TTHS005 Camera #2
Comments
|
yes, it does look very similar.... if not identical. I HAVE re-created the web login process and obtained RTSP and RTMP urls for video (by reverse engineering the local javascript web API). However, the URL is random and different for each session (their 'security'). In terms of 'breaking in', uboot serial is your easiest option. The serial connections are easily seen in the pictures; i didn't even solder to them :). An alternative way to 'break in' without an upgrade file is to modify the jffs2. But note their JFFS2 does not support some modern options (very small mods which fit within the latest page MAY work, or find an older, compatible, JFFS2 implementation). If you can modify the jffs2, you are done. (the upgrade hacks zips contain the original and modified scripts; in the filesystem the modified script lives at /devdata/dev_init.sh) Please let me know how you get on, so we can update here for others. P.S. be careful working with SD cards - it seems to like to format them with it's own FS, as yet not recognised, if the SD card is not that FS. The Uboot seems to have SD support, and you can mount an SD in linux (maybe only if you kill their app?). |
|
ok, additional info. |
|
Since this thing is apparently running Linux, the manufacturer SHOULD be supplying the source for it. I would love to get this camera to provide a RTSP stream for Linux Motion, but the security issues are most important first, obviously. It would be super nice to figure out a way to add a custom kernel and get rid of the proprietary SD format and use ext4 instead. Keep up the good work and thanks! |
|
quite a lot of the functionality is inside their monolithic executable. The chip SDK has some samples which could be built and run instead; the other opportunity is to find a camera with a 'better' executable which runs the same chipset (and sensor?), and transplant. |
|
Hi, I have the same Camera but from a different brand named KAMTRON (there seems to be a lot different brands like MAISI and PANNOVO). The Model is 826 (not 826-X) and the Softwareversion is the same (v3.4.1.1604071109). Searching for RTSP I found a way to get the current Picture as JPG. http://local-ip-or-hostname/ccm/ccm_pic_get.jpg?hfrom_handle=887330&dsess=1&dsess_nid=NON-STATIC-SESSION-ID&dsess_sn=SERIALNUMBER&dtoken=p0_xxxxxxxxxx Can you post the RTSP URL or does the Firmware need to be modificated? Another thing I've noticed is, that the login-password is encrypted to a HEX string using the public available CryptoJS Library (functions are in core.js -> CryptoJS.enc.Hex.stringify and CryptoJS.enc.Hex.parse) http://local-ip-or-hostname/ccm/cacs_login_req.js?hfrom_handle=653862&dlid=0xe&dnid=MMj86%5fVKY3VLg%2ehgp32mL%2e5BAWEOgQI&duser=SERIALNUMBER&dpass=PASSWORDHEXENCRYPTED&dsession_req=1&dparam__x_countz_=1&dparam=1&dparam_name=spv&dparam_value=v1 I'm not good at javascript, but to someone who is, it seems to be easy to decrypt the camera's password from the captured url. I've also noticed, that the SessionID maybe expires after some time, as i was able to get the jpg picture with two different (recent) SessionIDs. But a very old one didn't work. |
|
Hi Phil, |
|
Wow, that was a quick reply. Obtaining the session ID is no pain for me. Just use your Browser's Tool Vivaldi: IE11: I don't need the rstp stream for a fancy surveillance software. VLC would be fine to me. Can you maybe give me the URL of the rstp stream, like in my example with getting the jpg image. So I can see if I'm also able to stream a video. |
|
example: The JCWJXJQCIPOJ bit changes sometimes. Although trying now, re-logging on to the camera seems to give the same URL; so not sure what prompts it to change. Although if you need RTSP, you may need to ask for it.... the default local camera http seems to ask for RTMP:. |
|
Thank you. Now I got RTMP to work. So in this URL there is another unique/temporary ID different from the sess_nid. I'm sure it will change after rebooting the device. I can't understand why they don't support rtmp://username:password@ip:7010/live/... This would be a great feature for the camera and won't be a security issue, since there's still an authentication (yes I know the password is plain text, but It's my own network). So I'm still thinking about how to get or bypass this ID. |
There is a Tool to Export Data from the SD-Card It seems the export.min.js decrypts the contents of the sd-card useing also the CryptoJS Library |
|
ohh.. good find. interesting a google search of v5.7.1.1807031100 gives a set of companies who use this.... |
|
I am using Fedora Linux and both Firefox and Chrome to access the camera directly. I get the interface, but when I hit play, I only get a black screen. I suspect this is why I am not able to retrieve the ccm_play.js in debugging. Are you accessing the camera's http via Windows or Linux? BTW, this unit just updated to v5.1.8.1807231703. EDIT: Just tried from Windows 7 in VirtualBox. It prompted me to install the mme plugin. I did. Now in windows (just as in linux), I get the initial photo with play button, but still only black screen once pressed. Weird! |
|
I also just noticed the GUI now allows one to upload the update manually. I wonder if the fw needs to be signed before it will accept it? If not, could be an easy way to make changes to the fw before updating it. Perhaps it was always there and I just never noticed before. |
|
hi Lexridge, if your based version is 4.6.2.1706161621, then the upgrade hack file should take with the manual upgrade method. |
|
the new upgrade patch is http://209.133.212.170.2080/version/ipc/gm8136/v5.1.6.1804251402/ipc_pack_patch_from_v4.6.2.1706161621.rtl8188fu_to_v5.1.6.1804251402.rtl8188fu.bin |
|
@Lexridge - 'I wonder if the fw needs to be signed before it will accept it?' - read the upgradefileformat part of the wiki - yes, it's easy to modify the script which is run at boot via modifying the upgrade file. The upgrade file is CRCed, but easily spoofed. Updating the actual firmware (the programs it runs) is much more difficult, because the upgrade file is a difference between two tar files, and the difference method is yet to be established. But, once you have broken in, you could compile, install, and run your own software easily. I've pulled the later version, and the script it contains is identical to the last version, so the modification method will work with this version; just cut and paste the script from the one I did, re-calculate the CRC, and you are done. |
|
@Phil-Rei do you confirm that this still works?
|
|
I no longer have the camera and therefore cannot test it, sorry. |
|
you could have a look at my hacked about node-red flow, which operated various interfaces of the camera, including I think getting a URL. It's in the repo. (if you are not familiar with node-red, it's a visual javascript programming tool, so the code I've written is plain old JS, just split up into blocks....). |
|
I know node well, the question is how to get that specific url. |
|
it's been a long time since I worked on the camera :). If you have the time, then fire up node-red, and examine the flow; it's a very 'developmenty' flow, and may need 'require:require' in the settings.js of node-red to operate. From memory, you have to login to the camera to get a valid session, and then you can ask it for a url for video or pictures. I paused looking at it because it's video was not exactly 'standard', and so decoding in node was a pain - (I wanted to go into opencv4node). |
|
I can confirm that the jpg image get still works. made a firmware update today
thanks alot everyone |
I guess there is no way to obtain any static address? I ask because I plan to use the JPG URL in iSpy software to capture and record from the 826 camera for surveillance purposes. |
|
i don't think so. A small node server which generates the address and serves the image on a static address was my solution. |
|
Just to bump this discussion and as reference for someone still playing around with this - and to pay homage to @btsimonh again 👍 - as he mentioned there is a way to get the same static address and to get RTSP, but it requires a detour... I installed this aler9/rtsp-simple-server as a docker container with exposed ports (I refer to that as server part in the following), which runs permanently and is bored most of the time, and I have ffmpeg installed. I created a function node, which grabs the The ffmpeg and restreaming server part is causing no CPU load basically (4% on my powersave governed DietPi RPi Zero W), as they are just forwarding network packets mostly, so that is not a huge issue (I mean compared to copying individual pixels in a NodeRed image view, for example). The question is, what is the intended way to use all of this and how to leverage the behaviour of the One could run ffmpeg without the server part. ffmpeg will wait for the client to connect and will automatically terminate once the client disconnects - if the PS: the reason I came across all of this is that I installed some quite nice software for MacOS, GlanceCam, and while it worked out of the box for my other two webcams (a rather old Hootoo and an ESP32-Cam module), the Yatwin was not working and, seriously, I did not find any software that was working except IPCamViewer for Android or iOS. |
|
so another finding is that you should run ffmpeg with |
Hello,
Found this repo by way of this post (http://www.openipcam.com/forum/index.php/topic,1429.msg5004.html#msg5004), the site appears to be nonfunctional (couldn't reply).
I have a TaoTronics TT-HS005 camera I picked up on a flash deal at one point. The manual is located here: https://www.taotronics.com/media/downloads/88-20005-181_TT-HS005%20User%20Guide%20(PC)%20-%20V1.1(20170307).pdf
It connects remotely to the "ehawk.taotronics.com" URL, which appears to be identical to the MIPC website (though skinned slightly different), so I believe it is a similar clone.
I'd like to use locally with my camera server, however I can't seem to locate a feed. I found my way to your post after an NMAP showed a similar "Tmrmt_hello" response. NMAP result below:
In the WebGUI, there are two versions listed, neither which match up with the uploads you provided. It appears to be running a slightly different version - I've tried uploading the ones on this site to no avail.
Are there upgrade.sh files I can copy to an SD card, can I modify the upgrade files, or any potential suggestions? I'm happy to pop it open and JTAG it if that's the next steps (done plenty of similar cracking of models; in the past I would unlock Vonage boxes for usage with FreePBX/Asterisk via serial console :))
The text was updated successfully, but these errors were encountered: