ACTIONPRO X7

Research

Hardware

  • SOC: Ambarella, A7L-B1-RH, A1402, N6T96-AN8, 1N1
  • WiFi: Atheros AR6103G-BM2D, P0BV68.2BE5, P0BV68.2B, 1441
  • Flash: ATO, 1440N, MST5F08G16G, NH-2106, 5FGHG46V17W

USB Details

Bus 005 Device 017: ID 4255:1000 GoPro 9FF2 [Digital Photo Display]

Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x4255 GoPro
  idProduct          0x1000 9FF2 [Digital Photo Display]
  bcdDevice            0.00
  iManufacturer           1 AMON
  iProduct                2 MST-X7
  iSerial                 3 123456789ABC
  bNumConfigurations      2
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0020
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0020
    bNumInterfaces          1
    bConfigurationValue     2
    iConfiguration          0 
    bmAttributes         0xc0
      Self Powered
    MaxPower                2mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0

Research: File/Drive Access by Action Manager 1.3

Opening Drive/Device:

CreateFile():
Desired Access:	Generic Read/Write
Disposition:	Open
Options:	Synchronous IO Non-Alert, Non-Directory File
Attributes:	n/a
ShareMode:	Read, Write
AllocationSize:	n/a
OpenResult:	Opened

Sending Command: the Windows application sends IOCTL_SCSI_PASS_THROUGH with DeviceIoControl().

Research: Access Point

After connecting to the access point (AP), it is possible to connect to the camera via telnet.

  • Host: 192.168.42.1
  • Username: root
  • Password: no password required

$ telnet 192.168.42.1
Trying 192.168.42.1...
Connected to 192.168.42.1.
Escape character is '^]'.

buildroot login: root
# uname -a
Linux buildroot 2.6.38.8 #1 PREEMPT Mon Dec 15 21:04:04 KST 2014 armv6l GNU/Linux
# ps
PID   USER     TIME   COMMAND
    1 root       0:02 init
    2 root       0:00 [kthreadd]
    3 root       0:00 [ksoftirqd/0]
    4 root       0:00 [kworker/0:0]
    5 root       0:00 [kworker/u:0]
    6 root       0:00 [khelper]
  351 root       0:00 [sync_supers]
  353 root       0:00 [bdi-default]
  355 root       0:00 [kblockd]
  356 root       0:00 [ipc_bh 0]
  357 root       0:00 [ipc_bh 1]
  448 root       0:00 [kworker/u:2]
  452 root       0:00 [rpciod]
  453 root       0:01 [kworker/0:1]
  462 root       0:00 [kswapd0]
  463 root       0:00 [fsnotify_mark]
  464 root       0:00 [aio]
  465 root       0:00 [nfsiod]
  468 root       0:00 [crypto]
  512 root       0:00 [mtdblock0]
  519 root       0:00 [mtdblock1]
  524 root       0:00 [mtdblock2]
  529 root       0:00 [mtdblock3]
  534 root       0:00 [mtdblock4]
  539 root       0:00 [mtdblock5]
  544 root       0:00 [mtdblock6]
  549 root       0:00 [mtdblock7]
  554 root       0:00 [mtdblock8]
  559 root       0:00 [mtdblock9]
  564 root       0:00 [mtdblock10]
  569 root       0:00 [mtdblock11]
  574 root       0:00 [mtdblock12]
  579 root       0:00 [mtdblock13]
  584 root       0:00 [mtdblock14]
  593 root       0:00 [ubi_bgt0d]
  597 root       0:00 [mmcqd/0]
  604 root       0:00 [lkvfs_bh 0]
  609 root       0:00 {rcS} /bin/sh /etc/init.d/rcS
  617 root       0:00 [ubifs_bgt0_1]
  636 dbus       0:00 dbus-daemon --system
  648 root       0:00 {S50service} /bin/sh /etc/init.d/S50service start
  656 root       0:06 vffs /tmp/fuse_a -l a -C 1 -o big_writes -s
  659 root       0:00 vffs /tmp/fuse_d -l d -C 1 -o big_writes -s
  662 root       0:00 vffs /tmp/fuse -l f -s
  674 root       0:00 ombra
  677 root       0:00 dvf2web --daemon
  678 root       0:00 /usr/bin/AmbaStreamSVC
  680 root       0:00 amba_mq_handler
  683 root       0:00 network_message_daemon
  691 root       0:00 /usr/bin/lu_lnxfio_stream
  703 root       0:15 [AR6K Async]
  711 root       0:18 [ksdioirqd/mmc1]
  780 nobody     0:00 dnsmasq --nodns -5 -K -R -n --dhcp-range=192.168.42.2,192.168.42.6,infinite
  814 root       0:05 hostapd -B /tmp/hostapd.conf
  829 root       0:00 telnetd
  842 root       0:00 cherokee-worker -a -C /etc/cherokee.conf -j -s -d
  848 root       0:00 cgiBridge
  854 root       0:00 remote_ctrl
 1493 root       0:00 -sh
 1498 root       0:00 ps
# mount
rootfs on / type rootfs (rw)
ubi0:linux on / type ubifs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,size=18668k,nr_inodes=4667,mode=755)
none on /dev type tmpfs (rw,relatime)
proc on /proc type proc (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777)
tmpfs on /tmp type tmpfs (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
ubi0:pref on /pref type ubifs (rw,sync,relatime)
1 on /tmp/fuse_a type fuse.1 (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
1 on /tmp/fuse_d type fuse.1 (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
f on /tmp/fuse type fuse.f (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
f on /var/www/shutter type fuse.f (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
tmpfs on /var/www/live type tmpfs (rw,relatime)
1 on /var/www/pref type fuse.1 (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
tmpfs on /var/www/mjpeg type tmpfs (rw,relatime)
# lsmod
ar6000 370159 0 - Live 0x7f000000
# ifconfig 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:295 errors:0 dropped:0 overruns:0 frame:0
          TX packets:295 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:15356 (14.9 KiB)  TX bytes:15356 (14.9 KiB)

wlan0     Link encap:Ethernet  HWaddr 1C:4A:F7:00:6F:E4  
          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38148 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3815 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:15639749 (14.9 MiB)  TX bytes:632131 (617.3 KiB)

# iwconfig 
lo        no wireless extensions.

wlan0     AR6000 802.11ng  ESSID:"X7APP"  Nickname:""
          NWID:off/any  Mode:Master  Frequency:2.462 GHz  
          Access Point: 1C:4A:F7:00:6F:E4   Bit Rate:52 Mb/s   Tx-Power=15 dBm   
          Sensitivity=0/3  
          RTS thr=0 B   Fragment thr=0 B   
          Encryption key:00   Security mode:open
          Power Management:on
          Link Quality:95  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

#

Research: Code Snippets using ioctl()

Trying to reproduce IOCTL_SCSI_PASS_THROUGH with Linux.

Cancelled: way too complicated. The USB mass storage interface is an easier target.

Research: USB data transfer

Is it possible to just write to the USB interface instead?

USBPcap: Linux Host and Windows Guest

Identify the bus the camera is connected to:

Bus 005 Device 017: ID 4255:1000 GoPro 9FF2 [Digital Photo Display]

Load usbmon to capture USB traffic with Wireshark:

modprobe usbmon

In Wireshark, select usbmon<busid> (e.g. usbmon5) as the packet capture source.

The following display filter shows only the relevant packets:

(usb.device_address == 17 ) && (scsi.spc.opcode == 0xfd || scsi.spc.opcode == 0xfe || scsi.spc.opcode == 0xff)

Vendor specific commands:

  • 0xfd: set AP SSID
  • 0xfe: set AP passphrase
  • 0xff: synchronize time

Example packets:

0xfd:

0000   fd 00 58 37 41 50 50 00 00 00 00 00 00 00 00 00   ..X7APP.........

0xfe:

0000   fe 00 58 37 41 50 50 41 53 53 00 00 00 00 00 00   ..X7APPASS......

Synchronize time 0xff:

0000   ff 00 07 e5 08 0a 0b 24 00 00 00 00 00 00 00 00   .......$........
             ────┐ ─┐ ─┐ ─┐ ─┐ ─┐
                 │  │  │  │  │  │
                 │  │  │  │  │  └─ Seconds
                 │  │  │  │  └──── Minutes
                 │  │  │  └─────── Hour
                 │  │  └────────── Day
                 │  └───────────── Month
                 └──────────────── Year
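
The three captured commands above can be decoded programmatically when reviewing a usbmon capture. The following is an added example, not code from the original README; the field layout (byte 0 opcode, byte 1 zero, NUL-padded ASCII string or big-endian year followed by one byte per time field) is an assumption inferred from the three sample packets only, and `decode_cdb` and `SAMPLES` are names made up for this illustration.

```python
"""Decode the camera's vendor-specific 16-byte SCSI CDBs seen in the capture."""
from datetime import datetime

# Opcode meanings as listed on this page.
OPCODES = {0xFD: "set_ap_ssid", 0xFE: "set_ap_passphrase", 0xFF: "sync_time"}


def decode_cdb(cdb: bytes) -> dict:
    """Return the command name and decoded payload of one vendor CDB.

    Layout is inferred from the three sample packets only (assumption):
    byte 0 = opcode, byte 1 = 0x00, bytes 2.. = payload, zero padded.
    """
    if len(cdb) != 16:
        raise ValueError(f"expected a 16-byte CDB, got {len(cdb)} bytes")
    name = OPCODES.get(cdb[0])
    if name is None:
        raise ValueError(f"not a known vendor opcode: {cdb[0]:#04x}")
    payload = cdb[2:]
    if name == "sync_time":
        # Year is a big-endian 16-bit value, then one byte per field.
        year = int.from_bytes(payload[0:2], "big")
        month, day, hour, minute, second = payload[2:7]
        # datetime() raises ValueError if any field is out of range.
        value = datetime(year, month, day, hour, minute, second)
    else:
        # Text ends at the first NUL; the rest of the CDB must be padding.
        text, _, padding = payload.partition(b"\x00")
        if any(padding):
            raise ValueError("non-zero bytes after the string terminator")
        value = text.decode("ascii")
    return {"opcode": cdb[0], "command": name, "reserved": cdb[1], "value": value}


# The three example packets from this page, copied from the hex dumps.
SAMPLES = [
    bytes.fromhex("fd 00 58 37 41 50 50 00 00 00 00 00 00 00 00 00"),
    bytes.fromhex("fe 00 58 37 41 50 50 41 53 53 00 00 00 00 00 00"),
    bytes.fromhex("ff 00 07 e5 08 0a 0b 24 00 00 00 00 00 00 00 00"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(decode_cdb(raw))
```

Because the passphrase travels as plain ASCII in the 0xfe command, any stored capture of this traffic contains the AP credentials and should be handled accordingly.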

Current challenge: after requesting the sense and Direct Access, the correct data is not sent.