How to back up original firmware mtd parts?

sefralgon · November 22, 2019, 6:16pm

I want a generic advice. Suppose, you have a Wi-Fi router with Linux + busybox, running vendor's firmware, and it offers remote shell access by Telnet.

However, the router does not have those obvious options:

There is no netcat, nc, wget, sshd.
There is no support for USB mass storage
There is nothing like hexdump, od, xxd, base64, uucp, uuencode, to convert binary to text
There is no md5sum or sha256sum to check correctness of transmitted data if you somehow manage to transfer it
There is no awk.

What are possible options to download the flash firmware image to the computer? Suppose /dev/mtd0 and others are available.

NoTengoBattery · November 22, 2019, 6:25pm

A "piped" (I'm not sure if that word even exists) telnet session running cat can be used to get the raw bits and then process the raw bits using the host (i.e. a UNIX machine) tools.

jeff · November 22, 2019, 6:25pm

I once looked for a sh-based base64 encoder/decoder without much luck, and didn't have the patience to write one myself. I just found the following (untested)

gist.github.com

https://gist.github.com/markusfisch/2648733

base64.sh

#!/bin/bash

# Fallback base64 en-/decoder for systems that lack a native implementation
#
# @param ... - flags
which base64 &>/dev/null || {
# if even od is missing
which od &>/dev/null || od()
{
	local C O=0 W=16

This file has been truncated. show original

and the follow on for ash at https://github.com/benchonaut/owrt-ash-b64-test-results

sefralgon · November 22, 2019, 6:50pm

I think, if there's a short enough implementation of base64 in binary format, then it can be transferred to the router using echo -en '\x02\x04\x42\x25' >> /tmp/base64 and so on and then executed. But where can I find smallish MIPS static binaries?

mk24 · November 22, 2019, 6:52pm

If you can put a file or a link to it into the devices web server tree you can http it.

NoTengoBattery · November 22, 2019, 6:53pm

I'm not a telnet expert, I've born way after it was cool... but the idea is like this:

First thing to test is this: try "batch running" the cat command inside the telnet.

echo 'cat /etc/os-release 1>&2' | telnet <ip> <port>

If that works, we can use the subshell to pipe the output to any host tool (i.e. hexdump)

(echo 'cat /etc/os-release 1>&2' | telnet <ip> <port>) 1>/dev/null 2>&1 | hexdump

I didn't tested, I have no telnet... just an idea.

sefralgon · November 22, 2019, 6:53pm

Yes, this is one of simplest solutions, I thought about it, but it won't work for say installing OpenWrt onto the device.

sefralgon · November 22, 2019, 7:39pm

Suppose, this is done. How can we check data for correctness?

jeff · November 22, 2019, 7:53pm

If the connection is "reasonable", perhaps something as simple as a CRC-32 check. You could also look for a sh implementation of MD5 (since this is simply a correctness check, with a devious middle-man being unlikely).

Is gzip available on the target? https://stackoverflow.com/questions/44804668/how-to-calculate-crc32-checksum-from-a-string-on-linux-bash -- seems that the gzip algorithm post-pends the CRC-32 on compression.

sefralgon · November 22, 2019, 9:27pm

gzip is indeed there, but hexdump sadly is not.

However, in this particular case, it did give me a useful idea:
Mass storage was there, but with confusing device name, apparently because of Linux 2.4.x on the router.

gzip -c /dev/mtd/0ro > /dev/scsi/host0/bus0/target0/lun0/part1

The idea was that gzip would provide checksum and would cut off the useless part of the partition. It did work, cat /dev/sdb1 | gunzip -c > router.flash.dump.img has produced file of exactly size of partition as intended.

However, as I mentioned, I wanted to find out a more universal way to do file-transfer with super-limiting options.

jeff · November 22, 2019, 9:37pm

I think some options for binary-to-printable-ASCII conversion in both directions have been discussed.

gzip was mainly an option to "avoid" writing a CRC generator in a limited shell, which I just found at

So, with those pieces, dd, and a half-decent sh implementation, you should be able to transfer a binary file over telnet, serial, what have you, and check that the result is [very likely] what was sent.

sefralgon · November 22, 2019, 9:42pm

Nice. I guess this crc32 can be turned into hexdump easily.
The key is

byte=$(printf '%d' "'${c}") # Converts the character into its byte value

This could be used to convert gzip tail into crc32 value.

sefralgon · November 22, 2019, 9:57pm

If the connection is "reasonable", perhaps something as simple as a CRC-32 check.

Yes, this can work, the reason why check is necessary is to make sure that you have managed to turn off all features of transfer method which can break the binary data, such as LF→CR+LF translation which was for some reason turned on by default for the serial.

ffee · November 23, 2019, 6:54am

If your router have web UI, you can try add or symlink your mtd dump file into web root, and run wget to get it from host PC.

sefralgon · November 25, 2019, 1:36pm

If your router have web UI, you can try add or symlink your mtd dump file into web root, and run wget to get it from host PC.

Actually simlink to mtd partition directly works most of time, but origininal firmware tends to overwrite whatever it sees, so I had to use mtd0ro and like such to avoid getting my partitions overwritten.

system · December 5, 2019, 1:36pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.