Hikvision Firmware Decrypted

By: Brian Karas, Published on Mar 09, 2017

A developer has decrypted Hikvision's firmware, allowing examination of Hikvision's device source code and contents.

In this report, we overview the tool, showing you how it works, sharing a Hikvision's camera decrypted firmware and overviewing some things to look for inside.

* ********* *** ********* Hikvision's ********, ******** *********** of *********'* ****** ****** code *** ********.

** **** ******, ** overview *** ****, ******* you *** ** *****, ******* a *********'* ****** ********* firmware *** *********** **** things ** **** *** inside.

[***************]

Utility ********

*** *********, ***********, ********* *** ******* ** the ******* **** ** ipcamtalk. "*******" ** ***** for "********* ******/********". ** decrypts *** ******** ****** Hikvision ******** ******, ******** the ********* **** ******* to *******, *** ******* them **** *** ****** required ** ******* ** on * ****** ** recorder. *** ****** ******* takes * *** *******.

*** ******* ******** "** and **" ****** ********* *** "k41 *** ***" ******** platforms, ***** ****** *** majority ** *********'* **** popular ** *******, *** 7600-series *********.

Hikpack *****

* ** *** ***** environment ** ******** ** run *** ******* *******. For ***** ******* * linux *******, * *********** of ********** *** * ***-***** ***** ***** ***** *** ** ****.

** *** ******* *** need ********* ******** ****** (********* firmware ********* **** [**** no ****** *********]), ***** you **** ****** ***** the ********* *******:

** *** ***** ** ****** with ************* (*.*., ******** language **** *******), ******* "-L *" ** **** it ** ******* *** image ** ** ******* version:

*** ********* ******** ** left ****** ** *** specified ********* ("*****" ** this ****), ***** *** be *******, ** ******** further ** ******** *****.

Sample ********* ********

***** **** *******, *** is **** ** ******* *** extract *********'* ******** ******** images ** *** * set ** ******** *****. Using ******* ** .*** ***** ********* ****** additional ***** *** *********** to *******.

******* **** *** ****, displays *** *** *********** / ********** ** *********'* firmware:

**** *********** ******** **** the ********* *****:

*** ********* "*****.***-**************" ******** the **** ** *** linux ********* ****** **** runs ** *** ******. From **** ********* ** can **** ** /***/****** *** see ** ******** * single *****:

**** ***** **** ***** is * ****-***** "****" user, **** ***** ** not **********, ** ********* linux ***** ** ***** a **** **** ** run ********* *****. *** lack ** ***** ***** would ******** **** ***** process ** *** ****** runs ** ****, ***** can **** ** ***** exploitable ********** ** ********** are ***** ** ***** processes.

/***/****.*/*** ***** *** ********* and ******** *** ****** kicks ** **** ** starts:

*** *********** **** **** is *** ******** ******** rule, ******* *** ****** to **** *********** ****** in ** **** ** (SSH). ***** ****** ** no **** ** **** SSH *********** ** *** is *** ******* ** the ******.

********* *** /***/*** **** that ** ****** ***** this **** ***** *** first ******* ***** "********", * ****** *** server **** ** ******** devices:

** *** ******** **** was ******* ***, *** would **** ****** ** able ** **** *** access ** *** ******, which ***** **** ******* you ** **** *** root ******** ** *** camera.

***** ** **** * binary **** ****** "*************", whose **** ******* ** could ** ****** **** other ********* ** ******* system-level ******** ** ******** to ***** *******.

***** **** ** ***** items ******** ** ******** security *****, **** ** call **** ******** *** Hikvision ***** ****** ** keep ** *** ****** running, *** ******* ** a ******** ****, ******* of ****** *** ******* SSH ** ***.

Firmware ********** **** ********

*** ********* ******** ****** both *********** *** ********* to ******* *** ***** workings ** *** ********. With **** **** *** analysis ** ** ******** to ***** *** ********** ********** that *** ** *********, backdoors, ***. **** ** how *** ****** ***** ******** *** **** ******** **** **********, **** *********** managed ** ******* ******** files *** **** ******* them *** **********.

****** ********* ** *** need ****** ** ******** files ** **** *********** components ** * ******, having **** ****** ***** their *** **** ******. *** ********* **** *** researcher *** ******* ******** used ** **+ *** brands ****** **** ** **** this **** ******** ******** approach.

 

Comments (16)

Good Stuff, keep it coming.

 Funny I didnt have to de-crypt it But then again I use real tool set OS

Binwalk from source does a better job than from the repos in my opinion

Kali_screenshot

Surprised we are doing firmware dumps on here though< i had been debating whether or not post some.

What version of Kali are you running if you don't mind me asking?

I assume the only reason to have a server running and blocking all inc connection instead of not having the server running at all, would be to be able to access the server via a backdoor...

Or am i being influenced by all those hacks and cia/nsa docs recently? =P

So,  

is there a bookdoor? or "phone home" ?

This decrypted firmware download will lead Hikvision into serious issues. Now all the bored ppl. out there start playing with their Kali-Toolbox (decompilers and soucecode vulnerability scanners) and they WILL find many new attack vectors. 

Hikvision should prepare for a massive demand of firmware updates... 

It's been known how to decrypt the firmware for a long while. Most of the obvious vulnerabilities have been found.

You also don't get sourcecode out of a firmware image.

Could also be a test to verify port 22 is indeed blocked before shipping?

There is no need to a block a port that is not running any services. 

Unless I misread, SSH is running:

 

"Examining the /etc/app file that is called after this line shows the first command loads "dropbear", a common SSH server used on embedded devices:"

 

"why Hikvision would choose to keep an SSH server running, but blocked by a firewall rule, instead of simply not running SSH at all."

Because they can disable the firewall rule by a hidden cgi or whatever... the answer is in the download. 

Here's an interesting thought.  I'm not sure I agree with my thought yet, but it's worth a discussion... how about Hikvision just open sources their camera firmware?  They make money on hardware sales and if they open source it, they would benefit from the community contributing to their code (or at the very least scrutinizing the security vulnerabilities).  There may be a few pieces that they'd want to keep to themselves, like any advanced encoding features, or perhaps some of the analytics, but they could also benefit from the transparency of allowing others to see the source.

Most parts of the firmware are open source anyways.

A Linux system always contains many GPL based packages.

The GPL terms of use allow everybody who's interested to request the source code of all GPL licensed packages at any time. The manufacturer has to send you a file that includes all GPL parts and all of his modifications to GPL based code. The "copyleft" of the GPL requires the manufacturer to publish his modifications to GPL code also under GPL license. This applies e.g. to driver/kernel modifications to support the different SoC's.

Please check yourself: https://en.wikipedia.org/wiki/GNU_General_Public_License

Does Hikvision provide such a GPL download?

Hikvision does now, actually. See Hikvision Discloses Open Source Software Used

Just some of the software used under GPL:

  • GCC library
  • Linux kernel
  • busybox 1.19.3
  • u-boot
  • udev 114
  • IPTables 1.4.18
  • ppp - Pauls PPP Package 2.4.3
  • RP PPP OE 3.8
  • wpa_supplicant 0.7.2

 

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Subnetting for Video Surveillance on Apr 30, 2019
This guide explains when subnetting is used on security networks, and how it works. We explain how to add or remove IP addresses to your range,...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Vivotek Trend Micro Cyber Security Camera App Tested on Jul 22, 2019
Vivotek and Trend Micro are claiming five million blocked attacks on IP cameras, with their jointly developed app for Vivotek cameras. This new...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Warning: Windows 7 Update Crashing NVRs on Aug 26, 2019
Windows 7 updates are causing VMS servers to fail to boot. After running the update, impacted systems do not boot as normal, instead display this...
ONVIF Exposure To "Devastating DDoS Attacks" Examined on Sep 06, 2019
ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices. And after an...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...

Most Recent Industry Reports

Brivo Business Profile 2020 on Jan 27, 2020
Brivo has been doing cloud access for more than 20 years. Is the 2020s the decade that cloud access becomes the norm? CEO Steve Van Till recently...
Favorite VMS / NVR Manufacturers 2020 on Jan 27, 2020
In 2018, a new winner emerged and a former top choice declined. Now, there is a new #1, a new top 5 finisher and 2 major VMSes in decline. Our...
"Hikvision Football Arena" Lithuania Causes Controversy on Jan 24, 2020
Controversy has arisen in Lithuania over Hikvision becoming a soccer team's top sponsor and gaining naming rights to their arena, with one local MP...
Axis and Genetec Drop IFSEC 2020 on Jan 23, 2020
Two of the best-known video surveillance manufacturers are dropping IFSEC International 2020, joining Milestone who dropped IFSEC in 2019. The...
Multipoint Door Lock Tutorial on Jan 23, 2020
Despite widespread use, locked doors are notoriously weak at stopping entry, and thousands can be misspent on locks that leave doors quite...
Avigilon Shifts Cloud Strategy - Merges Blue and ACC on Jan 23, 2020
Avigilon is shifting its cloud strategy, phasing out its Blue web-managed surveillance platform as a stand-alone brand and merging it with its ACC...
Verkada Paying $100 For Referrals Just To Demo on Jan 22, 2020
Some companies pay for referrals when the referral becomes a customer. Verkada is taking it to the next level - paying $100 referrals fees simply...
Camera Analytics Shootout 2020 - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jan 22, 2020
Analytics are hot again, thanks to a slew of AI-powered cameras, but whose analytics really work? And how do these new smart cameras compare to top...
Intersec 2020 Final Show Report on Jan 21, 2020
IPVM spent all 3 days at the Intersec 2020 show interviewing various companies and finding key trends. We cover: Middle East Enterprise...
Vehicle & Long Range Access Reader Tutorial on Jan 21, 2020
One of the classic challenges for access control are parking lots and garages, where the user's credential is far from the reader. With modern...