I wish these videos were longer, i would love to sit here and listen for hours to you rambling about the innerworkings of a device nobody has ever heard of
try bird watching... DUDE... he just took of the f chip & blabla ! the are a lot of videos of this individual taking appart chips and whatever... then going in ssh looking at bootloader. SO ? sorry to be rude but that is all
I love your videos man but they are just too damn short! I would happily sit here listening for a few hours whilst you ramble on figuring out how to extract the firmware.
Here’s another example of me wishing you’d number your videos. I’d like to see the next video but it isn’t on my list and I have to go search for it. I’m unsure if I’ll be successful. Excellent work btw, I like how detailed you are. I’m a newbie at this hobby and details are important so I can follow along easier.
Great work and thanks for sharing, Matt:) Side-note, Tip, Womansplaining: Calipers 4TheWin! So you can measure the dimensions of the package. Works when soldered in and after some time you memorize the dimensions of TSSOP/SSOP/SOP/etc anyways. "To measure is to know!" And as a poor-(wo)men's-alternative: Print out a sheet with the whole zoo of electronics packages in the scale of 1:1
I really enjoy seeing how you methodically figure out how things tic and then bypass the security like its not even there. Firmware should be open, so we may use hardware as we see fit.
This style of yt is getting smaller, but in your advantage, it makes you shine. I love the direct, no bullshit music, graphics, and sponsoring of services that I won't do... Now if you did os system explanations, some frp lock removal.... some wifi router config.... no hurry, you haven't posted anything i find boring....
Yep indeed, it's pin 99 on the SoC muxed to UART2_TX quite early on. It's supposed to be pulled up externally + there are some suspicious test points at the other side, but, generally speaking, manufacturers rarely care enough to break this one out in any convenient way
Watching SMD's getting soldered onto PCB's is so satisfying... don't judge, I'm just saying what everyone's thinking. BTW, @Matt Brown, I switched to those little foam tipped eye makeup brushes which really elevated my flux clean up game over the Q tips, give 'em shot.
@17:23 it clearly says HDCP :D "HDCP stands for High-bandwidth Digital Content Protection. The purpose of HDCP is to protect digital copyrighted content as it travels from a device to your TV, usually through an HDMI, DVI or DisplayPort connection." You might be able to interface that programmer with flashrom, I'm not sure if it is but it should be possible to implement! I own a "Willem EPROM Programmer", it also supports SPI flash memory like these but these days I generally use a very cheap ch341a_spi USB device.
Towards the end of the video I could swear I had seen "lzma" somewhere, went back to strings and watched closely while pausing, thought I was going crazy 😂
It's only 8MB though - the 980MB partition a couple above it will be the interesting one I would think...
6 месяцев назад+23
There's seem to be a compressed LZMA region, i'm pretty sure it's what you seen as high entropy, i'd bet it's the compressed rootfs mounted by the bootloader. Many times the MAC address is the one injected for the Wifi, as those modules don't have any hardcoded, Really interested to see your deep dive analysis. I'll join your discord, hopefully i can find the dump and analyze it myself also. I'd buy one of these if these if there's the possibility of a custom Firmware.
great stuff bro! been so much into software have been slacking on the hardware firmware side of things, good to have this under my belt especially with todays supply chain being chip tainted
I really want to see the next one! Disagree with some of the comments about your video being too short. It is just long enough so that I watch the whole thing and it leave me wanting next weeks episode! It is too short but that’s a good thing, in a way.
is that the program freezing the video on my computer when i open my OBS.. I was doing two different things.. but noticed this freeze.. and that it stopped if the obs was entirely exited and i had to refresh..
Don't know if someone already mentioned it, but I would bet that key you saw mentioned at the start is unrelated to the encryption. It has "HDCP" in it, which would make more sense to be HDMI Content Protection instead.
Really? What did you learn? Nothing but more propraganda, every device you own is made by chinese/taiwanese companies. America makes nothing and tbis guy has no clue
Glad to see this video, I don't understand the RUclips algorithm but videos like this don't show up when I search for them, but they magically appear on the homepage 🗿. And I have 4 devices like that that can't connect even though they have been reset
The silkscreen of footprint on the board is a bit akward due to it being a fairly universal footprint. I do agree with you about the lead free solder, its definitely leaded solder seeing how easy it melted. No issues with using leaded solder in in China.
I like how you spend way too much time going over all the laymen stuff like how to solder then jump through all the coding log processes and writing…lol
It is like reading and flashing a motherboard BIOS chip, I did it many times, but after this, I didn't understand anything anymore, but this is really cool.
and CRC is just cyclic redundancy check used all over to ensure data integrity I believe....so baciasll the string after that is just the HDCP key needed to get around content protection - I mean not get around it but actually use it properly
You've got a fairly standard ALi Tech sat receiver dump :-) These run off a proprietary TDS2 RTOS. The HCSEMI clone chips have a FreeRTOS SDK available, but it's not as stable tbh
to clean stuff you can use an old toothbrush instead of qtips so it doesnt left off any fibers, at least to remove the most of flux witout much hussle.
16:20 'anonymous' and '88888888' sounds like a default user-password pair, 8x 8 being the password, IIRC the '8' is a lucky number in china, so eight 8x would be sth like seven 7s in US.
88888888 is an extremely common password for Chinese devices. I have a WiFi-controlled programmable LED sign that has a Wifi hotspot with that password.
They put two footprints on top of one another so if the wide version of the chip is unavailable they can use a regular soic8. We did the same but we at least made a package with nice looking silk so it didn't look so crap
I would guess it's compressed based on the output of strings including "unzip" but it's possible there's also some encryption of the bootloader or whatever.
China is taking a big risk having most of their systems run a proprietary OS made by an American company. Hard to change that though, given the cultural attachment to Windows - shown by most Chinese software only being available on that OS.
There were multiple strings that referred LZMA and unzip "main code". I think that the code is just compressed, and the key if for hdmi drm not the firmware.
Bog standard LZMA. binwalk -e handles it well, but any unlzma tool will suffice. An RTOS2 SDK seems to come with the unmodified LZMA build from Igor Pavlov, too
Nice. One thing - that SW you are using, it is not (only) Chinese crap, it is standard crap. Those ergonomy-hells are created mostly by HW engineers who's simply doesn't understand how (and why) to make user friendly GUI. :)
Great video this was fun! Please do something on a Vortex phone, Oxtab tablet or other freeware. TV devices are big duh, I have an M-95 4k box that was immediate full throttle/unresponsive... turns out they're pretty much all spyware. Tried to hack my google acct from Shenzen. Oops. But devices handed out to the elderly etc are no longer motorola or lg, but chinese companies with knock off Galaxy designs and questionable Android builds.
How about modding a xiaomi 4c router (which is really cheap) to port usb(it has two open data pins) and openwrt (just enable ohci and ehci in kernel while complling) and then make a wifi pineapple(decompile pineapple rom and port using overlay) bcz they both use mips24kc :) then tada 15$ pineapple 🍍 btw it has better specs then original pineapple...
i have the xiaomi 4A gigabit and its super easy to openwrt, don't need to open it can do it just by firmware upgrade, and YES please someone make a pineapple out of it, I got part way there and had to move on to other things but I still have it and WISH someone would make it a package!!!
I think the XGecu Software isn't that bad, it's rather barebones and packs a shtload of functions in a no-frills kind of way. To be honest it kinda feels like someones project rather than a productof a big evil chinese spyware flinging knockoff company.... A Linux Version and an API to add new programming algorithms and chips would be banger, though.
@@mattbrwn I still remember my utter disbelief when I first saw the older version popping up, together with a boatload of zif adapter sockets, for a total price of less than one tenth of what a single tsop adapter for a "respectable" programmer cost.
Sadly often when you put the clip on it powers the flash but also the soc/cpu its connected to which then tries to read from it and messes up the firmware read
Yeah this exact platform has no trouble being dumped via the cheap ass clip usually shipped with CH341A kit. The LZMA packed firmware gets extracted to the RAM, and the SPI chip gets almost no accesses at all
I used bug prove for complication software.İt's can't decyrpt firmware if it's encyrpted but if it's uncrypted bugprove can good job and you can detect old binarys,vulnarabilities etc.
Nice video, Matt! Tks for share your knowledge! It's possible extracting the firmware via software? connecting via terminal (adb) and copy some partitions? sometimes i have dificult to consider what is the firmware, e.g all image firmware or only bootloader firmware.
@@309electronics5 This one doesn't, everything is proprietary. Doesn't like to respond over USB, as well. There's usually some form of OTA on these, though, but dumping is tough
does it not work out of the box? Is there a further use goal to add to it or is this just pull the firmware cause you can as title kind of obviously states?
hey Matt, I like you videos and watched many of them. I am a student who loves hardware hacking. I started electronics basics and Arduino to kinda get familiar with the hardware stuff. do you have any roadmaps to be successful in this field of job ?
I wish these videos were longer, i would love to sit here and listen for hours to you rambling about the innerworkings of a device nobody has ever heard of
try bird watching... DUDE... he just took of the f chip & blabla ! the are a lot of videos of this individual taking appart chips and whatever... then going in ssh looking at bootloader. SO ? sorry to be rude but that is all
I love your videos man but they are just too damn short! I would happily sit here listening for a few hours whilst you ramble on figuring out how to extract the firmware.
Haha I was just thinking the same thing
Short? Is 25 minutes, a whole episode
This!
I disagree he could easily cut it down to 5 mins and that includes the intro video.
Lullaby.
Here’s another example of me wishing you’d number your videos. I’d like to see the next video but it isn’t on my list and I have to go search for it. I’m unsure if I’ll be successful. Excellent work btw, I like how detailed you are. I’m a newbie at this hobby and details are important so I can follow along easier.
Great work and thanks for sharing, Matt:)
Side-note, Tip, Womansplaining: Calipers 4TheWin! So you can measure the dimensions of the package. Works when soldered in and after some time you memorize the dimensions of TSSOP/SSOP/SOP/etc anyways. "To measure is to know!" And as a poor-(wo)men's-alternative: Print out a sheet with the whole zoo of electronics packages in the scale of 1:1
Do you have a link to a sheet that you can link to for us other newbies?
@@KallePihlajasaari i got an actual ruler with different package sizes on it..
I really enjoy seeing how you methodically figure out how things tic and then bypass the security like its not even there. Firmware should be open, so we may use hardware as we see fit.
binwalker said on the bottom that there's LZMA compressed data. Uncompressed size is 7M! probably squashfs!
Also saw in the string something about unzip length.
This style of yt is getting smaller, but in your advantage, it makes you shine. I love the direct, no bullshit music, graphics, and sponsoring of services that I won't do...
Now if you did os system explanations, some frp lock removal.... some wifi router config.... no hurry, you haven't posted anything i find boring....
16:58, there's reference to SC16550UART so there's good possibility of a UART output somewhere on that board for the bootloader
Yep indeed, it's pin 99 on the SoC muxed to UART2_TX quite early on. It's supposed to be pulled up externally + there are some suspicious test points at the other side, but, generally speaking, manufacturers rarely care enough to break this one out in any convenient way
Might be on the usb port. Sometimes they do that.
Watching SMD's getting soldered onto PCB's is so satisfying... don't judge, I'm just saying what everyone's thinking.
BTW, @Matt Brown, I switched to those little foam tipped eye makeup brushes which really elevated my flux clean up game over the Q tips, give 'em shot.
I'll have to try that. Getting those Qtip hairs everywhere is annoying
@17:23 it clearly says HDCP :D
"HDCP stands for High-bandwidth Digital Content Protection. The purpose of HDCP is to protect digital copyrighted content as it travels from a device to your TV, usually through an HDMI, DVI or DisplayPort connection."
You might be able to interface that programmer with flashrom, I'm not sure if it is but it should be possible to implement!
I own a "Willem EPROM Programmer", it also supports SPI flash memory like these but these days I generally use a very cheap ch341a_spi USB device.
My new favorite tech channel! Can't wait for the next hack adventure!
What exactly did he hack?
14:47 At the bottom it says LZMA compressed data
Glad I'm not the only one to see this.
Rootfs is probably compressed within LZMA and then uncompressed and mounted via the bootloader.
I was just about to comment this, seems like it will be fairly easy to get access to the rootfs. +1
cliffhanger !
Towards the end of the video I could swear I had seen "lzma" somewhere, went back to strings and watched closely while pausing, thought I was going crazy 😂
It's only 8MB though - the 980MB partition a couple above it will be the interesting one I would think...
There's seem to be a compressed LZMA region, i'm pretty sure it's what you seen as high entropy, i'd bet it's the compressed rootfs mounted by the bootloader. Many times the MAC address is the one injected for the Wifi, as those modules don't have any hardcoded,
Really interested to see your deep dive analysis. I'll join your discord, hopefully i can find the dump and analyze it myself also. I'd buy one of these if these if there's the possibility of a custom Firmware.
I think you're spot on about LZMA being the rootfs and that it's uncompressed and then mounted by the bootloader.
I bet it's going to be a kernel with the built in rootfs. No reason for these little gadgets to pivot root to a real file system
@@allwitchesdancei had a miracast device that had a full rootfs and a kernel. It even had a recovery kernel. Mine used a Actions semiconductor SOC
Yeah a custom one is possible, but I bet you won't like the only FreeRTOS-based SDK available
great stuff bro! been so much into software have been slacking on the hardware firmware side of things, good to have this under my belt especially with todays supply chain being chip tainted
Really good work, youtube's algorithm brought me here!
same. a few weeks ago a Matt Brown video was in my recommended vids. i been subbed/watching ever since.
I really want to see the next one! Disagree with some of the comments about your video being too short. It is just long enough so that I watch the whole thing and it leave me wanting next weeks episode! It is too short but that’s a good thing, in a way.
Love your videos,I saw in strings HDCP which is hdmi copyright protection
is that the program freezing the video on my computer when i open my OBS.. I was doing two different things.. but noticed this freeze.. and that it stopped if the obs was entirely exited and i had to refresh..
I love this kind of videos where you showcase your adventure! Hope to see some in depth analysis in the future regarding the fw :D ty Matt
Ive been loving those tuts thanks its hard to get info like this in a video
Don't know if someone already mentioned it, but I would bet that key you saw mentioned at the start is unrelated to the encryption. It has "HDCP" in it, which would make more sense to be HDMI Content Protection instead.
Another banger as per usual
Really? What did you learn? Nothing but more propraganda, every device you own is made by chinese/taiwanese companies.
America makes nothing and tbis guy has no clue
Glad to see this video, I don't understand the RUclips algorithm but videos like this don't show up when I search for them, but they magically appear on the homepage 🗿. And I have 4 devices like that that can't connect even though they have been reset
The silkscreen of footprint on the board is a bit akward due to it being a fairly universal footprint.
I do agree with you about the lead free solder, its definitely leaded solder seeing how easy it melted.
No issues with using leaded solder in in China.
Great video I just subscribed. I really enjoyed the one shot approach. Nice job. I am fixing to check out the second part!
@Matt Brown good sir. you are on fire lately. another awesome video.
Thank you youtube for showing me this channel! I love this kind of electronics hacking!
Thanks Matt for your great video. I love to see how you can pull these out and get the information from it.
Good job, looking foward to see more progress.
Matt this was absolutely fantastic. Thanks for sharing!
Cannot wait for part two
Another great video! Keep them coming!
I like how you spend way too much time going over all the laymen stuff like how to solder then jump through all the coding log processes and writing…lol
Cool stuff! Thank you for sharing your electronic adventures!
I like that D+ and D- are easy to trace out. Thanks for showing your process, I just got Xgpro working in anticipation for my T48 to show up tomorrow
Let's wait for the next video about it,interested!
Great video Matt,!!!
love your videos, i also think there too short... i enjoy complete and in-depth look into IoT
It is like reading and flashing a motherboard BIOS chip, I did it many times, but after this, I didn't understand anything anymore, but this is really cool.
Loved this man awesome work!
17:18, NCRCHDCPKey refers to HDCP, or high-bandwidth digital content protection, it is not an encryption key for the firmware
and CRC is just cyclic redundancy check used all over to ensure data integrity I believe....so baciasll the string after that is just the HDCP key needed to get around content protection - I mean not get around it but actually use it properly
You've got a fairly standard ALi Tech sat receiver dump :-) These run off a proprietary TDS2 RTOS. The HCSEMI clone chips have a FreeRTOS SDK available, but it's not as stable tbh
And here I was wondering why the NCRC string seemed so familiar.... likely MIPS based as well
I think I ventured into the fun side of RUclips
very cool stuff. I look forward to learning from ya
to clean stuff you can use an old toothbrush instead of qtips so it doesnt left off any fibers, at least to remove the most of flux witout much hussle.
16:20 'anonymous' and '88888888' sounds like a default user-password pair, 8x 8 being the password, IIRC the '8' is a lucky number in china, so eight 8x would be sth like seven 7s in US.
"anonymous" as the username makes me think of FTP.
just came to say the same thing - thats exactly what it is
Probably a firmware update check
88888888 is an extremely common password for Chinese devices. I have a WiFi-controlled programmable LED sign that has a Wifi hotspot with that password.
I have no idea what’s going on but I watched the whole thing
using possibly compromised sw to dump a knockoff product.
like it! 😏
They put two footprints on top of one another so if the wide version of the chip is unavailable they can use a regular soic8.
We did the same but we at least made a package with nice looking silk so it didn't look so crap
The two lzma blobs are probably the kernel and initramfs
One's the kernel, and another (usually) the localization data. This thingie doesn't need any fs at all
I would guess it's compressed based on the output of strings including "unzip" but it's possible there's also some encryption of the bootloader or whatever.
China is taking a big risk having most of their systems run a proprietary OS made by an American company. Hard to change that though, given the cultural attachment to Windows - shown by most Chinese software only being available on that OS.
They're fine, they've got the source code...
this is the perfect video to listen to in the background lmao
8:16 What the FLUX is going on here ?! 😂
always interesting to watch
I wonder if the filesystem is compressed in a non-standard way.
Another great video!
Nice soldering skills, I have one of this device in which the micro USB is detached. I am yet to solder
that entropy spike is totally compression; probably a ramfs of some kind, looks like it showed up at the bottom of binwalk.
Dude I've the same thing 😅 gotta follow this guy now
There were multiple strings that referred LZMA and unzip "main code". I think that the code is just compressed, and the key if for hdmi drm not the firmware.
Great video! I have a question, witch temperature do you set on your heat gun?
Nice! I'm curious to discover how to decompress/decrypt those data!
Bog standard LZMA. binwalk -e handles it well, but any unlzma tool will suffice. An RTOS2 SDK seems to come with the unmodified LZMA build from Igor Pavlov, too
Great job! Which microscope / camera do you use?
"the logo for the company that makes this device" SHERLOCK!
You've got LZMA compressed data there. That might explain the entropy results you're seeing.
Nice videos! How hot do you set the hot air gun to remove a component without destroying it?
What analyzation software do you use in 18:50 ? I subscribed to your channel , great content
That's binwalk program running -E [capital e for Entropy, if -e it will extract firmware "structure" I guess ]....
1:01 You say, "*to* your TV", but I read "*on* your TV".
Why do you keep hitting the Return key so often?
"lets just not think about that right now" lol
Waiting for the next part. Any idea when it will pop up here?
dude are you an american knockoff of china?
By the way great video Here goes the subscribe puk!!!
Nice. One thing - that SW you are using, it is not (only) Chinese crap, it is standard crap. Those ergonomy-hells are created mostly by HW engineers who's simply doesn't understand how (and why) to make user friendly GUI. :)
It had a hdcp string above so that encrypted data propably contains hdmi hdcp handshake key too.
The good thing about dumping the firmware is that you can just buy another flash chip and reflash it if it breaks.
Not unless the firmware ties itself to the flash Unique ID, and Chinese-sourced thingies usually DO... as a form of copycat protection
I think if it's encrypted, entropy is almost exactly 1. If it's compressed it might be slightly lower
Great video this was fun! Please do something on a Vortex phone, Oxtab tablet or other freeware. TV devices are big duh, I have an M-95 4k box that was immediate full throttle/unresponsive... turns out they're pretty much all spyware. Tried to hack my google acct from Shenzen. Oops. But devices handed out to the elderly etc are no longer motorola or lg, but chinese companies with knock off Galaxy designs and questionable Android builds.
You said you didn't open it.. then you said you opened it.. 😂
can you make a video on synology TC500
How about modding a xiaomi 4c router (which is really cheap) to port usb(it has two open data pins) and openwrt (just enable ohci and ehci in kernel while complling) and then make a wifi pineapple(decompile pineapple rom and port using overlay) bcz they both use mips24kc :) then tada 15$ pineapple 🍍 btw it has better specs then original pineapple...
I can't try this bcz of my upcoming entrance exam for varsity...
i have the xiaomi 4A gigabit and its super easy to openwrt, don't need to open it can do it just by firmware upgrade, and YES please someone make a pineapple out of it, I got part way there and had to move on to other things but I still have it and WISH someone would make it a package!!!
I think the XGecu Software isn't that bad, it's rather barebones and packs a shtload of functions in a no-frills kind of way.
To be honest it kinda feels like someones project rather than a productof a big evil chinese spyware flinging knockoff company....
A Linux Version and an API to add new programming algorithms and chips would be banger, though.
Totally agree. As much as I complain about XGecu it's the best thing we've got.
@@mattbrwn I still remember my utter disbelief when I first saw the older version popping up, together with a boatload of zif adapter sockets, for a total price of less than one tenth of what a single tsop adapter for a "respectable" programmer cost.
This is awesome
Hi Matt, do they make clips for SOP8s that size? Seems like that would be quicker than desoldering that chip, then again it came off with no issue. :)
Sadly often when you put the clip on it powers the flash but also the soc/cpu its connected to which then tries to read from it and messes up the firmware read
Yeah this exact platform has no trouble being dumped via the cheap ass clip usually shipped with CH341A kit. The LZMA packed firmware gets extracted to the RAM, and the SPI chip gets almost no accesses at all
I'm just here to tickle the RUclips gods don't mind me
this broke my tv 💀
I watch these even though i feel like Homer Simpson.
Goated vids
I used bug prove for complication software.İt's can't decyrpt firmware if it's encyrpted but if it's uncrypted bugprove can good job and you can detect old binarys,vulnarabilities etc.
Nice video, Matt! Tks for share your knowledge!
It's possible extracting the firmware via software? connecting via terminal (adb) and copy some partitions? sometimes i have dificult to consider what is the firmware, e.g all image firmware or only bootloader firmware.
Adb is android only. If a device runs Uboot as bootloader you can interrupt the boot process and dump the flash.
@@309electronics5 This one doesn't, everything is proprietary. Doesn't like to respond over USB, as well. There's usually some form of OTA on these, though, but dumping is tough
Where can I find this software you use called Xgpro in 5:00 ?
Please make a video on how to rebuild the firmware and calculate the checksum
What happened to the dynamic analysis vid?
Love it
Are these not cracking videos?
Fantastic
If the XGecu Pro software is windows, how do you run it in linux? Are you using WINE or Bottles... I am incredibly curious?
Wine
what terminal ui is that when you check through the device i’m trying to learn more about the software you use
The anycast logo looks like it was stolen from Paul Daniels of Apple fixing fame...
The problem of Chromecast devices is too small internal storage, and i am curious can you replace the original with a bigger one?
does it not work out of the box? Is there a further use goal to add to it or is this just pull the firmware cause you can as title kind of obviously states?
hey Matt, I like you videos and watched many of them. I am a student who loves hardware hacking. I started electronics basics and Arduino to kinda get familiar with the hardware stuff. do you have any roadmaps to be successful in this field of job ?