Dieter & Fiona

M

montecrypto

IPCT Contributor
Apr 20, 2016
104
305
-------- dieter 2.10.16 1473645726 fiona ----------
So, which one of you here is Dieter and how hot is Fiona? We need a picture. :)
The tagline comes from a hacked 5.4.20 firmware installed on an aliexpress camera.
 
  • Like
Reactions: alastairstevenson
Say hello to Dieter
d2e3be7ef7e38f0431a5bff402425ff0.jpg


and Fiona
fiona-1.jpg
 
So, I have just looked more closely at this dieter/fiona thing. Is a patcher application that turns CN G0 camera into EN. I must give credit to whomever wrote the patcher, called ppp -- it is wrapped in a stunningly clean and efficient crypto/obfuscator that appears to be written manually in pure assembler. Hikvision should track down the person who wrote the app and hire her/him. It is also possible that the person already works for hikvision, because their understanding of camera internals is quite high and the kernel on the hacked camera appears to be customized and recompiled from source.

Also, it turns out, there is a secondary market there where people license CN-to-EN patches to resellers and track every single camera they patch.

If anybody wants to explore the patcher -- it is attached.
 

Attachments

  • Like
Reactions: vasycara, fenderman, alastairstevenson and 1 other person
Intriguing.
I'm almost tempted to run it - but it's probably closely coupled to the target.
Maybe I need to have another look at QEMU - in my first foray I gave up as it seemed too complicated.
On the other hand - there is so much non-hardware code to explore, with Hikvision.

So how do they get the firmware into the G0 camera if the bootloader is fussy about what it lets in the door? Hardware intervention?
 
alastairstevenson said:
I'm almost tempted to run it - but it's probably closely coupled to the target.
Click to expand...
That is correct, It uses kernel syscalls directly and you need to run it on a G0 camera.
alastairstevenson said:
So how do they get the firmware into the G0 camera if the bootloader is fussy about what it lets in the door? Hardware intervention?
Click to expand...

I don't know how THEY do it, but that is actually the easiest part. Thanks to the cluelessness of some coder numpties, there are at least 3 ways to bypass signature checks and two of the three do not need any hardware modifications. One of the two methods is based on an architecture decision that is so dumb, I cannot even share it here.

I also find it incredibly funny that Dieter's patching application is incomparably better in code quality that the firmware it patches. Imagine a Lamborghini parked next to a pile of manure.
 
  • Like
Reactions: alastairstevenson and nayr
montecrypto said:
That is correct, It uses kernel syscalls directly and you need to run it on a G0 camera.


I don't know how THEY do it, but that is actually the easiest part. Thanks to the cluelessness of some coder numpties, there are at least 3 ways to bypass signature checks and two of the three do not need any hardware modifications. One of the two methods is based on an architecture decision that is so dumb, I cannot even share it here.

I also find it incredibly funny that Dieter's patching application is incomparably better in code quality that the firmware it patches. Imagine a Lamborghini parked next to a pile of manure.
Click to expand...
That's not unusual at all, they want to sell cameras, they don't give a damn how bad their code sucks.
 
hmjgriffon said:
That's not unusual at all, they want to sell cameras, they don't give a damn how bad their code sucks.
Click to expand...
Yes, but --- they made a big play about how the new cameras are 'unhackable'. Talk about pride before a fall!
And the CEO just recently made a big announcement about 'Never had any backdoors and never will' or words to that effect.
Maybe by now someone has whispered in his ear that he better not say that as it's not true.
 
alastairstevenson said:
Yes, but --- they made a big play about how the new cameras are 'unhackable'. Talk about pride before a fall!
And the CEO just recently made a big announcement about 'Never had any backdoors and never will' or words to that effect.
Maybe by now someone has whispered in his ear that he better not say that as it's not true.
Click to expand...
EVERY software can be hacked if someone works on it hard enough, I never believe anyone who says that, if someone wants you bad enough, you're screwed.
 
  • Like
Reactions: alastairstevenson and bp2008
Defender666 said:
How is this bin file supposed to be applied to a camera ?
Click to expand...

Well. you run it. What happens then is: the file decrypts itself using syscalls, then does a series of checks to make sure it is not being debugged. When all checks pass, it decrypts parts of itself again, drops busybox, talks to *.ipc.net, submits camera serial, model id, and bootparams ioctl data, gets a "license" file, decrypts the file (using camera serial number and datecode as key), which turns it into script, RUNS THAT SCRIPT, checksums a whole lot of files, creates a backdoor account (root:ERI2doRibqoC.:0:0:root:/root/:/bin/sh), starts dropbear on port 55555, makes a few changes, unpacks additional languages, and sends an email to <camera model+serial+date>@ipc.net using included busybox with sendmail support. Not exactly in that order.

The patcher itself is a simple kernel module that intercepts ioctl. 99% of time the guy spent on wrapping all that in crypto.

ipc.net appears to be owned by some domain squatter, and the only email address associated with it is rob@selvi.ipc.net. There are a couple of dudes named Rob Selvi on linked whose backgrounds make them good candidates to attribute the hack to. One of them happens to be an executive at Sonicwall. I hope it is the Sonicwall guy. Rob -- I know what you do for fun!!! Timestamps in the app use DD-MM-YY date format, so the guy is likely not from the US.
 
Last edited:
  • Like
Reactions: hmjgriffon, nayr, alastairstevenson and 1 other person
Wow!
Absolutely fascinating.
So the the site was active, it coughed up the script masquerading as a 'licence' file?
I wonder what it's all about?
It would be interesting to track down the originator - he/she sounds like a genius coder.
Computer says after approx zero seconds:
ERI2doRibqoC.:12345
ERI2doRibqoC.:12345
ERI2doRibqoC.:12345
Click to expand...
 
  • Like
Reactions: hmjgriffon
How can I run this on my chinese fisheye camera

The camera has telnet/ssh but root is not possible. Only can use admin account which does not give real linux shell.

Any one can explain how to even put this on the camera? Is this supposed to be flashed with webinterface.

Sorry I have some good java and php knowledge but all this flashing and binary stuff is not yet in my knowledge.
 
alastairstevenson said:
It would be interesting to track down the originator - he/she sounds like a genius coder.
Click to expand...

Not genius, but good and very determined. There is a lot of money involved and that evidently creates fierce competition among aliexpress vendors who sell cameras and separately among people who hack them. I have been approached by two sellers (or maybe "sellers") offering a percentage of profits in return for hacked firmware (which I rejected).
 
  • Like
Reactions: fenderman
Why not? Hack it for free...I would love to kick hikvision in the ass with all that crypto shit, and help little chinese sellers. They work harder then everyone else to earn there meal and I appreciate there work.
 
  • Like
Reactions: alastairstevenson
montecrypto said:
If anybody wants to explore the patcher -- it is attached.
Click to expand...

Montecrypto!
Thanks for attach.

Very interesting and well know this code style since R0 5.1.6 for chinese ipc. and othe version ;)
Other text string was there.

1st unpack your original file in atach for all for explore.

montecrypto said:
The patcher itself is a simple kernel module that intercepts ioctl. 99% of time the guy spent on wrapping all that in crypto.

ipc.net appears to be owned by some domain squatter, and the only email address associated with it is rob@selvi.ipc.net. There are a couple of dudes named Rob Selvi on linked whose backgrounds make them good candidates to attribute the hack to. One of them happens to be an executive at Sonicwall. I hope it is the Sonicwall guy. Rob -- I know what you do for fun!!! Timestamps in the app use DD-MM-YY date format, so the guy is likely not from the US.
Click to expand...

Remote activation and nothing else ;)
Easy, secured & remote ;)

montecrypto said:
I have been approached by two sellers (or maybe "sellers") offering a percentage of profits in return for hacked firmware (which I rejected).
Click to expand...
Right choice!
 

Attachments

  • Like
Reactions: nayr and Defender666
I repeat my question, how do we even get this bin run on the camera if we don't have ssh or telnet to the camera.
 
You must log in or register to reply here.
Top Bottom