Completely Wipe Used Router to avoid Malware

I have an Asus RT-ACRH13, it had OpenWRT on it, I flashed it to factory, and back to OpenWRT.
Would that be enough to get rid of any malware that may have been on it when I bought it?
I am guessing switching back to Stock should delete all writable partitions?

Where did you buy it from? Why do you think it would have malware on it?

Flashing openwrt/stock firmware should reset it to factory defaults and remove any prior software/settings.

3 Likes

This would be the flash setup of your device:

  • a small 2 MB spi-nor flash, to contain first- and second-stage bootloader, various device firmwares, calibration data, bootloader environment, etc.
  • a large 128 MB spi-nand chip, used in its entirety for kernel&rootfs(&overlay), what's usually known as 'firmware'

The spi-nor flash is never touched by OpenWrt, and presumably neither by OEM firmware upgrades (as doing so is failure prone). While the bootloader 'should' cease to exist at runtime, after the handover to the linux kernel, it's not completely possible to rule out malicious intent either stemming from there, or indirectly via MIBIB/ QSEE/ CDT.

If you consider yourself to be a high value/ risk target, you'd have to keep supply chain security in mind and/ or audit those partitions as well. Problems for auditing would entail finding a known-good reference (as they presumably aren't part of the OEM updates, maybe in the OEM GPL dump, if you're lucky) and that you are partially dealing with dynamic (device-specific) contents (at the very least DDRPARAMS, APPSBLENV, ART).

2 Likes
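The auditing approach described in the post above (dump the spi-nor partitions, compare them against a known-good reference, and treat the device-specific ones separately) can be scripted. The script below is an added example and is not code from the thread or from the OpenWrt project; it assumes that partition dumps exist as `<name>.bin` files (on a live device they would come from the MTD devices, e.g. `dd if=/dev/mtd0ro`) and that the reference is a `sha256sum`-format manifest. The partition file names and the images are constructed for the demo; the list of dynamic partitions (DDRPARAMS, APPSBLENV, ART) is taken from the post.

```shell
#!/bin/sh
# Added example, not code from the thread: audit dumped flash partitions
# against a known-good reference manifest. On a live OpenWrt box the dumps
# would come from the MTD devices (e.g. dd if=/dev/mtd0ro of=/tmp/mtd0.bin
# for the spi-nor partitions); here the images and manifest are constructed
# inline so the script runs offline. Partition file names are assumptions.

# Partitions the thread calls out as dynamic/device-specific: no static
# reference hash can exist for them, so they are flagged for manual review.
DYNAMIC_PARTS="DDRPARAMS APPSBLENV ART"

# Parse /proc/mtd-style text from stdin into "index name size_bytes" lines.
# /proc/mtd lines look like:  mtd0: 00040000 00010000 "0:SBL1"
parse_mtd() {
    while read -r dev size erase name; do
        case "$dev" in
            mtd*) ;;          # skip the "dev: size erasesize name" header
            *) continue ;;
        esac
        idx=${dev#mtd}; idx=${idx%:}
        name=${name#\"}; name=${name%\"}
        printf '%s %s %s\n' "$idx" "$name" "$((0x$size))"
    done
}

# audit_partitions DUMPDIR MANIFEST
# MANIFEST is in sha256sum format ("<hash>  <file>"). Prints one status line
# per *.bin image in DUMPDIR and returns 1 if anything needs attention.
audit_partitions() {
    dumpdir=$1; manifest=$2; rc=0
    for img in "$dumpdir"/*.bin; do
        fname=$(basename "$img")
        base=${fname%.bin}
        case " $DYNAMIC_PARTS " in
            *" $base "*)
                echo "$fname DYNAMIC (device-specific, review manually)"
                continue ;;
        esac
        actual=$(sha256sum "$img" | cut -d' ' -f1)
        expected=$(awk -v f="$fname" '$2 == f { print $1 }' "$manifest")
        if [ -z "$expected" ]; then
            echo "$fname NO-REFERENCE"; rc=1
        elif [ "$actual" = "$expected" ]; then
            echo "$fname OK"
        else
            echo "$fname MISMATCH"; rc=1
        fi
    done
    return "$rc"
}

# Build a constructed dump directory and manifest for the offline demo;
# prints the directory path. sbl1 matches its reference, cdt is given a
# deliberately stale reference hash, ART is dynamic and has none.
demo_setup() {
    d=$(mktemp -d)
    printf 'constructed sbl1 image' > "$d/sbl1.bin"
    printf 'constructed cdt image'  > "$d/cdt.bin"
    printf 'constructed ART image'  > "$d/ART.bin"
    {
        (cd "$d" && sha256sum sbl1.bin)
        printf '%s  cdt.bin\n' \
          0000000000000000000000000000000000000000000000000000000000000000
    } > "$d/reference.sha256"
    echo "$d"
}

# Demo run: parse a constructed /proc/mtd line, then audit the constructed dumps.
printf 'dev:    size   erasesize  name\nmtd0: 00040000 00010000 "0:SBL1"\n' | parse_mtd
demo_dir=$(demo_setup)
audit_partitions "$demo_dir" "$demo_dir/reference.sha256" || echo "audit: discrepancies found"
rm -rf "$demo_dir"
```

The point of the `DYNAMIC` status is the caveat from the post: a byte-for-byte reference will never match calibration or environment partitions, so a naive "everything must match" audit would either always fail or tempt you to skip them; flagging them separately keeps the static partitions (bootloader stages, CDT, etc.) under a strict check while leaving the device-specific ones for manual inspection.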

Thanks for the info, that really helps. Is there any Openwrt router that flashing would guarantee that everything is erased, or do you think it's best to buy a new router to make sure it doesn't come with any surprises? I would trust a store, I just don't want to get something used in which the seller has added something.

From a technical point of view you can’t really erase the malware or anything else on the flash memory.

The only thing you do is to overwrite the old data with new data and the rest of the memory is released as free empty space. But the data itself is untouched.

But even malware without a registered memory address is pretty much inert.