Differences

This shows you the differences between two versions of the page.

docs:guide-user:troubleshooting:tftpserver [2022/04/04 08:04] – changed tftp warning paragraph, etc aterikdocs:guide-user:troubleshooting:tftpserver [2024/04/28 17:45] – Logical restructuring anf small fixes jalakas
Line 1: Line 1:
-====== Setting up a TFTP server for TFTP Recovery/Install ======+===== What is TFTP Recovery over Ethernet? =====
  
-__WARNING__ : TFTP server & client tools //(based on TFTP protocol)// uses much lesser //(or almost no)// securityto make sure low level data transfer can occur easily between devices //(in the hand of user who have devices in front of him/her)//. So access to TFTP-client (''tftp'') and TFTP-Server (''tftpd'') tool/app must be made secure, primarily from hackers from internet //(and TFTP-Server & Client both must also be kept secure isolated from harmful/ignorant internal users or from hijacked computers, inside your own LAN network)//. If necessary, create separate subnet under 2nd level router, then work / develop / troubleshoot under that subnet with devices which will handle TFTP client/server protocolsIf your computer is also used as desktop computer for general purpose, then make sure TFTP-client & TFTP-server, both are placed behind a firewall //(''frwl'')// system or rules, firewall rules should be: //(frwl rule # 1)// allow TFTP traffic when connections originated from local LAN ip.address range and also ended into local LAN ip.address range, //(frwl rule # 2)// TFTP traffic is Not-Allowed when it is from/to ''127.0.0.1'' or ''lo'', //(frwl rule # 3)// TFTP traffic is Not-Allowed when originated from Internet-ip-address //(aka: NON private-LAN ip-address ranges, & NON Local-loop ip-address)//, And you must also make sure to do this: after your work is done or when you pause for other work, then make sure the TFTP-server //(and TFTP-client)// is completely disabled in your OS/distro : turn off TFTP-Server service / processdisable TFTP-server startup script file, and **move** the TFTP-client (''tftp'') & the TFTP-server (''tftpd'') executable / binary //(''bin'')// files out of all folders mentioned in your PATH variable, and also move bin files out of the folder which is mentioned in startup-script //(if such is used)//. 
If you keep TFTP-Server running or if you keep the TFTP-client tool available to run anytime, then abusive hackers can abuse/exploit it to load harmful firmware and/or change sensitive security settings in your existing router firmware. +On most devices, the vendor provides boot loader on discreet partition that is untouched by firmware updatesIn case of failed flash process or in case of a misconfiguration, the device's boot loader usually remains untouched and can therefore be used to reflash the firmware and recover the device.
- +
- +
-===== What is TFTP Recovery over Ethernet? =====+
  
-On most devices, the vendor provided boot loader is a partition separated from the actual firmware. In case of a failed flash process or in case of a misconfiguration, the device's boot loader usually is still untouched and fully working. It the boot loader has a built-in "TFTP recovery mode", it enables to regain control of a device with a broken firmware partition, by allowing a recovery flash process (which will also reset your configuration to the device defaults). +There are two potential modes of operation:
  
-For many routers the recovery works by starting a TFTP server on your computerThen device with the broken firmware has to be started up in TFTP recovery mode. Some devices then will pull the network-provided firmware file over TFTP network protocol to the OpenWrt and hopefully recover with a successful emergency flash process.+**1. TFTP recovery client**
  
-Some devices do not have automatic pull function and they need manual TFTP copy commands in recovery mode to get firmware from TFTP and firmware install.+For many routers, the recovery process requires you to host the firmware image on a TFTP server on your computer. Then device with the broken firmware then has to be started up in TFTP recovery mode. Some devices then will automatically pull the network-provided firmware file over TFTP network protocol to the OpenWrt and hopefully recover with a successful emergency flash process.
  
-NOTE: Some other routers, e.g. many Netgear routers, have TFTP server on themselves, and the PC needs to act as TFTP client. The "TFTP recovery mode" can also mean that, so look carefully at info about your router to find out which method your router possibly supports.+Other devices do not have automatic pull function and they need you to manually TFTP copy commands in recovery mode to download the firmware via TFTP and initiative the install.
  
-The below article mainly advises on the "TFTP client at router" recovery.+**2. TFTP recovery server**
  
 +Some other routers, e.g. many Netgear routers, run a TFTP server in recovery mode, and you need to upload the firmware to the device using a TFTP client.
  
-===== Is TFTP recovery over Ethernet Supported by my Device? =====+The below article mainly advises on the first mode of recovery, i.e. the router runs a TFTP client and you need to host the firmware image on a TFTP server. 
 +\\ 
 +===== Is TFTP Recovery over Ethernet supported by my device? =====
  
 TFTP recovery over Ethernet is not supported by every router model. TFTP recovery is based on a device- and vendor-specific boot loader that may or may not be present on your device. Check the OpenWrt device page for your precise model to find out, if your device has a boot loader supporting TFTP recovery. If your device supports it, then this recovery function will still be present in your device boot loader, after OpenWrt firmware has been flashed onto the device. TFTP recovery over Ethernet is not supported by every router model. TFTP recovery is based on a device- and vendor-specific boot loader that may or may not be present on your device. Check the OpenWrt device page for your precise model to find out, if your device has a boot loader supporting TFTP recovery. If your device supports it, then this recovery function will still be present in your device boot loader, after OpenWrt firmware has been flashed onto the device.
  
 Note: Note:
-  * Your device boot loader could alternatively have implemented TFTP recovery over [[:docs:techref:hardware:port.serial.cables|serial cable]], which is not covered on this page. +● Your device boot loader could alternatively have implemented TFTP recovery over [[:docs:techref:hardware:port.serial.cables|serial cable]], which is not covered on this page. 
-  Your device could also have [[docs:guide-user:troubleshooting:vendor_specific_rescue|other means of recovery]].\\ +● Your device could also have [[docs:guide-user:troubleshooting:vendor_specific_rescue|other means of recovery]]. 
- +\\
 ===== Setting up TFTP Recovery/Install ===== ===== Setting up TFTP Recovery/Install =====
  
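Review bot: the new intro text in this hunk carries a few wording slips that should be fixed before merge: "discreet partition" should be "discrete partition" (the boot loader lives on its own partition), "Then device with the broken firmware then has to be started up" doubles "then", "need you to manually TFTP copy commands" reads better as "need you to issue TFTP copy commands manually", and "initiative the install" should be "initiate the install". Also, the two items under "Note:" now begin with a literal "●" character instead of DokuWiki's "  * " list markup, so they will render as plain paragraphs rather than a list; the original "  * " form, which the restructured steps at "Line 33" still use, should be kept.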
Line 33: Line 32:
   - Set the IP address of your computer's Ethernet interface as described in the Device Page for your model.   - Set the IP address of your computer's Ethernet interface as described in the Device Page for your model.
   - Start the TFTP server on your computer.   - Start the TFTP server on your computer.
-  - Connect your computer and your device with Ethewnet cable. +  - Connect your computer and your device with Ethernet cable. 
-  - Power up the router and press a device-specific button to start firmware recovery over TFTP, +  - Power up the router and press a device-specific button to start firmware recovery over TFTP, or access boot loader recovery options and install recovery firmware over TFTP. 
-  - or access boot loader recovery options and install recovery firmware over TFTP.+  - Stop the TFTP server on your computer 
 +\\ 
 +==== Setting up a TFTP server for TFTP Recovery/Install ====
  
 +{{page>meta:infobox:tftp_warning&noheader&nofooter&noeditbtn}}
 +Access to TFTP-client (''tftp'') and TFTP-server (''tftpd'') tool/app must be made secure, from //(primarily)// hackers in internet //(and TFTP-server & client both must also be kept securely isolated from harmful/ignorant internal users or from hijacked computers, inside your own LAN network)//. If necessary, create a separate subnet under a 2nd level router, then work / develop / troubleshoot under that separate subnet with network devices which will handle TFTP client/server protocols.
  
-===== Setting up TFTP Server =====+If your computer is also used as a desktop computer for general purpose or for other purpose than build/compile, then make sure TFTP-client & TFTP-server, are both placed behind a firewall //(''frwl'')// system or rules<sup>[[https://unix.stackexchange.com/questions/99270/|1]], [[https://www.cyberciti.biz/faq/install-configure-tftp-server-ubuntu-debian-howto/|2]]</sup>. Firewall rules should be:
  
 +  * //(frwl rule # 1)// allow TFTP traffic (UDP 69) only when connections originate from a local LAN ip.address range and also end in the local LAN ip.address range
 +  * //(frwl rule # 2)// TFTP traffic is Not-Allowed when it is from/to ''127.0.0.1'' or ''lo''
 +  * //(frwl rule # 3)// TFTP traffic is Not-Allowed when originated from Internet-ip-address //(aka: NON private-LAN ip-address ranges)//
  
-==== On macOS ==== +And you must also make sure to do this: after your develop / troubleshooting etc work is done or when you pause to goto other work, then make sure the TFTP-server and TFTP-client both are completely disabled in your OS/distro : turn off TFTP-server service / process, disable TFTP-server startup script file, and **move** the TFTP-client (''tftp''& the TFTP-server (''tftpd'') executable binary //(''bin'')// files out of all folders mentioned in your PATH variableinto a different folder (which is NOT in the PATH variable), and also move bin files out of the folder which is mentioned in startup-script //(if such is used)//.
- +
-macOS provides a native tftpd server that runs the command line. However, it is not verified to work on recent versions (10.15.x). So alternative option-1 is: use ''dnsmasq'' instead. There are also GUI //(frontend/wrapper)// applications that are available for users who prefer such//(in example: TFTPServer.app)//. Alternative option-2 is: use MacPorts //(or other)// package-manager & obtain tftpd server & dnsmasq, more info is here: [[:docs:guide-developer:toolchain:buildroot.exigence.macosx|buildroot.exigence.macosx]].+
  
 +**<color #ed1c24>If you keep TFTP-server running or if you keep the TFTP-client tool available to run anytime, then abusive hackers can abuse/exploit it, to load harmful firmware and/or to change sensitive security settings inside your existing router firmware<sup>[[https://nvd.nist.gov/vuln/detail/CVE-2020-26130|1]], [[https://www.cvedetails.com/vulnerability-list.php?vendor_id=98&product_id=0&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=4|2]], [[https://www.cvedetails.com/vulnerability-list/vendor_id-7940/Tftp-server.html|3]], [[https://www.cvedetails.com/vulnerability-list/vendor_id-1305/product_id-2282/Solarwinds-Tftp-Server.html|4]], [[https://www.cvedetails.com/vulnerability-list/vendor_id-16/product_id-1628/Cisco-Tftp-Server.html|5]], [[https://nvd.nist.gov/vuln/detail/CVE-2019-0603|6]]</sup>, etc.</color>**
 +\\ \\
 +==== Setting up a TFTP server on macOS ====
  
 +macOS provides a native tftpd server that runs the command line. However, it is not verified to work on recent versions (10.15.x). So alternative option-1 is: use ''dnsmasq'' instead. Alternative option-2 is: use MacPorts //(or other)// package-manager & obtain tftpd server & dnsmasq, more info is here: [[:docs:guide-developer:toolchain:buildroot.exigence.macosx|buildroot.exigence.macosx]]. There are also GUI //(frontend/wrapper)// applications //(for CLI based tftp, tftpd tools)// that are available for users who prefer such, //(in example: ''TftpServer**.**app'')//. There are also GUI based tftp & tftpd app, //(in example: ''PumpKIN**.**app'')//.
 +\\ \\
 === dnsmasq (on macOS): === === dnsmasq (on macOS): ===
  
 Dnsmasq can be installed easily via [[https://brew.sh|Homebrew]] or [[https://www.macports.org/|MacPorts]] and has the advantage of being able to offer a DHCP server if necessary. Dnsmasq can be installed easily via [[https://brew.sh|Homebrew]] or [[https://www.macports.org/|MacPorts]] and has the advantage of being able to offer a DHCP server if necessary.
-  * Launch it in this way (if you use Homebrew pkg-mngr):<code bash> $ sudo /usr/local/opt/dnsmasq/sbin/dnsmasq -i enX -p 0 -z --enable-tftp --tftp-root /tmp</code> 
-  * Launch it in this way (if you use MacPorts pkg-mngr):<code bash> $ sudo /opt/local/sbin/dnsmasq -i enX -p 0 -z --enable-tftp --tftp-root /tmp</code> 
- 
-Replace ''enX'' with the interface identifier of your ethernet adapter (use ''ifconfig'' to find it out) and ''/tmp'' to the directory containing the image you want to serve. Don't forget to kill the process (e.g. using the ''Activity Monitor'') before you want to start a new instance of ''dnsmasq''. 
  
 +● Launch it in this way (if you use Homebrew pkg-mngr): <code bash> $ sudo /usr/local/opt/dnsmasq/sbin/dnsmasq -i enX -p 0 -z --enable-tftp --tftp-root /tmp </code>
 +● Launch it in this way (if you use MacPorts pkg-mngr): <code bash> $ sudo /opt/local/sbin/dnsmasq -i enX -p 0 -z --enable-tftp --tftp-root /tmp </code>
  
 +Replace ''enX'' with the interface identifier of your Ethernet adapter (use ''ifconfig'' to find it out) and ''/tmp'' to the directory containing the image you want to serve. Don't forget to kill the process (e.g. using the ''Activity Monitor'') before you want to start a new instance of ''dnsmasq''.
 +\\ \\
 === macOS Command-Line Native tftpd: === === macOS Command-Line Native tftpd: ===
  
 For recent versions of macOS, the system-supplied ''tftpd'' is managed with ''launchctl''. Users should be comfortable with command-line usage and ''sudo'' to take this approach. As confirmed on macOS Sierra 10.12.6 and macOS Mojave 10.14.2, the general steps involved are For recent versions of macOS, the system-supplied ''tftpd'' is managed with ''launchctl''. Users should be comfortable with command-line usage and ''sudo'' to take this approach. As confirmed on macOS Sierra 10.12.6 and macOS Mojave 10.14.2, the general steps involved are
  
-  * Configure your network interface for the proper server address for your device. Using System Preferences > Network is perhaps the easiest. +● Configure your network interface for the proper server address for your device. Using System Preferences > Network is perhaps the easiest. 
-  Connect your device to the network interface +● Connect your device to the network interface. 
-  Start ''tftpd'' <code bash>+● Start ''tftpd'' <code bash> 
 $ sudo cp path/to/file/to/serve.bin /private/tftpboot/the_name_the_device_is_looking_for.bin $ sudo cp path/to/file/to/serve.bin /private/tftpboot/the_name_the_device_is_looking_for.bin
-$ sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist</code> +$ sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist </code> 
- +● Confirm ''tfptd'' is running by looking for the UDP listener on port 69 <code bash> 
-  * Confirm ''tfptd'' is running by looking for the UDP listener on port 69 <code bash>+
 $ netstat -an | fgrep \*.69     $ netstat -an | fgrep \*.69    
 udp4            0  *.69                   *.*                               </code> udp4            0  *.69                   *.*                               </code>
 +● Activate your device's recovery/TFTP mode
 +  * When done with ''tftpd'', shut it down with <code bash> $ sudo launchctl unload -F /System/Library/LaunchDaemons/tftp.plist </code>
 +\\
 +=== TftpServer.app (on macOS): ===
  
-  * Activate your device's recovery/TFTP mode +As an example of a GUI wrapper (aka: frontend) based TFTP server, the ''TftpServer**.**app'' from http://ww2.unime.it/flr/tftpserver/ provides a pleasant GUI frontend / wrapper around macOS native command that makes the process less error prone. Info from older site on usage of this app is [[https://web.archive.org/web/20200427215239/http://ww2.unime.it/flr/tftpserver/|here]]. 
-  * When done with ''tftpd'', shut it down with <code bash> $ sudo launchctl unload -F /System/Library/LaunchDaemons/tftp.plist</code> +  * This procedure was tested with ''TftpServer.app'' v 3.4.1 on OSX 10.10.5 in December 2016. 
- +  * The v3.4.1 ''TftpServer.dmg'' file has SHA256: eb71d62da9c0dd6cdf54d604e87083e1a4e7084f8da4bc4e8c196da19e012583 & size: 656,775 bytes, and the "TftpServer**.**app" has 731,378 bytes. DMG file contains APP file. We found mention of updated version v3.5.1 on author's older website via ''Internet Archive Wayback Machine'', obtained on April 27, 2020<sup>[[https://web.archive.org/web/20200427215239/http://ww2.unime.it/flr/tftpserver/|1]]</sup>. 
- +  * Author's contact info: //fabrizio.larosa.nospam**@**unime5**.**it// (//remove the ''.nospam'' portion & remove the ''5'', to get author's actual email address//) or //fab.larosa.spamnotallowed**@**gmail1**.**com// (//remove the ''.spamnotallowed'' portion & remove the ''1'', to get author's actual email address//).
-=== TFTPServer.app on macOS: === +
- +
-As an example of a GUI-driven TFTP server, TFTPServer.app from http://ww2.unime.it/flr/tftpserver/ provides a pleasant GUI frontend / wrapper around macOS native command that makes the process less error prone. This procedure was tested with ''TftpServer.app'' v 3.4.1 on OSX 10.10.5 in December 2016. The v3.4.1 ''TftpServer.dmg'' file has SHA256: eb71d62da9c0dd6cdf54d604e87083e1a4e7084f8da4bc4e8c196da19e012583 (656,775 bytes)The dmg file contains the app file. We found mention of updated version v3.5.1 on author's older website via ''Internet Archive Wayback Machine'', obtained on April 27, 2020<sup>[[https://web.archive.org/web/20200427215239/http://ww2.unime.it/flr/tftpserver/|1]]</sup>. Author's contact info: //fabrizio.larosa.nospam**@**unime5**.**it// (//remove the ''.nospam'' portion & remove the ''5'', to get author's actual email address//) or //fab.larosa.spamnotallowed**@**gmail1**.**com// (//remove the ''.spamnotallowed'' portion & remove the ''1'', to get author's actual email address//). Info from older site on this app usage is [[https://web.archive.org/web/20200427215239/http://ww2.unime.it/flr/tftpserver/|here]].+
  
   - Download ''dmg'' file from the URL<sup>[[http://ww2.unime.it/flr/tftpserver/|1]]</sup> mentioned above, and install the ''TftpServer.app'' inside that ''dmg'' file. Do not download this app or dmg file from any untrustworthy websites. Do not download unknown version or "new" versions, that is not-shared or not-mentioned by actual author.   - Download ''dmg'' file from the URL<sup>[[http://ww2.unime.it/flr/tftpserver/|1]]</sup> mentioned above, and install the ''TftpServer.app'' inside that ''dmg'' file. Do not download this app or dmg file from any untrustworthy websites. Do not download unknown version or "new" versions, that is not-shared or not-mentioned by actual author.
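Review bot: firewall rule #1, "allow TFTP traffic (UDP 69) only when connections originate from a local LAN ip.address range", is only sufficient on a stateful firewall: per RFC 1350 only the initial read/write request goes to port 69, after which the server answers from a freshly chosen ephemeral port (its transfer ID), so a rule limited to destination port 69 will pass the request and then drop the DATA/ACK exchange unless the firewall tracks the reply flow (on Linux an ESTABLISHED/RELATED accept rule, plus the nf_conntrack_tftp helper when this host is the TFTP client, as in the Netgear-style "TFTP recovery server" mode described earlier in the page). Suggest stating that the rule must be stateful, or that replies from the LAN subnet to the host's ephemeral UDP ports must be allowed as well. Rule #2 (no TFTP over 127.0.0.1 / lo) also contradicts the later "Testing TFTP server" step, which suggests fetching from 0.0.0.0 on the same host (loopback traffic) when no second computer is available; one of the two should be qualified. Minor: "runs the command line" should read "runs from the command line", and the native tftpd steps mix "●" bullets with a "  * " list item ("When done with tftpd"), so that list will render inconsistently.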
Line 86: Line 95:
   - //Note:// TftpServer.app may give warnings about file permissions. Use the "Fix" buttons at the bottom of the window to set the permissions properly.   - //Note:// TftpServer.app may give warnings about file permissions. Use the "Fix" buttons at the bottom of the window to set the permissions properly.
   - Click "Stop TFTP" or quit the application to stop the TFTP server.   - Click "Stop TFTP" or quit the application to stop the TFTP server.
 +  - Precautions : keep this app firewalled //(and allow only LAN based TFTP)//, or disable this app when you are done working with TFTP, or disable this app when you pause to goto other work. Do not keep this app continuously running.
 +\\
 +=== PumpKIN.app (on macOS): ===
  
 +This app ''PumpKIN.app'' has GUI interface and also contains builtin TFTP server & client functionalities, it can be obtained from https://kin.klever.net/pumpkin/ website. [[https://kin.klever.net/pumpkin/binaries/|Dnld]], [[https://kin.klever.net/pumpkin/repository/|Src]], Tech description [[https://kin.klever.net/pumpkin/description/|here]], Help file [[https://kin.klever.net/pumpkin/help/|here]]. 
 +  * It is developed by Michael Krelin ( //hacker.nospam**@**klever5**.**net// , //remove the ''.nospam'' portion & remove the ''5'', to get author's actual contact info// ). 
 +  * The ''pumpkin-0.0.1-osx.dmg'' file has SHA256: 0f857db4ae91907946cfc050f72a17714524d3380fb1e8bc8cb25acfd5f83a67 & size: 796,711 bytes, and the ''PumpKIN.app'' size: 876,994 bytes. 
 +  * Precautions : keep this app firewalled //(and allow only LAN based TFTP)//, or disable this app when you are done working with TFTP, or disable this app when you pause to goto other work. Do not keep this app continuously running. 
 +\\
 === Tools/Pkgs via Pkg-Mngr (on macOS): === === Tools/Pkgs via Pkg-Mngr (on macOS): ===
  
 macOS compatible //(3rd-party)// pkg-mngr //(package-manager)// info is displayed in [[:docs:guide-developer:toolchain:buildroot.exigence.macosx|buildroot.exigence.macosx]] page, inside ''Install Package Manager'' section. macOS compatible //(3rd-party)// pkg-mngr //(package-manager)// info is displayed in [[:docs:guide-developer:toolchain:buildroot.exigence.macosx|buildroot.exigence.macosx]] page, inside ''Install Package Manager'' section.
  
-if you have MacPorts pkg-mngr, then run**:** <code bash>sudo port install inetutils dnsmasq</code>+if you have MacPorts pkg-mngr, then run**:** <code bash> sudo port install inetutils dnsmasq </code>
   * the ''inetutils'' pkg includes ''telnet'', ''ftp'', ''rsh'', ''rlogin'', ''tftp'' client tools, and also includes corresponding daemons/servers, as bundle<sup>[[https://ports.macports.org/search/?q=utils&name=on|1]]</sup>.   * the ''inetutils'' pkg includes ''telnet'', ''ftp'', ''rsh'', ''rlogin'', ''tftp'' client tools, and also includes corresponding daemons/servers, as bundle<sup>[[https://ports.macports.org/search/?q=utils&name=on|1]]</sup>.
 +\\
 +==== Setting up a TFTP server on Windows ====
  
 +While there is a command line TFTP **client** feature in Windows, Microsoft has stopped shipping a tftp **server** for security reasons. A third party tftp server will therefore be required.
  
-==== On Windows ==== +The built-in client tftp feature can be installed from an administrator cmd.exe command prompt as follows: <code>Dism /online /Enable-Feature /FeatureName:TFTP /All</code> (You can use the client to test if your TFTP server is working.) 
- +\\ 
-While there is a command line TFTP server/client feature in windows, it's easier to use a third party one that has proper graphical interface+Regardless of which TFTP server below that you choose to use, you will need to open local firewall rule to allow inbound client TFTP connections from the local subnet. For security reasons, only traffic from the local LAN subnet should be allowed. Start cmd.exe prompt as admin then run: 
- +<code>netsh advfirewall firewall add rule name="TFTP" dir=in action=allow protocol=udp localport=69 remoteip=localsubnet interfacetype=lan profile=private,public</code> 
 +\\
 === Tftpd64 (on Windows): === === Tftpd64 (on Windows): ===
  
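Review bot: the netsh rule in this hunk opens UDP 69 on both the private and public profiles ("profile=private,public"), which contradicts the Tftpd64 guidance later in this same revision to allow home/work but not public networks; since the recovery link is a directly attached LAN, "profile=private" (adding "domain" only on a domain-joined machine) is enough, and "remoteip=localsubnet" is a good restriction to keep. It would also help to give the matching removal command right after it, e.g. netsh advfirewall firewall delete rule name="TFTP", so the rule is not left in place after recovery, in line with the "Stop the TFTP server on your computer" step added above.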
Line 109: Line 128:
 Place the file you want to send (the firmware file usually) in the same folder where you find the **Tftpd64** program file. The folder exposed through TFTP can be changed by clicking on Browse button, but in most situations you don't need to do that. Place the file you want to send (the firmware file usually) in the same folder where you find the **Tftpd64** program file. The folder exposed through TFTP can be changed by clicking on Browse button, but in most situations you don't need to do that.
  
-Configure your ethernet port according to your device's own recovery method as detailed in [[docs:guide-user:troubleshooting:vendor_specific_rescue|Rescue from failed firmware upgrade]], note that in most cases you can't use that port to connect to the internet until you reconfigure it back like it was before.+Configure your Ethernet port according to your device's own recovery method as detailed in [[docs:guide-user:troubleshooting:vendor_specific_rescue|Rescue from failed firmware upgrade]], note that in most cases you can't use that port to connect to the internet until you reconfigure it back like it was before.
  
-Double-click on the **Tftpd64** program file and you should get a Windows Firewall popup asking you to grant access. Check both options, to allow **Tftpd64** to communicate over both home/work and public networks. This is very important, if the Windows Firewall blocks your TFTP server you won't be able to access it from the device you want to recover.+This application might stop listening on the local UDP port at the very moment that you need it, i.e. when the router at the other end of the network connection restarts. To work around this issue, do one of the following: 
 +  * Disable [[https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/disable-media-sensing-feature-for-tcpip|media sensing]]:<code>netsh interface ipv4 set global dhcpmediasense=disabled 
 +netsh interface ipv6 set global dhcpmediasense=disabled</code> 
 +  * Use a switch between the TFTP host and the client router so that the network link of the Windows machine remains up while the router is rebooting. 
 + 
 +Double-click on the **Tftpd64** program file and you should get a Windows Firewall popup asking you to grant access. Check both options, to allow **Tftpd64** to communicate over both home/work but //not// public networks. This is very important, if the Windows Firewall blocks your TFTP server you won't be able to access it from the device you want to recover.
  
 Click on the drop-down menu called **Server Interfaces** and select your PC's Ethernet port. Click on the drop-down menu called **Server Interfaces** and select your PC's Ethernet port.
  
 Now the TFTP server is online and ready, and the file(s) in it can be accessed as normal. Now the TFTP server is online and ready, and the file(s) in it can be accessed as normal.
- +\\ \\
 === Tiny PXE (on Windows): === === Tiny PXE (on Windows): ===
  
 [[http://reboot.pro/files/file/303-tiny-pxe-server/|Tiny PXE]] seems to do the same as Tftpd64 plus BOOTP support (particularly useful for [[:toh:mikrotik:common|MikroTik devices]]). [[http://reboot.pro/files/file/303-tiny-pxe-server/|Tiny PXE]] seems to do the same as Tftpd64 plus BOOTP support (particularly useful for [[:toh:mikrotik:common|MikroTik devices]]).
 +\\ \\
 +=== Solarwinds TFTP Server ===
  
 +A free TFTP server for Windows can be downloaded [[https://www.solarwinds.com/free-tools/free-tftp-server|here]] (registration is required).
  
-==== On Linux ====+  * The default install will use the directory ''C:\TFTP-Root'' - place your firmware file in this directory and rename it per the instructions for your specific device. 
 +  * Under File | Configure | Security, set "Send files" as the only permissible action. 
 +  * Change the local LAN IP address of your computer to the static IP that your router expects. 
 +  * Follow the procedure for your specific router to trigger its TFTP client to download the firmware image you are hosting. 
 +  * Watch the Solarwinds console to ensure that the router has downloaded the firmware file.
  
 +<color #ed1c24>**Important: Stop the TFTP service and prevent it from auto-restarting as soon as you are done so your machine is not left in an insecure configuration:**</color>
 +<code>
 +sc config "Solarwinds TFTP Server" start=demand
 +sc stop "Solarwinds TFTP Server"
 +</code>
 +\\
 +==== Setting up a TFTP server on Linux ====
 +=== dnsmasq (on Linux): ===
  
-=== Dnsmasq (on Linux): ===+**dnsmasq** is pre-installed in most distributions.
  
-**Dnsmasq** is pre-installed in most distributions.  +Create directory where you want to put the recovery image file: <code bash> 
-Put an image file into your directory - actual name will vary.  +bash mkdir /srv/tftp </code>
-Then run TFTP server:<code bash> +
-dnsmasq --port=0 --enable-tftp --tftp-root=/path/to/firmware/directory --tftp-no-blocksize --user=root --group=root +
-Check if your TFTP server is listening: +
-# netstat -lunp | grep 69</code>+
  
 +Put an image file into your directory - actual name will vary: <code bash>
 +bash#  cp ~/tp_recovery.bin /srv/tftp </code>
  
-=== atftpd (on Linux): ===  +Run TFTP server: <code bash> 
 +bash#  dnsmasq --listen-address=0.0.0.0 --port=0 --enable-tftp --tftp-root=/srv/tftp --tftp-no-blocksize --user=root --group=root </code> 
 + 
 +Check if your TFTP server is listening: <code bash> 
 +bash#  netstat -lunp | grep 69 </code> 
 +\\ 
 +=== atftpd (on Linux): ===
  
 You can also use **atftpd**: You can also use **atftpd**:
 <columns 100% 50% - -> <columns 100% 50% - ->
-Install atftpd from repository on Debian/Ubuntu/Mint +Install atftpd from repository on Debian/Ubuntu/Mint: <code bash> 
-  # apt install atftpd+bash apt install atftpd </code>
 <newcolumn> <newcolumn>
-Install atftpd from repository on RedHat/Fedora/Centos +Install atftpd from repository on RedHat/Fedora/Centos: <code bash> 
-  # yum install atftpd+bash yum install atftpd </code>
 </columns> </columns>
  
-Create directory where you want to put the image file <code bash> +Create directory where you want to put the recovery image file<code bash> 
-  # mkdir /srv/tftp </code> +bash#  mkdir /srv/tftp </code>
-Put an image file into your directory - actual name will vary <code bash+
-  cp ~/tp_recovery.bin /srv/tftp </code> +
-Change the ownership of the folder and the file in it <code bash> +
-  # chown nobody:nogroup -R /srv/tftp </code> +
-Run TFTP server (run as daemon, do not fork, log events to stdout) <code bash> +
-  # atftpd --daemon --no-fork --logfile - /srv/tftp </code> +
-Check if your TFTP server is listening <code bash> +
-  # netstat -lunp|grep 69 </code> +
-  * //If not set, you should try running TFTP server as superuser.//+
  
 +Put an image file into your directory - actual name will vary: <code bash>
 +bash#  cp ~/tp_recovery.bin /srv/tftp </code>
 +
 +Change the ownership of the folder and the file in it: <code bash>
 +bash#  chown nobody:nogroup -R /srv/tftp </code>
 +
 +Run TFTP server (run as daemon, do not fork, log events to stdout): <code bash>
 +bash#  atftpd --daemon --no-fork --logfile - /srv/tftp </code>
 +
 +Check if your TFTP server is listening: <code bash>
 +bash#  netstat -lunp|grep 69 </code>
 +  * //If not set, you should try running TFTP server as superuser.//
 +\\
 +=== Testing TFTP server (on Linux): ===
  
-==== Testing TFTP server ==== 
 **Check that you can in fact pull the file from your TFTP server.** **Check that you can in fact pull the file from your TFTP server.**
-Preferably from another computer call your TFTP server IP: (//or if not possible, in same server call IP 0.0.0.0//+Preferably from another computer call your TFTP server IP: (//or if not possible, in same server call IP 0.0.0.0//): <code bash> 
-  # tftp 192.168.0.66 +bash tftp 192.168.0.66 
-  tftp> get tp_recovery.bin +tftp> get tp_recovery.bin 
-  Received 8152633 bytes in 0.8 seconds +Received 8152633 bytes in 0.8 seconds 
-  tftp> quit+tftp> quit </code>
 If you have received the file, congratulations, it's ready. If you have received the file, congratulations, it's ready.
 +\\ \\
 +===== Troubleshooting steps =====
  
- 
-===== Troubleshooting ===== 
 TFTP file transfer doesn't work from local computer TFTP file transfer doesn't work from local computer
   * Check if your TFTP server is running and listening   * Check if your TFTP server is running and listening
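Review bot: the new dnsmasq invocation "dnsmasq --listen-address=0.0.0.0 --port=0 --enable-tftp --tftp-root=/srv/tftp --tftp-no-blocksize --user=root --group=root" both answers on every address of the host (the 0.0.0.0 wildcard) and keeps dnsmasq running as root, while the macOS command on the same page pins it to one interface with "-i enX" and the atftpd steps below chown the served directory to nobody:nogroup. Suggest pinning with "--interface=<LAN interface>" (or "--listen-address=<the host's LAN IP>" together with "--bind-interfaces"), dropping "--user=root --group=root" so dnsmasq keeps its default unprivileged user, and making /srv/tftp readable by that user; dnsmasq's "--tftp-secure" option then limits serving to files owned by the dnsmasq user. Three smaller items: the Solarwinds block's "sc config "Solarwinds TFTP Server" start=demand" fails as written because sc.exe requires a space after the equals sign ("start= demand"); the Tftpd64 paragraph now says "Check both options, to allow Tftpd64 to communicate over both home/work but not public networks", which is self-contradictory (only the private/home-work box should be ticked); and the Linux code blocks prefix commands with "bash", "bash#" or "bash " as a prompt, which a reader pasting the line will run as a literal command (e.g. "bash mkdir /srv/tftp"), so a plain "#" or "$" prompt, used consistently, is preferable.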
Line 179: Line 225:
   * Check if server IP is set correctly   * Check if server IP is set correctly
   * Make sure server firewall allows inbound TFTP on UDP port 69   * Make sure server firewall allows inbound TFTP on UDP port 69
 +  * Check that you have opened up UDP 69 traffic from the local subnet in the host firewall.
 +  * Restart the server if you have just changed the local host IP address.
 TFTP file transfer works from another computer, but not from router: TFTP file transfer works from another computer, but not from router:
   * Check if server IP is set correctly (same as router is searching for)   * Check if server IP is set correctly (same as router is searching for)
 +  * Check that the host running the TFTP server is using the specific fixed IP address and subnet mask that your router is expecting to use.
   * Try using alternate cable, a crossover cable or alternate switch/speed   * Try using alternate cable, a crossover cable or alternate switch/speed
   * Try connecting to an alternate port on the router / routers switch   * Try connecting to an alternate port on the router / routers switch
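Review bot: the added item "Check that you have opened up UDP 69 traffic from the local subnet in the host firewall" duplicates the existing "Make sure server firewall allows inbound TFTP on UDP port 69" directly above it; suggest merging them into one item that carries the "from the local subnet" qualifier, e.g. "Make sure the host firewall allows inbound TFTP on UDP port 69 from the local subnet only".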
Line 189: Line 238:
   * Try an alternate server software, client software or TFTP transfer mode   * Try an alternate server software, client software or TFTP transfer mode
   * If you get some activity, timing can often yield results, power cycle the router and start the transfer earlier or later...   * If you get some activity, timing can often yield results, power cycle the router and start the transfer earlier or later...
 +  * Check that you have downloaded a firmware image that contains "tftp" in its filename, and that you have renamed this file to the specific OEM filename that your router is expecting.
 +  * Run a packet sniffing tool like [[https://www.wireshark.org/|Wireshark]], while using "tftp" as the display filter.
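Review bot: "Check that you have downloaded a firmware image that contains "tftp" in its filename" is stated as a general rule, but only some targets publish a dedicated tftp-recovery image; for the others the normal factory image is the one to rename to the OEM filename, so this item should be qualified with "if the device page lists a tftp-recovery image for your model". The Wireshark item is a useful addition; it would help to say that the capture must be taken on the Ethernet interface connected to the router, since that is where the router's read requests arrive.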
  • Last modified: 2024/10/10 14:15
  • by trendy