Hacking a Motorola Automatic License Plate Reader - Firmware Extraction and Password Cracking
Вставка
- Опубліковано 14 січ 2025
- EFF ALPR article:
www.eff.org/de...
RPI Compute Breakout Board: amzn.to/3PcUd9l
Usbboot repo:
github.com/ras...
PCI Passthrough rabbit hole:
wiki.archlinux...
Hashcat Examples Page:
hashcat.net/wi...
Need IoT pentesting or reverse engineering services?
Please consider Brown Fine Security:
brownfinesecur...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
Raspberry PI Pico: amzn.to/3XVMS3K
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4h4G7DD
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
Soli Deo Gloria
💻 Social:
website: brownfinesecur...
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nma...
#hacking #iot #cybersecurity
you sir, need to do a stint as some electronics repair channel assistant and learn to solder with confidence.
BGA is still a terrible process even if you're the best solder soldier in the universe. And off-board connections to a complicated eMMC chip would be a nightmare anyway, nothing like an 8-pin flash.
Most people: Matt why do you desolder the chip so often instead of using XYZ method?
Others: Why don't you desolder the chip? Skill issue?
@@mattbrwn whatever you do, there always be someone on the Internet telling you’re doing it wrong 😂
@@mattbrwn i never tried to reball a chip. i had enough problems with tiny wires and needles
I'm fine with all the soldering stuff... Know what threw me? It's embarrassing as hell.
The hdmi port on an xbox, I couldn't do it... I wrecked the board.
I'm reballing fine, pretty sure I could solder a gnats dick to a unicorn eyelash... Xbox hdmi? Nope, no can do.
Maybe I was just having a bad day, I'm gonna just go with that.
I've run these ALPR cameras on my repo trucks since the early 2010 to 2012 and this is very interesting to watch cause I'm now in Cyber Security. Can't wait to see what data is being phoned home without consent from the users
I happen to know firsthand ....
@marcusmccarty1786 and…..?
id be looking for something that says
"pointer vehicle"
Let me guess, selling data to 3rd parties, i.e. government entities.
None
That ip address is not Internet, it's a local multicast service.
Almost certainly used for automatic setup of the isolated in car network for this system.
I love it when "unexpected rpi in the wild"
The trouble is, the foundation has a goal to sell cheap computers for education. Which is a noble goal, but they make limited money. You have the likes of Mororola buying these up and no doubt charging the U.S government 10x the price, and making all the profit. Because of this the Foundation will get bought and all their good work will come to naught when the buyer doubles the price over-night.
@@wmouleSurely RPi Foundation's relationship with Broadcom will protect them.
IF Motorola want the SoC that RPi use, they can just buy them. The Foundation sells boards, not just chips, and Motorola can make thief own boards.
Me too. Makes me feel validated for using them in my projects. However, I must agree with what the user before me stated. Definitely not a good sign to see how useful they are for commercial items that cost a ton of money.
well done on their part for coming up with such a secure password LOL. Didn't even bother changing the default user or building their own OS image. Kinda neat to see, didn't expect that. Thanks Matt, i'm looking forward to the firmware reversing!!
surprised, but not shocked.
@@wiggipedia the old software developer in me isn't shocked. Could very well be a case of "Here's the prototype of how it all works, we need to lock it down before sale."
Manager: "Great."
also Manager later: "It's done ship it."
These devices run on an isolated LAN.
The "phone home" op address is local milticast, it does not route to WAN.
The way these cameras work is there is an ALPR server in the police car. I think you are going to find that there is no ALRP magic happening in the camera because the in car server is huge and has big fans on it so I think that is where it recognizes the plates. I would think the camera just sends a processed image to the server. In all the cases I seen, the server has ports for each camera and the server connects to the in car laptop via another network interface. Since the laptop is not routing traffic, the ALPR system has no direct connection to the internet. There is vigilan software on the laptop that talks to the in car server and then the software talks to the police network over a VPN to get the hot lists, show alerts, etc. The server also has a GPS module and send every plate it reads and the location back to the police network where officers can later look up a plate and find out where you have been. Fun side note, there are ALPR cameras at fixed locations like intersections, highways, traffic light, etc that are also feed into the same database. Since the cameras have no access to the internet, I think the ping to the public internet must be for manufacturing or troubleshooting purposes. Where I work, the police cars have no access to the internet except an allow list for sites like PD email, body camera websites etc. All police data is accessed via a VPN.
But the police network is completely offline?
This is correct. What is in this video is a ip camera. A small component of a much much larger system. This devise simply converts a license plate number to text and sends it off. The radio network is used to send that data and is fully encrypted. The ip camera is part of the vehicles lan. All wired and air gapped.
@@mediocreman2 I would imagine it varies by agency but where I work the laptops are only allowed to access a small number of websites. Rather than a blocked website list there is a list of allowed websites and everything else is blocked. The ALPR network is offline meaning the entire ALPR network and cameras can not directly access the internet. Diagram: Internet (Filtered) >> Laptop
@@anthonyvharris The ALPR in car server does the heavy lifting and the laptop is what recieves the license plate numbers. The cameras do nothing more that take the video feed and send it to the in car server. The data communication is handled via a VPN connection back the state/county network. Most police agencies use CradlePoint router to connect to the cellular network. The data is sent over the cellular network encrypted and not over the police radio network, the two are not connected in any way (in my case).
@aquatrax123 you aren't far off in your thinking. I'm only a couple min into this video and he's already stated some things that he has no idea of how that work (which in fairness, he did mention/hint that).
There is a specific way this stuff is to be setup and many installers/integrators don't do it correctly.
One of your videos got recommended to me a couple of days ago and I instantly became a new subscriber, love your content man!
it happen to me too
Someday you will tell this story to ur grandkiz
Paused at 4:39... I thought 239.x.x.x was in the private multicast range, so it should not be routable via public internet? Unless there is a VPN/tunnel set up on this device what hits a remote private network and that makes 239.x 'local' again. At this point I would assume it's looking for locally-installed optional device like a base station, and stop trying to chase down that address from a data leakage perspective. Resuming the video...
You’re correct. This is a multicast address.
Spot on
looking at the system...this is true..there is a base station
Its to communicate with the ALPR server that is installed in the car. The whole system is not connected to the public internet. It's connected to the laptop in the car in another interface. The laptop does not route traffic. All communication is handled by the app installed on the laptop.
Yep, also can confirm.
Ended up watching this series in reverse. Awesome stuff. I've subscribed. We need guys like you doing this kind of work. Much respect.
So that's why the raspberry pi was dealing with a chip shortage.... Another Scooby Doo mystery solved
Raspberry pie do not really have a shortage quite simply they have always operated at maximum factory capacity. It’s just resellers buying insane quantities that means you can’t buy one.
@UKsystems Yep, I've always found the term 'shortage' odd to use, when it's fairly steady production but more an artificial buy-out. But in stocking terms I guess that is 'shorting' so it tracks otherwise, just doesn't intuitively feel right as there are 2 unique and distinct scenarios. But also I'm sure the RPi foundation is dealing with both at the same time in many cases.
Artificial shortages = excuse to raise price = more profit for those on the money side.
@@Subgunmanbut raspberry pi's have more or less had the same price throughout the shortage the only ones benefiting are the scalpers. I had no problem even during the shortage as where i live it isn't that popular.
@ well there will never sorted his from the manufacturer. I wanted them couldn’t get some so they were able to do a one off sale to me or 500 perfectly happy it’s the retailers in the United States who have to wait. To order the stock because he has to be shipped from the United Kingdom and it’s creates a delays because they are doing it on purpose.
I kind of wish you had started making this videos 20 years ago when I was a kid lol... This is gold.
Obligatory Spaceballs meme about luggage combination must be put here )
"That's amazing! I've got the same combination on my luggage!" -Pres Skroob
Some years ago I saw a TV program interviewing people who had jobs driving around with license plate scanners. The purpose was to find cars for which owners had stopped paying and were therefore up for repossession. The drivers just tried to find likely locations such as malls, apartment complexes, trailer parks, etc. The data was then used by the higher-ups to search for target plate numbers.
Love your channel, Matt. It’s so informative while also entertaining. I’d be interested in a video where you talk about your hacking “rig”. You know, video cards installed, CPU, software you use, whatever window manager you are using, that sort of thing. I know you’ve discussed the contents of your bag, but I don’t think I’ve ever seen you go into detail on your home setup besides bits of info you drop in random videos.
I’ve worked with a competing brand of ALPR. The cameras are all connected to the in-car server using a non-routable private network. The server using multicast packets to find the cameras. You then use the in-car computer to interface with and program the server. The in-car computer runs a dedicated software that interfaces with a remote database, either local to the agency using a VPN or to a publicly accessible server. The in-car computer downloads known wanted plates while all unknown plates are then queried against the server which usually has the ability to query State driver registry. All plates scanned are logged by the in-car server. As each plate is scanned and queried, the image of the plate, vehicle make/model and owner information is displayed on the in-car software. If the plate is a known wanted plate, the software throws an alarm and an alert instructing the officer to pull over the vehicle.
Ok but these /\/\otorola ALPR units are also installed on poles on the side of the road... those are probably on some kind of larger WAN no?
It also logs the location the plate was scanned. For more data analysis, Law Enforcement can map the sightings of plates in areas. This is extremely useful for metadata if a plate was observed/recorded in or near a crime that needs investigation in to what vehicles were in the area. This gives law enforcement an idea where that vehicle frequents "lives".
FLOCK has taken this a ran with it. HUGE cases are being completed with much, much more ease with the advancement of the software side with ALRP.
@@thesneakyapguy7172 sorry I don't think losing my civil liberties is worth making a DA's life easier... seriously the amount of spying we are under 24/7 I think would have made the KGB go "that's a bit much"
@@FLECOMwhy did you type “Motorola” like that?
This can all be fixed with license plate covers whether tinted or not. Buy a clear one and scuff the side facing the plate with 400 grit sandpaper and big brother can't read a damn thing.
Love love love this content! ALPRs have given me the ick since they hit the scene. Frigging Lowe’s in my town has no less than 8 Flock Cameras watching inbound and outbound of their shared parking lot. These mobile, vehicle mounted ALPRs are even more insidious because they can’t be easily avoided. I also love the way these “public safety” companies name stuff too: “Reaper”, Talon”, “Asp”, Python, “Viper” Protect and serve my a**. Also love them using a Raspberry Pi and the default user and such a simple password. Protecting people’s privacy is a joke to these companies. We are all just walking piggy banks.
Excellent work ! and fun to watch you - even as Senior Electrical Engineer in the Automotive Market. Your vast knowledge on Linux/Raspi thrills me. May I ask what's your age and education ?
Admin pswd: That's amazing, I have the same combination on my luggage.
So cool you passthrough a GPU between Game and cracking rig. Kudos, youngster!
Matt, another well thought out stream! As with the other posts, very interesting to see the PI configuration used in this device.
One question, are you planning to have any live streams in 2025? The interaction last time was a lot of fun.
Have a happy New Year celebration 🎉
never clicked so fast in my life
Yeah you have, that time you were watching porn hub and your mum walked in 😅😅
Give it time
A back door key is available for many governments for foreign suppliers.
All the units are still active after a car crash etc if they powerd
Interesting bit of spam chaff in this thread; presumably the GPT model they're using thinks this video is about vehicular electronics.
But anyway, both posts reported.
Matt, really appreciate all these uploads these last few weeks. Christmas break just got real fun.
Wow 🎉 Eagerly waiting for the next instalment. So good!
Great start! I can’t wait for the entire series!
Two things that made me smile. Firstly, the use of the Raspberry Pi Module in a commercial product - got to hand it to them, their kit really is getting everywhere. Secondly, yet another example of very poor secuity standards on something you would think would be very secure from the get go. Matt is definately earning his money - well done.
I hate these systems so much. They’re such an invasion of privacy. Any other information I can get on them possible counter measures. I’ll always jump on.
The cameras are directly connected to a headless pc that lives in the trunk, another windows device provides the driver the data in an application over the LAN. My experience running lPRS was in a parking enforcement role, not LE but its essentially the same UI. These are also used by companies looking for vehicle recovery for un paid loans, and repo folks to pick the caars up.
I used to work for a car dealer, and they would contract with local tow yards to run a non descript fleet of normal passenger cars with these systems on them and would just have employees drive around to get it to ping on someons plates that belong to a car that was in repo. It not just police cars that have these.
It must have been in a black neighborhood 🧐
@@Mike_Greentea no they drove all around the city we sold a lot of cars it didn't have anything to do with race. you get rich people not paying for their shit sometimes too.
@@apIthletIcc lol
Never seen raspberry pi used in commercial industrial professional use products like these one I guess I learned something new.
I found I love low level hardware. I now watch all Matt's videos in hopes I learn something. I usually do.
Around 22:00 was a serious ROFL moment. It's running SAMBA! Shortcuts abound in this product design.
Why roll your own half assed file server when there's perfectly good standard (half assed) file server protocols with wide support already available? There's no need to reinvent the wheel.
Shame that all the shortcuts are restrained to an isolated LAN.
Had no idea there are a flood of these on the secondary market....another rabbit hole!
I watched it during my break time. Enjoyed the whole process
Very cool! Looking forward to watching you reverse the binary. Your videos inspired me to pop open an iot light switch i wasn’t using and extract the firmware from the onboard esp8266, but i’m definitely struggling to understand anything in ghidra haha. Anyway cool videos and looking forward to the next.
I'm happy i found your channel. I watched a bunch of your videos and learn a lot of your approach to hacking devices. You make it look so easy, now I want to try it for myself 😆
I love the single take, you explain a lot of details and all in all it is genuine, good content.
Keep it up!
The big problem is that he is uploaded and retained by third-party vendors. And you never know what these third parties are doing with the information.
7:09. Wow i never expected to see a Rpi compute module or any *pi to be used in such a product! Tinkerer hardware inside a serious product. I have seen pi's used for digital signs or kiosks but never in such Products
They aren’t a hardware. The computer models are designed and approved for various industrial processes and they are reliable quite simply the compute modules are their best seller to commercial customers as they are way more models than you would ever realise why design your own circuit board this part when there’s already a working design, don’t reinvent the wheel.
I work in health care and there's a company that installed some little dosimeter relays. I cracked one open and it's literally a raspberry Pi inside with a fancy case. Of course, the price is insanely high. If you ever wonder why healthcare is so expensive, this is just one of the reasons.
@@mediocreman2the hardware itself is only the smallest part of what you're paying for. It's all the R&D, calibration, validation and regulatory work that's required to give you certainty that it's giving you correct readings you're going to base life-critical decisions on. Good service isn't cheap, we're just stymied by a layer of greed on top of all of that.
@@mediocreman2 it’s the liability issue in healthcare. The manufacture has to cover their butts with a multimillion dollar bond against any issues that might arise out of misuse or equipment failure both now and in the future should they go out of business. Most of the elevated costs were caused by greedy attournies who were successful in twisting a case into their clients favor before a court of law. They are almost certain to land one third, or more, of the settlement.
@@mediocreman2 by using a SOM (system on module) like a Pi compute module the engineers are saving time (and thus cost) by not having to layout a much more complicated PCB connecting the processor to the memory, storage, ethernet phy, etc. While a fully integrated board would be cheaper at a high volume unless you reach that point using a seeming more expensive component (like a Pi) is overall less expensive
On the cameras and IR LEDs I believe they are always active to read plates (as license plates are IR reflective apart from the digits) which makes recognition easier.
I would guess there is an IR camera and a full RGB camera so one can be used for identification and the other for displaying it in context.
5:55 - the IR Blasters are for the cameras, day or night. They make the plate readily visible with respect to the printed characters on the plate for character recognition by the cameras and software.
The server itself is a CAD Computer in the car, its a whole setup that plugs into the CAD MDT Laptop the officer is looking at while sitting in the car, Vigilant uploads the plate to the officer and to the CAD Dispatch, then CAD reports back and if said vehicle has issues or the individual registered has warrants - presto, and alert is given.
Do the plate readers have ir filters?
While it won't stop a cop from targeting you, it will stop the plate readers from their job and could make things interesting with the fuzz.(literally and figuratively)
Exactly the angle Im interested in... ;)
Most jurisdictions have laws, statutes, or ordinances prohibiting anything that interferes with visibility. Ex: Minnesota statute 169, section 79.7, quoting relevant part:
The person driving the motor vehicle shall keep the plate legible and unobstructed and free from grease, dust, or other blurring material so that the lettering is plainly visible at all times. It is unlawful to cover any assigned letters and numbers or the name of the state of origin of a license plate with any material whatever, including any clear or colorless material that affects the plate's visibility or reflectivity.
I'm painfully aware of this because when I was young, I drove a rather conspicuous vehicle. A couple of local cops got a kick out of harassing me, and would try to cite me whenever there was snow or the smallest amount of dust/dirt on my license plates, among other nuisances. This was prior to cell phones having cameras, so I took to carrying a small digital camera with me wherever I went. Every time I stopped for gas, I'd take a picture of the freshly-cleaned license plate (alongside the daily newspaper, thus proving the date) so I had a record of regularly cleaning it. The next time a cop did this, I calmly took the ticket and set a court date. When I showed the photos to the judge, the reply was the most beautiful tirade from the bench directed at the officer: "How many times have you issued this man unnecessary tickets to force him to keep a photo album of his license plate? THIS IS NOT LAW ENFORCEMENT, IT'S HARASSMENT. YOU SHOULD BE ASHAMED." The cop didn't reply, perhaps assuming the question was rhetorical. I did my best to keep my composure while saying, "Pardon me, but this is the fifth time, your honor." Not only did the judge dismiss the ticket and waive the court fee, she had the bailiff remove the cop from the courtroom - meaning all remaining tickets he had written that were in court that day would be a default judgement in favor of the other party! Prosecutor tried to reschedule them but the judge refused. Totally worth it.
@@petergamache5368 But that does seem to be talking about visibility to the eye, and about things visibly covering the plate, not an IR light source that is invisible to the naked eye somewhere on the back of the car.
Maybe your bumper cover is loose and you need to use a black rubber bungee cord to make it sturdy. Or maybe your trunk lid needs a rope to make sure it stays down.
loving these vids Matt - keep it up!
Just leaving a comment so that I get recommended more of your videos. I really thought this was cool and somewhat random which is exactly my kind of thing.
It is jaw dropping that so many software engineers still fail to lock down their devices with so many stories about vulnerabilities in hardware 😞
So... how can I remote into it and make it error out when it reads my plate? Asking for a friend.
So I used to install devices like this, and I am a network administrator. These were never directly attached to the internet, they are normally attached to in "in car" network that is only reachable by the laptop or the device that gathers the camera information directly from the device. Then the central box or laptop, on a separate interface connects to the database servers. So do with that what you will.
*Why do you hate your fellow man so much?*
are you able to simply view the rtsp stream and run it into a poe NVR and not use their proprietary software? just view it like a poe security camera
Can you do a video on how you analyze Wireshark packets from an external device?
In other videos Matt already essentially did this tutorial in process of examining a device, I think one of the more recent IPCam ones.
You could do full MITM where you essentially run NAT on a device with two NICs and then watch everything passing through with tcpdump (to a file, opened later with wireshark) or wireshark directly (I would probably use a custom OpenWRT therefore tcpdump to a pcap-file and then copy that over and open it on a computer with a GUI). But if you have dual NICs on a computer with a GUI and feel like setting up a whole NAT ecosystem that works too.
Or use a hub where all ports are shared (as opposed to a switch) or a manged switch with a port configured to monitor/mirror the target device port, and then sniff everything in a more bystander position.
The first option is better since you can then easily do actual MITM attacks on HTTPS connections, if any, and see what's inside those. Which was also demonstrated in the same video once you find it.
Thanks for the vid! Quick question: what are you using to split your terminal like that?
i3wm. Those are two separate terminals
Police endangering national security for profit. How cute.
On a "made in PRC" device. Just when you thought you've seen everything
US government moment
If you ask me, I still believe these devices should be banned along with traffic license plate readers. In my humble opinion this violates are Constitutional right to freedom of movement and further more, though not stated in the US Constitution we as Americans should also have the right to remain Anonymous while exercising freedom of movement. I do understand that these systems help with catching car thieves and alike but it just doesn't sit well with me. People complain about China's surveillance, I'd argue we've matched it or perhaps surpassed it. Fruit for thought.
@@Voice_0f_Liberty I agree. Most people around the world are unable to maintain any level of privacy. We are far, far closer to a surveillance state than the dreaded USSR was.
@@Griff_Is_Real Valid point. Couldn't of said it better myself. Glad someone else shares my optimistic outlook lol.
I used to use, install and service these for a repo company. These are plugged into a MCU. so the ports are not exposed outside of the MCU.
Theoretically yes, in practice no. All installs of these cameras DO NOT have a comms box some literally just have a vigilant branded Poe switch and the software on the in car laptop is configured to communicate with cameras directly via their ip address. Even when there is a comms box in the kit there’s a config app that’s installed along with the software on the in car laptop that lets you control every aspect of the cameras with ZERO need for passwords encoded into the camera firmware.
@@JMattox615 are you able to simply view the stream like a poe security camera
It would be interesting to put a GPL request to the manufacturer for the build scripts and code for the camera. It is built on Linux so it would be interesting to see what they came back with.
I think it's time to put camera blocking leds in our plate lights now.
I've been interested in getting one of these 'police' LPR cameras to tinker with, and what you've found reinforces my choice to have ALL of my cameras on an isolated VLAN with ZERO internet access... my (Dauha) cameras bang away at various DNS servers that I didn't provision to them constantly... And if they made contact, who knows what they'd try to send out...
Seeing a PI in a LPR is like finding a fresh bag of raspberries in a LPR.
What would you have used instead?
Hey Matt, great content. I went ahead and picked up a VSR-20-915 and mapped the pins of the M12-XCode plug for PoE. Running wireshark on a directly wired Ethernet port I noticed that there is no ARP activity and apparently no DHCP Req coming from that particular unit. Have you looked at these units at all? I’m interested in seeing if the same/similar results are possible with these units
Do you have any tips for accessing UART if there are no pins (just flat spots for VCC, GND, TX and RX) and I don't want to solder? I was able to hold the tips of the wires on the ground and TX, start the device and see the bootloader process, but holding those cables in place is clearly not optimal. Any tips would be greatly appreciated! Thanks and keep up the awesome work!
Theres a device that holds a device in place with probes that are "fixable" in position. Its calldd a spider or somrthing i cannot remember. But all of the probes arms are articulating and stay in place. Ive never used one but ive had a few projects it would have come in handy on.
status=progress is a good one to use in dd friend great video so far this is interesting
I’ve never put 2 and 2 together until seeing this video but now it makes sense why Motorola acquired Avigilon.
Looks like some folks pointing out that this is only ever plugged in to a trusted network, but I think another fun application of this knowledge is to set up a DIY license plate scanner in your car using cheap units off ebay.
Well done. Let's see if you can hack the "number plate recognition system" to "randomize" one or two characters before that data is sent out to the database!
A good way to entangle the Law enforcement agency in a swatting situation. Not cool. Especially how some officers come off as if being "god" in some circumstances. Imagine if that tags your kids car, who is totally innocent, and they are falsely accused of a crime or worse……
@@Subgunman It would be considered an attack on the network if you were to inject random bad data into the database. Somewhat like a ddos attack. Don't do that.
@@BrickTamlandOfficial not me, but the original commentor aryanzijlstra6649 made the comment about randomizing just two characters in the output files of the plates. I only offered a warning as to what can happen to innocent individuals. Having worked with several department about 20 years ago I happened to be privy to an email that came in from DHS. Very disturbing.
I wonder how the police would react if one coated a plate with IR blocking coating.
The plate would be clearly visible to human eyes, but they'd have to admit to using this device if they harass you over it.
Hey Matt, I watched twice to see if I could see for myself, and I failed. Did you notice a pressure sensor inside the camera enclosure? I just got 2 and I'm wondering if I can monitor the pressure if I pressurize them with the schrader valve.
Holy Crap! This now begs the question of what law enforcement is actually paying for these plate readers? I bet it is a shockingly high price!
New here, Love the content! Liked and sub'd. Question for you or chat, did you mean port 445 here not 554 for samba or mount a share (2:58)?
Yeah I did. Might have mixed that up when saying it
@@mattbrwn Thanks for clarifying. Keep up the good content. Im traversing through your catalog now. Great stuff for me to learn and follow along too.
Very Interesting. One thing i don’t understand is you talk about not needing to desolder the flash chip off the device and then read all the partitions off the PI board. Are the os partitions duplicated or is the flash chip simple used for other stuff.
Can you hack a Flock LPR camera as well?
Many police departments have a constant connection of the readers feeding them to the dispatch center and they are GPS identified so their location is stored
great job! enjoy watching you work (aka play...)
next one will be "Hacking a Department Server PC - Firmware Extraction and Password Cracking"
I have an interest in this tech, but what Matt is doing is a bit over my head. What I want to know is: if I had one of these cameras, could I connect it to a laptop and have the camera send the images it captures to the laptop and some software on the laptop compare the images to a list of plates manually loaded in? Basically a simple, stand-alone ALPR system.
No. This is more or less just a fast IP camera. A police cruiser will have 4 of these on the 4 corners of the vehicle. They will all be networked to another computer that does the character recognition - i.e. plate reading. The magic going on in the camera itself is just making sure it is grabbing clear images from the camera sensors. The camera has to be fast in order to catch clear images of moving plates and the Pi is making sure that happens. You can use a raspberry pi and some linux packages like openALPR to read plates. But without having a hot list or DMV records of who the plates belong to, it isn’t all that useful. You could easily compare to your own hot list though with a little python script.
@@slipspectrum9253 Ok, thank you for explaining this. I can get hot lists no problem, I'd just like to work out how to build a system that would recognize plates as I am driving and sound an alert on a screen and show me the plate match.
What I am interested in is to see how the two cameras can read letters, digits and characters from any distant, any angle, daytime or nigh, and recognize them, interpret them into ASCII characters, send them to a central server to be processed and get back the result in real time. Is there a live person at the other end who looks at the license plate data and sends in the result manually or the whole thing is done autonomously .
After seeing the Pass, Spaceballs come to mind.
*And if at all possible, try and save the car*
Please make a video about the vm setup you have.
I like a lot of your videos, but damn, this is awesome!!!!!
appreciate your time and work on all these items.
Do you think you could upload the files of the product? i would love to run this locally.
If you don't have a polarized microscope light yet I highly recommend getting one. You can control how much glare there is.
Hi Matt,
Thank you for the hardworking hacking videos - these are awesome!
Some thoughts on the device - Given the context that the device is used in - i.e. Law enforcement - it'll be A) Locked in anpolice car and B) Running over a VPN with numerous network security arrangements. No way is this device touching the internet bare-back 😆
I have something kind of like that but it's for cameras you mount to a pole. If you want to check it out let me know I have two of them I'd be willing to let you see one
i just went down a rabbit hole watching this.
Seems strange that they would use an off the shelf rasp Pi unit in a device that links to government databases and other fun things. I suppose it keeps dev costs down and means the police departments can be screwed out of more money for a less safe product.
In my opinion, there is nothing wrong with this. The user base is larger, more people report bugs. We all eat with the same spoons but different food :) Similarly, here almost everything depends on how the code is implemented and what settings. And of course the price, probably the price affects 99% )))
Police reporting bugs on a product, you must be newto earth @@Misimpa,
@@Misimpasuch braindead comment
@ can you read? Maybe you not from Earth. Commercial board widespread on the market, many users and bug reports most of them are free :)
Why would you design your own SBC when the RPi is a known good platform that fits your needs exactly? In a perfect world this thing is airgapped and configured in a way that makes it just as safe as a custom solution.
Why do you use a VM for password cracking? Why not on the host system?
Because of how the passthough works.
He has at least 2 graphics cards / devices, one of which is used solely by the host and the other which has had it's driver blacklisted on the host but not on any of the VM's. Since the host won't load a blacklisted driver the card is effectively a 'free' device and can be exclusively taken over by the hypervisor / a running VM without having to go through the host OS.
I did this with one of our spare Watchguard Motorola 4RE DVRs that I removed from a decommissioned fleet car. Lots of cool stuff to find.
What window manager/desktop environment do you use?
So far, the part of the video that I found most disturbing was that the device (presumably installed in MANY police vehicles) is constantly phoning-home to the company that made the device. This could be revealing the location of the vehicles (if the scanner has access to GPS). It might allow the company (or someone who has hacked into the company) to inject any license plate into the ALERT-LIST (or to HIDE any license plate that they don't want Law Enforcement to be able to detect.) YIKES
its a multicast address, not a public v4 address.
@@sneaky909I wouldn't be surprised to learn that the manufacturer has back door access. In fact I'd be shocked to learn IF they didnt
The camera itself phones home to the comms box and/or the in car laptop. The comms box and/or in car laptop DOES phone home to drn, Motorola/Vigilant solutions, and and additional databases the agency has configured.
That's amazing, I've got the same combination on my luggage!
*Next time I'm gonna walk*
Whats weird too is that they used Arduino to program a M0 Arm Cortex chip in there, if its not in there, it used to be. The .ino.bin (seen at the 25:05) file is a compiled Arduino binary usually used for OTA updates.
cant wait for the next chapter of this.
Thank was nice, definite sub; thanks man!
Did you leave a link to where you got the board from? & price
Whoever changed the pi user's password to 12345 has officially unlocked max level fearless mode. Respect bro! LMAO
Love your work. My guess is you are dyslexia (as am I) and you use the vi command sequence 'xp' quite often. I find dyslexia to be of great value in learning IT concepts.
I worked for a repo company, the cameras just report all plate Metadata, another application or service processes the data and puts out a ping for last known location. So when a bank wants the car back the repo guy can check for any pings, in the network. Network because it's pay per seat and data is shared across users.
from what Ive been told these are pretty sneaky devices. capable of reading multiple plates at a time, the make model/color of the vehicle, and running it thru the BMV checking the registered owner of the plate for wants/warrants. It can also pull up public court records of said person for previous crimes. Flagging anything they have marked as "suspicious" PC to stop.
Best series yet!
Interested to see if you can get a video feed out of this one.
*Motorola Solutions has joined the chat
Good stuff man!🍻
12345! That's amazing. I have the same combination on my luggage!
1-2-3-4-5? Amazing! That's the combination on my luggage.
Is there a way to broadcast a scramble code to the readers?
Amazing job, as usual!
Ip 239.83,83.83 is a multicast address….. which in most cases is not publicly routeable