Marcus Folkesson

Embedded Linux Artist

Rooting a VMC2040 security camera part 7: Conclusion and summary

Brief: In this part we are going to give some thoughts about the security of the camera and what to do to prevent this kind of attack. The other parts of the series are: Part 1: Basic examination; Part 2: Extract the firmware; Part 3: Analyse the boot sequence; Part 4: Deeper analysis; Part 5: What didn't work; Part 6: What did work; Part 7: Conclusion and summary. Let's talk a bit about security: Often when I talk with my clients about the security of their products, I urge them to analyze what threat they want to protect against.

Rooting a VMC2040 security camera part 6: What did work

Brief: In this part I will show how I finally got root access to the camera. What about those symlinks in /config? startSPARROW creates three symlinks that point to an executable binary in the rootfs:

Rooting a VMC2040 security camera part 5: What didn't work

Brief: In this part I will write down the things I tried that didn't work. U-Boot Environment: The first thing I tried was to modify the U-Boot environment variables as those were not verified against any signature.

Rooting a VMC2040 security camera part 4: Deeper analysis

Brief: This part will focus on gathering as much information as possible about the system. As I don't know at this stage what I'm looking for, I will just try to document everything I find interesting. U-Boot environment: I used dd to extract the U-Boot environment from the NAND dump.

Rooting a VMC2040 security camera part 3: Analyze the boot sequence

Brief: In this part we will go through the init script to see what (and how!) services are started during the boot. Boot sequence: I've tried to summarize the boot sequence in the diagram below.

Rooting a VMC2040 security camera part 2: Extract the firmware

Brief: As there were no exposed vulnerabilities via UART (no TX, only RX) or network (no open ports that could be exploited), I decided to extract the firmware from the SPINAND flash. This part of the series is about the process of extracting the firmware and analyzing it. Extract the firmware: I have an XGECU-T48 programmer for such tasks.

Rooting a VMC2040 security camera part 1: Basic examination

Brief: My friend had an Arlo VMC2040 security camera [1] on his shelf. He bought it a while ago, but never really used it as it required a subscription to work properly. The only feature that he wanted was to get the video stream out from the camera without any cloud involvement, but that was unfortunately not possible. Here in Sweden we have a long holiday due to Easter, so I decided to take a look at the camera and see what's possible.

TIL - DNS queries with multiple interfaces

TIL, Today I Learned, is more of an "I just figured this out: here are my notes, you may find them useful too" rather than a full blog post. I must admit that I'm not one of those network gurus who know everything about every protocol out there and how they work. But I have a pretty good understanding of how things work, or at least that's what I tell myself :-)

Tracing function calls in C with -finstrument-functions

Some time ago, I wrote a blog post about mutex guards in the Linux kernel [1]. It uses a cool feature in GCC which allows you to clean up resources when they go out of scope. I have a few such GCC features that I use every now and then, which often show themselves handy in the most unexpected way. -finstrument-functions is one of those.

Reverse engineer a serial key validator

A bit of nostalgia: Like many kids in my generation, I grew up with video games and the big question was always "Who is gonna be the host for the LAN party this weekend?". Same question. Every. Single. Weekend. This was in the late 90s, and we were about 10-12 years old, so we did not have a lot of money. We were lucky to have network equipment (mostly cables, switches, hubs.