This is awesome! You demystified lots of things for me in this video, including finding rx and tx for a device with a multi meter. Kudos, and keep up the good work! Subbed.
This was awesome to watch, I just subscribed. I've been slowly getting into Kali, hacking into my personal devices, etc. This showed me I can do so much more!
Just found your channel and subbed. I'm just starting my journey into hardware hacking. Your explanation of this device has supercharged my journey!!! Truly hope you keep hacking this device's LTE side & openwrt routing 🙏 Edited for spelling: dang autocorrect 😅
After getting to the command line interface at 15:40, my router didn't have the same "spi" command, only the "spi_nand" and "md" tools that freeze after reading some memory. So my workaround was:
* I looked at the "printenv" output and found a "bootargs_base" var
* I modified "bootargs_base" with the "setenv" command to include "init=/bin/sh", then ran the "boot" command
* I looked at how the scripts in /etc/init.d/ mount the "config" partition and mounted it on /var/config
* I searched through the files in /var/config/ for "PASSWORD" and eventually found the correct password

Great video!
I smiled through your whole video and similarly laughed when you tried to log into the web interface the first time. So relatable. Writing your own parser in python for the hex dump was a nice touch. Keep it up man, you have my sub.
That's so funny. I just did this exact same thing to my unit that I have a week ago. And it took me hours to figure it out. Now watching your video, it could have been done in minutes. However, my password was different.
Right! I commented above wondering if there was some relationship between the device serial number and the superadmin password… a little ASCII's decimal to binary, a few shifting of bits left or right, and ending with a binary to decimal's ASCII characters.
I work on cars for a living but this caught my eye and I’m super surprised this guy made this sound simple, I actually understood a lot of this and now I want to take a random store's modem to read it 😂
As someone who’s just getting into linux and hacking my pos hand me down laptops at work, so i can make them run properly without the bloat of windows- i applaud your video. it was great to follow along even though some of the stuff was above me. i still see many things that i recognize like initramfs and busybox shell. appreciate the content this is one of the best videos i’ve seen in a long time
34:28 "If I can do it, you can do it." I wish I could do that, that looks fun to be able to do that with devices but I am 100% sure that is something only a select few people can do as it looks like it takes a deep understanding of a lot of things. If it was possible I am sure there wouldn't be any internet forums asking for help about it LOL
You need help for sure but nothing that you can't learn with those forums in time. This router specifically was poorly designed and seems like a good start :D
Really cool Matt, I've seen similar configurations for Industrial LTE routers.. The POTS ports were initially intended for 2 line VoIP service they offered, not for dial out access (though it could still be accessed via hardware IO for that)
This is a fantastic multidisciplinary hack, non-destructive, and probably applicable to a wide range of devices. Excellent pacing, demonstrated with mistakes and recoveries from them. This is Ben Eater level stuff. Subscribed.
Dude! This is so cool, I'm studying to get an engineering degree and I hope to be as inquisitive and daring as you are. I also find this to be so cool to watch! Human curiosity and perseverance are mind-blowing. Keep up the great work
oooh i love this kind of content, no bs, no trash talking.. even though i dont know that much about hardware hacking this was so cool to watch. this guy did get lost only one time and we all laugh at it at the same time :D subbed...
I’m nowhere near as technical but this was really entertaining and informative just watching the thought process and steps you take to reverse engineer this thing
After 3 min. thumb up, well, as non-english native speaker, it is still easy to understand everything what you talking about, looking forward for your tech-skills... man this is more fun to watch that clip than an hollywood movie. P.S. at 15 min, really cool how you investigating the router ^^
i usually skip fast through youtube videos, but i am watching this from start to end. Matt, i love the format, it's very educational that you take us through the entire thought process, and just amazing that you master so much in terms of hardware and coding, linux and so on. you have for sure ignited a little spark in me :) i have a Bricked e-bike that i would like to see if it's possible to get working.
If you see the first time he tries to login with the superadmin username firefox suggests it to him. He clearly had already done it before he recorded the video. But it's a walk through, so of course he tested it first before recording the video.
Loved the video! I have to confess that I envy your knowledge (in a good way). What you do seems to be super fun! Just so you know, here in Argentina, all ISP devices are managed by the ISP, and we don't have access to them. That's the common rule here. The issue is, if you manage to gain access to the device and change anything, as soon as you reconnect to the ISP network, they overwrite your settings with their own. So, unfortunately, there's not much you can change on your side.
I work with these CDS devices on a daily basis and I can't tell you how frustrating they are. These AT&T 9010's are not the only model that has this issue. Dataremote puts unique login creds on each device and makes it a huge pain for their customers to access them. I wish I could do what you just did here at my work lol.
Excellent Sir!!! Very well explained with no stupid outros and intros. Clear explanation at a great pace. Actually one of the first videos in a long time that I have watched end to end.
Wow very smoothly you got that much data. I'm a freshman student of cyber security domain and I'm also interested in electronic gadgets so i hope one day I'll become like you ...
Very cool! Great job explaining everything. I've got one of these at a client's office, and I was so frustrated by being unable to change any of the settings.
I enjoyed watching this. The whole process step by step was really interesting. I was tracking with your thought process. This was awesome from hardware hacking to software hacking, and all the tools that you used.
Great video! First time, immediate sub. I'm a cybersecurity student, but I always wondered how hardware hacking worked. This video is a window into this area, and I will be following to learn more. Thank you. BTW, some people have said you look like Jim Carrey, but I'm getting Matt Damon vibes.
OK this is the type of stuff that I really enjoy for whatever reason! Awesome content! I would have loved to hear what you mean when you say "You could do really fun things with this router if used with batteries and a sim card"
I love this :) just a quick correction: SPI isn't a flash type but it's a communication protocol type. The flash does use spi in this scenario, but SPI itself stands for Serial Peripheral Interface (and it's usually denoted by 4 wires, MISO, MOSI, CLK, and CS). SPI is faster than I2C and allows (in theory) an unlimited number of slave devices :)
So is that a static password...or will it randomly generate on each device? Very very very cool at getting thru and being able to poke around in the device...now you can possibly setup a SIM card and be able to host a "portable" wifi hotspot. Most awesome! Keep em coming!!!!
YouTube recommended this video for me, although I haven't done anything in that field for a very long time, this looks like a YouTube channel that I will enjoy following.
That was very cool, I was probably able to follow along and understand about 20% of everything lol very cool though. Towards the end when you got to the part of the video where you did "fout.write..." at the 28:33 mark one of the lines of info it said "NintendoCapable" what does that mean??? Anyways I loved this video, like and subbed... Thanks
Love hardware hacking ever since I unbricked a router (bad custom ROM flash) with JTAG and making some hacked-together level shifters. You managed to make this entertaining the whole way through, at least for me! My ISP actually went the other way with "my" modem, which surprised me. When I first got it, I had to call them just to get bridged mode available... A few months down the line they pushed an update which put a toggle for it on the admin page. That would be a commendable move, except for the fact that the whole reason I wanted bridged mode was just to open ports without installing a smartphone app.
Great info!! Superb delivery!!! SUBSCRIBED. Question: by not changing the username and password, ATT can still log in via the web but not SSH right? To lock ATT out I would change the username and password, i am sure att would frown on that and perhaps lock out the mac. But if i want to use it as a repeater or private cell network, that is ok.
This is cool content. I love these short and high level overviews. This is basically how I imagined in my mind dumping flash to a file for hacking would be. I subbed.
Incredible work! I'm going to be taking a cybersecurity program at my local college this fall and I think I just found my new favourite youtube channel hahaha
Wow...amazing work! I have one of these units and have been waiting for someone to finally "crack the code" so to speak. I do not possess anywhere near the ability to do this, but it's very interesting to watch. Too bad they just didn't use the same pw for all of them. If there was some way to SSH in without the pw, then I could probably change the pw. But alas, that is impossible. Anyway great job man!!
Bro's face is like Jim Carrey
LOL I get this all the time.
@mattbrwn It's weird how that happens sometimes.
There's a dude working as a parole officer (for youth) for Oregon who looks just like Ryan Reynolds. I'm pretty sure he's in an official blue book somewhere.
"Cable modem" guy! 😄
@@mattbrwn you're about to get something else in a second brb
Best! What a great video. Well done
I am a high school Cybersecurity teacher. This content is pure gold. Amazing work. 🎉 This was a pleasure to watch.
i think its amazing whatever school you work at provides classes like that, i wouldve loved that back in the day
Seriously, what school you working at? That's pretty awesome if you ask me.
they teach cybersecurity in high schools now?? that's incredible!
@@wileysneak PLTW... Project Lead the Way. The curriculum is really cool. Kids love it.
@@meekmtck5917 Southern California schools, but many schools have this as a newish subject.
That's one splendid hack, and a pretty easy one at that. Since it's Linux based, AT&T is obliged to publish the parts of the software that are GPL licensed, like Cisco/Linksys famously was with their WRT54GL back in the 2000s. Device configuration, user data etc. can be protected and fortunately they did a lousy job at that, when you're in, you're in. Also, I saw a Raspberry Pi reference in the UART output, it makes things interesting as to how the system was built or developed.
You're truly exercising your right to own things here - you'd make Louis Rossmann proud!
Raspi I believe is the code name for the custom firmware AT&T has on these.
One neat thing about these is the wireless settings in the web ui for SSID are not restricted meaning you can put anything. I put a lenny face in and it took it and broadcasts it with no issue. You can't just put in spaces though, as it will default to ATT_AP24 for 2.4 GHz and ATT_AP5AC for 5 GHz. At least that's what it does on mine.
The webui is very VERY similar to the Readynet routers I have as they allow like 5 SSIDs per radio to be active, and the overall look and feel resembles a DD-WRT UI
@LouisRossman
@@waltergonzalezpaz5995 that's @rossmannrepairgroup but I doubt tagging in a comment does anything.
“raspi” is not “raspberry pi” but rather “ralink spi”
@@subtropical-yearning thanks for the correction.
Please don't stop, and keep doing it, it's so interesting to watch it.
That's what she said..
@@DTT420 😂😂
That’s.. Oh man
As a Computer scientist, it's all clear to me. As one can see, it's not about knowing all steps in theory, it's about exploring things based on your knowledge. Amazing work and combination of tools used to hack that thing off.
didn't expect to find a wizard today.
i think that was one of the better explanations and demos i have seen. smart dude for sure.
They arrive precisely when they mean to.
How is this wizardry? All of this is fully documented ad-nauseum in the OpenWRT wiki...
Nice fully agree there! Looks like Bowtie Ape "w/ a plant on it's head", does too * `~{[:rC[})-B
@@supermaster2012 Because he understands and explains. Like most others DO NOT … To give the POWER back to the PEOPLE. Who cares it’s on wiki. Wtf, wiki didn’t make a YouTube explaining this awesomeness. People try and crush a mofo via cpu… true haters
in the 90's hackers used to say stuff like "if you can't break it open then you don't own it" so I'm glad the spirit is still living on
Most of the routers/modems that I have disassembled would have a password hashed and not stored in plaintext, so eventually I have to modify the bin file locally on laptop and then write it back to device with custom password hash.
This is a great video for people who want to get started.
You can copy that hash and run password list program and check if there is one before that
Nevermind what it uses to encode the password, set the normal user password to the one you would like to use in the root account and then copy the user password to the root password, you can get a spi writer and modify the file.
PROM incoming?
@@fss1704 that would work only if they don't properly salt their hashes. Which, judging by the lax security here, they probably wouldn't
Studying for my A+, just got my security + it’s amazing to be able to understand ~30% of what is happening. Keep up the good work and stick it to AT&T!
It doesn't seem like APSTND(DLC/LLC)P adheres anymore. Hope you have positive light in your studies.
@@Bill_Bacon
What?
The SoC and modem in this router are common and supported by OpenWRT, it would be cool to see a port for this device as part of more open firmware in the future!
yeah, those things using custom linux with init instead of systemd are slow as hell to boot
I'm pretty sure it's actually running a (very modified) OpenWRT anyway. some of the data in the "strings" output against the extracted config match up with those found in openwrt configurations (eg: NintendoCapable=0)
@@__Ben Yes it most likely does, but the differences between years outdated proprietary version that OEMs use and official is extremely large.
@@__Ben That interface looks a hell of a lot like a barely customized DD-WRT install.
AT&T shameless gpl violator by not releasing the source code of the kernel used
I'm a tech software engineer and I watched you doing magic today. I do projects in python and other languages in my free time, and I felt your passion. I'm going to watch and learn more from you buddy, keep going the good work!
I believe the "phone" ports on that device are for an ATA gateway, which would provide POTS lines from the cellular interface.
very interesting. I've never messed with anything with POTS before. makes me think of the phone phreaking scene back in the day
they can be very useful if you ever wanna do some retro hacking, it lets you simulate a phone line so you can dial from modem to modem without ever touching the "real" network
I believe this is correct, the phone ports on this particular unit are for POTS line out (aka. landline phone hookup via cellular). Although I'm pretty sure I've seen these cellular modems that ALSO support POTS line in for DSL connection. Either way, for all the cellular modems like this I've seen I can't recall ever seeing someone actually use this feature, lol.
I've been hacking on a similar AT&T cell hotspot type device, and can confirm the POTS lines are to hook up a phone and make phone calls in and out from the cell radio. The ZTE M279 based devices used by AT&T also had an open web config interface.
ATA? You just gave me a Telix flashback.
great video :) btw - SPI isn't a type of flash storage, it's a communication protocol like UART. It stands for Serial Peripheral Interface. It's often used for flash memory though
This is the first video that I see of yours, and let me say I loved it. You explain really well and seem so passionate that it is contagious. Great work!
+1 this
hell yeah. +1
+1, clear explanations, fun to watch.
I have no affiliation with coding or anything like this, but I cannot agree more! This was an incredibly intriguing video and I wish I would've tried learning sooner
Same 1st time here and new subscriber. Awesome video.
I’m starting classes for cybersecurity and this video feels like discovering the secrets the Jedi don’t want me to know. Great video, thank you!
My guy - your videos are off the chain. You've got a talented way of explaining and walking through these activities. Keep it up!
I HIGHLY appreciate how you didn't assume knowledge of some electrical engineering or command-line concepts and explained what and why you were doing out loud!
I wasn't aware of this but this process made a surprising amount of sense. You're very good at explaining what you are doing. Thanks for opening up a rabbit hole. Looking forward for more.
ATT pulling a good ol sony, locking a device down after the fact only incentivizing breaking it open completely.
excellent work!
This is awesome. I’m an iOS engineer. Going to start learning some server side programming at work next week, but this hardware hacking is magic to me and very cool and entertaining. Keep it up!
iOS sucks so bad
Dude, I've been in the Software Industry for 20+ years and I am stumped why you only have 18.3K subscribers 🤔
Really liked this video, reminds me of the stuff I used to do for fun, I had to subscribe to your channel to help you grow - Great Job 😀
Because people be dumb
It's probably because the video is far too quiet and can't be heard without absolutely cranking your setup and having notifications blast your windows out of your house.
Yea....no. Your sound settings are probably jacked up, likely on some surround setting which would manifest in the way you described it. But there is nothing wrong with the audio of his video. Just sayin. @AngelaTheSephira
@@rupertwellington3744 According to Audacity, his audio is at -12 dBFS, which is not the proper leveling. It should be about -6 (the safe option), -4 (YouTube itself's recommendation), or preferably, -0 and allow YouTube to level it on its own.
@@rupertwellington3744 I replied, but YouTube ate it.
According to Audacity, his leveling is at -12. This is not the normal YouTube leveling, so it's way too quiet. YouTube itself levels anything above -4 to -4. This is where it should be, but alas, it isn't. And my setup is on All Channel Stereo. On Direct-to-Speaker, it's even worse.
As someone who’s never done this but is super interested in tech, I loved this. First video I’ve seen from you. Loved how you take the time to explain your logic and the “why” behind your decisions. I sub’d and look forward to the next!
Wonderful talk through while being hands on! In my experience only the very best teachers use this methodology to bring peeps up to speed. And you also list the hardware that you used as well!
As an old retired electronic repair tech looking to get back in to a technical hobby in my twilight years; I want to personally thank you for taking the time to teach others. Keep up the good work.
Loved the troubleshooting to identify the UART pins. Super well explained!!
Yeah this was super useful and makes me want to bust open some junk routers I have sitting around and make a frankensteined usb cable to see what I can see.
OH! I even have proper jumpers from a knockoff arduino kit I got as a present like 12 years ago!
That was a totally cool hack. I’m long retired now but that takes me back 20 years when I used to do this sort of stuff almost daily. You’ve made an old man very happy. 🤗🤗🤗
Love the content! More LTE stuff, I use Verizon LTE sim in an OpenWRT router and a Foxconn Cat16 4x4 MIMO modem and get slamming speed up in the boonies 13 miles from any high speed internet end point other than DSL and these devices have been a life saver. Few tips, flat panel antenna with no more than 1.5-2 FT of coax on each antenna lead, high as you can to get over trees and have direct line of sight to tower or the best signal clarity you can get with how high you are willing to go up in height, I have a 76ft tower and the modem with two flat panel 2x2 mimo antennas mounted on top pointed towards the tower. Have seen 160Mbps at times with only a 4G unlimited Red sim, no 5G!
I learned more in 30 minutes than I've learned in college this semester. Thank you! +Subscribed
As someone with a computer engineering background, this video is up my wheelhouse. I loved your explanations and contexts you gave. I knew at the end that you were going to check if SSH was enabled.
please keep making videos like this, this is the first video of yours that i’ve seen but you’ve for sure made a new regular viewer here! i’ve just started out getting into this sort of thing and i usually don’t leave comments on youtube but you’re awesome and i want to watch more of your content and wanted to leave a comment encouraging you to keep making stuff like this :)
You did a really good job doing this live. I appreciated how authentic it was and that I was able to learn through your process. Well done + thank you.
Old school electronics guy, have my Associates degree from 1997 & have never been much of a programmer. Have to say this was great entertainment as well as highly educational. 😊😊😊
Yes my last class was in 2014 which was a programming class when I decided to try and finish my BSEE. 😂😂😂 not sure who I was fooling but did pass my C++ class and said nope😮😢😢😢.
Anyhow i was able to follow your line of thoughts and SEVERAL commands. 🤔 🤔 🤔
Earned a new Subscriber!!!
As well as some Gen-X approval ...😅😅😂😂
The POTS port is for VOIP lines. Great video.
I'm not often impressed but you succeeded today. You came up as a random suggestion. I'm in Ireland, I've zero interest in at&t lol but I sat and watched your process. Loved every minute. I build and repair my own systems but I'm always sorry I never got into computer science/coding. I missed the train. Keep it pumping bro. Respect 👊
Nice stuff, good explanation. A suggestion for the next more hardcore step in fw hacking - get a device with a locked bootloader and extract the creds by sniffing the SPI traffic from the flash chip on boot with a logic analyzer. Would be watching this 100%
Better yet just pull the SPI chip and read it out with an Arduino! No logic analyzer needed.
@@pcguy619 Oh dude, the arduino adapter isn't that good man, i mean you can try but if you need something new i'd recommend an spi programmer.
Any reference video doing this thing?
In Paraguay they do the same. Those ISP guys don't want savvy people to mess with those devices. But we want to do more than browsing the web with those devices. Thanks a lot for this amazing job.🎉
what else may we do other than browsing web?
@@em0p0ny host a server at home
Hey Matt, great work! I love that you explain it in detail, even though you already explained in other videos. Its nice for people who are getting into this "hobby". Great videos, keep it up.
This is awesome! You demystified lots of things for me in this video, including finding rx and tx for a device with a multi meter. Kudos, and keep up the good work! Subbed.
This was awesome to watch, I just subscribed. I've been slowly getting into Kali, hacking into my personal devices, etc. This showed me I can do so much more!
I've recently started to look into hardware debugging and found your channel. love your content. keep making it. i'm learning a lot
Just found your channel and subbed. I'm just starting my journey into hardware hacking. Your explanation of this device has supercharged my journey!!! Truly hope you keep hacking this device's LTE side & openwrt routing 🙏
Edited for spelling: dang autocorrect 😅
INCLUDE ME IN YOUR CLASS PLEASE
After getting to the command line interface at 15:40, my router didn't have the same "spi" command, only the "spi_nand" and "md" tools that freeze after reading some memory. So my workaround was:
* I looked at the "printenv" output and found a "bootargs_base" var
* I modified "bootargs_base" with the "setenv" command to include "init=/bin/sh", then ran the "boot" command
* I looked at how the scripts in /etc/init.d/ mount the "config" partition and mounted it on /var/config
* I searched through the files in /var/config/ for "PASSWORD" and eventually found the correct password
Great video!
Hi Sir, can you please elaborate more on the steps for a noob? Having the same situation without the "spi" command. Thanks in advance
First time seeing your channel. Really enjoyed it! Now I might have to look for stuff like this. lol great job!
I smiled through your whole video and similarly laughed when you tried to log into the web interface the first time.
So relatable
Writing your own parser in python for the hex dump was a nice touch. Keep it up man, you have my sub.
That's so funny. I just did this exact same thing to my unit that I have a week ago. And it took me hours to figure it out. Now watching your video, it could have been done in minutes. However, my password was different.
very interesting. If you join our discord server I'd be super curious what other values in that CONFIG are different and what are the same.
Right! I commented above wondering if there was some relationship between the device serial number and the superadmin password… a little ASCII's decimal to binary, a few shifting of bits left or right, and ending with a binary to decimal's ASCII characters.
Really cool to see this uncut in practice, already knew about UART etc. but could never put the puzzle of information together. Thanks a lot!
28:23 "NintendoCapable=0" coming out of the AT&T proprietary bootloader information made me shudder
I work on cars for a living but this caught my eye and I’m super surprised this guy made this sound simple, I actually understood a lot of this and now I want to take a random stores modem to read it 😂
I didn't understand a single thing you did, but I watched every second. I wish I could go back and learn stuff like this.
As someone who’s just getting into linux and hacking my pos hand me down laptops at work, so i can make them run properly without the bloat of windows- i applaud your video. it was great to follow along even though some of the stuff was above me. i still see many things that i recognize like initramfs and busybox shell. appreciate the content this is one of the best videos i’ve seen in a long time
34:28 "If I can do it, you can do it." I wish I could do that, that looks fun to be able to do that with devices but I am 100% sure that is something only a select few people can do as it looks like it takes a deep understanding of a lot of things. If it was possible I am sure there wouldn't be any internet forums asking for help about it LOL
You need help for sure but nothing that you can't learn with those forums in time. This router specifically was poorly designed and seems like a good start :D
Really cool Matt, I've seen similar configurations for Industrial LTE routers.. The POTS ports were initially intended for 2 line VoIP service they offered , not for dial out access (though it could still be accessed via hardware IO for that)
This channel is underrated!
Please keep doing more content!
This is a fantastic multidisciplinary hack, non-destructive, and probably applicable to a wide range of devices. Excellent pacing, demonstrated with mistakes and recoveries from them. This is Ben Eater level stuff. Subscribed.
This guy is a genius hacker and expert with Linux. I learned more in this video than all years in school.
Dude! This is so cool, I'm studying to get an engineering degree and I hope to be as inquisitive and daring as you are I also find this to be so cool to watch! Human curiosity and perseverance are mind-blowing. Keep up the great work
Bro, im loving all the new content!
Wow, I have no idea how I got here. I’m not a tech person, I still type with 2 fingers! Seeing your process was great.
oooh i love this kind of content, no bs, no trash talking.. even though i dont know that much about hardware hacking this was so cool to watch. this guy did get lost only one time and we all laugh at it at the same time :D subbed...
where do you go to learn this stuff?
I’m nowhere near as technical but this was really entertaining and informative just watching the thought process and steps you take to reverse engineer this thing
Waiting for You to start interacting with the LTE modem.
working on it :D
@@mattbrwn Definitely upload a vid when you do! You seem like a great presenter!
This man is the embodiment of 'physical access is total access'
Some AT&T manager will click dislike on this video 😂😂😂
Some tech working for them is probably liking the video
After 3 min. thumbs up, well, as a non-native English speaker, it is still easy to understand everything you are talking about, looking forward to your tech skills... man, this clip is more fun to watch than a Hollywood movie.
P.S. at 15 min, really cool how you're investigating the router ^^
I actually jumped when you were able to crack the password and log in to the web interface, lol
i usually skip fast through youtube videos, but i am watching this from start to end. Matt, i love the format, it's very educational that you take us through the entire thought process, and just amazing that you master so much in terms of hardware and coding, linux and so on. you have for sure ignited a little spark in me :) i have a bricked e-bike that i would like to see if it's possible to get working.
Wait, did that really go that smoothly? You guessed the UART settings and pinouts the first time? The password was in clear?
If you see the first time he tries to log in with the superadmin username, Firefox suggests it to him. He clearly had already done it before he recorded the video. But it's a walkthrough, so of course he tested it first before recording the video.
Loved the video! I have to confess that I envy your knowledge (in a good way). What you do seems to be super fun! Just so you know, here in Argentina, all ISP devices are managed by the ISP, and we don't have access to them. That's the common rule here. The issue is, if you manage to gain access to the device and change anything, as soon as you reconnect to the ISP network, they overwrite your settings with their own. So, unfortunately, there's not much you can change on your side.
The dislikes are from AT&T XDD
I work with these CDS devices on a daily basis and I can't tell you how frustrating they are.
These AT&T 9010's are not the only model that has this issue. Dataremote puts unique login creds on each device and makes it a huge pain for their customers to access them.
I wish I could do what you just did here at my work lol.
Dude - drink some water!!!
To be honest, as someone who knew already where this is gonna go it was interesting to watch and listen. Thanks for the entertainment 👋
Thanks for -leaving it in one cut- not editing parts out. Process is the process and rarely perfect.
Outstanding breakdown of the process. I felt the excitement when you were able to login! Brilliant stuff!
Amazing video, love the fact you forgot to clear your previous login and firefox suggested the username :)
Excellent Sir!!! Very well explained with no stupid outros and intros. Clear explanation at a great pace. Actually one of the first videos in a long time that I have watched end to end.
Wow very smoothly you got that much data.
I'm a freshman student of cyber security domain and I'm also interested in electronic gadgets so i hope one day I'll become like you ...
Very cool! Great job explaining everything. I've got one of these at a client's office, and I was so frustrated by being unable to change any of the settings.
Dude you are my new favorite channel. I’m such a nerd but this is gripping content. Please keep it coming
I enjoyed watching this. The whole process step by step was really interesting. I was tracking with your thought process. This was awesome from hardware hacking to software hacking, and all the tools that you used.
Thanks for the beginner level walk through and showing/explaining your logic and decisions. Super helpful to help me learn why you did what you did.
Great video! First time, immediate sub. I'm a cybersecurity student, but I always wondered how hardware hacking worked. This video is a window into this area, and I will be following to learn more. Thank you.
BTW, some people have said you look like Jim Carrey, but I'm getting Matt Damon vibes.
Definitely keep producing this kind of content! I enjoyed your video enough to watch the whole thing all the way through!
OK this is the type of stuff that I really enjoy for whatever reason! Awesome content! I would have loved to hear what you mean when you say "You could do really fun things with this router if used with batteries and a sim card"
This was one of the most informative videos I’ve ever watched. Is the serial port basically the JTAG on the device?
why only 40k subscribers? Bro you should be in millions. Loved it
I love this :) just a quick correction: SPI isn't a flash type but it's a communication protocol type. The flash does use spi in this scenario, but SPI itself stands for Serial Peripheral Interface (and it's usually denoted by 4 wires, MISO, MOSI, CLK, and CS). SPI is faster than I2C and allows (in theory) an unlimited number of slave devices :)
Cool intro into using the UART interface! I didn't know you could actually access the device like that through it.
Love to see 4G speed test on this router and also if it supports the 4G band change as well.
So is that a static password...or will it randomly generate on each device?
Very very very cool at getting thru and being able to poke around in the device...now you can possibly setup a SIM card and be able to host a "portable" wifi hotspot
Most awesome!
Keep em coming!!!!
YouTube recommended this video for me, although I haven't done anything in that field for a very long time, this looks like a YouTube channel that I will enjoy following.
That was very cool, I was probably able to follow along and understand about 20% of everything lol very cool though. Towards the end when you got to the part of the video where you did "fout.write..." at the 28:33 mark one of the lines of info it said "NintendoCapable" what does that mean??? Anyways I loved this video, like and subbed... Thanks
What's interesting is the interface looks remarkably similar to dd-wrt. Excellent video!
Love hardware hacking ever since I unbricked a router (bad custom ROM flash) with JTAG and making some hacked-together level shifters. You managed to make this entertaining the whole way through, at least for me!
My ISP actually went the other way with "my" modem, which surprised me. When I first got it, I had to call them just to get bridged mode available... A few months down the line they pushed an update which put a toggle for it on the admin page.
That would be a commendable move, except for the fact that the whole reason I wanted bridged mode was just to open ports without installing a smartphone app.
Great info!! Superb delivery!!! SUBSCRIBED
question, by not changing the username and password, ATT can still log in via the web but not SSH right?
To lock ATT out I would change the username and password, I am sure ATT would frown on that and perhaps lock out the MAC. But if I want to use it as a repeater or private cell network, that is ok.
Brother fellow hacker and networking guy. Solid video my friend!
This is cool content. I love these short and high level overviews. This is basically how I imagined in my mind dumping flash to a file for hacking would be. I subbed.
dude i loved how you explained every detail of the whole process. Keep up those vids we wanna see more and learn more!
Incredible work! I'm going to be taking a cybersecurity program at my local college this fall and I think I just found my new favourite youtube channel hahaha
Wow...amazing work! I have one of these units and have been waiting for someone to finally "crack the code" so to speak. I do not possess anywhere near the ability to do this, but it's very interesting to watch. Too bad they just didn't use the same pw for all of them. If there was some way to SSH in without the pw, then I could probably change the pw. But alas, that is impossible. Anyway great job man!!