Question about Smartwares CIP-39220 IP Cam

klokklok

n3wb
Joined
Apr 3, 2019
Messages
3
Reaction score
1
Location
Netherlands
I bought a Smartwares CIP-39220 IP Cam and it's not that great so far. It only works on Android/iOS devices by default and the app (SW360) requires access to the Media and Location of my device. Also, the cam doesn't work on a local network and requires internet access (to a Chinese server) to even display the video stream; this seems like a big security issue.

Because of the problems described above I tried to find the RTSP stream (or any other protocol) to get the cam working on just my local network.

The quality of the Cam is pretty good (1080p) in day and even night conditions.

Some info about the IP Cam:
Ports: 80, 64444 (Sadly no FTP or Telnet)
Firmware version: 2.0.27.0

The network paths I discovered so far:
Single image path: 192.168.1.115:80/snapshot.jpg (640x360)
RTSP Stream: rtsp://192.168.1.115:80/ch1_0.264 (Sadly requires a username/password which I don't have)
Bubble Stream: http://192.168.1.115:80/bubble/live?ch=0&stream=0 (Also requires username/password for handshake)

The API the cam is talking to: openapi.dvr163.com (Located in China)

I found a lot of useful information in this GitHub repository: github.com/maxious/c8915a436b532ab09e61bf937295a5d2
It's not exactly the same cam, but the software seems identical.

Does anyone have experience with bad IP cams like this or even the software it's running on? The only further step I know is brute-forcing the RTSP username/password and disabling full internet connection for the cam. But I'm not sure if that is the right step.

Edit: Trying to use plain text instead of the GitHub URL because the page is huge.
 

Bdom17

n3wb
Joined
Jul 10, 2019
Messages
2
Reaction score
4
Location
France
Hi, I have the same IP camera. Sniffing the network with Wireshark, I've found the RTSP authentication data:
user: admin
pass: ca3fee3d
Sadly it seems that the stream doesn't work with VLC
:(
 

klokklok

It works with
RTSP Stream: rtsp://camIP:80/ch0_0.264
user: admin
pass: ca3fee3d

:)
Hi, awesome that those credentials worked for you!

How exactly did you sniff the authentication data with Wireshark? Those credentials sadly don't work on my camera :(
 

Theos

n3wb
Joined
Jul 13, 2019
Messages
2
Reaction score
1
Location
Netherlands
Hi all,
Just connected the same camera to my network and am trying to figure out my password. I stared at some Wireshark dumps all night, but it doesn't make too much sense yet. I don't like the connections to China at all, and would love to use the RTSP stream instead.

@Bdom17: could you please share with us how you were able to recover the password?
@klokklok, the GitHub link seems to be down; would it be possible to share the info with me?

Thanks!
 

klokklok

Hi,

The connections to China are terrible and I also wanna manage the camera on my own.

Here is the GitHub page I found by searching on Google for: "ipcam port 80 64444"

This forum just loads the full page, that is the reason why I removed it from my original post. I couldn't find a way to post a normal link.

 

KrisGalle

n3wb
Joined
Jul 11, 2019
Messages
3
Reaction score
0
Location
Belgium
I have the same cameras and would like to use them with Blue Iris. Any tips on how I could do that?
 
Joined
Mar 10, 2021
Messages
1
Reaction score
0
Location
Planet Earth, as far as I can tell
Try to find a firmware dump for those cameras and run it through strings and Ghidra to see what endpoints are offered. I did this for my "Sannce"/Annke cameras and created a camera control script based on what I found:

github: Cam controls cameras, or is supposed to

While your camera probably differs in some respects there tend to be many similarities due to the way these companies copy code from each other and elsewhere. Here's a list of endpoints found on my (Xiongmai-produced) cameras, check the web source and my script to see how it is used:

Bash:
# based on strings pulled from firmware dump, these represent api endpoints
# used with GET or PUT requests as defined in NK_N1Device_InitV2()
#
# check http://camera_ip/js/function.js (etc) for how these endpoints seem to expect
# to be fed and cared for - "seem" because the firmware is quite buggy and not all
# endpoints seem to be connected.
#
# /NetSDK/
# /NetSDK/Audio/encode/channel
# /NetSDK/Audio/encode/channel/[id=101]
# /NetSDK/Audio/encode/channel/[id=101]/enabled
# /NetSDK/Audio/input/channel
# /NetSDK/Audio/input/channel/[id=1]
# /NetSDK/Audio/input/channel/[id=1]/inputVolume
# /NetSDK/Audio/input/channel/[id=1]/microphoneType
# /NetSDK/Audio/input/channel/[id=1]/outputVolume
# /NetSDK/Audio/input/channel/[id=1]/sampleBitWidth
# /NetSDK/Audio/input/channel/[id=1]/sampleRate
# /NetSDK/Factory
# /NetSDK/Image
# /NetSDK/Image/denoise3d
# /NetSDK/Image/irCutFilter
# /NetSDK/Image/manualSharpness
# /netsdk/image/videoMode
# /NetSDK/Image/videoMode
# /NetSDK/Image/wdr
# /NetSDK/Network/DNS
# /NetSDK/Network/ESee
# /NetSDK/Network/interface
# /NetSDK/Network/interface/[id=1]
# /NetSDK/Network/interface/[id=1]/lan
# /NetSDK/Network/interface/[id=4]
# /NetSDK/Network/interface/[id=4]/lan
# /NetSDK/Network/interface/[id=4]/wireless
# /NetSDK/Network/port
# /NetSDK/Network/port/[id=1]
# /NetSDK/Network/wireless/allStaInfo
# /NetSDK/Network/wireless/stationSignal
# /NetSDK/Network/Wireless/status
# /NetSDK/PTZ/channel/[id=1]/control
# /NetSDK/snapshot
# /NetSDK/snapshot.jpg
# /NetSDK/System/deviceInfo
# /NetSDK/System/deviceInfo/deviceAddress
# /NetSDK/System/deviceInfo/deviceName
# /NetSDK/System/operation
# /NetSDK/System/operation/default
# /NetSDK/System/operation/reboot
# /NetSDK/System/operation/remoteUpgrade
# /NetSDK/System/time
# /NetSDK/System/time/calendarStyle
# /NetSDK/System/time/localTime
# /NetSDK/System/time/ntp
# /NetSDK/System/time/rtc
# /NetSDK/System/time/timeZone
# /NetSDK/Video/encode/channel
# /NetSDK/Video/encode/channel/101/snapshot
# /NetSDK/Video/encode/channel/102/snapshot
# /NetSDK/Video/encode/channel/[id=101]
# /NetSDK/Video/encode/channel/[id=101]/channelNameOverlay
# /NetSDK/Video/encode/channel/[id=101]/datetimeOverlay
# /NetSDK/Video/encode/channel/[id=101]/requestKeyFrame
# /NetSDK/Video/encode/channel/[id=102]
# /NetSDK/Video/encode/channel/[id=102]/requestKeyFrame
# /NetSDK/Video/encode/channel/[id=1]/requestKeyFrame
# /NetSDK/Video/encode/channel/[id=2]/requestKeyFrame
# /NetSDK/Video/input/channel
# /NetSDK/Video/input/channel/[id=1]
# /NetSDK/Video/input/channel/[id=1]/brightnessLevel
# /NetSDK/Video/input/channel/[id=1]/contrastLevel
# /NetSDK/Video/input/channel/[id=1]/flipEnabled
# /NetSDK/Video/input/channel/[id=1]/hueLevel
# /NetSDK/Video/input/channel/[id=1]/mirrorEnabled
# /NetSDK/Video/input/channel/[id=1]/PrivacyMask
# /NetSDK/Video/input/channel/[id=1]/saturationLevel
# /NetSDK/Video/input/channel/[id=1]/sharpnessLevel
# /NetSDK/Video/motionDetection/channel
# /NetSDK/Video/motionDetection/channel/[id=1]
#
# /cgi-bin/gw2.cgi
# /cgi-bin/hi3510/echo.cgi
# /cgi-bin/hi3510/ptzctrl.cgi
# /cgi-bin/hi3510/preset.cgi
# /cgi-bin/hi3510/param.cgi
#
# /livestream/11
# /livestream/12
#
# /livestream/hinetate/11
# /livestream/hinetate/12
#
# /snapshot
# /snapshot.jpg
#
# /user/add_user.xml
# /user/del_user.xml
# /user/set_pass.xml
# /user/user_list.xml
#
# /_SDK/index.php
# /_SDK/info/device.php
# /_SDK/info/event.php
# /_SDK/info/license.php
# /_SDK/info/monitor.php
#
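
The strings pass suggested in the post above, as an added example that is not part of the original post or the poster's script: it pulls printable runs out of a firmware blob, keeps the ones shaped like HTTP paths, and lists the account and device-state endpoints to audit or firewall first. The sample blob, the filesystem-root filter and the keyword list are constructed assumptions.

```python
import re

MIN_LEN = 6  # shortest printable run to keep, as with strings -n 6
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Absolute path; segments may carry the [id=101] selectors seen in the list.
ENDPOINT = re.compile(r"^/[A-Za-z0-9_-]+(?:/[A-Za-z0-9_.\[\]=-]+)*/?$")
# Assumption: these first segments are filesystem paths, not HTTP endpoints.
FS_ROOTS = {"bin", "dev", "etc", "lib", "mnt", "proc", "sbin", "tmp", "usr", "var"}
# Assumption: substrings suggesting an endpoint changes accounts or state.
REVIEW_FIRST = ("user", "upgrade", "factory", "operation")

# Constructed sample standing in for a firmware dump (not real firmware).
SAMPLE = (b"\x7fELF\x01\x00\x00/NetSDK/System/deviceInfo\x00"
          b"\x00\x13/NetSDK/Video/encode/channel/[id=101]\x00"
          b"/netsdk/image/videoMode\x00\xff\xfe"
          b"/user/set_pass.xml\x00/user/add_user.xml\x00"
          b"/lib/libc.so.0\x00Content-Type: %s\r\n\x00"
          b"/NetSDK/System/operation/remoteUpgrade\x00/tmp\x00")


def extract_strings(blob):
    """Return printable-ASCII runs of at least MIN_LEN bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def find_endpoints(blob):
    """Group endpoint candidates by lower-cased first path segment."""
    groups = {}
    for s in extract_strings(blob):
        s = s.strip()
        if not ENDPOINT.match(s):
            continue  # format strings, banners, symbol names
        root = s.split("/")[1].lower()
        if root not in FS_ROOTS:  # drop library and device-node paths
            groups.setdefault(root, set()).add(s)
    return {root: sorted(paths) for root, paths in groups.items()}


def review_first(groups):
    """Endpoints to audit or firewall first: account and device-state changes."""
    return sorted(p for paths in groups.values() for p in paths
                  if any(k in p.lower() for k in REVIEW_FIRST))


if __name__ == "__main__":
    found = find_endpoints(SAMPLE)
    for root, paths in sorted(found.items()):
        print(root, len(paths))
    print("review first:", review_first(found))
```

Grouping is case-insensitive because the same tree can appear under two spellings, as `/netsdk/image/videoMode` and `/NetSDK/Image/videoMode` do in the list above.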
 

KrisGalle

Did you ever have any luck with getting RTSP to work? I suppose you got the at Action