Review - TOP-201 Super Mini 720P HD IP-Cam (The Cheapest IP Cam So Far !!)

Discussion in 'IP Cameras' started by lojix, Dec 13, 2014.


  1. Tehnicni

    Tehnicni n3wb

    Joined:
    Sep 2, 2016
    Messages:
    19
    Likes Received:
    0
    Yes, with VLC & rtsp
     
  2. cybermaus

    cybermaus n3wb

    Joined:
    May 26, 2016
    Messages:
    16
    Likes Received:
    2
    Hi sp9dlm

    Not sure how you got this, but I suspect you are a skilled guy who unpacked both the 20160604 and 20150317 firmware files, copied over the rt3070.mod, and repacked it. Or someone like you.
    In which case, great respect!

    And also a humble request:

    Can you add the 3070 modules also to this firmware file?

    General_HZXM_IPC_GM8135S_QQ_50V10PL-S_V4.02.R12.Nat.OnvifS.QQ.20160407.bin
    It's for the 17502 camera boards, which seem to suffer the same fate.

    Link for sohu download
    Currently entry 2 on page 3 of all latest firmwares of manufacturer
    (the 6510 camera is currently entry 10 on page 4, but I am sure you have this already)

    Warning to others: DO NOT TRY THIS LINKED FIRMWARE on a 6510 camera!!

    Thanks

    Edit: never mind: I binwalked, unzipped and scramfs-loop-mounted the firmware file, found the entire linux file structure, and no modules at all. Everything is compiled into the kernel, so it's all or nothing when it comes to repacking.

    I am also somewhat surprised it seemed to have scramfs rather than squashfs. Maybe despite the very similar UI, Sofia code and firmware naming, the 17502 is quite different from the 6510.
     
    Last edited: Dec 7, 2016
  3. Standa from Czechia

    Standa from Czechia n3wb

    Joined:
    Nov 9, 2016
    Messages:
    1
    Likes Received:
    0
    Good day everybody. Does anyone have information on why ResetTool does not work on all types of cameras with new firmware after 6/2016? On cameras with firmware before 6/2016 it works 100%. Thank you for help. Benny from Czechia
     
  4. cybermaus

    cybermaus n3wb

    Joined:
    May 26, 2016
    Messages:
    16
    Likes Received:
    2
    I never used the reset tool, so have no idea, but please be aware that the "Generic Device Manager" search and IP set tool for these Sofia cameras also has a device factory reset button.
     
  5. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    Hi everybody.
    I've just got a "TOP-201 IR" camera which seems faulty, don't know if the one I'm experiencing is a known issue: maybe someone can help me to sort it out...

    Let me explain: the camera body looks fine (although there are some scratches, maybe it was refurbished even if sold as new), when powered using an adapter^ it goes on fine (power led works). So far so good...
    The trouble starts when I try connecting it to the router using an ethernet cable: the networking led of the camera starts blinking but it doesn't get recognized by the router (the cable isn't faulty because it works with other devices and the router's ethernet port led blinks too)^^; even after waiting a lot that led doesn't stop blinking.

    I thought this may be a software issue so I disassembled the camera and managed to connect to the serial interface. The connection works fine, I've even managed to dump the romfs.cramfs filesystem image as explained here^^^.

    Code:
    U-Boot 2010.06-svn (Oct 14 2015 - 15:07:23)
    
    DRAM:  256 MiB
    Check spi flash controller v350... Found
    Spi(cs1) ID: 0xC2 0x20 0x17 0xC2 0x20 0x17
    Spi(cs1): Block:64KB Chip:8MB Name:"MX25L6406E"
    envcrc 0xadaa5f5e
    ENV_SIZE = 0xfffc
    In:    serial
    Out:   serial
    Err:   serial
    Press Ctrl+C to stop autoboot
    CFG_BOOT_ADDR:0x58040000
    8192 KiB hi_sfc at 0:0 is now current device
    
    ### boot load complete: 1973968 bytes loaded to 0x82000000
    ### SAVE TO 80008000 !
    ## Booting kernel from Legacy Image at 82000000 ...
       Image Name:   linux
       Image Type:   ARM Linux Kernel Image (uncompressed)
       Data Size:    1973904 Bytes = 1.9 MiB
       Load Address: 80008000
       Entry Point:  80008000
    
    
    load=0x80008000,_bss_end=80829828,image_end=801e9e90,boot_sp=807c7168
       Loading Kernel Image ... OK
    OK
    
    Starting kernel ...
    
    Uncompressing Linux... done, booting the kernel.
    

    Code:
    bootcmd=setenv setargs setenv bootargs ${bootargs};run setargs;fload;bootm 0x82000000
    bootdelay=1
    baudrate=115200
    bootfile="uImage"
    da=mw.b 0x82000000 ff 1000000;tftp 0x82000000 u-boot.bin.img;sf probe 0;flwrite
    du=mw.b 0x82000000 ff 1000000;tftp 0x82000000 user-x.cramfs.img;sf probe 0;flwrite
    dr=mw.b 0x82000000 ff 1000000;tftp 0x82000000 romfs-x.cramfs.img;sf probe 0;flwrite
    dw=mw.b 0x82000000 ff 1000000;tftp 0x82000000 web-x.cramfs.img;sf probe 0;flwrite
    dc=mw.b 0x82000000 ff 1000000;tftp 0x82000000 custom-x.cramfs.img;sf probe 0;flwrite
    up=mw.b 0x82000000 ff 1000000;tftp 0x82000000 update.img;sf probe 0;flwrite
    ua=mw.b 0x82000000 ff 1000000;tftp 0x82000000 upall_verify.img;sf probe 0;flwrite
    tk=mw.b 0x82000000 ff 1000000;tftp 0x82000000 uImage; bootm 0x82000000
    dd=mw.b 0x82000000 ff 1000000;tftp 0x82000000 mtd-x.jffs2.img;sf probe 0;flwrite
    ipaddr=192.168.1.10
    serverip=192.168.1.107
    netmask=255.255.255.0
    bootargs=mem=${osmem} console=ttyAMA0,115200 root=/dev/mtdblock1 rootfstype=cramfs mtdparts=hi_sfc:256K(boot),3520K(romfs),2560K(user),1280K(web),256K(custom),320K(mtd)
    ethaddr=00:12:16:aa:xx:xx
    HWID=8043420004048425
    NID=0x0005
    osmem=44M
    appSystemLanguage=SimpChinese
    appVideoStandard=PAL
    stdin=serial
    stdout=serial
    stderr=serial
    verify=n
    ver=U-Boot 2010.06-svn (Oct 14 2015 - 15:07:23)
    
    Environment size: 1308/65532 bytes
    

    Does anybody know if there's a way to solve this issue?
    In case I've left out important details do not hesitate to ask me, I'll provide you all information I can get...

    Thanks in advance!

    ^ I've tested it: its output is 12.4 VDC, the declared amperage is: 1A (so it should be OK).
    ^^ I've also tried it against another router by a different brand (this time LAN only without Internet connectivity).
    ^^^ As the dump was done exploiting the ethernet connection I think it can be ruled out that this is a hardware defect.
     
    Last edited: Dec 11, 2016
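
Added example, not part of the post above or of the camera's firmware: the `mtdparts=` string in the printed `bootargs` describes the whole flash layout, so a short Python parser can turn it into byte offsets for splitting a full 8 MB flash dump into its partitions for inspection. `BOOTARGS` and the chip size are copied from the serial output above; the function names and the constructed dump are assumptions.

```python
import re

# Copied from the U-Boot environment printed in the post above.
BOOTARGS = ("mem=${osmem} console=ttyAMA0,115200 root=/dev/mtdblock1 "
            "rootfstype=cramfs mtdparts=hi_sfc:256K(boot),3520K(romfs),"
            "2560K(user),1280K(web),256K(custom),320K(mtd)")
CHIP_SIZE = 8 * 1024 * 1024  # "Chip:8MB" in the U-Boot banner

_UNIT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
# <size>[@<offset>](<name>); size "-" means "rest of the chip"
_PART = re.compile(r"(-|0x[0-9a-fA-F]+|\d+)([kKmMgG]?)"
                   r"(?:@(0x[0-9a-fA-F]+|\d+)([kKmMgG]?))?\(([^)]*)\)")


def parse_mtdparts(bootargs, chip_size=CHIP_SIZE):
    """Return (flash_device, [(name, offset, size), ...]) in bytes."""
    m = re.search(r"\bmtdparts=([^:\s]+):([^;\s]+)", bootargs)
    if m is None:
        raise ValueError("no mtdparts= argument")
    parts, cursor = [], 0
    for item in m.group(2).split(","):
        pm = _PART.match(item)
        if pm is None:
            raise ValueError(f"cannot parse partition {item!r}")
        size, sunit, off, ounit, name = pm.groups()
        # Without an explicit @offset a partition starts where the last one ended.
        offset = int(off, 0) * _UNIT[ounit.lower()] if off else cursor
        if size == "-":
            length = chip_size - offset
        else:
            length = int(size, 0) * _UNIT[sunit.lower()]
        if length <= 0 or offset + length > chip_size:
            raise ValueError(f"partition {name!r} does not fit the chip")
        parts.append((name, offset, length))
        cursor = offset + length
    return m.group(1), parts


def root_partition(bootargs, parts):
    """Resolve root=/dev/mtdblockN to the matching partition tuple."""
    m = re.search(r"\broot=/dev/mtdblock(\d+)", bootargs)
    if m is None:
        raise ValueError("root= is not an mtdblock device")
    return parts[int(m.group(1))]


def carve(dump, parts):
    """Split a full flash dump into {partition_name: bytes}."""
    if len(dump) != CHIP_SIZE:
        raise ValueError("dump is not a full-chip image")
    return {name: dump[off:off + size] for name, off, size in parts}


if __name__ == "__main__":
    device, layout = parse_mtdparts(BOOTARGS)
    for name, off, size in layout:
        print(f"{device}:{name:<7} offset=0x{off:06x} size=0x{size:06x}")
    print("root fs:", root_partition(BOOTARGS, layout)[0])
    fake_dump = bytes(CHIP_SIZE)  # constructed stand-in for a real dump
    print({k: len(v) for k, v in carve(fake_dump, layout).items()})
```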
  6. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    4,517
    Likes Received:
    894
    Location:
    Scotland
    Have you tried a telnet session to the (U-boot IP address at least, may get changed later) IP address of 192.168.1.10 ?
    If you let U-boot boot the kernel, can you ping the camera at that address?
     
  7. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    No, I'll try it now.

    I don't think that's possible: when I start the camera normally [no serial, 1) power adapter, 2) ethernet cable (connected to the router)] the device doesn't get recognized (it isn't listed in the connected clients sections of the router).
     
  8. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    The camera replies to the ping requests.

    I was wrong: same as above (it replies to the ping requests).
     
  9. richms

    richms n3wb

    Joined:
    Jul 22, 2016
    Messages:
    8
    Likes Received:
    1
    Try reconfiguring the IP address with the device manager software that it would have come with. I have had at least one that was non responsive on any IP, and the device manager was able to assign it an IP and then I could get into its web UI and set it up. Without that there was nothing on the IP the box had, which was also what device manager found it at. Yes I had an IP on the PC in the same subnet before anyone suggests that ;)
     
    alastairstevenson likes this.
  10. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    You mean the one in the CD, right (General DeviceManage)?
    The PC I'm testing from is in the same subnet of the ipcamera.

    Anyway, I've just tried viewing the stream with ffmpeg:
    Code:
    ffplay rtsp://192.168.1.10:554/user=admin_password=_channel=1_stream=0.sdp?real_stream
    and it's indeed streaming (images are garbage, at the moment, because the camera is still disassembled and the sensor is apart from the lens).

    Tomorrow I'll try following richms' advice to see if it improves the current behavior. Now, at least, it seems to be streaming... did anybody encounter the same issue?

    Thanks everybody!
     
  11. cybermaus

    cybermaus n3wb

    Joined:
    May 26, 2016
    Messages:
    16
    Likes Received:
    2
    Possibly I am misinterpreting what I read here, especially as your serial link shows you are not a complete digi-noob. But it sounds as if the camera simply had a hardcoded IP and you expected it to have DHCP, hence "it isn't listed in the connected clients sections of the router". More of a misunderstanding than an issue. If so, a bit of a pity you went as far as baring its guts.
     
  12. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    Yeah maybe it was just a wrong expectation on my part: I was surprised, thinking it wasn't working properly, because in the past I configured a few devices with static IPs and I recall they were listed in the "devices" section of the router too. So, assuming both the camera and the router are working as expected, I see two possibilities:

    1. What I recall is wrong (it was a long time ago, it could be...)
    2. The devices I had were configured using Static DHCP

    The fact is that if the device isn't recognized by the router I'm unable to configure its networking settings (things like port forwarding, access logging, etc.).
     
  13. cybermaus

    cybermaus n3wb

    Joined:
    May 26, 2016
    Messages:
    16
    Likes Received:
    2
    You cannot enter the IP for port forwarding manually? Usually there is a manual option. Even if there is a drop down list with IP's, there may be an empty one at the end of the list.
    What brand router?
     
  14. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    You're right (there's an option to insert the ip manually at the end of the drop down list): never noticed that one...

    As these kind of devices are quite vulnerable, if exposed carelessly on the internet, before setting it up I'm checking what's the safety level of this ipcamera.

    Here's the result of a port scan (when available I've also added additional descriptions gathered manually):
    1. 80/tcp (http, uc-httpd 1.0.0, Web UI)
    2. 554/tcp (rtsp, H264DVR 1.0, H.264 video stream)
    3. 3702/udp (SOAP / ONVIF / ws-discovery, gSOAP 2.7)
    4. 8899/tcp (SOAP / ONVIF, gSOAP 2.7)
    5. 9527/tcp (Telnet, BusyBox v1.16.1 telnetd)
    6. 9530/tcp (unknown)
    7. 34567/tcp (ipcamera TCP port)

    Even if not identified by the port scan, the camera may also use the following ports:
    1. 8443/tcp (ipcamera SSL port) // the camera seems to refuse any connection attempts on this one
    2. 34568/udp (ipcamera UDP port)
    3. 34569/udp (IP Search port)
    Verdict: password (and firewall) protect it as much as you can (otherwise it's going to be abused by black hats).


    Now I've got three other questions:
    1. I've tried browsing the web UI using Firefox: it gets displayed but only in Chinese and the browser says I miss a plugin: do I need to use Internet Explorer to get something useful?
    2. Is it possible to login through telnet as the root user? (I've confirmed that the password should be xmhdipc, network port 9527, but I'm unable to login^)
    3. Is CMS really needed? (or can I use any other compatible viewer without losing useful features?)

    ^ I can log using:
    • Username: admin
    • Password: <empty>
    That's not the root account.
    Moreover, after I run the command to get the sh shell, the shell doesn't seem to run the commands I type. Furthermore, if I list the available users using the provided command, the camera replies saying the only ones existing are: admin and default (that's not true because user root is included in the ipcamera's shadow file).

    Thanks again!
     
    Last edited: Dec 12, 2016
  15. Kawboy12R

    Kawboy12R Getting comfortable

    Joined:
    Nov 18, 2014
    Messages:
    1,212
    Likes Received:
    249
    Safety level 0. Deny them access to the net completely. Preferably deny them access to your OWN computers except for camera management boxes. Some of these even come prepackaged with malware.
     
  16. Dodutils

    Dodutils Getting the hang of it

    Joined:
    Dec 10, 2016
    Messages:
    144
    Likes Received:
    22
    1. Many cameras still use ActiveX so it should be IE only (Microsoft Edge dropped ActiveX support)
    2. Or maybe your firmware version changed the root password?
    3. What are "useful features" to you? If you use this camera thru NVR or usual software like BI or Netcam Studio they can do the viewing/motion alert/recording so no need of original CMS especially for such "basic" camera.
     
  17. Dodutils

    Dodutils Getting the hang of it

    Joined:
    Dec 10, 2016
    Messages:
    144
    Likes Received:
    22
    Yes, security is crap, like the ESCAM QD300/QD900, which let you get the stream without any password and allow unencrypted P2P over the Internet, so someone can sniff your link and get the login/password and full RTSP stream.

    If you have local privacy/security concerns, the best you can do is to connect them to a managed switch that will isolate their network into a dedicated VLAN that your NVR can access, for example; then from outside you connect to your NVR (or BI or Netcam Studio or whatever software) directly from the Internet or, for more privacy/security, thru some VPN you set on your DSL/Fiber router.
     
    Last edited: Dec 12, 2016
  18. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    4,517
    Likes Received:
    894
    Location:
    Scotland
    Sorry - totally wrong.
    Vulnerability exploits don't generally care what password you've set. That's why they are vulnerabilities.
     
  19. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    Sorry if I wasn't clear: I meant to ask if there were any unique features available only using CMS? (I don't think so)

    Uhm so, ignoring the fact that all the traffic is in cleartext (it isn't good but unfortunately it isn't surprising), you say the camera may be dangerous / hostile even for use in the local network and it may even contain malware? (is the malware part a general statement or is the "TOP-201" known to be infected?)

    Yeah, I wanted it to be accessible from the outside but in a secure way (I was thinking of using something like a ssh tunnel / VPN). Your suggestion provides an interesting idea too...

    You're right, I've explained myself in a bad way...

    What I meant was that assuming there are no known exploits affecting this device, to harden it, you still need to change the default password (empty) and firewall anything which isn't needed or restricted in other ways (ssh tunnel, VPN, IP whitelist, etc.).
    For example I know devices like this (even this one) are compromised and turned into bots exploited by botnets like Mirai controlled by black hats. I haven't read the details about how this is done but I think the devices are tested against a set of known username / password combos, wordlists.

    Do you know if there's any known exploit affecting the "TOP-201" ipcamera?

    Many thanks everybody!
     
  20. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    Sorry to bump the thread: no replies to my previous questions?

    Thanks in advance!
     
  21. zero-degrees

    zero-degrees Getting comfortable

    Joined:
    Aug 15, 2015
    Messages:
    856
    Likes Received:
    367
    Location:
    Indiana
    You are asking a lot of questions for a $25 camera... You get what you pay for.

    Just because today there are no known exploits doesn't mean some will not appear tomorrow. While this can be said about ANY device, the likelihood is MUCH higher in a sub par inexpensive device from China like this.

    Placing this device on a secure network via VPN doesn't mean anything - other than you are trusting an inexpensive China device on your secure network... This is the exact reason why controlled networks have all types of alarms set to go off when something like this occurs. Just because you secure a network so someone else can't look in doesn't mean anything if the device is unsecure or unleashes an attack from within.

    Bottom Line - If you want to try a $25 ONVIF camera go for it, but don't put a lot of faith in the outcome.
     
  22. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    Didn't want to be annoying, just that I'm a curious person and I like to tinker with this kind of low cost devices...

    As you've correctly written it isn't right to expect too much from a cheap device like this: just wanted to know if there were publicly known issues / exploits in order to mitigate them...
    Anyway I'll probably set-up the camera in a separate VLAN firewalling everything (inbound / outbound) so that I can talk only on that network segment locally. Another device in the same VLAN will fetch the RTSP stream and provide secure access to it (the authentication part being managed by ssh).

    Regarding my previous questions, as the security part has been partially addressed, what about the CMS and telnet ones?

    Thanks for your patient replies.
     
  23. cybermaus

    cybermaus n3wb

    Joined:
    May 26, 2016
    Messages:
    16
    Likes Received:
    2
    1 and 3 are related: If you cannot connect through the built-in browser, then you cannot really configure the camera unless you have CMS. CMS is the only program I found that can actually control all the configuration of the camera. But other than for configuration, I do not use it; any ONVIF-compliant viewer should work for motion detect, any RTSP should work for viewing. I never was able to connect using IE either, but I am not bothered by it.

    2: In some versions of the camera, they dropped autostart for telnet. Connect to 9527, and start the telnet daemon from in there, and then connect through telnet.
    I forget the exact commands, but something like:
    shell
    /sbin/telnetd &
    or
    shell
    /bin/telnetd &

    Not sure anymore if you also have to put an option on the telnetd.
    You may want to read up on the internet man pages on telnetd for that.
     
    chorizo likes this.
  24. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    Thanks for the explanation.

    Thanks. I'll try fiddling with that one in order to see what happens...
     
  25. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    Unfortunately here's what happens (gif animation):

    [​IMG]

    I've also tried issuing the command you suggested (I've confirmed /sbin is the correct path):
    Code:
    /sbin/telnetd &
    But the result is always the same:
    Code:
    : not found
    As you may have noticed from the gif, some error messages are printed during the execution:
    Code:
    ===GetNatDnsSrvAddr ===> begin
    
    gethostbyname mac.secu100.net fail
    
    CCloudMediaManager::Start-------->get pub cfg ip failed [pub-cfg.secu100.net]
    
    ===gethostbyname error for host:pub-cfg.secu100.net
    
    CCloudAlarmCli::Start-------->get pub cfg ip failed [pub-cfg.secu100.net]
    
    CloudUpgrade::SetServerAddr: Address error! Errorcode : Name or service not known
    
    ===gethostbyname error for host:secu100.net
    
    GetNatServerIP error
     
    Last edited: Dec 17, 2016
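
Added example, not part of the post above: the serial console errors show which cloud hostnames the firmware tries to resolve at boot, which is the list to watch for or block at the DNS resolver or egress firewall of a camera VLAN. This Python sketch extracts those names from the quoted lines and collapses them to the smallest set of covering zones; the function names are assumptions and the sample is the post's own output with blank lines dropped.

```python
import re
from collections import Counter

# Constructed sample: the error lines quoted in the post above.
SERIAL_LOG = """\
===GetNatDnsSrvAddr ===> begin
gethostbyname mac.secu100.net fail
CCloudMediaManager::Start-------->get pub cfg ip failed [pub-cfg.secu100.net]
===gethostbyname error for host:pub-cfg.secu100.net
CCloudAlarmCli::Start-------->get pub cfg ip failed [pub-cfg.secu100.net]
CloudUpgrade::SetServerAddr: Address error! Errorcode : Name or service not known
===gethostbyname error for host:secu100.net
GetNatServerIP error
"""

# Dotted DNS name ending in an alphabetic TLD, not glued to other word characters.
HOSTNAME = re.compile(
    r"(?<![\w.-])(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}(?![\w-])",
    re.IGNORECASE,
)


def lookup_targets(log_text):
    """Count how often each hostname appears in the firmware's console output."""
    seen = Counter()
    for line in log_text.splitlines():
        for match in HOSTNAME.finditer(line):
            seen[match.group(0).lower()] += 1
    return seen


def covering_zones(names):
    """Smallest set of names such that every input is one of them or a subdomain."""
    zones = []
    # Visit shorter names first so a parent is kept before its children are tested.
    for name in sorted(names, key=lambda n: n.count(".")):
        if not any(name == z or name.endswith("." + z) for z in zones):
            zones.append(name)
    return sorted(zones)


if __name__ == "__main__":
    targets = lookup_targets(SERIAL_LOG)
    for host, count in sorted(targets.items()):
        print(f"{count:2d}  {host}")
    print("zones to watch or block:", covering_zones(targets))
```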
  26. cybermaus

    cybermaus n3wb

    Joined:
    May 26, 2016
    Messages:
    16
    Likes Received:
    2
    That's what I got as well, and I tried many variants of the telnetd call, including some with options like IP and port to listen for; one of them worked, even though it never gave a satisfactory command response.

    So I say again, read the telnetd man page (the busybox one) and try some. Because I tried so many myself, I do not quite remember which variant was the right one.
     
  27. Dodutils

    Dodutils Getting the hang of it

    Joined:
    Dec 10, 2016
    Messages:
    144
    Likes Received:
    22
    Hey what did you use to record and make animated GIF of your screen session #wantit !
     
  28. cybermaus

    cybermaus n3wb

    Joined:
    May 26, 2016
    Messages:
    16
    Likes Received:
    2
  29. chorizo

    chorizo n3wb

    Joined:
    Dec 11, 2016
    Messages:
    15
    Likes Received:
    3
    Thanks, I'll try it this week (as soon as I've enough free time).

    Hi, I've used ttygif.

    The exact way I recorded that gif is reported here:

    Terminal emulator: xterm (132x43)

    Start recording: ttyrec myrecording filename
    Stop recording: CTRL + D (or type exit)

    Generate gif from the recorded typescript: ttygif filename

    Optimize gif filesize: gifsicle -O3 filename.gif -o optimized_filename.gif
     
    Dodutils and alastairstevenson like this.
  30. Dodutils

    Dodutils Getting the hang of it

    Joined:
    Dec 10, 2016
    Messages:
    144
    Likes Received:
    22
    Tnx :)