Rover 2 SpyTank Teardown

Brookstone Rover 2.0 SpyTank Teardown

Brookstone SpyTank

The Brookstone SpyTank is a track-driven spy cam with night vision that you can remote control using a tablet computer.  It includes auditory listening and loudspeaker functionality in its arsenal of intelligence gathering weaponry.  Drive it around to surveil targets, gather intelligence, and master your environment.  Your home may never be the same.

While the SpyTank provides an initial high level of fun for a wide range of users, it tends to lose its appeal fairly quickly.  It’s one of those toys that is relegated to the closet shortly after its first set of batteries die.

There are other reasons to buy the SpyTank, however.  Embedded Systems Designers will quickly realize that the SpyTank is a networkable, mobile, embedded computer with a cool camera.  For $150, it packs a big technology punch.  You would be very hard-pressed to put together a similar platform from off-the-shelf components for the same price.  It’s probably running Linux.  And hey – it just looks cool.

Product Review

In OE (Original Equipment) trim, the SpyTank worked well with an iPad tablet.  While it was controllable using a Kindle Fire HD and a Nexus 7 running Jelly Bean, video was not available on either Android platform.  Your mileage may vary with other Android tablets.

Controlling the tank using the app and live video feed alone is a little tricky as there is a perceivable delay between what you see on the tablet and real life.  You have to think ahead to avoid repeatedly smacking into obstacles.  The trickiness of the left and right track controls adds to the challenge.  With a little practice, you can make the tank stumble around where you want, but a steering wheel and forward/backward joystick would probably be more effective.  The experience of driving a tank may be part of the novelty to this little device, but the lack of control tactility is a limiting factor.

Teardown

Not only would “hacking” this platform be a good learning experience for those wishing to design similar technology, we may be able to make it function better.  While the SpyTank possesses a lot of potential as a development platform, the verdict is still out how easily it can be modified.  Follow along for some pictures of the SpyTank internals to get some ideas how you may use it for your own projects.  Maybe you can take it to the next level?  I’ll include some hints as to what that might entail.

The chassis comes apart very easily.  Simply remove all screws from the bottom of the tank and it will split in two main sections.  There aren’t even any hidden screws under stickers for tamper evidence.  Several sets of wires connect the two halves.  Unplug the necessary wires using the connectors for further disassembly.  All connectors have unique shapes and colors, so putting everything back together without making mistakes is relatively simple.

Top and Bottom Halves

Top and Bottom Side-By-Side

The top of the SpyTank holds the motorized camera turret, the Wifi module, antenna connector, a speaker for audio transmission, and the “status” LED.

Tank Top

The bottom of the SpyTank contains a drive-train, reset button, power LED, battery holder, park lights, and the main controller board.  Everything is connected to the controller board using connectors, which makes it easier to work on.  The tracks do not have to be removed, but they are easy to pull on and off.

Tank Bottom

The drive-train consists of a motor and gearbox in the back for the rear wheel and an idler wheel on the front.  A spring-loaded slide mechanism on the idler wheel keeps the rubberized tracks taught between each set of two wheels.  The idler wheel somewhat floats up and down because of the way the slide mechanism is connected to the chassis.  This floating action and the spring combine to provide a suspension for the tank as well.  Multitasking the spring like this is ingenious design; intended or not.

Front Suspension

The motor and gearbox are modular and look very easy to reuse.

Rear Motor and Gearbox

Shown below is the top of the control board.  It includes an anonymous CPU/SOC (System On Chip) with no markings on the 128 pin TQFP, a Winbond SDRAM chip, a ULN2803, four ME4542 ICs, two FP6188 ICs, a GPY0030B chip, an unknown IC labeled RC816, and an F84KYZZ IC.  Datasheets for the parts are shown below along with links.

Top of Control Board

The bottom of the control board features a flash chip and a few discrete components.  Looking at silk-screened labels on a PCB can often provide useful information.

Bottom of Control Board

We learn the location of a potential serial port which may aid in hacking the device.  These pins run down to a daughterboard on the bottom of the tank chassis.

UART Location

The motor for the camera allows users to point it up and down within the turret.  Judging from the number of wires, it looks like a stepper motor.

Motor for camera

A shot of the camera module itself.

Camera Module

The Wifi module links to the control board with four wires.  If you’re thinking USB, you’re probably right.  The markings on it are BL-RT3070-U2.

Wifi Module

Datasheets

• RAM:  Winbond SDRAM
• ROM:  S29GL032N
• CPU:  128 pin TQFP – no discernable labeling or markings
• RT3070 based Wifi module
• H-Bridge: ME4542
• Buck Regulator:  FP6188
• Audio Driver: GPY0030B
• Stepper Motor Driver: ULN2803
• Unknown IC: RC816
• Unknown IC: F84KYZZ

How It Works

The main drive motors are controlled by two H-Bridge circuits, which are made up of the ME4542 MOSFET ICs.  They’re probably switched by GPIO signals from the CPU and provide skid steer by allowing independent forward and backward commands on each side.

The ULN2803 is likely used as a stepper motor driver for the turret control motor.  It’s not a regular servo motor.  A limit switch allows the CPU to determine when the camera is pointing all the way up (or down maybe).  The user can move the turret in small “steps” with easy software control of the stepper motor.  It’s a simple and effective design.

The FP6188 chips provide voltage regulation for the device.  They convert the voltage the batteries provide into levels more palatable to the ICs and other circuitry.  They may provide power for motors, but it’s likely that the motors connect directly to the batteries.

The GPY0030B is an audio driver IC.  It’s likely used for the loudspeaker.  Users can send their voice from a controlling tablet to the tank for others to hear.

A mic is also included in the camera turret.  I’m not sure how that circuitry works.  There are a couple other ICs that may do the job.  I couldn’t locate datasheets for them.

The camera and Wifi module are probably connected via USB to the SOC.  The OS (Operating System) contains software to make them work.  Commands and audio are sent from the tablet to the tank, and video and audio are sent from the tank to the tablet.

Next Steps

The system is probably running Linux.  It takes a while to become ready after the power switch is turned on, which is typical of Linux.  A smaller RTOS would likely come up much faster.  The fact that the device requires networking, and streaming of sound and video also lends itself to a Linux system.  Linux already includes much of the software to make everything work.  The size of the RAM and Flash suggest a lean, but very workable Linux based system.

My guess is the CPU contains an ARM core.  Maybe it’s an Atmel ARM based CPU, for example?  Determining what CPU/SOC the SpyTank contains is a big part of making it highly customizable.  It is likely a lot can be done using the software already on the device, though.

The flash could be desoldered and probably socketed with relative ease.  This would allow hackers to examine the system’s root filesystem.  Doing this would tell us the instruction set of the SOC, and provide a list of software that’s on the system.  Modifications could be made to the system by reflashing the ROM with a programmer.  If the flash was socketed making changes becomes a fairly easy proposition.  Once a way into the system is established this method quickly becomes too slow, and faster ways to make changes become available.

The Wifi and camera are probably connected as USB devices.  Other devices like thumb-drives or ethernet bridges could be connected in their place.  The existing Wifi can probably be used for NFS or SSHFS mounts for quicker development.

A simple network probe for all open ports on the device might turn something interesting up.  Check out the nmap tool and hit it from your computer once associated to the device’s Wifi network.

One thing to commonly look for on an embedded system is a serial port.  The serial port is often used for console access.  It may not even require a password.

I mentioned a daughterboard on the bottom of the tank’s chassis earlier in the article.  That board exposes a reset switch and a connector for the serial port.  By removing two plates, the serial port pins are exposed for easy connection.  These pins are likely only 5V or 3.3V tolerant, so don’t connect a regular RS232 port to them.  You’ll probably need to get a level converter or special cable.  Take a look at the signals on a scope to get a hint.

Miscellaneous Diagrams

Shown here is the serial port access door.  Remove the larger door first by removing the screw, then remove the smaller cover by prying it from its hole.  The pins are GND, RX, TX from left to right in the picture below.

Serial Port Access

Here’s a listing of the connectors.  The “turret limit” connector probably also contains the mic signals.

Connector map

Have Fun

I may explore this system a little more in the future if I can find time.  It looks pretty easy to work with.  I initially scoured the net looking for a teardown on this little device, but couldn’t find anything.  Oddly enough, when I was searching part numbers for the Wifi unit, I came up with an AC13 Brookstone Rover article with a lot of great data.  It’s an older version of the same toy, but they look very similar.

Let me know if you find anything new about the SpyTank.  I will include updates here if I make any future progress.  Most of all – have fun!