The cam is from approx ~2003 -2005? and nearly-never used.

I got this camera in the original cardboard box, but without any documentation. As it is no-name ("Digitus" brand), there is no info on the web because it is old and outdated, too.

"Featurelist":

First step: hello  there?

• Laptop listening with wireshark
• webcam connected
• power applied
• traffic detected, it runs on 192.168.2.3

Second Step: Web interface

• Own IP set to 192.168.2.1
• browsing to 192.168.2.3:80
• Login screen, which does only accept 4 letter max. password (wtf?)
• admin / 1234 does the trick

Third step: crappy java applet to view images

• Whole web interface requires Java Script to work, except image display
• Image display is done with "video_java.class"
• decompiled with JAD it reveals:
  • open socket to port 4321 (hardcoded in this java file, but configurable web gui parameters!)
  • send magic string "0110\n", no auth
  • receive 4 byte header
    • first 2 bytes = payload size
    • second 2 bytes = ??
  • receive payload (jpg file) in little junks (else camera can't catch up!)
  • display jpg
  • after timer triggers, repeat
• crappiest solution to display image in browser. ever.

Fourth step: lets talk to that web gui (or better block that port entirely)

• web gui auth works as follows:
  • take username (admin), password (1234) and challenge (more on this later) and run md5 on it
  • send md5 ("response") to cam
  • cam answers with session cookie
  • keep cookie, send it with all requests
• challenge/cookie
  • 4 byte string
  • generated by:
    • internal 24bit counter counts in an endless loop. Starts at zero after power-on.
    • represenation of this 24bit value by 4 chars = 6 bit (=64 states) encoded by char
    • chars are from these: ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz and represent 0-63
  • there is no way to log out (=timeout mechanism)
  • bruteforce for 4 byte string with known values is easy and just limited by slow camera
• triggering some actions / config features
  • commands are sent by HTTP POST, including cookie
  • most settings are remembered (e.g. LEDs on or off), except image size (defaults to 320x240)
  • settings are written to small eeprom on board, which takes approx 10 seconds. Using LEDs as outputs (e.g. to drive IR LEDs) is out of question.
  • cam seems to run 320x240px natively, because 160x120 and 640x480 bring the frame rate down (20fps to 5-7fps)
  • email server CANNOT be disabled, which means the cam spams with host name requests for "mailserver.com" - setting it to 127.0.0.1 stops that.