FlockBlocker is a pocket-sized device that can be plugged into a Flock Falcon camera. Once plugged in, the device automatically sends shell commands to the Falcon camera using the exposed serial UART in the external connector. This UART shell does not require a login and provides a low-privileged shell on firmware versions we have looked at.

What can it do?

This prototype simply creates a file in the /sdcard partition on the target device as a proof of concept. Before plugging the device in, the /sdcard partition contained the following files:

msm8953_32:/ $ ls -l /sdcard/

total 52
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Alarms
drwxrwx--x 3 root sdcard_rw 4096 1970-01-01 01:12 Android
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 DCIM
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Download
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Movies
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Music
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Notifications
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Pictures
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Podcasts
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Ringtones
-rw-rw---- 1 root sdcard_rw 3179 2025-12-11 05:59 modem-reset.log
-rw-rw---- 1 root sdcard_rw 2363 2025-12-11 05:59 modem-shutdown.log
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 wlan_logs
msm8953_32:/ $ 

After the payload executed, a new file was created.

msm8953_32:/ $ ls -l /sdcard/
total 56
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Alarms
drwxrwx--x 3 root sdcard_rw 4096 1970-01-01 01:12 Android
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 DCIM
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Download
-rw-rw---- 1 root sdcard_rw   15 2025-12-11 06:04 HACKED   <-- New file
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Movies
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Music
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Notifications
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Pictures
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Podcasts
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 Ringtones
-rw-rw---- 1 root sdcard_rw 3366 1970-01-01 01:25 modem-reset.log
-rw-rw---- 1 root sdcard_rw 2502 1970-01-01 01:25 modem-shutdown.log
drwxrwx--x 2 root sdcard_rw 4096 1970-01-01 01:12 wlan_logs
msm8953_32:/ $ 

Contents of the file:

msm8953_32:/ $ cat /sdcard/HACKED

You got pwned!

FlockBlocker can be reprogrammed to enter any series of commands desired. Such commands could perform actions on the device such as:

• Turning the device off.
• Disabling the battery, requiring on-site repair of the battery.
• Installing new applications.

If combined with a privilege escalation vulnerability, a payload could potentially perform such actions as:

• Access images stored on the device.
• Inject fake images into the Flock system.
• Manipulate the AI model used to detect vehicles and other objects.

The Falcon cameras we have access to are not fully functional and so we are unable to develop a more complicated or interesting payload proof of concept at this time.

Where do I get one?

You can make one yourself! Read through this post to learn how to make it. You can download the STL and code from Codeberg. Then you can use FlockBlocker in your own research!

Background

Several Eyes Off Eugene members have been performing technical research on Flock Falcon ALPR devices acquired through legal means. Most of what was discovered has already been found and published by security researchers such as Gainsec and Kajer. In fact, both of those researchers provided us with various hardware to aid in our own research. So thank you to the both of them for their generosity and for sharing their research with the public!

Something we learned from prior research was that the Flock Falcon cameras use a Lantronix SD624A Audio Kit SOM under the hood. This board is connected to custom daughter boards that control the various peripherals on the Falcon device, such as the infrared LEDs, camera, battery, etc. The SOM is the blue PCB in the photo below.

All of the main computer components are on this SOM. The device runs an unsupported version of Android and has a debug kernel.

Serial UART Shell

We also learned that there is a serial UART port exposed on the Flock daughter board, though it is typically not populated. We soldered on three wires in order to interface with the UART.

It turns out that this UART exposes an low-privilege Android command shell with no login required. It's not root, but it's still a shell.

The Connector

One thing that we discovered that we hadn't seen published anywhere was related to the unusual electrical connector on the back of the Flock Falcon camera.

This is a 7-pin connector, though only six of the pins are electrically connected. The three top pins are thicker than the bottom four. We spent a lot of time trying to figure out what exactly this connector is and where we could purchase its mate for experimentation. However, we were never able to find a perfect match. The closest we found was an Amphenol connector on page 42 of this catalog.

It still didn't seem quite right, though. Very close, but not right. In spite of not being able to find the correct connector, we still wanted to know what all the pins were used for. We were able to determine the purpose of 5/6 connected pins.

As you can see from the image, the top three pins are for a solar panel, ground, and a 12V line. When the camera is turned on, the 12V pin provides power. One of the bottom pins is not connected. Another one is still unknown to us. But, we were surprised to learn that two of the bottom pins were directly connected to the UART. This means that if you can get physical access to a Flock Falcon camera, you can connect an FTDI to these pins plus the ground pin and get a shell on the device.

This was really interesting because a malicious actor could theoretically attempt to take control of the device through this interface without even needing a password.

Obstacles

The biggest hurdle to actually pulling off an attack like this is simply being able to physically reach the device, as many of them are installed 12 feet up on a pole.

However, we've also seen many installations on smaller 6 foot poles just stuck in the ground. A camera on a pole like that would be easy to reach.

With that in mind, we thought it was worth exploring this exposed UART shell. First, we had to figure out how to connect wires to these pins without a connector. We found that the four small pins were just the right size for standard DuPont jumper wires. These are inexpensive and easy to come by. The three larger pins required a different solution. We found that 0.062" Molex pins were just right. After wiring up the UART RX and TX pins along with the ground pin, we were able to confirm with an FTDI that we could get a low privileged shell with no login required through this connector.

Custom Connector

Assuming an attacker can physically reach the device, the next hurdle would be finding a way to actually plug the FTDI into the Falcon port. Since we were unable to find a source for the 7-pin connectors, we would have to connect each wire individually, which is cumbersome and slow. But, we were able to build our own plug as a proof of concept to demonstrate that it could be done inexpensively and easily, as long as you have access to a 3d printer.

To build this test plug, we first measured the connector on the back of the Falcon with calipers. We then created a top-down 2D image of the connector.

Once we had the image, we imported it into a 3d modeling tool where we could extrude it into a 3d model. With a few more tweaks we had the test design complete.

This plug is designed to act as a sort of shell that sits inside the Flock connector and allows all seven pins to come through.

The holes were a tad small, but forcing the plug into the Flock connector caused them to open up to the correct size, while being snug.

The next step was to add a wire to each pin. Although we only really needed three pins, we needed to cover them all to prevent hot glue from sticking to the unused pins in the next step.

Finally we fired up the hot glue gun and just jammed a bunch of hot glue down into the connector, taking care not to allow any of the pins to touch each other. Having each pin covered ensured the hot glue would not adhere to the pin, causing the plug to be glued to the camera connector.

This actually worked surprisingly well. We were able to remove and reinsert the plug many times without any problems. This proved that the concept was sound and we could fairely easily build our own connector.

Final Design

With the ability to make a functional connector, the final hurdle for an attacker would be time. Even if an attacker were able to reach a Falcon camera and also bring a custom plug to interface with the UART, they would still be standing there out in the open with a laptop connected to the camera. Not exactly inconspicuous. Is it possible to work around this hurdle?

For this, we turned to an approach similar to the USB Rubber Ducky penetration testing tool. The USB Rubber Ducky looks like a USB thumb drive, but actually simulates a USB keyboard. If an attacker plugs the device into a computer, the computer will think it is a keyboard and the device will being automatically typing in keystrokes and commands that the attacker configured ahead of time. We thought we could use a similar approach here.

The idea was to create a small device that could easily be plugged into the Flock connector and would automatically execute a predetermined payload. This would be small, fast, and inconspicuous. It also turns out to be quite inexpensive!

We had already learned we could create a custom plug for the connector. The next step was to find some electronics hardware we could use that could talk to the serial UART. Ideally it would be small, inexpensive, and easy to work with. We found just the thing with Adafruit's Trinket M0.

The Trinket M0 runs on 3.3V logic, which matches the Flock camera's serial UART voltage. It also has built-in support for serial communication at that logic level, as well as a USB port with another serial interface. It has a few built-in LEDs, is tiny, and cost less than $9 USD at the time of this writing! What's more is the device can run CircuitPython, which makes it incredibly easy to program. We were able to write all of our code in a simple Python script. When plugged into a computer, the Trinket shows up as a USB drive. We simply copy our Python script over to the drive and it starts running our code. Incredibly simple. It was perfect.

The last thing to figure out was power. The Trinket M0 requires between 3V and 6V input power. It will regulate it down to the required 3V. We didn't want to have to include a battery. Luckily the Flock connector includes ground and 12V pins. We could power the Trinket from this 12V pin, but we'd have to regulate the voltage down to something the Trinket could handle. Adafruit also sells a 3.3V buck converter. This circuit accepts up to 21V and regulates it down to 3.3V. It's also tiny, which was perfect for our application. It cost less than $6 USD at the time of this writing.

The buck converter connected to the Trinket using just the GND and 3V pins. We used headers for this. We also attached a 2-pin header to the buck convertor's Vin and En pins, though the En pin was actually unecessary.

With the electronics finished, we needed to attach the plug. However, we wanted to make this thing easier on the eyes. We designed a small 3d-printable case, big enough to house the electronics. It comes in two pieces. One piece is the main case.

The second piece is a cover which has an integrated plug. The plug is printed face down, which requires support material for a successful print.

This version of the plug differs from the original test version. This one is not just a shell. It actually is much thicker and has longer holes to fit the DuPont and Molex connectors inside the plastic within the connector. This required a bit of manual work after the print since our 3D printer did not print the holes exactly the right size. They were a bit small. We ended up drilling the smaller holes out with a 5/16" drill bit, and the larger holes with a 7/64" bit. This seemed to be pretty much perfect for the connectors to fit snugly inside. We also had to sand down bits of the connector to get it to fit nicely into its mate.

This time we didn't use hot glue, but instead just a bit of super glue. This is likely not as strong, but it was less messy and didn't risk melting the wire insulation.

The last step was to solder the wires up to the electronics, keeping the wires short so it would fit in the case.

After sliding the circuit into the case, the top snapped in place.

One final modification was to drill a small hole in the back of the case just over the Trinket's LED. This was we could use it to indicate status of the payload.

The Code

Code can be found on Codeberg. It's fairly simple. It first sets up the status LED and serial ports. Then it checks the /sdcard mount on the Falcon over and over to ensure it is mounted. On our Falcon camera, it takes a few minutes for /sdcard to mount. During this loop, it blinks the red LED light so the user can see that it is waiting. Once it detects that /sdcard was mounted, it runs a command to create the file "/sdcard/HACKED" with the contents "You got pwned!" as a proof of concept. After that, it turns the status LED to solid on so the user knows the payload ran successfully. The commands entered can easily be updated by modifying the following line:

uart.write(b"echo 'You got pwned!' > /sdcard/HACKED\r\n")

Additional lines may be added to submit more than one command.

Future

We would love to build a more interesting payload for this device. However, the Falcon devices we currently have access to are running a very old firmware and also do not appear fully functional. FockBlocker can likely be combined with Gainsec's research to build a payload that can completely compromise the target device. If we obtain a Falcon with a more recent functional firmware, we will give it a try.