Wednesday 22 June 2016

A look at the TOP-308 IP camera

The TOP-308 is a wired-ethernet IP network 720p camera. It found it for under 15 Euros (now:20) at Banggood and thought it might replace my somewhat aged Linksys WGS54 .

Power on

The camera does not come with a power adapter. The connector is a center-positive barrel connector and requires a 12V 1A power supply. (ToDo: measure actual current)
I found an orphaned power supply in a junk box.

First contact

If your local network segment is 192.168.1.0/24, you're nearly there: The camera's address comes pre-set to 192.168.1.10. Changing it requires some effort. (More about that further down.)
The easiest way to get a video stream is to  use VLC, click "Open network stream" and enter:

rtsp://admin:@192.168.1.10/user=admin_password=_channel=1_stream=0.sdp

as the network address. This should immediately show a live stream.
First stream

Browsing is not a breeze

In Chrome & Safari, the web interface of the camera is a total pain. I struggled with it for quite a while. The web page always came up in Chinese, although the source code shows that there was an "English.js" that could be retrieved from the camera.
So I used the requestly-plugin for chrome to replace the requested file:
The resulting web page turned out to be entirely useless.
No way I could set up any of the camera's parameters in here.

Internet Explorer to the rescue

So I resorted to using the Internet Explorer 11. That brought up a different page that allowed not only to change the language, but also offered to download an active-X control from the manufacturer's web server.
That made things a lot easier to set things up. Date, DHCP.... anything you'd expect.
Many users will probably be happy with that. I'm not.

A closer look

I don't particularly like the Internet Explorer (iexplore) and it is only a matter of time when old 3rd party plugins are no longer supported.
That setup panel needs to communicate with the camera in some way and I need to find out about that. So I ran nmap against the camera:
Scanning 192.168.1.10 [65535 ports]
Discovered open port 554/tcp on 192.168.1.10
Discovered open port 80/tcp on 192.168.1.10
Discovered open port 9527/tcp on 192.168.1.10
Discovered open port 9530/tcp on 192.168.1.10
Discovered open port 34567/tcp on 192.168.1.10
Discovered open port 8899/tcp on 192.168.1.10
Completed Connect Scan at 23:12, 35.47s elapsed (65535 total ports)

So there are a number of open ports to be examined:
Port 80 goes without saying: The web interface.
Port 554 is the RSTP port we already used to stream to VLC in the example above.

That leaves 9527, 9530, 34567 and 8899 for further investigations.

A quick look at a wireshark trace suggests that TCP-port 34567 is the most promising candidate for reading / writing camera parameters. That connection also reveals an otherwise hidden user/password combination:
"PassWord" : "tlJwpbo6", "UserName" : "admin"

On port 9527 there is something that looks like a telnet interface. Logon is "admin" and no password:

Save SysTime to Flash:2016-06-23 10:28:04, Time:2378 Min, Trail:2378 Min
Save SysTime to Flash:2016-06-23 10:30:04, Time:2380 Min, Trail:2380 Min

username:admin
password:
admin$ help
----------------------Console Commands----------------------------
                 232 Comm dump
              485Pro 485 Protocol!
             ability Net Ability Utility!
                  ad AD debug interface!
               alarm Alarm status!
             bitrate Dump BitRate infomation!
                 cfg Config Help Utility!
        cloudupgrade CloudUpgrade console utility!
                comm Comm Input String
              encode Encode commands!
               front front board utility!

                  fs Fs debug interface!
                heap Dump heap status!
                help Try help!
                 log Log utility!
               magic magic tools!
              netitf NetInterFace Dump!
                netm NetManager Dump!
               onvif Onvif debug msg!
              packet Packet usage!
                 ptz ptz dump!
                quit Quit!
              reboot Reboot the system!
              record Record console utility!
                 rtp RTP Dump!
               shell Linux shell prompt!
            shutdown Shutdown the system!
                snap Snap Console Utility!
              thread Dump application threads!
                time Set SystemTime!
               timer Dump application timers!
             upgrade Upgrade utility!
                user Account Information!
                 ver version info!
             xmcloud XmCloud Dump!
To see details, please use 'cmd -h'

admin$ ver
Save SysTime to Flash:2016-06-23 10:32:04, Time:2382 Min, Trail:2382 Min
ver ---- V4.02.R12.00006210, [000 06 210]
Version: V4.02.R12.00006210.10010.140700.00000, BuildTime: 2016-02-24 13:22:12
admin$

That looks like a fairly recent build.

Through the shell command, I seem to be able to access a busybox binary, but could not get it to behave like on a standard linux system.

ls -l
ls: invalid option --

BusyBox v1.16.1 (2015-12-18 09:48:05 CST) multi-call binary.

Usage: ls [-1AacCdeFilnpLRrSsTtuvwxXk] [FILE]...

ls (-l)sh: syntax error: unexpected word (expecting ")")
admin$

Something seems to cripple the input. But there are lots of other options to look at:

admin$ netm
----------------------------------------------
netm -c          show Connect Information!
netm -s          show Transport Information!
netm -a          triger Adapter Debug Output!
netm -t <valve>  Adapter statistic output!
netm -p          print debug info or not!
admin$ netm -c
TODO:===>
NatRegisterEnable[1],NatRunStatus[2],NatServerIp=[52.29.139.70],DeviceMac=[68f06f04f5e9d090]!
admin$

And why does this thing have a reference to an Amazon AWS server? Sooo many questions...




To be continued...

PS: Yes, I am aware of the "CMS" software for the TOP cameras. I try to get away without proprietary software.


6 comments:

  1. Did you make any further progress on this camera?

    I'm considering it myself also, but wondering about the software (and its security or (lack of?) privacy) and also the image quality.


    ReplyDelete
  2. I haven't investigated any further yet. I share your doubts about privacy, because I can see this thing "phone home" quite frequently. Presumably to load firmware updates. I consider that a potential back door.

    ReplyDelete
  3. Hi,

    I know you didn't want any software but I use iSpyConnect for all my cameras.
    https://www.ispyconnect.com/download.aspx

    Worth a pop.

    ReplyDelete
  4. How did you connect via IE? When i point it to the IP, it's start downloading a file with random name?

    ReplyDelete
  5. Any update - accidentally bought same cameras and they are all on same IP address.

    ReplyDelete
    Replies
    1. Not really. Have a look at that:
      https://www.areresearch.net/2017/01/more-work-on-top-308-ip-camera.html
      Gives you root access.

      Delete