
Reverse engineering a camera protocol for fun and profit - wilsonfiifi
https://www.thirtythreeforty.net/posts/2020/05/hacking-reolink-cameras-for-fun-and-profit/
======
nvella
I must say, out of all the things to happen on a Thursday night I wouldn't
have expected to read an article where someone referenced my own code that I
wrote _when I was 15._ (5 years ago now... time flies) Here's the file I
presumed he looked at:
[https://github.com/nvella/sdvr/blob/master/pk.c](https://github.com/nvella/sdvr/blob/master/pk.c)

I was trying to reverse-engineer my parent's network CCTV DVR so I could
hopefully integrate it with Home Assistant - as far as I'm aware the sluggish
smartphone apps are still the only way to access those boxes. I wasn't ever
able to get as far as George did with his IP cameras; I hit a snag on trying
to correctly reassemble the H264 streams, so all I ever got out of it was
mostly corrupt still frames.

If you're reading this George, well done! :D

~~~
thrtythreeforty
Hi! Author here. You saved me a good day of figuring out what all the header
fields meant. I definitely appreciated finding your code!

~~~
thrtythreeforty
Also... When you were _15_? Geez, I think I knew what GWBASIC was at that age.
Kudos again.

~~~
nvella
Cheers :) Yeah, I was one of those kids that spent most of their free time
programming or otherwise tinkering with computers. I started with simple
systems scripting languages before moving to Ruby and getting a proper grip on
basic OOP stuff, C then shortly followed.

I don't really have any use for C today, but it definitely taught me _a lot_.
It was intimidating at first, but when the concept of pointers finally clicked
I felt like I had a sense of control in the language, and things were
relatively deterministic and predictable.

I did most of my projects in C for a few years, but eventually got sucked into
the JS ecosystem like pretty much everyone else at the time. These days I
mostly work in .NET - C# is constantly evolving, and with .NET Core it's
seemed to strike a good balance between powerful tooling, cross-platform
support, performance, and just fun language features. I'm pretty content for
now :)

------
syntaxing
That was a super fun read! I was super impressed with the content! It seems
like the "mastering embedded Linux" is extremely rich too [1]!

[1] [https://www.thirtythreeforty.net/posts/2019/08/mastering-emb...](https://www.thirtythreeforty.net/posts/2019/08/mastering-embedded-linux-part-1-concepts/)

------
gspr
These articles always make me feel two conflicting emotions at the same time:
_"I feel so inadequate because I couldn't do this reverse engineering
myself"_ and _"it feels good knowing that I'd do a better job than Charlie
even though I don't even work in that industry"_. Poor Charlie.

~~~
asddubs
charlie is a double agent who intentionally made the security weak so it could
be hacked and opened. i salute you charlie, fight the power!

~~~
consp
Charlie apparently also works at a large US car manufacturer, as they do some
bit mashing as well as a form of "encryption" in their software tooling
(though only for the key, as they then decrypt everything with the unmashed
key using salted 3DES, so no XOR there at least).

~~~
ryandrake
I would love to understand the software process breakdowns that allow that
"Charlie" code to make it into production! Almost everywhere I've worked, this
would have been instantly caught during code review and Charlie would have had
to answer to at least his peers for his crimes! Or, it would have been caught
during the integration phase, as there had to be some other team consuming the
byte stream and implementing the reverse to "decrypt" it. How on earth does
this make it through all the gates and out into the field??

1. Were the requirements just vague? e.g. PRD just says "Encrypt the payload
somehow, lol" and junior engineer Charlie, not being a crypto expert, just
made something up? If so, that should have been caught and corrected by a code
review. More eyes than Charlie would have at least looked at it and should
have raised an alarm.

2. Did the requirements actually say "The payload shall be XOR'ed with the
string 'Charlie is the designer of P2P!!' and then the bytes shuffled around
as such: [...]" and everyone agreed this would be great? Where is
engineering/security leadership push-back during the design phase, in that
case?

3. Did the requirements call for proper encryption, and Charlie just ran out
of time and cobbled this together? Again--code review, maybe insufficient
project planning?

I mean, bugs slip in to code all the time, but this seems like something
deliberately done this way and deliberately ignored through the entire design,
development, test, and deploy process!
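To make the "Charlie" scheme concrete, here is an added example in Python (not the author's code, and not the protocol as the post documents it) of repeating-key XOR with the key string quoted above, together with the known-plaintext attack that recovers the key from a single captured message whose first bytes are guessable. The byte shuffle this comment mentions is not specified on this page and is left out; the 32-byte period is simply the length of the quoted string; the XML-style payloads and the crib are constructed assumptions, not real camera messages.

```python
from __future__ import annotations

# The key string the thread quotes. It is 32 bytes long, which fixes the
# period of the repeating-key XOR assumed in this example.
CHARLIE_KEY = b"Charlie is the designer of P2P!!"
KEY_LEN = len(CHARLIE_KEY)  # 32


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one function both scrambles and unscrambles."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def key_from_crib(ciphertext: bytes, crib: bytes, offset: int, key_len: int) -> dict[int, int]:
    """Known-plaintext attack: key[(offset + i) % key_len] = ciphertext[offset + i] ^ crib[i].

    Returns the key bytes the crib pins down, indexed by key position. A crib at
    least key_len bytes long yields the whole key. Raises ValueError when the
    crib contradicts itself, which happens when it wraps past the key period at
    a wrong offset (or the guessed period is wrong); that is the filter that
    makes crib-dragging selective.
    """
    if offset < 0 or offset + len(crib) > len(ciphertext):
        raise ValueError("crib does not fit in ciphertext at that offset")
    found: dict[int, int] = {}
    for i, p in enumerate(crib):
        pos = (offset + i) % key_len
        k = ciphertext[offset + i] ^ p
        if found.setdefault(pos, k) != k:
            raise ValueError(f"crib inconsistent at key position {pos}")
    return found


def drag_crib(ciphertext: bytes, crib: bytes, key_len: int) -> list[tuple[int, dict[int, int]]]:
    """Try the crib at every offset and keep the offsets where it is self-consistent."""
    hits = []
    for off in range(len(ciphertext) - len(crib) + 1):
        try:
            hits.append((off, key_from_crib(ciphertext, crib, off, key_len)))
        except ValueError:
            continue
    return hits


def partial_decrypt(ciphertext: bytes, key_bytes: dict[int, int], key_len: int) -> bytes:
    """Decrypt the positions whose key byte is known; mark the rest with '?'."""
    return bytes(
        c ^ key_bytes[i % key_len] if i % key_len in key_bytes else ord("?")
        for i, c in enumerate(ciphertext)
    )


def recover_full_key(ciphertext: bytes, crib: bytes, key_len: int) -> bytes | None:
    """Return the complete key from the first crib offset that pins down every key position."""
    for _, key_bytes in drag_crib(ciphertext, crib, key_len):
        if len(key_bytes) == key_len:
            return bytes(key_bytes[i] for i in range(key_len))
    return None


# Constructed sample payloads (not real camera messages): XML-style bodies of
# the sort a login exchange might carry. The XML prologue is the natural crib.
LOGIN = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
         b'<body><user>admin</user><password>hunter2</password></body>\n')
STATUS = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
          b'<body><status>ok</status><uptime>12345</uptime></body>\n')
CRIB = b'<?xml version="1.0" encoding="UTF-8"?>'   # 38 bytes, longer than the 32-byte key


if __name__ == "__main__":
    ct_login = xor_with_key(LOGIN, CHARLIE_KEY)
    ct_status = xor_with_key(STATUS, CHARLIE_KEY)
    print(recover_full_key(ct_login, CRIB, KEY_LEN))    # b'Charlie is the designer of P2P!!'
    # Same key on two messages: XOR of ciphertexts equals XOR of plaintexts, so
    # the shared prologue cancels to NUL bytes without knowing the key at all.
    print(xor_bytes(ct_login, ct_status)[:len(CRIB)])  # 38 NUL bytes
```

A crib longer than the key period is what makes the offset search selective: at a wrong offset the wrapped-around bytes contradict the unwrapped ones and that offset is rejected. With two messages under the same key, the XOR of the ciphertexts cancels any shared plaintext to zero, so the scheme leaks message structure even before the key is known; no amount of code review fixes that, only a real cipher does.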

~~~
josteink
> I would love to understand the software process breakdowns that allow that
> "Charlie" code to make it into production!

In embedded systems, FW space is at a premium.

If you can avoid embedding a full crypto-stack in your firmware and replace it
with 5 lines of C, which provides at least some safety, more often than not
(depending on the use-case), that might be the right decision.

I mean, even if the encryption used here was proper RSA, the method discussed
in this article might lead to disclosing the key and cracking the protocol
anyway.

~~~
gspr
Except this thing runs a full-blown Linux! It's hardly the kind of severely
space-constrained system you're talking about.

~~~
josteink
I've worked with firmwares where individual megabytes matter, and they've
been Linux-based too.

Just because it runs “full blown Linux” doesn’t mean you get more than 16MB to
play with.

~~~
gspr
And if we're talking _megabytes_ , there's no excuse not to do proper crypto.
MbedTLS, for example, gives you a basic TLS stack in 64kB ROM + 64kB RAM, and
a pretty splurgy one in 200kB.

Of course this can be way too much for small embedded systems, but if you can
afford to run Linux and use phrases like "individual megabytes matter", you
can definitely do proper crypto.

------
peter_d_sherman
>"The only thing that jumped out to me was the appearance of a sync word at
the beginning of each packet, 0xf0debc0a. (In little endian, this is
0x0abcdef0.) On a lark, I Googled this, and actually found a project on GitHub
from 2015..."

That is some excellent Google-Fu!

I had never thought about _Googling the reversed-endian versions of
hexadecimal constants_ -- until you wrote about doing this; I think it's a
brilliant idea, so I'm adding it to my search engine technique toolbox.

In summation, it's a great idea!

It's both simple and elegant!
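Spelling out the trick from the quoted passage, as an added example in Python that is not part of the original post or of the author's tooling: one helper renders a constant both the way a capture tool displayed it (wire order, read big-endian) and the way a little-endian host would have typed it in source, in the spellings worth searching for; a second scans a byte stream for the sync word in either byte order, which also tells you the sender's host byte order. The sample stream is constructed, not a real capture.

```python
from __future__ import annotations

import struct

# The sync word the thread quotes, as the capture tool displayed it when it
# read the first four header bytes big-endian (bytes f0 de bc 0a on the wire).
SYNC_AS_DISPLAYED = 0xF0DEBC0A


def endian_variants(value: int, width: int = 4) -> list[str]:
    """Search strings for a fixed-width constant seen in a packet dump.

    A dump shows bytes in wire order, but the engineer who wrote the firmware
    typed the constant in host order, so on a little-endian CPU the two differ
    by a byte swap. Both readings are returned in the spellings most likely to
    appear in source code, followed by the byte sequence spelled out.
    """
    digits = width * 2
    raw = value.to_bytes(width, "big")        # bytes exactly as seen on the wire
    swapped = int.from_bytes(raw, "little")   # the same bytes read as a little-endian int
    out: list[str] = []
    for v in (value, swapped):
        out.append(f"0x{v:0{digits}x}")       # e.g. 0xf0debc0a
        out.append(f"0x{v:0{digits}X}")       # e.g. 0xF0DEBC0A
        out.append(f"{v:0{digits}x}")         # e.g. f0debc0a
    out.append(", ".join(f"0x{b:02x}" for b in raw))   # C array initialiser
    out.append("".join(f"\\x{b:02x}" for b in raw))    # escaped string literal
    return out


def find_sync_words(stream: bytes, magic: int) -> list[tuple[int, str]]:
    """Offsets at which a 32-bit magic occurs in a byte stream, in either byte order.

    Each hit is (offset, order) with order '<' for little-endian and '>' for
    big-endian. Useful for re-synchronising on a raw TCP capture before the
    framing is understood: whichever order matches is the sender's host order.
    """
    hits: list[tuple[int, str]] = []
    for order in ("<", ">"):
        pattern = struct.pack(order + "I", magic)
        start = 0
        while (idx := stream.find(pattern, start)) >= 0:
            hits.append((idx, order))
            start = idx + 1
    return sorted(hits)


# Constructed sample (not a real capture): two frames that each start with the
# little-endian sync word 0x0abcdef0, separated by filler bytes.
SAMPLE_STREAM = (
    struct.pack("<I", 0x0ABCDEF0) + b"\x01\x02\x03\x04"
    + b"\xff" * 5
    + struct.pack("<I", 0x0ABCDEF0) + b"\x05\x06"
)


if __name__ == "__main__":
    for s in endian_variants(SYNC_AS_DISPLAYED):
        print("search:", s)
    print(find_sync_words(SAMPLE_STREAM, 0x0ABCDEF0))        # [(0, '<'), (13, '<')]
    print(find_sync_words(SAMPLE_STREAM, SYNC_AS_DISPLAYED))  # [(0, '>'), (13, '>')]
```

The two `find_sync_words` calls match at the same offsets but with opposite orders: the value the dump showed only matches as big-endian, while its byte-swapped form matches as little-endian, which is the form the firmware author actually wrote down and the one worth searching for.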

~~~
londons_explore
What surprises me is that there aren't more users of this constant...

~~~
ejolto
I usually see constants that are easier to read like 0xdeadbeef, 0x0c0ffee0 or
0xcafecafe

------
ChrisMarshallNY
This is a story after my own heart.

I have written a lot of ONVIF stuff, and have done pretty similar stuff with
WireShark and Cocoa Packet Analyzer.

Video is still surprisingly proprietary, even after all this time.

I got the ONVIF stuff sorted, but the challenges I deal with, these days, is
providing the video in a realtime streaming format that can be interpreted by
as many clients as possible (especially Apple). RT[S]P doesn’t really cut it.

~~~
imtringued
What prevents you from simply using Kurento with the Playerendpoint and
broadcasting the stream via WebRTC?

There is even a nice sample application that you can try out without having to
write any code.

[https://github.com/Kurento/kurento-tutorial-java/tree/master...](https://github.com/Kurento/kurento-tutorial-java/tree/master/kurento-player)

~~~
ChrisMarshallNY
Well...this is for Apple systems.

As you probably know, Apple is not just badly supported in the surveillance
industry, it is actively hated.

As I was working on the ONVIF stuff, I encountered this quite often. As soon
as people found out I was working on Apple stuff, the relationship would go
belly-up.

I ended up not bothering to renew my ONVIF membership, because it didn’t
really buy me anything.

I created a “breadboard” streaming server for ffmpeg[0], but I’ve put my ONVIF
stuff aside for a while, as I work on Bluetooth projects.

[0]
[https://github.com/RiftValleySoftware/RVS_MediaServer](https://github.com/RiftValleySoftware/RVS_MediaServer)

------
Already__Taken
I have a SWANN camera (some do RTSP, others not) that only has port 900 open;
I wonder if this would work on all these "proprietary" cameras.

The camera industry is shady AF with everything listed as call-for-price. I
hate trying to source anything for it.

------
kanobo
To the author: This site has major scrolling issues on Mac Safari in certain
dimensions. For example, my window width is at 1347px and when I scroll
quickly the layout goes crazy and everything flashes in different locations
until the scrolling or overscroll stops. Occurs on any page on this site and
in many other dimensions. Doesn't happen in Chrome though.

~~~
thrtythreeforty
Author here. How bizarre. Thanks for the report. I'll see if I can reproduce
the behavior (I don't normally use Macs so I have to test ad-hoc).

~~~
mschuster91
On Android (Chrome/SM-T719 tablet in portrait) the sidebar occupies over half
the screen.

------
guiambros
Oh wow, what a great read. When you thought it was over, there was another
entire level deeper in the rabbit hole. Fascinating post. HN at its best.

------
ponker
Huh, this gives me the same kind of frisson that a middle school football-
crazy boy must experience when his dad takes him to a football game when Tom
Brady is in town.

~~~
ngcc_hk
Or you do not know who Tom Brady is, or American football, or even the rules,
but still enjoy the whole analysis very much. Would read the embedded one.
Great work. Great read.

------
melbourne_mat
It's nice work. I always thought it would be a pain to implement a Wireshark
decoder but I was wrong!

One other approach that could have been taken: to add the desired protocols
into the camera directly. I assume you're just adding a control channel and
the video stream encapsulation would be minimal.

------
tpmx
> As a quick aside, it’s natural to wonder why this camera doesn’t support
> RTSP and/or ONVIF. After all, plenty of other Reolink cameras do. Because
> I’d like to give them the benefit of the doubt, I’ll propose the possibility
> that Reolink ran out of storage on this camera and had to axe some features.
> After all, a 16MB flash chip would cost a whole 20 cents extra. This is just
> a cost-saving measure and definitely not vendor lock-in, hmmm?

Don't underestimate the licensing cost of the software. Afaik most camera
vendors use
[http://www.live555.com/mediaServer/](http://www.live555.com/mediaServer/) for
the RTSP server software. There's a licensing cost for commercial use.

~~~
hunter2_
FWIW, Wyze manages to offer RTSP firmware (not pre-installed, but freely
available on their website) for their $25 cameras.

~~~
ctrager
I tried using their RTSP for my own motion detection logic (python, opencv,
pointing at my birdfeeder) but the stream is too glitchy. So far the Amcrest
IP2M-841 is working best for me.

------
hoseja
Poor Charlie. Does anyone know of a wireshark dissector tutorial similar to
the one in the article, but for proper C?

------
veaxvoid
How do you have motivation to do this kind of stuff in your free time?

~~~
osamagirl69
For me it was that I stopped reading the news, and generally 'consuming' the
media. Not only did it clear out several hours in the day, but it also
generally allowed me to focus on being productive instead of being outraged or
saddened by whatever was being peddled that day.

------
ponker
One thing that I'd like to mention is that the author of this post attended
Mississippi State University. I mention this because there is a widespread
stereotype of the Deep South as a place teeming with racists, rubes, the
willfully uneducated, etc... and I want to draw attention to the fact that
there are also technology geniuses that come from there too.

~~~
simmons
Many great people have come from Mississippi, or passed through on their
journey in life. Sadly, I think most of these great people end up leaving,
thus re-enforcing some of the problems the area faces.

I was thrilled to see a rigorous reverse engineering article. It's exactly the
sort of thing I always hope to find when I browse HN. But I have to admit, it
was a special delight to get to the end and find that the author was a fellow
MSU alum. :)

~~~
ponker
I think addressing the perception gap is part of this. No doubt that a lot of
people equate "Southern accent" with "stupid." I've seen many lists of "Top 20
black engineers" or "Rising female executives in tech" but haven't seen
something similar for Southerners, although I'd guess that in a typical FAANG
interview the Southerner is starting out with more unconscious bias against
them.

------
ctrager
I'm a retired software dev. Before the pandemic I hadn't coded in 4 years, but
somehow got the itch. One of the things I've been playing with is pointing a
security camera at my birdfeeder, but I'm not so interested in clips of boring
brown sparrows. Instead I want clips of bright red cardinals and bright yellow
goldfinches. So I wrote some python opencv code that reacts to color changes:
[https://github.com/ctrager/opencv_py/blob/master/red_yellow_...](https://github.com/ctrager/opencv_py/blob/master/red_yellow_blue.py)

This is working for me with an Amcrest camera, but I also got a Reolink E1
thinking it supported RTSP and felt cheated when I learned it didn't. I'll be
playing with Neolink the rest of the day. Thanks.

------
hownottowrite
"Charlie is the designer of P2P!!" should be on a shirt.

~~~
thrtythreeforty
Ha - sort of a shitty version of the DeCSS T-shirts, huh? I love it. Pity
nobody would know why it's funny... Or maybe that's part of the appeal. I
can't decide.

~~~
hownottowrite
You’d be surprised how many people would get it. This thread has some legs.

------
hunter2_
Hey, I'm in the market for some ONVIF/RTSP IPcams and saw Reolink highly
recommended time and time again. Upon seeing how their 8MP cams don't have
ONVIF but <=5MP do, I found this write-up just a week or two ago. Really cool
work! I hate to say it with the author in the room, but I pretty quickly
decided on 5MP to have everything work natively without also running bleeding
edge middleware ;)

------
mhaberl
I wonder whether the Great Scrambler Charlie read this post. Proper encryption
takes time; just XOR it, XOR it all, he always says :)

Great job and really well written post.

------
justinlloyd
Things I have reverse engineered in recent memory, that perhaps deserve a
write-up:

- Nextwave Piranha CNC protocol -- easy, about three days of work
- Virtucache for VMWare ESXi -- easy-ish, about five days of work to completely take apart
- SONY camera firmware -- quite hard, about two weeks of work
- Loc8tor tracking tags -- easy once I understood how active RFID works

------
skeletonjelly
Fantastic read. I feel very stupid now though xD

~~~
Polylactic_acid
These reverse engineering posts always do that. I'm pretty good at developing
software but I see people pull off insane reverse engineering efforts like
extracting encryption keys from a chip with 1000 security measures and I
wonder if I know anything.

~~~
enchiridion
Same here! Then I remember that problem to solution only takes a sentence or
two in the article, but might be few days of dead ends irl.

~~~
el_oni
Absolutely.

I found myself wondering while reading the article what the guy's notes look
like. Does he screenshot everything and bullet point as he goes along? Or does
he hit a logical stopping point and write up what worked from A-B, B-C etc.?

It's massively inspiring though.

~~~
thrtythreeforty
The screenshots were definitely taken near the end of the project, while I
still had it all in my head but before I started writing.

In general, the process looked like:

- Brainstorm and reverse engineer first. Have in the back of my mind that I'm
writing this up, and releasing a tool, at the end. This guides my search: no
your reader won't want to desolder something to use their camera, so yes you
need to speak the stock Baichuan protocol.

- As I hit interesting things (like the Charlie Scrambler) start filling out
a Google Keep note with keywords that will remind me of them when I'm writing.

- Take screenshots and produce other media, giving me a rough layout of
waypoints that the article has to hit.

- Write the article, editorializing optional but recommended.

For me, my "writing mindset" is very different from my "engineering mindset."
Some days, I can pound out a new piece of code and sometimes it will even be a
decent design. Other days, I can write clear documentation. Very seldom can I
do both on the same day.

------
Retr0spectrum
Where can I purchase one of those SOIC sockets?

~~~
kogepathic
I found someone selling them on AliExpress, though at a high price point:
[https://www.aliexpress.com/item/4000990317952.html](https://www.aliexpress.com/item/4000990317952.html)

If you don't mind a different style (clam shell), you can get them for
significantly less:
[https://www.aliexpress.com/item/33025755888.html](https://www.aliexpress.com/item/33025755888.html)

I suspect both AliExpress listings are an order of magnitude more expensive
than they can be purchased on Taobao, but then you have to A) find it on
Taobao, and B) use a shipping agent in China to export it.

Found a US-based seller who has them for $3/each (min quantity 10):
[http://siliconkit.com/ocart/index.php?route=product/product&...](http://siliconkit.com/ocart/index.php?route=product/product&product_id=81)

Ah, the model number is listed on the flashrom wiki:
[https://www.flashrom.org/Technology#SO8.2FSOIC8:_Small-Outli...](https://www.flashrom.org/Technology#SO8.2FSOIC8:_Small-Outline_Integrated_Circuit.2C_8_pins)

Edit: Here's the Taobao link:
[https://item.taobao.com/item.htm?id=576521466919](https://item.taobao.com/item.htm?id=576521466919)

~~~
myself248
Thank you, I've been drooling over them on Dediprog for a while:
[https://www.dediprog.com/category/smt-sockets](https://www.dediprog.com/category/smt-sockets) but their MOQ is
slightly offputting; I'd like just a few of each style to have on-hand.

------
dilly_bar
How can I get started doing something like this? Maybe there is an ASK HN
about this. Can someone point me to that?

I bombed digital systems classes (I didn't actually fail, but I really suck at
it) and I want to get better. I give out this info just to relay my feeble
grasp at what is happening here.

------
maxioatic
Super cool! I've never done any embedded device work but have an interest.

Seeing the layout of the flash in a straight forward image like this is pretty
inspirational honestly. Definitely will be checking out more of his work.

------
systemshutdown
For those of us interested in beginning to do RE, what does everyone suggest?

------
4x5-Guy
Definitely a blog I'll have to keep track of.

------
ngcc_hk
Great job!!! Opens some eyes on the video world. I'll start hacking my video
camera.

------
enchiridion
I don't really understand the busybox step. Can someone expand on what is
happening there?

------
mobilio
Using binwalk you can unpack existing firmware and later you can build some
exec for same architecture (can be MIPS or ARM) and repack in new firmware.

------
AnnoyingSwede
Nice work dude!!

------
FL33TW00D
Brilliant.

