Hacking the Arlo Q Security Camera: Bootloader Reverse Engineering

  • Added: 30. 06. 2024
  • In this video, we continue hacking on the Arlo Q security camera. Today we reverse engineer the extracted firmware to better understand how the bootloader security is implemented.
    Unsalted SHA-256 bootloader password hash:
    dd62e7962d63044fd1b190091930939affb172e578bb941728bd4e4478250641
    IoT Hackers Hangout Community Discord Invite:
    / discord
    🛠️ Stuff I Use 🛠️
    🪛 Tools:
    XGecu Universal Programmer: amzn.to/4dIhNWy
    Multimeter: amzn.to/4b9cUUG
    Power Supply: amzn.to/3QBNSpb
    Oscilloscope: amzn.to/3UzoAZM
    Logic Analyzer: amzn.to/4a9IfFu
    USB UART Adapter: amzn.to/4dSbmjB
    iFixit Toolkit: amzn.to/44tTjMB
    🫠 Soldering & Hot Air Rework Tools:
    Soldering Station: amzn.to/4dygJEv
    Microsoldering Pencil: amzn.to/4dxPHwY
    Microsoldering Tips: amzn.to/3QyKhrT
    Rework Station: amzn.to/3JOPV5x
    Air Extraction: amzn.to/3QB28yx
    🔬 Microscope Setup:
    Microscope: amzn.to/4abMMao
    Microscope 0.7X Lens: amzn.to/3wrV1S8
    Microscope LED Ring Light: amzn.to/4btqiTm
    Microscope Camera: amzn.to/3QXSXsb
    About Me:
    My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
    - Soli Deo Gloria
    💻 Social:
    twitter: / nmatt0
    linkedin: / mattbrwn
    github: github.com/nmatt0/
    #iot #hacking #bootloader #reverseengineering #firmware
  • Science & Technology

Comments • 62

  • @jakesec633 1 year ago +84

    Hey Matt, loved the video as per usual. I’ve cracked the hash for the boot loader, the password is: ngpriv106

    • @fusseldieb 1 year ago +6

      Wow, that was fast! How did you manage that?

    • @neb_setabed 1 year ago +2

      Damn that was quick, nice job!

    • @Knolraab 1 year ago +2

      I am interested to know too. Sharing is caring

    • @nerdy_dav 1 year ago +8

      Nice.
      Looks fairly simple. I'd imagine you had some GPU power to get it done so quickly.
      While you likely wouldn't find this string in a rainbow table, the combination of 9 lowercase letters and 0-9 gives us 9^36 iterations to get through. Modern CPUs and GPUs could knock that around quickly. Few hours at most.

    • @mattbrwn 1 year ago +14

      Absolute Legend!

  • @hallisern 1 year ago +1

    Great video Matt, amazing explanations. Very easy to follow and understand!

  • @AlexKiraly 5 months ago +5

    What a goldmine of a channel!

  • @malucullus9100 1 year ago +15

    I know the hash has been cracked now, but if you wanted to get into the older firmware without having to do a chip-off you could also have tried interrupting the boot process a few times, ideally with a reset. This would simulate the crashing firmware that this sort of A/B deployment is supposed to protect against and may have caused the boot loader to fail back to the old version.

    • @azus5576 4 months ago

      It has? In what video does he do that? I couldn't find that hash in those pre-computed lookup tables and using leaked password lists didn't work either. I doubt he could brute-force that hash

    • @azus5576 4 months ago +2

      nvm, I missed the fixed comment somehow

  • @kmsec1337 7 months ago +2

    Bruh this is top quality content. Thank you so much 🙏

  • @kiyotaka31337 1 year ago +2

    Thanks for the videos I learned a lot from your videos.

  • @ersonthemesa 1 year ago +3

    Thanks Matt... Great video.

  • @LucaCostantino1 1 month ago +4

    Hi @mattbrwn...
    Just discovering your channel now...
    Where are you on part 4 of this series?? :D
    Awesome videos, keep it up!

    • @mattbrwn 1 month ago +1

      Device got bricked.

    • @LucaCostantino1 1 month ago +2

      @@mattbrwn That's a shame! I was really looking forward to more!
      Thanks!

    • @xrafter 1 month ago +1

      @@mattbrwn
      WHAT THE BRICK!

    • @ChimeFix 1 month ago

      @@mattbrwn 😢

  • @Henrik229 1 year ago +1

    Very interesting videos!

  • @markf8819 1 year ago +4

    Great video

  • @neon_Nomad 1 year ago +1

    Amazing as always! Ganbatte!!

  • @NeverGiveUpYo 10 months ago +1

    Really good content

  • @Autokey_Security_Services

    Is it not possible for you to write your own known hash into the flash chip raw data dump, or is this data retained in the Ambarella chip??

    • @mattbrwn 1 year ago +3

      This should be possible. I'm working on this method for a future video.

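One way to do what the reply above says should be possible, written here as an added example rather than Matt's own tooling: take the raw flash dump from the programmer, find where the bootloader stores the password hash, and overwrite it in place with the SHA-256 of a password you choose. The page does not say whether amboot keeps the hash as 64 ASCII hex characters or as the 32 raw digest bytes, so the code looks for both encodings and patches whichever it finds. The sample image is constructed; the only real value is the hash from the video description. Because SHA-256 output is fixed-size, the replacement is exactly as long as the original and nothing else in the image moves.

```python
import hashlib

# Hash from the video description (unsalted SHA-256 of the bootloader password).
POSTED_HASH = "dd62e7962d63044fd1b190091930939affb172e578bb941728bd4e4478250641"


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def locate_hash(image: bytes, hash_hex: str):
    """Find every copy of the stored hash in a flash dump.
    The page does not say how amboot stores it, so both likely encodings are tried:
    'ascii' = the 64 lowercase hex characters, 'raw' = the 32 digest bytes.
    Returns a sorted list of (offset, encoding) tuples."""
    forms = {
        "ascii": hash_hex.lower().encode("ascii"),
        "raw": bytes.fromhex(hash_hex),
    }
    hits = []
    for encoding, needle in forms.items():
        off = image.find(needle)
        while off != -1:
            hits.append((off, encoding))
            off = image.find(needle, off + 1)
    return sorted(hits)


def patch_hash(image: bytes, old_hash_hex: str, new_password: str) -> bytes:
    """Overwrite every copy of old_hash_hex with SHA-256(new_password), in the same
    encoding each copy was found in. SHA-256 output is fixed-size, so the replacement
    is exactly as long as the original and no offset in the image shifts."""
    hits = locate_hash(image, old_hash_hex)
    if not hits:
        raise ValueError("stored hash not found in image; wrong dump or different encoding")
    new_hex = sha256_hex(new_password)
    patched = bytearray(image)
    for off, encoding in hits:
        replacement = new_hex.encode("ascii") if encoding == "ascii" else bytes.fromhex(new_hex)
        patched[off:off + len(replacement)] = replacement
    if len(patched) != len(image):
        raise AssertionError("image size changed; refusing to write")
    return bytes(patched)


def build_sample_image() -> bytes:
    """Constructed stand-in for a flash dump: erased-flash filler, a marker, one ASCII
    copy of the hash, zero padding, one raw copy, more filler. Not real Arlo Q content."""
    return (b"\xff" * 64 + b"AMBOOT\x00" + POSTED_HASH.encode("ascii")
            + b"\x00" * 32 + bytes.fromhex(POSTED_HASH) + b"\xff" * 64)


if __name__ == "__main__":
    image = build_sample_image()
    print("hash found at:", locate_hash(image, POSTED_HASH))
    patched = patch_hash(image, POSTED_HASH, "mynewpassword")
    print("patched copies at:", locate_hash(patched, sha256_hex("mynewpassword")))
    # With a real dump you would write `patched` back with the programmer and then
    # log in with "mynewpassword" at the bootloader prompt.
```

Two caveats before flashing a patched dump back: keep the unmodified dump, and check whether the bootloader region is covered by a checksum or signature, because if it is, the patched image will not boot until that value is recomputed or the check is dealt with as well.
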
  • @bassimyounis5803 1 year ago +4

    Hey Matt thanks for the video. How did you know that the hash was unsalted? Was it in a previous video?

    • @mattbrwn 1 year ago +6

      Good question! I discussed it in the first video.
      The bootloader prints out the password hash of what you enter for a password attempt. So I was able to type "password" in, hit enter, and confirm that the password matched the unsalted sha256 hash of "password"

    • @xrafter 1 month ago

      @@mattbrwn
      What a legend!

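The check Matt describes in the reply above, and the offline attack the pinned comment and the description's hash line imply, reproduced as an added example (this is not Matt's code and not amboot's): because the bootloader prints the hash of whatever is typed at the prompt, hashing a known string yourself and comparing tells you whether a salt or any per-device input is mixed in. If it is plain SHA-256, the posted hash can be attacked offline, and the same code shows the two strategies discussed in the thread, a wordlist (hashcat mode 1400, attack mode 0) and a fixed-length mask (attack mode 3), plus the keyspace arithmetic for a 9-character mask over a-z0-9. The demo target hash, wordlist and hash rate are constructed; the only real values are the hash from the description and the candidate from the pinned comment, which the script checks but does not assume.

```python
import hashlib
import itertools

# Hash from the video description: unsalted SHA-256 of the amboot password.
POSTED_HASH = "dd62e7962d63044fd1b190091930939affb172e578bb941728bd4e4478250641"
# Candidate posted in the pinned comment; the script only checks it against POSTED_HASH.
PINNED_CANDIDATE = "ngpriv106"


def sha256_hex(candidate: str) -> str:
    """Plain (unsalted) SHA-256 of a candidate password, lowercase hex."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def is_unsalted_sha256(typed: str, echoed_hash: str) -> bool:
    """The UART check: the bootloader prints the hash of whatever you type at the
    password prompt. If our own SHA-256 of that same string equals what it printed,
    no salt or per-device input is involved and the stored hash is attackable offline."""
    return sha256_hex(typed) == echoed_hash.strip().lower()


def check_candidate(target_hash: str, candidate: str) -> bool:
    return sha256_hex(candidate) == target_hash.strip().lower()


def wordlist_attack(target_hash: str, words):
    """Equivalent of hashcat -m 1400 -a 0: try each word as-is, return the first hit."""
    for word in words:
        if check_candidate(target_hash, word):
            return word
    return None


def mask_attack(target_hash: str, alphabet: str, length: int, limit=None):
    """Equivalent of hashcat -a 3 for a fixed-length mask over one charset.
    `limit` caps the number of candidates tried so a demo stays fast; None exhausts."""
    for i, combo in enumerate(itertools.product(alphabet, repeat=length)):
        if limit is not None and i >= limit:
            return None
        candidate = "".join(combo)
        if check_candidate(target_hash, candidate):
            return candidate
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for a fixed-length mask: alphabet_size ** length.
    Nine characters over a-z0-9 (36 symbols) is 36 ** 9, roughly 1.0e14."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust the mask at a given hash rate (constructed rate in the demo)."""
    return keyspace(alphabet_size, length) / hashes_per_second


if __name__ == "__main__":
    # Step 1: the console check, reproduced offline. `echoed` stands in for what amboot printed.
    echoed = sha256_hex("password")
    print("unsalted SHA-256:", is_unsalted_sha256("password", echoed))
    # Step 2: the two offline strategies discussed in the comments, on constructed targets.
    print("wordlist hit:", wordlist_attack(echoed, ["admin", "password", "123456"]))
    print("mask hit:", mask_attack(sha256_hex("bab"), "ab", 3))
    # Step 3: keyspace for a 9 x [a-z0-9] mask at a constructed 1 GH/s.
    print("36^9 =", keyspace(36, 9), "candidates,",
          round(seconds_to_exhaust(36, 9, 1e9) / 3600, 1), "hours at 1 GH/s")
    # Step 4: verify the pinned comment's password against the posted hash.
    print(PINNED_CANDIDATE, "matches posted hash:", check_candidate(POSTED_HASH, PINNED_CANDIDATE))
```

The mask loop is only there to make the search order explicit; for a real 36^9 keyspace you would hand the hash to hashcat on a GPU, which is what the keyspace arithmetic is sizing.
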
  • @habiks 11 months ago +6

    Cool video. But GPIO simply means general-purpose input/output pin. GPIO isn't any type of mechanism.

  • @neon_Nomad 1 year ago +1

    Here I come, hashcat... guess the rainbow road was too easy a route.

  • @gersonsoares6628 1 year ago +1

    Good video Matt: is the bootloader u-boot?

    • @mattbrwn 1 year ago +1

      No, this is not U-Boot. Ambarella SoCs use a custom bootloader called amboot.

  • @Ski4974 8 months ago +3

    Did you end up making the 3rd video in this ARLO Q series?

    • @mattbrwn 8 months ago +1

      Unfortunately my device got bricked so I wasn't able to make the next video.

    • @Ski4974 8 months ago +1

      @@mattbrwn That's too bad, how did that happen? 😯

  • @jordantekelenburg 1 year ago +1

    Is there more coming??

  • @markf8819 1 year ago +3

    What tools would you recommend for a beginner?

    • @mattbrwn 1 year ago +4

      I'm trying to put together a playlist about all my tools but that's a work in progress.
      For getting UART access you really just need a simple TTL-232R cable:
      ftdichip.com/products/ttl-232r-3v3/

  • @neon_Nomad 1 year ago +1

    Says it will take a month, but I'm having trouble getting both CPU and GPU running at the same time... I don't have much experience with hashcat, so if anyone knows what's going wrong: I'm using hashcat launcher.

  • @ahmedsammoud1924 1 year ago

    Any updates on what happened with the arlo?

  • @neon_Nomad 1 year ago +1

    Hope all is alright

    • @mattbrwn 1 year ago

      Haha thanks for asking! Doing good. Closing on a house so that's been taking a lot of my free time lately. Will post new videos after that is finished.

  • @isheamongus811 6 months ago

    Maybe something like if (1=1) may work

  • @same4047 1 year ago

    Sir, I have been facing problems with my Bluetooth speaker: every time I turn it on it prompts heavy, annoying sounds like "Bluetooth pairing is on", "USB mode", etc. How can we remove these prompts, or customise the Bluetooth device name? Also, could we make a device which could connect to multiple Bluetooth devices and simultaneously output all of them from one source/smartphone 🤔

    • @jabbawok944 1 month ago

      Check out darieee. He does that kind of thing.

  • @tyronetyrone2652 9 months ago

  • @bomber78963 1 year ago +5

    I'm guessing they beefed up their passwords after this recent CVE: nvd.nist.gov/vuln/detail/CVE-2016-10115
    One option may be to fuzz the UART inputs? Perhaps something in the password check logic may have a bug.

    • @mattbrwn 1 year ago +2

      I thought this was going to be the case as well! Check the pinned comment! Someone cracked it already 😂