


What Kind Of Cameras Do They Use On Ptz

I was recently given 3 rather locked-down network cameras. Each camera was pre-programmed to communicate with a specific website, and only attach to a predefined wireless access point. Naturally, there was no supplied username or password.

I thought about how I might gain access. Using a man-in-the-middle attack to sniff the password, or trying to dump the firmware and examine that. Sadly, all the vulnerabilities previously reported no longer work. After a little bit of thought, I went for a decidedly low-tech solution; I hit the reset button! Yes, each camera had a recessed switch, accessible only with a paperclip, which reset the device to factory settings after holding it down for ten seconds.

Anyhow, this is my voyage of discovery with the 3 cameras. They are:

All of them are manufactured by Taiwanese OEM Sercomm. Annoyingly, Sercomm don't have any customer services. They mostly resell the cameras to Linksys, Cisco, Xanboo.

SerComm don't offer any firmware, GPL downloads, or much information about the cameras - so it's all very much trial and error.

Defaults

After resetting the cameras, they'll happily hook up to any wired network via the Ethernet port. Visit the IP address assigned by DHCP and you'll get to the admin console.
The default username is "administrator" - there is no password set.
You can now go and fiddle with all the settings.

High Resolution Mode

The cameras are meant to be able to record at 720p - however the user interface doesn't seem to allow it.
Luckily, the API allows us to force the resolution.

http://192.168.0.42/adm/set_group.cgi?group=H264&resolution=4
http://192.168.0.42/adm/set_group.cgi?group=JPEG&resolution=4

Wait! What? API?!

Oh yes, all the cameras come with a variety of commands which can be controlled by a simple HTTP GET request.

Discovering The API

As I said previously, Sercomm provides no documentation. Luckily, their resellers do!
EyeSpy247 have the admin manual for the RC8221.
Use-IP have the admin manual for the OC821D.
I haven't yet found a manual for the RC8230 - but it uses most of the same API commands. The only major addition is the ability to move the camera via its pan/tilt functionality. After a bit of digging, I found a discussion on how to activate this functionality.

Up:

http://192.168.0.42/pt/ptctrl.cgi?mv=U,10

Down:

http://192.168.0.42/pt/ptctrl.cgi?mv=D,10

Left:

http://192.168.0.42/pt/ptctrl.cgi?mv=L,11

Right:

http://192.168.0.42/pt/ptctrl.cgi?mv=R,11

The manuals give all sorts of instructions, how to view video streams, get photos, set and get various options. There are, sadly, some omissions.

Sending Sounds

One of the tasks I wanted to accomplish was to make the cameras play some of the turret sounds from the video game "Portal". This is proving tricky, despite the manual's promises to the contrary.

It should be possible to POST a sound file to the cameras, either in G.726, or G.711 (a-law or u-law). Despite creating the audio files correctly, and POSTing them to the cameras - they make not a peep!

curl -vv --data-binary @alaw8k.wav http://user:pass@192.168.0.42/img/g711a.cgi
curl -vv -X POST -d @alaw8k.wav http://user:pass@192.168.0.42/img/g711a.cgi --header "Content-Type:audio/x-wav"

I get a 200 OK, and the volume is set on the camera. Most vexing!

If you think you can help, please leave an answer on StackOverflow.

Arming - or lack thereof

With my other cameras, I can send a command to arm or disarm. I don't need the motion detection to send me emails every second of the day - only when I'm out of the house.

Looking at the source code of one of the pages, it looks like it's possible to POST some data to /adm/file.cgi - but it's not clearly documented which parameters are required. It will take me some time to work through the tangled nest of JavaScript.

E-mail

The cameras will send video when they detect motion - although getting this to work isn't at all obvious.
Firstly, the password is hard-coded to be a maximum of 16 characters. If your password is "StarTrekIntoDarkness1" you're out of luck.
Secondly, the "Test the Server" button doesn't actually work. It randomly gave me errors about not being able to reach the server. I struggled for hours until I discovered that the error messages were lying to me! If you enter the details correctly, and the camera has access to the Internet, it should just work.

That said, once enabled, it will happily send emails with large video attachments to you.

Video Audio

All the cameras have microphones, and all do audio triggering (sending an alert when noise levels rise). However none of the cameras would embed audio in with the video. When streaming over RTSP, it was possible to pick up audio from the microphone. Lowish quality, 8kHz, mono - but better than nothing.
Again, if anyone knows how to get the alert videos to include audio, please let me know!

Motion Detection

Setting the motion detection area is very useful. You might want to ignore movement on the floor if you have a pet, or concentrate on a door handle. Sadly, with these cameras, you have to use IE6 or greater to set the detection area.

You can try and use the API to set areas - but without being able to see the area in question, it's an exercise in frustration.

For my needs, having full screen video detection is fine. I may have to borrow a Windows machine if that changes.

Open Source

Each camera has an embedded Open Source page at /adm/Licenses.txt which includes all the text of the relevant GPL etc.

All three cameras have the following Open Source components:
Davicom Ethernet driver
Linux kernel 2.6.18
wireless_tools 26
busybox 1.16.0
dhcpcd 1.3.22-pl1
ez-ipupdate 3.0.11b7
iptables 1.3.4
ppp 2.4.1
cron daemon
samba client 3.06
glibc 2.8
alsa-lib-1.0.16
wpa_supplicant 0.4.5
NTP
thttpd-2.25b

Interesting to note that BusyBox is an unstable release version from 2010, thttpd supports IPv6 even though the cameras don't appear to.
wpa_supplicant is ancient - that may explain why it can't cope with SSIDs with spaces in them. I presume it's the hardware which won't scan the 5GHz range.
The Linux kernel is from 2006 - that's common enough in embedded systems, but I do wonder if it presents a security risk.

Security

The cameras offer an SSL connection. However, the certificate is self signed and uses MD5 with 1024 bits. Basically, a security signing which was advised against in 2010.
There's no way to replace the certificate without replacing the firmware. If you are willing to trust it, the connection is secured via SSL.
Assuming you can confirm the certificate is correct, the encryption should be sufficient to stop anyone but the NSA peeking through your cameras.
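To check a device certificate for the two weaknesses described above (MD5 signature, 1024-bit key), here is an added example that is not part of the original post: a standard-library-only DER walk that reports the signature algorithm OID and RSA modulus size. The function names and the `sample_cert` skeleton are constructed for illustration, and the parser assumes an RSA certificate.

```python
WEAK_SIG = {"1.2.840.113549.1.1.4": "md5WithRSA", "1.2.840.113549.1.1.5": "sha1WithRSA"}
PKCS1 = bytes.fromhex("2a864886f70d0101")   # DER prefix of OID arc 1.2.840.113549.1.1

def tlv(buf, pos=0):                        # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = size of length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def oid_str(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:                      # base-128 arcs, high bit = continuation
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def audit(der):
    tbs, sig_alg, _sig = children(tlv(der)[1])
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]   # drop optional [0] version
    spki = children(fields[5][1])           # after serial, sigAlg, issuer, validity, subject
    rsa_key = tlv(spki[1][1][1:])[1]        # skip the BIT STRING unused-bits byte
    bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
    oid = oid_str(children(sig_alg[1])[0][1])
    findings = [WEAK_SIG[oid]] if oid in WEAK_SIG else []
    if bits < 2048:
        findings.append("RSA %d-bit key" % bits)
    return oid, bits, findings

def enc(tag, body):                         # minimal DER encoder for the sample below
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(ln)]) + ln) + body

def sample_cert(sig_arc, key_bits):         # constructed, unsigned skeleton with empty names
    algid = lambda arc: enc(0x30, enc(6, PKCS1 + bytes([arc])) + enc(5, b""))
    n = (1 << (key_bits - 1) | 1).to_bytes(key_bits // 8, "big")
    rsa = enc(0x30, enc(2, b"\0" + n) + enc(2, b"\x01\x00\x01"))
    spki = enc(0x30, algid(1) + enc(3, b"\0" + rsa))
    tbs = enc(0x30, enc(0xA0, enc(2, b"\2")) + enc(2, b"\1") + algid(sig_arc) + enc(0x30, b"") * 3 + spki)
    return enc(0x30, tbs + algid(sig_arc) + enc(3, b"\0" * (key_bits // 8 + 1)))
```

For a real device, `ssl.PEM_cert_to_DER_cert()` converts a PEM certificate exported from the browser into the DER bytes that `audit()` expects.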

That said, the RTSP channel isn't protected by SSL. You can give a username/password, set time of day access, and restrict to specific IP addresses - but the video is transmitted in the clear.

For now, I'm keeping my cameras on my LAN with no external access to them.

What Next

At the moment, I've set the cameras up, but I'm not actively monitoring them - it's just too much work to switch each of them on when I leave for work.

So, if you can help....

  1. How do I send sound to the cameras?
  2. How do I get sound with the video alerts?
  3. How do I arm the cameras via the API?

Source: https://shkspr.mobi/blog/2013/11/hacking-around-with-network-cameras/

Posted by: garciagratin.blogspot.com
