
Restoring a D-Link DVG-N5204SP via UART


The topic of flashing routers through the UART interface has been covered to death, but I could not find information on my router, so I think this write-up will be useful, especially since the few questions on the forums about it remain unanswered.

I got my hands on the router in question for free, because "something did not work."

Having brought it home, I found that the router refused to bring up the LAN ports, while the other indicators blinked during boot and the WAN port came up. Resetting with the Reset button did not help, although the lights behaved the way they do during a reset.

Well, a freebie is a freebie, and I really wanted to use this router for Internet access via 3G/4G USB modems at a country house. And, out of curiosity, with the possibility of setting up MegaFon SIP on it.


Having read the manuals, I realized that none of the described ways to enter Emergency mode worked, although when powering on while holding the Reset button the router clearly entered some mode in which the LAN ports came up normally. But the networks described in the manuals (192.168.80.20/24, 192.168.1.2/24, 192.168.0.2/24, 192.168.8.10/24) did not fit: none of the addresses answered (192.168.80.21, 192.168.1.1, 192.168.0.1, 192.168.8.254).

I decided it was time to open the device and look at the insides:

image

An already-soldered UART header was spotted in the lower left corner, above the WAN LED; all that remained was to find an adapter and use it.

I bought a DCU-15 cable based on the PL2303 at a local store for 30 rubles, took it apart and soldered it to the right pins (don't scold me for the soldering, it was all done with a 150-ruble Chinese gas soldering iron that barely heats up; I just wanted to give it a chance to have not lived its life in vain):

image

There are plenty of manuals on connecting phone data cables to UART ports, so I will not describe it again.
For the connection I used PuTTY; readable output started at 38400 baud, which must be set both in PuTTY and in the settings of the USB-COM port.



When powered on, the router cheerfully printed a menu, asking what I would like to do:

DDR DRAM 32 MB @ 195 MHz, SPI FLASH 8 M
--- Octtel (RTL89xxB) at 2011.05.16-13:42+0800 version 1.1.26.0 [16bit] (390MHz)
--- Wireless regDomain --- MAC Address: 84:c9:b2:xx:xx:xx

Press 'i' to update system image.
Press 'k' to update kernel image.
Press 'r' to update root fs image.
Press 'l' to update loader.
Press 'c' to change target IP
Press 't' to change TFTP server IP
Press 'z' to change network MAC number config.
Press 'm' to change MAC and SN config.
Press 'y' to change wireless regDomain config.

There are many manuals online for updating or restoring firmware on the D-Link DIR-300 and similar devices. They describe restoring the firmware by downloading it directly from a TFTP server, but none of this router's update menu items requested the required file (the firmware file downloaded from D-Link's FTP has the .pack extension and was already waiting on the TFTP server).
I was briefly disheartened, and thought that maybe I could get something from the router's boot logs. If anyone wants to look, I posted them on a well-known resource:

http://pastebin.com/hS9zVx5z

The spoiler for the log did not want to work for some reason; if someone tells me why, I will be grateful and will move the log into the article.

I did not find any mention of the available networks in the logs.

After the device had fully booted, a command prompt became available, which I made use of:

# ifconfig
br0       Link encap:Ethernet  HWaddr 84:C9:B2:XX:XX:XX
          inet addr:192.168.8.254  Bcast:192.168.8.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:64
          TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:23275 (22.7 KiB)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 84:C9:B2:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:128
          RX bytes:0 (0.0 B)  TX bytes:1722 (1.6 KiB)
          Interrupt:15

eth1      Link encap:Ethernet  HWaddr 84:C9:B2:XX:XX:XX
          inet addr:192.168.8.254  Bcast:192.168.8.255  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6320 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1562 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:128
          RX bytes:1176595 (1.1 MiB)  TX bytes:1301150 (1.2 MiB)
          Interrupt:15

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1100 (1.0 KiB)  TX bytes:1100 (1.0 KiB)

As you can see, the br0 and eth1 interfaces have the same IP, but eth1 is configured with a typical point-to-point /30 network.
I decided to connect the cable to the WAN port to test this network. The router brought the port up and happily printed to the console:

NCS: Connection WAN established, IP = 192.168.8.254 Subnet Mask = 255.255.255.252

With the thought "well, now you can't hide from me," I set 192.168.8.253/30 on my network card.

None of the 4 packets sent came back alive, but the router responded in the console:
NCS: Icmp-Smurf attack detected, SA = 192.168.8.253 DA = 192.168.8.254
NCS: Icmp-Smurf attack detected, SA = 192.168.8.253 DA = 192.168.8.254
NCS: Icmp-Smurf attack detected, SA = 192.168.8.253 DA = 192.168.8.254
NCS: Icmp-Smurf attack detected, SA = 192.168.8.253 DA = 192.168.8.254
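
How the 192.168.8.253/30 address follows from the ifconfig dump, as an added example that is not part of the original post: it parses legacy net-tools ifconfig output captured from the serial console, flags an IP assigned to more than one interface, and lists the host addresses left for your own network card. The sample text is constructed from the addresses shown above; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: trimmed ifconfig output with the post's addresses.
SAMPLE = """\
br0       Link encap:Ethernet
          inet addr:192.168.8.254  Bcast:192.168.8.255  Mask:255.255.255.0
eth0      Link encap:Ethernet
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet
          inet addr:192.168.8.254  Bcast:192.168.8.255  Mask:255.255.255.252
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

# \s* after the colons tolerates console captures with altered spacing.
IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
INET_RE = re.compile(r"inet addr:\s*(\S+).*?Mask:\s*(\S+)")

def parse_ifconfig(text):
    """Return {interface: IPv4Interface} for interfaces that carry an address."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_RE.search(line)
        if m and current:
            result[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return result

def duplicate_addresses(ifaces):
    """IPs assigned to more than one interface (br0 and eth1 in the post)."""
    seen = {}
    for name, iface in ifaces.items():
        seen.setdefault(str(iface.ip), []).append(name)
    return {ip: names for ip, names in seen.items() if len(names) > 1}

def peer_candidates(iface):
    """Usable host addresses in the interface's subnet, minus its own address."""
    return [str(h) for h in iface.network.hosts() if h != iface.ip]

if __name__ == "__main__":
    ifaces = parse_ifconfig(SAMPLE)
    print("duplicate IPs:", duplicate_addresses(ifaces))
    for name, iface in ifaces.items():
        if not iface.ip.is_loopback:  # skip lo: a /8 has millions of hosts
            peers = peer_candidates(iface)
            print(name, iface.network, len(peers), "free host(s), first:", peers[0])
```
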

The next attempt, logging in via telnet, was a success, and I immediately went to the browser to open the web interface. It started!!! My joy knew no bounds. Now I had to try to restart it through the interface; these routers agree to load firmware via TFTP only with the IP 192.168.8.56, so at this stage it was too early to think about the firmware.

What is strange are the WAN interface settings it showed:

image

After a reset via the web interface, the router was no longer visible via the WAN, and the LAN interfaces did not come up either. But WLAN did come up.

I decided to go at it head-on:
# ifconfig br0 down
# ifconfig br0 up

After I connected the cable to the LAN port, the LED blinked merrily.

The router was successfully flashed and connected to the Internet via a 3G modem. MegaFon SIP was set up on it; dreams come true.
Next, a lifelong rest in the clean air outside the city awaits it, where it will guard the property with a webcam.

Thanks for your attention! Constructive criticism is welcome.

Source: https://habr.com/ru/post/247995/

