Why would anyone want to do this ?

Well quite simply put try using a touch screen out in the field especially in the landscape photography. It is a real pain. You’ve got glove on, it’s cold and wet and now you have to fiddle with a phone! When I am photographing, I don’t want to use a smartphone. I personally associate mobile photography with snapshots and not with serious landscape images.

So I had a curiosity if it would be possible to make a wireless remote controller using a ESP8266 or Raspberry Zero instead of the Android or iPhone application.

The first step would be just to get the shutter to fire and then add extra functionality. After some searching around I found a repository in C++ using TCP ports to connect to a FujiFilm camera. I figured if it runs on a desktop computer like a Mac or PC it may well run on a smaller embedded device such as a ESP8266 or Raspberry. But first I need to compile and test the code. Here’s how I got on…

Source Code

The source code for the reverse engineering the wireless client communication for the Fujifilm Camera can be downloaded for the git repo here https://github.com/hkr/fuji-cam-wifi-tool.

Using Visual Code and CMake

To compile the source code you just need CMake which is free and open source for Windows/Mac/Linux. However if you wish to develop the code further a IDE is recommended. Therefore as I code in Visual Studio I had a bias in the direction of Visual Code from Microsoft. Visual Code is an open source editor which can be used on any platform.

Software list:

The code can be updated and compile directly in the Visual Studio Code IDE making life easier to read and edit the logic of the software.

Following the link there is an excellent description how-to get CMake and Visual Code working together – https://medium.com/audelabs/c-development-using-visual-studio-code-cmake-and-lldb-d0f13d38c563

It compiles!!

Executing the Code

Testing the ‘Hacked Client’ on the Fujifilm Camera

Fuji Camera Wireless activated

Fuji Camera Wireless activated

Connecting to the FujiCamera

Connecting to the FujiCamera

.Seems to negotiate and recognise…

Client connected to the Fuji Camera

Client connected to the Fuji Camera

On the camera choose ‘ok’ then the following message appears :

Fuji Camera Client Connection

Fuji Camera Client Connection

Then the output from the terminal.

As you can see the ‘Hacked client’ code is out of date something has changed. Therefore we need to compare the TCP packets to a legitimate communication. The next section I attempt to record the TCP packets.

Capturing the Communication

First capture a working client such as Camera Remote from Fuji on an iPhone or Android connection using Wireshark.

To capture the communication between the camera and the mobile phone you’ll need WireShark to capture the TCP packets.

How to do this is simple, by connecting your computer to the same wireless ad hoc network the Fujifilm camera setups when in Wireless Mode. Once you’re connected to the camera’s network. Use Wireshark to capture the traffic. Ensure promiscuous mode is enabled on the interface you are listening to in Wireshark.

Tip: The traffic can be filter by TCP and port 55740, using the filter tcp.port eq 55740 in the filter box of Wireshark.

The screenshot (and the zip file) shows the bytes send back and forth during the registration and connecting to the camera from the proper client application.

I’ve captured the packets for the communicate for a Fujifilm XE-3 camera and a working Fujifilm Remote Camera Android application in the PCAPNG file. This file can be examined in the Wireshark Application by downloading the zip – Fuji XE-3 with Android Application.pcapng.

The same procedure can be done for the ‘Hacked Client’ the results I include in the zip: Fuji XE-3 with FujiCamWifi Code.pcapng

Now that I’ve captured both the real and fake client. What next ? I need a debugger. See in the next post how I get on. Feel free to comment and help out 🙂