I have this router which was custom flashed and paired with a 4 GB USB external root. The problem is I want to know what is on its filesystem, but the partitions are encrypted, only to be decrypted at boot with cryptsetup.
I have access to serial and I know where the decryption keys are since the path is displayed during init boot, but the serial root console is disabled.
With this being the case I am trying to dump the flash memory so that I can uncompress it and take the keys so I can mount the USB drive myself in a full linux environment to take a look at what this router is hiding.
I know for the most part what I need to do and have been semi-successful, although I need a bit of help working with U-Boot.
My plan of attack is to dump the flash via the `md` command and then use Ruby scripting to take the hex dump, clean it up, and convert it into a binary firmware image, which I can further reverse from there.
My problem is I don't quite understand how `md` works. I have it dumping partial flash memory but I don't understand how to make it dump the entire memory.
Here are the environment and the version of U-Boot:

```
hornet> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),2752k(rootfs),896k(uImage),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f020000
bootdelay=1
baudrate=115200
ethaddr=0xba:0xbe:0xfa:0xce:0x07:0x41
ipaddr=192.168.1.111
serverip=192.168.1.100
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 362/65532 bytes
hornet> ?
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase FLASH memory
help    - print online help
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
progmac - Set ethernet MAC addresses
reset   - Perform RESET of the CPU
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version
hornet> version

U-Boot 1.1.4 (Aug 17 2012 - 15:21:03)

hornet> help md
md [.b, .w, .l] address [# of objects]
    - memory display
```
I know the start of the flash kernel is 0x9f020000, but how do I tell `md` to read the entire flash? If I run `md.b 0x9f020000` by itself it prints something like the first 40 bytes. If I supply a [# of objects] value in hex it does read more, but how can I tell it to read only the full firmware image and not any further into memory? I have a feeling that if I supply too large a hex number it will start reading past the firmware into other regions of memory.
Any help is appreciated!
Edit: Would it work if I specified the beginning of the firmware image and then the total size of the flash memory on the router? Or is the beginning of the firmware image where it boots, not the real beginning of the flash? I am basically only wanting to extract the firmware binary.
Edit 2: The router seems to be an unmodded MR3020, if it matters.
I found this on the wiki page:

```
Bytes transferred = 3932160 (3c0000 hex)
hornet> erase 0x9f020000 +0x3c0000
First 0x2 last 0x3d sector size 0x10000
61 Erased 60 sectors
hornet> cp.b 0x80000000 0x9f020000 0x3c0000
Copy to Flash... write addr: 9f020000
```
Does this mean that 0x3c0000 is the size of the flash?
(Last edited by abduct on 30 Apr 2015, 00:12)
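The post above plans to capture the `md.b` output over serial and turn it into a binary image with Ruby. The following is an added example (not code from the poster or from U-Boot) of the two pieces that plan needs: a parser for the `md.b` line format (address, colon, up to 16 hex bytes, ASCII gutter, which is the U-Boot 1.1.x layout) that refuses to build an image when addresses are not contiguous, so dropped serial lines are caught before reversing starts, and a helper that sums partition sizes from the `mtdparts=` string so the `[# of objects]` argument covers exactly the partitions you want and nothing past them. The serial log and the mtdparts string are constructed sample input; whether the mtdparts layout matches the device's actual flash layout is the poster's open question and is not settled here.

```ruby
# Added example: post-process a captured U-Boot `md.b` log into a raw image
# and derive the `md.b` object count from an mtdparts= string.
# Assumed md.b line format (U-Boot 1.1.x):
#   "9f020000: 27 05 19 56 ... 1e    '..VP._.U.K..:.."
# Nothing here talks to the device; it only reads a saved serial log.

MD_LINE = /\A([0-9a-f]{8}):((?:\s[0-9a-f]{2}){1,16})/i

# Convert an md.b log (prompts and echoed commands may be mixed in) into a
# binary String. Raises on an address gap, which is what a dropped or
# garbled serial line looks like.
def md_to_binary(log, expect_start: nil)
  out = String.new(encoding: Encoding::BINARY)
  next_addr = expect_start
  log.each_line do |line|
    m = MD_LINE.match(line) or next   # skip prompts, echoed commands, noise
    addr  = m[1].to_i(16)
    bytes = m[2].split.map { |h| h.to_i(16) }
    if next_addr && addr != next_addr
      raise "gap in dump: expected 0x#{next_addr.to_s(16)}, got 0x#{addr.to_s(16)}"
    end
    out << bytes.pack("C*")
    next_addr = addr + bytes.size
  end
  out
end

# Parse a Linux mtdparts= string into [name, size_in_bytes] pairs.
# Example input: "ar7240-nor0:256k(u-boot),64k(u-boot-env),..."
def parse_mtdparts(mtdparts)
  spec = mtdparts.sub(/\A[^:]*:/, "")  # drop the "device:" prefix
  spec.split(",").map do |part|
    m = /\A(\d+)([kKmM]?)\((\w[\w-]*)\)/.match(part) or raise "bad partition #{part}"
    mult = { "" => 1, "k" => 1024, "m" => 1024 * 1024 }[m[2].downcase]
    [m[3], m[1].to_i * mult]
  end
end

# Number of bytes covered by the named partitions; this is the value to
# pass as md.b's [# of objects] when dumping exactly those partitions.
def md_object_count(parts, names)
  parts.select { |name, _| names.include?(name) }.sum { |_, size| size }
end

# The md.b command line for a given start address and byte count.
def md_command(start_addr, count)
  format("md.b 0x%x 0x%x", start_addr, count)
end

# Constructed sample input: two md.b lines, first 4 bytes are the uImage
# magic 0x27051956 (the other bytes are made up).
SAMPLE_LOG = <<~'EOS'
  hornet> md.b 0x9f020000 0x20
  9f020000: 27 05 19 56 50 d6 5f 0a 55 b8 4b 0a 00 3a 1c 1e    '..VP._.U.K..:..
  9f020010: 80 06 00 00 80 06 00 00 ab cd ef 01 05 05 02 03    ................
  hornet>
EOS

SAMPLE_MTDPARTS = "ar7240-nor0:256k(u-boot),64k(u-boot-env),2752k(rootfs),896k(uImage),64k(NVRAM),64k(ART)"

if __FILE__ == $PROGRAM_NAME
  image = md_to_binary(SAMPLE_LOG, expect_start: 0x9f020000)
  puts "image bytes: #{image.bytesize}, magic: 0x#{image.unpack1('N').to_s(16)}"
  parts = parse_mtdparts(SAMPLE_MTDPARTS)
  puts "total flash per mtdparts: #{parts.sum { |_, s| s }} bytes"
  puts md_command(0x9f020000, md_object_count(parts, %w[rootfs uImage]))
end
```

Run it on a real capture by reading the serial log into a string, calling `md_to_binary` with the address you started at, and writing the result with `File.binwrite`. The `expect_start` check is the important part: a terminal emulator dropping a single 16-byte line shifts everything after it, and the resulting image would look like a corrupt SquashFS rather than an obviously broken dump.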