[SW] TF-520 based IP cam i/f = balcony pumpkin cam

got it cheap because of the crappy SW ("requires" IE5/Netstape and java...) - interesting stuff :D

Similar projects worth following
Digitus branded IP camera with TF-520 chipset.

No HaD price entry as using scripting languages does not involve a build/compile process :P

Maybe I'll add a cheap openwrt router and let it do some image manipulation (accessible by http, inserting bank robbery images etc...) if I get time to play with openwrt, cross-compiling and all that stuff in detail.

In short, cat "0110" | nc 4321 | dd bs=4 skip=1 would do it, but because the cam just stops sending if read speed is to fast, and I found no way to control the pipe buffer for now, there is no simple solution (except maybe a simple shellscript of the while(True){read, sleep, write} type, but this still does not control how many bytes netcat reads in one chunk...)

The cam is from approx ~2003 -2005? and nearly-never used.

I got this camera in the original cardboard box, but without any documentation. As it is no-name ("Digitus" brand), there is no info on the web because it is old and outdated, too.


First step: hello  there?

  • Laptop listening with wireshark
  • webcam connected
  • power applied
  • traffic detected, it runs on

Second Step: Web interface

  • Own IP set to
  • browsing to
  • Login screen, which does only accept 4 letter max. password (wtf?)
  • admin / 1234 does the trick

Third step: crappy java applet to view images

  • Whole web interface requires Java Script to work, except image display
  • Image display is done with "video_java.class"
  • decompiled with JAD it reveals:
    • open socket to port 4321 (hardcoded in this java file, but configurable web gui parameters!)
    • send magic string "0110\n", no auth
    • receive 4 byte header
      • first 2 bytes = payload size
      • second 2 bytes = ??
    • receive payload (jpg file) in little junks (else camera can't catch up!)
    • display jpg
    • after timer triggers, repeat
  • crappiest solution to display image in browser. ever.

Fourth step: lets talk to that web gui (or better block that port entirely)

  • web gui auth works as follows:
    • take username (admin), password (1234) and challenge (more on this later) and run md5 on it
    • send md5 ("response") to cam
    • cam answers with session cookie
    • keep cookie, send it with all requests
  • challenge/cookie
    • 4 byte string
    • generated by:
      • internal 24bit counter counts in an endless loop. Starts at zero after power-on.
      • represenation of this 24bit value by 4 chars = 6 bit (=64 states) encoded by char
      • chars are from these: ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz and represent 0-63
    • there is no way to log out (=timeout mechanism)
    • bruteforce for 4 byte string with known values is easy and just limited by slow camera
  • triggering some actions / config features
    • commands are sent by HTTP POST, including cookie
    • most settings are remembered (e.g. LEDs on or off), except image size (defaults to 320x240)
    • settings are written to small eeprom on board, which takes approx 10 seconds. Using LEDs as outputs (e.g. to drive IR LEDs) is out of question.
    • cam seems to run 320x240px natively, because 160x120 and 640x480 bring the frame rate down (20fps to 5-7fps)
    • email server CANNOT be disabled, which means the cam spams with host name requests for "" - setting it to stops that.
Read more »

View all 2 project logs

Enjoy this project?



Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates