Why there is no documentation and no mention of this camera anywhere on the web beats me. Maybe it’s the small relatively unknown Koreon manufacturer, but it’s hard, really hard to track down. It seems to be a nice, sensible camera, espeically for transitioning from analogue to digital CCTV. It features:

• both a composite video out (switchable between PAL and NTSC) and 10/100M Ethernet IP networking with rtp/rtsp streams in H.264 and/or MJPEG
• a choice of 12v DC, 24v AC or Power over Ethernet
• 2 way audio and general purpose input/output pins – obviously both need extra hardware to work
• DC iris control
• Day/Night mode functionality – full colour and IR capable with removable filter
• takes standard C/CS mount lenses

So if your camera has failed, and you want to start moving from analogue CCTV to digital, it’s an ideal option as it won’t become reduant immediately on upgrading, you’ll simply be able to move it over to the new system.

Now onto the fact it has not just little, but seemingly no documentation beyond the ‘spec sheet’ ITX provide on their website. Let me open a few little details up for you.

Web browser

The spec seems to imply that you could use almost any browser with this camera. Just see their impressive list: Internet Explorer 7.0 or above, Firefox, Chrome, PDA/Smart phone. Now, while all these can admittedly, edit the settings for the camera, they cannot view the live video feed in the built in viewer. This is only possible in Internet Explorer for the simple reason that it requires a ActiveX plugin to be installed to function. Fear not however, for the data can be liberated!

RTSP streams

However, all the ActiveX plugin does is provide an in browser RTSP/RTP viewer. With the correct software, such as VLC or a number of other media players, this can be played back directly. However, revealing the address you need is far from simple! The method that was eventually successfull was using Wireshark to disect the packets themselves to find the address request by the ActiveX viewer. However, here they are for all to enjoy!

RTP didn’t seem to want to play easily with VLC player, and this seems to do what I’m looking for, so no need to go any further. Hopefully this can help other to use this camera in many projects, and break free from using that manufacturers software.

Install Debian

Install Debian from CD1, normal istall mode is fine. Mostly just answer the questions as normal except when you get to “tasksel”, unmark “Grahical Desktop environment” and mark “SSH server”. If it’s just a proxy, you don’t need anything else!

Once you’ve rebooted after installing Debian, log in and use “ifconfig” to find you IP address (unless you entered a static one during install), then you can complete the rest of these instructions via SSH (and copy/paste the commands in!). I also personally prefer to edit the config files via SCP so I get to use a pretty GUI text editor.

Configure network and DNS

Navigate to /etc/network/interfaces and edit the primary network interface settings to match below. Use your own IP address. The DNS nameserver should be your internal AD DNS server, probably your domain controller. It must be as an IP address.
allow-hotplug eth0
auto eth0
iface eth0 inet static
address 192.168.0.7
netmask 255.255.255.0
gateway 192.168.0.254
dns-nameservers 192.168.0.2
dns-search exampledomain.local

Then issue /etc/init.d/networking restart to change to the new IP settings. Remeber if you do this via SSH you will have to connection dropped and you’ll need to log in again.

Add Webmin repository

Webmin isn’t included in the standard Debian repository, but never fear, it’s got it own so we’ll get regular updates.

Add the following to the end of /etc/apt/sources.list:
# webmin repository
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

Now run the follwing three commands to download and install the GPG signing key used:
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc

Update repositories and upgrade packages

Next we’ll update the repository list and then apply any updates so we’re kept secure.
apt-get update
apt-get upgrade

Install our packages!

Now onto the install itself! The following command will install everything we need: Samba, Squid, DansGuardian, Webmin and a few dependencies on the side. It asks for the debian install CD to be inserted part way in, and depending on the speed of your internet connection could take several minutes.
apt-get install dnsmasq webmin squid dansguardian samba winbind krb5-user libcompress-zlib-perl resolvconf ntp ntpdate

It will ask to specify your workgroup you want the server to be in, enter in in caps like this: EXAMPLE and not like this EXAMPLE.LOCAL

Configure Kerberos

Next a small bit of configration to take care of:
dpkg-reconfigure krb5-config
It will ask for:

• Default Kerberos version 5 realm: EXAMPLEDOMAIN.LOCAL
• Add locations of default Kerberos servers to /etc/krb5.conf? No

Configure NTP with your domain

Networks run better when all the machines have the same time, so we’ll change us from getting Network Time Protcotol updates from Debians servers to just using our domain controller.

Add server domaincontroller.exampledomain.local iburst
to /etc/ntp.conf below
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool:
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst
and comment out the four Debian time server entries.

Configure Samba

Make a backup copy of /etc/samba/smb.conf before we start to edit it.

Under the section labeled “Authentication” add security = ads below the line which reads # security = user

Under the section labeled “Domains” add domain logons = no immediatly below the line ; domain logons = yes

Under the “Misc” section, find the following two lines:
; idmap uid = 10000-20000
; idmap gid = 10000-20000
and uncomment them (remove the ‘;’ from the begining of each line.)

At this point add the following three lines, just above the next section marked “Share Definitions”
winbind trusted domains only = yes
realm = SJS.LOCAL
winbind cache time = 3600

All done for smb.conf, so save and exit.

Prepare to join the domain

Restart samba, winbind and synchronize the time with the domain controller.
net time set -S domaincontroller
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start

Join the domain

Join the machine to the domain:
kinit Administrator
net ads join -U Administrator
You’ll be asked for the password of the domain user you specify at the end of the command, once for each command. You should get:
root@proxy:~# kinit Administrator
Password for Administrator@EXAMPLEDOMAIN.LOCAL:
root@sbproxy:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- EXAMPLEDOMAIN
Joined 'PROXY' to realm 'exampledomain.local'

As this sometimes gives a positive result without actually doing what’s required, the following is an essential check:
wbinfo -t
This should give: checking the trust secret for domain SJS via RPC calls succeeded. If this step fails, you might find rebooting helps. If not, start goggling for issues with samba and joining domains.

Final checks on having the domain auth working, try these to commands, the first of which should all the users in the domain (which does mean it can take some time!) and the second of which should list all the groups on the domain.
wbinfo -u
wbinfo -g

Configure Squid

Make a backup copy of /etc/squid/squid.conf before we start to edit it.

Add the following three lines below the block of #auth_param that are there, leave them incase you want to change something in the future.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic realm exampledomain

Add:
acl ntlm_auth proxy_auth REQUIRED
http_access allow ntlm_auth
above:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

Comment out this line (shortly after the above code):
http_access allow localhost

Squid needs access to /var/run/samba/winbindd_privileged We can easily fix this but the permissions will reset when we reboot. So Jesse Waters on ubuntuforums.org posted a script that will set the permissions on every system boot. Create /etc/init.d/winbind-ch.sh and paste the following into it. You need to set it’s permissions to 755 to allow excution. You can download a copy of this in a file from www.petespcs.co.uk/petespcs/dangerous/windbind-cd.sh
#!/bin/sh
#set -x
WINBINDD_PRIVILEGED=/var/run/samba/winbindd_privileged
chmodgrp() {
chgrp proxy $WINBINDD_PRIVILEGED || return 1
chmod g+w $WINBINDD_PRIVILEGED || return 1
}
case "$1" in
start)
chmodgrp
;;
restart|reload|force-reload)
echo "Error: argument '$1' not supported" >&2
exit 3
;;
stop)
;;
*)
echo "Usage: $0 start|stop" >&2
exit 3
;;
esac
#EOF
Following this run update-rc.d winbind-ch.sh start 21 2 3 4 5 . to finish that off.

Configure Dans Guardian

Make a backup copy of /etc/dansguardian/dansguardian.conf before we start to edit it.

First, a simple edit: comment out the line UNCONFIGURED - Please remove this line after configuration

Find the line filtergroups = 1 and change it to however many filter groups you feel you need, but be warned that the webmin interface can only handle so many.

Uncomment the following two lines:
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'

That’s all in that file, so close and save.

A quick shot of the inside of the BT Openreach Infinity VDSL2+ modem/router/bridge, which comes in a box labeled Huawei Echolife HG612. See Huawei’s page for the HG612. However, it is clear we have a modified stripped down version of the device, as there are no wireless features visible either internally or externally. This also means we have no access to any configuration pages it has (as yet).

A quick note on opening this thing: there are 4 Philips/Pozidrive/crosshead screws under the outer ends of the rubber feet, you don’t actually need to pull the feet fully off to get to the screws. There’s also a really annoying clip in the middle of the ‘front’ (opposite the connectors) of the box. This is easily dealt with by opening up the back edge slightly, and sliding in a long screwdriver to give a gentle push out on the front. The top then simply lifts off. Re-assembly is easy, it simply clicks in place.

There is but one other problem with this box: namely, it regularly ends up disconnecting from the broadband line, intermittently at first, then more and more often until it can’t keep a connection at all. This happens our about 2 months for me, keeping the modem flat, sitting on it’s feet on a shelf.

The problem with this box is, unsurprisingly given how few vents are on it, heat. Take out the 4 screws from under the outer ends of the feet, and whack a big fan onto it, and it sits, even after cooking itself stupid for 2 months, happy as anything, cool as a cucumber. There are reports that if you wall mount this box in the vertical position then the vents actually work! However, I have not tried this, so cannot say. It may be enough to stop a new box cooking itself, but not to fix an already problematic box.

I’m sure that in time I will be trialling a new modem in the upright wall mount position, and if there’s still no joy I will be having a go at modding that one so an external power supply is not needed, even mounting the fan within the box, a small CPU fan should do the job after all. If you do intend to do this, it’s worth bearing in mind that offically these boxes still belong to BT Openreach, so you might not want to damage it too much.

One final picture to give hardware hackers another excuse to break into these boxes, a lovely block of headers, marked RX, NULL, VCC, GND, TX, and another row is a JTAG connection from my brief research. Hopefully this might lead to some 3rd party firmware, so we can access some stats from this and use some of it’s other features. Also interesting to note is the ‘Internet’ LED space for 2 LEDs, I assume one green and one red to indicate the state of the PPPoE connection when this box is used to handle it. BT of course uses the home hub for this, but actually you can use any PPPoE cable router or simply a computer. I personally hook mine to a m0n0wall box.