Breaking a Proprietary Chinese Encryption Protocol - Hacking the VStarcam CB73 Security Camera

I've managed to deobfuscate the original function. I was thinking about copy pasting it into the comments, but I rather made a pull request to the repo.

DEF CON 33 audience will be cheering!!

As a developer, I'm more looking for words like "Industry Standard" and "Peer reviewed"

80% of this video is flying over my head but im here because i can relate very much with your excitement! great work

The Encryption being broken is a feature not a bug

No doubt the jpg snapshot sent to the cloud is for thumbnails to show in your app, or something similar. But I imagine somewhere in CN there is a massive video wall with access to millions of "secure cameras" 😀

Matt: "I certainly do not trust this Chinese device".
China: "We certainly cant trust this Matt guy exploiting our devices".

Such an underrated channel... Fun and educational at the same time, great work, Matt!

I think what you call SEED is actually just the key. It is computed once initially by the portion of the decryption function that you skipped, and then for each byte of ciphertext:
1. 1 of the key's 4 bytes is selected based on the lower two bits of the previous ciphertext value: *(byte *)(SEED + (PREV & 3)) // remember that SEED here is a pointer
2. The previous byte of ciphertext is added to this byte, and the result is truncated to 8 bits
3. The result of this is used to index the table / S-Box.
So the only reason why you even had to go to the effort of brute-forcing the seed is because you had the lookup function wrong - it's really just a 32-bit key generated with zero entropy.

Great video! What I would personally do is not only looking at the decompiled code and look the disassembly as well as Ghidra gets confused now and then which may (or may not) explain some of the unknown code.

Impressive and so out of my area of expertise but so glad you guys exist and do this stuff for the benifit of the rest of us. Now only edit the findings together with some scary pictures, add some music and a David Attenborough voice over and its ready for the documentary secion of any stresming service

When I first started working on embedded systems with encryption requirements (1989) I did just that. The device was still in use 20 years later, by which time I was supremely embarrassed. Can't mention the product because it was military.

The mystery function is a hash function, it takes in and arbitrary length key (first parameter) and produces a 4 byte hash. Not sure what hash function this is, but the idea is the same as with something like PBKDF but jusy infinitely less secure.
Edit: the reason why you only have 4 possible "seeds" is because the hash is only 4 bytes long. The hash, or as you called it "seed" is infact the main decryption key, derived from a string passed in the first argument.

Imagine flooding the market with these devices solely to provide cover for your agent's clandestine communications with the home country.

You definitely should have had that camera sending pictures back to China while you were dismantling their amazing proprietary code. Doubt they look at the pics, but a hilarious thought none the less.

Matt I would like to say that you are inspiring me to invest more into binary reverse engineering, Thank you.

Proprietary encryption: xor cipher

This guy looks a lot better _without a hat_ but the content is always pure gold regardless

This is an excellent series to follow.

This camera series was awesome. Loved it.

I think SEED is some kind of struct that has 4 fields or it's even easier if you consider it an array. You didn't show the SUB41/CONCAT functions but I'm assuming they are some sort of deterministic way to create a seed based on a key (the key being the first parameter, param_1, which ironically is used only for a single character [the last one or the 21st, whichever comes first]).
The reason it's passed as a pointer is because they do pointer aritmetics to get to one of the 4 fields depending on the last 2 bits of the previous character. The math it does looks strange due to compiler optimizations/ghidra having problems to decompile it, if you interpret SEED as an unsigned char array of size 4 it would look like this:
TableIndex = (prev_character + SEED[previous_character & 3]) % 255
Key = P2P_Table[TableIndex]

Awesome work. You are extremely efficient. If you spent a week in that function, I’d have to spend a year in it.

So cool that you can figure that out and write python to decrypt... Great video.

VStarcam: Matt, STAAAHP!

What you want in encryption is "known implementation but still secure". If you cant break it even if you know how it works....

Basically, a one time pad being used more than one time. One of the two classic blunders!

I have to imagine all these chinese companies register their "encryption" with the government to include pre-built decoder filters in the transport infrastructure at local ISP that if/when they want, they simply replay whatever they want from anyone that crosses the great firewall.

funny that it works anyway, because looking at the ghidra decomp, it shouldn't be "seed + (prev & 3)" but "seed[prev & 3]" that shows how secure is it.
my guess about the code that you couldn't understand is that it encodes the 4 seed bytes into an int32 or that seed is of type byte[4]. (with some shenanigans based on the first parameter)

Decompiler (e.g. Ghidra) can't be fully trusted because compilation is a process which may drop part of high-level info which is necessary to recover original source code. Ability to read assembly code is very helpful to security researchers in that they may come across obfuscated code, boot loader, hand-written assembly, etc. Ghidra is a highly advanced tool which can speed up reverse engineering but it can't replace human reverse engineer.
PS: This encryption is weak...

Awesome work Matt ,I've been looking into cam FWs my self and found some interesting stuff (like some sort of cyrpto miner on a V380 cam) ,but if I had your programing skills I'd rather make DeClouded FWs for these Kind of Spyware so people can buy cheap stuff and use them safely in there HA projects ,instead of E-Wasting a ton of potential (I bet it would help the Channel a LOT as there are lots of people trying to do so)

All this made me realize that I need to build my own damned security cams. Thank you for all you're doing

Im learning something everytime you post. Thankyou!

the wireshark light theme frying my eyes out

Mmm, pickled seeds. That actually might taste good with pumpkin seeds!

Encrypting a data stream with a non-encrypted key.
"That's a bold strategy Cotton, let's see how it works!"
-- Dodgeball

You are some high end professional hacker,

can you do an episode about installing custom firmware on it?

Love these videos! I know you don’t claim to be an RF expert, have you ever thought about reverse engineering a cellular PiHat? I would love to see the results

I think this is the pseudo-code for that part:
int j = 0;
while ( j < strlen(param1) && j != 21 )
{
v10 = param1[j++];
LOBYTE(seed[0]) += v10;
BYTE1(seed[0]) -= v10;
BYTE2(seed[0]) += v10 / 3;
HIBYTE(seed[0]) ^= v10;
}

Very cool stuff. Your videos are inspiring as all this seems pretty accessible even without high end tools. What you really need is the curiosity to dig in deep.

23:54 The Python 'get_lookup' reveals the potential for an out-of-range index into the lookup table :-) It was present in the Ghidra decompiled code as well, but Python made it jump out of the screen at us. So maybe there's a hidden buffer overflow exploit lurking in the bushes too. It can happen when at least one of the four 'seed' bytes > 0x7F.

A lot of interesting knowledge shared in a great manner, thanks Matt!

Thank you. The &3 seems to be strange, maybe originally thought of one additional layer of rotating.

Awesome channel … THANK YOU!
I head up our radio comms system at work. (Public safety)
We USED to utilize ARC4/ADP (Motorola) encryption because it was “cheap”.
After being made aware of the vulnerabilities, we decided to go with AES-256.
I always have a sneaking suspicion that the same “intelligence community! that protected Pederast Hunter Biden also somehow managed to have vulnerabilities added to AES-256. I’m no expert, but I love my country and fear the prying eyes of my government - actually , ALL governments !
Thanks again for a great channel!

My god this guy is the biggest nerd, to ever walk this earth.

Jim Carrey as "Hacker" =D LOL.

Awesome video! But please do something with your mic next time, thanks! :)

I have little to no experience with decryption, but i like being submerged into this video A LOT

That was my first thought, a simple substitution maybe with a little bit shifting. If I understand correctly, that's essentially what it is.

Hail to you, Champion!

Awesome video! Looking forward to the next one 😁

I really enjoyed your content, looking forward to future videos!

Spotting bytes made me hungry. But I like to eat WHEN i'm hungry.

1st thing i would of done is passed back he decrypted value as encrypted to see if it reverts back to the value you past, likeall the n;s turning back into a's again then i prolly would of put the whole aplhabet in and see what comes out lol

That encryption algorithm is a hazard, man! I just wrote a comment, trying to analyze and point probable intentions and errors out, but i deleted it, it had no end....

At first I was ... whatever.
20 minutes in, Schneier+Turing intensified 😛

Thanks! Really good and informative, as usual!

Have a chinese camera called LS-WL342-20X LS Vision. Would love to see what you can do with it. Its a camera that you would think once you've bought it, you have access to all of its features, but apparently they make you pay more for what should already be apart of the firmware.

Hey man appreciate this video series. You do a great job of explaining exactly how you got to where you are with this process. I also think your thought process on decrypting the proprietary crypto was awesome. Proof not to roll your own crypto lol

I definitely like watching your video,, I,m learning as we go. Thank you!!

cryptogram and clear text, are the naming conventions there Matt;)

Fantastic Video! Thank you for sharing and all your effort ( :

Bro is the hero we didn't even know we needed

Hey Matt, amazing videos, keep the super work up, very informative.
Would you be able to hack Glinet routers? Anything similar to the portable ones similar to GL-MT3000 or GL-AXT1800?
Those devices are apparently very secure, they receive regular updates, would be interesting to see if there any suspicious activity going on.

Are you that guy from "Is it a good idea to microwave this?"

Your get_lookup function is somewhat wrong, bc it should not add (prev & 3) to the seed byte, but instead use (prev & 3) as a byte index of the seed. It would be more correct to declare seed as byte[4] instead of an int, and make SEED argument of the LookupElement function byte*, so that it is more obvious.

Amazing work! Thanks for sharing!

Excellent work and thank you for explaining your steps.

Amazing job! Thanks for sharing.

I can only imagine the horror of the Chinese engineers listening to Matt make this video.

22:15 The "SEED" is actually a proprietary hash of the "secret" (hardcoded) password and that's used as key for the actual encryption. And the actual encryption seems to be nearly static byte substitution cipher with slight obfuscation. I would guess the skill level of the original coder that implemented this is somewhere around first year CS student in university. You definitely shouldn't be trying to create your own encryption algorithm with that kind of skills.

Dude. What's it like being married to Mavis from hotel Transylvania?

Great work. Thank you!

Can anyone prove that proprietary encryption is worse than no encryption at all? Putting anything on servers in China is way up there, but I still think doing so without even basic encryption is maybe 1% worse for privacy.

I have some old security cameras lying around, perhaps I should do something similar.

Please collab with John Hammond , you have something unique to give among all the cybersecurity youtubers , and i would live to see your channel go boom

Absolutely love your content and your explanations

And I was calling WEP "WEt Paper bag" encryption ... so this must be something like wet toilet paper encryption in comparison!

That 4 byte hash function could be the crc32 hash function (?) Maybe

This video is your daily reminder that rolling your own encryption algorithms is nearly always a bad idea. It's hard to do it well, let alone robustly.

Proprietary encryption violates Kerckhoffs' principle fundamentally and suggests, at best, a severe misunderstanding about crypto.

This just hurt my brain.... In a good way 😂

35:32 lol. that's a little funny considering you're posting this to TH-cam

Nice video, now my immediate thought was wether you can encrypt a jpg file with malware on it and send it China, try and gain access to the server. How cool would that be?

[data] XOR 0xCC (CC as in CCP) - 'All your passwords are belong to us'

The mystery function reminds me of the Mersenne Twister or similar RNG (random number generator) algorithm. I haven’t played with your code but only gut feeling comment. Ideas?

Maybe its me misunderstanding Ghidra, but at 22:22 doesnt that mean the reference is simply used AS the seed, as in the pointer value to the memory on the stack. Makes me think the entire contents of the SEED value is absolutely useless and they are just using the address of the SEED instead.

what's your pogo pin setup? How do you keep the pins in place without having to hold onto them?

This looks to me very likely to be derived from RC4 S-Box.

I don’t know… I find some comfort in Apple being snobby and having their ways. I have dipped my foot back in the pool and using Windows laptop and Android phone (my side pieces), and the Google phone is ok but not as good as the iPhone, and the Windows laptop plays video games ok I guess, but pales in comparison to a MacBook. My Mac lasted for eight years with no issues until the hardware outlasted the software updates. The Windows laptop… even with protection… in less than a year it was subject to a DNS attack, and I was pretty darn careful. My faith in most of these products has been shaken, and I think I am sticking to cellular everything using zero WiFi.

china is really on dat sauce

I would have reversed the decrypt and encrypt functions in the android phone app since java is easier to reverse engineer

How are you finding these things with proprietary encryption in the first place? I'm into cryptography but want to get into hardware stuff and this sounds super cool. But I don't know what I would even look for to find something using proprietary encryption

I think the biggest thing this shows is disable the console output when you release a product.

This is really great tutorial + educational

That's a really nice video. I learned something new from it

This series was excellent.

10+ Chinese have thumbed down this video

Wait, wait, wait... You did not explain wheredid you get that binary from? Was it a daemon from the camera? How did you mount the filesystem?

I guess the most important question is : Are these products stealing private data? Have rouge commands come in to take snapshots and send them back out to the ethernet?
That would probably need time to observe.