Hacking the Arlo Q Security Camera: Bootloader Reverse Engineering

Published 2023-01-28
In this video, we continue hacking on the Arlo Q security camera. Today we reverse engineer the extracted firmware to better understand how the bootloader security is implemented.

unsalted sha256 bootloader password hash:
dd62e7962d63044fd1b190091930939affb172e578bb941728bd4e4478250641

IoT Hackers Hangout Community Discord Invite:
discord.com/invite/vgAcxYdJ7A

🛠️ Stuff I Use 🛠️

🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB

🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx

🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb

About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.

- Soli Deo Gloria

💻 Social:
twitter: twitter.com/nmatt0
linkedin: www.linkedin.com/in/mattbrwn/
github: github.com/nmatt0/

#iot #hacking #bootloader #reverseengineering #firmware

All Comments (21)
  • @jakesec633
    Hey Matt, loved the video as per usual. I’ve cracked the hash for the boot loader, the password is: ngpriv106
  • @hallisern
    Great video Matt, amazing explanations. Very easy to follow and understand!
  • I know the hash has been cracked now, but if you wanted to get into the older firmware without having to do a chip-off you could also have tried interrupting the boot process a few times, ideally with a reset. This would simulate the crashing firmware that this sort of A/B deployment is supposed to protect against and may have caused the boot loader to fail back to the old version.
  • Damn man you're good! I like how you show your discovery process, so many awesome tricks!
  • @kmsec1337
    Bruh this is top quality content. Thank you so much 🙏
  • @kiyotaka31337
    Thanks for the videos I learned a lot from your videos.
  • @LucaCostantino1
    Hi @mattbrwn... Just discovering your channel now... Where are you on part 4 of this series?? :D Awesome videos, keep it up!
  • @neon_Nomad
    Here I come hashcat.. guess the rainbow road was too easy a route
  • Hey Matt thanks for the video. How did you know that the hash was unsalted? Was it in a previous video?
  • Is it not possible for you to write your own known hash into the flash chip raw data dump or is this data retained in the armarello chip??
  • @neon_Nomad
    Says it will take a month but I'm having trouble getting both CPU and GPU running at the same time... I don't have much experience with hashcat so if anyone knows what's going wrong, I'm using hashcat launcher
  • @Ski4974
    Did you end up making the 3rd video in this ARLO Q series?