
Control I SPY TANK via computer

I got my hands on one of these toys.




After playing with it a little from the phone, I decided to add control from a computer.





Reverse engineering



Armed with a laptop with WiFi, I connected to the tank. It turned out to have the IP 10.10.1.1. First I tried HTTP from a browser at 10.10.1.1:80: a web server was running on the tank, but it was password-protected, which was a little disappointing. Then I tried FTP: it was also up and access was open, but read-only. Another disappointment.

The next step was a port scan. Of the open ports, two (8150 and 8196) looked the most suspicious.

I checked them in the browser. Port 8150 did not answer, but port 8196 served an MJPG stream.



The harder part was working out the control commands.

To do this I wrote a simple little program that listens on port 8150, gave the laptop the IP 10.10.1.1 and switched its WiFi into access-point mode. Connecting to it from the phone, I tried to start the tank control app. As expected, it connected to the port I was listening on, but immediately crashed: it could not connect to the video transmission port. After I added an imitation of the video stream to my program, the app started. Analysing the data received from the control app showed that there are not many commands.

All commands consist of two bytes.

The first byte is responsible for selecting the device to which the command is addressed:



The second byte is the direction of travel:



By combining these commands you can easily control the tank; for example, to drive forward you send 4 bytes: 0x31 0x31 0x32 0x31.

If no other command is sent, the execution of a command ends automatically after about 1 s.
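As an added example (not code from the original post), here is the listener approach from the reverse-engineering step in Python: a mock "tank" that accepts connections on the control port and logs every two-byte command the app sends, plus an encoder and decoder for the protocol and a minimal client to exercise it. The port numbers, the two-bytes-per-command rule and the 0x31 0x31 0x32 0x31 "forward" sequence are taken from the post; the function names, the mock server and the loopback demo are assumptions made here. The decoder keeps any trailing odd byte, because TCP is a byte stream and a packet can end in the middle of a command. The video port is not emulated.

```python
"""Added example: decoder and mock listener for the tank's two-byte command protocol.

Not code from the original post. Port numbers, the "forward" sequence and the
two-bytes-per-command rule come from the write-up; everything else (function
names, the mock server, the sample payloads) is constructed here.
"""
import socket
import socketserver
import threading

CMD_PORT = 8150    # control port found by the port scan
VIDEO_PORT = 8196  # MJPG stream port (not emulated in this example)

# The four bytes the post gives for "drive forward": two commands of two bytes each.
FORWARD = b"\x31\x31\x32\x31"


def decode_commands(payload: bytes):
    """Split a raw TCP payload into (device, direction) byte pairs.

    Commands are exactly two bytes, but a TCP read may end mid-command, so any
    trailing odd byte is returned separately to be prepended to the next chunk.
    """
    even = len(payload) & ~1
    pairs = [(payload[i], payload[i + 1]) for i in range(0, even, 2)]
    return pairs, payload[even:]


def encode_commands(pairs):
    """Inverse of decode_commands: (device, direction) pairs -> wire bytes."""
    return b"".join(bytes((device, direction)) for device, direction in pairs)


def describe(device, direction):
    """Log line for one command; only the raw byte values are shown, since the
    meaning of each value is whatever the post's tables assign to it."""
    return f"device=0x{device:02x} direction=0x{direction:02x}"


class CommandHandler(socketserver.BaseRequestHandler):
    """Plays the tank: records every decoded command the app sends."""

    def handle(self):
        pending = b""
        while True:
            chunk = self.request.recv(1024)
            if not chunk:  # the app closed the connection
                break
            pairs, pending = decode_commands(pending + chunk)
            for device, direction in pairs:
                self.server.received.append((device, direction))
                print(f"{self.client_address[0]}: {describe(device, direction)}")
        self.server.session_closed.set()


class MockTank(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, address=("0.0.0.0", CMD_PORT)):
        super().__init__(address, CommandHandler)
        self.received = []                      # (device, direction) pairs seen
        self.session_closed = threading.Event() # set when a client disconnects


def start_mock_tank(address=("0.0.0.0", CMD_PORT)):
    """Start the listener in a background thread and return the server object;
    server.server_address holds the bound port (useful when port 0 is given)."""
    server = MockTank(address)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_commands(address, pairs):
    """Minimal client: connect to the control port, send the pairs, disconnect.
    Returns the number of bytes written."""
    payload = encode_commands(pairs)
    with socket.create_connection(address) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    # Stand-alone demo on loopback: the "app" sends the forward sequence.
    tank = start_mock_tank(("127.0.0.1", 0))   # port 0 = any free port
    send_commands(tank.server_address, decode_commands(FORWARD)[0])
    tank.session_closed.wait(5)
    print("recorded:", [describe(d, r) for d, r in tank.received])
    tank.shutdown()
```

To capture the real app, run start_mock_tank() with the default address on a machine configured as the post describes (IP 10.10.1.1, WiFi in access-point mode) and read the printed device/direction pairs; the app will still need something answering on port 8196 before it stays running.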


Connection



I did not want to connect directly to the tank all the time, so I decided to use a TP-LINK MR3020 router that had been lying around for a long time.

After flashing OpenWrt onto it, I configured it as a wireless client of the tank's access point. Then I set up port forwarding of 8150 and 8196 from the local interface to the WiFi side and connected it to the home router. Now the tank could be reached from the local network.
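As an added example (not from the original post), this is what the two port forwards look like in OpenWrt's /etc/config/firewall. It assumes the tank-facing wireless client interface is in the 'wan' zone and the home-router side in the 'lan' zone; the tank address 10.10.1.1 and the ports are from the post. Since the control protocol carries no authentication (any host that can reach port 8150 can send the two-byte commands), it is worth pinning the forward to the one controlling machine with src_ip; the address in that line is a placeholder.

```conf
# /etc/config/firewall (OpenWrt): forward the tank's control and video ports
# from the home LAN to the tank reached over the wireless client interface.
# Zone names 'lan'/'wan' are assumptions; 10.10.1.1 and the ports are from the post.

config redirect
	option name 'tank-control'
	option proto 'tcp'
	option src 'lan'
	option src_dport '8150'
	# option src_ip '<controller-ip>'   # placeholder: restrict to the one PC allowed to drive
	option dest 'wan'
	option dest_ip '10.10.1.1'
	option dest_port '8150'
	option target 'DNAT'

config redirect
	option name 'tank-video'
	option proto 'tcp'
	option src 'lan'
	option src_dport '8196'
	option dest 'wan'
	option dest_ip '10.10.1.1'
	option dest_port '8196'
	option target 'DNAT'
```

After editing, apply the change with /etc/init.d/firewall restart; the tank is then reachable from the home network at the router's LAN address on ports 8150 and 8196.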



Control



Below is simple C# code that drives the tank.

    using System.Net;
    using System.Net.Sockets;
    using System.Threading;

    // TCP connection to the control port 8150 (address as used in the original post)
    Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
    socket.Connect(IPAddress.Parse("192.168.10.15"), 8150);

    // Each Send() carries three two-byte commands (device, direction).
    // The bytes are ASCII digits: 49 = '1', 50 = '2', 51 = '3', 48 = '0'.
    socket.Send(new byte[] { 49, 49, 50, 49, 51, 48 }); // 0x31 0x31 0x32 0x31 = forward (see above), then 0x33 0x30
    Thread.Sleep(1000);                                  // a command expires after about 1 s
    socket.Send(new byte[] { 49, 50, 50, 50, 51, 48 }); // "122230"
    Thread.Sleep(1000);
    socket.Send(new byte[] { 49, 50, 50, 49, 51, 48 }); // "122130"
    Thread.Sleep(1000);
    socket.Send(new byte[] { 49, 49, 50, 50, 51, 48 }); // "112230"
    Thread.Sleep(1000);
    socket.Send(new byte[] { 49, 48, 50, 48, 51, 49 }); // "102031"
    Thread.Sleep(1000);
    socket.Send(new byte[] { 49, 48, 50, 48, 51, 48 }); // "102030"
    socket.Disconnect(false); // Socket.Disconnect(bool reuseSocket); there is no parameterless overload




I hope someone finds this useful.

Source: https://habr.com/ru/post/178003/


