I think, if there's a short enough implementation of base64 in binary format, then it can be transferred to the router using echo -en '\x02\x04\x42\x25' >> /tmp/base64 and so on and then executed. But where can I find smallish MIPS static binaries?
If the connection is "reasonable", perhaps something as simple as a CRC-32 check. You could also look for a sh implementation of MD5 (since this is simply a correctness check, with a devious middle-man being unlikely).
The idea was that gzip would provide checksum and would cut off the useless part of the partition. It did work, cat /dev/sdb1 | gunzip -c > router.flash.dump.img has produced file of exactly size of partition as intended.
However, as I mentioned, I wanted to find out a more universal way to do file-transfer with super-limiting options.
So, with those pieces, dd, and a half-decent sh implementation, you should be able to transfer a binary file over telnet, serial, what have you, and check that the result is [very likely] what was sent.
If the connection is "reasonable", perhaps something as simple as a CRC-32 check.
Yes, this can work, the reason why check is necessary is to make sure that you have managed to turn off all features of transfer method which can break the binary data, such as LF→CR+LF translation which was for some reason turned on by default for the serial.
If your router have web UI, you can try add or symlink your mtd dump file into web root, and run wget to get it from host PC.
Actually simlink to mtd partition directly works most of time, but origininal firmware tends to overwrite whatever it sees, so I had to use mtd0ro and like such to avoid getting my partitions overwritten.