Great video as always! I hate the fact that you can do what I do, but I can't do what you do (yet)! Just a few tips on the solder/desolder process: When cleaning the chips' pins, avoid scrubbing them up and down as Matt did, because if the cotton catches a pin you can bend it out of shape and cause all sorts of problems! It's often better to roll the cotton bud between your fingers for a rotary motion, or sweep along the length of the pins outwards from the body. For soldering, a different method taught to me to reattach (after cleaning the pads of old solder) is to only add solder to pad 1, then heat with your iron and slide the chip pin 1 into place onto the pad and with the heat still applied you can align the chip perfectly. Then solder the diagonally opposite pin, check for alignment, then solder the remaining pins. The issue with not using flux for hot air resolder is either dry joints, or as we saw the chip blows away! Flux also helps keep the chip in place. Try to not heat any other components either, the last thing you need is to dislodge or lose an 0201 resistor! I agree it is a lot less messy without using flux, just a little more tricky sometimes. Try to avoid using high-power ultrasonic baths on most circuits as they can shatter any timing crystals on the board, even ones inside the chip itself. A bit of swishing around in an isoprop bath will clean off almost any flux with ease. If something does go wrong (it doesn't boot in this case), then remove the chip, clean the pads, and try again. Most chips have a thermal profile and cannot be heated to solder-melting temperatures for a long time without failing, so keep the hot air or iron on only as long as needed to melt the solder and reattach, and let it cool naturally in air. Don't use freeze spray or compressed air as you can crack the chip with the temperature delta. And my number one tip, learned from experience - make sure the power is off before attempting any of this :D
I think the consensus here is Matt isn't very mechanical, his hands are too soft and delicate.
I'm nearly caught up on all your videos.. time to ramp up that upload schedule 😅🤣 I'm happy to live vicariously through you though; you're doing all the things I want to do but never have time for 😅
These videos are awesome man! I love how explicit you are. It is a huge pet peeve of mine that people half explain or explain outside of the intended audience or skill level and you do a fantastic job of keeping it within those boundaries.
Please finish this as a series.
I watched this entire video. Now I need to binge watch the rest of this season 😂😂😂
Wonderful content as always. Thank you! Besides the arrow, you also have the "U" shaped latched printed on the board (white color) that would help identify first pin.
Amazing content. Concise, detailed, and clear. Would definitely love a tutorial series on reverse engineering or firmware extraction. Hell I am willing to pay for it!
Enjoyed the video! You should probably attach the antennas prior to firing up the board to prevent damage to the radios
Also worth noting, if you use a fiberglass pen to sand and then an exacto knife to cut the power and ground traces (2 cuts to ensure there is a gap) on the board, you can use a SOIC/SOP chip clip or test leads to pull the firmware in situ and need only a solder bridge to reconnect the traces. It's much faster this way if you find yourself in a situation where you might have to be regularly putting the chip back on and off multiple times. (Often when detecting how changes appear on the filesystem or raw SPI memory when you can't easily root the device (or when it's not running Linux at all))
Can you point to a video that demonstrates this technique? Thanks!
@nwellinghoff I'll work on recording one, I didn't think it was unique but I also don't feel like I learned it anywhere so probably good to get out there just in case.
In a lot of your videos, you are examining directory trees. May I suggest the tool 'mc' to quickly explore without having to do all the typing?
going to have to finish watching this tomorrow
hi matt, i have seen your last couple videos. I just wanted you to know you do a great job explaining things to noobs like me and I look forward to your videos.
Just found your channel and am addicted.
Awesome video! I'm a comp sci student with some decent knowledge of networks but I've recently been super interested in hardware. It's cool to see videos like these and I hope to keep seeing them! I'm going to start watching them backwards, looking forward to learning more!
You know it's a good vid when Matt got his hitman gloves on
hey Matt- I've seen people extract firmware by attaching a clip on-top of a chip that's still on its PCB. (perhaps even on your channel?; not sure..) anyway- how do you know when a chip should/must be removed like you did here, rather than scanning it in-place...? Thanks!
See @Segphalt comment below.
The chip must receive power, but you do not want to power the rest of the board, because this would also power the SoC, which would also start reading off the chip.
@rubenfaelens2127 Would it be possible to put everything else in reset?
Also you can use an Arduino, STM32 or RP2040 based MCU for SPI chip read, write and dump
Perfect timing! I need to do this for an old 3g modem I was working on soon
Worst case, it should not matter what the (password) has value wise because the pass is stored in that same hash value. Zero out that (hash) password for admin or root, save and burn the bin back to the chip, and when prompted after POST, if you simply hit enter without typing the password it should give you access.
Great video! Simple, clear, concise.
I never seen you dude, but just 'coz of your first few secs of your video I already liked you and subbed; we're of the same "Tribe": The Tinkerers 😁👍
I appreciate the time and effort you put into these videos! I like the format of the videos and how you've got everything set up. Switching between various video inputs, screen recordings, etc. is all done very well. Very interesting finds in the firmware as well! Are you involved with any reverse engineering communities out there? If so, are there any you'd recommend?
so clean extraction nice matt!
Loved it. God bless us all! Let's understand technology before we are controlled by what we don't understand. This is a great video and your explanation was easy to understand and practical! Thank you very much!
We have to own our devices, whatever the cost we must not let our devices (especially our mobile phones and routers) communicate in ways we are not comfortable with or with entities which do not have our best interest in mind.
Nice content. Clean and succinct, good explanation of what you are going to do and why so we can follow along with better understanding of what we are seeing.
Great video, I love the basic walk-through; I feel like I understand what you did having never done it before. I'd be curious what kind of fight higher end devices like a UniFi UDM would put up in this process.
As always absolutely great video 😎
Why not use a CH341A with a test clip? You don't need to desolder it.
Exactly what I was thinkin'
I wonder if you could use that LTE card in a PC.
With changeable IMEI?
If you could find a driver I'm sure you could
@MichaelOfRohan write a driver pleb
There are LTE USB sticks which you can get on the free market though.
@sloppycee lol riiiiight glwt
This is important work and highlights why you should never plug in a random brand wifi router to a corporate network.
Absolutely love your videos man!!!
I love watching these!
Matt, you may try throwing some leaded solder on first to aid in removing it with the hot air. Another good video, learning a lot from you.
Another amazing video!
Love watching these to see how others go about this sort of work. I pick up a few tips and tricks.
Matt, can you show us sometime how to take a non RTSP ip security camera and upgrade it to use RTSP?? It's something I think would be really interesting! Love the videos, and btw, a colab video with you and Joe Grand would be crazy cool also if you could ever make that happen! 😀
Loving these videos, thanks!
cool one, straight forward and precise. Fun !
Waiting for the re-assembly of the firmware video. If you can show how to do it, I think I can buy a LR1200 to do the exercise ;)
Look at this guy using tools, real hackers use clippers man :))) . Glad I can see people going down these rabbit holes
Would be great to see some consumer device hacks and mods like Android TVs for example (imo there's little sense in hacking what's already based on a hacker-friendly project like openwrt)
Great video as always
I would be interested in what your fume extractor and microscope is as I am attempting to improve those myself. Also there are toxic/unhealthy fumes from Isopropyl Alcohol…
great video. one day could you go into a deeper dive on how you pull firmware, and how it all works?
I don't know anything but I watch you, new sub
IoT noob here. What would be the correct thing to do instead of a hardcoded root pw on an IoT device?
depends on the context. but the more hardened devices I've seen don't allow password auth at all.
Flash encryption is also an option but often not readily available on anything but the newest MCUs/SoCs.
If it was me, I would generate a random password for each firmware. It's more secure, but way harder to debug
nice job bro! that's very interesting..
Where in the hell did you learn this? This is cool as shit. I just got my son his first computer and got him some logic game and some other learning stuff.... already killing it... I'm going to browse your channel, but I'll probably end up reaching out to find out about how the hell you're into this.
There should be a socket option so you can easily swap the chip, e.g. for making changes to the filesystem for better debugging (set a custom root password etc.)
This is great man; thank you!
Nice vid. At 10:54, do you re-seat the chip often? I have the SOIC8 clip (like a clothespin) and it takes like 1h to clip it properly.
Hi Matt. Great video, and I subbed you some time ago. I have to ask, which tiling window manager are you using and do you share your dot files? Thanks.
awesome video!
so good
subbed
Is the "I did not take a picture" part a hypothetical? Because you took a video of it. Btw, you can also just look for vcc and gnd, trace it out, and look at the data sheet.
😲good stuff.
I wonder if they preprogram these SPI flash chips or if they bootstrap some program into the main processor that flashes it.
If you're gonna use copper stripe, you might as well use flux to get the best of the hot air gun and the copper stripe.
Isn't flux mostly used to ensure proper bonding during soldering? Like I see lots of people use flux when removing components, but I don't see why you'd need it.
Flux removes oxidation and prevents oxidation. Without flux solder doesn't bond well to the copper/tin. In this case where everything was tinned the soldering went ok, but without flux new oxides are being formed in the process. It's best practice to use lots of flux and then clean everything after.
0:31 I pumped some hot air at the monitor after I saw the video title
Do you ever chase down the source for the GPL contaminated blobs?
I like all of it
Hi matt! Curious: what are the pro an cons of desoldering vs a clamp?
I used to hex edit the filesystem to wipe the password hash, padding the GECOS field so the line was the same length.
Hey Matt, please recommend some books for hardware and IoT hacking for beginners to experts like you
Very cool 😊
The URL pointing to the json file is a site for the router to upload statistics
Wonder what kind of solder he's using.
Yo matt which temp config do u use for ur heat air gun ??
Around 870 F. But with hot air that's just one variable. It's also about how fast the air flow is and how close you are to the component.
nice!!
Hey @Matt Brown, I am able to extract any firmware because I'm a laptop repair technician, but I don't know what to do next after getting the firmware for an IoT device. I use binwalk for extraction but don't know much about how to find vulnerabilities. I want to move into hardware hacking, please guide me!
No clean flux is the way to go
Any recommendations? All of the "no clean" flux I've used still leaves a residue that needs cleaning. Especially important if you don't want anyone to know that you've had the chip off the board! Cleaning with isoprop also removes certain security markers and any ink which is a dead giveaway.
@alanangelfire1217 I have used things that Voultar has recommended, Treela 8341 is a good one to start with
What is the advantage of using lead based solder?
Lower melting temp
What's up with the large footprint over top of the little footprint?
Probably connected to the same SPI interface to the CPU. That would allow them to use a larger flash chip without having to design a new PCB
Why do you prefer to go chip-off over clip? I'm more of a novice but have had a lot of success with the clip for the T56
The issue with clip over chip is the power you need to provide the target chip in order to read it - often this will end up back-powering the whole circuit and can interfere with reading the chip at best, or damage the output drivers of either the host, target chip, or your reader. Safest option by far is to remove and read, then resolder, depending on your solder skills of course!
neat.
Would have been neat to modify the shadow file, repackage the filesystems and write it back to the chip to see if that could allow you to change the root password. Obviously not needed in this case since the password is already cracked
You don't look like a Matt Brown.....
(I'm playing wit cha)
you should talk with darknet diaries
Does that chip extraction method work for much larger chips?
Yeah it supports many different kinds
You missed that in the userdata folder the product file had telnet instructions and username admin, password cs2012
I have one doubt: how can we conclude that a particular (X) chip holds the firmware?
You could read the chip's documentation. Maybe the first few times you won't know what is what, but over time you get to know series numbers and models so you don't even have to guess.
Often because of doing it a lot and getting used to it. Flash chips often come in 8 pin packages and are kind of wide and start with 25xxxxx. Or a TSOP package for larger devices or devices that use complex operating systems; these flash chips are also inside USB drives. Often the manufacturer also hints what it is. Some common manufacturers are XMC, cFeon, Winbond
Flash chips (where the firmware is stored) often come in a common set of packages (physical dimensions) so after you have looked at enough PCBs you can immediately know which one has the firmware :D
I once sold a modified mp4 player that I was working on for fun. I renamed its bluetooth name to 'Justin Bieber' and sold the (approximately $50) noname player for $250. Is this considered ethical hacking yet? 🙈
Why not just read/flash it in-circuit..
Are people more conscious about how you're handling stuff when you're using leaded solder?
Please try to make a video on Chinese 5G routers, like Tozed 5G CPE, ZTE, etc.
Harbor Freight has an ultrasonic cleaner for 90 bucks.
Oh I might have to check that out ....
@mattbrwnvevor sp? Seems to be a fairly common unit, likely out of the same mfgs. Don't know what solution would work. Ultrasonic hot 111, then vapor phase rinse, then dunk in pure alcohol used to be our std back in the day before parylene conformal coat. Maybe 70% iso in the ultrasonic then a spray bottle of 91% iso to rinse? Outside with a lid handy if it lights off 😊
Engagement
I can't take it bye
20:51 shows passwords in cleartext
Nice! 😎😜
Password/key is hardcoded @ 21:02 .... lol
Whats up, everybody!?
You talk too much
at 20:59 it looks like the password recovered from the first hash is hardcoded as the telnet key. I thought it is pretty cool as sometimes people reusing passwords could save time rather than cracking hashes.
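As an added example (not code from the video or from any commenter), here is a small static audit that flags the credential weaknesses raised in the comments above: a blanked shadow hash that lets you in with a bare Enter, weak or duplicated password hashes across accounts, and a telnet password sitting in cleartext in a vendor config file. The sample files, paths and config key names are constructed assumptions standing in for an extracted rootfs.

```python
"""Static credential audit of an extracted firmware rootfs (added example,
not code from the video or its comments)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample files standing in for files pulled from the extracted
# squashfs: root and user share one md5crypt hash, admin has a blank field,
# support carries a legacy DES hash, and a vendor config holds a telnet password.
SAMPLE_FILES = {
    "/etc/shadow": (
        "root:$1$abcdefgh$0123456789abcdefghijkl:17000:0:99999:7:::\n"
        "admin::17000:0:99999:7:::\n"
        "support:ab01cdefghijk:17000:0:99999:7:::\n"
        "user:$1$abcdefgh$0123456789abcdefghijkl:17000:0:99999:7:::\n"
        "nobody:*:17000:0:99999:7:::\n"
    ),
    "/userdata/product.conf": (
        "[telnet]\nenabled=1\nusername=admin\npassword=hunter2\n"
        "[cloud]\nstats_url=http://example.invalid/stats.json\n"
    ),
}

@dataclass
class Finding:
    severity: str   # critical | high | medium
    path: str
    message: str

HASH_PREFIXES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
                 "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK_ALGOS = {"md5crypt", "des"}
# key=value or key: value lines whose key names a credential
CRED_KEY = re.compile(r"^\s*[\w.-]*?(password|passwd|pwd|secret|token)"
                      r"\s*[=:]\s*(\S+)", re.I)

def classify_hash(field):
    """Map a shadow password field to an algorithm name or account state."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"
    return "unknown"

def audit_shadow(text, path):
    findings, seen = [], {}
    for line in filter(None, text.splitlines()):
        user, field = line.split(":", 2)[:2]
        kind = classify_hash(field)
        if kind == "empty":
            findings.append(Finding("critical", path,
                            f"{user}: empty password field, login needs no password"))
        elif kind in WEAK_ALGOS:
            findings.append(Finding("high", path, f"{user}: weak hash algorithm {kind}"))
        if kind not in ("empty", "locked"):
            # Same salt and hash means the same password on both accounts.
            if field in seen:
                findings.append(Finding("medium", path,
                                f"{user}: same password as {seen[field]}"))
            seen.setdefault(field, user)
    return findings

def audit_config(text, path):
    return [Finding("critical", path, f"cleartext credential in key '{m.group(1)}'")
            for m in map(CRED_KEY.match, text.splitlines()) if m]

def audit_firmware(files):
    findings = []
    for path, text in files.items():
        auditor = audit_shadow if path.endswith("/shadow") else audit_config
        findings += auditor(text, path)
    return findings

def summarize(findings):
    """Count findings per severity, e.g. {'critical': 2, 'high': 3, 'medium': 1}."""
    return dict(Counter(f.severity for f in findings))
```

Run `audit_firmware` over the real files pulled out of a binwalk extraction instead of `SAMPLE_FILES`; the duplicate-hash check is what catches the "same password on admin and root" pattern the video stumbled on.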
Share the dump, see if someone can port OpenWrt to it