IoT Hacking - Netgear AC1750 NightHawk - Firmware Extraction via Root Shell
- added 23. 04. 2024
- In this video we use the UART root shell discovered in the last video to show two common methods for extracting device firmware using shell access.
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #reverseengineering #firmware - Science & Technology
This series is becoming more fun with each new video. Small issues and pitfalls are making it better to both watch and learn new ideas. Looking forward to reversing the firmware. And I need to say that you earned my respect with your knowledge and video style!
Matts a fuckin god bro
I don't know why CZcams sent me here but, I just want to say that even though I don't know much about computers, your explanations and methods are still digestible and entertaining. Now excuse me while I do a bunch of googling lol
Just a note: when you are feeding dd to or from pipes, you may be surprised with the results. If you don't believe me, try running "yes | dd of=/dev/shm/out bs=1024k count=10" multiple times, and check what the size of /dev/shm/out ends up on every run. Simply put: you want to use the "iflag=fullblock" option of "dd" if you want to always be sure there won't be short reads that may corrupt your image.
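The short-read pitfall from the comment above, reproduced locally as an added example (this script is not from the video or the commenter). It uses `yes` as a constructed stand-in for a pipe-fed source; on a real device the input would be the flash partition device node, and the size check is what you would run before trusting an extracted image. `iflag=fullblock` is a GNU dd option.

```shell
#!/bin/sh
# Added example: why dd reading from a pipe can silently produce a short image.
# `yes` is a constructed data source standing in for a pipe; on a device you
# would read something like /dev/mtdN (hypothetical node name).

WORK=$(mktemp -d)
EXPECTED=$((10 * 1024 * 1024))   # 10 blocks of 1024k = 10 MiB

# Naive copy: a read() from a pipe may return fewer bytes than bs, and dd
# counts each short read as one block. count=10 can therefore yield fewer
# than 10 MiB while dd still exits 0. Prints the resulting size in bytes.
naive_copy() {
    yes | dd of="$WORK/naive.bin" bs=1024k count=10 2>/dev/null
    wc -c < "$WORK/naive.bin" | tr -d ' '
}

# Corrected copy: iflag=fullblock makes dd keep reading until every block is
# full, so count=10 means exactly 10 full blocks. Prints the size in bytes.
fullblock_copy() {
    yes | dd of="$WORK/full.bin" bs=1024k count=10 iflag=fullblock 2>/dev/null
    wc -c < "$WORK/full.bin" | tr -d ' '
}

# Sanity check to run on any extracted image: the byte count must match the
# partition size reported by the device (e.g. from /proc/mtd). Returns 0 on
# match, 1 on mismatch.
verify_size() {
    # $1 = image file, $2 = expected size in bytes
    actual=$(wc -c < "$1" | tr -d ' ')
    [ "$actual" -eq "$2" ]
}

# Stand-alone run: show both sizes and check the fullblock copy.
naive_copy
fullblock_copy
verify_size "$WORK/full.bin" "$EXPECTED" && echo "fullblock image size ok"
```

Run it a few times: the `naive_copy` size varies from run to run on many kernels, while `fullblock_copy` is always exactly 10485760 bytes. The same size comparison (and a hash comparison) belongs at the end of any netcat or base64 transfer, since a truncated image will still often "extract" with binwalk and waste hours of analysis.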
Ela synonomate
This one looked a lot easier than that 52 pin flash rom you lifted and extracted, swear you are taking the piss with the soldering effort on the power connector. We know you can solder Matt lol!
Your skills and explanations are legendary, great stuff!
And another banger! :D Keep it up Matt!
Thanks for another great video Matt!
There's a hidden lesson in this video: Never remove [vfat] removable media right after performing heavy IO without properly umounting. :)
Looking forward to the reverse engineering 😊
Very Clever.
Awesome!
waiting for next part
hey. Firstly, I would like to congratulate you on your work, I am a fan of yours. And I would like to ask you for help. I would like to install a clean Linux on an antiminer. Do you think it's possible? How would you do? Thanks.
Nice Videos
Do you use discord? I have a question on a BGA153 that your input would be awesome on. Anyways, subscribed. Finally some good in-depth IoT reverse engineering.
I'll be posting a video Friday about a community discord server I'm spinning up ;)
Question: instead of using netcat, could you use ftp (or sftp) instead to copy the files over? That would seem simpler (netcat is good stuff however). Just for some more irony, set up the shared usb drive to be publicly accessible (through the router's web console) and put the binaries you need for extraction on there, and the firmware files there also, then for them back using your main rig.
There are lots of ways to do the file transfer. What is "simpler" is often a matter of opinion. I think netcat is easier than ftp/sftp but that's just me.
Interesting, but I was wondering if network transfer couldn't be simplified by mounting a network share as a filesystem on the router exactly like a flash drive; it does have some kind of file sharing software already after all.
And the 2nd thought: you show a lot of videos on how to break into a device like that, but did you ever make a video about what you can use such an end-of-life internet device for? Like that camera from a year ago, did you ever make it work for you as a camera, or did you just get inside and were satisfied with it?
I would be very interested in something like this: getting your hands on an EOL trash device, asserting its capabilities and repurposing it for a totally different use.
secure webcam >>> ip camera with web interface to see the broadcast live, or something similar
file sharing wifi router could possibly become low spec terminal server or bbs
Do you ever, or have you ever, mucked around with arduino and/or pi? Be curious to see some of your microcontroller based ideas!
Thanks for all the videos. If you could make videos on network equipment that is about to reach end of life with cisco, so it doesn't become ewaste and can have openwrt installed.
How do I start learning how to do this stuff?
This is a great series and great channel. Keep HACKING hardware, we like what you are doing. Here is an idea for a future video: show us how to root shell a dsl or router of any kind over the lan remotely, such as async calls or other channels of comms.
Hey, amazing videos! Thank you.
I have couple of questions.
1. Can you explain how this extracted firmware is different from simply downloading latest firmware zip from the manufacturer's website?
2. isn't this UART root shell same as just enabling SSH via webinterface and simply logging in?
I'm definitely confused.
1. When you extract the firmware from the device itself you will often get writable partitions with device specific data that is not in the firmware file. Also, most newer devices don't let you just go to the manufacturer website and download the firmware file.
2. Some devices might allow you to login as root but many do not give you this level of access.
That makes sense. I was under the impression that if I got a root shell via ssh I was a root :-D Turns out they were tricking me all along.
Thanks for your explanation @mattbrwn
Haha dream scenario being dropped into a root shell, wish all devices were like that 😂 Makes life so much easier having a shell on the live device, see any debug output, see what's running, try exploits against it, rather than going the whole emulation route on your main box.
I did the netcat way on a recent router I checked out, was awesome, totally hadn't thought to use netcat in that way, worked a treat!
Another question, have you ever de-soldered a memory chip and read it using a programmer and still can't find a file system? Or binwalk extracts stuff and it's basically empty, maybe a handful of files in what it extracts? Most devices I've fiddled with recently are far from straightforward. Trying to find some resources on what to do when this happens, I'm guessing it's some read protection on the flash chip itself maybe?
Also, don't forget to remember your head is taking up the bottom right portion of the screen, so we can't see any commands you're typing behind your head haha
Yeah, definitely on microcontroller/RTOS systems you will not get any filesystems out of the flash chip readout. In those situations you can look at the strings or try to dive into reverse engineering the binary code if you know the load address of the MCU target.
is there a way to extract full firmware and repackage it for use in another router of the same model?
In theory that would be possible.
I guess you already know this, so sorry if I'm teaching you how to suck eggs, but maybe for the benefit of others: dd piped into a statically compiled base64 encoder is another option, and then you can pull the binary data out directly via the 7-bit ASCII available through the root shell UART :)
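The base64-over-serial transfer suggested above, simulated end to end as an added example (not code from the video or the commenter). The "device side" turns a constructed 64 KiB stand-in for a flash partition into a single 7-bit clean line; the "host side" decodes what was captured from the terminal and the hash comparison confirms nothing was dropped or mangled by the console. `base64 -w0`, `head -c` and `sha256sum` are GNU coreutils options; the device would need a static binary or whichever hash applet its BusyBox build provides.

```shell
#!/bin/sh
# Added example: base64 round trip for a serial-console transfer, with an
# integrity check. Constructed input; on a device the source would be a
# partition node such as /dev/mtdN (hypothetical name).
WORK=$(mktemp -d)
IMAGE="$WORK/image.bin"
# Constructed stand-in for a flash partition: 64 KiB of random bytes.
head -c 65536 /dev/urandom > "$IMAGE"

# Device side: read the partition with full blocks and print base64 with no
# line wrapping, so the whole image is one line in the terminal log.
device_side() {
    dd if="$1" bs=64k iflag=fullblock 2>/dev/null | base64 -w0
}

# Host side: decode the captured line back into a binary image ($1 = output).
host_side() {
    base64 -d > "$1"
}

# Hash of a file, hex digest only.
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Run the transfer and compare the hash of the original with the decoded copy.
# Prints "ok" when the image survived the channel intact, "mismatch" otherwise.
check_roundtrip() {
    device_side "$IMAGE" | host_side "$WORK/decoded.bin"
    orig=$(digest "$IMAGE")
    copy=$(digest "$WORK/decoded.bin")
    if [ "$orig" = "$copy" ]; then echo ok; else echo mismatch; fi
}

# Stand-alone run.
check_roundtrip
```

In practice the device-side hash is computed on the device and compared against the host-side hash after decoding; a mismatch usually means the terminal program inserted line breaks or the UART dropped characters at high speed, and the fix is a lower baud rate or sending the image in chunks with a hash per chunk.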
Did you ever encounter a device that gave you uart but no write access? E.g. you see the device booting, you see "hit key to enter shell" but the device wouldn't accept any input. When I was hacking on a device I was only in uboot without internet or usb, so I retrieved the filesystem using kermit... Horrifying, it took like a day.
Once had a device that showed the serial output @115200 but only responded to commands @9600 🤷♂️
Yep lots of devices have the device serial RX line disabled. Very sad indeed
@@mattbrwn There must be some way to enable it though right? The manufacturer must be able to debug them surely so they must re-enable them somehow?
Sometimes you can find lines on the physical board that are not connected. Bridging the connection may give you the ability to tx to the Rx line of the device. It's the manufacturer's cheap way of setting a roadblock. @@0xbitbybit
I have been watching your videos but there is no particular guidance for hacking things. I think you have to put that in.
I don't know why this is labeled hacking. You are merely browsing a filesystem - or attempting to while using illogical tools to copy data. But yeah, if you are gonna do it 1980 style with a terminal, sure.
If you ever have a device that doesn't have dd, couldn't you just use the cat command and > ?
So it would look like
cat /dev/sda1 > /path/backupfile.bin
My thoughts exactly. :)