Yaya I know! :D It's SWD not JTAG
"Doesn't even support X86 64-Bit..." hmm wat? xD
How are you feeling about the GHIDRA release 2 months from now? It's apparently better than IDA.
@@insidiousx6506 He means x86_64 which is often shortened to x64, so that's why there may be confusion
Also you kind of got your two audio clips too close to one another at 7:47
Mr @LiveOverflow Are you gaay ?
One and only channel on TH-cam that uploads real hacking videos 😊
@Batch Drav yeah I agree buddy 😀
@Batch Drav Sounds like you have some good recommendations, any other cool channels in the other categories you mentioned that I should also check out? :)
Batch Drav thx, I'll check them out 😊
3 videos this week, we are honoured! Keep up the great work LiveOverflow :)
Jamown his real name is Michael Stevens
I really appreciate the fact that you are doing this for free. It has helped me a lot when I was learning how to understand software. Thank You :)
I'm a student that just got into embedded programming with STM32 less than a year ago and I LOVE THESE VIDEOS. They're very insightful and you make them such that they make anyone watching them curious to learn more. Thank you for making these, keep up the awesome work ♥️♥️
I have zero idea what's going on in any of these videos, and have no plans to ever learn anything related to them.
Yet, I watch them all...the whole videos...and love them. What's wrong with me?
Nothing! But it shows me that my videos can be entertaining regardless :3
what I most love about this series is the intro animation
1:21 Some who may not know may be interested in why f00dbabe appears as beba0df0 in memory. This is called "endianness." When read from memory into a register, it will be read as f00dbabe. Each byte, like f0 or be, is read straightforwardly, but the order of the bytes is written into memory backward. Hence: beba0df0. Endianness is an important concept in RE.
I like your videos because we get to see a different perspective of the arm architecture beyond basic coding.
Why is ur voice so calming, I was doing some Italian homework and listening to the video, i do it all the time, doing some homework and listening to ur videos, nice stuff ;)
I really love this kind of videos because I'm interested in this topic, but I'd never be patient enough to waste my time dealing with hardware.
I love software though
Can't be clickbait if they don't understand the title. ¯\_(ツ)_/¯
as long as you understand the video it's fine!
@@LiveOverflow Ahaha, thanks! Great content once again. :)
I'm about to dive into ARM (was sitting with AVR for a long time). Thank you for explaining how some stuff is managed after the compiler does its job! Probably I won't need that information, but it's nice to know.
IDA should sponsor you, bro. You made me want to buy a licence for myself
Absolutely amazing, bro! Thanks for sharing.
Believe me, you're great at hacking electronics. I'm an electronics engineer but don't know most of the stuff you did.
I both love and h8 the fact that this is spanned over multiple videos. It allows me to appreciate and understand your videos but I hate the w8!
I wish I knew magic to create videos too!!!!
Just rewatching this video and thinking about IDA, now I can't help but think if the NSA knew about log4j when they released Ghidra.
Whoa, just in time!
I dumped my Segway kickscooter (F103 CPU) firmware using a fake update, which read it all from inside out. More skilled guys assembled it back together, as the first 1 KB was smashed by the dumper. Now I understand that it was just a table and how it can be recovered.
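The two technical points raised in this thread, the endianness comment above (why f00dbabe sits in flash as the bytes be ba 0d f0) and the observation that the first kilobyte of a Cortex-M image is "just a table", can be shown together in a few lines. The following Python is an added example written for this page; it is not code from the video or from Ledger. The image it parses is constructed inline, and the flash base and stack-top values are assumptions chosen to look like an STM32F1 layout (0x08000000 is the STM32F1 flash base; the handler offsets are made up).

```python
import struct

# Assumed layout for this demo: STM32F1-style flash base and a constructed
# stack top. Real images must be checked against the part's datasheet.
FLASH_BASE = 0x08000000
FLASH_SIZE = 128 * 1024
SRAM_TOP = 0x20005000
MAGIC = 0xF00DBABE          # the value the video shows being compared


def build_sample_image():
    """Build a constructed little-endian image: a Cortex-M style vector
    table (initial MSP, reset handler, then two exception handlers) followed
    by the magic word at offset 16."""
    vectors = [
        SRAM_TOP,             # word 0: initial main stack pointer
        FLASH_BASE + 0x1C9,   # word 1: reset handler, odd address => Thumb
        FLASH_BASE + 0x1D1,   # word 2: NMI handler (constructed)
        FLASH_BASE + 0x1D3,   # word 3: HardFault handler (constructed)
    ]
    table = b"".join(struct.pack("<I", v) for v in vectors)
    return table + struct.pack("<I", MAGIC)


def magic_bytes_in_memory(value):
    """Hex of the bytes a little-endian core writes for a 32-bit value."""
    return struct.pack("<I", value).hex()     # 0xF00DBABE -> 'beba0df0'


def read_word(image, offset, big_endian=False):
    """Read one 32-bit word the way the core (or a confused human) would."""
    fmt = ">I" if big_endian else "<I"
    return struct.unpack_from(fmt, image, offset)[0]


def parse_vector_table(image, nvec=4):
    """Decode the first nvec entries of a Cortex-M vector table."""
    entries = [read_word(image, 4 * i) for i in range(nvec)]
    reset = entries[1]
    return {
        "initial_sp": entries[0],
        "reset_handler": reset & 0xFFFFFFFE,   # clear Thumb bit
        "thumb": bool(reset & 1),
        "handlers": [e & 0xFFFFFFFE for e in entries[2:]],
    }


def vector_table_plausible(info):
    """Sanity checks a reverser applies to a recovered table: the reset
    vector must be a Thumb address inside flash and the stack must be
    word aligned. Useful when the first kilobyte of a dump is damaged."""
    reset_in_flash = FLASH_BASE <= info["reset_handler"] < FLASH_BASE + FLASH_SIZE
    return info["thumb"] and reset_in_flash and info["initial_sp"] % 4 == 0


def check_magic(image, offset):
    """Compare the word at offset with MAGIC, as the bootloader check does."""
    return read_word(image, offset) == MAGIC


if __name__ == "__main__":
    img = build_sample_image()
    print("magic as stored:", magic_bytes_in_memory(MAGIC))
    print("same bytes read big-endian: 0x%08x" % read_word(img, 16, True))
    print("vector table:", parse_vector_table(img))
    print("plausible:", vector_table_plausible(parse_vector_table(img)))
```

Running it shows the magic word stored as beba0df0 while `read_word` returns 0xf00dbabe, and the reset entry decoding to 0x080001c8 with the Thumb bit set, which is the shape a recovered STM32 table should have.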
You are a god for me, pls keep going!
@LiveOverFlow PLEASE MAKE A SERIES ON THE HACKERONE CTF! I'm stuck on a few levels and I've been going through all your videos for the 100th time trying to get some ideas. I think it's best if you just take a look at these CTFs!
never clicked on a video so fast without even reading the thumbnail or the title xd
Thank you very much!
Very nice video, and thanks for sharing this. Also, do you happen to know how I can load the aarch64? I have downloaded the packages from GitHub and there aren't any explanations on how to post IDA to look into it, because every time I try to patch and assemble it returns "Sorry, this processor module doesn't support the assembler." Any help on that would be greatly appreciated. Thank you.
Bro, we need advanced C tutorials. Something like what to do after you studied pointers, strings, structs. Maybe some libraries?
On most of the secure systems JTAG is locked. I would like to see how you unlock a JTAG if it is locked in the firmware :-)
Decap the chip, cover the flash memory and erase the fuses using a UV lamp. Easy peasy lemon squeezy. JK, this is much easier said than done. You could also try glitching it as they did with the Switch's processor, bypassing the fuse checking. Also easier said than done.
@@GRBtutorials On secure devices, fuses are generally OTP, physically destroyed transistors, not flash with secure bits.
@@Spirit532 Well, yeah, now that I looked for it, it seems like STM32s have OTP memory (also known as PROM, programmable ROM, usually made out of antifuses) for JTAG lockout, so that leaves us with just three options: glitching, finding some kind of vulnerability in the fuse check, or some kind of extremely complex physical attack. The only scenario in which glitching or vulnerabilities in the fuse checking would be impossible to find would be if there was no fuse checking at all. If we were making a secure MCU with paranoid security, we could put JTAG (or other debug interface) handling code in OTP memory, and when locking it out, blow all the antifuses. Then the JTAG handling code would get converted to zeros or ones (which we could define as the opcode for NOP).
For the STM32F0 sub-series, some known vulnerabilities exist: www.aisec.fraunhofer.de/en/FirmwareProtection.html
@@GRBtutorials The only best solution is glitching. I would love to see someone sharing a video on Glitching ;) it's a very sensitive topic to discuss in public :)
I'm wondering what USB hub you used, and would you recommend it?
Thanks!
In STM32 MCUs, the firmware developer can lock the firmware and will prevent others from accessing it with serial wire debug (SWD), or JTAG. I wonder why the firmware inside the Ledger wasn't locked and kept open?
You mean ReadOutProtection? I got the same question here, because most of the devices that I checked have 'ReadOutProtection' enabled.
Nice video! Is it possible to change the BNE to a normal branch (or a JMP) to bypass the f00dbabe check, reupload to the chip, and then load custom firmware onto it?
Yes, but what's the point in doing that if you have physical access to the device? Might as well just load the custom firmware via JTAG from the beginning.
@@GRBtutorials yeah, that's a fair point. I'm guessing you'd have to manufacture a f00dbabe firmware and then fake a loading page with APLU commands for it, right? That's the only way I can think of without JTAG access
QuickishFM yeah, but loading via APLU checks that the signature of the new firmware is done with the correct private key (hopefully securely stored by the developers). If I understand it correctly.
@@d3line Oh I see, makes more sense then
You need to make a collab with GreatScott
I love GreatScott's channel. He makes things, and these guys hack into them.
I don't think that they'll get along well lol
how would we know who is talking? :P
Thanks a lot, man, this is very interesting
Is it possible to get the dumped firmware?
Best videos, well explained, and as for the dislikers, they're haters
Anyone have a suggestion to a free alternative to IDA for ARM reversing?
oh hey me from the past... turns out you found Ghidra and now rock at it ;)
Who else doesn't understand anything at all... Yet learns something....
Cool stuff
The ledger is just a huge CTF...
I understood absolutely nothing, but okay.
me too, but it looks pretty cool, doesn't it? XD
why use IDA 6.6 when IDA 7.0 is free?
Does that have ARM? I don't even know. But I own 6.6 so I used that
@@LiveOverflow sorry i thought it did, i just checked and found that IDA freeware version supports only 16 architectures and ARM is not one of them.
RE > all
Resident Evil??? :D sure
@@TheVektast :Ffff
@@TheVektast ^^
Jese... one tease after another... :)
Nice
f00dbabe? what a strange name
Not really. They are often combinations of f00d, babe, cafe, b00b, c0de - basically anything that is representable in hex in 4 characters to combine it to a full 8-character/32b value. Java uses cafebabe as the first 4 bytes of .class files (cf. Java's logo). And there was this little story not too long ago: mjg59.dreamwidth.org/14955.html
you have to be careful with all these zeros, there are rumors that some people have broken their tongue for this reason 😜😜😜
IDA can't find the entry point because it's a raw binary! But how the f*ck does the processor know where to start executing the program?
First like