i extracted the secrets of my son's baby monitor
Science and technology
My wife and I are having a baby. I, being a security researcher, have been tasked with the fun job of buying all the gadgets. I wanted to make sure that my son's baby monitor wasn't able to be hacked. Baby monitors have been the topic of TONS of security research over the last ten years.
In this video, we explore the process of extracting the firmware from the DXR-8 Pro by Infant Optics, and see if we can prove that the signal between this device and the camera is encrypted. This is the second video in a series of videos where I audit the security of the device and see if it's safe for me to use when little homie arrives.
Video Inspired by @BenEater ( • Hacking a weird TV cen... )
🛒 GREAT BOOKS FOR THE LOWEST LEVEL🛒
Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
🏫 COURSES 🏫
www.udemy.com/course/c-progra...
🔥🔥🔥 SOCIALS 🔥🔥🔥
Low Level Merch!: www.linktr.ee/lowlevellearning
Follow me on Twitter: / lowleveltweets
Follow me on Twitch: / lowlevellearning
Join me on Discord!: / discord
Comments: 521
I've gotten LOTS of questions about the shirt! Merch can be found at lowlevel.store Thanks for watching!
@adderek
1 year ago
Should be "Everything is open source if you can read machine code/opcodes" ;)
@wulliest
1 year ago
I love the shirt - it's a shame there's no UK / EU option.
@everythingpony
1 year ago
Any update? Is it safe?
@cobwebblocks
1 year ago
invalid config atm :/ "Only one step left! To finish setting up your new web address, go to your domain settings, click "Connect existing domain", and enter:" website domain can't say the domain probably (youtube does not like links)
@derpsakry4464
11 months ago
@@everythingpony yeah we need to know
The "h264enc" symbol you refer to at 7:09 is likely to do with an H.264 video encoder, not any encryption.
@awli8861
1 year ago
Finally someone noticed
@xiki1506
11 months ago
🧠
@sanantohomie
10 months ago
@@awli8861 not every person knows "everything" in terms of puter speak - especially if you are looking at it through a lens that already wants to "see" the word encryption. For video people, the enc is obvious; to others it's not.
@TheBarretNL
10 months ago
@@awli8861 Yeah we wasted our time on this one, dude had 0 idea wtf he was doing.
@TwoLeggedTriceratops
10 months ago
Y he didn’t know dis
Build your own camera/monitor. You already know these products do not have professional programmers writing the code. At best, the poor hardware guy has to write the code. At worst, they outsource to a questionable country.
@LowLevelLearning
1 year ago
I honestly considered this at first. Alas, I procrastinated.
@sudiir12345
1 year ago
Well, if you plan on making one in the future and require someone to design PCB or write some embedded code, LMK, Happy to help
@nil0bject
1 year ago
@@LowLevelLearning if you have any spare raspberry pi's or other low powered linux sbc, plug in an arducam, get a wired or bluetooth mic and speaker, install homebridge/etc and add it to your smart home security system. i do this for my dogs
@daliuskal
1 year ago
By the time he's finished making his own baby monitor he won't need it anymore
@milesprower6641
1 year ago
@@LowLevelLearning mood
It's fortunate that the RTOS has a command shell at all; I do embedded programming, and very few of our products have any interactive monitor or shell at all; I have a module that I use during early development, but it is never included in the build for the versions that go through security or quality testing since it would be a potential attack surface. Even the devices with Linux as the RTOS have the serial drivers hacked to only support output.
@user-fm7uq4fb3f
1 year ago
You would be surprised how many devices out there just straight up give you a root tty or the bootloader's console on some random UART port on the PCB. There's also JTAG, SWD and stuff like that which often just stay enabled and provide handy little test pads or unpopulated rows of pins as well. The Xbox 360 for example could be hacked early on by jacking into some JTAG pins that were left easily accessible to anyone
@HappyBeezerStudios
1 year ago
That reminds me that my DVB-T receiver has what looks like a serial port on the back. Would be interesting to look into that.
@TinkerWorX
1 year ago
It is honestly a bit concerning. The products I've worked on we also have a very simple terminal for use in debugging, but it's never part of production.
@mishaproduction
1 year ago
My old security camera DVR had the root filesystem mounted as read-write, open telnetd, and open uart with root.
@TheEvilWalrusLord
1 year ago
This video and these threads making me realize I know actually nothing
Actually, just having encryption is NOT the end of the story. Of more importance, once you have confirmed that it is using encryption, is that it is using the encryption properly (correct and robust crypto mode) and also handling keys properly and securely (i.e., session keys or a user-specified key, and not a fixed key stored in the firmware image). So many devices link in a crypto library and then either don't use the crypto correctly (e.g. using ECB mode to get around sync issues), or they hardcode a keystring in the software that every device on the planet uses...
@autohmae
1 year ago
The Snowden documents showed: the crypto is usually pretty good, but the code around it using the crypto is often broken in all kinds of ways.
@wolphin732
11 months ago
@@autohmae WEP... if it was implemented correctly and had been designed by a crypto engineer... would have been reasonable... but it wasn't so had major flaws.
@autohmae
11 months ago
@@wolphin732 WEP is one of those self-made cryptos... no real expert was involved as far as I'm aware. And what a mess it was.
Seeing or not seeing a symbol/string for encryption would not tell you whether it's actually using encryption or not. Try to look for uint8_t array[16] or general mentions of lengths of 16. The chip could have built-in AES encryption. Also, don't forget that production code is more often than not using -Os and -ffunction-sections -fdata-sections -gc-sections etc. to strip down a lot of code. While -Os "generally" doesn't like to inline code, if the function was used only once, there might not be a call to it. As an aside, the standard of encryption in consumer-level hardware is very low. I know this might sound dumb, but some people consider data whitening as "encryption" by obscurity. Best of luck.
@BogdanTheGeek
1 year ago
Forgot to also mention the obvious, most RF chips have built in encryption in the fifo.
@LowLevelLearning
1 year ago
I'll have to look into this, that's a good point. They might have the RF chip mapped as a peripheral and be doing the encryption there.
@BogdanTheGeek
1 year ago
Check for some spi calls as well. Have you identified the chips on the board and found datasheets for the relevant ones? I always start with the hardware so I know what to look for. Especially with reverse engineering hardware, a dead giveaway of what a function might be doing is seeing the peripheral init code, which is easy to spot if you have the datasheet.
@Saturn49YT
1 year ago
+1. It is very unlikely a device like this would be doing encryption/decryption on an ARM CPU for video - it would have to be offloaded to some dedicated chip. Capture the raw data on the "wire" - does it look random or like H.264?
@GamerSuper91
10 months ago
@@LowLevelLearning Hi new subs. how to find the config.bin decrypt key from my modem called freebox pop or illiad box?
H264 is a commonly used video codec (together with H265, VP9, and AV1). That H264Enc function is encoding some video blob. The odd part is that I would expect the camera to encode and the video monitor to decode. Oh well
@samuelblake
1 year ago
h.264 is a tighter video/audio compression so less data needs to be sent wirelessly. Still needs the "CPU umph" on the other end to decode it though (as you stated above). :)
@youhackforme
1 year ago
Might be bidirectional communication
@wkm345
1 year ago
@@youhackforme communication of what? Unless specified (lossless compression), H264 most of the time does lossy compression. What good is information if it might get lost in compression?
@youhackforme
1 year ago
@@wkm345 like two way video communication. In case the monitor wants to send back an image of whoever is watching
@sergeyvas123
1 year ago
@@samuelblake h264 is not video/audio. It's video only.
We're never gonna get that 3rd promised episode in this series, I'm guessing
Great series and very informative. I don’t often work with the hardware side of things, so it’s great to see all the little hurdles you face. I’m looking forward to the next video. Thanks for sharing!
@LowLevelLearning
1 year ago
Awesome, thank you!
A5A5 can't be used in the way stated. In flash you are limited by the number of erases you can perform on a given cell. You can only write '0's, and erasing will give you '1's. So practically you'd have to erase A5A5... before you write. Blank flash is almost always FFFF. A5A5 could be programmed memory for debug purposes or to ensure an invalid opcode. At least in thumb, I believe FFFF may be something valid like move 0 to r0, or somesuch.
@caralynx
1 year ago
Yeah I'd like to know where he got that assumption from. Most manufacturers end up either writing null bytes in unused space or leaving those bytes unprogrammed. Kind of sounds to me like an explanation made up on the spot to explain an observation.
@AlexandruJora
10 months ago
I’ve seen A5A5 used by some RTOS as initial stack memory values so that if a stack overflows its allocated size the RTOS can detect it and call a hook before all hell breaks loose.
06:52 h264 is a video codec, so enc would stand for encode. It is most commonly referred to as x264; the h stands for hvec, as 264 is part of the hevc family of codecs. That's why you may encounter it as h264, h.264 or just plainly x264
Running into "manufacturer default" doesn't mean that you actually have all the firmware. In some chips you don't have equally sized pages, so you want to pack the bootloader and ISR vector in page 0, then store some mfg/NV data (i.e. for pairing), but the actual firmware can be stored in the last page. It is just a matter of the linker script
The user manual for this product shows it uses 2.4 GHz FHSS modulation (not WiFi) , which requires the camera and monitor to be paired. I'll guess the video stream is not encrypted, because there's no possibility of accessing it unless you have a paired receiver within range. I'm enjoying your channel, particularly the reverse engineering content.
@element4element4
1 year ago
But if you have an SDR, say a HackRF one, can't you just capture the RF signals and demodulate it?
@mikegofton1
1 year ago
@@element4element4 I've used an RTL-SDR to demodulate ASK and FM , I'm not sure how you'd go about doing that for FHSS as you need to 'de-hop' the carrier and that requires knowing the pseudo random frequency hop sequence which is set in the pairing process.
@JaykPuten
1 year ago
@@mikegofton1 never underestimate a programmer with a weird... Interest and the lengths they'll go to achieve that goal (See this video as an example)
@user-fm7uq4fb3f
1 year ago
FHSS is not any form of encryption. There was a cool shmoocon talk about it years and years ago I think, i gotta go rewatch it but just hopping frequencies a bit isn't enough
@martinwhitaker5096
1 year ago
I have a similar monitor that uses a proprietary RF link at 2.4ghz. It claims to be encrypted, but quite frankly I don't care. The range, at most, is around 50 meters. The chances of anybody within range having the hardware, skills, time and desire to eavesdrop is negligible. Plus, even if they did they just get the world's dullest video stream of a sometimes sleeping baby.
LLL my man… it’s be so amazing watching you and your channel explode over the last little while. I’m so happy for you and excited to see all the great content to come ! 🎉
Sounds like you need a mixed-mode oscilloscope and capture the data between the chips. Many more expensive ones can save that data to a stream you can then see what happens. Some chips allow the firmware to be encoded not as much encrypted. Big-endian and little-endian also can be an issue.
@GRBtutorials
1 year ago
Or a logic analyzer, which is much cheaper than an MSO.
@davidwhite2011
1 year ago
@@GRBtutorials I will give you that...
The firmware extraction technique is awesome!
@LowLevelLearning
1 year ago
Thank you!
Congrats! Keep it up. So far I think I've seen just about every tool used in the latest DEFCON vids!
Good work! I appreciate that you share your process. Good mixture of technical information without being verbose.
That might be security by obscurity. We'll see what you'll find in RF but I'm guessing that radio channel is somewhat custom or not typical. I admire your effort to go through console. I'd probably desolder relevant IC's and just read them with a programmer ;)
@swim-bike-blake
11 months ago
I am not a security expert by any means. I'm just a sales engineer for a tech firm, but that does mean I get fun toys to play with and have the real enginerds fix when I break them. All that to say, when we set this exact monitor up in our house, our WIPS sensors on our WatchGuard Wireless APs went crazy. It appears to be using straight up standard 2.4GHz on channel 11. WIPS was able to show traffic (this is where I don't have the expertise) but we accepted the risk because the wifi enabled one we used previously (Owlet) made its first hop out of the network to China, then South Korea before trying to establish a connection in the US. My wife couldn't get the camera to work and I found Geolocation policies shutting it down on packet #2 lol.
There are 3 types of hackers: black hats, white hats, and hardware hackers
@LowLevelLearning
1 year ago
4th: BASEDHAT Hackers
@stapler942
1 year ago
Does white hat include ROM hackers? ;)
@BloomSirenixx
1 year ago
@@LowLevelLearning aka hackers of multiple spaces(hardware and software) that are white/gray hats
@BloomSirenixx
1 year ago
@@stapler942 yes :D
Hey that’s the kind we have! I wasn’t sold on the encryption claims myself, but ultimately I decided that the fact that it was a locally-paired 2.4GHz camera limited our attack surface to just our neighbors so it was probably okay. I’m looking forward to seeing what you learn about it :)
Just 2 minutes into the video and I've already learned a lot. Great content, new sub. Thank you!
Nice video! One thing that I've seen in several products who go the ASIC route is putting the crypto routines into the mask ROM. Depending on how privilege isolation works (or does not work) on your device you might just be able to dump the crypto routines straight out of ROM. It's often-but-not-always mapped starting at 0, because the boot vector table needs to be there anyway and often comes from mask ROM. If they do implement some form of execution isolation, like a separate page table, then it can be harder to dump. Looking forward to the next video!
Just subscribed. This kind of content stimulates my inner nerd. I can't wait to see what you found!
I was thinking about your efforts, and it occurred to me that folks have probably built Baby Monitors using Raspberry PI's and that they are probably about the same price or cheaper that way than buying them off the shelf. I have not studied the projects, so not sure if they include Encryption, but I'll bet that's easy to add - comparatively. So, you might consider doing another video after this project to analyze the RaspPi baby monitors projects out there and if they don't encrypt, then fixing one of the projects so it does. Just a thought. I'm following you to see what you find. Cheers.
One thing but before I state it, I really appreciate your effort and engineering skills. I appreciate the device chosen and the genuine story of concern too. Here’s the thing- wouldn’t you want to see the encryption be on the camera and decryption happening on the monitor? I also feel there are many other methods of encryption and it may not be so literal in the code.
I've just gone through my YT homepage asking for every channel with a 'shocked face' thumbnail never to be recommended again.
Awesome video. I love watching people reverse firmware, it's kinda like a detective movie. I actually tried my hand at reverse-engineering some firmware too, well, I crashed and burned on that hill. My problem is that I don't want to take the device apart, so I tried using the update image, but binwalk just showed some corrupted stuff, and in the end I figured it's compressed, but no idea how to decompress it. It's raw deflate I think, so if you know any tools to decompress that I would be glad.
@user-fm7uq4fb3f
1 year ago
What device/firmware? I could take a look at it if you want, I love messing with firmware lol
Great video 👏 waiting for the next one. I realized how easy it was to get video from my web cameras that use the RTSP protocol.
Love the video, really interesting, and your shirt says it all, a true mantra. But imo I would have instantly gone intercepting the packets of data between the monitor and the camera, however that wouldn't make as good of story line for the video series. Teaching and showing practical purpose, I take my hat off for you sir.
Where do you normally stream? Will def follow along your vids my dude :D
I love this channel and community. I had a good time watching you hack this one, learned a bit too.
*somehow* this dude actually knows that 10100101 is manufacture default memory value, but *doesn't* know that h264 is mpeg encoding
7:18 "H264" is famously a Video Encoder, like MPEG2 but newer and better. Others might have grabbed a $20 SDR dongle and examined the over-the-air signal to see if it's encrypted or not. 7:35 - yeah that. :-)
I have no idea how i didnt discover this channel earlier. This is amazing content, thank you!!!
good stuff, i have to visit you on a stream one day because ascii dump and then riding with regexes was what i initially thought when i saw the RTOS's memdump interface ;d can't wait till the next video when i could challenge my own thoughts regarding capturing and decoding packets :)
Congrats on being a father ... Could you dump an Android firmware, bootloader, and all that good tihs.
@InfiniteQuest86
1 year ago
It's possible, but it's much easier to just go online and download those. It's available for all devices for free.
If it's encrypted there needs to be a method of key exchange. It sounds nice to encrypt but it's a hassle if the key fails. With powerline I need to restart the devices every month because the encryption key fails after a month or 2 months. Even if it's encrypted there is a problem with the key exchange: a static key for all devices isn't very good as all devices use the same key. But it's better to use a simple XOR static key than nothing at all. Even a static AES key is sometimes used in the firmware world and you find examples in the datasheets all over the world.
YESSS!!!!!! I have one of these due soon and wanted to do the same thing but im not smart enough. Thank you!!
This video is such a perfect advertisement for your Twitch, haha... As soon as I recognized that you streamed this whole thing, I followed you.
Can't wait to see how the RF capture works!
My guess was that encryption was an idea at some point but got screwed because of performance. Can you tell, if a UDP port for the videostream got used? If yes, it COULD (not a "must" tbh) be a lil sign. Also is there any way to get a GUI, for "normal" configuration? if yes, maybe you can toggle there on the enc
WHAT A COOL VIDEO! I am so impressed and excited to see what's coming!
This is really interesting stuff. I don’t understand a lot of the software side of things but I appreciate the work involved. Now, bear with me here because I realise I know nothing compared to the rest of you guys, but my first question would be “Who and why would someone go to the trouble of hacking in to my baby monitor?” I’m all for protecting your children (I have four of them!) but surely someone would need to know I had a specific type of camera, know I had a baby to watch and then be in range and have all the appropriate equipment with them and the time to do it. Having asked that, I still understand the value in reverse engineering stuff like this and the learning potential of it. Thanks
This guy is smart, I am really enjoying this series.
I would probably have started with capturing the packages and analyzing them, but your approach is also interesting.
Why would someone hate regex ... it's awesome.
hey great vid my dude. in the future when you dump the firmware i believe it would be easier to translate the flash dump if you just made a list of the memory addresses same as you did, then piped the address data into the strings linux util, or alternatively something like binwalk, or even a tool like cyberchef
Every so often I like to humble myself by listening to smart people talk about subjects I know nothing about. This video served me well.
Cool! I couldn't find the RF data capture video... did it disappear?
Cool shirt man! Loved the vid 👍
I may be wrong here, but from my experience you can only write a flash bit from 1 to 0, if you want to do a 1 you will need to erase the whole page. So those A5 could have been out there to make sure no one could put any code there without erasing a larger block of flash possibly bricking the device
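The flash-programming point made in this comment and in the A5A5 thread above (bits can only be cleared 1→0; setting them back to 1 needs a page erase, and erased NOR flash reads 0xFF) and the advice further up to judge a dump by whether it "looks random or like H.264", as one added example that is not code from the video or the vendor. The dump it analyses is constructed, the window size and entropy thresholds are heuristic assumptions, and the meaning of an 0xA5 fill is taken from the comments above rather than from any datasheet:

```python
"""Segment a firmware dump by byte statistics and model in-place flash writes.

Added example (not from the video or the vendor). Assumptions: erased NOR flash
reads 0xFF, a window of identical bytes (e.g. 0xA5) is a fill/guard pattern,
windows are 1024 bytes, and the entropy thresholds below are rules of thumb.
"""
import math
from collections import Counter

WINDOW = 1024  # bytes per classified window (assumption)


def shannon_entropy(window):
    """Bits per byte of a window; 8.0 means every value appears equally often."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def classify_window(window):
    """Label one window: erased, fill:XX, sparse, code/data, or high-entropy."""
    if window.count(0xFF) == len(window):
        return "erased"                    # nothing programmed here yet
    if len(set(window)) == 1:
        return f"fill:{window[0]:02X}"     # e.g. A5 stack/guard fill
    h = shannon_entropy(window)
    if h >= 7.2:
        return "high-entropy"              # compressed, encrypted, or video payload
    if h < 3.0:
        return "sparse"                    # tables, padding, mostly-zero data
    return "code/data"                     # typical instruction/string mix


def segment_dump(blob, window=WINDOW):
    """Merge consecutive equally-labelled windows into (start, end, label)."""
    segments = []
    for off in range(0, len(blob), window):
        chunk = blob[off:off + window]
        label = classify_window(chunk)
        end = off + len(chunk)
        if segments and segments[-1][2] == label:
            segments[-1] = (segments[-1][0], end, label)
        else:
            segments.append((off, end, label))
    return segments


def program_without_erase(old, new):
    """Model a flash program cycle: bits can only go 1 -> 0, so result = old AND new."""
    return bytes(o & n for o, n in zip(old, new))


def can_program_in_place(old, new):
    """True if `new` is reachable from `old` without an erase (no 0 -> 1 bit)."""
    return all((n & ~o & 0xFF) == 0 for o, n in zip(old, new))


# Constructed dump: erased region, A5 fill, two code-like windows (64 values
# used uniformly -> exactly 6.0 bits), a dense window standing in for
# compressed/encrypted data (exactly 8.0 bits), and a mostly-zero table.
SAMPLE_DUMP = (
    b"\xff" * (2 * WINDOW)
    + b"\xa5" * WINDOW
    + bytes((i * 7) % 64 for i in range(2 * WINDOW))
    + bytes(range(256)) * (WINDOW // 256)
    + b"\x00" * (WINDOW - 24) + b"\x01" * 24
)

if __name__ == "__main__":
    for start, end, label in segment_dump(SAMPLE_DUMP):
        print(f"{start:#08x}-{end:#08x}  {label}")
    print("FF -> A5 without erase:", can_program_in_place(b"\xff", b"\xa5"))
    print("A5 -> FF without erase:", can_program_in_place(b"\xa5", b"\xff"))
```

Two caveats follow from the model: a region that reads 0xA5 has been programmed, so it cost an erase cycle and is not "blank"; and a high-entropy label alone cannot separate an encrypted stream from a compressed H.264 one, which is why the comments that suggest looking at the RF side or the codec framing are the right follow-up.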
I would have just started with trying to pick up whatever it was sending over the air, which is easier if it's a WiFi device that sends the information over your personal network or some will over the internet (for creepy baby watching at home while working I guess), as that's a quicker job to do... Though I am curious what radio spectrum it uses to send the audio and video (I've never owned a baby monitor). Though to be fair this isn't the spirit of the channel, and you never know when someone wherever the firmware was made put in a super easy backdoor for watching random babies...or houses. I'm also not so much a hardware hacker which is why I love this channel
@Dratchev241
1 year ago
in the USA it would have to be a band where fcc part 15 transmit is allowed. so likely 2.4ghz.
The "uhou ! We're hacking!" Killed me 😂😂
Any plans on uploading the stream here? I'd really like to watch it from beginning to end since I recently had a similar project and I'd like to compare notes and learn from your methods.
That’s funny, at the beginning of the video I was thinking “it would be easier just to look at what is actually being transmitted”.
I was recently using a kids' walkie talkie with about a 60ft range and picked up someone's baby monitor. The lady on the other end was mortified. I told her I was as shocked as she was, apologised, then promised to use a different frequency LOL
Your channel is so undervalued!
Your shirt.. oh man, that got me laughing. I love it!
great channel! awesome video! and very cool t-shirt man! congrats
H264 is a video encoding format. It is not encrypted if that's all that's in there.
new to the channel, really cool stuff you do
As a viewer, it would’ve been good to know at the beginning that it’s not a wifi based monitor. That fact makes it so much more secure alone. Encryption on top of that is a nice cherry on top though
encrypting the firmware allows them to ensure signed and unmodified updates. plenty of youtubers willing to modify firmware, make a video, and farm ad revenue by scaring people....
Just want to say. My company uses chips designed by sonix. And we hate them with passion. My best guess would be the communication is not encrypted or it's a simple ROT13/XOR cipher. Personally I wouldn't touch anything that runs on a SONIX chip alone, without some secondary CPU to mask SONIX's buggy firmware.
Nothing was found "Found Something Concerning."
This is how a programmer who’s a father shows his love for his kids - by making sure their data is encrypted. But for real, those home videos of a baby monitor getting hacked and some random talking to your kids through it when you’re asleep or in a different room not actively watching the monitor is absolutely creepy as fuck. These systems should be encrypted by default.
There are two kinds of people: those who hate regex, and those who get shit done.
Sonicare toothbrushes have several programming pads inside (easy to see in teardowns online). Not sure how interesting they are, just FYI
Learning about firmware lately, thank you for this great lesson. Any advice on how to read/open an *.ufw file? (Firmware Update File)
I can't find the video with the RF capture. It's hard to tell which videos are part of the series when they're not numbered.
@LowLevelLearning
1 year ago
RF video isn't out yet. I'm still working on it :) Thanks for watching!
H.264 is a video compression standard (in fact the same one used by youtube) so not related to encryption, unfortunately
Your shirt has a point there... Needs an asterisk though, with something like "though nobody can read your code, if your code isn't readable". Talking about those malware guys using obfuscators on their (just-in-time-compiled, interpreted) JavaScript and Python code.
Ngl, I'd probably have started with RF sniffing and skipped trying to get a shell and pull data from the device
Baby monitors are not encrypted. When I was in the army, we would do convoys from one base to another and in one housing project that was close to the freeway I would always get three baby monitors. One day the mother came charging into her baby's room screaming "who's there?" It was then that I realized our radio frequency for convoy was the same one her particular baby monitor used. I made a note in the convoy notes on the location for further briefing of convoy vehicles, not to use our SINCGARS radios within a half mile of that location. I informed the mother that we were a military convoy en route and that we would be out of range within one minute's time. After this determination, it became SOP for our convoys not to transmit on the stated frequency plus or minus half a mile from said location. I can only imagine her sitting in the living room while her baby was sleeping only to hear a bunch of men talking weird mumbo jumbo in her baby's bedroom.
If I had a dollar for every time I dumped some memory by repeatedly reading hex encoded memory regions out through the uboot serial console lol Nice video, I was thinking maybe you should just take a look at the rf right before you said it :D Are you gonna use something fancy that can transmit too or just use some RTL-SDR to prove its not encrypted? If you use something with a transmitter you can go a step further and inject your own video signal into the baby monitor and overwrite the actual cameras signal. It'd be awesome to see some spy movie shit irl :P
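The workflow both comments above describe (reading memory out as hex lines through an RTOS or U-Boot serial console, then feeding the result to strings) as an added example, not code from the video or from the device vendor. The console line format `<hex address>: <hex bytes>` is an assumption about a hypothetical shell, the sample console capture is constructed, and gaps between reads are padded with 0xFF (assumed here to be the erased-flash value) and reported rather than silently hidden:

```python
"""Rebuild a binary image from a console memory dump and pull printable strings.

Added example (not from the video or the vendor). Assumes a hypothetical RTOS
shell that prints memory as lines of the form
    <hex address>: <hex bytes ...>
with prompts and echoed commands mixed in. Gaps between reads are padded with
0xFF (assumed erased-flash value) and reported; a re-read that disagrees with an
earlier read of the same address raises an error instead of being overwritten.
"""
import re

# One dump line: optional 0x prefix, address, colon, one or more hex byte pairs.
DUMP_LINE = re.compile(
    r"^\s*(?:0x)?([0-9A-Fa-f]{2,8})\s*:\s*((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})\s*$"
)

# Constructed console capture (hypothetical "md <addr> <len>" command).
SAMPLE_CONSOLE = """\
rtos> md 0x1000 32
0x00001000: 48 32 36 34 45 6E 63 00 A5 A5 A5 A5 A5 A5 A5 A5
0x00001010: 63 69 70 68 65 72 00 FF 00 00 00 00 FF FF FF FF
rtos> md 0x1030 16
0x00001030: 53 4f 4e 69 58 00 01 02 03 04 05 06 07 08 09 0A
rtos>
"""


def parse_console_dump(text, pad=0xFF):
    """Return (blob, base_address, gaps) where gaps is a list of (start, end)."""
    cells = {}  # absolute address -> byte value
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # prompt, echoed command, banner: not dump data
        addr = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        for i, b in enumerate(data):
            a = addr + i
            if a in cells and cells[a] != b:
                raise ValueError(f"conflicting read at {a:#010x}: {cells[a]:02X} vs {b:02X}")
            cells[a] = b
    if not cells:
        return b"", 0, []
    base, end = min(cells), max(cells) + 1
    blob = bytearray([pad]) * (end - base)
    gaps, gap_start = [], None
    for a in range(base, end):
        if a in cells:
            blob[a - base] = cells[a]
            if gap_start is not None:
                gaps.append((gap_start, a))
                gap_start = None
        elif gap_start is None:
            gap_start = a
    return bytes(blob), base, gaps


def extract_strings(blob, min_len=4):
    """Mimic `strings`: return (offset, text) for runs of printable ASCII."""
    found, run, start = [], bytearray(), 0
    for i, b in enumerate(blob):
        if 0x20 <= b < 0x7F:
            if not run:
                start = i
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append((start, run.decode("ascii")))
            run = bytearray()
    if len(run) >= min_len:  # string running to the end of the blob
        found.append((start, run.decode("ascii")))
    return found


if __name__ == "__main__":
    blob, base, gaps = parse_console_dump(SAMPLE_CONSOLE)
    print(f"rebuilt {len(blob)} bytes from {base:#x}; gaps: {[(f'{s:#x}', f'{e:#x}') for s, e in gaps]}")
    for off, s in extract_strings(blob):
        print(f"{base + off:#010x}  {s}")
```

Piping the rebuilt blob into binwalk or CyberChef works the same way once it is a file; the gap list is the part worth keeping, because a string that straddles an unread region (or a region the console refused to read) will be missing or cut short and should not be taken as evidence of absence.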
The HDCP encryption used by HDMI may be the reason for the cipher library. They are required to obfuscate any master keys.
Did you make an rf capture and analysis?
On a low end processor without hardware encode/decode it is most likely that any encryption would be simple XOR and/or rotate.
Hi. Does it connect to the internet through your WiFi? If it does, why not use a proxy or just wireshark it?
there are tools that look for the S-boxes, pads, IVs, coefficients, and tables for known encryption algorithms, they'll either be there or not, and the API patterns are Init, Update, Final ... it would be a lot of overhead to do it in software, and you can probably find some chip documentation about AES units & instructions. bottom line though, if it's not doing TLS or Diffie-Hellman or some per-session key, it's as good as unencrypted even if it's technically enciphering it
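The constant-table search this comment describes (and the earlier suggestion to look for 16-byte arrays rather than for the word "encrypt"), as an added example that is not code from the video or the vendor. The signatures are the first 32 bytes of the AES S-box, the first 16 of the inverse S-box, the AES Rcon sequence, and the eight SHA-256 initial hash words in both byte orders; the firmware blob it scans is constructed. A hit only proves a table is present, and a miss proves nothing when the cipher lives in a hardware peripheral, which is the point the comment makes about AES units:

```python
"""Scan a firmware blob for well-known cryptographic constants.

Added example (not from the video or the vendor), in the spirit of the
FindCrypt-style tools the comment refers to. The sample blob is constructed:
pseudo-random filler with two real constant tables planted at known offsets.
"""
import random
import struct

# Well-known constants (values from the public AES and SHA-256 specifications).
AES_SBOX_HEAD = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76"  # S-box row 0
    "ca82c97dfa5947f0add4a2af9ca472c0"  # S-box row 1
)
AES_INV_SBOX_HEAD = bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb")
AES_RCON = bytes.fromhex("01020408102040801b36")  # byte form; some builds store 32-bit words
SHA256_IV = (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
             0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19)

SIGNATURES = {
    "AES S-box": AES_SBOX_HEAD,
    "AES inverse S-box": AES_INV_SBOX_HEAD,
    "AES Rcon": AES_RCON,
    "SHA-256 IV (little-endian)": struct.pack("<8I", *SHA256_IV),
    "SHA-256 IV (big-endian)": struct.pack(">8I", *SHA256_IV),
}


def find_constants(blob):
    """Return sorted (offset, name) pairs for every signature occurrence."""
    hits = []
    for name, sig in SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(sig, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def build_sample_blob():
    """Constructed 4 KiB 'firmware' with an S-box head and a SHA-256 IV planted."""
    rng = random.Random(7)  # deterministic filler so results are reproducible
    blob = bytearray(rng.getrandbits(8) for _ in range(4096))
    blob[0x400:0x400 + len(AES_SBOX_HEAD)] = AES_SBOX_HEAD
    iv_le = struct.pack("<8I", *SHA256_IV)
    blob[0x900:0x900 + len(iv_le)] = iv_le
    return bytes(blob)


SAMPLE_BLOB = build_sample_blob()

if __name__ == "__main__":
    for off, name in find_constants(SAMPLE_BLOB):
        print(f"{off:#08x}  {name}")
```

On a little-endian ARM part the SHA-256 words and the Rcon entries are usually laid out in memory as 32-bit values, which is why the IV is searched in both orders; a compiler that keeps AES tables in the mask ROM or a hardware AES unit that never exposes them will leave this scan empty, as the comments about silicon crypto peripherals above point out.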
you could do a mitm attack posing as your router and just see the data being sent to it and at that point you can see if its encrypted or not, but this depends on the camera and how it communicates ofc
Ooh the E5 is good, I have absolutely no idea what you are talking about, but for some reason made me a bit optimistic
What is the regex editor he's using at 4:50? Would help me make good regular expressions of my own.
@haraldgutzinger6099
10 months ago
regexr
So I can manipulate my Lab’s experiment SCADA system’s probes to report different readings than what they actually recorded ?
I have an old media-streamer I wanted to throw away but while taking it apart I found out that it also had an open serial port. I connected that to my PC and was able to get a root shell without any password. I was able to back up the eMMC but I want to install a normal Linux on it. Do you know a way I can do that without de-soldering the eMMC chip? I'm not that good at soldering.
Since there is some kind of "cipher" library being compiled with, but there is no sign of encrypt/decrypt functions it might be the case of device actually using hardware encryption being built into silicon hardware. Many low power devices/MCUs implement such hardware to offload CPU heavy functions to actual encryption hardware peripheral. By using hardware peripheral, configured to directly access data via DMA or some other hardware register based means it might not need to actually use any functions to actually encrypt/decrypt in the code and cipher library is only there to configure encryption hardware. OFC this is just a theory, confirming data is actually encrypted that way requires further look into device operation/code/RF output.
Fantastic work! Two different kinds of people though, I'd have started with an RF capture because my assembly knowledge is..... Lacking..... To say the least lol
Biopsychosocial engineer says: dude is smart. Any reasonable baby mama would want that seed
I'm sure others have mentioned, if you'd like to do more hardware hacking, it's probably a good idea to invest in a universal programmer. It'll dump flash a lot faster than using UART, which you may or may not have depending on the hardware. Respectable, though. That's how I started off dumping firmware when I didn't have a programmer (and desoldering alloy to prevent MCU interference while trying to read the flash). Regarding reading from memory, you should not assume that it's the firmware off flash that you're reading from address 0. It could just be a small segment that contains the vector table and some boot up code, and more likely to be SRAM or perhaps boot ROM than flash. Memory mapped flash is generally somewhere else. A different ARM Sonix chip that I had been messing with has the region at 0 be remappable to either boot ROM or program RAM, where the boot ROM loads some bits of the flash into the program RAM, switches mapping to program RAM, and the loaded code does additional loading into PSRAM. Knowing that it's an ARM processor (you could have read the chip's product description on Sonix's website instead of guessing from a memory dump), you probably could have found a JTAG port that would have allowed you to dump much faster than using UART.
H.264 is a video compression codec. It is not encryption.
just found this channel, subscribed, and will be buying that shirt next check!
I would have used a SDR to answer the question you posed about video transmission encryption.
"some hate regex" how could anyone hate regex? it's so powerful and handy.
you may be the only one i've heard of that enjoys Solarized, that's pretty cool
Can't wait to see the next video on this!
@7:11 could H264 be the video codec?
I can't find the video you say your made, about the RF capture?
@LowLevelLearning
10 months ago
Still working on it :)
Cool video bro keep them coming!
I never even considered that this could happen