Original firmware contains 2 parts:

• Linux kernel with initrd (root fs)
• SquashFS image (/lib and /usr)

First you need to find string “hsqs” in firmware. It’s start part of SquashFS image.
Use Far Manager under Windows. It’s easiest way.
Press F3 to view file, F4 to switch to HEX mode and F7 to search “hsqs” string.

You see 0×260000 address. It’s hex offset to SquashFS image. For humans it means: 2432K. It’s standart offset, so I think you don’t need to find it again.

So now we can split kernel+initrd and SquashFS image:

dd if=DNS-300_runtime_v1.00b013.bin of=bootpImage-1.00.b13 bs=1024 count=2432
dd if=DNS-300_runtime_v1.00b013.bin of=cramfs-1.00.b013.img bs=1024 skip=2432

Don’t confuse about “cramfs...img” name. It’s SquashFS image, not CramFS, but D-Link’s developers uses filename “cram.img” and I follow that strange tradition.

To have initrd image, you need to find initrd offset in bootpImage file.
Use Far Manager again and search string ramdisk, or ramdisk.bin

It’s easy to see start part of initrd: 0xFD160 (1036640). I don’t know good method to split files so precisely, so I’ve used stupid procedure:

split -b 1036640 bootpImage-1.00.b13
cat xab xac > initrd-1.00.b13.gz
gunzip initrd-1.00.b13.gz

Now you should have two files:

• cramfs-1.00.b013.img
• initrd-1.00.b13

D-Link uses SquashFS 2.0 in their firmware, so you need Linux kernel with squashfs 2.0 support. I have compiled RPM for CentOS 4.3 i686 with SquashFS 2.0, so if you need I can share it.
To get access, you should mount image:

mkdir app-fs
mount -o loop -t squashfs cramfs-1.00.b013.img app-fs

mkdir initrd-100
mount -o loop initrd-1.00.b13 initrd-100