Review - TOP-201 Super Mini 720P HD IP-Cam (The Cheapest IP Cam So Far !!)

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
451
Reaction score
166
Oh, and sticker on my camera reads "720p". Not sure if there is a difference between 720 and 960..
On such TOP-201-like cameras take care about the firmware and the sensor resolution you may have different sensors (and chipset too) :

720P: H22 + Hi3518E
720P: H42 + Hi3518E
960P: SC1135 + Hi3518E
1080P: SC2135 + Hi3516C

ALso take care about the Vxxx after the Hi3518E you have Hi3518E "alone", the Hi3518EV200 and Hi3518EV300 that are different.
 
Last edited:

Tehnicni

Young grasshopper
Joined
Sep 2, 2016
Messages
51
Reaction score
2
After uploading new FW I notice pink picture also with strong light, even daylight. Can somebody upload some old FW for TOP-201, 308 camera. I have basic camera without WiFi and afraid to upload FW which you are talking about
 

cybermaus

Young grasshopper
Joined
May 26, 2016
Messages
57
Reaction score
13
On such TOP-201-like cameras take care about the firmware and the sensor resolution you may have different sensors (and chipset too) :

720P: H22 + Hi3518E
720P: H42 + Hi3518E
960P: SC1135 + Hi3518E
1080P: SC2135 + Hi3516C

ALso take care about the Vxxx after the Hi3518E you have Hi3518E "alone", the Hi3518EV200 and Hi3518EV300 that are different.
Take care of everything! Even with the same chip and the same sensor, it can wire up those chips differently. Unless you know all it to be the same manufacturer and model, the firmware is a risk.
Which means that my camera is definitely different then Alexey's, and I should not use that firmware myself!

After uploading new FW I notice pink picture also with strong light, even daylight. Can somebody upload some old FW for TOP-201, 308 camera. I have basic camera without WiFi and afraid to upload FW which you are talking about
Which means you should list out much more details about your camera. What full firmware+version string was displayed before you flashed? What date? What file did you flash. Where did you get it? What firmware+version string is displayed now?

Also, it is possible you simply accidentally disabled the IR in the software settings. I see above you have been playing with the dynamic range, did you also play with day/night mode and/or IR Swap?


And it is possible you screwed in new wide angle lens too deeply. This is needed to get focus on such short focal distance lens, but is possible your lens is now physically blocking the IR filter from moving. Do you hear the IR filter "click" when you turn on the camera?

I actually did that myself too. I broke one camera because I screwed in a 1.8mm lens to deeply to get focus, and I *broke* the moveable IR filter glass. In my case, it is still "clicking" but the IR glass fell out next time I unscrewed the lens.
 

Alexey

n3wb
Joined
Feb 10, 2017
Messages
9
Reaction score
4
Location
Limassol
Finally succeeded to customise the /mnt/custom (/dev/mtdblock4) part of my camera's firmware after flashing one proposed by cybermaus (Review - TOP-201 Super Mini 720P HD IP-Cam (The Cheapest IP Cam So Far !!)).

Managed to 'brick' the camera in due course by destroying files in /mnt/custom, therefore I advise everyone NOT TO USE Firmware Mod Kit, apart from 'binwalk-script' utility for info purposes (I tried version 0.99, by the way). It does not extract files from firmware '.img' files correctly (they are all binary zeroes inside). And it is useless anyway, cannot re-create firmware file. If you need to mod one of firmware files, do as follows:

Install cramfs tools (if your Linux distro does not have it as part of util-linux), and zip utility. Then:

Code:
unzip YOUR_EXISTING_FIRMWARE_FILE_NAME.bin
head -c+64 <custom-x.cramfs.img >myimg.header
tail -c+65 <custom-x.cramfs.img >myimg.cramfs
mkdir /mnt/diskimage
mount -o loop $PWD/myimg.cramfs /mnt/diskimage
mkdir myimg
cp -a /mnt/diskimage/* ./myimg
umount /mnt/diskimage
[now modify/remove/add files in ./myimg directory, watch out for total files size - should be under 300K]
mkfs.cramfs -b 20480 ./myimg modimg.cramfs
cat myimg.header modimg.cramfs >custom-x.cramfs.img
[edit your InstallDesc file to include only custom-x.cramfs.img, be careful with commas!]
zip -9 mycustom.zip InstallDesc custom-x.cramfs.img
[flash your device using DeviceManage, web interface or CMS]
I added this script to the '/mnt/custom' partition to be able to run anything I want on camera start-up:

Code:
# cat /mnt/custom/extapp.sh
#!/bin/sh
if [ -f /mnt/mtd/userinit.sh ]; then
        chmod a+x /mnt/mtd/userinit.sh
        /mnt/mtd/userinit.sh &
fi

#
 

cybermaus

Young grasshopper
Joined
May 26, 2016
Messages
57
Reaction score
13
Wow. I'd put more then 1 like if I could !

Not that I have need for this, camera's are working. But good to know how to just in case.

PS: don't like this post. Otherwise this thread page looks like you and me just trading fake likes. But the work you did definitely deserves a like.

PS2: When I did play myself with this, I found that some firmware's use cramfs, but other use squashfs. So do not blindly follow above instructions. It may depend on the specific camera.
 
Last edited:

Alexey

n3wb
Joined
Feb 10, 2017
Messages
9
Reaction score
4
Location
Limassol
Wow. I'd put more then 1 like if I could !

Not that I have need for this, camera's are working. But good to know how to just in case.

PS: don't like this post. Otherwise this thread page looks like you and me just trading fake likes. But the work you did definitely deserves a like.
OK, got the message. By the way - Did you test FTP offload with motion detection (Setting->System->NetService->FTP, then Setting->Alarm->Video Motion-> check FTP)?
FTP does not work at all in my camera, tried few different firmware releases. My next mod attempt would be, most probably, to make FTP work. Or, to try sending e-mail with attached snapshot (like FOSCAM cameras do).
 

cybermaus

Young grasshopper
Joined
May 26, 2016
Messages
57
Reaction score
13
No. I use them as fairly dumb camera's, connected to a NVR.
The camera only needs to signal motion detect to the NVR, and then the NVR does anything else, like save the recording and (if I wanted) email and snapshot.

There are a few reasons for this setup
- 6 active camera's, centralized management
- I do not want an email for every false alarm (cat, bird, wind, cloud, sun-shade, leaves)
- If I get a motion detect on one camera, I want the other camera's to also start recording.

but most importantly:

When I had my camera's on a network monitor for a while, I did see it "call out" every so often. Even though I had the cloud disabled.
I think it was a harmless manufacturer call home instinct (I checked the registration of the IP address), but I dislike it.
So all my camera's are *not connected* to the internet. They can only connect to the NVR.
So not only no incoming port forwarding, but also no outgoing traffic.

Of course the risk merely shifts: Can I trust the NVR itself? And can I trust the Android box hooked up to the monitor?
But at least the camera's themselves cannot be used as a IoT botnet.
 
Last edited:

Alexey

n3wb
Joined
Feb 10, 2017
Messages
9
Reaction score
4
Location
Limassol
Hmm.. been thinking about an NVR box but too lazy to buy one. Looking into turning a Raspberry Pi into an NVR.

Oh, and a quick 'de-brick' procedure, JIC, as I went through it today in the morning. I disassembled the 'water-proof' case, easy to do: remove two screws and front part, then two screws and LEDs then 4 screws and you got the board. Look at the photo how serial port is attached using 3 wires.
Open terminal (like Putty or minicom), parameters 115200/8/N/1. Then power-cycle the camera, press Control-C when instructed on the screen over serial port. Type 'printenv' (without quotes) - you will see command lines for loading all parts of firmware over TFTP. Otherwise type 'help'.



 
Last edited:

rellor

n3wb
Joined
Feb 17, 2017
Messages
10
Reaction score
3
Hi - Been following this thread for a long time - Bought a hi3518e pinhole lens camera without wifi - have completely forgot the admin password and have been hacking it ever since. Got the serial soldered, managed to download the image to a tftp server from the U-boot, have the passwd and passwd- files and even though everyone says the root password for it is xmhdipc with this one it isn't the case. Is there a way of getting the console serial output after "booting the kernel" as it stops after then.
 

rellor

n3wb
Joined
Feb 17, 2017
Messages
10
Reaction score
3
Trying to login at the telnet on 9527

passwd file : root:$1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0:0:0:root:/:/bin/sh (stick it in google and I get xmhdipc, which doesn't allow me in.)
passwd- file : root:$6$0E8/0opc$yfESwbvIce8PIEb3fCgH1kRpISzA2ffyv9VfdeM3wadmKyLfLXgNlyH3TafXvugdqPevBgE.3EZtGnP.KZZug.:0:0:root:/:/bin/sh


I have attached the rom which I tftpd thanks to this link Hacking Cheap eBay IP Camera

Download the zip file, unzip and mount it using
sudo mkdir /media/cramfs
sudo mount -t cramfs -o loop romfs2.cramfs /media/cramfs

Firmware version I am using is unknown, but details may be in the image above.

With all these p2p cameras & people worrying about them phoning home, I just set IP manually but change gateway IP to +1 along with DNS.
 

Attachments

Alexey

n3wb
Joined
Feb 10, 2017
Messages
9
Reaction score
4
Location
Limassol
Trying to login at the telnet on 9527

passwd file : root:$1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0:0:0:root:/:/bin/sh (stick it in google and I get xmhdipc, which doesn't allow me in.)
passwd- file : root:$6$0E8/0opc$yfESwbvIce8PIEb3fCgH1kRpISzA2ffyv9VfdeM3wadmKyLfLXgNlyH3TafXvugdqPevBgE.3EZtGnP.KZZug.:0:0:root:/:/bin/sh


I have attached the rom which I tftpd thanks to this link Hacking Cheap eBay IP Camera

Download the zip file, unzip and mount it using
sudo mkdir /media/cramfs
sudo mount -t cramfs -o loop romfs2.cramfs /media/cramfs

Firmware version I am using is unknown, but details may be in the image above.

With all these p2p cameras & people worrying about them phoning home, I just set IP manually but change gateway IP to +1 along with DNS.
I guess password is OK. What is not OK is terminal settings when you telnet to port 9527. I suggest trying few combinations: to use either ^J (ctrl-j) or ^M (ctrl-m) after typing username and password.
 

cybermaus

Young grasshopper
Joined
May 26, 2016
Messages
57
Reaction score
13
Is there a way of getting the console serial output after "booting the kernel" as it stops after then.
Never did serial on the camera's (yet) but have so on other devices.
You probably already tried, but its not mentioned above, so just in case: simply press Enter on the console? Usually that kickstarts the shell and promt.
 

rellor

n3wb
Joined
Feb 17, 2017
Messages
10
Reaction score
3
Unfortunately ENTER on console does nothing, and ctrl j/m gives me the same results :_

password:xmhdipc
user:root account invalid
User not valid!
user name:root
password:xmhdipc

user:root account invalid
User not valid!
 

rellor

n3wb
Joined
Feb 17, 2017
Messages
10
Reaction score
3
to the port 9527 (Virtual Serial Interface via TCP/IP) you must login in the same way as web-ui: login 'admin', default password will be empty.
Not this one - The pinhole camera has slightly different firmware, and ENTER on the 9527 telnet gets me nowhere....
 

Alexey

n3wb
Joined
Feb 10, 2017
Messages
9
Reaction score
4
Location
Limassol
Not this one - The pinhole camera has slightly different firmware, and ENTER on the 9527 telnet gets me nowhere....
Just tried it on my camera. Apparently you cannot login as 'root' from the console at port 9527, as it is not 'telnetd' that listens on this port, but some 'dvrHelper' application.
I can login with 'admin' user and password, though. But it does not seem to be an option for you, as you do not remember 'admin' password. The only solution, from my point of view, would be to extract and re-build your own 'custom-x.cramfs.img' and burn it to the camera's flash, as I did, adding 'extapp.sh' file to the root of /mnt/custom filesystem (mtdblock4). Just put 'telnetd&' in this script and reboot camera.
 

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
451
Reaction score
166
These days I receive 2 wide angle lens. These are great, viewing angle is 87° (varifocal lens have max 64°). They have IR cut filter on inner side. Focus is uniform all over the picture. Aperture is little bit smaller then varifocal lens. Another one is crap.
I only buy 5MP rated lens to be sure I get good lens quality because many are crap and only 0.3MP (you can see air bubbles or dust particles inside the lens glass), for example I bought this pack of multiple lens from 2.8mm to 16mm and it was crap 2.8mm~16mm Fixed IRIS Lens for Security Cameras - Black (6-Lens Pack)
 

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
451
Reaction score
166
But what did everyone else do? Just give up on email alerts? Surely there are other options. I am really hoping those who found solutions will chime in. For instance, does anyone know of other existing SHA-1 SMTP servers?
If you are in trouble with secured SMTP server you may use sTunnel installed in one of your PC (Win32/Linux https://www.stunnel.org) and let the camera connect to it as standard SMTP with no encryption and let sTunnel proxy and transform it into SSL SMTP
 
Top