The cam is from approx ~2003 -2005? and nearly-never used.
I got this camera in the original cardboard box, but without any documentation. As it is no-name ("Digitus" brand), there is no info on the web because it is old and outdated, too.
First step: hello there?
- Laptop listening with wireshark
- webcam connected
- power applied
- traffic detected, it runs on 192.168.2.3
Second Step: Web interface
- Own IP set to 192.168.2.1
- browsing to 192.168.2.3:80
- Login screen, which does only accept 4 letter max. password (wtf?)
- admin / 1234 does the trick
Third step: crappy java applet to view images
- Whole web interface requires Java Script to work, except image display
- Image display is done with "video_java.class"
- decompiled with JAD it reveals:
- open socket to port 4321 (hardcoded in this java file, but configurable web gui parameters!)
- send magic string "0110\n", no auth
- receive 4 byte header
- first 2 bytes = payload size
- second 2 bytes = ??
- receive payload (jpg file) in little junks (else camera can't catch up!)
- display jpg
- after timer triggers, repeat
- crappiest solution to display image in browser. ever.
Fourth step: lets talk to that web gui (or better block that port entirely)
- web gui auth works as follows:
- take username (admin), password (1234) and challenge (more on this later) and run md5 on it
- send md5 ("response") to cam
- cam answers with session cookie
- keep cookie, send it with all requests
- 4 byte string
- generated by:
- internal 24bit counter counts in an endless loop. Starts at zero after power-on.
- represenation of this 24bit value by 4 chars = 6 bit (=64 states) encoded by char
- chars are from these: ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz and represent 0-63
- there is no way to log out (=timeout mechanism)
- bruteforce for 4 byte string with known values is easy and just limited by slow camera
- triggering some actions / config features
- commands are sent by HTTP POST, including cookie
- most settings are remembered (e.g. LEDs on or off), except image size (defaults to 320x240)
- settings are written to small eeprom on board, which takes approx 10 seconds. Using LEDs as outputs (e.g. to drive IR LEDs) is out of question.
- cam seems to run 320x240px natively, because 160x120 and 640x480 bring the frame rate down (20fps to 5-7fps)
- email server CANNOT be disabled, which means the cam spams with host name requests for "mailserver.com" - setting it to 127.0.0.1 stops that.