By modifying the MTD map driver (which maps the root filesystem into /dev/mtdblock0 so that it can be used as the root fs), I could access the whole flash memory of my router. It was very simple, and it allows the whole firmware to be dumped, that is:
CFE bootloader
firmware header (the 256-bytes header described in FirmwareFormat)
root filesystem image
kernel
some extra stuff, including the router settings; decoding this might be useful to allow storing new parameters (custom iptables rules, for instance)
You can download the source and compiled module (compile it like the module in the KernelChmod trick); once the module is loaded, you should be able to access /dev/mtdblock1 and dump it. For instance, I used the netcat of a cross-compiled busybox (binary available here) and ran busybox nc -l -p 1234 < /dev/mtdblock1 on the router, then nc 192.168.1.1 1234 > flashdump on my PC. Wait a bit, and you have your flash image.
Splitting the firmware image into its components is very easy: the first 64KB is the CFE bootloader; then there's a "header" telling the size of the root filesystem and the kernel. The remaining part is yet to be decoded.