Extracting and Modifying Firmware with JTAG
HTML-код
- Опубликовано: 25 окт 2022
- In this video, we discuss how to extract firmware from a RP2040 microcontroller on the Defcon 30 badge using JTAG. A JLink debugger is used. We also push a modified version of the firmware back to the device.
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#iot #jtag #defon #raspberrypi #iotsecurity Наука
Oh my god, just found this channel and it's an absolute goldmine :-) thanks for all the awesome content!
Great video! Minor vim note: at @17:30, you can use capital R to enter Replace mode. That way you won't have to count anything. Just make sure you only modify ASCII characters.
Your channel is incredible!
Awesome video!! Could you do something with STM chips that are locked sometime soon? My vaguest of vague understanding is that you can sometimes do something with pulling boot select pins low to get it into a debug mode regardless of other configurations, but I don't have the first clue how to actually do that irl. Keep up the great videos m8!
I recently came across your channel and I love your videos. If you ever have a project where you gain practical functionality of a device by hacking it, that would make a great video. Like the security camera sending the stream to a self hosted storage server or other ideas you may have.
Great work 👌👏
Hi Matt, very Informative video. Is there any way to convert the binary dump to source code or to understand it better ?
Very nice
And that was preety amazing
Where is a repository link to PCB files of that badge? Looks like a nice little capacitive keyboard.
I just got a bus pirate 3.6a and, I'm wanting to connect to a device using JTAG. The available pins on it are:
TDO,TDI,TMS,TCK,GND,RESET
Do I just connect it the same named pin, as from the bus pirate to the device? (Like TDO - TDO, TDI - TDI...etc etc for all of them). Years ago, I used uart but, I'm not seeing those connections on the board I'm trying to mess around with. I just can't seem to find a guide / tutorial that explains how to set it up for newbs.
Where I could buy the student version of the j link
Trying to learn all of this and very overwhelmed. Are you able to access the jtag state machine this way? And command the actual registers? I’m reading how to do that, but nobody ever explains how they gain access to do that… and what they are typing the commands on/through…. Sorry if this is a stupid question
Does the J-link support Atmega32u4 ?
Very informative, great info! Thank you for making this. BTW your audio is really low.
Thanks! Trying to find the sweet spot with the audio
I am all for IOT companies not disabling JTAG. Just keep them away from evil maids, and you're all good.
So cool! What are you going to push to it next, if anything?
might require some big time reverse engineering :D I wonder if they released the source code to the badge......
@@mattbrwn another question: can it run doom (just thought of this)
@@mattbrwn have you thrown it into Ghidra yet? Assuming it’s an ELF, Is the binary stripped?
Do u have epon firmware for Zte
Dear sir I have a problem that the mcu has tooll0 pin reset pin vcc and ground .
How I can extract firmware from the mcu
Can you do the Huawei H112-372? how to get UART and JTAG.
How did you know to use the SI form of Mbit and not the binary form of Mbit?
Honestly I guessed 😅
What is the debugger model you are using?
xgecu tl866ii plus
Also have the newer xgecu t48
what microscope do you use for videos?
AmScope
amazing man, thank you for the cool stuff , hacked by nmat😊
Man I keep seeing JTAG written on different boards
I'm still a rookie, got a long waaay to go
You could have added the part where you locate the h/w key to crack it 😛
Why not just hook up to the SPI NOR flash and dump that way? flashrom, ftw.
This video was specially to demo JTAG
Yes the volume is very low on your end,
Are you in Hawaii Oahu? I thought i saw you at Waimalu Hi Starbucks?!
Lol nope. Opposite side of country
I dislike that connector style so much. The cable is expensive and the pins will bend easily.
16 megabits is 2 megabytes, which is 0x200000... Converting 20000000 decimal to hex is not 2 megabytes.
Your video is flipped.
lol good catch. I thought I fixed that... I'm kinda new to OBS
Now to find an old xbox 🤣
The last command is not supported by jlink commander v7.88j, start here^[nmatt@ripper badge]$, ..savebin is only working , I am trying to extract stm32f103r8,,