Drift HD Ghost - Technical Notes and Root
Note: Please don't attempt anything here unless you are comfortable with the possibility of permanently damaging your camera. I also do not guarantee your camera is the same as mine - this is just for information and fun! It goes without saying that I take no responsibility for what you do with this information, and it will probably invalidate your warranty too.
It is reported that the firmware re-flash does not appear to disable the debug network on a Ghost S.
Running strings over publicly available firmware and software, then searching around for anything interesting.
strings doesn't, but is at least publicly available from Drift Innovation: http://driftinnovation.com/wp-content/uploads/2013/07/Drift_Android-Source_Code_05-06-13.pdf - meaning that hopefully they aren't too fussy about people poking around.
Let's assume that Linux is the OS responding to telnet, but we have no root password to log in to it. So, reading from Evil Wombat's excellent work here:
Let's check we have the "lu_util":
Paul$ grep "lu_util" strings.txt
lu_util
Yep! So, if my knowledge of BusyBox serves me correctly, we can create the following autoexec.ash to reset the root password. We wait 15 seconds for Linux to boot (as EW suggests):
sleep 15
lu_util exec 'chpasswd root:banana'
Now to test... no dice. Still a blocked telnet login.
Going through the strings, I can see that we have something called lu_exec. I'll try that with a shorter delay, and a different password manipulation command:
sleep 4
lu_exec 'passwd -d root'
But again, no dice. And when WiFi is enabled, it crashes the camera software. This could be because it tries to execute something as root with the password it expects - I'm not sure. Hmm. Let's just try this the hard way.
We can easily find what appears to be the passwd line for "root" on the Linux OS, using
This was presumably generated by BusyBox, so it is in the traditional DES crypt(3) format. And it wasn't very secure:
imgFde3ewynik == DES(123456)!
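A defender-side check for the weakness just found, as an added Python example (not code from the page): it classifies a passwd/shadow password field by crypt(3) scheme, flags the legacy DES format, and, where the C library still implements DES crypt, tests the hash against a short list of known defaults. The full passwd line is not on the page, so the sample line below is constructed; only the hash field comes from the page.

```python
import re

# Constructed sample input: only the hash field is from the page, the rest
# (uid, gid, home, shell) is a guess for illustration.
SAMPLE_PASSWD = "root:imgFde3ewynik:0:0:root:/root:/bin/sh\n"

DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # 2-char salt + 11-char hash
MODERN = {"$1$": "MD5-crypt", "$5$": "SHA-256-crypt", "$6$": "SHA-512-crypt"}


def classify_hash(field):
    """Name the crypt(3) scheme used by a passwd/shadow password field."""
    if field == "":
        return "empty"                      # no password at all
    if field in ("x", "*") or field.startswith("!"):
        return "shadowed/locked"            # real hash lives in /etc/shadow
    if DES_RE.match(field):
        return "DES-crypt"                  # 8-char max password, 56-bit key
    for prefix, name in MODERN.items():
        if field.startswith(prefix):
            return name
    return "unknown"


def matches_default(field, candidates=("123456",)):
    """True/False if the hash matches a known default; None when crypt(3)
    is unavailable (the crypt module was removed in Python 3.13) or the libc
    refuses the legacy scheme (it then returns None or a '*' marker)."""
    try:
        import crypt
    except ImportError:
        return None
    for candidate in candidates:
        computed = crypt.crypt(candidate, field)   # salt is taken from field
        if not computed or computed.startswith("*"):
            return None
        if computed == field:
            return True
    return False


def audit_passwd(text, defaults=("123456",)):
    """One finding per account whose hash is actually present in the file."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        scheme = classify_hash(field)
        if scheme == "shadowed/locked":
            continue
        findings.append({"user": user, "scheme": scheme,
                         "legacy_des": scheme == "DES-crypt",
                         "default_password": matches_default(field, defaults)})
    return findings
```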
Important: The following creates a WiFi network which you will have to reflash your device to disable, unless you find where the debug shell script is.
As we just found out, the root password is 123456. To get a usable root shell, do the following.
Join the network
Telnet to the device (192.168.42.1)
Username is "root"
Password is "123456"
It will then show:
Press CTRL+C now if you want to skip hibernation
killall hostapd
And the camera will soft-reboot
The camera might now make the "EGO+" network, or the camera might keep broadcasting on the "HD HERO XXX" network.
From the strings results for EGO+, it appears to be a SoftAP network, but I'm not sure what the context is or how it activates. I've had both these scenarios happen.
This reboot will drop your connection. Keep telnet open and restore your connection to the device, either on the original "HD HERO XXX" SSID or the "EGO+" SSID. The telnet session will restore.
The restored session will greet you with this:
sleep 1
boot_done: rval 0 !
amba_mq_recv_message: Identifier removed
The mqueue is removed !!
wlan0     Link encap:Ethernet  HWaddr BC:0F:2B:22:77:A1
          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:1247 errors:0 dropped:41 overruns:0 frame:0
          TX packets:642 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:335471 (327.6 KiB)  TX bytes:61913 (60.4 KiB)
Configuration file: /tmp/hostapd.conf
Using interface wlan0 with hwaddr bc:0f:2b:22:77:a1 and ssid 'EGO+'
boot_done: rval 0 !
amba_mq_recv_message: Identifier removed
The mqueue is removed !!
#
And that's root!
It's clearly run a script on-login, which establishes the "debug" network or "SoftAP", possibly. Your guess is as good as mine, but it's persistent - from now on, your camera will broadcast a WiFi network when it boots, until you find a script which turns this behaviour off or reflash the camera's firmware, which luckily undoes this.
You can now issue commands:
# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1122 (1.0 KiB)  TX bytes:1122 (1.0 KiB)

wlan0     Link encap:Ethernet  HWaddr BC:0F:2B:22:77:A1
          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1767 errors:0 dropped:59 overruns:0 frame:0
          TX packets:895 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:440533 (430.2 KiB)  TX bytes:99272 (96.9 KiB)
To disable the "service" network mode (which is silently broadcasting EGO+/HD HERO XXX without a status icon(!)), you may need to reflash your firmware or research the scripts on the device to undo the login script's work.
Some extra thoughts:
I simply got root, went "woo" and wrote this. Hence my firmware flash to disable the AP debug(?) mode. Here are some thoughts on this:
- ap_start.sh. There's also p2p_start.sh. You could try and find these.
- load.sh. Not sure. Haven't checked.
- The folder where those scripts sit - /usr/local/share/script/ - is referred to a lot, and contains things like enable/disable softAP scripts. It appears these are Ambarella SDK utilities, as the GoPro tinkerers identified a similar set of scripts.
Evil Wombat made a firmware splitter for Ambarella S5 SDK devices here: https://github.com/evilwombat/gopro-fw-tools
And when we split the Drift Ghost firmware, the sections we get back are:
Saving section 0 to section_0 at offset 2304 len 2048 CRC 0x8d876811
Saving section 1 to section_1 at offset 6400 len 154376 CRC 0x74559d35
Saving section 2 to section_2 at offset 162048 len 59144 CRC 0x3407bf3c
Saving section 3 to section_3 at offset 223488 len 6201348 CRC 0x22256448
Saving section 4 to section_4 at offset 6426880 len 4929988 CRC 0xa28fa865
Saving section 5 to section_5 at offset 11358464 len 10448896 CRC 0x065642b2
Saving section 6 to section_6 at offset 21809408 len 2711816 CRC 0xc9c3f82c
Saving section 7 to section_7 at offset 24523008 len 30015488 CRC 0x3d6d3ef4
Saving section 8 to section_8 at offset 54540544 len 1024 CRC 0xefb5af2e
End of file reached.
These look broadly similar to Evil Wombat's guesswork on what they do (I've updated the sizes for Drift):
Section    Size   Guess on what it is
---------  -----  -------------------
section_0  2.0K   BST bootloader - sets up DDR and friends
section_1  151K   AMBoot bootloader - loads other things
section_2  58K    HAL - a set of chip-specific APIs ??
section_3  5.9M   Main camera software - RTOS image
section_4  4.7M   Linux kernel
section_5  10M    ROMFS for main camera software
section_6  2.6M   DSP image ??
section_7  29M    rootfs for Linux (ubifs)
section_8  1.0K   Blank (for storing preferences??)
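To get from the splitter's output to the size column of that table without doing it by hand, here is an added Python example (my own, not from the page and not part of evilwombat's gopro-fw-tools): it parses the "Saving section" lines, rounds sizes the way the table does, checks that no two sections overlap, and can compare a carved section's bytes against the printed CRC. It assumes the splitter's CRC is a standard zlib-style CRC-32, which the page does not confirm.

```python
import re
import zlib

# Splitter output exactly as printed above, embedded here as sample input.
SPLIT_LOG = """\
Saving section 0 to section_0 at offset 2304 len 2048 CRC 0x8d876811
Saving section 1 to section_1 at offset 6400 len 154376 CRC 0x74559d35
Saving section 2 to section_2 at offset 162048 len 59144 CRC 0x3407bf3c
Saving section 3 to section_3 at offset 223488 len 6201348 CRC 0x22256448
Saving section 4 to section_4 at offset 6426880 len 4929988 CRC 0xa28fa865
Saving section 5 to section_5 at offset 11358464 len 10448896 CRC 0x065642b2
Saving section 6 to section_6 at offset 21809408 len 2711816 CRC 0xc9c3f82c
Saving section 7 to section_7 at offset 24523008 len 30015488 CRC 0x3d6d3ef4
Saving section 8 to section_8 at offset 54540544 len 1024 CRC 0xefb5af2e
End of file reached.
"""

LINE_RE = re.compile(
    r"Saving section (\d+) to (\S+) at offset (\d+) len (\d+) CRC (0x[0-9a-fA-F]+)")


def parse_sections(log):
    """Parse the splitter's 'Saving section' lines into dicts, in file order."""
    return [{"index": int(i), "name": n, "offset": int(o), "length": int(ln),
             "crc": int(c, 16)} for i, n, o, ln, c in LINE_RE.findall(log)]


def human_size(n):
    """Round the way the table above does: one decimal below 10, whole units above."""
    for unit in ("B", "K", "M", "G"):
        if n < 1024 or unit == "G":
            break
        n /= 1024.0
    return f"{n:.0f}{unit}" if round(n, 1) >= 10 else f"{n:.1f}{unit}"


def size_table(log):
    """(name, human size) pairs, i.e. the first two columns of the table."""
    return [(s["name"], human_size(s["length"])) for s in parse_sections(log)]


def gaps_between_sections(log):
    """Bytes between the end of each section and the start of the next.
    A negative value would mean the splitter produced overlapping sections."""
    secs = sorted(parse_sections(log), key=lambda s: s["offset"])
    return [b["offset"] - (a["offset"] + a["length"]) for a, b in zip(secs, secs[1:])]


def section_crc_ok(data, expected_crc):
    """Compare a carved section's bytes with the CRC the splitter printed.
    ASSUMPTION: the splitter uses a standard CRC-32 (zlib polynomial)."""
    return (zlib.crc32(data) & 0xFFFFFFFF) == expected_crc


if __name__ == "__main__":
    for name, size in size_table(SPLIT_LOG):
        print(f"{name:<10} {size:>5}")
    print("gaps between sections:", gaps_between_sections(SPLIT_LOG))
```

Every gap comes out positive and close to 2 KiB, consistent with a per-section header sitting in front of each image.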
Found again in strings, this appears to be the full command list which you can issue to the camera, although some do not work through the web interface (seen below), like fd_list_files and fd_enable_dlna, etc.
Those MIGHT work through autoexec.ash in uItron rather than Linux - we won't know until we try.
fd_set_capture_mode fd_dzoom fd_set_video_res fd_set_video_fov fd_set_photo_res
fd_set_photo_self_timer fd_set_wifi_mode_ap fd_set_wifi_mode_station fd_set_wifi_client fd_set_mic_sensitivity
fd_set_time fd_set_camera_off fd_set_camera_name fd_del_media_file fd_set_photo_continue_shooting
fd_set_photo_ae fd_set_photo_wb fd_set_photo_contrast fd_set_video_anti_flicker fd_send_app_status
fd_record_2 fd_list_files fd_enable_dlna fd_get_latest_media_file fd_get_latest_media_file_2
fd_set_video_resolution fd_set_video_framerate fd_set_video_exposure fd_enable_video_tagging fd_set_video_tagging_interval
fd_set_video_self_timer fd_set_photo_resolution fd_set_photo_exposure fd_set_photo_fov fd_set_timelapse_resolution
fd_set_timelapse_exposure fd_set_timelapse_fov fd_set_timelapse_self_timer fd_set_timelapse_interval fd_set_photoburst_resolution
fd_set_photoburst_exposure fd_set_photoburst_fov fd_set_photoburst_self_timer fd_set_photoburst_capture_rate fd_set_photoburst_duration
fd_set_speaker_volume fd_enable_date_time_stamp fd_set_lcd_brightness fd_set_lcd_off fd_enable_led_indicator
fd_save_setting fd_load_setting fd_set_camera_language fd_enable_remote_control_led_indicator fd_enable_dzoom
fd_set_video_format fd_enable_remote_control fd_enable_remote_control_pairing fd_record fd_restore_default_setting
fd_get_camera_battery fd_get_camera_freespace fd_get_camera_info fd_reboot_camera fd_get_camera_status
fd_get_record_status_2 fd_get_camera_status_2 fd_get_cgi_version fd_restore_photoburst_default_setting fd_restore_video_default_setting
fd_restore_photo_default_setting fd_restore_timelapse_default_setting fd_restore_wifi_default_setting fd_restore_camera_default_setting fd_get_video_setting
fd_get_photo_setting fd_get_timelapse_setting fd_get_photoburst_setting fd_get_wifi_setting fd_get_camera_setting
fd_get_record_status fd_format_sd_card fd_tagging_video fd_taking_photo