Brutkey

kajer :notverified:
@kajer@infosec.exchange
kajer :notverified:
@kajer@infosec.exchange

Can not set time in shell w/o root permissions.

kajer :notverified:
@kajer@infosec.exchange

okay, I missed the fact that the Android OS is convinced that the date is 1970

this may pose a problem

kajer :notverified:
@kajer@infosec.exchange

I will be testing that SIM in a different cellular modem soon enough, but I am starting to think the cam I got off of ebay is not quite right.

Watching the local logcat, there are a lot of permission errors and device errors. The QTI logging service on the SCRCPY console seems to never connect to the local logging services.

I got a bitbold and hit one of factort reset buttons in another homebrew flock app, and that did reset the device a f ew time with filesystem stuff in the console logs. Yes all the system apps remained in place, so no flock APKs were harmed... Although. I'm not sure if this camera had enough to work fully in the first place.

I can never get the camera to boot to it's ADB bridge consistently and rarely can I actually get the camera's local wifi hotspot to enable.

Also, the back button seems to enable hotspot mode, but, no network level ADB connections. :(

kajer :notverified:
@kajer@infosec.exchange

I have a feeling that the camera is halting the boot process due to the missing sim card and the modem not initializing.

I have yet to fully figure out the custom app ecosystem that makes up these cameras.

kajer :notverified:
@kajer@infosec.exchange

I will be testing that SIM in a different cellular modem soon enough, but I am starting to think the cam I got off of ebay is not quite right.

Watching the local logcat, there are a lot of permission errors and device errors. The QTI logging service on the SCRCPY console seems to never connect to the local logging services.

I got a bitbold and hit one of factort reset buttons in another homebrew flock app, and that did reset the device a f ew time with filesystem stuff in the console logs. Yes all the system apps remained in place, so no flock APKs were harmed... Although. I'm not sure if this camera had enough to work fully in the first place.

I can never get the camera to boot to it's ADB bridge consistently and rarely can I actually get the camera's local wifi hotspot to enable.

Also, the back button seems to enable hotspot mode, but, no network level ADB connections. :(

kajer :notverified:
@kajer@infosec.exchange

also, fun fact. the eSIM in the Flock cellular module is not electronic sim, but "e"mbedded sim... meaning it's a standard SIM card.

a sim card on a workbench
kajer :notverified:
@kajer@infosec.exchange

SCRCPY WORKS!!!!

kajer :notverified:
@kajer@infosec.exchange

fuck ALPR tech

Positive thoughts?

These are so unlocked and so open, if these fucking devices ever made ewaste piles, the dev boards are so easy to harvest and repurpose as an unlocked android 8.1 dev board. Serial port is marked by G T R on the silk screen, and power seems wide input 12v tolerant.

The case of the cam has no intrusion detection.

There is no epoxy or potting or conformal coatring. I'm not sure there is even conformal coating. THe outer housing is sealed with a nice thicc gasket. Even the T20 security torx have o-rings. This is funny because the battery says not to charge in a sealed container.

I have yet to explore the back case button behavior, since I am stealing 3.3v for the serial TTL from that header. Now that I have adb bridge access via USB, i can remove the serial link and connect that button to see what logcat says.

The last bit for me to explore is to see if the 7 pin plug has any useful data on the bottom 3 pins.

Now I get to re-learn android hax0ring all over again, yay!

kajer :notverified:
@kajer@infosec.exchange

🤔🤔

I haven't tried to use SCRCPY

It wasn't listed as a "feature" in adb, but the logcat output indicates there is a "display" and "sleep" modes when pressing one of the buttons on the board.

Now I can't wait to go home and try it.

Stupid day jobs...

kajer :notverified:
@kajer@infosec.exchange

So, flock cameras are android 8.1 dev kits with debug kernels, unlocked bootloader, and full shell access ... In prod.

the mini usb port can do OTG to an extent or be an adb port depending on the dip switch. When it's in ADP mode, it's a crapshoot on the USB device id, and usb_modeswitch doesn't do anything.

Using adb, one can push/pull at will. Granted it's not a root shell, and su isn't installed, but holding buttons on power up can get you fastboot.

It's android 8.1, and plenty of su zip files can be applied.

The buttons... Power and volume down. Just enough to be useful in fastboot.

I plan on dumping the flock specific APK files and attempting a decompiling. Maybe hard coded API keys blobupsidedown

kajer :notverified:
@kajer@infosec.exchange

fuck ALPR tech

Positive thoughts?

These are so unlocked and so open, if these fucking devices ever made ewaste piles, the dev boards are so easy to harvest and repurpose as an unlocked android 8.1 dev board. Serial port is marked by G T R on the silk screen, and power seems wide input 12v tolerant.

The case of the cam has no intrusion detection.

There is no epoxy or potting or conformal coatring. I'm not sure there is even conformal coating. THe outer housing is sealed with a nice thicc gasket. Even the T20 security torx have o-rings. This is funny because the battery says not to charge in a sealed container.

I have yet to explore the back case button behavior, since I am stealing 3.3v for the serial TTL from that header. Now that I have adb bridge access via USB, i can remove the serial link and connect that button to see what logcat says.

The last bit for me to explore is to see if the 7 pin plug has any useful data on the bottom 3 pins.

Now I get to re-learn android hax0ring all over again, yay!

kajer :notverified:
@kajer@infosec.exchange

[ 0.000000] *******************************************************
[ 0.000000] NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
[ 0.000000]
[ 0.000000] trace_printk() being used. Allocating extra memory.
[ 0.000000]
[ 0.000000] This means that this is a DEBUG kernel and it is
[ 0.000000] unsafe for produciton use.
[ 0.000000]
[ 0.000000] If you see this message and you are not debugging
[ 0.000000] the kernel, report this immediately to your vendor!
[ 0.000000]
[ 0.000000] NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
[ 0.000000] *******************************************************

kajer :notverified:
@kajer@infosec.exchange

So, flock cameras are android 8.1 dev kits with debug kernels, unlocked bootloader, and full shell access ... In prod.

the mini usb port can do OTG to an extent or be an adb port depending on the dip switch. When it's in ADP mode, it's a crapshoot on the USB device id, and usb_modeswitch doesn't do anything.

Using adb, one can push/pull at will. Granted it's not a root shell, and su isn't installed, but holding buttons on power up can get you fastboot.

It's android 8.1, and plenty of su zip files can be applied.

The buttons... Power and volume down. Just enough to be useful in fastboot.

I plan on dumping the flock specific APK files and attempting a decompiling. Maybe hard coded API keys blobupsidedown

kajer :notverified:
@kajer@infosec.exchange

[ 0.000000] *******************************************************
[ 0.000000] NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
[ 0.000000]
[ 0.000000] trace_printk() being used. Allocating extra memory.
[ 0.000000]
[ 0.000000] This means that this is a DEBUG kernel and it is
[ 0.000000] unsafe for produciton use.
[ 0.000000]
[ 0.000000] If you see this message and you are not debugging
[ 0.000000] the kernel, report this immediately to your vendor!
[ 0.000000]
[ 0.000000] NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
[ 0.000000] *******************************************************