Access Point, 128 WEP. To 28V, draws about 4W. Internal antennae connectors Hirose U.FL series.

1. Hardware

1.1. Known F5D7230-4 Hardware Versions

1.1.1. Version 1111tt FCC ID: QDS-BRCM1005

Specifications

• NVRAM get boardtype -> bcm94710r4 (similar to the Ravotek model, may need a patch to probe the miniPCI bus, per forum post).

• 4MB flash, 16MB RAM
• Shipped with 3.00.07 firmware; used modified 3.00.07 firmware above to get a shell and to set boot_wait
• Onboard miniPCI card
• CPU info:

   system type             : Broadcom BCM947XX
   processor               : 0
   cpu model               : BCM4710 V0.0
   BogoMIPS                : 82.94
   wait instruction        : no
   microsecond timers      : yes
   tlb_entries             : 32
   extra interrupt vector  : no
   hardware watchpoint     : no
   VCED exceptions         : not available
   VCEI exceptions         : not available

1.1.2. Version 1444 FCC ID: K7SF5D72304

Specifications

• NVRAM get boardtype -> 0x0101

• 2MB flash, 8MB RAM
• Shipped with 4.03.03 firmware; got shell by deleting most of /usr/sbin and www, and replacing with "fake busybox httpd" as explained above
• Will not run 3.00.07 or openwrt firmware
• No miniPCI card
• CPU info:

   system type             : Broadcom BCM947XX
   processor               : 0
   cpu model               : BCM3302 V0.7
   BogoMIPS                : 199.47
   wait instruction        : no
   microsecond timers      : yes
   tlb_entries             : 32
   extra interrupt vector  : no
   hardware watchpoint     : no
   VCED exceptions         : not available
   VCEI exceptions         : not available

• To unbrick: bridge pins ~9-10 on 29lv160 flash
• 4.03.03 is picky about "compatible" trx images; I forced a failed reflash and then uploaded the new image with TFTP.

  Opening the F5D7230-4: remove the two screws underneath the label on the bottom, then gently pry at the snaps around the edges

Serial port hookup instructions for v. 1444

• I've got a serial port working, see f5d7230 I've spent a bit of time trying to get the thing to do an NFS boot but not there yet. I can get it to do a boot of vmlinux though which is a start. -Rick

1.1.3. Version 2000 FCC ID: K7SF5D7234A

Specifications

• shipped with 4.05.03 firmware

   Broadcom BCM5325EKQM
   Broadcom BCM4712KFB
   ESMT M12L64164A

• To open: remove two screws from the bottom. There are two snaps each on the front, left- and right-hand sides.

• WARNING! The 4.03.03 firmware does not work on this hardware revision. The 4.05.03 firmware is available at BELKIN_RT_54G_USA_4.05.03.bin (not listed on the Web site yet). The TFTP recovery method works as documented here.

• Tested all variants of OpenWRT as of February 2005. None of them work on this hardware.
• Model released in Europe (purchased in Copenhagen) labeled "2001yy" uses same chips and firmware, albeit the EU 14 channel revision. The power brick uses interchangeable cord, works fine on US powerlines.

1.1.4. Version 3000 FCC ID: PD5F5D72304

• 2MB Flash, 8MB RAM

   Broadcom BCM4712KFB

• Main difference is in the antenna type, which increase the range with Version 3000
• Rumour has it that they will introduce a 4MB Flash/16MB RAM model.

Specifications

• shipped with 5.00.02 firmware

  Download information at Belkin as F5D7230-4_V3000. Firmware image as BK54gr_v5.00.02.bin.

1.1.5. Version 4000 FCC ID: K7S7230A (in FCC ID DB as K7SF5D7230A ?)

• Acquired directly from Belkin as RMA replacement for malfunctioning unit.
• Hardware version 4.00.01

• Support for wireless bridge mode (WDS) has been dropped. The menu option is entirely gone. Unsure at this point if menu has simply been disabled but router still supports WDS internally or not.
  WDS/wireless bridging works--at least with a F5D7230-4 v.2000 AP/router. Entered MAC address of v.4001 AP into Wireless Bridge page of v.2000 AP. Unable to save any addresses in MAC Address Control page of v.4001 router. Seems like WDS is on by default, with no way to control access.

• Size of router is approx. half the size of v1112.
  • 8MB(8Mbit?) Flash
  • 32MB(32Mbit?) RAM
  • Marvell Ethernet chip and CPU
  • Compatable with Texas Instruments Wireless Chipset (ACX111 driver)
• Has only one external antenna.
• Features and Web interface appear to be pretty much the same as older versions.
  • Still bridges Appletalk between WLAN and LAN.
• Web configuration using Safari is completely broken (even more than before). Must use IE or Opera. (Web configuration works fine with Safari 2.0.1.)
• On reboot, network with SSID 'marvell-ap32' can be seen [Default SSID: belkin54g]

  • Looks like this may be the same as the LinksysWrt54gc based on the Marvell Libertas Home Gateway.

• Appears as if the Web interface from the older models was converted across to this new revision--there is a broken link back to the save/backup settings from the firmware update page (present in firmware 6.00.14).
• Web server is reporting as "IP_SHARER WEB 1.0".
• Supports WPA-PSK with TKIP or AES, and WPA2 with AES -- no longer has support for Radius.
• Turbo Mode (Frame Bursting mode) option is no longer available.
• Firmware updates
  • Function reports "Update available" on 6.00.14 firmware--the file it links to is apparently 6.00.03

    • USA 54g_ap
      USA F5D7230_6.00.03.rar

    It would appear this function is not working properly as it should not link to a USA firmware for an Aus model.

  • Firmware version 6.00.21 F5D7230-4_v4000 (23 Nov 2005, 554.09KB), with new features: dyndns/dtdns client support, port 80 forwarding working well (was not working in previous version 6.00.10).

Specifications

• Shipped with 6.00.10 firmware
  • One purchased in Australia shipped with 6.00.14 firmware

1.1.6. Version 5000 FCC ID: RAXWG4005FB

I just picked this up at Circuit City. They just got them in today, 04 February 2006. Doesn't seem to run Linux so it's just going to get returned. Sigh.

Specifications

• Small one-antenna unit.
• Shipped with firmware version 7.01.06, boot version V0.07
• Also lists "Hardware 01" under version info.
• Web server reports itself as Apache/0.6.5 (Huh?)
• Reports no firmware update available as of Feb 04 2006

An NMap scan on it:

Interesting ports on 192.168.2.1:
(The 65533 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
80/tcp    open  http
21417/tcp open  unknown
MAC Address: 00:11:50:76:65:97 (Unknown)
Device type: WAP
Running: SMC embedded
OS details: SMC Barricade DSL Router/Modem/Wireless AP
OS Fingerprint:
TSeq(Class=TD%gcd=1%SI=1%IPID=I%TS=U)
T1(Resp=Y%DF=Y%W=1770%ACK=S++%Flags=AS%Ops=ME)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=1770%ACK=S++%Flags=AS%Ops=ME)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=1 (Trivial joke)
TCP ISN Seq. Numbers: FE5E FE69 FE75 FE80 FE8C
IPID Sequence Generation: Incremental

Not sure whats up with the random open ports. They seem to randomly change and disappear. I can Telnet to them and type random stuff but nothing comes back.

1.1.7. Version 6002 FCC ID: K7SF5D7230C

I got this one at Circuit City 12/08/06. It drops its Internet connection and needs frequent resetting.

Specifications

• Small one-antenna unit.
• Shipped with firmware version 8.01.07

It is likely that the hardware of this version is very similar to LinksysWrt54gc.

1.1.8. Version 7002uk or 1000yy Sweden, FCC ID: RAXWG4005G

FCC info on this version of the unit can be found on: RAXWG4005G Havent got around to build any firmeware or flash this unit yet. just did a quick peek in the current vendor firmware-update bin (uk v9.01.05).

Specifications

• Small one-antenna unit

• Plattform: AR5315PLUS , Atheros, ('System-on-a-chip' with MIPS 4k class proc running at ~180-200)

• Board - "141400520017j rev: 01" (Accton board?)

• Switch * IP175C LF- 5 Port eth integrated switch (1 WAN, 4 Switch ports)

• 2mb Flash, type '25p16v6P'
• 8mb SDRAM, type 'IC42S16400b-7TI'
• JTAG: 1 EJTAG

• Ships with VxWorks based firmware

• Ships with BRN bootloader, "BRN - Boot-code Ver. V0.01"
• TFTP flash: To be able to use TFTP as method for flashing you have to set your IP to 192.168.0.100
• Panic-kernel: There is a small "panic-kernel" which can be accessed by holding "Reset" while powering up.

Notes

The current vendor bin contains two lzma packed files (filenames assumed)

• offset: 0-1364d = psf.bin, size: 79 438 bytes, unpacked: 715 638 bytes
• offset: 20000-9ec08 = soho.bin, size: 519 177 bytes, unpacked:, 2 033 304 bytes

More info and code to extract data from "PFS/0.9"-images can be found at http://cba.si/pfs/

Additional relevant offsets in vendor bin:

• Offset: ffff4-10000a: 09 EC 07 00 78 56 34 12 69 FB 14 31 42 52 4E 36 31 41 4B 00 00 00 = ".ì..xV4.iû.1BRN61AK..."

Mini Loader info

• image must start at 0x80001000
• Input Download Area Address (default:0x80600000)

Nmap

Running: 3Com embedded, Philips embedded, Sinus embedded, SMC embedded
OS details: Wireless broadband router (3Com OfficeConnect, Philips SNB6500, Sinus 154, SMC SMCWEBT-G, 
or SMC SMCWBR14-G2), SMC SMC2804WBRP-G wireless broadband router

53/udp    open|filtered domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
80/tcp    open  http
1900/udp  open|filtered upnp
10101/tcp open  unknown
32768/udp open|filtered omad

Note on port 10101/tcp: "bkserver process listens to port 10101, the process is used for router quick setup procedure from Belkin's installation CD."

1.1.9. Version 7000 FCC ID: K7SF5D7230D

Grabbed this at Wal-Mart today, 2007/06/28. They do have WPA now, at least, and it was only $40, so I'll keep it. Still reporting Apache 0.6.5.

Specifications

• Small one-antenna unit.
• Shipped with firmware version 9.01.05, boot version 0.01

Exactly identical to Dynex DX-WGRTR.

1.2. F5D7230-4 vs. F5D7230v4

The "v4" seems to come in blister packs from HomeDepot and Microcenter. All that I've seen are v2000. The physical box is smaller than the original units.

1.3. Power and Antennas

Tested up to 28V! Draws about 4W; can you say low-cost solar-powered wireless Linux box? Put it in my car with engine running (alternator and spark plug noise test), connected to inside the house, works great! (for details see link below in the next section).

The internal antenna connectors appear to be Hirose U.FL series, which is emerging as a standard for miniPCI cards. Since the first revision of this AP used a miniPCI radio, this carried over to the current rev, which has the radio on the board but uses the same antennae and connectors. (Anyone with U.FL pigtails want to verify this? I'm just educated-guessing.)

1.4. F5D7230-4 Serial Console - DIY Process Documented

The Belkin F5D7230-4 Serial Console document has been published.

Brief document insight:

• By collating a mass of publicly available information, and experimenting with a single unit, the paper concludes by providing a physical console into the device, providing local root user level access, and a schematic diagram for a solder-less project that will allow individuals to try this experiment for themselves. It is hoped that this information can be used to debug open source firmware and to then adapt the OpenWRT, and Sveasoft, embedded Linux distributions for this Belkin router.

Boot sequence output, up to kernel load, is:

Decompressing..........done
Here we try to capture the default reset button: None.

CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Mon Apr 19 18:19:30 CST 2004 (denny@dnylinux)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena.
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.60.9.0
CPU type 0x29007: 200MHz
Total memory: 0x800000 bytes (8MB)

Total memory used by CFE:    0x80300000 - 0x80434A50 (1264208)
Initialized Data:            0x8032EB60 - 0x80330E90 (9008)
BSS Area:                    0x80330E90 - 0x80332A50 (7104)
Local Heap:                  0x80332A50 - 0x80432A50 (1048576)
Stack Area:                  0x80432A50 - 0x80434A50 (8192)
Text (code) segment:         0x80300000 - 0x8032EB60 (191328)
Boot area (physical):        0x00435000 - 0x00475000
Relocation Factor:           I:00000000 - D:00000000

Device eth0: hwaddr 00-11-50-0D-DD-C4, ipaddr 192.168.2.1, mask
255.255.255.0
        gateway not set, nameserver not set
Reading :: Failed.: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: ..... 1482752 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
CPU revision is: 00029007

Primary instruction cache 8kb, linesize 16 bytes (2 ways)

Primary data cache 4kb, linesize 16 bytes (2 ways)

Linux version 2.4.20 (lchen@penguin.askey.com) (gcc version 3.0 20010422 prerelease) with bcm4710a0 modifications) #8 Mon 1 Dec 2003, 20:51:49 PST

Document at midnightcode.org as OpenWRT on the Belkin F5D7230-4 - Serial Console.pdf
from document directory.

Congrats Rick -- good work; loving the competition

Thanks

1.5. Other devices based on Broadcom BCM47XX reference design

• F5D7330 - Belkin 802.11g Wireless Ethernet Adapter

• Belkin_7130 - Belkin 802.11g Wireless Network Access Point

• LinksysWrt54g - Linksys 802.11g Broadband Router

• AsusWL-300g - ASUS 802.11g Wireless AP Router

• NetgearWGT634U - Netgear Sorage Router

1.6. Hardware version 1010, 20 pin expansion bus

I'm trying to figure out what is available on the expansion connector on hardware 1010, and probaly other versions of the board. This is what I've found so far:

My guess is that you can connect an UART to this port. Broadcom specs refer to UART 16551. According to the Broadcom docs, GPIO1 is used as interrupt. I'm not sure which pin this is routed to yet. According to the Broadcom doc, GPIO1 should be routed to GND when UART is to be disabled... (Does anyone have pinouts for the chip ?)

It would be REALLY great if someone with never revisions that includes an UART, could measure what pins on the UART goes to what pin on the 20pin connector -js

WAP54Gv1.1 uses the same 20-pin jumper block for external UART.

Schematic for the Asus WL-500G.

2. Firmware

2.1. Extracting firmware

Belkin's 802.11g router/AP.
To get cramfs: dd if=BELKIN_2.00.05.bin of=test.dump bs=1 skip=655388

One can find the start of the cramfs part of the .bin file by looking for hex values 3d4528cd. The offset of this 3d byte is the skip value ( converted to decimal ). hexdump test.dump | grep 3d45

Specific Firmware Versions

Use the following psuedo commands to extract the cramfs filesystem from the specific version firmware file, replacing the input filename as appropriate.

2.00.05

• dd if=2.00.05.bin of=cramfs.dump bs=655388 skip=1

3.00.07

• dd if=3.00.07.bin of=cramfs.dump bs=601220 skip=1

4.03.03

• dd if=4.03.03.bin of=cramfs.dump bs=630016 skip=1

4.05.03

• dd if=4.05.03.bin of=cramfs.dump bs=627928 skip=1

5.00.02

• dd if=5.00.02.bin of=cramfs.dump bs=625940 skip=1

In at least one known version (4.05.03) the offsets are verified identical in the UK and USA firmwares available for download.

2.2. One step closer to custom firmware

I was able to modify some files on the firmware and upload it to the router. Here is how:

• Extract the kernel from the firmware: it is in gzip format starting at offset 56 so

  • dd if=F5D7230-4-V3.00.07.bin of=kernel.gz count=601164 bs=1 skip=56

    • (601164+56=601220)

  • dd if=F5D7230-4_4.03.03.bin of=kernel.gz count=629960 bs=1 skip=56

    • (629960+56=630016)
• Extract the filesystem
  • V3.00.07 firmware:

    • dd if=F5D7230-4-V3.00.07.bin of=cramfs.dump bs=601220 skip=1

  • V4.03.03 firmware:

    • dd if=F5D7230-4_4.03.03.bin of=cramfs.dump bs=630016 skip=1

• Mount the filesystem
  • mount -o loop -t cramfs cramfs.dump /mnt/somewhere
• copy recursively the mounted filesystem to a new directory for modification purpose
  • copy -r /mnt/somewhere 3007/
• make sure all symbolic links are identical to the original
• make the wanted modif in 3007/
• create a new cramfs file
  • mkcramfs 3007/ cramfsmod.dump
• using the release/tools/trx tool from linksys GPL tar ball combine the two
  • ~/WRT54G/release/tools/trx -o 3007.trx kernel.gz cramfsmod.dump
• copy the NVRAM setting from the original firmware to 3007.trx. It starts at offset 1888284 (0x1cd01c) and begins with "NVAR" till the end of file.
• copy the first 28 bytes (all bytes before HDR0) of the original firmware to 3007.trx.
• now get the total size of the 3007.trx file.
• adjust accordingly the four bytes at offset 4 (these indicates the length of the file). Note that it is in little endian (least signifiant bit first). In the 3.00.07 firmware it is "d0dd1c00" which corresponds to 0x001cddd0, the total size of the file.
• upload the new firmware via the Web interface (I used 3.00.07 firmware) not by TFTP.

mail me at 54g at barabasy dot cjb dot net

2.3. I got a shell on the box

The idea is simple. Replace the httpd binary in /usr/sbin of the firmware to any binary we want. For instance, I replaced it by a Telnet daemon. For that, I used Busybox 1.00.pre5, which, I must say, is pleasantly well packaged, and delightfully easy to use. Here is what I did:

• make menuconfig

• Check General configuration/Use the devpts filesystem for Unix98 PTYs

• Check Build options/Build Busybox as a static binary (no shared libs)

• Check Build options/Do you want to build Busybox with a Cross Compiler? and set Cross compile prefix to /opt/brcm/hndtools-mipsel-linux/bin/mipsel-linux- (or whatever is your cross compiler prefix, this is for the one given by linksys GPL source for WRT54)

• Check Networking options/httpd and Networking options/TelnetD

• exit and save configuration
• make dep

• edit include/applet.h and change APPLET(httpd, httpd_main, _BB_DIR_USR_SBIN, _BB_SUID_NEVER) to APPLET(httpd, telnetd_main, _BB_DIR_USR_SBIN, _BB_SUID_NEVER)

• make
• make a new firmware by replacing /usr/sbin/httpd by busybox
• Telnet on your box

You can uncheck any applet you don't want during the Busybox config.

2.4. Boot messages

Here are the boot messages from dmesg

CPU revision is: 00024000
Loading BCM4710 MMU routines.
Primary instruction cache 8kb, linesize 16 bytes (2 ways)
Primary data cache 4kb, linesize 16 bytes (2 ways)
Linux version 2.4.20 (lchen@penguin.askey.com) (gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications) #1 Mon Oct 6 14:16:21 PDT 2003
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
CPU: BCM4710 rev 0 at 125 MHz
!unable to setup serial console!
Calibrating delay loop... 82.94 BogoMIPS
Memory: 14588k/16384k available (1197k kernel code, 1796k reserved, 104k data, 64k init, 0k highmem)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction...  unavailable.
POSIX conformance testing by UNIFIX
PCI: Fixing up bus 0
PCI: Fixing up bridge
PCI: Fixing up bus 1
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
 Amd/Fujitsu Extended Query Table v1.2 at 0x0040
number of CFI chips: 1
flash device: 400000 at 1fc00000
Physically mapped flash: cramfs filesystem found at block 843
Creating 5 MTD partitions on "Physically mapped flash":
0x00000000-0x00040000 : "pmon"
0x00040000-0x003c0000 : "linux"
0x000d2c68-0x003c0000 : "rootfs"
0x003c0000-0x003e0000 : "profile"
0x003e0000-0x00400000 : "nvram"
sflash: chipcommon not found
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
ip_conntrack version 2.1 (128 buckets, 1024 max) - 344 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
ipt_time loading
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
VFS: Mounted root (cramfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 64k freed
Warning: unable to open an initial console.
eth0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.31.12.0
eth1: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.31.12.0
PCI: Enabling device 01:01.0 (0004 -> 0006)
eth2: Broadcom BCM43XX 802.11 Wireless Controller  3.31.12.0 (Compiled in . at 19:20:29 on Jul 14 2003)
CSLIP: code copyright 1989 Regents of the University of California
PPP generic driver version 2.4.2
PPP MPPE compression module registered
Algorithmics/MIPS FPU Emulator v1.5
device eth0 entered promiscuous mode

<==sintInstallLEDs: VIOBA=b8007000
device eth2 entered promiscuous mode
br0: port 2(eth2) entering learning state
br0: port 1(eth0) entering learning state
br0: port 2(eth2) entering forwarding state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
br0: topology change detected, propagating
br0: port 2(eth2) entering disabled state
br0: port 1(eth0) entering disabled state
br0: port 1(eth0) entering disabled state
device eth0 left promiscuous mode

==>sintUninstallLEDs: VIOBA=b8007000
br0: port 2(eth2) entering disabled state
device eth2 left promiscuous mode
device eth0 entered promiscuous mode

<==sintInstallLEDs: VIOBA=b8007000
device eth2 entered promiscuous mode
br0: port 2(eth2) entering learning state
br0: port 1(eth0) entering learning state
br0: port 2(eth2) entering forwarding state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
br0: topology change detected, propagating

2.5. Using Linksys binaries

Firmware 3.00.07 uses kernel 2.4.20, as Linksys firmware 1.42.2 does. Hence, all modules compiled from the Linksys source tree load with no problem on the Belkin. Binaries should work also if the libraries are well installed. As examples, I was able to mount a NFS filsystem by loading lockd.o, sunrpc.o and nfs.o that I just compiled from Linksys source and using Busybox supporting NFS mount. I was also able to run in client mode by loading the wl_apsta.o from Linksys and using the WL binary.

# ./busybox mount 192.168.2.5:/home/thierry/belkinhack nfs
mount: /etc/mtab: Read-only file system
# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
192.168.2.5:/home/thierry/belkinhack on /tmp/nfs type nfs (rw,v3,rsize=8192,wsize=8192,hard,udp,lock,addr=192.168.2.5)
# ls nfs
lockd.o                               hackuser.conf
sunrpc.o                              apusermod.conf
nfs.o                                 piggy.gz
wl_sta.o                              3007.trx
wl_apsta.o                            style.css.gz
mini_httpd-1.19                       kerfile.bin
index.htm                             custom.bin
install.c                             kern.bin
mini_httpd-1.19.tar.gz                crc32.pl
3007telnet.bin                        try.dump
Install                               fstest
busybox-1.00-pre5.tar.gz              user1.conf
busybox-1.00-pre5                     code.bin
wrt54g-0.3.tar.gz                     res.conf
wrt54g-0.3                            test.conf
wrt54g-sshd-2003-09-13.tar.bz2        user.conf.1
wl                                    user.conf
wrt54g-sshd-2003-09-13                test.dump
nvram.txt                             linux.trx
3007ker1.gz                           routerconf.pl
3007hack.cramfs                       ripflashmd9781manager_0.3.1-3.tar.gz
3007b.cramfs                          ripflashlinux
3007ker.gz                            log_web.txt
savedapuser.conf                      insiderouter.html
3007                                  F5D7230-4-V3.00.07.bin
3007.cramfs                           buffalo.dump
apuserno.conf                         BELKIN_2.00.04
apuser.conf                           BELKIN_1.01.00
routeruser.conf                       belk

---

2.6. Recovery methods

It has been confirmed that on boot you can fix a trashed flash upload by using TFTP. You must configure your Ethernet interface to the 192.168.2.x/24 network, but not 192.168.2.1. This method works reliably with version 2000 hardware, and is rumored to work with prior versions as well. The boot loader automatically uses IP address 192.168.2.1.

Pitfall: the TFTP client which comes with mac osx didn't work for me, the winxp one worked like a charm, as does the Linux TFTP client.

Hint: I bricked my router by uploading a legal image which would try to boot but wouldn't manage to bring up a Web interface (4.03.03 on v2000 hardware will do it). I opened the unit and located the flash rom (an Am29LV190B in my case). Then I had a look at the data sheet to find out where the address pins of the chip rest. Then I rebooted the router short circuiting two address pins, this let the bootloader think that it is loading a screwed up cramfs image and gave me access to TFTP. The invalid kernel status is indicated by a slowly flashing power LED and a a green flashing WLAN LED, if you see that you know that you can use TFTP.

Hint 2: If you catch the boot fast enough, or just start the transfer on your TFTP client then reboot the router, you do not need to mess with shorting pins on the flash chip.

# TFTP 192.168.2.1
> binary
> rexmt 1
> verbose
> put firmware_filename.bin
>> reboot router now <<

Or for Windows XP: # TFTP -i 192.168.2.1 put firmware_filename.bin

After booting the router, it will then blink the power light rapidly while it writes flash, don't power it off! Then it resets and starts up like normal and you have saved your box! (I assume the windows CD that comes with it does the same thing) The boot loader is in a protected area of flash so TFTP should always be available at power up to get you out of trouble.

It seems that with some hardware versions the WAN LED starts blinking after the flash is finished. At that point you have to reset using the reset deep switch.

I thought I messed it up good one time, but holding the reset button in for about 10 seconds makes it reset to "default" and then TFTP or whatever firmware you have works again.

It looks like there is a "jtag" port on this, so if you totally trash the thing you can build a simple jtag interface and possibly upload the firmware that way (but it ain't easy!).

These links have some inside PCB pics, info on opening the box, some distance RF test data and more at:

http://www.linux-hacker.net/misc/F5D7230/

http://www.linux-hacker.net/cgi-bin/UltraBoard/UltraBoard.pl?Action=ShowPost&amp;Board=RG

2.7. Custom firmware images

I have made a TRX image that is suitable for development for the F5D7230-4.

* It's based upon the 3.07 firmware.
* Most of the old binaries has been replaced. (The firmware is heavily based on Busybox 1.0-pre8.)
* Includes TelnetD. Please note that Telnet is listening on both LAN and WAN interface.
* Includes nfs support
* The custom init has been replaced by Busybox init and a custom shell script to do the basic init stuff. Still uses NVRAM to configure router after boot. (/etc/init.d/rcS)
* Webserver and wireless support is not included in the current image.

To mount a nfs volume you can do something like this: mount -o nolock -t nfs 192.168.2.5:/home/share /mnt

chroot is installed, so you can chroot to your custom system by doing something like chroot /mnt/mybelkin

Please note that the power / connected lights will not be light up when the device is up. I'm working on making a program to control the lights. Have found the gpio for connected, but havent found for power on yet, so it shouldnt take long...

Please verify that you are able to upload the original image via TFTP before you attempt to use this image. It is possible to change firmware by Telneting to the unit, erasing the mtd area and dd'ing a new image in. But this is only recomended for experienced users as it can render your unit completly unusable.

The image can be obtained from this url (Use at your own risk. Don't blame me if your device goes up to smoke): http://www.suphammer.net/belkin/devel.trx

you can contact me at: belkin at suphammer DoT net

2.8. Symlinks

Here is the list of files and symlinks contained in the firmware F5D7230-4_V4.00.03.bin:

bin/busybox
etc/ld.so.cache
etc/ld.so.conf
etc/ppp/options.pptp
lib/ld-uClibc.so.0
lib/libc.so.0
lib/libcrypt.so.0
lib/libdl.so.0
lib/libnsl.so.0
lib/libresolv.so.0
lib/libutil.so.0
lib/modules/2.4.20/kernel/drivers/net/et/et.o
lib/modules/2.4.20/kernel/drivers/net/led/led.o
lib/modules/2.4.20/kernel/drivers/net/wl/wl.o
sbin/rc
usr/lib/libnetconf.so
usr/lib/libnvram.so
usr/lib/libshared.so
usr/sbin/bkserver
usr/sbin/bpalogin
usr/sbin/brctl
usr/sbin/dnsmasq
usr/sbin/exlog
usr/sbin/httpd
usr/sbin/iptables
usr/sbin/led_mon
usr/sbin/nas
usr/sbin/netfilter_log
usr/sbin/ntpclient
usr/sbin/nvram
usr/sbin/parent_control
usr/sbin/pppd
usr/sbin/pppoecd
usr/sbin/pptp
usr/sbin/route_check
usr/sbin/udhcpd
usr/sbin/upnp
usr/sbin/vconfig
usr/sbin/wl
usr/sbin/wlconf
www/check_firmware_fail.html
www/check_firmware_failb.html
www/duplicate.html
www/fw_clientip.html
www/fw_dmz.html
www/fw_id.html
www/fw_mac.html
www/fw_main.html
www/fw_ping.html
www/fw_security.html
www/fw_virt.html
www/fw_virt.js
www/glossary.html
www/graphics/bar.gif
www/graphics/bar_cap.gif
www/graphics/bar_floor.gif
www/graphics/bar_slope.gif
www/graphics/blu_bar.gif
www/graphics/head_logo.gif
www/graphics/shim.gif
www/graphics/title.gif
www/help.html
www/index.html
www/indexa.html
www/lan_dhcp.html
www/lan_main.html
www/lan_settings.html
www/language.js
www/login.html
www/loginerr.html
www/main_router.css
www/reset_success.html
www/restore_factory_default_success.html
www/restore_setting_success.html
www/showMenu.js
www/styles.css
www/update_firmware_success.html
www/update_firmware_success_en.html
www/util_factory.html
www/util_firmware.html
www/util_main.html
www/util_parentalc.html
www/util_parentalc_acctinfo.html
www/util_parentalc_advance.html
www/util_parentalc_refresh.html
www/util_prev.html
www/util_reset.html
www/util_save.html
www/util_system.html
www/utilb_system.html
www/validate.js
www/violation_page.html
www/wan_conn.html
www/wan_dns.html
www/wan_dynamic.html
www/wan_mac.html
www/wan_main.html
www/wan_pppoe.html
www/wan_pptp.html
www/wan_static.html
www/wan_static_checked.html
www/wan_telstra.html
www/wireless_apt.html
www/wireless_apt_disabled.html
www/wireless_apt_enable.html
www/wireless_bridge.html
www/wireless_bridge_ss.html
www/wireless_chan.html
www/wireless_encrypt.html
www/wireless_encrypt_128.html
www/wireless_encrypt_64.html
www/wireless_encrypt_no.html
www/wireless_mac_ctrl.html
www/wireless_main.html
www/wireless_wpa.html
www/wireless_wpa_psk.html
bin/cat -> busybox
bin/chmod -> busybox
bin/cp -> busybox
bin/date -> busybox
bin/dd -> busybox
bin/echo -> busybox
bin/grep -> busybox
bin/kill -> busybox
bin/ln -> busybox
bin/ls -> busybox
bin/mkdir -> busybox
bin/mknod -> busybox
bin/more -> busybox
bin/mount -> busybox
bin/msh -> busybox
bin/mv -> busybox
bin/ping -> busybox
bin/ps -> busybox
bin/pwd -> busybox
bin/rm -> busybox
bin/rmdir -> busybox
bin/sh -> busybox
bin/sleep -> busybox
bin/touch -> busybox
bin/umount -> busybox
etc/hosts -> /tmp/hosts
etc/nsswitch.conf -> /tmp/nsswitch.conf
etc/ppp/chap-secrets -> /tmp/chap-secrets
etc/ppp/pap-secrets -> /tmp/pap-secrets
etc/ppp/peers/my-isp -> /tmp/my-isp
etc/resolv.conf -> /tmp/resolv.conf
lib/modules/2.4.20/build -> /home4/lchen/rt511201-2/RT19xW/src/linux/linux
sbin/erase -> rc
sbin/hotplug -> rc
sbin/ifconfig -> ../bin/busybox
sbin/init -> rc
sbin/insmod -> ../bin/busybox
sbin/klogd -> ../bin/busybox
sbin/lsmod -> ../bin/busybox
sbin/reboot -> ../bin/busybox
sbin/rmmod -> ../bin/busybox
sbin/stats -> rc
sbin/syslogd -> ../bin/busybox
sbin/write -> rc
usr/bin/free -> ../../bin/busybox
usr/bin/killall -> ../../bin/busybox
usr/bin/route -> ../../bin/busybox
usr/bin/tftp -> ../../bin/busybox
usr/bin/wget -> ../../bin/busybox
usr/sbin/nas4not -> nas
usr/sbin/udhcpc -> udhcpd
usr/tmp -> ../tmp
var -> tmp/var
www/tmp -> /tmp/www

Of particular interest is that the RC binary (a multipurpose binary which runs as the init process) is dynamically linked against libnetconf.so, which is derived from iptables. This code can only be legally distributed as GPL code - IOW; Belkin must make the source code available (as Cisco/Linksys did).

2.9. Belkin F5D7230-4 4.05.03 GPL firmware source code available!

New! The 4.05.03 firmware source and compiler toolchain is now available from the GPL page!

The previous firmware version has been removed.

The reported compile success of the 4.05.03 firmware was incorrect. It will compile if you run "make", but not "make belkin". There are source files missing out of the router_belkin/shared directory. Anyone care to call Belkin and complain about an incomplete firmware distribution? wl.c wl_linux.c user_conf.c wlioc.c karnmd5.c getURL.c web_interface.c are all missing.

Any further success with the 4.05.03 firmware, please e-mail me at weage98 -at- yahoo -dot- com.

Previous GPL firmware notes (4.00.03 ?)

Has anyone succesfully built a firmware from this source? I got compilation errors in src/router/ppp/pppoecd

Add this lines to src/router/ppp/pppoecd/sys-linux.c

line 79 "#define PPPIOCGLANIP _IOR('t', 92, int)"

line 80 "#define PPPIOCSLANIP _IOW('t', 91, int)"

Sveasoft edit: We're looking at building a custom firmware version for this device. Please post feedback about desired features/fixes at phpBB2 in the Belkin F5D7230-4 forum.

2.10. F5D7230-4 root shell and consolidated data structures

I'm looking to get OpenWRT on this device. I've developed a simpler way to get a root shell on the device, as well as publishing a consolidated internal structure resource (and software to reliably generate the firmware images). This is all documented at midnightcode.org as OpenWRT on the Belkin F5D7230-4.pdf.

I've had trouble getting alternate CRAMFS file systems under the native kernel. I'd dearly like to skip this step altogether, in favour of a direct OpenWRT install, but this just doesn't work. A simple method for attaining a serial console would be useful.

2.11. F5D7230-4 Broadcom GPL Reference Firmware Compiled

• The latest paper is completed.

  • OpenWRT on the Belkin F5D7230-4 - Compiling and Installing the GPL Broadcom Reference Firmware

Brief document insight:

    Belkin published the Broadcom reference firmware;
    a small Linux distribution, designed to act as a
    proof-of-concept and development environment for
    the Belkin engineers. To minimize the amount of
    experimentation required to adapt the OpenWRT and
    Sveasoft firmware for use on the Belkin, the
    published Broadcom reference firmware was compiled
    to see if it was functional, and able to provide
    driver and configuration information for the open
    source distributions.
    ...
    Furthermore, this process was developed rapidly
    due to the excellent work performed by Rick
    Bronson. Rick published the findings of his work
    on his Web site and has been very supportive of
    the development process;
      http://www.efn.org/~rick/work/f5d7230/

[Document OpenWRT on the Belkin F5D7230-4 - Broadcom Firmware.pdf, from the directory.]

2.12. Upgrading the F5D7230-4 v1444 to a F5D7231-4 125mbit High Speed Mode (HSM)

I just picked up a F5D7230-4 v1444 router for $20. Everyone else seems to have given up hacking these things but I haven't. The v1444 comes with firmware version 4.03.03.

Its been noticed that you can upgrade the F5D7230-4 v1444 to a F5D7231-4, just grab the firmware. Latest on the site as of this writing is 4.03.04)

Use a hex editor to change the first four bytes to "LOAD", and flash it.

But here's the kicker! After extracting the kernels and filesystems and comparing the 4.03.03 and 4.03.04 firmwares, they are byte for byte exactly the same! The only difference is in the NVRAM settings and the flash header! Here are the differences:

$ diff -U0 4.03.03.conf 4.03.04.conf --- 4.03.03.conf      2005-02-11 02:51:30.414546494 -0600 +++ 4.03.04.conf      2005-02-11 02:50:52.365390556 -0600 @@ -3 +3 @@ -boardflags=0x0188 +boardflags=0x0388 @@ -61 +61 @@ -fw_magic=0x44414f4c +fw_magic=0x02013200 @@ -63 +63 @@ -fw_src=http://networking.belkin.com/update/files/54g_router.html +fw_src=http://networking.belkin.com/update/files/usa/125/54g_router.html @@ -74 +74 @@ -hw_model=F5D7230-4 +hw_model=F5D7231-4 @@ -113 +113 @@ -os_version=4.03.03 +os_version=4.03.04 @@ -196 +196 @@ -wl0_gmode=1 +wl0_gmode=6 @@ -214 +214 @@ -wl0_lazywds=1 +wl0_lazywds=0

Note, the differing flash header kind of complicates things. Once you've loaded the new firmware by changing the header, you can not re-flash with that same header. You need the new one from then on. The new header is 0x003f0102. If you want to go back to the old firmware, you have to modify it with the new header first...

Though it would appear the fw_magic NVRAM setting sets the header it's looking for.

I haven't tested it but I bet you can just change the boardflags setting and get High Speed mode.

The 2MB flash is a tight squeeze. I have been able to hack up a current firmware with a Busybox TelnetD, at the cost of stripping out all but the bare bones, and hardwiring the configuration. I'll release it once I clean things up a bit.

-- seg at haxxed dot com

2.12.1. Upgrading v2000 to High Speed Mode (HSM) Firmware Not Useful

I tried upgrading the F5D7230-4 v2000 to the HSM. It wasn't very useful.

Now, I had the routers configured as access points with wireless bridging (using one essentially as a router and the other as an wireless AP for a desktop). I was drying to do Wireless Bridging between to v2000's. (Perhaps my mistake was that I didn't hit the factory defaults before the upgrade--who knows.) However, the result was that the router was unresponsive on the WAN/LAN ethernet ports (as was the case in the F5D7130 firmware to F5D7230-4 (v1444) section below). In addition, when I got to the web browser from the wireless interface, it said that bridge mode is not available with HSM. So, I couldn't use the router as an AP.

I thought for a while that I bricked the router, since tftp'ing the original firmware seemed to work but produced no response. I then realized that I needed to change the flash header of the original firwmare. Note that even if you tftp the router invalid firwmare, the tftp will be successful. However, the router won't really flash itself.

-- gmail://ferriseula

2.13. F5D7130 firmware to F5D7230-4 (v1444)

I just finished flashing a F5D7230-4 (v1444) with the last 4.03.03 F5D7130 firmware. The flash completed succesufully through the Web interface (because the two headers are the same), but the new Web interface is very, very poor and has only a few features. I tried this method because I thought I could get to work this device (F5D7230) as an AP client. Not a chance!, 'cause this is the only AP device in the world which cannot act as a AP client (it's only a Belkin issue, not a Linux-based one You cannot Web manage the ex-router through one of the Ethernet switched ports (nor the WAN one); the only way is to connect through wireless (with a wireless card installed). The IP address remains the same, 192.168.2.1.
You may easily revert the F5D7230-4 original firmware through wireless right back afterward.

2.14. Available firmware (4.05.03 fixes packed loss bug)

I figured out these links based upon the posting by seg. I've not tested these against any hardware; they may only work with v2000. I'm going to try the image on the v1444 hardware to see if it fixes the packet loss problem.

7230 4.03.03
Networking.belkin 54g_router and BELKIN_54G_RT_USA_4.03.03.bin.
Last modified Wed 14 Apr 2004, 09:42:00 GMT

7231 4.03.04
Networking.belkin 54g_router and BELKIN_RT_USA_4.03.04.bin.
Last modified Sat 03 Apr 2004, 08:30:00 GMT

7230 4.05.03
Networking.belkin 54g_router and BELKIN_RT_54G_USA_4.05.03.bin.
Last modified Tue 14 Sep 2004, 08:47:00 GMT

7231 4.05.03
Networking.belkin BELKIN_RT_USA_4.05.03.bin.
Last modified Tue 14 Sep 2004, 08:24:00 GMT

The last-modified date is what's reported by a HEAD against the firmware file. You can see that while they released 4.03.03 in Oct 2004, it was built back in April.

--

I've now tested these images on my two v1444 units without a problem. I'm happy to report that the packet loss bug in the 4.xx.xx firmware has been fixed.

Further, I've taken the two 4.05.03 firmware files apart. The both the kernel and ramdisk contents are identical. As in previous case, the only difference is in the NVRAM settings and the flash header: $ diff 7230-4.05.03.conf 7231-4.05.03.conf 7,9c7,9 < *boardflags=0x0188 < *hw_model=F5D7230-4 < *fw_magic=0x44414f4c --- > *boardflags=0x0388 > *hw_model=F5D7231-4 > *fw_magic=0x02013200 23c23 < *fw_src=[[<a|http://networking.belkin.com/update/files/54g_router.html]] --- > *fw_src=http://networking.belkin.com/update/files/usa/125/54g_router.html 77c77 < wl0_lazywds=1 --- > wl0_lazywds=0 97a98 > wl0_afterburner=auto Compared with 4.03.03, there are also less symlinks for Busybox, but it doesn't appear that they compiled less into Busybox itself. There are newer versions of some stock utils. Most importantly, Askey is using a newer Broadcom reference kernel release, and a newer version of WL.O: {{{4.03.03 kernel:

Linux version 2.4.20 ( lchen@penguin.askey.com ) (gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications) #1 Fri Apr 2 16:05:18 PST 2004

(from wl.o) Jan 21 2004 20:52:36 %s: Broadcom BCM43XX 802.11 Wireless Controller %s (Compiled in %s at %s on %s) 3.50.21.10

4.05.03 kernel:

Linux version 2.4.20 ( lchen@penguin.askey.com ) (gcc version 3.2.3 with Broadcom kernel-4.05.03-vers:modifications) #16 Mon Sep 13 17:29:59 PDT 2004

(from wl.o) 3.60.9.0 %s: Broadcom BCM%04x 802.11 Wireless Controller 3.60.9.0 wds%d.%d 17:31:16 Apr 2 2004}}}

2.15. Note regarding 4.05.03 firmware

I also upgraded my v.1444 unit to the "new" firmware. Wireless performance locally is definitely superior (I have no problems getting 1100 kB/s streaming). However, my WAN performance has (if possible) gone to crap completely, even though I only use the Belkin as an AP (I have another dedicated firewall). From wireless clients, I struggle to get 30 kB/s from the Internet, from wired clients (to the belking) I get my usual 300 kB/s.

I've given up and installed a proxy on one of my wired clients for the wireless machines to use. This way my Internet performance from the wireless clients is decent (approaching 300 kB/s).

2.16. Locations of "official" firmware

While Belkin still officially insists (as of April, 2005) that 4.03.03 is the latest version of firmware for the F5D7230-4, this isn't so, since it's available at the networking.belkin site.

Here are the latest "official" firmware versions:

• F5D7230-4_4.03.03.bin

• "v3000" 5.00.02 BK54gr_v5.00.02.bin

Of course, the UK gets 4.05.03:

• UK BELKIN_RT_54G_UK_4.05.03.bin

Here are the "unofficial", but shipping versions:

• BELKIN_54G_RT_USA_4.03.03.bin

• BELKIN_RT_54G_USA_4.05.03.bin

(They don't even have a consistant naming scheme! : )`

2.17. 5.00.02 firmware

Belkin's page says this is only for the F5D7230-4 "version 3000". I've not tried it on my older units (yet). The firmware image differs from previous ones in that there is an extra 256-byte header in the front, and it lacks the configuration data tacked onto the end.

00000000  55 aa 55 00 19 42 65 6c  6b 69 6e 2d 46 69 72 65  |U.U..Belkin-Fire| 00000010  77 61 6c 6c 78 32 30 52  6f 75 74 65 72 00 01 08  |wallx20Router...| 00000020  35 2e 30 30 2e 30 32 00  02 0a 46 35 44 37 32 33  |5.00.02...F5D723| 00000030  30 2d 34 00 03 04 00 01  02 ff 04 0b 6e 6f 72 6d  |0-4.........norm| 00000040  61 6c 63 6f 64 65 00 05  0c 42 45 34 30 34 38 30  |alcode...BE40480| 00000050  30 30 30 31 00 06 06 06  00 1b b0 00 b9 ff 5f 2e  |0001.........._.| 00000060  2e 2e 2e 2e 2e 2e 2e 2e  2e 2e 2e 2e 2e 2e 2e 2e  |................| * 00000100  48 44 52 30 00 b0 1b 00  ea 97 23 bf 00 00 01 00  |HDR0......#.....| 00000110  1c 00 00 00 14 8c 09 00  00 00 00 00 1f 8b 08 08  |................| 00000120  c9 85 e7 41 02 03 70 69  67 67 79 00 ec 7c 0f 74  |...A..piggy..|.t| 00000130  1d 57 79 e7 f7 ee cc 93  9e 6d 25 1e c9 b2 fc ec  |.Wy......m%.....| 

Kernel

% dd if=BK54gr_v5.00.02.bin bs=1 skip=284 count=625656 > k5.00.02.gz % gunzip k5.00.02.gz % strings - k5.00.02 ... Linux version 2.4.20 ( dvdchen@sw2cvs2.localdomain ) (gcc version 3.2.3 with Broad com modifications) #244

• 14 16:41:39 CST 2005

The date string is very odd: 0011b210  33 2e 32 2e 33 20 77 69  74 68 20 42 72 6f 61 64  |3.2.3 with Broad| 0011b220  63 6f 6d 20 6d 6f 64 69  66 69 63 61 74 69 6f 6e  |com modification| 0011b230  73 29 20 23 32 34 34 20  a4 ad 20 31 a4 eb 20 31  |s) #244 .. 1.. 1| 0011b240  34 20 31 36 3a 34 31 3a  33 39 20 43 53 54 20 32  |4 16:41:39 CST 2| 0011b250  30 30 35 0a 00 00 00 00  00 00 00 00 00 00 00 00  |005.............|

Filesystem

% dd if=BK54gr_v5.00.02.bin bs=625940 skip=1 > cramfs.7230.5.00.02 % sudo mount cramfs.7230.5.00.02 /mnt -t cramfs -o loop

Here's a comparison of the filesystems: {{{4.03.03: 4.05.03: 5.00.02: bin/ bin/ bin/ dev/ dev/ dev/ etc/ etc/ etc/ lib/ lib/ lib/ sbin/ sbin/ sbin/ usr/ usr/ usr/ var@ var@ var@ www/ www/

4.03.03/bin: 4.05.03/bin: 5.00.02/bin: busybox* busybox* busybox* cat@ chmod@ cat@ chmod@ cp@ chmod@ cp@ kill@ cp@ date@ ln@ date@ dd@ ls@ dd@ dmesg@ mount@ echo@ echo@ msh@ grep@ grep@ ping@ kill@ kill@ ps@ ln@ ln@ sh@ ls@ ls@ sleep@ mkdir@ mkdir@ touch@ mknod@ mknod@ umount@ more@ more@ mount@ mount@ msh@ msh@ mv@ mv@ ping@ ping@ ps@ ps@ rm@ pwd@ rmdir@ rm@ sh@ rmdir@ sleep@ sh@ umount@ sleep@ touch@ umount@

4.03.03/dev: 4.05.03/dev: 5.00.02/dev:

4.03.03/etc: 4.05.03/etc: 5.00.02/etc: hosts@ hosts@ ld.so.cache ld.so.cache ld.so.cache ld.so.conf ld.so.conf ld.so.conf resolv.conf@ nsswitch.conf@ nsswitch.conf@ ppp/ ppp/ resolv.conf@ resolv.conf@

4.03.03/etc/ppp: 4.05.03/etc/ppp: chap-secrets@ chap-secrets@ options.pptp* options.pptp* pap-secrets@ pap-secrets@ peers/ peers/

4.03.03/etc/ppp/peers: 4.05.03/etc/ppp/peers: my-isp@ my-isp@

4.03.03/lib: 4.05.03/lib: 5.00.02/lib: ld-uClibc.so.0* ld-uClibc.so.0* ld-uClibc.so.0* libc.so.0* libc.so.0* libc.so.0* libcrypt.so.0* libcrypt.so.0* libcrypt.so.0* libdl.so.0* libdl.so.0* libnsl.so.0* libnsl.so.0* libnsl.so.0* modules/ libresolv.so.0* libresolv.so.0* libutil.so.0* libutil.so.0* modules/ modules/

4.03.03/lib/modules: 4.05.03/lib/modules: 5.00.02/lib/modules: 2.4.20/ 2.4.20/ 2.4.20/

4.03.03/lib/modules/2.4.20:4.05.03/lib/modules/2.4.20:5.00.02/lib/modules/2.4.20: build@ build@ build@ kernel/ kernel/ kernel/

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ drivers/ drivers/ drivers/

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ net/ net/ net/

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ et/ et/ et/ led/ led/ wl/ wl/ wl/

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ et.o et.o et.o

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/ led.o led.o

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ wl.o wl.o wl.o

4.03.03/sbin: 4.05.03/sbin: 5.00.02/sbin: erase@ erase@ BlockSurfing@ hotplug@ hotplug@ CheckWan@ ifconfig@ ifconfig@ MonTask@ init@ init@ StopWan@ insmod@ insmod@ TestLedCtrl@ klogd@ rc* WanLedCtrl@ lsmod@ reboot@ erase@ rc* stats@ hb_connect@ reboot@ write@ hb_disconnect@ rmmod@ hotplug@ stats@ ifconfig@ syslogd@ init@ write@ insmod@

• lsmod@ rc* reboot@ rmmod@ stats@ write@

4.03.03/usr: 4.05.03/usr: 5.00.02/usr: bin/ bin/ bin/ lib/ lib/ lib/ sbin/ sbin/ sbin/ tmp@ tmp@ tmp@

4.03.03/usr/bin: 5.00.02/usr/bin: free@ killall@ killall@ 4.05.03/usr/bin: route@ route@ killall@ tftp@ route@ wget@ tftp@

4.03.03/usr/lib: 4.05.03/usr/lib: 5.00.02/usr/lib: libnetconf.so* libnetconf.so* libnetconf.so* libnvram.so* libnvram.so* libnvram.so* libshared.so* libshared.so* libshared.so*

4.03.03/usr/sbin: 4.05.03/usr/sbin: 5.00.02/usr/sbin: bkserver* bkserver* bpalogin* bpalogin* bpalogin* brctl* brctl* brctl* dnsmasq* dnsmasq* dnsmasq* epi_ttcp* exlog* exlog* gpio* httpd* httpd* httpd* iptables* iptables* httpd2* led_mon* led_mon* nas* nas* nas* nas4not@ nas4not@ nas4not@ ntpclient* netfilter_log* netfilter_log* nvram* ntpclient* ntpclient* parental* nvram* nvram* pppd* parent_control* parent_control* pptp* pppd* pppd* setled* pppoecd* pppoecd* udhcpc@ pptp* pptp* udhcpd* route_check* route_check* upnp* udhcpc@ udhcpc@ vconfig* udhcpd* udhcpd* wizard* upnp* upnp* wl* vconfig* vconfig* wlconf* wlconf* wlconf*

• zcsvc*

4.03.03/www: 4.05.03/www: check_firmware_fail.html check_firmware_fail.html check_firmware_failb.html check_firmware_failb.html duplicate.html duplicate.html fw_clientip.html fw_clientip.html fw_dmz.html fw_dmz.html fw_id.html fw_id.html fw_mac.html fw_mac.html fw_main.html fw_main.html fw_ping.html fw_ping.html fw_security.html fw_security.html fw_virt.html fw_virt.html fw_virt.js fw_virt.js glossary.html glossary.html graphics/ graphics/ help.html help.html index.html index.html indexa.html indexa.html lan_dhcp.html lan_dhcp.html lan_main.html lan_main.html lan_settings.html lan_settings.html language.js language.js login.html login.html loginerr.html loginerr.html main_router.css main_router.css reset_success.html reset_success.html restore_factory_default_sucrestore_factory_default_suc restore_setting_success.htmrestore_setting_success.htm showMenu.js showMenu.js styles.css styles.css tmp@ tmp@ update_firmware_success_en.update_firmware_success_en. util_factory.html util_factory.html util_firmware.html util_firmware.html util_main.html util_main.html util_parentalc.html util_parentalc.html util_parentalc_acctinfo.htmutil_parentalc_acctinfo.htm util_parentalc_advance.htmlutil_parentalc_advance.html util_parentalc_refresh.htmlutil_parentalc_refresh.html util_prev.html util_prev.html util_reset.html util_reset.html util_save.html util_save.html util_system.html util_system.html utilb_system.html utilb_system.html validate.js validate.js violation_page.html violation_page.html wan_conn.html wan_conn.html wan_dns.html wan_dns.html wan_dynamic.html wan_dynamic.html wan_mac.html wan_mac.html wan_main.html wan_main.html wan_pppoe.html wan_pppoe.html wan_pptp.html wan_pptp.html wan_static.html wan_static.html wan_static_checked.html wan_static_checked.html wan_telstra.html wan_telstra.html wireless_apt.html wireless_apt.html wireless_apt_disabled.html wireless_apt_disabled.html wireless_apt_enable.html wireless_apt_enable.html wireless_bridge.html wireless_bridge.html wireless_chan.html wireless_chan.html wireless_encrypt.html wireless_encrypt.html wireless_encrypt_128.html wireless_encrypt_128.html wireless_encrypt_64.html wireless_encrypt_64.html wireless_encrypt_no.html wireless_encrypt_no.html wireless_mac_ctrl.html wireless_mac_ctrl.html wireless_main.html wireless_main.html wireless_wpa.html wireless_wpa.html wireless_wpa_psk.html wireless_wpa_psk.html

4.03.03/www/graphics: 4.05.03/www/graphics: bar.gif bar.gif bar_cap.gif bar_cap.gif bar_floor.gif bar_floor.gif bar_slope.gif bar_slope.gif blu_bar.gif blu_bar.gif head_logo.gif head_logo.gif shim.gif shim.gif title.gif title.gif}}}

One substantional difference is the lack of /www directory. These files are now compiled into httpd: -rwxr-xr-x    1 users      150076 Dec 31  1969 fs.7230.4.03.03/usr/sbin/httpd -rwxr-xr-x    1 users      161412 Dec 31  1969 fs.7230.4.05.03/usr/sbin/httpd -rwxr-xr-x    1 users      779144 Dec 31  1969 fs.7230.5.00.02/usr/sbin/httpd

New Update Address

Networking.belkin also has the "new" address for firmware updates at http://networking.belkin.com/update/files/usa/mfr2/54g_router.html 54g_router]. Except that the page says the latest is still 4.03.03, but then gives a broken link to the 4.03.03 firmware (lacking the '.bin' extension). Quality control! : )`

New WL.O

Finally, the version of WL.o is also newer: 3.80.13.0 net/wl%d %s: Broadcom BCM%04x 802.11 Wireless Controller 3.80.13.0 Memory leak of bytes %d wds%d.%d 18:48:49 Aug 15 2004

New or changed utils

They added /usr/sbin/epi_ttcp. This is 'ttcp', a tool used for measuring the throughput of TCP connections. Someone must finally be sensistive to performance.

I wonder if the 'v3000' hardware has no LEDs, since they've removed the kernel module and support programs, unless it's now linked into the kernel and handled by interrupts (or some other program).

/usr/sbin/httpd2 has been split off from http