Hacking the WiFi Spy Tank

Here at Kogan, we sell a Remote Control Spy Tank, aka “WiFi Spy Tank”, “I-Spy Tank”, “EYE SPY” or “Instant Spy Tank”.

It's a fun little remote control car that is meant to be driven from your iPhone, iPad or Android device after joining the tank's own WiFi network. That wasn't enough for me: I wanted to be able to drive it around my house while I was not home.

The first step is to reverse engineer how the app talks to the tank, and that is what this post is about.

Disclaimer: Hacking (or in this case, Telnetting) into the WiFi Spy Tank may void your warranty.

Wireshark

To discover how the iPad app works, I used Wireshark to see all the communications between the iPad and the Tank.

Unfortunately, I couldn't get my laptop's built-in WiFi adaptor into monitor or promiscuous mode, so I used a TP-LINK WN722N instead.

[Screenshot: Wireshark capture of the traffic between the iPad and the tank]
Video

From the screenshot, you can see what appears to be an MJPEG HTTP stream on port 8196. To test this, open the MJPEG stream in VLC (Media > Open Network Stream) using the URL http://10.10.1.1:9876/, and you should be able to see the camera!

Motors

The motor control is trickier, as it is not a standard protocol. Looking at the remaining packets, there is also a small amount of traffic on port 8150, which is probably how the app controls the motors.

The data is a stream of small packets (2 to 4 bytes each). The first packet is 't1' in ASCII, followed by 'KK' and '1020'. From this we can assume that 't1' is the hello, 'KK' is a no-op, and '1020' is both motors off.

Driving the tank around a bit yields these codes:

Stop    = 1020
Forward = 1121
Back    = 1222

From here you can see the basics of the protocol: a command is a sequence of two-digit pairs, each of the form "{motor_number}{direction}", so '1121' is motor 1 forward followed by motor 2 forward.

Left motor = 1
Right motor = 2
Camera tilt = 3

Forward = 1
Back = 2
Stop = 0

To test this out, you can use the telnet command:

$ telnet 10.10.1.1 8150

Send the command “t1” and press Enter, then tell it to drive forward with “1121” and press Enter. It should move forward!

$ telnet 10.10.1.1 8150
Trying 10.10.1.1...
Connected to 10.10.1.1.
Escape character is '^]'.
t1
1121
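To show the protocol end to end, here is an added Python example (not code from the post and not from the TankRemote repository). It encodes the motor/direction pairs described above, sends them the way the app does (raw bytes, no line ending, matching the 2 to 4 byte packets in the capture), and includes a constructed fake tank on localhost that records what it receives so the exchange can be run without the hardware. The 10.10.1.1:8150 default is the tank's real address from the post; the tilt method is an assumption that the camera tilt motor (3) takes the same pair format, which the post lists but does not demonstrate.

```python
import socket
import threading

# Values taken from the captured protocol described in the post.
TANK_HOST = "10.10.1.1"
CONTROL_PORT = 8150
HELLO = b"t1"       # first packet the app sends
KEEPALIVE = b"KK"   # no-op

MOTORS = {"left": 1, "right": 2, "tilt": 3}
DIRECTIONS = {"stop": 0, "forward": 1, "back": 2}
MOTOR_NAMES = {v: k for k, v in MOTORS.items()}
DIRECTION_NAMES = {v: k for k, v in DIRECTIONS.items()}


def encode_pair(motor, direction):
    """One '{motor_number}{direction}' pair, e.g. ('left', 'forward') -> b'11'."""
    return f"{MOTORS[motor]}{DIRECTIONS[direction]}".encode("ascii")


def drive_command(left, right):
    """Both track motors in one packet: ('forward', 'forward') -> b'1121',
    ('back', 'back') -> b'1222', ('stop', 'stop') -> b'1020'."""
    return encode_pair("left", left) + encode_pair("right", right)


def parse_stream(data):
    """Decode raw bytes from the control channel into tokens.

    Everything seen in the capture is two bytes wide (t1, KK and each motor
    pair), so a 4-byte drive packet is just two pairs back to back and the
    stream can be tokenised without knowing the original packet boundaries.
    """
    if len(data) % 2:
        raise ValueError(f"odd-length stream: {data!r}")
    tokens = []
    for i in range(0, len(data), 2):
        tok = data[i:i + 2]
        if tok == HELLO:
            tokens.append("hello")
        elif tok == KEEPALIVE:
            tokens.append("keepalive")
        else:
            motor, direction = int(chr(tok[0])), int(chr(tok[1]))
            tokens.append((MOTOR_NAMES[motor], DIRECTION_NAMES[direction]))
    return tokens


class TankControl:
    """Client for the motor channel. Packets are sent raw with no line ending,
    as in the capture; the telnet test in the post shows the tank also accepts
    a trailing CRLF."""

    def __init__(self, host=TANK_HOST, port=CONTROL_PORT, timeout=2.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.sock.sendall(HELLO)

    def drive(self, left, right):
        self.sock.sendall(drive_command(left, right))

    def stop(self):
        self.drive("stop", "stop")

    def keepalive(self):
        self.sock.sendall(KEEPALIVE)

    def tilt(self, direction):
        # Assumption: the camera tilt motor (3) takes the same pair format;
        # the post does not say which of 1/2 is up or down.
        self.sock.sendall(encode_pair("tilt", direction))

    def close(self):
        self.sock.close()


def run_demo():
    """Drive a constructed fake tank on localhost and return the bytes it received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # stand-in for 10.10.1.1:8150
    srv.listen(1)
    srv.settimeout(5)
    received = bytearray()

    def fake_tank():
        conn, _ = srv.accept()
        conn.settimeout(5)
        with conn:
            while chunk := conn.recv(64):  # until the client closes
                received.extend(chunk)

    listener = threading.Thread(target=fake_tank)
    listener.start()
    tank = TankControl("127.0.0.1", srv.getsockname()[1])
    tank.drive("forward", "forward")   # 1121
    tank.keepalive()                   # KK
    tank.stop()                        # 1020
    tank.close()
    listener.join()
    srv.close()
    return bytes(received)


if __name__ == "__main__":
    stream = run_demo()
    print(stream)                # b't11121KK1020'
    for token in parse_stream(stream):
        print(token)
```

Because every element on the wire is two bytes, parse_stream does not care how TCP splits or merges the sends; the fake tank simply accumulates the stream and the decoder recovers hello, the two forward pairs, the no-op and the stop pairs.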

Python app

To put all this together, I wrote a Python GTK application to control the tank. The code is available here: https://github.com/mic159/TankRemote