
The bootloader installs the firmware. If you corrupt the bootloader, it can't install anything anymore. You'd need to physically access the chip to use an external flashing device. Some devices have non-writable bootloaders. They have an internal fuse that blows after the first write, so the chip's bootloader is locked. That means you can always flash a new firmware, but you can't fix any bugs in the bootloader.



Or a JTAG interface that the chip has in silicon and recovery is always possible from bare-metal. Dunno if that’s technically in the MCU’s bootloader or if the boot loader comes after.

Still requires a truck roll but at least you don’t need a hot air workstation.


> Or a JTAG interface that the chip has in silicon and recovery is always possible from bare-metal. Dunno if that’s technically in the MCU’s bootloader or if the boot loader comes after.

If the vendor's actually trying to lock down the platform they'll usually burn the JTAG fuses as well. It's hit or miss though, I've definitely come across heavily locked down devices that still have JTAG/SWD enabled.

Edit: To your question, JTAG is usually physical silicon, not part of the bootloader.


> The bootloader installs the firmware. If you corrupt the bootloader, it can't install anything anymore.

That seems like awful design? Can't you have an alternate immutable bootloader that can only be enabled with a physical switch? Or via some alternate port or something? That way they can update the live one while still having a fallback/downgrade path in case it has issues.


That's a good idea. I wish they would have such a "safety-switch".

However, I assume that any malware doesn't want to be detected, so I would have a hard time knowing whether I should flip the switch or not, in a typical scenario.


That was likely the point that whoever did it was trying to make, that they were an extremely bad device.

1) The ISP exposed some form of external management they used to access them that they shouldn't have

2) The attacker overcame whatever security was used on said management interface

3) Once in, the attacker could simply overwrite the first few sectors of the NAND to make them unbootable without a local hardware serial console.

4) There was no failsafe recovery mechanism, it would seem

An actual "modem" would most likely prove volatile/immutable by nature, but anything with a "router" built into it is far more vulnerable; those typically run poorly secured tiny Linux systems, and are subject to Chinese enshittification.


25 years in tech and I’m still waiting for that free lunch



