MediaTek's router SoCs power a huge share of consumer Wi-Fi gear — TP-Link Archer, ASUS RT, Xiaomi Mi Router, GL.iNet, Linksys, dozens of smaller OEM brands. The boot chain is multi-stage (preloader → ATF → U-Boot → kernel) and each stage echoes to UART. BootIntel reads the full chain.
What BootIntel detects on MediaTek SoCs
- Preloader / Bootloader version — first lines of UART output (often "[BLDR] Build Time:..."). Stale preloaders have known fault-injection or USB-download-mode exposure.
- SPI-NAND / NOR layout — partition table echoed early. Surfaces "factory" partition (contains MAC, factory PIN, Wi-Fi calibration), "config" partition (writable user data — often plaintext credentials).
- U-Boot autoboot interrupt window — MediaTek-default builds typically expose the U-Boot CLI; OEMs sometimes disable, sometimes don't.
- Wireless calibration RF data partition — flagged because dumping it gives an attacker the device's factory-printed MAC and sometimes the WPA key for the default SSID.
- Vendor-locked debug stages — Xiaomi, ASUS, TP-Link each have their own production-disable flags. We catch when one of them is missing.
- OpenWrt-on-top fingerprint — many MediaTek devices run OpenWrt; we cross-link to the OpenWrt page for the userland findings.
What a typical MediaTek MT7621 boot log looks like
U-Boot 1.1.3 (Apr 25 2023 - 14:33:11)
Board: Ralink APSoC DRAM: 128 MB
relocate_code Pointer at: 87f48000
flash manufacture id: ef, device id 40 19
find flash: W25Q256JV
*** Warning - bad CRC, using default environment
============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC 7621A DualCore (MAC to MT7530 Mode)
DRAM component: 1024 Mbits DDR3
DRAM bus: 16 bit
Total memory: 128 MBytes
Flash component: SPI Flash
Date:Apr 25 2023 Time:14:33:11
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768
##### The CPU freq = 880 MHZ ####
estimate memory size =128 Mbytes
RESET MT7530...
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
You choose 3
3: System Boot system code via Flash.
[ 0.000000] Linux version 5.15.137 ([email protected])Example findings BootIntel surfaces
- Interruptable boot menu (CRITICAL) — lines 19-23 show the U-Boot menu. Anyone with serial access can pick option 1/2 to load arbitrary firmware via TFTP, or option 4 to drop to U-Boot CLI.
- U-Boot 1.1.3 from 2023 (HIGH) — that's an ancient U-Boot. CVEs in IP fragmentation handling, environment parsing, and USB stack are present. Most vendor MT7621 builds inherited this lineage.
- "Bad CRC, using default environment" (MEDIUM) — line 7. The U-Boot environment block didn't validate; the device fell back to defaults. If those defaults include factory TFTP server addresses, a rogue server on the LAN can serve firmware on next boot.
Related reading
- OpenWrt device guide — covers the userland on top of MediaTek SoCs.
- U-Boot Security Misconfigurations: The Top 10
- Finding UART Pins on an Unknown Board — MediaTek router boards usually have a 4-pin header right next to the SoC.