> the bootloader installs the firmware. if you corrupt the bootloader, it can't install anything anymore.
That seems like awful design? Can't you have an alternate immutable bootloader that can only be enable with a physical switch? Or via some alternate port or something? That way they can update the live one while still having a fallback/downgrade path in case it has issues.
That's good idea I wish they would have such a "safety-switch".
However I assume that any malware doesn't want to be detected so I would have hard time knowing whether I should flip the switch or not, in a typical scenario.
That was likely the point that whoever did it was trying to make, that they were an extremely bad device.
1) The ISP exposed some form of external management they used to access them they shoudldn't have
2) The attacker overcame whatever security used on said management interface
3) Once in, the attacker could simply overwrite the first few sectors of the nand to make them unbootable without local hardware serial console.
4) There was no failsafe recovery mechanism it would seem
An actual "modem" would mostly likely prove volatile/immutable by nature, but anything with a "router" built into it is far more vulnerable that typically run for poorly secured tiny linux systems, and subject to Chinese enshittification.
That seems like awful design? Can't you have an alternate immutable bootloader that can only be enable with a physical switch? Or via some alternate port or something? That way they can update the live one while still having a fallback/downgrade path in case it has issues.