Cisco Routing/Switching – Validate Firmware Image with MD5

Validating an image after transferring it from your computer to your switch or router is a smart thing to do when upgrading firmware: it confirms that the image was transferred intact from point A to point B, so you do not reboot onto a corrupt .bin file. A quick and easy way to do this is to compare an MD5 hash of the file on your computer with one of the file on the router or switch after it has been transmitted. Validating an image with an MD5 hash should not be relied on to detect tampering, since MD5 is no longer cryptographically secure; SHA-256 would be better for that purpose, but for validating a successful file transfer between two trusted hosts behind a firewall MD5 works fine.

The first thing you will want to do is generate an MD5 hash of the file on your computer that you will be transferring to your switch or router. On Windows, MD5Summer is a good utility; on Linux you can issue the command 'md5sum /path/to/firmware.bin'.

The MD5 hash of the file should look similar to this: '78f0d9d16a68f8d6e2adca48d38d79c9'. Copy the MD5 hash you have generated to a text file on your computer for reference later.

Now copy the file to the router/switch. Below is an example of the command, issued on the router/switch, that copies the file from your computer if your computer is running a TFTP server.


Once the image has finished transferring, you will want to generate an MD5 hash of the file on the router/switch and compare it against the hash of the file on your computer. Below is an example of that command.

This command has your router/switch generate an MD5 hash of the .bin file on flash and compare it against a hash that you specify; in this case our original hash is '78f0d9d16a68f8d6e2adca48d38d79c9', and you would replace that with whatever hash you originally generated on your computer.

After issuing that command you will see output similar to below

The last string is the MD5 hash generated by the router/switch; as long as it matches your original hash, you can be sure that your file made it to the switch fully intact.


If you are not familiar with cryptographic hashes, it is good to understand that no matter what device you move your file to, or by what means (flash drive, TFTP, FTP, etc.), this hash should always be the same. If the hash is not the same, your image has either been corrupted during the transfer or possibly tampered with, and you will need to retransmit it. As I stated earlier in the article, MD5 is no longer cryptographically secure and can be spoofed if your file is tampered with, so to validate integrity from an untrusted source, such as an image downloaded directly from the Internet, you will want to generate a SHA-256 hash, compare it against the known-good hash the software vendor has published, and only then transmit that known-safe image to your router or switch.
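The following script is an added example, not code from the original article, covering the workstation side of both checks described above: the MD5 comparison that catches a corrupted transfer between trusted hosts, and the SHA-256 comparison against a vendor-published value for an image obtained from an untrusted source. The function and file names are hypothetical, the sample "image" contents are constructed so the script runs offline, and the 'verify /md5 flash:<file> <hash>' line it builds is the standard IOS syntax for the on-device check (the article refers to that command but the command text itself is not reproduced on the page).

```python
"""Compare firmware image hashes before and after a transfer.

Added example (not from the original article).  Hash strings pasted from
md5sum, MD5Summer or IOS output come in slightly different shapes
("<hash>  <file>", upper case, surrounding quotes), so they are normalized
before the constant-time comparison.
"""
import hashlib
import hmac
import re
from pathlib import Path

HEX_RE = re.compile(r"^[0-9a-f]+$")
QUOTE_CHARS = "'\"\u2018\u2019\u2032"  # straight, curly and prime quotes


def file_digest(path, algo="md5"):
    """Return the lowercase hex digest of the file at ``path`` ("md5" or "sha256").

    The file is read in 1 MiB chunks so a large image need not fit in memory.
    """
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_hash(text):
    """Reduce a pasted hash to a bare lowercase hex string.

    Strips whitespace and quotes, drops any trailing filename (md5sum prints
    "<hash>  <file>"), lowercases, and rejects anything that is not hex.
    """
    token = text.strip().strip(QUOTE_CHARS).split()[0].lower()
    if not HEX_RE.fullmatch(token):
        raise ValueError(f"not a hex digest: {text!r}")
    return token


def digests_match(expected, actual):
    """Constant-time equality of two hex digests after normalization."""
    a, b = normalize_hash(expected), normalize_hash(actual)
    return len(a) == len(b) and hmac.compare_digest(a, b)


def verify_transfer(local_image, router_reported_md5):
    """Article step: MD5 of the local file vs. the MD5 the router reports.

    Only suitable for catching a corrupted copy between trusted hosts.
    """
    return digests_match(file_digest(local_image, "md5"), router_reported_md5)


def verify_vendor_image(local_image, vendor_sha256):
    """Stronger check for a downloaded image: SHA-256 vs. the vendor's published value."""
    return digests_match(file_digest(local_image, "sha256"), vendor_sha256)


def ios_verify_command(flash_name, local_md5):
    """Build the IOS line to paste on the router (standard 'verify /md5' syntax)."""
    return f"verify /md5 flash:{flash_name} {normalize_hash(local_md5)}"


def make_sample_image(path, data=b"abc"):
    """Write a constructed stand-in for a firmware image and return its path."""
    Path(path).write_bytes(data)
    return str(path)


def delete_sample(path):
    """Remove the constructed sample file."""
    Path(path).unlink(missing_ok=True)


if __name__ == "__main__":
    sample = make_sample_image("firmware-sample.bin")
    local_md5 = file_digest(sample, "md5")
    print("local md5      :", local_md5)
    print("paste on router:", ios_verify_command("firmware.bin", local_md5))
    # Hypothetical router output echoing the same digest in upper case.
    print("transfer ok    :", verify_transfer(sample, local_md5.upper()))
    delete_sample(sample)
```

Run it as-is to see the three lines above; in real use, replace the constructed sample with the path of the image you intend to upload, and paste the printed 'verify /md5' line on the device once the copy has finished.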
