RTSP VLC Stream url:
rtsp://@192.168.0.20:554/live/profile.1/video
rtsp://@192.168.0.20:554/live/profile.0/video
Inline credentials are deprecated. You will be prompted for a username and password:
Username: admin
Password: pincode from the bottom of your device
The camera outputs 1920x1080@15fps
Pincode can be recovered by flashing old firmware which has a bunch of debugging stuff left on. There seems to be no difference between the two URLs. The RTSP stream seems to work on all versions of the firmware1.
The D-Link DCS-6100LH is a 2MP Wifi-only 5V IP Camera in a decent hardware package.
Despite D-Link support claims to the contrary 2 these devices ship with a working rtsp stream. This stream has been confirmed to be available on all versions of the firmware, 1.01-1.04 as of writing1.
The RTSP stream url was recovered by downgrading to version 1.01 of the firmware which also provides much more verbose console output. The stream url does not match any other published URLs. Downgrading should also allow recovery of the device pin. Downgrading is possible without hardware modification. Console access is achieved via RX and TX pins on the board.
As always: messing around with the firmware of these things risks irreparably bricking them. You do so at your own risk. I can't help if things go wrong.
In order to use the mydlink-app to setup the device it needs to be in setup mode. Setup mode is indicate by the LED flashing orange (not red). Setup mode can be acheived by, while the device is powered on, pressing the reset button for about one second. After some time the LED should start flashing orange. Be patient.
You must use the mydlink-app to connect the device to your wifi. However it seems that you can blacklist the mydlink domain or presumably block the device in your firewall and it will remain connected to your wifi3.
It is possible to boot the device into recovery mode and downgrade the firmware as of firmware version 1.04.05
Allow the device to boot and use a pin to hold down the reset button for around 10 seconds. The device will boot into firmware recovery mode indicate by that the LED is flashing red (not orange). It will expose itself as an access point with the name DCS-6100LH-XXXX, where XXXX is the last four characters of the units MAC. You can then connect to the camera's wifi access point using the password on the sticker on the base of the device (not the pin).
The onboard DHCP server will give you an IP resembling 192.168.0.40. You can access the recovery interface at http://192.168.0.20:80
You can then upload a firmware file, which you can download from:
DCS-6100LH A1 V1.00
DCS-6100LH A1 V1.01
DCS-6100LH A1 V1.02
DCS-6100LH A1 V1.03
If those links fail, then you can also find the firmware via their GPL portal, page 5 as of writing:
https://tsd.dlink.com.tw/downloads2008list.asp?t=1&Category=Product%20Data%20II%3EIP%20Surveillance%3EIP%20Cameras&pagetype=G
As of writing the device can be rooted without issue.
A serial console gan be achieved by opening up the camera. See issue #9 for pin locations.
A remote shell can be achieved thanks to an RCE exploit that has been found thanks to grocid. https://gist.github.com/grocid/becaff3b0c7bef3edcb5801b70b7af21
"DCS-6100LH-MACADDRESS"
Replace MACADDRESS with the mac address for your camera (for example: "DCS-6100LH-B0C5546518E7")
The mac address can be found on the quick start guide or the underside of the camera.
Put that through a md5 hash generator and the first 8 characters of the hash should be the root password
With thanks to AlixCozmo and as noted in #9
Open SystemConfig.ini
Find the OSD section and set OsdDisplayEnable to 0
OsdDisplayEnable = 0
This will disable the overlay
With thanks to AlixCozmo and as noted in #9
Open SystemConfig.ini
Find The Mydlink Section
Set light_status to 0
light_status = 0
With thanks to AlixCozmo and as noted in #9
Open /mnt/mtd/boot.sh
Comment out the following (near line 140):
/etc/init.d/S50telnet stop
This will prevent the telnet daemon from being stopped
With thanks to AlixCozmo and as noted in #9
The camera uses busybox, the syntax for the various commands can be found here: https://busybox.net/downloads/BusyBox.html
tftp -p -l SystemConfig.ini 192.168.xxx.xxx
The above command sends a file to a tftp server at address: 192.168.xxx.xxx
tftp -g -r test.txt 192.168.xxx.xxx
The above command gets a file from a tftp server at address: 192.168.xxx.xxx
Note: You need a tftp server to transfer and receive files from the camera.
If using windows, this is an option https://pjo2.github.io/tftpd64/
With thanks to AlixCozmo and as noted in #9
vi /mydlink/mydlink_watchdog.sh
- press i, add exit under #!/bin/sh, press esc, type :wq and press enter
Note
Needs to be checked, from looking at it in ghidra these are the cloud services - somehow the streamer still reported occasional connections from an Orange ASN, could be a bug or my network equipment
With thanks to DSchndr and as noted in #8
-
connect uart (115200, near the usb port)
-
press a button to stop uboot from booting and then
setenv bootargs console=ttyS1,9600 init=/bin/sh root=/dev/mtdblock3 rts-quadspi.channels=dual mtdparts=18030000.spic:16384k@0(global),320k@0k(boot),2304k@320k(kernel),3584k@2624k(rootfs),7744k@6208k(userdata),2048k@13952k(userdata2),384k@16000k(userdata3)
-
boot
-
change baud rate to 9600
-
passwd root 2x enter and you've opened pandoras box
-
reboot afterwards
-
enable telenet
With thanks to DSchndr and as noted in #8
Open
vi /mnt/conf/SystemConfig.ini
Edit as follows
WIFI_SECURITY_TYPE = 5 WIFI_SSID = [B64-Encoded] WIFI_PWD = [B64-Encoded] register_st = 1
Reboot
With thanks to DSchndr and as noted in #8
Stored in /mnt/conf/SystemConfig.ini
With thanks to DSchndr and as noted in #8
- Hold the reset button for 5 seconds, go to the firmware recovery page
- Upload the firmware you want the keys for (they probably come from da_adaptor, seed is quite obvious in the header of the update file)
- Seed, Key and IV plop out on the Serial port - decrypt with openssl aes-128-cbc -d -p -nopad -K "KEY" -iv "IV" -S "SEED" -in UPDATE.bin -out dec.bin
- Use binwalk to explore the package
With thanks to DSchndr and as noted in #8
cat cpuinfo outputs the following:
system type : Formosa
machine : RTS3903N EVB
processor : 0
cpu model : Taroko V0.2 FPU V0.1
BogoMIPS : 497.66
wait instruction : no
microsecond timers : yes
tlb_entries : 64
extra interrupt vector : no
hardware watchpoint : no
isa : mips1
ASEs implemented : mips16
shadow register sets : 1
kscratch registers : 0
package : 0
core : 0
VCED exceptions : not available
VCEI exceptions : not available
cat version outputs the following:
Linux version 4.9.51 (root@ubuntu) (gcc version 6.4.1 20180425 (Realtek RSDK-6.4.1 Build 3029) ) #78 Wed May 6 20:32:31 CST 2020
With thanks to AlixCozmo and as noted in #9
As usual, onboarding the device was painful.It required full internet access to complete the process and a mydlink account. My device wasn't new so it needed to be reset.
The quickstart guide4 says: "Reset and reinstall your device. Use a paperclip to press the recessed Reset button and the LED will turn solid red"
After onboarding I discovered the device wouldn't function without a working internet connection and also didn't expose anything to do with RTSP. Unless you are d-link. In Which case it happily streams RTSP offsite where they kindly allow us peons to stream it via their servers in an app or web browser.
I initially attempted to gain root access via the hardware pins5.
Remove the single black screw below the micro-usb power port. Squeeze the sides of the device and work the back off. Remove the remaining three silver screws. The board can now be removed from its chassis.
There are three obvious, but very tiny through holes next to the usb port. The hole next to the usb port is ground. Middle pin is TX. End pin is RX. I removed and trimmed some metal prongs from a female pcb connector, and carefully soldered them into the through holes.
I couldn't log in as root using any of the available pins or passwords and the latest firmware gives a lot less output.
Next I tried to use the instructions from bmorks defogger6 to get a root console. This failed because it couldn't find /bin/sh or /bin/bash. I don't know enough about this stuff to push any further so on a whim I decided to see if I could find old versions of the firmware.
As luck would have it I did, direct from D-Link. Not only that but the recovery mode allowed me to downgrade the firmware. Earlier versions have much more verbose output from their RTSP server and I was eventually able to figure out a working stream URL.
I also observed onvif related output(!) on the console. Username was admin and pass was the pincode. So there's probably onvif running on this thing, somewhere.
The Taiwanese D-Link support portal also links to versions of the firmware7
Footnotes
-
https://github.com/mouldybread/DCS-6100LH/issues/1 ↩ ↩2
-
https://community.home-assistant.io/t/anybody-hacked-adapted-d-link-dcs-6500lh/412703/6 ↩
-
https://github.com/mouldybread/DCS-6100LH/issues/3 ↩
-
https://media.dlink.eu/support/products/dcs/dcs-6100lh/documentation/dcs-6100lh_qig_reva1_1-00_eu_multi_20201102.pdf ↩
-
https://www.dlinktw.com.tw/techsupport/ProductInfo.aspx?m=DCS-6100LH ↩