As an aside, holy crap do these cameras have a NARROW field of view. The focal length is like 40+ feet. One can reasonably assume it's blind as a bat when you are on top of the device.
http://192.168.43.1:8080/api/v1/liveView/enable
This will actually get the camera feed to the MJPG server on http port 1234. Camera wattage goes up to ~5W when encoding camera to MJPEG.
Part of me thinks the Cellular APN used (Twilio) is probably an attack surface. Remember when Chrysler had that thing where all headunits had open ports on the cellular IP block?
Why not Flock? Flock uses Twilio APNs for cellular access (the camera I have) and port 8080 is bound to all IP interfaces...
Someone here with Twilio Cellular should scan the internal sandbox network for devices with :1234 and :8080 open.
I am attempting to charge the battery directly, we'll see if the BMS is the problem or not.
Applying voltage to P+ pin of the back did NOT wake it up.
This whole battery thing is leading me down a TI BQ-series rabbit hole.
I will need an SMBUS debugger to get into the BMS to then unlock whatever lockdown mode this thing is in.
I need to stop messing with this battery BMS and go drink.
Ugh, here we go. Ordered up a TI BQ series SMBUS debugger...
Next steps:
I may set up an isolated wifi AP with a deny any/any rule and get the Flock camera to join that wifi AP rather than using cellular for internet access.
Then I can start simulating the domain names it's trying to phone home to to see what it's doing on the internet side of things.
The good news is the phone-home service doesn't trust a self-signed cert...
Will attempt to install a CA cert via network ADB to attempt to gain its trust.
and... BATTERY
HAHA YESSS
battery unlocked
Camera boots!
Now to attempt charging via the PV input
The unlock key may be DE CA FB AD
PV charging unlocked
setting voltage >14VDC will start charging the battery
The external battery pack has a label that shows voltage input is 14-24V and since everything uses the same pinout and connector, it's safe to assume that a solar panel can be directly connected to the camera body.
So I set the power supply to 18V/200mA and enabled output. The dumpsys adb command shows the battery voltage going up and that "AC" charging is enabled.
Even the system utility via scrcpy shows the battery charging and the percentage going up.
Nice.
Now to install a CA and to continue down the path of remote API takeover....
Speaking of which; The local API listener is only enabled in hotspot mode. So even if these devices were remotely accessible via cellular sandbox, port 8080 is not listening until someone does a triple-button-press on the device. :(
Sorry about the slow updates, but hardware/android debugging is not my day job, and I am poking at this stupid thing when I get free time here and there.
So yes, a local USER CA can be installed for "VPN and Apps" via the network adb bridge.
adb push ca.pem /data/local/tmp
adb shell am start -n com.android.certinstaller/.CertInstallerMain -a android.intent.action.VIEW -t application/x-x509-ca-cert -d file:///data/local/tmp/ca.pem
The certificate installer in the system menu doesn't work, but calling the intent via adb does work... But... You need SCRCPY running so you can answer all the required prompts and questions, as well as setting a screenlock due to how android does local CA things.
Now to set up an HTTPS server again to see if the phone-home service will talk to me.
Dang, looks like the certs required for the phone-home service to work are hard-coded in the app itself.
:(
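Why a user-installed CA is not enough when the client hard-codes its certificates, shown as an added example (not code from the Flock app or from this write-up). It assumes "hard-coded" means the app pins the server's leaf certificate by SHA-256 fingerprint; every name and the sample byte strings are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()

def pin_matches(cert_der: bytes, pinned: frozenset) -> bool:
    """True only if the presented certificate is one the client shipped with."""
    fp = fingerprint(cert_der)
    return any(hmac.compare_digest(fp, p) for p in pinned)

def accept_server(chain_trusted: bool, leaf_der: bytes, pinned: frozenset) -> bool:
    """Both checks must pass: trust-store validation AND the pin."""
    return chain_trusted and pin_matches(leaf_der, pinned)

def connect_pinned(host: str, port: int, pinned: frozenset) -> ssl.SSLSocket:
    """Open a TLS connection and drop it unless the leaf certificate is pinned."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pinned):
        sock.close()
        raise ssl.SSLError("server certificate is not in the pinned set")
    return sock

# Constructed stand-ins for DER certificates (not real certificates).
VENDOR_LEAF = b"constructed-vendor-leaf-certificate"
LAB_LEAF = b"constructed-leaf-signed-by-user-installed-ca"
PINS = frozenset({fingerprint(VENDOR_LEAF)})

def demo() -> dict:
    return {
        # Vendor server: chain validates and the pin matches.
        "vendor": accept_server(True, VENDOR_LEAF, PINS),
        # Lab server: the user CA makes the chain validate, the pin still fails.
        "lab_with_user_ca": accept_server(True, LAB_LEAF, PINS),
        # Self-signed server with no CA installed: rejected at both checks.
        "self_signed": accept_server(False, LAB_LEAF, PINS),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```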
Oh... This seems fun...
If you set a screen lock pin, and reboot...
The device will be stuck at a pre-boot password phase. Entering the PIN booted the device, and then it shut itself down right away. Booting again will do the same but without the shutdown.
So... uh, set a screenlock and reboot. done.
The screenlock can be a pin, password, swipe. etc.
Flock Safety Kill Chain thus far:
Press back button on camera three times quickly
connect to Flock-xxxxxx hotspot with PSK: security
curl -X PUT http://192.168.43.1:8080/api/v1/system/adb/enable
adb connect 192.168.43.1
scrcpy
set a PIN/PASSWORD
adb shell reboot -p
bye bye
since the camera has "encrypted" storage, the reboot will force the pre-boot password to be entered before loading the userdata partition. No userdata, no flock apps. No hotspot. Only USB adb bridge will get you scrcpy to then enter the password.
In theory you could use the usb adb to do some intent/keystroke commands to the screenlock screen, but scrcpy is already running, and easier.
If the camera doesn't get a boot password, it shuts down to a low power state until you press buttons on the internal boards locally.
I am no longer in possession of the above pictured flock safety camera. I have passed it on to the next person who may extract its darker secrets. Look for updates in the future. I will link when that time comes.