Hacking the Arlo Q Security Camera: Firmware Extraction
Science and technology
In this video, we continue hacking on the Arlo Q security camera. Today we extract the firmware from the device's NAND flash and reattach the chip so the camera is left in working order. We use binwalk to extract the file systems from the flash contents read out of the chip.
Louis Rossmann's Arlo video:
kzread.info/dash/bejne/gqaoxLuuYbK_mLw.html
Arlo End of Life announcement:
kb.arlo.com/000063018/Arlo-Legacy-Cameras-End-of-Life
IoT Hackers Hangout Community Discord Invite:
discord.com/invite/vgAcxYdJ7A
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: nmatt0
linkedin: www.linkedin.com/in/mattbrwn/
github: github.com/nmatt0/
#righttorepair #jailbreak #firmware #iot #hacking
Comments: 63
Anyone have a good rainbow table for unsalted SHA-256 hashes? Alternatively, what's your go-to wordlist?
@neon_Nomad
A year ago
1. There's a website ;p 2. Remember that cybersecurity specialists usually have first dibs at creating a website
@weniweedeewiki.6237
A year ago
@neon_Nomad my head hurt
Adding some low melt solder before you use the heat gun helps.
This is an awesome video series. I'm loving seeing the guts of this camera. As far as your soldering goes, if you ran some leaded solder over the pins of the IC first it would have come off easier. That factory solder is quite high temp and the leaded solder will mix with it and make it melt at a lower temp. Also they make chip extraction solder that almost melts in your hand. That's the best, however it is quite expensive. EDIT: spelling. Another tip: I will heat the board before I wipe off the flux with cotton, and much of it comes off when hot. I try not to use the IPA because it spreads the flux around a lot. But with the amount of flux you used (and you used way too much, however you can NEVER have too much flux!) I would have hit it with IPA once or twice.
Love your stuff man. Keep doing what you are doing! Coming from network pentesting, having jumped into programming, then pentest labs and then SIEM stuff and IR competitions in college and wanting to have a better bottom up knowledge of devices, I find your videos extremely revealing.
Thanks Matt for giving me the courage to start in hardware stuff. I know it will be hard but I will stick with it till I die. Those vids on your channel are so, so great.
It really helps if you apply some fresh solder to the pins before desoldering, so you don't have to heat the board that long. Even better if it was a juicy leaded solder.
@mattbrwn
A year ago
Hmm yeah, I'll have to try that. Makes sense.
@agarmash_
A month ago
@mattbrwn there are even alloys with low melting temperatures that work excellently for desoldering purposes. For example, Rose's metal has a melting temperature of 94-98 degrees Celsius. After applying it to the component's solder joints it becomes stupid easy to desolder the component with a hot air gun. I even flipped this trick with SMD plastic connectors without melting the said plastic (like I did in my iPod Classic mod; you can find my blog post by my username if you're interested). However! Rose's metal is quite brittle, so you need to remove it completely with the braid wick after desoldering.
@agarmash_
A month ago
@attribute-4677 I usually grab some low-temperature alloy with the tip of my soldering iron, apply it to the pins of the component in question, and wipe off the remainder from the soldering iron tip (you don't really want to have it in your permanent solder joints). Laying a piece of low-temperature alloy on the pins before using a hot air gun would work too, but generally, you don't need that much of this stuff to desolder a component.
Great stuff! Can't wait for the next part
The YouTube algorithm leads me to another great YouTuber
@mattbrwn
A year ago
Thanks! The algorithm works in mysterious ways!
I enjoy these videos a lot. Thanks for sharing!
I'm wondering why you're using flux to remove the chip. From my understanding, flux just helps solder flow smoothly and cleans contacts. What will help with removing chips from the board would be adding leaded solder and mixing it with the unleaded solder on the board. The unleaded solder has a higher temperature at which it melts, whereas the commonly used leaded solder melts at a lower temperature.
Will you make a video about chip readers and all that stuff?
When I take chips off I like to add some low melt (or even just regular leaded) solder to the pins, less chance of cooking the chip/killing pads and it comes off waaaaay easier :)
What temperature do you usually use to desolder?
My NAND is 64 GB and when I copy the firmware with the RT809H it only gets stuck at the logo in another device, and the data I collect from that 64 GB NAND is just "9.something" GB, so I think, as you said, I have to copy it with the ts56 or any of the XGecu programmers by selecting "include spare area", right? So that I can get all the data correctly and write it to another NAND and run the device. Am I right, sir? Or should I select the "none" option? Please reply.
great educational video! I wonder if those classic wordlists for cracking user accounts would work with this.
Louis would use a whole bottle of flux
@mattbrwn
A year ago
True.
Excellent videos. Could you hack the firmware of the microcontroller of any air conditioner?
Woopwoop part 2!
Was there a link to part 1 somewhere or am I blind? Maybe add what part it is in the titles because looking at your channel I still have no idea which one is part one lol
Matt, what's your reader's name? Or could you suggest a reader to buy 😊
Matt, you desolder at the same time, using the right attachment to your desoldering station. I have one on my station.
Why did all the flux go on the chip package, rather than a blob on either side where the pins are?
Genuinely interested to know how many Q-tips you go through per week lol 😅
What flash reader are you using and where can I buy one?
@mattbrwn
A month ago
That is the XGecu T48 and I now recommend the upgraded XGecu T56. eBay is where I got mine.
@michaelstallsworth9995
A month ago
@mattbrwn thank you very much!!! Just getting into hardware hacking and your videos have taught me more in 2 days than I could have imagined! Keep up the awesome content 💪
Hi Matt, can I dump the firmware without desoldering the chip?
@lizardkeeper100
A month ago
The answer is often yes, but it can be much harder and not worth it. You can technically do it with a logic analyzer, but you will be at it for several days. If you can find a UART, SPI, JTAG, or similar bus on the chip and are able to connect to it on the board, you could also dump the firmware.
Why didn't you change the hash in the dump and then rewrite it before soldering? Just to keep investigating in case you don't find the password.
@mattbrwn
A year ago
Might have to do that eventually. Trying to be as least invasive as possible.
@caralynx
A year ago
One thing to note about NAND is the ECC. If you modify something, you're going to have to update the spare area associated with that page as well. If you don't, best case it restores the original data, worst case it marks the page as bad and it won't read. The ECC algorithm used in this particular configuration may not be obvious (especially if it's hardware ECC), so fixing the spare data might not be trivial.
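To illustrate the commenter's point, here is an added example of my own (not code from the video or the commenter): a Hamming-style single-bit-correcting ECC over one 256-byte sector, in the spirit of the classic 22-parity-bit SmartMedia/Linux software NAND ECC. The packing of the parity bits and the sample shadow-style sector are my assumptions; a real controller's layout and code (often BCH) differ, which is exactly why the spare data is hard to fix by hand.

```python
SECTOR = 256        # data bytes covered by one ECC value (one "sub-page")
INDEX_BITS = 11     # 256 * 8 = 2048 bit positions -> 11 index bits -> 22 parity bits


def calc_ecc(sector: bytes) -> int:
    """Hamming-style parity: for each index bit k, parity bit 2k collects the data
    bits whose position has bit k clear, parity bit 2k+1 those with bit k set."""
    assert len(sector) == SECTOR
    parity = 0
    for pos in range(SECTOR * 8):
        if (sector[pos >> 3] >> (pos & 7)) & 1:
            for k in range(INDEX_BITS):
                parity ^= 1 << (2 * k + ((pos >> k) & 1))
    return parity


def check_ecc(sector: bytes, stored_ecc: int):
    """Emulate the controller's read path. Returns (status, data as the host sees it)."""
    syndrome = calc_ecc(sector) ^ stored_ecc
    if syndrome == 0:
        return "ok", bytes(sector)
    if syndrome & (syndrome - 1) == 0:          # exactly one parity bit differs:
        return "ecc_byte_error", bytes(sector)   # the spare area is bad, data is fine
    pos = 0
    for k in range(INDEX_BITS):
        pair = (syndrome >> (2 * k)) & 3
        if pair in (0, 3):                       # not the signature of one flipped bit
            return "uncorrectable", None         # controller reports the page as bad
        if pair == 2:
            pos |= 1 << k
    fixed = bytearray(sector)
    fixed[pos >> 3] ^= 1 << (pos & 7)             # "correct" the single differing bit
    return "corrected", bytes(fixed)


def patch_and_read(sector: bytes, offset: int, new_byte: int, update_spare: bool):
    """Overwrite one byte of a dumped sector, optionally refresh the spare-area
    ECC, and return what a subsequent ECC-checked read would deliver."""
    stored_ecc = calc_ecc(sector)                  # ECC as the factory wrote it
    patched = bytearray(sector)
    patched[offset] = new_byte
    if update_spare:
        stored_ecc = calc_ecc(patched)
    return check_ecc(bytes(patched), stored_ecc)


# Constructed sample sector: a shadow-style line as it might sit in a dumped rootfs.
PAGE = b"admin:$PLACEHOLDER_HASH_abcdef:0:0::/root:/bin/sh\n".ljust(SECTOR, b"\0")
OFF = PAGE.index(b"abcdef")                        # the 'a' (0x61) we will edit
```

Changing that 'a' to 'c' (one bit) without touching the ECC is silently reverted on read, changing it to 'b' (two bits) makes the page uncorrectable, and only the edit with a recomputed ECC reads back "ok".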
What linux distro are you using to do all this?
@mattbrwn
A month ago
Arch Linux but all this stuff can be done with any kind of Linux you want.
@Mbro-dq2do
A month ago
@mattbrwn Thank you for your work dude. I'm not even a script kiddie after a year or so but have learned a ton. 46-year-old construction nerd who missed the boat but I spend every spare moment learning. Your channel is in my rotation with Louis R too.
@Mbro-dq2do
A month ago
@mattbrwn Kali Linux, Manjaro and straight Debian for me. Dragon OS I'm trying for SDR tools. Have a good day bro.
@mattbrwn
A month ago
Just heard about dragonOS from a training I'm in right now! I'll have to try that out. Getting SDR tools to work is a pain...
Some hash... somewhere over in the stars
Cut it with them 3 d printing clippers ......my g😎
The anticipation... is killing me... when's that chip going to give?
@mattbrwn
A year ago
Yeah this one took longer than most. Could be a number of factors.
@MCgranat999
A year ago
Not sure if my technique would work better, but I'd use a bigger nozzle on the hot air, or take the nozzle off if that's the biggest one.
@weniweedeewiki.6237
A year ago
@MCgranat999 Sounds like a load of hot air to me ....... u c what i did there
1st
Sir plz help. My NAND flash IC dump extract plz, I'm sending it to you. Please answer.
Remember to follow the rainbow when working with hash
dude use a thin bristle toothbrush for cleaning :)
Why are we still using lead? Don't we know what happened to the Greeks? Sure, it's a great sweetener but..
@mattbrwn
A year ago
leaded solder works way better than lead-free.
@alexfedorov1160
A year ago
Lead-free solder is a scam. It's better to produce a smaller number of reliable devices using leaded solder than to use lead-free solder producing a ton of e-waste due to those solder failures. Obviously for the environment, not for manufacturers.
@bluppfisk
A year ago
@linus cat tips don't breathe it in either though
If you are afraid of Chinese software phoning home, check out simplewall
I don’t understand why you would want to extract firmware from a camera? Just go download it
@SlammerSimming
A month ago
How do you think the person providing the firmware got it?
@CorollaGTSSRX
A month ago
@SlammerSimming he means go to the support section of Arlo and download a firmware update and extract that. Sometimes that works, sometimes it doesn't or isn't available.
@charleshendry5978
A month ago
He wants the password.
Great job, glad the chip is still good :) Just got my chip reader in but I've been focusing more on TryHackMe.