Close
0%
0%

Zmodo - Local Controller

Zmodo have some cool cameras! This project is about reversing protocols / bins of all things zomodo to bypass the cloud.

Similar projects worth following
This camera is really cool but is uses some "cloud app" for all video to be uploaded to. I would like to create a NodeJS server for this to bypass sending all my video / audio to China :) This is just a place for me to dump files and notes. If you want to help check out the main App3518 (which is the cpu Hi3518C) binary and help start to reverse it.

All files for this project are in the dropbox link. The main "App" file is App3518 and it is in the Dropbox link. This file is also the local webserver. It is responsible to posting video data to the MeShare website. You can downlod the MeShare app for IOS and Android as well if you would like to poke around in that.

What I am hoping for is some others that want to use this camera to get involved in the reversing of the networking protocol. I am not 100% certain.. But it might make more sense to place a different "app" on the device that we write and can post all the video data straight to our server code.

Amazon sells these cameras for around $38 here:

http://www.amazon.com/gp/product/B00ZZ4HX1K

Cameras known to run the same software (perhaps different hardware)

  1. Zmodo ZH-IXY1D
  2. Zmodo ZM-SH75D0001

If you know of a Zmodo camera running the same version (or contacting the same cloud servers) leave a comment and I will add them to the list. The App3518 has the shasum of ba5fa306d519c57124f9de96a1f007f0. App3518 is the main binary that runs on these Zmodo* cameras.

zmodoboot.txt

Out of the box boot log. This is before connecting to a wireless network.

plain - 49.00 kB - 01/16/2016 at 03:27

Download

zmodowireless.txt

Log showing the wireless connection process during and after setup.

plain - 28.64 kB - 01/16/2016 at 03:27

Download

  • Dumping the MTD Partitions

    ril3y01/21/2016 at 03:21 5 comments

    I went ahead and dumped the files to the Dropbox for the MTD partitions.

    https://www.dropbox.com/sh/adups6kczg65138/AACquDl-FP1ZT0KB1yB-4aGia?dl=0


    # cat /proc/mtd
    dev: size erasesize name
    mtd0: 00040000 00010000 "boot"
    mtd1: 000c0000 00010000 "config"
    mtd2: 00480000 00010000 "rootfs"
    mtd3: 00a80000 00010000 "app"

    More to come....

  • Initial rooting (or read that as loggin in) and poking around

    ril3y12/02/2015 at 19:16 1 comment

    There is a 3 pad test point on the other size of the main board. It is 3v3 ttl serial. tx rx gnd. Solder a few tiny wires to each pad then hook up to a ttl 3v3 usb to serial ( I use the prolific ones) and open a serial terminal (coolterm etc) 115200 8N1. I did place a dab of hot glue to hold the wires in place as to not pull the test point's pads right off of the pcb. I forgot to take a picture of it first. I have another camera on order and will post some pics when it gets in.

    This will drop you to a root shell.... Heres some boot messages.. The full boot messages are in the dropbox link.

    U-Boot 2010.06 (Apr 28 2015 - 09:46:30)
    
    Check spi flash controller v350... Found
    Spi(cs1) ID: 0x01 0x20 0x18 0x4D 0x01 0x80
    Spi(cs1): Block:64KB Chip:16MB Name:"S25FL129P1"
    MMC:   MMC FLASH INIT: No card on slot!
    In:    serial
    Out:   serial
    Err:   serial
    No mmc storage device found!
    Hit any key to stop autoboot:  1 ... 0 
    16384 KiB hi_sfc at 0:0 is now current device
    
    cramfs load file : /boot/hikernel
    ### CRAMFS load complete: 2409600 bytes loaded to 0x82000000
    ## Booting kernel from Legacy Image at 82000000 ...
       Image Name:   hilinux
       Image Type:   ARM Linux Kernel Image (uncompressed)
       Data Size:    2409536 Bytes = 2.3 MiB
       Load Address: 80008000
       Entry Point:  80008000
       Loading Kernel Image ... OK
    OK
    
    Starting kernel ...

    There is a really annoying feature that they felt the need to leave in place. All print statements from ./App3518 program seem to spit out to the tty. And its a very chatty program. However it does give you a glimpse into some of the communications with the "MeShare" streaming video service. Observe....

    Dec  2 14:02:09 <P2P>: web.cpp[471]web_report_upnp:recv:{"result":"ok","data":[],"addition":""}
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[744]p2p_send_cover_pic:begin upload cover picture for channel[0]...
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/picture_report
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:tokenid:p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:channel:0
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[93]AddPostPicture:image_name:/tmp/cover.jpg
    
    Dec  2 14:02:09 <P2P>: web.cpp[402]web_report_picture:recv:{"result":"ok","data":"","addition":""}
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[942]p2p_is_timezone_set_by_meshare:timezone America/New_York, America/New_York
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/gettimezone?tokenid=p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[252]SetConnectTimeout:[10]
    
    Dec  2 14:02:09 <P2P>: web.cpp[425]web_get_timezone:recv reply:{"result":"ok","offset_seconds":"-18000"}
    
    Dec  2 14:02:09 <P2P>: web.cpp[434]web_get_timezone:get timezone:-18000
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[905]p2p_set_timezone_offset[1170719936]
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[148]keep_alive_timer_func:keep alive timeout, resend !
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[120]send_keep_alive:send_keep_alive:{ "MethodName": "Option.update", "TokenId": "p4yL5zwYSQRL8vcCNUbx9v12bmKcQF", "DevId": "ZMD00ID02206860", "UserType": 2, "Interval": 90 }
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[40]p2p_keep_alive_cb:reply:{ "ResultCode": 0, "ResultReason": "ok", "CmuId": 1001000000 }
    
    

    The program generating all of these print statements is App3518 which I tftp'ed off of the device and posted in the dropbox link. There is also a message file which I am unclear of what it is doing.

    ril3ys-MBP:Zmodo Reversing ril3y$ file message App3518 
    message: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped
    App3518: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped

View all 2 project logs

Enjoy this project?

Share

Discussions

abcshady wrote 06/15/2017 at 15:33 point

In case anyone is wondering, these are the settings I use for tinycam

Settings:

Zmodo ZP-NE-14S

Port: 8000

User:admin

Password:11111

  Are you sure? yes | no

abcshady wrote 06/15/2017 at 15:16 point

I have 1 older HW camera and two new. I used to use them with the android tinycam app but the recent updates stopped them working. Thanks to csirk51 I got the old one working using the IPC-APP file to downgrade it.

I contacted support and they gave me the IPC-APP file to downgrade the new camera's as well and now all three are working with tinycam again.

zbatch program used to downgrade

http://files.zmodo.com/Software Files/NVR Tools/Original NVR/ZBatch1.0.2/

(download the dll as well as the exe)

For device type ZM-SH75D0001, Hardware Version 799990304

V7.8.0.16 https://www.dropbox.com/s/p4xxbabru3zlmeu/IPC-APP.txt?dl=0

Again, need to remove .txt before loading it into the zbatch program

Run zbatch.exe>upgrade tab>type IPC>refresh to find camera on network>upgrade>IPC-APP file

  Are you sure? yes | no

csirk51 wrote 04/27/2017 at 07:44 point

I have an old HW type camera, latest firmware was V7.4.0.16 for a long time. Camera automatically upgraded to V7.4.0.20, where telnet and web access are gone, encryption is on. Asked Zmodo support to send me the old firmware, it can be uploaded to the camera with zsight pc app.

Link: https://www.dropbox.com/s/xi9zh6psmmunvol/IPC-APP.txt?dl=0

(Just cut the .txt)

  Are you sure? yes | no

lex.almani wrote 04/25/2017 at 02:28 point

I got the data from port 8000, does anyone know how to convert it to video or image?

  Are you sure? yes | no

smsmithz wrote 04/10/2017 at 19:15 point

I got the zbatch application, and I believe I got the old firmware.  Does anyone have instructions on how to use the zbatch software?  Working with zmodo tech team is very time consuming....  After reseting the firmware will mishare not work anymore?   

  Are you sure? yes | no

oPless wrote 03/07/2017 at 19:58 point

Anyone else notice that these cameras appear to phone home to 192.241.59.218 port 8088 ?

  Are you sure? yes | no

rickgtx wrote 01/07/2017 at 22:02 point

No video can be read by avconv.  They fail with "Invalid data found when processing input".

I like to capture an image every second to feed to Motion on my local network.

I have a Zmodo ZM-SS7AD001-W outdoor HD IR camera.  On the camera shell it has ZP-IBH13-W but it has only the two IR lights.


Only port 8000 is open.  Zmodo and MeShare Apps work.  Zviewer and Zsight Apps do not work.

The good news 55 55 AA AA does give me a response.

\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50 gives me a 110k-130k file
\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x02\x90 gives me a 55-70k file

All files have a header basically repeating the command sent and some more bytes that are the same in each header:
for HD
55 55 AA AA 04 00 00 00 00 00 00 50 00 00 00 00 30 30 64 63  
for SD:
55 55 AA AA 04 00 00 00 00 00 02 90 00 00 00 00 30 30 64 63

I tried removing the first 12 bytes and various other combinations to get a usable file without success.

What do your file headers look like?

  Are you sure? yes | no

habazot wrote 01/07/2017 at 23:18 point

Here is a script I use to feed ZoneMinder with a jpg file about once a second:

#!/bin/bash

HOST=$1
FILE=/tmp/${HOST}-HD.jpg

touch ${FILE}
chmod 777 ${FILE}
while true; do 
    echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50' | netcat -w 2 ${HOST} 8000 | avconv -i pipe:0 -y -q:v 9 -s 1280x720 -vframes 1 -r 1 ${FILE} >/dev/null 2>&1
done

It is horribly inefficient and jams my wireless network but kinda does the job...

But I would rather insert a different server into the cameras and get rid of that horrible App3518. Should be an example app to just supply a stream in the SDK, but I have not had time to explore that option. One day....

  Are you sure? yes | no

rickgtx wrote 01/09/2017 at 03:49 point

Thx, but avconv still gives me "Invalid data found when processing input"  My model may use a propriety image format.

  Are you sure? yes | no

john_j_gagne wrote 01/28/2017 at 23:15 point

hi rickgtx:

this script works

#!/bin/bash

rm -rf /home/<user>/tmp/SD1.jpg
time ( echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x02\x90' | nc 192.168.1.243 8000 | ffmpeg -i pipe:0 -q:v 1 -vframes 1 /home/<user>/tmp/SD1.jpg &>/dev/null )
sleep 1s

My problem is I have an 8 channel zmodo dvr and this only gives me access to channel one, and I really like to be able to get output from the other channels as well. I'm guessing it's just a matter of having the header right string to echo to netcat but that seems to be nearly impossible to figure out what that string might be...

this script streams the output from channel one continuously to mplayer... this works remarkably well.

#!/bin/bash

echo -ne '\x55\x55\xaa\xaa\x04\x00\x00\x00\x00\x00\x02\x90' | nc 192.168.1.243 8000 | mplayer -fps 25 -demuxer h264es -

anyway hope that script helps.

  Are you sure? yes | no

rickgtx wrote 02/02/2017 at 23:08 point

Thx John,  But I still get  "Invalid data found when processing input".  I thought ffmpeg would work but it is the same as avconv.  Might my model encrypt the video?  I expect an H.264 video stream but do not see any markers for it.

 I'm reluctant to open my outdoor unit to try connect to the TTL .  But thx again.

  Are you sure? yes | no

oPless wrote 02/28/2017 at 20:09 point

Having a look after wiresharking the protocol of my cameras, turning on the HD stream sends the 55 55 ... 00 50 in your post, then it responds with a 16 byte header and then starts streaming the h264 data.

Modified versions of habazot et al's scripts work for a couple of seconds and then stop, probably because of the end of line char(s) being interpreted as a second command and the camera side timing out and dropping the connection.

I wrote a few lines of perl to send the appropriate command packet, skip the 16 bytes, then stream the data to stdout so you can use ffplayer to view the stream.

Here it is: https://gist.github.com/opless/d1effc2eefdf2dfe3b1a6418979bc8ba

YMMV of course, but since zmodo only seem to keep a few hours of poorly triggered images I thought I'd best start looking at zoneminder!

  Are you sure? yes | no

Neil Cherry wrote 03/02/2017 at 19:20 point

the read socket works pretty well, I've switched that into my perl script and my screen shots work a bit better now

  Are you sure? yes | no

nshemo wrote 04/03/2017 at 04:32 point

My file headers look like this:

55 55 AA AA 04 00 00 00 00 00 00 50 00 00 00 00 30 30 64 63 2E 17 00 00 0E 16 0D 00 80 35 00 00 BF F1 9A A6 01 00 00 00 80 42 00 00 01 00 00 00 0D E5 7C DD DD 83 43 C2 3E AA EB 46 08 A1 B4 4F ....

The first 16 Bytes are common to all dumps, the next 4 are also common and are 00dc which indicate an AVI-type file format. The next 4 bytes indicate the data size (0x0000172E = 5934 bytes in this case). Then the last 24 bytes are also common. Cannot figure out what they mean. After that is the actual image data which I haven't been able to decode. The file size changes according the lighting conditions which suggests that the image is in some sort of compressed image format.

  Are you sure? yes | no

habazot wrote 01/02/2017 at 11:30 point

Are there any other software solutions based on the Hi3518 chipsets we could replace the App3518 with?.. Or just a way to serve at RTSP stream on 554 in addition to what is already there would help, anyone fiddled with the SDK yet?

The HW is nice and compact, but the whole "send everything to China first" is a turnoff..

  Are you sure? yes | no

ho53y wrote 12/23/2016 at 21:12 point

Update camera with latest firmware, and now no direct web-interface access on it. If there any way to bring it back?

  Are you sure? yes | no

smsmithz wrote 12/30/2016 at 16:46 point

I would like to know the same thing.  I own 6 of these cameras.  Three I bought recently and they have the new firmware that won't connect to Blue Iris.  Let me know if you guys know of way to flash back to the old firmware and have copies of that firmware!!!  Great work you guys are doing. Very interesting reading all the comments.

  Are you sure? yes | no

habazot wrote 01/02/2017 at 09:13 point

Contact the support team on their chat on zmodo.com. They will help you reverting firmware by sending you a Zbatch application and 7.4.0.20 firmware which I believe is the latest before changing protocols.

  Are you sure? yes | no

kuetem wrote 09/27/2016 at 20:57 point

I use Zviewer software from Zmodo to view my webcam live (bypass the cloud).

Port 9000 is for mobile. I'm new to hackaday I don't know how to add pictures, I'm at work, I'll check back later.

  Are you sure? yes | no

Jeremy Jay wrote 09/13/2016 at 20:31 point

I recently bought a pair of Zmodo cameras too. ZP-IBI15-W so fairly different from what you all have. I have a serial line on one of the cameras and dumped the whole filesystem, so I've been working through it trying to figure it all out. Telnet is open but there's a root password (I haven't been able to crack it yet even with the hash from /etc/passwd ).

Has anyone been able to find the location for firmware downloads? I've found files.zmodo.com but it doesn't seem to have anything for my model. I haven't been able to snoop the update checks yet. (FYI, most of the firmwares found on that site are just JFFS2 images... )

For a warm-up, I started reversing the 'message' program since it's pretty small. The strings in it are easy to see, but from the code it's using SysV IPC messages to restart the network. It looks like the messages are probably sent from App3518 (as expected).

  Are you sure? yes | no

Jeremy Jay wrote 09/16/2016 at 02:20 point

sweet! I found the password for telnet: if anyone else is wondering it's "zmodo19820816"

  Are you sure? yes | no

ril3y wrote 09/18/2016 at 15:45 point

The App3518 is the process that is feeding the watchdog timer /dev/watchdog if you kill it it will reboot in about 1 min.  However if you write a bash script that echo "1" to /dev/watchdog every few seconds your camera will not reboot if you kill App3518.  Grats on the  password.

  Are you sure? yes | no

kuetem wrote 09/27/2016 at 20:54 point

Thank you! password works! 

  Are you sure? yes | no

Lee T. Davy wrote 04/25/2017 at 16:33 point

April 25,2017 

I have same but model  ZM-W0003-2 on box of 2. 
Updated  with  Zmodo Android app to V7.9.0.30 fw so not sure how to use
your information.

I tried this...  

telnet -l admin  198.xxxx.xxx.xxx 8000 

waits without prompt but then I enter zmodo19820816
and it  just exits back to prompt

Connection closed by foreign host.
$

nc examples modified for single call and remove null out log just hang 

  Are you sure? yes | no

philcolbourn wrote 04/29/2016 at 12:16 point

ZH-IZV15-WAC

00 91 command seems to report camera routing table

00000000  55 55 aa aa fc cc 00 00  00 00 00 91 00 00 00 00
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

*
00000030  00 00 00 00 00 00 00 00  00 00 00 00 GATEWAY--IP
00000040  00 00 00 00 CAMERA---IP  NETWORKMASK GATEWAY--IP 
00000050  CAMERA--MAC--ADDR 01 00  00 00 00 00 00 00 00 00 
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
*
00000210  00 00 00 00 00 00 00 00  00 00 00 00 19 00 00 00
00000220  01 00 00 00 01 01 CAMERA----IP NETWORKMASK GATEW 
00000230  AY-IP CAMERA--MAC--ADDR  GATEWAY--IP 00 00 00 00 
00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

  Are you sure? yes | no

philcolbourn wrote 04/27/2016 at 15:21 point

ZH-IZV15-WAC

Discovered by accident that I can change its MAC address. After which it seems to restart and obtain a new IP address.

009c to set MAC

019c to read MAC

I tried to change MAC address to 'Coffee'

echo -ne '\x55\x55\xaa\xaa\x06\x00\x00\x00\x00\x00\x00\x9cCoffee' | netcat -w 5 10.1.0.96 8000 | hexdump -C

00000000  55 55 aa aa 04 00 00 00  00 00 00 9c 00 00 00 00  |UU..............|
00000010

<camera reset - lookup new IP address - now 10.1.0.97>

echo -ne '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x01\x9c' | netcat -w 5 10.1.0.97 8000 | hexdump -C
00000000  55 55 aa aa 06 00 00 00  00 00 01 9c 44 6f 66 66  |UU..........Doff|
00000010  65 65                                             |ee|
00000012

So, I got Doffee, not Coffee - it seems to add 1 to first byte of MAC address

  Are you sure? yes | no

fleshinachair wrote 04/26/2016 at 21:35 point

Well done for setting up this project. I found this page randomly as I own 2 zmodo cameras (indoor and outdoor model) but theyve decided that they can not or will not support email alerts anymore - I think maybe cos they want to upsell the cloud features instead. If anyone has a way of fixing this I'd be most interested as would a large number of people on their forums. I'm not a programmer but will follow this avidly! 

http://community.zmodo.com/t/email-alerts-suddenly-stopped/2018/129

  Are you sure? yes | no

Hajo wrote 04/15/2016 at 10:19 point

Some more details:
(might be interesting sometime? - maybe not)

I put a complete directory/file listing into dropbox:
# ls / -l -R
https://www.dropbox.com/s/ti1kvy2ljafthtg/directory.txt?dl=0


# df

Filesystem           1K-blocks      Used   Available  Use%     Mounted on    Access
/dev/root                    7040      7040                0  100%     /                        read only
devtmpfs                  15968             4        15964   0%        /dev                  read/write
tmpfs                        16032           36        15996   0%        /tmp                  read/write
/dev/mtdblock3       10752       6872         3880  64%       /app                  read/write
/dev/mtdblock1            768         216           552  28%        /config              read/write
tmfs                          16032            0        16032   0%         /system             read/write

# lsusb
Bus 001 Device 001: ID 1d6b:0002     -> Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001     -> Linux Foundation 1.1 root hub
Bus 001 Device 002: ID 0bda:8179    - > Realtek Semiconductor Corp. RTL8188EUS 802.11n Wireless Network Adapter

  Are you sure? yes | no

Hajo wrote 04/06/2016 at 21:05 point

Hi all,

I own a Zmodo ZH-IXY1D as well.
It runs Stock Firmware 7.4.0.16
Model: ZM-SH75D001-WA (shown in Device Parameters)
Hardware Version: 799990304

Some more details from WebUI:

Whether to support the intercom: YES
Whether to support local Storage: NO
Whether to support Onvif: NO
Whether to support PT: NO
Whether to support Zoom: NO
Whether to support Wifi: YES


Telnet with root access works (root/no password).

___________________________________________

# cat /proc/cpuinfo
Processor       : ARM926EJ-S rev 5 (v5l)
BogoMIPS        : 218.72
Features        : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant     : 0x0
CPU part        : 0x926
CPU revision    : 5

Hardware        : hi3518

____________________________________________

# uname -mrs
Linux 3.0.8 armv5tejl

____________________________________________

# cat /proc/version
Linux version 3.0.8 (harvey@localhost.localdomain) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #2 Thu Apr 16 10:08:52 CST 2015

____________________________________________

# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,size=15968k,nr_inodes=3992,mode=755)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
tmpfs on /tmp type tmpfs (rw,relatime)
/dev/mtdblock3 on /app type jffs2 (rw,relatime)
/dev/mtdblock1 on /config type jffs2 (rw,relatime)
tmfs on /system type tmpfs (rw,relatime)

______________________________________________

The Hardware is not too bad, so I want to setup a cross-compiler to bring some software on that CAM.

http://events.linuxfoundation.org/sites/events/files/slides/Shuah_Khan_cross_compile_linux.pdf

Goals:

1a. ) Create local snapshot on camera and move it to a ftp server (automatic)

1b.) JPEG/MJPEG Streaming via port 80 (local folder -> /app/dvr)

2a.) The Cam should initate the rtsp-stream (FFMPEG/H264) on its own.

2b.) The stream should stop for ~1 Second after eg. 5 Minutes, and restart automaitcally, to have constant stream for NVR

Additional input welcome!

BR
Hajo

  Are you sure? yes | no

Neil Cherry wrote 05/11/2016 at 03:19 point

Thanks for the pdf. I'm not ready to setup the cross-compiler yet but I hope to later this summer. Still very busy with other HA projects. Glad to see others still playing. :-)

I've been using the same perl code to pull images (not streams) from other cameras (Amcrest and Foscam).

  Are you sure? yes | no

ril3y wrote 08/25/2016 at 22:01 point

Agree with @Neil Cherry I am planning on picking this back up.  I found the SDK to build the image.  I have not had time to play with it.  Now that winter is coming... I plan on getting these things working to my network not the cloud!

  Are you sure? yes | no

les.v2 wrote 03/03/2016 at 17:20 point

Hi All,

Just to inform you that I found how to get HD or SD stream.

I reuse things already find by the team ;-) that's why you will recognize your commands ;-)

1) The command to do screenshot "HD"  (tested on raspberry pi 2): PNG image data, 1280 x 720, 8-bit/color RGB, non-interlaced :

time ( echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50' | netcat -w 2 192.168.0.38 8000 | avconv -i pipe:0 -q:v 1 -vframes 1 HD.png &>/dev/null )

Time of capture on my local network : 1.163s

and the command to check generation and format: 

 file HD.png

2) The command to do screenshot "SD"  (tested on raspberry pi 2) : PNG image data, 320 x 240, 8-bit/color RGB, non-interlaced

time ( echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x02\x90' | netcat -w 2 192.168.0.38 8000 | avconv -i pipe:0 -q:v 1 -vframes 1 SD.png &>/dev/null )

Time of capture on my local network: 0.343s

and the command to check generation and format: 

 file SD.png

Let me continue, my goal is to find a way to get a stream or a snapshot to have the video in a domotic software as jeedom / domoticz / etc... ;-).

Enjoy,

  Are you sure? yes | no

nykr95 wrote 02/10/2016 at 21:58 point

alixjg:

That actually worked - for port 9000 - but I am actually getting the low res stream.  I selected that model # in Blue Iris.  Now if I can just get the HD stream - I'm good.

Steve

  Are you sure? yes | no

alixjg wrote 02/13/2016 at 14:01 point

Yeah, sorry I forgot to mention that.  I can't figure out how to get the HD stream or audio.  I came across this the other day when meshare wasn't working for my wife and I.

  Are you sure? yes | no

nykr95 wrote 02/21/2016 at 22:58 point

I decided to sent it back to Amazon.  Too much effort when I can get other cameras the same price online with the same features and they have Onvif or RTSP feeds documented.

  Are you sure? yes | no

alixjg wrote 02/10/2016 at 17:36 point

Hi,

I'm not sure if this is worth looking into or not, but I was able to successfully setup the app "IP Cam Viewer Pro" on my android phone.  I selected "Zmodo ZMD-ISV-BFS23NM" for make and model, entered my IP, port 8000, and the username & password I use for the web interface.  I can view the camera, but I don't think audio is working.

  Are you sure? yes | no

nykr95 wrote 02/08/2016 at 21:13 point

Hi Guys,

I also have a couple of these cameras.  Found this thread searching the net.  I have been trying to figure out if I can use Blue Iris to get the video feed.  I put in the IP address and use port 8000 but I guess I don't have the correct path to grab the feed.  If seems to authenticate but not send the stream.   If you are able to receive it using mplayer - I would think Blue Iris could work.  Any suggestions on what parameters to use?

Regards,

  Are you sure? yes | no

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates