Hacking Around With Network Cameras
I was recently given 3 rather locked-down network cameras. Each camera was pre-programmed to communicate with a specific website, and only attach to a predefined wireless access point. Naturally, there was no supplied username or password.
I thought about how I might get access. Using a man-in-the-middle attack to sniff the password, or trying to dump the firmware and examine that. Sadly, all the vulnerabilities previously reported no longer work. After a little bit of thought, I went for decided low-tech solution; I hit the reset button! Yes, each camera had a recessed switch, accessible only with a paperclip, which reset the device to factory settings after holding it down for 10 seconds.
Anyway, this is my voyage of discovery with the three cameras. They are:
-
RC8221
- a basic internal camera.
-
OC821D
- an external camera with weatherproof features.
-
RC8230
- a pan/tilt camera.
All of them are manufactured by Taiwanese OEM Sercomm. Annoyingly, Sercomm don't have any customer services. They mostly resell the cameras to Linksys, Cisco, Xanboo.
SerComm don't offer any firmware, GPL downloads, or much information about the cameras - so it's all very much trial and error.
Defaults
After resetting the cameras, they'll happily attach up to any wired network via the Ethernet port. Visit the IP address assigned by DHCP and you'll get to the admin panel. The default username is "administrator" - there is no password set. You can now go and fiddle with all the settings.
High Resolution Mode
The cameras are meant to be able to record at 720p - yet the user interface doesn't seem to allow it.
Luckily, the API allows us to force the resolution.
http://192.168.0.42/adm/set_group.cgi?group=H264&resolution=4
http://192.168.0.42/adm/set_group.cgi?group=JPEG&resolution=4
Wait! What? API?!
Oh yes, all the cameras come with a variety of commands which can be controlled by simple a HTTP GET request.
Discovering The API
As I said previously, Sercomm provides no documentation. Luckily, their resellers do! EyeSpy247 have the admin manual for the RC8221. Use-IP have the admin manual for the OC821D. I haven't yet found a manual for the RC8230 - but it uses most of the same API commands. The only main addition is the ability to move the camera via its pan/tile functionality. After a bit of digging, I found a discussion on how to activate this functionality.
Up:
http://192.168.0.42/pt/ptctrl.cgi?mv=U,10
Down:
http://192.168.0.42/pt/ptctrl.cgi?mv=D,10
Left:
http://192.168.0.42/pt/ptctrl.cgi?mv=L,11
Right:
http://192.168.0.42/pt/ptctrl.cgi?mv=R,11
The manuals give all sorts of instructions, how to view video streams, get photos, set and get various options. There are, sadly, some omissions.
Sending Sounds
One of the tasks I wanted to accomplish was to make the cameras play some of the turret sounds from the video game "Portal". This is proving tricky, despite the manual's promises to the contrary.
It should be possible to POST an audio file to the cameras, either in G.726, or G.711 (a-law or u-law). Despite creating the audio files correctly, and POSTing them to the cameras - they make not a peep!
curl -vv --data-binary @alaw8k.wav http://user:pass@192.168.0.42/img/g711a.cgi
curl -vv -X POST -d @alaw8k.wav http://user:pass@192.168.0.42/img/g711a.cgi --header "Content-Type:audio/x-wav"
I get a 200 OK, and the volume is set on the camera. Most vexing!
If you think you can help, please leave an answer on StackOverflow.
Arming - or lack thereof
With my other cameras, I can send a command to arm or disarm. I don't need the motion detection to send me emails every second of the day - only when I'm out of the house.
Looking at the source code of one of the pages, it looks like it's possible to POST some data to /adm/file.cgi - but it's not clearly documented which parameters are required. It will take me some time to work through the tangled nest of JavaScript.
The cameras will send video when they detect motion - although getting this to work isn't at all obvious.
Firstly, the password is hard-coded to be a maximum of 16 characters. If your password is "StarTrekIntoDarkness1" you're out of luck.
Secondly, the "Test the Server" button doesn't actually work. It randomly gave me errors about not being able to reach the server. I struggled for hours until I discovered that the error messages were lying to me! If you enter the details correctly, and the camera has access to the Internet, it should just work.
That said, once enabled, it will happily send emails with large video attachments to you.
Video Audio
All the cameras have microphones, and all do audio triggering (sending an alert when noise levels rise). Yet none of the cameras would embed audio in with the video. When streaming over RTSP, it was possible to pick up audio from the microphone. Lowish quality, 8kHz, mono - but better than nothing. Again, if anyone knows how to get the alert videos to include audio, please let me know!
Motion Detection
Setting the motion detection area is very useful. You might want to ignore movement on the floor if you have a pet, or concentrate on a door handle. Sadly, with these cameras, you have to use IE6 or greater to set the detection area.
You can try and use the API to set areas - but without being able to see the area in question, it's an exercise in frustration.
For my needs, having full screen video detection is fine. I may have to borrow a Windows machine if that changes.
Open Source
Each camera has an embedded Open Source page at /adm/Licenses.txt which includes all the text of the relevant GPL etc.
All three cameras have the following Open Source components: Davicom Ethernet driver Linux kernel 2.6.18 wireless_tools 26 busybox 1.16.0 dhcpcd 1.3.22-pl1 ez-ipupdate 3.0.11b7 iptables 1.3.4 ppp 2.4.1 cron daemon samba client 3.06 glibc 2.8 alsa-lib-1.0.16 wpa_supplicant 0.4.5 NTP thttpd-2.25b
Interesting to note that BusyBox is an unstable release version from 2010, thhtpd supports IPv6 even though the cameras don't appear to. wpa_supplicant is ancient - that may explain why it can't cope with SSIDs with spaces in them. I presume it's the hardware which won't scan the 5GHz range. The Linux kernel is from 2006 - that's common enough in embedded systems, but I do wonder if it presents a security risk.
Security
The cameras offer an SSL connection. However, the certificate is self signed and uses MD5 with 1024 bits. Basically, a security signing which was advised against in 2010.
There's no way to replace the certificate without replacing the firmware. If you are willing to trust it, the connection is secured via SSL.
Assuming you can confirm the certificate is correct, the encryption should be sufficient to stop anyone but the NSA peeking through your cameras.
That said, the RTSP channel isn't protected by SSL. You can give a username/password, set time of day access, and restrict to specific IP addresses - but the video is transmitted in the clear.
For now, I'm keeping my cameras on my LAN with no external access to them.
What Next
At the moment, I've set the cameras up, but I'm not actively monitoring them - it's just too much work to switch each of them on when I leave for work.
So, if you can help....
- How do I send sound to the cameras?
- How do I get audio with the video alerts?
- How do I arm the cameras via the API?
YHDO Security Camera Review
Smart Lights - Dumb Decisions
The (Connected) House Of Horrors
Radio 4 IoT Talk
Telnet and Root on the Sercomm iCamera2
James says:
Thanks again.
Victor Marquez says:
oops says:
peter says:
compguy65 says:
Peeter Indrek Solnask says:
Tomi says:
I too have a RC8221 which was locked to my service provider (Elisa in Finland). Factory reset went ok, and I got to the admin panel.
Unfortunately administrator as username (password empty) doesn't work. Is it possible, that credentials might be hard coded or flashed in firmware?
Do you have any hints to give how to solve this problem?
Cheers!
Tomi from Helsinki, Finland
Brian says:
I also have a RC8221 and password empty doesn't work for me!
Do you find any kind of solution for this problem?
Jan
Mitch Brewer says:
UN: administrator
PW: password
*NOTE: The password shouldn't, nor in my experience has never been defaulted as with these models.
Hope this helps if the answer has not already been posted by now.
Veritas Acerbum says:
Tom says:
Do you have any idea as to how to set the fixed IP address pf the Xanboo cameras?
Anne newland says:
james says:
Volya 🙂
Diego says:
anna says:
Adam Smith says:
thanks for the great blog and very helpful information on this particular topic.
regards,
-=Adam
Might be worth trying it with your ISP's SMTP servers. If that doesn't work - it looks like you're out of luck. Sorry.
Terence
But my next question is, what is the url to post to trigger an http event?
Jas says:
Terence Eden says:
GMail is slightly tricky to set up on these cameras. They don't support the modern security standards which Google demands. It *is* possible - but you'll need to set up your Google account to be less secure.
Although, in the time since I posted and now I've gone beyond just emailing when the camera sees motion. I'm adding zigbee sensor triggers and triggering the camera that way as well.
Eventually, I'll add camera streaming as well, partly because the firmware on my cameras is old, and partly because I want to see if I can make my own home security system based on a Raspberry Pi and Java. I can find others true but I want to write my own completely open source.
But to answer your question;
https://github.com/djr4488/camera-notifier
Y C says:
All I did was to put the full URL in the URL field in the HTTP(S) notification.
Danny says:
Danny says:
So there are a few more steps that involve using the swagger interface(only UI I have for the moment.
Hopefully that readme will help, if not let me know.
Bittoo says:
Anne newland says:
Johnny says:
Johnny says:
You don't tell us the model of your camera. The RC82390D defaults to 192.168.0.99 when it is reset. The default UserId is "administrator" and password is "" (i.e., none).
I assigned a fixed IP address at 192.168.0.10 and put an ethernet cable between the PC and the 8230. Entered 192.168.0.99 into the browser's URL and VOILA, I had the camera! From there, I could program the proper network and the wireless picked it right up!
I found the manual as an attachment to the FCC listing!!!
https://fccid.io/document.php?id=1687444
Anne newland says:
Index of /
mode links bytes last-changed name
dr-x 7 97 Feb 22 2008 ./
I've been unable to get any kind of info on this model camera. If anyone has any suggestions ?
Anne newland says:
Index of /adm/
mode links bytes last-changed name
dr-x 2 326 Feb 22 2008 ./
dr-x 2 326 Feb 22 2008 ./
dr-x 2 326 Feb 22 2008 ./
Still trying!
Anne newland says:
Anne newland says:
Anne newland says:
Try the following address:
http:///adm/file.cgi?next_file=system.htm
Rather than:
http:///adm/
As the second one is just a directory page with a green background.
The video page for my RC8030 is:
"/img/main.cgi?next_file=main.htm"
Which should have some buttons you can use for PTZ.
http://192.168.1.100/adm/file.cgi?next_file=system.htm
Which is where yours should be located given the correct IP address.
Anne newland says:
When I go to 192.168.1.7/img/main.cgi?next_file=main.htm, same thing.
However when I try http://192.168.1.7/adm/sysinfo.cgi, I get: Firmware Version: V1.0.13 Serial Number:***
I've looked at the manuals above for the cameras that seem similar, but most of the API commands don't seem to accomplish anything so far. Maybe my camera is too early a model and/or just doesn't have an admin panel?
I keep trying when I have some free time!
When I got my camera out of storage (3 years) the panel was buggy until I reset to factory defaults. I'm not sure if resetting will resolve the issue you're having but if it's a similar issue it might. Here is the API command that works for me, since you can't access the panel to do it.
http://192.168.1.7/adm/file.cgi?this_file=password.htm&next_file=password.htm&todo=reset
If most of the API still works you could probably just download a local copy of the panel.
Anne newland says:
"Camera's config file has been reset. Camera will restart and IP address maybe change .Please use the Windows utility to locate the camera and configure it correctly for your environment.Please close this Browser window and wait for a moment."
No sure how I would download a local copy of the panel, though, any hints?
Also I use either an old iPhone, an old iPad, and an old Mac PowerBook. I might have to borrow a pc and see if I could find this Windows utility that is mentioned. I did see something somewhere, hope I bookmarked it, about downloading something for this camera or one similar.
Hope I get some time to try this out!
Thanks so much!
Since the API is the same it should work if every command was sent to the correct IP address. I'm guessing the Windows utility is used to find the dynamically given IP address or an actual tool used to access your camera. If your camera isn't using a static IP you can check your router for the new local IP (if it was given one).
Anne newland says:
Johnny G says:
Craig Comstock says:
Craig Comstock says:
I realize that this post has been dead for a while now, but I wanted to let you know that I've got an RC8221 (Lowe's Iris model, aquired second-hand with no software or documentation) that had me confounded on configuring. I decided to go for an approach that I haven't seen before - hardware. I pulled the Flash chip, dumped it, broke it into its MTD partitions, and acquired the login credentials as well as a complete filesystem dump. I've also found that there's a factory "update" mode and it forces the camera to Ethernet IP 192.168.0.99 (and starts a webserver) for uploading firmware images, easily triggered with no additional tools - unfortunately, not a raw image, must have some form of header that I don't yet know... The username on my Lowes device is 'alertme' (makes sense, since the Iris hub is rebranded AlertMe hardware) and the password is a fairly random string, however it is stored plaintext in the firmware in two locations. I'm fairly confident that the same is true of ALL RC8221 cameras, due to its structure and placement, and I'm also confident (based upon the filesystem and config partitions storing the same password) that it's NOT encoded per-camera, more likely per-rebranding.
To replicate my attempts, you'll need soldering skill, a Bus Pirate (hardware) and Flashrom (software), a serial terminal program (putty/minicom/etc) as well as a hex editor or Linux knowledge. I'd be willing to trade - my knowledge on how to do this for a dump of someone's non-Lowes firmware....of course, if someone asks, I'd be more than willing to share my knowledge without the trade.
Using a hex editor, I was able to change the streams that're enabled, their default settings, resolutions, framerates, etc...as well as making WPS work to set up wireless. Also, to the original content creator here - the speaker output seems to be turned off by default in the firmware via config entry, which I switched on...haven't tested its functionality, but if you're interested in conversing I'll give it a shot..
My biggest frustration, though, is that the Lowes Iris firmware has stripped out the Web UI in its entirity! There is NO web config here, unless I'm just doing it wrong. This is why I need a copy of someone's firmware or temporary access to their device - I'm confident I can toss it on this device to fix that.
If anyone still has an RC8221 and the required equipment (or would be willing to send it to me for a few days) I'd like to collaborate on unlocking my device further, or just share the knowledge of course. I have no blog of my own, and don't care to start one for a single post about an outdated device. Comment here and we'll figure out a way to talk.
What I need, ideally - I'm especially interested if you have any of the following;
A firmware dump of someone's non-Lowes RC8221
Physical access to someone's non-Lowes RC8221
Someone who has the right tools, and a non-Lowes RC8221
A firmware update file from ANY Sercomm device, ideally an RC8221
Thanks for taking the time to read this.
Charles says:
I am willing to pay, trade and help anyone here. I could just give up these cameras and move to the next model. or we can work on them.
1. Can you share the administrator id and Lowes passcode for these device.
2. Can you explain how to flash or upload new firmware that would give me the UI interface or point to Eyespy247.com service.
you can email me directly at CharlesEscutia@me.com if you would prefer.
I think hacking into these cameras and using a firmware and the open source coding from Smarthings could get these working.
Jeremy says:
Would you mind sharing the password that you mention in this post? I have a couple Lowe's Iris Branded cameras and would like to try the password that you see in the firmware on my cameras, but I don't have the time or knowhow to pull the firmware from the flash chip like you've done.
I looked around a bit, in case you posted it already, but I couldn't find it.
Thank you
Jeremy says:
You can email me at jdub615@happy at last.us (no spaces) you can also try jdub615@williamsfam dot comcastbiz dot net if that doesn't work for some reason.
Pete Klick says:
Danin says:
Pete - sorry for the late reply. I'm glad the post was helpful. The bottom line is, using a hardware flasher to "upgrade" the firmware is a bit tedious and beyond most people's abilities; if you don't understand what was said, you'll want to have someone who does handle it.
If you're willing to send it to me for the process, all I ask is that you pay postage both ways. My time isn't particularly valuable to me, I won't ask for you to pay for me to do the modification. I just enjoy playing around with these things. You can reach me at DaninFuchs (at) gmail (dot) com - we can discuss things in more detail there, not really comfortable posting my name and address in a public location such as this.
flo says:
I own a RC8221 and the default login is: admin / admin!
a few question:
1) I have not found any options about motion capture, or send an email when move is detect, does this camera have this option?
2) Is there any android app to view the stream? which?
thanks!
1) It appears that some options are removed in some rebrandings. If you don't show those options, it may be that your rebranded firmware has that feature removed. Do you know the origin of this camera? (Lowes Iris, Eyespy247, etc..) That'll help people figure out how to help you.
2) That depends which streams are enabled. My camera defaulted to a video-only MPEG-4 stream, and two video-only H264 streams - after reconfiguring it, it now has a video-only MJPEG stream, an MPEG-4 video stream with audio, and an H264 video-only stream. You'll need to know which streams are enabled, and find an app on Android that supports it - I know that with the Firefox browser you can just point right at the MJPEG stream and not even need an app, but there are likely other - better - solutions out there. If you aren't sure how to determine what streams are enabled, I'll do what I can to help you figure that out.
flo says:
So, I won this camera through a swiss security company: http://www.my-serenity.ch/en/product/ipcam-hd-journuit-pir/
But I dont' want to use it throug their web interface, I want to control all the process in my own network.
The camera has a web interface with some options, but nothing for motion capture or smtp send option
I'll leave the URLs I found for my camera's current config - try pointing firefox at the http:// ones, and VLC or MPC or some such program at the rtsp:// ones..if they work, try to find an Android app that lists the protocol for that URL. The first two .sav files can be suffixed with '?channel=2' (or 0 or 1 or whatever else, for how many streams your camera supports at once. Typically 0 thru 2)
rtsp://192.168.0.196:554/img/media.sav - MPEG4, 15fps, audio (corrupt with different codec)
rtsp://192.168.0.196:554/img/video.sav - MPEG4, 15fps, no audio
rtsp://192.168.0.196:554/img/audio.sav - No video, audio only
http://192.168.0.196/img/video.h264 - 1280x720 (H264)
http://192.168.0.196/img/snapshot.cgi?size=3&quality=(5...1) - 640x480 (JPEG)
http://192.168.0.196/img/snapshot.cgi?size=4 - 1280x720 (JPEG)
http://192.168.0.196/img/video.mjpeg (MJPEG)
http://192.168.0.196/img/mjpeg.htm (MJPEG)
http://192.168.0.196/img/mjpeg.cgi (MJPEG)
casiean says:
On a related note, why do you need this dump? I have a manually extracted dump, but my system seems to be somewhat stripped down - if you're interested I can share it with you. Myself, I'm hoping to de-strip my own camera.
Pedro says:
Jim B says:
Jim B says:
Antoine Ingram says:
Jim B says:
Antoine Ingram says:
krytos says:
Michael says:
I don't reckon anyone has leveraged these and made it work
1. I reset it
2. tried the IP directly (just got a 404)
3. tried the ip /adm (after much reviewing this site) and I actually did (twice) get prompted for the user name and password. I tried administrator with no password but didn't work.
4. I was going to try to reset and get it connected super fast in case it was autochanging, but ever since I reset it again.. the website never prompts me for a password (wondering if somehow my PC cached it , so going to reboot
5. I have a separate router, which I am setting up for my laptop and this camera so it has NO way to get to the internet to change anything, maybe that will work. The router will have DHCP enabled.
I am super hopeful as I have 6 of these and 4 of the OC810 ADT cameras and am forgoing ADT (cost too much) for our local security + I want to self monitor these cameras with iSpy
Reset made it work for iSpy.. but wireless is my next goal
Thanks!!
Michael says:
Clearly the reset did work and the username is Administrator and the password is blank.
However the URL is invalid (I thought I was getting 401, it was a 404), and when I tried just admin.. I got a 401. So my bad
However, I still do not know the admin UI URL, if someone does please. I will keep trying the ones from this thread 🙂
Cheers!
Michael says:
When I do try to get into my camera with the IP this happens
http://192.168.0.9/main.cgi?next_file=index_in.htm
it redirects to this URL and then gives the 404 not found error.
When I found a manual for this camera (at least a variation of the base camera), it says I should just use the http://IPAddress and I should get the admin screen.
I wonder if ADT did something to them and is there some way to undo it so I can get into the Admin UI... Unless someone else knows the admin ui 🙂
Thanks!
Last Spam!
Michael says:
The problem is still I cannot change the Wireless Settings 🙁 so the darn thing is only good wired.
it is nice that I can do live streaming etc without needing even ISpy, however it would be lovely if I could configure the Wireless.
Any thoughts?
Cheers
Jonathan L. says:
The CGI API is still there, however, and it's the same as the RC8230. See the appendix in the manual: http://www.eyespy247.com/site_media/support_docs/support_35.pdf
Basically to configure the wireless:
http:///set_group.cgi?group=WIRELESS&wpa_ascii= // (if you're using WPA. check out /get_group.cgi for the list of options)
http:///set_group.cgi?group=WIRELESS&wlan_essid=
Ryan says:
To reset this device I had to take it apart and jump the pins where the reset button should be because it was apparently removed in this version of the hardware. Once I did that, I was able to access the web interface and get a video stream.
However, when I try to set the wlan_essid using the CGI API it says Error: Unable to set wireless LAN configuration.
Setting other values seems to work as expected. Any ideas?
James says:
JOhn says:
https://fccid.io/P27RC8230#exhibits
Contact me for details. I really need to set up a blog of my own, apparently..maybe I'll look into that. In the mean time, I've confirmed that the Iris models will run less locked-down firmware. If anyone is willing to let me BORROW (or keep) -any- other IP camera that's locked down -AND- has a non-locked-down version with accessible firmware, I'm willing to burn a few dozen hours messing around with those to unlock them as well, and send it/them back. I suspect the process for things like the OC821 will be very similar. Contact me and we'll negotiate something.
Paulo says:
First step is unfortunately to desolder the flash IC, and connect it to your favorite SPI programmer.
- If you don't have a favorite SPI programmer, or don't own any of them, what you want to pick up is a Bus Pirate v3.6 - sources include Amazon, SeeedStudio, Sparkfun, etc, for around $30. Keep in mind, the Bus Pirate is not the fastest way to do it, but whatever you buy, it needs to be supported by Flashrom. Also, I'd strongly recommend specifically the Bus Pirate v3.6 - older ones are limited in hardware and the new 'better' v4 isn't as well-supported, changes the pin ordering and quantity on the header, and most guides assume you have the more widespread v3.6 (or earlier) design.
Second step is to connect the chip to the SPI programmer.
- Myself, I pulled the chip off and soldered wires to the proper pins (use the datasheet from the chip to match wiring to your SPI flasher) in single-bit mode, which is all the Bus Pirate supports as of when I performed this hack. This means Clock, Data 0, Chip Select, ignore the other Data pins. You'll also need to tie a few of the lines (Write Enable and ...something else, I can't remember right now) to VCC or GND depending on which ones they are, to enable write mode and so forth. If you know about flash memory it's easy to figure out which pins. If not, well, frankly I've forgotten which IC it was, and exactly what pins go where, and my camera is not in a place that's easy to unmount and disassemble. If you can't figure it out, tell me what the chip's part number is, I'll pull the datasheet and provide a complete hookup guide. Sorry, but I go through so many random projects that I lose track of details like that, but I guarantee I can get you the right info if you get me the chip's part number.
Third step is to dump the chip's contents using Flashrom into a backup file, so you don't completely lose the camera if something goes terribly wrong. Again, the info for using Flashrom is out there, specifically there are also some BusPirate guides to using Flashrom, but not with this chip. The changes are trivial.
Fourth step is to write the chip's contents with the EyeSpy firmware, again using Flashrom.
Fifth step is to reinstall the chip and enjoy, because you're now done. The camera's default settings/login/etc are available in the EyeSpy247 RC8221 manual, I found it with a simple Google search. Holy crap is this thing ever a lot more capable than I'd expected.
Sorry for the lack of clear detail, it's been ages and I cycle through random projects in a matter of days. I never keep the details written down because usually nobody really cares how I did it, hah. Maybe I should start a little blogroll of my own.. As I said, if you need more info, definitely let me know. I'm more than willing to help. Just get me the chip's part number.
Paulo says:
YOR2012 says:
Terence Eden says:
Eric Andersen says:
Rick says:
Great blog! I scavenged a camera from an estate sale and finally took the time to try and make operational. Thanks to this blog I was able to piece together most of the setup info.
The Camera is marked as a ISEE-VCWLG. I found that it is a SERCOMM camera through the FCC ID P27YL500. I was finally able to gain access to the Admin software via the IP Addy appended with /adm/file.cgi.
I'm at the point where I have everything working via the NIC cable connection but cannot figure out how to get the wireless to work.
In the Network section of the Admin panel I see the correct address of the Primary DNS server (Asus RT-N56U).
In the Wireless section i have the following:
WSC PIN Code:-----(Pin code for the Camera is here)
Network Type:-------Infrastructure (other option is Ad Hoc)
SSID:------------------ID for my Home Network
Domain:--------------USA
Channel No:---------Auto
Security System:----WPA/WPA2 Personal (as per my Asus setup)
Shared Key:----------("Password" to log into the Asus based network is here)
With this info saved I disconnect the power from the camera, unplug the NIC cable and reconnect power. This is per the manual from the FCC site. Power must be disconnected in order to disconnect from hard wire connection. FWIU, reconnecting puts it into wireless mode. However, all I get is the blinking power LED and nothing on the Network LED.
I'm stumped at this point as I can't get the wireless connection to initiate.
Can anyone shed some light on my situation?
Many thanks in advance.
Rick says:
Hopefully someone can assist.
BUT, I also see that the camera went out to an alarm company and appears to have renewed a lease. I find nothing in the admin panel that references any of this. Is it hard coded into the firmware or is there any way to access and change or block?
(Perhaps the log saves info regardless of a factory reset or this occurred before I did a factory reset..??? not sure)
Thanks again to Terrence and others!
From log:
09/22/2015 07:01:01 DDNS: Failed to connect to DDNS server.
09/22/2015 06:01:01 DDNS: Failed to connect to DDNS server.
09/22/2015 05:01:01 DDNS: Failed to connect to DDNS server.
09/22/2015 04:01:01 DDNS: Failed to connect to DDNS server.
09/22/2015 03:03:01 NTP: Synchronization OK.
09/22/2015 03:02:54 DDNS: Failed to connect to DDNS server.
09/22/2015 03:02:54 HeartBeat: Connect to CMS server (cms1.AlarmCompanyName.com:8060) successfully.
09/22/2015 03:02:51 DHCP: Lease renewal successfully.
09/22/2015 03:02:43 Network: Lan activated.
Rick says:
I couldn't get the camera (Sercomm RC8221) to connect wirelessly to my Asus router. So, I decided to piggy back the Alarm company router (Sercomm IP1006RR N-router) to the Asus and see what would happen. Sure enough the Sercomm router and camera connected within seconds. I went to the Camera live image page and was able to view wirelessly. I'm guessing the camera's connection settings are hard coded into the firmware as the network info I recorded in the camera's Network / Wireless page seemed to do nothing.
Attempting another angle, I found the user manual (via FCC id) and attempted to access router management through it's IP addy and the factory default ID / password. No luck. When connected to my PC there's no IP address to found for the router....at all. This leads me to believe it's set up as an access point.
When I connect the Sercomm router to the Asus router, the Asus dynamically assigns an IP address to the Sercomm but I still can't gain access. I just get page can't be loaded...as if it's a bad address.
I'm tempted to bring the Sercomm router back to factory settings but fear I may lose all settings needed to connect to the camera. Then I'm have nothing to work with.
BTW, I use an App which seems to work very nicely called TinyCam. The free version is pretty much enabled. For $3.99 you get the Pro version and no ads.
Feedback is welcome.
Pascal says:
Thanks,
Pascal, fromage Bordeaux, France
Pascal says:
Thanks
Pascal from Bordeaux, France
This blog has helped a lot in helping me figure out a lot. I found that I can connect to my wireless via WPS set up for my cams without the need for getting into the setting.
Your question: I use the CGI to configure the settings for this to parameters are GET ( view) and SET ( Change), so for instance
/adm/get_group.cgi?group=EMAIL ( will display all the settings for email)
/set_group.cgi?group=EMAIL&smtp_enable=1 (will change the settings for the parameter smpt_enable to 1)
With the iCamera-1000-ADT Camera, I am having zero luck getting past the admin password , any help will be appreciated.
Thanks!
Nathan says:
Xundre- to login to the iCamera-1000 the username is administrator with no password.
DaRichMan says:
Jim B says:
Danin says:
JM says:
Hope that this is some use. I have not tried to set any of these values yet. These are basic stuff, so probably others have also discovered them.
URL: http:///adm/get_group.cgi?group=WIRELESS
[WIRELESS]
wlan_type=0
wlan_essid=XanHoc
wlan_channel=11
wlan_domain=12
wlan_security=0
wep_authtype=1
wep_mode=1
wep_index=1
wep_ascii=
wep_kep1=
wep_kep2=
wep_kep3=
wep_kep4=
wpa_ascii=
wmm=0
http:///adm/get_group.cgi?group=HTTP
http:///adm/get_group.cgi?group=VIDEO
http:///adm/get_group.cgi?group=SYSTEM
http:///adm/get_group.cgi?group=USER
http:///adm/get_group.cgi?group=FTP
http:///adm/get_group.cgi?group=LOG
http:///adm/get_group.cgi?group=NETWORK
http:///adm/get_group.cgi?group=MOTION
http:///adm/get_group.cgi?group=AUDIO
http:///adm/get_group.cgi?group=IO
Mine is so called "wiped out". So there is no web pages to set up the camera. All there is are the links for video and snapshot. And of course http cgi.
techology says:
/adm/get_group.cgi?group=WIRELESS how do i set my SSID and WPA (WPA-PSK/WPA2-PSK) settings?
I did /adm/site_survey.cgi and see the wifi network i need but how do i make it possible?
For the last 2 months on my network I've been seeing a camera (RC8026). It comes and seems to leave about a minute after I notice it.
Does anyone know what this is? I'm starting to wonder if my boyfriend has a WiFi cam on me and watching from his home or phone. Please help.
Thank u
Terence Eden says:
That sounds like an odd situation. If you have an open WiFi network, it could be a random camera connecting. I suggest that you change your WiFi's password and don't tell anyone what the new one is.
If you have a mobile phone, download a camera scanning app - it should let you view the camera's feed so you can see where it is. I use https://play.google.com/store/apps/details?id=com.alexvas.dvr
Good luck!
Sam says:
File: http://www.filedropper.com/icamera1000squashfs_1
I'm currently looking for some insights into how Sercomm builds their firmware update packages.
Sam says:
Aside from the obvious flash_dumper.cgi functionality, you can also use next_file to request any binary such as the cgi files themselves. Who knows why this functionality was shipped with production cameras...
You can make some todo requests to file.cgi. The interesting one is /adm/file.cgi?todo=inject_telnetd. Unfortunately, I don't know the root password yet. It looks like it might be setup on boot from rc.sethost as a concatenation of three strings, but it's hard to tell without a proper disassembly.
If anyone knows the Linux root password for these devices, please let me know.
Jim B says:
https://github.com/mirror/firmware-mod-kit
https://code.google.com/archive/p/firmware-mod-kit/
And these two decompiled Sercomm tutorials, both using the FMK:
https://dl.packetstormsecurity.net/papers/general/reverse_engineering_ip_camera_firmware.pdf
http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/
I also have a few flash_dumper images for the iCamera1000 and iCamera2, as well as update packages from Comcast and Cox. I am currently working on tracking down packages for the RC8021 and RC8026. Let me know if you are interested.
Edd M. says:
Thanks, Edd
Jim B says:
Send me an email at paradoxicalloop (at) gmail (dot) com
Tim says:
Dennis Vitali says:
@edent says:
Dennis Vitali says:
Dennid
Login details;
Isername: alertme
Password: nFQTEm*s67uxuF**a2vAth7RoJ
(I'll repost in a different manner if the blog eats it somehow.)
I've got reports that this works for Lowes Iris branded RC8221 and OC821 cameras. They're yours. Use them like you want. I realize someone is probably going to use this for dark purposes, but it wouldn't be necessary if Lowes hadn't locked you all out of your own hardware. They lit the fire, they can deal with the aftermath. You're welcome, Internets.
Dan Wil says:
Dan Wil says:
Dan Wil says:
Jeremy says:
Once I used Lowes' "migration utility" to move my cameras from the Generation 1 hub to the Generation 2 hub, my iSpy server could not connect to the cameras at all. Any connection attempt using RTSP or HTTP (using VLC Media player, which works great for testing video streams) resulted in a username and password prompt.
Long before I stumbled across this forum, and eventually got credentials from Danin Fuchs, I tried hard resetting the camera in an attempt to make it work the way it used to. I was eventually able to get the cameras to where I could connect to the RTSP and HTTP feeds using VLC and iSpy, but the rest of the cameras configuration was gone. The Iris hub would no longer pair the cameras and because of this, I was no longer able to configure the wireless. The cameras did however work fine as long as they are hard wired.
To reset the camera's (I did this on both the indoor and the outdoor cameras), first, for safety purposes, unplug the Iris hub from your network (assuming that it's still plugged in), make sure there is a wired network cable plugged in to the camera and use a pin or paperclip to push the reset button on the back of the camera and hold it for 30 seconds. Once you let go, the camera will reset, wait about 1 minute for it to finish its startup cycle (you should be able to the hear the IR cut filter click and see the IR lights come on if you are in a dim-ish room). After it's done starting up, pull the power cord and wait for a few seconds then plug it back in. Wait for the startup cycle to finish again. By default, the camera should get an IP address via DHCP handed out by your router or whatever is handing out IPs on your network. Now the video streams should be accessible using VLC or iSpy without asking for the username and password and the credentials supplied by Danin Fuchs should work for sending API calls to the camera's. NOTE: I did have to go through the reset process a couple of times on one of the cameras before I got it to work.
I even called Iris support a couple of times to see if I could get anything useful out of them. Of course, they were next to useless. The only thing I was able to get out to of them is that since the cameras were not able to pair to the generation 2 hub (which seems to be a common problem, "once they are paired with a Gen 2 hub and you remove the pairing, they will not re-pair with the hub"), Iris support emailed me a letter to take to a Lowes store where they would replace my Iris cameras with new ones (great idea since my cameras are over two years old).
After I got that information I got the credentials that Danin Fuchs supplied above and figured out that after a few hard resets of the cameras, as long as the Gen 2 Iris hub has not tried to pair to the cameras, then the cameras firmware is in a state where the above credentials will work allowing you to adjust the camera's configuration using the API commands listed here: https://github.com/edent/Sercomm-API
But, as most people messing with this have realized, these cameras have been crippled quite a bit, and without going through the process that Danin Fuchs used, it's going to be a little hard to do much of anything aside from just basic "turning settings on and off".
I haven't had a lot of time to test, but I am working on setting up the wireless using the API commands, I can't seem to pass the commands to the camera in a way that they will accept the input to connect them to my wireless, I assume that all of the commands need to be sent in a string of some sort for it to accept them but without the web interface on the camera, or a working web interface to play with, I'm not sure I will be able to figure it out any time soon. But I'm going to keep trying.
Hopefully this information will be useful to someone else.
Eric Andersen says:
How can I configure that to use RTSP?
Thanks!
Eric
Jeremy says:
For both the RC8221 (indoor) and the OC821D (Outdoor), I use rtsp://IPADDRESS:554/img/media.sav?channel=2
There is quite a bit of information in the threads above about the different streams that are available, as well as the commands to modify the settings of the streams.
Dan Wil says:
Have you tried to use WPS to get the wireless settings automatically?
Jeremy says:
I'm considering writing a small .HTM file that has all the documented API calls that you can set and apply using radio buttons and dropdown boxes with submit buttons for all the settings. Not sure when I'll really have time to do it, but it's fairly high on my to do list.
techology says:
New
Firmware Version: V3.0.02.35
Current
Firmware Version: V3.0.01.29
Tom says:
Could they have updated on their own to the new firmware? This is not good
techology says:
My icamera 2's are a couple of years old. I set them up with static ips a while back so I never knew that anything changed on them.. My blue iris software never had an issue connecting. I just got a wifi extender and wanted to point one of the cameras to it and that's when I found out that the admin console was no longer accepting my login.
But how in the world did they get updated on their own like this? I can get to the main page where you view video but when I click on the admin page link I get login prompt and I can't login anymore with my old credentials.
We're your older icamera2's also locked out of admin page? Or just your newer ones?
techology says:
krytos says:
https://192.168.x.x/adm/enable_ui.cgi
vic says:
have you any version firmware for rc8221 with adm access?
if you have it, plz send it vic_1980 at bk.ru
Susan Macaulay says:
Pete says:
Terence Eden says:
Peter says:
Terence Eden says:
vic says:
You have any version firmware for rc8221?
Adam Steidl says:
Adam Steidl says:
yc says:
once you connect it using wps, how are you accessing the feed? by ip? is there a username and password?
Dan Wil says:
Dan Wil says:
Dan Wil says:
jdillinger says:
Username: administrator
PW field: leave blank
I connected the oc810 via wps. Then tried the above and it worked. So no need to reset 🙂
Jim B says:
Edd M says:
Also, Do you know if its possible to convert a iCamera2-C into a iCamera2 by replacing the current firmware? I believe the cameras will work with my Cox security system if i can get the firmware to be V3.0.01.34 instead of V3.0.02.38 which it currently is. Thanks for any help you can provide. Edd
Jim B says:
/adm/enable_ui.cgi
Response: OK
Tested on iCamera2 using multiple vendor firmware versions. Although I suspect it will work with most Sercomm models.
Credit to Prayas Kulshrestha who used the firmware mod kit on an old RC8061 image. I noticed a screenshot on page 6 of his guide that included this file in adm directory, along with some other untested commands:
https://dl.packetstormsecurity.net/papers/general/reverse_engineering_ip_camera_firmware.pdf
@Terence, I would especially like to thank you for all of your efforts with this blog and github API list! I added this as an 'issue' to your repo. It was my first git contribution, so I apologize if the format is off. The commit process was a bit daunting for a first time user.
Dan Wil says:
Jim B says:
DanWil says:
Jim B says:
If you feel like pursuing this further, please run the following commands and post the results:
/util/query.cgi?extension=yes
/adm/sysinfo.cgi
/adm/get_group.cgi?group=HTTP
/adm/get_group.cgi?group=USER
Dan Wil says:
hostname=RC8221927BBF
description=
defname=SC927BBF
h264_resolution=1280
h264_resolution2=1280
mic_in=on
speaker_out=off
ptctrl=off
wlled=off
irled=on
serial=off
resolutions=1280x720,640*480,320*240,160*120
mac=00:0e:8f:92:7b:bf
privacy_button=on
pir_sensor=on
wps_pin_code=95999357
ioctrl=on
company_name=Lowe's
model_number=RC8221
wireless=on
sw_pppoe=yes
fw_ver=V1.0.06R00
ip_addr=192.168.1.30
netmask=255.255.255.0
gateway=192.168.1.1
timezone=4
current_time=11/03/2016 18:37:57
http_port=80
rtsp_port=554
https_port=443
Firmware Version: V1.0.06
Serial Number:
Uptime: 662243
http_mode=1
http_port2=0
http_port2_num=1024
https_mode=1
ssport_enable=0
ssport_number=1025
[USER]
login_check=0
admin_timeout=5
admin_name=c37977
admin_password=
user1=
user2=
user3=
user4=
user5=
user6=
user7=
user8=
user9=
user10=
user11=
user12=
user13=
user14=
user15=
user16=
user17=
user18=
user19=
user20=
audio_in_ctrl=0
audio_out_ctrl=0
pt_ctrl=0
io_ctrl=0
adm_ctrl=0
vic says:
I'm have only one answer (for the /util/query.cgi?extension=yes):
hostname=RC8221769549
description=
defname=SC769549
resolution=640
h264_resolution=640
mic_in=on
speaker_out=off
ptctrl=off
wlled=off
irled=on
serial=off
resolutions=1280*960,640*360,320*180,160*90
mac=00:0e:8f:76:95:49
privacy_button=on
pir_sensor=on
wps_pin_code=77714657
ioctrl=on
company_name=Elisa
model_number=RC8221
wireless=on
fw_ver=V1.0.05R00
ip_addr=192.182.174.248
netmask=255.255.0.0
gateway=192.182.0.1
timezone=26
current_time=02/22/2016 06:55:30
http_port=80
rtsp_port=554
Another three (/adm/sysinfo.cgi; /adm/get_group.cgi?group=HTTP; /adm/get_group.cgi?group=USER) need authorization.
jaanus rebase says:
I have same problem with Elisa RC8221. You have any version firmware for rc8221?
VO says:
techology says:
iCamera2-C
F/W version: V3.0.02.35
One thing I did notice is that its not permanent. I have to enable every time if powered off and on. not a big deal though.
Jim B says:
My assumption is that it is what I'd need to post to from an external source(like when a front door opens and I want to trigger video capture, but not based on motion). The only issue is, I don't have the tools to reverse engineer this cgi script and I no longer have the security system to packet sniff for calls to it(like I think was happening) in order to figure out what parameters it needs to test my hypothesis.
Thanks
http_trigger.cgi is fairly simple, it just needs an Authorization header
Authorization: Basic
Then call it via GET
If it takes other parameters though, I don't know, but whenever I pass parameters to it, it says they are invalid and returns a 503 status.
krytos says:
Edd M says:
I did this by using the web GUI and installing the firmware version that I needed. The hard part was finding the right firmware version file. One of the guys on here was nice enough to share it with me.
krytos says:
Edd M says:
I have a few different files you can try. One of the members of this forum was kind enough to share them with me. Send me an email. edinaz1 (at) cox (dot) net
krytos says:
krytos says:
http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-105-1002R08.bin
http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-308-1002R17.bin
http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-308-1002R19.bin
http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-308-1002R22.bin
iCamera2 Firmware Files
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-104-300114.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-105-300124.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-105-300126.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-106-300128.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-106-300129.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-108-300132.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-110-300229.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-110-300230.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-111-300235.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-111-300238.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-111-300239.bin
Edgar242 says:
My Icamera 1000 was reporting firmware version 3.0.1(something)... and I installed DYW9HZ-308-1002R22.bin downgrading the firmware to 1.0.02R22. I wonder if there is any major difference or benefit from downgrading or going back to Firmware v. 3.0.1
krytos says:
/adm/auto_upgrade.cgi?new_fw_url=http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-106-300129.bin
Laoshi1 says:
I'm looking for to upgrade my rc8061 and rc8221 with firmware eyespy247 to use UI interface. But i didn't find bin's file to donwload anywhere...
Is it possible to have a link ? Or if somebody can send me it to: laoshi1@hotmail.fr
Thank you for your help.
Bmac says:
Ian Philp says:
I have found that the new XCAM cameras seem to have faulty Wireless modules. Camera would work wired but not wireless and when clicking on the "Site Survey" section in the wireless settings the spinning graphic just keeps spinning and never comes back.
I just bought a new xcam off ebay an this one is doing the same thing even... unless comcast figured out some way to disable the wireless modules if not going through their gateway somehow.. i doubt it but you never know i guess.
Has anyone else been seeing this issue?
thanks
Jim B says:
The next thing that comes to mind is all of the icameras models disable wifi as soon as you plug in a hardwired ethernet source. That is why the icameras provide 2 POE dongle adapters. One is used for the initial hardwired provisioning of the camera and the 2nd dongle is used to provide power to the camera but no ethernet connection, thus allowing the wifi module to activate.
Did you setup the wifi login info on the xcam first and then disconnect the provisioning dongle and plug the Cat5 directly between the xcam and its power supply?
Johnny Cakes says:
I see you can use cgi to manually switch the Manual day/night setting but it doesn't actually turn off/on the IR filter, it just enables the ability to manually switch between day/night in the "View Video" admin page.
Has anyone figured out how to send a cgi command to switch the sercom cameras into night mode?
Scott says:
I found this FCC manual regarding a different camera but the same basic sercomm icontrol UI. it has the admin commands but im unable to find the correct command to trigger the IR: https://fccid.io/pdf.php?id=1418906
As a side not when i query the IR cut i get a filter=0 but on my icam2's i get filter=1 (http:// .. .(IP)/io/query_filter.cgi)
Oscar says:
James B says:
Oscar says:
Oscar says:
I have yet to be successful gaining access to the file system.
I have one plugged into a powerline adapter but it still using the wireless radio.
thanks
Jim B says:
Failing that I'd temporarily bypass the power line adapter and plug it directly into the switch to ensure the hardwired functions on the camera is working properly. And there might be a compatibility issue with the power line adapter.
Scott says:
Im an installer for these cameras (xfinity) and we were told they would not work hardlined (no info as to why but im digging into it).
I found this FCC manual regarding a different camera but the same basic sercomm icontrol UI. it has the admin commands but im unable to find the correct command to trigger the IR
Any suggestions?
Tim says:
Oedi says:
I have been able to access all the configuration of the RC8025-ADT. Below is all the steps that I used.
1) Press down the reset button (on the left beside the FCC logo) for 20 second
2) Connect a LAN cable to the device and it will boot with DHCP
3) Work out the IP it got
4) Goto http:///adm/enable_ui.cgi
5) when asked for login information use username administrator - blank password and then you will see “OK” on your screen
6) Goto http:// and now you have access to the administration page to set stuff.
On a reboot you will have to enable the UI again if you want to make changes.
Oedi says:
JoJo says:
If you're new to all this like me, this pdf, really helped me configure my cam, cause now I knew what all the options were for each setting.
Here's is the SerComm Neutral Brand IP Camera Configuration File Spec, which lists SerComm API with descriptions.
https://www.yumpu.com/en/document/view/15518716/sercomm-neutral-brand-ip-camera-configuration-file-rpracouk
Also following the steps on this site, seemed to do the trick or i just got lucky. lol
http://forum.livingwithiris.com/topic/2633-how-to-take-total-control-of-your-iris-cameras-with-the-api/
I hope this helps someone, like all the help I got from this site.
wilner nau says:
@edent says:
adminas the username and the password? If not, I suggest speaking to the retailer.Greg says:
Fenerli says:
@edent says:
David says:
Johnny Cakes says:
Anyone know of any new comparable cameras to the Icamera 2/Sercom 720P camera?
What i liked about it was that it was
1. Outdoor
2. Wireless or Wired with just a single cord.
3. 720P
4. Small footprint
Thanks!
Johnny Cakes says:
Auto Mode
/adm/set_group.cgi?group=VIDEO&dn_sch=0
Day Mode
/adm/set_group.cgi?group=VIDEO&dn_sch=2
Night Mode
/adm/set_group.cgi?group=VIDEO&dn_sch=3
josh says:
the hardware i have is sercomm rp131 WPS-POE ports (2 of these, one for each camera). they also had sercomm powerline Y cable adapters plugged in, but they were only using the power ports on these to connect to the camera's ac power. i guess they used this as a backup for power, but i'm not really sure.
the cameras are sercomm OC-432's. there is also the DLC-100 unit with another sercomm powerline, but i'm ignoring that one for now.
i have one POE (rp131) connecting to my new internet router, with the ethernet from that going into one of the cameras. the camera's light goes green, so i think it's connected. the 2nd POE isn't connecting to my router yet, so the camera connected to that is just flashing blue right now.
the problem here is that the POE units are not showing up with an IP on my router. i can find the powerline units with an IP, which is interesting, but no ip from the rp131 unit. if i plug the ethernet from the powerline into that camera, it doesn't seem to connect (stays blue flashing light).
has anyone had experience with any of this hardware? do you have any suggestions on that to try next? i feel like it's just a matter of forcing a reset on these, but the reset button doesn't feel like it goes down any when i stick anything in that hole.
@edent says:
josh says:
paul says:
Cabana says:
I have a RC8221W camera (like in this picture https://img01-olxro.akamaized.net/img-olxro/100783850_1_644x461_camera-de-supraveghere-wifi-sercomm-rc8221w-targu-jiu.jpg).
I have a problem to enter its configuration. When I enter the address 192.168.x.x in the browser, the camera automatically redirects me to https://homescope.sfr.fr/local
However, when I type in the browser 192.168.x.x/adm, a window appears in which I must enter the username and password. Unfortunately, none of the passwords that are given here work.
After entering http: //192.168.x.x/util/query.cgi? Extension = yes in the browser
I get this:
hostname=SFRCAM_0AFCA2
description=
defname=SFRCAM_0AFCA2
mjpeg_resolution2=640
h264_resolution=1280
h264_resolution3=320
mic_in=on
speaker_out=on
ptctrl=on
irled=on
serial=off
resolutions=1280720,640480,320240,160120
mac=00:0e:8f:0a:fc:a2
privacy_button=on
pir_sensor=on
wps_pin_code=07200342
ioctrl=on
company_name=Sercomm
model_number=WIFICAM_SFR_RC8221
wireless=on
fw_ver=V1.0.18
ip_addr=192.168.100.2
netmask=255.255.255.0
gateway=
timezone=29
current_time=07/01/2015 07:06:32
http_port=80
rtsp_port=554
Can I somehow get to the configuration of this camera?
Maybe someone has a file with the original software? I could upload it to a flash memory programmer.
Casiean says:
Cabana says:
Thank you for your answer 🙂
Unfortunately, I do not know any contact to you. Maybe I will give you my email, here it is: 19cabana91@gmail.com
marcelo says:
have you managed to unlock the camera?
i have the same one and same problema
apb says:
I'm try to find firmware for RC8221 and soft for rewrite =).
Have you firmware fo this model?
Bob says:
One think I found in addition to the wealth of knowledge above, is not only can you force 1280 720 in H264 ( http://"IP"/adm/set_group.cgi?group=H264&resolution=4) and get high resolution JPEGS ( http://"IP"/adm/set_group.cgi?group=JPEG&resolution=4) but you can also stream in 1280 720 in MJPEG!
I don't know the command line, but if you use "Inspect Element" on the Video Streamings page you can see the hidden resolutions. Really easy to figure out, right click, edit as HTML, delete a few characters at the beginning and end of each string so they look like the others and voila. 1280*720 appears in the drop down box. Select, save, & have a beer.
There are also other hidden menu items in other versions of the firmware for other cameras. I/O config, De-warping, Speaker set up.... Have fun!
Kelsey says:
"Action(EMAIL) of event name(event_pir) has been skipped because system resource is busying now.[event type: pir (bundle motion)]
Event triggered by pir (bundle motion)."
I'm not sure why it is saying the "system resource is busying now"? What's odd is that I had this working at one point where it would send me a recording of the motion detection via email but now it's not working. Could anyone shed some light on how to fix this issue?
Kelsey says:
@edent says:
Kelsey says:
Bryan says:
@edent says:
Bart says:
farid says:
OC821_
RC8230 hi bro i have these 3 kind of models but none of works or connect to my nvr will please if you can help me to guide how to connect my these ip cameras to my dvr or nvr thanks
Krimou8049 says:
Erik Finskas says:
Reading these threads with great interest trying to reverse engineer a RC8221-based camera used in Finland for a closed system which shut down. Now quite a big pile of cameras are doing nothing.
I've gathered up now that it would make most sense to flash the camera with the EyeSpy247 firmware with the Bus Pirate, but still after quite extensive crawling I did not find the firmware to download.
If you have the firmware, I'd like to receive it and put the soldering iron on 🙂
Thanks,
Erik
com dot google at finskas dot erik
Charles says:
If anyone can please help me I will really appreciate it
FACTORY RESET THE CAMERA.
Reset the camera by pressing the reset button on the back of the camera for 20-30 seconds. The manuals say "10 seconds" but mine didn't successfully reset after 15 seconds, so I eventually just held for 30 seconds and that worked. You'll know it works because the red LED lights (on mine, anyways) flashed once, then the device reboot. If the green light starts blinking, it failed - try again.
GET THE IP OF THE CAMERA
I got mine by logging into my router and looking at all the client list.
LOGIN TO THE ADMIN UI
Go to http://192.168.1.99/adm/enable_ui.cgi (replace 192.168.1.99 with your camera IP) -- Most comments say going to http://192.168.1.99/ they could login -- that gave me a 404. Go to http://192.168.1.99/adm/enable_ui.cgi and login with username "administrator" and empty password. IF the login doesn't work, then your device wasn't successfully reset in step 1, start over.
Thanks to all whose comments helped! 🙂
Eugen says:
hostname=RC8221D46459
description=
defname=SCD46459
h264_resolution=640
mic_in=on
speaker_out=off
ptctrl=off
wlled=off
irled=on
serial=off
resolutions=1280 960,640360,320 180,16090
mac=00:0e:8f:d4:64:59
privacy_button=on
pir_sensor=on
wps_pin_code=39193216
ioctrl=on
company_name=Elisa
model_number=RC8221
wireless=on
fw_ver=V1.0.10R00
ip_addr=192.168.0.47
netmask=255.255.255.0
gateway=192.168.0.1
timezone=26
current_time=01/01/2010 03:50:50
http_port=80
rtsp_port=554
What to do? Are there any ideas or firmware to read and look for a password file there? Thank!
DaninFuchs says:
VO says:
Chris Phillips says:
hostname=DukeOutdoor description=NextView defname=SC93C4C9 resolution=640 mpeg4_resolution2=640 mjpeg_resolution=320 h264_resolution3=640 mic_in=off speaker_out=off ptctrl=off wlled=off irled=on serial=off resolutions=640 480,320240,160*120 mac=00:0e:8f:93:c4:c9 privacy_button=off pir_sensor=on wps_pin_code=96841693 ioctrl=off company_name=NextAlarm model_number=OC810 wireless=on sw_pppoe=yes fw_ver=V1.0.02R00 ip_addr=192.168.0.41 netmask=255.255.255.0 gateway=192.168.0.1 timezone=4 current_time=03/19/2019 22:26:41 http_port=80 rtsp_port=554
Krytos says:
Xech says:
https://megaupload.nz/XcX1tbp3n5/fw_bin
Krytos says:
Xech says:
paLINKrk says:
Sid says:
I have an RC8221 from Lowe's that I am able to get into after resetting. I want it to send me an http request when it detects motion. I see from the logs that the motion is detected, "Alert: Detected motion." but then "Alert: There is no action for this event."
I can't seem to get it to trigger anything. I have been using "adm/set_group.cgi?group=EVENT&event_mt=" but no matter what I try as a value string, I get "Error: Unable to set Motion Detect configuration"
My configs look like:
[EVENT]
event_trigger=1
event_schedule=1
event_define1=
event_define2=
event_define3=
event_define4=
event_define5=
event_define6=
event_define7=
event_define8=
event_define9=
event_define10=
event_interval=2
event_in1=
event_in2=
event_mt=
event_pir=
event_httpc=
event_attach=avi,1,5,5
event_mpeg4=3,0,1
event_jpeg=1,0,1
[HTTP_NOTIFY]
http_notify=1
http_url=http://...URL here
http_proxy=
http_proxy_no=80
http_method=1
http_user=
http_password=
proxy_user=
proxy_password=
event_data_flag=0
Can anyone show me what I'm doing wrong?
Sid says:
The one from github would give:
adm/set_group.cgi?group=EVENT&event_mt=email:0;ftpu:0;httpn:1;httppost:0;smbc:0
but this gives an error (at least on my camera)
a string that works is:
adm/set_group.cgi?group=EVENT&event_mt=email:0;ftpu:0;op1:0;httpn:1;smbc:0;sd:0
Now I'm getting:
Alert: PIR & Motion Detection (bundle) triggered.
HTTP-NOTIFY:Send notification successfully.
In the logs!
Thanks for all the info on this blog.
Marcelo Cláudio says:
https://shop.eno.de/en/smart-home/vh-sercomm-kamera-fuer-v-home.html
is there anyway to have the login password and user name?
it is sold under vodafone security pack
Gene D says:
JJ says:
"Network: Lan activated."
I have an icamera2, and periodically that will show up on the log screen. I get the gist of the rest of logs, like DHCP lease renewal, NTP synchronization, and when someone connects to it. But that one doesn't make sense to me. Doesn't "lan" suggest a cable connection? As opposed to wifi, because the log does have another line entry that says "Network: wireless activated." But there has never been (at least not to my knowledge - ergo my concern) a cable connected to the camera since after the first day when it was initially set-up.
I admit I get a little paranoid about shit like this, so if someone could put my mind at ease it would be much appreciated.
So you have nothing to worry about. Although you can fill the Ethernet port with glue to stop people plugging in cables, if that's bothering you.
eFix says:
I have tried multiple email accounts (Comcast, Google ...) nothing works.
Anybody has any idea why it suddenly stopped working? I suspect a change in the Comcast-Xfinity Router-Modem but I can't find what caused it to stop working.
Kris says:
motion sensor of the camera
sound
the digital inputs of the camera
Did anybody had luck with these features?
login for my camera's was superadmin / superadmin, but I had to block internet traffic for the camera's because they always want to go back to their supplier after a reset
MK says:
Antoine Lovelace says:
Dan Roman says:
Thanks.
ta6point6litre says:
oops says:
oops says:
ta6point6litre says:
oops says:
It's really simple to test if my method works on your cameras. Take a cat5 patch cord and slice into it. Cut the blue and the white/ brown wires. Connect a 12v power supply to the cut wires on the side of the cable that plugs into the camera --> 12v+ on the blue wire and 12v- on the brown/white wire. Connect the end of the cat5 cable where you spliced in the power to the Xcam rj45 dongle. Connect the other end to your computer. Power everything up and you should see a light come on on the camera (if it has a status light). There's lots of references on this blog to guides on how to reset your camera to factory specs, how to access the camera's settings and how to view the camera from a browser or media player.
oops says:
Krytos says:
oops says:
Johnny says:
Its only happening to the cameras i place in this one location though. Wondering if maybe its getting direct sunlight and its damaging the lens or something. But im going through a new camera like every 12-16 months in just this one spot.
Anyone else see anything like this?
thanks
Johnny says:
Anyone know of any modern/new camera that has similar features?
Day/Night (IR) Mode
720P or better
Small footprint
Works with all the camera apps (tinycam, blue iris, IP Cam Viewer, etc.)
Wired or wireless operation
Single wire for power (Icamera can use a single flat CAT5 cable from the camera. Easily can close in window frame)
Indoor or Outdoor
I'm yet to find anything new that meets the above criteria.
If you know of any please let me know!!
thanks guys
ian says:
If I just go http://[ip] I get 404. Is there a path I need to add to get to log in?
I saw a suggestion for /img/media.flv and tried that and it is downloading a large file as I write 40mb+
Ian says:
Church says:
fawmum says:
Seano says:
I’ve a rc8221v2
I’ve read out the flash chip and gained the administrator password.
It’s an ADT- South Africa version.
I’m after alternative firmware if anyone has any lying around. The eye247 one looked promising but nothing comes up on google and the Dropbox is a dead end.
It’s more a Curiosity project, I’ve only recently starting meddling with spi and flashroms.
@edent says:
These are very old cameras - this thread is nearly a decade old! So I doubt that there are alternative firmware files to be found.
seano says:
one raspberryPi and some of the worst soldering I had it hooked up via spi and used flashrom to read the firmware.
for an idiot with very little understanding some of the guys aboves links and such provided a wealth of where to begin, was fun and that's the main point 😀 I was bored and had it lying around as a paperweight. now it works and I can use it, isn't the greatest image but serves a purpose. surprised it lived my butchery.
the password I got was TyC0711@DmIn14
the admin gui is stripped out, you have to go the hard way round to get to the config panels, but its workable.
Mihai says:
Thanks.