While looking for new devices to perform reverse engineering on, I became interested in Bosch’s FlexiDome line of cameras, specifically the FlexiDome 7000, a day/night surveillance camera. This blog post demonstrates how I reverse engineered the firmware file format for the FlexiDome 7000, used that information to unpack earlier firmware versions, discovered how firmware encryption was implemented, reverse engineered the firmware encryption, and wrote an unpacker that supports all tested firmware versions.

This research demonstrates that although manufacturers offer firmware updates to enhance security for legacy products (in this case, through encryption), the limitations of legacy products may prevent them from achieving the level of security of current models that are designed to support the latest security functionality.

- Hex editor: A computer program that allows for manipulation of the fundamental binary data that constitutes a computer file.
- binwalk, a tool for identifying file contents, entropy measurement, and more.
- An open-source tool we developed at Anvil Ventures which was capable of unpacking all tested versions of Bosch camera firmware (Anvil-Developed Open-Source Tool)

A few quick Google searches didn’t turn up much public security research on the FlexiDome 7000, so I downloaded the current firmware image file. I then unpacked it and attempted to do some reverse engineering and subsequently some bug hunting. However, I soon discovered that the firmware file I had downloaded contained encrypted data.

After searching available release notes for various versions of Bosch camera firmware, I found the following statement (Article: Bosch IP Video increased security with firmware):

“In order to upload version 6.51 to a device running a firmware version below 6.50, you need to upgrade first to version 6.50, since older firmware versions do not support firmware file decryption.”

This statement led me to believe that I might be able to unpack a version prior to 6.50. To test this assumption, I downloaded several prior versions and began trying to reverse engineer the file format and obtain its contents. I started with a sample firmware file prior to version 6.50, which I downloaded from the Bosch website (EXTEGRA IP 9000 Firmware Maintenance Release Download. This is a maintenance release of firmware for the EXTEGRA IP 9000 camera.)

I loaded the file into a hex editor to begin working on it. My initial process was to try to figure out the basic structure of the file (headers and then data, multiple sections). Where is some of the basic metadata stored? (Length, checksums, magic numbers, etc.) To explore these questions, I wanted to break the file down into metadata and actual firmware data.

Before we discuss that, it helps to understand that many file formats such as ZIP, Windows PE, and others have structural features in common. Many file formats use one or more “magic numbers,” a constant numerical or text value used to identify the file as belonging to a certain format. For example, ZIP files generally start with PK\x03\x04 as an identifier. Magic numbers give a file parser a quick way to test the file before performing more intensive parsing. Other common fields can help a parser identify the contents and where in the file they are located. In a binary file or archive, these include length, one or more checksums, and other metadata.

When reverse engineering an unknown file format, it helps to consider the type of data a file is expected to contain. Many firmware file formats contain either separate files (i.e. an archive) or data segments that are directly written into the nonvolatile storage on a device.

Bosch Firmware Format Headers

At first glance, I found that this firmware file was broken into what appeared to be sections. The first 1-2KB of data in a hex editor revealed a sparse set of values, followed by a large, seemingly random segment. The very first value (10 12 20 03) in the firmware was found in a handful of locations in the file, always at the start and the end of a 1024-byte long section. Each of these “sections” was followed by what appeared to be binary data.
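As an added example (not code from the original post or from the Anvil Ventures tool), the section observation described in the post can be checked with a short script: it locates every occurrence of the 10 12 20 03 value, tests whether occurrences bracket 1024-byte spans, and computes per-block entropy to separate the sparse region from the random-looking one. The function names are assumptions and the sample image is constructed, not real firmware.

```python
import math
import random
from collections import Counter

MARKER = bytes.fromhex("10122003")  # value the post reports at section boundaries
SECTION_LEN = 1024                  # section length the post reports


def find_marker_offsets(blob, marker=MARKER):
    """Return every offset at which the marker occurs."""
    offsets, pos = [], blob.find(marker)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(marker, pos + 1)
    return offsets


def bracketed_sections(blob, marker=MARKER, length=SECTION_LEN):
    """Start offsets of spans of `length` bytes that begin and end with the marker."""
    hits = set(find_marker_offsets(blob, marker))
    closing = length - len(marker)  # distance from opening to closing marker
    return sorted(o for o in hits if o + closing in hits)


def shannon_entropy(chunk):
    """Bits per byte: near 0 for padding, near 8 for compressed or encrypted data."""
    total = len(chunk)
    return -sum(c / total * math.log2(c / total) for c in Counter(chunk).values())


def entropy_map(blob, block=SECTION_LEN):
    """(offset, entropy) for each block, to separate sparse headers from dense data."""
    return [(o, shannon_entropy(blob[o:o + block])) for o in range(0, len(blob), block)]


def build_sample():
    """Constructed image (not real firmware): two sparse sections, each followed by dense data."""
    rng = random.Random(1)
    section = MARKER + bytes(SECTION_LEN - 2 * len(MARKER)) + MARKER
    # 0x10 is excluded so the constructed payload cannot contain the marker by chance.
    dense = bytes(rng.randrange(0x11, 256) for _ in range(4 * SECTION_LEN))
    return section + dense + section + dense


if __name__ == "__main__":
    image = build_sample()
    print(find_marker_offsets(image), bracketed_sections(image))
    for offset, bits in entropy_map(image):
        print(f"0x{offset:06x}  {bits:.2f} bits/byte")
```

On a real image, replace `build_sample()` with the bytes of the firmware file; blocks that stay close to 8 bits per byte are candidates for compressed or encrypted content.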