IoT Hacking - Polycom Conference Phone - Firmware Extraction
Рет қаралды 61,011
Ай бұрынIn this video we discuss the device firmware extraction of a Polycom conference phone device.
XGecu T56 universal programmer site:
autoelectric.cn/EN/TL866_main....
Wine wrapper for XGecu software:
github.com/radiomanV/TL866
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #reverseengineering #firmware
@joedalecki7327 Ай бұрын
I work for Poly, formerly Polycom and now part of HP, and I found this pretty interesting as well. Cool stuff.
@jibjibam Ай бұрын
Sad to see giants of real videoconferencing turning into Microsoft's puppies.
@ClosestNearUtopia Ай бұрын
I dont, but still I think it was interesting…
@scottpageusmc 22 күн бұрын
Nice! Been using them since the early 90's.
@whodaFru4551 Ай бұрын
Great content! I like to see real and non-staged footage. Its authentic and just shows the raw and sometimes tedious process with all the mistakes and fuckups which are part of hacking and important for learning and improving.
@mattbrwn Ай бұрын
I hate video editing so it's a win-win!
@marlinderwall8873 Ай бұрын
Thanks for making videos like this. My son is going to college soon to be an electrical engineer and these types of videos show interesting practical applications of what he's been studying in his electronics books.
@Nexxxeh 27 күн бұрын
I love the style of the videos. Showing working around problems giving a realistic look at practical work. Easy to follow, without being dumbed down. Love this.
@cristonlevato2255 Ай бұрын
Great content. I am researching on IoT hacking to get in the domain and your videos are both fun and informative for me (and probably for other people like me). Waiting for the next episodes on this device and your future projects. Keep up!
@guillaumelavoie1544 28 күн бұрын
Incredible, love to see how you explore problems and how flexible your solutions are! Thanks for showing your work!
@ItsAuver Ай бұрын
You know it's a great week when we get two Matt Brown uploads in one week 😍
@WangLees Ай бұрын
Keep up the great work Matt! We need more people sharing knowledge like you do :)
@heyyyitsjosh 21 күн бұрын
I love your channel. I didn’t make it through the computer engineering program at my university. But I still enjoy this kind of stuff a lot and your channel gives me inspiration to still keep learning. Thanks for making this
@jsaenzMusic Ай бұрын
Man.....SO happy I found your channel! Amazing!!!
@0xbitbybit Ай бұрын
Great stuff, keep showing the process, been having a few issues finding file systems myself with some of the stuff I've been looking at so very eager to see how you get on and what you try next :)
@mattbrwn Ай бұрын
Won't be a filesystem on this one. It's a microcontroller so it's just a bunch of code/data
@0xbitbybit Ай бұрын
@@mattbrwn Ah really? Interesting! So what does that mean, straight into Ghidra for some reversing? Does that mean the web server is running directly on the microcontroller? 🤔
@levvayner4509 Ай бұрын
Very nice. Im building an open source framework for IoT and was just thinking if I should invest the time to configure encryption at rest by default. You convinced me :)
@spacewolfjr Ай бұрын
The T56 is a great tool but I think growing a big greasy mustache is probably more useful in the long run.
@alexpascal5403 Ай бұрын
I like grease. I also like Greece ironically. My favorite think tho is greasy Greeks. 🤔
@futureconsequence5374 Ай бұрын
Dang bro u a straight up genius! your comprehension levels are impressive!
@HollyTroll Ай бұрын
great video, thanks for your effort. question: why were the credentials, certificates, and logs part of the extracted firmware?
@spacewolfjr Ай бұрын
+1 to using string -- I once ran that against a piece of malware and identified the employee who created it.. they had left some debug flags enabled and it displayed the path to some of the files including the C:\Users\
@CA.papaBear 26 күн бұрын
thats an epic fail lol
@garridomonfrero Ай бұрын
Nice video I would love to see in the next videos about exploiting the firmware, what are you looking for, how to attack the services without falling into looking for published CVEs, but rather to discover new bugs or what things we should investigate either technical or knowledge to exploit such things at the application level, once extracted the firmware.
@in70x Ай бұрын
You generally just use binwalk and try and mount FS on loop back Dev then you can explore the file system (usually it’s squash but binwalk can handle that). Then you can re-host or disassemble what you want but most people pillage the files for secrets that are generally out in the open…. - Credential - MIT Vuln Researcher Person
@ChakaHamilton Ай бұрын
The XML files are how you configure Voip Phone. See if you can find the provisioning manual and accompanying software to figure out what's in each file. I suspect the files are encrypted and you may need the software or key to decrypt them.
@M.W.777 Ай бұрын
Nifty! Thanks for sharing
@Benimen106 Ай бұрын
Please do more IoT hacking videos, im starting a course of IoT embedded systems around august and would like to get a cheat start with the help of your videos, which are really good.
@SinyaAmathea Ай бұрын
Super interesting! Keep up the great work :D
@tritnaha1345 Ай бұрын
How's the firmware off these compared to those of Avaya? I did a little exploring on the Avaya J-series of phones and they employ some pretty creative ways of securing things.
@king_james_official 20 күн бұрын
about the strings thing you were talking about. wouldn't it search for the nul byte too? like a few characters and then a nul byte
@spacewolfjr Ай бұрын
That's a dope furnace you have there!
@Wiseprotocols 25 күн бұрын
Hi Joe. Tal vez existe un lector para memorias de iphone ?
@nv1t Ай бұрын
any reason why you don't dump while in circuit? you could use a 360 clip or similar. Less stress on desoldering.
@justinhealey-htcohio3798 Ай бұрын
Awesome! Just out of curiosity, have you ever considered attempting to extract firmware on raspberry pi & the closed source MIPI CSI-2 Camera ISP? It would be great if that could all be exposed & made compatible with other image sensors
@mohamadasriabdulazid4784 14 күн бұрын
You should get one of those hot tweezers. With that you can use those solder braid as a brush, to brush away the solder from the chip without worring to deform the pin.
@pedroveloso9707 Ай бұрын
hi, Matt a little trick is to before remove nand , is make 1 pass using lead solder.... them hot air, this way less heat in pcb. tip 2 ..kkkk dont use qtip to clean ics.. it left all crap around (15.17) and it will avoid contact, use a a small brush like a old tooth brush
@mattbrwn Ай бұрын
Yeah I do that sometimes and definitely should have done that here to speed things up.
@Spudz76 18 күн бұрын
Also there are high temp cleaning pads for things such as dab pipes made of a sort of fabric that are zero-fuzz, absorbent, and don't care how hot things are.
@jaybrooks1098 Ай бұрын
think that connector is just a accessory connector. the jtag or serial will be pads near the soc. usually in a group that looks like enough pins.
@tritnaha1345 Ай бұрын
What about using OFRAK or Cutter to look into what you've got ahold of?
@slincolne Ай бұрын
Interesting. You could use openssl to decode the various certificates into a human friendly version for more details. Also - the 20 pin connector that you pointed out at the start of the video looks like a JTAG header. - one way to check would be to see if half of them (one row) should be joined to ground.
@frogz Ай бұрын
never thought these could be useful other than the amplifier/speaker being reclaimedf for other projects
@zataritamods7499 Ай бұрын
In regards to the q-tip fuzz getting hooked on the pins. My girlfriend uses these special type of cotton swabs called "glob mops" for cleaning her...medicinal tools. They're like normal cotton swabs, but they're packed really densely, and one end is packed to a fine point. May be useful for something like that 🤔
@user-mp9um5qj3u Ай бұрын
I always wanted to learn these hacking and low level things but currently learning web dev. Maybe one day i will learn these things which i always wanted to do. 🎉
@self_taught_stuff Ай бұрын
to clean the chip before putting it into the reader, you can just dip the whole chip into alcohol... way faster and better than cleaning it with qtips. to clean the solder of the pins, you can put the solder wick on the table and put the pins on it, then run the soldering tip over them, i find it easier and safer that way (you wont bend the pins).
@feff6754 Ай бұрын
Great video!
@gordslater Ай бұрын
I subscribed after 25 seconds of this vid lol
@Macj707 Ай бұрын
wow bad ass I just found your channel.. this great I am in!
@phr3ui559 Ай бұрын
what equipment do you use
@pablopoo Ай бұрын
nice lab!👌
@user-hh9db5nx8t Ай бұрын
that stuff is so interesting :O how u found out this is possible?
@muddkipp_1 Ай бұрын
Awesmazing channel yo..❤❤
@tihomirborovski5661 Ай бұрын
Most likely the pin header is for connecting JTAG. It could be possible to dump the FLASH and even debug the device using that port and no need to do any hardware job. All you need is a tool like PEEDI, BDI2000 or BDI3000.
@in70x Ай бұрын
Damn didn’t even know about the t56 I do it the old fashioned way but I just bought one
@spacewolfjr Ай бұрын
I like your microscope, is that one of those ones from Ali Express? I almost bought one a few years ago that Strange Parts recommended but decided to buy some extra meatballs for my spaghetti instead.
@mattbrwn Ай бұрын
microscope is a AmScope SM-4NTP 7X-45X
@lambertax 24 күн бұрын
Hardware management : catastrophic (dirty iron, not enough heat, seems Chinese flux,...) Software management : perfect Remains very interesting! Thanks
@cocusar Ай бұрын
Pretty good! One question for you: does this nand flash contain any kind of FTL? because I'd assume they'll NOT write to it like in a linear fashion, they must arrange blocks in some way.
@mattbrwn Ай бұрын
Not sure but I think all the flash readers read the data block by block so it reads in order.
@cocusar Ай бұрын
@@mattbrwn Yeah, I thought the actual blocks and how they're divided was the responsibility of the OS, I assume it might be possible for you to find contiguous blocks without any problem. However, with your findings about the cross site injection, that kinda voids the need to figure out how that works. Worst case scenario you can go back to what it was before!
@johncsuti6118 29 күн бұрын
You don't see a file system as the device uses TFTP provided by the network to run the firmware from the ram directly. Cisco VOIP phones do the same thing. They call the (MAC ADDRESS).xml then call there model number.bin to run the .xml is stored on the device while the .bin is downloaded every time. Upon boot up they check the .xml vs the TFTP for consistency.
@lukakostic9820 Ай бұрын
Awesome.
@ngrader Ай бұрын
18:35 Apparently spansion was purchased by cypress semiconductor, big stock merger. according to wikipedia.
@hoteny Ай бұрын
5:07 i didnt even know heating a rom would be safe for the data inside… well im not an electrical engineer or anything so yeah i just like these and one day want to extract data from a chip inside my childhood toy (probably midi and soundfont)
@mattbrwn Ай бұрын
These components are heated to these temperatures when they are originally attached in the factory. Most component datasheets will document the proper temperature curves for heating and cooling the chip but I usually just go for it. :D
@isheamongus811 Ай бұрын
No clean means that the flux is not conductive - if you don't clean, you won't short anything (but a bad connection is more likely) Right?
@mattbrwn Ай бұрын
Ahhh that makes more sense! Thanks!
@user-lr3vb1hd3n Ай бұрын
comment in support!
@larsmojo Ай бұрын
XGecu T56 + clamp adapter is part of my lap as well - but I find it more usefull to use an adapter where you simply solder it on.(via hotair) No need to clean the chip. No bad connections. However I only found a tsop48 adapter - anyone found one for tsop56?
@alexpascal5403 Ай бұрын
Nice video. You remind me of my little sister. 👩 ..but she couldn’t solder the way you do.❤❤
@twitch54304 Ай бұрын
I see you also use amtek flux. I’m guessing that’s what that was by the blurry syringe with the blue label
@mattbrwn Ай бұрын
yep its amtech flux
@spacewolfjr Ай бұрын
If those are PEM certs, I'm thinking it's the local (to the PolyCom) certificate store (like the trusted CAs).
@spacewolfjr Ай бұрын
Annnd you just mentioned that, lol I should really watch to the end
@larryslobster7881 Ай бұрын
6:38 ultrasonic cleaner, life changer
@frosty1433 Ай бұрын
Fyi you should probably blur raw certs too. They are just as secret as a password.
@gabrielstangel919 Ай бұрын
why 480p :(
@gergopap7207 Ай бұрын
Hi, what adapter do you put the chip in?
@mattbrwn Ай бұрын
Xgecu T56
@gergopap7207 Ай бұрын
@@mattbrwnThanks, but I was thinking of the green one, where you put the chip directly? Or is it a full set? Where can I order the complete set? :) Thank you.
@gergopap7207 Ай бұрын
Thank you! I found it! I see! :)
@petereacmen716 Ай бұрын
IIRC those Polycom conference room phones run VxWorks
@mattbrwn Ай бұрын
yeah it definitely seems like an RTOS of some kind. will be discussing that more in video 3 ;)
@foobar8894 Ай бұрын
@@mattbrwn I'll admit i'm only thinking of this just now and not during the previous video, but running nmap OS detection could have been useful. That might have given you a hint about what to expect.
@francistheodorecatte Ай бұрын
there are some Nortel models of these that run linux/unistim instead of vxworks/sip
@tritnaha1345 Ай бұрын
@@francistheodorecattecorrect. Old unistim phones do. Newer ones are Android/Linux basically
@twitch54304 Ай бұрын
Can’t you tell by the “0000” if it’s an actual dot?
@mattbrwn Ай бұрын
2E
@68f100ranger Ай бұрын
the file system is likely on the processor itself, Its called SoC. there are ways to read those usually.
@309electronics5 5 күн бұрын
It could also be that it downloads its own firmware on boot via tftp
@lost4468yt 21 күн бұрын
You can definitely get solder braid that doesn't leave a residue? Just don't buy the cheapest of the cheap.
@inq752 23 күн бұрын
But for real, you should do some in-depth video of how to properly modify firmware
@user-mb5ng9nc2n Ай бұрын
plese lerning hacking licens router mikrotik
@DJ-Manuel 24 күн бұрын
Put some solder ontop of the solderbraid (between the iron and braid) to help the heat transfer. Thank me later…
@socialtraffichq5067 Ай бұрын
He's got the gloves on so no fingerprints
@nick9323 Ай бұрын
wtf u bluring, like someone will trace where the phone from and go hack them !?
@mattbrwn Ай бұрын
it was actually the nuclear launch codes.
@TouYubeTom Ай бұрын
picture quality is low, like smudged and blurry
@daniel777L Ай бұрын
why dont you buy him a more expensive microscope? his optics are perfectly suitable to showing his method. be happy he filmed at all, pathetic ungrate
@sharetripllc Ай бұрын
.5 solder wick works better to remove tiny pins . Thank you I learn do you think China does what you just did
@miliniosarcol2452 11 күн бұрын
😢😢😢
@yukit119 Ай бұрын
15:42 So much hair stuff in there why you dont clean it right?
@mattbrwn Ай бұрын
Because it works... This is engineering not art.
@yukit119 Ай бұрын
@@mattbrwn oh okey, true if it works it works. But why need art to be clean?
@yukit119 Ай бұрын
yes, but there is a possibility of a short circuit even if it works for you. Bad answer from you!
@king_james_official 20 күн бұрын
@@yukit119good luck shorting pins with cotton swab leavings ahhaha
@yukit119 20 күн бұрын
@@king_james_official in this case yes but its not only this HAHAHAHA kid
@IT10T 22 күн бұрын
seems like social engineering is easier
@jibjibam Ай бұрын
Boş şeydi. Hamısı sökülməlidi.
@asnifuashifj91274 Ай бұрын
digital telephone devices existed wayy before the term IoT was invented. lets just call it what it is. great video though.
@user-cg3tk7zi9r Ай бұрын
Thanks again for your content. They have truly helped me along being new to this (For me) hobby/passion. I do have a question on something I am working on. I dunno if you have a means in which i can contact you but if you do I would really appreciate any advice.
@mattbrwn Ай бұрын
twitter DMs are best for that kind of stuff
@user-cg3tk7zi9r Ай бұрын
@@mattbrwn alright I'll download the app thank you
@rickeverett3304 Ай бұрын
Av Pro that used these extensively…before cell phones with speaker functions. I just recycled three that were in an old tub. What purpose did you do this for, certainly not to salvage parts? Curious to how this helps anything since no one wants these anymore?
@IT-ud9tx 29 күн бұрын
wow! when I saw that dot1x pem certificate my heart jumped. This is why all IT waste must be shredded, an "innocent" little phone just compromised someones network. Phone was probably factory reset by there IT staff too before it went into the trash.
@SuckMyGreasyPrick Ай бұрын
ha, you blocked the username and password the first time, but I spotted them later on lol
Technically Unsure
Рет қаралды 74 М.
Fun Effects
Рет қаралды 18 МЛН
GStore Mobile
Рет қаралды 93 М.
Photographer Army
Рет қаралды 4,5 МЛН