D-Link DSL-2640S


 * D-Link DSL-2640S - Mel's Notes (internal photo)
 * CPU: Broadcom BCM63281KFBG
 * WLAN: Broadcom BCM4313KML1G
 * GPL source code

cpuinfo
cat cpuinfo

system type            : 96328avng processor              : 0 cpu model              : Broadcom4350 V7.5 BogoMIPS               : 319.48 wait instruction       : yes microsecond timers     : yes tlb_entries            : 32 extra interrupt vector : no hardware watchpoint     : no ASEs implemented        : shadow register sets   : 1 core                   : 0 VCED exceptions        : not available VCEI exceptions        : not available

<!-- Saturday, 2 October 2010 D-Link DSL-2640S. I managed to get hold of an almost new d-link sky router today. It didn't cost much as it is locked down to sky, but I was hoping I'd be able to flash it with a standard firmware, so that I can use it as a backup while I try to fix one of my other routers, both of which have hardware issues.

Meanwhile I've got the D-link sat on the side of my desk and am using it as a Wifi access point, while having a go at extracting the password generation code.

Here's a picture of the innards.

It is built around a Broadcom BCM63281KFBG, which according to a pdf I found on the Broadcom website, is a cost effective, low power chip, with support for power management. The Wifi chip is a BCM4313KML1G - single-band, IEEE 802.11n, with dual antenna support, although the router itself is only b and g capable.

As you can see there's minimal shielding on the wireless section, and judging by the PCB, the bcm63281 has an integrated switch. The inclusion of a power button at the rear, proved to be very useful while I was trying to access the shell.

It has four external Ethernet ports, and supports wireless 802.11b & g. The sky firmware includes support for WPA & WPA2, although you can't select WPA2 only. The firmware seems pretty good at automatically selecting an unused wifi channel, however it sometimes picks a channel used by a neighbour, possibly because they have their SSID hidden, so I found it necessary to manually select one.

The wifi signal is a little weak compared to my other routers, probably because of the internal antenna - the bit of steel with a wire attached at the bottom of the picture. I also wonder if they've limited the power output, to avoid causing interference issues due to the lack of shielding. There are unused solder pads on the PCB for a second antenna.

Mounting the router vertically improved the wifi reception by about 15%, and also makes the router run much cooler. It gets quite toasty while sitting on it's rubber feet, as the vents are at either end of the case. The wifi signal still doesn't match that of my other router's though, or even my neighbour's, it is however, more than adequate to reach opposite ends of my house.

Anyway, before trying to flash it, I wanted to try to access the shell, which, as it doesn't seem to have a telnet or ssh server running, requires a little hacking...

Getting root access didn't provide me with that much of a challenge, although the procedure I used did get a little complicated.

Needless to say it runs busybox under linux:-

BusyBox v1.00 (2010.06.23-05:56+0000) Built-in shell (msh) Enter 'help' for a list of built-in commands.

bin     dev      lib      mnt      proc     sys      usr      webs data    etc      linuxrc  opt      sbin     tmp      var
 * ls

adsl           dnsproxy        iptables        ps              true adslctl        dnsspoof        kill            pwd             udhcpd brctl          dsldiagd        ln              pwr             umount busybox        dumpmem         ls              pwrctl          upgrader cat            eapd            mcpd            rawSocketTest   upnp chmod          ebtables        mkdir           rm              urlfilterd consoled       echo            mknod           sendarp         vlanctl cp             epi_ttcp        mount           setmem          wl date            ethctl          msh             sh              wlctl ddnsd          ethswctl        nas             sleep           wlevt deluser        false           nas4not         smd             wlmngr df             fc              nvram           sntp            xdslctl dhcpc          fcctl           nvramUpdate     ssk             xtm dhcpd          flash_eraseall  ping            sysinfo         xtmctl diapd          hotplug         ping6           telnetd dmesg          httpd           pppd            tftpd
 * 1) ls /bin

ethctl   ifconfig  insmod    logread   rmmod     syslogd hotplug  init      klogd     reboot    route     vconfig
 * 1) ls /sbin


 * 1) help

Built-in commands: --- . : break cd continue eval exec exit export help login newgrp read readonly set shift times trap umask wait [ busybox cat chmod cp date deluser df dmesg echo expr false flash_eraseall ftpget ifconfig init insmod kill killall klogd linuxrc ln logger logread ls mkdir mknod mount msh nc ping ping6 ps pwd reboot rm rmmod route sendarp sh sleep sysinfo syslogd test tftp tftpd top true tty umount vconfig wget cat cpuinfo

system type            : 96328avng processor              : 0 cpu model              : Broadcom4350 V7.5 BogoMIPS               : 319.48 wait instruction       : yes microsecond timers     : yes tlb_entries            : 32 extra interrupt vector : no hardware watchpoint     : no ASEs implemented        : shadow register sets   : 1 core                   : 0 VCED exceptions        : not available VCEI exceptions        : not available Mem: 24400K used, 36880K free, 0K shrd, 2676K buff, 9752K cached Load average: 0.13, 0.08, 0.01   (State: S=sleeping R=running, W=waiting)

PID USER    STATUS   RSS  PPID %CPU %MEM COMMAND 158 admin   SW         0     2  1.7  0.0 bcmsw 1098 admin   R        404  1096  0.5  0.6 exe 1002 admin   S        140     1  0.1  0.2 telnetd 844 admin   S       1576   187  0.0  2.5 httpd 188 admin   S       1448   187  0.0  2.3 ssk 531 admin   S       1392   187  0.0  2.2 wlmngr 187 admin   S        724   114  0.0  1.1 smd 233 admin   S        640   187  0.0  1.0 mcpd 608 admin   S        532   187  0.0  0.8 upgrader 1005 admin   S        500     1  0.0  0.8 pppd 114 admin   S        464     1  0.0  0.7 sh 1096 admin    S        448  1002  0.0  0.7 sh 195 admin    S        416   187  0.0  0.6 syslogd 1 admin   S        392     0  0.0  0.6 init 196 admin   S        344   187  0.0  0.5 klogd 197 admin   S        340   187  0.0  0.5 sntp 609 admin   S        288   187  0.0  0.4 dsldiagd 250 admin   S        216     1  0.0  0.3 dnsspoof 803 admin   S        212     1  0.0  0.3 nas 799 admin   S        124     1  0.0  0.2 eapd ^C#

Running the PPP daemon manually, reveals that "ps" masks the chap password with a couple of asterisks.

1005 admin      500 S   pppd -c pppoa0 -a 0.0.38 -u mel@btbroadband.com -p ** 1096 admin      448 S   /bin/sh 1103 admin      388 R   ps

If you've bought one off ebay, and want to check it works before flashing, the typical format of the pppd command is:-

/bin/pppd -c pppoa0 -a 0.0.38 -u USERNAME -p PASSWORD -f0 -z1500&

Obviously you'd need access to the shell first (I've written a program to provide telnet access and also to extract the password) and I suspect "pppd" will need to be run before connecting the router to the telephone line.

Finding a compatible firmware may prove to be very tricky though, I was hoping it would be the same hardware as the broadcom based dsl-2640b, however this router's design seems to be a new one.

Update D-Link have released the GPL source code Posted by Mel at 10/02/2010 03:23:00 pm

Labels: DSL2640S -->