Hacking Around With Network Cameras


I was recently given 3 rather locked-down network cameras. Each camera was pre-programmed to communicate with a specific website, and only attach to a predefined wireless access point. Naturally, there was no supplied username or password.

I thought about how I might get access. Using a man-in-the-middle attack to sniff the password, or trying to dump the firmware and examine that. Sadly, all the vulnerabilities previously reported no longer work. After a little bit of thought, I went for decided low-tech solution; I hit the reset button! Yes, each camera had a recessed switch, accessible only with a paperclip, which reset the device to factory settings after holding it down for 10 seconds.

Anyway, this is my voyage of discovery with the three cameras. They are:

  • RC8221_ENRC8221 - a basic internal camera.
  • OC821_ENOC821D - an external camera with weatherproof features.
  • RC8230_ENRC8230 - a pan/tilt camera.

All of them are manufactured by Taiwanese OEM Sercomm. Annoyingly, Sercomm don't have any customer services. They mostly resell the cameras to Linksys, Cisco, Xanboo.

SerComm don't offer any firmware, GPL downloads, or much information about the cameras - so it's all very much trial and error.

Defaults

After resetting the cameras, they'll happily attach up to any wired network via the Ethernet port. Visit the IP address assigned by DHCP and you'll get to the admin panel.
The default username is "administrator" - there is no password set.
You can now go and fiddle with all the settings.

High Resolution Mode

The cameras are meant to be able to record at 720p - yet the user interface doesn't seem to allow it.
Camera Settings
Luckily, the API allows us to force the resolution.

http://192.168.0.42/adm/set_group.cgi?group=H264&resolution=4
http://192.168.0.42/adm/set_group.cgi?group=JPEG&resolution=4

Wait! What? API?!

Oh yes, all the cameras come with a variety of commands which can be controlled by simple a HTTP GET request.

Discovering The API

As I said previously, Sercomm provides no documentation. Luckily, their resellers do!
EyeSpy247 have the admin manual for the RC8221.
Use-IP have the admin manual for the OC821D.
I haven't yet found a manual for the RC8230 - but it uses most of the same API commands. The only main addition is the ability to move the camera via its pan/tile functionality. After a bit of digging, I found a discussion on how to activate this functionality.

Up:

http://192.168.0.42/pt/ptctrl.cgi?mv=U,10

Down:

http://192.168.0.42/pt/ptctrl.cgi?mv=D,10

Left:

http://192.168.0.42/pt/ptctrl.cgi?mv=L,11

Right:

http://192.168.0.42/pt/ptctrl.cgi?mv=R,11

The manuals give all sorts of instructions, how to view video streams, get photos, set and get various options. There are, sadly, some omissions.

Sending Sounds

One of the tasks I wanted to accomplish was to make the cameras play some of the turret sounds from the video game "Portal". This is proving tricky, despite the manual's promises to the contrary.

It should be possible to POST an audio file to the cameras, either in G.726, or G.711 (a-law or u-law). Despite creating the audio files correctly, and POSTing them to the cameras - they make not a peep!

curl -vv --data-binary @alaw8k.wav http://user:[email protected]/img/g711a.cgi
curl -vv -X POST -d @alaw8k.wav http://user:[email protected]/img/g711a.cgi --header "Content-Type:audio/x-wav"

I get a 200 OK, and the volume is set on the camera. Most vexing!

If you think you can help, please leave an answer on StackOverflow.

Arming - or lack thereof

With my other cameras, I can send a command to arm or disarm. I don't need the motion detection to send me emails every second of the day - only when I'm out of the house.

Looking at the source code of one of the pages, it looks like it's possible to POST some data to /adm/file.cgi - but it's not clearly documented which parameters are required. It will take me some time to work through the tangled nest of JavaScript.

Email

The cameras will send video when they detect motion - although getting this to work isn't at all obvious.
SMTP Settings Screen-fs8
Firstly, the password is hard-coded to be a maximum of 16 characters. If your password is "StarTrekIntoDarkness1" you're out of luck.
Secondly, the "Test the Server" button doesn't actually work. It randomly gave me errors about not being able to reach the server. I struggled for hours until I discovered that the error messages were lying to me! If you enter the details correctly, and the camera has access to the Internet, it should just work.

That said, once enabled, it will happily send emails with large video attachments to you.

Video Audio

All the cameras have microphones, and all do audio triggering (sending an alert when noise levels rise). Yet none of the cameras would embed audio in with the video. When streaming over RTSP, it was possible to pick up audio from the microphone. Lowish quality, 8kHz, mono - but better than nothing.
Again, if anyone knows how to get the alert videos to include audio, please let me know!

Motion Detection

Setting the motion detection area is very useful. You might want to ignore movement on the floor if you have a pet, or concentrate on a door handle. Sadly, with these cameras, you have to use IE6 or greater to set the detection area.
Internet Explorer 6 Required

You can try and use the API to set areas - but without being able to see the area in question, it's an exercise in frustration.

For my needs, having full screen video detection is fine. I may have to borrow a Windows machine if that changes.

Open Source

Each camera has an embedded Open Source page at /adm/Licenses.txt which includes all the text of the relevant GPL etc.

All three cameras have the following Open Source components:
Davicom Ethernet driver
Linux kernel 2.6.18
wireless_tools 26
busybox 1.16.0
dhcpcd 1.3.22-pl1
ez-ipupdate 3.0.11b7
iptables 1.3.4
ppp 2.4.1
cron daemon
samba client 3.06
glibc 2.8
alsa-lib-1.0.16
wpa_supplicant 0.4.5
NTP
thttpd-2.25b

Interesting to note that BusyBox is an unstable release version from 2010, thhtpd supports IPv6 even though the cameras don't appear to.
wpa_supplicant is ancient - that may explain why it can't cope with SSIDs with spaces in them. I presume it's the hardware which won't scan the 5GHz range.
The Linux kernel is from 2006 - that's common enough in embedded systems, but I do wonder if it presents a security risk.

Security

The cameras offer an SSL connection. However, the certificate is self signed and uses MD5 with 1024 bits. Basically, a security signing which was advised against in 2010.
There's no way to replace the certificate without replacing the firmware. If you are willing to trust it, the connection is secured via SSL.
Secure Connection
Assuming you can confirm the certificate is correct, the encryption should be sufficient to stop anyone but the NSA peeking through your cameras.

That said, the RTSP channel isn't protected by SSL. You can give a username/password, set time of day access, and restrict to specific IP addresses - but the video is transmitted in the clear.

For now, I'm keeping my cameras on my LAN with no external access to them.

What Next

At the moment, I've set the cameras up, but I'm not actively monitoring them - it's just too much work to switch each of them on when I leave for work.

So, if you can help....

  1. How do I send sound to the cameras?
  2. How do I get audio with the video alerts?
  3. How do I arm the cameras via the API?

198 thoughts on “Hacking Around With Network Cameras

  1. Great blog, thank you for taking the time. Like you I am using the EyeSpy247 RC8221 without the EyeSpy service. Instead I use a subdomian address with port forwarding to access the device locally / remotely. Wondered though if you had any thoughts on accessing the video stream directly with preset options (i.e. 2. H264 with Flash) rather than via the pre branded page. I wish to embed the feed in to another page

    Thanks again.

      1. I do have a couple iCameras2, I followed your instruction and I able to get into one, and I am very sure to get into the second one, but I need to know which application I could use to record and check videos from outside of my house?

  2. I had RC8221 camera. when i trayng to get some information from camera, i got "400 - bad reqest". Can i do something to use camera alone without provaider service?

  3. Thanks Terence for a great blog!

    I too have a RC8221 which was locked to my service provider (Elisa in Finland). Factory reset went ok, and I got to the admin panel.

    Unfortunately administrator as username (password empty) doesn't work. Is it possible, that credentials might be hard coded or flashed in firmware?

    Do you have any hints to give how to solve this problem?

    Cheers!

    Tomi from Helsinki, Finland

    1. Hmmm, it might be worth doing the factory reset when the camera is on the LAN but *not* connected to the Internet. It's possible that it's phoning home and then changing its password. Other that that, I don't know. Sorry!

        1. Assuming you have an ADSL modem - simply detach the cable which goes from your phone socket to the modem. That way you'll be able to reach all the devices on your LAN, but they won't have access to the Internet.

      1. I had the same issue with the "default" login credentials ("administrator", blank password). It worked immediately after reset, but I noticed on the administration page that the password had dots in it (like masked characters), but since I hadn't changed anything from the defaults I ignored it. When I logged out and later tried to login it wouldn't take the blank password. So apparently simply entering the administration page populates the password field with something. I did another reset and immediately put my own password in before logging out and haven't had any issues since.

  4. I have 2 network cameras and other stuff which will become obsolete when ATT Remote Monitor (Xanboo) disappears on 6/13. I am searching for a way to still be able to use the cameras without the Attrm website. However it all seems very complicated after reading the above, and I am not tech savvy. I will first try to reset one camera with a paper clip.

  5. Im trying to connect the OC821D to the wireless, but i couldn't..i tried with two differents routers, but the camera never connect. With cable works perfect, but is a wireless camera, so i want to put it outside without cable.

    1. You need to connect to the camera via the ethernet cable - then tell it to scan for wireless networks. Once you've typed in your password you should be able to do a test connect. If that works, save everything then unplug the cable and reboot the camera.

  6. I have had good success setting up the Sercomm iCamera1000. It is very similar to the RC8221 in just about every way - minus a few features. In your blog, you mention issues with the email setup. The screenshot you include even shows that you are using a Google SMTP server. I am trying to do the same thing. Motion is being detected and email is NOT being send. I am guessing it is some random problem. Error message from the Log: "SMTP: Failed to send E-mail to @gmail.com." I felt like it is a problem with SSL/TLS, as the only authentication option is "SMTP authentication." It would seem that the software does NOT support SSL - which seems crazy given that you set yours up to utilize port 465 - which is for SSL. Any insight here?

    thanks for the great blog and very helpful information on this particular topic.
    regards,
    -=Adam

      1. I've been working on a little Java application to work around being able to send attachments to gmail on the iCamera-1000. This works pretty well for me anyway, I've put up on my github today.

        But my next question is, what is the url to post to trigger an http event?

        1. Can you post the url to your github and more information on how to setup gmail smtp on these cameras. Thanks.

          1. I don't use the camera to actually send the email, rather to post an event to my app which then will send the email.

            Although, in the time since I posted and now I've gone beyond just emailing when the camera sees motion. I'm adding zigbee sensor triggers and triggering the camera that way as well.

            Eventually, I'll add camera streaming as well, partly because the firmware on my cameras is old, and partly because I want to see if I can make my own home security system based on a Raspberry Pi and Java. I can find others true but I want to write my own completely open source.

            But to answer your question;
            https://github.com/djr4488/camera-notifier

            1. Danny, how do you invoke your app upon an event trigger? I got the following message: HTTP-NOTIFY:Failed to connect the HTTP notification server.

              All I did was to put the full URL in the URL field in the HTTP(S) notification.

              1. Y, I'll need to pull out he cameras here again shortly. If it is alright I'll get you an answer by Sunday, been insanely busy at work the few weeks and am hoping that maybe I'll get some time off soonish.

              2. I updated the readme as I have added other things to my app between the time I originally wrote the readme and now.
                So there are a few more steps that involve using the swagger interface(only UI I have for the moment.

                Hopefully that readme will help, if not let me know.

  7. I lost the use of both my network cameras and other devices Friday when Att remote monitor website shut down. I've been trying and trying and reading all info available, and today I was able to reset one camera successfully and somehow acess it, so now I can see it from my computer but only locally...I have not been able to find the local address for the other camera yet, it is a Sercomm rc 4020, does anyone have any ideas? Also what's the best way to get acess from the Internet for the camera I can now access? Thank you!

  8. How can I do a hard reset, my power light is bliking and then after a minut or so all lights come on and does it again and again..

    1. For a full factory reset, push a paperclip into the little hole, hold it there, and turn on the camera. After 30 seconds, the lights should start flashing and the camera should be in its factory state.

    1. Blinking power means you are not on a network

      You don't tell us the model of your camera. The RC82390D defaults to 192.168.0.99 when it is reset. The default UserId is "administrator" and password is "" (i.e., none).

      I assigned a fixed IP address at 192.168.0.10 and put an ethernet cable between the PC and the 8230. Entered 192.168.0.99 into the browser's URL and VOILA, I had the camera! From there, I could program the proper network and the wireless picked it right up!

      I found the manual as an attachment to the FCC listing!!!

      https://fccid.io/document.php?id=1687444

  9. I succeeded in finding the local address for the Sercomm RC 4020 camera, and resetting it, I think, but all I see is the following on a green background:

    Index of /

    mode links bytes last-changed name
    dr-x 7 97 Feb 22 2008 ./

    I've been unable to get any kind of info on this model camera. If anyone has any suggestions ?

    1. I was able to bring up a login screen by adding user:pss before the ip address, and login with 'administrator' but all I got was another 3 lines on a green background:

      Index of /adm/

      mode links bytes last-changed name
      dr-x 2 326 Feb 22 2008 ./
      dr-x 2 326 Feb 22 2008 ./
      dr-x 2 326 Feb 22 2008 ./

      Still trying!

  10. I have just succeeded in viewing the camera picture! But that's all, so far. No access to setting up the camera.

  11. My RC8030 didn't revert to the default login and password when I set it to defaults in the administrator panel. I did the paperclip reset and it allowed me to log in once but then changed it several seconds later. I reset it again and now it's working alright. Hope this helps anyone with similar issues.

    1. How did you get to the administrator panel? I have a RC4020, and am unable to access the panel.

      1. I have to reset mine several times in a row with the paperclip and then on boot I have about a 20 second window to log in with "administrator" and no password before the device automatically changes the login. If you manage this you can change the password to something you set and shouldn't have to deal with it again. One reset isn't good enough - it's usually on the third one that works.

  12. Thank you, I will give this a try! It is all very mysterious to me so far, though I've gotten bits and pieces of the puzzle. Not sure anyone would be interested in this though. My best success with it is that I've finally found the right terms to be able to view a small live camera picture on my local network, but I can't do anything more so far. everything seems to be based on commands that I can't find a list of.

        1. When I go to http://192.168.1.7/adm/file.cgi?next_file=system.htm, I get a white page with 'OK'
          When I go to 192.168.1.7/img/main.cgi?next_file=main.htm, same thing.

          However when I try http://192.168.1.7/adm/sysinfo.cgi, I get: Firmware Version: V1.0.13 Serial Number:***

          I've looked at the manuals above for the cameras that seem similar, but most of the API commands don't seem to accomplish anything so far. Maybe my camera is too early a model and/or just doesn't have an admin panel?
          I keep trying when I have some free time!

          1. My firmware is V1.0.09 so I would think yours should have one if you're on the newer firmware. I'm not sure what's wrong, if I enter the IP address alone it redirects me to the panel.

            When I got my camera out of storage (3 years) the panel was buggy until I reset to factory defaults. I'm not sure if resetting will resolve the issue you're having but if it's a similar issue it might. Here is the API command that works for me, since you can't access the panel to do it.

            http://192.168.1.7/adm/file.cgi?this_file=password.htm&next_file=password.htm&todo=reset

            If most of the API still works you could probably just download a local copy of the panel.

            1. Aha! I got this
              "Camera's config file has been reset. Camera will restart and IP address maybe change .Please use the Windows utility to locate the camera and configure it correctly for your environment.Please close this Browser window and wait for a moment."

              No sure how I would download a local copy of the panel, though, any hints?

              Also I use either an old iPhone, an old iPad, and an old Mac PowerBook. I might have to borrow a pc and see if I could find this Windows utility that is mentioned. I did see something somewhere, hope I bookmarked it, about downloading something for this camera or one similar.
              Hope I get some time to try this out!
              Thanks so much!

              1. Basically I would save a copy of all the pages in my camera's control panel and upload them for you to download. Then you'd save them on your desktop and access the camera from there (instead of the camera's address).

                Since the API is the same it should work if every command was sent to the correct IP address. I'm guessing the Windows utility is used to find the dynamically given IP address or an actual tool used to access your camera. If your camera isn't using a static IP you can check your router for the new local IP (if it was given one).

                1. Thanks, that sounds interesting to try! I wonder if it would work on my rather old computer, a 2003 Mac power pc laptop. I haven't done anything more since my last reply. It would be very useful to have that camera back in operation the way it was when I had the service.

                  1. Are you guys familiar with micasaverde? I'm trying to add my sercomm RC8230D but i need the http:// address for the video stream, can you guys help me please

                    1. If you have a read of the manuals, you'll see that you can get videos from /img/media.sdp and RTSP from rtsp:///img/media.sav

  13. (Sorry in advance for the long post, but I think it'll be worth reading.)

    I realize that this post has been dead for a while now, but I wanted to let you know that I've got an RC8221 (Lowe's Iris model, aquired second-hand with no software or documentation) that had me confounded on configuring. I decided to go for an approach that I haven't seen before - hardware. I pulled the Flash chip, dumped it, broke it into its MTD partitions, and acquired the login credentials as well as a complete filesystem dump. I've also found that there's a factory "update" mode and it forces the camera to Ethernet IP 192.168.0.99 (and starts a webserver) for uploading firmware images, easily triggered with no additional tools - unfortunately, not a raw image, must have some form of header that I don't yet know... The username on my Lowes device is 'alertme' (makes sense, since the Iris hub is rebranded AlertMe hardware) and the password is a fairly random string, however it is stored plaintext in the firmware in two locations. I'm fairly confident that the same is true of ALL RC8221 cameras, due to its structure and placement, and I'm also confident (based upon the filesystem and config partitions storing the same password) that it's NOT encoded per-camera, more likely per-rebranding.

    To replicate my attempts, you'll need soldering skill, a Bus Pirate (hardware) and Flashrom (software), a serial terminal program (putty/minicom/etc) as well as a hex editor or Linux knowledge. I'd be willing to trade - my knowledge on how to do this for a dump of someone's non-Lowes firmware....of course, if someone asks, I'd be more than willing to share my knowledge without the trade.

    Using a hex editor, I was able to change the streams that're enabled, their default settings, resolutions, framerates, etc...as well as making WPS work to set up wireless. Also, to the original content creator here - the speaker output seems to be turned off by default in the firmware via config entry, which I switched on...haven't tested its functionality, but if you're interested in conversing I'll give it a shot..

    My biggest frustration, though, is that the Lowes Iris firmware has stripped out the Web UI in its entirity! There is NO web config here, unless I'm just doing it wrong. This is why I need a copy of someone's firmware or temporary access to their device - I'm confident I can toss it on this device to fix that.

    If anyone still has an RC8221 and the required equipment (or would be willing to send it to me for a few days) I'd like to collaborate on unlocking my device further, or just share the knowledge of course. I have no blog of my own, and don't care to start one for a single post about an outdated device. Comment here and we'll figure out a way to talk.

    What I need, ideally - I'm especially interested if you have any of the following;
    A firmware dump of someone's non-Lowes RC8221
    Physical access to someone's non-Lowes RC8221
    Someone who has the right tools, and a non-Lowes RC8221
    A firmware update file from ANY Sercomm device, ideally an RC8221

    Thanks for taking the time to read this.

    1. I have four Lowes RC8221 and two OC821. Since I am giving up on Lowes Iris HUB (moving to Smartthings) I would like to hack into these cameras and use EyeSpy247.com service or code them to work with my Smartthings. I am very smart about things but I do not have any real knowledge about these hacks, coding, upload or flashing devises.

      I am willing to pay, trade and help anyone here. I could just give up these cameras and move to the next model. or we can work on them.

      1. Can you share the administrator id and Lowes passcode for these device.
      2. Can you explain how to flash or upload new firmware that would give me the UI interface or point to Eyespy247.com service.

      you can email me directly at [email protected] if you would prefer.

      I think hacking into these cameras and using a firmware and the open source coding from Smarthings could get these working.

    2. Hello! Would you be interested in releasing the password for the Lowes Iris camera? I have a non-Iris firmware dump that you can use if you would like, but would like the password in exchange. You can email me at [email protected]. Thanks!

    3. Danin,

      Would you mind sharing the password that you mention in this post? I have a couple Lowe's Iris Branded cameras and would like to try the password that you see in the firmware on my cameras, but I don't have the time or knowhow to pull the firmware from the flash chip like you've done.

      I looked around a bit, in case you posted it already, but I couldn't find it.

      Thank you

      1. I didn't want to out-and-out post it in a public setting because ..well, security issues, yanno? Email me, I'll share it with you. Email is my username here, minus spaces, at Gmail...just in case it doesn't show up here or something.

    4. I have a RC 8221 and an willing to send it to you.. this post was very helpful. although I am still a little lost. would I send you some $ and a return post? let me know. thanks.

      1. I have a RC 8221 and an willing to send it to you.. this post was very helpful. although I am still a little lost. would I send you some $ and a return post? let me know. thanks.

        Pete - sorry for the late reply. I'm glad the post was helpful. The bottom line is, using a hardware flasher to "upgrade" the firmware is a bit tedious and beyond most people's abilities; if you don't understand what was said, you'll want to have someone who does handle it.
        If you're willing to send it to me for the process, all I ask is that you pay postage both ways. My time isn't particularly valuable to me, I won't ask for you to pay for me to do the modification. I just enjoy playing around with these things. You can reach me at DaninFuchs (at) gmail (dot) com - we can discuss things in more detail there, not really comfortable posting my name and address in a public location such as this.

  14. Hello,

    I own a RC8221 and the default login is: admin / admin!

    a few question:
    1) I have not found any options about motion capture, or send an email when move is detect, does this camera have this option?
    2) Is there any android app to view the stream? which?

    thanks!

    1. Flo - I'll be of limited help, since my camera has no web UI whatsoever, but I do know enough to answer some of it.

      1) It appears that some options are removed in some rebrandings. If you don't show those options, it may be that your rebranded firmware has that feature removed. Do you know the origin of this camera? (Lowes Iris, Eyespy247, etc..) That'll help people figure out how to help you.
      2) That depends which streams are enabled. My camera defaulted to a video-only MPEG-4 stream, and two video-only H264 streams - after reconfiguring it, it now has a video-only MJPEG stream, an MPEG-4 video stream with audio, and an H264 video-only stream. You'll need to know which streams are enabled, and find an app on Android that supports it - I know that with the Firefox browser you can just point right at the MJPEG stream and not even need an app, but there are likely other - better - solutions out there. If you aren't sure how to determine what streams are enabled, I'll do what I can to help you figure that out.

        1. I've never seen that camera, so I can't say much about the web interface, and I've got zero experience with the SMTP options on this device. I'll get back with you if I can help.

          I'll leave the URLs I found for my camera's current config - try pointing firefox at the http:// ones, and VLC or MPC or some such program at the rtsp:// ones..if they work, try to find an Android app that lists the protocol for that URL. The first two .sav files can be suffixed with '?channel=2' (or 0 or 1 or whatever else, for how many streams your camera supports at once. Typically 0 thru 2)

          rtsp://192.168.0.196:554/img/media.sav - MPEG4, 15fps, audio (corrupt with different codec)
          rtsp://192.168.0.196:554/img/video.sav - MPEG4, 15fps, no audio
          rtsp://192.168.0.196:554/img/audio.sav - No video, audio only
          http://192.168.0.196/img/video.h264 - 1280x720 (H264)
          http://192.168.0.196/img/snapshot.cgi?size=3&quality=(5...1) - 640x480 (JPEG)
          http://192.168.0.196/img/snapshot.cgi?size=4 - 1280x720 (JPEG)
          http://192.168.0.196/img/video.mjpeg (MJPEG)
          http://192.168.0.196/img/mjpeg.htm (MJPEG)
          http://192.168.0.196/img/mjpeg.cgi (MJPEG)

    1. Sorry buddy, 404 on mine. Even tried adding /adm/ or /util/ in the URL, since that's where most of the admin tools are. If anyone else can execute this, I'd actually be quite interested in a copy as well.

      On a related note, why do you need this dump? I have a manually extracted dump, but my system seems to be somewhat stripped down - if you're interested I can share it with you. Myself, I'm hoping to de-strip my own camera.

      1. Do you have web interface on the camera? , mine has no interface. I can work with your dump, do you have a way to update the firmware without removing the flash chip? My goal is to make the web interface to work. I have the missing .htm but i get checksum error when i try to boot the modified firmware

  15. Maybe we can combine our efforts, here. My camera also has no web interface, but you say you're trying to boot modified firmware..how have you modified the firmware? As of yet, I have no way to update the firmware without pulling the chip, but we may be able to, between us, figure out a way to do that. Is your camera an Iris as well?

        1. Oh, awesome. Thank you so much for that. I apparently didn't get a notification that you had ever replied, or I would gladly have sent an email. This will probably help a lot of people who have these fun little cameras but can't get them to do things the way they need or want. I'll be playing with that tonight.

        2. Well, for what it's worth, I've finally returned home from work and binwalked the firmware. Seems to be a raw image, rather than a web-flashable update. Same default IP of 192.168.0.99, username administrator, password blank. It does seem to have a call to auto register itself with http://www.eyespy247.com, though I'm not sure what it registers or why. I won't have time to flash the image onto my camera for a few days. I'd disable that, but perhaps that's just me. I'm eager, but unfortunately quite busy this week..perhaps this weekend I'll make the time. Thanks again for sharing!

    1. Hi! Thanks for your research on this! I have bin files from two iCamera 1000s (not the same as yours, but VERY similar API and features). Were you able to call /adm/upgrade.cgi with a file you obtained from /adm/flash_dumper.cgi? Everytime I try - I get an error: "Unable to read upgrade file.", even when the bin file is from the same device.

      1. I ran into the same problem with the iCamera2. Has anyone figured out how to process the flash_dumper.cgi export to allow for it to uploaded again? One difference is the iCamera2 dump (fw.bin) is 132mb. All of the web downloaded firmwares that I have seen for the Icamera 1000s have only been 16mb.

        1. Nevermind. I figured it out. The flash_dumper.cgi provides a raw dump of the entire flash memory, which I believe is 128mb in the iCamera2. The upgrade scripts require a compiled file at a fraction of the size (16mb for the iCamera1000 and 32mb for the iCamera2). I have been able to successfully upgrade/downgrade the FWs across vendor platforms. The hard part was finding those files since they are typically provided in the background via vendor configured hub devices.

          1. I have a few Icamera2 and Icamera1000, could you give a little more details on how you were able to get to the vendor configured hub, I would like to get cameras on the same firmware.

            1. Antoine are trying to provision the cameras to a vendor hub or are going to use them standalone via something like Blue Iris? If a hub, which vendor? E.g. Xfinity, ADT, TWC, IRIS, etc?

              1. they are set up as standalone cameras, I have one that is running a lower firmware that seems to drop out and I have to restart it to get it to come back online. I'm just trying to get all of them on the same firmware.

          2. Can you explain exactly how you were able to revert back to original firmware? I have several Icam2 cameras with comcast firmware on them that I would like to revert back to the original firmware. I also have several Icam2 cameras that still have the original firmware.

  16. I have the RC8025-ADT Cameras. I reset them, and I am able to use iSpy with them, but only hardwired. Like many of you I am trying to get into it so I can change the configuration.

    I don't reckon anyone has leveraged these and made it work

    1. I reset it
    2. tried the IP directly (just got a 404)
    3. tried the ip /adm (after much reviewing this site) and I actually did (twice) get prompted for the user name and password. I tried administrator with no password but didn't work.
    4. I was going to try to reset and get it connected super fast in case it was autochanging, but ever since I reset it again.. the website never prompts me for a password (wondering if somehow my PC cached it , so going to reboot
    5. I have a separate router, which I am setting up for my laptop and this camera so it has NO way to get to the internet to change anything, maybe that will work. The router will have DHCP enabled.

    I am super hopeful as I have 6 of these and 4 of the OC810 ADT cameras and am forgoing ADT (cost too much) for our local security + I want to self monitor these cameras with iSpy

    Reset made it work for iSpy.. but wireless is my next goal

    Thanks!!

    1. Woops I realized something and apologize.

      Clearly the reset did work and the username is Administrator and the password is blank.

      However the URL is invalid (I thought I was getting 401, it was a 404), and when I tried just admin.. I got a 401. So my bad

      However, I still do not know the admin UI URL, if someone does please. I will keep trying the ones from this thread 🙂

      Cheers!

    2. I sincerely apologize for the spam

      When I do try to get into my camera with the IP this happens
      http://192.168.0.9/main.cgi?next_file=index_in.htm

      it redirects to this URL and then gives the 404 not found error.

      When I found a manual for this camera (at least a variation of the base camera), it says I should just use the http://IPAddress and I should get the admin screen.

      I wonder if ADT did something to them and is there some way to undo it so I can get into the Admin UI... Unless someone else knows the admin ui 🙂

      Thanks!
      Last Spam!

      1. I am able to access some of the URL's that give direct feeds etc, due to the fact that... I guess ADT decided to use a similar firmware as they put in the OC810.

        The problem is still I cannot change the Wireless Settings 🙁 so the darn thing is only good wired.

        it is nice that I can do live streaming etc without needing even ISpy, however it would be lovely if I could configure the Wireless.

        Any thoughts?

        Cheers

          1. I have RC8025B-ADT

            To reset this device I had to take it apart and jump the pins where the reset button should be because it was apparently removed in this version of the hardware. Once I did that, I was able to access the web interface and get a video stream.

            However, when I try to set the wlan_essid using the CGI API it says Error: Unable to set wireless LAN configuration.

            Setting other values seems to work as expected. Any ideas?

  17. Has anyone had any luck connecting RC8221,OC821D OR RC8230 TO A REVO DVR? I am going to try making my own RJ12 toRj45 cable

  18. For what it's worth, I acquired the EyeSpy RC8221 firmware upgrade file from a very helpful reader at this very blog, and looked into upgrading the Lowes Iris RC8221 using it. I couldn't make the normal web interface OR the recovery web interface accept the file in its normal state, I'm assuming it expects a header or checksum of some form to validate the file...HOWEVER - I was able to pull the flash IC again, and dump the EyeSpy RC8221 firmware onto it with an external programmer, and get it to boot properly. Didn't complain about internal checksums, either. Standard EyeSpy 247 WebUI works, default user/pass works, configuration and wireless setup work. All menus functional, haven't actively tested the triggering and recording, but stream configuration works 100%, and remote registration seems to also function. I fully believe this camera is now, effectively, fully operational. With a little more tinkering, I might even be able to get it to run scripts and software from its own MicroSD card slot, but that's distant-future territory...

    Contact me for details. I really need to set up a blog of my own, apparently..maybe I'll look into that. In the mean time, I've confirmed that the Iris models will run less locked-down firmware. If anyone is willing to let me BORROW (or keep) -any- other IP camera that's locked down -AND- has a non-locked-down version with accessible firmware, I'm willing to burn a few dozen hours messing around with those to unlock them as well, and send it/them back. I suspect the process for things like the OC821 will be very similar. Contact me and we'll negotiate something.

    1. Hi Danin, I also have an Lowe's Iris camera that I'd like to flash it with the EyeSpy firmware. Can you please provide the steps that I need to take to accomplish this? For example, what software did you use to dump the firmware onto the camera? and also what do you mean by pulling the flash IC? Thanks for your help

      1. Hey Paulo. The process is actually really simple, if you have the means to desolder the flash IC. I'll give the basic no-nonsense outline here, and if you have any questions, let me know.

        First step is unfortunately to desolder the flash IC, and connect it to your favorite SPI programmer.
        - If you don't have a favorite SPI programmer, or don't own any of them, what you want to pick up is a Bus Pirate v3.6 - sources include Amazon, SeeedStudio, Sparkfun, etc, for around $30. Keep in mind, the Bus Pirate is not the fastest way to do it, but whatever you buy, it needs to be supported by Flashrom. Also, I'd strongly recommend specifically the Bus Pirate v3.6 - older ones are limited in hardware and the new 'better' v4 isn't as well-supported, changes the pin ordering and quantity on the header, and most guides assume you have the more widespread v3.6 (or earlier) design.

        Second step is to connect the chip to the SPI programmer.
        - Myself, I pulled the chip off and soldered wires to the proper pins (use the datasheet from the chip to match wiring to your SPI flasher) in single-bit mode, which is all the Bus Pirate supports as of when I performed this hack. This means Clock, Data 0, Chip Select, ignore the other Data pins. You'll also need to tie a few of the lines (Write Enable and ...something else, I can't remember right now) to VCC or GND depending on which ones they are, to enable write mode and so forth. If you know about flash memory it's easy to figure out which pins. If not, well, frankly I've forgotten which IC it was, and exactly what pins go where, and my camera is not in a place that's easy to unmount and disassemble. If you can't figure it out, tell me what the chip's part number is, I'll pull the datasheet and provide a complete hookup guide. Sorry, but I go through so many random projects that I lose track of details like that, but I guarantee I can get you the right info if you get me the chip's part number.

        Third step is to dump the chip's contents using Flashrom into a backup file, so you don't completely lose the camera if something goes terribly wrong. Again, the info for using Flashrom is out there, specifically there are also some BusPirate guides to using Flashrom, but not with this chip. The changes are trivial.

        Fourth step is to write the chip's contents with the EyeSpy firmware, again using Flashrom.

        Fifth step is to reinstall the chip and enjoy, because you're now done. The camera's default settings/login/etc are available in the EyeSpy247 RC8221 manual, I found it with a simple Google search. Holy crap is this thing ever a lot more capable than I'd expected.

        Sorry for the lack of clear detail, it's been ages and I cycle through random projects in a matter of days. I never keep the details written down because usually nobody really cares how I did it, hah. Maybe I should start a little blogroll of my own.. As I said, if you need more info, definitely let me know. I'm more than willing to help. Just get me the chip's part number.

    1. You'll need to reset the camera first. However, I do not have one of those to test.

    2. Press the reset for 10 seconds or more and that will reset the UserId, pw, and all customization of the IP camera.

  19. Hi all:

    Great blog! I scavenged a camera from an estate sale and finally took the time to try and make operational. Thanks to this blog I was able to piece together most of the setup info.

    The Camera is marked as a ISEE-VCWLG. I found that it is a SERCOMM camera through the FCC ID P27YL500. I was finally able to gain access to the Admin software via the IP Addy appended with /adm/file.cgi.

    I'm at the point where I have everything working via the NIC cable connection but cannot figure out how to get the wireless to work.

    In the Network section of the Admin panel I see the correct address of the Primary DNS server (Asus RT-N56U).

    In the Wireless section i have the following:

    WSC PIN Code:-----(Pin code for the Camera is here)
    Network Type:-------Infrastructure (other option is Ad Hoc)
    SSID:------------------ID for my Home Network
    Domain:--------------USA
    Channel No:---------Auto

    Security System:----WPA/WPA2 Personal (as per my Asus setup)
    Shared Key:----------("Password" to log into the Asus based network is here)

    With this info saved I disconnect the power from the camera, unplug the NIC cable and reconnect power. This is per the manual from the FCC site. Power must be disconnected in order to disconnect from hard wire connection. FWIU, reconnecting puts it into wireless mode. However, all I get is the blinking power LED and nothing on the Network LED.

    I'm stumped at this point as I can't get the wireless connection to initiate.

    Can anyone shed some light on my situation?

    Many thanks in advance.

    1. As a quick follow-up. I looked at the log and it indeed shows that it tried to connect to the (or a) server and was unsuccefull.
      Hopefully someone can assist.

      BUT, I also see that the camera went out to an alarm company and appears to have renewed a lease. I find nothing in the admin panel that references any of this. Is it hard coded into the firmware or is there any way to access and change or block?
      (Perhaps the log saves info regardless of a factory reset or this occurred before I did a factory reset..??? not sure)

      Thanks again to Terrence and others!

      From log:

      09/22/2015 07:01:01 DDNS: Failed to connect to DDNS server.
      09/22/2015 06:01:01 DDNS: Failed to connect to DDNS server.
      09/22/2015 05:01:01 DDNS: Failed to connect to DDNS server.
      09/22/2015 04:01:01 DDNS: Failed to connect to DDNS server.
      09/22/2015 03:03:01 NTP: Synchronization OK.
      09/22/2015 03:02:54 DDNS: Failed to connect to DDNS server.
      09/22/2015 03:02:54 HeartBeat: Connect to CMS server (cms1.AlarmCompanyName.com:8060) successfully.
      09/22/2015 03:02:51 DHCP: Lease renewal successfully.
      09/22/2015 03:02:43 Network: Lan activated.

      1. Update:

        I couldn't get the camera (Sercomm RC8221) to connect wirelessly to my Asus router. So, I decided to piggy back the Alarm company router (Sercomm IP1006RR N-router) to the Asus and see what would happen. Sure enough the Sercomm router and camera connected within seconds. I went to the Camera live image page and was able to view wirelessly. I'm guessing the camera's connection settings are hard coded into the firmware as the network info I recorded in the camera's Network / Wireless page seemed to do nothing.

        Attempting another angle, I found the user manual (via FCC id) and attempted to access router management through it's IP addy and the factory default ID / password. No luck. When connected to my PC there's no IP address to found for the router....at all. This leads me to believe it's set up as an access point.

        When I connect the Sercomm router to the Asus router, the Asus dynamically assigns an IP address to the Sercomm but I still can't gain access. I just get page can't be loaded...as if it's a bad address.

        I'm tempted to bring the Sercomm router back to factory settings but fear I may lose all settings needed to connect to the camera. Then I'm have nothing to work with.

        BTW, I use an App which seems to work very nicely called TinyCam. The free version is pretty much enabled. For $3.99 you get the Pro version and no ads.

        Feedback is welcome.

  20. Thanks for this huge work as I can now kick the setup of my web provider ! In my firmware version I have no access to the email panel in the administration menu.... By launching an url command, I can see that the email settings are available ! So I just need the html address of the email setup page : can anybody give me this address ? http://xxxx/adm/email.htm ? Or something like that...
    Thanks,
    Pascal, fromage Bordeaux, France

  21. Thanks for this huge work ! On my RC 8110 cam, the email panel is not available from the administration menu, due to my web provider firmware version I suppose. By triggering an url request, I found that the email parameters exist. So can anybody give me the url address of the meal setup page ? (something like http://Xxxx/adm/email.htm..)

    Thanks

    Pascal from Bordeaux, France

    1. To start off with I have to cams ( iCamera-1000-ADT Camera and OC810-ADT Outdoor/Night Camera)

      This blog has helped a lot in helping me figure out a lot. I found that I can connect to my wireless via WPS set up for my cams without the need for getting into the setting.

      Your question: I use the CGI to configure the settings for this to parameters are GET ( view) and SET ( Change), so for instance

      /adm/get_group.cgi?group=EMAIL ( will display all the settings for email)
      /set_group.cgi?group=EMAIL&smtp_enable=1 (will change the settings for the parameter smpt_enable to 1)

      With the iCamera-1000-ADT Camera, I am having zero luck getting past the admin password , any help will be appreciated.

      Thanks!

  22. Terence- To answer "03. How do I arm the cameras via the API?" Try /adm/set_group.cgi?group=EVENT&event_trigger=1 to enable the event trigger and 0 to disable. I'm thinking about writing a script to periodically ping my phone and if no response enable the trigger.

    Xundre- to login to the iCamera-1000 the username is administrator with no password.

    1. I don't think the Sercomm RC8221 firmware is available, best I've come up with (due to the help of other people on here) is the EyeSpy 247 breed of firmware, which is linked above. If that works for you, but the link above doesn't work any longer, I can give another.

      1. Danin, I am a huge fan of your hardware solution. That was an ingenious approach! And your extraction of the alertme credentials has been invaluable. Do you still have that eyespy247 image? There is an old sercomm fw tool that worked with the 8021. I am curious if it will work with the eyespy image on an 8221. Also if you are still interested, I can provide some firmware images (both flash dumped and web upgrades, including the latest Iris 1.0.0.6 upgrade for 8221).

        1. Jim - sorry for the delayed reply here, I kind of lost track of the thread for a while. I'm curious what this tool is, but having more information and more sources to work with could never be a bad thing. Get in touch with me if you wish to collaborate further.

  23. I scavenged a IP camera RC8021. I think it was Xanboo. Many of above works and I want to contribute some findings of my own. This is basicly listing, so it will be long 🙁
    Hope that this is some use. I have not tried to set any of these values yet. These are basic stuff, so probably others have also discovered them.

    URL:http:///adm/get_group.cgi?group=WIRELESS
    [WIRELESS]
    wlan_type=0
    wlan_essid=XanHoc
    wlan_channel=11
    wlan_domain=12
    wlan_security=0
    wep_authtype=1
    wep_mode=1
    wep_index=1
    wep_ascii=
    wep_kep1=
    wep_kep2=
    wep_kep3=
    wep_kep4=
    wpa_ascii=
    wmm=0

    http:///adm/get_group.cgi?group=HTTP

    http:///adm/get_group.cgi?group=VIDEO

    http:///adm/get_group.cgi?group=SYSTEM

    http:///adm/get_group.cgi?group=USER

    http:///adm/get_group.cgi?group=FTP

    http:///adm/get_group.cgi?group=LOG

    http:///adm/get_group.cgi?group=NETWORK

    http:///adm/get_group.cgi?group=MOTION

    http:///adm/get_group.cgi?group=AUDIO

    http:///adm/get_group.cgi?group=IO

    Mine is so called "wiped out". So there is no web pages to set up the camera. All there is are the links for video and snapshot. And of course http cgi.

    1. Were you able to setup your camera with these commands? I am trying to setup my camera with this shitty way because the dang UI is gone. But i am not 100% how to do it

      /adm/get_group.cgi?group=WIRELESS how do i set my SSID and WPA (WPA-PSK/WPA2-PSK) settings?

      I did /adm/site_survey.cgi and see the wifi network i need but how do i make it possible?

  24. Hi I'm hoping someone could help me. I really don't know much past the basic stuff with computers. I've googled but this blog is the only this that's been somewhat close to what I'm looking for.
    For the last 2 months on my network I've been seeing a camera (RC8026). It comes and seems to leave about a minute after I notice it.
    Does anyone know what this is? I'm starting to wonder if my boyfriend has a WiFi cam on me and watching from his home or phone. Please help.
    Thank u

    1. Hi Shalin,
      That sounds like an odd situation. If you have an open WiFi network, it could be a random camera connecting. I suggest that you change your WiFi's password and don't tell anyone what the new one is.
      If you have a mobile phone, download a camera scanning app - it should let you view the camera's feed so you can see where it is. I use https://play.google.com/store/apps/details?id=com.alexvas.dvr
      Good luck!

  25. Terence and others: If you are interested in examining the firmware in greater detailed, please take a look at the squashfs dump from my Sercomm/Sensormatic/ADT iCamera1000. This was binwalk'd from the complete flash dump as generated by executing /adm/flash_dumper.cgi. The www files are located in /usr/local/www. Of particular interest are file.cgi and ez.cgi - ARM ELFs that provide much of the functionality accessible through the web API. Most CGIs simply link to those two files.

    File: http://www.filedropper.com/icamera1000squashfs_1

    I'm currently looking for some insights into how Sercomm builds their firmware update packages.

    1. A few things:

      Aside from the obvious flash_dumper.cgi functionality, you can also use next_file to request any binary such as the cgi files themselves. Who knows why this functionality was shipped with production cameras...

      You can make some todo requests to file.cgi. The interesting one is /adm/file.cgi?todo=inject_telnetd. Unfortunately, I don't know the root password yet. It looks like it might be setup on boot from rc.sethost as a concatenation of three strings, but it's hard to tell without a proper disassembly.

      If anyone knows the Linux root password for these devices, please let me know.

      1. Sam, I would love to see your squashfs dump. Unfortunately your link seems to have expired. Any chance you could upload that again? Also I might be able to provide some assistance on the Sercomm firmware update packages. First take a look at the firmware mod kit:

        https://github.com/mirror/firmware-mod-kit
        https://code.google.com/archive/p/firmware-mod-kit/

        And these two decompiled Sercomm tutorials, both using the FMK:
        https://dl.packetstormsecurity.net/papers/general/reverse_engineering_ip_camera_firmware.pdf
        http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/

        I also have a few flash_dumper images for the iCamera1000 and iCamera2, as well as update packages from Comcast and Cox. I am currently working on tracking down packages for the RC8021 and RC8026. Let me know if you are interested.

        1. I.am interested in the firmware packages that you have for the Cox iCamera2 cameras. Would i be able to get these from you?
          Thanks, Edd

          1. Edd, sorry for the delay. I was trying to reach you on that youtube channel but ran into too many moderation delays. Even tried activating private messaging, but youtube has a bizarre system that requires a new 'brand' account to send PMs. I found out the hard way it deletes all old messages when you merge a brand and personal account. Very strange...

            Send me an email at paradoxicalloop (at) gmail (dot) com

        2. I have a couple hundred Schlage WCE100 that are great cheap cams. Xan/8021 Sercom. I have the firmware update utility and the NorthQ firmware to make them generic. However using them with the Nexia/Schlage system things have now changed. The Nexia people have updated their system to not update their own cameras with the original firmware. Instead they require you to send it to them for $39.99 and they will do it for you. I have many cameras that need to have the firmware updated off the factory default so they will update to the most recent firmware automatically. Nexia has a ton of theese cameras on their sys and supports them as long as they at some time had the firmware updated off the default Ver 1.0.03R01. The current Ver is 1.0.20. The reason I bought this qty of cameras is that I knew they would always be supported as long as the supported the other 300,000. Because of the proprietary firmware. I have experimented with may cams and find that as long as the firmware was updated off the default some time in the past the system will update to the most recent no problem. If I could extract the new version from any of the working ones I could update the firmware myself (i believe) . I have hooked up to the a usb and watched the linux boot on a old and new version but have no understanding. They just did this and caught me off balance here. Did you make any progress on dumping the flash from the 8021? Best Regards, Tim

  26. Alright, I've had an influx of requests because Lowes pushed a firmware update that seems to be inhibiting people's use of their hardware. You're not renting this junk from Lowes, you own it, even if they neutered it first. I wanted to keep this private, because to my knowledge this is not "in the wild" but Lowes is pushing my hand.

    Login details;
    Isername: alertme
    Password: nFQTEm*s67uxuF**a2vAth7RoJ
    (I'll repost in a different manner if the blog eats it somehow.)

    I've got reports that this works for Lowes Iris branded RC8221 and OC821 cameras. They're yours. Use them like you want. I realize someone is probably going to use this for dark purposes, but it wouldn't be necessary if Lowes hadn't locked you all out of your own hardware. They lit the fire, they can deal with the aftermath. You're welcome, Internets.

    1. No joy on any of my 14 bricks. Is there something I should change the ** in the password to?

        1. Yes, they are Lowe's (spit) models. Both the indoor and outdoor. I have the indoor handy it is model RC8221.

          1. Maybe I can help a bit. I use the same cameras and went on this mission to find answers after the Iris generation 2 hub made my cameras unusable with my iSpy server.

            Once I used Lowes' "migration utility" to move my cameras from the Generation 1 hub to the Generation 2 hub, my iSpy server could not connect to the cameras at all. Any connection attempt using RTSP or HTTP (using VLC Media player, which works great for testing video streams) resulted in a username and password prompt.

            Long before I stumbled across this forum, and eventually got credentials from Danin Fuchs, I tried hard resetting the camera in an attempt to make it work the way it used to. I was eventually able to get the cameras to where I could connect to the RTSP and HTTP feeds using VLC and iSpy, but the rest of the cameras configuration was gone. The Iris hub would no longer pair the cameras and because of this, I was no longer able to configure the wireless. The cameras did however work fine as long as they are hard wired.

            To reset the camera's (I did this on both the indoor and the outdoor cameras), first, for safety purposes, unplug the Iris hub from your network (assuming that it's still plugged in), make sure there is a wired network cable plugged in to the camera and use a pin or paperclip to push the reset button on the back of the camera and hold it for 30 seconds. Once you let go, the camera will reset, wait about 1 minute for it to finish its startup cycle (you should be able to the hear the IR cut filter click and see the IR lights come on if you are in a dim-ish room). After it's done starting up, pull the power cord and wait for a few seconds then plug it back in. Wait for the startup cycle to finish again. By default, the camera should get an IP address via DHCP handed out by your router or whatever is handing out IPs on your network. Now the video streams should be accessible using VLC or iSpy without asking for the username and password and the credentials supplied by Danin Fuchs should work for sending API calls to the camera's. NOTE: I did have to go through the reset process a couple of times on one of the cameras before I got it to work.

            I even called Iris support a couple of times to see if I could get anything useful out of them. Of course, they were next to useless. The only thing I was able to get out to of them is that since the cameras were not able to pair to the generation 2 hub (which seems to be a common problem, "once they are paired with a Gen 2 hub and you remove the pairing, they will not re-pair with the hub"), Iris support emailed me a letter to take to a Lowes store where they would replace my Iris cameras with new ones (great idea since my cameras are over two years old).

            After I got that information I got the credentials that Danin Fuchs supplied above and figured out that after a few hard resets of the cameras, as long as the Gen 2 Iris hub has not tried to pair to the cameras, then the cameras firmware is in a state where the above credentials will work allowing you to adjust the camera's configuration using the API commands listed here: https://github.com/edent/Sercomm-API

            But, as most people messing with this have realized, these cameras have been crippled quite a bit, and without going through the process that Danin Fuchs used, it's going to be a little hard to do much of anything aside from just basic "turning settings on and off".

            I haven't had a lot of time to test, but I am working on setting up the wireless using the API commands, I can't seem to pass the commands to the camera in a way that they will accept the input to connect them to my wireless, I assume that all of the commands need to be sent in a string of some sort for it to accept them but without the web interface on the camera, or a working web interface to play with, I'm not sure I will be able to figure it out any time soon. But I'm going to keep trying.

            Hopefully this information will be useful to someone else.

            1. Can you go into the detail of using RTSP and HTTP feeds using VLC? I have a "virgin" 8221 cam and I would like to use VLC with it. my cam has fixed address on my network and I use port forwarding to find it.. When I use HTTP, as "aaa.bbb.ccc.ddd:pppp" where aaa.bbb.ccc.ddd is the IP and pppp is the port, I get the the menu view or configure the cam.

              How can I configure that to use RTSP?

              Thanks!

              Eric

              1. Once you open VLC Media player, Click Media in the menu at the top, then click "Open Network Stream..." VLC will open a box that asks for the network stream URL.

                For both the RC8221 (indoor) and the OC821D (Outdoor), I use rtsp://IPADDRESS:554/img/media.sav?channel=2

                There is quite a bit of information in the threads above about the different streams that are available, as well as the commands to modify the settings of the streams.

            2. Thanks, key thing I was missing there. I was thinking the password would work while the camera was paired with the IRIS hub. That is the holy grail to get all access back.

              Have you tried to use WPS to get the wireless settings automatically?

              1. No, actually, after typing that reply, I played around with the camera a little more, turns out I was just issuing the command using the wrong group name. after I realized that, I was able to get the wireless set up without issue. Now it works great.

                I'm considering writing a small .HTM file that has all the documented API calls that you can set and apply using radio buttons and dropdown boxes with submit buttons for all the settings. Not sure when I'll really have time to do it, but it's fairly high on my to do list.

                1. I have icamera2 (which im guessing are somewhat the say because most of these commands work) and i bought a few more and realize the new FW update is also blocking me out of the UI setup. I was wondering if anyone has figured out a way to "downgrade" or flash the fw back down to older FW. This would seem to be the easiest way to re-enable the UI...

                  New
                  Firmware Version: V3.0.02.35
                  Current
                  Firmware Version: V3.0.01.29

                  1. I seem to be having the same issue. I have 3 icamera2's .. they where all working fine for over a year, but now when i try to login to them they are no longer taking my login/password or the default one.
                    Could they have updated on their own to the new firmware? This is not good

                    1. I had to connect them to the router via WPS, which sucked because when something rebooted the IP's changed. So i had to go into the router and set the static IP via Mac address. I own 9 of these icamera2's and 4 of them i got a few years back from comcast itself. But the most current ones i got from eBay and they already had the updated FW which sucks because i still cannot get into the camera's to change any setttings. I literally did a factory reset on them and connected to router via WPS and thats it.....its kind of upsetting....

                    2. Thanks.. But are you still able to get into the admin console of your older icamera 2's? Or is it just the new ones you bought.
                      My icamera 2's are a couple of years old. I set them up with static ips a while back so I never knew that anything changed on them.. My blue iris software never had an issue connecting. I just got a wifi extender and wanted to point one of the cameras to it and that's when I found out that the admin console was no longer accepting my login.
                      But how in the world did they get updated on their own like this? I can get to the main page where you view video but when I click on the admin page link I get login prompt and I can't login anymore with my old credentials.
                      We're your older icamera2's also locked out of admin page? Or just your newer ones?

                  2. Did you ever figure out how to get into the iCAMER2 ui AGAIN? i AM HAVING THE SAME PROBLEM.. I had 3 icamera2's working fine for over a year with Blue Iris software.. now all of a sudden i cannot log into them anymore. they still work wireless, but I wanted to change the access point on them but cannot anymore. How did they auto update like this? Seems my settings are still in place but the it no longer takes my login details for setting configuration.. man i am really pissed off.

                    1. I had to connect them to the router via WPS, which sucked because when something rebooted the IP's changed. So i had to go into the router and set the static IP via Mac address. I own 9 of these icamera2's and 4 of them i got a few years back from comcast itself. But the most current ones i got from eBay and they already had the updated FW which sucks because i still cannot get into the camera's to change any setttings. I literally did a factory reset on them and connected to router via WPS and thats it.....its kind of upsetting....

    2. hi!
      have you any version firmware for rc8221 with adm access?
      if you have it, plz send it vic_1980 at bk.ru

  27. I must have three unhappy iCamera 1000s (formerly on my Comcast system, which I recently ditched), because I've reset all three of them, and they will not happily talk to my wired network at all. If I attach them directly to my desktop or laptop (via Ethernet), I can see the MAC addresses of each one. When I Ethernet any of the cameras to my route (D-link AC3200), the router never sees it, i.e., it never shows up in the list of connected devices, which is where I need to start to get the IP Address. any suggestions would be greatly appreciated.

    1. Not every camera supports the higher resolutions. It will depend on the sensor and the firmware. Sorry.

      1. I have the rc8221d camera and I believe I'm on the 1.0 firmware. Is there somewhere I can download different firmware to enable it?

  28. I did not read through all the comments, but after fiddling for a few hours, it dawned on me: WPS! Wifi Protected Setup. Worked on RC8025B-ADT. Using iSpy to view. Thanks for helping with all the other things, Terence!

    1. The OC810-ADT's can use WPS, too. Instead of resetting to default, or in addition to it, anyway, click that button inside the hole next to the power input for only a second or two, to make it connect via WPS. Works beautifully.

      1. hello,

        once you connect it using wps, how are you accessing the feed? by ip? is there a username and password?

  29. I bought an old ATT version (xanboo) of the RC8221 off ebay. I enabled the mic, speakers and MJPEG using the API instruction I found here and in the manuals. Using IP CAM VIEWER PRO for iPhone and am able to send audio to the camera. It is somewhat garbled but it is intelligible and there is no cutout at one second.

  30. OC810 - log in info for camera administration is:

    Username: administrator
    PW field: leave blank

    I connected the oc810 via wps. Then tried the above and it worked. So no need to reset 🙂

  31. If anyone is interested, I have a factory firmware dump for an iCamera2 with a functional GUI. I used flash_dumper.cgi which yielded a 132mb file called fw.bin (fw_ver=V3.0.01.29). Unfortunately it appears to be a raw image and I have yet to figure out how to flash it onto another camera. Even attempting to upload it to the same camera results in "Error: Unable to read upgrade file."

    1. Hello Jim. I was wondering if you can help me out with the firmware upload i am trying to do to the iCamera2- C. I have gotten to the point that you have described above. I was able to save the 132mb file onto my computer and then when using the camera's web GUI i get the same error that you were receiving."Error: Unable to read upgrade file." Is there something that needs to be done to the 132mb file in order to use the web GUI to upload the firmware to the camera?
      Also, Do you know if its possible to convert a iCamera2-C into a iCamera2 by replacing the current firmware? I believe the cameras will work with my Cox security system if i can get the firmware to be V3.0.01.34 instead of V3.0.02.38 which it currently is. Thanks for any help you can provide. Edd

  32. All, here is the command to activate the administration menu on vendor modified firmwares such as Comcast Xfinity, Cox Homelife and ADT Pulse.

    /adm/enable_ui.cgi
    Response: OK

    Tested on iCamera2 using multiple vendor firmware versions. Although I suspect it will work with most Sercomm models.

    Credit to Prayas Kulshrestha who used the firmware mod kit on an old RC8061 image. I noticed a screenshot on page 6 of his guide that included this file in adm directory, along with some other untested commands:

    https://dl.packetstormsecurity.net/papers/general/reverse_engineering_ip_camera_firmware.pdf

    @Terence, I would especially like to thank you for all of your efforts with this blog and github API list! I added this as an 'issue' to your repo. It was my first git contribution, so I apologize if the format is off. The commit process was a bit daunting for a first time user.

    1. NIce find Jim B. I was excited to see this. Unfortunately not working with the LOWES/Sercomm cameras.

      1. Very interesting. What model number(s) and firmware versions did you test it on? And are you still provisioning them with the IRIS hub? For the FW version you should be able to use /adm/sysinfo.cgi or util/query.cgi?extension=yes. For clarification, you have admin access to these cameras and can execute api calls from /adm/ ?

        1. The command works and I get the OK back. There is just no web page there. Cameras are the RC8222. The are not on IRIS and I have admin password. I don't remember the firmware.

          1. So the command was accepted? That's actually more interesting than if it didn't respond at all. There are a few additional steps that IRIS could have used to obfuscate the menu with basic settings, such as limiting access to httpS, changing to a non-standard port, or multiple users with limited access. First off, you mention RC8222 but I couldn't find any reference to that model number. Did you mean to say RC8221?

            If you feel like pursuing this further, please run the following commands and post the results:

            /util/query.cgi?extension=yes

            /adm/sysinfo.cgi

            /adm/get_group.cgi?group=HTTP

            /adm/get_group.cgi?group=USER

            1. Here are the responses:

              hostname=RC8221927BBF
              description=
              defname=SC927BBF
              h264_resolution=1280
              h264_resolution2=1280
              mic_in=on
              speaker_out=off
              ptctrl=off
              wlled=off
              irled=on
              serial=off
              resolutions=1280x720,640*480,320*240,160*120
              mac=00:0e:8f:92:7b:bf
              privacy_button=on
              pir_sensor=on
              wps_pin_code=95999357
              ioctrl=on
              company_name=Lowe's
              model_number=RC8221
              wireless=on
              sw_pppoe=yes
              fw_ver=V1.0.06R00
              ip_addr=192.168.1.30
              netmask=255.255.255.0
              gateway=192.168.1.1
              timezone=4
              current_time=11/03/2016 18:37:57
              http_port=80
              rtsp_port=554
              https_port=443

              Firmware Version: V1.0.06
              Serial Number:
              Uptime: 662243

              http_mode=1
              http_port2=0
              http_port2_num=1024
              https_mode=1
              ssport_enable=0
              ssport_number=1025

              [USER]
              login_check=0
              admin_timeout=5
              admin_name=c37977
              admin_password=
              user1=
              user2=
              user3=
              user4=
              user5=
              user6=
              user7=
              user8=
              user9=
              user10=
              user11=
              user12=
              user13=
              user14=
              user15=
              user16=
              user17=
              user18=
              user19=
              user20=
              audio_in_ctrl=0
              audio_out_ctrl=0
              pt_ctrl=0
              io_ctrl=0
              adm_ctrl=0

            2. Hi
              I'm have only one answer (for the /util/query.cgi?extension=yes):

              hostname=RC8221769549
              description=
              defname=SC769549
              resolution=640
              h264_resolution=640
              mic_in=on
              speaker_out=off
              ptctrl=off
              wlled=off
              irled=on
              serial=off
              resolutions=1280*960,640*360,320*180,160*90
              mac=00:0e:8f:76:95:49
              privacy_button=on
              pir_sensor=on
              wps_pin_code=77714657
              ioctrl=on
              company_name=Elisa
              model_number=RC8221
              wireless=on
              fw_ver=V1.0.05R00
              ip_addr=192.182.174.248
              netmask=255.255.0.0
              gateway=192.182.0.1
              timezone=26
              current_time=02/22/2016 06:55:30
              http_port=80
              rtsp_port=554

              Another three (/adm/sysinfo.cgi; /adm/get_group.cgi?group=HTTP; /adm/get_group.cgi?group=USER) need authorization.

    2. Crazy, I have been ," Hacking Around With Network Cameras" since i came across a couple of Sercomm cameras , and I became quite proficient with the GUI, but then this! A simple line of code enables the Admin. This is sweet!

    3. HELL YES!, I have tried this on 3 of my camera's that didnt have the UI and it worked great. They are iCamera2-C i noticed when i logged into adm screen.

      iCamera2-C
      F/W version: V3.0.02.35

    4. This is great.. thanks Jim! and Terrance!
      One thing I did notice is that its not permanent. I have to enable every time if powered off and on. not a big deal though.

      1. Good catch Johnny! I hadn't thought of rebooting the cameras. I just tested it on an iCamera1000 and iCamera2 and sure enough, it resets each power cycle.

        1. I actually send curl reboot commands to my cameras once a day as a precautionary maintenance measue, so I just added the enable admin command to the job so I don't ever have to worry about enabling admin again. Works great. But more I think about it I think I may like the fact that admin is disabled now by default. It does provide another layer of security. Thanks again !

  33. Has anybody messed around with this file I noticed http_trigger.cgi?

    My assumption is that it is what I'd need to post to from an external source(like when a front door opens and I want to trigger video capture, but not based on motion). The only issue is, I don't have the tools to reverse engineer this cgi script and I no longer have the security system to packet sniff for calls to it(like I think was happening) in order to figure out what parameters it needs to test my hypothesis.

    Thanks

    1. Answered my own question;
      http_trigger.cgi is fairly simple, it just needs an Authorization header
      Authorization: Basic

      Then call it via GET
      If it takes other parameters though, I don't know, but whenever I pass parameters to it, it says they are invalid and returns a 503 status.

  34. Wondering if anyone could help me out with my firmware issue. I have more than a few icam2's with comcast firmware on them that I would like to flash back to original oem firmware. I do have a few icam2's that still have the oem software on them to extract. Just need to know exactly how to do it.

    1. Have you been able to get your firmware issue resolved with the iCamera2's? I had the same issue last month with 5 of these cameras and was able to change the firmware version to V3.0.01.34 instead of V3.0.02.38 which they was when they were Comcast Cameras.
      I did this by using the web GUI and installing the firmware version that I needed. The hard part was finding the right firmware version file. One of the guys on here was nice enough to share it with me.

      1. My cameras (iCamera2) that have are new in the box have V3.0.01.29 on them. The ones that were removed from xfinity home systems have V3.0.02.39. I cannot find firmware anywhere to download. Do you still have the firmware file and would you be willing to share it with me?

        1. Krytos,

          I have a few different files you can try. One of the members of this forum was kind enough to share them with me. Send me an email. edinaz1 (at) cox (dot) net

          1. Firmware worked great. I tried all 3 files and V3.0.01.24 was the one that worked the best. I am not able to see any difference between V3.0.01.24 and V3.0.01.29. Thanks again.

  35. You can actually just tell the camera to install whatever firmware you want. Just use the API command below and substitute the firmware version you want to install.

    /adm/auto_upgrade.cgi?new_fw_url=http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-106-300129.bin

  36. Hi all,

    I'm looking for to upgrade my rc8061 and rc8221 with firmware eyespy247 to use UI interface. But i didn't find bin's file to donwload anywhere...

    Is it possible to have a link ? Or if somebody can send me it to: [email protected]

    Thank you for your help.

  37. I currently have system setup using iCamera2, iSpy Software and a PC server system. My network has a wireless GIG Router and a 48 Port Gig switch. Some of the cameras are setup wireless and some are wired with CAT6 cable to my switch. I would like to replace the PC server with a DVR recorder of some sort. Does anyone know of a DVR recorder that could be compatible or used with these cameras? or a setup I can mimic. Thanks in advance.

  38. Hi,another sercomm product NV412A an encoder for analog to IP cameras on ADT pulse system,has anyone had only luck getting into them.Would be very useful with my cameras at home any info gratefully received,I have reset them but can only get one page of info called [email protected]

  39. Hi guys,
    I have found that the new XCAM cameras seem to have faulty Wireless modules. Camera would work wired but not wireless and when clicking on the "Site Survey" section in the wireless settings the spinning graphic just keeps spinning and never comes back.
    I just bought a new xcam off ebay an this one is doing the same thing even... unless comcast figured out some way to disable the wireless modules if not going through their gateway somehow.. i doubt it but you never know i guess.
    Has anyone else been seeing this issue?

    thanks

    1. The xcam is almost identical to the icamera2, with the exception of the wifi module being placed in the power supply adapter. The intent is to get better wifi reception by moving it inside the home and closer to the router. That also means you have to use the original power supply vs an aftermarket POE adapter if you want to retain wifi service.

      The next thing that comes to mind is all of the icameras models disable wifi as soon as you plug in a hardwired ethernet source. That is why the icameras provide 2 POE dongle adapters. One is used for the initial hardwired provisioning of the camera and the 2nd dongle is used to provide power to the camera but no ethernet connection, thus allowing the wifi module to activate.

      Did you setup the wifi login info on the xcam first and then disconnect the provisioning dongle and plug the Cat5 directly between the xcam and its power supply?

  40. i havent been able to figure this one out.. i have a few Icameras, and icamera2's and XCAMs that are failing to switch to night mode anymore.
    I see you can use cgi to manually switch the Manual day/night setting but it doesn't actually turn off/on the IR filter, it just enables the ability to manually switch between day/night in the "View Video" admin page.

    Has anyone figured out how to send a cgi command to switch the sercom cameras into night mode?

    1. Any update to this? Im kindve running into the same situation - my icamera2's are working fine but i received an XCAM that i can toggle the IR in the UI but it doesnt do anything and i dont know the command.

      I found this FCC manual regarding a different camera but the same basic sercomm icontrol UI. it has the admin commands but im unable to find the correct command to trigger the IR: https://fccid.io/pdf.php?id=1418906

      As a side not when i query the IR cut i get a filter=0 but on my icam2's i get filter=1 (http://...(IP)/io/query_filter.cgi)

  41. I inherited (when I purchased a home) 4 Honeywell ipcam-wo cameras that appears identical to the OC821D. However, the user name password combination to get into the camera is not working, does anyone have a clue what the user name password combo might be for an ipcam-wo. Seems like Honeywell likes to force people who have their cameras to enroll in their service. I called Honeywell direct on this and they said that I needed to have the service to have full access of my cameras (which I own). I'm able to use Ispy connect software to see all 4 cameras, but am having a hard time opening ports on these for cloud recording when my PC is turned off. Figured I probably need to gain access to the camera interface and do that from there.

    1. Have you reset the cameras and then tried "administrator" for the username with a blank password? I believe you hold the reset button down for 10 to 20 seconds to reset to factory defaults.

      1. I'm using a Honeywell wireless access point on these btw. Not sure if that changes things. Would it make a difference if the cameras were hard wired into my network?

  42. on the icameras, is there a way to turn off the wireless radio?
    I have one plugged into a powerline adapter but it still using the wireless radio.
    thanks

    1. Brian if I recall correctly from your YouTube replies, you're using icamera 2 and xcams. Is the one giving you a problem the icam2? Both the 1000 and icam2 will automatically disable wifi when it detects a hardwired ethernet connection. So the first thing that comes to mind is the POE injector dongle and wiring. Did you by chance reverse the cables from the POE injector? The male ethernet pigtail should plug into the switch or powerline adapter and the female port / patch cable should go into the camera. I have reversed them a couple times myself.

      Failing that I'd temporarily bypass the power line adapter and plug it directly into the switch to ensure the hardwired functions on the camera is working properly. And there might be a compatibility issue with the power line adapter.

  43. I have an XCAM i can log into and successfully got it configured for wired/wireless but the IR isnt turning on in either mode. When im in the UI i can toggle the settings for IR (manual day/night) but nothing happens both in wire/wireless modes. Other settings do work though such as; timestamp, time, network, video quality and type.

    Im an installer for these cameras (xfinity) and we were told they would not work hardlined (no info as to why but im digging into it).

    I found this FCC manual regarding a different camera but the same basic sercomm icontrol UI. it has the admin commands but im unable to find the correct command to trigger the IR

    Any suggestions?

  44. So I was given a RC8025B-ADT from my aunt because she didn't use it and does not care for it...but she really gave it to us because we have a autistic son that has outburst once and awhile so I wanted to set this up in him room to keep a eye on him but have no clue how to set it to my router and what to download to figure it out..and ADT wants to charge me alot just for them to take charge of it..so how can i get into this one???? Would really help out alot. Thank you.

  45. Hi, I've just got my SerComm RC8221 to connect wirelessly, This is a Lowes model, never upgraded firmware. Let me make clear I'm a novice, but love to play around with any devices I've got around. I've been coming back to this site, with hopes of new info on how to get my cam to work.

    If you're new to all this like me, this pdf, really helped me configure my cam, cause now I knew what all the options were for each setting.
    Here's is the SerComm Neutral Brand IP Camera Configuration File Spec, which lists SerComm API with descriptions.

    https://www.yumpu.com/en/document/view/15518716/sercomm-neutral-brand-ip-camera-configuration-file-rpracouk

    Also following the steps on this site, seemed to do the trick or i just got lucky. lol

    http://forum.livingwithiris.com/topic/2633-how-to-take-total-control-of-your-iris-cameras-with-the-api/

    I hope this helps someone, like all the help I got from this site.

Leave a Reply

Your email address will not be published. Required fields are marked *