Nice work reversing the password this way. If this had failed, and since the system partition was mounted read-write, it might also have been possible to just replace the password in passwd with another hash from a known password.
That was great, thanks. The password is clearly the release date of that version of the firmware. Other instances of that device (with different firmware) will have different passwords. Obviously you have shown that there are only 365 different possibilities with that scheme they've adopted. Just mentioning this in case someone tries your password on a different fw version.
@@mattbrwn I'm not minimising the effort or skill you put into uncovering the password. I am merely concerned that your throw-away remark that all the devices of that model in the world share the same password might discourage anyone who tested that hypothesis and falsified it.
This is awesome! Thank you! Looking forward to watching more of your content. I am just recently getting to the stage where I can follow a video like this - but wouldn't be able to figure out that %s is somehow related to C programming. Anyway, thanks! I needed this.
There is not a single “security” camera (or other IOT device) on the market that cannot be hacked. Rather easily actually. I love Matt’s ingenuity and persistence.
@@stargazer7644 True, but a hardcoded root password, known to the manufacturer and the Chinese government, is a completely different story. The user cannot even change this password.
Great video! Using 4 cores of my minipc, john the ripper found the password in about 30 seconds from the hashed /etc/passwd. Might be an easier path forward for other devices since you can skip trying to reverse engineer the binaries.
Thanks for that video! Well done and super informative! But I am left with some questions:
* How to avoid firmware extraction?
* How to securely set root passwords for embedded devices?
Any information on my questions is very much appreciated!
13:00 The stuff shown here is not specific to this hardware. Similar steps work practically identically on PC, Mac or Android devices with an unlocked boot loader. The boot loader may be different on each system so you have to learn that, but once you get /bin/sh running, the steps are practically the same for all Linux-supported hardware. Normally the init system (which we replaced by /bin/sh) takes care of these things so we have to mount the filesystems manually. Basically the only thing you need to do is identify the init system of this specific Linux system. This device appears to run an init system called "System V init" which is the traditional system. Other well known systems are "upstart" that Ubuntu used to use about a decade ago and "systemd" which practically every desktop and laptop Linux computer is using nowadays.
What the hell is this? And why can't I stop watching this? 😂😂 This is awesome. This is what I dreamed of learning when I was a kid but never did... awesome content even if I don't know anything about it! 😂
Yes. But if the salt is taken from time without a battery backed clock, the time is probably N seconds since boot and if the root password is set during initial boot of the system, the salt would be nearly always the same (probably the same amount of seconds +/- one). However, crypt() with DES encryption is fast enough to run on GPU to be cracked in seconds without having any password lists. Even if the device had truly unique random passwords which are 8 characters long, it could be cracked very rapidly simply by brute forcing all 8 byte long ASCII strings with an offline attack. And if you're not interested in the actual hardcoded root password, you could simply overwrite the hash with your own password once you boot the system by using /bin/sh as your init replacement.
@@MikkoRantalainen Does it matter if the salt is random or not? It is stored as plain text in /etc/passwd. The only use case where I see a difference would be if you had a large number of salted password hashes with the same salt - you could prepare a rainbow table for that specific salt. The point here should be the fact that getting a decent seed for pseudorandom on embedded or locked down devices is hard, while using a repeatable salt on passwords (in this case!) means very little.
@@furmek The point is that if a given class of device always uses one of three possible salt values, it's indeed possible to create a single set of rainbow tables for all those devices. If you're not afraid of rainbow tables, why use any kind of salt ever?
Haven't been part of this rabbit hole journey before, very cool! Does your terminal auto-detect baud rate and whatnot, or are those things almost always the same, like 9600? I've grown "UART curious" myself pondering if there are serial pins to explore on stuff
cool series, still have to watch the 3rd video. you have a great way of explaining things that keeps everything interesting for newbs and personally makes me want to get into hardware hacking. i'm heavy on the webapp / server and post-exploitation hacking side and this stuff is exciting to watch. Heard you mention a discord, so I hope it's welcoming to new hardware hackers because I plan to join. A few questions if you don't mind:
- How do you pick your targets?
- Can you explain how `srandom` and `time` played a factor in the creation of this password? I don't see the correlation to the underlying method of how they were used to generate a string as they did in Joe Grand's video. This seems a bit more nominal, like it's not pulling from the clock, and you said this is the same pass for all of these cameras?
- I suppose there are a variety of ways to get a shell and escalate to root, but would you consider binary or kernel exploitation here (like LOLBins) or would that come after you exhausted reverse-engineering the binary for a string? (I missed whether or not there were other common system binaries available in your shell)
I truly have no idea where to get started with hardware hacking but you have amazing content. I hope your discord has some direction or I can find more info on that beginner path from you.
That workbench behind you, the one with the scopes on top of it, what brand/model is that? I need to get something like that. Thanks. Cool videos, liked and subbed.
Yeah... I actually got in touch with a camera "seller" aka they just slapped their logo on it.... And asked for the telnet password.... They couldn't give it to me but they rebuilt a copy of the firmware for me with I think the password buster2020 but would log in with buater20
John the Ripper was able to crack that hash using its own password list on my laptop in under a minute! I wasn't sure it was going to be correct, but watching the rest of the video, it turns out it was! What are the chances?! Still great work on your part to unravel that the way you did!
Got a question. Is it legal to upload videos like this (with precise product model and reverse engineered pass)? Or maybe it depends somehow on the product/country/license/...?
Great work on this channel i see, subscribed :)
Lol I sure hope it's legal 🤣
But seriously:
Let's reverse engineer this thought process. Why would we, consumers who OWN a product, come to the belief that we need to seek permission to take apart, reverse engineer, and tell others about OUR OWN PROPERTY? 🤔
Doomers: You'll own nothing and be happy.
Me: I'll pwn things and be happy.
yes and no. it's supposed to be legal but sometimes assholes pay lawyers when they're embarrassed by what researchers find.
You mean, is it legal for him to share a video training others how to improve security in their products, AKA how the Chinese are stealing and cloning your products and even using your own firmware against you?
@@dennis8196 yes but replace Chinese with Everyone Ever and I agree 100%
@@mattbrwn 4 letters, DMCA. Same reason it’s technically illegal to rip a Blu-ray, although not enforced (at least en-masse).
Does that apply here, especially to a device not made in the states? Not sure, but you should be. I love the content, look forward to more, just make sure you cover your 6.
29:45 The reason the rand seed is the same within a close time period is that the code calls time(NULL), which Ghidra shows as time(0x0) since 0x0 is NULL. time() returns the Unix timestamp to the second at the moment it was called, so when you spam-run the program the hashes will be very close, and since the camera has no way of persisting time, on bootup it will always return the same salt, which means rand() will always output the same "randomness".
This can actually be a useful feature. If you know the inputs and the algorithm you have predictable output. If you don't know the input then the output is effectively random. Some encryption schemes depend on this. Mind you, doing encryption right isn't trivial, so DIY encryption systems are generally about as secure as a zip tie on a vault door, sometimes up to a padlocked chain. They only keep the honest or very lazy out.
Dollars to donuts this function is called on factory reset as well as initialization, and that could happen any time after boot. They could have 'tested' by factory resetting and seeing different salts, not realizing that the first run would produce a very narrow set of salts.
The device may have a Real Time Clock (rtc), or the development board they were using did, so when testing they were getting different time values each run. The production units, though, were all at the RTC reset value + bootup time. It's a common mistake I've seen in embedded development.
@@danmerillat neither of which matters if they hard code a password. Back in the 90's when we used crack... before hashcat, this password would have been broken because it didn't just work through a list of known passwords (dictionary); it modified the strings to generate new passwords. Granted, it took a lot more compute to run. That should be relatively negligible these days.
So looking at some docs, time(NULL) gives the current time. If you say within one second, could you just work through all of the reasonable seconds? Why is this not returning time based on milli- or microseconds (clock speed dependent, obviously)?
I recently discovered this channel and it has become by far the most interesting one I have found in the last couple of years. I just have to say you are an incredible presenter, and every video just flies by. Looking forward to the next one. Cheers!
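The time-seeded salt discussed in the two salt threads above (the srandom(time(NULL)) explanation at 29:45 and the reply about a clock with no battery backup), as an added example that is not code from the video or from the camera firmware: it reproduces how a clock that always starts from the same reset value collapses the DES salt space, and shows the clock-independent fix. The reset clock value, the boot window and the /dev/urandom replacement are assumptions for the demonstration; the salt-generation code is modelled on the behaviour described in the comments, not taken from the binary.

```c
/* Added example (not code from the video or the camera firmware): models the
 * salt bug discussed in the comments.  The firmware seeds srandom() with
 * time(NULL) while setting the root password at first boot; with no
 * battery-backed RTC every unit's clock starts from the same reset value,
 * so a whole fleet ends up with a handful of salts.  'boot_clock' stands in
 * for the value time(NULL) returns, so the weak path is reproducible here. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The 64-character salt alphabet crypt(3) accepts for traditional DES. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Weak: the salt is a pure function of the clock value used as the seed. */
void salt_from_time_seed(long boot_clock, char out[3])
{
    srandom((unsigned int)boot_clock);   /* firmware does srandom(time(NULL)) */
    out[0] = SALT_CHARS[random() % 64];
    out[1] = SALT_CHARS[random() % 64];
    out[2] = '\0';
}

/* Index 0..4095 of a two-character DES salt, or -1 if it is not valid. */
int salt_index(const char *salt)
{
    if (strlen(salt) != 2) return -1;
    const char *a = strchr(SALT_CHARS, salt[0]);
    const char *b = strchr(SALT_CHARS, salt[1]);
    if (!a || !b) return -1;
    return (int)(a - SALT_CHARS) * 64 + (int)(b - SALT_CHARS);
}

/* 1 if two devices whose clocks read s1 and s2 at setup get the same salt. */
int salts_match_for_clocks(long s1, long s2)
{
    char a[3], b[3];
    salt_from_time_seed(s1, a);
    salt_from_time_seed(s2, b);
    return strcmp(a, b) == 0;
}

/* Distinct salts a fleet can produce when setup runs within 'window'
 * seconds of the shared reset clock value (compare with 4096 possible). */
int distinct_salts_in_boot_window(long reset_clock, long window)
{
    unsigned char seen[4096] = {0};
    int n = 0;
    for (long t = reset_clock; t <= reset_clock + window; t++) {
        char s[3];
        salt_from_time_seed(t, s);
        int idx = salt_index(s);
        if (idx >= 0 && !seen[idx]) { seen[idx] = 1; n++; }
    }
    return n;
}

/* Hardened: salt bytes from the kernel CSPRNG, independent of the clock. */
int salt_from_urandom(char out[3])
{
    unsigned char b[2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(b, 1, sizeof b, f);
    fclose(f);
    if (got != sizeof b) return -1;
    out[0] = SALT_CHARS[b[0] % 64];
    out[1] = SALT_CHARS[b[1] % 64];
    out[2] = '\0';
    return 0;
}

/* Draws 'tries' hardened salts; 1 if all are valid and not all identical
 * (with 4096 values a run of identical draws is vanishingly unlikely). */
int urandom_salts_vary(int tries)
{
    char first[3], s[3];
    if (tries < 2 || salt_from_urandom(first) != 0 || salt_index(first) < 0) return 0;
    int varied = 0;
    for (int i = 1; i < tries; i++) {
        if (salt_from_urandom(s) != 0 || salt_index(s) < 0) return 0;
        if (strcmp(s, first) != 0) varied = 1;
    }
    return varied;
}

int main(void)
{
    char s[3];
    printf("weak: setup within 0..5 s of the reset clock -> %d distinct salt(s)\n",
           distinct_salts_in_boot_window(0, 5));
    for (long t = 0; t <= 2; t++) {
        salt_from_time_seed(t, s);
        printf("  clock=%ld -> salt \"%s\"\n", t, s);
    }
    if (salt_from_urandom(s) == 0)
        printf("hardened: salt from /dev/urandom -> \"%s\"\n", s);
    return 0;
}
```

A random salt only fixes the table-lookup problem; as the thread notes, the 8-character DES crypt itself is still cheap to brute force offline, so a modern password hash is the fuller fix.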
You should be able to tell ghidra to decode the password as a string! To do this, select the variable (local_8c, later renamed to password), and change its type to `char [9]` (8 letters plus null byte) by pressing ctrl+l (or right click and retype variable). Then, ghidra should hopefully change the hex value to a string!
nice! I'll give this a shot.
I wouldn't limit the string length though. Can it instead do a string until a null?
Good looking out!
@RowanHawkins that's assuming the password is both a plain string and that it's null terminated
@@RowanHawkins Yes you can. Just tell it to reinterpret the data as a c-string and it will do the rest.
The YouTube algorithms have gifted me the knowledge of your channel today! Looking forward to watching more of your videos!
Literally as simple as a binary CTF challenge, as long as you can get the firmware.
This is great content!
Once again, love your content.
You remind me of a boy I went to school with in the 80s.
Great kid. He was a geek when geeks were not cool, but I considered him a friend and would take care of him and make sure no one picked on him.
He invited me to his house one day. His room looked like yours, and he was showing me all this computer-related stuff. It was just exciting watching him and how much he loved everything computer-related.
I remember his mother walking in. She was an absolutely beautiful woman, married to a science geek from RDU Science Labs.
But she stood there and watched as her son was excitedly explaining everything to me and how happy he was to have me over there.
She thanked me, invited me for dinner, and drove me home afterward.
I will never forget this.
She thanked me for making sure no one picked on or bullied her son and thanked me for being his friend. It broke my heart to listen to his mother talk about how people had treated him his entire life just because he liked computers.
I promised her that while I was in school, no one would mess with him. And when I was not there, I had the guys I sat with during lunch, "The Cool Table," allow him to sit with them, as there were kids in our lunch who would pick on him. During middle and high school, this kid flourished, as no one messed with him anymore after I and the boys I hung out with all became friends with him. Even though I did not make it to high school, the crowd I hung with did, and they always made sure he was OK.
I saw him about 20+ years ago. He was doing well for himself and was happily married. He introduced me to his wife and kids and the boy who helped him become the man he is today.
I hope he is still doing well.
Take care, Matt, and continue doing what you love and enjoy.
Mine is designing websites and working on Delphi Software.
Wayne
Please keep spoiling us all with frequent video releases!
Very nice Matt, your channel is gaining traction which is well-deserved!
Thanks for running through the whole process as you did it initially, super interesting. And kudos for the shout out to Joe Grand, that time video was awesome as well 😊
Thanks :) and yes all of Joe Grand's content is super high quality!
In answer to your question @27:23 "why does it act this way?": you're supposed to use a random salt to avoid it being a simple table lookup, so they copied some sample password change code from elsewhere and replaced the function argument with a hardcoded string. The failure was doing the crypt() there at all rather than hardcoding a pre-hashed default password. Another note: recognizing "numbers" that are really just ASCII strings is an important skill when reversing. local_8c stood out the instant you loaded the function. You spent some time looking at them later but it's a useful shortcut to identify probable-text early on.
This, especially being able to read numbers (their ASCII representations are just 0x3N for N being your digit), is really helping your pattern recognition
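Recognizing immediates that are really ASCII (the 0x3N digit pattern above) and the char[9] retype suggested earlier in the thread, as an added example that is not code from the video or from Ghidra: it decodes decompiler constants in the target's byte order and joins adjacent stack locals into one string the way the retype does. The constants are constructed to spell the cracked value reported in the comments (20170912) and do not come from the real binary; local_8c is used only as a name.

```c
/* Added example, not code from the video, Ghidra or the camera firmware.
 * When a decompiler shows a stack local assigned a "number" such as
 * local_8c = 0x37313032, the bytes may really be ASCII text (digits are
 * 0x30..0x39, so a constant built from 0x3N bytes is a strong hint).
 * The constants below are constructed to spell 20170912, the value the
 * comments report; they are not taken from the real binary. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode 'width' bytes of 'imm' as stored in memory.  Little-endian targets
 * (most ARM/MIPS camera SoCs) put the low byte first; set big_endian for
 * big-endian MIPS cores.  Returns 1 and a NUL-terminated string in out
 * (at least width+1 bytes) if every byte is printable ASCII, else 0. */
int immediate_to_ascii(uint64_t imm, int width, int big_endian, char *out)
{
    if (width < 1 || width > 8) return 0;
    for (int i = 0; i < width; i++) {
        int shift = big_endian ? (width - 1 - i) * 8 : i * 8;
        unsigned char b = (unsigned char)((imm >> shift) & 0xff);
        if (b < 0x20 || b > 0x7e) return 0;   /* not printable ASCII */
        out[i] = (char)b;
    }
    out[width] = '\0';
    return 1;
}

/* The 0x3N pattern: every byte is an ASCII digit '0'..'9' (order-independent). */
int all_bytes_ascii_digits(uint64_t imm, int width)
{
    if (width < 1 || width > 8) return 0;
    for (int i = 0; i < width; i++) {
        unsigned char b = (unsigned char)((imm >> (i * 8)) & 0xff);
        if (b < '0' || b > '9') return 0;
    }
    return 1;
}

/* Convenience check: 1 only when imm decodes and equals expected. */
int imm_decodes_to(uint64_t imm, int width, int big_endian, const char *expected)
{
    char buf[9];
    return immediate_to_ascii(imm, width, big_endian, buf) && strcmp(buf, expected) == 0;
}

/* Join adjacent stack locals (as laid out in memory) into one string, like
 * retyping the first local to char[n].  Returns the total length, or -1 if
 * a chunk is not printable or the output buffer is too small. */
int join_locals(const uint64_t *imms, const int *widths, int n, int big_endian,
                char *out, size_t outsz)
{
    size_t len = 0;
    for (int i = 0; i < n; i++) {
        if (len + (size_t)widths[i] + 1 > outsz) return -1;
        if (!immediate_to_ascii(imms[i], widths[i], big_endian, out + len)) return -1;
        len += (size_t)widths[i];
    }
    return (int)len;
}

/* Constructed demo: two 32-bit locals that together spell the 8-char password. */
const char *join_locals_demo(void)
{
    static char pw[9];
    static const uint64_t locals[] = { 0x37313032ULL, 0x32313930ULL };
    static const int widths[] = { 4, 4 };
    if (join_locals(locals, widths, 2, 0, pw, sizeof pw) < 0) return "";
    return pw;
}

int main(void)
{
    char buf[9];
    uint64_t samples[] = { 0x37313032ULL, 0x32313930ULL, 0xdeadbeefULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (immediate_to_ascii(samples[i], 4, 0, buf))
            printf("0x%08llx -> \"%s\"%s\n", (unsigned long long)samples[i], buf,
                   all_bytes_ascii_digits(samples[i], 4) ? " (all digits)" : "");
        else
            printf("0x%08llx -> not printable ASCII\n", (unsigned long long)samples[i]);
    }
    printf("joined locals -> \"%s\"\n", join_locals_demo());
    return 0;
}
```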
Excellent video!! Thanks! I paused the video at 18:00 and ran Hashcat myself. Took 36 seconds to brute force. Chinese security is #1!
What did you run hashcat on?
@@nicholas4839 I ran: hashcat hash.txt -a 3, 1080TI, Started: Wed Jul 24 16:25:40 2024, Stopped: Wed Jul 24 16:28:24 2024, result: uTV43RfKc73oM:20170912
@@nicholas4839 his brain
To be fair, I don't think they were really concerned about security as you require physical access to the thing to do anything, and to be frank, once you have physical access it's REALLY hard to prevent a device from being cracked without hardware mitigations (like what iPhone does with their enclave, or POS terminals do with their self erasing volatile storage if the device is tampered with). I'd expect the same (or less) amount of 'security' for any North American device of similar nature.
Nice, beat me by 2 seconds, john took 38 pure CPU.
I'm definitely learning stuff here. Can't do this stuff on my own yet, but seeing it done with explanations is massively beneficial. Your channel is a gold mine!
Awesome video! As an embedded developer, I used to do lots of hardware hacking including UART / debug console related stuff, u-boot, kernel args, root file systems, etc. I haven't been digging too much into password cracking and reverse engineering of programs. Watching you doing this kind of magic with hashcat and ghidra was pretty remarkable and makes me wanna try it myself. 😄 Unfortunately 90 % of my working time is not development and engineering anymore but documentation and project management. So for the time being I'll stick to your videos and enjoy the amazing things you're doing. Keep it coming. 👍
Those PCBite probes are pretty cool! Looks a lot easier than how I have mine setup ("Helping hands" tape and sewing needles lol) Definitely going to pick one of those up. Thanks for listing what you use for your setup and great video as always!
Dude, you're killin it!!!! Keep it up and you'll be up there with John Hammond!
I agree
Best hardware RE content on the platform! Great work!
Thanks 😎❤️
Very nice as always!
You might want to update your hashcat. At some point last year, Hashcat gained the ability to autodetect hashtypes so you don't have to go looking for them anymore.
You can also add a username into the hash too, but I don't know the syntax. Probably after the hash if I had to guess, like hash:user . You might want to look up some of Ippsec's HTB videos where he uses hashcat or look into documentation.
Oh awesome! I didn't know this. Thanks for sharing 😃
This series is very exciting! I have similar models pretty close to this one, so I'll be trying to do all this soon. Thanks Matt for doing and posting all this!
Amazing video as always, you rock!
With modern consumer GPU throughput, I might even expect brute forcing an 8 digit password to be faster than the IO from a 100MB file.
Now, with that said, I found your way to be pretty awesome. One of my favorite moments when it comes to cracking firmware passwords was watching the discord server for Marco Reps when an unsecured STM32 was read and we were all sort of looking at the binary dump and there was this random word in it. He tries it, and it works!
Clearly a hidden gem channel.
Enjoyed this, good analysis. Having plain strings in code makes things a lot easier :) To not make things quite so easy, in our code we use automation to obfuscate all strings except any that we want people to trivially find. We use a mix of emacs macros to obfuscate strings at the point of writing or maintaining code, either triggered interactively with a couple of keystrokes or in a batch process, and in sources where it's infeasible to manually identify strings to manipulate, we use a custom antlr based parser that's aware of the source syntax to identify such strings. Being language and context aware, the tool can exclude cases where it's unsafe or unnecessary, such as a string passed to sizeof() or being passed to certain macros, used in comments etc. With such tools, the process of having almost all literal strings manipulated in a very large codebase is manageable. Obviously the mechanisms for restoring data hidden in this way can be reverse engineered, but at least someone can't just run strings, grep, do a search in ghidra etc. and find them within a few seconds of getting their hands on the binaries.
Very nice and well explained. Look forward to the next one.
Awesome stuff! I saw your most recent video and went back to your previous videos to learn about the firmware extraction and now this.
Wanted to recommend maybe adding mid-video links (and video description links) to previous videos about reverse engineering this camera, just to make it easier for viewers to watch more of your videos
It is amazing seeing a pro working. It looks easy because you explain it in a very understandable way. Just perfect, I wish I'd encountered your channel way earlier. Sub + thumbs up. Waiting impatiently for the following part 🎉
Love your vids... I only wish that when I was younger I had access to the wealth of knowledge the internet holds, and the cheap technology and computers that are around now... I was scratching around with no computer and RS and Maplin catalogues as my reference sources to find pinouts etc... how things have changed...
As a programmer, I get more scared every time I watch Matt's videos 😂 This is the best channel I could ever find.
I *love* these. It's one of the things I'd love to do if I had the time and money, but of course I don't, so watching you is close enough!!
I am applauding standing ... Amazingly great video. Structured, informative, interesting.
Thank you!!
Soldering serial points I use pieces of thin gauge silicone wires instead of enameled wire.... Less stress on the pad and less risk of lifting the pad.
Thanks for the tip 👍
I just solder straight to them and knock up a strain relief with two screws straight into the bench top. I actually have a designated spot for this since, though I could care less about the number of holes in my desk (seems the more holes you have, the easier it is to jerry rig setups while simultaneously making it exponentially easier to lose SMCs).
Just gotta keep your temps down.
I usually dont comment on videos. But i have to tell you this is by far the most interesting video i have watched about hardware hacking! Keep up the good work
Very well done! As a person who started his IT career as a trainee computer operator feeding programs into mainframes on punch cards, and who gave up programming about the time C first emerged to start a career as a project manager instead, I can say what you were explaining is right up there with describing electricity to a Neanderthal (me).
That said, I managed more or less to keep up with what you said you did to crack open the password.
Along the way you clearly demonstrated a deep knowledge of the tools, command line prompts and their uses that enabled you to tease open what was going on. I'm in awe of your obvious expertise and experience, and your ability to convey your work in a manner that even a dinosaur can get his head around.
I'd say you have a very bright future in technology, and you'd be very welcome to come work on any project I'd be running to deliver technology in this space. 😄
I can only imagine how long doing this took and condensing it down to the smooth process you show is really appreciated.
This looks like a setup, that uart header was just too obvious. ;) Great video again!
I love that you walked through what things did, and why you needed to do them to get what you want
This was a fantastic presentation - and a reminder that the 'S' in IoT stands for security.
I always watch your videos as soon as they are posted. High quality stuff!
Nice work reversing the password this way. If this would've failed, and as the system partition was mounted read-write, it might also have been possible to just replace the password in passwd with another hash from a known password.
The previous video was really helpful. I think I want to extract firmware from a device in the future and it really helped!
I am no coder, but i can roughly follow your steps, and it was really interesting for me!
That was great, thanks. The password is clearly the release date of that version of the firmware. Other instances of that device (with different firmware) will have different passwords. Obviously you have shown that there are only 365 different possibilities with that scheme they've adopted. Just mentioning this in case someone tries your password on a different fw version
Yep! Weak passwords are always easily brute forced in retrospect.
@@mattbrwn I'm not minimising the effort or skill you put into uncovering the password. I am merely concerned that your throw-away remark that all the devices of that model in the world shared the same password not discourage anyone who tested that hypothesis and falsified it
Is there any way to get the fw dump? I would really like to do some investigation.
Comment to feed the algorithm.
You deserve alot more subs👍
string "alot" not found.
Really interesting, I like the approach to the password, I would not have guessed that it was in reverse, great work 👍
This is awesome! Thank you! Looking forward to watching more of your content. I am just recently getting to the stage where I can follow a video like this - but wouldn't be able to figure out that %s is somehow related to C programming. anyway, thanks! I needed this.
I love your easy way of explaining without being too high or low level.
There is not a single “security” camera (or other IOT device) on the market that cannot be hacked. Rather easily actually. I love Matt’s ingenuity and persistence.
There isn't a single device with a microprocessor in it that cannot be hacked if you have physical access to it.
@@stargazer7644 True, but a hardcoded root password, known to the manufacturer and the Chinese government, is a completely different story. The user cannot even change this password.
Some devices are much harder though. A properly manufactured and set up ICC bank card is very difficult to hack, even with physical access.
That was fantastic man, great video!
Great video I really liked going down the rabbit hole with you and getting to follow along with your thought process on the entire thing.
Love watching your videos man. Keep it up!
Really cool video. Explained in a simple way that makes you feel brave enough to try it!
Very cool presentation. Great channel! Thank You!
These videos are great. Gets me interested in programming
Great video! Using 4 cores of my minipc, john the ripper found the password in about 30 seconds from the hashed /etc/passwd . Might be an easier path forward for other devices since you can skip trying to reverse engineer the binaries.
Really well done, that was a remarkably accessible example of how to get root!
Nice job on the reverse engineering, definitely learned a few things!
Awesome video, full of great content!
Awesome video Matt.
Understood perfectly! Because I am a C programmer and all the grep commands. Format strings and egrep or a "find" of a string.
Good video. All steps were explained in a compact and understandable way
love to see you look at some tuya gear. especially their cctv cameras that do some really weird stuff on the network
I love side quests! I'm not good at any of that, but it's really interesting, keep doing that please 😀
Well done Matt. You win another subscriber.
Bro, found this channel 2 days ago, almost binge watched all your fkin videos. You are amazing.
Very cool to do that, my young nephew is having a blast trying to hack into an old router. My dude knows more than me.
Thanks for that video! Well done and super informative! But I am left with some questions:
* How to avoid firmware extraction?
* How to securely set root passwords for embedded devices?
Any information on my questions is very much appreciated!
Absolutely stunning !!! Great job !
super video - nice job !
13:00 The stuff shown here is not specific to this hardware. Similar steps work practically identically on PC, Mac or Android devices with unlocked boot loader. The boot loader may be different on each system so you have to learn that but once you get /bin/sh running, the steps are practically same for all Linux supported hardware. Normally the init system (which we replaced by /bin/sh) takes care of these things so we have to mount the filesystems manually.
Basically the only thing you need to do is identify the init system of this specific Linux system. This device appears to run init system called "System V init" which is the traditional system. Other well known systems are "upstart" that Ubuntu used to use about a decade ago and "systemd" which practically every desktop and laptop Linux computer is using nowadays.
Just finished watching the first part. Hell yes.
What the hell is this? And why can't I stop watching this? 😂😂 This is awesome, this is what I dreamed of learning when I was a kid but never did... awesome content even if I know nothing about it! 😂
Great video Matt!
That must have been written on 12th September 2017.
Great video! Super interesting following your working.
A salt doesn't need to be truly random, the shtick of hash salting is to avoid rainbow tables and it can be an arbitrary number
Yes. But if the salt is taken from time without a battery-backed clock, the time is probably N seconds since boot, and if the root password is set during the initial boot of the system, the salt would nearly always be the same (probably the same number of seconds +/- one). However, crypt() with DES encryption is fast enough to run on a GPU to be cracked in seconds without having any password lists. Even if the device had truly unique random passwords which are 8 characters long, it could be cracked very rapidly simply by brute forcing all 8-byte-long ASCII strings with an offline attack.
And if you're not interested in actual hardcoded root password, you could simply overwrite the hash with your own password once you boot the system by using /bin/sh as your init replacement.
@@MikkoRantalainen Does it matter if salt is random or not?
It is stored as plain text in /etc/passwd.
The only use case where I see difference would be if you had a large number of salted password hashes with the same salt - you could prepare rainbow table for that specific salt.
The point here should be the fact that getting a decent seed for a pseudorandom generator on embedded or locked-down devices is hard, while using a repeatable salt on passwords (in this case!) means very little.
@@furmek The point is that if a given class of device always uses one of three possible salt values, it's indeed possible to create single set of rainbow tables for all those devices.
If you're not afraid of rainbow tables, why use any kind of salt ever?
Haven't been part of this rabbit hole journey before, very cool! Does your terminal auto-detect baud rate and whatnot, or are those things almost always the same, like 9600? I've grown "UART curious" myself pondering if there are serial pins to explore on stuff
Most devices you find in the wild today will have their UART baud rate set to 115200. Some older devices will have it set lower
Very good!
I loved it. Thank you very much. Very educational!
This was awesome :) Very educational, very valuable. Thanks for the video. Need to test it myself :)
Cool. watched the whole thing. liked and subscribed.
These videos are always so interesting. Thank you!
Cool series, still have to watch the 3rd video. You have a great way of explaining things that keeps everything interesting for newbs and personally makes me want to get into hardware hacking. I'm heavy on the webapp / server and post-exploitation hacking side and this stuff is exciting to watch. Heard you mention a discord, so I hope it's welcoming to new hardware hackers because I plan to join. A few questions if you don't mind:
- How do you pick your targets?
- Can you explain how `srandom` and `time` played a factor in the creation of this password? I don't see the correlation to the underlying method of how they were used to generate a string as they did in Joe Grand's video. This seems a bit more nominal, like it's not pulling from the clock, and you said this is the same pass for all of these cameras?
- I suppose there are a variety of ways to get a shell and escalate to root, but would you consider binary or kernel exploitation here (like LOLBins) or would that come after you exhausted reverse-engineering the binary for a string? (I missed whether or not there were other common system binaries available in your shell)
I truly have no idea where to get started with hardware hacking but you have amazing content. I hope your discord has some direction or I can find more info on that beginner path from you.
Also I don't see you getting root, actually? Was the user:pass same for root? sudo?
This is awesome. Subscribed!
Subbed! This is super cool
That workbench behind you, the one with the scopes on top of it, what brand/model is that? I need to get something like that. Thanks. Cool videos, liked and subbed.
Benchpro :)
Brilliant, really enjoyed this, you got my sub
The best channel on UA-cam…
Very instructive video !! Love it.
It was very interesting and informative, thank you for your content!
Man, I did things like these all my life and I thought I was alone. So nice to find someone else who knows basically the same things! Well done!! 🙂
This was really fun to see, Thank You.
I don't have the slightest bit of knowledge about reverse engineering but this looks amazing
That was pretty instructive !
Thanks for your work ! :D
question: could you have run #mount -o remount,rw / to get to the / directory?
great video matt :)
Great video, and insta subbed!
16:23 is that a DES hash? Iirc those can only be 8 or 10 chars long ...came across a few of those in embedded devices... Brute force isn't that hard
Correct, the password is truncated.
Yeah... I actually got in touch with a camera "seller", aka they just slapped their logo on it... and asked for the telnet password... They couldn't give it to me but they rebuilt a copy of the firmware for me with, I think, the password buster2020, but it would log in with buster20.
Yeah you could brute force it like it was a paper bag
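Two points from the threads above, as one added C example (not code from the camera or the video): the earlier discussion that a salt seeded from time() on a device with no battery-backed clock collapses to a handful of values, and the buster2020/buster20 observation here that traditional DES crypt() only honours the first 8 bytes of the password. The seeding pattern, the boot-window sizes and the function names are assumptions made for the example; it uses ISO C srand()/rand() in place of the firmware's srandom() so it builds anywhere, and it does not call crypt() itself.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>

/* DES crypt() salt alphabet: 64 symbols, 2 salt characters -> 4096 salts total. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Hypothetical firmware pattern (assumption for this example, not the camera's
 * code): seed the libc PRNG with the wall clock and draw the salt from it. */
void salt_from_seed(unsigned seed, char salt[3]) {
    srand(seed);
    salt[0] = SALT_CHARS[rand() % 64];
    salt[1] = SALT_CHARS[rand() % 64];
    salt[2] = '\0';
}

/* A device without an RTC starts its clock at the Unix epoch, so time(NULL)
 * during first boot is just seconds-since-boot: a fully predictable seed. */
unsigned seed_without_rtc(unsigned seconds_since_boot) {
    return 0u + seconds_since_boot;
}

/* Same seed, same salt: the "random" salt is a function of boot timing only. */
int same_seed_same_salt(unsigned seed) {
    char a[3], b[3];
    salt_from_seed(seed, a);
    salt_from_seed(seed, b);
    return strcmp(a, b) == 0;
}

/* How many distinct salts can password setup produce if it always runs
 * between `first` and `last` seconds after boot? Bounded by the window
 * size, not by the 4096 the format allows. One rainbow table per value. */
int count_distinct_salts(unsigned first, unsigned last) {
    unsigned char seen[4096 / 8] = {0};
    int n = 0;
    for (unsigned s = first; s <= last; s++) {
        char salt[3];
        salt_from_seed(seed_without_rtc(s), salt);
        int idx = (int)((strchr(SALT_CHARS, salt[0]) - SALT_CHARS) * 64 +
                        (strchr(SALT_CHARS, salt[1]) - SALT_CHARS));
        if (!(seen[idx / 8] & (1u << (idx % 8)))) {
            seen[idx / 8] |= (unsigned char)(1u << (idx % 8));
            n++;
        }
    }
    return n;
}

/* Traditional DES crypt() keys on the first 8 bytes of the password only,
 * so "buster2020" and "buster20" hash identically under the same salt. */
void des_effective_password(const char *pw, char out[9]) {
    strncpy(out, pw, 8);
    out[8] = '\0';
}

int truncates_to(const char *pw, const char *expected) {
    char out[9];
    des_effective_password(pw, out);
    return strcmp(out, expected) == 0;
}

/* Offline work factor per salt: charset^len candidates. */
double keyspace(unsigned charset, unsigned len) {
    double k = 1.0;
    while (len--) k *= charset;
    return k;
}

int main(void) {
    char salt[3];
    for (unsigned s = 0; s < 3; s++) {
        salt_from_seed(seed_without_rtc(s), salt);
        printf("boot+%us -> salt %s\n", s, salt);
    }
    printf("distinct salts in a 60 s boot window: %d of 4096\n",
           count_distinct_salts(0, 59));
    printf("DES-effective key for buster2020: ");
    des_effective_password("buster2020", salt + 0 - 0 + 0 == salt ? (char[9]){0} : NULL);
    char eff[9];
    des_effective_password("buster2020", eff);
    printf("%s\n", eff);
    printf("printable-ASCII 8-char keyspace: %.3g\n", keyspace(95, 8));
    return 0;
}
```

The takeaway for anyone auditing similar firmware: the salt space is the boot window, not 4096, and the password space is 95^8 at most regardless of how long the configured password is, which is why John the Ripper finished in seconds in the comments above.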
great video, subbed!
Great Video !
what linux distro and UI are you using? I like the multi-shell interface setup, it has a nice retro-flair.
John the Ripper was able to crack that hash using its own password list on my laptop in under a minute! I wasn't sure it was going to be correct, but watching the rest of the video, it turns out it was! What are the chances?! Still great work on your part to unravel that the way you did!