Encrypt/decrypt code edge-case issue · Issue #4 · devbis/aiopppp · GitHub
Encrypt/decrypt code edge-case issue #4
Open
@GrumpyMeow

Hi there,

The last few days I've been trying to get access to my Besder branded camera. I have some communication going on with the camera.
I wanted to try your library. As expected, I needed to change the hash to match my camera.

I provided the hash of my camera in the encryption-library:

#XOR1_ENC_KEY = (0x69, 0x97, 0xcc, 0x19)
XOR1_ENC_KEY = (0x2c, 0xd4, 0x60, 0x04)  # seed/psk=vstarcam2018

I recognize the LAN_SEARCH unencrypted message which you broadcast: f1 30 00 00.
The encrypted message your library broadcasts is: 49 b5 73 a9. My camera does not respond. I then replaced your encryption/decryption code with mine, and then my camera did start to work. I then see that I get the expected broadcast message: 49 b5 73 d5

I initially also had used a piece of code which has an edge-case issue. I notice my encryption/decryption does not have any impact on the encrypted LAN_SEARCH message, but apparently it does on mine and probably other cameras.

# Calculate the 4-byte hash from the seed/psk string
def simple_hash(psk):
    psk_hash = [0x00, 0x00, 0x00, 0x00]
    for psk_byte in map(ord, psk):
        psk_hash[0] = (psk_hash[0] + psk_byte) & 0xFF
        psk_hash[1] = (psk_hash[1] - psk_byte) & 0xFF
        psk_hash[2] = (psk_hash[2] + (psk_byte // 3)) & 0xFF
        psk_hash[3] = psk_hash[3] ^ psk_byte
    return psk_hash

# Look up a value in the shuffle table
# (PPPP_SIMPLE_SHUFFLE is the 256-entry table; it is not shown in this post)
def _lookup(hash, b):
    hash_index = b & 3  # low two bits of the feedback byte pick the hash byte
    index = (hash[hash_index] + b) & 0xFF  # wrap to stay inside the table
    return PPPP_SIMPLE_SHUFFLE[index]


def simple_decrypt(hash, input):
    output = [0] * len(input)
    output[0] = input[0] ^ _lookup(hash, 0)
    for i in range(1, len(input)):
        output[i] = input[i] ^ _lookup(hash, input[i-1])
    return bytes(output)

def simple_encrypt(hash, input):
    output = [0] * len(input)
    output[0] = input[0] ^ _lookup(hash, 0)
    for i in range(1, len(input)):
        output[i] = input[i] ^ _lookup(hash, output[i-1])
    return bytes(output)

Note to self (default password of my camera is different):

clear && python -m aiopppp -u admin -p 888888 --log-level DEBUG

I see that after a while the connection dropped while waiting for "json":

DEBUG:aiopppp.session:recv< PacketType.P2PAlive, len=0
DEBUG:aiopppp.session:send> P2PAliveAck: []
DEBUG:aiopppp.session:recv< PacketType.P2pRdy, len=20
INFO:aiopppp.session:Connected to DevID(VSTH-378138-WVLKX), json=True
DEBUG:aiopppp.session:send> Drw(chn:Command, idx: 0): [0xa0, {'pro': 'check_user', 'cmd': 100, 'user': 'admin', 'pwd': '888888', 'devmac': '0000'}]
DEBUG:aiopppp.session:Waiting for ACK for 0
DEBUG:aiopppp.session:recv< PacketType.DrwAck, len=6
DEBUG:aiopppp.session:Got DRW ACK DrwAck: [d1 00 00 01 00 00]
DEBUG:aiopppp.session:handle_drw_ack(idx=0)
DEBUG:aiopppp.session:wait_ack(idx=0) complete, waiters: 0
DEBUG:aiopppp.session:recv< PacketType.P2PAlive, len=0
DEBUG:aiopppp.session:send> P2PAliveAck: []
DEBUG:aiopppp.session:recv< PacketType.P2PAlive, len=0
DEBUG:aiopppp.session:send> P2PAliveAck: []
DEBUG:aiopppp.session:recv< PacketType.P2PAlive, len=0
DEBUG:aiopppp.session:send> P2PAliveAck: []
DEBUG:aiopppp.session:recv< PacketType.P2PAlive, len=0
DEBUG:aiopppp.session:send> P2PAliveAck: []
ERROR:aiopppp.session:Timeout during device setup
DEBUG:aiopppp.session:send> Close: []
WARNING:aiopppp.session:Device DevID(VSTH-378138-WVLKX) lost
INFO:aiopppp.session:Stopping task for DevID(VSTH-378138-WVLKX)
WARNING:__main__:Device DevID(VSTH-378138-WVLKX) lost

On a high level our cameras seem compatible, after I fixed the edge-case issue in the encryption code. I see that your library tries to communicate via JSON, which times out on my camera. I also tried the non-JSON option, but that also didn't work right away.
My camera seems to work with some kind of HTTP protocol. An encrypted message is sent containing a string like: "GET /get_info.cgi?name=admin&pasword=88888". It then responds with a JavaScript snippet, something like:
'''
var hasLight=0
var dummy=1
...
'''

Only some options of my camera are exposed via ONVIF. My camera has 4 camera-sensors and lighting options.
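
A debugging aid for the byte mismatch described in the issue above, added here as an example; it is not part of the original post or of aiopppp. It reuses the posted `simple_hash` and lookup rule to list which key byte and table index each byte of the broadcast reads, which needs no shuffle table. `trace_lookups` and `first_divergence` are hypothetical helper names; the PSK, key constant and ciphertext are the ones quoted in the post.

```python
# Added example: trace which key byte and table index each cipher step reads.
# simple_hash and the index rule are copied from the post; trace_lookups and
# first_divergence are hypothetical helpers introduced for this example.

def simple_hash(psk):
    h = [0, 0, 0, 0]
    for b in map(ord, psk):
        h[0] = (h[0] + b) & 0xFF
        h[1] = (h[1] - b) & 0xFF
        h[2] = (h[2] + b // 3) & 0xFF
        h[3] ^= b
    return h

def trace_lookups(key, ciphertext):
    """Return [(key_slot, table_index), ...], one pair per ciphertext byte.

    The feedback byte is the previous ciphertext byte (0 for the first
    position), so the indices follow from key and ciphertext alone and the
    shuffle table itself is not needed.
    """
    steps, prev = [], 0
    for c in ciphertext:
        slot = prev & 3                                 # which key byte is read
        steps.append((slot, (key[slot] + prev) & 0xFF)) # wrapped table index
        prev = c
    return steps

def first_divergence(key_a, key_b, ciphertext):
    """Position of the first byte whose lookup differs between two keys, or None."""
    pairs = zip(trace_lookups(key_a, ciphertext), trace_lookups(key_b, ciphertext))
    for pos, (a, b) in enumerate(pairs):
        if a != b:
            return pos
    return None

POSTED_KEY = (0x2C, 0xD4, 0x60, 0x04)             # constant quoted in the post
DERIVED_KEY = tuple(simple_hash("vstarcam2018"))  # posted hash run on the posted PSK
BROADCAST = bytes.fromhex("49b573d5")             # ciphertext the post reports as expected

if __name__ == "__main__":
    print("derived key:", [hex(b) for b in DERIVED_KEY])
    for pos, (slot, idx) in enumerate(trace_lookups(POSTED_KEY, BROADCAST)):
        print(f"byte {pos}: key[{slot}] -> table[0x{idx:02x}]")
    print("first divergence:", first_divergence(POSTED_KEY, DERIVED_KEY, BROADCAST))
```

For the posted values, the first three bytes read only key[0] and key[1], and the fourth is the first to read key[3]. Running the posted `simple_hash` on the posted PSK gives 0x06 in that position, against the 0x04 in the quoted constant.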
