Matt Brown
Joined Aug 29, 2022
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
Persistent Root Shell via IoT Firmware Modification - Rooting a TP-Link Security Camera
Minipro repo:
gitlab.com/DavidGriffith/minipro
Need IoT pentesting or reverse engineering services?
Please consider Brown Fine Security:
brownfinesecurity.com/
IoT Hackers Hangout Community Discord Invite:
discord.com/invite/vgAcxYdJ7A
🛠️ Stuff I Use 🛠️
🪛 Tools:
Raspberry PI Pico: amzn.to/3XVMS3K
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4h4G7DD
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
website: brownfinesecurity.com/
twitter: nmatt0
linkedin: www.linkedin.com/in/mattbrwn/
github: github.com/nmatt0/
#hacking #iot #cybersecurity
Views: 12,054
Videos
Glitching Linux Bootloader for Shells and Freedom - Rooting a TP-Link Security Camera
32K views, days ago
Hack the Planet!!! Need IoT pentesting or reverse engineering services? Please consider Brown Fine Security: brownfinesecurity.com/ IoT Hackers Hangout Community Discord Invite: discord.com/invite/vgAcxYdJ7A 🛠️ Stuff I Use 🛠️ 🪛 Tools: Raspberry PI Pico: amzn.to/3XVMS3K XGecu Universal Programmer: amzn.to/4dIhNWy Multimeter: amzn.to/4b9cUUG Power Supply: amzn.to/3QBNSpb Oscilloscope: amzn.to/3Uz...
Open Source Flash Programmer Software - minipro FTW
12K views, 21 days ago
minipro repo: gitlab.com/DavidGriffith/minipro algorithm.xml archive: brownfinesecurity.com/algorithm.xml Need IoT pentesting or reverse engineering services? Please consider Brown Fine Security: brownfinesecurity.com/ IoT Hackers Hangout Community Discord Invite: discord.com/invite/vgAcxYdJ7A 🛠️ Stuff I Use 🛠️ 🪛 Tools: Raspberry PI Pico: amzn.to/3XVMS3K XGecu Universal Programmer: amzn.to/4dIh...
Hacking Time - Discussing the Bug Class that Earned Me 5-Figures
8K views, 21 days ago
ArchAngelDDay's Nahamsec Talk: th-cam.com/video/G1RHa7l1Ys4/w-d-xo.html NTP mitm Demo: github.com/nmatt0/ntp-mitm-demo Need IoT pentesting or reverse engineering services? Please consider Brown Fine Security: brownfinesecurity.com/ IoT Hackers Hangout Community Discord Invite: discord.com/invite/vgAcxYdJ7A 🛠️ Stuff I Use 🛠️ 🪛 Tools: Raspberry PI Pico: amzn.to/3XVMS3K XGecu Universal Programmer:...
Chip Off Firmware Extraction - Hacking the Totolink WiFi Router
40K views, months ago
Need IoT pentesting or reverse engineering services? Please consider Brown Fine Security: brownfinesecurity.com/ IoT Hackers Hangout Community Discord Invite: discord.com/invite/vgAcxYdJ7A 🛠️ Stuff I Use 🛠️ 🪛 Tools: Raspberry PI Pico: amzn.to/3XVMS3K XGecu Universal Programmer: amzn.to/4dIhNWy Multimeter: amzn.to/4b9cUUG Power Supply: amzn.to/3QBNSpb Oscilloscope: amzn.to/3UzoAZM Logic Analyzer...
Top 5 Tools for IoT Hacking Beginners
16K views, months ago
Check out the blog post related to this video! brownfinesecurity.com/blog/hardware-hacking-tools-beginners-guide/ Amazon Items from the Video: WiFi Router: amzn.to/3YqjjqH iFixit Toolkit: amzn.to/408Kfwr Multimeter: amzn.to/4hn6Z27 UART Adapter: amzn.to/4h4G7DD Jumper Wire: amzn.to/4eOrZgk PINECIL Soldering Iron: amzn.to/48cxNxD Solder: amzn.to/3UdhISN Wire Strippers: amzn.to/4eMUYkv Need IoT p...
Make Binwalk Fast Again - Rust Rewrite of Binwalk is in Beta
13K views, months ago
Check out V3 of binwalk! github.com/ReFirmLabs/binwalk/tree/binwalkv3 Need IoT pentesting or reverse engineering services? Please consider Brown Fine Security: brownfinesecurity.com/ IoT Hackers Hangout Community Discord Invite: discord.com/invite/vgAcxYdJ7A 🛠️ Stuff I Use 🛠️ 🪛 Tools: Raspberry PI Pico: amzn.to/3XVMS3K XGecu Universal Programmer: amzn.to/4dIhNWy Multimeter: amzn.to/4b9cUUG Powe...
Discovering Backdoor in Chinese Router Firmware Update Server - Hacking the Totolink WiFi Router
35K views, months ago
In this video, we show how I discovered a backdoor in the firmware update server for the TOTOLINK Wi-Fi router. Need IoT pentesting or reverse engineering services? Please consider Brown Fine Security: brownfinesecurity.com/ IoT Hackers Hangout Community Discord Invite: discord.com/invite/vgAcxYdJ7A 🛠️ Stuff I Use 🛠️ 🪛 Tools: Raspberry PI Pico: amzn.to/3XVMS3K XGecu Universal Programmer: amzn.t...
UART Root Shell on Linux Router - Hacking the Totolink WiFi Router
19K views, months ago
In this video, we discover a hardcoded root password though the aid of OpenWRT's failsafe mode. OpenWRT Failsafe Mode Docs: openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset Need IoT pentesting or reverse engineering services? Please consider Brown Fine Security: brownfinesecurity.com/ IoT Hackers Hangout Community Discord Invite: discord.com/invite/vgAcxYdJ7A 🛠️ Stuff I Us...
Wireshark Basics for IoT Hacking
15K views, 2 months ago
Need IoT pentesting or reverse engineering services? Please consider Brown Fine Security: brownfinesecurity.com/ IoT Hackers Hangout Community Discord Invite: discord.com/invite/vgAcxYdJ7A 🛠️ Stuff I Use 🛠️ 🪛 Tools: Raspberry PI Pico: amzn.to/3XVMS3K XGecu Universal Programmer: amzn.to/4dIhNWy Handheld Multimeter: amzn.to/4b9cUUG Bench Multimeter: amzn.to/3YUjbQS Power Supply: amzn.to/3QBNSpb O...
Using Linux to Intercept IoT Device Traffic
15K views, 2 months ago
mitmrouter on GitHub: github.com/nmatt0/mitmrouter Need IoT pentesting or reverse engineering services? Please consider Brown Fine Security: brownfinesecurity.com/ IoT Hackers Hangout Community Discord Invite: discord.com/invite/vgAcxYdJ7A 🛠️ Stuff I Use 🛠️ 🪛 Tools: Raspberry PI Pico: amzn.to/3XVMS3K XGecu Universal Programmer: amzn.to/4dIhNWy Handheld Multimeter: amzn.to/4b9cUUG Bench Multimet...
Hacking a Chinese Medical Device via Bluetooth - iHealth Nexus Pro Scale
19K views, 2 months ago
exploit code: github.com/BrownFineSecurity/ihealth-hs2spro-exploit bletools repo: github.com/nmatt0/bletools Check out the blog post related to this video! brownfinesecurity.com/blog/intercepting-mobile-traffic-with-caido-and-frida/ Watch other videos about BLE hacking: th-cam.com/play/PLuyjXiwnBIa1vj9jHyO-uB8W1nHN-xjLO.html IoT Hackers Hangout Community Discord Invite: discord.com/invite/vgAcx...
Intercepting Mobile Traffic with Caido and Frida - iHealth Nexus Pro Scale
14K views, 2 months ago
Check out the blog post related to this video! brownfinesecurity.com/blog/intercepting-mobile-traffic-with-caido-and-frida/ IoT Hackers Hangout Community Discord Invite: discord.com/invite/vgAcxYdJ7A 🛠️ Stuff I Use 🛠️ 🪛 Tools: Raspberry PI Pico: amzn.to/3XVMS3K XGecu Universal Programmer: amzn.to/4dIhNWy Handheld Multimeter: amzn.to/4b9cUUG Bench Multimeter: amzn.to/3YUjbQS Power Supply: amzn.t...
Siglent SDM3045X Multimeter - with Custom OBS Overlay
5K views, 3 months ago
Statistical Attacks on Proprietary Encryption - Hacking the VStarcam CB73 Security Camera
18K views, 3 months ago
Breaking a Proprietary Chinese Encryption Protocol - Hacking the VStarcam CB73 Security Camera
104K views, 3 months ago
Decrypting SSL to Chinese Cloud Servers - Hacking the VStarcam CB73 Security Camera
315K views, 3 months ago
JFFS2 Firmware Modification - IoT Pentesting Tips and Tricks
11K views, 3 months ago
Discovering a Hardcoded Root Password - Hacking the VStarcam CB73 Security Camera
154K views, 3 months ago
Hacking a Tiny Security Camera - VStarcam CB73 Firmware Extraction
39K views, 3 months ago
UFS/eMMC Firmware Extraction - UFI Box
12K views, 4 months ago
Hacking a Knockoff Google Chromecast - Firmware Extraction
107K views, 4 months ago
blueTag - A Raspberry PI Pico JTAGulator Alternative
9K views, 4 months ago
Hacking a WiFi Fireworks Firing System - The FireFly Plus
15K views, 4 months ago
Flipper Zero Chat App - RF Signal Analysis via SDR
12K views, 4 months ago
4G GPS Tracker Reverse Engineering - GPS Digital Signal Decoding
17K views, 4 months ago
4G GPS Tracker Reverse Engineering - Cell Modem Interactions
32K views, 5 months ago
4G GPS Tracker Reverse Engineering - Hardware Analysis
18K views, 5 months ago
Hacking The Mojo C-75 - YT Comments Follow-Up
4.4K views, 5 months ago
Hacking The Mojo C-75 - Intercepting Network Traffic
8K views, 5 months ago
Cool beans! Looks like this is the only way we can actually get cameras to use on foss security setups.
I've done a lot of contracted IoT testing for some of the big companies. Given you had a root shell, no chip-off writing of flash was needed. This device has pretty poor security:
- no/poor secure boot implementation
- poor uboot security
- no verification of squashfs partition by previous stage
- data on flash not encrypted via EFUSE keys
Also fortunate not BGA chips. That said, not knocking the video - great tutorial on how to do chip-off read/write.
Happy follower, and still very ADHD... cards linking to prior videos when you mention them (or a playlist or collection) would be lovely. Thank you for the work you do, and for explaining so well.
Very nice and well explained. I always enjoy your content.
So cool!
Great video as always. Can you tell us what the exact model is?
Try dmesg -n0, perhaps it would stop logging to the console.
So... You'll MITM that TLS connection to China? Or even look at those UDP packets?
Hi Matt, could you please add a link for the pogo pins? You mentioned that there was a link but I don't see it. Thanks 🙂
Good call on the bin compression
Your new compressed squashfs binary was a few hundred bytes smaller. When you write it to firmware, what happens? Does it mean there will be a few hundred bytes of the original squashfs binary remaining in the firmware? Does it remain as dead (non-accessible) data? Also, what would happen if the new squashfs binary is larger, even if by a few bytes?
P.S. Would be nice to see further videos on what you managed to reverse engineer, and how you would improve this device. P.P.S. I guess for making further changes you would need to do absolutely the same procedure on modifying that read-only fs. Because of that, would it not make sense to add some socket onto the camera board for easy removal/reinsertion of the chip (if they exist for this 8-pin package)?
can you try ubiquiti devices
Great work! Do you think it's possible to reprogram the chips without having to take them off the board? Is it just easier to get all the pins aligned and stuff if you have it on its own?
Are you hacking free service or what
Great knowledge! Brilliant explanation! Thank you Mat!!!!!!!!!!!!!!!!!!!!!
Cool vid. Waiting on the episode of reverse eng. of these binaries.
Awesome video Matt! Much appreciated with your knowledge and skills. Questions, have you ever tried doing a chip off and firmware extraction from a Secure Enclave chip from an iOS device? Curious as its super robust (maybe encrypted at rest itself). Godspeed!
The chip actually supports secure boot. Its such a shame that it wasn't implemented for this platform
Please explain to me why hack your own router, what's the purpose, what are you gaining? Just asking.
Could you make a video detailing your education and how you got to your skill level? Vids are great, keep it up!
Very much agree with all other commenters on your format and detailed explanations! I would only encourage you to invest in slightly better cameras (resolution makes it blurry looking) and to beef up the lighting. It will make a huge difference to what the camera manages to capture.
which camera specifically is blurry? or all of them?
Basically all of them. Can't tell if it's the compression causing it or if the camera itself that is causing it.
Excellent video, I love these hacks, I learn a lot from them. If I may give you one point of feedback: for me the flow of information is a little too slow in the videos. I find myself reaching for the playback speed setting and skipping bits. Not to say I want you to turn it into some kind of awful TikTok channel, it's just that the information density could be higher imo.
1:32 "yOU Can see..." lol edit: while watching this, something came to mind. I want to explore this in a chroot now. What architecture is this CPU? Can you maybe release the stock rootfs? Would love to tinker around with it!
you are covered. Love your videos.
If the new squashroot is a different size, does newfw.bin not have either leftover data or truncated data? Would a more complete newfw.bin not require two calls to dd, with a new count for the 1st and an offset for the 2nd?
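The two comments above about the rebuilt squashfs being a few hundred bytes smaller (and what a plain dd leaves behind, or does when it is larger) come down to how the partition window is written back. The following is an added example, not code from the video: it assumes a flat, unencrypted NOR flash dump in which the rootfs occupies a fixed window [offset, offset + size) of the kind binwalk reports, and that erased NOR reads as 0xFF. The offsets, sizes and fill bytes are constructed for illustration. `naive_overwrite` reproduces what `dd ... conv=notrunc` does; `replace_partition` pads the new filesystem to the full window and refuses one that does not fit.

```python
"""Write a rebuilt rootfs back into a raw flash image without leaving stale bytes.

Added example, not code from the video.  Assumes a flat, unencrypted NOR flash
dump where the squashfs rootfs occupies a fixed window [offset, offset + size)
and erased flash reads as 0xFF.  Layout and fill bytes below are constructed.
"""

ERASED = 0xFF  # erase state of NOR flash; some layouts expect 0x00 instead


def check_fit(new_part: bytes, size: int) -> int:
    """Spare bytes left in the window; negative means the new partition is too big."""
    return size - len(new_part)


def replace_partition(image: bytes, offset: int, size: int, new_part: bytes,
                      pad_byte: int = ERASED) -> bytes:
    """Return image with image[offset:offset+size] replaced by new_part.

    A smaller new_part is padded to exactly `size`, so the overall layout is
    unchanged and none of the old filesystem survives inside the window.  A
    larger new_part is rejected rather than truncated or allowed to overrun the
    partition that follows it.
    """
    if offset < 0 or offset + size > len(image):
        raise ValueError("partition window lies outside the image")
    spare = check_fit(new_part, size)
    if spare < 0:
        raise ValueError(f"new partition is {-spare} bytes too large for a {size}-byte window")
    return image[:offset] + new_part + bytes([pad_byte]) * spare + image[offset + size:]


def naive_overwrite(image: bytes, offset: int, new_part: bytes) -> bytes:
    """What `dd if=new.squashfs of=fw.bin bs=1 seek=OFFSET conv=notrunc` does:
    only len(new_part) bytes change, so the tail of the old rootfs stays behind."""
    return image[:offset] + new_part + image[offset + len(new_part):]


# Constructed stand-in for a flash dump, with a distinct fill byte per region so
# it is obvious which bytes moved.  A real dump would come from the programmer.
BLOCK = 0x1000                          # 4 KiB erase block (assumed)
ROOTFS_OFFSET = 3 * BLOCK               # bootloader + kernel live before it
ROOTFS_SIZE = 4 * BLOCK
FLASH_IMAGE = (b"B" * ROOTFS_OFFSET     # bootloader + kernel
               + b"O" * ROOTFS_SIZE     # old rootfs
               + b"D" * (2 * BLOCK))    # data/config partition after it
NEW_ROOTFS = b"N" * (ROOTFS_SIZE - 300)  # rebuilt rootfs, 300 bytes smaller


if __name__ == "__main__":
    fixed = replace_partition(FLASH_IMAGE, ROOTFS_OFFSET, ROOTFS_SIZE, NEW_ROOTFS)
    naive = naive_overwrite(FLASH_IMAGE, ROOTFS_OFFSET, NEW_ROOTFS)
    tail = slice(ROOTFS_OFFSET + len(NEW_ROOTFS), ROOTFS_OFFSET + ROOTFS_SIZE)
    print("padded tail:", fixed[tail][:8])   # erase-state bytes
    print("naive tail :", naive[tail][:8])   # stale bytes of the old rootfs
```

Pad with the flash's erase state rather than zeros so the unused tail of the window looks freshly erased to anything that scans it later. SquashFS stores its own length in the superblock, so the kernel ignores trailing padding (mksquashfs already pads to 4 KiB by default). If the rebuilt filesystem is larger than the window, the choices are to drop files, use stronger compression (mksquashfs -comp xz), or change the partition layout, which means editing wherever the layout is defined (mtdparts in the bootargs or the device tree), not just the image.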
This is a really awesome video, I would definitely love to see more of the process, like how you go about reversing the binaries you found or analyzing traffic as the device is being used
Really interesting stuff, brilliantly presented. Thanks!
yoooo droppin str8 heat!!
There's a "PEM private key" file. Is it encrypted and does it correspond to any of those PEM Certificates?
I love this channel! I've been into computers since DOS (that ages me), never attempted firmware mods like this but was heavily into decompiling and programming software as a hobby. I appreciate your simple explaining of not only procedures but why you are doing them. Keep it up and your channel will skyrocket!
As always great video
This was awesome. I love learning how to manipulate binary files. That's something I never got that deep into. Seeing these tools in action and having a reference to go back to is making me want to do more experimenting. Thank you!
Can you do a firmware modification on a MikroTik device? They have a custom OpenWrt that somehow looks and works more stable.
Been watching your vids since you started and they've all been very informational but the quality and format have become excellent. Thank you !
Nice video ! Quick question, in case you don't have a chip reader (or the ability to unsolder the memory chip), if you can anyway get a shell easily at boot, how would you extract files from that UART connection ? In this example /bin/cloud-iot. Thx
Ohh that's a good question! If there are any utilities that can transfer files (curl, netcat, etc) you can use them to exfil files off the running device. This is a good video idea
@mattbrwn Yup, I suppose sometimes you even need to transfer such utilities from your host to the target device. AFAIC, file transfer over netcat is always syntactically painful.
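For the case raised in the thread above, a UART shell on a device with no netcat or curl, the console itself can carry the file: print it as base64 with a checksum, log the terminal session, and decode on the host. This is an added example, not code from the video or from the channel. It assumes the target's BusyBox has `base64` and `md5sum` (`uuencode -m` or `hexdump` are the usual fall-backs), that the session was logged to a file (script, picocom --logfile, minicom -C), and that the device side was something like `echo BEGIN_XFER; md5sum /bin/cloud-iot; base64 /bin/cloud-iot; echo END_XFER`. The marker names, the path and the sample log are constructed here; the parser skips console noise such as kernel messages printed mid-transfer and verifies the md5 the device reported, which is what catches a line that was clobbered.

```python
"""Recover a file that was dumped over a UART console as base64 text.

Added example, not code from the video.  Device side (assumed BusyBox):
    echo BEGIN_XFER; md5sum FILE; base64 FILE; echo END_XFER
Host side: feed the logged terminal session to recover_file().
Marker names, path and the sample session are constructed.
"""
import base64
import hashlib
import re

BEGIN_MARK = "BEGIN_XFER"
END_MARK = "END_XFER"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")


def build_console_log(payload: bytes, path: str) -> str:
    """Constructed stand-in for a captured UART session: CRLF line endings, the
    echoed command line, and a kernel message landing in the middle of the dump."""
    md5 = hashlib.md5(payload).hexdigest()
    b64 = base64.encodebytes(payload).decode().splitlines()  # 76-char lines, like busybox
    half = len(b64) // 2
    lines = [
        f"# echo {BEGIN_MARK}; md5sum {path}; base64 {path}; echo {END_MARK}",
        BEGIN_MARK,
        f"{md5}  {path}",
        *b64[:half],
        "[  842.113371] eth0: link up",   # console spam from the kernel (constructed)
        *b64[half:],
        END_MARK,
        "# ",
    ]
    return "\r\n".join(lines) + "\r\n"


def recover_file(console_log: str) -> tuple[bytes, bool]:
    """Return (decoded bytes, whether their md5 matches what the device printed)."""
    lines = [ln.strip() for ln in console_log.splitlines()]
    try:
        start = lines.index(BEGIN_MARK)          # the exact marker line, not the echoed command
        end = lines.index(END_MARK, start + 1)
    except ValueError as exc:
        raise ValueError("transfer markers not found in console log") from exc
    body = lines[start + 1:end]
    m = MD5_LINE.match(body[0]) if body else None
    if m is None:
        raise ValueError("expected md5sum output directly after the BEGIN marker")
    expected_md5 = m.group(1)
    # Keep only lines that are pure base64; prompts and kernel messages are dropped.
    b64_text = "".join(ln for ln in body[1:] if B64_LINE.match(ln))
    data = base64.b64decode(b64_text, validate=True)
    return data, hashlib.md5(data).hexdigest() == expected_md5


if __name__ == "__main__":
    sample = bytes(range(256)) * 7 + b"tail"
    data, ok = recover_file(build_console_log(sample, "/bin/cloud-iot"))
    print(len(data), "bytes recovered, checksum ok:", ok)
```

A kernel message that lands inside a base64 line (rather than between lines) cannot be filtered out, which is why the checksum check matters; silencing console logging first (dmesg -n0, as suggested above) avoids most of that, and a multi-megabyte binary at 115200 baud takes minutes, so a checksum failure on a single chunked dump is cheaper to detect than to redo.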
FYI: it looks like binwalk v3 has already been pushed to the arch repos, so unless you need your special fork you should be able to use the rust version with the main binary. It looks like you incidentally used v3 in the new binary without noticing when you ran the extract. Wonderful video as always.
Yep! I just have the old one installed also so I can compare findings. I already made one commit to the rust version and needed to see the delta with the old tool.
You explain the whole process of working with hardware in a very understandable way, it's not too caught up in details. The way you walk people through it makes it so easy to understand the basics of working with hardware, which for me at least was the most intimidating part. Since watching the channel I've been able to do a chip-off firmware extraction, get a UART shell with my Flipper Zero as a bridge and locate a vulnerability in a router. It might not sound like a lot if you're watching this guy's videos but this is from someone with zero hardware experience or formal education. Big ups to Matt for being an excellent teacher 🙏
This is awesome to hear!! 🫶
Really enjoyed the video, love that you explained every step of the way there, great job! Would love a vid where you explain a more general approach, or one where you explain how you find out what works and what won't work for certain chips, or where you find your information.
Nice video, Noob question, is it necessary to desolder the chip for reading / flashing? I've seen these clip-on soic cables.
I prefer to try that first, "usually" it works fine, however sometimes injecting power to the flash chip pins will make the CPU or other chips "wake up" and then that can get in the way because then multiple things will be barking commands at the flash chip. Sometimes you can get the CPU to hang using tactics similar to the bootloader glitch like ground some of its address lines so it hangs trying to hit RAM or such (or some SoC chips have a reset pin which will hold the CPU in reset, which is better than glitching it), and then it will leave the flash DI/DO pins alone (floating) so the programmer (CH341 or similar) can use them without interference.
IOT = idiotic obtuse trash
Why are you not connecting the tx and rx to the test points on the pcb that are nearby the chip (4 round ones) ??
Some devices don't have those, and showing how to do this regardless of specific device or board layout is more useful. Of course hunting around for test pads that end up at the SoC pins is always an "extra credit" option.
TY well done video! I'd be interested in seeing where those custom binaries call out /bin/cloud-iot etc... what , if any, data is shared out with the tplink servers .
Great video, as always 👍 You could have used the break out Pads instead of the pins, not as fiddly😉
Are your start and stop bits for UART set correctly?
Isn't that a 3V flash chip? Minipro claims it's using 5V. Usually not something that'll kill the chip right away though, and maybe just a beta version artefact. (I ran 3.3V myself to a 1.8V flash recently and it survived so ..)
yay for open source! good vid too ;-)
I saw telnet daemon listening on loopback interface (127.0.0.1), so you could also run it on all interfaces and access shell remotely instead of using UART. I wonder if there is any form of ssh server available there which could be used instead of telnet.
Many times there is no space, even for something light like dropbear. Gotta have room for their custom bloatware cloud apps. :)
PCbite probes are new to me. Thanks for mentioning them. I previously tried a pogo pin array which I got to work but the pin spacing was never quite right.
Good informative content, thank you!
Awesome job, thanks for the tips shared in the video. Nice job.