Playing with Network Cameras

Friday, February 5, 2016

rsyslog for IQeye network cameras

The classic IQeye cameras (not Xilinx, Ambarella-based ones) include built in syslog daemons that will log to a syslog server of your choosing. 514/UDP naturally.

This applies to models like IQ7xx, IQ8xx, IQ5xx (not sure about IQ54x), but not IQx3x models like the IQ732 or IQ030s. Basically the MJPEG cameras, not the H.264 ones.

Why would I want this? Why even write the feature into an IP camera?

There are some great applications that can be written to take advantage of watching the logs sent by IQeye cameras:

See and react to strange requests to strange URLs

Your firewall will only watch IPs at layer 3, it is not aware of HTTP requests. Using syslog we can see what URLs are actually being requested by clients at layer 7 and determine if real people or bots are attempting to compromise generic HTTP services. If you are seeing Wordpress URL requests, you can gather IPs to block which are likely just compromised hosts.

Trigger actions based on events

FTP transactions (especially if you don't have the ability to set file watches using inotify on your FTP server)
motion detected
NTP updates
DHCP renewals

Requests for URLs like serverpush.html

I had an incident where an internet user was changing my admin passwords. I leave my cameras with default passwords because I want people to explore a bit. It's interesting to see who stumbles into the honeypot!

Advanced logic such as detecting motion..changing lighting settings...displaying currently connected clients on a map..

By design the inbuilt webpages use JavaScript to make requests to the onboard "API" using OIDs

Detect client connections and update a status board

Using the syslog, you can generate a report of the most frequently requested files, and where the client IPs are located. You can also correlate this with your iptables log to get an idea who's requesting what from where.

Caveats

One drawback of getting the HTTP requests is that this level of logging also includes the FTP operations for triggered events. You'll need to grep through all of this to distinguish the entries.

Another consideration is security. Like all syslog logging the data over port 514 is in clear text. syslog is lossy, it operates over UDP 514. There is no guarantee of data being delivered.

How to enable logging

Telnet into the camera

SET LOGGING DESTINATION IP 207.7.34.3

or whatever your syslog server is...

Set logging levels, higher numbers are higher verbosity:

SET LOGGING NETWORK { 1-4 }

SET LOGGING IP { 1-7 }

SET LOGGING COMMANDS { ENABLED|DISABLED }

SET LOGGING TRIGGER { MOTION|RELAY|ALL }

Different events can be sent to different syslog servers:

SET LOGGING IP MAX DESTINATION IP 75.7.53.10

SET LOGGING COMMANDS ENABLED DESTINATION IP 129.7.23.21

Remember to save your settings!

SAVE LOGGING

Sample Log Entries

Motion detected, camera begins writing JPEGs:

<13>1 2015-02-13T17:18:13.070497-06:00 source command - - - command: ftp trigger trig-*.jpg trig+*.jpg
<151>1 2015-02-13T17:18:13.083371-06:00 iqeye220e83.jay.lan NOOP - - - NOOP
<151>1 2015-02-13T17:18:13.094767-06:00 200 NOOP - - - NOOP command successful#015#012
<151>1 2015-02-13T17:18:13.097009-06:00 iqeye220e83.jay.lan PASV - - - PASV
<151>1 2015-02-13T17:18:13.105143-06:00 227 Entering - - - Entering Passive Mode (192,168,16,119,220,64).#015#012
<151>1 2015-02-13T17:18:13.106772-06:00 STOR 17_18_11.trig-04.jpg.tmp - - - 17_18_11.trig-04.jpg.tmp
<151>1 2015-02-13T17:18:13.118378-06:00 150 Opening - - - Opening BINARY mode data connection for 17_18_11.trig-04.jpg.tmp#015#012
<151>1 2015-02-13T17:18:13.190253-06:00 RNFR 17_18_11.trig-04.jpg.tmp - - - 17_18_11.trig-04.jpg.tmp
<151>1 2015-02-13T17:18:13.196035-06:00 350 File - - - File or directory exists, ready for destination name#015#012
<151>1 2015-02-13T17:18:13.196412-06:00 RNTO 17_18_11.trig-04.jpg - - - 17_18_11.trig-04.jpg
<151>1 2015-02-13T17:18:13.207172-06:00 250 Rename - - - Rename successful#015#012

Client connects via web interface:

<150>1 2015-02-13T17:20:29.742021-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request style.css from 98.174.251.203
<150>1 2015-02-13T17:20:29.855949-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request gui.js from 98.174.251.203
<150>1 2015-02-13T17:20:29.856678-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request vid.js from 98.174.251.203
<150>1 2015-02-13T17:20:29.857385-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request lib.js from 98.174.251.203
<150>1 2015-02-13T17:20:31.225316-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request now.jpg?snap=spush?ds=1?dummy=1423869627585 from 98.174.251.203
<150>1 2015-02-13T17:24:36.800627-06:00 iqeye220e83.jay.lan NTP - - - NTP: accepted packet from 209.118.204.201

I'm still not clear on what the prepended <###> field is. Seems I need to study my syslog knowledge.

Happy Hacking!

Friday, April 10, 2015

IQinvision HEX model identifiers

The following HEX codes are used to identify camera models:

3b IQ7xx

4d IQ8xx

3c IQ511

6b IQ03x, IQ03x

Will probably add more later!

IQinvision IQeye511 and why it's one of my favorites

The IQ511 I think is the capstone entry into the IQeye product set. The form factor was and still is unique: a boxy, flat camera body with a protruding lens. It's kinda cute!

At 1280x1024 this camera was probably a resolution monster at its launch in 2007.

It's got basically all the features of my favorite 7xx series, in a compact package, and captive terminals for power input so it can be run from solar. Best of all, they can be had now for around $40/$60 with/without lens.

It does have the problem with old firmware that requires Java applets to configure the motion windows and to load the live view in the main viewer page. However, remember that you can always use serverpush.html instead of appletvid.html to get a raw MJPEG stream in your browser.

My suggestion, if you are concerned about having a non-Java camera, is to buy the IQ541 or IQ542. However, keep in mind that the IQ54x line is the BASIC line and is missing some important integration/hacking features. See my blog entry on that.

Keep on hacking!

Not all IQeyes are equal (IQD4x, IQ04x, IQ54x)

What it seemed like, was that I could get the form factor of the IQ03x but without the H.264 functionality. Imagine my surprise when I saw the following in the flash status screen:

It's Linux! For the first time in my tech life, I will say that I was disappointed that they ran Linux, mostly because the Linux firmware is lacking many of the features that make IQeyes so enjoyable to toy with.

No motion event triggers

Cannot send motion events to FTP/etc
Looks like they depend on ONVIF to monitor the image stream for motion event (?snap=spushn&pragma=motion also works)

No downsample

I really like this feature, basically the camera will do an onboard downscale for low bandwidth viewing.

No subframes

the 5xx, 7xx and 8xx series let you specify a GET string that shows you a small portion of the frame, ie ?wl=100&wt=100&ww=500&wh=400 which will show a 500x400 pixel window with the origin at 100x100px.

Syslog functionality...absent
FTP server on camera...absent...cannot customize webpages

Unless you are looking for very basic view functionality, you should shy away from the IQ54x, IQ04x, and IQD4x series, and instead go with 5xx, 7xx, 8xx series cameras for everything else. Unfortunately for a compact dome with those advanced features there doesn't seem to be many options in the previous generations, and you'll have to go with the newer R-series.

Sunday, December 7, 2014

Tunneling live RTSP video on a port forwarded camera

There are some times where you may need to view live video on an IQeye H.264 camera that is behind a firewall.

Normally, the RTSP stream is accessible on port 554, which is fine if you have the ability to provision a public IP for each of your cameras.

But if you are behind a NAT, then the camera will have a port forwarding like port 8080 on the outside. How do you stream video if you cannot get to port 554 on the inside?

Use the RTSP over HTTP function in VLC!

First, configure VLC

Go to Tools -> Preferences
Click on the All radio button at the bottom
Search for RTSP
Select "Tunnel RTSP and RTP over HTTP"
Set the HTTP tunnel port to the port forwarded port of your IQeye camera (let's use 8080 in this case)

Open a Network Stream

Use the path /rtsp/now.mp4 instead of just /now.mp4.

Media-> Open Network Stream
Enter 'rtsp://<ip_of_your_camera>:8080/rtsp/now.mp4' as the address (8080 is the example we are using)
Click Play

Voila!

IQeye 3 Series Review

I recently picked up two IQ031S cameras, a model that supports full-motion H.264. I've always been a fan of the standard MJPEG IQeye cameras and wanted to try these ones out. They are the H.264 entry-level cameras featuring the Ambarella SoC solution running Linux. MSRP around $400-500 I think. I picked mine off eBay for about $100.

IQ031S Version V4.0/069(140501) Platform: 6b

At the time of this writing (late 2014), this model is still sold and supported, but some more interesting models like the Alliance-mini, and 7-series are more up-to-date in terms of hardware and features.

As usual with IQeye H.264 cameras, the streams are accessible with RTSP over HTTP tunneling (port 80)
rtsp://<camera_ip>/rtsp/now.mp4 primary stream
rtsp://<camera_ip>/rtsp/stream1 primary stream
rtsp://<camera_ip>/rtsp/stream2 secondary stream

When using this method, make sure you tell VLC to "tunnel RTSP over HTTP" in Settings, and set the tunnel port to 80 (or whatever your camera is on). See more on this in my "tunneling live video on a port forwarded camera" post.

Or directly with RTSP port 554
rtsp://<camera_ip>:554/now.mp4 primary stream
rtsp://<camera_ip>:554/stream1 primary stream
rtsp://<camera_ip>:554/stream2 primary stream

First Thoughts

My first thoughts are that the live motion with sound is amazing! It's a weird feeling to see live video when you are so used to MJPEGs low framerate. The keyframes seem to happen about every few seconds, and looking at the OID table for the camera, this is confirmed with the following:

OID	current value	default value	range	description
1.17.2.5	3000	1000		video iframe interval (ms) (read only)

It's a bit strange that the item is read-only but the value is not set to the default.

The form factor is nice. It's a compact camera, very similar to the IQeye 511 that I really like, but in a short bullet style housing, rather than being flat like the 511. The rear of the camera has a reset button and an Ethernet port. That's all. It must be powered over PoE.

The Ambarella SoC has some strange artifacting. In all conditions, the image always seems to lean toward a blue/purple tint. I feel like the color adjustment matrices programmed into the camera are not tuned properly for the sensor. Changing the white balance settings doesn't seem to help. There is no way to set spot white balance and point to that spot.

Telnet Interface

The camera does have a telnet interface, but most of the 'SET' commands from old cameras are not implemented. For example, I do not know how to set the camera to put the log output to a syslog server as on the older cameras. The new telnet command line seems more suited to setting OIDs. But if you're going to do that, you might as well use the HTTP request method (ie /set.oid?OidTR1.2.9.1.9.2=Whatever).

> show logging
Info: cmd_show_logging not yet implemented
ret=-1

So it looks like the developers haven't gotten around to adding logging features. See the post on "syslog logging for IQeye" to see the use-cases and benefits of the IQeye on-board logging feature.

The command "monitor" was added, which is basically the same as the "show" command, but runs in an infinite loop.

The netstat output is much more Linux-y, and this makes sense: the camera runs an embedded Linux.
>> netstat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:32008 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:554 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:943 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2300 0.0.0.0:* LISTEN
tcp 0 0 192.168.16.137:36050 192.168.16.119:445 ESTABLISHED
tcp 0 0 192.168.16.137:23 192.168.16.119:44090 ESTABLISHED
tcp 0 24616 192.168.16.137:80 173.173.105.232:54754 ESTABLISHED
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 192.168.16.137:32769 209.118.204.201:123 ESTABLISHED
udp 0 0 224.0.0.251:5353 0.0.0.0:*
udp 0 0 239.255.255.250:1900 0.0.0.0:*
udp 0 0 0.0.0.0:3702 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 9 [ ] DGRAM 2348 /var/tmp/log
unix 2 [ ACC ] STREAM LISTENING 2372 /tmp/.imager_server
unix 2 [ ACC ] STREAM LISTENING 2385 /tmp/.trigger_server
unix 2 [ ACC ] STREAM LISTENING 2387 /tmp/.image_server
unix 2 [ ACC ] STREAM LISTENING 2438 /tmp/.audio_server
unix 2 [ ACC ] STREAM LISTENING 2477 /tmp/.oid_server
unix 3 [ ] STREAM CONNECTED 24646870 /tmp/.oid_server
unix 3 [ ] STREAM CONNECTED 24646869
unix 3 [ ] STREAM CONNECTED 24639383 /tmp/.image_server
unix 3 [ ] STREAM CONNECTED 24639382
unix 3 [ ] STREAM CONNECTED 24639381 /tmp/.imager_server
unix 3 [ ] STREAM CONNECTED 24639380
unix 2 [ ] DGRAM 24639376
unix 2 [ ] DGRAM 2670
unix 2 [ ] DGRAM 2666
unix 3 [ ] STREAM CONNECTED 2642 /tmp/.image_server
unix 3 [ ] STREAM CONNECTED 2639
unix 3 [ ] STREAM CONNECTED 2641 /tmp/.imager_server
unix 3 [ ] STREAM CONNECTED 2638
unix 3 [ ] STREAM CONNECTED 2637 /tmp/.oid_server
unix 3 [ ] STREAM CONNECTED 2636
unix 3 [ ] STREAM CONNECTED 2631 /tmp/.oid_server
unix 3 [ ] STREAM CONNECTED 2630
unix 2 [ ] DGRAM 2616
unix 3 [ ] STREAM CONNECTED 2607 /tmp/.oid_server
unix 3 [ ] STREAM CONNECTED 2606
unix 3 [ ] STREAM CONNECTED 2605 /tmp/.oid_server
unix 3 [ ] STREAM CONNECTED 2604
unix 2 [ ] DGRAM 2498
unix 3 [ ] STREAM CONNECTED 2494 /tmp/.trigger_server
unix 3 [ ] STREAM CONNECTED 2493
unix 3 [ ] STREAM CONNECTED 2495 /tmp/.oid_server
unix 3 [ ] STREAM CONNECTED 2480
unix 3 [ ] STREAM CONNECTED 2453 /tmp/.audio_server
unix 3 [ ] STREAM CONNECTED 2449
unix 3 [ ] STREAM CONNECTED 2425 /tmp/.trigger_server
unix 3 [ ] STREAM CONNECTED 2424
unix 3 [ ] STREAM CONNECTED 2408 /tmp/.image_server
unix 3 [ ] STREAM CONNECTED 2407
unix 3 [ ] STREAM CONNECTED 2406 /tmp/.imager_server
unix 3 [ ] STREAM CONNECTED 2405
unix 2 [ ] DGRAM 2401
unix 3 [ ] STREAM CONNECTED 2404 /tmp/.image_server
unix 3 [ ] STREAM CONNECTED 2400
unix 3 [ ] STREAM CONNECTED 2399 /tmp/.imager_server
unix 3 [ ] STREAM CONNECTED 2398
unix 2 [ ] DGRAM 2351

Image Sharpness

Even with sharpness set to "High" in the web UI, the actual OID for sharpness is not changed. They appear to be completely separate OIDs (1.2.3 and 1.2.40.2). The sharpness just never gets to the level I am used to on the older cameras unless I manually set OID 1.2.40.2 and make sure the Web UI sharpness is set to High.

http://cam_url/set.oid&oidTB1.2.40.2=0

sharpen 0/100

sharpen 100/100

sharpen 35/100

Again, it's a bit surprising that this is not exposed in the web UI.

Other

IQrecorder is completely absent from this camera. I think that IQinvision must have realized that their cameras are often used in centralized environments, so having onboard camera DVR wasn't as desireable as it once was, when megapixel cameras were a niche and expensive item where you'd own maybe 1-5 instead of a fleet of them.

Video recording always seems to record 3MB at a time and no more, I couldn't get this to work at all either with triggers to SMB drives, or FTP, or using the Direct-to-Storage "DTS" feature. But I like JPEG frames anyway :-)

No fine-grained motion windows, the window is broken into a series of squares in a grid. On older IQeye models, or models without H.264, this can be set to an exact pixel range.

If you plan on integrating your IQeye camera into a custom solution, then the IQeye 3 series is likely not a great choice. It is better suited to live viewing where you require real-time video.

One thing I noted about this camera in the current firmware version is that Dynamic Print variables are not supported in the text overlays. This is useful for things like putting the time of the camera's last trigger event into the image, for example. The syntax is $O(x.x.x.x) where x are the integers for the OID in question.

Another thing I noticed is that I cannot customize webpages over the built-in FTP server running on the camera. It actively refuses FTP connections, so you cannot play with the filesystem at all like you could with the older models. I looked for an OID or telnet command to enable this and could not find one. I was hoping to get access to the filesystem to see what those /tmp/.image_server etc files are (see netstat above) and what you can get from them.

One positive to note is that on the older cameras, you could choose to have a timelapse image taken automatically and uploaded OR you could do motion detection and event upload, but not both. The IQeye 3 series let's you do both!

Pros

Fast interface
Compact design
Included mounting hardware
Live motion with audio!
Actively maintained firmware
Supports HTTPS
Supports SNMP
Simultaneous timelapse and motion triggers
Multiple streams
Supports RTSP over HTTP tunneling for firewalled environments
Windows File Share (SMB) destination support

Cons

No privacy masks (the feature is completely absent)
No scaling/subwindows (ie '?ds=2' not supported) you must always get a full res frame
No motion-only data scraping (ie '?snap=spush1&pragma=motion&noimage')
Little telnet functionality
No spot-based white balance calibration
Post-processing is spotty, JPEG still image quality not as good as MJPEG models
Basic settings "hidden" in web UI, requires setting OIDs manually
Logging facilities absent
Gain method settings missing (clipaverage, peakdetect, darkdetect, average)
Exposure window exclusions missing
Changes in exposure settings and window require reboots
Bitrate for both primary and secondary H.264 streams must be the same

Saturday, July 19, 2014

New variable $MSE, and Dynamic Print variables on IQeye cameras

An interesting "Dynamic Print" or DP variable was added to the firmware for IQ8xx and IQ7xx cameras a few releases ago.

Dynamic Print variables are those that represent internal, and possibly dynamic, camera values, and can be used in filenames on triggers, inside of image captions, and on custom webpages that you write and upload to the camera.

This particular variable is pretty cool. It is:

$MSE = Milliseconds since epoch

One of the problems I had encountered with IQeye cameras is I was only able to set up rules to name trigger images with granularity to the second. This presents the following sorting problem:

Trigger sequences are supposed to go from negative numbers to positive ones, like trig-03, trig-02, trig-01, trig+00, trig+01 trig+02. However, since the date comes before the trigger sequence number in the filenames, when an event "spans seconds", where the last set of images roll over into the next second, this plays havoc on the sorting.

In addition, there is no guarantee that your filemanager will put trig-03, trig-02, trig-01, trig+00, trig+01 trig+02 in order, even by themselves.

Old

i.e.

File Path "$SH/$SD(%m)-$SD(%d)/$SD(%H)"

File Name "$ST.$FN"

This gives you folders with the camera MAC, with folders then dated by month and day, then folders by the hour, and then the default filenames for the JPEGs themselves.

00_1a_22_21_48/05-19/14/14_10_39.trig-02.jpg

New

i.e.

File Path "$SH/$SD(%m)-$SD(%d)/$SD(%H)"

File Name "$ST.$MSE.$FN"

00_1a_22_21_48/05-19/14/14_10_39.1400510841748.trig-02.jpg

This makes sure that images are sorted in the real order that they were taken.

Maybe other cameras have this variable as well, give it a try!

Does not work
IQ031s 4.0/069
IQeye3 V2.8/6(080313)

Works
IQ511 V2.8/6(080313)

IQ511 V2.8/10(110128)

IQ805 V3.0/9(101130)

IQ752 V3.0/4(091112)

Other variables

$SH	Your camera’s hardware address.
$SI	Your camera’s IP address.
$SN	Your camera’s name, as specified on the Network Settings page.
$ST	The current time (in 24-hour format: HH:MM:SS, ex: 16:05:20).
$SD	The current date (ex: Wed Feb 03 2010).
$SC	Company name (e.g. IQinVision).
$SP	Product name (e.g. IQeye752).
$SV	The version of operating software on your camera.
$SM	The domain name, as specified on the Network Settings page.
$FN	The name of the file that your camera is accessing.
$MSE	Milliseconds since epoch
$IMGDBG	Image debug data
$O(oidNumber)	Display an OID, like IP address (3.6.10) or the image focus value(1.2.25) or last trigger event time (1.3.20)

For time-based variables, you can use $SD in combination with the common strftime() UNIX time variables. Not all variables work. I may update this post to reflect that.

       %%     a literal %

       %a     locale's abbreviated weekday name (e.g., Sun)

       %A     locale's full weekday name (e.g., Sunday)

       %b     locale's abbreviated month name (e.g., Jan)

       %B     locale's full month name (e.g., January)

       %c     locale's date and time (e.g., Thu Mar  3 23:05:25 2005)

       %C     century; like %Y, except omit last two digits (e.g., 21)

       %d     day of month (e.g, 01)

       %D     date; same as %m/%d/%y

       %e     day of month, space padded; same as %_d

       %F     full date; same as %Y-%m-%d

       %g     last two digits of year of ISO week number (see %G)

       %G     year of ISO week number (see %V); normally useful only with %V

       %h     same as %b

       %H     hour (00..23)

       %I     hour (01..12)

       %j     day of year (001..366)

       %k     hour ( 0..23)

       %l     hour ( 1..12)

       %m     month (01..12)

       %M     minute (00..59)

       %n     a newline

       %N     nanoseconds (000000000..999999999)

       %p     locale's equivalent of either AM or PM; blank if not known

       %P     like %p, but lower case

       %r     locale's 12-hour clock time (e.g., 11:11:04 PM)

       %R     24-hour hour and minute; same as %H:%M

       %s     seconds since 1970-01-01 00:00:00 UTC

       %S     second (00..60)

       %t     a tab

       %T     time; same as %H:%M:%S

       %u     day of week (1..7); 1 is Monday

       %U     week number of year, with Sunday as first day of week (00..53)

       %V     ISO week number, with Monday as first day of week (01..53)

       %w     day of week (0..6); 0 is Sunday

       %W     week number of year, with Monday as first day of week (00..53)

       %x     locale's date representation (e.g., 12/31/99)

       %X     locale's time representation (e.g., 23:13:48)

       %y     last two digits of year (00..99)

       %Y     year

       %z     +hhmm numeric timezone (e.g., -0400)

       %:z    +hh:mm numeric timezone (e.g., -04:00)

       %::z   +hh:mm:ss numeric time zone (e.g., -04:00:00)

       %:::z  numeric  time  zone  with  :  to necessary precision (e.g., -04,
       +05:30)

       %Z     alphabetic time zone abbreviation (e.g., EDT)

Have fun!