Accessing UART Console on 4G LTE Router - Hacking the Mercusys MB110

21,239 views

Matt Brown

1 day ago

Comments: 88
@redbearrc6706 · 1 month ago
Learning hardware hacking for a month now to get access to some IPC cameras and install OpenIPC. Then I found your channel and I really like this kind of hacking. I made some mistakes along the way, blowing up or ruining some hardware, but I am learning on the job ;-) Great tutorials, Matt. I am 64 but learning every day.
@tisme1105 · 1 month ago
Never too late, mate. Got my major CVE when I was 45 and I feel 70 anyway :P
@redbearrc6706 · 1 month ago
@tisme1105 Sorry, but what is CVE?
@colingale · 1 month ago
If you are going to play with OpenIPC then I must recommend you get the new Dangerous Prototypes Bus Pirate. It allows you to talk to most CPUs at most voltages, in most protocols ("languages").
@tisme1105 · 1 month ago
@redbearrc6706 Common Vulnerabilities and Exposures. Vulnerability basically meaning a security flaw that can be exploited.
@BrickTamlandOfficial · 1 month ago
It is awesome when you make mistakes and fry really cheap hardware, so when you start working with expensive hardware you don't make those mistakes.
@invitamemaritooo5523 · 1 month ago
I have been watching your videos for a month now; you make it look so simple to understand that it's scary. This is something not many people are able to do. Thank you for sharing your knowledge and time with us.
@xenoxaos1 · 1 month ago
Mercusys actually provides their GPL tarballs. I'd start with that and check if they provide the U-Boot config and kernel configs. It's possible they have a hidden key command to unlock the terminal.
@herrZedt · 8 days ago
For those looking for shortcuts, the root password for that device (and many devices) is also recoverable (in hashed form) from the downloadable firmware update, which for Mercusys (a brand of TP-Link) is the usual 1234
@ClosetFemboy · 1 month ago
I ordered myself a T48 and some other equipment because of your videos. I am really interested in hardware hacking as I am slowly hitting the limits of what I can do with just software. I love your videos, thanks for the high quality work!
@damiangarcia609 · 1 month ago
Know people love your work, bro. I started watching your channel since the beginning. Brother, don't ever stop making videos, this is pure gold.
@Lyle-In-NO · 23 days ago
This is an absolutely amazing vid. Everything made complete sense, & I had no idea it is that "simple." Damn! I'm hooked & you got a new sub today, Mr Matt.
@dronus4x4 · 1 month ago
I really admire your methodical approach to your work. Very informative and easy to follow along. Thank you for creating these videos :)
@tisme1105 · 1 month ago
Worth noting that there may be other small windows during 2nd stage bootloader execution that would react differently to the flash glitch. Admittedly it's very fast, so a number of tries may be needed, and of course it might not drop into a simple/hush shell anyway. Much better to wire a button between GND and flash serial out to make it easier to control the glitch timing and avoid the chance of grounding something critical on the PCB by mistake.
@Piasecznik72 · 1 month ago
You can connect a pogo pin onto the chip and just short two wires. Much easier. Sure, floating wires could act like an antenna and introduce noise, but at that speed it should not be an issue. But if it does, just a 100K resistor to ground should do the job. Love your videos. Cheers!
@tisme1105 · 1 month ago
Same - me poking the live circuit board on boot at time-critical windows is a recipe for disaster :) but that's me :p
@zroozea · 1 month ago
Hello Matt, greetings from Mexico. Your videos are very good, especially for starting out on this path of hardware hacking, and I wanted to ask you to consider activating the AI dubbing of KZbin, since I found it more functional for watching your content. Thank you for everything!
@avivbintangaringga · 1 month ago
I'm from APAC region too, can't wait to see the next video!
@pierremartel3552 · 1 month ago
Learning every time I watch something here.
@th3v01d73 · 1 month ago
Really cool and super detailed video. Every time something new to learn. Love your work. 😍
@YouCanHasAccount · 1 month ago
There's probably a very precise point where you can apply the SPI glitch such that U-Boot is running but before it has read in the environment variables that contain the boot script. Too difficult to time by hand though.
@SlinkyD · 1 month ago
13:35 Early in the boot process are fields for 'icache' and 'dcache' with 2^15-16 values that look important. I don't dive as deep as you but I would explore that part just to see what it do.
@xenoxaos1 · 1 month ago
I and D cache are just level 1 cache on the processor for instructions and data... Unless there's a known hardware vulnerability that is related to them... It's just to make running the system faster.
@mask17ful · 1 month ago
I am a DevOps engineer, so some things are familiar to me when you are talking about Linux :) but now I know how other people feel when I tell them what I am doing at my job :) lol
@Andrew-tt2cx · 1 month ago
Another great video Matt!
@murrij · 1 month ago
Thank you so much for your work on this and sharing what you do.
@sonikempire · 1 month ago
Great content, keep up the good work!
@mi8377 · 1 month ago
Looking forward to part 2 :)
@pierremartel3552 · 1 month ago
Can I ask a question about the section at 14:39? We see the partition table of the flash, but in the creation process we see 'raspi' as the name of the flash. Does it mean that the OS used is based on the Raspberry Pi?
@tisme1105 · 1 month ago
The board is Ralink, and if it's SPI flash then raspi is likely not rpi related.
@xenoxaos1 · 1 month ago
It's a MediaTek actually. The raspi is probably a hacked-together part of the bootloader. The developer was probably doing dev work on the flash using an RPi. The Ralink could be a chunk of init code that was modified for support by copy-pasta and not changed.
@pauliusz · 1 month ago
@xenoxaos1 MediaTek bought Ralink and rebranded their chips.
@xenoxaos1 · 1 month ago
One thing that could be done to automate trying to glitch U-Boot is to have something watch the chip select line on the flash. It would probably hit it a few times before dropping into a place where you can glitch. If U-Boot reads updated configs after loading, it would use default bootargs. However it might only use default bootargs and ignore updated ones. All depends on how it was built.
@draeath · 11 days ago
You can also see which pin is ground through the solder mask, it's the only one bridged to the large copper plane under the mask.
@firex5250 · 1 month ago
Cool stuff as always.
@mikehensley78 · 1 month ago
This is something I've always wanted to do.... Ya know the cable TV boxes with TVR/DVR? I've always wanted to install my own Linux OS on one of those boxes and use it on my LAN to access my MiniDLNA server to watch my library of media. I come across those cable boxes at my local flea market all the time and have always wondered if that could be done.
@309electronics5 · 1 month ago
It depends. Some manufacturers lock down the hardware a lot. Others don't. I once tried it on a Humax but I could not get a bootloader shell or any output due to them having disabled the bootloader output at compile time. I had an IP phone which did have a U-Boot bootloader and some output, and it allowed interrupting boot, but I could not get a shell.
@olokelo · 1 month ago
Awesome video! The only Mercusys wireless router I had was running VxWorks - the same OS as NASA used for the Mars mission :o It's proprietary and doesn't have many tools to reverse engineer it. Ultimately I gave up on it. Has anyone here had experience reverse engineering VxWorks or any other non-Unix OS for such devices?
@xenoxaos1 · 1 month ago
VxWorks is a fairly common RTOS. Companies that need support and possibly changes made, and that require the testing and validation of VxWorks, will often pay for it. Others needing an RTOS will often use an open source one.
@0q2628 · 1 month ago
Me :) I have a TP-Link PLC kit that seems to have some kind of VxWorks firmware. But it's really weird and I haven't found anyone that had the same type yet. But I got the credentials for the SSH server that's running on there by intercepting them from the app; the username is "dropbear" and the password the one from web management. Doesn't open a shell though :(
@xenoxaos1 · 1 month ago
19:00 The flash type is also listed in U-Boot most of the time.
@billf.2960 · 1 month ago
Nice to include that this would probably be the same chipsets in these new UAVs.. they sure are different than the one puttering around the inside of my house for fun.. fast man.. how much lithium is scattered over the new battlefields.. no need to recycle I suppose.. but this would be the same chipsets more than likely in any UAV found.. and how to access the programming.. whatever condition it would be found in.. small chip.. easy read with the reader you use.. ordering one.. not for anything important as UAV, but home cameras.. and the fact that countries allow these cameras to be placed all around their countries..
@20081toby · 1 month ago
If I might ask, what do you use for getting your voltage reading on the screen? I'm currently making some educational videos for work and having voltage visualized would be awesome!
@ikocheratcr · 1 month ago
He made a video not long ago on how he set that up.
@DomGregori · 1 month ago
Is there any project that anyone knows of that can monitor the UART and apply the glitching when it sees a certain text pattern? I know there's the ChipWhisperer but that seems overkill for hobby hacking.
@bmacd11b · 1 month ago
Does your occupation take you over there regularly, Matt?
@FlandersKen · 1 month ago
You have the best fun, I bet.
@hkfuertes · 1 month ago
I have a question... I see you in lots of videos trying to dump the ROM... is that the same as binwalking the update file they usually provide?
@tisme1105 · 1 month ago
Depends on a number of things: is the update encrypted? Is the data on flash? Does the update file include all bootloader stages? Even if so, reading the flash will also give you things like the user config and the U-Boot env partition, etc.
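The reply above lists two things a flash dump gives you that a binwalked update file may not: the U-Boot environment partition and a view of whether the data is encrypted at all. The block below is an added example (not code from the video or from Mercusys/TP-Link) that locates and decodes a U-Boot environment in a raw dump and estimates entropy per region. It assumes the standard single-copy U-Boot env layout (a 4-byte little-endian CRC32 over the data area, then NUL-separated `key=value` entries ending in a double NUL, padded to the partition size); redundant two-copy environments with an extra flag byte are not handled. The sample dump, the 0x1000 partition size, and the variable values in it are constructed placeholders, not the real device's.

```python
"""Triage a raw SPI flash dump: find and decode the U-Boot environment
partition and estimate whether a region is encrypted or compressed."""
import math
import os
import struct
import zlib
from collections import Counter
from typing import Optional

ENV_SIZE = 0x1000  # assumed partition size for the constructed sample


def build_uboot_env(entries: dict, size: int = ENV_SIZE) -> bytes:
    """Serialise entries the way U-Boot stores them: CRC32 header + data area."""
    body = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in entries.items()) + b"\x00"
    if len(body) > size - 4:
        raise ValueError("environment does not fit in the partition")
    body = body.ljust(size - 4, b"\x00")  # the CRC covers the whole padded data area
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + body


def parse_uboot_env(blob: bytes) -> dict:
    """Decode an env block. A CRC mismatch raises ValueError; that is the case in
    which U-Boot itself discards the stored environment and uses its compiled-in
    defaults (the "default bootargs" behaviour mentioned in the comments)."""
    if len(blob) < 5:
        raise ValueError("block too short")
    stored = struct.unpack("<I", blob[:4])[0]
    body = blob[4:]
    if zlib.crc32(body) & 0xFFFFFFFF != stored:
        raise ValueError("CRC mismatch: corrupt environment or not an env block")
    env = {}
    for entry in body.split(b"\x00"):
        if not entry:
            break  # double NUL terminates the list
        key, sep, value = entry.partition(b"=")
        if not sep or not key.isascii() or not key.isalnum() and b"_" not in key:
            raise ValueError("entry is not key=value text: not an env block")
        env[key.decode("ascii")] = value.decode("ascii", "replace")
    return env


def find_uboot_env(dump: bytes, size: int = ENV_SIZE, align: int = 0x1000) -> Optional[int]:
    """Scan the dump at erase-block boundaries for a non-empty env whose CRC validates."""
    for off in range(0, len(dump) - size + 1, align):
        try:
            if parse_uboot_env(dump[off:off + size]):
                return off
        except ValueError:
            continue
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8). Close to 8 over a whole region means
    encrypted or compressed data, which binwalk cannot simply carve apart."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed sample dump: erased flash, an env block at 0x2000, more erased flash.
SAMPLE_ENV = {
    "bootcmd": "bootm 0x50000",  # placeholder values, not the real device's
    "bootargs": "console=ttyS1,57600n8 root=/dev/mtdblock4",
    "bootdelay": "3",
}
SAMPLE_DUMP = b"\xff" * 0x2000 + build_uboot_env(SAMPLE_ENV) + b"\xff" * 0x1000


def triage_dump(dump: bytes = SAMPLE_DUMP) -> dict:
    """Locate the env, decode it, and compare its entropy with a random region."""
    off = find_uboot_env(dump)
    region = dump[off:off + ENV_SIZE] if off is not None else b""
    return {
        "env_offset": off,
        "env": parse_uboot_env(region) if off is not None else {},
        "env_entropy": round(shannon_entropy(region), 2) if off is not None else None,
        "random_region_entropy": round(shannon_entropy(os.urandom(ENV_SIZE)), 2),
    }


if __name__ == "__main__":
    for key, value in triage_dump().items():
        print(f"{key}: {value}")
```

The CRC check matters for more than detecting corruption: if a stored environment fails it, U-Boot falls back to its built-in defaults, so a device whose env block has never been written boots on whatever `bootargs` the vendor compiled in, which is the distinction the comment above draws.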
@JBNetwork · 1 month ago
Mercusys is TP-Link's entry-level brand.
@ParkwayProduction · 1 month ago
Rock on
@astrogerard · 1 month ago
Sometimes sending a terminal BREAK command can stop the boot process.
@ShakeryGO · 1 month ago
Is your environment bspwm? Or something else?
@mattbrwn · 1 month ago
i3wm
@buug76 · 1 month ago
I think these embedded systems disabled the SSL certificate verification because the SSL certificate has a short life, and it doesn't have the new chain. Instead of building a complicated system to update the certificate chain they disable the SSL verification (cheapest option).
@tankura · 13 days ago
Thanks for sharing 🙏🙏🙏🙏🙏
@andrew_kopp · 1 month ago
That SSH public key shows admin as the username, so probably not root being used as the login.
@HenryWu-rc5gw · 1 month ago
This device is an interesting target to hack because this company has built something called QuecPython, which means it provides an easy way to execute code on the LTE modem. The attack surface is very broad compared to other devices.
@FilmFactry · 1 month ago
Would it ever be in Chinese rather than English in the terminal?
@xenoxaos1 · 1 month ago
Often the bootloader is in English as it's either open source or designed for a worldwide market.
@FilmFactry · 1 month ago
@xenoxaos1 I was thinking that, but if you wanted to make it harder to hack, a Chinese firmware bootloader could cut many hackers out.
@tisme1105 · 1 month ago
@FilmFactry Only a little - I've had to use Google Translate in some cases for non-English strings when sec testing IoT - but if you are disassembling/reversing code in IDA/Ghidra anyway, then most of what you are looking at is ARM instructions or C pseudocode anyway.
@aure_eti · 1 month ago
This device is running a MediaTek CPU, is it too vulnerable? I remember some if not all MediaTek chips were at years ago
@tisme1105 · 1 month ago
I found an unpatchable vulnerability on a recent, still-in-production ARM SoC last year to bypass secure boot (not MediaTek) and break the chain of trust to exec unsigned code, so always worth checking.
@xenoxaos1 · 1 month ago
Unless something on the console says secure boot or signed image/kernel, accessing flash is just a lot easier.
@tisme1105 · 1 month ago
@xenoxaos1 My comment was more general rather than about this specific device. But in this case, yeah, I don't see any signs of verification, so it's very unlikely the flash data is encrypted. Usually bootloaders shout about secure boot if it's in place (not that secure boot necessarily means encrypted data one way or another).
@xenoxaos1 · 1 month ago
In regards to finding a vulnerability, it is using a really old buildroot and kernel. Checking CVEs etc could find something.
@tisme1105 · 1 month ago
@xenoxaos1 Definitely. A host of other open source programs/libraries too.
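The thread above (old buildroot and kernel, whether the console announces secure boot, and earlier the flash chip printed by U-Boot and the "raspi" MTD table) is essentially a checklist that can be run over the captured serial boot log. The block below is an added example, not code from the video: it parses a boot log into an inventory (bootloader version, kernel and Buildroot versions, flash chip, MTD partitions, console prompt, secure-boot hints) and attaches review findings. The sample log is constructed to resemble the output discussed in the comments (a 2.6.36 kernel, an MTD table on "raspi", the "press Enter" prompt); the flash chip name, dates and the `MIN_SUPPORTED_KERNEL` threshold are assumptions for the example.

```python
"""Triage a captured UART boot log for a firmware security assessment."""
import re

# Constructed sample of what a serial terminal would capture at boot.
SAMPLE_BOOT_LOG = """\
U-Boot 1.1.3 (Jan  1 2015 - 12:00:00)
spi device id: ef 40 18 0 0 (40180000)
find flash: W25Q128BV
Linux version 2.6.36 (builder@buildhost) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #1 Fri Jan  1 00:00:00 UTC 2015
Creating 4 MTD partitions on "raspi":
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x00e00000 : "Kernel"
Please press Enter to activate this console.
"""

# Assumption for this example: kernels older than this series are treated as
# long out of upstream support and flagged for a CVE review.
MIN_SUPPORTED_KERNEL = (4, 4)

UBOOT_RE = re.compile(r"^U-Boot (\S+)")
KERNEL_RE = re.compile(r"^Linux version (\d+)\.(\d+)\.(\d+)")
BUILDROOT_RE = re.compile(r"Buildroot ([\w.]+)")
FLASH_RE = re.compile(r"^find flash: (\S+)")
MTD_HEADER_RE = re.compile(r'^Creating \d+ MTD partitions on "([^"]+)"')
MTD_RE = re.compile(r'^0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) : "([^"]+)"')
CONSOLE_RE = re.compile(r"press enter to activate this console", re.I)
SECURE_RE = re.compile(r"secure boot|verified boot|signature", re.I)


def triage_boot_log(log: str) -> dict:
    """Extract inventory facts from a boot log and attach review findings."""
    info = {
        "uboot": None, "kernel": None, "buildroot": None, "flash": None,
        "mtd_device": None, "partitions": [], "console_prompt": False,
        "secure_boot_hint": False, "findings": [],
    }
    for raw in log.splitlines():
        line = raw.strip()
        if (m := UBOOT_RE.match(line)):
            info["uboot"] = m.group(1)
        elif (m := KERNEL_RE.match(line)):
            info["kernel"] = tuple(int(x) for x in m.groups())
            if (b := BUILDROOT_RE.search(line)):
                info["buildroot"] = b.group(1)
        elif (m := FLASH_RE.match(line)):
            info["flash"] = m.group(1)
        elif (m := MTD_HEADER_RE.match(line)):
            info["mtd_device"] = m.group(1)  # "raspi" here is the MTD device name, not an OS
        elif (m := MTD_RE.match(line)):
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            info["partitions"].append({"name": m.group(3), "start": start, "size": end - start})
        if CONSOLE_RE.search(line):
            info["console_prompt"] = True
        if SECURE_RE.search(line):
            info["secure_boot_hint"] = True

    k = info["kernel"]
    if k and k[:2] < MIN_SUPPORTED_KERNEL:
        info["findings"].append(
            f"kernel {k[0]}.{k[1]}.{k[2]} predates {MIN_SUPPORTED_KERNEL[0]}.{MIN_SUPPORTED_KERNEL[1]}: review CVEs for kernel and userland")
    if info["console_prompt"]:
        info["findings"].append("serial console prompt seen: check whether it asks for a password")
    if not info["secure_boot_hint"]:
        info["findings"].append("no secure/verified boot message seen: flash contents are probably unsigned")
    return info


if __name__ == "__main__":
    for key, value in triage_boot_log(SAMPLE_BOOT_LOG).items():
        print(f"{key}: {value}")
```

The MTD partition offsets it recovers are the same ones you would use to cut a raw flash dump into bootloader, config and kernel regions, so running the log through this first saves guessing where each region starts.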
@omegatotal · 1 month ago
FYI, audio levels on this video are low (YT reports Volume / Normalized 100% / 100% (content loudness -8.4dB)). Also, you probably should make a video explaining the basics of serial and how TTL differs, then just suggest people watch that.
@0xfadead · 1 month ago
I think you meant USART instead of UART, since UART is asynchronous
@nsec-t3d · 1 month ago
the goat
@dmitrysergeenko804 · 1 month ago
I saw it at 24:40, it says press enter to activate this console
@magoo9838 · 1 month ago
Great!!!!!
@StevenHokins · 1 month ago
Just press enter to activate console 😊
@MRooodddvvv · 1 month ago
I don't like how most of these "4G" routers are actually two complete routers inside: one being the 4G modem itself, which is usually running Linux too (some kind of stripped-down Android without GUI, to be exact), and another router connected to it over USB and acting like just a USB-WiFi/Ethernet bridge running full-blown Linux, which looks like ridiculous overengineering and just an ugly way of doing the job. There are still some normal 4G routers out there which do things the normal way by having all the router stuff on the 4G chip itself.
@showupshowout · 1 month ago
Mercusys is probably like why you choose us lol
@ivanmaglica264 · 1 month ago
Is this actually Linux? Device names match Linux nomenclature, but everything else is foreign
@ivanmaglica264 · 1 month ago
Found it, 24:35 Linux 2.6.36. Still, strange messages.
@309electronics5 · 1 month ago
Well, Linux is free and open source and can be tweaked the way you like, so it's not surprising.
@PiotrK2022 · 29 days ago
@Matt Brown 2:30 Oh man, rly? Don't shit urself... Personally I don't see any problem with that - preheater + some ChipQuik + hot air -> problem solved...
@CandyGramForMongo_ · 1 month ago
UART is not a protocol, it’s an interface. RS232 is a protocol.
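Two comments above argue about terminology (UART versus USART, and UART as an interface rather than a protocol); the underlying point is that an asynchronous serial link has no clock line, so both ends only agree on a bit rate and the receiver resynchronises on every start bit. The block below is an added example, not code from the video: a bit-level model of 8N1 framing that encodes bytes into line samples and decodes them by sampling each bit at its centre. It also shows what a baud-rate mismatch looks like at the receiver (garbage bytes plus framing errors), which is the usual reason a freshly connected serial console prints nonsense. The 16x oversampling ratio and the sample text are constructed for illustration.

```python
"""Bit-level model of an asynchronous serial (UART) link with 8N1 framing."""
from typing import List, Optional, Tuple

MARK = 1   # idle line level (logic high on a 3.3 V TTL-level UART)
SPACE = 0  # start bit level


def uart_encode(data: bytes, samples_per_bit: int = 16,
                parity: Optional[str] = None) -> List[int]:
    """Turn bytes into line samples: idle, then per byte a start bit, 8 data
    bits LSB first, an optional parity bit, and one stop bit."""
    line = [MARK] * samples_per_bit
    for byte in data:
        bits = [(byte >> i) & 1 for i in range(8)]
        frame = [SPACE] + bits
        if parity == "even":
            frame.append(sum(bits) & 1)
        elif parity == "odd":
            frame.append(1 - (sum(bits) & 1))
        frame.append(MARK)  # stop bit
        for level in frame:
            line.extend([level] * samples_per_bit)
    line.extend([MARK] * samples_per_bit)
    return line


def uart_decode(samples: List[int], samples_per_bit: int = 16,
                parity: Optional[str] = None) -> Tuple[bytes, List[Tuple[str, int]]]:
    """Recover bytes from line samples. Returns (data, errors) where each
    error is ("framing" | "parity", index_of_byte)."""
    out = bytearray()
    errors: List[Tuple[str, int]] = []
    nbits = 8 + (1 if parity else 0) + 1  # data + optional parity + stop
    i, n = 0, len(samples)
    while i < n:
        if samples[i] != SPACE:  # wait for the falling edge of a start bit
            i += 1
            continue
        mid = i + samples_per_bit // 2
        if mid >= n or samples[mid] != SPACE:  # pulse shorter than half a bit: noise
            i += 1
            continue
        # From the start-bit centre, every following bit centre is one bit time later.
        centres = [mid + (k + 1) * samples_per_bit for k in range(nbits)]
        if centres[-1] >= n:
            break  # frame truncated at the end of the capture
        vals = [samples[c] for c in centres]
        byte = sum(b << k for k, b in enumerate(vals[:8]))
        if parity:
            ones = sum(vals[:8]) & 1
            expect = ones if parity == "even" else 1 - ones
            if vals[8] != expect:
                errors.append(("parity", len(out)))
        if vals[-1] != MARK:
            errors.append(("framing", len(out)))  # stop bit not high: typical of a wrong baud rate
        out.append(byte)
        i += (nbits + 1) * samples_per_bit  # advance past the stop bit
    return bytes(out), errors


if __name__ == "__main__":
    msg = b"U-Boot 1.1.3"
    line = uart_encode(msg)
    print(uart_decode(line))                     # matching rate: clean text, no errors
    print(uart_decode(line, samples_per_bit=8))  # receiver twice as fast: garbage, framing errors
```

Because there is no shared clock, the decoder's only timing reference is the start bit it just detected; the tolerance on the bit rate comes from sampling at bit centres, and a 2:1 mismatch, as in the second call, makes every frame fall apart.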
@UncleKennybobs · 1 month ago
Be great if someone could unlock an Eero router to make it useful. The software makes it garbage.
@SeanBZA · 1 month ago
Got that exact router, it is made by Huawei.
@beaverbuoy3011 · 1 month ago
:()