Raymarine's electronics are not very secure. This is no secret, but there really isn't a drive to reverse engineer or hack them. But the way they're selling their high end solutions for a large amount of money is ridiculous. What even is "SeaTalk"? It's a serial connection. They could have done the same thing with ethernet or just a few wires. It's all a market cornering money grab. So I decided to try and imitate what (I think) is one of their more expensive features: viewing the MFD on a TV screen.
I have a mild irritation about the overpricedness of the system add-on that would enable this functionality which was half of the motivation for this project. The other half was that my parents thought it would be cool if their boat could do this. I told them I could do it for under $50. I worked somewhat quickly on reverse engineering the mechanism by which the RayViewer app showed the Multifunction Display's screen on a mobile device in real time.
The MFD broadcasts its own network. Your phone or tablet can connect to this network and, magically, the RayViewer app will display what's currently on the screen. The RayControl app will allow you to interact with it. I don't care so much about the control bit as much as I care about the video streaming.
Now, I understand that I can just plug a phone or tablet into a screen using an HDMI adapter, but that's silly. And, if my parents didn't have a tablet, it would cost more money than it's worth. So no. I also understand that I could get any single board computer, install Android, and install the app, but that defeats the purpose of leaving the Raymarine ecosystem. So we'll be implementing a solution without the use of anything written by Raymarine.
The first thing I did was a port scan. I did this with both my mobile phone (using my favorite network scanner, Fing), and nmap on my computer. They both came up with the same results.
My first thought was that this was X11. That would make sense as it's a desktop with touch controls. But the X11 is password protected. I did not know the username or password. So I could not do it this way. This was depressing, because I wasn't sure how else to do it.
So I went ahead and decompiled the RayViewer app. Boy oh boy was it obfuscated. I looked for evidence of X11. There was none. But it used libffmpeg and libstreamer. This was a big hint. Then, I came across what I was looking for. The function that created the URL from which to stream.
We know immediately from this string that this is an RTSP stream. Okay, so now what? We don't know anything else about this. I found it impossible to trace what the components of the URL meant. The string "raymarine-mfd-rtsp-path" showed up nowhere else in the code. This was, to say the least, infuriating. Then I came across another interesting string. This was a log string. Log strings are great because they're never obfuscated.
mDns. ZeroConf. That's how it was finding the information. So, I downloaded and installed a ZeroConf searcher on my phone (I could have used my computer, but I have used and like this app, so I just went with it), and scanned the MFD's WiFi network. And guess what I found. Literally everything I needed.
We know the IP address, we have the port (which I would have never guessed because it showed up on no port scan), and the RTSP path. Is it time to try to load it in VLC? Yes, yes it is.
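How the three pieces from the ZeroConf scan fit together, as an added example that is not from the original post or the RayViewer app: it decodes the SRV and TXT record data of a DNS-SD advertisement and assembles the RTSP URL. The TXT key name `path`, the address, the port and the path are constructed placeholders, since the post does not list the advertised values.

```python
import struct

def parse_txt(rdata: bytes) -> dict:
    """DNS-SD TXT RDATA (RFC 6763 section 6): length-prefixed 'key=value' strings."""
    out, i = {}, 0
    while i < len(rdata):
        n = rdata[i]
        entry = rdata[i + 1:i + 1 + n]
        if len(entry) != n:
            raise ValueError("TXT string runs past end of RDATA")
        i += 1 + n
        key, sep, val = entry.partition(b"=")
        if key:  # strings with an empty key are ignored
            # keys are case-insensitive; the first occurrence wins
            out.setdefault(key.decode("ascii").lower(),
                           val.decode("utf-8", "replace") if sep else None)
    return out

def parse_srv(rdata: bytes):
    """SRV RDATA: priority, weight, port (16 bits each), then the target name."""
    if len(rdata) < 7:
        raise ValueError("SRV RDATA too short")
    _prio, _weight, port = struct.unpack("!HHH", rdata[:6])
    labels, i = [], 6
    while True:
        if i >= len(rdata):
            raise ValueError("unterminated target name")
        n = rdata[i]
        i += 1
        if n == 0:
            break
        if n & 0xC0 or i + n > len(rdata):
            # compressed names point into the full packet, which this example does not have
            raise ValueError("compressed or truncated target name")
        labels.append(rdata[i:i + n].decode("ascii"))
        i += n
    return port, ".".join(labels)

def rtsp_url(host: str, srv: bytes, txt: bytes, path_key: str = "path") -> str:
    """Combine the advertised port and path with the device address."""
    port, _target = parse_srv(srv)
    path = parse_txt(txt).get(path_key)  # "path" is a hypothetical key name
    if not path:
        raise KeyError(f"no {path_key!r} entry in TXT record")
    return f"rtsp://{host}:{port}/{path.lstrip('/')}"

# Constructed sample records; none of these values come from a real MFD.
SRV = struct.pack("!HHH", 0, 0, 8554) + b"\x03mfd\x05local\x00"
TXT = b"".join(bytes([len(s)]) + s for s in (b"path=/mfd/live", b"model=xyz", b""))
```

The port travels inside the SRV record, so the advertisement alone is enough to locate the stream, which is why the port scan was not needed to find it.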
The video stream was the native resolution of the display, and was more or less fluid. It ran at about a second and a half delay. That's acceptable for a simple chart with very little motion. I was very happy with this. So now came the question, how do I get this video stream on a TV?
My first thought was to use a Chromecast, but I don't know of a good way to hack a Chromecast to do this, nor do I know of any RTSP app for Chromecast. So I decided to make a custom device based on my new favorite single board computer: the OrangePi. They're just as good as the RaspberryPi (in some cases better) and cheaper. There are also more kinds of these, so you can get exactly what you need. In my case, I got an OrangePi Lite. It's perfect with its HDMI output and built-in WiFi and not much more. The plan is to add an IR sensor and to repurpose a small remote to control it (switch between the two MFDs on their boat), and some other stuff. I'm sure I can find a small one in one of my boxes. They'll connect to the WiFi network and then show a fullscreen VLC instance that shows the stream it's connected to. Easy. The hard part is waiting for the boards from China.
In a future blogpost, I've dreamed up an interesting device. This bad boy will have four WiFi interfaces so it can connect to both MFDs at the same time, connect to some other WiFi that has a path out to the internet, and then broadcast a network that bridges the other three together and firewalls you off so that you can be on shady public dock WiFi without worrying about data or devices bleeding over. Heck, you can even VPN back to your home network!
Is the OrangePi Lite capable of handling four networks, the communication between them, and one or two streams over said network? Dude, I don't know. It'd be cool if it could.
I don't get back down to where they live very often anymore, but I think it'd be an interesting project to pick up next time I do. And I think it'd be one of the few things that could possibly be marketed. But we'll see if that ever pans out.