U-Boot Bootloader Firmware Extraction Tools
Vložit
- čas přidán 5. 05. 2024
- U-Boot is a common bootloader found in embedded Linux systems that if left unlocked can be used to extract firmware from the device. In this video I demo some new python tools to automate file extraction from ext4 mmc file systems using uboot's ext4ls and ext4load commands.
firmwaretools Github Repo:
github.com/nmatt0/firmwaretoo...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity - Věda a technologie
Keen to see you tackle a more realistic device, say without the full uboot version, a login prompt for UART, encrypted firmware etc. that's what I keep getting lately, or not being able to find a file system at all after desoldering and reading the memory chip 😢
Thanks for making these videos! I watch them purely for education and entertainment, even though i have no professional relationship with any of this. I really find your videos very interesting to watch and easy to grasp, so please keep them going!!!
This is awesome to hear :)
@@mattbrwnMatt, in the future please could you move the picture-in-picture to the top-right corner? On one of the last videos, you had two terminal sessions side by side and the command line in the right hand session was obscured by the inset video of you. Was hard to follow along.
Nice job as always Matt. Really like the firmware tools, awesome automation for this extraction analysis.
I love these videos. I love watching the process from start to finish.
Love your stuff! This is super useful for what I'm trying to do right now with my router, keep up the awesome work!
Nice job Matt 👍
Lots of really good info here, thanks!
Thank you , the content is awesome, good information!!
Thank you for the content, great insights, as always!
Thanks, Matt. Uboot has always seemed a bit mystical to me. Very practical example.
Awesome work dude!
Good stuff
Surprised to see that your parse uboot dump wasn't just wrapping a call to 'xxd -r'
why use bash when python do trick? ;)
awesome tool. i will be putting it to work and def makes life a whole lot easier to just be able to fetch the actual files rather than MD. Can you elaborate on any write methods which can help write files or strings back to a location on an ext4fs via uboot.
yeah I'm going to work on adding a tool that will do that. You do it the opposite way of reading.
First write data to memory with the "mw" command. Second write file to filesystem with the "ext4write".
@@mattbrwn will def give it a shot. thank you.
Matt make a video on extracting the files on locked down phones like Samsung, extracting the files that tell the device can use ADB or that tell the device if the OEM is on or not so we can extract them and change the values then push them back to the device to gain root access
Don't you think the reset is simply caused by you overwriting code in memory that is currently being executed? Maybe the bootloader code itself, or interrupt vectors?
that's a good point. that could totally be it.
if i have a firmware extracted from a device (example wifi camera), is there any way to modify the firmware? can you make such video?
It depends on a lot of factors: what is the flash layout? what is the actual underlying system? what modifications do you want to make? Join us on discord (invite in description) and some of the community might be able to help you learn :)
@@mattbrwn sadly i am not that far in, i just found the UART pins and managed to execute some useless commands, noticed that its a U-boot. just wanted to know if extracting the firmware is worth the effort for future modifications of the functionalities. for example i have many old wifi Chinese cameras, but they turned down the servers and now you cant connect the cameras, so i wanted to connect LAN module instead of the WiFi module that they use and that way make them work again, but i will probably have to change some settings for the camera to use the LAN connection instead the WiFi.
thank you for the replay, i will definitely check and join the discord.
Can you do this to cell phones?
I have a Device, that boots it's normal OS after 30-60 seconds in u-boot command-prompt. Any chance to interrupt this autoboot?
Can you interact with the uboot menu during that time? Come join us in discord for help with stuff like this 😁
@@mattbrwnso good to see you back on here Matt. I really enjoy your content and was worried when you stopped posting a year or so ago. Hope all is well. I am now catching up with the last few weeks content.
bootretry is an environment variable containing the current delay in effect. Negative values mean boot retry will not occur. Unfortunately, *this value is only sampled on startup* - changing it will *not* prevent boot retry in the current session.
If your build supports saving environment variables persistently:
u-boot> setenv bootretry -1
u-boot> saveenv
Otherwise you would have to modify the source and rebuild. If you wanted to get rid of that behavior entirely you could do something like
`grep -r CONFIG_BOOT_RETRY *`, remove those lines, rebuild, and reflash.
Definitely make sure you have a backup means of booting or flashing before overwriting the existing U-Boot, just in case
What's the sensitive nature of the device? I don't understand why you would not want the viewers to know what it is?
Ugh, that thumbnail font. FIAWAAE EHTAACTION?
10:35 probably memory mapped io or memory that's being used by the bootloader.
Hack the Facebook portal plus 15.6 please