Recovering a Ruckus Access Point Using the Serial Port


I recently purchased a couple of used Ruckus R710 access points from Ebay to use in my Ruckus Unleashed setup. Usually these APs are pretty expensive, but I scored a nice deal at just one tenth of the price. Often they come from a business environment and were used in combination with a Ruckus ZoneDirector. This means they cannot be used directly in an Unleashed setup. There is no physical difference between an Unleashed AP and a ZoneDirector AP, only the software is different. If you purchase an Unleashed device it will come with Unleashed software pre-installed. The ones I bought all had ZoneDirector firmware on them and I want to flash them all with Unleashed firmware.

To flash them, I attach the Ruckus AP to a PoE injector via ethernet and attach the other end to my computer. Then I set a static IP on my computer of 192.168.0.100 with subnet mask 255.255.255.0 (router can be empty or 192.168.0.1). You can also use any other IP in 192.168.0.0/24, apart from 192.168.0.1, as that’s the IP the Ruckus AP will use. After that I reset the AP to factory settings by pressing the reset button for 10 seconds, so we can log in with the default credentials later. The LED will flash red, orange and yellow while you hold the button and turn red after you let it go. After a minute the AP should be finished booting.

Then you have two options to go about flashing: via the web interface or via the command-line. I chose the web interface as it’s the fastest and easiest. First I need to download the latest Unleashed firmware for the R710, which can be done here. Luckily software updates and downloads are free and do not require a support contract at Ruckus. You will need a free account on their website, though. Choose the latest Unleashed bl7 file that’s available. In my case that was 200.12.10.5.234. Now we can go to the web interface of the AP at https://192.168.0.1/ and log in with the username/password combination super/sp-admin. Then head over to Maintenance -> Upgrade and upload the firmware under the Local tab. The AP should then be running the latest Unleashed version after a couple of minutes.

This was easy for the first 4 APs, but the last one was a little more difficult. The web interface does not appear when browsing to the IP via HTTP or HTTPS, and an SSH session cannot be started either, as the connection is refused. A quick nmap shows that only two TCP ports are open:

floris@mac ~ % nmap -p- 192.168.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-01 11:32 CET
Nmap scan report for 192.168.0.1
Host is up (0.00069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT      STATE SERVICE
1883/tcp  open  mqtt
18301/tcp open  unknown
MAC Address: 58:B6:33:xx:xx:xx (Ruckus Wireless)

Nmap done: 1 IP address (1 host up) scanned in 2.33 seconds

Only MQTT and SpeedFlex, Ruckus' internal wireless performance testing service, seem to be accessible on the AP, nothing of use for trying to flash the firmware. People on the Ruckus forums suggest resetting the AP again and then connecting to it via SSH. But no matter how long I held the reset button, SSH did not appear on the AP. This leaves us with one option left: the serial console. I recently bought this cheap USB to serial adapter (PL2303TA) to try and recover a badly flashed TP-Link RE450 with OpenWrt. In the end I did not manage to get a connection to the device, which could have been the adapter but was more likely a botched soldering job. Luckily all, or most, Ruckus access points come with easily accessible pins, so no soldering is required. For example the R320:

My R710 also had these pins, but angled by 90 degrees, which did not allow them to be connected directly as the shell was blocking it. This made me try to remove the screws and take the PCB out of the shell completely. Warning: Ruckus says your warranty is void and the device is not covered under the support contract once you open your device or tinker with it in any way. I’m not sure about the legality of voiding the warranty for opening the device, but as these devices are second hand and without any contract, I have nothing to lose.

Now the next problem arose: even after removing all the screws, the PCB did not move at all. I used a plastic tool to try and pry it off the shell, but it only started making cracking noises, so I quickly stopped. I sat down for a bit and considered the next possibilities. I could either solder the pins or bend them. Looking for the least destructive way, and given how my previous soldering job ended, I went with the second option. Ruckus does not provide any information on these pins or the line coding. I saw some other people trying to interface with these access points via serial and they found that the middle pin was VCC, which is not needed for a successful connection. This leaves me with 3 other pins I need to bend.

Only pin 1 and 5 are marked (left and right on the picture above). After trial and error I found the following configuration of pins: 1 - TXD, 2 - Empty, 3 - VCC, 4 - GND, 5 - RXD. For the line coding it uses a baud rate of 115200, 8 data bits, no parity and 1 stop bit (115200 8N1). I then used the excellent macOS app “Serial” to interface with the device. In the end the setup looked like this:

Now we can actually start to flash the device, the same way we would do it via SSH. We’ll need the firmware we downloaded earlier and a TFTP server running. I used the macOS app “Transfer” for this, an easy to use visual TFTP server. First we need to move the firmware to the Transfer server’s root directory, default is ~/Transfer. Then we need to tell the AP which TFTP server to use (our previously set static IP) and which file to download from it:

rkscli: fw set host 192.168.0.100
OK
rkscli: fw set proto tftp
OK
rkscli: fw set port 69
OK
rkscli: fw set control R710_200.12.10.5.234.bl7
OK

Everything looks fine, so we can start the download of the firmware and upgrade using fw update:

rkscli: fw update
fw: Updating rcks_wlan.bkup ...
net_get_flash_ubi(192.168.0.100, R710_200.12.10.5.234.bl7, rcks_wlan.bkup,, 0)
...

We can see that the firmware is being downloaded from the TFTP server:

It takes a while, but you should be able to see the progress in the serial console as well as the TFTP server. Now the image will be applied:

...
flash id is 0
imghdr.{hdr_len=160, bin_len=39870304}
fw_flash_read_open: kernel open(/dev/ubi0_0) rootfs open(/dev/ubi0_1)
fw_flash_read_open: kernel open(/dev/ubi1_0) rootfs open(/dev/ubi1_1)
flash id is 0

Image2 FW check ...

MD5 = 864C5353A6F4F85B9BD9388BB7A67203
tail_offset 0 bin_len 39870304 sign 2.
net_get_flash_ubi, Upgrading from Intermediate Signed Image(ISI) to Fully Signed Image(FSI) image.
fw_ubi_write_open: kernel open(/dev/ubi1_0)
fw_ubi_write_open: rootfs open(/dev/ubi1_1)


Flashing KERNEL image(2.44MB)
[====================================================================================================] 100 

Flashing ROOTFS image(35.59MB)
[====================================================================================================] 100

Reading Image TAIL:- TLV No-1.TLV INFO
  Number of TLVS in Tail is 3.
  Size of Tail is 3160. len 9 tail_len = 9
2. SIGNATURE OBTAINED SUCCESSULLY
len 515 tail_len = 524
        cert len 2118 pass
3. CERTICATE OBTAINED SUCCESSFULLY
len 2121 tail_len = 2645
Unknown TLV in the Tail =4 0 2 7b.
len 515 tail_len = 3160

MD5 Checksum successful!!!!!!!!! 

Checking Image hash:-
1. Obtaining public key from Certificate.
        Executing openssl x509 -in /tmp/in_cert.pem -pubkey -noout >/tmp/pubkey.pem
        line: Certificate will not expire
  Certificate validity verified.
        line: /tmp/in_cert.pem: OK
2. Public key verified.
3. Decrypting the Image signature.
        Executing openssl rsautl -verify -pubin -inkey /tmp/pubkey.pem -in /tmp/signsure.bin -out /tmp/ext_sha256.
4. Comparing the signatures:-
  IMAGE TAIL SHA256 :
        7b75ac3f3f5e1f90c321af621faab199d925f6c8031dcd7b84a7b9354ef91b9c
  CALC SHA256 :
        7b75ac3f3f5e1f90c321af621faab199d925f6c8031dcd7b84a7b9354ef91b9c
        HASH CHECK PASSED.

AIS cleanup : Removing /tmp/ext_sha256...
AIS cleanup : Removing /tmp/in_cert.pem...
AIS cleanup : Removing /tmp/signsure.bin...
AIS cleanup : Removing /tmp/pubkey.pem...
AIS cleanup : Completed
bdSave: sizeof(bd)=0x7c, sizeof(rbd)=0xd0
  caching flash data from /dev/mtd14 [ 0x00000000 - 0x00010000 ]
  updating flash data [0x00008000 - 0x000080d0] from [0xbeedfad0 - 0xbeedfba0]
_erase_flash: offset=0x0 count=1
Erasing 64 Kibyte @ 0 -- 100 % complete 
  caching flash data from /dev/mtd14 [ 0x00000000 - 0x00010000 ]
  verifying flash data [0x00008000 - 0x000080d0] from [0xbeedfad0 - 0xbeedfba0]
**fw(2994) : Completed
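The "Checking Image hash" steps in the log above are worth understanding, since they are what stops a corrupted or tampered image from being accepted even when the operator has full serial access. The script below is an added example, not code from the post or from Ruckus: it reproduces the same openssl sequence (public key from certificate, validity check, RSA recovery of the signed digest, SHA256 comparison) against a constructed fixture, using a throwaway self-signed certificate in place of the vendor certificate and random bytes in place of the kernel/rootfs image.

```shell
#!/bin/sh
# Added example: re-run the image signature check the R710 log shows, offline.
# Everything here is constructed; no real Ruckus key, cert or image is involved.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_fixtures() {
  # Hypothetical signer key + self-signed cert standing in for the vendor cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-fw-signer" \
      -keyout "$WORK/signer.key" -out "$WORK/in_cert.pem" >/dev/null 2>&1
  # Constructed stand-in for the kernel+rootfs payload
  head -c 65536 /dev/urandom > "$WORK/image.bin"
  # The image "tail" carries the SHA256 of the payload, RSA-signed (PKCS#1 v1.5)
  openssl dgst -sha256 -binary "$WORK/image.bin" > "$WORK/sha256.bin"
  openssl rsautl -sign -inkey "$WORK/signer.key" -in "$WORK/sha256.bin" \
      -out "$WORK/signsure.bin" 2>/dev/null
  # Tampered copy: one byte changed, signature left untouched
  cp "$WORK/image.bin" "$WORK/tampered.bin"
  printf 'X' | dd of="$WORK/tampered.bin" bs=1 seek=100 conv=notrunc 2>/dev/null
}

# Mirrors the AP's steps 1-4; returns 0 when the image passes, 1 otherwise.
verify_image() {
  image=$1; cert=$2; sig=$3
  # 1. Public key from the certificate (same command as in the log)
  openssl x509 -in "$cert" -pubkey -noout > "$WORK/pubkey.pem"
  # "Certificate will not expire" in the log is openssl x509 -checkend output
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 1
  # "/tmp/in_cert.pem: OK" is openssl verify output; self-signed here, so it is its own CA
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
  # 3. "Decrypt" the signature: the RSA public-key operation recovers the signed digest
  openssl rsautl -verify -pubin -inkey "$WORK/pubkey.pem" -in "$sig" \
      -out "$WORK/ext_sha256" 2>/dev/null || return 1
  # 4. Compare the recovered tail SHA256 with the SHA256 computed over the image
  tail_sha=$(od -An -tx1 -v "$WORK/ext_sha256" | tr -d ' \n')
  calc_sha=$(openssl dgst -sha256 -r "$image" | cut -d' ' -f1)
  [ "$tail_sha" = "$calc_sha" ]
}

make_fixtures
if verify_image "$WORK/image.bin" "$WORK/in_cert.pem" "$WORK/signsure.bin"; then
  echo "HASH CHECK PASSED."
fi
if ! verify_image "$WORK/tampered.bin" "$WORK/in_cert.pem" "$WORK/signsure.bin"; then
  echo "tampered image rejected"
fi
```

Note that `openssl rsautl` is deprecated in OpenSSL 3 in favour of `pkeyutl`; it is used here only because it is the command the AP's own log shows.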

All looks good! Now we can reboot and we should be on the Unleashed firmware:

rkscli: reboot
OK
rkscli: Receive reboot msg [u,1]

System information written to /tmp/reboot_support


*** Reboot by pid=4387: rsmd_func rsmd reboot 1 1  ***


***  Rebooting ... please wait *** 

System Shutdown ...
 12:19:57 up 6 min, load average: 1.19, 0.91, 0.43
The system is going down NOW!
Sent SIGTERM to all processes
[  379.499750] watchdog: qcom_wdt: watchdog did not stop!
Sent SIGKILL to all processes
Requesting system reboot
[  380.522742] Restarting system.

Success! After a couple of minutes the Unleashed interface was shown on https://192.168.0.1/.