Backing up Router Config

[Jeffrey Young]

I learned a long time ago the value of good backups. I do a rolling 31 day snap shot of both the jffs and USB using tar as a backup. Run daily from a cron job

 

[sbsnb]

I just do this from my PC as a batch file:

pscp -scp -p -r -i "router.ppk" -P 5543 admin@192.168.1.1:/jffs "E:\Router\RT-AX88U\jffs"
pscp -scp -p -r -i "router.ppk" -P 5543 admin@192.168.1.1:/opt "E:\Router\RT-AX88U\entware"
plink -i "router.ppk" -P 5543 -batch admin@192.168.1.1 nvram show > "E:\Router\RT-AX88U\\nvram.txt"

I prefer the nvram in text so I can find and read specific values.

 

[Lynx]

Concerning nvram, and:

nvram save mybackup.cfg

why is the output significantly different to the output downloaded from the GUI? Does that mean that the GUI should not be used to restore the nvram save? Am I missing anything?
Concerning JFFS, using the following form to save my JFFS:

tar -cf - -C /jffs . | rclone [..etc..]

seems to give an output that is almost identical to the JFFS save from the GUI. So I assume I could just use the GUI to restore that to JFFS?

tar --to-command=md5sum -xvf jffs_386.3.tar > out1
tar --to-command=md5sum -xvf backup_jffs.tar > out2
diff out1 out2

 

[ColinTaylor]

Concerning nvram, and:

why is the output significantly different to the output downloaded from the GUI? Does that mean that the GUI should not be used to restore the nvram save? Am I missing anything?

The save file is lightly encrypted using a random number. So each file will be completely different apart from the first few bytes in the header.

 

[Lynx]

Ah thank you!

Would using GUI to restore the NVRAM and JFFS be expected to keep everything running? I think I tried this earlier and saw that VPN wouldn't connect: error - check config. But maybe I didn't do something properly. Any thoughts?

 

[ColinTaylor]

Overwriting the currently running config with a different one from a backup I would expect to cause problems. So I always reboot the router immediately after doing any kind of restore.

 

[Lynx]

Thanks again for your input. I think I used the GUI to upload JFFS and then the CFG, which I think automatically performs a reset, but then notices VPN wouldn't connect with 'config error'. Maybe something gets lost in respect of VPN here though.

 

[sbsnb]

The save file is lightly encrypted using a random number. So each file will be completely different apart from the first few bytes in the header.

If the router just decrypts it and applies the settings, what's the point of the encryption in the first place? Perhaps it's salted or hashed with something indicating the router model to prevent restoring a settings file from an incompatible model?

 

[ColinTaylor]

If the router just decrypts it and applies the settings, what's the point of the encryption in the first place? Perhaps it's salted or hashed with something indicating the router model to prevent restoring a settings file from an incompatible model?

There's nothing clever going on, the format hasn't changed for years. It's more like obscuration than encryption. Probably because the user names and passwords were stored in nvram in plain text until very recently.

 

[Lynx]

If we save using 'nvram save' and upload using the GUI does the GUI still use the correct decryption process? I presume the 'nvram save' and 'nvram restore' encyrption/decryption is the same? Is the encryption/obfuscation just based on the output of 'nvram show'? We could presumably work out the encryption for fun?

 

[ColinTaylor]

If we save using 'nvram save' and upload using the GUI does the GUI still use the correct decryption process? I presume the 'nvram save' and 'nvram restore' encyrption/decryption is the same?

Yes, it's all the same file.

Is the encryption/obfuscation just based on the output of 'nvram show'? We could presumably work out the encryption for fun?

No need. There's already explanations of the encryption process online and you can look at the firmware source code to see it for yourself.

 

[Lynx]

Thanks So the encryption key is presumably stored in the output file give that it is randomly applied, so that the upload process can properly work notwithstanding the randomisation of the encryption key?

 

[ColinTaylor]

Thanks So the encryption key is presumably stored in the output file give that it is randomly applied, so that the upload process can properly work notwithstanding the randomisation of the encryption key?

Correct.