Hacking the Belkin F5D7230-4 Version 1444 router

This version of the Belkin F5D7230-4 seems to have a different case and no plug-in daughter board on the main board. The parts consist of:

Information on a previous version is here http://openwrt.org/ http://openwrt.org/F5D7230 http://www.codefu.org/weblogs/darkness/archives/000169.html Belkin has released the source code in GPL-4-00-03.tgz http://www.megaupload.com/?d=F9E5838X

The first task is to take the cover off. This is not so easy but start by taking two small screws off from the bottom under the label. See http://www.linux-hacker.net/misc/F5D7230/

Then insert a rather wide screwdriver under the top cover starting in the back and working your way around to the side. This is pretty hard to do but you can undo the snaps that hold the top to the bottom. Top cover

Once you've got the cover off, you can attached a serial cable to the 4 pin serial connector. It's set to 115200 8N2. Note that the levels on the pins are NOT RS-232 leves but 3.3 volts so you will need a level shifter chip.

     /-----            ------\                
     |  1    2      3    4   |                
     \-----------------------/                

1 = Data In (in to router)
2 = Data Out
3 = Ground
4 = 3.3v power
4 pin serial connector

When you boot, here is what you'll see:

Decompressing..........done
Here we try to capture the default reset button: None.


CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Mon Apr 19 18:19:30 CST 2004 (denny@dnylinux)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena.
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.60.9.0
CPU type 0x29007: 200MHz
Total memory: 0x800000 bytes (8MB)

Total memory used by CFE:  0x80300000 - 0x80434A50 (1264208)
Initialized Data:          0x8032EB60 - 0x80330E90 (9008)
BSS Area:                  0x80330E90 - 0x80332A50 (7104)
Local Heap:                0x80332A50 - 0x80432A50 (1048576)
Stack Area:                0x80432A50 - 0x80434A50 (8192)
Text (code) segment:       0x80300000 - 0x8032EB60 (191328)
Boot area (physical):      0x00435000 - 0x00475000
Relocation Factor:         I:00000000 - D:00000000

Device eth0:  hwaddr 00-11-50-0A-07-84, ipaddr 192.168.2.1, mask 255.255.255.0
        gateway not set, nameserver not set
Reading :: Failed.: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: ..... 1482752 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
CPU revision is: 00029007
Primary instruction cache 8kb, linesize 16 bytes (2 ways)
Primary data cache 4kb, linesize 16 bytes (2 ways)
Linux version 2.4.20 (lchen@penguin.askey.com) (gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications) #1 Fri Apr 2 16:05:18 PST 2004
Determined physical RAM map:
 memory: 00800000 @ 00000000 (usable)
On node 0 totalpages: 2048
zone(0): 2048 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
CPU: BCM4712 rev 1 at 200 MHz
Calibrating delay loop... 199.47 BogoMIPS
Memory: 6424k/8192k available (1257k kernel code, 1768k reserved, 108k data, 64k init, 0k highmem)
Dentry cache hash table entries: 1024 (order: 1, 8192 bytes)
Inode cache hash table entries: 512 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
Checking for 'wait' instruction...  unavailable.
POSIX conformance testing by UNIFIX
PCI: Fixing up bus 0
PCI: Fixing up bridge
PCI: Fixing up bus 1
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0xb8000300 (irq = 3) is a 16550A
ttyS01 at 0xb8000400 (irq = 0) is a 16550A
PPP generic driver version 2.4.2
 Amd/Fujitsu Extended Query Table v1.0 at 0x0040
number of CFI chips: 1
Flash device: 0x200000 at 0x1c000000
Physically mapped flash: cramfs filesystem found at block 743
Creating 5 MTD partitions on "Physically mapped flash":
0x00000000-0x00020000 : "pmon"
0x00020000-0x001f0000 : "linux"
0x000b9ce4-0x001f0000 : "rootfs"
0x00004000-0x00006000 : "profile"
0x001f0000-0x00200000 : "nvram"
sflash: found no supported devices
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
ip_conntrack version 2.1 (64 buckets, 512 max) - 344 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
ipt_time loading
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
802.1Q VLAN Support v1.7 Ben Greear
All bugs added by David S. Miller
VFS: Mounted root (cramfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 64k freed
Using /lib/modules/2.4.20/kernel/drivers/net/et/et.o
Using /lib/modules/2.4.20/kernel/drivers/net/wl/wl.o
Using /lib/modules/2.4.20/kernel/drivers/net/led/led.o
Hit enter to continue...Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
Added VLAN with VID == 0 to IF -:eth0:-
Added VLAN with VID == 1 to IF -:eth0:-
WARNING:  VLAN 1 does not work with many switches,
consider another number if you have problems.
killall: iappd: no process killed
iappd: No such file or directory
info, Moreton Bay DHCP Server (v0.9.5) started
===wan_ifname=vlan1, ifname=vlan1
killall: upnp: no process killed
No interface specified. Quitting...
info, Moreton Bay DHCP Client (v0.9.5) started
Hit enter to continue...debug, Sending discover...
No interface specified. Quitting...
Hit enter to continue...debug, Sending discover...
debug, Sending discover...

Hitting Ctrl-C just after:

Reading :

Yields:

Automatic startup canceled via Ctrl-C                                           

typeing "help" Yields:

Available commands:                                                             
                                                                                
et                  Broadcom Ethernet utility.                                  
led                 LED control.                                                
tftpupg             Upgrade firmware through ethernet TFTP.                     
dnvram              Default NVRAM utility.                                      
nvram               NVRAM utility.                                              
reboot              Reboot.                                                     
flash               Update a flash memory device                                
autoboot            Automatic system bootstrap.                                 
batch               Load a batch file into memory and execute it                
go                  Verify and boot OS image.                                   
boot                Load an executable file into memory and execute it          
load                Load an executable file into memory without executing it    
save                Save a region of memory to a remote file via TFTP           
ping                Ping a remote IP host.                                      
arp                 Display or modify the ARP Table                             
ifconfig            Configure the Ethernet interface                            
unsetenv            Delete an environment variable.                             
printenv            Display the environment variables                           
setenv              Set an environment variable.                                
help                Obtain help for CFE commands                                
                                                                               
For more information about a command, enter 'help command-name'                 

The following commands seem to work (assuming you have a /tftpboot/belkin)

# first do this on your host:
sudo ifconfig eth0 broadcast 192.168.2.255 netmask 255.255.255.0 192.168.2.3
# then try these from minicom:
load -addr=0x80000000 -max=789932 192.168.2.3:belkin/dump.bin
save 192.168.2.3:belkin/dump.bin 0x80000000 0x100      # ram                       
save 192.168.2.3:belkin/dump.bin 0x90000000 0x100
save 192.168.2.3:belkin/dump.bin 0xa0000000 0x100
save 192.168.2.3:belkin/dump.bin 0xb0000000 0x100      # flash
boot -z -addr=0x80001000 -max=1482752 flash0.os:  # this boots the current flash

To save the entire flash part do:

save 192.168.2.3:belkin/dump.bin 0xbfc00000 0x200000
# then on host do:
mv /tftpboot/belkin/dump.bin /tftpboot/belkin/belkin.flash

To save the entire ram do:

save 192.168.2.3:belkin/dump.bin 0x80000000 0x400000

To save the ramdisk, use these numbers: '0x000b9ce4-0x001f0000 : "rootfs"' from Linux boot and get flash start addr from 'CFE> nvram show' (boot_flash_addr=bfc00000) and do:

save 192.168.2.3:belkin/dump.bin 0xbfcb9ce4 0x136316
# where 0x136316 = 0x001f0000-0x000b9ce4

To save the Linux kernel, use these numbers: '0x00020000-0x001f0000 : "linux"' from Linux boot and do:

save 192.168.2.3:belkin/dump.bin 0xbfc20000 0x99ce4
# where 0x99ce4 = 0x000b9ce4-0x00020000
# then on host do:
mv /tftpboot/belkin/dump.bin /tftpboot/belkin/belkin.linux

To save the Linux kernel and filesystem, use these numbers: '0x00020000-0x001f0000 : "linux"' from Linux boot and do:

save 192.168.2.3:belkin/dump.bin 0xbfc20000 0x1d0000
# then on host do:
mv /tftpboot/belkin/dump.bin /tftpboot/belkin/belkin.img

To save the nvram, use these numbers: '0x001f0000-0x00200000 : "nvram"' from Linux boot and do:

save 192.168.2.3:belkin/dump.bin 0xbfdf8000 0x8000
# then on host do:
mv /tftpboot/belkin/dump.bin /tftpboot/belkin/belkin.nvram

now mount the ramdisk:

sudo mount -o loop /tftpboot/belkin/belkin.rd.bin /mnt

Now set up to do an NFS boot (you will need to set up the serial cable above). The advantage of NFS is that you never need to touch the flash, which can render your unit useless. Getting NFS working required removing VLAN which means you can't really run your router as a router. Plug the ethernet cable into "Connections to Computers" #1, then make a directory called belkin (and tftpboot subdir):

mkdir -p ~/belkin/tftpboot
Get the build tools here: http://www.linksys.com/support/gpl.asp Get wrt54g.2.02.2.tgz, then get GPL-4-00-03.tgz from http://www.megaupload.com/?d=F9E5838X and my changes belkin.3.tar.bz2 put them all in ~/belkin and roughly do:
#put this in your .bashrc file and then do: "source ~/.bashrc"

belkin ()
{
export CUSTOMER=belkin
export PATH=/opt/brcm/hndtools-mipsel-linux/bin:/opt/brcm/hndtools-mipsel-uclibc/bin:$PATH
export OPT_HOME=/opt/brcm
export CROSS_COMPILE=$OPT_HOME/hndtools-mipsel-uclibc-0.9.19/bin/mipsel-uclibc-
export OPT_LINUX=/opt/belkin/GPL-4/src/linux/linux
alias x='cd $OPT_LINUX'
}

# make sure you have the package zlib1g-dev
source ~/.bashrc
belkin  # executes the above subroutine
sudo mkdir /opt
cd /opt
sudo ln -s $HOME/belkin/WRT54G/tools/brcm brcm
sudo mkdir /tftpboot
cd /tftpboot
sudo ln -s /opt/belkin/tftpboot
cd ~/belkin
tar xzf wrt54g.2.02.2.tgz
# put 
/opt/belkin     *(rw,no_root_squash,sync,insecure)
# into your /etc/exports and then do:
sudo exportfs -r
make config
make overlay
make linux
# then do this via the serial port from minicom:
boot -elf 192.168.2.3:belkin/vmlinux

Now set up USB (you will need to set up the serial cable above). The 1444 has a USB on board the CPU but there are some missing capacitors, resistors, jumpers and a fuse. The first jumper is near the power supply and connects the +5 volts to the stuff near the USB connector (which isn't populated). The 2nd jumper is near the USB connector and is labed as a fuse. There are 2 inline resistors that should be around 26 ohms that go in series with the 2 data lines that make up USB. I just shorted these. There are also 2 15K ohm pull-downs that MUST be inserted. I choose to put these off board on the USB connector that I wired to the 4 holes that make up the USB footprint on the board. All you have to then is:

cd ~/belkin/GPL-4/src/linux/linux
cp default_belkin.nfs.usb .config
make oldconfig
cd ~/belkin
make linux
# then from minicom on the target try:
mount -t auto /dev/scsi/host0/bus0/target0/lun0/part1 /mnt
© Rick Bronson