06:52 h264 is a video codec, so enc would stand for encode. It is most commonly referred to as x264; the h stands for hvec, as 264 is part of the hevc family of codecs. That's why you may encounter it as h264, h.264 or just plainly x264.
Hey that’s the kind we have! I wasn’t sold on the encryption claims myself, but ultimately I decided that the fact that it was a locally-paired 2.4GHz camera limited our attack surface to just our neighbors so it was probably okay. I’m looking forward to seeing what you learn about it :)
One thing, but before I state it, I really appreciate your effort and engineering skills. I appreciate the device chosen and the genuine story of concern too. Here's the thing: wouldn't you want to see the encryption be on the camera and decryption happening on the monitor? I also feel there are many other methods of encryption and it may not be so literal in the code.
That might be security by obscurity. We'll see what you'll find in RF but I'm guessing that radio channel is somewhat custom or not typical. I admire your effort to go through console. I'd probably desolder relevant IC's and just read them with a programmer ;)
I am not a security expert by any means. I'm just a sales engineer for a tech firm, but that does mean I get fun toys to play with and have the real enginerds fix when I break them. All that to say, when we set this exact monitor up in our house, our WIPS sensors on our WatchGuard Wireless APs went crazy. It appears to be using straight up standard 2.4GHz on channel 11. WIPS was able to show traffic (this is where I don't have the expertise) but we accepted the risk because the wifi enabled one we used previously (Owlet) made its first hop out of the network to China, then South Korea before trying to establish a connection in the US. My wife couldn't get the camera to work and I found Geolocation policies shutting it down on packet #2 lol.
I was thinking about your efforts, and it occurred to me that folks have probably built Baby Monitors using Raspberry PI's and that they are probably about the same price or cheaper that way than buying them off the shelf. I have not studied the projects, so not sure if they include Encryption, but I'll bet that's easy to add - comparatively. So, you might consider doing another video after this project to analyze the RaspPi baby monitors projects out there and if they don't encrypt, then fixing one of the projects so it does. Just a thought. I'm following you to see what you find. Cheers.
I was recently using a kids' walkie talkie with about a 60ft range and picked up someone's baby monitor. The lady on the other end was mortified. I told her I was as shocked as she was, apologised, then promised to use a different frequency LOL
Awesome video. I love watching people reverse firmware; it's kinda like a detective movie. I actually tried my hand at reverse-engineering some firmware too, well, I crashed and burned on that hill. My problem is that I don't want to take the device apart, so I tried using the update image, but binwalk just showed some corrupted stuff, and in the end I figured it's compressed, but no idea how to decompress it. It's raw deflate I think, so if you know any tools to decompress that I would be glad.
I would have just started with trying to pick up whatever it was sending over the air, which is easier if it's a WiFi device that sends the information over your personal network, or some will over the internet (for creepy baby watching at home while working I guess), as that's a quicker job to do... Though I am curious what radio spectrum it uses to send the audio and video (I've never owned a baby monitor). Though to be fair this isn't the spirit of the channel, and you never know when someone, wherever the firmware was made, put in a super easy backdoor for watching random babies... or houses. I'm also not so much a hardware hacker, which is why I love this channel.
Baby monitors are not encrypted. When I was in the army, we would do convoys from one base to another, and in one housing project that was close to the freeway I would always get three baby monitors. One day the mother came charging into her baby's room screaming "who's there?" It was then that I realized our radio frequency for convoy was the same one her particular baby monitor used. I made a note in the convoy notes on the location for further briefing of convoy vehicles, not to use our SINCGARS radios within a half mile of that location. I informed the mother that we were a military convoy en route and that we would be out of range within one minute's time. After this determination, it became SOP for our convoys not to transmit on the stated frequency plus or minus half a mile from said location. I can only imagine her sitting in the living room while her baby was sleeping, only to hear a bunch of men talking weird mumbo jumbo in her baby's bedroom.
If it's encrypted there needs to be a method of key exchange. It sounds nice to encrypt, but it's a hassle if the key fails. With powerline I need to restart the devices every month because the encryption key fails after a month or 2 months. Even if it's encrypted there is a problem with the key exchange: a static key for all devices isn't very good, as all devices use the same key. But it's better to use a simple XOR static key than nothing at all. Even a static AES key is sometimes used in the firmware world, and you find examples in the datasheets all over the world.
Nice video! One thing that I've seen in several products who go the ASIC route is putting the crypto routines into the mask ROM. Depending on how privilege isolation works (or does not work) on your device you might just be able to dump the crypto routines straight out of ROM. It's often-but-not-always mapped starting at 0, because the boot vector table needs to be there anyway and often comes from mask ROM. If they do implement some form of execution isolation, like a separate page table, then it can be harder to dump. Looking forward to the next video!
ASICs can be encapsulated in the microprocessor can. In the Apple M1 and M2, the multi-layers are used for parallel comm paths... that users can't access.
Love the video, really interesting, and your shirt says it all, a true mantra. But imo I would have instantly gone intercepting the packets of data between the monitor and the camera; however, that wouldn't make as good of a story line for the video series. Teaching and showing practical purpose, I take my hat off to you, sir.
As a viewer, it would’ve been good to know at the beginning that it’s not a wifi based monitor. That fact makes it so much more secure alone. Encryption on top of that is a nice cherry on top though
Cool video! As a student of information theory and RF systems & SW myself, I love seeing stuff like this. Questions like this can be tricky to answer from an outsider's perspective, depending on how they chose to implement their design. RF stuff is usually done in layers on the OSI model. Encryption is commonly used on the presentation layer, which is just below the application layer. Meaning there are a number of other things that happen before you even get there that would need to be truly understood first. Could you maybe pick something out before then? Sure? Possibly? But it's highly unlikely. Your best bet is to find instructions that lead to preparing the H264 frames before sending them across the network. Looking at the PHY (doing some type of analog over-the-air RF capture) won't particularly tell you if it's encrypted or not straight away. The PHY will have a modulation scheme you'd need to demod first. It isn't always straightforward either; modulation schemes now can get fairly complicated and have numerous components superimposed on top of one another (in-phase and quadrature are some examples). You may also have pilot symbol sequences to handle channel estimation or sync signals. There also may be other barriers to get to the baseband symbols from the PHY such as data whitening, or spread spectrum frequency hopping to help the device play nice with regulations. The link layer usually does forward error correction as well, so that would also be present; you'd need to figure that out and have a decoder for that. You may also have channel access control scheduling to take into account to handle numerous devices. The network layer might be where things start getting a bit more familiar, but even there there's no guarantees. You also have source coding, or in this case compression. I noticed H264 codec labels, which is a video compression standard that's fairly common. Really cool theory as well.
All in all, a simple RF capture probably won't tell you whether or not this is an encrypted signal. There's a reason RF com protocol analyzers cost so much money. Long winded way to say, your best bet is exactly what you had been doing. Scan the binary to see if any clues about ciphering, key generation, key scheduling, etc... otherwise you might as well be re-designing all of this yourself.
I may be wrong here, but from my experience you can only write a flash bit from 1 to 0, if you want to do a 1 you will need to erase the whole page. So those A5 could have been out there to make sure no one could put any code there without erasing a larger block of flash possibly bricking the device
Your shirt has a point there... Needs an asterisk though, with something like "though nobody can read your code, if your code isn't readable". Talking about those malware guys using obfuscators on their (just-in-time-compiled, interpreted) JavaScript and Python code.
Just want to say. My company uses chips designed by sonix. And we hate them with passion. My best guess would be the communication is not encrypted or it's a simple ROT13/XOR cipher. Personally I wouldn't touch anything that runs on a SONIX chip alone, without some secondary CPU to mask SONIX's buggy firmware.
Since there is some kind of "cipher" library being compiled with, but there is no sign of encrypt/decrypt functions it might be the case of device actually using hardware encryption being built into silicon hardware. Many low power devices/MCUs implement such hardware to offload CPU heavy functions to actual encryption hardware peripheral. By using hardware peripheral, configured to directly access data via DMA or some other hardware register based means it might not need to actually use any functions to actually encrypt/decrypt in the code and cipher library is only there to configure encryption hardware. OFC this is just a theory, confirming data is actually encrypted that way requires further look into device operation/code/RF output.
I have a wifi cam I use as a baby monitor that would try to reach out to IPs in China, so I had to block every port on it from the router. It was pretty freaky. I still have the wifi cam and would love to dump it; I know you can SSH to it.
This is really interesting stuff. I don’t understand a lot of the software side of things but I appreciate the work involved. Now, bear with me here because I realise I know nothing compared to the rest of you guys, but my first question would be “Who and why would someone go to the trouble of hacking in to my baby monitor?” I’m all for protecting your children (I have four of them!) but surely someone would need to know I had a specific type of camera, know I had a baby to watch and then be in range and have all the appropriate equipment with them and the time to do it. Having asked that, I still understand the value in reverse engineering stuff like this and the learning potential of it. Thanks
Ages ago, I worked for a firm that was trying to make highly secure systems. The project required an encrypted CPU and memory controller. Every data transfer in or out of the CPU was scrambled, every byte sent to RAM was scrambled again! A hacker, with probes in the guts of the computer, wouldn't be able to make sense of anything! Long story sideways: the project failed in the prototype stage. Our own logic probes couldn't troubleshoot the encrypted data streams! We made a puzzle that we weren't smart enough to solve. We got paid; who cares if the thing worked?
Any plans on uploading the stream here? I'd really like to watch it from beginning to end since I recently had a similar project and I'd like to compare notes and learn from your methods.
7:18 "H264" is famously a Video Encoder, like MPEG2 but newer and better. Others might have grabbed a $20 SDR dongle and examined the over-the-air signal to see if it's encrypted or not. 7:35 - yeah that. :-)
Wow, it's fascinating to see how much effort and attention to detail goes into ensuring the security of devices we use every day, even something as seemingly simple as a baby monitor. Thank you for sharing your expertise and knowledge with us in this informative video.
As long as your baby isn't made from solid gold, or you use the baby monitor to stream your credit card information 24/7 from a high elevation, I think in reality you're fine😂
The very fact that they didn't compile out the UART interface is the only red flag you need. In all my RTOS experience, we always compile it out, it's zero effort.
Even if you compile it out, there are still ways to bring it back (unless the chip has an initialized security lockout bit of course). That’s how I was able to access hisilicon IPCs. The read-only bootrom emitted a bit sequence on UART that allowed for firmware flashing over serial. I used it to load my own program into SRAM and then dump both the bootrom and nand flash memory.
Me having damn near zero idea regarding computer stuff let alone the independent stuff such as code to any degree what so ever while watching this "Hmmm interesting"
Fantastic work! Two different kinds of people though, I'd have started with an RF capture because my assembly knowledge is..... Lacking..... To say the least lol
I'm sure this has been mentioned plenty of times given how late I am to the video, but H.264 is a video encoding standard. It has nothing to do with encryption (and almost certainly nothing to do with whatever that CIPHER was referencing).
encrypting the firmware allows them to ensure signed and unmodified updates. plenty of youtubers willing to modify firmware, make a video, and farm ad revenue by scaring people....
Seems to me it would have been easier and more productive to sniff data/packets from the onset, especially given that the next video seems to head in that direction anyway.
I had the same concerns myself when I had my kid; in fact her 4th birthday was recently. I came to similar conclusions with many monitors but from the RF approach. Being a ham and all, I was particularly interested in that, even tho I am an IT systems engineer. It's not encrypted. None that I could find were. However, the range on this monitor (which is the one I ultimately settled on) is fairly limited (tho it was enough for a 2000sqft house + a little into the yard). If someone was trying to sniff the RF it would be pretty obvious, as no one sits in their car in front of my house, so that would be unusual. I'll take airgap w/ some known vulnerability over IoT / Internet required any day. Congrats on the kid, it's a wild ride.
I've gotten LOTS of questions about the shirt! Merch can be found at lowlevel.store. Thanks for watching!
Should be "Everything is open source if you can read machine code/opcodes" ;)
I love the shirt - it's a shame there's no UK / EU option.
Any update? Is it safe?
invalid config atm :/ "Only one step left!
To finish setting up your new web address, go to your domain settings, click "Connect existing domain", and enter:" website domain can't say the domain probably (youtube does not like links)
@@everythingpony yeah we need to know
The "h264enc" symbol you refer to at 7:09 is likely to do with an H.264 video encoder, not any encryption.
Finally someone noticed
🧠
@@awli8861 not every person knows "everything" in terms of puter speak - especially if you are looking at it through a lens that already wants to "see" the word encryption. For video people, the enc is obvious, to other's it's not.
@@awli8861 Yeah we wasted our time on this one, dude had 0 idea wtf he was doing.
Y he didn’t know dis
We're never gonna get that 3rd promised episode in this series, I'm guessing
It's fortunate that the RTOS has a command shell at all; I do embedded programming, and very few of our products have any interactive monitor or shell at all; I have a module that I use during early development, but it is never included in the build for the versions that go through security or quality testing since it would be a potential attack surface. Even the devices with Linux as the RTOS have the serial drivers hacked to only support output.
You would be surprised how many devices out there just straight up give you a root tty or the bootloader's console on some random UART port on the PCB. There's also JTAG, SWD and stuff like that which often just stay enabled and provide handy little test pads or unpopulated rows of pins as well. The Xbox 360 for example could be hacked early on by jacking into some JTAG pins that were left easily accessible to anyone.
That reminds me that my DVB-T receiver has what looks like a serial port on the back. Would be interesting to look into that.
It is honestly a bit concerning. On the products I've worked on we also have a very simple terminal for use in debugging, but it's never part of production.
My old security camera DVR had the root filesystem mounted as read-write, open telnetd, and open uart with root.
This video and these threads are making me realize I know actually nothing
build your own camera/monitor. you already know these products do not have professional programmers writing the code. at best, the poor hardware guy has to write the code. at worst, they outsource to a questionable country
I honestly considered this at first. Alas, I procrastinated.
Well, if you plan on making one in the future and require someone to design PCB or write some embedded code, LMK, Happy to help
@@LowLevelTV if you have any spare Raspberry Pis or other low-powered Linux SBC, plug in an arducam, get a wired or bluetooth mic and speaker, install homebridge/etc and add it to your smart home security system. i do this for my dogs
By the time he's finished making his own baby monitor he won't need it anymore
@@LowLevelTV mood
*somehow* this dude actually knows that 10100101 is the manufacturer default memory value, but *doesn't* know that h264 is mpeg encoding
Great series and very informative. I don’t often work with the hardware side of things, so it’s great to see all the little hurdles you face. I’m looking forward to the next video. Thanks for sharing!
Awesome, thank you!
Actually, just having encryption is NOT the end of the story. Of more importance, once you have confirmed that it is using encryption, is that it is using the encryption properly (correct and robust crypto mode) and also handling keys properly and securely (i.e., session keys or a user-specified key, and not a fixed key stored in the firmware image). So many devices link in a crypto library and then either don't use the crypto correctly (e.g. using ECB mode to get around sync issues), or they hardcode a keystring in the software that every device on the planet uses...
The Snowden documents showed: the crypto is usually pretty good, but the code around it using the crypto is often broken in all kinds of ways.
@@autohmae WEP... if it was implemented correctly and had been designed by a crypto engineer... would have been reasonable... but it wasn't so had major flaws.
@@wolphin732 WEP is one of those self-made cryptos... no real expert was involved as far as I'm aware. And what a mess it was.
H264 is a commonly used video codec (together with H265, VP9, and AV1). That H264Enc function is encoding some video blob. The odd part is that I would expect the camera to encode and the video monitor to decode. Oh well
h.264 is a tighter video/audio compression for less data needing sent wirelessly. Still needs the "CPU Umph" on the other end to decode it though (as you stated above). :)
Might be bidirectional communication
@@youhackforme communication of what? unless specified (lossless compression), H264 most of the time does lossy compression. What good is information if it might get lost in compression?
@@wkm345 like two way video communication. In case the monitor wants to send back an image of whoever is watching
@@samuelblake h264 is not video/audio. It's video only.
Seeing or not seeing a symbol/string for encryption would not tell you whether it's actually using encryption or not. Try to look for uint8_t array[16] or general mentions of lengths of 16. The chip could have built-in AES encryption. Also, don't forget that production code is more often than not using -Os and -ffunction-sections -fdata-sections -gc-sections etc, to strip down a lot of code. While -Os "generally" doesn't like to inline code, if the function was used only once, there might not be a call to it.
As an aside, the standard of encryption in consumer level hardware is very low. I know this might sound dumb, but some people consider data-whitening as "encryption" by obscurity.
Best of luck.
Forgot to also mention the obvious: most RF chips have built-in encryption in the FIFO.
I'll have to look into this, that's a good point. They might have the RF chip mapped as a peripheral and be doing the encryption there.
Check for some spi calls as well. Have you identified the chips on the board and found datasheets for the relevant ones? I always start with the hardware so I know what to look for. Especially with reverse engineering hardware, a dead giveaway of what a function might be doing is seeing the peripheral init code, which is easy to spot if you have the datasheet.
+1. It is very unlikely a device like this would be doing encryption/decryption on an ARM CPU for video - it would have to be offloaded to some dedicated chip. Capture the raw data on the "wire" - does it look random or like H.264?
@@LowLevelTV Hi new subs. how to find the config.bin decrypt key from my modem called freebox pop or illiad box?
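The two checks raised in the comments above, "does the captured data look random or like H.264?" and "is the cipher actually used properly (ECB, fixed key)?", as an added C example; this is not code from the video or from any commenter. The three sample buffers are constructed inline, and the thresholds (two start codes, 7.0 bits/byte) are rule-of-thumb assumptions, not values from the device.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* log2(x) for 0 < x <= 1 without libm: peel off the exponent, then extract
   30 fractional bits of log2(mantissa) by repeated squaring. */
static double log2_unit(double x) {
    int e = 0;
    double frac = 0.0, bit = 0.5;
    while (x < 1.0) { x *= 2.0; e--; }            /* now 1.0 <= x < 2.0 */
    for (int i = 0; i < 30; i++) {
        x *= x;
        if (x >= 2.0) { x *= 0.5; frac += bit; }
        bit *= 0.5;
    }
    return e + frac;
}

/* Shannon entropy in bits per byte: ~7.9 for ciphertext or well-compressed data,
   much lower for plaintext, zero padding or merely whitened data. */
double byte_entropy(const uint8_t *buf, size_t len) {
    size_t counts[256] = {0};
    double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_unit(p);
    }
    return h;
}

/* Annex B start codes (00 00 01; also found inside 00 00 00 01) precede every H.264
   NAL unit, so an unencrypted stream shows several of them and ciphertext shows none. */
size_t count_h264_start_codes(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i + 3 <= len; i++)
        if (buf[i] == 0x00 && buf[i + 1] == 0x00 && buf[i + 2] == 0x01) n++;
    return n;
}

/* 16-byte blocks equal to an earlier block. ECB maps equal plaintext blocks (e.g. the flat
   dark areas of a frame) to equal ciphertext blocks; a proper mode essentially never repeats. */
size_t count_repeated_blocks(const uint8_t *buf, size_t len) {
    size_t nblocks = len / 16, repeats = 0;
    for (size_t i = 1; i < nblocks; i++)
        for (size_t j = 0; j < i; j++)
            if (memcmp(buf + 16 * i, buf + 16 * j, 16) == 0) { repeats++; break; }
    return repeats;
}

typedef enum { LOOKS_H264, LOOKS_LOW_ENTROPY, LOOKS_ECB, LOOKS_RANDOM } verdict_t;

/* Order matters: visible NAL structure settles it; low entropy means no real cipher; repeated
   blocks in otherwise random data point at ECB; only then does it pass as plausibly encrypted. */
verdict_t classify_capture(const uint8_t *buf, size_t len) {
    if (count_h264_start_codes(buf, len) >= 2) return LOOKS_H264;
    if (byte_entropy(buf, len) < 7.0) return LOOKS_LOW_ENTROPY;
    if (count_repeated_blocks(buf, len) > 0) return LOOKS_ECB;
    return LOOKS_RANDOM;
}

/* ---- Constructed samples; nothing below was captured from a real device ---- */
#define SAMPLE_LEN 4096

/* Deterministic splitmix64 byte stream standing in for ciphertext. */
void fill_pseudorandom(uint8_t *buf, size_t len, uint64_t seed) {
    for (size_t i = 0; i < len; i += 8) {
        uint64_t z = (seed += 0x9E3779B97F4A7C15ULL);
        z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
        z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
        z ^= z >> 31;
        for (size_t k = 0; k < 8 && i + k < len; k++) buf[i + k] = (uint8_t)(z >> (8 * k));
    }
}

/* Unencrypted stream: SPS (0x67), PPS (0x68) and IDR slice (0x65) NAL units with a dull payload. */
size_t make_h264_sample(uint8_t *buf) {
    static const uint8_t start[4] = {0x00, 0x00, 0x00, 0x01}, nal_hdr[3] = {0x67, 0x68, 0x65};
    size_t pos = 0;
    for (int n = 0; n < 3; n++) {
        memcpy(buf + pos, start, 4); pos += 4;
        buf[pos++] = nal_hdr[n];
        for (int k = 0; k < 64; k++) buf[pos++] = (uint8_t)((k * 3) % 17);
    }
    return pos;
}

/* ECB-like stream: random-looking bytes, but block 0 recurs at blocks 10 and 20. */
void make_ecb_sample(uint8_t *buf) {
    fill_pseudorandom(buf, SAMPLE_LEN, 1);
    memcpy(buf + 16 * 10, buf, 16);
    memcpy(buf + 16 * 20, buf, 16);
}

/* One-call verdicts for the three samples (H.264 in the clear, ECB-like, CTR/CBC-like). */
int verdict_h264_sample(void)   { static uint8_t b[SAMPLE_LEN]; return classify_capture(b, make_h264_sample(b)); }
int verdict_ecb_sample(void)    { static uint8_t b[SAMPLE_LEN]; make_ecb_sample(b); return classify_capture(b, SAMPLE_LEN); }
int verdict_random_sample(void) { static uint8_t b[SAMPLE_LEN]; fill_pseudorandom(b, SAMPLE_LEN, 2); return classify_capture(b, SAMPLE_LEN); }
```

A LOOKS_RANDOM verdict only says the bytes carry no obvious structure; it cannot distinguish a good cipher from a fixed key baked into the firmware, which is why the key-handling question in the thread still has to be answered from the code.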
LLL my man… it’s been so amazing watching you and your channel explode over the last little while. I’m so happy for you and excited to see all the great content to come! 🎉
A5A5 can't be used in the way stated. In flash you are limited by the number of erases you can perform on a given cell. You can only write '0's, and erasing will give you '1's. So practically you'd have to erase A5A5... before you write. Blank flash is almost always FFFF. A5A5 could be programmed memory for debug purposes or to ensure an invalid opcode. At least in thumb, I believe FFFF may be something valid like move 0 to r0, or somesuch.
Yeah I'd like to know where he got that assumption from. Most manufacturers end up either writing null bytes in unused space or leaving those bytes unprogrammed. Kind of sounds to me like an explanation made up on the spot to explain an observation.
I’ve seen A5A5 used by some RTOS as initial stack memory values so that if a stack overflows its allocated size the RTOS can detect it and call a hook before all hell breaks loose.
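The stack-painting scheme described in the comment above (fill the task stack with 0xA5A5..., then check whether the far end still holds the pattern), modelled in C as an added example; this is not code from the video, the device's RTOS or the commenter. The 64-word stack, the 4-word guard region and the 0x10000000-based frame contents are assumptions of this model.

```c
#include <stdint.h>
#include <stddef.h>

#define STACK_WORDS 64
#define STACK_FILL  0xA5A5A5A5u  /* paint pattern: odd, non-zero and an unlikely value for real data */
#define GUARD_WORDS 4            /* words at the far end that legitimate frames must never reach */

/* Model of one task's stack. Like a real Cortex-M stack it grows downward: frames are pushed
   from words[STACK_WORDS-1] toward words[0], so an overflow runs into the low indices first. */
typedef struct { uint32_t words[STACK_WORDS]; } task_stack_t;

/* Done once at task creation, before the stack is handed to the task. */
void stack_paint(task_stack_t *s) {
    for (size_t i = 0; i < STACK_WORDS; i++) s->words[i] = STACK_FILL;
}

/* High-water mark in words: scan up from the low end for the first word that lost its paint.
   Caveat: a frame that happens to contain 0xA5A5A5A5 makes the mark read slightly low. */
size_t stack_high_water_words(const task_stack_t *s) {
    size_t untouched = 0;
    while (untouched < STACK_WORDS && s->words[untouched] == STACK_FILL) untouched++;
    return STACK_WORDS - untouched;
}

/* What an RTOS checks in its context-switch hook: if any guard word was overwritten, the task
   ran past its allocation and the kernel calls its overflow hook (here: returns nonzero). */
int stack_overflow_detected(const task_stack_t *s) {
    for (size_t i = 0; i < GUARD_WORDS; i++)
        if (s->words[i] != STACK_FILL) return 1;
    return 0;
}

/* Stand-in for a task pushing `frames` words onto its stack from the top down; clamps at the
   array edge only so this model cannot corrupt memory outside the struct. */
void task_push_frames(task_stack_t *s, size_t frames) {
    for (size_t i = 0; i < frames && i < STACK_WORDS; i++)
        s->words[STACK_WORDS - 1 - i] = 0x10000000u + (uint32_t)i;   /* arbitrary saved state */
}

/* Scenario helpers: paint, let a task use `frames` words, then read the two diagnostics. */
int overflow_after(size_t frames) {
    task_stack_t s;
    stack_paint(&s);
    task_push_frames(&s, frames);
    return stack_overflow_detected(&s);
}

size_t high_water_after(size_t frames) {
    task_stack_t s;
    stack_paint(&s);
    task_push_frames(&s, frames);
    return stack_high_water_words(&s);
}
```

The same scan is what a debugger script does over a dumped RAM image to see how close each task came to its limit, which is why the pattern is chosen to be easy to spot in a hex view.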
I've just gone through my YT homepage asking for every channel with a 'shocked face' thumbnail never to be recommended again.
The firmware extract technique is awesome!
Thank you!
Running into "manufacturer default" doesn't mean that you actually have all the firmware. In some chips you don't have equally sized pages, so you want to pack the bootloader and ISR vector in page 0, then store some mfg/NV data (i.e. for pairing), but the actual firmware can be stored in the last page. It is just a matter of the linker script.
This is how a programmer who’s a father shows his love for his kids - by making sure their data is encrypted. But for real, those home videos of a baby monitor getting hacked and some random talking to your kids through it when you’re asleep or in a different room not actively watching the monitor is absolutely creepy as fuck. These systems should be encrypted by default.
The user manual for this product shows it uses 2.4 GHz FHSS modulation (not WiFi), which requires the camera and monitor to be paired.
I'll guess the video stream is not encrypted, because there's no possibility of accessing it unless you have a paired receiver within range.
I'm enjoying your channel, particularly the reverse engineering content.
But if you have an SDR, say a HackRF One, can't you just capture the RF signals and demodulate them?
@@element4element4 I've used an RTL-SDR to demodulate ASK and FM, I'm not sure how you'd go about doing that for FHSS as you need to 'de-hop' the carrier and that requires knowing the pseudo random frequency hop sequence which is set in the pairing process.
@@mikegofton1 never underestimate a programmer with a weird... Interest and the lengths they'll go to achieve that goal
(See this video as an example)
FHSS is not any form of encryption. There was a cool shmoocon talk about it years and years ago I think, i gotta go rewatch it but just hopping frequencies a bit isn't enough
I have a similar monitor that uses a proprietary RF link at 2.4 GHz.
It claims to be encrypted, but quite frankly I don't care.
The range, at most, is around 50 meters. The chances of anybody within range having the hardware, skills, time and desire to eavesdrop is negligible.
Plus, even if they did they just get the world's dullest video stream of a sometimes sleeping baby.
Nothing was found "Found Something Concerning."
That’s funny, at the beginning of the video I was thinking “it would be easier just to look at what is actually being transmitted”.
Sounds like you need a mixed-mode oscilloscope and capture the data between the chips. Many more expensive ones can save that data to a stream you can then see what happens. Some chips allow the firmware to be encoded not as much encrypted. Big-endian and little-endian also can be an issue.
Or a logic analyzer, which is much cheaper than an MSO.
@@GRBtutorials I will give you that...
Congrats! Keep it up. So far I think Ive seen just about every tool used in the latest DEFCON vids!
Just 2 minutes into the video and I've already learned a lot. Great content, new sub. Thank you!
06:52
h264 is a video codec, so enc would stand for encode
it is most commonly referred to as x264
the h stands for hevc, as 264 is part of the hevc family of codecs
that's why you may encounter it as h264, h.264 or just plainly x264
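Several comments in this thread point out that H.264 is a video codec, not a cipher. One practical consequence for anyone looking at a captured or dumped stream: an H.264 Annex B elementary stream has recognizable framing (00 00 01 / 00 00 00 01 start codes followed by a one-byte NAL header whose forbidden bit is 0 and whose low five bits give a unit type between 1 and 23), while a properly enciphered stream shows no such structure. The scanner below is an added example, not code from the video; both byte strings are constructed stand-ins with placeholder payload bytes, not captures from the monitor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: three Annex B NAL units (SPS = type 7, PPS = type 8,
 * IDR slice = type 5) with placeholder payload bytes. */
const uint8_t sample_stream[] = {
    0x00,0x00,0x00,0x01, 0x67, 0x42,0x00,0x1e, 0xab,0xcd,
    0x00,0x00,0x00,0x01, 0x68, 0xce,0x38,0x80,
    0x00,0x00,0x01,      0x65, 0x88,0x84,0x00,0x33,0xff
};

/* Constructed bytes with no start-code prefix anywhere, standing in for
 * what an enciphered stream looks like: no recognizable framing. */
const uint8_t opaque_stream[] = {
    0x9f,0x3a,0x77,0xc2,0x11,0x5e,0xe0,0x04,0xb8,0x6d,0x2c,0x91,0x4f,0xd3,0x1a,0x86
};

/* Length of the start code at pos (3 or 4), or 0 if there is none. */
static size_t start_code_len(const uint8_t *b, size_t len, size_t pos) {
    if (pos + 3 <= len && b[pos] == 0 && b[pos+1] == 0 && b[pos+2] == 1) return 3;
    if (pos + 4 <= len && b[pos] == 0 && b[pos+1] == 0 && b[pos+2] == 0 && b[pos+3] == 1) return 4;
    return 0;
}

/* Walk the buffer, record up to `max` nal_unit_type values, return how
 * many valid NAL headers were seen (forbidden_zero_bit 0, type 1..23). */
size_t scan_nal_units(const uint8_t *b, size_t len, uint8_t *types, size_t max) {
    size_t found = 0, pos = 0;
    while (pos < len) {
        size_t sc = start_code_len(b, len, pos);
        if (sc == 0) { pos++; continue; }
        pos += sc;
        if (pos >= len) break;
        uint8_t hdr = b[pos];
        if ((hdr >> 7) == 0) {
            uint8_t type = hdr & 0x1f;
            if (type >= 1 && type <= 23) {
                if (found < max) types[found] = type;
                found++;
            }
        }
        pos++;
    }
    return found;
}

size_t count_nal_units(const uint8_t *b, size_t len) {
    uint8_t t[1];
    return scan_nal_units(b, len, t, 1);
}

/* nal_unit_type of the index-th unit, or -1 if there is no such unit. */
int nal_type_at(const uint8_t *b, size_t len, size_t index) {
    uint8_t types[32];
    size_t n = scan_nal_units(b, len, types, 32);
    if (index >= n || index >= 32) return -1;
    return types[index];
}

/* 1 if the buffer carries at least one well-formed NAL unit, else 0. */
int looks_like_annexb(const uint8_t *b, size_t len) {
    return count_nal_units(b, len) > 0;
}

int main(void) {
    printf("sample: %zu NAL units, annexb=%d\n",
           count_nal_units(sample_stream, sizeof sample_stream),
           looks_like_annexb(sample_stream, sizeof sample_stream));
    printf("opaque: annexb=%d\n", looks_like_annexb(opaque_stream, sizeof opaque_stream));
    return 0;
}
```

A positive result is strong evidence the payload is plaintext codec data; a negative one is not proof of encryption, since the bytes may simply be under another container, whitening or link-layer coding, as a later comment in this thread on PHY and link layers explains.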
Hey that’s the kind we have!
I wasn’t sold on the encryption claims myself, but ultimately I decided that the fact that it was a locally-paired 2.4GHz camera limited our attack surface to just our neighbors so it was probably okay. I’m looking forward to seeing what you learn about it :)
Just subscribed. This kind of content stimulates my inner nerd. I can't wait to see what you found!
One thing but before I state it, I really appreciate your effort and engineering skills. I appreciate the device chosen and the genuine story of concern too. Here’s the thing- wouldn’t you want to see the encryption be on the camera and decryption happening on the monitor? I also feel there are many other methods of encryption and it may not be so literal in the code.
That might be security by obscurity. We'll see what you'll find in RF but I'm guessing that radio channel is somewhat custom or not typical.
I admire your effort to go through console. I'd probably desolder relevant IC's and just read them with a programmer ;)
I am not a security expert by any means. I'm just a sales engineer for a tech firm, but that does mean I get fun toys to play with and have the real enginerds fix when I break them. All that to say, when we set this exact monitor up in our house, our WIPS sensors on our WatchGuard Wireless APs went crazy. It appears to be using straight up standard 2.4GHz on channel 11. WIPS was able to show traffic (this is where I don't have the expertise) but we accepted the risk because the wifi enabled one we used previously (Owlet) made its first hop out of the network to China, then South Korea before trying to establish a connection in the US. My wife couldn't get the camera to work and I found Geolocation policies shutting it down on packet #2 lol.
H.264 is a video compression codec. It is not encryption.
Every so often I like to humble myself by listening to smart people talk about subjects I know nothing about. This video served me well.
I was thinking about your efforts, and it occurred to me that folks have probably built Baby Monitors using Raspberry PI's and that they are probably about the same price or cheaper that way than buying them off the shelf. I have not studied the projects, so not sure if they include Encryption, but I'll bet that's easy to add - comparatively. So, you might consider doing another video after this project to analyze the RaspPi baby monitors projects out there and if they don't encrypt, then fixing one of the projects so it does. Just a thought. I'm following you to see what you find. Cheers.
This guy is smart, I am really enjoying this series.
This video is such a perfect advertisement for your Twitch, haha... As soon as I recognized that you streamed this whole thing, I followed you.
"... h264enc might encrypt or not ..."
> multimedia developers typing furiously in the comment section.
I was recently using a kids walkie talkie with about a 60ft range and picked up someones baby monitor. The lady on the other end was mortified. I told her I was as shocked as she was, apologised, then promised to use a different frequency LOL
Good work! I appreciate that you share your process. Good mixture of technical information without being verbose.
Biopsychosocial engineer says: dude is smart. Any reasonable baby mama would want that seed
The "uhou ! We're hacking!" Killed me 😂😂
Where do you normally stream? Will def follow along your vids my dude :D
Awesome video. I love watching people reverse firmware, its kinda like a detective movie.
I actually tried my hand at reverse-engineering some firmware too, well, I crashed and burned on that hill. My problem is that I don't want to take the device apart, so I tried using the update image, but binwalk just showed some corrupted stuff, and in the end I figured it's compressed, but no idea how to decompress it. It's raw deflate I think so if you know any tools to decompress that I would be glad.
What device/firmware? I could take a look at it if you want, I love messing with firmware lol
There are 3 types of hackers
Black hats/white hats
And hardware hackers
4th: BASEDHAT Hackers
Does white hat include ROM hackers? ;)
@@LowLevelTV aka hackers of multiple spaces(hardware and software) that are white/gray hats
@@stapler942 yes :D
great channel! awesome video! and very cool t-shirt man! congrats
Your channel is so undervalued!
I would have just started with trying to pick up whatever it was sending over the air, which is easier if it's a WiFi device that sends the information over your personal network or some will over the internet (for creepy baby watching at home while working I guess), as that's a quicker job to do...
Though I am curious what radio spectrum it uses to send the audio and video (I've never owned a baby monitor)
Though to be fair this isn't the spirit of the channel, and you never know when someone wherever the firmware was made out in a super easy backdoor for watching random babies...or houses
I'm also not so much a hardware hacker which is why I love this channel
in the USA it would have to be a band where FCC Part 15 transmit is allowed. so likely 2.4 GHz.
I have no idea how i didnt discover this channel earlier. This is amazing content, thank you!!!
Cool shirt man! Loved the vid 👍
Baby monitors are not encrypted. When I was in the army, we would do convoys from one base to another and in one housing project that was close to the freeway I would always get three baby monitors. One day the mother came charging into her baby's room screaming "who's there?" It was then that I realized our radio frequency for convoy was the same one her particular baby monitor used. I made a note in the convoy notes on the location for further briefing of convoy vehicles, not to use our SINGAR radios within a half mile of that location. I informed the mother that we were a military convoy en route and that we would be out of range within one minute's time. After this determination, it became SOP for our convoys not to transmit on the stated frequency plus or minus half a mile from said location. I can only imagine her sitting in the living room while her baby was sleeping only to hear a bunch of men talking weird mumbo jumbo in her baby's bedroom.
Congrats on being a father ...
Could you dump an Android firmware, bootloader, and all that good tihs.
It's possible, but it's much easier to just go online and download those. It's available for all devices for free.
YESSS!!!!!!
I have one of these due soon and wanted to do the same thing but I'm not smart enough. Thank you!!
I love this channel and community. I had a good time watching you hack this one, learned a bit too.
If it's encrypted there needs to be a method of key exchange. It sounds nice to encrypt but it's a hassle if the key fails. With powerline I need to restart the devices every month because the encryption key fails after a month or 2 months. Even if it's encrypted there is a problem with the key exchange: a static key for all devices isn't very good as all devices use the same key. But it's better to use a simple XOR static key than nothing at all. Even a static AES key is sometimes used in the firmware world and you find examples in the datasheets all over the world.
Can't wait to see the next video on this!
Why would someone hate regex ... it's awesome.
Nice video! One thing that I've seen in several products who go the ASIC route is putting the crypto routines into the mask ROM. Depending on how privilege isolation works (or does not work) on your device you might just be able to dump the crypto routines straight out of ROM. It's often-but-not-always mapped starting at 0, because the boot vector table needs to be there anyway and often comes from mask ROM. If they do implement some form of execution isolation, like a separate page table, then it can be harder to dump. Looking forward to the next video!
ASICs can be encapsulated in the microprocessor can. In the Apple M1 and M2, the multi-layers are used for parallel comm paths... that users can't access.
Cool! I couldn't find the RF data capture video... did it disappear?
@@ooglek any luck sir?
@@blitzkrieghopAZ Nope, can't find it still.
Love the video, really interesting, and your shirt says it all, a true mantra. But imo I would have instantly gone intercepting the packets of data between the monitor and the camera, however that wouldn't make as good of story line for the video series. Teaching and showing practical purpose, I take my hat off for you sir.
WHAT A COOL VIDEO! I am so impressed and excited to see what's coming!
As a viewer, it would’ve been good to know at the beginning that it’s not a wifi based monitor. That fact makes it so much more secure alone. Encryption on top of that is a nice cherry on top though
Sonicare toothbrushes have several programming pads inside (easy to see in teardowns online). Not sure how interesting they are, just FYI
Cool video!
As a student of information theory and RF systems & SW myself, I love seeing stuff like this.
Questions like this can be tricky to answer from an outsider's depending on how they chose to implement their design.
RF stuff is usually done in layers on the OSI model. Encryption is commonly used on the presentation layer, which is just below the application layer. Meaning there are a number of other things that happen before you even get there that would need to be truly understood first.
Could you maybe pick something out before then? Sure? Possibly? But it's highly unlikely.
Your best bet is to find instructions that lead to preparing the H264 frames before sending them across the network.
Looking at the PHY (Doing some type of analog over the air RF Capture) won't particularly tell you if it's encrypted or not straight away. The PHY will have a modulation scheme you'd need to demod first. It isn't always straightforward either, modulation schemes now can get fairly complicated and have numerous components superimposed on top of one another (In phase and quadrature are some examples). You may also have pilot symbol sequences to handle channel estimation or synch signals. There also may be other barriers to get to the baseband symbols from the PHY such as data whitening, or spread spectrum frequency hopping to help the device play nice with regulations. The link layer usually does forward error correction as well, so that would also be present, you'd need to figure that out and have a decoder for that. You may also have channel access control scheduling to take into account to handle numerous devices. The network layer might be where things start getting a bit more familiar, but even that there's no guarantees. You also have source coding, or in this case compression. I noticed H264 codec labels, which is a video compression standard that's fairly common. Really cool theory as well.
All in all, a simple RF capture probably won't tell you whether or not this is an encrypted signal.
There's a reason RF com protocol analyzers cost so much money.
Long winded way to say, your best bet is exactly what you had been doing. Scan the binary to see if any clues about ciphering, key generation, key scheduling, etc... otherwise you might as well be re-designing all of this yourself.
I can’t find the conclusion video?
5 months ago he said he was still working on it lol. Maybe it was harder than expected and then the baby arrived lol.
@@aspzx appreciate the response! I was keen and disappointed I couldn’t find it :P
I may be wrong here, but from my experience you can only write a flash bit from 1 to 0, if you want to do a 1 you will need to erase the whole page. So those A5 could have been out there to make sure no one could put any code there without erasing a larger block of flash possibly bricking the device
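Two comments in this thread (the one above and the earlier one about A5A5 in flash) make the same point about flash cells: programming can only clear bits (1 to 0), and only a page erase sets them back to 1. The model below is an added example, not code from the video or from any flash vendor; it uses a constructed toy geometry (two 16-byte pages, real parts use kilobyte pages) and a constructed 4-byte payload, and it tracks erases per page since every erase consumes part of the cell's endurance budget.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 16   /* constructed toy geometry; real pages are KBs */
#define NUM_PAGES 2

typedef struct {
    uint8_t  cells[NUM_PAGES][PAGE_SIZE];
    uint32_t erase_count[NUM_PAGES]; /* each erase spends part of the cell's life */
} nor_flash_t;

/* A fresh part: every cell reads 0xFF. */
void flash_init(nor_flash_t *f) {
    memset(f->cells, 0xFF, sizeof f->cells);
    memset(f->erase_count, 0, sizeof f->erase_count);
}

/* Erase is the only operation that returns bits to 1, and it works on a
 * whole page, which is why patching one byte costs an erase of everything
 * around it. */
int flash_erase_page(nor_flash_t *f, unsigned page) {
    if (page >= NUM_PAGES) return -1;
    memset(f->cells[page], 0xFF, PAGE_SIZE);
    f->erase_count[page]++;
    return 0;
}

/* Programming can only clear bits (1 -> 0). Returns 0 on success, -1 if the
 * range is out of bounds, -2 if any requested bit would need a 0 -> 1
 * transition; in that case nothing is written at all. */
int flash_program(nor_flash_t *f, unsigned addr, const uint8_t *data, unsigned len) {
    if (addr + len > NUM_PAGES * PAGE_SIZE) return -1;
    for (unsigned i = 0; i < len; i++) {
        uint8_t cur = f->cells[(addr + i) / PAGE_SIZE][(addr + i) % PAGE_SIZE];
        if (data[i] & (uint8_t)~cur) return -2;  /* wants a 0 -> 1, impossible */
    }
    for (unsigned i = 0; i < len; i++)
        f->cells[(addr + i) / PAGE_SIZE][(addr + i) % PAGE_SIZE] &= data[i];
    return 0;
}

uint8_t flash_read(const nor_flash_t *f, unsigned addr) {
    return f->cells[addr / PAGE_SIZE][addr % PAGE_SIZE];
}

/* Scenario: the unused start of page 1 has been filled with A5 A5 A5 A5,
 * then new bytes are programmed over it. Returns the program result; with
 * erase_first set, the page is erased (and the A5 fill lost) beforehand. */
int scenario_overwrite_fill(int erase_first) {
    nor_flash_t f;
    const uint8_t fill[4] = {0xA5, 0xA5, 0xA5, 0xA5};
    const uint8_t code[4] = {0x5A, 0x12, 0x34, 0x56};  /* constructed payload */
    flash_init(&f);
    flash_program(&f, PAGE_SIZE, fill, sizeof fill);    /* FF -> A5 is allowed */
    if (erase_first) flash_erase_page(&f, 1);
    return flash_program(&f, PAGE_SIZE, code, sizeof code);
}

/* The other direction: A5 cannot be programmed over an already used 0x00
 * cell either, so A5 is not something you can "write later" into used space. */
int scenario_a5_over_zero(void) {
    nor_flash_t f;
    const uint8_t zero = 0x00, a5 = 0xA5;
    flash_init(&f);
    flash_program(&f, 0, &zero, 1);
    return flash_program(&f, 0, &a5, 1);
}

int main(void) {
    printf("overwrite A5 fill without erase: %d\n", scenario_overwrite_fill(0));
    printf("overwrite A5 fill after erase:   %d\n", scenario_overwrite_fill(1));
    printf("program A5 over 0x00:            %d\n", scenario_a5_over_zero());
    return 0;
}
```

The all-or-nothing check in flash_program mirrors what a careful driver does before issuing a program command: detect a required 0 -> 1 transition up front and refuse, rather than leave the page with a partially programmed, unreadable mix.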
Can't wait to see how the RF capture works!
@@nordgaren2358 did this RF video occur?
@@blitzkrieghopAZ I think it was a stream. I was busy when it happened, I think. Maybe it's still on Twitch?
There are two kinds of people: those who hate regex, and those who get shit done.
Ooh the E5 is good, I have absolutely no idea what you are talking about, but for some reason made me a bit optimistic
Your shirt has a point there...
Needs an asterisk though with something like "though nobody can read your code, if your code isn't readable"
Talking about those Malwareguys using obfuscators on their (just-in-time-compiled, interpreted) Javascript and Python Code.
Great video 👏 waiting for the next one. I realized how easy it was to get video from my webcameras that use the RTSP protocol.
Just want to say. My company uses chips designed by sonix. And we hate them with passion. My best guess would be the communication is not encrypted or it's a simple ROT13/XOR cipher.
Personally I wouldn't touch anything that runs on a SONIX chip alone, without some secondary CPU to mask SONIX's buggy firmware.
Since there is some kind of "cipher" library being compiled in, but there is no sign of encrypt/decrypt functions, it might be the case of the device actually using hardware encryption built into the silicon. Many low power devices/MCUs implement such hardware to offload CPU heavy functions to an actual encryption hardware peripheral.
By using hardware peripheral, configured to directly access data via DMA or some other hardware register based means it might not need to actually use any functions to actually encrypt/decrypt in the code and cipher library is only there to configure encryption hardware.
OFC this is just a theory, confirming data is actually encrypted that way requires further look into device operation/code/RF output.
I have a wifi cam I use as a baby monitor that would try to reach out to IPs in China, so I had to block every port on it from the router. It was pretty freaky. I still have the wifi cam and would love to dump it, I know you can SSH to it.
I can't find the video you say your made, about the RF capture?
Still working on it :)
@@LowLevelTV still?
@@Haydenz11 I'm guessing it wasn't interesting enough or it got scrapped
This is really interesting stuff. I don’t understand a lot of the software side of things but I appreciate the work involved. Now, bear with me here because I realise I know nothing compared to the rest of you guys, but my first question would be “Who and why would someone go to the trouble of hacking in to my baby monitor?” I’m all for protecting your children (I have four of them!) but surely someone would need to know I had a specific type of camera, know I had a baby to watch and then be in range and have all the appropriate equipment with them and the time to do it. Having asked that, I still understand the value in reverse engineering stuff like this and the learning potential of it. Thanks
Ages ago, I worked for a firm that was trying to make highly secure systems.
The project required an encrypted CPU and memory controller.
Every data transfer in or out of the CPU was scrambled, every byte sent to RAM was scrambled again!
A hacker, with probes in the guts of the computer, wouldn't be able to make sense of anything!
Long story sideways: the project failed in prototype stage.
Our own logic-probes couldn't troubleshoot the encrypted data-streams!
We made a puzzle that we weren't smart enough to solve.
We got paid; who cares if the thing worked?
Any plans on uploading the stream here? I'd really like to watch it from beginning to end since I recently had a similar project and I'd like to compare notes and learn from your methods.
I would probably have started with capturing the packages and analyzing them, but your approach is also interesting.
The HDCP encryption used by HDMI may be the reason for the cipher library. They are required to obfuscate any master keys.
H264 is a video encoding format. It is not encrypted if that's all that's in there.
Ngl, I'd probably have started with RF sniffing and skipped trying to get a shell and pull data from the device
7:18 "H264" is famously a Video Encoder, like MPEG2 but newer and better.
Others might have grabbed a $20 SDR dongle and examined the over-the-air signal to see if it's encrypted or not. 7:35 - yeah that. :-)
Wow, it's fascinating to see how much effort and attention to detail goes into ensuring the security of devices we use every day, even something as seemingly simple as a baby monitor. Thank you for sharing your expertise and knowledge with us in this informative video.
As long as your baby isn't made from solid gold, or you use the baby monitor to stream your credit card information 24/7 from a high elevation, I think in reality you're fine😂
"some hate regex" how could anyone hate regex? it's so powerful and handy.
new to the channel, really cool stuff you do
I can't find the video with the RF capture. It's hard to tell which videos are part of the series when they're not numbered.
RF video isn't out yet. I'm still working on it :)
Thanks for watching!
@@LowLevelTV Did you abandon it?
H.264 is a video compression standard (in fact the same one used by youtube) so not related to encryption, unfortunately
Turn up your heat and you won’t have to wear a stocking cap inside.
The very fact that they didn't compile out the UART interface is the only red flag you need.
In all my RTOS experience, we always compile it out, it's zero effort.
Even if you compile it out, there are still ways to bring it back (unless the chip has an initialized security lockout bit of course).
That’s how I was able to access hisilicon IPCs. The read-only bootrom emitted a bit sequence on UART that allowed for firmware flashing over serial. I used it to load my own program into SRAM and then dump both the bootrom and nand flash memory.
just found this channel, subscribed, and will be buying that shirt next check!
Did you make an rf capture and analysis?
Me having damn near zero idea regarding computer stuff let alone the independent stuff such as code to any degree what so ever while watching this
"Hmmm interesting"
you may be the only one I've heard of that enjoys Solarized, that's pretty cool
Fantastic work! Two different kinds of people though, I'd have started with an RF capture because my assembly knowledge is..... Lacking..... To say the least lol
I never even considered that this could happen
Hacking is so much more and less complicated than I thought.
I'm sure this has been mentioned plenty of times given how late I am to the video, but H.264 is a video encoding standard. It has nothing to do with encryption (and almost certainly nothing to do with whatever that CIPHER was referencing).
I would have used a SDR to answer the question you posed about video transmission encryption.
encrypting the firmware allows them to ensure signed and unmodified updates. plenty of youtubers willing to modify firmware, make a video, and farm ad revenue by scaring people....
Security researcher writes in description 'wasn't able to be hacked' yet cites the bibles of several fields in the description as well.
Seems to me it would have been easier and more productive to sniff data/packets from the onset, especially given that the next video seems to head in that direction anyway.
I had the same concerns myself when I had my kid, in fact her 4th birthday was recently. I came to similar conclusions with many monitors but from the RF approach. Being a ham and all, I was particularly interested in that, even tho I am an IT systems engineer. It's not encrypted. None that I could find were. However, the range on this monitor (which is the one I ultimately settled on) is fairly limited (tho was enough for a 2000sqft house + a little into the yard). If someone was trying to sniff the RF it would be pretty obvious as no one sits in their car in front of my house, so that would be unusual. I'll take airgap w/ some known vulnerability over IoT / Internet required any day. Congrats on the kid, it's a wild ride.
Wholeheartedly agree with your last statement, the amount of dodgy stuff I see from cheap IP cameras is ridiculous.