Reverse Engineering Camera Firmware (IP CAM)

Hesam Seyed Mousavi, March 25, 2015

Source: IPCFirmware

blog.mousavi.fr

 

Hesam Seyed Mousavi 348

In this tutorial we are going to understand the ip camera firmware software like what actually running inside ip camera by doing some reverse engineering on the firmware of ip camera.
For reverse engineering we need to have camera firmware image you can get from you camera vendor website for flush or upgrade the camera firmware.
Camera firmware is nothing but the complied or compressed .bin file for flashing the camera or upgrades the firmware.

Hesam Seyed Mousavi Reverse Engineering Camera Firmware (IP CAM) 1

Here the interface of the ip camera so that we can browse the .bin firmware file and upgrade the camera firmware.
But here are not going to upgrade the firmware but reverse engineer it for fun and profit.
Now we need to get the camera firmware from the vendor.

Hesam Seyed Mousavi Reverse Engineering Camera Firmware (IP CAM) 2

Here the required the bin camera file or firmware.
First we need to analyze that what this file is all about (using Linux file utility)

Hesam Seyed Mousavi Reverse Engineering Camera Firmware (IP CAM) 3

So using file utility we did not find any interesting thing. Let move further
Now we are going to use hexdump and string utility against the firmware for more information.

Hesam Seyed Mousavi Reverse Engineering Camera Firmware (IP CAM) 4

Hesam Seyed Mousavi 5

So first we need to look at the strings output and analyze it.

Heam Seyed Mousavi 6

Here we can see that firmware is based on LINUX OPERATING SYSTEM for embedded devices. So let also see the hexdump may be it can reveal more interesting things for us.

Hesam Seyed Mousavi 7

But looking at the hexdump we didn’t figure out any new interesting things only we can see html and other commands cgi scripts callings.
Now we are going to use binwalk against the firmware image it may give some false result.

Hesam Seyed Mousavi 8

It give very useful information like the compressesion method used is gzip and the file system is squashfs little endian version 3 and more interesting information.
Now we know that firmware is based on Linux and the file system is squashfs and the compressed data format is gzip now we are going to use another utility so that we can extract and decompress the data.

Hesam Seyed Mousavi 9

Here the firmware has been extracted using the firmware mod kit utility.

Now we can also decompress the data and we find very interesting things inside it (decompression can be done using decompression utility for squashfs system included in firmware mod kit)
Here we can see that the camera firmware is from sercommn (vendor)

Hesam Seyed Mousavi 10

Now we can see all the file system inside the firmware image and everything

Hesam Seyed Mousavi 11

Hesam Seyed Mousavi 12

Here we can see each n every cgi and other files and folder inside the camera’s webserver.

Hesam Seyed Mousavi 13

Here is the index html file which is running inside the camera, model is 8061.
So finally you reverse engineered the camera image or firmware hack it according to your own wish (make required manipulation according to need).

Source: IPCFirmware

blog.mousavi.fr

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s