Hikvision Firmware Decrypted

By: Brian Karas, Published on Mar 09, 2017

A developer has decrypted Hikvision's firmware, allowing examination of Hikvision's device source code and contents.

In this report, we overview the tool, showing you how it works, sharing a Hikvision's camera decrypted firmware and overviewing some things to look for inside.

* ********* *** ********* Hikvision's ********, ******** *********** of *********'* ****** ****** code *** ********.

** **** ******, ** overview *** ****, ******* you *** ** *****, sharing * *********'* ****** decrypted ******** *** *********** some ****** ** **** for ******.

[***************]

Utility ********

*** *********, ***********,********* *** ******* ** the ******* **** ** ipcamtalk. "*******" ** ***** for "********* ******/********". ** decrypts *** ******** ****** Hikvision ******** ******, ******** the ********* **** ******* to *******, *** ******* them **** *** ****** required ** ******* ** on * ****** ** recorder. *** ****** ******* takes * *** *******.

*** ******* ******** "** and **" ****** ********* and "*** *** ***" recorder *********, ***** ****** the ******** ** *********'* most ******* ** *******, and ****-****** *********.

Hikpack *****

* ** *** ***** environment ** ******** ** run *** ******* *******. For ***** ******* * linux *******, * *********** of************* ****-***** ***** ***** ******** ** ****.

** *** ******* *** need ********* ******** ****** (********* ******** ********* ****), ***** *** **** unpack ***** *** ********* command:

** *** ***** ** repack **** ************* (*.*., changing ******** **** *******), specify "-* *" ** tell ** ** ******* the ***** ** ** English *******:

*** ********* ******** ** left ****** ** *** specified ********* ("*****" ** this ****), ***** *** be *******, ** ******** further ** ******** *****.

Sample ********* ********

***** **** *******, *** is **** ** ******* and ******* *********'* ******** firmware ****** ** *** a *** ** ******** files. ************** .*** ***** ********* yields ********** ***** *** directories ** *******.

******* **** *** ****, displays *** *** *********** / ********** ** *********'* firmware:

**** *********** ******** **** the ********* *****:

*** ********* "*****.***-**************" ******** the **** ** *** linux ********* ****** **** runs ** *** ******. From **** ********* ** can **** ** /***/****** and *** ** ******** a ****** *****:

**** ***** **** ***** is * ****-***** "****" user, **** ***** ** not **********, ** ********* linux ***** ** ***** a **** **** ** run ********* *****. *** lack ** ***** ***** would ******** **** ***** process ** *** ****** runs ** ****, ***** can **** ** ***** exploitable ********** ** ********** are ***** ** ***** processes.

/***/****.*/*** ***** *** ********* and ******** *** ****** kicks ** **** ** starts:

*** *********** **** **** is *** ******** ******** rule, ******* *** ****** to **** *********** ****** in ** **** ** (SSH). ***** ****** ** no **** ** **** SSH *********** ** *** is *** ******* ** the ******.

********* *** /***/*** **** that ** ****** ***** this **** ***** *** first ******* ***** "********", * ****** *** server **** ** ******** devices:

** *** ******** **** was ******* ***, *** would **** ****** ** able ** **** *** access ** *** ******, which ***** **** ******* you ** **** *** root ******** ** *** camera.

***** ** **** * binary **** ****** "*************", whose **** ******* ** could ** ****** **** other ********* ** ******* system-level ******** ** ******** to ***** *******.

***** **** ** ***** items ******** ** ******** security *****, **** ** call **** ******** *** Hikvision ***** ****** ** keep ** *** ****** running, *** ******* ** a ******** ****, ******* of ****** *** ******* SSH ** ***.

Firmware ********** **** ********

*** ********* ******** ****** both *********** *** ********* to ******* *** ***** workings ** *** ********. With **** **** *** analysis ** ** ******** to ***** *** ********** weaknesses **** *** ** exploited, *********, ***. **** is *** *** *********** *************** ************ **********, **** *********** managed ** ******* ******** files *** **** ******* them *** **********.

****** ********* ** *** need ****** ** ******** files ** **** *********** components ** * ******, having **** ****** ***** their *** **** ******.*** ********* **** *** researcher *** ******* ******** used ** **+ *** brands****** **** ** **** this **** ******** ******** approach.

Comments (16)

Good Stuff, keep it coming.

Funny I didnt have to de-crypt it But then again I use real tool set OS

Binwalk from source does a better job than from the repos in my opinion

Kali_screenshot

Surprised we are doing firmware dumps on here though< i had been debating whether or not post some.

What version of Kali are you running if you don't mind me asking?

I assume the only reason to have a server running and blocking all inc connection instead of not having the server running at all, would be to be able to access the server via a backdoor...

Or am i being influenced by all those hacks and cia/nsa docs recently? =P

So,

is there a bookdoor? or "phone home" ?

This decrypted firmware download will lead Hikvision into serious issues. Now all the bored ppl. out there start playing with their Kali-Toolbox (decompilers and soucecode vulnerability scanners) and they WILL find many new attack vectors.

Hikvision should prepare for a massive demand of firmware updates...

It's been known how to decrypt the firmware for a long while. Most of the obvious vulnerabilities have been found.

You also don't get sourcecode out of a firmware image.

Could also be a test to verify port 22 is indeed blocked before shipping?

There is no need to a block a port that is not running any services.

Unless I misread, SSH is running:

"Examining the /etc/app file that is called after this line shows the first command loads "dropbear", a common SSH server used on embedded devices:"

"why Hikvision would choose to keep an SSH server running, but blocked by a firewall rule, instead of simply not running SSH at all."

Because they can disable the firewall rule by a hidden cgi or whatever... the answer is in the download.

Here's an interesting thought. I'm not sure I agree with my thought yet, but it's worth a discussion... how about Hikvision just open sources their camera firmware? They make money on hardware sales and if they open source it, they would benefit from the community contributing to their code (or at the very least scrutinizing the security vulnerabilities). There may be a few pieces that they'd want to keep to themselves, like any advanced encoding features, or perhaps some of the analytics, but they could also benefit from the transparency of allowing others to see the source.

Most parts of the firmware are open source anyways.

A Linux system always contains many GPL based packages.

The GPL terms of use allow everybody who's interested to request the source code of all GPL licensed packages at any time. The manufacturer has to send you a file that includes all GPL parts and all of his modifications to GPL based code. The "copyleft" of the GPL requires the manufacturer to publish his modifications to GPL code also under GPL license. This applies e.g. to driver/kernel modifications to support the different SoC's.

Please check yourself: https://en.wikipedia.org/wiki/GNU_General_Public_License

Does Hikvision provide such a GPL download?

Hikvision does now, actually. See Hikvision Discloses Open Source Software Used

Just some of the software used under GPL:

  • GCC library
  • Linux kernel
  • busybox 1.19.3
  • u-boot
  • udev 114
  • IPTables 1.4.18
  • ppp - Pauls PPP Package 2.4.3
  • RP PPP OE 3.8
  • wpa_supplicant 0.7.2
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Hikvision Global News Reports Directory on Jul 15, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
Hikvision's Government Owner Website Blocked To World on Jul 11, 2019
Hikvision's PRC government owner, CETHIK, has had its website blocked outside of China, hiding a major information source proving Hikvision's...
RaySharp Revealed - Major China OEM For Western Consumer Video Surveillance on Jul 02, 2019
RaySharp is mostly unknown, even among people in the video surveillance industry, though it is a major supplier of OEM surveillance equipment such...
2019 Mid-Year Video Surveillance Guide on Jul 01, 2019
IPVM's new 400+ page Mid-Year Industry Guide brings all of these issues and events together in a single resource to read and review. It can be...
Directory of 60 Video Surveillance Startups on Jun 25, 2019
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known. 2019...
China Subway Facial Recognition System Examined on Jun 24, 2019
A China city of 6+ million people has installed facial recognition-enabled gates in subways, allowing commuters to enter stations by simply showing...
IFSEC 2019 Show Report on Jun 19, 2019
The UK's largest trade show, IFSEC, is underway and IPVM has been examining what is new and happening at the show. Inside, we cover: Huawei...
The Scheme Hikvision and China Importers Use To Avoid Tariffs on Jun 17, 2019
Hikvision and numerous China importers are avoiding 25% tariffs by including an SD card slot in their IP cameras to claim they are 'digital still...
NSA Director Keynoting Dahua and Hikvision Sponsored Cybersecurity Conference [Canceled] on Jun 13, 2019
The technical director for the NSA’s Cybersecurity Threat Operations Center will be keynoting a physical security cybersecurity conference that is...
Embattled $400 Million China Funded Philippines Surveillance System Proceeds on Jun 13, 2019
An embattled 12,000 camera surveillance system project that will cost ~$400 million will proceed.  The project contract was awarded, had its...

Most Recent Industry Reports

Mobile Access Usage Statistics 2019 on Jul 18, 2019
The ability to use mobile phones as access credentials is one of the biggest trends in a market that historically has been slow in adopting new...
New GDPR Guidelines for Video Surveillance Examined on Jul 18, 2019
The highest-level EU data protection authority has issued a new series of provisional video surveillance guidelines. While GDPR has been in...
Anyvision Aims For 2022 Revenue of $1 Billion on Jul 17, 2019
Only 3 video surveillance manufacturers do a billion dollars or more in annual revenue - Hikvision, Dahua, and Axis. Now, Anyvision plans to join...
HD Analog vs IP Guide on Jul 16, 2019
For years, HD resolution and single cable signal/power were IP camera advantages, with analog cameras limited to much lower resolution and...
How To Troubleshoot Wiegand Reader Problems - Inverted Wiring on Jul 16, 2019
Wiegand is the dominant method of connecting access readers, but problems can arise for installers. In fact, one of the most difficult reader...
ZeroEyes Gun Detection Startup on Jul 16, 2019
A gun detection video analytics startup, ZeroEyes, is being led by a group of 6 former Navy SEALs, aiming to "save lives" by using AI to assist...
Motorola Acquires Watchguard, Adds to Vigilant And Avigilon on Jul 15, 2019
2 years ago, Motorola had no position nor relevancy to video surveillance. Now, they own major video surveillance, LPR and body camera providers...
Hikvision Global News Reports Directory on Jul 15, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
Vivotek Trend Micro Cyber Security Camera App Tested on Jul 15, 2019
Vivotek and Trend Micro are claiming five million blocked attacks on IP cameras, with their jointly developed app for Vivotek cameras. This new...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact