Notices by kajer (kajer@infosec.exchange), page 2

@cR0w @ryanc I might still have that challenge in an archive somewhere... I should check.

https://ctftime.org/task/1189

@cR0w @ryanc we also used finger IIRC

Stop using 1.1.1.1
Stop using 8.8.8.8
Stop using 4.2.2.1

quad9 is less evil

also, fun fact. the eSIM in the Flock cellular module is not electronic sim, but "e"mbedded sim... meaning it's a standard SIM card.

SCRCPY WORKS!!!!

🤔

I haven't tried to use SCRCPY

It wasn't listed as a "feature" in adb, but the logcat output indicates there is a "display" and "sleep" modes when pressing one of the buttons on the board.

Now I can't wait to go home and try it.

Stupid day jobs...

fuck ALPR tech

Positive thoughts?

These are so unlocked and so open, if these fucking devices ever made ewaste piles, the dev boards are so easy to harvest and repurpose as an unlocked android 8.1 dev board. Serial port is marked by G T R on the silk screen, and power seems wide input 12v tolerant.

The case of the cam has no intrusion detection.

There is no epoxy or potting or conformal coatring. I'm not sure there is even conformal coating. THe outer housing is sealed with a nice thicc gasket. Even the T20 security torx have o-rings. This is funny because the battery says not to charge in a sealed container.

I have yet to explore the back case button behavior, since I am stealing 3.3v for the serial TTL from that header. Now that I have adb bridge access via USB, i can remove the serial link and connect that button to see what logcat says.

The last bit for me to explore is to see if the 7 pin plug has any useful data on the bottom 3 pins.

Now I get to re-learn android hax0ring all over again, yay!

Can not set time in shell w/o root permissions.

okay, I missed the fact that the Android OS is convinced that the date is 1970

this may pose a problem

I have a feeling that the camera is halting the boot process due to the missing sim card and the modem not initializing.

I have yet to fully figure out the custom app ecosystem that makes up these cameras.

I will be testing that SIM in a different cellular modem soon enough, but I am starting to think the cam I got off of ebay is not quite right.

Watching the local logcat, there are a lot of permission errors and device errors. The QTI logging service on the SCRCPY console seems to never connect to the local logging services.

I got a bitbold and hit one of factort reset buttons in another homebrew flock app, and that did reset the device a f ew time with filesystem stuff in the console logs. Yes all the system apps remained in place, so no flock APKs were harmed... Although. I'm not sure if this camera had enough to work fully in the first place.

I can never get the camera to boot to it's ADB bridge consistently and rarely can I actually get the camera's local wifi hotspot to enable.

Also, the back button seems to enable hotspot mode, but, no network level ADB connections. :(

I am pretty sure I am going to attempt to enable the remote control ports on 8888 / 9999 to see if those render any results before going down the root filesystem path.

But, for anyone looking for an interesting tid bit...

Triple-press the button on the back of the flock. You will enable wifi tethering. PSK is security

Tested the "e"SIM in other cellular modems I have. Nada. This particular camera's sim card seems to have been disabled.

Any of my Android hacker friends with a nice CLI based priv escalation (for Android 8.1) would do well to DM me please.

@rickoooooo

ha ha

yeeeeeeessssssssssssssss

@rickoooooo Sadly, the above blog post (:thread:) doesn't quite get me as far as I was hoping for when it comes to root on the Flock camera.

The "steps" posted in the blog are from memory at best. I think enough has been left out to make reproduction impossible.

I am going to keep drilling. I have the boot images extracted, and magisk 23 claimed it was able to patch, but a reboot caused a kernel panic

So... I'm going to attempt a few other magisk versions. v29(latest) also fails to patch or produce a new-boot.img

:(

There is an onboard app on the flock camera that offers to start a listener on port 8888/9999 and I have yet to explore that.

It's probably the last thing I do before going scorched earth and dumping the boot images via EDL

@rickoooooo linked this blog to me last night and I am going to attempt rooting the camera.

https://gainsec.com/2025/06/19/grounded-flight-device-2-root-shell-on-flock-safetys-falcon-sparrow-automated-license-plate-reader/

What I really want to see is where the image processing extracts the license plate text and try to pull some bobby tables actions. I have seen SQL references in how the local metadata processes are logging, so I think this could be an interesting defense.

Camera body has 8 deeply inset T-20 security torx.

Miserable piece of shit is getting opened soon.

Chips, unique ids cropped