Hacking a Knockoff Google Chromecast - Firmware Extraction

Captions
What's up everybody, this is Matt Brown with another IoT hacking video. Today I have a Chinese knockoff Chromecast device that I got from a mall in Southeast Asia, and we are going to begin our journey of reverse engineering this device. We're going to start with firmware extraction, and this is going to be one take, this video. I have not attempted to extract this firmware before, I've only done a minimal amount of recon, and we're going to see all of the ups and downs of what I go through to get the firmware off of this device. So let's go over to my workbench and get started.

All right, so here is our knockoff Chromecast device. You can see there it's called Anycast. Um, here's the box that it came in, uh, just your standard knockoff language: share online streaming to your TV, you know, uh, very, very professional stuff here. So, uh, I don't really care about that, I just want to open up this piece of hardware and see how it works. And so I've got my, uh, little iFixit tool here, and so we're going to go ahead and crack this open. There's no screws, uh, this case just kind of pops open like that, and we can see what is inside. And I'm just going to discard this shell because we really don't need that anymore.

Um, now we're going to actually dive underneath the microscope to take an even closer look at this device. So, uh, here you can see, uh, what is, uh, the main, uh, compute that we have here on this fake Chromecast device. Uh, next to it we have the memory, so you can see all of these, uh, all the buses here between the CPU and the memory. Um, over here, uh, it's easier to see on this side of the board actually, we have the micro USB which powers the device, um, and may do a little bit more, but we'll save that for another video. Uh, here we have a little push button, and over here we have what we're going to be looking at, uh, today. Uh, I mean obviously we have the HDMI part of the dongle here. So, uh, right here is our SPI flash chip, and we're going to go ahead and just zoom in nice and tight on this, make sure it's nice
and in focus. Uh, so here we can see the identifying information on our flash chip, and the main number that I am interested in here is, uh, the, uh, G25Q32C marking that we see on this chip. Um, also notice, uh, yeah, that we see, um, yeah, there's this G logo above the other G, and, uh, this is kind of a logo for the company that makes this device.

So we're going to go ahead and just pop over to my computer really fast and bring up my flash reader and the software that works with that flash reader, to see a little bit of the recon that I did. Like I said, I did open up this device and do a little research on this flash chip, and I have identified that flash chip within this software. This is the Xgpro software that goes with the XGecu universal programmer that I have over on my desk. So here I have this device pulled up, or this chip, I've searched for it, and you can see that I had to do a little Googling to figure out that it's actually called the GD25Q32C. So that is the one little bit of recon I did, I found out that other name just with a bit of Googling and that got us here. Uh, you'll notice that this chip has a bunch of different package types that it supports, and so here the package type we're going to be using is the SOP8 package. And so we click on that, and then if we go into device info, it's going to show us that, hey, here's how you position the chip in the reader once we get the chip off of the board.

But my goal today is to desolder this chip from the board, put it into our universal programmer, and then extract that firmware off onto our computer, and then do our first stages of analysis on that firmware that we extracted. Uh, there will definitely be more analysis of that firmware for later videos, but just wanted to show you the little bit of recon, the little bit of cheating that I did in this process to make sure that my flash reader would, uh, not fail me in the end. So let's go back to our microscope, and I am going to just zoom this out as far as we
can go, and over on my desk I have my hot air ready to go. I'm going to take some flux and I'm going to just put a little bit of flux on either edge of this chip, and this is really just going to help with the desoldering process, getting that solder to flow. Uh, now I got my hot air station firing up here, and I'm going to just kind of try to first heat the general area around the chip. And I am going to turn on, it's going to get a little loud 'cause I'm going to turn on my fume extractor to not breathe all this stuff in [Music], and then with my other hand I'm going to be holding my tweezers to wait for this to get hot enough for me to pull it off. Oh, and that was quick, very nice. All right, that was way faster than I expected that to be. All right, that's probably because I'm used to doing that as like 48 pin chips that take a year to pull off.

Okay, so we've got our chip here, and now I'm going to, yeah, just move it to a clean, relatively clean spot on my workspace. Let's zoom in a little bit, and so now it's going to fling away, let's get it back in there. So I've got a bunch of that flux, you can see it there. Uh, so what I'm going to do now is I'm going to take some Q-tips and some isopropyl alcohol, and we're just going to clean as much of that flux off of here as we can, uh, while trying not to get too many of these fibers caught on the bottom of those legs like I did there. All right, start with another end of the Q-tip, just go back and forth there very gently, and to flip it over, clean off the top, clean off the legs on the sides, and that's just gonna get that flux off of there as much as we can. I'll grab one more Q-tip and do that again because I think I still got a little bit on this corner down here. All right, looks good. And you know what, normally I would like try to like clean any residual solder on these legs, but these legs look pretty clean. Yeah, I'm not seeing a whole bunch of solder sticking to them, so I think we're pretty good. So I'm
going to go ahead and just throw some more hot air at this, and that's going to just evaporate away any of that isopropyl alcohol, and now we have ourselves a pretty clean chip there. So there it is, and, uh, you can see it when it's under the microscope, you're just going to have to believe me now because it's really zoomed out. So this corner of the chip here, in the upper left-hand corner, there is a dot on the chip indicating that this is pin one. And if you remember, we had our software that works with this universal programmer, and let me just, uh, face it this way, because this shows us that the pin one indicator for this system, it's telling us that it's all the way up here, and so it wanted us to have our socket placed all the way at the bottom of the reader. Again, I'll just like flash back here so you can see, right there in the software it's telling us that it wants the chip to be all the way at the bottom, but that pin one, it wants it to be facing, uh, towards the top.

So what we're going to do is we're going to take that chip and we're going to place it in just like it had it shown in that diagram. So we're going to push in on our socket, oh man, okay, that's hilarious. Okay, so this is fail number one. So this is the wrong socket, so now I have to look through my bag of tricks here and I have to see, is this the right socket? Nope. So this one was too big, this one's too small. I'm just like letting this chip fly around. So got a bag of other sockets here, let's see if this is the right size. This is what happens when I do this in one take and I don't rehearse it ahead of time. All right, this looks like this one is the right size, oh yeah. All right, so I'm actually going to use the microscope to help me make sure that this is aligned in the socket. Uh, I can kind of do it by hand, uh, just by my eyeballs, but it's always helpful to have the microscope. So here we go, obviously it's blurry, going to have to get in focus there, and now we just want to make sure that
this is all the way at the bottom and that we're making contact with all those legs. There we go, and we can obviously use the microscope to verify, uh, again like I said, no solder really stuck to this chip, but that there's no solder like bridging, uh, in between these different pins on the chip. So, uh, we did that pretty well. Now let's move our microscope away so now you can see how this gets inserted. So, uh, there's this locking mechanism here, and so we unlock it and you can see how it opens up all these spaces to put these pins in. Going to drop that in, and then we're going to lock it, and it's connected. So now we should be able to go over to our desk and switch to our screen here.

Okay, and this is the moment of truth that we are going to check this. Uh, we're going to do pin detect, so, uh, it should be able to read the chip ID and it should match with what this Xgpro software expects to be the chip ID. But if those are off a little bit, you can always take pin detect off and just try to do the read anyway, which I have done at times. Uh, let's see how this goes, this is always a bit nerve-wracking to see if this will actually work. We're going to go to device, read. Whoa, all right, you see that bar go across, you get excited because something good happened, and then something even better happened: we get like ASCII data here, so ncrc bootloader, you know, this is good, this is very good. All right, we have a good firmware read, it seems.

So now what we're going to do is, I've got a location that we're going to save this. So I'm running this Xgpro software, it's Windows only software, it's terrible, probably Chinese spyware, uh, yeah, let's just not think about that right now. Um, we're going to save it to a directory, to a file called firmware.bin. So we're going to hit save as, file's been saved, and let's pop over into our terminal. Let's make that bigger, and now we have our file here. There we go, it's a four-meg file, that's what we expected,
and we can, let's just run file on it. Okay, it didn't identify anything, that's to be expected. Now let's run binwalk. We're not even going to run with the dash e flag, which is the extraction flag, let's just see if it identifies anything interesting inside of there. Um, yeah, I almost wondered if it wouldn't. I am going to have to do more research into that CPU, uh, device, because this device has some signs of looking like nothing I've ever looked at in my life. So it has this JBOOT STAG header, uh, throughout the thing, um, but no like real file systems were detected. So like I said, there's going to have to be some extended analysis that I do that I can't do all on camera, but I am going to show some of the initial analysis that I would do if I'm not really getting a file system to extract out of this.

So the first thing is let's run strings on it and just see if we get any kind of interesting strings. Whoa, we get, uh, we get Baidu, which is like, that's like the Chinese Google or whatever, so that's super interesting. Again, Chinese device, uh, might be calling back to baidu.com. We get some things that look like a MAC address, so that's pretty interesting. Um, fave group, okay. Anycast, okay, this is interesting because Anycast is like another name on the box here for this device. Um, okay, and then I see something that looks like, I mean, this is just like garbage. All right, so let's, uh, let's like make it only find longer strings and let's look from the top. Okay, so we have the bootloader identifier string right at the top, um, some other interesting stuff. Yeah, I can't say for certain if this is a Linux device yet, right, I haven't seen any like signs that it is. Expand RAM EXT, very interesting. All right, okay, this all looks maybe like something that's a part, yeah, yeah, this is all part of the bootloader here. All those things up there
must be related to the bootloader. Oh, and that's it, that's all the strings. Okay, um, and I saw something up here, something about a key. It does make you wonder if some of this is encrypted, and binwalk actually has a tool that helps you try to figure out if some data inside of firmware is encrypted, and it's a dash capital E flag, not lowercase e, that does extraction. Dash capital E does an entropy check, and it should, if I have all the libraries installed correctly, it should actually graph out the entropy. There we go, let's move that to the other side so my face is not in the way.

That is exactly what I thought. Okay, so here we can see that the entropy is like low, so this is at the beginning and, uh, towards the end there, and what that tells me is that there's data, and you see that text at the beginning and some at the end when we run strings. But you see this middle section where it is like right up at one. What this is a telltale sign of is one of two things, and, uh, mathematically you can go study this in cryptography or like, you know, number theory or whatever. Um, it's hard to tell, it could be one of two things, it's probably one of two things: it's either compressed data or it's encrypted data, but you can't tell just by an entropy calculation which it is, right. Um, it could be like secure crypto, or it could just be like compression, right, that you just have to know the right compression algorithm to decompress the data. Um, but that is very interesting. Again, potential encrypted, uh, maybe by something else that's like, you know, contained in the bootloader itself, but like I said, that's going to need to wait for a later time.

So, um, that is the firmware file, though, that we have extracted from this system. We've got some interesting strings and we've got some data that now, when we put this chip back on the device, we can try to do some dynamic analysis of different pins on the CPU, maybe get some UART data and all of that. So we are also going to show in this
video reattaching the chip, so we're going to make sure that we can, uh, yeah, solder this chip back on so that the device works for our dynamic analysis for next time. So let's pop over to the desk and we will do that really fast.

So we're going to pull the flash chip off, set our reader to the side, we don't need that anymore, we got a very good read. Ah, that still has flux on it. So whenever I'm using flux, like sometimes if I'm just using solder I don't wear gloves, but that flux, it's nasty on your hands and when you wash your hands it still feels like it's there, so I'm going to put some gloves on. And we're going to, uh, so this is something I probably should have looked at beforehand, but, uh, let's pop over the microscope and look at things from this perspective. Let's get in focus, there we go. So, uh, obviously the chip, we know where pin one is, and if I would have been paying attention before I took the chip off I would have known that, but you can actually see here there's a diagram of the chip here, and it's telling me that pin one is located on this pin right here, that's this little circle. This is a really poorly like etched, like drawn diagram on this PCB, but it is telling me that it wants the chip to sit, if I can get it up here, like this, right, so pin one indicator on the board and on the chip.

And so I'm just going to kind of set that in the place where I, uh, oh, actually no, I'm not going to do that. Uh, we're going to throw a little bit more flux down here, I'm going to take my soldering iron and I'm gonna get some good solder here so that we can solder it back on just fine. But, uh, right, yeah, we're going to turn on our air extraction. You know, this solder seemed pretty good, so I'm just going to add a little bit of good solder to it, get it heated up. All right, that looks great. Again, the chip came off so fast that it almost makes me wonder if this is not lead free solder that they had on the board, but I mean most stuff that's
man when it's manufactured does use lead free solder. All right, so I've got the chip kind of in the right spot, and now I'm just going to throw hot air at it, and then with that flux there, when the chip heats up, should just kind of pop right into position. It does actually look like it's in the right position though, so, oh, there you go, you saw it slide just a little bit right into place. It's like a magnet, it just knows where its home is at when you got flux and hot solder. All right, that looks great. Okay, so I'm going to let that cool for a little bit and I can turn off my air extraction, and I'm going to wait, uh, a little bit before I put the isopropyl alcohol in there because it'll boil it off the chip if it's so hot, but I have yet to break a chip because I do this too fast. So there you can see it, it's so hot it evaporates it off really fast, but just going to try to clean up that mess of the flux that I created. Do some more, and there we go, that chip is reattached. That looks good. So we are now ready to do our dynamic analysis, which we will do in our next video.

I want to thank everybody for watching. If you watch to the end, please, uh, subscribe, that's a free way that you can support this channel to keep, uh, growing it and getting it out there to more people. Uh, and definitely comment below, join our Discord. If you have questions you can definitely give me a YouTube comment below this video, but there's going to be way more people that can help you in our Discord. We have over a thousand people in there now and growing, so want to thank everybody who's been a part of that. I got nothing else for you, have a great day.
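
An added example, not from the video or its author: the block-wise entropy scan described in the transcript, on a 0-to-1 scale, plus a signature check at the start of each high-entropy region, which is an extra heuristic beyond what the video shows for the cases where entropy alone cannot separate compressed from encrypted data. The block size, threshold, signature list and sample image are all assumptions constructed for this sketch.

```python
import hashlib
import math
import zlib
from collections import Counter

BLOCK = 1024  # window size in bytes (assumed; any fixed block size works)
# A few well-known container/compression signatures (not exhaustive).
MAGICS = {b"\x1f\x8b": "gzip", b"\xfd7zXZ\x00": "xz", b"hsqs": "squashfs",
          b"\x78\x01": "zlib", b"\x78\x5e": "zlib",
          b"\x78\x9c": "zlib", b"\x78\xda": "zlib"}

def shannon_entropy(block: bytes) -> float:
    """Byte entropy scaled to 0..1, where 1.0 means 8 bits per byte."""
    if not block:
        return 0.0
    n = len(block)
    bits = -sum(c / n * math.log2(c / n) for c in Counter(block).values())
    return bits / 8.0

def high_entropy_regions(image: bytes, threshold: float = 0.9):
    """Merge consecutive high-entropy blocks into (start, end) byte ranges."""
    regions, start = [], None
    for off in range(0, len(image), BLOCK):
        high = shannon_entropy(image[off:off + BLOCK]) >= threshold
        if high and start is None:
            start = off
        elif not high and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(image)))
    return regions

def classify(image: bytes, region) -> str:
    """Name the region if it starts with a known signature, else 'unknown'."""
    for magic, name in MAGICS.items():
        if image.startswith(magic, region[0]):
            return name
    return "unknown"  # encrypted, or compressed with no recognisable header

def build_sample_image() -> bytes:
    """Constructed stand-in for a flash dump: text, zlib data, opaque data."""
    def pad(b):  # align to BLOCK, then add one block of 0xFF as a gap
        return b + b"\xff" * (-len(b) % BLOCK + BLOCK)
    boot = b"".join(b"bootloader expand RAM EXT key=%d\n" % i for i in range(50))
    text = "".join(hashlib.sha256(b"%d" % i).hexdigest() + "\n" for i in range(400))
    packed = zlib.compress(text.encode())
    # SHA-256 in counter mode: deterministic bytes that look like ciphertext
    opaque = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    return pad(boot) + pad(packed) + pad(opaque) + b"ssid=Anycast\n"

if __name__ == "__main__":
    img = build_sample_image()
    for r in high_entropy_regions(img):
        print(f"0x{r[0]:06x}-0x{r[1]:06x}  {classify(img, r)}")
```

Both high-entropy regions score the same on the entropy plot; only the one that begins with a recognised header can be labelled, and the other stays "unknown" until the format or key is found some other way.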
Info
Channel: Matt Brown
Views: 55,672
Id: 01Rq17rmzrY
Length: 25min 3sec (1503 seconds)
Published: Thu Jul 11 2024