Hacking the Belkin F5D7632-4 (Part 2: The hardware)

Hardware

• Model: Belkin F5D7632-4
• RAM: 16MB SDRAM (ISSI IS42S16400B-7TL)
• CPU: 264mhz Conexant CX94610-11Z ARM SOC (Same as used in Xavi 6978)
• Flash Storage: 2MB
• Wireless: 2.4ghz a/b/g - with external antennae (not removable)
• Ports:
  • 4x 100mbit Ethernet (Connected to Realtek RTL8306S chip)
  • Standard ADSL port (built-in modem)
  • 12V/1A DC Adapter port

Opening the device

Remove the two visible screws on back to open. You do not need to remove the rubber feet, however you do need to put a lot of force into the plastic to unclip it. I recommend using a curved plastic prying tool (e.g. the curved prying tool from iFixIt works great), or a guitar pick if that’s not available.

Split from the back using your hands, then split at each side by putting your tool under the edge of the sides and twist to unclip. Front can be painful to remove, but it will come off easily once you’ve unclipped both sides.

If you want to access the underside of the board for whatever reason, there is just one screw in the centre of board to hold it in place.

Related Devices

The belkin router is very similar to the SMC7904WBRA, however it has a Conexant SOC/CPU instead of a TI CPU. It uses the exact same pin layout for UART.

More information:

• https://wiki.openwrt.org/toh/xavi/xavi_7968
• https://wiki.openwrt.org/toh/smc/smc7904

Connecting to UART

The router has a 10-pin JTAG port located in the bottom right of the board. It may be possible to switch the port from UART mode, to JTAG mode with a jumper.

Luckily, the router comes with a full header on the 10-pin JTAG, so no soldering required.

Connect GND to the first top left pin (with the wifi antennae facing away from you), RX to the 3rd, TX to the 4th.

Do not connect VCC pin (3.3v), it causes the device to lock up.

UART runs at 38400 BAUD with 8n1 (NOT 115200 BAUD like the SMC7904WBRA)

Example on OSX/Linux:

sudo screen /dev/ttyUSB1 38400.-parenb.-cstopb.cs8

By default, you cannot enter anything into the console. By pressing SHIFT-0 you'll be able to access the real console, and do various tasks. Check out the next part for more details about this.

You can also access the bootloader during early boot by pressing space (scroll down to "Bootloader Menu" section)

Accessing Recovery Mode

Recovery mode is used if your main firmware gets corrupted. It allows you to flash a new firmware file onto the device.

1. Unplug the router.
2. Hold down the reset button.
3. Plug the power in (while holding reset).
4. Wait for all LEDs to go green.
5. You should now be able to access the firmware flash tool at 192.168.2.1 via Ethernet.

Note: This does not get you into any console via the UART, nor does it allow access via Telnet or SSH.

Continued: Part 3 (Playing with UART)