Not able to modify DS-2CD2032-I

Clown

n3wb
Joined
Dec 8, 2014
Messages
6
Reaction score
2
Hello,

I just bought a new DS-2CD2032-I (I already have more of them in use) and I'm having trouble with it like I never had before.

I unboxed it, plugged it in, opened up SADP, changed the IP and logged in to the camera. Everything fine, looking good and working well. But then it happened: I changed the ports (because I always change them to non-standard). After that, I wasn't able to connect to it, because it wouldn't listen to the new port somehow. Hik-online.com DDNS was showing the new port by the way, so I would think the cam did change it, but in the browser it wasn't reachable.

So, I thought, well, maybe it just went bad when changing the port, so let's reset the device. Unplugged it, pushed the reset-button, held it for 15 seconds when plugging it in again. You know the drill I think.

It then looked like it did a reset, because I do see the standard 192.0.0.64 IP in SADP. It's working fine as well, because when putting the cam in the dark, the IR-lights go on and when I turn on the light they turn off again.

But the problem: I can't change the IP with SADP. When using the standard 12345 password it just says it's not able to modify the settings. I thought: maybe it did not reset the password, so I tried the password I set earlier: no luck either.

So, I thought, there's one thing left: Hikvision TFTP. Downloaded it, ran it, it seemed to work, it said the firmware was installed successfully.

But, again: I can see the cam work, SADP sees it, but I just can't change the IP. Also restoring the default password in SADP by entering the serial number doesn't work, SADP says: failed, can't restore. Just like it does when I try to change the IP address.

In short: HELP. What the **** is happening?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,229
Reaction score
5,321
Location
Denver, CO
Do you have anything running trying to log in to the camera with the old login? I had a similar problem when I changed passwords and a piece of software locked the camera up trying repeatedly to log in w/incorrect credentials.. It wasn't until after I killed the software that I was able to reset everything fine.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,856
Reaction score
21,303
Welcome to the forum..I would try the hard reset again...after the reset...power cycle it..see if that helps...also how are you powering the camera? make sure there is enough power getting to it.
 

Clown

> In short: HELP. What the **** is happening?

Well. I finished typing my post, after 2 hours of fighting with the camera. You can guess: seconds after this it finally lets me change the IP address. STRANGE.

But I can't find a button to delete this thread. But, it looks good now. So no help needed anymore. Sorry! Or thanks, for your magical help.
 

fenderman

It's always like that....lol...no need to delete the thread..it may help someone in the future...all they gotta do is post their issues and it's magically solved...yup that's how good ipcamtalk is :D
 

Clown

> Welcome to the forum..I would try the hard reset again...after the reset...power cycle it..see if that helps...also how are you powering the camera? make sure there is enough power getting to it.

Thanks for your help, the problem solved itself after I finished typing this thread. Strange, very strange. I had been busy with it for 2 hours, with several hard resets.

I use a TP-Link PoE-injector I always use for this cam. Tried using a normal adapter too. Cam worked all the time, but IP-changing wasn't possible. Seems to be possible again now.
 

nayr

Some browsers like Chrome are really aggressive on requesting resources (all the elements of a page, the images/scripts/streams/code) concurrently.. it does this to make pages load quicker but for small embedded devices with limited resources this can overwhelm the web server running on the camera and cause timeout issues where it looks like something changes but won't or the save just fails outright.

You can try another browser or give the camera some time to recover from the page loading before saving any changes.. if you don't realize what's happening it seems like it's a random issue that solves itself.
 

Clown

By the way. I now DO know what went wrong with the port change: I just add them up with one every time I install a new camera. This time, that would be port 87.

But, port 87 is some kind of blocked port, browsers just don't want to connect to it. So, for other people finding this thread: do NOT use port 87.

When you happen to do so, this solution is easier than giving your cam a hard reset, is what I know now...... http://e1tips.com/2014/03/17/allow-firefox-chrome-to-access-restricted-ports/
 

nayr

In networking world ports 1-1023 are reserved for system applications, most operating systems require administrator access to open any of these ports.. It'd probably be wise to not run anything on this range if possible as many will be blacklisted for residential internet, browsers, etc for various security reasons.

You'll find port collisions on a lot of stuff under 10k, for your strategy I'd suggest grabbing a very high port# and start incrementing it and you won't run into any issues. 40080+ or something.

Common ports are scanned for vulnerabilities constantly; to find services running on non-standard ports requires a more invasive scan that takes a lot more time and occurs much less frequently.. Though I would urge you to avoid port forwarding altogether and go with a more secure VPN setup that gives you a lot more security and does not require you to expose your cameras to the harm of the internet, then you can run all your cameras on port 80 and not need to remember what camera is on what port.
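
Added example, not part of any post in this thread: a port picker that applies the two constraints raised above (the browser restricted-port list that caught port 87, and the reserved 1-1023 range) while keeping the "increment by one per camera" scheme. The blocked-port set is the "bad port" list from the WHATWG Fetch standard as reproduced here; individual browser versions can differ, and the function names are hypothetical.

```python
# Ports that browsers refuse to connect to (WHATWG Fetch "bad port" list,
# reproduced for this example; browser versions may differ slightly).
BROWSER_BLOCKED_PORTS = frozenset({
    1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 69, 77,
    79, 87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123,
    135, 137, 139, 143, 161, 179, 389, 427, 465, 512, 513, 514, 515, 526,
    530, 531, 532, 540, 548, 554, 556, 563, 587, 601, 636, 989, 990, 993,
    995, 1719, 1720, 1723, 2049, 3659, 4045, 4190, 5060, 5061, 6000, 6566,
    6665, 6666, 6667, 6668, 6669, 6679, 6697, 10080,
})

RESERVED_MAX = 1023  # ports 1-1023 are reserved for system services


def port_problems(port):
    """Return the reasons why `port` is a poor choice for a camera web UI."""
    if not 1 <= port <= 65535:
        return ["not a valid TCP port (1-65535)"]
    problems = []
    if port in BROWSER_BLOCKED_PORTS:
        problems.append("blocked by browsers (restricted-port list)")
    if port <= RESERVED_MAX:
        problems.append("in the reserved system range 1-1023")
    return problems


def allocate_ports(start, count):
    """Return `count` usable ports, counting up from `start` and skipping
    any port that port_problems() objects to."""
    ports = []
    port = start
    while len(ports) < count:
        if port > 65535:
            raise ValueError("ran out of ports before allocating %d" % count)
        if not port_problems(port):
            ports.append(port)
        port += 1
    return ports


if __name__ == "__main__":
    print(87, port_problems(87))        # the port that broke the web UI
    print(allocate_ports(40080, 3))     # high range: nothing to skip
    print(allocate_ports(6664, 4))      # skips the blocked 6665-6669 block
```
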
 

Clown

> You'll find port collisions on a lot of stuff under 10k, for your strategy I'd suggest grabbing a very high port# and start incrementing it and you won't run into any issues. 40080+ or something.

Yes, true. But the problem with that is that most standard routers from the cable companies do not allow forwarding for port numbers like that.

> Though I would urge you to avoid port forwarding altogether and go with a more secure VPN setup that gives you a lot more security and does not require you to expose your cameras to the harm of the internet

Yeah, well. Setting up a VPN for all my cameras (they are all in different locations) seems a lot more work and additional costs than benefits for me.
 

nayr

Really? I have never seen a router from anyone capable of NAT/port forwarding that could not accept inputs from 1-65536.. you should double check that, I've worked for handfuls of ISPs and a few router manufacturers and really doubt this is true of most standard routers.

OK, given it may cost a little if your routers don't already support VPN.. but it costs nothing if the support is there and you're not using it.. All major smart phones/tablet/operating systems support VPN, and setting up point to point VPN bridges between locations is not much more work than forwarding ports if the hardware supports it.. you'd be connecting all the remote cameras to your network and they'd respond like local devices.. just create separate VPN credentials for each remote camera to get in..

VPN seems like a lot of work to most people until they successfully get it working, most people follow a simple guide online and wonder why they thought it was so complicated..

Just giving free advice, which you're free to take or leave..
 

Clown

> OK, given it may cost a little if your routers don't already support VPN.. but it costs nothing if the support is there and you're not using it.. All major smart phones/tablet/operating systems support VPN, and setting up point to point VPN bridges between locations is not much more work than forwarding ports if the hardware supports it.. you'd be connecting all the remote cameras to your network and they'd respond like local devices.. just create separate VPN credentials for each remote camera to get in..
>
> VPN seems like a lot of work to most people until they successfully get it working, most people follow a simple guide online and wonder why they thought it was so complicated..

What you describe here sounds very interesting, easy and safe.

But personally, I wouldn't know how I could create my own VPN network that doesn't cost a lot of money.

I know a few of the popular VPN companies, but I think they're expensive. For sure too expensive for just playing around with cams and not having to forward ports..

How do you do a thing like you describe without having to pay a fortune for a VPN subscription then?

Edit: I use my cameras as public webcams. I'm streaming their video with a Wowza Streaming server to several sites. The cams are located at businesses or people's houses. So it's not an option to deploy a VPN in their routers for all their own traffic. Would have to be just mine, from the cams.
 

nayr

You're confusing paid VPN services with the simple VPN protocol.. My router has built in VPN capabilities, I can link it with any other router with the same capabilities over the internet and all devices will appear like they're on the same LAN, and any traffic that has to go over the internet is encrypted and secure. There are no monthly anything fees.. You may need to buy a router with these capabilities or you can run VPN tunnels on a computer on the network and forward the routes manually but that's complicating things.

If they're webcams then they're not security cameras so you can forgo most security if they're intended to be broadcast publicly..
 

Zxel

Getting the hang of it
Joined
Nov 19, 2014
Messages
263
Reaction score
54
Location
Memphis, TN
> Though I would urge you to avoid port forwarding altogether and go with a more secure VPN setup that gives you a lot more security and does not require you to expose your cameras to the harm of the internet, then you can run all your cameras on port 80 and not need to remember what camera is on what port.

I think VPN is highly over touted as a more secure solution when in many cases it is not, and this is one of them.

Why?

When you establish a VPN connection you are exposing ALL 65K+ ports of one device to another, i.e. you are creating a virtual network between them, everything in the network stream is exposed to each device (albeit only the devices in the VPN), however, when you port forward, you only have to defend against access/attacks on that one port. A device on a VPN that is compromised can use the VPN connection to infect the other devices in the VPN network (on any port/network method), and since there is access to the public/private networking on at least one of the devices in the VPN (usually the computer or router) your infection can spread outside the VPN.

I actually have experience with this sort of VPN compromise in the real world, I am very careful with what I establish a VPN for. For example, connecting your computer to your friend's computer via VPN sounds like a great secure method of sharing devices/files/whatever, however, each computer is exposed to the other computer, in other words if one gets infected/compromised the other will be exposed to it too. If I instead use software over a single port to do the same things (like VLC/Norton/SSH/Whatever) I am only exposing one port (some software use multiple) and it is unlikely that a compromised system or device will be able to affect my system (because the compromise/virus has no idea how to do it without using the standard network).

Bottom line IMO is port forwarding is much easier to defend against than a full VPN connection. There are times when VPN is needed (I do like it), however, thinking that you are more secure in a VPN connection will be a mistake that can cost you.
 

nayr

If you're connecting untrusted networks into your network then yeah, you're exposing all sorts of issues.. don't use it to connect friends' networks together, that's plain silly..

If my laptop/desktop/mobile has a virus then it will infect my network regardless if it's on a VPN, WiFi or plugged in directly, you should be wary about plugging anything into your network you may suspect has been compromised.. If you're bridging networks with VPN and you don't have any control of what is plugged into it then you require additional defenses such as firewalls.

A VPN will only allow remote access from devices you let onto the network, assuming you use a decent password, providing a secure authentication and secure transport of data, a port forward of a non-encrypted web service allows the whole internet a direct connection to your device, with authentication credentials transmitted in plain text and the video stream transmitted in an interceptable format.. Connect to an open wifi network and I dare you to log in to your port forwarded cameras, not only can the network admin see your login and stream but so can everyone else within wireless range of you.

There are many more security holes in your camera's firmware than there are in any VPN solution.. once I have a shell on your camera I have full access to infect the rest of your network.. to compromise your network over a VPN I have to get a virus on your computer first, with a vulnerable service running on a forwarded port I can compromise the network without any interaction from any users on that network, that's much more difficult to defend against.

It takes a little more setup but you can put a VPN on a separate subnet and configure a firewall between the VPN subnet and your main network, allowing you to restrict remote VPN clients/networks access to the local network even further, this is how you set up a VPN to handle untrusted devices properly..

Most of the people here needing to remotely view their IP cameras from a tablet/laptop/mobile device are perfectly safe using a VPN because those devices are normally connected directly to the LAN when they are not remote.. If those devices have been hacked/infected then their network is compromised regardless of the VPN.. True the VPN won't protect the rest of the network from those infected devices, but neither will the WiFi, or the ethernet cable when it gets home.

VPN is just a protocol allowing a secure transport to your LAN when you're away, it serves as a virtual network cable stretching across the internet and into your device.. just as if you were plugging in at home. For monitoring IP cameras this is an ideal solution for remote connectivity, much more ideal than allowing the entire world direct access to your camera via port forwarding.

But in this guy's case he has no use for VPN because these are public webcams..
 

Zxel

> If you're connecting untrusted networks into your network then yeah, you're exposing all sorts of issues.. don't use it to connect friends' networks together, that's plain silly..

Agreed, and yet it happens all too much.

> A VPN will only allow remote access from devices you let onto the network, assuming you use a decent password, providing a secure authentication and secure transport of data, a port forward of a non-encrypted web service allows the whole internet a direct connection to your device, with authentication credentials transmitted in plain text and the video stream transmitted in an interceptable format..
>
> There are many more security holes in your camera's firmware than there are in any VPN solution.. once I have a shell on your camera I have full access to infect the rest of your network.. to compromise your network over a VPN I have to get a virus on your computer first, with a vulnerable service running on a forwarded port I can compromise the network without any interaction from any users on that network, that's much more difficult to defend against.
>
> It takes a little more setup but you can put a VPN on a separate subnet and configure a firewall between the VPN subnet and your main network, allowing you to restrict remote VPN clients/networks access to the local network even further, this is how you set up a VPN to handle untrusted devices properly.
>
> But in this guy's case he has no use for VPN because these are public webcams..

I agree with most of this, however, there are a few points I'd like to make:

1. If the camera's output is sensitive (most cameras do not fall into this category) VPN can be another valued security layer, however, it adds complexity (which you mention) and processing overhead (encryption/decryption). Most home use cameras are not sensitive, standard (even though plain text/sucky) security measures are fine (this includes proper hardening, like setting a fixed IP and strong password). It is not as simple as it sounds to intercept even plain text credentials, there would need to be a reason why someone with the skill to do this would bother to do so.

2. Totally agree with your statement on camera's firmware, I suggest anyone seriously into security and buying cameras from China (there are others - China isn't alone - I do this always regardless) should isolate them with a firewall from your entire network except for the exact ports/IPs they are to connect to. I say this because I have personal experience with infected cameras from China (although I don't think it was an infection, rather done on purpose). I use a sophisticated firewall (I use routerboard or Cisco) to redirect all calls from cameras to known good/safe IPs (even for simple things like NTP/DNS/DDNS...), I never allow them to contact an IP back in China.

3. You make my point on the dangers of VPN, shell access, a more difficult thing to stop when you are concerned about 65K+ ports, guarding one port is far easier. Since this is going to be exposed publicly anyway I'd rather harden the one port/service instead of the entire network.

4. Relying on firewalls/subnets/network protocols... for your protection solely is a bad idea. I always hated this truth because it is such a pain in the arse in practice and I love firewalls and network segmentation (firewalls have become much more sophisticated, features that only used to be available in very expensive hardware). In the real world though you must realize that firewalls can fail (I've only seen this happen 2x, so it is not a common thing) and your system should have layers of security independent of each other. A layered security approach is the industry standard for serious security, and it is a good one (as much as it irks me).

If you set up your cameras as mentioned above, even if a camera was compromised it could not affect other devices/cameras or your network (because of camera isolation). Since these cameras will be public, isolating them from your network (as described above) will make it impossible for your network to be compromised. Of course I have not put in all the details needed for this setup (it would be a very long post - as if this one wasn't long enough), however, there is enough here for those computer savvy to understand, and if you are not you should have lots of questions (we all started at zero, feel no shame). ;)

I recently had a compromised camera on my network, used it for years, however, it finally died. Isolating it using the method described above pulled the teeth on it, so I used it anyway.
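
Added example, not part of any post in this thread: one way to check that the camera isolation described in point 2 is holding, by auditing a flow log for camera-initiated connections that fall outside an allowlist of exact IPs/ports. The subnet, the allowlist entries and the log format are assumptions made for this example, and the log lines are constructed sample data.

```python
import ipaddress

# Assumptions (not from the thread): cameras sit in 192.168.50.0/24 and may
# only reach the local gateway for NTP/DNS and one recorder for RTSP.
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
ALLOWED = {
    ("192.168.50.1", "udp", 123),    # local NTP
    ("192.168.50.1", "udp", 53),     # local DNS
    ("192.168.10.20", "tcp", 554),   # hypothetical recorder
}

# Constructed sample log: "<time> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_FLOWS = """\
2014-12-10T08:00:01 udp 192.168.50.11:40123 -> 192.168.50.1:123
2014-12-10T08:00:02 udp 192.168.50.11:51000 -> 192.168.50.1:53
2014-12-10T08:00:05 tcp 192.168.50.11:49152 -> 203.0.113.77:8000
2014-12-10T08:00:09 udp 192.168.50.12:123 -> 198.51.100.4:123
2014-12-10T08:00:12 tcp 192.168.10.5:50211 -> 192.168.50.11:80
2014-12-10T08:00:15 tcp 192.168.50.12:49999 -> 192.168.10.20:554
this line is malformed
"""


def parse_flow(line):
    """Parse one log line into (proto, src_ip, dst_ip, dst_port), or None."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src_ip = ipaddress.ip_address(parts[2].rsplit(":", 1)[0])
        dst_host, dst_port = parts[4].rsplit(":", 1)
        return parts[1].lower(), src_ip, ipaddress.ip_address(dst_host), int(dst_port)
    except ValueError:
        return None


def audit(flow_text):
    """Return (violations, unparsed_count). A violation is a connection that
    a camera initiated to a destination not on the allowlist."""
    violations, unparsed = [], 0
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            unparsed += 1          # count, don't silently drop, bad lines
            continue
        proto, src, dst, dport = flow
        if src not in CAMERA_NET:
            continue               # inbound viewing traffic is out of scope
        if (str(dst), proto, dport) not in ALLOWED:
            violations.append((str(src), proto, str(dst), dport))
    return violations, unparsed


if __name__ == "__main__":
    bad, skipped = audit(SAMPLE_FLOWS)
    for src, proto, dst, dport in bad:
        print("camera %s -> %s %s/%d not allowlisted" % (src, dst, proto, dport))
    print("unparsed lines:", skipped)
```
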
 
