• Hi Guest, Please subscribe to our YouTube channel for fresh new videos each week.

hacking china IP camera - need help for rtsp , password for telnet

van12

New Member
Messages
5
Likes
0
Points
1
Thread starter #1
hi

i bought this noname IP camera for 270RMB in Beijing sept 2016, not any info on the camera (except uid admin and password is empty) , no userguide. I didnt care much for asking the manual, just thought I can fix it with http (i have foscam and another outdoor ip camera at home) .... I was wrong no port 80.......but there is telnet, rtsp (554)

I try vcl player, angry ip scanner, nmap, firefox,rtsp player app, webcam 7 ...nothing help
https://www.ispyconnect.com/man.aspx?n=china#

are there anyone of you having the port like below, any idea? any root password for telnet??

the chip inside is "Grain" , see picture below

http://192.168.1.75:554/ just give "file not found"

root@ubuntu-armhf:~# nmap -AT4 192.168.1.75
Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-09 22:56 CET
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.75
Host is up (0.00067s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Busybox telnetd
554/tcp open http GM Streaming Server httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title (text/html).
| rtsp-methods:
|_ DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, SET_PARAMETER, GET_PARAMETER
5050/tcp open tcpwrapped
5051/tcp open tcpwrapped
8800/tcp open tcpwrapped
8899/tcp open soap gSOAP soap 2.8
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/xml; charset=utf-8).
MAC Address: CE:5B:8A:A3:D0:7D (Unknown)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.9
Network Distance: 1 hop
Service Info: Host: GM; Device: webcam

TRACEROUTE
HOP RTT ADDRESS
1 0.67 ms 192.168.1.75

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.68 seconds



root@ubuntu-armhf:~# telnet 192.168.1.75
Trying 192.168.1.75...
Connected to 192.168.1.75.
Escape character is '^]'.

GM login: admin
Password:
Login incorrect
GM login:

 

van12

New Member
Messages
5
Likes
0
Points
1
Thread starter #3
hi, Thanks, unfortunately it can only find my other ip-cams, not the one I have issue with
 

Garyw

New Member
Messages
2
Likes
1
Points
1
#4
I have a similar ipcam. I have managed to login using root as the username and blank password

There's not much in there tho. - although I know little about Linux.

Port 553 is the rtsp streaming port but I need a 20 digit UID to be able to connect (on the bottom of th camera is only a 7 digit ID...)
 

van12

New Member
Messages
5
Likes
0
Points
1
Thread starter #5
i had tried root with blank password, not work.
there is no 7 or 20 digit UID, only 8 digit on the barcode (label). try to use wmplayer for open rtsp stream, nothing happens

root@ubuntu-armhf:~# telnet 192.168.1.75
Trying 192.168.1.75...
Connected to 192.168.1.75.
Escape character is '^]'.

GM login: root
Password:
Login incorrect
GM login:
 

Garyw

New Member
Messages
2
Likes
1
Points
1
#6
I have successfully connected to the RTSP stream using VLC and IP Cam Viewer Lite (on iOS).

I did this via http//IP ADDRESS:554/onvif1 (for Standard Definition video) using generic RTSP over TCP

replace onvif1 with onvif2 to get HD video

The limitation of this method is that you can't control the camera - eg Pan, Tilt or send audio to the device.
 

van12

New Member
Messages
5
Likes
0
Points
1
Thread starter #7
thanks for the tips about onvif , I found the "ONVIF Device Manager" and it discovers easily the URL for me :). The application also have the option for rotate the webcam, showing the "live video" and nothing more (for this webcam)
start VLC -> ctrl +n -> click network
rtsp://192.168.1.75//live/ch00_1

I found some intersting links, but couldn't crack the root password yet. I am trying commix right now

https://jumpespjump.blogspot.dk/2015/09/how-i-hacked-my-ip-camera-and-found.html
Chinese IP camera configuration & firmware | Technology News
IP Cameras Default Passwords Directory
 
Messages
2
Likes
0
Points
1
#9
If you can get hold of the firmware id be happy to have a look at the hashes and get back to you :)

P.s. sorry if this thread is old!
 

van12

New Member
Messages
5
Likes
0
Points
1
Thread starter #10
>>root/cat1029 not help
tng@ubuntu-armhf:~$ telnet 192.168.1.75
Trying 192.168.1.75...
Connected to 192.168.1.75.
Escape character is '^]'.
GM login: root
Password:
Login incorrect
GM login:

>>firmware id
not much info, other than "31628229" on a white label
 

gutmetal

New Member
Messages
1
Likes
0
Points
1
#11
Any news on that? I believe I have a similar camera which was working perfectly before I update the firmware. No the Y axis won't move perfectly. I'll try to downgrade the firmware.