GNU social JP
    kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:22 JST kajer kajer

    MicroUSB?!


    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/702/093/663/153/939/original/36f25a9ef593012c.jpg
      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:18 JST kajer kajer
      in reply to

      [ 0.000000] **********************************************************
      [ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
      [ 0.000000] ** **
      [ 0.000000] ** trace_printk() being used. Allocating extra memory. **
      [ 0.000000] ** **
      [ 0.000000] ** This means that this is a DEBUG kernel and it is **
      [ 0.000000] ** unsafe for produciton use. **
      [ 0.000000] ** **
      [ 0.000000] ** If you see this message and you are not debugging **
      [ 0.000000] ** the kernel, report this immediately to your vendor! **
      [ 0.000000] ** **
      [ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
      [ 0.000000] **********************************************************

      scriptjunkie repeated this.
      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:18 JST kajer kajer
      in reply to

      So, flock cameras are android 8.1 dev kits with debug kernels, unlocked bootloader, and full shell access ... In prod.

      the mini usb port can do OTG to an extent or be an adb port depending on the dip switch. When it's in ADB mode, it's a crapshoot on the USB device id, and usb_modeswitch doesn't do anything.

      Using adb, one can push/pull at will. Granted it's not a root shell, and su isn't installed, but holding buttons on power up can get you fastboot.

      It's android 8.1, and plenty of su zip files can be applied.

      The buttons... Power and volume down. Just enough to be useful in fastboot.

      I plan on dumping the flock specific APK files and attempting a decompiling. Maybe hard coded API keys :blobupsidedown:

      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:19 JST kajer kajer
      in reply to

      1|msm8953_32:/ $ cat /etc/passwd
      #

      THIS IS AN AUTOGENERATED FILE! DO NOT MODIFY!

      #

      Defined in file: "device/qcom/common/config.fs"

      qti_diag::2901:2901::/:/system/bin/sh
      rfs::2903:2903::/:/system/bin/sh
      rfs_shared::2904:2904::/:/system/bin/sh

      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:19 JST kajer kajer
      in reply to

      /system is full of $vendor branded APK files

      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:19 JST kajer kajer
      in reply to

      1|msm8953_32:/sys $ getprop ro.build.version.release

      8.1.0

      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:20 JST kajer kajer
      in reply to

      Two more closeup


      Attachments


      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/702/185/419/646/194/original/05f517146db440d7.jpg

      2. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/702/185/580/859/894/original/174f999a84005658.jpg
      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:20 JST kajer kajer
      in reply to

      Oooo

      Flip a dip switch, plug USB

      05c6:901d Qualcomm, Inc. Android


      Attachments


      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/702/221/962/913/198/original/ea3cebbcbc781ac5.jpg
      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:20 JST kajer kajer
      in reply to

      [2854059.422692] usb 1-1.1: New USB device found, idVendor=05c6, idProduct=f000, bcdDevice= 3.18
      [2854059.422708] usb 1-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
      [2854059.422715] usb 1-1.1: Product: Android
      [2854059.422721] usb 1-1.1: Manufacturer: Android
      [2854059.422726] usb 1-1.1: SerialNumber: [redacted]
      [2854059.427519] usb-storage 1-1.1:1.0: USB Mass Storage device detected
      [2854059.428200] scsi host4: usb-storage 1-1.1:1.0

      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:20 JST kajer kajer
      in reply to

      ooo

      Android Bootloader - UART_DM Initialized!!!
      [0] welcome to lk

      [10] platform_init()
      [10] target_init()
      [80] SDHC Running in HS400ES mode
      [90] WARNING: All phase passed.The selected phase may not be optimal
      [100] Done initialization of the card

      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:21 JST kajer kajer
      in reply to

      Nothing of note under the lantronix daughter board


      Attachments


      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/702/133/903/027/661/original/1c4f560f23936a53.jpg
      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:21 JST kajer kajer
      in reply to

      The back housing contains a momentary push button with led ring
      One internal cellular antenna
      One sma type antenna for the other cellular connection
      The weird 7 pin power data connection with only 6 pins connected


      Attachments


      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/702/156/422/219/385/original/34dfffa1fb2e150e.jpg
      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:21 JST kajer kajer
      in reply to

      Front housing contains camera via ribbon cable and IR led ring, as well as God and both wifi antennas


      Attachments


      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/702/177/686/017/136/original/13ca3679cc484be3.jpg
      kajer (kajer@infosec.exchange)'s status on Friday, 11-Jul-2025 12:50:22 JST kajer kajer
      in reply to

      Chips, unique ids cropped


      Attachments


      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/702/124/771/940/203/original/06f9b87b7c6d9a67.jpg

      2. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/702/124/820/035/890/original/b865b7db933f191c.jpg

      3. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/702/124/875/624/975/original/624ccbc1a5544746.jpg
      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:42 JST kajer kajer
      in reply to
      • Rick O

      There is an onboard app on the flock camera that offers to start a listener on port 8888/9999 and I have yet to explore that.

      It's probably the last thing I do before going scorched earth and dumping the boot images via EDL

      @rickoooooo linked this blog to me last night and I am going to attempt rooting the camera.

      https://gainsec.com/2025/06/19/grounded-flight-device-2-root-shell-on-flock-safetys-falcon-sparrow-automated-license-plate-reader/

      What I really want to see is where the image processing extracts the license plate text and try to pull some bobby tables actions. I have seen SQL references in how the local metadata processes are logging, so I think this could be an interesting defense.

      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:42 JST kajer kajer
      in reply to
      • Rick O

      @rickoooooo Sadly, the above blog post (:thread:) doesn't quite get me as far as I was hoping for when it comes to root on the Flock camera.

      The "steps" posted in the blog are from memory at best. I think enough has been left out to make reproduction impossible.

      I am going to keep drilling. I have the boot images extracted, and magisk 23 claimed it was able to patch, but a reboot caused a kernel panic

      So... I'm going to attempt a few other magisk versions. v29(latest) also fails to patch or produce a new-boot.img

      :(

      Ryan Castellucci :nonbinary_flag: repeated this.
      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:42 JST kajer kajer
      in reply to
      • Rick O

      @rickoooooo

      ha ha

      yeeeeeeessssssssssssssss

      msm8953_32:/ # whoami
      root
      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:43 JST kajer kajer
      in reply to

      Any of my Android hacker friends with a nice CLI based priv escalation (for Android 8.1) would do well to DM me please.

      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:43 JST kajer kajer
      in reply to

      Tested the "e"SIM in other cellular modems I have. Nada. This particular camera's sim card seems to have been disabled.

      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:43 JST kajer kajer
      in reply to

      I am pretty sure I am going to attempt to enable the remote control ports on 8888 / 9999 to see if those render any results before going down the root filesystem path.

      But, for anyone looking for an interesting tidbit...

      Triple-press the button on the back of the flock. You will enable wifi tethering. PSK is security

      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:44 JST kajer kajer
      in reply to

      I will be testing that SIM in a different cellular modem soon enough, but I am starting to think the cam I got off of ebay is not quite right.

      Watching the local logcat, there are a lot of permission errors and device errors. The QTI logging service on the SCRCPY console seems to never connect to the local logging services.

      I got a bit bold and hit one of the factory reset buttons in another homebrew flock app, and that did reset the device a few times with filesystem stuff in the console logs. Yes all the system apps remained in place, so no flock APKs were harmed... Although, I'm not sure if this camera had enough to work fully in the first place.

      I can never get the camera to boot to its ADB bridge consistently and rarely can I actually get the camera's local wifi hotspot to enable.

      Also, the back button seems to enable hotspot mode, but, no network level ADB connections. :(

      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:44 JST kajer kajer
      in reply to

      I have a feeling that the camera is halting the boot process due to the missing sim card and the modem not initializing.

      I have yet to fully figure out the custom app ecosystem that makes up these cameras.

      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:44 JST kajer kajer
      in reply to

      okay, I missed the fact that the Android OS is convinced that the date is 1970

      this may pose a problem

      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:44 JST kajer kajer
      in reply to

      Cannot set time in shell w/o root permissions.

      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:45 JST kajer kajer
      in reply to

      fuck ALPR tech

      Positive thoughts?

      These are so unlocked and so open, if these fucking devices ever made ewaste piles, the dev boards are so easy to harvest and repurpose as an unlocked android 8.1 dev board. Serial port is marked by G T R on the silk screen, and power seems wide input 12v tolerant.

      The case of the cam has no intrusion detection.

      There is no epoxy or potting or conformal coating. I'm not sure there is even conformal coating. The outer housing is sealed with a nice thicc gasket. Even the T20 security torx have o-rings. This is funny because the battery says not to charge in a sealed container.

      I have yet to explore the back case button behavior, since I am stealing 3.3v for the serial TTL from that header. Now that I have adb bridge access via USB, I can remove the serial link and connect that button to see what logcat says.

      The last bit for me to explore is to see if the 7 pin plug has any useful data on the bottom 3 pins.

      Now I get to re-learn android hax0ring all over again, yay!

      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:45 JST kajer kajer
      in reply to

      🤔

      I haven't tried to use SCRCPY

      It wasn't listed as a "feature" in adb, but the logcat output indicates there is a "display" and "sleep" modes when pressing one of the buttons on the board.

      Now I can't wait to go home and try it.

      Stupid day jobs...

      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:45 JST kajer kajer
      in reply to

      SCRCPY WORKS!!!!


      Attachments


      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/707/984/449/957/837/original/f9a9deb06c666d1a.png
      kajer (kajer@infosec.exchange)'s status on Monday, 14-Jul-2025 15:18:45 JST kajer kajer
      in reply to

      also, fun fact. the eSIM in the Flock cellular module is not electronic sim, but "e"mbedded sim... meaning it's a standard SIM card.


      Attachments


      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/739/532/414/674/890/original/b8e1b8ca5d30658c.jpg
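
Added example, not part of the thread and not vendor code: a release-gate check a device builder could run over a captured boot log and `getprop` dump to catch the conditions reported above (debug kernel banner, unlocked bootloader, old Android release) before units ship. The property names other than `ro.build.version.release` are standard AOSP properties that do not appear in the thread, and the version floor and sample values are assumptions.

```python
import re

# The kernel prints this banner when trace_printk() is compiled in (quoted in the thread).
DEBUG_KERNEL_MARK = "trace_printk() being used"
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")
# property -> (value expected on a locked-down production build, why it matters)
EXPECTED = {
    "ro.build.type": ("user", "eng/userdebug builds ship debugging aids"),
    "ro.debuggable": ("0", "debuggable builds permit adb root and app debugging"),
    "ro.secure": ("1", "ro.secure=0 leaves adbd running as root"),
    "ro.boot.flash.locked": ("1", "unlocked bootloader accepts unsigned images"),
    "ro.boot.verifiedbootstate": ("green", "boot chain is not verified"),
}
MIN_RELEASE = (10,)  # assumed policy floor; set it to your own support baseline

# Constructed sample: the banner line and 8.1.0 come from the thread, the rest is made up.
SAMPLE_DMESG = "[ 0.000000] ** trace_printk() being used. Allocating extra memory. **\n"
SAMPLE_PROPS = """\
[ro.build.version.release]: [8.1.0]
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [1]
[ro.boot.flash.locked]: [0]
"""


def parse_getprop(text):
    """Parse `getprop` lines of the form `[key]: [value]` into a dict."""
    matches = (PROP_RE.match(line.strip()) for line in text.splitlines())
    return {m["key"]: m["val"] for m in matches if m}


def audit(dmesg_text, getprop_text):
    """Return a sorted list of (check, detail) findings for one device dump."""
    findings = []
    if DEBUG_KERNEL_MARK in dmesg_text:
        findings.append(("kernel.debug", "trace_printk banner present in boot log"))
    props = parse_getprop(getprop_text)
    for key, (want, why) in EXPECTED.items():
        got = props.get(key)
        if got is None:
            findings.append((key, "property missing, cannot verify"))
        elif got != want:
            findings.append((key, f"{got!r} != {want!r}: {why}"))
    release = props.get("ro.build.version.release", "")
    version = tuple(int(p) for p in release.split(".") if p.isdigit())
    if not version or version < MIN_RELEASE:
        findings.append(("ro.build.version.release", f"{release or 'unknown'} below policy floor"))
    return sorted(findings)
```

A non-empty result from `audit()` should fail the release job; a missing property is reported rather than treated as a pass.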

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.