Search results

  1. [MCR] R6 firmware IPC_R6_EN_STD_5.5.53_180730 -PSH +SSH +BUSYBOX

    Repack of the 5.5.53 firmware (R6 EN cameras) with the following changes:
    * Full-featured busybox
    * SSH access enabled
    * PSH (protected shell) disabled
    * Dropbear host key persists between reboots
    * Customizable init script
    IPC_R6_EN_STD_5.5.53_180730_mcr.zip — RGhost — file sharing service
    Enjoy.
  2. [MCR] K51 firmware NVR_K51_BL_ML_STD_V4.1.70 -PSH +BUSYBOX

    This was tested on DS-7616NI-I2
  3. [MCR] K51 firmware NVR_K51_BL_ML_STD_V4.1.70 -PSH +BUSYBOX

    It's been a while, time to upgrade. Here is the repack of the latest K51 NVR firmware.
    - full-featured busybox
    - persistent ssh keys
    - PSH removed
    NVR_K51_BL_ML_STD_V4.1.70_181114_mcr.zip — RGhost — file sharing service
  4. [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

    The segfault during decryption in version 2.5 of Hikpack is a bug. It was fixed in 2.6. The current version is 2.8, but the last published was 2.5. I was planning to improve the decryption routine to take a password as an option, and then publish it, but never got to do that. Hikvision improved...
  5. $500 for downgrade 5.5.0 --> 5.4.5, anyone?

    G1 can be downgraded relatively easily because its bootloader is not signed and its firmware update app can be manipulated to accept any firmware version. I think I posted the recovery image that can flash unsigned firmware. I don't remember if it was also patched to accept major versions lower...
  6. Hikvision backdoor? (WSJ article)

    I need no credit. I need to be able to trust my cameras. :)
  7. Hikvision backdoor? (WSJ article)

    Neutrally-toned, paywalled article, outdated information, too much credit to DHS, no mentioning of researchers, published 6 months too late... Typical WSJ.
  8. Backdoor found in Hikvision cameras

    A new, direct communications channel is actually good news. Assuming there are humans on the other side, the best strategy here is to use it. Everyone with a question, start dialing. Take notes, and after the call, publish them online and describe your experience, good or bad. They will have to...
  9. Backdoor found in Hikvision cameras

    Fascinating. You seem to have discovered (accidentally, of course - I understand) a den of Russian voyeuristic perverts who collaboratively use camera vulnerabilities to exercise their hand and arm muscles. It was very thoughtful of them to choose .hk domain for their home. Well, it was expected...
  10. [MCR] G1 firmware IPC_G1_EN_STD_5.4.5_170124 -PSH

    Repacked IPC_G1_EN_STD_5.4.5_170124 firmware with PSH disabled. You can load it after you install modified G1 minisystem (search this forum). It won't load via web GUI or through stock minisystem.
    IPC_G1_EN_STD_5.4.5_170124_mc.zip — RGhost — file sharing service
    Enjoy.
  11. Unrestricted root shell on G1 cameras

    New file attached to OP. The minisystem can now load unsigned firmware, for example this one:
    IPC_G1_EN_STD_5.4.5_170124_mc.zip — RGhost — file sharing service
    This is IPC_G1_EN_STD_5.4.5_170124 modified to disable PSH. No other changes.
  12. Unrestricted root shell on G1 cameras

    Attached is PSH-free minisystem image for G1. You can use it to get full filesystem access. The image comes with a full-featured busybox. The image allows loading unsigned firmware. The image will work with U-Boot 3.1.6-279309 (May 11 2017-13:36:13) or earlier. To install rooted minisystem: -...
  13. G0/G1 - 2CD2145F CN to English conversion (work-in-progress)

    Just received a G1. Contrary to popular belief, G1 is not an english equivalent of G0. It is a different camera platform based on Ambarella S3L. It resembles R2 -- the amboot does not have any firmware parsing code, it boots a minisystem that flashes digicap.dav. Good news -- amboot does not...
  14. [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

    It is possible, I just need to order a G1 to dump AES keys. I already have a pile of cameras I don't use... :) You won't be able to do much with it, unless you gain root access or modify the uboot to accept unsigned firmware. They now check signatures everywhere:
    - in the bootloader
    - in...
  15. G0/G1 - 2CD2145F CN to English conversion (work-in-progress)

    There are no hidden commands in uboot except "go." that loads sec.bin file from tftp. That file contains the rest of the u-boot, including all the commands you need to directly access ubifs filesystem or memory. Hikvision is obviously not interested in sharing sec.bin, but there have been leaks...
  16. Using Hik camera as a webcam

    Holy I-frames! A tennis club with no Internet? That is worse than a golf club without a wine bar!
  17. Backdoor found in Hikvision cameras

    Details published yesterday in the full disclosure mailing list. Peeping toms and botnet herders are probably celebrating.
  18. Long-shot help request - Hikvision DS-2CD3335D - G0 series IPC.

    Don't know about 3335, but other G0 cameras store it in the EMV chip. Here is flash layout from another G0 (mtd0-mtd12):
    name    size       start
    bld     0x0100000  0x0
    env     0x0080000  0x0100000
    enc     0x0080000  0x0180000
    sysflg  0x0080000  0x0200000
    dpt     0x0100000  0x0280000
    sys0...
  19. Backdoor found in Hikvision cameras

    jfyi, I plan to disclose all details of the backdoor when 6 months pass, which will be the second week of September. Updates are available and 6 months is more than enough time to apply them. There are, however, hundreds of thousands of cameras accessible via the Internet that still contain the...
  20. Watchdata EMV chips in R6, G0 and other cameras

    Congrats, you found how to read bootparams. Language code is at offset 0x10 (int, 0x000002 in your dump). Region code (WR/CH/RR, etc.) is a char at offset 0x55.
  21. [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

    The same binary in cameras with TI Davinci chipset is called Centaurus. Go figure. Centaurus is another TI chipset. I don't know if any hik cameras use that chipset, but I'd be interested to learn the name of the binary those cameras use.
  22. [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

    Only those for which it has crypto keys. R2 referenced above is not currently supported.
  23. [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

    It boils down to two things:
    - access to files containing encryption keys
    - ability to execute code on a live camera to extract keys not stored in nand flash
    For that, depending on the model, you need one or more of the following:
    - serial port access
    - shell access
    - kernel image
    -...
  24. Updatable cam or not. WR in the serial.

    WR in the serial, or any other bootparam value as reported by the camera, does not mean anything. Hacked cameras often display WR instead of the original CH. The serial number sticker on the camera and the box it came in are a more reliable indicator.
  25. [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

    Maybe... The problem is that different cameras use different keys and packing methods and in many cases you need hardware access to extract keys. I cannot buy every hikvision camera on the market.
  26. [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

    G0 5.3.3 may be using an earlier packing method. Try -t r6 or -t r0.
  27. [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

    That is the long and hard way, and it requires some soldering skills, particularly with cameras that use TSOP48 flash chips with .5mm pin pitch. I only use this method when there is no other obvious way to access the OS. Once you get shell access, you can just write NAND programmatically. To...
  28. Watchdata EMV chips in R6, G0 and other cameras

    And the keys:
    External auth key: 683F88130BD55E6EFFC7FBC7F3C3B76E
    Internal auth key: 375C5472E620ECA3181BA63CD5E68BE8
    2nd external auth key: A25733E852F8467F8F339C7F07658F4D
    PIN: 5CEC99CAB916BB0A
    There are a few more keys for secure messaging, find them yourself :)
    EMV Datasheet: Google for...
  29. Backdoor found in Hikvision cameras

    And that is one of the reasons for the disclosure to be delayed.
  30. Watchdata EMV chips in R6, G0 and other cameras

    And, here is the pinout. It is basically a standard ISO7816 smartcard that can be directly connected to a card reader.
    ATR: 3b 6d 00 00 68 6b 00 08 20 0a 19 18 96 02 62 00 be