Victure AC820: I knew it was RTSP

Last Christmas I got this “sport camera” as a present from the Three Wise Men, the Spanish version of Santa Claus. It was in my list but I didn’t have an idea of what to do with it apart from putting it on the car or maybe in my bicycle to record the kind of “traveling” videos that we like to share on Instagram.

As you already may be thinking, it is hard times to go looking for journey as Covid-19 is taking off again. For that reason, knowing that it had a WiFi mode and an app to view the live stream from the camera, I decided to tinker with it.

First thing I did was to confirm my suspects on the protocol used by the camera to send the video. I turned on my laptop and connected it to the hotspot created by the camera. Once connected, I used nmapto scan available ports on it, confirming my thoughts of an open rtsp:554 port. I tried to connect to root path with VLC without result. A further research was needed!

The only way that came to my mind in order to find out witch path was the application using was to sniff the traffic with Wireshark. I had never done anything like that before so I was thrilled doing it by the first time understanding what was happening — I tried years ago, before working on IT, but without result as I was a completely ignorant on the topic — .

After some days of trial and errors, I achieved to make it work 🙌. This is what I found out:

  • Place the camera, laptop and phone one meter of each other. I spent a couple of hours trying to understand why every article and video on internet was achieving to get the EAPOL packages of the Wifi handshake but not me. It turned out that Wireshark can get confused if the devices are too near of each other.
  • Set your Wifi interface in monitor mode. Some interfaces — like the one from my old pc — don’t have such option, so be sure yours is capable of. If not, you can always buy a cheap one from any online store and plug it.
  • Choose the right Wifi channels. It seems that Wireshark doesn’t show packages from all possible sources and you have to configure it. I was unable to see the camera Wifi ssid on the log and some post on Stackoverflow suggested to change it. First, I used linssid tool from linux to scan my network and get the exact channel that the camera was emitting. Then, I updated my Wifi interface configuration using iwconfig wlp5s0 channel 11 (2 GHz band), opened Wireshark and there it was. It turned out that Wireshark has a builtin functionality to change the channel in a live capturing session, but now I posses a fancy terminal way to do it 😁. For those not so fond of the terminal, you just have to go to View and mark “Wireless Toolbar”.
  • Not all packages have SSID information. You can filter packages by source and target mac address, protocol or ip among many others, but don’t try to do everything in the same sentence or you’ll waste time. My RTSP packages didn’t have that information so filtering by ( wlan.sa == 78:68:13:02:c7:5a || wlan.da == 78:68:13:02:c7:5a) && wlan.ssid == victure_a21d7d && rtsp was hiding my actual data.
  • Remember to star a fresh capturing session and reconnect your mobile phone. This way, Wireshark will be able to capture the AP/Mobile handshake and will be able to decrypt the packages. Remember that before this step, the only protocol you will see on the log will be 802.11 . And don’t forget to add the decryption key!

That’s a bunch of things to know, don’t you think? Well, As I know that not everyone of you is in the mood of doing all this stuff, here you have what I got:

Channel is set to 1 because I took the photo from the saved session and the Wifi interface was in use, so the default value was set.

It is rtsp://192.168.0.1:554/livestream/12!! I managed to got it 💃