Chip-Off Firmware Extraction - Hikvision Security Camera

eMMC firmware extraction from the BGA flash chip on a Hikvision security camera.

IoT Pentesting Certification from TCM:

Need IoT pentesting services?
Please consider Brown Fine Security:

Come join us on Discord for some device hacking!

🛠️ Stuff I Use 🛠️

🪛 Tools:

🫠 Soldering & Hot Air Rework Tools:

🔬 Microscope Setup:

About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.

- Soli Deo Gloria

💻 Social:

#hacking #iot #cybersecurity
Comments

I would for sure fix up the CRC at the bottom of that block of text before going through the work of reballing.

Renzo_

I like how you treat the digital calipers as an unnecessary tool, when it's literally the only tool I have of the ones used for this project :)

ugh-meh

Have to wait for the next video to know how U-Boot handles a bad CRC. Maybe it will ignore it, but sometimes not. Keep going buddy. Cheers!

susugar

Nice video! For the XGecu T76 software, when working with eMMC I just use the "AUTO EMMC" option and auto-detect the eMMC with the "Analysys IC" button. eMMCs are inherently block storage devices (and eMMC standardizes its access, so you don't really need the device-specific profiles most of the time), and the UserData.BIN can be treated like a hard disk image. I reckon that the U-Boot environment variable store lives in a partition listed in the MBR or GPT partition table.

11.5x13mm is the most common eMMC size, maybe 10x11 for really compact devices. 12x16 isn't really used anymore, nor is 14x18 except in BGA100 format.

ginbot
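
The two comments above about the environment CRC and about treating the eMMC dump as a disk image both come down to the layout of a U-Boot environment block. The script below is an added example, not code from the video or from Matt Brown: it locates an env block in a block image by validating its CRC, parses the variables, rewrites one of them and recomputes the CRC so U-Boot accepts the edited block instead of falling back to its compiled-in default environment. It assumes the non-redundant env layout (a 4-byte little-endian CRC32 over the rest of the block, then NUL-separated key=value strings terminated by an empty string and zero-padded) and a 4 KiB env size; the sample image, variable names and values are constructed for the example and are not taken from any camera.

```python
"""Locate, parse, edit and re-checksum a U-Boot environment block in an eMMC dump.

Added example, not code from the video. Assumes the non-redundant env
layout (4-byte LE CRC32, then NUL-separated "key=value" strings ending in
an empty string, zero-padded) and a 4 KiB env block; real devices differ.
"""
import struct
import zlib

ENV_SIZE = 0x1000   # assumed env partition size
SECTOR = 512        # scan granularity; env blocks sit on sector boundaries


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def build_env(env: dict, size: int = ENV_SIZE) -> bytes:
    """Serialise env vars into a CRC-prefixed block of exactly `size` bytes."""
    body = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in env.items()) + b"\x00"
    if len(body) > size - 4:
        raise ValueError("environment does not fit in the block")
    body = body.ljust(size - 4, b"\x00")
    return struct.pack("<I", crc32(body)) + body


def crc_ok(block: bytes) -> bool:
    """True if the stored CRC matches the data that follows it. U-Boot falls
    back to its compiled-in default environment when this check fails."""
    stored, = struct.unpack_from("<I", block, 0)
    return stored == crc32(block[4:])


def parse_env(block: bytes) -> dict:
    """Split the body at NULs up to the empty-string terminator."""
    body = block[4:]
    end = body.find(b"\x00\x00")
    entries = (body if end == -1 else body[:end]).split(b"\x00")
    env = {}
    for entry in entries:
        if entry:
            key, _, value = entry.partition(b"=")
            env[key.decode()] = value.decode()
    return env


def find_env(image: bytes, size: int = ENV_SIZE, step: int = SECTOR) -> list:
    """Return the offset of every `size`-byte window whose CRC validates."""
    hits = []
    for off in range(0, len(image) - size + 1, step):
        block = image[off:off + size]
        if not any(block[4:]):          # blank window, nothing to validate
            continue
        if crc_ok(block):
            hits.append(off)
    return hits


def patch_image(image: bytes, off: int, key: str, value: str,
                size: int = ENV_SIZE) -> bytes:
    """Rewrite one variable in the env block at `off` and fix its CRC."""
    env = parse_env(image[off:off + size])
    env[key] = value
    return image[:off] + build_env(env, size) + image[off + size:]


def sample_image() -> bytes:
    """Constructed 16 KiB image: non-env data at 0x1000, env block at 0x2000."""
    env = build_env({
        "bootcmd": "bootm 0x82000000",
        "bootargs": "console=ttyAMA0,115200 root=/dev/mmcblk0p4 init=/linuxrc",
    })
    image = bytearray(0x4000)
    image[0x1000:0x1000 + 10] = b"NOT-AN-ENV"
    image[0x2000:0x3000] = env
    return bytes(image)


if __name__ == "__main__":
    img = sample_image()
    offsets = find_env(img)
    print("env block(s) at", [hex(o) for o in offsets])
    patched = patch_image(img, offsets[0], "bootargs",
                          "console=ttyAMA0,115200 root=/dev/mmcblk0p4 init=/bin/sh")
    print(parse_env(patched[offsets[0]:offsets[0] + ENV_SIZE]))
```

On a real multi-gigabyte dump, read the MBR or GPT first and restrict the scan to the sector range of the partition that holds the environment rather than walking the whole image; if the device uses the redundant env layout there is an extra flags byte after the CRC, which this example does not handle.
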

Absolute beast of a man. Good teacher, great content. Good stuff Matt, thanks!

flywithusMSFS

A new video! I get excited when there's a new video.

minerzcollective

This may be a very stupid question, but did you try the `-f` flag with `setenv`? If I understand the U-Boot docs correctly, that may allow you to overwrite read-only variables... Also, `setenv` seems to just be a direct alias for `env set`, not a separate command. Anyway, great video!

bene

I have extensive Hikvision, but since hearing about the security concerns I have disconnected it from the outside world and instead use Home Assistant to view the cameras remotely.

CrazedCrittic

Love your videos!!! Would love to see more advanced stuff such as finding vulns in apps and finding buffer overflows and command injections and using those to gain root.

hedgehogform

I do not expect a boot sequence check or firmware hash check from the developers, which means you will boot right into the sh shell.
I would love to see the next video. ASAP please 😊

tyaprak

Great video as always, @mattbrwn. May I ask what the temperature of your hot air gun is when you take the chip off?

geoffrey

Love your content man! Is that a new printer in the background 👀?

Spacehelm

Thanks Matt, very interesting. Brings back memories of my past.

johncloar

Wonder if the CPU does a FW checksum verification, waiting for the next part!

twizzter

Do you use an isolated UART converter? Usually PoE devices can't be connected to the computer ground without causing issues.

marekmatej

Great stuff, eagerly waiting for the next one 😄

JohnieBraaf

Is it that difficult to replace the "linuxrc" file with a tailored one that spawns sh?

codures

Have you tried to access memory through the JTAG connector?

RaduRadi-le

Hey Matt, please make a video on voltage injection

exploreThe_

Does sed only change the first instance it finds, or did he change ALL the instances of linuxrc?

turnkit