He has been busy with his Linksys WRT120N router. When we last checked in, he had reverse engineered the obfuscation techniques used in the router's firmware. Since then, he's re-enabled JTAG, cracked the "encryption" used for saving configuration backups, and now he's devised a simple attack to change the admin password.

With the firmware unlocked, he went after the hardware JTAG. His first hurdle was a missing jumper connecting the TDI pin to the processor. With a solder blob making the connection, he then found the router would connect to his JTAG debugger and immediately reset. TDI had been re-used as a GPIO in software and assigned to the reset button on the back of the router, so his JTAG pod was pulling the pin low and causing the reset. To make matters worse, the bootloader also redefined and checked for the reset button: if the button were pressed, it would boot into a recovery mode. He patched the bootloader with a little help from IDA Pro. The firmware required a similar patch. He then desoldered the router's flash and programmed it outside the system. Rather than desolder the flash chip again, he created a firmware update the router would accept and flashed it via the router's web interface.

Since he was already deep into the Linksys firmware, he looked for any obvious attack vectors. He found a big one in /cgi/tmUnBlock.cgi.