That 'mount file to file' has just blown my mind.
Same!
same
The moment when you paused, slowed down... think... Hmm what's this other cert... then it works was great. Persistence paid off and you didn't let frustration get to you.
the path to Jedi - not many make it
Man, I love SaveItForParts! Thanks for sharing Matt! I love your videos too.
mount -o bind is super handy for read only filesystems (even /dev and /proc).
I suspect if you grep -r in /etc there might be start up commands that copy pem files from read only locations to write locations that are then read by related programs when they start.
Also most IoT devices like this will have extra logging that can be enabled that will print out not just http(s) requests/replies - but other encrypted protocols too.
You are the best at what you do!! Very in-depth knowledge.
This is really interesting to me, because we use 2 of these cameras in our family and I wondered if they are at least more secure than the average Aliexpress Chinese crap. Looking forward to more content!
The fact they are validating TLS and not sending any cleartext HTTP traffic means they are definitely better than average crap devices
Does the device have lsof? Could you have used that to find which program had cert files opened and exactly which cert file it was using? Or looked for it in /proc/[pid]/fd?
@saveitforparts is such a cool dude. Definitely OG type of YouTube content.
Thanks for the vids dude. Very helpful info for someone who's just poking around with hardware and firmware for fun as a hobby.
Instant sub bruv! 🔥
Nice use of bind mount on ro file system.
Nice, waiting for more content about the IoT reverse engineering methods
bro i love saveitforparts channel
Cool stuff. Neat method to get your certificate onto the device.
There’s a way to find all processes which initiate TCP connection, but it needs a kernel feature called trace_event which is enabled by default.
# Enable tracing of connect() which is used to initiate network connection.
echo 1 > /sys/kernel/debug/tracing/events/syscalls/sys_enter_connect/enable
# filter trace result with addrlen == 0x10 (IPv4) or addrlen == 0x1c (IPv6)
cat /sys/kernel/debug/tracing/trace | grep 'addrlen: 1[0c]'
You may need to mount debugfs if /sys/kernel/debug is empty.
You can investigate an existing process in detail if there's strace on the device or you can cross-compile it. strace has a '-p' argument which can be used to attach to an existing process to monitor the syscalls it initiates.
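As an added example building on the comment above (not the commenter's code and not from the video), the same tracepoint wrapped in a small BusyBox-style shell helper that also reports which process made each IPv4/IPv6 connect(). The kernel-side filter syntax is standard ftrace; TRACE_DIR, the function names and the sample trace lines are assumptions.

```shell
# Added example, not from the video or the commenter. Assumes BusyBox-style
# sh/awk and the usual debugfs mount point (TRACE_DIR is an assumption).
TRACE_DIR=/sys/kernel/debug/tracing

# Mount debugfs if needed, enable the sys_enter_connect tracepoint and ask the
# kernel to keep only IPv4 (addrlen 16) / IPv6 (addrlen 28) connects.
# Needs root on the device; never executed by the offline check.
enable_connect_trace() {
    [ -e "$TRACE_DIR/trace" ] || mount -t debugfs none /sys/kernel/debug
    echo 'addrlen == 16 || addrlen == 28' > "$TRACE_DIR/events/syscalls/sys_enter_connect/filter"
    echo 1 > "$TRACE_DIR/events/syscalls/sys_enter_connect/enable"
    echo > "$TRACE_DIR/trace"   # discard anything buffered before we started
}

# Read trace lines on stdin and print "comm pid family" for each connect().
# A trace line looks like:
#   <comm>-<pid>  [cpu] flags  timestamp: sys_connect(fd: 3, uservaddr: 7ffd0a2c, addrlen: 10)
# addrlen is hex without 0x: 10 = sockaddr_in, 1c = sockaddr_in6; anything
# else (6e = AF_UNIX sockaddr_un, for example) is skipped.
parse_connects() {
    awk '
    /sys_connect\(/ {
        if (match($0, /addrlen: [0-9a-f]+\)/) == 0) next
        len = substr($0, RSTART + 9, RLENGTH - 10)
        if (len == "10") fam = "IPv4"; else if (len == "1c") fam = "IPv6"; else next
        # $1 is "<comm>-<pid>"; comm may itself contain "-", so take the pid from the end
        n = split($1, part, "-"); pid = part[n]
        comm = substr($1, 1, length($1) - length(pid) - 1)
        print comm, pid, fam
    }'
}

# Live use on the device: capture for N seconds (default 10), then map each
# pid to the binary it is running so the cloud client can be identified.
report_live() {
    enable_connect_trace
    sleep "${1:-10}"
    parse_connects < "$TRACE_DIR/trace" | sort -u | while read -r comm pid fam; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "exited")
        printf '%s (pid %s) %s -> %s\n' "$comm" "$pid" "$fam" "$exe"
    done
}

# Constructed sample trace output, used only for the offline check.
SAMPLE_TRACE='     cloud_app-1234  [000] ....  1234.567890: sys_connect(fd: 3, uservaddr: 7ffd0a2c, addrlen: 10)
          ntpd-88  [000] ....  1234.567900: sys_connect(fd: 4, uservaddr: 7ffd0b00, addrlen: 1c)
      tp-cloud-77  [001] ....  1234.568000: sys_connect(fd: 5, uservaddr: 7ffd0c00, addrlen: 10)
   dbus-daemon-42  [000] ....  1234.568100: sys_connect(fd: 6, uservaddr: 7ffd0d00, addrlen: 6e)'
```

On the device, `report_live 30` while the camera reconnects to its cloud is enough to see which binary owns the TLS session; offline, `printf '%s\n' "$SAMPLE_TRACE" | parse_connects` shows the parser on the constructed lines.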
Save it for parts is a great channel!
wow you are a very skilled guy, thanks to you I discovered the art of hardware exploiting
Best hard hack channel!
mount --bind 🤯
Excellent analysis. From your results, can you comment if video/audio is being exfiltrated to servers in China ? Can we trust these cameras ?
Love SaveItForParts!
You could have used frida to trace cloud executable and bypassed SSL pinning ?
Firstly, I love your content. I come from a purely software side but want to get into hardware/embedded development. Your videos make me want to break down some of the devices I own.
Secondly, this is very cool stuff, but to do any sort of hacking, this doesn't seem very feasible. I'd assume the https requests could pass along secrets or keys, you know... the important parts that maybe you can use to make your own requests, but things like oauth tokens which retain sessions don't buy as much, unless you can reuse those on other devices. MITM done this way maybe gets you a small window into what the device is doing, but can never be replicated in the wild due to how temporarily the cert lives.
I assume though your point with this video is to show how can you find information and where to get started if there are any true vulnerabilities which can be executed in the wild. Cool stuff though.
Could you just down and up the wireless interface to force the certificate reload?
Thank you for sharing, I'll check him out. I'll also share then... Laurie Wired.
you are loved.
Matt could you do a video on how to put libre boot on a T520 laptop
is the 'mount bind' a technique used on iOS tethered jailbreaking method?
Late to the party, but lsof could probably have shown you what cert the process was using and save the trouble of replacing all the CA certs:
"google time" but it's in real duckduck time :P
nice work.
I had problems adding a camera to the app. The camera would be added and then disappear in a few seconds and no one could reproduce the problem. It took about a month of arguing with the local dealership and two weeks worth of discussions directly with the Chinese team at the worst time of COVID to figure out that the problem was in my password containing a double quote character (").
I extracted the bin file from the Prolink H500NK from its SPI flash ROM for fun. It contains 2 files after binwalk -e; the first file is named 8020.7z. When I go to extract it with 7zip it says the file has been compressed with lzma and the method is LZMA:23. I tried to extract the file with xz and lzma, 7z, tried all those but it didn't help. So any suggestions or help? 😁😁😁
💖💖💖💖
More like this
It's sad to see that TP-Link is back to its old habits.
Constantly hitting a list of NTP servers of other people racking up hundreds of megabytes of traffic each month, abusing it as a network test, they did the same Sh! in 2018 with a bunch of NIST servers.
Looks like NTP is on the chopping block again. Don't tell NIST. 🙄
Please make a video showing how to mount an image (forensic copy of the Android device) with hardware key enabled, if possible using QEMU (Hardcore challenge, but I believe you can do it)
Glowie asking others to do their job:
@robertosutrisno8604 LMAO
@robertosutrisno8604 no kidding
Hi, my name is Werner Brandes. My voice is my passport. Verify me.
Sorry to state the obvious, but if it's hackable how can you stop it without throwing away the cameras?
try to edit your videos to reduce clutter and save viewers time