hacking china IP camera - need help for rtsp , password for telnet

[van12]

hi

i bought this noname IP camera for 270RMB in Beijing sept 2016, not any info on the camera (except uid admin and password is empty) , no userguide. I didnt care much for asking the manual, just thought I can fix it with http (i have foscam and another outdoor ip camera at home) .... I was wrong no port 80.......but there is telnet, rtsp (554)

I try vcl player, angry ip scanner, nmap, firefox,rtsp player app, webcam 7 ...nothing help
https://www.ispyconnect.com/man.aspx?n=china#

are there anyone of you having the port like below, any idea? any root password for telnet??

the chip inside is "Grain" , see picture below

http://192.168.1.75:554/ just give "file not found"

root@ubuntu-armhf:~# nmap -AT4 192.168.1.75
Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-09 22:56 CET
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.75
Host is up (0.00067s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Busybox telnetd
554/tcp open http GM Streaming Server httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title (text/html).
| rtsp-methods:
|_ DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, SET_PARAMETER, GET_PARAMETER
5050/tcp open tcpwrapped
5051/tcp open tcpwrapped
8800/tcp open tcpwrapped
8899/tcp open soap gSOAP soap 2.8
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/xml; charset=utf-8).
MAC Address: CE:5B:8A:A30:7D (Unknown)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.9
Network Distance: 1 hop
Service Info: Host: GM; Device: webcam

TRACEROUTE
HOP RTT ADDRESS
1 0.67 ms 192.168.1.75

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.68 seconds



root@ubuntu-armhf:~# telnet 192.168.1.75
Trying 192.168.1.75...
Connected to 192.168.1.75.
Escape character is '^]'.

GM login: admin
Password:
Login incorrect
GM login:

 

[Cardoso (Interside)]

Hi,

Try to find the camera using the software below.

IP Camera Finder: http://download2.eye4.cn/download/application/app-find-vstarcam.zip

 

[van12]

hi, Thanks, unfortunately it can only find my other ip-cams, not the one I have issue with

 

[Garyw]

I have a similar ipcam. I have managed to login using root as the username and blank password

There's not much in there tho. - although I know little about Linux.

Port 553 is the rtsp streaming port but I need a 20 digit UID to be able to connect (on the bottom of th camera is only a 7 digit ID...)

 

[van12]

i had tried root with blank password, not work.
there is no 7 or 20 digit UID, only 8 digit on the barcode (label). try to use wmplayer for open rtsp stream, nothing happens

root@ubuntu-armhf:~# telnet 192.168.1.75
Trying 192.168.1.75...
Connected to 192.168.1.75.
Escape character is '^]'.

GM login: root
Password:
Login incorrect
GM login:

 

[Garyw]

I have successfully connected to the RTSP stream using VLC and IP Cam Viewer Lite (on iOS).

I did this via http//IP ADDRESS:554/onvif1 (for Standard Definition video) using generic RTSP over TCP

replace onvif1 with onvif2 to get HD video

The limitation of this method is that you can't control the camera - eg Pan, Tilt or send audio to the device.

 

[van12]

thanks for the tips about onvif , I found the "ONVIF Device Manager" and it discovers easily the URL for me . The application also have the option for rotate the webcam, showing the "live video" and nothing more (for this webcam)
start VLC -> ctrl +n -> click network
rtsp://192.168.1.75//live/ch00_1

I found some intersting links, but couldn't crack the root password yet. I am trying commix right now

https://jumpespjump.blogspot.dk/2015/09/how-i-hacked-my-ip-camera-and-found.html
Chinese IP camera configuration & firmware | Technology News
IP Cameras Default Passwords Directory

 

[Link Aylomen]

Hi,

Try:
root
cat1029

 

[Link Aylomen]

If you can get hold of the firmware id be happy to have a look at the hashes and get back to you

P.s. sorry if this thread is old!

 

[van12]

>>root/cat1029 not help
tng@ubuntu-armhf:~$ telnet 192.168.1.75
Trying 192.168.1.75...
Connected to 192.168.1.75.
Escape character is '^]'.
GM login: root
Password:
Login incorrect
GM login:

>>firmware id
not much info, other than "31628229" on a white label

 

[gutmetal]

Any news on that? I believe I have a similar camera which was working perfectly before I update the firmware. No the Y axis won't move perfectly. I'll try to downgrade the firmware.

 

[sitkonen]

Old thread, but my camera's user/pass for rtsp stream was admin/12345 and rtsp url was rtsp://192.168.8.176//live/ch00_1 .
For telnet admin/12345 did not work.

 

[raj33]

try telnet root/cxlinux

 

[jimmyboy_101]

signed up to say raj33 had the right credentials for me! cp05 now to have a look around this thing and see whats lerking underneath!

 

[Feanor]

login: root
Password: GM8182

 

[Mode_ss]

signed up to say raj33 had the right credentials for me! cp05 now to have a look around this thing and see whats lerking underneath!

Also worked for me... Thanks to Raj33. I Jimmyboy_101, any findings that's worth tho share?... I was hoping I could find a way to download my files from the SD card through telnet, but that protocol is not designed for doing that. So... Have you found any way to enable FTP on those cameras so you could backup your videos stored in the SD card?

 

[UweUwe]

Maybe you should try to find the required password, for example, here IP Camera Default Password

 

[chris bant]

I update the firmware. No the Y axis may not move flawlessly. I'll try to downgrade the firmware.

 

[ryks]

guys ,what i did was simple // open vlc/Media/open network stream /and just added on network url something like this
rtsp://192.168.1.34:554
then i was prompted with user and password
at user i added - admin
to password -
then pres play and is working

 

[Fellow26]

I have a similar issue. A Chinese no-name camera that would only play via HDLivecam app. I nmapped and found it is listening on 8554/tcp port for rtsp. when trying to connect via VLC, it prompts for authentication. It seems to accept admin 123456 but disconnects immediately with the following in the log.

live555 error: Failed to connect with rtsp://192.168.68.110:8554
satip error: Failed to setup RTSP session
-- logger module stopped --

Any help / direction would be appreciated.