By modifying the MTD map driver (responsible for mapping the root filesystem into
/dev/mtdblock0, thus allowing it to be used as the root fs!), I could access the whole flash memory of my router. It was very simple, and it allows dumping the
whole firmware, that is:
- CFE bootloader
- firmware header (the 256-bytes header described in FirmwareFormat)
- root filesystem image
- kernel
- some extra stuff, including the router settings; decoding this might be useful to allow storage of new parameters (custom iptables rules, for instance)
You can download the
source and
compiled module (compile it like the module in the
KernelChmod trick); once the module is loaded, you should be able to access
/dev/mtdblock1 and dump it; for instance, I used the netcat of a cross-compiled busybox (binary available
here) and ran
busybox nc -l -p 1234 < /dev/mtdblock1 on the router, then on my PC
nc 192.168.1.1 1234 > flashdump. Wait a bit, and you have your flash image.
Splitting the firmware image into its components is very easy: the first 64KB is the CFE bootloader; then there's a "header" telling the size of the root filesystem and the kernel. The remaining part is yet to be decoded.
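As an added example (not part of the original page or its module), here is a small carving script that applies the layout above to a raw /dev/mtdblock1 dump: 64KB of CFE, a 256-byte header, then the root filesystem and kernel of the sizes the header gives, and the undecoded remainder. The position of the two size fields inside the header is an assumption (see parse_header); take the real offsets from the FirmwareFormat page.

```python
import struct

CFE_SIZE = 64 * 1024   # the text: first 64KB of the flash is the CFE bootloader
HEADER_SIZE = 256      # the text: 256-byte firmware header follows the CFE


def parse_header(header: bytes) -> tuple:
    """Return (rootfs_size, kernel_size) from the 256-byte header.

    ASSUMPTION: the two sizes are stored as big-endian 32-bit words at
    offsets 0 and 4. The real layout is documented on the FirmwareFormat
    page; replace this function with the real field offsets.
    """
    if len(header) != HEADER_SIZE:
        raise ValueError("header must be exactly %d bytes" % HEADER_SIZE)
    rootfs_size, kernel_size = struct.unpack(">II", header[:8])
    return rootfs_size, kernel_size


def split_flash_dump(dump: bytes) -> dict:
    """Carve a raw /dev/mtdblock1 dump into the parts the text lists."""
    if len(dump) < CFE_SIZE + HEADER_SIZE:
        raise ValueError("dump too short to contain CFE and header")
    parts = {"cfe": dump[:CFE_SIZE]}
    header = dump[CFE_SIZE:CFE_SIZE + HEADER_SIZE]
    parts["header"] = header
    rootfs_size, kernel_size = parse_header(header)
    off = CFE_SIZE + HEADER_SIZE
    # Sanity-check the sizes before trusting them: a wrong header layout
    # or a truncated netcat transfer shows up here instead of as silent garbage.
    if off + rootfs_size + kernel_size > len(dump):
        raise ValueError("header claims more data than the dump holds")
    parts["rootfs"] = dump[off:off + rootfs_size]
    off += rootfs_size
    parts["kernel"] = dump[off:off + kernel_size]
    off += kernel_size
    parts["extra"] = dump[off:]   # settings and whatever else is not decoded yet
    return parts


def build_sample_dump(rootfs: bytes, kernel: bytes, extra: bytes) -> bytes:
    """Constructed test input laid out as the text describes (not a real dump)."""
    header = struct.pack(">II", len(rootfs), len(kernel)).ljust(HEADER_SIZE, b"\0")
    return b"CFE!".ljust(CFE_SIZE, b"\xff") + header + rootfs + kernel + extra
```

On a real dump, read the file with open("flashdump", "rb") and pass its contents to split_flash_dump; a ValueError from the size check usually means the transfer was cut short or the header offsets are wrong.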