Extracting Firmware from External Memory via JTAG

106,364 views

Joe Grand

Days ago

Demonstration of extracting firmware from an embedded system through the JTAG interface.
The target board is a MIPS-based Linksys WRT54G v2 router containing an Intel 28F320 4MB external Flash memory. Tools used are the Bus Blaster JTAG hardware interface (dangerousprototypes.com/docs/B...) and UrJTAG open source software (urjtag.org).
It's Nerd Thunder month! Check out the folks mentioned at the end of the video:
- Exploitee.rs (IoT/consumer), exploitee.rs
- Chris Eagle (IDA/reverse engineering), github.com/cseagle
- Azeria (ARM exploitation), azeria-labs.com
- Craig Heffner (Routers/network), www.devttys0.com
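As an added example (not code from the video or from Joe Grand), here is a small Python checker for the image a JTAG dump writes out: it confirms the dump is the full size the 4 MB 28F320 should yield, fingerprints it, reports erased 0xFF regions and flags a read that came back entirely 0xFF (worth a second look at the wiring and bus setup before trusting it), and pulls printable strings while dropping the false positives a plain `strings` run produces. The sample image and the strings inside it are constructed inline.

```python
import hashlib
import re
from typing import Dict, List, Tuple

ERASED = 0xFF  # NOR flash reads back 0xFF wherever it was erased and never programmed


def erased_regions(data: bytes, min_run: int = 64) -> List[Tuple[int, int]]:
    """Return (start, end) offsets of every run of 0xFF at least min_run bytes long."""
    return [(m.start(), m.end()) for m in re.finditer(rb"\xff{%d,}" % min_run, data)]


def printable_strings(data: bytes, min_len: int = 8) -> List[Tuple[int, str]]:
    """ASCII runs like `strings` reports, minus the usual false positives:
    runs with no word-like letters in them or made of only a few repeated characters."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        s = m.group().decode("ascii")
        if re.search(r"[A-Za-z]{3}", s) and len(set(s)) > 3:
            found.append((m.start(), s))
    return found


def check_dump(data: bytes, expected_size: int) -> Dict[str, object]:
    """Sanity-check a flash dump before spending time reverse engineering it."""
    erased = erased_regions(data)
    return {
        "size_ok": len(data) == expected_size,        # a 4 MB part should give 4 MiB
        "sha256": hashlib.sha256(data).hexdigest(),   # fingerprint for later comparison
        "erased_bytes": sum(end - start for start, end in erased),
        "all_erased": len(data) > 0 and data.count(ERASED) == len(data),  # suspicious read
        "strings": printable_strings(data),
    }


# Constructed sample image (not a real WRT54G dump): a boot-loader banner,
# non-printable filler, a config string, a junk run, then an erased tail.
SAMPLE = (
    b"CFE1 boot loader\x00"
    + bytes(range(0x80, 0x100)) * 2
    + b"admin_password=changeme\x00"
    + b"~~~~~~~~~~~~"
    + b"\xff" * 512
)

if __name__ == "__main__":
    result = check_dump(SAMPLE, len(SAMPLE))
    for key in ("size_ok", "erased_bytes", "all_erased", "strings"):
        print(key, result[key])
```

For a real dump, read the file with `open(path, "rb").read()` and pass `4 * 1024 * 1024` as the expected size.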

Comments: 85
@jimmylim893 4 years ago
hollyyy.. how in the world only 5000+ people interested in this sort of thing to date...
@Elfnetdesigns 4 years ago
the other billions are more interested in Twitter drama and the next new iPhone..
@jimmylim893 4 years ago
@Elfnetdesigns good one... Heart breaking fvcking truth..
@studyonly9857 2 years ago
Gthvfrt!!!!!
@spamlogs2701 2 years ago
How can u expect someone to wanna watch this crap? Imagine ur grandpa trying to understand this mumbo jumbo.. that's what 90% of the population is like when it comes to this. Ur a small niche
@huhulili9021 2 years ago
True, only 57k+ after 3 years, this is a depressing world
@renakunisaki 4 years ago
Thank you for explaining every step. It's so frustrating when a tutorial just pulls some information out of their arse without explaining it.
@HackaweekTV 5 years ago
Nice one Joe! Good to see you hackin hardware! :) Have a great new year and... KEEP ON HACKIN!
@1ManWrenching 5 years ago
Could this be used to get a proprietary boot loader out of a chip? Like say, the Teensy 3.2?
@coondogtheman 5 years ago
I'd be curious as to the processing power of these things and if any type of software can be run on them. Maybe games.
@myramgrand 2 years ago
He is so engaging and real! Great presentation!
@binaryfreaks 5 years ago
Hi Joe, I just received my Bus Blaster v4.1 but I'm experiencing some issues... can you tell me some tips about it? The error: warning: TDO seems to be stuck at 1
@Cotten- a year ago
You are such a great teacher. I wish I could shadow you.
@brucelau6929 4 years ago
Thanks. It helps a lot.
@FennecTECH 4 years ago
God I love WRT54G routers. I was sad when I smoked mine :(
@hmbrt12 3 years ago
Wooooooaaaahhh!!! Thanks!!⚡🤖👌🏼
@dillonjensen3728 4 years ago
Good video!
@gabrielsennheiser 4 years ago
I'd like to see a tutorial using the Raspberry Pi GPIO pins and openocd to, say, recover a bricked Netgear N900 (wndr4500v1/2)
@koenigsbier50 a year ago
I wish I could upvote this video a thousand times. This is awesome!
@xl000 a year ago
Is there a situation where you end up with something similar to a process dump and have to RE some unknown program in order to get the data you're looking for? I mean grepping / parsing through the output of strings looks relatively easy, but what if there are defensive countermeasures? I can imagine ways to protect a private key, but this would always be defeated as the CPU is basically doing what we're asking it to do. I guess that's what Apple Secure Enclave is about
@juniorlucival 4 years ago
What if the software doesn't have chip information? How will it identify the parameters?
@rikvermeer1325 2 years ago
What would be a way to use JTAG to learn about the device's internal serial communication? Could you point me in a direction?
@eddyboh2723 2 years ago
Question, would this work if instead of using a sound blaster adapter, I were to use a small female 20-pin to female USB 3.0 output adapter?
@TommyAventador a year ago
I wonder if this would work on new iPhones to retrieve iCloud email?
@usbbdm 5 years ago
Just in case you do not know, using USB JTAG NT can read the 4M flash under 20 seconds. Not 5 hours. That is too long. Check my videos on routers programming.
@samuelubina5157 a year ago
SO SIR, SHOW US YOUR CHANNEL!!! So we can be fully informed about this stuff you're talking about!!!!
@sarupk 11 months ago
thank you!!!!
@rayfelch954 4 years ago
That's awesome if you have 'ejtag' support, but what if your target is MIPS32 and your 'initbus ejtag' request gets you 'error: not found EJCONTROL or EJIMPCODE register'? I've tried this on a Linksys WRT54GL v6 router, same exact setup using Bus Blaster with no luck... thanks for your great videos. I love my JTAGulator btw
@Elfnetdesigns 4 years ago
UGH, v6 is the cheapest of the cheap of the WRT54G series... hardly any memory to work with and very limited features. You can barely get DD-WRT on them and they still work sort of stable, and that DD-WRT is a stripped down version designed to fit on the small memory of the v6.. You are better off with a V2 or something in the 802.11N era. 54G was nice 20 years ago but is a dead horse these days..
@zerodegrekelvin2 3 years ago
Thanks for the demo of the poor man's Bus Blaster JTAG 8-) I mostly use/loan the BDI2000/3000 from where I worked and I felt pain when you waited 5h to extract 4MB. When I say "poor man" it is not meant as pejorative, more of a MacGyver compliment.
@hazromanescconstantin3637 4 years ago
Can you access data from an ARM processor with password protection?
@woolfy02 7 months ago
I just got a Bus Pirate 3.6a and I'm wanting to connect to a device using JTAG. The available pins on it are: TDO, TDI, TMS, TCK, GND, RESET. Do I just connect it to the same-named pin, from the Bus Pirate to the device? (Like TDO - TDO, TDI - TDI... etc etc for all of them). Years ago, I used UART but I'm not seeing those connections on the board I'm trying to mess around with. I just can't seem to find a guide / tutorial that explains how to set it up, for newbs.
@cocosloan3748 4 years ago
Cool!
@redhat_guitar a year ago
Can you please list down the pins used on the Bus Blaster? I see you didn't use the CLK pin, I wonder why, or am I wrong?
@DatamedicsRecovery 4 years ago
Hi Joe. Any chance you would consider learning how to JTAG newer WD HDD PCBs? WD has decided to lock out their PCBs in a way that prevents the normal vendor-specific ATA commands from doing things like read/write the ROM code, etc. and it's becoming an issue for data recovery. I know some guys are already unlocking them via JTAG, but they are selling their unlocked boards at a crazy markup. The knowledge of how to do this is definitely worth some $$ for me, but I'm no JTAG expert. It's knowledge I'd be willing to pay for.
@rootcoolk 5 years ago
Cool Man
@tristunalekzander5608 3 years ago
I just get "invalid parameter: unknown cable driver 'jtagkey'" ... I have installed the necessary drivers, please help, and thanks
@israelcruz7597 3 years ago
Why would users not use higher level GUI-based software (Free) to do the same thing with pull-down menus?
@petejackson7976 4 years ago
How do you identify where to connect cables from the interface to the target machine?
@Elfnetdesigns 4 years ago
Datasheets
@samsamuels1421 2 years ago
Hi Joe, do you have a course? I have another type of device, will the metros work?
@gmorb666 2 years ago
Is this process just dumping the SPI firmware? So I have an XGecu on hand, I can just read it straight from the ROM instead of waiting 5 hours through JTAG, correct?
@fapdayz 2 years ago
Connect to libftd2xx driver is successful. After "detect" command there is error: usbconn_ftd2xx_flush(): Received less bytes than requested.
@csabertui a year ago
I've done loads of JTAG in the early 2010s, sometimes it can be a pain...
@jairoripoll1301 2 years ago
Good evening, how could I connect a LaunchPad EXP430G2ET to an M430F149 chip via JTAG
@alexluzinki206 a year ago
nice
@rahulsethi_ 5 years ago
What if the data shown by the strings function is encrypted??
@renakunisaki 4 years ago
It will always have a lot of false positives, just ignore those.
@Thebloggermustdie 5 years ago
:( I thought you were going to JTAG something from the hotel. Cool video
@Elfnetdesigns 4 years ago
Like cracking the hotel's RADIUS security on their wifi? You don't need JTAG for that lol, just the right hardware and some know-how.
@steliosstamatakis844 a year ago
Can you use the JTAGulator's new features and not the Bus Blaster for this?
@shutrumpracing2451 2 years ago
Can you do this on an Altera MAX 7000?
@scanners99 2 years ago
I think I love you
@vondarycrentsil9180 4 years ago
Can u extract Anki robot Vector firmware? Pls, and thanks
@johnpapadopoulos8440 5 years ago
Nice job. Is it possible to use that JTAG for a bootlooped phone brick? TIA
@Elfnetdesigns 4 years ago
You put the wrong firmware in or tried to load a "hacked" firmware and got it in a good ole loop huh? Phones are not worth it once they bootloop, as cheap as they are these days you can buy a brand new TracFone smartphone with service cheaper than you can buy the JTAG reader for..
@tono_01 4 years ago
@Elfnetdesigns Your answer seems to be a bit over-generalised to me. Phones that are expensive can get bootloop too and it would be interesting to know if you can repair them with this technique.... @John Papadopoulos: In principle, yes, you can repair them using this same technique. BUT..... firmware for cellphones requires a lot of knowledge if you start poking into them yourself..... They might have encryption that you need to defeat before you can write the code to the device, the more expensive ones (iPhones) do not have JTAG anymore. Or if they do, you need to know very well which part of the firmware is for what part of the phone (baseband, phone itself etc.). In my opinion: not an easy task.
@iitguwahaticseairunder500r2 2 years ago
You just used this in the recent Samsung video!!
@iitguwahaticseairunder500r2 2 years ago
To kingpin 👑
@antoniosegura950 6 months ago
Great teacher. CFE MAC generator for bringing a dead WRT back to life: I've lost the original firmwares, v2. I'm looking for a CFE bootloader generator to match with generic original firmware, any clue? And many thanks
@antoniosegura950 6 months ago
I'm using a USB JTAG NT
@beckerf4n a year ago
Can you, for God's sake, do the same with the Karma drone?
@Veso266 4 years ago
how would UrJTAG damage your hardware?
@309electronics5 a year ago
Deleting the firmware from the device without backup, or when an error occurs
@salmantalash4515 4 years ago
Can we do it in Windows?
@dariadaria9255 3 years ago
Can someone please tell me the best JTAG vendors in the market?
@ddlc7022 2 years ago
How do you install or set up UrJTAG for Mac?
@ddlc7022 2 years ago
Joe, any comment?
@antoniosegura950 6 months ago
Or how to edit the CFE MAC address in the firmware
@RicardoCooper 5 years ago
Five hours? Thankfully I have a FlashcatUSB and USB JTAG NT that can read this much faster! P.S. I already know the pinout, but can the JTAGulator be used with the WRT54G?
@mugishastevenyoutubestuden9311 a year ago
🖒🖒🖒
@AZ-be4hg 2 years ago
5hrs to get 'admin' passwd. Nice work, bro :)
@ThePlombix 2 years ago
You need a mountain with your name on, YouTube is not enough
@hamburgermods1396 2 years ago
Yes yes, just like the Xbox 360 JTAG
@JTAG123Slamma 11 months ago
JTAG
@pardal902 2 years ago
Well, today I think 90% of JTAG extracting is impossible, all vendors are locking it.
@MukeshKumar-xi2dj 3 years ago
Hi Joe Grand, want some help
@-BILYAKIS- a year ago
In short, software controls hardware
@joshse8709 a year ago
U know how I know ur vegan?
@ArnaudMEURET a year ago
Quite fascinating that you pour your money into an Apple laptop where nothing works like everywhere else in Unix…😅