Next steps:
I may set up an isolated wifi AP with a deny any/any rule and get the Flock camera to join that wifi AP rather than using cellular for internet access.
Then I can start simulating the domain names it's trying to phone home to, to see what it's doing on the internet side of things.
The good news is the phone-home service doesn't trust a self-signed cert...
Will attempt to install a CA cert via network ADB to attempt to gain its trust.
Ugh, here we go. Ordered up a TI BQ series SMBUS debugger...
This whole battery thing is leading me down a TI BQ-series rabbit hole.
I will need a SMBUS debugger to get into the BMS to then unlock whatever lockdown mode this thing is in.
I need to stop messing with this battery BMS and go drink.
I am attempting to charge the battery directly, we'll see if the BMS is the problem or not.
Applying voltage to P+ pin of the back did NOT wake it up.
Part of me thinks the Cellular APN used (Twilio) is probably an attack surface. Remember when Chrysler had that thing where all headunits had open ports on the cellular IP block?
Why not Flock? Flock uses Twilio APNs for cellular access (the camera I have) and port 8080 is bound to all IP interfaces...
Someone here with Twilio Cellular should scan the internal sandbox network for devices with :1234 and :8080 open.
As an aside, holy crap do these cameras have a NARROW field of view. The focal length is like 40+ feet. One can reasonably assume it's blind as a bat when you are on top of the device.
http://192.168.43.1:8080/api/v1/liveView/enable
This will actually get the camera feed to the MJPG server on http port 1234. Camera wattage goes up to ~5W when encoding camera to MJPEG.
going to attempt to wake up the battery, but now to find a 10.8V charger :(
power analysis shows that the camera consumes ~2W idle so Solar panel input would drive the camera no problem during the day
but the battery disable command basically tells the BMS to stop outputting voltage.
Attack angle maybe? Turns a nice li-poly pack into a 0V brick.
oof, so disabling the battery is a one-way operation
the battery + line has no voltage anymore
Started poking a bit more
Flock safety camera:
press the back button 3 times quickly to activate hotspot mode
psk security
Okay great, now what?
curl -X PUT http://192.168.43.1:8080/api/v1/system/adb/enable
adb connect 192.168.43.1
scrcpy or adb shell
boom!!! device access via network level debug tools
or....
adb shell reboot -p to power the device off.
or...
curl -X PUT http://192.168.43.1:8080/api/v1/system/battery/disable_internal
to keep the device from running at night disable the BMS in the battery pack, requiring factory reset human levels of intervention.
sadly, all of the flock native apps can NOT be disabled via adb pm disable :(
Still poking.