by 127361
927 days ago
Some old Realtek switch chips featured a protocol called RRCP[1] where you could write to the hardware registers using a specific type of Ethernet frame. So I guess a CCP-designed backdoor would probably detect a specially encrypted WiFi packet and then allow the internal memory of the device to be written/read over the air. The key would be hardwired into the chip, part of the random logic - so there will be no visible block to identify on visual inspection of the die. Or more subtly they could insert (or just not fix) a bug which allows packet descriptors to be overwritten on reception of a certain malformed WiFi packet, e.g. too short or long, which makes it possible to overwrite regions of the device's memory and thus compromise it. An SDR might be required to transmit the malformed packet(s). By the way, I wonder if modern Realtek switch chips might still support RRCP, and an undocumented EEPROM bit or strapping resistor might re-enable it? 1. https://en.wikipedia.org/wiki/Realtek_Remote_Control_Protoco...
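To make the "write registers with a specific Ethernet frame" part concrete, here is an added example (written for this page, not code from the commenter, from Realtek or from the openrrcp project) that encodes and decodes RRCP frames and runs a small monitoring pass over constructed traffic. The EtherType 0x8899 is documented; the body layout (proto, opcode with a reply bit, 16-bit authkey, 16-bit register address, 32-bit register data, two 32-bit cookies), the little-endian field order and the default authkey 0x2379 are assumptions taken from the openrrcp project's description of the protocol, so verify them against the chip you actually have. Nothing here touches a network interface; the sample frames are constructed in the block.

```python
"""Encoder/decoder for Realtek RRCP management frames (EtherType 0x8899).

Body layout, little-endian byte order and the default authkey are assumptions
taken from the openrrcp project's protocol description, not from the thread.
No network I/O: frames are built and parsed as byte strings only.
"""
import struct

ETHERTYPE_RRCP = 0x8899
RRCP_PROTO = 0x01                        # protocol byte right after the EtherType
OP_HELLO, OP_GET, OP_SET = 0x00, 0x01, 0x02
OPNAMES = {OP_HELLO: "HELLO", OP_GET: "GET", OP_SET: "SET"}
REPLY_BIT = 0x80                         # set in the opcode byte of the switch's answer
DEFAULT_AUTHKEY = 0x2379                 # assumed factory default; operators can change it

# Body after the 14-byte Ethernet header (assumed little-endian, per openrrcp):
# proto(1) opcode(1) authkey(2) reg_addr(2) reg_data(4) cookie1(4) cookie2(4)
_BODY = struct.Struct("<BBHHIII")
MIN_FRAME = 60                           # minimum Ethernet frame without FCS; zero-padded


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, opcode, reg_addr=0, reg_data=0,
                authkey=DEFAULT_AUTHKEY, reply=False, cookies=(0, 0)):
    """Encode one RRCP frame. reg_addr selects the switch register; reg_data is
    the value written by SET or the value carried back in a GET reply."""
    op_byte = (opcode & 0x7F) | (REPLY_BIT if reply else 0)
    body = _BODY.pack(RRCP_PROTO, op_byte, authkey, reg_addr, reg_data, *cookies)
    frame = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ETHERTYPE_RRCP) + body
    return frame.ljust(MIN_FRAME, b"\x00")


def parse_frame(frame):
    """Decode an RRCP frame into a dict; return None for anything that is not RRCP."""
    if len(frame) < 14 + _BODY.size:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_RRCP:
        return None
    proto, op_byte, authkey, reg_addr, reg_data, c1, c2 = _BODY.unpack_from(frame, 14)
    if proto != RRCP_PROTO:
        return None
    return {
        "dst": bytes_to_mac(frame[0:6]),
        "src": bytes_to_mac(frame[6:12]),
        "opcode": op_byte & 0x7F,
        "reply": bool(op_byte & REPLY_BIT),
        "authkey": authkey,
        "reg_addr": reg_addr,
        "reg_data": reg_data,
        "cookies": (c1, c2),
    }


def audit(frames):
    """Defender's view: one line per RRCP *request* seen on the wire. Register
    writes (SET) and use of the assumed default authkey are flagged, since those
    are the conditions a network monitor would want to alert on."""
    findings = []
    for i, raw in enumerate(frames):
        pkt = parse_frame(raw)
        if pkt is None or pkt["reply"]:
            continue
        name = OPNAMES.get(pkt["opcode"], f"OP{pkt['opcode']:#x}")
        line = f"frame {i}: RRCP {name} from {pkt['src']} reg={pkt['reg_addr']:#06x}"
        if pkt["opcode"] == OP_SET:
            line += f" data={pkt['reg_data']:#010x} [register write]"
        if pkt["authkey"] == DEFAULT_AUTHKEY:
            line += " [default authkey]"
        findings.append(line)
    return findings


# Constructed sample traffic (not a real capture): broadcast HELLO, a GET, a SET
# using a non-default key, the switch's GET reply, and an unrelated IPv4 frame.
SWITCH = "00:11:22:33:44:55"
HOST = "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", HOST, OP_HELLO),
    build_frame(SWITCH, HOST, OP_GET, reg_addr=0x0001),
    build_frame(SWITCH, HOST, OP_SET, reg_addr=0x0001, reg_data=0xDEADBEEF, authkey=0x1234),
    build_frame(HOST, SWITCH, OP_GET, reg_addr=0x0001, reg_data=0x0A0B, reply=True),
    mac_to_bytes(SWITCH) + mac_to_bytes(HOST) + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 45,
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES):
        print(line)
```

Feeding real frames (e.g. from a pcap via a raw socket or a capture library) into audit() turns this into a simple detector for RRCP management traffic; a plain Layer-2 frame with EtherType 0x8899 and a SET opcode is exactly the "specific type of Ethernet frame" the comment refers to, which is why the example keys the alert on opcode rather than on payload contents.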
You can write these registers via the management interface or via the EEPROM. It will not respond to discovery packets, but get and set packets work fine.
This chip also has an 8051 core that can access the internal bus and can tx/rx network packets. To use it you either attach external SPI flash (large program) or write the program into the internal RAM in the chip (small program).
All documented stuff, no secret details.