U-Boot Bootloader Firmware Extraction Tools

Views: 8,050

Matt Brown

1 day ago

U-Boot is a common bootloader found in embedded Linux systems which, if left unlocked, can be used to extract firmware from the device. In this video I demo some new Python tools that automate file extraction from ext4 file systems on MMC storage using U-Boot's ext4ls and ext4load commands.
firmwaretools GitHub Repo:
github.com/nma...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nma...
#hacking #iot #cybersecurity
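The console exchange the video automates, written out as an added worked example in Python. This is not code from the firmwaretools repo: it generates the ext4load/md.b command pair for one file, rebuilds the file from a captured md.b hex dump (skipping echoed commands and prompts, and refusing a dump with a dropped or repeated line), and generates the reverse mw.b/ext4write sequence that the comments below ask about. The load address 0x82000000, the `mmc 0:1` device string, the file paths and the sample dump are constructed assumptions; the md.b line layout, the `filesize` variable set by ext4load, and the hex-by-default numeric arguments are standard U-Boot behaviour.

```python
"""Added example (Python; not code from the firmwaretools repo): the console
exchange the video automates, plus the reverse (write-back) direction."""
import re

# Hypothetical load address. Pick one inside the DRAM range `bdinfo` reports
# and away from U-Boot's own relocated image; md/mw on unmapped or in-use
# memory is what produces the failures and resets discussed in the comments.
LOADADDR = 0x82000000

# `md.b` prints 16 bytes per line, padded on the last line:
#   82000000: 72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f 6f 74 3a    root:x:0:0:root:
# Only the fixed-width hex field after the address is trusted; the ASCII
# column is file content and may itself look like hex.
MD_LINE = re.compile(
    r"^\s*([0-9a-fA-F]+):((?:\s[0-9a-fA-F]{2}){1,16})(?:\s{2,}.*)?$")

# Constructed sample file content (not from any real device).
SAMPLE = b"root:x:0:0:root:/root:/bin/sh\n# ab cd ef 01\n"


def extract_commands(path, loadaddr=LOADADDR, dev="mmc 0:1"):
    """U-Boot commands that dump one file from an ext4 partition. ext4load
    sets the `filesize` env var (hex), so md.b can reuse it for the length."""
    return [f"ext4load {dev} 0x{loadaddr:x} {path}",
            f"md.b 0x{loadaddr:x} ${{filesize}}"]


def bytes_read(load_output):
    """Length reported by ext4load, e.g. '44 bytes read in 3 ms (14.3 KiB/s)'."""
    m = re.search(r"(\d+) bytes read", load_output)
    if not m:
        raise ValueError("ext4load did not report a successful read")
    return int(m.group(1))


def parse_md_dump(text, base, size):
    """Rebuild `size` bytes starting at `base` from captured md.b output.
    Echoed commands, prompts and blank lines are skipped. A gap or repeat in
    the address sequence (a line lost or doubled on the serial link) raises
    instead of silently producing a corrupt file."""
    out = bytearray()
    expect = base
    for line in text.splitlines():
        m = MD_LINE.match(line.rstrip("\r"))
        if not m:
            continue
        addr = int(m.group(1), 16)
        if addr != expect:
            raise ValueError(f"address gap: expected {expect:#x}, got {addr:#x}")
        chunk = bytes.fromhex("".join(m.group(2).split()))
        out += chunk
        expect += len(chunk)
        if len(out) >= size:
            break
    if len(out) < size:
        raise ValueError(f"short dump: {len(out)} of {size} bytes")
    return bytes(out[:size])


def write_commands(path, data, loadaddr=LOADADDR, dev="mmc 0:1"):
    """Reverse direction: fill RAM with mw.b, then commit it with ext4write
    (size argument in hex). Runs of equal bytes collapse into one mw.b via its
    count argument; for more than a small config file, loadb/loady over the
    same serial line is the practical alternative."""
    cmds, i = [], 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        cmds.append(f"mw.b 0x{loadaddr + i:x} 0x{data[i]:02x} 0x{j - i:x}")
        i = j
    cmds.append(f"ext4write {dev} 0x{loadaddr:x} {path} 0x{len(data):x}")
    return cmds


def render_md_dump(data, base):
    """Constructed stand-in for a serial capture of md.b, in U-Boot's layout,
    so the example runs without a board attached."""
    lines = [f"=> md.b 0x{base:x} ${{filesize}}"]  # echoed command
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = "".join(f" {b:02x}" for b in chunk)
        pad = " " * (3 * (16 - len(chunk)))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}:{hexpart}{pad}    {asc}")
    lines.append("=> ")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print("\n".join(extract_commands("/etc/passwd")))
    capture = render_md_dump(SAMPLE, LOADADDR)
    assert parse_md_dump(capture, LOADADDR, len(SAMPLE)) == SAMPLE
    print("\n".join(write_commands("/etc/passwd", SAMPLE)))
```

With a real board, the serial capture of the md.b output goes into parse_md_dump with the length from bytes_read; the address-continuity check is what turns a flaky UART into a hard error rather than a subtly wrong binary.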

Comments: 40
@0xbitbybit 4 months ago
Keen to see you tackle a more realistic device, say without the full uboot version, with a login prompt for UART, encrypted firmware, etc. That's what I keep getting lately, or not being able to find a file system at all after desoldering and reading the memory chip 😢
@muh1h1 4 months ago
Thanks for making these videos! I watch them purely for education and entertainment, even though I have no professional relationship with any of this. I really find your videos very interesting to watch and easy to grasp, so please keep them going!!!
@mattbrwn 4 months ago
This is awesome to hear :)
@pinpinpoola 4 months ago
@mattbrwn Matt, in the future could you please move the picture-in-picture to the top-right corner? On one of the last videos you had two terminal sessions side by side, and the command line in the right-hand session was obscured by the inset video of you. It was hard to follow along.
@mytechnotalent 4 months ago
Nice job as always Matt. Really like the firmware tools, awesome automation for this extraction analysis.
@bartzilla333 2 months ago
If you run 'bdinfo', that will give you the memory organization of U-Boot. Failures on md/mw at an address could be: 1. memory is mapped to CPU registers, 2. the address does not exist, or 3. U-Boot could be running out of that memory range. There could be a lot of things that cause failure.
@mattbrwn 2 months ago
Yeah that makes sense. I was just writing over random blocks of memory :D
@TheRealWulfderay 4 months ago
Thanks, Matt. Uboot has always seemed a bit mystical to me. Very practical example.
@alecsei393ify 4 months ago
Thank you, the content is awesome, good information!!
@feff6754 4 months ago
Lots of really good info here, thanks!
@charlesdorval394 1 month ago
Wow! That was sooooooooooooooo interesting! Thanks! I wish I had some device to mess around with now lol
@XYZ56771 4 months ago
Thank you for the content, great insights, as always!
@kaderdz4564 2 months ago
Am I the only person who gets entertained by watching your content? 🤠 ❤ GOOD 👍 JOB 👌 BRO
@Spozinbro 4 months ago
Love your stuff! This is super useful for what I'm trying to do right now with my router, keep up the awesome work!
@sonysav3813 4 months ago
Nice job Matt 👍
@kixxthemanz437 3 months ago
Matt, make a video on extracting the files on locked-down phones like Samsung: extracting the files that tell the device it can use ADB, or that tell the device if the OEM is on or not, so we can extract them, change the values, then push them back to the device to gain root access.
@zachkost-smith6923 4 months ago
Surprised to see that your parse uboot dump wasn't just wrapping a call to 'xxd -r'
@mattbrwn 4 months ago
why use bash when python do trick? ;)
@tritnaha1345 1 month ago
You should give any Avaya J-series phone a try, they offer a pretty fun challenge
@sp33dracerx2 4 months ago
Good stuff
@tomwimmenhove4652 3 months ago
Don't you think the reset is simply caused by you overwriting code in memory that is currently being executed? Maybe the bootloader code itself, or interrupt vectors?
@mattbrwn 3 months ago
that's a good point. that could totally be it.
@EricMarsi 4 months ago
Awesome work dude!
@saad1983 4 months ago
Awesome tool. I will be putting it to work; it def makes life a whole lot easier to just be able to fetch the actual files rather than md. Can you elaborate on any write methods which can help write files or strings back to a location on an ext4 fs via U-Boot?
@mattbrwn 4 months ago
Yeah, I'm going to work on adding a tool that will do that. You do it the opposite way of reading. First, write data to memory with the "mw" command. Second, write the file to the filesystem with "ext4write".
@saad1983 4 months ago
@mattbrwn Will def give it a shot. Thank you.
@xenoxaos1 4 months ago
10:35 probably memory-mapped IO or memory that's being used by the bootloader.
@timmturner 3 months ago
What's the sensitive nature of the device? I don't understand why you would not want the viewers to know what it is?
@Hobypyrocom 4 months ago
If I have a firmware extracted from a device (for example a WiFi camera), is there any way to modify the firmware? Can you make such a video?
@mattbrwn 4 months ago
It depends on a lot of factors: what is the flash layout? what is the actual underlying system? what modifications do you want to make? Join us on discord (invite in description) and some of the community might be able to help you learn :)
@Hobypyrocom 4 months ago
@mattbrwn Sadly I am not that far in. I just found the UART pins and managed to execute some useless commands, and noticed that it's U-Boot. I just wanted to know if extracting the firmware is worth the effort for future modifications of the functionalities. For example, I have many old Chinese WiFi cameras, but they turned down the servers and now you can't connect to the cameras, so I wanted to connect a LAN module instead of the WiFi module that they use and that way make them work again, but I will probably have to change some settings for the camera to use the LAN connection instead of the WiFi. Thank you for the reply; I will definitely check and join the Discord.
@wtftolate3782 3 months ago
Can you do this to cell phones?
@MarshallLevin 4 months ago
Ugh, that thumbnail font. FIAWAAE EHTAACTION?
@robertsimon6911 4 months ago
I have a device that boots its normal OS after 30-60 seconds in the U-Boot command prompt. Any chance to interrupt this autoboot?
@mattbrwn 4 months ago
Can you interact with the uboot menu during that time? Come join us in discord for help with stuff like this 😁
@pinpinpoola 4 months ago
@mattbrwn So good to see you back on here, Matt. I really enjoy your content and was worried when you stopped posting a year or so ago. Hope all is well. I am now catching up with the last few weeks' content.
@DJStompZone 4 months ago
bootretry is an environment variable containing the current delay in effect. Negative values mean boot retry will not occur. Unfortunately, *this value is only sampled on startup* - changing it will *not* prevent boot retry in the current session. If your build supports saving environment variables persistently:
u-boot> setenv bootretry -1
u-boot> saveenv
Otherwise you would have to modify the source and rebuild. If you wanted to get rid of that behavior entirely you could do something like `grep -r CONFIG_BOOT_RETRY *`, remove those lines, rebuild, and reflash. Definitely make sure you have a backup means of booting or flashing before overwriting the existing U-Boot, just in case.
@brighttech8922 3 months ago
Hack the Facebook portal plus 15.6 please
@freerice9595 4 months ago
I love these videos. I love watching the process from start to finish.