This deep dive into the Linux-powered Reolink B800 IP camera started because of a broken promise from its manufacturer. When [George Hilliard] purchased a kit that included six of the cameras and a video recorder, the website said they were capable of outputting standard RTSP video. But once he took delivery of the goods, and naturally after his return window had closed, the site was updated to say that the cameras can only function with the included recorder.
Taking that as something of challenge, [George] got to work. His first big break came when he desoldered the camera’s SPI flash chip and replaced it with a socket. That allowed him to easily take the chip out of the device for reading and flashing as he tinkered with modifying the firmware. After adding cross-compiled versions of
strace to the extracted firmware, he bundled it back up and flashed it back to the hardware.
If you think that’s the end of the story, it isn’t. In fact, it’s just the beginning. While getting root-level access to the camera’s OS would have potentially allowed for [George] to dump all the proprietary software it was running and replace it with open alternatives, he decided to take a different approach.
Instead of replacing the camera’s original software, he used his newly granted root powers to analyze it and figure out how it worked. This allowed for to sniff out some very suspect “encryption” routines built into the software, and eventually write his own server side in Rust that finally allowed him to use the cameras with his own server…albeit with a bit more work than he bargained for.
Projects like these are a fantastic look at real world reverse engineering, and a reminder that sometimes achieving your ultimate goal means taking the long way around. Even if you’re not in the market for a hacked security camera, there’s no doubt that reading the thorough write-up [George] has prepared will teach you a few things. But of course, we’d expect no less from a guy who runs Linux on his business card.
Retro gaming is huge right now, and like probably millions of other people, [wrongbaud] found himself taking possession of a couple faux-classic gaming gadgets over the holidays. But unlike most people, who are now using said devices to replay games from their youth, he decided to tear into his new toys to see how they work.
The first to get pulled apart is a handheld The Oregon Trail game, which Hackaday readers may recall from a teardown we did back when it was first released. His work continues right where our teardown left off, by pulling the game’s two EEPROM chips out and dumping their contents. As expected, [wrongbaud] found that the I2C connected chip contained the game save information, and the SPI flash chip stored the actual game files.
Next up was an HDMI “stick” from Bandai Namco that allows the user to play a selection of NES games. Here again [wrongbaud] liberates the flash chip and dumps it for examination, this time using an ESP32 tool of his own creation. Inside the firmware image he’s able to identify several elements with the help of
binwalk, such as splash screen graphics and text strings.
But perhaps most interestingly, he found that
binwalk was able to automatically extract the NES ROMs themselves. After verifying they were standard ROMs with an NES emulator, he theorizes that repacking the firmware with different ROMs should be possible should anyone feel so inclined.
Both of these hacks are fantastic examples of how you can reverse engineer a device’s firmware with low cost hardware, open source tools, and a healthy dose of patience. Even if you aren’t interested in fiddling with The Oregon Trail or swapping out the Mappy ROM for Contra, this write-up is an invaluable resource for anyone looking to do their own firmware analysis.
This isn’t the first time [wrongbaud] has hacked around inside these extremely popular retro games, either. Just last month we covered some of his previous exploits with the re-released versions of Rampage and Mortal Kombat.
Hackaday Superconference is just a week away (precious few tickets remain), a celebration of all things Hackaday, which naturally includes creative projects making the most of their hardware. Every attendee gets a platform for hacking in the form of the conference badge.
To make the most of your badge hacking fun, plan ahead so you will have the extra components and the tools you need. At the most basic, bring along a serial to USB cable and a PIC programmer. These are common and if you don’t own them, ask around and you will likely be able to borrow them. Now is also the time to put in a parts order for any components you want to use but don’t have on hand!
The badge is hackable without any extras, but it’s designed for adding hardware and hacking the firmware. We’re excited to see what you can do with it. We gave an overview of this retro themed pocket computer a few days ago, today we’re inviting you to exploit its potential for your hardware hacks.
Continue reading “Supercon Badge Hardware Hacking: Here’s What To Bring”
I was under the impression that canon firmware hacking had fallen by the wayside a bit. [random guy] pointed out that Canon firmware hacking is still alive and well, but it’s the smaller consumer models that are getting the attention. Several cameras, like the A610 happen to share the same digic II image processor as my Rebel XT. By uploaded some modified firmware, you can shoot RAW format pics, and get quite a few other features as well. There’s even a HDK (Hack Developer Kit) for rolling your own firmware. Most of the work appears to have been written up in Russian, but there’s an english wiki and guide page to get you going.