#01 - Identifying Components - Hardware Hacking Tutorial

00:00

this is the first episode of the series

00:01

are rocking tutorial that is dedicated

00:05

to everything about our rocking kisses

00:07

for beginners but also advanced users

00:09

will find something useful on this

00:12

series the hard working process is

00:14

described based on information gathering

00:18

of hardware and software building an

00:21

emulation environment where to run

00:23

interesting binaries of our device and

00:25

eventually reverse-engineer them then

00:28

analyzing how the device works and then

00:32

at the end acting the device and

00:34

eventually modifying is firmer it is the

00:38

first episode we will talk about the

00:40

first steps of information gathering the

00:42

information gathering phase is based on

00:46

understanding who makes the device if

00:48

there is an original design manufacturer

00:51

because sometimes a company brands a

00:53

device or manufacturing device but

00:56

another company have designed the device

00:59

and development is firmer then we start

01:03

opening the device and trying to

01:05

identify is main device components we

01:08

are mainly interested in the system on a

01:10

chip and is architecture on amount of

01:13

RAM and the flash EEPROM but also to

01:16

understand if there are some other

01:18

interesting devices then we won't locate

01:21

the word interface in the JTAG interface

01:24

and ezra step information gathering

01:27

phase we want to get the firmer out of

01:30

the device and extract is the root

01:33

filesystem in this first episode we will

01:35

talk about the first steps of

01:37

information gathering up to identifying

01:40

device components I am a volatility on

01:44

petrol I have a background in digital

01:46

electronics and information technology

01:48

infrastructure and I wish to be your

01:50

friendly Italian acha neighbor willing

01:52

to share with you tools and techniques

01:54

but about our tracking that I learned by

01:58

myself acting many devices so let's

02:01

start

02:06

this router is the main device that we

02:08

will use during it is a tutorial series

02:11

the first step in information gathering

02:14

phase is to understand what kind of

02:16

device we have and is manufacture and

02:20

also to understand if there is an

02:22

original design manufacturer because

02:23

sometimes a company manufacturing device

02:27

but another company ever designed it and

02:30

develop it is firmer this router is

02:33

distributed in Italy by Lincoln Lincoln

02:35

is the biggest Italian internet service

02:39

provider because the wireless internet

02:41

service provider according to this label

02:46

it seems that this router has been

02:48

manufactured by Lincoln but Lincoln is

02:50

the name of the SP so this means that it

02:53

is only branded it not manufactured it

02:57

the manufacturer is someone else looking

03:00

at the label this device we are not able

03:02

to understand who is the original design

03:04

manufacturer of the device anyway we can

03:07

see that on the label do we have the

03:08

model name of the device the SSID of the

03:12

router the Wi-Fi default password the

03:16

LAN

03:16

MAC address or Ethernet MAC address and

03:19

the serial number of the device looking

03:22

at the manual we can understand that the

03:25

serial number starts with the string gmk

03:28

and then we have six digit for the data

03:31

of production 2g digits for the year two

03:34

digits for the month and two digits for

03:37

today of production then we have a 6

03:40

digit sequential number later we will

03:43

see that knowing this information is

03:45

very important to up the device and to

03:50

be able to generate the default Wi-Fi

03:53

password of the device in T's acting

03:57

tutorial we are we will always follow

03:59

the easiest part first

04:02

methodology this means that every time

04:04

we will always start with the easiest

04:07

path first so to get more information

04:10

about this device the first step the

04:13

easiest step is to search information on

04:16

Internet

04:17

so we will search information on

04:19

internet aunties device and we will

04:22

understand that this device has been

04:25

manufactured by Assad a suit Korean

04:27

company called gemtech they chased many

04:30

production site in Asian countries the

04:35

first step in the information gathering

04:36

phase is to look for our device on

04:39

Google because we are interested to know

04:42

as much as possible about our device we

04:45

can see that one of the first result is

04:48

the user manual and we also know that

04:50

the company that has produced our device

04:53

is Gentek we look at the user manual but

04:56

maybe there isn't there is the

04:58

information that we are looking for

05:00

because we are mainly interested in the

05:01

system monetary pressure from a flash

05:03

rom that is on our device so we return

05:08

back and we look at other search results

05:11

on Google one of these search results is

05:15

very interesting it is the search result

05:18

that the website tech info deport gives

05:21

us this is a website really interesting

05:24

with the lot of information on many many

05:26

devices it is a community driving

05:29

project so we don't have official

05:30

information and on some device we have

05:32

more information some other device we

05:34

have a less information in this case we

05:36

have a link to a product page but this

05:39

is an empty link pointing to an internet

05:42

service provider that is no more

05:44

information about this product that

05:47

maybe it is shipping in the past but we

05:50

have some other very useful information

05:52

like the FSS CC ID this is the ID given

05:56

to each device that is sold in the

06:01

United States FCC stands for Federal

06:04

Communication Commission and gives

06:07

approval to each device that they it is

06:10

compliant with radio emission regular

06:14

regulations so in this case we can click

06:18

on related link and we go to the FCC

06:21

website where the manufacturer has

06:24

provided some information about

06:29

device if we look at the information

06:32

available we can find some interesting

06:35

information for example we can see the

06:39

external photos of the device the ID

06:42

label of the device in this case this is

06:45

not our ID label it is a device

06:49

manufactured for another internet

06:51

service provider and we can see that in

06:53

this label there is the FCC ID and we

06:58

also have other information the FSC see

07:02

ID you can see that is not available on

07:04

my own device because my own device is

07:07

sold in Italy where there is no

07:10

obligation for the FSC see radio

07:13

emission compliance we can see that we

07:18

also have other information like for

07:20

example internal photos that can be very

07:22

useful to understand how the device is

07:26

manufactured what kind of component it

07:29

has onboard and so on but maybe pictures

07:31

are not big enough to read the marking

07:34

of each device component we also have

07:36

some other documentation like test

07:39

reports of radio emission tests and so

07:43

on but if we look at a detect tech

07:47

report website we can find some other

07:49

interesting information like for example

07:51

the name of the system-on-a-chip

07:54

in this case it is a magnetic chip we

07:57

can also see the name and amount on all

08:02

the flesh EPROM chip and the name and

08:06

amount on of of the ROM chip this is

08:10

really interesting information in our

08:14

initial stage of information gathering

08:17

in the links of interest we can also see

08:20

a pointer to a github project but this

08:24

is my own github project where I did a

08:27

reverse engineering of T's router so it

08:30

was not available when I started

08:33

searching for this device anyway in this

08:36

case there is a lot of information that

08:39

I put on my github repository

08:42

about this device another source of

08:46

information is open wrt website which is

08:49

a site dedicated to open source router

08:53

firmer open wrt but there is a database

08:56

of many many router with information on

08:59

hardware available to the router in this

09:01

case there is no information on our

09:04

device but anyway it is it is one other

09:09

side to search for at the beginning for

09:12

example if we search for another router

09:14

that an old router that I am it is DG 8

09:19

3 4G before we can see that we are able

09:24

to find a lot a lot of information the

09:27

system on a chip how to install the open

09:30

wrt software on this device and also

09:33

many other information including the

09:36

position layout of the fresh Abram the

09:39

position of the word interface and the

09:42

position of the JTAG interface and

09:44

including also pictures of the route of

09:47

the router pictures of is mainboard

09:51

and exact position of word interface and

09:53

the JTAG interface so this website

09:58

especially if we are doing some are

10:02

tracking on a router this is for sure a

10:04

website to track we got a lot of

10:08

information about this router on the

10:10

internet but the information that we got

10:13

was related to the same part number but

10:16

distributed but by different internet

10:18

service provider with a different label

10:20

format so probably it is a different

10:24

fair more and it is also possible that

10:27

the manufacturer have changed something

10:29

inside the router likely

10:31

system-on-a-chip their arm or the their

10:34

prompt so it is better to open the

10:36

device and to check by ourselves the

10:38

components that are inside device so we

10:44

open the device usually it is easy to

10:47

open device of these sides sometimes

10:50

this kind of device can air

10:52

some special screw so we can need some

10:54

special screwdriver but in different

10:58

devices like for example smartphones

11:00

smartwatches digital cameras and other

11:04

very small device it can be very very

11:07

difficult to open them sometimes we are

11:10

able to find tutorials on internet on

11:12

how to open a specific device and other

11:15

times we have to find the solution by

11:18

ourselves and can be really difficult on

11:21

some industrial-grade there isis it is

11:25

also possible that we have some

11:28

countermeasure to prevent the opening of

11:30

the device like for example using glue

11:33

instead of screw using glue but to keep

11:36

the shells together and inside the

11:39

device on some military-grade device we

11:43

can also have anti tampering circuitry

11:46

that will wipe out the content of the

11:48

air from if we open the device anyway i

11:51

have put a link below that will better

11:55

explain how to deal with this kind of

11:57

devices now that we open the device we

12:01

need to unscrew the motherboard from the

12:05

device and we can see that sometimes we

12:08

have it sinks that we able to remove to

12:11

look below them and to understand what

12:13

kind of components we have below

12:15

sometime it's easy sometimes can be more

12:18

difficult we can also have metal shield

12:22

use it to shield the radio frequencies

12:24

in this case often it is more difficult

12:27

to remove sometimes it is impossible to

12:30

remove without damaging the port if we

12:33

have multiple boards there are no

12:35

problem we can destroy one board at once

12:37

and what's below the metal shield and it

12:40

sings otherwise if we have only one

12:43

board we can not destroy it so in this

12:46

case we will move forward without

12:49

identifying the device because our

12:51

principle is always to follow this path

12:54

first so if an information is difficult

12:57

to get anyway we will move forward and

13:00

we will return back only if absolutely

13:03

needed

13:04

we can look at the values integrated

13:07

circuits on this motherboard but we can

13:10

see that often it is difficult to read

13:12

the part number on top of these

13:15

integrated circuits in this case we can

13:18

try to improve the readability of the

13:20

part number using a cotton and Howell to

13:24

clean up the surface of this part number

13:26

then wait for the article to dry out and

13:30

then use a chalk over these integrated

13:33

circuits then use a cotton again without

13:36

our code to remove the chalk and then

13:40

after not too strongly and then after

13:42

this it is usually easier to read the

13:45

part number we can also use a magnifying

13:48

glass or a magnifying lamp with the LED

13:51

light to read the part number on top of

13:56

these integrated circuits now that we

13:59

have been able to read the part number

14:02

on top of the integrated circuits we can

14:04

search on the internet and usually we

14:06

are able to find a lot of information

14:08

including the datasheet of this part of

14:11

these part numbers but in some cases

14:14

especially on some unusual Chinese

14:16

devices it is possible that we will find

14:19

nothing on the Internet in this case can

14:21

be useful to search on a Chinese search

14:25

engine light for example Baidu and maybe

14:28

only the search engine we will find

14:30

something in Chinese obviously but we

14:32

can use Google Translate to understand

14:34

at least what kind of device we have but

14:37

in our case on our motherboard there is

14:39

a normal device that we are able to find

14:43

a lot of information on the Internet the

14:45

system-on-a-chip

14:46

is a magnetic mt7 six to 180 chip it is

14:53

a chip based on a MIPS CPU dual-core cpu

14:58

running at eight hundred eight megahertz

15:02

the RAM is a Wimble chip it is a 128

15:07

megabyte Ram chip it is different of it

15:12

is different compared to what we found

15:15

on the tech deport website but then

15:18

it is the same science we also have an

15:21

unusual discrete logic component it is a

15:23

74 hc1 64 usual we don't have this

15:27

handle component on this motherboard but

15:30

in this case it can be useful for us

15:32

because it easy on to the chip to

15:35

identify VCC a ground and this can be

15:37

used as a reference point when we need

15:40

to take some voltage measurements on the

15:43

motherboard

15:44

we also are able to identify the NAND

15:48

flash device that it is a 128 megabytes

15:52

NAND flash device and tis confirm what

15:55

we found on the tech deport web beside

15:58

when when we searched this information

16:00

on the internet if you found this video

16:03

interesting please subscribe help this

16:06

channel grow share this video with your

16:08

friends interested in hard watching and

16:11

don't forget to click the subscribe

16:14

button below and the notification Bay to

16:17

be notified when new episodes will be

16:19

released and not forget to click the

16:22

apps the thumbs up icon and please give

16:27

me feedback on the comments below but

16:30

positive and negative I will appreciate

16:32

any type of feedback or feedback

16:35

especially suggestions and also if you

16:39

have enjoyed this video or also if you

16:42

don't don't like it this video but

16:45

especially suggestions are really really

16:47

welcome thank you for watching see you

16:50

again on this channel