Hacking the Belkin F5D7632-4 (Part 3: Let's play with UART)
Normal boot process log
Accessing the hidden console
Originally I thought that the console was completely hidden and maybe used over that 10101 port. Fortunately I found this page about a similar model, which described pressing shift-0
to access the console.
Tested it out, and sure enough you CAN in-fact access the console by pressing SHIFT-0 while the router is booted up (not in recovery).
Here's the main menu:
If we press Firmware Upgrade
, you'll notice that the router connects to 192.168.2.100
(a hard coded IP address) via TFTP looking for a firmware upgrade. This could allow you to potentially flash custom firmware that the Web UI might not allow you to.
Firmware upgrade from: 192.168.2.100
RUNTASK id=22 TFTPget...
From some of the debugging messages, we can also see something called Belkin EZ-Install
, and that it's trying to close the port (maybe this is what port 10101
is?):
>> Belkin EZ-Install API Timeout! Close listening port ...
Here's the system menu, showing the "gConfig" first, and then the cisco-looking routing table:
Using the SOLOSW menu, we're able to access various options, most importantly the "Demo CLI", which allows us to dump the ENTIRE firmware. (even more than what comes with the belkin firmware files from their site)
I believe this firmware actually includes the firmware of the in-built ADSL modem, as I've noticed a lot more detail, for example, what looks like firmware for the CX94610
SOC.
Important: If you plan on dumping your firmware, be aware that it can take up to 2 hours. In my case it had taken roughly 1 hour and 30 minutes, using screen
with -L to save the screenlog.
Once the dump was completed, I opened the screenlog in VIM and extracted the firmware hexdump into it's own file.
Next I used xxd
to convert the hexdump back into binary format.
xxd -r < firmware.ascii > fw.bin
For those interested, here's the binwalk
output of our nice fresh 4.7mb fw.bin:
And of course, here's the download link: https://mega.nz/#!k94QyYTA!TyM8lHAZflQBxv92piEu0Iw11I36GgPZjXSsAwAcgf0
Bootloader Menu
To get into the bootloader, simply hit space as soon as you are prompted by the boot process. May take a few tries to get timing right.
Unfortunately the bootloader is quite crippled. Practically no commands work other than reset
and help
.
Recovery Mode UART Log
Note that when you press a key during recovery mode, you will be shown “I’m still alive …"
When pressing SHIFT-E while in recovery, we're also presented with a list of firmware/RAM(?) addresses.
So far this is all I know about this router. I've spent the past few days collecting resources, and trying to understand the router through poking and prodding, and this may now be the most thorough sources of information about this model.
Due to the CPU, I don't believe it's possible to run OpenWRT or DD-WRT on here. If anyone has any more information, feel free to email me (info+belkin at someguy123 dot com).