Full backup of stock firmware for ER605 – solved

I wanted to post this as I was stuck on this and didn’t get an answer. I saw mention of some others also saying they didn’t get it working, so I thought I’d share what I did.

Apologies to some if I’m stating the obvious, but as I’m learning, this can be the “Idiot’s Guide”. I take no credit for this as others’ contributions (like those linked below) deserve any appreciation.

I have an ER605 v2 and I wanted to flash it with OpenWRT, but due to the circumstances I’ll be using it for, being able to restore to stock TP-Link firmware is essential. As recommended by chill1Penguin’s guide step 4, an MTD partition backup is recommended.

I tried to follow this and failed several attempts, so I will share what did work for me.

First off, you’ve got to get root access, which is step 3. I had some issues with this. Coming from a Windows box, I usually use Putty to SSH into things. I unboxed my brand new ER605, plugged it into my PC and accessed it on 192.168.0.1 (default). Using chill1Penguin’s steps 1, 2 & 3 I was able to get to root – hooray. (I was also lucky that my ER605 shipped with v2.0.0 so I didn’t have to downgrade or change anything).

I moved to step 4 and got very confused as I was trying to paste the full MTD backup script into my router in my Putty session. It is not meant to run on your router! You need to run it in a Linux OS and then connect to your router! (This should be obvious as it actually states this above the script, but I had not properly read/understood).

Luckily, I have a couple of Linux distros running on my PC using WSL. I opened the Ubuntu OS and tried to SSH into the router.

ssh root@192.168.0.1

Unable to negotiate with 192.168.0.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,kexguess2@matt.ucc.asn.au

This is mentioned in step 3 and the recommended fix is to use

-o KexAlgorithms=+diffie-hellman-group1-sha1

However, when I do this, it complains about the other thing

ssh root@192.168.0.1 -o KexAlgorithms=+diffie-hellman-group1-sha1

Unable to negotiate with 192.168.0.1 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

The recommendation was to use -o hostkeyalgorithms=ssh-rsa for this. Confused at this point, I wondered if a different Distro would change anything.

I switched to Oracle Linux 8 and tried to SSH into the router and this worked just fine. No errors about SSH algorithms and needing extra options at all.

Now I’m up to step 4. I paste the script into my console and run it, but it fails as per my post here. I spend some time trying to work out why, googling and also trying it on online bash script validators (which showed there was nothing wrong with the script). I decided to try the same script in Ubuntu (but on a different router where I didn’t have the same SSH algorithm problems). It ran just fine! So the problem was with the way that some Linux Distros (Oracle Linux 8 in this case) had slightly different syntax required for bash scripts.

Attacking the SSH login problem next, I worked out that I actually needed BOTH options to SSH into the ER605. To be specific, I used ssh -o hostkeyalgorithms=ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.0.1

(Seems obvious once I tried it)

Once I’d confirmed login via SSH and exited the session back into Ubuntu’s console, I edited the script to add in both SSH algorithm options. The edit looked like this:

cat << "EOF" > mtdbk.sh
#!/bin/bash

set -e

function die() {
    echo "${@}"
    exit 2
}

OUTPUT_FILE="mtd_backup.tgz"
OPENWRT="root@192.168.0.1"

TMPDIR=$(mktemp -d)
BACKUP_DIR="${TMPDIR}/mtd_backup"
mkdir -p "${BACKUP_DIR}"
SSH_CONTROL="${TMPDIR}/ssh_control"

function cleanup() {
    set +e

    echo "Closing master SSH connection"
    "${SSH_CMD[@]}" -O stop

    echo "Removing temporary backup files"
    rm -r "${TMPDIR}"
}
trap cleanup EXIT

# Open master ssh connection, to avoid the need to authenticate multiple times
echo "Opening master SSH connection"
ssh -o "ControlMaster=yes" -o "ControlPath=${SSH_CONTROL}" -o "ControlPersist=10" -o hostkeyalgorithms=ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 -n -N "${OPENWRT}"

# This is the command we'll use to reuse the master connection
SSH_CMD=(ssh -o "ControlMaster=no" -o "ControlPath=${SSH_CONTROL}" -n "${OPENWRT}")

# List remote mtd devices from /proc/mtd. The first line is just a table
# header, so skip it (using tail)
"${SSH_CMD[@]}" 'cat /proc/mtd' | tail -n+2 | while read; do
    MTD_DEV=$(echo ${REPLY} | cut -f1 -d:)
    MTD_NAME=$(echo ${REPLY} | cut -f2 -d\")
    echo "Backing up ${MTD_DEV} (${MTD_NAME})"
    # It's important that the remote command only prints the actual file
    # contents to stdout, otherwise our backup files will be corrupted. Other
    # info must be printed to stderr instead. Luckily, this is how the dd
    # command already behaves by default, so no additional flags are needed.
    "${SSH_CMD[@]}" "dd if='/dev/${MTD_DEV}ro'" > "${BACKUP_DIR}/${MTD_DEV}_${MTD_NAME}.backup" || die "dd failed, aborting..."
done

# Use gzip and tar to compress the backup files
echo "Compressing backup files to \"${OUTPUT_FILE}\""
(cd "${TMPDIR}" && tar czf - "$(basename "${BACKUP_DIR}")") > "${OUTPUT_FILE}" || die 'tar failed, aborting...'

# Clean up a little earlier, so the completion message is the last thing the user sees
cleanup
# Reset signal handler
trap EXIT

echo -e "\nMTD backup complete. Extract the files using:\ntar xzf \"${OUTPUT_FILE}\""
EOF

I pasted this into the console and pressed Enter to complete it.

Then I gave the newly created file execute permissions with chmod +x mtdbk.sh and then ran it with ./mtdbk.sh

It completed as expected. Here is a copy of the output

# ./mtdbk.sh
Opening master SSH connection
root@192.168.0.1's password:
Backing up mtd0 (Bootloader)
1024+0 records in
1024+0 records out
Backing up mtd1 (Config)
1024+0 records in
1024+0 records out
Backing up mtd2 (Factory)
512+0 records in
512+0 records out
Backing up mtd3 (firmware)
255488+0 records in
255488+0 records out
Backing up mtd4 (panic-oops)
4096+0 records in
4096+0 records out
Backing up mtd5 (partition-table)
496+0 records in
496+0 records out
Backing up mtd6 (support-list)
496+0 records in
496+0 records out
Backing up mtd7 (device-info)
1+1 records in
1+1 records out
Backing up mtd8 (device-info.b)
1+1 records in
1+1 records out
Backing up mtd9 (tddp)
496+0 records in
496+0 records out
Backing up mtd10 (tddp.b)
496+0 records in
496+0 records out
Backing up mtd11 (bootloader)
1024+0 records in
1024+0 records out
Backing up mtd12 (kernel)
3712+0 records in
3712+0 records out
Backing up mtd13 (rootfs)
22784+0 records in
22784+0 records out
Backing up mtd14 (firmware-info)
0+1 records in
0+1 records out
Backing up mtd15 (extra-para)
744+0 records in
744+0 records out
Backing up mtd16 (log)
4216+0 records in
4216+0 records out
Backing up mtd17 (rootfs_data)
20584+0 records in
20584+0 records out
Backing up mtd18 (bootloader.b)
1024+0 records in
1024+0 records out
Backing up mtd19 (kernel.b)
3712+0 records in
3712+0 records out
Backing up mtd20 (rootfs.b)
22784+0 records in
22784+0 records out
Backing up mtd21 (firmware-info.b)
0+1 records in
0+1 records out
Backing up mtd22 (extra-para.b)
744+0 records in
744+0 records out
Backing up mtd23 (log.b)
4216+0 records in
4216+0 records out
Backing up mtd24 (rootfs_data.b)
20584+0 records in
20584+0 records out
Compressing backup files to "mtd_backup.tgz"
Closing master SSH connection
Stop listening request sent.
Removing temporary backup files

MTD backup complete. Extract the files using:
tar xzf "mtd_backup.tgz"

Now the backup is complete! As I’m using Linux via WSL, I can just look in Windows Explorer and find the backup file under \\wsl.localhost\Ubuntu\root

Now I have a successful full backup of my untouched ER605 stock system, I will move onto flashing with OpenWRT, then I will test reverting back to stock again, just to confirm.

2 Likes
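
A check worth running on the extracted archive before flashing anything, as an added example that is not part of the original post or of chill1Penguin's script: it compares each `mtdN_name.backup` file with the sizes in a saved copy of the router's `/proc/mtd` and fails when a partition is missing, has the wrong size, or when no partitions were listed at all. It assumes the listing was saved to a local file (the name `proc_mtd.txt` and the function name `verify_mtd_backup` are hypothetical).

```shell
#!/bin/sh
# Added example (not from the original post): verify an extracted mtd_backup/
# directory against a saved copy of the router's /proc/mtd listing.
# Assumption: the listing was saved locally, e.g. as proc_mtd.txt.

# Prints one FAIL line per problem; exit status is 0 only if every listed
# partition has a backup file of exactly the size /proc/mtd reports.
# The body runs in a subshell so its variables do not leak to the caller.
verify_mtd_backup() (
    listing="$1"
    dir="$2"
    count=0
    problems=0
    while read -r dev size_hex _erasesize name; do
        case "${dev}" in
            mtd[0-9]*:) ;;       # a partition row such as: mtd0: 00080000 ...
            *) continue ;;       # table header or blank line
        esac
        dev="${dev%:}"
        name=$(printf '%s' "${name}" | tr -d '"')
        file="${dir}/${dev}_${name}.backup"     # naming used by mtdbk.sh
        expected=$((0x${size_hex}))             # /proc/mtd sizes are hex
        count=$((count + 1))
        if [ ! -f "${file}" ]; then
            echo "FAIL ${dev} (${name}): no backup file"
            problems=$((problems + 1))
            continue
        fi
        actual=$(($(wc -c < "${file}")))
        if [ "${actual}" -ne "${expected}" ]; then
            echo "FAIL ${dev} (${name}): ${actual} bytes, expected ${expected}"
            problems=$((problems + 1))
        fi
    done < "${listing}"
    if [ "${count}" -eq 0 ]; then
        echo "FAIL no partitions found in ${listing}"
        problems=1
    fi
    [ "${problems}" -eq 0 ]
)

# Usage: sh verify_mtd.sh proc_mtd.txt mtd_backup
if [ "$#" -eq 2 ]; then
    verify_mtd_backup "$1" "$2"
fi
```
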

Thank you, are you happy if this gets added to https://openwrt.org/toh/tp-link/er605_v2 with credit to yourself?

Yeah, sure, if it can help others, happy for it to be there.

Hello!

Hope I can get some answers here.
I'm stuck with this, and can't get it to work for the love in me!
I used your exact script (changing only the IP address), and I get nothing from the backup script:

root@9853aa2f6b71:/# bash mtdbk.sh
Opening master SSH connection
The authenticity of host '172.16.20.1 (172.16.20.1)' can't be established.
RSA key fingerprint is SHA256:1tjo/CMgf/SNADPRUXpF+1EaTIShb8lZW3Y6yXe4UkQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.16.20.1' (RSA) to the list of known hosts.
root@172.16.20.1's password:
Compressing backup files to "mtd_backup.tgz"
Closing master SSH connection
Stop listening request sent.
Removing temporary backup files

MTD backup complete. Extract the files using:
tar xzf "mtd_backup.tgz"

Now my work computer is a mac. I've tried both from MacOS itself, as well as from two different Linux environments within Docker.

Please help!

I am certainly no expert here, but looking at your output it looks like the backup script is working in that you can log in, make a file and the "complete" message happens.
However all the output for which partitions are being backed up and their number of records in and out is not shown (it goes straight from the password at login to compressing the file without the list of partitions in between). Seems like the script is running OK, but not finding what it needs to actually backup?
It looks like your MAC or other Linux environments are OK if you can get to this point (my trouble was not actually being able to get the script to login properly). If you can login and get output, then that part is OK.
As to why it doesn't find the partitions needed and provide the output (like I had above) - I don't know sorry, but you might want to look into the actual router environment you're running this on. Is there a reason it doesn't find the partitions to backup?

Hi r5e, I've been following your steps on the ER605 thread as I've encountered some of the same problems as you did.

I was able to make the full MTD backup, and flash OpenWRT successfully on this unit, and now I want to revert back to Stock Firmware.

I see that this isn't the case with most users in this forum (not many users seem to care to do a roll back), but I see you have shown interest in doing so too.

Did you succeed in your attempts? I've encountered a problem in my scenario, where the mtd3 partition backup is bigger than my initramfs available buffer. This seems to restrict the flash write process as wget gets stalled nearing the end of the file transfer using the instruction:

wget -O- http://[url to mtd3.img on a local http server] | ubiformat /dev/mtd3 -S [size of the image in bytes] -y -f -

ubiformat quits with the following error:

ubiformat: error!: file "-" is too large (130809856 bytes)
           error 0 (No error information)

I'd love to know your input, thanks in advance!

I only got as far as getting the backup working (and posted this thread on it). As I understand it, you won't be able to simply restore as TP-Link had actually changed their partitions making OpenWRT not possible to run without adjusting them first. To make adjusting them possible, chill1penguin made a great little script here. When you click the "Adjust UBI Layout" button there it will warn you that once this is done, it won't be possible to revert to the TP-Link firmware again without a serial connection. Sadly, he didn't make a script to reformat back to the TP-Link sized partitions. I think this would be the only way for it to be possible without serial.

I was also keen to test restore, but currently the only way to do this was to solder pins onto the board and do it via serial. I did solder a header on and test the connection. However, after playing with this a bit, I abandoned actually reverting via serial as I realised that my main aim was simply to prove it was possible. Once I had to solder pins, I sort of proved that it wasn't. At the end of the day, I was happier with the OpenWRT firmware (built on v23) than I was with the TP-Link (actually built on v14) so I decided to leave it there.

I'd still be keen to see someone reverse engineer what chill1Penguin did and be able to adjust the UBI layouts not only for OpenWRT, but also back to other partition sizes such as the manufacturer's stock setting. However, no one has done this yet (that I have seen).

Thanks for your response @r5e

I think you are absolutely right, without the correct UBI layout there's no way back. Do you think @chill1Penguin would be willing to add a "revert to stock layout" button and script on his project? Is all the information available to do so?

I've connected through serial console, booted initramfs via TFTP, and have access to unmount/flash MTD3 at the moment. If any of this information is valuable to you or anyone else I can do a step by step of the process

2 Likes

Yeah, I think we're on the same page. I'd love it if there was a "revert" option that either @chill1Penguin, or someone else could add. I'm guessing the info is available if someone were so inclined, but we'd need someone in the community who was able to spend the time. I would imagine that once more people start working around this, that more models (ER7206, 8411) might also get opened up a bit more. I think TP changed their partition layout, I'm suspecting it may have been to do with some funky features their Omada platform has around live firmware updates where it is possible to upgrade them remotely without fear of losing them. It may be key to understanding all these Omada models to be able to map how their partitions are done so the community can have confidence to modify in either direction.
Re your progress so far - I do know someone who bricked their ER605 mid-flash (but has not yet been game to solder pins and use serial) and I think any steps you could share could certainly give confidence to anyone who may need to do the same.

1 Like

tp-link er605 stock firmware is compressed, and loaded into RAM upon boot, with an overlay in /tmp, lzma compressed, the same trick is used on the er605v1, which is 16/128 yet reports a much bigger stock partition.
So you seem to have the uncompressed version.

Hi everyone, I made a little step by step for returning back to stock firmware using the UART on the ER605 v2 here.

I hope you find it useful!

2 Likes

It is hard to find the right way to get OpenWrt onto the ER605 v2.
It would be nice to have a step by step tutorial for:

  1. Backup with ssh and UART
  2. Flash openwrt with SSH and UART
  3. Restore original firmware with UART

Thanks in advance to anyone who can do this.

The direct root login with ssh is no longer possible with firmware version 2.1.1 and above. As far as I understood the script, the additional login steps (enable, debug) are not supported.

Mounting a memory stick (with the web interface) and copying the partitions onto it from a root shell seems to be the quickest workaround. See Looking for info and possibility of (future) support of TP-Link Omada er605 Router - #355 by goetz for a script doing this.

Don't forget to save the output of ubinfo -a as well. You need this to restore the partitioning.