Tag Archives: hacking

Dashcam Hacking

I’ve been playing around with my Blackvue dashcam a bit recently. Partly for fun and partly to figure out if I can copy videos from it to my iPhone’s camera roll. Having Googled about a bit, I found an unusually helpful Amazon review, where someone talked about FTP-ing onto the camera and copying off the videos.

http://www.amazon.com/review/R5EAUUH05X1FZ/ref=cm_cr_pr_viewpnt#R5EAUUH05X1FZ

I liked the idea of this, so I gave it a go. Unfortunately, the Amazon post was about a DR500 and it seems Blackvue have changed a few things on the DR650 that I have, so my attempts didn’t work. I’ll explain a bit about what I did though, so anyone else that’s going down the same road can hopefully save some time.

According to the Amazon review, the Blackvue has a default IP address of 192.168.8.1. I confirmed this by scanning the network for devices. Sure enough, 192.168.8.1 was the only IP address on the network. A quick ping test showed a response from that address too, so a good start!

I tried putting the camera’s IP address into my web browser whilst connected to the camera’s WiFi & I got the following page:

Blackvue_web_root

Not especially useful, it’s just a blank page with “Blackvue” written on it, but it does confirm two things; I’ve got the right IP address for the camera and it’s running a web service. I tried a few variations on the URL, such as http://192.168.8.1/Blackvue, but none of them bore any fruit. Something I’d read on a forum indicated that there was a live stream available at http://192.168.8.1/blackvue_live.cgi, so I tried this. Sure enough, I got a live stream up on my screen:

Blackvue_web_live

I tried a few guesses at what the URL might be for the live stream of the rear camera, but I couldn’t figure it out. I then tried running a web crawler against the web site to see what pages were available, but nothing was returned. I guess this means that all the available pages are cgi scripts. Without being able to access the filesystem of the camera’s web root, I wouldn’t know what cgi scripts are availble, so I tried ssh-ing to the device. No joy.

Next, I tried a port scan on it, so see what my options were for getting into it. The following was returned:

Blackvue_scan

Looks like it’s a bit more tied down than the older DR500. There’s no telnet or FTP open, just DNS (port 53), which won’t be much use to me, and http (port 80), which I’d already found. It’d be great if I could somehow start an ssh server on there, but without getting into it in the first place, I can’t do that.

At this point, I’m bit stuck for a way to access the device. I need to start ssh, or ftp, or some sort of service that I can use to pull the files off the device. I downloaded the firmware for the camera from Pittasoft’s website. I thought if I could inspect the code, I could maybe modify it to give me a way in. Unfortunately, the firmware ships as a single binary file. I tried inspecting this, but I haven’t had much joy yet.

So, stuck again, I got to thinking how the Blackvue app copies files from the camera to the app. If the only service available for it to do this is http, then the files must either be available for download via http, or the app must run some sort of cgi script that starts an ssh/ftp server and copies the files over, then stops the server. My next trick will be to open the app and download a video clip, then do another port scan to see if something has been opened up during the transfer.

What would be really useful would be to get a look at the web root of a DR500, as I suspect most of the cgi scripts etc would be the same or similar to the DR650. I might be able to work out a way in if I could see what the scripts are doing. Unfortunately, I don’t have access to a DR500 to do this, so if you do and you’ve tried anything like this, I’d be interested to hear your comments.

UPDATE 17/10/2014:
I had a bit more of a play with the Blackvue today. I tried copying a video from the camera to my iPhone and running a port scan on the camera whilst doing so to see if the transfer had opened up FTP, or SSH or something. Nothing. This means that the videos must be transferred via HTTP download, which limits my options for getting into the camera. What I really want to do is start an SSH or telnet session on there, so I can do whatever I want, however with only port 80 available to me, that may be difficult.

You may have heard of a bug called ShellShock that’s been in the headlines recently. ShellShock is a bug in the way the bash shell handles environment variables and it’s possible to exploit it via cgi scripts on a vulnerable server. The DR650 uses a cgi script to serve the live feed. Thinking that it may well initiate bash in some way, I thought I’d try and exploit ShellShock on the DR650 to break into it and start an SSH shell.

I tried the following to try and start an ssh server on the camera:

wget -U “() { test;};echo \”Content-type: text/plain\”; echo; echo; /sbin/service sshd start” http://192.168.8.1/blackvue_live.cgi

What I’m trying to do here is set the Content-Type variable and add a bit of code on the end to try to exploit ShellShock and get bash to execute a command to start an SSH server. This didn’t work. There’s lots of reasons why that might be the case – the device might not be running a vulnerable version of bash (unlikely), the cgi script might not call bash, the command I’m trying to run might not be valid, the script might not use Content-Type, or a myriad of other reasons. I tried a few different permutations of this hack, before deciding to quit & try another approach.

From a bit of research, I believe that the DR650 uses a Texas Instruments chipset, running a DaVinci platform. A bit of digging shows that this platform is based on a Linux distribution called MontaVista. I’ll do a bit more research into that platform and see if I can refine my methods for getting into it.

In the meantime, I began looking through the firmware image I downloaded, having discovered it was gzipped and unzipped it. I’ve found a few useful bits of data. There seem to be very few files hosted by the camera’s web service. They are:

System/www/blackvue_live.cgi
System/www/blackvue_vod.cgi
System/www/upload.cgi
System/www/index.html

I already found the index.html and the blackvue_live.cgi, but I didn’t know about the other two. The upload.cgi file seems to be used to upload new config & firmware to the camera and blackvue_vod.cgi returns a list of video files stored on the camera. Could be useful!

upload.cgi
upload

blackvue_vod.cgi
blackvue_vod

The blackvue_vod.cgi file looked very interesting. I said earlier that the video files must be downloaded via HTTP, but I didn’t know their location. The output of blackvue_vod.cgi indicates that the files are in the web server’s docroot, under a /Record folder. The script also returns the full path & filename of every file available. I immediately tried a wget of one of the files and sure enough, it was downloaded onto my laptop 🙂

[~]$ wget http://192.168.8.1/Record/20141017_163635_NF.mp4
–2014-10-17 16:38:17– http://192.168.8.1/Record/20141017_163635_NF.mp4
Connecting to 192.168.8.1:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 64500078 (62M) [text/plain]
Saving to: ‘20141017_163635_NF.mp4’

100%[======================================================================>] 64,500,078 1.05MB/s in 60s

2014-10-17 16:39:16 (1.03 MB/s) – ‘20141017_163635_NF.mp4’ saved [64500078/64500078]

[~]$

Excellent! My original intention was to download the videos onto my iPhone’s camera roll so that I could then transfer them onto my laptop, but with this, I can hook my laptop up to the camera’s WiFi and download the videos straight to it. So, time to automate it a bit. I can get a list of files with a simple curl command:

[~]$ curl http://192.168.8.1/blackvue_vod.cgi
v:1.00
n:/Record/20141014_202528_NF.mp4,s:1000000
n:/Record/20141014_202528_NR.mp4,s:1000000
n:/Record/20141014_202629_NF.mp4,s:1000000
n:/Record/20141014_202629_NR.mp4,s:1000000
…..

This is then easily tidied up a bit with some simple sed to give me just the path and filenames:

[~]$ curl http://192.168.8.1/blackvue_vod.cgi | sed ‘s/^n://’ | sed ‘s/,s:1000000//’ | tail
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16508 0 16508 0 0 283k 0 –:–:– –:–:– –:–:– 424k
/Record/20141017_163635_NF.mp4
/Record/20141017_163635_NR.mp4
/Record/20141017_163736_NF.mp4
/Record/20141017_163736_NR.mp4
/Record/20141017_163837_NF.mp4
/Record/20141017_163837_NR.mp4
/Record/20141017_163937_NF.mp4
/Record/20141017_163937_NR.mp4
/Record/20141017_164052_PF.mp4
/Record/20141017_164052_PR.mp4
[~]$

This returns the paths of the most recent 10 videos. I can then use a simple for loop to pipe this into wget to download the videos:

[~]$ for file in `curl http://192.168.8.1/blackvue_vod.cgi | sed ‘s/^n://’ | sed ‘s/,s:1000000//’ | tail`
> do
> wget http://192.168.8.1$file
> done
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16332 0 16332 0 0 170k 0 –:–:– –:–:– –:–:– 201k
–2014-10-17 16:44:57– http://192.168.8.1/Record/20141017_163837_NF.mp4
Connecting to 192.168.8.1:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 63807644 (61M) [text/plain]
Saving to: ‘20141017_163837_NF.mp4’

100%[======================================================================>] 63,807,644 2.32MB/s in 55s

2014-10-17 16:45:52 (1.11 MB/s) – ‘20141017_163837_NF.mp4’ saved [63807644/63807644]

–2014-10-17 16:45:52– http://192.168.8.1/Record/20141017_163837_NR.mp4
Connecting to 192.168.8.1:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 23644147 (23M) [text/plain]
Saving to: ‘20141017_163837_NR.mp4’

100%[======================================================================>] 23,644,147 1018KB/s in 20s

2014-10-17 16:46:12 (1.16 MB/s) – ‘20141017_163837_NR.mp4’ saved [23644147/23644147]
……

It takes around a minute to download a video from the front camera and around 20-30 seconds for the rear camera. I probably don’t want to be downloading the entire contents of the memory card each time, but I can easily tell it to just download the videos from today:

[~]$ export BVDATE=`date +%Y%m%d`
[~]$ echo $BVDATE
20141017
[~]$ for file in `curl http://192.168.8.1/blackvue_vod.cgi | sed ‘s/^n://’ | sed ‘s/,s:1000000//’ | grep $BVDATE`
> do
> wget http://192.168.8.1$file
> done

All I need to do now is put this in a script, then I can download today’s videos by simply connecting my laptop to the camera’s WiFi and running the script.

I’m still interested in hacking the camera and getting a shell on there to play around a bit more, so I’ll continue to try to find a way in.

UPDATE (09/02/2015):

A recent update to the BlackVue app on the iPhone has enabled another option for exporting video – “COPY TO ALBUM” (no need to shout!). This copies the file to the camera roll:

iPhone 6 024

26 Comments

Filed under Cars, Gadgets