Hacking Reolink cameras for fun and profit (2020) (thirtythreeforty.net)
192 points by walterbell on Oct 7, 2022 | hide | past | favorite | 34 comments



Love these blogs where someone casually demonstrates skills in roughly 11 different areas (from Soldering, C++ plugin writing to clear blog writing) all coming together to accomplish something.


Yes indeed, it's very interesting to read, but he also has a great sense of humor that makes it even better to read.


ONVIF support is surprisingly spotty on low-end (<$100) IP cameras, especially wifi ones. Even if a camera claims to be ONVIF compatible, you should really check for a certification at [0].

Even for RTSP, there's often something stupid like the camera implementing 90% of the protocol except it never responds to OPTIONS requests.

And fun fact, VLC no longer supports RTSP on Debian-based distros due to licensing issues [1].

[0] - https://www.onvif.org/conformant-products

[1] - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981439


One of the worst cases of this that I've seen recently is TP-Link's Tapo, which does seem to support ONVIF to a usable extent, but it is impossible to set up the camera or move it to a different wifi network without using their stupid mobile app that requires a cloud account. It works fine offline after that.


RTSP is completely lacking on battery-powered devices, which they don't clearly state anywhere. In fact the battery/solar powered units are practically useless as there is a huge delay in footage after detection, so you will miss people/events.


Streaming video is fairly power-intensive; the typical battery-powered camera could not sustain more than a few hours of streaming without resorting to a prohibitively large battery pack.


Author here! Some very smart contributors have helped decode another layer of the Baichuan protocol - I actually missed the "media wrapper" because it happened to work without removing those headers from the video stream - as well as the UDP protocol variant, so it is technically possible to stream from battery cams. It does drain the battery unless they're externally powered.


There was an ONVIF/RTSP battery camera I wanted, but nobody seems to have it on the second-hand market...

Netgear actually sold a rebranded/reflashed Arlo system as the FlexPower line with a special base station and reflashed Arlo cameras. The base did the magic that let the connected wireless Arlos act as ONVIF cameras in a DVR.


If the crap security on these cheap cams is a concern, one thing that is pretty easy to do if you buy a "managed switch" or similar is put the crappy cheap IP cams on their own private VLAN with no internet access, firewalled from all the other VLANs on your home LAN, perhaps with a few exceptions for NVRs or devices that view the feed locally at home. I just assume these devices are broken and compromised from the moment I plug them in, because inevitably they always are.

Cameras can't be accessed from your LAN, cameras can't access your LAN and they can't phone home easily. They just sit and feed the NVR with video content, offline. I don't even connect them to the internet for firmware updates unless there is some show stopper bug preventing them working as plain ole cams - they are just dumb RTSP endpoints.


I really enjoyed reading this, especially the little branches off into other useful topics and tools. Here are my notes as a summary:

Good blog write-up about reversing the Reolink B800 IP camera; end result: https://github.com/thirtythreeforty/neolink

tools used:

* wireshark & dissector in Lua https://mika-s.github.io/wireshark/lua/dissector/2017/11/04/...

* binwalk

* visualize the BIN for blank space, code, etc. https://binvis.io/#/

* buildroot to make custom: gdbserver, busybox with all the fixin’s, and strace

* disassemble / decompile MIPS with https://ghidra-sre.org/

* using tcpsvd as tcp wrapper for FTPD in custom image

* quick setup env with "expect" script: https://www.thirtythreeforty.net/posts/2020/05/hacking-reoli...

* using gdb Dynamic Print commands to target certain functions. The dynamic printf command dprintf combines a breakpoint with formatted printing of your program’s data to give you the effect of inserting printf calls into your program on-the-fly, without having to recompile it. https://doc.ecoscentric.com/gnutools/doc/gdb/Dynamic-Printf....

* busybox has a watchdog minder, used like: watchdog /dev/watchdog

* background info on Baichuan protocol

* wrote new client software in Rust. https://github.com/thirtythreeforty/neolink/blob/master/src/...

* Gstreamer with RTSP server (in Rust!)

* using it with Blue Iris nvr software


For those not familiar with Reolink: they're a Chinese manufacturer of relatively affordable IP cameras. They're often recommended on the internet for SMBs who need decent cameras but don't want to shell out for Hikvision or Axis.

Example: https://youtu.be/wAkV_fWOMFU


"Shell out for Hikvision"? Hikvision has generally been low cost equipment with decent performance. The main issue with Hikvision is that they are funded and controlled by the Chinese government, and have had countless major vulnerabilities over the years.

Then there is Dahua, which is basically Hikvision Junior. Reolink is somewhat in the middle, in the past they have OEM'd products from Dahua, and others. It can be difficult to know who actually manufactures a lot of the Chinese surveillance cameras, as the companies often go to great lengths to obscure the details.


FWIW, I have a mostly isolated network of Reolink cameras.

Initially it was completely locked down, but I discovered the cameras eventually refuse connections after their RTC drifts too much. I could not get them to use my router for NTP because they preferred pool.ntp.org. I had to open up that port as well as allow them to make DNS lookups on my router.

They have been working fine with that minimal amount of internet access, but curiously, the firewall logs show frequent blocked connections to Reolink IPs on port 9999.

If you have Reolink cameras, your network is open, and you're worried about data exfiltration, then 9999 is one port you may want to block.
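As an added illustration of the triage described in this comment (not code from the thread or from neolink): a small parser over constructed netfilter-style firewall log lines that tallies which destination ports each camera on an isolated VLAN was blocked from reaching, and flags ports that several cameras all try, as with port 9999 above. The VLAN, addresses and log prefixes are assumed values.

```python
"""Triage firewall drop logs from an isolated camera VLAN (added example).

Assumed policy, following the comment: cameras may reach the router for DNS (53)
and pool.ntp.org for NTP (123); all other outbound traffic is dropped and logged.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in iptables LOG style; 10.0.30.0/24 is the assumed
# camera VLAN and 10.0.30.1 the router. Public addresses are documentation ranges.
SAMPLE_LOG = """\
Oct  7 10:01:02 fw kernel: CAM-DROP IN=vlan30 OUT=eth0 SRC=10.0.30.11 DST=203.0.113.10 PROTO=TCP SPT=41234 DPT=9999
Oct  7 10:01:12 fw kernel: CAM-DROP IN=vlan30 OUT=eth0 SRC=10.0.30.11 DST=203.0.113.10 PROTO=TCP SPT=41235 DPT=9999
Oct  7 10:01:30 fw kernel: CAM-ACCEPT IN=vlan30 OUT=eth0 SRC=10.0.30.11 DST=198.51.100.5 PROTO=UDP SPT=123 DPT=123
Oct  7 10:02:00 fw kernel: CAM-ACCEPT IN=vlan30 OUT= SRC=10.0.30.12 DST=10.0.30.1 PROTO=UDP SPT=5353 DPT=53
Oct  7 10:02:15 fw kernel: CAM-DROP IN=vlan30 OUT=eth0 SRC=10.0.30.12 DST=203.0.113.11 PROTO=TCP SPT=41300 DPT=9999
Oct  7 10:03:00 fw kernel: CAM-DROP IN=vlan30 OUT=eth0 SRC=10.0.30.12 DST=203.0.113.12 PROTO=TCP SPT=41301 DPT=443
"""

LINE_RE = re.compile(
    r"(?P<verdict>CAM-(?:DROP|ACCEPT)) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)

def parse(log_text):
    """Yield one record per parsable line; lines without the fields are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            yield rec

def blocked_ports_by_camera(log_text):
    """Map camera IP -> Counter of destination ports whose connections were dropped."""
    out = defaultdict(Counter)
    for rec in parse(log_text):
        if rec["verdict"] == "CAM-DROP":
            out[rec["src"]][rec["dpt"]] += 1
    return out

def suspicious_ports(log_text, min_cameras=2):
    """Ports dropped from at least `min_cameras` distinct cameras: a fleet-wide
    phone-home pattern (9999 in the sample) rather than one noisy device."""
    per_port = defaultdict(set)
    for src, ports in blocked_ports_by_camera(log_text).items():
        for port in ports:
            per_port[port].add(src)
    return sorted(p for p, srcs in per_port.items() if len(srcs) >= min_cameras)
```

On the sample, `blocked_ports_by_camera` shows 9999 from both cameras and 443 from one, and `suspicious_ports` returns `[9999]`.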


why not just point pool.ntp.org to your router ip on the dns server?

then you need not open them up to anything :)


Yeah, I really should do that. The current DNS setup is just using AdGuard Home. From what I can see, it doesn't support custom rules. Down the road I will setup something that provides this, most likely BIND forwarding to AdGuard.


Yeah that is cool, I use dnscrypt proxy myself, it is a go application which can apply rules and filters ;) good luck with the upgrade :D


Is there a manufacturer you prefer over others in the budget segment?


Hanwha A Series cameras. They are relatively new and may be hard to find online yet.


Didn't know about Hanwha, thanks. Looks like the A series isn't even on their European website yet though :(


This page might help fill in some details: https://www.hanwhasecurity.com/products-page/security-camera...


Hanwha was previously Samsung Wisenet?


Correct, Hanwha has been independent of Samsung for many years now though.


Ah, it seems that I was mistaken about Hikvision then.


I have one. They’re decent quality. The iOS app is ok, but the web app is terrible. Hooks up over PoE (I have a Ubiquiti PoE setup), records to local SD card. You can also buy a box to record to as a secondary, or roll your own with various open source options.


Hikvision is cheap, as well as Dahua. Ubiquiti cameras are also cheap but terrible quality.


Reolink is one of few brands that don't force you to use "the cloud". They allow you to store the data/stream wherever you want. Yet they have all the advantages of the other brands, for example a free Android app, and most importantly Reolink has a web interface as well - built into the camera.


This is why I moved to a Reolink NVR after years on ZoneMinder. I didn't want or need the cloud and I wanted constant recording. My Reolink NVR has been great so far paired with PoE cameras. Also I'm able to get an RTSP feed and still image for each camera from the NVR itself to do more processing on if I want to (i.e. Frigate).


I'm happy for Neolink. Discovered it on the Reolink subreddit.

Like OP, I wound up with one of these neutered Reolink cameras. I had purchased a bunch of normal ONVIF/RTSP ones, but one box contained a D800. It also had a slightly damaged mounting plate with dried silicone caulk residue on it. Seems I was a victim of Amazon return fraud, where someone sent them back the D800 instead of an RLC-822A. I was already past the return window and so couldn't even raise an issue about it.

Now I'm thinking I could have saved a lot of money by simply buying their cheaper "dumb" cameras.


Hacking Reolink cameras, or Charlie and the scramble factory


Neat writeup!

Vaguely related - recently discovered that old iPhones can be repurposed to serve RTSP with the app heriscope hd. Works in a pretty idiot-proof manner, though the amount of heat generated is concerning.

Still interesting though given camera quality on old ifruits is pretty good still


If you like this article, then you will also enjoy this DEFCON talk on the same topic: Abusing P2P to Hack 3 Million Cameras.

https://www.youtube.com/watch?v=Z_gKEF76oMM


I have been using Neolink on my Pi 4 to send 4 camera streams to Frigate. It works great. Thank you so much for all the work here to reverse engineer this for people like me.


Anyone know how the Verkada stuff compares? They advertise on Facebook heavily


Cool



