WARNING : Complete defogging requires modifying one of the file systems in the camera. This implies a slight risk of ending up with a brick. You have now been warned…
WARNING : when finish step by step you disable mydlink app mobile access to camera, i think reset camera revert it but i dont try it.
New cameras dlink dcs-8000lh and dcs-p6000lh disabled access to http api cgi commands and rtsp live stream.
Launch “sudo python3 dcs8000lh-configure.py [mac] [pincode] --netconf” and send your response.
Launch “nmap 192.168.1.48” and send your response.
lighttpd (port 80) and telnet (port 21 ) not open , this is my response :
Not shown: 992 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https
554/tcp open rtsp
8000/tcp open http-alt
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8088/tcp open radan-http
pi@AirBee-Home : ~/defogger $ python3 dcs8000lh-configure.py B0:C5:54:44:55:A2 xxxxx --netconf
Connecting to B0:C5:54:44:55:A2…
Verifying IPCam service
Connected to ‘DCS-8000LH-55A2’
wifi link is Up
wifi config: {‘M’: ‘0’, ‘I’: ‘RBC9-2.4’, ‘S’: ‘4’, ‘E’: ‘2’}
ip config: {‘I’: ‘192.168.1.48’, ‘N’: ‘255.255.255.0’, ‘G’: ‘192.168.1.1’, ‘D’: ‘192.168.1.1’}
Done.
pi@AirBee-Home : ~/defogger $ python3 dcs8000lh-configure.py B0:C5:54:44:55:A2 xxxxx --lighttpd
Connecting to B0:C5:54:44:55:A2…
Verifying IPCam service
Connected to ‘DCS-8000LH-55A2’
Attempting to run ‘[ “$(tdb get HTTPServer Enable_byte)” -eq “1” ]||tdb set HTTPServer Enable_byte=1’ on DCS-8000LH-55A2 by abusing the ‘set admin password’ request
Attempting to run ‘/etc/rc.d/init.d/extra_lighttpd.sh start’ on DCS-8000LH-55A2 by abusing the ‘set admin password’ request
Done.
pi@AirBee-Home : ~/defogger $ python3 dcs8000lh-configure.py B0:C5:54:44:55:A2 xxxxx --rtsp
Connecting to B0:C5:54:44:55:A2…
Verifying IPCam service
Connected to ‘DCS-8000LH-55A2’
Attempting to run ‘[ “$(tdb get RTPServer RejectExtIP_byte)” -eq “0” ]||tdb set RTPServer RejectExtIP_byte=0’ on DCS-8000LH-55A2 by abusing the ‘set admin password’ request
Attempting to run ‘[ “$(tdb get RTPServer Authenticate_byte)” -eq “1” ]||tdb set RTPServer Authenticate_byte=1’ on DCS-8000LH-55A2 by abusing the ‘set admin password’ request
Attempting to run ‘/etc/rc.d/init.d/firewall.sh reload&&/etc/rc.d/init.d/rtspd.sh restart’ on DCS-8000LH-55A2 by abusing the ‘set admin password’ request
Done.
pi@AirBee-Home : ~/defogger $ python3 dcs8000lh-configure.py B0:C5:54:44:55:A2 xxxxx --unsignedfw
Connecting to B0:C5:54:44:55:A2…
Verifying IPCam service
Connected to ‘DCS-8000LH-55A2’
Attempting to run ‘tdb set SecureFW _TrustLevel_byte=0’ on DCS-8000LH-55A2 by abusing the ‘set admin password’ request
Done.
pi@AirBee-Home : ~/defogger $ nmap 192.168.1.48
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-05 17:36 CET
Nmap scan report for AirPrinter.lan (192.168.1.48)
Host is up (0.023s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
554/tcp filtered rtsp
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8088/tcp open radan-http
Nmap done: 1 IP address (1 host up) scanned in 1.46 seconds
PS : j’ai remarqué que meme si je met n’importe quoi comme pincode, je peux lancer les script , et j’ai pas de message d’erreur …mais le set de la config wifi fonctionne …
Sorry, I don’t know how to help you, you can post your issue at , I only use his code.
I can see that the rtsp port works for you, if you test with vlc the access to “rtsp://admin:[pincode]@192.168.x.x/live/profile.0” you can surely see the streaming of your camera, you can also access to it from home assistant, the only thing you will not be able to see the start camera image.
Defogger as-is doesn’t work with new firmwares, Dlink basically parched the security flaw in set password that permitted to pass arbitrary commands.
Nevertheless, with an inexpensive TTL to USB / UART device (about $2 on eBay, $7 on Amazon), it is still possible to hack those models. I am doing it right now on a DCS P6000LH. Just follow the “Serial Console” section of defogger's GitHub page and you’re set.
Entering alpha168 is when you are using the serial port and as soon as you see the ESC message you need to send that (apha168) via the serial terminal. It will then give you prompt and you can follow the instructions from that point on.
The username is “admin” and the password is your pin code for the camera.
I had issues with the bluetooth injection (which the newer firmware patched) but you can still do everything via the serial console and it works.
Hi iMil,
could you say me what fw u uploaded in your P6000LH camera ? I tried the one built with make command provided in defogger page but system answer me “upgrade failed”.
Hi Bento_Fernandes,
u need to use serial console because the procedure with BT doesn’t work on P6000LH.
Once u connect with it and the boot log start you need to enter alpha168 when u see the string Press ESC to abort autoboot in 3 seconds##
Then u can follow the procedure described here https://github.com/bmork/defogger#u-boot.
Unfortunately I’m blocked after I enabled http server 'cause I haven’t a valid FW for P6000 to upload.
Hello there,
so like you guys I am stuck with a dlink camera that does not allow direct streams.
I have no linux machine available, only a windows computer.
As I see the instructions serve on how to make a custom firmware.
There are two ways to do it, by bluetooth and with a serial cable.
I am wondering if it´s not possible to build a custom firmware and make the camera get it ota.
I am thinking about a hotspot on my windows machine, imperonating the updateserver by dns redirect and handing out the custom firmware to the camera.
It that even possible?
Hello, attempting on 2.05.03 fw, I am trying to enable rtsp on my camera ONLY without hacking the firmware and when I run the rtsp command from your config.py file it says done but I can not access the rtsp stream.