Hikvision Firmware Decrypted

Author: Brian Karas, Published on Mar 09, 2017

A developer has decrypted Hikvision's firmware, allowing examination of Hikvision's device source code and contents.

In this report, we overview the tool, showing you how it works, sharing a Hikvision's camera decrypted firmware and overviewing some things to look for inside.

* ********* *** ********* *********'* ********, ******** *********** ** *********'* device ****** **** *** ********.

** **** ******, ** ******** *** ****, ******* *** *** it *****, ******* * *********'* ****** ********* ******** *** *********** some ****** ** **** *** ******.

[***************]

Utility ********

*** *********, ***********,********* *** ******* ** *** ******* **** ** *********. "*******" ** ***** *** "********* ******/********". ** ******** *** extracts ****** ********* ******** ******, ******** *** ********* **** ******* to *******, *** ******* **** **** *** ****** ******** ** install ** ** * ****** ** ********. *** ****** ******* takes * *** *******.

*** ******* ******** "** *** **" ****** ********* *** "*** and ***" ******** *********, ***** ****** *** ******** ** *********'* most ******* ** *******, *** ****-****** *********.

Hikpack *****

* ** *** ***** *********** ** ******** ** *** *** hikpack *******. *** ***** ******* * ***** *******, * *********** of************* ****-***** ***** ***** ******** ** ****.

** *** ******* *** **** ********* ******** ****** (********* ******** ********* ****), ***** *** **** ****** ***** *** ********* *******:

** *** ***** ** ****** **** ************* (*.*., ******** ******** from *******), ******* "-* *" ** **** ** ** ******* the ***** ** ** ******* *******:

*** ********* ******** ** **** ****** ** *** ********* ********* ("test1" ** **** ****), ***** *** ** *******, ** ******** further ** ******** *****.

Sample ********* ********

***** **** *******, *** ** **** ** ******* *** ******* Hikvision's ******** ******** ****** ** *** * *** ** ******** files. ************** .*** ***** ********* ****** ********** ***** *** *********** ** examine.

******* **** *** ****, ******** *** *** *********** / ********** of *********'* ********:

**** *********** ******** **** *** ********* *****:

*** ********* "*****.***-**************" ******** *** **** ** *** ***** ********* system **** **** ** *** ******. **** **** ********* ** can **** ** /***/****** *** *** ** ******** * ****** value:

**** ***** **** ***** ** * ****-***** "****" ****, **** alone ** *** **********, ** ********* ***** ***** ** ***** a **** **** ** *** ********* *****. *** **** ** other ***** ***** ******** **** ***** ******* ** *** ****** runs ** ****, ***** *** **** ** ***** *********** ********** if ********** *** ***** ** ***** *********.

/***/****.*/*** ***** *** ********* *** ******** *** ****** ***** ** when ** ******:

*** *********** **** **** ** *** ******** ******** ****, ******* the ****** ** **** *********** ****** ** ** **** ** (SSH). ***** ****** ** ** **** ** **** *** *********** if *** ** *** ******* ** *** ******.

********* *** /***/*** **** **** ** ****** ***** **** **** shows *** ***** ******* ***** "********", * ****** *** ****** **** ** ******** *******:

** *** ******** **** *** ******* ***, *** ***** **** likely ** **** ** **** *** ****** ** *** ******, which ***** **** ******* *** ** **** *** **** ******** of *** ******.

***** ** **** * ****** **** ****** "*************", ***** **** implies ** ***** ** ****** **** ***** ********* ** ******* system-level ******** ** ******** ** ***** *******.

***** **** ** ***** ***** ******** ** ******** ******** *****, they ** **** **** ******** *** ********* ***** ****** ** keep ** *** ****** *******, *** ******* ** * ******** rule, ******* ** ****** *** ******* *** ** ***.

Firmware ********** **** ********

*** ********* ******** ****** **** *********** *** ********* ** ******* the ***** ******** ** *** ********. **** **** **** *** analysis ** ** ******** ** ***** *** ********** ********** **** can ** *********, *********, ***. **** ** *** *** *********** *************** ************ **********, **** *********** ******* ** ******* ******** ***** *** then ******* **** *** **********.

****** ********* ** *** **** ****** ** ******** ***** ** find *********** ********** ** * ******, ****** **** ****** ***** their *** **** ******.*** ********* **** *** ********** *** ******* ******** **** ** 70+ *** ************ **** ** **** **** **** ******** ******** ********.

Comments (16)

Good Stuff, keep it coming.

Funny I didnt have to de-crypt it But then again I use real tool set OS

Binwalk from source does a better job than from the repos in my opinion

Kali_screenshot

Surprised we are doing firmware dumps on here though< i had been debating whether or not post some.

What version of Kali are you running if you don't mind me asking?

I assume the only reason to have a server running and blocking all inc connection instead of not having the server running at all, would be to be able to access the server via a backdoor...

Or am i being influenced by all those hacks and cia/nsa docs recently? =P

So,

is there a bookdoor? or "phone home" ?

This decrypted firmware download will lead Hikvision into serious issues. Now all the bored ppl. out there start playing with their Kali-Toolbox (decompilers and soucecode vulnerability scanners) and they WILL find many new attack vectors.

Hikvision should prepare for a massive demand of firmware updates...

It's been known how to decrypt the firmware for a long while. Most of the obvious vulnerabilities have been found.

You also don't get sourcecode out of a firmware image.

Could also be a test to verify port 22 is indeed blocked before shipping?

There is no need to a block a port that is not running any services.

Unless I misread, SSH is running:

"Examining the /etc/app file that is called after this line shows the first command loads "dropbear", a common SSH server used on embedded devices:"

"why Hikvision would choose to keep an SSH server running, but blocked by a firewall rule, instead of simply not running SSH at all."

Because they can disable the firewall rule by a hidden cgi or whatever... the answer is in the download.

Here's an interesting thought. I'm not sure I agree with my thought yet, but it's worth a discussion... how about Hikvision just open sources their camera firmware? They make money on hardware sales and if they open source it, they would benefit from the community contributing to their code (or at the very least scrutinizing the security vulnerabilities). There may be a few pieces that they'd want to keep to themselves, like any advanced encoding features, or perhaps some of the analytics, but they could also benefit from the transparency of allowing others to see the source.

Most parts of the firmware are open source anyways.

A Linux system always contains many GPL based packages.

The GPL terms of use allow everybody who's interested to request the source code of all GPL licensed packages at any time. The manufacturer has to send you a file that includes all GPL parts and all of his modifications to GPL based code. The "copyleft" of the GPL requires the manufacturer to publish his modifications to GPL code also under GPL license. This applies e.g. to driver/kernel modifications to support the different SoC's.

Please check yourself: https://en.wikipedia.org/wiki/GNU_General_Public_License

Does Hikvision provide such a GPL download?

Hikvision does now, actually. See Hikvision Discloses Open Source Software Used

Just some of the software used under GPL:

  • GCC library
  • Linux kernel
  • busybox 1.19.3
  • u-boot
  • udev 114
  • IPTables 1.4.18
  • ppp - Pauls PPP Package 2.4.3
  • RP PPP OE 3.8
  • wpa_supplicant 0.7.2
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

First US State, Vermont, Bans Dahua and Hikvision on Feb 21, 2019
The first US state, Vermont, has issued a ban on a number of Chinese and Russian manufacturers including the world's 2 largest video surveillance...
Massive Leak Of Chinese VMS Provider Exposes Xinjiang Surveillance on Feb 20, 2019
A subsidiary of China’s claimed largest VMS provider is tracking the precise location and ethnicity of millions in China’s Xinjiang region,...
Security Installation Tools Guide - 22 Tools Listed on Feb 19, 2019
In this guide, we cover 22 tools that security installers frequently use. This is one part of our upcoming Video Surveillance...
Hikvision 2018 Revenue Tops $7 Billion USD But Growth Slows To Low on Feb 15, 2019
Hikvision's annual revenue topped $7 billion for the first time in 2018, although growth slowed sharply. In this post, we analyze the latest...
Hikvision Chairman Praises United Front on Feb 14, 2019
Hikvision’s controlling shareholder held a meeting last month praising the United Front, a Communist Party organization known for its secretive...
US Senator Calls Hikvision and Dahua “Puppets of the Chinese Communist Party”, Urges Sanctions on Feb 07, 2019
Tom Cotton, Republican senator from Arkansas, has publicly called Hikvision and Dahua “puppets of the Chinese Communist Party and the People’s...
No Genetec Major Releases In Over A Year on Feb 06, 2019
Annual VMS licenses are a controversial practice in the video surveillance industry, with many questioning their need or value. However, enterprise...
3 UK MPs Call For Investigating Hikvision Over Xinjiang on Feb 04, 2019
3 UK members of Parliament, including 2 with direct comments to IPVM, have called for the UK government to investigate Hikvision's Xinjiang...
Hanwha Techwin Favorability Results 2019 on Jan 31, 2019
Hanwha Techwin's favorability results surged, in IPVM's 2019 study, going from barely neutral in 2016 to strongly net positive, as the results...
Dahua China Significant Job Cuts on Jan 28, 2019
Dahua China has cut a significant number of jobs in the past few months, according to numerous sources. This is a significant shift from Dahua's...

Most Recent Industry Reports

Outdoor Camera Mounting Hardware Guide on Feb 21, 2019
Mounting cameras outdoors can be challenging, requiring understanding different types of equipment and methods. In this guide, we teach this...
HID Favorability Results 2019 on Feb 21, 2019
HID favorability results were strong, in the 2019 IPVM integrator study of 200+ integrators, with a net +62% and low negativity as the table below...
First US State, Vermont, Bans Dahua and Hikvision on Feb 21, 2019
The first US state, Vermont, has issued a ban on a number of Chinese and Russian manufacturers including the world's 2 largest video surveillance...
ADI 'SAVE BIG' On FLIR And Hikvision Examined on Feb 20, 2019
One is a major US defense supplier. The other is owned by the Chinese government. But you can "SAVE BIG" on both at ADI. In this note, we...
BluB0x Company Profile on Feb 20, 2019
BluB0x has doubled in revenue every year since its founding in 2013, according to CEO Patrick Barry. We originally reported on them in 2015. At the...
Security Installation Tools Guide - 22 Tools Listed on Feb 19, 2019
In this guide, we cover 22 tools that security installers frequently use. This is one part of our upcoming Video Surveillance...
Sales Cuts At Rasilient on Feb 19, 2019
Over the past 2 years, video surveillance storage specialist Rasilient has expanded its workforce significantly, aiming to build its own branded...
Exacq Raises VMS Software Pricing Twice in Less Than a Year on Feb 18, 2019
Most VMSes regularly release new features, but rarely increase their prices. For the 3rd time in 4 years, and 2nd time in 8 months, since being...
Axis IR Multi Imager Camera Tested (P3717-PLE) on Feb 18, 2019
Axis has released their first IR multi imager, the P3717-PLE, a repositionable model listing 360° IR illumination and flexible positioning,...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact