Hacking The Mojo C-75 - Chip-Off Firmware Extraction

I started with the AT&T router hacking video and now I'm hooked, ill deffo be coming back more, great videos man!

as a ex-employee of Mojo (and Airtight as it was previously known) this is super interesting to see how you're taking a shot at some of our older stuff; blast from the past for me! Keep it up.

Update: losetup method can not be used for JFFS2 because JFFS2 is based on MTD device, Matt has uploaded a video which demonstrates that this method doesn't work and he found mtdram and mtdblock which is the right solution to this use case. Loop device is a kind of block device and most filesystems are based on block device so it's still a generic method to mount filesystem in file.
Original post:
A great video. By the way, the file system can be mounted directly in Linux with loop device:
mount -o loop,ro -t jffs2
Or It can be done in two steps with losetup and mount. You can check supported file system types by /proc/filesystem. Most penetration testing distros contains squashfs and jffs2 support.

"you're going to burn your self. It's going to happen"
I once picked up an iron like a pencil.... Then burned my desk when I dropped the iron.

It might be a good idea to use kapton tape to protect the small surface mount components and a barrier if you're ever next to something plastic.
Also, it's good to know that if you're making/improvising your own desoldering braid in the future, you don't need a lot of it. I found that out the hard way when I fused a bunch of copper wire to a PCB while trying to desolder something.

I love your channel! By chance I saw the video of the AT&T router and I was fascinated. I find your work incredible and thank you for sharing it.

I'm one of the new subs and have watched quite a lot of your back catalog. This looks like an interesting one to dig deeper into. Great Content Matt 👍😃

Another amazing video Matt, Keep up the excellent content and thank you for sharing your knowledge

Raw footage is always fun. Keep it up Matt. Your videos help me to see more device models than I tinker with. Aside from that your techniques and phrases are great fun for me to watch and learn :D You can work on some IP camera hacking btw.

This is amazing, your explanation of every step of the process connects everything very clearly

I don’t look forward to the next part of anyone else’s videos as much as yours. I’ve tried doing some of this stuff in the past and usually gotten stumped, but watching your videos made me realize I just need to do it more because experience is the only way to get better at it.

Great video, love how you take it up a notch on the difficulty level!

Try running strings on the firmware.bin file and use the output as wordlist, worked for me, on a chinese IP camera.
Great videos btw. greetings from Austria!

Man I Love your work, I was just watching the series about arlo q camera, I really would love you to continue the series

I have learned so much watching your videos. I am a cybersecurity consultant and I love that there is always something new to learn!

Just discovered your channel while doing nothing at work. As someone has has made content(on other channels) the way you present everything in real time is amazing. You are a fantastic teacher

I am learning like never before ! keep them coming!

Great video. Excited to see what you share in the next.

Fantastic video, thank you for creating it, really good walk through

Another Awesome upload! Thanks Matt!

A trick for keeping the chips from getting mixed up is a small drop of colored nail polish in the corner of one. Then you can notate on your sheet which one it is.

At around 6:30 it used `more` command to display out the help page. You can just do ESC + !/bin/sh to get a shell... While inside the --more-- prompt.

Man i love your videos, ive learned so much. Excited to see the conclusion of this one, writing your own hash to the root account or just deleting the hash maybe?

glad i came across your channel!

Cool stuff bro. More, more, more!

And now we wait for a madlad to crack the hash.

@8:28, I think that you may have a problem with the lens that's connected with the camera port. You can change it to improve the field of view. I have a similar microscope and the view fills the whole screen with no black on the sides.
@10:30 I think that you maybe don't need to use flux when de-soldering components. I usually use the flux when soldering the components only. This will save you a lot.

Is not like I want to hack things, but after watching your videos I want to learn how to. Love your content.

It actually is T48 in the photo. It only has 40-pin ZIF socket (unlike 48-pin for T56) and no power switch or external power jack near the USB socket. Otherwise they look pretty similar.

hey, i also got into hardware hacking because of your videos, its really fun so thanks for that

Hey. Great info videos. I would be very interested in seeing one on a finestra helium miner.

Have you tried foam pads instead of cotton for cleaning flux? They are a bit more expensive but work a lot better. Found your channel a few days ago and enjoying it. The algorithm must like you. I have only recently gotten down to doing SMD soldering as part of my services or gotten good enough but working with firmwares and devices like this is very much in my interests. Keep it up you are appreciated.

Amazing video, you should try IoT devices like pcbs of air fryers, washing machines or fridges that connect to wifi.

If you mount (instead of using jefferson) the filesystem, then modify the contents of the /etc/shadow entry for root's from the config's, and re-flash the chip, you change the root's password to be the same as the config user, no? If that doesn't work, you can modify the default shell that "config" uses to be set-uid root... Basically, once you have access to the filesystem, it's game over :-) And btw - very nice videos, Matt! Excellent channel.

If you are looking for rs232 serial on a modern pc, there make pcie rs232 2:34 2:36 cards and also internal usb to serial converters that plug into a normal usb2 header.. saves a bit of external cables

I don't understand 2/3 of what you are on about, but I like the videos anyway.

binwalk uses signatures to hex detect the FS. A signature is a hex value. Those files usually have multiple hex values that binwalk will see as separate files. If you are getting a lot of errors, you may need to manually extract the files. Using dd to cut the excess data using the binwalk to identify the memory location.

@35:29 "Private key in DER format" did you spot that? Looks interesting.

I'm hooked on your channel anyway you can zoom in on the Terminal it would really help following along.

Great channel... I have a suggestion for a device that, if it can be hacked and repurposed, could help a lot of people. It's the Echo Connect, which Amazon just decided we can no longer use, even though we bought them. It hooks up to your VoIP line or land line and connects allows you top answer your phone or make calls from any Amazon Echo device in your home. I'm guessing there is a server component, and such, but it' running a DSP Group DVF9918, which looks like a pretty capable SoC. If there is a way to repurpose this, or even better bring back its utility... as a developer (and I've worked on embedded systems from industrial to automotive, and enterprise level at Fortune 500 companies), I'd definitely consider the challenge if I could gain access to this device.

After 20 years I learned from you about binwalk 😂

Waiting eagerly for that "another video"

Seems like I'd always try a test clip before hassling with all the possibly destructive chip removal. Usually even if the injection of power wakes other stuff (like the SoC) up you can find the reset line and hold them hostage so they can't interfere with interrogation.

Hey man, this great video. Next video please try TP-Link TL-WR940N

Very cool

Hey Matt, did you saw the Software minipro from David Griffith? Looks like that is a native Linux- & Unix Software for the Xgecu T48.

999th like 😂..binge watching all your videos

Are you planning on changing the login shell in /etc/passwd? Also, does the firmware have any signature checking to prevent that or keep the device from booting?

You could chang the group for the config user to make it another root user, or you could duplicate the config password over the root password. Then upload the file.

Can you hack isp locked bridge mode alphion 1143 ont? Thank you

@mattbrwn Great video, easy to understand. I'd be interested to see what you could with a generic 4G usb stick modem. I really want the ability to use one as a basic 4g modem, with AT commands and simple IO connnection, just to send text messages as part of a project.

I got an impinj rfid reader that I have dumped the nand. Maybe we can collab on getting root? I was using binwalk a different way and would love to try these methods as I was mounting the bin at specific cylinders of the dump. Overall this video sparked me to try again with a simpler approach

think you could do something with the ZyXel C3000Z? it's got the same sort of faux shell idea.

Awsome

7:10 ah the source code, aka, the disassembly from the binary, that's source code for reverse engineers !

heyy matt , I have a router with me and i got into the U-boot. But facing some issues with the firmware extraction process.
Can you provide any platform to contact you..

I've backed up the firmware off my stuff myself.

Have an idea for some devices that would be interesting to see if you can get a shell on.

Why not just use a SOIC clip on these type of chips? That's what I did to dump the firmware on my Ubiquity Switch.

I have a Watchguard AP320 at home, and this looks 100% identical (at least from the outside), I wonder if the internals and firmware are the same.

THE only solder flux I have ever used besides the occasional copper pipe acid and the 2% in the solder core is the pine rosin I dug out of a tree 8 years ago. I just don't know how it will do with hot air.

can you make video on how to make custom firmware like openwrt for unsupported/unlisted router? thanks

Can u hack Huawei hg523a as I have same and want to hack it

Yeah!

I wonder if you have an old smartphone ying around, maybe two and you extract the bootloader from the one that is not bricked and see if it revives

what is your linux distrubation and desktop enviroment?

U5 looks a bit misplaced at 8:12 - did you desolder it before or did it come like this from factory?

You can save yourself all the chip cleaning time if you don't use flux when taking the chip off. The flux insulates the legs which is why you have to clean it in the first place. Without flux, your programmer will typically read the chip just fine without any cleaning. Also no need to remove the solder from the chip's legs.

Hey, I recently rooted a similar access point, and after dumping the firmware and reading through the config shell scripts, I noticed a command injection vulnerability in the "radartool" command, which allowed me to simply spawn an sh shell and use su to escalate to root. I'm not sure if that vuln exists here, but the config shells and the software look awfully similar.

Super man to the rescue

I wonder do all the embedded device file systems unencrypted? Have you ever seen a system is decrypted during the boot time with the aes key hosted on a tpm chip? Does anyone see such solution for such attacks?

Hey
Ive been trying to extract a similar kind of router from tp link and when ive tried to extract the firmware using binwalk i got only the lzma files
Could that mean that my extraction wasnt good enough or this thing could be happening?
Thank you

lol, I saw the chip reversed, I guess you were busy doing the video :)

The only bad thing about software just for Windows is that the antivirus software in Windows deletes these kind of utilities and sometimes without telling you. It is Microsoft's silent way of telling you they don't want you to have any fun!

❤

Without the files, I can only surmise a guess. I think you might be running into jffs journaling with the multiple files. Rather then extract the bin file you could use losetup to mount the image as a loopback device. At that point it should be possible to interact with the device with standard tools.

Does the config/config usr/pwd give some clues about how the root password are hashed?

W matt brown

Brown Town!

Immediately I think of Austin Powers getting his mojo back.

I'm streaming potatoe-cam in 1080p HD :) Shows the real content is the words.

Old skool? Damn, he just put me to sleep.

Can you hack so called smart TV's?

amazing content, any chance you can hack into a facebook portal go to see if we can resurrect the hardware for private use now that facebook has discontinued the device ?

Completely unrelated question: where did you get your workbench?

Hey, you forgot the links in the description, it's relatively easy to read it, but still.

can you hack a wifi repeater device

Im surprised someone hasnt already cracked that hash for you. lol

mattt now ps4 can be hacked with fw 11.00. Can launch linux but need a good people like you for make a good 3d powered linux..

Are you interested in investigating firmware of a chinese NES hdmi stick?
Got it for free but I failed to make any changes to the fw as it fails to boot with modified binary (checksum?). It has allwinner a10s, 128mb ram, boots linux 3.4.10 off sd card using script.bin and system.img. Doesn't have any built-in network interfaces and it doesn't have uart. It does have internal USB but supposedly lacks HID drivers as connected keyboard isn't recognized.
Got both files and pictures of the mobo if you want. My goal is to repurpose it, eg. as apcupsd daemon via USB ethernet :)

I haven’t used gloves when dealing with PCBs. Probably should have. Pray I don’t get California.

That's not a serial port... This is a serial port. (pulls out a 25pin)

I don't know if you will read this comment
Can you try hack the huawei 4G Router 3 Pro (Huawei B535-932)
Mine currently using the isp provider firmware and its lock to its sims (I want to use different sim but the isp not giving the code), also the isp provider also lock the bands that I can use the bands I can use is 3,28,41 but if I have the original firmware I have this band 1,3,7,8,20,28,32,38,41

Create new root password, hash it, put in shadow file, write shadow file to chip, log-in.

The powder blue serial cable with the RJ-45 port on one end is known as a "rollover cable." Definitely not ethernet! :)

May I suggest to not cut out any failed attempts and dead ends, the end goal is not nearly as interesting and educational as the journey and detective work that leads to it. For example you mentioned that you tried to guess the password at it didn't work out, that's fine, you can still include that segment, there is a lot to learn from it. You said that it took a long time to figure out the cross compiling issues but didn't include any of that in the video.

You need to follow through on your projects. I just sat through the three videos you did a year ago about the Arlo Q, in the third one you promised another video where you were going to modify the firmware and write it back. Yet, you never posted it. I've seen several other aborted dead-end stuff as well where follow up videos never come. When people watch you, they're investing their time and for that investment they're expecting resolution. I for one am clicking on the option to stop your channel videos being recommended to me as I'm not going to be caught out like that again by you.