Recovery-Dump

---

BoxMatrix >> Development >> Recovery-Dump

@ BoxMatrix   -   IRC-Chat   -   Translate: de es fr it nl pl

News

Selectors

Models

Accessories

Components

Environment

Config

Commands

System

Webif

Software

Develop

Lexicon

Community

Project

Media

---

Tarballs

GPL-Browser

FW-Probes

FW-History

FW-News

Supportdata

Hardware

SVN

Trac

Freetz-News

Freetz-Timeline

Freetz-Releases

Freetz-Mirror

OpenWRT

Research

---

Contents 1 Recovery-Dump 1.1 Introduction 1.2 Realization 2 EVA-Commands 2.1 <connect> 2.2 USER 2.3 PASS 2.4 SYST 2.5 TYPE 2.6 MEDIA 2.7 P@SW 2.8 RETR 2.9 SETENV 2.10 STOR 2.11 <disconnect>

Recovery-Dump[edit]

Introduction[edit]

During development of FIT-Image and to improve push_firmware it is important to see how an AVM Recovery.exe performs the upload to EVA for each model. Currently this is done by running Wireshark during a recovery and analyze the strings in the dump. This is tiredsome work and requires the respective model and/or someone who is willing to perform and dump a recovery.

To save time and to be able to dump all recoveries independently it would be better to have some EVA simulation which directly creates a transscript. The idea of evasim server and its client recdump was born.

Realization[edit]

This is currently just collecting ideas and may change.

EVA-Simulation server evasim:

• All server stuff has to run on Linux as root.
• A virtual network interface has to be created at the default IP 192,168,178,1, as described here.
• The server will be an extended and also stripped down variant of this full featured Perl FTP server.
• A wrapper script controls the creation and destruction of the interface and server to simulate the reboot cycle.
• The server gets a special FTP command to set HWRevision and Branding of the emulated box.
• It then fetches the Environment of the respective model from BoxMatrix so the recovery could fetch it.

Recovery-Dump client recdump:

• All client stuff runs as a non privileged user
• A wrapper script extracts HWRevision and Branding from the recovery and sends it to the server.
• The Recovery.exe then is executed using WINE.
• After this the wrapper downloads the dump from the server and stores it as <recoveryname>.txt
• The formatting should be like this handcrafted recovery transscript.

Considerations;

• It would be a dream to have recovery transscripts of all recoveries ever, as RecDump listings in the Firmware-History.
• This task could not be performed on the BoxMatrix server but must be dispatched to my home, like the AVM-Tarballs scans.
• This would be useful for models which received repartitioning updates, keyword "Zwischenupdate" (intermediate updates).
• It would be a dream to automate user interactions and timing of the recovery and server using AutoIt for mass dumping.

EVA-Commands[edit]

For a recovery these EVA commands are required:

>> = to EVA
<< = from EVA

<connect>[edit]

Not a command but EVA responds

>> <connect>
<< 220 ADAM2 FTP Server ready

USER[edit]

>> USER adam2
<< 331 Password required for adam2

PASS[edit]

>> PASS adam2
<< 230 User adam2 successfully logged in

SYST[edit]

>> SYST
<< 215 AVM EVA Version 1.11177 0x0 0x4640D

TYPE[edit]

 >> TYPE I
 << 200 Type set to BINARY

MEDIA[edit]

>> MEDIA FLSH
<< 200 Media set to MEDIA_FLASH

>> MEDIA SDRAM
<< 200 Media set to MEDIA_SDRAM

P@SW[edit]

>> P@SW
<< 227 Entering Passive Mode (192,168,178,1,95,32)

RETR[edit]

A recovery first retreives the Bootloader-Environment to get all info about the target model.

>> RETR env
<< 150 Opening BINARY data connection
<< <env-blob>
<< 226 Transfer complete

A recovery retrieves the operating time counter to preserve it before cleaning the config partition[s].

>> RETR count
<< 150 Opening BINARY data connection
<< <counter-blob>
<< 226 Transfer complete

SETENV[edit]

For models which are not recovered by a put mtd memsize and kernel_args_tmp need to be set.

>> SETENV memsize 0x1dee0000
<< 200 SETENV command successful
>> SETENV kernel_args_tmp "avm_fwupdate mtdram1=0x1dee0000,0x20000000 mtdparts_ext=update-image.0:0x2120000@0x0(fit-image)"
<< 200 SETENV command successful

STOR[edit]

For NAND config models a recovery stores the cleaned config partition.

>> STOR mtdnand
<< 150 Opening BINARY data connection
>> <nandtffs-blob>
<< 226 Transfer complete

For models which are not recovered by a put mtd an absolute put (media SDRAM) is oerformed

<< 227 Entering Passive Mode (192,168,178,1,17,31)
>> STOR 0x1dee0000 0x20000000
<< 150 Opening BINARY data connection
>> <fitimg-blob>
<< 226 Transfer complete

<disconnect>[edit]

Not a commnd but EVA responds:

<< 221 Thank you for using the FTP service on ADAM2
<< 221 Goodbye.