Close
0%
0%

Zmodo - Local Controller

Zmodo have some cool cameras! This project is about reversing protocols / bins of all things zomodo to bypass the cloud.

Similar projects worth following
This camera is really cool but is uses some "cloud app" for all video to be uploaded to. I would like to create a NodeJS server for this to bypass sending all my video / audio to China :) This is just a place for me to dump files and notes. If you want to help check out the main App3518 (which is the cpu Hi3518C) binary and help start to reverse it.

All files for this project are in the dropbox link. The main "App" file is App3518 and it is in the Dropbox link. This file is also the local webserver. It is responsible to posting video data to the MeShare website. You can downlod the MeShare app for IOS and Android as well if you would like to poke around in that.

What I am hoping for is some others that want to use this camera to get involved in the reversing of the networking protocol. I am not 100% certain.. But it might make more sense to place a different "app" on the device that we write and can post all the video data straight to our server code.

Amazon sells these cameras for around $38 here:

http://www.amazon.com/gp/product/B00ZZ4HX1K

Cameras known to run the same software (perhaps different hardware)

  1. Zmodo ZH-IXY1D
  2. Zmodo ZM-SH75D0001

If you know of a Zmodo camera running the same version (or contacting the same cloud servers) leave a comment and I will add them to the list. The App3518 has the shasum of ba5fa306d519c57124f9de96a1f007f0. App3518 is the main binary that runs on these Zmodo* cameras.

zmodoboot.txt

Out of the box boot log. This is before connecting to a wireless network.

plain - 49.00 kB - 01/16/2016 at 03:27

Download

zmodowireless.txt

Log showing the wireless connection process during and after setup.

plain - 28.64 kB - 01/16/2016 at 03:27

Download

View all 2 files

  • Dumping the MTD Partitions

    ril3y01/21/2016 at 03:21 5 comments

    I went ahead and dumped the files to the Dropbox for the MTD partitions.

    https://www.dropbox.com/sh/adups6kczg65138/AACquDl-FP1ZT0KB1yB-4aGia?dl=0


    # cat /proc/mtd
    dev: size erasesize name
    mtd0: 00040000 00010000 "boot"
    mtd1: 000c0000 00010000 "config"
    mtd2: 00480000 00010000 "rootfs"
    mtd3: 00a80000 00010000 "app"

    More to come....

  • Initial rooting (or read that as loggin in) and poking around

    ril3y12/02/2015 at 19:16 0 comments

    There is a 3 pad test point on the other size of the main board. It is 3v3 ttl serial. tx rx gnd. Solder a few tiny wires to each pad then hook up to a ttl 3v3 usb to serial ( I use the prolific ones) and open a serial terminal (coolterm etc) 115200 8N1. I did place a dab of hot glue to hold the wires in place as to not pull the test point's pads right off of the pcb. I forgot to take a picture of it first. I have another camera on order and will post some pics when it gets in.

    This will drop you to a root shell.... Heres some boot messages.. The full boot messages are in the dropbox link.

    U-Boot 2010.06 (Apr 28 2015 - 09:46:30)
    
    Check spi flash controller v350... Found
    Spi(cs1) ID: 0x01 0x20 0x18 0x4D 0x01 0x80
    Spi(cs1): Block:64KB Chip:16MB Name:"S25FL129P1"
    MMC:   MMC FLASH INIT: No card on slot!
    In:    serial
    Out:   serial
    Err:   serial
    No mmc storage device found!
    Hit any key to stop autoboot:  1 ... 0 
    16384 KiB hi_sfc at 0:0 is now current device
    
    cramfs load file : /boot/hikernel
    ### CRAMFS load complete: 2409600 bytes loaded to 0x82000000
    ## Booting kernel from Legacy Image at 82000000 ...
       Image Name:   hilinux
       Image Type:   ARM Linux Kernel Image (uncompressed)
       Data Size:    2409536 Bytes = 2.3 MiB
       Load Address: 80008000
       Entry Point:  80008000
       Loading Kernel Image ... OK
    OK
    
    Starting kernel ...

    There is a really annoying feature that they felt the need to leave in place. All print statements from ./App3518 program seem to spit out to the tty. And its a very chatty program. However it does give you a glimpse into some of the communications with the "MeShare" streaming video service. Observe....

    Dec  2 14:02:09 <P2P>: web.cpp[471]web_report_upnp:recv:{"result":"ok","data":[],"addition":""}
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[744]p2p_send_cover_pic:begin upload cover picture for channel[0]...
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/picture_report
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:tokenid:p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:channel:0
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[93]AddPostPicture:image_name:/tmp/cover.jpg
    
    Dec  2 14:02:09 <P2P>: web.cpp[402]web_report_picture:recv:{"result":"ok","data":"","addition":""}
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[942]p2p_is_timezone_set_by_meshare:timezone America/New_York, America/New_York
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/gettimezone?tokenid=p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[252]SetConnectTimeout:[10]
    
    Dec  2 14:02:09 <P2P>: web.cpp[425]web_get_timezone:recv reply:{"result":"ok","offset_seconds":"-18000"}
    
    Dec  2 14:02:09 <P2P>: web.cpp[434]web_get_timezone:get timezone:-18000
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[905]p2p_set_timezone_offset[1170719936]
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[148]keep_alive_timer_func:keep alive timeout, resend !
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[120]send_keep_alive:send_keep_alive:{ "MethodName": "Option.update", "TokenId": "p4yL5zwYSQRL8vcCNUbx9v12bmKcQF", "DevId": "ZMD00ID02206860", "UserType": 2, "Interval": 90 }
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[40]p2p_keep_alive_cb:reply:{ "ResultCode": 0, "ResultReason": "ok", "CmuId": 1001000000 }
    
    

    The program generating all of these print statements is App3518 which I tftp'ed off of the device and posted in the dropbox link. There is also a message file which I am unclear of what it is doing.

    ril3ys-MBP:Zmodo Reversing ril3y$ file message App3518 
    message: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared...
    Read more »

View all 2 project logs

Enjoy this project?

Share      

Discussions

oPless wrote 03/07/2017 at 19:58 point

Anyone else notice that these cameras appear to phone home to 192.241.59.218 port 8088 ?

  Are you sure? yes | no

rickgtx wrote 01/07/2017 at 22:02 point

No video can be read by avconv.  They fail with "Invalid data found when processing input".

I like to capture an image every second to feed to Motion on my local network.

I have a Zmodo ZM-SS7AD001-W outdoor HD IR camera.  On the camera shell it has ZP-IBH13-W but it has only the two IR lights.


Only port 8000 is open.  Zmodo and MeShare Apps work.  Zviewer and Zsight Apps do not work.

The good news 55 55 AA AA does give me a response.

\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50 gives me a 110k-130k file
\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x02\x90 gives me a 55-70k file

All files have a header basically repeating the command sent and some more bytes that are the same in each header:
for HD
55 55 AA AA 04 00 00 00 00 00 00 50 00 00 00 00 30 30 64 63  
for SD:
55 55 AA AA 04 00 00 00 00 00 02 90 00 00 00 00 30 30 64 63

I tried removing the first 12 bytes and various other combinations to get a usable file without success.

What do your file headers look like?

  Are you sure? yes | no

habazot wrote 01/07/2017 at 23:18 point

Here is a script I use to feed ZoneMinder with a jpg file about once a second:

#!/bin/bash

HOST=$1
FILE=/tmp/${HOST}-HD.jpg

touch ${FILE}
chmod 777 ${FILE}
while true; do 
    echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50' | netcat -w 2 ${HOST} 8000 | avconv -i pipe:0 -y -q:v 9 -s 1280x720 -vframes 1 -r 1 ${FILE} >/dev/null 2>&1
done

It is horribly inefficient and jams my wireless network but kinda does the job...

But I would rather insert a different server into the cameras and get rid of that horrible App3518. Should be an example app to just supply a stream in the SDK, but I have not had time to explore that option. One day....

  Are you sure? yes | no

rickgtx wrote 01/09/2017 at 03:49 point

Thx, but avconv still gives me "Invalid data found when processing input"  My model may use a propriety image format.

  Are you sure? yes | no

john_j_gagne wrote 01/28/2017 at 23:15 point

hi rickgtx:

this script works

#!/bin/bash

rm -rf /home/<user>/tmp/SD1.jpg
time ( echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x02\x90' | nc 192.168.1.243 8000 | ffmpeg -i pipe:0 -q:v 1 -vframes 1 /home/<user>/tmp/SD1.jpg &>/dev/null )
sleep 1s

My problem is I have an 8 channel zmodo dvr and this only gives me access to channel one, and I really like to be able to get output from the other channels as well. I'm guessing it's just a matter of having the header right string to echo to netcat but that seems to be nearly impossible to figure out what that string might be...

this script streams the output from channel one continuously to mplayer... this works remarkably well.

#!/bin/bash

echo -ne '\x55\x55\xaa\xaa\x04\x00\x00\x00\x00\x00\x02\x90' | nc 192.168.1.243 8000 | mplayer -fps 25 -demuxer h264es -

anyway hope that script helps.

  Are you sure? yes | no

rickgtx wrote 02/02/2017 at 23:08 point

Thx John,  But I still get  "Invalid data found when processing input".  I thought ffmpeg would work but it is the same as avconv.  Might my model encrypt the video?  I expect an H.264 video stream but do not see any markers for it.

 I'm reluctant to open my outdoor unit to try connect to the TTL .  But thx again.

  Are you sure? yes | no

oPless wrote 02/28/2017 at 20:09 point

Having a look after wiresharking the protocol of my cameras, turning on the HD stream sends the 55 55 ... 00 50 in your post, then it responds with a 16 byte header and then starts streaming the h264 data.

Modified versions of habazot et al's scripts work for a couple of seconds and then stop, probably because of the end of line char(s) being interpreted as a second command and the camera side timing out and dropping the connection.

I wrote a few lines of perl to send the appropriate command packet, skip the 16 bytes, then stream the data to stdout so you can use ffplayer to view the stream.

Here it is: https://gist.github.com/opless/d1effc2eefdf2dfe3b1a6418979bc8ba

YMMV of course, but since zmodo only seem to keep a few hours of poorly triggered images I thought I'd best start looking at zoneminder!

  Are you sure? yes | no

Neil Cherry wrote 03/02/2017 at 19:20 point

the read socket works pretty well, I've switched that into my perl script and my screen shots work a bit better now

  Are you sure? yes | no

habazot wrote 01/02/2017 at 11:30 point

Are there any other software solutions based on the Hi3518 chipsets we could replace the App3518 with?.. Or just a way to serve at RTSP stream on 554 in addition to what is already there would help, anyone fiddled with the SDK yet?

The HW is nice and compact, but the whole "send everything to China first" is a turnoff..

  Are you sure? yes | no

ho53y wrote 12/23/2016 at 21:12 point

Update camera with latest firmware, and now no direct web-interface access on it. If there any way to bring it back?

  Are you sure? yes | no

smsmithz wrote 12/30/2016 at 16:46 point

I would like to know the same thing.  I own 6 of these cameras.  Three I bought recently and they have the new firmware that won't connect to Blue Iris.  Let me know if you guys know of way to flash back to the old firmware and have copies of that firmware!!!  Great work you guys are doing. Very interesting reading all the comments.

  Are you sure? yes | no

habazot wrote 01/02/2017 at 09:13 point

Contact the support team on their chat on zmodo.com. They will help you reverting firmware by sending you a Zbatch application and 7.4.0.20 firmware which I believe is the latest before changing protocols.

  Are you sure? yes | no

kuetem wrote 09/27/2016 at 20:57 point

I use Zviewer software from Zmodo to view my webcam live (bypass the cloud).

Port 9000 is for mobile. I'm new to hackaday I don't know how to add pictures, I'm at work, I'll check back later.

  Are you sure? yes | no

Jeremy Jay wrote 09/13/2016 at 20:31 point

I recently bought a pair of Zmodo cameras too. ZP-IBI15-W so fairly different from what you all have. I have a serial line on one of the cameras and dumped the whole filesystem, so I've been working through it trying to figure it all out. Telnet is open but there's a root password (I haven't been able to crack it yet even with the hash from /etc/passwd ).

Has anyone been able to find the location for firmware downloads? I've found files.zmodo.com but it doesn't seem to have anything for my model. I haven't been able to snoop the update checks yet. (FYI, most of the firmwares found on that site are just JFFS2 images... )

For a warm-up, I started reversing the 'message' program since it's pretty small. The strings in it are easy to see, but from the code it's using SysV IPC messages to restart the network. It looks like the messages are probably sent from App3518 (as expected).

  Are you sure? yes | no

Jeremy Jay wrote 09/16/2016 at 02:20 point

sweet! I found the password for telnet: if anyone else is wondering it's "zmodo19820816"

  Are you sure? yes | no

ril3y wrote 09/18/2016 at 15:45 point

The App3518 is the process that is feeding the watchdog timer /dev/watchdog if you kill it it will reboot in about 1 min.  However if you write a bash script that echo "1" to /dev/watchdog every few seconds your camera will not reboot if you kill App3518.  Grats on the  password.

  Are you sure? yes | no

kuetem wrote 09/27/2016 at 20:54 point

Thank you! password works! 

  Are you sure? yes | no

philcolbourn wrote 04/29/2016 at 12:16 point

ZH-IZV15-WAC

00 91 command seems to report camera routing table

00000000  55 55 aa aa fc cc 00 00  00 00 00 91 00 00 00 00
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

*
00000030  00 00 00 00 00 00 00 00  00 00 00 00 GATEWAY--IP
00000040  00 00 00 00 CAMERA---IP  NETWORKMASK GATEWAY--IP 
00000050  CAMERA--MAC--ADDR 01 00  00 00 00 00 00 00 00 00 
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
*
00000210  00 00 00 00 00 00 00 00  00 00 00 00 19 00 00 00
00000220  01 00 00 00 01 01 CAMERA----IP NETWORKMASK GATEW 
00000230  AY-IP CAMERA--MAC--ADDR  GATEWAY--IP 00 00 00 00 
00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

  Are you sure? yes | no

philcolbourn wrote 04/27/2016 at 15:21 point

ZH-IZV15-WAC

Discovered by accident that I can change its MAC address. After which it seems to restart and obtain a new IP address.

009c to set MAC

019c to read MAC

I tried to change MAC address to 'Coffee'

echo -ne '\x55\x55\xaa\xaa\x06\x00\x00\x00\x00\x00\x00\x9cCoffee' | netcat -w 5 10.1.0.96 8000 | hexdump -C

00000000  55 55 aa aa 04 00 00 00  00 00 00 9c 00 00 00 00  |UU..............|
00000010

<camera reset - lookup new IP address - now 10.1.0.97>

echo -ne '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x01\x9c' | netcat -w 5 10.1.0.97 8000 | hexdump -C
00000000  55 55 aa aa 06 00 00 00  00 00 01 9c 44 6f 66 66  |UU..........Doff|
00000010  65 65                                             |ee|
00000012

So, I got Doffee, not Coffee - it seems to add 1 to first byte of MAC address

  Are you sure? yes | no

fleshinachair wrote 04/26/2016 at 21:35 point

Well done for setting up this project. I found this page randomly as I own 2 zmodo cameras (indoor and outdoor model) but theyve decided that they can not or will not support email alerts anymore - I think maybe cos they want to upsell the cloud features instead. If anyone has a way of fixing this I'd be most interested as would a large number of people on their forums. I'm not a programmer but will follow this avidly! 

http://community.zmodo.com/t/email-alerts-suddenly-stopped/2018/129

  Are you sure? yes | no

Hajo wrote 04/15/2016 at 10:19 point

Some more details:
(might be interesting sometime? - maybe not)

I put a complete directory/file listing into dropbox:
# ls / -l -R
https://www.dropbox.com/s/ti1kvy2ljafthtg/directory.txt?dl=0


# df

Filesystem           1K-blocks      Used   Available  Use%     Mounted on    Access
/dev/root                    7040      7040                0  100%     /                        read only
devtmpfs                  15968             4        15964   0%        /dev                  read/write
tmpfs                        16032           36        15996   0%        /tmp                  read/write
/dev/mtdblock3       10752       6872         3880  64%       /app                  read/write
/dev/mtdblock1            768         216           552  28%        /config              read/write
tmfs                          16032            0        16032   0%         /system             read/write

# lsusb
Bus 001 Device 001: ID 1d6b:0002     -> Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001     -> Linux Foundation 1.1 root hub
Bus 001 Device 002: ID 0bda:8179    - > Realtek Semiconductor Corp. RTL8188EUS 802.11n Wireless Network Adapter

  Are you sure? yes | no

Hajo wrote 04/06/2016 at 21:05 point

Hi all,

I own a Zmodo ZH-IXY1D as well.
It runs Stock Firmware 7.4.0.16
Model: ZM-SH75D001-WA (shown in Device Parameters)
Hardware Version: 799990304

Some more details from WebUI:

Whether to support the intercom: YES
Whether to support local Storage: NO
Whether to support Onvif: NO
Whether to support PT: NO
Whether to support Zoom: NO
Whether to support Wifi: YES


Telnet with root access works (root/no password).

___________________________________________

# cat /proc/cpuinfo
Processor       : ARM926EJ-S rev 5 (v5l)
BogoMIPS        : 218.72
Features        : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant     : 0x0
CPU part        : 0x926
CPU revision    : 5

Hardware        : hi3518

____________________________________________

# uname -mrs
Linux 3.0.8 armv5tejl

____________________________________________

# cat /proc/version
Linux version 3.0.8 (harvey@localhost.localdomain) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #2 Thu Apr 16 10:08:52 CST 2015

____________________________________________

# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,size=15968k,nr_inodes=3992,mode=755)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
tmpfs on /tmp type tmpfs (rw,relatime)
/dev/mtdblock3 on /app type jffs2 (rw,relatime)
/dev/mtdblock1 on /config type jffs2 (rw,relatime)
tmfs on /system type tmpfs (rw,relatime)

______________________________________________

The Hardware is not too bad, so I want to setup a cross-compiler to bring some software on that CAM.

http://events.linuxfoundation.org/sites/events/files/slides/Shuah_Khan_cross_compile_linux.pdf

Goals:

1a. ) Create local snapshot on camera and move it to a ftp server (automatic)

1b.) JPEG/MJPEG Streaming via port 80 (local folder -> /app/dvr)

2a.) The Cam should initate the rtsp-stream (FFMPEG/H264) on its own.

2b.) The stream should stop for ~1 Second after eg. 5 Minutes, and restart automaitcally, to have constant stream for NVR

Additional input welcome!

BR
Hajo

  Are you sure? yes | no

Neil Cherry wrote 05/11/2016 at 03:19 point

Thanks for the pdf. I'm not ready to setup the cross-compiler yet but I hope to later this summer. Still very busy with other HA projects. Glad to see others still playing. :-)

I've been using the same perl code to pull images (not streams) from other cameras (Amcrest and Foscam).

  Are you sure? yes | no

ril3y wrote 08/25/2016 at 22:01 point

Agree with @Neil Cherry I am planning on picking this back up.  I found the SDK to build the image.  I have not had time to play with it.  Now that winter is coming... I plan on getting these things working to my network not the cloud!

  Are you sure? yes | no

les.v2 wrote 03/03/2016 at 17:20 point

Hi All,

Just to inform you that I found how to get HD or SD stream.

I reuse things already find by the team ;-) that's why you will recognize your commands ;-)

1) The command to do screenshot "HD"  (tested on raspberry pi 2): PNG image data, 1280 x 720, 8-bit/color RGB, non-interlaced :

time ( echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50' | netcat -w 2 192.168.0.38 8000 | avconv -i pipe:0 -q:v 1 -vframes 1 HD.png &>/dev/null )

Time of capture on my local network : 1.163s

and the command to check generation and format: 

 file HD.png

2) The command to do screenshot "SD"  (tested on raspberry pi 2) : PNG image data, 320 x 240, 8-bit/color RGB, non-interlaced

time ( echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x02\x90' | netcat -w 2 192.168.0.38 8000 | avconv -i pipe:0 -q:v 1 -vframes 1 SD.png &>/dev/null )

Time of capture on my local network: 0.343s

and the command to check generation and format: 

 file SD.png

Let me continue, my goal is to find a way to get a stream or a snapshot to have the video in a domotic software as jeedom / domoticz / etc... ;-).

Enjoy,

  Are you sure? yes | no

nykr95 wrote 02/10/2016 at 21:58 point

alixjg:

That actually worked - for port 9000 - but I am actually getting the low res stream.  I selected that model # in Blue Iris.  Now if I can just get the HD stream - I'm good.

Steve

  Are you sure? yes | no

alixjg wrote 02/13/2016 at 14:01 point

Yeah, sorry I forgot to mention that.  I can't figure out how to get the HD stream or audio.  I came across this the other day when meshare wasn't working for my wife and I.

  Are you sure? yes | no

nykr95 wrote 02/21/2016 at 22:58 point

I decided to sent it back to Amazon.  Too much effort when I can get other cameras the same price online with the same features and they have Onvif or RTSP feeds documented.

  Are you sure? yes | no

alixjg wrote 02/10/2016 at 17:36 point

Hi,

I'm not sure if this is worth looking into or not, but I was able to successfully setup the app "IP Cam Viewer Pro" on my android phone.  I selected "Zmodo ZMD-ISV-BFS23NM" for make and model, entered my IP, port 8000, and the username & password I use for the web interface.  I can view the camera, but I don't think audio is working.

  Are you sure? yes | no

nykr95 wrote 02/08/2016 at 21:13 point

Hi Guys,

I also have a couple of these cameras.  Found this thread searching the net.  I have been trying to figure out if I can use Blue Iris to get the video feed.  I put in the IP address and use port 8000 but I guess I don't have the correct path to grab the feed.  If seems to authenticate but not send the stream.   If you are able to receive it using mplayer - I would think Blue Iris could work.  Any suggestions on what parameters to use?

Regards,

  Are you sure? yes | no

Neil Cherry wrote 02/05/2016 at 14:09 point

Sorry been a bit busy (and I still am). But this is interesting:
http://www.contextis.com/resources/blog/push-hack-reverse-engineering-ip-camera/
A few more things we can poke at to see if we can access things like the voice.

  Are you sure? yes | no

Andreas M. wrote 01/26/2016 at 16:24 point

Since I don't have a ZModo yet, I can not verify, whether this is of interest: https://forums.zoneminder.com/viewtopic.php?f=9&t=18137

It mentions two ZModo models.

  Are you sure? yes | no

Neil Cherry wrote 01/27/2016 at 06:33 point

I took a peak and can't tell what cameras are being mentioned. I see the DVRs but not the cameras.

  Are you sure? yes | no

Neil Cherry wrote 01/18/2016 at 00:29 point

Hmm, replies get a bit funky when you reach the limit ...

Well I though about the binary blob in the mtd (flash) so I wrote this:

for i in 0 1 2 3 0ro 1ro 2ro 3ro block0 block1 block2 block3

do 

    echo -n "$i "

    dd if=/dev/mtd${i} 2>/dev/null | uuencode -m -

    echo

done

I tossed that into an expect script that I use to login and run a set of commands when the camera is rebooted. I have that dumped to a file and I'll pull that file apart and uudecode it on my server. I suspect that the mtdXro and mtdblockX files are identical to the mtdX files but I might as well take a look. If I can figure out how to mount the mtd2 as a cromfs image I might be able to get qemu to run and possibly compile some stuff to work with. Right now I'm pretty happy with the cgi program. I hope to have the camera setup tomorrow and start playing with it on a daily basis. :-)

  Are you sure? yes | no

ril3y wrote 01/20/2016 at 20:55 point

Hey @Neil Cherry I was away for a few weeks but now am back and working on this project again.  Would you like me to add you to the project?  Also, I have been trying to figure out the interface to the camera to linux.  Lots of times its like /dev/video but I am not sure on this one.  I very much would like to ignore the App3518 all together.  It seems pretty horrible.

I am working on killing the watchdog timer now too.  

Thoughts?

  Are you sure? yes | no

Neil Cherry wrote 01/20/2016 at 23:16 point

Not a problem, I've made really good progress (okay I went a bit nuts). I have a perl cgi running at home and can grab snap shots. I've been doing a lot of poking around and found these of interest:

http://irq5.io/2015/10/30/unpacking-xiaoyi-firmware-images/
http://xiaoyi.querex.be/
http://www.isysop.com/unpacking-and-repacking-u-boot-uimage-files/
http://www.isysop.com/unpacking-and-repacking-u-boot-images-part-2/

I haven't gotten around to investigating them too much yet. At minimum I was hoping I could steal the rtsp application and drop that on the camera. I also found some info on grabbing the bus pirate and pulling the image out of flash (and also put it back, just in case). I still haven't found where they write the data to, hmm..

I think the watchdog needs to stay, but I've been able to kill the App3518 and message and restart them so I can get the correct time (see my page). I'm also fixing an error on the funlux-cap.exp script so that it works properly. I haven't worked with the cramfs and I'm still learning binwalk (worked great on my Amcrest camera).

  Are you sure? yes | no

Neil Cherry wrote 01/16/2016 at 22:49 point

So I spent some more time with the screen shot commands. Turns out the one's I listed below fail if motion occurs. I'm not sure why but I've also discovered that I've had a lot of problems using the pipe:0 option for input. I seem to get varied results at different times (phase of the moon issues?). So with that in mind the current command I'm using is:

$ get_funlux.pl -h 192.168.2.5 -t 2  > video.h264;  avconv -r 25 -y -c:v h264  -i video.h264 -c:v h264 result.mov &&  avconv -strict experimental -i result.mov -vsync 1 -r 25 -an -y -qscale 1 -vframes 1 screenshot_%03d.jpg

The Perl script: get_funlux.pl handles the echo and netcat parts below (I've had some issues with netcat). The result is a video.h264 file (junk really), result.mov (h264, not sure why I use .mov) and a screenshot_001.jpg file. The screenshot_001.jpg is the screen shot. I'm just too lazy to clean up. The get_funlux.pl can be found here (I'll post that later tonight):

http://ushomeautomation.com/Notes/Funlux/get_funlux.pl

http://ushomeautomation.com/Notes/Funlux/funlux.pl

The scripts are licensed GPLv2. The get_funlux.pl is the echo netcool replacement, the funlux.pl is the Apache CGI Perl to generate a snap shot. There will also be a funlux.exp (Expect) script for getting the camera into a given state on reboot. I'll upload that later. Don't expect my best coding, these are quick hacks but they should work.

So more info will be posted here later. :-)

  Are you sure? yes | no

chris wrote 01/17/2016 at 00:28 point

What version is the camera running? Because it very well may be causing the phase of the moon issue. I've got 2 of these both with different versions on them. The camera with v7.4.0.16 seems to be very slow to detect motion and there's no rhyme or reason to it. Sometimes it'll send me a bunch of alerts with nothing and then not detect someone walking right up to the camera. The other camera is running v7.4.0.9 and the motion detection seems a LOT more sensitive and accurate. 

The reason I mention it is because as I was watching the cameras console output it was looping the session back to the meshare servers. Basically checking to see if it was connected and getting a heartbeat of sorts. But every time motion was detected the loop was interrupted and it would send 5 or 6 still frames out to the meshare servers. and then it would resume normal operation.

  Are you sure? yes | no

Neil Cherry wrote 01/17/2016 at 16:46 point

---------read configinfo--------
UbootVersion:V7.0.0.0
KernelVersion:V7.0.0.0
RootfsVersion:V7.0.0.0
AppVersion:V7.4.0.9
DeviceName:CH-S1R-WA
HardWareVersion:799990304
SupportInfo:0000011d

I don't have the meshare connection running, I've pointed the device to a non-router so it can't find its way home. What I've seen is if I issue the command to start the video (and convert) that initially it might work. But if I do it immediately again, it fails. Then I attempt a third time with a wait of 30 seconds or so it is again happy. It might have something to do with the above HBs that are sent but I don't know.

I'd love to get my hands on an update of the firmware. Then I could rip into it at my leisure. I've found a few other links that suggest my bus pirate may accomplish what I want. :-)

Oh forgot, I've update the link so the perl script is now there (sorry about that) and I've updated the web page with more information. Of course much more to follow.

  Are you sure? yes | no

chris wrote 01/17/2016 at 22:22 point

Neil, What you are describing seems to mirror what I've seen the camera do when it detects motion. On both my cams they also stop serving video for a second or two when motion is detected. I saw it in the serial output and also watched it on the monitor. It is really buggy stuff.

I'm going to work on extracting the uncrammed firmware from both running cameras tomorrow so we can poke around under the hood.

My main two focuses on this project are to enable a usable rtsp stream so these can be used on one of the many DVR software packages. And to enable local storage. I'll try and post by firmware dumps here if I can get write access to the dropbox. Otherwise I'll have to get them out to the group some other way.

  Are you sure? yes | no

chris wrote 01/16/2016 at 01:06 point

I just grabbed 2 serial sessions off of a new camera. New as in just taken out of the box and never setup.  I'll be uploading them to either a files section or the log once I clean them up. The first one will be the initial boot showing what this buggy little app does for the initial setup and I let it log for about 5 minutes so it would show how it tries to pair with the meshare app on an android phone. Prior to pairing with the app, the camera does trigger an alert in kismet as a suspicious client probing networks but not participating.

The second capture is the pairing session with the meshare app and then the network setup that follows. I'll get these uploaded soon.

  Are you sure? yes | no

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates