Need some help about CGI/RPC endpoints for DH-ASI3214A-W and DH-ASI6214S

Vanscot

n3wb
May 14, 2026
Chile
Hello Everyone:

First post here, found this place searching info about Dahua devices I wanted to integrate with some software already developed here where I work.

I managed to get my hands on two devices (DH-ASI3214A-W and DH-ASI6214S) and so far they have played nice just using the cgi/rpc endpoints available.
But I have not been able to find a way to show an "Access Denied" message on the device using an endpoint.
@Botox helped me a lot with the firmware available for these devices but we had no luck so far.
They have a lot of undocumented capabilities (like the Auto Registration of the device, available on the settings page but documented on a list pdf file on Scribd for those interested, that uses Dahua as reference and explains the calls it but not completely).

In the end, I used old firmware files to check for clues but couldn't find anything related to what is listening on ports 80/443 of the device and the "web" partitions around are for the webGUI and not the actual services running (or so it seems).

So, if anyone has some clues or a list of all available methods on the device (or better yet: the one that will just print "Access Denied" or just some custom text on the display), it would be greatly appreciated if you share it!

Thanks again for any help or clues!
 
Hi! I’ve also been digging around Dahua RPC/CGI stuff for a while and honestly most of the interesting methods seem to be undocumented.
I never found a direct endpoint for showing a custom “Access Denied” message either, but from what I’ve seen the display/OSD features are usually tied to internal services rather than the public web API. Some firmware versions expose extra RPC methods that disappear in newer releases, so checking older firmware was definitely a smart move.

You might want to try:
  • enumerating RPC methods through /RPC2 or /RPC2_Login
  • checking websocket traffic from the web UI
  • comparing configs exported from devices with different firmware versions
  • sniffing calls during Auto Registration / event handling
If I come across anything related to custom display text or message overlays, I’ll share it here too. Curious to see if someone has already mapped those hidden methods.
 
That is version v1 API.
It's now past v3.8.
EmpireTech has v3.26 available: Download Product Resources
 
Hi Fragmented, thanks for the reply.
I did try to get available methods/services, but most services do nothing for what I need, and aside from those two options I have no idea how I could enumerate the available methods.
I was going to check traffic using a VM running the Dahua central software once I have spent all other options.
The web UI source is available on older versions of the firmware, even an .exe file is there for what I believe is a Windows plugin, but aside from the obfuscated JavaScript (not all but some), there's nothing I find useful.
The Scribd file seems to have a workflow for auto registration, but the web preview of the PDF file seems broken. From what I can tell it's a 3-step process: incoming autoreg JSON data, callback to some URL on the device, another call to the server, but nothing certain.
I actually don't need a custom message (yet), just a way to show or trigger the "Access Denied" alert would be fine.


Oh, Hi Mark_M:
I have more recent versions of the documentation for the APIs, but newer versions have parts excluded, like the device auto registration flow/process.
Aside from that, I hope to find other methods that have been later removed from the docs but still work and see if the device can be integrated with our software.

----------------

All this is just to test if we can actually work with the devices; they pack nice hardware for their form factor and could be quickly used to replace our custom devices...but so far they seem quite limited by the software they run.

Thanks for the post and any comments or suggestions are appreciated.
 
Wrote a script to sniff the RPC2 capabilities; it totally can be improved and gives some info, but may be a good start for anyone else running into these problems.

```python
#!/usr/bin/env python3
"""Log in to the device's RPC2 interface and print what each service reports."""

import hashlib
import json
import sys

import requests
import urllib3

HOST = "https://host.ip.or.name"
USER = "admin" # Default
PASS = "put your pass here"
CLIENTYPE = "Dahua3.0-Web3.0"
TIMEOUT = 10  # seconds, so an unresponsive device cannot hang the script

# Every request below uses verify=False (certificate verification is off),
# so the matching urllib3 warning is silenced here.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

s = requests.Session()

def rpc_login():
    url = f"{HOST}/RPC2_Login"

    # Step 1: empty-password login, which the device answers with a challenge
    payload = {
        "method": "global.login",
        "params": {
            "userName": USER,
            "password": "",
            "clientType": CLIENTYPE
        },
        "id": 10000
    }

    r = s.post(url, json=payload, verify=False, timeout=TIMEOUT)
    challenge = r.json()

    # print("[+] Challenge:")
    # print(json.dumps(challenge, indent=2))

    realm = challenge["params"]["realm"]
    random = challenge["params"]["random"]
    session = challenge["session"]

    # Step 2: derive the response hash from the realm and random values
    hash1 = hashlib.md5(
        f"{USER}:{realm}:{PASS}".encode()
    ).hexdigest().upper()

    hash2 = hashlib.md5(
        f"{USER}:{random}:{hash1}".encode()
    ).hexdigest().upper()

    # Step 3: repeat the login with the hash and the challenge's session id
    payload = {
        "method": "global.login",
        "session": session,
        "params": {
            "userName": USER,
            "password": hash2,
            "clientType": CLIENTYPE,
            "authorityType": "Default"
        },
        "id": 10000
    }

    r = s.post(url, json=payload, verify=False, timeout=TIMEOUT)

    try:
        login = r.json()
    except Exception:
        print("[-] Invalid login response:")
        print(r.text)
        sys.exit(1)

    # print("\n[+] Login response:")
    # print(json.dumps(login, indent=2))

    if not login.get("result"):
        print("\n[-] Login failed")
        sys.exit(1)

    return login["session"]

def rpc_call(session, method, params=None):
    """POST one RPC2 call; non-JSON replies come back as {"raw": <text>}."""

    if params is None:
        params = {}

    payload = {
        "method": method,
        "params": params,
        "id": 1,
        "session": session
    }

    r = s.post(
        f"{HOST}/RPC2",
        json=payload,
        verify=False,
        timeout=TIMEOUT
    )

    try:
        return r.json()
    except Exception:
        return {
            "raw": r.text
        }


session = rpc_login()

print("\n[+] Enumerating Services...")

result = rpc_call(
    session,
    "system.listService" # Most reliable so far on my device
)
# print(json.dumps(result, indent=2))

# .get() keeps the loop from crashing when the reply has no service list
for ser in result.get("params", {}).get("service", []):
    for met in [ "list", "listMethod", "listMethods", "getMethod", "getMethods", "getCaps", "getInfo" ]: #Any other options that can be used here?
        res = rpc_call(
            session,
            f"{ser}.{met}"
        )
        # rpc_call may return {"raw": ...}, so "result" can be missing
        if res.get("result") is not True:
            continue
        print(f"\n[+] Calling: {ser}.{met}")
        print(json.dumps(res, indent=2))
```
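
Added example (not code from any poster in this thread): an offline comparison of two saved `system.listService` replies and two exported configs, following the suggestion earlier in the thread to compare exports from different firmware versions. Only the `params.service` reply shape comes from the script above; every service name and config key in the sample data is a constructed placeholder.

```python
import json

def flatten(node, prefix=""):
    """Flatten nested dicts/lists into {"a.b[0].c": leaf} so exports can be diffed."""
    if isinstance(node, dict) and node:
        items = [(f"{prefix}.{k}" if prefix else str(k), v) for k, v in node.items()]
    elif isinstance(node, list) and node:
        items = [(f"{prefix}[{i}]", v) for i, v in enumerate(node)]
    else:
        return {prefix: node}  # leaf value, or an empty container kept as-is
    flat = {}
    for path, value in items:
        flat.update(flatten(value, path))
    return flat

def diff_flat(old, new):
    """Report config paths removed, added or changed between two flattened exports."""
    shared = sorted(old.keys() & new.keys())
    return {
        "removed": sorted(old.keys() - new.keys()),
        "added": sorted(new.keys() - old.keys()),
        "changed": {k: (old[k], new[k]) for k in shared if old[k] != new[k]},
    }

def diff_services(old_reply, new_reply):
    """Compare service lists as sets, because list order is not meaningful."""
    old = set(old_reply.get("params", {}).get("service", []))
    new = set(new_reply.get("params", {}).get("service", []))
    return {"removed": sorted(old - new), "added": sorted(new - old)}

# Constructed sample data: placeholder names, not real device output.
OLD_SERVICES = {"result": True, "params": {"service": ["svcA", "svcB", "svcLegacy"]}}
NEW_SERVICES = {"result": True, "params": {"service": ["svcB", "svcA", "svcNew"]}}
OLD_CONFIG = {"Network": {"Port": 80, "TLS": False}, "Users": [{"Name": "admin"}]}
NEW_CONFIG = {"Network": {"Port": 80, "TLS": True, "Ciphers": []},
              "Users": [{"Name": "admin"}]}

if __name__ == "__main__":
    report = {
        "services": diff_services(OLD_SERVICES, NEW_SERVICES),
        "config": diff_flat(flatten(OLD_CONFIG), flatten(NEW_CONFIG)),
    }
    print(json.dumps(report, indent=2))
```

Saving each firmware version's replies to a file and loading them with `json.load` keeps a record of which services a given release exposes, which is also useful when reviewing what an upgrade changed.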
 
Interesting findings, thanks for sharing the details. Hopefully someone with deeper Dahua API experience can point you toward undocumented methods or display-related endpoints for custom messages.