
Extracting the firmware

A project log for Manhattan SX - Hacking a low cost DVB-S2 receiver

UART hacking a low cost DVB-S2 receiver box based on MStar MIPS32 chipset

sphaleron, 09/28/2023 at 20:15

The conventional way of doing this is to use the md command to dump the firmware bytes to the terminal as text, capture that output to a file, and run a script to convert the hex text back into binary. Unfortunately, this process is very slow: I calculated that dumping the entire 256MiB of RAM would take 36 hours and produce a text file larger than 1GB!
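For completeness, here is what the conventional route looks like on the host side. This converter is an added example and not code from the project log; it assumes the md output follows U-Boot's print_buffer layout (address, colon, hex tokens separated by single spaces, then a wider gap before the ASCII column), which M-boot is assumed to inherit. It refuses a capture with missing or repeated lines, which is the usual failure mode of a serial dump that runs for hours, and it lets you pick the word size and endianness so that md.l output on a little-endian MIPS core reassembles in the right byte order. The sample dumps below are constructed for the test, not captured from the box.

```python
import re
import sys

# Assumed line layout (U-Boot print_buffer, which M-boot is assumed to share):
#   "<addr>: <hex> <hex> ... <hex>    <ascii column>"
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4,16}):\s(.*)$")


def parse_md_dump(text, word_size=1, little_endian=True):
    """Convert captured md.b (word_size=1), md.w (2) or md/md.l (4) text
    back into bytes.  Returns (start_address, data).  Raises ValueError on
    a malformed hex field or a non-contiguous address sequence, so a dropped
    or duplicated line from a long serial capture is caught, not silently
    stitched over."""
    width = 2 * word_size
    start = expected = None
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HEX_LINE.match(line)
        if not m:
            continue  # prompt echoes, banners, blank lines
        addr = int(m.group(1), 16)
        # The hex field ends at the first run of two or more spaces; the
        # ASCII column (or padding on a short final line) follows it.
        hex_part = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        tokens = hex_part.split()
        if not tokens or any(len(t) != width or not re.fullmatch(r"[0-9A-Fa-f]+", t)
                             for t in tokens):
            raise ValueError(f"line {lineno}: malformed hex field {hex_part!r}")
        if start is None:
            start = addr
        elif addr != expected:
            raise ValueError(f"line {lineno}: expected address {expected:#010x}, "
                             f"got {addr:#010x} (capture gap or repeated line?)")
        for t in tokens:
            out += int(t, 16).to_bytes(word_size, "little" if little_endian else "big")
        expected = addr + len(tokens) * word_size
    if start is None:
        raise ValueError("no md output lines found")
    return start, bytes(out)


def dump_is_contiguous(text, **kw):
    """True if the capture parses cleanly with no address gaps."""
    try:
        parse_md_dump(text, **kw)
        return True
    except ValueError:
        return False


# Constructed samples (the bytes are made up, not from the receiver).
SAMPLE_MD_B = """\
kiwi# md.b 80000000 20
80000000: 27 bd ff e0 af bf 00 1c af b0 00 18 00 80 80 21    '...............
80000010: 3c 1c 00 00 27 9c 00 00 03 99 e0 21 8f 82 80 10    <...'......!....
kiwi#
"""
SAMPLE_MD_L = "80000000: 27bdffe0 afbf001c afb00018 00808021    '...............\n"
SAMPLE_GAPPED = """\
80000000: 27 bd ff e0 af bf 00 1c af b0 00 18 00 80 80 21    '...............
80000020: 3c 1c 00 00 27 9c 00 00 03 99 e0 21 8f 82 80 10    <...'......!....
"""

if __name__ == "__main__":
    # usage: md2bin.py capture.txt out.bin [word_size]
    src, dst = sys.argv[1], sys.argv[2]
    ws = int(sys.argv[3]) if len(sys.argv) > 3 else 1
    with open(src, "r", errors="replace") as f:
        base, data = parse_md_dump(f.read(), word_size=ws)
    with open(dst, "wb") as f:
        f.write(data)
    print(f"wrote {len(data):#x} bytes starting at {base:#010x} to {dst}")
```

Note that the same md.l line yields different bytes depending on the endianness flag; for a dump you intend to disassemble, check a few known bytes (a string, say) against the md.b form before trusting the whole file.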

Thankfully, there is a quicker and easier way, thanks to some nifty USB tools bundled with M-boot :-)

kiwi# usb
usb - USB sub-system

Usage:
usb reset [dev] - reset (rescan) USB controller
usb start [dev] - start (scan) USB controller
usb stop [f]  - stop USB [f]=force stop
usb tree  - show USB device tree
usb info [dev] - show available USB devices
usb storage  - show details of USB storage devices
usb dev [dev] - show or set current USB storage device
usb part [dev] - print partition table of one or all USB storage devices
usb read addr blk# cnt - read `cnt' blocks starting at block `blk#'
    to memory address `addr'
usb write addr blk# cnt - write `cnt' blocks starting at block `blk#'
    from memory address `addr'

The board has 2x USB2.0 ports. The first (USB 0) is internally connected to the WiFi chip. The second (USB 1) is exposed as a USB2.0 port for us to use. Plug a freshly FAT32-formatted USB pen/thumb drive into this port. Reset the port to discover the device:

kiwi# usb reset 1
(Re)start USB 1...
Check USB port[1]:
[USB] usb_lowlevel_init++
[USB] USB EHCI LIB VER: 2014.10.02
[USB] Port 1 is Enabled
[USB] TV_usb_init (UTMI Init) ++
[USB] UTMI Base BF207400
[USB] UHC Base BF201A00
[USB] USBC Base BF200F00
[USB] BC Base BF240A80
[USB] TV_usb_init--
[USB] Usb_host_Init++
[USB] Async base addr: 0xA7E1A100 
[USB] Reg 0x28: 0xA100 0xA7E1
[USB] disable run
[USB] Host Speed:2 
[USB] enable aynch 
[USB] Usb_host_Init--
[USB] FAILED
[USB] usb_lowlevel_init--[0]
scanning bus for devices... [USB] control1 max:40

[USB] interface[0] conf:1 value 8: 
1 USB Device(s) found
       scanning bus for storage devices... [USB] no_of_ep: 2
[USB] find bulk ep: 0
[USB] find bulk ep2: 1

[USB] bulk max packet size: ep(in) 0x200, ep2(out) 0x200
[USB] bulk0 is in
max lun:0
1 Storage Device(s) found

Confirm that what you have plugged into the port is a USB storage device. The device is registered as storage device 0, not to be confused with port 0:

kiwi# usb storage
  Device 0: Vendor: Kingston Rev: 1.00 Prod: DT 100 G2       
            Type: Removable Hard Disk
            Capacity: 3824.0 MB = 3.7 GB (7831552 x 512)

The first task is to dump the contents of the RAM (virtual address range 0x80000000 to 0x8FFFFFFF) to a binary file on the pen drive (USB storage device 0). Remember, this is the contents of the RAM with only the M-boot bootloader present; we have not yet loaded any application programs into memory. We will use the fatwrite command to achieve this; its final argument is the number of bytes to write, in hex:

kiwi# fatwrite usb 0 0x80000000 RAM.bin 0x10000000       
file RAM.bin not found
#################################################################
################################################################
################################################################

The second task is to use the spi_rdc command to copy the contents of the SPI flash chip into RAM. Its first argument is the start address in RAM to transfer the data to, the second the start address on the SPI flash chip, and the third the number of bytes to transfer, all in hex. We then use fatwrite as before to write this data to a binary file on the pen drive, where the number of bytes to write is now the 16MiB capacity of the flash chip (0x1000000):

kiwi# spi_rdc 0x80000000 0 0x1000000
offset 0x0, size 0x1000000
Flash is detected (0x0C05, 0xC8, 0x40, 0x18)
initialization done!

kiwi# fatwrite usb 0 0x80000000 flash.bin 0x1000000    
file flash.bin not found
#################################################################
################################################################
################################################################
################################################################

We should now have two binary files on our USB pen drive: a 256MiB dump of the RAM and a 16MiB dump of the SPI flash. Next we will analyze these files.
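Before any deeper analysis, it is worth confirming that a dump is complete and getting a rough map of what it contains. The script below is an added example, not part of this log: it checks that the file has exactly the expected size (0x1000000 for flash.bin and 0x10000000 for RAM.bin, the sizes used above), records a SHA-256 so later work can be tied back to this exact dump, and labels each 4 KiB block as erased (all 0xFF, typical of unwritten NOR flash), zeroed, high-entropy (compressed or encrypted) or low-entropy (code, tables, text). The entropy threshold and the sample image are my own choices; the sample is constructed and does not come from the receiver.

```python
import hashlib
import math
import random
import sys

FLASH_SIZE = 0x1000000    # 16 MiB: the SPI flash size used in the log
RAM_SIZE = 0x10000000     # 256 MiB: the RAM range dumped in the log
HIGH_ENTROPY = 7.5        # bits per byte; an assumed threshold, not from the log


def shannon_entropy(chunk):
    """Entropy in bits per byte: 0.0 for a constant block, close to 8.0 for random data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_block(chunk):
    """Label a block the way a first pass over a flash dump usually does."""
    if chunk.count(0xFF) == len(chunk):
        return "erased"       # NOR flash reads 0xFF where nothing was written
    if chunk.count(0x00) == len(chunk):
        return "zero"
    return "high-entropy" if shannon_entropy(chunk) >= HIGH_ENTROPY else "low-entropy"


def check_dump(data, expected_size, block_size=4096):
    """Return the size check, the SHA-256 and a run-length map of block labels."""
    regions = []
    for off in range(0, len(data), block_size):
        end = min(off + block_size, len(data))
        label = classify_block(data[off:end])
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)   # extend the current run
        else:
            regions.append((off, end, label))
    return {
        "size_ok": len(data) == expected_size,
        "sha256": hashlib.sha256(data).hexdigest(),
        "regions": regions,
    }


def constructed_sample():
    """A made-up 28 KiB image: erased, zeroed, random and text-like areas."""
    rng = random.Random(1)
    return (b"\xff" * 8192
            + b"\x00" * 8192
            + bytes(rng.getrandbits(8) for _ in range(8192))
            + (b"MStar M-boot\n" * 400)[:4096])


if __name__ == "__main__":
    # usage: checkdump.py flash.bin [expected_size]
    path = sys.argv[1] if len(sys.argv) > 1 else "flash.bin"
    expected = int(sys.argv[2], 0) if len(sys.argv) > 2 else FLASH_SIZE
    with open(path, "rb") as f:
        result = check_dump(f.read(), expected)
    print(f"{path}: size {'OK' if result['size_ok'] else 'MISMATCH'}, sha256 {result['sha256']}")
    for start, end, label in result["regions"]:
        print(f"  {start:#010x}-{end:#010x}  {label}")
```

A flash.bin that comes back short of 0x1000000 bytes means fatwrite did not finish; a large high-entropy region is where you would expect a compressed kernel or an encrypted partition, and a long erased tail is simply unused flash.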

Updated 27th October 2023
