Hacking an AT&T 4G Router For Fun and User Freedom
Вставка
- Опубліковано 7 тра 2024
- AT&T doesn't want their customers to modify their own devices. In this video, I show how hardware hackers can take back control of their devices through the process of firmware extraction and firmware analysis. Specifically, we take a look at the CDS-9010 LTE router and extract the superadmin credentials via the UART U-Boot interface.
AT&T Forum Questions:
- forums.att.com/conversations/...
- forums.att.com/conversations/...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #righttorepair #jailbreak - Наука та технологія
Bro's face is like Jim Carrey
LOL I get this all the time.
@mattbrwn It's weird how that happens sometimes.
There's a dude working as a parole officer (for youth) for Oregon who looks just like Ryan Reynolds. I'm pretty sure he's in a official blue book somewhere.
"Cable modem" guy! 😄
@@mattbrwnyou're about to get something else in a second brb
Best! What a great video. Well done
didn't expect to find a wizard today.
i think that was one of the better explanations and demos i have seen. smart dude for sure.
They arrive precisely when they mean to.
How is this wizardry? All of this is fully documented ad-nauseum in the OpenWRT wiki...
Nice fully agree there! Looks like Bowtie Ape "w/ a plant on it's head", does too * `~{[:rC[})-B
Please don't stop, and keep doing it, it's so interesting to watch it.
That's what she said..
I am a high school Cybersecurity teacher. This content is pure gold. Amazing work. 🎉 This was a pleasure to watch.
i think its amazing whatever school you work at provides classes like that, i wouldve loved that back in the day
Seriously, what school you working at? That's pretty awesome if you ask me.
they teach cybersecurity in high schools now?? that's incredible!
@@wileysneak PLTW... Project Lead the Way. The curriculum is really cool. Kids love it.
@@meekmtck5917 Southern California schools, but many schools have this as a newish subject.
The SoC and modem in this router are common and supported by OpenWRT, it would be cool to see port for this device as part of more open firmware in the future!
yeah, those things using custom linux with init instead of systemd are slow as hell to boot
I'm pretty sure it's actually running a (very modified) OpenWRT anyway. some of the data in the "strings" output against the extracted config match up with those found in openwrt configurations (eg: NintendoCapable=0)
@@__Ben Yes it most likely does, but the differences between years outdated proprietary version that OEMs use and official is extremely large.
@@__Ben That interface looks a hell of a lot like a barely customized DD-WRT install.
AT&T shameless gpl viol;ator by not releasing the source code of the kernel used
That's one splendid hack, and a pretty easy one at that. Since it's Linux based, AT&T is obliged to publish the parts of the software that are GPL licensed, like Cisco/Linksys famously was with their WRT54GL back in the 2000s. Device configuration, user data etc. can be protected and fortunately they did a lousy job at that, when you're in, you're in. Also, I saw a Raspberry Pi reference in the UART output, it makes things interesting as to how the system was built or developed.
You're truly exercising your right to own things here - you'd make Louis Rossmann proud!
Raspi I believe is the code name for the custom firmware AT&T has on these.
One neat thing about these is the wireless settings in the web ui for SSID are not restricted meaning you can put anything. I put a lenny face in and it took it and broadcasts it with no issue. You cant just put in spaces though as it will default to ATT_AP24 for 2.4 GHz and ATT_AP5AC for 5Ghz. at least thats what it does on mine.
The webui is very VERY similar to the Readynet routers I have as they allow like 5 SSID's per radio to be active. and the overall look and feel resembles a DD-WRT UI
ky5 tr00n
@LouisRossman
@@waltergonzalezpaz5995 that's @rossmannrepairgroup but I doubt tagging in a comment does anything.
“raspi” is not “raspberry pi” but rather “ralink spi”
I believe the "phone" ports on that device are for an ATA gateway, which would provide POTS lines from the cellular interface.
very interesting. I've never messed with anything with POTS before. makes me think of the phone phreaking scene back in the day
they can be very useful if you ever wanna do some retro hacking, it lets you simulate a phone line so you can dial from modem to modem without ever touching the "real" network
I believe this is correct, the phone ports on this particular unit are for POTS line out (aka. landline phone hookup via cellular). Although I'm pretty sure I've seen these cellular modems that ALSO support POTS line in for DSL connection. Either way, for all the cellular modems like this I've seen I can't recall ever seeing someone actually use this feature, lol.
I've been hacking on a similar AT&T cell hotspot type device, and can confirm the POTS lines are to hook up a phone and make phone calls in and out from the cell radio. The ZTE M279 based devices used by AT&T also had an open web config interface.
ATA? You just gave me a Telix flashback.
This is the first video that I see of yours, and let me say I loved it. You explain really well and seem so passionate that it is contagious. Great work!
+1 this
hell yeah. +1
+1, clear explanations, fun to watch.
ATT pulling a good ol sony, locking a device down after the fact only incentivizing breaking it open completely.
excellent work!
Most of the routers/modems that I have dissembled would have a password hashed and not stored in plaintext, so eventually I have to modify the bin file locally on laptop and then write it back to device with custom password hash.
This is a great video for people who wants to get started.
You can copy that hash and run password list program and check if there is one before that
Nevermind what it uses to encode the password, set the normal user password to the one you would like to use in the root account and then copy the user password to the root password, you can get a spi writer and modify the file.
PROM incoming?
As someone with a computer engineering background, this video is up my wheelhouse. I loved your explanations and contexts you gave. I knew at the end that you were going to check if SSH was enabled.
Dude, I've been in the Software Industry for 20+ years and I am stumped why you only have 18.3K subscribers 🤔
Really liked this video, reminds me of the stuff I use to do for fun, I had to subscribe to your channel to help you growth - Great Job 😀
Because people be dumb
It's probably because the video is far too quiet and can't be heard without absolutely cranking your setup and having notifications blast your windows out of your house.
Yea....no. Your sound settings are probably jacked up, likely on some surround setting which would manifest in the way you described it. But there is nothing wrong with the audio of his video. Just sayin.@AngelaTheSephira
@@rupertwellington3744 According to Audacity, his audio is at -12 dBFS, which is not the proper leveling. It should be about -6 (the safe option) -4 (UA-cam itself's recommendation), or preferably, -0 and allow UA-cam to level it on it's own.
@@rupertwellington3744 I replied, but UA-cam ate it.
According to Audacity, his leveling is at -12. This is not the normal UA-cam leveling, so it's way too quiet. UA-cam itself levels anything above -4 to -4. This is where it should be, but alas, it isn't. And my setup is on All Channel Stereo. On Direct-to-Speaker, it's even worse.
My guy - your videos are off the chain. You've got a talented way of explaining and walking through these activities. Keep it up!
The POTS port is for VOIP lines. Great video.
I wasn't aware of this but this process made a surprising amount of sense. You're very good at explaining what your are doing. Thanks for opening up a rabbit hole. Looking forward for more.
In Paraguay they do the same. Those ISP guys don't want savvy people to me with those devices. But we want to do more than browsing the web with those devices. Thanks a lot for this amazing job.🎉
I’m starting starting classes for cybersecurity and this video feels like discovering the secrets the Jedi don’t want me to know. Great video, thank you!
Loved the troubleshooting to identify the UART pins. Super well explained!!
Nice stuff, good explanation. A suggestion for the next more hardcore step in fw hacking - get a device with a locked bootloader and extract the creds by sniffing the SPI traffic from the flash chip on boot with a logic analyzer. Would be watching this 100%
Better yet just pull the SPI chip and read it out with an Arduino! No logic analyzer needed.
@@pcguy619 Oh dude, the arduino adapter isn't that good man, i mean you can try but if you need something new i'd recommend an spi programmer.
This is awesome. I’m an iOS engineer. Going to start learning some server side programming at work next week, but this hardware hacking is magic to me and very cool and entertaining. Keep it up!
This was super interesting to watch. Also, it's always nice to obtain root access of owned devices. Don't want companies to sell restricted access crap.
You did a really good job doing this live. I appreciated how authentic it was and that I was able to learn through your process. Well done + thank you.
Hey Matt, great work! I love that you explain it in detail, even though you already explained in other videos. Its nice for people who are getting into this "hobby". Great videos, keep it up.
That's so funny. I just did this exact same thing to my unit that I have a week ago. And it took me hours to figure it out. Now watching your video, it could have been done in. minutes However my password was different
very interesting. If you join our discord server I'd be super curious what other values in that CONFIG are different and what are the same.
Right! I commented above wondering if there was some relationship between the device serial number and the superadmin password… a little ASCII's decimal to binary, a few shifting of bits left or right, and ending with a binary to decimal's ASCII characters.
As someone who’s never done this but is super interested in tech, I loved this. First video I’ve seen from you. Loved how you take the time to explain your logic and the “why” behind your decisions. I sub’d and look forward to the next!
This was awesome to watch, I just subscribed. I've been slowly getting into Kali, hacking into my personal devices, etc. This showed me I can do so much more!
I've recently started to look into hardware debugging and found your channel. love your content. keep making it. i'm learning a lot
This channel under rated!
Please keep doing more content!
This is awesome! You demystified lots of things for me in this video, including finding rx and tx for a device with a multi meter. Kudos, and keep up the good work! Subbed.
Yes, please keep doing content like this. Seeing your thoughts process is helpful, like where the likely vulnerabilities are. I've desoldeded SPI flashes to pull the filesystem when I had uboot shell, iirc. Would have been good to have this video back then.
First time seeing your channel. Really enjoyed it! Now I might have to look for stuff like this. lol great job!
Old school electronics guy, have my Associates degree from 1997 & have never been much of a programmer. Have to say this was great entertainment as well as highly educational. 😊😊😊
Yes my last lasses was in 2014 which was a programming class when i decided to try and finish my BSEE. 😂😂😂 not sure who i was fooling but did pass my C++ class and said nope😮😢😢😢.
Anyhow i was able to follow your line of thoughts and SEVERAL commands. 🤔 🤔 🤔
Earned a new Subscriber!!!
As well as some Gen-X approval ...😅😅😂😂
Definitely keep producing this kind of content! I enjoyed your video enough to watch the whole thing all the way through!
Bro, im loving all the new content!
Just found your channel and subbed. I'm just starting my journey into hardware hacking. Your explanation of this device has supercharged my journey!!! Truly hope you keep hacking this devices LTE side & openwrt routing 🙏
Edited for spelling: dang autocorrect 😅
Wow very smoothly you got that much data .
I'm a freshman student of cyber security domain and I'm also interested in electronic gadgets so i hope one day I'll become like you ...
Fantastic. You made quick work of that, far faster than I expected.
Some AT&T manager will click dislike on this video 😂😂😂
Dude you are my new favorite channel. I’m such a nerd but this is gripping content. Please keep it coming
I work with these CDS devices on a daily basis and I can't tell you how frustrating they are.
These AT&T 9010's are not the only model that has this issue. Dataremote puts unique login creds on each device and makes it a huge pain for their customers to access them.
I wish I could do what you just did here at my work lol.
Waiting for You to start interacting with the LTE modem.
working on it :D
@@mattbrwnDefinitely upload a vid when you do! You seem like a great presenter!
The dislikes are from AT&T XDD
I don’t know anything about the hardware hacking and easy to say this is a bit over my head. But you did a great job of explaining things without getting into the weeds. Great presentation!
That was amazing and very informative. I loved every minute of it, Your breakdowns of your thinking process during each step was fantastic and made a very complex thing seem approachable. Keep the videos coming, I would love to see what you hack in to next!
Wait, did that really go that smoothly? You guessed the UART settings and pinouts the first time? The password was in clear?
"raspi" ..... 🤔🤔🤔
yeah I saw that too. no clue if they reused any code...
@@mattbrwnMost likely means Ralink SPI, rather the raspberry pi.
Super interesting and your demo was so well constructed. Subscribed!
I started programming with game development and its still my main interest, but damn every time I watch something like this it seems so fun and you always explain everything really well.
A tip for everyone here: anything with an IP address which joins a network likely runs Linux and can be attacked through JTAG. JTAG is supposed to be disabled on production units but it's cheaper to manufacture and leave it open/connected. Some manufacturers can send a software update to blow an e-fuse which would disable it😋
Or uart which often is also left open
My dude really needed to break out the python to math out the simplest hex conversion ever
Very good nice, nice that you explained various things in more detail as you went through rather than just assuming everyone knows it already :D
First time watcher: subscribed. Love it! Thank you.
I smiled through your whole video and similarly laughed when you tried to log into the web interface the first time.
So relatable
Writing your own parser in python for the hex dump was a nice touch. Keep it up man, you have my sub.
This is cool content. I love these short and high level overviews. This is basically how I imagined in my mind dumping flash to a file for hacking would be. I subbed.
I enjoyed watching this. The whole process step by step was really interesting. I was tracking with your thought process. This was awesome from hardware hacking to software hacking, and all the tools that you used.
hey, thanks so much for this video. I'm keeping old routers and tv box in the hope of being able to use them for a new purpose and this tutorial is a wonderful first step towards that goal. keep it up man!
Dude this is a really good video. Like seriously you should be proud of this. Keep up the good work bro. Fantastic
I'm just getting into hardware hacking and these videos are like gold to me! Thank you! Keep em coming!
Great video. Always looking for more channels like this. Youve earned a sub!
Hey it was very impressive to see your process of discovery and execution. I love to tinker with old junk as well but i definitely don't have the same level of skills as you do. Thanks for bringing us along. Looking forward to future content for sure!
thanks for making these. i used to tinker with some old cable modems with my busPirate v3 over UART etc. nothing crazy, but recently ive been getting back into hardware hacking (just got the buspirate5) and yeh, these old modems are a perfect entry point to mess around. glad to see someone really digging in step by step
To be honest, as someone who knew already where this is gonna go it was interessting to watch and listen. Thanks for the entertainment 👋
Congrats on the vid blowing up, glad I found your channel
I've recently been getting into microcontrollers (my favorite right now is raspberry pi pico) and your channel is sick! Specifically I've been getting interested in firmware in the stuff that's around me. Imagine the security implications in buying a device at walmart, updating the firmware to communicate with something you control and then return the device to put it back on the shelf.
Security is fascinating and the more I learn the more I understand all security is penetrable with the right techniques
is this why all the newer devices I have looked at prompt you to change passwords as soon as boot it up?
Very solid tutorial. I’m familiar with this stuff, but not confidently so. You do an excellent job demonstrating all the little things that are hard to know without being shown. I learned a lot. Thanks so much for sharing.
I really enjoyed this, Matt.
I love watching stuff like this. It gets me in the mood to work on my projects as well.
I wonder why AT&T did not want people accessing something they now owned?
It's kind of strange. If there is anything in there that might give you a hint, please make an updated video.
It will be interesting to know if AT&T is trying to hide something.
It honestly makes me think they are spying on your internet usage while your devices are logged into the system.
You might want to check for outbound traffic going to an IP address that you know you have not accessed.
You never know. You might uncover something here.
Good luck, and yeah, continue doing stuff like this. Very cool, and Subbed as well.
Because it's a branded / managed service. If you want your own device to manage, don't buy their branded device. (of course, they generally don't allow that anymore... lost revenue, and higher support costs.)
@@jfbeam So you're telling people to do something you know might not even be an option offered to them?
@@jannikheidemann3805 Do it if you can/want to. If the provider doesnt allow it, try to find a different provider if thats important to you. If you cant, that sucks. The root issue here is companies like AT&T wanting to milk consumers for every last dollar. They want us to own nothing and be happy.
Really good, clear explanation of your thought process. You have natural talent. Keep the videos coming!
Wow, I have no idea how I got here. I’m not a tech person, I still type with 2 fingers! Seeing your process was great.
Very relevant, consistently on topic and free from undue disturbances or annoting omissions. Also interesting.
Great video! First time, immediate sub. I'm a cybersecurity student, but I always wondered how hardware hacking worked. This video is a window into this area, and I will be following to learn more. Thank you.
BTW, some people have said you look like Jim Carrey, but I'm getting Matt Damon vibes.
This was really cool to watch, please keep making videos like this!
That was fun to watch. The process in general. Very interesting to see. Thanks!
Excelent video! Good delivery, good detail. I could see and follow everything you were doing.Thank you. :)
great video! Very interesting how that can be done as "easily" as you did it. Very appreciative of folks like you out there doing this kind of thing to return power to the users.
Cool intro into using the UART interface! I didn't know you could actually access the device like that through it.
I have to say, its been a while since a watched a new channel, and a long video like this one ? longgg time.... I really enjoyed it man
Epic bro. Was nice they put that pre-included the serial port for you lol.
Love the content! More LTE stuff, I use Verizon LTE sim in an OpenWRT router and a Foxconn Cat16 4x4 MIMO modem and get slamming speed up in the boonies 13 miles from any high speed internet end point other than DSL and these devices have been a life saver. Few tips, flat panel antenna with no more than 1.5-2 FT of coax on each antenna lead, high as you can to get over tree's and have direct line of sight to tower or the best signal clarity you can get with how high you are willing to go up in height, I have a 76ft tower and the modem with two flat panel 2x2 mimo antennas mounted on top pointed towards the tower. Have seen 160Mbps at times with only a 4G unlimited Red sim, no 5G!
You’re an amazing teacher! I learned so much so please keep it up! I just subscribed!
So I had the bright idea of purchasing a AT&T Edgewater (now owned by another company.) EdgeMarc 4808 Multi-Service Voip gateway. I had to dive into U-boot and such. I got all the way into it. Then got stopped by a Hash password. I was able to U-Boot a version of Linux via TFT server. But, it did not have ran out of know how to get it to mount the MTD partitions. They are cruel enough to not give me write commands in U-Boot to write the file back after modifying the file. If you want to take on a task. Probably be better at it than me. I can even read the files from the partition and load them into memory. Would be a great tool for the 24 port fxs ports. If I can root the thing. On a side note. I got a cisco 4331 router with 4 fxs port. Got that to work for simple stuff. Still trying to get a T1 line up for a Avaya ip office 500 v2 pbx though.
Another comment said they were able to overwrite the hashed pass in spi with their own hashed pass then used that to login
Hey Matt. Thanks for the video. You are far more capable than I am. I'm learning. Seeing your process is inspiring and I'm so appreciative. Please keep making more like this.
Awesome trip down memory lane Matt … more content like this PLEASE!
Great content! Really enjoying catching up on it all, keep up the great work
Love this kinda stuff! Subscribed! 👍🏻
Loved the video! I have to confess that I envy your knowledge (in a good way). What you do seems to be super fun! Just so you know, here in Argentina, all ISP devices are managed by the ISP, and we don't have access to them. That's the common rule here. The issue is, if you manage to gain access to the device and change anything, as soon as you reconnect to the ISP network, they overwrite your settings with their own. So, unfortunately, there's not much you can change on your side.
Great work. How convenient they left the JTAG pins on the board. The webui looks like a modified / themed version of dd-wrt. I loved the step by step instructions.
Rx tx is not Jtag. It’s UART . Jtag is always accessible since they need them to program the chips which was one of the other headers which is usually tdo tdi tck tms and sometimes trst
I enjoyed watching. Keep it up Matt. Fun stuff! :)
Sick. I know the very basic stuff like flashing custom firmwares but this was awesome. Subscribed
Loved the hyper-tutorialesque approach of the video! Made me feel at home, even though I already know part of what you teach!
This is a fantastic multidisciplinary hack, non-destructive, and probably applicable to a wide range of devices. Excellent pacing, demonstrated with mistakes and recoveries from them. This is Ben Eater level stuff. Subscribed.
Very interesting stuff!! I am in the process of doing the same on a fiber gateway router for a local ISP that locked out its users of the web admin page also. You gave me a lot of nice stuff to test.
This was awesome to watch! Thanks for showing! I wanna see more like that.
I learned more in 30 minutes than I've learned in college this semester. Thank you! +Subscribed
Great video! Clear, concise, and thorough 🤘
Incredible work! I'm going to be taking a cybersecurity program at my local college this fall and I think I just found my new favourite youtube channel hahaha
Love to see 4G speed test on this router and also if it supports the 4G band change as well.
That was interesting, Thanks for explaining each step rather than just rushing through or worse having so awful music and being difficult to hear yourself. To me those ones are useless when they do those things because instead you would have to keep pausing it and also getting some song you don't like out of your head! Well done!
I didn't understand a single thing you did, but I watched every second. I wish I could go back and learn stuff like this.
What an incredibly cool video. It blows me away that such a huge oversight was found.
Thanks, Matt! Amazing work as always!