You are here: OpenWrt Wiki » Table of Hardware » Belkin » Belkin F5D8230-4 v2000

Belkin F5D8230-4 v2000

One of Belkin's "Pre-N" routers. This page is specifically about the v2xxx units with Realtek RTL8651B SoC, and research is based on a v2001 unit. The v1000 used a Broadcom SoC and information about it is available elsewhere.

Supported Versions

Version/Model	S/N	OpenWrt Version Supported	Model Specific Notes
v1xxx	?	?	Works if MiniPCI card is replaced (Airgo not supported)
v2xxx	?	WIP	Realtek SoC not yet in toolchain

Hardware Highlights

CPU	Ram	Flash	Network	USB	Serial	JTag
Realtek RTL8651B	16MB	4MB	4x1	No	?	?

This board is also known as the RT3105W-D56 (probably the Askey OEM model).

More RTL8651B info available here

Installation

Possible methods:

Use serial console to load RAM image, flash from OpenWRT shell
Use serial console to directly flash
Use Belkin web interface flasher (build compatible image)

OEM easy installation

No such technique exists yet. The Belkin web upgrade file format needs to be understood in order to generate custom firmware images which will be accepted (mostly the checksum algorithm, which may be the same as for other Belkin routers – untested as of yet). Much of the other header information has been correctly guessed at (see below).

OEM installation using the TFTP method

If the router has a corrupted "RUN" image in flash, it will default to recovery mode. Unlike the Broadcom SoC with CFE, it does not wait for a "TFTP put" – you have to set up a BOOTP and TFTP server and tell it what file to grab (similar to the TFTP boot method below). Without using a serial console method to trigger the recovery (or flash) it does not seem likely there will be an easy method for forcibly flashing via recovery mode such as on Broadcom hardware, there is apparently no equivalent to the "boot_wait" mode.

Upgrading OpenWRT

If you have already installed OpenWrt (which you couldn't have done yet) and like to reflash for e.g. upgrading to a new OpenWrt version you can upgrade using the mtd command line tool. It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.

LuCI Web Upgrade Process

Browse to http://192.168.1.1/cgi-bin/luci/mini/system/upgrade/ LuCI Upgrade URL
Upload TRX file to LuCI
Wait for reboot

Terminal Upgrade Process

Login as root via SSH on 192.168.1.1
Use the following commands to upgrade.

cd /tmp/
wget http://downloads.openwrt.org/latest/brcm-2.4/openwrt-brcm-2.4-squashfs.trx
mtd write /tmp/openwrt-brcm-2.4-squashfs.trx linux && reboot

Hardware

Info

Architecture: MIPS32 MSB (Lexra LX5280 core w/MMU)

Vendor: Realtek

Bootloader: ROME

System-On-Chip: Realtek RTL8651B

CPU Speed: 200 Mhz

Flash-Chip: MX 29LV320ABTC-90

Flash size: 4 MiB

RAM-Chip: 2 x EtronTech EM638165TS-7

RAM size: 16 MiB

Wireless: Airgo AGN103BB-01 (MiniPCI) (possible driver here)

Ethernet: Switch in CPU

USB: USB1.1 on-chip, no obvious connections on this board (possibly available with hardware mod)

Serial: Yes

JTAG: maybe

Photos

(forthcoming)

Model Number

Front:

Photo of front

Back:

Photo of back

Opening the case

Note: This will void your warranty!

To remove the cover simply remove the four obvious corner screws on the bottom and pull apart easily.
There are four obvious screws holding the PCB to the bottom cover.
To completely free the top cover, carefully disconnect the three antenna cables from the MiniPCI card.
To remove the MiniPCI card, use a thin dull object to tear out the adhesive foam mounting sandwiched between the card and the board. There is not much to damage in that area but be careful anyway. Replace with Velcro or similar to regain solid mounting but still be easily removable. Once card is freed, it removes like any MiniPCI does using the release tabs on the edges of the socket, and can be replaced by some other card with driver support (Broadcom, Atheros…)
To access the important guts, carefully pry the lid off the larger ("top side") shield can, referred to in this document as the "system can". It is not soldered and comes off very easily.

Main PCB

(photos forthcoming)

Serial

There is a 4-pin white header ("JP1") inside the system can which is the serial port. This is the confirmed pinout, and the terminal settings are 38400 8N1:

(Towards LED edge of board)
+3.5V
GND
(output)
(input)
(Towards "J7")

Direction here is relative the device. So, "output" would connect to the PC "input" so you could see the console data and "input" would connect to the PC "output" so you could enter commands. All the usual Tx and Rx stuff gets confusing so I went with this more descriptive method.

JTAG

Possible JTAG located in system can at micro header J7 (12 pin, probably standard). To be verified and tested.

Realtek SoC supports MIPS EJTAG 2.0, so the question is whether the board has the SoC JTAG pins connected or not. JTAG identifiers should be these, if connection is figured out:

ManufID: 6
PartNumber: 5280

See port.jtag for more JTAG details.

Specific Configuration

Interfaces

OpenWRT designations to be determined.

Interfaces within original Belkin 2.01.02 firmware are below:

Interface Name	Description	Default configuration
(bridge?)	LAN & WiFi	192.168.2.1/24
rtl0	Ethernet core device?	?
et0	LAN ports (1 to 4)	None
et1	WAN port	DHCP
wlan0	Airgo WiFi	Open, SSID = "Belkin_Pre_N_"

Switch Ports (for VLANs)

There don't appear to be any VLANs. The Realtek SoC provides two separate MAC interfaces in hardware, one is chained to a built-in switch chip and drives the LAN ports (eth0), and the other is apparently connected to the WAN port (eth1).

Failsafe mode

If you forgot your password, broken one of the startup scripts, firewalled yourself or corrupted the JFFS2 partition, you can get back in by using OpenWrt's failsafe mode.

Boot into failsafe mode

Unplug the router's power cord.
Connect the router's LAN1 port directly to your PC.
Configure your PC with a static IP address between 192.168.1.2 and 192.168.1.254. E. g. 192.168.1.2 (gateway and DNS is not required).
Plug the power on and wait for the DMZ LED to light up.
While the DMZ LED is on immediately press any button (Reset and Secure Easy Setup will work) a few times .
If done right the DMZ LED will quickly flash 3 times every second.
You should be able to telnet to the router at 192.168.1.1 now (no username and password)

What to do in failsafe mode?

NOTE: The root file system in failsafe mode is the SquashFS partition mounted in readonly mode. To switch to the normal writable root file system run mount_root and make any changes. Run mount_root now.

Forgot/lost your password and you like to set a new one

passwd

Forgot the routers IP address

uci get network.lan.ipaddr

You accidentally run 'ipkg upgrade' or filled up the flash by installing to big packages (clean the JFFS2 partition and start over)

mtd -r erase rootfs_data If you are done with failsafe mode power cycle the router and boot in normal mode.

Buttons

The Belkin F5D8230-4 v2xxx has one button, Reset, located on the bottom in the right rear corner (viewing unit from the "front"), near one of the main case screw holes - it is labeled and requires a reasonable length poking tool. The button may be able to be used with hotplug events, but may be hard-wired to reset the board (verification pending).

BUTTON	Event
Reset	reset

Basic configuration

This space for rent.

Hardware mods

Nothing yet

Other Info

Belkin GPL Source

Available here

broken tgz archive, inside a broken tar.gz archive (BRAVO!)
unpacks a bunch of stuff if you force it (probably not all the files are there)
does not include toolchain (uClinux)
won't build (probably due to lack of all the files)
contacted Belkin so maybe they put up a repack that isn't truncated and broken
have to use other Realtek based GPL sources from other manufacturers in the mean time

GPL Source Highlights

Apparently uses GoAhead WebServer as its httpd

Belkin Firmware (bin) Format

Examination of latest firmware bin (f5d8230-4-v2_2.01.02_usa.bin):

Belkin (overall) Structures

All multibyte "uint" types are big-endian unless otherwise specified.

file offset	format	example	description
`0x00000000`	file magic?	`02 FF FF 00`	(most likely) Belkin magic number for this model
`0x00000004`	uint32	`00 33 40 55`	Total File Size, including headers (size of bin file on disk)
`0x00000008`	file checksum?	`D1 55 1D C1`	(most likely) Total File Checksum (TODO: algorithm)
`0x0000000c`-`0x0000001b`		`00 80 00 00`…	?
`0x0000001c`	node magic	`30 52 44 48`	reversed ASCII = "HDR0"
`0x00000020`	uint32	`00 33 30 1C`	"HDR0" Size, including "HDR0" header (from `0x1c` onward)
`0x00000024`	node checksum?	`FD 3E 8C 6F`	(most likely) "HDR0" Checksum (TODO: algorithm)
`0x00000028`-`0x00000037`		`00 80 00 00`…	?
"HDR0" Payload
`0x00000038`			Realtek Image "WEB" Header (see below)
`0x00000050`			Realtek Image "RUN" Header (see below)
`0x00000068`			"kernel.bin" (probably wrapped in some structure defining load addresses, etc)
`0x000d860e`			null padding
`0x000e0038`			rootfs (cromfs)
offsets below this point depend on the "HDR0" Node Size! (listed offsets are based on the specific `f5d8230-4-v2_2.01.02_usa.bin` file) Note: `0x0000001c` + `0x0033301c` = `0x00333038`
`0x00333038`	node magic	`52 41 56 4E`	reversed ASCII = "NVAR"
`0x0000003c`	uint32	`00 00 10 1D`	"NVAR" Size, including "NVAR" header (from `0x333038` onward)
`0x00333040`	node checksum?	`7C AC 9A 85`	(most likely) "NVAR" Checksum (TODO: algorithm)
`0x00333044`			"NVAR" Payload
`(EOF)`

Realtek ROME Structures

Note: image offset is within the ROME image itself (not file offsets in the bin file)
Most of this info comes directly from the structures and defines in rtl_image.h in the GPL source.
In the example file, there are two headers – the main "WEB" header, and within the "WEB" Image Body is an immediate "RUN" header, and then within the "RUN" Image Body is the actual executable code.

"WEB" Header (begins at `0x38` in example file)
offset	format	example	description
`0x00000000`	magic	`59 A0 E8 42`	Product Magic
`0x00000004`	uint16	`D9 2F`	Image Type » `0xb162` ⇒ "RDIR" » `0xea43` ⇒ "BOOT" » `0x8dc9` ⇒ "RUN" » `0xd92f` ⇒ "WEB" » `0x2a05` ⇒ "CCFG" » `0x6ce8` ⇒ "DCFG" » `0xc371` ⇒ "LOG"
`0x00000006`	uint8	`01`	Image Header Version
`0x00000007`	uint8	`00`	"reserved1" (padding for 32-bit alignment)
`0x00000008`	uint32	`07 D5 08 01`	Image Creation Date (in Network Order) » B1B2:year(0..65535) (big-endian) » B3:month(1..12) » B4:day(1..31) (example = 2005-08-01)
`0x0000000c`	uint32	`10 38 2F 00`	Image Creation Time (in Network Order) » B1:hour(0..23) » B2:minute(0..59) » B3:second(0..59) (example = 4:56:47PM)
`0x00000010`	uint32	`00 33 2F E8`	Image Body Length (not including header)
`0x00000014`	uint16	`00 00`	"reserved2" (unused?)
`0x00000016`	uint8	`F0`	Image Body Checksum (running byte XOR)
`0x00000017`	uint8	`7C`	Image Header Checksum (running byte XOR)
`0x00000018`			Image Body
"RUN" Header (begins at `0x50` in example file, `0x18` in the Realtek "WEB" Image)
offset	format	example	description
`0x00000000`	magic	`59 A0 E8 42`	Product Magic
`0x00000004`	uint16	`8D C9`	Image Type » `0xb162` ⇒ "RDIR" » `0xea43` ⇒ "BOOT" » `0x8dc9` ⇒ "RUN" » `0xd92f` ⇒ "WEB" » `0x2a05` ⇒ "CCFG" » `0x6ce8` ⇒ "DCFG" » `0xc371` ⇒ "LOG"
`0x00000006`	uint8	`01`	Image Header Version
`0x00000007`	uint8	`00`	"reserved1" (padding for 32-bit alignment)
`0x00000008`	uint32	`07 D5 08 01`	Image Creation Date (in Network Order) » B1B2:year(0..65535) (big-endian) » B3:month(1..12) » B4:day(1..31) (example = 2005-08-01)
`0x0000000c`	uint32	`10 38 2E 00`	Image Creation Time (in Network Order) » B1:hour(0..23) » B2:minute(0..59) » B3:second(0..59) (example = 4:56:46PM)
`0x00000010`	uint32	`00 0D 85 A6`	Image Body Length (not including header)
`0x00000014`	uint16	`00 00`	"reserved2" (unused?)
`0x00000016`	uint8	`DE`	Image Body Checksum (running byte XOR)
`0x00000017`	uint8	`3B`	Image Header Checksum (running byte XOR)
`0x00000018`			Image Body

Kernel is in the "RUN" Image Body
The "WEB" Image Body includes the "RUN" Image, then a bunch of 00 padding, and finally the rootfs
Compressed ROMFS (cromfs) root filesystem @ bin file offset 0x000e0038 (can be extracted, mounted, and examined)

BONUS: "file" magic definitions

These can be added to your /usr/share/file/magic list (wherever it is on your system) to allow the "file" command to tell you most of the info about proper ROME binaries. This can be a quick test to make sure the header is right, or a quicker way to extract certain info than firing up the hex editor.
Don't forget to do something like sudo file -C -m /usr/share/file/magic ; sudo mv magic.mgc /usr/share/file/magic.mgc to recompile your magics so that "file" will use them. Furthermore, all spaces up to "\b" or other text should be tab characters (the wiki, and/or copy-paste will probably mangle them).

# Realtek ROME binaries
0 belong  0x59a0e842 Realtek ROME Binary
>4 beshort  0xb162  \b RDIR Image
>4 beshort  0xea43  \b BOOT Image
>4 beshort  0x8dc9  \b RUN Image
>4 beshort  0xd92f  \b WEB Image
>4 beshort  0x2a05  \b CCFG Image
>4 beshort  0x6ce8  \b DCFG Image
>4 beshort  0xc371  \b LOG Image
>6 byte x \b, version %d
>16 belong x \b, payload size %d
>8 beshort x \b (built %04d-
>10 byte x \b%02d-
>11 byte x \b%02d
>12 byte x \b %02d:
>13 byte x \b%02d:
>14 byte x \b%02d)

After these are properly installed, you can do stuff like this:

$ file rome.boot
rome.boot: Realtek ROME Binary RUN Image, version 1, payload size 886182 (built 2005-08-01 16:56:46)

Booting from TFTP

Setup BOOTP server connected to any LAN port. Use something like this (ISC DHCP3 server):

subnet 10.7.7.0 netmask 255.255.255.0 {
  range 10.7.7.100 10.7.7.200;
  option domain-name-servers 10.7.7.1;
  option domain-name "dev.lan";
  option routers 10.7.7.1;
  option broadcast-address 10.7.7.255;
  default-lease-time 600;
  max-lease-time 7200;
}
host f5d8230 {
  hardware ethernet 00:11:50:d1:3b:30;
  fixed-address 10.7.7.7;
  server-name "10.7.7.1";
  next-server 10.7.7.1;
  filename "rome.boot";
}

If you copy the above config, don't forget to make the ethernet MAC properly match your unit, and config your ethernet for 10.7.7.1 before firing up dhcpd
Place "RUN" image in /tftpboot/rome.boot, complete with proper "RUN" header
Connect serial console (standard TTL level shifter setup)
Press reset, select "b" from ROME boot menu before timeout
Enjoy booting directly from your file instead of flash image

Note: if you extract the "RUN" image from the default firmware file (dd if=f5d8230-4-v2_2.01.02_usa.bin of=rome.boot bs=1 count=886206 skip=80) then booting this way is mainly just a proof-of-concept, since it will still use flash as rootfs due to kernel flag "root=/dev/mtdblock4", so nothing will really be different.
Creating a custom "RUN" image with different rootfs settings (nfs?) would be much more useful for an interim hacking platform during development and testing of a working OpenWRT environment without repeated flashing of kernel and rootfs.

Interesting Discoveries from rootfs/console

Kernel 2.4.26-uc0
uClibc 0.9.26
BusyBox v0.60.0
Moreton Bay DHCP Client v0.9.5
Includes IPV6 iptables target modules (unused?)

ROME Boot Menu
(c)Copyright Realtek, Inc. 2003 Project ROME LOADER Version 00.00.18(uClinux) (Mar 10 2005 18:43:35) Sub version 1.00.00 for identification [865xB] CPU Clock Rate: 200MHz, Memory Clock Rate: 130MHz AMD/Fujitsu Standard CFI Query Table v1.1 at 0x0040 Detected flash size: total 4MB. SDRAM size: 16MB +TFTP +Auto UART +Bank1:ROM Here we try to capture the default reset button: None. --== Loader Menu ==-- 'r' to update run image 'a' to change config 'l' to update loader 'g' to load run image without updating Flash 'o' to update flash with ROM file 's' to test SDRAM memory 't' to test flash memory 'e' to erase flash memory
Boot Messages
Loading runtime image ... Unzip image from address: 0xbe020000 Unexpected end of file Start runtime image at 80000400. ********************************** Powered by Realtek RTL8651B SoC, rev 1 ********************************** SDRAM size: 16MB CPU revision is: 0000ff00 Init MMU (16 entries) Primary instruction cache 0kB, linesize 0 bytes. Primary data cache 0kB, linesize 0 bytes. Linux version 2.4.26-uc0 (fangsongmao@compile-server) (gcc version 3.3.3) #6 Mon Aug 1 16:55:02 CST 2005 Determined physical RAM map: memory: 01000000 @ 00000000 (usable) NOFS reserved @ 0x8027fff0 On node 0 totalpages: 4096 zone(0): 4096 pages. zone(1): 0 pages. zone(2): 0 pages. Kernel command line: root=/dev/mtdblock4 IRR(0)=c0000000 Calibrating delay loop... 199.06 BogoMIPS Memory: 13640k/16384k available (2067k kernel code, 2744k reserved, 104k data, 104k init, 0k highmem) Dentry cache hash table entries: 2048 (order: 2, 16384 bytes) Inode cache hash table entries: 1024 (order: 1, 8192 bytes) Mount cache hash table entries: 512 (order: 0, 4096 bytes) Buffer cache hash table entries: 1024 (order: 0, 4096 bytes) Page-cache hash table entries: 4096 (order: 2, 16384 bytes) Checking for 'wait' instruction... unavailable. POSIX conformance testing by UNIFIX NEW PCI Driver...isLinuxCompliantEndianMode=False(Big Endian) Found Airgo PCI, function=0! Memory Space 0 data=0xfffe0000 size=0x20000 Memory Space 1 data=0xfff80000 size=0x80000 PCI device exists: slot 0 function 0 VendorID 17cb DeviceID 1 bbd40000 Found Airgo PCI, function=1! Found Airgo PCI, function=2! Found Airgo PCI, function=3! Found Airgo PCI, function=4! Found Airgo PCI, function=5! Found Airgo PCI, function=6! Found Airgo PCI, function=7! memory mapping BAnum=0 slot=0 func=0 memory mapping BAnum=1 slot=0 func=0 assign mem base 1bf00000~1bf7ffff at bbd40014 size=524288 assign mem base 1bf80000~1bf9ffff at bbd40010 size=131072 Find Total 1 PCI functions Found 00:00 [17cb/0001] 000200 00 Linux NET4.0 for Linux 2.4 Based upon Swansea University Computer Society NET3.039 Initializing RT netlink socket Starting kswapd devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au) devfs: boot_options: 0x1 pty: 256 Unix98 ptys configured Serial driver version 5.05c (2001-07-08) with MANY_PORTS SERIAL_PCI enabled Probing RTL8651 home gateway controller... Initialize RTL865x ASIC and driver chip name: 8651B, chip revid: 1 Initialize mbuf... creating default 2 interfaces...eth0 IRR(6)=c0040000 ===> Request IRQ 6 for eth0, ret=0 eth1 ...OK PPP generic driver version 2.4.2 PPP BSD Compression module registered flash device: 3d0000 at be000000 Amd/Fujitsu Extended Query Table v1.1 at 0x0040 number of CFI chips: 1 Using word write method Creating 8 MTD partitions on "Physically mapped flash": 0x00000000-0x00004000 : "boot1" 0x0000a000-0x00010000 : "boot2" 0x00010000-0x00020000 : "boot3" 0x00020000-0x00100000 : "kernel" 0x00100000-0x003e0000 : "rootfs" 0x003f0000-0x00400000 : "nvram" 0x00008000-0x0000a000 : "dnvram" 0x00020000-0x003e0000 : "linux" NET4: Linux TCP/IP 1.0 for NET4.0 IP Protocols: ICMP, UDP, TCP, IGMP IP: routing cache hash table of 512 buckets, 4Kbytes TCP: Hash tables configured (established 1024 bind 2048) GRE over IPv4 tunneling driver ip_conntrack version 2.1 (128 buckets, 1024 max) - 344 bytes per conntrack ip_conntrack_pptp version $Revision: 1.1.1.1 $ loaded ip_nat_pptp version $Revision: 1.1.1.1 $ loaded ip_tables: (C) 2000-2002 Netfilter core team NET4: Unix domain sockets 1.0/SMP for Linux NET4.0. VFS: Mounted root (cramfs filesystem) readonly. Mounted devfs on /dev Freeing unused kernel memory: 104k freed Bad boy: serial (at 0x8009d9bc) called us without a dev_id! IRR(4)=c0c40000 ===> Request IRQ 4 for serial, ret=0 __flash_base=0x2ac62000 __crmr_addr=0x2aaaf104 share memory not exist Trying to free free IRQ4 Bad boy: serial (at 0x8009d9bc) called us without a dev_id! ===> Request IRQ 4 for serial, ret=0 noconsole=0 insmod: et.o: no module by that name found insmod: led.o: no module by that name found setup_rtl8651 System initializing... AMD/Fujitsu Standard CFI Query Table v1.1 at 0x0040 cfgmgr_integrityCheck: ok remote disable 0 ffffffff rtl8651_user_pid set to 1 pRomeCfgParam->ifCfgParam[0].connType = 2 Bring up ext port 6.. Rx shift=10002 Using /lib/modules/2.4.26-uc0/kernel/drivers/net/askey/airgo/ccd.o Using /lib/modules/2.4.26-uc0/kernel/drivers/net/askey/airgo/wns_mod.o Using /lib/modules/2.4.26-uc0/kernel/drivers/net/askey/airgo/pol_nosdram.o # MAC Monitoring Register = 0x00000000 # Setup System Clock Rate for Watch Dog plm probe (plm_dump_buf @ C0027100) &bdh 807F4170 bdh A07E0000 np->hif_regs->bus_slave.hif_ctrl.val 00000000 np->hif_regs->bus_slave.hif_ctrl.val 000000C0 wlan0: PCI Revision = 3, Slot Name[00:00.0], Slot#[0] wlan0: at BAR0 = 0xbbf80000, BAR1 = 0xbbf00000, IRQ 5. IRR(5)=c0c40000 ===> Request IRQ 5 for wlan0, ret=0 wlan0: request_irq, err = 0 wlan0: plm_reg_init Succeeded wlan0: MAC:00:11:50:d1:94:d0 wlan0: plm_get_radio_eeprominfo(), err = 0 wlan0: OFFSET of dev->priv[0x6C] wlan0: OFFSET of np->hif_regs[0x1060] wlan0: OFFSET of np->stats_mac_td_ring_flush_cnt[0xD40] wlan0: OFFSET of np->stats_mac_td_cnt[0xD2C] Register shadow 18 ccd_msg_handler_shadow 18 2 C0028534 Hit enter to continue...System initializing... remote disable 0 rtl8651_user_pid set to 1 ffffffff pRomeCfgParam -Set IGMP Default Upstream interface >(eth0) ... iSUCCESS!! fCfgParam[0].connType = 2 cfg wan to dhcp client ... PPPoE Passthru disabled. Drop Unknown PPPoE PADT disabled. IPv6 Passthru disabled. IPX Passthru disabled. NETBIOS Passthru disabled. Total 0 wlan cards iwcontrol: not found find_pid_by_name(): 0 start_lan(): pid_count(0), pid(717624756) ,name(ani8021x_aa) start_lan(): The first time to execute wsm and ani8021x_aa Starting MAC FW module...radioID = 0 NUM_RADIO 1 - param_addr = 0x807f50a8 start at C0039400 [0][1a][3][1125] bg = 1, nTx = 1, nRx = 2, cb=0, ap=1, mpci=0 [0][11][3][1] Sending CFG_DNLD_REQ Reserve port 6 for peripheral device use. (0x40) Total WLAN/WDS links: 1 [0][11][3][1] CFG size 3252 bytes MAGIC dword is 0xdeaddead [0][11][3][1] CFG hdr totParams 187 intParams 144 strBufSize 756/1596 [0][10][3][1] CFG RDET MIN PULSE WIDTH = 100 [0][10][3][1] CFG RDET MAX PULSE WIDTH = 100 [0][10][3][1] CFG RDET PULSE WIDTH MARGIN = 4 [0][10][3][1] CFG RDET PULSE TR CNT1 = 3 [0][10][3][1] CFG RDET PULSE TR CNT2 = 3 [0][10][3][1] CFG RDET PULSE TR CNT3 = 5 [0][10][3][1] CFG RDET RSSI TH = 60 [0][10][3][1] CFG RDET MIN IAT = 5000 [0][10][3][1] CFG RDET MAX IAT = 65535 [0][10][3][1] CFG RDET MEAS DEL = 77 [0][12][2][80] received unexpected SME_STOP_BSS_REQ in state 0, for role 0 [0][12][2][80] eLIM_SME_OFFLINE_STATE Applied commit-all global settings wlan0: Rcvd a eWSM_DRV_RADIO_DISABLE_REQ for radio[0] Delete port 0 from peripheral port set. (0x40) Total WLAN/WDS links: 0 mac_mod_exit: Cleaning MAC FW module: radio Id 0 Starting MAC FW module...radioID = 0 NUM_RADIO 1 - param_addr = 0x807f50a8 start at C0039400 [0][1a][3][1266] bg = 1, nTx = 1, nRx = 2, cb=0, ap=1, mpci=0 [0][11][3][1] Sending CFG_DNLD_REQ Reserve port 6 for peripheral device use. (0x40) Total WLAN/WDS links: 1 info, Moreton Bay DHCP Server (v0.9.5) started [0][11][3][1] CFG size 3252 bytes MAGIC dword is 0xdeaddead [0][11][3][1] CFG hdr totParams 187 intParams 144 strBufSize 756/1596 [0][10][3][1] CFG RDET MIN PULSE WIDTH = 100 [0][10][3][1] CFG RDET MAX PULSE WIDTH = 100 [0][10][3][1] CFG RDET PULSE WIDTH MARGIN = 4 [0][10][3][1] CFG RDET PULSE TR CNT1 = 3 [0][10][3][1] CFG RDET PULSE TR CNT2 = 3 [0][10][3][1] CFG RDET PULSE TR CNT3 = 5 [0][10][3][1] CFG RDET RSSI TH = 60 [0][10][3][1] CFG RDET MIN IAT = 5000 [0][10][3][1] CFG RDET MAX IAT = 65535 [0][10][3][1] CFG RDET MEAS DEL = 77 killall: upnp: no process killed /proc/sys/net/ipv4/ip_masq_udp_dloose: No such file or directory info, Moreton Bay DHCP Client (v0.9.5) started __flash_base=0x2ac62000 __crmr_addr=0x2aaaf104 dhcpc client deconfig ifCfgParam[0].ipAddr: 0.0.0.0 ifCfgParam[0].ipMask: 0.0.0.0 ifCfgParam[0].gwAddr: 0.0.0.0 ifCfgParam[0].dnsPrimaryAddr: 0.0.0.0 ifCfgParam[0].dnsSecondaryAddr: 0.0.0.0 ifCfgParam[0].winsPrimaryAddr: 0.0.0.0 ifCfgParam[0].winsSecondaryAddr: 0.0.0.0 rtl8651_delNaptMapping: ret -6 rtl8651_delRoute(default): ret -3 rtl8651_delIpIntf: ret -2710 target 239.0.0.0 SIOCDELRT: No such process debug, Sending select for 10.9.8.135... info, Lease of 10.9.8.135 obtained, lease time 43200 __flash_base=0x2ac62000 __crmr_addr=0x2aaaf104 ip 10.9.8.135 subnet 255.255.255.0 => Check subnet overlapping .... No Overlap! ifCfgParam[0].ipAddr: 0.0.0.0 ifCfgParam[0].ipMask: 0.0.0.0 ifCfgParam[0].gwAddr: 0.0.0.0 ifCfgParam[0].dnsPrimaryAddr: 0.0.0.0 ifCfgParam[0].dnsSecondaryAddr: 0.0.0.0 ifCfgParam[0].winsPrimaryAddr: 0.0.0.0 ifCfgParam[0].winsSecondaryAddr: 0.0.0.0 rtl8651_delNaptMapping: ret -6 rtl8651_delRoute(default): ret -3 rtl8651_delIpIntf: ret -2710 target 239.0.0.0 SIOCDELRT: No such process router 10.9.8.1 target default ifCfgParam[0].ipAddr: 10.9.8.135 ifCfgParam[0].ipMask: 255.255.255.0 ifCfgParam[0].gwAddr: 10.9.8.1 ifCfgParam[0].dnsPrimaryAddr: 10.9.8.1 ifCfgParam[0].dnsSecondaryAddr: 0.0.0.0 ifCfgParam[0].winsPrimaryAddr: 0.0.0.0 ifCfgParam[0].winsSecondaryAddr: 0.0.0.0 /bin/dnrd: not found killall: crond: no process killed run crond crond offset=/bin/rdate: not found 0 /bin/rdate: not found target 239.0.0.0 SIOCDELRT: No such process /bin/rdate: not found target 239.0.0.0 /bin/upnpd: not found Hit enter to continue... /bin/dnrd: not found row_size(): Can't open /tmp/log_web exlog(): Loged message(WAN DHCP Client Connected IP 10.9.8.135) into /tmp/log_web.lck directly start_wan_done(): start_firewall remote disable 0 ffffffff eth1: No such process eth0: No such process none pppoe find_pid_by_name(): 0 first start set_dyndns set_dyndns: Users don't fill enough information interval=2592000 killall: ntpclient: no process killed (): open /tmp/route_check.pid successfully Hit enter to continue...

ROME Boot Menu

(c)Copyright Realtek, Inc. 2003
Project ROME LOADER
Version 00.00.18(uClinux) (Mar 10 2005 18:43:35)
Sub version 1.00.00 for identification
[865xB] CPU Clock Rate: 200MHz, Memory Clock Rate: 130MHz
AMD/Fujitsu Standard CFI Query Table v1.1 at 0x0040
Detected flash size: total 4MB.
SDRAM size: 16MB
+TFTP +Auto UART +Bank1:ROM 
Here we try to capture the default reset button:  None.

--== Loader Menu ==--
'r' to update run image
'a' to change config
'l' to update loader
'g' to load run image without updating Flash
'o' to update flash with ROM file
's' to test SDRAM memory
't' to test flash memory
'e' to erase flash memory

Boot Messages

Loading runtime image ...

Unzip image from address: 0xbe020000

Unexpected end of file

Start runtime image at 80000400.

************************************
Powered by Realtek RTL8651B SoC, rev 1
************************************
SDRAM size: 16MB
CPU revision is: 0000ff00
Init MMU (16 entries)
Primary instruction cache 0kB, linesize 0 bytes.
Primary data cache 0kB, linesize 0 bytes.
Linux version 2.4.26-uc0 (fangsongmao@compile-server) (gcc version 3.3.3)
 #6 Mon Aug 1 16:55:02 CST 2005
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
NOFS reserved @ 0x8027fff0
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock4
IRR(0)=c0000000
Calibrating delay loop... 199.06 BogoMIPS
Memory: 13640k/16384k available (2067k kernel code, 2744k reserved, 104k data,
 104k init, 0k highmem)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction...  unavailable.
POSIX conformance testing by UNIFIX
NEW PCI Driver...isLinuxCompliantEndianMode=False(Big Endian)
Found Airgo PCI, function=0!
Memory Space 0 data=0xfffe0000 size=0x20000
Memory Space 1 data=0xfff80000 size=0x80000
PCI device exists: slot 0 function 0 VendorID 17cb DeviceID 1 bbd40000
Found Airgo PCI, function=1!
Found Airgo PCI, function=2!
Found Airgo PCI, function=3!
Found Airgo PCI, function=4!
Found Airgo PCI, function=5!
Found Airgo PCI, function=6!
Found Airgo PCI, function=7!
memory mapping BAnum=0 slot=0 func=0
memory mapping BAnum=1 slot=0 func=0
assign mem base 1bf00000~1bf7ffff at bbd40014 size=524288
assign mem base 1bf80000~1bf9ffff at bbd40010 size=131072
Find Total 1 PCI functions
Found 00:00 [17cb/0001] 000200 00
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SERIAL_PCI enabled
Probing RTL8651 home gateway controller...
Initialize RTL865x ASIC and driver
chip name: 8651B, chip revid: 1
   Initialize mbuf...
   creating default 2 interfaces...eth0 IRR(6)=c0040000
===> Request IRQ 6 for eth0, ret=0
eth1 ...OK
PPP generic driver version 2.4.2
PPP BSD Compression module registered
flash device: 3d0000 at be000000
 Amd/Fujitsu Extended Query Table v1.1 at 0x0040
number of CFI chips: 1
Using word write method
Creating 8 MTD partitions on "Physically mapped flash":
0x00000000-0x00004000 : "boot1"
0x0000a000-0x00010000 : "boot2"
0x00010000-0x00020000 : "boot3"
0x00020000-0x00100000 : "kernel"
0x00100000-0x003e0000 : "rootfs"
0x003f0000-0x00400000 : "nvram"
0x00008000-0x0000a000 : "dnvram"
0x00020000-0x003e0000 : "linux"
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
GRE over IPv4 tunneling driver
ip_conntrack version 2.1 (128 buckets, 1024 max) - 344 bytes per conntrack
ip_conntrack_pptp version $Revision: 1.1.1.1 $ loaded
ip_nat_pptp version $Revision: 1.1.1.1 $ loaded
ip_tables: (C) 2000-2002 Netfilter core team
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
VFS: Mounted root (cramfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 104k freed
Bad boy: serial (at 0x8009d9bc) called us without a dev_id!
IRR(4)=c0c40000
===> Request IRQ 4 for serial, ret=0
__flash_base=0x2ac62000
__crmr_addr=0x2aaaf104
share memory not exist
Trying to free free IRQ4
Bad boy: serial (at 0x8009d9bc) called us without a dev_id!
===> Request IRQ 4 for serial, ret=0
noconsole=0
insmod: et.o: no module by that name found
insmod: led.o: no module by that name found
setup_rtl8651
System initializing...
AMD/Fujitsu Standard CFI Query Table v1.1 at 0x0040
  
cfgmgr_integrityCheck: ok
remote disable        0        ffffffff
rtl8651_user_pid set to 1
pRomeCfgParam->ifCfgParam[0].connType = 2
Bring up ext  port 6..
Rx shift=10002
Using /lib/modules/2.4.26-uc0/kernel/drivers/net/askey/airgo/ccd.o
Using /lib/modules/2.4.26-uc0/kernel/drivers/net/askey/airgo/wns_mod.o
Using /lib/modules/2.4.26-uc0/kernel/drivers/net/askey/airgo/pol_nosdram.o
# MAC Monitoring Register = 0x00000000
# Setup System Clock Rate for Watch Dog
plm probe (plm_dump_buf @ C0027100)
&bdh 807F4170 bdh A07E0000
np->hif_regs->bus_slave.hif_ctrl.val 00000000
np->hif_regs->bus_slave.hif_ctrl.val 000000C0
wlan0: PCI Revision = 3, Slot Name[00:00.0], Slot#[0]
wlan0: at BAR0 = 0xbbf80000, BAR1 = 0xbbf00000, IRQ 5.
IRR(5)=c0c40000
===> Request IRQ 5 for wlan0, ret=0
wlan0: request_irq, err = 0
wlan0: plm_reg_init Succeeded
wlan0: MAC:00:11:50:d1:94:d0
wlan0: plm_get_radio_eeprominfo(), err = 0
wlan0: OFFSET of dev->priv[0x6C]
wlan0: OFFSET of np->hif_regs[0x1060]
wlan0: OFFSET of np->stats_mac_td_ring_flush_cnt[0xD40]
wlan0: OFFSET of np->stats_mac_td_cnt[0xD2C]
Register shadow 18
ccd_msg_handler_shadow 18 2 C0028534
Hit enter to continue...System initializing...
remote disable        0     rtl8651_user_pid set to 1
   ffffffff
pRomeCfgParam
-Set IGMP Default Upstream interface >(eth0) ... iSUCCESS!!
fCfgParam[0].connType = 2
cfg wan to dhcp client ...
PPPoE Passthru disabled.
Drop Unknown PPPoE PADT disabled.
IPv6 Passthru disabled.
IPX Passthru disabled.
NETBIOS Passthru disabled.
Total 0 wlan cards
iwcontrol: not found
find_pid_by_name(): 0
start_lan(): pid_count(0), pid(717624756) ,name(ani8021x_aa)
start_lan(): The first time to execute wsm and ani8021x_aa
Starting MAC FW module...radioID = 0 NUM_RADIO 1 - param_addr = 0x807f50a8
 start at C0039400
[0][1a][3][1125] bg = 1, nTx = 1, nRx = 2, cb=0, ap=1, mpci=0
[0][11][3][1] Sending CFG_DNLD_REQ
Reserve port 6 for peripheral device use. (0x40)
Total WLAN/WDS links: 1
[0][11][3][1] CFG size 3252 bytes MAGIC dword is 0xdeaddead
[0][11][3][1] CFG hdr totParams 187 intParams 144 strBufSize 756/1596
[0][10][3][1] CFG RDET MIN PULSE WIDTH = 100
[0][10][3][1] CFG RDET MAX PULSE WIDTH = 100
[0][10][3][1] CFG RDET PULSE WIDTH MARGIN = 4
[0][10][3][1] CFG RDET PULSE TR CNT1 = 3
[0][10][3][1] CFG RDET PULSE TR CNT2 = 3
[0][10][3][1] CFG RDET PULSE TR CNT3 = 5
[0][10][3][1] CFG RDET RSSI TH = 60
[0][10][3][1] CFG RDET MIN IAT = 5000
[0][10][3][1] CFG RDET MAX IAT = 65535
[0][10][3][1] CFG RDET MEAS DEL  = 77
[0][12][2][80] received unexpected SME_STOP_BSS_REQ in state 0, for role 0
[0][12][2][80] eLIM_SME_OFFLINE_STATE
Applied commit-all global settings
wlan0: Rcvd a eWSM_DRV_RADIO_DISABLE_REQ for radio[0]
Delete port 0 from peripheral port set. (0x40)
Total WLAN/WDS links: 0
mac_mod_exit: Cleaning MAC FW module: radio Id 0
Starting MAC FW module...radioID = 0 NUM_RADIO 1 - param_addr = 0x807f50a8
 start at C0039400
[0][1a][3][1266] bg = 1, nTx = 1, nRx = 2, cb=0, ap=1, mpci=0
[0][11][3][1] Sending CFG_DNLD_REQ
Reserve port 6 for peripheral device use. (0x40)
Total WLAN/WDS links: 1
info, Moreton Bay DHCP Server (v0.9.5) started
[0][11][3][1] CFG size 3252 bytes MAGIC dword is 0xdeaddead
[0][11][3][1] CFG hdr totParams 187 intParams 144 strBufSize 756/1596
[0][10][3][1] CFG RDET MIN PULSE WIDTH = 100
[0][10][3][1] CFG RDET MAX PULSE WIDTH = 100
[0][10][3][1] CFG RDET PULSE WIDTH MARGIN = 4
[0][10][3][1] CFG RDET PULSE TR CNT1 = 3
[0][10][3][1] CFG RDET PULSE TR CNT2 = 3
[0][10][3][1] CFG RDET PULSE TR CNT3 = 5
[0][10][3][1] CFG RDET RSSI TH = 60
[0][10][3][1] CFG RDET MIN IAT = 5000
[0][10][3][1] CFG RDET MAX IAT = 65535
[0][10][3][1] CFG RDET MEAS DEL  = 77
killall: upnp: no process killed
/proc/sys/net/ipv4/ip_masq_udp_dloose: No such file or directory
info, Moreton Bay DHCP Client (v0.9.5) started
__flash_base=0x2ac62000
__crmr_addr=0x2aaaf104
dhcpc client deconfig
ifCfgParam[0].ipAddr: 0.0.0.0
ifCfgParam[0].ipMask: 0.0.0.0
ifCfgParam[0].gwAddr: 0.0.0.0
ifCfgParam[0].dnsPrimaryAddr: 0.0.0.0
ifCfgParam[0].dnsSecondaryAddr: 0.0.0.0
ifCfgParam[0].winsPrimaryAddr: 0.0.0.0
ifCfgParam[0].winsSecondaryAddr: 0.0.0.0
rtl8651_delNaptMapping: ret -6
rtl8651_delRoute(default): ret -3
rtl8651_delIpIntf: ret -2710
target 239.0.0.0
SIOCDELRT: No such process
debug, Sending select for 10.9.8.135...
info, Lease of 10.9.8.135 obtained, lease time 43200
__flash_base=0x2ac62000
__crmr_addr=0x2aaaf104
ip  10.9.8.135
subnet 255.255.255.0
=> Check subnet overlapping .... No Overlap!
ifCfgParam[0].ipAddr: 0.0.0.0
ifCfgParam[0].ipMask: 0.0.0.0
ifCfgParam[0].gwAddr: 0.0.0.0
ifCfgParam[0].dnsPrimaryAddr: 0.0.0.0
ifCfgParam[0].dnsSecondaryAddr: 0.0.0.0
ifCfgParam[0].winsPrimaryAddr: 0.0.0.0
ifCfgParam[0].winsSecondaryAddr: 0.0.0.0
rtl8651_delNaptMapping: ret -6
rtl8651_delRoute(default): ret -3
rtl8651_delIpIntf: ret -2710
target 239.0.0.0
SIOCDELRT: No such process
router 10.9.8.1
target default
ifCfgParam[0].ipAddr: 10.9.8.135
ifCfgParam[0].ipMask: 255.255.255.0
ifCfgParam[0].gwAddr: 10.9.8.1
ifCfgParam[0].dnsPrimaryAddr: 10.9.8.1
ifCfgParam[0].dnsSecondaryAddr: 0.0.0.0
ifCfgParam[0].winsPrimaryAddr: 0.0.0.0
ifCfgParam[0].winsSecondaryAddr: 0.0.0.0
/bin/dnrd: not found
killall: crond: no process killed
run crond
crond offset=/bin/rdate: not found
0
/bin/rdate: not found
target 239.0.0.0
SIOCDELRT: No such process
/bin/rdate: not found
target 239.0.0.0
/bin/upnpd: not found
Hit enter to continue...
/bin/dnrd: not found
row_size(): Can't open /tmp/log_web
exlog(): Loged message(WAN DHCP Client Connected IP 10.9.8.135)
 into /tmp/log_web.lck directly
start_wan_done(): start_firewall
remote disable        0        ffffffff
eth1: No such process
eth0: No such process
none pppoe
find_pid_by_name(): 0
first start set_dyndns
set_dyndns: Users don't fill enough information
interval=2592000
killall: ntpclient: no process killed
(): open /tmp/route_check.pid  successfully
Hit enter to continue...

/proc/cpuinfo
system type : Philips Nino processor : 0 cpu model : R3000 V0.0 BogoMIPS : 199.06 wait instruction : no microsecond timers : no tlb_entries : 16 extra interrupt vector : no hardware watchpoint : no VCED exceptions : not available VCEI exceptions : not available
/proc/mtd
dev: size erasesize name mtd0: 00004000 00002000 "boot1" mtd1: 00006000 00002000 "boot2" mtd2: 00010000 00010000 "boot3" mtd3: 000e0000 00010000 "kernel" mtd4: 002e0000 00010000 "rootfs" mtd5: 00010000 00010000 "nvram" mtd6: 00002000 00002000 "dnvram" mtd7: 003c0000 00010000 "linux"

/proc/cpuinfo

system type             : Philips Nino
processor               : 0
cpu model               : R3000 V0.0
BogoMIPS                : 199.06
wait instruction        : no
microsecond timers      : no
tlb_entries             : 16
extra interrupt vector  : no
hardware watchpoint     : no
VCED exceptions         : not available
VCEI exceptions         : not available

/proc/mtd

dev:    size   erasesize  name
mtd0: 00004000 00002000 "boot1"
mtd1: 00006000 00002000 "boot2"
mtd2: 00010000 00010000 "boot3"
mtd3: 000e0000 00010000 "kernel"
mtd4: 002e0000 00010000 "rootfs"
mtd5: 00010000 00010000 "nvram"
mtd6: 00002000 00002000 "dnvram"
mtd7: 003c0000 00010000 "linux"

Hidden Web Interface Pages

test.html (see also the vars in the "for test" section in NVRAM below - no idea what these do yet)
system.log (gives 404, but symlinked to /var/system.log - maybe some other method?)

NVRAM Info

NVRAM (defaults?) from firmware
# NVRAM control belkin_router=1 restore_defaults=0 fw_reset=0 et1phyaddr=0 et0phyaddr=30 boardflags=0x0388 hw_model=F5D8230-4 v2 fw_magic=0x02088200 tftp_ipaddr=192.168.2.1 model_check=1 # OS parameters lan_ifname=eth1 lan_ifnames=eth0 eth2 lan_hwnames=et0 il0 wl0 wl1 wan_access=eth1 wan_ifname=eth0 wan_ifnames= wan_hwname=et1 os_name=linux os_version=2.01.02 language=English user_conf_ver=1.01 kernel_mods=et fw_src=http://networking.belkin.com/update/files/usa/mimoV2/g_router.html fw_id=RT3105W-D56 RADIO_MODULE=airgo # Miscellaneous parameters timer_interval=3600 log_level=0 time_zone=PST8PDT upnp_enable=0 os_server= stats_server= console_loglevel=1 log_tftp=0 log_tftp_server= login_timeout=10 remote_config_ip= remote_access_port=80 route_check_host=heartbeat.belkin.com et1macaddr_copy= dyndns_auto=1 # LAN Default lan_proto=dhcp lan_ipaddr=192.168.2.1 lan_netmask=255.255.255.0 m_lan_ipaddr=192.168.2.1 m_lan_netmask=255.255.255.0 default_lan_ipaddr=192.168.2.1 default_lan_netmask=255.255.255.0 default_lan_gateway=192.168.2.1 default_lan_dhcp_client_br=0 default_lan_proto_br=static default_lan_dhcp_client_nat=0 default_lan_proto_nat=dhcp default_lan_ipaddr_br=192.168.2.254 default_lan_netmask_br=255.255.255.0 lan_stp=0 lan_gateway=192.168.2.1 lan_dns= lan_dhcp_client=0 BridgeFlag=0 NatFlag=1 # WAN Default wan_proto=dhcp wan_ipaddr=0.0.0.0 wan_netmask=0.0.0.0 wan_gateway=0.0.0.0 wan_dns= wan_wins= wan_hostname= wan_domain= wan_lease=864000 static_route= #new wireless driver virables wl_ifname=eth2 wl0_ifname=wlan0 wl_ssid=Belkin_Pre_N_ wl_ssid_d=Belkin_Pre_N_ wl_country=USA wl_closed=0 wl_country_code=US wl_radio=1 wl_mode=ap wl_lazywds=0 wl_wds= wl_wep=off wl_wep_mode=0 wl_crypto=tkip wl_auth=0 wl_key=1 wl_key1=F wl_key2= wl_key3= wl_key4= wl_maclist= wl_mac= wl_macmode=disabled wl_rate=0 wl_rateset=set2 wl_channel=0 wl_frag=2346 wl_rts=2347 wl_dtim=1 wl_bcn=100 wl_gmode=1 wl_afterburner=auto wl_gmode_protection=auto wl_hwaddr= wl_phytype=g wl_phytypes=g wl_unit=0 wl_frameburst=off wl_wpa_psk= wl_wpa_gtk_rekey=900 wl_radius_ipaddr= wl_radius_port=1812 wl_radius_key= wl_radius_timeout=30 wl_radius_maxtries=3 wl_auth_mode=disabled wl_ibss=1 wl_psk_obscure= wl_wep128_manual=1 wl_wep64_manual=1 wl_qos=1 wl_density=0 wl_plcphdr=long wl_proximity=0 wl_wme=0 ssid_updated=0 wl_akm= pa0maxpwr=60 # Manual m_wan_ipaddr= m_wan_netmask= m_wan_gateway= m_wan_dns= m_wan_wins= m_wan_hostname= m_wan_domain=Belkin m_wan_aliasip= m_wan_moreip= m_autodns=1 # LAN filters fi= ft= fu= fm= # new firewall features default_policy=0 mac_filter=0 ip_filter=0 tcp_filter=0 udp_filter=0 internal_policy=1 wan_ping=1 firewall_enable=1 filter_enable=1 http_wan_enable=0 dos_enable=1 # Port forwards fwt= fwu= dmz_ipaddr= fwi= fwi_des= fj= fg= fw_auto_detect=0 fm= # DHCP server parameters dhcp_start=192.168.2.2 dhcp_end=192.168.2.100 dhcp_lease=0 dhcp_dns= dhcp_autodns=1 # Web server parameters http_username= http_passwd= http_wanport=80 http_lanport=80 # PPPoE parameters pppoe_username= pppoe_passwd= pppoe_idletime_min=5 pppoe_idletime=300 pppoe_keepalive=1 pppoe_demand=0 pppoe_ifname=eth0 pppoe_auth_mode=auto pppoe_mru=1454 pppoe_mtu=1454 pppoe_servicename= pppoe_dns= pppoe_autodns=1 # PPTP parameters pptp_username= pptp_password= pptp_server_ipaddr= pptp_ipaddr= pptp_netmask= pptp_idle_disconnect= pptp_idle_interval= pptp_conn_id= # NTP Default ntp_dst_enabled=1 ntp_enable=1 ntp_timezone=5 ntp_sync_interval=1 ntp_server=192.43.244.18 132.163.4.102 user_time_yr=1970 user_time_mo=1 user_time_dd=1 user_time_hr=0 user_time_mn=0 user_time_update=0 #Cerberian #ceb_enable=0 ceb_email_enable=1 #ceb_subsc=2 ceb_timeout=10 ceb_unavail_block=1 #ceb_report_enable=0 #ceb_expire=0 ceb_nag=1 # big pond parameters (added by bin 01/24/03) bpa_username= bpa_passwd= bpa_server= bpa_state= bpa_manual_enable= #iapp daemon iappd_oid=00:30:bd device_type=1 # DynDNS dyndns_username= dyndns_password= dyndns_hostname= #for test epi_ttcp_host=192.168.2.100 radioID=0 gain=d dumpfilename=gram_capture.txt tftpServer=192.168.2.100 test_delay=0

NVRAM (defaults?) from firmware

# NVRAM control
*belkin_router=1
restore_defaults=0
fw_reset=0
*et1phyaddr=0
*et0phyaddr=30
*boardflags=0x0388
*hw_model=F5D8230-4 v2
*fw_magic=0x02088200
tftp_ipaddr=192.168.2.1
model_check=1

# OS parameters
lan_ifname=eth1
*lan_ifnames=eth0 eth2
lan_hwnames=et0 il0 wl0 wl1
wan_access=eth1
wan_ifname=eth0
wan_ifnames=
wan_hwname=et1
os_name=linux
*os_version=2.01.02

*language=English
*user_conf_ver=1.01
*kernel_mods=et
*fw_src=http://networking.belkin.com/update/files/usa/mimoV2/g_router.html
fw_id=RT3105W-D56
*RADIO_MODULE=airgo

# Miscellaneous parameters
timer_interval=3600
log_level=0
time_zone=PST8PDT
upnp_enable=0
os_server=
stats_server=
console_loglevel=1
log_tftp=0
log_tftp_server=
login_timeout=10
remote_config_ip=
remote_access_port=80
route_check_host=heartbeat.belkin.com
et1macaddr_copy=
dyndns_auto=1

# LAN Default
lan_proto=dhcp
lan_ipaddr=192.168.2.1
lan_netmask=255.255.255.0
m_lan_ipaddr=192.168.2.1
m_lan_netmask=255.255.255.0
default_lan_ipaddr=192.168.2.1
default_lan_netmask=255.255.255.0
default_lan_gateway=192.168.2.1
default_lan_dhcp_client_br=0
default_lan_proto_br=static
default_lan_dhcp_client_nat=0
default_lan_proto_nat=dhcp
default_lan_ipaddr_br=192.168.2.254
default_lan_netmask_br=255.255.255.0
*lan_stp=0
lan_gateway=192.168.2.1
lan_dns=
lan_dhcp_client=0
BridgeFlag=0
NatFlag=1

# WAN Default
wan_proto=dhcp
wan_ipaddr=0.0.0.0
wan_netmask=0.0.0.0
wan_gateway=0.0.0.0
wan_dns=
wan_wins=
wan_hostname=
wan_domain=
wan_lease=864000
static_route=

#new wireless driver virables
wl_ifname=eth2
wl0_ifname=wlan0
wl_ssid=Belkin_Pre_N_
wl_ssid_d=Belkin_Pre_N_
wl_country=USA
wl_closed=0
*wl_country_code=US
wl_radio=1
wl_mode=ap
wl_lazywds=0
wl_wds=
wl_wep=off
wl_wep_mode=0
wl_crypto=tkip
wl_auth=0
wl_key=1
wl_key1=F
wl_key2=
wl_key3=
wl_key4=
wl_maclist=
wl_mac=
wl_macmode=disabled
wl_rate=0
wl_rateset=set2
wl_channel=0
wl_frag=2346
wl_rts=2347
wl_dtim=1
wl_bcn=100
wl_gmode=1
wl_afterburner=auto
wl_gmode_protection=auto
wl_hwaddr=
wl_phytype=g
wl_phytypes=g
wl_unit=0
wl_frameburst=off
wl_wpa_psk=
wl_wpa_gtk_rekey=900
wl_radius_ipaddr=
wl_radius_port=1812
wl_radius_key=
wl_radius_timeout=30
wl_radius_maxtries=3
wl_auth_mode=disabled
wl_ibss=1
wl_psk_obscure=
wl_wep128_manual=1
wl_wep64_manual=1
wl_qos=1
wl_density=0
wl_plcphdr=long
wl_proximity=0
*wl_wme=0
ssid_updated=0
wl_akm=
pa0maxpwr=60

# Manual
m_wan_ipaddr=
m_wan_netmask=
m_wan_gateway=
m_wan_dns=
m_wan_wins=
m_wan_hostname=
m_wan_domain=Belkin
m_wan_aliasip=
m_wan_moreip=
m_autodns=1

# LAN filters
fi=
ft=
fu=
fm=

# new firewall features
default_policy=0
mac_filter=0
ip_filter=0
tcp_filter=0
udp_filter=0
internal_policy=1
wan_ping=1
firewall_enable=1
filter_enable=1
http_wan_enable=0
dos_enable=1

# Port forwards
fwt=
fwu=
dmz_ipaddr=
fwi=
fwi_des=
fj=
fg=
fw_auto_detect=0
fm=

# DHCP server parameters
dhcp_start=192.168.2.2
dhcp_end=192.168.2.100
dhcp_lease=0
dhcp_dns=
dhcp_autodns=1

# Web server parameters
http_username=
http_passwd=
http_wanport=80
http_lanport=80

# PPPoE parameters
pppoe_username=
pppoe_passwd=
pppoe_idletime_min=5
pppoe_idletime=300
pppoe_keepalive=1
pppoe_demand=0
pppoe_ifname=eth0
pppoe_auth_mode=auto
pppoe_mru=1454
pppoe_mtu=1454
pppoe_servicename=
pppoe_dns=
pppoe_autodns=1

# PPTP parameters
pptp_username=
pptp_password=
pptp_server_ipaddr=
pptp_ipaddr=
pptp_netmask=
pptp_idle_disconnect=
pptp_idle_interval=
pptp_conn_id=

#   NTP Default
ntp_dst_enabled=1
ntp_enable=1
ntp_timezone=5
ntp_sync_interval=1
ntp_server=192.43.244.18 132.163.4.102
user_time_yr=1970
user_time_mo=1
user_time_dd=1
user_time_hr=0
user_time_mn=0
user_time_update=0

#Cerberian
#ceb_enable=0
ceb_email_enable=1
#ceb_subsc=2
ceb_timeout=10
ceb_unavail_block=1
#ceb_report_enable=0
#ceb_expire=0
ceb_nag=1

# big pond parameters (added by bin 01/24/03)
bpa_username=
bpa_passwd=
bpa_server=
bpa_state=
bpa_manual_enable=

#iapp daemon
*iappd_oid=00:30:bd
*device_type=1

# DynDNS
dyndns_username=
dyndns_password=
dyndns_hostname=

#for test
epi_ttcp_host=192.168.2.100
radioID=0
gain=d
dumpfilename=gram_capture.txt
tftpServer=192.168.2.100
test_delay=0

—-

TOH/Table of Hardware

toh/belkin/f5d8230-4v2.txt · Last modified: 2011/03/10 21:31 by orca

Wiki Search

Actions

Donate

Translations