Last active
March 9, 2025 02:15
Revisions
maxious revised this gist
Sep 22, 2019 . 2 changed files with 3 additions and 0 deletions.
@@ -2,6 +2,8 @@ Might also be the dv163 P1: http://help.dvr163.com/index.php/P1 Based on Ankya AK3918 HD IP Camera SoC http://caxapa.ru/thumbs/914089/ak3818ds.pdf http://caxapa.ru/thumbs/914089/ak3818ds.pdf # Firmware => Telnet/FTP Check/download latest firmware (site blocked for malware in Chrome/Firefox) http://42.96.185.60:8088/XVR/common/checkCommonUpdate.php?DevModel=IPCAM&SWVersion=1.4.47.0&DeviceSN=F2731110583936&ODMNum=391802&FirmwareMagic=SlVBTiBJUENBTSBGSVJNV0FSRSBERVNJR05FRCBCWSBMQVc=&Release=1&app_version=2.3.13 @@ -10,6 +12,7 @@ Response: New Firmware=1\r\n Link=http://42.96.185.60:8088/XVR/common/getFirmware.php?ODM=COMMON&ROM=V1.4.70_CW.tar\r\n ``` Another version http://42.96.185.60:8088/XVR/common/getFirmware.php?ODM=COMMON&ROM=ALPHA_20190118_P1_AK3918EV100_V1.4.93.rom Updating to version 1.4.70 opens up telnet/ftp if the files "ftp_telnet_flag" and "uart_flag" are on the SD card.
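Review bot: The added line "Based on Ankya AK3918 HD IP Camera SoC" spells the vendor "Ankya" while the telnet banner in this gist's transcript reads "anyka", and the linked datasheet file is named ak3818ds.pdf although the text and the new ROM name (AK3918EV100) say AK3918; correct or explain the mismatch, and drop the duplicated URL. For the added "Another version" firmware link, record a checksum and the date it was fetched, since the download is plain HTTP from a bare IP address that the surrounding text says browsers block for malware.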
maxious revised this gist
Jun 4, 2018 . 3 changed files with 69 additions and 13 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -38,7 +38,7 @@ A jpeg 640x480 snapshot from camera { "Function": { "promptSoundType": "english" } } ``` - /bubble/live ``` Video and audio streaming - see below ``` - /user/user_list.xml ``` <user ver="1.0" you="" add_user="no" ret="sorry" mesg="check in falied"/> @@ -75,4 +75,6 @@ startStreamSoup = '<SOUP version="1.0"><streamreq ch="vin0" stream="stream0" opt You can extract H264 frames out of a packet capture on port 64444: > ffmpeg -err_detect ignore_err -i stream.pcap -c copy stream.mp4 There is also streaming on port 80 via the url /bubble/live but this requires a custom handshake as well, see below python script to use ffplay. The stream is of type Video: h264 (Main) (avc1 / 0x31637661), yuv420p, 1280x720, 518 kb/s, 15.02 fps, 15 tbr, 1200k tbn, 30 tbc This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,17 +1,17 @@ # view output via: python3 stream.socket.py | ffplay -i pipe: # or can write to file write_to_files = False import socket import time import datetime import sys TCP_IP = '192.168.1.126' TCP_PORT = 80 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(2) s.setblocking(1) """ ************************************************************************************** 
@@ -32,22 +32,76 @@ data = s.recv(54) s.send(b'\xaa\x00\x00\x00\x15\n\x0e\x16\xc2\xdf\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00') # s.setblocking(0) if write_to_files: print("connected") timestamp = datetime.datetime.now().isoformat().replace(":", "-") dump = open(timestamp + '-socket.dump', 'wb') # os.mkfifo(timestamp + '-socket.h264') h264 = open(timestamp + '-socket.h264', 'wb') g711 = open(timestamp + '-socket.g711', 'wb') else: dump = None g711 = None h264 = sys.stdout.buffer g711_prelude = b'\xaa\x00\x00\x00' # decode with ```sox --channels 1 --type raw --rate 8000 -e a-law ~/Downloads/audio.g711 output.wav``` then write as http://en.wikipedia.org/wiki/Au_file_format h264_prelude = b'\x00\x00\x00\x01' in_h264 = False try: while True: try: data = s.recv(16) before_data = None dump.write(data) if write_to_files else None if g711_prelude in data: idx = data.index(g711_prelude) print("g711 @ " + str(idx)) before_data = data[:idx] data = data[idx:] if in_h264: h264.write(before_data) else: g711.write(before_data) if write_to_files else None h264.flush() g711.flush() if write_to_files else None in_h264 = False if h264_prelude in data: idx = data.index(h264_prelude) print("h264 @ " + str(idx)) before_data = data[:idx] data = data[idx:] if in_h264: h264.write(before_data) else: g711.write(before_data) if write_to_files else None h264.flush() g711.flush() if write_to_files else None in_h264 = True if in_h264: h264.write(data) else: g711.write(data) if write_to_files else None except BlockingIOError: time.sleep(.1) pass # https://docs.python.org/2/howto/sockets.html#disconnecting except BrokenPipeError: print("shutting down") if write_to_files else None s.shutdown(1) s.close() except KeyboardInterrupt: print("shutting down") if write_to_files else None h264.close() g711.close() if write_to_files else None dump.close() if write_to_files else None s.shutdown(1) s.close() LoadingSorry, something went wrong. 
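Review bot: Uncommenting `s.settimeout(2)` in the `@@ -1,17 +1,17 @@` hunk of the script has no effect, because the next line, `s.setblocking(1)`, puts the socket back into blocking mode with no timeout. Drop the `setblocking(1)` call if a 2 second timeout is wanted and handle `socket.timeout` in the read loop; the `except BlockingIOError` branch added further down cannot fire on a blocking socket.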
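Review bot: The `print("g711 @ " + str(idx))` and `print("h264 @ " + str(idx))` calls in the `@@ -32,22 +32,76 @@` hunk are not guarded by `write_to_files`, so in pipe mode, where `h264 = sys.stdout.buffer`, their text goes to the same stdout that carries the H264 bytes to ffplay. Send them to `sys.stderr` or guard them like the other prints. Reading with `s.recv(16)` also means a 4 byte prelude that straddles two reads is never matched; keep a small carry-over buffer between iterations, and leave the loop when `recv` returns `b''`.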
maxious revised this gist
Jun 3, 2018 . 2 changed files with 53 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,53 @@ # view output via: python3 stream.socket.py | ffplay -i pipe: # or can write to file import socket import os import time import sys TCP_IP = '192.168.1.126' TCP_PORT = 80 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #s.settimeout(2) s.setblocking(1) """ ************************************************************************************** * Avoid socket.error: [Errno 98] Address already in use exception * The SO_REUSEADDR flag tells the kernel to reuse a local socket in TIME_WAIT state, * without waiting for its natural timeout to expire. ************************************************************************************** """ s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.connect((TCP_IP, TCP_PORT)) s.send(b'GET /bubble/live?ch=0&stream=0 HTTP/1.1\r\n\r\n') data = s.recv(1142) s.send( b'\xaa\x00\x00\x005\x00\x0e\x16\xc2q\x00\x00\x00,\x00\x00\x00\x00admin\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00') data = s.recv(54) s.send(b'\xaa\x00\x00\x00\x15\n\x0e\x16\xc2\xdf\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00') #os.mkfifo('socket.dump') #print("connected") #f = open('socket.dump','wb') f =sys.stdout.buffer try: while True: data = s.recv(1024) f.write(data) f.flush() # https://docs.python.org/2/howto/sockets.html#disconnecting except BrokenPipeError: #print("shutting down") s.shutdown(1) s.close() except KeyboardInterrupt: #print("shutting down") s.shutdown(1) s.close() LoadingSorry, something went wrong. Reload?Sorry, we cannot display this file.Sorry, this file is invalid so it cannot be displayed. -
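Review bot: The read loop `while True: data = s.recv(1024)` never checks for an empty result, so once the camera closes the connection `recv` returns `b''` on every call and the script spins; break when `data` is empty. The fixed-size `s.recv(1142)` and `s.recv(54)` calls assume each handshake reply arrives in a single read, which TCP does not guarantee, and both replies are discarded without checking that the login was accepted. `SO_REUSEADDR` and its "Address already in use" comment apply to sockets that bind, not to this outbound client socket, and `import os` and `import time` are unused.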
maxious revised this gist
May 1, 2018 . 3 changed files with 6 additions and 1 deletion.
@@ -2,7 +2,7 @@ Might also be the dv163 P1: http://help.dvr163.com/index.php/P1 # Firmware => Telnet/FTP Check/download latest firmware (site blocked for malware in Chrome/Firefox) http://42.96.185.60:8088/XVR/common/checkCommonUpdate.php?DevModel=IPCAM&SWVersion=1.4.47.0&DeviceSN=F2731110583936&ODMNum=391802&FirmwareMagic=SlVBTiBJUENBTSBGSVJNV0FSRSBERVNJR05FRCBCWSBMQVc=&Release=1&app_version=2.3.13 Response: @@ -20,6 +20,9 @@ DES HASH: ABgia2Z.lfFhA Password (ASCII): "j1/_7sxw" Password (HEX): 6a312f5f37737877 ``` GDBserver from https://github.com/therealsaumil/static-arm-bins/ or https://github.com/mzpqnxow/embedded-toolkit/tree/master/prebuilt_static_bins # HTTP Working URLs: - /snapshot or /snapshot.jpg or /NetSDK/Video/encode/channel/101/snapshot or /NetSDK/Video/encode/channel/102/snapshot
@@ -8,6 +8,8 @@ welcome to file system [root@anyka ~]$ ls ls bin dev etc init lib mnt proc sbin sys tmp usr var [root@anyka ~]$ uname -ar Linux anyka 3.4.35 #191 Wed Dec 13 14:56:53 CST 2017 armv5tejl GNU/Linux [root@anyka ~]$ cat /proc/cpuinfo cat /proc/cpuinfo Processor : ARM926EJ-S rev 5 (v5l)
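Review bot: The added GDBserver line points at two third-party repositories of prebuilt binaries, one of them at `tree/master`, without a commit, file name or checksum; pin the exact binary that was used so readers can verify what they copy onto the camera. The `uname -ar` output added to the transcript reports `armv5tejl`, so name the ARMv5 build that actually ran on this device.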
maxious revised this gist
May 1, 2018 . 2 changed files with 4 additions and 2 deletions.
@@ -22,8 +22,10 @@ Password (HEX): 6a312f5f37737877 ``` # HTTP Working URLs: - /snapshot or /snapshot.jpg or /NetSDK/Video/encode/channel/101/snapshot or /NetSDK/Video/encode/channel/102/snapshot ``` A jpeg 640x480 snapshot from camera ``` - /cgi-bin/gw2.cgi ``` <juan ver="1.0" seq="0"><conf type="read" user="" password=""><spec vin="1" ain="1" io_sensor="0" io_alarm="0" hdd="0" sd_card="0" /><info device_name="IPC" device_model="IPC" device_sn="F2731110583936" hardware_version="1.0.0" software_version="1.7.27(1.4.70_CW)" build_date="2017/09/28" build_time="10:22:36"></info></conf></juan>
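Review bot: The added snapshot paths do not say whether any credentials were sent; the `/cgi-bin/gw2.cgi` sample just below them shows `user="" password=""`, so state for each URL whether it answers without authentication. The one-line description "A jpeg 640x480 snapshot from camera" is prose and does not need a code fence.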
maxious revised this gist
May 1, 2018 . 2 changed files with 33 additions and 1 deletion.
@@ -2,6 +2,7 @@ Might also be the dv163 P1: http://help.dvr163.com/index.php/P1 # Firmware Check/download latest firmware (site blocked for malware in Chrome/Firefox) http://42.96.185.60:8088/XVR/common/checkCommonUpdate.php?DevModel=IPCAM&SWVersion=1.4.47.0&DeviceSN=F2731110583936&ODMNum=391802&FirmwareMagic=SlVBTiBJUENBTSBGSVJNV0FSRSBERVNJR05FRCBCWSBMQVc=&Release=1&app_version=2.3.13 Response:
@@ -13,11 +14,42 @@ Link=http://42.96.185.60:8088/XVR/common/getFirmware.php?ODM=COMMON&ROM=V1.4.70_ Updating to version 1.4.70 opens up telnet/ftp if the files "ftp_telnet_flag" and "uart_flag" are on the SD card. Someone else wonders about cracking the root hash https://gist.github.com/gabonator/74cdd6ab4f733ff047356198c781f27d ``` MD5 HASH: $1$4dAkkeWK$HCy0K1z8E.wAuwgLV8bWd/ DES HASH: ABgia2Z.lfFhA Password (ASCII): "j1/_7sxw" Password (HEX): 6a312f5f37737877 ``` # HTTP Working URLs: - /snapshot - /snapshot.jpg - /cgi-bin/gw2.cgi ``` <juan ver="1.0" seq="0"><conf type="read" user="" password=""><spec vin="1" ain="1" io_sensor="0" io_alarm="0" hdd="0" sd_card="0" /><info device_name="IPC" device_model="IPC" device_sn="F2731110583936" hardware_version="1.0.0" software_version="1.7.27(1.4.70_CW)" build_date="2017/09/28" build_time="10:22:36"></info></conf></juan> ``` - /custom/OEM ``` { "Function": { "promptSoundType": "english" } } ``` - /bubble/live Neverending binary stream? - /user/user_list.xml ``` <user ver="1.0" you="" add_user="no" ret="sorry" mesg="check in falied"/> ``` - /cgi-bin/hi3510/echo.cgi ``` fun echo script ``` - /cgi-bin/hi3510/ptzctrl.cgi or /cgi-bin/hi3510/preset.cgi ``` sends you a random bit of memory! probably meant to have params like detailed in http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf ``` - /cgi-bin/hi3510/param.cgi ``` blank if no params ``` # Streaming Streaming happens TCP port 64444 with a handshake looking like: ``` LoadingSorry, something went wrong. Reload?Sorry, we cannot display this file.Sorry, this file is invalid so it cannot be displayed. -
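Review bot: The entry for `/cgi-bin/hi3510/ptzctrl.cgi` and `/cgi-bin/hi3510/preset.cgi` says only "sends you a random bit of memory!"; that reads like an information leak, so record the exact request, the response length and whether a login was required, which is what a report to the vendor or a detection rule would need. The `gw2.cgi` sample and the update-check URL both carry the device serial number `F2731110583936`; replace it with a placeholder. "Neverending binary stream?" for `/bubble/live` should be marked as unverified until the format is known.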
maxious revised this gist
Apr 3, 2018 . 2 changed files with 92 additions and 0 deletions.
@@ -0,0 +1,92 @@ $ nc -t 192.168.1.X 23 �������� anyka login: root root Password: j1/_7sxw welcome to file system [root@anyka ~]$ ls ls bin dev etc init lib mnt proc sbin sys tmp usr var [root@anyka ~]$ cat /proc/cpuinfo cat /proc/cpuinfo Processor : ARM926EJ-S rev 5 (v5l) BogoMIPS : 199.06 Features : swp half fastmult edsp java CPU implementer : 0x41 CPU architecture: 5TEJ CPU variant : 0x0 CPU part : 0x926 CPU revision : 5 Hardware : Cloud39E_AK3918E+H42_V1.0.2 Revision : 0000 Serial : 0000000000000000 [root@anyka ~]$ free -m free -m total used free shared buffers Mem: 35 34 1 0 4 -/+ buffers: 30 5 Swap: 0 0 0 [root@anyka ~]$ mount mount rootfs on / type rootfs (rw) /dev/root on / type squashfs (ro,relatime) devtmpfs on /dev type devtmpfs (rw,relatime,mode=0755) proc on /proc type proc (rw,relatime) tmpfs on /tmp type tmpfs (rw,relatime) tmpfs on /var type tmpfs (rw,relatime) devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000) tmpfs on /mnt type tmpfs (rw,relatime) sysfs on /sys type sysfs (rw,relatime) /dev/loop0 on /usr type squashfs (ro,relatime) /dev/mtdblock3 on /etc/jffs2 type jffs2 (rw,relatime) /dev/mmcblk0p1 on /mnt/tf type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro) [root@anyka ~]$ busybox busybox BusyBox v1.20.2 (2016-07-26 13:20:19 CST) multi-call binary. Copyright (C) 1998-2011 Erik Andersen, Rob Landley, Denys Vlasenko and others. Licensed under GPLv2. See source distribution for full notice. Usage: busybox [function] [arguments]... or: busybox --list[-full] or: busybox --install [-s] [DIR] or: function [arguments]... BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use and BusyBox will act like whatever it was invoked as. 
Currently defined functions: [, [[, acpid, adjtimex, arp, arping, ash, awk, base64, basename, beep, blockdev, bootchartd, brctl, cal, cat, catv, chat, chmod, chown, chroot, chrt, chvt, cksum, clear, cmp, cp, crontab, cttyhack, cut, date, dc, dd, depmod, devmem, df, dhcprelay, diff, dirname, dmesg, dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, egrep, eject, env, expand, expr, fakeidentd, false, fbset, fbsplash, fdisk, fgconsole, fgrep, find, fold, free, fsync, ftpd, ftpget, ftpput, fuser, getopt, getty, grep, groups, halt, hd, head, hexdump, hostid, hostname, hwclock, id, ifconfig, ifdown, ifenslave, ifplugd, ifup, inetd, init, inotifyd, insmod, install, ionice, iostat, ip, ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute, iprule, iptunnel, kbd_mode, kill, killall, killall5, klogd, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname, logread, losetup, ls, lsmod, lsof, lspci, lsusb, makedevs, md5sum, mdev, mesg, mkdir, mkdosfs, mkfifo, mkfs.vfat, mknod, modinfo, modprobe, more, mount, mountpoint, mv, nameif, nanddump, nandwrite, nbd-client, nc, netstat, nice, nslookup, ntpd, od, passwd, pgrep, pidof, ping, pivot_root, pkill, pmap, poweroff, powertop, printenv, printf, ps, pscan, pstree, pwd, pwdx, rdate, rdev, readahead, readlink, readprofile, realpath, reboot, renice, reset, resize, rm, rmdir, rmmod, route, rtcwake, rx, script, scriptreplay, sed, setarch, setconsole, setfont, setkeycodes, setlogcons, setserial, setsid, sh, sha1sum, sha256sum, sha512sum, showkey, slattach, sleep, smemcap, sort, split, stat, strings, stty, sum, switch_root, sync, sysctl, syslogd, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp, tftpd, time, timeout, top, touch, traceroute, true, tty, tunctl, ubiattach, ubidetach, ubimkvol, ubirmvol, ubirsvol, ubiupdatevol, udhcpc, udhcpd, udpsvd, umount, uname, uncompress, unix2dos, uptime, usleep, uudecode, uuencode, vconfig, vi, volname, watch, watchdog, wc, which, whoami, whois, xargs, yes LoadingSorry, 
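Review bot: The transcript opens straight at the root login and omits the preconditions the README gives, firmware 1.4.70 with the `ftp_telnet_flag` and `uart_flag` files on the SD card; add them at the top so the session can be reproduced. Every command appears twice (`ls ls`, `mount mount`) because of terminal echo, and the characters before `anyka login:` are unprintable telnet negotiation bytes; trimming both would make the file easier to read.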
maxious revised this gist
Apr 3, 2018 . 2 changed files with 5 additions and 0 deletions.
@@ -1,4 +1,5 @@  Might also be the dv163 P1: http://help.dvr163.com/index.php/P1 Check/download latest firmware (site blocked for malware in Chrome/Firefox) @@ -12,6 +13,10 @@ Link=http://42.96.185.60:8088/XVR/common/getFirmware.php?ODM=COMMON&ROM=V1.4.70_ Updating to version 1.4.70 opens up telnet/ftp if the files "ftp_telnet_flag" and "uart_flag" are on the SD card. Someone else wonders about cracking the root hash https://gist.github.com/gabonator/74cdd6ab4f733ff047356198c781f27d MD5 HASH: $1$4dAkkeWK$HCy0K1z8E.wAuwgLV8bWd/ DES HASH: ABgia2Z.lfFhA Password (ASCII): "j1/_7sxw" Password (HEX): 6a312f5f37737877 # Streaming Streaming happens TCP port 64444 with a handshake looking like:
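Review bot: The four added hash and password lines sit outside any code fence, so Markdown may alter characters such as `$`, `_` and `/` when the README is rendered; put them in a fenced block. Also note which file on the device each hash comes from, and say whether the password was recovered here or taken from the linked gist.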
maxious revised this gist
Mar 26, 2018 . 2 changed files with 509 additions and 0 deletions.
@@ -0,0 +1,509 @@ . ├── V1.4.70_CW.tar ├── root │ ├── bin │ │ ├── ash -> busybox │ │ ├── base64 -> busybox │ │ ├── busybox │ │ ├── cat -> busybox │ │ ├── catv -> busybox │ │ ├── chmod -> busybox │ │ ├── chown -> busybox │ │ ├── cp -> busybox │ │ ├── cttyhack -> busybox │ │ ├── date -> busybox │ │ ├── dd -> busybox │ │ ├── df -> busybox │ │ ├── dmesg -> busybox │ │ ├── dnsdomainname -> busybox │ │ ├── dumpkmap -> busybox │ │ ├── echo -> busybox │ │ ├── egrep -> busybox │ │ ├── false -> busybox │ │ ├── fgrep -> busybox │ │ ├── free -> busybox │ │ ├── fsync -> busybox │ │ ├── getopt -> busybox │ │ ├── grep -> busybox │ │ ├── hostname -> busybox │ │ ├── ionice -> busybox │ │ ├── iostat -> busybox │ │ ├── ip -> busybox │ │ ├── ipaddr -> busybox │ │ ├── ipcalc -> busybox │ │ ├── iplink -> busybox │ │ ├── iproute -> busybox │ │ ├── iprule -> busybox │ │ ├── iptunnel -> busybox │ │ ├── kill -> busybox │ │ ├── killall -> busybox │ │ ├── killall5 -> busybox │ │ ├── linux32 -> busybox │ │ ├── linux64 -> busybox │ │ ├── ln -> busybox │ │ ├── login -> busybox │ │ ├── ls -> busybox │ │ ├── mkdir -> busybox │ │ ├── mknod -> busybox │ │ ├── more -> busybox │ │ ├── mount -> busybox │ │ ├── mountpoint -> busybox │ │ ├── mv -> busybox │ │ ├── netstat -> busybox │ │ ├── nice -> busybox │ │ ├── od -> busybox │ │ ├── pidof -> busybox │ │ ├── ping -> busybox │ │ ├── powertop -> busybox │ │ ├── printenv -> busybox │ │ ├── ps -> busybox │ │ ├── pwd -> busybox │ │ ├── rm -> busybox │ │ ├── rmdir -> busybox │ │ ├── scriptreplay -> busybox │ │ ├── sed -> busybox │ │ ├── setarch -> busybox │ │ ├── setserial -> busybox │ │ ├── sh -> busybox │ │ ├── sleep -> busybox │ │ ├── stat -> busybox │ │ ├── stty -> busybox │ │ ├── sync -> busybox │ │ ├── tar -> busybox │ │ ├── touch -> busybox │ │ ├── true -> busybox │ │ ├── umount -> busybox │ │ ├── uname -> busybox │ │ ├── uncompress -> busybox │ │ ├── usleep -> busybox │ │ ├── vi -> busybox │ │ ├── watch -> busybox │ │ └── yes -> busybox │ ├── dev │ 
├── etc │ │ ├── fstab │ │ ├── group │ │ ├── host.conf │ │ ├── hosts │ │ ├── init.d │ │ │ ├── mount_usr_img.sh │ │ │ ├── rc.local │ │ │ └── rcS │ │ ├── inittab │ │ ├── jffs2 │ │ ├── ld.so.conf │ │ ├── mdev.conf │ │ ├── nsswitch.conf │ │ ├── passwd │ │ ├── profile │ │ ├── resolv.conf -> jffs2/resolv.conf │ │ ├── services │ │ ├── shadow │ │ ├── sysconfig │ │ │ └── HOSTNAME │ │ └── udhcpd.conf │ ├── init -> bin/busybox │ ├── lib │ │ ├── ld-uClibc-0.9.32.1.so │ │ ├── ld-uClibc.so.0 -> ld-uClibc-0.9.32.1.so │ │ ├── libc.so.0 -> libuClibc-0.9.32.1.so │ │ ├── libcrypt-0.9.32.1.so │ │ ├── libcrypt.so.0 -> libcrypt-0.9.32.1.so │ │ ├── libdl-0.9.32.1.so │ │ ├── libdl.so.0 -> libdl-0.9.32.1.so │ │ ├── libgcc_s.so -> libgcc_s.so.1 │ │ ├── libgcc_s.so.1 │ │ ├── libiconv.so -> libiconv.so.0 │ │ ├── libiconv.so.0 │ │ ├── libm-0.9.32.1.so │ │ ├── libm.so.0 -> libm-0.9.32.1.so │ │ ├── libnsl-0.9.32.1.so │ │ ├── libnsl.so.0 -> libnsl-0.9.32.1.so │ │ ├── libpthread-0.9.32.1.so │ │ ├── libpthread.so.0 -> libpthread-0.9.32.1.so │ │ ├── libresolv-0.9.32.1.so │ │ ├── libresolv.so.0 -> libresolv-0.9.32.1.so │ │ ├── librt-0.9.32.1.so │ │ ├── librt.so.0 -> librt-0.9.32.1.so │ │ ├── libstdc++.so -> libstdc++.so.6.0.12 │ │ ├── libstdc++.so.6 -> libstdc++.so.6.0.12 │ │ ├── libstdc++.so.6.0.12 │ │ ├── libthread_db-0.9.32.1.so │ │ ├── libthread_db.so.1 -> libthread_db-0.9.32.1.so │ │ ├── libuClibc-0.9.32.1.so │ │ ├── libutil-0.9.32.1.so │ │ ├── libutil.so.0 -> libutil-0.9.32.1.so │ │ └── modules │ │ ├── 3.4.35 │ │ └── block2mtd.ko │ ├── mnt │ │ ├── nand │ │ └── sd │ ├── proc │ ├── sbin │ │ ├── acpid -> ../bin/busybox │ │ ├── adjtimex -> ../bin/busybox │ │ ├── arp -> ../bin/busybox │ │ ├── blockdev -> ../bin/busybox │ │ ├── bootchartd -> ../bin/busybox │ │ ├── depmod -> ../bin/busybox │ │ ├── devmem -> ../bin/busybox │ │ ├── fbsplash -> ../bin/busybox │ │ ├── fdisk -> ../bin/busybox │ │ ├── ftpd -> ../bin/busybox │ │ ├── getty -> ../bin/busybox │ │ ├── halt -> ../bin/busybox │ │ ├── hwclock -> 
../bin/busybox │ │ ├── ifconfig -> ../bin/busybox │ │ ├── ifdown -> ../bin/busybox │ │ ├── ifenslave -> ../bin/busybox │ │ ├── ifup -> ../bin/busybox │ │ ├── init -> ../bin/busybox │ │ ├── inotifyd -> ../bin/busybox │ │ ├── insmod -> ../bin/busybox │ │ ├── iwlist │ │ ├── klogd -> ../bin/busybox │ │ ├── loadkmap -> ../bin/busybox │ │ ├── logread -> ../bin/busybox │ │ ├── losetup -> ../bin/busybox │ │ ├── lsmod -> ../bin/busybox │ │ ├── makedevs -> ../bin/busybox │ │ ├── mdev -> ../bin/busybox │ │ ├── mkdosfs -> ../bin/busybox │ │ ├── mkfs.vfat -> ../bin/busybox │ │ ├── modinfo -> ../bin/busybox │ │ ├── modprobe -> ../bin/busybox │ │ ├── nameif -> ../bin/busybox │ │ ├── passwd -> ../bin/busybox │ │ ├── pivot_root -> ../bin/busybox │ │ ├── poweroff -> ../bin/busybox │ │ ├── reboot -> ../bin/busybox │ │ ├── rmmod -> ../bin/busybox │ │ ├── route -> ../bin/busybox │ │ ├── setconsole -> ../bin/busybox │ │ ├── slattach -> ../bin/busybox │ │ ├── switch_root -> ../bin/busybox │ │ ├── sysctl -> ../bin/busybox │ │ ├── syslogd -> ../bin/busybox │ │ ├── telnetd -> ../bin/busybox │ │ ├── tunctl -> ../bin/busybox │ │ ├── udhcpc -> ../bin/busybox │ │ ├── udhcpd -> ../bin/busybox │ │ ├── updater │ │ ├── vconfig -> ../bin/busybox │ │ └── watchdog -> ../bin/busybox │ ├── sys │ ├── tmp │ ├── usr │ └── var ├── root.sqsh4 ├── root.sqsh4.md5 ├── usr │ ├── bin │ │ ├── [ -> ../../bin/busybox │ │ ├── [[ -> ../../bin/busybox │ │ ├── anyka_font_16.bin │ │ ├── anyka_ipc │ │ ├── arping -> ../../bin/busybox │ │ ├── awk -> ../../bin/busybox │ │ ├── basename -> ../../bin/busybox │ │ ├── beep -> ../../bin/busybox │ │ ├── cal -> ../../bin/busybox │ │ ├── chat -> ../../bin/busybox │ │ ├── chrt -> ../../bin/busybox │ │ ├── chvt -> ../../bin/busybox │ │ ├── cksum -> ../../bin/busybox │ │ ├── clear -> ../../bin/busybox │ │ ├── cmp -> ../../bin/busybox │ │ ├── crontab -> ../../bin/busybox │ │ ├── cut -> ../../bin/busybox │ │ ├── daemon │ │ ├── dc -> ../../bin/busybox │ │ ├── diff -> ../../bin/busybox │ │ 
├── dirname -> ../../bin/busybox │ │ ├── dos2unix -> ../../bin/busybox │ │ ├── du -> ../../bin/busybox │ │ ├── dumpleases -> ../../bin/busybox │ │ ├── eject -> ../../bin/busybox │ │ ├── env -> ../../bin/busybox │ │ ├── expand -> ../../bin/busybox │ │ ├── expr -> ../../bin/busybox │ │ ├── fgconsole -> ../../bin/busybox │ │ ├── find -> ../../bin/busybox │ │ ├── fold -> ../../bin/busybox │ │ ├── free -> ../../bin/busybox │ │ ├── ftpget -> ../../bin/busybox │ │ ├── ftpput -> ../../bin/busybox │ │ ├── fuser -> ../../bin/busybox │ │ ├── gb_un.bin │ │ ├── groups -> ../../bin/busybox │ │ ├── hd -> ../../bin/busybox │ │ ├── head -> ../../bin/busybox │ │ ├── hexdump -> ../../bin/busybox │ │ ├── hostapd │ │ ├── hostapd_cli │ │ ├── hostid -> ../../bin/busybox │ │ ├── id -> ../../bin/busybox │ │ ├── ifplugd -> ../../bin/busybox │ │ ├── install -> ../../bin/busybox │ │ ├── ipcrm -> ../../bin/busybox │ │ ├── ipcs -> ../../bin/busybox │ │ ├── iwlist │ │ ├── kbd_mode -> ../../bin/busybox │ │ ├── killall -> ../../bin/busybox │ │ ├── killall5 -> ../../bin/busybox │ │ ├── less -> ../../bin/busybox │ │ ├── logger -> ../../bin/busybox │ │ ├── logname -> ../../bin/busybox │ │ ├── lsof -> ../../bin/busybox │ │ ├── lspci -> ../../bin/busybox │ │ ├── lsusb -> ../../bin/busybox │ │ ├── md5sum -> ../../bin/busybox │ │ ├── mesg -> ../../bin/busybox │ │ ├── mkfifo -> ../../bin/busybox │ │ ├── nc -> ../../bin/busybox │ │ ├── nslookup -> ../../bin/busybox │ │ ├── od -> ../../bin/busybox │ │ ├── passwd -> ../../bin/busybox │ │ ├── pgrep -> ../../bin/busybox │ │ ├── pkill -> ../../bin/busybox │ │ ├── pmap -> ../../bin/busybox │ │ ├── printf -> ../../bin/busybox │ │ ├── pscan -> ../../bin/busybox │ │ ├── pstree -> ../../bin/busybox │ │ ├── pwdx -> ../../bin/busybox │ │ ├── readahead -> ../../bin/busybox │ │ ├── readlink -> ../../bin/busybox │ │ ├── realpath -> ../../bin/busybox │ │ ├── renice -> ../../bin/busybox │ │ ├── reset -> ../../bin/busybox │ │ ├── resize -> ../../bin/busybox │ │ ├── rtcwake 
-> ../../bin/busybox │ │ ├── rx -> ../../bin/busybox │ │ ├── script -> ../../bin/busybox │ │ ├── setkeycodes -> ../../bin/busybox │ │ ├── setsid -> ../../bin/busybox │ │ ├── sha1sum -> ../../bin/busybox │ │ ├── sha256sum -> ../../bin/busybox │ │ ├── sha512sum -> ../../bin/busybox │ │ ├── showkey -> ../../bin/busybox │ │ ├── signalRate │ │ ├── smemcap -> ../../bin/busybox │ │ ├── sort -> ../../bin/busybox │ │ ├── split -> ../../bin/busybox │ │ ├── strings -> ../../bin/busybox │ │ ├── sum -> ../../bin/busybox │ │ ├── tail -> ../../bin/busybox │ │ ├── tcpsvd -> ../../bin/busybox │ │ ├── tee -> ../../bin/busybox │ │ ├── telnet -> ../../bin/busybox │ │ ├── test -> ../../bin/busybox │ │ ├── tftp -> ../../bin/busybox │ │ ├── tftpd -> ../../bin/busybox │ │ ├── time -> ../../bin/busybox │ │ ├── timeout -> ../../bin/busybox │ │ ├── top -> ../../bin/busybox │ │ ├── traceroute -> ../../bin/busybox │ │ ├── tty -> ../../bin/busybox │ │ ├── udpsvd -> ../../bin/busybox │ │ ├── unix2dos -> ../../bin/busybox │ │ ├── uptime -> ../../bin/busybox │ │ ├── uudecode -> ../../bin/busybox │ │ ├── uuencode -> ../../bin/busybox │ │ ├── volname -> ../../bin/busybox │ │ ├── wc -> ../../bin/busybox │ │ ├── which -> ../../bin/busybox │ │ ├── whoami -> ../../bin/busybox │ │ ├── whois -> ../../bin/busybox │ │ ├── wpa_cli │ │ ├── wpa_supplicant │ │ ├── xargs -> ../../bin/busybox │ │ └── yes -> ../../bin/busybox │ ├── lib │ │ ├── libakaudiocodec.so -> libakaudiocodec.so.0.1.0 │ │ ├── libakaudiocodec.so.0.1.0 │ │ ├── libakaudiofilter.so -> libakaudiofilter.so.0.1.0 │ │ ├── libakaudiofilter.so.0.1.0 │ │ ├── libakmedialib.so -> libakmedialib.so.0.2.0 │ │ ├── libakmedialib.so.0.2.0 │ │ ├── libakmotiondetectlib.so -> libakmotiondetectlib.so.0.1.0 │ │ ├── libakmotiondetectlib.so.0.1.0 │ │ ├── libakstreamenclib.so -> libakstreamenclib.so.0.1.0 │ │ ├── libakstreamenclib.so.0.1.0 │ │ ├── libakuio.so -> libakuio.so.0.1.0 │ │ ├── libakuio.so.0 -> libakuio.so.0.1.0 │ │ └── libakuio.so.0.1.0 │ ├── local │ │ ├── 
factory_cfg.ini │ │ ├── hostapd.conf │ │ ├── isp_9712.conf │ │ ├── isp_ar0130.conf │ │ ├── isp_h42.conf │ │ ├── isp_h42_krt.conf │ │ ├── isp_sc1035_CX.conf │ │ ├── isp_sc1035_PX.conf │ │ ├── isp_sc1035_ja.conf │ │ ├── isp_sc1035_yws.conf │ │ ├── isp_sc1045_CX.conf │ │ ├── isp_sc1045_PX.conf │ │ ├── isp_sc1045_ja.conf │ │ ├── isp_sc1045_yws.conf │ │ ├── isp_sc1135_CX.conf │ │ ├── isp_sc1135_PX.conf │ │ ├── isp_sc1135_yws.conf │ │ ├── isp_sc1145_CX.conf │ │ ├── isp_sc1145_PX.conf │ │ ├── isp_sc1145_yws.conf │ │ ├── multi_conf_mode │ │ ├── p2p_conf_in.json │ │ ├── p2p_conf_out.json │ │ ├── test_cfg.ini │ │ └── wpa_supplicant.conf │ ├── modules │ │ ├── 8188fu.ko │ │ ├── ak_ethernet.ko │ │ ├── ak_gpio_module.ko │ │ ├── ak_pwm_char.ko │ │ ├── akcamera.ko │ │ ├── akmci.ko │ │ ├── g_mass_storage.ko │ │ ├── i2c-dev.ko │ │ ├── otg-hs.ko │ │ ├── sdio_wifi.ko │ │ ├── sensor_ar0130.ko │ │ ├── sensor_gc1024.ko │ │ ├── sensor_h42.ko │ │ ├── sensor_h61.ko │ │ ├── sensor_ov9712.ko │ │ ├── sensor_sc1035.ko │ │ ├── sensor_sc1045.ko │ │ ├── sensor_sc1135.ko │ │ ├── sensor_sc1145.ko │ │ ├── sensor_sc1235.ko │ │ ├── sensor_sc1245.ko │ │ └── udc.ko │ ├── sbin │ │ ├── anyka_ipc.sh │ │ ├── brctl -> ../../bin/busybox │ │ ├── camera.sh │ │ ├── check_wifi.sh │ │ ├── chroot -> ../../bin/busybox │ │ ├── device_save.sh │ │ ├── dhcprelay -> ../../bin/busybox │ │ ├── eth_manage.sh │ │ ├── fakeidentd -> ../../bin/busybox │ │ ├── fbset -> ../../bin/busybox │ │ ├── ftpd -> ../../bin/busybox │ │ ├── inetd -> ../../bin/busybox │ │ ├── led.sh │ │ ├── loadfont -> ../../bin/busybox │ │ ├── nanddump -> ../../bin/busybox │ │ ├── nandwrite -> ../../bin/busybox │ │ ├── nbd-client -> ../../bin/busybox │ │ ├── net_manage.sh │ │ ├── ntpd -> ../../bin/busybox │ │ ├── rdate -> ../../bin/busybox │ │ ├── rdev -> ../../bin/busybox │ │ ├── readprofile -> ../../bin/busybox │ │ ├── recover_cfg.sh │ │ ├── remote_update.sh │ │ ├── repeater_one.sh │ │ ├── repeater_two.sh │ │ ├── service.sh │ │ ├── setfont -> 
../../bin/busybox │ │ ├── setlogcons -> ../../bin/busybox │ │ ├── standby.sh │ │ ├── station_connect.sh │ │ ├── telnetd -> ../../bin/busybox │ │ ├── tf_update.sh │ │ ├── ubiattach -> ../../bin/busybox │ │ ├── ubidetach -> ../../bin/busybox │ │ ├── ubimkvol -> ../../bin/busybox │ │ ├── ubirmvol -> ../../bin/busybox │ │ ├── ubirsvol -> ../../bin/busybox │ │ ├── ubiupdatevol -> ../../bin/busybox │ │ ├── udhcpd -> ../../bin/busybox │ │ ├── udisk.sh │ │ ├── update.sh │ │ ├── update_online.sh │ │ ├── wifi_concurrent.sh │ │ ├── wifi_driver.sh │ │ ├── wifi_manage.sh │ │ ├── wifi_run.sh │ │ ├── wifi_station.sh │ │ └── wifi_uninstall.sh │ └── share │ ├── mp3 │ │ ├── chinese │ │ │ ├── Configuration_mode.mp3 │ │ │ ├── Firmware_update_failed.mp3 │ │ │ ├── Password_error.mp3 │ │ │ ├── Restore_factory_settings.mp3 │ │ │ ├── Upgrade.mp3 │ │ │ ├── WiFi_connection_completed.mp3 │ │ │ ├── WiFi_connection_failed.mp3 │ │ │ └── WiFi_setting.mp3 │ │ ├── english │ │ │ ├── Configuration_mode.mp3 │ │ │ ├── Firmware_update_failed.mp3 │ │ │ ├── Password_error.mp3 │ │ │ ├── Restore_factory_settings.mp3 │ │ │ ├── Upgrade.mp3 │ │ │ ├── WiFi_connection_completed.mp3 │ │ │ ├── WiFi_connection_failed.mp3 │ │ │ └── WiFi_setting.mp3 │ │ ├── german │ │ │ ├── Configuration_mode.mp3 │ │ │ ├── Firmware_update_failed.mp3 │ │ │ ├── Password_error.mp3 │ │ │ ├── Restore_factory_settings.mp3 │ │ │ ├── Upgrade.mp3 │ │ │ ├── WiFi_connection_completed.mp3 │ │ │ ├── WiFi_connection_failed.mp3 │ │ │ └── WiFi_setting.mp3 │ │ ├── korean │ │ │ ├── Configuration_mode.mp3 │ │ │ ├── Firmware_update_failed.mp3 │ │ │ ├── Password_error.mp3 │ │ │ ├── Please_wait.mp3 │ │ │ ├── Restore_factory_settings.mp3 │ │ │ ├── Upgrade.mp3 │ │ │ ├── WiFi_connection_completed.mp3 │ │ │ ├── WiFi_connection_failed.mp3 │ │ │ └── WiFi_setting.mp3 │ │ ├── portuguese │ │ │ ├── Configuration_mode.mp3 │ │ │ ├── Firmware_update_failed.mp3 │ │ │ ├── Password_error.mp3 │ │ │ ├── Restore_factory_settings.mp3 │ │ │ ├── Upgrade.mp3 │ │ │ ├── 
WiFi_connection_completed.mp3 │ │ │ ├── WiFi_connection_failed.mp3 │ │ │ └── WiFi_setting.mp3 │ │ ├── russian │ │ │ ├── Configuration_mode.mp3 │ │ │ ├── Firmware_update_failed.mp3 │ │ │ ├── Password_error.mp3 │ │ │ ├── Restore_factory_settings.mp3 │ │ │ ├── Upgrade.mp3 │ │ │ ├── WiFi_connection_completed.mp3 │ │ │ ├── WiFi_connection_failed.mp3 │ │ │ └── WiFi_setting.mp3 │ │ └── spanish │ │ ├── Configuration_mode.mp3 │ │ ├── Firmware_update_failed.mp3 │ │ ├── Password_error.mp3 │ │ ├── Restore_factory_settings.mp3 │ │ ├── Upgrade.mp3 │ │ ├── WiFi_connection_completed.mp3 │ │ ├── WiFi_connection_failed.mp3 │ │ └── WiFi_setting.mp3 │ ├── udhcpc │ │ └── default.script │ └── udhcpd.conf ├── usr.sqsh4 ├── usr.sqsh4.md5 ├── zImage └── zImage.md5 35 directories, 471 files
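Review bot: the firmware tree is added as one raw listing with nothing marking the entries that matter for the telnet/FTP note elsewhere in this gist. Under sbin it shows `telnetd -> ../../bin/busybox` and `ftpd -> ../../bin/busybox` next to `tf_update.sh`, `update.sh`, `update_online.sh`, `remote_update.sh` and `service.sh`. A short annotated list above the tree naming those files, and saying which script checks for "ftp_telnet_flag" and "uart_flag", would save readers from searching 471 entries. The only integrity artefacts visible at the end of the listing are `usr.sqsh4.md5` and `zImage.md5`, which is also worth one sentence.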
maxious revised this gist
Mar 26, 2018 . 1 changed file with 0 additions and 0 deletions.
maxious revised this gist
Mar 26, 2018 . 1 changed file with 18 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,3 +1,4 @@  Might also be the dv163 P1: http://help.dvr163.com/index.php/P1 Check/download latest firmware (site blocked for malware in Chrome/Firefox) @@ -12,6 +13,23 @@ Updating to version 1.4.70 opens up telnet/ftp if the files "ftp_telnet_flag" an Someone else wonders about cracking the root hash https://gist.github.com/gabonator/74cdd6ab4f733ff047356198c781f27d # Streaming Streaming happens TCP port 64444 with a handshake looking like: ``` login = 'LTCP...u'.replace('.',b'\x00') loginSoup = '<SOUP version="1.0"><auth usr="admin" psw="" eseeid="" nat="symmetric" client="" imei="" isp="" buddleid=""/></SOUP>.'.replace('.',b'\x00') #response LTCP...?<SOUP version="1.0"><auth usr="admin" psw="" error="0"/></SOUP> create = 'LTCP...R'.replace('.',b'\x00') createSoup = '<SOUP version="1.1"><vcon cmd="create" id="132137576" app="RemoteSetup" /></SOUP>.'.replace('.',b'\x00') startStream = 'LTCP...O'.replace('.',b'\x00') startStreamSoup = '<SOUP version="1.0"><streamreq ch="vin0" stream="stream0" opt="start"/></SOUP>.'.replace('.',b'\x00') #response LTCP...[<SOUP version="1.0"><streamreq ch="vin0" stream="stream0" opt="start" cam_des="P1"/></SOUP> ``` You can extract H264 frames out of a packet capture on port 64444: > ffmpeg -err_detect ignore_err -i stream.pcap -c copy stream.mp4 -
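Review bot: in the added "# Streaming" block, every `'...'.replace('.',b'\x00')` call passes a bytes replacement to a str method, which raises TypeError on Python 3, and since it replaces every '.', it would also rewrite `version="1.0"` inside the SOUP payloads, not just the padding. Suggest writing the frames as bytes literals with explicit escapes, for example `b'LTCP\x00\x00\x00u'`, and appending the terminating `\x00` to each SOUP string explicitly. The login frame authenticates as `usr="admin"` with `psw=""` and the response shows `error="0"`; the text should say whether that empty password is the factory default or specific to this unit. Minor: "Streaming happens TCP port 64444" is missing "on".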
maxious revised this gist
Mar 26, 2018 . 1 changed file with 2317 additions and 0 deletions.
maxious created this gist
Mar 26, 2018 .
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,18 @@ Might also be the dv163 P1: http://help.dvr163.com/index.php/P1 Check/download latest firmware (site blocked for malware in Chrome/Firefox) http://42.96.185.60:8088/XVR/common/checkCommonUpdate.php?DevModel=IPCAM&SWVersion=1.4.47.0&DeviceSN=F2731110583936&ODMNum=391802&FirmwareMagic=SlVBTiBJUENBTSBGSVJNV0FSRSBERVNJR05FRCBCWSBMQVc=&Release=1&app_version=2.3.13 Response: ``` New Firmware=1\r\n Link=http://42.96.185.60:8088/XVR/common/getFirmware.php?ODM=COMMON&ROM=V1.4.70_CW.tar\r\n ``` Updating to version 1.4.70 opens up telnet/ftp if the files "ftp_telnet_flag" and "uart_flag" are on the SD card. Someone else wonders about cracking the root hash https://gist.github.com/gabonator/74cdd6ab4f733ff047356198c781f27d You can extract H264 frames out of a packet capture on port 64444: > ffmpeg -err_detect ignore_err -i stream.pcap -c copy stream.mp4 The stream is of type Video: h264 (Main) (avc1 / 0x31637661), yuv420p, 1280x720, 518 kb/s, 15.02 fps, 15 tbr, 1200k tbn, 30 tbc
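Review bot: the update-check URL in the first added lines is published with a concrete `DeviceSN=F2731110583936` and `ODMNum=391802`; if these identify the author's own camera, replace them with placeholders and say which parameters the server actually requires. Both that URL and the `Link=` in the quoted response are plain http to a bare IP that the text itself says is blocked for malware in Chrome/Firefox, so add a sentence on how the downloaded `V1.4.70_CW.tar` was checked before it was flashed. The ffmpeg line is quoted with `>` and would read better as a code block like the response above it.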