Hacking the Arlo Q Security Camera: Firmware Extraction

  • Published: 23 Jan 2023
  • In this video, we continue hacking on the Arlo Q security camera. Today we extract the firmware from the NAND flash of the device and reattach the chip to leave the camera in working order. We use binwalk to extract file systems from the flash contents read out of the device.
    Louis Rossmann's Arlo video:
    • Arlo cameras take the ...
    Arlo End of Life announcement:
    kb.arlo.com/000063018/Arlo-Le...
    IoT Hackers Hangout Community Discord Invite:
    / discord
    🛠️ Stuff I Use 🛠️
    🪛 Tools:
    XGecu Universal Programmer: amzn.to/4dIhNWy
    Multimeter: amzn.to/4b9cUUG
    Power Supply: amzn.to/3QBNSpb
    Oscilloscope: amzn.to/3UzoAZM
    Logic Analyzer: amzn.to/4a9IfFu
    USB UART Adapter: amzn.to/4dSbmjB
    iFixit Toolkit: amzn.to/44tTjMB
    🫠 Soldering & Hot Air Rework Tools:
    Soldering Station: amzn.to/4dygJEv
    Microsoldering Pencil: amzn.to/4dxPHwY
    Microsoldering Tips: amzn.to/3QyKhrT
    Rework Station: amzn.to/3JOPV5x
    Air Extraction: amzn.to/3QB28yx
    🔬 Microscope Setup:
    Microscope: amzn.to/4abMMao
    Microscope 0.7X Lens: amzn.to/3wrV1S8
    Microscope LED Ring Light: amzn.to/4btqiTm
    Microscope Camera: amzn.to/3QXSXsb
    About Me:
    My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
    - Soli Deo Gloria
    💻 Social:
    twitter: / nmatt0
    linkedin: / mattbrwn
    github: github.com/nmatt0/
    #righttorepair #jailbreak #firmware #iot #hacking
  • Category: Science

Comments • 64

  • @mattbrwn 1 year ago +3

    Anyone have a good rainbow table for unsalted SHA-256 hashes? Alternatively, what's your go-to wordlist?

    • @neon_Nomad 1 year ago +2

      1. There's a website ;p 2. Remember that cybersecurity specialists usually have first dibs at creating a website

    • @weniweedeewiki.6237 1 year ago +1

      @neon_Nomad my head hurts

  • @hammerdownfpv6351 21 days ago +5

    Adding some low melt solder before you use the heat gun helps.

  • @braddofner 1 month ago +5

    This is an awesome video series. I'm loving seeing the guts of this camera.
    As far as your soldering goes, if you ran some leaded solder over the pins of the IC first it would have come off easier. That factory solder is quite high temp and the leaded solder will mix with it and make it melt at a lower temp. Also they make chip extraction solder that almost melts in your hand. That's the best, however it is quite expensive.
    EDIT: spelling
    Another tip: I will heat the board before I wipe off the flux with cotton, and much of it comes off when hot. I try not to use the IPA because it spreads the flux around a lot. But with the amount of flux you used (and you used way too much, however you can NEVER have too much flux!) I would have hit it with IPA once or twice.

  • @zezimadude13 7 months ago +3

    Love your stuff man. Keep doing what you are doing! Coming from network pentesting, having jumped into programming, then pentest labs and then SIEM stuff and IR competitions in college and wanting to have a better bottom up knowledge of devices, I find your videos extremely revealing.

  • @alexfedorov1160 1 year ago +8

    It really helps if you apply some fresh solder to the pins before desoldering, so you don't have to heat the board that long. Even better if it was a juicy leaded solder.

    • @mattbrwn 1 year ago +3

      Hmm, yeah, I'll have to try that. Makes sense.

    • @agarmash_ 16 days ago

      @mattbrwn there are even alloys with low melting temperatures that work excellently for desoldering purposes. For example, Rose's metal has a melting temperature of 94-98 degrees Celsius. After applying it to the component's solder joints it becomes stupid easy to desolder the component with a hot air gun. I even pulled this trick with SMD plastic connectors without melting the said plastic (like I did in my iPod Classic mod; you can find my blog post by my username if you're interested).
      However! Rose's metal is quite brittle, so you need to remove it completely with the braid wick after desoldering.

    • @attribute-4677 9 days ago

      @agarmash_ How do you apply it? Do you use a soldering iron and rake the solder in beforehand, or just lay a piece of solder on the pins before using the rework station?

    • @agarmash_ 4 days ago

      @attribute-4677 I usually grab some low-temperature alloy with the tip of my soldering iron, apply it to the pins of the component in question, and wipe off the remainder from the soldering iron tip (you don't really want to have it in your permanent solder joints).
      Laying a piece of low-temperature alloy on the pins before using a hot air gun would work too, but generally you don't need that much of this stuff to desolder a component.

  • @vergil9397 6 months ago

    Thanks Matt for giving me the courage to start in hardware stuff. I know it will be hard but I will stick with it till I die. Those vids on your channel are so so great.

  • @Julzilla 3 days ago

    When I take chips off I like to add some low-melt (or even just regular leaded) solder to the pins; less chance of cooking the chip/killing pads and it comes off waaaaay easier :)

  • @Knolraab 1 year ago +1

    I enjoy these videos a lot. Thanks for sharing!

  • @sunmicrosystems 1 year ago +2

    Great stuff! Can't wait for the next part

  • @JamesColeman 10 days ago +1

    I'm wondering why you're using flux to remove the chip. From my understanding, flux just helps solder flow smoothly and cleans contacts. What will help with removing chips from the board would be adding leaded solder and mixing it with the unleaded solder on the board. The unleaded solder has a higher temperature at which it melts, whereas the commonly used leaded solder melts at a lower temperature.

  • @markf8819 1 year ago +3

    The YouTube algorithm leads me to another great YouTuber

    • @mattbrwn 1 year ago +1

      Thanks! The algorithm works in mysterious ways!

  • @rajuradios 10 months ago +1

    My NAND is 64 GB and when I copy the firmware with the RT809H it only gets stuck at the logo in another device, and the data I collect from that 64 GB NAND is just "9.something" GB, so I think, as you said, I have to copy it with the TS56 or any of the XGecu programmers by selecting "include spare area", right? So that I can get all the data correctly and write it to another NAND and run the device. Am I right sir? Or should I select the "none" option? Please reply.

  • @gcm4312 1 year ago +1

    What temperature do you usually use to desolder?

  • @0xbitbybit 7 months ago +1

    Was there a link to part 1 somewhere or am I blind? Maybe add what part it is in the titles because looking at your channel I still have no idea which one is part one lol

  • @ArchiWorldRuS 1 year ago

    Will you make a video about chip readers and all that stuff?

  • @nickstallman2328 6 days ago

    Why did all the flux go on the chip package, rather than a blob on either side where the pins are?

  • @eeee-xq6qz 1 year ago

    Matt, what's your reader's name? Or could you suggest some reader to buy 😊

  • @ByDesignation 1 year ago

    Great educational video! I wonder if those classic wordlists for cracking user accounts would work with this.

  • @chuxxsss 1 year ago

    Matt, you desolder at the same time, using the right attachment on your desoldering station. I have one on my station.

  • @jamieharper5665 7 days ago

    Genuinely interested to know how many Q-tips you go through per week lol 😅

  • @geovaniferreira9626 7 months ago

    Excellent videos. Could you hack the firmware of the microcontroller of any air conditioner?

  • @neon_Nomad 1 year ago +1

    Woopwoop part 2!

  • @neon_Nomad 1 year ago +3

    Louis would use a whole bottle of flux

  • @michaelstallsworth9995 15 days ago +1

    What flash reader are you using and where can I buy one?

    • @mattbrwn 15 days ago

      That is the XGecu T48, and I now recommend the upgraded XGecu T56. eBay is where I got mine.

    • @michaelstallsworth9995 14 days ago

      @mattbrwn thank you very much!!! Just getting into hardware hacking and your videos have taught me more in 2 days than I could have imagined! Keep up the awesome content 💪

  • @vergil9397 5 months ago +1

    Hi Matt, can I dump the firmware without desoldering the chip?

    • @lizardkeeper100 15 days ago

      The answer is often yes, but it can be much harder and not worth it. You can technically do it with a logic analyzer, but you will be at it for several days. If you can find a UART, SPI, JTAG, or similar bus on the chip and are able to connect to it on the board, you could also dump the firmware.

  • @franciz2 1 year ago +2

    Why didn't you change the hash in the dump and then rewrite it before soldering? Just to keep investigating in case you don't find the password.

    • @mattbrwn 1 year ago +1

      Might have to do that eventually. Trying to be as minimally invasive as possible.

    • @caralynx 1 year ago +1

      One thing to note about NAND is the ECC. If you modify something, you're going to have to update the spare area associated with that page as well. If you don't, best case it restores the original data, worst case it marks the page as bad and it won't read. The ECC algorithm used in this particular configuration may not be obvious (especially if it's hardware ECC), so fixing the spare data might not be trivial.
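The two spare-area points raised in this thread (the "include spare area" programmer option asked about earlier, and the note above that ECC and bad-block marks live in the spare area of each page) can be seen concretely with a small script. This is an added illustration, not code from the video or from any programmer vendor. It assumes a chip geometry of 2048-byte pages with a 64-byte spare area and 64 pages per erase block, and the common large-page convention that a non-0xFF first spare byte on a block's first page marks the block bad; the sample dump is constructed inline. Real values come from the NAND part's datasheet.

```python
"""Separate NAND page data from the spare (OOB) area in a raw dump.

Added example for this thread, not code from the video. A programmer
dumping with "include spare area" interleaves each page's data with its
spare bytes; binwalk and filesystem tools expect the bare data, so the
spare bytes must be stripped first. Geometry values are assumptions.
"""
from typing import List, Optional, Tuple

PAGE_SIZE = 2048        # assumed data bytes per page (typical large-page NAND)
SPARE_SIZE = 64         # assumed spare/OOB bytes per page
PAGES_PER_BLOCK = 64    # assumed pages per erase block


def classify_dump(dump_len: int, num_pages: int,
                  page_size: int = PAGE_SIZE,
                  spare_size: int = SPARE_SIZE) -> Optional[str]:
    """Decide whether a dump with a known page count includes the spare area.

    Returns "with_spare", "bare", or None when the length matches neither
    layout (wrong geometry, truncated read, padding). Plain divisibility
    is ambiguous for power-of-two chips, so the page count is required.
    """
    if dump_len == num_pages * (page_size + spare_size):
        return "with_spare"
    if dump_len == num_pages * page_size:
        return "bare"
    return None


def split_pages(dump: bytes, page_size: int = PAGE_SIZE,
                spare_size: int = SPARE_SIZE) -> List[Tuple[bytes, bytes]]:
    """Split a with-spare dump into (data, spare) pairs, one per page."""
    unit = page_size + spare_size
    if len(dump) % unit != 0:
        raise ValueError("dump length is not a multiple of page+spare size")
    return [(dump[off:off + page_size], dump[off + page_size:off + unit])
            for off in range(0, len(dump), unit)]


def strip_spare(dump: bytes, page_size: int = PAGE_SIZE,
                spare_size: int = SPARE_SIZE) -> bytes:
    """Return the bare page data, i.e. the image to hand to binwalk."""
    return b"".join(data for data, _ in split_pages(dump, page_size, spare_size))


def find_bad_blocks(dump: bytes, page_size: int = PAGE_SIZE,
                    spare_size: int = SPARE_SIZE,
                    pages_per_block: int = PAGES_PER_BLOCK) -> List[int]:
    """List erase blocks flagged bad by the factory/driver marker.

    Assumes the common convention: spare byte 0 of a block's first page is
    0xFF for a good block and anything else for a bad one. Some parts also
    mark the last page of the block; check the datasheet.
    """
    pages = split_pages(dump, page_size, spare_size)
    bad = []
    for block_idx in range(len(pages) // pages_per_block):
        _, spare = pages[block_idx * pages_per_block]
        if spare[0] != 0xFF:
            bad.append(block_idx)
    return bad


def make_sample_dump(num_blocks: int = 2, bad_block: int = 1) -> bytes:
    """Build a constructed with-spare dump for demonstration.

    Page data is filled with the page index; spare bytes are 0xFF except
    on the first page of `bad_block`, whose marker byte is cleared.
    """
    out = bytearray()
    for page in range(num_blocks * PAGES_PER_BLOCK):
        out += bytes([page & 0xFF]) * PAGE_SIZE
        spare = bytearray(b"\xff" * SPARE_SIZE)
        if page == bad_block * PAGES_PER_BLOCK:
            spare[0] = 0x00
        out += spare
    return bytes(out)


if __name__ == "__main__":
    sample = make_sample_dump()
    print(classify_dump(len(sample), 2 * PAGES_PER_BLOCK))
    bare = strip_spare(sample)
    print(len(sample), "->", len(bare), "bytes after stripping the spare area")
    print("bad blocks:", find_bad_blocks(sample))
```

Running it on a real dump means replacing `make_sample_dump()` with the file contents and the three geometry constants with the datasheet values. The script only separates data from spare bytes; it does not recompute ECC, so a data page edited in the bare image cannot simply be written back without regenerating the spare area with whatever ECC scheme the controller uses, which is exactly the caveat raised above.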

  • @Mbro-dq2do 4 days ago

    What linux distro are you using to do all this?

    • @mattbrwn 4 days ago +1

      Arch Linux but all this stuff can be done with any kind of Linux you want.

    • @Mbro-dq2do 3 days ago

      @mattbrwn Thank you for your work dude. I'm not even a script kiddie after a year or so but have learned a ton. 46-year-old construction nerd who missed the boat but spends every spare moment learning. Your channel is in my rotation with Louis R too.

    • @Mbro-dq2do 3 days ago

      @mattbrwn Kali Linux, Manjaro and straight Debian for me. DragonOS I'm trying for SDR tools. Have a good day bro.

    • @mattbrwn 2 days ago

      Just heard about DragonOS from a training I'm in right now! I'll have to try that out. Getting SDR tools to work is a pain...

  • @neon_Nomad 1 year ago +1

    Some hash... somewhere over in the stars

  • @weniweedeewiki.6237 1 year ago +1

    The anticipation... is killing me... when's that chip going to give

    • @mattbrwn 1 year ago +1

      Yeah this one took longer than most. Could be a number of factors.

    • @MCgranat999 1 year ago

      Not sure if my technique would work better, but I'd use a bigger nozzle on the hot air, or take the nozzle off if that's the biggest one.

    • @weniweedeewiki.6237 1 year ago

      @MCgranat999 Sounds like a load of hot air to me ....... u c what i did there

  • @weniweedeewiki.6237 1 year ago

    Cut it with them 3D printing clippers ...... my g😎

  • @sonyledlcdspecialistsafzal1228

    Sir, please help.
    My NAND flash IC dump, please extract it, I'm sending it to you. Please answer.

  • @neon_Nomad 1 year ago

    Remember to follow the rainbow when working with hash

  • @gavinpienaar2747 4 days ago

    Dude, use a thin-bristle toothbrush for cleaning :)

  • @neon_Nomad 1 year ago +2

    If you are afraid of Chinese software phoning home, check out simplewall

  • @tinutom810 1 year ago +1

    1st

  • @neon_Nomad 1 year ago

    Why are we still using lead? Don't we know what happened to the Greeks? Sure, it's a great sweetener but..

    • @mattbrwn 1 year ago +1

      Leaded solder works way better than lead-free.

    • @alexfedorov1160 1 year ago +1

      Lead-free solder is a scam. It's better to produce a smaller number of reliable devices using leaded solder than to use lead-free solder and produce a ton of e-waste due to those solder failures. Obviously better for the environment, not for manufacturers.

    • @bluppfisk 1 year ago

      @linus cat tips don't breathe it in either though

  • @kixxthemanz437 5 months ago +1

    I don’t understand why you would want to extract firmware from a camera? Just go download it

    • @SlammerSimming 18 days ago

      How do you think the person providing the firmware got it?

    • @CorollaGTSSRX 16 days ago +1

      @SlammerSimming he means go to the support section of Arlo and download a firmware update and extract that. Sometimes that works, sometimes it doesn't or isn't available.

    • @charleshendry5978 8 days ago +3

      He wants the password.

  • @neon_Nomad 1 year ago

    Great job, glad the chip is still good :) Just got my chip reader in, but I've been focusing more on TryHackMe