Android Community

Thread: Brookstone rover app

  1. #1
    Join Date
    Dec 2011
    Posts
    2

    Unhappy Brookstone rover app


    I would like to write an app that would allow me to drive my Brookstone spy tank rover from an Android device. Does anyone know the username and password to the wifi router that is built into the rover? I no longer have an iPhone and I really need the tank to annoy my cats. They are getting a little ****y.

    Thanks,

  2. #2
    Join Date
    Dec 2011
    Posts
    2

    Default Re: Brookstone rover app

    I did not mean to set off the profanity filter with my post. I should have just said that my cats are getting a little too big for their britches. I hope that all male poultry will forgive my insensitivity.

  3. #3
    Join Date
    Dec 2011
    Posts
    24

    Default Re: Brookstone rover app

    UPDATE: Dear all, the following posts track my hacking endeavours, maybe interesting if you want to do something similar. But you can also go directly to the market. It's called RoverOpen and you can use the market and this thread to comment.

    This robot was sold to me and my girlfriend as also coming with an Android app... And although it wasn't on the package, I thought, ah, apparently there is one now available. Apparently not!

    I found out that besides port 80, there are two UDP ports open at 67 and 10000.

    Code:
    Interesting ports on 192.168.1.100:
    Not shown: 998 closed ports
    PORT      STATE         SERVICE
    67/udp    open|filtered dhcps
    10000/udp open|filtered unknown
    MAC Address: 00:E0:4C:06:E7:10 (Realtek Semiconductor)
    
    Nmap done: 1 IP address (1 host up) scanned in 1109.95 seconds

    When I navigate to http://192.168.1.100, which directs me to index1.htm, and after hitting ESC several times (none of the default-like username/password combinations I tried worked), I end up at a place where I can replace the firmware or the GUI.

    Code:
    Device Firmware Version
    Device Embeded Web UI Version
    Device ID

    Pity that the actual version numbers are not listed. Maybe it's ActiveX and it doesn't play well with Firefox on Linux. The wrongly spelled "Embeded" is also ubiquitous in Foscam IP cameras. But I've not yet opened the device.
    Last edited by MrQuincle; 01-13-2012 at 02:52 AM.

  4. #4
    Join Date
    Dec 2011
    Posts
    24

    Default Re: Brookstone rover app

    The index1.htm page served:

    Code:
    <html>
    ...
    <script src="public.js"></script>
    ...
    <script src="check_user.cgi"></script>
    <script>
    var language=getcookie('language');
    if (language=='')
      language='english';
    if (language=='simple_chinese')
      document.write('<script src="english/string.js"><\/script>');
    else
      document.write('<script src="english/string.js"><\/script>');
    </script>
    <script src="get_params.cgi"></script>
    <script>
    if (alias='') alias=str_anonymous;
    document.title=str_device+'('+alias+')';
    </script>
    <body><iframe ... src="admin.htm"></iframe></body>
    </html>

    The string.js contains many strings like str_rebootinfo, str_mode_activex, etc.

    When I open the device, the ucontroller does not have any info displayed on it. The radio chip text says: bt-rt3070-U2

    IMG_20111229_230248.jpg

    I am still in doubt whether I will upload the "Device Embeded Web UI Version" from Foscam, for example from here: http://www.gadgetvictims.com/2008/08...tory-page.html

  5. #5
    Join Date
    Dec 2011
    Posts
    24

    Default Re: Brookstone rover app

    The chip on the bottom part of the SMD reads Spansion s29gl032n90tfi040. According to Farnell (datasheet) this is 32MB flash.

    IMG_20111231_004607.jpg

    There is one open connector, I show a (I admit vague) close-up of it in the second picture.

    IMG_20111231_005013.jpg

    The labels read "+3.3V, GND, GPI010, and GPI09". This looks like a serial port (and not JTAG), where TX/RX is pin 9/10 (or reversed).

    Edit: Serial port might be JTAG after all...
    Last edited by MrQuincle; 12-31-2011 at 09:36 AM. Reason: Maybe incorrect

  6. #6
    Join Date
    Dec 2011
    Posts
    24

    Default Re: Brookstone rover app

    From the IPCAM CGI SDK V1.7 spec (pdf) only:
    - decoder_control.cgi
    - camera_control.cgi
    work, but require authorisation.

    The Foscam IP cameras also come with Spansion flash: http://dangerousprototypes.com/forum...pic.php?t=1197

  7. #7
    Join Date
    Dec 2011
    Posts
    24

    Smile Re: Brookstone rover app

    I got the iPhone from my bro for a minute, but wasn't successful in jailbreaking it to run tcpdump. Apparently redsn0w doesn't work so well with Windows 7 in VirtualBox (also not when running as admin and in compatibility mode - I tried XP SP2, SP3, Vista, 95, but I digress).

    By just connecting to an ad-hoc network on a Linux box it only shows:

    Code:
    sudo tcpdump -AlxXs 1500 -vvv -i wlan0 port 80
    tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 1500 bytes
    
    05:25:48.778585 IP (tos 0x0, ttl 64, id 26899, offset 0, flags [DF], proto TCP (6), length 64)
        iPhone.local.49164 > 127.0.0.1.www: Flags [S], cksum 0x23aa (correct), seq 2709763778, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 627236367 ecr 0,sackOK,eol], length 0
        0x0000:  4500 0040 6913 4000 4006 da63 0a2a 2b0b  E..@i.@.@..c.*+.
        0x0010:  c0a8 0164 c00c 0050 a183 b6c2 0000 0000  ...d...P........
        0x0020:  b002 ffff 23aa 0000 0204 05b4 0103 0302  ....#...........
        0x0030:  0101 080a 2562 de0f 0000 0000 0402 0000  ....%b..........
    05:25:49.760488 IP (tos 0x0, ttl 64, id 40026, offset 0, flags [DF], proto TCP (6), length 64)
        iPhone.local.49164 > 127.0.0.1.www: Flags [S], cksum 0x23a1 (correct), seq 2709763778, win 65535, options [mss 1460,nop,wscale 2,nop,nop,TS val 627236376 ecr 0,sackOK,eol], length 0
        0x0000:  4500 0040 9c5a 4000 4006 a71c 0a2a 2b0b  E..@.Z@.@....*+.
        0x0010:  c0a8 0164 c00c 0050 a183 b6c2 0000 0000  ...d...P........
        0x0020:  b002 ffff 23a1 0000 0204 05b4 0103 0302  ....#...........
        0x0030:  0101 080a 2562 de18 0000 0000 0402 0000  ....%b..........

    It seems my attempt at redirecting 192.168.1.100 to localhost also makes it lose the ACKs along the way. So, I would be really helped if someone would run tcpdump on a jailbroken iPhone / iPad connected to the rover. Thanks in advance!

  8. #8
    Join Date
    Dec 2011
    Posts
    24

    Default Re: Brookstone rover app

    Okay,

    Code:
    http://192.168.1.100/check_user.cgi?user=AC13&pwd=AC13

    Other cgi files:

    Code:
    wifi_scan.cgi
    get_wifi_scan_result.cgi
    get_param.cgi
    set_param.cgi
    backup_params.cgi

    The wifi result shows (naturally) all networks in my apartment. The backup params script is interesting because it returns a binary file (with username and password too). If you're smart enough you can set, using set_param.cgi, one of the parameters listed in get_param.cgi. Regretfully it seems all kinds of ssh/ftp stuff have been removed or moved.

  9. #9
    Join Date
    Dec 2011
    Posts
    24

    Default Re: Brookstone rover app

    On to finding a way to stream images from the thing. The "normal" snapshot.cgi, videostream.cgi, or video.cgi scripts do not exist. There is an "images" directory, but it seems empty.

    In the TCP traffic there is a reference to "456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz" when controlling the rover (and not only when making a snapshot). So there should be a JFIF somewhere, yes! There are .jpg files transferred here!

    Yeah, success! We can grab images on my Linux box:
    Code:
    sudo driftnet -i wlan0

    The only thing to know now is how the rover starts streaming images over port 80. As soon as someone figures that out, I can write the Android app!

    Edit: Pastebin tcpdump at http://pastebin.com/zqbsQL7y
    Last edited by MrQuincle; 01-01-2012 at 05:59 PM. Reason: Pastebin tcpdump
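
The string quoted in post #9 is the printable part of the standard JPEG Huffman tables, which is why it signals image frames inside the TCP payload. The following is an added example, not part of the original thread: a marker-walking carver that pulls complete JPEG frames out of a reassembled byte stream, run on a constructed sample (the `sample_frame` helper and `SAMPLE` bytes are made up for the demo, not taken from the rover).

```python
# HUFF_ASCII: run of standard Huffman-table symbols (JPEG Annex K) that shows
# up as printable text in a DHT segment; it is the string quoted in the post.
HUFF_ASCII = b"456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz"

def carve_jpegs(stream: bytes) -> list:
    """Return every complete JPEG (SOI..EOI) found in the byte stream."""
    frames, pos = [], 0
    while (start := stream.find(b"\xff\xd8\xff", pos)) != -1:
        end = _find_eoi(stream, start + 2)
        if end is not None:
            frames.append(stream[start:end])
        pos = end or start + 2       # truncated or false-positive SOI: move on
    return frames

def _find_eoi(buf: bytes, i: int):
    """Walk marker segments after SOI; return the offset just past EOI."""
    while i + 1 < len(buf):
        if buf[i] != 0xFF:
            return None              # a marker must start here
        marker = buf[i + 1]
        if marker == 0xD9:           # EOI
            return i + 2
        if i + 4 > len(buf):
            return None
        i += 2 + int.from_bytes(buf[i + 2:i + 4], "big")   # skip the segment
        if marker == 0xDA and (i := _skip_scan(buf, i)) is None:
            return None              # SOS scan data ran off the end
    return None

def _skip_scan(buf: bytes, i: int):
    """Skip scan data; FF00 is a stuffed byte, FFD0..FFD7 are restart markers."""
    while (i := buf.find(b"\xff", i)) != -1 and i + 1 < len(buf):
        if buf[i + 1] == 0x00 or 0xD0 <= buf[i + 1] <= 0xD7:
            i += 2
        else:
            return i                 # a real marker ends the scan
    return None

def _seg(marker: int, body: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(body) + 2).to_bytes(2, "big") + body
def sample_frame(scan: bytes) -> bytes:
    """Constructed frame: structurally valid JPEG segments, not a decodable image."""
    return (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _seg(0xC4, b"\x10" + HUFF_ASCII) + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + scan + b"\xff\xd9")

# Constructed capture: HTTP header, two frames, then a frame cut off mid-header.
SAMPLE = (b"HTTP/1.1 200 OK\r\n\r\n" + sample_frame(b"\x12\xff\x00\x34\xff\xd0\x56")
          + b"--pad--" + sample_frame(b"\xab\xcd") + b"\xff\xd8\xff\xe0\x00")
```

Walking segment lengths instead of searching for the first `FF D9` avoids cutting a frame short when those two bytes occur inside a header segment such as an embedded thumbnail.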

  10. #10
    Join Date
    Jan 2012
    Posts
    7

    Default Re: Brookstone rover app


    MrQuincle, you're the man! I'm not too sure how to find how the images are streamed, but if there's anything else I can possibly help with, voice it! I have a Rover and a rooted Android tablet... I'll test for ya... It would be sick to have this app... I will donate.
