Really informative video, thank you! Sadly I see there will be fewer and fewer devices "hackable" in the near future as more and more manufacturers (especially of routers / e.g. DOCSIS 3.1) start using hardware based encryption technology for their ROM. With little to no possibility to ever read extracted data. What do you think about this?

@FlashbackTeam

Жыл бұрын

We see more vendors using all kinds of firmware protection in their devices but still quite a lot of this can be bypassed. We actually cover this topic and how to bypass firmware encryption in our training. Few examples that we have used or seen on real life devices: * Firmware upgrade is encrypted but there is decryption binary on the device. All you have to do is reverse or emulate the binary to decrypt outside of the device. * Firmware upgrade is encrypted but the actual firmware on the flash is not. * Firmware is encrypted but you can get access to a running system. * Firmware stored on flash is encrypted but encryption keys are not stored properly or are cached. * Firmware is protected by read-only fuse but it would be possible to bypass that check and extract firmware. * Side channel attacks allow to reveal encryption keys But if vendor did a really good job and encryption material is stored in hardware and it can't be retrieved easily or firmware can't be decrypted, you have to level up - find a zero day vulnerability using black box techniques, which we also did on few occasions. It's always a matter of how much time and energy you can invest on a target.

@Neeharpc

Жыл бұрын

@@FlashbackTeam what about qualcom chipsets ? can we hack it , because they lock the cpu and gpu clock. trustzone and other hardware controles the clock frequencies now , any way to hack it ?

@inod5656

Жыл бұрын

smells like scriptkiddy in here

@gayusschwulius8490

Жыл бұрын

Such encryption is inherently flawed because the mechanism to decrypt must reside within the device itself; so there's always - at least in theory - going to be a way to extract the decryption key from the device. I'm pretty sure the more common this becomes, the more people will find ways to do exactly that.

@cadmium1612

Жыл бұрын

@mr wpg Spoken like a true engineer. :)

Everything is explained clearly without wasting time or over-explaining. Well done.

@StarsManny

Жыл бұрын

That's exactly what I was going to say!

Very helpful for someone like myself just beginning to understand this stuff. Explaining the function and description of terminology is something i would normally have to do significant research for.

Please never delete this video, it's very helpful.

@reegyreegz

7 күн бұрын

Download it qnd save it

What an entertaining channel! I've been watching some pluralsight and udemy courses recently, and I wish the presenters of those courses had the same style and pace as you guys. You are always interesting. Well done!

Your videos are the best! Please don't stop making the tutorials! Thank you.

What a beautiful work!. Thank you for sharing your time and effort.

Damn this channel is so underrated.. just stumbled upon this while scrolling but definitely gonna stay for more .. Thanks for explaining this so well!

@FlashbackTeam

Жыл бұрын

Thank you for your kind words. We are working on a new video that we will release in the coming weeks. We are very excited about it and it's going to be just awesome! This time more into vulnerability research and exploit development.

wow.... this is one of the most fascinating videos I've ever seen on YT....

impressive stuff guys. I'm just getting started with electrical engineering. I've been seeing that a lot of intelligence agencies like to play games with each other at this level. It's all really fascinating.

So dope that you guys put this out for free. If it was near me I would totally attend your in-person training. A paid virtual event would also be awesome.

@FlashbackTeam

4 ай бұрын

We will be having both onsite and online trainings this year.

Perfect! Not to simple, not to complicated, with practical information.. Thank You

I just discovered your team, thank you so much for this interesting content!

Thanks for this content we can see al the time you have spend to make this incredible video !

This is really interesting, thank you for this content. Have you ever thought about analysing the SONOS smart speakers? I know that there is a lot of people interested in understanding these in order to be able to analyse the protocols used so that they can add their own DIY builds like with a raspberry pi to the network

Very interesting, and looking forward to more content!

Thanks for this content, it is really well explained.

That's nice. Great video brother!

Love these videos flashback team!

lol 😆🤣 9:55 oh Jesus got me cracking but all jokes aside this is one of the best well explained video on firmware extraction thanks

Simple, efficient, educative !

FYI: most routers are linux-based (e.g. Huawei created their own distro called "Dopra"), which means if you lucky then the flash isn't encrypted and you can mount EXT filesystem from it

@superslammer

Жыл бұрын

They usually add a header to the firmware that you need to strip out.

@KangJangkrik

Жыл бұрын

@@superslammer you're right! I did figured out weeks ago on my old huawei router

@superslammer

Жыл бұрын

@@KangJangkrik linux to the rescue :D

Yesss! I love to see you back! Pleasee consider to upload more often

WOW mind blow stunmbled on this channel and glued to the screen...

This channel is a treasure..

Damn this channel is a hidden gem

one of the essential videos on youtube )

You should consider offering a recorded ‘on demand’ version of the course. I would buy it!

Interesting. Look forward to more content.

thank you so much, Ive learnt alot from you in this video.

More information than from my technical degree in a few minutes

I'll be promoting you guys in all the forums I'm in ... STARTING with this video!!

Ima download it thanks for sharing!!

Very good hacking ! Nice job guys. I hope one day I can do your training session

Thank you, it works perfect!

Truly impressive!

Pls more videos ! Thats awesome

Nice! Used a similar process a few years back for some NAND flash. Didn't know about the hydrabus back then though. Instead I wrote a plugin using the older version of Saleae's SDK to dump the data of read commands to a binary file. Then had to do a little post-processing to get rid of the error correction codes that NAND has to transmit. Glad to see content showing an approach to the process!

@FlashbackTeam

Жыл бұрын

In the past we were using Teensy with custom code to dump NAND Flash. Worth giving it a try too! But of course the most efficient is to simply use a programmer, but less fun.

@AxWxK

Жыл бұрын

@@FlashbackTeam Lots of lessons learned! I don't think I knew what a programmer was at the time. We relied on the SoC's bootloader to copy the file system from flash and we just copied the bus. Asking the flash to kindly show us its memory would have definitely been more elegant 😂. Luckily the flash data at rest wasn't encrypted!

Lmao! Alright you got me with the Saleae joke.

He's so good at what he does.

Very nice simple and clean

I applaud your patience. My method of IoT “hacking” involves only two steps. Search, then destroy. I may start posting my handywork on another platform.

I particularly like the sound quality during the NOR description!

@FlashbackTeam

Жыл бұрын

Thank you! We are slowly improving our recording hardware and editing techniques :-)

I'd propose that while getting firmware images from a manufacturer's website is the easiest path, it still leaves the question of whether the firmware on the device is the same that is currently flashed to the device. While higher risk, and effort, pulling the firmware from the device is the most deterministic way to get the current firmware.

@FlashbackTeam

Жыл бұрын

Yes, that's a very good point. Plus you can find extra info, i. e. Device's config that is not part of the firmware downloaded from vendor.

this is some good quality stuff (even if i dont understand half of it lol)

I was waiting so bad for a new video! Great

that's really good!

Quite interesting video!. Im thinking to apply this tecnique to a grandstream fxs voip adapter: i have two, one working properly another bricked (extract ok -> write bricked). It seems a corrupted flash , so it worth the effort

I DEFINUTELY subscribed to this channel! F'ing quality bro!

I understand the general idea but executing it is a different story. I'm no hacker but this is very informative in itself. 👍

Nice info, thanks :)

Great work!

I will use this information to fix my kitchen stove as it had a rom checksum error. $400 is way to much for a control board. HACK THE PLANET. RIGHT TO REPAIR.

@nethacker91

4 ай бұрын

How did it go?

@jimlthor

3 ай бұрын

Burned down their home... 😢

@aegoni6176

5 күн бұрын

Hope they didn't sue you

@idiotwithasolderingiron

4 күн бұрын

I am an Idiot. I failed to get a ROM dump I could read. Might be encrypted. Anyone wanna look at it?

hanks lot Sir.. You helping us..

great video !

Muito bom !! Obrigado. Tudo de bom para ti Pedro e também para o Radek.

Hello, Flashback. I have a question. 16:59 and 17:42 The datasheet told us to use the Rising Clock. but why? Saleae told us the data use Falling Clock.

This is really cool! I wanna dump the firmware of my e-scooter to hack it a bit, I didn't realize it could be that trivial :-) hopefully I get lucky and I can read/write firmware that easily!

@FlashbackTeam

Жыл бұрын

We're happy you got inspired. Keep in mind that it all depends on where a firmware is stored. If it's external flash it is relatively easy. If firmware is stored within SoC/MCU then it won't be that easy as most likely there will be read protection that would need to be bypassed first.

@cheaterman49

Жыл бұрын

@@FlashbackTeam That's exactly what I was thinking - I use MCUs for work stuff, and it's not necessarily that easy to dump their firmware given their flash is on-chip! I'm just hoping I might get lucky with the e-scooters one way or another ; if not dumping existing firmware to reverse it and tweak it, then perhaps finding an open source reimplementation that I could flash onto the chip, or making a new board myself if I have to (the main control board in that scooter isn't the one doing power distribution to drive the motors, so it's not unrealistic to just make my own, just will take more time...)

Reassembling the memory from just sniffed traffic is feasible... But you only get the parts that are actually read. Might have to exercise the device a little so you get better coverage. Boot sequence might be enough to get a foot in.

Please regularly upload such a knowledgeable videos. After long time I am watching your videos. Love from India 🙏

Interesting. Thanks!

Iv just found this channel though a other channel and brother learning curve on both wow thinking 🤔 ik what I want to do

well Done! Very helpful, like from Pakistan

I remember encountering myself with a "Flashrom repository" or something like that. It had tons and tons of Flash Chips to look at, so much that I got overwhelmed with the information. It is great that nowadays reverse engineering is becoming something more common. Greetings from Paraguay.

@phr3ui559

8 ай бұрын

nice

Wow, it was cool to see how embedded devices get hacked as for man who is interested in embedded and IoT. Thanks for video

Amazing Video, Any time coming to India for training?!

Great resource

Really great video.. I've never done this, but have most of the tools and have been thinking of trying it just for fun.. I'm curious though - When you are powering that EEPROM from the clip, I'd be worried that I'd also be backfeeding power to the rest of the circuit, and potentially causing it to boot up, which might cause the MCU to start taking over the SPI bus.. Is there some way to guarantee you're only powering the memory that I'm missing, or is this really not as big of a problem as I am envisioning? Could techniques like finding the reset pin on the MCU and holding it low to prevent booting perhaps be a good workaround? Any other hints? How much experience is needed before I shouldn't expect to be completely lost in one of your in person training classes!?

@FlashbackTeam

Жыл бұрын

Hi. Thanks for your feedback. Very interesting questions. 1) From our experience, some boards would indeed be powered-up when we connect to the chip. Keep in mind, that we are supplying 3.3V so I assume it really depends on the board design. However, we didn't find it a big of an issue for us. When this happens, we usually wait a bit to increase the chance that the SPI bus is free. On many targets, after the boot process is finished and firmware placed in memory, there is much less data being fetched by a CPU compared to a booting stage. We just start our dump at that moment. Also, SPI protocol has that CS line which selects a chip. So all in all, it's not big of an issue for us. But keep in mind we are not electronics engineers, we are just hacking those devices using whatever works for us. 2) The reset pin technique is a very good idea. In fact we used it in the past on one of the target but for a different purpose. 3) If you can interrupt boot sequence, for example by entering bootloader menu, there should be very little interaction with the chip. 4) So far in most of the cases we didn't have to desolder SPI chip to read content from it. Usually in-circuit and it just works. It is on a contrary to NAND TSOP-48. Those almost never work in-circuit and we need to desolder it. 5) As for the training, it's an intermediate level course. The hardware part is on first day and we always use hw hacking only for the purpose of getting the firmware or enabling debugging. Sort of a first step in the chain. Then on the remaining days we move on to vulnerability finding and exploitation. For that reason, a student needs to have a good linux command line knowledge and some basics of reverse engineering and C knowledge. But we never leave anybody behind.

@phr3ui559

8 ай бұрын

which MCU

Excellent! used for hikvision

How extract firmware from a altera device with jtag? Great work!

Great video! Hey, is there a less expensive alternative to the Saleae Logic Analyzer that will achieve similar results?

@FlashbackTeam

Жыл бұрын

There are some Chinese clones of Saleae, such as this one: www.sigrok.org/wiki/MCU123_Saleae_Logic_clone Unfortunately Saleae doesn't sell the small 4 channel cheaper version that we show in the video any more. But keep in mind this version can't sniff high speed protocols like USB, while the other Saleae big boys can. If you're doing it as a hobby, I guess the Chinese clones work well enough. But if you are going to take this seriously, we highly recommend buying a proper Saleae.

pięknie, mega wideo ;)

Hi flashback team. I want to understand and do things like what u doing but I don't know where to start learning. I know C programming (intermediate), I know data structures and algorithms, currently learning digital electronics, operating system and computer networks but I don't know where to proceed further actually doing these things. Any advice is highly appreciated.

You guys with the accents are smart, sometimes its too much work to understand. You speak clearly, everything about the presentation is perfect. You make it easy to understand things I should already know. Thanks

@FlashbackTeam

Жыл бұрын

We are not native English speakers, but we always provide proper English subtitles (edited by us, not auto translated) in case you can't understand us / hate our voices :-)

Very Nice!

very informative video !

great video, I have a question though , I did EEPROM dump from a speedometer cluster quite a few times, nothing illegal, since I'm into car repair business , some vehicles come with bad clusters and guy would bring another one from a dump and asked me to program the mileage that would correspondent to vehicle being repaired , now there is a program that once you got your dump would calculate new hex value for new given mileage , however this generator software only works for certain vehicle brands, I wonder why same hex value for a given number gets interpreted as a different number in terms of mileage on different eeproms ? thanks

I found in my Rog Strix laptop some interface called JDEBUG2, which has 15 pins. Not really an embedded device, but I wanted to know more details on this interface and whether I can have some commands to show me laptop's diagnostics :).

@FlashbackTeam

Жыл бұрын

You can use a signal analyser like the one we show in the video to try and understand what it is. With that number of pins and name, a quick (probably wrong) guess would be JTAG. However, we would be very surprised if JTAG is enabled on a laptop shipped to the public!

@DamjanDimitrioski

Жыл бұрын

@@FlashbackTeam ok, but do you have any info about what could JDEBUG2 stands for? The only thing I can research on google is asus related posts and jdebug on the java JVM. I will try to crossmatch jtag and jdebug for a test on a new search quest :).

@FlashbackTeam

Жыл бұрын

Hard to tell what sort of debug interface it could be. I think best is if you find a schematic for this laptop. There should be a diagram and description of the interface. Maybe try to ask on some laptop repair forums / YT channels?

@ioanbustean7442

Жыл бұрын

@@DamjanDimitrioski JDEBUG2 is JTAG Debug (header number 2) :) It's a debugging interface for troubleshooting eventual motherboards issues.

@DamjanDimitrioski

Жыл бұрын

@@ioanbustean7442 thanks, any specific specification url or more info about header number 2?

Excelent video.

wow...nice!

Cool! I'd like to see more of the data extracted and what you can do with it. Translate to English so to speak.

I see lots of SOIC-8 flash chips like at 9:56 with a second set of pads at 90 degrees to the SOIC-8. I'd love to know what's going on here because it seems to common. I assume it's for some kind of SOIC-16 flash chip instead of the '8 but I've never heard anyone talk about it.

@phr3ui559

8 ай бұрын

send pic

@edgeeffect

2 ай бұрын

@@phr3ui559 06:27 09:56

Do we really need all the extra hardware(like hydra)? Cant we just use an arduino or even a breadboard mcu and program it to read from the memory? Or does hydra do more than just read from the memory?

How does it work this ID with a low-stage firmware in the Chinese devices like TP-LINK etc.? This same or manyway?

A new subscriber here, but is unfair when channels like this are Not popping up more often on the recommendations when the algorithm know I'm tech nerdy...

@FlashbackTeam

Жыл бұрын

Happy you like it! It looks like KZread algorithm finally decided to give our channel a chance!

Can you do it with a stm8s with Read-Out Protection? Im suffering trying to extract firmware from a Sinotimer three-phase protector

Nice video. Sad it used such a proprietary board, but thankful that board is open source.

Finally found something useful information 🤠

What is the name of the blue clip you're using to connect to the legs of the chip?

@FlashbackTeam

Жыл бұрын

They are called Ponoma clips, and they're much more expensive than "normal" clips, but well worth the extra money.

@MCgranat999

Жыл бұрын

Yeah, the normal clips are garbage. I'll check the Ponoma clip then! You're the first one I've done across that mentioned the name of the better clip so now I'll be able to actually buy one xP

You're my Master 🌹❤️

thx dude

Dear Santa.. I know what I want for Christmas. :D

I love you !!

What about reading firmware out of chips with included flash like STM32F4? They are often read-out protected against firmware extraction.

@FlashbackTeam

Жыл бұрын

You are right. In most of the cases, microcontrollers with internal flash are shipped with read protection. In those cases different techniques are needed. Unfortunately they are not-standardized and attack path would need to be unique per MCU family. One of the approaches here could be using fault injection to attack bootloader / early routines that checks a fuse state.

@arturschmidt2728

2 ай бұрын

Possibilities to going further into this for us? I need extract a firmware from uController too...

thanks for the video. I ve got one question. What is flash is internal to the MCU, so how would it be possible to extract the firmware ? Thank you.

@FlashbackTeam

4 ай бұрын

In such cases a target specific attack is required. It would need a separate research and maybe use different techniques like glitching.

Did you recently speak at Shmoocon about this, but on a higher/conceptual level? Someone with a similar accent did. Regardless, this video is what I was hoping for!

@FlashbackTeam

Жыл бұрын

We are glad you like it. We didn't speak at Shmoocon so it must have been somebody else.

Real stuff

Why are you not at BlackHat?! This was excellent video!

Amazing! Is there any plans to come to Brazil? Obrigado!

@FlashbackTeam

Жыл бұрын

Hi Fabiano, if the right opportunity pops up, for sure. We both would love to go there, we haven't been yet!

@fusca14tube

Жыл бұрын

@@FlashbackTeam Thanks

@FlashbackTeam

Жыл бұрын

@@fusca14tube de nada meu irmão ;)

So to glitch an SPI flash we have to figure out SCLK and then run a brute force to figure out time to glitch