Hacking the Arlo Q Security Camera: Bootloader Reverse Engineering

14,327 views

Matt Brown

1 day ago

In this video, we continue hacking on the Arlo Q security camera. Today we reverse engineer the extracted firmware to better understand how the bootloader security is implemented.
Unsalted SHA-256 bootloader password hash:
dd62e7962d63044fd1b190091930939affb172e578bb941728bd4e4478250641
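As an added example (not code from the video, the Arlo Q firmware, or Matt Brown's own tooling), the script below models the check the description and comments describe: the bootloader hashes whatever is typed at the password prompt with unsalted SHA-256 and compares it with a stored digest. It lets you test any candidate against the digest above, reproduce the "password" probe mentioned in the comments, and run a tiny hashcat-style mask search over a constructed target to see why a fast, unsalted hash is brute-forceable. The mask syntax, the charset table, and the toy target string are assumptions made for this example.

```python
"""Added example for this page: emulate an unsalted SHA-256 bootloader password
check and run a small hashcat-style mask search against such a digest.
Illustrative only; it assumes the bootloader compares sha256(typed_password)
with a stored digest and no salt, as the page states."""
import hashlib
import itertools

# Digest quoted in the video description (unsalted SHA-256 of the bootloader password).
ARLO_Q_BOOTLOADER_HASH = "dd62e7962d63044fd1b190091930939affb172e578bb941728bd4e4478250641"

# hashcat-style charset classes (assumed subset, enough for the masks discussed here).
MASK_CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
}


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of the password bytes as lowercase hex (what the bootloader prints)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_candidate(candidate: str, digest_hex: str) -> bool:
    """Emulate the bootloader: hash the attempt and compare with the stored digest."""
    return sha256_hex(candidate) == digest_hex.lower()


def expand_mask(mask: str) -> list:
    """Turn a mask like '?l?l?d' into one charset per output position.
    A literal character in the mask matches only itself."""
    charsets = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            charsets.append(MASK_CHARSETS[mask[i + 1]])
            i += 2
        else:
            charsets.append(mask[i])
            i += 1
    return charsets


def keyspace_size(mask: str) -> int:
    """Number of candidates the mask generates (product of the per-position charset sizes)."""
    size = 1
    for charset in expand_mask(mask):
        size *= len(charset)
    return size


def crack_mask(digest_hex: str, mask: str):
    """Try every string the mask describes; return the match, or None if the mask misses.
    Pure Python manages on the order of a million SHA-256 per second, so keep masks
    tiny here and hand real keyspaces to hashcat (mode 1400, raw SHA-256)."""
    target = digest_hex.lower()
    for combo in itertools.product(*expand_mask(mask)):
        candidate = "".join(combo)
        if sha256_hex(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # The probe from the comments: typing "password" must match sha256("password").
    print("'password' vs sha256('password'):", check_candidate("password", sha256_hex("password")))
    # Any candidate (here the value posted in the comments) can be checked offline.
    print("'ngpriv106' vs Arlo Q digest:", check_candidate("ngpriv106", ARLO_Q_BOOTLOADER_HASH))
    print("keyspace of ?l?l?l?l?l?l?d?d?d:", keyspace_size("?l?l?l?l?l?l?d?d?d"))
    # Constructed toy target so the search finishes in a second or two.
    toy_digest = sha256_hex("ng10")
    print("toy mask search recovered:", crack_mask(toy_digest, "?l?l?d?d"))
```

Run it with python3. Because the bootloader echoes the digest of whatever is typed, the comparison can be reproduced entirely offline, which is what turns a UART prompt into a hash-cracking exercise. A value of the shape reported in the comments (six lowercase letters followed by three digits) fits the mask ?l?l?l?l?l?l?d?d?d, a keyspace of 26^6 × 10^3, about 3.1 × 10^11 candidates; for raw SHA-256 that is minutes to hours on one modern GPU with hashcat -m 1400, which is the right tool for the real job. A per-device salt and a slow KDF would not stop the digest from leaking, but they would make this search impractical.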
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#iot #hacking #bootloader #reverseengineering #firmware

Comments: 62
@jakesec633 (1 year ago)
Hey Matt, loved the video as per usual. I’ve cracked the hash for the boot loader, the password is: ngpriv106
@fusseldieb (1 year ago)
Wow, that was fast! How did you manage that?
@neb_setabed (1 year ago)
Damn that was quick, nice job!
@Knolraab (1 year ago)
I am interested to know too. Sharing is caring
@nerdy_dav (1 year ago)
Nice. Looks fairly simple. I'd imagine you had some GPU power to get done so quickly. While you likely wouldn't find this string in a rainbow table, the combination of 9 lowercase letters and 0-9 gives us 9^36 iterations to get through. Modern CPUs and GPUs could knock that around quickly. Few hours at most.
@mattbrwn (1 year ago)
Absolute Legend!
@malucullus9100 (1 year ago)
I know the hash has been cracked now, but if you wanted to get into the older firmware without having to do a chip-off you could also have tried interrupting the boot process a few times, ideally with a reset. This would simulate the crashing firmware that this sort of A/B deployment is supposed to protect against and may have caused the boot loader to fail back to the old version.
@azus5576 (3 months ago)
It has? In what video does he do that? I couldn't find that hash in those pre-computed lookup tables and using leaked password lists didn't work either. I doubt he could brute-force that hash
@azus5576 (3 months ago)
nvm, I missed the fixed comment somehow
@AlexKiraly (4 months ago)
What a goldmine of a channel!
@hallisern (1 year ago)
Great video Matt, amazing explanations. Very easy to follow and understand!
@kmsec1337 (7 months ago)
Bruh this is top quality content. Thank you so much 🙏
@LucaCostantino1 (12 days ago)
Hi @mattbrwn... Just discovering your channel now... Where are you on part 4 of this series?? :D Awesome videos, keep it up!
@mattbrwn (12 days ago)
Device got bricked.
@LucaCostantino1 (12 days ago)
@mattbrwn That's a shame! I was really looking forward to more! Thanks!
@xrafter (7 days ago)
@mattbrwn WHAT THE BRICK!
@ChimeFix (6 days ago)
@mattbrwn 😢
@kiyotaka31337 (1 year ago)
Thanks for the videos I learned a lot from your videos.
@ersonthemesa (1 year ago)
Thanks Matt....Great video.
@Henrik229 (1 year ago)
Very interesting videos!
@neon_Nomad (1 year ago)
Amazing as always !ganbatte!!
@markf8819 (1 year ago)
Great video
@NeverGiveUpYo (9 months ago)
Really good content
@Autokey_Security_Services (1 year ago)
Is it not possible for you to write your own known hash into the flash chip raw data dump, or is this data retained in the Ambarella chip??
@mattbrwn (1 year ago)
This should be possible. I'm working on this method for a future video.
@bassimyounis5803 (1 year ago)
Hey Matt thanks for the video. How did you know that the hash was unsalted? Was it in a previous video?
@mattbrwn (1 year ago)
Good question! I discussed it in the first video. The bootloader prints out the password hash of what you enter for a password attempt. So I was able to type "password" in, hit enter, and confirm that the password matched the unsalted sha256 hash of "password"
@xrafter (7 days ago)
@mattbrwn What a legend!
@habiks (10 months ago)
Cool video. But GPIO simply means general purpose input/output pin. GPIO isn't any type of mechanism.
@neon_Nomad (1 year ago)
Says it will take a month, but I'm having trouble getting both CPU and GPU running at the same time... I don't have much experience with hashcat, so if anyone knows what's going wrong: I'm using hashcat launcher.
@Ski4974 (8 months ago)
Did you end up making the 3rd video in this ARLO Q series?
@mattbrwn (8 months ago)
Unfortunately my device got bricked so I wasn't able to make the next video.
@Ski4974 (8 months ago)
@mattbrwn That's too bad, how did that happen? 😯
@gersonsoares6628 (1 year ago)
Good video Matt: is the bootloader U-Boot?
@mattbrwn (1 year ago)
No, this is not U-Boot. Ambarella SoCs use a custom bootloader called amboot.
@markf8819 (1 year ago)
What tools would you recommend for a beginner
@mattbrwn (1 year ago)
I'm trying to put together a playlist about all my tools but that's a work in progress. For getting UART access you really just need a simple TTL-232R cable: ftdichip.com/products/ttl-232r-3v3/
@ahmedsammoud1924 (1 year ago)
Any updates on what happened with the arlo?
@neon_Nomad (1 year ago)
Here I come hashcat... guess the rainbow road was too easy a route
@jordantekelenburg (1 year ago)
Is there more coming??
@same4047 (1 year ago)
Sir, I have been facing problems with my Bluetooth speaker: every time I turn it on it plays heavy, annoying prompts like "Bluetooth pairing is on", "USB mode", etc. How can we remove these prompts, or customise the Bluetooth device name? Also, could we make a device which could connect to multiple Bluetooth devices and simultaneously output all of them from one source/smartphone 🤔
@jabbawok944 (20 days ago)
Check out darieee. He does that kind of thing.
@neon_Nomad (1 year ago)
Hope all is alright
@mattbrwn (1 year ago)
Haha thanks for asking! Doing good. Closing on a house so that's been taking a lot of my free time lately. Will post new videos after that is finished.
@isheamongus811 (5 months ago)
Maybe something like if (1=1) may work
@bomber78963 (1 year ago)
I'm guessing they beefed up their passwords after this recent CVE: nvd.nist.gov/vuln/detail/CVE-2016-10115. One option may be to fuzz the UART inputs? Perhaps something in the password check logic may have a bug.
@mattbrwn (1 year ago)
I thought this was going to be the case as well! check the pinned comment! someone cracked it already 😂