doc:appunti:hardware:insta360_one_rs_wifi_reverse_engineering
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionLast revisionBoth sides next revision | ||
doc:appunti:hardware:insta360_one_rs_wifi_reverse_engineering [2023/07/04 14:41] – [Capturing the WiFi traffic] niccolo | doc:appunti:hardware:insta360_one_rs_wifi_reverse_engineering [2023/09/08 10:45] – [Insta360: WiFi protocol reverse engineering] niccolo | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Insta360: WiFi protocol reverse engineering ====== | ====== Insta360: WiFi protocol reverse engineering ====== | ||
- | I purchased an **Insta360 ONE RS** action camera in June 2023, I'm rather satisfied by its performances, | + | I purchased an **[[insta360_one_rs|Insta360 ONE RS]]** action camera in June 2023, I'm rather satisfied by its performances, |
**What I need is a simple remote control** for my action camera, not another invasive and useless social network. Beside that, the app doesn' | **What I need is a simple remote control** for my action camera, not another invasive and useless social network. Beside that, the app doesn' | ||
Line 19: | Line 19: | ||
So I installed the Insta360 app into a **rooted** Android smartphone. On the same phone I'm running the **Termux** app where I installed the **tcpdump** package. So I discovered that the app talks to the Insta360 camera through the port **6666/ | So I installed the Insta360 app into a **rooted** Android smartphone. On the same phone I'm running the **Termux** app where I installed the **tcpdump** package. So I discovered that the app talks to the Insta360 camera through the port **6666/ | ||
- | ===== Running tcpdump | + | ===== Running tcpdump |
- | Download from **[[http:// | + | If your Android device is not rooted, you can still capture the WiFi traffic between the Android app and the Insta360 camera by just executing **tpcudmp** directly on the GNU/Linux operating system of the camera. You have to download and install the required binaries, which are fortunately provided by the **[[http:// |
+ | |||
+ | Download from **[[http:// | ||
* libc_2.27-11_aarch64-3.10.ipk | * libc_2.27-11_aarch64-3.10.ipk | ||
+ | * libgcc_8.4.0-11_aarch64-3.10.ipk | ||
* libpcap_1.10.4-1_aarch64-3.10.ipk | * libpcap_1.10.4-1_aarch64-3.10.ipk | ||
* librt_2.27-11_aarch64-3.10.ipk | * librt_2.27-11_aarch64-3.10.ipk | ||
Line 31: | Line 34: | ||
Create a directory into the SD card **/ | Create a directory into the SD card **/ | ||
+ | |||
+ | Suppose that the Android device running the Insta360 app has IP address 192.168.42.2, | ||
<code bash> | <code bash> | ||
#!/bin/sh | #!/bin/sh | ||
test -f / | test -f / | ||
- | / | + | / |
</ | </ | ||
+ | |||
+ | |||
+ | ===== Packets anatomy ===== | ||
+ | |||
+ | ==== Sent Packets ==== | ||
+ | |||
+ | === Sync Packet === | ||
+ | |||
+ | ^ Offset | ||
+ | | 0 | Packet Length | ||
+ | | 4 | 0x06 0x00 0x00 | 3 | Message Type: Sync Packet. | ||
+ | | 7 | syNceNdinS | ||
+ | |||
+ | === Keep Alive Packet === | ||
+ | |||
+ | ^ Offset | ||
+ | | 0 | Packet Length | ||
+ | | 4 | 0x05 0x00 0x00 | 3 | Message Type: Keep Alive. | ||
+ | |||
+ | === Phone Commands === | ||
+ | |||
+ | ^ Offset | ||
+ | | 0 | Packet Length | ||
+ | | 4 | 0x04 0x00 0x00 | ||
+ | | 7 | Message Code | ||
+ | | 9 | 0x02 | 1 | | ||
+ | | 10 | Sequence Number | ||
+ | | 13 | 0x80 0x00 0x00 | ||
+ | | 16 | Protobuf Message | ||
+ | |||
+ | |||
+ | ==== Received Packets ==== | ||
+ | |||
+ | === Notifications or Response to Phone Commands === | ||
+ | |||
+ | ^ Offset | ||
+ | | 0 | Packet Length | ||
+ | | 4 | 0x04 0x00 0x00 | 3 | Response Type: Phone Command. | ||
+ | | 7 | Response Code | ||
+ | | 9 | 0x02 | 1 | | ||
+ | | 10 | Sequence Number | ||
+ | | 13 | 0x80 | 1 | | ||
+ | | 14 | Unknown | ||
+ | | 16 | Protobuf Message | ||
Line 51: | Line 100: | ||
</ | </ | ||
- | Then **extract some protobuf binary messages from the tcpdump output**; in the following example we try to decode a binary message received from the camera by the Android app. It seems that each message is prefixed by a 12 bytes header (more on that later), so in the Python code strip that header away and keep only the message body before calling the '' | + | Then **extract some protobuf binary messages from the tcpdump output**; in the following example we try to decode a binary message received from the camera by the Android app. Each message is prefixed by a 12 bytes header (see packets anatomy, above), so in the Python code strip that header away and keep only the message body before calling the '' |
<code python> | <code python> | ||
Line 114: | Line 163: | ||
===== Getting the .proto definitions ===== | ===== Getting the .proto definitions ===== | ||
- | :!: **WARNING**: | + | :!: **WARNING**: |
To understand the messages structure of the messages exchanged betwwen the software and the camera **it is necessary to have the .proto files** that define the syntax, but how can you do it without having access to the non-free source codes of Insta360? | To understand the messages structure of the messages exchanged betwwen the software and the camera **it is necessary to have the .proto files** that define the syntax, but how can you do it without having access to the non-free source codes of Insta360? | ||
Line 183: | Line 232: | ||
===== Getting the .proto files from the Android APK ===== | ===== Getting the .proto files from the Android APK ===== | ||
+ | |||
+ | Download the .proto file extractor tool from **[[https:// | ||
<code bash> | <code bash> | ||
Line 219: | Line 270: | ||
echo " | echo " | ||
</ | </ | ||
+ | |||
+ | ===== The Insta360 Python remote program ===== | ||
+ | |||
+ | On the **[[https:// | ||
+ | |||
+ | |||
+ | ===== Unsolved Problems ===== | ||
+ | |||
+ | It seems **impossibile to change some settings via the WiFi API**; e.g. I was not able to change: | ||
+ | |||
+ | * Sharpness | ||
+ | * Prompt Sound | ||
+ | * Indicator Light (LEDs) | ||
+ | |||
+ | When some settings are changed via the WiFi API, **the preview on the camera screen does not reflect that change**; nor in the live stream, nor into the on-screen-display labels. E.g. white balance, capture resolution, fielf of view. Fortunately if you start the video capture, the settings are effective. | ||
+ | |||
+ | |||
+ | ===== White Balance Settings ===== | ||
+ | |||
+ | It is possible to change the white balance setting by changing the value of **white_balance** choosing from some enumerated presets or directly by changing the temperature value of **white_balance_value**. There seems to be some inconsistency between the labels assigned to the presets in the .proto files and the actual temperature values. I think that the best choice is to assign the white_balance_value, | ||
+ | |||
+ | ^ white_balance_value | ||
+ | | AUTO | 0 | WB_AUTO | ||
+ | | 2000 | 6 | | | ||
+ | | 2200 | 7 | | | ||
+ | | 2400 | 8 | | | ||
+ | | 2600 | 9 | | | ||
+ | | 2800 | 1 | WB_2700K | ||
+ | | 3000 | 10 | | | ||
+ | | 3200 | 11 | | | ||
+ | | 3400 | 12 | | | ||
+ | | 3600 | 13 | | | ||
+ | | 3800 | 14 | | | ||
+ | | 4000 | 2 | WB_4000K | ||
+ | | 4500 | 15 | | | ||
+ | | 5000 | 5 | WB_7500K | ||
+ | | 5500 | 16 | | | ||
+ | | 6000 | 17 | | | ||
+ | | 6500 | 3 | WB_5000K | ||
+ | | 7000 | 18 | | | ||
+ | | 7500 | 4 | WB_6500K | ||
+ | | 8000 | 19 | | | ||
+ | | 8500 | 20 | | | ||
+ | | 9000 | 21 | | | ||
+ | | 9500 | 22 | | | ||
+ | | 10000 | 23 | | | ||
+ | |||
===== Web References ===== | ===== Web References ===== |
doc/appunti/hardware/insta360_one_rs_wifi_reverse_engineering.txt · Last modified: 2023/09/08 10:46 by niccolo