GO Deep Pro (1 of 2)

GO Deep Pro
Analyzing GoPro's WIFI.
In this little post we are going to analyze the traffic of this tinny but powerful camera: GoPro Hero 3.

May be there is someone that did not know but the GoPro's serie 3 (Hero 3) got embedded WiFi feature that give you the functionality to control the cam and see it in real time. The same function can be added for the Hero2 buying the wifi backpack, that works just same like the embedded in the hero 3.

The camera got a direct button to start this feature (turn on the wifi). This button start the AP mode of the wifi and start an embedded web browser. The default SSID for the wifi is something like "GOPRO-BP#####" (where # part of the serial number of the camera), new firmwares come with just "goprohero" as default ssid, and without  any password. TO change the ssid and the password of the camera you need to follow steps that basically re flash the firmware of the camera (is not something that normally people do...).


To access to the features of control the cam you need to connect to the wifi.

When you connect to the cam you obtain the IP range 10.5.5.X (first ip is 100), and always the cam is 10.5.5.9  (the reply from the dhcp server also contains the 10.5.5.9 as default gateway and primary dns 8.8.8.8 and secundary 4.4.4.4

When you open the Android GOPRO APP, 2 petitions are triggered:

1 - DNS Query a gopro.com
2 - Connection HTTP a 10.5.5.9 

If the DNS query is responding, the app starts making petition to the url of the GoPro (The web server on internet of the brand) and youtube channel too, starting to show on the app the Videos of the days.

If the connection to 10.5.5.9 is correct (open port) there is a series of query that start to happen, we are going to analyze those:

1: GET /bacpac/cv HTTP/1.1\r\n 
The reply of that GET is a file called CV, thats contain the SSID of the camera's wifi. (Because the gopro's android app can't know the wifi name or the password, what better than ask to the camera itself??) 

2: GET /bacpac/sd HTTP/1.1\\r\\n
The reply to this GETis a file called SD, this file contains the password of the SSID of the cam. Yes, in plain text. The same password that you need to execute future functions on the cam,  the cam itself give it to you. I guess this is for easiest way to use the app (for beginners users).

3: GET /bacpac/se?t=1234
The app start making this GETs every 2 seconds. The reply is a 12 Bytes file called SE with some data (no in plain text) of the cam. Like, battery level, for example, and used like a "ping" to know the cam still there. From now, all the "commands" sent to the camera are with the parameter "t" with the password, in plain. Also when you are upgrading the firmware (or just changing the ssid and password) the software just let you put numbers, letters, @, - and _. No special characters, because this will broke in some cases the URL for commands. So we know what characters we are not going to use when cracking ;). 

Commands found:

PW: (Power)
A: GET /bacpac/PW?t=1234&p=%01
Command PW: To power on and off the camera, value %01 power on and %0 0 to off. 

PV: (Preview)
B: GET /camera/PV?t=1234&p=%01
(Note here that the URL folder changed)
Command PV: This command start the "preview" mode on the camera. This basically open the port 8080 with the Cherokee web server pointing to the SD contends and a folder with streaming files. Value %01 off and %02 on (different from power values)

Live Stream: 
C: GET /live/amba.m3u8 (TO the port 8080)
This download the file amba.m3u8, common live stream file that you can play it on media player classic or vlc players (to se the preview in normal browsers)

All in this server (8080) are without any autentication. Content of the amba.m3u8 file: 
#EXTM3U
#EXT-X-TARGETDURATION:1
#EXT-X-VERSION:3
#EXT-X-ALLOW-CACHE:NO
#EXT-X-MEDIA-SEQUENCE:7016
#EXTINF:0.26693,
amba_hls-16.ts
#EXTINF:0.26693,
amba_hls-1.ts
#EXTINF:0.26693,
amba_hls-2.ts
#EXTINF:0.26693,
amba_hls-3.ts
#EXTINF:0.26693,
amba_hls-4.ts
#EXTINF:0.26693,
amba_hls-5.ts
#EXTINF:0.26693,
amba_hls-6.ts
#EXTINF:0.26693,
amba_hls-7.ts

SH: (Shooter)
D: GET /bacpac/SH?t=1234&p=%01
Command SH: Enable or Disable the shutter, depending on what mode the camera is. If you are in photo mode, %01 will take a photo. if you are in video or time lapse mode, %01 will start the recording and you will need to send to stop the %0 0 recording. Its almost the same like hit the physical button .

CM: (ChangeMode)
E: GET /camera/CM?t=1234&p=
The command CM changes the camera mode (the starting mode is not altered). 


Modificator
%0 0: Video Mode
%01: Photo Mode
%02: Burst Mode
%03:
Time Lapse Mode

VR: (VideoRecording)
F: GET /camera/VR?t=1234&p=
Command VR change the Video Recording formats.
Modificators: 


%0 0: WVGA 60
%01:
%02: 720 30
%03: 720 60
%04: 960 30
%05:
%06: 1080 30

TM: (Time)
G: GET /camera/TM?t=1234&p=%0d%07%07%10%2b%2d
The command TM sets the date to the internal clock of the cam.

LL: (Locate)
H: GET /camera/LL?t=1234&p=%01
Command LL start the buzzer to easily found your camera (following the sound). This beeps sounds will keep runing until you send the %0 0 value.

CN: (ChangeName)
I: GET /camera/CN?t=1234&p=%09Nombre_Nuevo
The command CN changes the internal camera's name (not the WIfi SSID). 


DL: (Delete)
J: GET /camera/DL?t=1234
Command DL deletes the last file on the SD. 

DA: (Delete All)
K: GET /camera/DA?t=1234
This command deletes all the SD content (Including the .LRV files (.LRV files are lower video quality files generated by the camera during the recording). Does not format the SD and does not delete any other file (For example a file that you copy to the sd. 

Others Curiosities: 
When the camera start, its generate a file called /MISC/version.txt where you can find some data about the cam. This file is obtained from some app to show you some data about the cam (you can get it over the preview web server (on port 8080). This is the content of the file:


{
"info version":"1.1",
"firmware version":"HD3.01.01.10",
"wifi version": "3.4.2.9",
"wifi bootloader version": "0.2.2",
"wifi mac":"xx:xx:xx:xx:xx:xx",
"camera type":"Hero3-White Edition",

Also the JAVA applet from gopro.com that help you to update the camera, get this file.


Some toughs  about the security:

Beyond the obviously (the password sent in plain text via URL parameter and no SSL or TTL), and if we settle with the wifi password security to access the camera, some thinks arise:

  • If we disconect the wifi of the cellphone (some android for example at not detecting internet change the wifi on the next in list) or you leave the app on background and remember to check email by changing the wifi by hand, some times the GoPro APP sends that "ping" (GET /bacpac/se?t=1234) to the gateway on the new wifi. So the password of your cam is now on some navigation logs
  • Same happens if your gopro get out of battery or you shutdown the wifi physically on the cam. 
  • Like we said early, because the limitation of characters on the password (that will be send on the url) you know that there is not special character on the wifi password, may be making a little (just a little) less complicated to make a brute force on the wifi password. 
  • If you have access to the Wifi of the cam, you got access to everything. Its very common that a normal user will not change the wifi settings, so there is a lots of cams arround the world, with no password. Remember that change the ssid and password involves to re flash the camera.
  • You got full access to the firmware files (even to gopro guys put all in open source). Making a little more easy take a look to the source code. 
WebServer

    When you enable the Preview (streaming) the camera oipen the port 8080 thats maps to a local cherrokee server (running in port 80 locally) you got access to the SD. This is what you see:
GoPro Connector PIN-Out (in case that someone like to start doing cool thinks on it):



  1. GND
  2. R video out – component Pb/Cb or composite (composite video out activated by grounding ID3 and ID4, component video out activate by grounding ID2 – only valid for old firmwares, current versions require eeprom).
  3. G video out – component Y
  4. B video out – component Pr/Cr
  5. USB +5V power
  6. as above
  7. USB Data+
  8. USB Data-
  9. GND
  10. Audio out Right
  11. Audio out Left
  12. Pwr/Mode button (tie to ground to activate)
  13. Playback mode button (tie to ground to activate)
  14. Audio in Right
  15. Audio in Left
  16. IR input
  17. Trig digital output
  18. GND (?)
  19. ID1 digital input
  20. ID2 digital input
  21. ID3 digital input
  22. ID4 digital input
  23. Adapter output – power output for external equipment (follows internal battery power).
  24. as above, but only powered when camera is on
  25. VBat+ external power input ?
  26. as above
  27. GND
  28. DATA interface I2C
  29. CLK interface I2C
  30. GND

1 comments :

Click here for comments
October 20, 2015 at 2:21 AM ×

Nice Blog

Selamat Jenifer Jack dapat PERTAMAX...! Silahkan antri di pom terdekat heheheh...
Balas
avatar
admin
Post a Comment
Thanks for your comment