Submission #773162: yitechnology YI Home Camera 2 2.1.1_20171024151200 HTTP Firmware OTA Without Cryptographic Signature (Info)

Title: yitechnology YI Home Camera 2 2.1.1_20171024151200 HTTP Firmware OTA Without Cryptographic Signature
Description:

## Firmware Identification

The latest firmware file `2.1.1_20171024151200home` was downloaded from YI Technology's official page: https://www2.yitechnology.com/support/firmware_home/id/9

SHA-256 hashes for independent verification at each extraction stage:

```
$ sha256sum 2.1.1_20171024151200home
a5fef3fda624f77dc4369f64b85e9cba79df02eb6298460eca8e7304db418fb0  2.1.1_20171024151200home
$ file 2.1.1_20171024151200home
2.1.1_20171024151200home: data
$ hexdump -C 2.1.1_20171024151200home | head -3
00000000  41 4e 54 53 49 4d 47 00  a0 4e 02 00 10 c9 33 01  |ANTSIMG..N....3.|
00000010  00 01 00 00 01 00 00 00  00 01 00 00 00 02 00 00  |................|
00000020  00 00 00 02 00 00 00 00  1b 8a f5 c2 32 2e 31 2e  |............2.1.|
$ binwalk 2.1.1_20171024151200home

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
512           0x200           UBI erase count header, version: 1, EC: 0x0
[..]
```

The UBI image at offset 0x200 was extracted with `binwalk -Me` and the UBIFS volume unpacked with `ubireader_extract_files`, yielding a 672-file filesystem. Firmware download URLs were extracted from the `ipc` binary via `strings`. The `upgrade_tool` binary was analyzed via `strings` for any signature-related functionality, and the complete absence of signing-related symbols or strings was confirmed.

Binary hashes for independent verification:

```
$ sha256sum home/web/ipc
aaf9adad66f7d40cbbace1a99d65a4a9051acf9faf06fb0a1ae000663cd1ae72  home/web/ipc
$ sha256sum usr/local/bin/upgrade_tool
4098be7fbb2943b16ec89689a2b3578163f57579dc08edbad72ea57a92b3d5bf  usr/local/bin/upgrade_tool
```

The device performs over-the-air (OTA) firmware updates by downloading images over unencrypted HTTP from multiple regional servers. The binary responsible for validating and flashing the downloaded image (`upgrade_tool`) performs only two checks before accepting a firmware image:

1. A `magic_num` header field: a static, predictable value that is present in any legitimate firmware image and can be extracted by any attacker who downloads one.
2. A CRC32 checksum: a non-cryptographic error-detection code, trivially computed by the attacker after constructing a malicious image.

No cryptographic signature verification is performed. String analysis of `upgrade_tool` confirms the complete absence of any RSA, ECDSA, SHA-256, or certificate-related functionality:

```
$ strings usr/local/bin/upgrade_tool | grep -iE "sign|rsa|ecdsa|sha256|verify|certif"
(no output)
```

The firmware is downloaded from the following HTTP (not HTTPS) URLs, extracted from the `ipc` binary:

```
$ strings home/web/ipc | grep "http://download"
http://download.xiaoyi.com/yifirmware/smarthomecam/
http://download.xiaoyi.com.tw/smarthomecam/
http://download.us.xiaoyi.com/yifirmware/smarthomecam/
http://download.eu.xiaoyi.com/yifirmware/smarthomecam/
```

`upgrade_tool` is invoked by `ipc` with the downloaded image path:

```
/bak/usr/local/bin/upgrade_tool /tmp/upgrade/home.bin
```

The only validation-related strings are magic number and CRC32 checks:

```
$ strings usr/local/bin/upgrade_tool | grep -iE "magic|crc"
FDT_ERR_BADMAGIC
crc32 = 0x%08x
magic = 0x%08x
magic = 0x%08X
upgrade_flprog_get_table : Invalid dev magic: 0x%08x(0x%08x)
Invalid partition table magic(%d): 0x%08x(0x%08x)
Invalid dev magic: 0x%08x(0x%08x)
The header crc32 is 0x%08x
imageHead.magic_num %s error
############### check success crc %x, time = %ld ###########
payload [%d] crc error [%x %x]
image_crc = 0x%08x
```

The magic number validated by `upgrade_tool` is the ASCII string `ANTSIMG`, confirmed both in the `upgrade_tool` binary and at byte offset 0 of the actual firmware file:

```
$ strings usr/local/bin/upgrade_tool | grep -B1 -A1 "imageHead"
ANTSIMG
imageHead.magic_num %s error
read payloadHead error
```

```
$ hexdump -C 2.1.1_20171024151200home | head -2
00000000  41 4e 54 53 49 4d 47 00  a0 4e 02 00 10 c9 33 01  |ANTSIMG..N....3.|
00000010  00 01 00 00 01 00 00 00  00 01 00 00 00 02 00 00  |................|
```

The `imageHead.magic_num %s error` format confirms the magic is compared as a string against `"ANTSIMG"`. The firmware header is a simple structure: a 7-byte magic, followed by size fields and a CRC32. An attacker constructing a malicious firmware image places `ANTSIMG` at offset 0 and computes a valid CRC32, both trivial operations.

A network-adjacent attacker (on the same local network, or positioned to intercept traffic between the camera and the internet, i.e. a man-in-the-middle) can inject malicious firmware. The resulting compromise is firmware-level and persistent: it survives factory resets because the flash storage itself has been overwritten. There is no recovery mechanism available to the device owner without physical access and specialized flash tools.
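The magic-plus-CRC32 acceptance logic described above, modelled in Python beside a keyed cryptographic check, as an added example that is not part of this submission or of YI's code. The header layout (8-byte magic, length, CRC32) is a simplified model rather than the real ANTSIMG format, and HMAC-SHA256 with a constructed key stands in for the RSA/ECDSA signature a real OTA design would use.

```python
# Added example (not YI's code): the two checks the submission attributes to
# upgrade_tool (static magic + CRC32) next to a keyed cryptographic check.
# Header layout is a simplified model, NOT the real ANTSIMG format:
#   8 bytes magic "ANTSIMG\0" | 4 bytes payload length (LE) | 4 bytes CRC32 (LE) | payload
import hashlib
import hmac
import struct
import zlib

MAGIC = b"ANTSIMG\x00"
HEADER = struct.Struct("<8sII")

def build_image(payload: bytes) -> bytes:
    """Pack a payload behind a header anyone can produce: magic + CRC32."""
    return HEADER.pack(MAGIC, len(payload), zlib.crc32(payload) & 0xFFFFFFFF) + payload

def weak_check(image: bytes) -> bool:
    """The documented upgrade_tool checks: magic string match and CRC32 match.
    CRC32 detects accidental corruption only; anyone can recompute it."""
    if len(image) < HEADER.size:
        return False
    magic, length, crc = HEADER.unpack_from(image)
    payload = image[HEADER.size:]
    return magic == MAGIC and len(payload) == length and (zlib.crc32(payload) & 0xFFFFFFFF) == crc

# Hardened variant: a detached authenticator the image producer computes with a
# key. HMAC-SHA256 with a constructed key stands in for the asymmetric signature
# (RSA/ECDSA) a real OTA design uses, because the Python stdlib has no signing
# primitive; with a real signature the device would hold only the public key.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"

def sign_image(image: bytes, key: bytes = SIGNING_KEY) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()

def strong_check(image: bytes, sig: bytes, key: bytes = SIGNING_KEY) -> bool:
    """Structural checks first, then constant-time comparison of the authenticator."""
    return weak_check(image) and hmac.compare_digest(sign_image(image, key), sig)

def compare_checks() -> dict:
    """Show which check distinguishes the genuine image from a modified one."""
    genuine = build_image(b"constructed genuine payload")
    sig = sign_image(genuine)                               # published alongside the image
    altered = build_image(b"constructed altered payload")   # fresh magic + CRC32, no key
    return {
        "genuine_weak": weak_check(genuine), "genuine_strong": strong_check(genuine, sig),
        "altered_weak": weak_check(altered), "altered_strong": strong_check(altered, sig),
    }

if __name__ == "__main__":
    print(compare_checks())
```

The altered image passes the weak check because magic and CRC32 are recomputable by anyone, and fails the keyed check because the authenticator cannot be regenerated without the key.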
Source: https://www2.yitechnology.com/support/firmware_home/id/9
User: 0rbitingZer0 (UID 96146)
Submitted: 2026-03-05 18:58 (3 months ago)
Moderated: 2026-03-19 21:46 (14 days later)
Status: Accepted
VulDB Entry: 351768 [Yi Technology YI Home Camera 2 2.1.1_20171024151200 HTTP Firmware Update home/web/ipc Weak Authentication]
Points: 20
