
Zmodo - Local Controller

Zmodo has some cool cameras! This project is about reversing the protocols and binaries of all things Zmodo to bypass the cloud.

This camera is really cool but it uses some "cloud app" that all video is uploaded to. I would like to create a NodeJS server for this to bypass sending all my video / audio to China :) This is just a place for me to dump files and notes. If you want to help, check out the main App3518 binary (the CPU is a Hi3518C) and help start to reverse it.

All files for this project are in the Dropbox link. The main "App" file is App3518, which is also the local web server. It is responsible for posting video data to the MeShare website. You can download the MeShare app for iOS and Android as well if you would like to poke around in that.

What I am hoping for is that others who want to use this camera get involved in reversing the networking protocol. I am not 100% certain, but it might make more sense to place a different "app" on the device, one that we write and that posts all the video data straight to our server code.

Amazon sells these cameras for around $38 here:

http://www.amazon.com/gp/product/B00ZZ4HX1K

Cameras known to run the same software (perhaps different hardware)

  1. Zmodo ZH-IXY1D
  2. Zmodo ZM-SH75D0001

If you know of a Zmodo camera running the same version (or contacting the same cloud servers) leave a comment and I will add them to the list. The App3518 has the shasum of ba5fa306d519c57124f9de96a1f007f0. App3518 is the main binary that runs on these Zmodo* cameras.

zmodoboot.txt

Out of the box boot log. This is before connecting to a wireless network.

plain - 49.00 kB - 01/16/2016 at 03:27


zmodowireless.txt

Log showing the wireless connection process during and after setup.

plain - 28.64 kB - 01/16/2016 at 03:27


  • Dumping the MTD Partitions

    ril3y, 01/21/2016 at 03:21, 5 comments

    I went ahead and dumped the files to the Dropbox for the MTD partitions.

    https://www.dropbox.com/sh/adups6kczg65138/AACquDl-FP1ZT0KB1yB-4aGia?dl=0


    # cat /proc/mtd
    dev: size erasesize name
    mtd0: 00040000 00010000 "boot"
    mtd1: 000c0000 00010000 "config"
    mtd2: 00480000 00010000 "rootfs"
    mtd3: 00a80000 00010000 "app"

    More to come....

  • Initial rooting (or read that as logging in) and poking around

    ril3y, 12/02/2015 at 19:16, 1 comment

    There is a 3-pad test point on the other side of the main board. It is 3v3 TTL serial: TX, RX, GND. Solder a few tiny wires to each pad, then hook up to a 3v3 TTL USB-to-serial adapter (I use the Prolific ones) and open a serial terminal (CoolTerm etc.) at 115200 8N1. I did place a dab of hot glue to hold the wires in place so as not to pull the test point's pads right off the PCB. I forgot to take a picture of it first. I have another camera on order and will post some pics when it gets in.

    This will drop you to a root shell. Here are some boot messages; the full boot messages are in the Dropbox link.

    U-Boot 2010.06 (Apr 28 2015 - 09:46:30)
    
    Check spi flash controller v350... Found
    Spi(cs1) ID: 0x01 0x20 0x18 0x4D 0x01 0x80
    Spi(cs1): Block:64KB Chip:16MB Name:"S25FL129P1"
    MMC:   MMC FLASH INIT: No card on slot!
    In:    serial
    Out:   serial
    Err:   serial
    No mmc storage device found!
    Hit any key to stop autoboot:  1 ... 0 
    16384 KiB hi_sfc at 0:0 is now current device
    
    cramfs load file : /boot/hikernel
    ### CRAMFS load complete: 2409600 bytes loaded to 0x82000000
    ## Booting kernel from Legacy Image at 82000000 ...
       Image Name:   hilinux
       Image Type:   ARM Linux Kernel Image (uncompressed)
       Data Size:    2409536 Bytes = 2.3 MiB
       Load Address: 80008000
       Entry Point:  80008000
       Loading Kernel Image ... OK
    OK
    
    Starting kernel ...

    There is a really annoying feature that they felt the need to leave in place: all print statements from the ./App3518 program seem to go to the tty, and it's a very chatty program. However, it does give you a glimpse into some of the communications with the "MeShare" streaming video service. Observe...

    Dec  2 14:02:09 <P2P>: web.cpp[471]web_report_upnp:recv:{"result":"ok","data":[],"addition":""}
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[744]p2p_send_cover_pic:begin upload cover picture for channel[0]...
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/picture_report
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:tokenid:p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:channel:0
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[93]AddPostPicture:image_name:/tmp/cover.jpg
    
    Dec  2 14:02:09 <P2P>: web.cpp[402]web_report_picture:recv:{"result":"ok","data":"","addition":""}
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[942]p2p_is_timezone_set_by_meshare:timezone America/New_York, America/New_York
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/gettimezone?tokenid=p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[252]SetConnectTimeout:[10]
    
    Dec  2 14:02:09 <P2P>: web.cpp[425]web_get_timezone:recv reply:{"result":"ok","offset_seconds":"-18000"}
    
    Dec  2 14:02:09 <P2P>: web.cpp[434]web_get_timezone:get timezone:-18000
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[905]p2p_set_timezone_offset[1170719936]
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[148]keep_alive_timer_func:keep alive timeout, resend !
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[120]send_keep_alive:send_keep_alive:{ "MethodName": "Option.update", "TokenId": "p4yL5zwYSQRL8vcCNUbx9v12bmKcQF", "DevId": "ZMD00ID02206860", "UserType": 2, "Interval": 90 }
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[40]p2p_keep_alive_cb:reply:{ "ResultCode": 0, "ResultReason": "ok", "CmuId": 1001000000 }
    
    

    The program generating all of these print statements is App3518, which I tftp'ed off the device and posted in the Dropbox link. There is also a message file; I am unclear what it is doing.

    ril3ys-MBP:Zmodo Reversing ril3y$ file message App3518 
    message: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped
    App3518: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped
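
The console excerpt above is enough to inventory what the camera talks to. The following is an added example, not code from the project: it parses the `<P2P>` line layout seen in that excerpt and summarizes the cloud endpoints, whether the session token travels in a plain-HTTP URL, and the keep-alive interval. The function and field names are made up for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Sample input: lines copied from the App3518 console excerpt above.
SAMPLE_LOG = """\
Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/picture_report
Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:tokenid:p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/gettimezone?tokenid=p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
Dec  2 14:02:09 <P2P>: device_operation.cpp[905]p2p_set_timezone_offset[1170719936]
Dec  2 14:02:11 <P2P>: p2p_sip.cpp[120]send_keep_alive:send_keep_alive:{ "MethodName": "Option.update", "TokenId": "p4yL5zwYSQRL8vcCNUbx9v12bmKcQF", "DevId": "ZMD00ID02206860", "UserType": 2, "Interval": 90 }
"""

# Layout observed in the excerpt: "<date> <TAG>: file.cpp[line]function:message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) <(?P<tag>\w+)>: "
    r"(?P<src>[\w.]+)\[(?P<line>\d+)\](?P<func>\w+):(?P<msg>.*)$"
)


def summarize(log_text):
    """Return endpoints, POST field names and keep-alive settings seen in the log."""
    endpoints, post_fields = set(), set()
    token_urls, unparsed, keepalive = 0, 0, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # e.g. lines with no "function:message" part
            continue
        func, msg = m["func"], m["msg"]
        if func == "SetUrl":
            u = urlsplit(msg)
            endpoints.add((u.scheme, u.hostname, u.port, u.path))
            # Token in the query string of an http:// URL is readable on the wire.
            if u.scheme == "http" and "tokenid" in parse_qs(u.query):
                token_urls += 1
        elif func == "AddPostString":
            post_fields.add(msg.split(":", 1)[0])   # keep the name, drop the value
        elif func == "send_keep_alive" and "{" in msg:
            body = json.loads(msg[msg.index("{"):])
            keepalive = {"method": body["MethodName"], "interval": body["Interval"]}
    return {
        "endpoints": sorted(endpoints),
        "token_in_cleartext_url": token_urls,
        "post_fields": sorted(post_fields),
        "keepalive": keepalive,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "=", value)
```

The endpoint list is what you would feed into a firewall rule or a DNS/IP watch list when isolating the camera on its own network segment.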


Discussions

Steve wrote 05/13/2019 at 14:49 point

I stumbled upon the firmware source code someone discreetly posted on GitHub if it helps anyone. You can tease out the ZSP (their control protocol) and you can see where they disabled things like the web interface. I am unfortunately not a Linux guy, but I would suspect it could be tweaked and built to do what everyone wants. It appears to support all varieties based on build flags. You can find it here: https://github.com/dulton/v200


Alexander Ose wrote 03/15/2019 at 21:29 point

Has anyone succeeded in getting an audio stream from this device?


sarvoth wrote 02/19/2019 at 21:21 point

I just got some of these, and despite what I read here, it appears telnet is blocked on these cameras out of the box.


Jpatton98 wrote 02/12/2019 at 04:20 point

Hey all, I downloaded and am using Zviewer to view all three of my cams. Viewing all three cams works great. Problem is I am having issues recording from any of the cams; I can't record anything from any of them. I went into what little settings there are in the software but it still will not record video. Any ideas? I have three of the Zmodo mini 720 IP cams.


rileyil77 wrote 11/17/2018 at 17:08 point

So, for our home security system we are using the iSPY Open Source Security Program. I'm using iSPY on a Windows 7 Pro PC. The IP for my PC with iSPY within the LAN is 192.168.1.3. So my wife convinced me the other day to purchase the meShare Mini WiFi Camera 2 pack from Walmart. I did. I can't get them to connect to iSPY. Not sure why. So I dug around and found that the cameras' IPs on my LAN are 192.168.1.66 and 192.168.1.67, via information given to me by the router. I also did some Google searching and found my cameras are actually Zmodo ZM – SH75D001 / ZH-IXY1D. So my question is: has anyone used these cameras with iSPY successfully? I used ZViewer, which I downloaded from a link I found here on the site, and changed some settings. I would just use the ZViewer program; however, it doesn't want to save my video storage to the local hard drive. Am I doing something wrong with ZViewer?


Mdb90 wrote 06/07/2018 at 20:43 point

Can anyone provide the old firmware again? Dropbox link doesn't work anymore.

Thanks!


kvvincentvalentine wrote 12/28/2017 at 15:29 point

Is this project still ongoing? I got a Zmodo camera for Christmas and when I found out that I couldn't stream to RTSP or use some work around I started digging. 


blackhounter wrote 05/31/2018 at 10:09 point

I'm still trying to get a direct feed from the camera as well as redirecting it to a personal server. Currently I use the zviewer (http://surveillance.zmodo.com/media/downloader/tool/Zviewer2.0.1.6_Setup.exe) to directly access the camera feed without the need of a cloud app. Are you able to use the web interface? I have used it but suddenly it disappeared.


Mdb90 wrote 06/08/2018 at 12:57 point

That might be because the firmware version is too new.


fichow wrote 09/03/2017 at 15:05 point

I did all this per abcshare on 6/15/2017 notes said:

zbatch program used to downgrade

http://files.zmodo.com/Software Files/NVR Tools/Original NVR/ZBatch1.0.2/

(download the dll as well as the exe)

For device type ZM-SH75D0001, Hardware Version 799990304

V7.8.0.16 https://www.dropbox.com/s/p4xxbabru3zlmeu/IPC-APP.txt?dl=0

Again, need to remove .txt before loading it into the zbatch program

Run zbatch.exe>upgrade tab>type IPC>refresh to find camera on network>upgrade>IPC-APP file

But nothing happened; my camera is still running V8.0.1.26. Does anyone know what I am doing wrong?


ZakM wrote 09/02/2017 at 04:55 point

I have a Zmodo ZH-IXY1D.   Has anyone figured out a way to use it as a LAN only camera, preferably using tinyCam android app?


abcshady wrote 06/15/2017 at 15:33 point

In case anyone is wondering, these are the settings I use for tinycam

Settings:

Zmodo ZP-NE-14S

Port: 8000

User:admin

Password:11111


abcshady wrote 06/15/2017 at 15:16 point

I have 1 older HW camera and two new. I used to use them with the android tinycam app but the recent updates stopped them working. Thanks to csirk51 I got the old one working using the IPC-APP file to downgrade it.

I contacted support and they gave me the IPC-APP file to downgrade the new cameras as well and now all three are working with tinycam again.

zbatch program used to downgrade

http://files.zmodo.com/Software Files/NVR Tools/Original NVR/ZBatch1.0.2/

(download the dll as well as the exe)

For device type ZM-SH75D0001, Hardware Version 799990304

V7.8.0.16 https://www.dropbox.com/s/p4xxbabru3zlmeu/IPC-APP.txt?dl=0

Again, need to remove .txt before loading it into the zbatch program

Run zbatch.exe>upgrade tab>type IPC>refresh to find camera on network>upgrade>IPC-APP file


csirk51 wrote 04/27/2017 at 07:44 point

I have an old HW type camera, latest firmware was V7.4.0.16 for a long time. Camera automatically upgraded to V7.4.0.20, where telnet and web access are gone, encryption is on. Asked Zmodo support to send me the old firmware, it can be uploaded to the camera with zsight pc app.

Link: https://www.dropbox.com/s/xi9zh6psmmunvol/IPC-APP.txt?dl=0

(Just cut the .txt)


lex.almani wrote 04/25/2017 at 02:28 point

I got the data from port 8000, does anyone know how to convert it to video or image?


smsmithz wrote 04/10/2017 at 19:15 point

I got the zbatch application, and I believe I got the old firmware. Does anyone have instructions on how to use the zbatch software? Working with the Zmodo tech team is very time consuming. After resetting the firmware, will MeShare not work anymore?


oPless wrote 03/07/2017 at 19:58 point

Anyone else notice that these cameras appear to phone home to 192.241.59.218 port 8088 ?


rickgtx wrote 01/07/2017 at 22:02 point

No video can be read by avconv.  They fail with "Invalid data found when processing input".

I like to capture an image every second to feed to Motion on my local network.

I have a Zmodo ZM-SS7AD001-W outdoor HD IR camera.  On the camera shell it has ZP-IBH13-W but it has only the two IR lights.


Only port 8000 is open.  Zmodo and MeShare Apps work.  Zviewer and Zsight Apps do not work.

The good news 55 55 AA AA does give me a response.

\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50 gives me a 110k-130k file
\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x02\x90 gives me a 55-70k file

All files have a header basically repeating the command sent and some more bytes that are the same in each header:
for HD
55 55 AA AA 04 00 00 00 00 00 00 50 00 00 00 00 30 30 64 63  
for SD:
55 55 AA AA 04 00 00 00 00 00 02 90 00 00 00 00 30 30 64 63

I tried removing the first 12 bytes and various other combinations to get a usable file without success.

What do your file headers look like?


habazot wrote 01/07/2017 at 23:18 point

Here is a script I use to feed ZoneMinder with a jpg file about once a second:

#!/bin/bash

HOST=$1
FILE=/tmp/${HOST}-HD.jpg

touch ${FILE}
chmod 777 ${FILE}
while true; do 
    echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50' | netcat -w 2 ${HOST} 8000 | avconv -i pipe:0 -y -q:v 9 -s 1280x720 -vframes 1 -r 1 ${FILE} >/dev/null 2>&1
done

It is horribly inefficient and jams my wireless network but kinda does the job...

But I would rather insert a different server into the cameras and get rid of that horrible App3518. Should be an example app to just supply a stream in the SDK, but I have not had time to explore that option. One day....


rickgtx wrote 01/09/2017 at 03:49 point

Thx, but avconv still gives me "Invalid data found when processing input". My model may use a proprietary image format.


john_j_gagne wrote 01/28/2017 at 23:15 point

hi rickgtx:

this script works

#!/bin/bash

rm -rf /home/<user>/tmp/SD1.jpg
time ( echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x02\x90' | nc 192.168.1.243 8000 | ffmpeg -i pipe:0 -q:v 1 -vframes 1 /home/<user>/tmp/SD1.jpg &>/dev/null )
sleep 1s

My problem is I have an 8 channel Zmodo DVR and this only gives me access to channel one, and I'd really like to be able to get output from the other channels as well. I'm guessing it's just a matter of having the right header string to echo to netcat, but it seems to be nearly impossible to figure out what that string might be...

this script streams the output from channel one continuously to mplayer... this works remarkably well.

#!/bin/bash

echo -ne '\x55\x55\xaa\xaa\x04\x00\x00\x00\x00\x00\x02\x90' | nc 192.168.1.243 8000 | mplayer -fps 25 -demuxer h264es -

anyway hope that script helps.


rickgtx wrote 02/02/2017 at 23:08 point

Thx John, but I still get "Invalid data found when processing input". I thought ffmpeg would work but it is the same as avconv. Might my model encrypt the video? I expect an H.264 video stream but do not see any markers for it.

I'm reluctant to open my outdoor unit to try to connect to the TTL. But thx again.


oPless wrote 02/28/2017 at 20:09 point

Having a look after wiresharking the protocol of my cameras, turning on the HD stream sends the 55 55 ... 00 50 in your post, then it responds with a 16 byte header and then starts streaming the h264 data.

Modified versions of habazot et al's scripts work for a couple of seconds and then stop, probably because of the end of line char(s) being interpreted as a second command and the camera side timing out and dropping the connection.

I wrote a few lines of perl to send the appropriate command packet, skip the 16 bytes, then stream the data to stdout so you can use ffplayer to view the stream.

Here it is: https://gist.github.com/opless/d1effc2eefdf2dfe3b1a6418979bc8ba

YMMV of course, but since zmodo only seem to keep a few hours of poorly triggered images I thought I'd best start looking at zoneminder!


Neil Cherry wrote 03/02/2017 at 19:20 point

the read socket works pretty well, I've switched that into my perl script and my screen shots work a bit better now


nshemo wrote 04/03/2017 at 04:32 point

My file headers look like this:

55 55 AA AA 04 00 00 00 00 00 00 50 00 00 00 00 30 30 64 63 2E 17 00 00 0E 16 0D 00 80 35 00 00 BF F1 9A A6 01 00 00 00 80 42 00 00 01 00 00 00 0D E5 7C DD DD 83 43 C2 3E AA EB 46 08 A1 B4 4F ....

The first 16 Bytes are common to all dumps, the next 4 are also common and are 00dc which indicate an AVI-type file format. The next 4 bytes indicate the data size (0x0000172E = 5934 bytes in this case). Then the last 24 bytes are also common. Cannot figure out what they mean. After that is the actual image data which I haven't been able to decode. The file size changes according the lighting conditions which suggests that the image is in some sort of compressed image format.

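
The header layout nshemo describes in this thread, turned into a parser for a captured port-8000 reply. This is an added example, not code from any commenter; the 48-byte payload offset and the reading of the size field as the payload length are assumptions taken from that description. It also checks the payload for an H.264 Annex B start code, the marker rickgtx reports not seeing.

```python
import struct

MAGIC = bytes.fromhex("55 55 aa aa")
# Stream selectors: last four bytes of the 12-byte requests quoted in the thread.
SELECTORS = {bytes.fromhex("00 00 00 50"): "HD", bytes.fromhex("00 00 02 90"): "SD"}
ANNEXB = (b"\x00\x00\x00\x01", b"\x00\x00\x01")  # H.264 Annex B start codes

# Sample input: the 64 bytes nshemo posted (the dump is truncated on the page).
SAMPLE = bytes.fromhex(
    "55 55 AA AA 04 00 00 00 00 00 00 50 00 00 00 00 30 30 64 63 "
    "2E 17 00 00 0E 16 0D 00 80 35 00 00 BF F1 9A A6 01 00 00 00 "
    "80 42 00 00 01 00 00 00 0D E5 7C DD DD 83 43 C2 3E AA EB 46 "
    "08 A1 B4 4F"
)


def parse_first_frame(buf):
    """Split a captured reply into the fields described in the thread.

    Offsets (assumed from nshemo's description):
      0..15   reply header: magic + echoed request fields
      16..19  chunk tag, ASCII "00dc"
      20..23  little-endian data size
      24..47  24 bytes of unknown meaning, kept as opaque
      48..    payload
    """
    if len(buf) < 48:
        raise ValueError("capture shorter than the 48-byte header")
    if buf[:4] != MAGIC:
        raise ValueError("missing 55 55 AA AA magic")
    (size,) = struct.unpack_from("<I", buf, 20)
    payload = buf[48:48 + size]
    return {
        "stream": SELECTORS.get(buf[8:12], "unknown"),
        "tag": buf[16:20],
        "size": size,
        "opaque": buf[24:48],
        "payload": payload,
        # False when the capture ends before `size` payload bytes arrived.
        "complete": len(payload) == size,
        # False suggests the payload is not raw Annex B H.264 at this offset
        # (wrong offset, different container, or an encrypted stream).
        "annexb_start": payload.startswith(ANNEXB),
    }


if __name__ == "__main__":
    frame = parse_first_frame(SAMPLE)
    print(frame["stream"], frame["tag"], frame["size"],
          "complete" if frame["complete"] else "truncated",
          "annexb" if frame["annexb_start"] else "no start code")
```

Run it over your own capture (for example the file saved from netcat) to see whether your firmware returns the same header and whether the payload carries a start code before handing it to ffmpeg.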

habazot wrote 01/02/2017 at 11:30 point

Are there any other software solutions based on the Hi3518 chipsets we could replace the App3518 with? Or just a way to serve an RTSP stream on 554 in addition to what is already there would help. Anyone fiddled with the SDK yet?

The HW is nice and compact, but the whole "send everything to China first" is a turnoff..


ho53y wrote 12/23/2016 at 21:12 point

Updated camera with latest firmware, and now there is no direct web-interface access on it. Is there any way to bring it back?


smsmithz wrote 12/30/2016 at 16:46 point

I would like to know the same thing. I own 6 of these cameras. Three I bought recently and they have the new firmware that won't connect to Blue Iris. Let me know if you guys know of a way to flash back to the old firmware and have copies of that firmware!!! Great work you guys are doing. Very interesting reading all the comments.


habazot wrote 01/02/2017 at 09:13 point

Contact the support team on their chat on zmodo.com. They will help you revert the firmware by sending you a Zbatch application and 7.4.0.20 firmware, which I believe is the latest before changing protocols.


kuetem wrote 09/27/2016 at 20:57 point

I use Zviewer software from Zmodo to view my webcam live (bypass the cloud).

Port 9000 is for mobile. I'm new to hackaday I don't know how to add pictures, I'm at work, I'll check back later.


Jeremy Jay wrote 09/13/2016 at 20:31 point

I recently bought a pair of Zmodo cameras too. ZP-IBI15-W so fairly different from what you all have. I have a serial line on one of the cameras and dumped the whole filesystem, so I've been working through it trying to figure it all out. Telnet is open but there's a root password (I haven't been able to crack it yet even with the hash from /etc/passwd ).

Has anyone been able to find the location for firmware downloads? I've found files.zmodo.com but it doesn't seem to have anything for my model. I haven't been able to snoop the update checks yet. (FYI, most of the firmwares found on that site are just JFFS2 images... )

For a warm-up, I started reversing the 'message' program since it's pretty small. The strings in it are easy to see, but from the code it's using SysV IPC messages to restart the network. It looks like the messages are probably sent from App3518 (as expected).


Jeremy Jay wrote 09/16/2016 at 02:20 point

sweet! I found the password for telnet: if anyone else is wondering it's "zmodo19820816"


ril3y wrote 09/18/2016 at 15:45 point

The App3518 is the process that is feeding the watchdog timer /dev/watchdog; if you kill it, it will reboot in about 1 min. However, if you write a bash script that echoes "1" to /dev/watchdog every few seconds, your camera will not reboot if you kill App3518. Grats on the password.


kuetem wrote 09/27/2016 at 20:54 point

Thank you! password works! 


Lee T. Davy wrote 04/25/2017 at 16:33 point

April 25,2017 

I have same but model  ZM-W0003-2 on box of 2. 
Updated  with  Zmodo Android app to V7.9.0.30 fw so not sure how to use
your information.

I tried this...  

telnet -l admin  198.xxxx.xxx.xxx 8000 

waits without prompt but then I enter zmodo19820816
and it  just exits back to prompt

Connection closed by foreign host.
$

nc examples modified for single call and remove null out log just hang 

