Note that the following only applies to the TFTP server built into the 1.00.04 firmware. It seems that the TFTP server in the 1.00.06 firmware requires a full encapsulated image, and is therefore useless for flashing custom firmware (since we don't know how to rebuild a full encapsulated image with its cryptographic hash).
So to use the instructions below, you need to reflash your router with 1.00.04 firmware first.
To access the built-in TFTP server, you need a TFTP client that can provide a password along with the file write request. One such client can be found at http://redsand.net/projects/linksys-tftp/linksys-tftp.php for Linux and ftp://ftp.linksys.com/pub/network/tftp.exe for Windows.
Once you've used the SecretCGICommands to enable the TFTP server, and you've used the ShadowDataHack to change the protected admin password, then you can start writing files to the device to do certain things:
The TFTP server accepts a number of image files, determined by the correct content of the image file. The files that have been tested so far are:
This facility can be used to write modified images to the device.