Very impressed by the quality of the tutorial. Clear, concise, straight to the point, how I like 'em. Ghidra truly is a powerful tool, but once again in the hands of a capable person it is even better. Also, that encrypted firmware had no chance at all: when the key and the booty are in the hands of the attacker it's only a matter of time! No amount of obfuscation can change that simple fact.
169 likes
Replies (4)
What is a better way to do this? Clearly not having the key inside the bin, what's better practice?
4 likes
@John Woods Don't bother encrypting anything that's entirely controlled by an attacker, it's just obfuscation. You could use some sort of online method of getting the key from a central server, but even then it wouldn't be perfect.
7 likes
@John Woods In this case the correct solution would have been to have the key inside the device in some place that does not get overwritten by a firmware upgrade. That way you don't have to ship the decryption key with new firmware. They are just idiots.
9 likes
@TheGame402 That too only takes one person with electronic hacking knowledge. The worst part is that once the key gets shared online, you cannot change it because it is hard-coded in all devices.
1 like
It's nice to see some real hacking being done by someone that is good at it. You are also a really good teacher; clear and well paced, showing your mastery of the subject.
33 likes
Wow, this tutorial is of amazing quality!
39 likes
Since Ghidra is quite a new tool, it is quite difficult to find resources on it, so you're really doing the community an amazing service. This video made me subscribe.
I'm having trouble finding a resource on how to use Ghidra for embedded firmware which isn't Unix based (no MMU, just bare-metal firmware). LiveOverflow did quite an interesting series on the STM32-based Ledger wallet; could you please point me to a resource on analysing the same type of embedded device with Ghidra?
Replies (1)
Hi from LiveOverflow, which new tool do you know so far? I need more knowledge.
0 likes
"You should definitely make a video about reverse engineering basics"
158 likes
Replies (2)
yes
1 like
It's been a while
1 like
This video is PAAACKED with great info. Keep them coming!
94 likes
It was very interesting to watch the workflow and what programs were used to achieve the final goal.
8 likes
I'm looking to get back into reversing, but I have become too rusty and there is a ton of new programs, tools and techniques that I know nothing about.
I remember having fun with MSVS6, Cracker's Kit and OllyDbg on Windows XP. Those days seem so distant now...
The AES functions in the library do not use padding. So when running openssl from the command line you have to use "-nopad" to get the last 16 bytes (and avoid the error message).
2 likes
Your key is also two zero bytes too short ("0000" from the Python script), but openssl will pad the key with zero bytes so it works anyway.
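The two openssl details in the comment above (the library encrypts raw blocks without padding, and a hex key two zero bytes short still works) can be checked on constructed data. The script below is an added example, not code from the video, the commenter or Moxa; it assumes the openssl command-line tool is installed, uses a made-up 16-byte key that merely ends in "0000" like the one discussed (it is not the key from the video), and a 32-byte constructed string standing in for the firmware image.

```shell
#!/bin/sh
# Added example (not from the video or the comment): checks the two openssl
# details from the comment on constructed data with aes-128-ecb.
# Assumptions: the openssl CLI is on PATH; the key below is a made-up
# placeholder that ends in "0000", NOT the key from the video.

KEY_FULL="000102030405060708090a0b0c0d0000"   # 16 bytes (32 hex digits), constructed
KEY_SHORT="000102030405060708090a0b0c0d"      # same key with the trailing two zero bytes missing

# Constructed stand-in for an unpadded firmware image: exactly 32 bytes = two AES blocks.
# The last byte is 'f' (0x66), which is not a valid PKCS#7 padding byte.
PLAINTEXT="MOXA-DEMO-HEADER0123456789abcdef"

# Produce the "encrypted firmware": -nopad, so no padding block is appended,
# matching a library that encrypts raw blocks without padding.
encrypt_image() {
    printf '%s' "$PLAINTEXT" | openssl enc -aes-128-ecb -K "$KEY_FULL" -nopad
}

# Size of the encrypted image in bytes (32: the plaintext size, no padding block).
image_size() {
    encrypt_image | wc -c | tr -d ' '
}

# Decrypt the image with key $1 (hex) and optional extra flag $2 ("-nopad" or "").
# stderr is discarded so the "bad decrypt" / "hex string is too short" messages
# do not interfere with the returned value.
decrypt_with() {
    encrypt_image | openssl enc -d -aes-128-ecb -K "$1" ${2:-} 2>/dev/null
}

# Without -nopad, openssl tries to strip PKCS#7 padding from the final block,
# finds none, reports "bad decrypt" and drops that block: fewer than 32 bytes return.
bytes_recovered_default() {
    decrypt_with "$KEY_FULL" "" | wc -c | tr -d ' '
}

# With -nopad every block comes back, including the last 16 bytes.
recovered_nopad() {
    decrypt_with "$KEY_FULL" "-nopad"
}

# With the 14-byte key, openssl warns "hex string is too short, padding with zero
# bytes to length" and continues; since the full key ends in 0000, the result matches.
recovered_short_key() {
    decrypt_with "$KEY_SHORT" "-nopad"
}

echo "encrypted image: $(image_size) bytes"
echo "bytes recovered without -nopad: $(bytes_recovered_default)"
echo "recovered with -nopad:          $(recovered_nopad)"
echo "recovered with 14-byte key:     $(recovered_short_key)"
```

Run it as `sh demo.sh`; the first decrypt shows the truncated output the commenter warns about, the second shows all 32 bytes, and the third shows that the zero-padded short key decrypts identically (openssl prints its "too short" warning on stderr, which the script discards).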
Very helpful video. I now see why my previous attempts to understand reverse engineering were bound to fail. My failures in approaching such a problem were not because I have only limited knowledge of x86 assembler (although that probably doesn't help either); it was more a misunderstanding of how to use the decompilation view. Thanks for this video, and I'm looking forward to the next videos.
6 likes
Amazing video. You make it easy to follow by being precise, and "answering" questions that may pop up as I watch it. Your videos are really packed with great information. I learned a lot. Thank you.
0 likes
Amazing! I'm happy to see some comprehensive coverage of Ghidra. This is packed full of useful information for Ghidra. Being familiar with reversing only gets you so far with a given program.
4 likes
That's really impressive. Thank you for walking us through.
1 like
Wonderful video. From what I see you've spent a great deal of time studying the firmware. Some basics on how you go about reverse engineering would be really helpful. Thanks.
0 likes
I came to crack software, stayed for the full tutorial series. Really great stuff.
1 like
That was wonderful. I enjoyed watching this video as I was able to stay with it quite well. I was wondering how someone like yourself would approach disk encryption, like, say, VeraCrypt. What would be involved with that? If you had control of a machine, logged into Windows, with dismounted partitions... could there be a way to decrypt? Thanks.
0 likes
Excellent video and great channel!! Thank you for sharing your knowledge with us who are not yet experts in these matters. Golden things to learn here :)
3 likes
This guy deserves more recognition! Extremely skilled! Subbed!
0 likes
I'm an APCSA student with no experience with reverse engineering; this sounds like something very fun I can do and learn while quarantined.
1 like
I'm here from LiveOverflow's channel and I'm loving your content. Please make more of this stuff! :D
4 likes
Replies (1)
Welcome on board 😀
2 likes
this is love dude...
23 likes
you are awesome, just keep them coming
Hope you explain some router firmware reversing and an explanation of how these hackers are now exploiting routers on a very large scale.
Thanks in advance :)
Wow, great to see how this sort of stuff is done. Subscribed and looking forward to checking out some of your other videos!
0 likes
Great work here!
7 likes
Hope there will be more in the future! Very well explained and easy to follow.
Replies (1)
Also a short question: your accent sounds familiar to me. Are you from Germany?
1 like
If I'm right: greetings from Bavaria! Very well explained videos, which people who have hardly done anything in this direction so far could surely follow too. Hope a few more videos are coming! What good is all my knowledge if I can't express it understandably? You're only really good at a topic once you can explain the more complex processes simply. And you can definitely do that!
And maybe you could start a Discord server for your followers. That would help to build a community :) @Ghidra Ninja
Unbelievable quality of the content. Massive thanks, mate!
3 likes
I'm in love with your channel! Please create a series on Reverse Engineering Basics!
10 likes
As a user of IDA and doing some RE from time to time, this is very impressive!
1 like
All seems so easy, but it is not.
Gateway to shell :D Good job Thomas, love the work you put in!!
1 like
Sorry, a bit late :(
Wow, it was so great, I am really fascinated by your method. I hope that as soon as you can you "please" make videos about reverse engineering basics, and maybe other things also!! Big thanks <3 :)
0 likes
Thank you for your videos, it's good if we can see more of your videos about CTF binary reversing. And please make your videos easier to understand for beginners. Thank you
0 likes
I love your work! Nice and easy to understand. I'm looking forward to your future videos.
3 likes
Dude, please upload more videos, you cannot imagine how much we appreciate your videos. Thank you very much
1 like
Discovered your channel a couple of days ago and I'm loving the content! Regarding binwalk on macOS, I managed to install it with Homebrew but it complains about failing to run the external extractor unsquashfs, with several errors regarding squashfs-root, sasquatch etc. How did you get it running on macOS without errors? Or are you running a Linux subsystem? Thanks in advance
0 likes
This video is great. Alongside LiveOverflow, one of the best RE videos on YouTube! Keep them coming.
3 likes
Your videos are really very good. Thank you for them and please continue with new ones 👍🏻
3 likes
wow - perfect example of a very skilled knowledge/intention mix. Thx for the work and sharing.
2 likes
Sir. Not very many are able to articulate a lesson in a way my brain can absorb, especially when it comes to variables in dialect. All said, it can be frustrating at times. While I am going to have to rewatch this, I would personally like to thank you for your time as well as your ability to clearly lay it out... I will mos def look for more of your tutorials
0 likes
Awesome, love the information.
2 likes
Your channel is great, hoping to see more of these in the future.
Question: when you were renaming variables, how did you establish that auStack48 was actually the userkey?
2 likes
Replies (1)
Ahh, forget it. I just realised you had looked at the function signature.
2 likes
This is really helpful for understanding the Ghidra workflow. Thanks!
2 likes
Awesome video... great information. What would you have done if you did not have access to the older firmware version? Would this still be possible, just much harder?
0 likes
Wonderful video. I noticed that the firmware for 1.11 is not on the site anymore from what I see? Can't really follow along in the video without that older update; is there a way you could link it so people could still follow along? Thank you, such great content!
0 likes
Mate, could you make more firmware hacking videos please. This is sick!!
0 likes
As others have already said, this video is very informative and of good quality. Good job!
5 likes
I guess you are German? How did you learn all of this?
So glad I took the extra effort to put in security from the beginning in the firmware update system I've designed.
0 likes
This is a high level of reverse engineering!
11 likes
like + subscribe
Insider here: We know that the encryption is very basic and rather embarrassing. We don't want to make it too easy, but we also know that even the "hardest encryption" will be cracked if enough time is invested. So this is the middle way...
1 like
Nice video, thanks for the tips!
Replies (3)
Embedded engineer here, you guys hiring?
0 likes
@kartoffelwaffel This is an anonymous account, sorry.
0 likes
@NameIst Unbekannt As implied by your name, no worries!
1 like
So basically if they release a new version of this hardware, and implement the encrypted firmware from the factory, you would not be able to do this. (And of course, they should change the key to something else than the one you showed.)
0 likes
Really great video and good explanation. Thank you so much for it...
0 likes
I'd die to watch a reverse engineering basics tutorial. I was hooked just by watching for 2 minutes
2 likes
For a moment I thought you were the presenter of SCADA: Gateway to shell from a CCC talk. Impressive work and video quality!
4 likes
Replies (1)
🤫 Thank you!
2 likes
This video was so good, very well explained
3 likes
Hi, very good tutorial indeed, yet I'm not able to replay it as the firmware files aren't available anymore from Moxa. Did you make a copy of the cited files or do you know where I can get them? Best
0 likes
Awesome video, really loved it. I'm very excited about the upcoming post on finding a vuln in the device.
0 likes
Can't wait to see more of your Ghidra videos!
1 like
Wow! Thank you so much for such a high quality video. Subscribed! Please keep going.
1 like
Incredible tutorial!
0 likes
Do you do any other stuff? I would happily see some of it, no matter what it is. You are awesome.
2 likes
Replies (1)
Definitely in the future!
2 likes
You are amazing, man, I really hope you keep going with this
1 like
I'm watching all of your videos, very good content!
0 likes
Woah, man, that was awesome. I can't wait to see more from you!
0 likes
Really nice video. I only hope that now you can upload more often.
0 likes
Thank you for these tutorials!
1 like
Many thanks to Ghidra Ninja and the NSA!
7 likes
Great video, thank you very much!
3 likes
Does finding something like this warrant a CVE to the researcher?
0 likes
Wow, that was awesome 😊
1 like
Great and amazing tutorial
0 likes
I love this tool! ❤️❤️❤️
0 likes
This is so great.
0 likes
Keep it up.
Super advanced. Thanks for the video =)
0 likes
So clean, so cool, I love this video!
0 likes
These are fantastic. Keep going
0 likes
Does Ghidra have malware/trackers built into it? I'd guess running it in a locked-down VM is recommended, right?
0 likes
Awesome stuff, thank you!! :)
1 like
This channel is going to blow up! Subscribed.
0 likes
Ghidra Ninja, can you suggest a course where I can start learning this stuff?
0 likes
Thank you
What did you use to record the keybindings at the bottom?
0 likes
Bro, awesome video, I have become a huge fan of you, you have got the skills man
2 likes
This is so awesome! Sure hope NSA pays you well :*
4 likes
Replies (1)
Haha, that's what I was thinking. He seems pretty experienced with software the NSA released only a month ago...
1 like
I subscribed and enabled the notification. Thanks for the great video.
0 likes
Phenomenal vid/tutorial!!
1 like
You should make more videos, man. Love your videos <3
4 likes
Very interesting, thanks for sharing!
1 like
You should make a video series on what each option means in Ghidra
4 likes
Replies (1)
Yeah, that would be cool.
1 like
Damn, tools are horrifyingly powerful nowadays.
9 likes
Awesome, thank you!
2 likes
Your video encouraged me to hack into my router fw. I was able to crack the fw verification function :D Now how do we compile it back so it can be flashed? I checked fw-mod-kit but I am not so sure.
0 likes
A Rob, 2020-04-12 04:38:58 (edited 2020-04-12 04:39:27)
Do one for wireless mic systems like Shure and stuff like that
0 likes
Yeah man, this is what I am looking for. Thx bro (y)
0 likes
Quality of the video is excellent!
3 likes
Fantastic video! I keep checking YouTube to see if you've uploaded.
1 like
Strong content!
1 like
Woww! So much good info! Awesome!
0 likes
Awesome! Thanks!
0 likes
Well done.
1 like
Looks like Ghidra is some decent tool.
Still wonder what the NSA's endgame here is
Replies (1)
The most obvious benefit is that the software gets plugins developed at no cost, bugs are fixed at no cost, and you get an army of devs scrutinizing the code to make it the best it can be. Simple benefits of open source. They also increase their talent pool. In case that wasn't enough motivation, the US government has a quota they need to fill on code they open-source to the public under Obama-era legislation.
0 likes
Sir, you are a scholar and a gentleman, imma check all your vids
0 likes
Smashed that subscribe and notify button fast AF! Keep them coming!
1 like
Perfect, thank you very much 🙏
0 likes
What about a firmware that was encrypted from the beginning?
0 likes
This video is amazing. Subbed
1 like
Wow, this is reeeeally cool!!
0 likes
Great content
0 likes
Does Ghidra decompile assembly to a high-level language?
0 likes
Nice video bro :-)
5 likes
It's funny how he clearly understands what he's looking at but still renames things to help himself understand what he's looking at more clearly...
0 likes
Brain, you so silly...
Best video I've seen all week.
1 like
You're seeing now a master at work 🔥🔥🔥
0 likes
Lol, now you can AES-ECB-encrypt and make a custom firmware
31 likes
Awesome! Can't wait for the next video
1 like
Super super cooooooool! Love it!
0 likes
Hi, I did buy software with server confirmation. The owner has closed the server and I have no more access. Can you deactivate the pass and the server function? If so, please contact me
0 likes
Great video
2 likes
Couldn't find the second part of this video. Is it uploaded yet?
0 likes
Wait. Is this LiveOverflow in incognito mode?
13 likes
Replies (1)
Hah, it's not, but we are from the same country! LiveOverflow is the best.
22 likes
Great vid. Thanks
1 like
Can you reverse engineer the Nokia 1100 firmware (DCT4) encryption to mod it to include my own images, ringtones etc. :)
0 likes
The entropy of this video is enormous, I can see that without running binwalk -E.
0 likes
Replies (1)
You're saying it's very random? :P
0 likes
Excellent!
0 likes
Good video ^^
1 like
Replies (1)
Thanks!
0 likes
Wowwwwww Super!
1 like
Genius! Got a new sub
1 like
Does Ghidra work on Linux?
0 likes
Wish I had taken up programming as a kid; learning this as a middle-aged guy is painful
0 likes
I know it has been 2 years and the Moxa W2150A v1.11 firmware is no longer available. So hopefully somebody will please send me that firmware so I can do some cool experiments.
0 likes
Thanks brother. Helps me a lot
0 likes
Awesome man, work on IoT devices
1 like
I think it's creepy that at this very time they're handing us this knowledge and power... how much trouble are WE really in??!
1 like
Everything flew over my head
0 likes
I respect you
0 likes
Where is my WannaCry decrypt part 2??
0 likes
We really want it, man
I enjoy your videos even more than P0** videos
Please make videos faster and 1 video about reverse engineering basics
<❤/>
wtf I just saw. You changed my life from today.
0 likes
Boom! Subscribe button got hit! The bell got hit!
1 like
Can this method apply to gaming consoles, for example PS4 etc.?
2 likes
Replies (1)
The basic reverse engineering procedure, yes, but the firmware protections of modern gaming consoles are far more advanced. Check the videos of fail0verflow to learn about console security (with a focus on homebrew, not piracy).
2 likes
PS: how did you know it was AES ECB over CBC or otherwise?
1 like
Replies (2)
The decryption function where he found the buffer offset was already called ecb128 after Ghidra extracted its symbols
2 likes
Idan Horowitz thanks!
1 like
Please keep reverse engineering public
0 likes
Replies (1)
This has amazing quality!
0 likes
Don't know anything about decompilers and I'm wondering how does Ghidra infer function names?
0 likes
Replies (2)
The function names in this case were included in the binary :) otherwise you just get fun_0x... names
1 like
@stacksmashing Thanks for the answer. But why would closed-source software keep the function names in their binary? I would assume that (substantially?) simplifies reversing.
0 likes
Subbed thanks to Reddit
1 like
cool..... heavy duty
1 like
DOPE AF
2 likes
Replies (1)
Hey, was looking for part 2 but found your 34C3 talk on SCADA systems; that will do I guess :) Again, thanks for sharing outside of the con, that's nice :)
0 likes
wow
0 likes
wizardry
0 likes
From where did you learn all these shits, dude??
0 likes
Holy shit.
0 likes
Like if you're also at HEIA
2 likes