Tag Archives: dashcam

Dashcam Hacking

I’ve been playing around with my Blackvue dashcam a bit recently. Partly for fun and partly to figure out if I can copy videos from it to my iPhone’s camera roll. Having Googled about a bit, I found an unusually helpful Amazon review, where someone talked about FTP-ing onto the camera and copying off the videos.

http://www.amazon.com/review/R5EAUUH05X1FZ/ref=cm_cr_pr_viewpnt#R5EAUUH05X1FZ

I liked the idea of this, so I gave it a go. Unfortunately, the Amazon post was about a DR500 and it seems Blackvue have changed a few things on the DR650 that I have, so my attempts didn’t work. I’ll explain a bit about what I did though, so anyone else that’s going down the same road can hopefully save some time.

According to the Amazon review, the Blackvue has a default IP address of 192.168.8.1. I confirmed this by scanning the network for devices. Sure enough, 192.168.8.1 was the only IP address on the network. A quick ping test showed a response from that address too, so a good start!

I tried putting the camera’s IP address into my web browser whilst connected to the camera’s WiFi & I got the following page:

Blackvue_web_root

Not especially useful, it’s just a blank page with “Blackvue” written on it, but it does confirm two things; I’ve got the right IP address for the camera and it’s running a web service. I tried a few variations on the URL, such as http://192.168.8.1/Blackvue, but none of them bore any fruit. Something I’d read on a forum indicated that there was a live stream available at http://192.168.8.1/blackvue_live.cgi, so I tried this. Sure enough, I got a live stream up on my screen:

Blackvue_web_live

I tried a few guesses at what the URL might be for the live stream of the rear camera, but I couldn’t figure it out. I then tried running a web crawler against the web site to see what pages were available, but nothing was returned. I guess this means that all the available pages are cgi scripts. Without being able to access the filesystem of the camera’s web root, I wouldn’t know what cgi scripts are availble, so I tried ssh-ing to the device. No joy.

Next, I tried a port scan on it, so see what my options were for getting into it. The following was returned:

Blackvue_scan

Looks like it’s a bit more tied down than the older DR500. There’s no telnet or FTP open, just DNS (port 53), which won’t be much use to me, and http (port 80), which I’d already found. It’d be great if I could somehow start an ssh server on there, but without getting into it in the first place, I can’t do that.

At this point, I’m bit stuck for a way to access the device. I need to start ssh, or ftp, or some sort of service that I can use to pull the files off the device. I downloaded the firmware for the camera from Pittasoft’s website. I thought if I could inspect the code, I could maybe modify it to give me a way in. Unfortunately, the firmware ships as a single binary file. I tried inspecting this, but I haven’t had much joy yet.

So, stuck again, I got to thinking how the Blackvue app copies files from the camera to the app. If the only service available for it to do this is http, then the files must either be available for download via http, or the app must run some sort of cgi script that starts an ssh/ftp server and copies the files over, then stops the server. My next trick will be to open the app and download a video clip, then do another port scan to see if something has been opened up during the transfer.

What would be really useful would be to get a look at the web root of a DR500, as I suspect most of the cgi scripts etc would be the same or similar to the DR650. I might be able to work out a way in if I could see what the scripts are doing. Unfortunately, I don’t have access to a DR500 to do this, so if you do and you’ve tried anything like this, I’d be interested to hear your comments.

UPDATE 17/10/2014:
I had a bit more of a play with the Blackvue today. I tried copying a video from the camera to my iPhone and running a port scan on the camera whilst doing so to see if the transfer had opened up FTP, or SSH or something. Nothing. This means that the videos must be transferred via HTTP download, which limits my options for getting into the camera. What I really want to do is start an SSH or telnet session on there, so I can do whatever I want, however with only port 80 available to me, that may be difficult.

You may have heard of a bug called ShellShock that’s been in the headlines recently. ShellShock is a bug in the way the bash shell handles environment variables and it’s possible to exploit it via cgi scripts on a vulnerable server. The DR650 uses a cgi script to serve the live feed. Thinking that it may well initiate bash in some way, I thought I’d try and exploit ShellShock on the DR650 to break into it and start an SSH shell.

I tried the following to try and start an ssh server on the camera:

wget -U “() { test;};echo \”Content-type: text/plain\”; echo; echo; /sbin/service sshd start” http://192.168.8.1/blackvue_live.cgi

What I’m trying to do here is set the Content-Type variable and add a bit of code on the end to try to exploit ShellShock and get bash to execute a command to start an SSH server. This didn’t work. There’s lots of reasons why that might be the case – the device might not be running a vulnerable version of bash (unlikely), the cgi script might not call bash, the command I’m trying to run might not be valid, the script might not use Content-Type, or a myriad of other reasons. I tried a few different permutations of this hack, before deciding to quit & try another approach.

From a bit of research, I believe that the DR650 uses a Texas Instruments chipset, running a DaVinci platform. A bit of digging shows that this platform is based on a Linux distribution called MontaVista. I’ll do a bit more research into that platform and see if I can refine my methods for getting into it.

In the meantime, I began looking through the firmware image I downloaded, having discovered it was gzipped and unzipped it. I’ve found a few useful bits of data. There seem to be very few files hosted by the camera’s web service. They are:

System/www/blackvue_live.cgi
System/www/blackvue_vod.cgi
System/www/upload.cgi
System/www/index.html

I already found the index.html and the blackvue_live.cgi, but I didn’t know about the other two. The upload.cgi file seems to be used to upload new config & firmware to the camera and blackvue_vod.cgi returns a list of video files stored on the camera. Could be useful!

upload.cgi
upload

blackvue_vod.cgi
blackvue_vod

The blackvue_vod.cgi file looked very interesting. I said earlier that the video files must be downloaded via HTTP, but I didn’t know their location. The output of blackvue_vod.cgi indicates that the files are in the web server’s docroot, under a /Record folder. The script also returns the full path & filename of every file available. I immediately tried a wget of one of the files and sure enough, it was downloaded onto my laptop 🙂

[~]$ wget http://192.168.8.1/Record/20141017_163635_NF.mp4
–2014-10-17 16:38:17– http://192.168.8.1/Record/20141017_163635_NF.mp4
Connecting to 192.168.8.1:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 64500078 (62M) [text/plain]
Saving to: ‘20141017_163635_NF.mp4’

100%[======================================================================>] 64,500,078 1.05MB/s in 60s

2014-10-17 16:39:16 (1.03 MB/s) – ‘20141017_163635_NF.mp4’ saved [64500078/64500078]

[~]$

Excellent! My original intention was to download the videos onto my iPhone’s camera roll so that I could then transfer them onto my laptop, but with this, I can hook my laptop up to the camera’s WiFi and download the videos straight to it. So, time to automate it a bit. I can get a list of files with a simple curl command:

[~]$ curl http://192.168.8.1/blackvue_vod.cgi
v:1.00
n:/Record/20141014_202528_NF.mp4,s:1000000
n:/Record/20141014_202528_NR.mp4,s:1000000
n:/Record/20141014_202629_NF.mp4,s:1000000
n:/Record/20141014_202629_NR.mp4,s:1000000
…..

This is then easily tidied up a bit with some simple sed to give me just the path and filenames:

[~]$ curl http://192.168.8.1/blackvue_vod.cgi | sed ‘s/^n://’ | sed ‘s/,s:1000000//’ | tail
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16508 0 16508 0 0 283k 0 –:–:– –:–:– –:–:– 424k
/Record/20141017_163635_NF.mp4
/Record/20141017_163635_NR.mp4
/Record/20141017_163736_NF.mp4
/Record/20141017_163736_NR.mp4
/Record/20141017_163837_NF.mp4
/Record/20141017_163837_NR.mp4
/Record/20141017_163937_NF.mp4
/Record/20141017_163937_NR.mp4
/Record/20141017_164052_PF.mp4
/Record/20141017_164052_PR.mp4
[~]$

This returns the paths of the most recent 10 videos. I can then use a simple for loop to pipe this into wget to download the videos:

[~]$ for file in `curl http://192.168.8.1/blackvue_vod.cgi | sed ‘s/^n://’ | sed ‘s/,s:1000000//’ | tail`
> do
> wget http://192.168.8.1$file
> done
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16332 0 16332 0 0 170k 0 –:–:– –:–:– –:–:– 201k
–2014-10-17 16:44:57– http://192.168.8.1/Record/20141017_163837_NF.mp4
Connecting to 192.168.8.1:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 63807644 (61M) [text/plain]
Saving to: ‘20141017_163837_NF.mp4’

100%[======================================================================>] 63,807,644 2.32MB/s in 55s

2014-10-17 16:45:52 (1.11 MB/s) – ‘20141017_163837_NF.mp4’ saved [63807644/63807644]

–2014-10-17 16:45:52– http://192.168.8.1/Record/20141017_163837_NR.mp4
Connecting to 192.168.8.1:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 23644147 (23M) [text/plain]
Saving to: ‘20141017_163837_NR.mp4’

100%[======================================================================>] 23,644,147 1018KB/s in 20s

2014-10-17 16:46:12 (1.16 MB/s) – ‘20141017_163837_NR.mp4’ saved [23644147/23644147]
……

It takes around a minute to download a video from the front camera and around 20-30 seconds for the rear camera. I probably don’t want to be downloading the entire contents of the memory card each time, but I can easily tell it to just download the videos from today:

[~]$ export BVDATE=`date +%Y%m%d`
[~]$ echo $BVDATE
20141017
[~]$ for file in `curl http://192.168.8.1/blackvue_vod.cgi | sed ‘s/^n://’ | sed ‘s/,s:1000000//’ | grep $BVDATE`
> do
> wget http://192.168.8.1$file
> done

All I need to do now is put this in a script, then I can download today’s videos by simply connecting my laptop to the camera’s WiFi and running the script.

I’m still interested in hacking the camera and getting a shell on there to play around a bit more, so I’ll continue to try to find a way in.

UPDATE (09/02/2015):

A recent update to the BlackVue app on the iPhone has enabled another option for exporting video – “COPY TO ALBUM” (no need to shout!). This copies the file to the camera roll:

iPhone 6 024

Advertisements

31 Comments

Filed under Cars, Gadgets

Blackvue DR650GW-2CH Dash-Cam

A while ago, I started using a dashcam app on my iPhone called CarCorder. I used this for a while and whilst it did the job well enough, it was a bit of a pest having to put my phone in the windscreen mount every time I got in the car. Also, the app drained my phone’s battery pretty quickly if it wasn’t plugged in to power. As a consequence, I got out of the habit of using it.

I recently decided to splash out & buy a proper dashcam, so I drew up a list of “must have” requirements that went something like this:

  • Good quality video, day and night, ideally HD
  • Large capacity to store the footage
  • Small & unobtrusive design
  • Able to be left in the car and automatically record every journey without user intervention
  • Built in GPS

I also had some “wants” that I didn’t consider quite so important, but would really like to have:

  • A rear camera as well as front
  • Wifi, to be able to get the footage off the device without removing the SD card
  • Parking mode

I spent a while looking around at the various dashcams on the market and found a market flooded with cheap, but crappy devices. After digging a bit further, I managed to find a few devices from more reputable manufacturers that looked of acceptable quality, however most of them were of an absurd size. A lot of the devices I looked at had screens on the back of them. Personally, I can’t understand this. Why do I need to see on a screen what I can already see out of my window? This type of device would be no good, as I wanted something as small as possible that could sit discreetly in the car permanently. I did find a few cameras that seemed small & unobtrusive and were reviewed well and I decided that a Blackvue DR550DW-2CH met my requirements the best.

I deliberated over buying the DR550 for a while, whilst I read some reviews to see if it was as good as it seemed. During this time, Blackvue launched an updated version, the DR650GW-2CH. This was much the same as the 550, but with a couple of things that I appreciated; an all-black finish (without the silver ring of the 550) and compatability with 64GB micro SD cards (as opposed to 32GB on the 550).

Note that the “GW” in DR650GW-2CH means it has GPS and WiFi and the “2CH” means it’s two channel, so it has a rear camera.

The DR650GW-2CH seemed to meet all my requirements, so I took the plunge and bought one. I bought mine from here:

http://www.blackvue.eu/Blackvue_DR650GW.php

I paid £329 for the camera, with a free Smart Power kit. Of course, the day after mine arrived, they dropped the price to £310. Sigh.

The camera arrived last week and I took a few pics of the box:

On the left is a soft pouch, then the SmartPower kit and the Blackvue box on the right.
Blackvue_box_ext

The front camera (top) and rear camera (bottom).
Blackvue_box_int

The other bits that come in the box; cables, a micro-SD card reader and some cable tidy sticky pads.
Blackvue_box_bits

I installed my kit last week and found the installation really easy. They say they recommend having the device fitted by a professional, but I really wouldn’t bother if you’re at all handy with this sort of thing. It took me around half an hour to install and I wasn’t in any real hurry. Firstly, I fitted the front camera in a spot behind my rear view mirror. I have a bunch of sensors for lights & windscreen wipers behind my mirror, so I had to put mine slightly to the side. I then connected the power lead and ran it around the windscreen, under the passenger dash and along the transmission tunnel to a cigar lighter socket in my center console. The kit comes with little sticky pads to help you clip your cable to your windscreen, but I didn’t use any of these. Instead, I just tucked the cable in gaps in the trim as it gives a neater install, with the cables all completely invisible. Also, I have a heated windscreen and I wasn’t sure how well the glue on the sticky pads would cope with that.

The camera installed behind my rear-view mirror
Blackvue_front_closeBlackvue_front_screen

After fitting the power cable, the main device was ready to go! I still had to fit the rear camera though, so I ran the single cable from the front camera to the back of the car and installed the rear camera at the top of the rear window. I was a bit worried the cable wasn’t going to be long enough to reach to the rear camera whilst taking a slightly indirect route in order to hide the cable well. As it turned out, there was about 6″ spare cable in the end. Depending on the size of your car, this may or may not be an issue. My car is a Jaguar XF, so anything much bigger than that and you’ll probably struggle, but you should be ok with something around the same size, or smaller.

The rear camera
Blackvue_rear_closeBlackvue_rear_screen

I’ve read reports of the older DR550GW’s rear camera cable interfering with DAB radio antennas. My car has a DAB radio antenna in the rear window and the camera’s cable runs pretty close to it. I’ve had no issues with either my DAB radio, or the rear camera since installing it, so I guess the issue doesn’t apply to the DR650GW-2CH.

I have my power connector plugged into a cigar lighter socket, which means that the camera starts automatically when I unlock the car and turns off automatically when I lock it. My kit came with a Smart Power adapter, which looks like it’s designed to connect directly to the car’s battery. This has a little black box that controls the power to its own cigar lighter socket which you then plug your camera into. The idea is that the camera then has permanent power, meaning parking mode can be used. The black box is supposed to monitor the battery’s power level and cut power to the camera when it goes below a certain voltage, in order to prevent your camera from draining your car’s battery. I haven’t installed this yet, but I intend to, as soon as I’ve figured out my car’s fuseboxes well enough to find a suitable spare fuse to attach the device to.

Once my camera was set up in the car, I enabled WiFi, by simply pressing the WiFi button on the side of the camera. The camera responds with a voice confirmation of “WiFi enabled”. Nice. I then connected my iPhone to the WiFi network provided by the camera and opened the BlackVue app. I could then select the WiFi connection and view a live feed from the camera in order to position the cameras optimally. I had a look through the settings via the app and decided that I didn’t want most of the voice confirmation messages that you get when the camera powers on, off, records an event etc, but I still wanted voice confirmations when I turned WiFi on/off or enabled/disabled sound recording.

After going for a short test drive, I connected to the camera via the app again and downloaded the footage from the front and rear cameras to my phone. I could then view the videos from within the app, including a map overlay showing the car’s position, as well as a small bar at the bottom showing the car’s speed.

Video playback in the iPhone app
Blackvue_playback_front

I later on tried to copy the video from my phone onto my PC, but found that I couldn’t. When you save a video to “Internal Storage” in the Blackvue app, it doesn’t put it in your camera roll on iOS (not sure about on Android). Instead, it seems to keep the video within the app, meaning you can’t easily copy it off your phone. The options in the app let you upload it to YouTube, but that’s about the only way of getting video out of the app as far as I can tell. This seems like a bit of an oversight and hopefully a future software update will bring a way to get the footage off my phone. In the meantime, I’ve got a few ideas of how to get the videos into my phone’s camera roll and I’ll post an update if I have any luck. In the meantime, I can get the video onto my PC by simply removing the micro SD card from the camera and putting it into my PC. This is no worse than most of the other cameras on the market, so I’ve not lost a great deal here.

Options available for exporting videos within the Blackvue app
Blackvue_app_export

First impressions of the DR650GW-2CH are good. I’ll update this post as & when I play with it and discover more features.

3 Comments

Filed under Cars, Gadgets