Some old Realtek switch chips featured a protocol called RRCP[1] where you could write to the hardware registers using a specific type of Ethernet frame. So I guess a CCP-designed backdoor would probably detect a specially encrypted WiFi packet and then allow the internal memory of the device to be written/read over the air. The key would be hardwired into the chip as part of the random logic, so there would be no visible block to identify on visual inspection of the die.
Or more subtly they could insert (or just not fix) a bug which allows packet descriptors to be overwritten on reception of a certain malformed WiFi packet, e.g. too short or long, which makes it possible to overwrite regions of the device's memory and thus compromise it. An SDR might be required to transmit the malformed packet(s).
By the way, I wonder if modern Realtek switch chips might still support RRCP, and an undocumented EEPROM bit or strapping resistor might re-enable it?
Many modern Realtek chips still support RRCP. You just need to enable it.
For example for RTL8370N:
Register 0x18d6 configures the 16-bit key, 0x18d4 selects which ports can use it (0xFF for all, normally only the CPU port), 0x18d3=0x1 enables it.
You can write these registers via the management interface or via the EEPROM. It will not respond to discovery packets, but get and set packets work fine.
This chip also has an 8051 core that can access the internal bus and can tx/rx network packets. To use it you either attach external SPI flash (large program) or write the program into the internal RAM in the chip (small program).
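As an added example (not code from the thread, from Realtek, or from OpenRRCP), here is a small Python encoder/decoder for RRCP get/set frames, together with the RTL8370N register writes listed in the comment above. The frame layout (EtherType 0x8899, protocol byte 0x01, opcode byte with a reply bit, then a 16-bit key, 16-bit register address and 32-bit value), the little-endian field order and the default key 0x2379 are my assumptions from the public RRCP description, not something the comment states; check them against OpenRRCP before relying on them. Nothing is sent on the wire; the parser doubles as a capture filter for spotting RRCP traffic on a LAN.

```python
"""RRCP frame builder/parser plus the RTL8370N enable writes (added example).

Layout and default key are assumptions from the public RRCP description:
  dst(6) src(6) EtherType 0x8899 | proto 0x01 | opcode | key(2) | reg(2) | value(4)
Multi-byte RRCP fields are treated as little-endian (assumption).
"""
import struct

ETHERTYPE_RRCP = 0x8899
RRCP_PROTO = 0x01
OP_HELLO, OP_GET, OP_SET = 0x00, 0x01, 0x02
REPLY_BIT = 0x80              # set in the opcode byte of a switch's answer
DEFAULT_AUTHKEY = 0x2379      # commonly published default key (assumption)
MIN_FRAME = 60                # minimum Ethernet frame length without FCS

# RTL8370N registers quoted in the comment above.
REG_RRCP_ENABLE = 0x18D3      # write 0x1 to enable RRCP
REG_RRCP_PORTMASK = 0x18D4    # one bit per port; 0xFF = every port
REG_RRCP_KEY = 0x18D6         # 16-bit authentication key

ETH_HDR = struct.Struct(">6s6sH")    # dst, src, EtherType (network order)
RRCP_BODY = struct.Struct("<BBHHI")  # proto, opcode, key, reg, value (LE assumed)


def rrcp_enable_writes(key, portmask=0xFF):
    """Register writes to apply over the management interface or EEPROM.

    RRCP cannot enable itself, so these go through the management bus, not
    over Ethernet. The enable bit is written last so a partial write sequence
    leaves RRCP off rather than on with a default key and all ports open.
    """
    return [
        (REG_RRCP_KEY, key & 0xFFFF),
        (REG_RRCP_PORTMASK, portmask & 0xFF),
        (REG_RRCP_ENABLE, 0x1),
    ]


def build_frame(dst, src, opcode, reg=0, value=0, authkey=DEFAULT_AUTHKEY):
    """Encode one RRCP frame, zero-padded to the Ethernet minimum size."""
    frame = ETH_HDR.pack(dst, src, ETHERTYPE_RRCP) + RRCP_BODY.pack(
        RRCP_PROTO, opcode, authkey, reg, value)
    return frame.ljust(MIN_FRAME, b"\x00")


def build_probe(dst, src, reg=REG_RRCP_ENABLE, authkey=DEFAULT_AUTHKEY):
    """GET frame for probing a switch. Per the comment above the RTL8370N does
    not answer HELLO (discovery), so a register read is the useful probe."""
    return build_frame(dst, src, OP_GET, reg, 0, authkey)


def parse_frame(frame):
    """Decode an RRCP frame into a dict, or return None for any other frame.

    Usable as a filter over raw captured Ethernet frames to find RRCP
    traffic that a switch vendor may have left enabled by mistake.
    """
    if len(frame) < ETH_HDR.size + RRCP_BODY.size:
        return None
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_RRCP:
        return None
    proto, opcode, authkey, reg, value = RRCP_BODY.unpack_from(frame, ETH_HDR.size)
    if proto != RRCP_PROTO:
        return None
    return {
        "dst": dst,
        "src": src,
        "opcode": opcode & ~REPLY_BIT,
        "reply": bool(opcode & REPLY_BIT),
        "authkey": authkey,
        "reg": reg,
        "value": value,
    }


if __name__ == "__main__":
    # Constructed sample MACs; no traffic is sent.
    sw = bytes.fromhex("001122334455")
    me = bytes.fromhex("66778899aabb")
    for reg, val in rrcp_enable_writes(0xBEEF):
        print(f"mgmt write reg 0x{reg:04x} = 0x{val:x}")
    print(parse_frame(build_probe(sw, me)))
```

Two practical notes on the design: the register triples are returned as data rather than as frames because RRCP is the thing being switched on, so they have to travel over the management interface or EEPROM the comment mentions; and the probe uses GET rather than HELLO because the comment says discovery packets go unanswered on this chip.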
Thanks for that, I wonder how many switches out there have it enabled inadvertently, because of a mistake by the manufacturer?
By the way, some of the Broadcom chips have an integrated 8051, with on-chip ROM firmware. There are leaked datasheets floating around somewhere as well. If someone has the time to dump the on-chip ROM, it would be interesting to see what's in there.
Note, some of the pins marked NC in the datasheet are in fact the 8051 UART TX/RX lines.
1. https://en.wikipedia.org/wiki/Realtek_Remote_Control_Protoco...