Hacking an AT&T 4G Router For Fun and User Freedom
HTML-код
- Опубликовано: 7 май 2024
- AT&T doesn't want their customers to modify their own devices. In this video, I show how hardware hackers can take back control of their devices through the process of firmware extraction and firmware analysis. Specifically, we take a look at the CDS-9010 LTE router and extract the superadmin credentials via the UART U-Boot interface.
AT&T Forum Questions:
- forums.att.com/conversations/...
- forums.att.com/conversations/...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #righttorepair #jailbreak - Наука
Bro's face is like Jim Carrey
LOL I get this all the time.
@mattbrwn It's weird how that happens sometimes.
There's a dude working as a parole officer (for youth) for Oregon who looks just like Ryan Reynolds. I'm pretty sure he's in a official blue book somewhere.
"Cable modem" guy! 😄
@@mattbrwnyou're about to get something else in a second brb
Best! What a great video. Well done
didn't expect to find a wizard today.
i think that was one of the better explanations and demos i have seen. smart dude for sure.
They arrive precisely when they mean to.
How is this wizardry? All of this is fully documented ad-nauseum in the OpenWRT wiki...
Nice fully agree there! Looks like Bowtie Ape "w/ a plant on it's head", does too * `~{[:rC[})-B
@@supermaster2012Because he understands and explains . Like most others DO NOT … To give the POWER back to the PEOPLE. Who cares it’s on wiki. Wtf, wiki didn’t make a RUclips explaining this awesomeness. People try and crush a mofo via cpu… true haters
Please don't stop, and keep doing it, it's so interesting to watch it.
That's what she said..
I am a high school Cybersecurity teacher. This content is pure gold. Amazing work. 🎉 This was a pleasure to watch.
i think its amazing whatever school you work at provides classes like that, i wouldve loved that back in the day
Seriously, what school you working at? That's pretty awesome if you ask me.
they teach cybersecurity in high schools now?? that's incredible!
@@wileysneak PLTW... Project Lead the Way. The curriculum is really cool. Kids love it.
@@meekmtck5917 Southern California schools, but many schools have this as a newish subject.
The SoC and modem in this router are common and supported by OpenWRT, it would be cool to see port for this device as part of more open firmware in the future!
yeah, those things using custom linux with init instead of systemd are slow as hell to boot
I'm pretty sure it's actually running a (very modified) OpenWRT anyway. some of the data in the "strings" output against the extracted config match up with those found in openwrt configurations (eg: NintendoCapable=0)
@@__Ben Yes it most likely does, but the differences between years outdated proprietary version that OEMs use and official is extremely large.
@@__Ben That interface looks a hell of a lot like a barely customized DD-WRT install.
AT&T shameless gpl viol;ator by not releasing the source code of the kernel used
This is the first video that I see of yours, and let me say I loved it. You explain really well and seem so passionate that it is contagious. Great work!
+1 this
hell yeah. +1
+1, clear explanations, fun to watch.
That's one splendid hack, and a pretty easy one at that. Since it's Linux based, AT&T is obliged to publish the parts of the software that are GPL licensed, like Cisco/Linksys famously was with their WRT54GL back in the 2000s. Device configuration, user data etc. can be protected and fortunately they did a lousy job at that, when you're in, you're in. Also, I saw a Raspberry Pi reference in the UART output, it makes things interesting as to how the system was built or developed.
You're truly exercising your right to own things here - you'd make Louis Rossmann proud!
Raspi I believe is the code name for the custom firmware AT&T has on these.
One neat thing about these is the wireless settings in the web ui for SSID are not restricted meaning you can put anything. I put a lenny face in and it took it and broadcasts it with no issue. You cant just put in spaces though as it will default to ATT_AP24 for 2.4 GHz and ATT_AP5AC for 5Ghz. at least thats what it does on mine.
The webui is very VERY similar to the Readynet routers I have as they allow like 5 SSID's per radio to be active. and the overall look and feel resembles a DD-WRT UI
ky5 tr00n
@LouisRossman
@@waltergonzalezpaz5995 that's @rossmannrepairgroup but I doubt tagging in a comment does anything.
“raspi” is not “raspberry pi” but rather “ralink spi”
ATT pulling a good ol sony, locking a device down after the fact only incentivizing breaking it open completely.
excellent work!
I believe the "phone" ports on that device are for an ATA gateway, which would provide POTS lines from the cellular interface.
very interesting. I've never messed with anything with POTS before. makes me think of the phone phreaking scene back in the day
they can be very useful if you ever wanna do some retro hacking, it lets you simulate a phone line so you can dial from modem to modem without ever touching the "real" network
I believe this is correct, the phone ports on this particular unit are for POTS line out (aka. landline phone hookup via cellular). Although I'm pretty sure I've seen these cellular modems that ALSO support POTS line in for DSL connection. Either way, for all the cellular modems like this I've seen I can't recall ever seeing someone actually use this feature, lol.
I've been hacking on a similar AT&T cell hotspot type device, and can confirm the POTS lines are to hook up a phone and make phone calls in and out from the cell radio. The ZTE M279 based devices used by AT&T also had an open web config interface.
ATA? You just gave me a Telix flashback.
Most of the routers/modems that I have dissembled would have a password hashed and not stored in plaintext, so eventually I have to modify the bin file locally on laptop and then write it back to device with custom password hash.
This is a great video for people who wants to get started.
You can copy that hash and run password list program and check if there is one before that
Nevermind what it uses to encode the password, set the normal user password to the one you would like to use in the root account and then copy the user password to the root password, you can get a spi writer and modify the file.
PROM incoming?
My guy - your videos are off the chain. You've got a talented way of explaining and walking through these activities. Keep it up!
As someone with a computer engineering background, this video is up my wheelhouse. I loved your explanations and contexts you gave. I knew at the end that you were going to check if SSH was enabled.
Dude, I've been in the Software Industry for 20+ years and I am stumped why you only have 18.3K subscribers 🤔
Really liked this video, reminds me of the stuff I use to do for fun, I had to subscribe to your channel to help you growth - Great Job 😀
Because people be dumb
It's probably because the video is far too quiet and can't be heard without absolutely cranking your setup and having notifications blast your windows out of your house.
Yea....no. Your sound settings are probably jacked up, likely on some surround setting which would manifest in the way you described it. But there is nothing wrong with the audio of his video. Just sayin.@AngelaTheSephira
@@rupertwellington3744 According to Audacity, his audio is at -12 dBFS, which is not the proper leveling. It should be about -6 (the safe option) -4 (RUclips itself's recommendation), or preferably, -0 and allow RUclips to level it on it's own.
@@rupertwellington3744 I replied, but RUclips ate it.
According to Audacity, his leveling is at -12. This is not the normal RUclips leveling, so it's way too quiet. RUclips itself levels anything above -4 to -4. This is where it should be, but alas, it isn't. And my setup is on All Channel Stereo. On Direct-to-Speaker, it's even worse.
I wasn't aware of this but this process made a surprising amount of sense. You're very good at explaining what your are doing. Thanks for opening up a rabbit hole. Looking forward for more.
Loved the troubleshooting to identify the UART pins. Super well explained!!
You did a really good job doing this live. I appreciated how authentic it was and that I was able to learn through your process. Well done + thank you.
Hey Matt, great work! I love that you explain it in detail, even though you already explained in other videos. Its nice for people who are getting into this "hobby". Great videos, keep it up.
The POTS port is for VOIP lines. Great video.
This was awesome to watch, I just subscribed. I've been slowly getting into Kali, hacking into my personal devices, etc. This showed me I can do so much more!
Great video. Always looking for more channels like this. Youve earned a sub!
I’m starting starting classes for cybersecurity and this video feels like discovering the secrets the Jedi don’t want me to know. Great video, thank you!
As someone who’s never done this but is super interested in tech, I loved this. First video I’ve seen from you. Loved how you take the time to explain your logic and the “why” behind your decisions. I sub’d and look forward to the next!
I've recently started to look into hardware debugging and found your channel. love your content. keep making it. i'm learning a lot
In Paraguay they do the same. Those ISP guys don't want savvy people to me with those devices. But we want to do more than browsing the web with those devices. Thanks a lot for this amazing job.🎉
This was super interesting to watch. Also, it's always nice to obtain root access of owned devices. Don't want companies to sell restricted access crap.
This channel under rated!
Please keep doing more content!
Bro, im loving all the new content!
This is awesome. I’m an iOS engineer. Going to start learning some server side programming at work next week, but this hardware hacking is magic to me and very cool and entertaining. Keep it up!
This is awesome! You demystified lots of things for me in this video, including finding rx and tx for a device with a multi meter. Kudos, and keep up the good work! Subbed.
Just found your channel and subbed. I'm just starting my journey into hardware hacking. Your explanation of this device has supercharged my journey!!! Truly hope you keep hacking this devices LTE side & openwrt routing 🙏
Edited for spelling: dang autocorrect 😅
First time seeing your channel. Really enjoyed it! Now I might have to look for stuff like this. lol great job!
Definitely keep producing this kind of content! I enjoyed your video enough to watch the whole thing all the way through!
Excellent Sir!!! Very well explained with no stupid outro's and intro's. Clear explanation at a great pace. Actually one of the first video's in a long time that I have watched end to end.
Yes, please keep doing content like this. Seeing your thoughts process is helpful, like where the likely vulnerabilities are. I've desoldeded SPI flashes to pull the filesystem when I had uboot shell, iirc. Would have been good to have this video back then.
Nice stuff, good explanation. A suggestion for the next more hardcore step in fw hacking - get a device with a locked bootloader and extract the creds by sniffing the SPI traffic from the flash chip on boot with a logic analyzer. Would be watching this 100%
Better yet just pull the SPI chip and read it out with an Arduino! No logic analyzer needed.
@@pcguy619 Oh dude, the arduino adapter isn't that good man, i mean you can try but if you need something new i'd recommend an spi programmer.
That was amazing and very informative. I loved every minute of it, Your breakdowns of your thinking process during each step was fantastic and made a very complex thing seem approachable. Keep the videos coming, I would love to see what you hack in to next!
Fantastic. You made quick work of that, far faster than I expected.
That's so funny. I just did this exact same thing to my unit that I have a week ago. And it took me hours to figure it out. Now watching your video, it could have been done in. minutes However my password was different
very interesting. If you join our discord server I'd be super curious what other values in that CONFIG are different and what are the same.
Right! I commented above wondering if there was some relationship between the device serial number and the superadmin password… a little ASCII's decimal to binary, a few shifting of bits left or right, and ending with a binary to decimal's ASCII characters.
Dude you are my new favorite channel. I’m such a nerd but this is gripping content. Please keep it coming
Great video! First time, immediate sub. I'm a cybersecurity student, but I always wondered how hardware hacking worked. This video is a window into this area, and I will be following to learn more. Thank you.
BTW, some people have said you look like Jim Carrey, but I'm getting Matt Damon vibes.
Some AT&T manager will click dislike on this video 😂😂😂
Waiting for You to start interacting with the LTE modem.
working on it :D
@@mattbrwnDefinitely upload a vid when you do! You seem like a great presenter!
First time watcher: subscribed. Love it! Thank you.
Outstanding breakdown of the process. I felt the excitement when you were able to login! Brilliant stuff!
Wait, did that really go that smoothly? You guessed the UART settings and pinouts the first time? The password was in clear?
The dislikes are from AT&T XDD
I'm just getting into hardware hacking and these videos are like gold to me! Thank you! Keep em coming!
Super interesting and your demo was so well constructed. Subscribed!
"raspi" ..... 🤔🤔🤔
yeah I saw that too. no clue if they reused any code...
@@mattbrwnMost likely means Ralink SPI, rather the raspberry pi.
A tip for everyone here: anything with an IP address which joins a network likely runs Linux and can be attacked through JTAG. JTAG is supposed to be disabled on production units but it's cheaper to manufacture and leave it open/connected. Some manufacturers can send a software update to blow an e-fuse which would disable it😋
Or uart which often is also left open
Very good nice, nice that you explained various things in more detail as you went through rather than just assuming everyone knows it already :D
hey, thanks so much for this video. I'm keeping old routers and tv box in the hope of being able to use them for a new purpose and this tutorial is a wonderful first step towards that goal. keep it up man!
My dude really needed to break out the python to math out the simplest hex conversion ever
You’re an amazing teacher! I learned so much so please keep it up! I just subscribed!
Very solid tutorial. I’m familiar with this stuff, but not confidently so. You do an excellent job demonstrating all the little things that are hard to know without being shown. I learned a lot. Thanks so much for sharing.
Dude this is a really good video. Like seriously you should be proud of this. Keep up the good work bro. Fantastic
Very relevant, consistently on topic and free from undue disturbances or annoting omissions. Also interesting.
This is cool content. I love these short and high level overviews. This is basically how I imagined in my mind dumping flash to a file for hacking would be. I subbed.
Congrats on the vid blowing up, glad I found your channel
To be honest, as someone who knew already where this is gonna go it was interessting to watch and listen. Thanks for the entertainment 👋
That was fun to watch. The process in general. Very interesting to see. Thanks!
I enjoyed watching this. The whole process step by step was really interesting. I was tracking with your thought process. This was awesome from hardware hacking to software hacking, and all the tools that you used.
This was really cool to watch, please keep making videos like this!
Excelent video! Good delivery, good detail. I could see and follow everything you were doing.Thank you. :)
Hey Matt. Thanks for the video. You are far more capable than I am. I'm learning. Seeing your process is inspiring and I'm so appreciative. Please keep making more like this.
Love this kinda stuff! Subscribed! 👍🏻
Really good, clear explanation of your thought process. You have natural talent. Keep the videos coming!
Great video! Clear, concise, and thorough 🤘
great video! Very interesting how that can be done as "easily" as you did it. Very appreciative of folks like you out there doing this kind of thing to return power to the users.
This is fantastic. Subscribed about 1/3 through this video. New fan 🙌🙌
Me too!
I learned more in 30 minutes than I've learned in college this semester. Thank you! +Subscribed
I don’t know anything about the hardware hacking and easy to say this is a bit over my head. But you did a great job of explaining things without getting into the weeds. Great presentation!
Hey it was very impressive to see your process of discovery and execution. I love to tinker with old junk as well but i definitely don't have the same level of skills as you do. Thanks for bringing us along. Looking forward to future content for sure!
I have to say, its been a while since a watched a new channel, and a long video like this one ? longgg time.... I really enjoyed it man
Great content! Really enjoying catching up on it all, keep up the great work
This is amazing Matt, well explained, thank you!
Thanks, Matt! Amazing work as always!
I smiled through your whole video and similarly laughed when you tried to log into the web interface the first time.
So relatable
Writing your own parser in python for the hex dump was a nice touch. Keep it up man, you have my sub.
I enjoyed watching. Keep it up Matt. Fun stuff! :)
Awesome video. Your process was great to watch.
Sick. I know the very basic stuff like flashing custom firmwares but this was awesome. Subscribed
I love how you explain everything in detail... Thank you
Loved the hyper-tutorialesque approach of the video! Made me feel at home, even though I already know part of what you teach!
thanks for making these. i used to tinker with some old cable modems with my busPirate v3 over UART etc. nothing crazy, but recently ive been getting back into hardware hacking (just got the buspirate5) and yeh, these old modems are a perfect entry point to mess around. glad to see someone really digging in step by step
I started programming with game development and its still my main interest, but damn every time I watch something like this it seems so fun and you always explain everything really well.
Awesome trip down memory lane Matt … more content like this PLEASE!
Thanks Matt for always sharing and explaining thoroughly!
Excelent video, simple (you made it look simple) and well explained. Cheers
This was awesome to watch! Thanks for showing! I wanna see more like that.
Wow very smoothly you got that much data .
I'm a freshman student of cyber security domain and I'm also interested in electronic gadgets so i hope one day I'll become like you ...
Epic bro. Was nice they put that pre-included the serial port for you lol.
What an incredibly cool video. It blows me away that such a huge oversight was found.
Great video. I really liked this. Good work!
(after watching the whole thing): This was very fun to watch and amazing.
Coming from a code novice. :)
I didn't understand a single thing you did, but I watched every second. I wish I could go back and learn stuff like this.
Cool intro into using the UART interface! I didn't know you could actually access the device like that through it.
This was one of the most informative videos I’ve ever watched. Is the serial port basically the JTAG on the device?
I really enjoyed this, Matt.
I love watching stuff like this. It gets me in the mood to work on my projects as well.
I wonder why AT&T did not want people accessing something they now owned?
It's kind of strange. If there is anything in there that might give you a hint, please make an updated video.
It will be interesting to know if AT&T is trying to hide something.
It honestly makes me think they are spying on your internet usage while your devices are logged into the system.
You might want to check for outbound traffic going to an IP address that you know you have not accessed.
You never know. You might uncover something here.
Good luck, and yeah, continue doing stuff like this. Very cool, and Subbed as well.
Because it's a branded / managed service. If you want your own device to manage, don't buy their branded device. (of course, they generally don't allow that anymore... lost revenue, and higher support costs.)
@@jfbeam So you're telling people to do something you know might not even be an option offered to them?
@@jannikheidemann3805 Do it if you can/want to. If the provider doesnt allow it, try to find a different provider if thats important to you. If you cant, that sucks. The root issue here is companies like AT&T wanting to milk consumers for every last dollar. They want us to own nothing and be happy.
I would love to see more content like this! Great video and content presentation.
Awesome info! Yes-do more. I subscribed after watching this video! Thanks and keep em coming!
Love watching your videos. Keep making content for us!