TTHS005 Camera about 826-x-ip-camera HOT 26 OPEN

Hi, I have the same Camera but from a different brand named KAMTRON (there seems to be a lot different brands like MAISI and PANNOVO). The Model is 826 (not 826-X) and the Softwareversion is the same (v3.4.1.1604071109).
I've already done some research on my own.

Searching for RTSP I found a way to get the current Picture as JPG.

http://local-ip-or-hostname/ccm/ccm_pic_get.jpg?hfrom_handle=887330&dsess=1&dsess_nid=NON-STATIC-SESSION-ID&dsess_sn=SERIALNUMBER&dtoken=p0_xxxxxxxxxx

Can you post the RTSP URL or does the Firmware need to be modificated?

Another thing I've noticed is, that the login-password is encrypted to a HEX string using the public available CryptoJS Library (functions are in core.js -> CryptoJS.enc.Hex.stringify and CryptoJS.enc.Hex.parse)

http://local-ip-or-hostname/ccm/cacs_login_req.js?hfrom_handle=653862&dlid=0xe&dnid=MMj86%5fVKY3VLg%2ehgp32mL%2e5BAWEOgQI&duser=SERIALNUMBER&dpass=PASSWORDHEXENCRYPTED&dsession_req=1&dparam__x_countz_=1&dparam=1&dparam_name=spv&dparam_value=v1

I'm not good at javascript, but to someone who is, it seems to be easy to decrypt the camera's password from the captured url.

I've also noticed, that the SessionID maybe expires after some time, as i was able to get the jpg picture with two different (recent) SessionIDs. But a very old one didn't work.

from 826-x-ip-camera.

Just to bump this discussion and as reference for someone still playing around with this - and to pay homage to @btsimonh again 👍 - as he mentioned there is a way to get the same static address and to get RTSP, but it requires a detour...

I installed this aler9/rtsp-simple-server as a docker container with exposed ports (I refer to that as server part in the following), which runs permanently and is bored most of the time, and I have ffmpeg installed.

I created a function node, which grabs the rtmp:// address from the ccm.play_info property. This one is fed into a custom exec node, which essentially does an ffmpeg <insert rtmp here as msg.payload> -c copy -f rtsp rtsp://<ip>:<port>/myroom where ip and port are the IP and exposed port of the machine running the server docker container. As a result, you can consume the stream with rtsp prefix under the same URI, i.e. rtsp://<ip>:<port>/myroom.

The ffmpeg and restreaming server part is causing no CPU load basically (4% on my powersave governed DietPi RPi Zero W), as they are just forwarding network packets mostly, so that is not a huge issue (I mean compared to copying individual pixels in a NodeRed image view, for example). The question is, what is the intended way to use all of this and how to leverage the behaviour of the exec node waiting for termination (or to better spawn a separate process).

One could run ffmpeg without the server part. ffmpeg will wait for the client to connect and will automatically terminate once the client disconnects - if the exec node waits for termination, the benefit is that you can restart everything once NodeRed gets aware of the node being terminated, but ffmpeg will be running as part of NodeRed. Obviously you won't get notice of a separate background process terminating (unless you do some bash script hacking to touch a file and do periodic checks on its timestamp or whatever). I can live with ffmpeg running as part of NodeRed, and I prefer using the server part, as it (a) enables streaming to multiple clients, (b) decouples the ffmpeg part from any client, and (c) it is still safe to have the exec node wait for termination, as I can respawn the stream then any time I get notice about the termination.

PS: the reason I came across all of this is that I installed some quite nice software for MacOS, GlanceCam, and while it worked out of the box for my other two webcams (a rather old Hootoo and an ESP32-Cam module), the Yatwin was not working and, seriously, I did not find any software that was working except IPCamViewer for Android or iOS.

from 826-x-ip-camera.

yes, it does look very similar.... if not identical.
Does it offer an upgrade at the moment from the UI?
I got my upgrade file by adding tcpdump on my main router, and dumping TCP packets whilst asking for the upgrade; this gave the URL of the upgrade file.... you may only get one shot at this, so pull the lan as soon as you see the download commence.
If not, I did get the impression that there should be a way to 'reset to factory defaults' which may remove any upgrade applied, but have not yet been successful.

I HAVE re-created the web login process and obtained RTSP and RTMP urls for video (by reverse engineering the local javascript web API). However, the URL is random and different for each session (their 'security').
I have successfully run flv.js based decoding in a browser.
(this work was done as a Node-Red flow in Javascript; now added to repo).

In terms of 'breaking in', uboot serial is your easiest option. The serial connections are easily seen in the pictures; i didn't even solder to them :).
The readme in https://github.com/btsimonh/826-x-ip-camera/tree/master/reference tells you how to extract the complete firmware to SD card, and then convert to a file in PC.
Split according to the linux bootlog.
From there, you need to extract both the root filesystem and the jffs2 partition.
this will give you sizes and checksums of the original tar file referenced in the upgrade file.
BUT... so far, I did not manage to create an upgrade file which did not contain a 'patch', so if you don't have an upgrade file, you may not be able to persuade it to run the script :(.

An alternative way to 'break in' without an upgrade file is to modify the jffs2. But note their JFFS2 does not support some modern options (very small mods which fit within the latest page MAY work, or find an older, compatible, JFFS2 implementation). If you can modify the jffs2, you are done.

(the upgrade hacks zips contain the original and modified scripts; in the filesystem the modified script lives at /devdata/dev_init.sh)

Please let me know how you get on, so we can update here for others.

P.S. be careful working with SD cards - it seems to like to format them with it's own FS, as yet not recognised, if the SD card is not that FS. The Uboot seems to have SD support, and you can mount an SD in linux (maybe only if you kill their app?).

from 826-x-ip-camera.

ok, additional info.
IF you find /dev_data/ipc_pack_diff in your JFFS2 filesystem, then that IS the upgrade file, and so can be extracted and modified.... and re-applied through the web interface.

from 826-x-ip-camera.

Since this thing is apparently running Linux, the manufacturer SHOULD be supplying the source for it. I would love to get this camera to provide a RTSP stream for Linux Motion, but the security issues are most important first, obviously. It would be super nice to figure out a way to add a custom kernel and get rid of the proprietary SD format and use ext4 instead.

Keep up the good work and thanks!

from 826-x-ip-camera.

quite a lot of the functionality is inside their monolithic executable. The chip SDK has some samples which could be built and run instead; the other opportunity is to find a camera with a 'better' executable which runs the same chipset (and sensor?), and transplant.
Getting to a std SD format would be nice (or at least preventing format) - then we would be able to use the SD card as the boot device (or at least the application store). (maybe we can just mount the SD card before app start - this may then prevent it from mounting and formatting it?)
The kernel is the std kernel from the SDK, and all source is available :). But it's the application which makes it do 'camera' things.
Another use for this hardware could be a custom camera robot - I read that the common 'Spy' robots are based on IP CCTV chipsets with the PTZ driving the motors; I'm tempted to add processes to talk to an arduino over serial, routing this to network to add additional sensors and motor control.

from 826-x-ip-camera.

Hi Phil,
yes, the session ID is given at login, and the URLs for pictures and video vary accordingly :(. So basically, you can't hook some software up which needs a statically configured RSTP address.
Best we could probably do is write a script or program for the local linux, and proxy a URL (maybe on another port) to the dynamic URL - i.e. have the program run at boot, to login to itself, obtain an RTSP stream address, and then proxy that address..... repeat as required....
Obtaining the various IDs was a right pain, and is at the moment only embodied on the node-red flow I created to do so. Using this, I can get video in my browser :). i.e. complete the login process and get the credentials required to then ask for video and get a dynamic URL, pass that to the browser (and use some dodgy player to play...).
s

from 826-x-ip-camera.

Wow, that was a quick reply.
your idea using a proxy sounds good. If nginx is running this should be possible.
But if you have access to the filesystem, why don't just modify the javascript to ignore the Session ID?

Obtaining the session ID is no pain for me. Just use your Browser's Tool

Vivaldi:

IE11:

I don't need the rstp stream for a fancy surveillance software. VLC would be fine to me.
So Maybe I can write a small program, which logs into the camera and then steals the session id. Then it creates a playlist and starts VLC.

Can you maybe give me the URL of the rstp stream, like in my example with getting the jpg image. So I can see if I'm also able to stream a video.

from 826-x-ip-camera.

example:
rtmp://192.168.1.173:7010/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ
example RTSP:
rtsp://192.168.1.173:7020/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ

The JCWJXJQCIPOJ bit changes sometimes. Although trying now, re-logging on to the camera seems to give the same URL; so not sure what prompts it to change.
Of course, in the browser you should be able to see this in debug - it will use it to set the URL on the player object? 👍

Although if you need RTSP, you may need to ask for it.... the default local camera http seems to ask for RTMP:.

from 826-x-ip-camera.

Thank you. Now I got RTMP to work.
RTSP doesn't work, port 7030 is not open on the device.
But for me it doesn't matter as long one protocol works.

So in this URL there is another unique/temporary ID different from the sess_nid. I'm sure it will change after rebooting the device.

I can't understand why they don't support rtmp://username:password@ip:7010/live/...

This would be a great feature for the camera and won't be a security issue, since there's still an authentication (yes I know the password is plain text, but It's my own network).

So I'm still thinking about how to get or bypass this ID.

from 826-x-ip-camera.

P.S. be careful working with SD cards - it seems to like to format them with it's own FS, as yet not recognised, if the SD card is not that FS. The Uboot seems to have SD support, and you can mount an SD in linux (maybe only if you kill their app?).

There is a Tool to Export Data from the SD-Card
http://us10.mipcm.com:2080/pub/windows/sdtool/v5.7.1.1807031100/windows_sdtool_v5.7.1.1807031100.exe

It seems the export.min.js decrypts the contents of the sd-card useing also the CryptoJS Library

from 826-x-ip-camera.

ohh.. good find. interesting a google search of v5.7.1.1807031100 gives a set of companies who use this....
And the extraction provides all the mlib. libraries that I had to reverse engineer last time!. They are the keys to logging... a key exchange is done, and a shared secret kept.

from 826-x-ip-camera.

I am using Fedora Linux and both Firefox and Chrome to access the camera directly. I get the interface, but when I hit play, I only get a black screen. I suspect this is why I am not able to retrieve the ccm_play.js in debugging. Are you accessing the camera's http via Windows or Linux?

BTW, this unit just updated to v5.1.8.1807231703.

EDIT: Just tried from Windows 7 in VirtualBox. It prompted me to install the mme plugin. I did. Now in windows (just as in linux), I get the initial photo with play button, but still only black screen once pressed. Weird!

from 826-x-ip-camera.

I also just noticed the GUI now allows one to upload the update manually. I wonder if the fw needs to be signed before it will accept it? If not, could be an easy way to make changes to the fw before updating it. Perhaps it was always there and I just never noticed before.

from 826-x-ip-camera.

hi Lexridge, if your based version is 4.6.2.1706161621, then the upgrade hack file should take with the manual upgrade method.
Would be good to get the url to the v5.1.8.1807231703 upgrade file - I did this using TCPDump on my router to see the traffic.... if you do manage to get this, let me know.
I'm on windows, and in the original UI, the video seems always flash based, so if you can enable flash, the original UI may work; else I have had it working with my Node-Red flow and flv.js (RTMP). Also, there is also a RTSP stream. just a pain that the URL changes....
(P.S. just looked at my cam to see if it's offering an upgrade; but of course it is not because it can;t see the internet any more!).

from 826-x-ip-camera.

the new upgrade patch is http://209.133.212.170.2080/version/ipc/gm8136/v5.1.6.1804251402/ipc_pack_patch_from_v4.6.2.1706161621.rtl8188fu_to_v5.1.6.1804251402.rtl8188fu.bin
I have not yet made a modified upgrade file from this.

from 826-x-ip-camera.

@Lexridge - 'I wonder if the fw needs to be signed before it will accept it?' - read the upgradefileformat part of the wiki - yes, it's easy to modify the script which is run at boot via modifying the upgrade file. The upgrade file is CRCed, but easily spoofed. Updating the actual firmware (the programs it runs) is much more difficult, because the upgrade file is a difference between two tar files, and the difference method is yet to be established. But, once you have broken in, you could compile, install, and run your own software easily. I've pulled the later version, and the script it contains is identical to the last version, so the modification method will work with this version; just cut and paste the script from the one I did, re-calculate the CRC, and you are done.

from 826-x-ip-camera.

@Phil-Rei do you confirm that this still works?

http://local-ip-or-hostname/ccm/cacs_login_req.js?hfrom_handle=653862&dlid=0xe&dnid=MMj86%5fVKY3VLg%2ehgp32mL%2e5BAWEOgQI&duser=SERIALNUMBER&dpass=PASSWORDHEXENCRYPTED&dsession_req=1&dparam__x_countz_=1&dparam=1&dparam_name=spv&dparam_value=v1

from 826-x-ip-camera.

I no longer have the camera and therefore cannot test it, sorry.
But I was never able to get a static link for a video or picture.

from 826-x-ip-camera.

you could have a look at my hacked about node-red flow, which operated various interfaces of the camera, including I think getting a URL. It's in the repo. (if you are not familiar with node-red, it's a visual javascript programming tool, so the code I've written is plain old JS, just split up into blocks....).

from 826-x-ip-camera.

I know node well, the question is how to get that specific url.

from 826-x-ip-camera.

it's been a long time since I worked on the camera :). If you have the time, then fire up node-red, and examine the flow; it's a very 'developmenty' flow, and may need 'require:require' in the settings.js of node-red to operate. From memory, you have to login to the camera to get a valid session, and then you can ask it for a url for video or pictures. I paused looking at it because it's video was not exactly 'standard', and so decoding in node was a pain - (I wanted to go into opencv4node).

from 826-x-ip-camera.

I can confirm that the jpg image get still works. made a firmware update today

http://192.168.0.160/ccm/ccm_pic_get.jpg?hfrom_handle=887330&dsess=1&dsess_nid=**SESSIONID**&dsess_sn=**SERIALNUMBER**&dtoken=p0_xxxxxxxxxx

thanks alot everyone

from 826-x-ip-camera.

I can confirm that the jpg image get still works. made a firmware update today

http://192.168.0.160/ccm/ccm_pic_get.jpg?hfrom_handle=887330&dsess=1&dsess_nid=**SESSIONID**&dsess_sn=**SERIALNUMBER**&dtoken=p0_xxxxxxxxxx

thanks alot everyone

I guess there is no way to obtain any static address? I ask because I plan to use the JPG URL in iSpy software to capture and record from the 826 camera for surveillance purposes.

from 826-x-ip-camera.

i don't think so. A small node server which generates the address and serves the image on a static address was my solution.

from 826-x-ip-camera.

so another finding is that you should run ffmpeg with -loglevel quiet -nostats flags, as the stats kills the exec node over time otherwise (buffer overrun)

from 826-x-ip-camera.