Hacking The Mojo C-75 - Root Shell via Firmware Modification

Подписаться 67 тыс.

Просмотров 17 тыс.

50% 1

The Mojo C-75 is a professional grade Wi-Fi router. In this video, we modified the extracted firmware to update the root password hash in the /etc/shadow file to a password we know. Then we reattach the flash chip to the PCB and get a root shell.
mkfs.jffs2 man page:
man.archlinux....
XGecu Software Mirror:
github.com/Kre...
XGecu Wine USB Driver DLL:
github.com/rad...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nma...
#hacking #iot #cybersecurity #righttorepair #jailbreak

Опубликовано:

28 сен 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 93

@Lifeless11111 4 месяца назад

One advice i have for you when soldering , is lower your soldering temperature, its way too high , thats why u knock off that resistor so easily. Also you run the risk of just taking off pads at that temperature. I usually just have my soldering station at around 300c for this small thermal mass jobs. Great video btw

@marcosscriven 4 месяца назад

I absolutely love that you didn't edit out the agonising wait on booting up to confirm it worked. Great videos as always. Thanks.

@mattbrwn 4 месяца назад

haha yeah that wait always seems to take forever!

@neilblunden1266 4 месяца назад

those are the times when i start deep cleaning my keyboard , otherwise it never gets done.

@NyahStuff 4 месяца назад

A bit of advice when soldering those types of chips with more than 6 pins: I've found it easiest to do when there isn't any solder applied to the pads beforehand - what I do is I put a blob of flux in the middle to just hold the chip in place and then carefully go around and manually apply solder to each pin with the soldering iron once the chip is aligned. Maybe also loog into getting a pointier tip for the soldering iron for that. Cheers for the great content!

@bertblankenstein3738 4 месяца назад

One of the benefits by soldering the chip by iron is that it doesn't get another cycle of hot air baking.

@micahrunyon2743 4 месяца назад

So many things to say. 1. love the videos. it's refreshing to have a old youtube style walk through including and explaining mistakes. 2. I appreciate you reading and using comment suggestions like zooming in on the command line.

@roguesecurity 4 месяца назад

Really loved the section where you covered improper soldering let to flash chip not being recorgnized. When working with hardware modifications, there are truly many potential points of failure - such as chips not being soldered correctly, components getting damaged from overheating during the soldering/desoldering process, firmware corruption, other PCB components on PCB getting dislodged etc etc. This type of work undoubtedly demands a tremendous amount of hardwork and patience. Great work, Matt, and thank you for sharing this. I really enjoy your videos.

@Garock2 2 месяца назад

Congratz. This video opened my mind for these kind of modifications xD keep up the good work

@j_r_- 4 месяца назад

Loving the hacking series. we can re-use/re-purpose old devices

@elektroschmaus 4 месяца назад

I love your style of presentation and the information with/of all the failed attempts. Very instructive and good to follow. Lerned a lot over the time with your videos. Thanks for sharing. I'm already looking forward to the continuation :)

@TechieGanesh 4 месяца назад

Hey matt, just wanna say I absolutely love your videos!

@inq752 4 месяца назад

one of the best channels. keep pumping out the content in same format

@hugocusson6496 Месяц назад

A little soldering advice, lower your heat, and avoid touching the iron with the solderdirectly. Touch one end of the pad with the iron and the other with the solder. Perfect shiny pads every time.

@jake7112 4 месяца назад

Great content, love your stuff man. Keep it up! Looking forward to seeing that traffic you mentioned

@Alfred-Neuman 4 месяца назад

Now, let's try to find where they installed the backdoor on this system! ;D

@Rilch 4 месяца назад

This stuff is really interesting! Thanks for another cool video! Look forward to the next one one this device :D

@tangerinq 4 месяца назад

Nice video. As to XGecu issues, I'm also using an XGecu programmer (TL866II Plus) but I've never experienced any of these. Possibly because I don't use flux when removing the chip, so chip legs don't get covered in non-conductive thing. As to erase failing, never seen this before as well. I suspect this might be an artifact of running the software in wine.

@Lachlan.Wright 4 месяца назад

incredible. Love this stuff man!

@DataToTheZero 4 месяца назад

Excited for this one!

@mikehensley78 4 месяца назад

hell yeah!

@foobar9761 4 месяца назад

Very interesting stuff, do please continue!

@deniz-akkaya-x 4 месяца назад

This is very nice work. One question though.. non of the firmware or password file is not verified with a check sum or some sort of signature with other chip. That’s a little bit interesting. You said you have done this first time but is this way a common implementation? One more time, great job!

@mattbrwn 4 месяца назад

Yes some embedded systems will use secure boot to verify the kernel, filesystems, etc. but in practice you don't see it implemented much on consumer IoT devices.

@zisumevoli96 4 месяца назад

I've seen a similar behavior when writing custom bootloader code where it fails to respond in time to the erase command, or responds with failure, although the erase was successful

@ThanassisTsiodras 4 месяца назад

Nice work, Matt! Looking fwd to what you'll do now that you are root :-)

@Th3V01d73 4 месяца назад

Really cool video. Love your content :)

@richardj163 4 месяца назад

Awesome video, thank you once again :)

@AnthonyZenrick 4 месяца назад

I'd have binary edited the flash image directly. The salted hash is the same length, so it's a drop in replacement. The image is unencrypted and uncompressed, and the filesystem image within it, is unencrypted and uncompressed. No change in file size, and a bunch of recombination steps, get skipped.

@mattbrwn 4 месяца назад

This is a good idea, however: "the filesystem image within it, is ... uncompressed" This is not true. > strings u8fw.bin | grep 'root:$1' | wc -l 0

@thomapple 4 месяца назад

Isn't it way easier to resolder the chip with the soldering iron instead of hot air? I always do it this way

@RobertGallop 4 месяца назад

Are you going to follow up with a way to root without hardware mods? Is there any setuid, or something that a stock box could be rooted with? Not sure if there is anything, but maybe? Or are you closing this series out?

@mattbrwn 4 месяца назад

not closing the series out, but haven't found a way to root without firmware mod yet.

@RobertGallop 4 месяца назад

Good luck sir, your skills are awesome to observe, if there is one you’ll get it! And I look forward to learning what you find!

@memejeff 4 месяца назад

Great video

@HandFromCoffin 4 месяца назад

I wish I was smart like this..

@Gritaremos 4 месяца назад

this is awesome stuff! How would have you dealt with it if the microchips had the "erase if read" bit set and the name/logo had been scratched off the surface? This is what I usually see when manufacturers want to add protection to these products.

@mattbrwn 4 месяца назад

"erase if read" I've never seen something like this before on an discrete flash chip. You might be thinking of an internal flash on a microcontroller? Think about it: How would the CPU ever read flash data if it erased itself on a read operation?

@Gritaremos 4 месяца назад

@@mattbrwn Great point! I guess I was thinking of a microcontroller. I am assuming at that point it may be easier to find the flash chip and attack it instead?

@AymanAlhkeemi 3 месяца назад

Hello friends anyone know how i can repacking the firmware and bypass the crc signatures

@chaman469 4 месяца назад

I've just discovered your channel and... whaou ! Now I'm looking for any device in my home where I can try to hack 😅 my concern is that I've heard that some chips may have some safety erase function in case of unauthorized access 😢 have you ever encountered this case ?

@mattbrwn 4 месяца назад

Never encountered this. Just go for it. Make sure it's a device you are ok bricking!

@Electrically-Electronic 4 месяца назад

Great

@xrafter 4 месяца назад

Does it default to little endian or your native system endian? Either case it is good to have the -b to make it repudicable.

@mattbrwn 4 месяца назад

you might be right. might be the native system's endianness.

@Spudz76 4 месяца назад

"File systems are created with the same endianness as the host, unless the -b or -l options are specified." from the manpage

@AlfaOxTrot. 4 месяца назад

You will become viral

@mikehensley78 4 месяца назад

Whats up, everybody!?!

@nagytormas Месяц назад

Good job! Do your self a favor and buy a "sop 16 clip"

@PrimalNaCl 4 месяца назад

It would have been much easier to mount your copy of the image file with the loop device, alter the shadow file, and unmount it. No having to dork around with trying to repackage the exploded contents.

@Spudz76 4 месяца назад

Not without using mtdram or nandsim both of which also need to be told how to act like the real flash chip (aka still have to know the right eraseblock size and all)

@PrimalNaCl 4 месяца назад

@@Spudz76 mtdram or block2mtd; nandsim is a brutal pita to get right. Regardless, outside of nandsim, it's a faster/easier iterative process (even in a pure brute-force scenario) than repackaging the exploded fs, writing to actual nand, resolding to the board, and holding one's breath during the boot process. :)

@garyl6031 4 месяца назад

firmware murderfication ... priceless.

@CandyGramForMongo_ 3 месяца назад

Why not just he edit the disk image directly with the hash? Skip all the mkfs stuff.

@Chris-kx5lp 4 месяца назад

This was great

@MichaelLindsey 4 месяца назад

informative, and entertaining, and I would give ya a B on the solder job. LOL, I like the comment also from @lifeless11111 however the heat isn't as much an issue is the tip size when work with surface mount parts.

@DrXJ 4 месяца назад

Some people are just going through products because they have money.. others go throug them like.. "hey, let's go meet your makers and find out what they didn't tell you... you could do." 😂

@bertblankenstein3738 4 месяца назад

This was a great vid. The soldering is doable, the firmware mod is doable too. The important bits are explained well. And bonus points for using Vim. Thank you.

@dieSpinnt 3 месяца назад

Just some technicalities and nothing of importance, Matt: "... now, that the solder turned COLD ...". Hehehehee. Don't talk that way if professionals are in the room. I may be wrong, because I am German, but I sense that "cold" in conjunction with solder-joints also means a VERY BAD THING in english: Unstable, weak and bad connections (romantics ... the old days ... with LEAD ... were so much better! Just joking. You could see cold solder joints easier with that poison as pat of the solder-alloy). May I suggest: "... until it turns SOLID"? Which is actually what it does, changing its state of aggregation and forming a mechanical and electrical, reliable connection. Well, until you move or shake the joint while the solder is cooling down, which may result in that so called "cold solder joint". A reason for headaches, failures, I mean unrepeatable sporadic failures, in the future. I'm sorry if I got too emotional when I am talking about our(my?) NEMESIS as e-engineers and service personal, etc. Hehehehe:)

@pablopoo 4 месяца назад

Tried to imagine when a developer/contributor committed the “cowardly” message to the upstream code as a joke, and that message is still there to these days. 😁😂

@mattbrwn 4 месяца назад

github.com/torvalds/linux/blob/eb6a9339efeb6f3d2b5c86fdf2382cdc293eca2c/fs/jffs2/scan.c#L266

@Rilch 4 месяца назад

@@mattbrwn 12 years ago x D

@Spudz76 4 месяца назад

"Cowardly refusing" is widespread, such as if you try to tell tar to make an empty archive. Basically the oldest meme in the UNIXsphere.

@kockry 4 месяца назад

Disassemble hikvision camera to hack firmware

@mikehensley78 4 месяца назад

Awesome murderfication! :)

@DawidKellerman 3 месяца назад

Earned you a subscribe! ;)

@NikiBretschneider 4 месяца назад

After seeing this I am happy I've bought "older" version of that programmer called TL866-II, because there is minipro - the alternative control software for that programmer made by David Griffith, which is perfectly hassle free…and it has command line interface which is easy to integrate with other parts of build chain like gmake. As far as I know there is also some experimental support for newer programmer in the last version, so maybe, just maybe, there would be some way how to modify it to your device too…which, in fact, would be great. The original software is horrible. Is it possible to mount jffs filesystem in rw mode through loop device? Idk, but if this is possible, then it would be much easier way how to modify that firmware file. Some FS cannot be mounted this way (e.g. iso9660) but sometimes, well, you are lucky enough :3.

@mattbrwn 4 месяца назад

Yeah I saw that project for the TL866-II. Really want that for the T56

@ColinMcCormack Месяц назад

Alternatively, you could overwrite the UID to 0 for config's password in /etc/passwd - then configure user has uid 0, root!

@ColinMcCormack Месяц назад

Oh. I'm wrong - I should have watched to the end. So change shell cmd to bash in passwd

@georgzimmer4627 4 месяца назад

Awesome!

@robertkeyes258 4 месяца назад

Couldn't you have avoided lots of erase block size and endianness by mounting the original firmware as a loopfs, modify /etc/passwd, and then unmount and unloop it?

@Spudz76 4 месяца назад

Not without using mtdram or nandsim both of which also need to be told how to act like the real flash chip (aka still have to know the right eraseblock size and all)

@xrafter 4 месяца назад

Didn't know mkfs could make a binary image from a "regular" directory. I thought they used dd or something for that.

@Hyp3rb34m 4 месяца назад

Great Job! Looking forward to the next one to see what you found in the network traffic; as we used to do some crazy things specifically around spectrum jamming/etc

@samhorowitz7593 4 месяца назад

Digging your videos Matt!! Thanks for taking the time to make them!

@RickDkkrd 4 месяца назад

Good stuff, thanks for putting the whole process together

@Saturate0806 4 месяца назад

damn, I'm impressed over the upload rate

@avri210984 4 месяца назад

You could have just changed the config user shell and you could gain root that way without overwriting the root user password

@xrafter 4 месяца назад

If config isn't able to run sh then that won't work. However it seems all of that is provided by busybox. So I would assume you can't change the permissions of one command withoud affecting the entire suite.

@xrafter 4 месяца назад

Also the config user has a UID 0 shared with another 2. I didn't know this was possible. Anyway, UID 0 means he should be able to run sh.

@mattbrwn 4 месяца назад

I could have just changed X and gained root, where X is an infinite set of firmware modifications. ;)

@seba123321 4 месяца назад

nice! great good tutorial.

@memejeff 4 месяца назад

YEAHHH BABY, YEAH

@al_lazy3519 4 месяца назад

Great job on your work! My guess on the write fail at 25MHz is that the second socket for the smd adds too much capacitance to have a reliable communication.

@mattbrwn 4 месяца назад

yeah that makes sense!