UART Root Shell on Linux Router - Hacking the Totolink WiFi Router
- Published 4 Oct 2024
- In this video, we discover a hardcoded root password through the aid of OpenWRT's failsafe mode.
OpenWRT Failsafe Mode Docs:
openwrt.org/do...
Need IoT pentesting or reverse engineering services?
Please consider Brown Fine Security:
brownfinesecur...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
Raspberry PI Pico: amzn.to/3XVMS3K
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
Soli Deo Gloria
💻 Social:
website: brownfinesecur...
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nma...
#hacking #iot #cybersecurity
Been a while since posting a video so thanks for viewing!
Was busy last month competing in a HackerOne Live Hacking Event with Amazon and AWS! Excited to get back to YT. 😎
Do you have a video about the base setup of the machine you use for this in general?
How nice of them to label and even populate the UART interface lol
Never worked on any big project but I'm always blown away by how easy people make it for themselves in production.
Have I lost encrypted drives due to me forgetting the password? Yes, because I was supposed to remember it. Have I made it harder for me to figure out a program after turning off all debugging information? Yes, because only two or three people were supposed to test it.
Have I heard the line "omg the password is too hard";
=company(yearofthelordQ[1-4])
My passwords at work are usually =nameofcompany(24Q4).... or: equal name of the company, the year I made the password and the quarter that we are in.
Why on earth would Sara from CS ask the customer "please connect to the UART port and press F, now remount the partition and you should be all clear :)"
Mark from engineering should only need to press F on his testbench, have the bench type the password and press R for reset or F for "I'm a big fuckup" or Factory reset.
I don't get why they would dump all that information in human readable characters in a production model... it's nice for right to repair, but they could also just advertise it to the customer if that was the point: press the F button and you should be all good.
Awesome, just what I was looking forward to!
Coincidentally I just opened my old ASUS RT-AC57U V3 router and the UART is even labeled!
Strangely enough the router has a dropbear SSH server that you can turn on in advanced settings, but the entire rootfs seemed to be mounted as a tmpfs.
I'll post some comments here after I get a little bit more time to investigate the router later today.
It can be that the rootfs is a squashfs read only image
Man, "google the password hash" is such a forehead-knock moment, absolutely beautiful!
It's amazing to see your projects; you have opened me up to a whole new domain.
Finally, I was waiting for the upload.
We know it's a great day when there's a new drop by Matt Brown.
Your videos are what got me into technically-computers-but-almost-not-really type things like routers. I have 1 router, but I'm not gonna mess with it until the new year as I'm waiting to see if the company wants it back as I just upgraded my internet.
Finally some use for those suspicious thingies trying to pass as TP-Link
To be fair I'm suspicious of any TP-Link product to begin with.
nice, really fun content to watch! keep up the good work!
Very useful video. Keep it up!
Another great video. Looking forward to the next one
LOL. You didn't remove the label. You cut it. Warranty not voided!
Lol good point.
Awesome Video.
Hah, I am watching this while messing with a TV set-top box via UART and compiling OpenWRT for my router I am also working on, but the router is lying on the side of my desk while my set-top box is near my keyboard. It's also partly due to your videos that I got inspired to go hardware hacking and uncovering the world of embedded Linux. It's also because I just like messing around with devices and stuff! And sometimes uncovering vulnerabilities and easter eggs/hidden elements.
great video, subbed
Awesome, a new video!
Great video buddy!
Can you make a detailed tutorial about Openwrt firmware? I know my request is out of context but it would be helpful for me since I like your explaining style
Casual vacations to Southeast Asia ❤❤❤
Not just OpenWRT, but an ancient build -- not shocking, considering everything else, but still! Barrier Breaker on a contemporary device? Yikes.
The irony is I'm actively doing a uart install while watching this
Ok
oK
Nice video :)
for the algorithm
Oh, TOTOLINK is the most insecure router I must say. Its cgi-bin is a vendor's software written in C and is full of OS command injection and stack-based buffer overflows. They made a mitigation function to detect OS command injection but it's very to bypass it (I discovered this one and got a CVE).
P.S.: I bricked my TOTOLINK testing a blind OS command injection (which writes a value into the system) LoL. Reset button helped nothing lmao.
Almost too easy. But then, as you say, why do a load of hard work when someone else has already done it for you. Something to always remember before diving in headlong.
I enjoy your videos. Any chance you'd do a video on Qualcomm modem hacking inside mobile devices? Maybe not even physical, I'm just trying to understand how some things work and you're good at explaining things. The sim unlock flow is very interesting to me, i think i understand it but maybe I don't. I captured my network unlock https flow (oneplus device) which gave me some ideas of how it works but info on the depths of this topic is highly guarded it seems
That router is very similar to the Netgear X10 router
What terminal software is he using? Looks clean.
i3wm + i3 gaps config + xfce4-terminal
6:17 "Catution"......"Waitting"