ant-thomas / zsgx1hacks

Hacks for ZS-GX1 IP Camera and various Goke GK7102 based IP Cameras

GIBSSI 1080P Wireless IP Camera - onvif ? #35

Open chilippso opened 6 years ago

chilippso commented 6 years ago

Got a GIBSSI 1080P Wireless IP Camera with the same SoC (Goke GK7102S) but a different PCB. Telnet/root credentials are equivalent, even RTSP (on a different port: 8001) works with VLC, but I cannot control it with ONVIF (tried iSpy) ...

Any suggestions?

# uname -a
Linux IP CAMERA 3.4.43-gk #61 PREEMPT Wed May 17 19:07:50 CST 2017 armv6l GNU/Linux
# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:843             0.0.0.0:*               LISTEN      175/p2pcam
tcp        0      0 0.0.0.0:6670            0.0.0.0:*               LISTEN      175/p2pcam
tcp        0      0 127.0.0.1:9008          0.0.0.0:*               LISTEN      175/p2pcam
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      178/telnetd
tcp        0      0 0.0.0.0:5050            0.0.0.0:*               LISTEN      175/p2pcam
tcp        0      0 0.0.0.0:7101            0.0.0.0:*               LISTEN      175/p2pcam
tcp        0      0 0.0.0.0:7103            0.0.0.0:*               LISTEN      175/p2pcam
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      175/p2pcam
tcp        0      0 0.0.0.0:3201            0.0.0.0:*               LISTEN      149/tees
udp        0      0 0.0.0.0:7998            0.0.0.0:*                           175/p2pcam
udp        0      0 0.0.0.0:8001            0.0.0.0:*                           175/p2pcam
udp        0      0 0.0.0.0:8002            0.0.0.0:*                           175/p2pcam
# pwd
/home
# ls -la
drwxrwxrwx    5 root     root             0 Mar  8 18:39 .
drwxr-xr-x   18 root     root             0 Jan  1  1970 ..
-rwxrwxrwx    1 root     root          1200 Jan  1  1970 1080_mem_cfg.bin
-rwxrwxrwx    1 root     root       1137700 Sep  8 02:41 8188fu.ko
-rwxrwxrwx    1 root     root        361845 Jan  1  1970 VOICE.tgz
-rwxrwxrwx    1 root     root        334850 May  5  2017 VOICE.tgz.yuan
-rwxrwxrwx    1 root     root         59746 Jan  1  1970 ca-bundle-add-closeli.crt
-rwxrwxrwx    1 root     root           375 Jan  1  1970 check_mem.sh
-rwxrwxrwx    1 root     root         14153 Jan  1  1970 chmemcfg
-rwxrwxrwx    1 500      500            634 Jan  1  1970 cloud.ini
-rwxrwxrwx    1 500      500            609 Jan  1  1970 cloud_oversea.ini
-rw-r--r--    1 root     root           753 Mar  8 18:39 config.cfg
-rwxrwxrwx    1 root     root           753 Mar  8 18:39 config.cfg.bak
-rwxrwxrwx    1 root     root           141 Mar  7 12:33 config.json
-rwxrwxrwx    1 root     root          3659 Mar  8 18:40 config.xml
-rwxrwxrwx    1 root     root           141 Nov  8 15:19 config_bak.json
-rwxrwxrwx    1 root     root           155 Jun 23  2017 custom_init.sh
-rwxrwxrwx    1 500      500           7376 May 25  2017 debugtool
-rwxrwxrwx    1 root     root          1024 Mar  8 18:39 devParam.dat
drwxrwxrwx    2 1000     default          0 Mar 31  2017 extra
-rwxrwxrwx    1 root     root            32 Jul 28  2017 eye.conf
-rwxrwxrwx    1 500      500           1575 Jun 20  2017 factory_tool.sh
-rwxrwxrwx    1 root     root         14078 May 13  2017 flashwriteMtd
-rwxrwxrwx    1 500      500           4639 May 17  2017 gio.ko
-rwxrwxrwx    1 root     root        677824 Jun 23  2017 gk_fw.bin
-rwxrwxrwx    1 root     root         26094 Jan  1  1970 gkptz-dsa.ko
-rwxrwxrwx    1 root     root         25734 Jan  1  1970 gkptz.ko
-rwxrwxrwx    1 root     root           455 Jun 23  2017 hardinfo.bin
-rwxrwxrwx    1 root     root           137 Sep 12 07:57 hwcfg.ini
-rwxrwxrwx    1 root     root             8 Mar  7 12:34 idx.log
-rwxrwxrwx    1 root     root            30 Jan  1  1970 model.ini
-rwxrwxrwx    1 root     root       2706387 Jan  1  1970 p2pcam.tar.gz
-rwxrwxrwx    1 root     root            20 Mar  8 10:39 psp.dat
-rwxrwxrwx    1 root     root            89 Jun 23  2017 ptz.cfg
-rwxrwxrwx    1 500      500          21489 May  4  2017 sdc_tool
-rwxrwxrwx    1 500      500           1779 Apr 13  2017 sensor.sh
-rwxrwxrwx    1 500      500          38796 May 13  2017 sensordetect
drwxrwxrwx    2 500      500              0 Jan 23  2017 sensors
-rwxrwxrwx    1 500      500           3337 Jan  1  1970 start.sh
-rwxrwxrwx    1 root     root         28487 Jan  1  1970 tees
-rwxrwxrwx    1 root     root           985 Mar  7 12:28 work.log
-rwxrwxrwx    1 root     root        595508 Jan  1  1970 wpa_supplicant
-rwxrwxrwx    1 root     root           154 Jan  1  1970 wpa_supplicant.conf
-rwxrwxrwx    1 500      500            185 Jan  1  1970 wpa_supplicant.conf_EYERD

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-08 19:46 CET
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:46
Completed NSE at 19:46, 0.00s elapsed
Initiating NSE at 19:46
Completed NSE at 19:46, 0.00s elapsed
Initiating ARP Ping Scan at 19:46
Scanning 192.168.2.3 [1 port]
Completed ARP Ping Scan at 19:46, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:46
Completed Parallel DNS resolution of 1 host. at 19:46, 0.00s elapsed
Initiating SYN Stealth Scan at 19:46
Scanning 192.168.2.3 [1000 ports]
Discovered open port 23/tcp on 192.168.2.3
Discovered open port 7103/tcp on 192.168.2.3
Discovered open port 8001/tcp on 192.168.2.3
Discovered open port 5050/tcp on 192.168.2.3
Discovered open port 843/tcp on 192.168.2.3
Completed SYN Stealth Scan at 19:46, 0.11s elapsed (1000 total ports)
Initiating Service scan at 19:46
Scanning 5 services on 192.168.2.3
Completed Service scan at 19:46, 46.02s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.2.3
NSE: Script scanning 192.168.2.3.
Initiating NSE at 19:46
Completed NSE at 19:46, 5.04s elapsed
Initiating NSE at 19:46
Completed NSE at 19:46, 0.03s elapsed
Nmap scan report for 192.168.2.3
Host is up (0.00053s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet
| fingerprint-strings: 
|   GenericLines: 
|     CAMERA login: 
|     CAMERA login: IP CAMERA login:
|   GetRequest: 
|     HTTP/1.0
|     CAMERA login:
|   Help: 
|     HELP
|     CAMERA login:
|   NCP: 
|     DmdT^@^@^@
|     ^@^@^@^A^@^@^@^@^@
|   NULL: 
|     CAMERA login:
|   RPCCheck: 
|     ^@^@(r
|   SIPOptions: 
|     OPTIONS sip:nm SIP/2.0
|     Via: SIP/2.0/TCP nm;branch=foo
|     From: <sip:nm@nm>;tag=root
|     <sip:nm2@nm2>
|     Call-ID: 50000
|     CSeq: 42 OPTIONS
|     Max-Forwards: 70
|     Content-Length: 0
|     Contact: <sip:nm@nm>
|     Accept: application/sdp
|     CAMERA login:
|   tn3270: 
|     ^@IBM-3279-4-E
|_    ^YIP CAMERA login:
843/tcp  open  unknown
| fingerprint-strings: 
|   DNSStatusRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, LANDesk-RC, LDAPBindReq, LPDString, NCP, RTSPRequest, TerminalServer, X11Probe, afp: 
|_    <cross-domain-policy> <allow-access-from domain="*" to-ports="*" /> </cross-domain-policy>
5050/tcp open  mmcc?
7103/tcp open  tcpwrapped
8001/tcp open  rtsp
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Server: TAS-Tech IPCam
|     Date: Fri, 8 Mar 118 18:46:15 GMT
|     Content-Length: 9
|     Cache-Control: no-cache
|     Found
|   GetRequest: 
|     HTTP/1.1 404 Not Found
|     Server: TAS-Tech IPCam
|     Date: Fri, 8 Mar 118 18:46:10 GMT
|     Content-Length: 9
|     Cache-Control: no-cache
|     Found
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     Server: TAS-Tech IPCam
|     Date: Fri, 8 Mar 118 18:46:20 GMT
|     Content-Length: 18
|     Cache-Control: no-cache
|     Method Not Allowed
|   RTSPRequest: 
|     RTSP/1.0 200 OK
|     CSeq: 0
|     Server: TAS-Tech Streaming Server V100R001
|_    Public: DESCRIBE, SET_PARAMETER, SETUP, TEARDOWN, PAUSE, PLAY
|_rtsp-methods: DESCRIBE, SET_PARAMETER, SETUP, TEARDOWN, PAUSE, PLAY
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:43:xx:xx:xx (Ralink Technology)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.13
Uptime guess: 0.002 days (since Thu Mar  8 19:44:12 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.53 ms 192.168.2.3

NSE: Script Post-scanning.
Initiating NSE at 19:46
Completed NSE at 19:46, 0.00s elapsed
Initiating NSE at 19:46
Completed NSE at 19:46, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.67 seconds
           Raw packets sent: 1026 (45.986KB) | Rcvd: 1014 (41.258KB)

alxponom commented 5 years ago

Hi there. I got a similar device with the ONVIF protocol disabled. I've fixed it by inserting the line "support_onvif = 1" in the file "hwcfg.ini" and restarting the device.
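
An added example, not part of the comment above or of the zsgx1hacks project: one way to apply the "support_onvif = 1" change from the camera's telnet shell so that it can be repeated safely and reverted. It assumes hwcfg.ini is a flat file of "key = value" lines (the thread does not show its contents); set_ini_key is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: idempotently set "key = value" in a flat INI-style file.
# Assumption: one "key = value" pair per line; the real hwcfg.ini layout
# is not shown in the thread. KEY is used as a regex and VALUE as a sed
# replacement, so keep both to plain letters, digits and underscores.

set_ini_key() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # Keep one pristine copy so the change can be reverted later.
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig" || return 1

    tmp="$file.tmp.$$"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        # Key already present (any spacing, any old value): rewrite that line only.
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp" || return 1
    else
        # Key absent: copy the file, terminate an unterminated last line, append.
        cp "$file" "$tmp" || return 1
        [ -z "$(tail -c 1 "$tmp")" ] || echo >> "$tmp"
        echo "$key = $value" >> "$tmp"
    fi

    # Rename over the original so an interrupted write cannot leave a
    # half-written config behind.
    mv "$tmp" "$file"
}

# On the camera (path taken from the /home listing in the first post):
#   set_ini_key /home/hwcfg.ini support_onvif 1 && reboot
# To undo:
#   cp -p /home/hwcfg.ini.orig /home/hwcfg.ini && reboot
```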

Anon0ne commented 4 years ago

What was the telnet login? I cannot get into my cam.

alxponom commented 4 years ago

Try using the following: user: root, password: cxlinux

StevieeG commented 1 year ago

Hey did anyone have http running on port 80 on their camera? We must have a very similar camera, if so anyone get the creds for HTTP web page??

StevieeG commented 1 year ago

> try using following: user: root, password: cxlinux

Hey do you know the creds for the webpage on port 80? Looks like we have the same IP camera but I have port 80 open on mine.