Everything posted by SergeiF

  1. Hi, (Correct me if I am wrong): As many of you are aware, newer Dahua cameras do not come with a reset button to reset them to factory defaults (or at least reset the password). Since the admin password is part of the telnet password, if the admin password is forgotten and other users have also been deleted, it is not possible to reset the camera at home without RS232. What I found out is that Dahua has an internal password reset tool (ConfigCleaner). I would love to get my hands on it to reverse engineer it and make an open source friendly script (since I don't run Windows, apart from a test virtual machine used to reverse engineer Windows-only tools). Here is a proof of concept for Hikvision: http://sergei.nz/reverse-engineering-hikvision-sadp-tool-now-with-script/ Why? Because I would like to actually own my hardware. One day we will have an Open-WRT/DD-WRT/Tomato open router firmware equivalent for IP cameras which will free us from the crappy, insecure firmware hell that the IP camera market is (FFS, why is ActiveX still used???). Any friendly Dahua resellers/employees here? I promise not to publish the actual tool (only the result from reverse engineering, which is perfectly legal).
  2. Nope, but I am interested to find out. Is there a "document" of the whole process?
  3. How about I turn your not so real copyright issue around (modifying camera firmware that you own should be covered under fair use). It is Dahua who breaches copyright. The Linux kernel and other software that runs the camera is copyrighted under GPL2/3 licences, which stipulate that whatever modifications to the code (which they do) should be available upon request. Good luck getting kernel sources from Dahua. In fact, if Dahua was not so greedy, we would probably have much better firmware to start with. Market segregation is stupid (short term gains, long term loss). To be honest, if there was a project like Open-WRT/DD-WRT/Tomato for IP cameras I would rather use that instead of Chinese backdoored firmware. I am located in NZ, where the hell am I supposed to buy official Dahua? I tried that with Hikvision and got quoted $800 for an $80 camera on Aliexpress. Regarding non-genuine cameras: the majority of Dahua/Hikvision cameras on Aliexpress are genuine (you can tell by pulling them apart and poking around the internals). I have purchased numerous cameras on Aliexpress and have yet to buy a fake (fakes are normally unbranded). Regarding the statement about reliable and secure: Dahua, Hikvision and most if not all Chinese IP camera manufacturers don't make reliable or secure products. I am yet to find a single brand (or model) that is not full of backdoors, hardcoded credentials, obtuse password recovery methods. For a security product they surely suck at making the camera secure. As an amateur, what I have discovered in my own time is just the tip of the iceberg of what a properly motivated security "researcher" can discover. Just look at all the CVEs for these cameras. P.S.: Copyright violation is not theft by definition.
  4. Hello there, Does anybody know the telnet password for the Dahua IPC-HFW4300S? It is not root/vizxv, even though the md5crypt hash appears to be so in /etc/passwd. I took the firmware image and dug around, but could not find anything other than vizxv. The hash in /etc/passwd (from the firmware image): $1$jSqQv.uP$jgz4lwEx2pnDh4QwXkh06/:vizxv If anyone is interested, this is how I extracted this hash (and cracked the password): http://sergei.nz/extracting-password-from-dahua-firmware-image/ http://sergei.nz/exploring-dahua-firmware/ But for all these efforts it looks like telnet is not accepting vizxv. I looked at the strings in telnetd on the firmware and it references /mnt/mtd/Config/passwd, which is not on the firmware.... Regards. Sergei.
  5. Yay, I am in, after resetting to admin it worked. I should try the following combination: admin/7ujMko0{new_password} as I assume it expects 7ujMko0 appended to the password... Update: it worked!
  6. Interestingly enough, I found the 7ujMko0 string hardcoded in the telnetd binary on the firmware. I have just tried telnet admin/7ujMko0admin and root/7ujMko0admin with no luck. I will try to reset the password to admin, to see if that makes any difference...
  7. Hello there, I have recently purchased a Hikvision DS-2CD2032-I (firmware version 5.2.0, English). It is connected via a gigabit TP-Link PoE switch (also recently purchased). When the stream is captured with ffmpeg (or avconv) I get occasional stream errors. The errors get worse once the camera has an uptime of more than 1 day. I noticed that after a while the loadavg on the camera climbs from 4-5 to 8-10. Even loadavg 4 is a bit high to start with. My airvision camera sits at a loadavg of about 0.2. When used with a UDP rtsp stream (default) it is unusable (almost every frame dropped or corrupted); when used with TCP (-rtsp_transport tcp) the stream is almost perfect until it is not. The specific errors are the following:
     ...
     [h264 @ 0x20fdd20] error while decoding MB 71 13, bytestream -22
     [h264 @ 0x20fdd20] concealing 6578 DC, 6578 AC, 6578 MV errors in I frame
     ....
     [h264 @ 0x20fd4a0] Cannot use next picture in error concealment
     ....
     [h264 @ 0x20fdd20] left block unavailable for requested intra4x4 mode -1 at 0 62
     ...
     [h264 @ 0x20fee20] cabac decode of qscale diff failed at 89 48
     ...
     While the errors are happening I get corrupted video... When pinging the camera there is no packet loss. After rebooting the camera the errors go away for a while and the load average hovers around 4. I do not get any errors with my airvision camera.... The camera is used with my own Python motion detection script; it basically watches the second stream for motion (using OpenCV) and captures the main stream with ffmpeg. I have tried avconv (fork of ffmpeg out of the Ubuntu repository) and compiled the latest ffmpeg, same result. Any ideas what I can do? Also, is there any open source firmware for IP cameras (like open-wrt, dd-wrt, tomato, etc. for routers)? The web interface is completely useless in a Linux environment.