How to extract DTB from the firmware image


I am seeking help for how to extract DTB from the firmware image and convert DTB to DTS file.

Thank you!


The link shows how to convert DTB into DTS,

Do you know where the DTB file is located and how to extract it?

sample DTB extraction from Totolink X6000R firmware CS_C8380R_X6000R_IP04499_MT7981_SPI_16M256M_V9.4.0cu.652_B20230116_ALL.web

binwalk CS_C8380R_X6000R_IP04499_MT7981_SPI_16M256M_V9.4.0cu.652_B20230116_ALL.web

0             0x0             device tree image (dtb)
232           0xE8            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 8464392 bytes
2840856       0x2B5918        device tree image (dtb)
2883584       0x2C0000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 11274846 bytes, 2663 inodes, blocksize: 262144 bytes, created: 2023-01-16 05:20:57

Now we need to extract the dtb from the right part of the firmware

dd if=CS_C8380R_X6000R_IP04499_MT7981_SPI_16M256M_V9.4.0cu.652_B20230116_ALL.web of=dtb.bin skip=2840856 count=42729 bs=1

and convert it to text form

dtc -f -I dtb -O dts dtb.bin

Personally I've failed dtb extractions on firmware with Linux kernel 2.6. binwalk didn't show the below entry at any point. Even when I was able to extract it using binwalk -e

device tree image (dtb)

and pydtc Tool (it's part of

Here is what I get when I tried on the test firmware image I have

$ binwalk firmware.img 

0             0x0             Flattened device tree, size: 27004384 bytes, version: 17
1428          0x594           UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000


It does not show any DTB file

Well... "Flattened device tree" and "DTB" are the same. See

But what you've got there is a FIT image. Possibly with some unexpected contents? Hard for us to guess what this image is. You could also just look for "d0 0d fe ed" signatures in a hexdump of the image. Or run binwalk recursively with "-Me". Or maybe use mkimage to get an initial overview of the FIT image, and then go from there. Like:

bjorn@canardo:/usr/local/src/openwrt$ staging_dir/host/bin/mkimage  -l bin/r23456-81f667513a2d/targets/ramips/mt7621/openwrt-snapshot-ramips-mt7621-ubnt_unifi-6-lite-squashfs-sysupgrade.bin
FIT description: MIPS OpenWrt FIT (Flattened Image Tree)
Created:         Thu Jun 29 12:54:38 2023
 Image 0 (kernel-1)
  Description:  MIPS OpenWrt Linux-5.15.118
  Created:      Thu Jun 29 12:54:38 2023
  Type:         Kernel Image
  Compression:  lzma compressed
  Data Size:    2932336 Bytes = 2863.61 KiB = 2.80 MiB
  Architecture: MIPS
  OS:           Linux
  Load Address: 0x80001000
  Entry Point:  0x80001000
  Hash algo:    crc32
  Hash value:   ba90272c
  Hash algo:    sha1
  Hash value:   4a8ad8efc95301231b289db772718d19f0182ff5
 Image 1 (fdt-1)
  Description:  MIPS OpenWrt ubnt_unifi-6-lite device tree blob
  Created:      Thu Jun 29 12:54:38 2023
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    11371 Bytes = 11.10 KiB = 0.01 MiB
  Architecture: MIPS
  Load Address: 0x87000000
  Hash algo:    crc32
  Hash value:   a8683697
  Hash algo:    sha1
  Hash value:   47c58a6742b8e90170c9f9f6187ead8ad1911e62
 Default Configuration: 'config@1'
 Configuration 0 (config@1)
  Description:  OpenWrt ubnt_unifi-6-lite
  Kernel:       kernel-1
  FDT:          fdt-1

But any FDT/DTB should have shown up in the binwalk output. So it's probably not present at all, in an uncompressed and unencrypted form at least.

Why do you believe you can extract it from this image? And how useful is it, really? You could alternatively fetch the runtime bootloader expanded version from /sys/firmware/fdt
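
Added example, not written by any poster in this thread: a Python scan for the "d0 0d fe ed" signature mentioned above that validates each candidate header before reporting it, so the offset and size can be passed to the dd command shown earlier. It assumes the version 17 header layout (the version binwalk reported); the function names and the sample image are constructed for illustration.

```python
import struct

FDT_MAGIC = b"\xd0\x0d\xfe\xed"   # the "d0 0d fe ed" signature from the thread
FDT_BEGIN_NODE = 1                # first token of a valid structure block
HDR = struct.Struct(">10I")       # v17 header: ten big-endian 32-bit fields

def find_dtbs(image: bytes):
    """Return [(offset, totalsize, version)] for every plausible DTB."""
    hits, pos = [], image.find(FDT_MAGIC)
    while pos != -1:
        if pos + HDR.size <= len(image):
            (_, total, off_struct, off_strings, off_rsv, version, last_comp,
             _, size_strings, size_struct) = HDR.unpack_from(image, pos)
            sane = (HDR.size <= total <= len(image) - pos
                    and version == 17 and last_comp <= 17
                    and off_rsv >= HDR.size
                    and off_struct % 4 == 0 and size_struct >= 4
                    and off_struct + size_struct <= total
                    and off_strings + size_strings <= total)
            if sane:
                first, = struct.unpack_from(">I", image, pos + off_struct)
                if first == FDT_BEGIN_NODE:
                    hits.append((pos, total, version))
        # Step one byte, not totalsize: a FIT image is itself an FDT and its
        # payloads (including an uncompressed board DTB) sit inside it.
        pos = image.find(FDT_MAGIC, pos + 1)
    return hits

def carve(image: bytes, offset: int, total: int) -> bytes:
    """Same result as: dd if=image of=dtb.bin bs=1 skip=offset count=total"""
    return image[offset:offset + total]

def _sample_dtb() -> bytes:
    # Constructed minimal DTB: empty root node, no properties, no strings.
    struct_blk = struct.pack(">4I", 1, 0, 2, 9)  # BEGIN_NODE, "", END_NODE, END
    hdr = HDR.pack(0xD00DFEED, 72, 56, 72, 40, 17, 16, 0, 0, 16)
    return hdr + bytes(16) + struct_blk          # 16 zero bytes = empty rsvmap

# Constructed image: padding, a bare magic with garbage after it (must be
# rejected), then one valid DTB at offset 296.
SAMPLE_IMAGE = bytes(232) + FDT_MAGIC + b"\xff" * 60 + _sample_dtb() + b"tail"

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for off, total, ver in find_dtbs(data):
        print(f"offset={off} (0x{off:X}) size={total} version={ver}")
```

A DTB stored compressed or encrypted inside the image produces no hit here, which matches the binwalk behaviour discussed above.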