
Hacking the Arlo Q Security Camera: Firmware Extraction

Views: 21,772

Matt Brown

1 year ago

In this video, we continue hacking on the Arlo Q security camera. Today we extract firmware from the NAND flash of the device and reattach the chip to leave the camera in working order. We use binwalk to extract file systems from the flash contents extracted from the device.
Louis Rossmann's Arlo video:
• Arlo cameras take the ...
Arlo End of Life announcement:
kb.arlo.com/00...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nma...
#righttorepair #jailbreak #firmware #iot #hacking

Comments: 69
@mattbrwn 1 year ago
anyone have a good rainbow table for unsalted sha256 hashes? alternatively, what's your go to wordlist?
@neon_Nomad 1 year ago
1. There's a website ;p 2. Remember that cybersecurity specialists usually have first dibs at creating a website
@weniweedeewiki.6237 1 year ago
@neon_Nomad my head hurt
@hammerdownfpv6351 3 months ago
Adding some low melt solder before you use the heat gun helps.
@braddofner 3 months ago
This is an awesome video series. I'm loving seeing the guts of this camera. As far as your soldering goes, if you ran some leaded solder over the pins of the IC first it would have come off easier. That factory solder is quite high temp and the leaded solder will mix with it and make it melt at a lower temp. Also they make chip extraction solder that almost melts in your hand. That's the best, however it is quite expensive. EDIT: spelling Another tip: I will heat the board before I wipe off the flux with cotton, and much of it comes off when hot. I try not to use the IPA because it spreads the flux around a lot. But with the amount of flux you used (and you used way too much, however you can NEVER have too much flux!) I would have hit it with IPA once or twice.
@zezimadude13 10 months ago
Love your stuff man. Keep doing what you are doing! Coming from network pentesting, having jumped into programming, then pentest labs and then SIEM stuff and IR competitions in college and wanting to have a better bottom up knowledge of devices, I find your videos extremely revealing.
@alexfedorov1160 1 year ago
It really helps if you apply some fresh solder to the pins before desoldering, so you don't have to heat the board that long. Even better if it was a juicy leaded solder.
@mattbrwn 1 year ago
Hmm yeah I'll have to try that. Makes sense
@agarmash_ 3 months ago
@mattbrwn there are even alloys with low melting temperatures that work excellently for desoldering purposes. For example, Rose's metal has a melting temperature of 94-98 degrees Celsius. After applying it to the component's solder joints it becomes stupid easy to desolder the component with a hot air gun. I even flipped this trick with SMD plastic connectors without melting the said plastic (like I did in my iPod Classic mod, you can find my blog post by my username if you're interested). However! The Rose's metal is quite brittle, so you need to remove it completely with the braid wick after desoldering
@agarmash_ 2 months ago
@attribute-4677 I usually grab some low-temperature alloy with the tip of my soldering iron, apply it to the pins of the component in question, and wipe off the remains from the soldering iron tip (you don't really want to have it in your permanent solder joints). Laying a piece of low-temperature alloy on the pins before using a hot air gun would work too, but generally, you don't need that much of this stuff to desolder a component.
@markf8819 1 year ago
The KZbin algorithm leads me to another great KZbinr
@mattbrwn 1 year ago
Thanks! The algorithm works in mysterious ways!
@vergil9397 9 months ago
Thanks Matt for giving me the courage to start in hardware stuff. I know it will be hard but I will stick with it till I die. Those vids on your channel are so so great
@Julzilla 2 months ago
When I take chips off I like to add some low melt (or even just regular leaded) solder to the pins, less chance of cooking the chip/killing pads and comes off waaaaay easier :)
@xenoxaos1 27 days ago
One of the nice things about these flash chips is that they only use like half of the pins.... So if you accidentally lift a pad it'll probably still work
@sunmicrosystems 1 year ago
Great stuff! Can't wait for the next part
@tomamore3 23 days ago
Capcom tape! I love it! That's what it will now be called for the rest of my life.
@JamesColeman 2 months ago
I'm wondering why you're using flux to remove the chip. From my understanding, flux just helps solder flow smoothly and cleans contacts. What will help with removing chips from the board would be adding lead solder and mixing with the unleaded solder on the board. The unleaded solder has a higher temperature at which it melts, whereas the commonly used leaded solder melts at a lower temperature.
@the-joe-biden 1 month ago
Might be there to help regulate the heat and to help with smoothly removing the chip without solder creating shorts
@Knolraab 1 year ago
I enjoy these videos a lot. Thanks for sharing!
@neon_Nomad 1 year ago
Louis would use a whole bottle of flux
@mattbrwn 1 year ago
True.
@nickstallman2328 2 months ago
Why did all the flux go on the chip package, rather than a blob on either side where the pins are?
@0xbitbybit 9 months ago
Was there a link to part 1 somewhere or am I blind? Maybe add what part it is in the titles because looking at your channel I still have no idea which one is part one lol
@rajuradios 1 year ago
My NAND is 64gb and when I copy the firmware by rt809h it only stuck at logo in another device and the data I collect from that 64gb NAND is just “9.something” gb so I think as you said I have to copy it by ts56 or any of xgecu by selecting “include spare area” right? So that all the data I can get correctly and that I can write in another NAND and can run the device. Am I right sir? Or I should select “none” option? Please reply.
@chuxxsss 1 year ago
Matt, you desolder at the same time, using the right attachment to your desoldering station. I have one on my station.
@Yreq 1 day ago
Instead of cotton sticks dipped in IPA, try some atomizer pump (like in perfumes, or hair conditioner) combined with a brush either soft one, or a harder one for scraping off some heavy shit. You would spread an even layer of IPA on the surface and avoid all the cotton mess at the same time. It works for me in most of applications
@gcm4312 1 year ago
what temperature do you usually use to desolder?
@adagioleopard6415 1 month ago
Flux doesn't do much for removing components, it's more for soldering. It's an acid that eats the corrosion off the tin on the legs of the chip, helping the solder bond to it. Adding it to chips when removing them does nothing. I've been working in electronic repair and manufacturing for over 5 years.
@mattbrwn 1 month ago
Lol then why does rossmann use it
@ByDesignation 1 year ago
great educational video! I wonder if those classic wordlists for cracking user accounts would work with this.
@jamieharper5665 2 months ago
Genuinely interested to know how many Q-tips you go through per week lol 😅
@vergil9397 7 months ago
Hi Matt, can I dump the firmware without desoldering the chip?
@lizardkeeper100 3 months ago
the answer is often yes but it can be much harder and not worth it. you can technically do it with a logic analyzer but you will be at it for several days. if you can find a uart, spi, jtag, or similar bus on the chip and are able to connect to it on the board you could also dump the firmware.
@franciz2 1 year ago
Why didn't you change the hash in the dump and then rewrite it before soldering? Just to keep investigating in case you don't find the password.
@mattbrwn 1 year ago
might have to do that eventually. trying to be as least invasive as possible.
@caralynx 1 year ago
One thing to note about NAND is the ECC. If you modify something, you're going to have to update the spare area associated with that page as well. If you don't, best case it restores the original data, worst case it marks the page as bad and it won't read. The ECC algorithm used in this particular configuration may not be obvious (especially if it's hardware ECC), so fixing the spare data might not be trivial.
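The spare-area point in the comment above, as an added example that is not from the video or from any commenter: it separates page data from spare bytes in a raw dump read with the spare area included, and lists pages whose data was edited while their spare bytes were left untouched. The 2048+64 geometry, the spare-after-each-page layout and all function names are assumptions; the sample dump is constructed.

```python
# Assumed geometry (not stated on the page): 2048-byte pages with a 64-byte
# spare area, each page's spare stored directly after its data in the raw dump.
PAGE_SIZE = 2048
SPARE_SIZE = 64


def split_nand_dump(raw, page_size=PAGE_SIZE, spare_size=SPARE_SIZE):
    """Return (data, spares): concatenated page data and per-page spare bytes."""
    stride = page_size + spare_size
    if not raw or len(raw) % stride:
        raise ValueError(
            f"dump length {len(raw)} is not a positive multiple of {stride}: "
            "wrong geometry, or the dump was read without the spare area"
        )
    data = bytearray()
    spares = []
    for off in range(0, len(raw), stride):
        data += raw[off:off + page_size]
        spares.append(bytes(raw[off + page_size:off + stride]))
    return bytes(data), spares


def pages_with_stale_spare(original, modified, page_size=PAGE_SIZE, spare_size=SPARE_SIZE):
    """List pages whose data differs between two raw dumps while the spare does not.

    Those pages still carry ECC bytes computed over the old data.
    """
    if len(original) != len(modified):
        raise ValueError("dumps differ in length")
    old_data, old_spares = split_nand_dump(original, page_size, spare_size)
    new_data, new_spares = split_nand_dump(modified, page_size, spare_size)
    stale = []
    for page, (old_sp, new_sp) in enumerate(zip(old_spares, new_spares)):
        lo, hi = page * page_size, (page + 1) * page_size
        if old_data[lo:hi] != new_data[lo:hi] and old_sp == new_sp:
            stale.append(page)
    return stale


def constructed_dump(pages=4):
    """Constructed sample: page i is filled with byte i, every spare with 0xEC."""
    return b"".join(bytes([i]) * PAGE_SIZE + b"\xec" * SPARE_SIZE for i in range(pages))


if __name__ == "__main__":
    original = constructed_dump()
    patched = bytearray(original)
    patched[2 * (PAGE_SIZE + SPARE_SIZE) + 10] ^= 0xFF  # change one data byte in page 2
    print(len(split_nand_dump(original)[0]), pages_with_stale_spare(original, bytes(patched)))
```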
@neon_Nomad 1 year ago
Woopwoop part 2!
@michaelstallsworth9995 3 months ago
What flash reader are you using and where can i buy one?
@mattbrwn 3 months ago
That is the Xgecu T48 and I now recommend the upgraded Xgecu T56. eBay is where I got mine
@michaelstallsworth9995 3 months ago
@mattbrwn thank you very much!!! Just getting into hardware hacking and your videos have taught me more in 2 days than I could have imagined! Keep up the awesome content 💪
@ArchiWorldRuS 1 year ago
Will you make a video about chip readers and all that stuff?
@geovaniferreira9626 10 months ago
Excellent videos. Could you hack the firmware of the microcontroller of any air conditioner?
@eeee-xq6qz 1 year ago
Matt, what’s your reader name? Or could you suggest some reader to buy 😊
@neon_Nomad 1 year ago
Some hash... somewhere over in the starss
@Mbro-dq2do 2 months ago
What linux distro are you using to do all this?
@mattbrwn 2 months ago
Arch Linux but all this stuff can be done with any kind of Linux you want.
@Mbro-dq2do 2 months ago
@mattbrwn Thank you for your work dude. I'm not even a script kiddie after a year or so but have learned a ton. 46 year old construction nerd who missed the boat but spend every spare moment learning. Your channel is in my rotation with Louis R too.
@Mbro-dq2do 2 months ago
@mattbrwn Kali Linux Manjaro and Straight Debian for me. Dragon OS I'm trying for SDR tools. Have a good day bro.
@mattbrwn 2 months ago
just heard about dragonOS from a training I'm in right now! I'll have to try that out. Getting SDR tools to work is a pain...
@weniweedeewiki.6237 1 year ago
The anticipation...is killing me ..when's that chip going to give
@mattbrwn 1 year ago
Yeah this one took longer than most. Could be a number of factors.
@MCgranat999 1 year ago
Not sure if my technique would work better but I'd use a bigger nozzle on the hot air, or take the nozzle off if that's the biggest one.
@weniweedeewiki.6237 1 year ago
@MCgranat999 Sounds like a load of hot air to me .......u c what i did there
@weniweedeewiki.6237 1 year ago
Cut it with them 3 d printing clippers ......my g😎
@sonyledlcdspecialistsafzal1228 1 year ago
Sir plz help My Nand Flash ic dump extract plz im send you. Please answer
@neon_Nomad 1 year ago
Remember to follow the rainbow when working with hash
@neon_Nomad 1 year ago
If you are afraid of chinese software phoning home, check out simplewall
@gavinpienaar2747 2 months ago
dude use a thin bristle toothbrush for cleaning :)
@neon_Nomad 1 year ago
Why are we still using lead? Don't we know what happened to the Greeks, sure it's a great sweetener but..
@mattbrwn 1 year ago
leaded solder works way better than lead-free.
@alexfedorov1160 1 year ago
Lead-free solder is a scam. It's better to produce less number of reliable devices using leaded solder than to use lead-free solder producing a ton of e-waste due to those solder failures. Obviously for environment, not for manufacturers.
@bluppfisk 1 year ago
@linus cat tips don't breathe it in either though
@kixxthemanz437 7 months ago
I don’t understand why you would want to extract firmware from a camera? Just go download it
@SlammerSimming 3 months ago
How do you think the person providing the firmware got it?
@CorollaGTSSRX 3 months ago
@SlammerSimming he means go to the support section of Arlo and download a firmware update and extract that. Sometimes that works, sometimes it doesn't or isn't available
@charleshendry5978 2 months ago
He wants the password.
@tinutom810 1 year ago
1st
@neon_Nomad 1 year ago
Great job glad the chip is still good :) just got my chip reader in but I've been focusing more on Tryhackme