threadssetr.blogg.se

1. #REOLINK CLIENT WINDOWS INSTALL UPDATE#
2. #REOLINK CLIENT WINDOWS INSTALL SOFTWARE#
3. #REOLINK CLIENT WINDOWS INSTALL CODE#
4. #REOLINK CLIENT WINDOWS INSTALL CRACK#

If Reolink has compiled the extra functionality out, then the least the camera could do is give me a shell. The dvr binary for that camera was nearly 8 megabytes, while my victim’s was only a little over 3.Ĭlearly, the engineers compiled out the unneeded bits.

#REOLINK CLIENT WINDOWS INSTALL UPDATE#

The camera exhibited a remarkable lack of behavioral reform: no new ports opened, nothing.įor comparison, I downloaded and unpacked a firmware update for a different Reolink camera that did support RTSP. $ flashrom -p ft2232_spi:type=2232H,port=A -w pwned.bin $ dd if=new-squashfs.img of=pwned.bin bs=1 seek=$((0x370000)) conv=notrunc $ mksquashfs new-squashfs-root/ new-squashfs.img -comp xz -b 262144 -all-root -noappend I desoldered the flash and soldered on a socket instead. I was wanting to try out a really neat little SOIC socket I had discovered and ordered on Taobao a little while back.

My previous disassembly of the camera has already indicated that it uses SPI NOR flash-bog standard for a small Linux system like this.

#REOLINK CLIENT WINDOWS INSTALL CRACK#

With the protocol not immediately accessible, it was time to crack this camera open. This is just a cost-saving measure and definitely not vendor lock-in, hmmm? Pwning the camera So “all” I’d have to do is reverse engineer the rest of the protocol.Įasy peasy, right? Why doesn’t this camera support RTSP?Īs a quick aside, it’s natural to wonder why this camera doesn’t support RTSP and/or ONVIF.Īfter all, plenty of other Reolink cameras do.īecause I’d like to give them the benefit of the doubt, I’ll propose the possibility that Reolink ran out of storage on this camera and had to axe some features.Īfter all, a 16MB flash chip would cost a whole 20 cents extra. I felt pretty confident that the underlying video was using a well-known protocol (especially since the camera seemed to have dedicated video encoding hardware). In order to figure out whatever encryption and/or obfuscation the protocol was using, I planned to reverse engineer the firmware. Now Wireshark could show me the payload lengths and message IDs. This was easy and fun: Wireshark lets you write dissectors in Lua ( disclaimer: your definition of fun may vary). With what I knew, I was able to write a “Baichuan” protocol dissector for Wireshark using Mika’s awesome tutorial. In my experience, such tools immediately pay back your time investment by a factor of 4 or more.

Dissecting traffic with WiresharkĪlways, always spend time developing debug or analysis tools. Time to extract what I could-the header layout was correct-and move on.

#REOLINK CLIENT WINDOWS INSTALL CODE#

The payload appeared to be encrypted in my captures.įurthermore, the code wouldn’t even run due to some questionable pointer juggling. On a lark, I Googled this, and actually found a project on GitHub from 2015 which was attempting to retrieve data from Swann cameras!Ī quick look at the code told me that although they share the sync word and packet header, the protocols for my camera and these older cameras were very different. The only thing that jumped out to me was the appearance of a sync word at the beginning of each packet, 0xf0debc0a.

#REOLINK CLIENT WINDOWS INSTALL SOFTWARE#

The end result is a new piece of open-source software called Neolink, which allows Blue Iris, Shinobi, or other NVR software to receive video from unmodified Reolink cameras.Īs a first step, I fired up Wireshark and captured traffic between the camera and its official Reolink PC client 1. Most non-triumphant.īogus enough that I decided to pwn the camera, reverse engineer the protocol, and write my own software to get the video stream. This was, in the immortal words of Bill and Ted, bogus. Then, barely outside my return window, Reolink updated their support page to say that the cameras would only work with their 8-channel NVR or proprietary viewer apps. However, I bought these cameras because I believed they supported open standards such as ONVIF, so I’d just swap the NVR for a copy of Blue Iris running on my server.Īt the time, the Reolink support page clearly indicated that all of their non-battery-powered cameras supported RTSP.Īfter the system was installed, it became apparent that the cameras did not in fact support RTSP-the only port open on them was port 9000. Unfortunately, the NVR is pretty anemic: it’s clearly an existing model with slight changes to support 4K cameras, and it struggles to support more than one viewer at a time. It came in a “kit” of six cameras and an NVR (a dedicated recording box that also powers the cameras). It’s fairly nice hardware, actually-it has a 4K video sensor, a microphone, power over Ethernet, and is nominally waterproof. Way back in late 2019, I dissected a Reolink B800 IP camera to demonstrate the various parts of an embedded Linux system.