D-Link DI-624+
This WiFi router currently acts as my access point.
I am highly fascinated by embedded hardware and therefore
couldn't keep my hands from this thing. So far I haven't
done anything to the firmware or whatever but just had
a look at both hard- and software. May the information
be of use to someone. The following is true for hardware
revision A1. If somebody has any information about A3
I would be grateful to get it.
Hardware
The original manufacturer of the boards is as usual
"Global Sun Tech". The board has the id "GL2454RT-IA1-B10
T2.0" plus a sticker with "A01" and features
1MB of Flash ROM and 8MB of SDRAM.
[Photos: main board; WiFi daughter board]
Some of the components used
| Manufacturer | Chip ID | Purpose |
| Brecis | MSP2007 | MIPS32 CPU, 170 MHz, 2 MAC, PCI, 55 GPIO |
| Marvell | 88E6060-RCJ | 6-Port Fast Ethernet Switch |
| MX | 29LV800ABTC-90 | 8 Mbit 3 V flash memory = 1 MB |
| Hynix | HY57V643220CT-6 | SDRAM 3.3 V 64Mx32 4 banks 166 MHz = 8 MB |
| Altera | EPM3032A | PLD 600 gates, 32 macrocells, 2 logic array blocks, 34 I/O pins, 227 MHz |
The WiFi daughter module is a mini-PCI board with a
Texas Instruments TNETW1130 (ACX111) chip on it.
Firmware
The flash seems to be split into two parts: a basic
boot and recovery part and the user updateable part.
The basic part is always there and doesn't get overwritten
on a firmware update. So even if an update fails this
part can be used to recover the device.
The user updateable part represents the main software
with which the router runs. It is much bigger than the
1MB space the flash allows (around 2MB) and therefore
is only uploaded and saved in a packed form. The boot
part unpacks the main firmware during startup into the
SDRAM. The algorithm used is from the old ARJ archiver
and the firmwares available from D-Link can actually
be decompressed this way (you should get a file called
"NML.MEM" in the process).
The real time operating system used is called "ThreadX"
from Express Logic.
Internals
A test menu can be obtained by loading the page http://router-ip/weca.htm.
I however suggest that you don't mess around with it.
A bit more interesting is the file http://router-ip/NATLIST.TXT,
which contains the number of seconds the router has been up
and a list of all open NAT connections (as I don't do
NAT it's pretty empty in my case).
http://router-ip/CHKLST.TXT contains various data about
the firmware and the MAC addresses.
Probably the most interesting thing I could find out
so far is that the router provides its debugging log
through the TFTP interface. Using a TFTP client one
can download a file called "dbgout.txt" which
mostly contains the boot messages of the device:
Sytem starting ...
Created Inet main task.
Created clock tick task.
Created PING application task.
Created radiusClient_recvFrom task.
Created msg_ipc task.
Initializing 802.11g(I) Interface...OK !
Created wireless led task task.
mux_0g(I) applied.
[...]
However, after bootup almost no additional messages
are added; I have only noticed TFTP errors so far.
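A minimal TFTP read client (RFC 1350) for checking whether a device you administer hands out "dbgout.txt" without authentication, as described above. This is an added example, not code from the original page; the function names and the placeholder address 192.0.2.1 are assumptions.

```python
import socket
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512  # RFC 1350: every DATA block but the last carries 512 bytes

def build_rrq(filename, mode="octet"):
    """Read request: opcode 1, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)

def parse_packet(pkt):
    """Return ('data', block, payload) or ('error', code, message)."""
    if len(pkt) < 4:
        raise ValueError("short TFTP packet")
    opcode, value = struct.unpack("!HH", pkt[:4])
    if opcode == OP_DATA:
        return "data", value, pkt[4:]
    if opcode == OP_ERROR:
        return "error", value, pkt[4:].split(b"\0", 1)[0].decode("ascii", "replace")
    raise ValueError(f"unexpected opcode {opcode}")

def tftp_read(host, filename, port=69, timeout=3.0, max_bytes=1 << 20):
    """Fetch one file. Raises OSError on a TFTP error packet or a timeout."""
    out, expected, tid = bytearray(), 1, None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rrq(filename), (host, port))
        while True:
            pkt, peer = s.recvfrom(4 + BLOCK)
            if tid is None:
                tid = peer            # server answers from a fresh port (its TID)
            elif peer != tid:
                continue              # ignore datagrams from any other source
            kind, value, payload = parse_packet(pkt)
            if kind == "error":
                raise OSError(f"TFTP error {value}: {payload}")
            s.sendto(build_ack(value), peer)   # ACK duplicates too, keep only new blocks
            if value != expected:
                continue
            out += payload
            if len(payload) < BLOCK or len(out) >= max_bytes:
                return bytes(out)     # short block ends the transfer
            expected = (expected + 1) & 0xFFFF

if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder; use your own router's address.
    print(tftp_read("192.0.2.1", "dbgout.txt").decode("ascii", "replace"))
```

A successful read with no credentials means anyone who can reach UDP port 69 on the device can retrieve the same log.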
A port scan of firmware 1.15 revealed the following open ports. The
device doesn't handle scanning too well; it can
cause a reboot.
Port State Service
53/udp open domain
69/udp open tftp
80/tcp open http
1226/udp open unknown
1812/udp open radius
8800/udp open unknown
So far I don't know what ports 1226 and 8800 are for;
1226 is, however, no longer open on 1.18. The firmware
contains a Telnet server but as you can see it is not
reachable or not started. I hope to somehow get it working,
though. Any help on this or any more information about
the device is highly welcome.