Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
HiSilicon IP camera root passwords
Summary of passwords by sperglord8008s, updated November 1. 2020. For login try "root", "default", "defaul" or "root"
00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521
@dc-admin

This comment has been minimized.

Copy link

@dc-admin dc-admin commented Jul 16, 2016

Hi! May be exists another telnet accounts? For my cam on Hi3518E all account failed. Thanks.

@bakroistvan

This comment has been minimized.

Copy link

@bakroistvan bakroistvan commented Aug 1, 2016

@OctopusKat

This comment has been minimized.

Copy link

@OctopusKat OctopusKat commented Sep 4, 2016

root:$1$MoCJ1nRA$NfsI1wlYcWoF5MbU4t3Og0:0:0::/root:/bin/sh
root:ivdev

More information coming soon!

@ghost

This comment has been minimized.

Copy link

@ghost ghost commented Oct 2, 2016

Mirai

@mmintas

This comment has been minimized.

Copy link

@mmintas mmintas commented Oct 2, 2016

Do you have any more info about this camera with root:ivdev?
I have the same one with 6100e(100万e) v3.08R08.20150129.89 firmware - the software redirects to http://server2.hd1000.net:82/
I need info how to grab rtsp and jpg from this camera (rtsp://ipadd:554 works but only main stream)

@mpl1337

This comment has been minimized.

Copy link

@mpl1337 mpl1337 commented Oct 3, 2016

Hey.

I Have a HI3516 cam
this one http://www.ebay.com/itm/351414907283?euid=e6a88781c0824cf0b2ee238edfdd7114&cp=1

Device ID: IPCAM
Device Type: C6F0SgZ3N0P0L0
Network connection: LAN
Current Client: 0
Software Version: V6.1.1.4.1-20160204
Webware Version: V1.0.1

all this passwords are not working.

IPCamera login: root<\r><\n>
Password: <\r><\n>
Login incorrect<\r><\n>

i have only serial access. Telnet is disabled

Nmap
Scanning 192.168.178.58 [1000 ports]
Discovered open port 8080/tcp on 192.168.178.58
Discovered open port 80/tcp on 192.168.178.58
Discovered open port 1935/tcp on 192.168.178.58
Discovered open port 1024/tcp on 192.168.178.58

do you have a idea how to enable telnet or get the shadow file?

or is the a way to flash a other firmware?

i only want to disbaled or remove the "Backdoors"

@cybermaus

This comment has been minimized.

Copy link

@cybermaus cybermaus commented Dec 3, 2016

@mmintas

for the 6100e(100万e) v3.08R08.20150129.89 camera:

onvif link http://192.168.20.115:20020/onvif/device_service
Main 1280x720 rtsp://admin:pwd@192.168.190.204/0
Sub 640x480 rtsp://admin:pwd@192.168.190.204/1

Also mmintas, thanks for the firmware link, was able to upgrade my camera from v3.00R04.20141118.89 to v3.00R04.20150129.89
Not that I noticed any improvements in the new firmware.

@OctopusKat

This comment has been minimized.

Copy link

@OctopusKat OctopusKat commented Jul 11, 2017

root:$1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0:0:0:root:/:/bin/sh
xmhdipc as password on this model:

dvrHelper

ID: 8043420004048425
product type: 50H10L
product: HI3518E_50H10L_S39
forward video chip: OV9712
DSP chip: HI3518E
LIBDVR: Complied at Oct 22 2014 09:50:09 SVN:887
dvrHelper version: Sep 22 2014
LIBDVR : Get xmauto Fialed ,xmauto = 1

     "Name" : "admin",
     "Password" : "tlJwpbo6",

     "Name" : "default",
     "Password" : "OxhlwSG8",
@OctopusKat

This comment has been minimized.

Copy link

@OctopusKat OctopusKat commented Jul 13, 2017

Welcome to Monitor Tech.

@denysvitali

This comment has been minimized.

Copy link

@denysvitali denysvitali commented Aug 31, 2017

Add:

root annie2012
@BASM

This comment has been minimized.

Copy link

@BASM BASM commented Oct 24, 2017

My IP cam HI3518 have telnet access, but I can't brute password, can any help me?

root:GIgEh3ZZNHRh2:0:0::/root:/bin/sh

@vertesmark

This comment has been minimized.

Copy link

@vertesmark vertesmark commented Nov 16, 2017

I have a similar camera: TH38J
hi3518ev200 based 2Mpixel
Processor : ARM926EJ-S rev 5 (v5l)
telnet (port:23) is open
password is: "hdipc%No" - took quite a few days with hashcat.
Filmware update is here (I extracted squashfs from filmware, got root hash from this way http://www.tpsee.com/deviceupdate/95-1.html)

@BASM

This comment has been minimized.

Copy link

@BASM BASM commented Nov 28, 2017

For my cam password: IPCam@sw

@V33RU

This comment has been minimized.

Copy link

@V33RU V33RU commented Dec 11, 2017

can anyone help me to crack this hash
$1$4dAkkeWK$HCy0K1z8E.wAuwgLV8bWd/

@cri

This comment has been minimized.

Copy link

@cri cri commented Jun 9, 2018

Hi all!

root:ipc71a

Is there anyone who knows how to avoid the system to rewrite default settings (including the pwd) after every reboot?

@JanLoebel

This comment has been minimized.

Copy link

@JanLoebel JanLoebel commented Jun 20, 2018

I've wrote something about the Hikam S6 (based on HI3518E):

https://gist.github.com/JanLoebel/b5dafcda555323785d32ccb7d643dbcd

@devdbell

This comment has been minimized.

Copy link

@devdbell devdbell commented Jun 22, 2018

can anyone pls help me to crack this hash?
$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0

@hotair1983

This comment has been minimized.

Copy link

@hotair1983 hotair1983 commented Aug 3, 2018

root pass need to my old camera

root:$1$asdjwjam$DOS2FrIr2xujxIGDVSjd21:13792:0:::::

@hotair1983

This comment has been minimized.

Copy link

@hotair1983 hotair1983 commented Aug 3, 2018

@BlueskyCan

hslwificam

@bolbers

This comment has been minimized.

Copy link

@bolbers bolbers commented Aug 30, 2018

time2 MP12 HD Cam:

root:$1$hDwZFK2z$NLzmlcsiUw2zAe8ol1EcI0:0:0::/root:/bin/sh

C:\john180j1w\run>john.exe Time2_china_cam.pwd
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 SSSE3 12x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hipc3518         (root)
1g 4:14:59:27 DONE 3/3 (2018-08-19 06:23) 0.000002g/s 56859p/s 56859c/s 56859C/s hipc32sr..hipc3560

hipc3518 (root)

@tohax

This comment has been minimized.

Copy link

@tohax tohax commented Sep 18, 2018

Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

@dam2k

This comment has been minimized.

Copy link

@dam2k dam2k commented Sep 24, 2018

revotech cam: 1080p root:ipc71a

@mutilator

This comment has been minimized.

Copy link

@mutilator mutilator commented Oct 11, 2018

Fredi Wireless spy camera
/etc/shadow
root:FCb/N1tGGXtP6:10957:0:99999:7:::

Decoded Password: 059AnkJ

@L4ky

This comment has been minimized.

Copy link

@L4ky L4ky commented Oct 20, 2018

revotech cam: 1080p root:ipc71a

Thank you!
Do you have strange traffic going outside from camera? Did you find something interesting?

@yuriizubkov

This comment has been minimized.

Copy link

@yuriizubkov yuriizubkov commented Nov 4, 2018

Fredi Wireless spy camera
/etc/shadow
root:FCb/N1tGGXtP6:10957:0:99999:7:::

Decoded Password: 059AnkJ

Petwant PF-103 pet smart feeder - same DES hash and password. Thanks!

@cribskip

This comment has been minimized.

Copy link

@cribskip cribskip commented Nov 8, 2018

root:anni2013

@piotrsedrowski

This comment has been minimized.

Copy link

@piotrsedrowski piotrsedrowski commented Nov 15, 2018

Hi,
can anyone help me with this hash:
root:$1$k1wheY2.$XCelh0nbndpez5N/ER6A00:0:0::/root:/bin/sh

@ale-trevizoli

This comment has been minimized.

Copy link

@ale-trevizoli ale-trevizoli commented Dec 29, 2018

Anyone can help me? It's HEROSPEED FIRMWARE (herospeed.net)
on simple open firmware on Notepad I found this

qqqq
qqqq
qqqq
qqqq
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /dev tmpfs defaults 0 0
tmpfs /tmp tmpfs defaults 0 0
#!/bin/sh
cd /opt/app/bin
./AVServer &
sleep 5
./SystemServer &
sleep 4
./boa -c /opt/app/config &
sleep 8
./DeviceSearch &
sleep 3
./WatchDog &
./HWatchDog &
/opt/Main &
#!/bin/sh
value=1

eval $(/bin/grep app /var/update)
var=$(echo "$app")

eval $(/bin/grep config /var/update)
var_c=$(echo "$config")

eval $(/bin/grep Main /var/update)
var_Main=$(echo "$Main")

eval $(/bin/grep LongseMiniServer /var/update)
var_Mini=$(echo "$LongseMiniServer")

if [ -f "/opt/Main.bak" ];then
echo "Main app will upgrade"
rm -f /opt/Main
mv /opt/Main.bak /opt/Main
chmod 755 /opt/Main
fi

if [ -f "/opt/LongseMiniServer.bak" ];then
echo "LongseMiniServer app will upgrade"
rm -f /opt/LongseMiniServer
mv /opt/LongseMiniServer.bak /opt/LongseMiniServer
chmod 755 /opt/LongseMiniServer
fi

mount -t jffs2 /dev/mtdblock3 /opt/app/
if [ 0 -eq $? ] && [ ! -L /opt/app/www/snap.jpg ] ; then
ln -s /dev/snap.jpg /opt/app/www/snap.jpg
fi

if [ -f "/opt/app/bin/TelnetSwitch" ];then
cp /opt/app/bin/TelnetSwitch /opt/TelnetSwitch
fi

if [[ $var -eq $value && $var_c -eq $value ]];then
echo "longse app mtd is OK!!"
ifconfig eth0 192.168.1.168 netmask 255.255.255.0
cd /opt/app/ko
./load3516d -i -sensor imx291 -osmem 64
/etc/init.d/startapp
else
echo "longse app mtd is not ok!!"
ifconfig eth0 192.168.1.168 netmask 255.255.255.0
sleep 1
/opt/Main &
/opt/LongseMiniServer &
fi
/opt/TelnetSwitch &

exit

root:7PJZu5rjtntsk:0:0::/root:/bin/sh
root:8QYQ7w7.s1xXM:0:0::/root:/bin/sh

@helivander

This comment has been minimized.

Copy link

@helivander helivander commented Jan 17, 2019

help-me to decode:
root:hbJdVywKWttVM:12430:0:99999:7:::

link from the firmware:
http://www.herospeed.net/en/index.php?m=content&c=index&a=lists&catid=12

@suprememoocow

This comment has been minimized.

Copy link

@suprememoocow suprememoocow commented Mar 3, 2019

My cheap Chinese ip camera:

Username: default
Password: none (not even prompted!)

🙀 😱

@cilynx

This comment has been minimized.

Copy link

@cilynx cilynx commented Mar 7, 2019

Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

@tohax -- I haven't been able to crack it, but I did find a different way to root a camera with that same hash. Chances are fair it'll work on your camera as well.

@matiaspl

This comment has been minimized.

Copy link

@matiaspl matiaspl commented Apr 29, 2019

I have a Hi3521 device (console output here) that I was able to make a flash dump and hash extraction. U-boot is password protected. Hashcat gave me almost nothing (it decrypted the previous password from passwd- file, but not the current). Maybe someone might have a clue how to break in - I only have serial console, the box doesn't have any usb, ethernet or wifi.
root:4uvdzKqBkj.jg

@RomanGlova

This comment has been minimized.

Copy link

@RomanGlova RomanGlova commented May 2, 2019

Have same hash as tohax and cilynx, will try to put it on hashcat on my VC

@hotair1983

This comment has been minimized.

Copy link

@hotair1983 hotair1983 commented Jun 9, 2019

root pass need to NVR ZMODO ZP-NE14-S
root:$1$$6EWLm0KIyyVuSwSFNbVyS/:0:0::/root:/bin/sh

@mariarti

This comment has been minimized.

Copy link

@mariarti mariarti commented Jun 11, 2019

Please, help!
root:$1$$BZofx4soyTd/5HrIQGP5L/:0:0::/root:/bin/sh
camera ip-225-v1
Hi3518E RBCV100
sensor imx225
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
554/tcp open rtsp
2000/tcp open cisco-sccp
5000/tcp open upnp
8000/tcp open http-alt
7654/tcp open unknown
7655/tcp open unknown
24102/tcp open unknown
34567/tcp open dhanalakshmi

@ZigFisher

This comment has been minimized.

Copy link

@ZigFisher ZigFisher commented Jun 30, 2019

Please, help!
root:$1$$BZofx4soyTd/5HrIQGP5L/:0:0::/root:/bin/sh
camera ip-225-v1
Hi3518E RBCV100
sensor imx225

Here is the password - fxjvt1805 (TNX @metsys1 !)

More information - http://openipc.org

@francistheodorecatte

This comment has been minimized.

Copy link

@francistheodorecatte francistheodorecatte commented Jul 1, 2019

PTZ Optics ZCAM-VL:
Hi3516
root:vhd1206
default:vhd1206

@ReRandom

This comment has been minimized.

Copy link

@ReRandom ReRandom commented Jul 25, 2019

Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

I have a camera with the same password. After receiving the memory dump, I was able to find the password for u-boot. It is: HI2105CHIP

@HclX

This comment has been minimized.

Copy link

@HclX HclX commented Aug 2, 2019

Can I get help with this hash:

root:$1$h.WNWVcj$I16bljj/Jcbxh/oQGCmVg.:0:0:99999:7:::

@MyCodeRocks

This comment has been minimized.

Copy link

@MyCodeRocks MyCodeRocks commented Sep 23, 2019

Also been using hashcat and john running for over two days and no log not sure if I am using the wrong sequence with Hashcat been using ?1?d with ?1?1?1?1?1?1

but this hash seems to be more complicated than a simple DES encrypt:
Hash:
root:Uu1Kq8MmXhxqA:0:0::/root:/bin/sh
This is for Hi3518 fish eye camera. (VR CAM) All the default wordlists for ip Cams have not worked either.

Can anyone help with either the right sequence to use in HashCat or running the has for me?

@inspectorelectro

This comment has been minimized.

Copy link

@inspectorelectro inspectorelectro commented Sep 28, 2019

Hi all..
Can anybody help me with pass for my camera?

root:Sd5ZXUyhT8kwQ:0:0::/root:/bin/sh

@inspectorelectro

This comment has been minimized.

Copy link

@inspectorelectro inspectorelectro commented Sep 29, 2019

Anybody????

@ajo-1

This comment has been minimized.

Copy link

@ajo-1 ajo-1 commented Dec 4, 2019

root:yE7gW4O0CSXXg:0:0::/root:/bin/sh

does anyone know the password?

@Brontus63

This comment has been minimized.

Copy link

@Brontus63 Brontus63 commented Dec 5, 2019

root:yE7gW4O0CSXXg:0:0::/root:/bin/sh

cxlinux

@sebastiannowicki

This comment has been minimized.

Copy link

@sebastiannowicki sebastiannowicki commented Dec 14, 2019

Hi,
can anyone help me with this hash:
root:$1$k1wheY2.$XCelh0nbndpez5N/ER6A00:0:0::/root:/bin/sh

Both hashcat and john output this:
root::0:0::/root:/bin/sh

So looks like this is blank root password (no password. just hit enter)

@HclX

This comment has been minimized.

Copy link

@HclX HclX commented Dec 15, 2019

root:$1$rmxcrLSF$Pbx3DU0y7W0eKIpAMRX351:17870:0:99999:7:::

@ZigFisher

This comment has been minimized.

Copy link

@ZigFisher ZigFisher commented Dec 27, 2019

Hello friends
Here's another u-boot password to the collection of HI3518EV200 board - hw-wenzi

More information - http://openipc.org

@MyCodeRocks

This comment has been minimized.

Copy link

@MyCodeRocks MyCodeRocks commented Dec 27, 2019

Can you post for which hash?

@ZigFisher

This comment has been minimized.

Copy link

@ZigFisher ZigFisher commented Dec 27, 2019

Can you post for which hash?

This is a U-Boot password, not a system password. He is in the open.

@dreamstarer

This comment has been minimized.

Copy link

@dreamstarer dreamstarer commented Apr 22, 2020

Can anyone help with root password for 8ch NVR Harex (Jovision)? Tried only "l u d" up to 6 symbols with hashcat, but I don't have resources for 7+ length guessing.

root:$1$y5hskMvE$Pdm4AgjJjNL5Uk08vgH/h0:0:0::/root:/bin/sh

@lcharles123

This comment has been minimized.

Copy link

@lcharles123 lcharles123 commented May 4, 2020

HD-IPC
the robot like cam
image: https://i.imgur.com/EZv0qmU.jpg
app LiveYes (implementation of CID system of athome like cam)
SoC: FH8810
Defaults:
app password: CID:123
web interface: admin:123456
telnet: root:123

@paus56

This comment has been minimized.

Copy link

@paus56 paus56 commented Jul 16, 2020

can anyone pls help me to crack this hash?
root:$1$WhMKHafk$SS6nPXGF4ErcQn6z3wMd8/:0:0::/root:/bin/sh

@sl1cks0l0

This comment has been minimized.

Copy link

@sl1cks0l0 sl1cks0l0 commented Jul 18, 2020

can anyone pls help me to crack this hash?
root:$1$WhMKHafk$SS6nPXGF4ErcQn6z3wMd8/:0:0::/root:/bin/sh

$1$WhMKHafk$SS6nPXGF4ErcQn6z3wMd8/:1234qwer
root:1234qwer

@Phantomn

This comment has been minimized.

Copy link

@Phantomn Phantomn commented Jul 21, 2020

root:$1$$5g0YQT0RMSzcGI5qmCiAy.:0:0::/root:/bin/sh
please crack this hash

@danny02craciunel

This comment has been minimized.

Copy link

@danny02craciunel danny02craciunel commented Jul 22, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

@Phantomn

This comment has been minimized.

Copy link

@Phantomn Phantomn commented Jul 28, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

"fRW5anhWEAGwY" is md5?

@sl1cks0l0

This comment has been minimized.

Copy link

@sl1cks0l0 sl1cks0l0 commented Jul 28, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

"fRW5anhWEAGwY" is md5?

it is DES(Unix)

@Phantomn

This comment has been minimized.

Copy link

@Phantomn Phantomn commented Jul 28, 2020

root:$1$$5g0YQT0RMSzcGI5qmCiAy.:0:0::/root:/bin/sh
please crack this hash

root:jvtsmart123

@MyCodeRocks

This comment has been minimized.

Copy link

@MyCodeRocks MyCodeRocks commented Jul 28, 2020

Can anyone crack this
root:Uu1Kq8MmXhxqA:0:0::/root:/bin/sh

@danny02craciunel

This comment has been minimized.

Copy link

@danny02craciunel danny02craciunel commented Jul 28, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

"fRW5anhWEAGwY" is md5?

it is DES(Unix)

Yes, it’s des. I’ve been using John the ripper for about a week, no result yet. If anybody has a better solution or a powerful pc, I would be grateful for any help 😁

@sl1cks0l0

This comment has been minimized.

Copy link

@sl1cks0l0 sl1cks0l0 commented Jul 28, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

"fRW5anhWEAGwY" is md5?

it is DES(Unix)

Yes, it’s des. I’ve been using John the ripper for about a week, no result yet. If anybody has a better solution or a powerful pc, I would be grateful for any help grin

what device/source is it from? any details?

@danny02craciunel

This comment has been minimized.

Copy link

@danny02craciunel danny02craciunel commented Jul 28, 2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

"fRW5anhWEAGwY" is md5?

it is DES(Unix)

Yes, it’s des. I’ve been using John the ripper for about a week, no result yet. If anybody has a better solution or a powerful pc, I would be grateful for any help grin

what device/source is it from? any details?

It’s from topsee (or tpsee) TH38M/M2 IPC firmware upgrade package_V2.5.2.42.
It can be downloaded from here http://120.25.235.239/deviceupdate/95-1.html

@sebastiannowicki

This comment has been minimized.

Copy link

@sebastiannowicki sebastiannowicki commented Jul 28, 2020

Can you help with this:
root:$1$$.MO09JyxBBNd9Xv0pXIqc0:0:0::/root:/bin/sh

It's from video doorbell Vidiline F-Ip-3704.

@sebastiannowicki

This comment has been minimized.

Copy link

@sebastiannowicki sebastiannowicki commented Jul 28, 2020

@sesse: This video door bell is based on Hi3518.

@sl1cks0l0

This comment has been minimized.

Copy link

@sl1cks0l0 sl1cks0l0 commented Jul 28, 2020

Hi everyone,

I believe this file is about Hi3518 based devices (typically video encoders), not a password cracking service for any random devices you may have lying about :-) Correct me if I'm wrong.

@sesse:
Correct, Hence me asking for details, since there seems to be multiple hashes being posted. ( Not like I should have to explain)
Are you telling users not to crack hashes in these comments?
Are you the owner, moderator, authority here?
Fact is, cracked hashes are being shared here for these Hi3518 based devices, you even shared your "cracked hash"
This was started like 4 years ago, you piped in about a month ago.

@gabonator

This comment has been minimized.

Copy link
Owner Author

@gabonator gabonator commented Jul 28, 2020

Hi everyone,
I believe this file is about Hi3518 based devices (typically video encoders), not a password cracking service for any random devices you may have lying about :-) Correct me if I'm wrong.

@sesse:
Correct, Hence me asking for details, since there seems to be multiple hashes being posted. ( Not like I should have to explain)
Are you telling users not to crack hashes in these comments?
Are you the owner, moderator, authority here?
Fact is, cracked hashes are being shared here for these Hi3518 based devices, you even shared your "cracked hash"
This was started like 4 years ago, you piped in about a month ago.

Hello guys, the idea behind this gist was to collect all known passwords for hisilicon based cameras (or other linux based cameras). Feel free to post your hashes here in this discussion, one day I will go through all your comments and collect new login/password pairs. Maybe I will create some spreadsheet on google docs... Or is there any volunteer who would like to take care of this? It seems there are also clever guys with ability to transform the hashes back to passwords, so thank you for contributing... And please dont forget to post also the name/model/manufacturer of your camera with your hashes. Have fun with hacking your cameras!

@deskjet482

This comment has been minimized.

Copy link

@deskjet482 deskjet482 commented Aug 29, 2020

hi3516d IPD-D53Y0701-BS

root:$1$EnVGPLqH$Jwh/FgaqrrHwHsmzHibnc1:0:0::/root:/bin/sh

root:hkipc2016

@hotair1983

This comment has been minimized.

Copy link

@hotair1983 hotair1983 commented Aug 29, 2020

Help:
root:X.pOwnufFAWYQ:0:0:root:/:/bin/sh
camera CPU XM530
Hardware: XM530_R80X20-PQ_8M

Password: ccadmin

@xenoxaos

This comment has been minimized.

Copy link

@xenoxaos xenoxaos commented Sep 14, 2020

hi3516d IPD-D53Y0701-BS

root:$1$EnVGPLqH$Jwh/FgaqrrHwHsmzHibnc1:0:0::/root:/bin/sh

root:hkipc2016

Thanks, I hadn't gotten that far cracking this one. I ended up just backdooring the cam and adding my own /mnt/flash/tmp/script/preRUN.sh that opened up a telnetd with no login to run on boot.

@dahook

This comment has been minimized.

Copy link

@dahook dahook commented Oct 27, 2020

Since I've been struggling with cracking this I thought I'd share :-)

Several internet sources states that the the password for a03e3thxwWU0g is "juantech" which is incorrect. The correct password is "/*6.=_ja".

i.e root:/*6.=_ja

root:a03e3thxwWU0g:0:0::/root:/bin/sh

@sl1cks0l0

This comment has been minimized.

Copy link

@sl1cks0l0 sl1cks0l0 commented Oct 27, 2020

Since I've been struggling with cracking this I thought I'd share :-)

Several internet sources states that the the password for a03e3thxwWU0g is "juantech" which is incorrect. The correct password is "/*6.=_ja".

i.e root:/*6.=_ja

root:a03e3thxwWU0g:0:0::/root:/bin/sh

nice find, thanks for sharing!
i've never come across any with that, but google sure does return the results you speak of

@dahook

This comment has been minimized.

Copy link

@dahook dahook commented Oct 27, 2020

Since I've been struggling with cracking this I thought I'd share :-)
Several internet sources states that the the password for a03e3thxwWU0g is "juantech" which is incorrect. The correct password is "/*6.=_ja".
i.e root:/*6.=_ja
root:a03e3thxwWU0g:0:0::/root:/bin/sh

nice find, thanks for sharing!
i've never come across any with that, but google sure does return the results you speak of

It's from a Hi3516C-based IP-camera. China no-name with the JUAN-based software, product number PE-3020-W5. Mine is one of those that sends e-mails with jpegs attached to lawishere@yeah.net so I thought I'd entertain myself with writing a new firmware. Starting with a basic RTSP-server and see were it goes from there :-)

@mr-petz

This comment has been minimized.

Copy link

@mr-petz mr-petz commented Oct 29, 2020

Hi,
can anyone pls help me to crack this hash?
root:$1$$8LecoU88mCXdvZAqbWZnn0:0:0::/root:/bin/sh

It's from a Hi3518-based IP-DoorBell.

@sperglord8008s

This comment has been minimized.

Copy link

@sperglord8008s sperglord8008s commented Oct 30, 2020

Try this list with if you cant find your password

00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521

@mr-petz

This comment has been minimized.

Copy link

@mr-petz mr-petz commented Oct 31, 2020

Thank you. I've tried the list, but no password works.
root:$1$$8LecoU88mCXdvZAqbWZnn0:0:0::/root:/bin/sh

@sperglord8008s

This comment has been minimized.

Copy link

@sperglord8008s sperglord8008s commented Nov 2, 2020

Thank you. I've tried the list, but no password works.
root:$1$$8LecoU88mCXdvZAqbWZnn0:0:0::/root:/bin/sh

Your hash is missing a salt > $1 = md5crypt , It should be format in this way

000000$1$22222222$3333333333333

0000=Account
$1=Cipher Format
$2=Salt
$3=Hash

Example "root:$1$EnVGPLqH$Jwh/FgaqrrHwHsmzHibnc1"

@chunkster29

This comment has been minimized.

Copy link

@chunkster29 chunkster29 commented Dec 2, 2020

root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

shadow file:
root:$1$lPbKHYLS$r6JMTEm949/hCMv85Fsx9/:0:0:99999:7:::

@Gauthamraju31

This comment has been minimized.

Copy link

@Gauthamraju31 Gauthamraju31 commented Dec 9, 2020

Anyone able to find out the shell password for Honeywell HIB2PI?

@solidssss

This comment has been minimized.

Copy link

@solidssss solidssss commented Dec 25, 2020

Can anyone crack this one?

root:$1$12345678$CTq8UQyYrE.vbbG7E8Mtj1:0:0::/root:/bin/sh

edit: it's a Nedis camera (WIFICI20CGY)

@gabonator

This comment has been minimized.

Copy link
Owner Author

@gabonator gabonator commented Dec 25, 2020

@chunkster29, @solidssss please tell us what kind of camera it is at first. Manufacturer, model, purchase link...

@solidssss

This comment has been minimized.

Copy link

@solidssss solidssss commented Dec 25, 2020

@gabonator it's a Nedis camera (WIFICI20CGY)

@idarednet

This comment has been minimized.

Copy link

@idarednet idarednet commented Jan 2, 2021

Need help with cracking this salty hash. Tried hashcat and several wordlists with rules with no luck.

root:$1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1:0:0::/root:/bin/sh

This hash is in several SV3C L Series Cameras

@forGGe

This comment has been minimized.

Copy link

@forGGe forGGe commented Jan 4, 2021

Can you help with this:
root:$1$$.MO09JyxBBNd9Xv0pXIqc0:0:0::/root:/bin/sh

It's from video doorbell Vidiline F-Ip-3704.

Found the same in a doorbell FW of Slinex SL-07 IP
Can't crack yet :)

@sebastiannowicki

This comment has been minimized.

Copy link

@sebastiannowicki sebastiannowicki commented Jan 4, 2021

Can you help with this:
root:$1$$.MO09JyxBBNd9Xv0pXIqc0:0:0::/root:/bin/sh
It's from video doorbell Vidiline F-Ip-3704.

Found the same in a doorbell FW of Slinex SL-07 IP
Can't crack yet :)

My PC spend days running hashcat on my RTX2070. No luck.

@buzzdev

This comment has been minimized.

Copy link

@buzzdev buzzdev commented Jan 24, 2021

Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

@tohax -- I haven't been able to crack it, but I did find a different way to root a camera with that same hash. Chances are fair it'll work on your camera as well.

Hi, do you have the config_packer already done and available, please?

@sectroyer

This comment has been minimized.

Copy link

@sectroyer sectroyer commented Jan 28, 2021

C721IP/CIP-37210:
root:7UZzpRuiyJi7E:I81ou812

@sectroyer

This comment has been minimized.

Copy link

@sectroyer sectroyer commented Jan 28, 2021

root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

root:helpme:0:0::/root:/bin/sh

Hi all..
Can anybody help me with pass for my camera?

root:Sd5ZXUyhT8kwQ:0:0::/root:/bin/sh

root::0:0::/root:/bin/sh

My IP cam HI3518 have telnet access, but I can't brute password, can any help me?
root:GIgEh3ZZNHRh2:0:0::/root:/bin/sh

IPCam@sw

can anyone help me to crack this hash
$1$4dAkkeWK$HCy0K1z8E.wAuwgLV8bWd/

cloud39e

@ATuxford

This comment has been minimized.

Copy link

@ATuxford ATuxford commented Jan 29, 2021

Hi All, I hope you are able to help me out. I have an INESUN INS-HD54F camera which I can't use because there is something wrong with the OS. I haven't been able to find a firmware for this but it's based on the HI3516EV300 and reports as IPD-E2A5L18-BS on the serial output. I have connected to the internal serial port of the camera to get that info but I can't find the root password anywhere to log in to the OS. All of the passwords in the list so far haven't worked unfortunately. I don't know if I can get it into single user mode through U-Boot arguments or get it to dump the firmware through it, I haven't got that far.

Has anyone got any ideas?

EDIT: So I managed to dump the flash in the camera via TFTP and I have found at least one possibility for the root password, $1$0Me7S3z5$.uQ4Pr/QjJQ/0JUZI0w4m. but I will search through the whole file system to make sure that's not just a legacy hash left over from an update and it's changed. I'm trying to crack it now, hopefully it's just 6 characters. More updates to come.

@smysnk

This comment has been minimized.

Copy link

@smysnk smysnk commented Jan 30, 2021

jvs3516cs.bin root:Z2eoH2SgzVIfA:0:0::/root:/bin/sh jvth6cs2

@hevoc123

This comment has been minimized.

Copy link

@hevoc123 hevoc123 commented Jan 30, 2021

Thank you. I've tried the list, but no password works.
root:$1$$8LecoU88mCXdvZAqbWZnn0:0:0::/root:/bin/sh

Your hash is missing a salt > $1 = md5crypt , It should be format in this way

000000$1$22222222$3333333333333

0000=Account
$1=Cipher Format
$2=Salt
$3=Hash

Example "root:$1$EnVGPLqH$Jwh/FgaqrrHwHsmzHibnc1"

It is right format. Salt is empty. I need to encrypt this hash for my Beward DK103 too. Hash is similar for it.

@higuita

This comment has been minimized.

Copy link

@higuita higuita commented Feb 11, 2021

From a H264/h265 HDMI to network encoder

root:$1$SkeH7JZY$7qZCxNB.GP9n7v63.2bSx.:0:0:root:/home:/bin/sh
password: wabjtam (https://www.onlinehashcrack.com/jrfo2k6y0p)

For all those trying to crash password hash, you can use this free services for passwords until 8 characters (most of the above passwords). Above that you will have to pay

https://www.onlinehashcrack.com/

Or simply use john the ripper (https://www.openwall.com/john/)

@DropNot

This comment has been minimized.

Copy link

@DropNot DropNot commented Feb 11, 2021

Please can somebody crack:

root:04h6XLo9zAfEM:0:0::/root:/bin/sh

..for me? It's a Topcony 1080P Wireless IP Camera with a hi3518ev200 SoC

@higuita

This comment has been minimized.

Copy link

@higuita higuita commented Feb 11, 2021

@DropNot AS i said: https://www.onlinehashcrack.com/pv98ob7csh

It is just a matter to use the "hash identification" in the password top menu to see what format it have and then submit a task with the hash. It takes a few hours and that is it.

@DarkNekoRockman

This comment has been minimized.

Copy link

@DarkNekoRockman DarkNekoRockman commented Feb 16, 2021

Hello, please somebody can crack:

root:$1$JYFTech$dt2mZnCIdoFSWAog1s.T41:10933:0:99999:7:::

@DropNot

This comment has been minimized.

Copy link

@DropNot DropNot commented Feb 16, 2021

It takes a few hours and that is it.

Works well for many cases but not all. Five days on your queued task is about to return "Not Found", as did mine. Thanks for trying, at least.

Other suggestions/help welcome.

root:04h6XLo9zAfEM:0:0::/root:/bin/sh

@higuita

This comment has been minimized.

Copy link

@higuita higuita commented Feb 18, 2021

Works well for many cases but not all. Five days on your queued task is about to return "Not Found", as did mine. Thanks for trying, at least.
Other suggestions/help welcome.

well, if it failed, that translates that is is 8 character long or higher and may need bruteforce... you can pay for it if you think is worthy the money: https://www.onlinehashcrack.com/about-pricing.php (but add your own account/email, now everyone is using my email by reusing exactly my own address instead of creating their own 🤦‍♂️ )

You can also try installing "john the ripper" and try it yourself for "free" (you pay your electric bills) in your computer. As it is a easy algorithm, you probably can crack it yourself directly in a few days

@DropNot

This comment has been minimized.

Copy link

@DropNot DropNot commented Feb 18, 2021

now everyone is using my email by reusing exactly my own address instead of creating their own

Maybe remove the link you posted earlier, gifting everyone the chance to use onlinehashcrack without having to provide an email address?

Having ruled out onlinehashcrack (it failed) and jtr (laptop too slow/hot) I posted here in the hope that someone with a beefier setup might help. Still hoping :-)

My main aim was to add to this list a p/w for this specific camera. Booting into single user mode might suffice for my purposes so no, I'm not especially tempted to pay onlinehashcrack to have another go.

@sectroyer

This comment has been minimized.

Copy link

@sectroyer sectroyer commented Feb 21, 2021

well, if it failed, that translates that is is 8 character long or higher

No it isn't

Having ruled out onlinehashcrack (it failed) and jtr (laptop too slow/hot) I posted here in the hope that someone with a beefier setup might help. Still hoping :-)

No "beefy setup" required...

help-me to decode:
root:hbJdVywKWttVM:12430:0:99999:7:::

e177ab8e

Other suggestions/help welcome.

root:04h6XLo9zAfEM:0:0::/root:/bin/sh

sl.x.

@DropNot

This comment has been minimized.

Copy link

@DropNot DropNot commented Feb 22, 2021

well, if it failed, that translates that is is 8 character long or higher

No it isn't

Thanks, that's good to know.

No "beefy setup" required...

Other suggestions/help welcome.
root:04h6XLo9zAfEM:0:0::/root:/bin/sh

sl.x.

Thanks again. Another one for Gabonator's list.

Much to learn about jtr. With default options it failed to crack this hash over the course of several days. Armed with your solution I added --length=5 and it spat out an answer in seconds. Maybe I'm misunderstanding their use of the word "incremental".

Also curious as to how onlinehashcrack took five days to not crack this.

For anyone else looking at this Topcony camera, you can get a root shell via the (unmarked) serial port without the password, by interrupting U Boot (be quick) and typing:

setenv bootargs ${bootargs} single init=/bin/sh
sf probe 0;sf read 0x82000000 0x50000 0x170000;bootm 0x82000000

It's a barebones system at that point but you can mount the other filing systems, startup networking, camera and cloud tools quite easily

/etc/init.d/rcS

I'm trying to load a modified rootfs over nfs but what works elsewhere fails here.

@sectroyer

This comment has been minimized.

Copy link

@sectroyer sectroyer commented Mar 29, 2021

root pass need to my old camera

root:$1$asdjwjam$DOS2FrIr2xujxIGDVSjd21:13792:0:::::

23we98oi

root:7PJZu5rjtntsk:0:0::/root:/bin/sh
root:8QYQ7w7.s1xXM:0:0::/root:/bin/sh

root:7PJZu5rjtntsk:HI71323x
root:8QYQ7w7.s1xXM:HI0605v1
root:aVG8.5PMEOfnQ:WYom2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

root:fRW5anhWEAGwY:1.oN%cpi

but this hash seems to be more complicated than a simple DES encrypt:
Hash:
root:Uu1Kq8MmXhxqA:0:0::/root:/bin/sh
This is for Hi3518 fish eye camera. (VR CAM) All the default wordlists for ip Cams have not worked either.

root:Uu1Kq8MmXhxqA:j1/_6s*w

@jmccorm

This comment has been minimized.

Copy link

@jmccorm jmccorm commented Apr 10, 2021

I've got another camera with an unknown password. It is an awesome 5MP with 30x optical zoom PTZ camera, infrared LEDs, AI humanoid detection, SD card, built-in microphone and speaker, just about everything enabled. The only feature it doesn't seem to have are white lights, alarm input/output wires, and POE. Model is "C6F0SoZ3N0PcL2" running on an Hi3516EV300 with a Sony IMX335 sensor.

/etc/shadow entry as follows:
root:$1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1:17500:0:99999:7:::

I see this encrypted password also mentioned on pages for two completely different cameras. I suspect we've got OEMs who are making only the most minimal updates to the original HiSilicon firmware:
C6F0SgZ3N0P9L2 https://55476f744974.wordpress.com/
CTIPC-275C1080P https://www.wolfteck.com/2019/03/07/getting_into_the_ctipc-275c1080p/

I got into the camera via a path suggested elsewhere which had me change my WiFi SSID to:
SSID"|/usr/sbin/telnetd -l /bin/sh -p 24"

But I didn't try it directly through the web interface. Instead, I made my own unpacker and repacker of the camera's config.bin files (provided below). I'm not a regular GitHub user, so forgive me as I paste some sloppy code here. Requires "coreutils" package (probably already installed) to do the md5sum computation, and then your standard dd, gzip, and tar commands. I hope this will be of use to some:

BASH SHELL SCRIPT (Linux):
tomnt - Reads .bin and extracts the contents into a subdirectory called mnt (off the current directory)

#!/bin/bash

if [ "$1" == "" ]
then
echo "usage: $0 [filename] (.bin will automatically be appended to filename)"
exit 1
fi

if [ -d mnt ]
then
echo "mnt directory: renaming to mnt.$$"
mv mnt mnt.$$
fi

filename="${1}.bin"
dd if="$filename" bs=512 skip=1 2>/dev/null > "$filename.tar.gz"
cp "$filename.tar.gz" "$filename.tar.gz.salted"
dd if="$filename" bs=1 skip=28 count=5 2>/dev/null >> "$filename.tar.gz.salted"

gunzip -k "$filename.tar.gz"
tar fvxp "$filename.tar"

BASH SHELL SCRIPT (Linux):
tobin - Takes the contents of a subdirectory called mnt and packs it into a .bin configuration file that's compatible with CamHi3510 type cameras.

#!/bin/bash
if [ ! -d mnt ]
then
echo "mnt subdirectory (with camera config) is missing"
exit 2
fi

if [ "$1" == "" ]
then
echo "usage: $0 [filename] (.bin will automatically be appended to filename)"
exit 1
fi

filename="${1}.bin"
tar cpf $filename.tar mnt
cat $filename.tar | gzip -9 - > $filename.tar.gz

cp $filename.tar.gz $filename.tar.gz.salted
echo -n "IPCAM" >> $filename.tar.gz.salted
checksum=md5sum $filename.tar.gz.salted | cut -d" " -f1

echo -ne "PIHC\x01\x10" > $filename
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x00" >> $filename
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x00" >> $filename
x=wc -c $filename.tar.gz | cut -d" " -f1
printf "$(printf "\%03o" $((x&255)) $((x>>8&255)) $((x>>16&255)) $((x>>24&255)))" >> $filename
echo -ne "IPCAM" >> $filename
for i in seq 1 195
do
echo -ne "\x00" >> $filename
done

echo -ne "${checksum}" >> $filename
for i in seq 1 252
do
echo -ne "\x00" >> $filename
done

cat $filename.tar.gz >> $filename

The basic idea is that you save the camera's .bin configuration file as something like "mysettings.bin", and then you extract it like "tomnt mysettings". From there, you go into mnt/mtd/ipc/conf and make all the changes that you want. Then you go back into your original directory, run something like "tobin mynewsettings" which creates "mynewsettings.bin" which you can then upload back to your camera.

I hope someone finds this helpful! This and other communities have really been a great help to me on this camera. My current challenge is seeing how I can figure out what PTZ calls / set codes and sequences result in what special commands for this camera. It seems that this camera (along with many others) have their own unique codes that you're pretty much on your own to figure out!

Thanks all.

EDIT: You may need to change "PIHC\x01\x10" in the tobin script to match whatever salt your camera in particular is using. At least for my configuration, those scripts will decode and re-encode a perfect formatted configuration file. And if you've got a custom .g711 sound file for your alarm, it'll be saved and restored along with everything else.

@sectroyer

This comment has been minimized.

Copy link

@sectroyer sectroyer commented Apr 11, 2021

/etc/shadow entry as follows:
root:$1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1:17500:0:99999:7:::

This camera was already discussed here:

Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

I have a camera with the same password. After receiving the memory dump, I was able to find the password for u-boot. It is: HI2105CHIP

@jmccorm

This comment has been minimized.

Copy link

@jmccorm jmccorm commented Apr 12, 2021

Sectroyer,

I saw that and I was quite impressed by that find, actually. It's a bit of a puzzle for me because I tried the password and it didn't work. I double checked my work and gave it a few more tries, but I wasn't able to log in as root. I tried it on a second purchase I had made and it didn't work there either. Mind you, I've got no theory why that password isn't working for me. I ended up copying my own encrypted string into /etc/shadow and went from there. If you've got some additional suggestions, I'm good to restore /etc/shadow and give it a go.

BTW... know if anywhere people are discussing software mods to these cameras? I'm hoping to supplement its AI humanoid tracking with just a little more filtering to make it more useful. (I'd like to exclude an area from detection when the camera is sitting all zoomed-out on its guard preset. Maybe add in some more aggressiveness while panning to keep up with an object that continues to move more and more out-of-frame. You get the idea.) But I'm missing my favorite troubleshooting/reverse-engineering tool in my toolbox right now, and that'd be strace.

@sectroyer

This comment has been minimized.

Copy link

@sectroyer sectroyer commented Apr 12, 2021

Mind you, I've got no theory why that password isn't working for me.

This password is for u-boot, exactly as I quoted :)

@sperglord8008s

This comment has been minimized.

Copy link

@sperglord8008s sperglord8008s commented Apr 12, 2021

I've got another camera with an unknown password. It is an awesome 5MP with 30x optical zoom PTZ camera, infrared LEDs, AI humanoid detection, SD card, built-in microphone and speaker, just about everything enabled. The only feature it doesn't seem to have are white lights, alarm input/output wires, and POE. Model is "C6F0SoZ3N0PcL2" running on an Hi3516EV300 with a Sony IMX335 sensor.

/etc/shadow entry as follows:
root:$1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1:17500:0:99999:7:::

I see this encrypted password also mentioned on pages for two completely different cameras. I suspect we've got OEMs who are making only the most minimal updates to the original HiSilicon firmware:
C6F0SgZ3N0P9L2 https://55476f744974.wordpress.com/
CTIPC-275C1080P https://www.wolfteck.com/2019/03/07/getting_into_the_ctipc-275c1080p/

I got into the camera via a path suggested elsewhere which had me change my WiFi SSID to:
SSID"|/usr/sbin/telnetd -l /bin/sh -p 24"

But I didn't try it directly through the web interface. Instead, I made my own unpacker and repacker of the camera's config.bin files (provided below). I'm not a regular GitHub user, so forgive me as I paste some sloppy code here. Requires "coreutils" package (probably already installed) to do the md5sum computation, and then your standard dd, gzip, and tar commands. I hope this will be of use to some:

BASH SHELL SCRIPT (Linux):
**tomnt ** - Reads .bin and extracts the contents into a subdirectory called mnt (off the current directory)

#!/bin/bash
if [ "$1" == "" ]
then
echo "usage: $0 [filename] (.bin will automatically be appended to filename)"
exit 1
fi
if [ -d mnt ]
then
echo "mnt directory: renaming to mnt.$$"
mv mnt mnt.$$
fi
filename="${1}.bin"
dd if="$filename" bs=512 skip=1 2>/dev/null > "$filename.tar.gz"
cp "$filename.tar.gz" "$filename.tar.gz.salted"
dd if="$filename" bs=1 skip=28 count=5 2>/dev/null >> "$filename.tar.gz.salted"
gunzip -k "$filename.tar.gz"
tar fvxp "$filename.tar"

BASH SHELL SCRIPT (Linux):
**tobin ** - Takes the contents of a subdirectory called mnt and packs it into a .bin configuration file that's compatible with CamHi3510 type cameras.

#!/bin/bash
if [ ! -d mnt ]
then
echo "mnt subdirectory (with camera config) is missing"
exit 2
fi
if [ "$1" == "" ]
then
echo "usage: $0 [filename] (.bin will automatically be appended to filename)"
exit 1
fi
filename="${1}.bin"
tar cpf $filename.tar mnt
cat $filename.tar | gzip -9 - > $filename.tar.gz
cp $filename.tar.gz $filename.tar.gz.salted
echo -n "IPCAM" >> $filename.tar.gz.salted
checksum=md5sum $filename.tar.gz.salted | cut -d" " -f1
echo -ne "PIHC\x01\x10" > $filename
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x00" >> $filename
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x00" >> $filename
x=wc -c $filename.tar.gz | cut -d" " -f1
printf "$(printf "%03o" $((x&255)) $((x>>8&255)) $((x>>16&255)) $((x>>24&255)))" >> $filename
echo -ne "IPCAM" >> $filename
for i in seq 1 195
do
echo -ne "\x00" >> $filename
done
echo -ne "${checksum}" >> $filename
for i in seq 1 252
do
echo -ne "\x00" >> $filename
done
cat $filename.tar.gz >> $filename

The basic idea is that you save the camera's .bin configuration file as something like "mysettings.bin", and then you extract it like "tomnt mysettings". From there, you go into mnt/mtd/ipc/conf and make all the changes that you want. Then you go back into your original directory, run something like "tobin mynewsettings" which creates "mynewsettings.bin" which you can then upload back to your camera.

I hope someone finds this helpful! This and other communities have really been a great help to me on this camera. My current challenge is seeing how I can figure out what PTZ calls / set codes and sequences result in what special commands for this camera. It seems that this camera (along with many others) have their own unique codes that you're pretty much on your own to figure out!

Thanks all.

Great info, Im pretty sure the password for your camera root is root:hkipc2016 , Also the preset you need to call for the PTZ OSD is most likely 95 or 123 or 84 or 88. Of ots not any of those the OSD is disabled and you will most likely only have IR Switch command somewhere, WhiteLight Switch and Maybe Auto Night enable disable along with the usual PTZ Check and Reset., I have a list of the most common PTZ commands somewhere in my HDD if you want a copy ill dig it up later. Kudos

@sectroyer

This comment has been minimized.

Copy link

@sectroyer sectroyer commented Apr 12, 2021

Great info, Im pretty sure the password for your camera root is root:hkipc2016

John doesn't agree :)

@sperglord8008s

This comment has been minimized.

Copy link

@sperglord8008s sperglord8008s commented Apr 12, 2021

Whats the P2P service thats paired with your Board, Im tipping Camhi Or maybe Hisee ,360eyes , Xmeye ?

@buzzdev

This comment has been minimized.

Copy link

@buzzdev buzzdev commented Apr 12, 2021

But I'm missing my favorite troubleshooting/reverse-engineering tool in my toolbox right now, and that'd be strace.

What i do is to mount an nfs from a raspberry pi on the camera. On the nfs i have strace, strings, gdb, etc.
All of them prebuilt and statically linked. Works perfectly. I just mount the nfs and execute them directly from there, because on the camera, there's just about 1MB free.

@ljakob

This comment has been minimized.

Copy link

@ljakob ljakob commented Apr 12, 2021

Hi,
I've got the same PoE-PTZ-camera as @chunkster29

with /etc/shadow probably containing
root:$1$lPbKHYLS$r6JMTEm949/hCMv85Fsx9/:0:0:99999:7:::

I've invested some time analyzing the firmware, found some firmware images, UART/U-boot access, enable telnet. But wasn't able to crack the root password. If anybody is interested in some python scripts for PTZ, ,manual IR-shutter & co just drop me a line.

Leif

@jmccorm

This comment has been minimized.

Copy link

@jmccorm jmccorm commented Apr 13, 2021

I've got replies for several people, and thank you to everyone! I'll have more to share later.

Great info, Im pretty sure the password for your camera root is root:hkipc2016 , Also the preset you need to call for the PTZ OSD is most likely 95 or 123 or 84 or 88. Of ots not any of those the OSD is disabled and you will most likely only have IR Switch command somewhere, WhiteLight Switch and Maybe Auto Night enable disable along with the usual PTZ Check and Reset., I have a list of the most common PTZ commands somewhere in my HDD if you want a copy ill dig it up later. Kudos

It seems that my particular camera (30x PTZ model C6F0SoZ3N0PcL2 on Hi3516EV300 with 5MP Sony IMX335 sensor) is using PTZ codes that are similar but still quite different from many other Camhi models. Hey, I've got some good news. As it turns out, I asked the seller some of these questions and this time they CC'd me and the manufacturer together and I got some better answers. Some may find this worthwhile, so I'll share:

5MP 30x PTZ w/Humanoid AI tracking --
Manufacturer: Shenzhen Bosesh Technology Co.,Ltd. They are by no means proud of its tracking features. Their most recent email read, "I was surprised about tracking because this version was released in November last year. The camera you bought may come with a test version of the tracking program. I can share some commands with you, but I don’t think they will work very well." When asked about some of the possibilities available with root access (which I did not expect any substantial reply to) they only had to say "I can’t give you more support about root, which is usually open to very, very close partner companies." (which is a fair enough answer).

I already had what PTZ codes they provided, except for the one which re-enables the AF/Zoom display in the lower-right corner. That was new! Of course, they caution me against finding my own PTZ codes "because there are 3 different camera supply components that use these commands. Even we don't know all the commands and functions, which is very dangerous." Good advice, no doubt.

Here are the codes that I've found for this particular model:
===========================================

CALL 66 -- ENABLE HUMANOID TRACKING
CALL 67 -- UNCLEAR FUNCTION TIED TO HUMANOID TRACKING (see example)
CALL 68 -- DISABLE HUMANOID TRACKING
CALL 69 -- ENABLE AUTO-ZOOM WHEN HUMANOID TRACKING
CALL 70 -- DISABLE AUTO-ZOOM WHEN HUMANOID TRACKING
CALL 76 -- CRUISE #1 (CONTINUALLY LOOPS PRESETS 1-16) [16 items]
CALL 77 -- CRUISE #2 (CONTINUALLY LOOPS PRESETS 17-32) [16 items]
CALL 78 -- CRUISE #3 (CONTINUALLY LOOPS PRESETS 33-48) [16 items]
CALL 79 -- CRUISE #4 (CONTINUALLY LOOPS PRESETS 49-64) [16 items]
CALL 80 -- CRUISE #5 (CONTINUALLY LOOPS PRESETS 65-76) [12 items]
CALL 81 -- CRUISE #6 (CONTINUALLY LOOPS PRESETS 81-94) [14 items]
CALL 82 -- MOVE CAMERA TO CENTER AT 1X ZOOM (unless this preset is overwritten by the user -- you probably don't want to do that but you can)
SET 86 -- SET GUARD POSITION. AFTER A DELAY WITHOUT ANY CAMERA OPERATIONS, THE CAMERA WILL RETURN TO THIS SPOT. The delay seems to be different depending on if you've done a CALL or if you manually pointed the camera somewhere else. The delay appears to be user-adjustable, but I have yet to figure out the codes which determine that.
CALL 86 -- STARTS THE GUARD FUNCTION (BE SURE TO SET THIS PRESET BEFORE CALLING THIS FUNCTION).
CALL 87 -- TURNS OFF GUARD FUNCTION.
CALL 91 -- RECALIBRATES THE CAMERA'S POINT/TILT SENSORS (BY MOVING TO THE LIMIT AND BACK TO ITS ORIGINAL POSITION) AND THEN REFOCUSES THE CAMERA.
CALL 92 -- BEWARE! CLEARS ALL PTZ PRESETS, MOVES THE CAMERA TO ITS STARTING POSITION, AND REFOCUSES CAMERA.
SET 95 -- UNKNOWN, BUT REQUIRES YOU TO SEND A SECOND SET 95 PTZ CODE BEFORE NORMALLY ACCEPTING ANY ADDITIONAL CODES. A function for an OSD menu that was not fully implemented?
CALL 96 -- STOPS CRUISE (OR STOP SCAN) AFTER THE NEXT POINT HAS BEEN REACHED.
CALL 97 -- A-B SCAN OR HORIZONTAL SCAN. SCANS BETWEEN PRESET 62 & 63 [AUTOMATICALLY ENDS BASED ON A CONDITION YET TO BE UNDERSTOOD & VERIFIED]. IF PRESETS 62 & 63 ARE NOT SET AND POINTING TO DIFFERENT DIRECTIONS, IT WILL INSTEAD DO A HORIZONTAL SCAN. NOTE THAT ZOOM AND FOCUS NOT ADJUSTED AND WILL REMAIN FIXED AT CURRENT SETTINGS WHEN CALLED. THIS IS IDENTICAL TO CALL 99, EXCEPT ITS SCAN PATTERN IS LESS PREDICTABLE BECAUSE IT WILL AT TIMES RANDOMLY REVERSE DIRECTION BEFORE REACHING ONE OF THE ENDPOINTS.
CALL 99 -- A-B SCAN OR HORIZONTAL SCAN. SCANS BETWEEN PRESET 62 & 63 [AUTOMATICALLY ENDS BASED ON A CONDITION YET TO BE UNDERSTOOD & VERIFIED]. IF PRESETS 62 & 63 ARE NOT SET AND POINTING TO DIFFERENT DIRECTIONS, IT WILL INSTEAD DO A HORIZONTAL SCAN. NOTE THAT ZOOM AND FOCUS NOT ADJUSTED AND WILL REMAIN FIXED AT CURRENT SETTINGS WHEN CALLED.
CALL 100 -- STOP CRUISING (OR STOP SCAN). Avoid setting this position (unless you know why you'd want to do that)
CALL 131 -- AUTO-DIM THE IR LEDs BASED ON AVAILABLE LIGHT ("auto")
CALL 132 -- TURN OFF THE IR LEDs ("closed")
CALL 133 -- TURN ON THE IR LEDs ("open")
CALL 141 -- SET LIGHT SENSITIVITY TO LOW (meaning not entirely clear - provided by seller, could not verify)
CALL 142 -- SET LIGHT SENSITIVITY TO HIGH (meaning not entirely clear - provided by seller, could not verify)
CALL 143 -- SET LIGHT SENSITIVITY TO DEFAULT (meaning not entirely clear - provided by seller, could not verify)
CALL 210 -- DELETE ALL PRESET POINTS (provided by seller, could not verify)
CALL 211 -- CAMERA ROTATION SPEED: LOW (provided by seller, could not verify)
CALL 212 -- CAMERA ROTATION SPEED: MED (provided by seller, could not verify)
CALL 213 -- CAMERA ROTATION SPEED: HIGH (provided by seller, could not verify)
CALL 233 followed by CALL 200 -- REMOVES DISPLAY OF AF/MF SETTING AND CURRENT ZOOM LEVEL (LOWER-RIGHT CORNER)
CALL 233 followed by CALL 201 -- RESTORES DISPLAY OF AF/MF SETTING AND CURRENT ZOOM LEVEL (LOWER-RIGHT CORNER)
CALL 253 -- RECALIBRATES ZOOM AND FOCUS MOTORS AND THEN RESTORES CURRENT SETTINGS

I have determined that the following sequence successfully enables all humanoid tracking features:
====================================================================

1. Aim the camera (using its point/tilt/zoom features) so that it is pointing towards an area that we'll call its "Guard Position". That will be where the camera automatically returns to after it has been idle for a while and hasn't been moving (automatically or manually) for a while.
2. SET 86. CALL 86. This stores your new guard position and then activates it.
3. CALL 66. CALL 69. This turns on Humanoid AI auto-tracking and auto-zoom.
4. Point the camera somewhere else (it doesn't have to be far, just a nudge to the RIGHT should work).
5. SET 67. CALL 67. This seems to actually engage the AI Humanoid tracking with an auto-return to the Guard Position.

If you notice that the camera is constantly focus hunting while in AI Humanoid Tracking mode, I have a solution (which someone else may be able to further simplify). I set another preset to the same place as the guard position (PRESET 86). So let's say that I set that to PRESET 1. Once that has been done just once, then after running all the codes above to turn on AI Humanoid Tracking, I would add:

1. MOVE RIGHT (just move the camera a very tiny bit in any direction)
2. CALL 1 (or whatever preset you'd established for this purpose).

To fully exit all AI Humanoid Tracking features, you could do a CALL 70, CALL 68, CALL 87.

ADDITIONAL NOTES:
==============

1. The built-in settings which adjust the IR LEDs don't seem to do anything. These PTZ codes are the only method that works.
2. It is possible to set a PTZ preset to positions like 91 and 92 which provide other functions. You won't be able to CALL those positions directly, but they're still accessible via CRUISE GROUPS. I noticed (but did not fully document) that under certain circumstances, when you SET a new position to a PRESET which already had a position stored in it, the preset's existing position is automatically copied into the next preset slot.
3. The conditions which automatically stops the A-B SCAN OR HORIZONTAL SCAN (CALL 97 and CALL 99) are yet to be determined. Humanoid detected? Motion detected? I haven't had a chance to chase this down.
4. The behavior of a cruise (CALL 76 through CALL 81) can be adjusted. A CALL 96 followed by a "cmd=setmotorattr&-panscan=1&-tiltscan=1" will cause the camera to slowly move between presets but not pausing between them. A CALL 96 followed by a "cmd=setmotorattr&-panscan=50&-tiltscan=50" causes it to quickly move between presets and pausing substantially between them.
5. AI Humanoid Tracking is more what I'd call Artificial Stupidity than Artificial Intelligence, but it seems to be good enough in most cases. You'll probably need to adjust the sensitivity level based on the specifics of your situation and how annoyed you are by false detections.
6. I suspect that some of the ONVIF data it provides about itself is wrong, but I haven't had a chance to chase down what all might be causing problems.

Here are some of the many PTZ codes I tried that DO NOT SEEM TO APPLY TO THIS CAMERA:
===============================================================

CALL 97+191				PART ACT (cruise tracking)
Cruise group tracking command: transfer: 93 (turn on) setting 93 (turn off)
Set tracking time 93-N (N is tracking time, the value is 20-255m)
Turn off tracking function command: transfer 94
Call 245 to control the direction of rotation
Call 246 to control the direction of rotation
Call 247 to slow down the speed of the pan/tilt
Call 248 to adjust the speed of the pan/tilt to medium speed
Call 249 to adjust the speed of the pan/tilt
Call 95 to enter OSD menu
Call 59 to enter OSD menu
Call preset No.95+No.93 to set OSD menu language to English
Time-limited tracking on and off setting method: 156+set+N+call, N=1 means continuous tracking (default), N=2 means limited time tracking.
Limited time tracking setting method: 157+set+N+set, N=5-30 seconds represents the duration of tracking,
Fixed-point tracking mode, judge whether the tracking target is moving. If the tracking target is not moving, whether to enable tracking after the camera detects a humanoid. Setting method: 155+setting+N+setting, N=1 means that as long as the target is detected, the tracking is turned on (default); N=2 means that the tracking is not turned on if the target is not moving.

I discovered a set of odd parameters with a well-known cgi-bin command (which I will not share) that effectively bricks the camera. After sending the code (requiring admin rights), the camera remained pingable but would not answer on any TCP-IP port. It ignored it's physical reset button and would not go back to a normal configuration. In my particular case, when power cycled, it went back to what it was doing at the time the command was sent, which was a continuous horizontal scan back-and-forth between the limits in each direction. I believe that this command altered an unrelated persistent setting which happened to cause all of its network processes to fail. The good news is that everyone is extremely unlikely to trip over this cgi-bin command unless they're trying out some pretty irrational settings to see what happens.

Whats the P2P service thats paired with your Board, Im tipping Camhi Or maybe Hisee ,360eyes , Xmeye ?

I think you're referring to /mnt/mtd/ipc/conf/platform.ini? If so, here's a partially censored quote:

xqunenable                     = "0              "
xqunmode                       = "1              "
xqunuuid                       = "SSAA-123456-ABCDE"
xqunpuship                     = "47.52.128.161  "
xqunsvraddr                    = 
"SVLXABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ-$$"

I found configuration templates for all sorts of services (even one for "Amazon Echo"), but this is the only one that seems tied to the sticker and QR code on its wall-mount arm. Of course, if I've completely missed the mark here, just let me know what you're looking for. :)

What i do is to mount an nfs from a raspberry pi on the camera. On the nfs i have strace, strings, gdb, etc.

If anybody is interested in some python scripts for PTZ, ,manual IR-shutter & co just drop me a line.

PERFECT. I'm going to drop BOTH of you a line, and thank you!!

Also, if anyone is interested in this particular camera, drop me a line by sending an email to "camhi" at joshmccormick with a suffix of .com and I'll let you know where I purchased these for $130 shipped US. At least, I hope! (No commission, no affiliate code, none of that.) As of right now (April 12, 2021) they're out of stock. Hopefully that's temporary. :)

@buzzdev

This comment has been minimized.

Copy link

@buzzdev buzzdev commented Apr 13, 2021

@jmccorm - wow! What a load of good info. Many thanxs.
I am tinkering with the same camera model for a while already and i am pretty pissed of, that this firmware can only do 15fps in the best case, despite the strong hardware and there's no way to switch the resolution down from 5MP to at least 3MP to get usable framerate.
Perhaps you could please ask the supplier, how do set the resolution down or fix that?
Thanxs a lot

@sectroyer

This comment has been minimized.

Copy link

@sectroyer sectroyer commented Apr 14, 2021

Usually there is hw chip that has a list of supported formats. It doesn't matter what they are. If what you need is NOT on the list it means hw chip doesn't support it and you won't do anything to support it :)

@jmccorm

This comment has been minimized.

Copy link

@jmccorm jmccorm commented Apr 14, 2021

Usually there is hw chip that has a list of supported formats. It doesn't matter what they are. If what you need is NOT on the list it means hw chip doesn't support it and you won't do anything to support it :)

Surprisingly, they list quite a few modes for the Hi3516EV300 chip...

Real-time multi-stream H.264/H.265 encoding capability:
− 2048 x 1536@30 fps + 720 x 576@30 fps
− 2304 x 1296@30 fps + 720 x 576@30 fps
− 2688 x 1520@25 fps + 720 x 576@25 fps
− 2592 x 1944@20 fps + 720 x 576@20 fps

...but my memory is that the spec sheets for the Hi3516EV300 seems to have evolved over time? I don't know if they're tweaking the firmware or if they're releasing better hardware under the same nameplate. One thing that caught my eye is that the spec sheet lists this as having an ARM Cortex-A7 CPU @900Mhz. I've only started poking around with the camera, but I want to say that they've got it only running at 400Mhz? That could be influencing that framerate ceiling. (BTW, I'm not familiar with U-Boot or device tree settings. If someone could hand-hold me through some mild overclocking, I'd appreciate it!)

...this firmware can only do 15fps in the best case. Perhaps you could please ask the supplier, how do set the resolution down or fix that?

I'm working on a list of bugs to send their way (and if someone's really familiar with ONVIF, I'd like to be able to talk about this camera's shortcomings without looking like a fool). I'll see if I can throw this into the list, but I have to temper your expectations here. I really don't expect them to offer any relief for several reasons. For me, a security camera with a 5MP image @15fps is not unusual by any means. But, yeah, I hear you. It would be nice to be able to step down the resolution to achieve a more fluid framerate.

Changing the conversation here (I'm hoping gabonator doesn't mind these adjacent topics), I'm wondering how much success others have had with ceiling-mounting these cameras? The existing wall mount has a really odd opening size for the camera (about 34mm) and I'm not finding anything like it in other brands of ceiling mounts. The good news is that I got lucky and found the perfect parts at Home Depot to adapt the existing wall mount to a ceiling mount configuration:

2 x Everbilt 5" Galvanized Corner Brace (1 x Amazon "B07G6Z1GPC" might substitute for it)
4 x Everbilt 1/4"-20 x 1" Machine Screws (round head combo)
4 x Everbilt 1/4"-20 Coarse Hex Nuts
6 x 1/4"x1 Lag Screw (attaches adapter to outdoor soffit or indoor ceiling)

Here's a picture that helps to show how it all goes together:
Ceiling Mount

That's all I got for now. I hope to have more good info to drop as I keep working with this. 😄

@jmccorm

This comment has been minimized.

Copy link

@jmccorm jmccorm commented Apr 14, 2021

BTW, has anyone dived into /mnt/mtd/ipc/conf/imx335.bin (or similar file for other models)? It is a text file. The amount of configurable items (assuming it is actually read by the camera) seems insane! Here's a small snippet...

[x10_param]
AutoGc = 48|40|36|33|30|27|25|23|20|18;
[all_param]
UpFrameIso = 400
DownFrameIso = 1000
[cl_static_ae]
MaxHistOffset              = "24"
HistRatioSlope             = "128"
AutoSpeed                      = "64"
AutoTolerance              = "2"
AutoBlackDelayFrame    = "8"
AutoWhiteDelayFrame    = "0"
[cl_static_aerouteex]
TotalNum                 = "8"
RouteEXIntTime           = "   32,20000, 40000, 40000, 50000, 50000, 83000, 83000"
RouteEXAGain             = " 1024, 1024,  1024,  2048,  2048, 15872, 15872, 15872"
RouteEXDGain             = " 1024, 1024,  1024,  1024,  1024,  1024,  1024,  1240"
RouteEXISPDGain          = " 1024, 1024,  1024,  1024,  1024,  1024,  1024,  1024"
[cl_static_aeweight]
ExpWeight_0   = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_1   = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_2   = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_3   = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_4   = 1,1,1,1,1,2,2,2,2,2,2,2,1,1,1,1,1,
ExpWeight_5   = 1,1,1,1,1,2,2,3,3,3,2,2,1,1,1,1,1,
ExpWeight_6   = 1,1,1,1,2,2,3,3,3,3,3,2,2,1,1,1,1,
ExpWeight_7   = 1,1,1,1,2,3,3,3,3,3,3,3,2,1,1,1,1,
ExpWeight_8   = 1,1,1,1,2,2,3,3,3,3,3,2,2,1,1,1,1,
ExpWeight_9   = 1,1,1,1,1,2,2,3,3,3,2,2,1,1,1,1,1,
ExpWeight_10  = 1,1,1,1,1,2,2,2,2,2,2,2,1,1,1,1,1,
ExpWeight_11  = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_12  = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_13  = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_14  = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
[cl_static_ldci]
Enable                   = "1"
LDCIOpType               = "0"
LDCIGaussLPFSigma        = "28"
**[ SNIP! ]**
@jmccorm

This comment has been minimized.

Copy link

@jmccorm jmccorm commented Apr 16, 2021

Buzzdev wrote:

What i do is to mount an nfs from a raspberry pi on the camera. On the nfs i have strace, strings, gdb, etc.
All of them prebuilt and statically linked. Works perfectly. I just mount the nfs and execute them directly from there, because on the camera, there's just about 1MB free.

I thought I'd share my NFS experience so far to see if I'm missing anything. I couldn't get NFS v3 or v4 to work, so I exported an NFS v2 filesystem on my Linux box and mounted it on my camera with the following command (after having made an /nfs directory):
mount -T nfs -o rw,nolock,vers=2 192.168.1.7:/nfs /nfs

I'm not missing anything here? It isn't capable of a v3 or v4 NFS client, is it? And it's not capable of NFS exports, right?
Thanks all.

EDIT: Buzzdev, I couldn't find your email address. I was hoping to get some help with the tools you discussed earlier. Would you mind providing your address or sending an email to "camhi" at joshmccormick with a suffix of .com ? Thank you so very much!

@jmccorm

This comment has been minimized.

Copy link

@jmccorm jmccorm commented Apr 25, 2021

Good news for some of you who may have been looking for an indoor/outdoor ceiling mount for this camera. I happened to stumble across a ceiling mount on eBay which had an outside diameter of 41mm. I asked the seller if they could provide the inside diameter, and they reported 35mm which should be just fine. Unfortunately, it ships from China, and it lists for $27.99 on eBay (with an opportunity to make an offer). You'll find it here: https://www.ebay.com/itm/333925609768

Of course, some of these CamHi cameras are going to be different, so be sure to measure your own camera before ordering.

PS: I should really get a blog, shouldn't I?

@jmccorm

This comment has been minimized.

Copy link

@jmccorm jmccorm commented May 1, 2021

Hey Buzzdev, thanks for reaching out to me in email. So since then, I've been able to set up the camera as an NFS client, and the mount is nice and stable like I hoped for. I've also been digging into the binaries on the camera and found some neat things (some of which would have been easier to discover had I pursued getting strace a little sooner).

The most useful thing I discovered was that you can control the camera's PTZ functions through /dev/ttyAMA1. It seems to accept PELCO-D commands, so (assuming you haven't change the camera's device ID or RS484 protocol), here are a few commands that can most people should be able to cut-and-paste (one-at-a-time, please):

Call 3
printf "\xff\x01\x00\x07\x00\x03\x0b" >> /dev/ttyAMA1

Call 9:
printf "\xff\x01\x00\x07\x40\x09\x51" >> /dev/ttyAMA1

Zoom In:
printf "\xFF\x01\x00\x20\x00\x00\x21" >> /dev/ttyAMA1

Zoom Out:
printf "\xFF\x01\x00\x40\x00\x00\x41" >> /dev/ttyAMA1

Pan Left:
printf "\xFF\x01\x00\x04\x3F\x00\x44" >> /dev/ttyAMA1

Stop:
printf "\xFF\x01\x00\x00\x00\x00\x01" >> /dev/ttyAMA1

Now that I've finally gotten strace running, I'm hoping to find some more interesting things. What I really want to find is some sort of map of what PTZ preset commands are valid and what they might do. (The preset codes for my particular camera seem quite a bit different than most.) Thank you and everyone for the help here!

@hdipc

This comment has been minimized.

Copy link

@hdipc hdipc commented May 13, 2021

can anyone help me to crack this hash
root:$6$IHr2t/DYrUxzIlrJ$7f2uAwLcGZDDpm6Zb6HiEAMzDd9iYGKZlYTyAFiJ4JQ5.aZpFHEavkweMTt5HEgLvvqc.qDFbD7yRjOHPjK0B/:0:0::/root:/bin/sh

@ljakob

This comment has been minimized.

Copy link

@ljakob ljakob commented May 14, 2021

Hi, since this is moving into some kind of "forum" or knowledge thread: I've got a generic "Megapixel Camera" with /form/setPTZCfg Endpoint. Since the rtsp stream was kind of buggy (even via wired ethernet) I've reverse engineered the video-port-90-protocol. See here for a link to fetch the video via TCP port 90 and feed it into a ffmeg HLS stream:

https://gist.github.com/ljakob/e38d8cfcc9efb99c204f62105c6f4c60

It runs on a Rasp4 with little CPU (warning: use tmpfs!)

I didn't go into protocol details, it's more a 1:1 wireshark capture that works for my camera. But since most bytes are zero it should work for everybody else. The protocol uses no authentication (as expected) and just feeds back the H264 stream (or what you've configured).

Have fun

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment