Hacking the Arlo Q Security Camera: Bootloader Reverse Engineering

11,554 views

Matt Brown


1 day ago

In this video, we continue hacking on the Arlo Q security camera. Today we reverse engineer the extracted firmware to better understand how the bootloader security is implemented.
unsalted sha256 bootloader password hash:
dd62e7962d63044fd1b190091930939affb172e578bb941728bd4e4478250641
🛠️ Stuff I Use 🛠️
🪛 Tools:
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4aaCOGt
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#iot #hacking #bootloader #reverseengineering #firmware

COMMENTS: 52
@jakesec633 1 year ago
Hey Matt, loved the video as per usual. I’ve cracked the hash for the boot loader, the password is: ngpriv106
@fusseldieb 1 year ago
Wow, that was fast! How did you manage that?
@neb_setabed 1 year ago
Damn that was quick, nice job!
@Knolraab 1 year ago
I am interested to know too. Sharing is caring
@nerdy_dav 1 year ago
Nice. Looks fairly simple.. I'd imagine you had some GPU power to get done so quickly. While you likely wouldn't find this string in a rainbow table, the combination of 9 lowercase letters and 0-9 gives us 9^36 iterations to get through. Modern CPUs and GPUs could knock that around quickly. Few hours at most.
@mattbrwn 1 year ago
Absolute Legend!
@AlexKiraly 4 months ago
What a goldmine of a channel!
@hallisern 1 year ago
Great video Matt, amazing explanations. Very easy to follow and understand!
@kiyotaka31337 1 year ago
Thanks for the videos I learned a lot from your videos.
@ersonthemesa 1 year ago
Thanks Matt....Great video.
@kmsec1337 6 months ago
Bruh this is top quality content. Thank you so much 🙏
@neon_Nomad 1 year ago
Amazing as always !ganbatte!!
@NeverGiveUpYo 8 months ago
Really good content
@malucullus9100 1 year ago
I know the hash has been cracked now, but if you wanted to get into the older firmware without having to do a chip-off you could also have tried interrupting the boot process a few times, ideally with a reset. This would simulate the crashing firmware that this sort of A/B deployment is supposed to protect against and may have caused the boot loader to fail back to the old version.
@azus5576 2 months ago
It has? In what video does he do that? I couldn't find that hash in those pre-computed lookup tables and using leaked password lists didn't work either. I doubt he could brute-force that hash
@azus5576 2 months ago
nvm, I missed the fixed comment somehow
@Henrik229 1 year ago
Very interesting videos!
@markf8819 1 year ago
Great video
@bassimyounis5803 1 year ago
Hey Matt thanks for the video. How did you know that the hash was unsalted? Was it in a previous video?
@mattbrwn 1 year ago
Good question! I discussed it in the first video. The bootloader prints out the password hash of what you enter for a password attempt. So I was able to type "password" in, hit enter, and confirm that the password matched the unsalted sha256 hash of "password"
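The check Matt describes in that reply, written out as an added example (this code is not from the video, the channel, or the comments): submit a plaintext you chose, capture the digest the bootloader echoes, and test which unsalted algorithm, if any, reproduces it. The function names are the example's own; the only digest it assumes is the standard SHA-256 of the string "password", and the "echoed" line is a constructed stand-in for whatever the real device prints. It generalises the one-algorithm check in the reply to the common unsalted digests, because a match on any of them tells you the same thing: the stored hash is offline-checkable and identical across every device that shares the password.

```python
import hashlib
import hmac

# Unsalted digest algorithms a bootloader or firmware password check
# commonly uses. Each is tried against the digest the device echoed.
CANDIDATE_ALGORITHMS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def identify_unsalted_digest(known_plaintext: str, observed_hex: str):
    """Return the name of the unsalted algorithm that maps known_plaintext
    to observed_hex, or None if none of the candidates does.

    A match means the device hashes the password with no salt and no key
    stretching: the same password yields the same hash on every unit, and
    a captured hash can be verified offline. No match means a salt, a
    pepper, an iterated scheme, or a different input encoding is in play,
    and this quick check alone cannot tell you which.
    """
    observed = observed_hex.strip().lower()
    data = known_plaintext.encode("utf-8")
    for name in CANDIDATE_ALGORITHMS:
        digest = hashlib.new(name, data).hexdigest()
        # Compare only like-sized digests, and do it in constant time;
        # a mismatch on length already rules the algorithm out.
        if len(digest) == len(observed) and hmac.compare_digest(digest, observed):
            return name
    return None


def classify_bootloader_hash(known_plaintext: str, observed_hex: str) -> str:
    """One-line verdict suitable for a triage note or a finding write-up."""
    algo = identify_unsalted_digest(known_plaintext, observed_hex)
    if algo is None:
        return "no unsalted match: salted, stretched, or a different scheme"
    return f"unsalted {algo}: weak, offline-checkable password storage"


if __name__ == "__main__":
    # Constructed sample: the digest a bootloader might echo after the
    # attempt "password". This value is the plain SHA-256 of "password".
    echoed = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
    print(classify_bootloader_hash("password", echoed))
```

Run it once with a plaintext of your choosing and the digest the UART console printed for that attempt; a hit on any candidate is the finding, and a miss is a prompt to look at the firmware for a salt or an iteration count rather than a reason to stop.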
@neon_Nomad 1 year ago
Here I come hashcat.. guess the rainbow road was too easy a route
@Autokey_Security_Services 1 year ago
Is it not possible for you to write your own known hash into the flash chip raw data dump, or is this data retained in the Ambarella chip??
@mattbrwn 1 year ago
This should be possible. I'm working on this method for a future video.
@Ski4974 7 months ago
Did you end up making the 3rd video in this ARLO Q series?
@mattbrwn 7 months ago
Unfortunately my device got bricked so I wasn't able to make the next video.
@Ski4974 7 months ago
@@mattbrwn That's too bad, how did that happen? 😯
@neon_Nomad 1 year ago
Says it will take a month but I'm having trouble getting both CPU and GPU running at the same time... I don't have much experience with hashcat so if anyone knows what's going wrong, I'm using hashcat launcher
@habiks 9 months ago
Cool video . But GPIO simply means general purpose input / output pin. GPIO isn't any type of mechanism..
@gersonsoares6628 1 year ago
Good video Matt: is the bootloader U-Boot?
@mattbrwn 1 year ago
No this is not U-Boot. Ambarella SoCs use a custom bootloader called amboot.
@jordantekelenburg 1 year ago
Is there more coming??
@markf8819 1 year ago
What tools would you recommend for a beginner
@mattbrwn 1 year ago
I'm trying to put together a playlist about all my tools but that's a work in progress. For getting UART access you really just need a simple TTL-232R cable: ftdichip.com/products/ttl-232r-3v3/
@ahmedsammoud1924 1 year ago
Any updates on what happened with the arlo?
@neon_Nomad 1 year ago
Hope all is alright
@mattbrwn 1 year ago
Haha thanks for asking! Doing good. Closing on a house so that's been taking a lot of my free time lately. Will post new videos after that is finished.
@isheamongus811 4 months ago
Maybe something like if (1=1) may work
@same4047 1 year ago
Sir, I have been facing problems on my Bluetooth speaker: every time I turn it on it plays heavy, annoying prompts like "Bluetooth pairing is on", "USB mode", etc. How can we remove these prompts, or customise the Bluetooth device name? Also, could we make a device which could connect to multiple Bluetooth devices and simultaneously output all of them from one source/smartphone 🤔
@tyronetyrone2652 7 months ago
@bomber78963 1 year ago
I'm guessing they beefed up their passwords after this recent CVE: nvd.nist.gov/vuln/detail/CVE-2016-10115 One option may be to fuzz the UART inputs? Perhaps something in the password check logic may have a bug
@mattbrwn 1 year ago
I thought this was going to be the case as well! Check the pinned comment! Someone cracked it already 😂