Disassemble and Mod the D-Link DSL-5300 COBRA AC5300 Wave 2 MU-MIMO Wi-Fi Modem Router
1008 Views, 0 Favorites, 0 Comments
Disassemble and Mod the D-Link DSL-5300 COBRA AC5300 Wave 2 MU-MIMO Wi-Fi Modem Router
You need a phillips screwdriver and something to pry apart the plastic case (and a DSL-5300 to pull apart of course. Yes these are expensive, but they're very fast and high quality, and it's not too hard to open them up).
Unlike Netcomm - these D-Link routers have extremely tight security, and almost no customizable features. It features an open telnet port which requires a username and password, which nobody online seems to know, and which resisted all my guessing attempts.
This exercise it an attempt to get console access, so I can manually adjust my routing table to support my public IP addresses.
Supplies
- Phillips Screwdriver
- Pry Tool
- DSL-5300 :-)
Remove Screws From Under the 4 Feet
Pry off the 4 sticky feet and remove the 4 screws below them
Unclip the 5 Spots Keeping the Plastic Case Together
There's 3 clips along the back, and one on each side.
Pry something flat into the case and wiggle it to get them to release.
The clips are on the base, and hook into notches on the top. They hook from the inside out (the latch points outwards) so if you push the handle of he pry tool downwards, to flex the plastic outwards, the latches let go easily.
Observe the photos to work it out.
Connect USB TTL Serial Cable to the Console Header ?
There are two unpopulated 4-pin headers soldered on the board: CN1 and J1
There's also an unpopulated 16-pin solder pad CN14 and an unpopulated place for a 4-pin button PBZ7 CN4 located where it could become an externally-usable user-pressable feature.
There's a sticker on my board labelled: 1768670RK 1
Stay tuned for future updates - I'm about to experiment with CN1 and J1 to see what they do...
Update1: OK - so both connectors appear to be serial headers:
J1: has a pin labelled "1" - not sure what that is (+3.3v probably). pin 2 appears to be GND, pin 3 shows data with my oscilloscope so it is probably the TX pint - it was a lot of data at 500us resolution, so it looks like 115200 BAUD or higher. not sure what pin4 is - probably RX
CN1: identical to J1 (the pin towards the back edge is pin 1 - the top in my photo) - TX seems to be pin3, GND pin2
Update2: CN1 and J1 pins above are correct (pin2=GND, pin3=TX, pin4=RX), and 115200 is correct. You need a 5v Serial TTL adapter on this; 3.3v is enough to read the data, but not enough for the modem to read your typing.
CN1 is the VDSL modem console, but appears to be locked into a script which does nothing after booting (echos "cmd>" and your typing, but does nothing). ^C ends it, but it respawns again. Boot can be interrupted which drops you into pre-boot maintenance stuff (flashing menus etc)
J1 is a Switch console - a second MCU on the same device. It reports having 8 ports available, even though there's not that many sockets on the back.
Adjust Firmware Settings
The "config.bin" file you get when you save settings is base64 encoded, commencing with a 32bit binary unsigned integer indicating the size of the decoded text - this (on mac) puts it back into text:
dd if=config.bin bs=1 skip=4 | base64 -D > config.txt
Or you can edit the config.bin and remove the 1st 4 bytes, then use something like this:
openssl base64 -d -in config_edited.bin > config.txt
The file looks something like this - they checksum and digest and encrypt almost everything :-(
NumVariables=1735<br>Checksum=kleRgJUDZzEWgiw7HYH1Ovs7dz8pl1GKzCAJvg== boardtype= boardrev= boardflags=0x00000010 os_name=linux os_version=7.14.164.17 :Anti_Spoofing_enable=eZGjPSVm2siCjbcqBviipnsx1W9VPmQf5udU9gN13FM= :BandSteering=aiubQfCofkMp2NBIEMLjWxE3Zq3REFDC DDNS= DDNSAccount= :DDNSEnabled=PB3u5RafuM7hoSzWgCu0faw/Y7bQ9mgZ DDNSPassword= DDNSProvider= DDNSTimeout= DLNA_DeviceName= :DLNA_Enable=D9ut1B0/EhXs5Y27GAGqbsY9J9vnCIJd :FTP_Enabled=V6rzyWVNCmK1BDcSdvfm42IQFJSHZ3zY :FTP_Idletime=txWMkHwtdtCJzIfR/sYmNblFJWzHoOBO :FTP_MaxUsers=aNLwmYMf6P2dhhngRpRMf1hdYhxBWagH :FTP_Port=jkGrdaT/7K++H6sSBiuZUz4J1JfXyiPn (etc)