I have recently pick up a BlackVue dash cam. Overall I am extremely happy with the device, it does just as it should do and faithfully records the view from my windshield day and night, driving or parked.

The quality of the video is great and it has some great Wi-Fi features that allow me to show off my videos while sitting in the lounge room rather then having to eject the SD card and lug around my laptop.

So I downloaded the app and check out all the options and this got me thinking about its ease of use and what may be going on behind the scenes. What really got me thinking is when I then attempted to connect to the BlackVue Wi-Fi network from my laptop and was able to connect without issue. This is coupled with a nice map in the android client that what appeared to show the locations of other cloud enabled BlackVue cameras in a easy to read map. With this in mind I decided to peer a little deeper.

To perform these actions I fired up packet capture software on my Android phone and ran through each of the actions in the app, I then replicated these from my PC to see the results. So lets see what I found

Firstly when you connect to the device I was given an IP on 10.99.77.x/255 range. If my I was given 10.99.77.8 with a gateway of 10.99.77.1. It appears that only one device can be on the network at a time as if I tried to place both my phone and the android client onto the network at the same time, the second device doesn’t allow me to. (I didn’t try statically setting the IP to see if it would authenticate and the issue was a DHCP issue)

When I scan the 10.99.11.7 I find two open ports, 80 – HTTP and 53 – DNS. First up lets try the HTTP. When I browse to the address it simply returns the word BlackVue. After watching the client I found the following out however

Initial Command – Version Info.

This makes sense, the first thing you want to do is ensure that you can talk to the device, that the device is who you expect it to be and if a firmware update is required. So we send the command

This returns a text file with a .bin extension. When viewing the file the contents are

All seems fairly straight forward, I would guess that the version info may update on change maybe, would need to check it again after a change.

Video List Command

Next command (This is where it gets fun) is the command to list the videos on the device.

returns

Great, I have cut out a lot of the videos as it records in about 2 minute loops. but you can see from the file list above that it shows the

  • Date (20160903) – 3rd Sept 2016
  • Time (_175245) – 5:24pm
  • Type of recording (_NF) – Normal (PF for Parking)

I am not sure what the s:1000000 is for, maybe timezone? or the n on at the beginning. (Maybe this means next video?)

Get Video Command

To download the video or view it you just present the host with the video name

This returns the video, pretty straight forward.

Config Command

The last command I found was the Config Command

This returns the configuration as a text file onscreen

There is a bit more to it then that, but you get the idea and some are passwords of some format, so best not to paste those up on the web.

To put the configuration file back again it is a POST form with the config.ini file as the attachment to /upload.cgi

Thoughts

All of the communication between the client and BlackVue is in HTTP. I understand this is the easiest way to do the communication as there is no way to verify a SSL certificate while connected to the device (No internet access), HTTP is easy to use for communication and the network is fairly isolated in terms of having a passphrase to reduce the likely hood of prying eyes from seeing the details.

However, every device will come out with a similar SSID and passphrase from the factory. The app does ask you to change it but I bet that most people don’t.

With a handy map like this

Screenshot_2016-09-05-06-24-28

to help you track down devices this might be a issue if you could get close enough to one and the defaults are the same as the factory settings you could gain access to their videos on the device.

I am assuming that the devices above are cloud enabled and may not like to connect to local Wi-Fi networks at the same time given the issues I had trying to get two devices connected at the same time, however I was able to set a Cloud Wi-Fi network and connect to the device without issue. If you went for a walk through the local shopping center you may be able to track down a few by looking for the SSID that aren’t cloud enabled.

I will dig into it all a little more at a later time, but that gives a good overview of the device and its communication methods, GoPro, you’re next!