Reverse Engineering An RC Spy Tank

[Michael] sells a remote control spy tank through his company, and although it’s a toy, there’s an impressive amount of electronics in this R/C tank. It’s controlled from an Android or iDevice over a WiFi connection, something that simply won’t do if you’re trying to sell this to the hacker and maker crowd. The solution to this problem is Wireshark, and with a little bit of work this spy tank can be controlled from just about anything, from a microcontroller via WiFi to a Python app.

Wireshark, everyone’s favorite network packet analysis and capture tool, was used to listen in on the communications between an iPad and the tank. This immediately showed the video stream coming from the camera in the tank, and pointing VLC to the correct port displayed the video.

The motors in the tank were a little trickier, but looking at the data stream, a few packets stood out as being responsible for controlling the motors. After a little experimentation the simple command set was decoded and a Python app whipped up.

These spy tanks are cheap – about $70 from [Michael]’s company and the other usual vendors. It’s not a particularly useful piece of hardware, but someone out there is sure to do something cool with this bit of reverse engineering.

15 thoughts on “Reverse Engineering An RC Spy Tank

  1. I did something somewhat similar with one of those smartphone tanks. Brook stone makes two. One has just a camera and a light. The internals are a crappy wifi ip cam with the pan/tilt motors wired up to the tank treads.

    The problem is that since its the same hardware as a wifi ip cam, it isn’t as strong at broadcasting wifi as is at receiving it. I managed to find some info on getting to some of the settings pages that were never removed from the firmware, but ended up getting it stuck in a state where it was no longer broadcasting wifi.
    It sat on my shelf for a few years until I took it apart out of boredom. I managed to find a serial port on it and see what it was doing when booting.

    I dumped its firmware and dug through it, trying to find a version of the wifi drivers that would work for that CPU or write a shell script that would run the connection commands.

    Eventually it came down to the fact that any kind if encryption on wifi wouldn’t work with it, and the shell scripts wouldn’t execute at the right time.

    Ended up using one of my damaged arduinos to watch the serial output from it booting and inject the commands to connect it to the wifi at the proper time.

    The result is I can control it from any phone connected to my wifi, and I get better range since it is a wifi client and not ad-hoc.

    These cheap little tanks are really neat and you can definitely use them for all sorts of things.

    Here is a quick video showing the startup sequence for my Franken-Tank:

    1. This one is actually a WiFi router with some extra programs tacked on at the end of the init script.
      I managed to get into the admin interface and change it to a WiFi client, but unfortunately it will only join unsecured networks.
      It still has its router management web interface and also has FTP running with anonymous read access to the entire FS!

      I did the same thing where It stopped broadcasting by setting it to join my WPA2 secured network, restarted it, and… nothing. The reset button had no effect either.
      Managed to find the datasheet and shorted the factory reset pin to un-brick it! yay!

    2. This one is actually a WiFi Router!
      It has the management web interface still open, plus FTP with anonymous read access to everything.

      It works by running two extra programs at the end of its init script, one for the video, the other for the motors.

      In the router’s management interface you can tell it to go into client mode and join a WiFi network.
      I did the same thing as you, where I told it to join my WPA2 protected wifi, and then… nothing…
      Thought I had bricked it, but managed to find from the datasheet the reset pin, shorted it and it went back to factory defaults!
      So you can make it join a network, but only an unsecure one…

    1. Hi robo,

      Yeah, I did the same thing. Looks like you can only join a non-encrypted network in client mode.

      You need to look at the pins that connect the smaller board onto the larger board.
      Short pins 7 and 9 for about 5 seconds (I think, or 15 seconds?).

      This post (in german) helped me work out what pins to short.
      You want 7 (Reset to default) and 9 (GND)
      http://meinpb.blogspot.com.au/2013/08/wlc-240-wifi.html

      Hope you can rescue your tank!

      1. Hi mic159,

        Great work with wireshark and the python app. Works well. The keyboard buttons work without much delay but I have considerable latency with the video stream (to much to be of use). Is there a way of reducing the video latency?

  2. Great article and I was able to write my own Python code on Mac OSX to control all motors , as well as stream video on port 8196.
    Question: do you know how to control the speed? right now when I send the motor command like 1121, the motors will be on for 1 second, which makes it hard to control. Any idea?

    1. Unfortunately there is no speed control, its either go or stop.
      But to make it go forward only a little bit, instead of waiting the whole 1 second, you can tell it to stop sooner.

      Send 1121 and it will start going forward.
      Then send 1020 to make it stop.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.