I have this router which was custom-flashed and paired with a 4 GB USB external root. The problem is I want to know what is on its filesystem, but the partitions are encrypted, only to be decrypted at boot with cryptsetup.
I have access to serial and I know where the decryption keys are since the path is displayed during init boot, but the serial root console is disabled.
With this being the case I am trying to dump the flash memory so that I can uncompress it and take the keys so I can mount the USB drive myself in a full linux environment to take a look at what this router is hiding.
I know, for the most part, what I need to do and have been semi-successful, although I need a bit of help working with U-Boot.
My plan of attack is to dump the flash via the `md` command and then use Ruby scripting to take the hex dump, clean it up, and convert it into a binary firmware image, which I can further reverse from there.
My problem is I don't quite understand how `md` works. I have it dumping partial flash memory but I don't understand how to make it dump the entire memory.
Here are the environment and version of U-Boot:

```
hornet> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),2752k(rootfs),896k(uImage),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f020000
bootdelay=1
baudrate=115200
ethaddr=0xba:0xbe:0xfa:0xce:0x07:0x41
ipaddr=192.168.1.111
serverip=192.168.1.100
stdin=serial
stdout=serial
stderr=serial
ethact=eth0
Environment size: 362/65532 bytes
hornet> ?
? - alias for 'help'
bootm - boot application image from memory
cp - memory copy
erase - erase FLASH memory
help - print online help
md - memory display
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nm - memory modify (constant address)
printenv- print environment variables
progmac - Set ethernet MAC addresses
reset - Perform RESET of the CPU
setenv - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version
hornet> version
U-Boot 1.1.4 (Aug 17 2012 - 15:21:03)
hornet> help md
md [.b, .w, .l] address [# of objects]
- memory display
```
I know the start of the flash kernel is 0x9f020000, but how do I tell `md` to read the entire flash? If I run `md.b 0x9f020000` by itself, it prints something like the first 40 bytes. If I supply a [# of objects] value in hex it does read more, but how can I tell it to read only the full firmware image and not any further into memory? I have a feeling that if I supply too large a hex number it will start reading past the firmware into other regions of memory.
Any help is appreciated!
Thanks.
Edit:: Would it work if I specified the beginning of the firmware image, and then the total size of the flash memory on the router? Or is the beginning of the firmware image where it boots, not the real beginning of the flash? I am basically only wanting to extract the firmware binary.
Edit2:: The router seems to be an unmodded MR3020, if it matters.
I found this on the wiki page:

```
Bytes transferred = 3932160 (3c0000 hex)
hornet> erase 0x9f020000 +0x3c0000
First 0x2 last 0x3d sector size 0x10000 61
Erased 60 sectors
hornet> cp.b 0x80000000 0x9f020000 0x3c0000
Copy to Flash... write addr: 9f020000
```
Does this mean that 0x3c0000 is the size of the flash?
(Last edited by abduct on 29 Apr 2015, 22:12)
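The post describes capturing `md` output over serial and using Ruby to clean the hex dump up into a binary image. The script below is an added editorial example, not the poster's script and not part of the original thread: it parses `md.b` lines into bytes, reports any address discontinuity (a dropped or repeated serial line, which would otherwise silently shift every later byte of the image), and computes the offset, size and mapped address of each partition named in the `mtdparts=` string from the `printenv` output. Two things are assumptions rather than facts from the post: the `md.b` line format (`<8-digit address>: <hex bytes>    <ascii>`, as U-Boot 1.1.x prints it) and a flash base address of 0x9f000000, under which 0x9f020000 is byte offset 0x20000 into the chip. The sample capture embedded at the bottom is constructed for the demonstration.

```ruby
# Added example (editor's illustration, not the poster's script): turn a
# serial capture of U-Boot "md.b" output into a binary image, report gaps
# caused by dropped or repeated serial lines, and compute where each
# partition named in the mtdparts= string of the printenv output starts.
#
# Assumptions not stated in the post:
#   * md.b prints one line per 16 bytes as
#       "<8-digit addr>: <hex bytes>    <ascii>"   (U-Boot 1.1.x format);
#   * the NOR flash is memory-mapped at FLASH_BASE, so 0x9f020000 is byte
#     offset 0x20000 into the chip.

FLASH_BASE = 0x9f000000

# Address, then 1..16 space-separated hex bytes, then whitespace or end of
# line; the trailing ASCII column is deliberately not captured.
MD_LINE = /\A([0-9a-f]{8}):((?:\s[0-9a-f]{2}){1,16})(?:\s|\z)/i

# Parse md.b output into [binary_string, first_address, gaps].
# gaps holds [expected_address, seen_address] pairs for every line whose
# address is not the one that should follow the previous line, so a dump
# damaged in transit is noticed instead of silently shifting later bytes.
def parse_md_dump(text)
  image = "".b
  first = nil
  expected = nil
  gaps = []
  text.each_line do |raw|
    m = MD_LINE.match(raw.strip)
    next unless m # prompts, echoed commands and blank lines are skipped
    addr = m[1].to_i(16)
    bytes = m[2].split.map { |h| h.to_i(16) }
    first ||= addr
    expected ||= addr
    gaps << [expected, addr] if addr != expected
    image << bytes.pack("C*")
    expected = addr + bytes.size
  end
  [image, first, gaps]
end

# Parse "dev:SIZE(name),SIZE(name),..." into an ordered list of partitions
# with byte offset, size and memory-mapped address. Sizes may carry k or m.
def parse_mtdparts(spec, base = FLASH_BASE)
  _device, parts = spec.split(":", 2)
  offset = 0
  parts.split(",").map do |part|
    m = /\A(\d+)([km]?)\(([^)]+)\)\z/i.match(part.strip)
    raise ArgumentError, "unrecognised mtdparts entry: #{part}" unless m
    size = m[1].to_i * { "" => 1, "k" => 1024, "m" => 1024 * 1024 }[m[2].downcase]
    entry = { name: m[3], offset: offset, size: size, address: base + offset }
    offset += size
    entry
  end
end

# Total bytes covered by the mtdparts string.
def mtdparts_total(spec)
  parse_mtdparts(spec).sum { |e| e[:size] }
end

# Cut one region out of a parsed dump, refusing to return a short or shifted
# slice when the dump does not actually cover the requested range.
def slice_region(image, dump_start, address, size)
  off = address - dump_start
  raise RangeError, "dump starts after 0x#{address.to_s(16)}" if off < 0
  raise RangeError, "dump too short for region" if off + size > image.bytesize
  image.byteslice(off, size)
end

# Constructed sample capture: a prompt line, three md.b lines and a trailing
# prompt. The first four bytes are the uImage header magic (27 05 19 56).
SAMPLE_DUMP = <<~'DUMP'
  hornet> md.b 0x9f020000 0x30
  9f020000: 27 05 19 56 0c 41 c3 d1 13 bb 5a 83 00 0e 0a 4e    '..V.A....Z....N
  9f020010: 80 06 00 00 80 06 00 00 8f 4f 8e 0b 05 05 02 03    .........O......
  9f020020: 4d 49 50 53 20 4c 69 6e 75 78 20 6b 65 72 6e 65    MIPS Linux kerne
  hornet>
DUMP

# The mtdparts value exactly as printed by printenv in the post.
MTDPARTS = "ar7240-nor0:256k(u-boot),64k(u-boot-env),2752k(rootfs),896k(uImage),64k(NVRAM),64k(ART)"

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby md2bin.rb [capture.txt [out.bin]]; with no arguments the
  # constructed sample above is parsed and summarised.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_DUMP
  image, first, gaps = parse_md_dump(text)
  puts format("dump: %d bytes from 0x%08x, %d gap(s)", image.bytesize, first, gaps.size)
  gaps.each { |exp, got| puts format("  expected 0x%08x, got 0x%08x", exp, got) }
  parse_mtdparts(MTDPARTS).each do |p|
    puts format("%-10s offset 0x%06x size 0x%06x at 0x%08x", p[:name], p[:offset], p[:size], p[:address])
  end
  puts format("mtdparts total: 0x%x bytes", mtdparts_total(MTDPARTS))
  File.binwrite(ARGV[1], image) if ARGV[1]
end
```

The gap list is the part worth keeping an eye on: a serial capture of several megabytes of `md.b` output will usually lose or duplicate a line somewhere, and without the address check the resulting image looks plausible but is misaligned from that point on. The partition table is computed purely from the `mtdparts=` string the post shows; whether that string matches the physical layout of the chip is a separate question that the script does not answer.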