@gabonator
Last active July 19, 2025 22:41
HiSilicon IP camera root passwords
Summary of passwords by sperglord8008s, updated November 1, 2020. For login try "root", "default", "defaul" or "root"
00000000
059AnkJ
4uvdzKqBkj.jg
7ujMko0admin
7ujMko0vizxv
123
1111
1234
1234qwer
2601hx
12345
54321
123456
666666
888888
1111111
/*6.=_ja
anko
anni2013
annie2012
avtech97
cat1029
ccadmin
cxlinux
default
dreambox
fxjvt1805
hdipc%No
hi3518
hichiphx
hipc3518
hkipc2016
hslwificam
ikwb
ipc71a
IPCam@sw
ivdev
juantech
jvbzd
jvtsmart123
klv123
klv1234
meinsm
OxhlwSG8
pass
password
realtek
root
hi3518
S2fGqNFs
service
smcadmin
supervisor
support
system
tech
tlJwpbo6
ubnt
user
vhd1206
vizxv
xc3511
xmhdipc
zlxx.
Zte521
@solidssss

@gabonator it's a Nedis camera (WIFICI20CGY)

@k3rn3Lp4n1cK

k3rn3Lp4n1cK commented Jan 2, 2021

Need help with cracking this salty hash. Tried hashcat and several wordlists with rules with no luck.

root:$1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1:0:0::/root:/bin/sh

This hash is in several SV3C L Series Cameras

@forGGe

forGGe commented Jan 4, 2021

Can you help with this:
root:$1$$.MO09JyxBBNd9Xv0pXIqc0:0:0::/root:/bin/sh

It's from video doorbell Vidiline F-Ip-3704.

Found the same in a doorbell FW of Slinex SL-07 IP
Can't crack yet :)

@sebastiannowicki

Can you help with this:
root:$1$$.MO09JyxBBNd9Xv0pXIqc0:0:0::/root:/bin/sh
It's from video doorbell Vidiline F-Ip-3704.

Found the same in a doorbell FW of Slinex SL-07 IP
Can't crack yet :)

My PC spent days running hashcat on my RTX2070. No luck.

@buzzdev

buzzdev commented Jan 24, 2021

Please help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

@tohax -- I haven't been able to crack it, but I did find a different way to root a camera with that same hash. Chances are fair it'll work on your camera as well.

Hi, do you have the config_packer already done and available, please?

@sectroyer

sectroyer commented Jan 28, 2021

C721IP/CIP-37210:
root:7UZzpRuiyJi7E:I81ou812

@sectroyer

sectroyer commented Jan 28, 2021

root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

root:helpme:0:0::/root:/bin/sh

Hi all..
Can anybody help me with pass for my camera?

root:Sd5ZXUyhT8kwQ:0:0::/root:/bin/sh

root::0:0::/root:/bin/sh

My IP cam HI3518 has telnet access, but I can't brute the password, can anyone help me?
root:GIgEh3ZZNHRh2:0:0::/root:/bin/sh

IPCam@sw

can anyone help me to crack this hash
$1$4dAkkeWK$HCy0K1z8E.wAuwgLV8bWd/

cloud39e

@ATuxford

ATuxford commented Jan 29, 2021

Hi All, I hope you are able to help me out. I have an INESUN INS-HD54F camera which I can't use because there is something wrong with the OS. I haven't been able to find a firmware for this but it's based on the HI3516EV300 and reports as IPD-E2A5L18-BS on the serial output. I have connected to the internal serial port of the camera to get that info but I can't find the root password anywhere to log in to the OS. All of the passwords in the list so far haven't worked unfortunately. I don't know if I can get it into single user mode through U-Boot arguments or get it to dump the firmware through it, I haven't got that far.

Has anyone got any ideas?

EDIT: So I managed to dump the flash in the camera via TFTP and I have found at least one possibility for the root password, $1$0Me7S3z5$.uQ4Pr/QjJQ/0JUZI0w4m. but I will search through the whole file system to make sure that's not just a legacy hash left over from an update and it's changed. I'm trying to crack it now, hopefully it's just 6 characters. More updates to come.

@smysnk

smysnk commented Jan 30, 2021

jvs3516cs.bin root:Z2eoH2SgzVIfA:0:0::/root:/bin/sh jvth6cs2

@hevoc123

hevoc123 commented Jan 30, 2021

Thank you. I've tried the list, but no password works.
root:$1$$8LecoU88mCXdvZAqbWZnn0:0:0::/root:/bin/sh

Your hash is missing a salt > $1 = md5crypt. It should be formatted this way

000000$1$22222222$3333333333333

0000=Account
$1=Cipher Format
$2=Salt
$3=Hash

Example "root:$1$EnVGPLqH$Jwh/FgaqrrHwHsmzHibnc1"

It is the right format. Salt is empty. I need to encrypt this hash for my Beward DK103 too. Hash is similar for it.
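The field layout argued over in this comment, as an added example (not code from the thread): a Python classifier for passwd/shadow entries pulled from firmware that recognises md5crypt (including the empty-salt form), traditional DES crypt and an empty password field, and reports a hash that turns up in more than one image. The device labels and lines are copied from posts on this page; the function names are assumptions of the example.

```python
import re
from collections import defaultdict

C = "[./0-9A-Za-z]"  # crypt(3) base-64 alphabet
# $1$<salt, 0 to 8 chars>$<22-char digest>
MD5CRYPT = re.compile(r"^\$1\$(" + C + r"{0,8})\$(" + C + r"{22})$")
# 2-char salt followed by 11-char digest, 13 characters in total
DESCRYPT = re.compile(r"^(" + C + r"{2})(" + C + r"{11})$")


def classify(line):
    """Classify the password field of one passwd/shadow line."""
    fields = line.strip().split(":")
    if len(fields) < 2 or not fields[0]:
        raise ValueError("not a passwd/shadow line: %r" % line)
    user, field = fields[0], fields[1]
    result = {"user": user, "field": field, "salt": None}
    m = MD5CRYPT.match(field)
    if field == "":
        result.update(scheme="empty", note="login needs no password")
    elif field in ("x", "*", "!"):
        result.update(scheme="placeholder", note="hash stored elsewhere or login locked")
    elif m:
        salt = m.group(1)
        note = ("empty salt: equal passwords give equal hashes"
                if salt == "" else "salted MD5-based crypt")
        result.update(scheme="md5crypt", salt=salt, note=note)
    elif DESCRYPT.match(field):
        result.update(scheme="descrypt", salt=field[:2],
                      note="only the first 8 password characters count")
    else:
        result.update(scheme="unknown", note="unrecognised field format")
    return result


def findings(images):
    """One (label, user, scheme, note) tuple per account in every image."""
    rows = []
    for label, lines in images.items():
        for line in lines:
            r = classify(line)
            rows.append((label, r["user"], r["scheme"], r["note"]))
    return rows


def shared_hashes(images):
    """Hash fields present in two or more images, i.e. a shared built-in credential."""
    seen = defaultdict(set)
    for label, lines in images.items():
        for line in lines:
            r = classify(line)
            if r["scheme"] not in ("empty", "placeholder"):
                seen[r["field"]].add(label)
    return {h: sorted(labels) for h, labels in seen.items() if len(labels) > 1}


# Lines and device names as posted on this page; the grouping is constructed.
SAMPLE = {
    "Vidiline F-Ip-3704": ["root:$1$$.MO09JyxBBNd9Xv0pXIqc0:0:0::/root:/bin/sh"],
    "Slinex SL-07 IP": ["root:$1$$.MO09JyxBBNd9Xv0pXIqc0:0:0::/root:/bin/sh"],
    "C6F0SoZ3N0PcL2": ["root:$1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1:17500:0:99999:7:::"],
    "Topcony 1080P (hi3518ev200)": ["root:04h6XLo9zAfEM:0:0::/root:/bin/sh"],
    "unnamed post": ["root::0:0::/root:/bin/sh"],
}

if __name__ == "__main__":
    for row in findings(SAMPLE):
        print("%-28s %-5s %-9s %s" % row)
    for h, labels in shared_hashes(SAMPLE).items():
        print("shared across images:", h, "->", ", ".join(labels))
```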

@higuita

higuita commented Feb 11, 2021

From a H264/h265 HDMI to network encoder

root:$1$SkeH7JZY$7qZCxNB.GP9n7v63.2bSx.:0:0:root:/home:/bin/sh
password: wabjtam (https://www.onlinehashcrack.com/jrfo2k6y0p)

For all those trying to crack a password hash, you can use this free service for passwords up to 8 characters (most of the above passwords). Above that you will have to pay

https://www.onlinehashcrack.com/

Or simply use john the ripper (https://www.openwall.com/john/)

@DropNot

DropNot commented Feb 11, 2021

Please can somebody crack:

root:04h6XLo9zAfEM:0:0::/root:/bin/sh

..for me? It's a Topcony 1080P Wireless IP Camera with a hi3518ev200 SoC

@higuita

higuita commented Feb 11, 2021

@DropNot As I said: https://www.onlinehashcrack.com/pv98ob7csh

It is just a matter of using the "hash identification" in the password top menu to see what format it has and then submitting a task with the hash. It takes a few hours and that is it.

@DarkNekoRockman

Hello, can somebody please crack:

root:$1$JYFTech$dt2mZnCIdoFSWAog1s.T41:10933:0:99999:7:::

@DropNot

DropNot commented Feb 16, 2021

It takes a few hours and that is it.

Works well for many cases but not all. Five days on your queued task is about to return "Not Found", as did mine. Thanks for trying, at least.

Other suggestions/help welcome.

root:04h6XLo9zAfEM:0:0::/root:/bin/sh

@higuita

higuita commented Feb 18, 2021

Works well for many cases but not all. Five days on your queued task is about to return "Not Found", as did mine. Thanks for trying, at least.
Other suggestions/help welcome.

well, if it failed, that translates that it is 8 characters long or higher and may need bruteforce... you can pay for it if you think it is worth the money: https://www.onlinehashcrack.com/about-pricing.php (but add your own account/email, now everyone is using my email by reusing exactly my own address instead of creating their own 🤦‍♂️ )

You can also try installing "john the ripper" and try it yourself for "free" (you pay your electric bills) on your computer. As it is an easy algorithm, you probably can crack it yourself directly in a few days

@DropNot

DropNot commented Feb 18, 2021

now everyone is using my email by reusing exactly my own address instead of creating their own

Maybe remove the link you posted earlier, gifting everyone the chance to use onlinehashcrack without having to provide an email address?

Having ruled out onlinehashcrack (it failed) and jtr (laptop too slow/hot) I posted here in the hope that someone with a beefier setup might help. Still hoping :-)

My main aim was to add to this list a p/w for this specific camera. Booting into single user mode might suffice for my purposes so no, I'm not especially tempted to pay onlinehashcrack to have another go.

@sectroyer

sectroyer commented Feb 21, 2021

well, if it failed, that translates that it is 8 characters long or higher

No it isn't

Having ruled out onlinehashcrack (it failed) and jtr (laptop too slow/hot) I posted here in the hope that someone with a beefier setup might help. Still hoping :-)

No "beefy setup" required...

help-me to decode:
root:hbJdVywKWttVM:12430:0:99999:7:::

e177ab8e

Other suggestions/help welcome.

root:04h6XLo9zAfEM:0:0::/root:/bin/sh

sl.x.

@DropNot

DropNot commented Feb 22, 2021

well, if it failed, that translates that it is 8 characters long or higher

No it isn't

Thanks, that's good to know.

No "beefy setup" required...

Other suggestions/help welcome.
root:04h6XLo9zAfEM:0:0::/root:/bin/sh

sl.x.

Thanks again. Another one for Gabonator's list.

Much to learn about jtr. With default options it failed to crack this hash over the course of several days. Armed with your solution I added --length=5 and it spat out an answer in seconds. Maybe I'm misunderstanding their use of the word "incremental".

Also curious as to how onlinehashcrack took five days to not crack this.

For anyone else looking at this Topcony camera, you can get a root shell via the (unmarked) serial port without the password, by interrupting U Boot (be quick) and typing:

setenv bootargs ${bootargs} single init=/bin/sh
sf probe 0;sf read 0x82000000 0x50000 0x170000;bootm 0x82000000

It's a barebones system at that point but you can mount the other filing systems, startup networking, camera and cloud tools quite easily

/etc/init.d/rcS

I'm trying to load a modified rootfs over nfs but what works elsewhere fails here.

@sectroyer

Need root pass for my old camera

root:$1$asdjwjam$DOS2FrIr2xujxIGDVSjd21:13792:0:::::

23we98oi

root:7PJZu5rjtntsk:0:0::/root:/bin/sh
root:8QYQ7w7.s1xXM:0:0::/root:/bin/sh

root:7PJZu5rjtntsk:HI71323x
root:8QYQ7w7.s1xXM:HI0605v1
root:aVG8.5PMEOfnQ:WYom2020

Can somebody help me with this hash pls?
root:fRW5anhWEAGwY:0:0::/root:/bin/sh

root:fRW5anhWEAGwY:1.oN%cpi

but this hash seems to be more complicated than a simple DES encrypt:
Hash:
root:Uu1Kq8MmXhxqA:0:0::/root:/bin/sh
This is for Hi3518 fish eye camera. (VR CAM) All the default wordlists for ip Cams have not worked either.

root:Uu1Kq8MmXhxqA:j1/_6s*w

@jmccorm

jmccorm commented Apr 10, 2021

I've got another camera with an unknown password. It is an awesome 5MP with 30x optical zoom PTZ camera, infrared LEDs, AI humanoid detection, SD card, built-in microphone and speaker, just about everything enabled. The only feature it doesn't seem to have are white lights, alarm input/output wires, and POE. Model is "C6F0SoZ3N0PcL2" running on an Hi3516EV300 with a Sony IMX335 sensor.

/etc/shadow entry as follows:
root:$1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1:17500:0:99999:7:::

I see this encrypted password also mentioned on pages for two completely different cameras. I suspect we've got OEMs who are making only the most minimal updates to the original HiSilicon firmware:
C6F0SgZ3N0P9L2 https://55476f744974.wordpress.com/
CTIPC-275C1080P https://www.wolfteck.com/2019/03/07/getting_into_the_ctipc-275c1080p/

I got into the camera via a path suggested elsewhere which had me change my WiFi SSID to:
SSID"|/usr/sbin/telnetd -l /bin/sh -p 24"

But I didn't try it directly through the web interface. Instead, I made my own unpacker and repacker of the camera's config.bin files (provided below). I'm not a regular GitHub user, so forgive me as I paste some sloppy code here. Requires "coreutils" package (probably already installed) to do the md5sum computation, and then your standard dd, gzip, and tar commands. I hope this will be of use to some:

BASH SHELL SCRIPT (Linux):
tomnt - Reads .bin and extracts the contents into a subdirectory called mnt (off the current directory)

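#!/bin/bash
# tomnt: unpack a camera config .bin into ./mnt

if [ "$1" == "" ]
then
    echo "usage: $0 [filename] (.bin will automatically be appended to filename)"
    exit 1
fi

# Keep any earlier extraction instead of overwriting it
if [ -d mnt ]
then
    echo "mnt directory: renaming to mnt.$$"
    mv mnt "mnt.$$"
fi

filename="${1}.bin"
# The first 512 bytes are the header; the rest is a gzip-compressed tar
dd if="$filename" bs=512 skip=1 2>/dev/null > "$filename.tar.gz"
# Rebuild the checksum input: payload followed by the 5 bytes at header offset 28
cp "$filename.tar.gz" "$filename.tar.gz.salted"
dd if="$filename" bs=1 skip=28 count=5 2>/dev/null >> "$filename.tar.gz.salted"

gunzip -k "$filename.tar.gz"
tar fvxp "$filename.tar"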

BASH SHELL SCRIPT (Linux):
tobin - Takes the contents of a subdirectory called mnt and packs it into a .bin configuration file that's compatible with CamHi3510 type cameras.

#!/bin/bash
# tobin: pack ./mnt into a camera config .bin
if [ ! -d mnt ]
then
    echo "mnt subdirectory (with camera config) is missing"
    exit 2
fi

if [ "$1" == "" ]
then
    echo "usage: $0 [filename] (.bin will automatically be appended to filename)"
    exit 1
fi

filename="${1}.bin"
tar cpf "$filename.tar" mnt
cat "$filename.tar" | gzip -9 - > "$filename.tar.gz"

# Checksum input is the gzip payload followed by the string "IPCAM"
cp "$filename.tar.gz" "$filename.tar.gz.salted"
echo -n "IPCAM" >> "$filename.tar.gz.salted"
checksum=$(md5sum "$filename.tar.gz.salted" | cut -d" " -f1)

# 512-byte header: 6-byte magic, 18 zero bytes, payload length as 32-bit
# little-endian, "IPCAM", 195 zero bytes, MD5 as 32 hex characters, 252 zero bytes
echo -ne "PIHC\x01\x10" > "$filename"
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x00" >> "$filename"
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x00" >> "$filename"
x=$(wc -c "$filename.tar.gz" | cut -d" " -f1)
# Inner printf emits \NNN octal escapes, outer printf turns them into raw bytes
printf "$(printf '\\%03o' $((x&255)) $((x>>8&255)) $((x>>16&255)) $((x>>24&255)))" >> "$filename"
echo -ne "IPCAM" >> "$filename"
for i in $(seq 1 195)
do
    echo -ne "\x00" >> "$filename"
done

echo -ne "${checksum}" >> "$filename"
for i in $(seq 1 252)
do
    echo -ne "\x00" >> "$filename"
done

# Payload follows the header
cat "$filename.tar.gz" >> "$filename"

The basic idea is that you save the camera's .bin configuration file as something like "mysettings.bin", and then you extract it like "tomnt mysettings". From there, you go into mnt/mtd/ipc/conf and make all the changes that you want. Then you go back into your original directory, run something like "tobin mynewsettings" which creates "mynewsettings.bin" which you can then upload back to your camera.

I hope someone finds this helpful! This and other communities have really been a great help to me on this camera. My current challenge is seeing how I can figure out what PTZ calls / set codes and sequences result in what special commands for this camera. It seems that this camera (along with many others) have their own unique codes that you're pretty much on your own to figure out!

Thanks all.

EDIT: You may need to change "PIHC\x01\x10" in the tobin script to match whatever salt your camera in particular is using. At least for my configuration, those scripts will decode and re-encode a perfectly formatted configuration file. And if you've got a custom .g711 sound file for your alarm, it'll be saved and restored along with everything else.
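The header layout that the tomnt and tobin scripts imply, as an added Python example (not jmccorm's code): it parses the 512-byte header, recomputes the MD5 over payload plus the 5 bytes at offset 28, which tomnt prepares but never checks, and lists archive members without extracting them. The offsets are derived from the scripts above; the function names and the sample file content are constructed for the example.

```python
import gzip
import hashlib
import io
import struct
import tarfile

HEADER_SIZE = 512   # tomnt skips one 512-byte block
LEN_OFFSET = 24     # 6-byte magic + 18 zero bytes, then 32-bit LE payload length
SALT_OFFSET = 28    # 5 bytes appended to the payload before hashing
SALT_SIZE = 5
MD5_OFFSET = 228    # 28 + 5 + 195 zero bytes
MD5_SIZE = 32       # digest stored as ASCII hex


def parse_config_bin(blob):
    """Split a config .bin into header fields and check length and digest."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("file shorter than the 512-byte header")
    header, payload = blob[:HEADER_SIZE], blob[HEADER_SIZE:]
    (declared_len,) = struct.unpack_from("<I", header, LEN_OFFSET)
    salt = header[SALT_OFFSET:SALT_OFFSET + SALT_SIZE]
    stored = header[MD5_OFFSET:MD5_OFFSET + MD5_SIZE].decode("ascii", "replace")
    computed = hashlib.md5(payload + salt).hexdigest()
    return {
        "magic": header[:6],
        "salt": salt,
        "declared_len": declared_len,
        "actual_len": len(payload),
        "length_ok": declared_len == len(payload),
        "stored_md5": stored,
        "computed_md5": computed,
        "md5_ok": stored == computed,
    }


def list_members(blob):
    """Member names of the gzip'd tar payload, read without extracting."""
    payload = blob[HEADER_SIZE:]
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:gz") as tar:
        return tar.getnames()


def unsafe_members(blob):
    """Names that would land outside the working directory if untarred as-is."""
    return [n for n in list_members(blob)
            if n.startswith("/") or ".." in n.split("/")]


def build_sample():
    """Constructed config .bin following tobin's layout (not a real camera file)."""
    data = b'example_key = "example value"\n'           # constructed content
    info = tarfile.TarInfo("mnt/mtd/ipc/conf/example.ini")  # constructed file name
    info.size = len(data)
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        tar.addfile(info, io.BytesIO(data))
    payload = gzip.compress(tar_buf.getvalue())
    salt = b"IPCAM"
    digest = hashlib.md5(payload + salt).hexdigest().encode("ascii")
    header = (b"PIHC\x01\x10" + b"\x00" * 18 + struct.pack("<I", len(payload))
              + salt + b"\x00" * 195 + digest + b"\x00" * 252)
    return header + payload


if __name__ == "__main__":
    sample = build_sample()
    for key, value in parse_config_bin(sample).items():
        print("%-13s %r" % (key, value))
    print("members:", list_members(sample))
    print("unsafe :", unsafe_members(sample))
```

The digest is an unkeyed MD5 over the payload and a string stored in the same header, so `md5_ok` shows the file is intact, not that it is authentic.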

@sectroyer

/etc/shadow entry as follows:
root:$1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1:17500:0:99999:7:::

This camera was already discussed here:

Please help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1

I have a camera with the same password. After receiving the memory dump, I was able to find the password for u-boot. It is: HI2105CHIP

@jmccorm

jmccorm commented Apr 12, 2021

Sectroyer,

I saw that and I was quite impressed by that find, actually. It's a bit of a puzzle for me because I tried the password and it didn't work. I double checked my work and gave it a few more tries, but I wasn't able to log in as root. I tried it on a second purchase I had made and it didn't work there either. Mind you, I've got no theory why that password isn't working for me. I ended up copying my own encrypted string into /etc/shadow and went from there. If you've got some additional suggestions, I'm good to restore /etc/shadow and give it a go.

BTW... know if anywhere people are discussing software mods to these cameras? I'm hoping to supplement its AI humanoid tracking with just a little more filtering to make it more useful. (I'd like to exclude an area from detection when the camera is sitting all zoomed-out on its guard preset. Maybe add in some more aggressiveness while panning to keep up with an object that continues to move more and more out-of-frame. You get the idea.) But I'm missing my favorite troubleshooting/reverse-engineering tool in my toolbox right now, and that'd be strace.

@sectroyer

Mind you, I've got no theory why that password isn't working for me.

This password is for u-boot, exactly as I quoted :)

@sperglord8008s

sperglord8008s commented Apr 12, 2021

Great info, I'm pretty sure the password for your camera root is root:hkipc2016. Also the preset you need to call for the PTZ OSD is most likely 95 or 123 or 84 or 88. If it's not any of those the OSD is disabled and you will most likely only have IR Switch command somewhere, WhiteLight Switch and maybe Auto Night enable/disable along with the usual PTZ Check and Reset. I have a list of the most common PTZ commands somewhere in my HDD if you want a copy, I'll dig it up later. Kudos

@sectroyer

Great info, I'm pretty sure the password for your camera root is root:hkipc2016

John doesn't agree :)

@sperglord8008s

sperglord8008s commented Apr 12, 2021

What's the P2P service that's paired with your board? I'm tipping Camhi or maybe Hisee, 360eyes, Xmeye?

@buzzdev

buzzdev commented Apr 12, 2021

But I'm missing my favorite troubleshooting/reverse-engineering tool in my toolbox right now, and that'd be strace.

What I do is to mount an nfs from a raspberry pi on the camera. On the nfs I have strace, strings, gdb, etc.
All of them prebuilt and statically linked. Works perfectly. I just mount the nfs and execute them directly from there, because on the camera, there's just about 1MB free.

@ljakob

ljakob commented Apr 12, 2021

Hi,
I've got the same PoE-PTZ-camera as @chunkster29

with /etc/shadow probably containing
root:$1$lPbKHYLS$r6JMTEm949/hCMv85Fsx9/:0:0:99999:7:::

I've invested some time analyzing the firmware, found some firmware images, UART/U-boot access, enabled telnet. But wasn't able to crack the root password. If anybody is interested in some python scripts for PTZ, manual IR-shutter & co just drop me a line.

Leif

@jmccorm

jmccorm commented Apr 13, 2021

I've got replies for several people, and thank you to everyone! I'll have more to share later.

Great info, I'm pretty sure the password for your camera root is root:hkipc2016. Also the preset you need to call for the PTZ OSD is most likely 95 or 123 or 84 or 88. If it's not any of those the OSD is disabled and you will most likely only have IR Switch command somewhere, WhiteLight Switch and maybe Auto Night enable/disable along with the usual PTZ Check and Reset. I have a list of the most common PTZ commands somewhere in my HDD if you want a copy, I'll dig it up later. Kudos

It seems that my particular camera (30x PTZ model C6F0SoZ3N0PcL2 on Hi3516EV300 with 5MP Sony IMX335 sensor) is using PTZ codes that are similar but still quite different from many other Camhi models. Hey, I've got some good news. As it turns out, I asked the seller some of these questions and this time they CC'd me and the manufacturer together and I got some better answers. Some may find this worthwhile, so I'll share:

5MP 30x PTZ w/Humanoid AI tracking --
Manufacturer: Shenzhen Bosesh Technology Co.,Ltd. They are by no means proud of its tracking features. Their most recent email read, "I was surprised about tracking because this version was released in November last year. The camera you bought may come with a test version of the tracking program. I can share some commands with you, but I don’t think they will work very well." When asked about some of the possibilities available with root access (which I did not expect any substantial reply to) they only had to say "I can’t give you more support about root, which is usually open to very, very close partner companies." (which is a fair enough answer).

I already had what PTZ codes they provided, except for the one which re-enables the AF/Zoom display in the lower-right corner. That was new! Of course, they caution me against finding my own PTZ codes "because there are 3 different camera supply components that use these commands. Even we don't know all the commands and functions, which is very dangerous." Good advice, no doubt.

Here are the codes that I've found for this particular model:
===========================================

CALL 66 -- ENABLE HUMANOID TRACKING
CALL 67 -- UNCLEAR FUNCTION TIED TO HUMANOID TRACKING (see example)
CALL 68 -- DISABLE HUMANOID TRACKING
CALL 69 -- ENABLE AUTO-ZOOM WHEN HUMANOID TRACKING
CALL 70 -- DISABLE AUTO-ZOOM WHEN HUMANOID TRACKING
CALL 76 -- CRUISE #1 (CONTINUALLY LOOPS PRESETS 1-16) [16 items]
CALL 77 -- CRUISE #2 (CONTINUALLY LOOPS PRESETS 17-32) [16 items]
CALL 78 -- CRUISE #3 (CONTINUALLY LOOPS PRESETS 33-48) [16 items]
CALL 79 -- CRUISE #4 (CONTINUALLY LOOPS PRESETS 49-64) [16 items]
CALL 80 -- CRUISE #5 (CONTINUALLY LOOPS PRESETS 65-76) [12 items]
CALL 81 -- CRUISE #6 (CONTINUALLY LOOPS PRESETS 81-94) [14 items]
CALL 82 -- MOVE CAMERA TO CENTER AT 1X ZOOM (unless this preset is overwritten by the user -- you probably don't want to do that but you can)
SET 86 -- SET GUARD POSITION. AFTER A DELAY WITHOUT ANY CAMERA OPERATIONS, THE CAMERA WILL RETURN TO THIS SPOT. The delay seems to be different depending on if you've done a CALL or if you manually pointed the camera somewhere else. The delay appears to be user-adjustable, but I have yet to figure out the codes which determine that.
CALL 86 -- STARTS THE GUARD FUNCTION (BE SURE TO SET THIS PRESET BEFORE CALLING THIS FUNCTION).
CALL 87 -- TURNS OFF GUARD FUNCTION.
CALL 91 -- RECALIBRATES THE CAMERA'S POINT/TILT SENSORS (BY MOVING TO THE LIMIT AND BACK TO ITS ORIGINAL POSITION) AND THEN REFOCUSES THE CAMERA.
CALL 92 -- BEWARE! CLEARS ALL PTZ PRESETS, MOVES THE CAMERA TO ITS STARTING POSITION, AND REFOCUSES CAMERA.
SET 95 -- UNKNOWN, BUT REQUIRES YOU TO SEND A SECOND SET 95 PTZ CODE BEFORE NORMALLY ACCEPTING ANY ADDITIONAL CODES. A function for an OSD menu that was not fully implemented?
CALL 96 -- STOPS CRUISE (OR STOP SCAN) AFTER THE NEXT POINT HAS BEEN REACHED.
CALL 97 -- A-B SCAN OR HORIZONTAL SCAN. SCANS BETWEEN PRESET 62 & 63 [AUTOMATICALLY ENDS BASED ON A CONDITION YET TO BE UNDERSTOOD & VERIFIED]. IF PRESETS 62 & 63 ARE NOT SET AND POINTING TO DIFFERENT DIRECTIONS, IT WILL INSTEAD DO A HORIZONTAL SCAN. NOTE THAT ZOOM AND FOCUS NOT ADJUSTED AND WILL REMAIN FIXED AT CURRENT SETTINGS WHEN CALLED. THIS IS IDENTICAL TO CALL 99, EXCEPT ITS SCAN PATTERN IS LESS PREDICTABLE BECAUSE IT WILL AT TIMES RANDOMLY REVERSE DIRECTION BEFORE REACHING ONE OF THE ENDPOINTS.
CALL 99 -- A-B SCAN OR HORIZONTAL SCAN. SCANS BETWEEN PRESET 62 & 63 [AUTOMATICALLY ENDS BASED ON A CONDITION YET TO BE UNDERSTOOD & VERIFIED]. IF PRESETS 62 & 63 ARE NOT SET AND POINTING TO DIFFERENT DIRECTIONS, IT WILL INSTEAD DO A HORIZONTAL SCAN. NOTE THAT ZOOM AND FOCUS NOT ADJUSTED AND WILL REMAIN FIXED AT CURRENT SETTINGS WHEN CALLED.
CALL 100 -- STOP CRUISING (OR STOP SCAN). Avoid setting this position (unless you know why you'd want to do that)
CALL 131 -- AUTO-DIM THE IR LEDs BASED ON AVAILABLE LIGHT ("auto")
CALL 132 -- TURN OFF THE IR LEDs ("closed")
CALL 133 -- TURN ON THE IR LEDs ("open")
CALL 141 -- SET LIGHT SENSITIVITY TO LOW (meaning not entirely clear - provided by seller, could not verify)
CALL 142 -- SET LIGHT SENSITIVITY TO HIGH (meaning not entirely clear - provided by seller, could not verify)
CALL 143 -- SET LIGHT SENSITIVITY TO DEFAULT (meaning not entirely clear - provided by seller, could not verify)
CALL 210 -- DELETE ALL PRESET POINTS (provided by seller, could not verify)
CALL 211 -- CAMERA ROTATION SPEED: LOW (provided by seller, could not verify)
CALL 212 -- CAMERA ROTATION SPEED: MED (provided by seller, could not verify)
CALL 213 -- CAMERA ROTATION SPEED: HIGH (provided by seller, could not verify)
CALL 233 followed by CALL 200 -- REMOVES DISPLAY OF AF/MF SETTING AND CURRENT ZOOM LEVEL (LOWER-RIGHT CORNER)
CALL 233 followed by CALL 201 -- RESTORES DISPLAY OF AF/MF SETTING AND CURRENT ZOOM LEVEL (LOWER-RIGHT CORNER)
CALL 253 -- RECALIBRATES ZOOM AND FOCUS MOTORS AND THEN RESTORES CURRENT SETTINGS

I have determined that the following sequence successfully enables all humanoid tracking features:
====================================================================

1. Aim the camera (using its point/tilt/zoom features) so that it is pointing towards an area that we'll call its "Guard Position". That will be where the camera automatically returns to after it has been idle for a while and hasn't been moving (automatically or manually) for a while.
2. SET 86. CALL 86. This stores your new guard position and then activates it.
3. CALL 66. CALL 69. This turns on Humanoid AI auto-tracking and auto-zoom.
4. Point the camera somewhere else (it doesn't have to be far, just a nudge to the RIGHT should work).
5. SET 67. CALL 67. This seems to actually engage the AI Humanoid tracking with an auto-return to the Guard Position.

If you notice that the camera is constantly focus hunting while in AI Humanoid Tracking mode, I have a solution (which someone else may be able to further simplify). I set another preset to the same place as the guard position (PRESET 86). So let's say that I set that to PRESET 1. Once that has been done just once, then after running all the codes above to turn on AI Humanoid Tracking, I would add:

1. MOVE RIGHT (just move the camera a very tiny bit in any direction)
2. CALL 1 (or whatever preset you'd established for this purpose).

To fully exit all AI Humanoid Tracking features, you could do a CALL 70, CALL 68, CALL 87.

ADDITIONAL NOTES:
==============

1. The built-in settings which adjust the IR LEDs don't seem to do anything. These PTZ codes are the only method that works.
2. It is possible to set a PTZ preset to positions like 91 and 92 which provide other functions. You won't be able to CALL those positions directly, but they're still accessible via CRUISE GROUPS. I noticed (but did not fully document) that under certain circumstances, when you SET a new position to a PRESET which already had a position stored in it, the preset's existing position is automatically copied into the next preset slot.
3. The conditions which automatically stop the A-B SCAN OR HORIZONTAL SCAN (CALL 97 and CALL 99) are yet to be determined. Humanoid detected? Motion detected? I haven't had a chance to chase this down.
4. The behavior of a cruise (CALL 76 through CALL 81) can be adjusted. A CALL 96 followed by a "cmd=setmotorattr&-panscan=1&-tiltscan=1" will cause the camera to slowly move between presets but not pausing between them. A CALL 96 followed by a "cmd=setmotorattr&-panscan=50&-tiltscan=50" causes it to quickly move between presets and pausing substantially between them.
5. AI Humanoid Tracking is more what I'd call Artificial Stupidity than Artificial Intelligence, but it seems to be good enough in most cases. You'll probably need to adjust the sensitivity level based on the specifics of your situation and how annoyed you are by false detections.
6. I suspect that some of the ONVIF data it provides about itself is wrong, but I haven't had a chance to chase down what all might be causing problems.

Here are some of the many PTZ codes I tried that DO NOT SEEM TO APPLY TO THIS CAMERA:
===============================================================

CALL 97+191				PART ACT (cruise tracking)
Cruise group tracking command: transfer: 93 (turn on) setting 93 (turn off)
Set tracking time 93-N (N is tracking time, the value is 20-255m)
Turn off tracking function command: transfer 94
Call 245 to control the direction of rotation
Call 246 to control the direction of rotation
Call 247 to slow down the speed of the pan/tilt
Call 248 to adjust the speed of the pan/tilt to medium speed
Call 249 to adjust the speed of the pan/tilt
Call 95 to enter OSD menu
Call 59 to enter OSD menu
Call preset No.95+No.93 to set OSD menu language to English
Time-limited tracking on and off setting method: 156+set+N+call, N=1 means continuous tracking (default), N=2 means limited time tracking.
Limited time tracking setting method: 157+set+N+set, N=5-30 seconds represents the duration of tracking,
Fixed-point tracking mode, judge whether the tracking target is moving. If the tracking target is not moving, whether to enable tracking after the camera detects a humanoid. Setting method: 155+setting+N+setting, N=1 means that as long as the target is detected, the tracking is turned on (default); N=2 means that the tracking is not turned on if the target is not moving.

I discovered a set of odd parameters with a well-known cgi-bin command (which I will not share) that effectively bricks the camera. After sending the code (requiring admin rights), the camera remained pingable but would not answer on any TCP-IP port. It ignored its physical reset button and would not go back to a normal configuration. In my particular case, when power cycled, it went back to what it was doing at the time the command was sent, which was a continuous horizontal scan back-and-forth between the limits in each direction. I believe that this command altered an unrelated persistent setting which happened to cause all of its network processes to fail. The good news is that everyone is extremely unlikely to trip over this cgi-bin command unless they're trying out some pretty irrational settings to see what happens.

What's the P2P service that's paired with your board? I'm tipping Camhi or maybe Hisee, 360eyes, Xmeye?

I think you're referring to /mnt/mtd/ipc/conf/platform.ini? If so, here's a partially censored quote:

xqunenable                     = "0              "
xqunmode                       = "1              "
xqunuuid                       = "SSAA-123456-ABCDE"
xqunpuship                     = "47.52.128.161  "
xqunsvraddr                    = "SVLXABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ-$$"

I found configuration templates for all sorts of services (even one for "Amazon Echo"), but this is the only one that seems tied to the sticker and QR code on its wall-mount arm. Of course, if I've completely missed the mark here, just let me know what you're looking for. :)

What I do is to mount an nfs from a raspberry pi on the camera. On the nfs I have strace, strings, gdb, etc.

If anybody is interested in some python scripts for PTZ, manual IR-shutter & co just drop me a line.

PERFECT. I'm going to drop BOTH of you a line, and thank you!!

Also, if anyone is interested in this particular camera, drop me a line by sending an email to "camhi" at joshmccormick with a suffix of .com and I'll let you know where I purchased these for $130 shipped US. At least, I hope! (No commission, no affiliate code, none of that.) As of right now (April 12, 2021) they're out of stock. Hopefully that's temporary. :)
