[SOLVED] CFE question

Has anyone really dug into CFE loaders on routers or other devices? I was thinking of playing with a router just for fun but wanted to know any thoughts on this.

I'd be interested if routers tend to have tftp available usually or even pxe boot ability as typical.

Thanks.

May have to ask on embedded site too I guess.

I'm taking it you mean small household router/modems, not Cisco routers, which are different animals altogether.

The old approach to routers and that stuff was to use an eprom; That's read only, re-programmable by 21V applied to a PGM pin and erasable by UV. I think I had one in a 2400 bit modem. There is also PROM, which I'm sure is obsolete, i.e. Programmable Read Only Memory. This was because companies had a bottleneck erasing eproms, and PROMs were cheaper to buy and swap; no return needed.

After paying once when the eprom program was hacked, I'm sure everyone switched to battery backed ram or some such. We had several generations of that. The PC motherboard BIOS update is a fairly good way to go; you can't get in online, but there is one well-hidden-never-documented way in locally, which probably changes with every software version. They're all running some embedded OS now, so storage and capabilities are bigger. And instead of replacing eproms, it's 'download this update.' If I was on a router design team, I'd like to make writes to sensitive parts of the system impossible in hardware without user interfacing of some sort.

Still, if you get your hack right you can breach a router OS from online. Making it stick over a reboot is a much bigger hurdle, as there's (or there should be) write protection on the router OS. But competition is a good thing; if everyone had the same router, hacking routers might be worth doing.

I'd be surprised personally if any designs (even cfe) intentionally leave write access open to online attacks. There's far too much respect for hackers achievements to do that. Local network, maybe. The great security advantage of SoC designs is that you can program in your own thoughts in there, and nobody can read them back.

Thanks for the reply.

Yes, home router. Actually an rt68u. I used to see burners for eproms all over town, may be some but basically I wanted to get into the cfe only for learning more. I have an older asus router I thought I'd practice on. Brick is OK.

From the online material I've read it seems that many of these routers can be forced into cfe mode but there the options are not clear. I'm not sure if the writer of each device made choices or if other hardware factors come into this.

Just looking for anyone who has worked with cfe. Might have to get on some embedded site.

You're right, there's a lot of available options to manufacturers. I presume you read the basic stuff
https://wiki.openwrt.org/doc/techref/bootloader/cfe
http://melbourne.wireless.org.au/files/wrt54/cfe.pdf

Another good source of info you mightn't think of would be a datasheet for the particular BCM47XXX chip that's installed. I haven't used CFE, but I have worked extensively with embedded. Apparently most systems using cfe have to use a serial terminal to get in, with Ctrl_C or Escape keys being pressed during power up activate cfe. It sounds like a proper PITA for a one-off. In a factory situation it's fine. Some techie spends a day hacking into his first one, but does 50 the next day.

Here's where the data sheet becomes useful. You can look for various pins of interest, and see where the connections lead. (probably to some on-board socket) Alternatively google a manual for that little box and see what it says. It's a little early to start talking about bricks - we haven't started yet.

Thanks, maybe I'll wait until I get more info about this.

Yes, did see those. They were a good place to start.

Might break into it just to see where the serial connection may need to be soldered to. Doubt it is there.

Guess I'll mark this solved.

Thanks again.