Hikvision Firmware Decrypted

By Brian Karas, Published Mar 09, 2017, 01:16pm EST

A developer has decrypted Hikvision's firmware, allowing examination of Hikvision's device source code and contents.

In this report, we overview the tool, showing you how it works, sharing a Hikvision's camera decrypted firmware and overviewing some things to look for inside.

Utility ********

*** *********, ***********, ********* *** ******* ** the ******* **** ** ipcamtalk. "*******" ** ***** for "********* ******/********". ** decrypts *** ******** ****** Hikvision ******** ******, ******** the ********* **** ******* to *******, *** ******* them **** *** ****** required ** ******* ** on * ****** ** recorder. *** ****** ******* takes * *** *******.

*** ******* ******** "** and **" ****** ********* *** "k41 *** ***" ******** platforms, ***** ****** *** majority ** *********'* **** popular ** *******, *** 7600-series *********.

Hikpack *****

* ** *** ***** environment ** ******** ** run *** ******* *******. For ***** ******* * linux *******, * *********** of ********** *** * ***-***** ***** ***** ***** *** ** ****.

** *** ******* *** need ********* ******** ****** (********* firmware ********* **** [**** no ****** *********]), ***** you **** ****** ***** the ********* *******:

** *** ***** ** ****** with ************* (*.*., ******** language **** *******), ******* "-L *" ** **** it ** ******* *** image ** ** ******* version:

*** ********* ******** ** left ****** ** *** specified ********* ("*****" ** this ****), ***** *** be *******, ** ******** further ** ******** *****.

Sample ********* ********

***** **** *******, *** is **** ** ******* *** extract *********'* ******** ******** images ** *** * set ** ******** *****. Using ******* ** .*** ***** ********* ****** additional ***** *** *********** to *******.

******* **** *** ****, displays *** *** *********** / ********** ** *********'* firmware:

**** *********** ******** **** the ********* *****:

*** ********* "*****.***-**************" ******** the **** ** *** linux ********* ****** **** runs ** *** ******. From **** ********* ** can **** ** /***/****** *** see ** ******** * single *****:

**** ***** **** ***** is * ****-***** "****" user, **** ***** ** not **********, ** ********* linux ***** ** ***** a **** **** ** run ********* *****. *** lack ** ***** ***** would ******** **** ***** process ** *** ****** runs ** ****, ***** can **** ** ***** exploitable ********** ** ********** are ***** ** ***** processes.

/***/****.*/*** ***** *** ********* and ******** *** ****** kicks ** **** ** starts:

*** *********** **** **** is *** ******** ******** rule, ******* *** ****** to **** *********** ****** in ** **** ** (SSH). ***** ****** ** no **** ** **** SSH *********** ** *** is *** ******* ** the ******.

********* *** /***/*** **** that ** ****** ***** this **** ***** *** first ******* ***** "********", * ****** *** server **** ** ******** devices:

** *** ******** **** was ******* ***, *** would **** ****** ** able ** **** *** access ** *** ******, which ***** **** ******* you ** **** *** root ******** ** *** camera.

***** ** **** * binary **** ****** "*************", whose **** ******* ** could ** ****** **** other ********* ** ******* system-level ******** ** ******** to ***** *******.

***** **** ** ***** items ******** ** ******** security *****, **** ** call **** ******** *** Hikvision ***** ****** ** keep ** *** ****** running, *** ******* ** a ******** ****, ******* of ****** *** ******* SSH ** ***.

Firmware ********** **** ********

*** ********* ******** ****** both *********** *** ********* to ******* *** ***** workings ** *** ********. With **** **** *** analysis ** ** ******** to ***** *** ********** ********** that *** ** *********, backdoors, ***. **** ** how *** ****** ***** ******** *** **** ******** **** **********, **** *********** managed ** ******* ******** files *** **** ******* them *** **********.

****** ********* ** *** need ****** ** ******** files ** **** *********** components ** * ******, having **** ****** ***** their *** **** ******. *** ********* **** *** researcher *** ******* ******** used ** **+ *** brands ****** **** ** **** this **** ******** ******** approach.

 

Comments (16)

Good Stuff, keep it coming.

Agree: 3
Disagree
Informative
Unhelpful
Funny

 Funny I didnt have to de-crypt it But then again I use real tool set OS

Binwalk from source does a better job than from the repos in my opinion

Kali_screenshot

Surprised we are doing firmware dumps on here though< i had been debating whether or not post some.

Agree
Disagree
Informative: 4
Unhelpful
Funny

What version of Kali are you running if you don't mind me asking?

Agree
Disagree
Informative
Unhelpful
Funny

Kali_release

 

Agree
Disagree
Informative
Unhelpful
Funny

I assume the only reason to have a server running and blocking all inc connection instead of not having the server running at all, would be to be able to access the server via a backdoor...

Or am i being influenced by all those hacks and cia/nsa docs recently? =P

Agree
Disagree
Informative
Unhelpful
Funny

So,  

is there a bookdoor? or "phone home" ?

Agree
Disagree
Informative
Unhelpful
Funny

This decrypted firmware download will lead Hikvision into serious issues. Now all the bored ppl. out there start playing with their Kali-Toolbox (decompilers and soucecode vulnerability scanners) and they WILL find many new attack vectors. 

Hikvision should prepare for a massive demand of firmware updates... 

Agree: 5
Disagree
Informative: 1
Unhelpful
Funny

It's been known how to decrypt the firmware for a long while. Most of the obvious vulnerabilities have been found.

You also don't get sourcecode out of a firmware image.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Could also be a test to verify port 22 is indeed blocked before shipping?

Agree
Disagree
Informative
Unhelpful
Funny

There is no need to a block a port that is not running any services. 

Agree
Disagree
Informative
Unhelpful
Funny

Unless I misread, SSH is running:

 

"Examining the /etc/app file that is called after this line shows the first command loads "dropbear", a common SSH server used on embedded devices:"

 

"why Hikvision would choose to keep an SSH server running, but blocked by a firewall rule, instead of simply not running SSH at all."

Agree
Disagree
Informative
Unhelpful
Funny

Because they can disable the firewall rule by a hidden cgi or whatever... the answer is in the download. 

Agree: 3
Disagree
Informative
Unhelpful
Funny

Here's an interesting thought.  I'm not sure I agree with my thought yet, but it's worth a discussion... how about Hikvision just open sources their camera firmware?  They make money on hardware sales and if they open source it, they would benefit from the community contributing to their code (or at the very least scrutinizing the security vulnerabilities).  There may be a few pieces that they'd want to keep to themselves, like any advanced encoding features, or perhaps some of the analytics, but they could also benefit from the transparency of allowing others to see the source.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Most parts of the firmware are open source anyways.

A Linux system always contains many GPL based packages.

The GPL terms of use allow everybody who's interested to request the source code of all GPL licensed packages at any time. The manufacturer has to send you a file that includes all GPL parts and all of his modifications to GPL based code. The "copyleft" of the GPL requires the manufacturer to publish his modifications to GPL code also under GPL license. This applies e.g. to driver/kernel modifications to support the different SoC's.

Please check yourself: https://en.wikipedia.org/wiki/GNU_General_Public_License

Does Hikvision provide such a GPL download?

Agree
Disagree
Informative
Unhelpful
Funny

Hikvision does now, actually. See Hikvision Discloses Open Source Software Used

Just some of the software used under GPL:

  • GCC library
  • Linux kernel
  • busybox 1.19.3
  • u-boot
  • udev 114
  • IPTables 1.4.18
  • ppp - Pauls PPP Package 2.4.3
  • RP PPP OE 3.8
  • wpa_supplicant 0.7.2

 

Agree
Disagree
Informative: 1
Unhelpful
Funny
Agree
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 6,943 reports, 926 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports