I work for Poly, formerly Polycom and now part of HP, and I found this pretty interesting as well. Cool stuff.

Great content! I like to see real and non-staged footage. Its authentic and just shows the raw and sometimes tedious process with all the mistakes and fuckups which are part of hacking and important for learning and improving.

You know it's a great week when we get two Matt Brown uploads in one week 😍

Thanks for making videos like this. My son is going to college soon to be an electrical engineer and these types of videos show interesting practical applications of what he's been studying in his electronics books.

Good video. Just a little tip when using the hot air. Point the nose vertical and move the nozel around the chip. You avoid lifting pads since the heat is distributed evenly. You almost had some lifted pads on the bottom 5 on the right.

I love the style of the videos. Showing working around problems giving a realistic look at practical work. Easy to follow, without being dumbed down. Love this.

The T56 is a great tool but I think growing a big greasy mustache is probably more useful in the long run.

+1 to using string -- I once ran that against a piece of malware and identified the employee who created it.. they had left some debug flags enabled and it displayed the path to some of the files including the C:\Users\

I love your channel. I didn’t make it through the computer engineering program at my university. But I still enjoy this kind of stuff a lot and your channel gives me inspiration to still keep learning. Thanks for making this

Great content. I am researching on IoT hacking to get in the domain and your videos are both fun and informative for me (and probably for other people like me). Waiting for the next episodes on this device and your future projects. Keep up!

Great stuff, keep showing the process, been having a few issues finding file systems myself with some of the stuff I've been looking at so very eager to see how you get on and what you try next :)

Incredible, love to see how you explore problems and how flexible your solutions are! Thanks for showing your work!

hi, Matt a little trick is to before remove nand , is make 1 pass using lead solder.... them hot air, this way less heat in pcb. tip 2 ..kkkk dont use qtip to clean ics.. it left all crap around (15.17) and it will avoid contact, use a a small brush like a old tooth brush

Very nice. Im building an open source framework for IoT and was just thinking if I should invest the time to configure encryption at rest by default. You convinced me :)

Please do more IoT hacking videos, im starting a course of IoT embedded systems around august and would like to get a cheat start with the help of your videos, which are really good.

Nice video I would love to see in the next videos about exploiting the firmware, what are you looking for, how to attack the services without falling into looking for published CVEs, but rather to discover new bugs or what things we should investigate either technical or knowledge to exploit such things at the application level, once extracted the firmware.

Keep up the great work Matt! We need more people sharing knowledge like you do :)

never thought these could be useful other than the amplifier/speaker being reclaimedf for other projects

Hardware management : catastrophic (dirty iron, not enough heat, seems Chinese flux,...) Software management : perfect Remains very interesting! Thanks

Man.....SO happy I found your channel! Amazing!!!

The XML files are how you configure Voip Phone. See if you can find the provisioning manual and accompanying software to figure out what's in each file. I suspect the files are encrypted and you may need the software or key to decrypt them.

to clean the chip before putting it into the reader, you can just dip the whole chip into alcohol... way faster and better than cleaning it with qtips. to clean the solder of the pins, you can put the solder wick on the table and put the pins on it, then run the soldering tip over them, i find it easier and safer that way (you wont bend the pins).

You should get one of those hot tweezers. With that you can use those solder braid as a brush, to brush away the solder from the chip without worring to deform the pin.

great video, thanks for your effort. question: why were the credentials, certificates, and logs part of the extracted firmware?

All solder braids have flux on them, but the "no-clean" ones have non electrically conductive flux. Theoretically you can leave it lathered in that flux and the chip will still work.

5:07 i didnt even know heating a rom would be safe for the data inside… well im not an electrical engineer or anything so yeah i just like these and one day want to extract data from a chip inside my childhood toy (probably midi and soundfont)

In regards to the q-tip fuzz getting hooked on the pins. My girlfriend uses these special type of cotton swabs called "glob mops" for cleaning her...medicinal tools. They're like normal cotton swabs, but they're packed really densely, and one end is packed to a fine point. May be useful for something like that 🤔

I always wanted to learn these hacking and low level things but currently learning web dev. Maybe one day i will learn these things which i always wanted to do. 🎉

Interesting. You could use openssl to decode the various certificates into a human friendly version for more details. Also - the 20 pin connector that you pointed out at the start of the video looks like a JTAG header. - one way to check would be to see if half of them (one row) should be joined to ground.

Matt, you're a legend dude. Thanks for the vids!

Dang bro u a straight up genius! your comprehension levels are impressive!

How's the firmware off these compared to those of Avaya? I did a little exploring on the Avaya J-series of phones and they employ some pretty creative ways of securing things.

think that connector is just a accessory connector. the jtag or serial will be pads near the soc. usually in a group that looks like enough pins.

That's a dope furnace you have there!

Damn didn’t even know about the t56 I do it the old fashioned way but I just bought one

Awesome! Just out of curiosity, have you ever considered attempting to extract firmware on raspberry pi & the closed source MIPI CSI-2 Camera ISP? It would be great if that could all be exposed & made compatible with other image sensors

Nifty! Thanks for sharing

the file system is likely on the processor itself, Its called SoC. there are ways to read those usually.

about the strings thing you were talking about. wouldn't it search for the nul byte too? like a few characters and then a nul byte

Most likely the pin header is for connecting JTAG. It could be possible to dump the FLASH and even debug the device using that port and no need to do any hardware job. All you need is a tool like PEEDI, BDI2000 or BDI3000.

No clean means that the flux is not conductive - if you don't clean, you won't short anything (but a bad connection is more likely) Right?

What about using OFRAK or Cutter to look into what you've got ahold of?

You don't see a file system as the device uses TFTP provided by the network to run the firmware from the ram directly. Cisco VOIP phones do the same thing. They call the (MAC ADDRESS).xml then call there model number.bin to run the .xml is stored on the device while the .bin is downloaded every time. Upon boot up they check the .xml vs the TFTP for consistency.

any reason why you don't dump while in circuit? you could use a 360 clip or similar. Less stress on desoldering.

binwalk -A will try to look for executable code instructions.

I like your microscope, is that one of those ones from Ali Express? I almost bought one a few years ago that Strange Parts recommended but decided to buy some extra meatballs for my spaghetti instead.

wow bad ass I just found your channel.. this great I am in!

that stuff is so interesting :O how u found out this is possible?

6:38 ultrasonic cleaner, life changer

what equipment do you use

18:35 Apparently spansion was purchased by cypress semiconductor, big stock merger. according to wikipedia.

Super interesting! Keep up the great work :D

Pretty good! One question for you: does this nand flash contain any kind of FTL? because I'd assume they'll NOT write to it like in a linear fashion, they must arrange blocks in some way.

comment in support!

nice lab!👌

You can definitely get solder braid that doesn't leave a residue? Just don't buy the cheapest of the cheap.

I subscribed after 25 seconds of this vid lol

Great video!

If those are PEM certs, I'm thinking it's the local (to the PolyCom) certificate store (like the trusted CAs).

I see you also use amtek flux. I’m guessing that’s what that was by the blurry syringe with the blue label

IIRC those Polycom conference room phones run VxWorks

Fyi you should probably blur raw certs too. They are just as secret as a password.

But for real, you should do some in-depth video of how to properly modify firmware

Awesmazing channel yo..❤❤

Put some solder ontop of the solderbraid (between the iron and braid) to help the heat transfer. Thank me later…

Hi, what adapter do you put the chip in?

XGecu T56 + clamp adapter is part of my lap as well - but I find it more usefull to use an adapter where you simply solder it on.(via hotair) No need to clean the chip. No bad connections. However I only found a tsop48 adapter - anyone found one for tsop56?

Awesome.

wtf u bluring, like someone will trace where the phone from and go hack them !?

you should try 70% alcohol for me its works better for cleaning flux

why 480p :(

Can’t you tell by the “0000” if it’s an actual dot?

He's got the gloves on so no fingerprints

Nice video. You remind me of my little sister. 👩 ..but she couldn’t solder the way you do.❤❤

15:42 So much hair stuff in there why you dont clean it right?

.5 solder wick works better to remove tiny pins . Thank you I learn do you think China does what you just did

plese lerning hacking licens router mikrotik

picture quality is low, like smudged and blurry

seems like social engineering is easier

😢😢😢

digital telephone devices existed wayy before the term IoT was invented. lets just call it what it is. great video though.

Boş şeydi. Hamısı sökülməlidi.

Thanks again for your content. They have truly helped me along being new to this (For me) hobby/passion. I do have a question on something I am working on. I dunno if you have a means in which i can contact you but if you do I would really appreciate any advice.

wow! when I saw that dot1x pem certificate my heart jumped. This is why all IT waste must be shredded, an "innocent" little phone just compromised someones network. Phone was probably factory reset by there IT staff too before it went into the trash.