I'm curious to know if using a different firmware would be a valid way to secure a (potentially compromised) router, or is this kind of tampering done at the hardware level—in some hidden part of a microprocessor?
It's hard to imagine it's just software, as the router firmware could be validated against the manufacturer's own available on web sites. It could similarly be circumvented via a manufacturer software update (or open source alternative).
On the other hand, swapping out hardware en masse could get expensive, but the NSA has probably spent more for less.
NSA and company probably do it all levels, but any level below the OS is probably preferable because it is less risk of being caught.
Who would you know if they targeted only you with a microcode update for your Intel/AMD CPU that made crypto weaker? All the assembler instructions that you execute are just the same as someone with a proper microcode blob.
ucode blobs are usually signed with strong crypto (RSA-2048 on Intel iirc), so unless the NSA doesn't get the keys or the raw transistor layouts of the CPU in order to look for bugs, no way to mess with the bytecode.
