Monday, March 27, 2017

Hacking Xfinity's Home Security Cameras, part 3

So we discontinued our Xfinity Home subscription (which isn't a statement against the service; we moved out of the Xfinity service area and into a Cox service area and opted not to install their home security package) several months ago.  Of course I took down the Xfinity cameras before we moved, and they've been in storage since.  Last night, I finally dug them out and set about getting them working -- without the touchscreen and security router that Xfinity had them set up for.  This blog post is mostly so I will remember how I did it, because all the information is out there, but it's not all correct (for my cameras, at least).

The problem, of course, is that when the cameras were paired to the Xfinity touchscreen/router/system, passwords were set to view the feeds, and to administer the cameras.  It's possible to get the cameras onto another Wifi by pressing the reset button for a few seconds (putting it into a WPS pairing mode) and then pressing the WPS button on your router.  But this is of no use if you don't know the passwords to get into the camera.

(First thing's first: use the power+ethernet dongle that you cleverly had the Xfinity tech leave you when he installed the cameras so that you can put them on your hardwired LAN.  Do that now.)

So, for the iCamera2 cameras, the information I found online says that the default username is "administrator" and the default password is a blank password.  This, obviously, didn't work with my camera because it was paired with the Xfinity system.  Additionally, the firmware that was loaded onto the camera doesn't have a web UI by default.  (But, if you have the password, you can enable it with a request to /adm/enable_ui.cgi.)

As an aside, I did try updating the firmware, thinking that might reset the password. I found a list of available firmware images in a comment on this blog post, which was a welcome find. I'll repeat his list here for convenience sake:

iCamera1000 Firmware Files

http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-105-1002R08.bin
http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-308-1002R17.bin
http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-308-1002R19.bin
http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-308-1002R22.bin

iCamera2 Firmware Files

http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-104-300114.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-105-300124.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-105-300126.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-106-300128.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-106-300129.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-108-300132.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-110-300229.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-110-300230.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-111-300235.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-111-300238.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-111-300239.bin

The online information also suggested that one should hold the reset button while applying power to the camera.  This appears to put the camera into some kind of recovery mode where the power LED flashes rapidly.  I was not able to see the camera perform any sort of initialization or DHCP request or anything, but eventually figured out that it had just assumed a 192.168.0.99 IP address.  I was able to communicate with it on that address, but the only thing available seemed to be a firmware update page, from which I could upload new firmware images (and have them installed) but that was it.

What I eventually worked out as the solution was to let the camera power on normally, then press and hold the reset button for some 30 seconds.  I did not see any indications that this did anything, but it looks like this resets the camera into a setup mode where the touchscreen can pair it.  After performing this step, I was able to access the camera using curl from my linux box:

# curl --basic --user administrator: 'http://10.0.1.133/adm/set_group.cgi?group=NETWORK&dns_server=10.0.0.1&dns_type=1'
OK
# curl --basic --user administrator: 'http://10.0.1.133/adm/set_group.cgi?group=HTTP&https_mode=1&http_mode=1'
OK
# curl --basic --user administrator: 'http://10.0.1.133/adm/set_group.cgi?group=USER&admin_name=root&admin_password=&login_check=1&user1=%2C'
OK

Of course, at this point I went to the web UI to verify that the password I'd just set was working. And it was. Thinking about it now, I'm wondering if once reset this way, the web UI is not disabled anymore. If not (that is, if the web UI is disabled and browsing to the camera yields a 404 error), it can be re-enabled with:

# curl --basic --user : 'http:///adm/enable_ui.cgi'


This was enough to get me into the camera's configuration UI and able to set up everything there. I will be repeating this with additional cameras later on, so I'll update this further if anything else becomes apparent. But, in case it helps anyone else, these were the steps I took and what I ended up with.

16 comments:

  1. I have been trying to troubleshoot my camera for hours and your blog is the ONLY thing I have found that helped me solve my problem! Thank you! It was a huge help!

    ReplyDelete
    Replies
    1. I totally agree with you ... this blog is heaven sent.

      Delete
  2. I keep getting a certificate error when trying to go to the web interface of the camera. If I use camstudio I can load camera as a hardwired source. I just want to get in and be able to modify camera settings. I can not set my wifi info unless I can get logged in. I am out of contract and own these cameras now and simply want to get them on my own network via wifi. anyone know how to get around certificate error? xcam.camera.xfinityhome.com

    ReplyDelete
  3. hi bro if you know about the upgrade version of rc4551 oc821 rc8221 so please let me inform i have 3000 thousand cameras in stock all have the F/W version problem please some body help me thanks to every one

    ReplyDelete
  4. OMG!!! You are a lifesaver!!! I've been looking EVERYWHERE and finally came to your blog. It works pretty damn good. For those of you that might not be very familiar with linux commands, you can just use the http:// addresses and just copy them into your browser with the correct IP address of your camera.

    ReplyDelete
  5. Please help! I am getting 404 XML message when I use CURL commands from this blog.

    ReplyDelete
  6. Hi - Would appreciate help on this. This is xfinity XCAM2 - leftover after service termination. I have done hard reset properly. I am able to view the camera via ethernet which I wasn't able to before hard resetting. I need to be able to get the CAM on wi-fi in order to install the cams where I need them. I keep getting 404 when trying to save config changes in web administration page. I have tried Curl too, do not get OK in return. Tries WPS connection too. I suspect Xfinity/Comcast is still preventing any config changes to the CAM.

    http://192.168.xxx.xxx/util/query.cgi?extension=yes

    hostname=SCHC2AEW12E923
    description=
    defname=SC12E923
    h264_resolution=1920
    h264_resolution2=1280
    h264_resolution3=1280
    h264_resolution4=1280
    mic_in=on
    speaker_out=on
    ptctrl=off
    irled=on
    resolutions=1920*1080,1280*720,640*480
    mac=14:2e:5e:12:e9:23
    privacy=on
    pir_sensor=off
    wps_pin_code=50816941
    ioctrl=off
    company_name=Comcast
    model_number=SCHC2AEW
    wireless=on
    fw_ver=V3.0.02.54
    ip_addr=192.168.xxx.xxx
    netmask=255.255.255.0
    gateway=192.168.xxx.xxx
    timezone=25
    current_time=07/17/2020 16:53:02
    http_port=80
    rtsp_port=554
    https_port=443

    ReplyDelete
    Replies
    1. I have recently been going through this process again to get these things on my own router. To get the WiFi to work, I had to make sure and run the WLAN=0 set command to get the WiFi to start broadcasting.

      /adm/set_group.cgi?group=WIRELESS&$property=$0

      - Get all WiFi configurations
      /adm/get_group.cgi?group=WIRELESS
      Response:
      [WIRELESS]
      wlan_type=1
      wlan_essid=MyNetwork
      wlan_channel=0
      wlan_domain=5
      wlan_security=2
      wep_authtype=2
      wep_mode=1
      wep_index=1
      wep_ascii=
      wep_kep1=
      wep_kep2=
      wep_kep3=
      wep_kep4=
      wpa_ascii=
      wmm=0

      Properties which can be set using /adm/set_group.cgi?group=WIRELESS&$property=$value.
      wlan_type Valid values are
      0 Ad hoc
      1 Infrastructure

      On the ICam2's, this works most of the time, but sometimes the Cam will not pull the IP properly after the reboot. I have never been able to get this to work with the XCam, though. I have since given in and set the cameras to pairing mode after I scratch them and use the WPS in the Router. Once I see the IP address assigned to the device by the MAC listing the the Router's connected devices, I use the GUI to configure. Here are the two websites I have used multiple times to refresh my memory on the HTML commands...I find this way easier than using CL, but I am what you might call a "path of least resistance" kinda guy.

      https://github.com/edent/Sercomm-API/blob/master/README.md
      https://shkspr.mobi/blog/2017/11/telnet-and-root-on-the-sercomm-icamera2/

      GL :]

      Delete
    2. P.S. It sometimes takes three or four times to properly reset the camera and get it into the correct mode to pair. This is my process:

      Plug in camera to the power adapter.

      Wait for the camera to enter into normal operating mode, Middle light solid and Left light flashing, this is the camera looking to connect to the current settings.

      Hold down the button on the back until both red IR lights come on, ususally within 20-30 seconds.

      Let up on the button and the camera will reboot.

      Once it is back up in normal operation again, hold the button on the back for about 5 seconds and the lights will start flashing much faster, this is the Wireless pairing mode.

      Have your router GUI open and make sure you have the connected devices showing and either press the WPS button or select the button in the GUI to initiate the WPS procedure.

      Once the camera is paired, the lights with start doing different blinking patterns and the last 6 digits of the camera's MAC address should be listed with a new IP and listed as a WiFI connection.

      Again, I have spent a couple of hours on one camera many times to get them added properly, both as an XHS Takeover tech and playing with them at home. Hang in there. I currently have 5 total cams on my Chicken coop with targeted motion working on the perimeters for racoons and such.

      Hope this all helped!

      Delete
  7. Too bad I don't know any of what has been said. Lol I have 2 x2cam

    ReplyDelete
    Replies
    1. I know just enough of what was said to know that I don't know enough for any of it to be useful. lol...

      Delete
  8. Great information here!!! I have followed it over several years to get Xfinity cameras (6 total) operational on my network and on Netcam Studio. My question: What happened to the nice user interface on the Xcams?

    In the past I could use the command: http://192.168.xxx.xxx/adm/enable_ui.cgi to ENABLE the UI(once OK was returned, then just enter http://192.168.xxx.xxx and the UI would come up. I get a 404 error. Tried on all 3 of my Xcams....any ideas would be so welcomed. BTW, the UI is still present on the older cameras.....Many Thanks!

    ReplyDelete
  9. Youre so cool! I dont suppose Ive read anything similar to this prior to. So nice to locate somebody by original thoughts on this subject. realy we appreciate you beginning this up. this excellent website are some things that is required on the internet, an individual with a little originality. beneficial job for bringing new things to the net! white house market

    ReplyDelete
  10. I am having the same issue. Have you had any luck setting up the xcam2 cameras?

    ReplyDelete
  11. Do not let the xCAM2 or xCAM onto the internet at any moment. The camera will call out for a firmware update and loose the gui enable function. Does anyone know how to downgrade the firmware without the gui? Anyone have the old firmware?

    ReplyDelete