Hi, my name is Ryan Carter, and today I'll be presenting on why my security camera screams like a banshee, just talking on signal analysis and reverse engineering of an audio encoding protocol.
A little bit about myself: I'm a software developer and security engineer. I love to code, love to automate, love to solve problems. I like to employ the hacker mindset, like to break things in cool and unexpected ways to learn more about the system and hopefully drive an improvement that makes it better for everybody. I love food, love cooking, love baking. Recipe hacking is a passion of mine, and when I can get a delicious result, it really makes my day. And then of course the standard disclaimer applies here: all opinions are my own and don't reflect the positions or thoughts of anybody else or any current or previous employer.
So let's get to it. We've got a few different sections to cover. We're going to touch on what it is that we're actually doing here, the signal analysis piece, application analysis, hacking the signal, and, if all goes well, we'll get to a demo.
So what are we doing here, and why are we talking about wireless security cameras? My original goal, before I even had the idea to submit a DEF CON talk, was to use an inexpensive wireless camera to monitor my garden. This is the inexpensive camera I selected. It's got an antenna suitable for outdoor use. This one's kind of interesting in that it has a microphone and a speaker, so you could have two-way communication if you wanted it. And the nice thing about this is that it was cheap, and it seemed like it would do the job.
This sounds fairly easy and straightforward, so what's the catch here? I discovered after purchasing the camera, unboxing it and examining it that it requires a cloud application in order to enable and pair the camera. There's no way to self set up the camera.
There's no ad hoc wireless network. It doesn't show up with a Bluetooth connection. When you plug in the USB cable, there are no signals there whatsoever. Also, there's no documentation online about this camera to any real technical depth, not that I was expecting much from a $30 camera. Then, of course, what brings us here today is the bespoke protocol that the vendor application uses to communicate and configure the wireless camera.
So take a listen to this. This is what really piqued my interest and set me down the path of trying to do a DEF CON presentation.
So that's the sound that this vendor application makes to interface with the camera and configure it to connect to a wireless network. I have to say I was not expecting that. It's not usually how you configure things like security cameras. So my goal, after finding out that it uses a sound wave signal to configure the camera, is just to find out what was going on during the camera setup and see if I can't hack on it and replicate it and, if possible, cast off the shackles of the proprietary cloud-enabled app that the vendor supplies.
So let's investigate. The first thing you want to investigate is the hardware, and as I mentioned before, it does have a USB cable. This connector, though, only supplies power; when I trace the leads, there's no activity on the data pins. Other investigative angles, of course: check for Bluetooth, check for ad hoc Wi-Fi. Unfortunately, after many hours of trying all sorts of different permutations of things, pressing the reset button, holding the reset button, scanning with wireless scanners, etc., nothing was advertising. So that left me to investigate the software in a little bit more detail.
This is the vendor application that comes with the camera.
It's called Java, and it's used to configure the cloud camera. However, like I mentioned before, I wasn't really a fan of having to use this proprietary cloud-locked application. Java requires an internet connection. It also requires a username and password to be configured with this cloud setup. So that made me maybe a little frustrated and incentivized me to poke around some more.
Now, in order to analyze the vendor application, I needed a test device. I didn't want to run this on my primary phone. Just being the security-paranoid person that I am, I don't really have trust for applications that come from dubious sources like the manufacturer of a $30 cloud-enabled camera.
And as I searched online for information either about the camera or the application, it's probably not too surprising to hear that there weren't very many, if any, results that were found. I did uncover a few other camera models that seemed to use the audio wave signal approach to configure the camera for a Wi-Fi network.
I don't have any of those, though; I just list them here as an interesting aside. There are some cheap cameras, though, which leverage, in my opinion, a far superior approach to pairing the camera to a wireless network, and that's having the app show a QR code that you then scan with the camera. I think the camera has... well, the camera and scanning a QR code is a fairly straightforward thing to do in 2021. So I doubt, or I should say I wonder, if there'll be many, if any, more cameras out there which leverage this audio-coded approach.
So now that we've taken a quick pass at the hardware and the software, let's think about this signal a little bit more and see what we can identify and figure out. And along the way, let's think about what are some things that we can look for as we analyze the signal. Of course, the first thing is we'll want to capture and visualize the signal. We'll be looking for things like repetition and variation in replay, and, if possible, we'll try to fuzz and simulate the signal in a way that can hopefully track with a valid encoding.
This is the raw view of the signal as captured by Audacity and visualized in the spectrographic view. Just taking a quick look at this, it's pretty clear that there are distinct tones, and there appear to be steps.
This isn't a continuous waveform that gets transmitted. There are individual tones which are given certain slices of time, that are transmitted for a certain amount of time, and then other tones are played after that. Taking a look, it seems like a lot of the signals are centering, at least here, around 3,500 Hertz, with a few outliers on the low end of the frequency range and the high end as well. So that is something worth noting as we go about analyzing the signal.
Now let's see. One thing that I thought as I was looking at the signal is: is this similar to a modem signal? It's been an awful long time since I've heard a modem, and obviously modems transmit information using an audio signal. So I did a quick comparison against a recording of a 56k dial-up modem establishing a connection, and just by looking at these waveforms, it's pretty apparent that it's not a 56k modem; the spectrographs are substantially different. And this audio protocol that they're using to configure the camera is bespoke in the sense that you can't find information about it easily and it doesn't track with other common audio protocols that you might think of, like modem or fax.
So looking a little closer at this with our eyes, I marked out a few sections that appeared interesting, just really highlighting the signals that are extraneous or that don't really track with what the rest of the signal offers. And on the left of this slide here, I put together what I'm calling a collapsed spectrograph view, where I basically took all of the tones and slid them all over to my left and just lined them up to see which tones and frequencies were represented. You can see that it does center around 3,500 Hertz. There's a small gap before that 4,000 Hertz, and then there appear to be some things at the higher register range.
Now, a picture is nice, and it helps us understand maybe how the signal is structured, but a picture can only take us so far. We'd like to get more precise and better understand what is actually encoded in this signal and what the protocol is for actually encoding data into the signal.
With a manual approach, we can keep using a tool such as Audacity or other audio editing tools that are out there. With Audacity, though, you can use this functionality called labeling: you position the cursor over each one of those sections where there appears to be a distinct tone, press Ctrl+B, and it will cause Audacity to label that time slice and mark the frequency that's detected at that point in time. And so you can see in this picture here, it might be a little small and a little hard to see, but I've got a bunch of labels on each one of these tones.
This next view here is the Audacity view where you can view the labels that you've taken. You can go to Edit Labels, and you can export them to a text file, which you could run through some other type of automated analysis or plug into a spreadsheet or what have you.
Let's take a little closer look at this. You can see that Audacity is mapping a low and a high frequency that it detects at that time slice. These frequencies are a little variable. So to me it looks like this puts us in the ballpark for what each of the target tones are. I don't imagine the vendor application is really putting out 5101.89 Hertz. It's probably something a bit more round. But we'll figure out more about that as we go along in this process.
What do we know now from doing our quick manual analysis?
We can see that there is encoding going on. There's a digitized signal, but the signal isn't binary. It's not like it's just two tones, one and zero. There's a range of frequencies represented here, so there's some type of digital encoding going on. The frequencies seem to be centered in the three to five kilohertz range, and my suspicion is that the signals that are outliers at the top and bottom are control signals and that they warrant a closer look for investigating how the signal is put together. And we see that there's repetition: I noticed in my analysis of the vendor application and the pairing tones that it produces that the complete sequence repeats itself multiple times, at least three times. And then finally, we can see that this is not a 56K modem or a fax signal; the spectral analyses just do not match.
So at this point we have to ask ourselves: is there really much further that we can go in manual mode?
And the answer there is yes, but with a set of caveats. There's variability whenever you play back the audio signal. I found that each time I played back even the same signal from the vendor application, the Audacity analysis would slightly vary in terms of which frequencies it shows when you do the labeling process. And of course, manually going through the process of playing a signal from an application, recording it into an audio editor, and doing that over and over again is very time-consuming, since, again, the app repeats the same signal multiple times. So even after you get a complete signal captured, you have to wait for the app to finish its full cycle before you can kick off another test permutation. And just to be clear, the only options we have to configure in this vendor application are the SSID and the passphrase for the wireless network, so there's not a whole lot of things that you can vary for the input.
Then one thing I noticed is that there's no readily apparent API to leverage the frequency detection portion of Audacity.
There's no CLI option, there's no readily available API option, and while I could have dug deeper into the Audacity code base to better understand how that's put together and hook into it, that really wasn't what I was trying to go for. That would be more of an aside as opposed to helping me on my main journey to reverse engineer and better understand this audio signal.
So with manual mode we can do black box signal reversing, we can try to brute-force reproduce the tones, we can attempt to match generated tones with the spectrographic views, and then of course just fuzzing, generating permutations until we find a match. This is a very tedious and time-consuming process, though, so I was looking for a better way to leverage what I have and what I know in order to improve this process.
So really the next step here is to do an analysis of the Android application, since the Android application is what generates the audio signals. Let's take a closer look at this vendor application. So how do we go about analysis of a software artifact? We could do things like executing it and logging the results in a sandbox or a test environment.
We can decompile the package. We can look for strings, anything that might relate to audio or sound or SSIDs and passwords, things of that nature. We can do a key method search, since Android uses a higher-level language, or at least I should say this APK is written in a higher-level language, and even though vendors can obfuscate their code, it's a lot harder to obfuscate the underlying library functions that you use as a vendor. So you could do a search for Android system calls or Android libraries that provide methods that you might need when dealing with audio and audio encoding. Once we figure out these code paths, we can attempt to do high-speed fuzzing, and then of course, if we identify something that has been obfuscated, we can try to go and deobfuscate it and attribute to the classes, the methods, the properties some other identifiers which make more sense to humans and help us better reason about the code, to really figure out how this all works.
Now let's talk a little bit about preparation. You need to prepare your computer to pull the APK off of your test device. If you've worked with Android before, you're probably already familiar with this. You need to make sure your developer mode is enabled and that you've allowed USB debugging. Make sure that you have Android Studio installed and that a version of adb is correctly placed in your path so that you can leverage it for the purposes of this. You'll want to extract the Android package, and here I show a few commands that you can use if you want to follow along afterwards and try this. You want to make sure that you take the output of each step and feed it into the next step, since what I have here is really only applicable to a BlackBerry Priv, because this is the test device that I had lying around after all these years to do this analysis on.
Once you have the APK, you can use a tool to decompile it. I leveraged JADX. You can go to the GitHub page, pull the latest release, and then it's very simple to decompile the code, just a quick one-liner. You will probably note that it'll show "finished with errors". I found that the errors did not negatively impact my analysis of the package, and I was not impeded in my journey.
Once you have the decompiled sources, you'll want to open up a new Android Studio project, open the decompiled sources from JADX, and then click a little button in the lower right-hand corner that says "configure the Android framework". Configuring the Android framework enables you to do things like find usages and go to definition, just all the goodness that you'd expect from a modern IDE. Once it's loaded, you'll see a bunch of classes on the side. The one that I have highlighted there is a u.ly, which is clearly obfuscated. As you drill into there, there's a bunch of obfuscated classes and methods.
Now a quick note on obfuscated code. What is obfuscation? Sometimes software makers want to hide their implementations. They want to impede you from figuring out how they work and from reverse engineering it to better understand what the underlying mechanisms of its operation are. With higher-level languages, you get terse, randomly generated identifiers. You might have a class named lowercase a, you might have a method named f999, or whatever the case may be. It's harder to obfuscate the use of system libraries in a higher-level language, since those decompile cleanly back to base libraries.
So why do we use Android Studio, or I should say, what's the advantage of using Android Studio in your manual obfuscation process? It's a very slick IDE. It's free.
It's readily available. It receives a lot of support; a lot of people use it. And then of course you get all the classic IDE functionality like find usages, go to declaration, things like that. With Android in particular, you get a logcat window which lets you search. You can also target specific applications that are running on a phone to reduce the verbosity of the messages that you see and better help you tailor your analysis.
Let's take a look at what we can do with this application. So, live log analysis. This is one of the first things I try, because being a developer myself, I know that oftentimes the debug logs will contain a wealth of information, and a regular user of the phone or the service or the application is just not going to see the debug output. So if you're rushing a release out the door and you don't disable your debug output, somebody like me is going to come along and hook up the Android phone to logcat and investigate for messages if we're curious about what's going on.
Now let's take a look at what logs we get as we start this application.
Here's the login screen. Here's a little capture from logcat, and we can see that there's some interesting information in there. There appears to be some kind of an encoded payload, there are some interesting strings in there, and we appear to be getting both informational and debug output. So there's a URL, the AP dot Java life net, you know, go Java's, and as we continue scrolling through the screen there are a lot more messages like this.
When you try the camera pairing process, you have to enter the SSID and the password, and at this stage we see that there's log output which logs the SSID, the password, and then what appears to be some kind of a randomly generated token. In this log output, I know it's really hard to see here, but there's a class that we can start to investigate, and then there's what appears to be an HTTP helper class, which is what helps send and receive messages back from the cloud server.
Let's try to pair to a camera and see what we get. So there's a button that says "click to send the sound wave". I just love it; it makes me smile when I see that. And when we send the sound wave, we get some additional information. It may not look like much, but there are a few strings here which can help in the analysis.
Just to recap what we've found so far: we found distinctive characters, we found URLs, we found a class to investigate, this bind device new activity. That sounds particularly fitting, given that we are trying to enable and configure a new camera device.
So where does this lead us? We can continue our search by taking those strings that we found in the log output and searching for them within Android Studio. As I searched through the decompiled output, I found a few things. It looks like the number one is used to delimit fields. They call the random generated code.
They call it a smart code. Then there's a character, sorry, a string "1" that's appended at the end of this little message block. And even though Android Studio is calling this message DB notify reached, I kind of wonder if this isn't a decompilation artifact of some kind, because it really is just the string of the character one.
So what is this smart code thing? I noticed that each time I tried to pair via the camera to the cloud app, this smart code would change. It would be different every time, and I could see by looking at this boot-up code that yes, every time that you attempt to pair the camera, you get characters and numbers for six characters, and that constitutes the smart code. But the question still remains: what is this thing? Having gone through this entire analysis process and seen it change every single time that I attempt to pair, and noticing that whenever I paired the camera a message was sent from the application up to the cloud server that included the random code, I can only presume that the back-end cloud service uses this random code to tie this camera to my user account in the cloud, since how else is the camera going to identify that it belongs to my account? So that's the best case that I have for what this code is used for.
As we continue looking through the strings, we can see other strings which guide us to processes.
Sorry, to functions, methods that warrant further investigation, like run and play voice. Both of those sound good. Let's take a closer look and do an extractive analysis. At this point we've uncovered a lot of functions, a lot of methods, static constants in the code base, and we want to take the key sections out of the vendor application and put them in a clean project so that we can perform an analysis.
Just a couple of notes on setting up the clean application. If you're looking at another application which, like this application here, leverages native libraries, you'll need to manually create a jniLibs folder, put all those compiled libraries into the jniLibs directory, and then you'll need to make the Java class that matches. The package structure has to be the same, so if this thing is called like com.i think voice in the vendor application, I can't call it com.test.reverse engineer. I have to name the package structure the same, because the way that JNI works, it requires those two things to match up.
Once you have your sample test project set up, you're able to perform a black box analysis of the code that's used to generate the signal. Along the way, one of the questions that I had was: what are the exact tones that are being generated by the application to pair and bind with the camera? Well, there's a class called vcode table, and as I ran it in this extracted project, it produced a mapping of all of the tones along with the characters that they map to. So this is what the characters map to: we have from zero to 4875 Hertz, and there are 16 states, so this is a hexadecimal-style encoding here.
Now, looking at what else we found here.
There are a lot of findings. We know that the application uses AudioTrack to play a signal, and we've identified how it creates the payload as far as the SSID, the password, the random code, and then the delimiters between those fields. We've identified control tones like the frequency begin and frequency end that are just static constants. There's also a space tone, which is used when two tones play back to back with the same tone: there's a little space tone that pops in, and that'll be better visualized. And there are methods which play the characters. There's the use of CRC values to help the camera know if it's received a complete signal or not. So there's been a wealth of information that we've uncovered through this process.
So what do we know now? We can reconstruct all of section one and section two of the signal, because each signal consists of three sections. And now that we can reconstruct section one and section two, really that just leaves section three, and I've highlighted in this image the part of the signal which is elusive at this stage in the analysis. This tone appears to be some type of error correction code. It doesn't exactly track with the CRC process that the rest of the code base uses, though, which left me wondering. And since this is generated by code that's in a native library, it means that I need binary analysis to dig deeper and try to figure out what's going on here.
My tool of choice is Ghidra. "Jidra", "Hedra", I don't know how to pronounce that. It's a free tool, it's very capable, and it does the job here. So to get set up with Ghidra, you'll want to visit their GitHub page, pull the latest release for your platform, and then follow the installation guide. Once you have Ghidra installed, create a new project and fill out all the wizard boxes.
I just took basically all the defaults and gave it a project name. Click the dragon icon and import the native library that you want to analyze. In my case I just went with the x86-64 library, since I'm a little bit more comfortable with x86 than I am with ARM libraries at the moment. When you click the Yes button, it'll go through and do an analysis of this compiled library, which you can then navigate in the UI.
So, reverse engineering with Ghidra. We need to know what we're looking at here. You want to go to your Android Studio project and make sure that you identify which methods in the higher-level language map to functions in the compiled library. Once you know that, you can look in the symbol tree, and you can see here that there are a number of Java com interops, so JNI interfaces, here in this native library. The methods that we're looking for are the get-and-voiced structures that are listed towards the bottom of the screen. And here's a closer view on what you would see in Ghidra as you do this analysis.
So now we just need to pick one of the functions and dig in. I focused on this intuitively named function called get voice-strecked Goki 2. I love the spelling of voice, and I don't know what Goki 2 means. This is the function, though, that generates the section 2 and section 3 output for the audio signal.
One thing that I noticed as I was doing this analysis is that on the Java side you pass in eight parameters to this native function, yet on the compiled side, when we look at the function signature in Ghidra, there are 10 parameters. So it seems a little odd, but doing a little bit of reading, I found that JNI calling conventions add two parameters. Yeah, let's talk about the note on JNI: there's a JNI environment pointer and then there's an object pointer, and these two parameters are front-loaded to the function signature. So those first two are just the environment and the object. This top picture is the raw decompiled view, just with all the generated identifiers that don't really make a lot of sense. The bottom picture shows it refactored in Ghidra to indicate that the first two parameters are JNI related.
Now let's continue the analysis. Inside of Ghidra there's a function decompiler window, and the nice thing about Ghidra is it's like most other IDEs that I've worked with. You can right-click on an identifier, you can rename it, you can highlight it. You can do things that'll help you analyze the flow of how a particular parameter is used and manipulated. So this function, get voice-strecked Goki 2, calls another function that leverages the inputs that are passed into this function. What I do when I do this type of analysis is, for each screen that I'm on, I try to rename and refactor the parameters and the functions to names that actually make some degree of human sense. So that's what I'll be doing here.
This is the cleaned-up view, and I know it's small, but the picture shows that each of those parameters is named to reflect what value it represents from the Android side, and then I go from there. I check the usages. Since this is decompiled, sometimes it doesn't exactly make the most sense. I noticed that input parameters are copied to local variables and then those local variables are used elsewhere. So in the analysis, just keep in mind what you're looking at. Track the flow through any type of intermediate steps that it goes through to see where it winds up being manipulated.
Now this is the raw view of that nested function. Fortunately for me, and almost conveniently so for this demo, this is a very small function. It's only about 58, actually about 56 lines long, so it makes it pretty easy to analyze. Again, since the identifiers are all terse and auto-generated, I need to refactor those into something that I can use. So start with what you know. Find a good starting point; even if you can't get all the names to something human-readable, just do what you know, and as you reason through the code, you'll find that the rest of the pieces can fall into place sometimes if you enter what you know.
As I went through this and did all the renaming, I found that the critical operation that I needed to apply in my reverse engineering project to replicate the signal three just came down to a shift. So this is the line: it takes the CRC'd SSID and then it shifts it to the right. That's a very simple operation for me to perform in my replicated Android project. It is not something that I was able to figure out just by reasoning through the Java or by passing in inputs to the library function and fuzzing the output. I think with enough time I probably would have figured it out, but I get a little impatient, and when I can go explore a little deeper and more fully understand how something works, I'll take that opportunity. So a shift: that's all I've got to do to replicate section three.
Now let's think about hacking the signal. How can we recreate this and manipulate it to serve our purposes? So let's look again at what we know.
This is the spectrographic waveform of a complete pairing cycle. The waveform is comprised of three sections of hexified data. Each section is prefixed and suffixed by control codes and section identifiers. We know that when two sequential tones are used, there's a space tone that shows up in between to help the camera better differentiate and identify distinct signals. The duration of each tone that I found is about 50 to 60 milliseconds, and we know the structure of each waveform section.
Let's look at section one. This one's a long one. It's got frequency begin, it's got delimited SSID, passphrase, and random code digits, it has CRCs of a bunch of data put together, and then it's got end tones. Section two is incredibly simple by comparison. All it's about is the smart code and just making sure that there's proper error correction on that randomly generated code. So that's very terse, very short, very easy to reason through. Section three is a little bit longer as well. We have some CRC codes in there, and we have another kind of mutilated version of the smart code. There's the passphrase bytes, another CRC, and then this thing wraps up.
So we can reproduce the signal now. We know every aspect of every part of the signal, and we are able to recreate it as a result. So that's where the demo comes into play. I created an application which can be used to pair this wireless camera to a wireless network without having to use the cloud application. This enables the camera to be further analyzed using more traditional network-style investigation techniques.
So with that, let's go ahead and take a look at the demo. In this demo we'll be pairing the wireless camera with a wireless network that's hosted on this laptop running hostapd, advertising a DEF CON 29 SSID. To do the pairing we will leverage the reverse engineered application that I created as part of this reverse engineering process, where I've configured the SSID and passphrase. Now, to get this camera to pair we need to wait for it to get into setup mode. After I plug it in we'll want to wait for the flashing lights, and at that point the camera should be susceptible to our suggestion that it pair to a specific network.

So I'll plug the camera into the power bank and start it up. On boot the camera shows a solid green light to indicate that it has power. After it goes through its setup sequence, you know, whatever that entails, I haven't been able to really probe that, it'll go into a flashing light mode where we can pass it along our message. So let's give this a try.

All right, with that tone it should indicate that the camera has received our pairing message, and in the Wireshark capture you will see that the camera is communicating with the network and that it's paired. So that is looking good.

Let's take another look at the pairing, this time from the screen recording that shows the Wireshark output of our packet capture. As the camera goes through its initialization sequence and receives our pairing code, it should show up requesting an address, which in this case I've targeted to be a specific one in advance. You can see here that it receives an IP address on the local demo network and it proceeds to query back home and attempt to call home and then do the cloud configuration bit.

We're going to try connecting to the camera's video now. One thing I do want to note about this camera is that the video connection can be a little bit iffy. It doesn't always work and can require three, four, you know, sometimes upwards of five different attempts to get the video signal to work. Here I'm showing an attempt to connect to the camera using VLC, but surprise surprise, it fires right up. So go figure.

Let's go ahead and wrap this up now. There are a few limitations that are worth noting. It's not easy to discover the device's administrative password. It is six hexadecimal characters and the password changes each time the camera is reset. It doesn't seem to be tied to MAC or serial number. So just kind of brute-forcing your way through it might be one decent option. The easiest option is just to have it pair once to the cloud and pull the password off of that. That is not the approach that I would prefer if at all possible, though.

It's not possible, or not really very easy, I should say, to decipher the camera-to-cloud communication. Based off of some of the code that I've seen in the application and what I've intercepted between the camera and the cloud servers, the camera has a local RSA key pair that changes on reset or potentially between each request. The payloads are encrypted and sent over to the server. So even though you can view the payloads by setting up a self-signed man-in-the-middle server, you can't really make sense of what the payloads are saying. So it could be worth some additional investigation.

You also get what you pay for. Even if you know the password, it doesn't always connect. VLC will sometimes connect and sometimes it will not, so just keep that in mind if you want to economize and save a buck or two on a cheap wireless camera.

So, thank you very much for attending my DEF CON talk. It's been a real pleasure to spend this time with you today. So thanks.