Friday, October 13, 2017

More on Chinese Camera Hacking

So, as I keep phasing out my Hosafe Chinese cameras, I also keep going back to them.  They were cheap, but they have security issues that drive me crazy.  They also had a great picture.  So, I am really getting to the point I want to use them, without having them dial-home to mamma.

I decided to through a little more at these things, just to get a little more information.  I tossed Nikto to the camera, and it identified that you can hit the /cgi-bin/ URI and it will list the scripts.  They appear to be minimal, and two of them stood out.  One was called "" - and I immediately threw some shell escape characters trying to inject commands.  Unfortunately, they actually did some sanity checking, and your maximum length to play with is a command about 4 characters long.  Scratch that one off of the list.

The other script (ignoring the "proccgi" and "wagent" scripts) was called "jvsweb.cgi".  A quick google, and someone said you can list video streams using this CGI in the form of :
Hrm.  I wonder what else it can do?  I tried some additional shell escapes on this, and it smartly refused to do anything else and just gave me a "param error".  I dunno, maybe it tried to run it, but I couldn't get anything out of it (like a "%24%28cp+/etc/passwd+/mnt/web/cgi-bin/%29" [$(cp /etc/passwd /mnt/web/cgi-bin/)], though I didn't use a pipe on it). Another google with the cmd and yst added to the jvsweb.cgi, and I see a page referencing a "webhelp".  That gives a list of options for the cmd parameter, and a very-high-level rundown of what they are for.  It includes everything from modifying your white balance to configuring motion detection.

There was also one called "webdevinfo".  My curiosity was definitely piqued now.  I tossed it in, and got a param error.  A Russian page ( gave a bit more information that I could change the action to "list" (and better information on each of the commands in the webhelp, too) for most of those cmd's, and sure enough, I got a response for :
        "type":    "ipc",
        "hardware":    "JVS-HI3516CS",
        "firmware":    "V2.2.2904",
        "manufacture":    "JVS-HI3516CS",
        "sn":    "S509233745",
        "model":    "ipc-module",
        "channelCnt":    1,
        "streamCnt":    3,
        "ystChannelNo":    [1, 2, 3, 0, 8, 0, 8, 0, 8, 0, 8, 0, 8, 0, 49316, 19032, 35896, 54, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 49048, 19032, 48912, 19032, 38256, 386, 45380, 16436, 2848, 16437, 200, 0, 2848, 16437, 0, 0, 0, 0, 16487, 50277, 16487, 50277, 45380, 16436, 49088, 19032, 1216, 19033, 2384, 19033, 63192, 16398, 49088, 19032, 16487, 50277, 45380, 16436, 60304, 375, 46392, 16436, 338, 0, 46392, 16436, 16487, 50277, 16487, 50277, 45380, 16436, 49144, 19032, 1216, 19033, 46392, 16436, 16487, 50277, 16487, 50277, 45380, 16436, 49168, 19032, 1216, 19033, 46392, 16436, 16487, 50277, 16487, 50277, 45380, 16436],
        "name":    "Camera",
        "date":    "2000-01-01 09:11:37",
        "bSntp":    1,
        "sntpInterval":    24,
        "ntpServer":    "",
        "tz":    8,
        "bDST":    0
The product for these cameras is "JVS-HI3516CS".  That matches the "dial-home-to-mamma" URL of it hitting "", as these are "Jovision" cameras.  The HI3516CS seems to match a cheap, rebadge-friendly hardware producer named "Hisilicon".  And, they sell an SDK.  I might have to delve into the SDK to see if I can create a firmware that will override something, or give me another shell, but it is definitely a start.  The ipc-module is interesting, to - it is an "IP Camera", modular manufacture system where you build the software you want around it, slap a pretty sticker on it, and ship it out.

It is amazing to me that such a cheap, "anonymous" camera has such a good picture, and yet such a lack of controls in that "dial home" tendency.

Saturday, September 30, 2017

Tool Score - Gerstner Tool Box

Someone had listed a Gerstner and Sons tool box on a local classifieds website, complete with a few tools.  It turns out that it was a model 42, in Oak. They listed it for $450, but I couldn't afford that.  I offered $250, and we settled on $300.  It was nearly theft on my part - the box alone goes for $350.  I also picked up another set of inside micrometers (Millers Falls Company), outside micrometer (Starret, No. 224 0-4"), and a 5" Brown and Sharpe sine bar :

So, on to the tool box.  It has definitely seen better days.  I don't really want to refinish it, though.  It is beautiful.

My biggest surprise was middle drawer that enclosed a 1940 10th edition of the Machinery Handbook (the bible for a machinist), with a hand written note that it was purchased in 1940.  If it was purchased for this tool box, that puts the tool box into the same era.

Next, I did a little drawer organization.  Starting from the bottom, I found end mills, cutting inserts, lathe bits, set screws, ball bearings, hex wrenches and boring bars.  I also found a weird little measuring device that I am unfamiliar with :

Next one up had punches, chisels, files, pencils/pen, and a the usual marking supplies along with a demurring tool set :

The third drawer from the bottom had a few clamps, a 0-1" outside micrometer (Geo Scherr Company), a 1-2" outside micrometer, dividers, compass, a few needle points that I am unfamiliar with, and an old pin chuck :

Next, we'll tackle the left drawers.  The bottom of the left side drawers contained some machinist jacks, v-blocks, clamps, and a little machinist vice.  One cool thing out of that drawer was a portable oiler, shown in the middle of this next picture :

Next was a bunch of taps (some custom ground for specific purposes) :

And then, in the top-most drawer on the left side, tap wrenches and a few dies (along with a random chuck key).  The cool thing was this tool box owner built his own die using a nut and either a mill or a drill :

Next, I went to the right side, starting from the bottom-misty right-handed drawer.  It was full of center drills, drill bits for a chuck, and drill bits for a morse taper (1MT).  It was just getting better all the time.

Next came with some solder, stones, o-rings, and some other odds and ends.  I am interested to know who "Carla" was - written on one of the measuring rulers found here :

Two left!  Next one on the right side was full of gear pitch gauges, feeler gauges, and other measuring tools.  This owner was definitely organized :

One thing in this drawer I was unfamiliar with was a craftsman tool looking like :

So, onward and upward.  The last drawer was filled with bushings, pins, welding tips, a couple of springs, and some rather weird stuff.  It also had two pieces of what looked like part of a sine bar, and four small parallels :

Finally, to the top.  This was a bit of a score in and of itself.  There were two squares, three micrometer stands, a small micrometer, a small mechanical micrometer, angle finders, an alignment device (Tubalcain/mrpete222 called it a "wobbler", and I am not sure of the official name), parallels/gauge blocks, and some right-angle blocks :

Yes, I think I scored.  For a grand total of $350, I ended up with four micrometers, three micrometer stands, rulers, alignment pins, drill bits, v-blocks, jacks, taps, dies, end mills, lathe cutting bits, inserts, set screws, dividers, and a host of other things I've already forgotten.

Saturday, September 9, 2017

Generating Video Intros for Training Segments

Our company had some training.  We are large enough that we have dedicated videographers and video editors, but they were unavailable.  After recording the webex, we needed to break the videos into segments, and throw a header on each segment.  That meant I had to generate some fancy-schmancy header that included a company logo, followed by the vendor logo, and then enough time to put segment-specific text.  Here's how I built the header :

First, I generated four separate images I wanted to use.  The first was "white".  The second was the company logo on white.  The third was the vendor logo and faded-company logo on white, and the last was both vendor and company logos faded on a white background.  I called them "frame-01.jpg", "frame-02.jpg", "frame-03.jpg", and "frame-04.jpeg".  I know, I know, fairly creative naming convention.

Next, I needed to create video segments for each of those.  Seeing as how I love the open-source world, and I prefer Linux as my workstation, I ended up using a command line :
    ffmpeg -loop 1 -i frame-01.jpg -c:v libx264 -t 2 -r 30 -pix_fmt yuv420p -vf scale=1920:1080,setdar=16:9 01-white.mp4
    ffmpeg -loop 1 -i frame-02.jpg -c:v libx264 -t 7 -r 30 -pix_fmt yuv420p -vf scale=1920:1080,setdar=16:9 02-company.mp4
    ffmpeg -loop 1 -i frame-03.jpg -c:v libx264 -t 7 -r 30 -pix_fmt yuv420p -vf scale=1920:1080,setdar=16:9 03-vendor.mp4
    ffmpeg -loop 1 -i frame-04.jpg -c:v libx264 -t 2 -r 30 -pix_fmt yuv420p -vf scale=1920:1080,setdar=16:9 04-faded-2_seconds.mp4
That gave me four separate videos. I wanted it to be fancy, so I thought I would use a fancy video editor to generate some cross fade/transition segments between each of them.  I used Cinelerra. It is fairly complex, but you can do a TON of stuff with it. I could have done the entire video - but kept ending up at the command line because that's where I felt most comfortable with it.  Anyway, I used that to generate transitions between the white and company videos, the company and vendor videos, and the vendor to faded videos.  I also generated a fade from the faded to the white video, just so I could fade it back to white.

Once I had those videos and transition videos, I could finally assemble them into a single header video.  This was done by creating a file with the file names listed in the following format :
    file '015-transition_from_white_to_intermountain.mp4'
    file '025-transition_from_ihc_to_sav.mp4'
    file '035-transition_from_sav_to_faded.mp4'
    file '04-faded-2_seconds.mp4'
    file '04-faded-2_seconds.mp4'
    file '04-faded-2_seconds.mp4'
    file '045-transition_from_faded_to_white.mp4'
After that, it was simply running the following command to assemble them into a single video file :
    ffmpeg -f concat -i files.txt -c copy saviynt-training_header.mp4
There was a small problem - my monitor resolution was a wee bit smaller than the 1920x1080 video I had generated.  So, on a whim, I down-scaled that video into something smaller I could play as a preview :
    ffmpeg -i saviynt-training_header.mp4 -vf scale=720:480,setdar=16:9 saviynt-training_header-smaller.mp4
Not a bad days' work!

Sunday, August 20, 2017

Book Scanner v2.0

Since y'all thought I did nothing for two months, I'm going to post a little more. That old, wooden-framed book scanner had some issues with it.

  1. It was heavy, and awkward to move around
  2. It didn't set up square (which is really kind of essential).

So, what to do? Start over.  Here's what I needed designed into it this time :

  • Compressability - I would like something that can be dismantled into something small (the wooden one 
  • Lightweight - It needs to be very portable, and not a chore to lug into a court house to convert old records into PDF
  • Squareness - You want the pictures to be oriented properly
  • Repeatability - getting it set up over and over, I want it to be fairly consistent and easy to use

I needed portability, and that demanded that things were done in lightweight plastics.  No heavy woods.  The requirements for squareness meant I had to grab the platten bases and put a hinge on them - if they were square, the frame would likely be square.  Also, the supporting frame under the platten had to be square, and solid - no taking this one apart.  That means it had to be small.  A few quick notes, and then it was off to Dome Hepot for PVC pipe and Ded, Dath, and Deyond for some plastic cutting boards.  The sizes of the cutting boards will depend on how large you want it to be.

Now, with my parts lined up, I could start assembling it.  The two 90*x90*x90* three-way elbows were for the lower frame front.  I used two extra tees not shown in the above picture, with threads to match those 90* three-way elbows.  The bottom frame was approximately as long as one cutting board was wide.  The length between pillars was two-thirds of the length of a cutting board,  The bottom frame assembled as :

If you look closely, you will note I used a compound miter saw to cut those elbows at the same angle I wanted my platten base to be.  Those black things will thread out, but the rest of the frame was glued together to keep it solid and square.

Once I had that in place, it was time to do the platten base.  This was done using two cutting boards and a piano hinge.  First, it was time to mark out the holes in the cutting board for attaching the hinge.  Since the piano hinge has even holes, I could do them all at once.  I taped the boards together, drilled them out, then counter sunk the screw heads.

I did have to use the belt sander to put a bevel on one end of the cutting boards, just because I needed them to open up to the specific angle (a full 105 degrees).  I used the smaller cutting board from one of those to add a hinged support.

Once the platten base was complete, I could turn my focus to the upper frame and pivot. The Frame was put together using four elbows and two tees, along with some pipe.  For the pivot, you can use anything.  I had some spare hiem joints from working on the corvette headlight conversion to electric,  and so I opted to use those.  The pipes DO need to be there - they fit into the lower frame's tees on the back - , and that helps the upper frame keep square.

It will work with cameras on the upper frame, and the actual glass platten will hang from that upper frame.  Lift up, turn the page, lower, snap pictures, and repeat.

Once I get the physical complete, I will start to do the digital.  The digital base will be a raspberry pi running Linux, two Canon SD cameras, and CHDK firmware allowing control over the cameras from inside of Linux.  The raspberry pi will have a switch on it to trigger the photo, and it will also use an SD card to store the pictures.  I have a number of books to convert as a test.