Overview

The Polaroid Wave iD922 WiFi Camera is a decent handcam for outdoor recording and photography. The camera quality is rather nice and the selfie screen makes this a wonderfully fun hand-cam. It has expandable storage with an SD card slot, but the most interesting feature is its ability to stream video over its WiFi AP. Honestly, I can't find any use case for this as streaming is battery intensive, and not possible when charging... However, as the WiFi camera can make an AP and any device can connect to it, I tried to get it to stream to my laptop, and explored some of its software through its API. I even found a bug where the server seems to dump some of its memory when faced with a malformed request.

Python Streaming Code

Tool Used

Polaroid Wave WiFi CameraTarget Platform

NmapPort Scanning

JADXJava Decomping

ApktoolAPK Dissasembly

Python + OpenCVLaptop Streaming

Approach

I was interested as soon as I saw the camera had WiFi capabilities. I connected and found the camera's IP (192.168.1.8) through ipaddr, then nmapped it. I found two ports open, 80 and 8222. There was an HTTP site on port 80, but interestingly, it showed 'Object Not Found' at '/'. So I tried guessing a few common paths like '/index.html' and there was a 'JL2380 WiFi Control Demo' site with an html form to start streaming. So it seems the Polaroid Wave is based on this camera. The options in the page seem to freeze the server as once the form is submitted, it doesnt respond to any new requests. Port 8222 is where it streams images to, but streaming needs to be started using a GET request on SetMode.
It was time to take a look at the Android app to explore other endpoints. I downloaded the APK from APKpure and extracted it using apktool. Initially, I just grepped through the directory for the IP and fond a few strings. These were the endpoints I was looking for, which included '/SetMode', '/Setup', '/Storage' and a few commands passed as query parameters. Using this information, I was able to pull files stored on the SD card and get the current recorded image too. With this, I made a Python script which streamed these images and even implemented zooming, essentially doing everything the Android companion app could.

Challenges

This device is branded by Polaroid, but its original manufacturer is Jeilin, which doesnt share much firmware, or other information on its website. So, tracking down this specific camera was not possible, and I could not find anything useful to take a look at. Although the FCC-ID was provided most of the licence files were confidential and those that were not, did not reveal any new information.
On the hardware side, the camera build extremely compact and prying it open was a very difficult task, The PCB traces are also confusing and don't indicate obvious UART ports. Putting the camera back together was twice as difficult, as the battery had to be carefully oriented.

Next Steps

The Python app is just a simple implementation of the features and by no means an alternative to the Polaroid Wave app. Maybe to work on my frontend skills I would like to write a React based app with a polished UI/UX. The mystery of what actually runs on the device is still unsolved, as access to firmware seems impossible right now. Maybe with some help in microsoldering, I would like to try a chip-off firmware extraction. Also, a better look at the memory dump might reveal some more information.