INITIAL COMMANDS (DONE WHEN NAND INSERTED AND AFTER OPENWRT BOOTS, REBOOTS EVERY TIME NAND IS INSERTED)

syscfg init1 && echo "starting command prompt" > /dev/ttyS1 -- Does NAND init(?) then prints to client console (ttyS1)

syscfg -v && cat /proc/version -- Prints version info

syscfg config1 FPDoVsW6Ru+MkIWqA8a+m8mpoJnqANTeJGZCpLxvOy8= -- Sets first encryption key(?)

syscfg config2 TdNeNC3H19DtfFfDcOSa2XjpLBpsqp/kNgbxa76jKAE= -- Sets second encryption key(?)

syscfg cmd1 a43PWFpE0YeZVFjh0T+WpQ== 200 -- This reads raw syscfg from NAND and places it unencrypted as /tmp/pciedata, base64 arg seems to be another key





COMMANDS USED TO READ FDR

syscfg cmd3 4 -- Initiates seemingly sequential search on NAND FS looking for "appv" entries in FactoryData, saves contents encrypted in /tmp/facdata directory

cd /tmp/ && cp /tmp/facdata/1300062003_appv /tmp/pciedata && touch /tmp/n3.bin.gz && rm -f /tmp/n3.bin.gz && syscfg get > /dev/null 2>&1 && cat /tmp/encode && rm -f /tmp/pciedata && rtc --set 20141111111111 -- Sends first encryped appv file found to host as gzipped base64 encoded data

cd /tmp/ && cp /tmp/facdata/1300118001_appv /tmp/pciedata && touch /tmp/n3.bin.gz && rm -f /tmp/n3.bin.gz && syscfg get > /dev/null 2>&1 && cat /tmp/encode && rm -f /tmp/pciedata && rtc --set 20141111111111 -- Does the same thing again for second file

syscfg cmd3 5 151 1980 - Initiates another search for more factory data, which I cancel

syscfg cmd1 a43PWFpE0YeZVFjh0T+WpQ== 200 -- Reloads syscfg data from NAND, same as above