https://www.goprawn.com/forum/ambarella ... read/page2
PTP/IP specifications
http://gphoto.org/doc/ptpip.php
https://developers.theta360.com/en/docs ... reference/
Hacking Eken H9R
-
- Site Admin
- Posts: 2449
- Joined: Wed 25 Feb 25 2009 8:00 pm
Hacking Eken H9R
- Attachments
-
- DC-X005.pdf
- (750.95 KiB) Downloaded 3958 times
-
- 10.1.1.849.8502.pdf
- (348.88 KiB) Downloaded 3815 times
-
- pc_ieee_trans_consumer_elect_2005_b.pdf
- (735.04 KiB) Downloaded 3825 times
-
- Site Admin
- Posts: 2449
- Joined: Wed 25 Feb 25 2009 8:00 pm
Re: Hacking Eken H9R
Network Radar scan from 1-9000 reveals only:-
port 21: FTP
port 554: RTSP
WireShark reveals:-
port 53: DNS
port 554: RTSP
port 6970: RDT possible malformed
port 6971: RTCP
port 6972: RTP
port 6973: RTCP
port 6974: RTP unknown version
port 6975: RTCP
port 6999: RTCP
port 15740: Picture Transfer Protocol PTP/IP
-
- Site Admin
- Posts: 2449
- Joined: Wed 25 Feb 25 2009 8:00 pm
Re: Hacking Eken H9R
It appears that the H9R uses PTP/IP to control camera functions. Updates to camera seem to use RTSP and file handling uses FTP.
It is possible to FTP into 192.168.1.1 which accepts any non-zero user and password. However any instructions attempting to list the files seem to close the connection down. It is unclear if this actually closes the link altogether since some commands still work. Needs more investigation.
Update
Okay, we seem to have gotten something working here. Login as per usual but this drops you into the root directory. To download files, one must first navigate to the PHOTO or VIDEO directory.
cd / *optional. Starts in root directory
cd PHOTO
get FHD0005.JPG
Filenames are all in caps.
Totally works with FileZilla!!!!
-
- Site Admin
- Posts: 2449
- Joined: Wed 25 Feb 25 2009 8:00 pm
Re: Hacking Eken H9R
RTSP
rtsp://192.168.1.1
rtsp://192.168.1.1/MJPG?W=640&H=360&Q=50&BR=5000000/track1
Can be viewed with VLC network stream option
-
- Site Admin
- Posts: 2449
- Joined: Wed 25 Feb 25 2009 8:00 pm
Re: Hacking Eken H9R
Wi-Fi mode can only be connected to if SD card is present. Without the card, I think the camera behaves like a USB camera.
-
- Site Admin
- Posts: 2449
- Joined: Wed 25 Feb 25 2009 8:00 pm
Re: Hacking Eken H9R
ptpip.py
Program can be made to work but contains a number of bugs that seem to be preventing proper communications:-
1. Malformed GUID packet
- needs to be encoded into utf-16 [line 202]
- needs version
self.hostname = self.hostname.encode('utf-16')
self.version = '\x00\x00\x01\x00'
2. data_length not declared before use
- lines 102 and 122 need further indent
- unclear if lines 107 and 125 need to be indented. Should be indented.
3. session_id wrongly formatted
- in line 28, the use of session_id will not unpack correctly
- this is using binary packed string with value 0 and length 4 (unsigned integer)
- but the following section requires a packed string of length 8 (unsigned long)
- this needs to be corrected
if len(self.session_id) == 4:
    self.session_id = struct.pack('L', int(struct.unpack('I', self.session_id)[0]))
4. session_id initial value
- as stated in #3 above, the default initial session ID value is 0
- captured traffic indicates initial session ID as 1
- may have to be changed
-
- Site Admin
- Posts: 2449
- Joined: Wed 25 Feb 25 2009 8:00 pm
Re: Hacking Eken H9R
Command sequence from captured transactions:-
> Init Command Request GUID, Name
< Init Command Act Connection GUID, Name
> OpenSession 0x1002
< Start Data Packet
> GetDeviceInfo 0x1001
< Start Data Packet (239-bytes of data)
> Operation Request Packet 0x1007
< End Data Packet
> GetStorageIDs 0x1004
< Start Data Packet
whole bunch of Operation Request Packets
> Operation Request Packet 0x9601 *one of these is erroneous, both share same transaction ID
> Operation Request Packet 0xa601 *this one is probably wrong
< Event Packet 0xc601, Transaction ID: -1
; actually maybe it's supposed to be like this. This same pattern appears in a different file
> Operation Request Packet 0x1014
> Operation Request Packet 0x9601
> Operation Request Packet 0x1015 - GetDevicePropValue: Device Property Value
> GetDeviceInfo 0x1001
> Operation Request Packet 0x1014
whole bunch of the same 0x1014 - GetDevicePropDesc: Device Property Description, contains param being requested
> Operation Request Packet 0x9601
> Operation Request Packet 0x1014 *multiple
> Operation Request Packet 0x1015
> Operation Request Packet 0x1014
> Operation Request Packet 0x1015
> Operation Request Packet 0x1014
> Operation Request Packet 0x1014
> Operation Request Packet 0x1016
> Operation Request Packet 0x2001
> Operation Request Packet 0xa601
> Operation Request Packet 0x1015
> Operation Request Packet 0x1014 *multiple
> Operation Request Packet 0x9601 *multiple
> Operation Request Packet 0x1014
> GetStorageIDs 0x1004
> Operation Request Packet 0x1005
Second capture: 815pm.pcap
*Connect, Change to camera mode, Capture, Disconnect
Init Command Request GUID
OpenSession
GetDeviceInfo
Operation Request Packet: 0x1007 = GetObjectHandles
GetStorageIDs
Operation Request Packet: 0x1007 = GetObjectHandles
Operation Request Packet: 0x9601
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1015 = GetDevicePropValue
Operation Request Packet: 0x9601
GetDeviceInfo
whole bunch of 0x1014 with some 0x1015
> Operation Request Packet: 0x1016 = SetDevicePropValue: 0x5011
> Start Data Packet: len=20, payload for SetDevicePropValue, timestring
* This combination sets the time and date
GetStorageIDs
Operation Request Packet: 0x1005 = GetStorageInfo
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1015 = GetDevicePropValue
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x1014 = GetDevicePropDesc
> Operation Request Packet: 0x1016 = SetDevicePropValue, 0xd604
> Start Data Packet: len=2, payload for SetDevicePropValue, ????
* This combination seems to be a mode change
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1005 = GetStorageInfo
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1015 = GetDevicePropValue
Operation Request Packet: 0x1005 = GetStorageInfo
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x9601
Operation Request Packet: 0x100e = Initiate Capture (start shooting)
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x1005 = GetStorageInfo
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
-
- Site Admin
- Posts: 2449
- Joined: Wed 25 Feb 25 2009 8:00 pm
Re: Hacking Eken H9R
Packets to ports 6970-6977, 6998-6999
The ports seem to be paired in their function. The pattern seems to be
6970 - malformed
6971 - 0-bytes
6970 - malformed
6971 - 0-bytes
6972 - cefaedfe
6973 - 0-bytes
6972 - cefaedfe
6973 - 0-bytes
6974 - cefaedfe
6975 - 0-bytes
6974 - cefaedfe
6975 - 0-bytes
6976 - cefaedfe
6977 - 0-bytes
6976 - cefaedfe
6977 - 0-bytes
6998 - cefaedfe
6999 - 0-bytes
6998 - cefaedfe
6999 - 0-bytes
-
- Site Admin
- Posts: 2449
- Joined: Wed 25 Feb 25 2009 8:00 pm
Re: Hacking Eken H9R
Command to set date: Investigation
Operation Request Packet
Data Phase Info: (4-bytes) 0x00000001
Cmd: (2-bytes) 0x1016 = SetDevicePropValue
Transaction ID: (4-bytes) 0x0000001b
0x00005011 [11 50 00 00] = Property: DateTime [see properties table in PTP-IP Reference]
Structure of TCP packet:
TCP header
4-bytes of length = length of payload + 4 (length of these 4-bytes) *assigned in send_data()
data payload = *assigned in PtpIpCmdRequest()
4-bytes packet operation type (0x00000006)
4-bytes Data phase (0x00000001)
2-bytes Operation code (0x1016)
4-bytes Transaction ID (0x0000001b) *varies
4-bytes Property ID (0x00005011)
Start Data Packet
Length: (4-bytes) 0x00000014 (decimal 20)
Transaction ID: (4-bytes) 0x0000001b [same as above]
Total data-length: (8-bytes) 0x0000000000000025 (decimal 37)
0x00000031 [31 00 00 00] (decimal 49)
0x0000000c [0c 00 00 00] (decimal 12)
0x0000001b [1b 00 00 00] (decimal 27) *could be transaction or session id
0x12 [12] (decimal 18) *could be the length of the following string in utf-8
unicode "20180327T201530.0" (17-chars, 34-bytes)
0x0000 [00 00]
Structure of TCP packet:
TCP header
4-bytes of length = length of partial payload + 4 *assigned in send_data()
partial payload = *assigned in ??
4-bytes packet type: Start Packet (0x00000009)
4-bytes Transaction ID (0x0000001b) *varies
8-bytes Total data length, including remainder of payload (0x0000000000000025) [decimal 37]
remainder of payload
0x00000031
0x0000000c
0x0000001b
37-bytes of payload = 1-byte of strlen + 18-words of unicode character including null terminator word
The payload is preceded by a single byte indicating the length of the string in characters inclusive of terminating null. In this case, 18.
Essentially, the payload is just a len-18 string made up of the null-terminated datetime string. This is encoded into utf-16 and so takes up 36-bytes.
The total of the above is 37-bytes.
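A worked encoding of the packets dissected in this post and in the ptpip.py bug list earlier in the thread, written as an added example (it is neither the ptpip.py script nor any vendor code): it builds the Init Command Request with a NUL-terminated UTF-16LE name and the 00 00 01 00 version word, packs OpenSession's session ID with an explicit 4-byte struct format so its size does not depend on the host OS, and reproduces the SetDevicePropValue/DateTime exchange from the capture, where the words 0x31, 0x0c, 0x1b that follow the Start Data packet parse as an End Data packet header (length 49, type 0x0C, transaction 27) carrying the 37-byte PTP string. A length-prefix splitter and a string decoder with bounds checks are included for reading such a capture back; the GUID and friendly name are constructed placeholders.

```python
import struct

# PTP/IP packet types, from the PTP/IP spec linked at the top of the thread
INIT_COMMAND_REQUEST, CMD_REQUEST, START_DATA, END_DATA = 0x01, 0x06, 0x09, 0x0C
PROTOCOL_VERSION = 0x00010000   # v1.0; on the wire (little-endian) as 00 00 01 00

def ptpip_packet(ptype, body):
    """Prepend the 4-byte total length and the 4-byte packet type, both LE."""
    return struct.pack('<II', 8 + len(body), ptype) + body

def init_command_request(guid, name):
    """Type 1: 16-byte GUID, NUL-terminated UTF-16LE friendly name, version."""
    body = guid + name.encode('utf-16-le') + b'\x00\x00'
    return ptpip_packet(INIT_COMMAND_REQUEST, body + struct.pack('<I', PROTOCOL_VERSION))

def cmd_request(opcode, txid, *params, data_phase=1):
    """Type 6: data-phase info, 16-bit opcode, transaction ID, 32-bit params.
    '<I' fixes each parameter at 4 bytes; native 'L' is 4 or 8 depending on OS."""
    body = struct.pack('<IHI', data_phase, opcode, txid)
    return ptpip_packet(CMD_REQUEST, body + b''.join(struct.pack('<I', p) for p in params))

def ptp_string(s):
    """PTP string: 1-byte unit count (terminator included), UTF-16LE, NUL unit."""
    units = s.encode('utf-16-le') + b'\x00\x00'
    return struct.pack('<B', len(units) // 2) + units

def set_datetime_exchange(txid, stamp):
    """The three host-side packets the capture shows for property 0x5011."""
    payload = ptp_string(stamp)                       # 37 bytes for a 17-char stamp
    return (cmd_request(0x1016, txid, 0x5011),
            ptpip_packet(START_DATA, struct.pack('<IQ', txid, len(payload))),
            ptpip_packet(END_DATA, struct.pack('<I', txid) + payload))

def split_packets(stream):
    """Walk a captured TCP byte stream by its length prefixes -> [(type, body)]."""
    out = []
    while stream:
        if len(stream) < 8:
            raise ValueError('truncated PTP/IP header')
        length, ptype = struct.unpack_from('<II', stream)
        if length < 8 or length > len(stream):
            raise ValueError('bad PTP/IP length field %d' % length)
        out.append((ptype, stream[8:length]))
        stream = stream[length:]
    return out

def decode_ptp_string(buf):
    """Inverse of ptp_string; rejects a count that runs past the buffer."""
    n = buf[0]
    units = buf[1:1 + 2 * n]
    if n == 0 or len(units) != 2 * n or units[-2:] != b'\x00\x00':
        raise ValueError('malformed PTP string')
    return units[:-2].decode('utf-16-le')
```

Calling set_datetime_exchange(0x1B, '20180327T201530.0') yields packets of 22, 20 and 49 bytes, matching the 0x16, 0x14 and 0x31 length words in the capture.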