Posted: Mon Feb 26, 2007 9:42 Post subject: Belkin F5D-7231 v1212 history
Long story short, I got one of these and wasn't exactly happy with the features. So I bit the bullet and installed the generic micro firmware on it. Result: wireless worked OK, LAN ports dead (all LEDs on). I've been reading all the topics I could find about the problem, but none matched my problem.
So I pulled the box apart, and this doesn't look exactly like other 723x. Processor is a BCM 5352, flash is an AMD (Spansion) 29lv160, 8 meg RAM ESMT chip. FCC ID H8NRT2406W means this thing is an Askey, however I couldn't find an Askey rt2406w. Hooked both serial and JTAG on it, booted it to see what it says. Apparently the micro firmware didn't support the integrated LAN on the 5352. Tried to reflash it with a different version from the web interface; apparently it goes OK (updating / rebooting) but reboots with the exact same version of dd-wrt that was running.
At this point I went to the debrick tool, backed up the whole flash and reflashed another kernel (can't remember exactly which one, but I took one that should have worked on the 5352). Box didn't boot anymore.
Upon close inspection of wholeflash.bin, it looks like this box is running a compressed CFE. The compressed CFE and the decompression part are stored in the first 128kb. Kernel starts at 128kb; nvram, if I remember correctly, was around its normal offset, but not quite.
At this point I took a 256k CFE that did support the 5352, flashed it in, and this is the point where the sh*t hit the fan. Box didn't boot anymore. Long story short, I flashed every CFE I could find with no result. Serial was completely silent at boot, no reaction even after 10 minutes. I reflashed the CFE from my backup and ... :
Serial console message is:
Had a bad feeling at this point. So probably my backup was corrupt. Went and cut the gzipped CFE from the CFE backup, tried unpacking, and sure enough gunzip said the same thing.
Went onto Belkin's and picked up F5D7231-4 UK v5.01.11.BIN. Looked at it in a hex editor, and I realized the file was somehow not right. Upon close inspection I realized the file had a special structure. Checked around to see if there was a tool to unpack it; there wasn't, so I went and wrote one. Unpacked the firmware OK; the result was a 2 mbyte flash file which contained everything (CFE, kernel and nvram). Flashed it to the box, boot, and... nothing. Not even "decompressing/checksum failed".
So I took another route. Since the decompression code from my original CFE worked, I cut the gzipped CFE from the firmware update and pasted it into my old CFE. It was smaller than the one already in, so it didn't overwrite anything. Flashed, reboot, decompressing failed. Argh.
Downloaded IDA, disassembled my CFE, went and patched the checksum check, flashed, rebooted: "decompressing...done" hurray! Well, not really, after 5 minutes it was still stuck.
So there it is, I'm kinda out of ideas. Any ideas, guys? Does anyone maybe have a working CFE for this thing?
No luck yet, and didn't have too much time to fiddle with it so far. It's sitting here on the desk with the jtag wires in it.
I suspect it needs either a custom CFE for this type of RAM, or a RAM chip swap (so maybe it'll boot with another already-built CFE). On the other hand it would be nice if someone could dump a CFE from their box and send it....
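The backup check described in the first post (cutting the gzipped CFE out of the flash dump and running gunzip on it) can be done before anything is overwritten. The sketch below is an added example, not part of the original thread: the function names are hypothetical, the 2 MiB image with a 1 KiB loader stub is constructed sample data, and only the "first 128 KiB" boot region comes from the post.

```python
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"    # gzip ID bytes + deflate method
BOOT_REGION = 128 * 1024        # per the post: compressed CFE lives in the first 128 KiB

def check_member(image, offset):
    """Inflate the gzip member at `offset`; zlib verifies its CRC32 and length trailer."""
    d = zlib.decompressobj(31)  # wbits=31 selects the gzip wrapper
    try:
        out = d.decompress(image[offset:])
    except zlib.error as exc:
        return False, str(exc)
    if not d.eof:
        return False, "stream ends before gzip trailer"
    return True, len(out)

def verify_backup(image, limit=BOOT_REGION):
    """Return [(offset, ok, detail)] for every gzip header candidate in the boot region."""
    results, pos = [], image.find(GZIP_MAGIC, 0, limit)
    while pos != -1:
        ok, detail = check_member(image, pos)
        results.append((pos, ok, detail))
        pos = image.find(GZIP_MAGIC, pos + 1, limit)
    return results

def build_sample(payload, corrupt=False):
    """Constructed 2 MiB image: 1 KiB stub, gzip member, 0xFF padding (erased flash)."""
    c = zlib.compressobj(9, zlib.DEFLATED, 31)
    member = bytearray(c.compress(payload) + c.flush())
    if corrupt:
        member[-8] ^= 0xFF      # damage the stored CRC32, as a bad read or write would
    image = bytearray(b"\xff" * (2 * 1024 * 1024))
    image[0:1024] = b"\x00" * 1024          # assumed stand-in for the decompression stub
    image[1024:1024 + len(member)] = member
    return bytes(image)

if __name__ == "__main__":
    payload = b"constructed stand-in for a CFE image " * 500
    for label, corrupt in (("good", False), ("damaged", True)):
        for off, ok, detail in verify_backup(build_sample(payload, corrupt)):
            print(f"{label}: 0x{off:05x} ok={ok} detail={detail}")
```

Running the same check on a second, independent read of the flash and comparing the two dumps shows whether a failure comes from the read path or from the chip contents.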