Video Surveillance, Blue Iris and HomeSeer/HSTouch or IPCameras

[electron]

Looks like the video streaming service is listening on port 9000.  We'll have to do some more digging (unless you have no interest, and just want to find another solution).  Do you have SSH/telnet access to this device?
 
Also, don't expose this unit to the internet, it is one of the many devices which is vulnerable to the user/password exploit found here.  That said, this exploit might be what we need  The article/comments do list some more info about what port 9000 does.

 

[DanielHeth]

I have great interest actually.  I like the functionality of the DVR and would love to leave the recording load on it instead of the main homeseer server.
 
I've been careful not to expose it... in fact it is even behind a 2nd router/network so i can keep the computer i use for monitoring the feeds from using my primary networks bandwidth.
 
I read a little into that exploit but couldn't find what i was looking for. 
 
The system does have telnet access, however my user/pass isn't getting me past the prompt.  Do you know of any default logins that might work? 
 
I may need to perform that exploit to get in.

 

[electron]

Supposedly the default user/pass is disabled, but when I ran a sniffer on port 9000, IP Cam Viewer sends a bunch of data, including the following 2 strings:

• admin
• 0123456

So try that as a user/pass combo (flip them around if it doesn't work).  I'll try to do some more research later.

 

[DanielHeth]

No joy on those or combinations of that, rearranging the numbers a bit and using root as well as admin.
 
By the looks of this thread, http://www.cctvforum.com/viewtopic.php?t=33151&p=208586, http://tech.groups.yahoo.com/group/q_see_hack/message/155, and the one you linked to... i may need to open up the dvr, add a USB-TTL module and hack into it. Not ideal since i have low-moderate linux experience.
 
I'm looking packet by packet at my web-session.  I also found an admin/123456 but that didn't work either.  Still examining packets and not sure if i'll get anywhere.
i may indeed need to hack the box to reset the password and gain access to the dvr's filesystem.

 

[electron]

NightOwl claims it's impossible to get a static snapshot from this platform.  Challenge Accepted!
 
I can't work on this right now, but one thing I would try is look up the user names and passwords for all the other DVRs using this same platform (check the security advisory posted earlier), and even google combinations of that make/model with 'api' or 'static jpg', etc.

 

[pete_c]

Here relating to HSTouch/Homeseer and Zoneminder DVR; been playing with a sort of overlay for streaming HD.   The ZM box has always been separate though from HS.  It is a hodgepodge box today with an 8 chip analog video CCTV card and now 8 more IP camera feeds.  Transitioning a little bit at a time to IP HD camera feeds. 
 
Originally I was using xAP for remote features of alarm triggers and remote control of DVR based on external sensors.  Lately have connected a CM11A to ZM box.  While there is a couple of gotchas with this methodology; it allows for alarm DVR recording triggers sent from HS to ZM.  It also allows for use of the video analytics triggers from ZM to HS. 
 
With the above written though HSTouch clients / views et all can be and have been triggered for whatever. 
 
Been building HD (1900X1200) HSTouch client screens putting multiple views on the office LCD TV to see how HSTouch client functions with HD using an Aopen DIgital engine pc's. 

 

[DanielHeth]

After running NMAP on my DVR IP, i discovered the following open ports... 23, 80, 88, and 9000.
 
23 gives me the basic login prompt which none of my logins work.
80 is the web interface
9000 is the media port
88 however gives you a console which any username and any password works, but nothing useful...  Here is what it looks like.
 
Welcome to Stb's world
Username: admin
Password:
Commands available:
  help                 Show available commands
  quit                 Disconnect
  logout               Disconnect
  exit                 Exit from current mode
  history              Show a list of previously run commands
  enable               Turn on privileged commands
  test                 test cmd.
                        get snapcfg help from "test -?"
  thread               get thread info.
  mem                  get mem info.

ROOT>

 

[DanielHeth]

I'm in!!!!  Followed ConsoleCowboy's instructions with a few mods...
 
from my windows 7 x64...
1. downloaded latest nmap which includes ncat
2. downloaded python 2.7 (don't get 3.x cause of various issues i ran into and hand to debug code i'd never programmed in before)
3. download the modified version of their script:  http://bigfix.me/user/danielheth/dvrown.py
4. put the script into the c:\python27 directory
5. Make sure your firewall is turned off.. you'll be opening up a port to listen on... and the firewall will cause connection issues.
6. open cmd prompt to the python directory and run the following command:
    a. dvrown.py [ip of dvr] [your workstations ip] [port you want to listen on]
 
It'll take a few minutes but once you connect you'll basically be receiving the output of any commands you type into the linux shell... nothing is perminant, i think... i haven't rebooted yet, but at least you can browse around the filesystem and discover all kinds of things about the system. 
 
Still trying to determine if this will get us closer to our end goal of a static camera url. 

 

[DanielHeth]

ok, discovered you can use the 'pwd' command to change the root password.  Once you do that you can safely type 'reboot' and the next time it's online you can telnet into the dvr.
Again still trying to figure if it will get us closer to our goal... but so far this is pretty cool!! 
 
My Zeus DVR5 is running BusyBox v1.1.2 if anybody was interested...LOL.

 

[pete_c]

Really nice Daniel! 
 
Over the last 10 years and relating to HS has been trying to integrate a CCTV/DVR setup with HS.  The still snapshot stuff worked fine for me in the middle 2000's.  There are possibilities though and means of doing this today running external to HSTouch applications.  That said I can stream and get stills in just about every available format today with ZM.  The bottleneck here has always been HSTouch.  (a simple browser interface today will stream video and stills just fine).
 
With earlier builds of HSTouch I could get maybe 1 FP minute video.  HSTouch is doing better now relating to frame rates.
 
It would be nice though to integrate full featured record, play and capture of CCTV stuff with HSTouch.
 
I have been able only do this with an overlay external program running HSTouch in Wintel (not Android at this time).
 
I do see some difficulties with said functionality because of all of the different propietary and embedded CCTV DVR stuff out there. IE: getting to that point with HSTouch is one thing and making it work with a variety of different CCTV's is another thing.

 

[electron]

This is one of the reasons I also have a copy of my video feeds going to an Axis server, which is much easier to interface, plus I am using a Windows based DVR solution (Vitamin D in my case), which should make it even easier to get some control of playback etc.

 

[ccollins00]

Looking to connect my night owl possidon dvr
can help me with the URLs??? I have been trying everything the web port is 8088 the media port is 9000 the mobile is18000