# ACTIONPRO X7

## Research

### Hardware

* SOC: `Ambarella, A7L-B1-RH, A1402, N6T96-AN8, 1N1`
* WiFi: `Atheros AR6103G-BM2D, P0BV68.2BE5, P0BV68.2B, 1441`
* Flash: `ATO, 1440N, MST5F08G16G, NH-2106, 5FGHG46V17W`

**USB Details**

```
Bus 005 Device 017: ID 4255:1000 GoPro 9FF2 [Digital Photo Display]
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x4255 GoPro
  idProduct          0x1000 9FF2 [Digital Photo Display]
  bcdDevice            0.00
  iManufacturer           1 AMON
  iProduct                2 MST-X7
  iSerial                 3 123456789ABC
  bNumConfigurations      2
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0020
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0020
    bNumInterfaces          1
    bConfigurationValue     2
    iConfiguration          0
    bmAttributes         0xc0
      Self Powered
    MaxPower                2mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
```

### Research: File/Drive Access by Action Manager 1.3

Opening the drive/device:

```
CreateFile():
  Desired Access: Generic Read/Write
  Disposition:    Open
  Options:        Synchronous IO Non-Alert, Non-Directory File
  Attributes:     n/a
  ShareMode:      Read, Write
  AllocationSize: n/a
  OpenResult:     Opened
```

Sending a command: the Windows application sends `IOCTL_SCSI_PASS_THROUGH` via `DeviceIoControl()` on that handle.

### Research: Access Point

After connecting to the camera's access point (AP), it is possible to log in to the camera via telnet.

* Host: ``
* Username: `root`
* Password: _no password required_

```
$ telnet 
Trying 
Connected to 
Escape character is '^]'.

buildroot login: root
# uname -a
Linux buildroot #1 PREEMPT Mon Dec 15 21:04:04 KST 2014 armv6l GNU/Linux
# ps
  PID USER       TIME   COMMAND
    1 root       0:02   init
    2 root       0:00   [kthreadd]
    3 root       0:00   [ksoftirqd/0]
    4 root       0:00   [kworker/0:0]
    5 root       0:00   [kworker/u:0]
    6 root       0:00   [khelper]
  351 root       0:00   [sync_supers]
  353 root       0:00   [bdi-default]
  355 root       0:00   [kblockd]
  356 root       0:00   [ipc_bh 0]
  357 root       0:00   [ipc_bh 1]
  448 root       0:00   [kworker/u:2]
  452 root       0:00   [rpciod]
  453 root       0:01   [kworker/0:1]
  462 root       0:00   [kswapd0]
  463 root       0:00   [fsnotify_mark]
  464 root       0:00   [aio]
  465 root       0:00   [nfsiod]
  468 root       0:00   [crypto]
  512 root       0:00   [mtdblock0]
  519 root       0:00   [mtdblock1]
  524 root       0:00   [mtdblock2]
  529 root       0:00   [mtdblock3]
  534 root       0:00   [mtdblock4]
  539 root       0:00   [mtdblock5]
  544 root       0:00   [mtdblock6]
  549 root       0:00   [mtdblock7]
  554 root       0:00   [mtdblock8]
  559 root       0:00   [mtdblock9]
  564 root       0:00   [mtdblock10]
  569 root       0:00   [mtdblock11]
  574 root       0:00   [mtdblock12]
  579 root       0:00   [mtdblock13]
  584 root       0:00   [mtdblock14]
  593 root       0:00   [ubi_bgt0d]
  597 root       0:00   [mmcqd/0]
  604 root       0:00   [lkvfs_bh 0]
  609 root       0:00   {rcS} /bin/sh /etc/init.d/rcS
  617 root       0:00   [ubifs_bgt0_1]
  636 dbus       0:00   dbus-daemon --system
  648 root       0:00   {S50service} /bin/sh /etc/init.d/S50service start
  656 root       0:06   vffs /tmp/fuse_a -l a -C 1 -o big_writes -s
  659 root       0:00   vffs /tmp/fuse_d -l d -C 1 -o big_writes -s
  662 root       0:00   vffs /tmp/fuse -l f -s
  674 root       0:00   ombra
  677 root       0:00   dvf2web --daemon
  678 root       0:00   /usr/bin/AmbaStreamSVC
  680 root       0:00   amba_mq_handler
  683 root       0:00   network_message_daemon
  691 root       0:00   /usr/bin/lu_lnxfio_stream
  703 root       0:15   [AR6K Async]
  711 root       0:18   [ksdioirqd/mmc1]
  780 nobody     0:00   dnsmasq --nodns -5 -K -R -n --dhcp-range=,,infinite
  814 root       0:05   hostapd -B /tmp/hostapd.conf
  829 root       0:00   telnetd
  842 root       0:00   cherokee-worker -a -C /etc/cherokee.conf -j -s -d
  848 root       0:00   cgiBridge
  854 root       0:00   remote_ctrl
 1493 root       0:00   -sh
 1498 root       0:00   ps
# mount
rootfs on / type rootfs (rw)
ubi0:linux on / type ubifs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,size=18668k,nr_inodes=4667,mode=755)
none on /dev type tmpfs (rw,relatime)
proc on /proc type proc (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777)
tmpfs on /tmp type tmpfs (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
ubi0:pref on /pref type ubifs (rw,sync,relatime)
1 on /tmp/fuse_a type fuse.1 (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
1 on /tmp/fuse_d type fuse.1 (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
f on /tmp/fuse type fuse.f (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
f on /var/www/shutter type fuse.f (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
tmpfs on /var/www/live type tmpfs (rw,relatime)
1 on /var/www/pref type fuse.1 (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
tmpfs on /var/www/mjpeg type tmpfs (rw,relatime)
# lsmod
ar6000 370159 0 - Live 0x7f000000
# ifconfig
lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:295 errors:0 dropped:0 overruns:0 frame:0
          TX packets:295 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:15356 (14.9 KiB)  TX bytes:15356 (14.9 KiB)

wlan0     Link encap:Ethernet  HWaddr 1C:4A:F7:00:6F:E4
          inet addr:  Bcast:  Mask:
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38148 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3815 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15639749 (14.9 MiB)  TX bytes:632131 (617.3 KiB)

# iwconfig
lo        no wireless extensions.

wlan0     AR6000 802.11ng  ESSID:"X7APP"  Nickname:""
          NWID:off/any  Mode:Master  Frequency:2.462 GHz  Access Point: 1C:4A:F7:00:6F:E4
          Bit Rate:52 Mb/s   Tx-Power=15 dBm   Sensitivity=0/3
          RTS thr=0 B   Fragment thr=0 B
          Encryption key:00   Security mode:open
          Power Management:on
          Link Quality:95  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

# 
```

### Research: Code Snippets using ioctl()

Trying to reproduce `IOCTL_SCSI_PASS_THROUGH` on Linux. Cancelled: far too complicated, and the USB mass storage interface is an easier target.

### Research: USB data transfer

Is it possible to write to the USB mass storage interface directly instead?

#### USBPcap: Linux Host and Windows Guest

Identify the bus the camera is connected to:

```
Bus 005 Device 017: ID 4255:1000 GoPro 9FF2 [Digital Photo Display]
```

Load `usbmon` so the USB traffic can be captured with Wireshark:

```
modprobe usbmon
```

In Wireshark, the `usbmon` interface for that bus (here `usbmon5`, for bus 005) is selected as the capture source. The following display filter keeps only the relevant packets (device address 17 and the three vendor-specific SCSI opcodes):

```
(usb.device_address == 17 ) && (scsi.spc.opcode == 0xfd || scsi.spc.opcode == 0xfe || scsi.spc.opcode == 0xff)
```

Vendor-specific commands:

* `0xfd`: set AP SSID
* `0xfe`: set AP passphrase
* `0xff`: synchronize time

Example packets:

`0xfd` (set AP SSID):

```
0000 fd 00 58 37 41 50 50 00 00 00 00 00 00 00 00 00 ..X7APP.........
```

`0xfe` (set AP passphrase):

```
0000 fe 00 58 37 41 50 50 41 53 53 00 00 00 00 00 00 ..X7APPASS......
```

`0xff` (synchronize time):

```
0000 ff 00 07 e5 08 0a 0b 24 00 00 00 00 00 00 00 00 .......$........
           └──┬──┘ │  │  │  │  │
              │    │  │  │  │  └─ Seconds
              │    │  │  │  └──── Minutes
              │    │  │  └─────── Hour
              │    │  └────────── Day
              │    └───────────── Month
              └────────────────── Year
```

**Current challenge**

After requesting `sense` and Direct Access, the correct data is not sent.
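The three captured CDBs above are small enough to decode mechanically, which is useful when checking a longer usbmon capture for the same commands. The following decoder is an added example and is not part of the original notes or of any vendor tool. It takes the byte layout for `0xff` from the diagram (a two-byte big-endian year followed by one byte each for month, day, hour, minutes and seconds) and assumes, based only on the two captured packets, that the `0xfd` and `0xfe` payloads are NUL-terminated ASCII strings starting at byte 2. The three hex dump lines embedded in it are the ones shown above; the function and field names are the example's own.

```python
"""Decoder for the vendor-specific SCSI CDBs seen in the X7 usbmon capture.

Added example, not code from the original research notes. Field layouts are
taken from the notes above; the string encoding of 0xfd/0xfe is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime

# Opcodes from the capture (the same set the Wireshark display filter matches).
OP_SET_SSID = 0xFD
OP_SET_PASSPHRASE = 0xFE
OP_SYNC_TIME = 0xFF

# The three packet dumps shown in the notes (Wireshark hex dump lines).
CAPTURED_LINES = [
    "0000 fd 00 58 37 41 50 50 00 00 00 00 00 00 00 00 00 ..X7APP.........",
    "0000 fe 00 58 37 41 50 50 41 53 53 00 00 00 00 00 00 ..X7APPASS......",
    "0000 ff 00 07 e5 08 0a 0b 24 00 00 00 00 00 00 00 00 .......$........",
]


@dataclass
class VendorCommand:
    opcode: int
    name: str
    value: object  # str for the AP settings, datetime for the time sync


def parse_hexdump_line(line: str) -> bytes:
    """Turn one dump line ('0000 fd 00 ... <ascii>') into its 16 CDB bytes.

    The first token is the offset and tokens 1..16 are the hex bytes; the
    trailing ASCII column is ignored so it can never be mistaken for data.
    """
    tokens = line.split()
    if len(tokens) < 17:
        raise ValueError("dump line does not carry 16 bytes")
    return bytes(int(tok, 16) for tok in tokens[1:17])


def _cstring(payload: bytes) -> str:
    """ASCII up to the first NUL byte (assumed encoding for 0xfd/0xfe)."""
    end = payload.find(b"\x00")
    raw = payload if end < 0 else payload[:end]
    return raw.decode("ascii", errors="replace")


def decode_cdb(cdb: bytes) -> VendorCommand:
    """Decode a 16-byte vendor CDB; raises ValueError for anything else."""
    if len(cdb) != 16:
        raise ValueError(f"expected a 16-byte CDB, got {len(cdb)} bytes")
    opcode = cdb[0]
    payload = cdb[2:]  # byte 1 is 0x00 in every captured packet
    if opcode == OP_SET_SSID:
        return VendorCommand(opcode, "set AP ssid", _cstring(payload))
    if opcode == OP_SET_PASSPHRASE:
        return VendorCommand(opcode, "set AP passphrase", _cstring(payload))
    if opcode == OP_SYNC_TIME:
        # Layout from the byte diagram: 2-byte big-endian year, then one byte
        # each for month, day, hour, minutes, seconds; remaining bytes are 0.
        year = int.from_bytes(cdb[2:4], "big")
        month, day, hour, minute, second = cdb[4:9]
        return VendorCommand(
            opcode, "synchronize time",
            datetime(year, month, day, hour, minute, second),
        )
    raise ValueError(f"not a documented vendor opcode: 0x{opcode:02x}")


def decode_capture(lines=CAPTURED_LINES) -> list:
    """Decode every dump line in order; undocumented opcodes raise."""
    return [decode_cdb(parse_hexdump_line(line)) for line in lines]


if __name__ == "__main__":
    for cmd in decode_capture():
        print(f"0x{cmd.opcode:02x} {cmd.name}: {cmd.value!r}")
```

Run stand-alone it prints the SSID `X7APP`, the passphrase `X7APPASS` and the time `2021-08-10 11:36:00` recovered from the three dumps. Note that the passphrase is readable straight from the bus capture because the command carries it in cleartext, which is why it appears in the ASCII column of the dump above.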