Hacking the Belkin F5D7632-4 Router (Part 1: The Firmware)

Software

The Belkin F5D7632-4 is a router that was released across Europe (and possibly the US) in 2004-2005(?). It supports 2.4 GHz wireless a/b/g and has a built-in ADSL2+ modem.

The router runs an awkward VxWorks-based firmware, produced by Broadcom and modified by Belkin. It uses an IP/MAC-based authentication system with just a password to log in (the default is blank); taken at face value, that means a logged-in session is bound to the client's IP/MAC pair rather than to a secret token, so any host on the LAN that can present the same address as a logged-in administrator is treated as that administrator. The firmware consists mostly of static .stm pages, with .exe files under cgi-bin doing the actual work.

A quick nmap scan reveals TCP port 80 and sometimes TCP port 10101, which is some sort of internal Belkin service that has not yet been deciphered. There is NO telnet or SSH port open.

There are three unlisted pages in the firmware, which might help you out:

production.stm - “Mass Production”. Lets you change the MAC address and default IP address of the router, among other things.

advanced.stm - Various advanced features such as wireless beacon timing, some more firewall controls and QoS settings. The page itself claims “these features are not supported”.

engineer.stm - I found this in the actual firmware file. However, I haven’t managed to get it to open in the web UI; the firmware on the router refuses to admit that it exists. It seems to be mainly a statistics page.

Breaking down the firmware

The firmware is in the same format as the SMC7904: a series of ZIP files concatenated one after another.

Latest Firmware BIN from Belkin

Firmware Mirror (MEGA)

Using binwalk, you can extract the four ZIP files and obtain their contents, which are the following:

  • 345K ar0700db.bin (???)
  • 357K ar0700mp.bin (???)
  • 854K pfs.img (main firmware file, containing images, CSS and STM files; custom PFS/0.9 format)
  • 2.2M soho.bin (other main firmware file, containing the actual EXE files, kernel, config, etc.; unknown format)
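As an added example (it is not the author's tooling and not binwalk), the following Python script carves concatenated ZIP archives out of a blob the way this firmware is laid out: it finds each local-file-header signature, pairs it with the end-of-central-directory record that closes the archive, and only accepts the candidate once the standard library can parse it and every member's CRC checks out, so stray "PK" bytes inside other data are skipped. The sample image is constructed inline (two tiny archives with filler and a fake signature between them, reusing the member names from the list above); on the real Belkin .bin you would pass the file contents instead.

```python
import io
import struct
import sys
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # ZIP local file header: first bytes of a non-empty archive
EOCD_SIG = b"PK\x05\x06"           # end-of-central-directory record: last thing in an archive
EOCD_FIXED_LEN = 22                # EOCD is 22 bytes plus an optional trailing comment


def carve_zips(blob):
    """Return a list of {start, end, names, data} for every ZIP archive in blob.

    A candidate runs from a local file header to the end of the EOCD record
    (comment included).  zipfile tolerates junk before an archive and records
    the real member offsets, so the start is corrected from the parsed header
    offsets rather than trusted from the signature search.
    """
    archives = []
    pos = 0
    while True:
        start = blob.find(LOCAL_HEADER_SIG, pos)
        if start < 0:
            break
        eocd = blob.find(EOCD_SIG, start)
        if eocd < 0 or eocd + EOCD_FIXED_LEN > len(blob):
            break
        comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
        end = eocd + EOCD_FIXED_LEN + comment_len
        candidate = blob[start:end]
        try:
            with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
                if zf.testzip() is not None:
                    raise zipfile.BadZipFile("member CRC mismatch")
                infos = zf.infolist()
                if not infos:
                    # An empty archive has no local header, so this was a stray signature.
                    raise zipfile.BadZipFile("empty archive")
                names = zf.namelist()
                # header_offset already includes zipfile's correction for prepended junk.
                real_start = start + min(zi.header_offset for zi in infos)
        except zipfile.BadZipFile:
            pos = start + len(LOCAL_HEADER_SIG)   # false positive: resume just past it
            continue
        archives.append({"start": real_start, "end": end,
                         "names": names, "data": blob[real_start:end]})
        pos = end
    return archives


def _make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for the Belkin .bin (not real firmware data):
    two archives glued together with filler, plus a stray local-header
    signature that is not an archive."""
    part_a = _make_zip([("ar0700db.bin", b"\x00" * 64)])
    part_b = _make_zip([("pfs.img", b"PFS/0.9" + b"\x00" * 32),
                        ("soho.bin", b"gConfig\x00" * 4)])
    return (b"\xff" * 16 + part_a + b"\x00" * 8
            + b"PK\x03\x04junk" + b"\x00" * 4   # 12 bytes of decoy before part_b
            + part_b + b"\xff" * 4)


if __name__ == "__main__":
    # Usage: python carve_zips.py firmware.bin  (no argument: run on the constructed sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for i, a in enumerate(carve_zips(image)):
        print(f"archive {i}: offset {a['start']:#x}-{a['end']:#x} members={a['names']}")
        with open(f"part{i}.zip", "wb") as out:
            out.write(a["data"])
```

Searching for the EOCD from the archive start assumes no member's stored data happens to contain the EOCD signature; if a carved archive fails validation for that reason, resume the EOCD search past the false hit instead of past the header.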

Browsing through soho.bin, you will find all sorts of strange things, for example some sort of telnet or serial console (search for “gConfig”), which I have not managed to access, since telnet is disabled and there is no console available over UART other than the bootloader.
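Searching an unknown-format blob like soho.bin for page names, CGI names and console-related symbols is the kind of thing you do repeatedly, so here is an added example (not the author's code) that does it programmatically: it pulls printable runs out of the data the same way strings(1) does, sorts them into the categories of interest, and records the offset of each hit so you can jump to it in a hex editor. The sample input is a constructed stand-in for a slice of the firmware, not bytes from the real file, and the category patterns are my own choices.

```python
import re
import sys

# Printable ASCII runs of four or more characters, the heuristic strings(1) uses.
_STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Categories worth pulling out of a router firmware blob (assumed patterns).
_PATTERNS = {
    "page": re.compile(rb"[\w\-]+\.stm\b"),              # web UI pages, listed or not
    "cgi": re.compile(rb"[\w\-]+\.exe\b"),               # cgi-bin programs
    "console": re.compile(rb"gConfig|telnet|console|shell", re.IGNORECASE),
}


def hunt_strings(blob):
    """Return {category: [(offset, string), ...]} for every printable run in
    blob that matches one of the patterns above, in file order."""
    hits = {key: [] for key in _PATTERNS}
    for m in _STRING_RE.finditer(blob):
        s = m.group()
        for key, pat in _PATTERNS.items():
            if pat.search(s):
                hits[key].append((m.start(), s.decode("ascii")))
    return hits


def build_sample_blob():
    """Constructed stand-in for part of soho.bin (not real firmware data):
    filenames and symbols separated by binary filler and NUL terminators."""
    return (b"\x00\x01\x02"
            + b"cgi-bin/setup.exe\x00"
            + b"\xde\xad\xbe\xef" * 3
            + b"engineer.stm\x00"
            + b"\x7f" * 5
            + b"gConfig\x00"
            + b"ab\x00"                    # too short to count as a string
            + b"index.stm"
            + b"\x00" * 4
            + b"Telnet server disabled\x00")


if __name__ == "__main__":
    # Usage: python hunt_strings.py soho.bin  (no argument: run on the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for category, found in hunt_strings(data).items():
        for offset, text in found:
            print(f"{category:8s} {offset:#010x} {text}")
```

Page names found this way but absent from the web UI's navigation (engineer.stm is the case on this router) are the first thing to try requesting directly.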

Extracting the PFS.IMG

Thanks to Domen Puncer, you can extract the proprietary PFS/0.9 format used by various routers. Simply compile the C file with “gcc pfs.c -o pfs” and you’re good to go.

http://www.cba.si/pfs/

While you cannot extract the EXE files, you can see their names, and you can extract the STM files, which give some insight into the firmware.

Continued: Part 2 (Hardware hacking)