Finally, me and a coworker found out how to extract the files from the "firmware" mtd5 partition. The partition has a YAFFS1 filesystem, with 1024 pages and 16 bytes spare bytes and inside it there is a SquashFS filesystem. First, the 0xFF padding that happens every 0x10000 bytes must be r...

I don't know, but the math sounds similar to the way some of the enterprise SSD's or HD's drives are made (many of these are formatted with 520 or 528 bytes instead of the usual 512). The actual "cell" (or sector group) size on the device should be anyway 4096 bytes or a multiple, and the...

So, there are two "layers". 1024+16=1040 63*1040=65520 65520+16=65536 Interesting. It would make sense to have these extra 16 bytes at the end of a group of "sectors" to "get even" to a multiple of 1024, 64*1024=65536. Later I'll check if the 0xff separators where intr...

Spoiler alert: I DID IT. This is the short version, if someone wants a longer, detailed write-up, let me know and I'll post it here. Step 1: Trim the beginning of the file, until 0x10000 # dd if=mtd5.nanddump.bin of=mtd5_trimmed bs=1 skip=65536 Step 2: I noticed there were 16 0xFF separators every 6...

I was writing a long write-up on how I was troubleshooting the issue on the OOB but I found out something else was the problem. I downloaded the newest version available for squashfs-tools ( https://github.com/plougher/squashfs-tools ), compiled it with the tracing function enabled and fiddled aroun...

Nice find. :) The related blog post: https://www.j-michel.org/blog/2014/05/27/from-nand-chip-to-files explains in detail how the oob/spare data works :) , and on the main page: https://github.com/Hitsxx/NandTool/tree/master it is clear that you can use oob and page size instead of chip ID (as it se...

[double post]

Could be that MT uses non-standard Squashfs for devices or it was not correctly dumped or fs is corrupted on flash. I know for sure that from CHR image Squashfs can be extracted with binwalk , done it many times. I dumped using both OpenWRT's MTD backup function and dd tool. Also dumped with dd the...

I think unsquash Is very "strict" and expects a "sound" filesystem and throws a fit even if minor issues are found. I cannot remember if a tool for recovery/fix exists, something *like* dmde which Is excellent for other filesystems. 7-zip should be capable of reading a squashfs ...

Try with extract binwalk command line option: binwalk --run-as=root -e OpenWrt.mtd5.bin This should extract any supported extractable data found in image including Squashfs . Yes, that's exactly how I'm extracting the mtd's dump content. It creates a file named [XXXX].squashfs and tries to unsquash...

I was able to dump the MTD devices contents, by PXE booting the device using a OpenWRT firmware using this guide: https://openwrt.org/toh/mikrotik/common . After running binwalk on each dump file, a SquashFS filesystem was found: root@debian:/home/kauedg/Downloads/mtd# binwalk OpenWrt.mtd5.bin DECIM...

Is it possible to create a bit-by-bit image of a Mikrotik device and mount it on another OS, like Linux? I need to perform a forensic analysis on a Mikrotik device, but I was unable to extract the filesystem from the flash storage. Any technical articles por general guides on what to do/learn will b...