Drift HD Ghost - Technical Notes and Root
Note: Please don't attempt anything here unless you are comfortable with the possibility of permanently damaging your camera. I also do not guarantee your camera is the same as mine - this is just for information and fun! It goes without saying that I take no responsibility for what you do with this information, and it will probably invalidate your warranty too.
It is reported that the firmware re-flash does not appear to disable the debug network on a Ghost S.
strings over publicly available firmware and software, then searching around for anything interesting.
strings doesn't, but is at least publicly available from Drift Innovation: http://driftinnovation.com/wp-content/uploads/2013/07/Drift_Android-Source_Code_05-06-13.pdf - meaning that hopefully they aren't too fussy about people poking around.
Let's assume that Linux is the OS responding to telnet, but we have no root password to log in to it. So, reading from Evil Wombat's excellent work here:
http://goprouser.freeforums.org/hero3-black-firmware-studies-physical-teardown-photos-t10016-20.html
Let's check we have the "lu_util":
Paul$ grep "lu_util" strings.txt
lu_util
Yep! So, if my knowledge of BusyBox serves me correctly, we can create the following autoexec.ash to reset the root password. We wait 15 seconds for Linux to boot (as EW suggests):
sleep 15
# chpasswd reads "user:password" from stdin rather than from its arguments, so this line would need piping even if lu_util exec worked
lu_util exec 'chpasswd root:banana'
Now to test... no dice. Still a blocked telnet login.
Going through the strings, I can see that we have something called lu_exec. I'll try that with a shorter delay, and a different password manipulation command:
sleep 4
lu_exec 'passwd -d root'
But again, no dice. And when WiFi is enabled, it crashes the camera software. This could be because it tries to execute something as root with the password it expects - I'm not sure. Hmm. Let's just try this the hard way.
We can easily find what appears to be the passwd line for "root" on the Linux OS, using strings again:
root:imgFde3ewynik:0:0:99999:7:::
This was presumably generated by BusyBox, so it is in traditional crypt(3) DES format. And it wasn't very secure - imgFde3ewynik == DES(123456)!
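A quick way to triage this kind of finding across a whole firmware dump is to pull every shadow-format line out of the strings output and name the hash scheme it uses. The following Python is an added example, not code from the original post; the root line is the one quoted above, and the daemon, admin and guest lines in its sample input are constructed for contrast.

```python
import re

# Constructed sample input: the shadow-style line recovered from the firmware
# with strings (as quoted on this page) plus made-up lines for contrast.
STRINGS_OUTPUT = """\
/usr/local/share/script/
root:imgFde3ewynik:0:0:99999:7:::
daemon:*:0:0:99999:7:::
admin:$6$saltsalt$constructedsamplenotarealhash:0:0:99999:7:::
guest::0:0:99999:7:::
lu_util
"""

# A shadow(5) entry: user name, password field, then seven numeric-or-empty fields.
SHADOW_RE = re.compile(r"^([a-z_][a-z0-9_-]*):([^:]*)(?::[0-9]*){7}$")

MODULAR_PREFIXES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt",
                    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

# Schemes a reviewer should flag: no password at all, or legacy crypt(3) DES,
# which truncates the password to 8 characters and uses only a 12-bit salt.
WEAK = {"empty", "des-crypt"}
def classify_hash(field):
    """Name the scheme of a shadow password field."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in MODULAR_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"        # 2-char salt + 11-char hash, e.g. imgFde3ewynik
    return "unknown"

def audit_shadow_lines(text):
    """Return (user, scheme, is_weak) for every shadow-format line in strings output."""
    findings = []
    for line in text.splitlines():
        m = SHADOW_RE.match(line.strip())
        if m:
            user, field = m.groups()
            scheme = classify_hash(field)
            findings.append((user, scheme, scheme in WEAK))
    return findings

if __name__ == "__main__":
    for user, scheme, weak in audit_shadow_lines(STRINGS_OUTPUT):
        print(f"{user:8s} {scheme:13s} {'WEAK' if weak else 'ok'}")
```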
Important: The following creates a WiFi network which you will have to reflash your device to disable, unless you find where the debug shell script is.
As we just found out, the root password is 123456. To get a usable root shell, do the following.
Enable WiFi
Join the network
Telnet to the device (192.168.42.1)
Username is "root"
Password is "123456"
It will then show:
Press CTRL+C now if you want to skip hibernation
killall hostapd
And the camera will soft-reboot
The camera might now make the "EGO+" network, or the camera might keep broadcasting on the "HD HERO XXX" network.
In the strings results for EGO+, it appears to be a SoftAP network, but I'm not sure what the context is or how it activates. I've had both these scenarios happen.
This reboot will drop your connection. Keep telnet open and restore your connection to the device, either on the original "HD HERO XXX" SSID or the "EGO+" SSID. The telnet session will restore.
The restored session will greet you with this:
sleep 1
boot_done: rval 0 !
amba_mq_recv_message: Identifier removed
The mqueue is removed !!
wlan0 Link encap:Ethernet HWaddr BC:0F:2B:22:77:A1
inet addr:192.168.42.1 Bcast:192.168.42.255 Mask:255.255.255.0
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:1247 errors:0 dropped:41 overruns:0 frame:0
TX packets:642 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:335471 (327.6 KiB) TX bytes:61913 (60.4 KiB)
Configuration file: /tmp/hostapd.conf
Using interface wlan0 with hwaddr bc:0f:2b:22:77:a1 and ssid 'EGO+'
boot_done: rval 0 !
amba_mq_recv_message: Identifier removed
The mqueue is removed !!
#
And that's root!
It has clearly run a script on login which establishes the "debug" network or "SoftAP", possibly. Your guess is as good as mine, but it's persistent - from now on, your camera will broadcast a WiFi network when it boots, until you find a script which turns this behaviour off, or reflash the camera's firmware, which luckily undoes this.
You can now issue commands:
# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:17 errors:0 dropped:0 overruns:0 frame:0
TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1122 (1.0 KiB) TX bytes:1122 (1.0 KiB)
wlan0 Link encap:Ethernet HWaddr BC:0F:2B:22:77:A1
inet addr:192.168.42.1 Bcast:192.168.42.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1767 errors:0 dropped:59 overruns:0 frame:0
TX packets:895 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:440533 (430.2 KiB) TX bytes:99272 (96.9 KiB)
To disable the "service" network mode (which is silently broadcasting EGO+/HD HERO XXX without a status icon(!)), you may need to reflash your firmware or research the scripts on the device to undo the login script's work.
Some extra thoughts:
I simply got root, went "woo" and wrote this. Hence my firmware flash to disable the AP debug(?) mode. Here are some thoughts on this:
ap_start.sh. There's also p2p_start.sh. You could try and find these.
load.sh. Not sure. Haven't checked.
The folder where those scripts sit - /usr/local/share/script/ - is referred to a lot, and contains things like enable/disable softAP scripts. It appears these are Ambarella SDK utilities, as the GoPro tinkerers identified a similar set of scripts.
Evil Wombat made a firmware splitter for Ambarella S5 SDK devices here: https://github.com/evilwombat/gopro-fw-tools
And when we split the Drift Ghost firmware, the sections we get back are:
Saving section 0 to section_0 at offset 2304 len 2048 CRC 0x8d876811
Saving section 1 to section_1 at offset 6400 len 154376 CRC 0x74559d35
Saving section 2 to section_2 at offset 162048 len 59144 CRC 0x3407bf3c
Saving section 3 to section_3 at offset 223488 len 6201348 CRC 0x22256448
Saving section 4 to section_4 at offset 6426880 len 4929988 CRC 0xa28fa865
Saving section 5 to section_5 at offset 11358464 len 10448896 CRC 0x065642b2
Saving section 6 to section_6 at offset 21809408 len 2711816 CRC 0xc9c3f82c
Saving section 7 to section_7 at offset 24523008 len 30015488 CRC 0x3d6d3ef4
Saving section 8 to section_8 at offset 54540544 len 1024 CRC 0xefb5af2e
End of file reached.
These look broadly similar to Evil Wombat's guesswork on what they do (I've updated the sizes for Drift):
Section Size Guess on what it is
--------- ---- -------------------
section_0 2.0K BST bootloader - sets up DDR and friends
section_1 151K AMBoot bootloader - loads other things
section_2 58K HAL - a set of chip-specific APIs ??
section_3 5.9M Main camera software - RTOS image
section_4 4.7M Linux kernel
section_5 10M ROMFS for main camera software
section_6 2.6M DSP image ??
section_7 29M rootfs for Linux (ubifs)
section_8 1.0K Blank (for storing preferences??)
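As an added example (not part of the original post or of gopro-fw-tools), this Python parses the splitter output above, recomputes the human-readable sizes shown in the table, and checks that no section overlaps another; the per-section gaps it reports are the space the container leaves for headers and alignment. Size formatting assumes ls -h style rounding (one decimal below 10 units).

```python
import re

# Constructed sample input: the gopro-fw-tools splitter output quoted on this page.
SPLITTER_LOG = """\
Saving section 0 to section_0 at offset 2304 len 2048 CRC 0x8d876811
Saving section 1 to section_1 at offset 6400 len 154376 CRC 0x74559d35
Saving section 2 to section_2 at offset 162048 len 59144 CRC 0x3407bf3c
Saving section 3 to section_3 at offset 223488 len 6201348 CRC 0x22256448
Saving section 4 to section_4 at offset 6426880 len 4929988 CRC 0xa28fa865
Saving section 5 to section_5 at offset 11358464 len 10448896 CRC 0x065642b2
Saving section 6 to section_6 at offset 21809408 len 2711816 CRC 0xc9c3f82c
Saving section 7 to section_7 at offset 24523008 len 30015488 CRC 0x3d6d3ef4
Saving section 8 to section_8 at offset 54540544 len 1024 CRC 0xefb5af2e
End of file reached.
"""

LINE_RE = re.compile(
    r"Saving section (\d+) to (\S+) at offset (\d+) len (\d+) CRC 0x([0-9a-fA-F]{8})")

def parse_sections(log):
    """Parse the splitter log into dicts sorted by file offset."""
    sections = [{"index": int(i), "name": n, "offset": int(o), "length": int(l),
                 "crc": int(c, 16)} for i, n, o, l, c in LINE_RE.findall(log)]
    return sorted(sections, key=lambda s: s["offset"])

def human_size(n):
    """ls -h style: one decimal below 10 units, whole number above (154376 -> '151K')."""
    for unit, div in (("M", 1024 ** 2), ("K", 1024)):
        v = n / div
        if v >= 1:
            return f"{v:.1f}{unit}" if round(v, 1) < 10 else f"{round(v)}{unit}"
    return f"{n}B"

def check_layout(sections):
    """Return (names of overlapping sections, gap in bytes before each section).
    A negative gap means a section starts inside the previous one."""
    overlaps, gaps, prev_end = [], [], 0
    for s in sections:
        gap = s["offset"] - prev_end
        gaps.append(gap)
        if gap < 0:
            overlaps.append(s["name"])
        prev_end = max(prev_end, s["offset"] + s["length"])
    return overlaps, gaps

if __name__ == "__main__":
    secs = parse_sections(SPLITTER_LOG)
    for s, gap in zip(secs, check_layout(secs)[1]):
        print(f"{s['name']} {human_size(s['length']):>5} gap-before={gap} crc=0x{s['crc']:08x}")
```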
Found again in strings, this appears to be the full command list which you can issue to the camera, although some do not work through the web interface (seen below), like fd_list_files and fd_enable_dlna, etc.
Those MIGHT work through autoexec.ash in µITRON rather than Linux - we won't know until we try.
fd_set_capture_mode
fd_dzoom
fd_set_video_res
fd_set_video_fov
fd_set_photo_res
fd_set_photo_self_timer
fd_set_wifi_mode_ap
fd_set_wifi_mode_station
fd_set_wifi_client
fd_set_mic_sensitivity
fd_set_time
fd_set_camera_off
fd_set_camera_name
fd_del_media_file
fd_set_photo_continue_shooting
fd_set_photo_ae
fd_set_photo_wb
fd_set_photo_contrast
fd_set_video_anti_flicker
fd_send_app_status
fd_record_2
fd_list_files
fd_enable_dlna
fd_get_latest_media_file
fd_get_latest_media_file_2
fd_set_video_resolution
fd_set_video_framerate
fd_set_video_exposure
fd_enable_video_tagging
fd_set_video_tagging_interval
fd_set_video_self_timer
fd_set_photo_resolution
fd_set_photo_exposure
fd_set_photo_fov
fd_set_timelapse_resolution
fd_set_timelapse_exposure
fd_set_timelapse_fov
fd_set_timelapse_self_timer
fd_set_timelapse_interval
fd_set_photoburst_resolution
fd_set_photoburst_exposure
fd_set_photoburst_fov
fd_set_photoburst_self_timer
fd_set_photoburst_capture_rate
fd_set_photoburst_duration
fd_set_speaker_volume
fd_enable_date_time_stamp
fd_set_lcd_brightness
fd_set_lcd_off
fd_enable_led_indicator
fd_save_setting
fd_load_setting
fd_set_camera_language
fd_enable_remote_control_led_indicator
fd_enable_dzoom
fd_set_video_format
fd_enable_remote_control
fd_enable_remote_control_pairing
fd_record
fd_restore_default_setting
fd_get_camera_battery
fd_get_camera_freespace
fd_get_camera_info
fd_reboot_camera
fd_get_camera_status
fd_get_record_status_2
fd_get_camera_status_2
fd_get_cgi_version
fd_restore_photoburst_default_setting
fd_restore_video_default_setting
fd_restore_photo_default_setting
fd_restore_timelapse_default_setting
fd_restore_wifi_default_setting
fd_restore_camera_default_setting
fd_get_video_setting
fd_get_photo_setting
fd_get_timelapse_setting
fd_get_photoburst_setting
fd_get_wifi_setting
fd_get_camera_setting
fd_get_record_status
fd_format_sd_card
fd_tagging_video
fd_taking_photo