GoPro HERO7 Black Teardown

Posted by Mark Kirschenbaum on Oct 22, 2018

The GoPro HERO7 Black (codename: Tavarua) has been promoted as having "gimbal-like" stabilization. This leads to the question, what changed from the GoPro HERO6 to make the GoPro HERO7 Black ultra-smooth? The answer is:

Nothing substantial in hardware
New features in software

Hypoxic debugging the HERO7 hardware with a "Debug Cable"

All-in-all, they added an Apple MFI chip, a USB charger chip, and the big one... an additional 1GB of RAM. When you choose a GoPro HERO7 Black over a GoPro HERO6, you are really buying a software update and more RAM.

Minor Hardware Changes

An Apple MFI chip has been added so that the camera can automatically setup and get Wifi information from your Apple device. They can also now display this logo:
The detection of an USB charging device is no longer done by two separate systems: the PMIC and the authentication MCU. It now has it's own dedicated chip on the i2c bus.
The RAM is still running at 600Mhz, but it is now 2GB vs. 1GB.

GoPro HERO6/HERO7 insides
From an excellent video on the technology by GoPro Inc, "Behind the Lens"

GoPro HERO7 Black Design Wins

Similar to our GoPro HERO6 Teardown.

Socionext SC2000A custom	Imaging Processor "GoPro GP1" processor (M9M) Cortex A7 hardware Floating Point / CEVA DSP / Cortex M0 coprocessor
NEW Apple MFI	For Wi-Fi Accessory Configuration (WAC)
Changed DDR	2GB 600Mhz
NEW Pericom PI3USB9281	Protecting against bad chargers, detecting power, usb pin muxing.
NXP PCF85063A	Realtime Clock with Alarm. This was missing from the GoPro HERO6 writeup
eMMC	UHS-3 Approximately 1.2GB. Vendor unknown. For firmware & setting storage.
Qualcomm qca9377	WIFI/BLE Dual-band 1 x 1 802.11ac + Bluetooth 4.1 FCC: SPCH1
DSP Group DBMD4	"Ultra Low Power Always-On Voice Activation for Any Device"
UBlox UBX-M8030-CT	GPS Receiver u-blox M8 GNSS chip, WL-CSP47, Standard grade
Sony IMX277	Sensor 12MP 44fps max @ full res, 1/2.3, 1.55 pixel size, SLVS-EC 8Lane
Active Semi ACT9150	PMIC (Power Management IC) for Socionext. Power supply, charging, and LED control.
Sitronix st7570	Front Display 128 X 129 Mono LCD
FocalTech ft6306	Touch Panel Controller with display produced by JDI, NVD or US Micro
Sitronix st7796s	3.5" TFT \| 320x480
Microchip SAM L22	USB-C PD / Accessory Sentinel / Battery authentication / Reset Handler, most likely always "on" 64Kb Encrypted bootloader & app MCU_APP_CHP1 v. 1.0.9 upgraded fw MCU_BLD_CHP1 v. 5.0.2 upgraded fw
Bosch BHA250	Smart hub, accelerometer, eCompass
Bosch BMG250	Digital 3-axis angular rate sensor
Microphone Updated?	Unsure at this time if they just changed the mechanical audio tunnel, the waterproof membrane, or if it is in fact a new mic.

Can I make my GoPro HERO6 into a GoPro HERO7 Black?

The answer is a big maybe.

As with the GoPro HERO5/HERO 2018, there is no differences in the device tree between the GoPro HERO6/HERO7 Black. This means linux sees nothing different between the two cameras when it boots. The GoPro HERO6/7 don't use the DTB as much as a the HERO5 architecture, so this is not as much as an indicator as in the past.

The FCC ID of the GoPro HERO7 Black is the same as the GoPro HERO6, and with the Qualcomm Wifi/BLE being on the motherboard, they really couldn't change much without voiding their FCC certification. This is a great spot to point out that the GoPro HERO7 [White,Silver] are based on a brand new hardware with the Image Processor being from Qualcomm.

We predict the camera should boot up with 1GB of RAM and there is provisions in there to handle the 1GB DDR part in the early boot. However, it's going to crash hard as most of the allocating functions fall out when 2GB ram is not available. I've spent way too much time looking into how the memory map is defined and provisioned. In the end, it's honestly it's not worth my time. With that said, someone could setup the memory maps for 1GB and lock out the functions that run out of RAM.

Word on the street is they couldn't source the 1GB parts. If this was true, the provisioning for the 1GB devices would have been left in the firmware. I don't see this for most of the memory pool allocating functions so feel this holds a little weight.

Geek Out || Side Note
See FJ_GetMem, FJ_SetSDRAMMapMode for allocating methods. CAMFWV.bin[4:7] is where the camera device id is stored if you have the time to tweak each of the 13+ alignment type allocation types. Definitely do this only if you know what you are doing. I haven't determined if a ROM bootloader exists yet.

Should I worry about the GoPro HERO7 Black?

If you're using these cameras for military ops, an undercover journalist, or just someone who enjoys their privacy; be careful of how you use your GoPro Camera. In a future installment, I will elaborate on the various attack vectors, but wanted to give you my immediate recommendations first.

Your GoPro is Insecure

NEVER Use your camera with WiFi
The entropy of the WiFi password is so low that it can be 100% cracked in seconds via an offline attack. Once an attacker has access to your camera, they can download your footage, spy on you, get your GPS data, and even install malware onto your camera. Even though the camera uses WPA2-PSK, the complete password dictionary has only 260,000 entries. For example a GoPro Wifi password will look like: wave1234 or snow5678. In all, there are only 26 sports and four [0..9] numeric digits. 26 x 10^4 possibilities!
An offline attack will literally takes seconds to perform with a GPU. The battery life is the only limit to how long access will survive. The camera does stay "armed" for 8hrs in a low power mode. It could be woken up by an authenticated BLE device once every 8hrs to keep it armed for a very long time.
Note KonradIT did send GoPro a notice about this vulnerability, but a CVE does not exist. Our github repo with the full dictionary file https://github.com/hypoxic/gopro-pwCreator
NEVER Connect your camera directly to your computer over USB.
An attacker could have compromised your device, making it work as an Keyboard (trusted device) or an Ethernet over USB device. This can be used to trampoline or tunnel onto your network. If you are an at risk user, always use a card reader with a good virus scanner. If you are MIL, please use a non-operations computer.
The above vulnerabilities added with the Apple MFI authentication device, now makes your camera a skeleton key to your network. Remember Target got hacked through their HVAC provider.
Nothing can really prevent a user from an "Evil Maid" attack with any IOT (internet of things) devices. With that said, if your situation requires OPSEC, and the camera has been out of your hands, perform a Factory Reset and manually update the firmware.

As far as I can tell, none of these vulnerabilities have been exploited in the wild, but it would be easy for a threat actor to create a tainted device. These vulnerabilities are not new for IOT devices. What is new, is how commonplace these cameras are with military personnel and journalist on the run who require OPSEC.

Final Thoughts

Is the GoPro HERO7 Black worth it?

I'd say yes. Shaky video makes your viewer sick. If you can afford it, definitely spring for the software upgrade. The stabilization in GoPro HERO7 Black over the GoPro HERO6 is well worth the extra dough. The new features are pretty nice and add another tool to your toolbox.

More Information

Our GoPro HERO6 Teardown is a great resource for more in depth analysis about this camera as it's the same hardware. The raw data gleamed from the camera can be found on our Github account: https://github.com/hypoxic/gopro-HERO7

Please contact us for any GoPro, Yi, or Sony camera firmware adaptations or security needs.