About this Video

• Video Title: Chip-Off Firmware Extraction - Hikvision Security Camera
• Channel: Matt Brown
• Speakers: Matt Brown
• Duration: 00:27:50

Introduction

This video documents Matt Brown's attempt to obtain a root shell on a Hikvision security camera. Initial attempts using bootloader access fail, leading to a chip-off firmware extraction as the next step. The video details the process of removing the eMMC chip and extracting the firmware.

Key Takeaways

1. Bootloader Limitations: The camera's bootloader prevents modification of key environmental variables needed for root shell access.
2. Chip-Off Extraction: To overcome bootloader restrictions, a chip-off firmware extraction is performed. This involves removing the eMMC chip from the camera's PCB.
3. eMMC Chip Removal and Extraction: The video demonstrates the careful process of removing the BGA eMMC chip using hot air and cleaning the chip and PCB. A specialized chip reader (Xeeku T76) is used to extract the firmware.
4. Firmware Analysis: The extracted firmware is analyzed using various tools (strings, hex editor) to locate and identify the boot arguments, paving the way for modification.
5. Planned Firmware Modification: The video concludes with plans to modify the extracted firmware to achieve root shell access in a subsequent video.

About this Video

• Video Title: Chip-Off Firmware Extraction - Hikvision Security Camera
• Channel: Matt Brown
• Speakers: Matt Brown
• Duration: 00:27:50

Introduction

This video details Matt Brown's process of obtaining a root shell on a Hikvision security camera. He initially attempts to modify environmental variables within the bootloader but finds them read-only. This necessitates a chip-off firmware extraction, which is the focus of the video. The video shows the physical removal of the eMMC chip and subsequent firmware extraction and analysis.

Key Takeaways

1. Bootloader Limitations: The boot args environmental variable within the Hikvision security camera's U-boot bootloader is read-only, preventing direct modification to achieve root shell access via standard bootloader commands (set env, env).
2. Chip-Off Extraction Technique: To modify the boot args, Matt performs a chip-off extraction. This involves:
   • Disassembly: Carefully opening the camera to access the eMMC chip.
   • Desoldering: Removing the BGA eMMC chip using a hot air rework station. Precise temperature control is crucial to avoid damaging the chip or the PCB. Flux is used to aid in desoldering, but minimal flux is used initially to avoid extra cleaning.
   • Cleaning: Cleaning the chip and the PCB pads with isopropyl alcohol and Q-tips to remove residual solder and flux.
   • Chip Reading: Using a Xeeku T76 eMMC chip reader with a compatible adapter (selecting the correct size is important based on the chip's physical dimensions, confirmed using calipers). The software requires a Windows environment; Matt uses RDP to access a Windows machine.
   • Initial Challenges: The initial chip profile ("femNN") was not recognized by the software, necessitating selection of a similar 8GB chip profile ("4C"). 8-bit reading was attempted first, falling back to lower bit rates if needed for incircuit reading.
3. Firmware Analysis Techniques: After extracting the firmware, Matt employs several tools for analysis:
   • strings command: To search for readable text strings within the firmware image, revealing potentially relevant information, like boot arguments.
   • Hex Editor: To visually inspect the firmware's hexadecimal code, specifically locating and examining the section containing the U-boot environment variables. This allows for precise identification of the boot args location and format.
   • binwalk: An open-source tool used for analyzing various firmware file types to discover embedded files and file systems within the extracted firmware image.
   • diff command: To compare the original and modified firmware files to confirm changes.
4. Firmware Modification Plan: Matt identifies the boot args within the firmware image and plans to modify them by replacing /linux rc with /bin sh in a subsequent video, enabling a root shell. The modification considers the null termination of the string and avoids adding extra characters.

Follow-up Questions

1. What specific environmental variable in the Hikvision security camera's bootloader prevented Matt from obtaining a root shell? (The boot args variable)
2. What tools did Matt Brown use to extract the firmware from the eMMC chip, and what were the steps in the process? (Xeeku T76 eMMC reader, compatible adapter, hot air rework station, isopropyl alcohol, Q-tips, tweezers). The steps involved disassembly, desoldering, cleaning, and then reading the chip via the reader.
3. What specific changes does Matt Brown plan to make to the extracted firmware in order to gain root shell access? (Replace /linux rc with /bin sh in the boot args string.)
4. What challenges did Matt encounter while using the Xeeku T76 chip reader, and how did he resolve them? (The software did not recognize the initial chip profile. He resolved this by selecting a similar 8GB profile.)
5. Ask anything...