37 comments

[ 2.3 ms ] story [ 60.0 ms ] thread
So we're at the point that finding hardcoded admin passwords is no big deal.
Hardcoded admin creds should've gone extinct with Flash-based websites, but here we are
Thank you for including the final part about what your dog has been up to :)
Are techniques like using Frida and mitmproxy on Android apps still going to be possible after the signing requirement goes into effect next year?
Got one for my house but what really annoyed me was that I wasn't able to set a fixed IP for it
Unrelated, but I wonder if the OP's dog moves from the bed to the floor because the radiator turns on? might need more sensor data :D
go2rtc is great. the compatibility range it offers is just huge and gets rid of 90% of the difficulty in making a decent NVR app.
Anyone have a similar fix for Yi/Kami cameras?
really like how this blog is written. a lot of writeups like this recently have been generated by an LLM, and it's quite distracting to read - this was a pleasant surprise. it strikes a good balance between technical and laid-back

(yes i know the cover image is AI-generated, that's incidental to the content)

The cover image is a 2.8M png, if the author is reading. I gave up my github account so cannot comment.
(comment deleted)
tapo annoyingly is also one of the only cameras that doesn't have a still snapshot url after all these years and endless requests from many

someone needs to make replacement firmware

ffmpeg can fake it but takes a few seconds to grab from the video stream and of course you can't run ffmpeg from your browser (or wait, can you now?)

     ffmpeg -rtsp_transport tcp -i "rtsp://cameraname:camerapass@192.168.1.23:554/stream1" -an   -y  -vframes 1 -f image2 -vcodec mjpeg  "snap.jpg"
Every single post on this site is worth reading. Loads of fun with hacking electronics. :)
Interesting... from the terminal I see he named his laptop the same thing I've named one of my cheaper laptops too... craptop. LOL.
IoT security is generally terrible, but the fact that consumer routers are essentially unaudited black boxes processing all your network traffic is genuinely concerning. Most people have no idea their router firmware hasn't been updated in years and is probably running known CVEs. The supply chain trust model for networking hardware is broken.
Personally I treat any ISP provided (or big box store) router as compromised anyway. I install my own router as a replacement, or if not possible, just as the sole device downstream of it, and connect all my stuff to my own router. And I use Tailscale + other routing DNS servers, etc.
Fritzbox brand and possibly others updates itself automatically by default. ISPs often also control the devices they ship to clients and install updates as part of a "fleet management".
I tried and failed at enough suggestions I found on the internet and via AI to cobble together a frigate configuration that eventually worked with the Tapo cameras.

RTC setup section:

  go2rtc:
    streams:
      <Camera RTC name>:
        - rtsp://tapoadmin:<local camera account password>@<camera IP address>:554/stream1
        - ffmpeg:<Camera RTC name>#audio=opus
        - tapo://<Tapo cloud password>@<camera IP address>
      <Camera RTC name>_sub:
        - rtsp://tapoadmin:<local camera account password>@<camera IP address>:554/stream2
        - ffmpeg:<Camera RTC name>_sub#audio=opus
        - tapo://<Tapo cloud password>@<camera IP address>
Main section:

  <Camera name>:
    ffmpeg:
      output_args:
        record: preset-record-generic-audio-aac
      inputs:
        - path: rtsp://127.0.0.1:8554/<Camera RTC name>_sub
          input_args: preset-rtsp-restream
          roles:
            - detect
        - path: rtsp://127.0.0.1:8554/<Camera RTC name>
          input_args: preset-rtsp-restream
          roles:
            - record
            - audio
    detect:
      enabled: true
      width: 640
      height: 360
      fps: 7
    live:
      streams:
        <Camera RTC name>: <Camera RTC name>
    record:
      enabled: true
      retain:
        days: 0
        mode: all
Where:

* <Camera RTC name> is just any old short name you want to assign to the camera.

* <Camera name> is the main name for the camera that will be shown in the frigate UI

* <local camera account password> is something set individually on each camera (settings > Advanced > Camera Account, set it to On and setup username/password > Account Information)

* <Tapo cloud password> is the password setup for the Tapo app (I'm not sure how necessary this is, since there's nowhere that the username is specified... this is the only bit I'm fuzzy on)

This is the basics that works for me for the Tapo cameras. There are a boatload of other settings specific to Frigate (but not specific to Tapo cameras).

This is nowhere near as cool hack as the article, however.

Does anyone have a good reference for which tapo cameras support rtsp? I have a c210 that works well (sort of, you can't use it with their cloud capture) and I have it working with frigate.

But today I got a c402 (outdoor) thinking I could use it to capture my son's soccer practice. But that doesn't have the camera account option under advanced.

I love the price point of these devices but the functionality is all over the place.

If anyone knows a good outdoor camera, preferably with solar panel, that is cheap and has an rtsp stream, please let me know.

> SIDENOTE: If you want 2 way audio to work in frigate you must use the tapo:// go2rtc configuration for your main stream instead of the usual rtsp://. TP-Link are lazy and only implement 2 way audio on their own proprietary API.

Annoyingly when this is in use, I can't use ONVIF which seems like the only way to pan and tilt the camera using open tools. So if I want to use two way audio and also control the camera, I have to stop the process reading tapo:// stream, start onvif client and rotate, turn off onvif client and start streaming using tapo:// again

I know people who are still using the router their ISP gave them, and they’ve never even changed the default password. The thing is, they don’t even know it can be updated, let alone that there might be security vulnerabilities. To most users, if the internet works, that’s all that matters.
Hacking together something usable out of cloud-first piece of hardware you ended up with is respectable, but I would like to bring up another option to go with if you're choosing a new device: buy camera that doesn't require a phone app to initial setup and serves RTSP out of the box.