Hacking a Knockoff Google Chromecast - Firmware Extraction
Рет қаралды 91,368
27 күн бұрынIn this video, I extract the firmware from a Chinese Google Chromecast knockoff.
Need IoT pentesting or reverse engineering services?
Please consider Brown Fine Security:
brownfinesecurity.com/
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
Raspberry PI Pico: amzn.to/3XVMS3K
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
website: brownfinesecurity.com/
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity
@Icemourne_ 26 күн бұрын
14:47 At the bottom it says LZMA compressed data
@4megii 26 күн бұрын
Glad I'm not the only one to see this. Rootfs is probably compressed within LZMA and then uncompressed and mounted via the bootloader.
@RetroDelete 25 күн бұрын
I was just about to comment this, seems like it will be fairly easy to get access to the rootfs. +1
@monad_tcp 25 күн бұрын
cliffhanger !
@guiorgy 25 күн бұрын
Towards the end of the video I could swear I had seen "lzma" somewhere, went back to strings and watched closely while pausing, thought I was going crazy 😂
@pete3897 25 күн бұрын
It's only 8MB though - the 980MB partition a couple above it will be the interesting one I would think...
@Mr._Mythical 25 күн бұрын
I wish these videos were longer, i would love to sit here and listen for hours to you rambling about the innerworkings of a device nobody has ever heard of
@doubled8511 26 күн бұрын
I love your videos man but they are just too damn short! I would happily sit here listening for a few hours whilst you ramble on figuring out how to extract the firmware.
@kennwood 16 күн бұрын
Haha I was just thinking the same thing
@M0UAW_IO83 26 күн бұрын
16:58, there's reference to SC16550UART so there's good possibility of a UART output somewhere on that board for the bootloader
@bnister 25 күн бұрын
Yep indeed, it's pin 99 on the SoC muxed to UART2_TX quite early on. It's supposed to be pulled up externally + there are some suspicious test points at the other side, but, generally speaking, manufacturers rarely care enough to break this one out in any convenient way
@qwertykeyboard5901 24 күн бұрын
Might be on the usb port. Sometimes they do that.
@martontichi8611 26 күн бұрын
binwalker said on the bottom that there's LZMA compressed data. Uncompressed size is 7M! probably squashfs!
@dazealex 20 күн бұрын
Also saw in the string something about unzip length.
@dieSpinnt 26 күн бұрын
Great work and thanks for sharing, Matt:) Side-note, Tip, Womansplaining: Calipers 4TheWin! So you can measure the dimensions of the package. Works when soldered in and after some time you memorize the dimensions of TSSOP/SSOP/SOP/etc anyways. "To measure is to know!" And as a poor-(wo)men's-alternative: Print out a sheet with the whole zoo of electronics packages in the scale of 1:1
@KallePihlajasaari 17 күн бұрын
Do you have a link to a sheet that you can link to for us other newbies?
@unh0lyav3ng3r8 6 күн бұрын
@@KallePihlajasaari i got an actual ruler with different package sizes on it..
@sjoervanderploeg4340 26 күн бұрын
@17:23 it clearly says HDCP :D "HDCP stands for High-bandwidth Digital Content Protection. The purpose of HDCP is to protect digital copyrighted content as it travels from a device to your TV, usually through an HDMI, DVI or DisplayPort connection." You might be able to interface that programmer with flashrom, I'm not sure if it is but it should be possible to implement! I own a "Willem EPROM Programmer", it also supports SPI flash memory like these but these days I generally use a very cheap ch341a_spi USB device.
@tweebs1 25 күн бұрын
I really enjoy seeing how you methodically figure out how things tic and then bypass the security like its not even there. Firmware should be open, so we may use hardware as we see fit.
26 күн бұрын
There's seem to be a compressed LZMA region, i'm pretty sure it's what you seen as high entropy, i'd bet it's the compressed rootfs mounted by the bootloader. Many times the MAC address is the one injected for the Wifi, as those modules don't have any hardcoded, Really interested to see your deep dive analysis. I'll join your discord, hopefully i can find the dump and analyze it myself also. I'd buy one of these if these if there's the possibility of a custom Firmware.
@4megii 26 күн бұрын
I think you're spot on about LZMA being the rootfs and that it's uncompressed and then mounted by the bootloader.
@allwitchesdance 26 күн бұрын
I bet it's going to be a kernel with the built in rootfs. No reason for these little gadgets to pivot root to a real file system
@309electronics5 25 күн бұрын
@@allwitchesdancei had a miracast device that had a full rootfs and a kernel. It even had a recovery kernel. Mine used a Actions semiconductor SOC
@bnister 25 күн бұрын
Yeah a custom one is possible, but I bet you won't like the only FreeRTOS-based SDK available
@Z-Ack 26 күн бұрын
I like how you spend way too much time going over all the laymen stuff like how to solder then jump through all the coding log processes and writing…lol
@jamesdim 26 күн бұрын
My new favorite tech channel! Can't wait for the next hack adventure!
@saschaschnuppe3409 25 күн бұрын
What exactly did he hack?
@JerryThings 22 күн бұрын
I love this kind of videos where you showcase your adventure! Hope to see some in depth analysis in the future regarding the fw :D ty Matt
@TheWarhoop 26 күн бұрын
Watching SMD's getting soldered onto PCB's is so satisfying... don't judge, I'm just saying what everyone's thinking. BTW, @Matt Brown, I switched to those little foam tipped eye makeup brushes which really elevated my flux clean up game over the Q tips, give 'em shot.
@mattbrwn 26 күн бұрын
I'll have to try that. Getting those Qtip hairs everywhere is annoying
@A_F_Innovate 26 күн бұрын
Thanks Matt for your great video. I love to see how you can pull these out and get the information from it.
@rbmwiv 10 күн бұрын
Great video I just subscribed. I really enjoyed the one shot approach. Nice job. I am fixing to check out the second part!
@ChrisMIA 26 күн бұрын
great stuff bro! been so much into software have been slacking on the hardware firmware side of things, good to have this under my belt especially with todays supply chain being chip tainted
@wasabinow 26 күн бұрын
Cool stuff! Thank you for sharing your electronic adventures!
@adamkavala 14 күн бұрын
Good job, looking foward to see more progress.
@saad1983 26 күн бұрын
@Matt Brown good sir. you are on fire lately. another awesome video.
@samuraidriver4x4 26 күн бұрын
The silkscreen of footprint on the board is a bit akward due to it being a fairly universal footprint. I do agree with you about the lead free solder, its definitely leaded solder seeing how easy it melted. No issues with using leaded solder in in China.
@n2cthe1 26 күн бұрын
love your videos, i also think there too short... i enjoy complete and in-depth look into IoT
@paerrin1 26 күн бұрын
Another great video! Keep them coming!
@UndeadAlex 26 күн бұрын
Loved this man awesome work!
@tal1296 26 күн бұрын
Love your videos,I saw in strings HDCP which is hdmi copyright protection
@aldythsatya601 17 күн бұрын
Glad to see this video, I don't understand the KZbin algorithm but videos like this don't show up when I search for them, but they magically appear on the homepage 🗿. And I have 4 devices like that that can't connect even though they have been reset
@fronbasal 22 күн бұрын
Matt this was absolutely fantastic. Thanks for sharing!
@pamelax64 25 күн бұрын
Let's wait for the next video about it,interested!
@richiebricker 21 күн бұрын
very cool stuff. I look forward to learning from ya
@antivaxxtoaster8919 26 күн бұрын
Another banger as per usual
@Fatpumpumlovah2 26 күн бұрын
Really? What did you learn? Nothing but more propraganda, every device you own is made by chinese/taiwanese companies. America makes nothing and tbis guy has no clue
@functiontek 25 күн бұрын
Don't know if someone already mentioned it, but I would bet that key you saw mentioned at the start is unrelated to the encryption. It has "HDCP" in it, which would make more sense to be HDMI Content Protection instead.
@meowyahh 26 күн бұрын
Really good work, youtube's algorithm brought me here!
@mikehensley78 25 күн бұрын
same. a few weeks ago a Matt Brown video was in my recommended vids. i been subbed/watching ever since.
@mmkf 26 күн бұрын
I wonder if the filesystem is compressed in a non-standard way.
@pap3rw8 26 күн бұрын
I would guess it's compressed based on the output of strings including "unzip" but it's possible there's also some encryption of the bootloader or whatever.
@davidezequielborges392 26 күн бұрын
to clean stuff you can use an old toothbrush instead of qtips so it doesnt left off any fibers, at least to remove the most of flux witout much hussle.
@qweriop 24 күн бұрын
Thank you youtube for showing me this channel! I love this kind of electronics hacking!
@user-wy6iy7ij1z 20 күн бұрын
It is like reading and flashing a motherboard BIOS chip, I did it many times, but after this, I didn't understand anything anymore, but this is really cool.
@raraujo4951 24 күн бұрын
Great video Matt,!!!
@revancedsubsfuckgimp 24 күн бұрын
Great video! Instructions (sequences of 4 bytes that end with a 0x3x byte) kinda remind me of little endian MIPS (similar to how ARM instructions can be identified by the 0xEx bytes)
@riccardopolelli1825 25 күн бұрын
Cannot wait for part two
@jheimissantos8682 25 күн бұрын
Nice video, Matt! Tks for share your knowledge! It's possible extracting the firmware via software? connecting via terminal (adb) and copy some partitions? sometimes i have dificult to consider what is the firmware, e.g all image firmware or only bootloader firmware.
@309electronics5 25 күн бұрын
Adb is android only. If a device runs Uboot as bootloader you can interrupt the boot process and dump the flash.
@bnister 25 күн бұрын
@@309electronics5 This one doesn't, everything is proprietary. Doesn't like to respond over USB, as well. There's usually some form of OTA on these, though, but dumping is tough
@Sonny482 25 күн бұрын
Great job! Which microscope / camera do you use?
@surewill8190 26 күн бұрын
always interesting to watch
@arashgudarzi2623 26 күн бұрын
hey Matt, I like you videos and watched many of them. I am a student who loves hardware hacking. I started electronics basics and Arduino to kinda get familiar with the hardware stuff. do you have any roadmaps to be successful in this field of job ?
@matheuscezar6309 26 күн бұрын
Nice! I'm curious to discover how to decompress/decrypt those data!
@bnister 25 күн бұрын
Bog standard LZMA. binwalk -e handles it well, but any unlzma tool will suffice. An RTOS2 SDK seems to come with the unmodified LZMA build from Igor Pavlov, too
@videshx818 26 күн бұрын
Nice soldering skills, I have one of this device in which the micro USB is detached. I am yet to solder
@samuie2 25 күн бұрын
There were multiple strings that referred LZMA and unzip "main code". I think that the code is just compressed, and the key if for hdmi drm not the firmware.
@tomu1337 25 күн бұрын
Another great video!
@adagioleopard6415 26 күн бұрын
They put two footprints on top of one another so if the wide version of the chip is unavailable they can use a regular soic8. We did the same but we at least made a package with nice looking silk so it didn't look so crap
@bnister 25 күн бұрын
You've got a fairly standard ALi Tech sat receiver dump :-) These run off a proprietary TDS2 RTOS. The HCSEMI clone chips have a FreeRTOS SDK available, but it's not as stable tbh
@revancedsubsfuckgimp 24 күн бұрын
And here I was wondering why the NCRC string seemed so familiar.... likely MIPS based as well
@wlloxik 16 күн бұрын
this is the perfect video to listen to in the background lmao
@Ibrahim-rc8sn 26 күн бұрын
What analyzation software do you use in 18:50 ? I subscribed to your channel , great content
@ilyassamraoui3234 25 күн бұрын
That's binwalk program running -E [capital e for Entropy, if -e it will extract firmware "structure" I guess ]....
@mikesyr 26 күн бұрын
Hi Matt, do they make clips for SOP8s that size? Seems like that would be quicker than desoldering that chip, then again it came off with no issue. :)
@309electronics5 25 күн бұрын
Sadly often when you put the clip on it powers the flash but also the soc/cpu its connected to which then tries to read from it and messes up the firmware read
@bnister 25 күн бұрын
Yeah this exact platform has no trouble being dumped via the cheap ass clip usually shipped with CH341A kit. The LZMA packed firmware gets extracted to the RAM, and the SPI chip gets almost no accesses at all
@adnanalam6201 26 күн бұрын
Dude I've the same thing 😅 gotta follow this guy now
@quetzalcoatl-pl 25 күн бұрын
16:20 'anonymous' and '88888888' sounds like a default user-password pair, 8x 8 being the password, IIRC the '8' is a lucky number in china, so eight 8x would be sth like seven 7s in US.
@TerrisLeonis 20 күн бұрын
"anonymous" as the username makes me think of FTP.
@poweron3654 25 күн бұрын
17:18, NCRCHDCPKey refers to HDCP, or high-bandwidth digital content protection, it is not an encryption key for the firmware
@AymanAlhkeemi 21 күн бұрын
Please make a video on how to rebuild the firmware and calculate the checksum
@Roadbobek 5 күн бұрын
I have no idea what’s going on but I watched the whole thing
@-r-495 26 күн бұрын
using possibly compromised sw to dump a knockoff product. like it! 😏
@ratkaelzey 17 күн бұрын
kay, I’ve always scratched my head about the obsession around the kislux book totes and their practicality, but this one is adorable!! Congratulations
@MotSter 24 күн бұрын
does it not work out of the box? Is there a further use goal to add to it or is this just pull the firmware cause you can as title kind of obviously states?
@user-vg4io9sl9g 24 күн бұрын
The problem of Chromecast devices is too small internal storage, and i am curious can you replace the original with a bigger one?
@CosmicMyst 21 күн бұрын
I think I ventured into the fun side of KZbin
@duefourbail 18 күн бұрын
what terminal ui is that when you check through the device i’m trying to learn more about the software you use
@skeffers1988 26 күн бұрын
I have tryed to hack the m5 displays / ebike controller . I cant get the firmware extracted from this device over uart . I have 2 uart connections on this board this m5 display comes with the nuvoton MS51FCOAE whitch has more uart connections on it .
@pachapa3030 25 күн бұрын
This is awesome
@user-ff5yb9hh6c 26 күн бұрын
I used bug prove for complication software.İt's can't decyrpt firmware if it's encyrpted but if it's uncrypted bugprove can good job and you can detect old binarys,vulnarabilities etc.
@MrCustomabstract 26 күн бұрын
Goated vids
@Its2Reel4U 26 күн бұрын
Love it
@kikihun9726 25 күн бұрын
It had a hdcp string above so that encrypted data propably contains hdmi hdcp handshake key too.
@allwitchesdance 26 күн бұрын
The two lzma blobs are probably the kernel and initramfs
@bnister 24 күн бұрын
One's the kernel, and another (usually) the localization data. This thingie doesn't need any fs at all
@roelbrook7559 25 күн бұрын
You've got LZMA compressed data there. That might explain the entropy results you're seeing.
@nohaynoticias 19 күн бұрын
"the logo for the company that makes this device" SHERLOCK!
@Neolith100 26 күн бұрын
If the XGecu Pro software is windows, how do you run it in linux? Are you using WINE or Bottles... I am incredibly curious?
@mattbrwn 26 күн бұрын
Wine
@hafiz468 20 күн бұрын
8:16 What the FLUX is going on here ?! 😂
@rrrlasse2 12 сағат бұрын
I think if it's encrypted, entropy is almost exactly 1. If it's compressed it might be slightly lower
@toxicpsion 25 күн бұрын
that entropy spike is totally compression; probably a ramfs of some kind, looks like it showed up at the bottom of binwalk.
@phuo2185 18 күн бұрын
can you make a video on synology TC500
@reddinghiphop1 25 күн бұрын
Fantastic
@gatitomono47f77 17 күн бұрын
Hello I wonder I've seen that theres also clips for Ic's like the one you desoldered like would It have been easier to Connect with a clip to the reader or am I missing slmething
@mattbrwn 17 күн бұрын
I have clips to do that but I prefer to take the chip off
@Ibrahim-rc8sn 26 күн бұрын
Where can I find this software you use called Xgpro in 5:00 ?
@UndernetSystems 25 күн бұрын
The good thing about dumping the firmware is that you can just buy another flash chip and reflash it if it breaks.
@bnister 25 күн бұрын
Not unless the firmware ties itself to the flash Unique ID, and Chinese-sourced thingies usually DO... as a form of copycat protection
@andreamitchell4758 24 күн бұрын
Can you extract FW from a twinkly ARGB LED controller next
@jonathanzimmer8143 23 күн бұрын
Great video this was fun! Please do something on a Vortex phone, Oxtab tablet or other freeware. TV devices are big duh, I have an M-95 4k box that was immediate full throttle/unresponsive... turns out they're pretty much all spyware. Tried to hack my google acct from Shenzen. Oops. But devices handed out to the elderly etc are no longer motorola or lg, but chinese companies with knock off Galaxy designs and questionable Android builds.
@Cotten- 24 күн бұрын
What's up bro. I have a LG Stylo 6 that I'm trying to unlock the bootloader on. I can't get mtk client to recognize the device and I learned that someone else got theirs to become recognized by taking apart the phone and using a jumper wire on the board. Do you think that you could just Google a picture of the board and tell me which pins the jumper wire needs to touch for this process. If I blow my device up then I know that that's my problem. I trust your expertise which is why I'm asking you. Thanks for the videos either way I really appreciate them.
@frtls 26 күн бұрын
Are these not cracking videos?
@gamerriasaat6622 26 күн бұрын
How about modding a xiaomi 4c router (which is really cheap) to port usb(it has two open data pins) and openwrt (just enable ohci and ehci in kernel while complling) and then make a wifi pineapple(decompile pineapple rom and port using overlay) bcz they both use mips24kc :) then tada 15$ pineapple 🍍 btw it has better specs then original pineapple...
@gamerriasaat6622 26 күн бұрын
I can't try this bcz of my upcoming entrance exam for varsity...
@Holycurative9610 26 күн бұрын
The anycast logo looks like it was stolen from Paul Daniels of Apple fixing fame...
@VSteam81 26 күн бұрын
Just curious, what linux distro and DE/WM do you use?
@mattbrwn 26 күн бұрын
Arch Linux and i3wm
@VSteam81 26 күн бұрын
@@mattbrwn Holy shit that was fast. Nice! I've used i3 and its really cool to have something that is so configurable.
@foufou33g 24 күн бұрын
the key thinh seems HDCP related ?
@md.arifulislamarif8077 21 күн бұрын
sir Is it possible to read the program of IC provided by pic Microcontroller? Protected ic
@KallePihlajasaari 17 күн бұрын
Only if you are very dedicated and some security vulnerability has been discovered. Many times those offering such read out services do not share the vulnerabilities so you may have to spend time looking to find the operation that has the skills to defeat the security on your specific chip. Generally the older the chip the more likely it is that a security bypass exists.
@KnexJunkie 26 күн бұрын
I have specifik problem with Samsung A53 budget smartphone -- they have nice software to mirror cast towards smarter monitors sadly i got a special ROG 17 inch portable monitor with a battery in it with a stand that doesnt have this. / Also the casting devices mostly use a external power supply to be connected to a power port. + ather thing this monitor use a HDMI mini camera port in it also has USB c to usb c display support (sadly most newer phones dropped support for this). I was wondering how to make a ANYCAST or ather casting device into a portable configuration. I do know how to solve the HMDI thing with adapter probaly from big to mini + i dont know if theres a way to connect bluetooth to a cast device to use the Wifi from the phone for Netflix. --- Anyways i wonder if might be cheaper for me to look for ather phone then to build something to fix this problem XD --- it could be im confused somewhere in my thought process about casting devices but i sadly cant do Usb c to usb c display with this phone i own at the moment. because that would have save me a lot of hassle.
@kairu_b 26 күн бұрын
Interesting
@VulcanOnWheels 9 күн бұрын
1:01 You say, "*to* your TV", but I read "*on* your TV". Why do you keep hitting the Return key so often?
@hoteny 26 күн бұрын
Now you are an agent huh
@AppliedCryogenics 13 күн бұрын
Even if it's just video playback + TCP/IP stack + some RTOS, 4MB compressed seems wayyy too small to be the whole firmware.
@hafo821 24 күн бұрын
it´s not a SPY flash it´s SPI flash! 🤣😁
@mattbrwn 24 күн бұрын
I also say Sequel instead of SQL... 😂
@mikehensley78 26 күн бұрын
A day off work and hacking a cloned chromecast with MattyB! what else could ya ask for??
@georgeyreynolds 2 күн бұрын
A lot of these devices have malware on them which lies dormant. If it turns out to be android etc , mainly the Android TV types.
@309electronics5 25 күн бұрын
I actually had an miracast device which looked and worked simmilar to this. Just that it had an actions semiconductor soc and had 2 uarts onboard and i got a shell. Its funny to me how these chinese manufacturers manage to put Linux on everything (Shows how great Linux really is) but wont comply (at least my device type) with the GPL. Sadly yours might be running some custom os or a RTOS. Or its a weirdly formatted Unix os but thats unlikely. It might be encrypted and that the bootloader decrypts it and mounts the os
@bnister 24 күн бұрын
Nooope no Linux this time around, with no way to run one, to boot
@MrL22 25 күн бұрын
14:46 LZMA compressed block hinting at 7.8mb of uncompressed data.
Matt Brown
Рет қаралды 71 М.
Home Assistant Tips By Larry
Рет қаралды 6 М.
Matt Brown
Рет қаралды 112 М.
Matt Brown
Рет қаралды 137 М.
Aman Soni Official
Рет қаралды 9 МЛН
Nir Gaming
Рет қаралды 667 М.