Review-IP Villa Outdoor Doorbell Station & Indoor Monitor Kit

user8963

Known around here
Joined
Nov 26, 2018
Messages
1,465
Reaction score
2,315
Location
Christmas Island
Andy told me there is no recourse for bricking them.
I dont think @EMPIRETECANDY is right... someone here in forum posted a link to a german forum where the recovery process is descirbed... maybe give it a try...

i am not sure why they change the firmware with hex edit... i would start with the 4.5 firmware and try to flash it with jounin tftpd (instead of cisco, never heard about that) ... if that fails... maybe you need to edit the firmware with hex edit :D

Here are the pictures where the TTL connector is (and pinout)
Code:
https://translate.google.com/translate?sl=auto&tl=en&u=https://www.ip-phone-forum.de/threads/vto-vth-tftp-ttl-anschlussbilder-sammlung.305575/
Here is the tutorial
Code:
https://translate.google.com/translate?sl=auto&tl=en&u=https://www.ip-phone-forum.de/threads/vto2000a-c-nach-fw-update-nicht-mehr-erreichbar.304909/post-2346656
Here is a collection of firmwares (if new one fail with tftpd)
 
Last edited:
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
still tinkering with my GDMSS app & push notifications for a VTO. How to troubleshoot no push notifications? Wiresharking! Here is what I have found out so far.
may need @catcamstar to jump in this one :)
Network background:
using Android smartphone (Pixel 4XL) with VPN always connected
VTO is on my camera network of 192.168.4.19 ; 2 VTH's at 192.168.4.20 and .21
Ubiquiti RADIUS VPN server network on 192.168.5.xxx

When the VTO 'call' is pressed, a SIP session is requested from the VTO to the VTH's.
At line 33, the VTO contacts outside of my network to Google at 216.239.36.55 using port 443 (I've opened all ports on the VTO for testing purposes). I assume this is Google Push notification services. I get a ringing call on my GDSS app and press the answer button.


vto call button pressed.jpg

------------

Starting at line 85, the VTO and Google start talking with TCP techno babble of ACK,SYN (VTO = Hi, I am VTO. Google = Hello VTO. VTO = lets dance) and then discuss using TLSv1.2 security encrypted protocol (TLSv1.3 came out in 2018 so maybe one day the VTO firmware will reflect that).
Starting at line 90, you can see the VTO sending H264 video packets to a Multicast environment of 224.0.2.14. I believe this is when the group of VTH's start ringing and showing video camera images.

vto  syn ack.jpg

----------------------------

The complete listing of the VTO and Google Push services taking through a 1 second call.
Notice, that the VTO does use TLSv1.2, certificates, and ciphers. All encrypted (I believe no sound/video to the outside world....just push notification stuff).

vto talking to google.jpg

------------------

Here is the VTO talking to my VPN gateway to send sound/video to my Pixel using port 37777 (this is the default TCP port listed on the VTO GUI).
Which I found odd because I thought my Pixel would show up on my main network since it does have a DHCP reservation on 192.168.1.xxx
But I'm no VPN specialist :)


vto talking to VPN network.jpg

---------------

I did this to find out what firewall rules & ports to dabble with. From this info, I have to allow local port 37777 from the VTO to my VPN gateway (not between VTO and Pixel IP's). I also have to allow 4 ports to the internet (google push notifcation services). Could I set the VTO destination to only a specific IP of google? Nope. They list host names, never IP's.
Here is what I found in regards to Google Android (not iOS) info:
temp2.jpeg

--------------------

And a little picture of how push notifications work. Here, using iOS as example:
temp.jpg
 
Last edited:
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Alrighty. I got things to work again after dabbling with firewall rules for the last week. Ug.
Again, my current setup: Ubiquiti UDM router, Ubiquiti managed 48 port switch, and VTO.
I had to set up WAN OUT firewall rule to ALLOW all 60+ Google IP's from my VTO because I have a 2nd WAN OUT rule blocking all camera IP's out to the internet so this ALLOW rule was needed. The VTO uses Google Push Notification Services that sends alerts to your phone (iOS does the same with their service). So internet connection to specific IP's & ports are required. If these are blocked by your router, you are not getting notifications.
temp.jpg


---------------------------

I also have the subnet of the cameras locked down and rejected to any other subnet. So any outbound packets need ALLOW firewall rules for the LAN IN. Such as, VTO getting past the LAN IN for Google:
temp2.jpg

------------------

In a normal router setup, this might just be what all you need.
I went a step further.
I run a RADIUS VPN server on my Unifi. 192.168.5.xxx I need additional rules when my smartphone is set to 'VPN always on' whether sitting at home or out at work.
Again, my camera network is block/rejected from talking to any other subnet unless ALLOW rules are made. I need to ALLOW the VTO IP to send packets to the VPN network but only for VTO ports. This allows the VTO to talk to anyone on the VPN network but only through the assigned VTO ports. The issue with this UDM RADIUS server is I never know what IP my smartphone is since the UDM does not let me know (many folks have bitched about this aspect). Wireshark shows that the VTO just sends to VPN gateway IP and the rest is figured out with....magic.
temp3.jpg

-----------------

I reboot both smartphone and VTO after every firewall rule change to ensure progression as I found out if you do not reboot, one of the devices remembers the previous port. Hence, this isn't no 5 minutes of setup. Took me a week with a couple hours here and there to figure things out without conflicting with other firewall rules.
End result: when someone presses the 'call' button on the VTO, both my multitude of VTH's and smartphone with DMSS application both ring and shows live video of camera. I can hit 'answer' button and have a two way conversation with live video.
I am HOPING this is slightly more secure than using PTP and/or port forwarding :)
Just wanted to share my experience for 4 or 5 guys in the future trying to use VTO without using P2P :)




---------------------
 
Last edited:

flynreelow

Known around here
Joined
Dec 12, 2016
Messages
1,198
Reaction score
1,086
Alrighty. I got things to work again after dabbling with firewall rules for the last week. Ug.
Again, my current setup: Ubiquiti UDM router, Ubiquiti managed 48 port switch, and VTO.
I had to set up WAN OUT firewall rule to ALLOW all 60+ Google IP's from my VTO because I have a 2nd WAN OUT rule blocking all camera IP's out to the internet so this ALLOW rule was needed. The VTO uses Google Push Notification Services that sends alerts to your phone (iOS does the same with their service). So internet connection to specific IP's & ports are required. If these are blocked by your router, you are not getting notifications.
View attachment 101339


---------------------------

I also have the subnet of the cameras locked down and rejected to any other subnet. So any outbound packets need ALLOW firewall rules for the LAN IN. Such as, VTO getting past the LAN IN for Google:
View attachment 101340

------------------

In a normal router setup, this might just be what all you need.
I went a step further.
I run a RADIUS VPN server on my Unifi. 192.168.5.xxx I need additional rules when my smartphone is set to 'VPN always on' whether sitting at home or out at work.
Again, my camera network is block/rejected from talking to any other subnet unless ALLOW rules are made. I need to ALLOW the VTO IP to send packets to the VPN network but only for VTO ports. This allows the VTO to talk to anyone on the VPN network but only through the assigned VTO ports. The issue with this UDM RADIUS server is I never know what IP my smartphone is since the UDM does not let me know (many folks have bitched about this aspect). Wireshark shows that the VTO just sends to VPN gateway IP and the rest is figured out with....magic.
View attachment 101341

-----------------

I reboot both smartphone and VTO after every firewall rule change to ensure progression as I found out if you do not reboot, one of the devices remembers the previous port. Hence, this isn't no 5 minutes of setup. Took me a week with a couple hours here and there to figure things out without conflicting with other firewall rules.
End result: when someone presses the 'call' button on the VTO, both my multitude of VTH's and smartphone with DMSS application both ring and shows live video of camera. I can hit 'answer' button and have a two way conversation with live video.
I am HOPING this is slightly more secure than using PTP and/or port forwarding :)
Just wanted to share my experience for 4 or 5 guys in the future trying to use VTO without using P2P :)




---------------------
ok i read most of this.. i swear. but straight out of the box, notifications dont work to your iphone or android?
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
ok i read most of this.. i swear. but straight out of the box, notifications dont work to your iphone or android?
not with the complexity of my network setup. main network 192.168.1.xxx, camera network on 192.168.4.xxx, etc. gotta have rules inbetween all that, blockage from internet.
straight out of the box on a new router, new VTO, new smartphone? sure, things will work since everything is default. but so would 2 million hackers :)
 

flynreelow

Known around here
Joined
Dec 12, 2016
Messages
1,198
Reaction score
1,086
not with the complexity of my network setup. main network 192.168.1.xxx, camera network on 192.168.4.xxx, etc. gotta have rules inbetween all that, blockage from internet.
straight out of the box on a new router, new VTO, new smartphone? sure, things will work since everything is default. but so would 2 million hackers :)
im curious, if you are away from house, and running your VPN on your phone, wouldnt you still get these notifications without all that other hoopla
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
im curious, if you are away from house, and running your VPN on your phone, wouldnt you still get these notifications without all that other hoopla
nope. the VTO which is on my network was originally blocked from any internet access and also blocked from any other subnet. security reasoning.
I had to allow 2 pathways. #1) google push notifications and #2) to my smartphone itself which the DMSS app finds home. Which goes down the rabbit hole of part A: local network when smartphone is on local wifi. And part B: when using VPN out in the world.
 

Badstraw

Young grasshopper
Joined
Aug 15, 2021
Messages
34
Reaction score
4
Location
Usa
Are you guys using DSS agile vdp? It doesn’t let me register …
 

gsmithsa

n3wb
Joined
Jun 23, 2021
Messages
12
Reaction score
1
Location
Sydney
not with the complexity of my network setup. main network 192.168.1.xxx, camera network on 192.168.4.xxx, etc. gotta have rules inbetween all that, blockage from internet.
I have the VTO and VTH on one VLAN10, my other cameras on VLAN20, and my trusted devices on VLAN30.

Devices on VLAN30 can access everything

Devices on VLAN20 have no internet access and no access to the other VLANs

Devices on VLAN10 have outgoing internet access, and uPnP (to allow push notifications/remote answer), and no access to the other VLANs

With the default ports specified in the VTO opened, I noticed a lot of bot scanning in my firewall. So I tried to change the external port numbers to obscure ones (which you can only do in the GUI with uPnP on), then turning uPnP off. This worked for a while (and definitely stopped the bot scans), but push notifications would stop working after a period of time (I presume Dahua's servers would check uPnP capability periodically).

I then thought about putting the VTO/VTH on VLAN20 (so completely isolated), get call notifications via Home Assistant, and use the VTO's 2-way audio as the intercom (ie not use DMSS at all). However I found the 2-way audio (through ONVIF) a bit hit-and-miss as to whether it worked

So in the end I settled on the VLAN strategy above - the VTO/VTH are completely isolated from the rest of my network, but I can still get push notifications of calls and answer remotely via DMSS

On my (albeit very old) iPhone, the VPN will often switch off if the cellular network drops out/changes, or if the phone sleeps for a while due to inactivity. So I need to have a non-(always on) VPN based solution for receiving VTO calls

Keen to hear of any other security thoughts around this
 
Last edited:
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
I have the VTO and VTH on one VLAN10, my other cameras on VLAN20, and my trusted devices on VLAN30.

Devices on VLAN30 can access everything

Devices on VLAN20 have no internet access and no access to the other VLANs

Devices on VLAN10 have outgoing internet access, and uPnP (to allow push notifications/remote answer), and no access to the other VLANs

I did try opening the ports specified on the VTO and then turning uPnP off, but push notifications would stop working after a period of time.

I then thought about putting the VTO/VTH on VLAN20 (so completely isolated), get call notifications via Home Assistant, and use the VTO's 2-way audio as the intercom (ie not use DMSS at all). However I found the 2-way audio (through ONVIF) a bit hit-and-miss as to whether it worked

So in the end I settled on the VLAN strategy above - the VTO/VTH are completely isolated from the rest of my network, but I can still get push notifications of calls and answer remotely via DMSS

On my (albeit very old) iPhone, the VPN will often switch off if the cellular network drops out/changes, or if the phone sleeps for a while due to inactivity. So I need to have a non-(always on) VPN based solution for receiving VTO calls

Keen to hear of any other security thoughts around this
then you did not set your firewall rules up correctly. Maybe with my postings above including the Wireshark pictures helps figure things out. My first day attempt I made firewall rules thinking I made it happen. Nope. Day 2 I thought again. Nope. Hence, took me awhile to figure it out.
Your way of P2P on it's own dedicated subnet is the lesser of two evils. I went down a rabbit hole to figure out how to get mine to work with a somewhat secured setup (I mean, opening ports up to 60 Google IP's doesn't make me feel warm & fuzzy either). However, I understand that many folks do not want to bother / no time to figure out how to use Wireshark as a tool and figure out firewall rules for their router.
 
Last edited:

gsmithsa

n3wb
Joined
Jun 23, 2021
Messages
12
Reaction score
1
Location
Sydney
then you did not set your firewall rules up correctly. Maybe with my postings above including the Wireshark pictures helps figure things out.
Sorry I've edited my post above as I forgot to detail:
With the default ports specified in the VTO opened, I noticed a lot of bot scanning in my firewall. So I tried to change the external port numbers to obscure ones (which you can only do in the GUI with uPnP on), then turning uPnP off. This worked for a while (and definitely stopped the bot scans), but push notifications would stop working after a period of time (I presume Dahua's servers would check uPnP capability periodically).


I'm a bit confused with what you're doing. Correct me if I'm wrong:
1. Your VTO has no outgoing access to start with
2. You have port forwarded 443, 5228-5230 to your VTO ?
3. Your VTO is allowed outgoing access to a list of 60+ Google IPs ?

If so,
  • what if Dahua changes their push origin or cloud host to a different service ?
  • how 'sticky' are those 60 Google IPs you've whitelisted ?
  • 443 and 5228-5230 are the only incoming ports you have open for the VTO-DMSS connection to work completely ??
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Sorry I've edited my post above as I forgot to detail:
With the default ports specified in the VTO opened, I noticed a lot of bot scanning in my firewall. So I tried to change the external port numbers to obscure ones (which you can only do in the GUI with uPnP on), then turning uPnP off. This worked for a while (and definitely stopped the bot scans), but push notifications would stop working after a period of time (I presume Dahua's servers would check uPnP capability periodically).


I'm a bit confused with what you're doing. Correct me if I'm wrong:
1. Your VTO has no outgoing access to start with
2. You have port forwarded 443, 5228-5230 to your VTO ?
3. Your VTO is allowed outgoing access to a list of 60+ Google IPs ?

If so,
  • what if Dahua changes their push origin or cloud host to a different service ?
  • how 'sticky' are those 60 Google IPs you've whitelisted ?
  • 443 and 5228-5230 are the only incoming ports you have open for the VTO-DMSS connection to work completely ??
1.) correct... my VTO along with all my other cameras are on a subnet that has a DENY rule to REJECT/BLOCK all communication to the internet and to other subnets. I then have to create specific targeted ALLOW rules.
2.) I have no port forwarding. That's a big nono.
3.) Yes...my VTO is allowed to talk to those 60 Google IP's on specific Google Push ports. I can not find a way around this, sadly. Also, my VTO is allowed to talk to my VPN subnet as well with a single specific VTO UDP port.

I am not using Dahua cloud hosting at all. Inside the VTO, it is "hardcoded" inside the firmware (maybe?) to use Google/iOS push services at specific IPs & ports.
How sticky? That is the downside of Google. Those IP's could change any day on a whim and I'm at their mercy. Thankfully, those IPs have been the same for years so I'm rolling the dice. If my push notifications start to fail, I will see if I need IP updating. I believe iOS is much easier to setup because less number of IP's.

VTO local ports = 37777 and 37778 to the VPN network
Google push ports = 443, 5228, 5229, 5230 to the Google IP's.
 

gsmithsa

n3wb
Joined
Jun 23, 2021
Messages
12
Reaction score
1
Location
Sydney
I am not using Dahua cloud hosting at all
Are you using DMSS to get notifications and remote answer ?

If so, the VTO must contact Dahua servers, which then contact your phone

Interesting that you have no ports forwarded and no P2P... how are you registering your VTO in DMSS ?
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Are you using DMSS to get notifications and remote answer ?

If so, the VTO must contact Dahua servers, which then contact your phone

Interesting that you have no ports forwarded and no P2P... how are you registering your VTO in DMSS ?
incorrect.
The VTO does not talk to Dahua servers at all.
If I were using P2P, this would be true.
VTO "only" talks to Google Push IP's and my VPN network and that's it.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Are you using DMSS to get notifications and remote answer ?

If so, the VTO must contact Dahua servers, which then contact your phone

Interesting that you have no ports forwarded and no P2P... how are you registering your VTO in DMSS ?
look at post #262 above to see how push notifications work. Nothing about Dahua servers. Instead, the VTO contacts Google Push server or iOS push server.
 

gsmithsa

n3wb
Joined
Jun 23, 2021
Messages
12
Reaction score
1
Location
Sydney
VTO "only" talks to Google Push IP's and that's it.
How are you registering DMSS ?

If you register via VTO SN, I would say DMSS passes your VTO IP on to Dahua. If it can't find your VTO (because ports aren't open or it can't do STUN because of your firewall), I'd say it won't register ?

If you register via your WAN IP, you'd have to forward ports

While the initial push notification would go VTO -> push service -> your phone, I suspect that the actual call uses a SIP server, not the push server.

If your VTO's SIP server is not exposed to the internet, then it would have to be Dahua's

See this discussion (VOIP, but same concept) How do PUSH notifications work with PortSIP PBX? | PBX & Collaboration & WebRTC & Video Conferencing
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
How are you registering DMSS ?

If you register via VTO SN, I would say DMSS passes your VTO IP on to Dahua. If it can't find your VTO (because ports aren't open or it can't do STUN because of your firewall), I'd say it won't register ?

If you register via your WAN IP, you'd have to forward ports

While the initial push notification would go VTO -> push service -> your phone, I suspect that the actual call uses a SIP server, not the push server.

If your VTO's SIP server is not exposed to the internet, then it would have to be Dahua's

See this discussion (VOIP, but same concept) How do PUSH notifications work with PortSIP PBX? | PBX & Collaboration & WebRTC & Video Conferencing
Dunno what you mean by 'register'. I installed app on my phone. Added VTO to the app. Add camera via IP search to the app. I 'subscribe' to the camera (which actually means the app talks to the google/ios push service server). The rest is firewall setups.
 
Top