Accessing the contents of Goluk T-series dashcams

Introduction

The Goluk T-series – at the time of writing, T1, T2, and T3 – are car dashcams. They are cheaper and arguably better-quality than the popular Blackvue brand.

The cameras are wifi-enabled; each presents as a wifi access point with somewhat-configurable SSID and configurable password. The intended access method is via the Goluk app, which is available for IOS and Android. The user’s smartphone is connected to the camera’s wifi AP and then the app is used to configure and manage the camera, and download videos.

I wanted to be able to download the contents of my dashcam automatically when it came in to range of home. At the moment, there is no published way to do this.

This document assumes some knowledge of the UNIX (Mac/Linux) commandline, basic networking, wifi, and HTTP.

Quick HOWTO

  1. Connect to the camera’s wifi network.
  2. Obtain an IP address from the camera by DHCP.
  3. Empty all of the videos out of the camera:

Note that this step will consume disk space up to the size of the camera’s sdcard on the host where it’s run, and depending on the quality of your wifi link – and the current goluk devices only support 802.11n, not 802.11ac – may take a long time.

$ for i in 1 2 4 ; do for j in `curl -s http://192.168.62.1/api/\
videolist?type=$i\&maxcount=8000|grep id|awk '{print $2}'|\
sed s/\"//|sed s/\"\,//` ; do echo $j ;\
 curl -s http://localhost:9000/api/video?id=$j > $j.mp4\
 ; done ; done

Hints for further investigation

Network setup

The Goluk cameras appear to default to IP 192.168.62.1/24; addresses on this subnet are served by the on-board dnsmasq DHCP server, and associated binaries (eg the phone apps) appear to contain the 192.168.62.1 address hardcoded. This is potentially awkward if you want to connect to more than one camera at once.

Other documentation

Goluk provide some API documentation on their github site at https://github.com/Goluk – however, this is aimed at the writers of Android and IOS apps, rather than someone who wishes to interact directly with the camera.

It does reveal some clues about the interface to the cameras – particularly, if “strings” is run on the GolukSDK file:

$ strings GolukSDK |grep http\:|grep api http://192.168.62.1/api/video?id=%@ http://192.168.62.1/api/video?id=%@_%@ {
"QueryFileList":"http://%s/api/videolist",
"DownloadDelVideo":"http://%s/api/video", 
"DownloadThum":"http://%s/api/thumb",
"DownloadPic":"http://%s/api/pic", 
"SnapshotPic":"http://%s/api/snapshot?id=0",
"GetIPCInfo":"http://%s/api/systeminfo", 
"GSenssorCfg":"http://%s/api/record",
"RestoreIPC":"http://%s/api/restore", 
"GetSDUsage":"http://%s/api/sd",
"FormatSDCard":"http://%s/api/sdformat", 
"TriggerRec":"http://%s/api/wonderful",
"ImPrintShow":"http://%s/api/conf_logo", 
"HDRMode":"http://%s/api/conf_hdr",
"IPCMotionCFG":"http://%s/api/conf_mode",
"SpeakerCfg":"http://%s/api/conf_voice", 
"RebootIPC":"http://%s/api/reboot",
"APCfg":"http://%s/api/ap", 
"WifiStationCfg":"http://%s/api/wifi",
"UpdatdIPC":"http://%s/api/upgrade", 
"IPCTime":"http://%s/api/time",
"RecordLoop":"http://%s/api/record", 
"RecAudioCfg":"http://%s/api/record",
"KitCfg":"http://%s/api/kit", 
"TimeSyncCfg":"http://%s/api/conf_timesync",
"PicCfg":"http://%s/api/conf_pic", 
"AutoRotationCfg":"http://%s/api/auto_flip",
"ADASCfg":"http://%s/api/adas", 
"Bind":"http://%s/api/bind?isbind=1",
"Upgrade":"http://%s/upgrade", 
"VideoCfg":"http://%s/api/conf_stream",
"VoiceType":"http://%s/api/conf_voice_type",
"PowerOffTime":"http://%s/api/conf_powoff_time",
"VideoResolution":"http://%s/api/conf_event_resolution",
"ModifyVolume":"http://%s/api/conf_volume",
"VideoTimeConf":"http://%s/api/conf_event_time",
"OSDConf":"http://%s/api/conf_logo",
"CapacityList":"http://%s/api/capacity_list",
"LiveStart":"http://%s/api/pushstream_start",
"LiveStatus":"http://%s/api/pushstream_status",
"LiveStop":"http://%s/api/pushstream_stop",
"LiveContinue":"http://%s/api/pushstream_continue",
"SetIPCLogo":"http://%s/api/carinfo", 
"BINDUUID":"http://%s/api/binduuid",
"DEFLICKERMODE":"http://%s/api/conf_anti_flicker",
"VODCfgInfo":"http://%s/api/tunnel", 
"MOTION_SW":"http://%s/api/motion_sw" }

Camera API calls

The API calls listed in the “strings” output above are somewhat obscure. Some appear to be GET, others are possibly POST. Some accept or require parameters which are not simple to determine.

I have not researched the majority of the possible API calls.

QueryFileList http://%s/api/videolist

GET request. Serves a list of the available videos on the device.

Requires parameter “type=n” where n is one of the following:

  • 1: “NRM” videos – those produced continuously while the vehicle is being driven. By default these are 3 minutes long.
  • 2: “URG” videos – those produced when motion is detected outside the vehicle while it is parked. By default these are 12 seconds long.
  • 4: “WND” videos – those saved when the hardware button to save video at a time of interesting events is pressed by the camera user. By default these are 12 seconds long.
  • 5: “NRM_TL” videos – timelapse videos created while parked, if the corresponding option in settings (introduced in the 1.7 firmware release during the summer of 2018) is enabled.

Accepts optional parameter “maxcount=n” where n is the maximum number of results (videos) which will be returned. The largest possible value of “maxcount” appears to be 8000.

Example
GET http://192.168.62.1/api/videolist?type=1&maxcount=200
{
	"data":	{
		"total":	3,
		"list":	[{
				"id":	"NRM_20180130123812",
				"type":	1,
				"resolution":	"1080p",
				"period":	179,
				"time":	1517315892,
				"timestamp":	"20180130123812",
				"size":	291015449,
				"location":	"NRM_20180130123812.mp4",
				"withSnapshot":	1,
				"withThumb":	1,
				"withGps":	0
			}, {
				"id":	"NRM_20180130124113",
				"type":	1,
				"resolution":	"1080p",
				"period":	179,
				"time":	1517316073,
				"timestamp":	"20180130124113",
				"size":	291067965,
				"location":	"NRM_20180130124113.mp4",
				"withSnapshot":	1,
				"withThumb":	1,
				"withGps":	0
			}, {
				"id":	"NRM_20180130124413",
				"type":	1,
				"resolution":	"1080p",
				"period":	72,
				"time":	1517316253,
				"timestamp":	"20180130124413",
				"size":	117221480,
				"location":	"NRM_20180130124413.mp4",
				"withSnapshot":	1,
				"withThumb":	1,
				"withGps":	0
			}]
	},
	"msg":	"OK",
	"result":	0
}

DownloadDelVideo http://%s/api/video

GET request. Requires a parameter “id=x” where x is an id taken from the “videolist” call above. Retrieves a video from the device and returns it in mpeg4 (h264) format.

SnapshotPic http://%s/api/snapshot

GET request. Requires no parameters. Takes a picture immediately and returns it in JPG format.

GetIPCInfo http://%s/api/systeminfo

GET request. Requires no parameters. Serves the device’s serial number, hardware and software version, and type.

GetSDUsage http://%s/api/sd

GET request. Requires no parameters. Serves a summary of available and used storage on the device.

Camera internals

The cameras appear to run Linux with the nginx web server listening on port 80, dnsmasq listening on port 53, a rtsp server on port 554, and a telnet server on port 23:

$ nmap 192.168.62.1

Nmap scan report for 192.168.62.1
Host is up (0.017s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
554/tcp open rtsp

As of software T2U_V1.6.0516.0959 this appears to be nginx 1.9.6 and dnsmasq 2.7.1.

The telnet server gives away the camera OEM, Ambarella:

$ telnet 192.168.62.1
Trying 192.168.62.1...
Connected to 192.168.62.1.
Escape character is '^]'.

Ambarella login:

It’s unlikely that the login details are highly secure, but at the time of writing they are not known to the author. The common suggestion of “root/123456” does not work.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: