This one time, I bought a drone
A Vista with DroneView Tactic, to be specific. What follows is not
so much a blog post, but a late night list of things I did. It came
with this camera module:
Drone
- Connect with Android App
- Have problems, get frustrated
- Connect with Laptop
- nmap default route IP
- Find HTTP, HTTP on port 5, RTSP, Telnet, and something else
Http on Port 5
- Execute GET /
- Server reports it is a Hisilicon Ipcam, nothing but 400 errors
WebApp
- Browse to 192.168.234.1
- Guess the following accounts
- WebApp suggests downloading plugin. Save some for later
- Click System, then Device Info to fetch:
- Serial Number: QVCVvzhROpFMEtDySbXSOPwEsdbubvyM
- Hard Ver: ipc4288p-ytf-ov9712d
- Software Ver: V3.42.88.4808-X10-Build:20151015R
- Now we know there is an OmniVision OV9712 involved. This is just the image sensor though.
Windows Plugin
- Use innoextract to decompress installer.
- Grep for URLs
Android Application
- Use apktool to decompress and disassemble APK file.
- Grep for URLs
RTSP
- rtsp://192.168.234.1/11
- This is my bedroom, as seen by my drone sitting on my bed. The bed is green due to the green navigation LEDs on the drone. In the center of the frame are three plants I am watching for a friend.
Stream is 720p20. At this resolution vs_server struggles to keep up
- rtsp://192.168.234.1/12
- Stream is 360p59.94
Next Steps
- Charge battery
- Run through the Mirai password list against telnet.
- Look for command injection in the webapp.
- Look at how the Android and Windows actually work
- Request source code from the vendor
- Leverage thttpd/2.25b to dump /etc/passwd