Intro to hardware security: UART access and SPI firmware extraction

61,434 views

Mehdi A.

1 day ago

This is an introduction to hardware security for beginners. I will show you how to connect to the Linux terminal of a TP-Link wireless router using UART, and also how to dump its firmware using an SPI programmer. My aim has been to use the most affordable and accessible tools, so everyone can start without breaking the bank.
As promised in the video, here's the list of tools that I used or mentioned:
The target: www.tp-link.com/us/home-netwo...
The advanced UART adapter that I mentioned: www.crowdsupply.com/pylo/muart
Programmer I used to dump the firmware: github.com/boseji/CH341-Store
Software I used to dump the firmware: flashrom.org/Flashrom
Software used to extract the firmware contents: github.com/ReFirmLabs/binwalk
For the UART you can use any USB-UART adapter (sometimes called USB to TTL). I used an adapter based on the PL2303, but the FT232 is more common (the one with the 3.3/5 V switch was based on the FT232).
If you need more guides, check these out:
www.thezdi.com/blog/2019/9/2/...
nvisium.com/blog/2019/08/07/e...
jcjc-dev.com/2016/04/08/rever...
blog.rapid7.com/2019/02/20/io...
I had to cut some corners to prepare a short and easy-to-understand video. For example, I skipped the part on detecting the UART pins on the board using an oscilloscope or logic analyzer.
If you have questions or comments, you can reach me via Twitter: / mehdi0x61
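The dump step in the video (flashrom read, then binwalk) is worth checking before any analysis, because a bad clip contact or an unstable supply silently produces a wrong image. The following is an added Python example, not code from the video, flashrom or binwalk: it compares two reads of the chip, rejects blank or oddly sized images, scans for a few well-known magics (uImage, SquashFS, gzip) and computes the per-block entropy that binwalk's -E option plots. File names are placeholders, and with no arguments it runs on a constructed 64 KiB image built inside the script.

```python
"""Sanity-check an SPI NOR flash dump before handing it to binwalk.

Added example, not code from the video, flashrom or binwalk. Assumes the
chip was read twice (e.g. `flashrom -p ch341a_spi -r dump1.bin`, then
again into dump2.bin; file names are placeholders) so the reads can be
compared. The magics below are the well-known uImage, SquashFS and gzip
signatures; everything else is constructed sample data.
"""
import hashlib
import math
import sys
from collections import Counter

# Well-known container magics commonly found in router flash images.
SIGNATURES = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x1f\x8b\x08": "gzip stream",
}


def dumps_match(first: bytes, second: bytes) -> bool:
    """Two reads of the same chip must be identical; a flaky test clip or an
    unstable supply usually shows up as a mismatch here."""
    if len(first) != len(second):
        return False
    return hashlib.sha256(first).digest() == hashlib.sha256(second).digest()


def looks_blank(data: bytes) -> bool:
    """All 0xFF (erased) or all 0x00 means nothing real was read: wrong chip
    definition, bad contact, or the board was still powered from elsewhere."""
    return len(data) > 0 and (data.count(0xFF) == len(data) or data.count(0x00) == len(data))


def is_plausible_size(data: bytes) -> bool:
    """SPI NOR parts come in power-of-two sizes (1, 2, 4, 8, 16 MiB ...)."""
    n = len(data)
    return n >= 64 * 1024 and (n & (n - 1)) == 0


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniform random data."""
    if not chunk:
        return 0.0
    total = len(chunk)
    return -sum((c / total) * math.log2(c / total) for c in Counter(chunk).values())


def entropy_map(data: bytes, block: int = 4096) -> list:
    """Per-block entropy, the view `binwalk -E` plots: compressed or encrypted
    regions sit near 8.0, erased padding at 0.0, plain code in between."""
    return [round(shannon_entropy(data[i:i + block]), 2) for i in range(0, len(data), block)]


def find_signatures(data: bytes) -> list:
    """(offset, name) for every occurrence of a known magic, a minimal version
    of the signature scan binwalk performs."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos >= 0:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def check_dump(first: bytes, second: bytes) -> dict:
    """Run every check and return a report instead of printing it."""
    return {
        "match": dumps_match(first, second),
        "blank": looks_blank(first),
        "size_ok": is_plausible_size(first),
        "signatures": find_signatures(first),
        "entropy": entropy_map(first),
    }


def build_sample_dump() -> bytes:
    """Constructed 64 KiB stand-in for a chip image (not a real dump): erased
    flash with a uImage magic at 0x0, a SquashFS magic at 0x8000 and one
    4 KiB block of uniformly distributed bytes standing in for compressed data."""
    img = bytearray(b"\xff" * (64 * 1024))
    img[0:4] = b"\x27\x05\x19\x56"
    img[0x8000:0x8004] = b"hsqs"
    img[0x9000:0xA000] = bytes(range(256)) * 16
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            first, second = f1.read(), f2.read()
    else:
        first = second = build_sample_dump()
    report = check_dump(first, second)
    for key in ("match", "blank", "size_ok", "signatures"):
        print(f"{key}: {report[key]}")
    busy = [hex(i * 4096) for i, e in enumerate(report["entropy"]) if e > 7.5]
    print("high-entropy blocks at:", busy)
```

Run it as `python3 check_dump.py dump1.bin dump2.bin` after two flashrom reads; a `match: False` result means the dump should be redone before any binwalk extraction, and a long run of 8.0 entropy blocks with no signature hits is the usual sign of a compressed or encrypted region rather than plain code.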

Comments: 119
@bradkaral1188 (1 year ago)
Very well done. Clearly explained, step-by-step.
@Lin-yo3og (2 years ago)
So grateful, it's a good tutoring video with so much detailed explanation.
@hypnos4754 (19 days ago)
Great video. This is a process that I've never done myself, and I always wondered what it's like. The explanation of the required tools (and why they're needed) is really good as well.
@stevecross9159 (3 years ago)
From the UK. Hi Mehdi, good introduction. I need to go over the video again but it's a good start!!
@vediam (9 months ago)
Hello, I can say this is the most useful video I have watched. May God be pleased with you for preparing this video with such detailed and rich content. Thank you very, very much, well done.
@karaniii (1 day ago)
Wonderful video. Hopefully you will have more of this. Cheers mate
@shivamhw (2 years ago)
Very good, friend.. great video,
@squirre17 (2 years ago)
Thank you very much😘. Looking forward to more practical hands-on work videos.
@anantoslab (10 months ago)
Need more detailed videos about this topic. You are great ❤. Love from Bangladesh.
@oulachoulach4883 (1 year ago)
BROTHER, YOU ARE THE BEST!!! You oooh really helped me!! THANK YOU VERY
@parsbitex (9 months ago)
it was so good, grateful for this tutorial
@qzorn4440 (3 years ago)
Gee, this is very interesting and a great way for troubleshooting a lot of devices... thanks...:)
@SaeedBeigiRizi (4 years ago)
that was a complete tutorial. thanks in advance
@nikolatesla9917 (4 years ago)
just as a suggestion: first introduce the devices in the video and mention them by typing their name beside them in the first scene of the video, i enjoyed it ThanX
@Dumbc0mment (3 years ago)
Thank you Mehdi, I learned a lot
@soroush92 (1 year ago)
Thanks Mahdi jaan. Would u please upload more videos like this? Amazing bro.
@n.w.aicecube5713 (2 years ago)
Very well explained
@bigbooduh (1 year ago)
Legend Mehdi! Thanks for this
@parag9999mun (1 year ago)
It was a lot helpful. Thank you man
@emreru5687 (4 years ago)
Thank you (thank you very much, Mr. Mehdi)
@riadhch5643 (3 years ago)
Thank you Mr Mehdi, so helpful
@AbhishekMishra-bq9ox (3 years ago)
Plz make more, thank u for making this type of video
@MehdiHacks (3 years ago)
I will try my best. 👍 Please subscribe to get notified of my upcoming videos
@AbhishekMishra-bq9ox (2 years ago)
I already subscribed to you
@brentself (7 months ago)
Great information in this video. Louder audio would be great, as I struggled to hear everything when the volume was set to the maximum value.
@RafaelSousa-pj1ok (4 years ago)
Great video! Thanks a lot!
@drewsam6387 (3 years ago)
dunno if anyone cares but if you guys are bored like me during the covid times then you can watch all of the latest movies and series on instaflixxer. Been streaming with my girlfriend recently =)
@stevensamuel1968 (3 years ago)
@Drew Sam Definitely, have been watching on Instaflixxer since November myself :D
@abdullahnadeem1823 (1 year ago)
wow, this is the exact router I have. I'm actually surprised it works so well for such a cheap price
@myname-mz3lo (11 months ago)
its cheap because it has zero security lol
@abdullahnadeem1823 (11 months ago)
@@myname-mz3lo and zero functionalities 😅
@abdelazizsaad7676 (3 years ago)
This is great, thanks a lot.
@bobmcbob4399 (1 year ago)
13:29 "3: System Boot system code via Flash" - this is option 3 in the U-Boot boot menu. It is possible to send a different option via serial keyboard input - like boot to root shell. But this may not always be possible. But in this case, you get to a shell from the get-go.
@rohitdeswal1224 (2 years ago)
Great video. Can you give a list of other vulnerable devices to practice on?
@Eptapus (4 months ago)
It would be nice to have a video where you edit the firmware and flash it back to the device!
@dzfinch5008 (9 months ago)
Thank you
@Ali-gj4du (4 years ago)
I liked it :)
@parvazno (1 year ago)
Well done, engineer
@user-oc1qh7pk1w (2 years ago)
impressive, from the Republic of Korea.
@JorgeLuis-hy8im (2 years ago)
Does the PL2303 have the right voltage? I mean 3.3 V by default. I get confused about the right voltage, do you have another video about the voltage? If you test the PL2303 pins, what voltage do you get?
@jayachandra677 (3 years ago)
Great video, Mr electroboom
@tamiriiiii (1 year ago)
Using UART access, if the device has telnet but it is disabled, can we enable it?
@qusaykambal6903 (2 years ago)
Hi, how can I reverse engineer a dump of any EEPROM, for example s2943? I tried Ghidra but I am not getting anything
@nachiketathakur697 (2 years ago)
Great tutorial, thanks for sharing... just a question... I do not have the UART pins on the PCB. What options do I have?
@MehdiHacks (2 years ago)
Finding them is not very difficult. Do you have any pin headers on the board at all?
@pipony8939 (2 years ago)
i also don't have them. how do i know what connects to what? and the usb adapter i bought from adafruit doesn't say which is which
@phantom700X (4 months ago)
Thank you for the information. I have an LPC1778 and I tried to read it with Flash Magic. And I get the message "security violation in device". What can I do?! I wanna get the firmware.
@perinoveriza1658 (3 years ago)
More content about this
@nilmango675 (4 years ago)
thanks a lot. how can we extract portable wireless modems' firmware? (4G or TD-LTE) for example modems which are locked. i mean they are restricted to work only with specific SIM cards.
@MehdiHacks (4 years ago)
Well it depends on the modem. I don't know about your modem, but I have seen some that save all the required info in a config file. If you access it via UART, you can edit the file and bypass the limitations.
@miftahulfaris4400 (2 years ago)
can CH341 also be used for UART?
@toncho1986 (3 years ago)
Nice video, pal!! I have this question rolling in my mind: why is it so important to work on the firmware? Can we "attack" another thing?
@MehdiHacks (3 years ago)
Because the firmware contains the actual code, and it might be possible to find remote vulnerabilities and therefore attack other similar devices remotely. Another thing that you can try locally is hardware fault injection (including voltage glitching, electromagnetic fault injection, etc.)
@toncho1986 (3 years ago)
@@MehdiHacks Thank you for replying! Dude, how can i contact you? I need to ask you some more questions about UART and firmware! :)
@MehdiHacks (3 years ago)
@@toncho1986 You're welcome. You can reach me via Twitter: twitter.com/mehdi0x61
@toncho1986 (3 years ago)
@@MehdiHacks Dude, have you got any email? I do not use Twitter :/
@MehdiHacks (3 years ago)
@@toncho1986 DF2HF[at sign]pm.me
@HawK40x (5 days ago)
Can you repack the bin again after making some changes?
@alwill1016 (1 year ago)
Hey guys, by any chance does anyone know how I can pipe all the output from the terminal into a txt file on Linux? I've tried tee, >, >>, and script and still have yet to get the terminal output into a txt file.
@tocube1 (4 years ago)
Cute ^-^
@abdoubenadada7310 (2 years ago)
can we extract the firmware of the TP-Link TD-W8961N v3?
@aminamiri8604 (3 years ago)
plz upload more videos
@johndavid8303 (1 year ago)
Hello, how to extract firmware from an MCU with built-in flash memory such as the Atmel ATSAMD21J?
@barryu4762 (3 months ago)
hello, is it possible to flash firmware in UART mode?
@rohitdeswal1224 (2 years ago)
Plz make more videos
@TouChA0 (2 years ago)
can i change the ip address of this router using this method?
@mjyanimations1062 (3 years ago)
Pretty sure EEPROM isn't even a ROM. It can be erased and flashed many times. Data can be modified by the device itself, so it's also used in microcontrollers to store data after power off.
@amkoshesh6205 (2 years ago)
Flash files of other modems, from which site should I get them? Free. Safe file.
@manassehabraham5589 (2 years ago)
Nice video..... u sound like electroboom
@sebastianseng5278 (1 year ago)
what if i wanna save a project but i use the free trial? can someone help
@linux-tut (1 year ago)
Dump or extract U-Boot from the running board. OR dump memory to a file from the U-Boot console using the Memory Display command. This will be helpful for debugging in a situation where you have a board with U-Boot running, don't have the same version of the U-Boot binary, and want to test on another board. kzbin.info/www/bejne/r3WpfpZ4g6yKabc
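The Memory Display route mentioned in the comment above leaves you with a text capture rather than a binary, so the practical step is turning that capture back into bytes and noticing where the terminal dropped a line. Here is an added Python example, not code from the video or the linked one, that does this for U-Boot `md.b` output; it assumes the usual line layout of a hex address, a colon, up to 16 hex byte pairs and an ASCII column, and the capture it ships with is constructed.

```python
"""Rebuild a binary from U-Boot `md.b` console output captured over UART.

Added example, not code from the video or the one linked above. Assumes the
usual md.b layout: `ADDRESS: b0 b1 ... b15    ascii-column`, 16 bytes per
line, as printed by U-Boot's memory display command. The capture below is
constructed, not taken from a real board.
"""
import re
import sys

# address (8 or 16 hex digits), 1..16 hex byte pairs, then an optional
# ASCII column separated from the hex by at least two spaces
MD_LINE = re.compile(
    r"^([0-9a-fA-F]{8,16}):((?:\s[0-9a-fA-F]{2}){1,16})(?:\s{2,}.*)?$"
)


def parse_md_line(line: str):
    """Return (address, bytes) for one md.b line, or None for prompts and
    command echoes such as `=> md.b 9f000000 20`."""
    m = MD_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return int(m.group(1), 16), bytes.fromhex(m.group(2))


def md_to_bytes(capture: str):
    """Parse every md.b line in a capture and return (start, data, gaps).

    `gaps` lists (expected, actual) address pairs where a line went missing,
    which happens on long dumps when the terminal drops characters; rerun
    md.b over that range rather than trusting the joined output."""
    start = None
    expected = None
    chunks = []
    gaps = []
    for line in capture.splitlines():
        parsed = parse_md_line(line)
        if parsed is None:
            continue
        addr, data = parsed
        if start is None:
            start = addr
        elif addr != expected:
            gaps.append((expected, addr))
        chunks.append(data)
        expected = addr + len(data)
    return start, b"".join(chunks), gaps


# Constructed capture: the command echo, two data lines, and the prompt back.
# (0x27 is an apostrophe, which is why the ASCII column opens with one.)
SAMPLE_CAPTURE = (
    "=> md.b 9f000000 20\r\n"
    "9f000000: 27 05 19 56 00 00 00 00 00 00 00 00 00 00 00 00    '...V............\r\n"
    "9f000010: 55 2d 42 6f 6f 74 20 31 2e 31 2e 34 00 00 00 00    U-Boot 1.1.4....\r\n"
    "=> \r\n"
)

if __name__ == "__main__":
    # usage: md_to_bin.py capture.txt [out.bin]; with no arguments the constructed sample is parsed
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_CAPTURE
    start, data, gaps = md_to_bytes(text)
    print(f"start=0x{start:08x} length={len(data)} gaps={[(hex(a), hex(b)) for a, b in gaps]}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(data)
```

Feed it the file your terminal program logged while `md.b` ran (the command echo and prompts are skipped automatically); if `gaps` is non-empty, the join is not trustworthy and the affected range should be displayed again.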
@neettalk (1 year ago)
Hi, I used a 115200 baud rate for UART, which is connected to the IP camera board, but as soon as I give it power, the PuTTY window displays garbage values; need your inputs/suggestions
@JordanPlayz158 (1 year ago)
Sounds like you may have the baud rate wrong; there are not many standard baud rates so it should not take too long to brute-force the right one.
@ClickClack_Bam (7 months ago)
@@JordanPlayz158 I second this for anybody reading this for future reference. I'm new at this but have seen that the wrong baud rate will give you garbage.
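The advice in this thread (garbage on the console usually means the wrong baud rate, and the list of standard rates is short) can be turned into a small check. The following is an added Python example, not from the video or any commenter: it scores a captured byte string by how much of it is printable text, ranks candidate rates by that score, and, assuming the pyserial package and a placeholder port path, listens at each standard rate in turn without sending anything to the board. The two byte strings at the bottom are constructed stand-ins for a good and a bad capture.

```python
"""Score raw UART bytes to tell a correctly decoded console from baud-rate
garbage, and step through the common rates until one scores well.

Added example, not code from the video. The scoring is pure Python and runs
on the constructed samples below; probe_baud_rates() assumes the pyserial
package and a USB-UART adapter at a path such as /dev/ttyUSB0 (placeholder),
and it only listens, it never writes to the target.
"""
import sys
import time

# Rates worth trying, most common first; 115200 is typical on routers.
STANDARD_BAUDS = [115200, 57600, 38400, 19200, 9600, 230400, 460800, 921600, 1500000]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or ordinary whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def looks_like_console(data: bytes, threshold: float = 0.9) -> bool:
    """A correctly framed boot log is almost entirely printable text; a wrong
    baud rate yields bytes with the high bit set, NULs and framing noise."""
    return len(data) >= 16 and printable_ratio(data) >= threshold


def rank_candidates(samples: dict) -> list:
    """Given {baud: bytes_captured}, return the bauds best-first."""
    return sorted(samples, key=lambda b: printable_ratio(samples[b]), reverse=True)


def probe_baud_rates(port: str, bauds=STANDARD_BAUDS, seconds: float = 2.0) -> dict:
    """Listen on `port` at each rate for `seconds` and return {baud: bytes}.
    Requires pyserial (assumption). Power-cycle the board between attempts so
    the boot banner is replayed for each candidate rate."""
    import serial  # lazy import: the scoring functions above work without it
    captured = {}
    for baud in bauds:
        with serial.Serial(port, baud, timeout=0.2) as ser:
            deadline = time.monotonic() + seconds
            buf = bytearray()
            while time.monotonic() < deadline:
                buf += ser.read(256)
            captured[baud] = bytes(buf)
    return captured


# Constructed samples standing in for captures of the same board at two rates
# (the banner text is made up, not from a real device).
SAMPLE_GOOD = (b"U-Boot 1.1.4 (Jan 1 2020)\r\nDRAM:  64 MB\r\nFlash: 8 MB\r\n"
               b"Hit any key to stop autoboot: 0\r\n")
SAMPLE_BAD = (b"\xfc\x00\xff\x9e\xe0\xf8\x0c\x86\x00\xfe\x1f\xf0"
              b"\x80\x0e\xe6\x00\xff\xfc\x7e\x00\xf8\x03")

if __name__ == "__main__":
    # usage: probe_baud.py /dev/ttyUSB0  (placeholder path); no argument uses the samples
    if len(sys.argv) > 1:
        captures = probe_baud_rates(sys.argv[1])
    else:
        captures = {115200: SAMPLE_GOOD, 9600: SAMPLE_BAD}
    for baud in rank_candidates(captures):
        ratio = round(printable_ratio(captures[baud]), 2)
        print(f"{baud:>8}  printable={ratio}  console={looks_like_console(captures[baud])}")
```

Whichever rate scores near 1.0 is the one to configure in PuTTY or minicom; a capture that scores poorly at every standard rate points at something other than the baud rate, such as a wrong pin assignment.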
@Pinwiru (1 year ago)
well, the TP-Link firmware can be downloaded without compiling
@Unknown2023_1 (3 years ago)
Hello, and thanks for the tutorial and the information you published. If I want to make a dump of a 4G modem with a UART module and then write that dump back onto another modem of the same model, is that possible? Or do I need a programmer like the one you used in the video? Thanks
@MehdiHacks (3 years ago)
Hello. Depending on the flash model, it may be possible to rewrite it over UART, but the most straightforward way is to use a programmer.
@chachouamohamed8557 (1 year ago)
hello bro, can you help me with my TP-Link RE450 v3.. it's bricked... thanks bro, video
@Dadadu16 (2 months ago)
How do you identify which pin hole is for GND, RX, TX, when there's nothing written on the PCB?
@MehdiHacks (2 months ago)
Usually ground is the easiest to identify (simply using a multimeter's continuity mode, with other known grounds). RX and TX can be identified using multiple methods: one is to simply try (there's no harm in using them in the wrong order), second is to use a logic analyzer to "see" what's happening on the wire. I think some UART tools also can auto-discover it. Usually one has lots of data/activity going on, while the other is simply quiet, which means even a voltmeter can be used to identify RX (using fluctuations in the voltage).
@bucketaos8066 (1 year ago)
I am unable to enter into the shell, it keeps saying cmd is "echo "" > /etc/TZ"
@fjfkfkdkdkdk (4 months ago)
Why not read the firmware via UART?
@carlosdevelop9296 (2 years ago)
Is it possible to repair Mi Stick TV software with this method?
@MehdiHacks (2 years ago)
Hmmm. What do you mean? You can (re)write the firmware using SPI, if that's what you meant.
@gwyn7727 (3 years ago)
Is there a universal USB thing that supports JTAG, SPI, UART, RS232, I2C?
@MehdiHacks (3 years ago)
Yes. Bus Pirate, HydraBus, Shikra, Tigard, ...
@manasafarmandspringresort2577 (3 years ago)
Hi sir, do you have the dump file for the AC23, English version?
@MehdiHacks (3 years ago)
Hey. Unfortunately not.
@seupedro9924 (3 years ago)
why not use the V pin in UART?
@JordanPlayz158 (1 year ago)
I could be wrong but the VCC pin from UART is only needed if the device doesn't have its own means of providing power.
@bororobo3805 (1 year ago)
We found Electroboom's younger brother 🤣
@MehdiHacks (1 year ago)
That made me smile :D
@hackwithprogramming7849 (1 year ago)
Is Python installed on that WiFi router terminal??? Plz anyone reply 🥺🥺🥺🥺🥺🥺🥺🥺🥺😭😭😭😭😭😭😭 plz?
@MehdiHacks (1 year ago)
To my knowledge, no.
@hackwithprogramming7849 (1 year ago)
@@MehdiHacks ok then tell me one thing: which default programming language is there in that Linux shell? like in Windows we have .VBS as default....... except bash script
@youtubbiz (1 year ago)
Is the Enter key on your keyboard still working?
@tocube1 (3 years ago)
Mr. Mehdi, don't you have a Twitter we can follow? There was nothing in the channel's About section.
@MehdiHacks (3 years ago)
Hello. I put my Twitter link at the end of the video description (mehdi0x61)
@tocube1 (3 years ago)
@@MehdiHacks Oh, interesting. I was already following you. Thank you
@kattoOrSmthxD (1 year ago)
bro sounds like electrobooooooooooom
@JakeBromie (17 days ago)
my house almost burned down
@eadge1999 (1 year ago)
You talk for a long time outside the core of the address
@guyonadino (2 months ago)
IS THIS ELECTROBOOM??? what's bro doing here
@MehdiHacks (2 months ago)
Haha. My name is Mehdi and I sound like him, but I'm not ElectroBOOM
@guyonadino (2 months ago)
@@MehdiHacks but you're still sus!! and also keep uploading vids
@arashlabaf2172 (4 years ago)
Well, post Persian videos too ☹️
@rjbrake (1 year ago)
derka derka
@iss_lily (1 year ago)
SIMlock code of Huawei B5318-42