BGA is still a terrible process even if you're the best solder soldier in the universe. And off-board connections to a complicated eMMC chip would be a nightmare anyway, nothing like an 8-pin flash.
I'm fine with all the soldering stuff... Know what threw me? It's embarrassing as hell. The hdmi port on an xbox, I couldn't do it... I wrecked the board. I'm reballing fine, pretty sure I could solder a gnats dick to a unicorn eyelash... Xbox hdmi? Nope, no can do. Maybe I was just having a bad day, I'm gonna just go with that.
Paused at 4:39... I thought 239.x.x.x was in the private multicast range, so it should not be routable via public internet? Unless there is a VPN/tunnel set up on this device what hits a remote private network and that makes 239.x 'local' again. At this point I would assume it's looking for locally-installed optional device like a base station, and stop trying to chase down that address from a data leakage perspective. Resuming the video...
Its to communicate with the ALPR server that is installed in the car. The whole system is not connected to the public internet. It's connected to the laptop in the car in another interface. The laptop does not route traffic. All communication is handled by the app installed on the laptop.
The trouble is, the foundation has a goal to sell cheap computers for education. Which is a noble goal, but they make limited money. You have the likes of Mororola buying these up and no doubt charging the U.S government 10x the price, and making all the profit. Because of this the Foundation will get bought and all their good work will come to naught when the buyer doubles the price over-night.
The way these cameras work is there is an ALPR server in the police car. I think you are going to find that there is no ALRP magic happening in the camera because the in car server is huge and has big fans on it so I think that is where it recognizes the plates. I would think the camera just sends a processed image to the server. In all the cases I seen, the server has ports for each camera and the server connects to the in car laptop via another network interface. Since the laptop is not routing traffic, the ALPR system has no direct connection to the internet. There is vigilan software on the laptop that talks to the in car server and then the software talks to the police network over a VPN to get the hot lists, show alerts, etc. The server also has a GPS module and send every plate it reads and the location back to the police network where officers can later look up a plate and find out where you have been. Fun side note, there are ALPR cameras at fixed locations like intersections, highways, traffic light, etc that are also feed into the same database. Since the cameras have no access to the internet, I think the ping to the public internet must be for manufacturing or troubleshooting purposes. Where I work, the police cars have no access to the internet except an allow list for sites like PD email, body camera websites etc. All police data is accessed via a VPN.
This is correct. What is in this video is a ip camera. A small component of a much much larger system. This devise simply converts a license plate number to text and sends it off. The radio network is used to send that data and is fully encrypted. The ip camera is part of the vehicles lan. All wired and air gapped.
@@mediocreman2 I would imagine it varies by agency but where I work the laptops are only allowed to access a small number of websites. Rather than a blocked website list there is a list of allowed websites and everything else is blocked. The ALPR network is offline meaning the entire ALPR network and cameras can not directly access the internet. Diagram: Internet (Filtered) >> Laptop
@@anthonyvharris The ALPR in car server does the heavy lifting and the laptop is what recieves the license plate numbers. The cameras do nothing more that take the video feed and send it to the in car server. The data communication is handled via a VPN connection back the state/county network. Most police agencies use CradlePoint router to connect to the cellular network. The data is sent over the cellular network encrypted and not over the police radio network, the two are not connected in any way (in my case).
@aquatrax123 you aren't far off in your thinking. I'm only a couple min into this video and he's already stated some things that he has no idea of how that work (which in fairness, he did mention/hint that). There is a specific way this stuff is to be setup and many installers/integrators don't do it correctly.
well done on their part for coming up with such a secure password LOL. Didn't even bother changing the default user or building their own OS image. Kinda neat to see, didn't expect that. Thanks Matt, i'm looking forward to the firmware reversing!!
I’ve worked with a competing brand of ALPR. The cameras are all connected to the in-car server using a non-routable private network. The server using multicast packets to find the cameras. You then use the in-car computer to interface with and program the server. The in-car computer runs a dedicated software that interfaces with a remote database, either local to the agency using a VPN or to a publicly accessible server. The in-car computer downloads known wanted plates while all unknown plates are then queried against the server which usually has the ability to query State driver registry. All plates scanned are logged by the in-car server. As each plate is scanned and queried, the image of the plate, vehicle make/model and owner information is displayed on the in-car software. If the plate is a known wanted plate, the software throws an alarm and an alert instructing the officer to pull over the vehicle.
It also logs the location the plate was scanned. For more data analysis, Law Enforcement can map the sightings of plates in areas. This is extremely useful for metadata if a plate was observed/recorded in or near a crime that needs investigation in to what vehicles were in the area. This gives law enforcement an idea where that vehicle frequents "lives". FLOCK has taken this a ran with it. HUGE cases are being completed with much, much more ease with the advancement of the software side with ALRP.
@@thesneakyapguy7172 sorry I don't think losing my civil liberties is worth making a DA's life easier... seriously the amount of spying we are under 24/7 I think would have made the KGB go "that's a bit much"
Raspberry pie do not really have a shortage quite simply they have always operated at maximum factory capacity. It’s just resellers buying insane quantities that means you can’t buy one.
@UKsystems Yep, I've always found the term 'shortage' odd to use, when it's fairly steady production but more an artificial buy-out. But in stocking terms I guess that is 'shorting' so it tracks otherwise, just doesn't intuitively feel right as there are 2 unique and distinct scenarios. But also I'm sure the RPi foundation is dealing with both at the same time in many cases.
I've run these ALPR cameras on my repo trucks since the early 2010 to 2012 and this is very interesting to watch cause I'm now in Cyber Security. Can't wait to see what data is being phoned home without consent from the users
Excellent work ! and fun to watch you - even as Senior Electrical Engineer in the Automotive Market. Your vast knowledge on Linux/Raspi thrills me. May I ask what's your age and education ?
Matt, another well thought out stream! As with the other posts, very interesting to see the PI configuration used in this device. One question, are you planning to have any live streams in 2025? The interaction last time was a lot of fun. Have a happy New Year celebration 🎉
Some years ago I saw a TV program interviewing people who had jobs driving around with license plate scanners. The purpose was to find cars for which owners had stopped paying and were therefore up for repossession. The drivers just tried to find likely locations such as malls, apartment complexes, trailer parks, etc. The data was then used by the higher-ups to search for target plate numbers.
7:09. Wow i never expected to see a Rpi compute module or any *pi to be used in such a product! Tinkerer hardware inside a serious product. I have seen pi's used for digital signs or kiosks but never in such Products
They aren’t a hardware. The computer models are designed and approved for various industrial processes and they are reliable quite simply the compute modules are their best seller to commercial customers as they are way more models than you would ever realise why design your own circuit board this part when there’s already a working design, don’t reinvent the wheel.
I work in health care and there's a company that installed some little dosimeter relays. I cracked one open and it's literally a raspberry Pi inside with a fancy case. Of course, the price is insanely high. If you ever wonder why healthcare is so expensive, this is just one of the reasons.
@@mediocreman2the hardware itself is only the smallest part of what you're paying for. It's all the R&D, calibration, validation and regulatory work that's required to give you certainty that it's giving you correct readings you're going to base life-critical decisions on. Good service isn't cheap, we're just stymied by a layer of greed on top of all of that.
@@mediocreman2 it’s the liability issue in healthcare. The manufacture has to cover their butts with a multimillion dollar bond against any issues that might arise out of misuse or equipment failure both now and in the future should they go out of business. Most of the elevated costs were caused by greedy attournies who were successful in twisting a case into their clients favor before a court of law. They are almost certain to land one third, or more, of the settlement.
The big problem is that he is uploaded and retained by third-party vendors. And you never know what these third parties are doing with the information.
Well done. Let's see if you can hack the "number plate recognition system" to "randomize" one or two characters before that data is sent out to the database!
A good way to entangle the Law enforcement agency in a swatting situation. Not cool. Especially how some officers come off as if being "god" in some circumstances. Imagine if that tags your kids car, who is totally innocent, and they are falsely accused of a crime or worse……
@@Subgunman It would be considered an attack on the network if you were to inject random bad data into the database. Somewhat like a ddos attack. Don't do that.
@@BrickTamlandOfficial not me, but the original commentor aryanzijlstra6649 made the comment about randomizing just two characters in the output files of the plates. I only offered a warning as to what can happen to innocent individuals. Having worked with several department about 20 years ago I happened to be privy to an email that came in from DHS. Very disturbing.
Do the plate readers have ir filters? While it won't stop a cop from targeting you, it will stop the plate readers from their job and could make things interesting with the fuzz.(literally and figuratively)
Most jurisdictions have laws, statutes, or ordinances prohibiting anything that interferes with visibility. Ex: Minnesota statute 169, section 79.7, quoting relevant part: The person driving the motor vehicle shall keep the plate legible and unobstructed and free from grease, dust, or other blurring material so that the lettering is plainly visible at all times. It is unlawful to cover any assigned letters and numbers or the name of the state of origin of a license plate with any material whatever, including any clear or colorless material that affects the plate's visibility or reflectivity. I'm painfully aware of this because when I was young, I drove a rather conspicuous vehicle. A couple of local cops got a kick out of harassing me, and would try to cite me whenever there was snow or the smallest amount of dust/dirt on my license plates, among other nuisances. This was prior to cell phones having cameras, so I took to carrying a small digital camera with me wherever I went. Every time I stopped for gas, I'd take a picture of the freshly-cleaned license plate (alongside the daily newspaper, thus proving the date) so I had a record of regularly cleaning it. The next time a cop did this, I calmly took the ticket and set a court date. When I showed the photos to the judge, the reply was the most beautiful tirade from the bench directed at the officer: "How many times have you issued this man unnecessary tickets to force him to keep a photo album of his license plate? THIS IS NOT LAW ENFORCEMENT, IT'S HARASSMENT. YOU SHOULD BE ASHAMED." The cop didn't reply, perhaps assuming the question was rhetorical. I did my best to keep my composure while saying, "Pardon me, but this is the fifth time, your honor." Not only did the judge dismiss the ticket and waive the court fee, she had the bailiff remove the cop from the courtroom - meaning all remaining tickets he had written that were in court that day would be a default judgement in favor of the other party! Prosecutor tried to reschedule them but the judge refused. Totally worth it.
Very Interesting. One thing i don’t understand is you talk about not needing to desolder the flash chip off the device and then read all the partitions off the PI board. Are the os partitions duplicated or is the flash chip simple used for other stuff.
How do I begin learning this stuff? I guess it’s called embedded systems or something? I want to apply it to cars so I can reverse engineer controllers on the car
Many controllers in the car self-destruct the internal computers when you open the case so you have to be very careful how you learn it and I love the automotive stuff. You can’t even have a data sheet without signing up for a license and paying a lot of money just to see what the chips do.
I worked for a repo company, the cameras just report all plate Metadata, another application or service processes the data and puts out a ping for last known location. So when a bank wants the car back the repo guy can check for any pings, in the network. Network because it's pay per seat and data is shared across users.
In other videos Matt already essentially did this tutorial in process of examining a device, I think one of the more recent IPCam ones. You could do full MITM where you essentially run NAT on a device with two NICs and then watch everything passing through with tcpdump (to a file, opened later with wireshark) or wireshark directly (I would probably use a custom OpenWRT therefore tcpdump to a pcap-file and then copy that over and open it on a computer with a GUI). But if you have dual NICs on a computer with a GUI and feel like setting up a whole NAT ecosystem that works too. Or use a hub where all ports are shared (as opposed to a switch) or a manged switch with a port configured to monitor/mirror the target device port, and then sniff everything in a more bystander position. The first option is better since you can then easily do actual MITM attacks on HTTPS connections, if any, and see what's inside those. Which was also demonstrated in the same video once you find it.
I wonder if it matters whether it's a private vs public ownership (parking garage or repo tow truck vs police), and if it differs in UK/Europe vs N. America?
Usually speaking as a vehicle has entered a carpark accessible to the public or somewhere like that the same rules apply to some degree like in a lot of places you may be required to have insurance and also there is a reasonable expectation that that vehicle has travelled on the road to get thereso that also takes into account the fact that they would have the power usually to check with that vehicle is taxed insured and things like that because it’s gone on the road to enter the premises
Thanks for the breakdown! I need some advice: My OKX wallet holds some USDT, and I have the seed phrase. (alarm fetch churn bridge exercise tape speak race clerk couch crater letter). What's the best way to send them to Binance?
On the cameras and IR LEDs I believe they are always active to read plates (as license plates are IR reflective apart from the digits) which makes recognition easier. I would guess there is an IR camera and a full RGB camera so one can be used for identification and the other for displaying it in context.
Why roll your own half assed file server when there's perfectly good standard (half assed) file server protocols with wide support already available? There's no need to reinvent the wheel.
Hi Matt, Thank you for the hardworking hacking videos - these are awesome! Some thoughts on the device - Given the context that the device is used in - i.e. Law enforcement - it'll be A) Locked in anpolice car and B) Running over a VPN with numerous network security arrangements. No way is this device touching the internet bare-back 😆
I have something kind of like that but it's for cameras you mount to a pole. If you want to check it out let me know I have two of them I'd be willing to let you see one
I've been interested in getting one of these 'police' LPR cameras to tinker with, and what you've found reinforces my choice to have ALL of my cameras on an isolated VLAN with ZERO internet access... my (Dauha) cameras bang away at various DNS servers that I didn't provision to them constantly... And if they made contact, who knows what they'd try to send out...
Seems strange that they would use an off the shelf rasp Pi unit in a device that links to government databases and other fun things. I suppose it keeps dev costs down and means the police departments can be screwed out of more money for a less safe product.
In my opinion, there is nothing wrong with this. The user base is larger, more people report bugs. We all eat with the same spoons but different food :) Similarly, here almost everything depends on how the code is implemented and what settings. And of course the price, probably the price affects 99% )))
Why would you design your own SBC when the RPi is a known good platform that fits your needs exactly? In a perfect world this thing is airgapped and configured in a way that makes it just as safe as a custom solution.
I’ve been working on a free open source web app. Just a hobby project, maybe have 100 users max right now. And I’ve been worried about security concerns, trying to harden things. Seeing this lack of security concerns on a commercial product makes me feel like I’m trying too hard.
I wonder how the police would react if one coated a plate with IR blocking coating. The plate would be clearly visible to human eyes, but they'd have to admit to using this device if they harass you over it.
Ctrl+L should clear terminal screens so you don't have to type "clear" all the time. If you have ssh access you may have a look at sshfs to get live access to remote filesystems. Samba is an extra layer which can mess up Linux filesystem attributes and encodings.
Quite common because there are no checks and balances in the system. It is usually a private company who will issue the citation( illegal in many municipalities) and they are guaranteed a cut of the money paid in the fine. They just go with the tag and don’t bother to investigate further if it matches the make, model and color of the car and neither do many police agencies.
I worked for Digital recognition network (vigilant video) for nearly a decade after we started in the founders garage as a ops manager. If you have questions I may be of assistance.
The hardcoded ip is recovery database network or RDN. It is the platform where all the vins are loaded with the assignments or purpose of the cameras searching for the plate id. Just started video so I'm sure I got more to add.
from what Ive been told these are pretty sneaky devices. capable of reading multiple plates at a time, the make model/color of the vehicle, and running it thru the BMV checking the registered owner of the plate for wants/warrants. It can also pull up public court records of said person for previous crimes. Flagging anything they have marked as "suspicious" PC to stop.
I fine with license plate readers on a few conditions. One, no logs of read plates that are of no interest. Two, only can search limited databases such stolen vehicles and Amber alerts.
the flir traficam has the same idea with a compute module on a carrier board, but its not a pi, spoilers! password protected root shell, open uboot bootloader, and a epic TAU2 thermal camera that outputs NTSC video by default!
If you ask me, I still believe these devices should be banned along with traffic license plate readers. In my humble opinion this violates are Constitutional right to freedom of movement and further more, though not stated in the US Constitution we as Americans should also have the right to remain Anonymous while exercising freedom of movement. I do understand that these systems help with catching car thieves and alike but it just doesn't sit well with me. People complain about China's surveillance, I'd argue we've matched it or perhaps surpassed it. Fruit for thought.
@@Voice_0f_Liberty I agree. Most people around the world are unable to maintain any level of privacy. We are far, far closer to a surveillance state than the dreaded USSR was.
Usually a police car would have a dash cam and the server on board that handles. This would also cross reference with that however it’s only suitable at certain ranges and it’s not really suitable however possible it would cross reference
Well in most cases is devices physically secured so you need to understand that physical security quite often indicates something like this. It’s like you putting a password or your computer then leaving it outside on the street at night it won’t be there when you wake up or if you don’t have a password, but it’s locked in your house. The chances are it will still be there and no one will have access it.
@UKsystemsphysical security means nothing if you can just ssh into the box. They probably imaged thousands or tens of thousands of these things. It also wouldn’t be too difficult to derive a password based on a single password plus the serial number on startup. Can still recover the password from the device if you have the device itself protected. That is where physical security would make more sense being a genuine security matter.
@ how are you often? Can’t SSH into the box because it connects to the cars internal surfer and only that server can communicate to the Internet as the server auto also acts as a router and encrypt the traffic usually via a VPN into the police headquarters so it’s quite a lot
Doesn't surprise me the password is 12345. There are typically multiple cameras on board tied to some onboard compute module that is connected via cellular (Firstnet or similar prioritized cellular) VPN. These cameras might as well be commodity cameras as their only purpose ia to provide a stream to the computer. LPRs require specific zoom and FOV settings to recognize and grab license plates as cars are travelling. Department probably never checks the camera for hardware security as it's behind a departments firewall on private cellular, behind a on vehicle firewall/gateway and streams locally to the vehicle. Security through obscurity at its best. Youd be surprised how much cheap low end tinkerer hardware makes it to commercial products behind a badge
opensource hardware and software can be incredibly secure but the second I saw that they were using a raspberry pi and had ssh enabled I know the password was going to be something stupid simple to guess.
Those pi CM3 Modules kinda remind me of those old Pentium 2 processors that were a card you would shove into a slot. I'd like to get one of these devices to monitor my property line for people throwing trash along my property.
Most modern cameras can be set to turn on when motion is detected. Get the highest resolution you can afford. Nothing like trying to identify a grainy image from a low camera at night
That's a blast from the past! One of the first computers my dad bought in the late 90s and early 2000s from a work friend had I believe a Pentium 3 in that form factor. I was still pretty young and I was always fascinated by that type of CPU.
theres a service called Flock. My local police use it. There's cameras around and they want to catch a certain plate/vehicle. They put that info in the Flock "readers" and it alerts police. My local police have been using LPRs in Wal-Marts. If you pull up in a stolen car, the LPR reports you to the police. My guess is they thought they could stop mass shoplifts if they used a stolen car to cover themselves up. Also I guess if you were robbing the store too you might use one. But it'll be an issue when your license in invalid for whatever reason or unknown to you, you pull up to Wal-Mart to buy baby food and when you come outside the police have your car surrounded ready to arrest you on driving on suspended license ready to jail you for a weekend or some extreme like holidays. My uncle's license number was input wrong at a court house. Dude is like Hank Hill doesn't do anything wrong. His license came up invalid during a random stop. Cop laughed at him knowing this and told him go fix your license at the courthouse. He has multiple cars and one of the registrations were not marked off as valid which starts a chain of events in Florida where everything gets suspended
you sir, need to do a stint as some electronics repair channel assistant and learn to solder with confidence.
BGA is still a terrible process even if you're the best solder soldier in the universe. And off-board connections to a complicated eMMC chip would be a nightmare anyway, nothing like an 8-pin flash.
Most people: Matt why do you desolder the chip so often instead of using XYZ method?
Others: Why don't you desolder the chip? Skill issue?
@@mattbrwn whatever you do, there always be someone on the Internet telling you’re doing it wrong 😂
@@mattbrwn i never tried to reball a chip. i had enough problems with tiny wires and needles
I'm fine with all the soldering stuff... Know what threw me? It's embarrassing as hell.
The hdmi port on an xbox, I couldn't do it... I wrecked the board.
I'm reballing fine, pretty sure I could solder a gnats dick to a unicorn eyelash... Xbox hdmi? Nope, no can do.
Maybe I was just having a bad day, I'm gonna just go with that.
Paused at 4:39... I thought 239.x.x.x was in the private multicast range, so it should not be routable via public internet? Unless there is a VPN/tunnel set up on this device what hits a remote private network and that makes 239.x 'local' again. At this point I would assume it's looking for locally-installed optional device like a base station, and stop trying to chase down that address from a data leakage perspective. Resuming the video...
You’re correct. This is a multicast address.
Spot on
looking at the system...this is true..there is a base station
Its to communicate with the ALPR server that is installed in the car. The whole system is not connected to the public internet. It's connected to the laptop in the car in another interface. The laptop does not route traffic. All communication is handled by the app installed on the laptop.
Yep, also can confirm.
I love it when "unexpected rpi in the wild"
The trouble is, the foundation has a goal to sell cheap computers for education. Which is a noble goal, but they make limited money. You have the likes of Mororola buying these up and no doubt charging the U.S government 10x the price, and making all the profit. Because of this the Foundation will get bought and all their good work will come to naught when the buyer doubles the price over-night.
The way these cameras work is there is an ALPR server in the police car. I think you are going to find that there is no ALRP magic happening in the camera because the in car server is huge and has big fans on it so I think that is where it recognizes the plates. I would think the camera just sends a processed image to the server. In all the cases I seen, the server has ports for each camera and the server connects to the in car laptop via another network interface. Since the laptop is not routing traffic, the ALPR system has no direct connection to the internet. There is vigilan software on the laptop that talks to the in car server and then the software talks to the police network over a VPN to get the hot lists, show alerts, etc. The server also has a GPS module and send every plate it reads and the location back to the police network where officers can later look up a plate and find out where you have been. Fun side note, there are ALPR cameras at fixed locations like intersections, highways, traffic light, etc that are also feed into the same database. Since the cameras have no access to the internet, I think the ping to the public internet must be for manufacturing or troubleshooting purposes. Where I work, the police cars have no access to the internet except an allow list for sites like PD email, body camera websites etc. All police data is accessed via a VPN.
But the police network is completely offline?
This is correct. What is in this video is a ip camera. A small component of a much much larger system. This devise simply converts a license plate number to text and sends it off. The radio network is used to send that data and is fully encrypted. The ip camera is part of the vehicles lan. All wired and air gapped.
@@mediocreman2 I would imagine it varies by agency but where I work the laptops are only allowed to access a small number of websites. Rather than a blocked website list there is a list of allowed websites and everything else is blocked. The ALPR network is offline meaning the entire ALPR network and cameras can not directly access the internet. Diagram: Internet (Filtered) >> Laptop
@@anthonyvharris The ALPR in car server does the heavy lifting and the laptop is what recieves the license plate numbers. The cameras do nothing more that take the video feed and send it to the in car server. The data communication is handled via a VPN connection back the state/county network. Most police agencies use CradlePoint router to connect to the cellular network. The data is sent over the cellular network encrypted and not over the police radio network, the two are not connected in any way (in my case).
@aquatrax123 you aren't far off in your thinking. I'm only a couple min into this video and he's already stated some things that he has no idea of how that work (which in fairness, he did mention/hint that).
There is a specific way this stuff is to be setup and many installers/integrators don't do it correctly.
well done on their part for coming up with such a secure password LOL. Didn't even bother changing the default user or building their own OS image. Kinda neat to see, didn't expect that. Thanks Matt, i'm looking forward to the firmware reversing!!
surprised, but not shocked.
Obligatory Spaceballs meme about luggage combination must be put here )
I’ve worked with a competing brand of ALPR. The cameras are all connected to the in-car server using a non-routable private network. The server using multicast packets to find the cameras. You then use the in-car computer to interface with and program the server. The in-car computer runs a dedicated software that interfaces with a remote database, either local to the agency using a VPN or to a publicly accessible server. The in-car computer downloads known wanted plates while all unknown plates are then queried against the server which usually has the ability to query State driver registry. All plates scanned are logged by the in-car server. As each plate is scanned and queried, the image of the plate, vehicle make/model and owner information is displayed on the in-car software. If the plate is a known wanted plate, the software throws an alarm and an alert instructing the officer to pull over the vehicle.
Ok but these /\/\otorola ALPR units are also installed on poles on the side of the road... those are probably on some kind of larger WAN no?
It also logs the location the plate was scanned. For more data analysis, Law Enforcement can map the sightings of plates in areas. This is extremely useful for metadata if a plate was observed/recorded in or near a crime that needs investigation in to what vehicles were in the area. This gives law enforcement an idea where that vehicle frequents "lives".
FLOCK has taken this a ran with it. HUGE cases are being completed with much, much more ease with the advancement of the software side with ALRP.
@@thesneakyapguy7172 sorry I don't think losing my civil liberties is worth making a DA's life easier... seriously the amount of spying we are under 24/7 I think would have made the KGB go "that's a bit much"
@@FLECOMwhy did you type “Motorola” like that?
So that's why the raspberry pi was dealing with a chip shortage.... Another Scooby Doo mystery solved
Raspberry pie do not really have a shortage quite simply they have always operated at maximum factory capacity. It’s just resellers buying insane quantities that means you can’t buy one.
@UKsystems Yep, I've always found the term 'shortage' odd to use, when it's fairly steady production but more an artificial buy-out. But in stocking terms I guess that is 'shorting' so it tracks otherwise, just doesn't intuitively feel right as there are 2 unique and distinct scenarios. But also I'm sure the RPi foundation is dealing with both at the same time in many cases.
Artificial shortages = excuse to raise price = more profit for those on the money side.
One of your videos got recommended to me a couple of days ago and I instantly became a new subscriber, love your content man!
it happen to me too
Someday you will tell this story to ur grandkiz
I've run these ALPR cameras on my repo trucks since the early 2010 to 2012 and this is very interesting to watch cause I'm now in Cyber Security. Can't wait to see what data is being phoned home without consent from the users
I happen to know firsthand ....
@marcusmccarty1786 and…..?
Excellent work ! and fun to watch you - even as Senior Electrical Engineer in the Automotive Market. Your vast knowledge on Linux/Raspi thrills me. May I ask what's your age and education ?
Liar.
I kind of wish you had started making this videos 20 years ago when I was a kid lol... This is gold.
Matt, another well thought out stream! As with the other posts, very interesting to see the PI configuration used in this device.
One question, are you planning to have any live streams in 2025? The interaction last time was a lot of fun.
Have a happy New Year celebration 🎉
Wow 🎉 Eagerly waiting for the next instalment. So good!
Some years ago I saw a TV program interviewing people who had jobs driving around with license plate scanners. The purpose was to find cars for which owners had stopped paying and were therefore up for repossession. The drivers just tried to find likely locations such as malls, apartment complexes, trailer parks, etc. The data was then used by the higher-ups to search for target plate numbers.
Matt, really appreciate all these uploads these last few weeks. Christmas break just got real fun.
7:09. Wow i never expected to see a Rpi compute module or any *pi to be used in such a product! Tinkerer hardware inside a serious product. I have seen pi's used for digital signs or kiosks but never in such Products
They aren’t a hardware. The computer models are designed and approved for various industrial processes and they are reliable quite simply the compute modules are their best seller to commercial customers as they are way more models than you would ever realise why design your own circuit board this part when there’s already a working design, don’t reinvent the wheel.
I work in health care and there's a company that installed some little dosimeter relays. I cracked one open and it's literally a raspberry Pi inside with a fancy case. Of course, the price is insanely high. If you ever wonder why healthcare is so expensive, this is just one of the reasons.
@@mediocreman2the hardware itself is only the smallest part of what you're paying for. It's all the R&D, calibration, validation and regulatory work that's required to give you certainty that it's giving you correct readings you're going to base life-critical decisions on. Good service isn't cheap, we're just stymied by a layer of greed on top of all of that.
@@mediocreman2 it’s the liability issue in healthcare. The manufacture has to cover their butts with a multimillion dollar bond against any issues that might arise out of misuse or equipment failure both now and in the future should they go out of business. Most of the elevated costs were caused by greedy attournies who were successful in twisting a case into their clients favor before a court of law. They are almost certain to land one third, or more, of the settlement.
never clicked so fast in my life
Yeah you have, that time you were watching porn hub and your mum walked in 😅😅
Give it time
Great start! I can’t wait for the entire series!
The big problem is that he is uploaded and retained by third-party vendors. And you never know what these third parties are doing with the information.
So cool you passthrough a GPU between Game and cracking rig. Kudos, youngster!
I watched it during my break time. Enjoyed the whole process
I found I love low level hardware. I now watch all Matt's videos in hopes I learn something. I usually do.
Well done. Let's see if you can hack the "number plate recognition system" to "randomize" one or two characters before that data is sent out to the database!
A good way to entangle the Law enforcement agency in a swatting situation. Not cool. Especially how some officers come off as if being "god" in some circumstances. Imagine if that tags your kids car, who is totally innocent, and they are falsely accused of a crime or worse……
@@Subgunman It would be considered an attack on the network if you were to inject random bad data into the database. Somewhat like a ddos attack. Don't do that.
@@BrickTamlandOfficial not me, but the original commentor aryanzijlstra6649 made the comment about randomizing just two characters in the output files of the plates. I only offered a warning as to what can happen to innocent individuals. Having worked with several department about 20 years ago I happened to be privy to an email that came in from DHS. Very disturbing.
Do the plate readers have ir filters?
While it won't stop a cop from targeting you, it will stop the plate readers from their job and could make things interesting with the fuzz.(literally and figuratively)
Exactly the angle Im interested in... ;)
Most jurisdictions have laws, statutes, or ordinances prohibiting anything that interferes with visibility. Ex: Minnesota statute 169, section 79.7, quoting relevant part:
The person driving the motor vehicle shall keep the plate legible and unobstructed and free from grease, dust, or other blurring material so that the lettering is plainly visible at all times. It is unlawful to cover any assigned letters and numbers or the name of the state of origin of a license plate with any material whatever, including any clear or colorless material that affects the plate's visibility or reflectivity.
I'm painfully aware of this because when I was young, I drove a rather conspicuous vehicle. A couple of local cops got a kick out of harassing me, and would try to cite me whenever there was snow or the smallest amount of dust/dirt on my license plates, among other nuisances. This was prior to cell phones having cameras, so I took to carrying a small digital camera with me wherever I went. Every time I stopped for gas, I'd take a picture of the freshly-cleaned license plate (alongside the daily newspaper, thus proving the date) so I had a record of regularly cleaning it. The next time a cop did this, I calmly took the ticket and set a court date. When I showed the photos to the judge, the reply was the most beautiful tirade from the bench directed at the officer: "How many times have you issued this man unnecessary tickets to force him to keep a photo album of his license plate? THIS IS NOT LAW ENFORCEMENT, IT'S HARASSMENT. YOU SHOULD BE ASHAMED." The cop didn't reply, perhaps assuming the question was rhetorical. I did my best to keep my composure while saying, "Pardon me, but this is the fifth time, your honor." Not only did the judge dismiss the ticket and waive the court fee, she had the bailiff remove the cop from the courtroom - meaning all remaining tickets he had written that were in court that day would be a default judgement in favor of the other party! Prosecutor tried to reschedule them but the judge refused. Totally worth it.
Thanks for the vid! Quick question: what are you using to split your terminal like that?
i3wm. Those are two separate terminals
Very Interesting. One thing i don’t understand is you talk about not needing to desolder the flash chip off the device and then read all the partitions off the PI board. Are the os partitions duplicated or is the flash chip simple used for other stuff.
How do I begin learning this stuff? I guess it’s called embedded systems or something? I want to apply it to cars so I can reverse engineer controllers on the car
Many controllers in the car self-destruct the internal computers when you open the case so you have to be very careful how you learn it and I love the automotive stuff. You can’t even have a data sheet without signing up for a license and paying a lot of money just to see what the chips do.
I'm guessing BMW ECUs
loving these vids Matt - keep it up!
I worked for a repo company, the cameras just report all plate Metadata, another application or service processes the data and puts out a ping for last known location. So when a bank wants the car back the repo guy can check for any pings, in the network. Network because it's pay per seat and data is shared across users.
Can you do a video on how you analyze Wireshark packets from an external device?
In other videos Matt already essentially did this tutorial in process of examining a device, I think one of the more recent IPCam ones.
You could do full MITM where you essentially run NAT on a device with two NICs and then watch everything passing through with tcpdump (to a file, opened later with wireshark) or wireshark directly (I would probably use a custom OpenWRT therefore tcpdump to a pcap-file and then copy that over and open it on a computer with a GUI). But if you have dual NICs on a computer with a GUI and feel like setting up a whole NAT ecosystem that works too.
Or use a hub where all ports are shared (as opposed to a switch) or a manged switch with a port configured to monitor/mirror the target device port, and then sniff everything in a more bystander position.
The first option is better since you can then easily do actual MITM attacks on HTTPS connections, if any, and see what's inside those. Which was also demonstrated in the same video once you find it.
Did you leave a link to where you got the board from? & price
I wonder if it matters whether it's a private vs public ownership (parking garage or repo tow truck vs police), and if it differs in UK/Europe vs N. America?
Usually speaking as a vehicle has entered a carpark accessible to the public or somewhere like that the same rules apply to some degree like in a lot of places you may be required to have insurance and also there is a reasonable expectation that that vehicle has travelled on the road to get thereso that also takes into account the fact that they would have the power usually to check with that vehicle is taxed insured and things like that because it’s gone on the road to enter the premises
New here, Love the content! Liked and sub'd. Question for you or chat, did you mean port 445 here not 554 for samba or mount a share (2:58)?
Yeah I did. Might have mixed that up when saying it
@@mattbrwn Thanks for clarifying. Keep up the good content. Im traversing through your catalog now. Great stuff for me to learn and follow along too.
Can you hack a Flock LPR camera as well?
Seeing a PI in a LPR is like finding a fresh bag of raspberries in a LPR.
What would you have used instead?
Thanks for the breakdown! I need some advice: My OKX wallet holds some USDT, and I have the seed phrase. (alarm fetch churn bridge exercise tape speak race clerk couch crater letter). What's the best way to send them to Binance?
After seeing the Pass, Spaceballs come to mind.
Why do you use a VM for password cracking? Why not on the host system?
I didn't quite understand the part about the password-does it involve brute force or a dictionary attack?
Merci pour cette très bonne vidéo.
dictionary
On the cameras and IR LEDs I believe they are always active to read plates (as license plates are IR reflective apart from the digits) which makes recognition easier.
I would guess there is an IR camera and a full RGB camera so one can be used for identification and the other for displaying it in context.
Cool walkthrough brother.
Around 22:00 was a serious ROFL moment. It's running SAMBA! Shortcuts abound in this product design.
Why roll your own half assed file server when there's perfectly good standard (half assed) file server protocols with wide support already available? There's no need to reinvent the wheel.
great job! enjoy watching you work (aka play...)
I used to use, install and service these for a repo company. These are plugged into a MCU. so the ports are not exposed outside of the MCU.
Hi Matt,
Thank you for the hardworking hacking videos - these are awesome!
Some thoughts on the device - Given the context that the device is used in - i.e. Law enforcement - it'll be A) Locked in anpolice car and B) Running over a VPN with numerous network security arrangements. No way is this device touching the internet bare-back 😆
I have something kind of like that but it's for cameras you mount to a pole. If you want to check it out let me know I have two of them I'd be willing to let you see one
Matt your video bitrate appears to be incredibly low
I like a lot of your videos, but damn, this is awesome!!!!!
I've been interested in getting one of these 'police' LPR cameras to tinker with, and what you've found reinforces my choice to have ALL of my cameras on an isolated VLAN with ZERO internet access... my (Dauha) cameras bang away at various DNS servers that I didn't provision to them constantly... And if they made contact, who knows what they'd try to send out...
You are the man! Great content!
Awesome presentation
next one will be "Hacking a Department Server PC - Firmware Extraction and Password Cracking"
Seems strange that they would use an off the shelf rasp Pi unit in a device that links to government databases and other fun things. I suppose it keeps dev costs down and means the police departments can be screwed out of more money for a less safe product.
In my opinion, there is nothing wrong with this. The user base is larger, more people report bugs. We all eat with the same spoons but different food :) Similarly, here almost everything depends on how the code is implemented and what settings. And of course the price, probably the price affects 99% )))
Police reporting bugs on a product, you must be newto earth @@Misimpa,
@@Misimpasuch braindead comment
@ can you read? Maybe you not from Earth. Commercial board widespread on the market, many users and bug reports most of them are free :)
Why would you design your own SBC when the RPi is a known good platform that fits your needs exactly? In a perfect world this thing is airgapped and configured in a way that makes it just as safe as a custom solution.
I’ve been working on a free open source web app. Just a hobby project, maybe have 100 users max right now. And I’ve been worried about security concerns, trying to harden things. Seeing this lack of security concerns on a commercial product makes me feel like I’m trying too hard.
Had no idea there are a flood of these on the secondary market....another rabbit hole!
appreciate your time and work on all these items.
how about ubiquity devices like lite beam m5
This is what I call epic find! :) Nice one :)
I wonder how the police would react if one coated a plate with IR blocking coating.
The plate would be clearly visible to human eyes, but they'd have to admit to using this device if they harass you over it.
If you don't have a polarized microscope light yet I highly recommend getting one. You can control how much glare there is.
Greats from Germany !
Ctrl+L should clear terminal screens so you don't have to type "clear" all the time.
If you have ssh access you may have a look at sshfs to get live access to remote filesystems. Samba is an extra layer which can mess up Linux filesystem attributes and encodings.
My wife got a ticket for a license plate and car that was not hers
Quite common because there are no checks and balances in the system. It is usually a private company who will issue the citation( illegal in many municipalities) and they are guaranteed a cut of the money paid in the fine. They just go with the tag and don’t bother to investigate further if it matches the make, model and color of the car and neither do many police agencies.
I worked for Digital recognition network (vigilant video) for nearly a decade after we started in the founders garage as a ops manager. If you have questions I may be of assistance.
The hardcoded ip is recovery database network or RDN. It is the platform where all the vins are loaded with the assignments or purpose of the cameras searching for the plate id. Just started video so I'm sure I got more to add.
Amazing job, as usual!
from what Ive been told these are pretty sneaky devices. capable of reading multiple plates at a time, the make model/color of the vehicle, and running it thru the BMV checking the registered owner of the plate for wants/warrants. It can also pull up public court records of said person for previous crimes. Flagging anything they have marked as "suspicious" PC to stop.
I think it's time to put camera blocking leds in our plate lights now.
cant wait for the next chapter of this.
Ip 239.83,83.83 is a multicast address….. which in most cases is not publicly routeable
I fine with license plate readers on a few conditions. One, no logs of read plates that are of no interest. Two, only can search limited databases such stolen vehicles and Amber alerts.
Part 2 please i want to see more
Any update on that knockoff chrome cast?
the flir traficam has the same idea with a compute module on a carrier board, but its not a pi, spoilers! password protected root shell, open uboot bootloader, and a epic TAU2 thermal camera that outputs NTSC video by default!
See if the weights are local to the machine. If you download them you can make adversarial images to defeat them.
Police endangering national security for profit. How cute.
On a "made in PRC" device. Just when you thought you've seen everything
US government moment
If you ask me, I still believe these devices should be banned along with traffic license plate readers. In my humble opinion this violates are Constitutional right to freedom of movement and further more, though not stated in the US Constitution we as Americans should also have the right to remain Anonymous while exercising freedom of movement. I do understand that these systems help with catching car thieves and alike but it just doesn't sit well with me. People complain about China's surveillance, I'd argue we've matched it or perhaps surpassed it. Fruit for thought.
@@Voice_0f_Liberty I agree. Most people around the world are unable to maintain any level of privacy. We are far, far closer to a surveillance state than the dreaded USSR was.
@@Griff_Is_Real Valid point. Couldn't of said it better myself. Glad someone else shares my optimistic outlook lol.
TP Link is under major scrutiny. Can you test some of there enterprise stuff, like the omada systems. Thanks
Interesting case study 🧐
my eyes almost popped out of my head when i saw this posted
Mass surveillance? Everyone drives around with a huge placard on thier car which ANYONE can see , photo, video or write down.
I bet you'll be able to do shell injection by showing it fake license plates, maybe get shell, maybe just make it misread
Usually a police car would have a dash cam and the server on board that handles. This would also cross reference with that however it’s only suitable at certain ranges and it’s not really suitable however possible it would cross reference
Read my mind
Please make a video about the vm setup you have.
I really thought they would use the same default password as other raspberrypi products, not 12345.
How long would it really take to set the password to a uuid? Seriously, how lazy are you manufacturer?
Well in most cases is devices physically secured so you need to understand that physical security quite often indicates something like this. It’s like you putting a password or your computer then leaving it outside on the street at night it won’t be there when you wake up or if you don’t have a password, but it’s locked in your house. The chances are it will still be there and no one will have access it.
@UKsystemsphysical security means nothing if you can just ssh into the box. They probably imaged thousands or tens of thousands of these things. It also wouldn’t be too difficult to derive a password based on a single password plus the serial number on startup. Can still recover the password from the device if you have the device itself protected. That is where physical security would make more sense being a genuine security matter.
@ how are you often? Can’t SSH into the box because it connects to the cars internal surfer and only that server can communicate to the Internet as the server auto also acts as a router and encrypt the traffic usually via a VPN into the police headquarters so it’s quite a lot
Another great video, thanks!
After each video I discover another gadget I have to buy.
really amazing hands on content
You are the best! Do you have any course that i can learning this skills?
In before the cease and desist takedown
Doesn't surprise me the password is 12345. There are typically multiple cameras on board tied to some onboard compute module that is connected via cellular (Firstnet or similar prioritized cellular) VPN. These cameras might as well be commodity cameras as their only purpose ia to provide a stream to the computer. LPRs require specific zoom and FOV settings to recognize and grab license plates as cars are travelling. Department probably never checks the camera for hardware security as it's behind a departments firewall on private cellular, behind a on vehicle firewall/gateway and streams locally to the vehicle. Security through obscurity at its best. Youd be surprised how much cheap low end tinkerer hardware makes it to commercial products behind a badge
To add if you think this is bad don't pull the cover off of Connected Vehicle systems😂
Another idea is the Flock Automatic License Plate Reader cameras also.
new sub,. stay off the radar camera man :)
opensource hardware and software can be incredibly secure but the second I saw that they were using a raspberry pi and had ssh enabled I know the password was going to be something stupid simple to guess.
We need to clarify the federal language for private car owners
Those pi CM3 Modules kinda remind me of those old Pentium 2 processors that were a card you would shove into a slot. I'd like to get one of these devices to monitor my property line for people throwing trash along my property.
Most modern cameras can be set to turn on when motion is detected. Get the highest resolution you can afford. Nothing like trying to identify a grainy image from a low camera at night
That's a blast from the past! One of the first computers my dad bought in the late 90s and early 2000s from a work friend had I believe a Pentium 3 in that form factor. I was still pretty young and I was always fascinated by that type of CPU.
theres a service called Flock. My local police use it. There's cameras around and they want to catch a certain plate/vehicle. They put that info in the Flock "readers" and it alerts police. My local police have been using LPRs in Wal-Marts. If you pull up in a stolen car, the LPR reports you to the police. My guess is they thought they could stop mass shoplifts if they used a stolen car to cover themselves up. Also I guess if you were robbing the store too you might use one. But it'll be an issue when your license in invalid for whatever reason or unknown to you, you pull up to Wal-Mart to buy baby food and when you come outside the police have your car surrounded ready to arrest you on driving on suspended license ready to jail you for a weekend or some extreme like holidays. My uncle's license number was input wrong at a court house. Dude is like Hank Hill doesn't do anything wrong. His license came up invalid during a random stop. Cop laughed at him knowing this and told him go fix your license at the courthouse. He has multiple cars and one of the registrations were not marked off as valid which starts a chain of events in Florida where everything gets suspended
See what other samba shares there are besides the home shares
"System Volume Information" and a bunch of xml files. I can smell the security bugs and loopholes. I bet `nm` will be of help on the binaries.
Why are we doing this?
Dump device to github?