IoT Hacking - Netgear AC1750 NightHawk - UART Root Shell

  • Published: 30 Nov 2024
  • Science

Comments • 128

  • @mattbrwn  7 months ago +53

    NOTE: Audio is terrible. It was recorded using the wrong mic the entire time.

    • @Log4Jake  7 months ago +10

      Still a great vid. Going to try to find some vulns in one of my routers now.

    • @colinofay7237  6 months ago +1

      No problem

    • @FUBAU  5 months ago +1

      Still great! Thanks and keep it up.

    • @ADR69  2 months ago

      It wasn't even that bad, man, honestly, and I am super picky about audio. Content is really helpful, TY.

  • @Skyspace187  6 months ago +23

    Get yourself a number of 4-6mm barrel jacks with some terminal caps on the wired end that you can either gator clip or screw into a bench supply. Way way easier than having to solder onto the board. I work on a bunch of home routers to recycle/refurb them with OpenWRT, DD-WRT, etc. It's pretty easy to keep a handful of barrel jack bench supply adapters around for your exact use. :D

    • @daze8410  6 months ago +1

      I just made a barrel to alligator clips before I saw this lol

  • @xDMG15x  7 months ago +10

    That was kind of a dream result!
    I actually have this Netgear router. I can't think of anything I would want to modify in the FW right now, but it's good to know I have the option.

  • @byronlovesdrifting1  7 months ago +39

    Wake up. New Matt Brown video. Off work. It's gonna be a good day.

    • @Sircliffe  6 months ago

      Matt who? This is Jim Carrey.

  • @SlinkyStoney  7 months ago +12

    You might want to try those DC barrel connectors with screw terminals on the other end. It is commonly used on analog security cameras.

    • @mattbrwn  7 months ago +14

      That would have been better, but sometimes perfect is the enemy of forward progress.

    • @SlinkyStoney  7 months ago +3

      @mattbrwn True.

  • @RyanRath  3 months ago

    Dude, I love this content: watching your process uncut, unscripted, showing how you troubleshoot rather than just having it all worked out ahead of time and watching it all work the first time. I learn so much more this way as I'm starting my hardware hacking endeavor. You're a stud, keep it up man. I'm sending your vids to all my buddies; if you make it out to DEF CON one year, hit me up.

  • @tylersharpe9413  7 months ago +3

    Thanks for making these videos. Very informative.

  • @theskelet4r  7 months ago +1

    Amazing Video Matt, Keep it up and thank you for sharing your knowledge and experience with the community

  • @rain2besoon  4 months ago

    Keep them coming. These are really good

  • @edwinking4407  7 months ago +3

    Matt is really coming back.

  • @pablopoo  7 months ago +8

    A device's firmware has a lot in common with a Docker container. The ro OS is the container, the rw filesystem is the Docker volume, and the NVRAM is the Docker environment (.env).

  • @DavoShed  17 days ago

    Great Video
    I've got an old Netgear router where the WAN port stopped working after a thunderstorm.
    Nothing to lose by pulling it apart and seeing what it does. Maybe I'll even spot a fried component on the board.
    I couldn't help but notice your positive power wire insulation was stripped back to within a cat's knacker of shorting out on one of those shields.
    Maybe it was just the camera angle. 🤠

  • @cory4940  6 months ago +2

    Just stumbled upon your channel, so glad I did this stuff is mad interesting 🤙🏽

  • @the_beefy1986  6 months ago +4

    40:00 (ish): netstat is probably taking a long time because it's trying to do reverse DNS lookups on the IP addresses it's encountering. Try adding a "-n" flag on it next time to avoid this behavior. This same behavior applies to a lot of other common shell utilities such as ping, traceroute, tcpdump, etc.
    Edit: BTW, I've just discovered your channel and am enjoying your videos immensely. I work in security engineering, and I've always been interested in embedded hardware hacking.

  • @Electrically-Electronic  7 months ago +5

    I want you to make a video about modifying the firmware in the embedded system. Because in my case I have /bin/psh, which is a protected shell for the UART. The only way to get around this is modifying the firmware and assigning /bin/sh for it. When I try to do it, LZMA compression turns out to be a big pain. So looking forward to those videos. BTW, this video is good overall.

    • @mattbrwn  7 months ago +7

      Oh yeah, I've run into systems with those annoying limited shells. It feels like you are so close and yet so far from your goal at the same time.

    • @Electrically-Electronic  7 months ago

      @mattbrwn Yes, exactly.

  • @by010  6 months ago +1

    To be honest, I think it's better that way: the debug port is clearly marked as such, and if you plug into it, the device doesn't give you any trouble to get to root. After all, it's your device; it does mean you "own" it, to get the lovely root shell.

  • @Wageslave645  6 months ago +2

    That face when he found the same router as yours in e-waste...😔

  • @arcallcaps  1 month ago

    I just bought one of those from a Goodwill bin for about 50 cents. It's got some features I might actually use, though I'm not using it as my main router. But pretty cool you have a video on one, since I just found your channel. Also, it's probably not recommended, but I just used a 1.5 amp power supply since it's what I had on hand that fit.

  • @erickvond6825  6 months ago

    In situations like this I would recommend soldering the ground to one of the metal shields, as they're a little easier to attach a wire to.

  • @TradieTrev  7 months ago +1

    Matt, I noticed the wlanconfigd process @27:30. Dare say they leave the UART open for debugging purposes from the factory to load the firmware?
    To mitigate this, don't some more secure IoT devices blow an eFuse to prevent physical access to the firmware? I have a few quite expensive STM32 devices, but I feel I need the ST-Link firmware tool to have a crack, for a n00b like myself.

    • @mattbrwn  7 months ago +1

      So the STM32 is a microcontroller which has internal flash. Most/all Linux embedded devices use external flash that is separate from the CPU. This is why firmware extraction on a microcontroller is harder.

    • @MacGuffin1  7 months ago +1

      Physical access means 'all bets are off', i.e. it's your router, you own it, and there's not much point in them bothering to try and lock out UART (if you're not Microsoft or Apple, it's prolly a waste of money for them). Interesting that it uses Bitdefender and OpenVPN etc. Scary how many ports they have open, omg...

  • @petergaudiomonte1080  6 months ago

    I love this stuff man thank you!

  • @RX_100.0  1 month ago +1

    22:11 What is your checklist if you face a login prompt there (apart from guessing defaults)? Please do a video on that.

    • @mattbrwn  1 month ago

      My "Hacking The Mojo C-75 - Root Shell via Firmware Modification" video is a really good example for that situation.

  • @mytechnotalent  7 months ago +4

    Great one Matt love your hardware reversing vids! I like how you leave nothing abstracted. Hope to see you at DEFCON!

    • @mattbrwn  7 months ago +3

      I wish I could be at DEF CON this year, but I won't be able to make it due to some personal reasons. (Very positive ones 😊)

    • @mytechnotalent  7 months ago

      @mattbrwn Well, I appreciate your material so much, Matt!

  • @polesouth-ey5qq  7 months ago +1

    @mattbrwn What is the make/model of your microscope? Maybe list the tech you use in the description. I am a newb. Thanks.

    • @mattbrwn  7 months ago

      AmScope SM-4NTP 7X-45X

  • @varuntech5690  7 months ago +1

    Great video!!! I just want to know which Linux you are using and which window manager it is, and its theme? Thank you.

    • @mattbrwn  7 months ago +2

      Arch Linux with i3wm

  • @MattMellen1337  7 months ago +1

    @mattbrwn Do you have any experience with SonicWall devices? I've got UART on a SonicWave 231c that I retrieved from e-waste and would like to dig in on it. I have two; one is factory reset and the other is still sitting while I poke at the open one.

    • @mattbrwn  7 months ago +1

      No experience with that stuff no. Would love to see any progress you make!

  • @mitchellspanheimer1803  20 days ago

    I've got an XR300, but it doesn't go to a shell, it just keeps repeating connection info for DumaOS... How can I get to the root shell?

  • @Spudz76  6 months ago +1

    netstat needs "-n" to quit trying to do reverse-DNS lookups on every IP (which is why it's slow when there is no accessible DNS server).
    Also, netstat is officially deprecated; 'ss -nlp' is the new command, although some busyboxen may not have that at all.

  • @roran60  7 months ago +3

    Is it possible to compile a custom version of OpenWrt for this?

    • @mattbrwn  7 months ago +2

      Yep, I bet OpenWrt/DD-WRT already support this device 😀

    • @PCGamer1732  6 months ago

      @mattbrwn Indeed they do, I have one with DD-WRT 🔥

  • @elfnetdesigns702  4 months ago

    On the AX series Nighthawk Wi-Fi 6 routers (at least the one I have), the UART section is not populated with components on the PCB. The pads are all there, just empty.
    Doesn't matter really anymore, since the router bricked itself due to a failed update that happened to take place when my ISP decided to do some maintenance; the update was partial and now the power LED flashes red constantly. No TFTP connection, obviously no UART access. She's a brick.

  • @Gary-ve6ll  7 months ago +2

    Can you do a cable modem, or even a cable set-top box? Would be interesting to see what's inside 🎉

    • @mattbrwn  7 months ago +2

      ruclips.net/video/yI7LdGyXsns/видео.html

    • @Gary-ve6ll  7 months ago

      @mattbrwn Ohhh, didn't even see that, am off to watch it.

  • @whodaFru4551  7 months ago +1

    It would drive me crazy getting constantly interrupted by the ping and the other commands' outputs, especially if you have to enumerate for hours. Would it be possible to start an SSH server and connect that way to get a proper shell/environment?

    • @mattbrwn  7 months ago

      Yep, most OpenWrt devices will have the Dropbear SSH server you can start. I definitely set up SSH when doing longer looks at a device like this because of the annoying console output you mentioned.

  • @SteveRand  3 months ago

    22:00 These things often have a TFTP-based recovery app for flashing firmware back on after a bricking event.

  • @thebrakshow7415  2 months ago

    This is a fun video. I have a few old routers I may have to crack open for science :D

  • @phxsisko  7 months ago +4

    I have a pair of R8000s I flashed to DD-WRT for the extra features and especially better security over Netgear's trash firmware. I recently changed out my gateway to a 4x10G/5x2.5G NIC, 8-core Qotom box running an open source firewall. I keep those R8000s around for when I need a quick, portable, preconfigured 1G network I can take with me on the road (in a car, not a plane).

  • @shawndonnelly5642  3 months ago

    Is this the Netgear Nighthawk 1750 (R6700), (R6400) or (R6350)? There are also different versions of them... do you happen to know? I'm just wondering if all of them have the pins on the board or not. I wanna buy one on eBay to follow along. They're pretty cheap.
    ** This appears to be an R6700 v3. After you listed the ps command, it mentioned it.

  • @Arm1nas  5 months ago

    21:25 - This is most likely TFTP; most routers have this functionality, and you can flash firmware with this protocol. It's commonly used to load custom firmware like OpenWrt, DD-WRT, etc.

  • @0xbitbybit  7 months ago +1

    Hey Matt, did you ever finish off the Arlo videos? I watched one yesterday and was pumped for the next one after you said what you were going to do in the next one... then there is no next one? 😭 You always seem to stop a series right when I need it most, like firmware modification or reverse engineering, noooooo!
    I've been doing this stuff for a while, so it would be awesome to see your approach to more challenging stuff. You should show us something like a device that has encrypted firmware, or something where binwalk gives you no results and you have to figure it out, or where extracting the firmware is much harder because the flash has protections in place you need to change, or show us modifying some firmware to bypass something and re-flashing the device, etc.
    Also, please keep showing the raw footage, not edited; the little struggles along the way are the most useful to see! Or you might mention extra things that are super helpful 👍

    • @mattbrwn  7 months ago +2

      I bricked the Arlo device, which ended that video series, unfortunately. I am trying to do more long-form videos where you see the whole process 😁

    • @0xbitbybit  7 months ago

      @mattbrwn Ahh, damn! We've all been there, haha. Keep them coming 🦾

  • @Iron_Condorr  7 months ago +1

    Hey @Matt, I am trying to remotely monitor my home network. How would you do this?
    Currently, I'm looking to use my ESP32. Do you know the best method? Or I have a Nexus 7 running NetHunter. Ideally, I'd have a battery bank for power, monitoring over Wi-Fi. Any resources or help is appreciated 😊

    • @mattbrwn  7 months ago

      When you say you want to monitor your network what specifically do you want to monitor for?

    • @Iron_Condorr  7 months ago

      @mattbrwn Internet traffic, and any unauthorized access. I think someone is using my credentials to access my stuff. But 2FA sometimes doesn't work, even for me. Whatever you think could help.

    • @Iron_Condorr  7 months ago

      I want to monitor web traffic. I think someone is using my creds to log on and snoop. So that level of monitoring is what I'm seeking 😅 My iPad and PC are left there, so if they are being accessed w/o permission and then snooped on, that is what I assume is happening.
      P.S. If I just change the password, I won't catch the culprit.

    • @sleepymarauder4178  7 months ago

      @Iron_Condorr You can do a simple Wireshark or go full SIEM mode. The book Cybersecurity for Small Networks fits your need perfectly.

  • @realmstupid-on8df  5 months ago

    Is all your heat getting sucked into that return vent?

  • @mastekillerKurD  5 months ago

    Hey Matt, I've been interested in IoT security and was trying to follow along with my Netgear AC1900 C7000v2. I'm able to get a terminal, but the party ends as it gets stuck at the console handover boot -> real; my assumption is it's because of the baud rate? Would you happen to have any experience with this router?

    • @mattbrwn  5 months ago

      They might have UART disabled after the bootloader on that model. Hop into our Discord and post some screenshots + terminal output for some more detailed help.

  • @atrocitus777  7 months ago

    With those four pins exposed like that, could you still have gotten the root shell without soldering the extra wires and just used that USB cable and the power supply?

  • @worroSfOretsevraH  6 months ago +1

    Hey Matt.
    Have you ever done any console hacking?
    For example, the good old PS3 metldr2 would be a nice challenge. A very, very hard one, though.
    Hackers unfortunately turned away from the PS3 a long time ago, so someone skilled is needed to nail it down for good...

    • @mattbrwn  6 months ago +1

      No, I haven't, and unfortunately I gave away my PS3 a few years ago.

  • @pablopoo  7 months ago

    If you have access to a gen2 UniFi switch, please do a video on that device. UniFi removed the switch console port, so any information on how to access the console will be useful (firmware recovery).

  • @KennethLongcrier  3 months ago

    I was surprised that you didn't feed 12V (V++) back through your JTAG connector...

  • @StevenHokins  7 months ago +1

    Very cool

  • @Falney  6 months ago

    You should get yourself an assortment of barrel jack sizes and put connectors on them for your PSU.

  • @NolanWhitaker-ih1fb  6 months ago

    Matt, is there a hardware version for this router?

  • @vergil9397  7 months ago

    I really want to see how you would find some bug on an IoT device from the beginning (dump firmware, reverse, ...). Love your content.

    • @mattbrwn  7 months ago +1

      I think that full arc should be possible on this device.

    • @vergil9397  7 months ago

      @mattbrwn That's awesome, man.

  • @antonyjose2231  7 months ago

    Hey Matt, what WM are you using for your OS? Looks really clean and easy on the resources. Love the videos ❤

    • @mattbrwn  7 months ago +2

      Using i3wm with i3-gaps.

  • @IceburgSlim8481  5 months ago +1

    Bro, do you sell those devices or accept any from users? Because I have a box of old devices I could send you to tinker with.

    • @mattbrwn  5 months ago +1

      I'm working on a solution where people can send me stuff. Stay tuned.

  • @miguelreed2499  6 months ago

    There's an app, and you can also enable auto updates on Netgear devices now.

  • @Smetwork  7 months ago

    One question: why not make life easier and have a couple of barrel plugs with pre-soldered wires and just hook them up with clips instead of soldering onto the connector?

    • @mattbrwn  7 months ago

      Sure. But I'm working with what I have. It doesn't have to be perfect. We are engineers, not scientists 🙂

    • @bertblankenstein3738  6 months ago

      I would have just tried a 12V adapter at a lower amp rating. If it didn't work, you could also cut the barrel plug (with some cord) off the adapter with too low a current rating. The soldering, while perfectly doable, seems like a lot more work. That said, I'm lacking in gaining root shell access on devices I'm playing with, hence my presence here.

  • @uzairshaikh7955  6 months ago

    Just 400 likes? This deserves 400k. Come on, netizens, come on, YT algo, give him what he deserves. BTW, have a subscribe.

  • @dabunnisher29  7 months ago

    Hello Matt. Really like your channel. Could you suggest resources and hardware for a noob like me? I have a lot of experience with Raspberry Pis and basic electronics, but would like to learn hardware hacking as well. Thank you in advance.

    • @mattbrwn  7 months ago

      Do you have a specific thing that you want to learn? Hardware hacking is a wide category that includes a bunch of stuff. But generally, I always have fun grabbing a device from e-waste or a thrift store and learning as much as I can about that target device.

    • @dabunnisher29  7 months ago

      @mattbrwn Thank you very much for taking the time to respond to my questions. I'm looking for the basics: essential hardware needed (UART readers, etc.), essential software to interact with the target item, and essential reference material to be able to learn how to interact with the target item. Also, simple projects that a noob would be able to work on. I have Raspberry Pis and Raspberry Pi Picos (with Picoprobe). Would I be able to use those to interact with the items?

    • @dabunnisher29  6 months ago

      @mattbrwn Wow... Thanks for your non-help with resources.

  • @argentinomacrifuevidaltamb3772  7 months ago +1

    Excellent work.

  • @flamehead7665  3 months ago

    I've got the same router with DD-WRT on it but don't use it because I'm not sure exactly how to set it up and use all the fun cybersecurity options. I flashed it in hopes of using my phone as a modem and using the router as a router via USB, but I can't find any good tutorials on it.

  • @feff6754  7 months ago

    Great content!

  • @drewlarson65  7 months ago +1

    Tin the wires first, and keep your poor tip clean...
    Also, apply solder to the work, not the iron.
    AND FLUX.

  • @thomasvnl  7 months ago

    OpenVPN => the router acts as the server; the client key/cert are for devices to connect to it.

    • @mattbrwn  7 months ago

      Yeah, that makes sense now that I think about it. Wouldn't have the server key sitting there otherwise...

  • @cjshim8744  6 months ago

    Bitdefender is antivirus software; did not expect to see it in there.

  • @beninaskaria  1 month ago

    Oh my god, you don't have a spare barrel jack lying around? Even if you had to chop it off a spare wall wart, it would have been better than having to solder leads to the circuit board.

  • @kwindapp  7 months ago

    Hi, can you hack some weather/wind station's serial? 😀 The Tempest Weatherflow.

  • @D95SI420  6 months ago +1

    If it can run an aftermarket firmware like DD-WRT or Tomato, all these types of routers are easy to hack.

  • @stan464  7 months ago

    10:00 Shorten those ends before they short to the board somewhere.

  • @debanjansaha2256  7 months ago

    Great video, bro... very useful and informative video... Bro, please improve your videos' voice quality.

  • @crouchermike  6 months ago

    Smart TV?

  • @deeurb916  4 months ago

    Hey Matt, where would I get a hold of you? I have a Wi-Fi Pineapple I want to donate to you. I don't know, what could you do with that? 👍 Thank you for all your expertise.

  • @weblord64  4 months ago

    If all you wanted to get is the Wi-Fi password, why not connect with WPS and see the password? It would be more interesting if we needed to get the admin login of the router config page.

  • @kwindapp  7 months ago

    Any anemometer would be 🙏👍👍

  • @johanbtheman  7 months ago +1

    Cool. Nice man cave as well

  • @jpphoton  14 days ago +1

    you a bad mf and important - stay you

  • @nate4379  6 months ago +1

    Try netstat with -p (helps to see the process tied to the port). Not uncommon for developers to use non-standard ports.
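The three netstat tips in this thread (-n to skip reverse-DNS lookups, ss -nlp as the modern replacement, -p to see the owning process) put together as an added example, written for this page and not taken from the video or from any commenter. It is POSIX sh plus awk, which is what a BusyBox target actually offers. The sample netstat output, the port numbers and the program names are constructed for the example; EXPECTED_PORTS is an assumption for illustration, not a Netgear-specific fact; and ss is left out on purpose because BusyBox builds often lack it and its column layout differs from netstat's.

```shell
#!/bin/sh
# Added example (not from the video or the comments): list what is listening on a
# BusyBox/Linux target from the UART shell without the reverse-DNS stalls that a
# bare `netstat` causes, then pick out ports that are not on a short list of
# services one expects on a home router. `netstat -nlp` is real net-tools/BusyBox
# syntax; everything in SAMPLE_NETSTAT below is constructed, not captured.

# Constructed sample of `netstat -nlp` output (not from the Nighthawk).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/uhttpd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      987/telnetd
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      2001/debugd
tcp6       0      0 :::443                  :::*                    LISTEN      1234/uhttpd
udp        0      0 0.0.0.0:69              0.0.0.0:*                           543/tftpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -'

# Ports a stock home router is assumed to listen on; anything else gets flagged.
# This list is an assumption for the example, not a vendor fact.
EXPECTED_PORTS="22 23 53 67 69 80 443"

# Run this on the target. -n skips the name lookups that stall the console when
# the box has no working resolver; -p adds PID/program (root needed to see all).
# Falls back to plain -nl on a BusyBox netstat built without -p support.
list_listeners() {
    netstat -nlp 2>/dev/null || netstat -nl
}

# Reduce netstat -nlp output to "proto port program" lines, one per listener.
# Handles IPv4 (a.b.c.d:port), IPv6 (:::port) and the "-" netstat prints when it
# cannot read the owning process.
parse_netstat() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, addr, ":")        # last colon-separated field is the port
            prog = $NF                       # "PID/name", or "-" when unknown
            if (prog == "-") prog = "?"
            sub("^[0-9]+/", "", prog)        # drop the PID, keep the program name
            print $1, addr[n], prog
        }' | sort -u
}

# Keep only listeners whose port is not in EXPECTED_PORTS.
flag_unexpected() {
    while read -r proto port prog; do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;
            *) printf '%s %s %s\n' "$proto" "$port" "$prog" ;;
        esac
    done
}

# Helpers that return results from the constructed sample so they can be checked.
count_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | parse_netstat | wc -l | tr -d ' '
}

unexpected_from_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | parse_netstat | flag_unexpected
}

# Stand-alone run against the sample. On the real target, pipe
# `list_listeners | parse_netstat | flag_unexpected` instead.
unexpected_from_sample
```

On the sample this prints only `tcp 5555 debugd`, the one listener not on the expected list; the UDP 53 line survives parsing with `?` as its program, which is what you see when netstat runs without enough privilege to read /proc for that socket.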

  • @jiinueleo2211  6 months ago +2

    Any other 12V adapter would have worked fine; no need for it to be exactly 2.5 A. The first 12 minutes of the video were a waste.

    • @ripplerxeon  5 months ago +1

      And when you don't have it, then? Bro is watching a free video and complaining.

  • @pl46u3  6 months ago

    Vol on 69%

  • @Gritaremos  6 months ago

    Who's Jeannine? Couldn't help myself and paused the video in the section that was blurred, lol.

  • @pb_y43  7 months ago +1

    Second

  • @gigglesseven  6 months ago

    vgtr bell
    vegertable

  • @frosty1433  6 months ago

    Hack a Roku

  • @Plowing  7 months ago +1

    first

  • @sma2981  6 months ago

    That router is a beast. You can use Merlin firmware.

  • @daze8410  6 months ago

    I was able to do this, and you do not need 'nvram show', just run 'routerinfo'.

    • @daze8410  6 months ago

      Nvm, it just shows defaults.