On 12/19/24 10:20, Ted Mittelstaedt wrote:
The problem is that the CFE bootloaders (for Broadcom) and the u-boot 
bootloaders (for Atheros, Mediatek, etc.) that the factory puts in are mostly 
horrible crap. A good bootloader would give you a 5 second pause on boot where 
you could use a TFTP client to push an image and it would only write the image 
to the Linux partition. That would literally cover every possible factory 
recovery scenario or dd-wrt or openwrt or freshtomato conversion routine. Even 
better would be dumping the entire flash contents, including bootloader, art 
partition, etc. on the thing if the TFTP server available during the 5 second 
pause received a get command for a specific filename.

In order to get a u-boot prompt on many TP-Link devices you have to type "TPL\n" during the short window u-boot waits before booting from flash. Vendors generally don't want end users screwing around with their firmware, so they try to be obstructive. Another trick is to not populate a zero ohm resistor on their RX pin, to prevent unknowing users from typing anything into the serial console. That way, they have access during development, but during production, it takes an extra vaguely obscure step to debug. They usually don't try super hard, so with moderate persistence someone is going to figure it out. Or, more likely, has already figured it out and documented it on the Internet.

Often there are missing pull-up resistors on the JTAG ports. On the TP-Link WDR3600, for example, there is a missing zero ohm resistor connecting the CPU reset line and the 2x10 JTAG footprint. When using an external SPI programmer, you are supplying power to the 3.3V power rail on the board, so the CPU will typically start running. Ideally, you want to hold the CPU in reset so that it isn't running code that potentially also uses the SPI bus and conflicts with the external programmer. I just did an 8MB-to-16MB flash swap on 6 or so of them, and it involved copying the still-soldered 8MB SPI chip. I used two probes from a SensePeek PCBite (https://sensepeek.com/pcbite-20) to jumper the right two tiny resistor pads together temporarily to hold reset low while I was reading the flash with a SOIC-8 chip clip.

A local guy (Joe FitzPatrick: https://github.com/securelyfitz) made a board, called the "Tigard", which is an FTDI Swiss Army knife for UART and SPI and I2C:

  https://www.crowdsupply.com/securinghw/tigard

I also made my own SPI programmer from a Pi Pico (running serprog firmware, a protocol that flashrom and flashprog support) and a custom PCB:

  https://oshpark.com/shared_projects/1JIwcGvH


--
Russell Senior
[email protected]
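The in-circuit read described above (chip clip on a still-soldered SPI flash, CPU held in reset) goes wrong silently when reset is not held: the running CPU shares the bus and the dump comes back corrupted or as a solid 0xFF/0x00 fill. The script below is an added example, not part of the thread or of flashrom, that reads the chip twice through flashrom's serprog driver and only trusts the result when both dumps are identical and plausible. It assumes the Pi Pico serprog device enumerates as /dev/ttyACM0 and an 8 MiB chip; both are assumptions you adjust per board.

```shell
#!/bin/sh
# Added example: double-read an SPI flash over serprog and sanity-check it.
# Assumptions: serprog on /dev/ttyACM0 (Pi Pico), 8 MiB chip (8388608 bytes).

SERPROG_DEV="${SERPROG_DEV:-/dev/ttyACM0}"
EXPECTED_SIZE="${EXPECTED_SIZE:-8388608}"

# Read the whole chip into the file named by $1 using flashrom's serprog driver.
dump_flash() {
    flashrom -p "serprog:dev=${SERPROG_DEV}:115200" -r "$1"
}

# Return 0 if file $1 has exactly $2 bytes and is not a uniform 0xFF or 0x00
# fill. A uniform fill usually means the chip never answered (bus contention,
# bad clip contact) rather than a genuinely blank part.
dump_looks_sane() {
    file="$1"; want="$2"
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -eq "$want" ] || { echo "size $size != $want" >&2; return 1; }
    [ "$(LC_ALL=C tr -d '\377' < "$file" | wc -c | tr -d ' ')" -ne 0 ] \
        || { echo "dump is all 0xFF" >&2; return 1; }
    [ "$(LC_ALL=C tr -d '\000' < "$file" | wc -c | tr -d ' ')" -ne 0 ] \
        || { echo "dump is all 0x00" >&2; return 1; }
    return 0
}

# Return 0 only if both dumps ($1, $2) are sane for size $3 and byte-identical.
# Two reads that disagree are the classic sign of a CPU still driving the bus.
dumps_agree() {
    dump_looks_sane "$1" "$3" && dump_looks_sane "$2" "$3" && cmp -s "$1" "$2"
}

# Usage: sh spi-verify.sh read backup.bin
# Performs two reads; keeps backup.bin only if the reads agree.
if [ "${1:-}" = "read" ]; then
    out="${2:-flash.bin}"
    if dump_flash "$out" && dump_flash "${out}.second" \
        && dumps_agree "$out" "${out}.second" "$EXPECTED_SIZE"; then
        rm -f "${out}.second"
        echo "consistent dump: $out"
    else
        echo "dumps disagree or look wrong; hold the CPU in reset and retry" >&2
        exit 1
    fi
fi
```

Keep the verified dump before desoldering; it is the only copy of the board's bootloader and art partition if the swap goes badly.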