Monday, 4 January 2016

KKMoon 805 IP Camera Webviewer

I recently purchased a Kkmoon 805 720p IP Camera off ebay. Its software indicates that it is based on a Texas Instruments DM365 processor.

It supports connection via P2P and RTSP. Login uses basic authentication and it does not support HTTPS, so passwords are sent unencrypted, and unfortunately its firmware doesn't appear to restrict the number of unsuccessful attempts to log in either.

I've found the RTSP stream can be viewed without a password anyway.
The following URLs worked for me using VLC media player:

rtsp://user:pass@IPAddress:554/0 (720p stream, averages ~15fps, user and pass can be anything)
rtsp://user:pass@IPAddress:554/1 (480p stream.. " " ")

The following URLs also worked with VLC in Linux and Android, but not in Windows:

rtsp://IPAddress/camera-media/profile0 (720p)
rtsp://IPAddress/camera-media/profile1 (480p)
rtsp://IPAddress/camera-media/profile2 (opened both streams in the vlc plugin)

To download a still from the camera:-

http://IPAddress/snapshot/image0.jpg (320px x 240px).

P2P allows the camera to be remotely accessible over the net with minimal configuration; it doesn't need port forwarding set up, UPnP enabled, or DDNS. Unfortunately, if you don't want to allow P2P access, there's no option to disable P2P, other than blocking internet access for it in the router's firewall.

The Android app I'm using is P2PCam_HD installed from Google Play, although I'm not sure if that is the official app for this camera, as I didn't install the one from the CD/website.

Image quality is acceptable, but not fantastic, and deteriorates badly in low light, until it flips out the IR-cut filter and switches to black & white. Night vision lit by the IR emitters is fairly good. Sound quality is poor, and I've yet to manage to access an audio stream other than by the P2P apps.

A nice feature is that it can record to a micro-SD card in 720p (or 480/320 if preferred).
It is supposed to be able to send an email when it detects motion, but I've been unable to get email to work with any email service I've tried, other than for sending the test email.

EDIT: I was able to receive emails by running a local SMTP server with the SSL option unticked. StartTLS doesn't seem to be implemented, and I'm guessing its SSL support is obsolete due to the SSL vulnerabilities.

Another very annoying issue is that occasionally, when viewing the RTSP stream directly with a programme like VLC or an ONVIF recorder, the camera will pan or tilt of its own accord, and sooner or later the connection will drop with the camera firmware seeming to partially crash and reset itself, although it doesn't lose the time. So far this hasn't happened when monitoring the stream using its P2P apps, or recording to a micro SD card while not being monitored.

The random pan/tilt issue seems to occur much less frequently when the camera has been up and running without a reboot for more than six days.

The camera's positioning to presets doesn't seem to be reliably accurate. I suspect they might be getting corrupted along with the camera's track of its current position due to the crashes.

There is nothing under the hole marked "Reset" in the bottom of the generic case. I removed the bottom from mine and found a pin hole under one of the sticky labels above a button on the rather diminutive circuit board for the various connectors. The pin hole is about ½" behind the camera mount screw and ¼" toward the side with the network port.

The official software is hosted here:-

The browser interface requires the installation of an ActiveX plug-in, requiring Internet Explorer, so I've created a web page that also works in Firefox (32 bit version only) with the VLC plugin included with VLC Media Player to display the RTSP stream. IP address and port are stored as cookies. If you have one of these, I've hosted it here, or you can use it directly from this page:-

Unfortunately, Firefox will be dropping support of all NPAPI plugins, and the VLC NPAPI plugin is not one of the few permitted to run in the 64 bit version, so the 32 bit versions of both Firefox and VLC are required. It
Edit: I've modified my javascript to get it working in Internet Explorer (both 32 and 64 bit).

Tuesday, 16 November 2010

Repairing a Ford Focus or Mondeo Keyfob Remote

A few months back my father was having trouble with the remote control central locking on his Ford Focus, a new battery in the keyfob didn't help, so I gave the contacts a quick clean with some isopropyl alcohol and all seemed well, until about a month later when it stopped working again. Initially I suspected the cheap 8 for a pound lithium battery I'd used, but realised it was probably a faulty switch after a further replacement only lasted a week, by which time the doors had also started to occasionally relock themselves.

A replacement remote keyfob from Ford is quite expensive, so he was keen for me to try and fix it.

To get the key apart, use a small screwdriver inserted into the slot at the back to pry the remote section out of the key yoke. The two halves of the remote section then simply unclip.

Should you decide to order a new remote from Ford, you'll find the part number on the remote section just below the slot. The RFID chip, which deactivates the immobiliser, appears to be located in the half containing the battery, so if you don't have the two keys required to reprogram the immobiliser to accept the RFID in a new remote, swapping the battery compartment over would probably work.

The plastic cover over the PCB is held in place by a couple of plastic pegs, which have had their ends melted to stop them pulling back through the holes. Rather than cut the melted ends off, I squeezed them around with a pair of tweezers, reducing the diameter enough to pop through the hole.

By now I'm wearing an anti-static strap, rather than risking zapping the electronics. They only cost about 2 quid from somewhere like dealextreme, but don't buy "wireless" ones, as they are a con, and don't work.

Gently pop the top peg out of the slot in the PCB to release it.

With the PCB removed, you can see the three miniature switches.

Testing my dad's ones with a meter revealed that the lock button had a partial short, enough to slowly drain the battery, but not normally quite enough to trigger the doors to lock.

The cause was corrosion inside the switch, the debris from which was creating the short. It must have got moisture in, although my dad is certain that the key has never got wet. The key for his previous Focus went through the wash cycle on at least one occasion that I know of, but never developed a fault; the seal on this one clearly isn't so good.

The switches come apart quite easily, by using a jeweller's screwdriver to pop off their metal shells. They are a miniature leaf switch: one leaf acts as a contact, the other increases the force required to operate it. The one shown on the left was black, but cleaned up quite well.

As a temporary fix, I unclipped the metal shells, scraped off the worst of the corrosion from the contacts and the silver plated leaf on each switch with a jeweller's screwdriver, and cleaned them with isopropyl alcohol. This restored the remote to full working order. If you are lucky that might be all that is needed, but because of the very poor condition of the lock switch, I decided to source some replacements.

The switches are 2 x 6 mm KSR subminiature tactile switches made by C&K. From measuring the pressure required to operate the originals, I reckoned the 4.5N KSR251GLFS is the best match. You might even find you could swap the leaf switch and buttons over, rather than unsoldering the base, providing you can get the contacts in the switch base nice and clean.

I'm afraid I don't have any pictures of soldering the replacement switches in, as I passed the job on to my brother; he's vastly better at soldering fiddly SMT components than me. He tells me that he used a craft knife to separate the solder joints while heating it with his iron.

When you come to soldering the new switches on, the solder pads on the switch are gull-winged so should draw the solder in. The tricky bit is having a steady hand so as not to move them, or if you are clumsy like me, you might find it easier to solder them if you use a plastic spring clip to hold them in place.

After reassembling and testing the key, you should fix the PCB and its cover firmly in place, as even a small amount of play can cause the battery contacts to bend and eventually lose contact with the pads on the PCB when pressing the buttons. So I'd suggest gluing it in place, or as I have, to make it easy should I ever need to take it apart again, I stuck a small thin square of foam rubber (I used a strip of stick on rubber feet, but something like draft excluder might be thin enough) on the PCB cover so that it presses on the centre of the battery.

The key is now working fine, and cost less than a tenner to fix, with a few spare switches left over, should it ever fail again.

Saturday, 16 October 2010

Sky D-Link DSL-2640S Router Password Extractor.

If you still have Sky_1.11 firmware (the Firmware Version is shown on the router's status page), I'd suggest downloading my program and extracting the password right away. However, if you missed your opportunity to obtain your password before the router upgraded to the new Sky_2.04 firmware, then you can still extract it if you flash the router with the earlier version of the d-link firmware included on the CD supplied with the router.

This application will only work on the D-link router provided by Sky, and is quite likely to stop working in future versions of the firmware. Passwords for other Sky routers can be obtained from this website; if you have the Sagem 2304N, select the Sagem F@ST2504 model. Passwords for the white Sky Netgear DG834GT router can be extracted by clicking this link.

Please be aware that using a router, other than the one provided to you by Sky is in breach of Sky's Terms and Conditions.

If you decide to use a non-sky router, please do not ask Sky customer services to assist in configuring it, and do not dispose of the one they supplied, as Sky do not provide support to customers while they are using non-sky routers.

Your use of this app, and the information it provides, is entirely at your own risk!

A brand new router stats/password extraction program with support for the current Dlink Sky2.04 firmware is now available from here:-

You can download the latest version from here:- Authenticity_v1.71.jar (Please note that the password extraction feature will not work on this version if you connect to the router through a local proxy, as this causes my program to use for the PC's LAN address. Kaspersky, and most likely one or two other anti-virus programs will cause this issue - I hope to fix this in the first release of my new program.)

The front end is written in Java. I've tested it on Windows XP, a live Linux CD and I'm told it will work on Macs. If you don't have Java installed, it can be downloaded from here:- Java Downloads for All Operating Systems.

As of V1.7 of my program, it is possible to extract the password without connecting the router to a phone line. If it fails to extract the password, but reports the ADSL stats ok, then the router is probably being blocked from downloading the password extractor from your PC, by your PC's firewall.

If the router is blocked by a firewall (Windows Firewall seems to be a common culprit), its user interface will stop responding until the blocked request times out (about 2 minutes). Temporarily set the firewall running on your PC to allow inbound access on port 8888, or disable it while you extract your password. Then, either wait for the router's UI to start responding again, or reboot it, and my app should work ok. You should remove the firewall rule once you've extracted the password; it is not required to access your detailed stats.

Typical Sky ADSL Settings (these are the same as most BT based ISPs) :-

Encapsulation: PPPoA (PPP over ATM or PPPoA VC-mux on some routers)
Multiplexing: VC-Based

VPI: 0
VCI: 38
ADSL Mode: Auto or Multimode

If you need any help configuring your router, I'd recommend the forums at and 

V1.1 I've added an option to change the port it uses (you can ignore this, unless you run a server on port 8888), improved the error reporting, and fixed a minor bug.
V1.3 Partially fixed a problem with it selecting the wrong network device on some PCs, made the local IP address configurable in case it still picks the wrong one.
V1.4 Reconstructed the source from backups after a hardware failure, fixed a few bugs, and got the spinny busy indicator working.
V1.5 Added an option for those that want to tweak the SNR margin (or execute any shell command) - enable "advanced" in the options menu to use it, but if you've just joined, then do not fiddle with the SNR margin before the 10 day DLM process is over as it will affect the DLM process, and likely result in your connection speed being limited below what your line is capable of. It will now also check the current directory for utelnetd and enable the Telnet button if it is found. If you need telnet access a suitable daemon can be found here
V1.6 Improved the noise margin tweaking options. Note that the noise margin dB adjustments shown on the slider are only approximate, and adjustments of more than -6dB might not work with this router's xdslctl command.
V1.7 Can now extract the authentication details from a router that is not connected to the phone line.
V1.71 Corrected an erroneous error message, minor changes to the server code.

I'd like to thank everyone making a contribution to my Paypal account, and I'd also like to thank everyone who helped with testing.

Instructions for Flashing The DSL-2640S - only necessary if the firmware has upgraded to Sky_2.04.

Warning: flashing the router could render it permanently inoperative if anything goes wrong, so proceed at your own risk

If you wish to do this, disconnect the phone line from the router, and connect the router to your PC with an Ethernet cable, rather than using wireless. Reset the router to its factory defaults (you may wish to back-up your current settings first), then power it up with the reset button held in until the "tick" led starts flashing. This puts the router into recovery mode; you can then use the dlink DSL-2640S recovery utility included on the CD to flash the router. Or if you don't have Windows, you can access the recovery user interface by browsing to, after first configuring your PC with a fixed IP address (eg, since the router doesn't run a DHCP server while in recovery mode.

Do not turn off the power while the firmware is being written to the router.

It will take about two minutes for the router to write the firmware to its flash memory, then the light will stop flashing and it will then reboot itself, returning to its normal IP address.

Extract the password using Authenticity V1.7 (or later) while the router is still disconnected from the phone line, to avoid any risk of the router re-updating itself.

If the Sky router is unable to connect to Sky after downgrading, reset it to its factory defaults for the downgraded firmware, by holding the reset button in for 10 seconds when it is already powered up.

Saturday, 2 October 2010

d-link dsl-2640s

I managed to get hold of an almost new d-link sky router today. It didn't cost much as it is locked down to sky, but I was hoping I'd be able to flash it with a standard firmware, so that I can use it as a backup while I try to fix one of my other routers, both of which have hardware issues.

Meanwhile I've got the D-link sat on the side of my desk and am using it as a Wifi access point, while having a go at extracting the password generation code.

Here's a picture of the innards.

It is built around a Broadcom BCM63281KFBG, which according to a pdf I found on the Broadcom website, is a cost effective, low power chip, with support for power management. The Wifi chip is a BCM4313KML1G - single-band, IEEE 802.11n, with dual antenna support, although the router itself is only b and g capable.

As you can see there's minimal shielding on the wireless section, and judging by the PCB, the bcm63281 has an integrated switch. The inclusion of a power button at the rear, proved to be very useful while I was trying to access the shell.

It has four external Ethernet ports, and supports wireless 802.11b & g. The sky firmware includes support for WPA & WPA2, although you can't select WPA2 only. The firmware seems pretty good at automatically selecting an unused wifi channel, however it sometimes picks a channel used by a neighbour, possibly because they have their SSID hidden, so I found it necessary to manually select one.

The wifi signal is a little weak compared to my other routers, probably because of the internal antenna - the bit of steel with a wire attached at the bottom of the picture. I also wonder if they've limited the power output, to avoid causing interference issues due to the lack of shielding. There are unused solder pads on the PCB for a second antenna.

Mounting the router vertically improved the wifi reception by about 15%, and also makes the router run much cooler. It gets quite toasty while sitting on its rubber feet, as the vents are at either end of the case. The wifi signal still doesn't match that of my other routers though, or even my neighbour's; it is, however, more than adequate to reach opposite ends of my house.

Anyway, before trying to flash it, I wanted to try to access the shell, which, as it doesn't seem to have a telnet or ssh server running, requires a little hacking...

Getting root access didn't provide me with that much of a challenge, although the procedure I used did get a little complicated.

Needless to say, it runs BusyBox under Linux:-

BusyBox v1.00 (2010.06.23-05:56+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# ls
bin      dev      lib      mnt      proc     sys      usr      webs
data     etc      linuxrc  opt      sbin     tmp      var
# ls /bin
adsl            dnsproxy        iptables        ps              true
adslctl         dnsspoof        kill            pwd             udhcpd
brctl           dsldiagd        ln              pwr             umount
busybox         dumpmem         ls              pwrctl          upgrader
cat             eapd            mcpd            rawSocketTest   upnp
chmod           ebtables        mkdir           rm              urlfilterd
consoled        echo            mknod           sendarp         vlanctl
cp              epi_ttcp        mount           setmem          wl
date            ethctl          msh             sh              wlctl
ddnsd           ethswctl        nas             sleep           wlevt
deluser         false           nas4not         smd             wlmngr
df              fc              nvram           sntp            xdslctl
dhcpc           fcctl           nvramUpdate     ssk             xtm
dhcpd           flash_eraseall  ping            sysinfo         xtmctl
diapd           hotplug         ping6           telnetd
dmesg           httpd           pppd            tftpd
# ls /sbin
ethctl    ifconfig  insmod    logread   rmmod     syslogd
hotplug   init      klogd     reboot    route     vconfig
# help

Built-in commands:
. : break cd continue eval exec exit export help login newgrp
read readonly set shift times trap umask wait [ busybox cat chmod
cp date deluser df dmesg echo expr false flash_eraseall ftpget
ifconfig init insmod kill killall klogd linuxrc ln logger logread
ls mkdir mknod mount msh nc ping ping6 ps pwd reboot rm rmmod
route sendarp sh sleep sysinfo syslogd test tftp tftpd top true
tty umount vconfig wget
cat cpuinfo
system type             : 96328avng
processor               : 0
cpu model               : Broadcom4350 V7.5
BogoMIPS                : 319.48
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

Mem: 24400K used, 36880K free, 0K shrd, 2676K buff, 9752K cached
Load average: 0.13, 0.08, 0.01    (State: S=sleeping R=running, W=waiting)

 158 admin    SW         0     2  1.7  0.0 bcmsw
1098 admin    R        404  1096  0.5  0.6 exe
1002 admin    S        140     1  0.1  0.2 telnetd
 844 admin    S       1576   187  0.0  2.5 httpd
 188 admin    S       1448   187  0.0  2.3 ssk
 531 admin    S       1392   187  0.0  2.2 wlmngr
 187 admin    S        724   114  0.0  1.1 smd
 233 admin    S        640   187  0.0  1.0 mcpd
 608 admin    S        532   187  0.0  0.8 upgrader
1005 admin    S        500     1  0.0  0.8 pppd
 114 admin    S        464     1  0.0  0.7 sh
1096 admin    S        448  1002  0.0  0.7 sh
 195 admin    S        416   187  0.0  0.6 syslogd
   1 admin    S        392     0  0.0  0.6 init
 196 admin    S        344   187  0.0  0.5 klogd
 197 admin    S        340   187  0.0  0.5 sntp
 609 admin    S        288   187  0.0  0.4 dsldiagd
 250 admin    S        216     1  0.0  0.3 dnsspoof
 803 admin    S        212     1  0.0  0.3 nas
 799 admin    S        124     1  0.0  0.2 eapd

Running the PPP daemon manually reveals that "ps" masks the CHAP password with a couple of asterisks.
1005 admin       500 S   pppd -c pppoa0 -a 0.0.38 -u -p **
1096 admin       448 S   /bin/sh
1103 admin       388 R   ps

If you've bought one off ebay, and want to check it works before flashing, the typical format of the pppd command is:-

/bin/pppd -c pppoa0 -a 0.0.38 -u USERNAME -p PASSWORD -f0 -z1500&

Obviously you'd need access to the shell first (I've written a program to provide telnet access and also to extract the password) and I suspect "pppd" will need to be run before connecting the router to the telephone line.

Finding a compatible firmware may prove to be very tricky though. I was hoping it would be the same hardware as the Broadcom based dsl-2640b, however this router's design seems to be a new one.


D-Link have released the GPL source code

Friday, 16 May 2008

Nebuad's opt-out

I thought I'd have a quick look at one of Phorm's rivals, Nebuad.

Apparently much like Phorm, Nebuad uses a cookie based opt-out. Opting out or back-in is achieved by requesting a URL, in response to which Nebuad's server sends your browser its opt-out, or opt-in cookies...

Surprisingly, the opt-in/opt-out pages are indexed by Google:

The above search no longer works try

Also cookie "h" is no longer set.

WARNING: if your ISP uses Nebuad and you've already opted-out, then opening the second search result shown in google ( will almost certainly opt you back in.

WARNING: I've just noticed that Firefox has a page pre-fetch feature which might result in the opt-in page being accessed and the cookie changed just by clicking on the google search above (depends on which link appears first I think)- if you click on the link above, please make sure you opt-out afterwards.

Nebuad's opt-in/opt-out page can be found here:-

Opting in creates 2 sets of 5 cookies, "o","u","c","h","w", one set in "", and the other in the "" subdomain. Opting out sets "o"="9" and deletes the other cookies.

o = 0 appears to indicate opted in.
o = 9 indicates opted out.

My guess is "o" might be a set of binary flags eg

bit #0 = 1 - don't track
bit #3 = 1 - don't show targeted adverts.

'c' is the name of an adserver.
'h' and 'u' are set to matching 14 digit numbers.
'w' is another 14 digit number, which appears to count upwards (could be a date and time perhaps?).

Different sets of numbers are generated for the a and b subdomains.

If you look at the bottom of the opt-in page, you'll see the actual opt-in URLs passed using a couple of <script> tags right at the very bottom, after the closing html tag. The browser will request these URLs, and the server will set the cookies in the response and close the connection (no actual JavaScript is returned by the response).

<script language="JavaScript" src=""></script>
<script language="JavaScript" src=""></script>

And for the opt-out page.

<script language="JavaScript" src=""></script>
<script language="JavaScript" src=""></script>

There do not appear to be any measures in place to prevent an "evil" website from opting you back-in using the same method - try clicking on Google's cached optin_done link and check for cookies.
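
The missing server-side measure can be sketched as follows. This is an added example, not Nebuad's code or anything from the original post: it models the "o" cookie and the tracking cookie names described above, and assumes a hypothetical session cookie "sid" and form field "token". Opting in is accepted only as a POST carrying a token that only the first-party opt-in page can embed, so a third-party `<script src>` request (always a GET, with no token) cannot flip an opted-out user back in.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # server-side secret, never sent to the browser
TRACKING_COOKIES = ("u", "c", "h", "w")   # cookie names as listed in the post

def token_for(session_id):
    """Token the first-party opt-in form embeds; pages on other origins cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle(action, method, cookies, form):
    """Return (http_status, cookies_after) for an opt 'in' or 'out' request."""
    after = dict(cookies)
    if action == "out":
        # Opting out only reduces tracking, so it is accepted without a token.
        after["o"] = "9"
        for name in TRACKING_COOKIES:
            after.pop(name, None)
        return 200, after
    if action != "in":
        return 404, after
    sid = cookies.get("sid", "")           # hypothetical session cookie
    supplied = form.get("token", "")       # hypothetical form field
    valid = bool(sid) and hmac.compare_digest(
        supplied.encode(), token_for(sid).encode())
    if method != "POST" or not valid:
        return 403, after                  # state unchanged: the user stays opted out
    after["o"] = "0"
    return 200, after

def demo():
    """Three requests against a constructed, already opted-out browser state."""
    opted_out = {"sid": "constructed-session-1", "o": "9"}
    # 1. What a <script src=...> on a third-party page produces: GET, cookies, no token.
    script_tag = handle("in", "GET", opted_out, {})
    # 2. A forged cross-site form POST: cookies are sent, but the token is a guess.
    forged_post = handle("in", "POST", opted_out, {"token": "guess"})
    # 3. The first-party opt-in form, which carries the real token.
    first_party = handle("in", "POST", opted_out,
                         {"token": token_for(opted_out["sid"])})
    return script_tag, forged_post, first_party

if __name__ == "__main__":
    for result in demo():
        print(result)
```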