Belkin F5D8230-4 v2000

One of Belkin's "Pre-N" routers. This page is specifically about the v2xxx units with Realtek RTL8651B SoC, and research is based on a v2001 unit. The v1000 used a Broadcom SoC and information about it is available elsewhere.

Supported Versions

| Version/Model | S/N | OpenWrt Version Supported | Model Specific Notes |
|---|---|---|---|
| v1xxx | ? | ? | Works if MiniPCI card is replaced (Airgo not supported) |
| v2xxx | ? | WIP | Realtek SoC not yet in toolchain |

Hardware Highlights

| CPU | Ram | Flash | Network | USB | Serial | JTag |
|---|---|---|---|---|---|---|
| Realtek RTL8651B | 16MB | 4MB | 4x1 | No | ? | ? |

This board is also known as the RT3105W-D56 (probably the Askey OEM model).

More RTL8651B info available here

Installation

Possible methods:

  • Use serial console to load RAM image, flash from OpenWRT shell
  • Use serial console to directly flash
  • Use Belkin web interface flasher (build compatible image)

OEM easy installation

No such technique exists yet. The Belkin web upgrade file format needs to be understood in order to generate custom firmware images which will be accepted (mostly the checksum algorithm, which may be the same as for other Belkin routers – untested as of yet). Much of the other header information has been correctly guessed at (see below).

OEM installation using the TFTP method

If the router has a corrupted "RUN" image in flash, it will default to recovery mode. Unlike the Broadcom SoC with CFE, it does not wait for a "TFTP put" – you have to set up a BOOTP and TFTP server and tell it what file to grab (similar to the TFTP boot method below). Without a serial console to trigger the recovery (or flash), an easy method for forcibly flashing via recovery mode, such as exists on Broadcom hardware, does not seem likely; there is apparently no equivalent to the "boot_wait" mode.

Upgrading OpenWRT

If you have already installed OpenWrt (which you couldn't have done yet) and would like to reflash, e.g. to upgrade to a new OpenWrt version, you can upgrade using the mtd command line tool. It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.

LuCI Web Upgrade Process
Terminal Upgrade Process
  • Login as root via SSH on 192.168.1.1
  • Use the following commands to upgrade.

cd /tmp/
wget http://downloads.openwrt.org/latest/brcm-2.4/openwrt-brcm-2.4-squashfs.trx
mtd write /tmp/openwrt-brcm-2.4-squashfs.trx linux && reboot

Hardware

Info

See also: RTL8651B info from Linux-MIPS.org

Architecture: MIPS32 MSB (Lexra LX5280 core w/MMU)
Vendor: Realtek
Bootloader: ROME
System-On-Chip: Realtek RTL8651B
CPU Speed: 200 MHz
Flash-Chip: MX 29LV320ABTC-90
Flash size: 4 MiB
RAM-Chip: 2 x EtronTech EM638165TS-7
RAM size: 16 MiB
Wireless: Airgo AGN103BB-01 (MiniPCI) (possible driver here)
Ethernet: Switch in CPU
USB: USB1.1 on-chip, no obvious connections on this board (possibly available with hardware mod)
Serial: Yes
JTAG: maybe

Photos

(forthcoming)

Model Number

Front:

Photo of front

Back:

Photo of back

Opening the case

Note: This will void your warranty!

  • To remove the cover simply remove the four obvious corner screws on the bottom and pull apart easily.
  • There are four obvious screws holding the PCB to the bottom cover.
  • To completely free the top cover, carefully disconnect the three antenna cables from the MiniPCI card.
  • To remove the MiniPCI card, use a thin dull object to tear out the adhesive foam mounting sandwiched between the card and the board. There is not much to damage in that area but be careful anyway. Replace with Velcro or similar to regain solid mounting but still be easily removable. Once card is freed, it removes like any MiniPCI does using the release tabs on the edges of the socket, and can be replaced by some other card with driver support (Broadcom, Atheros…)
  • To access the important guts, carefully pry the lid off the larger ("top side") shield can, referred to in this document as the "system can". It is not soldered and comes off very easily.

Main PCB

(photos forthcoming)

Serial

There is a 4-pin white header ("JP1") inside the system can which is the serial port. This is the confirmed pinout, and the terminal settings are 38400 8N1:

(Towards LED edge of board)
+3.5V
GND
(output)
(input)
(Towards "J7")

Direction here is relative to the device. So, "output" would connect to the PC "input" so you could see the console data, and "input" would connect to the PC "output" so you could enter commands. All the usual Tx and Rx stuff gets confusing, so I went with this more descriptive method.

JTAG

Possible JTAG located in system can at micro header J7 (12 pin, probably standard). To be verified and tested.

Realtek SoC supports MIPS EJTAG 2.0, so the question is whether the board has the SoC JTAG pins connected or not. JTAG identifiers should be these, if connection is figured out:

  • ManufID: 6
  • PartNumber: 5280

See port.jtag for more JTAG details.

Specific Configuration

Interfaces

OpenWRT designations to be determined.

Interfaces within original Belkin 2.01.02 firmware are below:

| Interface Name | Description | Default configuration |
|---|---|---|
| (bridge?) | LAN & WiFi | 192.168.2.1/24 |
| rtl0 | Ethernet core device? | ? |
| et0 | LAN ports (1 to 4) | None |
| et1 | WAN port | DHCP |
| wlan0 | Airgo WiFi | Open, SSID = "Belkin_Pre_N_" |

Switch Ports (for VLANs)

There don't appear to be any VLANs. The Realtek SoC provides two separate MAC interfaces in hardware: one is chained to a built-in switch chip and drives the LAN ports (eth0), and the other is apparently connected to the WAN port (eth1).

Failsafe mode

If you forgot your password, broke one of the startup scripts, firewalled yourself or corrupted the JFFS2 partition, you can get back in by using OpenWrt's failsafe mode.

Boot into failsafe mode

  • Unplug the router's power cord.
  • Connect the router's LAN1 port directly to your PC.
  • Configure your PC with a static IP address between 192.168.1.2 and 192.168.1.254, e.g. 192.168.1.2 (gateway and DNS are not required).
  • Plug the power on and wait for the DMZ LED to light up.
  • While the DMZ LED is on, immediately press any button (Reset and Secure Easy Setup will work) a few times.
  • If done right the DMZ LED will quickly flash 3 times every second.
  • You should be able to telnet to the router at 192.168.1.1 now (no username and password)

What to do in failsafe mode?

NOTE: The root file system in failsafe mode is the SquashFS partition mounted in readonly mode. To switch to the normal writable root file system run mount_root and make any changes. Run mount_root now.

  1. Forgot/lost your password and would like to set a new one

passwd

  2. Forgot the router's IP address

uci get network.lan.ipaddr

  3. You accidentally ran 'ipkg upgrade' or filled up the flash by installing packages that are too big (clean the JFFS2 partition and start over)

mtd -r erase rootfs_data

If you are done with failsafe mode, power cycle the router and boot in normal mode.

Buttons

The Belkin F5D8230-4 v2xxx has one button, Reset, located on the bottom in the right rear corner (viewing unit from the "front"), near one of the main case screw holes - it is labeled and requires a reasonable length poking tool. The button may be able to be used with hotplug events, but may be hard-wired to reset the board (verification pending).

| BUTTON | Event |
|---|---|
| Reset | reset |

Basic configuration

This space for rent.

Hardware mods

Nothing yet

Other Info

Belkin GPL Source

Available here

  • broken tgz archive, inside a broken tar.gz archive (BRAVO!)
  • unpacks a bunch of stuff if you force it (probably not all the files are there)
  • does not include toolchain (uClinux)
  • won't build (probably due to lack of all the files)
  • contacted Belkin so maybe they put up a repack that isn't truncated and broken
  • have to use other Realtek based GPL sources from other manufacturers in the mean time

GPL Source Highlights

Belkin Firmware (bin) Format

Examination of latest firmware bin (f5d8230-4-v2_2.01.02_usa.bin):

Belkin (overall) Structures

All multibyte "uint" types are big-endian unless otherwise specified.

| file offset | format | example | description |
|---|---|---|---|
| 0x00000000 | file magic? | 02 FF FF 00 | (most likely) Belkin magic number for this model |
| 0x00000004 | uint32 | 00 33 40 55 | Total File Size, including headers (size of bin file on disk) |
| 0x00000008 | file checksum? | D1 55 1D C1 | (most likely) Total File Checksum (TODO: algorithm) |
| 0x0000000c-0x0000001b | | 00 80 00 00 | ? |
| 0x0000001c | node magic | 30 52 44 48 | reversed ASCII = "HDR0" |
| 0x00000020 | uint32 | 00 33 30 1C | "HDR0" Size, including "HDR0" header (from 0x1c onward) |
| 0x00000024 | node checksum? | FD 3E 8C 6F | (most likely) "HDR0" Checksum (TODO: algorithm) |
| 0x00000028-0x00000037 | | 00 80 00 00 | ? |
| "HDR0" Payload | | | |
| 0x00000038 | | | Realtek Image "WEB" Header (see below) |
| 0x00000050 | | | Realtek Image "RUN" Header (see below) |
| 0x00000068 | | | "kernel.bin" (probably wrapped in some structure defining load addresses, etc) |
| 0x000d860e | | | null padding |
| 0x000e0038 | | | rootfs (cromfs) |
| (note) | | | offsets below this point depend on the "HDR0" Node Size! (listed offsets are based on the specific f5d8230-4-v2_2.01.02_usa.bin file) Note: 0x0000001c + 0x0033301c = 0x00333038 |
| 0x00333038 | node magic | 52 41 56 4E | reversed ASCII = "NVAR" |
| 0x0033303c | uint32 | 00 00 10 1D | "NVAR" Size, including "NVAR" header (from 0x333038 onward) |
| 0x00333040 | node checksum? | 7C AC 9A 85 | (most likely) "NVAR" Checksum (TODO: algorithm) |
| 0x00333044 | | | "NVAR" Payload |
| (EOF) | | | |
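
The size fields in the table above can be cross-checked against each other before anything is flashed. The following Python sketch is an added example, not code from Belkin or the GPL source: it walks the node chain starting at 0x1c and reports size inconsistencies. The function names and the zero-filled sample file are constructed for illustration; the checksum fields are only reported, because their algorithm is still unknown.

```python
import struct

FILE_HDR_LEN = 0x1C   # file magic, total size, checksum, then 0x0c-0x1b (unknown)
NODE_MIN_LEN = 12     # node magic + node size + node checksum


def walk_belkin_container(blob):
    """Walk the node chain of a Belkin .bin; return (nodes, problems)."""
    nodes, problems = [], []
    if len(blob) < FILE_HDR_LEN + NODE_MIN_LEN:
        return nodes, ["file too short to hold the file header and one node"]
    _magic, total, _file_ck = struct.unpack_from(">4sII", blob, 0)
    if total != len(blob):
        problems.append("total size field 0x%x != file length 0x%x"
                        % (total, len(blob)))
    off = FILE_HDR_LEN
    while off < len(blob):
        if off + NODE_MIN_LEN > len(blob):
            problems.append("0x%x: trailing bytes too short for a node" % off)
            break
        raw, size, node_ck = struct.unpack_from(">4sII", blob, off)
        # Node magics are stored as reversed ASCII ("0RDH" -> "HDR0").
        name = raw[::-1].decode("ascii", errors="replace")
        # The size field counts from the node magic onward, header included.
        if size < NODE_MIN_LEN or off + size > len(blob):
            problems.append("0x%x: node %r size 0x%x runs past end of file"
                            % (off, name, size))
            break
        nodes.append({"name": name, "offset": off, "size": size,
                      "checksum": node_ck})
        off += size
    return nodes, problems


def build_sample():
    """Constructed stand-in for f5d8230-4-v2_2.01.02_usa.bin: the header
    fields are the example values from the table, every payload byte is zero."""
    blob = bytearray(0x334055)
    blob[0:4] = bytes.fromhex("02FFFF00")
    struct.pack_into(">II", blob, 4, 0x334055, 0xD1551DC1)
    struct.pack_into(">4sII", blob, 0x1C, b"0RDH", 0x33301C, 0xFD3E8C6F)
    struct.pack_into(">4sII", blob, 0x333038, b"RAVN", 0x101D, 0x7CAC9A85)
    return bytes(blob)


if __name__ == "__main__":
    found, issues = walk_belkin_container(build_sample())
    for node in found:
        print("%(name)s at 0x%(offset)08x, size 0x%(size)x, "
              "checksum 0x%(checksum)08x" % node)
    print("problems:", issues or "none")
```

With the example values the chain closes exactly: 0x1c + 0x33301c lands on the "NVAR" node, and 0x333038 + 0x101d equals the total file size 0x334055.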

Realtek ROME Structures

Note: image offset is within the ROME image itself (not file offsets in the bin file)
Most of this info comes directly from the structures and defines in rtl_image.h in the GPL source.
In the example file, there are two headers – the main "WEB" header, and within the "WEB" Image Body is an immediate "RUN" header, and then within the "RUN" Image Body is the actual executable code.

"WEB" Header (begins at 0x38 in example file)
| offset | format | example | description |
|---|---|---|---|
| 0x00000000 | magic | 59 A0 E8 42 | Product Magic |
| 0x00000004 | uint16 | D9 2F | Image Type: 0xb162 ⇒ "RDIR", 0xea43 ⇒ "BOOT", 0x8dc9 ⇒ "RUN", 0xd92f ⇒ "WEB", 0x2a05 ⇒ "CCFG", 0x6ce8 ⇒ "DCFG", 0xc371 ⇒ "LOG" |
| 0x00000006 | uint8 | 01 | Image Header Version |
| 0x00000007 | uint8 | 00 | "reserved1" (padding for 32-bit alignment) |
| 0x00000008 | uint32 | 07 D5 08 01 | Image Creation Date (in Network Order): B1B2 = year (0..65535, big-endian), B3 = month (1..12), B4 = day (1..31); example = 2005-08-01 |
| 0x0000000c | uint32 | 10 38 2F 00 | Image Creation Time (in Network Order): B1 = hour (0..23), B2 = minute (0..59), B3 = second (0..59); example = 4:56:47PM |
| 0x00000010 | uint32 | 00 33 2F E8 | Image Body Length (not including header) |
| 0x00000014 | uint16 | 00 00 | "reserved2" (unused?) |
| 0x00000016 | uint8 | F0 | Image Body Checksum (running byte XOR) |
| 0x00000017 | uint8 | 7C | Image Header Checksum (running byte XOR) |
| 0x00000018 | | | Image Body |

"RUN" Header (begins at 0x50 in example file, 0x18 in the Realtek "WEB" Image)

| offset | format | example | description |
|---|---|---|---|
| 0x00000000 | magic | 59 A0 E8 42 | Product Magic |
| 0x00000004 | uint16 | 8D C9 | Image Type: 0xb162 ⇒ "RDIR", 0xea43 ⇒ "BOOT", 0x8dc9 ⇒ "RUN", 0xd92f ⇒ "WEB", 0x2a05 ⇒ "CCFG", 0x6ce8 ⇒ "DCFG", 0xc371 ⇒ "LOG" |
| 0x00000006 | uint8 | 01 | Image Header Version |
| 0x00000007 | uint8 | 00 | "reserved1" (padding for 32-bit alignment) |
| 0x00000008 | uint32 | 07 D5 08 01 | Image Creation Date (in Network Order): B1B2 = year (0..65535, big-endian), B3 = month (1..12), B4 = day (1..31); example = 2005-08-01 |
| 0x0000000c | uint32 | 10 38 2E 00 | Image Creation Time (in Network Order): B1 = hour (0..23), B2 = minute (0..59), B3 = second (0..59); example = 4:56:46PM |
| 0x00000010 | uint32 | 00 0D 85 A6 | Image Body Length (not including header) |
| 0x00000014 | uint16 | 00 00 | "reserved2" (unused?) |
| 0x00000016 | uint8 | DE | Image Body Checksum (running byte XOR) |
| 0x00000017 | uint8 | 3B | Image Header Checksum (running byte XOR) |
| 0x00000018 | | | Image Body |
  • Kernel is in the "RUN" Image Body
  • The "WEB" Image Body includes the "RUN" Image, then a bunch of 00 padding, and finally the rootfs
  • Compressed ROMFS (cromfs) root filesystem @ bin file offset 0x000e0038 (can be extracted, mounted, and examined)
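
The ROME header layout above is enough to parse, validate and regenerate a header, which is what a custom "RUN" image for TFTP booting needs. The Python sketch below is an added example, not code from rtl_image.h or the GPL source. The header checksum rule it uses (XOR of header bytes 0x00-0x16) reproduces both example checksums in the tables; the body checksum is assumed to be the same running XOR over every body byte, which cannot be confirmed from the header bytes alone. Function names are illustrative.

```python
import struct
from datetime import datetime

ROME_MAGIC = 0x59A0E842
HEADER_LEN = 0x18
IMAGE_TYPES = {0xB162: "RDIR", 0xEA43: "BOOT", 0x8DC9: "RUN", 0xD92F: "WEB",
               0x2A05: "CCFG", 0x6CE8: "DCFG", 0xC371: "LOG"}
HEADER_FMT = ">IHBBHBBBBBBIHBB"   # big-endian, 24 bytes, no padding

# The two headers from the tables above, typed in from the "example" column.
WEB_HEADER = bytes.fromhex("59A0E842 D92F 01 00 07D50801 10382F00 00332FE8 0000 F0 7C")
RUN_HEADER = bytes.fromhex("59A0E842 8DC9 01 00 07D50801 10382E00 000D85A6 0000 DE 3B")


class RomeHeaderError(ValueError):
    """Raised when a ROME header fails a structural check."""


def xor_bytes(data):
    """Running byte XOR, the checksum named in the header tables."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def parse_rome_header(blob, offset=0):
    """Decode and validate the 24-byte ROME header found at `offset`."""
    hdr = bytes(blob[offset:offset + HEADER_LEN])
    if len(hdr) < HEADER_LEN:
        raise RomeHeaderError("truncated header")
    (magic, img_type, version, _r1, year, month, day, hour, minute, second,
     _pad, body_len, _r2, body_ck, hdr_ck) = struct.unpack(HEADER_FMT, hdr)
    if magic != ROME_MAGIC:
        raise RomeHeaderError("bad product magic 0x%08x" % magic)
    if img_type not in IMAGE_TYPES:
        raise RomeHeaderError("unknown image type 0x%04x" % img_type)
    # Header checksum = XOR of bytes 0x00-0x16 (includes the body checksum).
    if xor_bytes(hdr[:-1]) != hdr_ck:
        raise RomeHeaderError("header checksum mismatch")
    try:
        built = datetime(year, month, day, hour, minute, second)
    except ValueError as exc:
        raise RomeHeaderError("invalid build timestamp: %s" % exc)
    return {"type": IMAGE_TYPES[img_type], "version": version, "built": built,
            "body_len": body_len, "body_checksum": body_ck}


def verify_body(blob, offset, info):
    """Check body length and checksum (assumption: XOR over all body bytes)."""
    start = offset + HEADER_LEN
    body = blob[start:start + info["body_len"]]
    return len(body) == info["body_len"] and xor_bytes(body) == info["body_checksum"]


def build_rome_header(img_type, body, built, version=1):
    """Produce a header for `body`, e.g. a custom "RUN" image for TFTP boot."""
    fields = struct.pack(">IHBBHBBBBBBIHB", ROME_MAGIC, img_type, version, 0,
                         built.year, built.month, built.day,
                         built.hour, built.minute, built.second, 0,
                         len(body), 0, xor_bytes(body))
    return fields + bytes([xor_bytes(fields)])


if __name__ == "__main__":
    for name, raw in (("WEB", WEB_HEADER), ("RUN", RUN_HEADER)):
        print(name, parse_rome_header(raw))
```

On the real firmware file the same parser applies at file offsets 0x38 ("WEB") and 0x50 ("RUN").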

BONUS: "file" magic definitions

These can be added to your /usr/share/file/magic list (wherever it is on your system) to allow the "file" command to tell you most of the info about proper ROME binaries. This can be a quick test to make sure the header is right, or a quicker way to extract certain info than firing up the hex editor.
Don't forget to do something like sudo file -C -m /usr/share/file/magic ; sudo mv magic.mgc /usr/share/file/magic.mgc to recompile your magics so that "file" will use them. Furthermore, all spaces up to "\b" or other text should be tab characters (the wiki, and/or copy-paste will probably mangle them).

# Realtek ROME binaries
0 belong  0x59a0e842 Realtek ROME Binary
>4 beshort  0xb162  \b RDIR Image
>4 beshort  0xea43  \b BOOT Image
>4 beshort  0x8dc9  \b RUN Image
>4 beshort  0xd92f  \b WEB Image
>4 beshort  0x2a05  \b CCFG Image
>4 beshort  0x6ce8  \b DCFG Image
>4 beshort  0xc371  \b LOG Image
>6 byte x \b, version %d
>16 belong x \b, payload size %d
>8 beshort x \b (built %04d-
>10 byte x \b%02d-
>11 byte x \b%02d
>12 byte x \b %02d:
>13 byte x \b%02d:
>14 byte x \b%02d)

After these are properly installed, you can do stuff like this:

$ file rome.boot
rome.boot: Realtek ROME Binary RUN Image, version 1, payload size 886182 (built 2005-08-01 16:56:46)

Booting from TFTP

  1. Setup BOOTP server connected to any LAN port. Use something like this (ISC DHCP3 server):
    subnet 10.7.7.0 netmask 255.255.255.0 {
      range 10.7.7.100 10.7.7.200;
      option domain-name-servers 10.7.7.1;
      option domain-name "dev.lan";
      option routers 10.7.7.1;
      option broadcast-address 10.7.7.255;
      default-lease-time 600;
      max-lease-time 7200;
    }
    host f5d8230 {
      hardware ethernet 00:11:50:d1:3b:30;
      fixed-address 10.7.7.7;
      server-name "10.7.7.1";
      next-server 10.7.7.1;
      filename "rome.boot";
    }
    
  2. If you copy the above config, don't forget to make the ethernet MAC properly match your unit, and config your ethernet for 10.7.7.1 before firing up dhcpd
  3. Place "RUN" image in /tftpboot/rome.boot, complete with proper "RUN" header
  4. Connect serial console (standard TTL level shifter setup)
  5. Press reset, select "b" from ROME boot menu before timeout
  6. Enjoy booting directly from your file instead of flash image

Note: if you extract the "RUN" image from the default firmware file (dd if=f5d8230-4-v2_2.01.02_usa.bin of=rome.boot bs=1 count=886206 skip=80) then booting this way is mainly just a proof-of-concept, since it will still use flash as rootfs due to kernel flag "root=/dev/mtdblock4", so nothing will really be different.
Creating a custom "RUN" image with different rootfs settings (nfs?) would be much more useful for an interim hacking platform during development and testing of a working OpenWRT environment without repeated flashing of kernel and rootfs.

Interesting Discoveries from rootfs/console

  • Kernel 2.4.26-uc0
  • uClibc 0.9.26
  • BusyBox v0.60.0
  • Moreton Bay DHCP Client v0.9.5
  • Includes IPV6 iptables target modules (unused?)
ROME Boot Menu
(c)Copyright Realtek, Inc. 2003
Project ROME LOADER
Version 00.00.18(uClinux) (Mar 10 2005 18:43:35)
Sub version 1.00.00 for identification
[865xB] CPU Clock Rate: 200MHz, Memory Clock Rate: 130MHz
AMD/Fujitsu Standard CFI Query Table v1.1 at 0x0040
Detected flash size: total 4MB.
SDRAM size: 16MB
+TFTP +Auto UART +Bank1:ROM 
Here we try to capture the default reset button:  None.

--== Loader Menu ==--
'r' to update run image
'a' to change config
'l' to update loader
'g' to load run image without updating Flash
'o' to update flash with ROM file
's' to test SDRAM memory
't' to test flash memory
'e' to erase flash memory
Boot Messages
Loading runtime image ...

Unzip image from address: 0xbe020000

Unexpected end of file

Start runtime image at 80000400.

************************************
Powered by Realtek RTL8651B SoC, rev 1
************************************
SDRAM size: 16MB
CPU revision is: 0000ff00
Init MMU (16 entries)
Primary instruction cache 0kB, linesize 0 bytes.
Primary data cache 0kB, linesize 0 bytes.
Linux version 2.4.26-uc0 (fangsongmao@compile-server) (gcc version 3.3.3)
 #6 Mon Aug 1 16:55:02 CST 2005
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
NOFS reserved @ 0x8027fff0
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock4
IRR(0)=c0000000
Calibrating delay loop... 199.06 BogoMIPS
Memory: 13640k/16384k available (2067k kernel code, 2744k reserved, 104k data,
 104k init, 0k highmem)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction...  unavailable.
POSIX conformance testing by UNIFIX
NEW PCI Driver...isLinuxCompliantEndianMode=False(Big Endian)
Found Airgo PCI, function=0!
Memory Space 0 data=0xfffe0000 size=0x20000
Memory Space 1 data=0xfff80000 size=0x80000
PCI device exists: slot 0 function 0 VendorID 17cb DeviceID 1 bbd40000
Found Airgo PCI, function=1!
Found Airgo PCI, function=2!
Found Airgo PCI, function=3!
Found Airgo PCI, function=4!
Found Airgo PCI, function=5!
Found Airgo PCI, function=6!
Found Airgo PCI, function=7!
memory mapping BAnum=0 slot=0 func=0
memory mapping BAnum=1 slot=0 func=0
assign mem base 1bf00000~1bf7ffff at bbd40014 size=524288
assign mem base 1bf80000~1bf9ffff at bbd40010 size=131072
Find Total 1 PCI functions
Found 00:00 [17cb/0001] 000200 00
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SERIAL_PCI enabled
Probing RTL8651 home gateway controller...
Initialize RTL865x ASIC and driver
chip name: 8651B, chip revid: 1
   Initialize mbuf...
   creating default 2 interfaces...eth0 IRR(6)=c0040000
===> Request IRQ 6 for eth0, ret=0
eth1 ...OK
PPP generic driver version 2.4.2
PPP BSD Compression module registered
flash device: 3d0000 at be000000
 Amd/Fujitsu Extended Query Table v1.1 at 0x0040
number of CFI chips: 1
Using word write method
Creating 8 MTD partitions on "Physically mapped flash":
0x00000000-0x00004000 : "boot1"
0x0000a000-0x00010000 : "boot2"
0x00010000-0x00020000 : "boot3"
0x00020000-0x00100000 : "kernel"
0x00100000-0x003e0000 : "rootfs"
0x003f0000-0x00400000 : "nvram"
0x00008000-0x0000a000 : "dnvram"
0x00020000-0x003e0000 : "linux"
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
GRE over IPv4 tunneling driver
ip_conntrack version 2.1 (128 buckets, 1024 max) - 344 bytes per conntrack
ip_conntrack_pptp version $Revision: 1.1.1.1 $ loaded
ip_nat_pptp version $Revision: 1.1.1.1 $ loaded
ip_tables: (C) 2000-2002 Netfilter core team
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
VFS: Mounted root (cramfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 104k freed
Bad boy: serial (at 0x8009d9bc) called us without a dev_id!
IRR(4)=c0c40000
===> Request IRQ 4 for serial, ret=0
__flash_base=0x2ac62000
__crmr_addr=0x2aaaf104
share memory not exist
Trying to free free IRQ4
Bad boy: serial (at 0x8009d9bc) called us without a dev_id!
===> Request IRQ 4 for serial, ret=0
noconsole=0
insmod: et.o: no module by that name found
insmod: led.o: no module by that name found
setup_rtl8651
System initializing...
AMD/Fujitsu Standard CFI Query Table v1.1 at 0x0040
  
cfgmgr_integrityCheck: ok
remote disable        0        ffffffff
rtl8651_user_pid set to 1
pRomeCfgParam->ifCfgParam[0].connType = 2
Bring up ext  port 6..
Rx shift=10002
Using /lib/modules/2.4.26-uc0/kernel/drivers/net/askey/airgo/ccd.o
Using /lib/modules/2.4.26-uc0/kernel/drivers/net/askey/airgo/wns_mod.o
Using /lib/modules/2.4.26-uc0/kernel/drivers/net/askey/airgo/pol_nosdram.o
# MAC Monitoring Register = 0x00000000
# Setup System Clock Rate for Watch Dog
plm probe (plm_dump_buf @ C0027100)
&bdh 807F4170 bdh A07E0000
np->hif_regs->bus_slave.hif_ctrl.val 00000000
np->hif_regs->bus_slave.hif_ctrl.val 000000C0
wlan0: PCI Revision = 3, Slot Name[00:00.0], Slot#[0]
wlan0: at BAR0 = 0xbbf80000, BAR1 = 0xbbf00000, IRQ 5.
IRR(5)=c0c40000
===> Request IRQ 5 for wlan0, ret=0
wlan0: request_irq, err = 0
wlan0: plm_reg_init Succeeded
wlan0: MAC:00:11:50:d1:94:d0
wlan0: plm_get_radio_eeprominfo(), err = 0
wlan0: OFFSET of dev->priv[0x6C]
wlan0: OFFSET of np->hif_regs[0x1060]
wlan0: OFFSET of np->stats_mac_td_ring_flush_cnt[0xD40]
wlan0: OFFSET of np->stats_mac_td_cnt[0xD2C]
Register shadow 18
ccd_msg_handler_shadow 18 2 C0028534
Hit enter to continue...System initializing...
remote disable        0     rtl8651_user_pid set to 1
   ffffffff
pRomeCfgParam
-Set IGMP Default Upstream interface >(eth0) ... iSUCCESS!!
fCfgParam[0].connType = 2
cfg wan to dhcp client ...
PPPoE Passthru disabled.
Drop Unknown PPPoE PADT disabled.
IPv6 Passthru disabled.
IPX Passthru disabled.
NETBIOS Passthru disabled.
Total 0 wlan cards
iwcontrol: not found
find_pid_by_name(): 0
start_lan(): pid_count(0), pid(717624756) ,name(ani8021x_aa)
start_lan(): The first time to execute wsm and ani8021x_aa
Starting MAC FW module...radioID = 0 NUM_RADIO 1 - param_addr = 0x807f50a8
 start at C0039400
[0][1a][3][1125] bg = 1, nTx = 1, nRx = 2, cb=0, ap=1, mpci=0
[0][11][3][1] Sending CFG_DNLD_REQ
Reserve port 6 for peripheral device use. (0x40)
Total WLAN/WDS links: 1
[0][11][3][1] CFG size 3252 bytes MAGIC dword is 0xdeaddead
[0][11][3][1] CFG hdr totParams 187 intParams 144 strBufSize 756/1596
[0][10][3][1] CFG RDET MIN PULSE WIDTH = 100
[0][10][3][1] CFG RDET MAX PULSE WIDTH = 100
[0][10][3][1] CFG RDET PULSE WIDTH MARGIN = 4
[0][10][3][1] CFG RDET PULSE TR CNT1 = 3
[0][10][3][1] CFG RDET PULSE TR CNT2 = 3
[0][10][3][1] CFG RDET PULSE TR CNT3 = 5
[0][10][3][1] CFG RDET RSSI TH = 60
[0][10][3][1] CFG RDET MIN IAT = 5000
[0][10][3][1] CFG RDET MAX IAT = 65535
[0][10][3][1] CFG RDET MEAS DEL  = 77
[0][12][2][80] received unexpected SME_STOP_BSS_REQ in state 0, for role 0
[0][12][2][80] eLIM_SME_OFFLINE_STATE
Applied commit-all global settings
wlan0: Rcvd a eWSM_DRV_RADIO_DISABLE_REQ for radio[0]
Delete port 0 from peripheral port set. (0x40)
Total WLAN/WDS links: 0
mac_mod_exit: Cleaning MAC FW module: radio Id 0
Starting MAC FW module...radioID = 0 NUM_RADIO 1 - param_addr = 0x807f50a8
 start at C0039400
[0][1a][3][1266] bg = 1, nTx = 1, nRx = 2, cb=0, ap=1, mpci=0
[0][11][3][1] Sending CFG_DNLD_REQ
Reserve port 6 for peripheral device use. (0x40)
Total WLAN/WDS links: 1
info, Moreton Bay DHCP Server (v0.9.5) started
[0][11][3][1] CFG size 3252 bytes MAGIC dword is 0xdeaddead
[0][11][3][1] CFG hdr totParams 187 intParams 144 strBufSize 756/1596
[0][10][3][1] CFG RDET MIN PULSE WIDTH = 100
[0][10][3][1] CFG RDET MAX PULSE WIDTH = 100
[0][10][3][1] CFG RDET PULSE WIDTH MARGIN = 4
[0][10][3][1] CFG RDET PULSE TR CNT1 = 3
[0][10][3][1] CFG RDET PULSE TR CNT2 = 3
[0][10][3][1] CFG RDET PULSE TR CNT3 = 5
[0][10][3][1] CFG RDET RSSI TH = 60
[0][10][3][1] CFG RDET MIN IAT = 5000
[0][10][3][1] CFG RDET MAX IAT = 65535
[0][10][3][1] CFG RDET MEAS DEL  = 77
killall: upnp: no process killed
/proc/sys/net/ipv4/ip_masq_udp_dloose: No such file or directory
info, Moreton Bay DHCP Client (v0.9.5) started
__flash_base=0x2ac62000
__crmr_addr=0x2aaaf104
dhcpc client deconfig
ifCfgParam[0].ipAddr: 0.0.0.0
ifCfgParam[0].ipMask: 0.0.0.0
ifCfgParam[0].gwAddr: 0.0.0.0
ifCfgParam[0].dnsPrimaryAddr: 0.0.0.0
ifCfgParam[0].dnsSecondaryAddr: 0.0.0.0
ifCfgParam[0].winsPrimaryAddr: 0.0.0.0
ifCfgParam[0].winsSecondaryAddr: 0.0.0.0
rtl8651_delNaptMapping: ret -6
rtl8651_delRoute(default): ret -3
rtl8651_delIpIntf: ret -2710
target 239.0.0.0
SIOCDELRT: No such process
debug, Sending select for 10.9.8.135...
info, Lease of 10.9.8.135 obtained, lease time 43200
__flash_base=0x2ac62000
__crmr_addr=0x2aaaf104
ip  10.9.8.135
subnet 255.255.255.0
=> Check subnet overlapping .... No Overlap!
ifCfgParam[0].ipAddr: 0.0.0.0
ifCfgParam[0].ipMask: 0.0.0.0
ifCfgParam[0].gwAddr: 0.0.0.0
ifCfgParam[0].dnsPrimaryAddr: 0.0.0.0
ifCfgParam[0].dnsSecondaryAddr: 0.0.0.0
ifCfgParam[0].winsPrimaryAddr: 0.0.0.0
ifCfgParam[0].winsSecondaryAddr: 0.0.0.0
rtl8651_delNaptMapping: ret -6
rtl8651_delRoute(default): ret -3
rtl8651_delIpIntf: ret -2710
target 239.0.0.0
SIOCDELRT: No such process
router 10.9.8.1
target default
ifCfgParam[0].ipAddr: 10.9.8.135
ifCfgParam[0].ipMask: 255.255.255.0
ifCfgParam[0].gwAddr: 10.9.8.1
ifCfgParam[0].dnsPrimaryAddr: 10.9.8.1
ifCfgParam[0].dnsSecondaryAddr: 0.0.0.0
ifCfgParam[0].winsPrimaryAddr: 0.0.0.0
ifCfgParam[0].winsSecondaryAddr: 0.0.0.0
/bin/dnrd: not found
killall: crond: no process killed
run crond
crond offset=/bin/rdate: not found
0
/bin/rdate: not found
target 239.0.0.0
SIOCDELRT: No such process
/bin/rdate: not found
target 239.0.0.0
/bin/upnpd: not found
Hit enter to continue...
/bin/dnrd: not found
row_size(): Can't open /tmp/log_web
exlog(): Loged message(WAN DHCP Client Connected IP 10.9.8.135)
 into /tmp/log_web.lck directly
start_wan_done(): start_firewall
remote disable        0        ffffffff
eth1: No such process
eth0: No such process
none pppoe
find_pid_by_name(): 0
first start set_dyndns
set_dyndns: Users don't fill enough information
interval=2592000
killall: ntpclient: no process killed
(): open /tmp/route_check.pid  successfully
Hit enter to continue...
/proc/cpuinfo
system type             : Philips Nino
processor               : 0
cpu model               : R3000 V0.0
BogoMIPS                : 199.06
wait instruction        : no
microsecond timers      : no
tlb_entries             : 16
extra interrupt vector  : no
hardware watchpoint     : no
VCED exceptions         : not available
VCEI exceptions         : not available
/proc/mtd
dev:    size   erasesize  name
mtd0: 00004000 00002000 "boot1"
mtd1: 00006000 00002000 "boot2"
mtd2: 00010000 00010000 "boot3"
mtd3: 000e0000 00010000 "kernel"
mtd4: 002e0000 00010000 "rootfs"
mtd5: 00010000 00010000 "nvram"
mtd6: 00002000 00002000 "dnvram"
mtd7: 003c0000 00010000 "linux"

Hidden Web Interface Pages

  • test.html (see also the vars in the "for test" section in NVRAM below - no idea what these do yet)
  • system.log (gives 404, but symlinked to /var/system.log - maybe some other method?)

NVRAM Info

NVRAM (defaults?) from firmware
# NVRAM control
*belkin_router=1
restore_defaults=0
fw_reset=0
*et1phyaddr=0
*et0phyaddr=30
*boardflags=0x0388
*hw_model=F5D8230-4 v2
*fw_magic=0x02088200
tftp_ipaddr=192.168.2.1
model_check=1

# OS parameters
lan_ifname=eth1
*lan_ifnames=eth0 eth2
lan_hwnames=et0 il0 wl0 wl1
wan_access=eth1
wan_ifname=eth0
wan_ifnames=
wan_hwname=et1
os_name=linux
*os_version=2.01.02

*language=English
*user_conf_ver=1.01
*kernel_mods=et
*fw_src=http://networking.belkin.com/update/files/usa/mimoV2/g_router.html
fw_id=RT3105W-D56
*RADIO_MODULE=airgo

# Miscellaneous parameters
timer_interval=3600
log_level=0
time_zone=PST8PDT
upnp_enable=0
os_server=
stats_server=
console_loglevel=1
log_tftp=0
log_tftp_server=
login_timeout=10
remote_config_ip=
remote_access_port=80
route_check_host=heartbeat.belkin.com
et1macaddr_copy=
dyndns_auto=1

# LAN Default
lan_proto=dhcp
lan_ipaddr=192.168.2.1
lan_netmask=255.255.255.0
m_lan_ipaddr=192.168.2.1
m_lan_netmask=255.255.255.0
default_lan_ipaddr=192.168.2.1
default_lan_netmask=255.255.255.0
default_lan_gateway=192.168.2.1
default_lan_dhcp_client_br=0
default_lan_proto_br=static
default_lan_dhcp_client_nat=0
default_lan_proto_nat=dhcp
default_lan_ipaddr_br=192.168.2.254
default_lan_netmask_br=255.255.255.0
*lan_stp=0
lan_gateway=192.168.2.1
lan_dns=
lan_dhcp_client=0
BridgeFlag=0
NatFlag=1

# WAN Default
wan_proto=dhcp
wan_ipaddr=0.0.0.0
wan_netmask=0.0.0.0
wan_gateway=0.0.0.0
wan_dns=
wan_wins=
wan_hostname=
wan_domain=
wan_lease=864000
static_route=

#new wireless driver virables
wl_ifname=eth2
wl0_ifname=wlan0
wl_ssid=Belkin_Pre_N_
wl_ssid_d=Belkin_Pre_N_
wl_country=USA
wl_closed=0
*wl_country_code=US
wl_radio=1
wl_mode=ap
wl_lazywds=0
wl_wds=
wl_wep=off
wl_wep_mode=0
wl_crypto=tkip
wl_auth=0
wl_key=1
wl_key1=F
wl_key2=
wl_key3=
wl_key4=
wl_maclist=
wl_mac=
wl_macmode=disabled
wl_rate=0
wl_rateset=set2
wl_channel=0
wl_frag=2346
wl_rts=2347
wl_dtim=1
wl_bcn=100
wl_gmode=1
wl_afterburner=auto
wl_gmode_protection=auto
wl_hwaddr=
wl_phytype=g
wl_phytypes=g
wl_unit=0
wl_frameburst=off
wl_wpa_psk=
wl_wpa_gtk_rekey=900
wl_radius_ipaddr=
wl_radius_port=1812
wl_radius_key=
wl_radius_timeout=30
wl_radius_maxtries=3
wl_auth_mode=disabled
wl_ibss=1
wl_psk_obscure=
wl_wep128_manual=1
wl_wep64_manual=1
wl_qos=1
wl_density=0
wl_plcphdr=long
wl_proximity=0
*wl_wme=0
ssid_updated=0
wl_akm=
pa0maxpwr=60

# Manual
m_wan_ipaddr=
m_wan_netmask=
m_wan_gateway=
m_wan_dns=
m_wan_wins=
m_wan_hostname=
m_wan_domain=Belkin
m_wan_aliasip=
m_wan_moreip=
m_autodns=1

# LAN filters
fi=
ft=
fu=
fm=

# new firewall features
default_policy=0
mac_filter=0
ip_filter=0
tcp_filter=0
udp_filter=0
internal_policy=1
wan_ping=1
firewall_enable=1
filter_enable=1
http_wan_enable=0
dos_enable=1

# Port forwards
fwt=
fwu=
dmz_ipaddr=
fwi=
fwi_des=
fj=
fg=
fw_auto_detect=0
fm=

# DHCP server parameters
dhcp_start=192.168.2.2
dhcp_end=192.168.2.100
dhcp_lease=0
dhcp_dns=
dhcp_autodns=1

# Web server parameters
http_username=
http_passwd=
http_wanport=80
http_lanport=80

# PPPoE parameters
pppoe_username=
pppoe_passwd=
pppoe_idletime_min=5
pppoe_idletime=300
pppoe_keepalive=1
pppoe_demand=0
pppoe_ifname=eth0
pppoe_auth_mode=auto
pppoe_mru=1454
pppoe_mtu=1454
pppoe_servicename=
pppoe_dns=
pppoe_autodns=1

# PPTP parameters
pptp_username=
pptp_password=
pptp_server_ipaddr=
pptp_ipaddr=
pptp_netmask=
pptp_idle_disconnect=
pptp_idle_interval=
pptp_conn_id=

#   NTP Default
ntp_dst_enabled=1
ntp_enable=1
ntp_timezone=5
ntp_sync_interval=1
ntp_server=192.43.244.18 132.163.4.102
user_time_yr=1970
user_time_mo=1
user_time_dd=1
user_time_hr=0
user_time_mn=0
user_time_update=0

#Cerberian
#ceb_enable=0
ceb_email_enable=1
#ceb_subsc=2
ceb_timeout=10
ceb_unavail_block=1
#ceb_report_enable=0
#ceb_expire=0
ceb_nag=1

# big pond parameters (added by bin 01/24/03)
bpa_username=
bpa_passwd=
bpa_server=
bpa_state=
bpa_manual_enable=

#iapp daemon
*iappd_oid=00:30:bd
*device_type=1

# DynDNS
dyndns_username=
dyndns_password=
dyndns_hostname=

#for test
epi_ttcp_host=192.168.2.100
radioID=0
gain=d
dumpfilename=gram_capture.txt
tftpServer=192.168.2.100
test_delay=0


toh/belkin/f5d8230-4v2.txt · Last modified: 2011/03/10 21:31 (external edit)