
Improving the Motorola Blink Baby Monitor/Camera (Part…6?!?)

After all this time... why am I still working on this? Motorola shut down the monitoreverywhere service, so the cameras are dead! You can't register them or connect to them remotely, right?

Well, they still work on the LAN, so if they're already on the wifi, you can use them as little RTSP streams. The problem is... I want to change my SSIDs, and there's no way to rejoin the wifi without the app connecting to the (now offline) monitoreverywhere service.

Enter crazy old Joe. I had a Titanium Backup of the apk and my config from an Android device I don't even have anymore. I was able to extract this and decompile it to learn how the app handles registration, then emulate that.

First, from previous research: when you factory reset a camera it broadcasts a "Camera-######" SSID, which you can connect to because it's open. You'll get a 192.168.2.# address, and the camera will be "192.168.2.1". From there, you can start performing operations on the camera. For example, if you go here in a web browser: http://192.168.2.1/?action=command&command=enable_telnet you will then be able to telnet to the camera.

From previous work, we know a lot of the scripts and commands on there, but I never found how to format the wifi request. So, I started poking through the apk. Here's some snippets that are useful:

this.cam_profile.setBasicAuth_usr("camera");
this.cam_profile.setBasicAuth_pass("000000");

The camera has a basic http authentication piece, and that is the default username and password...maybe. I also found this in defining the variables:

this.usr_name = usrName == null ? "" : usrName;
this.pass_wd = pwd == null ? "" : pwd;

So the user and password will either be "camera:000000" or ":". We can try both.

public String build_setup_core_request() {
    String auth_mode;
    String key_index;
    if (this.security_type.equalsIgnoreCase("WEP")) {
        // WEP: "0" for open-system auth, "1" for shared-key; the key slot is sent 0-based
        auth_mode = this.auth_method.equalsIgnoreCase("Open") ? "0" : "1";
        key_index = String.format("%d", Integer.valueOf(Integer.parseInt(this.key_index) - 1));
    } else if (this.security_type.equalsIgnoreCase("OPEN")) {
        auth_mode = "0";
        key_index = "0";
    } else {
        // everything else (WPA/WPA2-PSK) is auth_mode "2"
        auth_mode = "2";
        key_index = "0";
    }
    // fixed-width length prefixes: SSID in 3 digits (UTF-8 bytes), the rest in 2 digits (chars)
    String ssid_len = String.format("%03d", Integer.valueOf(this.ssid.getBytes().length));
    String sec_key_len = String.format("%02d", Integer.valueOf(this.pass_string.length()));
    String usr_name_len = String.format("%02d", Integer.valueOf(this.usr_name.length()));
    String passwd_len = String.format("%02d", Integer.valueOf(this.pass_wd.length()));
    // layout: "1" "00" auth_mode key_index "0" ssid_len sec_key_len "0000000" usr_name_len passwd_len
    //         followed by the SSID, the wifi key, the basic-auth user and the basic-auth password
    String setup_value = String.valueOf("1") + "00" + auth_mode + key_index + "0" + ssid_len + sec_key_len + "0000000" + usr_name_len + passwd_len + this.ssid + this.pass_string + this.usr_name + this.pass_wd;
    if (shouldEncodeData()) {
        try {
            setup_value = URLEncoder.encode(setup_value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        Log.d(GcmIntentService.TAG, "Encode setup data");
    } else {
        Log.d(GcmIntentService.TAG, "No need to encode setup data.");
    }
    String setup_request = "/?action=command&command=setup_wireless_save&setup=" + setup_value;
    return setup_request;
}

That is exactly what we need. First of all, since the security type is "WPA2/PSK", auth_mode is "2" and key_index is "0". The SSID length is zero-padded to 3 digits (mine is 32 characters, so 032), and the passcode length is zero-padded to 2 digits (mine is 26 characters, so 26).

That means the pieces needed break down into one of these 2:

1 00 2 0 0 032 26 0000000 06 06 SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS PPPPPPPPPPPPPPPPPPPPPPPPPP camera 000000

or

1 00 2 0 0 032 26 0000000 00 00 SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS PPPPPPPPPPPPPPPPPPPPPPPPPP

Following all that string concatenation, we have 2 options to set up the wifi, depending on which password configuration it needs (SSID and passcode are obfuscated):

http://192.168.2.1/?action=command&command=setup_wireless_save&setup=1002000322600000000606SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSPPPPPPPPPPPPPPPPPPPPPPPPPPcamera000000
http://192.168.2.1/?action=command&command=setup_wireless_save&setup=1002000322600000000000SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSPPPPPPPPPPPPPPPPPPPPPPPPPP
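Since the only specification of this format is the decompiled method, here is an added example (my reconstruction, not code from the app or from Motorola) that builds the setup value the same way, form-encodes it, parses a received value back into its fields with full length checking, and produces a redacted copy suitable for logging. The parser is an assumption about what the camera does on its side, based only on the "len SSID", "Key Length" and "SSID=... Key=..." lines it writes to /var/log/messages. Two caveats the code enforces: the app measures the SSID in UTF-8 bytes but the passphrase and credentials in Java char counts, so non-ASCII values are rejected as ambiguous, and the length prefixes are fixed-width, so oversize fields are rejected rather than silently corrupting the layout. The SSID and passphrase values are constructed placeholders.

```python
"""Build, parse and redact the Blink camera's setup_wireless_save payload.

Added example, not code from the app or from Motorola. The builder follows
the decompiled build_setup_core_request(); the parser is my assumption about
what the camera does on its side, based on the "len SSID" / "Key Length"
lines it writes to /var/log/messages.
"""
from urllib.parse import quote_plus

HEADER_LEN = 22  # fixed-width prefix: 1 00 A K 0 SSS KK 0000000 UU PP
COMMAND_PREFIX = "/?action=command&command=setup_wireless_save&setup="


def _require_ascii(name: str, value: str) -> None:
    # The app sizes the SSID in UTF-8 bytes but every other field in Java
    # char counts, so anything outside ASCII makes the payload ambiguous.
    if not value.isascii():
        raise ValueError(f"{name} must be ASCII for the length prefixes to be unambiguous")


def build_setup_value(ssid: str, psk: str, security: str = "WPA2/PSK",
                      auth_method: str = "Open", key_index: int = 1,
                      usr_name: str = "", pass_wd: str = "") -> str:
    """Return the raw (not yet URL-encoded) value of the setup= parameter."""
    for name, val in (("ssid", ssid), ("psk", psk),
                      ("usr_name", usr_name), ("pass_wd", pass_wd)):
        _require_ascii(name, val)
    sec = security.upper()
    if sec == "WEP":
        auth_mode = "0" if auth_method.lower() == "open" else "1"
        key_idx = str(key_index - 1)          # the app sends the WEP slot 0-based
    elif sec == "OPEN":
        auth_mode, key_idx = "0", "0"
    else:                                      # WPA/WPA2-PSK and anything else
        auth_mode, key_idx = "2", "0"
    if len(ssid) > 999 or max(len(psk), len(usr_name), len(pass_wd)) > 99:
        raise ValueError("field too long for its fixed-width length prefix")
    return ("1" + "00" + auth_mode + key_idx + "0"
            + f"{len(ssid):03d}" + f"{len(psk):02d}" + "0000000"
            + f"{len(usr_name):02d}" + f"{len(pass_wd):02d}"
            + ssid + psk + usr_name + pass_wd)


def build_setup_request(setup_value: str) -> str:
    """Request path with the value form-encoded, as Java's URLEncoder does."""
    return COMMAND_PREFIX + quote_plus(setup_value, safe="")


def parse_setup_value(value: str) -> dict:
    """Split a raw setup value back into fields, checking every length prefix."""
    if len(value) < HEADER_LEN or not value[:HEADER_LEN].isdigit():
        raise ValueError("header must be 22 digits")
    if value[0] != "1" or value[1:3] != "00" or value[5] != "0" or value[11:18] != "0000000":
        raise ValueError("unexpected constant digits in header")
    lengths = [int(value[6:9]), int(value[9:11]), int(value[18:20]), int(value[20:22])]
    body = value[HEADER_LEN:]
    if len(body) != sum(lengths):
        raise ValueError(f"body is {len(body)} chars, header promises {sum(lengths)}")
    fields, pos = [], 0
    for n in lengths:
        fields.append(body[pos:pos + n])
        pos += n
    ssid, psk, usr_name, pass_wd = fields
    return {"auth_mode": value[3], "key_index": value[4], "ssid": ssid,
            "psk": psk, "usr_name": usr_name, "pass_wd": pass_wd}


def redact_setup_value(value: str) -> str:
    """Mask the secrets so a request log does not keep the PSK in the clear."""
    f = parse_setup_value(value)
    return (value[:HEADER_LEN] + f["ssid"] + "*" * len(f["psk"])
            + f["usr_name"] + "*" * len(f["pass_wd"]))


if __name__ == "__main__":
    # Constructed placeholders standing in for a real SSID and passphrase.
    raw = build_setup_value("S" * 32, "P" * 26, usr_name="camera", pass_wd="000000")
    print(build_setup_request(raw))
    print(parse_setup_value(raw))
    print(redact_setup_value(raw))
```

Running it reproduces the 22-digit header the two URLs start with (1002000322600000000606 with the camera:000000 credentials, 1002000322600000000000 without). The camera's own log records the raw string, wifi key included, which is why the redacted form is what anything that proxies or logs these requests should keep instead.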

The 2nd one worked; the camera made a loud beep but the SSID was still active. I telnetted to the camera and this was in /var/log/messages:

Jan  1 15:54:57 MJPG-streamer [1901]: Org client thread : GET /?action=command&command=setup_wireless_save&setup=1002000322600000000000SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSPPPPPPPPPPPPPPPPPPPPPPPPPP HTTP/1.1^M
Jan  1 15:54:57 MJPG-streamer [1901]: After URL Encode : GET /?action=command&command=setup_wireless_save&setup=1002000322600000000000SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSPPPPPPPPPPPPPPPPPPPPPPPPPP HTTP/1.1^M
Jan  1 15:54:57 MJPG-streamer [1901]: Connect 192.168.2.11
Jan  1 15:54:57 MJPG-streamer [1901]: access granted
Jan  1 15:54:57 MJPG-streamer [1901]: command string: setup_wireless_save
Jan  1 15:54:57 MJPG-streamer [1901]: setup=1002000322600000000000SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSPPPPPPPPPPPPPPPPPPPPPPPPPP HTTP/1.1^M
Jan  1 15:54:57 MJPG-streamer [1901]: len=91
Jan  1 15:54:57 MJPG-streamer [1901]: 1002000322600000000000SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSPPPPPPPPPPPPPPPPPPPPPPPPPP HTTP/1.1^M
Jan  1 15:54:57 MJPG-streamer [1901]: len SSID 32 and index 9
Jan  1 15:54:57 MJPG-streamer [1901]: Key Length = 26
Jan  1 15:54:57 MJPG-streamer [1901]: String got is:0
Jan  1 15:54:57 MJPG-streamer [1901]: Len of workport is:0
Jan  1 15:54:57 MJPG-streamer [1901]: SSID='SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS' - Key='PPPPPPPPPPPPPPPPPPPPPPPPPP'
Jan  1 15:54:57 MJPG-streamer [1901]: Before sem wait
Jan  1 15:54:57 MJPG-streamer [1901]: After sem wait
Jan  1 15:54:57 MJPG-streamer [1901]: Finish init Flash
Jan  1 15:54:57 MJPG-streamer [1901]: Flash Init 20 (1901)
Jan  1 15:54:57 MJPG-streamer [1901]: Before sem post
Jan  1 15:54:57 MJPG-streamer [1901]: Flash DeInit 20 (1901)
Jan  1 15:54:57 MJPG-streamer [1901]: Finish deinit Flash
Jan  1 15:54:57 MJPG-streamer [1901]: After sem post
Jan  1 15:54:57 MJPG-streamer [1901]: ===WRITE TO FLASH===
Jan  1 15:54:57 MJPG-streamer [1901]: Before sem wait
Jan  1 15:54:57 MJPG-streamer [1901]: After sem wait
Jan  1 15:54:57 MJPG-streamer [1901]: Finish init Flash
Jan  1 15:54:57 MJPG-streamer [1901]: Flash Init 20 (1901)
Jan  1 15:54:57 MJPG-streamer [1901]: Before sem post
Jan  1 15:54:57 MJPG-streamer [1901]: Flash DeInit 20 (1901)
Jan  1 15:54:57 MJPG-streamer [1901]: Finish deinit Flash
Jan  1 15:54:57 MJPG-streamer [1901]: After sem post
Jan  1 15:54:57 MJPG-streamer [1901]: Wifi configuration saved successfully
Jan  1 15:54:57 MJPG-streamer [1901]: leaving

It looked like it took, so I rebooted the camera, and it connected and got its proper assigned DHCP address! I am able to view the camera connected to the correct SSID! As far as I'm concerned, the camera is now back to as operational as I want it to be, despite the vendor having abandoned the device.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Improving the Motorola Blink Baby Monitor/Camera (Part 5)

So I took the camera apart and took a high-res picture of the PCB. The wifi sub-board is soldered on so I won't remove it yet to expose the ARM CPU. That being said, maybe there's a clue on here for how to mount and write to the flash memory:

[Image: IMG_2312 (high-res photo of the camera PCB)]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Improving the Motorola Blink Baby Monitor/Camera (Part 4)

I screwed up.

I finally did it, I figured out the commands to do a custom firmware, and I tried to flash it...now the camera is UNRESPONSIVE. It boots, but no network, the LED is on, can't talk to it, nada. I'm working on my backout plan now :) Hey, that's the price of hacking. Nevertheless, I've learned a TON which is worth sharing.

Below is the set of commands I used to generate my custom firmware. The original firmware is a tar.gz containing conprog.bin and rootfs.bin.gz; rootfs.bin.gz unpacks into rootfs.bin, which can be mounted with:

sudo mount -t romfs -o loop rootfs.bin /mnt/rootfs
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Improving the Motorola Blink Baby Monitor/Camera (Part 3)

So, baby was born, meaning not much time for hacking. Hooray though! Lucas Alexander Gullo, 9/8/2014, 6 lb 9 oz, 19 inches. Hooray!

I haven't had a ton of time to work on things, but there is some progress. Motorola got back to me, though not completely. They've given me a link to a repo with their modified cambozola (https://github.com/nikhilvs/cambozola-bms), but I'm still waiting on the source for mjpeg-streamer, and some guidance on the parameters to make the romfs image. I contacted gpl-violations.org and they are also pressing the point that the GPL should have been included since the device runs embedded Linux.

I did something kind of interesting hardware-wise though. The theory is, wouldn't it be neat to be able to move the camera, say if my wife wants to monitor him napping downstairs for a while? So I figured out a way to provide stop-gap portable power for the monitor, so it can be moved around. Best yet, I did it without actually modifying what comes in the box; it all taps onto the exterior. Take a look:

[Image: MotorolaBlinkPower (portable USB battery power setup)]

Basically, I got a high current portable USB battery which charges off a micro USB, then made a converter for the power brick it comes with to go to micro USB, and then built a USB to barrel plug cable. Here's my parts list:

Pretty simple solder job, just cut the USB cable in half and strip the wires, bam. I've only tested it briefly, but in about 5 hours on the battery it dropped from 100%->88% so I imagine it'll run for a VERY long time.

Hopefully I'll get to dig through the source a bit more in upcoming weeks, but feel free to use these findings in your own hacking.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Improving the Motorola Blink Baby Monitor/Camera (Part 2)

So, I was able to acquire the actual ROM image for the firmware. Here's a dump of the file structure. I found a few gems:

The contents of /etc/passwd:

root:x:0:0:root:/:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
ftp:x:501:0:ftp:/var:/bin/sh
usb:x:504:100::/usb:
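As an added example (not from the post or the firmware), the following script runs the kind of checks a firmware review applies to a passwd file, using the four lines above embedded as constructed input. It goes beyond this sample: it also flags empty password fields and extra uid-0 accounts, neither of which this file contains. The "x" in the second field means the hashes live in /etc/shadow; an empty second field would mean password-less login.

```python
"""Audit an embedded /etc/passwd for account patterns worth flagging.

Added example, not code from the post or from the camera firmware. The
input below is the passwd file quoted in the post, embedded as constructed
sample data so the script runs stand-alone.
"""

PASSWD_FROM_POST = """\
root:x:0:0:root:/:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
ftp:x:501:0:ftp:/var:/bin/sh
usb:x:504:100::/usb:
"""

# Shells that deny interactive login; anything else on a service account is a finding.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines into dicts, rejecting malformed records."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        name, pw, uid, gid, _gecos, home, shell = parts
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def audit_passwd(text: str) -> list:
    """Return one human-readable finding per risky account attribute."""
    findings = []
    for e in parse_passwd(text):
        if e["pw"] == "":
            findings.append(f"{e['name']}: empty password field (login without a password)")
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: uid 0 alias of root")
        if e["gid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: primary group 0 (root group)")
        if e["shell"] == "":
            # passwd(5): an empty shell field means /bin/sh is used, not a denial.
            findings.append(f"{e['name']}: empty shell field, /bin/sh is used by default")
        elif e["shell"] not in NOLOGIN_SHELLS and e["uid"] != 0:
            findings.append(f"{e['name']}: service account with interactive shell {e['shell']}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_FROM_POST):
        print(finding)
```

On the quoted file this reports three findings: ftp is in group 0 and has an interactive shell, and usb has an empty shell field, which on a BusyBox login still drops to /bin/sh rather than denying access.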

Also, this appears to be an init script mounting a bunch of things:


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -