I have some very backlogged projects I’ve decided to just release to get them out of my backlog. This one is related to the Digital Ally ThermoVu DTM-600, which is a Uniview/OEM OET-213H-NB-style facial recognition and thermal access-control device.

This release is the majority of my notes, tools, findings, and research artifacts from looking at the device, its firmware, its exposed services, and its biometric/access-control workflows. It includes documentation, findings, runtime notes, LAPI and ONVIF material, configs, selected evidence, test artifacts, and source-based tooling for inspecting and interacting with the device.
The most interesting parts are probably the full compromise chain and the tooling. There is work around the UDP/7788 maintenance service, default/root access paths, the updatecpld shell escape, LAPI endpoint mapping, ONVIF/SOAP enumeration, face-template storage, and template-manipulation behavior. I also split out a standalone Uniview/OEM LAPI research client that should be useful beyond this specific Digital Ally device.
The release is meant to be useful for other researchers who want to understand the attack surface, firmware layout, management APIs, ONVIF behavior, access-control logic, and practical testing workflow without starting from zero.
I intentionally excluded raw oversized firmware dumps, private agent files, local workflow material, personal biometric source images, and personal secrets. What is included is the public research package: notes, reports, source, scripts, selected evidence, generated test artifacts, and the standalone LAPI toolkit.
Maybe one day I’ll revisit. For now, I have enough CVEs and don’t have the bandwidth to pursue it further.

You can find the research HERE!
You can find the standalone toolkit HERE!
END TRANSMISSION
