This is not true, IR filter is on sensor chip, I apologize for the misinformation.
This is not true, IR filter is on sensor chip, I apologize for the misinformation.
Dodutils
Pulling my weight
- Dec 10, 2016
- 451
- 166
On such TOP-201-like cameras take care about the firmware and the sensor resolution you may have different sensors (and chipset too) :
720P: H22 + Hi3518E
720P: H42 + Hi3518E
960P: SC1135 + Hi3518E
1080P: SC2135 + Hi3516C
ALso take care about the Vxxx after the Hi3518E you have Hi3518E "alone", the Hi3518EV200 and Hi3518EV300 that are different.
Last edited:
After uploading new FW I notice pink picture also with strong light, even daylight. Can somebody upload some old FW for TOP-201, 308 camera. I have basic camera without WiFi and afraid to upload FW which you are talking about
Take care of everything! Even with the same chip and the same sensor, it can wire up those chips differently. Unless you know all it to be the same manufacturer and model, the firmware is a risk.
Which means that my camera is definitely different then Alexey's, and I should not use that firmware myself!
Which means you should list out much more details about your camera. What full firmware+version string was displayed before you flashed? What date? What file did you flash. Where did you get it? What firmware+version string is displayed now?
Also, it is possible you simply accidentally disabled the IR in the software settings. I see above you have been playing with the dynamic range, did you also play with day/night mode and/or IR Swap?
And it is possible you screwed in new wide angle lens too deeply. This is needed to get focus on such short focal distance lens, but is possible your lens is now physically blocking the IR filter from moving. Do you hear the IR filter "click" when you turn on the camera?
I actually did that myself too. I broke one camera because I screwed in a 1.8mm lens to deeply to get focus, and I *broke* the moveable IR filter glass. In my case, it is still "clicking" but the IR glass fell out next time I unscrewed the lens.
Finally succeeded to customise the /mnt/custom (/dev/mtdblock4) part of my camera's firmware after flashing one proposed by cybermaus (Review - TOP-201 Super Mini 720P HD IP-Cam (The Cheapest IP Cam So Far !!)).
Managed to 'brick' the camera in due course by destroying files in /mnt/custom, therefore I advise everyone NOT TO USE Firmware Mod Kit, apart from 'binwalk-script' utility for info purposes (I tried version 0.99, by the way). It does not extract files from firmware '.img' files correctly (they are all binary zeroes inside). And it is useless anyway, cannot re-create firmware file. If you need to mod one of firmware files, do as follows:
Install cramfs tools (if your Linux distro does not have it as part of util-linux), and zip utility. Then:
I added this script to the '/mnt/custom' partition to be able to run anything I want on camera start-up:
Managed to 'brick' the camera in due course by destroying files in /mnt/custom, therefore I advise everyone NOT TO USE Firmware Mod Kit, apart from 'binwalk-script' utility for info purposes (I tried version 0.99, by the way). It does not extract files from firmware '.img' files correctly (they are all binary zeroes inside). And it is useless anyway, cannot re-create firmware file. If you need to mod one of firmware files, do as follows:
Install cramfs tools (if your Linux distro does not have it as part of util-linux), and zip utility. Then:
Code:
unzip YOUR_EXISTING_FIRMWARE_FILE_NAME.bin
head -c+64 <custom-x.cramfs.img >myimg.header
tail -c+65 <custom-x.cramfs.img >myimg.cramfs
mkdir /mnt/diskimage
mount -o loop $PWD/myimg.cramfs /mnt/diskimage
mkdir myimg
cp -a /mnt/diskimage/* ./myimg
umount /mnt/diskimage
[now modify/remove/add files in ./myimg directory, watch out for total files size - should be under 300K]
mkfs.cramfs -b 20480 ./myimg modimg.cramfs
cat myimg.header modimg.cramfs >custom-x.cramfs.img
[edit your InstallDesc file to include only custom-x.cramfs.img, be careful with commas!]
zip -9 mycustom.zip InstallDesc custom-x.cramfs.img
[flash your device using DeviceManage, web interface or CMS]I added this script to the '/mnt/custom' partition to be able to run anything I want on camera start-up:
Code:
# cat /mnt/custom/extapp.sh
#!/bin/sh
if [ -f /mnt/mtd/userinit.sh ]; then
chmod a+x /mnt/mtd/userinit.sh
/mnt/mtd/userinit.sh &
fi
#Wow. I'd put more then 1 like if I could !
Not that I have need for this, camera's are working. But good to know how to just in case.
PS: don't like this post. Otherwise this thread page looks like you and me just trading fake likes. But the work you did definitely deserves a like.
PS2: When I did play myself with this, I found that some firmware's use cramfs, but other use squashfs. So do not blindly follow above instructions. It may depend on the specific camera.
Not that I have need for this, camera's are working. But good to know how to just in case.
PS: don't like this post. Otherwise this thread page looks like you and me just trading fake likes. But the work you did definitely deserves a like.
PS2: When I did play myself with this, I found that some firmware's use cramfs, but other use squashfs. So do not blindly follow above instructions. It may depend on the specific camera.
Last edited:
OK, got the message. By the way - Did you test FTP offload with motion detection (Setting->System->NetService->FTP, then Setting->Alarm->Video Motion-> check FTP)?
FTP does not work at all in my camera, tried few different firmware releases. My next mod attempt would be, most probably, to make FTP work. Or, to try sending e-mail with attached snapshot (like FOSCAM cameras do).
No. I use them as fairly dumb camera's, connected to a NVR.
The camera only needs to signal motion detect to the NVR, and then the NVR does anything else, like save the recording and (if I wanted) email and snapshot.
There are a few reasons for this setup
- 6 active camera's, centralized management
- I do not want an email for every false alarm (cat, bird, wind, cloud, sun-shade, leaves)
- If I get a motion detect on one camera, I want the other camera's to also start recording.
but most importantly:
When I had my camera's on a network monitor for a while, I did see it "call out" every so often. Even though I had the cloud disabled.
I think it was a harmless manufacturer call home instinct (I checked the registration of the IP address), but I dislike it.
So all my camera's are *not connected* to the internet. They can only connect to the NVR.
So not only no incoming port forwarding, but also no outgoing traffic.
Of course the risk merely shifts: Can I trust the NVR itself? And can I trust the Android box hooked up to the monitor?
But at least the camera's themselves cannot be used as a IoT botnet.
The camera only needs to signal motion detect to the NVR, and then the NVR does anything else, like save the recording and (if I wanted) email and snapshot.
There are a few reasons for this setup
- 6 active camera's, centralized management
- I do not want an email for every false alarm (cat, bird, wind, cloud, sun-shade, leaves)
- If I get a motion detect on one camera, I want the other camera's to also start recording.
but most importantly:
When I had my camera's on a network monitor for a while, I did see it "call out" every so often. Even though I had the cloud disabled.
I think it was a harmless manufacturer call home instinct (I checked the registration of the IP address), but I dislike it.
So all my camera's are *not connected* to the internet. They can only connect to the NVR.
So not only no incoming port forwarding, but also no outgoing traffic.
Of course the risk merely shifts: Can I trust the NVR itself? And can I trust the Android box hooked up to the monitor?
But at least the camera's themselves cannot be used as a IoT botnet.
Last edited:
Hmm.. been thinking about an NVR box but too lazy to buy one. Looking into turning a Raspberry Pi into an NVR.
Oh, and a quick 'de-brick' procedure, JIC, as I went through it today in the morning. I disassembled the 'water-proof' case, easy to do: remove two screws and front part, then two screws and LEDs then 4 screws and you got the board. Look at the photo how serial port is attached using 3 wires.
Open terminal (like Putty or minicom), parameters 115200/8/N/1. Then power-cycle the camera, press Control-C when instructed on the screen over serial port. Type 'printenv' (without quotes) - you will see command lines for loading all parts of firmware over TFTP. Otherwise type 'help'.
Oh, and a quick 'de-brick' procedure, JIC, as I went through it today in the morning. I disassembled the 'water-proof' case, easy to do: remove two screws and front part, then two screws and LEDs then 4 screws and you got the board. Look at the photo how serial port is attached using 3 wires.
Open terminal (like Putty or minicom), parameters 115200/8/N/1. Then power-cycle the camera, press Control-C when instructed on the screen over serial port. Type 'printenv' (without quotes) - you will see command lines for loading all parts of firmware over TFTP. Otherwise type 'help'.
Last edited:
rellor
n3wb
- Feb 17, 2017
- 10
- 3
Hi - Been following this thread for a long time - Bought a hi3518e pinhole lens camera without wifi - have completely forgot the admin password and have been hacking it ever since. Got the serial soldered, managed to download the image to a tftp server from the U-boot, have the passwd and passwd- files and even though everyone says the root password for it is xmhdipc with this one it isn't the case. Is there a way of getting the console serial output after "booting the kernel" as it stops after then.
alastairstevenson
Staff member
Paste the contents on here, maybe someone will take a look.
Where are you trying this - at a telnet login?
rellor
n3wb
- Feb 17, 2017
- 10
- 3
Trying to login at the telnet on 9527
passwd file : root:$1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0:0:0:root:/:/bin/sh (stick it in google and I get xmhdipc, which doesn't allow me in.)
passwd- file : root:$6$0E8/0opc$yfESwbvIce8PIEb3fCgH1kRpISzA2ffyv9VfdeM3wadmKyLfLXgNlyH3TafXvugdqPevBgE.3EZtGnP.KZZug.:0:0:root:/:/bin/sh
I have attached the rom which I tftpd thanks to this link Hacking Cheap eBay IP Camera
Download the zip file, unzip and mount it using
sudo mkdir /media/cramfs
sudo mount -t cramfs -o loop romfs2.cramfs /media/cramfs
Firmware version I am using is unknown, but details may be in the image above.
With all these p2p cameras & people worrying about them phoning home, I just set IP manually but change gateway IP to +1 along with DNS.
passwd file : root:$1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0:0:0:root:/:/bin/sh (stick it in google and I get xmhdipc, which doesn't allow me in.)
passwd- file : root:$6$0E8/0opc$yfESwbvIce8PIEb3fCgH1kRpISzA2ffyv9VfdeM3wadmKyLfLXgNlyH3TafXvugdqPevBgE.3EZtGnP.KZZug.:0:0:root:/:/bin/sh
I have attached the rom which I tftpd thanks to this link Hacking Cheap eBay IP Camera
Download the zip file, unzip and mount it using
sudo mkdir /media/cramfs
sudo mount -t cramfs -o loop romfs2.cramfs /media/cramfs
Firmware version I am using is unknown, but details may be in the image above.
With all these p2p cameras & people worrying about them phoning home, I just set IP manually but change gateway IP to +1 along with DNS.
I guess password is OK. What is not OK is terminal settings when you telnet to port 9527. I suggest trying few combinations: to use either ^J (ctrl-j) or ^M (ctrl-m) after typing username and password.
Never did serial on the camera's (yet) but have so on other devices.
You probably already tried, but its not mentioned above, so just in case: simply press Enter on the console? Usually that kickstarts the shell and promt.
bcd
n3wb
- Aug 5, 2016
- 9
- 2
to the port 9527 (Virtual Serial Interface via TCP/IP) you must login in the same way as web-ui: login 'admin', default password will be empty.
Just tried it on my camera. Apparently you cannot login as 'root' from the console at port 9527, as it is not 'telnetd' that listens on this port, but some 'dvrHelper' application.
I can login with 'admin' user and password, though. But it does not seem to be an option for you, as you do not remember 'admin' password. The only solution, from my point of view, would be to extract and re-build your own 'custom-x.cramfs.img' and burn it to the camera's flash, as I did, adding 'extapp.sh' file to the root of /mnt/custom filesystem (mtdblock4). Just put 'telnetd&' in this script and reboot camera.
Dodutils
Pulling my weight
- Dec 10, 2016
- 451
- 166
I only buy 5MP rated lens to be sure I get good lens quality because many are crap and only 0.3MP (you can see air bubbles or dust particles inside the lens glass), for example I bought this pack of multiple lens from 2.8mm to 16mm and it was crap 2.8mm~16mm Fixed IRIS Lens for Security Cameras - Black (6-Lens Pack)
Dodutils
Pulling my weight
- Dec 10, 2016
- 451
- 166
If you are in trouble with secured SMTP server you may use sTunnel installed in one of your PC (Win32/Linux https://www.stunnel.org) and let the camera connect to it as standard SMTP with no encryption and let sTunnel proxy and transform it into SSL SMTP