Monthly Archives: October 2014

Dashcam Hacking

I’ve been playing around with my Blackvue dashcam a bit recently. Partly for fun and partly to figure out if I can copy videos from it to my iPhone’s camera roll. Having Googled about a bit, I found an unusually helpful Amazon review, where someone talked about FTP-ing onto the camera and copying off the videos.

http://www.amazon.com/review/R5EAUUH05X1FZ/ref=cm_cr_pr_viewpnt#R5EAUUH05X1FZ

I liked the idea of this, so I gave it a go. Unfortunately, the Amazon post was about a DR500 and it seems Blackvue have changed a few things on the DR650 that I have, so my attempts didn’t work. I’ll explain a bit about what I did though, so anyone else that’s going down the same road can hopefully save some time.

According to the Amazon review, the Blackvue has a default IP address of 192.168.8.1. I confirmed this by scanning the network for devices. Sure enough, 192.168.8.1 was the only IP address on the network. A quick ping test showed a response from that address too, so a good start!

I tried putting the camera’s IP address into my web browser whilst connected to the camera’s WiFi & I got the following page:

Blackvue_web_root

Not especially useful, it’s just a blank page with “Blackvue” written on it, but it does confirm two things; I’ve got the right IP address for the camera and it’s running a web service. I tried a few variations on the URL, such as http://192.168.8.1/Blackvue, but none of them bore any fruit. Something I’d read on a forum indicated that there was a live stream available at http://192.168.8.1/blackvue_live.cgi, so I tried this. Sure enough, I got a live stream up on my screen:

Blackvue_web_live

I tried a few guesses at what the URL might be for the live stream of the rear camera, but I couldn’t figure it out. I then tried running a web crawler against the web site to see what pages were available, but nothing was returned. I guess this means that all the available pages are cgi scripts. Without being able to access the filesystem of the camera’s web root, I wouldn’t know what cgi scripts are availble, so I tried ssh-ing to the device. No joy.

Next, I tried a port scan on it, so see what my options were for getting into it. The following was returned:

Blackvue_scan

Looks like it’s a bit more tied down than the older DR500. There’s no telnet or FTP open, just DNS (port 53), which won’t be much use to me, and http (port 80), which I’d already found. It’d be great if I could somehow start an ssh server on there, but without getting into it in the first place, I can’t do that.

At this point, I’m bit stuck for a way to access the device. I need to start ssh, or ftp, or some sort of service that I can use to pull the files off the device. I downloaded the firmware for the camera from Pittasoft’s website. I thought if I could inspect the code, I could maybe modify it to give me a way in. Unfortunately, the firmware ships as a single binary file. I tried inspecting this, but I haven’t had much joy yet.

So, stuck again, I got to thinking how the Blackvue app copies files from the camera to the app. If the only service available for it to do this is http, then the files must either be available for download via http, or the app must run some sort of cgi script that starts an ssh/ftp server and copies the files over, then stops the server. My next trick will be to open the app and download a video clip, then do another port scan to see if something has been opened up during the transfer.

What would be really useful would be to get a look at the web root of a DR500, as I suspect most of the cgi scripts etc would be the same or similar to the DR650. I might be able to work out a way in if I could see what the scripts are doing. Unfortunately, I don’t have access to a DR500 to do this, so if you do and you’ve tried anything like this, I’d be interested to hear your comments.

UPDATE 17/10/2014:
I had a bit more of a play with the Blackvue today. I tried copying a video from the camera to my iPhone and running a port scan on the camera whilst doing so to see if the transfer had opened up FTP, or SSH or something. Nothing. This means that the videos must be transferred via HTTP download, which limits my options for getting into the camera. What I really want to do is start an SSH or telnet session on there, so I can do whatever I want, however with only port 80 available to me, that may be difficult.

You may have heard of a bug called ShellShock that’s been in the headlines recently. ShellShock is a bug in the way the bash shell handles environment variables and it’s possible to exploit it via cgi scripts on a vulnerable server. The DR650 uses a cgi script to serve the live feed. Thinking that it may well initiate bash in some way, I thought I’d try and exploit ShellShock on the DR650 to break into it and start an SSH shell.

I tried the following to try and start an ssh server on the camera:

wget -U “() { test;};echo \”Content-type: text/plain\”; echo; echo; /sbin/service sshd start” http://192.168.8.1/blackvue_live.cgi

What I’m trying to do here is set the Content-Type variable and add a bit of code on the end to try to exploit ShellShock and get bash to execute a command to start an SSH server. This didn’t work. There’s lots of reasons why that might be the case – the device might not be running a vulnerable version of bash (unlikely), the cgi script might not call bash, the command I’m trying to run might not be valid, the script might not use Content-Type, or a myriad of other reasons. I tried a few different permutations of this hack, before deciding to quit & try another approach.

From a bit of research, I believe that the DR650 uses a Texas Instruments chipset, running a DaVinci platform. A bit of digging shows that this platform is based on a Linux distribution called MontaVista. I’ll do a bit more research into that platform and see if I can refine my methods for getting into it.

In the meantime, I began looking through the firmware image I downloaded, having discovered it was gzipped and unzipped it. I’ve found a few useful bits of data. There seem to be very few files hosted by the camera’s web service. They are:

System/www/blackvue_live.cgi
System/www/blackvue_vod.cgi
System/www/upload.cgi
System/www/index.html

I already found the index.html and the blackvue_live.cgi, but I didn’t know about the other two. The upload.cgi file seems to be used to upload new config & firmware to the camera and blackvue_vod.cgi returns a list of video files stored on the camera. Could be useful!

upload.cgi
upload

blackvue_vod.cgi
blackvue_vod

The blackvue_vod.cgi file looked very interesting. I said earlier that the video files must be downloaded via HTTP, but I didn’t know their location. The output of blackvue_vod.cgi indicates that the files are in the web server’s docroot, under a /Record folder. The script also returns the full path & filename of every file available. I immediately tried a wget of one of the files and sure enough, it was downloaded onto my laptop 🙂

[~]$ wget http://192.168.8.1/Record/20141017_163635_NF.mp4
–2014-10-17 16:38:17– http://192.168.8.1/Record/20141017_163635_NF.mp4
Connecting to 192.168.8.1:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 64500078 (62M) [text/plain]
Saving to: ‘20141017_163635_NF.mp4’

100%[======================================================================>] 64,500,078 1.05MB/s in 60s

2014-10-17 16:39:16 (1.03 MB/s) – ‘20141017_163635_NF.mp4’ saved [64500078/64500078]

[~]$

Excellent! My original intention was to download the videos onto my iPhone’s camera roll so that I could then transfer them onto my laptop, but with this, I can hook my laptop up to the camera’s WiFi and download the videos straight to it. So, time to automate it a bit. I can get a list of files with a simple curl command:

[~]$ curl http://192.168.8.1/blackvue_vod.cgi
v:1.00
n:/Record/20141014_202528_NF.mp4,s:1000000
n:/Record/20141014_202528_NR.mp4,s:1000000
n:/Record/20141014_202629_NF.mp4,s:1000000
n:/Record/20141014_202629_NR.mp4,s:1000000
…..

This is then easily tidied up a bit with some simple sed to give me just the path and filenames:

[~]$ curl http://192.168.8.1/blackvue_vod.cgi | sed ‘s/^n://’ | sed ‘s/,s:1000000//’ | tail
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16508 0 16508 0 0 283k 0 –:–:– –:–:– –:–:– 424k
/Record/20141017_163635_NF.mp4
/Record/20141017_163635_NR.mp4
/Record/20141017_163736_NF.mp4
/Record/20141017_163736_NR.mp4
/Record/20141017_163837_NF.mp4
/Record/20141017_163837_NR.mp4
/Record/20141017_163937_NF.mp4
/Record/20141017_163937_NR.mp4
/Record/20141017_164052_PF.mp4
/Record/20141017_164052_PR.mp4
[~]$

This returns the paths of the most recent 10 videos. I can then use a simple for loop to pipe this into wget to download the videos:

[~]$ for file in `curl http://192.168.8.1/blackvue_vod.cgi | sed ‘s/^n://’ | sed ‘s/,s:1000000//’ | tail`
> do
> wget http://192.168.8.1$file
> done
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16332 0 16332 0 0 170k 0 –:–:– –:–:– –:–:– 201k
–2014-10-17 16:44:57– http://192.168.8.1/Record/20141017_163837_NF.mp4
Connecting to 192.168.8.1:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 63807644 (61M) [text/plain]
Saving to: ‘20141017_163837_NF.mp4’

100%[======================================================================>] 63,807,644 2.32MB/s in 55s

2014-10-17 16:45:52 (1.11 MB/s) – ‘20141017_163837_NF.mp4’ saved [63807644/63807644]

–2014-10-17 16:45:52– http://192.168.8.1/Record/20141017_163837_NR.mp4
Connecting to 192.168.8.1:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 23644147 (23M) [text/plain]
Saving to: ‘20141017_163837_NR.mp4’

100%[======================================================================>] 23,644,147 1018KB/s in 20s

2014-10-17 16:46:12 (1.16 MB/s) – ‘20141017_163837_NR.mp4’ saved [23644147/23644147]
……

It takes around a minute to download a video from the front camera and around 20-30 seconds for the rear camera. I probably don’t want to be downloading the entire contents of the memory card each time, but I can easily tell it to just download the videos from today:

[~]$ export BVDATE=`date +%Y%m%d`
[~]$ echo $BVDATE
20141017
[~]$ for file in `curl http://192.168.8.1/blackvue_vod.cgi | sed ‘s/^n://’ | sed ‘s/,s:1000000//’ | grep $BVDATE`
> do
> wget http://192.168.8.1$file
> done

All I need to do now is put this in a script, then I can download today’s videos by simply connecting my laptop to the camera’s WiFi and running the script.

I’m still interested in hacking the camera and getting a shell on there to play around a bit more, so I’ll continue to try to find a way in.

UPDATE (09/02/2015):

A recent update to the BlackVue app on the iPhone has enabled another option for exporting video – “COPY TO ALBUM” (no need to shout!). This copies the file to the camera roll:

iPhone 6 024

Advertisements

34 Comments

Filed under Cars, Gadgets

Blackvue DR650GW-2CH Dash-Cam

A while ago, I started using a dashcam app on my iPhone called CarCorder. I used this for a while and whilst it did the job well enough, it was a bit of a pest having to put my phone in the windscreen mount every time I got in the car. Also, the app drained my phone’s battery pretty quickly if it wasn’t plugged in to power. As a consequence, I got out of the habit of using it.

I recently decided to splash out & buy a proper dashcam, so I drew up a list of “must have” requirements that went something like this:

  • Good quality video, day and night, ideally HD
  • Large capacity to store the footage
  • Small & unobtrusive design
  • Able to be left in the car and automatically record every journey without user intervention
  • Built in GPS

I also had some “wants” that I didn’t consider quite so important, but would really like to have:

  • A rear camera as well as front
  • Wifi, to be able to get the footage off the device without removing the SD card
  • Parking mode

I spent a while looking around at the various dashcams on the market and found a market flooded with cheap, but crappy devices. After digging a bit further, I managed to find a few devices from more reputable manufacturers that looked of acceptable quality, however most of them were of an absurd size. A lot of the devices I looked at had screens on the back of them. Personally, I can’t understand this. Why do I need to see on a screen what I can already see out of my window? This type of device would be no good, as I wanted something as small as possible that could sit discreetly in the car permanently. I did find a few cameras that seemed small & unobtrusive and were reviewed well and I decided that a Blackvue DR550DW-2CH met my requirements the best.

I deliberated over buying the DR550 for a while, whilst I read some reviews to see if it was as good as it seemed. During this time, Blackvue launched an updated version, the DR650GW-2CH. This was much the same as the 550, but with a couple of things that I appreciated; an all-black finish (without the silver ring of the 550) and compatability with 64GB micro SD cards (as opposed to 32GB on the 550).

Note that the “GW” in DR650GW-2CH means it has GPS and WiFi and the “2CH” means it’s two channel, so it has a rear camera.

The DR650GW-2CH seemed to meet all my requirements, so I took the plunge and bought one. I bought mine from here:

http://www.blackvue.eu/Blackvue_DR650GW.php

I paid £329 for the camera, with a free Smart Power kit. Of course, the day after mine arrived, they dropped the price to £310. Sigh.

The camera arrived last week and I took a few pics of the box:

On the left is a soft pouch, then the SmartPower kit and the Blackvue box on the right.
Blackvue_box_ext

The front camera (top) and rear camera (bottom).
Blackvue_box_int

The other bits that come in the box; cables, a micro-SD card reader and some cable tidy sticky pads.
Blackvue_box_bits

I installed my kit last week and found the installation really easy. They say they recommend having the device fitted by a professional, but I really wouldn’t bother if you’re at all handy with this sort of thing. It took me around half an hour to install and I wasn’t in any real hurry. Firstly, I fitted the front camera in a spot behind my rear view mirror. I have a bunch of sensors for lights & windscreen wipers behind my mirror, so I had to put mine slightly to the side. I then connected the power lead and ran it around the windscreen, under the passenger dash and along the transmission tunnel to a cigar lighter socket in my center console. The kit comes with little sticky pads to help you clip your cable to your windscreen, but I didn’t use any of these. Instead, I just tucked the cable in gaps in the trim as it gives a neater install, with the cables all completely invisible. Also, I have a heated windscreen and I wasn’t sure how well the glue on the sticky pads would cope with that.

The camera installed behind my rear-view mirror
Blackvue_front_closeBlackvue_front_screen

After fitting the power cable, the main device was ready to go! I still had to fit the rear camera though, so I ran the single cable from the front camera to the back of the car and installed the rear camera at the top of the rear window. I was a bit worried the cable wasn’t going to be long enough to reach to the rear camera whilst taking a slightly indirect route in order to hide the cable well. As it turned out, there was about 6″ spare cable in the end. Depending on the size of your car, this may or may not be an issue. My car is a Jaguar XF, so anything much bigger than that and you’ll probably struggle, but you should be ok with something around the same size, or smaller.

The rear camera
Blackvue_rear_closeBlackvue_rear_screen

I’ve read reports of the older DR550GW’s rear camera cable interfering with DAB radio antennas. My car has a DAB radio antenna in the rear window and the camera’s cable runs pretty close to it. I’ve had no issues with either my DAB radio, or the rear camera since installing it, so I guess the issue doesn’t apply to the DR650GW-2CH.

I have my power connector plugged into a cigar lighter socket, which means that the camera starts automatically when I unlock the car and turns off automatically when I lock it. My kit came with a Smart Power adapter, which looks like it’s designed to connect directly to the car’s battery. This has a little black box that controls the power to its own cigar lighter socket which you then plug your camera into. The idea is that the camera then has permanent power, meaning parking mode can be used. The black box is supposed to monitor the battery’s power level and cut power to the camera when it goes below a certain voltage, in order to prevent your camera from draining your car’s battery. I haven’t installed this yet, but I intend to, as soon as I’ve figured out my car’s fuseboxes well enough to find a suitable spare fuse to attach the device to.

Once my camera was set up in the car, I enabled WiFi, by simply pressing the WiFi button on the side of the camera. The camera responds with a voice confirmation of “WiFi enabled”. Nice. I then connected my iPhone to the WiFi network provided by the camera and opened the BlackVue app. I could then select the WiFi connection and view a live feed from the camera in order to position the cameras optimally. I had a look through the settings via the app and decided that I didn’t want most of the voice confirmation messages that you get when the camera powers on, off, records an event etc, but I still wanted voice confirmations when I turned WiFi on/off or enabled/disabled sound recording.

After going for a short test drive, I connected to the camera via the app again and downloaded the footage from the front and rear cameras to my phone. I could then view the videos from within the app, including a map overlay showing the car’s position, as well as a small bar at the bottom showing the car’s speed.

Video playback in the iPhone app
Blackvue_playback_front

I later on tried to copy the video from my phone onto my PC, but found that I couldn’t. When you save a video to “Internal Storage” in the Blackvue app, it doesn’t put it in your camera roll on iOS (not sure about on Android). Instead, it seems to keep the video within the app, meaning you can’t easily copy it off your phone. The options in the app let you upload it to YouTube, but that’s about the only way of getting video out of the app as far as I can tell. This seems like a bit of an oversight and hopefully a future software update will bring a way to get the footage off my phone. In the meantime, I’ve got a few ideas of how to get the videos into my phone’s camera roll and I’ll post an update if I have any luck. In the meantime, I can get the video onto my PC by simply removing the micro SD card from the camera and putting it into my PC. This is no worse than most of the other cameras on the market, so I’ve not lost a great deal here.

Options available for exporting videos within the Blackvue app
Blackvue_app_export

First impressions of the DR650GW-2CH are good. I’ll update this post as & when I play with it and discover more features.

3 Comments

Filed under Cars, Gadgets

Clifton Engagement Ring Presentation Case

I recently proposed to my girlfriend of five years (she said yes, you’ll be pleased to hear!). I chose to propose whilst away on holiday, which posed challenges with keeping it a surprise until the right moment. I was worried about getting the ring through airport security without them giving my game away, but I was more concerned about how to present the ring nicely when I proposed, whilst being able to conceal it until then.

Most rings come in a presentation box of some kind. These are usually perfectly nice, but reasonably bulky. As I was intending to propose in New York in September, the weather was pretty warm, so I wasn’t wearing a coat, or anything with a lot of scope for concealing a bulky ring presentation case.

Not long before we were due to go away to New York, I came across the Clifton presentation case, by a Vancouver based packaging designer called Andrew Zo. He’d designed a presentation case that elegantly answered my problem. His case is slim and small, about the size of a credit card and around 1cm thick. Here it is below against an iPhone 5 for a size comparison:
Clifton_closed_flatClifton_closed_side

The case holds the ring flat, but when opened, via some origami genius, it swivels the ring, so it’s presented upright in all its glistening glory…

ring1
(image credit Andrew Zo – http://andrewzo.com/)

With only just over a week to go until we flew to New York, I got in touch with Andrew to make sure he’d be able to get a case to me in time before I submitted an order via the website. Andrew was really helpful and understanding of my timescale predicament, despite high demand for the product. In the end, I paid for an express UPS delivery, which though expensive, got the case to me in time.

The case works really well and holds the ring snugly, presenting it beautifully. It’s expensive, at $99CAD but I figured you can’t put a price on that special moment and once converted to GBP, it works out at a more palatable £55 or so, depending on the exchange rate. If you’d like one, you can order online here:

http://clifton.andrewzo.com/product/clifton/

Here you can see my case open, showing where the ring slots into the holder and the cut-outs where it lives when closed:

Clifton_open

Summary:
A brilliant idea that elegantly solves a real problem for nervous men the world over. It’s pricey, but it’s also beautifully hand made from quality materials. I’m really glad I bought one and it served its purpose perfectly.

Leave a comment

Filed under Uncategorized

Issentiel iPhone 6 Pouch

Since my shiny new iPhone 6 (4.7″ version) arrived a week or so ago, I’ve been keeping it my pocket, unprotected by a case. For the past few years, I’ve used iPhone cases that I’d describe as leather slip pouches, where you slide your phone inside and remove it by pulling a toggle that lifts the phone out of the pouch. I guess it’s just personal preference, but I prefer to use my iPhone unhindered by cumbersome addenda. This type of case allows me to carry it around protected, but to be able to easily remove it from the case, so I can use it as Apple intended.

After ordering my iPhone 6, I had a look around for this type of case, but there were none that caught my eye. I used to use a Snugg case for my iPhone 5, which I liked a lot, but their iPhone 6 version isn’t yet available and is only available to pre-order in black, which I’m not so keen on:

http://www.thesnugg.co.uk/smartphone-cases/apple/iphone-6/pouch/black-pouch.aspx

After a bit more looking around, I found the Issentiel “Allure” range of iPhone 6 pouches in a variety of colours. They’re a bit pricey at £29.90, but a bit different too, so I thought I’d give them a go.

http://www.issentiel.co.uk/apple/iphone-6-leather-cases/iphone-6-leather-pouch-allure.html

I ordered a case from their website direct, which I was able to pay for via PayPal, so plus points for not making me type my card details. They dispatched the case, which I was able to track on its journey from France via FedEx tracking. When it arrived, it came in a well packaged parcel, in a rather unnecessarily fancy box.

issentiel_box

Opening the box revealed a sock for my leather pouch to live in. Again, a bit of an unnecessary extravagance.

issential_box_inside

Then, I got to the pouch itself and first impressions were good. It has a good quality feel, with nice detailing.

issentiel_top

I’ve been using it for a couple of days now and over the course of daily use, I’ve made the following observations, positive and negative:

+ I really like the style & colour. I was initially a bit unsure about the blue, but I like it. It’s different.
+ When I pull the toggle to remove the phone, a good 1/3 of the phone pops out. Some other cases have much shorter toggles where just a slither of phone is released & you have to grapple it out of the case

When the phone is in the case in my pocket, the ringer is more muted than I’d expect, meaning I end up turning up the volume, which then startles me when it’s on my desk outside of the case and it rings more loudly than I expect. This is probably because the holes in the bottom of the case for the speaker don’t line up at all with the actual speaker! Bit of a design flaw in my opinion. My old Snugg case for the iPhone 5 had the holes in just the right place.
issentiel_speaker
The tab that you pull to remove the phone doesn’t have a magnet built into it. My old Snugg case had a magetic tab, which used to attach itself to the case to keep it in place. I liked this. In comparison, this one just flops about. The plus side is that the tab itself is thinner and causes less of a bulge on the back of the case. I’m not even sure how useful the little magnet was in my old case, but I miss it all the same.

issentiel_back

issentiel_inside

Summary:

I think overall, I like the Issentiel case. The style and range of colours are great and a bit different from other cases on the market. I do think they’re a bit pricey though. The Snugg case is half the price (£14.99 vs. £29.90 for the Issentiel) and looks better designed in terms of functionality. Although the Snugg is currently only available in black leather, I’m sure more options will become available in time. I’d rather Issentiel saved some money on the overly fancy packaging and either spent it on development to put the speaker holes in the right place, or just made the thing cheaper.

Leave a comment

Filed under Uncategorized