One advice i have for you when soldering , is lower your soldering temperature, its way too high , thats why u knock off that resistor so easily. Also you run the risk of just taking off pads at that temperature. I usually just have my soldering station at around 300c for this small thermal mass jobs. Great video btw

I absolutely love that you didn't edit out the agonising wait on booting up to confirm it worked. Great videos as always. Thanks.

@mattbrwn

2 ай бұрын

haha yeah that wait always seems to take forever!

@neilblunden1266

2 ай бұрын

those are the times when i start deep cleaning my keyboard , otherwise it never gets done.

This was a great vid. The soldering is doable, the firmware mod is doable too. The important bits are explained well. And bonus points for using Vim. Thank you.

A bit of advice when soldering those types of chips with more than 6 pins: I've found it easiest to do when there isn't any solder applied to the pads beforehand - what I do is I put a blob of flux in the middle to just hold the chip in place and then carefully go around and manually apply solder to each pin with the soldering iron once the chip is aligned. Maybe also loog into getting a pointier tip for the soldering iron for that. Cheers for the great content!

@bertblankenstein3738

2 ай бұрын

One of the benefits by soldering the chip by iron is that it doesn't get another cycle of hot air baking.

So many things to say. 1. love the videos. it's refreshing to have a old youtube style walk through including and explaining mistakes. 2. I appreciate you reading and using comment suggestions like zooming in on the command line.

Really loved the section where you covered improper soldering let to flash chip not being recorgnized. When working with hardware modifications, there are truly many potential points of failure - such as chips not being soldered correctly, components getting damaged from overheating during the soldering/desoldering process, firmware corruption, other PCB components on PCB getting dislodged etc etc. This type of work undoubtedly demands a tremendous amount of hardwork and patience. Great work, Matt, and thank you for sharing this. I really enjoy your videos.

I love your style of presentation and the information with/of all the failed attempts. Very instructive and good to follow. Lerned a lot over the time with your videos. Thanks for sharing. I'm already looking forward to the continuation :)

Great Job! Looking forward to the next one to see what you found in the network traffic; as we used to do some crazy things specifically around spectrum jamming/etc

Digging your videos Matt!! Thanks for taking the time to make them!

Some people are just going through products because they have money.. others go throug them like.. "hey, let's go meet your makers and find out what they didn't tell you... you could do." 😂

Congratz. This video opened my mind for these kind of modifications xD keep up the good work

one of the best channels. keep pumping out the content in same format

Hey matt, just wanna say I absolutely love your videos!

Loving the hacking series. we can re-use/re-purpose old devices

Great content, love your stuff man. Keep it up! Looking forward to seeing that traffic you mentioned

This stuff is really interesting! Thanks for another cool video! Look forward to the next one one this device :D

incredible. Love this stuff man!

Good stuff, thanks for putting the whole process together

Very interesting stuff, do please continue!

Awesome murderfication! :)

Excited for this one!

@mikehensley78

2 ай бұрын

hell yeah!

Really cool video. Love your content :)

Awesome video, thank you once again :)

Nice work, Matt! Looking fwd to what you'll do now that you are root :-)

Nice video. As to XGecu issues, I'm also using an XGecu programmer (TL866II Plus) but I've never experienced any of these. Possibly because I don't use flux when removing the chip, so chip legs don't get covered in non-conductive thing. As to erase failing, never seen this before as well. I suspect this might be an artifact of running the software in wine.

damn, I'm impressed over the upload rate

Now, let's try to find where they installed the backdoor on this system! ;D

Great job on your work! My guess on the write fail at 25MHz is that the second socket for the smd adds too much capacitance to have a reliable communication.

@mattbrwn

2 ай бұрын

yeah that makes sense!

Awesome!

Just some technicalities and nothing of importance, Matt: "... now, that the solder turned COLD ...". Hehehehee. Don't talk that way if professionals are in the room. I may be wrong, because I am German, but I sense that "cold" in conjunction with solder-joints also means a VERY BAD THING in english: Unstable, weak and bad connections (romantics ... the old days ... with LEAD ... were so much better! Just joking. You could see cold solder joints easier with that poison as pat of the solder-alloy). May I suggest: "... until it turns SOLID"? Which is actually what it does, changing its state of aggregation and forming a mechanical and electrical, reliable connection. Well, until you move or shake the joint while the solder is cooling down, which may result in that so called "cold solder joint". A reason for headaches, failures, I mean unrepeatable sporadic failures, in the future. I'm sorry if I got too emotional when I am talking about our(my?) NEMESIS as e-engineers and service personal, etc. Hehehehe:)

I've seen a similar behavior when writing custom bootloader code where it fails to respond in time to the erase command, or responds with failure, although the erase was successful

Great video

nice! great good tutorial.

Earned you a subscribe! ;)

YEAHHH BABY, YEAH

This is very nice work. One question though.. non of the firmware or password file is not verified with a check sum or some sort of signature with other chip. That’s a little bit interesting. You said you have done this first time but is this way a common implementation? One more time, great job!

@mattbrwn

2 ай бұрын

Yes some embedded systems will use secure boot to verify the kernel, filesystems, etc. but in practice you don't see it implemented much on consumer IoT devices.

Tried to imagine when a developer/contributor committed the “cowardly” message to the upstream code as a joke, and that message is still there to these days. 😁😂

@mattbrwn

2 ай бұрын

github.com/torvalds/linux/blob/eb6a9339efeb6f3d2b5c86fdf2382cdc293eca2c/fs/jffs2/scan.c#L266

@Rilch

2 ай бұрын

@@mattbrwn 12 years ago x D

@Spudz76

2 ай бұрын

"Cowardly refusing" is widespread, such as if you try to tell tar to make an empty archive. Basically the oldest meme in the UNIXsphere.

Isn't it way easier to resolder the chip with the soldering iron instead of hot air? I always do it this way

I'd have binary edited the flash image directly. The salted hash is the same length, so it's a drop in replacement. The image is unencrypted and uncompressed, and the filesystem image within it, is unencrypted and uncompressed. No change in file size, and a bunch of recombination steps, get skipped.

@mattbrwn

2 ай бұрын

This is a good idea, however: "the filesystem image within it, is ... uncompressed" This is not true. > strings u8fw.bin | grep 'root:$1' | wc -l 0

Great

this is awesome stuff! How would have you dealt with it if the microchips had the "erase if read" bit set and the name/logo had been scratched off the surface? This is what I usually see when manufacturers want to add protection to these products.

@mattbrwn

2 ай бұрын

"erase if read" I've never seen something like this before on an discrete flash chip. You might be thinking of an internal flash on a microcontroller? Think about it: How would the CPU ever read flash data if it erased itself on a read operation?

@Gritaremos

2 ай бұрын

@@mattbrwn Great point! I guess I was thinking of a microcontroller. I am assuming at that point it may be easier to find the flash chip and attack it instead?

Hello friends anyone know how i can repacking the firmware and bypass the crc signatures

Didn't know mkfs could make a binary image from a "regular" directory. I thought they used dd or something for that.

You will become viral

I wish I was smart like this..

Are you going to follow up with a way to root without hardware mods? Is there any setuid, or something that a stock box could be rooted with? Not sure if there is anything, but maybe? Or are you closing this series out?

@mattbrwn

2 ай бұрын

not closing the series out, but haven't found a way to root without firmware mod yet.

@RobertGallop

2 ай бұрын

Good luck sir, your skills are awesome to observe, if there is one you’ll get it! And I look forward to learning what you find!

Does it default to little endian or your native system endian? Either case it is good to have the -b to make it repudicable.

@mattbrwn

2 ай бұрын

you might be right. might be the native system's endianness.

@Spudz76

2 ай бұрын

"File systems are created with the same endianness as the host, unless the -b or -l options are specified." from the manpage

I've just discovered your channel and... whaou ! Now I'm looking for any device in my home where I can try to hack 😅 my concern is that I've heard that some chips may have some safety erase function in case of unauthorized access 😢 have you ever encountered this case ?

@mattbrwn

2 ай бұрын

Never encountered this. Just go for it. Make sure it's a device you are ok bricking!

Whats up, everybody!?!

Couldn't you have avoided lots of erase block size and endianness by mounting the original firmware as a loopfs, modify /etc/passwd, and then unmount and unloop it?

@Spudz76

2 ай бұрын

Not without using mtdram or nandsim both of which also need to be told how to act like the real flash chip (aka still have to know the right eraseblock size and all)

After seeing this I am happy I've bought "older" version of that programmer called TL866-II, because there is minipro - the alternative control software for that programmer made by David Griffith, which is perfectly hassle free…and it has command line interface which is easy to integrate with other parts of build chain like gmake. As far as I know there is also some experimental support for newer programmer in the last version, so maybe, just maybe, there would be some way how to modify it to your device too…which, in fact, would be great. The original software is horrible. Is it possible to mount jffs filesystem in rw mode through loop device? Idk, but if this is possible, then it would be much easier way how to modify that firmware file. Some FS cannot be mounted this way (e.g. iso9660) but sometimes, well, you are lucky enough :3.

@mattbrwn

2 ай бұрын

Yeah I saw that project for the TL866-II. Really want that for the T56

nice

It would have been much easier to mount your copy of the image file with the loop device, alter the shadow file, and unmount it. No having to dork around with trying to repackage the exploded contents.

@Spudz76

2 ай бұрын

Not without using mtdram or nandsim both of which also need to be told how to act like the real flash chip (aka still have to know the right eraseblock size and all)

@PrimalNaCl

2 ай бұрын

@@Spudz76 mtdram or block2mtd; nandsim is a brutal pita to get right. Regardless, outside of nandsim, it's a faster/easier iterative process (even in a pure brute-force scenario) than repackaging the exploded fs, writing to actual nand, resolding to the board, and holding one's breath during the boot process. :)

Why not just he edit the disk image directly with the hash? Skip all the mkfs stuff.

sent you a msg on linkedin :-)

Disassemble hikvision camera to hack firmware

You could have just changed the config user shell and you could gain root that way without overwriting the root user password

@xrafter

2 ай бұрын

If config isn't able to run sh then that won't work. However it seems all of that is provided by busybox. So I would assume you can't change the permissions of one command withoud affecting the entire suite.

@xrafter

2 ай бұрын

Also the config user has a UID 0 shared with another 2. I didn't know this was possible. Anyway, UID 0 means he should be able to run sh.

@mattbrwn

2 ай бұрын

I could have just changed X and gained root, where X is an infinite set of firmware modifications. ;)

firmware murderfication ... priceless.

This was great

informative, and entertaining, and I would give ya a B on the solder job. LOL, I like the comment also from @lifeless11111 however the heat isn't as much an issue is the tip size when work with surface mount parts.