[PLUG] January speaker?

Russell Senior russell at pdxlinux.org
Fri Dec 20 00:40:13 UTC 2024



On 12/19/24 10:20, Ted Mittelstaedt wrote:
> The problem is that the CFE bootloaders (for Broadcom) and the uboot bootloaders (for Atheros, Mediatek, etc.) that the factory puts in are mostly horrible crap.  A good bootloader would give you a 5 second pause on boot where you could use a TFTP client to push an image and it would only write the image to the linux partition.  That would literally cover every possible factory recovery scenario or dd-wrt or openwrt or freshtomato conversion routine.  Even better would be dumping the entire flash contents, including bootloader, art partition, etc. on the thing if the tftp server available during the 5 second window received a get command for a specific filename.

In order to get a u-boot prompt on many TP-Link devices you have to type
"TPL\n" during the short window u-boot waits before booting from flash.
Vendors generally don't want end users screwing around with their
firmware, so they try to be obstructive. Another trick is to not populate
a zero-ohm resistor on their RX pin, to prevent unknowing users from
typing anything into the serial console. That way, they have access
during development, but during production, it takes an extra
vaguely-obscure step to debug. They usually don't try super hard, so
with moderate persistence someone is going to figure it out. Or, more
likely, has already figured it out and documented it on the Internet.

Often there are missing pull-up resistors on the JTAG ports. On the 
TP-Link WDR3600, for example, there is a missing zero ohm resistor 
connecting the CPU reset line and the 2x10 JTAG footprint. When using an 
external SPI programmer, you are supplying power to the 3.3V power rail 
on the board, so the CPU will typically start running. Ideally, you want 
to hold the CPU in reset so that it isn't running code that potentially 
also uses the SPI bus and conflicts with the external programmer.  I 
just did an 8MB-to-16MB flash swap on 6 or so of them, and it involved
copying the still-soldered 8MB SPI chip. I used two probes from a 
SensePeek PC-bite (https://sensepeek.com/pcbite-20) to jumper the right 
two tiny resistor pads together temporarily to hold reset low while I 
was reading the flash with a SOIC-8 chip clip.

A local guy (Joe FitzPatrick: https://github.com/securelyfitz) made a
board called the "Tigard", which is an FTDI swiss army knife for UART,
SPI and I2C:

   https://www.crowdsupply.com/securinghw/tigard

I also made my own SPI programmer from a Pi Pico (running serprog
firmware, a protocol that flashrom and flashprog support) and a custom PCB:

   https://oshpark.com/shared_projects/1JIwcGvH


-- 
Russell Senior
russell at pdxlinux.org
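
Added example (editor's note, not code from Russell's post or from the
flashrom project): a small wrapper around flashrom's serprog programmer
that dumps an in-circuit SPI flash twice and only accepts the result when
both reads are the expected size, identical, and not all-0xFF/all-0x00.
The point is the failure mode described above: if the SoC is not held in
reset it can drive the SPI bus while the clip is reading it, and the
symptom is two reads that disagree. The programmer string, the device
node /dev/ttyACM0, the 8 MiB chip size and the dump-name argument are
assumptions; adjust them for your board.

```shell
#!/bin/sh
# Added example, not code from the original post. Dumps an in-circuit SPI
# flash twice through a serprog programmer and only trusts the result when
# both reads agree byte for byte and have the expected size.
#
# Assumptions (adjust for your setup): flashrom is installed, the Pi Pico
# running serprog enumerates as /dev/ttyACM0, and the chip is 8 MiB.

PROGRAMMER="${PROGRAMMER:-serprog:dev=/dev/ttyACM0:115200}"
CHIP_BYTES="${CHIP_BYTES:-8388608}"   # 8 MiB; use 16777216 for the 16 MiB part

# One read of the whole chip into the file named by $1. If the SoC is not
# held in reset it may drive the SPI bus while the programmer is clocking
# it, which shows up as reads that differ from one another.
read_flash() {
    flashrom -p "$PROGRAMMER" -r "$1"
}

# True when the two dump files are exactly CHIP_BYTES long and identical.
dumps_agree() {
    [ "$(wc -c < "$1")" -eq "$CHIP_BYTES" ] || return 1
    [ "$(wc -c < "$2")" -eq "$CHIP_BYTES" ] || return 1
    cmp -s "$1" "$2"
}

# True when the dump contains something other than all 0xFF (erased or
# unclocked chip, bad clip contact) or all 0x00 (data line stuck low).
not_blank() {
    [ "$(LC_ALL=C tr -d '\377' < "$1" | wc -c)" -gt 0 ] || return 1
    [ "$(LC_ALL=C tr -d '\000' < "$1" | wc -c)" -gt 0 ]
}

# Read twice, compare, and print a checksum worth writing on the bag the
# old chip goes into. Fail rather than hand back a dump that may be corrupt.
dump_and_verify() {
    read_flash "$1.first.bin"  || return 1
    read_flash "$1.second.bin" || return 1
    if dumps_agree "$1.first.bin" "$1.second.bin" && not_blank "$1.first.bin"; then
        mv "$1.first.bin" "$1.bin" && rm -f "$1.second.bin"
        sha256sum "$1.bin"
    else
        echo "reads disagree or look blank; hold the CPU in reset and retry" >&2
        return 1
    fi
}

# Only touch hardware when run as a script with a dump name, e.g.:
#   sh dump_flash.sh wdr3600-orig
if [ -n "${1:-}" ]; then
    dump_and_verify "$1"
fi
```

Two practical notes. Reading twice is cheap compared to discovering later
that the only copy of a board's calibration data is garbage, so the
script treats a single clean-looking read as insufficient. And flashrom
refuses to write an image whose size does not match the chip, so a
verified 8 MiB dump cannot simply be written to the 16 MiB replacement;
how the partitions are laid out on the larger chip is device-specific and
is not something this script decides.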