It's also completely reasonable to assume that the camera I got from ebay is damaged goods as well.
I can't get the local ports to output anything useful like the other blogs I have linked. Now, it's possible that the camera is not fully initialized due to me neutering the cellular radio out of the box either.
My argument against that is the fact that the SQLITE DBs are still recording motion events, and metadata tags for the recorded frames / videos. Under the hood, "something" is happening, but I can't see it via the local hotspot modes.
I have learned a lot, but I'm afraid that I may have reached my limits.
Started poking a bit more
Flock safety camera:
press the back button 3 times quickly to activate hotspot mode
psk security
Okay great, now what?
curl -X PUT http://192.168.43.1:8080/api/v1/system/adb/enable
adb connect 192.168.43.1
scrcpy or adb shell
boom!!! device access via network level debug tools
or....
adb shell reboot -p to power the device off.
or...
curl -X PUT http://192.168.43.1:8080/api/v1/system/battery/disable_internal
to keep the device from running at night disable the BMS in the battery pack, requiring factory reset human levels of intervention.
sadly, all of the flock native apps can NOT be disabled via adb pm disable :(
Still poking.
I did end up finding the staged jpg and mp4 files on the filesystem...
I'm not getting the impression that these ALPR cams actually do ALPR on the edge. The yolo_pico3_float16 model will detect vehicle, person, etc. I am pretty sure metadata is tagged to the "session" and the session associated jpg/mp4 files are uploaded to the flock servers.
I am not seeing anything remotely resembling OCR taking place on the edge hardware.
Take this with a big grain of salt though. I am a hobby hardware hacker. I took this camera apart for the fun of it. To help you all understand why these seem to be so popular... California is up to 16,293 flock cameras in service as of yesterday.
I was reallllly hoping to be able to pull a bobby tables against each edge device with a crafty "bumper sticker." But, I don't think the cameras do any actual image processing besides finding objects and tagging the metadata with the objects.
Oh and yes, person is an object that gets tagged.
It's also completely reasonable to assume that the camera I got from ebay is damaged goods as well.
I can't get the local ports to output anything useful like the other blogs I have linked. Now, it's possible that the camera is not fully initialized due to me neutering the cellular radio out of the box either.
My argument against that is the fact that the SQLITE DBs are still recording motion events, and metadata tags for the recorded frames / videos. Under the hood, "something" is happening, but I can't see it via the local hotspot modes.
I have learned a lot, but I'm afraid that I may have reached my limits.
So I found some interesting SQLITE DBs but I have yet to find anything in cleartext concerning license plate numbers.
I found the metadata, but nothing that looks like it is reading text to a string.
{
"cameraSerial": "cereal",
"cameraType": "FALCONV21",
"modelName": "yolo_pico3_float16",
"modelVersion": "1.1.0",
"results": {
"008b7d76-cac2-4a87-a244-04d7854dbe63": {
"detections": {
"7da22091-6d48-41c8-b690-ca8ccd5ef958": {
"className": "vehicle",
"confidence": 0.46829465,
"direction": {
"x": 0.0,
"y": 0.0
},
"quality": 207.50511,
"selected": false,
"trackId": "0f995d52-f2e8-4b20-a4f4-35e2dea5a9b0",
"xmax": 1024.0,
"xmin": 1.3713074,
"ymax": 768.0,
"ymin": 0.0
}
}
}
},
"schemaVersion": "1.0"
}
I did end up finding the staged jpg and mp4 files on the filesystem...
I'm not getting the impression that these ALPR cams actually do ALPR on the edge. The yolo_pico3_float16 model will detect vehicle, person, etc. I am pretty sure metadata is tagged to the "session" and the session associated jpg/mp4 files are uploaded to the flock servers.
I am not seeing anything remotely resembling OCR taking place on the edge hardware.
Take this with a big grain of salt though. I am a hobby hardware hacker. I took this camera apart for the fun of it. To help you all understand why these seem to be so popular... California is up to 16,293 flock cameras in service as of yesterday.
I was reallllly hoping to be able to pull a bobby tables against each edge device with a crafty "bumper sticker." But, I don't think the cameras do any actual image processing besides finding objects and tagging the metadata with the objects.
Oh and yes, person is an object that gets tagged.
@rickoooooo@social.authbypass.com
ha ha
yeeeeeeessssssssssssssss
msm8953_32:/ # whoami
root
So I found some interesting SQLITE DBs but I have yet to find anything in cleartext concerning license plate numbers.
I found the metadata, but nothing that looks like it is reading text to a string.
{
"cameraSerial": "cereal",
"cameraType": "FALCONV21",
"modelName": "yolo_pico3_float16",
"modelVersion": "1.1.0",
"results": {
"008b7d76-cac2-4a87-a244-04d7854dbe63": {
"detections": {
"7da22091-6d48-41c8-b690-ca8ccd5ef958": {
"className": "vehicle",
"confidence": 0.46829465,
"direction": {
"x": 0.0,
"y": 0.0
},
"quality": 207.50511,
"selected": false,
"trackId": "0f995d52-f2e8-4b20-a4f4-35e2dea5a9b0",
"xmax": 1024.0,
"xmin": 1.3713074,
"ymax": 768.0,
"ymin": 0.0
}
}
}
},
"schemaVersion": "1.0"
}
@rickoooooo@social.authbypass.com Sadly, the above blog post (
) doesn't quite get me as far as I was hoping for when it comes to root on the Flock camera.
The "steps" posted in the blog are from memory at best. I think enough has been left out to make reproduction impossible.
I am going to keep drilling. I have the boot images extracted, and magisk 23 claimed it was able to patch, but a reboot caused a kernel panic
So... I'm going to attempt a few other magisk versions. v29(latest) also fails to patch or produce a new-boot.img
:(
@rickoooooo@social.authbypass.com
ha ha
yeeeeeeessssssssssssssss
msm8953_32:/ # whoami
root
There is an onboard app on the flock camera that offers to start a listener on port 8888/9999 and I have yet to explore that.
It's probably the last thing I do before going scorched earth and dumping the boot images via EDL
@rickoooooo@social.authbypass.com linked this blog to me last night and I am going to attempt rooting the camera.
https://gainsec.com/2025/06/19/grounded-flight-device-2-root-shell-on-flock-safetys-falcon-sparrow-automated-license-plate-reader/
What I really want to see is where the image processing extracts the license plate text and try to pull some bobby tables actions. I have seen SQL references in how the local metadata processes are logging, so I think this could be an interesting defense.
@rickoooooo@social.authbypass.com Sadly, the above blog post () doesn't quite get me as far as I was hoping for when it comes to root on the Flock camera.
The "steps" posted in the blog are from memory at best. I think enough has been left out to make reproduction impossible.
I am going to keep drilling. I have the boot images extracted, and magisk 23 claimed it was able to patch, but a reboot caused a kernel panic
So... I'm going to attempt a few other magisk versions. v29(latest) also fails to patch or produce a new-boot.img
:(
I am pretty sure I am going to attempt to enable the remote control ports on 8888 / 9999 to see if those render any results before going down the root filesystem path.
But, for anyone looking for an interesting tid bit...
Triple-press the button on the back of the flock. You will enable wifi tethering. PSK is security
There is an onboard app on the flock camera that offers to start a listener on port 8888/9999 and I have yet to explore that.
It's probably the last thing I do before going scorched earth and dumping the boot images via EDL
@rickoooooo@social.authbypass.com linked this blog to me last night and I am going to attempt rooting the camera.
https://gainsec.com/2025/06/19/grounded-flight-device-2-root-shell-on-flock-safetys-falcon-sparrow-automated-license-plate-reader/
What I really want to see is where the image processing extracts the license plate text and try to pull some bobby tables actions. I have seen SQL references in how the local metadata processes are logging, so I think this could be an interesting defense.
Tested the "e"SIM in other cellular modems I have. Nada. This particular camera's sim card seems to have been disabled.
I am pretty sure I am going to attempt to enable the remote control ports on 8888 / 9999 to see if those render any results before going down the root filesystem path.
But, for anyone looking for an interesting tid bit...
Triple-press the button on the back of the flock. You will enable wifi tethering. PSK is security
Any of my Android hacker friends with a nice CLI based priv escalation (for Android 8.1) would do well to DM me please.
Tested the "e"SIM in other cellular modems I have. Nada. This particular camera's sim card seems to have been disabled.
Can not set time in shell w/o root permissions.
Any of my Android hacker friends with a nice CLI based priv escalation (for Android 8.1) would do well to DM me please.
kajer :notverified: