> You would have to be a Hotz tier hacker if you wanted to do anything close to this only last year

This isn't true at all. Yes, LLMs have made it dramatically easier to analyse, debug and circumvent. Both for people who didn't have the skill to do this, and for people who know how to but just cannot be bothered because it's often a grind. This specific device turned out to be barely protected against anything. No encrypted firmware, no signature checking, and built-in SSH access. This would be extremely doable for any medium skilled person without an LLM with good motivation and effort.

You're referring to George Hotz, which is known for releasing the first PS3 hypervisor exploit. The PS3 was / is fully secured against attackers, of which the mere existence of a hypervisor layer is proof of. Producing an exploit required voltage glitching on physical hardware using an FPGA [1]. Perhaps an LLM can assist with mounting such an attack, but as there's no complete feedback loop, it still would require a lot of human effort.

[1] https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was...

From the article, it sounds like he used Claude Code as an alternative to Wireshark and Google to decode USB HID traffic and find protocol documentation, respectively.

I suppose this could save a bit of time if you don't already have Wireshark installed, with a minor risk of hallucinations.

Other than this, he used Docker for some reason* to edit ~root/.ssh/authorized_keys and /etc/shadow in the firmware tarball, then wrote a quick Python script to send the relevant HID messages and copy the modified tarball to a volume mounted from a USB drive exposed by the device in response to one of the HID messages.

Maybe he used Claude to do some of this other stuff. Who knows? But the only thing in the post or the linked scripts that wasn't immediately obvious to me is why he installed the whois package in his Ubuntu container, but it turns out that, in Debian, the mkpasswd utility is installed by the whois package for historical reasons[1].

So basically, you have to be an insane hacker, or else have a basic working knowledge of Linux system administration (or at least know how to use the man(1) command; then again Google would probably suffice as an alternative) and how to write trivial programs in any language with bindings to a USB HID library.

* Presumably because he was on a Mac and didn't have a Linux box handy to generate the hashed password (which requires using glibc crypt(3) in a way that isn't compatible with macOS libc crypt(3), so nontrivial on a Mac).

Not sure why he needed password authentication in the first place, but, at the author's request, I won't shoot him.

I will, however, point out that, unless the sshd_config file on the device already set PermitRootLogin to something other than the default "prohibit-password", password authentication wouldn't have worked to log in as root, even with PasswordAuthentication set to "yes".

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=116260

This 1000% - I’ve used AI to enable SSH in one Phase One digital back I own, and to reverse engineer and patch the firmware on another to make the back think it’s a different back - Credo 50 to IQ250! The internals are literally the Sam.

its really nice to not have to spend hours looking thru packet captures and stuff, i enjoy digging but as i'm getting older I have less time to spend 16 hour days looking at random firmware blobs

LLM are not capable of doing that for most things. Having an open ssh device does not require any special "skill".

If it’s embedded Linux with no HAB it’s not hard to make “adjustments.” Just use file and binwalk to figure out what it is and break it open.

Damn, maybe I can throw an agent at trying to unlock IMEI spoofing on my Unifi LTE modem. That one guy on twitter who does all the LTE modem unlocking never replied to my tweet :(

there’s barely any hacking here

the guy found this through looking at the firmware but nmap -p 22 would have also found this

So like the first thing you would do to attack the device

I found an issue exactly like this on an ISP-provided router. I am nowhere near geohot but also didn’t even do as much as the guy in the article lmao