yi-hack-Allwinner-v2

SSL / SRTP Option available?

Open meluvalli opened this issue 2 years ago • 10 comments

Any way to get SSL (HTTPS) and/or SRTP options on these cameras? Don't like the idea of someone being able to snoop and see passwords in clear text. Makes password protecting it pointless.

meluvalli, May 10 '22 09:05

The cams are busy with what they do right now if I understood things right. That's why my cams are internal only and the external part comes from Home Assistant. Maybe worth a try?

dreimer1986, May 11 '22 10:05

I have them set internal only, but there’s still always a chance if someone else gets on the same Wi-Fi and/or network they could packet sniff easily and see the passwords. I thought it would be best to allow SSL so this couldn’t be done.

meluvalli, May 11 '22 10:05

I think this would require changing the webserver. There can be stability problems and it's a lot of testing and work.

Just out of curiosity, I successfully tested the golang http server with a TLS connection on the cam (64 MB memory). And the OpenWrt project is using uHTTPd.

WalkingDot, May 13 '22 08:05

I tried to use stunnel and it seems ok. But it's too large to add it inside the hack. I could add it to the utils: https://github.com/roleoroleo/yi-hack-utils

If you want to try it, this is the binary: stunnel.gz

And this is a sample config:

cert = /tmp/sd/yi-hack/etc/stunnel.crt
key = /tmp/sd/yi-hack/etc/stunnel.key
debug = 7
pid = /var/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/stunnel.log
client = no

[https]
accept = 0.0.0.0:443
connect = 127.0.0.1:8080
TIMEOUTclose = 0

I need to use your certificate (or generate a self-signed one) and copy it to /tmp/sd/yi-hack/etc

roleoroleo, May 13 '22 17:05
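
One way to produce the self-signed pair that the sample config above points to, run on a workstation before copying both files to /tmp/sd/yi-hack/etc. This is an added example, not part of the comment above or of the project; the function names, OpenSSL 1.1.1 or later, and the constructed address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example: create stunnel.key / stunnel.crt as named in the sample config.
# Assumptions (not from the thread): OpenSSL 1.1.1+ is installed, the helper
# names below, and the constructed camera address 192.0.2.10.

# gen_stunnel_cert OUTDIR CAMERA_IP [DAYS]
gen_stunnel_cert() {
    outdir=$1; ip=$2; days=${3:-365}
    if [ -z "$outdir" ] || [ -z "$ip" ]; then
        echo "usage: gen_stunnel_cert OUTDIR CAMERA_IP [DAYS]" >&2
        return 2
    fi
    mkdir -p "$outdir" || return 1
    # umask 077 so the private key is never world-readable, even briefly.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -days "$days" \
          -subj "/CN=$ip" \
          -addext "subjectAltName=IP:$ip" \
          -keyout "$outdir/stunnel.key" \
          -out "$outdir/stunnel.crt" 2>/dev/null ) || return 1
    # The certificate is public; only the key stays restricted.
    chmod 644 "$outdir/stunnel.crt"
}

# cert_matches_key CRT KEY: succeeds only when both files hold the same public key.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_fingerprint CRT: SHA-256 fingerprint, to compare with the one the
# browser shows when it warns about the self-signed certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Typical use:
#   gen_stunnel_cert ./etc 192.0.2.10 && cert_matches_key ./etc/stunnel.crt ./etc/stunnel.key
#   cert_fingerprint ./etc/stunnel.crt
```

The subjectAltName entry carries the camera's IP because clients validate the address they connect to against it, not against the CN.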

About SRTP, AFAIK live555 doesn't support it in the server. So I can't add it.

roleoroleo, May 13 '22 17:05

Wow, that was really fast.

I just had a strange idea... would the combination of live555 HLS proxy (http://www.live555.com/hlsProxy/) and stunnel be possible?

WalkingDot, May 13 '22 20:05

I think it's not enough. stunnel should be added at RTP level. But my knowledge about it is not very good.

roleoroleo, May 15 '22 09:05

ok, the next idea ;-) With use of ffmpeg a hls-live-playlist could be created (maybe with 2x 1 second segments in memory... each segment ~180kb).

I don't understand how to use "/dev/shm/fshare_frame_buf" as ffmpeg input. But if I instead choose a 1 minute mp4-file, hls-playlist and hls-video-files are created in a few seconds:

./ffmpeg -i /tmp/sd/record/2022Y05M15D18H/00M00S60.mp4 -c copy -f hls -hls_list_size 0 out.m3u8

WalkingDot, May 15 '22 19:05

> I don't understand how to use "/dev/shm/fshare_frame_buf" as ffmpeg input.

It's not a compatible input, it's a custom format. You could use h264grabber to parse it and output a "standard" h26x stream.

roleoroleo, May 15 '22 19:05

It seems that ffmpeg only creates the hls-playlist after the pipe is closed. Sad... otherwise this would probably be an easy way for secured hls-live-streams.

WalkingDot, May 16 '22 18:05

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot], Dec 09 '22 03:12