Open IP Camera Forum

Development => Similar Hardware => Topic started by: ArminTamzarian on February 14, 2012, 02:09:47 pm

Title: AC13 Brookstone Rover
Post by: ArminTamzarian on February 14, 2012, 02:09:47 pm
Hi all.

I have been a proud owner of the off-brand Loftek CXS 2200 and have been happily using it for the past year. I've even written a Chrome extension to act as a monitor to remotely view and control the camera when I am at work with much success- so needless to say I am rather familiar with at least the API for the camera.

Fast forward to last week and I came in possession of a Brookstone Rover (http://www.brookstone.com/rover-remote-control-spy-tank-for-ipad) and, unable to resist, quickly voided the warranty by unscrewing all fasteners and popped the top off. Imagine my surprise to discover that the innards looked almost exactly like that of my Loftek camera! It makes sense though when you consider that the camera platform contains:


So essentially it looks like they are using the camera platform as-is but utilizing the pan/tilt motors to drive the rover using left/right tank-tread style control. Brookstone lists the device as being "Designed and Manufactured by Brookstone and goes by the model number AC13". Upon connecting to the ad-hoc wifi that the rover creates I confirmed this by accessing the
app-specified IP address (http://192.168.1.100) and logging in with user/pass: AC13/AC13. Poking around it is easy to see that the in-built web server responds to the expected decoder_control.cgi, get_camera_params.cgi, camera_control.cgi, etc. and even has the expected misspelling of "Device Embeded(sic) Web UI Version" in the Web UI. However, it does not appear to support the videostream.asf or videostream.cgi URLs.

Obviously no one has the firmware for this device yet, and I have thus far hit a brick wall trying to get any usable information from the Brookstone customer/technical service. However, I would like to be able to start hacking away at this device as soon as possible to accomplish three main goals:


The first should be easy enough once I get my hands on the right battery and charging circuit. However, I will need firmware access to accomplish the others. There is a mysterious 3-pin port on the bottom of the device that Brookstone refuses to acknowledge, but I am thus far unable to determine if it is a serial/JTAG/proprietary port. I have a Bus Pirate on the way from China right now so I should be able to get info on that shortly.

So I guess the long and short of it is this: Does anyone else have any experience with this device? If so any info would be appreciated. The only other place that I can find that has relevant information was in this Android development thread (http://androidcommunity.com/forums/f44/brookstone-rover-app-81730) that documents the binary protocol used. ]However, as I learn more information I will be sure to document it here and any other appropriate location.
Title: Re: AC13 Brookstone Rover
Post by: schufti on February 14, 2012, 04:12:05 pm
how about publishing some pictures from the pcb?
if it's a US based company they should comply with the GPL
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on February 14, 2012, 04:16:59 pm
I will try to get some pictures up tomorrow night. Good call on the GPL compliance, however if they're only leveraging uCLinux and not necessarily modifying any portion of it they shouldn't be required to release any of their custom firmware right? If they're only using tools to host a web interface and proxying communication to a custom handler that should be well within the scope of the GPL.
Title: Re: AC13 Brookstone Rover
Post by: schufti on February 15, 2012, 12:03:24 pm
In general, they are only allowed to keep code secret that was entirely written by them or only uses parts that don't require publishing of source (eg BSD et al).

But it is an old fight, if you have to open your source if it uses a gpl'd library, or is a kerneldriver not running in userspace, etc

But it doesn't excuse them if they buy the camera as "black box" their product is based - allthough only in part - on a part that relies on gpl source ....  but I'm only layman

Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on February 18, 2012, 02:34:59 pm
Sorry for the delay, but here are the pictures and what little information can be gleaned at this time. The entire album of picures can be viewed at the following location: Brookstone AC13 Rover (http://imgur.com/a/50QXS)

Pictures were taken with an iPhone 3S, so quality is not phenomenal. Click on the pictures for a full-sized image.

The virginal unmolested Rover:
(http://i.imgur.com/8A2iol.jpg) (http://imgur.com/8A2io)

The internal components after facing the wrath of the screwdriver and wire cutters:
(http://i.imgur.com/EJkqul.jpg) (http://imgur.com/EJkqu)

A closer image of the main board:
(http://i.imgur.com/02nbdl.jpg) (http://imgur.com/02nbd)

Notes:

A view of the flash ship underneath the wireless module:
(http://i.imgur.com/67Mvel.jpg) (http://imgur.com/67Mve)

A closer view of the top set of interface pads:
(http://i.imgur.com/vI80ul.jpg) (http://imgur.com/vI80u)

A closer view of the middle and bottom set of interface pads:
(http://i.imgur.com/uVZUCl.jpg) (http://imgur.com/uVZUC)

Notes:

A view of the wireless interface module:
(http://i.imgur.com/wggXrl.jpg) (http://imgur.com/wggXr)

Notes:

So this is all the information I have thus far. What do you think? Want any more information that I have access to at this time?

I will be sure to post any more information I can discover as it becomes available.
Title: Re: AC13 Brookstone Rover
Post by: schufti on February 18, 2012, 04:10:56 pm
thanks, nice to see such simple design.

The next step would be dumping the fw and webui to look for modifications ...
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on February 22, 2012, 03:40:08 pm
Yeah. Will do so as soon as my hardware gets here from China. Delivery looks sometime between March 5 and 13  :o Since it looks like the system utilizes the 4MB flash ship that will hopefully give us some much appreciated room to modify and add additional components.

While I wait for that to get here I've been busying myself by working on some utilities to manage WebUI files based on some information found here on the site. Hopefully this will help make things go quickly once I can get a proper firmware dump from the device.
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on March 01, 2012, 02:12:22 pm
Well, I got my stuff and was able to connect to the device. Here is the boot log. Note that after the boot process finishes there is a pause and then it reboots. I think it'll do this until a device connects to its WIFI AP.

Code: [Select]
W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on May 11 2010
Memory Size is 0x1000000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

MAC Address         : 00:00:00:00:00:01
IP Address          : 0.0.0.0
DHCP Client         : Enabled
CACHE               : Enabled
BL buffer base      : 0x00300000
BL buffer size      : 0x00100000
Baud Rate           : 115200
USB Interface       : Enabled
Serial Number       : 0x00BC614E


For help on the available commands type 'h'

Press ESC to enter debug mode ......
Cache enabled!
Processing image 1 ...
Processing image 2 ...
Processing image 3 ...
Processing image 4 ...
Processing image 5 ...
Processing image 6 ...
Processing image 7 ...
Unzip image 7 ...
Executing image 7 ...
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1481 ?? 6?? 15 11:04:25 CST 2011
Processor: Winbond W90N745 revision 1
Architecture: W90N745
On node 0 totalpages: 4096
zone(0): 0 pages.
zone(1): 4096 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0 rw
Calibrating delay loop... 39.83 BogoMIPS
Memory: 16MB = 16MB total
Memory: 14616KB available (1278K code, 206K data, 40K init)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
PTZ Driver has been installed successfully.
Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80000 (irq = 9) is a W90N745
Winbond W90N7451 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
I2C Bus Driver has been installed successfully.
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0E0000-7F172BFF [VIRTUAL 7F0E0000-7F172BFF] (RO)
S29GL032N Flash Detected
01 eth0 initial ok!
which:0
PPP generic driver version 2.4.2
Linux video capture interface: v1.00
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 15
hc_alloc_ohci
usb-ohci.c: AMD756 erratum 4 workaround
hc_reset
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver serial
usbserial.c: USB Serial Driver core v1.4
rtusb init --->
usb.c: registered new driver rt2870
dvm usb cam driver 0.0.0.1 by Maverick Gao in 2010-8-3
usb.c: registered new driver dvm
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
usb.c: registered new driver dvm usb cam driver for sonix288
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 40K
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
Shell invoked to run file: /bin/init
Command: mount -t proc none /proc
Command: mount -t ramfs none /usr
Command: mount -t ramfs none /swap
Command: mount -t ramfs none /var/run
Command: mount -t ramfs none /etc
Command: mount -t ramfs none /flash
Command: mount -t ramfs none /home
Command: mount -t ramfs none /tmp
Command: mkdir /tmp/run
Command: camera&
[8]
Command: sh

Sash command shell (version 1.1.1)
/> new USB device :80fb4004-fed6c0
hub.c: new USB device 2, assigned address 2
new USB device :80fb4604-fed6c0
hub.c: new USB device 1, assigned address 3
probing sonix288 usb camera ...
dvm camera registered as video0
p1[7]:1,j 3,config->bNumInterfaces:4
usbaudio: device 3 audiocontrol interface 2 has 1 input and 0 output AudioStreaming interfaces
usbaudio: valid input sample rate 16000
usbaudio: device 3 interface 3 altsetting 1: format 0x00000010 sratelo 16000 sratehi 16000 attributes 0x01
usbaudio: valid input sample rate 48000
usbaudio: device 3 interface 3 altsetting 2: format 0x00000010 sratelo 48000 sratehi 48000 attributes 0x01
usbaudio: registered dsp 14,35
usbaudio: warning: found 1 of 0 logical channels.
usbaudio: assuming the channel found is the master channel (got a Philips camera?). Should be fine.
usbaudio: registered mixer 14,32
usb_audio_parsecontrol: usb_audio_state at 00ff3b20
params length is 3572
sw version is 1.5.0.0
aw version is 1.1.0.0
video0 opened
5 0
wifi car mode is 1
SIOCSIFFLAGS: Unknown error 1
0x1300 = 00073200
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===255.255.255.255
*args===netmask
*args===eth1
[29]
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===default
*args===gw
*args===eth1
__pthread_initial_thread_bos:294000
manage pid:32
Prepare Audio Buffer
usb.c: USB disconnect on device 2 address 2
RtmpOSNetDevDetach(): RtmpOSNetDeviceDetach(), dev->name=eth1!

Now, as far as dumping the firmware- I have tried many different software packages (screen, kermit, ZTerm, etc...) and many different keys, but when the message "Press ESC to enter debug mode" is displayed nothing I can do seems to force the bootloader into debug mode.

I know that my device is transmitting characters (verified in loopback mode) so I'm not positive what the problem is. Has anyone encountered this before?
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on March 01, 2012, 02:42:39 pm
Nevermind regarding my problem regarding transmitting characters. Turns out I was using the wrong transmit pin on my device...  :-[ *derp*
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on March 01, 2012, 04:20:46 pm
Code: [Select]
Press ESC to enter debug mode .

bootloader > ls -al
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000048 exec:0x7F010000 -af
Image: 7 name:linux base:0x7F020000 size:0x000AE264 exec:0x00008000 -acxz
Image: 6 name:romfs base:0x7F0E0000 size:0x00092C00 exec:0x7F0E0000 -a

So:

ImageBaseSize (Hex)Pages
BOOT INFO0x7F0100000x000000481
linux0x7F0200000x000AE2642786
romfs0x7F0E00000x00092C002348
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on March 01, 2012, 10:05:37 pm
Okay, I was able to get the firmware files from the partitions and have attached them to this post.

Also I went ahead and wrote a conversion utility to convert the dump information to the binary format.

Now to figure out what goodies are contained within...
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on March 02, 2012, 02:27:55 pm
Back again with another installment. This time with both the raw dump from the WebUI memory layout (0x7F200000 - 0x7F2AFFFF) as well as the extracted contents. Enjoy!

Code: [Select]
[13:31:52] asuka:webui$ ls -go *
-rw-r--r--  1    1625 Mar  2 13:14 Factory_light.htm
-rw-r--r--  1    3471 Mar  2 13:14 Factory_mic.htm
-rw-r--r--  1    3066 Mar  2 13:14 Factory_motor.htm
-rw-r--r--  1    3356 Mar  2 13:14 Factory_video.htm
-rw-r--r--  1     797 Mar  2 13:14 acctronfactorytestforac13.htm
-rw-r--r--  1    1256 Mar  2 13:14 admin.htm
-rw-r--r--  1    1048 Mar  2 13:14 admin_content.htm
-rw-r--r--  1    1254 Mar  2 13:14 alias.htm
-rw-r--r--  1    1190 Mar  2 13:14 backup.htm
-rw-r--r--  1     994 Mar  2 13:14 factory.htm
-rw-r--r--  1     372 Mar  2 13:14 index.htm
-rw-r--r--  1     799 Mar  2 13:14 index1.htm
-rw-r--r--  1    1778 Mar  2 13:14 public.js
-rw-r--r--  1     933 Mar  2 13:14 reboot.htm
-rw-r--r--  1     928 Mar  2 13:14 reboots.htm
-rw-r--r--  1    1383 Mar  2 13:14 status.htm
-rw-r--r--  1    3622 Mar  2 13:14 style.css
-rw-r--r--  1    2018 Mar  2 13:14 upgrade.htm
-rw-r--r--  1    1635 Mar  2 13:14 user.htm
-rw-r--r--  1   11009 Mar  2 13:14 wireless.htm

codebase:
total 304
-rw-r--r--  1   155648 Mar  2 13:14 DVM_IPCam2.ocx

english:
total 40
-rw-r--r--  1   20179 Mar  2 13:14 string.js

images:
total 168
-rw-r--r--  1    3516 Mar  2 13:14 alarm.wav
-rw-r--r--  1   11886 Mar  2 13:14 down.bmp
-rw-r--r--  1   11758 Mar  2 13:14 left.bmp
-rw-r--r--  1    5288 Mar  2 13:14 light_down.gif
-rw-r--r--  1    5708 Mar  2 13:14 light_up.gif
-rw-r--r--  1    4193 Mar  2 13:14 mic_down.GIF
-rw-r--r--  1    4634 Mar  2 13:14 mic_up.gif
-rw-r--r--  1   11758 Mar  2 13:14 right.bmp
-rw-r--r--  1   11886 Mar  2 13:14 up.bmp

simple_chinese:
total 40
-rw-r--r--  1   20102 Mar  2 13:14 string.js

Note that I still have not seen hide not hair of the internally referenced CGI scripts (which is really what I was after). Does anyone know where I can find these files on the file system?

Also, here is the info contained within romfs as well for completeness sake with the extracted files attached. Not much but this is all of it:

Code: [Select]
[13:29:57] asuka:romfs_data$ ls -go *
bin:
total 1016
-rwxr-x---  1   76877 Mar  2 12:26 camera
-rwxr-x---  1   40713 Mar  2 12:26 dhcpc
-rwxr-x---  1   44766 Mar  2 12:26 dhcpcd
-rwxr-x---  1   24590 Mar  2 12:26 dhcpd
-rwxr-x---  1     929 Mar  2 12:26 fcc_ce.wlan
-rwxr-x---  1   21610 Mar  2 12:26 ifconfig
-rwxr-x---  1     234 Mar  2 12:26 init
-rwxr-x---  1   38300 Mar  2 12:26 iwconfig
-rwxr-x---  1   33630 Mar  2 12:26 iwpriv
drwxr-x---  6     204 Mar  2 12:26 mypppd
-rwxr-x---  1   28824 Mar  2 12:26 route
-rwxr-x---  1    2048 Mar  2 12:26 rt73.bin
-rwxr-x---  1   31043 Mar  2 12:26 sh
-rwxr-x---  1   48520 Mar  2 12:26 wetctl
-rwxr-x---  1   96327 Mar  2 12:26 wpa_supplicant

dev:
total 0
drwxr-x---  2    68 Mar  2 12:26 pts
drwxr-x---  3   102 Mar  2 12:26 usb

etc:

flash:

home:

proc:

swap:

tmp:

usr:

var:
total 0
drwxr-x---  2   68 Mar  2 12:26 run
Title: Re: AC13 Brookstone Rover
Post by: schufti on March 02, 2012, 03:58:07 pm
it's the "camera" binary that does all the magic. It is init, webserver, cgi, you name it.

Most likely it is a quick 'n' dirty  copy & paste job of mostly open source code parts and should therefor be published but sue the chinese ...
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on March 02, 2012, 04:45:45 pm
Good call. I double checked and after unpacking the executables I was able to extract the following strings:

Code: [Select]
bFLT
VUUU
I,X!
BNEG
.\gfff
gfff
@ #!
@ #!
@ c!
@ c!
video stop
audio stop
host stop
av stop
switch wifi car toy mode
malloc memory error size:%d times:%d !
ifconfig eth1 up
eth1
ifconfig eth1 down
192.168.1.100
255.255.255.0
192.168.1.1
/etc/rt73sta.dat
open /etc/rt73sta.dat error
/etc/RT2870STA.dat
open /etc/RT2870STA.dat error
Adhoc
Infra
[Default]
SSID=%s
NetworkType=%s
Channel=%d
AuthMode=OPEN
EncrypType=NONE
AuthMode=WEPAUTO
EncrypType=WEP
DefaultKeyID=%d
Key1Type=%d
Key2Type=%d
Key3Type=%d
Key4Type=%d
Key1Str=%s
Key2Str=%s
Key3Str=%s
Key4Str=%s
AuthMode=WPAPSK
EncrypType=TKIP
WPAPSK=%s
AuthMode=WPANONE
EncrypType=AES
WPAPSK=%s
AuthMode=WPAPSK
EncrypType=AES
WPAPSK=%s
AuthMode=WPA2PSK
EncrypType=AES
WPAPSK=%s
AuthMode=WPANONE
EncrypType=TKIP
WPAPSK=%s
AuthMode=WPA2PSK
EncrypType=TKIP
WPAPSK=%s
ifconfig eth1
 netmask
route add -net 255.255.255.255 netmask 255.255.255.255 eth1
/etc/dhcpd.conf
subnet %s
/etc/dhcpd.iplist
dhcpd eth1 &
route add default gw
 eth1
/etc/host.conf
open host.conf error
order bind
/etc/resolv.conf
open resolv.conf error
nameserver 202.96.128.166
nameserver 202.96.134.133
nameserver %s
up wireless
[Default]
CountryRegion=5
Channel=0
%s: open /etc/RT2870STA.dat error
do_wifi_scan
%s: ioctl SIOCSIWSCAN failed
%s: ioctl SIOCGIWSCAN failed %d
get_wifi_scan_result
params length is %d
read factory params error !
factory params zone not inited !
factory params zone checksum uncorrect!
can not allocte enough memory for reinit factory zone !
AC13
reinit factory zone error !
read camera params error !
camera params zone not inited !
camera params zone checksum uncorrect!
reinit camera params zone error !
sw version is %s
/proc/flash_4m
aw checksum not correct !
aw not exist !
can not allocte enough memory for read aw!
read aw error !
aw has error format: file is too long
/home
read aw error: can not create file !
aw has error format: filename is too long
aw has error format: size not match %d %d
aw size exceed %d!
aw version is %s
ifconfig lo 127.0.0.1
/dev/video0
open video device error
%d %d
/proc/net/vt6656
/proc/net/zd1211b
/proc/net/rt2571wf
/proc/net/rt3070
can not find wifi network device !
/proc/wau8812
/proc/ac97
/proc/p1_p1
wifi car mode is %d
AC13_%s
restore factory params
write camera params error !
write factory params error !
aw upgrade file has error format !
%s: malloc memory failed
WriteAW
aw upgrade file has error checksum !
encode error
/dev/i2c0
can not open i2c device
write i2c error
read i2c error
get image err
try to reopen video
MO_O
MO_V
GET
POST
?456789:;<=
 !"#$%&'()*+,-./0123
/dev/dsp
open audio device error
/dev/mixer
/dev/dsp0
/dev/mixer0
open mixer device error
/dev/dsp2
/dev/mixer2
create audio msg queue error!
create audio thread error!
audio = 1
audio = 0
speak = 1
speak = 0
audio timeout
create video msg queue error!
create video thread error!
send video msg error!
create av msg queue error!
create host thread error!
create av thread error!
recv a opr video end from client %d
MO_O
MO_I
create socket error !
bind error !
create listen socket error !
listen error !
/home
accept socket error !
255.255.255.255
192.168.1.100
255.255.255.0
192.168.1.1
send av msg error!
send av keep alive
av wait connect timeout %d
av connection %d is disconnected
MO_V
av stop video %d
send audio msg error
av client logon in %d
audio lost 128
av client %d send error %d
%02x
set_param: can not malloc memory
<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
Authorization required.
</BODY></HTML>
HTTP/1.1 401 Unauthorized
Server: Netwave IP Camera
Date: %s
WWW-Authenticate: Basic realm="AC13_%s"
Content-Type: text/html
Content-Length: %d
Connection: close
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: text/plain
Content-Length: %d
Cache-Control: no-cache
Connection: close
<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>%d %s</H4>
</BODY></HTML>
HTTP/1.1 %d %s
Server: Netwave IP Camera
Date: %s
Content-Type: text/html
Content-Length: %d
Connection: close
%a, %d %b %Y %H:%M:%S GMT
process_HTTP_REQ: can not find the first line
Authorization:
Basic
process_HTTP_REQ: Authorization must be Basic
get_auth_info: auth word is too long
Content-Length:
Content-Type:
boundary=
process_HTTP_REQ: can not find the end of http head
post
process_HTTP_REQ: not support this method %s
Not Implemented
Method is not implemented.
process_HTTP_REQ: only support absolute path
Bad Request
Bad filename.
index.htm
.cgi
process_HTTP_REQ: http frame size exceed 8192
process_HTTP_REQ: can not recv total http head
process_HTTP_REQ: head is over 768 bytes. It's Hack attack !!!
Can't parse request.
.ocx
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: application/octet-stream
Content-Length: %d
Connection: close
.exe
.cab
.rar
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: application/rar
Content-Length: %d
Connection: close
.zip
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: application/zip
Content-Length: %d
Connection: close
.css
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: text/css
Content-Length: %d
Cache-Control: private
Connection: close
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: text/javascript
Content-Length: %d
Cache-Control: private
Connection: close
.jpg
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: image/jpeg
Content-Length: %d
Cache-Control: private
Connection: close
.gif
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: image/gif
Content-Length: %d
Cache-Control: private
Connection: close
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: text/html
Content-Length: %d
Cache-Control: private
Connection: close
do_file: can not find file %s
Not Found
File not found.
decoder_control.cgi
decoder control.cgi
wifi_car_control.cgi
camera_control.cgi
get_wifi_link.cgi
restore_factory.cgi
upgrade_firmware.cgi
upgrade_htmls.cgi
get_params.cgi
set_params.cgi
wifi_scan.cgi
get_wifi_scan_result.cgi
check_user.cgi
backup_params.cgi
restore_params.cgi
do_cgi: unknown cgi
user
/proc/net/wireless
eth1
var link_quality=%d;
var signal_level=%d;
var noise_level=%d;
command
next_url
error: illegal params.
param
value
var %s='
sys_ver
app_ver
alias
adhoc_ssid
username
userpwd
var resolution=%d;
mask
gateway
var port=%d;
wifi_ssid
var wifi_encrypt=%d;
var wifi_defkey=%d;
wifi_key1
wifi_key2
wifi_key3
wifi_key4
var wifi_authtype=%d;
var wifi_keyformat=%d;
var wifi_key1_bits=%d;
var wifi_key2_bits=%d;
var wifi_key3_bits=%d;
var wifi_key4_bits=%d;
wifi_wpa_psk
port
resolution
wifi_encrypt
wifi_defkey
wifi_authtype
wifi_keyformat
wifi_key1_bits
wifi_key2_bits
wifi_key3_bits
wifi_key4_bits
reboot
error: this cgi only support post method.
error: illegal file.
/swap/firmware.bin
error: busy, try later.
error: system error, try later.
error: illegal http frame.
error: network error.
var ap_bssid=new Array();
var ap_ssid=new Array();
var ap_mode=new Array();
var ap_security=new Array();
ap_bssid[%d]='%02x%02x%02x%02x%02x%02x';
%s[%d]='
ap_ssid
ap_mode[%d]=%d;
ap_security[%d]=%d;
var ap_number=%d;
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: application/octet-stream
Content-Length: %d
Content-disposition: filename="params.bin"
Connection: close
/dev/ptz0
can not open ptz device !!!
/dev/i2c0
%s: can not open i2c device
_i2c_read
%s: read i2c error
_i2c_write
%s: write i2c error
Not enough memory in %s %d.
Msg.c
Init mutex for msg mutex failed!
Init semphore for msg consumer failed!
Init semphore for msg producer failed!
Not enough memory in %s %d.
Help/C_List.c
***********testsigpipe*************
manage pid:%d
__pthread_initial_thread_bos:%x
********************************
cntpair is %d
*******************l is %x
,`Can not open File :%s
Read Header Failed
Magic %x,Versoin %d
Invalid Magic
Please use 'genbin' to create image file
linux.bin
romfs.img
Malloc %d memory failed
%x :blockSize <=0
Buffer length is less than image_footer->length when read_func==NULL
Block Not Alignment
Write Firmwate Corrupt
image_footer->image_checksum:%x,sum:%x
image_footer->checksum:%x,sum:%x
Buffer length(%d) is less than image_footer->length(%d) when write_func==NULL
Can not find image %d
????
%m/%d/%y
%Y-%m-%d
%H:%M
%H:%M:%S
()*+
,M4.1.0,M10.5.0
/etc/TZ
$VVZ
 $(,048<CJR\eluy}
6<BFKPWair{~
ASCII
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
June
July
August
September
October
November
December
%a %b %e %H:%M:%S %Y
%m/%d/%y
%H:%M:%S
%I:%M:%S %p
^[yY]
^[nN]
(nil)
(null)
hlLq
%n[csoupxXid
/bin/sh
""##$$$%%&&
 +0-#'I
npxXoudifFeEgGaACScs
hlLjztqZ
Unknown error
Success
Operation not permitted
No such file or directory
No such process
Interrupted system call
Input/output error
No such device or address
Argument list too long
Exec format error
Bad file descriptor
No child processes
Resource temporarily unavailable
Cannot allocate memory
Permission denied
Bad address
Block device required
Device or resource busy
File exists
Invalid cross-device link
No such device
Not a directory
Is a directory
Invalid argument
Too many open files in system
Too many open files
Inappropriate ioctl for device
Text file busy
File too large
No space left on device
Illegal seek
Read-only file system
Too many links
Broken pipe
Numerical argument out of domain
Numerical result out of range
Resource deadlock avoided
File name too long
No locks available
Function not implemented
Directory not empty
Too many levels of symbolic links
No message of desired type
Identifier removed
Channel number out of range
Level 2 not synchronized
Level 3 halted
Level 3 reset
Link number out of range
Protocol driver not attached
No CSI structure available
Level 2 halted
Invalid exchange
Invalid request descriptor
Exchange full
No anode
Invalid request code
Invalid slot
Bad font file format
Device not a stream
No data available
Timer expired
Out of streams resources
Machine is not on the network
Package not installed
Object is remote
Link has been severed
Advertise error
Srmount error
Communication error on send
Protocol error
Multihop attempted
RFS specific error
Bad message
Value too large for defined data type
Name not unique on network
File descriptor in bad state
Remote address changed
Can not access a needed shared library
Accessing a corrupted shared library
.lib section in a.out corrupted
Attempting to link in too many shared libraries
Cannot exec a shared library directly
Invalid or incomplete multibyte or wide character
Interrupted system call should be restarted
Streams pipe error
Too many users
Socket operation on non-socket
Destination address required
Message too long
Protocol wrong type for socket
Protocol not available
Protocol not supported
Socket type not supported
Operation not supported
Protocol family not supported
Address family not supported by protocol
Address already in use
Cannot assign requested address
Network is down
Network is unreachable
Network dropped connection on reset
Software caused connection abort
Connection reset by peer
No buffer space available
Transport endpoint is already connected
Transport endpoint is not connected
Cannot send after transport endpoint shutdown
Too many references: cannot splice
Connection timed out
Connection refused
Host is down
No route to host
Operation already in progress
Operation now in progress
Stale NFS file handle
Structure needs cleaning
Not a XENIX named type file
No XENIX semaphores available
Is a named type file
Remote I/O error
Disk quota exceeded
No medium found
Wrong medium type
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

Unpacked camera executable included for those interested. Also, I found what I was looking for. Specifically a cgi to control the rover itself in Factory_motor.htm and verified to be in the camera executable: wifi_car_control.cgi
Title: Re: AC13 Brookstone Rover
Post by: admin on March 04, 2012, 08:38:48 am
Looks exactly the same as the usual firmware too.
Title: Re: AC13 Brookstone Rover
Post by: serosenstein on March 20, 2012, 08:11:40 pm
Hi, this is a great thread! I just got one of the AC13 Rovers and am curious to interact with it from a computer UI and more-so over WAN.  Is there any update on this? I am unsure how to send commands to the wifi_car_control.cgi.  I used the standard format (?command=4, etc.) and netcat to no avail.  I've looked at the RoverOpen Android project and tried to look at some of the source, but am not too familiar with java/C++.

Keep up the good work!
Title: Re: AC13 Brookstone Rover
Post by: mpopovi on March 21, 2012, 05:55:26 pm
Hello, I see that you guys are trying to get into the Foscam (or similar) camera. My colleague and I have tried everything we can think of to try to extract the audio from the camera onto our iphones or androids. We know its in the MO_V, its G.726 but we cannot seem to extract the data. We wiresharked it and still are having a tough time pulling the  audio out. Please HELP!
Title: Re: AC13 Brookstone Rover
Post by: rjordan on March 31, 2012, 02:23:50 pm
I don't know about the rest, but #2 on your list (connect to router) seems to be possible with this url:

http://192.168.1.100/wireless.htm

I've gotten it to connect to my WAP, but it doesn't seem to have an option to enable DHCP.  Has anyone else tried this?
Title: Re: AC13 Brookstone Rover
Post by: serosenstein on April 21, 2012, 02:08:41 pm
Very interesting, I've played around with it and looked at the source on the page and seems there is a ap_mode=infra option.  However, I haven't been able to connect to my AP yet. Any tips?
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on May 30, 2012, 02:13:26 pm
Hi all. Sorry for the near abandonment of the thread. Apparently my subscription to the thread stopped emailing me so I figured there was a notable lack of interest.

Right now I am fed up with the cobbled together nature of the camera application and have started down the road of replacing the main application wholesale with a light HTTP server (lighttpd, klone, etc.) with CGI support and necessary configuration options. To start off I am currently trying to get a cross-compiling environment set up under Arch linux but am running into trouble at the moment.

I have the development SDK installed but am unhappy with the build toolchain it provides, so I will be looking into using standard arm-elf-gcc tools to compile the executables and manually remix the rootfs partition. All told this will take a long time and I haven't a lot of time to devote, but I will update with any progress as well as put any information both here and source on Github.

Let me know if you're interested in this effort.
Title: Re: AC13 Brookstone Rover
Post by: admin on May 30, 2012, 06:18:15 pm
Seeing as its pretty much identical hardware, you may as well look at the existing stuff.

There is a 2.6 kernel, and a 2.4 kernel available, and compile tools + instructions for both.
Those are in the uCLinux forum, and in the wiki.

What SDK do you have?

If its different, suggest PM me, and I'll upload to the files section.
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on May 31, 2012, 03:23:24 pm
Yeah, I ended up reneging on my goals and backtracked into shoehorning the standard W90N745_PR BSP into an Arch Linux install. I was able to get Mathopd (http://www.mathopd.org/) compiled using the ARM tools and I will be looking into reflashing the board with a few more tools in order to run some tests.

I am interested in getting a more recent kernel on the board than the standard 2.4 that comes with the BSP, but from what I can see on the forums so far the 2.6 and 3.0 kernels are currently having trouble with the wireless. Unfortunately this is a showstopper for me as this board does not appear to have an ethernet connection on it and I will need the wireless to be functional in order to communicate with it remotely.

I will report back with any more successes.
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on June 06, 2012, 06:10:17 pm
Progress is slow due to both my lack of knowledge and the available tools for OSX. One problem is the issue of finding a terminal program that has proper XMODEM send support- as most have already discovered the best bet is using minicom or ckermit with lrzsz which is itself properly borked due to flushing issues.

Oh a whim I went ahead and whipped up a quick XMODEM/XMODEM-CRC implementation in Python based off of pySerial and can be accessed/forked at https://github.com/ArminTamzarian/txmodem (https://github.com/ArminTamzarian/txmodem). I can now upload to the rover's memory space using the non-invasive mx 0x8000 but all I end up with so far is a g 0x8000 execution that can only be described as a giant ball of crashfail or silenthang.

So now it's a matter of backing things out and getting to a mode where I can upload and execute something useful before forging too much further ahead. More updates as they come...
Title: Re: AC13 Brookstone Rover
Post by: slarti on July 01, 2012, 01:32:05 pm

Hi,

  • The power leads are connected directly from the battery compartment (6AA -> ~9.0V) and soldered onto the main board instead of using a plug or connector. >:( Also, I didn't look too closely but I did not notice any power regulation circuity, so be careful what you feed this device.

The switching regulator is nearby the elkos. The elkos themself and the coil are part of the 3.3V regulation circuit.

  • There is a decent amount of space in the shell behind the battery compartment. Probably enough to hold a properly size Li-Po battery cell and charging circuitry.

The space is definitely big enough to keep 3*2 flat Li-Ion cells. I added an additional regulator for reducing the voltage to ~10V to prevent the motor drivers from to high currents. This is located on the left motor/gear-block. The battery spce is now to hold the cables for charging the Li-Ion cells with an external RC-charger.

BR,

slarti
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on July 01, 2012, 03:40:31 pm
Thanks for the info slarti. Didn't get too much of a chance to trace a lot so good find on the regulator. Do you have any pics of the guts with the batteries in place and additional regulators? Would be nice to get a schematic with pins specified along with part lists for others looking to mod in this same fashion.

What li-ion cells are you using or are you just leveraging a standard rc batter pack with normal connector and charger?
Title: Re: AC13 Brookstone Rover
Post by: admin on July 06, 2012, 12:07:32 am
I used mathopd too :)

Actually compiling tips for that are in the forum.

I'm working on the 2.4 side a bit more these days, as I hired a student developer to work on things.
I think I'm learning more about how much I actually know showing him the ropes, so thats good :)

Right now doing some GPIO related stuff, I'll probably release that soonish up on github, as its generically useful.

Also looks like I'm finally getting compatible with the "original" linux image, as I can get everything up using that now with my own binaries finally.  Took me a while, and quite a bit of tracing through disassembler though :)

Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on July 06, 2012, 08:16:04 am
I used mathopd too :)

Actually compiling tips for that are in the forum.

Hah! Never thought to do a search on the forum for that specific software. Although now I see that multiple people have come to the conclusion that mathopd is a good solution for the web server side of things, so I guess we've all independently verified its usefulness. I think I already have it compIling to a useful state, but when I get some time I will actually try uploading it to the rover and see his it performs. However, part of that will require getting the wireless networking functioning with my router. So small steps.

Good to we are all in the same page thought will be very interested in the code for the GPIO as I will need to use that via cgi for wheel control.
Title: Re: AC13 Brookstone Rover
Post by: nanunh on August 10, 2012, 11:53:16 am
Armin and others - great job with this thread. :) Just saw it today and I love it... ;D

I worked on decoding the binary communication protocol described on the android forum and now look fwd to diving deeper with renewed enthusiasm.

My goal is to have complete control over the AC13 and the ArDrone and them making them talk to each other someday - hardware wise they both are very similar technically - except one is a ground vehicle and the other flys!!!
Title: Re: AC13 Brookstone Rover
Post by: webhansen on August 29, 2012, 03:43:46 pm
I came across your project and wanted to ask a couple of questions... I have the AC13 rover also and have pulled it apart to use it in another project.  It is working great!  I'm not experienced with modifying code, electronics, etc.  Mechanical modifications are easy though.  I have two questions...

1)can the Loftek camera be used to make a "rover"?  Actually, can I use either of the motors that pan and tilt to turn a single wheel, or could the control signal for pan or tilt be used to run a new servo or stepper motor? 

2)can the Loftek camera connect directly to a device like a smart phone without going through the internet (like the rover does)?

Sorry for the really basic questions.  I can't afford to waste money on a camera that I can't use.

My project...
I need to find a way to view camera feed and turn a simple wheel when I'm out in the middle of no where without internet connectivity (I'd still have access to my smart phone's wifi capability though, just no network to connect to unless the camera broadcasts one).  I can do this using the AC13 parts, but I'm trying to build a second cheap prototype with parts that are readily available and relatively cheap (less than the rover).  I don't have experience to write my own android or iphone app or to alter code or scripts.  I'd be willing to pay someone that could create this type of system for me though.  I know I could do the same type of thing using an RF camera and monitor and an R/C RF receiver to run a servo, but that would require an R/C controller.  Using a smart phone is much easier - no need for another "monitor" or controller.  I'm making something that my brother needs to be able to use out on the farm (no cell coverage).  He has a smart phone and an ipod touch, but not R/C stuff.

Thanks for any help you can give!
Title: Re: AC13 Brookstone Rover
Post by: nanunh on September 13, 2012, 10:36:09 am
Admin, Armin Tamzarian,

Would be grateful if you could please provide information on which port/connector on the ac13 was used with the Bus Pirate and what protocol was used to extract info? I have some cycles to dig into other stuff that may be of interest.

Webhansen,

My interpretation of Armin's first post is that AC13 is basically a clever copy of the Loftex camera to drive left/right motors instead of tilt/pan motors. All inside a new tank casing. So you could theoretically convert the ac13 to an ip webcam and webcam to a tank :)


Thx, nanu
Title: Re: AC13 Brookstone Rover
Post by: ArminTamzarian on September 13, 2012, 12:08:53 pm
Would be grateful if you could please provide information on which port/connector on the ac13 was used with the Bus Pirate and what protocol was used to extract info? I have some cycles to dig into other stuff that may be of interest.

I just interfaces with the serial port that was on the underside of the rover. It's the only 3 pin connector so it was kind of hard to not miss. I just set the Bus Pirate to UART, 115200/8/N/1, Idle 1, Normal. then I set it to Transparent Bridge using the (1) macro, let the Bus Pirate reset into that mode, and then fired up the rover and went to town.

Here is a shot of the rover hooked up to my BP with a note on the colorings and to which they are hooked up. Note that depending on your version of the BP and the coloring scheme of your wiring harness your connection may differ. Just refer to which pins are TX/RX/GND for your BP's UART mode.

(http://i.imgur.com/yI9Fxl.jpg) (http://imgur.com/yI9Fx)

My interpretation of Armin's first post is that AC13 is basically a clever copy of the Loftex camera to drive left/right motors instead of tilt/pan motors. All inside a new tank casing. So you could theoretically convert the ac13 to an ip webcam and webcam to a tank :)

This is 100% correct. :) Just replace the term "Loftek" with "Nuvoton" (since if I understand correctly that is the parent company providing the camera hardware to the cloning agencies). It's all just PWM motor control without the limit switches that are present on the cameras.
Title: Re: AC13 Brookstone Rover
Post by: nanunh on September 13, 2012, 11:15:05 pm
Hi Armin,

Thanks a ton for posting details on the Bus Pirate wiring! I will try that out after getting my setup ready. In the mean time I looked through the files that have uploaded

1.camera.unz.tar - untars to camera.unz
2.dump_to_binary.py.tar - untars to a python file
3.firmware.tar - untars to three files Boot_info, linux and romfs
4.romfs.tar - untars to linux directory structure
5.webui.bin.tar - untars to webui.bin
6.webui.tar - untars to a www kind of directory

After untarring the files, I found webui.tar and romfs.tar to have some readily understandable content. Are the other files just raw content extracted from the flash device? And what is the dump_to_binary python files used for? I also couldn't find any cgi files -

Thx once again!

PS: The ArDrone from Parrot may also be having the same kind of hardware and software - if you are interested in hacking that let me know - I may have a spare one...
Title: Re: AC13 Brookstone Rover
Post by: Juddy on December 26, 2012, 11:14:16 pm
Hi guys!

For Christmas I received an AC13, and sure enough 24 hours later I've pulled it a part.

My question is, I've got 4, 9.6 volt 750mHa NiCad batteries. Do you seen any problems with me putting these in parallel and running the rover off of them?

Also anyluck on extending the range of the rover??? I only get 30feet! And that's even at night out doors!

I'm also thinking of playing around with the motors and replacing them with something bigger.... Ideas????
Title: Re: AC13 Brookstone Rover
Post by: ralim on February 04, 2013, 09:39:07 pm
Hello,
I bought one of these rovers in Australia from JayCar http://www.jaycar.com.au/productView.asp?ID=GT3598 (http://www.jaycar.com.au/productView.asp?ID=GT3598).

However this rover does not work with rover open / any resources i can find except the iPhone app.
I have captured network data between it and the phone if anyone knows how to go about decoding it :|
I have tried a few times to work on this and every time i get stonewalled by not knowing as much as i would like.. I am attempting to write a C# library for the rover for future hacking, and not being able to talk to it and gain video is really annoying (i can do movements using the commands from the debug website)...

Thanks,
Ralim
Title: Re: AC13 Brookstone Rover
Post by: ntc490 on February 10, 2013, 10:16:52 pm
Great info guys.  I stumbled across your thread while doing my own teardown on wikipedia.  Check out http://techbloginator.wordpress.com/2013/02/09/spytank-teardown/.  Looks like a couple of guys leaving comments there might be able to help.  I'm getting more and more tempted to dive in with both feet.

Although I have the newer version of the Rover it looks extremely similar.  I'll post back if we find out anything substantial.  For now it's mostly pics and a few ideas on how the circuit breaks down.
Title: Re: AC13 Brookstone Rover
Post by: ralim on February 14, 2013, 10:01:13 pm
ntc, nice Teardown :)
My unit seems to be a mix of two here, it has similar logic internally to yours (same boards) but i am missing the stepper to raise / lower the camera... :S

Please, if anyone knows anything about getting the images off these newer ones i would really appreciate it :) [I have network packets logged etc, just dont know how to go from those -> working code..]

If that makes any sense..

Thanks,
Ralim 
Title: Re: AC13 Brookstone Rover
Post by: robot83 on September 03, 2013, 04:43:59 pm
Hi guys,
First of all thanks for this post, you did a great job!

I bought last week a "Logicom Spy C Tank" and tried to control it from my computer. The good news is that it looks very similar to Brookstone rover (the official android application's code is almost the same as the one for Brookstone Rover).

I tried to control my robot by sockets via the protocol MO_O or MO_V but it's really hard to figure out the array of bytes I have to send especially when I try to "login" (heading: MO_O, operation: 2). It seems that there is a blowfish encryption which makes thing complicated, basically it's not always the same byte array which are sent for "authentification" (in addition I am more C# developper and not Java)..so as you probably understood, no success.. :( 

However, the following cgi commands works very well:
http://192.168.1.100/decoder_control.cgi
http://192.168.1.100/wifi_car_control.cgi

I can thus control the robot and move its camera however (same for Rover) the streaming command is not supported. (ex: videostream.asf, videostream.cgi or even snapshot.cgi)

Has anyone managed to find a way to get the camera streaming (or a snapshot) via this kind of webservice?
Title: Re: AC13 Brookstone Rover
Post by: ralim on September 03, 2013, 07:35:07 pm
Hi guys,
First of all thanks for this post, you did a great job!

I bought last week a "Logicom Spy C Tank" and tried to control it from my computer. The good news is that it looks very similar to Brookstone rover (the official android application's code is almost the same as the one for Brookstone Rover).

I tried to control my robot by sockets via the protocol MO_O or MO_V but it's really hard to figure out the array of bytes I have to send especially when I try to "login" (heading: MO_O, operation: 2). It seems that there is a blowfish encryption which makes thing complicated, basically it's not always the same byte array which are sent for "authentification" (in addition I am more C# developper and not Java)..so as you probably understood, no success.. :( 

However, the following cgi commands works very well:
http://192.168.1.100/decoder_control.cgi
http://192.168.1.100/wifi_car_control.cgi

I can thus control the robot and move its camera however (same for Rover) the streaming command is not supported. (ex: videostream.asf, videostream.cgi or even snapshot.cgi)

Has anyone managed to find a way to get the camera streaming (or a snapshot) via this kind of webservice?

Hi,
There seems to be many many variants of this model..
i discovered the same issue with finding a stream from the camera, there is a python script floating around the 'net that attempts to read from the camera. I had issues with it not working with my model, but perhaps you can have success with it?
It appears the tank only sends images when you request them and doesnt actually "stream" them ??

Thanks,
Ralim
Title: Re: AC13 Brookstone Rover
Post by: robot83 on September 05, 2013, 04:34:44 pm
Hi Ralim,

Thanks for your reply! I checked this python script..unfortunately it seems that it has been done for the rover 1.0 where login request (through MO_O/MO_V bytes protocol) is not complicated as for rover 2.0 or SpyCTank, i.e. it does not go to this blowfish encryption and all these mess...

I am now trying to play with DVM_IPCam2.ocx that you can find in the WebUI (192.168.1.100/codebase/DVM_IPCam2.ocx). I just tried to reference this library in my .NET project, unfortunately I get nice COM exception for the time beiing..

It looks like I will have to come back on network traffic analysis in order to find the logic to create the protocol.. :(

I let you know if I manage to do something (looks like it will take time...)
Title: Re: AC13 Brookstone Rover
Post by: ralim on September 05, 2013, 08:24:13 pm

Hi, robot83…
Ah, could it be this basic system underneath the blowfish?
Could you upload that ocx file somewhere? I'll have a toy with it too if you want :)
Also have you tried disassembling the file to gleam insight?

Maybe doing a network capture over a long period of time and hunting for patterns in the encryption? (Haven't done much work on network analysis sadly)…

- Ralim
Hi Ralim,

Thanks for your reply! I checked this python script..unfortunately it seems that it has been done for the rover 1.0 where login request (through MO_O/MO_V bytes protocol) is not complicated as for rover 2.0 or SpyCTank, i.e. it does not go to this blowfish encryption and all these mess...

I am now trying to play with DVM_IPCam2.ocx that you can find in the WebUI (192.168.1.100/codebase/DVM_IPCam2.ocx). I just tried to reference this library in my .NET project, unfortunately I get nice COM exception for the time beiing..

It looks like I will have to come back on network traffic analysis in order to find the logic to create the protocol.. :(

I let you know if I manage to do something (looks like it will take time...)
Title: Re: AC13 Brookstone Rover
Post by: contra on September 19, 2013, 01:07:49 am
Hello everyone -

I've been using information from this thread to assist me in writing a client library in Node.JS. The code is here https://github.com/wearefractal/rover and completely open source. I have also compiled some research and firmware files from here and other sites. Feel free to fork it, open issues, etc.

So far it can do everything but receive video and output audio to the speakers. This has only been tested on the 2.0 Rover. I am working on the wire protocol and will add more features when that happens.
Title: Re: AC13 Brookstone Rover
Post by: contra on September 23, 2013, 06:52:04 pm
Hi again -

I have reverse engineered the android APK and got the source code for the command encoder.

https://gist.github.com/Contra/6678097

This should shed a lot of light on how the commands are generated and parsed.
Title: Re: AC13 Brookstone Rover
Post by: ivanf on March 27, 2014, 06:13:51 am
Hi

I was wondering if anyone has any idea / walk-through in terms of you can connect this to the router and and use it through the web if possible.

Also is it possible to set a wi-fi password for the robot? It's pretty insecure as your neighbors can spy in your house if they just connect to its open wifi it and use the app..

Thanks
Title: Re: AC13 Brookstone Rover
Post by: diefldrmas on June 28, 2014, 09:42:35 pm
Has anyone notice this looks like the old Foscam software, also when I did an NMAP on the device I got this back.

80/tcp open  http    Netwave webcam http config
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:E0:4C:07:EF:53 (Realtek Semiconductor)
Device type: specialized|webcam
Running: AirMagnet Linux 2.4.X, Foscam Linux 2.4.X, Instar Linux 2.4.X
OS CPE: cpe:/h:airmagnet:smartedge cpe:/h:foscam:fi8904w cpe:/h:foscam:f18910w cpe:/h:foscam:f18918w cpe:/h:instar:in-3010
OS details: AirMagnet SmartEdge wireless sensor; or Foscam FI8904W, FI8910W, or FI8918W, or Instar IN-3010 surveillance camera (Linux 2.4)

My guess they are using the same commands that move the PTZ to move the rover. Also wow-wee rovio runs FOSCAM software.
Title: Re: AC13 Brookstone Rover
Post by: TheUberOverLord on October 23, 2015, 06:14:53 pm
This post has nothing to do with Foscam, it's related to robot.




---------------------------------
Notice, our smart IP cameras no longer uses 2CU App, we developed CoT Pro (http://www.cotapp.net) App.

There are some similarities with some CGI commands for the AC13 Brookstone Rover that exactly match with Foscam MJPEG based IP Cameras CGI commands.

Don

---------------------------------

Live Real-Time Demos Of Using Any IP Cameras in websites and web pages: Click Here (http://107.170.59.150/)