Marcus Folkesson

Embedded Linux Artist

Rooting a VMC2040 security camera part 7: Conclusion and summary

Brief

In this part we are going to give some thoughts about the security of the camera and what to do to prevent this kind of attack. The other parts of the series are: Part 1: Basic examination; Part 2: Extract the firmware; Part 3: Analyse the boot sequence; Part 4: Deeper analysis; Part 5: What didn't work; Part 6: What did work; Part 7: Conclusion and summary.

Let's talk a bit about security

Often when I talk with my clients about the security of their products, I urge them to analyze what threat they want to protect against.

Rooting a VMC2040 security camera part 6: What did work

Brief

In this part I will show how I finally got root access to the camera. The other parts of the series are: Part 1: Basic examination; Part 2: Extract the firmware; Part 3: Analyse the boot sequence; Part 4: Deeper analysis; Part 5: What didn't work; Part 6: What did work; Part 7: Conclusion and summary.

What about those symlinks in /config?

startSPARROW creates three symlinks that point to an executable binary in the rootfs:

Rooting a VMC2040 security camera part 5: What didn't work

Brief

In this part I will write down the things I tried that didn't work. The other parts of the series are: Part 1: Basic examination; Part 2: Extract the firmware; Part 3: Analyse the boot sequence; Part 4: Deeper analysis; Part 5: What didn't work; Part 6: What did work; Part 7: Conclusion and summary.

U-Boot Environment

The first thing I tried was to modify the U-Boot environment variables, as those were not verified against any signature.

Rooting a VMC2040 security camera part 4: Deeper analysis

Brief

This part will focus on gathering as much information as possible about the system. As at this stage I don't know what I'm looking for, I will just try to document everything I find interesting. The other parts of the series are: Part 1: Basic examination; Part 2: Extract the firmware; Part 3: Analyse the boot sequence; Part 4: Deeper analysis; Part 5: What didn't work; Part 6: What did work; Part 7: Conclusion and summary.

U-Boot environment

I used dd to extract the U-Boot environment from the NAND dump.
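Once the environment block has been carved out of the dump, it is a small, well-defined format: a CRC32 header followed by NUL-separated "key=value" strings. The following is an added example, not code from this series, that parses such a block and shows what the CRC does and does not protect, which is the point part 5 above relies on: a raw edit is caught, but the CRC is not a signature, so anyone who can write the flash can simply recompute it. The sample environment, the 256-byte block size and the little-endian CRC are constructed assumptions for the example, not the camera's real values.

```c
/* Added example, not code from the series: parse a non-redundant U-Boot
 * environment block as dd'd out of a flash dump and check its CRC32 header.
 * The contents, the 256-byte block size and the little-endian CRC are
 * constructed assumptions for this sample, not the camera's real values. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ENV_SIZE 0x100   /* assumed env block size for the sample */

/* CRC32, reflected IEEE 802.3 polynomial, as zlib and U-Boot compute it. */
static uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Layout: 4-byte CRC over everything after it, then "key=value" strings each
 * ended by NUL, the list ended by one more NUL (redundant envs add a flags byte). */
static void env_write_crc(uint8_t *env, size_t size)
{
    uint32_t crc = crc32_ieee(env + 4, size - 4);
    for (int i = 0; i < 4; i++)
        env[i] = (uint8_t)(crc >> (8 * i));    /* little-endian, as on ARM */
}

static int env_crc_ok(const uint8_t *env, size_t size)
{
    uint32_t stored = 0;
    for (int i = 3; i >= 0; i--)
        stored = (stored << 8) | env[i];
    return stored == crc32_ieee(env + 4, size - 4);
}

/* Build a sample block from "key=value" strings and stamp its CRC. */
static void env_build(uint8_t *env, size_t size, const char *const *kv, size_t n)
{
    size_t off = 4;
    memset(env, 0, size);
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(kv[i]) + 1;          /* copy the NUL too */
        if (off + l + 1 > size)                /* room for the end marker */
            abort();
        memcpy(env + off, kv[i], l);
        off += l;
    }
    env_write_crc(env, size);
}

/* Pointer to the value of key, or NULL if absent or the block is unterminated. */
static char *env_get(uint8_t *env, size_t size, const char *key)
{
    size_t klen = strlen(key);
    char *p = (char *)env + 4, *end = (char *)env + size;
    while (p < end && *p) {
        char *nul = memchr(p, 0, (size_t)(end - p));
        if (!nul)
            return NULL;
        if ((size_t)(nul - p) > klen && memcmp(p, key, klen) == 0 && p[klen] == '=')
            return p + klen + 1;
        p = nul + 1;
    }
    return NULL;
}

static const char *const sample_env[] = {  /* constructed, not the camera's */
    "bootcmd=nand read 0x80000 0x100000 0x400000; bootm 0x80000",
    "bootdelay=0",
};

/* 1 when the sample block verifies and lookups behave. */
static int demo_lookup(void)
{
    uint8_t env[ENV_SIZE];
    env_build(env, sizeof env, sample_env, 2);
    const char *v = env_get(env, sizeof env, "bootdelay");
    return env_crc_ok(env, sizeof env) && v && strcmp(v, "0") == 0 &&
           env_get(env, sizeof env, "nope") == NULL;
}

/* The security point: the CRC only catches accidental corruption. A raw edit
 * fails the check (-2 if it did not), but whoever can write the flash can also
 * recompute the CRC, after which the edited block verifies again (returns 1). */
static int demo_recrc_after_tamper(void)
{
    uint8_t env[ENV_SIZE];
    env_build(env, sizeof env, sample_env, 2);
    char *v = env_get(env, sizeof env, "bootdelay");
    if (!v) return -1;
    *v = '9';                                   /* bootdelay=0 -> bootdelay=9 */
    if (env_crc_ok(env, sizeof env)) return -2;
    env_write_crc(env, sizeof env);             /* attacker re-stamps the CRC */
    return env_crc_ok(env, sizeof env);
}
```

The lesson for a product is that an integrity checksum over the environment buys nothing against an attacker with flash access; only a signed environment (or a boot loader that ignores the stored environment entirely) closes that door.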

Rooting a VMC2040 security camera part 3: Analyze the boot sequence

Brief

In this part we will go through the init script to see what (and how!) services are started during boot. The other parts of the series are: Part 1: Basic examination; Part 2: Extract the firmware; Part 3: Analyse the boot sequence; Part 4: Deeper analysis; Part 5: What didn't work; Part 6: What did work; Part 7: Conclusion and summary.

Boot sequence

I've tried to summarize the boot sequence in the diagram below.

Rooting a VMC2040 security camera part 2: Extract the firmware

Brief

As there were no exposed vulnerabilities via UART (no TX, only RX) or network (no open ports that could be exploited), I decided to extract the firmware from the SPI NAND flash. This part of the series is about the process of extracting the firmware and analyzing it. The other parts of the series are: Part 1: Basic examination; Part 2: Extract the firmware; Part 3: Analyse the boot sequence; Part 4: Deeper analysis; Part 5: What didn't work; Part 6: What did work; Part 7: Conclusion and summary.

Extract the firmware

I have an XGECU-T48 programmer for such tasks.

Rooting a VMC2040 security camera part 1: Basic examination

Brief

My friend had an Arlo VMC2040 security camera [1] on his shelf. He bought it a while ago, but never really used it as it required a subscription to work properly. The only feature he wanted was to get the video stream out of the camera without any cloud involvement, but that was unfortunately not possible. Here in Sweden we have a long holiday due to Easter, so I decided to take a look at the camera and see what's possible.

I2C Bus Recovery

Brief

I was working on a project where we had a problem with an I2C bus that sporadically hung during communication with a certain device. I2C uses open-drain lines, which means that devices can only pull the lines low; a pull-up resistor pulls a line high when nobody is driving it. If a device misbehaves and holds one of the lines low, the bus is stuck and no further communication can take place.
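The usual way out of a slave holding SDA low is the generic recovery sequence the Linux I2C core also implements (i2c_generic_scl_recovery for adapter drivers that supply SCL/SDA GPIO descriptors): the master pulses SCL, at most nine times, until the slave has shifted out the rest of the byte it was stuck in and releases SDA, then it sends a STOP so every slave's state machine goes idle. The block below is an added example, not code from the original post, that runs that sequence against a constructed in-memory model of two open-drain lines and one misbehaving slave; the slave's pending bit pattern and the two failure cases are made up for the demonstration, and real code would read and drive GPIOs instead of the model.

```c
/* Added example, not code from the original post: the SCL-clocking bus
 * recovery sequence run against a constructed model of an open-drain bus
 * with one stuck slave. Real code drives GPIOs instead of this struct. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct i2c_bus {
    bool master_sda_low, master_scl_low;  /* what the master pulls down */
    bool slave_sda_low, slave_scl_low;    /* what the stuck slave pulls down */
    uint8_t slave_shift;                  /* bits the slave still wants to send, MSB first */
    int slave_bits_left;
    int scl_pulses;                       /* recovery clocks issued so far */
};

/* Open drain: a line is high only when nobody is pulling it low. */
static bool sda_high(const struct i2c_bus *b) { return !b->master_sda_low && !b->slave_sda_low; }
static bool scl_high(const struct i2c_bus *b) { return !b->master_scl_low && !b->slave_scl_low; }

/* Slave model: interrupted mid-byte (say by a master reset), it keeps driving
 * its current data bit and advances on every falling SCL edge. A 0 bit pulls
 * SDA low; once the byte is finished it releases SDA and waits for the ACK. */
static void slave_drive(struct i2c_bus *b)
{
    b->slave_sda_low = b->slave_bits_left > 0 && !(b->slave_shift & 0x80);
}
static void slave_on_scl_falling(struct i2c_bus *b)
{
    if (b->slave_bits_left > 0) {
        b->slave_shift <<= 1;
        b->slave_bits_left--;
    }
    slave_drive(b);
}

static struct i2c_bus make_stuck_bus(uint8_t shift, int bits_left, bool scl_stuck)
{
    struct i2c_bus b = {0};
    b.slave_shift = shift;
    b.slave_bits_left = bits_left;
    b.slave_scl_low = scl_stuck;
    slave_drive(&b);
    return b;
}

/* Returns the number of clock pulses needed (0 if the bus was not stuck),
 * -1 if SCL itself is held low (nothing can be clocked: reset or power-cycle
 * the device instead), -2 if SDA is still low after nine pulses. */
static int i2c_recover_bus(struct i2c_bus *b)
{
    int i;
    if (!scl_high(b))
        return -1;
    for (i = 0; i < 9 && !sda_high(b); i++) {
        b->master_scl_low = true;          /* falling edge: slave shifts */
        slave_on_scl_falling(b);
        b->master_scl_low = false;         /* rising edge: sample SDA */
        b->scl_pulses++;
    }
    if (!sda_high(b))
        return -2;
    /* STOP condition: SDA low -> high while SCL is high. Every slave sees it
     * and returns to idle, so the next START is understood. */
    b->master_scl_low = true;
    b->master_sda_low = true;
    b->master_scl_low = false;
    b->master_sda_low = false;
    return i;
}

/* One constructed scenario; -3 means recovery reported success but the bus
 * was not idle (both lines high) afterwards. */
static int recover_scenario(uint8_t shift, int bits_left, bool scl_stuck)
{
    struct i2c_bus b = make_stuck_bus(shift, bits_left, scl_stuck);
    int rc = i2c_recover_bus(&b);
    if (rc >= 0 && !(sda_high(&b) && scl_high(&b)))
        return -3;
    return rc;
}

int main(void)
{
    printf("all-zero byte, 5 bits left: %d clocks\n", recover_scenario(0x00, 5, false));
    printf("next bit is a 1           : %d clocks\n", recover_scenario(0x40, 8, false));
    printf("SDA held low for good     : %d\n", recover_scenario(0x00, 20, false));
    printf("SCL held low              : %d\n", recover_scenario(0x00, 5, true));
    return 0;
}
```

Nine pulses is the bound because a slave can be at most one byte (eight data bits plus the ACK slot) away from releasing the line; a slave that still holds SDA after that, or one that holds SCL, is beyond what clocking can fix and needs a reset line or a power cycle, which is worth designing in for any device that cannot be replaced in the field.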

Mutex guards in the Linux kernel

I found an interesting thread [1] while searching my inbox for something completely unrelated. Peter Zijlstra has written a few cleanup functions that were introduced in v6.4 with this commit:

commit 54da6a0924311c7cf5015533991e44fb8eb12773
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Fri May 26 12:23:48 2023 +0200

    locking: Introduce __cleanup() based infrastructure

    Use __attribute__((__cleanup__(func))) to build:

     - simple auto-release pointers using __free()

     - 'classes' with constructor and destructor semantics for
       scope-based resource management.
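To see what the commit message means in practice, here is an added example, not the kernel's code, that builds the same two things in plain userspace C on top of __attribute__((__cleanup__(fn))): a pointer that is freed when it goes out of scope, and a lock "class" whose constructor takes the lock and whose destructor releases it when the enclosing block ends, on every exit path including early returns. The lock is a toy spinlock on C11 atomics so nothing needs to be linked, the free counter exists only so the demo can prove the cleanup ran, and the macro names imitate, but are not, the kernel's DEFINE_FREE/DEFINE_GUARD API.

```c
/* Added example, not the kernel's code: a userspace sketch of the
 * __cleanup()-based helpers using __attribute__((__cleanup__(fn))) for an
 * auto-freed pointer and a scope-based lock guard. Toy lock, toy macros. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define __CAT_(a, b) a##b
#define __CAT(a, b)  __CAT_(a, b)

/* Auto-release pointer: "char *p __free(name) = ...;" runs free_expr with
 * _T bound to the pointer when p leaves scope, whichever way it leaves. */
#define DEFINE_FREE(name, type, free_expr) \
    static inline void __free_##name(type *_p) { type _T = *_p; free_expr; }
#define __free(name) __attribute__((__cleanup__(__free_##name)))

static int frees_done;   /* counted so the demo can prove the cleanup ran */
DEFINE_FREE(counted, char *, if (_T) { free(_T); frees_done++; })

/* Toy lock, enough to show the guard; the demo is single-threaded, so it never spins. */
struct toylock { atomic_flag held; int acquisitions; };
static void toylock_lock(struct toylock *l)
{
    while (atomic_flag_test_and_set(&l->held)) { }
    l->acquisitions++;
}
static void toylock_unlock(struct toylock *l) { atomic_flag_clear(&l->held); }
static bool toylock_is_held(struct toylock *l)
{
    if (atomic_flag_test_and_set(&l->held)) return true;
    atomic_flag_clear(&l->held);   /* it was free; give it back */
    return false;
}

/* Scope-based guard "class": constructor locks, destructor unlocks.
 * guard(name)(&lock); holds the lock until the enclosing block ends. */
#define DEFINE_GUARD(name, type, lock_expr, unlock_expr) \
    typedef type guard_##name##_t; \
    static inline type guard_##name##_ctor(type _T) { lock_expr; return _T; } \
    static inline void guard_##name##_dtor(type *_p) { type _T = *_p; if (_T) { unlock_expr; } }
#define guard(name) \
    guard_##name##_t __CAT(__guard_, __COUNTER__) \
        __attribute__((__cleanup__(guard_##name##_dtor))) = guard_##name##_ctor

DEFINE_GUARD(toylock, struct toylock *, toylock_lock(_T), toylock_unlock(_T))

static struct toylock demo_lock = { ATOMIC_FLAG_INIT, 0 };

/* Critical section with an early return: no unlock is written anywhere, the
 * guard's destructor releases the lock however the function exits. */
static int add_if_positive(int *counter, int delta)
{
    guard(toylock)(&demo_lock);
    if (delta < 0)
        return -1;
    *counter += delta;
    return 0;
}

/* True when the lock is free again after the guarded call. */
static bool lock_released_after(int delta)
{
    int counter = 0;
    add_if_positive(&counter, delta);
    return !toylock_is_held(&demo_lock);
}

static int lock_acquisitions(void) { return demo_lock.acquisitions; }
static int counted_frees(void) { return frees_done; }

/* Buffer freed on every path, including the error return in the middle. */
static int len_unless_bang(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy __free(counted) = malloc(n);
    if (!copy)
        return -1;
    memcpy(copy, s, n);
    if (strchr(copy, '!'))
        return -2;              /* early return: copy is still freed */
    return (int)strlen(copy);
}

int main(void)
{
    printf("released after ok path: %d, after error path: %d\n",
           lock_released_after(5), lock_released_after(-1));
    printf("len: %d, bang: %d, frees: %d\n",
           len_unless_bang("hello"), len_unless_bang("bad!"), counted_frees());
    return 0;
}
```

The security-relevant property is the one the early returns exercise: the classic "forgot to unlock / free on the error path" bug class disappears because the release is attached to the variable's lifetime rather than to every return statement. The same attribute is what the kernel's __free(), guard() and scoped_guard() expand to; the kernel versions add the real lock classes and a no_free_ptr() escape hatch for handing a pointer out of the scope on purpose.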

Use b4 for kernel contributions

There is a little tool called b4 [1] that has been part of my workflow with the Linux kernel for a while. It was developed to simplify the work of maintainers, but my main use of it has been to fetch patch series from the mailing list and apply them to my local git repository during reviews. I recently noticed that it has gained a lot of handy (though still experimental) features for contributors as well, which I now want to test!