Dashcam Hacking

I’ve been playing around with my Blackvue dashcam a bit recently. Partly for fun and partly to figure out if I can copy videos from it to my iPhone’s camera roll. Having Googled about a bit, I found an unusually helpful Amazon review, where someone talked about FTP-ing onto the camera and copying off the videos.

http://www.amazon.com/review/R5EAUUH05X1FZ/ref=cm_cr_pr_viewpnt#R5EAUUH05X1FZ

I liked the idea of this, so I gave it a go. Unfortunately, the Amazon post was about a DR500 and it seems Blackvue have changed a few things on the DR650 that I have, so my attempts didn’t work. I’ll explain a bit about what I did though, so anyone else that’s going down the same road can hopefully save some time.

According to the Amazon review, the Blackvue has a default IP address of 192.168.8.1. I confirmed this by scanning the network for devices. Sure enough, 192.168.8.1 was the only IP address on the network. A quick ping test showed a response from that address too, so a good start!

I tried putting the camera’s IP address into my web browser whilst connected to the camera’s WiFi & I got the following page:

Blackvue_web_root

Not especially useful, it’s just a blank page with “Blackvue” written on it, but it does confirm two things; I’ve got the right IP address for the camera and it’s running a web service. I tried a few variations on the URL, such as http://192.168.8.1/Blackvue, but none of them bore any fruit. Something I’d read on a forum indicated that there was a live stream available at http://192.168.8.1/blackvue_live.cgi, so I tried this. Sure enough, I got a live stream up on my screen:

Blackvue_web_live

I tried a few guesses at what the URL might be for the live stream of the rear camera, but I couldn’t figure it out. I then tried running a web crawler against the web site to see what pages were available, but nothing was returned. I guess this means that all the available pages are cgi scripts. Without being able to access the filesystem of the camera’s web root, I wouldn’t know what cgi scripts are available, so I tried ssh-ing to the device. No joy.

Next, I tried a port scan on it, to see what my options were for getting into it. The following was returned:

Blackvue_scan

Looks like it’s a bit more tied down than the older DR500. There’s no telnet or FTP open, just DNS (port 53), which won’t be much use to me, and http (port 80), which I’d already found. It’d be great if I could somehow start an ssh server on there, but without getting into it in the first place, I can’t do that.

At this point, I’m a bit stuck for a way to access the device. I need to start ssh, or ftp, or some sort of service that I can use to pull the files off the device. I downloaded the firmware for the camera from Pittasoft’s website. I thought if I could inspect the code, I could maybe modify it to give me a way in. Unfortunately, the firmware ships as a single binary file. I tried inspecting this, but I haven’t had much joy yet.

So, stuck again, I got to thinking how the Blackvue app copies files from the camera to the app. If the only service available for it to do this is http, then the files must either be available for download via http, or the app must run some sort of cgi script that starts an ssh/ftp server and copies the files over, then stops the server. My next trick will be to open the app and download a video clip, then do another port scan to see if something has been opened up during the transfer.

What would be really useful would be to get a look at the web root of a DR500, as I suspect most of the cgi scripts etc would be the same or similar to the DR650. I might be able to work out a way in if I could see what the scripts are doing. Unfortunately, I don’t have access to a DR500 to do this, so if you do and you’ve tried anything like this, I’d be interested to hear your comments.

UPDATE 17/10/2014:
I had a bit more of a play with the Blackvue today. I tried copying a video from the camera to my iPhone and running a port scan on the camera whilst doing so to see if the transfer had opened up FTP, or SSH or something. Nothing. This means that the videos must be transferred via HTTP download, which limits my options for getting into the camera. What I really want to do is start an SSH or telnet session on there, so I can do whatever I want, however with only port 80 available to me, that may be difficult.

You may have heard of a bug called ShellShock that’s been in the headlines recently. ShellShock is a bug in the way the bash shell handles environment variables and it’s possible to exploit it via cgi scripts on a vulnerable server. The DR650 uses a cgi script to serve the live feed. Thinking that it may well initiate bash in some way, I thought I’d try and exploit ShellShock on the DR650 to break into it and start an SSH shell.

I tried the following to try and start an ssh server on the camera:

wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /sbin/service sshd start" http://192.168.8.1/blackvue_live.cgi

What I’m trying to do here is set the Content-Type variable and add a bit of code on the end to try to exploit ShellShock and get bash to execute a command to start an SSH server. This didn’t work. There are lots of reasons why that might be the case – the device might not be running a vulnerable version of bash (unlikely), the cgi script might not call bash, the command I’m trying to run might not be valid, the script might not use Content-Type, or a myriad of other reasons. I tried a few different permutations of this hack, before deciding to quit & try another approach.

From a bit of research, I believe that the DR650 uses a Texas Instruments chipset, running a DaVinci platform. A bit of digging shows that this platform is based on a Linux distribution called MontaVista. I’ll do a bit more research into that platform and see if I can refine my methods for getting into it.

In the meantime, I began looking through the firmware image I downloaded, having discovered it was gzipped and unzipped it. I’ve found a few useful bits of data. There seem to be very few files hosted by the camera’s web service. They are:

System/www/blackvue_live.cgi
System/www/blackvue_vod.cgi
System/www/upload.cgi
System/www/index.html

I already found the index.html and the blackvue_live.cgi, but I didn’t know about the other two. The upload.cgi file seems to be used to upload new config & firmware to the camera and blackvue_vod.cgi returns a list of video files stored on the camera. Could be useful!

upload.cgi
upload

blackvue_vod.cgi
blackvue_vod

The blackvue_vod.cgi file looked very interesting. I said earlier that the video files must be downloaded via HTTP, but I didn’t know their location. The output of blackvue_vod.cgi indicates that the files are in the web server’s docroot, under a /Record folder. The script also returns the full path & filename of every file available. I immediately tried a wget of one of the files and sure enough, it was downloaded onto my laptop 🙂

[~]$ wget http://192.168.8.1/Record/20141017_163635_NF.mp4
--2014-10-17 16:38:17-- http://192.168.8.1/Record/20141017_163635_NF.mp4
Connecting to 192.168.8.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 64500078 (62M) [text/plain]
Saving to: ‘20141017_163635_NF.mp4’

100%[======================================================================>] 64,500,078 1.05MB/s in 60s

2014-10-17 16:39:16 (1.03 MB/s) - ‘20141017_163635_NF.mp4’ saved [64500078/64500078]

[~]$

Excellent! My original intention was to download the videos onto my iPhone’s camera roll so that I could then transfer them onto my laptop, but with this, I can hook my laptop up to the camera’s WiFi and download the videos straight to it. So, time to automate it a bit. I can get a list of files with a simple curl command:

[~]$ curl http://192.168.8.1/blackvue_vod.cgi
v:1.00
n:/Record/20141014_202528_NF.mp4,s:1000000
n:/Record/20141014_202528_NR.mp4,s:1000000
n:/Record/20141014_202629_NF.mp4,s:1000000
n:/Record/20141014_202629_NR.mp4,s:1000000
…..

This is then easily tidied up a bit with some simple sed to give me just the path and filenames:

[~]$ curl http://192.168.8.1/blackvue_vod.cgi | sed 's/^n://' | sed 's/,s:1000000//' | tail
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16508 0 16508 0 0 283k 0 --:--:-- --:--:-- --:--:-- 424k
/Record/20141017_163635_NF.mp4
/Record/20141017_163635_NR.mp4
/Record/20141017_163736_NF.mp4
/Record/20141017_163736_NR.mp4
/Record/20141017_163837_NF.mp4
/Record/20141017_163837_NR.mp4
/Record/20141017_163937_NF.mp4
/Record/20141017_163937_NR.mp4
/Record/20141017_164052_PF.mp4
/Record/20141017_164052_PR.mp4
[~]$

This returns the paths of the most recent 10 videos. I can then use a simple for loop to pipe this into wget to download the videos:

[~]$ for file in `curl http://192.168.8.1/blackvue_vod.cgi | sed 's/^n://' | sed 's/,s:1000000//' | tail`
> do
> wget http://192.168.8.1$file
> done
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16332 0 16332 0 0 170k 0 --:--:-- --:--:-- --:--:-- 201k
--2014-10-17 16:44:57-- http://192.168.8.1/Record/20141017_163837_NF.mp4
Connecting to 192.168.8.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 63807644 (61M) [text/plain]
Saving to: ‘20141017_163837_NF.mp4’

100%[======================================================================>] 63,807,644 2.32MB/s in 55s

2014-10-17 16:45:52 (1.11 MB/s) - ‘20141017_163837_NF.mp4’ saved [63807644/63807644]

--2014-10-17 16:45:52-- http://192.168.8.1/Record/20141017_163837_NR.mp4
Connecting to 192.168.8.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23644147 (23M) [text/plain]
Saving to: ‘20141017_163837_NR.mp4’

100%[======================================================================>] 23,644,147 1018KB/s in 20s

2014-10-17 16:46:12 (1.16 MB/s) - ‘20141017_163837_NR.mp4’ saved [23644147/23644147]
……

It takes around a minute to download a video from the front camera and around 20-30 seconds for the rear camera. I probably don’t want to be downloading the entire contents of the memory card each time, but I can easily tell it to just download the videos from today:

[~]$ export BVDATE=`date +%Y%m%d`
[~]$ echo $BVDATE
20141017
[~]$ for file in `curl http://192.168.8.1/blackvue_vod.cgi | sed 's/^n://' | sed 's/,s:1000000//' | grep $BVDATE`
> do
> wget http://192.168.8.1$file
> done

All I need to do now is put this in a script, then I can download today’s videos by simply connecting my laptop to the camera’s WiFi and running the script.
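The listing-to-download step above, written as a script. This is an added example, not the author's code: it treats the listing as untrusted device output and only passes on lines that match the `n:/Record/<date>_<time>_<XX>.mp4,s:<number>` shape seen in the curl output, after stripping any carriage returns. The function names, the `CAMERA` variable, the acceptance of any numeric `s:` value and the sample listing are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: validate blackvue_vod.cgi output before handing it to wget.
# CAMERA defaults to the address used in the post (override via environment).
CAMERA="${CAMERA:-192.168.8.1}"

# Read a listing on stdin, print the video paths recorded on date $1 (YYYYMMDD).
# Only lines of the exact form n:/Record/<8 digits>_<6 digits>_<2 caps>.mp4,s:<digits>
# survive; the version line, stray whitespace and path tricks are dropped.
bv_list_paths() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "usage: bv_list_paths YYYYMMDD" >&2; return 2 ;;
    esac
    tr -d '\r' |
    LC_ALL=C sed -n -E \
        's#^n:(/Record/[0-9]{8}_[0-9]{6}_[A-Z]{2}\.mp4),s:[0-9]+$#\1#p' |
    awk -v d="$1" 'index($0, "/Record/" d "_") == 1'
}

# Fetch the listing from the camera and download that date's videos.
# read -r plus a quoted URL avoids the word splitting of the backtick loop;
# wget -c resumes a partial file instead of starting again.
bv_fetch_date() {
    curl -fsS --max-time 10 "http://${CAMERA}/blackvue_vod.cgi" |
    bv_list_paths "$1" |
    while IFS= read -r path; do
        wget -c "http://${CAMERA}${path}"
    done
}

# Constructed sample listing (not captured from a camera): CRLF line endings,
# a second date, a different s: value, and two malformed entries.
bv_sample_listing() {
    printf 'v:1.00\r\n'
    printf 'n:/Record/20141017_163635_NF.mp4,s:1000000\r\n'
    printf 'n:/Record/20141017_163635_NR.mp4,s:1000000\r\n'
    printf 'n:/Record/20141016_090000_NF.mp4,s:1000000\r\n'
    printf 'n:/Record/20141017_164052_PF.mp4,s:2000000\r\n'
    printf 'n:/Record/20141017_170000_NF.mp4 extra,s:1000000\r\n'
    printf 'n:/Record/../Record/20141017_170500_NF.mp4,s:1000000\r\n'
}

# Offline demonstration: prints the three valid paths for 20141017.
bv_sample_listing | bv_list_paths 20141017

# On the camera's WiFi, today's videos would be fetched with:
#   bv_fetch_date "$(date +%Y%m%d)"
```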

I’m still interested in hacking the camera and getting a shell on there to play around a bit more, so I’ll continue to try to find a way in.

UPDATE (09/02/2015):

A recent update to the BlackVue app on the iPhone has enabled another option for exporting video – “COPY TO ALBUM” (no need to shout!). This copies the file to the camera roll:

iPhone 6 024


26 responses to “Dashcam Hacking”

  1. Chris

    This is a fantastic post. I recently bought the DR650GW-2CH, and my goal was to automatically pull the videos from the camera to my phone at the end of the day, in a way that did not require removing the SD card. I started with the same approach, looking for SSH or FTP services running on the device. Same conclusion that all we have to work with is the web service on port 80. Your discovery of the “blackvue_vod.cgi” which returns the file listing is very good. I can now make a script which downloads the video files, and use that with “tasker” (a popular android automation app). Imagine this scenario: I am close to home (GPS based), my phone auto connects to the blackvue and downloads any video files not previously downloaded. Then I can archive those to my home network if needed.

    Thank you for the head start on the bash script too. That will work nicely to automate downloading from the camera. Please post any further progress you made, and I will do the same.

  2. steve

    I’m not as savvy in wget as you are… I’m able to run the vod cgi script to get the filenames on the 650. Can you provide instructions on how to get files off in a simple windows environment?

  3. steve

    I did get it running… I used a standard windows .bat file and curl.exe and wget.exe. I also used a winword macro to manipulate the text file. Any clue on where the GPS data is stored?

  4. steve

    OK… found them. In the same /Record folder there are .gps files and .3gf. Looks like there is no GPS data in the file for Parking mode. The file exists, it’s just empty.

    • Hi Steve, apologies, I’ve been away & offline over Christmas. Sounds like you’ve sorted things out yourself though. I’m afraid I’m not that familiar with Windows, so all the commands in this blog were run via Cygwin on a Windows laptop. Sounds like you’ve found native curl & wget clients for Windows, so there’s another option. Like you say, the GPS files are also in the /Record folder and you can use them separately if you wish, to import them into Google Earth for example, which can do some cool stuff, like show which bits of your journey were fast & slow via different colours on the route line. Lots of possibilities! I hadn’t noticed the GPS files are empty for parking mode, though it makes sense I guess. It presumably only bothers writing GPS data if the coordinates are different to the last entry.

      Glad you’ve found this post useful and found a way to get the data off your dashcam. Please comment again if you find anything else new or interesting!

  5. Angelo K

    Is there any way of downloading these videos to my iPhone’s Dropbox account? I have a jailbroken device with ifile. I am okay with technical stuff, just not programming. Much appreciated.

    • Hi Angelo,

      This sounds like one of those things that should be dead easy, but will probably end up being a pain, I’m afraid! The only way I can think of to get files between applications on iOS is to either use the camera roll, which we already know the Blackvue app doesn’t use, or to use copy & paste. One of the options in the Blackvue app, when you hold down on a video file is to “copy”. I don’t know whether the Dropbox app lets you paste things into it, but if it does, that might be worth a try. If not, then I’m not sure how you’d be able to do it, unless you could find an iOS wget app that allows you to upload to Dropbox or something. It seems a fairly obvious upgrade for Blackvue to offer upload to Dropbox in their list of options within their app, so maybe they’ll implement this in a future update. Fingers crossed!

  6. steve

    Thanks for the reply… You did a superb job getting all the details needed (many thanks)… I have since written a python script to do the work and created a distributable .exe file so it can run “stand alone” (no more clunky Word macro).

    Also, I did try it with the latest version of Blackvue 650 firmware (1.003) and it still works fine (was a little worried they’d change something that would interfere with the file xfer, but that wasn’t the case).

    I also found another forum (http://blackvueshop.co.uk/forum/viewforum.php?id=18) that has a bunch of interesting stuff (like how to coerce the 802.11 b/g/n WIFI mode via the CONFIG.INI file).

    The folks that administer the site also did a bunch of testing on various SD CARDs and give their opinions on the best one to use (see http://blackvueshop.co.uk/forum/viewtopic.php?id=220). Their findings were somewhat counter intuitive to me… If your SD Cards read/write speed is too fast, camera performance can be degraded… hmmm, still not sure why… but I’ll take their word for it 🙂

    Again, thanks so much for the information you dug up.

    Regards
    Steve

    • Thanks for the tip Steve, I’ll have a good read through the forum! It does sound counter-intuitive that a higher speed card would degrade the performance, though not out of the realm of possibility. I’ve found before (in other areas of IT than dashcams!) that if you improve the IO throughput, you can end up just overloading the CPU, as it no longer has the breathing time it expects whilst waiting on IO. This can then cause all sorts of problems, conceivably even overheating issues in a device like a dashcam. I’ll look into that thread a bit more, as I’d be interested to hear the logic behind it.

  7. Jester

    OK, I read this entire page and I find it all very interesting. I just have 1 problem. How did you get your laptop to connect to the Blackvue’s Wifi? I just tried over the weekend and I kept getting an error stating that it could not connect. I am using Windows 7 Ultimate if this makes a difference.

    I see the SSID and I enter the same password that I use with my iphone, it seems like it tries to connect, but doesn’t. Are there any settings that I need to make to the wifi adapter prior to connecting?

    Please help, would love to be able to transfer the files directly to the laptop…

    • Hi Jester,

      It doesn’t sound like you’re doing anything wrong. I use Windows 7 on my laptop to connect and if you’re using the same password as you use successfully on your iPhone, it should work fine. One point I picked up from your comment though – are you trying to connect with your laptop at the same time that your phone is connected? I’m pretty sure it’s an adhoc network, so you can only connect one device at a time. If your iPhone is set up to automatically connect to your BlackVue, try turning off WiFi on it to stop it connecting, then try with your laptop.

  8. Hi, nice post!

    I’m trying to make a web application that gets images from the Blackvue camera (sort of a live stream) from any location. The idea is to have an Android phone in the car with a web server running on it, connected via cellular data.

    I have requested an update in which Pittasoft will add a feature to make wifi stay on all the time (prevent it from automatically turning off after 15 minutes). They have confirmed this and the feature will be included in the next firmware update.

    To save data usage there can’t be any continuous upload of images, only on request from a client. The web server must listen for the request and then fetch the current image off the Blackvue, and then send it via cellular back to the client. By the way, is it possible to connect to both wifi and cellular at the same time with an Android device?

    Any ideas as to how this might be done?

  9. sirloins

    I found that to view the back camera you can use the following URL:

    http://ip_of_blackvue/blackvue_live.cgi?direction=R

  10. Any chance for a link to download those “stand alone” solutions.. PLEASE

  11. Yes.. something along a batch file or executable “exe” .. Or.. from start to finish the commands you are using.

  12. Los_benitos

    Great discovery. A bit of doctoring to get this working with an automated script on my Synology NAS :-).

    Not been able to access the GPS files this way as yet, does anyone know the naming convention I can use to get them?

  13. Great post! I wrote a little command line .NET utility to pull the files from the camera: https://github.com/morrisonbrett/BlackVueDownloader

    • rog

      Sounds cool – how do I run this? And I’m assuming since it’s .NET – Windows only?

    • Sam

      Hi
      I have downloaded your package as zip file. How to use or install it on windows 7 computer. It does not have exe file. Please help

    • Lewis Brooks

      Hi, has anybody tried using a wireless client to latch onto the camera WiFi pulling it onto a home network?

      The subnet is the issue and I’ve tried routing which worked to the point of accessing the wireless client but I couldn’t access the streams.

  14. Björn

    Thanks for your detective work 🙂
    I’m using blackvue cloud to automagically connect my 650GW to my local network and then use your script in .sh file to download today’s videos via the cloud client local ip:

    export BVDATE=`date +%Y%m%d`
    echo $BVDATE
    for file in `curl http://192.168.1.53/blackvue_vod.cgi | sed 's/^n://' | sed 's/,s:1000000//' | sed $'s/\r//' | grep $BVDATE`;do wget http://192.168.1.53$file; done

    Note the extra sed $'s/\r//' to remove line breaks.
    I’ll try to run this on my Synology NAS and run it every night through task scheduler to archive my dashcam.

  15. Björn

    Updated:

    The script now downloads all files including metadata files. Because I strip the F.mp4 and R.mp4 from the file, the $file list contains double results. Downloading of double results is skipped though.
    When a .gps file is 0KB, it isn’t downloaded. Partially downloaded .mp4 files will be resumed if you need to restart the script.

    Put this in a blackvue.sh, change the IP to your blackvue’s IP and run it with sh blackvue.sh

    export BVDATE=`date +%Y%m%d`
    echo $BVDATE
    for file in `curl http://192.168.1.53/blackvue_vod.cgi | sed 's/^n://' | sed 's/F.mp4//' | sed 's/R.mp4//' | sed 's/,s:1000000//' | sed $'s/\r//' | grep $BVDATE`; do wget -c http://192.168.1.53$file\F.mp4; wget -c http://192.168.1.53$file\R.mp4; wget -nc http://192.168.1.53$file\F.thm; wget -nc http://192.168.1.53$file\R.thm; wget -nc http://192.168.1.53$file.gps; wget -nc http://192.168.1.53$file.3gf; done

  16. Pingback: Download all files from Blackvue dashcam to your Synology over Wifi - Björns Blog
