
TFTP for remedy


Scenario - pitfall situation with a Cisco device

Let’s assume that a hardware appliance needs to be completely reset, which requires a full recovery. This requires deploying a 1.2 GB boot image downloaded from the vendor portal.

But how can the data be made available so that even a device (in my case, a Cisco FTD appliance) in recovery mode can download it?

You will probably have to fall back on an insecure, outdated protocol, one that you would use only temporarily and, if possible, only on the local network.

Nice to meet you again 👋 TFTP!

When do you need TFTP today?

Ok, so here it is: the sudden task of providing a TFTP server for a delicate image/netboot purpose. It is foreseeable that this task may become cumbersome, as macOS 12, at least, will not help us much out of the box.

But anyway, the point is to quickly perform a firmware restore on a hardware appliance without facing any major distractions on the way to the target.

The path to resolution taken here is for one-time use only (aka a “no intention to repeat this again” activity). So recorded here for the unlikely event… that something similar could happen to someone else.

Working out the ad-hoc task

Assuming you have Python3 installed in a common way (i.e. Xcode Command Line Tools), you run this in a folder of your preference (erm, why not ephemeral in /tmp/trash-me-soon).

We use Python3 to set up the environment with virtualenv, then activate it immediately and install our one dependency, tftpy.

virtualenv venv
source venv/bin/activate
pip install tftpy

Edit a very simple script, named server.py here, with the following content:

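import tftpy

# Serve files from (and accept uploads into) the tftp-data folder
server = tftpy.TftpServer('tftp-data')
# Listen on all interfaces on the standard TFTP port, 69/udp
server.listen('0.0.0.0', 69)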

Create the folder to serve (or receive) the data

mkdir tftp-data

Start running the simple TFTP server

python3 server.py

Test the base functionality of our “ad-hoc” tftp server by uploading some data

curl -T test.data tftp://127.0.0.1  #i.e. curl -T cisco-ftd-fp1k.6.6.1-91.SPA tftp://127.0.0.1

Now that the TFTP service is running, you need to know the local IP address it is reachable on, and perhaps the port (69), as these are the parameters to supply, e.g. when restoring a Cisco FTD in depth, as one can learn in this super fun procedure further on.
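Once the image is in place, a tighter variant of server.py can work out the local IP facing the appliance, bind only to it instead of 0.0.0.0, and refuse further uploads. This is an added example, not part of the original post. The file name server_hardened.py, the helper names, the checksum step (assuming the vendor portal publishes a SHA-512 value for the image) and the availability of tftpy's upload_open hook in the installed version are assumptions.

```python
import hashlib
import socket
import sys


def local_ip_towards(peer_ip: str) -> str:
    """Return the local address the OS would use to reach peer_ip.

    connect() on a UDP socket only selects a route; no packet is sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((peer_ip, 69))
        return s.getsockname()[0]


def sha512_matches(path: str, expected_hex: str) -> bool:
    """Hash the file in 1 MiB chunks (the image is ~1.2 GB) and compare."""
    digest = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_hex.strip().lower()


def deny_uploads(path, context):
    """tftpy upload_open hook: returning None rejects the write request."""
    return None


def main(image_path: str, expected_sha512: str, appliance_ip: str) -> None:
    import tftpy  # imported here so the helpers above need only the stdlib

    if not sha512_matches(image_path, expected_sha512):
        sys.exit("checksum mismatch, not serving " + image_path)
    bind_ip = local_ip_towards(appliance_ip)
    print(f"serving tftp-data/ read-only on {bind_ip}:69")
    # Assumption: the installed tftpy accepts the upload_open keyword.
    server = tftpy.TftpServer("tftp-data", upload_open=deny_uploads)
    server.listen(bind_ip, 69)  # one interface only, not 0.0.0.0


if __name__ == "__main__":
    # Usage: python3 server_hardened.py <image> <sha512-hex> <appliance-ip>
    main(*sys.argv[1:4])
```

Binding port 69 to a specific address may need elevated privileges, and the server should be stopped as soon as the restore has finished.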

Conclusion

We have seen that we can build a quick solution using Python3 and tftpy to help deploy a large restore image via TFTP.

In case this should become a recurring task, I think preparing a RasPi 4 to serve FTP/TFTP is the better solution. But if it’s just a one-time task, such as a netboot image for a remedy Cisco FTD restore, the approach seems fine.