Nice. Looks fairly simple.. I'd imagine you had some GPU power to get done so quickly. While you likely wouldn't find this string in a rainbow table, the combination of 9 lowercase letters and 0-9 gives us 9^36 iterations to get through. Modern CPUs and GPUs could knock that around quickly. Few hours at most.
I know the hash has been cracked now, but if you wanted to get into the older firmware without having to do a chip-off you could also have tried interrupting the boot process a few times, ideally with a reset. This would simulate the crashing firmware that this sort of A/B deployment is supposed to protect against and may have caused the boot loader to fail back to the old version.
It has? In what video does he do that? I couldn't find that hash in those pre-computed lookup tables and using leaked password lists didn't work either. I doubt he could brute-force that hash
Good question! I discussed it in the first video. The bootloader prints out the password hash of what you enter for a password attempt. So I was able to type "password" in, hit enter, and confirm that the password matched the unsalted sha256 hash of "password"
Says it will take a month but im having trouble getting both cpu and GPU running at same time... I don't have much experience with hashcat so if anyone knows whats going wrong im using hashcat launcher
I'm trying to put together a playlist about all my tools but that's a work in progress. For getting UART access you really just need a simple TTL-232R cable: ftdichip.com/products/ttl-232r-3v3/
Haha thanks for asking! Doing good. Closing on a house so that's been taking a lot of my free time lately. Will post new videos after that is finished.
The fact they patched the backdoor before rugging their customers is an even bigger FU / kick in the teeth to them. Not only are they pretty much bricking your camera but denying you the chance to modify it to stream to local storage 😡
Sir, i have been facings problems on my blutooth speaker, every time I turn it on it prompted heavy annoying sounds like "Bluetooth pairing is on" "usb mode" etc. How can we remove these prompts, or customise the blutooth device name. Also could we make a device which could connect to multiple bluetooth devices and simultaneously output all of them from one source/smartphone 🤔
I'm guessing they beefed up their passwords after this recent CVE: nvd.nist.gov/vuln/detail/CVE-2016-10115 One option may be to fuzz the UART inputs? Perhaps something in the password check logic may have a bug
Hey Matt, loved the video as per usual. I’ve cracked the hash for the boot loader, the password is: ngpriv106
Wow, that was fast! How did you manage that?
Damn that was quick, nice job!
I am interested to know too. Sharing is caring
Nice.
Looks fairly simple.. I'd imagine you had some GPU power to get done so quickly.
While you likely wouldn't find this string in a rainbow table, the combination of 9 lowercase letters and 0-9 gives us 9^36 iterations to get through. Modern CPUs and GPUs could knock that around quickly. Few hours at most.
Absolute Legend!
What a goldmine of a channel!
true i just found his channel yesterday and it's very educating to watch !!
I know the hash has been cracked now, but if you wanted to get into the older firmware without having to do a chip-off you could also have tried interrupting the boot process a few times, ideally with a reset. This would simulate the crashing firmware that this sort of A/B deployment is supposed to protect against and may have caused the boot loader to fail back to the old version.
It has? In what video does he do that? I couldn't find that hash in those pre-computed lookup tables and using leaked password lists didn't work either. I doubt he could brute-force that hash
nvm, I missed the fixed comment somehow
Bruh this is top quality content. Thank you so much 🙏
Great video Matt, amazing explanations. Very easy to follow and understand!
Thanks Matt....Great video.
Thanks for the videos I learned a lot from your videos.
Hi @mattbrwn...
Just discovering your channel now...
Where are you on part 4 of this serie?? :D
Awesome videos, keep it up!
Device got bricked.
@@mattbrwn That's a shame! I was really looking forward for more!
Thanks!
@@mattbrwn
WHAT THE BRICK!
@@mattbrwn😢
I would sponsor a new one just to see the video!
Damn man you're good!
I like how you show your discovery process, so much awesome tricks!
Is it not possible for you to write your own known hash into the flash chip raw data dump or is this data retained in the armarello chip??
This should be possible. I'm working on this method for a future video.
Did you end up making the 3rd video in this ARLO Q series?
Unfortunately my device got bricked so I wasn't able to make the next video.
@@mattbrwn That's too bad, how did that happen? 😯
Hey Matt thanks for the video. How did you know that the hash was unsalted? Was it in a previous video?
Good question! I discussed it in the first video.
The bootloader prints out the password hash of what you enter for a password attempt. So I was able to type "password" in, hit enter, and confirm that the password matched the unsalted sha256 hash of "password"
@@mattbrwn
What a legend!
Great video
Amazing as always !ganbatte!!
Here i come hash cat.. guess the rainbow road was to easy a route
Is there more coming??
Very interesting videos!
Says it will take a month but im having trouble getting both cpu and GPU running at same time... I don't have much experience with hashcat so if anyone knows whats going wrong im using hashcat launcher
What tools would you recommend for a beginner
I'm trying to put together a playlist about all my tools but that's a work in progress.
For getting UART access you really just need a simple TTL-232R cable:
ftdichip.com/products/ttl-232r-3v3/
Really good content
bom video matt: o bootloader é u-boot ?
No this is not uboot. Ambarella SoCs use a custom bootloader called amboot.
Any updates on what happened with the arlo?
Hope all is alright
Haha thanks for asking! Doing good. Closing on a house so that's been taking a lot of my free time lately. Will post new videos after that is finished.
The fact they patched the backdoor before rugging their customers is an even bigger FU / kick in the teeth to them. Not only are they pretty much bricking your camera but denying you the chance to modify it to stream to local storage 😡
Maybe somthing like if (1=1) may work
Cool video . But GPIO simply means general purpose input / output pin. GPIO isn't any type of mechanism..
Sir, i have been facings problems on my blutooth speaker, every time I turn it on it prompted heavy annoying sounds like "Bluetooth pairing is on" "usb mode" etc. How can we remove these prompts, or customise the blutooth device name. Also could we make a device which could connect to multiple bluetooth devices and simultaneously output all of them from one source/smartphone 🤔
check out darieee . he does that kind of thing.
I'm guessing they beefed up their passwords after this recent CVE: nvd.nist.gov/vuln/detail/CVE-2016-10115
One option may be to fuzz the UART inputs? Perhaps something in the password check logic may have a bug
I thought this was going to be the case as well! check the pinned comment! someone cracked it already 😂