I recently did several OpenWrt installs on Check Point L-50 devices and thought I'd write up how to do it. Before I start, I must acknowledge those who already did something similar, particularly @magicmouses, whose contributions were crucial to my understanding of the task at hand.
This HOWTO is aimed at relatively new users, including those for whom this will be their first firmware reflash ever. Also, if after reading this, some of those users conclude that this is too much work, they can send me a private message; I may have an already reflashed L-50 looking for a new home.
This said, let's get down to business. The L-50 is fairly versatile (eight LAN ports, a WAN port, and a DMZ port that can be pressed into service as either the ninth LAN port or the second WAN port) and comes in four flavors. L-50 is a wired router, L-50W is a wired-and-wireless router, L-50D is a wired router with a built-in ADSL modem. and L-50WD is all three in one. The initial OpenWrt installation for all four is essentially identical.
First of all, if you’re new to this, remember: this has been done before (in more ways than one). With this in mind, in my version of how to do this, you will need, in addition to an operational L-50, (1) a computer running Linux. (2) a console cable (I used the kind that connects the RJ-45 console port on the L-50 to a USB port on my computer), (3) a USB stick with a FAT file system (1 GB of space will be plenty), and (4) a pair of CAT cables to connect the L-50 to an upstream device and a client device.
Your computer should have two important utilities,
kwboot. Most major Linux distributions have them in repositories. Use your favorite search engine to figure out how to get these utilities installed on your machine.
Next, visit the device information page for the L-50 on the OpenWrt site:
Download two files for the current version of OpenWrt, (1) an installation image (aka "u-boot image", aka
uImage), and (2) a sysupgrade image. For version 21.02.3, current as of this writing, the links are:
While you're downloading stuff, also download something called
Place all three files in the same directory on your computer. After that, copy the three files onto a USB stick. That’s it for preparations.
Turn on the L-50 and let it boot. While it is booting, connect the L-50 to your computer with a console cable. When the L-50 looks like it’s done booting, run the following command in terminal on your computer to open a console connection to the L-50:
sudo screen /dev/ttyUSB0 115200
Next, with the L-50 connected to your computer, press and hold for 15 seconds the
Factory Defaults (not
Reboot!!!) button on the back of the L-50 (it’s a recessed button, so you will need something like a ballpoint pen to press and hold it). The power indicator light will turn solid red, indicating that the unit is resetting. Release the button and start watching the console output on your computer. Eventually, you will see a message,
This is a first boot, then, another message,
Press any key to stop boot. At that point, press
Enter to gain access to the command line. You will be told you’ve entered the ”expert mode” and asked to create the “expert password”. Follow the prompts.
Some L-50 units, rather than enter the ”expert mode” and ask to create the “expert password”, would prompt for login name and password straightaway. In these cases, you can log in with login name admin and password admin (these are default credentials set by the manufacturer).
When the housekeeping is done and you have command line, type:
Then, connect the USB stick to the L-50, give it a few seconds to be detected (there will be a message on the console about a new device), and run the same command again. Look for an item in the second output that wasn’t in the first; this is where your USB stick has been mounted. Verify this by changing to that directory and listing its contents (there should be the files you put there). Note it for future reference. In my case, the mount point was
Next, make a backup copy of the existing firmware just in case. Remember, your mount point may or may not be
/mnt/usb2, so change the
of argument of the following command if necessary to reflect that.
dd if=/dev/mtd2 of=/mnt/usb2/bootldr-env.bin
Next, collect the MAC addresses of all devices that have them:
Save the device names and MAC addresses that match them (you can do it by screengrab, or by logging your
screen session, or by redirecting the output of
ifconfig into a text file on the USB stick). Most likely, you will end up with a pool of MAC addresses that begins with the MAC address printed on the bottom of the L-50 and continues incrementally from there.
This concludes the information gathering stage. Close the console connection (press
y) and turn off the L-50. Remove the USB stick from the L-50.
Your computer is still connected to the L-50, and the L-50 is off. Change to the directory where you placed the files downloaded in Part One and run the following command in terminal:
sudo kwboot -B 115200 /dev/ttyUSB0 -b u-boot.kwb -p -t
u-boot.kwb is passed as an input to the
kwboot utility, so it’s important to be in the directory where the file
u-boot.kwb resides, otherwise,
kwboot won’t find
u-boot.kwb and will exit with an error message.
kwboot running, turn on the L-50 and watch the output. Eventually, there will be a message saying,
Sending boot image..., then, percentages of completion will start counting. After it counts all the way to 100%, pay attention: there will be a message saying,
Hit any key to stop autoboot. When you see it, press
Enter. There will be a few more lines of output, and then, a command prompt that looks like this:
Time to start typing… First, find the list of MAC addresses you collected in Part Two. Use it to create a block of
setenv commands similar to one given a few paragraphs below in your favorite text editor. Be sure to change only MAC addresses. In other words, each line should consist of the command (
setenv), environment variable name (something-something-
addr) and the MAC address.
If the MAC address you have for
eth0 doesn’t match the MAC address printed on the label affixed to the bottom of the L-50, use the one on the label.
In the worst-case scenario, if you completely messed up Part Two and have nothing to work with at this stage, start with the MAC address printed on the bottom of the L-50 and increment the MAC address for each new device. For example, if the MAC address on the bottom of the L-50 is
01:23:45:67:89:ab, you can do:
setenv eth0addr 01:23:45:67:89:ab setenv eth1addr 01:23:45:67:89:ac setenv lan1_mac_addr 01:23:45:67:89:ad setenv lan2_mac_addr 01:23:45:67:89:ae setenv lan3_mac_addr 01:23:45:67:89:af setenv lan4_mac_addr 01:23:45:67:89:b0 setenv lan5_mac_addr 01:23:45:67:89:b1 setenv lan6_mac_addr 01:23:45:67:89:b2 setenv lan7_mac_addr 01:23:45:67:89:b3 setenv lan8_mac_addr 01:23:45:67:89:b4 setenv dmz_mac_addr 01:23:45:67:89:b5 setenv dsl_mac_addr 01:23:45:67:89:b6
Just keep counting your hexadecimals… If you’re copying and pasting between a text editor and the terminal, be sure to copy and paste one line at a time; console connections sometimes do funny things if you try to paste several commands at once.
Next, start copying stuff onto the L-50. Connect the USB stick to the L-50 and run the commands below. Be sure the name of the
uImage file in the second-to-last command matches what you have on your USB stick. Also, it is still a good idea to execute commands one at a time if you’re copying and pasting, rather than typing directly into the terminal.
mw 0x0800000 0xffff 0x100000 nand erase 0x0 100000 usb start fatload usb 0 0x0800000 u-boot.kwb nand write 0x0800000 0x0 0x100000 saveenv fatload usb 0 0x0800000 openwrt-21.02.3-kirkwood-checkpoint_l-50-initramfs-uImage bootm 0x800000
After you run the last command, OpenWrt will start. However, at this stage it resides only in RAM, not in the permanent storage. To settle it permanently, you need to perform a system upgrade. There are at least two ways of doing it, (1) over the Internet, and (2) over the LAN. It all depends on what works on your L-50 right now.
If you can get an Internet connection via the WAN port, you can do:
The URL is the one you already used in Part One to download the upgrade image.
If you can get a connection to the L-50 on the LAN port from your computer, open a new terminal, change to the directory where you put the sysupgrade image and do:
scp openwrt-kirkwood-checkpoint_l-50-squashfs-sysupgrade.bin firstname.lastname@example.org:/tmp
Right now, there is no root password on the L-50, so if you’re asked for a password, just hit
Enter. Once the file is transferred, return to the first terminal window and do:
Either way, once the system upgrade is completed, the L-50 will run OpenWrt. By default, the port marked WAN on the device will be the WAN port (nifty, huh? ) working as a DHCP client of the upstream device, while the DMZ port, eight LAN ports and the wireless connection, if present, will all be bridged into a single LAN (the L-50 will be the DHCP server and the default gateway for that LAN and will be located at 192.168.1.1). The wireless connection, however, will be disabled; you will need to enable and configure it via command-line interface or through LuCI as described in the OpenWrt documentation.
Now you can end your
kwboot session (press
c), disconnect the console cable, and connect to the L-50 by Ethernet to do some actual network administration on it.