Watchdata EMV chips in R6, G0 and other cameras

Discussion in 'Hikvision' started by montecrypto, Jan 16, 2017.


  1. montecrypto

So... It turns out that, unlike DVRs and older cameras, newer Hikvision cams, including R6 and G0, store their configuration settings in smartcard chips. The chips are made by Watchdata and they run TimeCOS.

Basically, your cameras have the same chip as your VISA credit card. That chip stores configuration information, like model name and features. The kernel retrieves that using the EMV PSE protocol.

    This means that permanently turning newer CN cameras into EN is considerably more challenging than just editing bootparams in a write-protected nand sector. Not impossible though.

    Thank you Gong Hongjia and Chen Chunmei for a well-executed portfolio cross-pollination! You guys rock! Happy new year! We all look forward to being able to use hik cameras instead of credit cards for buying crap on aliexpress. Oh, and you may want to ruffle some tech feathers at Hikvision, because the way they use Watchdata chips in cameras is really messed up. It looks like someone had a serious case of crypto-key diarrhea. The keys are all over the kernel. Different kinds. In the clear.
     
  2. alastairstevenson

    Lol!
    You're sure they're not honeypots, which if used trigger the built-in self-destruct?
     
  3. nayr

Built-in self-destruct? I knew it was a matter of time before Hikvisions started flashing themselves.
     
  4. alastairstevenson

    Maybe I slightly misinterpreted this:
    But they do seem to have some fun ideas:
     
  5. montecrypto

    If anybody is wondering how the EMV chip looks, here it is:

[image: emv.png]
     
  6. alastairstevenson

    Yep, seen them. Except mine have earlier date codes.
    Neat de-soldering.
     
  7. n0fx

    Could this be the reason why it's harder to find newer cameras with hacked English firmware on them now? I was trying to order some DS-2CD2335-I and now they say they can't get them anymore or Hikvision is doing something to them so you can't flash them. I hope it's not the end of cheap Chinese cameras with English firmware.
     
  8. Zeddy

What's the point? The Hikvision cameras didn't seem to have any features that others don't seem to have. Seems they haven't learnt the lessons from the entertainment industry. It costs them money to keep people out; we try and get in for free.
     
  9. alastairstevenson

    Yes indeed.
    And there are enough smart people out there to make it a pointless exercise. And bad for the brand.
     
  10. montecrypto

And here is the pinout. It is basically a standard ISO 7816 smartcard that can be connected directly to a card reader.

    ATR: 3b 6d 00 00 68 6b 00 08 20 0a 19 18 96 02 62 00 be

[image: pinout, upload_2017-4-4_14-20-38.png]
     
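The ATR above can be checked byte by byte against the ISO 7816-3 structure. The decoder below is an added example, not code from the thread or from Watchdata; it decodes only the ISO 7816-3 framing (TS, T0, the TA/TB/TC/TD chains, historical bytes, TCK) and deliberately does not interpret the chip-specific historical bytes.

```python
"""ISO 7816-3 ATR decoder, run over the Watchdata chip's ATR.

Added example; this is not code from the thread or from any vendor.  It
only decodes the ISO 7816-3 structure (TS, T0, TA/TB/TC/TD chains,
historical bytes, TCK).  What the historical bytes mean is chip-specific
and is deliberately not interpreted.
"""

# ATR exactly as posted in the thread (post 10).
WATCHDATA_ATR = bytes.fromhex("3b6d0000686b0008200a191896026200be")


def parse_atr(atr: bytes) -> dict:
    """Decode an ATR; raises ValueError if the bytes do not hang together."""
    if len(atr) < 2:
        raise ValueError("ATR too short")
    ts, t0 = atr[0], atr[1]
    convention = {0x3B: "direct", 0x3F: "inverse"}.get(ts)
    if convention is None:
        raise ValueError(f"bad TS byte {ts:#04x}")
    k = t0 & 0x0F          # number of historical bytes
    y = t0 >> 4            # presence bits for TA1/TB1/TC1/TD1
    pos = 2
    interface = []         # one dict per group TA_i, TB_i, TC_i, TD_i
    protocols = []         # T= values offered via the TD_i bytes
    i = 1
    while True:
        group = {}
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated in {name}{i}")
                group[f"{name}{i}"] = atr[pos]
                pos += 1
        interface.append(group)
        td = group.get(f"TD{i}")
        if td is None:
            break              # no TD_i: the chain of interface bytes ends
        protocols.append(td & 0x0F)
        y = td >> 4
        i += 1
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    # TCK exists only if a protocol other than T=0 was offered; it is chosen
    # so that the XOR over T0..TCK is zero.
    tck_ok = None
    if any(p != 0 for p in protocols):
        if pos >= len(atr):
            raise ValueError("ATR missing TCK")
        xor = 0
        for b in atr[1:pos + 1]:
            xor ^= b
        tck_ok = xor == 0
        pos += 1
    return {
        "convention": convention,
        "interface_bytes": interface,
        "protocols": protocols or [0],   # no TD1 at all means T=0 only
        "ta1": interface[0].get("TA1"),  # None: default Fi=372, Di=1
        "historical": historical,
        "historical_ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in historical),
        "tck_ok": tck_ok,
        "trailing": atr[pos:],           # bytes the structure does not explain
    }


if __name__ == "__main__":
    for key, value in parse_atr(WATCHDATA_ATR).items():
        print(f"{key:18} {value!r}")
```

For this ATR the decoder gives: TS = 3B (direct convention); T0 = 6D, so TB1 and TC1 are present and there are 13 historical bytes; TB1 = 00 (no Vpp) and TC1 = 00 (no extra guard time); no TD1, so only T=0 is offered and there is no TCK; and no TA1, so the card runs at the ISO 7816-3 default of 372 clock cycles per etu, which is 9600 bit/s at the 3.5712 MHz reference clock, matching the 9600 baud, even parity link that the kernel's bit-banged driver uses (post 13). The first two historical bytes happen to be the ASCII letters "hk"; the rest is proprietary and the decoder makes no claim about it.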
  11. montecrypto

    And the keys:

    External auth key: 683F88130BD55E6EFFC7FBC7F3C3B76E
    Internal auth key: 375C5472E620ECA3181BA63CD5E68BE8
    2nd external auth key: A25733E852F8467F8F339C7F07658F4D
    PIN: 5CEC99CAB916BB0A
    There are a few more keys for secure messaging, find them yourself :)

    EMV Datasheet: Google for "watchdata timecos reference manual filetype: pdf"

    Now you have everything you need to read and possibly write (to be confirmed) EMV chips.
     
  12. JAFO

    Some data from chip:
    g_chip_type at (null) : 00000001
    g_WDSn at c0616770 : 1839009d

    ====dump DecryptData 0xC061682C====
    c061682c: 10 79 69 6e 67 f3 51 2c 01 08 00 00 00 60 0b 00 .ying.Q,.....`..
    c061683c: 82 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

    ====dump DecryptData 0xC061682C====
    c061682c: 10 42 75 69 6c 64 4e 75 6d 32 30 30 36 31 31 30 .BuildNum2006110
    c061683c: 36 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6...............

    ====dump ProInfoDoor 0xC54E92C0====
    c54e92c0: 79 69 6e 67 f3 51 2c 01 64 f3 12 d0 e0 0f 5e a8 ying.Q,.d.....^.
    c54e92d0: 00 00 00 00 38 6d 9c c5 ac f9 04 c0 66 02 00 00 ....8m......f...
    c54e92e0: 68 2c 5f c0 a4 9a 99 c5 00 02 20 00 00 00 00 00 h,_....... .....
     
  13. JAFO

    Some info about how motor runs:
The kernel calls an early-startup "open_card" function, which loads data from the chip at 9600 baud, even parity, using standard GPIO pins in half-duplex mode.
It's time-critical and bad HW design; maybe the crypto chip was added later in panic mode ;-)
(There are still free UART ports available.)

Later the hikcomm.ko module calls "get_card_bp" and after that the "spin_down" funcs (AES decrypting).
And voilà, we have 0x100 bytes:

    53 57 4b 48 c4 0a 00 00 f4 00 00 00 00 00 01 00 SWKH............
    02 00 00 00 02 00 00 00 01 00 00 00 02 00 54 5a ..............TZ
    53 45 XX XX 00 01 00 00 00 00 00 00 01 00 01 00 SEXX............
    01 00 00 00 00 54 c4 15 19 58 3f 00 00 00 00 00 .....T...X?.....
    00 32 30 31 36 31 32 30 34 36 38 36 31 35 38 XX .20161204686158X
    XX XX 00 01 01 01 01 00 00 01 00 00 01 00 20 00 XX............ .
    01 01 00 00 36 25 01 00 00 00 00 00 00 00 00 00 ....6%..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    44 53 2d 32 43 44 33 33 34 35 46 2d 49 00 00 00 DS-2CD3345F-I...
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Can some friendly soul tell me which one is for language ;-) ?

    btw, there is spin_up and spin_up2 funcs too...
     
  14. montecrypto

Congrats, you found how to read bootparams. Language code is at offset 0x10 (int, 0x000002 in your dump).
    Region code (WR/CH/RR, etc) is a char at offset 0x55
     
  15. JAFO

    Much obliged !
     
  16. JAFO

    After fixing checksum:
    prtHardInfo
    Start at 1970-04-17 20:29:07
    Serial NO :DS-2CD3345F-I20161204AACH686158XXX
    V5.4.20 build 160726
    NetProcess Version: 1.7.1.204140 [16:40:42-Jul 11 2016]
    Db Encrypt Version: 65537
    Db Major Version: 1176
    Db svn info:
    Path: /Camera/Platform/Branches/branches_frontend_software_platform/db_process_for_5.4.20
    Last Changed Rev: 201703
    Last Changed Date: 2016-06-17 09:43:40 +0800 (Fri, 17 Jun 2016)
    hardwareVersion = 0x0
    hardWareExtVersion = 0x0
    encodeChans = 1
    decodeChans = 1
    alarmInNums = 0
    alarmOutNums = 0
    ataCtrlNums = 0
    flashChipNums = 0
    ramSize = 0x100
    networksNums = 1
    language = 1
    devType = 0x22536
    net reboot count = 0
    vi_type = 32
    Path: /Camera/Platform/Branches/branches_frontend_software_platform/IPC_develop_branch/ipc_e0_g0_r3_5.4.20
    Last Changed Rev: 210205
    Last Changed Date: 2016-07-25 21:49:11 +0800 (Mon, 25 Jul 2016)

Almost there.... the web page gives: firmware language mismatch: /dav/webLib
    Something is missing but what...?
     
  17. alastairstevenson

    Impressive!
    And it doesn't reboot with an integrity violation?
Is the checksum on the bootpara still a checksum-16?
I doubt Hikvision are happy about their, quote, 'unhackable' new implementation.
    Dumb question - did you use the EN/ML firmware as the base? The CN firmware on a language=1 camera would do that.
     
  18. JAFO

    My bad! It's cn g0 digicap I'm using.
Yes, it's checksum-16, just the sum of all byte values from 0x09 to 0xff.

    Nothing special or new, you can have again hacked english g0 from China.

Quote managers, those promiseware sellers, and most do not know reality:
    http://regretless.com/stuff/funny/dilbertProjectStatus.JPG
     
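Putting together the layout from posts 13 and 14 (magic, language int at 0x10, region byte at 0x55, model string) and the checksum rule from post 18 (sum of bytes 0x09..0xff), here is a small parser/patcher for the decrypted 0x100-byte bootparams block. It is an added example, not code from the thread, from Hikvision or from Watchdata. One thing the thread does not state is where the checksum is stored; the code assumes the little-endian 32-bit field at offset 4 (c4 0a 00 00 in the dump), and that assumption is marked in the code. The sample block is JAFO's dump with the five redacted "XX" bytes filled with zeros, so it is constructed input, not a real camera's data. The AES "spin_down" step is out of scope; this operates on the already-decrypted block.

```python
"""Parse and patch the 0x100-byte decrypted bootparams block from the chip.

Added example; not code from the thread, from Hikvision or from Watchdata.
It works on the block after the kernel's AES step ("spin_down", post 13);
the decryption itself is out of scope.  Offsets used:

  0x00  magic "SWKH"                   visible at the top of JAFO's dump
  0x04  checksum, uint32 little-endian ASSUMPTION: the thread says how the
                                       checksum is computed, not where it is
                                       stored; the dump has c4 0a 00 00 here
  0x10  language code, int32 LE        montecrypto, post 14
  0x55  region code, one byte          montecrypto, post 14
  0x80  model string, NUL-terminated   visible in the dump
  checksum-16 = sum of bytes 0x09..0xff (JAFO, post 18)
"""
import struct
from typing import Optional

BP_SIZE = 0x100
OFF_MAGIC, OFF_CSUM, OFF_LANG, OFF_REGION, OFF_MODEL = 0x00, 0x04, 0x10, 0x55, 0x80
CSUM_START = 0x09
MAGIC = b"SWKH"

# Constructed sample: JAFO's dump (post 13) with the five redacted "XX"
# bytes at 0x22, 0x23, 0x4f, 0x50 and 0x51 replaced by 0x00.  Rows 0x70
# and 0x90..0xf0 of the dump are all zero.
SAMPLE_BP = bytes.fromhex(
    "53574b48c40a0000f400000000000100"   # 0x00  "SWKH", stored checksum, ...
    "0200000002000000010000000200545a"   # 0x10  language = 2 ... "TZ"
    "53450000000100000000000001000100"   # 0x20  "SE??" (redacted bytes zeroed)
    "010000000054c41519583f0000000000"   # 0x30
    "00323031363132303436383631353800"   # 0x40  "20161204686158?"
    "00000001010101000001000001002000"   # 0x50  region byte at 0x55 = 01
    "01010000362501000000000000000000"   # 0x60
    "00000000000000000000000000000000"   # 0x70
    "44532d32434433333435462d49000000"   # 0x80  "DS-2CD3345F-I"
) + bytes(0x70)                          # 0x90..0xff all zero


def checksum16(bp: bytes) -> int:
    """checksum-16 as JAFO describes it: plain byte sum over 0x09..0xff."""
    return sum(bp[CSUM_START:BP_SIZE]) & 0xFFFF


def stored_checksum(bp: bytes) -> int:
    """Checksum as recorded in the block (offset 4 is an assumption, see above)."""
    return struct.unpack_from("<I", bp, OFF_CSUM)[0]


def parse_bootparams(bp: bytes) -> dict:
    """Pull out the fields the thread identified and verify the checksum."""
    if len(bp) != BP_SIZE:
        raise ValueError(f"expected {BP_SIZE:#x} bytes, got {len(bp):#x}")
    if bp[OFF_MAGIC:OFF_MAGIC + 4] != MAGIC:
        raise ValueError("bad magic: not a decrypted bootparams block")
    model = bp[OFF_MODEL:].split(b"\0", 1)[0].decode("ascii", "replace")
    stored, computed = stored_checksum(bp), checksum16(bp)
    return {
        "language": struct.unpack_from("<i", bp, OFF_LANG)[0],
        "region": bp[OFF_REGION],
        "model": model,
        "checksum_stored": stored,
        "checksum_computed": computed,
        "checksum_ok": stored == computed,
    }


def patch_bootparams(bp: bytes, language: Optional[int] = None,
                     region: Optional[int] = None) -> bytes:
    """Return a copy with the requested fields changed and the checksum refreshed."""
    out = bytearray(bp)
    if language is not None:
        struct.pack_into("<i", out, OFF_LANG, language)
    if region is not None:
        out[OFF_REGION] = region & 0xFF
    # The checksum field itself lies below CSUM_START, so rewriting it does
    # not disturb the sum it protects.
    struct.pack_into("<I", out, OFF_CSUM, checksum16(out))
    return bytes(out)


if __name__ == "__main__":
    print("as dumped :", parse_bootparams(SAMPLE_BP))
    print("language=1:", parse_bootparams(patch_bootparams(SAMPLE_BP, language=1)))
```

On the constructed sample the checksum does not verify, and it should not: the visible bytes sum to 2445 while the field at offset 4 reads 0x0ac4 = 2756, a difference of 311 spread over the five redacted bytes, which is the range of ASCII digits and upper-case letters a serial number would contain. That is consistent with the offset-4 assumption but does not prove it. After patching, the checksum matches by construction; JAFO's prtHardInfo in post 16 reports language = 1, which is consistent with writing 1 at offset 0x10.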
  19. alastairstevenson

    I have a Chinese 3335 (I forget what firmware it has, some apparently stock 3.x version) that refuses to take any version of firmware I've given it by any method, G0, R6, nothing.
     
  20. JAFO

Please tell me the u-boot version; there may be a way...