Cobian backup: Restore incremental backups

If you are using Cobian backup to backup your files and you have selected incremental as strategy you will find that the restore process could be a very long task if you do it manually, file by file.

You should start by older files and then continue with the inmediatily next file by date, overwriting previous files if were the case. That is the key, newer files must overwrite older backed-up files.

Today I have to restore a very very very long incremental backup, two years of daily incremental backups and only one full backup. That is 730 file backups. Furthermore the files are zipped.

Cobian backup incremental files to restore
Only one page of Cobian backup incremental files to restore as a sample

 

It will be great if we could do this with a script, isn´t it?

So let’s do it. We will use the following commands:

  • dir, to get a list of the files sort by name (that really means by date because of the naming pattern cobian uses)
  • 7-zip, to uncompress the files to a specific folder (you could use other tools like winrar)
  • for, a windows scripting tool to loop between items

To make things easier we will open a cmd window and we will get into the folder where the backed files are (d:\temp in my case).  The destination folder in will be d:\restored. The full command is:

for /f “delims=” %a in (‘dir /b/on’) do 7z x “%a” -od:\restored -aoa

Explanation:

  • dir /b/on:
    • /b parameter: shows only file names, no other summary info
    • /on parameter: Order by name, older files will be procesed first
  • for /f “delims=” %a in (list_of_files) do (uncompress_file)
    • /f parse the output of dir
    • “delims=” set a delimiter, nothing in our case
    • %a, will be the file name in each loop
    • in (), will be the full list of files got by dir command
    • do (), will be the command to apply at each file, 7-zip in my case
  • 7z e %a -od:\restored -aoa
    • x, extract files with its original folder structure
    • “%a”, the filename provided by for
    • -od:\restored, the destination folder
    • -aoa, options to overwrite any existing file. As we are extracting in order, newer files will overwrite older files.

Note: 7z.exe must be in your path variable or you should call with its full path. I added 7z to my PATH variable with:
set PATH=%PATH%;C:\Program Files\7-Zip

How to get rid of Emotet and TrickBot

Steps:

  1. Download Rkill.
  2. Download and install last version (trial) of Malwarebytes in each PC and run an analisys once with internet connection to get latest virus definitions
  3. Disconnect all PCs from the network to avoid one infected PC reinfect one cleaned PC
  4. Run Rkill in each PC to kill any infected process
  5. Run a Malwarebytes full analisys to remove all infected files
  6. Patch every PC with this patch to avoid new infections. This will patch some exploits used by Trickbot, but there is newer versions which use other exploits.
  7. At this point Emotet and Trickbot should not be in your system, but it is so smart that it could keep hidden and reborn in a few days or weeks. So…
  8. Review process list searching for any strange process name. (I should add some powershell script here)
  9. Review schedule task to review any suspicious task
  10. Re-run Rkill + Malwarebytes every day in some random machines for a few weeks.
  11. Change all passwords. Trickbot collects any password it is able to capture. Domain passwords, email passwords, browser rememberd passwords (specially bank accounts)…

Some consequences:

  • Now I have blocked .doc, .docx, .xls, xlst email attachements by default.
  • I am thinking about changing jobs

Compartir el puerto 443: Apache y Exchange

Cuando se complica la infraestructura de servidores puede ocurrir que diferentes servicios necesiten compartir el mismo puerto. Es el caso de Exchange y un servidor web seguro (HTTPS).

Actualmente dispongo de un servidor web, en el puerto 80 de la ip pública y de un servidor de Exchange en el puerto 443. El problema viene cuando en el servidor web queremos servir webs seguras (HTTPS) con certificados SSL. Esto se hace también por el puerto 443, por lo que entra en conflicto con Exchange. Soluciones:

  1. Contratar una segunda IP pública, y ejecutar el servidor web en una IP y el servidor Exchange en la otra
  2. Cambiar el puerto de Exchange al 444, por ejemplo. Microsoft no facilita este cambio, pero si buscas en internet verás que se puede hacer a través del registro de Windows. La desventaja de esta solución es que tendrás que reconfigurar todos los dispositivos (PCs, móviles…) para que ahora apunten al nuevo puerto.
  3. Configuar un proxy inverso que escuche en el puerto 443, que se encargue de atender las solicitudes y derivarlas a quién correspondan, derivarla al servidor web o al servidor de Exchange según corresponda. Esta es la solución que yo he elegido.

Para montar el Proxy reverse he elegido Debian 8 Jessie con Apache haciendo de Reverse Proxy. Configurar el proxy reverse para que por ejemplo atienda diferentes solicitudes HTTP y HTTPS y las derive a diferentes servidores web de la LAN es relativamente sencillo y hay un montón de tutoriales en la red. Configurar un Reverse Proxy para que funcione con Exchange es un infierno. Exchange utiliza RPC sobre HTTP, pero como suele ocurrir con Microsoft, una versión “muy suya”, no el estándar. Esa es básicamente la clave para hacerlo funcionar, entender que el RPC de Exchange no es el normal.

Los pasos que yo he seguido son:

1. Crear certificado Let’s Encrypt con certbot en la máquina Apache que ejecuta el Reverse Proxy

2. Exportar el certificado a pfx con openssl para poder usarlo en Exchange:

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

Como veis el mismo certificado tiene que estar instalado en la máquina que hace de Proxy Reverse y en la de Exchange

3. Instalar el certificado pfx en Exchange (yo lo hago a través de IIS)

4. Habilitar los módulos necesarios en Apache para poder hacer Reverse Proxy

a2enmod ssl
a2enmod proxy
a2enmod proxy_balancer
a2enmod proxy_http

Y el super importante para que funcione Exchange:

apt-get install libapache2-mod-proxy-msrpc
a2enmod proxy_msrpc

Ojo porque dependiendo de la distrubición de Linux que uses puede ser que este módulo tengas que configurarlo a mano. En mi caso Debian lo incluye.

5. Crear un Virtual Host en Apache para que haga Reverse Proxy, enlazando el certificado creado y redirigiendo las peticiones a la máquina que ejecute Exchange:

<VirtualHost *:80>
ServerName mail.midominiopublico.es
ServerAlias autodiscover.midominiopublico.es
ServerAdmin tomascrespo@midominiopublico.es

ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

Header always set X-Frame-Options SAMEORIGIN

Header set Server Apache

Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By

# Nachfolgende zeile löst den "Expectation Failed Apache 417" Fehler beim AutoDiscover etc.
RequestHeader unset Expect early

# Nachfolgende Zeilen sind um die Authentifizierung zu ermöglichen - NTLM-Funktioniert durch den Proxy nicht, deshalb Basis-Authentifizierung erzwingen
SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
Header unset WWW-Authenticate
Header add WWW-Authenticate "Basic realm=midominiopublico.es"

ProxyRequests Off

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/owa(.*) https://midominiopublico.es/owa$1 [R,L]
RewriteRule ^/ecp(.*) https://midominiopublico.es/ecp$1 [R,L]
RewriteRule ^/Microsoft-Server-ActiveSync(.*) https://midominiopublico.es/Microsoft-Server-ActiveSync$1 [R,L]

DocumentRoot /var/www/midominiopublico.es/web

<Directory />
 Order deny,allow
 Deny from all
</Directory>

<Directory /var/www/midominiopublico.es/web>
 DirectoryIndex index.php index.html
 Options -Indexes +FollowSymLinks
 Order allow,deny
 Allow from all
</Directory>

<Proxy *>
 Order deny,allow
 Allow from all
</Proxy>

</VirtualHost>


<VirtualHost *:443>

ServerName midominiopublico.es
ServerAlias autodiscover.midominiopublico.es


ServerAdmin tomascrespo@midominiopublico.es

ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

Header always set X-Frame-Options SAMEORIGIN

Header set Server Apache

Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By

RequestHeader unset Expect early

#SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
Header unset WWW-Authenticate
Header add WWW-Authenticate "Basic realm=midominiopublico.es"

ProxyRequests Off
ProxyPreserveHost On


SSLProxyEngine On
# Problemen mit Kommunikation zwischen Apache-Proxy und Exchange-Server aus dem Wege gehen
# Alle SSL Prüfungen werden damit ausgeschaltet
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

# owa
ProxyPass /owa https://maquinaexchange.local/owa
ProxyPassReverse /owa https://maquinaexchange.local/owa
ProxyPass /OWA https://maquinaexchange.local/OWA
ProxyPassReverse /OWA https://maquinaexchange.local/OWA
ProxyPass /Owa https://maquinaexchange.local/Owa
ProxyPassReverse /Owa https://maquinaexchange.local/Owa

# Einstellungen um per OWA das Kennwort zu aendern
ProxyPass /iisadmpwd https://maquinaexchange.local/iisadmpwd
ProxyPassReverse /iisadmpwd https://maquinaexchange.local/iisadmpwd

# ecp
ProxyPass /ecp https://maquinaexchange.local/ecp
ProxyPassReverse /ecp https://maquinaexchange.local/ecp
ProxyPass /ECP https://maquinaexchange.local/ECP
ProxyPassReverse /ECP https://maquinaexchange.local/ECP
ProxyPass /Ecp https://maquinaexchange.local/Ecp
ProxyPassReverse /Ecp https://maquinaexchange.local/Ecp

# ews -> Exchange Web Services
ProxyPass /ews https://maquinaexchange.local/ews
ProxyPassReverse /ews https://maquinaexchange.local/ews
ProxyPass /EWS https://maquinaexchange.local/EWS
ProxyPassReverse /EWS https://maquinaexchange.local/EWS
ProxyPass /Ews https://maquinaexchange.local/Ews
ProxyPassReverse /Ews https://maquinaexchange.local/Ews
ProxyPass /exchange https://maquinaexchange.local/exchange
ProxyPassReverse /exchange https://maquinaexchange.local/exchange
ProxyPass /Exchange https://maquinaexchange.local/Exchange
ProxyPassReverse /Exchange https://maquinaexchange.local/Exchange
ProxyPass /exchweb https://maquinaexchange.local/exchweb
ProxyPassReverse /exchweb https://maquinaexchange.local/exchweb
ProxyPass /public https://maquinaexchange.local/public
ProxyPassReverse /public https://maquinaexchange.local/public

# oab (Offline Address Book)
ProxyPass /oab https://maquinaexchange.local/oab
ProxyPassReverse /oab https://maquinaexchange.local/oab
ProxyPass /OAB https://maquinaexchange.local/OAB
ProxyPassReverse /OAB https://maquinaexchange.local/OAB

# Microsoft-Server-ActiveSync
ProxyPass /Microsoft-Server-ActiveSync https://maquinaexchange.local/Microsoft-Server-ActiveSync connectiontimeout=600
ProxyPassReverse /Microsoft-Server-ActiveSync https://maquinaexchange.local/Microsoft-Server-ActiveSync

<Directory /Microsoft-Server-ActiveSync>
# Problem mit dem Versenden von Dateianhängen > 128KByte per ActiceSync umgehen (neuer Wert 30MByte)
SSLRenegBufferSize 31457280
</Directory>

# RPC over http(s) / Outlook Anywhere
OutlookAnywherePassthrough On
ProxyPass /rpc https://maquinaexchange.local/rpc
ProxyPassReverse /rpc https://maquinaexchange.local/rpc

# AutoDiscover -> Autodiscover for non-AD integrated Clients (Mac, eg.)
ProxyPass /autodiscover https://maquinaexchange.local/autodiscover
ProxyPassReverse /autodiscover https://maquinaexchange.local/autodiscover
ProxyPass /Autodiscover https://maquinaexchange.local/Autodiscover
ProxyPassReverse /Autodiscover https://maquinaexchange.local/Autodiscover
ProxyPass /AutoDiscover https://maquinaexchange.local/AutoDiscover
ProxyPassReverse /AutoDiscover https://maquinaexchange.local/AutoDiscover

# Zeichensatz spezifieren fuer Umlaute
AddDefaultCharset ISO-8859-1

DocumentRoot /var/www/midominiopublico.es/web

<Directory />
 Order deny,allow
 Deny from all
</Directory>

<Directory /var/www>
 DirectoryIndex index.php index.html
 Options -Indexes +FollowSymLinks
 Order allow,deny
 Allow from all
</Directory>

<Proxy *>
 SetEnv proxy-nokeepalive 1
 SetEnv force-proxy-request-1.0 1
 Order deny,allow
 Allow from all
</Proxy>

SSLEngine on

Include /etc/letsencrypt/options-ssl-apache.conf
 SSLCertificateFile /etc/letsencrypt/live/midominiopublico.es/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/midominiopublico.es/privkey.pem


 BrowserMatch "MSIE [2-6]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 # MSIE 7 and newer should be able to use keepalive
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

# old Server config
 #BrowserMatch ".*MSIE.*" \
 # nokeepalive ssl-unclean-shutdown \
 # downgrade-1.0 force-response-1.0
</VirtualHost>

Como veis también hay un VirtualHost para el puerto 80, que lo único que hace es redirigir las peticiones HTTP para que se conviertan en HTTPS, al puerto 443 que es por donde deben de ir.

6. Probar y añadir sal al gusto.

 

Notas:

Los PC con Outlook fuera de la LAN usan Outlook Anywhere para conectarse, o lo que es lo mismo RPC sobre HTTP

Los Mac con Outlook fuera de la LAN usan Exchange Web Services (EWS) para conectarse.

Tanto Outlook AnyWhere como Exchange Web Services (EWS) y Offline Address Book (OAB) tienen que tener habilitada la Autenticación Básica, pues Apache Reverse Proxy no es capaz de manejar la Autenticación NTLM.

La Autenticación Básica de EWS y OAB se habilita en IIS, en el directorio virtual /EWS, en el apartado Autenticación

A mi actualmente me está funcionando todo desde fuera de la oficina:

  • Outlook Web Access (OWA)
  • iPhones, móviles Android y móviles Windows Phone con ActiveSync
  • Portátiles de los jefes MacBook Air que usan EWS (con Outlook for Mac)
  • Portátiles Windows  con Outlook, que usan Outlook Anywhere

Referencias: Apache2 als Reverse Proxy für Exchange 2010 2013 inklusive Outlook Anywhere RPC over http

Convert letsencrypt .pem certificate to .pfx

I use Let’s Encrypt certificates in my Windows and Linux serves. This week I had to use the same certificate in two machines, one IIS server (Windows) and one Apache2 server (Linux Debian).

I create the certificate in Linux using certbot utility, ant it gave me four files:

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

I installed to Apache with no problems.

But then I tried to install the certificate to IIS 6.1 and I realized that Windows did not want that type of file. With some research on the Internet I found a solution, using the command openssl (in Linux):

openssl pkcs12 -export -out certificateforwindows.pfx -inkey privkey.pem -in cert.pem -certfile fullchain.pem

I wish this helps someone

Yi Home Camera 2 1080p + Xiaomi Power Bank 2c 20.000mAh

Description

Sometimes I need a camera in some places where there is no easy power supply, so I have to run with a battery. I usually use a UPS, like the one we use for ower computers, but this machine converts from a 12v battery to 220v output, and then, the Yi Home Camera transformer convert from 220v to 5v.

So I thought using a power bank (those which we use to recharge our mobile in a emergency) to avoid even the  transformer. I bought the bigger I found, Xiaomi Power Bank 2C 20.000mAh.

 

Theoretical calculations

The power supply of the Yi Camera is 5v 2.0A. In the Yi Home Camera 2 is noted 4.0W(MAX).
If the camera consumes 4 watts for 24h it involve 96Wh
The battery is rated at 20.000 mAh and 5v, that is 100Wh.

With these data, and assuming that the camera is always at max consumption, (4W) it should last: 100/96 = 25h, a bit more than a day. That assuming:

 

  1. The battery could be fully discharged. False, Li-polymer battery can be discharged 80% as much
  2. The camera consumes 4W all the time. False, I have tested the camera with a consumption-meter for a full week and it consumes 2.4W in average.

So now the calculations are:  (80%100Wh)/(2.5w24h) = 80/60 = 32h

Let’s check.

In Practice

Now my test. I full charged the power bank, set it to low current output mode (according to power bank user guide this funcion is for small devices, fitness bands, watches, bluetooth headsets and other small gadgets), and place the camera in my cottage. I set it up recording continiously (not only when motion is detected) at 1080p @25fps (max quality) and disabled all other stuff like gesture recognition o baby crying recognition. The camera was with no WiFi connection (perhaps it was searching for WiFi all the time and that is a battery consuming operation). It started recording August 19, 2018 at 20:56h, and the last slice of recording was at August 21, 2018 at 06:37h.

So, my Yi Home Camera 2 connected to a Xiaomi Power Bank 2C as power supply continuosly recording last 33 hours and 41 minutes.

Wow!!! Only a 4,3% of  deviation between theory and reality.

Next tests:

  • With WiFi connection linked, not always searching.
  • With motion detection only recording. I suposse it will increase autonomy because of not writing continiously to the sd card. On the other hand motion detector is a CPU consuming operation…

Anyway if you got here, perhaps you have to have a look to Blink cameras and this Blink cameras with AA batteries but be aware of region lock before purchasing one.

How to use Yi Home Camera 2 (1080p) outside of China, revisited

Firstly, this post is about Yi Home Camera 2. Currently Xiaoyi has various similar models. In each one of its models they make a Chinese version and an international version (same version but more expensive). Xiaoyi is making big efforts to block using Chinese models outside of China, forcing you to buy a international version.

I wrote an article some time ago to get this camera working, but after that Xiaomi enhanced its blocking procedure and this article is not valid any more.

Now Xiaomi has introduced a new change, checking if your camera is connecting to their servers from a Chinese IP address or not.

Description of the problem

Yi Home Camera 2 is paired with Yi app with no problem, the camera works and save video on the SD card, even notify you when there is some event, but you can NOT get live video. When you open Yi app it stucks at Establishing secure channel… 50% for a while and finally it shows the error message Network connection failed, please check network settings and reconnect it (-20009). So neither you  can watch your camera on live or browse through your records from the Yi app. However you can get out the SD card and review your videos in a PC.

The solution

In brief the solution is using a Chinese proxy, so Xiaomi will think your camera is in China. Easy, isn’t it?

Fortunately there is a project (yi-hack-v2) where someone (niclet) has made a custom firmware to get telnet and FTP working for this camera and, the most important for us, with an option to setup a proxy. So all the credits go for him/her.

The procedure to get your camera working again is:

  1. Download the files of niclet project and copy the contents of sd folder to the root of your SD card. The card has to be FAT32 (vfat) formated.
  2. Edit the file yi-hack-v2.cfg (in test folder) and uncomment the last line (remove the starting ‘#’), and set one Chinese server (I use this list)
  3. Put your SD card. All is done. Now you can pair it with your Yi Chinise phone app an get Live video with no problems

Note 1: The text editor to edit file yi-hack-v2.cfg is important. Its a linux file, someway different to a Windows one. I firstly used notepad and the hack doesn’t work. I then used Notepad++ and it worked perfectly. Mind this if you are having any trouble.

Note 2: If you have some trouble formatting you SD card with Windows, you could use HP USB Disk Storage Format Tool

Note 3: You have to download the files of niclet project (yi-hack-2) from github, but if you have any problems they are here too.

Note 4: I’ve got better results pairing the camera without the SD card, and then inserting it (after pairing success).

Currently my last line of yi-hack-v2.cfg is:

YI_HACK_PROXY=socks4://123.59.100.246:1080

and with this proxy the camera is working for three months.

YI_HACK_PROXY=socks5://103.85.24.43:7982

 

Dominios Windows .local y problemas con Apple

Desde hace algún tiempo estoy problema con los dominios Windows de algunas empresas, dominios Active Directory, y los productos de Apple, especialmente con iPhone y iPad (aunque po lo que veo hay gente que también tiene problema con los Mac).

El problema surgió porque los productos de Apple no recibian email (mediante ActiveSync del servidor Exchange que tenemos en la empresa) cuando estaban conectados al WiFi de la empresa, pero sin embargo sí que recibian email cuando estaban fuera de la empresa.

El problema es que cuando están dentro de la empresa son incapaces de resolver el nombre del dominio, pues es un dominio interno del tipo midominio.local, mientras que cuando están fuera de la empresa utilizan midominio.com. Tras mucho estrujarme la cabeza doy con la información de que ahora (a saber desde cuándo, pues antes funcionaban perfectamente) Apple utiliza el sufijo .local para Bonjour (lo trata como host Rendezvous), por lo que al ver que es un dominio .local no resuelve mediante DNS, sino que resuelve mediante Bonjour, o lo que es lo mismo, no resuelve.

Hay muy poca información al respecto en internet sobre este tema, así que aquí dejo un par de links.

El artículo técnico de Apple. Ofrece solución para los Mac, pero no para los iPhone/iPad.
Uno de los problemas en los foros de Microsoft.
Otro problema en spiceworks.

¿Y que hay de las soluciones? ¿cambiar el sufijo de tu dominio Windows por algo del tipo midominio.loc? Venga, es muy divertido cambiar el nombre de un dominio!

Aquí las mejores prácticas que recomienda Microsoft para elegir un nombre de dominio Windows.

Probablemente por esto Microsoft ha dejado de recomendar utilizar .local para sus dominios Active Directory y ahora recomienda usar un subdominio del dominio público.

How to use Yi Home Camera 2 (1080p) outside of China

UPDATE (11/11/2017): This process is not valid anymore, but you can use a new one. All info here.

I’ve been using a Yi Homme Camera for a long (aka Xiaomi/Xiaoyi Small Ants Camera). It’s a magnific camera with good quality (720p) and night vision at a stunning price. In my opinion, then only flaw is the lack of an wired Ethernet port. However, Xiaomi, firmware update after firmware update has made it a bit worse. First they blocked telnet access, RTSP and HTTP. And finally the blocked their Chinese hardware to be used only in China Mainland (from Nov 2015). Yes, they sell two versions, Chinese and International. Luckily you always can solve this limitations running some scripts or downgrading the firmware. There is a lot of info on the Internet.

 

Recently Xiaomi (Yi) launched a major upgrade for this product. They presented Yi Home Camera 2, with even better quality, 1080p @25fps 1.5Mbits, gesture detection and more. Obviusly I immediately bought one. However I got the same issue all people is having. It’s impossible to get it working. You can not pair it with the phone app. The camera gets the QR code, connect to your WIFI network (light steady blue light) but the pairing proccess never ends succesfully. You get “time out” both the camera (voice message) and the phone. Every people has the same problem. Some of them have tried to update the firmware, but this is even worse. Now they get a voice message “This camera can only be used in China”.

After some weeks of research I finally get mine working, using a specific firmware.

To install it you have to:

    1. Download this firmware (version 2.1.1-20160429113900) and put it in the root of your SDCARD (it has to be FAT32 formated). The name of the file has to be home.bin, otherwise camera won’t install it
    2. Turn on the camera
    3. Reset the camera to default values pressing the reset white button in the back
    4. Turn the camera off
    5. Insert the SD card with home.bin and turn it on

You will see the green led blinking for about one minute. After that you will be able to pair your camera with the app. Bear in mind that the app has to be Chinese version too.

And, of course, remember NOT to update your camera firmware even if the phone app invite you.

Next step: Enable telnet to allow RTSP and FTP.

Date and Time in Xiaomi Xiaoyi Smart Camera

Sometimes you find out a small gem like this beautifull piece of hardware. Xiaoyi Smart Camera is almost the perfect home camera. It has a beutiful design, good video quality, bidirectional sound, good construction, SD card slot, WIFI, a decent mobile app, and a bargain price. However it has some drawbacks:

  • Latest firmwares have removed telet, FTP and RTSP access. WHY?
  • Time Zone is stuck to China, so your recordings are miss-dated, what does moving through recordings by the mobile application a nightmare.
  • Lack of wired networking.

I can accept the lack of wired networking but not the other two. The first was present in early firmwares. The Time Zone setting would be really easy to add. There are some alternatives on the Internet to fix the Time Zone issue but while helping they don`t solve the problem.

Solution 1

Disable ntpdate (from here):

I telnetted into the camera (username: root / password: 1234qwer)

Code:
cd /homemv ntpdate ntpdate.orig
touch ntpdate
chmod 755 ntpdate
date -s “2015-06-02 22:00″

The commands above disable to program that tries to set the date from the internet, and then you can set the date manually to the current date/time. Hope this helps.

Of course, to be able to apply this solution you have to flash one firmware with telnet support.
Drawbacks:

Solution 2

Firmware mod (from here)


If you are living in a different time zone (GMT+6 is Germany, Denmake, Austria, Italy…) you have to download the file “equip_test.sh” open and modify the row. The line “my_version =” should contain possible the latest version of the firmware.

Drawbacks:

  • While the timestamp on the video is fixed, the orange marks in mobile app timeline not, so moving through it doesn’t work very well.

Solution 3

Changing time zone in etc (from here)

Hello,
You can change the timezone.
Change the TZ file in /etc/
the command is :
echo “$my_gmt” > /etc/TZ
change $my_gmt by your timezone.
Note : GMT 0 => Beijing
for Paris = GMT+6
Have fun.

 

My solution

Work in progrress: I’ve create a bash scritp which changes the time of the mp4 files created by the camera to a previous date, 6 hours before. The script is executed every minute through cron.

 

Update: The best solution

Finally, the best solution it’s here and it does suppot moving through recordings perfectly.

Sincronización del reloj con la hora de Internet

Uno de los servidores de una empresa está teniendo problemas
con el reloj de Windows (Windows Server 2012). El reloj se atrasa de
forma aleatoria, llegando a marcar incluso un día menos de la fecha
actual. Siendo el servidor un controlador de dominio (relaciones de
confianza y sincronización de la hora con los equipos del dominio),
centralita teléfonica (no se puede llamar a determinadas horas) y
gestionar la facturación (fechas de facturas erróneas) esto se convierte
en un gran problema. Lo primero por supuesto fue pensar que la pila del CMOS se había gastado, y simplemente con sustituir la sería suficiente, pero no es así, pues la hora se retrasa sin ni siquiera tener que apagar o
reiniciar el equipo, sino mientras Windows está en funcionamiento,
cuando la pila no entra en juego.

Teniendo en cuenta que la placa basae de ese mismo servidor ya ha
dado algún problema de hardware, cabe suponer que debe ser algo de lo
mismo. Así, y en vista de que el cliente no quiere sustituir el
servidor, la solución a adoptar es conseguir que el relog se sincronice
con la hora de internet para evitar ese retraso. Como sabemos Windows ya
ofrece esa posibilidad, como una opción más del reloj, pero la
sincroniza cuando el quiere, lo que provoca que el reloj siga
atrasándose.

configurar-fecha-y-hora

 

Así pues había que buscar otra solución.

La orden de línea de comandos W32tm.exe /resync fuerza la
sincronización del reloj con la hora de internet (time.windows.com, o el
servidor NTP que esté configurado), dejando la fecha y la hora
perfectas.

Así, la solución fue crear una tarea programada que ejecutase esta
orden cada 15 minutos, para asegurarnos de que el reloj estuviese
siempre sincronizado. La tarea viene a ser esta:

tarea-sinc

Quizás la primera línea podría omitirse, pero está para asegurarnos
de que el servicio de sincronización de la hora está ejecutándose, no
vaya a ser que esté dormido.