VTH1550CH connects VTO but not cameras (SIP firmware)

alexc · Jan 11, 2022

Hi,

I am following this forum for a while but this is my first post.

I have a VTH1550CH connected to a VTO3211D-P2 and to several Dahua cameras. This was working fine with the non-SIP firmware.

I upgraded the VTH and VTO with the SIP firmware (from here). The VTH now connects the VTO with SIP, no problem here. However I can't connect my cameras to the VTH.

From the VTH, I do: Monitor -> IPC -> Add -> Enter Name, IP address, user name, password -> OK and then I got the message "Set Successfully" but the camera doesn't show up on the screen.

If I reset the VTH ("Default All" option) then I can successfully add a camera (same procedure as described above) right after the reset (i.e. before configuring the VTH to connect the VTO). However the camera disappears from the VTH as soon as configure the VTH to connect the VTO.

Firmware:

VTH 4.300.0000000.8.R.20190316
VTO 4.300.0000002.0.R.20190511

The VTO is configured has the SIP server.

Has anyone seen this problem?

riogrande75 · Jan 11, 2022

Sounds a bit weird - never heard about this problem.

Well, I would compare the configurations of both setup's. This could point out your problem's cause.

Connect with the DahuaConsole to your VTH after you successfully setup your cameras and issue command "config all".
Then connect the VTH with SIP to your VTO and when your cameras don't work anymore, do again a "config all".
Save both outputs (you have to increase the scrollback window previously if you use putty!) and then you should see a difference in section "VTHRemoteIPCInfo".

Ok,ok - this is not a easy task for Linux beginners, but you'll learn a lot of dahua's configuration and this will surly help you diagnose other issues in the future.

alexc · Jan 11, 2022

Thanks. I have the DahuaConsole working and it's great! Thanks for that (no problem with Linux/Python/JSON, that's part of my job).
I am able to connect the VTH, I will check the data with different configurations.

alexc · Jan 12, 2022

So ,this is weird :

if I set the IP address of the SIP Server with the IP address of the VTO (where the SIP server is) then I cannot add any camera (DahuaConsole shows that the camera list remains empty)
if I set the IP address of the SIP server with an unused IP address then I can successfully add cameras

Here is the config difference:

Code:

               "OutboundProxy": "192.168.1.99",              |                        "OutboundProxy": "192.168.1.110",
                "SIPServer": "192.168.1.99",                 |                        "SIPServer": "192.168.1.110",
                    "Address": "0.0.0.0",                    |                            "Address": "192.168.1.93",
                    "MachineAddress": "",                    |                            "IpcRely": "IPC",
                    "Password": "admin",                     |                            "MachineAddress": "aaa",
                                                             >                            "Password": "xxxxxxxx",
                    "StreamType": "Extra1",                  |                            "StreamType": "Main",

192.168.1.99 is the address of the VTO (with the SIP server).
192.168.1.110 is an unused IP address.
192.168.1.93 is the address of the camera.

On the left side, the SIP server is configured with the correct IP address (192.168.1.99) and I cannot add any camera.
On the right side, the SIP server is configured with an unused IP address (192.168.1.110) and I can successfully add a camera (e.g. 192.168.1.93).

I notice that setting the SIP server sets "SIPServer" but also "OutboundProxy". Could it be that if the IP address is valid then the request to connect a camera goes through the proxy (in that case the VTO) and the request fails; but if the IP address is not valid then no proxy is used and the request goes directly to the camera?

riogrande75 · Jan 12, 2022

That sounds interresting :wtf:

Did you try to add the camera's again after you hooked it up the SIP server?

Did you also try latest FW for VTO? This seems to be the latest firmware for VTO3211D devices:
DH_VTO3211D_MultiLang_PN_SIP_V4.400.0000001.0.R.20210722

alexc · Jan 12, 2022

I tried this:

VTH and VTO properly configured, no camera added
Block network access to VTO (i.e. VTH can't reach VTO)
Add camera (this works because the SIP server is not reachable)
Camera is visible and accessible from VTH
Unblock network access to VTO
The camera just added disappears from VTH!!!

Next step: I will update to the latest VTO firmware.

bashis · Jan 13, 2022

alexc said:
I tried this:

VTH and VTO properly configured, no camera added

Block network access to VTO (i.e. VTH can't reach VTO)

Add camera (this works because the SIP server is not reachable)

Camera is visible and accessible from VTH

Unblock network access to VTO

The camera just added disappears from VTH!!!

Next step: I will update to the latest VTO firmware.

FYI, I got curious so I needed to test and it turned out that I had exactly same issue as you with;
VTH2421F: DH_VTHX421H_MultiLang_SIP_V4.500.0000000.7.R.201220
VTO2101E: DH_VTO2101E_MultiLang_PN_16M-SIP_V4.500.0000000.5.R.201026

But started to work again after upgrade the VTH to: DH_VTHX421H_MultiLang_SIP_V4.500.0000002.0.R.210713 with Firmware from dahuasecurity.com

Of course the CVE-2021-33044 (NetKeyboard) stop working on the VTH with new FW, but since the VTO has no newer FW available - it's still working. (d0h!)

[EDIT]
Dahua 'updated' this firmware 13/10/2021 with old and exploitable version from 26/10/2020 (sigh)

Verify here:

Dahua Technology - World-leading Video-centric AIoT Solution and Service Provide

Dahua Technology

www.dahuasecurity.com

or here (13/01/2022)

Dahua Technology - Leading Video Surveillance Solution Provider with CCTV Products, IP Camera, PTZ, HDCVI products, NVR, Intelligent Building, Intelligent Transportation and Software - Dahua Technology

Dahua Technology

web.archive.org

alexc · Jan 13, 2022

Thanks for your tests. On my side, I updated the VTO to the latest firmware and still have the problem. But as you found out the problem comes from the VTH, and I think I have the latest VTH1550CH firmware (4.300.0000000.8.R.20190316), so it looks like I am stuck. I will try to snoop the network to see if I can just block requests to the SIP server related to cameras.

bashis · Jan 13, 2022

alexc said:
Thanks for your tests. On my side, I updated the VTO to the latest firmware and still have the problem. But as you found out the problem comes from the VTH, and I think I have the latest VTH1550CH firmware (4.300.0000000.8.R.20190316), so it looks like I am stuck. I will try to snoop the network to see if I can just block requests to the SIP server related to cameras.

You have new firmware here
Version: DH_VTHX421L_MultiLang_SIP_V4.500.0000001.0.R.210714

bashis · Jan 13, 2022

bashis said:
You have new firmware here
Version: DH_VTHX421L_MultiLang_SIP_V4.500.0000001.0.R.210714

By the way, with your very old 4.3x Firmware you are vulnerable and exploitable to 'Dahua Authentication bypass (CVE-2021-33044, CVE-2021-33045)', more details here.
<snip>
[...]
September 1, 2021: Notified Dahua PSIRT that I cannot find firmware updates for my IPC/VTH/VTO devices
September 2, 2021: Dahua PSIRT pointed oversea website, asked for what models I have so Dahua could release firmware
September 2, 2021: Refused to provide details, as I do expect me to find firmware on their website
September 3, 2021: Dahua PSIRT informed that R&D will upload updated firmware in batches
[...]
</snip>

If you do not can use that firmware I posted above, get in contact with Dahua and point at me as the reason and you must have updated firmware

I know (or at least sure about) that Dahua monitor this site and also IPVM, where I just made a post about 'VTO2101E' that I just found out still exploitable to CVE-2021-33044, you can read more here if you are IPVM member.

Best, bashis

riogrande75 · Jan 14, 2022

@bashis The firmware link you posted is for VTH1550-S2 (2nd. gen of VTH1550 which has complete different hw). Do not try to flash this on a gen1 VTH1550, it will brick it!
In fact dahua did not yet release a new fw with a fix for 'Dahua Authentication bypass (CVE-2021-33044, CVE-2021-33045)' issue for this model. So fw 4.3 dated 20190316 is the latest.

@alexc: Can you pls. post the whole config from your VTH after you ran into the problem? I want to compare it with my VTH's config.
Maybe I can find a hack to make it possible to use camera's again.

alexc · Jan 14, 2022

The config is attached (I've just masked out passwd). It was taken right after trying to add a camera.

From the console log/dlog, I see this:

dlog:
[2022-01-14 10:05:21]
Detail: {'Data': 'VTHRemoteIPCInfo'}
User: System, Device: , Type: SaveConfig, Level: 0
[2022-01-14 10:05:19]
Detail: {'Data': 'VTHRemoteIPCInfo'}
User: System, Device: , Type: SaveConfig, Level: 0

log:
10:05:29|[Manager] [ver:Unknown] info Log.cpp DumpInfo 864 tid:439 Log 2 : {
"Detail" : {
"Data" : "VTHRemoteIPCInfo"
},
"Device" : "",
"Level" : 0,
"Time" : "2022-01-14 10:05:19",
"Type" : "SaveConfig",
"User" : "System"
}

riogrande75 · Jan 14, 2022

You did not yet answer my question from post #5:

Did you try to add the camera's again after you hooked it up the SIP server?

alexc · Jan 14, 2022

riogrande75 said:
You did not yet answer my question from post #5:

Do you mean hook up the camera to the SIP server? I don't see options to do that with VTO3211 (which is the SIP server).

I have snooped the network traffic, and I can see that the VTH sends some DHIP requests to the VTO, but requests are encrypted. Do you know if we can disable DHIP encryption between VTH and VTO?

riogrande75 · Jan 14, 2022

I mean, did you try to add a ip camera again on the VTH AFTER you connected the VTH to the VTO's SIP server?

alexc · Jan 14, 2022

Adding an IP camera on the VTH after connecting the VTH to the VTO SIP server doesn't work.
Adding an IP camera works only if the VTH is configured with a SIP server with an invalid IP address.

As soon as the VTH SIP is configured with the VTO's SIP server address then adding camera doesn't work, and if cameras were already configured they disappear. Note that this fails even if the "Enable Status" of the SIP server on the VTH is set to "Off".

riogrande75 · Jan 14, 2022

Just gave it a shot with my VTH1660 (same fw binary like your VTH1510) and VTO2000A (latest fw from july '21). No problem.

Did you try to add the camera's config again with DahuaConsole or another hack?
If they are visible in the config just like they were before, can the camera's be viewed?

alexc · Jan 17, 2022

riogrande75 said:
Just gave it a shot with my VTH1660 (same fw binary like your VTH1510) and VTO2000A (latest fw from july '21). No problem.

Did you try to add the camera's config again with DahuaConsole or another hack?
If they are visible in the config just like they were before, can the camera's be viewed?

I have added a "setIPC" command to DahuaConsole, and it effectively adds the camera to the config:

Code:

[Console]# config VTHRemoteIPCInfo.Ipc32
{
    "params": {
        "table": {
            "Address": "0.0.0.0",
            "Channel": 0,
            "MachineAddress": "",
            "Password": "admin",
            "Port": 554,
            "ProtocolType": "Dahua3",
            "StreamType": "Extra1",
            "UserName": "admin"
        }
    }
}

[Console]# setIPC
[+] set VTHRemoteIPCInfo.Ipc32: True

[Console]# config VTHRemoteIPCInfo.Ipc32
{
    "params": {
        "table": {
            "Address": "192.168.1.93",
            "Channel": 0,
            "IpcRely": "IPC",
            "MachineAddress": "cour",
            "Password": "XXXXXXXX,
            "Port": 554,
            "ProtocolType": "Dahua3",
            "StreamType": "Main",
            "UserName": "admin"
        }
    }
}

However, the camera disappears from the config if I interact with the VTH to view the camera: on the VTH, I select 'Monitor' then 'IPC' and the camera is gone from the config.

Code:

[Console]# config VTHRemoteIPCInfo.Ipc32
{
    "params": {
        "table": {
            "Address": "0.0.0.0",
            "Channel": 0,
            "MachineAddress": "",
            "Password": "admin",
            "Port": 554,
            "ProtocolType": "Dahua3",
            "StreamType": "Extra1",
            "UserName": "admin"
        }
    }
}

riogrande75 · Jan 17, 2022

Well... Then I'd say, this could be a incompatible setup (at least a bit) :banghead:

Maybe there is a chance to hack the VTO's config - can you post VTO's output of "config all"?
I'll compare it with my VTO2000A's config, maybe there is chance to convice your VTO to allow some IPC's as well.

bashis · Jan 17, 2022

It's a bug in the VTH Firmware, simple as that.

You should reach out to Dahua and ask for updated Firmware.

VTH1550CH connects VTO but not cameras (SIP firmware)

n3wb

Pulling my weight

n3wb

n3wb

Pulling my weight

n3wb

n3wb

Pulling my weight

n3wb

Attachments

Pulling my weight

n3wb

Pulling my weight

n3wb

Pulling my weight

n3wb

Pulling my weight