Hello, Dashcam!
Last week sometime, I forget when, but some lady tried to run us off the road by cutting us off, which brought back to mind the fact that we really should have a dashcam. We had one in the van the entire time, and when we sold it I moved that one over into the VT, but it was a NavMan which basically implies it was always a piece of shit.
What to replace it with? To the internet! BlackVue cameras get some pretty good reviews, though in retrospect I think most of the positive reviews are from people who don’t really know what they’re looking at. Still, this one does full-HD at 60fps, has front and rear cameras, and looks to do everything I want. It also comes with some Internet of Shit style features to boot. I nearly sprang for the DR900S, which would give us 4k on the front camera, but it was about 2x what I really wanted to spend and comparing videos of them.
So I had the DR-750S on my wish list for a while, and today I noticed a sale on the DR-750X. What’s the difference? It seems like there’s not a lot, except that it has the hard-wired battery-monitor stuff built in. Since I wanted to hard-wire it anyway that seems pretty good value, and the sale price dropped it down into my buy-range so I bought it. It got here on Thursday, and I just threw the front camera in with the cigarette lighter adaptor haphazardly connected.
Today, I set about installing it properly. I found a spot to fish power through from the rear auxiliary battery (which does not exist yet, but after new years’ I plan on doing that), up the rear pillar (staying as far as humanly possible away from the curtain airbags), before joining the rear camera video cable and running up the centre of the roof lining. By pulling the third brake light, the rear courtesy lamp, and the front courtesy lamps down I was able to fish everything through reasonably easy, and all those three things came out with zero tools which I was pleasantly surprised by.
So I had everything buttoned up right around lunch time, which left me the afternoon to play. Let’s see how bad this Internet of Things crap is.
I switched it’s wifi hotspot on, connected my phone to it with an absolutely dogshit Android application, and started exploring. It has the ability to connect as a client to our home network, that seems better than a dedicated network surely? So I did that and… the HTTP server I found on the internal network wasn’t there! Hmm.
I would later learn that this HTTP server is tied to the WAP feature - if you turn it off, it’s disabled. But how to explore this? Why, let’s do what all the hardware hackers do and grab the firmware. Downloaded it, ran binwalk which extracted a tarball of a linux filesystem, among a few other things. Easy enough!
After exploring around a bit, I learned how the HTTP daemon is started (it uses boa
for HTTP daemon, and it’s tied to the hostapd
process, if you push the wifi button to turn it off, it kills the boa
process). I couldn’t work out how to grab the videos, but lucky someone else has already figured that out - basically, the webserver has a blackvue_vod.cgi
script, which dumps out effectively a list of files. Then download the file from /Record
and play it. Nothing to it!
I spent a bit of time trying to figure out if I could grab an RCE on it, because that’d let me start the webserver without the AP running, and also let me kill their goofy cloud client thing I’ll never use. I found a few interesting things:
- The root password’s MD5 hash is readable in the firmware, the hash is
$1$$qRPK7m23GJusamGpoGLby/
. After an embarassingly comedic effort setting things up to crack it, I learned that this is the MD5crypt string for an empty password with an empty salt:
>>> crypt.crypt('', '$1$$')
'$1$$qRPK7m23GJusamGpoGLby/'
Pity there’s nothing listening to use the credentials with.
-
The system itself is, I think, a massive violation of the GPL. At least, I can’t find any sources available for download, but it’s definitely based off Linux, with busybox, possibly Alpine’s shell, and a ton of other GPL stuff in the firmware.
-
As mentioned above, the http daemon is
boa
, and it’s stopped and started with the wireless access point function (started bydo_ap.sh
from the look of things, and killed with a killall when it’s disabled). -
You can pass upload a config file directly to it via upload.cgi, but you can also just edit the one on the SD card and it’s respected. Chiefly interesting in this, for me, was the ability to shut the voice prompts up… there are a few things that aren’t available in the configuration menu that you can change directly in the config file though.
So what to do about connectivity? It seems I must leave the AP on for now, but that doesn’t mean it has to be usable. By putting some garbage characters on the PSK we’re able to generate a PSK that no real client would be able to guess, and the HTTP server still starts. So it’s connected to my home network, and then I can run a quick bash script to pull any new files off it when the car is parked. At present this doesn’t work well, because the car is not on long enough in the driveway, but when I get it hard-wired to the auxiliary battery it’ll be on 24/7.
I’m thinking I’ll spin up an extra Wifi network though, and firewall it. In particular, I want to test if it will drop off the network if it can’t access Blackvue’s cloud services… I have no real interest in using this feature, so it’s basically just a permanent vulnerability if I leave it enabled. I don’t want “cloud”, I just want the thing to connect to a specific Wifi access point!