Writing a Script for Uploading Blackvue Dr900s
I've been playing effectually with my Blackvue dashcam a bit recently. Partly for fun and partly to figure out if I can re-create videos from it to my iPhone's camera ringlet. Having Googled about a bit, I found an unusually helpful Amazon review, where someone talked almost FTP-ing onto the camera and copying off the videos.
http://world wide web.amazon.com/review/R5EAUUH05X1FZ/ref=cm_cr_pr_viewpnt#R5EAUUH05X1FZ
I liked the idea of this, then I gave information technology a go. Unfortunately, the Amazon mail was about a DR500 and it seems Blackvue take changed a few things on the DR650 that I accept, so my attempts didn't work. I'll explain a bit near what I did though, and then anyone else that's going downwardly the same road can hopefully save some time.
According to the Amazon review, the Blackvue has a default IP address of 192.168.8.ane. I confirmed this by scanning the network for devices. Sure enough, 192.168.8.1 was the only IP address on the network. A quick ping test showed a response from that accost too, so a proficient commencement!
I tried putting the camera's IP address into my web browser whilst connected to the camera's WiFi & I got the post-obit folio:
Not especially useful, it'south just a blank folio with "Blackvue" written on it, but it does confirm 2 things; I've got the right IP address for the camera and it'southward running a web service. I tried a few variations on the URL, such as http://192.168.8.i/Blackvue, but none of them bore whatever fruit. Something I'd read on a forum indicated that there was a live stream available at http://192.168.viii.1/blackvue_live.cgi, so I tried this. Certain enough, I got a live stream up on my screen:
I tried a few guesses at what the URL might be for the live stream of the rear camera, but I couldn't figure information technology out. I then tried running a web crawler confronting the spider web site to run across what pages were bachelor, but aught was returned. I guess this means that all the bachelor pages are cgi scripts. Without existence able to admission the filesystem of the photographic camera'southward spider web root, I wouldn't know what cgi scripts are availble, so I tried ssh-ing to the device. No joy.
Adjacent, I tried a port scan on it, so see what my options were for getting into it. The following was returned:
Looks like information technology'due south a bit more than tied down than the older DR500. In that location'southward no telnet or FTP open up, just DNS (port 53), which won't be much employ to me, and http (port 80), which I'd already establish. Information technology'd exist great if I could somehow start an ssh server on there, merely without getting into it in the first place, I tin can't do that.
At this indicate, I'm bit stuck for a way to access the device. I need to first ssh, or ftp, or some sort of service that I can use to pull the files off the device. I downloaded the firmware for the photographic camera from Pittasoft's website. I thought if I could inspect the code, I could mayhap modify information technology to give me a style in. Unfortunately, the firmware ships equally a single binary file. I tried inspecting this, only I haven't had much joy yet.
And then, stuck over again, I got to thinking how the Blackvue app copies files from the camera to the app. If the just service bachelor for it to do this is http, and then the files must either exist available for download via http, or the app must run some sort of cgi script that starts an ssh/ftp server and copies the files over, and so stops the server. My adjacent trick will be to open the app and download a video clip, then do another port browse to run across if something has been opened upwardly during the transfer.
What would be really useful would be to get a look at the web root of a DR500, as I suspect well-nigh of the cgi scripts etc would exist the same or similar to the DR650. I might be able to work out a way in if I could encounter what the scripts are doing. Unfortunately, I don't have access to a DR500 to do this, so if yous practise and you've tried annihilation like this, I'd exist interested to hear your comments.
UPDATE 17/10/2014:
I had a bit more of a play with the Blackvue today. I tried copying a video from the camera to my iPhone and running a port browse on the camera whilst doing so to see if the transfer had opened upwardly FTP, or SSH or something. Nix. This ways that the videos must be transferred via HTTP download, which limits my options for getting into the camera. What I really want to practise is start an SSH or telnet session on there, and then I can do any I want, all the same with just port fourscore available to me, that may exist hard.
Yous may have heard of a bug called ShellShock that'southward been in the headlines recently. ShellShock is a problems in the style the fustigate shell handles environs variables and it'due south possible to exploit it via cgi scripts on a vulnerable server. The DR650 uses a cgi script to serve the live feed. Thinking that it may well initiate fustigate in some mode, I idea I'd effort and exploit ShellShock on the DR650 to break into it and start an SSH beat.
I tried the following to try and start an ssh server on the camera:
wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /sbin/service sshd get-go" http://192.168.8.one/blackvue_live.cgi
What I'm trying to practise here is set the Content-Type variable and add a bit of code on the end to try to exploit ShellShock and get fustigate to execute a control to start an SSH server. This didn't work. There's lots of reasons why that might be the example – the device might not be running a vulnerable version of bash (unlikely), the cgi script might non call bash, the command I'm trying to run might non exist valid, the script might not use Content-Type, or a myriad of other reasons. I tried a few different permutations of this hack, before deciding to quit & try another approach.
From a bit of research, I believe that the DR650 uses a Texas Instruments chipset, running a DaVinci platform. A chip of excavation shows that this platform is based on a Linux distribution called MontaVista. I'll practise a bit more research into that platform and see if I can refine my methods for getting into information technology.
In the meantime, I began looking through the firmware image I downloaded, having discovered it was gzipped and unzipped it. I've institute a few useful bits of data. There seem to be very few files hosted past the camera's web service. They are:
System/www/blackvue_live.cgi
System/www/blackvue_vod.cgi
System/www/upload.cgi
System/www/index.html
I already found the index.html and the blackvue_live.cgi, simply I didn't know about the other two. The upload.cgi file seems to be used to upload new config & firmware to the camera and blackvue_vod.cgi returns a list of video files stored on the camera. Could be useful!
upload.cgi
blackvue_vod.cgi
The blackvue_vod.cgi file looked very interesting. I said before that the video files must be downloaded via HTTP, but I didn't know their location. The output of blackvue_vod.cgi indicates that the files are in the web server'due south docroot, under a /Tape folder. The script likewise returns the total path & filename of every file bachelor. I immediately tried a wget of i of the files and sure enough, information technology was downloaded onto my laptop 🙂
[~]$ wget http://192.168.viii.one/Record/20141017_163635_NF.mp4
–2014-ten-17 sixteen:38:17– http://192.168.8.i/Record/20141017_163635_NF.mp4
Connecting to 192.168.8.1:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 64500078 (62M) [text/manifestly]
Saving to: '20141017_163635_NF.mp4'100%[======================================================================>] 64,500,078 one.05MB/s in 60s
2014-10-17 16:39:xvi (1.03 MB/southward) – '20141017_163635_NF.mp4' saved [64500078/64500078]
[~]$
Excellent! My original intention was to download the videos onto my iPhone'due south photographic camera roll so that I could then transfer them onto my laptop, but with this, I can hook my laptop up to the camera's WiFi and download the videos straight to it. So, time to automate it a bit. I tin become a list of files with a simple coil command:
[~]$ curl http://192.168.8.1/blackvue_vod.cgi
five:i.00
n:/Record/20141014_202528_NF.mp4,s:1000000
north:/Tape/20141014_202528_NR.mp4,s:meg
northward:/Tape/20141014_202629_NF.mp4,s:million
north:/Record/20141014_202629_NR.mp4,south:meg
…..
This is then hands tidied upwardly a bit with some uncomplicated sed to give me but the path and filenames:
[~]$ roll http://192.168.eight.one/blackvue_vod.cgi | sed 's/^n://' | sed 's/,south:million//' | tail
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Full Spent Left Speed
100 16508 0 16508 0 0 283k 0 –:–:– –:–:– –:–:– 424k
/Record/20141017_163635_NF.mp4
/Record/20141017_163635_NR.mp4
/Record/20141017_163736_NF.mp4
/Record/20141017_163736_NR.mp4
/Record/20141017_163837_NF.mp4
/Tape/20141017_163837_NR.mp4
/Record/20141017_163937_NF.mp4
/Tape/20141017_163937_NR.mp4
/Record/20141017_164052_PF.mp4
/Tape/20141017_164052_PR.mp4
[~]$
This returns the paths of the virtually recent ten videos. I can then use a simple for loop to pipe this into wget to download the videos:
[~]$ for file in `curlicue http://192.168.8.i/blackvue_vod.cgi | sed 'south/^n://' | sed 'southward/,s:meg//' | tail`
> do
> wget http://192.168.viii.one$file
> done
% Total % Received % Xferd Average Speed Fourth dimension Time Time Current
Dload Upload Total Spent Left Speed
100 16332 0 16332 0 0 170k 0 –:–:– –:–:– –:–:– 201k
–2014-10-17 xvi:44:57– http://192.168.8.1/Tape/20141017_163837_NF.mp4
Connecting to 192.168.8.i:fourscore… connected.
HTTP asking sent, pending response… 200 OK
Length: 63807644 (61M) [text/plainly]
Saving to: '20141017_163837_NF.mp4'100%[======================================================================>] 63,807,644 two.32MB/southward in 55s
2014-10-17 16:45:52 (1.11 MB/southward) – '20141017_163837_NF.mp4' saved [63807644/63807644]
–2014-10-17 16:45:52– http://192.168.8.1/Record/20141017_163837_NR.mp4
Connecting to 192.168.8.i:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 23644147 (23M) [text/plain]
Saving to: '20141017_163837_NR.mp4'100%[======================================================================>] 23,644,147 1018KB/s in 20s
2014-10-17 16:46:12 (1.16 MB/due south) – '20141017_163837_NR.mp4' saved [23644147/23644147]
……
It takes around a infinitesimal to download a video from the forepart camera and around twenty-30 seconds for the rear camera. I probably don't want to be downloading the entire contents of the retention bill of fare each time, merely I tin can easily tell information technology to just download the videos from today:
[~]$ export BVDATE=`date +%Y%chiliad%d`
[~]$ echo $BVDATE
20141017
[~]$ for file in `coil http://192.168.8.1/blackvue_vod.cgi | sed 's/^northward://' | sed 's/,s:1000000//' | grep $BVDATE`
> do
> wget http://192.168.8.ane$file
> washed
All I need to practise now is put this in a script, then I tin download today'south videos by simply connecting my laptop to the photographic camera'southward WiFi and running the script.
I'm still interested in hacking the camera and getting a shell on at that place to play around a flake more, then I'll keep to endeavor to find a way in.
UPDATE (09/02/2015):
A recent update to the BlackVue app on the iPhone has enabled some other option for exporting video – "COPY TO Anthology" (no need to shout!). This copies the file to the camera roll:
Source: https://gadgetblogist.wordpress.com/2014/10/16/dashcam-hacking/
0 Response to "Writing a Script for Uploading Blackvue Dr900s"
Post a Comment