[HOWTO] Installing OpenWrt on Check Point L-50

Hello community!

I recently did several OpenWrt installs on Check Point L-50 devices and thought I'd write up how to do it. Before I start, I must acknowledge those who already did something similar, particularly @magicmouses, whose contributions were crucial to my understanding of the task at hand.

This HOWTO is aimed at relatively new users, including those for whom this will be their first firmware reflash ever. Also, if after reading this, some of those users conclude that this is too much work, they can send me a private message; I may have an already reflashed L-50 looking for a new home. :slight_smile:

This said, let's get down to business. The L-50 is fairly versatile (eight LAN ports, a WAN port, and a DMZ port that can be pressed into service as either the ninth LAN port or the second WAN port) and comes in four flavors. L-50 is a wired router, L-50W is a wired-and-wireless router, L-50D is a wired router with a built-in ADSL modem, and L-50WD is all three in one. The initial OpenWrt installation for all four is essentially identical.

Part One — Getting Ready

First of all, if you’re new to this, remember: this has been done before (in more ways than one). With this in mind, in my version of how to do this, you will need, in addition to an operational L-50, (1) a computer running Linux, (2) a console cable (I used the kind that connects the RJ-45 console port on the L-50 to a USB port on my computer), (3) a USB stick with a FAT file system (1 GB of space will be plenty), and (4) a pair of CAT cables to connect the L-50 to an upstream device and a client device.

Your computer should have two important utilities, screen and kwboot. Most major Linux distributions have them in repositories. Use your favorite search engine to figure out how to get these utilities installed on your machine.

Next, visit the device information page for the L-50 on the OpenWrt site:

https://openwrt.org/toh/check_point/l-50

Download two files for the current version of OpenWrt, (1) an installation image (aka "u-boot image", aka uImage), and (2) a sysupgrade image. For version 21.02.3, current as of this writing, the links are:

https://downloads.openwrt.org/releases/21.02.3/targets/kirkwood/generic/openwrt-21.02.3-kirkwood-checkpoint_l-50-initramfs-uImage
https://downloads.openwrt.org/releases/21.02.3/targets/kirkwood/generic/openwrt-21.02.3-kirkwood-checkpoint_l-50-squashfs-sysupgrade.bin

While you're downloading stuff, also download something called u-boot.kwb:

http://downloads.openwrt.org/snapshots/targets/kirkwood/generic/u-boot-l-50/u-boot.kwb

Place all three files in the same directory on your computer. After that, copy the three files onto a USB stick. That’s it for preparations.

Part Two — Reconnaissance

Turn on the L-50 and let it boot. While it is booting, connect the L-50 to your computer with a console cable. When the L-50 looks like it’s done booting, run the following command in terminal on your computer to open a console connection to the L-50:

sudo screen /dev/ttyUSB0 115200

Next, with the L-50 connected to your computer, press and hold for 15 seconds the Factory Defaults (not Reboot!!!) button on the back of the L-50 (it’s a recessed button, so you will need something like a ballpoint pen to press and hold it). The power indicator light will turn solid red, indicating that the unit is resetting. Release the button and start watching the console output on your computer. Eventually, you will see a message, This is a first boot, then, another message, Press any key to stop boot. At that point, press Enter to gain access to the command line. You will be told you’ve entered the “expert mode” and asked to create the “expert password”. Follow the prompts.

Note
Some L-50 units, rather than enter the “expert mode” and ask to create the “expert password”, would prompt for login name and password straightaway. In these cases, you can log in with login name admin and password admin (these are default credentials set by the manufacturer).

When the housekeeping is done and you have command line, type:

ls /mnt

Then, connect the USB stick to the L-50, give it a few seconds to be detected (there will be a message on the console about a new device), and run the same command again. Look for an item in the second output that wasn’t in the first; this is where your USB stick has been mounted. Verify this by changing to that directory and listing its contents (there should be the files you put there). Note it for future reference. In my case, the mount point was /mnt/usb2.

Next, make a backup copy of the existing firmware just in case. Remember, your mount point may or may not be /mnt/usb2, so change the of argument of the following command if necessary to reflect that.

dd if=/dev/mtd2 of=/mnt/usb2/bootldr-env.bin

Next, collect the MAC addresses of all devices that have them:

ifconfig -a

Save the device names and MAC addresses that match them (you can do it by screengrab, or by logging your screen session, or by redirecting the output of ifconfig into a text file on the USB stick). Most likely, you will end up with a pool of MAC addresses that begins with the MAC address printed on the bottom of the L-50 and continues incrementally from there.

This concludes the information gathering stage. Close the console connection (press Ctrl-a, then k, then y) and turn off the L-50. Remove the USB stick from the L-50.

Part Three — The Decisive Victory

Your computer is still connected to the L-50, and the L-50 is off. Change to the directory where you placed the files downloaded in Part One and run the following command in terminal:

sudo kwboot -B 115200 /dev/ttyUSB0 -b u-boot.kwb -p -t

Note that u-boot.kwb is passed as an input to the kwboot utility, so it’s important to be in the directory where the file u-boot.kwb resides, otherwise, kwboot won’t find u-boot.kwb and will exit with an error message.

With kwboot running, turn on the L-50 and watch the output. Eventually, there will be a message saying, Sending boot image..., then, percentages of completion will start counting. After it counts all the way to 100%, pay attention: there will be a message saying, Hit any key to stop autoboot. When you see it, press Enter. There will be a few more lines of output, and then, a command prompt that looks like this:

=>

Time to start typing… First, find the list of MAC addresses you collected in Part Two. Use it to create a block of setenv commands similar to one given a few paragraphs below in your favorite text editor. Be sure to change only MAC addresses. In other words, each line should consist of the command (setenv), environment variable name (something-something-addr) and the MAC address.

If the MAC address you have for eth0 doesn’t match the MAC address printed on the label affixed to the bottom of the L-50, use the one on the label.

In the worst-case scenario, if you completely messed up Part Two and have nothing to work with at this stage, start with the MAC address printed on the bottom of the L-50 and increment the MAC address for each new device. For example, if the MAC address on the bottom of the L-50 is 01:23:45:67:89:ab, you can do:

setenv eth0addr 01:23:45:67:89:ab
setenv eth1addr 01:23:45:67:89:ac
setenv lan1_mac_addr 01:23:45:67:89:ad
setenv lan2_mac_addr 01:23:45:67:89:ae
setenv lan3_mac_addr 01:23:45:67:89:af
setenv lan4_mac_addr 01:23:45:67:89:b0
setenv lan5_mac_addr 01:23:45:67:89:b1
setenv lan6_mac_addr 01:23:45:67:89:b2
setenv lan7_mac_addr 01:23:45:67:89:b3
setenv lan8_mac_addr 01:23:45:67:89:b4
setenv dmz_mac_addr 01:23:45:67:89:b5
setenv dsl_mac_addr 01:23:45:67:89:b6

Just keep counting your hexadecimals… If you’re copying and pasting between a text editor and the terminal, be sure to copy and paste one line at a time; console connections sometimes do funny things if you try to paste several commands at once.

Next, start copying stuff onto the L-50. Connect the USB stick to the L-50 and run the commands below. Be sure the name of the uImage file in the second-to-last command matches what you have on your USB stick. Also, it is still a good idea to execute commands one at a time if you’re copying and pasting, rather than typing directly into the terminal.

mw 0x0800000 0xffff 0x100000
nand erase 0x0 100000
usb start
fatload usb 0 0x0800000 u-boot.kwb
nand write 0x0800000 0x0 0x100000
saveenv
fatload usb 0 0x0800000 openwrt-21.02.3-kirkwood-checkpoint_l-50-initramfs-uImage
bootm 0x800000

After you run the last command, OpenWrt will start. However, at this stage it resides only in RAM, not in the permanent storage. To settle it permanently, you need to perform a system upgrade. There are at least two ways of doing it, (1) over the Internet, and (2) over the LAN. It all depends on what works on your L-50 right now.

If you can get an Internet connection via the WAN port, you can do:

sysupgrade https://downloads.openwrt.org/releases/21.02.3/targets/kirkwood/generic/openwrt-21.02.3-kirkwood-checkpoint_l-50-squashfs-sysupgrade.bin

The URL is the one you already used in Part One to download the upgrade image.

If you can get a connection to the L-50 on the LAN port from your computer, open a new terminal, change to the directory where you put the sysupgrade image and do:

scp openwrt-21.02.3-kirkwood-checkpoint_l-50-squashfs-sysupgrade.bin root@192.168.1.1:/tmp

Right now, there is no root password on the L-50, so if you’re asked for a password, just hit Enter. Once the file is transferred, return to the first terminal window and do:

sysupgrade /tmp/openwrt-21.02.3-kirkwood-checkpoint_l-50-squashfs-sysupgrade.bin

Either way, once the system upgrade is completed, the L-50 will run OpenWrt. By default, the port marked WAN on the device will be the WAN port (nifty, huh? :slight_smile: ) working as a DHCP client of the upstream device, while the DMZ port, eight LAN ports and the wireless connection, if present, will all be bridged into a single LAN (the L-50 will be the DHCP server and the default gateway for that LAN and will be located at 192.168.1.1). The wireless connection, however, will be disabled; you will need to enable and configure it via command-line interface or through LuCI as described in the OpenWrt documentation.

Now you can end your kwboot session (press Ctrl-\, then c), disconnect the console cable, and connect to the L-50 by Ethernet to do some actual network administration on it.


This is an excellent write up for installing on the L-50 device. Please consider updating the L-50 toh page with this information or adding a link to this write-up to the page.


Thank you for the kind words!

As for putting this into the TOH, I don't think it fits with the TOH approach to documentation. TOH seems to be documenting (tersely) the "whatto" (tasks to be done) for advanced users, rather than "howto" (ways to get those tasks done) for new users, and there may be different "hows" for any given "what"; I am only showing one option out of many. Also, TOH has a section on TFTP, which I didn't even mention.

So, from where I sit, my work is exactly where it needs to be. It's findable on the forum already, and eventually, it will be findable via search engines. That should be adequate for the rest of the L-50's earthly existence. Incidentally, if memory serves, the L-50 passed end of life in June 2022. :slight_smile:

L-50 passed end of life in June 2022

Which makes them ideal for re-purposing to OpenWrt!


As a happy owner of a repurposed L-50W, I agree wholeheartedly! :slight_smile: For my use case, the L-50W with OpenWrt is damn near perfect. Desktop form factor, 10 Gigabit Ethernet ports, built-in wireless (yes, it's N, but for my needs, it's adequate), low power consumption (I have not measured it, but the thing requires a 30-watt AC adapter) -- what's not to like in a home/small business setting? And it's still commercial-grade hardware. Correct me if I'm wrong, but the consensus on Kirkwood seems to be rather favorable; people tend to like this architecture overall.

I expect there will be quite a few opportunities to snag a used L-50 in the coming months as they are purged from corporate networks; this is one of the reasons I put up this HOWTO. I'd like people to take advantage of this...

So, following your instructions, I get OpenWrt booted, but it didn't seem to save the eth0 or eth1 MAC addresses. I have an L-50W; not sure if there is something different that needs to be configured.

From the instructions above, OpenWrt is expecting MAC addresses to have been copied to the boot environment manually. If you didn't do that as part of the installation, you could cheat by putting MAC overrides on each interface based on the factory MAC on the sticker.

Guess I'll add data here. It did configure the lan1-8 MAC addresses, but it didn't take for eth0 and eth1, which means I can't finish my install because WAN is on eth0.

The question is, if I set the MAC with ip link set dev eth0 address

will it stay after the install?
(Edit: no, it doesn't.)
Also, apparently I can't reply more than 3 times, so I'm just doing it here.

When the box boots, I get this:
Error: ethernet-controller@72000 address not set.

Error: ethernet-controller@76000 address not set.
No ethernet found.

The MAC address should be printed on the device somewhere. Find it and then write it to the u-boot environment by using the command:

fw_setenv ethaddr 00:1C:7F:XX:XX:6B
fw_setenv eth1addr 00:1C:7F:XX:XX:6C
fw_setenv lan1_mac_addr 00:1C:7F:XX:XX:6C
fw_setenv lan2_mac_addr 00:1C:7F:XX:XX:6D
fw_setenv lan3_mac_addr 00:1C:7F:XX:XX:6E
fw_setenv lan4_mac_addr 00:1C:7F:XX:XX:6F
fw_setenv lan5_mac_addr 00:1C:7F:XX:XX:70
fw_setenv lan6_mac_addr 00:1C:7F:XX:XX:71
fw_setenv lan7_mac_addr 00:1C:7F:XX:XX:72
fw_setenv lan8_mac_addr 00:1C:7F:XX:XX:73
fw_setenv dmz_mac_addr 00:1C:7F:XX:XX:74
fw_setenv dsl_mac_addr 00:1C:7F:XX:XX:75

Replace the ethaddr with the correct MAC address for your device and then increment for each additional address (except for lan1_mac, which should have the same address as eth1addr).
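Both MAC numbering schemes that appear in this thread (the HOWTO's setenv block, where every variable gets the next address, and the fw_setenv list above, where lan1_mac_addr shares eth1addr's address) can be generated from the label MAC instead of counted by hand. This is an added example, not part of the original posts; the function names mac_add and l50_mac_cmds are made up for it, and only the variable names come from the thread:

```shell
#!/bin/sh
# Added example: build the MAC-address command block for an L-50 from the label MAC.
# Variable names are the ones used in this thread; function names are hypothetical.

# mac_add BASE OFFSET -> BASE + OFFSET as a lowercase, colon-separated MAC.
# The address is handled as one 48-bit number, so a carry out of the last
# octet (xx:ff + 1) moves into the next octet instead of wrapping.
mac_add() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || {
        echo "invalid MAC: $1" >&2; return 1; }
    hex=$(printf '%s' "$1" | tr -d ':')
    sum=$(( 0x$hex + $2 ))
    [ $(( sum > 0xffffffffffff )) -eq 0 ] || { echo "MAC overflow" >&2; return 1; }
    printf '%012x\n' "$sum" | sed 's/../&:/g; s/:$//'
}

# l50_mac_cmds BASE SCHEME
#   howto  : for the U-Boot prompt; setenv, eth0addr first, strictly sequential
#   fw_env : for a running OpenWrt; fw_setenv, ethaddr first, lan1 = eth1addr
l50_mac_cmds() {
    case $2 in
        howto)  cmd=setenv;    first=eth0addr; share=0 ;;
        fw_env) cmd=fw_setenv; first=ethaddr;  share=1 ;;
        *) echo "usage: l50_mac_cmds MAC howto|fw_env" >&2; return 2 ;;
    esac
    n=0
    for name in "$first" eth1addr lan1_mac_addr lan2_mac_addr lan3_mac_addr \
                lan4_mac_addr lan5_mac_addr lan6_mac_addr lan7_mac_addr \
                lan8_mac_addr dmz_mac_addr dsl_mac_addr; do
        # fw_env scheme: lan1_mac_addr reuses eth1addr's address (offset 1).
        if [ "$share" = 1 ] && [ "$name" = lan1_mac_addr ]; then n=1; fi
        mac=$(mac_add "$1" "$n") || return 1
        echo "$cmd $name $mac"
        n=$((n + 1))
    done
}

# Demo: defaults to the example MAC from the HOWTO; pass your label MAC instead.
l50_mac_cmds "${1:-01:23:45:67:89:ab}" "${2:-howto}"
```

Review the printed lines against the label before entering them; over a console connection they still go in one line at a time.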

Let me start at the end. No, nothing is different about L-50W. The wireless card is a separate device, which doesn't require setup in the u-boot phase. OpenWrt recognizes and configures it at a later stage, during sysupgrade. The wired Ethernet, meanwhile, is integrated into the Kirkwood SoC (system-on-a-chip), so it needs some manual configuration in the u-boot stage.

Now, back to the matter at hand. I second the suggestion by @RaylynnKnight to use fw_setenv. The MAC address for eth0 is usually printed on a label on the bottom of the L-50(W). If you don't have the label, you can go on eBay, find a photo of an L-50(W) for sale, and copy the MAC address from there; it should still work.

Note that the first command suggested by @RaylynnKnight is

fw_setenv ethaddr 00:1C:7F:XX:XX:6B

In case this doesn't work, you can try a variation (slightly different variable name, same MAC address):

fw_setenv eth0addr 00:1C:7F:XX:XX:6B

In fact, you can safely execute both commands; they do not contradict each other in any way, and one of them ought to be what OpenWrt is looking for...

Looks like I just needed to run through the tutorial again. Did the kwboot and pushed the u-boot again and saved env, and now it doesn't error on boot and also has MAC addresses. Thanks, all.

That sometimes works, too, even though it closely matches the definition of insanity occasionally attributed to Albert Einstein (insanity is repeating the same actions over and over again expecting a different outcome)... :smile:

Thanks for the Quick Support from all! :slight_smile:

Just wanted to say thanks for a great tutorial! I was able to follow your instructions and update an L-50W to run OpenWRT! The only part I overlooked initially was to set the same MAC address for eth1addr and lan1_mac_addr, since I struggled with getting a screen grab during Part Two. Another thing that was different for me was getting into Expert Mode: in my case, after seeing "This is a first boot", I never saw "Press any key to stop boot.", but once I pressed a key, I was at a limited command line; typing expert there got me the prompt to enter the expert password and I could carry on. Hope this helps anyone else struggling at this step. Happy networking!

What kind of performance can you expect from this device? Gigabit throughput?

@NC1

While following this tutorial I ran into similar issues as @aj2010owen. Turns out I had my USB stick formatted as FAT32. This seemed to work just fine until it came time to use the Ethernet ports. I got the same errors as AJ did. The fix for me was to format my USB stick as FAT16. I did this by creating a partition smaller than 2 GB and then formatting it as FAT; after formatting, the drive reported as FAT16. After doing this, everything went off without a hitch.

Hope this can help someone in the future.
Thanks to Nick for the tutorial.

Hello everyone,

I'm a bit new to this and didn't get far. I installed screen and kwboot on my Linux Mint and put the files from Check Point on the USB stick. But sadly, when I try to run the command

sudo screen /dev/ttyUSB0 115200

I get an error named "cannot exec no such file or directory". I tested whether the Ethernet adapter is working, and it is. I have tried some stuff, but I can't figure it out. Any suggestions or tips?

Kind Regards,

Dandough

I do realize that after a few months you probably do not need an answer anymore, but maybe someone will have the same problem in the future.
The console cable for this device (and many others, in fact) has an RJ-45 connector on one end. But it is not Ethernet. This is serial, so you need a special console cable. For years, the most popular were simple RS-232 (DE-9) to RJ-45 cables. Nowadays a lot of computers are not equipped with serial ports, so USB to RJ-45 cables with a built-in USB-to-serial adapter have become standard.
That's why /dev/ttyUSB0. With the older cable type it should be something like /dev/ttyS0.
If you want to buy such a cable, just google for Cisco console cable. Both versions, USB and RS-232, are available for a few bucks.

Btw, thanks @NC1 for great tutorial. My device is another saved from landfill. :slight_smile:

Anyone tried using this on Windows Subsystem for Linux using Ubuntu? I am able to get as far as backing up the firmware. But when I try to run this command

 kwboot -b 115200 /dev/ttyS1 -b ./u-boot.kwb -p -t

I get this error

/dev/ttyS1: Inappropriate ioctl for device

I am using a serial to RJ45 console cable that came with the Checkpoint unit from my desktop running WSL Ubuntu.

When giving the command

setserial -g /dev/ttyS1

I get

Cannot get serial info: Inappropriate ioctl for device

But

stty -F /dev/ttyS1

gives me

speed 115200 baud; line = 0;
min = 100; time = 2;
-icrnl -imaxbel
-opost -onlcr
-isig -icanon -echo