Saturday, 2 October 2010

d-link dsl-2640s

I managed to get hold of an almost new D-Link Sky router today. It didn't cost much as it is locked down to Sky, but I was hoping I'd be able to flash it with a standard firmware, so that I can use it as a backup while I try to fix one of my other routers, both of which have hardware issues.

Meanwhile I've got the D-Link sitting on the side of my desk and am using it as a Wifi access point, while having a go at extracting the password generation code.

Here's a picture of the innards.

It is built around a Broadcom BCM63281KFBG, which according to a PDF I found on the Broadcom website, is a cost effective, low power chip, with support for power management. The Wifi chip is a BCM4313KML1G - single-band, IEEE 802.11n, with dual antenna support, although the router itself is only b and g capable.

As you can see there's minimal shielding on the wireless section, and judging by the PCB, the BCM63281 has an integrated switch. The inclusion of a power button at the rear proved to be very useful while I was trying to access the shell.

It has four external Ethernet ports, and supports wireless 802.11b & g. The sky firmware includes support for WPA & WPA2, although you can't select WPA2 only. The firmware seems pretty good at automatically selecting an unused wifi channel, however it sometimes picks a channel used by a neighbour, possibly because they have their SSID hidden, so I found it necessary to manually select one.

The wifi signal is a little weak compared to my other routers, probably because of the internal antenna - the bit of steel with a wire attached at the bottom of the picture. I also wonder if they've limited the power output, to avoid causing interference issues due to the lack of shielding. There are unused solder pads on the PCB for a second antenna.

Mounting the router vertically improved the wifi reception by about 15%, and also makes the router run much cooler. It gets quite toasty while sitting on its rubber feet, as the vents are at either end of the case. The wifi signal still doesn't match that of my other routers, though, or even my neighbour's; it is, however, more than adequate to reach opposite ends of my house.

Anyway, before trying to flash it, I wanted to try to access the shell, which, as it doesn't seem to have a telnet or ssh server running, requires a little hacking...

Getting root access didn't provide me with that much of a challenge, although the procedure I used did get a little complicated.

Needless to say it runs busybox under linux:-

BusyBox v1.00 (2010.06.23-05:56+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# ls
bin      dev      lib      mnt      proc     sys      usr      webs
data     etc      linuxrc  opt      sbin     tmp      var
#
# ls /bin
adsl            dnsproxy        iptables        ps              true
adslctl         dnsspoof        kill            pwd             udhcpd
brctl           dsldiagd        ln              pwr             umount
busybox         dumpmem         ls              pwrctl          upgrader
cat             eapd            mcpd            rawSocketTest   upnp
chmod           ebtables        mkdir           rm              urlfilterd
consoled        echo            mknod           sendarp         vlanctl
cp              epi_ttcp        mount           setmem          wl
date            ethctl          msh             sh              wlctl
ddnsd           ethswctl        nas             sleep           wlevt
deluser         false           nas4not         smd             wlmngr
df              fc              nvram           sntp            xdslctl
dhcpc           fcctl           nvramUpdate     ssk             xtm
dhcpd           flash_eraseall  ping            sysinfo         xtmctl
diapd           hotplug         ping6           telnetd
dmesg           httpd           pppd            tftpd
#
# ls /sbin
ethctl    ifconfig  insmod    logread   rmmod     syslogd
hotplug   init      klogd     reboot    route     vconfig
#
# help

Built-in commands:
-------------------
. : break cd continue eval exec exit export help login newgrp
read readonly set shift times trap umask wait [ busybox cat chmod
cp date deluser df dmesg echo expr false flash_eraseall ftpget
ifconfig init insmod kill killall klogd linuxrc ln logger logread
ls mkdir mknod mount msh nc ping ping6 ps pwd reboot rm rmmod
route sendarp sh sleep sysinfo syslogd test tftp tftpd top true
tty umount vconfig wget
#
#
cat cpuinfo
#
system type             : 96328avng
processor               : 0
cpu model               : Broadcom4350 V7.5
BogoMIPS                : 319.48
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available
#
#

Mem: 24400K used, 36880K free, 0K shrd, 2676K buff, 9752K cached
Load average: 0.13, 0.08, 0.01    (State: S=sleeping R=running, W=waiting)

 PID USER     STATUS   RSS  PPID %CPU %MEM COMMAND
 158 admin    SW         0     2  1.7  0.0 bcmsw
1098 admin    R        404  1096  0.5  0.6 exe
1002 admin    S        140     1  0.1  0.2 telnetd
 844 admin    S       1576   187  0.0  2.5 httpd
 188 admin    S       1448   187  0.0  2.3 ssk
 531 admin    S       1392   187  0.0  2.2 wlmngr
 187 admin    S        724   114  0.0  1.1 smd
 233 admin    S        640   187  0.0  1.0 mcpd
 608 admin    S        532   187  0.0  0.8 upgrader
1005 admin    S        500     1  0.0  0.8 pppd
 114 admin    S        464     1  0.0  0.7 sh
1096 admin    S        448  1002  0.0  0.7 sh
 195 admin    S        416   187  0.0  0.6 syslogd
   1 admin    S        392     0  0.0  0.6 init
 196 admin    S        344   187  0.0  0.5 klogd
 197 admin    S        340   187  0.0  0.5 sntp
 609 admin    S        288   187  0.0  0.4 dsldiagd
 250 admin    S        216     1  0.0  0.3 dnsspoof
 803 admin    S        212     1  0.0  0.3 nas
 799 admin    S        124     1  0.0  0.2 eapd
^C#
Running the PPP daemon manually reveals that "ps" masks the CHAP password with a couple of asterisks:-
1005 admin       500 S   pppd -c pppoa0 -a 0.0.38 -u mel@btbroadband.com -p **
1096 admin       448 S   /bin/sh
1103 admin       388 R   ps

If you've bought one off eBay and want to check it works before flashing, the typical format of the pppd command is:-

/bin/pppd -c pppoa0 -a 0.0.38 -u USERNAME -p PASSWORD -f0 -z1500&

Obviously you'd need access to the shell first (I've written a program to provide telnet access and also to extract the password), and I suspect "pppd" will need to be run before connecting the router to the telephone line.
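As an added example (my own script, not part of the original post or the router's firmware), a small audit that parses the busybox "ps" listing shown above and reports every process that was handed a credential on its command line, and whether the value is still visible or has been overwritten with asterisks as pppd does. The listing is a constructed sample embedded in the script, and the SECRET_OPTS table is an assumption of the audit, not something the firmware documents.

```python
import re

# Constructed sample: the busybox "ps" listing quoted above, captured after
# pppd was started by hand so its full command line is visible.
SAMPLE_PS = """\
1005 admin       500 S   pppd -c pppoa0 -a 0.0.38 -u mel@btbroadband.com -p **
1096 admin       448 S   /bin/sh
1103 admin       388 R   ps
"""

# busybox ps on this firmware prints: PID USER RSS STATE COMMAND
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(.*)$")

# Options whose argument is a credential when given on the command line.
# "-p" is pppd's password option as used on this router; the table is an
# assumption made for the audit, not something the firmware documents.
SECRET_OPTS = {"-p": "pppd password"}

def parse_ps(text):
    """Parse a busybox ps listing into a list of process dicts."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, user, rss, state, cmd = m.groups()
        procs.append({"pid": int(pid), "user": user, "rss": int(rss),
                      "state": state, "argv": cmd.split()})
    return procs

def find_argv_secrets(procs):
    """Return (pid, program, option, value, masked) for each credential
    passed as a command-line argument. 'masked' is True when the value is
    only asterisks, i.e. the daemon overwrote its argv after reading it."""
    findings = []
    for p in procs:
        argv = p["argv"]
        for i, arg in enumerate(argv[:-1]):
            if arg in SECRET_OPTS:
                value = argv[i + 1]
                masked = value != "" and set(value) <= {"*"}
                findings.append((p["pid"], argv[0], arg, value, masked))
    return findings

if __name__ == "__main__":
    for pid, prog, opt, value, masked in find_argv_secrets(parse_ps(SAMPLE_PS)):
        print(f"pid {pid}: {prog} takes {SECRET_OPTS[opt]} via {opt} "
              f"({'masked' if masked else 'EXPOSED'}: {value})")
```

A masked value only means pppd overwrote its argv after parsing it; the plain value was readable by any local process between exec and that overwrite, which is why pppd's own pap-secrets/chap-secrets files are the safer place to keep the credential than "-p".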

Finding a compatible firmware may prove to be very tricky though. I was hoping it would be the same hardware as the Broadcom based DSL-2640B, however this router's design seems to be a new one.

Update

D-Link have released the GPL source code.

30 comments:

Adam said...

any chance you could publish the hack you used to gain access?

Richard said...

Yes. Just got one of these with my Sky broadband connection and we need a hack to extract the user id and password from it. It's not using the same userid and password generator as the previous Sky modems so they have changed their security approach again.

Richard said...

Just tried to telnet in. Telnet seems to be running but terminates immediately without prompts. Suspect it needs an embedded login or passkey sequence.

Mel said...

I've written an app to extract the authentication details, and hope to make it available very soon.

Adam said...

Could you tell us which exploits you used?

Stevie Wonder said...

So does that mean it can be upgraded to single band N at some point via software?

Mel said...

Presumably apart from new firmware, it would require a second antenna, and there might also be a few components required for 802.11N missing. I also can't be absolutely sure if this version of the BCM4313 does support N as I wasn't able to find any details about the full product code.

Alex said...

Mel,

I've ordered an antenna and pigtail set and plan to retrofit it to the router.

Is there any way to find out if the WIFI power output has been restricted? Or if it's possible to increase the output? (like WRT).

Many thanks.

T1Cybernetic said...

Is there any news on what firmware could be used on this? I always hated Sky's firmware on the older Netgear and I quickly flashed to a Netgear official one, so I am hoping to do the same with this router if possible (currently running SKY 1.11).

No problems but I really wish it was a d-link firmware and interface.

Alex said...

Yes I second that. Non-Sky firmware would be a bonus.

By the way, I retrofitted a 9 inch high gain antenna and this vastly improved the wifi signal. I initially tried a 6 inch antenna and this made an improvement, but the 9 inch one was even better. The antennas are only £1.50 off eBay anyway :-) and I had 2 reverse polarity pigtails for £3. Cheap and cheerful upgrade! You need a pretty good soldering iron and good eyesight as the solder pads are a bit small. I'll try and get a photo on here later.

Alex said...

Here it is, sorry about the quality.

http://img17.imageshack.us/img17/8599/skyrouter.jpg

KanjiMonster said...

Could you post a picture of the bottom of the board? I'm thinking of getting one of these and try to get OpenWRT to run on this, but I need serial access for that, and I didn't see any serial pins on the top.

KanjiMonster said...

Ah, almost forgot: does it come with *any* hints that it runs GPL'd software?

Alex said...

I think the serial pins are at the top of Mel's picture, to the left of the bank of LAN sockets and just to the right of the reset switch. You can just about make them out.

KanjiMonster said...

Got them. If anyone is interested, the serial settings are 115200 8N1, while the pins are (from "top"): [RX] [X] [VCC?][GND] [TX].

Kavi said...

Hi Alex,
Thx for reading. Your photo here http://img17.imageshack.us/img17/8599/skyrouter.jpg
shows the external appearance of the modifications you did successfully.

Is there anyway you could publish the photo details of the soldering pads on the board, like location?

Doru Barbu said...

Hi!
Did any of you get the chance to grab the GPL source dump for the 1.11 version from D-Link's site? I think they took them down, I can't find them anywhere. I've even e-mailed them about this and they replied with a generic "we'll look into it" mail.
I managed to find 2.04 sources but I couldn't get any of the built images to boot, although everything appears to compile fine, board ids and everything check out (I'll provide the link on request)... The power and checkmark LEDs light up and that's all, it just hangs there. At least recovery works.
Thanks!

VG said...

please provide the link for the source code skyV2.04

asbokid said...

The GPL'ed source code for the Sky-branded DLink DSL-2640s is here..

http://blog.gmane.org/gmane.law.gpl.violations.legal/month=20111201

http://www1.sky.com/opensourcesoftware/router/downloads.html

Where is Mel's source code now?

Doru Barbu said...

Apparently, the source archives published by sky are stripped of the binary drivers (aka useless if you want to use the dsl bit, possibly other stuff). I have not confirmed this myself yet, but I am looking into it.
On the other hand, the sources that I grabbed from ftp://ftp.dlink.co.uk/dlinktemp/DSL-2640S%20V2.04%20GPL%20Source%20Code/ build fine, and I have been able to flash a working image compiled from source.
I've been trying to modify the source to enable arbitrary vci/vpi and username/password combinations, but I haven't had too much free time to work on it, so progress is really slow, if any.

Mel said...

I also built working firmware from the source provided by d-link, and even modified them a bit. However to build a generic firmware, I had to resort to hacking around firmware extracted from another router.

I'm using it now, and I almost got it good enough to release, but there's still one major bug.

choky said...

Hi Mel, Doru & all,

I'm interested to know the progress of building/trying/using generic firmware for this D-Link type, as I'm trying to use it for another ISP. May I know at least how you access it via telnet? I only know some basics of Unix.

Thanks

Max Port said...

Hi Mel, Any chance you are any closer to releasing the firmware you have built?

Me said...

Hi Mel,

I'm currently looking at the D-Link DSL-2640S as a possible option for dd-wrt or alternative firmware flash. I'm struggling to find very much information at all about the router other than what I found on your site (great site btw).

Are you still progressing this as a project?

Could you share your discoveries so far on how to gain telnet / ssh access to the router and any other information you are happy to part with? I would be very grateful, as well as mentioning you in any resulting blog etc.

All the best either way! :)
