Hacking a cheap security camera DVR

Andrew Long
4 min read · Oct 30, 2023

I had some free time this weekend, so I decided to poke around at this old DVR for a security camera system (ZOSI ZR08ZN) I had laying around. I’ll be honest — I didn’t have high hopes. It was a bit of a cheap product with very few features. But hey, it has made for an interesting weekend.

Initial Hardware Inspection

Upon opening the case of the DVR, I encountered several key components:

  • Flash Chip: Marked with the label “KH25L12845G”.
  • Headers: Two distinct 20-pin headers.
  • USB Input: Standard USB input for potential updates or file transfers.

Pin Voltage Analysis

My immediate interest was drawn towards the 20-pin header, specifically the one that had visible leads, presumably running to the CPU. Some basic voltage/continuity testing gave me the following results:

Doesn’t exactly look like JTAG to me. There’s a chip on the board that looks to be an RS-485 converter, so I’m guessing this is a much different kind of communication. Note to self: hook this up to the ol’ logic analyzer for the next blog post.

Flash Chip Exploration

The flash chip marked “KH25L12845G” was another focal point. A brief look at the datasheet reveals that this is a typical SOIC-8 SPI flash chip with 16 MB of storage. Not much else.

Incredibly photogenic though

Flash Memory Analysis

To better understand the software dynamics of the DVR system, I needed to dump the flash content. Here’s what I did:

I started by flashing the frser-duino to an Arduino Uno using the following commands:

git clone https://github.com/urjaman/frser-duino
cd frser-duino
make flash-u2

The flash chip was then carefully desoldered using a rework station, applying hot air until the chip released from the board. That part always makes me sweat. Alas, all good. I then seated the desoldered chip into a SOIC-8 socket and put it onto a breadboard. The pin connections were set up as follows:

  • Pins 3,7,8 (WP, HOLD, and VCC) to Arduino 3.3v
  • Pin 4 (GND) to Arduino GND
  • Pin 1 (CS) to Arduino pin 10
  • Pin 5 (MOSI/SI/COPI) to Arduino pin 11
  • Pin 6 (SCLK) to Arduino pin 13

Dumping the Flash Memory

For the actual dump, flashrom was employed with the following command:

flashrom -p serprog:dev=/dev/ttyACM0:115200 -r flash_dump.bin
had to specify the chip to make it work :)

Post extraction, binwalk was used to unpack the filesystem:

binwalk -e flash_dump.bin

Remarkably, I was presented with a complete embedded Linux filesystem (using Busybox, predictably).

Security Analysis

Jumping into the filesystem, I stumbled upon what appeared to be a backup passwd file named “/etc/passwd-”. This file contained a legacy DES-based crypt(3) password hash (what a blast from the past!). With the assistance of hashcat and the rockyou.txt password list, the hash was quickly cracked:

hashcat -m 1500 hash.txt /usr/share/seclists/Passwords/rockyou.txt

The password read “helpme”. I felt this was a cry for help from either the underpaid Chinese developers or possibly the device itself. I didn’t expect much of a fight from the actual /etc/passwd entries, so I was kind of caught off guard. I still haven’t cracked it (maybe I’ll post a follow up). Worth noting: the only entries anywhere are for the root user. Hey, what do ya know, everything must run as root on this thing. Security!
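As an added example (my own code, not the author's), here is a small Python audit that walks a passwd-style file pulled from a firmware dump and flags the weaknesses described above: legacy DES crypt hashes, password hashes left in the world-readable passwd file instead of shadow, and extra UID-0 accounts. The sample file content is constructed for the example, not the DVR's real file.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the style of a BusyBox /etc/passwd- backup (not the
# DVR's real file). The root entry carries a 13-character legacy DES crypt(3)
# hash; "admin" is a hypothetical extra account aliased to UID 0.
SAMPLE_PASSWD = """\
root:ab1a2B3c4D5e6:0:0:root:/root:/bin/sh
admin:$1$saltsalt$hashhashhashhashhashha:0:0:admin:/:/bin/sh
nobody:*:99:99:nobody:/nonexistent:/bin/false
"""

# Prefix-to-scheme map for modular crypt formats; no prefix means classic DES.
HASH_SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}

@dataclass
class Finding:
    user: str
    uid: int
    scheme: str
    issues: List[str] = field(default_factory=list)

def classify_hash(pw: str) -> str:
    """Identify the hash scheme of one passwd password field."""
    if pw == "":
        return "empty"
    if pw in ("x", "*", "!", "!!"):          # shadowed or locked account
        return "locked-or-shadowed"
    for prefix, name in HASH_SCHEMES.items():
        if pw.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):  # 2-char salt + 11-char DES hash
        return "descrypt"
    return "unknown"

def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per account, with a list of security issues."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if not line.strip() or line.startswith("#") or len(parts) != 7:
            continue                          # skip blanks, comments, malformed rows
        user, pw, uid = parts[0], parts[1], int(parts[2])
        f = Finding(user, uid, classify_hash(pw))
        if f.scheme == "empty":
            f.issues.append("empty password field")
        if f.scheme == "descrypt":
            f.issues.append("legacy DES crypt hash (8-char max, trivially brute-forced)")
        if f.scheme in HASH_SCHEMES.values() or f.scheme == "descrypt":
            f.issues.append("hash stored in world-readable passwd instead of shadow")
        if uid == 0 and user != "root":
            f.issues.append("non-root account with UID 0")
        findings.append(f)
    return findings
```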

What’s Next?

Well, I still haven’t touched the USB functionality. First glance at the update code looks a lot like a possible command injection via file name. Definitely looking forward to getting some more time to defile (I mean test?) this thing. I’m still kind of laughing at the lack of basic security on a device literally made for security. Hopefully I can report back soon. Fun times.

Check back soon!


Andrew Long

Principal Product Security Engineer @ Flock Safety. Avid security researcher, dedicated father, and nerdy analog electronics collector.