Cheep Chinese Camera

I picked up this 50H10L (HI3518E_50H10L_S39) based cheap POE CCTV style camera as a test for replacing the cameras we use at work to view EUTs (Equipment Under Test). the cameras we normally use are wired CCTV cameras.

The (professionally done) CD comes with a number of applications and PDFs on it…

The one useful set seems to be the Camera CMS Software.

A powerful central control software, distributed architecture, set much window, many customers and language, voice interphone, video conference, grading electronic map, alarm center, compatible with other extended product, single straight even equipment monitoring system and other function as one. Software has the function of electronic map, friendly interface, simple operation, convenient for the permission.

These are photos of the back of the Camera board, and the POE:

Looks like I can directly supply it with power and drop off the POE daughter board.

I am feeding the supplied POE / splitter thing with 12V center Positive from a small bench top PSU, and ran an ethernet cable to the network switch.

I have had a quick look at the camera to see which ports are open:

PORT    STATE SERVICE
23/tcp  open  telnet
80/tcp  open  http
88/tcp  open  kerberos-sec
554/tcp open  rtsp

There seems to be port 8899 open, and something called Sofia running on port 9527

Telnet seems to be on the username root password xmhdipc (thanks to here) for the password, once in its time to have a quick look around, the MOTD banner says “Welcome to Monitor Tech.”

# cat /proc/version
Linux version 3.0.8 ([email protected]) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #150 Mon Jan 5 11:19:45 CST 2015
# cat /proc/cpuinfo
Processor       : ARM926EJ-S rev 5 (v5l)
BogoMIPS        : 218.72
Features        : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant     : 0x0
CPU part        : 0x926
CPU revision    : 5

Hardware        : hi3518
Revision        : 0000
Serial          : 0000000000000000

Looking around the file system, there is a text file called ProductDefinition in /usr/bin with the values for Vendor: General and Hardware: HI3518E_50H10L_S39, however that is not much use when handed to google, in teh root linuxrc is a symlink to bin/busybox

Enough Playing, time to try and use the camera!

Installing Camera CMS Software on my desktop allows me to connect to the camera and change its IP address away from the default of 192.168.1.10 (mine is 192.168.1.8).

You will first need to add a zone (Mine is called Lab 1)

Once you have your zone, you can add a device to it.

Either IP Search, or add the device by its IP addess (the default is 192.168.1.10)

with the device highlighted in the IP Search box, you can click “Edit Device” this allows you to change IP address etc.

Now back to the main screen, and in the left hand area select the zone, and camera, and then you will be able to see the camera feeds. Drag and Drop one of the camera feeds to one of the “screens” in the main body.

Remote Config allows you to make more changes to the camera, select the camera from the left

and you will be given a load of options that you can change 🙂

Now CMS is lovely and all, but it ain’t VLC, the path to get VLC working is add

rtsp://192.168.1.8:554/user=admin&password=&channel=1&stream=0.sdp

in the open network stream.

The camera is a little laggy, but it is not too terrible.

Interesting Security problem…

if you goto [ip address] it rewrites the url to [ip address]/Login.htm now you can type in the username admin password [blank], and login, or if that has been changed, you can type in [ip address]/DVR.htm and get past the login screen.

12 thoughts on “Cheep Chinese Camera”

yeahman
2016-09-16, 08:30

Do you know if you can change the root password?

the web interface access; it is accessible only on your LAN right? is it open to the internet??

Reply
- Skippy Post author
  2016-09-16, 09:10
  
  The web-interface should only be accessible from inside unless you have port forwarded to it across your router.
  
  The root password is set and stored in the read only EPROM
  
  Reply
  - yeahman
    2016-09-16, 09:24
    
    thx for ur reply.
    
    is telnet accessible from the outside?
    Is it a security risk having a root password known by most people lol? it is only if they have access to your LAN right?
    
    Reply
    - Skippy Post author
      2016-09-16, 14:17
      
      Unless you port forward port 23 for telnet and port 80 for http you should not be able to get to either the Telnet port, or the Web admin from outside.
      
      Reply
  - yeahman
    2016-09-16, 09:24
    
    the web interface…that’s port 80 right?
    
    Reply
    - Skippy Post author
      2016-09-16, 14:21
      
      yep, http is port 80, https is port 443
      
      Reply
yeahman
2016-09-16, 08:36

your IP camera is accessible with the Xmeye right?
I am searching for a way to disable access of the camera via the internet. I want to use it only on my LAN.

I went into the CMS software and in settings > netservice > I unticked “cloud” but I can still access the camera via the Xmeye app

Reply
- Skippy Post author
  2016-09-16, 09:11
  
  I haven’t tried the app
  
  Reply
  - yeahman
    2016-09-16, 09:26
    
    I wonder how the app works … it asks for the device serial number and that’s all….
    
    Reply
    - Skippy Post author
      2016-09-16, 14:22
      
      I assume the camera makes a connection to a server outside your network, and the app makes a connection to the same server.
      
      Reply
Juarez Fernando de Souza
2016-11-07, 23:44

I lost my password and can not get it, do you have any idea what to do?

Reply
- Skippy Post author
  2016-11-22, 13:57
  
  xc3511, is quite a common password.
  
  Reply

Interesting Security problem…

Leave a comment Cancel reply

12 thoughts on “Cheep Chinese Camera”