Hacking The Mojo C-75 - Root Shell via Firmware Modification

One advice i have for you when soldering , is lower your soldering temperature, its way too high , thats why u knock off that resistor so easily. Also you run the risk of just taking off pads at that temperature. I usually just have my soldering station at around 300c for this small thermal mass jobs. Great video btw

I absolutely love that you didn't edit out the agonising wait on booting up to confirm it worked. Great videos as always. Thanks.

This was a great vid. The soldering is doable, the firmware mod is doable too. The important bits are explained well. And bonus points for using Vim. Thank you.

So many things to say.
1. love the videos. it's refreshing to have a old youtube style walk through including and explaining mistakes.
2. I appreciate you reading and using comment suggestions like zooming in on the command line.

A bit of advice when soldering those types of chips with more than 6 pins:
I've found it easiest to do when there isn't any solder applied to the pads beforehand - what I do is I put a blob of flux in the middle to just hold the chip in place and then carefully go around and manually apply solder to each pin with the soldering iron once the chip is aligned. Maybe also loog into getting a pointier tip for the soldering iron for that.
Cheers for the great content!

Really loved the section where you covered improper soldering let to flash chip not being recorgnized. When working with hardware modifications, there are truly many potential points of failure - such as chips not being soldered correctly, components getting damaged from overheating during the soldering/desoldering process, firmware corruption, other PCB components on PCB getting dislodged etc etc. This type of work undoubtedly demands a tremendous amount of hardwork and patience. Great work, Matt, and thank you for sharing this. I really enjoy your videos.

one of the best channels. keep pumping out the content in same format

Some people are just going through products because they have money.. others go throug them like.. "hey, let's go meet your makers and find out what they didn't tell you... you could do." 😂

Loving the hacking series. we can re-use/re-purpose old devices

I love your style of presentation and the information with/of all the failed attempts. Very instructive and good to follow. Lerned a lot over the time with your videos. Thanks for sharing. I'm already looking forward to the continuation :)

Great Job! Looking forward to the next one to see what you found in the network traffic; as we used to do some crazy things specifically around spectrum jamming/etc

Hey matt, just wanna say I absolutely love your videos!

Digging your videos Matt!! Thanks for taking the time to make them!

Great content, love your stuff man. Keep it up! Looking forward to seeing that traffic you mentioned

incredible. Love this stuff man!

Really cool video. Love your content :)

This stuff is really interesting! Thanks for another cool video! Look forward to the next one one this device :D

Good stuff, thanks for putting the whole process together

Awesome murderfication! :)

Very interesting stuff, do please continue!

Now, let's try to find where they installed the backdoor on this system! ;D

Just some technicalities and nothing of importance, Matt: "... now, that the solder turned COLD ...".
Hehehehee. Don't talk that way if professionals are in the room. I may be wrong, because I am German, but I sense that "cold" in conjunction with solder-joints also means a VERY BAD THING in english: Unstable, weak and bad connections (romantics ... the old days ... with LEAD ... were so much better! Just joking. You could see cold solder joints easier with that poison as pat of the solder-alloy). May I suggest: "... until it turns SOLID"? Which is actually what it does, changing its state of aggregation and forming a mechanical and electrical, reliable connection. Well, until you move or shake the joint while the solder is cooling down, which may result in that so called "cold solder joint". A reason for headaches, failures, I mean unrepeatable sporadic failures, in the future.
I'm sorry if I got too emotional when I am talking about our(my?) NEMESIS as e-engineers and service personal, etc. Hehehehe:)

Excited for this one!

Awesome video, thank you once again :)

Nice video. As to XGecu issues, I'm also using an XGecu programmer (TL866II Plus) but I've never experienced any of these. Possibly because I don't use flux when removing the chip, so chip legs don't get covered in non-conductive thing. As to erase failing, never seen this before as well. I suspect this might be an artifact of running the software in wine.

damn, I'm impressed over the upload rate

Nice work, Matt! Looking fwd to what you'll do now that you are root :-)

Great video

Awesome!

nice! great good tutorial.

This is very nice work. One question though.. non of the firmware or password file is not verified with a check sum or some sort of signature with other chip. That’s a little bit interesting. You said you have done this first time but is this way a common implementation?
One more time, great job!

Great job on your work! My guess on the write fail at 25MHz is that the second socket for the smd adds too much capacitance to have a reliable communication.

YEAHHH BABY, YEAH

Tried to imagine when a developer/contributor committed the “cowardly” message to the upstream code as a joke, and that message is still there to these days. 😁😂

I've seen a similar behavior when writing custom bootloader code where it fails to respond in time to the erase command, or responds with failure, although the erase was successful

this is awesome stuff! How would have you dealt with it if the microchips had the "erase if read" bit set and the name/logo had been scratched off the surface? This is what I usually see when manufacturers want to add protection to these products.

I'd have binary edited the flash image directly. The salted hash is the same length, so it's a drop in replacement. The image is unencrypted and uncompressed, and the filesystem image within it, is unencrypted and uncompressed. No change in file size, and a bunch of recombination steps, get skipped.

Great

Isn't it way easier to resolder the chip with the soldering iron instead of hot air? I always do it this way

Are you going to follow up with a way to root without hardware mods? Is there any setuid, or something that a stock box could be rooted with? Not sure if there is anything, but maybe? Or are you closing this series out?

You will become viral

I wish I was smart like this..

Are able or going to do phones at some point? I'm probably asking too much, but my own research is leading to dead ends. I also want to modify a phone with a snapdragon one of these days. I have a J7 Prime (Metro) and the bootloader is locked. Essentially the settings for bootloader unlocking in developer options seems to be permanently disabled. The phone is made by samsung and it's a Galaxy J7 Prime (MetroPCS) model. Probably impossible for me, but I am aiming to have a cool lab too one day.

I've just discovered your channel and... whaou ! Now I'm looking for any device in my home where I can try to hack 😅 my concern is that I've heard that some chips may have some safety erase function in case of unauthorized access 😢 have you ever encountered this case ?

Does it default to little endian or your native system endian?
Either case it is good to have the -b to make it repudicable.

Didn't know mkfs could make a binary image from a "regular" directory. I thought they used dd or something for that.

Hello friends anyone know how i can repacking the firmware and bypass the crc signatures

After seeing this I am happy I've bought "older" version of that programmer called TL866-II, because there is minipro - the alternative control software for that programmer made by David Griffith, which is perfectly hassle free…and it has command line interface which is easy to integrate with other parts of build chain like gmake. As far as I know there is also some experimental support for newer programmer in the last version, so maybe, just maybe, there would be some way how to modify it to your device too…which, in fact, would be great. The original software is horrible.
Is it possible to mount jffs filesystem in rw mode through loop device? Idk, but if this is possible, then it would be much easier way how to modify that firmware file. Some FS cannot be mounted this way (e.g. iso9660) but sometimes, well, you are lucky enough :3.

Couldn't you have avoided lots of erase block size and endianness by mounting the original firmware as a loopfs, modify /etc/passwd, and then unmount and unloop it?

Whats up, everybody!?!

It would have been much easier to mount your copy of the image file with the loop device, alter the shadow file, and unmount it. No having to dork around with trying to repackage the exploded contents.

nice

Disassemble hikvision camera to hack firmware

You could have just changed the config user shell and you could gain root that way without overwriting the root user password

firmware murderfication ... priceless.

sent you a msg on linkedin :-)

Why not just he edit the disk image directly with the hash? Skip all the mkfs stuff.

This was great

informative, and entertaining, and I would give ya a B on the solder job. LOL, I like the comment also from @lifeless11111 however the heat isn't as much an issue is the tip size when work with surface mount parts.