i extracted the secrets of my son's baby monitor

454,424 views

Low Level

days ago

Comments: 524
@LowLevelTV (1 year ago)
I've gotten LOTS of questions about the shirt! Merch can be found at lowlevel.store Thanks for watching!
@adderek (1 year ago)
Should be "Everything is open source if you can read machine code/opcodes" ;)
@wulliest (1 year ago)
I love the shirt - it's a shame there's no UK / EU option.
@everythingpony (1 year ago)
Any update? Is it safe?
@cobwebblocks (1 year ago)
invalid config atm :/ "Only one step left! To finish setting up your new web address, go to your domain settings, click "Connect existing domain", and enter:" website domain can't say the domain probably (youtube does not like links)
@derpsakry4464 (1 year ago)
@@everythingpony yeah we need to know
@BrBill (1 year ago)
We're never gonna get that 3rd promised episode in this series, I'm guessing
@fb39ca4 (1 year ago)
The "h264enc" symbol you refer to at 7:09 is likely to do with an H.264 video encoder, not any encryption.
@awli8861 (1 year ago)
Finally someone noticed
@xiki1506 (1 year ago)
🧠
@sanantohomie (1 year ago)
@@awli8861 not every person knows "everything" in terms of puter speak - especially if you are looking at it through a lens that already wants to "see" the word encryption. For video people, the enc is obvious; to others it's not.
@TheBarretNL (1 year ago)
@@awli8861 Yeah we wasted our time on this one, dude had 0 idea wtf he was doing.
@TwoLeggedTriceratops (1 year ago)
Y he didn’t know dis
@filker0 (1 year ago)
It's fortunate that the RTOS has a command shell at all; I do embedded programming, and very few of our products have any interactive monitor or shell at all; I have a module that I use during early development, but it is never included in the build for the versions that go through security or quality testing since it would be a potential attack surface. Even the devices with Linux as the RTOS have the serial drivers hacked to only support output.
@X41-f4t (1 year ago)
You would be surprised how many devices out there just straight up give you a root tty or the bootloaders console on some random uart port on the pcb. There's also jtag, swd and stuff like that which often just stay enabled and provide handy little testpads or unpopulated rows of pins as well. The xbox 360 for example could be hacked early on by jacking into some jtag pins that were left easily accessible to anyone
@HappyBeezerStudios (1 year ago)
That reminds me that my DVB-T receiver has what looks like a serial port on the back. Would be interesting to look into that.
@TinkerWorX (1 year ago)
It is honestly a bit concerning. The products I've worked on we also have a very simple terminal for use in debugging, but it's never part of production.
@mikhailproductions (1 year ago)
My old security camera DVR had the root filesystem mounted as read-write, open telnetd, and open uart with root.
@TheEvilWalrusLord (1 year ago)
This video and these threads making me realize I know actually nothing
@nil0bject (1 year ago)
build your own camera/monitor. you already know these products do not have professional programmers writing the code. at best, the poor hardware guy has to write the code. at worst, they outsource to a questionable country
@LowLevelTV (1 year ago)
I honestly considered this at first. Alas, I procrastinated.
@sudiir12345 (1 year ago)
Well, if you plan on making one in the future and require someone to design PCB or write some embedded code, LMK, Happy to help
@nil0bject (1 year ago)
@@LowLevelTV if you have any spare raspberry pi's or other low powered linux sbc, plug in an arducam, get a wired or bluetooth mic and speaker, install homebridge/etc and add it to your smart home security system. i do this for my dogs
@daliuskal (1 year ago)
By the time he's finished making his own baby monitor he won't need it anymore
@milesprower6641 (1 year ago)
@@LowLevelTV mood
@Flying0Dismount (1 year ago)
Actually, just having encryption is NOT the end of the story. Of more importance, once you have confirmed that it is using encryption, is that it is using the encryption properly (correct and robust crypto mode) and also handling keys properly and securely (ie, session keys or user specified key, and not a fixed key stored in the firmware image). So many devices link in a crypto library and then either don't use the crypto correctly (eg using ECB mode to get around sync issues), or they hardcode a keystring in the software that every device on the planet uses...
@autohmae (1 year ago)
The Snowden documents showed: the crypto is usually pretty good, but the code around it using the crypto is often broken in all kinds of ways.
@wolphin732 (1 year ago)
@@autohmae WEP... if it was implemented correctly and had been designed by a crypto engineer... would have been reasonable... but it wasn't so had major flaws.
@autohmae (1 year ago)
@@wolphin732 WEP is one of those self-made cryptos... no real expert was involved as far as I'm aware. And what a mess it was.
@FelipeBalbi (1 year ago)
H264 is a commonly used video codec (together with H265, VP9, and AV1). That H264Enc function is encoding some video blob. The odd part is that I would expect the camera to encode and the video monitor to decode. Oh well
@samuelblake (1 year ago)
h.264 is a tighter video/audio compression for less data needing sent wirelessly. Still needs the "CPU Umph" on the other end to decode it though (as you stated above). :)
@youhackforme (1 year ago)
Might be bidirectional communication
@wkm345 (1 year ago)
@@youhackforme communication of what? unless specified (lossless compression), H264 most of the time does lossy compression. What good is information if it might get lost in compression?
@youhackforme (1 year ago)
@@wkm345 like two way video communication. In case the monitor wants to send back an image of whoever is watching
@sergeyvas123 (1 year ago)
@@samuelblake h264 is not video/audio. It's video only.
@BogdanTheGeek (1 year ago)
Seeing or not seeing a symbol/string for encryption would not tell you that it's actually using encryption or not. Try to look for uint8_t array[16] or general mentions of lengths of 16. The chip could have built in aes encryption. Also, don't forget that production code is more often than not using -Os and -ffunction-sections -fdata-sections -gc-sections etc, to strip down a lot of code. While -Os "generally" doesn't like to inline code, if the function was used only once, there might not be a call to it. As an aside, the standard of encryption in consumer level hardware is very low. I know this might sound dumb, but some people consider data-whitening as "encryption" by obscurity. Best of luck.
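As an added example for the heuristic in this comment (my code, not the video's or any vendor's): a stripped build may have no `aes`/`encrypt` symbol at all, but a software AES still has to keep its lookup tables and round constants in the image, so a scan for those constants is a symbol-independent check. The firmware image in the block is constructed for the demo; the caveat is that AES done in the SoC or in the radio's FIFO leaves no such tables.

```python
"""Look for evidence of a software AES in a firmware dump without symbols.

Added example for this thread, not code from the video or from any vendor.
The S-box, T-table and round constants are derived from the FIPS-197
definition; the image scanned below is constructed. No hit means either no
encryption or encryption in hardware, which this check cannot see.
"""
import functools
import struct


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


@functools.lru_cache(maxsize=None)
def aes_sbox() -> bytes:
    """Forward S-box: multiplicative inverse followed by the affine transform."""
    box = bytearray(256)
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):                       # s ^= rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box[x] = s ^ 0x63
    return bytes(box)


def aes_te0(sbox: bytes, endian: str) -> bytes:
    """Te0 table, entries (2*s, s, s, 3*s), as word-oriented AES code stores it."""
    words = []
    for s in sbox:
        s2 = gf_mul(s, 2)
        words.append((s2 << 24) | (s << 16) | (s << 8) | (s2 ^ s))
    return b"".join(struct.pack(endian + "I", w) for w in words)


def aes_rcon() -> bytes:
    """Key-schedule round constants: 01 02 04 08 10 20 40 80 1b 36."""
    rc, out = 1, bytearray()
    for _ in range(10):
        out.append(rc)
        rc = gf_mul(rc, 2)
    return bytes(out)


def crypto_signatures() -> dict:
    sbox = aes_sbox()
    return {
        "aes_sbox": sbox,                        # 256-byte table, strong signal
        "aes_te0_be": aes_te0(sbox, ">")[:64],   # first 16 words suffice to match
        "aes_te0_le": aes_te0(sbox, "<")[:64],
        "aes_rcon": aes_rcon(),                  # only 10 bytes: weak signal
    }


def find_crypto_constants(image: bytes) -> list:
    """Return (signature_name, offset) for every occurrence in the image."""
    hits = []
    for name, sig in crypto_signatures().items():
        off = image.find(sig)
        while off != -1:
            hits.append((name, off))
            off = image.find(sig, off + 1)
    return sorted(hits, key=lambda h: h[1])


def verdict(image: bytes) -> str:
    strong = {n for n, _ in find_crypto_constants(image)} - {"aes_rcon"}
    if strong:
        return "software AES tables present"
    return "no AES tables: either no encryption, or it is done in hardware"


def build_demo_image(with_aes: bool) -> bytes:
    """Constructed image: 0xA5 fill, a codec string, and optionally AES tables."""
    img = bytearray(b"\xa5" * 0x400)
    img[0x100:0x108] = b"h264enc\x00"      # the codec symbol, not a cipher
    if with_aes:
        img[0x200:0x300] = aes_sbox()
        img[0x300:0x30A] = aes_rcon()
    return bytes(img)
```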
@BogdanTheGeek (1 year ago)
Forgot to also mention the obvious, most RF chips have built in encryption in the fifo.
@LowLevelTV (1 year ago)
I'll have to look into this, that's a good point. They might have the RF chip mapped as a peripheral and be doing the encryption there.
@BogdanTheGeek (1 year ago)
Check for some spi calls as well. Have you identified the chips on the board and found datasheets for the relevant ones? I always start with the hardware so I know what to look for. Especially with reverse engineering hardware, a dead giveaway of what a function might be doing is seeing the peripheral init code, which is easy to spot if you have the datasheet.
@Saturn49YT (1 year ago)
+1. It is very unlikely a device like this would be doing encryption/decryption on an ARM CPU for video - it would have to be offloaded to some dedicated chip. Capture the raw data on the "wire" - does it look random or like H.264?
@GamerSuper91 (1 year ago)
@@LowLevelTV Hi new subs. how to find the config.bin decrypt key from my modem called freebox pop or illiad box?
@smocloud (9 months ago)
This is how a programmer who’s a father shows his love for his kids - by making sure their data is encrypted. But for real, those home videos of a baby monitor getting hacked and some random talking to your kids through it when you’re asleep or in a different room not actively watching the monitor is absolutely creepy as fuck. These systems should be encrypted by default.
@billzoaiken (1 year ago)
Great series and very informative. I don’t often work with the hardware side of things, so it’s great to see all the little hurdles you face. I’m looking forward to the next video. Thanks for sharing!
@LowLevelTV (1 year ago)
Awesome, thank you!
@brylozketrzyn (1 year ago)
Running into "manufacturer default" doesn't mean that you actually have all the firmware. In some chips you don't have equally sized pages, so you want to pack bootloader and ISR vector in page 0, then store some mfg/NV data (i.e. for pairing) but actual firmware can be stored in last page. It is just matter of linker script
@epistax4 (1 year ago)
A5A5 can't be used in the way stated. In flash you are limited by the number of erases you can perform on a given cell. You can only write '0's, and erasing will give you '1's. So practically you'd have to erase A5A5... before you write. Blank flash is almost always FFFF. A5A5 could be programmed memory for debug purposes or to ensure an invalid opcode. At least in thumb, I believe FFFF may be something valid like move 0 to r0, or somesuch.
@caralynx (1 year ago)
Yeah I'd like to know where he got that assumption from. Most manufacturers end up either writing null bytes in unused space or leaving those bytes unprogrammed. Kind of sounds to me like an explanation made up on the spot to explain an observation.
@AlexandruJora (1 year ago)
I’ve seen A5A5 used by some RTOS as initial stack memory values so that if a stack overflows its allocated size the RTOS can detect it and call a hook before all hell breaks loose.
@stupiddog79 (1 year ago)
The firmware extract technique is awesome!
@LowLevelTV (1 year ago)
Thank you!
@nickram81 (1 year ago)
That’s funny, at the beginning of the video I was thinking “it would be easier just to look at what is actually being transmitted”.
@arjix8738 (1 year ago)
06:52 h264 is a video codec, so enc would stand for encode. It is most commonly referred to as x264. The h stands for hvec, as 264 is part of the hevc family of codecs; that's why you may encounter it as h264, h.264 or just plainly x264
@Aceofheartless (1 year ago)
Hey that’s the kind we have! I wasn’t sold on the encryption claims myself, but ultimately I decided that the fact that it was a locally-paired 2.4GHz camera limited our attack surface to just our neighbors so it was probably okay. I’m looking forward to seeing what you learn about it :)
@rbettsx (1 year ago)
I've just gone through my YT homepage asking for every channel with a 'shocked face' thumbnail never to be recommended again.
@davidwhite2011 (1 year ago)
Sounds like you need a mixed-mode oscilloscope and capture the data between the chips. Many more expensive ones can save that data to a stream you can then see what happens. Some chips allow the firmware to be encoded not as much encrypted. Big-endian and little-endian also can be an issue.
@GRBtutorials (1 year ago)
Or a logic analyzer, which is much cheaper than an MSO.
@davidwhite2011 (1 year ago)
@@GRBtutorials I will give you that...
@mikegofton1 (1 year ago)
The user manual for this product shows it uses 2.4 GHz FHSS modulation (not WiFi), which requires the camera and monitor to be paired. I'll guess the video stream is not encrypted, because there's no possibility of accessing it unless you have a paired receiver within range. I'm enjoying your channel, particularly the reverse engineering content.
@element4element4 (1 year ago)
But if you have an SDR, say a HackRF one, can't you just capture the RF signals and demodulate it?
@mikegofton1 (1 year ago)
@@element4element4 I've used an RTL-SDR to demodulate ASK and FM. I'm not sure how you'd go about doing that for FHSS, as you need to 'de-hop' the carrier and that requires knowing the pseudo random frequency hop sequence which is set in the pairing process.
@JaykPuten (1 year ago)
@@mikegofton1 never underestimate a programmer with a weird... Interest and the lengths they'll go to achieve that goal (See this video as an example)
@X41-f4t (1 year ago)
FHSS is not any form of encryption. There was a cool shmoocon talk about it years and years ago I think, i gotta go rewatch it but just hopping frequencies a bit isn't enough
@martinwhitaker5096 (1 year ago)
I have a similar monitor that uses a proprietary RF link at 2.4 GHz. It claims to be encrypted, but quite frankly I don't care. The range, at most, is around 50 meters. The chances of anybody within range having the hardware, skills, time and desire to eavesdrop is negligible. Plus, even if they did they just get the world's dullest video stream of a sometimes sleeping baby.
@seth111yta1 (1 year ago)
*somehow* this dude actually knows that 10100101 is manufacture default memory value, but *doesn't* know that h264 is mpeg encoding
@marcin_szczurowski (1 year ago)
That might be security by obscurity. We'll see what you'll find in RF but I'm guessing that radio channel is somewhat custom or not typical. I admire your effort to go through console. I'd probably desolder relevant IC's and just read them with a programmer ;)
@swim-bike-blake (1 year ago)
I am not a security expert by any means. I'm just a sales engineer for a tech firm, but that does mean I get fun toys to play with and have the real enginerds fix when I break them. All that to say, when we set this exact monitor up in our house, our WIPS sensors on our WatchGuard Wireless APs went crazy. It appears to be using straight up standard 2.4GHz on channel 11. WIPS was able to show traffic (this is where I don't have the expertise) but we accepted the risk because the wifi enabled one we used previously (Owlet) made its first hop out of the network to China, then South Korea before trying to establish a connection in the US. My wife couldn't get the camera to work and I found Geolocation policies shutting it down on packet #2 lol.
@kingcrypto75 (1 year ago)
Every so often I like to humble myself by listening to smart people talk about subjects I know nothing about. This video served me well.
@xr.spedtech (1 year ago)
Congrats on being a father ... Could you dump an Android firmware, bootloader, and all that good this.
@InfiniteQuest86 (1 year ago)
It's possible, but it's much easier to just go online and download those. It's available for all devices for free.
@iwillburn (1 year ago)
Congrats! Keep it up. So far I think I've seen just about every tool used in the latest DEFCON vids!
@JoneKone (1 year ago)
Nothing was found "Found Something Concerning."
@josh_m (1 year ago)
Why would someone hate regex ... it's awesome.
@kastifur (1 year ago)
LLL my man… it's been so amazing watching you and your channel explode over the last little while. I'm so happy for you and excited to see all the great content to come! 🎉
@realzguardian (1 year ago)
This guy is smart, I am really enjoying this series.
@diegocastillo6470 (1 year ago)
Just 2 minutes into the video and I've already learned a lot. Great content, new sub. Thank you!
@Arimodu (1 year ago)
Awesome video. I love watching people reverse firmware, it's kinda like a detective movie. I actually tried my hand at reverse-engineering some firmware too, well, I crashed and burned on that hill. My problem is that I don't want to take the device apart, so I tried using the update image, but binwalk just showed some corrupted stuff, and in the end I figured it's compressed, but no idea how to decompress it. It's raw deflate I think, so if you know any tools to decompress that I would be glad.
@X41-f4t (1 year ago)
What device/firmware? I could take a look at it if you want, I love messing with firmware lol
@BloomSirenixx (1 year ago)
There are 3 types of hackers: black hats, white hats and hardware hackers
@LowLevelTV (1 year ago)
4th: BASEDHAT Hackers
@stapler942 (1 year ago)
Does white hat include ROM hackers? ;)
@BloomSirenixx (1 year ago)
@@LowLevelTV aka hackers of multiple spaces(hardware and software) that are white/gray hats
@BloomSirenixx (1 year ago)
@@stapler942 yes :D
@ShinyTechThings (1 year ago)
Can't wait to see the next video on this!
@sdouglasaz (1 year ago)
One thing but before I state it, I really appreciate your effort and engineering skills. I appreciate the device chosen and the genuine story of concern too. Here’s the thing- wouldn’t you want to see the encryption be on the camera and decryption happening on the monitor? I also feel there are many other methods of encryption and it may not be so literal in the code.
@TheWindyweather (1 year ago)
I was thinking about your efforts, and it occurred to me that folks have probably built Baby Monitors using Raspberry PI's and that they are probably about the same price or cheaper that way than buying them off the shelf. I have not studied the projects, so not sure if they include Encryption, but I'll bet that's easy to add - comparatively. So, you might consider doing another video after this project to analyze the RaspPi baby monitors projects out there and if they don't encrypt, then fixing one of the projects so it does. Just a thought. I'm following you to see what you find. Cheers.
@JxH (1 year ago)
7:18 "H264" is famously a Video Encoder, like MPEG2 but newer and better. Others might have grabbed a $20 SDR dongle and examined the over-the-air signal to see if it's encrypted or not. 7:35 - yeah that. :-)
@ooglek (1 year ago)
Cool! I couldn't find the RF data capture video... did it disappear?
@blitzkrieghopAZ (2 months ago)
@@ooglek any luck sir?
@PeterBeckman (2 months ago)
@@blitzkrieghopAZ Nope, can't find it still.
@Pscribbled (1 year ago)
As a viewer, it would’ve been good to know at the beginning that it’s not a wifi based monitor. That fact makes it so much more secure alone. Encryption on top of that is a nice cherry on top though
@sarundayo (1 year ago)
Where do you normally stream? Will def follow along your vids my dude :D
@nordgaren2358 (1 year ago)
Can't wait to see how the RF capture works!
@blitzkrieghopAZ (2 months ago)
@@nordgaren2358 did this RF video occur?
@nordgaren2358 (2 months ago)
@@blitzkrieghopAZ I think it was a stream. I was busy when it happened, I think. Maybe it's still on Twitch?
@JaykPuten (1 year ago)
I would have just started with trying to pick up whatever it was sending over the air, which is easier if it's a WiFi device that sends the information over your personal network, or some will over the internet (for creepy baby watching at home while working I guess), as that's a quicker job to do... Though I am curious what radio spectrum it uses to send the audio and video (I've never owned a baby monitor). Though to be fair this isn't the spirit of the channel, and you never know when someone wherever the firmware was made out in a super easy backdoor for watching random babies... or houses. I'm also not so much a hardware hacker, which is why I love this channel.
@Dratchev241 (1 year ago)
in the USA it would have to be a band where FCC Part 15 transmit is allowed. so likely 2.4 GHz.
@RPLAsmodeus (1 year ago)
I was recently using a kids' walkie talkie with about a 60ft range and picked up someone's baby monitor. The lady on the other end was mortified. I told her I was as shocked as she was, apologised, then promised to use a different frequency LOL
@pouet4608 (10 months ago)
Your channel is so undervalued!
@tylerb6981 (1 year ago)
This video is such a perfect advertisement for your Twitch, haha... As soon as I recognized that you streamed this whole thing, I followed you.
@JLneonhug (1 year ago)
Hello, found you via algorithms. Thank you for sharing.
@TexasTimelapse (1 year ago)
Just subscribed. This kind of content stimulates my inner nerd. I can't wait to see what you found!
@50shadesofbeige88 (1 year ago)
Good work! I appreciate that you share your process. Good mixture of technical information without being verbose.
@WilmanArambillete (1 year ago)
great channel! awesome video! and very cool t-shirt man! congrats
@Motomurphy (1 year ago)
YESSS!!!!!! I have one of these due soon and wanted to do the same thing but I'm not smart enough. Thank you!!
@gkelly (1 year ago)
Nice video! One thing that I've seen in several products that go the ASIC route is putting the crypto routines into the mask ROM. Depending on how privilege isolation works (or does not work) on your device you might just be able to dump the crypto routines straight out of ROM. It's often-but-not-always mapped starting at 0, because the boot vector table needs to be there anyway and often comes from mask ROM. If they do implement some form of execution isolation, like a separate page table, then it can be harder to dump. Looking forward to the next video!
@jan_phd (1 year ago)
ASICs can be encapsulated in the microprocessor can. In the Apple M1 and M2, the multi-layers are used for parallel comm paths... that users can't access.
@jacobrosen (1 year ago)
I may be wrong here, but from my experience you can only write a flash bit from 1 to 0, if you want to do a 1 you will need to erase the whole page. So those A5 could have been out there to make sure no one could put any code there without erasing a larger block of flash possibly bricking the device
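As an added example for the flash point made in this comment and in epistax4's comment above (my code, not the video's or any vendor's): a small model of flash program/erase semantics showing why data only "takes" over an 0xA5 fill when it clears bits, and why anything else forces a whole-page erase. The page size and the vendor image are constructed for the demo.

```python
"""Flash program/erase model: why a 0xA5 fill is not 'blank'.

Added example for this thread, not code from the video or any vendor.
Programming can only clear bits (1 -> 0); returning a cell to 1 means erasing
its whole page, which also consumes one of that page's limited erase cycles.
So an 0xFF (erased) region accepts any data as-is, while data written over
0xA5 is only correct if it clears bits. Page size and image are constructed.
"""
PAGE_SIZE = 256  # constructed; real parts use anything from 256 B to 128 KiB


class NorFlash:
    def __init__(self, size: int):
        assert size % PAGE_SIZE == 0
        self.cells = bytearray(b"\xff" * size)        # erased state is all ones
        self.erase_count = [0] * (size // PAGE_SIZE)  # wear per page

    def erase_page(self, page: int) -> None:
        start = page * PAGE_SIZE
        self.cells[start:start + PAGE_SIZE] = b"\xff" * PAGE_SIZE
        self.erase_count[page] += 1

    def program(self, addr: int, data: bytes) -> None:
        """Programming ANDs data into the cells: bits go 1 -> 0, never 0 -> 1."""
        for i, b in enumerate(data):
            self.cells[addr + i] &= b

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.cells[addr:addr + n])


def needs_erase(current: bytes, desired: bytes) -> bool:
    """True if some bit would have to go 0 -> 1, which programming cannot do."""
    return any(~c & d & 0xFF for c, d in zip(current, desired))


def write(flash: NorFlash, addr: int, data: bytes) -> list:
    """Write data at addr, page by page, erasing only pages that need it.
    Returns the list of pages that were erased."""
    erased = []
    end = addr + len(data)
    for page in range(addr // PAGE_SIZE, (end - 1) // PAGE_SIZE + 1):
        pstart = page * PAGE_SIZE
        old = flash.read(pstart, PAGE_SIZE)
        lo, hi = max(addr, pstart), min(end, pstart + PAGE_SIZE)
        new = bytearray(old)                           # read-modify-write merge
        new[lo - pstart:hi - pstart] = data[lo - addr:hi - addr]
        if needs_erase(old, bytes(new)):
            flash.erase_page(page)                     # whole page back to 0xFF
            erased.append(page)
        flash.program(pstart, bytes(new))              # re-program merged page
    return erased


def demo_a5_fill() -> dict:
    """Constructed vendor image: 64 bytes of 'code' in page 0, 0xA5 fill after."""
    flash = NorFlash(4 * PAGE_SIZE)
    image = bytes(range(64)) + b"\xa5" * (4 * PAGE_SIZE - 64)
    first = write(flash, 0, image)                 # from blank: nothing to erase
    fill_ok = flash.read(0x200, 4) == b"\xa5" * 4
    patched = write(flash, 0x150, b"\x5a\x5a")     # 0x5A needs bits set: page 1 erased
    neighbour_kept = flash.read(0x14E, 2) == b"\xa5\xa5"
    return {
        "erases_on_first_write": first,
        "fill_readback_ok": fill_ok,
        "pages_erased_for_patch": patched,
        "neighbour_bytes_preserved": neighbour_kept,
        "erase_cycles_used": flash.erase_count,
    }
```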
@losttownstreet3409 (1 year ago)
If it's encrypted there needs to be a method of key exchange. It sounds nice to encrypt but it's a hassle if the key fails. With powerline I need to restart the devices every month because the encryption key fails after a month or 2 months. Even if it's encrypted there is a problem with the key exchange: a static key for all devices isn't very good as all devices use the same key. But it's better to use a simple XOR static key than nothing at all. Even a static AES key is sometimes used in the firmware world and you find examples in the datasheets all over the world.
@yuwish6320 (1 year ago)
H.264 is a video compression codec. It is not encryption.
@ddruganov (1 year ago)
I have no idea how i didnt discover this channel earlier. This is amazing content, thank you!!!
@academicalisthenics (1 year ago)
Your shirt has a point there... Needs an asterisk though with something like "though nobody can read your code, if your code isn't readable". Talking about those Malwareguys using obfuscators on their (just-in-time-compiled, interpreted) Javascript and Python Code.
@oddlyspecificmath (1 year ago)
Sonicare toothbrushes have several programming pads inside (easy to see in teardowns online). Not sure how interesting they are, just FYI
@Yukinebi (1 year ago)
I love this channel and community. I had a good time watching you hack this one, learned a bit too.
@saysoy1 (1 year ago)
Ooh the E5 is good, I have absolutely no idea what you are talking about, but for some reason made me a bit optimistic
@ZygalStudios (1 year ago)
Cool video! As a student of information theory and RF systems & SW myself, I love seeing stuff like this. Questions like this can be tricky to answer from an outsider's perspective, depending on how they chose to implement their design. RF stuff is usually done in layers on the OSI model. Encryption is commonly used on the presentation layer, which is just below the application layer. Meaning there are a number of other things that happen before you even get there that would need to be truly understood first. Could you maybe pick something out before then? Sure? Possibly? But it's highly unlikely. Your best bet is to find instructions that lead to preparing the H264 frames before sending them across the network. Looking at the PHY (doing some type of analog over the air RF capture) won't particularly tell you if it's encrypted or not straight away. The PHY will have a modulation scheme you'd need to demod first. It isn't always straightforward either; modulation schemes now can get fairly complicated and have numerous components superimposed on top of one another (in phase and quadrature are some examples). You may also have pilot symbol sequences to handle channel estimation or sync signals. There also may be other barriers to get to the baseband symbols from the PHY such as data whitening, or spread spectrum frequency hopping to help the device play nice with regulations. The link layer usually does forward error correction as well, so that would also be present; you'd need to figure that out and have a decoder for that. You may also have channel access control scheduling to take into account to handle numerous devices. The network layer might be where things start getting a bit more familiar, but even there there's no guarantees. You also have source coding, or in this case compression. I noticed H264 codec labels, which is a video compression standard that's fairly common. Really cool theory as well.
All in all, a simple RF capture probably won't tell you whether or not this is an encrypted signal. There's a reason RF com protocol analyzers cost so much money. Long winded way to say, your best bet is exactly what you had been doing. Scan the binary to see if any clues about ciphering, key generation, key scheduling, etc... otherwise you might as well be re-designing all of this yourself.
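As an added example for this comment and for Saturn49YT's "does it look random or like H.264?" question above (my code, not the video's or any vendor's): a check that runs on a demodulated payload and looks for Annex B H.264 framing next to a byte-entropy measure. Both samples are constructed, and the point the block makes is that compressed video is already high-entropy, so only the framing check separates cleartext video from ciphertext; it says nothing about a raw FHSS capture that has not been de-hopped and decoded first.

```python
"""Does a captured payload look like cleartext H.264 or like ciphertext?

Added example for this thread, not code from the video or any vendor. It
looks for Annex B start codes followed by plausible NAL headers and measures
byte entropy. Samples are constructed: a tiny Annex B stream with
random-looking slice payloads, and the same stream XORed with a keystream to
stand in for an encrypted link.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (8.0 = uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_nal_units(data: bytes) -> list:
    """(header_offset, nal_unit_type, header_ok) for each Annex B start code.
    header_ok: forbidden_zero_bit clear and type 1..23 (0, 24..31 unspecified)."""
    units, i = [], 0
    while True:
        i = data.find(b"\x00\x00\x01", i)
        if i == -1 or i + 3 >= len(data):
            return units
        hdr = data[i + 3]
        nal_type = hdr & 0x1F
        units.append((i + 3, nal_type, (hdr >> 7) == 0 and 1 <= nal_type <= 23))
        i += 3


def looks_like_h264(data: bytes, min_units: int = 2) -> bool:
    units = find_nal_units(data)
    return len(units) >= min_units and all(ok for _, _, ok in units)


def classify(data: bytes) -> str:
    if looks_like_h264(data):
        return "h264-annexb"       # video framing visible: not encrypted
    if shannon_entropy(data) > 7.0:
        return "high-entropy"      # encrypted, or compressed in unknown framing
    return "low-entropy"           # padding, idle frames, plain structures


# --- constructed samples ---------------------------------------------------
def keystream(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode), demo only."""
    out = bytearray()
    for ctr in range(0, n, 32):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:n])


def emulation_prevent(rbsp: bytes) -> bytes:
    """Annex B rule: insert 0x03 after 00 00 when the next byte is 00..03,
    so a payload can never contain a start-code prefix."""
    out, zeros = bytearray(), 0
    for b in rbsp:
        if zeros >= 2 and b <= 3:
            out.append(3)
            zeros = 0
        out.append(b)
        zeros = zeros + 1 if b == 0 else 0
    return bytes(out)


def build_sample_stream() -> bytes:
    """SPS (7), PPS (8), IDR slice (5), non-IDR slice (1), random-looking bodies."""
    body = keystream(3000, b"constructed-video-seed")
    nals = [(0x67, body[:12]), (0x68, body[12:18]),
            (0x65, body[18:1500]), (0x41, body[1500:])]
    return b"".join(b"\x00\x00\x00\x01" + bytes([hdr]) + emulation_prevent(p)
                    for hdr, p in nals)


def build_encrypted_sample() -> bytes:
    """The same stream under a stream-cipher stand-in (XOR with a keystream)."""
    plain = build_sample_stream()
    ks = keystream(len(plain), b"constructed-link-key")
    return bytes(a ^ b for a, b in zip(plain, ks))
```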
@joncederqvist4337 (1 year ago)
Any plans on uploading the stream here? I'd really like to watch it from beginning to end since I recently had a similar project and I'd like to compare notes and learn from your methods.
@omgnowairly (1 year ago)
encrypting the firmware allows them to ensure signed and unmodified updates. plenty of youtubers willing to modify firmware, make a video, and farm ad revenue by scaring people....
@clehaxze (1 year ago)
Just want to say. My company uses chips designed by sonix. And we hate them with passion. My best guess would be the communication is not encrypted or it's a simple ROT13/XOR cipher. Personally I wouldn't touch anything that runs on a SONIX chip alone, without some secondary CPU to mask SONIX's buggy firmware.
@GetWiththeProgramGaming (1 year ago)
Cool shirt man! Loved the vid 👍
@SVENY (1 year ago)
"some hate regex" how could anyone hate regex? it's so powerful and handy.
@michaelernst3731 (1 year ago)
Baby monitors are not encrypted. When I was in the army, we would do convoys from one base to another, and in one housing project that was close to the freeway I would always get three baby monitors. One day the mother came charging into her baby's room screaming "who's there?" It was then that I realized our radio frequency for convoy was the same one her particular baby monitor used. I made a note in the convoy notes on the location for further briefing of convoy vehicles not to use our SINCGARS radios within a half mile of that location. I informed the mother that we were a military convoy en route and that we would be out of range within one minute's time. After this determination, it became SOP for our convoys not to transmit on the stated frequency plus or minus half a mile from said location. I can only imagine her sitting in the living room while her baby was sleeping only to hear a bunch of men talking weird mumbo jumbo in her baby's bedroom.
@davidinark (1 year ago)
Seems to me it would have been easier and more productive to sniff data/packets from the onset, especially given that the next video seems to head in that direction anyway.
@matjazkajba6150 (1 year ago)
Since there is some kind of "cipher" library being compiled with, but there is no sign of encrypt/decrypt functions it might be the case of device actually using hardware encryption being built into silicon hardware. Many low power devices/MCUs implement such hardware to offload CPU heavy functions to actual encryption hardware peripheral. By using hardware peripheral, configured to directly access data via DMA or some other hardware register based means it might not need to actually use any functions to actually encrypt/decrypt in the code and cipher library is only there to configure encryption hardware. OFC this is just a theory, confirming data is actually encrypted that way requires further look into device operation/code/RF output.
@jamesphillips2285 (1 year ago)
The HDCP encryption used by HDMI may be the reason for the cipher library. They are required to obfuscate any master keys.
@xorlop (1 year ago)
WHAT A COOL VIDEO! I am so impressed and excited to see what's coming!
@SloppyPuppy (1 year ago)
Love the video, really interesting, and your shirt says it all, a true mantra. But imo I would have instantly gone intercepting the packets of data between the monitor and the camera, however that wouldn't make as good of story line for the video series. Teaching and showing practical purpose, I take my hat off for you sir.
@davidaraujo2049 (1 year ago)
The "uhou ! We're hacking!" Killed me 😂😂
@tonym5857 (1 year ago)
Great video 👏 waiting for the next one. I realized how easy it was to get video from my webcameras that use the RTSP protocol.
@ilovefrench9440 (1 year ago)
Where did you buy such cool T-shirt??
@andyscott5978 (1 year ago)
This is really interesting stuff. I don’t understand a lot of the software side of things but I appreciate the work involved. Now, bear with me here because I realise I know nothing compared to the rest of you guys, but my first question would be “Who and why would someone go to the trouble of hacking in to my baby monitor?” I’m all for protecting your children (I have four of them!) but surely someone would need to know I had a specific type of camera, know I had a baby to watch and then be in range and have all the appropriate equipment with them and the time to do it. Having asked that, I still understand the value in reverse engineering stuff like this and the learning potential of it. Thanks
@ghostpepper3585 (8 months ago)
you may be the only one i've heard of that enjoys solarized, that's pretty cool
@teh_hippo (10 months ago)
I can’t find the conclusion video?
@aspzx (10 months ago)
5 months ago he said he was still working on it lol. Maybe it was harder than expected and then the baby arrived lol.
@teh_hippo (9 months ago)
@@aspzx appreciate the response! I was keen and disappointed I couldn’t find it :P
@InfiniteQuest86 (1 year ago)
H264 is a video encoding format. It is not encrypted if that's all that's in there.
@NickHermans (1 year ago)
"... h264enc might encrypt or not ..." > multimedia developers typing furiously in the comment section.
@SALSN (1 year ago)
I would probably have started with capturing the packages and analyzing them, but your approach is also interesting.
@X41-f4t (1 year ago)
If I had a dollar for every time I dumped some memory by repeatedly reading hex encoded memory regions out through the uboot serial console lol Nice video, I was thinking maybe you should just take a look at the rf right before you said it :D Are you gonna use something fancy that can transmit too or just use some RTL-SDR to prove its not encrypted? If you use something with a transmitter you can go a step further and inject your own video signal into the baby monitor and overwrite the actual cameras signal. It'd be awesome to see some spy movie shit irl :P
@mikelCold
@mikelCold Жыл бұрын
The very fact that they didn't compile out the UART interface is the only red flag you need. In all my RTOS experience, we always compile it out, it's zero effort.
@sonictailsandsally
@sonictailsandsally Жыл бұрын
Even if you compile it out, there are still ways to bring it back (unless the chip has an initialized security lockout bit of course). That’s how I was able to access hisilicon IPCs. The read-only bootrom emitted a bit sequence on UART that allowed for firmware flashing over serial. I used it to load my own program into SRAM and then dump both the bootrom and nand flash memory.
@Counterhackingsafe
@Counterhackingsafe Жыл бұрын
Wow, it's fascinating to see how much effort and attention to detail goes into ensuring the security of devices we use every day, even something as seemingly simple as a baby monitor. Thank you for sharing your expertise and knowledge with us in this informative video.
@kitten-whisperer
@kitten-whisperer Жыл бұрын
Me, having damn near zero idea regarding computer stuff, let alone the independent stuff such as code to any degree whatsoever, while watching this: "Hmmm, interesting"
@noahw4623
@noahw4623 Жыл бұрын
Ngl, I'd probably have started with RF sniffing and skipped trying to get a shell and pull data from the device
@askhowiknow5527
@askhowiknow5527 Жыл бұрын
Everything is open source if you read assembly and have an infinite amount of time.
@Premier-Media-Group
@Premier-Media-Group Жыл бұрын
Based on Eufy/Anker, the default setting should be to "NOT TRUST" any vendor's marketing claims - especially re: privacy & security - ever.
@jm32145
@jm32145 Жыл бұрын
Turn up your heat and you won’t have to wear a stocking cap inside.
@andrewclarke598
@andrewclarke598 Жыл бұрын
Biopsychosocial engineer says: dude is smart. Any reasonable baby mama would want that seed
@Dorff_Meister
@Dorff_Meister Жыл бұрын
HATE REGEX?!? Regex rocks!! Totally worth the time to learn.
@1creeperbomb
@1creeperbomb Жыл бұрын
That is some serious binary reverse engineering dedication. I would have been too lazy and just started with an RF Capture (especially if it's wifi) lol
@Twat2024
@Twat2024 Жыл бұрын
good thinking
@cassell1253
@cassell1253 Жыл бұрын
You could do a MITM attack posing as your router and just see the data being sent to it, and at that point you can see if it's encrypted or not, but this depends on the camera and how it communicates, of course.
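Once you have the traffic in hand, whether by the MITM suggested above or by an SDR capture, "can you see if it's encrypted" is less obvious than it sounds: compressed video is already close to uniform random, so byte entropy alone cannot separate encrypted from merely H.264-encoded (the point several comments made about the `h264enc` symbol). What does separate them is whether the codec's own structure survives in the clear. The block below is an added example, written by this editor and not by the video author or any commenter, that applies both checks to captured payload bytes. All three samples are constructed stand-ins (deterministic SHA-256 filler plays the role of slice data and ciphertext), and the 7.5 bits/byte threshold and the "at least two NAL units" rule are this example's own assumptions.

```python
"""Judge whether captured camera payloads are cleartext H.264 or opaque bytes.

Added example, not from the video or any commenter. Entropy alone cannot tell
encryption from compression (both look uniform), so the decisive check is
whether H.264 Annex B structure (start codes followed by a sane NAL header)
survives in the capture. Samples below are constructed stand-ins, not real captures.
"""
import hashlib
import math
from collections import Counter

START_CODE = b"\x00\x00\x01"  # Annex B; the 4-byte form 00 00 00 01 contains it too


def _filler(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for slice data / ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed: SPS (nal_unit_type 7), PPS (8) and IDR slice (5) NAL units.
PLAINTEXT_SAMPLE = (b"\x00\x00\x00\x01\x67" + _filler(20, b"sps")
                    + b"\x00\x00\x00\x01\x68" + _filler(6, b"pps")
                    + b"\x00\x00\x01\x65" + _filler(2000, b"idr"))
# Constructed: what the same amount of data looks like after encryption.
CIPHERTEXT_SAMPLE = _filler(2048, b"ciphertext")
# Constructed: a chatty text protocol, e.g. RTSP control traffic.
LOWENTROPY_SAMPLE = b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nSession: 1234\r\n\r\n" * 40


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, approaching 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def count_h264_nal_units(data: bytes) -> int:
    """Count Annex B start codes that are followed by a plausible NAL header byte."""
    count, pos = 0, 0
    while True:
        i = data.find(START_CODE, pos)
        if i < 0 or i + 3 >= len(data):
            return count
        hdr = data[i + 3]
        forbidden_zero_bit = hdr >> 7
        nal_unit_type = hdr & 0x1F
        if forbidden_zero_bit == 0 and 1 <= nal_unit_type <= 23:
            count += 1
        pos = i + 3


def classify(payload: bytes, entropy_threshold: float = 7.5) -> str:
    """Return 'h264-plaintext', 'opaque-high-entropy' or 'low-entropy-plaintext'."""
    if count_h264_nal_units(payload) >= 2:
        return "h264-plaintext"          # codec structure visible: not encrypted
    if shannon_entropy(payload) >= entropy_threshold:
        return "opaque-high-entropy"     # encrypted, or a codec this check does not know
    return "low-entropy-plaintext"       # text protocol / structured cleartext


if __name__ == "__main__":
    for name, sample in [("plaintext", PLAINTEXT_SAMPLE), ("ciphertext", CIPHERTEXT_SAMPLE),
                         ("rtsp", LOWENTROPY_SAMPLE)]:
        print(f"{name:10s} entropy={shannon_entropy(sample):.2f} "
              f"nal_units={count_h264_nal_units(sample)} -> {classify(sample)}")
```

Two caveats before trusting a verdict. First, "opaque-high-entropy" means "no structure this check recognises", not "proven encrypted": a proprietary codec or a different container would land there too. Second, H.264 carried over RTP (RFC 6184) is packetised without Annex B start codes, so on a Wi-Fi camera you would run this over the reassembled elementary stream, or look for the NAL header byte at the start of each RTP payload instead.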
@compucar03
@compucar03 Жыл бұрын
When is part 2 out?
@kubectlgetpo
@kubectlgetpo Жыл бұрын
I would have used an SDR to answer the question you posed about video transmission encryption.
@pirobot668beta
@pirobot668beta Жыл бұрын
Ages ago, I worked for a firm that was trying to make highly secure systems. The project required an encrypted CPU and memory controller. Every data transfer in or out of the CPU was scrambled, and every byte sent to RAM was scrambled again! A hacker with probes in the guts of the computer wouldn't be able to make sense of anything! Long story sideways: the project failed in the prototype stage. Our own logic probes couldn't troubleshoot the encrypted data streams! We made a puzzle that we weren't smart enough to solve. We got paid; who cares if the thing worked?
@harliquin76
@harliquin76 Жыл бұрын
I have a WiFi cam I use as a baby monitor that would try to reach out to IPs in China, so I had to block every port on it from the router. It was pretty freaky. I still have the WiFi cam and would love to dump it; I know you can SSH to it.
@gingeral253
@gingeral253 Жыл бұрын
Hacking is so much more and less complicated than I thought.
@yashodhansatellite1
@yashodhansatellite1 Жыл бұрын
This is awesome. Please make a reverse engineering course on Udemy covering these aspects on various products.
@model2k204
@model2k204 Жыл бұрын
I never even considered that this could happen
@nemiw4429
@nemiw4429 Жыл бұрын
Thanks, I want to be a father one day and think about how to be a good parent and keep my future children safe. One thing for sure: encrypted camera communication. Possibility that someone intercepts it: 100%. Probability: 0.01%, but it's 0.01% too much.
@thefrub
@thefrub Жыл бұрын
I see a lot of people in the comments suggesting getting a WiFi camera instead. PLEASE do not do that; that is such a downgrade in security. At least with one of these direct 2.4 GHz Zigbee/Z-Wave cameras, the attacker has to be within radio range to start working on it.