Identified Attack Profiles
Initial Exploration
Hardware Identification
Flash Dump
UART Boot Logs
Network Discovery
Neat Things Found:
- In squashfs-root/etc_default/inittab, there is a line that says: Copyright (C) 2001 Erik Andersen <andersen@codepoet.org>, and the site is still up.
  - Erik Andersen created BusyBox, which puts a ton of common Linux utilities into a single binary. Tools like ls, sh, cp, ping, etc.
Stopping project. Was able to use this camera as practice before starting on Ring cameras, which are more expensive and likely to be more difficult to get any access to. Any solution I find for this Blurams camera won’t apply to any Ring camera because I’ve been relying on the flash dump to reverse engineer and try to find a workaround. Ring will have different data on the flash chips.
Key Takeaways & Lessons Learned:
- Identified UART pins from unknown board
- Boot interrupt was disabled (evidence found later in flash dump)
- Used SOIC8 clip and CH341A + ZIF adapter to read the Winbond NOR flash chip (avoided desoldering)
- NOR Flash is non-volatile storage that holds the firmware/bootloader. Keeps information without power.
- After exploring the dump, was able to enable root telnet
- Used Ghidra to reverse engineer firmware binary blob
- Application name is “viCam”
- Tried to find how video is streamed from the device; Real Time Streaming Protocol (RTSP) is not used. Some intentionally confusing/obfuscated traffic is used.