Exploiting Wi-Fi Password Patterns
Comments
@karaniii 2 hours ago
Mom, Dad... I found gold content. You're amazing at this stuff. I'm bringing all my friends. You earned a new sub.
@Verault 2 hours ago
Oh no a flat brim hat.. Jesus.. Why? Does it still have stickers?
@waelbadr4724 4 hours ago
How to connect the chip base with an ST-LINK programmer to read its firmware? The chip is an ATMEL microprocessor.
@gryzman 5 hours ago
They are sending the commands and requests to the GPS module of the cellular connection
@stankenootgaming 8 hours ago
shouldn't you put a blur over amazon? mister Ashburn 20149
@mattbrwn 7 hours ago
Yes... That's totally where I live...
@KeithFox 17 hours ago
This guy is a genius hacker and expert with Linux. I learned more in this video than all years in school.
@KeithFox 17 hours ago
Not all heroes wear capes. Great video! Wow this is great work
@victorchorques4893 23 hours ago
I liked this video a lot. Keep on the good job. I learn a lot from your videos. Greetings from Spain
@LoneStarBassPursuit 1 day ago
Have an idea for some devices that would be interesting to see if you can get a shell on.
@saeedbaloch2 1 day ago
I can't wait for next videos
@amzytheking 1 day ago
Don't know if you picked up on it, but the company is called "Ellis and Ellis Consulting" supposedly, and the developer of the app is also "Louis Ellis" - so how about that... consistency :)
@affinitystablepeanuts 1 day ago
Hey, amazing videos! Thank you. I have a couple of questions. 1. Can you explain how this extracted firmware is different from simply downloading the latest firmware zip from the manufacturer's website? 2. Isn't this UART root shell the same as just enabling SSH via the web interface and simply logging in? I'm definitely confused.
@mattbrwn 4 hours ago
1. When you extract the firmware from the device itself you will often get writable partitions with device specific data that is not in the firmware file. Also, most newer devices don't let you just go to the manufacturer website and download the firmware file. 2. Some devices might allow you to login as root but many do not give you this level of access.
@kb9mtd-aaronwebb 1 day ago
@mattbrwn how can I send you material? I have a couple freight trackers that you may be able to compare to this.
@isettech 2 days ago
It can work as built. The cell modem does not require AT commands to dial. It can be configured to Auto Answer and NMEA data is connected to the calling party. If you are old enough to have worked with dial up modems, and possibly were a Sysop for a BBS, you would be familiar with the Auto Answer configuration. On modems, the dip switches could be set for auto answer or not. Without auto answer, the RI Ring Indicator signal would tell the program the modem was ringing. The program would reply with ATA which is the AT command Answer. To proceed, get all the info you can on modem AT commands and hardware configuration.
@ecaparts 2 days ago
The SIM card itself is a microcontroller and can run custom applications. I would imagine there is a custom application running on the SIM card to poll the GPS coordinates and shit them out via the 4G LTE network to some shady server.
@dieSpinnt 2 days ago
Just some technicalities and nothing of importance, Matt: "... now, that the solder turned COLD ...". Hehehehee. Don't talk that way if professionals are in the room. I may be wrong, because I am German, but I sense that "cold" in conjunction with solder-joints also means a VERY BAD THING in English: Unstable, weak and bad connections (romantics ... the old days ... with LEAD ... were so much better! Just joking. You could see cold solder joints easier with that poison as part of the solder-alloy). May I suggest: "... until it turns SOLID"? Which is actually what it does, changing its state of aggregation and forming a mechanical and electrical, reliable connection. Well, until you move or shake the joint while the solder is cooling down, which may result in that so called "cold solder joint". A reason for headaches, failures, I mean unrepeatable sporadic failures, in the future. I'm sorry if I got too emotional when I am talking about our(my?) NEMESIS as e-engineers and service personnel, etc. Hehehehe:)
@Sp1der44 2 days ago
Outstanding breakdown of the process. I felt the excitement when you were able to log in! Brilliant stuff!
@user-yi4ef2gk1o 2 days ago
wow you are a gizmo i stg i watched your whole channel today, addicting seeing what you can do 🙈
@mikehibbett3301 2 days ago
The missing cpu is not a surprise. The simcom module almost certainly has an application processor on it. The company did a great thing - they put an MCU down to implement the basic functionality easily, then when they worked out how to use the application processor on the simcom module, they could drop the MCU without needing a pcb re-spin. That's a sensible approach, I do it myself.
@ggNotSuree 3 days ago
Trying to learn all of this and very overwhelmed. Are you able to access the jtag state machine this way? And command the actual registers? I’m reading how to do that, but nobody ever explains how they gain access to do that… and what they are typing the commands on/through…. Sorry if this is a stupid question
@matthewgavin 3 days ago
Exciting, great educational videos!
@user-yi4ef2gk1o 3 days ago
You Are the MAN, People like you are the reason for fun in this world
@user-yi4ef2gk1o 3 days ago
This is a great series and great channel, Keep HACKING hardware we like what you are doing. Here is an idea for a future video: show us how to root shell a dsl or router of any kind over the lan remote. such async calls or other channels of coms
@charleshines2142 3 days ago
If you had dialup internet you may have seen or had to mess with AT commands. I have no idea if cellular has more or fewer commands but on dialup you could use them to set the baud rate of the connection and various other things. Back then if you had dialup and had an unreliable connection the AT commands would allow you to try different settings that may work better or worse. I don't know who still uses dialup connections these days but there are probably a few. Dialup of course, worked on land lines and some people still have those for phone service or they might have kept it so they could send faxes.
@user-yi4ef2gk1o 3 days ago
Great work
@KallePihlajasaari 3 days ago
Somebody made an IoT beer fridge using a game console posture controller and you can find the video by searching for "Wii Balance Board". If you want to live dangerously you can get set up to do chip de-capping using hot concentrated nitric acid. There are a few videos on that as well. Recently someone has also posted a video of a galvo laser being used to decap some IC but it was a tricky procedure.
@ab-fm4xj 3 days ago
3 minutes in still 0 information...
@mattbrwn 3 days ago
Lol be honest: did you watch the whole thing? 😂
@Maysi2k 3 days ago
Hey Matt, did you see the Software minipro from David Griffith? Looks like that is a native Linux- & Unix Software for the Xgecu T48.
@tonibonbonii 3 days ago
I adore your videos! Much love <3
@danielsimpkins9662 3 days ago
I've seen enough Big Clive to know where this is going. It's a bunk device with no real use and it's all in the bogus app which likely uses your phone's location information, if any, and pretends to do things.
@MOHAMMEDABAALAWI 3 days ago
I hope to make video about extract dts file from boot in router cortex a15 and compile by openwrt and the router not supported by openwrt to make new profile to this device
@Falney 3 days ago
If there is no connection between the gps module and the lte modem, I am guessing it uses triangulation rather than true gps.
@tonik2558 3 days ago
I was thinking that as well. A quick precision test would be enough to verify if it's actually using the gps module
@user-yi4ef2gk1o 3 days ago
you the man
@LostDeadSoul 3 days ago
Yeah. @ GlobeTracker they use similar GSM/LTE modules in their shipping container trackers. I think the module can be programmed just as a regular micro controller. Then it's just a question of how fast you wish to empty your battery by sending data. There is even a module with integrated MEMS accelerometer. Love what you do. Please keep it up :)
@JamesIsNinja 3 days ago
Love the detail in your videos, every time I see a new one it makes me want to tear apart everything I own and see what's inside but I'd be so lost, although I do know soldering and am in IT. Any courses you're aware of for already moderately technical people to dip their toes in the water, or maybe a good device or types of device(s) to learn with? I want like a baby's first reverse engineer
@nicklasbroberglarsson8427 3 days ago
I guess the GPS outputs NMEA over serial and the cell modem might just relay the serial input to a predefined receiver
@ryanpeel1650 3 days ago
Hey Matt, the discord invite link in the description is invalid
@TheBuddyCassius 3 days ago
Without the files, I can only surmise a guess. I think you might be running into jffs journaling with the multiple files. Rather than extract the bin file you could use losetup to mount the image as a loopback device. At that point it should be possible to interact with the device with standard tools.
@tonyfremont 3 days ago
I hope you capture and reverse the communications between the two modules.
@tonyfremont 3 days ago
Far too many chip documents require an NDA before you can see how they work. This was a big part of the problem, then the solution, to Broadcom non-disclosure requirements. They just don't work with open source requirements. Fortunately for the raspberry pi, an inside employee was able to convince them to cooperate.
@KallePihlajasaari 3 days ago
They are considering listing on a stock exchange and then BlackRock will take ownership and lock everything up.
@mrsockyman 3 days ago
Some of those sims have data caps, restricted apns, but some have shared network plans. Most are designed so you can't rip a sim out and run for free but you could in theory utilise the sim and direct to your own addresses and use inconspicuous amounts of data. A lot of modern iot cell modems expect to get a gps module connected directly, I'd say there's a good routine doc that sends a status message that includes gps data, then whatever inbound server processes to show the user
@thrim5120 3 days ago
That is sick, I very much enjoyed. I want to do this in my future and was wondering where to start
@Twellick 3 days ago
You should be able to connect to the module via UART pins or USB and then adb to it. Hardware design datasheet will help you locate required pins.
@meistro32 4 days ago
I am betting this is using sim applets, the code is on the simcard. Reason for the unpopulated ICs is that the board can be populated with a microcontroller if you want a universal board that works with any simcard.
@gentoobr 4 days ago
Maybe this device does not get its location from the GPS chip at all. Maybe it gets its location from the cell network, which is less precise, but is still possible. In the first era of smartphones it was common for cheaper phones not to have GPS and instead would use the cell network for location tracking, which was very imprecise, but it sort of worked.
@ferrellsl 4 days ago
That was my first thought too. Customers are paying extra for assumed GPS accuracy but getting cellular accuracy. Shady vendors do this all the time on AliExpress and it's becoming a problem on Amazon as well.
@thiesenf 4 days ago
That thing doesn't actually need a satellite nav chip... The LTE will simply be talking to two or more cell towers and voila.... triangulation is happening... Oh... a null modem schematic... just hook up something to the RX/TX/GND pins and sniff yourself silly... :-)
@sajalsanthosh 4 days ago
Maybe it does cellular triangulation for location data instead of gps? If then why would they add a GPS module? Btw, I love this series. Keep it coming :)
@treybaxter9937 4 days ago
Great video Matt! I'm looking forward to the next ones. What watch are you wearing? It looks really nice!
@robertpalmer8925 4 days ago
Thanks for the video bro
@UntrackedEndorphins 4 days ago
SIMCOM modems (and modems in general) offer an SDK to run custom code in em. Which is great for simple and cheap applications like this. Last time I checked out the SDK it seemed like a nightmare to learn