NEWS FLASH: DD-WRT now supports Belkin routers! DD-WRT is a polished and non-hackish solution. DD-WRT has WPA2 working. However they haven't figured out how to get the blasted v2000 switch to work right either...

This is the first public release of my custom firmware for Broadcom based Belkin wireless routers with 2mb flash chips.

Use at your own risk.

Features

This firmware tries to duplicate most of the functionality of the standard firmware, as well as expand functionality as much as possible. Added functionality includes:

• SSH login
• Can serve static DHCP leases
• Not limited to /24 networks
• Can operate as a wireless client
• Afterburner is enabled

Things currently broken or missing:

• No web configuration
• No PPPoE
• No BigPond
• WEP works, but WPA doesn't. The 'nas' binary for WPA is there but getting it to run is not simple. Apparently the OpenWRT guys have figured it out...
• WDS probably doesn't work. I do not have a second router to test with.
• UPNP can eat shit and die

Thing to be added someday:

• Dyndns support will be in next release
• Remote logging will be in next release
• IPv6 via 6to4 will be in the next release
• Dynamic/mesh routing
• Captive portal
• NAT-PMP support, as an alternative to the bloaty XML based UPNP

Things that will probably never happen:

Anything that requires OpenSSL. The smallest I've been able to get OpenSSL to compile to is around 1.5mb. With only 2mb flash to work with thats just too damn big. Not to mention the 8mb RAM is pretty tight too. This means OpenVPN in particular is out of the question. This also means IPsec IKE daemons such as raccoon, and the open source wpa_supplicant. OpenSSL's bloatyness seems to be a major setback to having strong security in such a small box.

Compatability and Known F5D7230-4 Hardware Versions

Note: This may not be 100% accurate. Corrections welcome.

v1000 v1010 v1110 v1111 v1112

These versions use an older version of the Broadcom chipset, with a seperate MiniPCI wireless card. They have 4mb flash space and 16mb RAM. They are not known to work yet. Since they have 4mb flash it should be possible to fit OpenWRT on them.

v1444

The only known working version so far. This is what I personally own and use. Several other v1444 owners have confirmed it works for them too.

These use a newer Broadcom chipset with the wireless built in to the board. They support Afterburner (High Speed Mode/G Plus/SpeedBooster/etc etc) however the stock firmware disables it. In fact, the F5D7230-4 v1444 and F5D7231-4 use the exact same firmware, with just a few nvram settings changed. They only have 2mb flash space and 8mb RAM.

Also of note is there are traces on the board for a USB port, which can be made functional by adding the proper parts. However there is currently no USB support compiled in to the firmware.

v2000

The v2000 only works partially. They will accept and boot the firmware, and they are accessible over wireless, but the ethernet does not work. (A differing bridge chip?) These have a slightly smaller case with two antennas.

They accept the same firmware as the v1444, and can be flashed with F5D7231-4 firmware to enable Afterburner just as the v1444 can. They also have traces for a USB port.

v3000

Uses a newer firmware version, the v3000 will not work with firmware for previous versions. The v3000 flash images no longer has nvram settings on the end of the firmware image, and has a different header on the image. Oddly, tftp flashing will not accept this header, and has to be removed.

v4000 v5000

The v4000 and newer F5D7230-4 have switched to a completely different chipset, and do not run Linux. (It appears to be the same TI chipset the WRT54GC uses) These versions have a much smaller case and only one antenna. They will never run this firmware. The (more expensive) F5D7231-4 retains the Broadcom chipset.

Compatibility with F5D7231-4 (High Speed Mode/G Plus)

v1000

Few people seem to own these. They cost far more and they seem to be nothing more than an F5D7230-4 v1444 with a few nvram settings changed to enable Afterburner. Thus they should work.

v1001

Appears to be equivlent to the F5D7230-4 v2000. Thus these should work when the v2000 works.

Why should I buy one?

They're cheap. These routers typically go for $20-$30 or less. However the currently supported versions only have 2mb flash space, which is very cramped. If you want a wireless router for cheap, and don't need anything fancy, (Like VPN) go grab one. However if you want to play with fancy hacks, I recommend you spend the extra money and get a Linksys WRT54G series router, which have 4-8mb flash space.

Where should I get one?

I got mine at Circuit City. Most electronics retail places have them. Beware, the older versions of the F5D7230-4 have probably been flushed out of the retail chain at this point. The version is listed on the box. Check before you buy.

Ebay is probably the best option for getting a compatible F5D7230-4. It's loaded with them. If the version isn't listed in the description or visible in the photos, ask the seller. The number of antennas is also a good hint. If its tiny and only has one antenna, don't bother with it.

How do I install it?

Please read the install guide.

Download: haxxed_beta1_F5D7231-4.bin

Please post questions, comments, bugs, success reports, etc to the Wiki page at SeattleWireless.

Usage

By default the router will start up in a configuration similar to the stock firmware. It will be accessable on the LAN as 192.168.2.1, it will serve a /24 network with DHCP. The wireless will be bridged with the LAN. It will try to get a DHCP lease on the WAN port and ipmasq it for the LAN.

The router is accessible via SSH on the LAN. Connect to root@192.168.2.1 and just hit enter for the password. Currently all configuration happens through SSH.

A web server will be available. To log in to the admin section, use username "admin" password "admin".

All configuration is stored in nvram variables. To change nvram variables, log in through SSH. Type "nvram set variable=value" to set variables. You will have to type "nvram commit" to write changes to flash ram, otherwise they will be lost when rebooting. Just type "reboot" at the shell prompt to reboot the router. You will have to reboot the router for most changes to take effect.

You can list nvram variables with "nvram get variable", and list all of them with "nvram show" which is a bit easier to handle if you pipe it through sort: "nvram show|sort"

A semi-commented list of all variables is available here.

Examples

Remember you have to type "nvram commit" and "reboot" for settings to take effect. Also, all examples assume default settings. How do you get back to default settings? Re-flash the firmware...

To change the root password, you will have to obtain a crypted password from another system. I have yet to figure out how to make passwd work right. Both classic crypt and MD5 hashes work.

nvram set root_passwd=<password hash>

To change the web administration password:

nvram set http_passwd=`httpd -m <newpasswd>`

All interfaces are configured through the same set of nvram variables, prefixed with the interface name. vlan0 is the LAN ports, however it is part of the br0 bridge by default. vlan1 is the WAN port. eth1 is the wireless, which is also part of the br0 bridge by default. Some examples:

To change the LAN IP address:

nvram set br0_ipaddr=10.0.0.1
nvram set br0_dhcp_start=10.0.0.100
nvram set br0_dhcp_end=10.0.0.199

To set the WAN port to a static IP:

nvram set vlan1_proto=static
nvram set vlan1_ipaddr=10.42.42.42
nvram set vlan1_netmask=255.255.255.0
nvram set vlan1_gateway=10.42.42.13

To set a custom MAC address on the WAN port:

nvram set vlan1_mac=00:00:DE:AD:BE:EF

Setting up static DHCP leases:

nvram set ethers="<macaddr> <ip>|<macaddr> <ip>|..."

Assigning static hostnames. Basically a hosts file. This gets served via DNS and is also used by the DHCP server.

nvram set hosts="<ip> <hostname>|<ip> <hostname>|..."

Port forwarding:

nvram set firewall_portfw="<proto>|<port>|<destip> <proto>|<port>|<destip> ..."

Act as a wireless client, the wireless becomes the WAN connection:

# Remove the wireless from the bridge
nvram set br0_interfaces=vlan0
# Don't configure the WAN interface
nvram set vlan1_proto=off
# Get an IP for the wireless with DHCP
nvram set eth1_proto=dhcp
# Set up the firewall to use the wireless as the WAN connection
nvram set firewall_wanif=eth1
# Act as wireless client (sta), rather than an access point (ap)
nvram set wl0_mode=sta
# The SSID we want to associate with
nvram set wl0_ssid=Foo
# Optional, reconfigure the bridge chip so the now useless WAN port becomes an additional LAN port
vlanconf_wan_off

Act as a wireless access point, bridging wireless to the LAN ports: (This one is untested)

# Note: the wireless stays bridged to the LAN, as is default
# Don't configure the WAN interface
nvram set vlan1_proto=off
# Set the bridge to the desired static IP configuration
nvram set br0_ipaddr=<ip>
nvram set br0_netmask=<netmask>
nvram set br0_gateway=<gateway>
# Turn the firewall/NAT off
nvram set firewall_enable=0
# Turn the DHCP server off
nvram set dhcp_interfaces=""
# Optional, reconfigure the bridge chip so the now useless WAN port becomes an additional LAN port
vlanconf_wan_off

What it contains

This firmware is based primarily on busybox, dropbear, and dnsmasq. I use the toolchain, kernel, uClibc and various other things from Linksys's WRT54GSv2 3.37.6 source release.

No Belkin firmware is used. With this firmware your Belkin is in effect a Linksys WRT54GS.

Many thanks to "Ian (Larry) Latter" for figuring out how to create and upload firmware to these things.

If you want to hack on it, for now you can compile the tools then grab the pieces. Putting them together goes something like this:

trx -o haxxed.trx haxxed.kernel.gz haxxed.cramfs
belky -o haxxed_F5D7231-4.bin -t haxxed.trx -u haxxed.conf

I tried to do as much as possible in shell script. I'll have to get my various source patches up soon.