Hacking an AT&T 4G Router For Fun and User Freedom

Captions
What's up everybody, this is Matt Brown. Today we are taking a look at an AT&T LTE router that has been locked down. AT&T does not want its users to be able to configure and control this device, but by the end of this video we are going to take control, so we're going to give the power back to the users today.

Let's go over to my screen and show the problem, because it's not just me that's noticed this. I'm not a customer; I just found this device in an e-waste bin. But while I was searching for the web application credentials for this device, I saw a number of users complaining that they cannot log in to the web interface on this router that they purchased. They're AT&T business customers in some cases, and they're saying, "Hey, I want to change the wireless settings on this device," and AT&T is coming back and saying, "Oh well, the password's on the back of the router." No, the Wi-Fi credentials are on the back of the router, not the credentials for this login page that you can access from being on the Wi-Fi network or being plugged into the Ethernet port like I am, being on the LAN side of that network. Normally if you own a router you can log into it and make changes, but AT&T has developed a very specific firmware. AT&T didn't develop this router wholesale themselves; it's a DataRemote-made router that they have some custom firmware configuration loaded onto to make it locked down, so that their customers can't get into this device and mess with its settings. So we are going to attempt in this video to get back control of this device and figure out the login credentials, the username and password to the system.

You'll notice in some of these forums, this person is asking about this device and saying, "Hey, I tried admin/admin, I tried a lot of common, obvious guesses." This user over here really did their research. This is a more up-to-date version of this router, but the very same situation: there is this note of a "dri admin", some more custom usernames and passwords they're trying to guess, and these seem to be the default passwords for the default firmware, the original OEM firmware that this router manufacturer makes. But again, AT&T has a custom firmware or a custom configuration that they've loaded onto this device to not let their users in. We're going to go over to our desk and see if we can figure out a way to let the user in.

With that, I'm going to pop over to our desk cam. You can see that I've already popped the top case off of our router, and we're just going to take a look around. When I open this device up, as a hardware hacker I immediately recognize some components: we have a CPU, we have some DRAM (your volatile memory) over here, and we have a flash chip of some kind. What's interesting, if you're only used to being inside of standard Wi-Fi routers that have Ethernet and wireless networks, is that this may be new to you: this is a cellular modem, and over here is the SIM card slot. So this device has the capability to have the internet come from cellular, or it actually has (I don't think anybody uses it) POTS connections here. I don't think in the AT&T configuration they support the DSL or POTS phone line method of getting internet; I'm pretty sure they only support the LTE method, and so that is going to be the standard use case. That's kind of a cool thing that I definitely want to go down that rabbit hole on in a different video, but we're going to ignore the LTE portion of this router today. We're just going to try to gain access to that web interface.

Looking around this device, my eyes are immediately drawn to these pins right here. There are actually five of them; oftentimes you'll see a set of four pins. I did not even solder these connectors in here; they were already nicely present like that for me. So what I'm going to do is assume, and then verify, that that is a UART, a serial connection to the underlying system that will allow me to interact with it if I know how to speak that serial protocol.

The way I'm going to try to find that first is: I'm going to power off the device (you can see those LEDs go out there), put my multimeter into continuity mode, and set it to the audible mode so that when I make a connection I get that audio feedback from my multimeter. The first thing I want to do on a device like this is find ground. It's really easy to find ground on devices like this: any of these shielded components. I can verify that these shielded components are grounded by just touching two of them, and I get that beep. So now I know I can hold one of my multimeter probes there, and I'm going to assume that at least one of these pins is ground. Like I said, I can find a connection to ground in a lot of places on this board, but I want to eliminate some of these pins as candidates for two signals: one is TX and the other is RX, transmit and receive. So I'm going to probe through here. Okay, I get a beep, so this is a ground pin here on the left. Nothing, nothing, nothing, and that is grounded as well. So the leftmost and the rightmost pin in this set of five pins are connected to ground.

Now I'm going to switch over to voltage mode, again just hold here (this is an easier spot to hold for my ground), and click the button to turn on my power strip that's going to power this device. Then I'm going to measure the voltage on these three pins in the middle to see if I can find the board's transmit pin. The way I'm going to ID the board's transmit pin is that if it's transmitting data, I'm going to see this voltage fluctuate, not be constant. So here we go: hit the power, probing. Okay, I don't see anything there. There we see 3.3 volts, and there you see it's dropping down below that high voltage of 3.3 volts. Okay, so that is most likely a transmit pin. Going down the line again to the next pin: this is holding steady at 3.3 volts. Okay, so this is great. I have one pin that was kind of floating around zero, one that was going back and forth between 0 and 3.3, and one that was just a solid 3.3 volts. That tells me that the middle pin that was fluctuating is definitely the transmit pin, and then I'm going to guess that the pin to the left of center is our receive pin on the board, where we want to transmit data to it from our USB cable.

What I have here is just a standard UART-to-USB cable. It actually has six wires, but we are only going to use three of them; we only really need three to interact with most UART systems: ground, transmit and receive. First we're going to connect that ground to one of those ground pins; I'm going to do the one that's all the way on the right. Then we have our yellow and orange on this cable. You're going to have to look at the pinout of your specific cable. On my cable the yellow wire, which is connected to this green wire up here (I probably should have color matched those), is our receive pin on the cable side. So I need to connect the cable's receive pin to the board's transmit pin, and we guessed it's that middle pin. Then I'm going to make that other educated guess and connect the transmit pin of my cable to my candidate receive pin over here on the board. So now I've got our three signals, ground, TX and RX, ready to go. I'm going to get over to the computer, turn the device off, and we're going to get ready to receive these signals.

Over here I have my command ready. I'm going to use picocom, and I'm going to guess the default baud rate, which in like 95% of the cases on these modern Linux devices is going to be 115200. On my Linux system, when I plug that USB cable, the other end of that UART adapter, into my system, it's going to show up as /dev/ttyUSB0. So now I've got that open, and we're going to watch what happens when we power on our device. We're going to see a bunch of output come along; it's going to pause here for a little bit and then continue to boot. I'm actually going to scroll up so that it doesn't scroll down on me.

The first thing I see right here is it says "please choose the operation", and look at option number four there. It's telling me to press number four if I want to enter the boot command line interface. That is very useful: that will allow me to pause the boot process the next time around that I reboot the system, pause in the bootloader, and potentially have access to the bootloader, where we can do things like change the configuration of the boot process, maybe read some of the flash data, things like that.

Now I'm just going to scroll down. Here's the kernel command line; this is always really good to note. I'm actually going to take some notes. This is what I usually do in my hacking process: I'll open up a little text file and take some notes as I go along. So the kernel command line is very useful. Right here it looks like it's printing out stuff, but if for some reason it completely went dark on you, that might be because of something in the kernel command line that is causing that to happen, so it's always good to know what's happening there.

I'm going to scroll down some more in the boot process, and I get to this. This is always super helpful and something you'll often see printed out in the UART shell when the Linux device is booting up: this is the partition table of that flash chip that we identified over on the board. We can see the start and end addresses, and that is very useful if we want to read the contents of those partitions out of flash and extract those somehow.

We're going to keep scrolling down; there's a bunch of information that we could look at. Here I see something very interesting: it's calling the change password command, and it says "password for super admin changed". Okay, so this is really interesting, and again maybe matches some of what we might expect the system to do, right? If there is some kind of customization that AT&T has on this system to set the password to some non-default default password, maybe it's doing it in this boot process. And we have an indication maybe that super admin is actually the username that we need to be entering into this web interface. All really cool stuff to know.

I actually want to get back into that bootloader menu and see what I can do in there, because you'll notice here I hit Enter and I'm not even getting a login prompt, let alone a shell or anything. So I can't really do much with the system in this state after it's already completely booted. But we're going to remember that it told us that if we hit four we can potentially get into that boot menu. So I'm going to power the device off and on again, get over to my keyboard, and I like smash something over on my desk, all right, but we have successfully gotten into the bootloader menu.

Here we'll ask it for help; that's always a good place to start. You'll recognize right away, if you've done this kind of stuff a lot, that this is U-Boot, probably a heavily modified U-Boot. A lot of device manufacturers do that: they'll take the open-source U-Boot project and fork it. U-Boot is an open-source bootloader that targets Linux systems like this. You'll see here we don't have a lot of commands. If you've watched my other videos, you'll see that sometimes I'll get into a U-Boot shell and there'll be like 50 or 75 commands available. Here we don't have that many, but I do see one that corresponds with what I saw on the board in relation to that flash chip. SPI is a type of flash storage, so if I type... no, that's not the command I wanted. If I type `spi`, it'll say, hey, you need to write `help spi`. Okay, so here are some of the subcommands for this `spi` thing. I can run the `id` command, which just tells me the ID of the chip; I really don't care. But there is this `spi read` command that is very interesting. It takes two arguments, an address and a length. So let's see what this does. If we just read from address zero and throw in like 10...

Something I noticed right away, because the documentation for these commands is oftentimes incomplete and terrible, so you just have to experiment with them: a thing to note about this command, if we're going to use this for anything, is that it is parsing that last argument in hex, even if I don't put 0x in front. 10 in hex is 16 in decimal, right, and it's even telling us here "read length 16" when we put in 10. So that's good to know: any kind of length we're going to specify, we're going to have to convert that to hex.

So let's see what we would want to read from these partitions. Definitely the root file system would be interesting to pull off this device, but my mind actually goes first to these two config partitions. Those seem to me to be very interesting, just because you'll often see devices that have sensitive things inside of some writable configuration partition, where oftentimes the root file system might be a read-only partition. Any changes to a password or a credential or anything are not stored there, because that file system is intended to never change throughout the life cycle of the device. So we're going to prep this command, but first let's look around.

So `spi read`. Again, this is the start address over here, so let's just take a peek at this config partition. Let's just read like 100 in hex, whatever that is, 256, that's what it is; you've got to know your hex. That's boring, just a bunch of FFs. Okay, let's try this config back partition and see if there's anything in there: `spi read`, that address, and then 100. Okay, now this looks like we've got some good data in here. So that config back partition is interesting, and I think it warrants us pulling the whole thing.

To do that, we're just going to write out what our command is going to be, and then we'll paste it in. So we're going to do `spi read`, and we know our start address, that's here. Now we need to specify the length of this, so I'm going to open up a Python shell and do a bunch of math really quick. We're going to take the end address and subtract it from the start address of our partition, and then we're just going to convert that to hex. Just like that, we have our command ready to perform our read, so we can get rid of our Python shell for now.

Oh, okay, yeah. What I'm going to do is exit out of picocom by hitting Ctrl-A Ctrl-X really fast, and I'm going to add an argument here: I'm going to say `--logfile` and we'll just call it `out.txt`. What this is going to do is all of the inputs and all of the outputs that happen over this UART shell are going to be logged into this text file. So when our `spi read` command prints out all of this hex, it's going to get written into that file. Now, it's going to be in a weird text format; it's going to have all these whitespaces in the middle, so then we're going to have to parse it. But this is what's going to allow us to read this entire firmware, or excuse me, this entire partition, out of this system over UART from the bootloader.

So we are going to issue this `spi read` command, and it's going to start scrolling. In the meantime we're going to open up a shell here. I think that's where we are; good, good, good. We will wait for that to complete. Actually, in the meantime, what we're going to do is... oh, okay, we have to move that to 103, and then let's go to that directory.

Okay, so now I've got a couple of terminals, and we've got this text file here, so let's actually go look at this text file. We can see my command, the first line of output where it says "read length" tells us how many bytes it read out, and I'll hit down one more time, and then all on one line inside this text file is every one of these hex bytes printed as a string. So what I'm going to do is clean up this file first, just to make it easier for us to write a parser that's going to extract all these bytes and convert them into their binary form. I'm going to delete these first two lines, and then this little caret-M thing, I'm going to hit x in Vim to delete that, and this line at the end, I'm going to delete that. So now all I'm left with is the data.

We're going to make an observation about the data right here: you'll see that the way this U-Boot output of this hex dump works is that if there's a leading zero, it just doesn't include it in the byte. So here's this byte that would normally be represented as a hex byte as 01; it just lists it as 1. We're just going to have to be aware of that and account for it when we write our parser. We'll save that file, and now let's write some Python code together.

This is just going to be some really quick and dirty Python code today. We're going to have a file name, let's call it `in_fname`, and we'll get that from the command line, the first argument, and then we're going to write this out to a file too when we do all this data conversion, so we'll do our `argv[2]`. In case you're wanting to understand how that's going to look, we're going to call our code like this: it's going to take in that text file, and then we'll call it `out.bin`. So we're going to run our code like that, and this `out.txt` is going to be put in as `in_fname` and `out.bin` is going to be `out_fname`.

Now we're going to open those files for reading and writing. This in-file we're going to call `f_in`; I'm going to say `open`, and we're just going to do `'r'`, so we're just going to read from that file, and it's all text data, so we don't need to put the `b` permission in here for binary. Then we're also going to do `f_out = open(out_fname, 'wb')`; here we are going to write, and we're going to specify that `b` because some of the data that we're writing out is going to be in binary format, it's not all going to be text, so we're going to need to do that.

Now we're going to say `for line in f_in`; there's only one line, but I'm doing it the quote-unquote right way. Then we're going to say `data = line.split()`. What I'm doing with split is, by default, if you don't specify any arguments for that function... that's my multimeter yelling at me to turn it off and save battery. The split function will split on whitespace, and it'll strip out all whitespace to either side, which is perfect for this use case, because everything is separated by whitespace. I'm going to call that, and then I'm just going to print this out. I always like to do print statements and slowly build my Python programs. Here you'll see it: now that `data` variable is an array of strings that represent all those bytes.

Now, remember we have to deal with that case where I said some of the data doesn't have that leading zero. So we're going to say `for d in data`; we're going through every one of these bytes, and we're saying if the length of that data byte is equal to one, then I'm going to say `d = '0' + d`, adding a zero to the beginning. Then, back outside of that conditional, we're going to say `out_data = bytes()`, and then `out_data += bytes.fromhex(d)`. So we're converting each individual string representation of a hex byte to a `bytes` variable in Python, and then appending it to our ever-growing list of bytes that becomes `out_data`. If we want one really quick sanity check before we finish this program, it would look something like this, and we'll pipe it to `less` to make it look interesting. Okay, so now you're seeing that string data coming out of that. The final part of this is going to be to write it to this output file, so we just do `f_out.write(out_data)` and we're done. So now when I run this program... okay, I got rid of all my print statements, which is good. I run it, and there's no output, because what it is doing is writing the file out to `out.bin`.

Now I can run `strings` and get a bunch of data out of that stuff. We have now successfully pulled that entire partition out of the bootloader using that `spi read` command, and we've written a really simple Python script to convert that hex dump format back to the raw data, and we see a lot of interesting stuff in here. This is where it gets really fun. Let's get rid of this source, don't need that anymore, exit, so we can run `strings out.bin`. I don't know, do you think there'd be any users or passwords in there? Well, there are. Before, remember there was that super admin? Here we can see the admin user configuration is set to super admin. Well, that's pretty interesting. And right down here we see the super web password is set to this value, which honestly we never would have guessed; we never would have been able to brute-force it. But for the hardware hack, we would not have this credential. So let's go and try it on our web interface. Let's try super admin, paste that password, and... "no route to host". Oh my gosh, that's because the device isn't on. Wow, that was anticlimactic. We have to reboot; we were paused in the bootloader, that's why it's not working.

All right, so we're pretty sure this is going to work, but in the meantime we can get ready for the next part. Let's just track when this device comes back online, because we're all very interested for it to be back up. There are a bunch of other really interesting things in that config back partition, very interesting stuff, multiple different passwords actually in there. Come on, man. I guess we could track the boot process of the device; let's do that. Okay, it's doing things; yeah, setting up the bridge interface; come on. Okay, now the system is up, so now we can go back here, try super admin and paste our password in... and we're in. We have now logged into the system as the super admin. We have access; we can go and configure this system to our heart's content. We could change that default SSID, go in and reconfigure the password, make any setting changes we want.

But wait, there's more. This is the web login, but I wonder if we could do anything else with this. Let's go back here. Yes, it's very clearly on the network now, so let's run an nmap scan really fast on this thing. They have left SSH open on this device on the LAN. So, yeah, you wonder, would they really reuse that password for the SSH login? Well, they did. So `id`, `whoami`, whatever: I'm root. Actually, super admin is what I am; it's the only user on the system, but super admin is UID 0 on this system. Now I can run... of course it's BusyBox, so we just literally run `ps`. There we go, we can see what's running on this system. There's Dropbear, which we're very thankful was running on the system; Dropbear is a lightweight SSH server (excuse me, not a client), and we now have completely full control of this device. We could really do whatever we want with it, and it opens up a lot of interesting things you could do, because this is an LTE device: you could think of all sorts of fun applications that you could use this router for. The other interesting thing about this router is that it actually has battery packs that you can load massive batteries into and not have it powered by the standard AC wall jack. So you could actually have a rooted LTE device that you could carry around with you and do all sorts of fun things.

And there you go, AT&T: you tried to keep us out, but we got in anyway. I want to thank everyone for watching this video and seeing my process. I hope you'll see that I make mistakes along the way, just like you do when you're exploring this or learning something new, but if I can do it, you can do it. So thank you for watching, let me know in the comments if you want me to keep doing content like this, thank you and have a good day.
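The dump-to-binary conversion the video walks through, written up as an added example; this is not Matt Brown's script from the video. It assumes a picocom `--logfile` capture of a U-Boot `spi read`, that the dump prints one whitespace-separated hex value per byte and drops the leading zero of values below 0x10 (as observed in the video), and it skips the echoed command, the "read length" line and the prompt instead of requiring them to be deleted by hand in Vim. It also folds in the hex arithmetic for the length argument and a minimal `strings` pass. The addresses and the log text below are constructed sample data, not the router's real partition layout or contents.

```python
"""Rebuild a binary partition image from a U-Boot `spi read` hex dump.

Added example, not the script from the video. Assumptions (labelled):
- the log was saved with `picocom --logfile out.txt` and may still contain
  the echoed command, the "read length N" line and the U-Boot prompt;
- each byte is printed as a 1- or 2-digit hex token separated by whitespace,
  with the leading zero of values below 0x10 omitted ("1" for 0x01);
- SAMPLE_LOG and the addresses in main() are constructed sample values.
"""
import re
import sys

# One hex token as this U-Boot prints it: 1 or 2 hex digits, nothing else.
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{1,2}$")


def spi_read_command(start: int, end: int) -> str:
    """Build the `spi read <addr> <len>` command for a partition.

    This U-Boot parses the length as hex even without a 0x prefix
    (10 -> 16 bytes), so the length is emitted in hex digits.
    """
    if end <= start:
        raise ValueError("end address must be after start address")
    return f"spi read 0x{start:x} {end - start:x}"


def parse_spi_dump(text: str) -> bytes:
    """Turn the logged dump into raw bytes, skipping non-data lines.

    A line counts as data only if every token is a 1- or 2-digit hex value;
    the echoed command, "read length 256" and the "=>" prompt all fail that
    test and are dropped. int(tok, 16) handles the missing leading zero.
    """
    out = bytearray()
    for line in text.splitlines():
        tokens = line.rstrip("\r").split()   # split() also eats the ^M residue
        if not tokens or not all(HEX_TOKEN.match(t) for t in tokens):
            continue
        out.extend(int(tok, 16) for tok in tokens)
    return bytes(out)


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """A minimal `strings`: runs of printable ASCII at least min_len long."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [r.decode("ascii") for r in runs]


# Constructed sample capture (not from the router): 23 bytes of config-like
# text followed by a few binary values, with leading zeros dropped as U-Boot does.
SAMPLE_LOG = (
    "spi read 0x200000 100\r\n"
    "read length 256\r\n"
    "75 73 65 72 3d 64 65 6d 6f 0 73 73 69 64 3d 6c 61 62 0 1 2 a ff\r\n"
    "=> \r\n"
)


def main(argv):
    """Usage: python3 spidump.py out.txt out.bin (same calling shape as in the video)."""
    if len(argv) != 3:
        print("usage: spidump.py <picocom logfile> <output.bin>", file=sys.stderr)
        # Show the length arithmetic on constructed addresses when run bare.
        print(spi_read_command(0x200000, 0x240000))
        return 1
    with open(argv[1], "r") as f_in:
        blob = parse_spi_dump(f_in.read())
    with open(argv[2], "wb") as f_out:
        f_out.write(blob)
    for s in printable_strings(blob):
        print(s)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The filter on "every token is a 1- or 2-digit hex value" is what makes the hand-cleaning step in the video unnecessary: the command echo, the `read length` line and the prompt all contain non-hex tokens, so they are skipped, while a line of pure data passes even when it is thousands of tokens long.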
Info
Channel: Matt Brown
Views: 351,257
Id: I1w_HQ7soSE
Length: 34min 38sec (2078 seconds)
Published: Wed May 08 2024