News:

Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Recent Posts

Pages: 1 [2] 3 4 ... 10
11
Hacking & Modding / Re: hacking ELP 720p cam
« Last post by cris.alberti on April 07, 2017, 09:37:37 am »
If I try to connect through Raw protocol, port 9527 here is the output:


EasyCmsDevice send reg request, time = 1491392052
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:34:18, Time:155778 Min, Trail:155778 Min
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
Connect: 216.146.43.70 80 fail
EasyCmsDevice send reg request, time = 1491392173
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:36:18, Time:155780 Min, Trail:155780 Min
DdnsD: connect success!
DdnsD::DdnsSend GET /nic/update?hostname=xxxxxxxxxxxxxxx HTTP/1.0
Host: dynupdate.no-ip.com
Authorization: Basic Y3Jpc3RvMDpQNG56ZXIh
User-Agent: XiongmaiClinet-1.1 Linux


CDdnsBase::GetResponse HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: close
Cache-Control: private, must-revalidate
pragma: no-cache
expires: -1
Date: Wed, 05 Apr 2017 11:50:42 GMT

nochg 82.49.103.224

DDNS Update: Request Successful
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
EasyCmsDevice send reg request, time = 1491392294
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:38:18, Time:155782 Min, Trail:155782 Min
Connect: 216.146.38.70 80 OK
checkip: HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105

<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.49.103.224</body></html>

>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
EasyCmsDevice send reg request, time = 1491392415
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:40:18, Time:155784 Min, Trail:155784 Min
Connect: 216.146.38.70 80 OK
checkip: HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105

<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.49.103.224</body></html>

>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
EasyCmsDevice send reg request, time = 1491392536
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:42:18, Time:155786 Min, Trail:155786 Min
Connect: 91.198.22.70 80 fail
NTPD: NTP host[193.204.114.232], port[24]
NTPD: Recv Packet Timeout!
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
DdnsD: connect success!
DdnsD::DdnsSend GET /nic/update?hostname=xxxxxxxxxxxxxxxxxxxxx HTTP/1.0
Host: dynupdate.no-ip.com
Authorization: Basic Y3Jpc3RvMDpQNG56ZXIh
User-Agent: XiongmaiClinet-1.1 Linux


Log in will be peformed with my webUI credentials. But the only command I can use is "user" with this output:

<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.49.103.224</body></html>

 Ip add is http://192.168.1.10:8899/onvif/device_service
 Ip add is http://192.168.1.10:8899/onvif/device_service
 Ip add is http://192.168.1.10:8899/onvif/device_service
 Ip add is http://192.168.1.10:8899/onvif/device_service
user command usage:
                    user  -y : dump authority info
                    user  -group : dump full group info
                    user  -g     : dump group info
                    user  -user  : dump full user info
                    user  -u     : dump user info
                    user    -a     : dump all user name
                    user  -k : kick off user
                    user  -b : block user
                    user  -v : dump active user

12
Hacking & Modding / Re: hacking ELP 720p cam
« Last post by cris.alberti on April 07, 2017, 09:25:43 am »
nmap to all ports:

MAC Address: xxxxxxxxxxxxxxx (iStor Networks)
 Device type: general purpose
Running: Linux 2.6.X|3.X
 OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Uptime guess: 0.801 days (since Tue Mar 21 21:00:25 2017)
 Network Distance: 1 hop TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
 Service Info: Device: webcam
Not shown: 131040 closed ports

PORT      STATE         SERVICE       VERSION
80/tcp    open          http          uc-httpd 1.0.0
| http-methods: 
|_  Supported Methods: OPTIONS
|_http-title: NETSurveillance WEB

554/tcp   open          rtsp          LuxVision or Vacron DVR rtspd
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, GET_PARAMETER, PLAY, PAUSE

8899/tcp  open          soap          gSOAP 2.7
|_http-server-header: gSOAP/2.7
|_http-title: Site doesn't have a title (text/xml; charset=utf-8).

9527/tcp  open          unknown
| fingerprint-strings: 
|   GenericLines, NULL: 
|     HTTPD: fd: 55, IP: 0x501a8c0
|     RTP: onClientConnect enginedId 0 , clientId 0 , ip:port 192.168.1.5:25228 
|     HTTPD: invalid request
|     HTTPD: fd: 55, IP: 0x501a8c0
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|    HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|_    HTTPD: Catch a brok

9530/tcp  open          unknown

34567/tcp open          dhanalakshmi?

3702/udp  open          ws-discovery?
| fingerprint-strings: 
|   SIPOptions: 
|     <?xml version="1.0" encoding="UTF-8"?>
|_    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa5="http://www.w3.org/2005/08/addressing" xmlns:xop="http://www.w3.org/2004/08/xop/include" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:tt="http://www.onvif.org/ver10/schema" xmlns:ns1="http://www.w3.org/2005/05/xmlmime" xmlns:wstop="http://docs.oasis-open.org/wsn/t-1" xmlns:ns7="http://docs.oasis-open.org/wsrf/r-2" xmlns:ns2="http://docs.oasis-open.org/wsrf/bf-2" xmlns:dndl="http://www.onvif.org/ver10/network/wsdl/DiscoveryLookupBinding" xmlns:dnrd="http://www.onvif.org/ver10/network/wsdl/RemoteDiscoveryBinding" xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery" xmlns:dn="http://
8362/udp  open|filtered unknown
9148/udp  open|filtered unknown
12144/udp open|filtered unknown
14677/udp open|filtered unknown
16050/udp open|filtered unknown
16404/udp open|filtered unknown
18563/udp open|filtered unknown
19848/udp open|filtered unknown
24787/udp open|filtered unknown
26216/udp open|filtered unknown
26583/udp open|filtered unknown
26952/udp open|filtered unknown
28481/udp open|filtered unknown
34568/udp open|filtered unknown
36315/udp open|filtered unknown
41773/udp open|filtered unknown
43568/udp open|filtered unknown
46528/udp open|filtered unknown
47857/udp open|filtered unknown
57020/udp open|filtered unknown
58919/udp open|filtered unknown
59253/udp open|filtered unknown
59715/udp open|filtered unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service

As far as I know:
- the 80 is for webUI;
- the 554 and 8899 are the streaming/ONVIF ports;
- the others? Maybe the activated NetServices?
- the UDP ports? Tunneling???????
13
Hacking & Modding / hacking ELP 720p cam
« Last post by cris.alberti on April 07, 2017, 09:23:23 am »
Hi all!

I'd like to share with you my doubts and info about my basic approaches to ELP 720p, another cheap IP cam. Here is the link: (https://www.amazon.it/ELP-Macchina-Fotografica-Videocamere-Sorveglianza/dp/B016Q94M8O/ref=sr_1_1?ie=UTF8&qid=1491553982&sr=8-1-spons&keywords=720p&psc=1).

My goal would be entering into the shell and taking full control.

Problem is that apparently there's not any telnet or SSH service (according to nmap). And I prefer connecting remotely, without serial connection.
I've the last fw inside (firmware_General_HZXM_IPC_HI3518E_50H10L_S38_V4.02.R12.Nat.OnvifS.20160615_ALL), provided from this link (http://www.hkvstar.com/technology-news/china-ip-camera-configuration-firmware.html) and I was able to unpack it. But I think the shell/Busybox doesn't have all the app or the full app (i.e. telnetd, netcap, ...), useful for an injection approach or something like that.

I'm able to connect through the webUI: into the settings menu you can also configure NetServices like emailing, DDNS, FTP, ... The only useful browser to log in into webUI is IE11 without ActiveX control (because off the NPAPI plugin).
According to the info provided from the producer here the protocols: TCP / IP, HTTP, DHCP, DNS, DDNS, PPPoE, SMTP, NTP (HTTPS, RTP / RTSP, SIP, 802.1x, IPv6.

The cam sensor and the SoC: 1/4 "CMOS OV9712 + HI3518C (maybe a Hi3518E)

Connection: only eth (I use a powerline).

I'll show the nmap results in the next reply
14
Firmware / Re: EasyN 109 Full HD 2.0MP 1080p 5x Optical Zoom Firmware
« Last post by mrwildbob on April 02, 2017, 09:16:31 pm »
Are any of the EasyN cameras supported?  Tried to contact their support without response.  I like the camera, great quality.

Any help would be great.

thanx

boB
15
Firmware / Re: ID002A camera software needed
« Last post by whooper on March 16, 2017, 05:29:11 pm »
Looks like the power adapter was not in shape.
After adapter change the camera works fine with the default credentials.
16
Firmware / ID002A camera software needed
« Last post by whooper on March 11, 2017, 04:51:39 am »
Hi,
Does anyone have the full set of software for configuring for ID002A camera ?
The camera got IP address by DHCP and the web interface on port 81 is reachable.
I am not able to log in with admin/blank or admin/admin. After reset same behavior.
Maybe i need to update the firmware, but the tools cannot connect with admin/admin
17
Firmware / Re: To Find RX TX for Firmware Download
« Last post by mightywhitey on March 11, 2017, 12:51:41 am »
Did you figure out the RX/TX ?

If not, please upload a clearer picture... I just went through this myself about a week ago, so i'm willing to help.
18
Firmware / Re: Please i need help with my FOSCAM 9821
« Last post by dumaster on March 08, 2017, 04:37:53 pm »
Please I really need to fix this camera, I just need the complete binary file to write to flash, I can pay for it via paypal ....

Waiting
19
Similar Hardware / Grain Media GM8120x in Genius IPCAM 300R
« Last post by hz01 on March 06, 2017, 02:32:35 am »
I have an old Genius IPCAM 300R, but I can't use it.
Only 23 and 80 TCP ports are open, and there aren't any stream, picture, RTSP, anything...

Please, give me some instructions, which firmware is need to this device, and how can I replace/upgrade with it.
I know the linux (I use debian for 12 years), but the embedded systems are unknown area.


Some important datas from the device:
Code: [Select]
/ # netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State     
tcp        0      0 kamera:telnet           hz01linux:55032         ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  3      [ ]         STREAM     CONNECTED     40     
unix  3      [ ]         STREAM     CONNECTED     39     
/ # lsmod
Module                  Size  Used by    Not tainted
fmjpeg_drv            102308   0 (unused)
fmpeg4_drv             64044   2
fmcp_drv               33800   0 [fmjpeg_drv fmpeg4_drv]
fcap_drv               68944   1
/ # ls /lib/
ld-2.2.5.so             libm-2.2.5.so           libnss_files.so
ld-linux.so.2           libm.so                 libnss_files.so.2
libc-2.2.5.so           libm.so.6               libpthread-0.9.so
libc.so                 libnsl-2.2.5.so         libpthread.so
libc.so.6               libnsl.so               libpthread.so.0
libc.so_orig            libnsl.so.1             libresolv-2.2.5.so
libcrypt-2.2.5.so       libnss_compat-2.2.5.so  libresolv.so
libcrypt.so             libnss_compat.so        libresolv.so.2
libcrypt.so.1           libnss_compat.so.2      libstdc++.so
libdl-2.2.5.so          libnss_dns-2.2.5.so     libstdc++.so.6
libdl.so                libnss_dns.so           libstdc++.so.6.0.2
libdl.so.2              libnss_dns.so.2
libgcc_s.so.1           libnss_files-2.2.5.so
/ # cat /proc/cpuinfo
Processor       : Faraday FA526id(wb) rev 1 (v4l)
BogoMIPS        : 97.07
Features        : swp half

Hardware        : Faraday CPE
Revision        : 0000
Serial          : 0000000000000000
/ # cat /proc/version
Linux version 2.4.19-rmk4 (root@VMFatty) (gcc version 2.95.3 20010315 (release)) #2619 Fri Dec 4 12:23:20 CST 2009

(Sorry, I speak English a little...)
20
Firmware / EasyN 109 Full HD 2.0MP 1080p 5x Optical Zoom Firmware
« Last post by mrwildbob on February 28, 2017, 06:32:19 pm »
EasyN 109 Full HD 2.0MP 1080p 5x Optical Zoom Wireless PTZ P2P Outdoor IP Camera

Hi, new here, wanted to know if this camera is supported.  I couldn't find anything.  Wondering if anyone else knows.
Pages: 1 [2] 3 4 ... 10