Hacking The Mojo C-75 - Chip-Off Firmware Extraction


The Mojo C-75 is a professional grade Wi-Fi router. In this video, we will show how a limited shell is available over the RS-232 console port. Then we perform 2 x chip-off firmware extractions to pull the various filesystems off the device.
XGecu Software Mirror:
github.com/Kreeblah/XGecu_Sof...
XGecu Wine USB Driver DLL:
github.com/radiomanV/TL866/tr...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #righttorepair #jailbreak

Comments: 164

  • @mikkelontop5513
    2 months ago

    I started with the AT&T router hacking video and now I'm hooked, I'll deffo be coming back more, great videos man!

  • @scotthewitt6047

    2 months ago

    Lol same popped up for me today been watching all day

  • @I_wish_I_knew_something

    2 months ago

    Same! Thank you algorithm. Balk balk!

  • @BillRittenhouse

    2 months ago

    Same

  • @techwith_tj

    2 months ago

    lol same here 😂😂

  • @ImRiz1

    2 months ago

    Same here 🎉

  • @Hyp3rb34m
    2 months ago

    As an ex-employee of Mojo (and Airtight as it was previously known) this is super interesting to see how you're taking a shot at some of our older stuff; blast from the past for me! Keep it up.

  • @HenryWu-rc5gw
    2 months ago

    Update: the losetup method cannot be used for JFFS2 because JFFS2 is based on an MTD device. Matt has uploaded a video which demonstrates that this method doesn't work, and he found mtdram and mtdblock, which is the right solution for this use case. A loop device is a kind of block device and most filesystems are based on block devices, so it's still a generic method to mount a filesystem in a file.

    Original post: A great video. By the way, the file system can be mounted directly in Linux with a loop device: mount -o loop,ro -t jffs2 Or it can be done in two steps with losetup and mount. You can check supported file system types by /proc/filesystem. Most penetration testing distros contain squashfs and jffs2 support.

  • @TheBuddyCassius

    1 month ago

    If there are multiple partitions you can losetup to get a loopback device first and then mount the individual block device too.

  • @HenryWu-rc5gw

    1 month ago

    @@TheBuddyCassius For multiple partitions we need partprobe or kpartx to tell Linux kernel to probe the partition table on this virtual block device then we can mount /dev/loopXpY.

  • @TheBuddyCassius

    1 month ago

    @@HenryWu-rc5gw You can do a partscan with an losetup parameter.
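
Added example (not written by any commenter above and not taken from the video): one way to mount a raw JFFS2 dump read-only through the mtdram and mtdblock modules named in the update at the top of this thread. The function names, the 64 KiB default erase-block size and the sample paths are assumptions; it needs root and a kernel that ships the mtdram, mtdblock and jffs2 modules.

```shell
#!/bin/sh
# Mount a raw JFFS2 image by copying it into a RAM-backed MTD device.
# A loop device is a block device; JFFS2 expects MTD, so we emulate one.
# Usage (as root): ./mount_jffs2.sh rootfs.jffs2 /mnt/jffs2 [erase_kib]
# The script name and paths above are placeholders.

# Print the mtdram total_size (in KiB) needed to hold IMAGE_BYTES,
# rounded up to a whole number of erase blocks of ERASE_KIB each.
mtdram_total_kib() {
    image_bytes=$1
    erase_kib=$2
    erase_bytes=$((erase_kib * 1024))
    blocks=$(( (image_bytes + erase_bytes - 1) / erase_bytes ))
    echo $((blocks * erase_kib))
}

# Print N for the mtdN entry created by mtdram, read from a file in
# /proc/mtd format. Other MTD devices may already occupy mtd0.
find_mtdram_index() {
    sed -n 's/^mtd\([0-9][0-9]*\):.*"mtdram test device"$/\1/p' "$1" | head -n 1
}

mount_jffs2_dump() {
    image=$1
    mnt=$2
    erase_kib=${3:-64}   # assumption: must match the flash the dump came from

    [ -r "$image" ] || { echo "cannot read $image" >&2; return 1; }
    image_bytes=$(( $(wc -c < "$image") ))
    [ "$image_bytes" -gt 0 ] || { echo "$image is empty" >&2; return 1; }
    total_kib=$(mtdram_total_kib "$image_bytes" "$erase_kib")

    # If mtdram is already loaded with another size, unload it first
    # (modprobe -r mtdram); parameters only apply at load time.
    modprobe mtdram total_size="$total_kib" erase_size="$erase_kib" || return 1
    modprobe mtdblock || return 1
    modprobe jffs2 || return 1

    idx=$(find_mtdram_index /proc/mtd)
    [ -n "$idx" ] || { echo "mtdram device not found in /proc/mtd" >&2; return 1; }

    # Copy the dump into the emulated flash, then mount it read-only so
    # the kernel does not garbage-collect or alter the evidence copy.
    dd if="$image" of="/dev/mtdblock$idx" bs=64k || return 1
    mkdir -p "$mnt"
    mount -t jffs2 -o ro "/dev/mtdblock$idx" "$mnt"
}

# Only act when called with arguments, so the functions can be sourced.
if [ "$#" -ge 2 ]; then
    mount_jffs2_dump "$@"
fi
```

If the mount fails with node CRC or magic errors, check the erase-block size and the byte order of the image: a dump from a big-endian SoC has to be converted before a little-endian host kernel will accept it.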

  • @Jeff-ss6qt
    2 months ago

    It might be a good idea to use kapton tape to protect the small surface mount components and a barrier if you're ever next to something plastic. Also, it's good to know that if you're making/improvising your own desoldering braid in the future, you don't need a lot of it. I found that out the hard way when I fused a bunch of copper wire to a PCB while trying to desolder something.

  • @Falney
    2 months ago

    "you're going to burn your self. It's going to happen" I once picked up an iron like a pencil.... Then burned my desk when I dropped the iron.

  • @mattbrwn

    2 months ago

    We've all been there 😂

  • @mikehensley78

    2 months ago

    i was desoldering a capacitor... had a huge ground plane so it was sucking heat right out of the soldering pencil. so i had the cap pinched between my middle finger and thumb and was pushing off the PCB with my index finger. every now n then i would give it a push then let it heat some more. THEN... i pushed once more with my index finger but this time it made a strange sizzling sound. my finger actually smoked. when i looked at it it had a brownish white patch burned into my finger. YOWSERS!!!! probably one of the worst times ever getting burned.

  • @Falney

    2 months ago

    @@mikehensley78 oof

  • @gomberfu

    2 months ago

    If it smells like pork you're doing it wrong

  • @5nowChain5

    2 months ago

    Yeah, that stock photo of the dumb brunette holding a soldering iron like a pen has caused a lot of industrial accidents. 😂

  • @Chukoko
    2 months ago

    I love your channel! By chance I saw the video of the AT&T router and I was fascinated. I find your work incredible and thank you for sharing it.

  • @samaydelotte1187
    2 months ago

    Just discovered your channel while doing nothing at work. As someone who has made content (on other channels), the way you present everything in real time is amazing. You are a fantastic teacher

  • @RobertLaneTech
    2 months ago

    A trick for keeping the chips from getting mixed up is a small drop of colored nail polish in the corner of one. Then you can notate on your sheet which one it is.

  • @omegatotal

    2 months ago

    a few nail polish colors with bright base colors, and toothpicks, dab color on the corner of the chip and next to the identification silk screen before you desolder, take pic and make notes while it dries, then desolder. should survive flux and mild alcohol cleanup if needed between desolder and resolder as long as the board/chip was already clean where you dabbed the color.

  • @DingleTwit
    2 months ago

    I don’t look forward to the next part of anyone else’s videos as much as yours. I’ve tried doing some of this stuff in the past and usually gotten stumped, but watching your videos made me realize I just need to do it more because experience is the only way to get better at it.

  • @laneyslaney
    2 months ago

    I have learned so much watching your videos. I am a cybersecurity consultant and I love that there is always something new to learn!

  • @JAYG6390
    2 months ago

    I'm one of the new subs and have watched quite a lot of your back catalog. This looks like an interesting one to dig deeper into. Great Content Matt 👍😃

  • @musclesmiyazaki
    2 months ago

    This is amazing, your explanation of every step of the process connects everything very clearly

  • @XYZ56771
    2 months ago

    Great video, love how you take it up a notch on the difficulty level!

  • @mattbrwn

    2 months ago

    yep... I might have scared myself thinking I bricked this device during the prep for the video :D hopefully can pull off the root shell!

  • @Mkritzer1250
    2 months ago

    Try running strings on the firmware.bin file and use the output as wordlist, worked for me, on a chinese IP camera. Great videos btw. greetings from Austria!

  • @DHIRAL2908
    2 months ago

    At around 6:30 it used `more` command to display out the help page. You can just do ESC + !/bin/sh to get a shell... While inside the --more-- prompt.

  • @mikehensley78

    2 months ago

    would you say that's "more" to the point? ;)

  • @xrafter

    2 months ago

    You Don't need the ESC it seems.

  • @mattbrwn

    2 months ago

    Unfortunately it uses the BusyBox version of more that doesn't support any of that

  • @theskelet4r
    2 months ago

    Another amazing video Matt, Keep up the excellent content and thank you for sharing your knowledge

  • @cristonlevato2255
    2 months ago

    Raw footage is always fun. Keep it up Matt. Your videos help me to see more device models than I tinker with. Aside from that your techniques and phrases are great fun for me to watch and learn :D You can work on some IP camera hacking btw.

  • @0xshaheen
    2 months ago

    Man I Love your work, I was just watching the series about arlo q camera, I really would love you to continue the series

  • @pierremartel3552
    2 months ago

    I am learning like never before ! keep them coming!

  • @mmkf
    2 months ago

    And now we wait for a madlad to crack the hash.

  • @janigerud
    2 months ago

    Fantastic video, thank you for creating it, really good walk through

  • @danielcgomez
    2 months ago

    Another Awesome upload! Thanks Matt!

  • @CSMMaster
    2 months ago

    Great video. Excited to see what you share in the next.

  • @OmarMekkawy
    1 month ago

    @8:28, I think that you may have a problem with the lens that's connected with the camera port. You can change it to improve the field of view. I have a similar microscope and the view fills the whole screen with no black on the sides. @10:30 I think that you maybe don't need to use flux when de-soldering components. I usually use the flux when soldering the components only. This will save you a lot.

  • @p0fs
    2 months ago

    It actually is T48 in the photo. It only has 40-pin ZIF socket (unlike 48-pin for T56) and no power switch or external power jack near the USB socket. Otherwise they look pretty similar.

  • @substandard649
    2 months ago

    Man i love your videos, ive learned so much. Excited to see the conclusion of this one, writing your own hash to the root account or just deleting the hash maybe?

  • @djruido1
    2 months ago

    Is not like I want to hack things, but after watching your videos I want to learn how to. Love your content.

  • @celestialroad
    2 months ago

    glad i came across your channel!

  • @NeverGiveUpYo
    2 months ago

    Cool stuff bro. More, more, more!

  • @brianeddy2011
    1 month ago

    Hey. Great info videos. I would be very interested in seeing one on a finestra helium miner.

  • @JamesHalfHorse
    2 months ago

    Have you tried foam pads instead of cotton for cleaning flux? They are a bit more expensive but work a lot better. Found your channel a few days ago and enjoying it. The algorithm must like you. I have only recently gotten down to doing SMD soldering as part of my services or gotten good enough but working with firmwares and devices like this is very much in my interests. Keep it up you are appreciated.

  • @drumba
    2 months ago

    hey, i also got into hardware hacking because of your videos, its really fun so thanks for that

  • @360Downunder
    2 months ago

    If you are looking for rs232 serial on a modern pc, they make pcie rs232 2:34 2:36 cards and also internal usb to serial converters that plug into a normal usb2 header.. saves a bit of external cables

  • @omegatotal

    2 months ago

    but when you burn out a port or damage a pin, more pita and $ to replace. most usb-serial adapters of any quality are perfectly fine for console stuff, if you need better reliability at higher speeds or cable lengths, get an FTDI based cable.

  • @George-ec7ez
    2 months ago

    Amazing video, you should try IoT devices like pcbs of air fryers, washing machines or fridges that connect to wifi.

  • @Spudz76
    2 months ago

    Seems like I'd always try a test clip before hassling with all the possibly destructive chip removal. Usually even if the injection of power wakes other stuff (like the SoC) up you can find the reset line and hold them hostage so they can't interfere with interrogation.

  • @stevenstassen5054
    2 months ago

    I don't understand 2/3 of what you are on about, but I like the videos anyway.

  • @donkeymedic
    2 months ago

    binwalk uses signatures to hex detect the FS. A signature is a hex value. Those files usually have multiple hex values that binwalk will see as separate files. If you are getting a lot of errors, you may need to manually extract the files. Using dd to cut the excess data using the binwalk to identify the memory location.

  • @mattbrwn

    2 months ago

    yep this is exactly what I do when binwalk splits so much stuff out like that. might show this in the next video.

  • @wtflolomg
    2 months ago

    Great channel... I have a suggestion for a device that, if it can be hacked and repurposed, could help a lot of people. It's the Echo Connect, which Amazon just decided we can no longer use, even though we bought them. It hooks up to your VoIP line or land line and allows you to answer your phone or make calls from any Amazon Echo device in your home. I'm guessing there is a server component, and such, but it's running a DSP Group DVF9918, which looks like a pretty capable SoC. If there is a way to repurpose this, or even better bring back its utility... as a developer (and I've worked on embedded systems from industrial to automotive, and enterprise level at Fortune 500 companies), I'd definitely consider the challenge if I could gain access to this device.

  • @ThanassisTsiodras
    2 months ago

    If you mount (instead of using jefferson) the filesystem, then modify the contents of the /etc/shadow entry for root's from the config's, and re-flash the chip, you change the root's password to be the same as the config user, no? If that doesn't work, you can modify the default shell that "config" uses to be set-uid root... Basically, once you have access to the filesystem, it's game over :-) And btw - very nice videos, Matt! Excellent channel.

  • @scotthewitt6047
    2 months ago

    I'm hooked on your channel anyway you can zoom in on the Terminal it would really help following along.

  • @dascandy
    2 months ago

    @35:29 "Private key in DER format" did you spot that? Looks interesting.

  • @Electrically-Electronic
    2 months ago

    Waiting eagerly for that "another video"

  • @FFAMax1
    2 months ago

    After 20 years I learned from you about binwalk 😂

  • @Maysi2k
    1 month ago

    Hey Matt, did you see the Software minipro from David Griffith? Looks like that is a native Linux- & Unix Software for the Xgecu T48.

  • @Jeff-ss6qt
    2 months ago

    Are you planning on changing the login shell in /etc/passwd? Also, does the firmware have any signature checking to prevent that or keep the device from booting?

  • @AgumYudhistiraPratama
    2 months ago

    Hey man, this great video. Next video please try TP-Link TL-WR940N

  • @memejeff
    2 months ago

    Very cool

  • @al73r
    2 months ago

    I got an impinj rfid reader that I have dumped the nand. Maybe we can collab on getting root? I was using binwalk a different way and would love to try these methods as I was mounting the bin at specific cylinders of the dump. Overall this video sparked me to try again with a simpler approach

  • @LostDeadSoul
    2 months ago

    THE only solder flux I have ever used besides the occasional copper pipe acid and the 2% in the solder core is the pine rosin I dug out of a tree 8 years ago. I just don't know how it will do with hot air.

  • @LoneStarBassPursuit
    1 month ago

    Have an idea for some devices that would be interesting to see if you can get a shell on.

  • @Deralica
    2 months ago

    I have a Watchguard AP320 at home, and this looks 100% identical (at least from the outside), I wonder if the internals and firmware are the same.

  • @proxer05_

    2 months ago

    It is the same device (based on WikiDevi pictures). Also openwrt is available for it.

  • @starfox.64
    2 months ago

    think you could do something with the ZyXel C3000Z? it's got the same sort of faux shell idea.

  • @qwertykeyboard5901
    2 months ago

    I've backed up the firmware off my stuff myself.

  • @monad_tcp
    2 months ago

    7:10 ah the source code, aka, the disassembly from the binary, that's source code for reverse engineers !

  • @thisismossop
    2 months ago

    @mattbrwn Great video, easy to understand. I'd be interested to see what you could do with a generic 4G usb stick modem. I really want the ability to use one as a basic 4g modem, with AT commands and simple IO connection, just to send text messages as part of a project.

  • @sandeepnaik6818
    2 months ago

    Can you hack isp locked bridge mode alphion 1143 ont? Thank you

  • @DefconUnicorn
    2 months ago

    You could change the group for the config user to make it another root user, or you could duplicate the config password over the root password. Then upload the file.

  • @Narblo
    2 months ago

    I wonder if you have an old smartphone lying around, maybe two and you extract the bootloader from the one that is not bricked and see if it revives

  • @jasonsachinger3276
    2 months ago

    Why not just use a SOIC clip on these type of chips? That's what I did to dump the firmware on my Ubiquity Switch.

  • @adityakrishnavinod3134
    2 months ago

    heyy matt , I have a router with me and i got into the U-boot. But facing some issues with the firmware extraction process. Can you provide any platform to contact you..

  • @vidurawithanage1464
    2 months ago

    Awesome

  • @user-ff5yb9hh6c
    2 months ago

    what is your linux distribution and desktop environment?

  • @tangerinq
    2 months ago

    You can save yourself all the chip cleaning time if you don't use flux when taking the chip off. The flux insulates the legs which is why you have to clean it in the first place. Without flux, your programmer will typically read the chip just fine without any cleaning. Also no need to remove the solder from the chip's legs.

  • @ACertainGuy
    2 months ago

    Hey, I recently rooted a similar access point, and after dumping the firmware and reading through the config shell scripts, I noticed a command injection vulnerability in the "radartool" command, which allowed me to simply spawn an sh shell and use su to escalate to root. I'm not sure if that vuln exists here, but the config shells and the software look awfully similar.

  • @mattbrwn

    2 months ago

    Very interesting 🤔

  • @darkcrox
    2 months ago

    can you make video on how to make custom firmware like openwrt for unsupported/unlisted router? thanks

  • @davel202
    2 months ago

    Yeah!

  • @TechHackerTamilOfficial
    2 months ago

    999th like 😂..binge watching all your videos

  • @DJChol
    2 months ago

    U5 looks a bit misplaced at 8:12 - did you desolder it before or did it come like this from factory?

  • @mattbrwn

    2 months ago

    that was me :D

  • @TheBuddyCassius
    1 month ago

    Without the files, I can only surmise a guess. I think you might be running into jffs journaling with the multiple files. Rather than extract the bin file you could use losetup to mount the image as a loopback device. At that point it should be possible to interact with the device with standard tools.

  • @edwinking4407
    1 month ago

    Does the config/config usr/pwd give some clues about how the root password are hashed?

  • @mattbrwn

    1 month ago

    Yeah there is a binary that sets the root password to something completely random on first boot after factory reset. Spent 3 hours down that RE rabbit hole.

  • @Gamix355
    2 months ago

    Can u hack Huawei hg523a as I have same and want to hack it

  • @ronbublil954
    1 month ago

    Hey, I've been trying to extract a similar kind of router from tp link and when I've tried to extract the firmware using binwalk I got only the lzma files. Could that mean that my extraction wasn't good enough or this thing could be happening? Thank you

  • @mattbrwn

    1 month ago

    Yeah it could. Did you get any filesystem detections with binwalk? Also you can hop on our discord for a more detailed discussion

  • @ronbublil954

    1 month ago

    @@mattbrwn no, binwalk didn't detect any kind of a filesystem. Just those lzma data files and a bunch of these Zyxel files too

  • @dan55ellis
    2 months ago

    Super man to the rescue

  • @mikehibbett3301
    2 months ago

    lol, I saw the chip reversed, I guess you were busy doing the video :)

  • @Myself-yh9rr
    2 months ago

    The only bad thing about software just for Windows is that the antivirus software in Windows deletes these kind of utilities and sometimes without telling you. It is Microsoft's silent way of telling you they don't want you to have any fun!

  • @aaaronmiller100

    2 months ago

    stick 'em in a folder and assign security exclusions to them to address this

  • @deniz-akkaya-x
    2 months ago

    I wonder do all the embedded device file systems unencrypted? Have you ever seen a system is decrypted during the boot time with the aes key hosted on a tpm chip? Does anyone see such solution for such attacks?

  • @mikehensley78

    2 months ago

    seems like that would call for some sort of microcontroller or something feeding the memory chip the correct decrypt key at initialization. other than that it should be very similar to what was showcased on this video i would imagine. OR i guess you could dump the chip then decrypt it once you got the data onto your machine.

  • @Jeff-ss6qt

    2 months ago

    Cable boxes boot from an encrypted firmware. They decrypt it during the boot process. I'm not sure if any use TPMs, but that would make stuff hard to work with, since the key is stored securely. Assuming that they encrypt communication in transit, side channel attacks will be harder as well. Some more expensive microcontrollers and FPGAs also have a volatile storage inside for an encryption key as well and the facilities to do decryption on the chip itself.

  • @309electronics5

    2 months ago

    ​@@Jeff-ss6qtthey probably have a bit more code in the bootrom of the cpu that unlocks the flash. I have had many tv boxes with encrypted firmware and compressed things and the cpu bootrom actually unlocked the chip before reading from it and decrypting it

  • @Bananenmann
    2 months ago

  • @spacewolfjr
    2 months ago

    Brown Town!

  • @bertblankenstein3738
    2 months ago

    Immediately I think of Austin Powers getting his mojo back.

  • @TheDrGravy
    2 months ago

    W matt brown

  • @SkippyDa
    2 months ago

    Hey, you forgot the links in the description, it's relatively easy to read it, but still.

  • @mattbrwn

    2 months ago

    RIP. fixing this now

  • @SkippyDa

    2 months ago

    @@mattbrwn No problem! Thanks for the fix.

  • @johnfeehley8100
    2 months ago

    Completely unrelated question: where did you get your workbench?

  • @mattbrwn

    2 months ago

    Benchdepot. Warning: it's not cheap

  • @xenoxaos1

    8 days ago

    ​@@mattbrwnthe cheaper option is to get plywood with birch laminated veneer and make it so it bolts directly to the wall... I have about 20 linear feet of desk that's like 3 feet deep

  • @wtftolate3782
    2 months ago

    Can you hack so called smart TV's?

  • @sritej20
    2 months ago

    amazing content, any chance you can hack into a facebook portal go to see if we can resurrect the hardware for private use now that facebook has discontinued the device ?

  • @pete3897
    2 months ago

    I'm streaming potatoe-cam in 1080p HD :) Shows the real content is the words.

  • @Alex-zv4oc
    2 months ago

    Old skool? Damn, he just put me to sleep.

  • @kakakakak317
    2 months ago

    can you hack a wifi repeater device

  • @rainnaxil
    2 months ago

    mattt now ps4 can be hacked with fw 11.00. Can launch linux but need a good people like you for make a good 3d powered linux..

  • @gngn2973
    2 months ago

    Im surprised someone hasnt already cracked that hash for you. lol

  • @szymon7607
    2 months ago

    Are you interested in investigating firmware of a chinese NES hdmi stick? Got it for free but I failed to make any changes to the fw as it fails to boot with modified binary (checksum?). It has allwinner a10s, 128mb ram, boots linux 3.4.10 off sd card using script.bin and system.img. Doesn't have any built-in network interfaces and it doesn't have uart. It does have internal USB but supposedly lacks HID drivers as connected keyboard isn't recognized. Got both files and pictures of the mobo if you want. My goal is to repurpose it, eg. as apcupsd daemon via USB ethernet :)

  • @xenoxaos1
    8 days ago

    That's not a serial port... This is a serial port. (pulls out a 25pin)

  • @Joreg_Catapang
    2 months ago

    I don't know if you will read this comment Can you try hack the huawei 4G Router 3 Pro (Huawei B535-932) Mine currently using the isp provider firmware and its lock to its sims (I want to use different sim but the isp not giving the code), also the isp provider also lock the bands that I can use the bands I can use is 3,28,41 but if I have the original firmware I have this band 1,3,7,8,20,28,32,38,41

  • @richardj163
    2 months ago

    I haven’t used gloves when dealing with PCBs. Probably should have. Pray I don’t get California.

  • @mattbrwn

    2 months ago

    🤣

  • @the_beefy1986
    2 months ago

    The powder blue serial cable with the RJ-45 port on one end is known as a "rollover cable." Definitely not ethernet! :)

  • @mattbrwn

    2 months ago

    TIL

  • @xenoxaos1

    8 days ago

    ​@@mattbrwnthere are actually a few types of console cables... This just happens to be the most common type for the last... Decade or two... Working in a data center it's yelled out as "console cable" "that blue cable" or "the Cisco cable"... One thing you have to remember is that they can't be used on a UPS serial port... Even though they look like a normal rj45 they're actually 10 pins instead of 8 and the way they're wired immediately send a shutdown trigger to the UPS.

  • @ethangibson8645
    2 months ago

    Create new root password, hash it, put in shadow file, write shadow file to chip, log-in.

  • @mattbrwn

    2 months ago

    It seems like you know where the next video is headed ;)

  • @309electronics5

    2 months ago

    ​@@mattbrwn i did exactly that to a router i had because i did not know its password and i could patch the commandline to load init=/bin/sh but it was a limited shell and changing the password through there did nothing for the normal startup

  • @Danny323f

    2 months ago

    Had the same thought, done that with a IP camera

  • @xrafter

    2 months ago

    How to do this? You use openssl?

  • @ethangibson8645

    2 months ago

    @@xrafter the shadow file uses known algorithms (MD5, SHA-512, etc). You just put a character that specifies the hashing algorithm, the hash, the salt (if any) and save it. (It's more complicated than that but you can get the idea.)

  • @serg472
    2 months ago

    May I suggest to not cut out any failed attempts and dead ends, the end goal is not nearly as interesting and educational as the journey and detective work that leads to it. For example you mentioned that you tried to guess the password and it didn't work out, that's fine, you can still include that segment, there is a lot to learn from it. You said that it took a long time to figure out the cross compiling issues but didn't include any of that in the video.

  • @petersdrue

    2 months ago

    I'm in the middle of watching this. From my perspective, those two things don't add much value. I do agree overall. But, cutting that stuff out is important. The only compromise I could think of would be non-cut videos on a separate channel or patreon like some others do.

  • @dropdatabase8224
    2 months ago

    You need to follow through on your projects. I just sat through the three videos you did a year ago about the Arlo Q, in the third one you promised another video where you were going to modify the firmware and write it back. Yet, you never posted it. I've seen several other aborted dead-end stuff as well where follow up videos never come. When people watch you, they're investing their time and for that investment they're expecting resolution. I for one am clicking on the option to stop your channel videos being recommended to me as I'm not going to be caught out like that again by you.

  • @peeboo

    2 months ago

    Bro chill out he had some personal stuff going on 😭😭

  • @marcosscriven

    2 months ago

    There’s really no need to be so brusque here. It also comes across as incredibly entitled. I’ve found Matt’s videos super informative and helpful.

  • @bogganalseryd2324

    2 months ago

    man stop whining , his content is free for us all to enjoy.

  • @MarshallLevin

    2 months ago

    Dude, is this your first day on the internet? That's not how this works. Unless you hired Matt to make videos, he doesn't owe you anything.

  • @projectsspecial9224

    2 months ago

    I usually ignore these ungrateful entitled comments, but this time, I am going to say something. It takes a lot of effort and time for him to make these FREE videos. He is sharing valuable knowledge that someone would pay thousands for! So, if you don't believe me, don't be lazy and do your own research - if you survive, you may even appreciate it 😅
