Hacking The Mojo C-75 - Chip-Off Firmware Extraction
- added 11. 06. 2024
- The Mojo C-75 is a professional grade Wi-Fi router. In this video, we will show how a limited shell is available over the RS-232 console port. Then we perform 2 x chip-off firmware extractions to pull the various filesystems off the device.
XGecu Software Mirror:
github.com/Kreeblah/XGecu_Sof...
XGecu Wine USB Driver DLL:
github.com/radiomanV/TL866/tr...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #righttorepair #jailbreak - Science & Technology
I started with the AT&T router hacking video and now I'm hooked, I'll deffo be coming back for more, great videos man!
Lol same popped up for me today been watching all day
Same! Thank you algorithm. Balk balk!
Same
lol same here 😂😂
Same here 🎉
As an ex-employee of Mojo (and Airtight as it was previously known) this is super interesting to see how you're taking a shot at some of our older stuff; blast from the past for me! Keep it up.
A great video. By the way, the file system can be mounted directly in Linux with a loop device:
mount -o loop,ro -t jffs2 <image.bin> <mountpoint>
Or it can be done in two steps with losetup and mount. You can check supported file system types in /proc/filesystem. Most penetration testing distros contain squashfs and jffs2 support.
"you're going to burn your self. It's going to happen"
I once picked up an iron like a pencil.... Then burned my desk when I dropped the iron.
We've all been there 😂
i was desoldering a capacitor... had a huge ground plane so it was sucking heat right out of the soldering pencil. so i had the cap pinched between my middle finger and thumb and was pushing off the PCB with my index finger. every now n then i would give it a push then let it heat some more. THEN... i pushed once more with my index finger but this time it made a strange sizzling sound. my finger actually smoked. when i looked at it it had a brownish white patch burned into my finger. YOWSERS!!!! probably one of the worst times ever getting burned.
@mikehensley78 oof
If it smells like pork you're doing it wrong
Yeah, that stock photo of the dumb brunette holding a soldering iron like a pen has caused a lot of industrial accidents. 😂
It might be a good idea to use kapton tape to protect the small surface mount components and a barrier if you're ever next to something plastic.
Also, it's good to know that if you're making/improvising your own desoldering braid in the future, you don't need a lot of it. I found that out the hard way when I fused a bunch of copper wire to a PCB while trying to desolder something.
I don’t look forward to the next part of anyone else’s videos as much as yours. I’ve tried doing some of this stuff in the past and usually gotten stumped, but watching your videos made me realize I just need to do it more because experience is the only way to get better at it.
Just discovered your channel while doing nothing at work. As someone who has made content (on other channels), the way you present everything in real time is amazing. You are a fantastic teacher
I'm one of the new subs and have watched quite a lot of your back catalog. This looks like an interesting one to dig deeper into. Great Content Matt 👍😃
I love your channel! By chance I saw the video of the AT&T router and I was fascinated. I find your work incredible and thank you for sharing it.
A trick for keeping the chips from getting mixed up is a small drop of colored nail polish in the corner of one. Then you can notate on your sheet which one it is.
a few nail polish colors with bright base colors, and toothpicks, dab color on the corner of the chip and next to the identification silk screen before you desolder, take a pic and make notes while it dries, then desolder. should survive flux and mild alcohol cleanup if needed between desolder and resolder as long as the board/chip was already clean where you dabbed the color.
Try running strings on the firmware.bin file and use the output as a wordlist, worked for me, on a Chinese IP camera.
Great videos btw. greetings from Austria!
Great video, love how you take it up a notch on the difficulty level!
yep... I might have scared myself thinking I bricked this device during the prep for the video :D hopefully can pull off the root shell!
Another amazing video Matt, Keep up the excellent content and thank you for sharing your knowledge
This is amazing, your explanation of every step of the process connects everything very clearly
And now we wait for a madlad to crack the hash.
I have learned so much watching your videos. I am a cybersecurity consultant and I love that there is always something new to learn!
Raw footage is always fun. Keep it up Matt. Your videos help me to see more device models than I tinker with. Aside from that your techniques and phrases are great fun for me to watch and learn :D You can work on some IP camera hacking btw.
Man I Love your work, I was just watching the series about arlo q camera, I really would love you to continue the series
At around 6:30 it used the `more` command to display the help page. You can just do ESC + !/bin/sh to get a shell... while inside the --more-- prompt.
would you say that's "more" to the point? ;)
You don't need the ESC it seems.
Unfortunately it uses the BusyBox version of more that doesn't support any of that
I am learning like never before ! keep them coming!
Fantastic video, thank you for creating it, really good walk through
Man I love your videos, I've learned so much. Excited to see the conclusion of this one, writing your own hash to the root account or just deleting the hash maybe?
Another Awesome upload! Thanks Matt!
It's not like I want to hack things, but after watching your videos I want to learn how to. Love your content.
Great video. Excited to see what you share in the next.
It actually is T48 in the photo. It only has 40-pin ZIF socket (unlike 48-pin for T56) and no power switch or external power jack near the USB socket. Otherwise they look pretty similar.
glad i came across your channel!
@8:28, I think that you may have a problem with the lens that's connected with the camera port. You can change it to improve the field of view. I have a similar microscope and the view fills the whole screen with no black on the sides.
@10:30 I think that you maybe don't need to use flux when de-soldering components. I usually use the flux when soldering the components only. This will save you a lot.
Have you tried foam pads instead of cotton for cleaning flux? They are a bit more expensive but work a lot better. Found your channel a few days ago and enjoying it. The algorithm must like you. I have only recently gotten down to doing SMD soldering as part of my services or gotten good enough but working with firmwares and devices like this is very much in my interests. Keep it up you are appreciated.
Cool stuff bro. More, more, more!
I don't understand 2/3 of what you are on about, but I like the videos anyway.
hey, i also got into hardware hacking because of your videos, its really fun so thanks for that
If you mount (instead of using jefferson) the filesystem, then modify the contents of the /etc/shadow entry for root's from the config's, and re-flash the chip, you change the root's password to be the same as the config user, no? If that doesn't work, you can modify the default shell that "config" uses to be set-uid root... Basically, once you have access to the filesystem, it's game over :-) And btw - very nice videos, Matt! Excellent channel.
@35:29 "Private key in DER format" did you spot that? Looks interesting.
If you are looking for RS232 serial on a modern PC, they make PCIe RS232 2:34 2:36 cards and also internal USB to serial converters that plug into a normal USB2 header.. saves a bit of external cables
but when you burn out a port or damage a pin, more pita and $ to replace. most usb-serial adapters of any quality are perfectly fine for console stuff, if you need better reliability at higher speeds or cable lengths, get an FTDI based cable.
Amazing video, you should try IoT devices like pcbs of air fryers, washing machines or fridges that connect to wifi.
Are you planning on changing the login shell in /etc/passwd? Also, does the firmware have any signature checking to prevent that or keep the device from booting?
After 20 years I learned from you about binwalk 😂
I'm hooked on your channel. Any way you can zoom in on the terminal? It would really help following along.
Waiting eagerly for that "another video"
Seems like I'd always try a test clip before hassling with all the possibly destructive chip removal. Usually even if the injection of power wakes other stuff (like the SoC) up you can find the reset line and hold them hostage so they can't interfere with interrogation.
Great channel... I have a suggestion for a device that, if it can be hacked and repurposed, could help a lot of people. It's the Echo Connect, which Amazon just decided we can no longer use, even though we bought them. It hooks up to your VoIP line or land line and allows you to answer your phone or make calls from any Amazon Echo device in your home. I'm guessing there is a server component, and such, but it's running a DSP Group DVF9918, which looks like a pretty capable SoC. If there is a way to repurpose this, or even better bring back its utility... as a developer (and I've worked on embedded systems from industrial to automotive, and enterprise level at Fortune 500 companies), I'd definitely consider the challenge if I could gain access to this device.
binwalk uses hex signatures to detect the FS. A signature is a hex value. Those files usually have multiple hex values that binwalk will see as separate files. If you are getting a lot of errors, you may need to manually extract the files: use dd to cut the excess data, using binwalk to identify the memory location.
yep this is exactly what I do when binwalk splits so much stuff out like that. might show this in the next video.
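The signature-then-carve workflow described in the two comments above, as an added example (not Matt's code and not binwalk itself): a minimal scanner that looks for SquashFS and JFFS2 magic on erase-block boundaries and then slices each region out the way a `dd skip=/count=` would. The 12 KiB dump it scans is constructed inline; the alignment value and the filler bytes are assumptions, not values from the Mojo C-75.

```python
import struct

# Filesystem magic bytes as they appear on flash. SquashFS is "hsqs" (LE) or
# "sqsh" (BE); JFFS2 nodes start with the 16-bit magic 0x1985, stored as
# 85 19 on little-endian devices and 19 85 on big-endian ones.
SIGNATURES = {
    b"hsqs": "squashfs-le",
    b"sqsh": "squashfs-be",
    b"\x85\x19": "jffs2-le",
    b"\x19\x85": "jffs2-be",
}

def scan(dump, align=0x1000):
    """Return (offset, fs_name) for every signature found on an `align` boundary.

    Partitions start on erase-block boundaries, so checking only aligned
    offsets avoids the false positives a 2-byte JFFS2 magic would otherwise
    produce in random data (one source of the "split into many files" noise).
    """
    hits = []
    for off in range(0, len(dump), align):
        for magic, name in SIGNATURES.items():
            if dump.startswith(magic, off):
                hits.append((off, name))
                break
    return hits

def squashfs_bytes_used(dump, off, big_endian=False):
    """SquashFS superblock field bytes_used: a u64 at offset 40."""
    return struct.unpack_from(">Q" if big_endian else "<Q", dump, off + 40)[0]

def carve(dump, align=0x1000):
    """Slice each detected filesystem out of the dump, as
    `dd if=dump.bin bs=1 skip=OFF count=LEN` would. SquashFS states its own
    length in the superblock; JFFS2 has no such header field, so it is taken
    to run until the next detected filesystem or the end of the dump."""
    hits = scan(dump, align)
    regions = []
    for i, (off, name) in enumerate(hits):
        next_off = hits[i + 1][0] if i + 1 < len(hits) else len(dump)
        end = next_off
        if name.startswith("squashfs"):
            end = min(off + squashfs_bytes_used(dump, off, name.endswith("-be")), next_off)
        regions.append((name, off, dump[off:end]))
    return regions

def make_sample_dump():
    """Constructed 12 KiB dump (not from any real device): 4 KiB of filler,
    a SquashFS superblock claiming 2048 bytes, then a JFFS2 region."""
    boot = b"bootloader placeholder".ljust(0x1000, b"\xff")
    sb = bytearray(0x1000)
    sb[0:4] = b"hsqs"
    struct.pack_into("<HH", sb, 28, 4, 0)   # version 4.0
    struct.pack_into("<Q", sb, 40, 2048)    # bytes_used
    jffs2 = b"\x85\x19\xe0\x01" + b"\x00" * 0x7fc  # node magic + filler
    return bytes(boot) + bytes(sb) + jffs2 * 2
```

Calling `carve(make_sample_dump())` yields the SquashFS region (2048 bytes at 0x1000) and the JFFS2 region (4096 bytes at 0x2000); on a real dump, pass the erase-block size of the flash part as `align`.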
Very cool
Hey man, this great video. Next video please try TP-Link TL-WR940N
I have a Watchguard AP320 at home, and this looks 100% identical (at least from the outside), I wonder if the internals and firmware are the same.
It is the same device (based on WikiDevi pictures). Also OpenWrt is available for it.
999th like 😂..binge watching all your videos
7:10 ah the source code, aka, the disassembly from the binary, that's source code for reverse engineers !
I got an impinj rfid reader that I have dumped the nand. Maybe we can collab on getting root? I was using binwalk a different way and would love to try these methods as I was mounting the bin at specific cylinders of the dump. Overall this video sparked me to try again with a simpler approach
think you could do something with the ZyXel C3000Z? it's got the same sort of faux shell idea.
You could change the group for the config user to make it another root user, or you could duplicate the config password over the root password. Then upload the file.
Can you hack isp locked bridge mode alphion 1143 ont? Thank you
Why not just use a SOIC clip on these type of chips? That's what I did to dump the firmware on my Ubiquiti switch.
U5 looks a bit misplaced at 8:12 - did you desolder it before or did it come like this from factory?
that was me :D
@mattbrwn Great video, easy to understand. I'd be interested to see what you could do with a generic 4G USB stick modem. I really want the ability to use one as a basic 4G modem, with AT commands and a simple IO connection, just to send text messages as part of a project.
I've backed up the firmware off my stuff myself.
THE only solder flux I have ever used besides the occasional copper pipe acid and the 2% in the solder core is the pine rosin I dug out of a tree 8 years ago. I just don't know how it will do with hot air.
Awesome
Yeah!
Hey, I recently rooted a similar access point, and after dumping the firmware and reading through the config shell scripts, I noticed a command injection vulnerability in the "radartool" command, which allowed me to simply spawn an sh shell and use su to escalate to root. I'm not sure if that vuln exists here, but the config shells and the software look awfully similar.
Very interesting 🤔
I wonder if you have an old smartphone lying around, maybe two, and you extract the bootloader from the one that is not bricked and see if it revives
Hey Matt, I have a router with me and I got into U-Boot. But I'm facing some issues with the firmware extraction process.
Can you provide any platform to contact you?
What is your Linux distribution and desktop environment?
You can save yourself all the chip cleaning time if you don't use flux when taking the chip off. The flux insulates the legs which is why you have to clean it in the first place. Without flux, your programmer will typically read the chip just fine without any cleaning. Also no need to remove the solder from the chip's legs.
Completely unrelated question: where did you get your workbench?
Benchdepot. Warning: it's not cheap
can you make video on how to make custom firmware like openwrt for unsupported/unlisted router? thanks
Super man to the rescue
Can u hack Huawei hg523a as I have same and want to hack it
The only bad thing about software just for Windows is that the antivirus software in Windows deletes these kind of utilities and sometimes without telling you. It is Microsoft's silent way of telling you they don't want you to have any fun!
stick 'em in a folder and assign security exclusions to them to address this
Brown Town!
W matt brown
❤
lol, I saw the chip reversed, I guess you were busy doing the video :)
I wonder, are all embedded device file systems unencrypted? Have you ever seen a system that is decrypted during boot time with the AES key hosted on a TPM chip? Does anyone see such a solution for such attacks?
seems like that would call for some sort of microcontroller or something feeding the memory chip the correct decrypt key at initialization. other than that it should be very similar to what was showcased on this video i would imagine.
OR
i guess you could dump the chip then decrypt it once you got the data onto your machine.
Cable boxes boot from an encrypted firmware. They decrypt it during the boot process. I'm not sure if any use TPMs, but that would make stuff hard to work with, since the key is stored securely. Assuming that they encrypt communication in transit, side channel attacks will be harder as well.
Some more expensive microcontrollers and FPGAs also have a volatile storage inside for an encryption key as well and the facilities do decryption on the chip itself.
@Jeff-ss6qt they probably have a bit more code in the boot ROM of the CPU that unlocks the flash. I have had many TV boxes with encrypted firmware and compressed things and the CPU boot ROM actually unlocked the chip before reading from it and decrypting it
I'm streaming potatoe-cam in 1080p HD :) Shows the real content is the words.
Immediately I think of Austin Powers getting his mojo back.
Old skool? Damn, he just put me to sleep.
Hey, you forgot the links in the description, it's relatively easy to read it, but still.
RIP. fixing this now
@mattbrwn No problem! Thanks for the fix.
Can you hack so called smart TV's?
amazing content, any chance you can hack into a facebook portal go to see if we can resurrect the hardware for private use now that facebook has discontinued the device ?
can you hack a wifi repeater device
Matt, now the PS4 can be hacked with fw 11.00. It can launch Linux but needs good people like you to make a good 3D-powered Linux..
Are you interested in investigating firmware of a chinese NES hdmi stick?
Got it for free but I failed to make any changes to the fw as it fails to boot with modified binary (checksum?). It has allwinner a10s, 128mb ram, boots linux 3.4.10 off sd card using script.bin and system.img. Doesn't have any built-in network interfaces and it doesn't have uart. It does have internal USB but supposedly lacks HID drivers as connected keyboard isn't recognized.
Got both files and pictures of the mobo if you want. My goal is to repurpose it, eg. as apcupsd daemon via USB ethernet :)
I'm surprised someone hasn't already cracked that hash for you. lol
The powder blue serial cable with the RJ-45 port on one end is known as a "rollover cable." Definitely not ethernet! :)
TIL
I don't know if you will read this comment
Can you try to hack the Huawei 4G Router 3 Pro (Huawei B535-932)?
Mine is currently using the ISP provider firmware and it's locked to its SIMs (I want to use a different SIM but the ISP is not giving the code); also the ISP provider locks the bands I can use. The bands I can use are 3, 28, 41, but if I had the original firmware I would have these bands: 1, 3, 7, 8, 20, 28, 32, 38, 41
I haven’t used gloves when dealing with PCBs. Probably should have. Pray I don’t get California.
🤣
Create new root password, hash it, put in shadow file, write shadow file to chip, log-in.
It seems like you know where the next video is headed ;)
@mattbrwn I did exactly that to a router I had because I did not know its password and I could patch the command line to load init=/bin/sh but it was a limited shell and changing the password through there did nothing for the normal startup
Had the same thought, done that with an IP camera
How to do this? You use openssl?
@xrafter the shadow file uses known algorithms (MD5, SHA-512, etc). You just put a character that specifies the hashing algorithm, the hash, the salt (if any) and save it.
(It's more complicated than that but you can get the idea.)
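The `$id$salt$hash` layout sketched in the reply above, as an added example that is not from the video: a small audit helper that classifies each password field in a shadow file recovered from a firmware dump and flags what a reviewer looks for first (empty fields, legacy hash schemes, and two accounts sharing one hash, the root/config reuse other comments mention). The shadow lines are constructed; the hash strings are filler, not real digests.

```python
# Hash identifiers used in "$id$salt$hash" password fields.
HASH_IDS = {
    "1": "md5crypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "7": "scrypt",
    "y": "yescrypt",
}
WEAK = {"descrypt", "md5crypt"}   # fast legacy schemes, cheap to brute-force

def parse_field(field):
    """Split a shadow password field into (algorithm, salt, digest)."""
    if field == "":
        return ("empty", "", "")
    if field[0] in "*!":
        return ("locked", "", "")              # no password login possible
    if field.startswith("$"):
        parts = field.split("$")               # ['', id, salt, ..., hash]
        if len(parts) < 4:
            return ("malformed", "", field)
        algo = HASH_IDS.get(parts[1], "unknown:" + parts[1])
        return (algo, "$".join(parts[2:-1]), parts[-1])
    # Traditional DES crypt: 2-char salt followed by an 11-char hash.
    return ("descrypt", field[:2], field[2:])

def audit_shadow(text):
    """Return (user, finding) tuples in file order."""
    findings, seen = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user = fields[0]
        algo, salt, digest = parse_field(fields[1])
        if algo == "empty":
            findings.append((user, "empty-password"))
        elif algo in WEAK:
            findings.append((user, "weak-hash:" + algo))
        elif algo.startswith(("unknown", "malformed")):
            findings.append((user, algo))
        if digest:
            key = (salt, digest)
            if key in seen:                    # same salt + hash => same password
                findings.append((user, "hash-reused-with:" + seen[key]))
            else:
                seen[key] = user
    return findings

# Constructed sample: root and config share one md5crypt hash, guest has no
# password, daemon is locked, admin uses sha512crypt (digests are filler).
SAMPLE_SHADOW = """\
root:$1$abcdefgh$AbCdEfGhIjKlMnOpQrStUv:19000:0:99999:7:::
config:$1$abcdefgh$AbCdEfGhIjKlMnOpQrStUv:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
admin:$6$saltsalt$FillerNotARealDigest:19000:0:99999:7:::
"""
```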
May I suggest to not cut out any failed attempts and dead ends; the end goal is not nearly as interesting and educational as the journey and detective work that leads to it. For example you mentioned that you tried to guess the password and it didn't work out, that's fine, you can still include that segment, there is a lot to learn from it. You said that it took a long time to figure out the cross compiling issues but didn't include any of that in the video.
I'm in the middle of watching this. From my perspective, those two things don't add much value. I do agree overall. But, cutting that stuff out is important. The only compromise I could think of would be non-cut videos on a separate channel or patreon like some others do.
You need to follow through on your projects. I just sat through the three videos you did a year ago about the Arlo Q, in the third one you promised another video where you were going to modify the firmware and write it back. Yet, you never posted it. I've seen several other aborted dead-end stuff as well where follow up videos never come. When people watch you, they're investing their time and for that investment they're expecting resolution. I for one am clicking on the option to stop your channel videos being recommended to me as I'm not going to be caught out like that again by you.
Bro chill out he had some personal stuff going on 😭😭
There’s really no need to be so brusque here. It also comes across as incredibly entitled. I’ve found Matt’s videos super informative and helpful.
Man, stop whining, his content is free for us all to enjoy.
Dude, is this your first day on the internet? That's not how this works. Unless you hired Matt to make videos, he doesn't owe you anything.
I usually ignore these ungrateful entitled comments, but this time, I am going to say something. It takes a lot of effort and time for him to make these FREE videos. He is sharing valuable knowledge that someone would pay thousands for! So, if you don't believe me, don't be lazy and do your own research - if you survive, you may even appreciate it 😅