One advice i have for you when soldering , is lower your soldering temperature, its way too high , thats why u knock off that resistor so easily. Also you run the risk of just taking off pads at that temperature. I usually just have my soldering station at around 300c for this small thermal mass jobs. Great video btw

I absolutely love that you didn't edit out the agonising wait on booting up to confirm it worked. Great videos as always. Thanks.

This was a great vid. The soldering is doable, the firmware mod is doable too. The important bits are explained well. And bonus points for using Vim. Thank you.

So many things to say. 1. love the videos. it's refreshing to have a old youtube style walk through including and explaining mistakes. 2. I appreciate you reading and using comment suggestions like zooming in on the command line.

A bit of advice when soldering those types of chips with more than 6 pins: I've found it easiest to do when there isn't any solder applied to the pads beforehand - what I do is I put a blob of flux in the middle to just hold the chip in place and then carefully go around and manually apply solder to each pin with the soldering iron once the chip is aligned. Maybe also loog into getting a pointier tip for the soldering iron for that. Cheers for the great content!

Loving the hacking series. we can re-use/re-purpose old devices

Really loved the section where you covered improper soldering let to flash chip not being recorgnized. When working with hardware modifications, there are truly many potential points of failure - such as chips not being soldered correctly, components getting damaged from overheating during the soldering/desoldering process, firmware corruption, other PCB components on PCB getting dislodged etc etc. This type of work undoubtedly demands a tremendous amount of hardwork and patience. Great work, Matt, and thank you for sharing this. I really enjoy your videos.

Congratz. This video opened my mind for these kind of modifications xD keep up the good work

one of the best channels. keep pumping out the content in same format

I love your style of presentation and the information with/of all the failed attempts. Very instructive and good to follow. Lerned a lot over the time with your videos. Thanks for sharing. I'm already looking forward to the continuation :)

Hey matt, just wanna say I absolutely love your videos!

Great Job! Looking forward to the next one to see what you found in the network traffic; as we used to do some crazy things specifically around spectrum jamming/etc

Digging your videos Matt!! Thanks for taking the time to make them!

Great content, love your stuff man. Keep it up! Looking forward to seeing that traffic you mentioned

Some people are just going through products because they have money.. others go throug them like.. "hey, let's go meet your makers and find out what they didn't tell you... you could do." 😂

Excited for this one!

This stuff is really interesting! Thanks for another cool video! Look forward to the next one one this device :D

Very interesting stuff, do please continue!

incredible. Love this stuff man!

damn, I'm impressed over the upload rate

A little soldering advice, lower your heat, and avoid touching the iron with the solderdirectly. Touch one end of the pad with the iron and the other with the solder. Perfect shiny pads every time.

Awesome murderfication! :)

Good stuff, thanks for putting the whole process together

Nice video. As to XGecu issues, I'm also using an XGecu programmer (TL866II Plus) but I've never experienced any of these. Possibly because I don't use flux when removing the chip, so chip legs don't get covered in non-conductive thing. As to erase failing, never seen this before as well. I suspect this might be an artifact of running the software in wine.

Awesome video, thank you once again :)

Really cool video. Love your content :)

Nice work, Matt! Looking fwd to what you'll do now that you are root :-)

Now, let's try to find where they installed the backdoor on this system! ;D

Great job on your work! My guess on the write fail at 25MHz is that the second socket for the smd adds too much capacitance to have a reliable communication.

Just some technicalities and nothing of importance, Matt: "... now, that the solder turned COLD ...". Hehehehee. Don't talk that way if professionals are in the room. I may be wrong, because I am German, but I sense that "cold" in conjunction with solder-joints also means a VERY BAD THING in english: Unstable, weak and bad connections (romantics ... the old days ... with LEAD ... were so much better! Just joking. You could see cold solder joints easier with that poison as pat of the solder-alloy). May I suggest: "... until it turns SOLID"? Which is actually what it does, changing its state of aggregation and forming a mechanical and electrical, reliable connection. Well, until you move or shake the joint while the solder is cooling down, which may result in that so called "cold solder joint". A reason for headaches, failures, I mean unrepeatable sporadic failures, in the future. I'm sorry if I got too emotional when I am talking about our(my?) NEMESIS as e-engineers and service personal, etc. Hehehehe:)

Awesome!

Tried to imagine when a developer/contributor committed the “cowardly” message to the upstream code as a joke, and that message is still there to these days. 😁😂

YEAHHH BABY, YEAH

This is very nice work. One question though.. non of the firmware or password file is not verified with a check sum or some sort of signature with other chip. That’s a little bit interesting. You said you have done this first time but is this way a common implementation? One more time, great job!

Great video

I'd have binary edited the flash image directly. The salted hash is the same length, so it's a drop in replacement. The image is unencrypted and uncompressed, and the filesystem image within it, is unencrypted and uncompressed. No change in file size, and a bunch of recombination steps, get skipped.

nice! great good tutorial.

I've seen a similar behavior when writing custom bootloader code where it fails to respond in time to the erase command, or responds with failure, although the erase was successful

Earned you a subscribe! ;)

Great

this is awesome stuff! How would have you dealt with it if the microchips had the "erase if read" bit set and the name/logo had been scratched off the surface? This is what I usually see when manufacturers want to add protection to these products.

Are you going to follow up with a way to root without hardware mods? Is there any setuid, or something that a stock box could be rooted with? Not sure if there is anything, but maybe? Or are you closing this series out?

I wish I was smart like this..

After seeing this I am happy I've bought "older" version of that programmer called TL866-II, because there is minipro - the alternative control software for that programmer made by David Griffith, which is perfectly hassle free…and it has command line interface which is easy to integrate with other parts of build chain like gmake. As far as I know there is also some experimental support for newer programmer in the last version, so maybe, just maybe, there would be some way how to modify it to your device too…which, in fact, would be great. The original software is horrible. Is it possible to mount jffs filesystem in rw mode through loop device? Idk, but if this is possible, then it would be much easier way how to modify that firmware file. Some FS cannot be mounted this way (e.g. iso9660) but sometimes, well, you are lucky enough :3.

Isn't it way easier to resolder the chip with the soldering iron instead of hot air? I always do it this way

Didn't know mkfs could make a binary image from a "regular" directory. I thought they used dd or something for that.

You will become viral

I've just discovered your channel and... whaou ! Now I'm looking for any device in my home where I can try to hack 😅 my concern is that I've heard that some chips may have some safety erase function in case of unauthorized access 😢 have you ever encountered this case ?

25:00 what type and temp you solder have?

Whats up, everybody!?!

Alternatively, you could overwrite the UID to 0 for config's password in /etc/passwd - then configure user has uid 0, root!

Couldn't you have avoided lots of erase block size and endianness by mounting the original firmware as a loopfs, modify /etc/passwd, and then unmount and unloop it?

Does it default to little endian or your native system endian? Either case it is good to have the -b to make it repudicable.

Good job! Do your self a favor and buy a "sop 16 clip"

It would have been much easier to mount your copy of the image file with the loop device, alter the shadow file, and unmount it. No having to dork around with trying to repackage the exploded contents.

Hello friends anyone know how i can repacking the firmware and bypass the crc signatures

nice

Why not just he edit the disk image directly with the hash? Skip all the mkfs stuff.

You could have just changed the config user shell and you could gain root that way without overwriting the root user password

sent you a msg on linkedin :-)

firmware murderfication ... priceless.

Disassemble hikvision camera to hack firmware

This was great

informative, and entertaining, and I would give ya a B on the solder job. LOL, I like the comment also from @lifeless11111 however the heat isn't as much an issue is the tip size when work with surface mount parts.