Watchdata EMV chips in R6, G0 and other cameras

montecrypto

IPCT Contributor
Apr 20, 2016
So... It turns out that, unlike DVRs and older cameras, newer Hikvision cams, including R6 and G0, store their configuration settings in smartcard chips. The chips are made by Watchdata and they run TimeCOS.

Basically, your cameras have the same chip as your VISA credit card. That chip stores configuration information, like model name and features. The kernel retrieves that using the EMV PSE protocol.

This means that permanently turning newer CN cameras into EN is considerably more challenging than just editing bootparams in a write-protected nand sector. Not impossible though.

Thank you Gong Hongjia and Chen Chunmei for a well-executed portfolio cross-pollination! You guys rock! Happy new year! We all look forward to being able to use hik cameras instead of credit cards for buying crap on aliexpress. Oh, and you may want to ruffle some tech feathers at Hikvision, because the way they use Watchdata chips in cameras is really messed up. It looks like someone had a serious case of crypto-key diarrhea. The keys are all over the kernel. Different kinds. In the clear.
 
Built-in self destruct? I knew it was a matter of time before Hikvisions started flashing themselves.
 
built in self destruct?
Maybe I slightly misinterpreted this:
VFS: Busy inodes after unmount of %s. Self-destruct in 5 seconds. Have a nice day...
But they do seem to have some fun ideas:
hicken teriyaki
I would like the
I would like the General Gau's
I would like the General Gau's C
I would like the General Gau's Chicken, please,
I would like the General Gau's Chicken, please,
I would like the General Gau's Chicken, please, and wonton soup.
module is from the staging directory, the quality is unknown, you have been warned.
 
Could this be the reason why it's harder to find newer cameras with hacked English firmware on them now? I was trying to order some DS-2CD2335-I and now they say they can't get them anymore or Hikvision is doing something to them so you can't flash them. I hope it's not the end of cheap Chinese cameras with English firmware.
 
What's the point? The Hikvision cameras didn't seem to have any features that others don't seem to have. Seems they haven't learnt the lessons from the entertainment industry. It costs them money to keep people out; we try and get in for free.
 
And the keys:

External auth key: 683F88130BD55E6EFFC7FBC7F3C3B76E
Internal auth key: 375C5472E620ECA3181BA63CD5E68BE8
2nd external auth key: A25733E852F8467F8F339C7F07658F4D
PIN: 5CEC99CAB916BB0A
There are a few more keys for secure messaging, find them yourself :)

EMV Datasheet: Google for "watchdata timecos reference manual filetype: pdf"

Now you have everything you need to read and possibly write (to be confirmed) EMV chips.
 
Some data from the chip:
g_chip_type at (null) : 00000001
g_WDSn at c0616770 : 1839009d

====dump DecryptData 0xC061682C====
c061682c: 10 79 69 6e 67 f3 51 2c 01 08 00 00 00 60 0b 00 .ying.Q,.....`..
c061683c: 82 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

====dump DecryptData 0xC061682C====
c061682c: 10 42 75 69 6c 64 4e 75 6d 32 30 30 36 31 31 30 .BuildNum2006110
c061683c: 36 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6...............

====dump ProInfoDoor 0xC54E92C0====
c54e92c0: 79 69 6e 67 f3 51 2c 01 64 f3 12 d0 e0 0f 5e a8 ying.Q,.d.....^.
c54e92d0: 00 00 00 00 38 6d 9c c5 ac f9 04 c0 66 02 00 00 ....8m......f...
c54e92e0: 68 2c 5f c0 a4 9a 99 c5 00 02 20 00 00 00 00 00 h,_....... .....
 
Some info about how the motor runs:
The kernel calls an early-startup "open_card" function -> it loads data from the chip at 9600 baud, even parity, over standard GPIO pins in half-duplex mode.
It's time-critical and bad HW design; maybe the crypto chip was added later in panic mode ;-)
(There are still free UART ports available.)

Later the hikcomm.ko module calls the "get_card_bp" func and after that the "spin_down" funcs (AES decrypting).
And voilà, we have 0x100 bytes:

53 57 4b 48 c4 0a 00 00 f4 00 00 00 00 00 01 00 SWKH............
02 00 00 00 02 00 00 00 01 00 00 00 02 00 54 5a ..............TZ
53 45 XX XX 00 01 00 00 00 00 00 00 01 00 01 00 SEXX............
01 00 00 00 00 54 c4 15 19 58 3f 00 00 00 00 00 .....T...X?.....
00 32 30 31 36 31 32 30 34 36 38 36 31 35 38 XX .20161204686158X
XX XX 00 01 01 01 01 00 00 01 00 00 01 00 20 00 XX............ .
01 01 00 00 36 25 01 00 00 00 00 00 00 00 00 00 ....6%..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 53 2d 32 43 44 33 33 34 35 46 2d 49 00 00 00 DS-2CD3345F-I...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Can some friendly soul tell me which one is for language ;-)?

BTW, there are spin_up and spin_up2 funcs too...
 
Congrats, you found out how to read bootparams. The language code is at offset 0x10 (int, 0x000002 in your dump).
The region code (WR/CH/RR, etc.) is a char at offset 0x55.
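Added example (not code from the thread, Hikvision or Watchdata): a small parser for the 0x100-byte bootparams blob in the dump format posted above, pulling out the fields this answer identifies (language int at 0x10, region byte at 0x55) plus the "SWKH" magic and the model string visible at 0x80. The little-endian int width and the model-name field at 0x80 are my assumptions; the poster's redacted XX bytes are replaced with 0x00 placeholders so the sample is parseable.

```python
import struct

# Constructed sample input: the dump rows posted in the thread, with the
# redacted "XX" bytes kept as placeholders and the seven all-zero trailing
# rows regenerated. Total length is 16 rows x 16 bytes = 0x100.
DUMP_ROWS = [
    "53 57 4b 48 c4 0a 00 00 f4 00 00 00 00 00 01 00 SWKH............",
    "02 00 00 00 02 00 00 00 01 00 00 00 02 00 54 5a ..............TZ",
    "53 45 XX XX 00 01 00 00 00 00 00 00 01 00 01 00 SEXX............",
    "01 00 00 00 00 54 c4 15 19 58 3f 00 00 00 00 00 .....T...X?.....",
    "00 32 30 31 36 31 32 30 34 36 38 36 31 35 38 XX .20161204686158X",
    "XX XX 00 01 01 01 01 00 00 01 00 00 01 00 20 00 XX............ .",
    "01 01 00 00 36 25 01 00 00 00 00 00 00 00 00 00 ....6%..........",
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................",
    "44 53 2d 32 43 44 33 33 34 35 46 2d 49 00 00 00 DS-2CD3345F-I...",
] + ["00 " * 16 + "................"] * 7


def hexdump_to_bytes(rows, redacted=b"\x00"):
    """Convert the thread's dump format (16 hex pairs, then an ASCII column)
    to raw bytes. 'XX' marks a byte the poster redacted; it becomes a
    placeholder so offsets stay aligned. Only the first 16 tokens per row
    are used, so spaces inside the ASCII column do not matter."""
    out = bytearray()
    for row in rows:
        for tok in row.split()[:16]:
            out += redacted if tok.upper() == "XX" else bytes.fromhex(tok)
    return bytes(out)


def parse_bootparams(blob):
    """Decode the fields of the decrypted bootparams blob.
    Offsets 0x10 (language) and 0x55 (region) are from the answer above;
    the 4-byte little-endian width and the model string at 0x80 are assumed."""
    if len(blob) != 0x100:
        raise ValueError(f"expected 0x100 bytes, got {len(blob):#x}")
    magic = blob[0:4]
    if magic != b"SWKH":
        raise ValueError(f"unexpected magic {magic!r}")
    (language,) = struct.unpack_from("<I", blob, 0x10)
    region = blob[0x55]
    model = blob[0x80:0xA0].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"magic": magic, "language": language, "region": region, "model": model}


if __name__ == "__main__":
    print(parse_bootparams(hexdump_to_bytes(DUMP_ROWS)))
```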
 
After fixing checksum:
prtHardInfo
Start at 1970-04-17 20:29:07
Serial NO :DS-2CD3345F-I20161204AACH686158XXX
V5.4.20 build 160726
NetProcess Version: 1.7.1.204140 [16:40:42-Jul 11 2016]
Db Encrypt Version: 65537
Db Major Version: 1176
Db svn info:
Path: /Camera/Platform/Branches/branches_frontend_software_platform/db_process_for_5.4.20
Last Changed Rev: 201703
Last Changed Date: 2016-06-17 09:43:40 +0800 (Fri, 17 Jun 2016)
hardwareVersion = 0x0
hardWareExtVersion = 0x0
encodeChans = 1
decodeChans = 1
alarmInNums = 0
alarmOutNums = 0
ataCtrlNums = 0
flashChipNums = 0
ramSize = 0x100
networksNums = 1
language = 1
devType = 0x22536
net reboot count = 0
vi_type = 32
Path: /Camera/Platform/Branches/branches_frontend_software_platform/IPC_develop_branch/ipc_e0_g0_r3_5.4.20
Last Changed Rev: 210205
Last Changed Date: 2016-07-25 21:49:11 +0800 (Mon, 25 Jul 2016)

Almost there.... The web page gives: firmware language mismatch: /dav/webLib
Something is missing, but what...?
 
Impressive!
And it doesn't reboot with an integrity violation?
Is the checksum on the bootpara still a checksum-16?
I doubt Hikvision are happy about their quote 'unhackable' new implementation.
Almost there.... The web page gives: firmware language mismatch: /dav/webLib
Dumb question - did you use the EN/ML firmware as the base? The CN firmware on a language=1 camera would do that.
 
I have a Chinese 3335 (I forget what firmware it has, some apparently stock 3.x version) that refuses to take any version of firmware I've given it by any method, G0, R6, nothing.