[HOWTO] Installing OpenWrt on Check Point L-50

Hello community!

I recently did several OpenWrt installs on Check Point L-50 devices and thought I'd write up how to do it. Before I start, I must acknowledge those who already did something similar, particularly @magicmouses, whose contributions were crucial to my understanding of the task at hand.

This HOWTO is aimed at relatively new users, including those for whom this will be their first firmware reflash ever. Also, if after reading this, some of those users conclude that this is too much work, they can send me a private message; I may have an already reflashed L-50 looking for a new home. :slight_smile:

This said, let's get down to business. The L-50 is fairly versatile (eight LAN ports, a WAN port, and a DMZ port that can be pressed into service as either the ninth LAN port or the second WAN port) and comes in four flavors. L-50 is a wired router, L-50W is a wired-and-wireless router, L-50D is a wired router with a built-in ADSL modem. and L-50WD is all three in one. The initial OpenWrt installation for all four is essentially identical.

Part One — Getting Ready

First of all, if you’re new to this, remember: this has been done before (in more ways than one). With this in mind, in my version of how to do this, you will need, in addition to an operational L-50, (1) a computer running Linux. (2) a console cable (I used the kind that connects the RJ-45 console port on the L-50 to a USB port on my computer), (3) a USB stick with a FAT file system (1 GB of space will be plenty), and (4) a pair of CAT cables to connect the L-50 to an upstream device and a client device.

Your computer should have two important utilities, screen and kwboot. Most major Linux distributions have them in repositories. Use your favorite search engine to figure out how to get these utilities installed on your machine.

Next, visit the device information page for the L-50 on the OpenWrt site:

https://openwrt.org/toh/check_point/l-50

Download two files for the current version of OpenWrt, (1) an installation image (aka "u-boot image", aka uImage), and (2) a sysupgrade image. For version 21.02.3, current as of this writing, the links are:

https://downloads.openwrt.org/releases/21.02.3/targets/kirkwood/generic/openwrt-21.02.3-kirkwood-checkpoint_l-50-initramfs-uImage
https://downloads.openwrt.org/releases/21.02.3/targets/kirkwood/generic/openwrt-21.02.3-kirkwood-checkpoint_l-50-squashfs-sysupgrade.bin

While you're downloading stuff, also download something called u-boot.kwb:

http://downloads.openwrt.org/snapshots/targets/kirkwood/generic/u-boot-l-50/u-boot.kwb

Place all three files in the same directory on your computer. After that, copy the three files onto a USB stick. That’s it for preparations.

Part Two — Reconnaissance

Turn on the L-50 and let it boot. While it is booting, connect the L-50 to your computer with a console cable. When the L-50 looks like it’s done booting, run the following command in terminal on your computer to open a console connection to the L-50:

sudo screen /dev/ttyUSB0 115200

Next, with the L-50 connected to your computer, press and hold for 15 seconds the Factory Defaults (not Reboot!!!) button on the back of the L-50 (it’s a recessed button, so you will need something like a ballpoint pen to press and hold it). The power indicator light will turn solid red, indicating that the unit is resetting. Release the button and start watching the console output on your computer. Eventually, you will see a message, This is a first boot, then, another message, Press any key to stop boot. At that point, press Enter to gain access to the command line. You will be told you’ve entered the ”expert mode” and asked to create the “expert password”. Follow the prompts.

Note
Some L-50 units, rather than enter the ”expert mode” and ask to create the “expert password”, would prompt for login name and password straightaway. In these cases, you can log in with login name admin and password admin (these are default credentials set by the manufacturer).

When the housekeeping is done and you have command line, type:

ls /mnt

Then, connect the USB stick to the L-50, give it a few seconds to be detected (there will be a message on the console about a new device), and run the same command again. Look for an item in the second output that wasn’t in the first; this is where your USB stick has been mounted. Verify this by changing to that directory and listing its contents (there should be the files you put there). Note it for future reference. In my case, the mount point was /mnt/usb2.

Next, make a backup copy of the existing firmware just in case. Remember, your mount point may or may not be /mnt/usb2, so change the of argument of the following command if necessary to reflect that.

dd if=/dev/mtd2 of=/mnt/usb2/bootldr-env.bin

Next, collect the MAC addresses of all devices that have them:

ifconfig -a

Save the device names and MAC addresses that match them (you can do it by screengrab, or by logging your screen session, or by redirecting the output of ifconfig into a text file on the USB stick). Most likely, you will end up with a pool of MAC addresses that begins with the MAC address printed on the bottom of the L-50 and continues incrementally from there.

This concludes the information gathering stage. Close the console connection (press Ctrl-a, then k, then y) and turn off the L-50. Remove the USB stick from the L-50.

Part Three — The Decisive Victory

Your computer is still connected to the L-50, and the L-50 is off. Change to the directory where you placed the files downloaded in Part One and run the following command in terminal:

sudo kwboot -B 115200 /dev/ttyUSB0 -b u-boot.kwb -p -t

Note that u-boot.kwb is passed as an input to the kwboot utility, so it’s important to be in the directory where the file u-boot.kwb resides, otherwise, kwboot won’t find u-boot.kwb and will exit with an error message.

With kwboot running, turn on the L-50 and watch the output. Eventually, there will be a message saying, Sending boot image..., then, percentages of completion will start counting. After it counts all the way to 100%, pay attention: there will be a message saying, Hit any key to stop autoboot. When you see it, press Enter. There will be a few more lines of output, and then, a command prompt that looks like this:

=>

Time to start typing… First, find the list of MAC addresses you collected in Part Two. Use it to create a block of setenv commands similar to one given a few paragraphs below in your favorite text editor. Be sure to change only MAC addresses. In other words, each line should consist of the command (setenv), environment variable name (something-something-addr) and the MAC address.

If the MAC address you have for eth0 doesn’t match the MAC address printed on the label affixed to the bottom of the L-50, use the one on the label.

In the worst-case scenario, if you completely messed up Part Two and have nothing to work with at this stage, start with the MAC address printed on the bottom of the L-50 and increment the MAC address for each new device. For example, if the MAC address on the bottom of the L-50 is 01:23:45:67:89:ab, you can do:

setenv eth0addr 01:23:45:67:89:ab
setenv eth1addr 01:23:45:67:89:ac
setenv lan1_mac_addr 01:23:45:67:89:ad
setenv lan2_mac_addr 01:23:45:67:89:ae
setenv lan3_mac_addr 01:23:45:67:89:af
setenv lan4_mac_addr 01:23:45:67:89:b0
setenv lan5_mac_addr 01:23:45:67:89:b1
setenv lan6_mac_addr 01:23:45:67:89:b2
setenv lan7_mac_addr 01:23:45:67:89:b3
setenv lan8_mac_addr 01:23:45:67:89:b4
setenv dmz_mac_addr 01:23:45:67:89:b5
setenv dsl_mac_addr 01:23:45:67:89:b6

Just keep counting your hexadecimals… If you’re copying and pasting between a text editor and the terminal, be sure to copy and paste one line at a time; console connections sometimes do funny things if you try to paste several commands at once.

Next, start copying stuff onto the L-50. Connect the USB stick to the L-50 and run the commands below. Be sure the name of the uImage file in the second-to-last command matches what you have on your USB stick. Also, it is still a good idea to execute commands one at a time if you’re copying and pasting, rather than typing directly into the terminal.

mw 0x0800000 0xffff 0x100000
nand erase 0x0 100000
usb start
fatload usb 0 0x0800000 u-boot.kwb
nand write 0x0800000 0x0 0x100000
saveenv
fatload usb 0 0x0800000 openwrt-21.02.3-kirkwood-checkpoint_l-50-initramfs-uImage
bootm 0x800000

After you run the last command, OpenWrt will start. However, at this stage it resides only in RAM, not in the permanent storage. To settle it permanently, you need to perform a system upgrade. There are at least two ways of doing it, (1) over the Internet, and (2) over the LAN. It all depends on what works on your L-50 right now.

If you can get an Internet connection via the WAN port, you can do:

sysupgrade https://downloads.openwrt.org/releases/21.02.3/targets/kirkwood/generic/openwrt-21.02.3-kirkwood-checkpoint_l-50-squashfs-sysupgrade.bin

The URL is the one you already used in Part One to download the upgrade image.

If you can get a connection to the L-50 on the LAN port from your computer, open a new terminal, change to the directory where you put the sysupgrade image and do:

scp openwrt-kirkwood-checkpoint_l-50-squashfs-sysupgrade.bin root@192.168.1.1:/tmp

Right now, there is no root password on the L-50, so if you’re asked for a password, just hit Enter. Once the file is transferred, return to the first terminal window and do:

sysupgrade /tmp/openwrt-kirkwood-checkpoint_l-50-squashfs-sysupgrade.bin

Either way, once the system upgrade is completed, the L-50 will run OpenWrt. By default, the port marked WAN on the device will be the WAN port (nifty, huh? :slight_smile: ) working as a DHCP client of the upstream device, while the DMZ port, eight LAN ports and the wireless connection, if present, will all be bridged into a single LAN (the L-50 will be the DHCP server and the default gateway for that LAN and will be located at 192.168.1.1). The wireless connection, however, will be disabled; you will need to enable and configure it via command-line interface or through LuCI as described in the OpenWrt documentation.

Now you can end your kwboot session (press Crtl-\, then c), disconnect the console cable, and connect to the L-50 by Ethernet to do some actual network administration on it.

3 Likes

This is an excellent write up for installing on the L-50 device. Please consider updating the L-50 toh page with this information or adding a link to this write-up to the page.

Thank you for the kind words!

As for putting this into the TOH, I don't think it fits with the TOH approach to documentation. TOH seems to be documenting (tersely) the "whatto" (tasks to be done) for advanced users, rather than "howto" (ways to get those tasks done) for new users, and there may be different "hows" for any given "what"; I am only showing one option out of many. Also, TOH has a section on TFTP, which I didn't even mention.

So, from where I sit, my work is exactly where it needs to be. It's findable on the forum already, and eventually, it will be findable via search engines. That should be adequate for the rest of the L-50's earthly existence. Incidentally, if memory serves, the L-50 passed end of life in June 2022. :slight_smile:

L-50 passed end of life in June 2022

Which makes them ideal for re-purposing to OpenWrt!

1 Like

As a happy owner of a repurposed L-50W, I agree wholeheartedly! :slight_smile: For my use case, the L-50W with OpenWrt is damn near perfect. Desktop form factor, 10 Gigabit Ethernet ports, built-in wireless (yes, it's N, but for my needs, it's adequate), low power consumption (I have not measured it, but the thing requires a 30-watt AC adapter) -- what's not to like in a home/small business setting? And it's still commercial-grade hardware. Correct me if I'm wrong, but the consensus on Kirkland seems to be rather favorable; people tend to like this architecture overall.

I expect there will be quite a few opportunities to snag a used L-50 in the coming months as they are purged from corporate networks; this is one of the reasons I put up this HOWTO. I'd like people to take advantage of this...