Sulkta-Coop/adacam
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
adacam/docs/research/adacam-master-audit.md

22 KiB
Raw Blame History

ADAcam (Hivemapper Bee) Master Device Audit

Date: 2026-03-29
Device ID: 2P007435
Assembly UUID: 3a43e0b9-ea21-5d94-bb45-92bdac8cde94
Firmware Version: 20260309193836

Executive Summary

The Hivemapper Bee dashcam (codename "Keembay") is running a heavily modified firmware that:

  1. Blocks all Hivemapper phone-home endpoints via /etc/hosts
  2. Blocks HERE data upload APIs (HERE plugin runs but can't upload)
  3. Masks Mender OTA updates to prevent firmware rollback
  4. Runs ADAMaps data collection via custom adacam_odc.py service
  5. Has reverse SSH tunnel configured to Lucy (192.168.0.5) for remote access

1. System Overview

Hardware

  • SoC: Intel Keembay KMB (ARM64 Cortex-A53, 4 cores @ 700MHz)
  • RAM: 3.5GB total (1.4GB used, 1.9GB cached)
  • Storage:
    • Root: 7.2GB (5.2GB used) - /dev/mmcblk0p12
    • Data: 23GB (8.1GB used) - /dev/mmcblk0p14
  • eMMC: Toshiba DG4064 64GB (11 partitions, A/B update scheme)
  • LTE Modem: Telit LE910C4-NF (IMEI: 351369652125828)
  • WiFi: Dual-band (2.4GHz + 5GHz), dual interface (AP + client mode)

OS

  • Distribution: meta-intel-ese Reference Distro 2.0-dunfell (Yocto-based)
  • Kernel: Linux 5.4.86-intel-lts-km #1 PREEMPT
  • Python: 3.8
  • Architecture: aarch64

Network Configuration

Interface IP Purpose
wlp1s0f0 192.168.0.10/24 WiFi AP (phone connects here)
wlp1s0f1 192.168.0.155/24 WiFi Client (home network)
br0 192.168.197.55/28 USB tethering bridge
wwan0 (down) LTE modem

Listening Ports

Port Process Purpose
22 sshd SSH access
53 dnsmasq DNS for connected devices
5000 adacam_odc.py ODC API (HTTP)
9001 datalogger Unknown
11492 depthai_gate ML inference gateway

2. Persistence Mechanism

/data/persist/install.sh

The device uses a persistence script at /data/persist/install.sh that survives RAUC OTA updates because it lives on the /data partition (not rootfs). This script:

  1. Installs SSH key for remote access:

    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII5ckRf/4SA84JOrmJtElHBT3dU9RC2Le5GBfqhWWVc8 root@keembay

  2. Creates bee-tunnel.service for reverse SSH to Lucy:

    ssh -i /data/ssh/bee_tunnel_key \
  -R 2222:localhost:22 \
  -L 19999:localhost:1340 \
  root@192.168.0.5

  3. Masks Mender OTA:

    systemctl stop mender
systemctl disable mender
systemctl mask mender

  4. Blocks Mender network access via iptables

  5. Blocks Hivemapper/HERE APIs via /etc/hosts

/etc/hosts Block List

0.0.0.0 account.api.here.com
0.0.0.0 direct.data.api.platform.here.com
0.0.0.0 api-lookup.data.api.platform.here.com
0.0.0.0 direct.data.api.platform.in.here.com
0.0.0.0 edge.hereapi.com
0.0.0.0 api-lookup.data.api.platform.sit.here.com
0.0.0.0 hivemapper.com
0.0.0.0 api.hivemapper.com
0.0.0.0 device.api.hivemapper.com

3. Running Services

Active Custom Services

Service Description Status
adacam-odc.service Combined ODC API + ADAMaps Forwarder Active
map-ai.service ML pipeline (object detection, classification) Active
depthai_gate.service DepthAI ML inference gateway Active
redis-handler.service Sensor fusion to Redis Active
hivemapper-data-logger.service GNSS/IMU data logger Active
video-processor.service Video encoding with timestamps Active
here-plugin.service HERE location services (blocked) Active
lte.service LTE modem controller Active
redis.service Redis state store Active
hostapd.service WiFi AP Active

Custom/Modified Services

Service Description Status
bee-tunnel.service Reverse SSH to Lucy ⚠️ Auto-restarting (can't reach Lucy)
bee-collector.service MapNet detection collector Disabled
adamaps-persist.service Persistence loader Failed (boot clock issue)

Disabled/Masked Services

Service Reason
mender.service Masked to prevent OTA updates
beekeeper-plugin Disabled in SQLite config

4. Data Flow Architecture

┌─────────────────────────────────────────────────────────────────┐
│                    HIVEMAPPER BEE CAMERA                         │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  ┌──────────────┐   ┌──────────────┐   ┌──────────────────────┐ │
│  │   Cameras    │   │  GNSS/IMU    │   │     LTE Modem        │ │
│  │  (Stereo)    │   │   u-blox     │   │   Telit LE910C4      │ │
│  └──────┬───────┘   └──────┬───────┘   └──────────────────────┘ │
│         │                  │                                     │
│         ▼                  ▼                                     │
│  ┌──────────────────────────────────────┐                       │
│  │          datalogger (Go binary)       │                       │
│  │   Parses GNSS, IMU at 197Hz/4Hz       │                       │
│  └─────────────────┬────────────────────┘                       │
│                    │                                             │
│                    ▼                                             │
│  ┌──────────────────────────────────────┐                       │
│  │          Redis (localhost:6379)       │                       │
│  │   GNSSFusion30Hz, FRAME_COUNT_RGB     │                       │
│  └─────────────────┬────────────────────┘                       │
│                    │                                             │
│         ┌──────────┴──────────┐                                 │
│         ▼                     ▼                                 │
│  ┌──────────────┐      ┌───────────────┐                       │
│  │ RedisHandler │      │    map-ai.py   │                       │
│  │  (C++ bin)   │      │  ML Pipeline   │                       │
│  └──────┬───────┘      └───────┬────────┘                       │
│         │                      │                                 │
│         ▼                      ▼                                 │
│  ┌──────────────┐      ┌───────────────┐                       │
│  │ SQLite DBs   │      │ depthai_gate  │                       │
│  │ sensors-v3   │      │  (VPU/HailoRT)│                       │
│  │ fusion-v3    │      └───────┬────────┘                       │
│  └──────────────┘              │                                 │
│                                ▼                                 │
│                   ┌────────────────────────┐                    │
│                   │   StoreLandmarks.py     │                    │
│                   │   Merges observations   │                    │
│                   │   Ray intersection      │                    │
│                   └───────────┬─────────────┘                    │
│                               │                                  │
│                               ▼                                  │
│                   ┌────────────────────────┐                    │
│                   │   odc-api.db (SQLite)   │                    │
│                   │   landmarks, framekms   │                    │
│                   │   map_features          │                    │
│                   └───────────┬─────────────┘                    │
│                               │                                  │
│                               ▼                                  │
│                   ┌────────────────────────┐                    │
│                   │     adacam_odc.py       │◄──── HERE plugin  │
│                   │   - HTTP API :5000      │      (blocked)    │
│                   │   - ADAMaps forwarder   │                    │
│                   │   - Cleanup tasks       │                    │
│                   └───────────┬─────────────┘                    │
│                               │                                  │
└───────────────────────────────┼──────────────────────────────────┘
                                │
                                ▼
                   ┌────────────────────────┐
                   │  https://api.adamaps.org │
                   │  /api/ingest            │
                   │  /api/images            │
                   └────────────────────────┘

5. ML Pipeline (map-ai.py)

Models Loaded

Model Hash Status Purpose
ObjectDetectionUS ee735d8f... Active YOLO v8, 22 classes
highlandUs 3a3c55c5... Active Secondary detection (19 classes)
laneDetection cc1bb1e9... Active Lane marking detection
classifySpeedLimit b35b5d62... Active Speed value OCR (5-85 mph)
classifySpeedTypeUS 779506c7... Active Speed sign type classifier
classifyTurnRule 2dc3689a... Active Turn restriction classifier
classifyOnRed 479a1d98... Active No-turn-on-red classifier
classifyHighwaySignType c997e90a... Active Highway sign classifier
hereClassifier 5c6b6885... Active HERE landmark classifier
embeddings cbcce4da... Active Feature embeddings

Detection Classes (ObjectDetectionUS)

  1. regulatory-speed-sign
  2. stop-sign
  3. parking-restriction-sign
  4. turn-restriction-sign
  5. highway-sign
  6. do-not-enter-sign
  7. one-way-sign
  8. yield-sign
  9. street-name-sign
  10. traffic-light
  11. general-orange-sign
  12. other-prohibitory-sign
  13. general-yellow-sign
  14. vehicle-flow-sign
  15. advisory-speed-sign
  16. no-parking-symbol-sign
  17. stop-sign-back
  18. fire hydrant
  19. parking-information-sign
  20. handicapped-parking
  21. multi-parking-sign

Highland US Classes (Secondary)

  • roadwork-cone, roadwork-post, roadwork-panel, roadwork-barrel, roadwork-barricade
  • face, license-plate (privacy classes - blurred)
  • one-way-sign, yield-sign, roadwork-sign, dead-end-sign
  • road-closed, low-clearance
  • deer-sign, cattle-sign, horse-sign
  • bump-sign, railroad-crossing, railroad-sign

Position Merging (StoreLandmarks.py)

The system uses sophisticated position estimation:

  1. Ray Intersection Method - Triangulates landmark position from multiple camera angles
  2. Stereo Depth - Uses stereo camera pair for depth estimation
  3. Minimum Enclosing Circle - Filters outlier observations (max radius 2m)
  4. Behind-camera rejection - Validates landmark is in front of camera
  5. Distance rejection - Max 50m for signs, 200m for utility poles

6. Databases

/data/recording/odc-api.db

Tables:

  • landmarks - Raw detection observations
  • map_features - Merged landmarks with position
  • framekm - 1km video chunks with metadata
  • config - Runtime configuration
  • deviceInfo - Device identification
  • model_zoo - ML model registry
  • plugins - Plugin enable/disable state
  • instrumentation - Telemetry/metrics

Current State:

  • 7,814 detections forwarded to ADAMaps
  • 2,921 images uploaded
  • Device Anonymous ID: fvhL2I-iCT

Plugin State:

Plugin Status
beekeeper-plugin disabled
here-plugin enabled (but API blocked)

/data/recording/redis_handler/*.db

  • fusion-v3-0-0.db - GNSS fusion data (15MB)
  • sensors-v3-0-0.db - IMU/sensor data (1.7MB)
  • gnss-raw-v3-0-0.db - Raw GNSS (4KB)

7. Redis State

Key Metrics

Key Value Description
MAP_AI_READY True ML pipeline active
FRAME_COUNT_RGB 5261 Frames processed
GnssFreqHz 3.98 GPS update rate
ImuFreqHz 197.29 IMU update rate
REDIS_HANDLER_SESSION_ID 1c6ce926 Current session

Current Position (GNSSFusion30Hz)

  • Latitude: 33.8838881°
  • Longitude: -118.3698625°
  • Speed: 0.009 m/s (stationary)
  • Heading: 109.03°
  • Location: Redondo Beach, CA (Cobb's driveway)

8. ADAMaps Integration

Configuration (/data/adacam/config.json)

{
  "api_key": "adamaps-ingest-2026",
  "api_url": "https://api.adamaps.org",
  "upload_images": true,
  "forward_detections": true,
  "poll_interval_sec": 30,
  "cleanup_after_days": 10
}

Forwarder State (/data/adacam/forwarder_state.json)

{
  "total_forwarded": 7814,
  "total_images": 2921,
  "last_forwarded_id": 7814,
  "last_forward_time": "2026-03-29T23:45:12"
}

adacam_odc.py Features

  • HTTP API at port 5000 (replaces stock odc-api)
  • ADAMaps Forwarder - Sends detections to https://api.adamaps.org/api/ingest
  • Image Upload - Sends detection frames to /api/images
  • USB Tethering Detection - Auto-configures br0 for phone USB
  • WiFi Management - API to connect to networks
  • Cleanup Task - Removes framekm files >10 days old
  • Live Preview - Camera preview capability

9. Network Security

Blocked Endpoints (via /etc/hosts)

All Hivemapper and HERE API endpoints are null-routed:

  • hivemapper.com, api.hivemapper.com, device.api.hivemapper.com
  • account.api.here.com, edge.hereapi.com
  • direct.data.api.platform.here.com

Mender OTA Blocked

  • Service masked via systemd
  • iptables rules drop traffic to hosted.mender.io, downloads.mender.io
  • Deep packet inspection blocks "mender.io" string

WiFi Configuration

AP Mode (wlp1s0f0):

  • SSID: (hidden, uses hardcoded hivemapper defaults)
  • Password: hivemapper
  • Mode: 5GHz, channel 36, WPA2

Client Mode (wlp1s0f1):

  • Connected to: "Plumb bob" (priority 10)
  • Also configured: "zerocool"

10. File System Layout

Key Directories

Path Purpose
/opt/dashcam/bin/ Core binaries (datalogger, RedisHandler)
/opt/map-ai/ ML pipeline Python code
/opt/video-processor/ Video encoding service
/opt/depthai-gate/ ML inference gateway
/data/adacam/ ADAMaps custom code
/data/mapnet/ Bee collector scripts
/data/persist/ Persistence scripts
/data/recording/ Sensor data, landmarks, framekms
/data/zoo/ ML model blobs (v1)
/data/zoo_v2/ ML model blobs (v2)
/data/plugins/here-plugin/ HERE plugin binary

Storage Usage

Directory Size
/data/recording 5.4GB
/data/swap 2.1GB
/data/gt_core 642MB
/data/zoo 80MB
/data/zoo_v2 60MB
/data/persistent 46MB

11. Key Source Files

/data/adacam/adacam_odc.py

Main service that:

  • Implements HTTP API on port 5000
  • Forwards detections to ADAMaps
  • Handles WiFi/USB tethering
  • Runs hourly cleanup of old data

/opt/map-ai/map-ai.py

ML pipeline orchestrator:

  • Loads ML models via depthai
  • Runs object detection (US/EU models)
  • Privacy blur (faces/plates)
  • Depth estimation (SGBM stereo)
  • Landmark position calculation
  • Classification routing

/opt/map-ai/nodes/StoreLandmarks.py

Position merging logic:

  • Groups detections by track_id
  • Ray intersection triangulation
  • Stereo depth confidence weighting
  • Outlier rejection via enclosing circle

/data/mapnet/bee_collector.py

Detection collector (currently disabled):

  • Polls odc-api for new landmarks
  • Sends to ADAMaps API
  • Also sends GPS track every 5 minutes
  • Uploads detection frames

/data/persist/install.sh

Persistence mechanism:

  • Runs at boot from /data partition
  • Installs SSH keys
  • Creates bee-tunnel service
  • Blocks Mender/Hivemapper/HERE

12. Binaries

/opt/dashcam/bin/datalogger

  • Type: ELF 64-bit ARM64 (Go, statically linked)
  • Purpose: GNSS/IMU data acquisition
  • Libraries: u-blox GPS parser, go-redis

/opt/dashcam/bin/RedisHandler

  • Type: ELF 64-bit ARM64 (C++, dynamically linked)
  • Purpose: Sensor fusion to Redis
  • Libraries: hiredis, redis++, protobuf

/usr/bin/depthai_gate

  • Type: Python 3 module with shell wrapper
  • Purpose: ML inference gateway via Flask API
  • Port: 11492
  • Features: Session management, firmware package extraction, watchdog

/data/plugins/here-plugin/here-plugin

  • Type: Symlink to /opt/here-plugin/here-plugin (C++ binary)
  • Purpose: HERE Maps integration (blocked)
  • APIs Called: (all blocked via /etc/hosts)
    • https://edge.hereapi.com/api/feedback/mapgap/v1
    • https://account.api.here.com/oauth2/token
    • https://direct.data.api.platform.here.com/direct/v1

13. Current Issues

⚠️ bee-tunnel.service

Status: Auto-restarting (exit code 255)
Issue: Cannot reach Lucy (192.168.0.5:22)
Impact: No remote access via reverse tunnel

adamaps-persist.service

Status: Failed at boot
Issue: Ran before RTC sync (timestamp shows 1970-01-01)
Impact: Persistence script may not have run properly

bee-collector.service

Status: Disabled
Issue: Service is not enabled
Impact: Not collecting detections via this path (adacam_odc handles it)

⚠️ LTE Service

Status: Active (monitor mode)
Issue: Frequent restarts in logs
Impact: LTE connectivity may be intermittent

14. Privacy Zones

/data/ppz.json

[[-118.36980581955551, 33.883710336622116, 100]]
  • Location: Cobb's house (Redondo Beach)
  • Radius: 100 meters
  • Purpose: No recording/detection within this zone

15. LTE Configuration

Modem: Telit LE910C4-NF

  • IMEI: 351369652125828
  • SIM ICCID: 89148000010586449753
  • Mode: QMI (Qualcomm MSM Interface)
  • Interface: wwan0 (currently DOWN)

/usr/bin/lte-init.py

Comprehensive LTE controller:

  • Supports Telit LE910C4-NF (NA) and LE910C4-WWXD (worldwide)
  • QMI and ECM connection modes
  • Auto-detects carrier for APN configuration
  • Signal strength monitoring
  • Network registration polling

16. Model Zoo Details

Version 1 Models (/data/zoo/)

Model Classes Input Size Purpose
ObjectDetectionUS 22 640x640 Primary detection
SpeedClassificationUS 22 (8 negative) 224 Speed value OCR
SpeedTypeUS 14 (9 negative) 224 Speed sign type
TurnRuleUS 6 224 Turn restrictions

Version 2 Models (/data/zoo_v2/)

Model Size Purpose
highlandUs.blob 9.3MB Secondary detection (19 classes)
laneDetection.blob 45MB Lane marking detection
hereClassifier.blob 7.6MB HERE landmark classifier (300+ classes)

17. Mender Configuration

/etc/mender/mender.conf

{
    "InventoryPollIntervalSeconds": 28800,
    "RetryPollIntervalSeconds": 300,
    "ServerURL": "https://docker.mender.io",
    "TenantToken": "dummy",
    "UpdatePollIntervalSeconds": 1800
}
  • Status: Masked (systemctl mask mender)
  • Network: Blocked via iptables
  • Purpose: Prevents Hivemapper from pushing firmware updates

18. Recommendations

Security

  1. Rotate SSH key - Current key is stored in multiple locations
  2. Review iptables rules - Verify mender.io blocking is active
  3. Check bee-tunnel - Currently failing to connect to Lucy

Maintenance

  1. Enable bee-collector if additional data collection needed
  2. Fix adamaps-persist timing issue
  3. Monitor LTE restarts - May indicate SIM/carrier issues

Data Collection

  1. 7,814 detections forwarded to ADAMaps successfully
  2. 2,921 images uploaded
  3. Current storage: 5.4GB recording data

Appendix A: Full Service List

adacam-odc.service          active   ADAcam Combined Service
bee-tunnel.service          restart  Reverse SSH tunnel to Lucy  
depthai_gate.service        active   DepthAI Gate
here-plugin.service         active   HERE Plugin (blocked)
hivemapper-data-logger.service active Data Logger
hostapd.service             active   WiFi AP
lte.service                 active   LTE controller
map-ai.service              active   Map AI
redis-handler.service       active   Sensor Fusion
redis.service               active   Redis
video-processor.service     active   Video Processor
bee-collector.service       dead     MapNet collector (disabled)
adamaps-persist.service     failed   Persistence loader
mender.service              masked   OTA updates (blocked)
beekeeper-plugin.service    dead     Beekeeper (disabled in DB)

Appendix B: Key File Checksums

File Purpose
/data/adacam/adacam_odc.py Main ADAMaps service
/data/persist/install.sh Boot persistence
/data/mapnet/bee_collector.py Detection collector
/opt/map-ai/map-ai.py ML pipeline
/opt/map-ai/nodes/StoreLandmarks.py Position merging

Audit completed 2026-03-29 17:56 PDT