Copy original firmware /dev/mtd for restore

How to copy the original firmware before making any changes, for a possible recovery, on a router currently not supported by OpenWrt

cat /proc/mtd
dev: size erasesize name
mtd0: 07f80000 00020000 "ALL"
mtd1: 00080000 00020000 "Bootloader"
mtd2: 00080000 00020000 "Config"
mtd3: 00040000 00020000 "Factory"
mtd4: 01ec0000 00020000 "Kernel"
mtd5: 01ec0000 00020000 "Kernel2"
mtd6: 00100000 00020000 "wwan"
mtd7: 01000000 00020000 "data"
mtd8: 00100000 00020000 "rom-d"
mtd9: 00080000 00020000 "reserve"

I currently ran the following commands

dd if=/dev/mtd0 of=/tmp/copy_dd_mtd0.bin
dd if=/dev/mtd1 of=/tmp/copy_dd_mtd1.bin
dd if=/dev/mtd2 of=/tmp/copy_dd_mtd2.bin
dd if=/dev/mtd3 of=/tmp/copy_dd_mtd3.bin
dd if=/dev/mtd4 of=/tmp/copy_dd_mtd4.bin
dd if=/dev/mtd5 of=/tmp/copy_dd_mtd5.bin
dd if=/dev/mtd6 of=/tmp/copy_dd_mtd6.bin
dd if=/dev/mtd7 of=/tmp/copy_dd_mtd7.bin
dd if=/dev/mtd8 of=/tmp/copy_dd_mtd8.bin
dd if=/dev/mtd9 of=/tmp/copy_dd_mtd9.bin

the files copied to my PC

Is there anything else I should do before making these
changes and/or anything else?

If those files are the correct size then no... Just note that most partitions are read-only, and to restore them you need to install mtd-rw, then load it (modprobe mtd-rw i_want_a_brick=1), and only then will writing work.

1 Like
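
The size check mentioned in the reply above, as an added example that is not part of the original posts: it compares each dump with the hexadecimal size column of a saved `cat /proc/mtd` and prints a SHA-256 for every full-size file. The function names, the saved-table file and the use of sha256sum are assumptions; the copy_dd_mtdN.bin naming follows the first post.

```shell
#!/bin/sh
# Added example (not from the thread): check dd dumps against a saved `cat /proc/mtd`.
# Assumes the thread's file naming, copy_dd_mtdN.bin, and that sha256sum is installed.

# verify_mtd_dumps TABLE DIR
#   TABLE  file holding the saved output of `cat /proc/mtd`
#   DIR    directory holding the copy_dd_mtdN.bin files
# Prints one line per partition; returns 0 only if every dump is present and full size.
verify_mtd_dumps() {
    table=$1; dir=$2; bad=0
    while read -r dev size erasesize name; do
        case $dev in
            mtd[0-9]*:) dev=${dev%:} ;;   # partition row, e.g. mtd4: 01ec0000 ...
            *) continue ;;                # header row or blank line
        esac
        want=$((0x$size))                 # size column is hexadecimal bytes
        file=$dir/copy_dd_$dev.bin
        if [ ! -f "$file" ]; then
            echo "$dev $name MISSING"
            bad=$((bad + 1))
            continue
        fi
        have=$(wc -c < "$file" | tr -d ' ')
        if [ "$have" -ne "$want" ]; then
            echo "$dev $name SIZE-MISMATCH have=$have want=$want"
            bad=$((bad + 1))
        else
            # Record the hash so later copies of the file can be checked against it.
            echo "$dev $name OK bytes=$want sha256=$(sha256sum "$file" | cut -d' ' -f1)"
        fi
    done < "$table"
    [ "$bad" -eq 0 ]
}

# Constructed sample: tiny two-partition table, second dump deliberately 1 KiB short.
demo_verify() {
    tmp=$(mktemp -d)
    printf '%s\n' 'dev: size erasesize name' \
        'mtd0: 00000400 00000100 "Bootloader"' \
        'mtd1: 00000800 00000100 "Config"' > "$tmp/mtd.txt"
    dd if=/dev/zero of="$tmp/copy_dd_mtd0.bin" bs=1024 count=1 2>/dev/null
    dd if=/dev/zero of="$tmp/copy_dd_mtd1.bin" bs=1024 count=1 2>/dev/null
    if verify_mtd_dumps "$tmp/mtd.txt" "$tmp"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# Real use: ./verify.sh saved_proc_mtd.txt /path/to/dumps
if [ $# -eq 2 ]; then verify_mtd_dumps "$1" "$2"; fi
```

Running the same hash command on the router, if its firmware ships one, and comparing the values shows whether the transfer to the PC altered a file.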

Meanwhile, thanks for the reply,
which unfortunately doesn't help me in the list of devices I find

ls -la /dev/mt*
crw-r--r--    1 root     root       90,   0 Jan  1  1970 /dev/mtd0
crw-r--r--    1 root     root       90,   1 Jan  1  1970 /dev/mtd0ro
crw-r--r--    1 root     root       90,   2 Jan  1  1970 /dev/mtd1
crw-r--r--    1 root     root       90,   3 Jan  1  1970 /dev/mtd1ro
crw-r--r--    1 root     root       90,   4 Jan  1  1970 /dev/mtd2
crw-r--r--    1 root     root       90,   5 Jan  1  1970 /dev/mtd2ro
crw-r--r--    1 root     root       90,   6 Jan  1  1970 /dev/mtd3
crw-r--r--    1 root     root       90,   7 Jan  1  1970 /dev/mtd3ro
crw-r--r--    1 root     root       90,   8 Jan  1  1970 /dev/mtd4
crw-r--r--    1 root     root       90,   9 Jan  1  1970 /dev/mtd4ro
crw-r--r--    1 root     root       90,  10 Jan  1  1970 /dev/mtd5
crw-r--r--    1 root     root       90,  11 Jan  1  1970 /dev/mtd5ro
crw-r--r--    1 root     root       90,  12 Jan  1  1970 /dev/mtd6
crw-r--r--    1 root     root       90,  13 Jan  1  1970 /dev/mtd6ro
crw-r--r--    1 root     root       90,  14 Jan  1  1970 /dev/mtd7
crw-r--r--    1 root     root       90,  15 Jan  1  1970 /dev/mtd7ro
crw-r--r--    1 root     root       90,  16 Jan  1  1970 /dev/mtd8
crw-r--r--    1 root     root       90,  17 Jan  1  1970 /dev/mtd8ro
crw-r--r--    1 root     root       90,  18 Jan  1  1970 /dev/mtd9
crw-r--r--    1 root     root       90,  19 Jan  1  1970 /dev/mtd9ro
brw-r--r--    1 root     root       31,   0 Jan  1  1970 /dev/mtdblock0
brw-r--r--    1 root     root       31,   1 Jan  1  1970 /dev/mtdblock1
brw-r--r--    1 root     root       31,   2 Jan  1  1970 /dev/mtdblock2
brw-r--r--    1 root     root       31,   3 Jan  1  1970 /dev/mtdblock3
brw-r--r--    1 root     root       31,   4 Jan  1  1970 /dev/mtdblock4
brw-r--r--    1 root     root       31,   5 Jan  1  1970 /dev/mtdblock5
brw-r--r--    1 root     root       31,   6 Jan  1  1970 /dev/mtdblock6
brw-r--r--    1 root     root       31,   7 Jan  1  1970 /dev/mtdblock7
brw-r--r--    1 root     root       31,   8 Jan  1  1970 /dev/mtdblock8
brw-r--r--    1 root     root       31,   9 Jan  1  1970 /dev/mtdblock9
crw-r--r--    1 root     root      250,   0 Jan  1  1970 /dev/mtr0

and among the loadable modules I find:

find /lib -iname "*mtd*"
/lib/udev/rules.d/75-probe_mtd.rules
/lib/udev/mtd_probe

so in your opinion I can't create copies of the flash partitions to restore in case of my changes and/or anything else?

You can, but to modify them (including restoring) you need to load mtd-rw, as otherwise the kernel will block you.

1 Like

I hope to clarify my idea

the router I have is Zyxel LTE5398-M904 which is currently not supported by OpenWrt (hope ported soon)

which has OpenWrt-based firmware

uname -a
Linux LTE5398-M904 3.10.14 #1 SMP Tue Jun 28 10:51:01 CST 2022 mips GNU/Linux

cat /etc/opkg.conf 
src/gz barrier_breaker http://downloads.openwrt.org/snapshots/trunk/ramips/packages
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay

I have ssh access to the root user

but unfortunately I was unable to download any kernel modules
so my hands are tied.

I would like to understand how to make backup copies of the original firmware, in the hypothesis of executing the following commands (taken from a router very similar to the one I have)

I find the following commands:

 nvram
Usage:
        nvram get <section> <name>
                 Get a value from the section by name. It operates in cache.
        nvram set <section> <name> <value>
                 Set a value into the section by name. It operates in cache.
        nvram del <section> <name>
                 Delete an entry in the section by name. It operates in cache.
        nvram commit 
                 Flush cache into flash.
        nvram layout 
                 Display nvram sections layout.
        nvram show [section]
                 Display all entries in nvram. Section name is optional.
        nvram loadfile <section> <filename>
                 Load nvram entries from a file, and flush it into the partition's section.
        nvram clear  <section>
                 DANGEROUS! Clear all nvram entries to the partition inside flash.

root@LTE5398-M904:~# mt
mtd_write  mtr
root@LTE5398-M904:~# mtd_write 
Usage: mtd [<options> ...] <command> [<arguments> ...] <device>

The device is in the format of mtdX (eg: mtd4) or its label.
mtd recognizes these commands:
        unlock                  unlock the device
        erase                   erase all data on device
        write <imagefile>|-     write <imagefile> (use - for stdin) to device
        writeflash <imagefile> <n> <offset> <device> write <imagefile> to  n bytes from offset of <device>
        readflash  <imagefile> <n> <offset> <device> read n bytes from offset of <device> to <imagefile>
        erasesector <offset> <device> erase one sector from offset of <device>
Following options are available:
        -q                      quiet mode (once: no [w] on writing,
                                           twice: no status messages)
        -r                      reboot after successful command
        -e <device>             erase <device> before executing the command
        -v                      output writing info. (1 more -v would output HTML format.)
        -o <num>                file offset 
        -l <num>                length in file
        -w                      read after write action to check
Example: To write linux.trx to mtd4 labeled as linux and reboot afterwards
         mtd -r write linux.trx linux


you can back up the MTDs in real OpenWrt, at least later versions
you may have done this, I can't tell
but presuming you have all the MTDs
if the factory format is the same as just a raw dump
then you may be able to craft the firmware to flash back
at least the uboot / kernel part
but with NAND there is error correction and bad block management
if this changes it may not be easily able to put it back in a raw state
so unless you are intimate with the device's workings
it's hard to say how or if it would work, it may need a device-specific second layer
to handle bad blocks and partition locations in flash

it's better to find the OEM firmware files and factory recovery modes to
return it back to operating conditions
at some point you may need to restore things like radio calibration data "ART"
but it's better to do this only if needed & a piece at a time

2 Likes

Thank you for your answer

I understand that I will have to wait for the developers' contribution

thanks to all the developers :+1:

now I understand that it is a long and tiring process in discovering all the specifications and variables that allow porting the device to OpenWrt

In any Linux-based system, you can read the contents of mtd partitions (and in your case, if you just concatenate the files you'll get the whole rom dump), so if you did everything correctly in the first post, you already have a backup.

Since you asked in the OpenWrt forum, I incorrectly assumed that you are already running normal OpenWrt on the device.

Modern OpenWrt (19.07 and newer) versions for most targets use DTS (Device Tree) files to specify what hardware is available on the device, and this also includes MTD flash and partitions. Either way (using DTS or not), some partitions are intentionally marked as read-only so users don't overwrite them by mistake. To write to these you need kmod-mtd-rw - source on GitHub, and OpenWrt provides it as a package.

You can always write to the flash chip using a dedicated external programmer hardware.

General note: having a router running some firmware "based on OpenWrt" doesn't help that much. It only means that the chip vendor used OpenWrt as a base (in your case version 14.07 - almost 10 years old at this point) and then added proprietary changes that we don't have access to unless someone sues them and requests GPL code or the vendor itself releases it. But if a similar device is supported and there are open or even upstream drivers, then it is not that much work to support it.

1 Like

Thank you for your answer
