Jump to content
buellwinkle

Snashot URL for Hikvision/Swann/Lorex cameras

Recommended Posts

I've been asked this on my blog, so thought I would share it here. To get a snapshot via an URL, the command would look like this. Tested it on a Hikvision but I would assume Swann/Lorex work the same way.

 

http:// -ip address- /Streaming/channels/1/picture

 

The CGI manual is here -

http://www.hikvisioneurope.com/portal/index.php?dir=Technical%20Materials/00%20%20%20Software%20%26%20Development%20Tools/00%20%20%20Development%20Tools/00%20%20%20CGI/&file=HIKVISION%20CGI%20IPMD%20V1.5.9.pdf

Share this post


Link to post
Share on other sites

I've been asked this on my blog, so thought I would share it here. To get a snapshot via an URL, the command would look like this. Tested it on a Hikvision but I would assume Swann/Lorex work the same way.

http:// -ip address- /Streaming/channels/1/picture

Hi buellwinkle,

 

Did you test this on and DVR or just IP cameras?

 

I just tried it and it worked great on a DS-2CD7153-E and DS-2CD8153F-E, but I could not get it working on a DVR. I tried an old 7204HFI-ST and a brand new 7204HFI-SH with no luck. 7204HFI-ST gave me a 404 page not found, I guess the old firmwares just won't support this. 7204HFI-SH gave me a 403 forbidden error after asking for user/password, so it does seem to be supported, but maybe something needs to be changed on the URL or I need to change some permissions.

 

http://ip/Streaming/channels

http://ip/Streaming/channels/1

 

The first command works OK and shows me a list of all channels and their configuration, but the second one gives me an invalid operation. Any hints?

 

<ResponseStatus version="1.0">
 <requestURL>/Streaming/channels/1/</requestURL>
 <statusCode>4</statusCode>
 <statusString>Invalid Operation</statusString>
</ResponseStatus>

 

Thanks!

Share this post


Link to post
Share on other sites

I have no idea and don't have access to an NVR or DVR. This is why I included the link to the CGI manual, it has every possible URL command that they publish.

Share this post


Link to post
Share on other sites

Ahhh, I did check out the PDF the first time... But I guess I just did not try hard enough

 

The command http://ip/Streaming/channels will list all the available channels, and I see that there are 8 channels available: 101 102 201 202 301 302 401 402. Each channel (1 2 3 4) has two stream (01 02). So with the command http://ip/Streaming/channels/101 will show me the information on main stream on channel 1.

 

And with the command http://ip/Streaming/channels/101/picture I will get a screenshot from channel 1, and I can also use channels 201, 301 and 401.

 

It is strange that while my main streams are 704x576 and the substreams are 176x144, no matter if I make the screenshot on main or substream, both give me a 704x576 screenshot. But I can live with that.

 

" title="Applause" />

Share this post


Link to post
Share on other sites

Good to see you figured it out. Just be glad Hikvision, unlike Dahua publishes documents like this. One reason I like Hikvision better than Dahua although both make good cameras, Hikvision seems to understands our needs better.

Share this post


Link to post
Share on other sites

Hi guys,

 

i came across this site and hope you can help me. i'm sitting my home automated system with Hikivision DVR 7308 , and i'm unable to watch each cam stream as you guys noted ie. Streaming/channels/1 any cfg or other files i need to use in the browser in order to watch each cam stream?

 

also anyone can point me on where i can get the latest FW for my device?

 

Thanks in advance

Share this post


Link to post
Share on other sites

I have a Hikvision camera that wouldn't work with http://ip/Streaming/channels/1/picture or http://ip/Streaming/channels/101/picture or any variation I tried. I would just get the response:

 

<ResponseStatus xmlns="http://www.std-cgi.com/ver10/XMLSchema" version="1.0">
<requestURL>/Streaming/channels/101/picture</requestURL>
<statusCode>3</statusCode>
<statusString>Device Error</statusString>
</ResponseStatus>

 

Some people talked about firmware versions breaking that. After days of searching for a workaround, I finally found someone mention using http://ip/onvif/snapshot

 

That works for my camera!

Share this post


Link to post
Share on other sites

Ah I see... Anyone know how to grab a different resolution snapshot than the one being streamed if you're using the URL http://ip/onvif/snapshot

 

Researched, but can't find anything that will work.

Share this post


Link to post
Share on other sites
Good to see you figured it out. Just be glad Hikvision, unlike Dahua publishes documents like this. One reason I like Hikvision better than Dahua although both make good cameras, Hikvision seems to understands our needs better.

 

Here is a Dahua IPC HTTP API V1.00:

 

https://mega.co.nz/#!agAxwIQK!vJH9Qurd6rixvOAVEiKpfq5q0a2uTIK159V1B9RbHEo

 

(Link is safe, if you're not familiar with Mega, now would be a good time to get familiar with it )

Share this post


Link to post
Share on other sites

 

Same as what I originally posted, but with IE it does not work, gives in an error "Windows cannot find....". With Firefox it asks me if I really want to log in, how annoying is that. Not as friendly as the onvif/snapshot in older firmware versions.

 

It does work with the curl command, directed the output to a jpg file on my desktop and it appeared there. What are you using this command in that works for you?

 

Don't get me wrong, I'm happy it works with curl because then I can script it if I had to. Ideally if I can find someone to help me that's a C programmer, I can used curl to maybe extract images from the camera, say 4-5 times per second, pass them to openalpr to create a cheap (free) LPR solution.

Share this post


Link to post
Share on other sites

I probably got it from you like most of my Hik tips.

It was in my RSTP notes with no attribution or link.

I used it in FF to test when the question came up, nothing cool like what you have going... that's a little over my head at this time.

Share this post


Link to post
Share on other sites

 

Same as what I originally posted, but with IE it does not work, gives in an error "Windows cannot find....". With Firefox it asks me if I really want to log in, how annoying is that. Not as friendly as the onvif/snapshot in older firmware versions.

 

It does work with the curl command, directed the output to a jpg file on my desktop and it appeared there. What are you using this command in that works for you?

 

Don't get me wrong, I'm happy it works with curl because then I can script it if I had to. Ideally if I can find someone to help me that's a C programmer, I can used curl to maybe extract images from the camera, say 4-5 times per second, pass them to openalpr to create a cheap (free) LPR solution.

 

Here is something interesting.

If the camera firmware version is 5.1.6 the snapshot script executes properly from the WAN (internet) without any user:password requirement. That is a serious security hole especially for those with static WAN IP. I tested it with IE11 and chrome.

Whereas in version 5.2.0 according to @catseyenu at least the user:password credentials are validated. It seems that in version 5.2.0 they fixed this security hole.

Share this post


Link to post
Share on other sites

If the camera firmware version is 5.1.6 the snapshot script executes properly from the WAN (internet) without any user:password requirement. That is a serious security hole especially for those with static WAN IP. I tested it with IE11 and chrome.

Whereas in version 5.2.0 according to @catseyenu at least the user:password credentials are validated. It seems that in version 5.2.0 they fixed this security hole.

This would be a despicable security hole. However, I'm not finding this (EDIT: I did find this below for the ONVIF URL).

 

I've just tested two cameras on 5.1.2 and one on 5.1.6. Tested from both a device on my LAN and one out on the internet. My findings:

 

5.1.2 cameras

In both Chrome and IE

http:///Streaming/channels/1/picture

 

results in a challenge for user/password. When the proper user/password is put in the camera immediately crashes.

 

In both Chrome and IE

http://user:pass@/Streaming/channels/1/picture

 

results in a challenge for user/pass in IE, but no challenge in Chrome (passthrough works fine). Nonetheless, both causes both cameras to immediately crash

 

5.1.6

In both Chrome and IE

http:///Streaming/channels/1/picture

 

Results in challenge for user/pass and successful main stream image

 

In IE

http://user:pass@/Streaming/channels/1/picture

 

Pass through does not work for user:pass; still asked in a dialog for the user & pass. After supplying, image is returned.

In Chrome this same URL works properly to return the image immediately.

 

I was unable to retrieve a substream image; regardless of the "channel", I always get a main stream image:

http://user:pass@/Streaming/channels/1/picture

=

http://user:pass@/Streaming/channels/201/picture

=

http://user:pass@/Streaming/channels/56/picture

 

etc.

Can anybody else confirm unequivocally that there is in fact a security hole in 5.1.6 that allows image retrieval from a camera without properly authenticating with user/password?

 

EDIT: This http:///onvif/snapshot does nothing on 5.1.2; no challenge for user/pass, but cameras don't crash. It DOES return an image on 5.1.6 without a request for authentication, which is utterly egregious and totally unacceptable. I assume that not port forwarding to the camera's port 80 would prohibit this glaring security hole; is there a way to use the ONVIF approach over port 8000 or 554...? Not via a browser, but through another tool that executes the same code on the camera?

Share this post


Link to post
Share on other sites

None of my cameras are port forwarded in my home, so no security hole for me. I only port forward Milestone XProtect which has higher end security. I do port forward my lake web cam, but not a security threat.

 

Also, while it's a pain to use the authentication method, if it's in a script, you can use CURL and it sends the user:password in the URL, no problem because I'm using it daily to put the temperature on the OSD.

Share this post


Link to post
Share on other sites
In IE

http://user:pass@/Streaming/channels/1/picture

Pass through does not work for user:pass; still asked...

user:pass@ hasn't worked in IE since IE6, and then not the later v6 ones. If you aren't doing it over SSL you are sending you creds in plain-text, and not only that, but also make it so simple that a cut-and-paste -- no reverse base-64, for example -- is all anyone needs to get on your camera and do whatever you could do.

 

Can anybody else confirm unequivocally that there is in fact a security hole in [Hiks]

http://www.cctvforum.com/viewtopic.php?f=19&t=41641

 

is there a way to use the ONVIF approach...that executes the same code on the camera?

If you are asking whether someone can get a snapshot if you don't open the camera's http port to the internet, no, not for that particular problem. This IS the onvif "(way)" to get a snapshot on Hiks: /onvif/snapshot. It's over the http port (like most Onvif cameras), so the problem then becomes one where you either accept possible snooping, or, if you don't open (forward) this port, not accessing your camera from the internet at all, not via http.

 

Supposedly the snapshot free-for-all problem was fixed in FW 5.2.0 for these cameras, if you can find it (or any later ones). This problem is known by almost no one, so not finding FW updates is not the first problem for most affected by this.

Share this post


Link to post
Share on other sites

Hi here is an example using c#

 

string fileName = "picture.jpg", myStringWebResource = null;

// Create a new WebClient instance.

WebClient myWebClient = new WebClient();

 

// Concatenate the domain with the Web resource filename.

myStringWebResource = "http://192.168.1.151/Streaming/channels/101/picture?snapShotImageType=JPEG";

Console.WriteLine("Downloading File \"{0}\" from \"{1}\" .......\n\n", fileName, myStringWebResource);

 

string credentials = Convert.ToBase64String(System.Text.Encoding.ASCII.GetBytes("admin:12345"));

myWebClient.Headers[system.Net.HttpRequestHeader.Authorization] = "Basic " + credentials;

 

 

// Download the Web resource and save it into the current filesystem folder.

myWebClient.DownloadFile(myStringWebResource, fileName);

Console.WriteLine("Successfully Downloaded File \"{0}\" from \"{1}\"", fileName, myStringWebResource);

Console.WriteLine("\nDownloaded file saved in the following file system folder:\n\t" );

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×