Jump to content
teknologs

hikvision ezviz hacked...

Recommended Posts

I bought the camera from china..

 

model: DS-2CD3Q10FD-IW

 

p2p feature did not work ezViz...

 

telnet 192.168.2.111

root

12345

 

setFtpService : enter

 

showServer: enter

# showServer
Enable: 1
LBS dev.ys7.com:8555
DAS 183.136.184.7:6806
MSG invalid
NTP 210.72.145.44:123
ALARM alarm.ezviz7.com:7400
STUN_1 183.136.184.7:6002
STUN_2 183.136.184.3:6003

 

change lbs server:

 

setLBS dev.ezviz7.com:8555 : ENTER

 

 

set lbs server success

 

available ezViz

1.thumb.JPG.ae52e68b634ffce25eb2ebfa3ccc9687.JPG

Share this post


Link to post
Share on other sites

Cool, a couple of questions if I may.

Why "setFtpService"?

Which version of firmware are you on?

FWIW, DS-2CD3XX0 v5.20 already has this enabled.

Share this post


Link to post
Share on other sites

teknologs

Good job!

It's not realy hacked, but very smartly tuned!!!

 

setFtpService - just list the prompt!

 

# setFtpService
Commands Usage

help      :  Printf the command usage list
getIp     :  Get the device's IP address
setIp     :  Set the device's IP address.
            Usage: setIp [IP ADDRESS]:[SUBNET MASK]
              e.g. setIp 192.168.1.10:255.255.255.0
setPort   :  Set the device's command PORT
            Usage: setPort [PORT NUMBER]
              e.g. setPort 8000
setGateway:  Set the device's gateway
            Usage: setGateway [GATEWAY ADDRESS]
              e.g. setGateway 192.168.1.1
setPacketType: Set the stream packet type
            Usage: setPacketType [PACKET TYPE]
              e.g.  setPacketType ps;  setPacketType rtp
getRtpLen :  Get the main stream rtp packet length.
setRtpLen :  Set the main stream rtp packet length.
            Usage: setRtpLen [packet len].
              e.g. setRtpLen 1000.
setDebug : Set debug parm.
             e.g. setDebug -l 2 -m rtsp -d 111
                  setDebug -h
getDebug : Get debug parm.
             e.g. getDebug
                  getDebug -h
debugLog : Print all debuginfo before.
             e.g. debugLog
                  debugLog -h
setV6ip  : Set the device's IP address
            Usage: setIp [IP ADDRESS]/[SUBNET LEN]
              e.g. setIp 2000:1:2:3:4:5:6:7/64
getAgingMode :  Get the aging mode.
setAgingMode :  Set the aging mode.
               Usage: setAgingMode [aging mode].
               e.g. setAgingMode 1.
getAgingTime :  Get the aging time.
setAgingTime :  Set the aging time.
               Usage: setAgingTime [aging time].
               e.g. setAgingTime 60.
setIrcmd  : Set the IR PWM value(0-100)
            Usage: setIrcmd [near] [mid] [far]
              e.g. setIrcmd 100 100 100
setRectFrame: Set the autotrack rectangle frame.
             Usage: setRectFrame [ENABLE].
             e.g.   setRectFrame 1.
getIrstate  : Get the IR PWM value(0-100)
getMcuInfo  : Get the information of Mcu
setFtpService :  Set ftp service state.(start/stop).
setItsMode  : Restart ITS lib after changing scene.              Usage: setItsMo
de [ENABLE](0/1).
InquireFanSwitch:       send Laser Cmd.
               e.g.   InquireFanSwitch .
StartLaser:     Start Laser.
CloseLaser:     Close Laser.
LaserMotReset:  Reset Motor of Laser.
EnlargeCur:     Enlarge electric current of Laser.
ReduceCur:      Reduce electric current of Laser.
SetCur:             Set electric current of Laser.(0~255)
               e.g.   SetCur 150.
LaserMotDirect: Set Motor Direct of Laser.(1~36)
               e.g.   LaserMotDirect 36.
LaserTeleOffset:Tele Offset.(0~255)
               e.g.   LaserTeleOffset 150.
setLaserMode:setLaserMode (0-auto,1-mannual.
               e.g.   setLaserMode 1.
getLaserMode:Laser control mode is 0 (0-auto, 1-mannual)
               e.g.   getLaserMode.
LaserWideOffset:Wide Offset.(0~255)
               e.g.   LaserWideOffset 150.
InqSwitch:  Inquiry Switch of Laser.
InqCurrent: Inquiry Current of Laser.
InqCurMotDirect: Inquiry Current Motor Direct of Laser.
setIrMode:setIrMode (0-auto,1-mannual.
               e.g.   setIrMode 1.
getIrMode:Ir control mode is 0 (0-auto, 1-mannual)
               e.g.   getIrMode.

********************************************************************************
***
showKey        : Get all the keys of civil platform
showServer     : Get all the servers of civil platform
showUpnp       : Get the local and nat port and address
showStatus     : Get the device status of civil platform
showDefence    : Get the defence plan
setLBS         : set the lbs address, e.g. setLBS 123.1.1.1 or set dev.ys7.com:8555
setAlarm       : set the alarmserver address. Usage as setLBS
setWlan:       : set the wifi ssid, just for test config. Usage: setWlan SSID
setdefence  : Set the defence plan
            Usage: setDefence [enable:1] [day:*] [start:hh:mm] [end:hh:mm]
              e.g. setDefence enable:1  day:3  start:7:30  end:13:0

********************************************************************************
***

 

In 5.2.0

#setLBS dev.ezviz7.com:8555
# showServer
Enable: 1
LBS dev.ezviz7.com:8555
DAS 107.21.63.234:6801
MSG invalid
NTP 210.72.145.44:123
ALARM invalid
STUN_1 stun1.ezviz7.com:6003
STUN_2 stun2.ezviz7.com:6004

 

 

In 5.1.6 after tined setLBS

 

# showServer
LBS dev.ezviz7.com:8555
DAS invalid
MSG invalid
NTP 210.72.145.44:123
ALARM alarm.ezviz7.com:7400
STUN_1 invalid
STUN_2 invalid

I tried to configure this in 5.1.6 and 5.2.0. But only 5.2.0 is a menu with EZVIZ.

Probably will have to force to resolve it in 5.1.6, to display a menu, and perhaps in others too it works.

ezviz001.thumb.jpg.2dbe1df49c0bd8f507836734f321d78c.jpg

Share this post


Link to post
Share on other sites

By the way!

In the European version of the IPC on the menu one, and in the Chinese version of the IPC, a little more!

ezviz003.jpg.80a0e116e5d8b9b8a1560db6a7e8c0f7.jpg

ezviz002.jpg.0c4214ec1374df8a8d1b0e51afdd0503.jpg

ezviz004.thumb.jpg.a172eec95c036494824fb9fdb9b115b0.jpg

Share this post


Link to post
Share on other sites

In original chinese version on the same IPC

 

# showServer

Enable: 1

LBS dev.ys7.com:8555

DAS 183.136.184.7:6805

MSG invalid

NTP 210.72.145.44:123

ALARM alarm.ezviz7.com:7400

STUN_1 183.136.184.7:6002

STUN_2 183.136.184.3:6003

 

After

 

# setLBS dev.ezviz7.com:8555

set lbs server success

 

# showServer

Enable: 1

LBS dev.ezviz7.com:8555

DAS 183.136.184.7:6805

MSG invalid

NTP 210.72.145.44:123

ALARM alarm.ezviz7.com:7400

STUN_1 183.136.184.7:6002

STUN_2 183.136.184.3:6003

 

# showServer

Enable: 1

LBS dev.ezviz7.com:8555

DAS 107.21.63.234:6801

MSG invalid

NTP 210.72.145.44:123

ALARM alarm.ezviz7.com:7400

STUN_1 183.136.184.7:6002

STUN_2 183.136.184.3:6003

 

#

ezviz005.thumb.jpg.008aec59e42937a4a5fbe8035ac1d419.jpg

Share this post


Link to post
Share on other sites
I bought the camera from china..

 

model: DS-2CD3Q10FD-IW

 

p2p feature did not work ezViz...

 

telnet 192.168.2.111

root

12345

 

i have the chinese version hikvizion C2/ when i dial my password (root/12345), it doesn't match. can you please tell me the login and password info?

Share this post


Link to post
Share on other sites

model: CS-C2-21WPRF

admin/12345 - too incorrect

 

It's new IPC from Hikvision?

What's firmware version?

Screenshot better!

Share this post


Link to post
Share on other sites

Hi, I tried to set my DS-2CD2032-I with 5.1.6, but the p2p cloud isn't enabled.

 

How I can enable it? I've set the LBS server...

 

 

# showServer

LBS dev.ezviz7.com:8555

DAS invalid

MSG invalid

NTP 210.72.145.44:123

ALARM alarm.hik-online.com:7200

STUN_1 invalid

STUN_2 invalid

 

Please help me...

Share this post


Link to post
Share on other sites
Hi, I tried to set my DS-2CD2032-I with 5.1.6, but the p2p cloud isn't enabled.

How I can enable it? I've set the LBS server...

# showServer

LBS dev.ezviz7.com:8555

DAS invalid

MSG invalid

NTP 210.72.145.44:123

ALARM alarm.hik-online.com:7200

STUN_1 invalid

STUN_2 invalid

Please help me...

 

I tried to configure this in 5.1.6 and 5.2.0. But only 5.2.0 is a menu with EZVIZ.

Probably will have to force to resolve it in 5.1.6, to display a menu, and perhaps in others too it works.

 

 

I tried to configure this in 5.1.6 and 5.2.0. But only 5.2.0 is a menu with EZVIZ.

Probably will have to force to resolve it in 5.1.6, to display a menu, and perhaps in others too it works.

 

You do not carefully read the upper posts!

Only works in 5.2.0.

In 5.1.6 it is necessary to study in detail the issue.

Share this post


Link to post
Share on other sites

Ok, EZVIZ isn't avaible in all 5.1.6 cameras (CH-US and EU versions)?

 

My Cam is chinese with english menu and if I update the firmware it will be in chinese...

 

I would mantain english menus

Share this post


Link to post
Share on other sites
Ok, EZVIZ isn't avaible in all 5.1.6 cameras (CH-US and EU versions)?

In 5.16 you would have to also enable the menus as they don't display until 5.20.

I have no idea how this is done but the API calls (ISAPI Image Service manual located on the disc) may give a clue.

Share this post


Link to post
Share on other sites
I bought the camera from china..

 

model: DS-2CD3Q10FD-IW

 

p2p feature did not work ezViz...

 

telnet 192.168.2.111

root

12345

 

setFtpService : enter

 

showServer: enter

# showServer
Enable: 1
LBS dev.ys7.com:8555
DAS 183.136.184.7:6806
MSG invalid
NTP 210.72.145.44:123
ALARM alarm.ezviz7.com:7400
STUN_1 183.136.184.7:6002
STUN_2 183.136.184.3:6003

 

change lbs server:

 

setLBS dev.ezviz7.com:8555 : ENTER

 

 

set lbs server success

 

available ezViz

 

after rebooting the device, setting lbs server is reset to dev.ys7.com:8555, p2p feature did not work ezViz ...

how to set up ezviz?

model: DS-2CD3Q10FD-IW

Share this post


Link to post
Share on other sites
Default is admin/12345

model: CS-C2-21WPRF

 

admin/12345 - too incorrect

 

i have the chinese version Ezviz (hikvision) C2/ when i dial my password (admin/12345), it doesn't match. can you please tell me the login and password info?

Share this post


Link to post
Share on other sites

after rebooting the device, setting lbs server is reset to dev.ys7.com:8555, p2p feature did not work ezViz ...

how to set up ezviz?

model: DS-2CD3Q10FD-IW

 

Before rebooting

setLBS dev.ezviz7.com:8555   : ENTER

It's work???

Share this post


Link to post
Share on other sites

Before rebooting

setLBS dev.ezviz7.com:8555   : ENTER

It's work???

 

what I'm doing:

# showServer
Enable: 1
LBS dev.ys7.com:8555
DAS 183.136.184.7:6817
MSG invalid
NTP 210.72.145.44:123
ALARM alarm.ezviz7.com:7400
STUN_1 invalid
STUN_2 invalid

setLBS dev.ezviz7.com:8555   : ENTER

# showServer
Enable: 1
LBS dev.ezviz7.com:8555
DAS 107.21.63.234:6801
MSG invalid
NTP 210.72.145.44:123
ALARM alarm.ezviz7.com:7400
STUN_1 183.136.184.7:6002
STUN_2 183.136.184.3:6003

ezviz is working properly

 

After rebooting - ezviz not working

# showServer
Enable: 1
LBS dev.ys7.com:8555
DAS 183.136.184.7:6817
MSG invalid
NTP 210.72.145.44:123
ALARM alarm.ezviz7.com:7400
STUN_1 invalid
STUN_2 invalid

Edited by Guest

Share this post


Link to post
Share on other sites

There seems little information about ezviz. I understand this is basically a security wrapper to access hikvision cameras as opposed to a VPN. Do OEM, non-Hikvision branded cameras work with this? I ask because I see on the website for setup it wants a camera serial number or something and I am wondering if a non-Hikvision brand will work. I am guessing no (?).

 

Does it work with any 5.2.0 hikvision camera, or just a couple of their indoor ones?

Share this post


Link to post
Share on other sites

In the Chinese IPC version is selected dev.ys7.com, and in the European dev.ezviz7.com. I saw this in the code davinci.

Firmware 5.2.0 is multilanguage and for a series of IPC is quite different than the raptor 2XX2 or 3XX2.

A patch for this series and other Chinese equipment variants DS-2CD1XXX

DS-2CD2XX0, has already been made and already rebuilt custom firmware. These firmware 5.2.0 - Multilanguage.

The only thing that confuses me a little, so a processor of the IPC HI3518 !!!

Share this post


Link to post
Share on other sites

In the Chinese IPC series DS-2CD3XX0 is selected dev.ys7.com, and in the European dev.ezviz7.com. I saw this in the code davinci.

Firmware 5.2.0 is multilanguage and for a series of IPC is quite different than the raptor 2XX2 or 3XX2.

A patch for this series and other Chinese equipment variants DS-2CD1XXX

DS-2CD2XX0, has already been made and already rebuilt custom firmware.

The only thing that confuses me a little, so a processor of the IPC HI3518 !!!

Share this post


Link to post
Share on other sites

You can easily solve the issue of the "wrong" server domain by doing this at the DNS Level..

 

I am not sure of the capability of a consumer based router, I have done this in PFSense..

 

256451_1.png

 

This works great on all my cameras but one... And the issue is unrelated to the server but to the "Key"

 

The Challenge code / permanent code are both blank.. this should have "ABCDEF" in order to connect with ezviz. Anyone know what's wrong?

 

# showKey

challenge code:

operation code: 32xxxxxe-4xx4-1xx4-xx00-e4dxxxxxxdc

authorization code: 4db0xxxxxxxxxxxxxxxxxxxxxxxxx2a0

command key: 5f1ffxxxxxxe450d

permanent code(disable):

# date

Sat Sep 27 15:23:16 UTC 2014

#

 

# showStatus

device type long: DS-2CD2132-Ixxxxxxxxxxxxxxxxxxxxxxxxxx

device type: DS-2CD2132-I

device type display: DS-2CD2132-I

Registered : yes

last register time: Sat Sep 27 14:40:17 2014

protocol version: 1.7

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×