3 videos within a week!? Dreams do come true!!
Kudos for including the mistake in the video - we all make them.
So basically he read out the chip then searched on Github by the model#, and found admin:!234, which could have been searched without reading it. lol Oh at 26:52 he said "it was at 15,000" while it's actually 150,000... slipping a bit this time. bahh
I enjoy watching the entire process including mistakes. It feels more like something I could do.
You inspired me to pick up my old router and do cool stuff with it instead of letting it collect dust, Kudos man!
Thanks for these great videos!
I think everyone would be well served by more people doing this kind of analysis to verify which brands of networkable hardware and iot devices do not ship with a backdoor
So for anyone reading that has this device, given a root shell is available via UART, you can copy (and likely write) the flash chip from the shell so you won't need to do chip-off reading.
Most devices will have some sort of network sending program such as nc, tftp, ftp etc. Alternatively a usb port or SD reader you can copy to directly.
Then read from the flash dev files in /dev
If no external storage devices are available, and no obvious network sending commands, there are usually other ways, though if it's a higher security environment (only signed programs are permitted, for example) you can often use something like hexdump /dev/mtd0 and log the output of the UART and recombine it into a bin file.
There's usually a way.
Oh, and depending on what file systems are supported by the kernel (cat /proc/filesystems) you may also be able to mount a network share using NFS or CIFS.
Sometimes there's little choice but to get the soldering iron out, but I prefer to avoid it when possible.
I've gotten a lot of test devices sent to me by a manufacturer for security analysis, and it would be embarrassing to ask for another device if I've killed the board :)
You would, figuratively speaking, be kicking the chair out from underneath you if you tried to rewrite the main squashfs that way. Everything else - yeah... probably would be fine.
@MRooodddvvv Sometimes overwriting while mounted works, sometimes it doesn't. Even in those cases, generally the device has a way to change it during firmware upgrade - so you can look at that method instead if needed (after disabling signing checks and the like)
Or if you have a shell early after kernel start, just mount the SD card, copy the rootfs to it, mount -o bind it, start a new shell (so using busybox on SD card) and in the vast majority of situations you'll be OK. Especially for read only file systems.
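The reply above describes the fallback of running `hexdump` on the MTD device, logging the UART output and recombining it into a binary. Below is an added example of that recombination step; it is not code from the video or from the commenter. It assumes the dump was taken with `hexdump -C` (canonical byte format, which BusyBox hexdump supports), that the terminal log was saved to a file, and that the log may contain shell prompts and the `*` squeeze marker hexdump emits for repeated lines. The sample log embedded in the script is constructed test data, not a capture from any real device.

```python
"""Rebuild a flash image from `hexdump -C` output captured over a UART log."""
import re
import sys

# Constructed sample of a UART capture: the command echo, a shell prompt and
# hexdump -C output including a squeezed ("*") run of identical 0xff lines.
# This is fabricated test data, not a dump from any real device.
SAMPLE_LOG = """\
# hexdump -C /dev/mtd0
00000000  27 05 19 56 aa bb cc dd  00 00 00 01 00 01 02 03  |'..V............|
00000010  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000040  55 aa 01 02 03 04 05 06  07 08 09 0a 0b 0c 0d 0e  |U...............|
00000050  de ad be ef                                       |....|
00000054
# """

# A hexdump -C line: 7- or 8-digit hex offset, optional bytes, optional |ascii| column.
OFFSET_RE = re.compile(r"^([0-9A-Fa-f]{7,8})(?:\s+(.*))?$")


def rebuild_from_hexdump(log_text: str) -> bytes:
    """Parse a terminal log containing `hexdump -C` output into raw bytes."""
    out = bytearray()
    prev_line = b""
    squeeze_pending = False

    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "*":
            # hexdump collapsed one or more lines identical to the previous one.
            squeeze_pending = True
            continue
        m = OFFSET_RE.match(line)
        if not m:
            # Shell prompts, command echo and line noise do not look like dump lines.
            continue
        offset = int(m.group(1), 16)
        hex_part = (m.group(2) or "").split("|", 1)[0]
        tokens = hex_part.split()
        if any(len(t) != 2 for t in tokens):
            # Default hexdump format prints 2-byte words in host byte order;
            # refuse to guess the endianness and ask for -C instead.
            raise ValueError(
                "non-byte tokens at offset 0x%x: default two-byte word format? "
                "re-run with `hexdump -C`" % offset)
        data = bytes.fromhex("".join(tokens))

        if squeeze_pending:
            if len(prev_line) != 16:
                raise ValueError("'*' after a short line at 0x%x" % len(out))
            while len(out) < offset:
                out += prev_line
            squeeze_pending = False

        # The offset column is the integrity check: a dropped or garbled UART
        # line shows up here as a gap or overlap instead of silently shifting
        # every later byte of the image.
        if offset != len(out):
            raise ValueError(
                "offset 0x%x but %d bytes reconstructed so far (lost line?)"
                % (offset, len(out)))
        out += data
        if data:
            prev_line = data
    return bytes(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass the saved terminal log. errors="replace" keeps UART
        # line noise from aborting the read before the parser can skip it.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    image = rebuild_from_hexdump(text)
    with open("mtd0.bin", "wb") as fh:
        fh.write(image)
    print("wrote mtd0.bin: %d bytes" % len(image))
```

Two checks are worth doing before trusting the result. First, run the dump as `hexdump -v -C /dev/mtd0` if the target's hexdump accepts `-v`: with squeezing disabled the `*` marker never appears, so a line lost to UART noise cannot be mistaken for more repetition and the offset check above becomes airtight. Second, compare the reconstructed length with the partition size listed in /proc/mtd (the size column is hex bytes); a mismatch means the capture is incomplete.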
I love such recordings from life with all the pros and cons :D
This little board said "it's just a scratch" as it booted up. 🤣
Can put the Black Knight from Monty Python seal of approval on this device
Hi Matt! Adding a bit of flux to the board when adding that cap back on that was knocked off would help it float into place. If you have the component surrounded in flux, it also makes it less likely to fly away when the air flow is a bit too high.
A week ago I thought "I'll tear that shield off, seems far enough away" and it ripped away a bunch of traces, so I was completely expecting you to brick it when you said "We'll start with the physical pry method"
I usually don't mess stuff up like that I swear 🤣😬
super interesting and educational as always. Thx Matt 😀
You can use "cd -" to change dir from where you came from last.
lol yeah I blanked on that during the vid
10:08 "Perfectionist with shaky hands = worst combo" that's me 😂😂
A lot of those caps are just bypass caps. Not really a problem to lose a few.
Also, it looks like it was like that before you started.
That's what I thought but it was okay if you skip back a bit more. It happened slightly off camera.
Don’t use heat/air on those small passives, a good fine tip iron is a lot safer and won’t send the component flying
lol... I just watched the other video... because of you, I just started learning about UART. So thank you :)
HikVision cams would be interesting, please.
For future content, I'd love to watch you probe a smart TV for control protocols. Ways to change source input, switch on/off etc. Preferably Philips/android.
good point searching for the hash, no point in reinventing the wheel
That component was already misaligned before one stumbled upon it. One would wager people got sloppy at the place of the manufacturer, possibly because it was hidden by shielding.😂😮. Thanks for posting.
1234? That's amazing, I have the same combination on my luggage!
Mr. Perfectionist is a great teacher, thank you
19:33 reading further down the paragraph shows the root password is freely available from TP-Link :) But why do things simply, it says :)
Nice video! I really like your content!
Would it have been possible to just snip the shield in the area of the chip and bend the edges back to expose the chip for de-soldering?
Unrated youtuber!!!!!
4:43 famous last words!
Would love to see you have a look at the fritzbox 5490
Your videos are super . Keep it up
Hehe I wish I was slick and competent like this
You make it look easy
Also jealous of the tools 😆
Can anyone help me here? I bricked my router trying to install OpenWrt on an Archer C50 v6. Now it won't boot properly. But I connected to the UART and I have some output, but it kind of resets right away after 3 seconds and the information is not all clear, lots of garbage in the text. Tested with multiple USB-to-TTL converters. It is a 3.3 V system and I have no way of unbricking that but to reload the firmware on the EEPROM, I think. Anyone have some idea?
Honey matt brown dropped another video
I lmao when that resistor flew away, nonetheless great vid!
Matt, Hi, Where can I buy that kind of tape that protects the parts from heat? Thank you.
Matt, I keep asking if you can do a video on firmware modification? In particular, adding RTSP to a non RTSP ip camera? I think that would be a cool vid!
What kind of snippers are those? I've never seen any with that middle part.
This was absolutely fun!!!
4:23 : pull-up resistor (pin 3) has left the chat.
Love it man, would you send me the required gear or a link to the actual hardware that I need to perform such an operation
I still can't unsquash the file system in the Motorola/Arris modem SB6121. I don't understand how you opened it
So a SOIC8 clip-on adapter did not work in this case? I have had success with shorting the CS pin and letting the CPU core hang and leaving the rest of the pins floating letting me read out the flash chip in-circuit. No need to de-solder the chip then.
Love ifixit tools. What I use for my consoles
I broke a pin off of one of the flash chips when trying to read it. Glad I'm not the only one breaking components... Upside is I learned how to repair the pins with a Dremel and several GPIO wires as a sacrifice lol.
To reduce shaky hand, tap your foot while you work. Strange but works!
Love the video! Thanks!.
🙌🙌
New here. Do you have an initial video on how you performed the setup?
Wow!
"A perfectionist with shaky hands"
I know the feeling :'(
A9 mini cam pls 😢
Did I miss something, or did you just unsolder a cap?? Which you can put back in 2 secs???
Question, the reason you can't dump the FW on the board, is it that if you power the ROM you power the board? Could the MCU have its enable pin "turned off"?
Mostly, and yes, or you could use a pin grounding trick to crash/hang the CPU (if no available reset or enable line) since it can be alive as long as it has stopped trying to talk to the flash chip (most I2C pins go tristate aka disconnected unless selected/active).
The CPU usually does have the reset pin, but with BGA packages it may run somewhere under the chip, jump between the layers of the board, or be not connected at all. And even if it is wired and accessible, you still have to find which one of hundreds of those is reset first )
@Spudz76 you can only *assume* it won't access the chip again once it is glitched like that. While this may be true in some cases, it may as well watchdog reset itself or just retry the access while you're reading the flash. Depends on what is running on the chip and when exactly it was glitched.
Also, finding the correct glitch timing, if any, could take way more time than just desoldering the flash chip and reading it off-circuit.
💖💖💖💖
Pls do the same for Video Switchers.
My OCD is disagreeing with your use of flux. It’s saying that you need to spread it to all the pads, even though you don’t have to do that.
Thanks for the great video. What is your opinion on on-board chip clips to extract the firmware? So you do not need to pull the chip off the board.
IMO always worth a try first, but sometimes applying VCC to the flash chip will wake up other parts of the device through the shared power rail, so you may have to locate something like the reset pin on the CPU to hold it from doing anything, or other method to make it crash and hang (stop sending flash commands at least). But a lot of times the programmer/clip don't supply enough current to wake up other things and then the read will be successful (CPU hangs itself for lack of current). It may not be the most reliable for writing however.
In my opinion those clips are dangerous: if you put it on the chip just a bit misaligned you can send a high voltage to the wrong pin and fry your microcontroller.
Thanks, can you show us the way, if we don't find the pass hash on Google?
brute force, takes years, no luck
You can always just solder wires onto the board and then components individually if you need them.
I tried to fiddle with the dropbear server; yeah, it doesn't work, sadly, for me. AFAIK it's for their Tether app
The text colour is transparent in comments till it's posted for me for some reason, anyone else have this issue?
wait, why you need to desolder it when you can use the SOP8. Thanks
Yeah I always wonder why not even try a test clip first.
Those flash chips often work on the same 3.3v rail as the CPU does, so powering it through the test clip would also power up the CPU and make it boot and mess with the readings.
Have to cut the shared power rail or hold the CPU in reset somehow to prevent that. It's just easier to desolder the flash chip and read it off-circuit.
how to do that on smartphones?
I'm waiting for when you will operate on a MikroTik and give results about how good or bad that device is
You can guess target market based on locale available on the system. I can confirm you can buy dirt cheap merycus devices in Poland.
❤❤❤❤❤😊
By knocking off the cap you probably just made it a little bit less resistant to interference. Which is not good if you plan to depend on that device. Otherwise it's just fine.
Why I cannot watch this on Netflix?
You should use a Dremel tool when removing hardware shields. Buy yourself one for Christmas 🎁. At 5:00 you sound like the kid from A Christmas Story without the f-bomb. 😁 Your workshop is impressive and looks like what everyone should aspire to.
Great video, but... the fact that you rooted a device with an unchanged manufacturer's password that is meant to be only used the 1st time the user logs in does not really say much. It would be nice to show cracking an actual password stored in user flash or EEPROM
You didn't look at /var/passwd
Clearly no files exist in /var if you refer to the scrolled `tree` output (about @16:54). It is mounted from elsewhere like he said, probably tmpfs (ramdisk), and then is populated by a boot script that copies relevant files in "live".
Kapton tape is heat resistant, but it does NOT protect other things from heat, ie it will NOT insulate. There is a big misconception here - the fact that Kapton tape is highly heat resistant does not imply it is an insulator.
But it prevents the components from direct airflow making them more likely to stay in place.
@erikp6614 Anything that stops the hot air flowing over the components clearly insulates those components. Look up the different types of heat transfer 😉
@AlexusMaximusDE I know perfectly well about the different types of heat transfer, thank you. The tape will probably reduce convective heat transfer to some components a bit under the tape. However, you could use just about anything that can withstand the temperature for this.
@feicodeboer yes, but the airflow is still hitting the tape, so the only benefit is added insulation from conduction and interfacial resistance. The tape is so thin that conductive resistance is minuscule, and interfacial resistance isn't going to be much at all
6:00 hahah that made me laugh
I would be interested in deye
Can you crack the unlock code algorithm for the Huawei v5 router? This is the latest Huawei router.
capacitors are optional
has somebody been at the eggnog?
new short content 5:01-5:11
Next time use SMD HEATSHIELD GEL.
Try on ZLT X28 5G CPE
Chinese Router
Nice video Matt, why did you use the universal programmer first? And is the duck good for finding passwords? A hug, and keep doing the reverse engineering.
user nobody is uid 0 !! WTF?
I bet you got that device just because of the type being the same as your initials.
Dell is looking for exploiters currently, opened up everything. We also got more frequency bands to mess with recently
Are there tools that can be used on Windows?
Which you suggest?
28 11
why ppl wearing gloves on youtube? is that some kind of....nah, nvm
maybe you show us all how to properly not hardcode a password on linux systems?
maybe stop fooling people with these clickbaity titles.
you have the mechanical aptitude of a teenager, and you talk like a bro timeshare salesman
because of one knocked capacitor? I'm guessing you are a teenager yourself
@@surewhynot6259 watch his other videos. It's more than a pattern.
Use flux for the soldering iron or heat gun. Your work will be easier