defogger

defogger copied to clipboard

Hi - does this work for the DCS-8100LH as well? Mine has FW v2.01 pre-installed which doesn't allow local streaming. Thanks!

smd100 [email protected] writes:

Hi - does this work for the DCS-8100LH as well? Mine has FW v2.01 pre-installed which doesn't allow local streaming. Thanks!

I have not tried, so I don't know. But the code base is most likely the same, so it is definitely possible. There's only one way to find out ;-)

Someone else tried defogger with a DCS-8010LH, but that failed because the name characteristic was unreadable. My simple code didn't account for that. But it's pretty easy to work around. Similar minor problems could affect other models.

Bjørn

Thanks - will give it a try and get back to you!

On Mon, 7 Oct 2019 at 03:35, Bjørn Mork [email protected] wrote:

smd100 [email protected] writes:

Hi - does this work for the DCS-8100LH as well? Mine has FW v2.01 pre-installed which doesn't allow local streaming. Thanks!

I have not tried, so I don't know. But the code base is most likely the same, so it is definitely possible. There's only one way to find out ;-)

Someone else tried defogger with a DCS-8010LH, but that failed because the name characteristic was unreadable. My simple code didn't account for that. But it's pretty easy to work around. Similar minor problems could affect other models.

Bjørn

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/bmork/defogger/issues/9?email_source=notifications&email_token=ABDA7J2I7NUDWOEBDQW7ADTQNIHVJA5CNFSM4I5XCU72YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEAOOHPI#issuecomment-538764221, or mute the thread https://github.com/notifications/unsubscribe-auth/ABDA7JZBLZKSUOPCUEBAPG3QNIHVJANCNFSM4I5XCU7Q .

-- E-mail: [email protected] Mobile: +61 403 863739 Skype: steve_draper

My model is DCS-P6000LH, if i try it , could i have a brick?? or can it be reversed?

@bmork , you say: "Please let me know if you have an original v2.01.03 firmware update from D-Link, or any other version for that matter, or know where firmware updates can be downloaded."

I find this firmware in "https://es.mydlink.com/download":

http://d2okd4tdjucp2n.cloudfront.net/DCS-8000LH/DCS-8000LH_A1_FW_v1.02.04.zip

Release notes: http://d2okd4tdjucp2n.cloudfront.net/DCS-8000LH/DCS-8000LH_A1_Release_Notes_for_FW_v1.02.04.pdf

More firmware versions in (GPL source code): http://tsd.dlink.com.tw/GPL.asp

regards,

Dave Code [email protected] writes:

My model is DCS-P6000LH, if i try it , could i have a brick?? or can it be reversed?

The tools I've made will interact with the camera firmware in ways the firmware hasn't been tested with. There is no way to know for sure how the firmware will behave. It could do something stupid in response to even the most innocent looking tests. So yes, bricking it is possible. No guarantees given.

But there are ways to reduce the risk. Explore first, without changing anything persistent. Look at the source code and see what it does. The readme file documents pretty much everything I did to explore my camera.

Reading from the camera should be pretty safe.

Writing persistent variables is slightly more risky. It will not destroy any parts of the firmware, but could make important services fail. Which can be effectively a brick if you have no way to go back.

Abusing firmare bugs, like I do to gain access to the camera without using a console, is risky. It depends on a feature/bug which has not been tested by anyone else. Or it wouldn't exist... The behaviour is unpredictable until tested and verified.

Overwriting parts of the firmware, like I do for permanent HTTP access, is obviously very risky. This works fine on the DCS-8000LH because the MyDlink software is pretty isolated in a separate file system on a separate flash partition, and the main firmware doesn't validate it in any way. But other cameras could be different... I would not try this unless I was prepared for a brick.

I'd recommend looking for a console connector first. It's probably not worth the trouble if you have to break the case or solder a header. But if you're lucky then it is easily acessible like on the DCS-8000LH. Note that console access still won't solve all problems. But it makes it easier to see, and hopefully fix, minor issues. Fixing a broken firmware will still be difficult without a way to boot from anything but flash (don't know if the DCS-P6000LH has any other boot device? like ethernet, USB or SD-card? ). Transferring an image over a serial link might be possible, but will require some patience. And a working image... Fixing a broken bootloader is even worse. I consider that out of my league, although I'm sure there are people who can do it. At least if they have a working bootloader image.

FWIW, I considered my camera "broken" before I started this project, since it was useless to me without direct video streaming. I probably wouldn't have done it if I had a working camera.

Dave Code [email protected] writes:

@bmork , you say: "Please let me know if you have an original v2.01.03 firmware update from D-Link, or any other version for that matter, or know where firmware updates can be downloaded."

I find this firmware in "https://es.mydlink.com/download":

http://d2okd4tdjucp2n.cloudfront.net/DCS-8000LH/DCS-8000LH_A1_FW_v1.02.04.zip

Thanks. I should update that text. I found a few firmware revisions after writing that. and now have all these:

-rw-r--r-- 1 bjorn bjorn 10547200 May 15 21:23 DCS-8000LH-1.00.05_1007.bin
-rw-r--r-- 1 bjorn bjorn 10506240 May 15 21:23 DCS-8000LH-1.01.01_1203.bin
-rw-r--r-- 1 bjorn bjorn 11182080 May 15 21:23 DCS-8000LH-2.00.05_1508.bin
-rw-r--r-- 1 bjorn bjorn 11161600 May 15 21:23 DCS-8000LH-2.01.03_2206.bin
-rw-r--r-- 1 bjorn bjorn 11212800 Apr  9  2019 DCS-8000LH_Ax_v2.02.02_3014.bin

This has helped when trying to analyse the firmware update process. It doesn't seem to change much. Which makes sense, of course.

I think my model is very similar dcs-8000lh, i install camera with mydlink and when i send "nmap 192.168.x.x" i received: Nmap scan report for 192.168.x.x Host is up (0.031s latency). Not shown: 996 closed ports PORT STATE SERVICE 554/tcp filtered rtsp 8080/tcp open http-proxy 8081/tcp open blackice-icecap 8088/tcp open radan-http

When I navigate to 192.168.x.x:8088 system ask user and password, user i think is "admin" but password i dont know, first i want is know this passwd or change or disable it. how can i do it?

First i need know if i need to do factory reset and how can i do it?.

And before I want to open 554 rtsp (i think it is more risk)

my camera only have bluetooth and serial , i think is similiar dcs-8000lh

can you help me

PS Sorry , my english is bad

I try it now and connect well done and show me the cam ip config

pi@hassbian:~ $ sudo python3 dcs8000lh-configure.py xx:xx:xx:xx:xx:xx PINCODE --netconf Connecting to xx... Verifying IPCam service Connected to 'DCS-P6000LH-xxxx' wifi link is Up wifi config: {'M': 'x', 'I': 'xxx', 'S': 'x', 'E': 'x'} ip config: {'I': '192.168.0.x', 'N': '255.255.255.0', 'G': '192.168.0.x', 'D': '192.168.0.x'} Done.

Now work for me do telnet to my ip , I am very surprised, thanks for your work

Can i read now password for port 8088 without persistent change in camera?

Dave Code [email protected] writes:

I try it now and connect well done and show me the cam ip config

pi@hassbian:~ $ sudo python3 dcs8000lh-configure.py xx:xx:xx:xx:xx:xx PINCODE --netconf Connecting to xx... Verifying IPCam service Connected to 'DCS-P6000LH-xxxx' wifi link is Up wifi config: {'M': 'x', 'I': 'xxx', 'S': 'x', 'E': 'x'} ip config: {'I': '192.168.0.x', 'N': '255.255.255.0', 'G': '192.168.0.x', 'D': '192.168.0.x'} Done.

That's great! Thanks for letting me know.

If you want to verify the Bluetooth "set password" security hole used to run arbitrary commands without risking anything, then you could download the GPL source from D-Link and look at it. D-Link are among the best wrt actually providing real GPL source. So download the source for the DCS-P6000LH and take a quick look.

You'll probably find all the mydlink Bluetooth features in a single patch, which is named DCS-8000LH-GPL/package/bluez_utils/feature-patch/5.28/customized-mydlink.patch on the DCS-8000LH. I assume it will be similar for the DCS-6000LH.

I've described the security hole here, compressing the function calls somewhat for clarity: https://github.com/bmork/defogger#a201

It's all pretty obvious if you look at the code...

So D-Link programmers are as bad as the rest of them, but I still think they deserve real credit for publishing their code! This alone is reason enough to choose D-Link products for me :-)

Dave Code [email protected] writes:

I think my model is very similar dcs-8000lh, i install camera with mydlink and when i send "nmap 192.168.x.x" i received: Nmap scan report for 192.168.x.x Host is up (0.031s latency). Not shown: 996 closed ports PORT STATE SERVICE 554/tcp filtered rtsp 8080/tcp open http-proxy 8081/tcp open blackice-icecap 8088/tcp open radan-http

When I navigate to 192.168.x.x:8088 system ask user and password, user i think is "admin" but password i dont know, first i want is know this passwd or change or disable it. how can i do it?

I believe the password was unset or random by default on the DCS-8000LH. The Bluetooth "set admin password" command should set it.

First i need know if i need to do factory reset and how can i do it?.

I don't think it is necessary. Pressing the reset button for a very long time (10 seconds or more) will probably factory reset it.

And before I want to open 554 rtsp (i think it is more risk)

my camera only have bluetooth and serial , i think is similiar dcs-8000lh

If you're thinking about the risk of exposing this on the Internet, then I don't think that's wise without some sort of firewalling in any case. That's not specific to this camera, or D-Link cameras. No IP camera I know of receives security updates often enough to actually be secure.

Thnks for you, I widely have exceeded the objectives I was looking for with this camera

Now work for me HTTP NIPCA API for enable, disable motion and other very interesting options http://admin:[pincode]@192.168.x.x/config/motion.cgi?enable=no

And work for me rtsp live cam with user admin and password pin code. http://admin:[pincode]@192.168.x.x/config/rtspurl.cgi?profileid=1

with vlc: rtsp://admin:[pincode]@192.168.x.x/live/profile.0

I no need to change fw and do all with your bluetooth access options (dcs8000lh-configure.py).

thnks a lot

On my 8100LH, I can only run scripts in the 'common' folder, but not the 'config' or 'video' folder. For example if I do this (replacing '123456' with my PIN code): curl -u admin:123456 http://192.168.1.10/common/info.cgi I get about 20 lines of camera info.

But this: curl -u admin:123456 http://192.168.1.10/config/datetime.cgi results in:

<html>
<body>
<h1>Unauthorized</h1>
Please enter correct account/password.
</body>
</html>

And the same for this: curl --insecure -u admin:123456 https://192.168.2.37/video/mpegts.cgi>/tmp/stream Obviously, I cannot connect to a video stream with VLC either for the same reason.

Any idea why? (On telnet-ing into the camera, the 'common', 'config' and 'video' folders and files have the same permissions.)

smd100 [email protected] writes:

On my 8100LH, I can only run scripts in the 'common' folder, but not the 'config' folder. For example if I do this (replacing '123456' with my PIN code): curl -u admin:123456 http://192.168.1.10/common/info.cgi I get about 20 lines of camera info.

But this: curl -u admin:123456 http://192.168.1.10/config/datetime.cgi results in:

<html>
<body>
<h1>Unauthorized</h1>
Please enter correct account/password.
</body>
</html>

Any idea why? (On telnet-ing into the camera, the 'common' and 'config' folders and files have the same permissions.)

I don't know why. You could try looking at the generated files in /tmp/lighttpd-* and see if you can figure it out based on these. They are written by /etc/rc.d/init.d/lighttpd.sh on boot, partly based on NVRAM variables like AdminUser_ss etc. All the web server auth rules should be there.

I looked at the differences between the DCS-8000LH and DCS-8100LH:

--- /home/bjorn/docs/hardware/dlink/dcs8000lh/fw-2.02.02/root/etc/rc.d/init.d/extra_lighttpd.sh	2019-02-14 10:58:36.000000000 +0100
+++ etc/rc.d/init.d/lighttpd.sh	2019-10-27 13:47:45.492394836 +0100
@@ -2,20 +2,18 @@
 
 daemon=lighttpd
 PATH=$PATH:/sbin
-boot_mode=`pibinfo BootMode`
 
-Server_Enabled=$(tdb get HTTPServer Enable_byte)
-if [ $boot_mode = "normal" ] && [ $Server_Enabled -eq "0" ]; then
-	exit  0
-fi
-
-if [ "$(tdb get System OEM_ss)" == "Alphanetworks" ] || [ "$(tdb get System OEM_ss)" == "Trendnet" ]; then
-	method=digest           
+Model=`tdb get System Model_ss`
+if [ "$(tdb get System OEM_ss)" == "D-Link" ] || [ "$(tdb get System OEM_ss)" == "Alphanetworks" ] || [ "$(tdb get System OEM_ss)" == "Trendnet" ] || [ "$(tdb get System OEM_ss)" == "Vivint" ]; then
+	method=digest
 else
 	method=basic
 fi
 
-IPv6_Enabled=$(tdb get IPv6 Enable_byte)
+dev_method=$method
+if [ "$(tdb get System OEM_ss)" == "Vivint" ]; then
+	dev_method=basic
+fi
 
 die() {
 	echo $@
@@ -28,10 +26,14 @@
 
 dumpAccountKey() {
 	echo -n "\
-AdminUser_ss 
-AdminPasswd_ss
 LiveAuth_byte
 SnapAuth_byte
+AdminUser_ss 
+AdminPasswd_ss
+AdminUser2_ss 
+AdminPasswd2_ss
+AdminUser3_ss 
+AdminPasswd3_ss
 User1_ss
 Password1_ss
 User2_ss
@@ -107,11 +109,43 @@
 }
 
 setupAdmin() {
-	cat > /tmp/lighttpd-htdigest.user << EOM
+	cat >> /tmp/lighttpd-htdigest.user << EOM
 $1:$mac_realm:$(md5hex "$1:$mac_realm:$2")
 $1:nipca:$(md5hex "$1:nipca:$2")
 $1:onvif:$(md5hex "$1:onvif:$2")
+$1:PSIA:$(md5hex "$1:PSIA:$2")
+$1:OpenHome:$(md5hex "$1:OpenHome:$2")
 EOM
+	if [ $Model == "CS-6022" ]; then
+		GettyConsole=`tdb get GettyConsole Enable_byte`
+		echo -n "GettyConsole=$GettyConsole... "
+	fi
+
+	if [ "$GettyConsole" == "0" ]; then
+		#sed -i '1s/sh/123/' /etc/passwd
+		sed -i '8s/::respawn/#::respawn/' /etc/inittab
+		kill -HUP 1 >/dev/null 2>/dev/null
+		killall -9 -sh >/dev/null 2>/dev/null
+	else
+		#sed -i '1s/123/sh/' /etc/passwd
+		sed -i '8s/#::respawn/::respawn/' /etc/inittab
+		kill -HUP 1 >/dev/null 2>/dev/null
+		# for console login and telnet
+		if [ "$(tdb get System OEM_ss)" != "D-Link" ]; then
+			if [ $(pibinfo BootMode) == "mfg" ]; then
+				{ [ "$2" ] && echo "root:$2" || echo "root:admin"; } | chpasswd -m >/dev/null 2>/dev/null
+			else
+				{ [ "$2" ] && echo "root:$2" || echo "root:"; } | chpasswd -m >/dev/null 2>/dev/null
+			fi
+		else
+			[ -x /bin/console_secure ] && /bin/console_secure
+		fi
+		#if [ "$2" ];then
+		#	echo "root:$2" | chpasswd -m >/dev/null 2>/dev/null
+		#else
+		#	sed -i 's/^root:x:/root::/' /etc/passwd
+		#fi
+	fi
 }
 
 setupUser() {
@@ -119,11 +153,13 @@
 $1:$mac_realm:$(md5hex "$1:$mac_realm:$2")
 $1:nipca:$(md5hex "$1:nipca:$2")
 $1:onvif:$(md5hex "$1:onvif:$2")
+$1:PSIA:$(md5hex "$1:PSIA:$2")
+$1:OpenHome:$(md5hex "$1:OpenHome:$2")
 EOM
 }
 
 setupAuth() {
-lighttpd_lang="eng|cht|chn|de|es|it|fr|pt"
+lighttpd_lang="eng|chn|cht|de|es|it|fr|pt"
 # valid-user depend on auth settings
 if [ "$LiveAuth_byte" -eq 1 ]; then
 # snap auth
@@ -150,7 +186,7 @@
 EOM
 fi
 cat << EOM
-\$HTTP["url"] =~ "^/(video|audio|m|dev|cgi|directview|volumes|$lighttpd_lang)/" {
+\$HTTP["url"] =~ "^/(video|audio|wss|m|cgi|directview|volumes|$lighttpd_lang)/" {
 	auth.require = ( "" =>
 		(
 			"method" => "$method",
@@ -159,25 +195,24 @@
 		)
 	)	
 }	
-\$HTTP["url"] =~ "^/(av2|event2|play2|dev2)/" {
+\$HTTP["url"] =~ "^/(dev)/" {
 	auth.require = ( "" =>
 		(
-			"method" => "digest",
+			"method" => "$dev_method",
 			"realm" => "$mac_realm",
 			"require" => "valid-user"
 		)
-	)
-}
-\$HTTP["url"] =~ "^/wss" {
+	)	
+}	
+\$HTTP["url"] =~ "^/(av2|event2|play2|dev2)/" {
 	auth.require = ( "" =>
 		(
-			"method" => "$method",
+			"method" => "digest",
 			"realm" => "$mac_realm",
 			"require" => "valid-user"
 		)
 	)
 }
-
 \$HTTP["url"] =~ "^/(users|ptz)/" {
 	auth.require = ( "" =>
 		(
@@ -187,24 +222,6 @@
 		)
 	)
 }
-\$HTTP["url"] =~ "^/vaview.htm" {               
-        auth.require = ( "" =>                   
-        (                                                                       
-                "method" => "$method",       
-                "realm" => "$mac_realm",     
-                "require" => "valid-user"    
-        )                                    
-        )                                    
-}
-\$HTTP["url"] =~ "^/vjview.htm" {               
-        auth.require = ( "" =>                   
-        (                                                                       
-                "method" => "$method",       
-                "realm" => "$mac_realm",     
-                "require" => "valid-user"    
-        )                                    
-        )                                    
-}
 EOM
 fi
 # admin always need auth
@@ -218,12 +235,30 @@
         )
     )
 }
+\$HTTP["url"] =~ "^/PSIA/" {
+	auth.require = ( "" =>
+        (
+            "method" => "digest",
+            "realm" => "PSIA",
+            "require" => "valid-user" 
+        )
+    )
+}
+\$HTTP["url"] =~ "^/OpenHome/" {
+	auth.require = ( "" =>
+        (
+            "method" => "basic",
+            "realm" => "OpenHome",
+            "require" => "valid-user" 
+        )
+    )
+}
 \$HTTP["url"] =~ "^/config/" {
 	auth.require = ( "" =>
         (
             "method" => "$method",
             "realm" => "nipca",
-            "require" => "user=$AdminUser_ss"
+            "require" => "user=$AdminUser_ss|user=$AdminUser2_ss|user=$AdminUser3_ss"
         )
 	)
 }
@@ -232,23 +267,36 @@
 		(
 			"method"  => "$method",
 			"realm"   => "$mac_realm",
-			"require" => "user=$AdminUser_ss" 
+			"require" => "user=$AdminUser_ss|user=$AdminUser2_ss|user=$AdminUser3_ss" 
+		)
+	)
+}
+EOM
+if [ "$(tdb get System OEM_ss)" == "Vivint" ]; then
+cat << EOM
+\$HTTP["url"] =~ "^/common/" {
+	auth.require = ( "" =>
+		(
+			"method" => "$method",
+			"realm" => "nipca",
+			"require" => "user=$AdminUser_ss|user=$AdminUser2_ss|user=$AdminUser3_ss"
 		)
 	)
 }
 EOM
+fi
 }
 
 start() {
 	! pids=$(pidof $daemon) || die "$daemon($pids) is already running."
-	echo -n "Startting $daemon... "
+	echo -n "Starting $daemon... "
 	[ -x $binary ] || die "$binary is not a valid application"
 	export LD_LIBRARY_PATH=$prefix/lib
 	export PREFIX=$prefix
 	readAccount
 	HttpPort_num=$(tdb get HTTPServer Port_num)
 	if [ -n "$(lighttpd -v | grep ssl)" ] ; then
-		[ -x $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh ] && SSLEnable_b=$(tdb get HTTPS Enable_byte) || SSLEnable_b=0
+		[ -x $prefix/etc/rc.d/init.d/lighttpd_ssl.sh ] && SSLEnable_b=$(tdb get HTTPS Enable_byte) || SSLEnable_b=0
 	else
 		SSLEnable_b="0"
 	fi
@@ -262,15 +310,13 @@
 	echo "auth.require.accept.provision = $(admin-accept)" >> /tmp/lighttpd-inc.conf 
 	echo "auth.require.accept.url = \"/auth/\""  >> /tmp/lighttpd-inc.conf 
 	echo "auth.require.accept.pattern = \"\/auth\/.*|\/config\/user_mod.cgi\""  >> /tmp/lighttpd-inc.conf 
+	echo "auth.require.accept.csrfflag = $(tdb get HTTPServer CSRFEnable_byte)" >> /tmp/lighttpd-inc.conf
 	[ -f "/sbin/ecr_client" ] && \
 	echo "server.max-keep-alive-requests = 128" >> /tmp/lighttpd-inc.conf && \
 	echo "server.max-keep-alive-idle = 30" >> /tmp/lighttpd-inc.conf && \
 	echo "server.max-read-idle = 60" >> /tmp/lighttpd-inc.conf && \
 	echo "server.max-write-idle = 360" >> /tmp/lighttpd-inc.conf
 
-	# csrf enable or not
-	echo "auth.require.accept.csrfflag = $(tdb get HTTPServer CSRFEnable_byte)" >> /tmp/lighttpd-inc.conf
-
 	[ -e "/tmp/www" ] && rm -rf /tmp/www
 	[ -e "/tmp/www/cgi" ] && rm -rf /tmp/www/cgi
 
@@ -312,17 +358,24 @@
 		ln -sf /var/www/config /tmp/www/config 
 		ln -sf /var/www/cgi/eventstream.cgi /tmp/www/cgi/eventstream.cgi 
 		ln -sf /var/www/cgi/web_event.cgi /tmp/www/cgi/web_event.cgi 
+		echo 'server.document-root = env.PREFIX + "/tmp/www/"' >> /tmp/lighttpd-inc.conf
+		#echo "server.document-root = $docRoot" >> /tmp/lighttpd-inc.conf
+	else
+		echo 'server.document-root = env.PREFIX + "/var/www/"' >> /tmp/lighttpd-inc.conf
 		#echo "server.document-root = $docRoot" >> /tmp/lighttpd-inc.conf
 	fi
-
-	#enable ipv6
+	#HttpPort setting
 	echo "server.port = $HttpPort_num" >> /tmp/lighttpd-inc.conf
-	if [ $IPv6_Enabled -eq "1" ]; then 
-		echo "\$SERVER[\"socket\"] == \"[::]:$HttpPort_num\" {server.use-ipv6 = \"enable\"}" >> /tmp/lighttpd-inc.conf
-	fi 
+
+	# enable ipv6
+	#echo "\$SERVER[\"socket\"] == \"[::]:$HttpPort_num\" {server.use-ipv6 = \"enable\"}" >> /tmp/lighttpd-inc.conf
 	setupAuth >> /tmp/lighttpd-inc.conf
-	# create dynamic user conf
-	setupAdmin "$AdminUser_ss" "$AdminPasswd_ss"
+	#create dynamic user conf
+	#setupAdmin "$AdminUser_ss" "$AdminPasswd_ss"
+	echo -n "" > /tmp/lighttpd-htdigest.user 
+	[ "$AdminUser_ss" != "" ] && setupAdmin "$AdminUser_ss" "$AdminPasswd_ss"
+	[ "$AdminUser2_ss" != "" ] && setupAdmin "$AdminUser2_ss" "$AdminPasswd2_ss"
+	[ "$AdminUser3_ss" != "" ] && setupAdmin "$AdminUser3_ss" "$AdminPasswd3_ss"
 	[ "$User1_ss" != "" ] && setupUser "$User1_ss" "$Password1_ss"
 	[ "$User2_ss" != "" ] && setupUser "$User2_ss" "$Password2_ss"
 	[ "$User3_ss" != "" ] && setupUser "$User3_ss" "$Password3_ss"
@@ -351,18 +404,58 @@
 	#if sd card is already inserted, we should check
 	[ -d "/mnt/usb/$model" ] && [ ! -L "/var/www/volumes/local" ] && ln -sf /mnt/usb/$model /var/www/volumes/local
 	# start...
-	$binary -f $prefix/etc/lighttpd/lighttpd.conf -m $prefix/lib
-	echo "ok."
-	#[ "$SSLEnable_b" = "1" -o "$SSLEnable_b" = "2" ] && $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh start
-	[ $boot_mode = "normal" ] && [ -x $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh ]  && $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh start $prefix
-	kill -USR1 $(pidof rtspd | cut -d' ' -f1)
+	WebAccess_b=$(tdb get HTTPServer _WebAccess2_byte) || WebAccess_b=1
+	# web always enable in mfg mode
+	[ $(pibinfo BootMode) == "mfg" ] && WebAccess_b=1
+	if [ "$WebAccess_b" = "0" ] ; then
+		$binary -f $prefix/etc/lighttpd/lighttpd_noweb.conf -m $prefix/lib
+		echo "no web access ok."
+	else
+		$binary -f $prefix/etc/lighttpd/lighttpd.conf -m $prefix/lib
+		echo "ok."
+	fi
+	#[ "$SSLEnable_b" = "1" -o "$SSLEnable_b" = "2" ] && $prefix/etc/rc.d/init.d/lighttpd_ssl.sh start
+	if [ "$(pibinfo BootMode)" != "mfg" ]; then
+	[ -x $prefix/etc/rc.d/init.d/lighttpd_ssl.sh ]  && $prefix/etc/rc.d/init.d/lighttpd_ssl.sh start $prefix
+	fi
 }
 
+create_user_list() {
+	echo -n "" > /tmp/lighttpd-htdigest.user 
+	[ "$AdminUser_ss" != "" ] && setupAdmin "$AdminUser_ss" "$AdminPasswd_ss"
+	[ "$AdminUser2_ss" != "" ] && setupAdmin "$AdminUser2_ss" "$AdminPasswd2_ss"
+	[ "$AdminUser3_ss" != "" ] && setupAdmin "$AdminUser3_ss" "$AdminPasswd3_ss"
+	[ "$User1_ss" != "" ] && setupUser "$User1_ss" "$Password1_ss"
+	[ "$User2_ss" != "" ] && setupUser "$User2_ss" "$Password2_ss"
+	[ "$User3_ss" != "" ] && setupUser "$User3_ss" "$Password3_ss"
+	[ "$User4_ss" != "" ] && setupUser "$User4_ss" "$Password4_ss"
+	[ "$User5_ss" != "" ] && setupUser "$User5_ss" "$Password5_ss"
+	[ "$User6_ss" != "" ] && setupUser "$User6_ss" "$Password6_ss"
+	[ "$User7_ss" != "" ] && setupUser "$User7_ss" "$Password7_ss"
+	[ "$User8_ss" != "" ] && setupUser "$User8_ss" "$Password8_ss"
+	[ "$User9_ss" != "" ] && setupUser "$User9_ss" "$Password9_ss"
+	[ "$User10_ss" != "" ] && setupUser "$User10_ss" "$Password10_ss"
+	[ "$User11_ss" != "" ] && setupUser "$User11_ss" "$Password11_ss"
+	[ "$User12_ss" != "" ] && setupUser "$User12_ss" "$Password12_ss"
+	[ "$User13_ss" != "" ] && setupUser "$User13_ss" "$Password13_ss"
+	[ "$User14_ss" != "" ] && setupUser "$User14_ss" "$Password14_ss"
+	[ "$User15_ss" != "" ] && setupUser "$User15_ss" "$Password15_ss"
+	[ "$User16_ss" != "" ] && setupUser "$User16_ss" "$Password16_ss"
+	[ "$User17_ss" != "" ] && setupUser "$User17_ss" "$Password17_ss"
+	[ "$User18_ss" != "" ] && setupUser "$User18_ss" "$Password18_ss"
+	[ "$User19_ss" != "" ] && setupUser "$User19_ss" "$Password19_ss"
+	[ "$User20_ss" != "" ] && setupUser "$User20_ss" "$Password20_ss"
+	[ "$Operator1_ss" != "" ] && setupUser "$Operator1_ss" "$OperatorPwd1_ss"
+	[ "$Operator2_ss" != "" ] && setupUser "$Operator2_ss" "$OperatorPwd2_ss"
+	[ "$Operator3_ss" != "" ] && setupUser "$Operator3_ss" "$OperatorPwd3_ss"
+	[ "$Operator4_ss" != "" ] && setupUser "$Operator4_ss" "$OperatorPwd4_ss"
+	[ "$Operator5_ss" != "" ] && setupUser "$Operator5_ss" "$OperatorPwd5_ss"
+}
 status() {
 	echo -n "$daemon"
 	pids=$(pidof $daemon) && echo "($pids) is running." || echo " is stop."
 	SSLEnable_b=$(tdb get HTTPS Enable_byte)
-	[ "$SSLEnable_b" = "1" -o "$SSLEnable_b" = "2" ] && [ -x $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh ]  && $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh status
+	[ "$SSLEnable_b" = "1" -o "$SSLEnable_b" = "2" ] && [ -x $prefix/etc/rc.d/init.d/lighttpd_ssl.sh ]  && $prefix/etc/rc.d/init.d/lighttpd_ssl.sh status
 }
 
 stop() {
@@ -371,9 +464,12 @@
 	kill $(echo $pids | cut -d' ' -f1)
 	sleep 1
 	pids=$(pidof $daemon) && killall -9 $daemon && sleep 1 && pids=$(pidof $daemon) && die "ng." || echo "ok."
-	[ -x $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh ] && $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh stop
-	#Send CMD_WEBSERVER_STOPPED command
-	send_cmd watchdog 777 0 0 > /dev/null 2>&1 
+
+	if [ "$(pibinfo BootMode)" != "mfg" ]; then
+	[ -x $prefix/etc/rc.d/init.d/lighttpd_ssl.sh ] && $prefix/etc/rc.d/init.d/lighttpd_ssl.sh stop
+	fi
+
+	[ -e $pools_info_bin ] && $pools_info_bin -r
 }
 
 
@@ -382,29 +478,31 @@
 	echo -n "Stopping $daemon... "
 	kill $(echo $pids | cut -d' ' -f1)
 	pids=$(pidof $daemon) && killall -9 $daemon && sleep 1 && pids=$(pidof $daemon) && die "ng." || echo "ok."
-	[ -x $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh ] && $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh stop
+	[ -x $prefix/etc/rc.d/init.d/lighttpd_ssl.sh ] && $prefix/etc/rc.d/init.d/lighttpd_ssl.sh stop
 
 	! pids=$(pidof $daemon) || die "$daemon($pids) is already running."
-	echo -n "Startting $daemon... "
+	echo -n "Starting $daemon... "
 	[ -x $binary ] || die "$binary is not a valid application"
 	export LD_LIBRARY_PATH=$prefix/lib
 	export PREFIX=$prefix
 	readAdmin
 	HttpPort_num=$(tdb get HTTPServer Port_num)
 	if [ -n "$(lighttpd -v | grep ssl)" ] ; then
-		[ -x $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh ] && SSLEnable_b=$(tdb get HTTPS Enable_byte) || SSLEnable_b=0
+		[ -x $prefix/etc/rc.d/init.d/lighttpd_ssl.sh ] && SSLEnable_b=$(tdb get HTTPS Enable_byte) || SSLEnable_b=0
 	else
 		SSLEnable_b="0"
 	fi
 
 	model=$( [ $(pibinfo Wireless) -eq 1 ] && tdb get System ModelW_ss || tdb get System Model_ss )
+	mac_realm="${model}_$(pibinfo MacAddress | cut -b 16-17)"
 
 	# create dynamic conf file.
 	[ "$HttpPort_num" != "" ] || HttpPort_num=80
 	echo > /tmp/lighttpd-inc.conf 
 	echo "auth.require.accept.provision = $(admin-accept)" >> /tmp/lighttpd-inc.conf 
 	echo "auth.require.accept.url = \"/auth/\""  >> /tmp/lighttpd-inc.conf 
-	echo "auth.require.accept.pattern = \"\/auth\/.*|\/config\/user_mod.cgi\""  >> /tmp/lighttpd-inc.conf 
+	echo "auth.require.accept.pattern = \"\/auth\/.*|\/config\/user_mod.cgi\""  >> /tmp/lighttpd-inc.conf
+	echo "auth.require.accept.csrfflag = $(tdb get HTTPServer CSRFEnable_byte)" >> /tmp/lighttpd-inc.conf
 	[ -f "/sbin/ecr_client" ] && \
 	echo "server.max-keep-alive-requests = 128" >> /tmp/lighttpd-inc.conf && \
 	echo "server.max-keep-alive-idle = 30" >> /tmp/lighttpd-inc.conf && \
@@ -450,23 +548,30 @@
 		ln -sf /var/www/config /tmp/www/config 
 		ln -sf /var/www/cgi/eventstream.cgi /tmp/www/cgi/eventstream.cgi 
 		ln -sf /var/www/cgi/web_event.cgi /tmp/www/cgi/web_event.cgi 
+		echo 'server.document-root = env.PREFIX + "/tmp/www/"' >> /tmp/lighttpd-inc.conf
+		#echo "server.document-root = $docRoot" >> /tmp/lighttpd-inc.conf
+	else
+		echo 'server.document-root = env.PREFIX + "/var/www/"' >> /tmp/lighttpd-inc.conf
 		#echo "server.document-root = $docRoot" >> /tmp/lighttpd-inc.conf
 	fi
 
 	#enable ipv6
 	echo "server.port = $HttpPort_num" >> /tmp/lighttpd-inc.conf
-	if [ $IPv6_Enabled -eq "1" ]; then 
-		echo "\$SERVER[\"socket\"] == \"[::]:$HttpPort_num\" {server.use-ipv6 = \"enable\"}" >> /tmp/lighttpd-inc.conf
-	fi
+	echo "\$SERVER[\"socket\"] == \"[::]:$HttpPort_num\" {server.use-ipv6 = \"enable\"}" >> /tmp/lighttpd-inc.conf
 	setupAuth >> /tmp/lighttpd-inc.conf
 	# create dynamic user conf
 	setupAdmin "$AdminUser_ss" "$AdminPasswd_ss"
 	# start...
-	$binary -f $prefix/etc/lighttpd/lighttpd.conf -m $prefix/lib
-	echo "ok."
-	#[ "$SSLEnable_b" = "1" -o "$SSLEnable_b" = "2" ] && $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh start
-	[ -x $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh ]  && $prefix/etc/rc.d/init.d/extra_lighttpd_ssl.sh start
-	kill -USR1 $(pidof rtspd | cut -d' ' -f1)
+	WebAccess_b=$(tdb get HTTPServer WebAccess2_byte) || WebAccess_b=1
+	if [ "$WebAccess_b" = "0" ] ; then
+		$binary -f $prefix/etc/lighttpd/lighttpd_noweb.conf -m $prefix/lib
+		echo "no web access ok."
+	else
+		$binary -f $prefix/etc/lighttpd/lighttpd.conf -m $prefix/lib
+		echo "ok."
+	fi
+	#[ "$SSLEnable_b" = "1" -o "$SSLEnable_b" = "2" ] && $prefix/etc/rc.d/init.d/lighttpd_ssl.sh start
+	[ -x $prefix/etc/rc.d/init.d/lighttpd_ssl.sh ]  && $prefix/etc/rc.d/init.d/lighttpd_ssl.sh start
 }
 
 action=$1
@@ -478,6 +583,7 @@
 
 conf=$prefix/etc/$daemon.conf
 binary=$prefix/sbin/$daemon
+pools_info_bin=$prefix/sbin/pools_info
 
 case $action in
 	start)
@@ -493,6 +599,12 @@
 	status)
 		status
 	;;
+	reload)
+		model=$( [ $(pibinfo Wireless) -eq 1 ] && tdb get System ModelW_ss || tdb get System Model_ss )
+		mac_realm="${model}_$(pibinfo MacAddress | cut -b 16-17)"
+		readAccount
+		create_user_list
+	;;
 	reloadAdmin)
 		reloadAdmin
 	;;

One notable difference is that the DCS-8100KH seems to use digest auth instead of basic. Maybe it's as simple as:

curl --digest -u admin:123456 http://192.168.1.10/config/datetime.cgi

?

Awesome! That's precisely it! Adding '--digest' did the job! Thank you.

Is there an equivalent for vlc command? If I type: vlc https://192.168.1.10/video/mpegts.cgi It says 'Connection failed. VLC could not connect to...' , presumably for the same reason?

I looked at the vlc source and believe it should work automatically. vls is parsing the WWW-Authenticate header returned with the 401 response, and will use digest auth if the camera web server returns a proper "Digest" header.

You can verify that the camera web server is requesting digest auth by using curl -D - https://192.168.1.10/video/mpegts.cgi. I get WWW-Authenticate: Basic realm="DCS-8000LH_00". You should get WWW-Authenticate: Digest .. with a nonce and more.

When I run this, I get: curl: (60) SSL certificate problem: self signed certificate If I add --insecure to the curl command, it shows what you predicted.

If I run: vlc https://192.168.1.10/video/mpegts.cgi It fails. Here is what the vlc log says:

-- logger module started --
main debug: VLC media player - 3.0.7 Vetinari
main debug: Copyright © 1996-2019 the VideoLAN team
main debug: revision 3.0.7-0-g86cee31
main debug: configured with ./configure  '--prefix=/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr' '--disable-wayland' '--enable-merge-ffmpeg' 'CFLAGS= -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/include -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/include' 'LDFLAGS= -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/lib/x86_64-linux-gnu -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/lib/x86_64-linux-gnu -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/lib/x86_64-linux-gnu -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/lib/x86_64-linux-gnu' 'CPPFLAGS= -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/include -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/include' 'CXXFLAGS= -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/include -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/include' 'PKG_CONFIG_PATH=:/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/share/pkgconfig:/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/share/pkgconfig'
main debug: searching plug-in modules
main debug: loading plugins cache file /snap/vlc/1049/usr/lib/vlc/plugins/plugins.dat
main debug: recursively browsing `/snap/vlc/1049/usr/lib/vlc/plugins'
main debug: plug-ins loaded: 517 modules
main debug: opening config file (/home/steve/snap/vlc/common/vlcrc)
main debug: looking for logger module matching "any": 3 candidates
file debug: opening logfile `/home/steve/vlc-log.txt'
main debug: using logger module "file"
main debug: translation test: code is "C"
main debug: looking for keystore module matching "memory": 4 candidates
main debug: using keystore module "memory"
main debug: CPU has capabilities MMX MMXEXT SSE SSE2 SSE3 SSSE3 SSE4.1 SSE4.2 AVX AVX2 FPU 
main debug: Creating an input for 'Media Library'
main debug: Input is a meta file: disabling unneeded options
main debug: using timeshift granularity of 50 MiB
main debug: using default timeshift path
main debug: `file/directory:///home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf' gives access `file' demux `directory' path `/home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf'
main debug: creating demux: access='file' demux='directory' location='/home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf' file='/home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf'
main debug: looking for access_demux module matching "file": 21 candidates
main debug: no access_demux modules matched
main debug: creating access: file:///home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf
main debug:  (path: /home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf)
main debug: looking for access module matching "file": 26 candidates
main debug: using access module "filesystem"
main debug: looking for stream_filter module matching "prefetch,cache_read": 26 candidates
cache_read debug: Using stream method for AStream*
cache_read debug: starting pre-buffering
cache_read debug: received first data after 0 ms
cache_read debug: pre-buffering done 296 bytes in 0s - 9967 KiB/s
main debug: using stream_filter module "cache_read"
main debug: looking for stream_filter module matching "any": 26 candidates
playlist debug: using XSPF playlist reader
main debug: using stream_filter module "playlist"
main debug: stream filter added to 0x71f8f0
main debug: looking for stream_filter module matching "any": 26 candidates
main debug: no stream_filter modules matched
main debug: looking for stream_directory module matching "any": 1 candidates
main debug: no stream_directory modules matched
main debug: attachment of directory-extractor failed for file:///home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf
main debug: looking for stream_filter module matching "record": 26 candidates
main debug: using stream_filter module "record"
main debug: creating demux: access='file' demux='directory' location='/home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf' file='/home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf'
main debug: looking for demux module matching "directory": 56 candidates
main debug: using demux module "directory"
main debug: looking for meta reader module matching "any": 2 candidates
lua debug: Trying Lua scripts in /home/steve/snap/vlc/1049/.local/share/vlc/lua/meta/reader
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/lib/vlc/lua/meta/reader
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/meta/reader/filename.luac
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/share/vlc/lua/meta/reader
main debug: no meta reader modules matched
main debug: `file/directory:///home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf' successfully opened
main debug: looking for xml reader module matching "any": 1 candidates
main debug: using xml reader module "xml"
main debug: EOF reached
main debug: removing module "directory"
main debug: removing module "record"
main debug: removing module "playlist"
main debug: removing module "cache_read"
main debug: removing module "filesystem"
main debug: creating audio output
main debug: looking for audio output module matching "any": 6 candidates
vlcpulse debug: using library version 8.0.0
vlcpulse debug:  (compiled with version 8.0.0, protocol 30)
vlcpulse debug: connected locally to unix:/run/user/1000/snap.vlc/../pulse/native as client #14
vlcpulse debug: using protocol 30, server protocol 32
pulse debug: adding sink 0: alsa_output.pci-0000_00_1f.3.analog-stereo (Built-in Audio Analogue Stereo)
main debug: using audio output module "pulse"
main debug: keeping audio output
main debug: looking for interface module matching "dbus,none": 17 candidates
dbus debug: listening on dbus as: org.mpris.MediaPlayer2.vlc
main debug: using interface module "dbus"
main debug: looking for interface module matching "hotkeys,none": 17 candidates
main debug: using interface module "hotkeys"
main debug: looking for interface module matching "globalhotkeys,none": 17 candidates
main debug: using interface module "xcb_hotkeys"
main: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
main debug: looking for interface module matching "any": 17 candidates
dbus debug: Getting All properties
dbus debug: Getting All properties
dbus debug: Getting All properties
main debug: looking for extension module matching "any": 1 candidates
lua debug: Opening Lua Extension module
lua debug: Trying Lua scripts in /home/steve/snap/vlc/1049/.local/share/vlc/lua/extensions
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/lib/vlc/lua/extensions
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/extensions/VLSub.luac
lua debug: Scanning Lua script /snap/vlc/1049/usr/lib/vlc/lua/extensions/VLSub.luac
lua debug: Script /snap/vlc/1049/usr/lib/vlc/lua/extensions/VLSub.luac has the following capability flags: 0x5
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/share/vlc/lua/extensions
main debug: using extension module "lua"
main debug: using interface module "qt"
main: playlist is empty
main debug: nothing to play
pulse debug: changing sink 0: alsa_output.pci-0000_00_1f.3.analog-stereo (Built-in Audio Analogue Stereo)
qt debug: Saving the advanced preferences
main debug: exiting
main debug: exiting
main debug: removing all interfaces
main debug: removing module "qt"
main debug: deactivating the playlist
main debug: removing module "pulse"
qt debug: requesting exit...
qt debug: waiting for UI thread...
main debug: exiting
qt debug: QApp exec() finished
qt debug: Video is not needed anymore
qt debug: Killing extension dialog provider
qt debug: ExtensionsDialogProvider is quitting...
main debug: removing module "lua"
main debug: removing module "xcb_hotkeys"
main debug: removing module "hotkeys"
main debug: removing module "dbus"
main debug: destroying
main debug: saving media library to file /home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf.tmp28435
main debug: looking for playlist export module matching "export-xspf": 4 candidates
main debug: using playlist export module "export"
main debug: removing module "export"
main debug: deleting item `Media Library'
main debug: deleting item `Playlist'
main debug: removing module "memory"
-- logger module stopped --
-- logger module started --
main debug: VLC media player - 3.0.7 Vetinari
main debug: Copyright © 1996-2019 the VideoLAN team
main debug: revision 3.0.7-0-g86cee31
main debug: configured with ./configure  '--prefix=/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr' '--disable-wayland' '--enable-merge-ffmpeg' 'CFLAGS= -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/include -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/include' 'LDFLAGS= -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/lib/x86_64-linux-gnu -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/lib/x86_64-linux-gnu -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/lib/x86_64-linux-gnu -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/lib/x86_64-linux-gnu' 'CPPFLAGS= -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/include -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/include' 'CXXFLAGS= -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/include -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/include' 'PKG_CONFIG_PATH=:/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/share/pkgconfig:/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/share/pkgconfig'
main debug: searching plug-in modules
main debug: loading plugins cache file /snap/vlc/1049/usr/lib/vlc/plugins/plugins.dat
main debug: recursively browsing `/snap/vlc/1049/usr/lib/vlc/plugins'
main debug: plug-ins loaded: 517 modules
main debug: opening config file (/home/steve/snap/vlc/common/vlcrc)
main debug: looking for logger module matching "any": 3 candidates
file debug: opening logfile `/home/steve/vlc-log.txt'
main debug: using logger module "file"
main debug: translation test: code is "C"
main debug: looking for keystore module matching "memory": 4 candidates
main debug: using keystore module "memory"
main debug: CPU has capabilities MMX MMXEXT SSE SSE2 SSE3 SSSE3 SSE4.1 SSE4.2 AVX AVX2 FPU 
main debug: Creating an input for 'Media Library'
main debug: Input is a meta file: disabling unneeded options
main debug: using timeshift granularity of 50 MiB
main debug: using default timeshift path
main debug: `file/directory:///home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf' gives access `file' demux `directory' path `/home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf'
main debug: creating demux: access='file' demux='directory' location='/home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf' file='/home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf'
main debug: looking for access_demux module matching "file": 21 candidates
main debug: no access_demux modules matched
main debug: creating access: file:///home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf
main debug:  (path: /home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf)
main debug: looking for access module matching "file": 26 candidates
main debug: using access module "filesystem"
main debug: looking for stream_filter module matching "prefetch,cache_read": 26 candidates
cache_read debug: Using stream method for AStream*
cache_read debug: starting pre-buffering
cache_read debug: received first data after 0 ms
cache_read debug: pre-buffering done 296 bytes in 0s - 14453 KiB/s
main debug: using stream_filter module "cache_read"
main debug: looking for stream_filter module matching "any": 26 candidates
playlist debug: using XSPF playlist reader
main debug: using stream_filter module "playlist"
main debug: stream filter added to 0x1ebe8f0
main debug: looking for stream_filter module matching "any": 26 candidates
main debug: no stream_filter modules matched
main debug: looking for stream_directory module matching "any": 1 candidates
main debug: no stream_directory modules matched
main debug: attachment of directory-extractor failed for file:///home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf
main debug: looking for stream_filter module matching "record": 26 candidates
main debug: using stream_filter module "record"
main debug: creating demux: access='file' demux='directory' location='/home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf' file='/home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf'
main debug: looking for demux module matching "directory": 56 candidates
main debug: using demux module "directory"
main debug: looking for meta reader module matching "any": 2 candidates
lua debug: Trying Lua scripts in /home/steve/snap/vlc/1049/.local/share/vlc/lua/meta/reader
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/lib/vlc/lua/meta/reader
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/meta/reader/filename.luac
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/share/vlc/lua/meta/reader
main debug: no meta reader modules matched
main debug: `file/directory:///home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf' successfully opened
main debug: looking for xml reader module matching "any": 1 candidates
main debug: using xml reader module "xml"
main debug: EOF reached
main debug: removing module "directory"
main debug: removing module "record"
main debug: removing module "playlist"
main debug: removing module "cache_read"
main debug: removing module "filesystem"
main debug: creating audio output
main debug: looking for audio output module matching "any": 6 candidates
vlcpulse debug: using library version 8.0.0
vlcpulse debug:  (compiled with version 8.0.0, protocol 30)
vlcpulse debug: connected locally to unix:/run/user/1000/snap.vlc/../pulse/native as client #15
vlcpulse debug: using protocol 30, server protocol 32
pulse debug: adding sink 0: alsa_output.pci-0000_00_1f.3.analog-stereo (Built-in Audio Analogue Stereo)
main debug: using audio output module "pulse"
main debug: keeping audio output
main debug: looking for interface module matching "dbus,none": 17 candidates
dbus debug: listening on dbus as: org.mpris.MediaPlayer2.vlc
main debug: using interface module "dbus"
main debug: looking for interface module matching "hotkeys,none": 17 candidates
main debug: using interface module "hotkeys"
main debug: looking for interface module matching "globalhotkeys,none": 17 candidates
main debug: using interface module "xcb_hotkeys"
main: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
main debug: looking for interface module matching "any": 17 candidates
dbus debug: Getting All properties
dbus debug: Getting All properties
dbus debug: Getting All properties
main debug: looking for extension module matching "any": 1 candidates
lua debug: Opening Lua Extension module
lua debug: Trying Lua scripts in /home/steve/snap/vlc/1049/.local/share/vlc/lua/extensions
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/lib/vlc/lua/extensions
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/extensions/VLSub.luac
lua debug: Scanning Lua script /snap/vlc/1049/usr/lib/vlc/lua/extensions/VLSub.luac
lua debug: Script /snap/vlc/1049/usr/lib/vlc/lua/extensions/VLSub.luac has the following capability flags: 0x5
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/share/vlc/lua/extensions
main debug: using extension module "lua"
main debug: using interface module "qt"
main: playlist is empty
main debug: nothing to play
pulse debug: changing sink 0: alsa_output.pci-0000_00_1f.3.analog-stereo (Built-in Audio Analogue Stereo)
main debug: processing request item: mpegts.cgi, node: Playlist, skip: 0
main debug: rebuilding array of current - root Playlist
main debug: rebuild done - 1 items, index 0
main debug: starting playback of new item
main debug: resyncing on mpegts.cgi
main debug: mpegts.cgi is at 0
main debug: creating new input thread
main debug: Creating an input for 'mpegts.cgi'
main debug: requesting art for new input thread
main debug: using timeshift granularity of 50 MiB
main debug: using default timeshift path
main debug: `https://192.168.1.10/video/mpegts.cgi' gives access `https' demux `any' path `192.168.1.10/video/mpegts.cgi'
main debug: creating demux: access='https' demux='any' location='192.168.1.10/video/mpegts.cgi' file='(null)'
main debug: looking for access_demux module matching "https": 21 candidates
main debug: no access_demux modules matched
main debug: creating access: https://192.168.1.10/video/mpegts.cgi
main debug: looking for access module matching "https": 26 candidates
main debug: looking for tls client module matching "any": 1 candidates
gnutls debug: using GnuTLS version 3.4.10
main debug: looking for meta fetcher module matching "any": 1 candidates
lua debug: Trying Lua scripts in /home/steve/snap/vlc/1049/.local/share/vlc/lua/meta/fetcher
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/lib/vlc/lua/meta/fetcher
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/share/vlc/lua/meta/fetcher
main debug: no meta fetcher modules matched
main debug: looking for art finder module matching "any": 2 candidates
lua debug: Trying Lua scripts in /home/steve/snap/vlc/1049/.local/share/vlc/lua/meta/art
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/lib/vlc/lua/meta/art
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/meta/art/00_musicbrainz.luac
lua debug: skipping script (unmatched scope) /snap/vlc/1049/usr/lib/vlc/lua/meta/art/00_musicbrainz.luac
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/meta/art/01_googleimage.luac
lua debug: skipping script (unmatched scope) /snap/vlc/1049/usr/lib/vlc/lua/meta/art/01_googleimage.luac
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/meta/art/02_frenchtv.luac
lua debug: skipping script (unmatched scope) /snap/vlc/1049/usr/lib/vlc/lua/meta/art/02_frenchtv.luac
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/meta/art/03_lastfm.luac
lua debug: skipping script (unmatched scope) /snap/vlc/1049/usr/lib/vlc/lua/meta/art/03_lastfm.luac
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/share/vlc/lua/meta/art
main debug: no art finder modules matched
main debug: looking for meta fetcher module matching "any": 1 candidates
lua debug: Trying Lua scripts in /home/steve/snap/vlc/1049/.local/share/vlc/lua/meta/fetcher
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/lib/vlc/lua/meta/fetcher
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/share/vlc/lua/meta/fetcher
main debug: no meta fetcher modules matched
main debug: looking for art finder module matching "any": 2 candidates
lua debug: Trying Lua scripts in /home/steve/snap/vlc/1049/.local/share/vlc/lua/meta/art
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/lib/vlc/lua/meta/art
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/meta/art/00_musicbrainz.luac
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/meta/art/01_googleimage.luac
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/meta/art/02_frenchtv.luac
lua debug: Trying Lua playlist script /snap/vlc/1049/usr/lib/vlc/lua/meta/art/03_lastfm.luac
lua debug: Trying Lua scripts in /snap/vlc/1049/usr/share/vlc/lua/meta/art
main debug: no art finder modules matched
gnutls debug: loaded 148 trusted CAs from system
main debug: using tls client module "gnutls"
main debug: resolving 192.168.1.10 ...
qt debug: IM: Setting an input
gnutls debug: TLS handshake: Resource temporarily unavailable, try again.
gnutls debug: TLS handshake: Resource temporarily unavailable, try again.
gnutls debug: TLS handshake: Success.
gnutls error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. 
gnutls debug: 1 certificate(s) in the list
gnutls debug: certificate key match for 192.168.1.10
http debug: outgoing request:
GET /video/mpegts.cgi HTTP/1.1
Host: 192.168.1.10
Accept: */*
Accept-Language: en_US
User-Agent: VLC/3.0.7 LibVLC/3.0.7
Range: bytes=0-


http debug: incoming response:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="DCS-8100LH_FD", nonce="726fc9a7c657cc37b0d4239f6cf7dec23e46463d", qop="auth"
Content-Type: text/html
Content-Length: 91
Date: Tue, 17 Apr 2018 12:52:25 GMT
Server: dcs-lig-httpd


access error: HTTP 401 error
main debug: no access modules matched
main debug: dead input
qt debug: IM: Deleting the input
main debug: changing item without a request (current 0/1)
main debug: nothing to play
main debug: exiting
main debug: exiting
main debug: removing all interfaces
main debug: removing module "qt"
main debug: deactivating the playlist
main debug: removing module "pulse"
qt debug: requesting exit...
qt debug: waiting for UI thread...
qt debug: QApp exec() finished
qt debug: Video is not needed anymore
qt debug: Killing extension dialog provider
qt debug: ExtensionsDialogProvider is quitting...
main debug: removing module "lua"
main debug: removing module "xcb_hotkeys"
main debug: removing module "hotkeys"
main debug: removing module "dbus"
main debug: destroying
main debug: saving media library to file /home/steve/snap/vlc/1049/.local/share/vlc/ml.xspf.tmp28694
main debug: looking for playlist export module matching "export-xspf": 4 candidates
main debug: using playlist export module "export"
main debug: removing module "export"
main debug: deleting item `Media Library'
main debug: deleting item `mpegts.cgi'
main debug: deleting item `Playlist'
main debug: removing module "memory"
-- logger module stopped --

Sorry for my poor understanding of certificates, but I am at a loss here.

I don't know vlc well enough to answer this. The response from the camera looks fine. But the failing certificate verification could be causing problems, as you mention.

You can use e.g. openssl to debug the certificate chain. Connecting to my camera shows a single self-signed certifcate, which obviously is rejected by default:

$ openssl s_client -connect 192.168.1.10:443 -showcerts
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = TW, ST = Asia, L = Asia, O = D-Link Corporation, OU = D-Link Corporation, CN = www.dlink.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = TW, ST = Asia, L = Asia, O = D-Link Corporation, OU = D-Link Corporation, CN = www.dlink.com
verify return:1
---
Certificate chain
 0 s:C = TW, ST = Asia, L = Asia, O = D-Link Corporation, OU = D-Link Corporation, CN = www.dlink.com
   i:C = TW, ST = Asia, L = Asia, O = D-Link Corporation, OU = D-Link Corporation, CN = www.dlink.com
-----BEGIN CERTIFICATE-----
MIIDzTCCArWgAwIBAgIJANAfNrXsbCc2MA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
BAYTAlRXMQ0wCwYDVQQIDARBc2lhMQ0wCwYDVQQHDARBc2lhMRswGQYDVQQKDBJE
LUxpbmsgQ29ycG9yYXRpb24xGzAZBgNVBAsMEkQtTGluayBDb3Jwb3JhdGlvbjEW
MBQGA1UEAwwNd3d3LmRsaW5rLmNvbTAeFw0xOTAyMTQwMDAwMjlaFw0yOTAyMTEw
MDAwMjlaMH0xCzAJBgNVBAYTAlRXMQ0wCwYDVQQIDARBc2lhMQ0wCwYDVQQHDARB
c2lhMRswGQYDVQQKDBJELUxpbmsgQ29ycG9yYXRpb24xGzAZBgNVBAsMEkQtTGlu
ayBDb3Jwb3JhdGlvbjEWMBQGA1UEAwwNd3d3LmRsaW5rLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANL6zRdWgNWHrx/h4Lkx67vHFQm0We9KpLQz
kHeTnI1Diy58+2ISGtVvS/cPxRpyREQZlptPWIMMmxyhAEtnB7jVOSqx02pQB3HU
w8v/hp+gphqjSBKBOLeH9EM8C5SaxEcRevkRWshP4NusZGi/lVV5Kr/uqsVBhD4j
fgW/OJG2PXwgvPgmCYwl0RRt/3DsAaIAkyA0WkItcpy0y8ChmCOWWhVzMNknnOfg
rzOaxSJhiOL8aaKd82CGQ6IJfEN8/eyj85njVUypvKVNzZDVGYzAmk4VqoiE5fXB
JT/m/TH4ToUMCORFBXivLEVgGo348ul/N2sWnKkFLE3LopO91+cCAwEAAaNQME4w
HQYDVR0OBBYEFHs2rMwisZVbaggta7/UKKpWGLVXMB8GA1UdIwQYMBaAFHs2rMwi
sZVbaggta7/UKKpWGLVXMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AIDoSSlrHEIqjrynuSfWUN4V8F9T2ZmaO7ghrdLxl/fyWDx+EpAGbrLDeCvTYGkF
/pEpVLTZBuXJ8lNNZmlYRRioO0rKm7Vq7aSxjmPdoy3jeMRR3qJnIgO/otI3X+aM
DHiLabcpDFtdk7ivdnuwBKFyGjv0sitiV0nfgW5hYdLJXd7/nFiD73jBecmAgzjs
n0xaDJdLjbfcxy+9cJpGJccWEBPpB+47XR6A+4CACP3sIgXKmD0dvW6DkyRTrmVz
EXi59eKmSDYP0gQNsa5VqJ6R0JYxG5nByrttkfVl5T3EXUVGGZ8W0YP+xGKfFCGm
Rl8nvLpxdlqvKXKSCxyIl1o=
-----END CERTIFICATE-----
---
Server certificate
subject=C = TW, ST = Asia, L = Asia, O = D-Link Corporation, OU = D-Link Corporation, CN = www.dlink.com

issuer=C = TW, ST = Asia, L = Asia, O = D-Link Corporation, OU = D-Link Corporation, CN = www.dlink.com

---
No client certificate CA names sent
---
SSL handshake has read 1309 bytes and written 625 bytes
Verification error: self signed certificate
---
New, SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: C3D4AD33C35C71FB0BEAB662F7934955357D18084BF03701C99EA32040C62420
    Session-ID-ctx: 
    Master-Key: 72621A26B212484590BC5425308ADCFCC52BA0401EA42FFDAF64107DA9F101A3973A55B21A5F2BD25FC01A7F497ABC7E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e8 ba ac b5 2e d5 aa ed-b1 26 b1 df 02 0b 59 28   .........&....Y(
    0010 - a3 e6 6b 76 5e e6 a9 e5-44 ec de 40 ab d8 ad 1c   ..kv^...D..@....
    0020 - 67 2f 3d 84 db 0e 7e 58-0a 97 67 4a aa c6 3d 5d   g/=...~X..gJ..=]
    0030 - 98 ce 12 84 53 5c 24 8e-3d 81 15 cd 90 3b 71 e2   ....S\$.=....;q.
    0040 - 35 ed 49 7d 4e 39 b2 93-be 46 4e 4f b6 c0 19 37   5.I}N9...FNO...7
    0050 - c9 a3 e2 87 21 39 b0 cf-04 53 11 04 1f c6 e2 b9   ....!9...S......
    0060 - 05 94 5b e8 15 fe 4b e6-25 1f 24 0b 2c 33 71 68   ..[...K.%.$.,3qh
    0070 - 38 ac 24 ee 73 64 92 a7-39 35 53 d3 02 36 26 01   8.$.sd..95S..6&.
    0080 - f8 2d 18 7d 49 1d 1c dc-44 fd b6 71 17 39 07 fd   .-.}I...D..q.9..
    0090 - 5b 61 0a ad f8 87 f4 5d-e6 e6 68 00 53 a1 ee 75   [a.....]..h.S..u

    Start Time: 1572515007
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
closed

You can save the certificate (everthing between the BEGIN/END markers including the markers) to a file and use that as a CA file for curl. This will allow curl to validate the certificate signature. But the certificate verification will still fail on the subject:

$ curl -D - --cacert /tmp/camera-cert.pem https://192.168.1.10/video/mpegts.cgi
curl: (60) SSL: certificate subject name 'www.dlink.com' does not match target host name '192.168.1.10'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

You can cheat that by using the --resolve option to connect to the camera, using the CommonName from the certificate as servername. curl will then accept the certificate without using --insecure:

$ curl -D - --cacert /tmp/camera-cert.pem  --resolve www.dlink.com:443:192.168.1.10 https://www.dlink.com/video/mpegts.cgi
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="DCS-8000LH_73"
Content-Type: text/html
Content-Length: 91
Date: Thu, 31 Oct 2019 09:58:23 GMT
Server: dcs-lig-httpd

<html>
<body>
<h1>Unauthorized</h1>
Please enter correct account/password.
</body>
</html>

But I have no idea on how to do this with vlc. My best advice is to read the manual. Or just use http instead...

Thanks for all this. In the end, couldn't get VLC to work, even with http (not https) connection.

curl --digest -u admin:123456 http://192.168.1.10/video/mpegts.cgi>/home/steve/test-stream.ts worked fine to save to a file, then I could play the video back ok, but just couldn't live stream with VLC using these details.

Used free software called iSpy to live stream, which worked just fine. Weird, but it worked in the end!

Many thanks for all your efforts. Excellent work!

Hello,

I unwisely purchased a DCH-8600LH and will not return it after opening it. So I am investigating ways of supporting my workflows that my eight other older "unlocked" Dlink webcams handle.

Two questions:

1. Has anybody made this process work with the DCH-8600LH?

2. The README from the Dlink opensource build procedure says that the device can be flashed by putting the fireware bin file in the root directory of the SD card, insert and reboot. Has anybody confirmed this?

To Customer(DLINK) upgrade method,Please use the following steps: A, Copy the file "dlink_fw_upgrade.bin" into the root directory of a SD card . B, Insert the SD card into the device, and then reboot it. C, When the device'LED blinks green, PLS turn off power and remove the SD card.

Other notes and comments:

1. I can only see the static image with using https://{device ip}/images/jpeg.cgi. HTTP access issues a password challenge and NIPCA post for adding a password to the user isn't supported by the Dlink firmware. (I can create new users without passwords, however.)
2. I have an older WEP router and the MyDlink app and the NIPCA doesn't support adding a more secure WIFI password in hexadecimal format.
3. I would like to set a static IP for my webcam. The MyDlink app and Dlink's NIPCA support doesn't allow that.
4. This camera doesn't have the pinholes for serial access that the DCH-8000LH has so I guess that the cover must be cracked open and some soldiering performed.
5. I'm using version v1.00.10 and I'm apparently "abusing" a security hole for NIPCA access via a web browser.
6. Needless to say, I am very disappointed with this camera.

Nice job defogging the dlink cam!

I'm just trying this out on the DCS-8600LH. It shows the whole string as the name when connecting, not just the model and the last four of the mac: Connected to 'N=DCS-8600LH;P=0;T=946685035;Z=8;F=v1.00.10;H=A1;M=B0C554XXXXXX;V=3.0.0%2Db73'

I also changed the uuid in the BleCam() init: self.periph.getCharacteristics(uuid=0xa200) since the original code with 0x2a00 only throwed an error.

It still says the pincode is wrong - although it is not. I tried setting self.name to DCS-8600LH-XXXX, but that did not work out either - still wrong pincode.

Has anyone tried to get this working with the DCS-8600LH?

[B0:C5:54:XX:XX:XX][LE]> primary attr handle: 0x0001, end grp handle: 0x001e uuid: 0000d001-0000-1000-8000-00805f9b34fb [B0:C5:54:XX:XX:XX][LE]> characteristics handle: 0x0002, char properties: 0x12, char value handle: 0x0003, uuid: 0000a000-0000-1000-8000-00805f9b34fb handle: 0x0005, char properties: 0x0a, char value handle: 0x0006, uuid: 0000a001-0000-1000-8000-00805f9b34fb handle: 0x0007, char properties: 0x02, char value handle: 0x0008, uuid: 0000a100-0000-1000-8000-00805f9b34fb handle: 0x0009, char properties: 0x0a, char value handle: 0x000a, uuid: 0000a101-0000-1000-8000-00805f9b34fb handle: 0x000b, char properties: 0x08, char value handle: 0x000c, uuid: 0000a102-0000-1000-8000-00805f9b34fb handle: 0x000d, char properties: 0x02, char value handle: 0x000e, uuid: 0000a103-0000-1000-8000-00805f9b34fb handle: 0x000f, char properties: 0x02, char value handle: 0x0010, uuid: 0000a104-0000-1000-8000-00805f9b34fb handle: 0x0011, char properties: 0x0a, char value handle: 0x0012, uuid: 0000a200-0000-1000-8000-00805f9b34fb handle: 0x0013, char properties: 0x08, char value handle: 0x0014, uuid: 0000a201-0000-1000-8000-00805f9b34fb handle: 0x0015, char properties: 0x0a, char value handle: 0x0016, uuid: 0000a300-0000-1000-8000-00805f9b34fb handle: 0x0017, char properties: 0x02, char value handle: 0x0018, uuid: 0000a301-0000-1000-8000-00805f9b34fb handle: 0x0019, char properties: 0x08, char value handle: 0x001a, uuid: 0000a302-0000-1000-8000-00805f9b34fb handle: 0x001b, char properties: 0x08, char value handle: 0x001c, uuid: 0000a303-0000-1000-8000-00805f9b34fb handle: 0x001d, char properties: 0x02, char value handle: 0x001e, uuid: 0000a304-0000-1000-8000-00805f9b34fb [B0:C5:54:XX:XX:XX][LE]>

DCS-8600LH update / unlock success:

1. Change uuid to 0xa200: self.periph.getCharacteristics(uuid=0xa200)
2. change MTU : self.periph.setMTU(256)
3. extract correct self.name with: self.idstring = self.periph.getCharacteristics(uuid=0xa200)[0] self.idstate = kv2dict(self.idstring.read().decode()) self.name = self.idstate["N"] + "-" + self.idstate["M"][8:]

Note: I did not get this to work on an integrated bluetooth adapter on my laptop (bluez 5.48). All changes to MTU was ignored and I did not see the complete unlock string being sent when checking with wireshark. It works like a charm on the Raspberry Pi 3 (bluez 5.43) though. I chose 256 because that is what the 8600LH source code does (gatt-example.c).

DCS-8600LH update: According to the source code, they changed the set admin_password system() call, with the password within quotes: "password", also the whole string is tokenized, which means no semicolons are allowed in the command sequence or password. I have not been able to execute anything that way yet, but enabling telnet can be done another way: put a file named ".tw_enable_telnet" at the root of the SD card and reboot the camera. Also: http://ipcam/common/info.cgi will output camera information without requiring a password.

DCS-8600LH update: Default root pw is "twipc".

smd100 [email protected] writes: Hi - does this work for the DCS-8100LH as well? Mine has FW v2.01 pre-installed which doesn't allow local streaming. Thanks! I have not tried, so I don't know. But the code base is most likely the same, so it is definitely possible. There's only one way to find out ;-) Someone else tried defogger with a DCS-8010LH, but that failed because the name characteristic was unreadable. My simple code didn't account for that. But it's pretty easy to work around. Similar minor problems could affect other models. Bjørn

Hi, so how can I get the true characteristic? I have a bluetooth windows laptop and an android phone. Very thx.

PS. I'm trying to make a web version of this to connect DCS-8010LH with smartphone. javascript bluetooth API document

Wei-Liang Liou [email protected] writes:

smd100 [email protected] writes: Hi - does this work for the DCS-8100LH as well? Mine has FW v2.01 pre-installed which doesn't allow local streaming. Thanks! I have not tried, so I don't know. But the code base is most likely the same, so it is definitely possible. There's only one way to find out ;-) Someone else tried defogger with a DCS-8010LH, but that failed because the name characteristic was unreadable. My simple code didn't account for that. But it's pretty easy to work around. Similar minor problems could affect other models. Bjørn

Hi, so how can I get the true characteristic? I have a bluetooth windows laptop and an android phone. Very thx.

The input for the unlock key calculation on the DCS-8000LH is the concatination of

• the model string, i.e "DCS-8000LH"

• "-"

• the last four digits of the camera Bluetooth mac address, e.g. "CDEF" if the address is 12:34:56:AB:CD:EF

• the camera PIN code, e.g "012345"

• the challenge from BLE characteristic A001 or "tdb get Ble ChallengeKey_ss" in a shell, e.g. "b2gaescrbldchnik"

With the examples above, the complete input string becomes

"DCS-8000LH-CDEF012345b2gaescrbldchnik"

And you can generate the key by hand:

$ echo -n 'DCS-8000LH-CDEF012345b2gaescrbldchnik' | md5sum | xxd -r -p | base64 | cut -c-16 jrtY6nONQ5rV+2Ph

If you have shell access (e.g via console), then you can easily verify the key calculation by reading both challenge and key with

tdb get Ble ChallengeKey_ss tdb get Ble Key_ss

This might be necessary in case your camera use some other way to put the input string together..

Now, the model string is special in the above input, as it isn't readily available for the script. But I noticed that the BLE name characteristic included the model string along with the last four mac digits digits already appended. I.e "DCS-8000LH-CDEF" in the example. So I just used it for convenience, not having to enter the model name anywhere.

But if you can't read the name characteristic, then you can replace it with a static model string, or use an input parameter, or whatever. The four digits from the mac address will still have to be appended separated by a dash, assuming the input string is similar.

DCS-8600LH update: Default root pw is "twipc".

Thanks a lot. The default root password is twipc on DCS-8010LH too. BTW. After send the commands. I can't login telnet with admin:PINCODE and no web server listen on 80 port. I'm still survey how to launch NIPCA

grep -Eq ^admin: /etc/passwd||echo admin:x:0:0::/:/bin/sh >>/etc/passwd
grep -Eq ^admin:x: /etc/passwd&&echo admin:PINCODE|chpasswd
pidof telnetd||telnetd

[ "$(tdb get HTTPServer Enable_byte)" -eq "1" ]||tdb set HTTPServer Enable_byte=1
/etc/rc.d/init.d/extra_lighttpd.sh start

@tqz Do you know how to login the NIPCA? I watch your repo. It's similar than my DCS-8010LH (1.02.02). I can watch the stream with rtsp://admin:[email protected]:554/stream2 after I set admin_password by mdb set admin_password.

Coz the root of filesystem is read-only, I can't edit the /etc/passwd. Even if remount it to sdcard too. Does any method to change the file system to read-write?

8010

If anyone has success getting custom firmware onto the DCS-8010LH, I would greatly appreciate a guide that explains step by step what is and is not applicable from the main guide located at https://github.com/bmork/defogger because I have no idea where to even start. I'd be willing to make a $50+ donation to anyone that bothered to write up a step-by-step guide and post it (not that this is commercial in any way, just that I'd be happy to chip in toward a (relatively) easy to follow guide for some of the other D-Link cameras and I know there's a lot of people out there stuck with D-Link cameras that should be basic local feeds but are instead forced into a cloud-based system they never asked for.

The way I started way to create a Mint Linux live USB stick and boot my PC from this. Make sure the PC has bluetooth.

Then open a Terminal and run these commands in turn to get everything installed.

sudo apt update sudo apt install git cd git clone https://github.com/bmork/defogger sudo apt install python3-pip libglib2.0-dev python3-setuptools sudo pip3 install bluepy cd defogger ./dcs8000lh-configure.py B0:C5:54:47:xx:xx 123456 --survey ./dcs8000lh-configure.py B0:C5:54:47:xx:xx 123456 --essid WIFINETWORKNAME --wifipw WIFIPASSWORD ./dcs8000lh-configure.py B0:C5:54:47:xx:xx 123456 --sysinfo

Replace 'B0:C5:54:47:xx:xx' with your camera MAC address (written on label on back) and '123456' with the camera password (also on label).

If you get the 'dcs8000lh-configure.py' commands working, then you are halfway there. Then follow bmork's instructions depending on what you want to do.

Steve

Anyone know the default root pw for 8100LH? 'twipc' doesn't work. Thank you.

I've successfully cross-flashed a DCS-P6000LH with a complete DCS-8000LH firmware dump, changed pincode and mac address in mtd1, seems to work fine!

one slight oddity is dcs8000lh-configure.py can't turn on telnetd and lighttpd, but oh well.

Hello, same here, i am stuck with a dlink 8000lh and a grandpa with the mydlink app on their tablet. for this reason I want to continue using dlink cameras. at this moment patching it for me is too complicated. i would like to upload the firmware ota or just buy a dlink device with a sd card slot and upload a custom firmware. here comes my question:

1. Has anybody made a custom firmware work by putting it on a sd card?
2. Is it possible to spoof the dlink firmwareserver so the camera downloads a custom firmware image on its own?

I've successfully cross-flashed a DCS-P6000LH with a complete DCS-8000LH firmware dump, changed pincode and mac address in mtd1, seems to work fine! @Redfoxymoon Please guide how to do that cross-flashing. A beginner here. thanks in advance. regards.

You will need a DCS-8000LH to read the flash from w/ an external flash programmer, followed by hex editing the mac address and pincode to your target's camera then writing the modified flash dump onto the DCS-P6000LH.

but as noted earlier, not all services work as expected, probably because the DCS-8000LH firmware doesn't like the DCS-P6000LH data... the cross-flashed device will also obviously never work with the d-link smartphone app unless you flash back the original firmware

I don't intend to write any sort of detailed guide on how to do this, I don't want complaints about bricked hardware and more importantly, the final state of the camera is less than useful, buy an DCS-8000LH instead or something less locked down and crap in the first place.