Hacking Eken H9R

Stuff I am working on
Daniel Wee
Site Admin
Posts: 2129
Joined: Wed 25 Feb 25 2009 8:00 pm

Hacking Eken H9R

Post by Daniel Wee » Fri 09 Mar 09 2018 6:14 pm

Attachments
DC-X005.pdf
(750.95 KiB) Downloaded 13 times
10.1.1.849.8502.pdf
(348.88 KiB) Downloaded 12 times
pc_ieee_trans_consumer_elect_2005_b.pdf
(735.04 KiB) Downloaded 12 times

Daniel Wee
Site Admin
Posts: 2129
Joined: Wed 25 Feb 25 2009 8:00 pm

Re: Hacking Eken H9R

Post by Daniel Wee » Fri 23 Mar 23 2018 11:59 pm

Network Radar scan from 1-9000 reveals only:-

port 21: FTP
port 554: RTSP

WireShark reveals:-

port 53: DNS
port 554: RTSP
port 6970: RDT possible malformed
port 6971: RTCP
port 6972: RTP
port 6973: RTCP
port 6974: RTP unknown version
port 6975: RTCP
port 6999: RTCP
port 15740: Picture Transfer Protocol PTP/IP

Daniel Wee
Site Admin
Posts: 2129
Joined: Wed 25 Feb 25 2009 8:00 pm

Re: Hacking Eken H9R

Post by Daniel Wee » Sat 24 Mar 24 2018 8:02 am

It appears that the H9R uses PTP/IP to control camera functions. Updates to camera seem to use RTSP and file handling uses FTP.

It is possible to FTP into 192.168.1.1 which accepts any non-zero user and password. However any instructions attempting to list the files seem to close the connection down. It is unclear if this actually closes the link altogether since some commands still work. Needs more investigation.

Update

Okay, we seem to have gotten something working here. Login as per usual but this drops you into the root directory. To download files, one must first navigate to the PHOTO or VIDEO directory.

cd / *optional. Starts in root directory
cd PHOTO
get FHD0005.JPG

Filenames are all in caps.

Totally works with FileZilla!!!!


Daniel Wee
Site Admin
Posts: 2129
Joined: Wed 25 Feb 25 2009 8:00 pm

Re: Hacking Eken H9R

Post by Daniel Wee » Mon 26 Mar 26 2018 7:43 pm

RTSP

rtsp://192.168.1.1
rtsp://192.168.1.1/MJPG?W=640&H=360&Q=50&BR=5000000/track1

Can be viewed with VLC network stream option

Daniel Wee
Site Admin
Posts: 2129
Joined: Wed 25 Feb 25 2009 8:00 pm

Re: Hacking Eken H9R

Post by Daniel Wee » Mon 26 Mar 26 2018 8:32 pm

Wi-Fi mode can only be connected to if SD card is present. Without the card, I think the camera behaves like a USB camera.

Daniel Wee
Site Admin
Posts: 2129
Joined: Wed 25 Feb 25 2009 8:00 pm

Re: Hacking Eken H9R

Post by Daniel Wee » Tue 27 Mar 27 2018 3:08 pm

ptpip.py

Program can be made to work but contains a number of bugs that seems to be preventing proper communications:-

1. Malformed GUID packet
- needs to be encoded into utf-16 [line 202]
- needs version

self.hostname = self.hostname.encode('utf-16')
self.version = '\x00\x00\x01\x00'

2. data_length not declared before use
- lines 102 and 122 needs further indent
- unclear if lines 107 and 125 needs to be indented. Should be indented.

3. session_id wrongly formatted
- in line 28, the use of session_id will not unpack correctly
- this is using binary packed string with value 0 and length 4 (unsigned integer)
- but the following section requires a packed string of length 8 (unsigned long)
- this needs to be corrected

if len(self.session_id) == 4:
self.session_id = struct.pack('L', int(struct.unpack('I', self.session_id)[0]))

4. session_id initial value
- as stated in #3 above, the default initial session ID value is 0
- captured traffic indicates initial session ID as 1
- may have to be changed

Daniel Wee
Site Admin
Posts: 2129
Joined: Wed 25 Feb 25 2009 8:00 pm

Re: Hacking Eken H9R

Post by Daniel Wee » Tue 27 Mar 27 2018 3:57 pm

Command sequence from captured transactions:-

> Init Command Request GUID, Name
< Init Command Act Connection GUID, Name
> OpenSession 0x1002
< Start Data Packet
> GetDeviceInfo 0x1001
< Start Data Packet (239-bytes of data)
> Operation Request Packet 0x1007
< End Data Packet
> GetStorageIDs 0x1004
< Start Data Packet

whole bunch of Operation Request Packets

> Operation Request Packet 0x9601 *one of these are erroneous, both share same transaction ID
> Operation Request Packet 0xa601 *this one is probably wrong
< Event Packet 0xc601, Transaction ID: -1
; actually maybe it's supposed to be like this. This same pattern appears in a different file

> Operation Request Packet 0x1014

> Operation Request Packet 0x9601
> Operation Request Packet 0x1015 - GetDevicePropValue: Device Property Value
> GetDeviceInfo 0x1001
> Operation Request Packet 0x1014

whole bunch of the same 0x1014 - GetDevicePropDesc: Device Property Description, contains param being requested

> Operation Request Packet 0x9601
> Operation Request Packet 0x1014 *multiple
> Operation Request Packet 0x1015
> Operation Request Packet 0x1014
> Operation Request Packet 0x1015
> Operation Request Packet 0x1014
> Operation Request Packet 0x1014
> Operation Request Packet 0x1016
> Operation Request Packet 0x2001
> Operation Request Packet 0xa601
> Operation Request Packet 0x1015
> Operation Request Packet 0x1014 *multiple
> Operation Request Packet 0x9601 *multiple
> Operation Request Packet 0x1014

> GetStorageIDs 0x1004
> Operation Request Packet 0x1005

Second capture: 815pm.pcap
*Connect, Change to camera mode, Capture, Disconnect

Init Command Request GUID
OpenSession
GetDeviceInfo
Operation Request Packet: 0x1007 = GetObjectHandles
GetStorageIDs
Operation Request Packet: 0x1007 = GetObjectHandles
Operation Request Packet: 0x9601
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1015 = GetDevicePropValue
Operation Request Packet: 0x9601
GetDeviceInfo

whole bunch of 0x1014 with some 0x1015

> Operation Request Packet: 0x1016 = SetDevicePropValue: 0x5011
> Start Data Packet: len=20, payload for SetDevicePropValue, timestring
* This combination sets the time and date

GetStorageIDs
Operation Request Packet: 0x1005 = GetStorageInfo
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1015 = GetDevicePropValue
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x1014 = GetDevicePropDesc

> Operation Request Packet: 0x1016 = SetDevicePropValue, 0xd604
> Start Data Packet: len=2, payload for SetDevicePropValue, ????
* This combination seems to be a mode change

Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1005 = GetStorageInfo
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1015 = GetDevicePropValue
Operation Request Packet: 0x1005 = GetStorageInfo
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x1014 = GetDevicePropDesc
Operation Request Packet: 0x9601
Operation Request Packet: 0x100e = Initiate Capture (start shooting)
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601
Operation Request Packet: 0x1005 = GetStorageInfo
Operation Request Packet: 0x9601
Operation Request Packet: 0x9601

Daniel Wee
Site Admin
Posts: 2129
Joined: Wed 25 Feb 25 2009 8:00 pm

Re: Hacking Eken H9R

Post by Daniel Wee » Tue 27 Mar 27 2018 7:40 pm

Packets to ports 6970-6977, 6998-6999

The ports seem to be paired in their function. The pattern seems to be

6970 - malformed
6971 - 0-bytes
6970 - malformed
6971 - 0-bytes

6972 - cefaedfe
6973 - 0-bytes
6972 - cefaedfe
6973 - 0-bytes

6974 - cefaedfe
6975 - 0-bytes
6974 - cefaedfe
6975 - 0-bytes

6976 - cefaedfe
6977 - 0-bytes
6976 - cefaedfe
6977 - 0-bytes

6998 - cefaedfe
6999 - 0-bytes
6998 - cefaedfe
6999 - 0-bytes

Daniel Wee
Site Admin
Posts: 2129
Joined: Wed 25 Feb 25 2009 8:00 pm

Re: Hacking Eken H9R

Post by Daniel Wee » Wed 28 Mar 28 2018 4:38 pm

Command to set date: Investigation

Operation Request Packet
Data Phase Info: (4-bytes) 0x00000001
Cmd: (2-bytes) 0x1016 = SetDevicePropValue
Transaction ID: (4-bytes) 0x0000001b
0x00005011 [11 50 00 00] = Property: DateTime [see properties table in PTP-IP Reference]

Structure of TCP packet:
TCP header
4-bytes of length = length of payload + 4 (length of these 4-bytes) *assigned in send_data()
data payload = *assigned in PtpIpCmdRequest()
4-bytes packet operation type (0x00000006)
4-bytes Data phase (0x00000001)
2-bytes Operation code (0x1016)
4-bytes Transaction ID (0x0000001b) *varies
4-bytes Property ID (0x00005011)

Start Data Packet
Length: (4-bytes) 0x00000014 (decimal 20)
Transaction ID: (4-bytes) 0x0000001b [same as above]
Total data-length: (8-bytes) 0x0000000000000025 (decimal 37)

0x00000031 [31 00 00 00] (decimal 49)
0x0000000c [0c 00 00 00] (decimal 12)
0x0000001b [1b 00 00 00] (decimal 27) *could be transaction or session id
0x12 [12] (decimal 18) *could be the length of the following string in utf-8

unicode "20180327T201530.0" (17-chars, 34-bytes)
0x0000 [00 00]

Structure of TCP packet:
TCP header
4-bytes of length = length of partial payload + 4 *assigned in send_data()
partial payload = *assigned in ??
4-bytes packet type: Start Packet (0x00000009)
4-bytes Transaction ID (0x0000001b) *varies
8-bytes Total data length, including remainder of payload (0x0000000000000025) [decimal 37]
remainder of payload
0x00000031
0x0000000c
0x0000001b
37-bytes of payload = 1-byte of strlen + 18-words of unicode character including null terminator word


The payload is preceded by a single byte indicating the length of the string in characters inclusive of terminating null. In this case, 18.

Essentially, the payload is just an len-18 string made up of the null-terminated datetime string. This is encoded into utf-16 and so takes up 36-bytes

The total of the above is 37-bytes.

Post Reply