Access Point, 128 WEP. To 28V, draws about 4W. Internal antennae connectors Hirose U.FL series.
Contents
-
Hardware
-
Known F5D7230-4 Hardware Versions
- Version 1111tt FCC ID: QDS-BRCM1005
- Version 1444 FCC ID: K7SF5D72304
- Version 2000 FCC ID: K7SF5D7234A
- Version 3000 FCC ID: PD5F5D72304
- Version 4000 FCC ID: K7S7230A (in FCC ID DB as K7SF5D7230A ?)
- Version 5000 FCC ID: RAXWG4005FB
- Version 6002 FCC ID: K7SF5D7230C
- Version 7002uk or 1000yy Sweden, FCC ID: RAXWG4005G
- Version 7000 FCC ID: K7SF5D7230D
- F5D7230-4 vs. F5D7230v4
- Power and Antennas
- F5D7230-4 Serial Console - DIY Process Documented
- Other devices based on Broadcom BCM47XX reference design
- Hardware version 1010, 20 pin expansion bus
-
Known F5D7230-4 Hardware Versions
-
Firmware
- Extracting firmware
- One step closer to custom firmware
- I got a shell on the box
- Boot messages
- Using Linksys binaries
- Recovery methods
- Custom firmware images
- Symlinks
- Belkin F5D7230-4 4.05.03 GPL firmware source code available!
- F5D7230-4 root shell and consolidated data structures
- F5D7230-4 Broadcom GPL Reference Firmware Compiled
- Upgrading the F5D7230-4 v1444 to a F5D7231-4 125mbit High Speed Mode (HSM)
- F5D7130 firmware to F5D7230-4 (v1444)
- Available firmware (4.05.03 fixes packed loss bug)
- Note regarding 4.05.03 firmware
- Locations of "official" firmware
- 5.00.02 firmware
- Custom firmware now available
- FAQ -- Questions and Answers Section
1. Hardware
1.1. Known F5D7230-4 Hardware Versions
1.1.1. Version 1111tt FCC ID: QDS-BRCM1005
Specifications
NVRAM get boardtype -> bcm94710r4 (similar to the Ravotek model, may need a patch to probe the miniPCI bus, per forum post).
- 4MB flash, 16MB RAM
- Shipped with 3.00.07 firmware; used modified 3.00.07 firmware above to get a shell and to set boot_wait
- Onboard miniPCI card
- CPU info:
system type : Broadcom BCM947XX processor : 0 cpu model : BCM4710 V0.0 BogoMIPS : 82.94 wait instruction : no microsecond timers : yes tlb_entries : 32 extra interrupt vector : no hardware watchpoint : no VCED exceptions : not available VCEI exceptions : not available
1.1.2. Version 1444 FCC ID: K7SF5D72304
Specifications
NVRAM get boardtype -> 0x0101
- 2MB flash, 8MB RAM
- Shipped with 4.03.03 firmware; got shell by deleting most of /usr/sbin and www, and replacing with "fake busybox httpd" as explained above
- Will not run 3.00.07 or openwrt firmware
- No miniPCI card
- CPU info:
system type : Broadcom BCM947XX processor : 0 cpu model : BCM3302 V0.7 BogoMIPS : 199.47 wait instruction : no microsecond timers : yes tlb_entries : 32 extra interrupt vector : no hardware watchpoint : no VCED exceptions : not available VCEI exceptions : not available
- To unbrick: bridge pins ~9-10 on 29lv160 flash
- 4.03.03 is picky about "compatible" trx images; I forced a failed reflash and then uploaded the new image with TFTP.
Opening the F5D7230-4: remove the two screws underneath the label on the bottom, then gently pry at the snaps around the edges
Serial port hookup instructions for v. 1444
I've got a serial port working, see f5d7230 I've spent a bit of time trying to get the thing to do an NFS boot but not there yet. I can get it to do a boot of vmlinux though which is a start. -Rick
1.1.3. Version 2000 FCC ID: K7SF5D7234A
Specifications
- shipped with 4.05.03 firmware
Broadcom BCM5325EKQM Broadcom BCM4712KFB ESMT M12L64164A
- To open: remove two screws from the bottom. There are two snaps each on the front, left- and right-hand sides.
WARNING! The 4.03.03 firmware does not work on this hardware revision. The 4.05.03 firmware is available at BELKIN_RT_54G_USA_4.05.03.bin (not listed on the Web site yet). The TFTP recovery method works as documented here.
- Tested all variants of OpenWRT as of February 2005. None of them work on this hardware.
- Model released in Europe (purchased in Copenhagen) labeled "2001yy" uses same chips and firmware, albeit the EU 14 channel revision. The power brick uses interchangeable cord, works fine on US powerlines.
1.1.4. Version 3000 FCC ID: PD5F5D72304
- 2MB Flash, 8MB RAM
Broadcom BCM4712KFB
- Main difference is in the antenna type, which increase the range with Version 3000
- Rumour has it that they will introduce a 4MB Flash/16MB RAM model.
Specifications
- shipped with 5.00.02 firmware
Download information at Belkin as F5D7230-4_V3000. Firmware image as BK54gr_v5.00.02.bin.
1.1.5. Version 4000 FCC ID: K7S7230A (in FCC ID DB as K7SF5D7230A ?)
- Acquired directly from Belkin as RMA replacement for malfunctioning unit.
- Hardware version 4.00.01
Support for wireless bridge mode (WDS) has been dropped. The menu option is entirely gone. Unsure at this point if menu has simply been disabled but router still supports WDS internally or not.
WDS/wireless bridging works--at least with a F5D7230-4 v.2000 AP/router. Entered MAC address of v.4001 AP into Wireless Bridge page of v.2000 AP. Unable to save any addresses in MAC Address Control page of v.4001 router. Seems like WDS is on by default, with no way to control access.- Size of router is approx. half the size of v1112.
- 8MB(8Mbit?) Flash
- 32MB(32Mbit?) RAM
- Marvell Ethernet chip and CPU
- Compatable with Texas Instruments Wireless Chipset (ACX111 driver)
- Has only one external antenna.
- Features and Web interface appear to be pretty much the same as older versions.
- Still bridges Appletalk between WLAN and LAN.
- Web configuration using Safari is completely broken (even more than before). Must use IE or Opera. (Web configuration works fine with Safari 2.0.1.)
- On reboot, network with SSID 'marvell-ap32' can be seen [Default SSID: belkin54g]
Looks like this may be the same as the LinksysWrt54gc based on the Marvell Libertas Home Gateway.
- Appears as if the Web interface from the older models was converted across to this new revision--there is a broken link back to the save/backup settings from the firmware update page (present in firmware 6.00.14).
- Web server is reporting as "IP_SHARER WEB 1.0".
- Supports WPA-PSK with TKIP or AES, and WPA2 with AES -- no longer has support for Radius.
- Turbo Mode (Frame Bursting mode) option is no longer available.
- Firmware updates
- Function reports "Update available" on 6.00.14 firmware--the file it links to is apparently 6.00.03
USA 54g_ap
USA F5D7230_6.00.03.rar
Firmware version 6.00.21 F5D7230-4_v4000 (23 Nov 2005, 554.09KB), with new features: dyndns/dtdns client support, port 80 forwarding working well (was not working in previous version 6.00.10).
- Function reports "Update available" on 6.00.14 firmware--the file it links to is apparently 6.00.03
Specifications
- Shipped with 6.00.10 firmware
- One purchased in Australia shipped with 6.00.14 firmware
1.1.6. Version 5000 FCC ID: RAXWG4005FB
I just picked this up at Circuit City. They just got them in today, 04 February 2006. Doesn't seem to run Linux so it's just going to get returned. Sigh.
Specifications
- Small one-antenna unit.
- Shipped with firmware version 7.01.06, boot version V0.07
- Also lists "Hardware 01" under version info.
- Web server reports itself as Apache/0.6.5 (Huh?)
- Reports no firmware update available as of Feb 04 2006
An NMap scan on it:
Interesting ports on 192.168.2.1:
(The 65533 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
21417/tcp open unknown
MAC Address: 00:11:50:76:65:97 (Unknown)
Device type: WAP
Running: SMC embedded
OS details: SMC Barricade DSL Router/Modem/Wireless AP
OS Fingerprint:
TSeq(Class=TD%gcd=1%SI=1%IPID=I%TS=U)
T1(Resp=Y%DF=Y%W=1770%ACK=S++%Flags=AS%Ops=ME)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=1770%ACK=S++%Flags=AS%Ops=ME)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
TCP Sequence Prediction: Class=trivial time dependency
Difficulty=1 (Trivial joke)
TCP ISN Seq. Numbers: FE5E FE69 FE75 FE80 FE8C
IPID Sequence Generation: Incremental
Not sure whats up with the random open ports. They seem to randomly change and disappear. I can Telnet to them and type random stuff but nothing comes back.
1.1.7. Version 6002 FCC ID: K7SF5D7230C
I got this one at Circuit City 12/08/06. It drops its Internet connection and needs frequent resetting.
Specifications
- Small one-antenna unit.
- Shipped with firmware version 8.01.07
It is likely that the hardware of this version is very similar to LinksysWrt54gc.
1.1.8. Version 7002uk or 1000yy Sweden, FCC ID: RAXWG4005G
FCC info on this version of the unit can be found on: RAXWG4005G Havent got around to build any firmeware or flash this unit yet. just did a quick peek in the current vendor firmware-update bin (uk v9.01.05).
Specifications
- Small one-antenna unit
Plattform: AR5315PLUS , Atheros, ('System-on-a-chip' with MIPS 4k class proc running at ~180-200)
- Board - "141400520017j rev: 01" (Accton board?)
Switch * IP175C LF- 5 Port eth integrated switch (1 WAN, 4 Switch ports)
- 2mb Flash, type '25p16v6P'
- 8mb SDRAM, type 'IC42S16400b-7TI'
- JTAG: 1 EJTAG
Ships with VxWorks based firmware
- Ships with BRN bootloader, "BRN - Boot-code Ver. V0.01"
- TFTP flash: To be able to use TFTP as method for flashing you have to set your IP to 192.168.0.100
- Panic-kernel: There is a small "panic-kernel" which can be accessed by holding "Reset" while powering up.
Pinouts
J3 - TTL Serial Header
- Pin1 =
- Pin2 = TXD
- Pin3 = RXD
- Pin4 = GND
- Pin5 =
Notes
The current vendor bin contains two lzma packed files (filenames assumed) * offset: 0-1364d = psf.bin, size: 79 438 bytes, unpacked: 715 638 bytes
- offset: 20000-9ec08 = soho.bin, size: 519 177 bytes, unpacked:, 2 033 304 bytes
More info and code to extract data from "PFS/0.9"-images can be found at http://cba.si/pfs/
Additional relevant offsets in vendor bin:
- Offset: ffff4-10000a: 09 EC 07 00 78 56 34 12 69 FB 14 31 42 52 4E 36 31 41 4B 00 00 00 = ".ì..xV4.iû.1BRN61AK..."
Mini Loader info
- image must start at 0x80001000
- Input Download Area Address (default:0x80600000)
Nmap
Running: 3Com embedded, Philips embedded, Sinus embedded, SMC embedded OS details: Wireless broadband router (3Com OfficeConnect, Philips SNB6500, Sinus 154, SMC SMCWEBT-G, or SMC SMCWBR14-G2), SMC SMC2804WBRP-G wireless broadband router 53/udp open|filtered domain 67/udp open|filtered dhcps 68/udp open|filtered dhcpc 80/tcp open http 1900/udp open|filtered upnp 10101/tcp open unknown 32768/udp open|filtered omad
Note on port 10101/tcp: "bkserver process listens to port 10101, the process is used for router quick setup procedure from Belkin's installation CD."
1.1.9. Version 7000 FCC ID: K7SF5D7230D
Grabbed this at Wal-Mart today, 2007/06/28. They do have WPA now, at least, and it was only $40, so I'll keep it. Still reporting Apache 0.6.5.
Specifications
- Small one-antenna unit.
- Shipped with firmware version 9.01.05, boot version 0.01
Exactly identical to Dynex DX-WGRTR.
1.2. F5D7230-4 vs. F5D7230v4
The "v4" seems to come in blister packs from HomeDepot and Microcenter. All that I've seen are v2000. The physical box is smaller than the original units.
1.3. Power and Antennas
Tested up to 28V! Draws about 4W; can you say low-cost solar-powered wireless Linux box? Put it in my car with engine running (alternator and spark plug noise test), connected to inside the house, works great! (for details see link below in the next section).
The internal antenna connectors appear to be Hirose U.FL series, which is emerging as a standard for miniPCI cards. Since the first revision of this AP used a miniPCI radio, this carried over to the current rev, which has the radio on the board but uses the same antennae and connectors. (Anyone with U.FL pigtails want to verify this? I'm just educated-guessing.)
1.4. F5D7230-4 Serial Console - DIY Process Documented
The Belkin F5D7230-4 Serial Console document has been published.
Brief document insight:
- By collating a mass of publicly available information, and experimenting with a single unit, the paper concludes by providing a physical console into the device, providing local root user level access, and a schematic diagram for a solder-less project that will allow individuals to try this experiment for themselves. It is hoped that this information can be used to debug open source firmware and to then adapt the OpenWRT, and Sveasoft, embedded Linux distributions for this Belkin router.
Boot sequence output, up to kernel load, is:
Decompressing..........done
Here we try to capture the default reset button: None.
CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Mon Apr 19 18:19:30 CST 2004 (denny@dnylinux)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.
Initializing Arena.
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.60.9.0
CPU type 0x29007: 200MHz
Total memory: 0x800000 bytes (8MB)
Total memory used by CFE: 0x80300000 - 0x80434A50 (1264208)
Initialized Data: 0x8032EB60 - 0x80330E90 (9008)
BSS Area: 0x80330E90 - 0x80332A50 (7104)
Local Heap: 0x80332A50 - 0x80432A50 (1048576)
Stack Area: 0x80432A50 - 0x80434A50 (8192)
Text (code) segment: 0x80300000 - 0x8032EB60 (191328)
Boot area (physical): 0x00435000 - 0x00475000
Relocation Factor: I:00000000 - D:00000000
Device eth0: hwaddr 00-11-50-0D-DD-C4, ipaddr 192.168.2.1, mask
255.255.255.0
gateway not set, nameserver not set
Reading :: Failed.: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: ..... 1482752 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
CPU revision is: 00029007
Primary instruction cache 8kb, linesize 16 bytes (2 ways)
Primary data cache 4kb, linesize 16 bytes (2 ways)
Linux version 2.4.20 (lchen@penguin.askey.com) (gcc version 3.0 20010422 prerelease) with bcm4710a0 modifications) #8 Mon 1 Dec 2003, 20:51:49 PST
Document at midnightcode.org as OpenWRT on the Belkin F5D7230-4 - Serial Console.pdf
from document directory.
Congrats Rick -- good work; loving the competition 
Thanks
1.5. Other devices based on Broadcom BCM47XX reference design
F5D7330 - Belkin 802.11g Wireless Ethernet Adapter
Belkin_7130 - Belkin 802.11g Wireless Network Access Point
LinksysWrt54g - Linksys 802.11g Broadband Router
AsusWL-300g - ASUS 802.11g Wireless AP Router
NetgearWGT634U - Netgear Sorage Router
1.6. Hardware version 1010, 20 pin expansion bus
I'm trying to figure out what is available on the expansion connector on hardware 1010, and probaly other versions of the board. This is what I've found so far:
Pin |
Description |
Pin |
Description |
1 |
D0 |
2 |
|
3 |
D1 |
4 |
A0 |
5 |
D2 |
6 |
A1 |
7 |
D3 |
8 |
OE# |
9 |
D4 |
10 |
|
11 |
D5 |
12 |
|
13 |
D6 |
14 |
|
15 |
D7 |
16 |
|
17 |
|
18 |
Vss |
19 |
WE# |
20 |
Vss |
My guess is that you can connect an UART to this port. Broadcom specs refer to UART 16551. According to the Broadcom docs, GPIO1 is used as interrupt. I'm not sure which pin this is routed to yet. According to the Broadcom doc, GPIO1 should be routed to GND when UART is to be disabled... (Does anyone have pinouts for the chip ?)
It would be REALLY great if someone with never revisions that includes an UART, could measure what pins on the UART goes to what pin on the 20pin connector -js
WAP54Gv1.1 uses the same 20-pin jumper block for external UART.
Schematic for the Asus WL-500G.
2. Firmware
2.1. Extracting firmware
Belkin's 802.11g router/AP.
To get cramfs: dd if=BELKIN_2.00.05.bin of=test.dump bs=1 skip=655388
One can find the start of the cramfs part of the .bin file by looking for hex values 3d4528cd. The offset of this 3d byte is the skip value ( converted to decimal ). hexdump test.dump | grep 3d45
Specific Firmware Versions
Use the following psuedo commands to extract the cramfs filesystem from the specific version firmware file, replacing the input filename as appropriate.
2.00.05
- dd if=2.00.05.bin of=cramfs.dump bs=655388 skip=1
3.00.07
- dd if=3.00.07.bin of=cramfs.dump bs=601220 skip=1
4.03.03
- dd if=4.03.03.bin of=cramfs.dump bs=630016 skip=1
4.05.03
- dd if=4.05.03.bin of=cramfs.dump bs=627928 skip=1
5.00.02
- dd if=5.00.02.bin of=cramfs.dump bs=625940 skip=1
In at least one known version (4.05.03) the offsets are verified identical in the UK and USA firmwares available for download.
2.2. One step closer to custom firmware
I was able to modify some files on the firmware and upload it to the router. Here is how:
- Extract the kernel from the firmware: it is in gzip format starting at offset 56 so
- Extract the filesystem
- Mount the filesystem
- mount -o loop -t cramfs cramfs.dump /mnt/somewhere
- copy recursively the mounted filesystem to a new directory for modification purpose
- copy -r /mnt/somewhere 3007/
- make sure all symbolic links are identical to the original
- make the wanted modif in 3007/
- create a new cramfs file
- mkcramfs 3007/ cramfsmod.dump
- using the release/tools/trx tool from linksys GPL tar ball combine the two
- ~/WRT54G/release/tools/trx -o 3007.trx kernel.gz cramfsmod.dump
- copy the NVRAM setting from the original firmware to 3007.trx. It starts at offset 1888284 (0x1cd01c) and begins with "NVAR" till the end of file.
- copy the first 28 bytes (all bytes before HDR0) of the original firmware to 3007.trx.
- now get the total size of the 3007.trx file.
- adjust accordingly the four bytes at offset 4 (these indicates the length of the file). Note that it is in little endian (least signifiant bit first). In the 3.00.07 firmware it is "d0dd1c00" which corresponds to 0x001cddd0, the total size of the file.
- upload the new firmware via the Web interface (I used 3.00.07 firmware) not by TFTP.
mail me at 54g at barabasy dot cjb dot net
2.3. I got a shell on the box
The idea is simple. Replace the httpd binary in /usr/sbin of the firmware to any binary we want. For instance, I replaced it by a Telnet daemon. For that, I used Busybox 1.00.pre5, which, I must say, is pleasantly well packaged, and delightfully easy to use. Here is what I did:
make menuconfig
Check General configuration/Use the devpts filesystem for Unix98 PTYs
Check Build options/Build Busybox as a static binary (no shared libs)
Check Build options/Do you want to build Busybox with a Cross Compiler? and set Cross compile prefix to /opt/brcm/hndtools-mipsel-linux/bin/mipsel-linux- (or whatever is your cross compiler prefix, this is for the one given by linksys GPL source for WRT54)
Check Networking options/httpd and Networking options/TelnetD
- exit and save configuration
- make dep
edit include/applet.h and change APPLET(httpd, httpd_main, _BB_DIR_USR_SBIN, _BB_SUID_NEVER) to APPLET(httpd, telnetd_main, _BB_DIR_USR_SBIN, _BB_SUID_NEVER)
- make
- make a new firmware by replacing /usr/sbin/httpd by busybox
- Telnet on your box
You can uncheck any applet you don't want during the Busybox config.
2.4. Boot messages
Here are the boot messages from dmesg
CPU revision is: 00024000 Loading BCM4710 MMU routines. Primary instruction cache 8kb, linesize 16 bytes (2 ways) Primary data cache 4kb, linesize 16 bytes (2 ways) Linux version 2.4.20 (lchen@penguin.askey.com) (gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications) #1 Mon Oct 6 14:16:21 PDT 2003 Determined physical RAM map: memory: 01000000 @ 00000000 (usable) On node 0 totalpages: 4096 zone(0): 4096 pages. zone(1): 0 pages. zone(2): 0 pages. Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200 CPU: BCM4710 rev 0 at 125 MHz !unable to setup serial console! Calibrating delay loop... 82.94 BogoMIPS Memory: 14588k/16384k available (1197k kernel code, 1796k reserved, 104k data, 64k init, 0k highmem) Dentry cache hash table entries: 2048 (order: 2, 16384 bytes) Inode cache hash table entries: 1024 (order: 1, 8192 bytes) Mount-cache hash table entries: 512 (order: 0, 4096 bytes) Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes) Page-cache hash table entries: 4096 (order: 2, 16384 bytes) Checking for 'wait' instruction... unavailable. POSIX conformance testing by UNIFIX PCI: Fixing up bus 0 PCI: Fixing up bridge PCI: Fixing up bus 1 Linux NET4.0 for Linux 2.4 Based upon Swansea University Computer Society NET3.039 Initializing RT netlink socket Starting kswapd devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au) devfs: boot_options: 0x1 pty: 256 Unix98 ptys configured Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled Amd/Fujitsu Extended Query Table v1.2 at 0x0040 number of CFI chips: 1 flash device: 400000 at 1fc00000 Physically mapped flash: cramfs filesystem found at block 843 Creating 5 MTD partitions on "Physically mapped flash": 0x00000000-0x00040000 : "pmon" 0x00040000-0x003c0000 : "linux" 0x000d2c68-0x003c0000 : "rootfs" 0x003c0000-0x003e0000 : "profile" 0x003e0000-0x00400000 : "nvram" sflash: chipcommon not found NET4: Linux TCP/IP 1.0 for NET4.0 IP Protocols: ICMP, UDP, TCP IP: routing cache hash table of 512 buckets, 4Kbytes TCP: Hash tables configured (established 1024 bind 2048) ip_conntrack version 2.1 (128 buckets, 1024 max) - 344 bytes per conntrack ip_tables: (C) 2000-2002 Netfilter core team ipt_time loading NET4: Unix domain sockets 1.0/SMP for Linux NET4.0. NET4: Ethernet Bridge 008 for NET4.0 VFS: Mounted root (cramfs filesystem) readonly. Mounted devfs on /dev Freeing unused kernel memory: 64k freed Warning: unable to open an initial console. eth0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.31.12.0 eth1: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.31.12.0 PCI: Enabling device 01:01.0 (0004 -> 0006) eth2: Broadcom BCM43XX 802.11 Wireless Controller 3.31.12.0 (Compiled in . at 19:20:29 on Jul 14 2003) CSLIP: code copyright 1989 Regents of the University of California PPP generic driver version 2.4.2 PPP MPPE compression module registered Algorithmics/MIPS FPU Emulator v1.5 device eth0 entered promiscuous mode <==sintInstallLEDs: VIOBA=b8007000 device eth2 entered promiscuous mode br0: port 2(eth2) entering learning state br0: port 1(eth0) entering learning state br0: port 2(eth2) entering forwarding state br0: topology change detected, propagating br0: port 1(eth0) entering forwarding state br0: topology change detected, propagating br0: port 2(eth2) entering disabled state br0: port 1(eth0) entering disabled state br0: port 1(eth0) entering disabled state device eth0 left promiscuous mode ==>sintUninstallLEDs: VIOBA=b8007000 br0: port 2(eth2) entering disabled state device eth2 left promiscuous mode device eth0 entered promiscuous mode <==sintInstallLEDs: VIOBA=b8007000 device eth2 entered promiscuous mode br0: port 2(eth2) entering learning state br0: port 1(eth0) entering learning state br0: port 2(eth2) entering forwarding state br0: topology change detected, propagating br0: port 1(eth0) entering forwarding state br0: topology change detected, propagating
2.5. Using Linksys binaries
Firmware 3.00.07 uses kernel 2.4.20, as Linksys firmware 1.42.2 does. Hence, all modules compiled from the Linksys source tree load with no problem on the Belkin. Binaries should work also if the libraries are well installed. As examples, I was able to mount a NFS filsystem by loading lockd.o, sunrpc.o and nfs.o that I just compiled from Linksys source and using Busybox supporting NFS mount. I was also able to run in client mode by loading the wl_apsta.o from Linksys and using the WL binary.
# ./busybox mount 192.168.2.5:/home/thierry/belkinhack nfs mount: /etc/mtab: Read-only file system # mount rootfs on / type rootfs (rw) /dev/root on / type cramfs (ro) none on /dev type devfs (rw) proc on /proc type proc (rw) ramfs on /tmp type ramfs (rw) 192.168.2.5:/home/thierry/belkinhack on /tmp/nfs type nfs (rw,v3,rsize=8192,wsize=8192,hard,udp,lock,addr=192.168.2.5) # ls nfs lockd.o hackuser.conf sunrpc.o apusermod.conf nfs.o piggy.gz wl_sta.o 3007.trx wl_apsta.o style.css.gz mini_httpd-1.19 kerfile.bin index.htm custom.bin install.c kern.bin mini_httpd-1.19.tar.gz crc32.pl 3007telnet.bin try.dump Install fstest busybox-1.00-pre5.tar.gz user1.conf busybox-1.00-pre5 code.bin wrt54g-0.3.tar.gz res.conf wrt54g-0.3 test.conf wrt54g-sshd-2003-09-13.tar.bz2 user.conf.1 wl user.conf wrt54g-sshd-2003-09-13 test.dump nvram.txt linux.trx 3007ker1.gz routerconf.pl 3007hack.cramfs ripflashmd9781manager_0.3.1-3.tar.gz 3007b.cramfs ripflashlinux 3007ker.gz log_web.txt savedapuser.conf insiderouter.html 3007 F5D7230-4-V3.00.07.bin 3007.cramfs buffalo.dump apuserno.conf BELKIN_2.00.04 apuser.conf BELKIN_1.01.00 routeruser.conf belk
2.6. Recovery methods
It has been confirmed that on boot you can fix a trashed flash upload by using TFTP. You must configure your Ethernet interface to the 192.168.2.x/24 network, but not 192.168.2.1. This method works reliably with version 2000 hardware, and is rumored to work with prior versions as well. The boot loader automatically uses IP address 192.168.2.1.
Pitfall: the TFTP client which comes with mac osx didn't work for me, the winxp one worked like a charm, as does the Linux TFTP client.
Hint: I bricked my router by uploading a legal image which would try to boot but wouldn't manage to bring up a Web interface (4.03.03 on v2000 hardware will do it). I opened the unit and located the flash rom (an Am29LV190B in my case). Then I had a look at the data sheet to find out where the address pins of the chip rest. Then I rebooted the router short circuiting two address pins, this let the bootloader think that it is loading a screwed up cramfs image and gave me access to TFTP. The invalid kernel status is indicated by a slowly flashing power LED and a a green flashing WLAN LED, if you see that you know that you can use TFTP.
Hint 2: If you catch the boot fast enough, or just start the transfer on your TFTP client then reboot the router, you do not need to mess with shorting pins on the flash chip.
# TFTP 192.168.2.1
> binary
> rexmt 1
> verbose
> put firmware_filename.bin
>> reboot router now <<
Or for Windows XP: # TFTP -i 192.168.2.1 put firmware_filename.bin
After booting the router, it will then blink the power light rapidly while it writes flash, don't power it off! Then it resets and starts up like normal and you have saved your box! (I assume the windows CD that comes with it does the same thing) The boot loader is in a protected area of flash so TFTP should always be available at power up to get you out of trouble.
It seems that with some hardware versions the WAN LED starts blinking after the flash is finished. At that point you have to reset using the reset deep switch.
I thought I messed it up good one time, but holding the reset button in for about 10 seconds makes it reset to "default" and then TFTP or whatever firmware you have works again.
It looks like there is a "jtag" port on this, so if you totally trash the thing you can build a simple jtag interface and possibly upload the firmware that way (but it ain't easy!).
These links have some inside PCB pics, info on opening the box, some distance RF test data and more at:
http://www.linux-hacker.net/misc/F5D7230/
http://www.linux-hacker.net/cgi-bin/UltraBoard/UltraBoard.pl?Action=ShowPost&Board=RG
2.7. Custom firmware images
I have made a TRX image that is suitable for development for the F5D7230-4.
* It's based upon the 3.07 firmware.
* Most of the old binaries has been replaced. (The firmware is heavily based on Busybox 1.0-pre8.)
* Includes TelnetD. Please note that Telnet is listening on both LAN and WAN interface.
* Includes nfs support
* The custom init has been replaced by Busybox init and a custom shell script to do the basic init stuff. Still uses NVRAM to configure router after boot. (/etc/init.d/rcS)
* Webserver and wireless support is not included in the current image.
To mount a nfs volume you can do something like this: mount -o nolock -t nfs 192.168.2.5:/home/share /mnt
chroot is installed, so you can chroot to your custom system by doing something like chroot /mnt/mybelkin
Please note that the power / connected lights will not be light up when the device is up. I'm working on making a program to control the lights. Have found the gpio for connected, but havent found for power on yet, so it shouldnt take long...
Please verify that you are able to upload the original image via TFTP before you attempt to use this image. It is possible to change firmware by Telneting to the unit, erasing the mtd area and dd'ing a new image in. But this is only recomended for experienced users as it can render your unit completly unusable.
The image can be obtained from this url (Use at your own risk. Don't blame me if your device goes up to smoke): http://www.suphammer.net/belkin/devel.trx
you can contact me at: belkin at suphammer DoT net
2.8. Symlinks
Here is the list of files and symlinks contained in the firmware F5D7230-4_V4.00.03.bin:
bin/busybox etc/ld.so.cache etc/ld.so.conf etc/ppp/options.pptp lib/ld-uClibc.so.0 lib/libc.so.0 lib/libcrypt.so.0 lib/libdl.so.0 lib/libnsl.so.0 lib/libresolv.so.0 lib/libutil.so.0 lib/modules/2.4.20/kernel/drivers/net/et/et.o lib/modules/2.4.20/kernel/drivers/net/led/led.o lib/modules/2.4.20/kernel/drivers/net/wl/wl.o sbin/rc usr/lib/libnetconf.so usr/lib/libnvram.so usr/lib/libshared.so usr/sbin/bkserver usr/sbin/bpalogin usr/sbin/brctl usr/sbin/dnsmasq usr/sbin/exlog usr/sbin/httpd usr/sbin/iptables usr/sbin/led_mon usr/sbin/nas usr/sbin/netfilter_log usr/sbin/ntpclient usr/sbin/nvram usr/sbin/parent_control usr/sbin/pppd usr/sbin/pppoecd usr/sbin/pptp usr/sbin/route_check usr/sbin/udhcpd usr/sbin/upnp usr/sbin/vconfig usr/sbin/wl usr/sbin/wlconf www/check_firmware_fail.html www/check_firmware_failb.html www/duplicate.html www/fw_clientip.html www/fw_dmz.html www/fw_id.html www/fw_mac.html www/fw_main.html www/fw_ping.html www/fw_security.html www/fw_virt.html www/fw_virt.js www/glossary.html www/graphics/bar.gif www/graphics/bar_cap.gif www/graphics/bar_floor.gif www/graphics/bar_slope.gif www/graphics/blu_bar.gif www/graphics/head_logo.gif www/graphics/shim.gif www/graphics/title.gif www/help.html www/index.html www/indexa.html www/lan_dhcp.html www/lan_main.html www/lan_settings.html www/language.js www/login.html www/loginerr.html www/main_router.css www/reset_success.html www/restore_factory_default_success.html www/restore_setting_success.html www/showMenu.js www/styles.css www/update_firmware_success.html www/update_firmware_success_en.html www/util_factory.html www/util_firmware.html www/util_main.html www/util_parentalc.html www/util_parentalc_acctinfo.html www/util_parentalc_advance.html www/util_parentalc_refresh.html www/util_prev.html www/util_reset.html www/util_save.html www/util_system.html www/utilb_system.html www/validate.js www/violation_page.html www/wan_conn.html www/wan_dns.html www/wan_dynamic.html www/wan_mac.html www/wan_main.html www/wan_pppoe.html www/wan_pptp.html www/wan_static.html www/wan_static_checked.html www/wan_telstra.html www/wireless_apt.html www/wireless_apt_disabled.html www/wireless_apt_enable.html www/wireless_bridge.html www/wireless_bridge_ss.html www/wireless_chan.html www/wireless_encrypt.html www/wireless_encrypt_128.html www/wireless_encrypt_64.html www/wireless_encrypt_no.html www/wireless_mac_ctrl.html www/wireless_main.html www/wireless_wpa.html www/wireless_wpa_psk.html bin/cat -> busybox bin/chmod -> busybox bin/cp -> busybox bin/date -> busybox bin/dd -> busybox bin/echo -> busybox bin/grep -> busybox bin/kill -> busybox bin/ln -> busybox bin/ls -> busybox bin/mkdir -> busybox bin/mknod -> busybox bin/more -> busybox bin/mount -> busybox bin/msh -> busybox bin/mv -> busybox bin/ping -> busybox bin/ps -> busybox bin/pwd -> busybox bin/rm -> busybox bin/rmdir -> busybox bin/sh -> busybox bin/sleep -> busybox bin/touch -> busybox bin/umount -> busybox etc/hosts -> /tmp/hosts etc/nsswitch.conf -> /tmp/nsswitch.conf etc/ppp/chap-secrets -> /tmp/chap-secrets etc/ppp/pap-secrets -> /tmp/pap-secrets etc/ppp/peers/my-isp -> /tmp/my-isp etc/resolv.conf -> /tmp/resolv.conf lib/modules/2.4.20/build -> /home4/lchen/rt511201-2/RT19xW/src/linux/linux sbin/erase -> rc sbin/hotplug -> rc sbin/ifconfig -> ../bin/busybox sbin/init -> rc sbin/insmod -> ../bin/busybox sbin/klogd -> ../bin/busybox sbin/lsmod -> ../bin/busybox sbin/reboot -> ../bin/busybox sbin/rmmod -> ../bin/busybox sbin/stats -> rc sbin/syslogd -> ../bin/busybox sbin/write -> rc usr/bin/free -> ../../bin/busybox usr/bin/killall -> ../../bin/busybox usr/bin/route -> ../../bin/busybox usr/bin/tftp -> ../../bin/busybox usr/bin/wget -> ../../bin/busybox usr/sbin/nas4not -> nas usr/sbin/udhcpc -> udhcpd usr/tmp -> ../tmp var -> tmp/var www/tmp -> /tmp/www
Of particular interest is that the RC binary (a multipurpose binary which runs as the init process) is dynamically linked against libnetconf.so, which is derived from iptables. This code can only be legally distributed as GPL code - IOW; Belkin must make the source code available (as Cisco/Linksys did).
2.9. Belkin F5D7230-4 4.05.03 GPL firmware source code available!
New! The 4.05.03 firmware source and compiler toolchain is now available from the GPL page!
The previous firmware version has been removed.
The reported compile success of the 4.05.03 firmware was incorrect. It will compile if you run "make", but not "make belkin". There are source files missing out of the router_belkin/shared directory. Anyone care to call Belkin and complain about an incomplete firmware distribution? wl.c wl_linux.c user_conf.c wlioc.c karnmd5.c getURL.c web_interface.c are all missing.
Any further success with the 4.05.03 firmware, please e-mail me at weage98 -at- yahoo -dot- com.
Previous GPL firmware notes (4.00.03 ?)
Has anyone succesfully built a firmware from this source? I got compilation errors in src/router/ppp/pppoecd
Add this lines to src/router/ppp/pppoecd/sys-linux.c
line 79 "#define PPPIOCGLANIP _IOR('t', 92, int)"
line 80 "#define PPPIOCSLANIP _IOW('t', 91, int)"
Sveasoft edit: We're looking at building a custom firmware version for this device. Please post feedback about desired features/fixes at phpBB2 in the Belkin F5D7230-4 forum.
2.10. F5D7230-4 root shell and consolidated data structures
I'm looking to get OpenWRT on this device. I've developed a simpler way to get a root shell on the device, as well as publishing a consolidated internal structure resource (and software to reliably generate the firmware images). This is all documented at midnightcode.org as OpenWRT on the Belkin F5D7230-4.pdf.
I've had trouble getting alternate CRAMFS file systems under the native kernel. I'd dearly like to skip this step altogether, in favour of a direct OpenWRT install, but this just doesn't work. A simple method for attaining a serial console would be useful.
2.11. F5D7230-4 Broadcom GPL Reference Firmware Compiled
- The latest paper is completed.
OpenWRT on the Belkin F5D7230-4 - Compiling and Installing the GPL Broadcom Reference Firmware
Brief document insight:
Belkin published the Broadcom reference firmware;
a small Linux distribution, designed to act as a
proof-of-concept and development environment for
the Belkin engineers. To minimize the amount of
experimentation required to adapt the OpenWRT and
Sveasoft firmware for use on the Belkin, the
published Broadcom reference firmware was compiled
to see if it was functional, and able to provide
driver and configuration information for the open
source distributions.
...
Furthermore, this process was developed rapidly
due to the excellent work performed by Rick
Bronson. Rick published the findings of his work
on his Web site and has been very supportive of
the development process;
http://www.efn.org/~rick/work/f5d7230/
[Document OpenWRT on the Belkin F5D7230-4 - Broadcom Firmware.pdf, from the directory.]
2.12. Upgrading the F5D7230-4 v1444 to a F5D7231-4 125mbit High Speed Mode (HSM)
I just picked up a F5D7230-4 v1444 router for $20. Everyone else seems to have given up hacking these things but I haven't. The v1444 comes with firmware version 4.03.03.
Its been noticed that you can upgrade the F5D7230-4 v1444 to a F5D7231-4, just grab the firmware. Latest on the site as of this writing is 4.03.04)
Use a hex editor to change the first four bytes to "LOAD", and flash it.
But here's the kicker! After extracting the kernels and filesystems and comparing the 4.03.03 and 4.03.04 firmwares, they are byte for byte exactly the same! The only difference is in the NVRAM settings and the flash header! Here are the differences:
$ diff -U0 4.03.03.conf 4.03.04.conf --- 4.03.03.conf 2005-02-11 02:51:30.414546494 -0600 +++ 4.03.04.conf 2005-02-11 02:50:52.365390556 -0600 @@ -3 +3 @@ -boardflags=0x0188 +boardflags=0x0388 @@ -61 +61 @@ -fw_magic=0x44414f4c +fw_magic=0x02013200 @@ -63 +63 @@ -fw_src=http://networking.belkin.com/update/files/54g_router.html +fw_src=http://networking.belkin.com/update/files/usa/125/54g_router.html @@ -74 +74 @@ -hw_model=F5D7230-4 +hw_model=F5D7231-4 @@ -113 +113 @@ -os_version=4.03.03 +os_version=4.03.04 @@ -196 +196 @@ -wl0_gmode=1 +wl0_gmode=6 @@ -214 +214 @@ -wl0_lazywds=1 +wl0_lazywds=0
Note, the differing flash header kind of complicates things. Once you've loaded the new firmware by changing the header, you can not re-flash with that same header. You need the new one from then on. The new header is 0x003f0102. If you want to go back to the old firmware, you have to modify it with the new header first...
Though it would appear the fw_magic NVRAM setting sets the header it's looking for.
I haven't tested it but I bet you can just change the boardflags setting and get High Speed mode.
The 2MB flash is a tight squeeze. I have been able to hack up a current firmware with a Busybox TelnetD, at the cost of stripping out all but the bare bones, and hardwiring the configuration. I'll release it once I clean things up a bit.
-- seg at haxxed dot com
2.12.1. Upgrading v2000 to High Speed Mode (HSM) Firmware Not Useful
I tried upgrading the F5D7230-4 v2000 to the HSM. It wasn't very useful.
Now, I had the routers configured as access points with wireless bridging (using one essentially as a router and the other as an wireless AP for a desktop). I was drying to do Wireless Bridging between to v2000's. (Perhaps my mistake was that I didn't hit the factory defaults before the upgrade--who knows.) However, the result was that the router was unresponsive on the WAN/LAN ethernet ports (as was the case in the F5D7130 firmware to F5D7230-4 (v1444) section below). In addition, when I got to the web browser from the wireless interface, it said that bridge mode is not available with HSM. So, I couldn't use the router as an AP.
I thought for a while that I bricked the router, since tftp'ing the original firmware seemed to work but produced no response. I then realized that I needed to change the flash header of the original firwmare. Note that even if you tftp the router invalid firwmare, the tftp will be successful. However, the router won't really flash itself.
-- gmail://ferriseula
2.13. F5D7130 firmware to F5D7230-4 (v1444)
I just finished flashing a F5D7230-4 (v1444) with the last 4.03.03 F5D7130 firmware. The flash completed succesufully through the Web interface (because the two headers are the same), but the new Web interface is very, very poor and has only a few features. I tried this method because I thought I could get to work this device (F5D7230) as an AP client. Not a chance!, 'cause this is the only AP device in the world which cannot act as a AP client (it's only a Belkin issue, not a Linux-based one 
You cannot Web manage the ex-router through one of the Ethernet switched ports (nor the WAN one); the only way is to connect through wireless (with a wireless card installed). The IP address remains the same, 192.168.2.1.
You may easily revert the F5D7230-4 original firmware through wireless right back afterward.
2.14. Available firmware (4.05.03 fixes packed loss bug)
I figured out these links based upon the posting by seg. I've not tested these against any hardware; they may only work with v2000. I'm going to try the image on the v1444 hardware to see if it fixes the packet loss problem.
7230 4.03.03
Networking.belkin 54g_router and BELKIN_54G_RT_USA_4.03.03.bin.
Last modified Wed 14 Apr 2004, 09:42:00 GMT
7231 4.03.04
Networking.belkin 54g_router and BELKIN_RT_USA_4.03.04.bin.
Last modified Sat 03 Apr 2004, 08:30:00 GMT
7230 4.05.03
Networking.belkin 54g_router and BELKIN_RT_54G_USA_4.05.03.bin.
Last modified Tue 14 Sep 2004, 08:47:00 GMT
7231 4.05.03
Networking.belkin BELKIN_RT_USA_4.05.03.bin.
Last modified Tue 14 Sep 2004, 08:24:00 GMT
The last-modified date is what's reported by a HEAD against the firmware file. You can see that while they released 4.03.03 in Oct 2004, it was built back in April.
--
I've now tested these images on my two v1444 units without a problem. I'm happy to report that the packet loss bug in the 4.xx.xx firmware has been fixed.
Further, I've taken the two 4.05.03 firmware files apart. The both the kernel and ramdisk contents are identical. As in previous case, the only difference is in the NVRAM settings and the flash header: $ diff 7230-4.05.03.conf 7231-4.05.03.conf 7,9c7,9 < *boardflags=0x0188 < *hw_model=F5D7230-4 < *fw_magic=0x44414f4c --- > *boardflags=0x0388 > *hw_model=F5D7231-4 > *fw_magic=0x02013200 23c23 < *fw_src=[[<a|http://networking.belkin.com/update/files/54g_router.html]] --- > *fw_src=http://networking.belkin.com/update/files/usa/125/54g_router.html 77c77 < wl0_lazywds=1 --- > wl0_lazywds=0 97a98 > wl0_afterburner=auto Compared with 4.03.03, there are also less symlinks for Busybox, but it doesn't appear that they compiled less into Busybox itself. There are newer versions of some stock utils. Most importantly, Askey is using a newer Broadcom reference kernel release, and a newer version of WL.O: {{{4.03.03 kernel:
Linux version 2.4.20 ( lchen@penguin.askey.com ) (gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications) #1 Fri Apr 2 16:05:18 PST 2004
(from wl.o) Jan 21 2004 20:52:36 %s: Broadcom BCM43XX 802.11 Wireless Controller %s (Compiled in %s at %s on %s) 3.50.21.10
4.05.03 kernel:
Linux version 2.4.20 ( lchen@penguin.askey.com ) (gcc version 3.2.3 with Broadcom kernel-4.05.03-vers:modifications) #16 Mon Sep 13 17:29:59 PDT 2004
(from wl.o) 3.60.9.0 %s: Broadcom BCM%04x 802.11 Wireless Controller 3.60.9.0 wds%d.%d 17:31:16 Apr 2 2004}}}
2.15. Note regarding 4.05.03 firmware
I also upgraded my v.1444 unit to the "new" firmware. Wireless performance locally is definitely superior (I have no problems getting 1100 kB/s streaming). However, my WAN performance has (if possible) gone to crap completely, even though I only use the Belkin as an AP (I have another dedicated firewall). From wireless clients, I struggle to get 30 kB/s from the Internet, from wired clients (to the belking) I get my usual 300 kB/s.
I've given up and installed a proxy on one of my wired clients for the wireless machines to use. This way my Internet performance from the wireless clients is decent (approaching 300 kB/s).
2.16. Locations of "official" firmware
While Belkin still officially insists (as of April, 2005) that 4.03.03 is the latest version of firmware for the F5D7230-4, this isn't so, since it's available at the networking.belkin site.
Here are the latest "official" firmware versions:
"v3000" 5.00.02 BK54gr_v5.00.02.bin
Of course, the UK gets 4.05.03:
Here are the "unofficial", but shipping versions:
(They don't even have a consistant naming scheme! : )`
2.17. 5.00.02 firmware
Belkin's page says this is only for the F5D7230-4 "version 3000". I've not tried it on my older units (yet). The firmware image differs from previous ones in that there is an extra 256-byte header in the front, and it lacks the configuration data tacked onto the end.
00000000 55 aa 55 00 19 42 65 6c 6b 69 6e 2d 46 69 72 65 |U.U..Belkin-Fire| 00000010 77 61 6c 6c 78 32 30 52 6f 75 74 65 72 00 01 08 |wallx20Router...| 00000020 35 2e 30 30 2e 30 32 00 02 0a 46 35 44 37 32 33 |5.00.02...F5D723| 00000030 30 2d 34 00 03 04 00 01 02 ff 04 0b 6e 6f 72 6d |0-4.........norm| 00000040 61 6c 63 6f 64 65 00 05 0c 42 45 34 30 34 38 30 |alcode...BE40480| 00000050 30 30 30 31 00 06 06 06 00 1b b0 00 b9 ff 5f 2e |0001.........._.| 00000060 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e |................| * 00000100 48 44 52 30 00 b0 1b 00 ea 97 23 bf 00 00 01 00 |HDR0......#.....| 00000110 1c 00 00 00 14 8c 09 00 00 00 00 00 1f 8b 08 08 |................| 00000120 c9 85 e7 41 02 03 70 69 67 67 79 00 ec 7c 0f 74 |...A..piggy..|.t| 00000130 1d 57 79 e7 f7 ee cc 93 9e 6d 25 1e c9 b2 fc ec |.Wy......m%.....|
Kernel
% dd if=BK54gr_v5.00.02.bin bs=1 skip=284 count=625656 > k5.00.02.gz % gunzip k5.00.02.gz % strings - k5.00.02 ... Linux version 2.4.20 ( dvdchen@sw2cvs2.localdomain ) (gcc version 3.2.3 with Broad com modifications) #244
- 14 16:41:39 CST 2005
The date string is very odd: 0011b210 33 2e 32 2e 33 20 77 69 74 68 20 42 72 6f 61 64 |3.2.3 with Broad| 0011b220 63 6f 6d 20 6d 6f 64 69 66 69 63 61 74 69 6f 6e |com modification| 0011b230 73 29 20 23 32 34 34 20 a4 ad 20 31 a4 eb 20 31 |s) #244 .. 1.. 1| 0011b240 34 20 31 36 3a 34 31 3a 33 39 20 43 53 54 20 32 |4 16:41:39 CST 2| 0011b250 30 30 35 0a 00 00 00 00 00 00 00 00 00 00 00 00 |005.............|
Filesystem
% dd if=BK54gr_v5.00.02.bin bs=625940 skip=1 > cramfs.7230.5.00.02 % sudo mount cramfs.7230.5.00.02 /mnt -t cramfs -o loop
Here's a comparison of the filesystems: {{{4.03.03: 4.05.03: 5.00.02: bin/ bin/ bin/ dev/ dev/ dev/ etc/ etc/ etc/ lib/ lib/ lib/ sbin/ sbin/ sbin/ usr/ usr/ usr/ var@ var@ var@ www/ www/
4.03.03/bin: 4.05.03/bin: 5.00.02/bin: busybox* busybox* busybox* cat@ chmod@ cat@ chmod@ cp@ chmod@ cp@ kill@ cp@ date@ ln@ date@ dd@ ls@ dd@ dmesg@ mount@ echo@ echo@ msh@ grep@ grep@ ping@ kill@ kill@ ps@ ln@ ln@ sh@ ls@ ls@ sleep@ mkdir@ mkdir@ touch@ mknod@ mknod@ umount@ more@ more@ mount@ mount@ msh@ msh@ mv@ mv@ ping@ ping@ ps@ ps@ rm@ pwd@ rmdir@ rm@ sh@ rmdir@ sleep@ sh@ umount@ sleep@ touch@ umount@
4.03.03/dev: 4.05.03/dev: 5.00.02/dev:
4.03.03/etc: 4.05.03/etc: 5.00.02/etc: hosts@ hosts@ ld.so.cache ld.so.cache ld.so.cache ld.so.conf ld.so.conf ld.so.conf resolv.conf@ nsswitch.conf@ nsswitch.conf@ ppp/ ppp/ resolv.conf@ resolv.conf@
4.03.03/etc/ppp: 4.05.03/etc/ppp: chap-secrets@ chap-secrets@ options.pptp* options.pptp* pap-secrets@ pap-secrets@ peers/ peers/
4.03.03/etc/ppp/peers: 4.05.03/etc/ppp/peers: my-isp@ my-isp@
4.03.03/lib: 4.05.03/lib: 5.00.02/lib: ld-uClibc.so.0* ld-uClibc.so.0* ld-uClibc.so.0* libc.so.0* libc.so.0* libc.so.0* libcrypt.so.0* libcrypt.so.0* libcrypt.so.0* libdl.so.0* libdl.so.0* libnsl.so.0* libnsl.so.0* libnsl.so.0* modules/ libresolv.so.0* libresolv.so.0* libutil.so.0* libutil.so.0* modules/ modules/
4.03.03/lib/modules: 4.05.03/lib/modules: 5.00.02/lib/modules: 2.4.20/ 2.4.20/ 2.4.20/
4.03.03/lib/modules/2.4.20:4.05.03/lib/modules/2.4.20:5.00.02/lib/modules/2.4.20: build@ build@ build@ kernel/ kernel/ kernel/
4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ drivers/ drivers/ drivers/
4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ net/ net/ net/
4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ et/ et/ et/ led/ led/ wl/ wl/ wl/
4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ et.o et.o et.o
4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/ led.o led.o
4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ wl.o wl.o wl.o
4.03.03/sbin: 4.05.03/sbin: 5.00.02/sbin: erase@ erase@ BlockSurfing@ hotplug@ hotplug@ CheckWan@ ifconfig@ ifconfig@ MonTask@ init@ init@ StopWan@ insmod@ insmod@ TestLedCtrl@ klogd@ rc* WanLedCtrl@ lsmod@ reboot@ erase@ rc* stats@ hb_connect@ reboot@ write@ hb_disconnect@ rmmod@ hotplug@ stats@ ifconfig@ syslogd@ init@ write@ insmod@
- lsmod@ rc* reboot@ rmmod@ stats@ write@
4.03.03/usr: 4.05.03/usr: 5.00.02/usr: bin/ bin/ bin/ lib/ lib/ lib/ sbin/ sbin/ sbin/ tmp@ tmp@ tmp@
4.03.03/usr/bin: 5.00.02/usr/bin: free@ killall@ killall@ 4.05.03/usr/bin: route@ route@ killall@ tftp@ route@ wget@ tftp@
4.03.03/usr/lib: 4.05.03/usr/lib: 5.00.02/usr/lib: libnetconf.so* libnetconf.so* libnetconf.so* libnvram.so* libnvram.so* libnvram.so* libshared.so* libshared.so* libshared.so*
4.03.03/usr/sbin: 4.05.03/usr/sbin: 5.00.02/usr/sbin: bkserver* bkserver* bpalogin* bpalogin* bpalogin* brctl* brctl* brctl* dnsmasq* dnsmasq* dnsmasq* epi_ttcp* exlog* exlog* gpio* httpd* httpd* httpd* iptables* iptables* httpd2* led_mon* led_mon* nas* nas* nas* nas4not@ nas4not@ nas4not@ ntpclient* netfilter_log* netfilter_log* nvram* ntpclient* ntpclient* parental* nvram* nvram* pppd* parent_control* parent_control* pptp* pppd* pppd* setled* pppoecd* pppoecd* udhcpc@ pptp* pptp* udhcpd* route_check* route_check* upnp* udhcpc@ udhcpc@ vconfig* udhcpd* udhcpd* wizard* upnp* upnp* wl* vconfig* vconfig* wlconf* wlconf* wlconf*
- zcsvc*
4.03.03/www: 4.05.03/www: check_firmware_fail.html check_firmware_fail.html check_firmware_failb.html check_firmware_failb.html duplicate.html duplicate.html fw_clientip.html fw_clientip.html fw_dmz.html fw_dmz.html fw_id.html fw_id.html fw_mac.html fw_mac.html fw_main.html fw_main.html fw_ping.html fw_ping.html fw_security.html fw_security.html fw_virt.html fw_virt.html fw_virt.js fw_virt.js glossary.html glossary.html graphics/ graphics/ help.html help.html index.html index.html indexa.html indexa.html lan_dhcp.html lan_dhcp.html lan_main.html lan_main.html lan_settings.html lan_settings.html language.js language.js login.html login.html loginerr.html loginerr.html main_router.css main_router.css reset_success.html reset_success.html restore_factory_default_sucrestore_factory_default_suc restore_setting_success.htmrestore_setting_success.htm showMenu.js showMenu.js styles.css styles.css tmp@ tmp@ update_firmware_success_en.update_firmware_success_en. util_factory.html util_factory.html util_firmware.html util_firmware.html util_main.html util_main.html util_parentalc.html util_parentalc.html util_parentalc_acctinfo.htmutil_parentalc_acctinfo.htm util_parentalc_advance.htmlutil_parentalc_advance.html util_parentalc_refresh.htmlutil_parentalc_refresh.html util_prev.html util_prev.html util_reset.html util_reset.html util_save.html util_save.html util_system.html util_system.html utilb_system.html utilb_system.html validate.js validate.js violation_page.html violation_page.html wan_conn.html wan_conn.html wan_dns.html wan_dns.html wan_dynamic.html wan_dynamic.html wan_mac.html wan_mac.html wan_main.html wan_main.html wan_pppoe.html wan_pppoe.html wan_pptp.html wan_pptp.html wan_static.html wan_static.html wan_static_checked.html wan_static_checked.html wan_telstra.html wan_telstra.html wireless_apt.html wireless_apt.html wireless_apt_disabled.html wireless_apt_disabled.html wireless_apt_enable.html wireless_apt_enable.html wireless_bridge.html wireless_bridge.html wireless_chan.html wireless_chan.html wireless_encrypt.html wireless_encrypt.html wireless_encrypt_128.html wireless_encrypt_128.html wireless_encrypt_64.html wireless_encrypt_64.html wireless_encrypt_no.html wireless_encrypt_no.html wireless_mac_ctrl.html wireless_mac_ctrl.html wireless_main.html wireless_main.html wireless_wpa.html wireless_wpa.html wireless_wpa_psk.html wireless_wpa_psk.html
4.03.03/www/graphics: 4.05.03/www/graphics: bar.gif bar.gif bar_cap.gif bar_cap.gif bar_floor.gif bar_floor.gif bar_slope.gif bar_slope.gif blu_bar.gif blu_bar.gif head_logo.gif head_logo.gif shim.gif shim.gif title.gif title.gif}}}
One substantional difference is the lack of /www directory. These files are now compiled into httpd: -rwxr-xr-x 1 users 150076 Dec 31 1969 fs.7230.4.03.03/usr/sbin/httpd -rwxr-xr-x 1 users 161412 Dec 31 1969 fs.7230.4.05.03/usr/sbin/httpd -rwxr-xr-x 1 users 779144 Dec 31 1969 fs.7230.5.00.02/usr/sbin/httpd
New Update Address
Networking.belkin also has the "new" address for firmware updates at http://networking.belkin.com/update/files/usa/mfr2/54g_router.html 54g_router]. Except that the page says the latest is still 4.03.03, but then gives a broken link to the 4.03.03 firmware (lacking the '.bin' extension). Quality control! : )`
New WL.O
Finally, the version of WL.o is also newer: 3.80.13.0 net/wl%d %s: Broadcom BCM%04x 802.11 Wireless Controller 3.80.13.0 Memory leak of bytes %d wds%d.%d 18:48:49 Aug 15 2004
New or changed utils
They added /usr/sbin/epi_ttcp. This is 'ttcp', a tool used for measuring the throughput of TCP connections. Someone must finally be sensistive to performance.
I wonder if the 'v3000' hardware has no LEDs, since they've removed the kernel module and support programs, unless it's now linked into the kernel and handled by interrupts (or some other program).
/usr/sbin/httpd2 has been split off from http (WHY?), and it looks like it just does the firmware update. It includes logic that looks for 'bootcode' or 'normalcode' at the front of the firmware.
2.18. Custom firmware now available
After many months of distraction and "just one more feature and I'll release it", I've released my custom firmware. Better late than never, haxxed.com belkin.
Please do not fill my mailbox with questions. Use the Wiki page: DotHaxxedFirmware
-- seg at haxxed dot com
Another Possibility is dd-wrt. According to the forums and front page the latest version supports the v1444 of this router. The v2000 is being worked on.
3. FAQ -- Questions and Answers Section
Q: Is there a way to change the port that the Advanced Configuration interface listens on? The HTTP server is called micro_httpd. There's a binary in /usr/sbin/ that I would imagine is the right guy. I just don't know what to change.
A: It seems that http_wanport and http_lanport can both be set via the configuration file that can be saved and restored through the advanced configuration Web interface. The file format for the saved configuration is
- 2 bytes (total number of bytes in the file) N bytes (configuration data) 16 bytes (binary md5sum) EOF
a perl script which takes a configuration data file and outputs the proper format to STDOUT is as follows (I can't seem to get it to format correctly):
- #!/usr/bin/perl -w use Digest::MD5; sub usage() {
- print "Usage: $0 file\n";
$file = shift || die usage; -e $file or die "'$file' does not exist"; $size = -s $file; $size += 2 + 16; print chr($size & 0x000000FF); print chr(($size & 0x0000FF00)>>8); open(FILE, $file) or die "Can't open '$file': $!"; binmode(FILE); $md5 = Digest::MD5->new; while(<FILE>){
- print $_;
$md5->add($_);
print ($md5->digest);
This however doesn't seem to have any effect on which port the httpd server runs on. I will post more as I find out more.
Additional information: The settings export in firmware 3.00.07 attempts to print the NAT table. Unfortunately it does it simultaneously with the other settings, and therefore must be pruned in order for it to be accepted (it looks like some debugging information was left in the build). Firmware 3.00.05 exports a valid file.
Additional information part 2: After talking with a Technical Supervisor, we determined that port 80 was hard coded in the firmware and not configurable via the settings file. However if "Any IP address can remotely manage the router." is unchecked on the "System Settings" page, and no IP address is entered in the exclusion box, the router does not listen on the WAN port, and the Virtual Server can execute properly.
Q: Has anyone been able to get wireless bridging with WPA or WEP enabled to work?
A: I finally got 128 WEP working. After you've followed the Wireless Bridging Addendum, power down the router and the WAP. Wait 5 seconds, and power on the router. Wait until it is completely powered up, and then power up the WAP. Ping to make sure it's working properly. I'll try it using WPA at some future date.
Follow-Up: These routers will act as routers, bridges and AP's. For bridging, enter the peer MAC address in the configuration for BOTH routers. With the 4.05.03 firmware, bridging does not work with WPA if you have additional wireless clients. It does seem to work if the only wireless traffic is between the two routers. I have successfully bridged three of the 4.05.03 version 2000 routers. Make sure to only enter the master MAC address on the remote AP's and all AP MAC's on the router/gatweway. Entering every MAC's on both AP's and the router seems to confuse them. BTW, I get better bandwidth running Ethernet through the bridged AP's than using a Belkin F5D7000 802.11g PCI card, go figure.
Q: What could we upload to the router using TFTP?
I saw that boot_wait is set to "on" on firmware 3.0.07. I tried to TFTP file to the box seconds after reset. The box accepted TFTP tranfer. So I TFTP-ed 3.0.05 firmware by renaming it to code.bin.
#>TFTP 192.168.2.1
TFTP> put code.bin
Sent 1904703 bytes in 1.5 seconds
But then, the router keeps booting to 3.0.07 firmware. What could we upload to the router using this method?
A: I forgot to switch to binary mode in TFTP but, doing so, the router accepted the 3.0.05 firmware uploaded as code.bin. The router burned it into the flash so on next reset, it uses 3.0.05 version.
Q: Where can I download a version of the firmware with Busybox? Or can anyone maybe send it to me to tobias at netmadeira dot com ?
A: You can get it as 3.00.07.trx. Use at your own risk. It is the 3.00.07 firmware version where the Web server /usr/sbin/httpd has been renamed to /usr/sbin/httpd.ori. The /usr/sbin/httpd is Busybox running TelnetD applet by default. Upon installation, Telneting to the box gives a Busybox shell. You can run the normal Web server by cd /www;/usr/sbin/httpd.ori
To use the custom Busybox, ln -s /usr/sbin/httpd /tmp/busybox;/tmp/busybox
Q: I was probing this firmware (update is okay via TFTP) and I cannot Telnet the router, they don't accept the conecction, what may be wrong?
A: This router is very, very similar to the 7130 Access Point, apart from the obvious lack of additional Ethernet connections. I'm fairly sure that they are using the same circuit board, with a number of components omitted from the 7130: switch IC, magnetics, and RJ45 sockets for the additional Ethernet connections. The Web interface on a brand-new 7130 identifies itself as a F5D7230-4, and the release notes for the latest 7130 identify it as being suitable for both the 7230-4 and 7130. I've haven't checked whether the firmware is interchangeable.
A: Yes, the firmware of the Belkin 7230 works on the 7130. I uploaded it via TFTP, using the Linksys-TFTP client under Windows. The WAN MAC address is displayed as 00:90:96:00:00:01 - probably denoting the fact that the WAN-interface is missing (although I believe the Broadcom includes the interface, did they not enable it ?) But at least you can stuff the accesspoint full of interesting features (read: servers) to make it a bit more interesting.
Q: How to fix wireless file transfer losing files?
When I move files from one computer to the other via the router wirelessly at 54 Mbps the router looses it. The wireless part becomes unusable. The wired ports stay operational. If I do the same thing with the same computers via the wired ports everything stays fine. Does anybody have a clue what’s going on? And how to fix it? I have version 1441 of the router with the latest firmware, 4.00.03.
A: it seems that with a tighter configuration of the wireless nic all goes well. I transfered gigabytes and no crash. With tighter I mean no looking for other wireless networks when connected, tell it to only use one band (a/b/g) etc.
Q: How to force pmon into recovery mode?
Has anyone been able to force the pmon to go into recovery mode by shortening pin 15+16 on the AMD flash ship like you can do on the WRT54G ? According to the specs for the AMD flash pin 15 is RY/BY# and pin 16 A18. This is not working for me. The router continues to boot when those are shortened. This is hardware 1010.
A: Try shorting pins 1 and 16 on AMD flash. 15-16 is for Intel flash on the V1.1 and forward WRT54G models. -- Sveasoft
Q: How to list using iptables -L;?
After I got a shell on the box I tried "iptables -L;" but it listed nothing. The firmware is adding rules using direct ipt_* calls. Does anyone know if rules added by ipt_* do not show up in iptables ? When I added rules using iptables they were listed using iptables -L but seemed to be functionally ignored. Any clues how to proceed ?
A: I removed the parental control to make room for a root shell. Apparently, that hinders the initialization of the firewall. When I put back the parental control and remove pppd instead to make room, then iptables does list the Belkin builtin rules.
Q: Is there a way to separate the wireless port from the others ?
A: I removed eth1 (wireless) from the br0 bridge (brctl delif br0 eth1). Gave it an IP address, switched on then used iptables to add a ssh limited forwarding rule between eth1 and the internal LAN.
Q: Does anyone have a JTAG interface & software? How does this work?
A: I have a cheap JTAG interface from Amontec. I also have the Wiggler from Macraigor. Both devices works great in Raven mode with tools from Macraigor. The Amontec POD is absoluttly recommended. You can use a JTAG interface for reading/writing memory and flash. You can also use JTAG for debuging code. (setting hardware breaks. step trought code etc).
Follow-up Q: Do you have info on how to hook this up to a v1444 F5D7230-4? It has a 10 pin block that has 6 (unknown) signals and 4 tied to ground.
Follow-up: Anyone know the jtag pinout?
JTAG PINOUT
3 TDO 5 TDI 7 TCK 9 TMS
Thanks! I'll give that a try and see if I can unbrick my Belkin.
It works! I don't want to repeat myself so see my post here: http://www.dslreports.com/forum/remark,13862729 Includes software to get going
Q: Does anyone know how to make the Wireless Bridging function work with other manufacturers routers, and allow selection of the other wireless AP by its SSID and not by directly entering the MAC?
A: Well, according to the help it is just supposed to work if you haven't ticked the limit to specific MAC addresses option. However, I am not able to get the things to bridge without entering the MAC address on both ends. I should probably try this with non-Belkin equipment also.
Follow-up: I'm working with the Belkin and a Netgear. I haven't tried entering the Belkin's MAC on the Netgear, because it I don't see a place where this *can* be done on the Netgear (except for 'Client lockout' (which I currently use in lieu of WEP) If Bridging does NOT work with non-Belkin equipment at all, it seems like a rather cheap way to do manufactuer lock-out.
As far as I'm concerned, the Belkin setup software should allow you to set it either to look for a particular SSID (not MAC), or *any* SSID being broadcast, and rebroadcast the packets. (Of course, there's a limited amount of space for code and such there. But isn't this why we *have* standards in the first place?) I'm wondering more about whether there's some OSS package I could just run on the Belkin once I get it running straight Linux, which will do this for me.
Follow-up 2: I have just verified that the Belkin F5D7230-4 4.05.03 routers will bridge with an SMC2804WBR (which is a fully featured router BTW. Why doesn't the Belkin firmware support port forwarding and DHCP address reservation?).
According to the SMC docs, the SMC requires that the MAC address be hard coded for it to use WDS bridging. Strange that the Belkin has the option of just enabling it, but according to the Belkin docs at least one of the routers must reference the other's MAC address. I had to go both ways to make it work. I have a Netgear WGR614v5 that I will test out as well.
Q: Can you wireless bridge between a Belkin F5D7230-4 4.05.03 (UK version) and F5D7230-4 4.03.03? (North America version)
A: ? YES. The only limitations would be between counrty version the channels would have to be the same. You should be able to bridge between all Broadcom firmware that allows bridging. I have a link WDS link between a Linksys wrt54g and a f5d7230 which I flashed the f5d7231 firmware.
Q: Does anyone else get "Blocked by DoS protection ###.###.###.###" messages in the firewall log every 1-30 seconds. A number of these log entries will also be corrupted.
Firewall log: Tue Jun 7 13:15:45 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:15:49 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:15:56 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:16:11 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:16:51 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:16:55 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:17:02 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:17:05 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:17:08 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:17:17 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:17:18 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:17:33 2005 1 Blocked by DoS protection ##.###.144.1 14 ] 1 Blocked by DoS protection ##.###.128.110 ] 1 Blocked by DoS protection ##.###.176.23 4 ] 1 Blocked by DoS protection ##.###.140.160 14 ] 1 Blocked by DoS protection ##.###.128.120 14 ] 1 Blocked by DoS protection ##.###.214.28 14 ] 1 Blocked by DoS protection ##.###.210.114 ] 1 Blocked by DoS protection ##.###.230.5 ] 1 Blocked by DoS protection ##.###.52.200 1 Blocked by DoS protection ##.###.204.4 1 Blocked by DoS protection ##.###.81.80 ] 1 Blocked by DoS protection ##.###.73.198 14 ] 1 Blocked by DoS protection ##.###.198.139 Tue Jun 7 13:17:45 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:17:45 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:18:01 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:18:05 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:18:13 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:18:29 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:19:41 2005 1 Blocked by DoS protection ##.###.144.1 Tue Jun 7 13:19:45 2005 1 Blocked by DoS protection ##.###.144.1
Firmware Version 4.03.03 Boot Version 2.01.03 Hardware F5D7230-4
The ##.###.144.1 address belongs to my ISP and is the second hop on all traceroutes.
I still get these messages despite having disabled the firewall.
This issue seems to be coincident to the router becoming sluggish every 2-5 days. Simply restarting the router will usually clear the sluggishness.
Here are links to other people having this problem:
Q: Is it possible to make F5D7330 firmware work on F5D7230-4 v.1444?
A:
Q: Is it possible to make F5D7231-4 125mbit High Speed Mode (HSM) router firmware work on F5D7130 v.2114ef Access Point (with actually 4.03.03 firmware?
A: I don't believe so.
I tried installing the "LOAD"-altered BELKIN_RT_UK_4.05.03.bin (F5D7231-4 European) firmware onto two F5D7130 access points, they booted up okay and the wireless LAN works okay, but the Ethernet port was incapacitated (no doubt it was expecting there to be a cable modem connected to it). When I tried enabling 125 mbit High Speed Mode I got a warning saying that Wireless Bridge mode wouldn't work, which means that it would have been of no use for me, since I'm using my F5D7130 Wireless Access Points as range extenders. To restore the Wireless Access Points to the F5D7130 firmware, I poked the first four bytes from the F5D7231-4 firmware (00 3F 01 02) into the F5D7130_4.03.03.bin firmware, which seems to work fine, with the only noticeable oddity being that my Wireless Access Points now describe their hardware as F5D7230.
Side-Effects: I gather that you then returned at least one of these F5D7130 WRE/AP boxes to CompUSA in Roseville where I purchased it this last weekend. Needless to say, the mis-reported hardware model number has caused some difficulty while working with Belkin support. Not cool to screw with hardware and then return it for some other poor soul to purchase.
Q: How to edit the user.conf file (the Settings backup file). What's the checksum used at the end. How to edit the file and create a new checksum???
See the Perl script at the top of the FAQ
Q2: How to downgrade the PMON, The boot code using TFTP or by using SSH thru .hAXXED??
