Adding new device support - Phase (2): Backup of all flash content

saladin · June 26, 2023, 8:03pm

Hallo,

How can I do backup for all flash partitions contents to tftp from the bootloader (e.g.: U-Boot)?
and consequently; how can I do restore for such backup in case of new firmware failure?

I know that I can backup all partitions from Luci - > System - > Backup / Flash Firmware, but I would like to know how to do this from bootloader (U-Boot for example). also Luci page does not contain a tool to restore all partitions back to their previous contents.

Thanks!

andyboeh · June 26, 2023, 8:18pm

Depending on the vendor, you can or cannot do this. Some vendors lock down U-Boot and limit access o the flash chip. The same is true for the TFTP commands.

The easies way to dump the flash content (and restore it) is to run an initramfs build of OpenWrt via U-Boot. However, this only works if the boot loader allows to boot TFTP images.

That's on purpose. Writing to the flash IC is usually disabled except for the few partitions that require it. Also, it's dangerous to write to the flash IC while the file system is mounted.

Even from the console, you'll have to load the mtd-rw kernel module to enable write support. This is dangerous and I already killed a box by trying to restore a backup.

saladin · June 26, 2023, 9:13pm

Let’s assume U-Boot, most (if not all) of the routers I worked on - so far - use U-Boot, also U-Boot is more common AFAIK.

I fully agree with you, my goal here is to have the standard situation where we have access to router and U-Boot is accessible

Thanks for explanation, that is the first time I know this

saladin · June 27, 2023, 8:56am

Hi @andyboeh,

Do you think the following is correct?

Prepare the Environment:
- Set up a TFTP server to serve the OpenWrt initramfs image. for more information, consult this -> Page
- Ensure the target device is connected to the network and can communicate with the TFTP server.
- connect your computer to router serial interface. For more details about how to connect to serial, consult this -> Page
Build and Obtain the Initramfs Image:
- Build an initramfs image for your specific target device using the OpenWrt build system.
- Once built, obtain the initramfs image file, usually named openwrt-initramfs-*.bin.
Enter U-Boot Console:
- Power on or reset the target device.
- Interrupt the boot process to access the U-Boot console on the serial connection.
- This is typically achieved by pressing a specific key (e.g., Enter, Space, or Esc) during boot.
Set U-Boot Environment Variables:
- Set the necessary U-Boot environment variables to configure the TFTP boot process. Example variable values include:
  - ipaddr: IP address of the target device.
  - serverip: IP address of the TFTP server.
  - image_name: Name of the initramfs image file.
Load and Boot the Initramfs Image:
- Load the initramfs image from the TFTP server into memory: tftpboot ${loadaddr} ${image_name}
- Boot the loaded initramfs image: Boot the loaded initramfs image: bootm ${loadaddr}

Notes:
In many cases you do not need to specify the {loadaddr}, however in the case that you have to put {loadaddr} paramter then you have to exactly know and choose {loadaddr}, you need to review the output of bdinfo on u-boot, here is an example:

ar7240> bdinfo
boot_params = 0x83F77FB0
memstart    = 0x80000000
memsize     = 0x04000000
flashstart  = 0x9F000000
flashsize   = 0x01000000
flashoffset = 0x0002AABC
ethaddr     = 00:AA:BB:CC:DD:EE
ip_addr     = 192.168.1.20
baudrate    = 115200 bps
ar7240>

the {loadaddr} in this example is within the range between 0x80000000 and 0x84000000; this means address such as: 0x80060000 is a valid {loadaddr}

Access OpenWrt Initramfs:
- Once the device boots into OpenWrt initramfs, you will have access to the OpenWrt command-line interface.
How to Dump Flash Content:
- list all the flash blocks using command # cat /proc/mtd, foe example:

root@router:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00080000 00020000 "boot"
mtd1: 001a0000 00020000 "nvram"
mtd2: 00020000 00020000 "POT"
mtd3: 00060000 00020000 "POT"
mtd4: 00020000 00020000 "ML"
mtd5: 00020000 00020000 "ML"
mtd6: 00020000 00020000 "ML"
mtd7: 00020000 00020000 "ML"
mtd8: 00020000 00020000 "ML"
mtd9: 00020000 00020000 "ML"
mtd10: 00020000 00020000 "ML"
mtd11: 07c80000 00020000 "firmware"
mtd12: 0041ffe4 00020000 "linux"
mtd13: 07860000 00020000 "ubi"
root@router:~#

Use the appropriate commands in OpenWrt to dump the flash content to a file. For example, to dump the entire flash to a file named flash_dump.bin, you can use the dd command:

dd if=/dev/mtd0 of=/tmp/flash_dump_00.bin

repeat the commend for other flash partitions, change the source flash partition name (mtd1, mtd2, etc.) and destinations as (flash_dump_01.bin, flash_dump_02.bin, etc.).

N.B:
for NAND; you may change ‘mtd’ to ‘mtdblock’:

dd if=/dev/mtdblock0 of=/tmp/flash_dump_00.bin

How to Restore Flash Content:
- To restore the flash content from a previously dumped file, you can use the dd command in reverse:

dd if=/tmp/flash_dump_00.bin of=/dev/mtd0

N.B:
for NAND; you may change ‘mtd’ to ‘mtdblock’:

dd if=/tmp/flash_dump_00.bin of=/dev/mtdblock0

repeat the commend for other flash partitions (flash_dump_01.bin, flash_dump_02.bin, etc.), change the destination partitions name to (mtd1, mtd2, etc.)

Note: the specific commands and device-specific details may vary depending on your target device and the OpenWrt version you are using. Ensure that you refer to the appropriate documentation and resources for your specific device and version to obtain accurate command syntax and configuration details.

[UPDATE 23.12.2023]
Very important notes
steps (7 & 8) above really depend on your board hardware specifications, i.e. this may vary from board to board.
As a general role-of-thumb: It is better to first try to use a suitable programmer (and chip sockets) to backup and restore the whole firmware. There are many in the market such as (but not limited to):

XGECU T56 or T48 (supports many NAND flashes)
CH341A (suitable for NOR and SPI NAND flashes)
USBJTAG (suitable for NOR, SPI/ONFI NAND)

Using a programmer is needed in case you de-solder the flash or not.

In case you want to de-solder the flash,
You need to have the following:

MIcro de/soldering tools (You can find them on this comprehensive page for all tools, you do not need all the tools, but Microscope, Re-work station and Soldering machines are very essential)
Micro de/soldring skills (You can learn them from this page on YouTube)

Here is an example on YouTube for how to do de-soldering for NAND flash to extract and backup the firmware.

In case you do not want to de-solder the flash
You can use Fixture Probe connectors along with a programmer (e.g. XGECU, CH431A, etc); Make sure that you have also the suitable Clip connector; you can buy them from Ali Express on this page and this page

Choosing the right connector is outside the scope of this post, you can send me PM if you need further details or help.

andyboeh · June 30, 2023, 11:22am

Steps 7 and 8 won't work correctly on NAND-based devices, especially the restore function will brick you router (I learned this the hard way by destroying U-Boot on the NAND. This device is now a paperweight, until I find the time to desolder the TSSOP48 chip). You have to use /dev/mtdblock* instead of /dev/mtd* to correctly access the NAND (this is due to the OOB area which you don't want/need in your dump).

saladin · June 30, 2023, 5:46pm

Thanks! I adjusted the post above according to your feedback