Good IPCameras that support OpenIPC

[grumpyITGuy]

They have literally nothing in common

The point of commonality I was alluding to that you somewhat correctly guessed is that criminals can use either platform with relative impunity. Though that wasn't meant to be construed as the only motivating factor behind their use.

My primary gripe with crypto is that the money I have to use to purchase it was earned honestly, and I was taxed quite extensively for doing so. In other words, it puts the purchasing power of my earnings at a disadvantage.

For example, the platform has become the defacto communication method for most developers at this point in time.

But why? Are they all that paranoid? Or are they that lazy? What's wrong with old fashioned discussion forums like this one?

Again, my problem with Telegram is that it's intended to be used primarily on a smartphone and the unique identifier used to create the account is said phone #. While I trust the source has been sufficiently audited to ensure it isn't leaking user's information, I detest both of those points sufficiently that I refuse to be a willing participant.

 

[forlotto]

There are a great many reasons you being old enough to know already should have some easy understanding of the success of telegram you just haven't taken the time to observe the why part think average internet user not ITGuy knows enough to be dangerous. It's fairly self-evident.

I'd argue phones have overtaken the use of the way we connect on the internet it was largely a PC thing.
Bandwidth has increased to progress beyond IRC and ICQ for real time chat modalities the introduction of video and voice and sharing of media has become easier but the laws more rigid as to what can or can't be shared so as an app developer there is that side of it copyright infringement NSFW and other illegal content is hard to guard against fully without help from the community. How does one stop someone from coming back to do it again under an a pseudonym when you have access to thousands of IP's VIA A VPN that are always changing it's not as cut and dried as it used to be.

I wouldn't talk on the internet in a tone I wouldn't use outside of the internet Rule1 I choose a path to support efforts of privacy and free speech in the events that what I say now may be contrarian tomorrow not to mention they kind of hold hands as well as security efforts that don't work as nefarious back door data collection as you alluded too. There are a great many problems stemming from I believe the start of it was the M$ antitrust case one of the fastest antitrust cases to make it through the courts.

We tend to forget things that exist or most don't know about them:

Windows 98 NSA Key.
Bios code That can allow things to be executed without your permission consent or knowledge in theory.
CPU Code That can allow things to be executed without your permission consent or knowledge in theory.
Cryptographic MITM
Deep Packet Inspection methods
Network and NICs things like BroadPWN
The GSM flag
Sim Jacking
TPM for your digital id if you've took the time to read the white paper.
Facebook Pixel which is a cross platform thingthat works with all of the big names.
heartbleed was an interesting exploit (How many others are out there like this we don't know of?)
And Many Many more things...

Just upgraded the internet B800 TPLink router was the only affordable option for Multigig over internet I can't wait until open source gets their hands on this device. The firmware is interesting having more security features than most but abhorrent in other ways like them wanting you to tie your damn phone to your router I told them in an email I'm not doing it!!! Your not having my phone my email and a password just so I can use my router. I don't want remote access to my router enabled in any way! It was like talking to the wall the tech guys you talk to don't even know the interface or a lick about network security could be such a great product really but they don't hire the proper minds like you for instance to develop something. I feel kind of naked running this crap at the edge of my network so there will be some growing pains I'll surely need to provision better and acquire more equipment as time and money affords.

Privacy should be fought hard for there are 3 methods that come to mind one simply educating folks that it is being violated ala Snowden and through talks like this, Passing common sense laws to deny domestic spying and implementing it as a law and enforcing it with the proper consequences but enforcing it mostly where their are known ops with intent of data collection and sales or sharing, finally you have the option to build software, firmware, and things that would prevent the backdoors you can't see and open source it so development in the proper direction can ensue. There are some honorable mentions like the EFF being a member, I suppose you could organize and go hold signs somewhere to raise awareness although not my style it does have an effect (just stay out of the road folks)....

I had the implicit privacy mind for quite some time doing IT work kind of taught me there are pro's and con's security depends on knowledge of for LAN/WAN/WAP/PAN there is little one can do VPN's are possible burner phones to sign up for telegram then use the desktop application.

There are a lot of unacknowledged privacy violations that are not so easy to protect against even though I'd like to believe their is privacy if all do this that and the other at the end of the day is there really? If I were to shake the magic 8 ball on that one it would come up with it is not likely. But it doesn't mean we shouldn't follow best practices either following best practices and getting people on board does improve the system.

All part of the reason I like OPENIPC though that is the nature of evolution if you want better security and better privacy it will likely be largely reliant on hackers coordinating efforts to modify things to ensure the possibility of the hidden elements of things largely unknowns to become knowns.

 

[grumpyITGuy]

There are a great many reasons you being old enough to know already should have some easy understanding of the success of telegram you just haven't taken the time to observe the why part think average internet user not ITGuy knows enough to be dangerous. It's fairly self-evident.

There's not a single day where I get out of bed and think: "how could I completely destroy my personal privacy by dipping my toes into some unknown platform". I do get it, back in the early 2000's I started out upon building a complete end-to-end chat platform that one could spin up on any windows machine out of their basement. I wasn't experienced enough at that point and had more (paying) workload to deal with, so it only exists in my memories. But I completely understand the reasons for their existence.

I'd argue phones have overtaken the use of the way we connect on the internet it was largely a PC thing.

Unfortunately. To grossly over-simplify, I've seen the unfortunate effects of this from some dips**t ordering the wrong camshafts for their engine because the mobile version of a vendor website (let's call it cRockAuto to protect the innocent) wasn't smart enough to show his mobile browser that the engine needed two completely different camshafts. Or that StarLink's standard consumer level hardware only allows setup via a mobile device (and that app completely sucks to an IT pro). Stupid comes in many different shapes and forms.

Back in 2012-ish I carried my relatively normal paranoid IT stance into a full-on grumpy guy "Walter". [F that mobile stuff, you whippersnappers]! If I can't use a real computer with a grown-up sized keyboard with mechanical keys to use your offering, I will go back into my cave and worship the withering remains of my Vic20.

Then I started developing my own apps for Android, and realized what information is readily available just to get a "hello world" app to run.

No joke, I will be the "it's only a PC thing or nothing" guy until they sprinkle my ashes on the beach. What you will call a "PC" can be debated, but it won't be something that has a SIM card in it.

Bandwidth has increased to progress beyond

Bandwidth has relatively nothing to do with privacy. Only the speed with which your privacy can evaporate.

So back to the main topic, thanks to a usb microscope I managed to find the uart pins on the Ingenic board that i've been chasing for several days. I've also located some SDK publications on github for the Sony IMX335 sensor that might help get better than junk resolution out of it. I'd like to think I have some intelligence to offer. But I doubt the OpenIPC devs care as much about this branch of the tech as they do the FPV quadcopter branch.

I'll probably burn half the day tomorrow trying different OpenIPC binaries for the T31 SOC in hopes of making this last hold-out be useful enough to buy more of.

 

[josh_mkeen]

If you have an Ingenic SoC based camera, you may want to use the thingino firmware instead. I switched on my Wyze V2 Cam after there were some privacy concerns raised regarding OpenIPC.

 

[forlotto]

Thanks for this I also have been made aware there are privacy concerns with OPENIPC untested or proven someone told me that it reports to certain servers. Talked about openhisilicon github being open sourced. Good to see there are security conscious folks but from what I am told it is harmless.. openhisilicon - Overview they claim the data collection is innocent though IDK... Logged traffic to 'majestic.cam' and to random aws bucket, this is confirmed another user said.
Log show Data exfiltrtated via dns too. Should block this: outgoing dns on camera
And Domains:
camware.s3.eu-north-1.amazonaws.com
majestic.cam
majestic.torturelabs.com
torturelabs.com
This is the reason I wanted OPENIPC cause many of the cheap china cameras do the same thing... "harmless data collection"



The devs had said a few things to this.
IGOR:
You are wrong about the developers. We are from different countries. Also you can suggest any improved place you think. But the font on the website and on the wiki is the same; we don’t have “small font”. There is a disclaimer written on the site, this is a standard solution and approach to information.

IGOR said it's just the streaming program you can choose between both. So it isn't anything but telemetry data for development from what I understand
mikal, [6/15/2024 10:59 AM]
Log show Data exfiltrtated via dns too. Should block this: outgoing dns on camera
And Domains:
camware.s3.eu-north-1.amazonaws.com
majestic.cam
majestic.torturelabs.com
torturelabs.com

Igor, [6/15/2024 11:05 AM]
You have the right to do whatever you want - refuse to use the firmware, refuse to use the Majestic streamer, block any traffic.
Collecting telemetry helps developers understand which devices are popular, how often problems or firmware versions change. Nothing more.
If you turn off this data, it will not be available for monitoring and analysis and, accordingly, no one will be able to help. When collecting telemetry, global problems and crashes are tracked and fixed instantly.

Igor, [6/15/2024 11:14 AM]
Thanks for your messages. I will be grateful to you if you can tell me where and what else should be written so that the paranoid people will be calm. The OpenIPC project and the most developed streamer Majestic have nothing to hide from the public.

You can now compile the firmware yourself or send a PR to generate firmware with a fully open Divinus streamer.
All Ultimate firmwares include both Majestic and Divinus streamers, so the choice is yours.

@grumpyITGuy
I was also made aware of a thingofirmware that was available for that camera possibly....

Hi, saw your post regarding firmware and helping others.

There exists thingino, a firmware which is specifically targeted towards ingenic devices.

checkout GitHub - themactep/thingino-firmware: Open-source firmware for Ingenic SoC IP cameras
Checkout the discord or telegram of thingino on the site. Very helpful community for testing, users, and development.

Fully open source, we are a young project but develop fast.

just FYI. have fun!

 

[forlotto]

IDK it seems like Igor is saying the data is collected to ensure the security of the software if something big happens they can intervene and issue an update to their code if there is some great catastrophe with the software and that it is not nefarious nor personal data collected from the individual per sey it is to spot possible issues with software in either functionality or possibly even security. So this is a pretty common practice these days.

 

[wittaj]

If you have an Ingenic SoC based camera, you may want to use the thingino firmware instead. I switched on my Wyze V2 Cam after there were some privacy concerns raised regarding OpenIPC.

It is why we say regardless of the firmware, don't let the camera have access to the internet...

And why there was a big discussion in this post that people were taking the wrong way that basically boiled down to that many here want cameras that perform (regardless of who makes it or the firmware) and can mitigate/minimize the spying risks of name brands rather than an opensource firmware that cannot perform for our needs.

And now if OpenIPC has privacy concerns, even more reason...

 

[forlotto]

No I talked to Igor fairly candidly he was pretty cut and dried seems to be paranoia nothing nefarious going on.
You can now compile the firmware yourself or send a PR to generate firmware with a fully open Divinus streamer.
All Ultimate firmwares include both Majestic and Divinus streamers, so the choice is yours.

As always anything IOT it is good network practice to implement isolation as best practice for your security as josh_Mkeen says.

But the whole point of OPENIPC is to give you options to potentially provide better security you can build upon this code improve it and use it as you wish.

IGOR also makes a good point he prefers to have their wiki be the one source of information for OPENIPC. Rather than answer endless questions over and over again the same thing have a solid source like wiki that can provide all of the needed info. I understand this totally you can spend much time going over the same questions over and over again. It appears many have asked these questions before and they have been answered on the wiki. And now very well by IGOR on Telegram.

 

[forlotto]

wiki/en/streamer-comparison.md at master · OpenIPC/wiki

The new OpenIPC wiki. Contribute to OpenIPC/wiki development by creating an account on GitHub.

github.com

 

[tweebs]

Stumbled across this thread/forum while googling 'openICP compatible cameras'. I admit I skimmed most of the discussion to get to the juicy/recent bits. I very much realize there are quality high performance IP camera out there but I'm not interested (reasons). I have some cheapo chinesium Amazon specials (Wyze et al) running alternative firmwares for non-critical farm ops, I trust the Chinese to spy on my chickens. However, I'd like to level up to a slightly less crappy solution for addition cams and home assistant integrations.

I looked into openIPC almost 2 years ago but also don't have time to invest in finding the good bang/buck, popular enough, "easily" hackable and available camera. BUT I can certainly contribute my findings, and maybe (cameras to avoid).

FYI, there is a tool for OpenIPC which scans a cameras firmware.bin to try to determine its SoC and sensor are compatible but I haven't investigated.

You'd think with all the cheap IPcams with vulnerable OEM firmware someone would have found method to flash/bootload intercept alternative firmware without needing UART access. Much like Wyze. Not that I mind cracking into a $40 piece of hardware. I'd just like to know if there is any point (if it's supported).

 

[grumpyITGuy]

You can now compile the firmware yourself or send a PR to generate firmware with a fully open Divinus streamer.

But will those fit on 8mb cameras?

IGOR also makes a good point he prefers to have their wiki be the one source of information for OPENIPC. Rather than answer endless questions over and over again

I haven't looked at it in the past several days, but having searched the wiki quite extensively over the past two months I can only describe it as an abhorrent mess. I've spent dozens of hours searching and reading, and this is the first I've heard of that particular alternative streaming server.

Whatever the case, I'm less paranoid about what data Majestic is phoning home with than I am concerned with having a camera with a ssh server, cron, ntp, etc. It's easy to firewall things like this off so they can only do what you expect them to.

I looked into openIPC almost 2 years ago but also don't have time to invest in finding the good bang/buck, popular enough, "easily" hackable and available camera. BUT I can certainly contribute my findings, and maybe (cameras to avoid).

To a certain extent I do have time and enjoy the challenge, but I'm finding there are very limited options for inexpensive boards and even fewer complete cameras that can produce > 4MP using the mipi drivers included with OpenIPC. Sure, it's "open source" and "you're welcome to submit a PR". But I've noticed in looking into the Thingino git that not all the SDK source code appears to be of equal quality / value. I've slept since so I've lost the specifics to entropy, but I found several mipi drivers in the Thingino repository that were capable of full resolution where the OpenIPC respository is crippled. The Sony IMX335 comes to mind. I can only assume this means the Ingenic SDK has better mipi driver examples than the SigmaStar SDK.

FYI, there is a tool for OpenIPC which scans a cameras firmware.bin to try to determine its SoC and sensor are compatible but I haven't investigated.

If you can find, care to share? I've seen nothing like this. Only the ipctool script that requires access to the shell (either running openipc or the vendor's firmware).

You'd think with all the cheap IPcams with vulnerable OEM firmware someone would have found method to flash/bootload intercept alternative firmware without needing UART access.

I've no experience with Wyze cams, but it seems the Anjvision stuff has gotten more and more locked down on flashing firmwares from within the vendor firmware, which is why having access to uboot or desoldering the nor flash is a must.

I've yet to exert much effort upon the Ingenic board. What I gleaned reading the Thingino readme wasn't terribly encouraging but I've also yet to figure out how to get the currently installed OpenIPC image to boot without segfaulting.

 

[grumpyITGuy]

Update: Had some quality time to spend with the Ingenic board yesterday and today. Seems the OpenIPC problem was just some missing uboot macros, easy to remedy.

Several hours of experimenting and tweaking allowed me to find the connectors and gpio pin numbers for the ircut filter and led control. There are some quirks, but in all it's completely tolerable. Here are a couple images of my basement storage area / mad scientist lab / guitar workshop.




I'm going to capture 10fps a/v off it tonight and if it looks acceptable will probably order a considerable quantity of them for future use.

Still haven't found the uboot password, or if the USB headers are exposed on this particular board so the Ingenic cloner tool can be used, but I'm ok if not. Worst case is I have to remove the SOC heatsink, desolder the NOR flash chip, and go on with life.

 

[forlotto]

Acceptable picture for me even night mode. If it's cheap and it works well and you have better control over things why not... Thanks again for sharing! u-boot-ingenic/tools/ingenic-tools/security at master · OpenIPC/u-boot-ingenic dunno if the keys are stored at the same offsets all the time but it may be helpful. It almost seems as if a new user key is burnt for each board at first glance stored here... aeskey[4] = {0xee6694c3, 0xef42d55b, 0x60bdfed8, 0x16536470}; Maybe with enough access and some global variables the area can be dumped in a round about way IDK maybe something like a math function or what have you may give you enough info to be dangerous IDK or maybe I'm just talking out of my rear cause I really am unsure how it all works for this type of thing. But figured I'd say it anyway in case it gives you some ideas.

Kind of curious about the quirks though is it sensitivity to light/dark?

By the way interesting work on the guitars frets look a little thick in some of the pics I know a lot of guitar players who sand the metal down for one reason or another. But other than that I'd say you got yourself a pretty good niche there as well. I never had the patience to stick with and learn the guitar.

Also reading you blog with MagicJack yep I know that struggle I decided to use Nettalk fairly simple and cheap seems to work well enough like 10bux a month or there about unless you want PBX options then it is like 20 something a month. I like the feature where I can block all robocallers with a spam pin and add people I know to a whitelist so they don't have to enter a pin that my friend is something I can get behind.

Why not https? Didn't want to deal with letsencrypt?

 

[grumpyITGuy]

... dunno if the keys are stored at the same offsets all the time but it may be helpful. It almost seems as if a new user key is burnt for each board at first glance stored here...

My guess is it's not actually a password, more like a custom interrupt key with ctrl and/or shift modifier. The reason I say that is because uboot prompts "Press password in 1 second." Since I already had the nand chip off I didn't waste any time attempting to brute force it. When I do a write-up I'll put the factory firmware up and anyone interested can go after it if they so desire.

Kind of curious about the quirks

My issues with the OpenIPC build on this board are:

1) runs a 3.10 kernel branch
2) the OSD flickers badly - will have to post an example
3) Majestic likes to crash when changing encoding settings

I'm not really happy with the hevc main profile either - last night's 6 hours of complete stillness produced a 22 gig video where the sigma based stuff is closer to 9 gigs.

Why not https? Didn't want to deal with letsencrypt?

I never really understood the point of using ssl on traffic that doesn't need to be secured. I don't allow remote logins to wp, so what traffic do I need to "protect"? That was rhetorical by the way.

 

[grumpyITGuy]

Ooof!

Input #0, rtsp, from 'rtsp:/xxx:xxx@x.x.x.x/stream=0':
Metadata:
title : RTSP Session
Duration: N/A, start: 0.000000, bitrate: N/A
Stream #0:0: Video: hevc (Main), yuv420p(tv, bt709), 2560x1440, 10 fps, 30 tbr, 90k tbn, 10 tbc
Stream #0:1: Audio: pcm_mulaw, 8000 Hz, 1 channels, s16, 64 kb/s
17.77 M-V: 0.005 fd= 0 aq= 0KB vq= 661KB sq= 0B f=0/0

That's not gonna work. :-\

 

[grumpyITGuy]

Update - a bit of tweaking on the minQp and maxQp values have produced acceptable results for the compressed main stream. My guess is the defaults of minQp/maxQp of 12/42 the Sigma branches honor aren't implemented in the Ingenic branch of Majestic. Will have to report back in the morning but looks like it will be as good as the Sigma based boards for roughly the same disk space.

Also, the flickering OSD was fixed last week. The only other "quirk" that's rubbing me wrong is the OSD isn't getting applied to the mjpeg preview and the h26x substream.

I think I'm going to wait to see if chinesium express does another "blowout" sale (~$1 off per board) like they normally do on the 1st and the 15th of each month, and then order 15-20 boards.

Wish I could find cheap Sigma based boards with this sensor, but I'll take what I can get. My plan is to replace all my existing Anpviz 4mp boards with this one running OpenIPC. If and when I get to a point I "like" I'll look into publishing a stream or two on yubtub.

Stay "tuned"... ;-)

 

[forlotto]

The feed looks good with compression and framerate but you were able to keep the same resolution. Does it support lower res as well like 1080 for less storage. That is the only killer with a lot of cameras it's nuts the amount of storage needed for a higher than 1080. I mean I typically do about 1080 unless it's by my doors outside I am able to run about 15 cams and have like 30 days of storage on a 14TB on most the others have a separate NVR and SDCard high endurance.

 

[grumpyITGuy]

Let me walk that last statement back some. There's definitely something screwy with the h26x encoders and / or Majestic on this Ingenic board. I've yet to try any cbr encoding, but for vbr it seems very unpredictable. Doing short 5 minute snippets at a time, I can get anywhere from 200mb to 165mb captures. It seemed like at times the min/maxQp settings made a difference, and others not as much. Overall, the 6 hour captures dropped from 20gb to 16.8gb, but that's still a stark difference to what the Sigma boards are producing. So I started doing three 5 minute clips with the same settings, and to my amazement the sizes seemed to be quite random. The last samples I captured were 176mb, 169mb and 168mb. I realize this is partially due to using VBR and the OSD changing constantly, but...

I just lowered the main stream resolution to 1920x1080 with the same qp settings used prior for 2560x1440 so I could answer the last question, and very oddly the 5 minute recordings were 178mb, 210.2mb and 210.0mb. I'm baffled. ffplay shows the correct resolution and overall lower video bitrate yet the containers (I prefer matroska) are larger than the last 3 full resolution captures.

BTW, this is all running at 10fps in an unoccupied room. There may be dust falling from the floor joists and / or cobwebs moving, but nothing else is going on in that area for the 5 minute test clips. I may try some at 20-25fps when I have a chance b/c I expect similar results to the resolution change. Though I'm almost frustrated enough to try the OE firmware on this board and see what kind of results it can produce.

 

[grumpyITGuy]

Dropping in with another update. After feeling like I struck out with the Ingenic T31 board I turned my attention back to the Anpviz IPC-D350W-SE camera mentioned in post #54. Full-res captures are breaking in at roughly 9.2gb per 6 hour session, and when capturing 1920x1080 streams the size was cut immensely.

Seems like the 5MP Anpviz board is going to be my go-to going forward. Will post a link to my personal blog site when I have time to fully document it all.

Found a couple vendors selling boards with identical specs to the specimens gleaned from the Anpviz turret cameras, but none had stock of the actual boards. Pretty sure Anjoy / Anpviz owns all of them now.

 

[grumpyITGuy]

Well I had plans on livestreaming one of my 5mp Anpviz cameras this week from the beach condo we rent for vacay, but have no idea how to configure Majestic for this. Seems like it would need to know the ingestion address(es) but there's only a setting for on / off and api key. The documentation at camerasrnd/streaming/youtube.md at master · OpenIPC/camerasrnd explains how to create a stream / broadcast and bind them, and then jumps to:

Navigate https://studio.youtube.com/

On right side click on 'CREATE' button and then 'Go live'

Whatever the case, as another update I've since replaced all my 4mp boards with the 5mp boards from the IPC-D350W-SE cameras. I re-used the 4mp turret housings because they're significantly smaller so less visually obtrusive / apt to attract attention. I installed OpenIPC on them out of the gate, and configured the new cams to use a small microsegment of my /24 subnet so as to firewall them off from accessing the internet except to retrieve time over ntp. They've been working great with my home-brewed ffmpeg wrapper script for recording for the past 3+ weeks and I've had zero issues with rtsp streaming just spontaneously stopping as I experienced with commercial Anpviz firmware. Overall I'm extremely happy with Majestic and the overall outcome of moving all my cameras to OpenIPC.

That said, there are some serious, and some not-so-serious shortcomings of the Majestic streamer.

• OSD position settings in majestic.yaml have no effect
• OSD not applied to secondary stream
• OSD has no backdrop or 'shadow', only white so difficult to read on light colored backgrounds like blue sky (both during the day and night)
• Delay setting for light monitor is simply checking sensor analog gain every N seconds. Should have been implemented as a true hysteresis timer where the timer is reset only after a state change.

I may never bother writing up a blog page for info I've gathered on the specific boards / cameras I've used OpenIPC on since the dev team seems to not care enough about such info as to have alternative channels of communication. That said if anyone has questions pertaining any of the hardware I've mentioned feel free to PM me. As an aside, I found on the Anpviz IPC-D350W-SE that of the 7 I own, the last 4 purchased had a different brand of flash manufactured by a company named 'Puya' that requires special write routines. Even the OEM u-boot was unable to flash them, so I ended up replacing those with Winbond NOR chips. This was not a major inconvenience for me as I found removing, flashing w/ a ch341a device and then resoldering the NOR flash was less of a hassle than connecting a uart and having to interrupt the bootloader and use tftp.

Anyway, here's a sample of what I was hoping to share a stream of this week. Obviously the wide angle lens is better suited for surveillance, but I'm only here one or two weeks a year and wanted to bottle some of the essence in whatever way possible with the tools at hand.