#05 - How To Get The Root File System - Hardware Hacking Tutorial

Views: 38,875

Make Me Hack

4 years ago

If you have downloaded the firmware file for your device from the supplier's website, or if you have dumped the EEPROM from your device, and you want to extract the root file system and other information, this is the video for you!
In this episode I will talk about the available options to understand where the root file system is located in the firmware image, and the tools to use to extract it with the purpose of analysing it.
In this episode we will use 3 different types of firmware file:
- An encrypted firmware update file for a digital camera, downloaded from the supplier's website. I will not succeed in extracting the root file system, but we will learn something useful anyway.
- Another file is a firmware upgrade for a home router, downloaded from the supplier's website; we will successfully extract the file system, with some minor issues.
- The last file is an EEPROM dump that we dumped from the sample Gemtek router in the previous episode.
We will do everything on our Linux box using some simple tools:
- The "file" command, which gives very basic information about any type of file.
- The "strings" command, which prints the embedded strings in a binary file.
- The "hexdump" command, which prints the hex dump of a file, including the ASCII equivalent of each byte.
- The "binwalk" software, which is able to scan a binary file searching for the signatures of many different file system images, compressed data segments, digital certificates and many other types of information embedded in a single binary file. It is also able to show the running entropy of a file, allowing us to understand whether we have an encrypted or compressed segment inside the binary file.
- The "dd" command, which is able to dissect a file, easily extracting part of it, or reassembling a file by putting together different parts.
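As an added illustration (not code from the video or from the channel's repositories), the script below reproduces on a constructed firmware image the core of what the tools above do: a binwalk-style signature scan, a running entropy map like `binwalk -E`, a `strings`-like extraction and a `dd`-like carve by offset and length. The magic-value table, the block size and the layout of the sample image are my assumptions.

```python
import hashlib
import math
from collections import Counter

# Magic values of the kind binwalk's signature scan looks for (standard values; the table is an assumption).
SIGNATURES = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "SquashFS filesystem (little-endian)",
    b"\x85\x19\x01\xe0": "JFFS2 dirent node (little-endian)",
}

def scan_signatures(blob):
    """binwalk-style scan: every offset at which a known magic value occurs."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def shannon_entropy(data):
    """Bits per byte: close to 8 for compressed/encrypted data, low for tables and padding."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_map(blob, block_size=512):
    """Running entropy, one value per block, the same idea as `binwalk -E`."""
    return [(off, shannon_entropy(blob[off:off + block_size]))
            for off in range(0, len(blob), block_size)]

def find_strings(blob, min_len=4):
    """Same idea as the `strings` command: runs of printable ASCII."""
    found, run = [], bytearray()
    for b in blob + b"\x00":  # the trailing NUL flushes the last run
        if 0x20 <= b < 0x7f:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found

def carve(blob, offset, length=None):
    """Like `dd if=fw.bin of=part.bin bs=1 skip=OFFSET count=LENGTH` (to the end if no length)."""
    end = len(blob) if length is None else offset + length
    return blob[offset:end]

def _pseudo_random(n, seed=b"constructed"):
    # Deterministic high-entropy filler standing in for compressed data.
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])

def build_sample_image():
    """Constructed image: 512-byte uImage header area, gzip'd kernel, SquashFS rootfs."""
    header = b"\x27\x05\x19\x56" + b"\x00" * 508
    kernel = b"\x1f\x8b\x08" + _pseudo_random(4093)  # 4096 bytes of 'compressed' data
    rootfs = b"hsqs" + b"/bin/busybox\x00/etc/passwd\x00" * 80
    return header + kernel + rootfs

if __name__ == "__main__":
    img = build_sample_image()
    print(scan_signatures(img))
    print([(off, round(h, 2)) for off, h in entropy_map(img)])
```

The high-entropy blocks between the gzip magic and the SquashFS magic are what the entropy plot in the video shows as a compressed (or encrypted) segment; a signature inside a low-entropy block is where you would start carving.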
** Links with additional Information **
Channel's Author: www.makemehack.com/2020/02/a-...
Channel's Web Site: www.makemehack.com/
The sample router (Gemtek WVRTM-127ACN) on techinfodepot: en.techinfodepot.shoutwiki.com...
The sample router (Gemtek WVRTM-127ACN) reverse engineered on GitHub, includes scripts to dump the EEPROM to a text file and to convert it back to binary file: github.com/digiampietro/hacki...
Canon EOS M50 firmware download page: www.canon.it/support/consumer...
D-Link DVA-5592 firmware: media.dlink.eu/ftp/products/d...
adbtools2, tools to hack the DVA-5592 router: github.com/digiampietro/adbto...
buildroot-armv7, emulation environment for the DVA-5592 router: github.com/digiampietro/build...
jefferson, to extract JFFS2 file system images: github.com/sviehb/jefferson
Binwalk, a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images: github.com/ReFirmLabs/binwalk
One of the longest Wikipedia articles: en.wikipedia.org/wiki/List_of...
U-Boot, The Universal Boot Loader: www.denx.de/wiki/U-Boot

Comments: 84
@thecriticalpoint (3 years ago)
It really doesn't get any better than this. Less than 0.1% of people know how to do what you can do and 99.9% of those people won't share their experience and approach because it's tradecraft, or because they suck at teaching. I studied computer engineering at Uni and none of these techniques were taught or applied. Your English is fine. It makes you sound like the Pope of 1337 Hacking Skillz.
@jorgebitar (2 months ago)
🤣 Pope... 🤣🤣🤣🤣
@ivanjimenez7723 (3 years ago)
This is by far the best series I have ever found explaining all of these concepts. Your instruction method is fantastic. It is so understandable and detailed... THANK YOU!
@ryankitching5936 (1 year ago)
Thank thank thank you. This is incredible content.
@strategyoracle (4 years ago)
Very clear and informative. You mention at the end about your English - I wouldn't describe it as bad! There certainly is no barrier to understanding due to language in my view.
@MakeMeHack (4 years ago)
Hello Peter Upfold, thank you for your appreciation and support and thank you for your comment about my English, I am relieved to hear that. I read and listen to a lot of stuff in English, but I speak in English mainly with non-native speakers; I know that I have a marked Italian accent, and often, I mispronounce some words, but I am happy to know that this is not an obstacle.
@TOMJLAEL (11 months ago)
Looks like you've not made a video in 3+ years. Very sad! 😢 I agree with @strate in that there's definitely no issue with your English. For me personally, there are times that the accent is a little thick and difficult for me to understand. But that's no fault of your own. First of all, people from different regions of the US can sometimes have difficulty understanding one another. They're both speaking English. But it's a matter of accents. Secondly, you are speaking about some deeply technical topics here, which is like a third language in and of itself. Neither Italian nor English. So definitely cut yourself some slack. 🤗 You're a brilliant man, and I genuinely appreciate your efforts in sharing your knowledge. Hope all is well!
@rydjaradat (3 years ago)
The best channel ever, with continuous elaborative dedicated thought process. THIS IS SIMPLY PURE GOLD. Thank you sir for this channel, please continue with more devices, don't stop.
@tocube1 (1 year ago)
Your English is no obstacle to your good explanations on the issues. It's been 2 years since your upload and I'm watching and enjoying it, which means it is informative and valuable, hence not expiring anytime soon. Thanks for the great content
@vladislavruttgers2791 (1 year ago)
Very very high quality content, the whole series in fact is. Finally we have our friendly Italian tech nerd grandpa at our disposal. Love it :)
@luizboina3187 (10 months ago)
You are amazing, Valerio!!! Congrats on making this concise, didactic and useful material for us. I am 100% certain that a lot of people who don't comment on this series have the same feeling that I'm feeling right now. I'm Brazilian and I'm not confident about my English speaking either, but I can understand you perfectly. You're amazing!!!
@user-hi1nn6yd9q (3 years ago)
Thank you for the great educational material! Thank you very much for having worked so carefully on the drafting of the text. Thank you for sharing your experience. I've wanted these video tutorials for a long time
@pier-carlvenne8147 (4 years ago)
Thanks a lot for these videos! I found this one a lot more difficult to understand than the previous ones, but I will certainly watch it until I understand everything. Good job!
@MakeMeHack (4 years ago)
Hi Pier-Carl, thank you for your support and for your feedback!
@lantapaukku7629 (1 year ago)
English is clear enough; after watching from episode #01 I am no longer distracted by the Italian dancing accent with stretched vowels. :-) No pun. This is an excellent series!!
@magnusjonsson6720 (4 years ago)
I can only agree with others in the praise of these videos, you are great at making something this complex actually understandable. I have been tinkering with electronics as a hobby for a very long time and still find them really good to watch. Please keep it up, I will continue to watch and have shared on Facebook. Thumbs up :-)
@MakeMeHack (4 years ago)
Hello Magnus Jönsson, thank you for your appreciation, and thank you very much for sharing this content!
@antoniromanowicz6814 (3 years ago)
Sir, your knowledge, skills, experience are impressive. Plus the fact that you are so passionate and eager to teach. I only hope that it will bring you prosperity. All the best in 2021.
@matitalatina (4 years ago)
I love this series! Thank you for sharing your awesome knowledge!
@MakeMeHack (4 years ago)
Hello matitalatina, thank you for your appreciation, I am really thankful for your support.
@disperatorul (2 years ago)
Thank you for this. Very detailed and easy to follow. Please continue.
@SuspiciousAra (6 months ago)
Hi, thank you for your time, doing videos about these things. I have a digital oscilloscope that I did not use for 8 months and now it is not booting up, does not do recovery. I find your information intriguing :) useful :) I will watch more of your videos to try to understand where I go with all this information, at the moment I have zero ideas but a lot of confidence :D I will not throw away this oscilloscope, I will fix it. maybe.... :D
@mmfix3851 (2 years ago)
There is no better explanation about this type of information! Thank you so much!
@isthereanyname (2 years ago)
Would love to see more videos! They are very informative. Thank you.
@ronwellman (3 years ago)
Perfect. Your knowledge is extensive and much appreciated. Thanks.
@DavideMenegalli (3 years ago)
I came across your channel by chance but subscribed right away, because I love the subject :-) Thanks!!
@ducky0069 (4 years ago)
Thank you for sharing your experience. I've been struggling not knowing the proper hacking techniques; this gives me a better understanding and how to apply these techniques. best regards, ducky
@MakeMeHack (4 years ago)
Hello ducky0069, thank you for your appreciation and support!
@infinitytech100 (3 years ago)
Thank you for sharing your experience. I've been struggling not knowing the proper hacking techniques
@TymexComputing (1 year ago)
Valerio di Giampietro and Marco Spiess are my favourite tech friends :) with a southern Europe accent ;)
@TymexComputing (1 year ago)
32:32 - English is ok - I can understand it - good that it's spoken slowly :) - I only needed to learn what "ardware acking" means and everything else was meaningful - BTW I think your video revealed some local system usernames ;) GDPR! l.fornalczyk (quelo) is one of them ;)
@jordancrombie2676 (2 years ago)
Great video... clear, and concise. Most wonderful content
@J01220 (3 years ago)
I love this series! Thank you for sharing
@claudiologiudice9253 (2 years ago)
Valerio, you are a source of inspiration for all of us!! Thank you!!
@jdaniele (3 years ago)
Amazing tutorial Valerio, you rock! Thanks for sharing.
@bertblankenstein3738 (6 months ago)
I'll have to watch again when I'm at the computer. I was messing around and was able to create some sort of filesystem, but all the /dev files got linked to /dev/null for my protection, so clearly fakeroot is in my future. Thank you.
@douglasheld (8 months ago)
22:41 I can recommend, instead of computing SHA sums, to use /usr/bin/diff, which is less typing and perhaps a bit less esoteric; it will simply report nothing, or "Binary files differ". In either case, a full scan of each input file is needed, so there is no efficiency gain in computing the hash.
@cralx2k (3 years ago)
Thanks a lot for this AMAZING series.
@hanoma9fan (1 year ago)
Just came in and already got goosebumps, Phúc's voice is sooo good, hope you'll keep doing covers ❤️
@TheRealKitWalker (3 years ago)
Another useful tut. Thanks so much 😍😍✌️✌️
@becauro (3 years ago)
Nice lesson. Do you intend to continue these episodes?
@gionibegood6950 (2 years ago)
Your English is good and the contents of the video very useful, thank you
@detective5253 (1 year ago)
Amazing tutorial! Thank you so much for this
@danielecastro850 (4 years ago)
You're a great man! It took me years to discover everything you have explained up to video #4. I had seen the whole firmware reverse-engineering part explained elsewhere on YouTube, but not as slowly and in such a clear and orderly way as you are doing: your pronunciation may not be British, but it makes your treatment simple, linear and therefore easy to digest, with simple English terms. I will use this method of yours to compare the partition layout of the original FW with the one in the dts of the OpenWrt image for the AGPWI, for which I added official support. As a suggestion, I'd recommend explaining in more depth how JTAG works internally (scan chain and TAP controller), with an emphasis on how the TAP controller interfaces with the internal components of the newer JTAG variants such as MIPS EJTAG and ARM-JTAG (flash memory controller, debug controller). In the past I always refused to use JTAG precisely because I didn't understand well how it worked and, therefore, I was afraid of damaging the devices. Around the web JTAG is not well explained for a beginner. Finally, a short explanation of the DTS in Linux, how to build OpenWrt and how to include the drivers for automatic handling of the partition layout in the DTS would, I think, be the icing on the cake :D
@MakeMeHack (3 years ago)
Hi Daniele, thank you very much for your comment and sorry for replying so late, I was distracted by a couple of side projects that temporarily took me away from KZfaq. It took me years too to learn the little I know, I am not that young, alas :-) I belong to the generation of young people, more or less the same age as Linus Torvalds, who got hooked on Linux when Linux was released; I started playing with it in 1993. Regarding the JTAG interface, I saw that the related video is the most viewed, so I will surely come back to it, thank you for the valuable suggestions. Not being that young, I remember when the JTAG standard was issued and the emphasis then (which I have seen less since) was on controllability and observability of the various bits inside the chip. So far I have touched on the Device Tree and firmware building topics only "in passing", just to build an emulation environment on QEMU; maybe, here too, I will be able to come back to it later. Thanks again for the comments and suggestions!
@danielecastro850 (3 years ago)
@@MakeMeHack So you basically started tinkering with Linux when I was born... crazy... As for JTAG, I was lucky enough to study it in a course of my master's degree in engineering. Without that course I don't know if I would ever have used it to this day... I mentioned the dts because generally, when I unlock a router, I always try to replace its firmware with OpenWrt, and I believe many people do something like that. I love that operating system... anyway, thank you for the reply, I'm eager to see the other videos of this series and the JTAG ones come out! :D
@wsws7939 (1 year ago)
You are great! I learned a lot. Thanks
@yiannigeorgantas1551 (2 years ago)
Thank you for sharing! Great video
@arfjreyes (3 years ago)
Hi Valerio my hacker friend. Hope you discuss more about binwalking in the future. Keep safe!
@MrFreeze79 (3 years ago)
This is so fascinating. I'm trying to learn how to hack my surveillance camera, which has firmware that doesn't allow me to use it on my own personal system. I own the cameras but it doesn't let me use them on their own. I need to learn this!
@enthdegree (3 years ago)
Amazing channel. Do you have any book recommendations? Thanks
@frankclements6296 (1 year ago)
What happened to you Valerio?! Great content, would love to see more!
@ninetailscosmicfox5585 (1 year ago)
Is it possible to combine entropy values with brute forcing techniques to create something more refined for breaking encryption? I feel like at least some encryption standards could be vulnerable to exposing useful sequences.
@ANSARI5X5 (3 years ago)
Thanks for sharing good knowledge
@AtAGlimpse_UB (2 years ago)
The thumbnail is fricking hilarious! XD
@kenneth123skate321 (2 years ago)
Excellent video tutorial!!!! Thanks
@gersonsoares6628 (3 years ago)
Congratulations, excellent video, tutorial
@Gimsys (1 year ago)
The accent is music to my ears. Like someone said, this is very valuable information
@xbeox (4 years ago)
Very good. Everything I wanted to know and much more. 😊 You've already gained one more subscriber
@MakeMeHack (4 years ago)
Hello xbeox, thank you for your appreciation and support.
@SIMSTOREVN (2 years ago)
Thanks for sharing. Can I ask if we can extract the firmware from the Huawei 4G modem, to load the device with the same code?
@starlinkpk (3 years ago)
Very informative
@sosscs (11 months ago)
No video on using OpenOCD with JTAG to extract firmware from the processor?
@gersonsoares6628 (1 year ago)
Mr. VALERIO, aren't you going to make more hardware hacking videos for 2022?
@madmushroom8639 (11 months ago)
Love it!
@fahemabdelmalek5655 (1 year ago)
Thanks for sharing
@123chupachups (1 year ago)
Great!!😃
@Mikedunk (4 years ago)
Thanks a lot for your videos. How can I handle a list of .zlib files? After using binwalk to extract the files in the firmware, the system folder is split into multiple .zlib files and multiple fs_1 folders. Also, how can I add Burp Suite's root certificate into the list of trusted certificates for traffic analysis? Thank you!
@MakeMeHack (4 years ago)
Hello Emmanuel Wamuo, thank you for your appreciation. I suppose that Binwalk misidentifies the .zlib files, extracting something that was not intended to be a separate file. If it creates multiple fs_x folders, it is because it identifies (maybe wrongly) multiple file systems or multiple partitions inside the firmware file. Do you have files inside the fs_x folders? Regarding adding the BurpSuite's trusted CA certificate, it depends on your device; you should find where it keeps the current CA certificates and put the BurpSuite's certificate there, adding to or replacing the current certificates.
@mattli6464 (1 year ago)
Impressive, thanks
@lodmania5745 (3 years ago)
I found the firmware on the internet but it is a zip file. According to the firmware upgrading procedure of the router, it accepts a zip file and does not request a password. Unfortunately, when I try to work with the same zip file in binwalk it cannot even unzip without the password. Also I can't access the bin file. Please give me a lead. Should I manually get the stock firmware out of the router using a UART module?
@drygdryg2 (3 years ago)
Thank you for the useful information! I want to note that in some cases unsquashfs does not work because the manufacturer made changes to squashfs-tools to pack their own firmware. In such cases, sasquatch helps: github.com/devttys0/sasquatch For example, I recently discovered Netis WF2411 firmware, and unsquashfs was failing with "read_ids: Bad inode count in super block" - sasquatch helped me to extract the router filesystem.
@chuxxsss (1 year ago)
Did you hack Amigas?
@user-tz1xp4sl7e (2 years ago)
Hello dear, I am one of your recent subscribers and I have followed a number of your explanations about ((uart)), but I have questions that I did not get an answer for. Is it possible to contact you when you find the right time?
@ecuunlock (4 years ago)
Should be called hacking with Dracula!! Lol love your videos, thanks!
@MakeMeHack (3 years ago)
Thanks for the idea!
@raccoon7533 (3 years ago)
Hi, there is a firmware dumper available for your Canon M50 camera made by the Magic Lantern team: www.magiclantern.fm/forum/index.php?topic=16534.0. This is a modified firmware update file which dumps the decrypted firmware to your camera's SD card without modifying the camera.
@EnzoEpinet (3 months ago)
Hello Valerio, your lessons are extremely interesting and I try to follow them with passion, but unfortunately I don't have the basics and the ability to understand them. I am an electronics enthusiast and, following some tutorials on YouTube, I managed to extract the image of a NAND by desoldering it and then resoldering it onto the camera whose password I lost. Fortunately the camera still works after my intervention, but clearly I am not able to recover the admin user's password. Although I imagine you are a very busy person, I ask whether you could help me if I sent you the link to the .bin file I obtained, about 500 MB. Clearly I will continue to appreciate your tutorials if you do not find the time to help me. I apologize to your subscribers for writing in Italian. Thanks, Enzo
@paulcohen1555 (1 year ago)
Hi, is the creator still active and answering the questions?
@alfawifislax9182 (2 years ago)
alfa aip-w525hu dump
@marceloap140 (1 year ago)
👍🏼👍🏼👍🏼🇧🇷
@typedeaf (1 year ago)
Not gonna lie, the English is hard on my ears, but the content makes up for it.
@patto2k358 (1 year ago)
Mama Mia
@rjbrake (1 year ago)
make me a gyro