
Extracting Firmware from External Memory via JTAG

  • Published 14 Aug 2024
  • Demonstration of extracting firmware from an embedded system through the JTAG interface.
    The target board is a MIPS-based Linksys WRT54G v2 router containing an Intel 28F320 4MB external Flash memory. Tools used are the Bus Blaster JTAG hardware interface (dangerousprotot...) and UrJTAG open source software (urjtag.org).
    It's Nerd Thunder month! Check out the folks mentioned at the end of the video:
    - Exploitee.rs (IoT/consumer), exploitee.rs
    - Chris Eagle (IDA/reverse engineering), github.com/cse...
    - Azeria (ARM exploitation), azeria-labs.com
    - Craig Heffner (Routers/network), www.devttys0.com
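A post-extraction sanity check for a flash dump like the one the video produces, as an added Python example that is not part of the video, the Bus Blaster or the UrJTAG project: it verifies the dump length (4 MiB follows from the Intel 28F320 being a 32 Mbit part), flags an all-0xFF image that a stuck TDO line or erased flash would give, locates high-entropy regions that `strings` cannot help with, and pulls printable strings with a stricter minimum length. The sample dump is constructed inline.

```python
import math
import re
from collections import Counter

# Intel 28F320 is a 32 Mbit part, so a complete dump is exactly 4 MiB.
EXPECTED_SIZE = 4 * 1024 * 1024
BLOCK = 4096


def check_size(dump: bytes, expected: int = EXPECTED_SIZE) -> bool:
    """False when the read stopped early or readmem was given the wrong length."""
    return len(dump) == expected


def stuck_ratio(dump: bytes, value: int = 0xFF) -> float:
    """Fraction of bytes equal to `value`. Close to 1.0 for 0xFF means either
    erased flash or a TDO line stuck high (a wiring fault, not real data)."""
    return dump.count(value) / len(dump) if dump else 0.0


def shannon_entropy(block: bytes) -> float:
    """Bits per byte in 0..8; values near 8 suggest compressed or encrypted
    data, which a plain `strings` pass will not make sense of."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def high_entropy_offsets(dump: bytes, threshold: float = 7.5) -> list:
    """Offsets of BLOCK-sized chunks whose entropy is at or above threshold."""
    return [off for off in range(0, len(dump), BLOCK)
            if shannon_entropy(dump[off:off + BLOCK]) >= threshold]


def printable_strings(dump: bytes, min_len: int = 8) -> list:
    """Equivalent of `strings -n min_len`; a longer minimum trims false positives."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, dump)]


def build_sample_dump() -> bytes:
    """Constructed stand-in for a real dump: a text region, a uniform-byte region
    (entropy exactly 8.0) and an erased region, one BLOCK each. Not real firmware."""
    text = b"CONSTRUCTED_SAMPLE_CONFIG admin=example\x00"
    return (text.ljust(BLOCK, b"\xff")
            + bytes(range(256)) * (BLOCK // 256)
            + b"\xff" * BLOCK)


if __name__ == "__main__":
    d = build_sample_dump()
    print("full 4 MiB dump:", check_size(d))
    print("0xFF ratio: %.2f" % stuck_ratio(d))
    print("high-entropy blocks at:", high_entropy_offsets(d))
    print("strings:", printable_strings(d)[:1])
```

Run it against the real `.bin` by replacing `build_sample_dump()` with `open(path, "rb").read()`; a ratio near 1.0 or a short file means the cabling, not the analysis, needs attention first.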

COMMENTS • 85

  • @jimmylim893
    @jimmylim893 4 years ago +26

    hollyyy.. how in the world only 5000+ people interested in this sort of thing to date...

    • @Elfnetdesigns
      @Elfnetdesigns 4 years ago +13

      the other billions are more interested in Twitter drama and the next new iPhone..

    • @jimmylim893
      @jimmylim893 4 years ago +1

      @@Elfnetdesigns good one... Heart breaking fvcking truth..

    • @studyonly9857
      @studyonly9857 2 years ago

      Gthvfrt!!!!!

    • @spamlogs2701
      @spamlogs2701 2 years ago

      How can u expect someone to wanna watch this crap? Imagine ur grandpa trying to understand this mumbo jumbo.. that's what 90% of the population is like when it comes to this. Ur a small niche

    • @huhulili9021
      @huhulili9021 2 years ago +1

      True only 57k + after 3 years, this is a depressing world

  • @renakunisaki
    @renakunisaki 4 years ago +16

    Thank you for explaining every step. It's so frustrating when a tutorial just pulls some information out of their arse without explaining it.

  • @HackaweekTV
    @HackaweekTV 5 years ago +4

    Nice one Joe! Good to see you hackin hardware! :) Have a great new year and...
    KEEP ON HACKIN!

  • @TommyAventador
    @TommyAventador 2 years ago +1

    I wonder if this would work on new iphones to retrieve icloud email?

  • @1ManWrenching
    @1ManWrenching 5 years ago +4

    Could this be used to get a proprietary boot loader out of a chip? Like say, the Teensy 3.2?

  • @usbbdm
    @usbbdm 5 years ago +4

    Just in case you do not know, using USB JTAG NT can read the 4M flash under 20 seconds. Not 5 hours. That is too long. Check my videos on routers programming.

    • @samuelubina5157
      @samuelubina5157 1 year ago +1

      SO SIR, SHOW US YOUR CHANNEL!!! SO we can be fully informed about this stuff you're talking about!!!!

  • @gabrielsennheiser
    @gabrielsennheiser 4 years ago +3

    I'd like to see a tutorial using the Raspberry Pi GPIO pins and openocd to, say, recover a bricked Netgear N900 (wndr4500v1/2)

  • @Cotten-
    @Cotten- 2 years ago +5

    You are such a great teacher. I wish I could shadow you.

  • @woolfy02
    @woolfy02 9 months ago

    I just got a bus pirate 3.6a and, I'm wanting to connect to a device using JTAG. The available pins on it are:
    TDO,TDI,TMS,TCK,GND,RESET
    Do I just connect it the same named pin, as from the bus pirate to the device? (Like TDO - TDO, TDI - TDI...etc etc for all of them). Years ago, I used uart but, I'm not seeing those connections on the board I'm trying to mess around with. I just can't seem to find a guide / tutorial that explains how to set it up, for newbs.

  • @koenigsbier50
    @koenigsbier50 1 year ago +4

    I wish I could upvote this video a thousand times. This is awesome !

  • @coondogtheman
    @coondogtheman 5 years ago +1

    I'd be curious as to the processing power of these things and if any type of software can be run on them. Maybe games.

  • @jairoripoll1301
    @jairoripoll1301 3 years ago

    Good evening, how could I connect a LaunchPad EXP430G2ET to an M430F149 chip via JTAG?

  • @eddyboh2723
    @eddyboh2723 2 years ago

    Question, would this work if instead of using a sound blaster adapter, I were to use a small female 20pin to female USB 3.0 output adapter?

  • @FennecTECH
    @FennecTECH 4 years ago +2

    God i love WRT54G routers. I was sad when i smoked mine :(

  • @rayfelch954
    @rayfelch954 5 years ago +1

    That's awesome if you have 'ejtag' support, but what if your target is MIPS32 and your 'initbus ejtag' request gets you 'error: not found EJCONTROL or EJIMPCODE register'? I've tried this on a linksys-wrt54gl v6 router, same exact setup using busblaster with no luck... thanks for your great videos. I love my JTAGULATOR btw

    • @Elfnetdesigns
      @Elfnetdesigns 4 years ago

      UGH v6 is the cheapest of the cheap of the WRT54G series... hardly any memory to work with and very limited features. You can barely get DD-WRT on them and they still work sort of stable and that DD-WRT is a stripped down version designed to fit on the small memory of the v6.. You are better off with a V2 or something in the 802.11N era. 54G was nice 20 years ago but is a dead horse these days..

  • @myramgrand
    @myramgrand 2 years ago

    He is so engaging and real! Great presentation!

  • @antoniosegura950
    @antoniosegura950 8 months ago

    Great teacher. A CFE MAC generator to bring a dead WRT back to life? I lost the original firmware (v2). I'm looking for a CFE bootloader generator to match with the generic original firmware. Any clue? And many thanks.

  • @rikvermeer1325
    @rikvermeer1325 2 years ago

    What would be a way to use JTAG to learn about the device's internal serial communication? Could you point me in a direction?

  • @zerodegrekelvin2
    @zerodegrekelvin2 3 years ago

    Thanks for the demo of poor man Bus Blaster JTAG 8-) I mostly use/loan the BDI2000/3000 from where I worked and I feel pain when you waited 5h to extract 4MB.
    When I say "poor man" it does not mean pejorative, more of MacGyver compliment.

  • @DatamedicsRecovery
    @DatamedicsRecovery 4 years ago +3

    Hi Joe. Any chance you would consider learning how to jtag newer WD HDD PCBs? WD has decided to lock out their PCBs in a way that prevents the normal vendor specific ATA commands from doing things like read/write the ROM code, etc. and it's becoming an issue for data recovery. I know some guys are already unlocking them via jtag, but they are selling their unlocked boards at a crazy markup. The knowledge of how to do this is definitely worth some $$ for me, but I'm no jtag expert. It's knowledge I'd be willing to pay for.

  • @xl000
    @xl000 2 years ago

    Is there a situation where you end up with something similar to a process dump and have to RE some unknown program in order to get the data you're looking for?
    I mean grepping / parsing through the output of strings looks relatively easy, but what if there are defensive countermeasures? I can imagine ways to protect a private key, but this would always be defeated as the CPU is basically doing what we're asking it to do. I guess that's what Apple secure enclave is about

  • @tristunalekzander5608
    @tristunalekzander5608 3 years ago

    I just get "invalid parameter: unknown cable driver 'jtagkey'" ... I have installed the necessary drivers please help and thanks

  • @redhat_guitar
    @redhat_guitar 1 year ago

    Can you please list the pins used on the Bus Blaster? I see you didn't use the CLK pin; I wonder why, or am I wrong?

  • @binaryfreaks
    @binaryfreaks 5 years ago +1

    hi joe, I just received my bus blaster v4.1 but I'm experiencing some issues... can you tell me some tips about it? the error: warning: TDO seems to be stuck at 1

  • @israelcruz7597
    @israelcruz7597 3 years ago

    Why would users not use higher level GUI-based software (Free) to do the same thing with pull-down menus?

  • @fapdayz
    @fapdayz 2 years ago

    Connect to libftd2xx driver is successful
    After "detect" command there is error:
    usbconn_ftd2xx_flush(): Received less bytes than requested.

  • @juniorlucival
    @juniorlucival 4 years ago

    What if the software doesn't have chip information? How will it identify the parameters?

  • @hmbrt12
    @hmbrt12 3 years ago

    Wooooooaaaahhh!!! Thanks!!⚡🤖👌🏼

  • @samsamuels1421
    @samsamuels1421 2 years ago

    Hi Joe, do you have a course? I have another type of device, the metros will work?

  • @brucelau6929
    @brucelau6929 4 years ago

    Thanks. It helps a lot.

  • @rahulsethi_
    @rahulsethi_ 5 years ago +1

    what if the data shown by string function is encrypted??

    • @renakunisaki
      @renakunisaki 4 years ago

      It will always have a lot of false positives, just ignore those.

  • @csabertui
    @csabertui 1 year ago

    I've done loads of JTAG in the early 2010s; sometimes it can be a pain...

  • @dillonjensen3728
    @dillonjensen3728 4 years ago

    Good video!

  • @gmorb666
    @gmorb666 2 years ago

    Is this process just dumping the SPI firmware? So I have an XGecu on hand, I can just read it straight from the ROM instead of waiting 5 hours through JTAG, correct?

  • @antoniosegura950
    @antoniosegura950 8 months ago

    Or how to edit the CFE MAC address in the firmware

  • @hazromanescconstantin3637
    @hazromanescconstantin3637 4 years ago

    Can you access data from an ARM processor with password protection?

  • @iitguwahaticseairunder500r2
    @iitguwahaticseairunder500r2 2 years ago

    You just used this in the recent samsung video!!

  • @Thebloggermustdie
    @Thebloggermustdie 5 years ago +1

    :( I thought you were going to jtag something from the hotel. Cool video

    • @Elfnetdesigns
      @Elfnetdesigns 4 years ago

      Like cracking the hotel's RADIUS security on their wifi? you don't need jtag for that lol just the right hardware and some know-how.

  • @steliosstamatakis844
    @steliosstamatakis844 2 years ago

    Can you use the JTAGulator's new features and not the Bus Blaster for this?

  • @sarupk
    @sarupk 1 year ago

    thank you!!!!

  • @alexluzinki206
    @alexluzinki206 1 year ago

    nice

  • @beckerf4n
    @beckerf4n 1 year ago

    can you, for god's sake, do the same with the Karma drone?

  • @petejackson7976
    @petejackson7976 4 years ago

    How do you identify where to connect cables from the interface to the target machine?

  • @shutrumpracing2451
    @shutrumpracing2451 2 years ago

    Can you do this on an Altera MAX7000?

  • @vondarycrentsil9180
    @vondarycrentsil9180 4 years ago

    Can u extract the Anki Vector robot firmware? Pls, and thanks

  • @scanners99
    @scanners99 2 years ago

    I think I love you

  • @cocosloan3748
    @cocosloan3748 4 years ago

    Cool !

  • @rootcoolk
    @rootcoolk 5 years ago

    Cool Man

  • @ddlc7022
    @ddlc7022 2 years ago

    How do you install or set up UrJTAG for Mac?

    • @ddlc7022
      @ddlc7022 2 years ago

      Joe any comment ?

  • @dariadaria9255
    @dariadaria9255 4 years ago

    Can someone please tell me best JTAG vendors in market?

  • @johnpapadopoulos8440
    @johnpapadopoulos8440 5 years ago

    Nice job. Is it possible to use that jtag for bootloop phone brick? TIA

    • @Elfnetdesigns
      @Elfnetdesigns 4 years ago +1

      you put the wrong firmware in or tried to load a "hacked" firmware and got it in a good ole loop huh? Phones are not worth it once the bootloop, as cheap as they are these days you can buy a brand new tracfone smartphone with service cheaper than you can buy the jtag reader for..

    • @tono_01
      @tono_01 4 years ago

      @@Elfnetdesigns Your answer seems to be a bit over generalised to me. Phones that are expensive can get bootloop too and it would be interesting to know if you can repair them with this technique.... @John Papadopoulos: In principle, yes you can repair them using this same technique. BUT..... firmware for cellphones requires a lot of knowledge if you start poking into them yourself..... They might have encryption that you need to defeat before you can write the code to the device, the more expensive ones (iPhones) do not have JTAG anymore. Or if they do, you need to know very well which part of the firmware is for what part of the phone (baseband, phone itself etc.). In my opinion: not an easy task.

  • @salmantalash4515
    @salmantalash4515 4 years ago

    Can we do it in Windows?

  • @Veso266
    @Veso266 4 years ago

    how would UrJTAG damage your hardware?

    • @309electronics5
      @309electronics5 1 year ago

      deleting the firmware from the device without backup or when an error occurs

  • @RicardoCooper
    @RicardoCooper 5 years ago

    Five hours?
    Thankfully I have a FlashcatUSB and USBJTAG NOT that can read this much faster!
    P.S. I already know the pinout but, can the JTAGulator be used with the WRT54G?

  • @AZ-be4hg
    @AZ-be4hg 2 years ago

    5hrs to get 'admin' passwd. Nice work, bro :)

  • @ThePlombix
    @ThePlombix 2 years ago

    you need a mountain with your name on, youtube is not enough

  • @mugishastevenyoutubestuden9311
    @mugishastevenyoutubestuden9311 2 years ago

    🖒🖒🖒

  • @hamburgermods1396
    @hamburgermods1396 2 years ago

    yes yes just like the xbox360 jtag

  • @ArnaudMEURET
    @ArnaudMEURET 1 year ago

    Quite fascinating that you pour your money in an Apple laptop where nothing works like everywhere else Unix…😅

  • @pardal902
    @pardal902 3 years ago

    well, today I think 90% of JTag extracting is impossible, all vendors locking it.

  • @JTAG123Slamma
    @JTAG123Slamma 1 year ago

    JTAG

  • @MukeshKumar-xi2dj
    @MukeshKumar-xi2dj 3 years ago

    hi joegrand wanna some help

  • @-BILYAKIS-
    @-BILYAKIS- 1 year ago +1

    in short, Software control Hardware

  • @joshse8709
    @joshse8709 2 years ago +1

    U know how I know ur vegan?