Skip to content

Instantly share code, notes, and snippets.

@cr3ative

cr3ative/gist:8340001

Last active February 14, 2024 03:31
Show Gist options
  • Star 10 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
  • Save cr3ative/8340001 to your computer and use it in GitHub Desktop.
Save cr3ative/8340001 to your computer and use it in GitHub Desktop.
Download ZIP
Drift HD Ghost - Technical Notes and Root
Raw
gistfile1.md

## Drift HD Ghost - Technical Notes and Root

Note: Please don't attempt anything here unless you are comfortable with the possibility of permanently damaging your camera. I also do not guarantee your camera is the same as mine - this is just for information and fun! It goes without saying that I take no responsibility for what you do with this information, and it will probably invalidate your warranty too.

It is reported that the firmware re-flash does not appear to disable the debug network on a Ghost S.

  • Most of this was found by simply running strings over publically available firmware and software, then searching around for anything interesting.
  • The camera runs on the Ambarella A5S chipset, which appears to run PrKERNEL (implementing uItron): http://www.esol.com/embedded/prkernelv4.html, then boots Linux as a process inside the uItron OS.
  • There's lots of references to BOSS in the firmware, presumably a codename for this chipset from Ambarella.
  • The code on the device-side is a very close implementation of the Ambarella S5 SDK from what I can see.
  • It runs both autoexec.ash and autoexec.tcl on the following drives, on boot: a,b,c,d,e,f,g,l,z
    • Note: This scripting runs in uItron not Linux.
  • The copy of Linux contains BusyBox.
  • Something responds to Telnet by default with a hostname of "buildroot".
    • We now know this to be Linux, not uItron
    • The user "default" can log in but not receive shell, as it has no permissions to "/".
  • Firmware and base code all made by Ambarella, but with a lot stripped out - there are function names listed in the code which haven't been implemented by Drift - for example DLNA, P2P WiFi, etc.
  • The Ambarella chipset was also used in the GoPro Hero 2 and 3.
  • For the Web API, this doesn't tell us anything which strings doesn't, but is at least publically available from Drift Innovation: http://driftinnovation.com/wp-content/uploads/2013/07/Drift_Android-Source_Code_05-06-13.pdf - meaning that hopefully they aren't too fussy about people poking around.

Exploring Telnet

Let's assume that Linux is the OS responding to telnet, but we have no root password to log in to it. So, reading from Evil Wombat's excellent work here:

http://goprouser.freeforums.org/hero3-black-firmware-studies-physical-teardown-photos-t10016-20.html

Let's check we have the "lu_util":

Paul$ grep "lu_util" strings.txt 
lu_util

Yep! So, if my knowledge of BusyBox serves me correctly, we can create the following autoexec.ash to reset the root password. We wait 15 seconds for Linux to boot (As EW suggests):

sleep 15
lu_util exec 'chpasswd root:banana'

Now to test... no dice. Still a blocked telnet login.

Going through the strings, I can see that we have something called lu_exec. I'll try that with a shorter delay, and a different password manipulation command:

sleep 4
lu_exec 'passwd -d root'

But again, no dice. And when WiFi is enabled, it crashes the camera software. This could be because it tries to execute something as root with the password it expects - I'm not sure. Hmm. Let's just try this the hard way.

We can easily find what appears to be the passwd line for "root" on the Linux OS, using strings again:

root:imgFde3ewynik:0:0:99999:7:::

This was presumably generated by BusyBox so is in DES-format. And wasn't very secure - imgFde3ewynik == DES(123456)!

Exploring Root

Important: The following creates a WiFi network which you will have to reflash your device to disable, unless you find where the debug shell script is.

As we just found out, the root password is 123456. To get a usable root shell, do the following.

  • Enable WiFi

  • Join the network

  • Telnet to the device (192.168.42.1)

  • Username is "root"

  • Password is "123456"

  • It will then show:

    Press CTRL+C now if you want to skip hibernation
killall hostapd

  • And the camera will soft-reboot

  • The camera might now make the "EGO+" network, or the camera might keep broadcasting on the "HD HERO XXX" network.

    • In the strings results for EGO+, it appears to be a SoftAP network, but I'm not sure what the context is or how it activates. I've had both these scenarios happen.

  • This reboot will drop your connection. Keep telnet open and restore your connection to the device, either on the original "HD HERO XXX" SSID or the "EGO+" SSID. The telnet session will restore.

  • The restored session will greet you with this:

     sleep 1
 boot_done:  rval 0 !
 amba_mq_recv_message: Identifier removed
  The mqueue is removed !! 
 wlan0     Link encap:Ethernet  HWaddr BC:0F:2B:22:77:A1  
           inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
           BROADCAST MULTICAST  MTU:1500  Metric:1
           RX packets:1247 errors:0 dropped:41 overruns:0 frame:0
           TX packets:642 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:335471 (327.6 KiB)  TX bytes:61913 (60.4 KiB)
 
 Configuration file: /tmp/hostapd.conf
 Using interface wlan0 with hwaddr bc:0f:2b:22:77:a1 and ssid 'EGO+'
 boot_done:  rval 0 !
 amba_mq_recv_message: Identifier removed
  The mqueue is removed !! 
 #

  • And that's root!

  • It's clearly run a script on-login, which establishes the "debug" network or "SoftAP", possibly. Your guess is as good as mine, but it's persistent - from now on, your camera will broadcast a WiFi network when it boots, until you find a script which turns this behaviour off or reflash the camera's firmware, which luckily undoes this.

  • You can now issue commands:

     # ifconfig
 lo        Link encap:Local Loopback  
           inet addr:127.0.0.1  Mask:255.0.0.0
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:17 errors:0 dropped:0 overruns:0 frame:0
           TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:1122 (1.0 KiB)  TX bytes:1122 (1.0 KiB)
 
 wlan0     Link encap:Ethernet  HWaddr BC:0F:2B:22:77:A1  
           inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:1767 errors:0 dropped:59 overruns:0 frame:0
           TX packets:895 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:440533 (430.2 KiB)  TX bytes:99272 (96.9 KiB)

  • To disable the "service" network mode (which is silently broadcasting EGO+/HD HERO XXX without a status icon(!)), you may need to reflash your firmware or research the scripts on the device to undo the login script's work.

Some extra thoughts:

I simply got root, went "woo" and wrote this. Hence my firmware flash to disable the AP debug(?) mode. Here's some thoughts on this:

  • This "mode" seems to refer to ap_start.sh. There's also p2p_start.sh. You could try and find these.
  • I think that when you log in it runs load.sh. Not sure. Haven't checked.

The folder where those scripts sit - /usr/local/share/script/ - is referred to a lot, and contains things like enable/disable softAP scripts. It appears these are Ambarella SDK utilites as the GoPro tinkerers identified a similar set of scripts.

## Notes on the firmware image itself

Evil Wombat made a firmware splitter for Ambarella S5 SDK devices here: https://github.com/evilwombat/gopro-fw-tools

And when we split the Drift Ghost firmware, the sections we get back are:

Saving section 0 to section_0 at offset 2304 len 2048 CRC 0x8d876811
Saving section 1 to section_1 at offset 6400 len 154376 CRC 0x74559d35
Saving section 2 to section_2 at offset 162048 len 59144 CRC 0x3407bf3c
Saving section 3 to section_3 at offset 223488 len 6201348 CRC 0x22256448
Saving section 4 to section_4 at offset 6426880 len 4929988 CRC 0xa28fa865
Saving section 5 to section_5 at offset 11358464 len 10448896 CRC 0x065642b2
Saving section 6 to section_6 at offset 21809408 len 2711816 CRC 0xc9c3f82c
Saving section 7 to section_7 at offset 24523008 len 30015488 CRC 0x3d6d3ef4
Saving section 8 to section_8 at offset 54540544 len 1024 CRC 0xefb5af2e
End of file reached.

These look broadly similar to Evil Wombat's guesswork on what they do (I've updated the sizes for Drift):

Section     Size   Guess on what it is
---------   ----   -------------------
section_0   2.0K   BST bootloader - sets up DDR and friends
section_1   151K   AMBoot bootloader - loads other things
section_2    58K   HAL - a set of chip-specific APIs ??
section_3   5.9M   Main camera software - RTOS image
section_4   4.7M   Linux kernel
section_5    10M   ROMFS for main camera software
section_6   2.6M   DSP image ??
section_7    29M   rootfs for Linux (ubifs)
section_8   1.0K   Blank (for storing preferences??)

Commands

Found again in strings, this appears to be the full command list which you can issue to the camera, although some do not work through the web interface (seen below), like fd_list_files and fd_enable_dlna, etc.

Those MIGHT work through autoexec.ash in uItron rather than Linux - we won't know until we try.

fd_set_capture_mode
fd_dzoom
fd_set_video_res
fd_set_video_fov
fd_set_photo_res
fd_set_photo_self_timer
fd_set_wifi_mode_ap
fd_set_wifi_mode_station
fd_set_wifi_client
fd_set_mic_sensitivity
fd_set_time
fd_set_camera_off
fd_set_camera_name
fd_del_media_file
fd_set_photo_continue_shooting
fd_set_photo_ae
fd_set_photo_wb
fd_set_photo_contrast
fd_set_video_anti_flicker
fd_send_app_status
fd_record_2
fd_list_files
fd_enable_dlna
fd_get_latest_media_file
fd_get_latest_media_file_2
fd_set_video_resolution
fd_set_video_framerate
fd_set_video_exposure
fd_enable_video_tagging
fd_set_video_tagging_interval
fd_set_video_self_timer
fd_set_photo_resolution
fd_set_photo_exposure
fd_set_photo_fov
fd_set_timelapse_resolution
fd_set_timelapse_exposure
fd_set_timelapse_fov
fd_set_timelapse_self_timer
fd_set_timelapse_interval
fd_set_photoburst_resolution
fd_set_photoburst_exposure
fd_set_photoburst_fov
fd_set_photoburst_self_timer
fd_set_photoburst_capture_rate
fd_set_photoburst_duration
fd_set_speaker_volume
fd_enable_date_time_stamp
fd_set_lcd_brightness
fd_set_lcd_off
fd_enable_led_indicator
fd_save_setting
fd_load_setting
fd_set_camera_language
fd_enable_remote_control_led_indicator
fd_enable_dzoom
fd_set_video_format
fd_enable_remote_control
fd_enable_remote_control_pairing
fd_record
fd_restore_default_setting
fd_get_camera_battery
fd_get_camera_freespace
fd_get_camera_info
fd_reboot_camera
fd_get_camera_status
fd_get_record_status_2
fd_get_camera_status_2
fd_get_cgi_version
fd_restore_photoburst_default_setting
fd_restore_video_default_setting
fd_restore_photo_default_setting
fd_restore_timelapse_default_setting
fd_restore_wifi_default_setting
fd_restore_camera_default_setting
fd_get_video_setting
fd_get_photo_setting
fd_get_timelapse_setting
fd_get_photoburst_setting
fd_get_wifi_setting
fd_get_camera_setting
fd_get_record_status
fd_format_sd_card
fd_tagging_video
fd_taking_photo
@KonradIT
Copy link

Nice! I have a gopro hero3 black and I did a lot of autoexec.ash hacks for the camera, repo: github.com/konradit/autoexechack
A hack for writing in the LCD:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment