Matt Brown of Brown Fine Security recently published a video and blog post detailing how he reverse-engineered the firmware decryption mechanism used in Hanwha WiseNet security cameras. After acquiring a WiseNet XNF-8010RW camera and dumping its NAND flash, he discovered that the available firmware image was encrypted using OpenSSL with a “Salted__” header. The twist? The key needed to decrypt the firmware was embedded within the encrypted firmware itself, posing the classic chicken-and-egg problem.
To unravel this, Matt began with a string analysis of the firmware, uncovering OpenSSL decryption calls and several Base64-encoded key candidates labeled as MODELINFO_MODEL_DECRYPTIONKEY. By carving out ELF binaries and analyzing them with IDA Pro, he identified a key decryption function that used a hardcoded string (“zeppelin”), hashed it with SHA-256, and applied AES-256-CFB8 decryption. This yielded multiple model-specific passphrases, such as HTWXNF-8010R.
Using these passphrases with the appropriate digest method (MD5), he successfully decrypted the firmware image, granting access to a complete root file system. Further testing revealed that the decryption key format is predictable—simply the model name prefixed by “HTW.” This method was validated on other models, like the TNO-L4040TR, proving the scheme’s consistency.
Matt's full blog post is packed with code samples, screenshots, and detailed reverse engineering steps. You can also watch the accompanying video walkthrough, which walks through the entire process using IDA Pro.
Nicely done, Matt!