News:

Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Recent Posts

Pages: 1 ... 8 9 [10]
91
Nice!
92
Firmware / Re: Is there such a thing as OpenNVR firmware?
« Last post by admin on April 17, 2017, 10:06:25 pm »
Not really (opennvr firmware)

What you'll need to do is get hold of the SDK for the chipset, so that you can compile a kernel and app's.
Once you have that, then you can start building firmware and flash.

Issues are that not all hardware is identical, so you will have different NAND types, flash sizes, gpio usage etc.
Not insurmountable, but you'll generally want to pick the same hardware to develop, and port to.

The SDK for the HI3615C is here - http://pan.baidu.com/s/1o8TWZ0Y----

Let me know if you have problems downloading, I can put elsewhere.

Generally speaking, you'll want to open up whatever hardware you have.  Add serial headers, and connect up serial for minimal debugging, and for more serious stuff JTAG.  Boot up the hardware, and see what it tells you.  Hopefully you'll be able to see a boot log and bootloader, and communicate with it.

Developing with just serial is viable though if the hardware isn't too locked.
i.e. hopefully the device will have an accessible bootloader, then you can flash kernels and filesystems without too many headaches.

The flash will generally contain a bootloader (don't overwrite this, otherwise you'll need to use an SPI flasher or similar to rewrite).
The bootloader will load a kernel from the flash into ram, then execute it.
The kernel will then mount a filesystem from flash, and run the OS + programs.

A BSP or SDK allows you to build a kernel and programs (BSP = board support package.  SDK = software development kit).

Thats a brief overview.
93
Help / How to extract a .OV (extention) firmware file?
« Last post by G33RT on April 17, 2017, 12:24:07 pm »
Hi,

Does someone knows how to extract a .OV (extention) firmware file?

Any help on this is welcome!
94
Firmware / [REQUEST] Firmware for IPCC-B13L 960P 1.3MP (Hi3518 + AR0130)
« Last post by G33RT on April 15, 2017, 02:09:15 pm »
Hello,

I'm looking for the firmware of an IPCC-B13L 960P 1.3MP (Hi3518 + AR0130).
The manufacturer does not have the firmware for this camera at their support page.

The camera has two boards, one with the Hi3518 chip and one with the CCD sensor and schould be an Aptiva AR0130 CCD sensor.

The CCD board have the description: CCD_CAM_8M-142(A)
After searching I can not find anything about CCD CAM 8M-142.

At WebIF I could see Hard Ver: 7100-ar0130_960P
The firmware I had on this was: V2.0.6.1-X20-Build:20130928D

I have bricked the camera due to flashing a wrong firmware :-[

Does anybody knows if the whole firmware is located in the flash chip 25L12835F ?

Any help is welcome!
95
Firmware / Is there such a thing as OpenNVR firmware?
« Last post by legolad on April 10, 2017, 03:47:22 pm »
Hey folks,

I'm relatively new to this IPCam world and thanks to all of you I've managed to answer most of my questions.

I do still have a couple of questions that I'm hoping you can help with.

Question 1:
I recently picked up a few of the cheap chinese IPCams that are running this firmware:
V4.02.R11.00002520.10010.244000.00000
They have an internal ID of H264 50H20L_S39.

Based on what I've read in these forums and others, I believe this means they are running the HI3516C System on a Chip. Can any of you confirm this?

Question 2:
I see that we have an open source camera firmware available. Is anyone working on an open source NVR firmware?

I'm specifically thinking that it would be great if we had firmware that supported these generic NVR boxes out of China. For example, firmware that supports the HI3535 chip would be pretty good for someone like me who just wants a a few cameras at 1080p.

For me, I'm less concerned about people viewing my cams and more concerned about opening a back door into my home network. Having an open source firmware that is known to be secure and not part of some bot army might alleviate some of the worries many people seem to have regarding the security of these generic NVRs.

And yes, I realize I can double or triple my budget and get a better NVR. I might just do that. But first I wanted to understand what the minimum viable setup looks like.


96
Hacking & Modding / Re: Hacking the F19821 W V2 to control an Arduino Tank Rover
« Last post by nars on April 08, 2017, 09:09:49 am »
Sorry to bump this old topic, but I'm looking at how to repack firmware as well... after research theoretically I know how to do it but I didn't try it yet... would like to ask if you ever succeed doing it? Also did you update md5 for the jffs2 image on fwupgrade.md5 file? (by looking at the firmwareupdate binary apparently it does an md5sum -c to check integrity...)

Also, if you used mtdram... after mounting the jffs2 image and applying you changes... did you then unmount it and created new image file with the updates (dd back from mtdblock...)?
97
Hi krokos.

How did you copy files into cam?
My IP cam 8ELP 720p) has the same SoC but I apparently I haven't any transfer service like telnet or SSH.
But I have ftp.
Any idea how entering into its shell?

tnx
98
Hacking & Modding / Re: hacking ELP 720p cam
« Last post by cris.alberti on April 07, 2017, 09:43:58 am »
Here's the fw.

First of all I've used 7z to unpack the original bin file and here the files inside:

custom-x.cramfs.img
Install
InstallDesc
romfs-x.cramfs.img (with the pwd and system files)
u-boot.bin.img
u-boot.env.img
user-x.cramfs.img
web-x.cramfs.img

The following steps are the same for each file.

$ xxd -a custom-x.cramfs.img | head

00000000: 2705 1956 2654 4b3f 5761 3b3d 0000 7000  '..V&TK?Wa;=..p.
00000010: 0077 0000 007b 0000 be2a 4cf4 0502 0101  .w...{...*L.....
00000020: 6c69 6e75 7800 0000 0000 0000 0000 0000  linux...........
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 453d cd28 0070 0000 0300 0000 0000 0000  E=.(.p..........
00000050: 436f 6d70 7265 7373 6564 2052 4f4d 4653  Compressed ROMFS
00000060: 122d e489 0000 0000 2e00 0000 2900 0000  .-..........)...
00000070: 436f 6d70 7265 7373 6564 0000 0000 0000  Compressed......
00000080: fd41 1402 5800 0014 c004 0000 ed41 1402  .A..X........A..
00000090: 7400 0014 430a 0000 4375 7374 6f6d 436f  t...C...CustomCo

$ binwalk custom-x.cramfs.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0                      0x0                         uImage header, header size: 64 bytes, header CRC: 0x26544B3F, created: 2016-06-15 11:25:49, image size: 28672 bytes, Data Address: 0x770000, Entry Point: 0x7B0000, data CRC: 0xBE2A4CF4, OS: Linux, CPU: ARM, image type: Standalone Program, compression type: gzip, image name: "linux"
64                   0x40                       CramFS filesystem, little endian, size: 28672 version 2 sorted_dirs CRC 0x89E42D12, edition 0, 46 blocks, 41 files


$ fdisk -l custom-x.cramfs.img

Disk custom-x.cramfs.img: 28 KiB, 28672 bytes, 56 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

$ dd if= custom-x.cramfs.img bs=64 skip=1 of=fs.custom

Now is ready to be opend with 7z and browsing in.

Into the fw (the romfs-x.cramfs.img  file) I've found two pwd files: passwd and passwd-
And after John's care:

 ./john --devices=0  --single  passwd

Apparently I've two system (?) credentials: root1919.....root1900
                                            root1907.....root1900

But I cannot enter into shell.

What can I do?

Tnx in advance for any reply.

99
Hacking & Modding / Re: hacking ELP 720p cam
« Last post by cris.alberti on April 07, 2017, 09:37:37 am »
If I try to connect through Raw protocol, port 9527 here is the output:


EasyCmsDevice send reg request, time = 1491392052
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:34:18, Time:155778 Min, Trail:155778 Min
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
Connect: 216.146.43.70 80 fail
EasyCmsDevice send reg request, time = 1491392173
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:36:18, Time:155780 Min, Trail:155780 Min
DdnsD: connect success!
DdnsD::DdnsSend GET /nic/update?hostname=xxxxxxxxxxxxxxx HTTP/1.0
Host: dynupdate.no-ip.com
Authorization: Basic Y3Jpc3RvMDpQNG56ZXIh
User-Agent: XiongmaiClinet-1.1 Linux


CDdnsBase::GetResponse HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: close
Cache-Control: private, must-revalidate
pragma: no-cache
expires: -1
Date: Wed, 05 Apr 2017 11:50:42 GMT

nochg 82.49.103.224

DDNS Update: Request Successful
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
EasyCmsDevice send reg request, time = 1491392294
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:38:18, Time:155782 Min, Trail:155782 Min
Connect: 216.146.38.70 80 OK
checkip: HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105

<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.49.103.224</body></html>

>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
EasyCmsDevice send reg request, time = 1491392415
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:40:18, Time:155784 Min, Trail:155784 Min
Connect: 216.146.38.70 80 OK
checkip: HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105

<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.49.103.224</body></html>

>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
EasyCmsDevice send reg request, time = 1491392536
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:42:18, Time:155786 Min, Trail:155786 Min
Connect: 91.198.22.70 80 fail
NTPD: NTP host[193.204.114.232], port[24]
NTPD: Recv Packet Timeout!
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
DdnsD: connect success!
DdnsD::DdnsSend GET /nic/update?hostname=xxxxxxxxxxxxxxxxxxxxx HTTP/1.0
Host: dynupdate.no-ip.com
Authorization: Basic Y3Jpc3RvMDpQNG56ZXIh
User-Agent: XiongmaiClinet-1.1 Linux


Log in will be peformed with my webUI credentials. But the only command I can use is "user" with this output:

<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.49.103.224</body></html>

 Ip add is http://192.168.1.10:8899/onvif/device_service
 Ip add is http://192.168.1.10:8899/onvif/device_service
 Ip add is http://192.168.1.10:8899/onvif/device_service
 Ip add is http://192.168.1.10:8899/onvif/device_service
user command usage:
                    user  -y : dump authority info
                    user  -group : dump full group info
                    user  -g     : dump group info
                    user  -user  : dump full user info
                    user  -u     : dump user info
                    user    -a     : dump all user name
                    user  -k : kick off user
                    user  -b : block user
                    user  -v : dump active user

100
Hacking & Modding / Re: hacking ELP 720p cam
« Last post by cris.alberti on April 07, 2017, 09:25:43 am »
nmap to all ports:

MAC Address: xxxxxxxxxxxxxxx (iStor Networks)
 Device type: general purpose
Running: Linux 2.6.X|3.X
 OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Uptime guess: 0.801 days (since Tue Mar 21 21:00:25 2017)
 Network Distance: 1 hop TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
 Service Info: Device: webcam
Not shown: 131040 closed ports

PORT      STATE         SERVICE       VERSION
80/tcp    open          http          uc-httpd 1.0.0
| http-methods: 
|_  Supported Methods: OPTIONS
|_http-title: NETSurveillance WEB

554/tcp   open          rtsp          LuxVision or Vacron DVR rtspd
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, GET_PARAMETER, PLAY, PAUSE

8899/tcp  open          soap          gSOAP 2.7
|_http-server-header: gSOAP/2.7
|_http-title: Site doesn't have a title (text/xml; charset=utf-8).

9527/tcp  open          unknown
| fingerprint-strings: 
|   GenericLines, NULL: 
|     HTTPD: fd: 55, IP: 0x501a8c0
|     RTP: onClientConnect enginedId 0 , clientId 0 , ip:port 192.168.1.5:25228 
|     HTTPD: invalid request
|     HTTPD: fd: 55, IP: 0x501a8c0
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|    HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|_    HTTPD: Catch a brok

9530/tcp  open          unknown

34567/tcp open          dhanalakshmi?

3702/udp  open          ws-discovery?
| fingerprint-strings: 
|   SIPOptions: 
|     <?xml version="1.0" encoding="UTF-8"?>
|_    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa5="http://www.w3.org/2005/08/addressing" xmlns:xop="http://www.w3.org/2004/08/xop/include" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:tt="http://www.onvif.org/ver10/schema" xmlns:ns1="http://www.w3.org/2005/05/xmlmime" xmlns:wstop="http://docs.oasis-open.org/wsn/t-1" xmlns:ns7="http://docs.oasis-open.org/wsrf/r-2" xmlns:ns2="http://docs.oasis-open.org/wsrf/bf-2" xmlns:dndl="http://www.onvif.org/ver10/network/wsdl/DiscoveryLookupBinding" xmlns:dnrd="http://www.onvif.org/ver10/network/wsdl/RemoteDiscoveryBinding" xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery" xmlns:dn="http://
8362/udp  open|filtered unknown
9148/udp  open|filtered unknown
12144/udp open|filtered unknown
14677/udp open|filtered unknown
16050/udp open|filtered unknown
16404/udp open|filtered unknown
18563/udp open|filtered unknown
19848/udp open|filtered unknown
24787/udp open|filtered unknown
26216/udp open|filtered unknown
26583/udp open|filtered unknown
26952/udp open|filtered unknown
28481/udp open|filtered unknown
34568/udp open|filtered unknown
36315/udp open|filtered unknown
41773/udp open|filtered unknown
43568/udp open|filtered unknown
46528/udp open|filtered unknown
47857/udp open|filtered unknown
57020/udp open|filtered unknown
58919/udp open|filtered unknown
59253/udp open|filtered unknown
59715/udp open|filtered unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service

As far as I know:
- the 80 is for webUI;
- the 554 and 8899 are the streaming/ONVIF ports;
- the others? Maybe the activated NetServices?
- the UDP ports? Tunneling???????
Pages: 1 ... 8 9 [10]