Tuesday, August 10, 2010

Unbricking a Belkin Wireless Router

I have been doing a good deal of messing with OpenWRT the last few weeks trying to getter a better grasp of embedded linux and linux in general. I have had good success in the past installing and modifying OpenWRT on FON and Linksys routers in the past. However, I had some issues with trying to install it on my cheap and cheerful Belkin F5D9230 router. Firstly, I tried to install it by uploading the firmware image for the Airlink router (they have similar hardware specifications) with the guide here:


  • 1) Go to the router config page (ex. https://192.168.2.1/), log in, and then go to ver.htm (ex. https://192.168.2.1/ver.htm).
  • 2) Set firmware header checking to 0, apply, and wait for it to reboot.
  • 3) Use the firmware upgrade page to upload the OpenWrt firmware intended for the Airlink AR525W (ex. openwrt-rdc-squashfs-ar525w.img). Do not use the -web.img version.
  • 4) OpenWrt should be working after it reboots. 
Unfortunately, this did not work. So then I cracked open the router and soldered some jumpers onto the connection onto the routers motherboard. This allowed me to access the routers console using my trusty nokia serial cable. The connections were as follows:
[   ] [RX   ] [       ] [       ] [TX   ]
       [GND1] [GND2] [Vcc1] [Vcc2]

settings are 38400, 8, N, 1, no flow. Using this, I was able to view the boot sequence of the router:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05


...and so on. From here, I was able to see that it was using RedBoot for its boot environment. Restartin the router again, i got a prompt at redboot y pressing ctrl + c (there is only like a 1second window so you have to be fast.). In the serial console i typed:
tftpd
Then on the laptop I flashed it with OpenWRT KAMIKAZE (8.09.2, r18961)using the using the openwrt-rdc-squashfs-ar525w.img tftp method outlined here. It booted up fine, and everything worked except wireless. It turned out that it was because Kamikaze 8.09 kernel had very little support with the wireless chipset driver needed by the Belkin router. So I flashed over a newer OpenWRT Backfire 10.03 image. But this firmware would not even boot up properly:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05

# Activate RDC-Keilven's RS232 Patch V2
RedBoot> @
** Error: Illegal command: ""
RedBoot>
# Kernel size = 851936 bytes
# FW size = 2686980 bytes

# fwcheck: base = 0x00400000, size = 0x00000400
# Firmware Checksum O.K
# Kernel copying......BEGIN
# Kernel copying......FINISH

mem_size: 1000000


...and then it would hang. It turns out that there is a bug in the compiled version of OpenWRT for devices that use the RDC processor, which includes the Belkin F5D9230 v4. At this stage, I gave up, because i really needed to get this router working for the home network. At this stage it was bricked, as I could not get it working at all. So I set about trying to install the old Belkin software back onto the router.
This was not as straightforward as it sounds. For starters, there was no web interface, so i could not upload an official Belkin image downloaded off their website. Secondly, when I tried just to tftp over the official image  to the router, redboot would balk:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05

# Activate RDC-Keilven's RS232 Patch V2
RedBoot> 0^C
RedBoot> ^C
RedBoot> ^C
RedBoot> ^C
RedBoot> tftpd
# Dante's tiny tftpd is ready......
WRequest from 192.168.1.100: [f5d9230-4v3_uk_3.01.53.bin, octet]

# Error: invalid magic


What the duck does "Invalid Magic" mean? It must be in relation to the magic numbers used in the header of a file to identify what type of file it is. After having a wee think about this, I thought that redboot must be doing some kind of checking of the firmware. Delving a bit deeper, It turns out that we need to strip off some header information on the official Belkin firmware file to get at the firmware file that we need.  So i did the following on the terminal on the laptop:

dd if=input.bin of=output.bin bs=1 skip=X count=Y

Where X is the number of bytes you want to remove from the beginning, and Y is the number of bytes you want to process before the end of file.

Suppose you have a binary files which is 100 bytes in size and you want to remove the first 10 bytes and the last 5 bytes, obtaining an 85 bytes output.
The value of X will be 10, while the value of Y will be 85 (=100-10-5). You can find file size with a simple "ls" or "wc -c" command. In our case, we wish to remove the first 8 bytes of the file. Then TFTP over the edited file as normal:


+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05



# Activate RDC-Keilven's RS232 Patch V2
RedBoot> ^C
RedBoot> ^C
RedBoot> ^C
RedBoot> ftfpd
** Error: Illegal command: "ftfpd"
RedBoot> tftpd
# Dante's tiny tftpd is ready......
WRequest from 192.168.1.100: [f5d9230-4v3_uk_3.01.53-edit.bin, octet]

# Firmware Checksum O.K
# DFLASH: SRC=0x00400000, DST=0xFFC00000, LEN=0x0022A520
# Decide to use AMD/Fujitsu Standard command set.
# MFG ID = 0x007F, DEV ID = 0x22F6
Flash size = 4 MB
# Erasing...................................
# Writing...................................
# Finishing successfully...
# Firmware Upgrade Finished, and shotdown the TFTPD......
RedBoot> reset


And lo and behold after restarting, the router worked successfully. I have the edited firmware file available if anyone wants it.

6 comments:

  1. Hi,
    I have the same problem. Have u managed to get rid of it? Unfortunately i had the device working with backfire, but after a update to backfire-trunk I cant get it working anymore. Also had some strange Segfaults when starting dropbear and openssh. I really would appreciate if you could mail me or post some news here.

    Kind Regards
    sc0rp

    ReplyDelete
  2. No, after I got the stock firmware working on the device I left it alone. I had planned to try Backfire again when some of the bugs had been ironed out on the system but it looks like that hasnt happened yet.If you got the original backfire working before you upgraded, could you not just flash back to that version?

    ReplyDelete
  3. Hello,
    I had a similar problem. I tried to install DD-WRT and the router is now dead. Can you help with this serial port that you described? I am really a noob on such matters. What I need to do to get an answer from the router and start the recovery process?
    Can you email me?

    ReplyDelete
  4. I know that this post is a little old, but I just ran into this same issue. I used the guide that you did, and now I have a bricked router. I have a USB/Serial converter hooked up, using the pin-out that you have listed. My computer sees the device and recognizes it as a USB/Serial converter. However, I can't get PUTTY or Hyperterminal to see anything. Could you help me out with the serial connection part?

    ReplyDelete
  5. I think I totally bricked mine, serial cable and JTAG attached but I think I need my original redboot back. Know where I can find one?

    ReplyDelete
  6. Anyone figured out how to do this on the 3100 version? Even after disabling the firmware check it still comes up with a invalid checksum error after flashing and reboot then starts the tftp and waits for new firmware. Then i had to cut the first 8 bytes off the original firmware and flash it back to get it going again.

    Anyone know another way to assure the firmware checking is 100% disabled?

    ReplyDelete