r T300_22.214.171.124.2005.bl7 192.168.0.22
Either (A) if your active
# flashcp /tmp/solo.img /dev/mtd5 # bsp set image_type 1
or (B) if your active
# flashcp /tmp/solo.img /dev/mtd7 # bsp set image_type 2
Only the one that matches the active
fis.image. Not both!
Store T300 model information and request factory reset
# bsp set antinfo 0x0000055e # bsp set name T300 # bsp set model T300 # bsp set factory 1 # bsp commit
You will see something like this:-
Saving flash ..... bdSave: sizeof(bd)=0x7c, sizeof(rbd)=0xd0 caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ] updating flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44] updating flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14] _erase_flash: offset=0x0 count=1 Erase Total 1 Units Performing Flash Erase of length 262144 at offset 0x0 done caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ] verifying flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44] verifying flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14] ... Changes saved to flash
Now you can reboot into the T300 Solo firmware
Upgrade from Solo to Unleashed firmware
Login to the AP's web administration interface.
The default username is "super", password is "sp-admin".
Your browser will show a security warning. This is normal and you should choose
Advanced and then click through to the website by pressing
Accept the Risk and Continue or
Continue to 192.168.0.1 (unsafe) (the exact wording will vary depending on your browser).
Upgrade to Ruckus Unleashed
I assume you have downloaded the latest Ruckus T300 Unleashed 200.7 firmware.
Upgrade Method: Local and press the
Local File Name: Browse... button and select your Ruckus T300 Unleashed 200.7 firmware file.
The upgrade will take several minutes. You probably won't be able to reconnect for a few minutes after the web administration interface says the upgrade is finished.