Hacking an AT&T 4G Router For Fun and User Freedom

Подписаться 30 тыс.

Просмотров 285 тыс.

50% 1

AT&T doesn't want their customers to modify their own devices. In this video, I show how hardware hackers can take back control of their devices through the process of firmware extraction and firmware analysis. Specifically, we take a look at the CDS-9010 LTE router and extract the superadmin credentials via the UART U-Boot interface.
AT&T Forum Questions:
- forums.att.com/conversations/...
- forums.att.com/conversations/...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #righttorepair #jailbreak

Наука

Опубликовано:

7 май 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 938

@wrathofainz Месяц назад

Bro's face is like Jim Carrey

@mattbrwn Месяц назад

LOL I get this all the time.

@wrathofainz Месяц назад

@mattbrwn It's weird how that happens sometimes. There's a dude working as a parole officer (for youth) for Oregon who looks just like Ryan Reynolds. I'm pretty sure he's in a official blue book somewhere.

@thomashenden71 Месяц назад

"Cable modem" guy! 😄

@H3aling808 29 дней назад

@@mattbrwnyou're about to get something else in a second brb

@GeorgeKaranikos 29 дней назад

Best! What a great video. Well done

@vp_bot Месяц назад

didn't expect to find a wizard today.

@mikehensley78 25 дней назад

i think that was one of the better explanations and demos i have seen. smart dude for sure.

@Shmancy_pants_69 23 дня назад

They arrive precisely when they mean to.

@supermaster2012 23 дня назад

How is this wizardry? All of this is fully documented ad-nauseum in the OpenWRT wiki...

@OurSpaceshipEarth 21 день назад

Nice fully agree there! Looks like Bowtie Ape "w/ a plant on it's head", does too * `~{[:rC[})-B

@rastaman4lk Месяц назад

Please don't stop, and keep doing it, it's so interesting to watch it.

@DTT420 19 дней назад

That's what she said..

@r0xjo0 21 день назад

I am a high school Cybersecurity teacher. This content is pure gold. Amazing work. 🎉 This was a pleasure to watch.

@jaygames6926 18 дней назад

i think its amazing whatever school you work at provides classes like that, i wouldve loved that back in the day

@meekmtck5917 17 дней назад

Seriously, what school you working at? That's pretty awesome if you ask me.

@wileysneak 17 дней назад

they teach cybersecurity in high schools now?? that's incredible!

@r0xjo0 16 дней назад

@@wileysneak PLTW... Project Lead the Way. The curriculum is really cool. Kids love it.

@r0xjo0 16 дней назад

@@meekmtck5917 Southern California schools, but many schools have this as a newish subject.

@troll338czytb8 Месяц назад

The SoC and modem in this router are common and supported by OpenWRT, it would be cool to see port for this device as part of more open firmware in the future!

@monad_tcp Месяц назад

yeah, those things using custom linux with init instead of systemd are slow as hell to boot

@__Ben Месяц назад

I'm pretty sure it's actually running a (very modified) OpenWRT anyway. some of the data in the "strings" output against the extracted config match up with those found in openwrt configurations (eg: NintendoCapable=0)

@troll338czytb8 Месяц назад

@@__Ben Yes it most likely does, but the differences between years outdated proprietary version that OEMs use and official is extremely large.

@Anaerin 29 дней назад

@@__Ben That interface looks a hell of a lot like a barely customized DD-WRT install.

@tacokoneko 29 дней назад

AT&T shameless gpl viol;ator by not releasing the source code of the kernel used

@MattMellen1337 Месяц назад

I believe the "phone" ports on that device are for an ATA gateway, which would provide POTS lines from the cellular interface.

@mattbrwn Месяц назад

very interesting. I've never messed with anything with POTS before. makes me think of the phone phreaking scene back in the day

@pozdroszejset4460 Месяц назад

they can be very useful if you ever wanna do some retro hacking, it lets you simulate a phone line so you can dial from modem to modem without ever touching the "real" network

@rebootretro Месяц назад

I believe this is correct, the phone ports on this particular unit are for POTS line out (aka. landline phone hookup via cellular). Although I'm pretty sure I've seen these cellular modems that ALSO support POTS line in for DSL connection. Either way, for all the cellular modems like this I've seen I can't recall ever seeing someone actually use this feature, lol.

@adventuresin9797 Месяц назад

I've been hacking on a similar AT&T cell hotspot type device, and can confirm the POTS lines are to hook up a phone and make phone calls in and out from the cell radio. The ZTE M279 based devices used by AT&T also had an open web config interface.

@drooplug 29 дней назад

ATA? You just gave me a Telix flashback.

@KeritechElectronics 25 дней назад

That's one splendid hack, and a pretty easy one at that. Since it's Linux based, AT&T is obliged to publish the parts of the software that are GPL licensed, like Cisco/Linksys famously was with their WRT54GL back in the 2000s. Device configuration, user data etc. can be protected and fortunately they did a lousy job at that, when you're in, you're in. Also, I saw a Raspberry Pi reference in the UART output, it makes things interesting as to how the system was built or developed. You're truly exercising your right to own things here - you'd make Louis Rossmann proud!

@Elfnetdesigns 23 дня назад

Raspi I believe is the code name for the custom firmware AT&T has on these. One neat thing about these is the wireless settings in the web ui for SSID are not restricted meaning you can put anything. I put a lenny face in and it took it and broadcasts it with no issue. You cant just put in spaces though as it will default to ATT_AP24 for 2.4 GHz and ATT_AP5AC for 5Ghz. at least thats what it does on mine. The webui is very VERY similar to the Readynet routers I have as they allow like 5 SSID's per radio to be active. and the overall look and feel resembles a DD-WRT UI

@user-fr3ew4cd9w 23 дня назад

ky5 tr00n

@waltergonzalezpaz5995 23 дня назад

@LouisRossman

@KeritechElectronics 23 дня назад

@@waltergonzalezpaz5995 that's @rossmannrepairgroup but I doubt tagging in a comment does anything.

@subtropical-yearning 19 дней назад

“raspi” is not “raspberry pi” but rather “ralink spi”

@noexisting5145 Месяц назад

This is the first video that I see of yours, and let me say I loved it. You explain really well and seem so passionate that it is contagious. Great work!

@kaydog890 27 дней назад

+1 this

@mikehensley78 25 дней назад

hell yeah. +1

@rbw9692 25 дней назад

+1, clear explanations, fun to watch.

@hburke7799 27 дней назад

ATT pulling a good ol sony, locking a device down after the fact only incentivizing breaking it open completely. excellent work!

@nappinggeek3 29 дней назад

Most of the routers/modems that I have dissembled would have a password hashed and not stored in plaintext, so eventually I have to modify the bin file locally on laptop and then write it back to device with custom password hash. This is a great video for people who wants to get started.

@xrafter 27 дней назад

You can copy that hash and run password list program and check if there is one before that

@fss1704 23 дня назад

Nevermind what it uses to encode the password, set the normal user password to the one you would like to use in the root account and then copy the user password to the root password, you can get a spi writer and modify the file.

@anupamkumar71 21 день назад

PROM incoming?

@AndrewMackoul 29 дней назад

As someone with a computer engineering background, this video is up my wheelhouse. I loved your explanations and contexts you gave. I knew at the end that you were going to check if SSH was enabled.

@UK-Expat-in-USA 25 дней назад

Dude, I've been in the Software Industry for 20+ years and I am stumped why you only have 18.3K subscribers 🤔 Really liked this video, reminds me of the stuff I use to do for fun, I had to subscribe to your channel to help you growth - Great Job 😀

@mrmarr8308 23 дня назад

Because people be dumb

@AngelaTheSephira 23 дня назад

It's probably because the video is far too quiet and can't be heard without absolutely cranking your setup and having notifications blast your windows out of your house.

@rupertwellington3744 17 дней назад

Yea....no. Your sound settings are probably jacked up, likely on some surround setting which would manifest in the way you described it. But there is nothing wrong with the audio of his video. Just sayin.@AngelaTheSephira

@AngelaTheSephira 17 дней назад

@@rupertwellington3744 According to Audacity, his audio is at -12 dBFS, which is not the proper leveling. It should be about -6 (the safe option) -4 (RU-vid itself's recommendation), or preferably, -0 and allow RU-vid to level it on it's own.

@AngelaTheSephira 17 дней назад

@@rupertwellington3744 I replied, but RU-vid ate it. According to Audacity, his leveling is at -12. This is not the normal RU-vid leveling, so it's way too quiet. RU-vid itself levels anything above -4 to -4. This is where it should be, but alas, it isn't. And my setup is on All Channel Stereo. On Direct-to-Speaker, it's even worse.

@carlsonjeffrey2006 Месяц назад

My guy - your videos are off the chain. You've got a talented way of explaining and walking through these activities. Keep it up!

@lejoshmont2093 29 дней назад

I wasn't aware of this but this process made a surprising amount of sense. You're very good at explaining what your are doing. Thanks for opening up a rabbit hole. Looking forward for more.

@m3ntalify 29 дней назад

You did a really good job doing this live. I appreciated how authentic it was and that I was able to learn through your process. Well done + thank you.

@mathewrtaylor 29 дней назад

Loved the troubleshooting to identify the UART pins. Super well explained!!

@ingermany1523 Месяц назад

Hey Matt, great work! I love that you explain it in detail, even though you already explained in other videos. Its nice for people who are getting into this "hobby". Great videos, keep it up.

@brithim 29 дней назад

This was awesome to watch, I just subscribed. I've been slowly getting into Kali, hacking into my personal devices, etc. This showed me I can do so much more!

@bryanb3693 27 дней назад

As someone who’s never done this but is super interested in tech, I loved this. First video I’ve seen from you. Loved how you take the time to explain your logic and the “why” behind your decisions. I sub’d and look forward to the next!

@user-pv5ym5bx9w 24 дня назад

I've recently started to look into hardware debugging and found your channel. love your content. keep making it. i'm learning a lot

@snarkykat 23 дня назад

Definitely keep producing this kind of content! I enjoyed your video enough to watch the whole thing all the way through!

@richardj163 28 дней назад

This channel under rated! Please keep doing more content!

@camel_2992 Месяц назад

Bro, im loving all the new content!

@BlurryBit 25 дней назад

This is awesome! You demystified lots of things for me in this video, including finding rx and tx for a device with a multi meter. Kudos, and keep up the good work! Subbed.

@Marcus-jt2ff 11 дней назад

This is awesome. I’m an iOS engineer. Going to start learning some server side programming at work next week, but this hardware hacking is magic to me and very cool and entertaining. Keep it up!

@meganwinters5163 28 дней назад

Just found your channel and subbed. I'm just starting my journey into hardware hacking. Your explanation of this device has supercharged my journey!!! Truly hope you keep hacking this devices LTE side & openwrt routing 🙏 Edited for spelling: dang autocorrect 😅

@mitchellstl Месяц назад

First time seeing your channel. Really enjoyed it! Now I might have to look for stuff like this. lol great job!

@ExzeroX 20 дней назад

That was amazing and very informative. I loved every minute of it, Your breakdowns of your thinking process during each step was fantastic and made a very complex thing seem approachable. Keep the videos coming, I would love to see what you hack in to next!

@zachkost-smith6923 29 дней назад

Yes, please keep doing content like this. Seeing your thoughts process is helpful, like where the likely vulnerabilities are. I've desoldeded SPI flashes to pull the filesystem when I had uboot shell, iirc. Would have been good to have this video back then.

@hcpitcher Месяц назад

The POTS port is for VOIP lines. Great video.

@waltergonzalezpaz5995 23 дня назад

In Paraguay they do the same. Those ISP guys don't want savvy people to me with those devices. But we want to do more than browsing the web with those devices. Thanks a lot for this amazing job.🎉

@kelseywilliams6561 6 дней назад

Dude you are my new favorite channel. I’m such a nerd but this is gripping content. Please keep it coming

@williambrasky3891 8 дней назад

Very solid tutorial. I’m familiar with this stuff, but not confidently so. You do an excellent job demonstrating all the little things that are hard to know without being shown. I learned a lot. Thanks so much for sharing.

@pathipati2001 28 дней назад

This was super interesting to watch. Also, it's always nice to obtain root access of owned devices. Don't want companies to sell restricted access crap.

@RickDkkrd 29 дней назад

Nice stuff, good explanation. A suggestion for the next more hardcore step in fw hacking - get a device with a locked bootloader and extract the creds by sniffing the SPI traffic from the flash chip on boot with a logic analyzer. Would be watching this 100%

@pcguy619 24 дня назад

Better yet just pull the SPI chip and read it out with an Arduino! No logic analyzer needed.

@fss1704 23 дня назад

@@pcguy619 Oh dude, the arduino adapter isn't that good man, i mean you can try but if you need something new i'd recommend an spi programmer.

@lukedyte3969 29 дней назад

Very good nice, nice that you explained various things in more detail as you went through rather than just assuming everyone knows it already :D

@DeaseNootz 13 дней назад

Great video. Always looking for more channels like this. Youve earned a sub!

@nazrth Месяц назад

That's so funny. I just did this exact same thing to my unit that I have a week ago. And it took me hours to figure it out. Now watching your video, it could have been done in. minutes However my password was different

@mattbrwn Месяц назад

very interesting. If you join our discord server I'd be super curious what other values in that CONFIG are different and what are the same.

@d0ugparker 20 дней назад

Right! I commented above wondering if there was some relationship between the device serial number and the superadmin password… a little ASCII's decimal to binary, a few shifting of bits left or right, and ending with a binary to decimal's ASCII characters.

@fatalinsomn1a182 16 дней назад

This is cool content. I love these short and high level overviews. This is basically how I imagined in my mind dumping flash to a file for hacking would be. I subbed.

@AshemaListener-bq4kl 24 дня назад

I smiled through your whole video and similarly laughed when you tried to log into the web interface the first time. So relatable Writing your own parser in python for the hex dump was a nice touch. Keep it up man, you have my sub.

@glaubhafieber 26 дней назад

Some AT&T manager will click dislike on this video 😂😂😂

@belski256 Месяц назад

Waiting for You to start interacting with the LTE modem.

@mattbrwn Месяц назад

working on it :D

@almc8445 27 дней назад

@@mattbrwnDefinitely upload a vid when you do! You seem like a great presenter!

@THENICKCHEESE Месяц назад

I'm just getting into hardware hacking and these videos are like gold to me! Thank you! Keep em coming!

@AceTrainerBanjo 19 дней назад

I’m starting starting classes for cybersecurity and this video feels like discovering the secrets the Jedi don’t want me to know. Great video, thank you!

@malvoliosf 27 дней назад

Wait, did that really go that smoothly? You guessed the UART settings and pinouts the first time? The password was in clear?

@alchemistrose928 24 дня назад

The dislikes are from AT&T XDD

@timothyingram6904 28 дней назад

I don’t know anything about the hardware hacking and easy to say this is a bit over my head. But you did a great job of explaining things without getting into the weeds. Great presentation!

@gutter_onion7855 29 дней назад

Fantastic. You made quick work of that, far faster than I expected.

@donwald3436 Месяц назад

"raspi" ..... 🤔🤔🤔

@mattbrwn Месяц назад

yeah I saw that too. no clue if they reused any code...

@rethinkingcanada2352 Месяц назад

@@mattbrwnMost likely means Ralink SPI, rather the raspberry pi.

@Melechtna 29 дней назад

My dude really needed to break out the python to math out the simplest hex conversion ever

@Dqrnan 27 дней назад

First time watcher: subscribed. Love it! Thank you.

@tmarkpolansky 15 дней назад

I enjoyed watching this. The whole process step by step was really interesting. I was tracking with your thought process. This was awesome from hardware hacking to software hacking, and all the tools that you used.

@carlsonjeffrey2006 Месяц назад

A tip for everyone here: anything with an IP address which joins a network likely runs Linux and can be attacked through JTAG. JTAG is supposed to be disabled on production units but it's cheaper to manufacture and leave it open/connected. Some manufacturers can send a software update to blow an e-fuse which would disable it😋

@309electronics5 29 дней назад

Or uart which often is also left open

@jcs0984 15 дней назад

I learned more in 30 minutes than I've learned in college this semester. Thank you! +Subscribed

@SlickMJM 9 дней назад

Hey Matt. Thanks for the video. You are far more capable than I am. I'm learning. Seeing your process is inspiring and I'm so appreciative. Please keep making more like this.

@TheDrGravy 20 дней назад

Congrats on the vid blowing up, glad I found your channel

@Ben79k 29 дней назад

Hey it was very impressive to see your process of discovery and execution. I love to tinker with old junk as well but i definitely don't have the same level of skills as you do. Thanks for bringing us along. Looking forward to future content for sure!

@loganjones8334 27 дней назад

Super interesting and your demo was so well constructed. Subscribed!

@OhadLutzky 24 дня назад

This is a fantastic multidisciplinary hack, non-destructive, and probably applicable to a wide range of devices. Excellent pacing, demonstrated with mistakes and recoveries from them. This is Ben Eater level stuff. Subscribed.

@lanishx8935 21 день назад

Really good, clear explanation of your thought process. You have natural talent. Keep the videos coming!

@randolphstokes 12 дней назад

Great video! First time, immediate sub. I'm a cybersecurity student, but I always wondered how hardware hacking worked. This video is a window into this area, and I will be following to learn more. Thank you. BTW, some people have said you look like Jim Carrey, but I'm getting Matt Damon vibes.

@steve55619 27 дней назад

Dude this is a really good video. Like seriously you should be proud of this. Keep up the good work bro. Fantastic

@beanlover117 22 дня назад

great video! Very interesting how that can be done as "easily" as you did it. Very appreciative of folks like you out there doing this kind of thing to return power to the users.

@marygauffin7290 29 дней назад

Very relevant, consistently on topic and free from undue disturbances or annoting omissions. Also interesting.

@etmount9424 25 дней назад

You’re an amazing teacher! I learned so much so please keep it up! I just subscribed!

@matth7621 17 дней назад

I didn't understand a single thing you did, but I watched every second. I wish I could go back and learn stuff like this.

@guigazalu 21 день назад

Loved the hyper-tutorialesque approach of the video! Made me feel at home, even though I already know part of what you teach!

@RedDeth 12 дней назад

Excelent video! Good delivery, good detail. I could see and follow everything you were doing.Thank you. :)

@nyxnix 27 дней назад

This was really cool to watch, please keep making videos like this!

@FunfakeElectronics 26 дней назад

hey, thanks so much for this video. I'm keeping old routers and tv box in the hope of being able to use them for a new purpose and this tutorial is a wonderful first step towards that goal. keep it up man!

@ifzwy 21 день назад

oooh i love this kind of content, no bs, no trash talking.. even though i dont know that much about hardware hacking this was so cool to watch. this guy did get lost only one time and we all laugh at it at the same time :D subbed...

@kenshintran1065 13 дней назад

That was fun to watch. The process in general. Very interesting to see. Thanks!

@pellechi1 11 дней назад

Awesome trip down memory lane Matt … more content like this PLEASE!

@Sphiiinxx 18 дней назад

To be honest, as someone who knew already where this is gonna go it was interessting to watch and listen. Thanks for the entertainment 👋

@idolpx 26 дней назад

I enjoyed watching. Keep it up Matt. Fun stuff! :)

@jammeri 26 дней назад

Cool intro into using the UART interface! I didn't know you could actually access the device like that through it.

@Casp1anX 3 часа назад

This is fantastic. Subscribed about 1/3 through this video. New fan 🙌🙌

@guerreroa85 18 дней назад

Sick. I know the very basic stuff like flashing custom firmwares but this was awesome. Subscribed

@B3ASTM0D3. 29 дней назад

Epic bro. Was nice they put that pre-included the serial port for you lol.

@pierremartel3552 23 дня назад

Very interesting stuff!! I am in the process of doing the same on a fiber gateway router for a local ISP that locked out its users of the web admin page also. You gave me a lot of nice stuff to test.

@serae6184 22 дня назад

Incredible work! I'm going to be taking a cybersecurity program at my local college this fall and I think I just found my new favourite youtube channel hahaha

@Nick1921945 15 дней назад

Great video. I really liked this. Good work! (after watching the whole thing): This was very fun to watch and amazing. Coming from a code novice. :)

@JDWatkins 29 дней назад

Please... Keep this content coming. I for one love it. Semi retired, getting into the Raspberry Pis , the LoRa devices as well as a few other goodies. Way out of my league here but, what the hell. Thank you for the content.

@PaulzePirate 28 дней назад

Great content! Really enjoying catching up on it all, keep up the great work

@kwaddamage8286 29 дней назад

thanks for making these. i used to tinker with some old cable modems with my busPirate v3 over UART etc. nothing crazy, but recently ive been getting back into hardware hacking (just got the buspirate5) and yeh, these old modems are a perfect entry point to mess around. glad to see someone really digging in step by step

@brendanhayes2752 15 дней назад

Wow, I have no idea how I got here. I’m not a tech person, I still type with 2 fingers! Seeing your process was great.

@richjamjam Месяц назад

Love this kinda stuff! Subscribed! 👍🏻

@mikecarroll757 29 дней назад

Great video! Clear, concise, and thorough 🤘

@ForeverMan 28 дней назад

I have to say, its been a while since a watched a new channel, and a long video like this one ? longgg time.... I really enjoyed it man

@rileyjohnson2973 22 дня назад

Dude! Well done, I’m a just some nerd in the army trying to learn python and you showed me one of the ways this stuff can be used. Thank you.

@UndeadAlex Месяц назад

I started programming with game development and its still my main interest, but damn every time I watch something like this it seems so fun and you always explain everything really well.

@BatmanBruceWayne 17 дней назад

Loved the video! I have to confess that I envy your knowledge (in a good way). What you do seems to be super fun! Just so you know, here in Argentina, all ISP devices are managed by the ISP, and we don't have access to them. That's the common rule here. The issue is, if you manage to gain access to the device and change anything, as soon as you reconnect to the ISP network, they overwrite your settings with their own. So, unfortunately, there's not much you can change on your side.

@prasadreddy9754 14 дней назад

Thats a wizard doing magical stuff , loved it and learned a lot keep on doing the good work , its very educational

@caleygoff4653 10 дней назад

good stuff man as a cybersecurity professional this is well organized and explained even for folks who don't quite understand how stuff lives in flash. 👏

@SiegeWhale 21 день назад

Fight the good fight, love it. Great walkthrough of your process - learned a ton!

@ikemkrueger 23 дня назад

This was awesome to watch! Thanks for showing! I wanna see more like that.

@dpyles9396 27 дней назад

Awesome info! Yes-do more. I subscribed after watching this video! Thanks and keep em coming!

@ayedurand 25 дней назад

Amazing stuff. I'll be looking at your old videos. Keep it up.

@anongagglefrak 19 дней назад

Another hero we all need, but some just don’t deserve. Rossman being another.instant sub! Thank you kind young sir. Sincerely an early gen xrrrrr. I do not discount your generation… I’m laughing at the world underestimating y’all. Carry on good man!