The first part of the drone I took apart was the camera. It is a complete Linux machine based on the HiSilicon Hi3518 ARM SoC, a chip that usually finds a home in IP webcams, together with a USB-connected WiFi module and a 4-wire connection to the drone itself. It was fairly easy to figure out that two wires were power (GND and 3.3 V), one wire was a GPIO trigger from the drone (driven via its dedicated remote control to take a picture or start a video) and one wire carried control data from the app to the drone itself. I initially assumed that data was traditional PPM, but later analysis showed it was a serial stream. I also found two test points which I correctly surmised were a serial port, and was rewarded with 115,200 baud 8N1 goodness when they were connected to a 3.3 V FTDI FT230X USB-serial interface.
It seems that this board is essentially a webcam with an additional process added to allow it to control a quadcopter. This chip is used in a lot of "cheap" webcams that have plenty of known weaknesses, including hard-wired login credentials. I found lists of username/password combinations online that various security researchers had recovered from a lot of products. I tried them all without any success. It turns out that the ProMark people are a little more security conscious, but I didn't know that at this point in the reverse engineering process.
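Trying a list of leaked username/password pairs by hand at a 115200 8N1 console is tedious, so here is an added example (not the author's code, and not the lists they used) that walks the BusyBox login prompt automatically. It assumes a pyserial-compatible port object (a blocking read(n) that returns b"" on timeout, plus write(bytes)), such as serial.Serial("/dev/ttyUSB0", 115200, timeout=0.2); the prompts it looks for are the ones this board prints ("ipcam login:", "Password:", "Login incorrect" and a shell prompt). The candidate list and the FakeConsole class are constructed for the demonstration so it runs offline.

```python
"""Drive a BusyBox-style serial login prompt with a list of candidate credentials."""
import re
import time

# Constructed candidate list for the demonstration; these are not credentials
# taken from the page or from any published research on this board.
CANDIDATES = [("root", ""), ("root", "root"), ("admin", "admin")]

LOGIN = re.compile(rb"login:\s*$")          # "ipcam login: "
PASSWORD = re.compile(rb"[Pp]assword:\s*$")
SHELL = re.compile(rb"[#$]\s*$")            # a shell prompt means we are in
FAILED = re.compile(rb"Login incorrect")


def read_until(port, patterns, timeout=3.0):
    """Collect bytes until one of `patterns` matches the buffer.

    Returns (index_of_matching_pattern, buffer); the index is None on timeout.
    Patterns are tried in order after every chunk, so list the one you expect
    first (e.g. FAILED before SHELL).
    """
    buf = b""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        chunk = port.read(64)
        if not chunk:
            time.sleep(0.01)  # a real pyserial port already waited out its timeout
            continue
        buf += chunk
        for i, pat in enumerate(patterns):
            if pat.search(buf):
                return i, buf
    return None, buf


def try_logins(port, candidates, timeout=3.0):
    """Return the first (user, password) pair that reaches a shell prompt, else None."""
    port.write(b"\n")            # wake the console and force a fresh login prompt
    need_prompt = True
    for user, password in candidates:
        if need_prompt:
            idx, _ = read_until(port, [LOGIN], timeout)
            if idx is None:
                raise RuntimeError("no login prompt: check baud rate, TX/RX swap and ground")
        port.write(user.encode() + b"\n")
        idx, _ = read_until(port, [PASSWORD, SHELL], timeout)
        if idx == 1:
            return user, ""      # account with no password at all
        if idx is None:
            port.write(b"\n")    # desynchronised; provoke a new prompt
            need_prompt = True
            continue
        port.write(password.encode() + b"\n")
        idx, buf = read_until(port, [FAILED, SHELL], timeout)
        if idx == 1:
            return user, password
        # BusyBox prints "Login incorrect" and, after a delay, prompts again;
        # the new prompt may already be in the buffer we just read.
        need_prompt = not LOGIN.search(buf)
    return None


class FakeConsole:
    """Offline stand-in for serial.Serial that mimics BusyBox login on the board.

    Constructed for the demonstration; `valid` maps user -> password, and an
    empty password means the account logs in without being asked for one.
    """

    def __init__(self, valid, banner=b"Welcome to IPCAM\nipcam login: "):
        self.valid = valid
        self.out = bytearray(banner)
        self.user = None

    def read(self, n):
        chunk = bytes(self.out[:n])
        del self.out[:n]
        return chunk

    def write(self, data):
        line = data.rstrip(b"\r\n").decode()
        if self.user is None:
            if line == "":
                self.out += b"ipcam login: "
            elif self.valid.get(line) == "":
                self.out += b"# "
            else:
                self.user = line
                self.out += b"Password: "
        else:
            ok = self.valid.get(self.user) == line
            self.user = None
            self.out += b"# " if ok else b"Login incorrect\n\nipcam login: "
        return len(data)


if __name__ == "__main__":
    import sys
    import serial  # pyserial; pip install pyserial
    with serial.Serial(sys.argv[1], 115200, timeout=0.2) as port:
        print(try_logins(port, CANDIDATES))
```

Two practical points the loop handles: BusyBox re-prompts a second or two after "Login incorrect", so the code waits for the next "login:" rather than blindly typing, and an account with an empty password drops straight to a shell without a "Password:" prompt, which is why both prompts are checked after the username.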
Interesting aside: the board draws 300-400 mA at 3.3 V when no one is connected, around 500 mA when someone is connected, and above 600 mA when streaming video.
U-Boot 2010.06 (Jul 26 2016 - 01:40:47)

Check spi flash controller v350... Found
Spi(cs1) ID: 0xEF 0x40 0x17 0x00 0x00 0x00
Spi(cs1): Block:64KB Chip:8MB Name:"W25Q64FV"
In:    serial
Out:   serial
Err:   serial
uboot version:2.0.2
Hit any key to stop autoboot:  1 ... 0
Booting from SPI Flash...
8192 KiB hi_sfc at 0:0 is now current device
## Booting kernel from Legacy Image at 81000000 ...
   Image Name:   Linux-3.0.8
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1723048 Bytes = 1.6 MiB
   Load Address: 80008000
   Entry Point:  80008000
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Linux version 3.0.8 (root@hiber) (gcc version 5.2.0 (Buildroot 2015.11.1) ) #4 Thu Aug 25 05:42:37 EDT 2016
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: hi3518
Memory policy: ECC disabled, Data cache writeback
AXI bus clock 200000000.
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 10160
Kernel command line: mem=40M mmz=24M console=ttyAMA0,115200n8 mtdparts=hi_sfc:512k(uboot)ro,256k(uboot-env),256k(mfd),3m(kernel),4m(rootfs) hieth.mdioifu=1 hieth.mdioifd=1 hieth.phyaddru=0 hieth.phyaddrd=1 root=/dev/mtdblock4 rootfstype=squashfs,jffs2
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 40MB = 40MB total
Memory: 35852k/35852k available, 5108k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    DMA     : 0xffc00000 - 0xffe00000   (   2 MB)
    vmalloc : 0xc3000000 - 0xfe000000   ( 944 MB)
    lowmem  : 0xc0000000 - 0xc2800000   (  40 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .init : 0xc0008000 - 0xc0027000   ( 124 kB)
      .text : 0xc0027000 - 0xc044b000   (4240 kB)
      .data : 0xc044c000 - 0xc047d740   ( 198 kB)
       .bss : 0xc047d764 - 0xc0496d70   ( 102 kB)
SLUB: Genslabs=13, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128 nr_irqs:128 128
sched_clock: 32 bits at 100MHz, resolution 10ns, wraps every 42949ms
Calibrating delay loop... 218.72 BogoMIPS (lpj=1093632)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
devtmpfs: initialized
NET: Registered protocol family 16
Serial: AMBA PL011 UART driver
uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 5) is a PL011 rev2
console [ttyAMA0] enabled
uart:1: ttyAMA1 at MMIO 0x20090000 (irq = 5) is a PL011 rev2
bio: create slab at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource timer1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2. (NAND) .. 2001-2006 Red Hat, Inc.
fuse init (API version 7.16)
msgmni has been set to 70
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered (default)
io scheduler cfq registered
brd: module loaded
Spi id table Version 1.22
Spi(cs1) ID: 0xEF 0x40 0x17 0x00 0x00 0x00
SPI FLASH start_up_mode is 3 Bytes
Spi(cs1): Block:64KB Chip:8MB Name:"W25Q64FV"
spi size: 8MB
chip num: 1
5 cmdlinepart partitions found on MTD device hi_sfc
Creating 5 MTD partitions on "hi_sfc":
0x000000000000-0x000000080000 : "uboot"
0x000000080000-0x0000000c0000 : "uboot-env"
0x0000000c0000-0x000000100000 : "mfd"
0x000000100000-0x000000400000 : "kernel"
0x000000400000-0x000000800000 : "rootfs"
Fixed MDIO Bus: probed
himii: probed
RTL871X: module init start
RTL871X: rtl8188eu v4.3.24_16705.20160509
RTL871X: build time: Aug 25 2016 05:41:55
usbcore: registered new interface driver rtl8188eu
RTL871X: module init ret=0
usbmon: debugfs is not available
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
hiusb-ehci hiusb-ehci.0: HIUSB EHCI
hiusb-ehci hiusb-ehci.0: new USB bus registered, assigned bus number 1
hiusb-ehci hiusb-ehci.0: irq 15, io mem 0x100b0000
hiusb-ehci hiusb-ehci.0: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
hiusb-ohci hiusb-ohci.0: HIUSB OHCI
hiusb-ohci hiusb-ohci.0: new USB bus registered, assigned bus number 2
hiusb-ohci hiusb-ohci.0: irq 16, io mem 0x100a0000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
sp805-wdt dev:wdog: registration successful
TCP cubic registered
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
registered taskstats version 1
VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
devtmpfs: mounted
Freeing init memory: 124K
usb 1-1: new high speed USB device number 2 using hiusb-ehci
bFWReady == _FALSE call reset 8051...
mount: mounting devtmpfs on /dev failed: Device or resource busy
Starting logging: RTL871X: hal_com_config_channel_plan chplan:0x08
RTL871X: rtw_ndev_init(wlan0) if1 mac_addr=00:0a:e2:1f:49:59
OK
Starting mdev...
Starting watchdog...
read-only file system detected...done
Starting himpp: Hisilicon Media Memory Zone Manager
hi3518_base: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
Hisilicon UMAP device driver interface: v3.00
pa:82800000, va:c3240000
load sys.ko ...OK!
load viu.ko ...OK!
ISP Mod init!
load vpss.ko ....OK!
load venc.ko ...OK!
load group.ko ...OK!
load chnl.ko ...OK!
load h264e.ko ...OK!
load jpege.ko ...OK!
load rc.ko ...OK!
load region.ko ....OK!
load vda.ko ....OK!
hi_i2c init is ok!
acodec inited!
insert audio
==== Your input Sensor type is gc1014 ====
OK
Starting system message bus: done
Starting hostapd: crc0_ok=1 crc1_ok=1
crc0_ok=1 crc1_ok=1
crc0_ok=1 crc1_ok=1
OK
Starting network...
==> rtl8188e_iol_efuse_patch
ADDRCONF(NETDEV_UP): wlan0: link is not ready
RTL871X: assoc success
ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Starting httpd: OK
Starting udhcpd: OK
Starting led-status: OK
Starting live-streamer: OK
Starting aircraft-ctl: OK

Welcome to IPCAM
ipcam login:
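The most useful security facts in that log are the flash layout (mtdparts=hi_sfc:512k(uboot)ro,256k(uboot-env),256k(mfd),3m(kernel),4m(rootfs) on an 8 MB W25Q64FV) and root=/dev/mtdblock4 with a read-only squashfs: with the login prompt refusing known credentials, the next step is to read the SPI flash and carve the root filesystem out of the dump to look for the password hashes and the aircraft-ctl / live-streamer binaries. The following is an added example, not the author's code: it parses the mtdparts= argument exactly as the kernel's cmdlinepart driver does (size[@offset](name)[ro], with "-" meaning "the rest of the chip"), maps root=/dev/mtdblockN to a partition name, and slices one partition out of a whole-chip dump, sanity-checking the first bytes. The command line and chip size are copied from the log; the dump file name in the usage section is an assumption.

```python
"""Turn the mtdparts= kernel argument into byte offsets and carve a partition out
of an SPI-flash dump."""
import re
import sys

# Copied from the "Kernel command line:" line of the boot log above.
CMDLINE = (
    "mem=40M mmz=24M console=ttyAMA0,115200n8 "
    "mtdparts=hi_sfc:512k(uboot)ro,256k(uboot-env),256k(mfd),3m(kernel),4m(rootfs) "
    "hieth.mdioifu=1 hieth.mdioifd=1 hieth.phyaddru=0 hieth.phyaddrd=1 "
    "root=/dev/mtdblock4 rootfstype=squashfs,jffs2"
)
CHIP_SIZE = 8 * 1024 * 1024  # "Spi(cs1): Block:64KB Chip:8MB Name:"W25Q64FV""

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# One cmdlinepart entry: <size>[@<offset>](<name>)[ro][lk]; a size of "-" means "the rest".
PART_RE = re.compile(r"(-|\d+)([kmgKMG]?)(?:@(\d+)([kmgKMG]?))?\(([^)]*)\)(ro)?(lk)?")


def parse_mtdparts(cmdline, chip_size=None):
    """Return (mtd_device, [partition dicts]) with absolute byte offsets filled in.

    Partitions without an explicit @offset follow the previous one, as in the kernel.
    If chip_size is given, the layout is checked against it.
    """
    m = re.search(r"mtdparts=(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= on the kernel command line")
    device, spec = m.group(1).split(":", 1)
    parts, cursor = [], 0
    for item in spec.split(","):
        pm = PART_RE.fullmatch(item)
        if not pm:
            raise ValueError(f"cannot parse partition {item!r}")
        size_s, size_u, off_s, off_u, name, ro, _lk = pm.groups()
        if off_s is not None:
            cursor = int(off_s) * UNITS[off_u.lower()]
        if size_s == "-":
            if chip_size is None:
                raise ValueError("a '-' size needs the chip size to resolve")
            size = chip_size - cursor
        else:
            size = int(size_s) * UNITS[size_u.lower()]
        parts.append({"index": len(parts), "name": name, "offset": cursor,
                      "size": size, "readonly": ro == "ro"})
        cursor += size
    if chip_size is not None and cursor > chip_size:
        raise ValueError(f"partitions end at {cursor:#x}, beyond the {chip_size:#x}-byte chip")
    return device, parts


def root_partition(cmdline, parts):
    """Map root=/dev/mtdblockN to the partition that index names."""
    m = re.search(r"root=/dev/mtdblock(\d+)", cmdline)
    if not m:
        raise ValueError("root= is not an mtdblock device")
    return parts[int(m.group(1))]


def magic_of(data):
    """Identify a carved partition by its first bytes (little-endian ARM)."""
    if data[:4] == b"hsqs":
        return "squashfs"
    if data[:4] == b"\x27\x05\x19\x56":
        return "uImage"  # U-Boot legacy image header, as in "Booting kernel from Legacy Image"
    if data[:2] == b"\x85\x19":
        return "jffs2"
    return "unknown"


def carve(dump, part):
    """Slice one partition out of a whole-chip dump, refusing a dump that is too short."""
    end = part["offset"] + part["size"]
    if end > len(dump):
        raise ValueError(f"{part['name']} ends at {end:#x} but the dump is only {len(dump):#x} bytes")
    return dump[part["offset"]:end]


if __name__ == "__main__":
    # Assumed usage: python3 mtdparts.py flash_dump.bin   (whole-chip read of the W25Q64FV)
    dump = open(sys.argv[1], "rb").read()
    device, parts = parse_mtdparts(CMDLINE, CHIP_SIZE)
    for p in parts:
        blob = carve(dump, p)
        print(f"mtd{p['index']} {p['name']:<10} {p['offset']:#010x} {p['size']:#010x} {magic_of(blob)}")
        open(f"{p['name']}.bin", "wb").write(blob)
    print("root is", root_partition(CMDLINE, parts)["name"])
```

Two things worth checking with this before unpacking anything: the computed partition boundaries must match the "Creating 5 MTD partitions" lines in the log (they do, ending exactly at 0x800000), and the carved rootfs should start with the squashfs "hsqs" magic; if it does not, the dump is offset or the chip was read in the wrong mode, not a different layout.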