Full backup of stock firmware for ER605 – solved

I wanted to post this as I was stuck on this and didn’t get an answer. I saw mention of some others also saying they didn’t get it working, so I thought I’d share what I did.

Apologies to some if I’m stating the obvious, but as I’m learning, this can be the “Idiot’s Guide”. I take no credit for this as other’s contributions (like those linked below) deserve any appreciation.

I have an ER605 v2 and I wanted to flash it with OpenWRT, but due to the circumstances I’ll be using it for, being able to restore to stock TP-Link firmware is essential. As recommended by chill1Penguin’s guide step 4, an MTD partition backup is recommended.

I tried to follow this and failed several attempts, so I will share what did work for me.

First off, you’ve got to get root access, which is step 3. I had some issues with this. Coming from a Windows box, I usually use Putty to SSH into things. I unboxed my brand new ER605, plugged it into my PC and accessed it on 192.168.0.1 (default). Using chill1Pengin’s steps 1, 2 & 3 I was able to get to root – hooray. (I was also lucky that my ER605 shipped with v2.0.0 so I didn’t have to downgrade or change anything).

I moved to step 4 and got very confused as I was trying to paste the full MTD backup script into my router in my Putty session. It is not meant to run on your router! You need to run it in a Linux OS and then connect to your router! (This should be obvious as it actually states this above the script, but I had not properly read/understood).

Luckily, I have a couple of Linux distros running on my PC using WSL. I opened the Ubuntu OS and tried to SSH into the router.

ssh root@192.168.0.1

Unable to negotiate with 192.168.0.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,kexguess2@matt.ucc.asn.au

This is mentioned in step 3 and the recommended fix is to use

-o KexAlgorithms=+diffie-hellman-group1-sha1

However, when I do this, it complains about the other thing

ssh root@192.168.0.1 -o KexAlgorithms=+diffie-hellman-group1-sha1

Unable to negotiate with 192.168.0.1 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

The recommendation was to use -o hostkeyalgorithms=ssh-rsa for this. Confused at this point, I wondered if a different Distro would change anything.

I switched to Oracle Linux 8 and tried to SSH into the router and this worked just fine. No errors about SSH algorithms and needing extra options at all.

Now I’m up to step 4. I paste the script into my console and run it, but fails as per my post here. I spend some time trying to work out why, googling and also trying it on online bash script validators (which showed there was nothing wrong with the script). I decided to try the same script in Ubuntu (but on a different router that I didn’t have the same SSH algorithm problems). It ran just fine! So the problem was with the way that some Linux Distros (Oracle Linux 8 in this case) had slightly different syntax required for bash scripts.

Attacking the SSH login problem next, I worked out that I actually needed BOTH options to SSH into the ER605. To be specific, I used ssh -o hostkeyalgorithms=ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.0.1

(Seems obvious once I tried it)

Once I’d confirmed login via SSH and exited the session back into Ubuntu’s console, I edited the script to add in both SSH algorithm options. The edit looked like this:

cat << "EOF" > mtdbk.sh

#!/bin/bash

set -e

function die() {

echo "${@}"

exit 2

}

OUTPUT_FILE="mtd_backup.tgz"

OPENWRT="root@192.168.0.1"

TMPDIR=$(mktemp -d)

BACKUP_DIR="${TMPDIR}/mtd_backup"

mkdir -p "${BACKUP_DIR}"

SSH_CONTROL="${TMPDIR}/ssh_control"

function cleanup() {

set +e

echo "Closing master SSH connection"

"${SSH_CMD[@]}" -O stop

echo "Removing temporary backup files"

rm -r "${TMPDIR}"

}

trap cleanup EXIT

# Open master ssh connection, to avoid the need to authenticate multiple times

echo "Opening master SSH connection"

ssh -o "ControlMaster=yes" -o "ControlPath=${SSH_CONTROL}" -o "ControlPersist=10" -o hostkeyalgorithms=ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1 -n -N "${OPENWRT}"

# This is the command we'll use to reuse the master connection

SSH_CMD=(ssh -o "ControlMaster=no" -o "ControlPath=${SSH_CONTROL}" -n "${OPENWRT}")

# List remote mtd devices from /proc/mtd. The first line is just a table

# header, so skip it (using tail)

"${SSH_CMD[@]}" 'cat /proc/mtd' | tail -n+2 | while read; do

MTD_DEV=$(echo ${REPLY} | cut -f1 -d:)

MTD_NAME=$(echo ${REPLY} | cut -f2 -d\")

echo "Backing up ${MTD_DEV} (${MTD_NAME})"

# It's important that the remote command only prints the actual file

# contents to stdout, otherwise our backup files will be corrupted. Other

# info must be printed to stderr instead. Luckily, this is how the dd

# command already behaves by default, so no additional flags are needed.

"${SSH_CMD[@]}" "dd if='/dev/${MTD_DEV}ro'" > "${BACKUP_DIR}/${MTD_DEV}_${MTD_NAME}.backup" || die "dd failed, aborting..."

done

# Use gzip and tar to compress the backup files

echo "Compressing backup files to \"${OUTPUT_FILE}\""

(cd "${TMPDIR}" && tar czf - "$(basename "${BACKUP_DIR}")") > "${OUTPUT_FILE}" || die 'tar failed, aborting...'

# Clean up a little earlier, so the completion message is the last thing the user sees

cleanup

# Reset signal handler

trap EXIT

echo -e "\nMTD backup complete. Extract the files using:\ntar xzf \"${OUTPUT_FILE}\""

EOF

I pasted this into the console and pressed Enter to complete it.

Then I gave the newly created file execute permissions with chmod +x mtdbk.sh and then ran it with ./mtdbk.sh

It completed as expected. Here is a copy of the output

# ./mtdbk.sh

Opening master SSH connection

root@192.168.0.1's password:

Backing up mtd0 (Bootloader)

1024+0 records in

1024+0 records out

Backing up mtd1 (Config)

1024+0 records in

1024+0 records out

Backing up mtd2 (Factory)

512+0 records in

512+0 records out

Backing up mtd3 (firmware)

255488+0 records in

255488+0 records out

Backing up mtd4 (panic-oops)

4096+0 records in

4096+0 records out

Backing up mtd5 (partition-table)

496+0 records in

496+0 records out

Backing up mtd6 (support-list)

496+0 records in

496+0 records out

Backing up mtd7 (device-info)

1+1 records in

1+1 records out

Backing up mtd8 (device-info.b)

1+1 records in

1+1 records out

Backing up mtd9 (tddp)

496+0 records in

496+0 records out

Backing up mtd10 (tddp.b)

496+0 records in

496+0 records out

Backing up mtd11 (bootloader)

1024+0 records in

1024+0 records out

Backing up mtd12 (kernel)

3712+0 records in

3712+0 records out

Backing up mtd13 (rootfs)

22784+0 records in

22784+0 records out

Backing up mtd14 (firmware-info)

0+1 records in

0+1 records out

Backing up mtd15 (extra-para)

744+0 records in

744+0 records out

Backing up mtd16 (log)

4216+0 records in

4216+0 records out

Backing up mtd17 (rootfs_data)

20584+0 records in

20584+0 records out

Backing up mtd18 (bootloader.b)

1024+0 records in

1024+0 records out

Backing up mtd19 (kernel.b)

3712+0 records in

3712+0 records out

Backing up mtd20 (rootfs.b)

22784+0 records in

22784+0 records out

Backing up mtd21 (firmware-info.b)

0+1 records in

0+1 records out

Backing up mtd22 (extra-para.b)

744+0 records in

744+0 records out

Backing up mtd23 (log.b)

4216+0 records in

4216+0 records out

Backing up mtd24 (rootfs_data.b)

20584+0 records in

20584+0 records out

Compressing backup files to "mtd_backup.tgz"

Closing master SSH connection

Stop listening request sent.

Removing temporary backup files

MTD backup complete. Extract the files using:

tar xzf "mtd_backup.tgz"

Now the backup is complete! As I’m using Linux via WSL, I can just look in Windows Explorer and find the backup file under \\wsl.localhost\Ubuntu\root

Now I have a successful full backup of my untouched ER605 stock system, I will move onto flashing with OpenWRT, then I will test reverting back to stock again, just to confirm.

1 Like

Thank you, are you happy if this gets added to https://openwrt.org/toh/tp-link/er605_v2 with credit to yourself?

Yeah, sure, if it can help others, happy for it to be there.