Hikvision Firmware Decrypted

By: Brian Karas, Published on Mar 09, 2017

A developer has decrypted Hikvision's firmware, allowing examination of Hikvision's device source code and contents.

In this report, we overview the tool, showing you how it works, sharing a Hikvision's camera decrypted firmware and overviewing some things to look for inside.

* ********* *** ********* Hikvision's ********, ******** *********** of *********'* ****** ****** code *** ********.

** **** ******, ** overview *** ****, ******* you *** ** *****, ******* a *********'* ****** ********* firmware *** *********** **** things ** **** *** inside.

[***************]

Utility ********

*** *********, ***********, ********* *** ******* ** the ******* **** ** ipcamtalk. "*******" ** ***** for "********* ******/********". ** decrypts *** ******** ****** Hikvision ******** ******, ******** the ********* **** ******* to *******, *** ******* them **** *** ****** required ** ******* ** on * ****** ** recorder. *** ****** ******* takes * *** *******.

*** ******* ******** "** and **" ****** ********* *** "k41 *** ***" ******** platforms, ***** ****** *** majority ** *********'* **** popular ** *******, *** 7600-series *********.

Hikpack *****

* ** *** ***** environment ** ******** ** run *** ******* *******. For ***** ******* * linux *******, * *********** of ********** *** * ***-***** ***** ***** ***** *** ** ****.

** *** ******* *** need ********* ******** ****** (********* ******** ********* ****), ***** *** **** unpack ***** *** ********* command:

** *** ***** ** ****** with ************* (*.*., ******** language **** *******), ******* "-L *" ** **** it ** ******* *** image ** ** ******* version:

*** ********* ******** ** left ****** ** *** specified ********* ("*****" ** this ****), ***** *** be *******, ** ******** further ** ******** *****.

Sample ********* ********

***** **** *******, *** is **** ** ******* *** extract *********'* ******** ******** images ** *** * set ** ******** *****. Using ******* ** .*** ***** ********* ****** additional ***** *** *********** to *******.

******* **** *** ****, displays *** *** *********** / ********** ** *********'* firmware:

**** *********** ******** **** the ********* *****:

*** ********* "*****.***-**************" ******** the **** ** *** linux ********* ****** **** runs ** *** ******. From **** ********* ** can **** ** /***/****** *** see ** ******** * single *****:

**** ***** **** ***** is * ****-***** "****" user, **** ***** ** not **********, ** ********* linux ***** ** ***** a **** **** ** run ********* *****. *** lack ** ***** ***** would ******** **** ***** process ** *** ****** runs ** ****, ***** can **** ** ***** exploitable ********** ** ********** are ***** ** ***** processes.

/***/****.*/*** ***** *** ********* and ******** *** ****** kicks ** **** ** starts:

*** *********** **** **** is *** ******** ******** rule, ******* *** ****** to **** *********** ****** in ** **** ** (SSH). ***** ****** ** no **** ** **** SSH *********** ** *** is *** ******* ** the ******.

********* *** /***/*** **** that ** ****** ***** this **** ***** *** first ******* ***** "********", * ****** *** server **** ** ******** devices:

** *** ******** **** was ******* ***, *** would **** ****** ** able ** **** *** access ** *** ******, which ***** **** ******* you ** **** *** root ******** ** *** camera.

***** ** **** * binary **** ****** "*************", whose **** ******* ** could ** ****** **** other ********* ** ******* system-level ******** ** ******** to ***** *******.

***** **** ** ***** items ******** ** ******** security *****, **** ** call **** ******** *** Hikvision ***** ****** ** keep ** *** ****** running, *** ******* ** a ******** ****, ******* of ****** *** ******* SSH ** ***.

Firmware ********** **** ********

*** ********* ******** ****** both *********** *** ********* to ******* *** ***** workings ** *** ********. With **** **** *** analysis ** ** ******** to ***** *** ********** ********** that *** ** *********, backdoors, ***. **** ** how *** ****** ***** ******** *** **** ******** **** **********, **** *********** managed ** ******* ******** files *** **** ******* them *** **********.

****** ********* ** *** need ****** ** ******** files ** **** *********** components ** * ******, having **** ****** ***** their *** **** ******. *** ********* **** *** researcher *** ******* ******** used ** **+ *** brands ****** **** ** **** this **** ******** ******** approach.

 

Comments (16)

Good Stuff, keep it coming.

 Funny I didnt have to de-crypt it But then again I use real tool set OS

Binwalk from source does a better job than from the repos in my opinion

Kali_screenshot

Surprised we are doing firmware dumps on here though< i had been debating whether or not post some.

What version of Kali are you running if you don't mind me asking?

I assume the only reason to have a server running and blocking all inc connection instead of not having the server running at all, would be to be able to access the server via a backdoor...

Or am i being influenced by all those hacks and cia/nsa docs recently? =P

So,  

is there a bookdoor? or "phone home" ?

This decrypted firmware download will lead Hikvision into serious issues. Now all the bored ppl. out there start playing with their Kali-Toolbox (decompilers and soucecode vulnerability scanners) and they WILL find many new attack vectors. 

Hikvision should prepare for a massive demand of firmware updates... 

It's been known how to decrypt the firmware for a long while. Most of the obvious vulnerabilities have been found.

You also don't get sourcecode out of a firmware image.

Could also be a test to verify port 22 is indeed blocked before shipping?

There is no need to a block a port that is not running any services. 

Unless I misread, SSH is running:

 

"Examining the /etc/app file that is called after this line shows the first command loads "dropbear", a common SSH server used on embedded devices:"

 

"why Hikvision would choose to keep an SSH server running, but blocked by a firewall rule, instead of simply not running SSH at all."

Because they can disable the firewall rule by a hidden cgi or whatever... the answer is in the download. 

Here's an interesting thought.  I'm not sure I agree with my thought yet, but it's worth a discussion... how about Hikvision just open sources their camera firmware?  They make money on hardware sales and if they open source it, they would benefit from the community contributing to their code (or at the very least scrutinizing the security vulnerabilities).  There may be a few pieces that they'd want to keep to themselves, like any advanced encoding features, or perhaps some of the analytics, but they could also benefit from the transparency of allowing others to see the source.

Most parts of the firmware are open source anyways.

A Linux system always contains many GPL based packages.

The GPL terms of use allow everybody who's interested to request the source code of all GPL licensed packages at any time. The manufacturer has to send you a file that includes all GPL parts and all of his modifications to GPL based code. The "copyleft" of the GPL requires the manufacturer to publish his modifications to GPL code also under GPL license. This applies e.g. to driver/kernel modifications to support the different SoC's.

Please check yourself: https://en.wikipedia.org/wiki/GNU_General_Public_License

Does Hikvision provide such a GPL download?

Hikvision does now, actually. See Hikvision Discloses Open Source Software Used

Just some of the software used under GPL:

  • GCC library
  • Linux kernel
  • busybox 1.19.3
  • u-boot
  • udev 114
  • IPTables 1.4.18
  • ppp - Pauls PPP Package 2.4.3
  • RP PPP OE 3.8
  • wpa_supplicant 0.7.2

 

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Directory of 68 Video Surveillance Startups on Sep 18, 2019
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known. 2019...
US Army Base To Buy Banned Honeywell Surveillance on Sep 17, 2019
The U.S. Army's Fort Gordon, home to their Cyber Center of Excellence, has issued a solicitation to purchase Honeywell products that are US...
Installation Course - Last Chance - Register Now on Sep 12, 2019
Last Chance - Register Now - September 2019 Video Surveillance Install Course. Thursday, September 12th is your last chance to register for the...
US State Department: "Chinese Tech Giants" "Tools of the Chinese Communist Party" on Sep 12, 2019
The US State Department has called out "Chinese tech giants" for being "tools of the Chinese Communist Party" in a blunt new speech that makes...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
Hikvision Lobbying Against And Preparing For Potential US Sanctions on Sep 09, 2019
Hikvision has been lobbying against and preparing for potential US sanctions, according to US government records, financial filings and partner...
Genetec Stratocast VSaaS Tested on Sep 05, 2019
The VSaaS market is rapidly expanding in 2019, with Verkada, Meraki, Eagle Eye, Avigilon and numerous startups growing their market share. When we...
Megvii Financials and Growth Examined on Aug 30, 2019
Megvii has already received more than a billion dollars in investment. Now, the company, a top China facial recognition provider, has filed for an...
Register Now - October 2019 IP Networking Course on Aug 28, 2019
Register now for the Fall 2019 IP Networking Course. This is the only networking course designed specifically for video surveillance...
In China, Foreign AI Companies Banned or Disadvantaged, Says Top China AI Company on Aug 28, 2019
Non-China (PRC) companies are prejudiced and unfairly targeted inside of the PRC's booming AI market, which not only denies them revenue inside of...

Most Recent Industry Reports

Directory of 68 Video Surveillance Startups on Sep 18, 2019
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known. 2019...
Uniview Prime Series 4K Camera Tested on Sep 18, 2019
Is the new Uniview 'Prime' better than the more expensive existing Uniview 'Pro'? In August, IPVM tested Uniview 4K 'Pro' but members advocated...
US Army Base To Buy Banned Honeywell Surveillance on Sep 17, 2019
The U.S. Army's Fort Gordon, home to their Cyber Center of Excellence, has issued a solicitation to purchase Honeywell products that are US...
Vivotek "Neural Network-Powered Detection Engine" Analytics Tested on Sep 17, 2019
Vivotek has released "a neural network-powered detection engine", named Smart Motion Detection, claiming that "swaying vegetation, vehicles passing...
Schmode is Back, Aims To Turn Boulder AI Into Giant on Sep 16, 2019
One of the most influential and controversial executives in the past decade is back. Bryan Schmode ascended and drove the hypergrowth of Avigilon...
Manufacturers Unhappy With Weak ASIS GSX 2019 And 2020 Shift on Sep 16, 2019
Manufacturers were generally unhappy with ASIS GSX, both for weak 2019 booth traffic and a scheduling shift for the 2020 show, according to a new...
How Cobalt Robotics May Disrupt Security on Sep 13, 2019
While security robots have largely become a joke over the last few years, one organization, Cobalt Robotics, has raised $50+ million from top US...
Panasonic 4K Camera Tested (WV-S2570L) on Sep 13, 2019
Panasonic has released their latest generation 4K dome, the WV-S2570L, claiming "Extreme image quality allows evidence to be captured even under...
ASIS GSX 2019 Final Show Report on Sep 12, 2019
IPVM went to Chicago for ASIS GSX 2019, with many exhibitors disappointed about traffic and the exhibitor schedule changing next year. However,...
Installation Course - Last Chance - Register Now on Sep 12, 2019
Last Chance - Register Now - September 2019 Video Surveillance Install Course. Thursday, September 12th is your last chance to register for the...