-
Star
(156)
You must be signed in to star a gist -
Fork
(33)
You must be signed in to fork a gist
-
-
Save gabonator/74cdd6ab4f733ff047356198c781f27d to your computer and use it in GitHub Desktop.
| Summary of passwords by sperglord8008s, updated November 1. 2020. For login try "root", "default", "defaul" or "root" | |
| 00000000 | |
| 059AnkJ | |
| 4uvdzKqBkj.jg | |
| 7ujMko0admin | |
| 7ujMko0vizxv | |
| 123 | |
| 1111 | |
| 1234 | |
| 1234qwer | |
| 2601hx | |
| 12345 | |
| 54321 | |
| 123456 | |
| 666666 | |
| 888888 | |
| 1111111 | |
| /*6.=_ja | |
| anko | |
| anni2013 | |
| annie2012 | |
| avtech97 | |
| cat1029 | |
| ccadmin | |
| cxlinux | |
| default | |
| dreambox | |
| fxjvt1805 | |
| hdipc%No | |
| hi3518 | |
| hichiphx | |
| hipc3518 | |
| hkipc2016 | |
| hslwificam | |
| ikwb | |
| ipc71a | |
| IPCam@sw | |
| ivdev | |
| juantech | |
| jvbzd | |
| jvtsmart123 | |
| klv123 | |
| klv1234 | |
| meinsm | |
| OxhlwSG8 | |
| pass | |
| password | |
| realtek | |
| root | |
| hi3518 | |
| S2fGqNFs | |
| service | |
| smcadmin | |
| supervisor | |
| support | |
| system | |
| tech | |
| tlJwpbo6 | |
| ubnt | |
| user | |
| vhd1206 | |
| vizxv | |
| xc3511 | |
| xmhdipc | |
| zlxx. | |
| Zte521 |
/etc/shadow entry as follows:
root:$1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1:17500:0:99999:7:::
This camera was already discussed here:
Please. help me with hash $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1
I have a camera with the same password. After receiving the memory dump, I was able to find the password for u-boot. It is: HI2105CHIP
Sectroyer,
I saw that and I was quite impressed by that find, actually. It's a bit of a puzzle for me because I tried the password and it didn't work. I double checked my work and gave it a few more tries, but I wasn't able to log in as root. I tried it on a second purchase I had made and it didn't work there either. Mind you, I've got no theory why that password isn't working for me. I ended up copying my own encrypted string into /etc/shadow and went from there. If you've got some additional suggestions, I'm good to restore /etc/shadow and give it a go.
BTW... know if anywhere people are discussing software mods to these cameras? I'm hoping to supplement its AI humanoid tracking with just a little more filtering to make it more useful. (I'd like to exclude an area from detection when the camera is sitting all zoomed-out on its guard preset. Maybe add in some more aggressiveness while panning to keep up with an object that continues to move more and more out-of-frame. You get the idea.) But I'm missing my favorite troubleshooting/reverse-engineering tool in my toolbox right now, and that'd be strace.
Mind you, I've got no theory why that password isn't working for me.
This password is for u-boot, exactly as I quoted :)
I've got another camera with an unknown password. It is an awesome 5MP with 30x optical zoom PTZ camera, infrared LEDs, AI humanoid detection, SD card, built-in microphone and speaker, just about everything enabled. The only feature it doesn't seem to have are white lights, alarm input/output wires, and POE. Model is "C6F0SoZ3N0PcL2" running on an Hi3516EV300 with a Sony IMX335 sensor.
/etc/shadow entry as follows:
root:$1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1:17500:0:99999:7:::I see this encrypted password also mentioned on pages for two completely different cameras. I suspect we've got OEMs who are making only the most minimal updates to the original HiSilicon firmware:
C6F0SgZ3N0P9L2 https://55476f744974.wordpress.com/
CTIPC-275C1080P https://www.wolfteck.com/2019/03/07/getting_into_the_ctipc-275c1080p/I got into the camera via a path suggested elsewhere which had me change my WiFi SSID to:
SSID"|/usr/sbin/telnetd -l /bin/sh -p 24"But I didn't try it directly through the web interface. Instead, I made my own unpacker and repacker of the camera's config.bin files (provided below). I'm not a regular GitHub user, so forgive me as I paste some sloppy code here. Requires "coreutils" package (probably already installed) to do the md5sum computation, and then your standard dd, gzip, and tar commands. I hope this will be of use to some:
BASH SHELL SCRIPT (Linux):
**tomnt ** - Reads .bin and extracts the contents into a subdirectory called mnt (off the current directory)#!/bin/bash
if [ "$1" == "" ]
then
echo "usage: $0 [filename] (.bin will automatically be appended to filename)"
exit 1
fi
if [ -d mnt ]
then
echo "mnt directory: renaming to mnt.$$"
mv mnt mnt.$$
fi
filename="${1}.bin"
dd if="$filename" bs=512 skip=1 2>/dev/null > "$filename.tar.gz"
cp "$filename.tar.gz" "$filename.tar.gz.salted"
dd if="$filename" bs=1 skip=28 count=5 2>/dev/null >> "$filename.tar.gz.salted"
gunzip -k "$filename.tar.gz"
tar fvxp "$filename.tar"BASH SHELL SCRIPT (Linux):
**tobin ** - Takes the contents of a subdirectory called mnt and packs it into a .bin configuration file that's compatible with CamHi3510 type cameras.#!/bin/bash
if [ ! -d mnt ]
then
echo "mnt subdirectory (with camera config) is missing"
exit 2
fi
if [ "$1" == "" ]
then
echo "usage: $0 [filename] (.bin will automatically be appended to filename)"
exit 1
fi
filename="${1}.bin"
tar cpf $filename.tar mnt
cat $filename.tar | gzip -9 - > $filename.tar.gz
cp $filename.tar.gz $filename.tar.gz.salted
echo -n "IPCAM" >> $filename.tar.gz.salted
checksum=md5sum $filename.tar.gz.salted | cut -d" " -f1
echo -ne "PIHC\x01\x10" > $filename
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x00" >> $filename
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x00" >> $filename
x=wc -c $filename.tar.gz | cut -d" " -f1
printf "$(printf "%03o"$((x&255)) $ ((x>>8&255))$((x>>16&255)) $ ((x>>24&255)))" >> $filename
echo -ne "IPCAM" >> $filename
for i inseq 1 195
do
echo -ne "\x00" >> $filename
done
echo -ne "${checksum}" >> $filename
for i inseq 1 252
do
echo -ne "\x00" >> $filename
done
cat $filename.tar.gz >> $filenameThe basic idea is that you save the camera's .bin configuration file as something like "mysettings.bin", and then you extract it like "tomnt mysettings". From there, you go into mnt/mtd/ipc/conf and make all the changes that you want. Then you go back into your original directory, run something like "tobin mynewsettings" which creates "mynewsettings.bin" which you can then upload back to your camera.
I hope someone finds this helpful! This and other communities have really been a great help to me on this camera. My current challenge is seeing how I can figure out what PTZ calls / set codes and sequences result in what special commands for this camera. It seems that this camera (along with many others) have their own unique codes that you're pretty much on your own to figure out!
Thanks all.
Great info, Im pretty sure the password for your camera root is root:hkipc2016 , Also the preset you need to call for the PTZ OSD is most likely 95 or 123 or 84 or 88. Of ots not any of those the OSD is disabled and you will most likely only have IR Switch command somewhere, WhiteLight Switch and Maybe Auto Night enable disable along with the usual PTZ Check and Reset., I have a list of the most common PTZ commands somewhere in my HDD if you want a copy ill dig it up later. Kudos
Great info, Im pretty sure the password for your camera root is root:hkipc2016
John doesn't agree :)
Whats the P2P service thats paired with your Board, Im tipping Camhi Or maybe Hisee ,360eyes , Xmeye ?
But I'm missing my favorite troubleshooting/reverse-engineering tool in my toolbox right now, and that'd be strace.
What i do is to mount an nfs from a raspberry pi on the camera. On the nfs i have strace, strings, gdb, etc.
All of them prebuilt and statically linked. Works perfectly. I just mount the nfs and execute them directly from there, because on the camera, there's just about 1MB free.
Hi,
I've got the same PoE-PTZ-camera as @chunkster29
with /etc/shadow probably containing
root:$1$lPbKHYLS$r6JMTEm949/hCMv85Fsx9/:0:0:99999:7:::
I've invested some time analyzing the firmware, found some firmware images, UART/U-boot access, enable telnet. But wasn't able to crack the root password. If anybody is interested in some python scripts for PTZ, ,manual IR-shutter & co just drop me a line.
Leif
I've got replies for several people, and thank you to everyone! I'll have more to share later.
Great info, Im pretty sure the password for your camera root is root:hkipc2016 , Also the preset you need to call for the PTZ OSD is most likely 95 or 123 or 84 or 88. Of ots not any of those the OSD is disabled and you will most likely only have IR Switch command somewhere, WhiteLight Switch and Maybe Auto Night enable disable along with the usual PTZ Check and Reset., I have a list of the most common PTZ commands somewhere in my HDD if you want a copy ill dig it up later. Kudos
It seems that my particular camera (30x PTZ model C6F0SoZ3N0PcL2 on Hi3516EV300 with 5MP Sony IMX335 sensor) is using PTZ codes that are similar but still quite different from many other Camhi models. Hey, I've got some good news. As it turns out, I asked the seller some of these questions and this time they CC'd me and the manufacturer together and I got some better answers. Some may find this worthwhile, so I'll share:
5MP 30x PTZ w/Humanoid AI tracking --
Manufacturer: Shenzhen Bosesh Technology Co.,Ltd. They are by no means proud of its tracking features. Their most recent email read, "I was surprised about tracking because this version was released in November last year. The camera you bought may come with a test version of the tracking program. I can share some commands with you, but I don’t think they will work very well." When asked about some of the possibilities available with root access (which I did not expect any substantial reply to) they only had to say "I can’t give you more support about root, which is usually open to very, very close partner companies." (which is a fair enough answer).
I already had what PTZ codes they provided, except for the one which re-enables the AF/Zoom display in the lower-right corner. That was new! Of course, they caution me against finding my own PTZ codes "because there are 3 different camera supply components that use these commands. Even we don't know all the commands and functions, which is very dangerous." Good advice, no doubt.
Here are the codes that I've found for this particular model:
===========================================
CALL 66 -- ENABLE HUMANOID TRACKING
CALL 67 -- UNCLEAR FUNCTION TIED TO HUMANOID TRACKING (see example)
CALL 68 -- DISABLE HUMANOID TRACKING
CALL 69 -- ENABLE AUTO-ZOOM WHEN HUMANOID TRACKING
CALL 70 -- DISABLE AUTO-ZOOM WHEN HUMANOID TRACKING
CALL 76 -- CRUISE #1 (CONTINUALLY LOOPS PRESETS 1-16) [16 items]
CALL 77 -- CRUISE #2 (CONTINUALLY LOOPS PRESETS 17-32) [16 items]
CALL 78 -- CRUISE #3 (CONTINUALLY LOOPS PRESETS 33-48) [16 items]
CALL 79 -- CRUISE #4 (CONTINUALLY LOOPS PRESETS 49-64) [16 items]
CALL 80 -- CRUISE #5 (CONTINUALLY LOOPS PRESETS 65-76) [12 items]
CALL 81 -- CRUISE #6 (CONTINUALLY LOOPS PRESETS 81-94) [14 items]
CALL 82 -- MOVE CAMERA TO CENTER AT 1X ZOOM (unless this preset is overwritten by the user -- you probably don't want to do that but you can)
SET 86 -- SET GUARD POSITION. AFTER A DELAY WITHOUT ANY CAMERA OPERATIONS, THE CAMERA WILL RETURN TO THIS SPOT. The delay seems to be different depending on if you've done a CALL or if you manually pointed the camera somewhere else. The delay appears to be user-adjustable, but I have yet to figure out the codes which determine that.
CALL 86 -- STARTS THE GUARD FUNCTION (BE SURE TO SET THIS PRESET BEFORE CALLING THIS FUNCTION).
CALL 87 -- TURNS OFF GUARD FUNCTION.
CALL 91 -- RECALIBRATES THE CAMERA'S POINT/TILT SENSORS (BY MOVING TO THE LIMIT AND BACK TO ITS ORIGINAL POSITION) AND THEN REFOCUSES THE CAMERA.
CALL 92 -- BEWARE! CLEARS ALL PTZ PRESETS, MOVES THE CAMERA TO ITS STARTING POSITION, AND REFOCUSES CAMERA.
SET 95 -- UNKNOWN, BUT REQUIRES YOU TO SEND A SECOND SET 95 PTZ CODE BEFORE NORMALLY ACCEPTING ANY ADDITIONAL CODES. A function for an OSD menu that was not fully implemented?
CALL 96 -- STOPS CRUISE (OR STOP SCAN) AFTER THE NEXT POINT HAS BEEN REACHED.
CALL 97 -- A-B SCAN OR HORIZONTAL SCAN. SCANS BETWEEN PRESET 62 & 63 [AUTOMATICALLY ENDS BASED ON A CONDITION YET TO BE UNDERSTOOD & VERIFIED]. IF PRESETS 62 & 63 ARE NOT SET AND POINTING TO DIFFERENT DIRECTIONS, IT WILL INSTEAD DO A HORIZONTAL SCAN. NOTE THAT ZOOM AND FOCUS NOT ADJUSTED AND WILL REMAIN FIXED AT CURRENT SETTINGS WHEN CALLED. THIS IS IDENTICAL TO CALL 99, EXCEPT ITS SCAN PATTERN IS LESS PREDICTABLE BECAUSE IT WILL AT TIMES RANDOMLY REVERSE DIRECTION BEFORE REACHING ONE OF THE ENDPOINTS.
CALL 99 -- A-B SCAN OR HORIZONTAL SCAN. SCANS BETWEEN PRESET 62 & 63 [AUTOMATICALLY ENDS BASED ON A CONDITION YET TO BE UNDERSTOOD & VERIFIED]. IF PRESETS 62 & 63 ARE NOT SET AND POINTING TO DIFFERENT DIRECTIONS, IT WILL INSTEAD DO A HORIZONTAL SCAN. NOTE THAT ZOOM AND FOCUS NOT ADJUSTED AND WILL REMAIN FIXED AT CURRENT SETTINGS WHEN CALLED.
CALL 100 -- STOP CRUISING (OR STOP SCAN). Avoid setting this position (unless you know why you'd want to do that)
CALL 131 -- AUTO-DIM THE IR LEDs BASED ON AVAILABLE LIGHT ("auto")
CALL 132 -- TURN OFF THE IR LEDs ("closed")
CALL 133 -- TURN ON THE IR LEDs ("open")
CALL 141 -- SET LIGHT SENSITIVITY TO LOW (meaning not entirely clear - provided by seller, could not verify)
CALL 142 -- SET LIGHT SENSITIVITY TO HIGH (meaning not entirely clear - provided by seller, could not verify)
CALL 143 -- SET LIGHT SENSITIVITY TO DEFAULT (meaning not entirely clear - provided by seller, could not verify)
CALL 210 -- DELETE ALL PRESET POINTS (provided by seller, could not verify)
CALL 211 -- CAMERA ROTATION SPEED: LOW (provided by seller, could not verify)
CALL 212 -- CAMERA ROTATION SPEED: MED (provided by seller, could not verify)
CALL 213 -- CAMERA ROTATION SPEED: HIGH (provided by seller, could not verify)
CALL 233 followed by CALL 200 -- REMOVES DISPLAY OF AF/MF SETTING AND CURRENT ZOOM LEVEL (LOWER-RIGHT CORNER)
CALL 233 followed by CALL 201 -- RESTORES DISPLAY OF AF/MF SETTING AND CURRENT ZOOM LEVEL (LOWER-RIGHT CORNER)
CALL 253 -- RECALIBRATES ZOOM AND FOCUS MOTORS AND THEN RESTORES CURRENT SETTINGS
I have determined that the following sequence successfully enables all humanoid tracking features:
====================================================================
1. Aim the camera (using its point/tilt/zoom features) so that it is pointing towards an area that we'll call its "Guard Position". That will be where the camera automatically returns to after it has been idle for a while and hasn't been moving (automatically or manually) for a while.
2. SET 86. CALL 86. This stores your new guard position and then activates it.
3. CALL 66. CALL 69. This turns on Humanoid AI auto-tracking and auto-zoom.
4. Point the camera somewhere else (it doesn't have to be far, just a nudge to the RIGHT should work).
5. SET 67. CALL 67. This seems to actually engage the AI Humanoid tracking with an auto-return to the Guard Position.
If you notice that the camera is constantly focus hunting while in AI Humanoid Tracking mode, I have a solution (which someone else may be able to further simplify). I set another preset to the same place as the guard position (PRESET 86). So let's say that I set that to PRESET 1. Once that has been done just once, then after running all the codes above to turn on AI Humanoid Tracking, I would add:
1. MOVE RIGHT (just move the camera a very tiny bit in any direction)
2. CALL 1 (or whatever preset you'd established for this purpose).
To fully exit all AI Humanoid Tracking features, you could do a CALL 70, CALL 68, CALL 87.
ADDITIONAL NOTES:
==============
1. The built-in settings which adjust the IR LEDs don't seem to do anything. These PTZ codes are the only method that works.
2. It is possible to set a PTZ preset to positions like 91 and 92 which provide other functions. You won't be able to CALL those positions directly, but they're still accessible via CRUISE GROUPS. I noticed (but did not fully document) that under certain circumstances, when you SET a new position to a PRESET which already had a position stored in it, the preset's existing position is automatically copied into the next preset slot.
3. The conditions which automatically stops the A-B SCAN OR HORIZONTAL SCAN (CALL 97 and CALL 99) are yet to be determined. Humanoid detected? Motion detected? I haven't had a chance to chase this down.
4. The behavior of a cruise (CALL 76 through CALL 81) can be adjusted. A CALL 96 followed by a "cmd=setmotorattr&-panscan=1&-tiltscan=1" will cause the camera to slowly move between presets but not pausing between them. A CALL 96 followed by a "cmd=setmotorattr&-panscan=50&-tiltscan=50" causes it to quickly move between presets and pausing substantially between them.
5. AI Humanoid Tracking is more what I'd call Artificial Stupidity than Artificial Intelligence, but it seems to be good enough in most cases. You'll probably need to adjust the sensitivity level based on the specifics of your situation and how annoyed you are by false detections.
6. I suspect that some of the ONVIF data it provides about itself is wrong, but I haven't had a chance to chase down what all might be causing problems.
Here are some of the many PTZ codes I tried that DO NOT SEEM TO APPLY TO THIS CAMERA:
===============================================================
CALL 97+191 PART ACT (cruise tracking)
Cruise group tracking command: transfer: 93 (turn on) setting 93 (turn off)
Set tracking time 93-N (N is tracking time, the value is 20-255m)
Turn off tracking function command: transfer 94
Call 245 to control the direction of rotation
Call 246 to control the direction of rotation
Call 247 to slow down the speed of the pan/tilt
Call 248 to adjust the speed of the pan/tilt to medium speed
Call 249 to adjust the speed of the pan/tilt
Call 95 to enter OSD menu
Call 59 to enter OSD menu
Call preset No.95+No.93 to set OSD menu language to English
Time-limited tracking on and off setting method: 156+set+N+call, N=1 means continuous tracking (default), N=2 means limited time tracking.
Limited time tracking setting method: 157+set+N+set, N=5-30 seconds represents the duration of tracking,
Fixed-point tracking mode, judge whether the tracking target is moving. If the tracking target is not moving, whether to enable tracking after the camera detects a humanoid. Setting method: 155+setting+N+setting, N=1 means that as long as the target is detected, the tracking is turned on (default); N=2 means that the tracking is not turned on if the target is not moving.
I discovered a set of odd parameters with a well-known cgi-bin command (which I will not share) that effectively bricks the camera. After sending the code (requiring admin rights), the camera remained pingable but would not answer on any TCP-IP port. It ignored it's physical reset button and would not go back to a normal configuration. In my particular case, when power cycled, it went back to what it was doing at the time the command was sent, which was a continuous horizontal scan back-and-forth between the limits in each direction. I believe that this command altered an unrelated persistent setting which happened to cause all of its network processes to fail. The good news is that everyone is extremely unlikely to trip over this cgi-bin command unless they're trying out some pretty irrational settings to see what happens.
Whats the P2P service thats paired with your Board, Im tipping Camhi Or maybe Hisee ,360eyes , Xmeye ?
I think you're referring to /mnt/mtd/ipc/conf/platform.ini? If so, here's a partially censored quote:
xqunenable = "0 "
xqunmode = "1 "
xqunuuid = "SSAA-123456-ABCDE"
xqunpuship = "47.52.128.161 "
xqunsvraddr =
"SVLXABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ-$$"
I found configuration templates for all sorts of services (even one for "Amazon Echo"), but this is the only one that seems tied to the sticker and QR code on its wall-mount arm. Of course, if I've completely missed the mark here, just let me know what you're looking for. :)
What i do is to mount an nfs from a raspberry pi on the camera. On the nfs i have strace, strings, gdb, etc.
If anybody is interested in some python scripts for PTZ, ,manual IR-shutter & co just drop me a line.
PERFECT. I'm going to drop BOTH of you a line, and thank you!!
Also, if anyone is interested in this particular camera, drop me a line by sending an email to "camhi" at joshmccormick with a suffix of .com and I'll let you know where I purchased these for $130 shipped US. At least, I hope! (No commission, no affiliate code, none of that.) As of right now (April 12, 2021) they're out of stock. Hopefully that's temporary. :)
@jmccorm - wow! What a load of good info. Many thanxs.
I am tinkering with the same camera model for a while already and i am pretty pissed of, that this firmware can only do 15fps in the best case, despite the strong hardware and there's no way to switch the resolution down from 5MP to at least 3MP to get usable framerate.
Perhaps you could please ask the supplier, how do set the resolution down or fix that?
Thanxs a lot
Usually there is hw chip that has a list of supported formats. It doesn't matter what they are. If what you need is NOT on the list it means hw chip doesn't support it and you won't do anything to support it :)
Usually there is hw chip that has a list of supported formats. It doesn't matter what they are. If what you need is NOT on the list it means hw chip doesn't support it and you won't do anything to support it :)
Surprisingly, they list quite a few modes for the Hi3516EV300 chip...
Real-time multi-stream H.264/H.265 encoding capability:
− 2048 x 1536@30 fps + 720 x 576@30 fps
− 2304 x 1296@30 fps + 720 x 576@30 fps
− 2688 x 1520@25 fps + 720 x 576@25 fps
− 2592 x 1944@20 fps + 720 x 576@20 fps
...but my memory is that the spec sheets for the Hi3516EV300 seems to have evolved over time? I don't know if they're tweaking the firmware or if they're releasing better hardware under the same nameplate. One thing that caught my eye is that the spec sheet lists this as having an ARM Cortex-A7 CPU @900Mhz. I've only started poking around with the camera, but I want to say that they've got it only running at 400Mhz? That could be influencing that framerate ceiling. (BTW, I'm not familiar with U-Boot or device tree settings. If someone could hand-hold me through some mild overclocking, I'd appreciate it!)
...this firmware can only do 15fps in the best case. Perhaps you could please ask the supplier, how do set the resolution down or fix that?
I'm working on a list of bugs to send their way (and if someone's really familiar with ONVIF, I'd like to be able to talk about this camera's shortcomings without looking like a fool). I'll see if I can throw this into the list, but I have to temper your expectations here. I really don't expect them to offer any relief for several reasons. For me, a security camera with a 5MP image @15fps is not unusual by any means. But, yeah, I hear you. It would be nice to be able to step down the resolution to achieve a more fluid framerate.
Changing the conversation here (I'm hoping gabonator doesn't mind these adjacent topics), I'm wondering how much success others have had with ceiling-mounting these cameras? The existing wall mount has a really odd opening size for the camera (about 34mm) and I'm not finding anything like it in other brands of ceiling mounts. The good news is that I got lucky and found the perfect parts at Home Depot to adapt the existing wall mount to a ceiling mount configuration:
2 x Everbilt 5" Galvanized Corner Brace (1 x Amazon "B07G6Z1GPC" might substitute for it)
4 x Everbilt 1/4"-20 x 1" Machine Screws (round head combo)
4 x Everbilt 1/4"-20 Coarse Hex Nuts
6 x 1/4"x1 Lag Screw (attaches adapter to outdoor soffit or indoor ceiling)
Here's a picture that helps to show how it all goes together:
That's all I got for now. I hope to have more good info to drop as I keep working with this. 😄
BTW, has anyone dived into /mnt/mtd/ipc/conf/imx335.bin (or similar file for other models)? It is a text file. The amount of configurable items (assuming it is actually read by the camera) seems insane! Here's a small snippet...
[x10_param]
AutoGc = 48|40|36|33|30|27|25|23|20|18;
[all_param]
UpFrameIso = 400
DownFrameIso = 1000
[cl_static_ae]
MaxHistOffset = "24"
HistRatioSlope = "128"
AutoSpeed = "64"
AutoTolerance = "2"
AutoBlackDelayFrame = "8"
AutoWhiteDelayFrame = "0"
[cl_static_aerouteex]
TotalNum = "8"
RouteEXIntTime = " 32,20000, 40000, 40000, 50000, 50000, 83000, 83000"
RouteEXAGain = " 1024, 1024, 1024, 2048, 2048, 15872, 15872, 15872"
RouteEXDGain = " 1024, 1024, 1024, 1024, 1024, 1024, 1024, 1240"
RouteEXISPDGain = " 1024, 1024, 1024, 1024, 1024, 1024, 1024, 1024"
[cl_static_aeweight]
ExpWeight_0 = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_1 = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_2 = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_3 = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_4 = 1,1,1,1,1,2,2,2,2,2,2,2,1,1,1,1,1,
ExpWeight_5 = 1,1,1,1,1,2,2,3,3,3,2,2,1,1,1,1,1,
ExpWeight_6 = 1,1,1,1,2,2,3,3,3,3,3,2,2,1,1,1,1,
ExpWeight_7 = 1,1,1,1,2,3,3,3,3,3,3,3,2,1,1,1,1,
ExpWeight_8 = 1,1,1,1,2,2,3,3,3,3,3,2,2,1,1,1,1,
ExpWeight_9 = 1,1,1,1,1,2,2,3,3,3,2,2,1,1,1,1,1,
ExpWeight_10 = 1,1,1,1,1,2,2,2,2,2,2,2,1,1,1,1,1,
ExpWeight_11 = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_12 = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_13 = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
ExpWeight_14 = 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
[cl_static_ldci]
Enable = "1"
LDCIOpType = "0"
LDCIGaussLPFSigma = "28"
**[ SNIP! ]**
Buzzdev wrote:
What i do is to mount an nfs from a raspberry pi on the camera. On the nfs i have strace, strings, gdb, etc.
All of them prebuilt and statically linked. Works perfectly. I just mount the nfs and execute them directly from there, because on the camera, there's just about 1MB free.
I thought I'd share my NFS experience so far to see if I'm missing anything. I couldn't get NFS v3 or v4 to work, so I exported an NFS v2 filesystem on my Linux box and mounted it on my camera with the following command (after having made an /nfs directory):
mount -T nfs -o rw,nolock,vers=2 192.168.1.7:/nfs /nfs
I'm not missing anything here? It isn't capable of a v3 or v4 NFS client, is it? And it's not capable of NFS exports, right?
Thanks all.
EDIT: Buzzdev, I couldn't find your email address. I was hoping to get some help with the tools you discussed earlier. Would you mind providing your address or sending an email to "camhi" at joshmccormick with a suffix of .com ? Thank you so very much!
Good news for some of you who may have been looking for an indoor/outdoor ceiling mount for this camera. I happened to stumble across a ceiling mount on eBay which had an outside diameter of 41mm. I asked the seller if they could provide the inside diameter, and they reported 35mm which should be just fine. Unfortunately, it ships from China, and it lists for $27.99 on eBay (with an opportunity to make an offer). You'll find it here: https://www.ebay.com/itm/333925609768
Of course, some of these CamHi cameras are going to be different, so be sure to measure your own camera before ordering.
PS: I should really get a blog, shouldn't I?
Hey Buzzdev, thanks for reaching out to me in email. So since then, I've been able to set up the camera as an NFS client, and the mount is nice and stable like I hoped for. I've also been digging into the binaries on the camera and found some neat things (some of which would have been easier to discover had I pursued getting strace a little sooner).
The most useful thing I discovered was that you can control the camera's PTZ functions through /dev/ttyAMA1. It seems to accept PELCO-D commands, so (assuming you haven't change the camera's device ID or RS484 protocol), here are a few commands that can most people should be able to cut-and-paste (one-at-a-time, please):
Call 3
printf "\xff\x01\x00\x07\x00\x03\x0b" >> /dev/ttyAMA1
Call 9:
printf "\xff\x01\x00\x07\x40\x09\x51" >> /dev/ttyAMA1
Zoom In:
printf "\xFF\x01\x00\x20\x00\x00\x21" >> /dev/ttyAMA1
Zoom Out:
printf "\xFF\x01\x00\x40\x00\x00\x41" >> /dev/ttyAMA1
Pan Left:
printf "\xFF\x01\x00\x04\x3F\x00\x44" >> /dev/ttyAMA1
Stop:
printf "\xFF\x01\x00\x00\x00\x00\x01" >> /dev/ttyAMA1
Now that I've finally gotten strace running, I'm hoping to find some more interesting things. What I really want to find is some sort of map of what PTZ preset commands are valid and what they might do. (The preset codes for my particular camera seem quite a bit different than most.) Thank you and everyone for the help here!
can anyone help me to crack this hash
root:$6$IHr2t/DYrUxzIlrJ$7f2uAwLcGZDDpm6Zb6HiEAMzDd9iYGKZlYTyAFiJ4JQ5.aZpFHEavkweMTt5HEgLvvqc.qDFbD7yRjOHPjK0B/:0:0::/root:/bin/sh
Hi, since this is moving into some kind of "forum" or knowledge thread: I've got a generic "Megapixel Camera" with /form/setPTZCfg Endpoint. Since the rtsp stream was kind of buggy (even via wired ethernet) I've reverse engineered the video-port-90-protocol. See here for a link to fetch the video via TCP port 90 and feed it into a ffmeg HLS stream:
https://gist.github.com/ljakob/e38d8cfcc9efb99c204f62105c6f4c60
It runs on a Rasp4 with little CPU (warning: use tmpfs!)
I didn't go into protocol details, it's more a 1:1 wireshark capture that works for my camera. But since most bytes are zero it should work for everybody else. The protocol uses no authentication (as expected) and just feeds back the H264 stream (or what you've configured).
Have fun
Hi, Can I get the following root password cracked? This is the latest Wyze PAN camera:
root:$6$wyzecampan$iH01lm9SqCfUrc4.Jjp3BLUErTGiiB.pBk/60XuPYxQo7uZIoBjwUrCcoGeesbTa1EP5N/DC1a/GOMVW8qUVY1:10933:0:99999:7:::
and this (wyze home security hub):
root:$6$hmsgateway$A4aIJTn05K9yAgy7tAnw6hxPUn3xpwlTPlb8El8LCbTpq9THjqr4Q5CsWkNYgR6uYMI0lHyH5N6eqiNBJCVEY0:10933:0:99999:7:::
Hi,
I've got the same PoE-PTZ-camera as @chunkster29with /etc/shadow probably containing
root:$1$lPbKHYLS$r6JMTEm949/hCMv85Fsx9/:0:0:99999:7:::I've invested some time analyzing the firmware, found some firmware images, UART/U-boot access, enable telnet. But wasn't able to crack the root password. If anybody is interested in some python scripts for PTZ, ,manual IR-shutter & co just drop me a line.
Leif
I'll take some of that.
Hello, please somebody can crack:
root:$1$JYFTech$dt2mZnCIdoFSWAog1s.T41:10933:0:99999:7:::
Have you found the password for this hash?
@jmccorm, you wouldn't happen to be the one who wrote an amazingly in depth review for an amazon C6F0SoZ3N0PcL2 type camera, would you be? :)
Bravo, if so.
I'm looking to gain access to own and see what kind of cool shit I can do with it.
I'll have to parse this thread better when I have more time, appears to be a wealth of information here.
Actually, I've got 2 I'm going to crack:
YoLuke 5MP 20X PTZ - P2-20X5MP
YoLuke 5MP 4X PTZ - P1-4X-2.5-5MP
YoLuke offers great customer service. Very responsive and polite. I've bluntly asked them for the root telnet password and firmware source code. Seems as though the oem won't divulge that info to them. Or so they say.
I couldn't even get them to provide a copy of my camera's compiled firmware (V19.1.13.16.65-20201014).
So, let the hacking begin...
Triax TTF2 / Videopark NC-GBR2XXXA, NC-HAR2XXXB, NC-HBR2XXXB, NC-IT2XXX, NC-IDV2XXX, NC-HBR2XXX, NC-GAR2XXXA, NC-GB1R2XXX, NC-GB1R2XXX_Z, NC-GBR2XXX, NC-GBR2XXXA
Uart "disabled", activate telnet in options
root:ivideo
$1$yq01TaSp$lkN/azu3IxE97owy27pve.
I have hashcat running for several days now without luck. I have, however, broken into the camera and obtained root access. I don't need the root password but I'd like to know what it is for curiosity's sake.
How did you obtain root access?
Serial console, guessed the u-boot password (HI2105CHIP), and changed the boot parameter so that init was /bin/sh instead of linuxrc.
@sectroyer is it possible to decrypt this?
root:z1YC93pV6OlQI:17771:0:99999:7:::.
Hi, I also need the password for the hash: $1$JYFTech$dt2mZnCIdoFSWAog1s.T41
John is running now since a while on it, if I get it bruted, I'll post it.
My camera is labeled as QuanMin (https://www.amazon.es/dp/B08LPGYSHH)
Unfortunately I'm highly missing ONVIF support or rtsp stream etc to integrate this cam in MotionEye or whatever.
I found some interesting stuff in the camera itself, but not helpful yet to find a streaming possibility.
Telnet is open, I could login with "default" and no passwd.
In /mnt/config/xml I found interesting files:
DiscoveryMode and Security was before 0, I've changed it to 1 and it survives a reboot of the camera. But unfortunately still no rtsp port open...
I found the startscript that runs the camapp. Now I'd like to kill it to start it manually, maybe there's a parameter possible to activate discovery and therefore port 80 and 554 (hopefully). That's why I try to brute the root-passwd - it is not allowed to kill the process for 'default' and so I'm stuck actually.
Generally nice and cheap camera, but if I could ONLY use it in SmartLife, it's of no use for me. At least as long as SmartLife wants to sell cloudspace and facerecognition as monthly payment PER camera (ridiculous) and doesn't offer any possibility to connect to your own Netcloud server and own ObjectRecognition solution...
I've got another camera with an unknown password. It is an awesome 5MP with 30x optical zoom PTZ camera, infrared LEDs, AI humanoid detection, SD card, built-in microphone and speaker, just about everything enabled. The only feature it doesn't seem to have are white lights, alarm input/output wires, and POE. Model is "C6F0SoZ3N0PcL2" running on an Hi3516EV300 with a Sony IMX335 sensor.
/etc/shadow entry as follows:
root:$1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1:17500:0:99999:7:::
I see this encrypted password also mentioned on pages for two completely different cameras. I suspect we've got OEMs who are making only the most minimal updates to the original HiSilicon firmware:
C6F0SgZ3N0P9L2 https://55476f744974.wordpress.com/
CTIPC-275C1080P https://www.wolfteck.com/2019/03/07/getting_into_the_ctipc-275c1080p/
I got into the camera via a path suggested elsewhere which had me change my WiFi SSID to:
SSID"|/usr/sbin/telnetd -l /bin/sh -p 24"
But I didn't try it directly through the web interface. Instead, I made my own unpacker and repacker of the camera's config.bin files (provided below). I'm not a regular GitHub user, so forgive me as I paste some sloppy code here. Requires "coreutils" package (probably already installed) to do the md5sum computation, and then your standard dd, gzip, and tar commands. I hope this will be of use to some:
BASH SHELL SCRIPT (Linux):
tomnt - Reads .bin and extracts the contents into a subdirectory called mnt (off the current directory)
BASH SHELL SCRIPT (Linux):
tobin - Takes the contents of a subdirectory called mnt and packs it into a .bin configuration file that's compatible with CamHi3510 type cameras.
The basic idea is that you save the camera's .bin configuration file as something like "mysettings.bin", and then you extract it like "tomnt mysettings". From there, you go into mnt/mtd/ipc/conf and make all the changes that you want. Then you go back into your original directory, run something like "tobin mynewsettings" which creates "mynewsettings.bin" which you can then upload back to your camera.
I hope someone finds this helpful! This and other communities have really been a great help to me on this camera. My current challenge is seeing how I can figure out what PTZ calls / set codes and sequences result in what special commands for this camera. It seems that this camera (along with many others) have their own unique codes that you're pretty much on your own to figure out!
Thanks all.
EDIT: You may need to change "PIHC\x01\x10" in the tobin script to match whatever salt your camera in particular is using. At least for my configuration, those scripts will decode and re-encode a perfect formatted configuration file. And if you've got a custom .g711 sound file for your alarm, it'll be saved and restored along with everything else.