https://www.marcusfolkesson.se/tags/reverse-engineering/ Recent content in Reverse Engineering on Marcus Folkesson Hugo en-us Thu, 07 May 2026 12:07:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part7/ Thu, 07 May 2026 12:07:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part7/ Rooting a VMC2040 security camera part 7: Conclusion and summary Brief In this part we are going to give some thoughts about the security of the camera and what to do to prevent this kind of attack. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse the boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary Lets talk a bit about security Often when I talk with my clients about security of their products, I urge them to analyze what threat they want to protect against. https://www.marcusfolkesson.se/blog/arlo-vmc2040-part6/ Thu, 07 May 2026 12:06:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part6/ Rooting a VMC2040 security camera part 6: What did work Brief In this part I will show how I finally got root access to the camera. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse the boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary What about those symlinks in /config? startSPARROW creates three symlinks that points to an executable binary in the rootfs: https://www.marcusfolkesson.se/blog/arlo-vmc2040-part5/ Thu, 07 May 2026 12:05:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part5/ Rooting a VMC2040 security camera part 5: What didn't work Brief In this part I will write down the things I tried that didn't work. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse the boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary U-Boot Environment The first thing I tried was to modify the U-Boot environment variables as those were not verified against any signature. https://www.marcusfolkesson.se/blog/arlo-vmc2040-part4/ Thu, 07 May 2026 12:04:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part4/ Rooting a VMC2040 security camera part 4: Deeper analysis Brief This part will focus on gather as much information as possible about the system. As I in this stage don't know what I'm looking for, I will just try to document everything I find interesting. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse the boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary U-Boot environment I used dd to extract the U-Boot environment from the NAND dump. https://www.marcusfolkesson.se/blog/arlo-vmc2040-part3/ Thu, 07 May 2026 12:03:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part3/ Rooting a VMC2040 security camera part 3: Analyze the boot sequence Brief In this part we will go through the init script to see what (and how!) services are started during the boot. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse the boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary Boot sequence I've tried to summarize the boot sequence in the diagram below. https://www.marcusfolkesson.se/blog/arlo-vmc2040-part2/ Thu, 07 May 2026 12:02:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part2/ Rooting a VMC2040 security camera part 2: Extract the firmware Brief As there were no exposed vulnerabilities via UART (no TX, only RX) or network (no open ports that could be exploited), I decided to extract the firmware from the SPINAND flash. This part of the series is about the process of extracting the firmware and analyzing it. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary Extract the firmware I have a XGECU-T48 programmer for such tasks. https://www.marcusfolkesson.se/blog/arlo-vmc2040-part1/ Thu, 07 May 2026 12:00:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part1/ Rooting a VMC2040 security camera part 1: Basic examination Brief My friend had a Arlo VMC2040 security camera [1] on his shelf. He bought it a while ago, but never really used it as it required a subscription to work properly. The only feature that he wanted was to get the video stream out from the camera without any cloud involvement, but that was unfortunately not possible. Here in Sweden we have a long holiday due to Easter, so I decided to take a look at the camera and see what's possible. https://www.marcusfolkesson.se/blog/reverse-engineer-serial-key-validator/ Wed, 11 Feb 2026 10:00:34 +0100 https://www.marcusfolkesson.se/blog/reverse-engineer-serial-key-validator/ Reverse engineer a serial key validator A bit of nostalgia As many kids in my generation, I grew up with video games and the big question was always "Who is gonna be the host for the LAN party this weekend?". Same question. Every. Single. Weekend. This was in late 90s, and we were about 10-12 years old, so we did not have a lot of money. We were lucky to have network equipment (mostly cables, switches, hubs.