Find new firmware for this IP Cam?

Cljs

Young grasshopper
Joined
May 21, 2014
Messages
48
Reaction score
19
I bought an 'OEM 2MP 1080p Bullet Camera 3.6mm Lens' from Empire Security this past year. A few months ago I realized that there was malware in the firmware, the 'brenz.pl' frame, detected by Chrome, which is apparently in the firmware of a lot of Chinese cameras. (Deliberate? To what end? I don't know)


I'd like to replace the firmware with something without malicious code. Empire did not respond to my email. Maybe I can just find firmware that will work.

Using Onvif Device Manager, the camera is identified as an NVT, model 53H20L_S39. The firmware version is V4.02.R11.00002532.10010.240100.ONVIF 2.4.

Any idea where I might find firmware without malware that will work on this camera?
 

gordo

Pulling my weight
Joined
Apr 17, 2014
Messages
252
Reaction score
186
You might try calling Empire on the phone. I was having a problem about a year and a half ago, and they didn't respond to emails. I called them and got the problem fixed.
 

Cljs

Young grasshopper
Joined
May 21, 2014
Messages
48
Reaction score
19
You might try calling Empire on the phone. I was having a problem about a year and a half ago, and they didn't respond to emails. I called them and got the problem fixed.
Website is down, and I noticed on their emails they never list a phone number. I wonder if they are out of business?
 

Cljs

Young grasshopper
Joined
May 21, 2014
Messages
48
Reaction score
19
That line of firmware is listed on quite a lot of sites - but what's not clear is what hardware each version relates to.
An example is here : http://www.enster.com/faq/showfaq-21.html
These appear to match: same camera name and firmware version.

https://pan.sohu.net/f/MTY4MDcsaGR1Ymk.htm

Can I assume that there is a high risk of bricking the camera if I try to install the wrong firmware?

Does anyone here feel OK with having a camera with the Brenz.pl malware in the firmware on their network?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
Can I assume that there is a high risk of bricking the camera if I try to install the wrong firmware?
Incorrect, you can assume there is a high risk of bricking the camera if you install the RIGHT firmware; and it's virtually guaranteed if you install the wrong firmware.

there are rarely any recovery options; is it worth it?
 

Cljs

Young grasshopper
Joined
May 21, 2014
Messages
48
Reaction score
19
Incorrect, you can assume there is a high risk of bricking the camera if you install the RIGHT firmware; and it's virtually guaranteed if you install the wrong firmware.

there are rarely any recovery options; is it worth it?
That's what I was afraid of.

Do you have an opinion about the risk of having a camera with this Brenz.pl malware on my network? (I ran the ShieldsUP! security profiling and it looks like my only open router ports are the ones I designated for my Blue Iris server, everything else is nonresponsive.)

If you found this malware on one of your cams, what would you do?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
my cameras are on an isolated network w/out internet access so I wouldn't be too concerned about it personally; because I treat em all like they have malware even if I have no evidence of it.

you could block the domain on your network so it doesn't accidentally infect anything, or just throw it in the trash can.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Out of curiosity I unpacked the firmware and chucked the web archive at VirusTotal - zero hits from 54 AVs :
Code:
SHA256: fc2714b1d84f436f34ef18c9f2e60ec43705086237dde2e48529baf5db1fc4ca
File name: web-x.cramfs.img
Detection ratio: 0 / 54
Analysis date: 2016-11-03 20:30:38 UTC (0 minutes ago)
A bit of an assumption, maybe optimistic, that any web-based malware would be in that specific archive.
I may try the other archives later.
 

Cljs

Young grasshopper
Joined
May 21, 2014
Messages
48
Reaction score
19
Out of curiosity I unpacked the firmware and chucked the web archive at VirusTotal - zero hits from 54 AVs :
Code:
SHA256: fc2714b1d84f436f34ef18c9f2e60ec43705086237dde2e48529baf5db1fc4ca
File name: web-x.cramfs.img
Detection ratio: 0 / 54
Analysis date: 2016-11-03 20:30:38 UTC (0 minutes ago)
A bit of an assumption, maybe optimistic, that any web-based malware would be in that specific archive.
I may try the other archives later.
To clarify, is that the firmware from the site that I linked?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
OK, so I stripped out the other modules and got them scanned at VirusTotal.
Just a few of the scanners didn't recognise all the Linux file formats.
All of the active files were correctly recognised for their Linux type by VirusTotal.
Zero threats were noted.
I also grepped all the files for any occurrences of the string and substrings brenz.pl and breza.pl with nothing found.
So - on the face of it, this firmware download appears to be benign.
Caveats though - malware can be obfuscated in such a way that it's shrouded from scanners, so a lack of a positive is not a guarantee of a negative.
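
The check described in the post above (searching the unpacked files for brenz.pl and breza.pl), as an added example that is not part of the thread or any poster's own code: it also looks inside gzip-compressed files, which a plain grep does not see into, and flags any iframe that loads an off-device URL. The function names and the sample tree are constructed for illustration, and that a given firmware stores web assets gzip-compressed is an assumption.

```python
import gzip
import os
import re
import zlib

INDICATORS = (b"brenz.pl", b"breza.pl")  # strings the thread grepped for (matched case-insensitively)
# An iframe whose src is an absolute or protocol-relative URL (off-device content).
IFRAME_RE = re.compile(rb"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?((?:https?:)?//[^\"'\s>]+)", re.I)

def views(data):
    """Yield (label, bytes): the raw file, plus its gunzipped form if it is gzip."""
    yield "raw", data
    if data[:2] == b"\x1f\x8b":  # gzip magic; plain grep cannot see inside these
        try:
            yield "gunzip", gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            pass  # truncated or not really gzip; the raw view was still scanned

def scan_tree(root):
    """Return sorted (relative_path, view, finding) tuples for an unpacked tree."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # do not follow symlinks out of the unpacked tree
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for label, blob in views(data):
                lowered = blob.lower()
                for ind in INDICATORS:
                    if ind in lowered:
                        findings.add((rel, label, "indicator=" + ind.decode()))
                for m in IFRAME_RE.finditer(blob):
                    findings.add((rel, label, "iframe-src=" + m.group(1).decode("latin-1")))
    return sorted(findings)

def build_sample_tree(root):
    samples = {  # CONSTRUCTED web root for a demo run, not real firmware content
        "index.htm": b"<html><iframe src='view.htm'></iframe></html>",
        "login.htm": b"<html>login<IFRAME SRC=\"http://Brenz.pl/\" width=1></IFRAME></html>",
        "js/app.js.gz": gzip.compress(b"document.write('<iframe src=//breza.pl/></iframe>');\n" * 3),
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
```

Point `scan_tree` at the directory where a firmware archive was unpacked; the local iframe in the sample `index.htm` is not reported, while the compressed script is caught only through its `gunzip` view.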
 

Cljs

Young grasshopper
Joined
May 21, 2014
Messages
48
Reaction score
19
OK, so I stripped out the other modules and got them scanned at VirusTotal.
Just a few of the scanners didn't recognise all the Linux file formats.
All of the active files were correctly recognised for their Linux type by VirusTotal.
Zero threats were noted.
I also grepped all the files for any occurrences of the string and substrings brenz.pl and breza.pl with nothing found.
So - on the face of it, this firmware download appears to be benign.
Caveats though - malware can be obfuscated in such a way that it's shrouded from scanners, so a lack of a positive is not a guarantee of a negative.
Thanks for checking that. My biggest concern is whether this firmware will work in my camera, or will it brick it? Sounds like it is very difficult to know and that the bricking is a likely outcome. Risk/benefit equation, decision to take the risk depends on how dangerous this brenz.pl malware is.
 

Cljs

Young grasshopper
Joined
May 21, 2014
Messages
48
Reaction score
19
unfortunately, the virus is present.
I can suggest you to use purified virus from the firmware. Made for my company
https://yadi.sk/d/E1uAcCFHtiNE9
Thanks for your help.

I noticed that this firmware that you linked to is called 'General_HZXM_IPC_HI3516C_53H20L_S38_V4.02.R11.Nat.OnvifS.20160511_Alarm.bin' , it has 53H20L_S38 in the filename.

My camera is 53H20L_S39. So probably for a different camera? Or would the same firmware work for both 53H20L_S38 and 53H20L_S39?
 