btsimonh / 826-x-ip-camera

For the examination of an mipc connected camera
66 stars 11 forks source link

TTHS005 Camera #2

Open stacksjb opened 6 years ago

stacksjb commented 6 years ago

Hello,

Found this repo by way of this post (http://www.openipcam.com/forum/index.php/topic,1429.msg5004.html#msg5004), the site appears to be nonfunctional (couldn't reply).

I have a TaoTronics TT-HS005 camera I picked up on a flash deal at one point. The manual is located here: https://www.taotronics.com/media/downloads/88-20005-181_TT-HS005%20User%20Guide%20(PC)%20-%20V1.1(20170307).pdf

It connects remotely to the "ehawk.taotronics.com" URL, which appears to be identical to the MIPC website (though skinned slightly different), so I believe it is a similar clone.

I'd like to use locally with my camera server, however I can't seem to locate a feed. I found my way to your post after an NMAP showed a similar "Tmrmt_hello" response. NMAP result below:

Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-03 19:16 MDT NSE: Loaded 148 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 19:16 Completed NSE at 19:16, 0.00s elapsed Initiating NSE at 19:16 Completed NSE at 19:16, 0.00s elapsed Initiating ARP Ping Scan at 19:16 Scanning 172.16.0.195 [1 port] Completed ARP Ping Scan at 19:16, 0.01s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 19:16 Completed Parallel DNS resolution of 1 host. at 19:16, 0.00s elapsed Initiating SYN Stealth Scan at 19:16 Scanning 172.16.0.195 [65535 ports] Discovered open port 80/tcp on 172.16.0.195 Discovered open port 8600/tcp on 172.16.0.195 Discovered open port 7010/tcp on 172.16.0.195 Completed SYN Stealth Scan at 19:16, 19.72s elapsed (65535 total ports) Initiating Service scan at 19:16 Scanning 3 services on 172.16.0.195 Service scan Timing: About 33.33% done; ETC: 19:20 (0:02:42 remaining) Service scan Timing: About 66.67% done; ETC: 19:19 (0:01:00 remaining) Completed Service scan at 19:19, 151.24s elapsed (3 services on 1 host) Initiating OS detection (try #1) against 172.16.0.195 Retrying OS detection (try #2) against 172.16.0.195 adjust_timeouts2: packet supposedly had rtt of -1085677 microseconds. Ignoring time. adjust_timeouts2: packet supposedly had rtt of -1085677 microseconds. Ignoring time. Retrying OS detection (try #3) against 172.16.0.195 Retrying OS detection (try #4) against 172.16.0.195 adjust_timeouts2: packet supposedly had rtt of -1225849 microseconds. Ignoring time. adjusttimeouts2: packet supposedly had rtt of -1225849 microseconds. Ignoring time. Retrying OS detection (try #5) against 172.16.0.195 NSE: Script scanning 172.16.0.195. Initiating NSE at 19:19 Completed NSE at 19:19, 0.25s elapsed Initiating NSE at 19:19 Completed NSE at 19:19, 1.07s elapsed Nmap scan report for 172.16.0.195 Host is up (0.0025s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 80/tcp open http? | http-methods: | Supported Methods: GET HEAD POST OPTIONS |_http-title: IPC 7010/tcp open ups-onlinet? 8600/tcp open asterix? | fingerprint-strings: | DNSStatusRequestTCP: | y%2& | Tmrmt_hello | 1jfiegbp5sfdq | DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, Help, NULL, RPCCheck, RTSPRequest: | Tmrmthello | 1jfiegbp5sfdq 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port8600-TCP:V=7.70%I=7%D=7/3%Time=5B3C1FF9%P=x86_64-apple-darwin13.4.0 SF:%r(NULL,6C,"8\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|\xf9\xb5h\0 SF:\0\0\0\xbc\x1c\xc5\xb6\0\0\0\0\xf5\x8f\x05Tmrmt_hello\0\0\0\0\0\0\0\0\0 SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x0e\0\0\0\xe0\x1c\xc5\xb6\0\0\0\x001 SF:jfiegbp5sfdq\n\0\0")%r(GenericLines,6C,"8\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\ SF:0\0\0\0\0\0\0\0|\xf9\xb5h\0\0\0\0\xbc\x1c\xc5\xb6\0\0\0\0\xf5\x8f\x05T SF:mrmt_hello\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x0e\0\0\ SF:0\xe0\x1c\xc5\xb6\0\0\0\x001jfiegbp5sfdq\n\0\0")%r(GetRequest,6C,"8\0\0 SF:\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0z\xf5\x9dc\0\0\0\0@\$\xc5\xb6\ SF:0\0\0\0\xf5\x8f\x05Tmrmt_hello\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\ SF:0\0\0\0\0\0\x0e\0\0\0d\$\xc5\xb6\0\0\0\x001jfiegbp5sfdq\n\0\0")%r(HTTPO SF:ptions,6C,"8\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xa8\?\x98\x0f SF:\0\0\0\0@\$\xc5\xb6\0\0\0\0\xf5\x8f\x05Tmrmt_hello\0\0\0\0\0\0\0\0\0\0\ SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x0e\0\0\0d\$\xc5\xb6\0\0\0\x001jfiegbp5 SF:sfdq\n\0\0")%r(RTSPRequest,6C,"8\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 SF:\0\0\0\x81g(x\0\0\0\x008+\xc5\xb6\0\0\0\0\xf5\x8f\x05Tmrmt_hello\0\0\ SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x0e\0\0\0\+\xc5\xb6\0 SF:\0\0\x001jfiegbp5sfdq\n\0\0")%r(RPCCheck,6C,"8\0\0\0l\0\0\0\0\0\0\0\0\0 SF:\0\0\0\0\0\0\0\0\0\0<\xd4/5\0\0\0\x008+\xc5\xb6\0\0\0\0\xf5\x8f\x05Tmr SF:mt_hello\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x0e\0\0\0\ SF:\+\xc5\xb6\0\0\0\x001jfiegbp5sfdq\n\0\0")%r(DNSVersionBindReqTCP,6C,"8 SF:\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xb7\$\xccV\0\0\0\x008+\x SF:c5\xb6\0\0\0\0\xf5\x8f\x05Tmrmt_hello\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 SF:\0\0\0\0\0\0\0\0\0\x0e\0\0\0\+\xc5\xb6\0\0\0\x001jfiegbp5sfdq\n\0\0") SF:%r(DNSStatusRequestTCP,6C,"8\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 SF:\0y%2&\0\0\0\0\xc4\x07\xc5\xb6\0\0\0\0\xf5\x8f\x05Tmrmt_hello\0\0\0\0\0 SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x0e\0\0\0\xe8\x07\xc5\xb6\0\ SF:0\0\x001jfiegbp5sfdq\n\0\0")%r(Help,6C,"8\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\ SF:0\0\0\0\0\0\0\0\x1b\x85\xc0y\0\0\0\0\xc4\x07\xc5\xb6\0\0\0\0\xf5\x8f\x0 SF:5Tmrmt_hello\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x0e\0\ SF:0\0\xe8\x07\xc5\xb6\0\0\0\x001jfiegbp5sfdq\n\0\0"); MAC Address: AE:CA:05:FE:91:47 (Unknown) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.70%E=4%D=7/3%OT=80%CT=1%CU=34710%PV=Y%DS=1%DC=D%G=Y%M=AECA05%TM OS:=5B3C2099%P=x86_64-apple-darwin13.4.0)SEQ(SP=104%GCD=1%ISR=10B%TI=Z%CI=Z OS:%II=I%TS=U)SEQ(CI=Z%II=I%TS=U)SEQ(CI=Z%II=I)OPS(O1=M582NNSNW2%O2=M582NNS OS:NW2%O3=M582NW2%O4=M582NNSNW2%O5=M582NNSNW2%O6=M582NNS)WIN(W1=3714%W2=371 OS:4%W3=3714%W4=3714%W5=3714%W6=3714)ECN(R=Y%DF=Y%T=40%W=3714%O=M582NNSNW2% OS:CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y OS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%R OS:D=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0% OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPC OS:K=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

NSE: Script Post-scanning. Initiating NSE at 19:19 Completed NSE at 19:19, 0.00s elapsed Initiating NSE at 19:19 Completed NSE at 19:19, 0.00s elapsed Read data files from: /usr/local/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 188.81 seconds Raw packets sent: 66075 (2.911MB) | Rcvd: 65974 (2.642MB)`

In the WebGUI, there are two versions listed, neither which match up with the uploads you provided. It appears to be running a slightly different version - I've tried uploading the ones on this site to no avail.

image

Are there upgrade.sh files I can copy to an SD card, can I modify the upgrade files, or any potential suggestions? I'm happy to pop it open and JTAG it if that's the next steps (done plenty of similar cracking of models; in the past I would unlock Vonage boxes for usage with FreePBX/Asterisk via serial console :))

btsimonh commented 6 years ago

yes, it does look very similar.... if not identical. Does it offer an upgrade at the moment from the UI? I got my upgrade file by adding tcpdump on my main router, and dumping TCP packets whilst asking for the upgrade; this gave the URL of the upgrade file.... you may only get one shot at this, so pull the lan as soon as you see the download commence. If not, I did get the impression that there should be a way to 'reset to factory defaults' which may remove any upgrade applied, but have not yet been successful.

I HAVE re-created the web login process and obtained RTSP and RTMP urls for video (by reverse engineering the local javascript web API). However, the URL is random and different for each session (their 'security'). I have successfully run flv.js based decoding in a browser. (this work was done as a Node-Red flow in Javascript; now added to repo).

In terms of 'breaking in', uboot serial is your easiest option. The serial connections are easily seen in the pictures; i didn't even solder to them :).
The readme in https://github.com/btsimonh/826-x-ip-camera/tree/master/reference tells you how to extract the complete firmware to SD card, and then convert to a file in PC. Split according to the linux bootlog. From there, you need to extract both the root filesystem and the jffs2 partition. this will give you sizes and checksums of the original tar file referenced in the upgrade file. BUT... so far, I did not manage to create an upgrade file which did not contain a 'patch', so if you don't have an upgrade file, you may not be able to persuade it to run the script :(.

An alternative way to 'break in' without an upgrade file is to modify the jffs2. But note their JFFS2 does not support some modern options (very small mods which fit within the latest page MAY work, or find an older, compatible, JFFS2 implementation). If you can modify the jffs2, you are done.

(the upgrade hacks zips contain the original and modified scripts; in the filesystem the modified script lives at /devdata/dev_init.sh)

Please let me know how you get on, so we can update here for others.

P.S. be careful working with SD cards - it seems to like to format them with it's own FS, as yet not recognised, if the SD card is not that FS. The Uboot seems to have SD support, and you can mount an SD in linux (maybe only if you kill their app?).

btsimonh commented 6 years ago

ok, additional info. IF you find /dev_data/ipc_pack_diff in your JFFS2 filesystem, then that IS the upgrade file, and so can be extracted and modified.... and re-applied through the web interface.

Lexridge commented 6 years ago

Since this thing is apparently running Linux, the manufacturer SHOULD be supplying the source for it. I would love to get this camera to provide a RTSP stream for Linux Motion, but the security issues are most important first, obviously. It would be super nice to figure out a way to add a custom kernel and get rid of the proprietary SD format and use ext4 instead.

Keep up the good work and thanks!

btsimonh commented 6 years ago

quite a lot of the functionality is inside their monolithic executable. The chip SDK has some samples which could be built and run instead; the other opportunity is to find a camera with a 'better' executable which runs the same chipset (and sensor?), and transplant. Getting to a std SD format would be nice (or at least preventing format) - then we would be able to use the SD card as the boot device (or at least the application store). (maybe we can just mount the SD card before app start - this may then prevent it from mounting and formatting it?) The kernel is the std kernel from the SDK, and all source is available :). But it's the application which makes it do 'camera' things. Another use for this hardware could be a custom camera robot - I read that the common 'Spy' robots are based on IP CCTV chipsets with the PTZ driving the motors; I'm tempted to add processes to talk to an arduino over serial, routing this to network to add additional sensors and motor control.

Phil-Rei commented 6 years ago

Hi, I have the same Camera but from a different brand named KAMTRON (there seems to be a lot different brands like MAISI and PANNOVO). The Model is 826 (not 826-X) and the Softwareversion is the same (v3.4.1.1604071109). I've already done some research on my own.

Searching for RTSP I found a way to get the current Picture as JPG.

http://**local-ip-or-hostname**/ccm/ccm_pic_get.jpg?hfrom_handle=887330&dsess=1&dsess_nid=**NON-STATIC-SESSION-ID**&dsess_sn=**SERIALNUMBER**&dtoken=p0_xxxxxxxxxx

Can you post the RTSP URL or does the Firmware need to be modificated?

Another thing I've noticed is, that the login-password is encrypted to a HEX string using the public available CryptoJS Library (functions are in core.js -> CryptoJS.enc.Hex.stringify and CryptoJS.enc.Hex.parse)

http://**local-ip-or-hostname**/ccm/cacs_login_req.js?hfrom_handle=653862&dlid=0xe&dnid=MMj86%5fVKY3VLg%2ehgp32mL%2e5BAWEOgQI&duser=**SERIALNUMBER**&dpass=**PASSWORDHEXENCRYPTED**&dsession_req=1&dparam__x_countz_=1&dparam=1&dparam_name=spv&dparam_value=v1

I'm not good at javascript, but to someone who is, it seems to be easy to decrypt the camera's password from the captured url.

I've also noticed, that the SessionID maybe expires after some time, as i was able to get the jpg picture with two different (recent) SessionIDs. But a very old one didn't work.

btsimonh commented 6 years ago

Hi Phil, yes, the session ID is given at login, and the URLs for pictures and video vary accordingly :(. So basically, you can't hook some software up which needs a statically configured RSTP address. Best we could probably do is write a script or program for the local linux, and proxy a URL (maybe on another port) to the dynamic URL - i.e. have the program run at boot, to login to itself, obtain an RTSP stream address, and then proxy that address..... repeat as required.... Obtaining the various IDs was a right pain, and is at the moment only embodied on the node-red flow I created to do so. Using this, I can get video in my browser :). i.e. complete the login process and get the credentials required to then ask for video and get a dynamic URL, pass that to the browser (and use some dodgy player to play...). s

Phil-Rei commented 6 years ago

Wow, that was a quick reply. your idea using a proxy sounds good. If nginx is running this should be possible. But if you have access to the filesystem, why don't just modify the javascript to ignore the Session ID?

Obtaining the session ID is no pain for me. Just use your Browser's Tool

Vivaldi: image

IE11: image

I don't need the rstp stream for a fancy surveillance software. VLC would be fine to me. So Maybe I can write a small program, which logs into the camera and then steals the session id. Then it creates a playlist and starts VLC.

Can you maybe give me the URL of the rstp stream, like in my example with getting the jpg image. So I can see if I'm also able to stream a video.

btsimonh commented 6 years ago

example: rtmp://192.168.1.173:7010/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ example RTSP: rtsp://192.168.1.173:7020/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ

The JCWJXJQCIPOJ bit changes sometimes. Although trying now, re-logging on to the camera seems to give the same URL; so not sure what prompts it to change. Of course, in the browser you should be able to see this in debug - it will use it to set the URL on the player object? 👍 image

Although if you need RTSP, you may need to ask for it.... the default local camera http seems to ask for RTMP:.

Phil-Rei commented 6 years ago

Thank you. Now I got RTMP to work. RTSP doesn't work, port 7030 is not open on the device. But for me it doesn't matter as long one protocol works.

So in this URL there is another unique/temporary ID different from the sess_nid. I'm sure it will change after rebooting the device.

I can't understand why they don't support rtmp://username:password@ip:7010/live/...

This would be a great feature for the camera and won't be a security issue, since there's still an authentication (yes I know the password is plain text, but It's my own network).

So I'm still thinking about how to get or bypass this ID.

Phil-Rei commented 6 years ago

P.S. be careful working with SD cards - it seems to like to format them with it's own FS, as yet not recognised, if the SD card is not that FS. The Uboot seems to have SD support, and you can mount an SD in linux (maybe only if you kill their app?).

There is a Tool to Export Data from the SD-Card http://us10.mipcm.com:2080/pub/windows/sdtool/v5.7.1.1807031100/windows_sdtool_v5.7.1.1807031100.exe

It seems the export.min.js decrypts the contents of the sd-card useing also the CryptoJS Library

btsimonh commented 6 years ago

ohh.. good find. interesting a google search of v5.7.1.1807031100 gives a set of companies who use this.... And the extraction provides all the mlib. libraries that I had to reverse engineer last time!. They are the keys to logging... a key exchange is done, and a shared secret kept.

Lexridge commented 6 years ago

I am using Fedora Linux and both Firefox and Chrome to access the camera directly. I get the interface, but when I hit play, I only get a black screen. I suspect this is why I am not able to retrieve the ccm_play.js in debugging. Are you accessing the camera's http via Windows or Linux?

BTW, this unit just updated to v5.1.8.1807231703.

EDIT: Just tried from Windows 7 in VirtualBox. It prompted me to install the mme plugin. I did. Now in windows (just as in linux), I get the initial photo with play button, but still only black screen once pressed. Weird!

Lexridge commented 6 years ago

I also just noticed the GUI now allows one to upload the update manually. I wonder if the fw needs to be signed before it will accept it? If not, could be an easy way to make changes to the fw before updating it. Perhaps it was always there and I just never noticed before.

btsimonh commented 6 years ago

hi Lexridge, if your based version is 4.6.2.1706161621, then the upgrade hack file should take with the manual upgrade method. Would be good to get the url to the v5.1.8.1807231703 upgrade file - I did this using TCPDump on my router to see the traffic.... if you do manage to get this, let me know. I'm on windows, and in the original UI, the video seems always flash based, so if you can enable flash, the original UI may work; else I have had it working with my Node-Red flow and flv.js (RTMP). Also, there is also a RTSP stream. just a pain that the URL changes.... (P.S. just looked at my cam to see if it's offering an upgrade; but of course it is not because it can;t see the internet any more!).

btsimonh commented 6 years ago

the new upgrade patch is http://209.133.212.170.2080/version/ipc/gm8136/v5.1.6.1804251402/ipc_pack_patch_from_v4.6.2.1706161621.rtl8188fu_to_v5.1.6.1804251402.rtl8188fu.bin I have not yet made a modified upgrade file from this.

btsimonh commented 6 years ago

@Lexridge - 'I wonder if the fw needs to be signed before it will accept it?' - read the upgradefileformat part of the wiki - yes, it's easy to modify the script which is run at boot via modifying the upgrade file. The upgrade file is CRCed, but easily spoofed. Updating the actual firmware (the programs it runs) is much more difficult, because the upgrade file is a difference between two tar files, and the difference method is yet to be established. But, once you have broken in, you could compile, install, and run your own software easily. I've pulled the later version, and the script it contains is identical to the last version, so the modification method will work with this version; just cut and paste the script from the one I did, re-calculate the CRC, and you are done.

jfoclpf commented 4 years ago

@Phil-Rei do you confirm that this still works?

http://local-ip-or-hostname/ccm/cacs_login_req.js?hfrom_handle=653862&dlid=0xe&dnid=MMj86%5fVKY3VLg%2ehgp32mL%2e5BAWEOgQI&duser=SERIALNUMBER&dpass=PASSWORDHEXENCRYPTED&dsession_req=1&dparam__x_countz_=1&dparam=1&dparam_name=spv&dparam_value=v1

Phil-Rei commented 4 years ago

I no longer have the camera and therefore cannot test it, sorry. But I was never able to get a static link for a video or picture.

btsimonh commented 4 years ago

you could have a look at my hacked about node-red flow, which operated various interfaces of the camera, including I think getting a URL. It's in the repo. (if you are not familiar with node-red, it's a visual javascript programming tool, so the code I've written is plain old JS, just split up into blocks....).

jfoclpf commented 4 years ago

I know node well, the question is how to get that specific url.

btsimonh commented 4 years ago

it's been a long time since I worked on the camera :). If you have the time, then fire up node-red, and examine the flow; it's a very 'developmenty' flow, and may need 'require:require' in the settings.js of node-red to operate. From memory, you have to login to the camera to get a valid session, and then you can ask it for a url for video or pictures. I paused looking at it because it's video was not exactly 'standard', and so decoding in node was a pain - (I wanted to go into opencv4node).

1knueller commented 4 years ago

I can confirm that the jpg image get still works. made a firmware update today

http://192.168.0.160/ccm/ccm_pic_get.jpg?hfrom_handle=887330&dsess=1&dsess_nid=**SESSIONID**&dsess_sn=**SERIALNUMBER**&dtoken=p0_xxxxxxxxxx

thanks alot everyone

mike96ca commented 4 years ago

I can confirm that the jpg image get still works. made a firmware update today

http://192.168.0.160/ccm/ccm_pic_get.jpg?hfrom_handle=887330&dsess=1&dsess_nid=**SESSIONID**&dsess_sn=**SERIALNUMBER**&dtoken=p0_xxxxxxxxxx

thanks alot everyone

I guess there is no way to obtain any static address? I ask because I plan to use the JPG URL in iSpy software to capture and record from the 826 camera for surveillance purposes.

btsimonh commented 4 years ago

i don't think so. A small node server which generates the address and serves the image on a static address was my solution.

belveder79 commented 3 years ago

Just to bump this discussion and as reference for someone still playing around with this - and to pay homage to @btsimonh again 👍 - as he mentioned there is a way to get the same static address and to get RTSP, but it requires a detour...

I installed this aler9/rtsp-simple-server as a docker container with exposed ports (I refer to that as server part in the following), which runs permanently and is bored most of the time, and I have ffmpeg installed.

I created a function node, which grabs the rtmp:// address from the ccm.play_info property. This one is fed into a custom exec node, which essentially does an ffmpeg <insert rtmp here as msg.payload> -c copy -f rtsp rtsp://<ip>:<port>/myroom where ip and port are the IP and exposed port of the machine running the server docker container. As a result, you can consume the stream with rtsp prefix under the same URI, i.e. rtsp://<ip>:<port>/myroom.

The ffmpeg and restreaming server part is causing no CPU load basically (4% on my powersave governed DietPi RPi Zero W), as they are just forwarding network packets mostly, so that is not a huge issue (I mean compared to copying individual pixels in a NodeRed image view, for example). The question is, what is the intended way to use all of this and how to leverage the behaviour of the exec node waiting for termination (or to better spawn a separate process).

One could run ffmpeg without the server part. ffmpeg will wait for the client to connect and will automatically terminate once the client disconnects - if the exec node waits for termination, the benefit is that you can restart everything once NodeRed gets aware of the node being terminated, but ffmpeg will be running as part of NodeRed. Obviously you won't get notice of a separate background process terminating (unless you do some bash script hacking to touch a file and do periodic checks on its timestamp or whatever). I can live with ffmpeg running as part of NodeRed, and I prefer using the server part, as it (a) enables streaming to multiple clients, (b) decouples the ffmpeg part from any client, and (c) it is still safe to have the exec node wait for termination, as I can respawn the stream then any time I get notice about the termination.

PS: the reason I came across all of this is that I installed some quite nice software for MacOS, GlanceCam, and while it worked out of the box for my other two webcams (a rather old Hootoo and an ESP32-Cam module), the Yatwin was not working and, seriously, I did not find any software that was working except IPCamViewer for Android or iOS.

belveder79 commented 3 years ago

so another finding is that you should run ffmpeg with -loglevel quiet -nostats flags, as the stats kills the exec node over time otherwise (buffer overrun)