Hacking the WiFi Spy Tank - Part 2

Following on from my previous post, this will go deeper into the inner workings of the iSpy tank.

If you run an Nmap scan on the tank, you will find that, in addition to the ports found in the last article, it also has ports 80 and 21 open.

Port 80

There is a web interface on port 80, and when you connect it greets you with a password prompt.

After a little bit of searching on the internet, I found the username and password is "HAPPYCOW".

Inside, it appears that this tank is just a WiFi router! To get into the administration interface, click on “Settings” in the top right corner.

Port 21

The other port, 21, is an FTP interface, so let's take a look at that. Anonymous login works!

To find out how it functions as a tank on top of a WiFi router, we need to find the extra software it runs. A good place to start is the startup or "init" scripts. The one for the tank is at /etc/init.d/rcS.

# start web server
boa
iwpriv wlan0 set_mib led_type=3
ifconfig wlan0 down;ifconfig wlan0 up
uvc_stream -r `flash get1 UVC_RESOLUTION` -f  `flash get1 UVC_FRAME_RATE`  -p `flash get1 UVC_PORT` -m MJPG -l 3 -b -d /dev/video0
uart_bridge 1 192.168.1.188 `flash get1 UART_SERVER_PORT` &
#spook -c /etc/spook.conf -p 7070 &

Looking at the bottom of the file, there are two interesting programs it appears to be starting:

  • uvc_stream is an open-source mjpeg streamer, found here: leoz/mjpg-streamer.
  • uart_bridge I assume is the daemon behind port 8150 that controls the motors. The name implies that the motor control is done by a separate chip and this is just a bridge to it.
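To triage a startup script like this offline, here is an added Python example (not code from the original post) that parses the rcS excerpt above into the programs it launches, recording which run in the background, which are commented out, and which `flash get1` settings each one reads. The rule for telling a commented-out command from a plain comment is an assumption of the example, not something the script itself encodes.

```python
import re
import shlex

# The rcS excerpt quoted in the post, embedded here so the example runs offline.
RCS_EXCERPT = """\
# start web server
boa
iwpriv wlan0 set_mib led_type=3
ifconfig wlan0 down;ifconfig wlan0 up
uvc_stream -r `flash get1 UVC_RESOLUTION` -f  `flash get1 UVC_FRAME_RATE`  -p `flash get1 UVC_PORT` -m MJPG -l 3 -b -d /dev/video0
uart_bridge 1 192.168.1.188 `flash get1 UART_SERVER_PORT` &
#spook -c /etc/spook.conf -p 7070 &
"""

# `flash get1 NAME` reads a setting from the router's flash config; capture NAME.
FLASH_RE = re.compile(r"`flash get1 (\w+)`")

def looks_like_command(text):
    """Heuristic (assumption): commented text is a disabled command if it has a flag, path or '&'."""
    return text.endswith("&") or any(t.startswith(("-", "/")) for t in text.split())

def parse_rcs(text):
    """One dict per command: name, args, flash settings read, background, disabled."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        disabled = line.startswith("#")
        body = line.lstrip("#").strip()
        if disabled and not looks_like_command(body):
            continue  # plain comment such as "# start web server"
        for cmd in body.split(";"):  # one line may chain commands with ';'
            cmd = cmd.strip()
            if not cmd:
                continue
            # Swap the backtick substitutions for placeholders so shlex can tokenise.
            tokens = shlex.split(FLASH_RE.sub(r"<\1>", cmd.rstrip("&")))
            entries.append({"name": tokens[0], "args": tokens[1:],
                            "flash_vars": FLASH_RE.findall(cmd),
                            "background": cmd.endswith("&"), "disabled": disabled})
    return entries

def enabled_daemons(text):
    """Names of the programs rcS actually starts, in order (commented-out ones excluded)."""
    return [e["name"] for e in parse_rcs(text) if not e["disabled"]]

for e in parse_rcs(RCS_EXCERPT):
    state = "DISABLED" if e["disabled"] else ("bg" if e["background"] else "fg")
    print(f"{state:8} {e['name']:12} reads={e['flash_vars']}")
```

Feed it the full rcS pulled over FTP instead of the excerpt and the same pass lists every daemon the tank brings up at boot, which is the checklist for deciding what each exposed port belongs to.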

Opening the covers

Inside the tank, it appears to be made up of two boards: one is the WiFi router (the smaller one on top), and the other, larger one takes care of power and controlling the motors.

The markings of the WiFi chip say mine has a RTL8196EU chip.

Reset to factory default

If you mess up the settings, and need to reset it (which happens to all of us, right?) here’s how to do it!

WARNING: This involves touching a LIVE circuit. If done incorrectly you could fry the whole thing, short the battery and/or electrocute yourself! Don't do this unless you know what you are doing and understand the risks!

IMPORTANT: This WILL void your warranty for sure!

Unfortunately the "Reset" button on the bottom of the tank does not reset the thing to factory defaults. To do that you will need to open up the tank, and find the reset pin on the smaller WiFi board.

To help locate the pin, there is a German blog post that documents the pinout of the WiFi board: http://meinpb.blogspot.com.au/2013/08/wlc-240-wifi.html

To reset the board back to factory defaults, pull pin 7 down for 15 seconds (short pin 7 and 9 with something conductive), then release. The pins are numbered the same as the table in the post, when looking down on the board from above.

When it comes back online, it will have a new SSID along the lines of HAPPYCOW_00:13:35.

Joining your home WiFi network

To find out how to get the tank to join your own WiFi network, see part 3!