Determining "Resource path" strings for an older Dahua IP camera

[bcjackson]

I'm trying to connect a new InVidTech NVR to an existing system consisting of about 10 cameras. Some of the cameras are HikVision, and I can connect to them using one of the built in protocols provided by the NVR. There are several cameras however that I think are some sort of private labelled Dahua cameras. I know the login credentials to these cameras and I can log into them directly with Internet Explorer using the Active X control. I can see live video and configure them. The InVid Tech NVR so far has not been able to connect to those cameras using any of the protocols provided.

What's available to try are InVid Tech 1 (I guess works with InVid Tech branded cameras), InVid Tech 2 (which works with HikVision cameras, OnVif (which I hoped would work here, but does not), and finally Custom. With "Custom" you can configure some custom configurations for the main stream and the sub stream. Some of this is preconfigured such as: "Type" is RTSP, "Transfer protocol" is TCP, and the "Port" is 554. The final text boxes for the two streams are labelled "Resource path", and I'm seeking some guidance for that.

Does anybody have any suggestions for how I can learn the strings that I need to put in the resource path boxes so that I might get a working connection to the camera. BTW, the NVR is the InVid Tech model PN1A-16X16-2NH. The camera is just not marked at all, but based upon some related sales documents dating back the installation, the camera is similar to a Dahua model IPC-HDBW2320RN-ZS. The cameras were installed in mid 2016.

 

[TonyR]

Have you tried ODM ? Log in, go to Live Video and if it's ONVIF-compatible, find the RSTP stream URL at bottom.

If no joy, try these below as a network stream with VLC:

Mainstream:

rtsp:/username:password@Camera-IP:554/cam/realmonitor?channel=1&subtype=0

Substream:

rtsp:/username:password@Camera-IP:554/cam/realmonitor?channel=1&subtype=1

NOTE: use 2 "/" after "rstp:", the forum software won't allow 2 in a row!

 

[bcjackson]

Have you tried ODM ? Log in, go to Live Video and if it's ONVIF-compatible, find the RSTP stream URL at bottom.

If no joy, try these below as a network stream with VLC:

Mainstream:

rtsp:/username:password@Camera-IP:554/cam/realmonitor?channel=1&subtype=0

Substream:

rtsp:/username:password@Camera-IP:554/cam/realmonitor?channel=1&subtype=1

NOTE: use 2 "/" after "rstp:", the forum software won't allow 2 in a row!

Hi TonyR:
This was quite helpful. I did try ODM, but it was not able to show me any RTSP stream URLs. It was only able to show just a few details. Maybe the camera doesn't work as expected. However, I then moved on to your specific suggestions for the main stream and sub stream using VLC to test with. I was able to make both streams work, so that's good progress. In the morning tomorrow, I will see if I can transfer this information to the InVid Tech NVR and make it work there too.

I had found something pretty close to this on a website called getscw.com, but I'd not correctly figured out their example URLs. Your strings made the difference here.

 

[bcjackson]

Hi TonyR:
Those resource path strings do seem to work. I was able to connect to one of the Dahua cameras I had on the test bench. I likely can clone that solution for all the other similar cameras onsite.

This is a different question pertaining this job wherein the NVR is being upgraded with newer equipment. There are a couple of HikVision cameras installed for which nobody knows the password. Well, to be exactly accurate, I guess one could say that the NVR that's coming out knows the passwords and has them stored in its configuration. However, the customer has no records, and the original installer is not available. The NVR user interface does not display them on screen.

I contacted HikVision directly and provided serial numbers to see if they would assist. They would not, saying the problem was that the cameras had been sourced via grey market distribution channels, and they don't support those cameras. I tried a little password reset utility that works with some older HikVision cameras, but it would not work with these; it threw an error message instead.

I'm wondering if there is a practical way to obtain the passwords from the old NVR by some means. Would it be practical to perhaps use something like WireShark and maybe examine packets going from the NVR to that camera? Would the passwords be present in clear text and be learnable by a method like that?

For the immediate term, the customer said just replace the cameras with new ones, and don't forget to make them better He sees this as an upgrade opportunity. He likely has no interest in the cameras I take down, but I do. I'll benefit if the passwords can become known.

 

[alastairstevenson]

I'm wondering if there is a practical way to obtain the passwords from the old NVR by some means.

If the NVR has old enough firmware (sorry but I don't know what version they changed this on) that the exported camera configuration file from the NVR holds the camera passwords, there is a fair chance it can be decrypted and the passwords exposed in plaintext.
Zip up a config file and attach here, or send it to me in 'Conversations' for privacy.

Also - what's the firmware versions of the Hikvision cameras?
If it's 5.4.0 or earlier, the camera password can be extracted via a configuration file exported without the need for authentication, then decrypted and decoded.
Given LAN access to the cameras, eg a PC with an IP address in the same range the cameras are on, try this URL :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
If that works - zip it up and supply it.

Also - and you've probably tried this already, by default, Hikvision cameras 'Activated' by connecting to a Hikvision NVR PoE port in Plug&Play mode would be given the NVR admin password to activate them.
The newer firmware has a facility to use a separate password for activation - but the NVR VGA/HDMI interface has an option to show this.

 

[bcjackson]

Update from the field:

The HikVision cameras are as follows: The DS-2CD2342WD-I has V5.5.0.Build 170725. The NSC-212-DM has V5.4.3.Build 170123. I tried the URL provided (http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK ), and got some results, but none useful. When trying that with the DS-2CD camera, the browser just came back with "page cannot be found". When trying that with the NSC-212 camera, it resulted in a login dialog box requesting the information I don't have.

I also tried the password used for access to the NVR, but that didn't work on either camera.

I'm still not sure what brand of NVR this is that I'm replacing, but it did have an option to export configuration information to files it would place on a flash drive plugged into one of the USB ports. One such export dealing with camera configuration did provide all the camera passwords in plain text. So, the problem is resolved.

 

[alastairstevenson]

Excellent! A good result.

 

[alastairstevenson]

I tried the URL provided (http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK ), and got some results, but none useful.

Just as an aside - if that's a Hikvision OEM brand, that version of firmware probably has the 'Hikvision backdoor vulnerability'.
An indication is the lack of authentication prompt when requesting the configuration file export.
If so, the resultant file would be encrypted and encoded, which when reversed holds the camera password in plaintext.

 

[bcjackson]

I'm back for a little more help. I had occasion to go onsite today and connect the new InVid Tech NVR to the customers collection of cameras. Right now, I have 9 of the 10 cameras streaming video. Three of the camera are HikVision, so they seem to work fine using one of InVid Tech's built in prototcols. Six of them are thought to be some sort of Dahua OEM version that Dahua says isn't their's, but I think is their's Those work using the resource path info that TonyR provided a few messages back.

The final camera that's not streaming yet has a very similar looking user interface to the Dahuas when you log into it directly. What I mean is it's very similar in appearance to the six "Dahua" cameras. It's definitely a different camera though. The six that work are fixed cameras. This last one is an outdoor PTZ. The description in a sales document I saw for this original installation described it as: "EYEsurv ESIP-PTZv3-1080pIR 2MP High Definition Infrared IP PTZ Zoom Security Camera 30x". I did find an "update.bin" firmware file on Nelly's Security site for that model. I do think it's very likely that Nelly's was the distributor of this camera. I wonder what are the chances that a firmware upgrade will do something to make using RTSP with this camera work. If I do a firmware update, and if the update applies OK, but still offers no results connecting to the camera with the InVid Tech NVR's custom protocol, what might be the best next course of action to try?

One other thing I am also wondering about. As I understand it, when you use an RTSP stream to connect a camera to an NVR, you don't have anything elaborate going on. For example, I don't think the camera can signal the NVR that it thinks motion is going on in the image. My actual concern is regarding PTZ control. Would a protocol using RTSP support sending commands to the camera to make it do the PTZ movements? If that's likely to not work, then I may possibly be in the position of having to recommend to this customer that their PTZ camera needs to be replaced with something a lot newer that the new NVR likes.