Menu
What's new

Hacking Juanvision D8204-2 NVR with YES.SYS IP cameras

A

ACCktm79

n3wb
Joined
Sep 13, 2024
Messages
4
Reaction score
0
Location
UK
Hi all,

I have chinese D8204-2 NVR with four IP cameras. Cameras have YES.SYS logo branded on them. I would like to get rid of that NVR and use cameras directly by IP, using motion or other software. So far, I have been unsuccessful with hacking the cameras. That's what got so far:

NVR model seems to be this:

D8204-2-POE - dvr163

helpen.dvr163.com helpen.dvr163.com

It's unsecure, outdated, last update from 2020, it really should not be on my network, and certainly not on WAN. But currently, I have no other choice and it is.

Cameras are:
YES.SYS logo on them, PoE powered outdoor cameras

Wireshark scan has revealed the following UDP packet sent to the NVR by one of the cameras:

JSON: 
{
  "Ver": "1.1",
  "Nonce": "62e0ef8cd97bdc120a212faf1c2fba981a230164",
  "Device-ID": "MAC_86:30:00:58:7d:67",
  "Repeater-ID": "none",
  "Device-Model": "HD IPCAM",
  "Device-Type": "IPCAM",
  "Esee-ID": "",
  "Software-Version": "1.4.8.391809825(2.4.1.2)",
  "Wired": [
    {
      "Connected": true,
      "DHCP": false,
      "IP": "192.168.1.69",
      "Netmask": "255.255.255.0",
      "Gateway": "192.168.1.1",
      "MAC": "86:30:00:58:7d:67"
    }
  ],
  "Channel-Cnt": 1,
  "Channel-Info": [
    {
      "id": 1,
      "Stream-Cnt": 2,
      "Stream-Info": [
        {
          "id": 11,
          "Resolution": "2560x1920",
          "Bitrate": 4096,
          "Codetype": "H.265",
          "Framerate": 8
        },
        {
          "id": 12,
          "Resolution": "702x576",
          "Bitrate": 384,
          "Codetype": "H.265",
          "Framerate": 15
        }
      ]
    }
  ],
  "Capabilities": {
    "Http-Port": 80,
    "MaxHardDiskDrivers": 0,
    "MaxTFCards": 1
  }
}
Furthermore, cameras have port 80 open, on which they respond:

Code: 
$ curl 192.168.1.69:80
<!DOCTYPE HTML PUBLIC "-/IETF/DTD HTML 2.0/EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL requested was not found on this server.</p>
</body></html>
They also have telnet open on port 8830:

Code: 
$ telnet 192.168.1.69 8830
Trying 192.168.1.69...
Connected to 192.168.1.69.
Escape character is '^]'.
No more open ports:
Code: 
$ nmap -p- 192.168.1.69
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-13 19:27 BST
Nmap scan report for 192.168.1.69
Host is up (0.00021s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
8830/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 3.53 seconds
I would like to learn what URL I need to pass to that http server listening on port 80, but I don't know how. If I knew, I could pass that onto motion software to have a nice and working AV stream from the camera without that outdated NVR. Any help welcome. Thank you.
 
A

ACCktm79

n3wb
Joined
Sep 13, 2024
Messages
4
Reaction score
0
Location
UK
By the way, Android app I use for this NVR is EseeCloud:
play.google.com

EseeCloud(IP Pro, VR Cam) - Apps on Google Play

Newly upgraded version of EseeCloud
play.google.com play.google.com

Cameras have "juan" word in that UDP packet, in a message blob I didn't copied in my previous post, it wasn't part of the JSON. EseeCloud has "juanvision" name in their Google Play internal app name. They may be from the same manufacturer.

Is there anyone who specialize in this kind of work? If you can hack my cameras so I can use it with motion, I am willing to pay for your time. Thanks for reading.
 
A

ACCktm79

n3wb
Joined
Sep 13, 2024
Messages
4
Reaction score
0
Location
UK
Hi all, I've made some progress. Learned that these cameras are most likely Juanvision, so I changed my topic name.
Secondly, I was able to obtain static snapshop JPG from the cameras! Their paths are as follows:
Code: 
http://192.168.1.69/snapshot.jpg
Here, I can see static 488x400 JPG directly from the camera, I can refresh it in the browser to get a new one. They seem to have no password whatsoever, just like telnet 8830 port (but telnet does not respond to my commands whatever I type).

Now, how can I explore it further to get access to RTSP stream? Any tips appreciated!
 
Last edited:
A

ACCktm79

n3wb
Joined
Sep 13, 2024
Messages
4
Reaction score
0
Location
UK
I think I've located video streams!

Code: 
$ wget --user=root --password=root --auth-no-challenge "http://192.168.1.69/livestream/11"
--2024-09-16 15:25:27--  http://192.168.1.69/livestream/11
Connecting to 192.168.1.69:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Unknown authentication scheme.

Username/Password Authentication Failed.

Code: 
$ wget --user=root --password=root --auth-no-challenge "http://192.168.1.69/livestream/12"
--2024-09-16 15:24:55--  http://192.168.1.69/livestream/12
Connecting to 192.168.1.69:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Unknown authentication scheme.

Username/Password Authentication Failed.
Everything else around that livestream URL is 404 Not Found. But these two, bingo! But now I need login and password.
 
You must log in or register to reply here.
Top