02KH firmware header

montecrypto

IPCT Contributor
Does anybody know how to decrypt a firmware blob for DS-2x22FWD,2x42FWD_5.3.6_151105?

Here is the header, de-XORed as usual. The last 3 DWORDs are the offset, length, and CRC of the firmware blob that immediately follows the header. The blob appears encrypted. How do I decrypt it? The camera is still in the mail, so I can't disassemble it and look inside. :)

Here is the header. Note the "02KH" magic instead of "SWKH"

Code:
00000000 30 32 4B 48 │ 13 22 00 00 │ 6C 00 00 00 │ 00 00 00 00  02KH."..l.......
00000010 4A 68 8C 01 │ 01 00 00 00 │ FF FF FF FF │ FF FF FF FF  Jh .....
00000020 FF FF FF FF │ FF FF FF FF │ FF FF FF FF │ 31 32 30 30              1200
00000030 30 35 30 30 │ 33 31 31 31 │ 31 31 31 30 │ 30 31 31 00  050031111110011.
00000040 31 32 30 30 │ 30 35 30 30 │ 33 31 31 31 │ 31 31 31 30  1200050031111110
00000050 30 31 31 00 │ 01 6A 03 02 │ 05 2B 00 03 │ 87 00 06 47  011..j...+.. ..G
00000060 6C 00 00 00 │ DE 67 8C 01 │ 5E 58 71 C5 │              l... g .^Xq
 
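A parser for the header layout described in the post above, added here as an example (it is not code from the post or from the vendor). The only layout facts taken from the post are the "02KH" magic and the last three DWORDs (offset, length, CRC of the blob that follows the header). Two further relations are inferred from the dump alone and labelled as such in the code: the DWORD at 0x08 equals the blob offset, and the DWORD at 0x10 equals offset plus blob length. The CRC check assumes plain CRC-32, which the post does not confirm; the entropy check is the usual way to put a number on "appears encrypted". The 25 MB blob is not on the page, so the demo re-points the real header at a constructed random blob.

```python
"""Added example: parse the de-XORed '02KH' header from the post and check the blob.
From the post: magic at 0x00; last three DWORDs = offset, length, CRC of the blob
that follows the header. Inferred from the dump only (labelled below): the DWORD
at 0x08 equals the blob offset, the DWORD at 0x10 equals offset + length."""
import math, os, struct, zlib
from dataclasses import dataclass

# The 0x6C-byte header exactly as dumped in the post (already de-XORed).
HEADER_02KH = bytes.fromhex(
    "30324B48 13220000 6C000000 00000000"
    "4A688C01 01000000 FFFFFFFF FFFFFFFF"
    "FFFFFFFF FFFFFFFF FFFFFFFF 31323030"
    "30353030 33313131 31313130 30313100"
    "31323030 30353030 33313131 31313130"
    "30313100 016A0302 052B0003 87000647"
    "6C000000 DE678C01 5E5871C5")

@dataclass
class FirmwareHeader:          # field names are this example's labels, not the vendor's
    magic: bytes
    header_len: int            # DWORD at 0x08; inferred to equal blob_offset
    total_len: int             # DWORD at 0x10; inferred to equal header_len + blob_len
    model: bytes               # NUL-terminated ASCII string at 0x2C (repeated at 0x40)
    blob_offset: int           # last three DWORDs, as described in the post
    blob_len: int
    blob_crc: int

def parse_header(buf: bytes) -> FirmwareHeader:
    if len(buf) < 0x6C or buf[:4] not in (b"02KH", b"SWKH"):
        raise ValueError("not a 02KH/SWKH header")
    _w04, header_len, _zero, total_len, _one = struct.unpack_from("<5I", buf, 4)
    if not 0x60 <= header_len <= len(buf):
        raise ValueError(f"implausible header length {header_len:#x}")
    # Read the trailer relative to header_len rather than hard-coding 0x60, so a
    # longer header variant still parses.
    off, length, crc = struct.unpack_from("<3I", buf, header_len - 12)
    model = buf[0x2C:0x40].split(b"\0", 1)[0]
    return FirmwareHeader(buf[:4], header_len, total_len, model, off, length, crc)

def consistency_report(h: FirmwareHeader) -> dict:
    """Relations that hold for the dump above; if they fail on another image,
    the inferred field meanings do not apply to it."""
    return {"offset_is_header_len": h.blob_offset == h.header_len,
            "total_is_header_plus_blob": h.total_len == h.header_len + h.blob_len}

def extract_blob(image: bytes):
    h = parse_header(image)
    end = h.blob_offset + h.blob_len
    if end > len(image):
        raise ValueError(f"image truncated: need {end} bytes, have {len(image)}")
    return h, image[h.blob_offset:end]

def crc32_matches(h: FirmwareHeader, blob: bytes) -> bool:
    # ASSUMPTION: plain CRC-32 as in zlib. The post only says "CRC", so a mismatch
    # means "not this variant", not necessarily a corrupt file.
    return (zlib.crc32(blob) & 0xFFFFFFFF) == h.blob_crc

def shannon_entropy(data: bytes, sample: int = 1 << 20) -> float:
    """Bits per byte over at most the first `sample` bytes; bytes.count runs in C."""
    data = data[:sample]
    n = len(data)
    if n == 0:
        return 0.0
    counts = [data.count(v) for v in range(256)]
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def looks_encrypted(blob: bytes, threshold: float = 7.9) -> bool:
    """Near 8 bits/byte is what 'appears encrypted' means in practice. Compressed
    data scores the same, so this is a hint, not proof."""
    return shannon_entropy(blob) >= threshold

def build_demo_image(blob_size: int):
    """Constructed stand-in for the real 25 MB image: the header above with its
    length and CRC fields re-pointed at a random blob."""
    blob = os.urandom(blob_size)
    hdr = bytearray(HEADER_02KH)
    h = parse_header(HEADER_02KH)
    struct.pack_into("<I", hdr, 0x10, h.header_len + blob_size)
    struct.pack_into("<2I", hdr, h.header_len - 8, blob_size, zlib.crc32(blob))
    return bytes(hdr) + blob, blob

if __name__ == "__main__":
    h = parse_header(HEADER_02KH)
    print(h, consistency_report(h), sep="\n")
    h2, blob = extract_blob(build_demo_image(1 << 16)[0])
    print("crc32 ok:", crc32_matches(h2, blob), "encrypted-looking:", looks_encrypted(blob))
```

Run against the real file, `extract_blob` gives you the 0x018C67DE-byte blob; if `crc32_matches` is false on it, try other CRC variants before assuming the download is bad, and if the entropy comes out well under 7.9 the blob is more likely compressed or lightly obfuscated than encrypted.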

alastairstevenson

Staff member
It looks like you haven't read the PM I sent you some days ago -
 

Enabler

Getting the hang of it
You're clearly a man with lots of skills :)

I'm just a little worried that if answers are posted in the open it will just make Hikvision sign the firmware with an RSA private key just like they have with another model. We're effectively helping Hikvision make their stupid security measures better by pointing out the weaknesses.

Maybe anyone who is going to post something to help you could just PM you instead?
 

alastairstevenson

Staff member
I'm just a little worried that if answers are posted in the open it will just make Hikvision sign the firmware with an RSA private key just like they have with another model. We're effectively helping Hikvision make their stupid security measures better by pointing out the weaknesses.
You are quite right - and I have said as much in several PMs so far.
 

montecrypto

IPCT Contributor
I'll start reading my PMs more regularly, thanks everybody. RSA signing would need a new bootloader. New bootloader would need to be located in external flash. The flash can be patched to bypass signature verification... HIK should really stop spending R&D cycles on pathetic "security" attempts.

There may be a better way to fix this problem... HIK products heavily use open source, but I have not received any licenses with my products. That actually violates OSS licenses. They do use GPL-licensed code (along with Apache 2.0, LGPL, and possibly other licenses), which means their software falls under the GPL, which means they have to publish its source code.

A determined law firm might be able to force HIK to release the source code or ban their products from US/EU markets... Any lawyers here using HIK cameras to protect their mansions? :)
 

alastairstevenson

Staff member
HIK products heavily use open source,
yes, but only in the non-proprietary parts such as the Linux kernel, the standard Linux libraries, a few modules such as OpenSSL.
Their own platform-specific libraries and their own executables are proprietary and not subject to any open-source responsibilities.
 

Enabler

Getting the hang of it
You're totally right montecrypto - they do play fast and loose with the GPL and its variants. Being a Chinese company doesn't excuse them from following licensing terms.

Even in the kernel they have their own code and as such are obligated to release the entire source of all of it if requested (they don't though, I tried a few months ago). And anything else that has GPL'd code in it, even if only a fragment.

I personally think changing these cameras to do what you want is great and wouldn't want to put people off - just sounding a note of caution about giving Hikvision pointers :)
 

nayr

IPCT Contributor
thanks @montecrypto.. post it publicly, let em burn.. @everyone-else, if you think Hik can stay ahead of people hacking into them with the talent they have on staff then you're wrong.

they are trying to prevent parallel imports, which I am legally entitled to do.. consumers are paying for the equipment, it's theirs to do with as they like.. Disrupt markets, bust antiquated business models, get people angry at hik.. then they might change for the better, and if they don't.. burn em down and someone better will take their place.

VPN to bypass Netflix restrictions is legal, it's Netflix's problem with their contracts.. fuck em.. get the products you deserve at the same price as all of us.

They want globalisation only when it suits them (regional price discrimination, tax avoidance, copyright enforcement, etc), but not when it doesn't suit them (parallel imports).

@alastairstevenson, with gpl-3.0 it is a violation to put hardware in place to attempt to prevent people from modifying the licensed software running on it...
 

alastairstevenson

Staff member
@everyone-else, if you think Hik can stay ahead of people hacking into them with the talent they have on staff then you're wrong.
I disagree that they don't have the talent.
The current Hikvision firmware shows a level of sophistication and security knowledge way above the firmware I've seen from any other manufacturer - and I've examined a few.
This has been developed just over the last couple of years, with the stated aim of creating 'hack-proof' products.
But I agree that they won't be able to stay ahead of those who can figure out what they've done and circumvent the protective measures.
A foolish aim, unrealised, given the army of really smart people round the globe, where there is profit and lulz to be had.
with gpl-3.0 it is a violation to put hardware in place to attempt to prevent people from modifying the licensed software running on it...
Are you saying that this applies to Hikvision's proprietary software that has not been released under GPL?
 

nayr

IPCT Contributor
I am saying all the GPL-3 code running on this device I have to be given access to modify for my own needs, if you lock down the system to prevent me from running custom code for the open source components then the product is in violation of the GPL, regardless of hik's software.

See: https://en.wikipedia.org/wiki/Tivoization

Creating a cryptographically secure trusted platform, they are nowhere near approaching.. they haven't done anything all that sophisticated, lame obfuscation attempts with no actual protection at all.. I've seen video games in the mid 90's put better work into locking everything down than this.
 

montecrypto

IPCT Contributor
they haven't done anything all that sophisticated, lame obfuscation attempts with no actual protection at all.. I've seen video games in the mid 90's put better work into locking everything down than this.
Yep, I second that. Oh, the memories... Some of those old games' floppy/tape loaders were absolutely fascinating. There was a website with commented disassemblies, can't find it now.
 

Speed666

Getting the hang of it
Hey, as I have a person in Hik - I will tell you why they block upgrades. HIK is copied in China using reverse engineering. They copy the hardware and then use the original firmware. Be honest - writing software now needs more cash than making hardware. So to stop copying (I know it sounds dumb - China copies China) they use RSA.

There is no other way to stop this than buying original hardware for the West market. They are just losing money - that's it. They ate their own tail (I mean China).

I stopped fighting - I have a repacker for all firmwares until 5.3.5 (RSA) and then stopped. It's worthless. Now I have an NDA and I am happy.
 

nayr

IPCT Contributor
if you can figure out which Chinese factory a component was produced at, for the right money they will make you as many as you want..

if they checked firmware before applying it and didn't let people brick fraudulent stuff it would be a step in the right direction, but they can't even get that done right.. they don't care about us so why should we care about what's discussed publicly.
 

whoslooking

IPCT Contributor
If you have ever seen how a Chinese factory works, the original item and the fake item are made by the same workers at the same factories.

During the day they make the official item, then the night shift makes the not so official version.

Sometimes components have to be sourced from different suppliers to complete the manufacturing process and quality control goes out the window, but the end result is an almost identical product at a lower price.
 

Enabler

Getting the hang of it
they don't care about us so why should we care about what's discussed publicly.
We're not trying to protect Hikvision and their stupid region locking - as I say they don't even bother adhering to GPL.

Just maybe not tell Hikvision what weaknesses there are, and thereby what they need to change to make it even harder :)

Let's not be a research team helping them improve their anti-tampering measures. I'm sure Hikvision wouldn't mind a work-for-free team of clever people working hard to their benefit (albeit inadvertently) :p
 

wzhick

Pulling my weight
Why do you want Hikvision to comply with the GPL? What do you need - something compliant, or hacked firmware? Modify the firmware and do not require anything.
You also do not particularly comply with anything... Do the trick.

You want to make yourself better. But no one is obliged to do it for you. Including Hikvision.

At that time all firmwares for all lines were hacked. Including RSA. Currently only two lines have a digital signature inside.
Otherwise they would not be on sale.
 

wzhick

Pulling my weight
My friend and I hacked the Hikvision encryption of digicap..tar files. It's AES and the key is in the kernel image. Unpacker and packer are ready. Release soon. Now we are trying to find a way to repack the whole firmware. It is already done, the file is accepted by the web interface but the camera reboots after it.
By the way... After communicating with ItuneDVR the release did not happen. )))
Guess why? )))
 
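The post above says the AES key is in the kernel image but not how it was found. One standard way to locate an AES key in a large binary, added here as an example (not the poster's tool, and not anything Hikvision-specific), is to scan for an expanded key schedule: each round key is derived from the previous one, so a 16/24/32-byte candidate at offset i is confirmed when the bytes that follow it equal its FIPS-197 expansion. This only works if the key is stored in expanded form, which is an assumption; a bare key with no schedule next to it has to be found by reversing the code that uses it. The scan below uses a vectorised one-byte pre-filter so that only about 1 in 256 offsets pays for a full expansion. The "kernel image" is constructed: random filler with one schedule embedded.

```python
"""Added example: scan a firmware/kernel image for an AES key by looking for its
expanded key schedule. Assumes the key is present in expanded form (as it is
when a precomputed schedule is stored or captured from memory); a bare key
with no schedule next to it is not found this way."""
import os

def _build_sbox() -> bytes:
    """AES S-box computed from GF(2^8) arithmetic (no 256-entry table to mistype)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF     # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF          # q /= 3
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)          # affine transform
        sbox[p] = ((x ^ (x >> 8)) & 0xFF) ^ 0x63                   # fold = rotate
        if p == 1:
            break
    sbox[0] = 0x63
    return bytes(sbox)

SBOX = _build_sbox()

def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for 16/24/32-byte keys; returns all round keys."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):          # 4 * (rounds + 1) words in total
        t = w[i - 1][:]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x11B if rcon & 0x80 else 0)) & 0xFF
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord for AES-256
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return bytes(sum(w, []))

def find_aes_keys(image: bytes, key_len: int = 16) -> list:
    """Return (offset, key) for every position whose following bytes are a valid
    schedule. Pre-filter: the first byte of the first derived word is
    key[0] ^ S[key[key_len-3]] ^ 0x01, computed for all offsets at once with
    big-int XOR; only offsets where it holds get a full key expansion."""
    sched_len = len(expand_key(bytes(key_len)))
    n = len(image) - key_len
    if n <= 0:
        return []
    sub = image.translate(SBOX)                # S[image[j]] for every j
    want = int.from_bytes(image[key_len:key_len + n], "big")
    have = (int.from_bytes(image[:n], "big")
            ^ int.from_bytes(sub[key_len - 3:key_len - 3 + n], "big"))
    diff = (want ^ have).to_bytes(n, "big")    # byte i == 0x01 -> candidate at i
    hits, i = [], diff.find(b"\x01")
    while i >= 0:
        cand = image[i:i + key_len]
        if image[i:i + sched_len] == expand_key(cand):
            hits.append((i, cand))
        i = diff.find(b"\x01", i + 1)
    return hits

def build_demo_image(key: bytes, offset: int, size: int = 1 << 18) -> bytes:
    """Constructed 'kernel image': random filler with one expanded schedule embedded."""
    sched = expand_key(key)
    if offset + len(sched) > size:
        raise ValueError("schedule does not fit in the image")
    img = bytearray(os.urandom(size))
    img[offset:offset + len(sched)] = sched
    return bytes(img)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
    for off, k in find_aes_keys(build_demo_image(key, 0x1A2B3), 16):
        print(f"AES-128 schedule at {off:#x}, key {k.hex()}")
```

On a real kernel image run `find_aes_keys` once per key length (16, 24, 32); a hit gives you the key and its offset, and the code that references that offset is where the cipher mode and IV handling live. Note that the schedule test is exact, so a key stored with a different round-key layout (for example decryption round keys after InvMixColumns) needs a variant of the comparison.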

Speed666

Getting the hang of it
Want a release? I don't care, since I have an NDA I really don't care about Hik making new protections. Think about it and let me know. I can do this even today.

I will edit - I didn't release it because there were some emails from this forum telling me not to do so. But now?
 

Enabler

Getting the hang of it
Remember guys it's not a competition over who has the most secrets or is the best hacker. All you guys are awesome. It's us versus Hikvision.

I can't stop anyone who is determined to release tools etc but all it does is screw us in the long run and actually help Hikvision. Maybe I missed something but I don't see the point.
 