Since I don't have a crystal ball, it's kind of hard to tell you to copy/paste command XYZ.
There are a couple of options for dumping the firmware. Some are better than others, but I'll name a few.
- If you can get a full shell on it, you can use `dd` to dump and then copy off partitions. Something like:
`dd if=/dev/mtd0 of=/tmp/mtd0`
then nc or scp it off (find a way).
- If you can't get a shell, you can use U-Boot's `md`. Your partition map has all the details you need. You can use minicom or the like to tee out stdout to a file, but note serial is slightly prone to errors, so it is worth capturing the same range twice and comparing the two captures.
Example: `md.b 0x00 0x100000` would start at 0x00 and print the next 0x100000 bytes to the console. Note that `md` displays memory addresses, so flash that is not memory-mapped (NAND, for instance) has to be read into RAM first. You could then use https://github.com/gmbnomis/uboot-mdb-dump to convert that to a raw binary.
thanks for the advice.
back to work
If you have working SSH, then you can do it rather easily:
`ssh user@wax_ip "dd if=/dev/mtdN" | dd of=whatever.bin`
Thanks,
Done with one error:
dd if=/dev/mtd18 | ssh root@192.168.0.2 dd of=/root/wax218/mtd18
[ 1019.905681] ubi0 error: ubi_open_volume: cannot open device 0, volume 2, error -16
dd: can't open '/dev/mtd18': Resource busy
Any idea how to get it before I archive them?
For information, same error with the mtd18ro file:
[ 1420.740160] ubi0 error: ubi_open_volume: cannot open device 0, volume 2, error -16
dd: can't open '/dev/mtd18ro': Resource busy
root@WAX218:/tmp# mount
mtd:ubi_rootfs on /rom type squashfs (ro,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,noatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,noatime)
cgroup on /sys/fs/cgroup type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,cpu,cpuacct,blkio,memory,devices,freezer,net_cls,pids)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
/dev/ubi0_2 on /overlay type ubifs (rw,noatime)
overlayfs:/overlay on / type overlay (rw,noatime,lowerdir=/,upperdir=/overlay/upper,workdir=/overlay/work)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,size=512k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600,ptmxmode=000)
/dev/mtdblock19 on /lib/firmware/IPQ8074/WIFI_FW type squashfs (ro,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,noatime)
root@WAX218:/tmp#
root@WAX218:/tmp# df
Filesystem 1K-blocks Used Available Use% Mounted on
mtd:ubi_rootfs 17920 17920 0 100% /rom
tmpfs 212312 440 211872 0% /tmp
/dev/ubi0_2 73168 512 68884 1% /overlay
overlayfs:/overlay 73168 512 68884 1% /
tmpfs 512 0 512 0% /dev
/dev/mtdblock19 2304 2304 0 100% /lib/firmware/IPQ8074/WIFI_FW
root@WAX218:/tmp#
root@WAX218:/tmp# ls -lA /dev
lrwxrwxrwx 1 root root 15 Sep 6 02:33 caldata -> /dev/mtdblock11
crw-r--r-- 1 root root 5, 1 Sep 6 02:48 console
crw-r--r-- 1 root root 10, 61 Jan 1 1970 coresight-stm
crw-r--r-- 1 root root 10, 62 Jan 1 1970 coresight-tmc-etf
crw-r--r-- 1 root root 10, 63 Jan 1 1970 coresight-tmc-etr
crw-r--r-- 1 root root 10, 60 Jan 1 1970 cpu_dma_latency
crw-r--r-- 1 root root 10, 70 Sep 6 02:32 crypto
crw-r--r-- 1 root root 247, 0 Jan 1 1970 dcc_sram
crw-r--r-- 1 root root 239, 0 Sep 6 02:32 diag
crw-rw-rw- 1 root root 1, 7 Jan 1 1970 full
crw-r--r-- 1 root root 10, 229 Sep 6 02:32 fuse
crw-r--r-- 1 root root 10, 183 Jan 1 1970 hwrng
crw-r--r-- 1 root root 243, 0 Jan 1 1970 icesdcc
crw-r--r-- 1 root root 250, 0 Jan 1 1970 iio:device0
crw-r--r-- 1 root root 1, 11 Jan 1 1970 kmsg
srw-rw-rw- 1 root root 0 Sep 6 02:32 log
drwxr-xr-x 2 root root 60 Jan 1 1970 mapper
crw-r--r-- 1 root root 1, 1 Jan 1 1970 mem
crw-r--r-- 1 root root 10, 57 Jan 1 1970 memory_bandwidth
crw-r--r-- 1 root root 254, 0 Jan 1 1970 msm_sps
crw-r--r-- 1 root root 90, 0 Jan 1 1970 mtd0
crw-r--r-- 1 root root 90, 1 Jan 1 1970 mtd0ro
crw-r--r-- 1 root root 90, 2 Jan 1 1970 mtd1
crw-r--r-- 1 root root 90, 20 Jan 1 1970 mtd10
crw-r--r-- 1 root root 90, 21 Jan 1 1970 mtd10ro
crw-r--r-- 1 root root 90, 22 Jan 1 1970 mtd11
crw-r--r-- 1 root root 90, 23 Jan 1 1970 mtd11ro
crw-r--r-- 1 root root 90, 24 Jan 1 1970 mtd12
crw-r--r-- 1 root root 90, 25 Jan 1 1970 mtd12ro
crw-r--r-- 1 root root 90, 26 Jan 1 1970 mtd13
crw-r--r-- 1 root root 90, 27 Jan 1 1970 mtd13ro
crw-r--r-- 1 root root 90, 28 Jan 1 1970 mtd14
crw-r--r-- 1 root root 90, 29 Jan 1 1970 mtd14ro
crw-r--r-- 1 root root 90, 30 Jan 1 1970 mtd15
crw-r--r-- 1 root root 90, 31 Jan 1 1970 mtd15ro
crw-r--r-- 1 root root 90, 32 Jan 1 1970 mtd16
crw-r--r-- 1 root root 90, 33 Jan 1 1970 mtd16ro
crw-r--r-- 1 root root 90, 34 Jan 1 1970 mtd17
crw-r--r-- 1 root root 90, 35 Jan 1 1970 mtd17ro
crw-r--r-- 1 root root 90, 36 Jan 1 1970 mtd18
crw-r--r-- 1 root root 90, 37 Jan 1 1970 mtd18ro
crw-r--r-- 1 root root 90, 38 Sep 6 02:32 mtd19
crw-r--r-- 1 root root 90, 39 Sep 6 02:32 mtd19ro
crw-r--r-- 1 root root 90, 3 Jan 1 1970 mtd1ro
crw-r--r-- 1 root root 90, 4 Jan 1 1970 mtd2
crw-r--r-- 1 root root 90, 5 Jan 1 1970 mtd2ro
crw-r--r-- 1 root root 90, 6 Jan 1 1970 mtd3
crw-r--r-- 1 root root 90, 7 Jan 1 1970 mtd3ro
crw-r--r-- 1 root root 90, 8 Jan 1 1970 mtd4
crw-r--r-- 1 root root 90, 9 Jan 1 1970 mtd4ro
crw-r--r-- 1 root root 90, 10 Jan 1 1970 mtd5
crw-r--r-- 1 root root 90, 11 Jan 1 1970 mtd5ro
crw-r--r-- 1 root root 90, 12 Jan 1 1970 mtd6
crw-r--r-- 1 root root 90, 13 Jan 1 1970 mtd6ro
crw-r--r-- 1 root root 90, 14 Jan 1 1970 mtd7
crw-r--r-- 1 root root 90, 15 Jan 1 1970 mtd7ro
crw-r--r-- 1 root root 90, 16 Jan 1 1970 mtd8
crw-r--r-- 1 root root 90, 17 Jan 1 1970 mtd8ro
crw-r--r-- 1 root root 90, 18 Jan 1 1970 mtd9
crw-r--r-- 1 root root 90, 19 Jan 1 1970 mtd9ro
brw-r--r-- 1 root root 31, 0 Jan 1 1970 mtdblock0
brw-r--r-- 1 root root 31, 1 Jan 1 1970 mtdblock1
brw-r--r-- 1 root root 31, 10 Jan 1 1970 mtdblock10
brw-r--r-- 1 root root 31, 11 Jan 1 1970 mtdblock11
brw-r--r-- 1 root root 31, 12 Jan 1 1970 mtdblock12
brw-r--r-- 1 root root 31, 13 Jan 1 1970 mtdblock13
brw-r--r-- 1 root root 31, 14 Jan 1 1970 mtdblock14
brw-r--r-- 1 root root 31, 15 Jan 1 1970 mtdblock15
brw-r--r-- 1 root root 31, 16 Jan 1 1970 mtdblock16
brw-r--r-- 1 root root 31, 17 Jan 1 1970 mtdblock17
brw-r--r-- 1 root root 31, 18 Jan 1 1970 mtdblock18
brw-r--r-- 1 root root 31, 19 Sep 6 02:32 mtdblock19
brw-r--r-- 1 root root 31, 2 Jan 1 1970 mtdblock2
brw-r--r-- 1 root root 31, 3 Jan 1 1970 mtdblock3
brw-r--r-- 1 root root 31, 4 Jan 1 1970 mtdblock4
brw-r--r-- 1 root root 31, 5 Jan 1 1970 mtdblock5
brw-r--r-- 1 root root 31, 6 Jan 1 1970 mtdblock6
brw-r--r-- 1 root root 31, 7 Jan 1 1970 mtdblock7
brw-r--r-- 1 root root 31, 8 Jan 1 1970 mtdblock8
brw-r--r-- 1 root root 31, 9 Jan 1 1970 mtdblock9
drwxr-xr-x 2 root root 60 Sep 6 02:32 net
crw-r--r-- 1 root root 10, 59 Jan 1 1970 network_latency
crw-r--r-- 1 root root 10, 58 Jan 1 1970 network_throughput
crw-rw-rw- 1 root root 1, 3 Jan 1 1970 null
crw-r--r-- 1 root root 1, 4 Jan 1 1970 port
crw-rw-rw- 1 root root 5, 2 Jan 1 1970 ptmx
drwxr-xr-x 2 root root 0 Jan 1 1970 pts
brw-r--r-- 1 root root 1, 0 Jan 1 1970 ram0
brw-r--r-- 1 root root 1, 1 Jan 1 1970 ram1
brw-r--r-- 1 root root 1, 10 Jan 1 1970 ram10
brw-r--r-- 1 root root 1, 11 Jan 1 1970 ram11
brw-r--r-- 1 root root 1, 12 Jan 1 1970 ram12
brw-r--r-- 1 root root 1, 13 Jan 1 1970 ram13
brw-r--r-- 1 root root 1, 14 Jan 1 1970 ram14
brw-r--r-- 1 root root 1, 15 Jan 1 1970 ram15
brw-r--r-- 1 root root 1, 2 Jan 1 1970 ram2
brw-r--r-- 1 root root 1, 3 Jan 1 1970 ram3
brw-r--r-- 1 root root 1, 4 Jan 1 1970 ram4
brw-r--r-- 1 root root 1, 5 Jan 1 1970 ram5
brw-r--r-- 1 root root 1, 6 Jan 1 1970 ram6
brw-r--r-- 1 root root 1, 7 Jan 1 1970 ram7
brw-r--r-- 1 root root 1, 8 Jan 1 1970 ram8
brw-r--r-- 1 root root 1, 9 Jan 1 1970 ram9
crw-r--r-- 1 root root 1, 8 Jan 1 1970 random
lrwxrwxrwx 1 root root 14 Sep 6 02:32 root -> mtd:ubi_rootfs
lrwxrwxrwx 1 root root 8 Jan 1 1970 shm -> /tmp/shm
drwxr-xr-x 2 root root 60 Jan 1 1970 snd
crw-r--r-- 1 root root 242, 1 Jan 1 1970 subsys_q6v5-m3
crw-r--r-- 1 root root 242, 0 Jan 1 1970 subsys_q6v5-wcss
crw-r--r-- 1 root root 10, 254 Sep 6 02:32 switch_ssdk
crw-r--r-- 1 root root 5, 0 Sep 6 02:51 tty
crw------- 1 root root 246, 0 Sep 6 02:52 ttyMSM0
crw-r--r-- 1 root root 246, 1 Jan 1 1970 ttyMSM1
crw-r--r-- 1 root root 241, 0 Jan 1 1970 ubi0
crw-r--r-- 1 root root 241, 1 Jan 1 1970 ubi0_0
crw-r--r-- 1 root root 241, 2 Jan 1 1970 ubi0_1
crw-r--r-- 1 root root 241, 3 Jan 1 1970 ubi0_2
crw-r--r-- 1 root root 240, 0 Sep 6 02:32 ubi1
crw-r--r-- 1 root root 240, 2 Sep 6 02:32 ubi1_1
crw-r--r-- 1 root root 10, 56 Jan 1 1970 ubi_ctrl
crw-r--r-- 1 root root 1, 9 Jan 1 1970 urandom
crw-r--r-- 1 root root 10, 130 Jan 1 1970 watchdog
crw-r--r-- 1 root root 249, 0 Jan 1 1970 watchdog0
crw-rw-rw- 1 root root 1, 5 Jan 1 1970 zero
root@WAX218:/etc# cat /proc/mtd
dev: size erasesize name
mtd0: 00100000 00020000 "0:SBL1"
mtd1: 00100000 00020000 "0:MIBIB"
mtd2: 00300000 00020000 "0:QSEE"
mtd3: 00080000 00020000 "0:DEVCFG"
mtd4: 00080000 00020000 "0:APDP"
mtd5: 00080000 00020000 "0:RPM"
mtd6: 00080000 00020000 "0:CDT"
mtd7: 00080000 00020000 "0:APPSBLENV"
mtd8: 006a0000 00020000 "0:APPSBL"
mtd9: 00060000 00020000 "cert"
mtd10: 00100000 00020000 "userconfig"
mtd11: 00080000 00020000 "0:ART"
mtd12: 06f00000 00020000 "rootfs_1"
mtd13: 00900000 00020000 "0:WIFIFW_1"
mtd14: 06f00000 00020000 "rootfs"
mtd15: 00900000 00020000 "0:WIFIFW"
mtd16: 00554000 0001f000 "kernel"
mtd17: 0118f000 0001f000 "ubi_rootfs"
mtd18: 04f51000 0001f000 "rootfs_data"
mtd19: 0022e000 0001f000 "wifi_fw"
For information, here is the MAC Addresses:
root@WAX218:/tmp# ifconfig | grep HWaddr
ath0 Link encap:Ethernet HWaddr 94:A6:7E:B1:9E:34
ath11 Link encap:Ethernet HWaddr 94:A6:7E:B1:9E:35
br-lan Link encap:Ethernet HWaddr 94:A6:7E:B1:9E:33
br-mgmt Link encap:Ethernet HWaddr 9A:A6:7E:B1:9E:34
eth0 Link encap:Ethernet HWaddr 94:A6:7E:B1:9E:33
mgmt0 Link encap:Ethernet HWaddr 9A:A6:7E:B1:9E:34
wifi0 Link encap:Ethernet HWaddr 94:A6:7E:B1:9E:34
wifi1 Link encap:Ethernet HWaddr 94:A6:7E:B1:9E:35
On the label under the AP I have: 94:A6:7E:B1:9E:33
Unable to extract anything from 2 Netgear FWs:
~/wax218/Netgear_FW# binwalk WAX218_V2.1.1.3_firmware.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
25439778 0x1842E22 MySQL ISAM compressed data file Version 5
~/wax218/Netgear_FW#
~/wax218/Netgear_FW#
~/wax218/Netgear_FW# binwalk WAX218_V1.0.1.0_firmware.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
(no output)
Thanks a lot for looking at this device.
2:38am here, time to go to sleep
If that can help, HERE is the /etc