Upgrading the Insecure Army of Internet Things… onwards to the cameras

OK, you voted for me to 'not be lazy' and just find a way to update the firmware on the army of electronics that failed the latest security sweep. OK, so I have, or, am in progress. The NAS, well, that was a bit of a pain in the butt, but I soldered on a serial header, figured out its partitions, figured out how to run debootstrap and what a 'device tree structure' is so I could recreate the .dts file and thus the kernel. And now it's safe (because there was no newer firmware from the vendor).

On to the next candidate. The Hikvision DS-2CD3132-I.

Now, these inhabit the soffits of my house, outside where it's cold, and ladders are needed. So I'm naturally a bit reluctant to brick them and need some sort of local reset button. But, well, once more unto the breach.

Fortunately I have a spare to play with (this one mysteriously went purple+white, not black+white, and not colour), so it was decommissioned. But, it otherwise works for hackery.

There is something about the Hikvision cameras you should know. You see, a few years ago, Hikvision had a model where they sold them in China for cheap, and abroad for expensive. And, well, Internet commerce made that hard to maintain. So they went to war on their own resellers and started 'region coding' them (various hacks to their firmware that would hard-brick them if you upgraded them with the English firmware).

These Internet resellers hacked up some version of the software to make it work in English, and shipped them, but if you upgrade them, blammo. So, uh, caution is needed 🙂

So, armed with some Google searching, and not a lot of common sense, but some tools, let's investigate the patient.

Now, there is a bit of a recipe for unhacking them (or re-hacking? enhanced hacking?) which involves taking a copy of the mtd6 flash block, changing a couple of bytes, and then recalculating the checksum. So, uh, lightly documented, let's try.

Because I want to have a shot at this working, it would be nice to have a console. After examining the innards with a magnifying glass for a bit, I find a micro mini 1.25 JST connector. The scope confirms these look like serial + ground signals. But I have no micro mini 1.25 JST connector ends. So I very carefully soldered on a 3-pin 0.1" header. OK, power up, works, we are in. You are instantly logged in as root. Nice.


U-Boot 1.3.4-121219 (Apr  8 2015 - 14:34:29)

ARM Clock: 480MHz
DDR Clock: 336MHz
Hit Ctrl+u to stop autoboot: 0
|BIND err|
Unknown command:null 
booting from pri part...
load kernel...
load ramdisk...
init started: BusyBox v1.19.3 (2014-07-11 11:25:54 CST)

OK, let's try: patch /dev/mtdblock6, now find the upgrade. Nice, the upgrade is 2-step (upgrade to 1 newer and then to newest). Except... the upgrade needs a 'WebComponents.exe' plugin. OK, fire up a Windows VM. Wait, it's worse than that. This only works in Chrome older than '44', and Internet Explorer 7. Ugh, so even my Windows VM cannot upgrade it.

OK, but you guys said I shouldn't be lazy.

So this leads to a moral quandary. To upgrade some older software, you need access to other older software. And this in turn has security flaws. I mean, the irony here: I will likely have to install Windows XP (long off support) and let it have at least some network access, to upgrade this camera. It's kind of like saying I need to keep doctors around who have treated smallpox (and who themselves might have it!).

OK, installed Firefox 51 (I feel a bit dirty about that, but, well, it's for a good cause and it's not allowed Internet access and it's in a segregated VM). And it runs the dreaded WebComponents.exe. Great. And now:

[01-10 16:42:27][pid:852][UNI_IF][ERROR][UPG_ASSERT] 0x484b5753 == tHeadDec.iMagicNum fail to eRetVal UPG_STAT_ERR_PACK_MAGIC=0x00000041!
[01-10 16:42:28][pid:852][UNI_IF][ERROR][UPG_ASSERT] UPG_STAT_OK == (eRet = firm_pack_head(pUpgInfo)) fail to eRetVal eRet=0x00000041!

So, sigh, what new hell is this? Oh the horror, you actually have to upgrade *all* of the intermediate versions. Not just rev-1 and rev, its rev-N, rev-N-1, ... until current. This will take all night? You sure I can't just be lazy? OK, no, will not accept that. So onwards.
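Two things above are worth automating before touching the flash again: working out the exact ladder of intermediate releases, and checking each package's header before uploading it, since the camera's own unpacker rejects anything whose header magic is not 0x484b5753 (those bytes spell "HKWS" in ASCII). The script below is an added example, not code from this post or from Hikvision. It assumes that the magic occupies the first four bytes of a package (the page does not give the header layout, so it accepts either byte order), that version strings compare numerically dot by dot, and the sample packages it checks are constructed stand-ins, not real firmware.

```python
"""
Added example (not the blog author's or vendor's code): plan a one-release-at-a-time
firmware upgrade chain and sanity-check each package header before uploading it.

Labelled assumptions:
- MAGIC comes from the UPG_ASSERT line in the camera's log (0x484b5753 == "HKWS").
  Its position in the file is ASSUMED to be the first four bytes; both byte orders
  are accepted because the real header layout is not documented on the page.
- Version strings like "5.2.5" are compared numerically, component by component.
- SAMPLE_PACKAGES are constructed header fragments, not real firmware images.
"""
import struct
from typing import Dict, List, Optional, Tuple

MAGIC = 0x484B5753  # value asserted by the camera's unpacker (tHeadDec.iMagicNum)


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.3.0' -> (5, 3, 0), so that '5.10.0' sorts after '5.9.0'."""
    return tuple(int(part) for part in v.strip().split("."))


def plan_upgrade_chain(current: str, available: List[str],
                       target: Optional[str] = None) -> List[str]:
    """Return every available release newer than `current` up to `target`
    (default: the newest available), in the order they must be flashed."""
    cur = parse_version(current)
    tgt = parse_version(target) if target else max(parse_version(v) for v in available)
    steps = sorted({parse_version(v) for v in available if cur < parse_version(v) <= tgt})
    return [".".join(map(str, s)) for s in steps]


def header_magic_ok(package: bytes) -> bool:
    """ASSUMPTION: the magic is the first 4 bytes; accept little- or big-endian."""
    if len(package) < 4:
        return False
    little = struct.unpack("<I", package[:4])[0]
    big = struct.unpack(">I", package[:4])[0]
    return MAGIC in (little, big)


def preflight(current: str, packages: Dict[str, bytes]) -> List[Tuple[str, bool]]:
    """For each step of the chain, report whether that package passes the magic check.
    A False here means: stop, do not upload, the camera's unpacker will reject it."""
    chain = plan_upgrade_chain(current, list(packages))
    return [(version, header_magic_ok(packages[version])) for version in chain]


# Constructed sample packages (header bytes only, NOT real firmware).
SAMPLE_PACKAGES: Dict[str, bytes] = {
    "5.3.0": b"HKWS" + b"\x00" * 12,   # big-endian byte order spells the magic
    "5.3.8": b"SWKH" + b"\x00" * 12,   # the same magic stored little-endian
    "5.4.5": b"\x00" * 16,             # garbled header: must be rejected
}

if __name__ == "__main__":
    for version, ok in preflight("5.2.5", SAMPLE_PACKAGES):
        print(f"{version}: {'OK' if ok else 'REJECT (bad magic, do not flash)'}")
```

The magic check only tells you a file is the right kind of package; it says nothing about model or region compatibility, so it is a pre-flight filter, not a substitute for the vendor's own validation.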

OK, the upgrade from 5.2.5 to 5.3.0 went through, but now it just endlessly reboots. This is definitely a job for tomorrow!

