Extracting and Modifying Firmware with JTAG

32,641 views

Matt Brown

1 year ago

In this video, we discuss how to extract firmware from a RP2040 microcontroller on the Defcon 30 badge using JTAG. A JLink debugger is used. We also push a modified version of the firmware back to the device.
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#iot #jtag #defon #raspberrypi #iotsecurity

Comments: 40
@toadtws 8 months ago
Great video! Minor vim note: at @17:30, you can use capital R to enter Replace mode. That way you won't have to count anything. Just make sure you only modify ASCII characters.
@JamesColeman 7 days ago
I am all for IOT companies not disabling JTAG. Just keep them away from evil maids, and you're all good.
@jc4190 1 year ago
Awesome video!! Could you do something with STM chips that are locked sometime soon? My vaguest of vague understanding is that you can sometimes do something with pulling boot select pins low to get it into a debug mode regardless of other configurations, but I don't have the first clue how to actually do that irl. Keep up the great videos m8!
@sammay1540 1 year ago
I recently came across your channel and I love your videos. If you ever have a project where you gain practical functionality of a device by hacking it, that would make a great video. Like the security camera sending the stream to a self hosted storage server or other ideas you may have.
@goutham24693 1 year ago
Hi Matt, very informative video. Is there any way to convert the binary dump to source code or to understand it better?
@Patrick-ky7ez 9 months ago
Your channel is incredible!
@OMNI_INFINITY 11 months ago
Where is a repository link to PCB files of that badge? Looks like a nice little capacitive keyboard.
@baghdadiabdellatif1581 5 months ago
Great work 👌👏
@MiroslavObrtel 7 months ago
And that was pretty amazing
@welltonmanopelli3224 4 months ago
Very nice
@mattp4953 1 year ago
So cool! What are you going to push to it next, if anything?
@mattbrwn 1 year ago
might require some big time reverse engineering :D I wonder if they released the source code to the badge......
@mattp4953 1 year ago
@mattbrwn another question: can it run doom (just thought of this)
@mattp4953 1 year ago
@mattbrwn have you thrown it into Ghidra yet? Assuming it's an ELF, is the binary stripped?
@robertbauer6723 1 year ago
Very informative, great info! Thank you for making this. BTW your audio is really low.
@mattbrwn 1 year ago
Thanks! Trying to find the sweet spot with the audio
@woolfy02 7 months ago
I just got a Bus Pirate 3.6a and I'm wanting to connect to a device using JTAG. The available pins on it are: TDO, TDI, TMS, TCK, GND, RESET. Do I just connect each one to the same-named pin, from the Bus Pirate to the device (like TDO - TDO, TDI - TDI, etc. for all of them)? Years ago I used UART, but I'm not seeing those connections on the board I'm trying to mess around with. I just can't seem to find a guide / tutorial that explains how to set it up for newbs.
@alanwake5927 1 year ago
Where could I buy the student version of the J-Link?
@abdennour183 20 days ago
Does the J-link support Atmega32u4 ?
@michaelmclardy9165 1 month ago
Can you do the Huawei H112-372? How to get UART and JTAG.
@Finrow1 1 year ago
How did you know to use the SI form of Mbit and not the binary form of Mbit?
@mattbrwn 1 year ago
Honestly I guessed 😅
@paololuise6514 1 year ago
What is the debugger model you are using?
@mattbrwn 1 year ago
XGecu TL866II Plus. Also have the newer XGecu T48.
@a-listercrowley2737 1 year ago
Man, I keep seeing JTAG written on different boards. I'm still a rookie, got a long waaay to go.
@teltechservices7978 1 year ago
Amazing man, thank you for the cool stuff, hacked by nmat😊
@aduntoridasful 9 months ago
What microscope do you use for videos?
@mattbrwn 8 months ago
AmScope
@rajivsingh6633 4 months ago
Dear sir, I have a problem: the MCU has a tooll0 pin, reset pin, VCC and ground. How can I extract firmware from the MCU?
@turanamo 7 months ago
You could have added the part where you locate the h/w key to crack it 😛
@PapaGeegee 11 months ago
Do u have EPON firmware for ZTE?
@jesussaeta8383 8 months ago
Yes, the volume is very low on your end.
@RussellSenior 8 months ago
Why not just hook up to the SPI NOR flash and dump that way? flashrom, ftw.
@mattbrwn 8 months ago
This video was specifically to demo JTAG.
@throwaway1076 1 year ago
16 megabits is 2 megabytes, which is 0x200000... Converting 20000000 decimal to hex is not 2 megabytes.
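Two points in this thread come down to one rule: the vim Replace-mode tip earlier (@toadtws: overwrite characters, never insert, and touch only ASCII) and the size arithmetic in the comment just above (16 Mbit, with the binary prefix flash datasheets use, is 2 MiB = 0x200000 bytes). When you patch a dumped image before pushing it back with the debugger, the byte count must not change, or every absolute address in the image shifts. The Python below is an added example, not code from the video, the badge project or any commenter; the firmware image it works on is a small constructed byte string, and the function names are my own.

```python
# Added example, not code from the video or its comments. It shows (1) why a 16 Mbit
# flash part is 0x200000 bytes and (2) how to patch an ASCII string inside a firmware
# image without changing a single byte count, then how to verify that only the bytes
# you meant to edit differ before writing the image back. SAMPLE_IMAGE is constructed
# for this example; it is not the badge firmware.

from typing import List


def flash_size_bytes(megabits: int) -> int:
    """Capacity in bytes of a flash part quoted in Mbit, using the binary prefix
    that flash datasheets mean (1 Mbit = 1024 * 1024 bits). 16 Mbit -> 0x200000."""
    return megabits * 1024 * 1024 // 8


def patch_ascii_string(image: bytes, old: str, new: str, pad: bytes = b"\x00") -> bytes:
    """Replace the first occurrence of `old` with `new` inside `image`, in place.

    The replacement is padded to the original length so nothing after it moves; a
    longer replacement is refused rather than silently shifting the rest of the
    image. Only ASCII is accepted, so a multi-byte encoding can never change the
    byte count behind your back (the same reason the vim tip says ASCII only)."""
    old_b = old.encode("ascii")
    new_b = new.encode("ascii")
    if len(pad) != 1:
        raise ValueError("pad must be exactly one byte")
    if len(new_b) > len(old_b):
        raise ValueError(f"replacement is {len(new_b) - len(old_b)} byte(s) too long")
    start = image.find(old_b)
    if start == -1:
        raise ValueError("original string not found in image")
    new_b = new_b.ljust(len(old_b), pad)  # pad with NUL: C code sees a shorter string
    patched = image[:start] + new_b + image[start + len(old_b):]
    assert len(patched) == len(image)  # the whole point: size is unchanged
    return patched


def changed_offsets(before: bytes, after: bytes) -> List[int]:
    """Offsets at which two equal-length images differ. Run this on the original
    dump and the patched file before flashing: every offset must fall inside the
    string you edited, otherwise something else moved."""
    if len(before) != len(after):
        raise ValueError("images differ in length; do not flash this")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


# Constructed sample image: a few binary bytes, a NUL-terminated banner, more binary bytes.
SAMPLE_IMAGE = b"\x00\x20\x00\x10" + b"Hello from DEFCON 30\x00" + b"\xff" * 8
BANNER_OLD = "Hello from DEFCON 30"
BANNER_NEW = "Hello from my badge"  # one byte shorter, so it receives one NUL of padding


def demo() -> bytes:
    """Patch the sample image and prove only the banner bytes changed."""
    patched = patch_ascii_string(SAMPLE_IMAGE, BANNER_OLD, BANNER_NEW)
    start = SAMPLE_IMAGE.find(BANNER_OLD.encode("ascii"))
    for off in changed_offsets(SAMPLE_IMAGE, patched):
        assert start <= off < start + len(BANNER_OLD), f"unexpected change at {off:#x}"
    return patched


if __name__ == "__main__":
    print(f"16 Mbit = {flash_size_bytes(16):#x} bytes")
    print(demo())
```

The padding byte defaults to NUL, which is what a C string reader wants: the new banner simply terminates early. Pass `pad=b" "` if the string is displayed fixed-width and you would rather see spaces than have it cut short.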
@XenoTravis 1 year ago
I dislike that connector style so much. The cable is expensive and the pins will bend easily.
@BobCat0 1 year ago
Your video is flipped.
@mattbrwn 1 year ago
lol good catch. I thought I fixed that... I'm kinda new to OBS
@bubbasplants189 13 days ago
Now to find an old xbox 🤣
@levonrockerz4299 11 months ago
The last command is not supported by J-Link Commander v7.88j, start here ^[nmatt@ripper badge]$, ..only savebin is working. I am trying to extract an STM32F103R8.