How to back up original firmware mtd parts?

I want a generic advice. Suppose, you have a Wi-Fi router with Linux + busybox, running vendor's firmware, and it offers remote shell access by Telnet.

However, the router does not have those obvious options:

  1. There is no netcat, nc, wget, sshd.
  2. There is no support for USB mass storage
  3. There is nothing like hexdump, od, xxd, base64, uucp, uuencode, to convert binary to text
  4. There is no md5sum or sha256sum to check correctness of transmitted data if you somehow manage to transfer it
  5. There is no awk.

What are possible options to download the flash firmware image to the computer? Suppose /dev/mtd0 and others are available.

A "piped" (I'm not sure if that word even exists) telnet session running cat can be used to get the raw bits and then process the raw bits using the host (i.e. a UNIX machine) tools.

I once looked for a sh-based base64 encoder/decoder without much luck, and didn't have the patience to write one myself. I just found the following (untested)

and the follow on for ash at https://github.com/benchonaut/owrt-ash-b64-test-results

I think, if there's a short enough implementation of base64 in binary format, then it can be transferred to the router using echo -en '\x02\x04\x42\x25' >> /tmp/base64 and so on and then executed. But where can I find smallish MIPS static binaries?

If you can put a file or a link to it into the devices web server tree you can http it.

1 Like

I'm not a telnet expert, I've born way after it was cool... but the idea is like this:

First thing to test is this: try "batch running" the cat command inside the telnet.

echo 'cat /etc/os-release 1>&2' | telnet <ip> <port>

If that works, we can use the subshell to pipe the output to any host tool (i.e. hexdump)

(echo 'cat /etc/os-release 1>&2' | telnet <ip> <port>) 1>/dev/null 2>&1 | hexdump 

I didn't tested, I have no telnet... just an idea.

Yes, this is one of simplest solutions, I thought about it, but it won't work for say installing OpenWrt onto the device.

Suppose, this is done. How can we check data for correctness?

If the connection is "reasonable", perhaps something as simple as a CRC-32 check. You could also look for a sh implementation of MD5 (since this is simply a correctness check, with a devious middle-man being unlikely).

Is gzip available on the target? https://stackoverflow.com/questions/44804668/how-to-calculate-crc32-checksum-from-a-string-on-linux-bash -- seems that the gzip algorithm post-pends the CRC-32 on compression.

gzip is indeed there, but hexdump sadly is not.

However, in this particular case, it did give me a useful idea:
Mass storage was there, but with confusing device name, apparently because of Linux 2.4.x on the router.

gzip -c /dev/mtd/0ro > /dev/scsi/host0/bus0/target0/lun0/part1

The idea was that gzip would provide checksum and would cut off the useless part of the partition. It did work, cat /dev/sdb1 | gunzip -c > router.flash.dump.img has produced file of exactly size of partition as intended.

However, as I mentioned, I wanted to find out a more universal way to do file-transfer with super-limiting options.

I think some options for binary-to-printable-ASCII conversion in both directions have been discussed.

gzip was mainly an option to "avoid" writing a CRC generator in a limited shell, which I just found at

https://rosettacode.org/wiki/CRC-32#POSIX

So, with those pieces, dd, and a half-decent sh implementation, you should be able to transfer a binary file over telnet, serial, what have you, and check that the result is [very likely] what was sent.

Nice. I guess this crc32 can be turned into hexdump easily.
The key is

byte=$(printf '%d' "'${c}") # Converts the character into its byte value

This could be used to convert gzip tail into crc32 value.

If the connection is "reasonable", perhaps something as simple as a CRC-32 check.

Yes, this can work, the reason why check is necessary is to make sure that you have managed to turn off all features of transfer method which can break the binary data, such as LF→CR+LF translation which was for some reason turned on by default for the serial.

1 Like

If your router have web UI, you can try add or symlink your mtd dump file into web root, and run wget to get it from host PC.

If your router have web UI, you can try add or symlink your mtd dump file into web root, and run wget to get it from host PC.

Actually simlink to mtd partition directly works most of time, but origininal firmware tends to overwrite whatever it sees, so I had to use mtd0ro and like such to avoid getting my partitions overwritten.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.