[Michael] sells a remote control spy tank through his company, and although it’s a toy, there’s an impressive amount of electronics in this R/C tank. It’s controlled from an Android or iDevice over a WiFi connection, something that simply won’t do if you’re trying to sell this to the hacker and maker crowd. The solution to this problem is Wireshark, and with a little bit of work this spy tank can be controlled from just about anything, from a microcontroller via WiFi to a Python app.
Wireshark, everyone’s favorite network packet analysis and capture tool, was used to listen in on the communications between an iPad and the tank. This immediately showed the video stream coming from the camera in the tank, and pointing VLC to the correct port displayed the video.
The motors in the tank were a little trickier, but looking at the data stream, a few packets stood out as being responsible for controlling the motors. After a little experimentation the simple command set was decoded and a Python app whipped up.
These spy tanks are cheap – about $70 from [Michael]’s company and the other usual vendors. It’s not a particularly useful piece of hardware, but someone out there is sure to do something cool with this bit of reverse engineering.
That is pretty cool. I like how simple that is. It would be a fun for a kid to start with.
Nice work! I built something kind of like this using an old phone and IOIO board on a tracked chassis, it was great fun. Design and code for the Android server on the not, as well as a simple Android client, are at http://shortcircuitsandinfiniteloops.blogspot.com/2013_06_01_archive.html?m=0 if it is of interest.
On the bot, rather.
Here it all about the board :D AHHAHAHHA!!!!
http://1220431.en.makepolo.com/products/The-Smallest-Tiny-802.11n-AP-Router-p91787161.html
I did something somewhat similar with one of those smartphone tanks. Brook stone makes two. One has just a camera and a light. The internals are a crappy wifi ip cam with the pan/tilt motors wired up to the tank treads.
The problem is that since its the same hardware as a wifi ip cam, it isn’t as strong at broadcasting wifi as is at receiving it. I managed to find some info on getting to some of the settings pages that were never removed from the firmware, but ended up getting it stuck in a state where it was no longer broadcasting wifi.
It sat on my shelf for a few years until I took it apart out of boredom. I managed to find a serial port on it and see what it was doing when booting.
I dumped its firmware and dug through it, trying to find a version of the wifi drivers that would work for that CPU or write a shell script that would run the connection commands.
Eventually it came down to the fact that any kind if encryption on wifi wouldn’t work with it, and the shell scripts wouldn’t execute at the right time.
Ended up using one of my damaged arduinos to watch the serial output from it booting and inject the commands to connect it to the wifi at the proper time.
The result is I can control it from any phone connected to my wifi, and I get better range since it is a wifi client and not ad-hoc.
These cheap little tanks are really neat and you can definitely use them for all sorts of things.
Here is a quick video showing the startup sequence for my Franken-Tank:
https://youtube.com/watch?v=HokFFPTHdNE
This one is actually a WiFi router with some extra programs tacked on at the end of the init script.
I managed to get into the admin interface and change it to a WiFi client, but unfortunately it will only join unsecured networks.
It still has its router management web interface and also has FTP running with anonymous read access to the entire FS!
I did the same thing where It stopped broadcasting by setting it to join my WPA2 secured network, restarted it, and… nothing. The reset button had no effect either.
Managed to find the datasheet and shorted the factory reset pin to un-brick it! yay!
This one is actually a WiFi Router!
It has the management web interface still open, plus FTP with anonymous read access to everything.
It works by running two extra programs at the end of its init script, one for the video, the other for the motors.
In the router’s management interface you can tell it to go into client mode and join a WiFi network.
I did the same thing as you, where I told it to join my WPA2 protected wifi, and then… nothing…
Thought I had bricked it, but managed to find from the datasheet the reset pin, shorted it and it went back to factory defaults!
So you can make it join a network, but only an unsecure one…
WiFi camera tanks to the Moon! Pack a lander full of little camera tanks, land on Moon and go exploring.
Don’t forget to harden everything against the radiation. Camera too!
Hi, I bricked my i-spy tank by changing it to client mode. Can someone tell me where to find the reset pins to short?
Hi robo,
Yeah, I did the same thing. Looks like you can only join a non-encrypted network in client mode.
You need to look at the pins that connect the smaller board onto the larger board.
Short pins 7 and 9 for about 5 seconds (I think, or 15 seconds?).
This post (in german) helped me work out what pins to short.
You want 7 (Reset to default) and 9 (GND)
http://meinpb.blogspot.com.au/2013/08/wlc-240-wifi.html
Hope you can rescue your tank!
Hi mic159,
Great work with wireshark and the python app. Works well. The keyboard buttons work without much delay but I have considerable latency with the video stream (to much to be of use). Is there a way of reducing the video latency?
Yeah, sometimes it gets laggy, try restarting the app a few times to see if it gets better.
I havent yet figured out a good way to catch back up when it lags behind.
Great article and I was able to write my own Python code on Mac OSX to control all motors , as well as stream video on port 8196.
Question: do you know how to control the speed? right now when I send the motor command like 1121, the motors will be on for 1 second, which makes it hard to control. Any idea?
Unfortunately there is no speed control, its either go or stop.
But to make it go forward only a little bit, instead of waiting the whole 1 second, you can tell it to stop sooner.
Send 1121 and it will start going forward.
Then send 1020 to make it stop.