This job has been sat on my desk at work for about 7 months, looking at Amazon it may be one of these (available in black too). After my luck with the last camera, I was hoping to get into this one too.
Yep The CD is standard Chinese quality CD, it contains the normal useless instruction manual, and some other software I doubt I will look at.
The specification of the camera is listed as:
- High Resolution 2.0 Megapixe [sic] 1/3″ CMOS Sensor;
- 1920 X 1080P resolution 25fps real time
- Zoom 2.8-12mm Lens
- Support POE, reduce the trouble of cable arrangement.;
- Support iPhone, Android smart phone;
- Weatherproof IP66
- P2P Cloud Function;
- Support Motion detection, Email Alarm function;
- Support Multi-Language
- Day & Night vision;
- Net weight: 0.5KG;
- Metal Material Shell;
- Simple Operation and Easy to Use
Looking around online I am yet to find any helpful information about it, like who made it, and what the password is for Telnet (I guess it has a telnet port). The username and password for the web interface (as listed on the stickers) is admin/admin. (The model number printed on the sticker doesn’t give any helpful results either when googled as 321PMPVBDW or 32IPMPVBDW, 321 PMPV BDW is some kind of car)
The username and password for the web interface (as listed on the stickers) is admin/admin.
Logging in for the first time, I changed the ip address from the default to DHCP controlled, our router hands it a static IP address now which is banned from seeing the internet. like most cameras from china it will only work in Microsoft Internet Explorer, and even then only after you install some random software (something called IPCOCX_PX.exe (IPCOCX_PX instruction manual)).
While the camera is sold as a POE camera, it is often better where the documentation doesn’t tell you what China means by POE to just use a passive injector set like these from Amazon, as they don’t risk blowing the thing up as much.
From the web interface I managed to get the firmware version number out ‘S2L55M_IMX124_X_6.1.2.4’ and software version ‘6.1.2.4’ the S2L55M relates to an Ambarella product (Ambarella SOC), and the IMX124 relates to the Sony sensor.
Looking back at the Port Scan, I worked through the open ports, port 23 is Telnet, port 80 is HTTPD (web console), port 401 seems to just be a Telnet stream with details of the Alarm Function status (s2l_motionDetect.c), ports 402, 403 looks to be a Telnet stream of debug information, port 404 seems to be status of Ethernet (mine is upset due to not seeing the internet), port 405 seems to be the log relating to accessing heart.freeip.com (it wants to access 52.28.192.128, on port 3478). FreeIP.com looks to be a external access site to connect to your own devices from outside using p2p. Port 3478 is the standard STUN port, and looking at the wikipedia article that kind of makes sense.
March 15, 2017 at 12:35
Do you still need help with your IP camera? I don’t own the exact model, but I can offer some general help on how I got the camera I own under my control.
March 15, 2017 at 12:35
I would very much appreciate any help you could give me 🙂
March 15, 2017 at 12:37
Ok… You will need a USB/RS232-adapter that uses 3.3V signalling. Those can be had on ebay cheaply (For example this one: http://www.ebay.de/itm/201633040820) and are very useful. Then you need to find the serial port on the PCB. On the photos you posted, I can see 2 candidates on the right side of the PCB. If you have a scope, check on which of the contacts you see signals when booting. Then measure the baud rate or just guess (on my camera it’s 38400). For starters just connect GND and RxD so you can watch but don’t inject any signals yet.
Once you can see the boot messages scroll by, you have the right pin and the right baud rate. Quite often you will be dumped into a root shell already. Now you need to find out where to connect TxD to, it should be next to RxD. Then enter ‘busybox’ to see what commands you have. My camera had a full set and that made life easy.
If you don’t get a root shell try CTRL-C. I had to do that with my camera. The process I killed was ‘rtspd’ which also kept a watchdog happy, so after killing it, the camera performed a reset after about a minute. I fixed that by entering ‘rtspd &’. Now that I had a shell, I was able to look around, understand the boot process, notice it kept /etc in RAM and find a way to set the root password to my liking by adding the following line to a start script I could edit:
echo -e "password\npassword" | passwdThis trick might not work for your camera, depending on how it’s set up.
I also found leftover scripts from programming and was able to mount an NFS share from my server on the camera:
mount -t nfs -o intr,nolock,rsize=1024,wsize=1024 : /mnt/nfsHope this helps…
March 15, 2017 at 12:46
My problem is now that I have mounted it on the wall, so access to the serial port is a bit harder, I will definitely do this on the next camera that crosses my desk (I suspect that it will be a Foscam POE HD IP Camera with H.264 FI9821EP), the one I have installed without opening up doesn’t give much away about its internal workings via port scan (port 88 HTTPD, Port 443, and port 888 are open) although I have found the RTSP stream at
rtsp://admin:admin@ipaddress:88/videoMain