Dahua for time lapse imaging?

[mroek 0]

Hi,

 

I have some Dahua 2100 bullets on order, and I would like to be able to fetch images from them at regular intervals (i.e time lapse), and have the images stored on a Synology NAS. I've read the camera manual, but it isn't entirely clear whether this can be set up from within the camera itself. Is it possible to set up the camera to upload a snapshot image to a FTP-server at, say, 1 minute intervals?

 

If not, then I could possibly set up a script with wget on the Synology to download the images from the camera snapshot URL. Has anyone tried that method? What does the camera actually return at the URL:

 

http://ip-address:9988/onvif/media_service/snapshot

 

Does it give you a JPEG-image?

 

Any insight appreciated.

[buellwinkle 0]

Don't have a clue if you can have it FTP snapshots on a schedule, like every 5 minutes. Nothing on the interface allows for that. You can FTP snapshots on motion detection or alarm input.

 

Using the URL you provided displays an image on a web browser. You can right click on the image and it saves as JPG.

 

They have an API so you can write a .net app to do what you want to do. Check the Bahamas Yellowpages forum, they have more info on this.

[Razer_SE 0]

I too want to do a time lapse on a construction project we are doing now. I have two ACTi TCM-1111 cameras but I'd prefer to store the images locally on the DVR if at all possible as the internet connection comes and goes at times. Cameras are already setup and working with Exacq on the property. Have to look in the cameras and see what my options are for doing a time lapse.

[mroek 0]

Don't have a clue if you can have it FTP snapshots on a schedule, like every 5 minutes. Nothing on the interface allows for that. You can FTP snapshots on motion detection or alarm input.

 

Using the URL you provided displays an image on a web browser. You can right click on the image and it saves as JPG.

 

They have an API so you can write a .net app to do what you want to do. Check the Bahamas Yellowpages forum, they have more info on this.

Thanks!

You have reviewed quite a number of Dahuas, so if it was possible from the interface I'd imagine that you'd have noticed.

 

My other plan should work, though. A script on the Synology NAS that invokes wget to retrieve snapshots from the camera should be feasible, I think. Perhaps even a better solution, since it would require no special configuration of the camera itself.

[dexterash 0]

It can be done

 

Just make sure you'll get the NAS settings correctly!

[GMaster1 0]

There any way to FTP/Telnet into the cam to remove that snapshot link feature? Kind of scary!

[mroek 0]

It can be done

 

Just make sure you'll get the NAS settings correctly!

Thanks! The interval you can set seems to range from 1 second to 1 day, which is fine. Is this feature available on all the Dahuas? Which camera/firmware was that interface screenshot taken from?

[mroek 0]

There any way to FTP/Telnet into the cam to remove that snapshot link feature? Kind of scary!

I don't know, but I agree that it should be possible to turn it off (or protect it by user/pass). However, the feature will not be available outside your LAN as long as you don't port-forward the port it uses. And if you need it to be invisible on your LAN, you could always block access in your firewall/router.

[GMaster1 0]

See--and I thought that too until I tested mine from the outside. Only ports that are forwarded to it are the web port, 37777, and 554. It must be using the web port, as I can get the result by going "http://[WAN_IPP]/onvif/media_service/snapshot" (No 9988)

[mroek 0]

See--and I thought that too until I tested mine from the outside. Only ports that are forwarded to it are the web port, 37777, and 554. It must be using the web port, as I can get the result by going "http://[WAN_IPP]/onvif/media_service/snapshot" (No 9988)

Hmm, that's not good.

I agree it has to use the web port, since when you omit a specific port number in the URL the browser will default to port 80.

It does seem to me as if the security aspect of these cameras isn't well taken care of. I don't have any cameras yet, but I have a shipment on it's way, and when I receive them I am going to look very closely at these things. I most certainly do not want to allow the entire internet to fetch snapshots from my cameras.

 

On a related note, I tried this with some online demo cameras that I found, but it didn't work. Could be because those had the web interface redirected to a different port. What did work, though, was to connect to it via Onvif Device Manager using admin/admin as user/pass. From there I could do lots of stuff, like reboot/reset/update firmware etc. Didn't actually do anything, of course, but I probably could have.

 

I gather that this would not have worked if the admin user had had a real password, but I'm not sure.

[GMaster1 0]

Just tried that app... Scary results.

 

(OP - Sorry to hijack this thread with a different discussion haha)

[mroek 0]

Just tried that app... Scary results.

 

(OP - Sorry to hijack this thread with a different discussion haha)

Well, I'm the OP, and I don't mind.

It is scary, no doubt. Not really sure what can be done about it either.

 

Did you test with Onvif Device Manager and just using admin/admin on your own camera, and got access?

[GMaster1 0]

Oh--hello OP, I'm inattentive haha.

 

The device mgr app auto-discovered and did not require logging in. I did not enter my (custom) admin password in. Was able to play around with a lot of features, but thankfully when I created a new admin user, it did not apply to the cam despite saying that it did in the app.

 

The :554 RTSP stream did not function due to that being PW protected I'm assuming.

 

Just installed the app on an off-site server and tested inbound... more sad news.

 

You can change network settings, video adjustments, etc.

 

I'm fairly pissed off now actually. Why does every manufacturer leave some type of hole/vulnerability?? Some things are yada yada--like end-users not changing default passwords and whatnot.. But what about people who genuinely know what they are doing with this stuff? Why should they have to fix these hidden flaws every time they install a new cam?? Some of them are blatantly obvious issues too, but the mere fact that you have to act like a hacker to FIX security flaws on a device that literally has "security" in its name is a joke.

 

Dahua, you're on my poop list now..

[dexterash 0]

You have to understand one thing: problems/bugs do appear in any product (even if it's Microsoft or Apple), so they release updates and fixes

 

Also, there are some sellers that do not have latest firmwares or, if they do have, they do not have "time" to update the products to latest firmwares (reducing costs).

 

This is why DAHUA only recommends to buy from trusted & recognized sellers, not through any channel (aliexpress, ebay etc).

 

Another thing can happen. DAHUA releases a beta-firmware for testing purposes by their well-known clients (to review them, test, request features, etc). The client says "oh, good, a new nice firmware, let's make it available to the public". So the buggy firmware is made available to all and the final-clients update their firmwares( for "new features") to buggy firmwares. As you can see on this forum too, there are people that make available any firmware they find on Internet or anywhere else, as a "latest firmware". It's a very bad bad practice!

[GMaster1 0]

I get the idea of firmware bugs/flaws. My underlying point I guess is that I would rather have a limit in features compared to not enough attention spent on developing secure layers (for this product/market). Other markets you can get away with spending more time/resources on fancy buttons and features to assist in selling something (Like a web enabled TV that needs firmware.. Not too concerned about security vulnerabilities there).

 

I agree the distribution of firmware is insanely peculiar with Dahua.

 

So--what to do next? Is there a way I can delete or rename directories via Telnet to make this ONVIF and snapshot thing go away?

[dexterash 0]

99.99% you can't, since DAHUA uses a single executable to start all services (thus you cannot kill a service, modifiy a service's configuration files etc)

 

A good way would be to ask you seller for an older firmware

[buellwinkle 0]

Yes, there's no security for that snapshot feature and no it doesn't work on all Dahua cameras, depends on the firmware release.

 

And yes, you can telnet into the camera and it has it's own user/password, not one you can set, (Oh snap, he didn't just divulge another security hole). The problem is you can't change much because it's a compressed read only file system that contains the code, believe me, I've tried but didn't push it to the point if bricking the camera. You would have to find a way to decompress onto the SD card, change the code and compress and move it back but the decompressor and compressor commands are not on the camera.

[GMaster1 0]

All good points and thank you both for the input.

 

I was thinking about making a shout out earlier to the telnet login issue, but thought "ehh it's overkill" haha. Thank you for the verification that it is a read-only setup. Was just about to google around for that answer.

 

As reference, I'm on this firmware for the cam I'm testing:

 

Software Version 2.103.0000.0.R, build : 2012-07-24

WEB Version 3.0.0.0

 

If I go back to an earlier version than this, don't I run into image issues?

[mroek 0]

99.99% you can't, since DAHUA uses a single executable to start all services (thus you cannot kill a service, modifiy a service's configuration files etc)

 

A good way would be to ask you seller for an older firmware

In general, newer firmwares should be better than older, and I feel quite strongly that Dahua should tighten up the security a little on these things.

 

Regarding the snapshot issue, GMaster1 reports that on his firmware, it works on the web port, but in generel it looks like it should only work on a specific port (9988). Could anyone confirm if that feature is restricted to port 9988 on the newest firmwares? If so, it will at least not be available on the WAN side unless this port is forwarded.

[dexterash 0]

9988 is a default port for the OnVif server.

 

In newer firmwares, DAHUA included it in it's 80 port server.

 

For security reasons, anyone can use only port 37777 (without forwarding 80 too).

[mroek 0]

9988 is a default port for the OnVif server.

 

In newer firmwares, DAHUA included it in it's 80 port server.

 

For security reasons, anyone can use only port 37777 (without forwarding 80 too).

Ok, but that means if you forward port 80, then anyone will be able to access the Onvif-server of the camera?

 

Does the web interface server listen to port 37777 also? So if you forward that port, you can access the web interface but still be protected by the user accounts (provided you have proper passwords on all of them)?

 

On a related note, I took a quick look at a Dahua firmware file that I downloaded, and it contained a number of file system images (squashfs and cramfs), so I guess that it might be possible to pre-modify a firmware to change both default passwords and other stuff. Of course, these images will be mounted on some flash memory in the camera, so it might be possible to modify stuff by manipulating the flash directly, perhaps with the dd command (if it is included).

[dexterash 0]

Ok, but that means if you forward port 80, then anyone will be able to access the Onvif-server of the camera?

Up to a point, yes (at least, with that firmware)

 

Does the web interface server listen to port 37777 also? So if you forward that port, you can access the web interface but still be protected by the user accounts (provided you have proper passwords on all of them)?

No, but dedicated software (like PSS) can be used to access port 37777 and display images & etc.

 

On a related note, I took a quick look at a Dahua firmware file that I downloaded, and it contained a number of file system images (squashfs and cramfs), so I guess that it might be possible to pre-modify a firmware to change both default passwords and other stuff. Of course, these images will be mounted on some flash memory in the camera, so it might be possible to modify stuff by manipulating the flash directly, perhaps with the dd command (if it is included).

 

Yes, the root password can be changed (after figuring the right hash algo). Other stuff... well, not! As i stated, DAHUA uses one single app to handle all, so there is little hope to modifiy anything. The only "public" files are the webserver's content, some config files for DAHUA (in proprietary format) and branding. All are readonly, separated partitions, except a small partition used for storing config.