Hacking a Tiny Security Camera - VStarcam CB73 Firmware Extraction

Рет қаралды 37,746

Күн бұрын

Пікірлер: 139

@tonik2558 3 ай бұрын

The amount of high quality content you're putting out is amazing. I love that there's an audience for in-depth cybersecurity stuff

@a97807 3 ай бұрын

I think I am literally addicted to your channel.

@puolukkahillo1637 2 ай бұрын

Your videos are fantastic! I really love the way you show the whole physical process without delving too much into the theoretical details. I already have a grasp on the underlying concepts so just observing your workflow with commentary is wonderful!

@ripleysmith7583 3 ай бұрын

Love the channel. I was originally electronics technician and my work changed me to an IT guy so this is got the love for all the fun things. Keep up the good work..

@RoadRunnerMeep 3 ай бұрын

I like the fact that the software actually told you which pin was a bad connection :)

@danielcgomez 3 ай бұрын

I've always been very cautious with all types of IP Cameras ...would be interesting to see what you come up with regarding not only these Chinese cameras ...but also the more 'legit' cameras ...let's see what acronym agencies have their claws into our privacy.

@monad_tcp 3 ай бұрын

I call them Shodam Cameras.

@lifeai1889 3 ай бұрын

you can install openipc on the t31 chip, i have this model

@minutemadeinc 3 ай бұрын

@@lifeai1889also look at thingino as an openipc alternative

@WaffleStaffel 3 ай бұрын

I'm not the least bit concerned about China. With domestic products, I'm going to assume Moss@d or some Unit 8200 outfit has its grubby mitts all over them.

@kyoteecasey 3 ай бұрын

Great to see your process and tools being used here, you make it look easy! Going to watch the rest of the series over the weekend.

@Billy-mu8yu 3 ай бұрын

Another great video for sure. My only recurring request would be to make the videos longer. I’d love to see you continue digging into the firmware analysis / exploring the flash contents. I know you’ll make more videos, but it’d be great to be able to watch more of your initial analysis.. keep making the iot hacking videos, we love em!

@TheShutterNinja 3 ай бұрын

Ah, I always enjoy seeing the notice for a new video, it makes the work day go by faster. Thank you for this series.

@rainy-sec 3 ай бұрын

Wow, gotta say, im impressed, learn so many new things here, great job!

@dingokidneys 3 ай бұрын

I'm interested to see how this plays out as you dig deeper into this little device. Good stuff.

@Tenetri 3 ай бұрын

I'm hooked on these videos! I've always wanted to reverse engineer Chinese made tech to see what data it sends back to China. I'm really excited to see future videos, keep it up!

@ItsAuver 3 ай бұрын

Love waking up to a new Matt Brown video notification 😀. I'm looking forward to the binary reverse engineering!

@svob97 3 ай бұрын

Perfect video man, awesome content, you are explaining your thoughts very well, keep going! Looking forward to the next vid!

@marioruiz5404 3 ай бұрын

Soli Deo Gloria, well said man. Congrats, this hacker garage is awesome.

@mattbrwn 3 ай бұрын

✝️👑

@drakedorosh9332 3 ай бұрын

Great choice of subject. I have a few of these surveillance items that are definitely sketchy on some level. Even my fancy bird feeder might just as well been intended to spy on the customer as be used to watch birds. I wish I wasn't just a spectator though. There is so much to learn.

@jamescollier3 3 ай бұрын

just start doing it

@JuanesChiwirosky 3 ай бұрын

God I love reverse engineering videos 🎉🎉🎉

@wevecomesofar3825 3 ай бұрын

I'm absolutely loving your videos!

@luciopaiva 3 ай бұрын

Very interesting video, thanks!

@AbdelkaderBoudih 3 ай бұрын

The disable wifi is to save battery, as this can record in the card and trigger with motion

@booboo699254 3 ай бұрын

It also makes it more difficult to be found (via WIFI signal leakage)

@a46475 3 ай бұрын

...or for concealment reasons by not giving away its presence by communicating with another wireless device.

@MrDennisloi 3 ай бұрын

Awesome, I'm looking forward to the next steps!

@sw3nlab 3 ай бұрын

Неплохо Мэт. Молодец. Теперь осталось собрать свой evil/autoupdatechek под MIPS протестировать в QEMU , запаковать всё обратно и залить обратно в чип 😅

@Jeff-ss6qt 3 ай бұрын

I wouldn't discount the libraries too soon. It'd be a good way to hide stuff and have access to absolutely everything passing into them. They are open source, so can be modified to have anything included.

@akillercaterpiller 2 ай бұрын

Absolutely fascinating. Thanks for sharing!

@ESEben10 3 ай бұрын

Great episode!

@Dr.Schiwago 3 ай бұрын

Very cool, learning new tricks is very cool. Thanks man!

@raspberrypie1983 3 ай бұрын

Love to see it, when people do exactly what i would do with this things

@danialothman 3 ай бұрын

that is super cool Matt👍

@6LordMortus9 3 ай бұрын

Can't wait to see an update :)

@m0rjjj666 2 ай бұрын

I just discovered your channel. I am a software developer and DIY electroics is my hobby. The quality of your content is just amazing. I have a bunch of IoT devices that are cloud based, but they are still connectced to my local hosted home assistant. Would be could to follow along your journey and to hack my own devices. Thank you

@Tish0eX 3 ай бұрын

Nice content as always. You can check some cheap Chinese drone cameras also like Eachine E58. They have wifi camera but can be connected only to their proprietary app so if you can read/modify the firmware they can be more versatile.

@xDMG15x 3 ай бұрын

Please make a video when you reverse those binaries. The firmware extraction part is cool but it’s not always clear what the goal of extracting it is. I liked the netgear router one because discovering the passwords is a practical reason to want the firmware.

@mattbrwn 3 ай бұрын

Video drops Wednesday of this

@aot2002 3 ай бұрын

Very interested in seeing more ip cameras hacked and figuring out where they send data

@OwenThatOSDev 3 ай бұрын

tbh you are the best content creator I have seen, you keep your hands off of kids, and you actually educate people in interesting stuff!

@mohammadrazavi9058 9 күн бұрын

I believe having On/Off switch for Wi-Fi is amazing from Wireless security perspective

@Trick_in_hat 3 ай бұрын

Very interesting content, helps me better understand how it all it's together.

@ripplerxeon 3 ай бұрын

I really Enjoyed it

@dzxgame914 3 ай бұрын

Great skills, I feel at home with most of what u doing, amazing, thank you

@mynamesgus4295 3 ай бұрын

amazing video man

@tweebs1 3 ай бұрын

Really enjoy these. My first EPROM reader/writer used a similar ZIF socket but you needed a UV light to erase the chip. Any recommendations on a decently priced microscope? My eyes are old too...

@EzphoneLinuxleszbian-yb5pr 2 ай бұрын

i think i got a similar camera from looting, idk how to get it working tho as it doesnt have any markings, this video is super cool showing off how it's builded up

@al_lazy3519 3 ай бұрын

I think the wifi switch is to use that as some sort of spy camera and save battery, since it has a micro sd slot.

@vj7910 2 ай бұрын

Good quality video..Cheers

@namesurname201 3 ай бұрын

Thanks ❤

@isaacclark9825 3 ай бұрын

Is it common for the flash to be unencrypted? Great content!!!

@mattbrwn 3 ай бұрын

Yes it's usually unencrypted. There are some devices out there that do encryption but it's a hard thing to get right on embedded devices

@KSPseiko 3 ай бұрын

I don't believe battery I saw on the video has 2000 mAh capacity - as stated by manufacturer

@samuraidriver4x4 3 ай бұрын

Was expecting it to phone home to Baidu but Alibaba also checks out.😁

@309electronics5 3 ай бұрын

My tuya camera also has this ingenic t31 chip. I have also seen them a lot and it contains a riscV mcu core along side the mips! I managed to even disable the tuya app stack and enable telnet and rtsp!

@Titanek 3 ай бұрын

Wiggling.. Is that the small-scale version of "percussive maintenance"? :D

@mattbrwn 3 ай бұрын

very scientific here on this channel :D

@ff0x 2 ай бұрын

Just came across your channel - good stuff. You definitely deserve this comment and a like to help your algorithm. :)

@The_Real_Grand_Nagus 2 ай бұрын

If you're just looking for what the device is doing on the network and where it's sending data, wireshark may be a better option. You can configure your router so all the packets get sent through your Linux host as a gateway. Also the "autoupdate" binary is probably something that checks for and installs updates to the firmware. I would be suspicious if it does more, but I wouldn't automatically assume so.

@dexopt 3 ай бұрын

i just love seeing linux on tiny chips !

@309electronics5 3 ай бұрын

A large portion of the embedded world runs on Linux. Just shows how important and usefull Linux really is

@dexopt 3 ай бұрын

@@309electronics5 agreed 💯. its an amazing thing really. Even my printer runs on it.

@junior88fan64 3 ай бұрын

Well done Brainiac

@felixcosty 3 ай бұрын

Thanks for the video. What I always wanted to know is can the firmware be modded, put back on the device and make it you own, with out all the report back to home?

@joelsexton5594 3 ай бұрын

I've literally seen Hikvision cameras start opening ports on firewalls for inbound traffic with UPNP. I'm interested in what comes of this firmware.

@a46475 3 ай бұрын

I notice what appears to be a memory card slot so that could explain WiFi on/off switch.

@Veptis 3 ай бұрын

I always wondered how these "hacked IP cam" videos ended up on the web... But if people end up putting them in their bedrooms - I guess that's their bad to some degree?

@anominaty 3 ай бұрын

Hi can you reverse engineering a jiofi 3 Convert it into a wifi repeater The use of old technology its a good idea

@miked5444 3 ай бұрын

Wouldn't the address' in autoupgradecheck be primarily for OTA firmware updates?

@Melds 3 ай бұрын

Why do all of these devices go to tencent and alibaba? Are they like the AWS of China or are they involved with all of these hardware platforms?

@charleshines5700 3 ай бұрын

I can imagine someone using a thinner pad where the battery is and using a bigger battery. It wouldn't surprise me if someone did it already really.

@Dnsx_plus 3 ай бұрын

Why not just monitor network traffic by using some proxy kind of like burpsuite instead of having to reverse the binary or extract the firmware ?

@PlayerOne1999 3 ай бұрын

Why the frimware you extracted is in readable form?

@VoidFrost Ай бұрын

Why dump the firmware to analyze the file system BEFORE attempting to gain a shell? Wouldn't it make more sense to attempt to get a shell first?

@peytonk7367 3 ай бұрын

How hot does the hot air gun have to be for it to work? I have a hot air gun I could use but I don't know if it's hot enough.

@clearheadedness 3 ай бұрын

can this be used to find a away to use those cameras locally without a Chinese server connection?

@rhettpete 2 ай бұрын

Nice one

@PetrVr 3 ай бұрын

Just in a process of reversing different camera that sells where I am for good money. I was hoping that it will have similar chip that yours have T__ of MIPS architecture. Since I was planning to run Thingino firmware on it. Thingino is pretty cool project though. You might be interested in it. Anyway... Mine is running ARM AK3918 SoC, so Thingino firmware is not an option. So I am looking for a way how to stop it from sending data to China and use something like RTSP on LAN only.

@309electronics5 3 ай бұрын

What does it say on boot if it has a uart port? I had a tuya camera where i disabled the tuya init script and enabled telnet and rtsp

@PetrVr 3 ай бұрын

@@309electronics5 I Kinda went head on with dumping the firmware first. What you are mentioning should be possible, since there is some sort of config file that lists all services and other options like resolution etc., including RTSP with bool option next to it. I didn't yet have time to analyze device while it's running. Might get to do it later this week. Though I am hoping to have some option for modifying the firmware and either removing all embedded URL's the camera tries to talk to or I might try to just firewall-block all traffic to WAN coming from the camera, though I am not sure how that would work.

@bigdfig6083 2 ай бұрын

That will work exactly as you stated. Camera nic has xyz ipaddy and ALL packets from said ip get dropped at the fw. If you WANT it to send traffic through fw set rule for specific ip at other end though I would suggest allowing certain inbound traffic from explicitly listed addresses

@ShadyNetworker 12 күн бұрын

Wait, so, how in the hell does the "Flash read" actually work? Can you instruct those chips to simply send all onboard data or whats going on there?

@74357175 3 ай бұрын

Any decent IP cameras with open firmware?

@George-ec7ez 3 ай бұрын

Nice Haircut

@aarong9378 3 ай бұрын

Don't be a jerk.

@George-ec7ez 3 ай бұрын

@@aarong9378it wasnt meant as an insult, but I guess compliments dont translate well over the internet

@Channel-tm8ud 3 ай бұрын

Can't you read the firmware with the chip in place?

@UndeadAlex 3 ай бұрын

When in doubt, just wiggle it xD

@tente-outro 3 ай бұрын

let's watch

@hugovangalen 3 ай бұрын

I guess that by leaving the WiFi off, it won't accidentally connect to an open AP and reveal its presence. Or just to save power.

@Misimpa 3 ай бұрын

Cool but what about other projects?)

@alpha_pixel_ 3 ай бұрын

Try to hack into ezviz cameras. Check if it is compatible for custom firmware.

@drooplug 3 ай бұрын

What temperature do you use to desolder?

@benneh242 3 ай бұрын

Hey are you running xgpro under wine? It really won't play well for me that way and I've had to resort to a vm...

@markwhidby5148 3 ай бұрын

He said he did on an earlier video - the one for the fake Chromecast device.

@VantaCanadaBlack 2 ай бұрын

These can record locally to sd card when you turn wifi off.

@xiv3r 3 ай бұрын

How to unlock eeprom that has been permanent locked by Protection Lock Bits value 1

@kikihun9726 3 ай бұрын

looks like a simple remote access platform where you can download the clips to your phone without taking a risk to open your router port to the internet side. But that hardcoded ip address will fail overe the years if they go out of business.

@masterman1502 2 ай бұрын

IPs for Alibaba and Tencent are probably just their cloud services, so probably the camera vendor is hosting stuff there

@phuo2185 3 ай бұрын

can you pls make a video on synology tC500 camera , pls , pls , pls

@s80heb 3 ай бұрын

Can you hack a ledger nano

@monad_tcp 3 ай бұрын

9:46 that ZIF socket is really bad

@WWFYMN 3 ай бұрын

Hello, could you modify the firmware so that it is easier to get shell, maybe add ssh if it's not enabled or change the password if it has one

@mattbrwn 3 ай бұрын

Video of getting a shell drops Wednesday 😎

@WWFYMN 3 ай бұрын

@@mattbrwn ❤

@enricocialdini6194 2 ай бұрын

what did you put on the chip to detach it?

@bigdfig6083 2 ай бұрын

Flux and hot air

@mirceabereveanu8943 8 күн бұрын

GGs

@akshita_9597 3 ай бұрын

Try hacking Ring video doorbell

@КонстантинФаер-и1ц 3 ай бұрын

о, эту базу мы смотрим

@AchhcityNoob 3 ай бұрын

good 5to good been by he she life

@andrianoturner3958 3 ай бұрын

база

@FreshaThen 3 ай бұрын

I need to know your OS! 😅

@harrybrotherton9384 3 ай бұрын

Can anyone tell me what distro Matt uses?

@спасибки-у4к 3 ай бұрын

where google chromecast part 2?

@yaswanthkumarkoppanathi8074 3 ай бұрын

Is that arch linux

@xenoxaos1 3 ай бұрын

All my cameras are on a vlan that doesn't have any external access...

@mattbrwn 3 ай бұрын

No egress? Or only no ingress?

@al_lazy3519 3 ай бұрын

I know that might be a bit much, but do you have any material on that? I wanted to do something similar but when going beyond the settings of routers networking gets difficult

@xenoxaos1 3 ай бұрын

@@mattbrwn no egress or ingress... Only access to my other vlans. Dns resolves every domain name to a local ip. Also forwarding ntp to a local ntp server. My wifi ap has the ability to assign different ssids to different vlans. One SSID is just typical. One has dhcp with a set dns to pinhole... The third is basically a black hole that can only access IPs on first VLAN

@xenoxaos1 3 ай бұрын

@@al_lazy3519 you can't really do this with a normal router. One got an edgerouter pro 8 and a unifi ac pro access point and a 48 port Cisco PoE managed switch.

@PetrVr 3 ай бұрын

@@xenoxaos1 That is pretty cool setup. I am in process of replacing all my routers with OpenWRT capable routers, which to my knowledge supports VLANs. Though I havent thought about blocking all the WAN traffic on the VLAN specifically for the IPCams purposes. Just by an accident you don't have any blog article showing how you did that? :-)