Hacking the Dericam H502W - Gadget Victims


Hacking the Dericam H502W

The Maygion H264 IP Camera is a very open device with great customization potential.
This article contains some examples of hacks that enable telnet, load an alternate ftp daemon, extract
information, etc...
If keeping the camera under guarantee is no longer a concern for you, please read on... (-:





Important Notice:
Before performing any firmware change, make a backup of the firmware files, including the board.dat file,
and make yourself familiar with the recovery options. Proceed at your own risk, or don't...


This post is based on the information found in macmpi's post on forum.hardware.fr

Basics:
The /app folder contains typically 3 files loaded when the camera is powered on:
cs -> the main firmware application file
cs.def.ini -> the default config file
cs.ini -> the current config file loaded by cs

A universal way to talk to the camera is to replace its cs file with another one containing a valid script, such as the following that loads the telnetd daemon:

#!/bin/sh
# copy the startup script into /tmp/eye/app/
cp /etc_ro/rcS /tmp/eye/app/.
# start the telnet daemon in the background
cd /bin
telnetd&

Once terminal access is possible via telnet, the possibilities are endless: change the services loaded at startup (including telnetd itself) via the file /etc_ro/rcS, or use a different ftp daemon (MayGion unlimited fd, or restricted ftpd).
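As an added example (not part of the original post or of the Hackmaster files), the check below runs on a workstation against files copied off the camera: it tells whether cs is still a binary or has been replaced by a script, and lists the telnet/FTP daemons a script (a replaced cs, or a copy of /etc_ro/rcS) would start. It assumes the stock cs is an ELF binary and that FTP daemon names end in "ftpd"; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Run it on a workstation
# against files copied from the camera (e.g. an FTP backup of /app).

# classify_cs FILE: print "elf", "script" or "unknown" from the first bytes.
# Assumption: the stock cs is a compiled ELF binary.
classify_cs() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # 0x7f "ELF"
        2321*)    echo script ;;   # "#!": a script sits where the binary should be
        *)        echo unknown ;;
    esac
}

# list_remote_daemons FILE: print, one per line, the telnet/FTP daemons
# that a shell script would start.
# Heuristic: comments are dropped, commands are split on ; & |, a leading
# path or "busybox" applet prefix is ignored, and any command name ending
# in "telnetd" or "ftpd" is reported (the "ftpd" suffix is an assumption).
list_remote_daemons() {
    sed -e 's/#.*$//' "$1" | tr ';&|' '\n\n\n' | awk '
        NF == 0 { next }
        {
            cmd = $1
            sub(/^.*\//, "", cmd)
            if (cmd == "busybox" && NF > 1) cmd = $2
            if (cmd ~ /(telnetd|ftpd)$/) print cmd
        }' | sort -u
}

# write_sample_cs FILE: constructed sample, the telnet enabler script
# from this article written out as a replacement cs.
write_sample_cs() {
    printf '%s\n' '#!/bin/sh' 'cp /etc_ro/rcS /tmp/eye/app/.' \
        'cd /bin' 'telnetd&' > "$1"
}

sample=$(mktemp)
write_sample_cs "$sample"
echo "cs type: $(classify_cs "$sample")"
echo "starts:  $(list_remote_daemons "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

A cs that classifies as "script", or an rcS copy that lists telnetd or an ftp daemon you did not enable yourself, means the camera is offering remote access beyond its web interface.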


Hackmaster...

The hacks below are an extension of this simple idea.

The files must first be renamed to app.bin so they can be installed like normal application updates from the IP Camera interface. Each file has a specific purpose, and the System Information panel shows which ones are active:
http://goo.gl/9K1ge 

inject.bin: This is the "Hackmaster" module, which opens the camera to further hacking via the other files below. It is based on fw v.5.60 but will remain active after a traditional firmware update. It is reversible thanks to a clean-up file also provided.  

tnt.bin: Enables the telnet daemon.

bbx.bin: Installs the latest full Busybox, which provides a more complete set of Linux commands. It requires Internet access to work. Check the log under /tmp to verify whether the installation was successful.

ocx.bin: Removes the ocx2.exe file from /www (saving 600KB of space), and provides Internet access to this file instead.

mSD.bin: Mounts the SD Card for access via FTP (e.g. ftp://user:pass@IP/app/SD). The status of the SD mount is logged under /tmp.

ftM.bin: Enables the unrestricted MayGion FTP daemon (login: MayGion, password: maygion.com).

ftB.bin: Enables the basic FTP daemon, which uses the admin login.

log.bin: Generates a log file in /app. Can be helpful for troubleshooting. Since it's only occasionally needed, it will self-destruct on restart.

no_hack.bin: Removes all the hacks but leaves the enabler intact (i.e. Hackmaster).

clean-up.bin: Cleans up all traces of hacks (including the Hackmaster), and restores the camera to its normal state.

The HackMaster files can also be obtained from the original article: Forum.hardware.fr



47 comments:

Unknown said...

I have completed installing all hacks and can access FTP files with the MayGion account. However whenever I try to edit the file /etc_ro/rcS or any other ftp change, this stays until the camera is on. When it is rebooted all files that I have edited get deleted. How should I edit rcS? All I am trying to do is completely shutdown wireless since this cam is going in a baby room. (Have found out that the telnet command ifconfig ra0 down brings down the ralink interface and no radiation is emitted from the camera)

Bubbah said...

I haven't played with that hack for a while now, the best would be to visit the dedicated topic on this forum:
http://forum.hardware.fr/hfr/HardwarePeripheriques/webcam-camera-ip/unique-ipcam-sdcard-sujet_58053_1.htm

It's mainly in French but the creator of the hack understands English, so you'll get a reply there.

Unknown said...

So - having bought an IPCC-B10 IP camera for my QNAP NAS Surveillance System and found it works very well for continuous recording under its ONVIF feature set - I haven't been able to get motion detection recording working. Despite getting updated firmware from IP Cloud Camera, and even flashing it with the AM-Q6320 firmware linked on this site, and some poking around in its internals.
Based on checking out the user manual for the Dericam H502W, which shows it features a couple of motion detection actions which could be used as recording triggers on the QNAP SS Pro - an FTP action that includes specifying a destination folder (unlike that on AM-Q6320 and IPCC-B10) and an HTTP action, and the positive words here, I bought an H502w to experiment with. Confident it would work well.
It's actually a pretty good camera in terms of video quality and features. It streams well and reliably via VLC, ONVIF DM, its own live view - but annoyingly it only occasionally connects to SS Pro on my NAS box, using the various ONVIF flavours and even the Generic RTSP choice. And multiple versions of SS Pro.
I have to believe the problem must subtly lie with the QNAP H.264 decoding - though it works AOK with the IPCC-B10.
So I've got one camera that I can use for continuous recording but no motion detection, and one that can do motion detection but only very erratic recording.
Does anyone know how I can squeeze the two together to make one perfect unit?

Unknown said...

Bubbah - have you successfully connected the H502W to your Synology SS, and does it stream steadily and reliably?

On my QNAP NAS, using either the ONVIF or Generic RTSP camera selection, the camera connects OK, streams for 10-15 secs, then stops.
The QNAP NAS times out, and then reconnects and the cycle repeats.

I have looked at network captures of the traffic between the H502W and the QNAP NAS, and believe the problem is caused by a flow control issue in the TCP stack on the H502W causing an incompatibility with the QNAP NAS.
During the initial RTSP/TCP SYN handshake, the QNAP NAS offers a TCP window size with an 0x5 scale factor. The H502W ignores this and for all streaming uses a small TCP window size with 0x1 scale factor.
After about 15secs the window size drops and the camera issues an 'end of data' ack packet, streaming stops.

I've dropped a query on the Dericam Tech Support forum, and sent an email to Maygion to ask if firmware development is still active and for any updated versions.

I'm quite tempted to try 'hackmaster' and see if I can mess with any network interface settings that might resolve this problem, though for me that's relatively unexplored territory.
But might be interesting ...

Bubbah said...

That reconnection cycle rings a bell, I've had that in the past with an older firmware version. Currently I see no more disconnection logged from either H502W I use on SS. The last firmware was published in November 2013 by maygion.com and I don't think there will be any other. If you go the hackmaster route -which would give you total control over the ip cam- just check forum.hardware.fr in case there's any newer version, I lost track of it.

Unknown said...

OK, ta, I'll see if there are any clues on the French forum.

Unknown said...

So from the Dericam Support forum and email, I made contact with Peter from Tech Support.
He gave me a camera internet address to connect my QNAP SS Pro to - and it streamed OK, steadily with no breaks. I had a quick look around the camera. Different, newer firmware, almost the same user interface. Great! We're testing out updated firmware, it's going to be OK.
But no - the subsequent email exchange explained that the camera I connected to was an early version of the soon-to-be-released H503W. This has a new improved DSP, it supersedes the H502W which has been discontinued. He confirmed the H502W is not compatible with the QNAP NAS SS Pro.
So from the anticipation of a nice fix to the disappointment that there isn't one and won't be.

Started down the Hackmaster route with the intention of messing with the TCP config, but hit some inconsistencies which I'll get back to later.

Because I've got a couple of distractions that arrived today - a Vanxse B-811 (£22 off Aliexpress!) and an Amovision AM-Q645R mini dome camera off eBay.

Bubbah said...

I see that Cybernova also released the same model. I hope they also finally used servo motors because the PTZ accuracy was quite poor.
Have fun with your new IPCs!

Unknown said...

Away from home just now so no chance to play with the new gadgets.
But a quick look showed the Vanxse B-811 seemed quite different from the Amovision models. An unusual and different UI, no FTP or email actions - probably because of no motion detection. A surprise as was a claimed feature. I'm having a dialogue via Aliexpress.
I'm reluctant to flash the Amovision firmware on it - unless you know someone who has done this.

Unknown said...

Well I finally managed to convert my H502W into an ornament. Permanently. It now stays completely silent on the network and doesn't offer a listening ear on the FTP recovery socket. Or any other.
I was analysing why the RTSP stream to my QNAP NAS connects for a few 10s of secs then stops, then gets restarted etc.
Pretty sure I narrowed it down to the strangely anomalous session timeout value of 'PT0H1M26.400S' configured in the ONVIF video encoder profiles. ONVIF spec mandates it to be PT0S.
So I thought, quite ridiculously optimistically, that if I delved round in the MTDBLOCKn contents I might just find where the value is defined.
And in going through the various blocks and getting some errors mounting them as ffs2 it looks like I managed to permanently unmount one used early in the boot process.
Oh well - it was fun anyway, and I did learn a few things along the way ...
And what about that strange session timeout value? What's that all about? PT0H1M26.400S That's 86.400S, one thousandth of the number of seconds in a day. Most odd.

Bubbah said...

It's quite a challenge to brick this camera, and I've tried. It's actually the only camera for which I dare updating the firmware via Wi-Fi. Did you check my recovery article? I'm pretty sure it's recoverable.

Unknown said...

Yep - sniffed the traffic at power-on - there is none, not even broadcasts. When part bricked it looks for 192.168.1.3 for example as a potential FTP saviour.
NMAPped the LAN, IP and UDP. Nothing relevant showing.
I think what did it was when I unmounted MTDBLOCK5 from the tmp/newfolder where I'd mounted it, to find it just had the app and www folders. And then issued a reboot.
I asked the guy at Dericam if he would send me a control board - but no.

Anonymous said...

Hi Alastair.
Did the same thing messing around with MTDBLOCKn (mounting, etc), ...to same result after reboot: killed the board for good. Was not sure of the reason, but reading your story, it's pretty much similar. At that point I had a SD card in the unit and it became very hot. Actually the CPU was becoming very hot after the incident.
However Dericam did send me a spare motherboard, after a couple of remote debug sessions which led nowhere. H502W have 2 years guaranty so...
Note that I did not tell them the full story on how it happened...

Unknown said...

So how did you convince Dericam to send you a new motherboard? Presumably you stated (quite correctly) that the camera was no longer working ... Maybe I should try that, especially as I believe there is new firmware that fixes the RTSP timeout issue.
I also tried a TTL-RS232 cable on the 3 pads on the main board, and 2 minuscule ones on one of the ICs, but couldn't find a serial Linux TTY, probably just a JTAG port.

Anonymous said...

Yes indeed, just said it stopped working and became very hot. Usual methods to recover did not work. Tools won't detect it on the network, etc...
I need to check if QNAP SS works with 6.40, have not checked yet.

Unknown said...

Well, Dericam tech support have been pretty helpful to me too after I asked for a replacement board under warranty.
After the expected recovery suggestions, I sent a photo of the test hookup showing a non-responsive camera, and he sent me a replacement main board.
The camera is now working again, it was loaded with newer firmware, and no longer has the RTSP connect/disconnect/reconnect flaw, and ONVIF is a little better. But FTP is flaky and unusable. But the camera works, that's the main thing.

Anonymous said...

Great!
Are you on 6.40 from Maygion or newer ?
Try to activate Maygion FTP with Hackmaster, if you are stuck with baseline FTP.
Are you going to try to poke with MTDBLOCK again?... I did not. :)

Anonymous said...

BTW, if newer than 6.40, save it (/app/*) prior to eventually installing Hackmaster, so that we can have it to restore & use. Nothing post 6.40 is publicly available so far.
Hum...saving it without FTP would be a challenge though... chicken&egg situation.

Unknown said...

The current firmware (or at least the ini / conf file that describes it) is labelled Dericam, so I'm not sure where it is relative to the Maygion 6.40
"Software Version: H.264 14.07.12.63
Web Version: 14.07.12.52(Dericam h.264)
Firmware Build Date: Apr 7 2014 18:16:02
OCX/Plugin: 20140128"
Unfortunately the only FTP command I've found to work is 'cd'. All others terminate the FTP process, needing a reboot.
At the moment I'm a bit averse to another Hackmaster injection - in case there is now some protection against it.
However - as part of the fault verification, Dericam Tech Support sent me a 'cs' file, plus the cs.def.ini conf file, which has the same version string as above.
This can be downloaded here if you wish to take a chance ...
https://drive.google.com/file/d/0ByOOL4RskWFLanNHZ1M4UHp2TXM/view?usp=sharing

Anonymous said...

Download seems to be forced in text mode, so file gets "corrupted" in transfer. Anyhow Dericam changed to its own release numbering some time ago. Looking at Build date, it looks like it is older than 6.40 from Maygion (must be around 6.16.3).
Fact is, due to core firmware structure (the one that can't be modified), they can not "protect" against Hackmaster: so it is safe.
Worst case, you can still restore your firmware with IPCamTool.exe, or IPCamRepair.exe: you would just need to reconstruct app.bin by putting your cs and cs.def.ini into an "app" directory, and apply makebin.exe onto that directory.
You may contact macmpi on forum.hardware.fr referenced in the original article. ;)

Unknown said...

A file compare with the original after download was fine.
If the Maygion 6.40 is newer I might just have a go. You are right about the IPcam tools - that's another method for getting out of a hole.

Anonymous said...

6.40 build date is: Aug 27 2014 15:23:15
Very stable & fine with Hackmaster.
Does the replacement motherboard give you telnet access by default?

Unknown said...

Nope - no telnet access by default in the Dericam Software Version: H.264 14.07.12.63
Web Version: 14.07.12.52(Dericam h.264) Firmware Build Date: Apr 7 2014 18:16:02
I think I'll do the 6.40 Maygion update, based on your info.

Unknown said...

I updated the H502W with the Maygion 6.40 firmware - all is OK.
You are right - this is a newer build date than that Dericam supplied on the replacement board.
Software Version: H.264 6.40
Web Version: ipcam(2014.08.27)
Firmware Build Date: Aug 27 2014 15:23:15
OCX/Plugin: 20140128

Anonymous said...

Is QNAP SS any better?
Is baseline FTP more stable?
Re: telnet, this is not app.bin stuff, so it can not be dealt with through a firmware update. This is motherboard's core firmware dependent. If not available on your motherboard, only Hackmaster can enable it.

Unknown said...

The camera streams OK now on QNAP SS Pro, no more connect/disconnect sequences.
Baseline FTP is working fine using Internet Explorer 11 / Windows 7 Explorer, but is still unreliable using Win7 command line FTP.
And the camera connects OK using both a generic RTSP/TCP and ONVIF connection to my newly-delivered Hikvision 7816N-E2/8P NVR. Looks like this is going to be a good home for my cameras - though there are some flaws in the firmware. But a very functional piece of kit.
The H502W video quality, though, is much poorer than that on my selection of other cameras - Amovision Q645R, IPCC B10, Vanxse B-811 and the newest and best of all, Hikvision DS-2032-I

Anonymous said...

Great your initial concern with SS Pro is now fixed.
Have fun.

Lucas Tam said...

Hello Alastair,

Do you happen to have the April 2014 firmware? I just got a Dericam and didn't realize the firmware on Dericam's official site was older than the firmware loaded on the unit!

Unknown said...

Hello,
I have the raw files (not the .bin compressed versions) that came with the replacement board I was sent. The cs (app) file is dated April 2014, the www files are August.
Are you able to FTP these on to your camera? Here is a winzip archive, be aware that it also holds the cs.ini and cs.def.ini config files - you may want to preserve yours before updating.
https://drive.google.com/file/d/0ByOOL4RskWFLSXAyaHpPcUlMRlU/view?usp=sharing
You could also look at the Maygion 6.4.0 firmware that was mentioned in this thread. It's a later revision, August 2014, I flashed my H502W with it, works OK. http://www.maygion.com/en/index.htm

Unknown said...

Would it be possible to modify the firmware to output snapshot in 720P?

Bubbah said...

not sure but I saw this on ispyconnect.com (http://www.ispyconnect.com/man.aspx?n=Dericam)
http://IPADDRESS/snap.jpg?JpegSize=XL
...didn't try yet

Unknown said...

I will try it when I get home today, but I think I have tested that before and there is no change still just 640x480 size.

Bubbah said...

I tried last evening and it doesn't do anything on the size of the snapshot. Basically the snapshot icon in the main interface follows the resolution set for the video stream. So if set to 1280x720, the picture will be 1280x720 as well but only using the small snapshot icon below the view frame. It should be possible to find out what url to use by tracing it either with Wireshark or Fiddler.

Unknown said...

I would like to place the http://IPADDRESS/snap.jpg? in an HTML page, would be nice if it was 720P. Logging into the camera to use the snapshot icon is nothing I would like to do. I was hoping there was something that could be done in firmware, but I don't know anything about how to do that.

Jaser said...

Bubbah,

I need your help on this one... I have the H502W from Dericam. I am trying to change my network password settings, but they won't save once the device has reset. The maygion website says to do the following: "The flash space maybe full.The simplest solution is login ipcam by ftp and delete www/ocx2.exe to get some flash space." How do I do this? I do not have a FTP. My router does have a USB that I could create an FTP if possible. I'd really like to make this as simple as possible. Is there a manual way that I can open some flash up? Would it be best that I factory reset?

Jaser said...

BTW holding the reset button down does not do a factory reset on my camera. It simply restarts the camera.... This is frustrating.

Bubbah said...

I think there's a misunderstanding on what is required to use FTP. The camera runs an FTP service which can be accessed with any FTP client, like FileZilla. No need to set up an FTP server yourself.
In this other article you'll find the possible FTP logins to use depending on the origin of the H502W.

Unknown said...

Hi. Maygion can add link to download the 6.4.0 update? Thanks

uladzislau said...

Hi Alastair, do you have 6.40 backed up by any chance? I can not find it anywhere now, Maygion website is dead. Also the files you have uploaded to Google Drive can not be downloaded, it errors out with: "Sorry, this file is infected with a virus. Only the owner is allowed to download infected files." Hope you are getting reply notification :).

Bubbah said...

Hi, I'm pretty sure the files from Alastair are clean. It is the presence of ocx2.exe (ActiveX viewer) that triggers that false positive alert. I have another backup with that file removed because of similar alerts: http://www.gadgetvictims.com/2013/02/recovering-dericamcybernova-hd-ip-camera.html

uladzislau said...

Thanks Bubbah! I'm pretty sure this is the reason. Easy way to get around this is to password protect the archive and post a password along with a download link. Unfortunately the post you have pointed out contains only the older 5.x FW version backup, I'm looking for 6.40 (or above if it ever existed). If you have somewhere 6.40 backup and can upload it and share that would be absolutely great. Thanks again!

Bubbah said...

I found it back under the dust on an old server:
https://drive.google.com/drive/folders/0B9kFXSWngqLWbllQQ0w1WWRoZk0
...also added 6.60 but I don't remember the changes.
Please note, these are not backup but "normal" update files, so you may need to ftp the 5.x backup first to the camera and then proceed with the traditional update from the UI.

uladzislau said...

You are absolutely awesome! Thank you very much! Interesting that there is 6.60 firmware, have not seen any references to it anywhere, I thought the latest was 6.40 :). I'll try both, may brick my cam though with 6.60 :).

Bubbah said...

I could not retrieve the origin of that v.6.60. Maybe it's for the H503W, but mine just reports "14.09.23.03" as the software version. My H502W is still in 6.40. I probably had a good reason not to update it to 6.60, but it's been a while now. Anyway, better stay away from it.

uladzislau said...

Already tried 6.60 and amazingly it did not brick my cam, runs fine so far. System Information shows:
Software Version: H.264 6.6
Web Version: ipcam(2013.08.29)
Firmware Build Date: Sep 9 2013 23:09:00

uladzislau said...

6.60 version is apparently 6.6 version, mystery solved! BTW, I can not get motion detection area selection to work, were you able to get it working? I saw your post with a screenshot where you have area selection feature on here http://www.gadgetvictims.com/2012/11/cvlm-i234-first-look.html.

Bubbah said...

That version appears on a forum around October 2013 and is the last one published by Cybernova. Still no details on the changes though. I must have tried it and reverted to 6.40 for some reason.
As far as I can remember the area detection worked for me but I ended up using all my IP Cameras through a NVR server which now does that part of the job as well, so didn't use it much on the H502W itself.
