Access Point, 128 WEP. To 28V, draws about 4W. Internal antennae connectors Hirose U.FL series.

1. Hardware

1.1. Known F5D7230-4 Hardware Versions

1.1.1. Version 1111tt FCC ID: QDS-BRCM1005


1.1.2. Version 1444 FCC ID: K7SF5D72304


Serial port hookup instructions for v. 1444

1.1.3. Version 2000 FCC ID: K7SF5D7234A


1.1.4. Version 3000 FCC ID: PD5F5D72304


1.1.5. Version 4000 FCC ID: K7S7230A (in FCC ID DB as K7SF5D7230A ?)


1.1.6. Version 5000 FCC ID: RAXWG4005FB

I just picked this up at Circuit City. They just got them in today, 04 February 2006. Doesn't seem to run Linux so it's just going to get returned. Sigh.


An NMap scan on it:

Interesting ports on

(The 65533 ports scanned but not shown below are in state: closed)


80/tcp    open  http

21417/tcp open  unknown

MAC Address: 00:11:50:76:65:97 (Unknown)

Device type: WAP

Running: SMC embedded

OS details: SMC Barricade DSL Router/Modem/Wireless AP

OS Fingerprint:










TCP Sequence Prediction: Class=trivial time dependency

                         Difficulty=1 (Trivial joke)

TCP ISN Seq. Numbers: FE5E FE69 FE75 FE80 FE8C

IPID Sequence Generation: Incremental

Not sure whats up with the random open ports. They seem to randomly change and disappear. I can Telnet to them and type random stuff but nothing comes back.

1.1.7. Version 6002 FCC ID: K7SF5D7230C

I got this one at Circuit City 12/08/06. It drops its Internet connection and needs frequent resetting.


It is likely that the hardware of this version is very similar to LinksysWrt54gc.

1.1.8. Version 7002uk or 1000yy Sweden, FCC ID: RAXWG4005G

FCC info on this version of the unit can be found on: RAXWG4005G Havent got around to build any firmeware or flash this unit yet. just did a quick peek in the current vendor firmware-update bin (uk v9.01.05).




The current vendor bin contains two lzma packed files (filenames assumed) * offset: 0-1364d = psf.bin, size: 79 438 bytes, unpacked: 715 638 bytes

More info and code to extract data from "PFS/0.9"-images can be found at

Additional relevant offsets in vendor bin:

Mini Loader info


Running: 3Com embedded, Philips embedded, Sinus embedded, SMC embedded

OS details: Wireless broadband router (3Com OfficeConnect, Philips SNB6500, Sinus 154, SMC SMCWEBT-G,

or SMC SMCWBR14-G2), SMC SMC2804WBRP-G wireless broadband router

53/udp    open|filtered domain

67/udp    open|filtered dhcps

68/udp    open|filtered dhcpc

80/tcp    open  http

1900/udp  open|filtered upnp

10101/tcp open  unknown

32768/udp open|filtered omad

Note on port 10101/tcp: "bkserver process listens to port 10101, the process is used for router quick setup procedure from Belkin's installation CD."

1.1.9. Version 7000 FCC ID: K7SF5D7230D

Grabbed this at Wal-Mart today, 2007/06/28. They do have WPA now, at least, and it was only $40, so I'll keep it. Still reporting Apache 0.6.5.


Exactly identical to Dynex DX-WGRTR.

1.2. F5D7230-4 vs. F5D7230v4

The "v4" seems to come in blister packs from HomeDepot and Microcenter. All that I've seen are v2000. The physical box is smaller than the original units.

1.3. Power and Antennas

Tested up to 28V! Draws about 4W; can you say low-cost solar-powered wireless Linux box? Put it in my car with engine running (alternator and spark plug noise test), connected to inside the house, works great! (for details see link below in the next section).

The internal antenna connectors appear to be Hirose U.FL series, which is emerging as a standard for miniPCI cards. Since the first revision of this AP used a miniPCI radio, this carried over to the current rev, which has the radio on the board but uses the same antennae and connectors. (Anyone with U.FL pigtails want to verify this? I'm just educated-guessing.)

1.4. F5D7230-4 Serial Console - DIY Process Documented

The Belkin F5D7230-4 Serial Console document has been published.

Brief document insight:

Boot sequence output, up to kernel load, is:


Here we try to capture the default reset button: None.

CFE version 1.0.37 for BCM947XX (32bit,SP,LE)

Build Date: Mon Apr 19 18:19:30 CST 2004 (denny@dnylinux)

Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena.

Initializing Devices.

et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller

CPU type 0x29007: 200MHz

Total memory: 0x800000 bytes (8MB)

Total memory used by CFE:    0x80300000 - 0x80434A50 (1264208)

Initialized Data:            0x8032EB60 - 0x80330E90 (9008)

BSS Area:                    0x80330E90 - 0x80332A50 (7104)

Local Heap:                  0x80332A50 - 0x80432A50 (1048576)

Stack Area:                  0x80432A50 - 0x80434A50 (8192)

Text (code) segment:         0x80300000 - 0x8032EB60 (191328)

Boot area (physical):        0x00435000 - 0x00475000

Relocation Factor:           I:00000000 - D:00000000

Device eth0: hwaddr 00-11-50-0D-DD-C4, ipaddr, mask

        gateway not set, nameserver not set

Reading :: Failed.: Timeout occured

Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)

Loading: ..... 1482752 bytes read

Entry at 0x80001000

Closing network.

Starting program at 0x80001000

CPU revision is: 00029007

Primary instruction cache 8kb, linesize 16 bytes (2 ways)

Primary data cache 4kb, linesize 16 bytes (2 ways)

Linux version 2.4.20 ( (gcc version 3.0 20010422 prerelease) with bcm4710a0 modifications) #8 Mon 1 Dec 2003, 20:51:49 PST

Document at as OpenWRT on the Belkin F5D7230-4 - Serial Console.pdf
from document directory.

Congrats Rick -- good work; loving the competition ;-)


1.5. Other devices based on Broadcom BCM47XX reference design

1.6. Hardware version 1010, 20 pin expansion bus

I'm trying to figure out what is available on the expansion connector on hardware 1010, and probaly other versions of the board. This is what I've found so far:







































My guess is that you can connect an UART to this port. Broadcom specs refer to UART 16551. According to the Broadcom docs, GPIO1 is used as interrupt. I'm not sure which pin this is routed to yet. According to the Broadcom doc, GPIO1 should be routed to GND when UART is to be disabled... (Does anyone have pinouts for the chip ?)

It would be REALLY great if someone with never revisions that includes an UART, could measure what pins on the UART goes to what pin on the 20pin connector ;-) -js

WAP54Gv1.1 uses the same 20-pin jumper block for external UART.

Schematic for the Asus WL-500G.

2. Firmware

2.1. Extracting firmware

Belkin's 802.11g router/AP.
To get cramfs: dd if=BELKIN_2.00.05.bin of=test.dump bs=1 skip=655388

One can find the start of the cramfs part of the .bin file by looking for hex values 3d4528cd. The offset of this 3d byte is the skip value ( converted to decimal ). hexdump test.dump | grep 3d45

Specific Firmware Versions

Use the following psuedo commands to extract the cramfs filesystem from the specific version firmware file, replacing the input filename as appropriate.






In at least one known version (4.05.03) the offsets are verified identical in the UK and USA firmwares available for download.

2.2. One step closer to custom firmware

I was able to modify some files on the firmware and upload it to the router. Here is how:

mail me at 54g at barabasy dot cjb dot net

2.3. I got a shell on the box

The idea is simple. Replace the httpd binary in /usr/sbin of the firmware to any binary we want. For instance, I replaced it by a Telnet daemon. For that, I used Busybox 1.00.pre5, which, I must say, is pleasantly well packaged, and delightfully easy to use. Here is what I did:

You can uncheck any applet you don't want during the Busybox config.

2.4. Boot messages

Here are the boot messages from dmesg

CPU revision is: 00024000

Loading BCM4710 MMU routines.

Primary instruction cache 8kb, linesize 16 bytes (2 ways)

Primary data cache 4kb, linesize 16 bytes (2 ways)

Linux version 2.4.20 ( (gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications) #1 Mon Oct 6 14:16:21 PDT 2003

Determined physical RAM map:

 memory: 01000000 @ 00000000 (usable)

On node 0 totalpages: 4096

zone(0): 4096 pages.

zone(1): 0 pages.

zone(2): 0 pages.

Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200

CPU: BCM4710 rev 0 at 125 MHz

!unable to setup serial console!

Calibrating delay loop... 82.94 BogoMIPS

Memory: 14588k/16384k available (1197k kernel code, 1796k reserved, 104k data, 64k init, 0k highmem)

Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)

Inode cache hash table entries: 1024 (order: 1, 8192 bytes)

Mount-cache hash table entries: 512 (order: 0, 4096 bytes)

Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)

Page-cache hash table entries: 4096 (order: 2, 16384 bytes)

Checking for 'wait' instruction...  unavailable.

POSIX conformance testing by UNIFIX

PCI: Fixing up bus 0

PCI: Fixing up bridge

PCI: Fixing up bus 1

Linux NET4.0 for Linux 2.4

Based upon Swansea University Computer Society NET3.039

Initializing RT netlink socket

Starting kswapd

devfs: v1.12c (20020818) Richard Gooch (

devfs: boot_options: 0x1

pty: 256 Unix98 ptys configured

Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled

 Amd/Fujitsu Extended Query Table v1.2 at 0x0040

number of CFI chips: 1

flash device: 400000 at 1fc00000

Physically mapped flash: cramfs filesystem found at block 843

Creating 5 MTD partitions on "Physically mapped flash":

0x00000000-0x00040000 : "pmon"

0x00040000-0x003c0000 : "linux"

0x000d2c68-0x003c0000 : "rootfs"

0x003c0000-0x003e0000 : "profile"

0x003e0000-0x00400000 : "nvram"

sflash: chipcommon not found

NET4: Linux TCP/IP 1.0 for NET4.0

IP Protocols: ICMP, UDP, TCP

IP: routing cache hash table of 512 buckets, 4Kbytes

TCP: Hash tables configured (established 1024 bind 2048)

ip_conntrack version 2.1 (128 buckets, 1024 max) - 344 bytes per conntrack

ip_tables: (C) 2000-2002 Netfilter core team

ipt_time loading

NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.

NET4: Ethernet Bridge 008 for NET4.0

VFS: Mounted root (cramfs filesystem) readonly.

Mounted devfs on /dev

Freeing unused kernel memory: 64k freed

Warning: unable to open an initial console.

eth0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller

eth1: Broadcom BCM47xx 10/100 Mbps Ethernet Controller

PCI: Enabling device 01:01.0 (0004 -> 0006)

eth2: Broadcom BCM43XX 802.11 Wireless Controller (Compiled in . at 19:20:29 on Jul 14 2003)

CSLIP: code copyright 1989 Regents of the University of California

PPP generic driver version 2.4.2

PPP MPPE compression module registered

Algorithmics/MIPS FPU Emulator v1.5

device eth0 entered promiscuous mode

<==sintInstallLEDs: VIOBA=b8007000

device eth2 entered promiscuous mode

br0: port 2(eth2) entering learning state

br0: port 1(eth0) entering learning state

br0: port 2(eth2) entering forwarding state

br0: topology change detected, propagating

br0: port 1(eth0) entering forwarding state

br0: topology change detected, propagating

br0: port 2(eth2) entering disabled state

br0: port 1(eth0) entering disabled state

br0: port 1(eth0) entering disabled state

device eth0 left promiscuous mode

==>sintUninstallLEDs: VIOBA=b8007000

br0: port 2(eth2) entering disabled state

device eth2 left promiscuous mode

device eth0 entered promiscuous mode

<==sintInstallLEDs: VIOBA=b8007000

device eth2 entered promiscuous mode

br0: port 2(eth2) entering learning state

br0: port 1(eth0) entering learning state

br0: port 2(eth2) entering forwarding state

br0: topology change detected, propagating

br0: port 1(eth0) entering forwarding state

br0: topology change detected, propagating

2.5. Using Linksys binaries

Firmware 3.00.07 uses kernel 2.4.20, as Linksys firmware 1.42.2 does. Hence, all modules compiled from the Linksys source tree load with no problem on the Belkin. Binaries should work also if the libraries are well installed. As examples, I was able to mount a NFS filsystem by loading lockd.o, sunrpc.o and nfs.o that I just compiled from Linksys source and using Busybox supporting NFS mount. I was also able to run in client mode by loading the wl_apsta.o from Linksys and using the WL binary.

# ./busybox mount nfs

mount: /etc/mtab: Read-only file system

# mount

rootfs on / type rootfs (rw)

/dev/root on / type cramfs (ro)

none on /dev type devfs (rw)

proc on /proc type proc (rw)

ramfs on /tmp type ramfs (rw) on /tmp/nfs type nfs (rw,v3,rsize=8192,wsize=8192,hard,udp,lock,addr=

# ls nfs

lockd.o                               hackuser.conf

sunrpc.o                              apusermod.conf

nfs.o                                 piggy.gz

wl_sta.o                              3007.trx

wl_apsta.o                            style.css.gz

mini_httpd-1.19                       kerfile.bin

index.htm                             custom.bin

install.c                             kern.bin


3007telnet.bin                        try.dump

Install                               fstest

busybox-1.00-pre5.tar.gz              user1.conf

busybox-1.00-pre5                     code.bin

wrt54g-0.3.tar.gz                     res.conf

wrt54g-0.3                            test.conf

wrt54g-sshd-2003-09-13.tar.bz2        user.conf.1

wl                                    user.conf

wrt54g-sshd-2003-09-13                test.dump

nvram.txt                             linux.trx


3007hack.cramfs                       ripflashmd9781manager_0.3.1-3.tar.gz

3007b.cramfs                          ripflashlinux

3007ker.gz                            log_web.txt

savedapuser.conf                      insiderouter.html

3007                                  F5D7230-4-V3.00.07.bin

3007.cramfs                           buffalo.dump

apuserno.conf                         BELKIN_2.00.04

apuser.conf                           BELKIN_1.01.00

routeruser.conf                       belk

2.6. Recovery methods

It has been confirmed that on boot you can fix a trashed flash upload by using TFTP. You must configure your Ethernet interface to the 192.168.2.x/24 network, but not This method works reliably with version 2000 hardware, and is rumored to work with prior versions as well. The boot loader automatically uses IP address

Pitfall: the TFTP client which comes with mac osx didn't work for me, the winxp one worked like a charm, as does the Linux TFTP client.

Hint: I bricked my router by uploading a legal image which would try to boot but wouldn't manage to bring up a Web interface (4.03.03 on v2000 hardware will do it). I opened the unit and located the flash rom (an Am29LV190B in my case). Then I had a look at the data sheet to find out where the address pins of the chip rest. Then I rebooted the router short circuiting two address pins, this let the bootloader think that it is loading a screwed up cramfs image and gave me access to TFTP. The invalid kernel status is indicated by a slowly flashing power LED and a a green flashing WLAN LED, if you see that you know that you can use TFTP.

Hint 2: If you catch the boot fast enough, or just start the transfer on your TFTP client then reboot the router, you do not need to mess with shorting pins on the flash chip.

> binary
> rexmt 1
> verbose
> put firmware_filename.bin
>> reboot router now <<

Or for Windows XP: # TFTP -i put firmware_filename.bin

After booting the router, it will then blink the power light rapidly while it writes flash, don't power it off! Then it resets and starts up like normal and you have saved your box! (I assume the windows CD that comes with it does the same thing) The boot loader is in a protected area of flash so TFTP should always be available at power up to get you out of trouble.

It seems that with some hardware versions the WAN LED starts blinking after the flash is finished. At that point you have to reset using the reset deep switch.

I thought I messed it up good one time, but holding the reset button in for about 10 seconds makes it reset to "default" and then TFTP or whatever firmware you have works again.

It looks like there is a "jtag" port on this, so if you totally trash the thing you can build a simple jtag interface and possibly upload the firmware that way (but it ain't easy!).

These links have some inside PCB pics, info on opening the box, some distance RF test data and more at:;Board=RG

2.7. Custom firmware images

I have made a TRX image that is suitable for development for the F5D7230-4.

* It's based upon the 3.07 firmware.
* Most of the old binaries has been replaced. (The firmware is heavily based on Busybox 1.0-pre8.)
* Includes TelnetD. Please note that Telnet is listening on both LAN and WAN interface.
* Includes nfs support
* The custom init has been replaced by Busybox init and a custom shell script to do the basic init stuff. Still uses NVRAM to configure router after boot. (/etc/init.d/rcS)
* Webserver and wireless support is not included in the current image.

To mount a nfs volume you can do something like this: mount -o nolock -t nfs /mnt

chroot is installed, so you can chroot to your custom system by doing something like chroot /mnt/mybelkin

Please note that the power / connected lights will not be light up when the device is up. I'm working on making a program to control the lights. Have found the gpio for connected, but havent found for power on yet, so it shouldnt take long...

Please verify that you are able to upload the original image via TFTP before you attempt to use this image. It is possible to change firmware by Telneting to the unit, erasing the mtd area and dd'ing a new image in. But this is only recomended for experienced users as it can render your unit completly unusable.

The image can be obtained from this url (Use at your own risk. Don't blame me if your device goes up to smoke):

you can contact me at: belkin at suphammer DoT net

Here is the list of files and symlinks contained in the firmware F5D7230-4_V4.00.03.bin:





















































































































bin/cat -&gt; busybox

bin/chmod -&gt; busybox

bin/cp -&gt; busybox

bin/date -&gt; busybox

bin/dd -&gt; busybox

bin/echo -&gt; busybox

bin/grep -&gt; busybox

bin/kill -&gt; busybox

bin/ln -&gt; busybox

bin/ls -&gt; busybox

bin/mkdir -&gt; busybox

bin/mknod -&gt; busybox

bin/more -&gt; busybox

bin/mount -&gt; busybox

bin/msh -&gt; busybox

bin/mv -&gt; busybox

bin/ping -&gt; busybox

bin/ps -&gt; busybox

bin/pwd -&gt; busybox

bin/rm -&gt; busybox

bin/rmdir -&gt; busybox

bin/sh -&gt; busybox

bin/sleep -&gt; busybox

bin/touch -&gt; busybox

bin/umount -&gt; busybox

etc/hosts -&gt; /tmp/hosts

etc/nsswitch.conf -&gt; /tmp/nsswitch.conf

etc/ppp/chap-secrets -&gt; /tmp/chap-secrets

etc/ppp/pap-secrets -&gt; /tmp/pap-secrets

etc/ppp/peers/my-isp -&gt; /tmp/my-isp

etc/resolv.conf -&gt; /tmp/resolv.conf

lib/modules/2.4.20/build -&gt; /home4/lchen/rt511201-2/RT19xW/src/linux/linux

sbin/erase -&gt; rc

sbin/hotplug -&gt; rc

sbin/ifconfig -&gt; ../bin/busybox

sbin/init -&gt; rc

sbin/insmod -&gt; ../bin/busybox

sbin/klogd -&gt; ../bin/busybox

sbin/lsmod -&gt; ../bin/busybox

sbin/reboot -&gt; ../bin/busybox

sbin/rmmod -&gt; ../bin/busybox

sbin/stats -&gt; rc

sbin/syslogd -&gt; ../bin/busybox

sbin/write -&gt; rc

usr/bin/free -&gt; ../../bin/busybox

usr/bin/killall -&gt; ../../bin/busybox

usr/bin/route -&gt; ../../bin/busybox

usr/bin/tftp -&gt; ../../bin/busybox

usr/bin/wget -&gt; ../../bin/busybox

usr/sbin/nas4not -&gt; nas

usr/sbin/udhcpc -&gt; udhcpd

usr/tmp -&gt; ../tmp

var -&gt; tmp/var

www/tmp -&gt; /tmp/www

Of particular interest is that the RC binary (a multipurpose binary which runs as the init process) is dynamically linked against, which is derived from iptables. This code can only be legally distributed as GPL code - IOW; Belkin must make the source code available (as Cisco/Linksys did).

2.9. Belkin F5D7230-4 4.05.03 GPL firmware source code available!

New! The 4.05.03 firmware source and compiler toolchain is now available from the GPL page!

The previous firmware version has been removed.

The reported compile success of the 4.05.03 firmware was incorrect. It will compile if you run "make", but not "make belkin". There are source files missing out of the router_belkin/shared directory. Anyone care to call Belkin and complain about an incomplete firmware distribution? wl.c wl_linux.c user_conf.c wlioc.c karnmd5.c getURL.c web_interface.c are all missing.

Any further success with the 4.05.03 firmware, please e-mail me at weage98 -at- yahoo -dot- com.

Previous GPL firmware notes (4.00.03 ?)

Has anyone succesfully built a firmware from this source? I got compilation errors in src/router/ppp/pppoecd

Add this lines to src/router/ppp/pppoecd/sys-linux.c

line 79 "#define PPPIOCGLANIP _IOR('t', 92, int)"

line 80 "#define PPPIOCSLANIP _IOW('t', 91, int)"

Sveasoft edit: We're looking at building a custom firmware version for this device. Please post feedback about desired features/fixes at phpBB2 in the Belkin F5D7230-4 forum.

2.10. F5D7230-4 root shell and consolidated data structures

I'm looking to get OpenWRT on this device. I've developed a simpler way to get a root shell on the device, as well as publishing a consolidated internal structure resource (and software to reliably generate the firmware images). This is all documented at as OpenWRT on the Belkin F5D7230-4.pdf.

I've had trouble getting alternate CRAMFS file systems under the native kernel. I'd dearly like to skip this step altogether, in favour of a direct OpenWRT install, but this just doesn't work. A simple method for attaining a serial console would be useful.

2.11. F5D7230-4 Broadcom GPL Reference Firmware Compiled

Brief document insight:

    Belkin published the Broadcom reference firmware;

    a small Linux distribution, designed to act as a

    proof-of-concept and development environment for

    the Belkin engineers. To minimize the amount of

    experimentation required to adapt the OpenWRT and

    Sveasoft firmware for use on the Belkin, the

    published Broadcom reference firmware was compiled

    to see if it was functional, and able to provide

    driver and configuration information for the open

    source distributions.


    Furthermore, this process was developed rapidly

    due to the excellent work performed by Rick

    Bronson. Rick published the findings of his work

    on his Web site and has been very supportive of

    the development process;

[Document OpenWRT on the Belkin F5D7230-4 - Broadcom Firmware.pdf, from the directory.]

2.12. Upgrading the F5D7230-4 v1444 to a F5D7231-4 125mbit High Speed Mode (HSM)

I just picked up a F5D7230-4 v1444 router for $20. Everyone else seems to have given up hacking these things but I haven't. The v1444 comes with firmware version 4.03.03.

Its been noticed that you can upgrade the F5D7230-4 v1444 to a F5D7231-4, just grab the firmware. Latest on the site as of this writing is 4.03.04)

Use a hex editor to change the first four bytes to "LOAD", and flash it.

But here's the kicker! After extracting the kernels and filesystems and comparing the 4.03.03 and 4.03.04 firmwares, they are byte for byte exactly the same! The only difference is in the NVRAM settings and the flash header! Here are the differences:

$ diff -U0 4.03.03.conf 4.03.04.conf --- 4.03.03.conf      2005-02-11 02:51:30.414546494 -0600 +++ 4.03.04.conf      2005-02-11 02:50:52.365390556 -0600 @@ -3 +3 @@ -boardflags=0x0188 +boardflags=0x0388 @@ -61 +61 @@ -fw_magic=0x44414f4c +fw_magic=0x02013200 @@ -63 +63 @@ -fw_src= +fw_src= @@ -74 +74 @@ -hw_model=F5D7230-4 +hw_model=F5D7231-4 @@ -113 +113 @@ -os_version=4.03.03 +os_version=4.03.04 @@ -196 +196 @@ -wl0_gmode=1 +wl0_gmode=6 @@ -214 +214 @@ -wl0_lazywds=1 +wl0_lazywds=0

Note, the differing flash header kind of complicates things. Once you've loaded the new firmware by changing the header, you can not re-flash with that same header. You need the new one from then on. The new header is 0x003f0102. If you want to go back to the old firmware, you have to modify it with the new header first...

Though it would appear the fw_magic NVRAM setting sets the header it's looking for.

I haven't tested it but I bet you can just change the boardflags setting and get High Speed mode.

The 2MB flash is a tight squeeze. I have been able to hack up a current firmware with a Busybox TelnetD, at the cost of stripping out all but the bare bones, and hardwiring the configuration. I'll release it once I clean things up a bit.

-- seg at haxxed dot com

2.12.1. Upgrading v2000 to High Speed Mode (HSM) Firmware Not Useful

I tried upgrading the F5D7230-4 v2000 to the HSM. It wasn't very useful.

Now, I had the routers configured as access points with wireless bridging (using one essentially as a router and the other as an wireless AP for a desktop). I was drying to do Wireless Bridging between to v2000's. (Perhaps my mistake was that I didn't hit the factory defaults before the upgrade--who knows.) However, the result was that the router was unresponsive on the WAN/LAN ethernet ports (as was the case in the F5D7130 firmware to F5D7230-4 (v1444) section below). In addition, when I got to the web browser from the wireless interface, it said that bridge mode is not available with HSM. So, I couldn't use the router as an AP.

I thought for a while that I bricked the router, since tftp'ing the original firmware seemed to work but produced no response. I then realized that I needed to change the flash header of the original firwmare. Note that even if you tftp the router invalid firwmare, the tftp will be successful. However, the router won't really flash itself.

-- gmail://ferriseula

2.13. F5D7130 firmware to F5D7230-4 (v1444)

I just finished flashing a F5D7230-4 (v1444) with the last 4.03.03 F5D7130 firmware. The flash completed succesufully through the Web interface (because the two headers are the same), but the new Web interface is very, very poor and has only a few features. I tried this method because I thought I could get to work this device (F5D7230) as an AP client. Not a chance!, 'cause this is the only AP device in the world which cannot act as a AP client (it's only a Belkin issue, not a Linux-based one :) You cannot Web manage the ex-router through one of the Ethernet switched ports (nor the WAN one); the only way is to connect through wireless (with a wireless card installed). The IP address remains the same,
You may easily revert the F5D7230-4 original firmware through wireless right back afterward.

2.14. Available firmware (4.05.03 fixes packed loss bug)

I figured out these links based upon the posting by seg. I've not tested these against any hardware; they may only work with v2000. I'm going to try the image on the v1444 hardware to see if it fixes the packet loss problem.

7230 4.03.03
Networking.belkin 54g_router and BELKIN_54G_RT_USA_4.03.03.bin.
Last modified Wed 14 Apr 2004, 09:42:00 GMT

7231 4.03.04
Networking.belkin 54g_router and BELKIN_RT_USA_4.03.04.bin.
Last modified Sat 03 Apr 2004, 08:30:00 GMT

7230 4.05.03
Networking.belkin 54g_router and BELKIN_RT_54G_USA_4.05.03.bin.
Last modified Tue 14 Sep 2004, 08:47:00 GMT

7231 4.05.03
Networking.belkin BELKIN_RT_USA_4.05.03.bin.
Last modified Tue 14 Sep 2004, 08:24:00 GMT

The last-modified date is what's reported by a HEAD against the firmware file. You can see that while they released 4.03.03 in Oct 2004, it was built back in April.


I've now tested these images on my two v1444 units without a problem. I'm happy to report that the packet loss bug in the 4.xx.xx firmware has been fixed.

Further, I've taken the two 4.05.03 firmware files apart. The both the kernel and ramdisk contents are identical. As in previous case, the only difference is in the NVRAM settings and the flash header: $ diff 7230-4.05.03.conf 7231-4.05.03.conf 7,9c7,9 < *boardflags=0x0188 < *hw_model=F5D7230-4 < *fw_magic=0x44414f4c --- > *boardflags=0x0388 > *hw_model=F5D7231-4 > *fw_magic=0x02013200 23c23 < *fw_src=[[<a|]] --- > *fw_src= 77c77 < wl0_lazywds=1 --- > wl0_lazywds=0 97a98 > wl0_afterburner=auto Compared with 4.03.03, there are also less symlinks for Busybox, but it doesn't appear that they compiled less into Busybox itself. There are newer versions of some stock utils. Most importantly, Askey is using a newer Broadcom reference kernel release, and a newer version of WL.O: {{{4.03.03 kernel:

Linux version 2.4.20 ( ) (gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications) #1 Fri Apr 2 16:05:18 PST 2004

(from wl.o) Jan 21 2004 20:52:36 %s: Broadcom BCM43XX 802.11 Wireless Controller %s (Compiled in %s at %s on %s)

4.05.03 kernel:

Linux version 2.4.20 ( ) (gcc version 3.2.3 with Broadcom kernel-4.05.03-vers:modifications) #16 Mon Sep 13 17:29:59 PDT 2004

(from wl.o) %s: Broadcom BCM%04x 802.11 Wireless Controller wds%d.%d 17:31:16 Apr 2 2004}}}

2.15. Note regarding 4.05.03 firmware

I also upgraded my v.1444 unit to the "new" firmware. Wireless performance locally is definitely superior (I have no problems getting 1100 kB/s streaming). However, my WAN performance has (if possible) gone to crap completely, even though I only use the Belkin as an AP (I have another dedicated firewall). From wireless clients, I struggle to get 30 kB/s from the Internet, from wired clients (to the belking) I get my usual 300 kB/s.

I've given up and installed a proxy on one of my wired clients for the wireless machines to use. This way my Internet performance from the wireless clients is decent (approaching 300 kB/s).

2.16. Locations of "official" firmware

While Belkin still officially insists (as of April, 2005) that 4.03.03 is the latest version of firmware for the F5D7230-4, this isn't so, since it's available at the networking.belkin site.

Here are the latest "official" firmware versions:

Of course, the UK gets 4.05.03:

Here are the "unofficial", but shipping versions:

(They don't even have a consistant naming scheme! : )`

2.17. 5.00.02 firmware

Belkin's page says this is only for the F5D7230-4 "version 3000". I've not tried it on my older units (yet). The firmware image differs from previous ones in that there is an extra 256-byte header in the front, and it lacks the configuration data tacked onto the end.

00000000  55 aa 55 00 19 42 65 6c  6b 69 6e 2d 46 69 72 65  |U.U..Belkin-Fire| 00000010  77 61 6c 6c 78 32 30 52  6f 75 74 65 72 00 01 08  |wallx20Router...| 00000020  35 2e 30 30 2e 30 32 00  02 0a 46 35 44 37 32 33  |5.00.02...F5D723| 00000030  30 2d 34 00 03 04 00 01  02 ff 04 0b 6e 6f 72 6d  |0-4.........norm| 00000040  61 6c 63 6f 64 65 00 05  0c 42 45 34 30 34 38 30  |alcode...BE40480| 00000050  30 30 30 31 00 06 06 06  00 1b b0 00 b9 ff 5f 2e  |0001.........._.| 00000060  2e 2e 2e 2e 2e 2e 2e 2e  2e 2e 2e 2e 2e 2e 2e 2e  |................| * 00000100  48 44 52 30 00 b0 1b 00  ea 97 23 bf 00 00 01 00  |HDR0......#.....| 00000110  1c 00 00 00 14 8c 09 00  00 00 00 00 1f 8b 08 08  |................| 00000120  c9 85 e7 41 02 03 70 69  67 67 79 00 ec 7c 0f 74  |...A..piggy..|.t| 00000130  1d 57 79 e7 f7 ee cc 93  9e 6d 25 1e c9 b2 fc ec  |.Wy......m%.....| 


% dd if=BK54gr_v5.00.02.bin bs=1 skip=284 count=625656 > k5.00.02.gz % gunzip k5.00.02.gz % strings - k5.00.02 ... Linux version 2.4.20 ( dvdchen@sw2cvs2.localdomain ) (gcc version 3.2.3 with Broad com modifications) #244

The date string is very odd: 0011b210  33 2e 32 2e 33 20 77 69  74 68 20 42 72 6f 61 64  |3.2.3 with Broad| 0011b220  63 6f 6d 20 6d 6f 64 69  66 69 63 61 74 69 6f 6e  |com modification| 0011b230  73 29 20 23 32 34 34 20  a4 ad 20 31 a4 eb 20 31  |s) #244 .. 1.. 1| 0011b240  34 20 31 36 3a 34 31 3a  33 39 20 43 53 54 20 32  |4 16:41:39 CST 2| 0011b250  30 30 35 0a 00 00 00 00  00 00 00 00 00 00 00 00  |005.............|


% dd if=BK54gr_v5.00.02.bin bs=625940 skip=1 > cramfs.7230.5.00.02 % sudo mount cramfs.7230.5.00.02 /mnt -t cramfs -o loop

Here's a comparison of the filesystems: {{{4.03.03: 4.05.03: 5.00.02: bin/ bin/ bin/ dev/ dev/ dev/ etc/ etc/ etc/ lib/ lib/ lib/ sbin/ sbin/ sbin/ usr/ usr/ usr/ var@ var@ var@ www/ www/

4.03.03/bin: 4.05.03/bin: 5.00.02/bin: busybox* busybox* busybox* cat@ chmod@ cat@ chmod@ cp@ chmod@ cp@ kill@ cp@ date@ ln@ date@ dd@ ls@ dd@ dmesg@ mount@ echo@ echo@ msh@ grep@ grep@ ping@ kill@ kill@ ps@ ln@ ln@ sh@ ls@ ls@ sleep@ mkdir@ mkdir@ touch@ mknod@ mknod@ umount@ more@ more@ mount@ mount@ msh@ msh@ mv@ mv@ ping@ ping@ ps@ ps@ rm@ pwd@ rmdir@ rm@ sh@ rmdir@ sleep@ sh@ umount@ sleep@ touch@ umount@

4.03.03/dev: 4.05.03/dev: 5.00.02/dev:

4.03.03/etc: 4.05.03/etc: 5.00.02/etc: hosts@ hosts@ resolv.conf@ nsswitch.conf@ nsswitch.conf@ ppp/ ppp/ resolv.conf@ resolv.conf@

4.03.03/etc/ppp: 4.05.03/etc/ppp: chap-secrets@ chap-secrets@ options.pptp* options.pptp* pap-secrets@ pap-secrets@ peers/ peers/

4.03.03/etc/ppp/peers: 4.05.03/etc/ppp/peers: my-isp@ my-isp@

4.03.03/lib: 4.05.03/lib: 5.00.02/lib:************** modules/**** modules/ modules/

4.03.03/lib/modules: 4.05.03/lib/modules: 5.00.02/lib/modules: 2.4.20/ 2.4.20/ 2.4.20/

4.03.03/lib/modules/2.4.20:4.05.03/lib/modules/2.4.20:5.00.02/lib/modules/2.4.20: build@ build@ build@ kernel/ kernel/ kernel/

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ drivers/ drivers/ drivers/

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ net/ net/ net/

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ et/ et/ et/ led/ led/ wl/ wl/ wl/

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ et.o et.o et.o

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/ led.o led.o

4.03.03/lib/modules/2.4.20/4.05.03/lib/modules/2.4.20/5.00.02/lib/modules/2.4.20/ wl.o wl.o wl.o

4.03.03/sbin: 4.05.03/sbin: 5.00.02/sbin: erase@ erase@ BlockSurfing@ hotplug@ hotplug@ CheckWan@ ifconfig@ ifconfig@ MonTask@ init@ init@ StopWan@ insmod@ insmod@ TestLedCtrl@ klogd@ rc* WanLedCtrl@ lsmod@ reboot@ erase@ rc* stats@ hb_connect@ reboot@ write@ hb_disconnect@ rmmod@ hotplug@ stats@ ifconfig@ syslogd@ init@ write@ insmod@

4.03.03/usr: 4.05.03/usr: 5.00.02/usr: bin/ bin/ bin/ lib/ lib/ lib/ sbin/ sbin/ sbin/ tmp@ tmp@ tmp@

4.03.03/usr/bin: 5.00.02/usr/bin: free@ killall@ killall@ 4.05.03/usr/bin: route@ route@ killall@ tftp@ route@ wget@ tftp@

4.03.03/usr/lib: 4.05.03/usr/lib: 5.00.02/usr/lib:*********

4.03.03/usr/sbin: 4.05.03/usr/sbin: 5.00.02/usr/sbin: bkserver* bkserver* bpalogin* bpalogin* bpalogin* brctl* brctl* brctl* dnsmasq* dnsmasq* dnsmasq* epi_ttcp* exlog* exlog* gpio* httpd* httpd* httpd* iptables* iptables* httpd2* led_mon* led_mon* nas* nas* nas* nas4not@ nas4not@ nas4not@ ntpclient* netfilter_log* netfilter_log* nvram* ntpclient* ntpclient* parental* nvram* nvram* pppd* parent_control* parent_control* pptp* pppd* pppd* setled* pppoecd* pppoecd* udhcpc@ pptp* pptp* udhcpd* route_check* route_check* upnp* udhcpc@ udhcpc@ vconfig* udhcpd* udhcpd* wizard* upnp* upnp* wl* vconfig* vconfig* wlconf* wlconf* wlconf*

4.03.03/www: 4.05.03/www: check_firmware_fail.html check_firmware_fail.html check_firmware_failb.html check_firmware_failb.html duplicate.html duplicate.html fw_clientip.html fw_clientip.html fw_dmz.html fw_dmz.html fw_id.html fw_id.html fw_mac.html fw_mac.html fw_main.html fw_main.html fw_ping.html fw_ping.html fw_security.html fw_security.html fw_virt.html fw_virt.html fw_virt.js fw_virt.js glossary.html glossary.html graphics/ graphics/ help.html help.html index.html index.html indexa.html indexa.html lan_dhcp.html lan_dhcp.html lan_main.html lan_main.html lan_settings.html lan_settings.html language.js language.js login.html login.html loginerr.html loginerr.html main_router.css main_router.css reset_success.html reset_success.html restore_factory_default_sucrestore_factory_default_suc restore_setting_success.htmrestore_setting_success.htm showMenu.js showMenu.js styles.css styles.css tmp@ tmp@ update_firmware_success_en.update_firmware_success_en. util_factory.html util_factory.html util_firmware.html util_firmware.html util_main.html util_main.html util_parentalc.html util_parentalc.html util_parentalc_acctinfo.htmutil_parentalc_acctinfo.htm util_parentalc_advance.htmlutil_parentalc_advance.html util_parentalc_refresh.htmlutil_parentalc_refresh.html util_prev.html util_prev.html util_reset.html util_reset.html util_save.html util_save.html util_system.html util_system.html utilb_system.html utilb_system.html validate.js validate.js violation_page.html violation_page.html wan_conn.html wan_conn.html wan_dns.html wan_dns.html wan_dynamic.html wan_dynamic.html wan_mac.html wan_mac.html wan_main.html wan_main.html wan_pppoe.html wan_pppoe.html wan_pptp.html wan_pptp.html wan_static.html wan_static.html wan_static_checked.html wan_static_checked.html wan_telstra.html wan_telstra.html wireless_apt.html wireless_apt.html wireless_apt_disabled.html wireless_apt_disabled.html wireless_apt_enable.html wireless_apt_enable.html wireless_bridge.html wireless_bridge.html wireless_chan.html wireless_chan.html wireless_encrypt.html wireless_encrypt.html wireless_encrypt_128.html wireless_encrypt_128.html wireless_encrypt_64.html wireless_encrypt_64.html wireless_encrypt_no.html wireless_encrypt_no.html wireless_mac_ctrl.html wireless_mac_ctrl.html wireless_main.html wireless_main.html wireless_wpa.html wireless_wpa.html wireless_wpa_psk.html wireless_wpa_psk.html

4.03.03/www/graphics: 4.05.03/www/graphics: bar.gif bar.gif bar_cap.gif bar_cap.gif bar_floor.gif bar_floor.gif bar_slope.gif bar_slope.gif blu_bar.gif blu_bar.gif head_logo.gif head_logo.gif shim.gif shim.gif title.gif title.gif}}}

One substantional difference is the lack of /www directory. These files are now compiled into httpd: -rwxr-xr-x    1 users      150076 Dec 31  1969 fs.7230.4.03.03/usr/sbin/httpd -rwxr-xr-x    1 users      161412 Dec 31  1969 fs.7230.4.05.03/usr/sbin/httpd -rwxr-xr-x    1 users      779144 Dec 31  1969 fs.7230.5.00.02/usr/sbin/httpd

New Update Address

Networking.belkin also has the "new" address for firmware updates at 54g_router]. Except that the page says the latest is still 4.03.03, but then gives a broken link to the 4.03.03 firmware (lacking the '.bin' extension). Quality control! : )`

New WL.O

Finally, the version of WL.o is also newer: net/wl%d %s: Broadcom BCM%04x 802.11 Wireless Controller Memory leak of bytes %d wds%d.%d 18:48:49 Aug 15 2004

New or changed utils

They added /usr/sbin/epi_ttcp. This is 'ttcp', a tool used for measuring the throughput of TCP connections. Someone must finally be sensistive to performance.

I wonder if the 'v3000' hardware has no LEDs, since they've removed the kernel module and support programs, unless it's now linked into the kernel and handled by interrupts (or some other program).

/usr/sbin/httpd2 has been split off from http (WHY?), and it looks like it just does the firmware update. It includes logic that looks for 'bootcode' or 'normalcode' at the front of the firmware.

2.18. Custom firmware now available

After many months of distraction and "just one more feature and I'll release it", I've released my custom firmware. Better late than never, belkin.

Please do not fill my mailbox with questions. Use the Wiki page: DotHaxxedFirmware

-- seg at haxxed dot com

Another Possibility is dd-wrt. According to the forums and front page the latest version supports the v1444 of this router. The v2000 is being worked on.

3. FAQ -- Questions and Answers Section

Q: Is there a way to change the port that the Advanced Configuration interface listens on? The HTTP server is called micro_httpd. There's a binary in /usr/sbin/ that I would imagine is the right guy. I just don't know what to change.

A: It seems that http_wanport and http_lanport can both be set via the configuration file that can be saved and restored through the advanced configuration Web interface. The file format for the saved configuration is

a perl script which takes a configuration data file and outputs the proper format to STDOUT is as follows (I can't seem to get it to format correctly):

This however doesn't seem to have any effect on which port the httpd server runs on. I will post more as I find out more.

Additional information: The settings export in firmware 3.00.07 attempts to print the NAT table. Unfortunately it does it simultaneously with the other settings, and therefore must be pruned in order for it to be accepted (it looks like some debugging information was left in the build). Firmware 3.00.05 exports a valid file.

Additional information part 2: After talking with a Technical Supervisor, we determined that port 80 was hard coded in the firmware and not configurable via the settings file. However if "Any IP address can remotely manage the router." is unchecked on the "System Settings" page, and no IP address is entered in the exclusion box, the router does not listen on the WAN port, and the Virtual Server can execute properly.

Q: Has anyone been able to get wireless bridging with WPA or WEP enabled to work?

A: I finally got 128 WEP working. After you've followed the Wireless Bridging Addendum, power down the router and the WAP. Wait 5 seconds, and power on the router. Wait until it is completely powered up, and then power up the WAP. Ping to make sure it's working properly. I'll try it using WPA at some future date.

Follow-Up: These routers will act as routers, bridges and AP's. For bridging, enter the peer MAC address in the configuration for BOTH routers. With the 4.05.03 firmware, bridging does not work with WPA if you have additional wireless clients. It does seem to work if the only wireless traffic is between the two routers. I have successfully bridged three of the 4.05.03 version 2000 routers. Make sure to only enter the master MAC address on the remote AP's and all AP MAC's on the router/gatweway. Entering every MAC's on both AP's and the router seems to confuse them. BTW, I get better bandwidth running Ethernet through the bridged AP's than using a Belkin F5D7000 802.11g PCI card, go figure.

Q: What could we upload to the router using TFTP?
I saw that boot_wait is set to "on" on firmware 3.0.07. I tried to TFTP file to the box seconds after reset. The box accepted TFTP tranfer. So I TFTP-ed 3.0.05 firmware by renaming it to code.bin.


TFTP> put code.bin

Sent 1904703 bytes in 1.5 seconds

But then, the router keeps booting to 3.0.07 firmware. What could we upload to the router using this method?

A: I forgot to switch to binary mode in TFTP but, doing so, the router accepted the 3.0.05 firmware uploaded as code.bin. The router burned it into the flash so on next reset, it uses 3.0.05 version.

Q: Where can I download a version of the firmware with Busybox? Or can anyone maybe send it to me to tobias at netmadeira dot com ?

A: You can get it as 3.00.07.trx. Use at your own risk. It is the 3.00.07 firmware version where the Web server /usr/sbin/httpd has been renamed to /usr/sbin/httpd.ori. The /usr/sbin/httpd is Busybox running TelnetD applet by default. Upon installation, Telneting to the box gives a Busybox shell. You can run the normal Web server by  cd /www;/usr/sbin/httpd.ori 

To use the custom Busybox,  ln -s /usr/sbin/httpd /tmp/busybox;/tmp/busybox 

Q: I was probing this firmware (update is okay via TFTP) and I cannot Telnet the router, they don't accept the conecction, what may be wrong?

A: This router is very, very similar to the 7130 Access Point, apart from the obvious lack of additional Ethernet connections. I'm fairly sure that they are using the same circuit board, with a number of components omitted from the 7130: switch IC, magnetics, and RJ45 sockets for the additional Ethernet connections. The Web interface on a brand-new 7130 identifies itself as a F5D7230-4, and the release notes for the latest 7130 identify it as being suitable for both the 7230-4 and 7130. I've haven't checked whether the firmware is interchangeable.

A: Yes, the firmware of the Belkin 7230 works on the 7130. I uploaded it via TFTP, using the Linksys-TFTP client under Windows. The WAN MAC address is displayed as 00:90:96:00:00:01 - probably denoting the fact that the WAN-interface is missing (although I believe the Broadcom includes the interface, did they not enable it ?) But at least you can stuff the accesspoint full of interesting features (read: servers) to make it a bit more interesting.

Q: How to fix wireless file transfer losing files?
When I move files from one computer to the other via the router wirelessly at 54 Mbps the router looses it. The wireless part becomes unusable. The wired ports stay operational. If I do the same thing with the same computers via the wired ports everything stays fine. Does anybody have a clue what’s going on? And how to fix it? I have version 1441 of the router with the latest firmware, 4.00.03.

A: it seems that with a tighter configuration of the wireless nic all goes well. I transfered gigabytes and no crash. With tighter I mean no looking for other wireless networks when connected, tell it to only use one band (a/b/g) etc.

Q: How to force pmon into recovery mode?
Has anyone been able to force the pmon to go into recovery mode by shortening pin 15+16 on the AMD flash ship like you can do on the WRT54G ? According to the specs for the AMD flash pin 15 is RY/BY# and pin 16 A18. This is not working for me. The router continues to boot when those are shortened. This is hardware 1010.

A: Try shorting pins 1 and 16 on AMD flash. 15-16 is for Intel flash on the V1.1 and forward WRT54G models. -- Sveasoft

Q: How to list using iptables -L;?
After I got a shell on the box I tried "iptables -L;" but it listed nothing. The firmware is adding rules using direct ipt_* calls. Does anyone know if rules added by ipt_* do not show up in iptables ? When I added rules using iptables they were listed using iptables -L but seemed to be functionally ignored. Any clues how to proceed ?

A: I removed the parental control to make room for a root shell. Apparently, that hinders the initialization of the firewall. When I put back the parental control and remove pppd instead to make room, then iptables does list the Belkin builtin rules.

Q: Is there a way to separate the wireless port from the others ?

A: I removed eth1 (wireless) from the br0 bridge (brctl delif br0 eth1). Gave it an IP address, switched on then used iptables to add a ssh limited forwarding rule between eth1 and the internal LAN.

Q: Does anyone have a JTAG interface & software? How does this work?

A: I have a cheap JTAG interface from Amontec. I also have the Wiggler from Macraigor. Both devices works great in Raven mode with tools from Macraigor. The Amontec POD is absoluttly recommended. You can use a JTAG interface for reading/writing memory and flash. You can also use JTAG for debuging code. (setting hardware breaks. step trought code etc).

Follow-up Q: Do you have info on how to hook this up to a v1444 F5D7230-4? It has a 10 pin block that has 6 (unknown) signals and 4 tied to ground.

Follow-up: Anyone know the jtag pinout?



Thanks! I'll give that a try and see if I can unbrick my Belkin.

It works! I don't want to repeat myself so see my post here:,13862729 Includes software to get going

Q: Does anyone know how to make the Wireless Bridging function work with other manufacturers routers, and allow selection of the other wireless AP by its SSID and not by directly entering the MAC?

A: Well, according to the help it is just supposed to work if you haven't ticked the limit to specific MAC addresses option. However, I am not able to get the things to bridge without entering the MAC address on both ends. I should probably try this with non-Belkin equipment also.

Follow-up: I'm working with the Belkin and a Netgear. I haven't tried entering the Belkin's MAC on the Netgear, because it I don't see a place where this *can* be done on the Netgear (except for 'Client lockout' (which I currently use in lieu of WEP) If Bridging does NOT work with non-Belkin equipment at all, it seems like a rather cheap way to do manufactuer lock-out.
As far as I'm concerned, the Belkin setup software should allow you to set it either to look for a particular SSID (not MAC), or *any* SSID being broadcast, and rebroadcast the packets. (Of course, there's a limited amount of space for code and such there. But isn't this why we *have* standards in the first place?) I'm wondering more about whether there's some OSS package I could just run on the Belkin once I get it running straight Linux, which will do this for me.

Follow-up 2: I have just verified that the Belkin F5D7230-4 4.05.03 routers will bridge with an SMC2804WBR (which is a fully featured router BTW. Why doesn't the Belkin firmware support port forwarding and DHCP address reservation?).
According to the SMC docs, the SMC requires that the MAC address be hard coded for it to use WDS bridging. Strange that the Belkin has the option of just enabling it, but according to the Belkin docs at least one of the routers must reference the other's MAC address. I had to go both ways to make it work. I have a Netgear WGR614v5 that I will test out as well.

Q: Can you wireless bridge between a Belkin F5D7230-4 4.05.03 (UK version) and F5D7230-4 4.03.03? (North America version)

A: ? YES. The only limitations would be between counrty version the channels would have to be the same. You should be able to bridge between all Broadcom firmware that allows bridging. I have a link WDS link between a Linksys wrt54g and a f5d7230 which I flashed the f5d7231 firmware.

Q: Does anyone else get "Blocked by DoS protection ###.###.###.###" messages in the firewall log every 1-30 seconds. A number of these log entries will also be corrupted.

Firewall log:

Tue Jun 7 13:15:45 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:15:49 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:15:56 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:16:11 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:16:51 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:16:55 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:17:02 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:17:05 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:17:08 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:17:17 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:17:18 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:17:33 2005 1 Blocked by DoS protection ##.###.144.1

14 ] 1 Blocked by DoS protection ##.###.128.110

] 1 Blocked by DoS protection ##.###.176.23

4 ] 1 Blocked by DoS protection ##.###.140.160

14 ] 1 Blocked by DoS protection ##.###.128.120

14 ] 1 Blocked by DoS protection ##.###.214.28

14 ] 1 Blocked by DoS protection ##.###.210.114

] 1 Blocked by DoS protection ##.###.230.5

] 1 Blocked by DoS protection ##.###.52.200

1 Blocked by DoS protection ##.###.204.4

1 Blocked by DoS protection ##.###.81.80

] 1 Blocked by DoS protection ##.###.73.198

14 ] 1 Blocked by DoS protection ##.###.198.139

Tue Jun 7 13:17:45 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:17:45 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:18:01 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:18:05 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:18:13 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:18:29 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:19:41 2005 1 Blocked by DoS protection ##.###.144.1

Tue Jun 7 13:19:45 2005 1 Blocked by DoS protection ##.###.144.1

Firmware Version  4.03.03

Boot Version  2.01.03

Hardware   F5D7230-4

The ##.###.144.1 address belongs to my ISP and is the second hop on all traceroutes.

I still get these messages despite having disabled the firewall.

This issue seems to be coincident to the router becoming sluggish every 2-5 days. Simply restarting the router will usually clear the sluggishness.

Here are links to other people having this problem:

Q: Is it possible to make F5D7330 firmware work on F5D7230-4 v.1444?


Q: Is it possible to make F5D7231-4 125mbit High Speed Mode (HSM) router firmware work on F5D7130 v.2114ef Access Point (with actually 4.03.03 firmware?

A: I don't believe so.
I tried installing the "LOAD"-altered BELKIN_RT_UK_4.05.03.bin (F5D7231-4 European) firmware onto two F5D7130 access points, they booted up okay and the wireless LAN works okay, but the Ethernet port was incapacitated (no doubt it was expecting there to be a cable modem connected to it). When I tried enabling 125 mbit High Speed Mode I got a warning saying that Wireless Bridge mode wouldn't work, which means that it would have been of no use for me, since I'm using my F5D7130 Wireless Access Points as range extenders. To restore the Wireless Access Points to the F5D7130 firmware, I poked the first four bytes from the F5D7231-4 firmware (00 3F 01 02) into the F5D7130_4.03.03.bin firmware, which seems to work fine, with the only noticeable oddity being that my Wireless Access Points now describe their hardware as F5D7230.

Side-Effects: I gather that you then returned at least one of these F5D7130 WRE/AP boxes to CompUSA in Roseville where I purchased it this last weekend. Needless to say, the mis-reported hardware model number has caused some difficulty while working with Belkin support. Not cool to screw with hardware and then return it for some other poor soul to purchase.

See the Perl script at the top of the FAQ

Q2: How to downgrade the PMON, The boot code using TFTP or by using SSH thru .hAXXED??

Belkin_F5D7230-4 (last edited 2011-07-09 19:44:55 by 203-206-136-44)