Author Topic: AC13 Brookstone Rover  (Read 69408 times)

September 13, 2012, 12:08:53 pm
Would be grateful if you could please provide information on which port/connector on the ac13 was used with the Bus Pirate and what protocol was used to extract info? I have some cycles to dig into other stuff that may be of interest.

I just interfaced with the serial port that was on the underside of the rover. It's the only 3 pin connector so it was kind of hard to not miss. I just set the Bus Pirate to UART, 115200/8/N/1, Idle 1, Normal. Then I set it to Transparent Bridge using the (1) macro, let the Bus Pirate reset into that mode, and then fired up the rover and went to town.

Here is a shot of the rover hooked up to my BP with a note on the colorings and to which they are hooked up. Note that depending on your version of the BP and the coloring scheme of your wiring harness your connection may differ. Just refer to which pins are TX/RX/GND for your BP's UART mode.



My interpretation of Armin's first post is that AC13 is basically a clever copy of the Loftek camera to drive left/right motors instead of tilt/pan motors. All inside a new tank casing. So you could theoretically convert the ac13 to an ip webcam and webcam to a tank :)

This is 100% correct. :) Just replace the term "Loftek" with "Nuvoton" (since if I understand correctly that is the parent company providing the camera hardware to the cloning agencies). It's all just PWM motor control without the limit switches that are present on the cameras.

September 13, 2012, 11:15:05 pm
Hi Armin,

Thanks a ton for posting details on the Bus Pirate wiring! I will try that out after getting my setup ready. In the meantime I looked through the files that you have uploaded

1.camera.unz.tar - untars to camera.unz
2.dump_to_binary.py.tar - untars to a python file
3.firmware.tar - untars to three files Boot_info, linux and romfs
4.romfs.tar - untars to linux directory structure
5.webui.bin.tar - untars to webui.bin
6.webui.tar - untars to a www kind of directory

After untarring the files, I found webui.tar and romfs.tar to have some readily understandable content. Are the other files just raw content extracted from the flash device? And what is the dump_to_binary python file used for? I also couldn't find any cgi files -

Thx once again!

PS: The ArDrone from Parrot may also be having the same kind of hardware and software - if you are interested in hacking that let me know - I may have a spare one...
« Last Edit: September 13, 2012, 11:18:42 pm by nanunh »

December 26, 2012, 11:14:16 pm
Hi guys!

For Christmas I received an AC13, and sure enough 24 hours later I've pulled it apart.

My question is, I've got 4, 9.6 volt 750mAh NiCad batteries. Do you see any problems with me putting these in parallel and running the rover off of them?

Also any luck on extending the range of the rover??? I only get 30 feet! And that's even at night outdoors!

I'm also thinking of playing around with the motors and replacing them with something bigger.... Ideas????

February 04, 2013, 09:39:07 pm
Hello,
I bought one of these rovers in Australia from JayCar http://www.jaycar.com.au/productView.asp?ID=GT3598.

However this rover does not work with rover open / any resources I can find except the iPhone app.
I have captured network data between it and the phone if anyone knows how to go about decoding it :|
I have tried a few times to work on this and every time I get stonewalled by not knowing as much as I would like.. I am attempting to write a C# library for the rover for future hacking, and not being able to talk to it and gain video is really annoying (I can do movements using the commands from the debug website)...

Thanks,
Ralim

February 10, 2013, 10:16:52 pm
Great info guys.  I stumbled across your thread while doing my own teardown on wikipedia.  Check out http://techbloginator.wordpress.com/2013/02/09/spytank-teardown/.  Looks like a couple of guys leaving comments there might be able to help.  I'm getting more and more tempted to dive in with both feet.

Although I have the newer version of the Rover it looks extremely similar.  I'll post back if we find out anything substantial.  For now it's mostly pics and a few ideas on how the circuit breaks down.

February 14, 2013, 10:01:13 pm
ntc, nice Teardown :)
My unit seems to be a mix of two here, it has similar logic internally to yours (same boards) but I am missing the stepper to raise / lower the camera... :S

Please, if anyone knows anything about getting the images off these newer ones I would really appreciate it :) [I have network packets logged etc, just don't know how to go from those -> working code..]

If that makes any sense..

Thanks,
Ralim 

September 03, 2013, 04:43:59 pm
Hi guys,
First of all thanks for this post, you did a great job!

I bought last week a "Logicom Spy C Tank" and tried to control it from my computer. The good news is that it looks very similar to Brookstone rover (the official android application's code is almost the same as the one for Brookstone Rover).

I tried to control my robot by sockets via the protocol MO_O or MO_V but it's really hard to figure out the array of bytes I have to send especially when I try to "login" (heading: MO_O, operation: 2). It seems that there is a blowfish encryption which makes things complicated, basically it's not always the same byte array which is sent for "authentication" (in addition I am more a C# developer and not Java)..so as you probably understood, no success.. :(

However, the following cgi commands work very well:
http://192.168.1.100/decoder_control.cgi
http://192.168.1.100/wifi_car_control.cgi

I can thus control the robot and move its camera however (same for Rover) the streaming command is not supported. (ex: videostream.asf, videostream.cgi or even snapshot.cgi)

Has anyone managed to find a way to get the camera streaming (or a snapshot) via this kind of webservice?

September 03, 2013, 07:35:07 pm
Hi,
There seem to be many many variants of this model..
I discovered the same issue with finding a stream from the camera, there is a python script floating around the 'net that attempts to read from the camera. I had issues with it not working with my model, but perhaps you can have success with it?
It appears the tank only sends images when you request them and doesn't actually "stream" them ??

Thanks,
Ralim

September 05, 2013, 04:34:44 pm
Hi Ralim,

Thanks for your reply! I checked this python script..unfortunately it seems that it has been done for the rover 1.0 where login request (through MO_O/MO_V bytes protocol) is not as complicated as for rover 2.0 or SpyCTank, i.e. it does not go to this blowfish encryption and all this mess...

I am now trying to play with DVM_IPCam2.ocx that you can find in the WebUI (192.168.1.100/codebase/DVM_IPCam2.ocx). I just tried to reference this library in my .NET project, unfortunately I get a nice COM exception for the time being..

It looks like I will have to come back to network traffic analysis in order to find the logic to create the protocol.. :(

I'll let you know if I manage to do something (looks like it will take time...)

September 05, 2013, 08:24:13 pm

Hi, robot83…
Ah, could it be this basic system underneath the blowfish?
Could you upload that ocx file somewhere? I'll have a toy with it too if you want :)
Also have you tried disassembling the file to glean insight?

Maybe doing a network capture over a long period of time and hunting for patterns in the encryption? (Haven't done much work on network analysis sadly)…

- Ralim

September 19, 2013, 01:07:49 am
Hello everyone -

I've been using information from this thread to assist me in writing a client library in Node.JS. The code is here https://github.com/wearefractal/rover and completely open source. I have also compiled some research and firmware files from here and other sites. Feel free to fork it, open issues, etc.

So far it can do everything but receive video and output audio to the speakers. This has only been tested on the 2.0 Rover. I am working on the wire protocol and will add more features when that happens.

September 23, 2013, 06:52:04 pm
Hi again -

I have reverse engineered the android APK and got the source code for the command encoder.

https://gist.github.com/Contra/6678097

This should shed a lot of light on how the commands are generated and parsed.

March 27, 2014, 06:13:51 am
Hi

I was wondering if anyone has any idea / walk-through in terms of how you can connect this to the router and use it through the web if possible.

Also is it possible to set a wi-fi password for the robot? It's pretty insecure as your neighbors can spy in your house if they just connect to its open wifi and use the app..

Thanks

June 28, 2014, 09:42:35 pm
Has anyone noticed this looks like the old Foscam software? Also when I did an NMAP on the device I got this back.

80/tcp open  http    Netwave webcam http config
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:E0:4C:07:EF:53 (Realtek Semiconductor)
Device type: specialized|webcam
Running: AirMagnet Linux 2.4.X, Foscam Linux 2.4.X, Instar Linux 2.4.X
OS CPE: cpe:/h:airmagnet:smartedge cpe:/h:foscam:fi8904w cpe:/h:foscam:f18910w cpe:/h:foscam:f18918w cpe:/h:instar:in-3010
OS details: AirMagnet SmartEdge wireless sensor; or Foscam FI8904W, FI8910W, or FI8918W, or Instar IN-3010 surveillance camera (Linux 2.4)

My guess is they are using the same commands that move the PTZ to move the rover. Also wow-wee rovio runs FOSCAM software.
« Last Edit: June 28, 2014, 09:56:29 pm by diefldrmas »
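
For anyone who wants to know whether a device of this family is sitting on their own network, the fingerprint in the post above can be turned into an inventory check. This is an added example, not code from the thread or from any project mentioned in it; the function name, the sample second host and the "Nmap scan report" header lines are assumptions made for illustration.

```python
import re

# Constructed sample in nmap's normal output format. The first host reuses
# (abridged) fingerprint lines quoted in the post above; the "Nmap scan report"
# headers and the second host are made up for this example.
SAMPLE = """\
Nmap scan report for 192.168.1.100
80/tcp open  http    Netwave webcam http config
MAC Address: 00:E0:4C:07:EF:53 (Realtek Semiconductor)
Device type: specialized|webcam
OS CPE: cpe:/h:airmagnet:smartedge cpe:/h:foscam:fi8904w cpe:/h:instar:in-3010

Nmap scan report for 192.168.1.20
22/tcp open  ssh     OpenSSH
80/tcp open  http    nginx
Device type: general purpose
OS CPE: cpe:/o:linux:linux_kernel
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s*(.*)$")
CAMERA_BANNER = "netwave webcam"           # service banner seen in the post
CAMERA_CPE_VENDORS = {"foscam", "instar"}  # hardware CPE vendors seen in the post

def find_camera_class_hosts(nmap_text):
    """Map each host that fingerprints like this camera family to its reasons."""
    hits, host = {}, None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        if host is None:
            continue  # ignore anything before the first host header
        m = PORT_RE.match(line)
        if m and CAMERA_BANNER in m.group(2).lower():
            hits.setdefault(host, []).append(f"port {m.group(1)}: {m.group(2).strip()}")
        elif line.startswith("OS CPE:"):
            # cpe:/h:<vendor>:<product> -> keep only hardware CPE vendors
            vendors = {c.split(":")[2] for c in line.split()[2:] if c.startswith("cpe:/h:")}
            matched = sorted(vendors & CAMERA_CPE_VENDORS)
            if matched:
                hits.setdefault(host, []).append("OS CPE vendor: " + ", ".join(matched))
    return hits

if __name__ == "__main__":
    for host, reasons in find_camera_class_hosts(SAMPLE).items():
        print(host, "->", "; ".join(reasons))
```
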

October 23, 2015, 06:14:53 pm
This post has nothing to do with Foscam, it's related to robot.




There are some similarities with some CGI commands for the AC13 Brookstone Rover that exactly match with Foscam MJPEG based IP Cameras CGI commands.

Don
