Hacking The Mojo C-75 - Root Shell via Firmware Modification

  • Published 27 Sep 2024
  • The Mojo C-75 is a professional-grade Wi-Fi router. In this video we modify the firmware image dumped from its flash chip, replacing the root password hash in /etc/shadow with the hash of a password we know, write the modified image back to the chip, reattach the chip to the PCB, and log in to a root shell.
    mkfs.jffs2 man page:
    man.archlinux....
    XGecu Software Mirror:
    github.com/Kre...
    XGecu Wine USB Driver DLL:
    github.com/rad...
    IoT Hackers Hangout Community Discord Invite:
    / discord
    🛠️ Stuff I Use 🛠️
    🪛 Tools:
    XGecu Universal Programmer: amzn.to/4dIhNWy
    Multimeter: amzn.to/4b9cUUG
    Power Supply: amzn.to/3QBNSpb
    Oscilloscope: amzn.to/3UzoAZM
    Logic Analyzer: amzn.to/4a9IfFu
    USB UART Adapter: amzn.to/4dSbmjB
    iFixit Toolkit: amzn.to/44tTjMB
    🫠 Soldering & Hot Air Rework Tools:
    Soldering Station: amzn.to/4dygJEv
    Microsoldering Pencil: amzn.to/4dxPHwY
    Microsoldering Tips: amzn.to/3QyKhrT
    Rework Station: amzn.to/3JOPV5x
    Air Extraction: amzn.to/3QB28yx
    🔬 Microscope Setup:
    Microscope: amzn.to/4abMMao
    Microscope 0.7X Lens: amzn.to/3wrV1S8
    Microscope LED Ring Light: amzn.to/4btqiTm
    Microscope Camera: amzn.to/3QXSXsb
    About Me:
    My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is where I share my knowledge and experience finding vulnerabilities in IoT systems.
    - Soli Deo Gloria
    💻 Social:
    twitter: / nmatt0
    linkedin: / mattbrwn
    github: github.com/nma...
    #hacking #iot #cybersecurity #righttorepair #jailbreak
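The shadow edit and repack described above, written out as an added example in POSIX shell (this is not the video's own script). It assumes the root filesystem has already been extracted from the flash dump into a directory, that mkfs.jffs2 (mtd-utils) and openssl are on the host, and that the flash erase block size and the target CPU's endianness are known: ERASE_BLOCK and ENDIAN_FLAG below are placeholders, since mkfs.jffs2 otherwise uses the host's erase-block default and endianness (the -b/-l options in its man page). The hash is generated in MD5-crypt form ($1$...) because that is the scheme the dump's root entry uses.

```shell
#!/bin/sh
# Added example, not the video's own script: swap root's hash in the extracted
# rootfs and rebuild the JFFS2 image. ROOTFS_DIR, OUT_IMAGE, ERASE_BLOCK and
# ENDIAN_FLAG are assumptions; take the real erase block size from the flash
# chip's datasheet and the endianness from the target CPU.
set -eu

# set_root_hash SHADOW_FILE NEW_HASH
# Print SHADOW_FILE with field 2 (the password hash) of every "root" entry
# replaced by NEW_HASH. Other fields and other users pass through untouched.
set_root_hash() {
    awk -F: -v hash="$2" 'BEGIN { OFS = ":" } $1 == "root" { $2 = hash } { print }' "$1"
}

# shadow_is_well_formed SHADOW_FILE
# Succeed only if every line has the 9 colon-separated fields login expects.
# A stray ':' in a pasted hash would lock root out rather than in.
shadow_is_well_formed() {
    awk -F: 'NF != 9 { bad = 1 } END { exit bad + 0 }' "$1"
}

# md5crypt_hash PASSWORD SALT -> "$1$SALT$..." (same scheme as the dump's "root:$1")
md5crypt_hash() {
    openssl passwd -1 -salt "$2" "$1"
}

# repack_rootfs ROOTFS_DIR OUT_IMAGE PASSWORD
repack_rootfs() {
    rootfs=$1 out=$2 password=$3
    shadow="$rootfs/etc/shadow"
    erase=${ERASE_BLOCK:-64KiB}                                   # assumption
    endian=${ENDIAN_FLAG:?set to --big-endian or --little-endian for the target CPU}

    salt=$(tr -dc 'A-Za-z0-9./' < /dev/urandom | head -c 8)
    hash=$(md5crypt_hash "$password" "$salt")

    tmp=$(mktemp)
    set_root_hash "$shadow" "$hash" > "$tmp"
    shadow_is_well_formed "$tmp"
    cat "$tmp" > "$shadow"       # cat, not mv: keeps shadow's owner and mode
    rm -f "$tmp"

    # JFFS2 compresses file data, so the new hash will not show up under
    # strings(1) on the finished image; verify it in the directory tree.
    grep -qF "root:$hash:" "$shadow"

    mkfs.jffs2 --root="$rootfs" --output="$out" \
        --eraseblock="$erase" "$endian" --pad
    printf 'wrote %s (%s bytes)\n' "$out" "$(wc -c < "$out")"
}

# Usage: ENDIAN_FLAG=--big-endian ERASE_BLOCK=64KiB \
#        ./repack.sh ./rootfs rootfs-new.jffs2 'new-password'
if [ $# -eq 3 ]; then
    repack_rootfs "$1" "$2" "$3"
fi
```

If the rootfs partition must keep its exact original length, use --pad=SIZE with the partition size taken from the dump instead of bare --pad, and check that the new image is no larger than the partition before programming it.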

Comments • 93

  • @Lifeless11111 4 months ago +43

    One piece of advice I have for you when soldering: lower your soldering temperature, it's way too high, that's why you knock off that resistor so easily. You also run the risk of just taking off pads at that temperature. I usually keep my soldering station at around 300C for these small-thermal-mass jobs. Great video btw

  • @marcosscriven 4 months ago +19

    I absolutely love that you didn't edit out the agonising wait on booting up to confirm it worked. Great videos as always. Thanks.

    • @mattbrwn 4 months ago +5

      haha yeah that wait always seems to take forever!

    • @neilblunden1266 4 months ago +1

      those are the times when i start deep cleaning my keyboard , otherwise it never gets done.

  • @NyahStuff 4 months ago +11

    A bit of advice when soldering those types of chips with more than 6 pins:
    I've found it easiest to do when there isn't any solder applied to the pads beforehand - what I do is put a blob of flux in the middle to just hold the chip in place and then carefully go around and manually apply solder to each pin with the soldering iron once the chip is aligned. Maybe also look into getting a pointier tip for the soldering iron for that.
    Cheers for the great content!

    • @bertblankenstein3738 4 months ago +3

      One of the benefits by soldering the chip by iron is that it doesn't get another cycle of hot air baking.

  • @micahrunyon2743 4 months ago +10

    So many things to say.
    1. Love the videos. It's refreshing to have an old-YouTube-style walkthrough including and explaining mistakes.
    2. I appreciate you reading and using comment suggestions like zooming in on the command line.

  • @bertblankenstein3738 4 months ago +6

    This was a great vid. The soldering is doable, the firmware mod is doable too. The important bits are explained well. And bonus points for using Vim. Thank you.

  • @roguesecurity 4 months ago

    Really loved the section where you covered how improper soldering led to the flash chip not being recognized. When working with hardware modifications there are truly many potential points of failure, such as chips not being soldered correctly, components getting damaged from overheating during the soldering/desoldering process, firmware corruption, other components on the PCB getting dislodged, etc. This type of work undoubtedly demands a tremendous amount of hard work and patience. Great work, Matt, and thank you for sharing this. I really enjoy your videos.

  • @Garock2 2 months ago

    Congratz. This video opened my mind for these kind of modifications xD keep up the good work

  • @j_r_- 4 months ago +1

    Loving the hacking series. we can re-use/re-purpose old devices

  • @elektroschmaus 4 months ago

    I love your style of presentation and the information with/of all the failed attempts. Very instructive and easy to follow. Learned a lot over time from your videos. Thanks for sharing. I'm already looking forward to the continuation :)

  • @hugocusson6496 1 month ago

    A little soldering advice: lower your heat, and avoid touching the iron with the solder directly. Touch one end of the pad with the iron and the other with the solder. Perfect shiny pads every time.

  • @TechieGanesh 4 months ago +2

    Hey matt, just wanna say I absolutely love your videos!

  • @inq752 4 months ago

    one of the best channels. keep pumping out the content in same format

  • @samhorowitz7593 4 months ago

    Digging your videos Matt!! Thanks for taking the time to make them!

  • @Alfred-Neuman 4 months ago +2

    Now, let's try to find where they installed the backdoor on this system! ;D

  • @jake7112 4 months ago

    Great content, love your stuff man. Keep it up! Looking forward to seeing that traffic you mentioned

  • @tangerinq 4 months ago

    Nice video. As to XGecu issues, I'm also using an XGecu programmer (TL866II Plus) but I've never experienced any of these. Possibly because I don't use flux when removing the chip, so chip legs don't get covered in non-conductive thing. As to erase failing, never seen this before as well. I suspect this might be an artifact of running the software in wine.

  • @mikehensley78 4 months ago +1

    Awesome murderfication! :)

  • @Rilch 4 months ago

    This stuff is really interesting! Thanks for another cool video! Look forward to the next one one this device :D

  • @Saturate0806 4 months ago

    damn, I'm impressed over the upload rate

  • @DataToTheZero 4 months ago +1

    Excited for this one!

    • @mikehensley78 4 months ago +1

      hell yeah!

  • @foobar9761 4 months ago

    Very interesting stuff, do please continue!

  • @ThanassisTsiodras 4 months ago

    Nice work, Matt! Looking fwd to what you'll do now that you are root :-)

  • @Lachlan.Wright 4 months ago

    incredible. Love this stuff man!

  • @deniz-akkaya-x 4 months ago +2

    This is very nice work. One question though... none of the firmware or the password file is verified with a checksum or some sort of signature by another chip. That's a little bit interesting. You said you have done this for the first time, but is this a common implementation?
    One more time, great job!

    • @mattbrwn 4 months ago

      Yes some embedded systems will use secure boot to verify the kernel, filesystems, etc. but in practice you don't see it implemented much on consumer IoT devices.

  • @richardj163 4 months ago

    Awesome video, thank you once again :)

  • @AnthonyZenrick 4 months ago +1

    I'd have binary edited the flash image directly. The salted hash is the same length, so it's a drop-in replacement. The image is unencrypted and uncompressed, and the filesystem image within it is unencrypted and uncompressed. No change in file size, and a bunch of recombination steps get skipped.

    • @mattbrwn 4 months ago

      This is a good idea, however:
      "the filesystem image within it, is ... uncompressed"
      This is not true.
      > strings u8fw.bin | grep 'root:$1' | wc -l
      0

  • @Th3V01d73 4 months ago

    Really cool video. Love your content :)

  • @zisumevoli96 4 months ago +1

    I've seen a similar behavior when writing custom bootloader code where it fails to respond in time to the erase command, or responds with failure, although the erase was successful

  • @DawidKellerman 3 months ago

    Earned you a subscribe! ;)

  • @memejeff 4 months ago

    Great video

  • @thomapple 4 months ago

    Isn't it way easier to resolder the chip with the soldering iron instead of hot air? I always do it this way

  • @HandFromCoffin 4 months ago +1

    I wish I was smart like this..

  • @AlfaOxTrot. 4 months ago

    You will become viral

  • @AymanAlhkeemi 3 months ago

    Hello friends, does anyone know how I can repack the firmware and bypass the CRC signatures?

  • @RobertGallop 4 months ago +1

    Are you going to follow up with a way to root without hardware mods? Is there any setuid, or something that a stock box could be rooted with? Not sure if there is anything, but maybe? Or are you closing this series out?

    • @mattbrwn 4 months ago

      not closing the series out, but haven't found a way to root without firmware mod yet.

    • @RobertGallop 4 months ago

      Good luck sir, your skills are awesome to observe, if there is one you’ll get it! And I look forward to learning what you find!

  • @chaman469 4 months ago

    I've just discovered your channel and... wow! Now I'm looking for any device in my home where I can try to hack 😅 My concern is that I've heard that some chips may have some safety erase function in case of unauthorized access 😢 Have you ever encountered this?

    • @mattbrwn 4 months ago

      Never encountered this. Just go for it. Make sure it's a device you are ok bricking!

  • @mikehensley78 4 months ago

    Whats up, everybody!?!

  • @Gritaremos 4 months ago

    this is awesome stuff! How would have you dealt with it if the microchips had the "erase if read" bit set and the name/logo had been scratched off the surface? This is what I usually see when manufacturers want to add protection to these products.

    • @mattbrwn 4 months ago +4

      "erase if read"
      I've never seen something like this before on a discrete flash chip. You might be thinking of the internal flash on a microcontroller?
      Think about it: How would the CPU ever read flash data if it erased itself on a read operation?

    • @Gritaremos 4 months ago

      @@mattbrwn Great point! I guess I was thinking of a microcontroller. I am assuming at that point it may be easier to find the flash chip and attack it instead?

  • @Electrically-Electronic 4 months ago

    Great

  • @nagytormas 1 month ago

    Good job! Do yourself a favor and buy a "SOP 16 clip"

  • @PrimalNaCl 4 months ago

    It would have been much easier to mount your copy of the image file with the loop device, alter the shadow file, and unmount it. No having to dork around with trying to repackage the exploded contents.

    • @Spudz76 4 months ago

      Not without using mtdram or nandsim both of which also need to be told how to act like the real flash chip (aka still have to know the right eraseblock size and all)

    • @PrimalNaCl 4 months ago

      @@Spudz76 mtdram or block2mtd; nandsim is a brutal pita to get right. Regardless, outside of nandsim, it's a faster/easier iterative process (even in a pure brute-force scenario) than repackaging the exploded fs, writing to actual nand, resoldering to the board, and holding one's breath during the boot process. :)
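The mtdram route PrimalNaCl and Spudz76 are discussing, as an added example that neither of them posted: the image is loaded into a RAM-backed MTD device declared with the same erase block size as the real chip, mounted read-write through mtdblock, edited, and read back out, so no mkfs.jffs2 repack is needed. ERASE_KIB (erase block size in KiB), the paths and the hash are assumptions. It needs root, the mtdram, mtdblock and jffs2 modules, and a host JFFS2 driver built for the target's endianness: the kernel driver is compiled for one endianness (native by default), and an image of the other scans as having no valid nodes and will not mount.

```shell
#!/bin/sh
# Added example, not from the video or the comment thread: edit /etc/shadow
# inside a JFFS2 image in place by backing it with mtdram instead of
# repacking with mkfs.jffs2. ERASE_KIB is an assumption; read the real erase
# block size from the flash chip's datasheet. Needs root and a host kernel
# with the mtdram, mtdblock and jffs2 modules.
set -eu

# image_kib BYTES ERASE_KIB -> size in KiB rounded up to whole erase blocks,
# so the RAM "chip" has the same geometry as the real one.
image_kib() {
    bytes=$1 erase_kib=$2
    echo $(( (bytes + erase_kib * 1024 - 1) / (erase_kib * 1024) * erase_kib ))
}

# mtdram_params BYTES ERASE_KIB -> the modprobe arguments for mtdram
# (both module parameters are in KiB)
mtdram_params() {
    echo "total_size=$(image_kib "$1" "$2") erase_size=$2"
}

# mtdram_index -> MTD number of the mtdram device, looked up in /proc/mtd
# by the name the module registers ("mtdram test device")
mtdram_index() {
    awk -F'[: ]' '/mtdram test device/ { sub("mtd", "", $1); print $1; exit }' /proc/mtd
}

# edit_in_place IMAGE OUT_IMAGE NEW_HASH ERASE_KIB
edit_in_place() {
    image=$1 out=$2 hash=$3 erase_kib=$4
    bytes=$(wc -c < "$image")
    kib=$(image_kib "$bytes" "$erase_kib")

    # shellcheck disable=SC2046  (word splitting of the two params is intended)
    modprobe mtdram $(mtdram_params "$bytes" "$erase_kib")
    modprobe mtdblock
    dev=/dev/mtdblock$(mtdram_index)

    dd if="$image" of="$dev" bs=1k status=none
    mnt=$(mktemp -d)
    mount -t jffs2 "$dev" "$mnt"

    # same edit as the repack route, but on the live filesystem
    tmp=$(mktemp)
    awk -F: -v h="$hash" 'BEGIN { OFS = ":" } $1 == "root" { $2 = h } { print }' \
        "$mnt/etc/shadow" > "$tmp"
    cat "$tmp" > "$mnt/etc/shadow"
    rm -f "$tmp"

    umount "$mnt"
    rmdir "$mnt"
    # Read the whole simulated chip back. JFFS2 may have rewritten nodes while
    # mounted, so the result is compared with the original by size, not bytes.
    dd if="$dev" of="$out" bs=1k count="$kib" status=none
    rmmod mtdblock mtdram
}

# Usage: ./edit-in-place.sh rootfs.jffs2 rootfs-new.jffs2 '$1$salt$hash' 64
if [ $# -eq 4 ]; then
    edit_in_place "$1" "$2" "$3" "$4"
fi
```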

  • @CandyGramForMongo_ 3 months ago

    Why not just edit the disk image directly with the hash? Skip all the mkfs stuff.

  • @avri210984 4 months ago

    You could have just changed the config user shell and you could gain root that way without overwriting the root user password

    • @xrafter 4 months ago

      If config isn't able to run sh then that won't work. However it seems all of that is provided by busybox. So I would assume you can't change the permissions of one command without affecting the entire suite.

    • @xrafter 4 months ago

      Also the config user has a UID 0 shared with another 2. I didn't know this was possible. Anyway, UID 0 means he should be able to run sh.

    • @mattbrwn 4 months ago +1

      I could have just changed X and gained root, where X is an infinite set of firmware modifications.
      ;)

  • @xrafter 4 months ago

    Does it default to little endian or your native system's endianness?
    Either way, it is good to have the -b to make it reproducible.

    • @mattbrwn 4 months ago +1

      you might be right. might be the native system's endianness.

    • @Spudz76 4 months ago +2

      "File systems are created with the same endianness as the host, unless the -b or -l options are specified." from the manpage

  • @garyl6031 4 months ago

    firmware murderfication ... priceless.

  • @al73r 4 months ago

    sent you a msg on linkedin :-)

  • @Chris-kx5lp 4 months ago

    This was great

  • @MichaelLindsey 4 months ago

    Informative and entertaining, and I would give ya a B on the solder job. LOL. I like the comment from @lifeless11111 too, however the heat isn't as much of an issue as the tip size when working with surface mount parts.

  • @DrXJ 4 months ago +11

    Some people just go through products because they have money.. others go through them like.. "hey, let's go meet your makers and find out what they didn't tell you... you could do." 😂

  • @dieSpinnt 3 months ago +1

    Just some technicalities and nothing of importance, Matt: "... now that the solder turned COLD ...".
    Hehehehee. Don't talk that way if professionals are in the room. I may be wrong, because I am German, but I sense that "cold" in conjunction with solder joints also means a VERY BAD THING in English: unstable, weak and bad connections (romantics ... the old days ... with LEAD ... were so much better! Just joking. You could see cold solder joints more easily with that poison as part of the solder alloy). May I suggest: "... until it turns SOLID"? Which is actually what it does, changing its state of matter and forming a mechanically and electrically reliable connection. Well, until you move or shake the joint while the solder is cooling down, which may result in that so-called "cold solder joint". A reason for headaches and failures, I mean unrepeatable sporadic failures, in the future.
    I'm sorry if I got too emotional when talking about our (my?) NEMESIS as e-engineers and service personnel, etc. Hehehehe :)

  • @pablopoo 4 months ago +4

    Tried to imagine when a developer/contributor committed the “cowardly” message to the upstream code as a joke, and that message is still there to these days. 😁😂

    • @mattbrwn 4 months ago +6

      github.com/torvalds/linux/blob/eb6a9339efeb6f3d2b5c86fdf2382cdc293eca2c/fs/jffs2/scan.c#L266

    • @Rilch 4 months ago

      @@mattbrwn 12 years ago x D

    • @Spudz76 4 months ago +1

      "Cowardly refusing" is widespread, such as if you try to tell tar to make an empty archive. Basically the oldest meme in the UNIXsphere.

  • @kockry 4 months ago

    Disassemble hikvision camera to hack firmware

  • @ColinMcCormack 1 month ago

    Alternatively, you could overwrite the UID to 0 for config's entry in /etc/passwd - then the config user has uid 0, root!

    • @ColinMcCormack 1 month ago

      Oh. I'm wrong - I should have watched to the end. So change shell cmd to bash in passwd

  • @NikiBretschneider 4 months ago

    After seeing this I am happy I bought the "older" version of that programmer, called the TL866-II, because there is minipro - the alternative control software for that programmer made by David Griffith, which is perfectly hassle-free... and it has a command line interface which is easy to integrate with other parts of a build chain like gmake. As far as I know there is also some experimental support for the newer programmer in the latest version, so maybe, just maybe, there is some way to adapt it to your device too... which, in fact, would be great. The original software is horrible.
    Is it possible to mount a jffs filesystem in rw mode through a loop device? Idk, but if it is possible, then it would be a much easier way to modify that firmware file. Some FSes cannot be mounted this way (e.g. iso9660) but sometimes, well, you are lucky enough :3.

    • @mattbrwn 4 months ago

      Yeah I saw that project for the TL866-II. Really want that for the T56

  • @robertkeyes258 4 months ago

    Couldn't you have avoided lots of erase block size and endianness by mounting the original firmware as a loopfs, modify /etc/passwd, and then unmount and unloop it?

    • @Spudz76 4 months ago

      Not without using mtdram or nandsim both of which also need to be told how to act like the real flash chip (aka still have to know the right eraseblock size and all)

  • @georgzimmer4627 4 months ago

    Awesome!

  • @xrafter 4 months ago

    Didn't know mkfs could make a binary image from a "regular" directory. I thought they used dd or something for that.

  • @Hyp3rb34m 4 months ago

    Great Job! Looking forward to the next one to see what you found in the network traffic; as we used to do some crazy things specifically around spectrum jamming/etc

  • @RickDkkrd 4 months ago

    Good stuff, thanks for putting the whole process together

  • @al_lazy3519 4 months ago

    Great job on your work! My guess on the write fail at 25MHz is that the second socket for the smd adds too much capacitance to have a reliable communication.

    • @mattbrwn 4 months ago +1

      yeah that makes sense!

  • @seba123321 4 months ago

    nice! great tutorial.

  • @memejeff 4 months ago

    YEAHHH BABY, YEAH

  • @Reiner. 4 months ago

    nice