Discovering a Hardcoded Root Password - Hacking the VStarcam CB73 Security Camera

121,261 views

Matt Brown

1 day ago

In this video, we discover a hardcoded root password in the VStarcam CB73 security camera.
Check out the blog post about this video series:
brownfinesecur...
Need IoT pentesting or reverse engineering services?
Please consider Brown Fine Security:
brownfinesecur...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
Raspberry PI Pico: amzn.to/3XVMS3K
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
website: brownfinesecur...
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nma...
#hacking #iot #cybersecurity

Comments: 378
@Dawidds77 1 month ago
Got a question. Is it legal to upload videos like this (with the precise product model and reverse-engineered pass)? Or maybe it depends somehow on the product/country/license/...? Great work on this channel I see, subscribed :)
@mattbrwn 1 month ago
Lol I sure hope it's legal 🤣 But seriously: Let's reverse engineer this thought process. Why would we, consumers who OWN a product, come to the belief that we need to seek permission to take apart, reverse engineer, and tell others about OUR OWN PROPERTY? 🤔 Doomers: You'll own nothing and be happy. Me: I'll pwn things and be happy.
@danmerillat 1 month ago
yes and no. it's supposed to be legal but sometimes assholes pay lawyers when they're embarrassed by what researchers find.
@dennis8196 1 month ago
you mean, is it legal for him to share a video training others how to improve security in their products, AKA how the chinese are stealing and cloning your products and even using your own firmware against you.
@Freddisred 1 month ago
@dennis8196 yes but replace Chinese with Everyone Ever and I agree 100%
@SiegeX1 1 month ago
@mattbrwn 4 letters, DMCA. Same reason it's technically illegal to rip a Blu-ray, although not enforced (at least en masse). Does that apply here, especially to a device not made in the states? Not sure, but you should be. I love the content, look forward to more, just make sure you cover your 6.
@crashowerride 1 month ago
I recently discovered this channel and it has become by far the most interesting one I have found in the last couple of years. I just have to say you are an incredible presenter, and every video just flies by. Looking forward to the next one. Cheers!
@WilcovanBeijnum 1 month ago
You should be able to tell ghidra to decode the password as a string! To do this, select the variable (local_8c, later renamed to password), and change its type to `char [9]` (8 letters plus null byte) by pressing ctrl+l (or right click and retype variable). Then, ghidra should hopefully change the hex value to a string!
@mattbrwn 1 month ago
nice! I'll give this a shot.
@RowanHawkins 1 month ago
I wouldn't limit the string length though. Can it instead do a string until a null?
@theycallmeken 1 month ago
Good looking out!
@MichaelOfRohan 1 month ago
@RowanHawkins that's assuming the password is both a plain string and that it's null terminated
@rickr530 1 month ago
@RowanHawkins Yes you can. Just tell it to reinterpret the data as a C string and it will do the rest.
@JoeBurnett 1 month ago
The KZbin algorithms have gifted me the knowledge of your channel today! Looking forward to watching more of your videos!
@cffcs 1 month ago
Once again, love your content. You remind me of a boy I went to school with in the 80s. Great kid. He was a geek when geeks were not cool, but I considered him a friend and would take care of him and make sure no one picked on him. He invited me to his house one day. His room looked like yours, and he was showing me all this computer-related stuff. It was just exciting watching him and how much he loved everything computer-related. I remember his mother walking in. She was an absolutely beautiful woman, married to a science geek from RDU Science Labs. But she stood there and watched as her son was excitedly explaining everything to me and how happy he was to have me over there. She thanked me, invited me for dinner, and drove me home afterward. I will never forget this. She thanked me for making sure no one picked on or bullied her son and thanked me for being his friend. It broke my heart to listen to his mother talk about how people had treated him his entire life just because he liked computers. I promised her that while I was in school, no one would mess with him. And when I was not there, I had the guys I sat with during lunch, "The Cool Table," allow him to sit with them, as there were kids in our lunch who would pick on him. During middle and high school, this kid flourished, as no one messed with him anymore after I and the boys I hung out with all became friends with him. Even though I did not make it to high school, the crowd I hung with did, and they always made sure he was OK. I saw him about 20+ years ago. He was doing well for himself and was happily married. He introduced me to his wife and kids and the boy who helped him become the man he is today. I hope he is still doing well. Take care, Matt, and continue doing what you love and enjoy. Mine is designing websites and working on Delphi Software. Wayne
@uwu_meow. 1 month ago
29:45 the reason why the rand seed is the same within a close time period is because of the way calling time(NULL), or as Ghidra is showing it time(0x0) which is null, works: time() returns the unix timestamp to the second it was called, so when you spam-run the program the hashes will be very close, and since the camera has no way of persisting time on bootup it will always return the same salt, which means rand() will always output the same "randomness"
@kaseyboles30 1 month ago
This can actually be a useful feature. If you know the inputs and the algorithm you have predictable output. If you don't know the input then the output is effectively random. Some encryption schemes depend on this. Mind you doing encryption right isn't trivial so diy encryption systems are generally about as secure as a zip tie on a vault door, sometimes up to a padlocked chain. They only keep the honest or very lazy out.
@danmerillat 1 month ago
Dollars to donuts this function is called on factory reset as well as initialization, and that could happen any time after boot. They could have 'tested' by factory resetting and seeing different salts, not realizing that the first run would produce a very narrow set of salts.
@danmerillat 1 month ago
The device may have a Real Time Clock (rtc), or the development board they were using did, so when testing they were getting different time values each run. The production units, though, were all at the RTC reset value + bootup time. It's a common mistake I've seen in embedded development.
@RowanHawkins 1 month ago
@danmerillat neither of which matters if they hard code a password. Back in the 90's when we used crack... before hashcat. This password would have been broken because it didn't just work through a list of known passwords (dictionary), it modified the strings to generate new passwords. Granted, it took a lot more compute to run. That should be relatively negligible these days.
@4crafters597 1 month ago
So looking at some docs time(null) gives the current time, if you say within one second you could just work through all of the reasonable seconds? Why is this not returning time based on milli- or microseconds (clock speed dependent obviously)?
@freerice9595 1 month ago
Watching professionals work is so satisfying. You probably make a bunch of people think "that looks easy. I can do this!" When in reality it's because that's just how good you are at it.
@ozzelot3349 1 month ago
Exactly. It would take me hours just to figure out the type of the hash, not to mention the days of concentrated effort I'd need to get that far.
@biggusdickus8452 1 month ago
A lot of it is reading manuals found publicly (and sometimes privately) as well as google and practice.
@thegrumpytexan 1 month ago
It's the mark of a good teacher, too.
@fonesrphunny7242 1 month ago
@thegrumpytexan Being good at something doesn't automatically make a good teacher. Teaching is a skill by itself.
@D3nchanter 1 month ago
agreed, I understand a lot of what is going on here, but not enough to piece it together like he can. I'd get lost down a lot of unprofessional inexperienced rabbit holes along the way... this would take me weeks or longer to get through all of this. Some of these tools I didn't even know about (like ghidra ...edited, I found the spelling elsewhere lol) or just typing in the pw he extracted backwards lol. Granted, I'd probably add basic things like the company name, the 2017, etc, to a password candidates file to try cracking it even with brute force methods to decrease time. So... maybe I'd have cut my time to access down a lot, but probably nowhere near his speed.
@TheShutterNinja 1 month ago
Please keep spoiling us all with frequent video releases!
@RandyFortier 1 month ago
Literally as simple as a binary CTF challenge, as long as you can get the firmware. This is great content!
@Meriphistimo 1 month ago
Very well done! As a person who started his IT career as a trainee computer operator feeding programs into mainframes on punch cards, and who gave up programming about the time C first emerged to start a career as a project manager instead, I can say what you were explaining is right up there with describing electricity to a Neanderthal (me). That said, I managed more or less to keep up with what you said you did to crack open the password. Along the way you clearly demonstrated a deep knowledge of the tools, command line prompts and their uses that enabled you to tease open what was going on. I'm in awe of your obvious expertise and experience, and your ability to convey your work in a manner that even a dinosaur can get his head around. I'd say you have a very bright future in technology, and you'd be very welcome to come work on any project I'd be running to deliver technology in this space. 😄
@logmeindog 1 month ago
Excellent video!! Thanks! I paused the video at 18:00 and ran Hashcat myself. Took 36 seconds to brute force. Chinese security is #1!
@nicholas4839 1 month ago
What did you run hashcat on?
@xproton 1 month ago
@nicholas4839 I ran: hashcat hash.txt -a 3, 1080TI, Started: Wed Jul 24 16:25:40 2024, Stopped: Wed Jul 24 16:28:24 2024, result: uTV43RfKc73oM:20170912
@zonig6061 1 month ago
@nicholas4839 his brain
@repatch43 1 month ago
To be fair, I don't think they were really concerned about security as you require physical access to the thing to do anything, and to be frank, once you have physical access it's REALLY hard to prevent a device from being cracked without hardware mitigations (like what iPhone does with their enclave, or POS terminals do with their self erasing volatile storage if the device is tampered with). I'd expect the same (or less) amount of 'security' for any north American device of similar nature.
@danmerillat 1 month ago
Nice, beat me by 2 seconds, john took 38 pure CPU.
@cherrymountains72 1 month ago
Very nice Matt, your channel is gaining traction which is well-deserved!
@bobkruijer 1 month ago
Thanks for running through the whole process as you did it initially, super interesting. And kudos for the shout out to Joe Grant, that time video was awesome as well 😊
@mattbrwn 1 month ago
Thanks :) and yes all of Joe Grand's content is super high quality!
@wardriver1980 1 month ago
Awesome video! As an embedded developer, I used to do lots of hardware hacking including UART / debug console related stuff, u-boot, kernel args, root file systems, etc. I haven't been digging too much into password cracking and reverse engineering of programs. Watching you doing this kind of magic with hashcat and ghidra was pretty remarkable and makes me wanna try it myself. 😄 Unfortunately 90 % of my working time is not development and engineering anymore but documentation and project management. So for the time being I'll stick to your videos and enjoy the amazing things you're doing. Keep it coming. 👍
@Kyzyl_Tuva 21 days ago
There is not a single “security” camera (or other IOT device) on the market that cannot be hacked. Rather easily actually. I love Matt’s ingenuity and persistence.
@stargazer7644 18 days ago
There isn't a single device with a microprocessor in it that cannot be hacked if you have physical access to it.
@milicode5756 1 month ago
As a programmer, I get more scared every time I watch Matt's videos 😂 This is the best channel I could ever find.
@muhammedibrahimtekin109 1 month ago
Amazing video as always, you rock!
@CorollaGTSSRX 1 month ago
Dude, you're killin it!!!! Keep it up and you'll be the up there with John Hammond!
@rbw9692 1 month ago
I agree
@xenoxaos1 1 month ago
Soldering serial points I use pieces of thin gauge silicone wires instead of enameled wire.... Less stress on the pad and less risk of lifting the pad.
@RamonInOrlando 1 month ago
Thanks for the tip 👍
@Jimmeh_B 1 month ago
I just solder straight to them and knock up a strain relief with two screws straight into the bench top. I actually have a designated spot for this since, though I could care less about the number of holes in my desk (seems the more holes you have, the easier it is to jerry rig setups while simultaneously making it exponentially easier to lose SMCs). Just gotta keep your temps down.
@delayslot5601 1 month ago
Clearly a hidden gem channel.
@danmerillat 1 month ago
in answer to your question @27:23 "why does it act this way?" you're supposed to use a random salt to avoid it being a simple table lookup so they copied some sample password change code from elsewhere and replaced the function argument with a hardcoded string. The failure was doing the crypt() there at all rather than hardcoding a pre-hashed default password. Another note: recognizing "numbers" that are really just ASCII strings is an important skill when reversing. local_8c stood out the instant you loaded the function. You spent some time looking at them later but it's a useful shortcut to identify probable-text early on.
@Dobendanx 18 days ago
This, especially to be able to read numbers (their ascii representations are just 0x3N for N being your digit) is really helping your pattern recognition
@philipp__3671 1 month ago
Very nice as always! You might want to update your hashcat. At some point last year, Hashcat gained the ability to autodetect hashtypes so you don't have to go looking for them anymore. You can also add a username into the hash too, but I don't know the syntax. Probably after the hash if I had to guess, like hash:user . You might want to look up some of Ippsec's HTB videos where he uses hashcat or look into documentation.
@mattbrwn 1 month ago
Oh awesome! I didn't know this. Thanks for sharing 😃
@jayfowler4747 1 month ago
Love your vids... I only wish that when i was younger I had access to the wealth of knowledge the internet holds, and the cheap technology and computers that are around now... I was scratching around with no computer and rs and maplin catalogues as my reference sources to find pinouts etc... how things have changed...
@stanislavsmetanin1307 19 days ago
I am applauding standing ... Amazingly great video. Structured, informative, interesting. Thank you!!
@woolfy02 1 month ago
Those PCBite probes are pretty cool! Looks a lot easier than how I have mine setup ("Helping hands" tape and sewing needles lol) Definitely going to pick one of those up. Thanks for listing what you use for your setup and great video as always!
@AlanAshton 1 month ago
With modern consumer GPU throughput, I might even expect brute forcing an 8 digit password to be faster than the IO from a 100MB file. Now, with that said, I found your way to be pretty awesome. One of my favorite moments when it comes to cracking firmware password was watching the discord server for Marco Reps when an unsecured STM32 was read and we were all sortof looking at the binary dump and there was this random word in it. He tries it, and it works!
@realavdhut 1 month ago
bro found this channel 2 days ago almost binge watched all your fkin videos. you are amazing
@dingokidneys 1 month ago
Very nice and well explained. Look forward to the next one.
@Kabodanki 1 month ago
very cool to do that, my young nephew is having a blast trying to hack into an old router. my dude knows more than me
@makers_lab 1 month ago
Enjoyed this, good analysis. Having plain strings in code makes things a lot easier :) To not make things quite so easy, in our code we use automation to obfuscate all strings except any that we want people to trivially find. We use a mix of emacs macros to obfuscate strings at the point of writing or maintaining code, either triggered interactively with a couple of keystrokes or in a batch process, and in sources where it's infeasible to manually identify strings to manipulate, we use a custom antlr based parser that's aware of the source syntax to identify such strings. Being language and context aware, the tool can exclude cases where it's unsafe or unnecessary, such as a string passed to sizeof() or being passed to certain macros, used in comments etc. With such tools, the process of having almost all literal strings manipulated in a very large codebase is manageable. Obviously the mechanisms for restoring data hidden in this way can be reverse engineered, but at least someone can't just run strings, grep, do a search in ghidra etc. and find them within a few seconds of getting their hands on the binaries.
@fiskebent 25 days ago
I can only imagine how long doing this took and condensing it down to the smooth process you show is really appreciated.
@codymcdermott2695 18 days ago
I love that you walked through what things did, and why you needed to do them to get what you want
@boroxx8863 18 days ago
I usually dont comment on videos. But i have to tell you this is by far the most interesting video i have watched about hardware hacking! Keep up the good work
@Mosern1977 16 days ago
As a software developer it was interesting to see how you attacked it. Breaking in is like finding breadcrumbs, you get there little by little.
@luiscoelho6985 1 month ago
What the hell is this? And why can't I stop watching this? 😂😂 This is awesome, this is what I dreamed of learning when I was a kid but never did... awesome content even if I don't know anything about it! 😂
@suki4410 1 month ago
I am no coder, but I can roughly follow your steps, and it was really interesting for me!
@jaysonrees738 1 month ago
I'm definitely learning stuff here. Can't do this stuff on my own yet, but seeing it done with explanations is massively beneficial. Your channel is a gold mine!
@teeceetime2 1 month ago
Best hardware RE content on the platform! Great work!
@mattbrwn 1 month ago
Thanks 😎❤️
@viniciusvbf22 1 month ago
Man, I did things like these all my life and I thought I was alone. So nice to find someone else who knows basically the same things! Well done!! 🙂
@wouldntyaliktono 18 days ago
This dude is either already on a list, or working for the people that make the lists.
@mattbrwn 18 days ago
If you're not on some list you're doing it wrong.
@filbrinza666 1 month ago
It is amazing seeing a pro working. It looks easy because you explain it in a very understandable way. Just perfect, i wish I'v encountered your channel way earlier. Sub + thumbs up. Waiting impatiently for the following part 🎉
@SkyOctopus1 7 days ago
Really well done, that was a remarkably accessible example of how to get root!
@unh0lyav3ng3r8 1 month ago
i love your easy way of explaining without being too high or low level.
@joseamirandavelez 4 days ago
Really cool video. Explained in a simple way that makes you feel brave enough to try it!
@HenryKlausEsq. 1 month ago
Just finished watching the first part. Hell yes.
@krazybubbler 14 days ago
Very cool presentation. Great channel! Thank You!
@ColinMcCormack 1 month ago
That was great, thanks. The password is clearly the release date of that version of the firmware. Other instances of that device (with different firmware) will have different passwords. Obviously you have shown that there are only 365 different possibilities with that scheme they've adopted. Just mentioning this in case someone tries your password on a different fw version
@mattbrwn 1 month ago
Yep! weak passwords are always easily brute forced in retrospect.
@ColinMcCormack 1 month ago
@mattbrwn I'm not minimising the effort or skill you put into uncovering the password. I am merely concerned that your throw-away remark that all the devices of that model in the world shared the same password not discourage anyone who tested that hypothesis and falsified it
@eversurfer 1 month ago
Understood perfectly! Because I am a C programmer and all the grep commands. Format strings and egrep or a "find" of a string.
@Firewall422 1 month ago
Awesome stuff! I saw your most recent video and went back to your previous videos to learn about the firmware extraction and now this. Wanted to recommend maybe adding mid-video links (and video description links) to previous videos about reverse engineering this camera, just to make it easier for viewers to watch more of your videos
@TimTheBeastNL 1 month ago
The previous video was really helpful. I think I want to extract firmware from a device in the future and it really helped!
@huboz0r 1 month ago
This looks like a setup, that uart header was just too obvious. ;) Great video again!
@ripplerxeon 1 month ago
Really interesting, I like the approach to the password, I would have not guessed that it was in reverse , great work 👍
@mirono3099 1 month ago
These videos are great. Gets me interested in programming
@mynamesgus4295 1 month ago
I don't have the slightest bit of knowledge about reverse engineering but this looks amazing
@the_schreiber 1 month ago
A salt doesn't need to be truly random, the shtick of hash salting is to avoid rainbow tables and it can be an arbitrary number
@MikkoRantalainen 1 month ago
Yes. But if the salt is taken from time without a battery backed clock, the time is probably N seconds since boot and if the root password is set during initial boot of the system, the salt would be nearly always the same (probably same amount of seconds +/- one). However, crypt() with DES encryption is fast enough to run on GPU to be cracked in seconds without having any password lists. Even if the device had truly unique random passwords which are 8 characters long, it could be cracked very rapidly simply by brute forcing all 8 byte long ASCII strings with an offline attack. And if you're not interested in the actual hardcoded root password, you could simply overwrite the hash with your own password once you boot the system by using /bin/sh as your init replacement.
@furmek 1 month ago
@MikkoRantalainen Does it matter if the salt is random or not? It is stored as plain text in /etc/passwd. The only use case where I see a difference would be if you had a large number of salted password hashes with the same salt - you could prepare a rainbow table for that specific salt. The point here should be the fact that getting a decent seed for pseudorandom on embedded or locked down devices is hard, while using a repeatable salt on passwords (in this case!) means very little.
@MikkoRantalainen 1 month ago
@furmek The point is that if a given class of device always uses one of three possible salt values, it's indeed possible to create a single set of rainbow tables for all those devices. If you're not afraid of rainbow tables, why use any kind of salt ever?
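The seed reuse discussed in the @uwu_meow. / @danmerillat thread above (srand seeded from time(NULL) on a device with no battery-backed clock) and the "how many salts does a fleet actually use" question in this thread are the same mechanism. The following is an added example in C, not the camera's firmware: how the original code turns rand() output into salt characters is an assumption here, and because rand() differs between glibc and the camera's libc it reproduces the pattern, not the camera's exact "uT" salt. What it shows is that with the seed pinned to boot time, the number of distinct salts across every unit is bounded by the width of the provisioning window, so a handful of precomputed tables cover the whole fleet.

```c
/*
 * Added example, not the camera's firmware. It reconstructs the pattern the
 * thread describes: a crypt(3) salt pulled from rand() after srand(time(NULL)).
 * How the original code maps rand() to salt characters is an assumption; what
 * matters is that a device with no battery-backed clock boots with the same
 * time() every power-on, so the seed, and therefore the salt, repeats.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* The 64 characters a traditional crypt(3) salt may contain. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Two-character salt derived from a seed. rand() is deterministic per seed,
   so equal seeds always yield equal salts (on the same libc). */
void make_salt(unsigned int seed, char out[3])
{
    srand(seed);
    out[0] = SALT_CHARS[rand() % 64];
    out[1] = SALT_CHARS[rand() % 64];
    out[2] = '\0';
}

/* 1 if s is exactly two characters from SALT_CHARS. */
int salt_is_valid(const char *s)
{
    return strlen(s) == 2 && strchr(SALT_CHARS, s[0]) && strchr(SALT_CHARS, s[1]);
}

/*
 * Number of distinct salts a fleet produces when every unit sets its root
 * password with seed = clock_base + uptime, and uptime at that moment falls
 * in [0, window). clock_base is the RTC reset value (0 for the Unix epoch).
 * There are only 64*64 possible salts, so the bookkeeping is a small bitmap.
 */
int count_distinct_salts(unsigned int clock_base, unsigned int window)
{
    unsigned char seen[64 * 64] = { 0 };
    int distinct = 0;
    for (unsigned int t = 0; t < window; t++) {
        char s[3];
        make_salt(clock_base + t, s);
        int idx = (int)(strchr(SALT_CHARS, s[0]) - SALT_CHARS) * 64
                + (int)(strchr(SALT_CHARS, s[1]) - SALT_CHARS);
        if (!seen[idx]) { seen[idx] = 1; distinct++; }
    }
    return distinct;
}

int main(void)
{
    char s[3];
    make_salt((unsigned int)time(NULL), s);   /* what the firmware pattern does */
    printf("salt for this second: %s\n", s);
    /* If every unit provisions root within 30 s of boot from a clock that
       starts at 0, an attacker needs at most this many salts to cover all units. */
    printf("distinct salts over a 30 s boot window: %d (of %d possible)\n",
           count_distinct_salts(0, 30), 64 * 64);
    return 0;
}
```

Run it twice in the same second and the first line is identical, which is the "spam run the program" observation from the thread; run it with a 30-second window and the count is at most 30 salts for the entire product line. A proper fix is to seed from a hardware entropy source (or /dev/urandom once the kernel has collected entropy), but as @furmek notes, that would only stop precomputation; it would not save a fixed, date-shaped password from a direct brute force.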
@seanburnett7760 1 month ago
I always watch your videos as soon as they are posted. High quality stuff!
@hugovangalen 1 month ago
Nice work reversing the password this way. If this would've failed, and as the system partition was mounted read-write, it might also have been possible to just replace the password in passwd with another hash from a known password.
@joshmealing5372 21 days ago
That was fantastic man, great video!
@Adam-s8d 1 month ago
Great video I really liked going down the rabbit hole with you and getting to follow along with your thought process on the entire thing.
@josesosa1017 1 month ago
question: could you have run #mount -o remount,rw / to get to the / directory?
@shiftyjesusfish 8 hours ago
Subbed! This is super cool
@techwzain 1 month ago
Love watching your videos man. Keep it up!
@AnthonyDeChiaro 1 month ago
Nice job on the reverse engineering, definitely learned a few things!
@MikkoRantalainen 1 month ago
13:00 The stuff shown here is not specific to this hardware. Similar steps work practically identically on PC, Mac or Android devices with unlocked boot loader. The boot loader may be different on each system so you have to learn that but once you get /bin/sh running, the steps are practically same for all Linux supported hardware. Normally the init system (which we replaced by /bin/sh) takes care of these things so we have to mount the filesystems manually. Basically the only thing you need to do is identify the init system of this specific Linux system. This device appears to run init system called "System V init" which is the traditional system. Other well known systems are "upstart" that Ubuntu used to use about a decade ago and "systemd" which practically every desktop and laptop Linux computer is using nowadays.
@LokiCDK 1 month ago
Glad you went through the process even though it would've been crazy fast to brute force. THANK-YOU!
@diszydreams 1 month ago
This is awesome! Thank you! Looking forward to watching more of your content. I am just recently getting to the stage where I can follow a video like this - but wouldn't be able to figure out that %s is somehow related to C programming. anyway, thanks! I needed this.
@captainboathands6124 16 days ago
There’s an “assault and battery” joke in there somewhere, when you were talking about how the salt gets generated using the random function, which is predictable due to not having a CMOS battery to keep the time.
@QbutNotTheQ 18 days ago
It’s a date! That’s funny. It reminds me of a semi famous heat map chart of the frequency of occurrence of (I think) 4 digit number passcodes, and the hugely most frequent passcodes were possible dates of some variation on YYYY, MMDD, or DDMM. Point being that the huge candidate password file should include a list of all the permutations of YYYYMMDD, and similar date formats. If so, you wouldn’t have needed to do most of the really brilliant hacking. Thanks. Very interesting video! 😊
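The date-shaped candidate list proposed above, and @ColinMcCormack's point earlier that a YYYYMMDD scheme leaves only 365 possibilities per year, as an added example in C that is not from the video. It writes every valid calendar date in a year range in several common layouts, one per line, so the candidate space is covered exhaustively rather than by luck; the set of formats and the default year range are my choices, while the only format the page confirms for this camera is YYYYMMDD.

```c
/*
 * Added example, not from the video. Several commenters note the password is
 * a date and that a date-shaped candidate list would have found it without
 * any reversing. This generator emits every calendar date in a year range in
 * the formats a default-password author is likely to pick, so the space is
 * covered exhaustively. Formats and the default year range are my choices;
 * the camera's format on this page is YYYYMMDD.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { FMT_YYYYMMDD, FMT_DDMMYYYY, FMT_MMDDYYYY, FMT_YYMMDD, FMT_COUNT };

int is_leap(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

int days_in_month(int y, int m)
{
    static const int d[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    if (m < 1 || m > 12) return 0;
    return (m == 2 && is_leap(y)) ? 29 : d[m - 1];
}

int is_valid_date(int y, int m, int d)
{
    return d >= 1 && d <= days_in_month(y, m);
}

/* Render one date in the requested format; buf needs at least 9 bytes. */
const char *format_date(int y, int m, int d, int fmt, char *buf, size_t buflen)
{
    switch (fmt) {
    case FMT_YYYYMMDD: snprintf(buf, buflen, "%04d%02d%02d", y, m, d); break;
    case FMT_DDMMYYYY: snprintf(buf, buflen, "%02d%02d%04d", d, m, y); break;
    case FMT_MMDDYYYY: snprintf(buf, buflen, "%02d%02d%04d", m, d, y); break;
    case FMT_YYMMDD:   snprintf(buf, buflen, "%02d%02d%02d", y % 100, m, d); break;
    default:           buf[0] = '\0';
    }
    return buf;
}

/* Write every valid date in [y0, y1] in every format, one per line, to out.
   Pass NULL to count only. Returns the number of candidates. */
long gen_date_candidates(int y0, int y1, FILE *out)
{
    long n = 0;
    char buf[16];
    for (int y = y0; y <= y1; y++)
        for (int m = 1; m <= 12; m++)
            for (int d = 1; d <= days_in_month(y, m); d++)
                for (int f = 0; f < FMT_COUNT; f++, n++)
                    if (out)
                        fprintf(out, "%s\n", format_date(y, m, d, f, buf, sizeof buf));
    return n;
}

int main(int argc, char **argv)
{
    /* Usage: ./gen_dates [first_year] [last_year] > dates.txt */
    int y0 = argc > 1 ? atoi(argv[1]) : 2000;
    int y1 = argc > 2 ? atoi(argv[2]) : 2024;
    long n = gen_date_candidates(y0, y1, stdout);
    fprintf(stderr, "%ld candidates written\n", n);
    return 0;
}
```

Twenty-five years in four layouts is about 36,500 lines, which a traditional DES crypt hash (hashcat mode 1500, or john's descrypt format) exhausts in well under a second on a CPU; keeping such a list alongside the usual dictionaries is cheap insurance for the next device whose default is a build or release date.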
@simmosideways 1 month ago
love to see you look at some tuya gear. especially their cctv cameras that do some really weird stuff on the network
@RickDkkrd 1 month ago
Looking forward to more hands on ghidra firmware reversing
@rogo7330 10 days ago
26:52 you can already see what the password is. Ghidra just did not pick up that 'local_8c', 'local_88' and 'local_84' are just a null-terminated string laid out on the stack. Ghidra showed them as u32 values, but if you reverse the bytes (because the ELF was little-endian I guess and we just need them one by one as they are stored in memory) it's clearly a string of ASCII characters plus a null at the end. The 'crypt' function takes the address of 'local_8c' (which you renamed to 'password') but does not take the length because it expects a null-terminated string. The password is "20170912".
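What this comment, the @danmerillat / @Dobendanx exchange about spotting ASCII in "numbers", and the @WilcovanBeijnum retype-as-char[9] tip all describe, as an added example in C (not the video's or Ghidra's code). The page does not print Ghidra's raw values for local_8c, local_88 and local_84; the three constants below are derived by me from the reported password "20170912" laid out little-endian, and the printable-bytes heuristic is the check a reverser applies by eye.

```c
/*
 * Added example, not the video's or Ghidra's code. It shows what the comments
 * point out: three consecutive 32-bit stack slots that Ghidra typed as
 * integers (local_8c, local_88, local_84) are the bytes of a NUL-terminated
 * string. The page does not print Ghidra's raw values; the constants below
 * are derived by me from the password the thread reports, "20170912", laid
 * out little-endian as on the camera's ELF.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the decompiler shows for an 8-char string spread over three slots. */
static const uint32_t local_8c = 0x37313032u; /* bytes 32 30 31 37 = "2017" */
static const uint32_t local_88 = 0x32313930u; /* bytes 30 39 31 32 = "0912" */
static const uint32_t local_84 = 0x00000000u; /* NUL terminator */

/* Heuristic: 1 if the little-endian bytes of v are printable ASCII,
   optionally followed by NUL padding. Digits are 0x30..0x39, so a
   constant like 0x37313032 is a strong hint of text. */
int looks_like_ascii(uint32_t v)
{
    int printable = 0, ended = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (b == 0) { ended = 1; continue; }
        if (ended || !isprint(b)) return 0;  /* byte after NUL, or a control char */
        printable++;
    }
    return printable > 0;
}

/* Reassemble consecutive stack slots into a C string, stopping at the first
   NUL. Bytes are taken low-order first to model a little-endian target
   regardless of the host's endianness. Returns the string length. */
size_t slots_to_string(const uint32_t *slots, size_t nslots, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return 0;
    for (size_t s = 0; s < nslots; s++) {
        for (int i = 0; i < 4; i++) {
            unsigned char b = (unsigned char)(slots[s] >> (8 * i));
            if (b == 0 || n + 1 >= outlen) { out[n] = '\0'; return n; }
            out[n++] = (char)b;
        }
    }
    out[n] = '\0';
    return n;
}

/* The password as crypt() saw it: &local_8c with the three slots contiguous. */
size_t decode_password(char *out, size_t outlen)
{
    const uint32_t slots[3] = { local_8c, local_88, local_84 };
    return slots_to_string(slots, 3, out, outlen);
}

int main(void)
{
    char pw[16];
    printf("local_8c looks like text: %d\n", looks_like_ascii(local_8c));
    printf("0x20170912 looks like text: %d (that is a number, not \"2017\")\n",
           looks_like_ascii(0x20170912u));
    decode_password(pw, sizeof pw);
    printf("password: %s\n", pw);
    return 0;
}
```

The contrast in main() is the trap to avoid: 0x20170912 reads like the date but its bytes (0x12, 0x09, 0x17, 0x20) are not printable, while the innocuous-looking 0x37313032 is. In Ghidra the same result comes from retyping local_8c as char[9] so the decompiler folds the three slots into one string literal.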
@samuraidriver4x4 1 month ago
Comment to feed the algorithm. You deserve alot more subs👍
@AntiCoruptionCentral 1 month ago
string "alot" not found.
@user-xf8bu3jt3f 1 month ago
Good video. All steps were explained in a compact and understandable way
@rbw9692 1 month ago
I love side quests! Im not good in any of that, but its really interesting, keep doing that please 😀
@feff6754 1 month ago
Awesome video, full of great content!
@QbutNotTheQ 18 days ago
For me, the fascinating thing about this isn’t the hacking, it’s the psychology. Probably the same person who coded it, with its complex hashing algorithm, gave it a password that’s a date. 😊
@Emelin-cr8nc 1 month ago
i really enjoy watching your videos!
@drumba 1 month ago
is there any way to get the fw dump? i would really like to do some investigation
@nezu_cc 1 month ago
did basically this on a cheap camera once without even having it. Just grabbed the firmware update from the website. A root shell from command injection in the update mechanism was the cherry on top. Gotta somehow teach your friends to firewall their shit properly ;)
@slybandit8117 1 month ago
John the Ripper was able to crack that hash using its own password list on my laptop in under a minute! I wasn't sure it was going to be correct, but watching the rest of the video, it turns out it was! What are the chances?! Still great work on your part to unravel that the way you did!
@markramsell454 1 month ago
Ghidra is awesome. It decoded the bin file and then had all the function docs. Sure makes things easier.
@epgallinj222 1 month ago
Awesome video Matt.
@mytube7473 20 days ago
Cool. watched the whole thing. liked and subscribed.
@pablolardieri3007 1 month ago
Very good! I loved it. Thank you very much. Very educational!
@stevenchristenson2428 1 month ago
For the password since the passwd file was there and it was changeable, you could have just hashed a new password and replaced the encoded password with a new one instead of trying to hack the old one out. I have done this for single board computers to get linux on them before. The raspberrypi gentoo page even has a pre-hashed password for raspberry on their page that can be used. Also since its so old instead of brute forcing it you could just decrypt it as I am pretty sure its very insecure at this point. Or you can just remove the hashed entry altogether and it will allow passwordless login for root.
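The "skip the crack, rewrite the hash" route raised here and by @hugovangalen, @josesosa1017 and @MikkoRantalainen (boot with init=/bin/sh, remount / read-write, edit /etc/passwd), as an added example in C that is not the video's code. It edits an in-memory copy of a passwd-style file so it can be exercised offline; on the device the same text would be read from /etc/passwd after `mount -o remount,rw /` and written back. The sample file is constructed (its root hash is the one reported in this thread), and the replacement hash in main() is a placeholder, not a real crypt(3) output.

```c
/*
 * Added example, not the video's code: the alternative several commenters
 * raise, which is to skip cracking and rewrite the root hash once / is
 * remounted read-write. It edits an in-memory copy of a passwd-style file so
 * it can be exercised offline; on the device the same text would come from
 * /etc/passwd and be written back. The sample file below is constructed (the
 * root hash is the one the thread reports), and the replacement hash in main()
 * is a placeholder, not a real crypt(3) output.
 */
#include <stdio.h>
#include <string.h>

static const char SAMPLE_PASSWD[] =
    "root:uTV43RfKc73oM:0:0:root:/:/bin/sh\n"
    "daemon:*:1:1:daemon:/usr/sbin:/bin/false\n";

/* Copy the hash field of `user` into buf. Returns 1 if found. A field of
   "x" means the real hash is in /etc/shadow; "*" or "!" means login is
   disabled; an empty field means no password is required. */
int get_passwd_hash(const char *in, const char *user, char *buf, size_t buflen)
{
    size_t ulen = strlen(user);
    for (const char *line = in; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen > ulen && line[ulen] == ':' && memcmp(line, user, ulen) == 0) {
            const char *f = line + ulen + 1;
            const char *end = memchr(f, ':', linelen - ulen - 1);
            size_t flen = end ? (size_t)(end - f) : linelen - ulen - 1;
            if (flen + 1 > buflen) return 0;
            memcpy(buf, f, flen);
            buf[flen] = '\0';
            return 1;
        }
        line += linelen + (eol ? 1 : 0);
    }
    return 0;
}

/* Rewrite the hash field of `user` with new_hash (empty string clears it).
   Returns 1 if rewritten, 0 if the user was not found, -1 if out is too
   small (out is then unspecified). All other lines are copied verbatim. */
int set_passwd_hash(const char *in, const char *user, const char *new_hash,
                    char *out, size_t outlen)
{
    size_t ulen = strlen(user), hlen = strlen(new_hash), o = 0;
    int found = 0;
    for (const char *line = in; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) + 1 : strlen(line);
        const char *c1 = memchr(line, ':', linelen);
        const char *c2 = NULL;
        if (!found && c1 && (size_t)(c1 - line) == ulen && memcmp(line, user, ulen) == 0)
            c2 = memchr(c1 + 1, ':', linelen - (size_t)(c1 + 1 - line));
        if (c2) {
            size_t head = (size_t)(c1 + 1 - line);        /* "root:" */
            size_t tail = linelen - (size_t)(c2 - line);  /* ":0:0:root:/:/bin/sh\n" */
            if (o + head + hlen + tail >= outlen) return -1;
            memcpy(out + o, line, head);     o += head;
            memcpy(out + o, new_hash, hlen); o += hlen;
            memcpy(out + o, c2, tail);       o += tail;
            found = 1;
        } else {
            if (o + linelen >= outlen) return -1;
            memcpy(out + o, line, linelen);
            o += linelen;
        }
        line += linelen;
    }
    out[o] = '\0';
    return found;
}

int main(void)
{
    char cur[64], out[256];
    if (get_passwd_hash(SAMPLE_PASSWD, "root", cur, sizeof cur))
        printf("current root hash: %s\n", cur);
    /* Replace with a hash in a format the target's libc crypt() accepts, or
       use "" to let root log in with no password. PLACEHOLDER is not a hash. */
    if (set_passwd_hash(SAMPLE_PASSWD, "root", "PLACEHOLDER", out, sizeof out) == 1)
        fputs(out, stdout);
    return 0;
}
```

Two checks before writing anything back: get_passwd_hash telling you the field is "x" means the device uses /etc/shadow and that is the file to edit instead, and the replacement hash must be in a format the target's libc supports (a BusyBox/uClibc login will not necessarily accept the SHA-512 "$6$" strings a desktop distribution produces). Clearing the field, as this comment notes, sidesteps the format question entirely.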
@MrZiolelle 1 month ago
Absolutely stunning !!! Great job !
@alizuma233 13 days ago
Wow. You sir are a genius. I wish I had a tenth of your skills. You’re very knowledgeable on this stuff. How did you learn all this?
@CharlesVanNoland a month ago
I bought a cheap IP camera back in the day, maybe 7-8 years ago, I still have it somewhere, and its password was a date too, formatted the same way. Totally different form factor for the PCB and the housing and everything, but it seems like all of these Chinese cameras are running very similar setups.
@dunravin 24 days ago
Brilliant, really enjoyed this, you got my sub
@lucastrias a month ago
Amazing video! You could just read the Linux source code instead of decompiling it to save a little work
@Mathiass0ca a month ago
That was pretty instructive ! Thanks for your work ! :D
@wata_fx a month ago
It was very interesting and informative, thank you for your content!
@squelchtone a month ago
That workbench behind you, the one with the scopes on top of it, what brand/model is that? I need to get something like that. Thanks. Cool videos, liked and subbed.
@mattbrwn a month ago
Benchpro :)
@YouTube_username. a month ago
If you can touch it, you own it.
@Guessyouwillneverknow705 a month ago
Your video is great. I gave it my full attention. Thank you, Sir.
@markanderson5342 a month ago
This is awesome. Subscribed!
@williamzimmer8493 a month ago
This was really fun to see, Thank You.
@bend.7140 a month ago
I love your videos, you definitely make someone cry after seeing his not well designed password being cracked hahaha
@pologtijaune a month ago
Very instructive video !! Love it.
@pwnonymous a month ago
Cool series, still have to watch the 3rd video. You have a great way of explaining things that keeps everything interesting for newbs, and personally it makes me want to get into hardware hacking. I'm heavy on the webapp / server and post-exploitation hacking side and this stuff is exciting to watch. Heard you mention a Discord, so I hope it's welcoming to new hardware hackers because I plan to join.

A few questions if you don't mind:
- How do you pick your targets?
- Can you explain how `srandom` and `time` played a factor in the creation of this password? I don't see the correlation to the underlying method of how they were used to generate a string as they did in Joe Grand's video. This seems a bit more nominal, like it's not pulling from the clock, and you said this is the same pass for all of these cameras?
- I suppose there are a variety of ways to get a shell and escalate to root, but would you consider binary or kernel exploitation here (like LOLBins), or would that come after you exhausted reverse-engineering the binary for a string? (I missed whether or not there were other common system binaries available in your shell.)

I truly have no idea where to get started with hardware hacking, but you have amazing content. I hope your Discord has some direction, or I can find more info on that beginner path from you.
@pwnonymous a month ago
Also I don't see you getting root, actually? Was the user:pass same for root? sudo?