However, I soon discovered that the firmware file I had downloaded contained encrypted data.Īfter searching available release notes for various versions of Bosch camera firmware, I found the following statement Article: 2 Bosch IP Video increased security with firmware ( ) I then unpacked it and attempted to do some reverse engineering and subsequently some bug hunting. An open-source tool we developed at Anvil Ventures which was capable of unpacking all tested versions of Bosch camera firmware 1 Anvil-Developed Open-Source Tool ( )Ī few quick Google searches didn’t turn up much public security research on the FlexiDome 7000, so I downloaded the current firmware image file.binwalk, a tool for identifying file contents, entropy measurement, and more.Hex editor: A computer program that allows for manipulation of the fundamental binary data that constitutes a computer file.This research demonstrates that although manufacturers offer firmware updates to enhance security for legacy products (in this case, through encryption), the limitations of legacy products may prevent them from achieving the level of security of current models that are designed to support the latest security functionality. This blog post demonstrates how I reverse engineered the firmware file format for the FlexiDome 7000, used that information to unpack earlier firmware versions, discovered how firmware encryption was implemented, reverse engineered the firmware encryption, and wrote an unpacker that supports all tested firmware versions.
While looking for new devices to perform reverse engineering on, I became interested in Bosch’s FlexiDome line of cameras, specifically the FlexiDome 7000, a day/night surveillance camera.