Zmodo - Local Controller

Zmodo make some cool cameras! This project is about reversing the protocols and binaries of all things Zmodo in order to bypass the cloud.

This camera is really cool, but it uses some "cloud app" that all video is uploaded to. I would like to create a NodeJS server for this to avoid sending all my video / audio to China :) This is just a place for me to dump files and notes. If you want to help, check out the main App3518 binary (the CPU is a Hi3518C) and help start to reverse it.

All files for this project are in the Dropbox link. The main "App" file is App3518 and it is in the Dropbox link. This file is also the local web server. It is responsible for posting video data to the MeShare website. You can download the MeShare app for iOS and Android as well if you would like to poke around in that.

What I am hoping for is for some others who want to use this camera to get involved in reversing the networking protocol. I am not 100% certain, but it might make more sense to place a different "app" that we write on the device, one that can post all the video data straight to our server code.

Amazon sells these cameras for around $38 here:

http://www.amazon.com/gp/product/B00ZZ4HX1K

Cameras known to run the same software (perhaps different hardware):

  1. Zmodo ZH-IXY1D
  2. Zmodo ZM-SH75D0001

If you know of a Zmodo camera running the same version (or contacting the same cloud servers), leave a comment and I will add it to the list. App3518 is the main binary that runs on these Zmodo* cameras; its md5 is ba5fa306d519c57124f9de96a1f007f0.

zmodoboot.txt

Out of the box boot log. This is before connecting to a wireless network.

plain - 49.00 kB - 01/16/2016 at 03:27


zmodowireless.txt

Log showing the wireless connection process during and after setup.

plain - 28.64 kB - 01/16/2016 at 03:27


  • Dumping the MTD Partitions

    ril3y, 01/21/2016 at 03:21, 5 comments

    I went ahead and dumped the files to the Dropbox for the MTD partitions.

    https://www.dropbox.com/sh/adups6kczg65138/AACquDl-FP1ZT0KB1yB-4aGia?dl=0


    # cat /proc/mtd
    dev: size erasesize name
    mtd0: 00040000 00010000 "boot"
    mtd1: 000c0000 00010000 "config"
    mtd2: 00480000 00010000 "rootfs"
    mtd3: 00a80000 00010000 "app"

    More to come....

  • Initial rooting (or read that as logging in) and poking around

    ril3y, 12/02/2015 at 19:16, 2 comments

    There is a 3-pad test point on the other side of the main board. It is 3v3 TTL serial: tx, rx, gnd. Solder a few tiny wires to each pad, then hook up to a 3v3 TTL USB-to-serial adapter (I use the Prolific ones) and open a serial terminal (CoolTerm etc.) at 115200 8N1. I did place a dab of hot glue to hold the wires in place so as not to pull the test point's pads right off of the PCB. I forgot to take a picture of it first. I have another camera on order and will post some pics when it gets in.

    This will drop you to a root shell.... Here's some boot messages.. The full boot messages are in the Dropbox link.

    U-Boot 2010.06 (Apr 28 2015 - 09:46:30)
    
    Check spi flash controller v350... Found
    Spi(cs1) ID: 0x01 0x20 0x18 0x4D 0x01 0x80
    Spi(cs1): Block:64KB Chip:16MB Name:"S25FL129P1"
    MMC:   MMC FLASH INIT: No card on slot!
    In:    serial
    Out:   serial
    Err:   serial
    No mmc storage device found!
    Hit any key to stop autoboot:  1 ... 0 
    16384 KiB hi_sfc at 0:0 is now current device
    
    cramfs load file : /boot/hikernel
    ### CRAMFS load complete: 2409600 bytes loaded to 0x82000000
    ## Booting kernel from Legacy Image at 82000000 ...
       Image Name:   hilinux
       Image Type:   ARM Linux Kernel Image (uncompressed)
       Data Size:    2409536 Bytes = 2.3 MiB
       Load Address: 80008000
       Entry Point:  80008000
       Loading Kernel Image ... OK
    OK
    
    Starting kernel ...

    There is a really annoying feature that they felt the need to leave in place. All print statements from the ./App3518 program seem to spit out to the tty. And it's a very chatty program. However, it does give you a glimpse into some of the communications with the "MeShare" streaming video service. Observe....

    Dec  2 14:02:09 <P2P>: web.cpp[471]web_report_upnp:recv:{"result":"ok","data":[],"addition":""}
    Dec  2 14:02:09 <P2P>: device_operation.cpp[744]p2p_send_cover_pic:begin upload cover picture for channel[0]...
    Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/picture_report
    Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:tokenid:p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
    Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:channel:0
    Dec  2 14:02:09 <P2P>: web_task.cpp[93]AddPostPicture:image_name:/tmp/cover.jpg
    Dec  2 14:02:09 <P2P>: web.cpp[402]web_report_picture:recv:{"result":"ok","data":"","addition":""}
    Dec  2 14:02:09 <P2P>: device_operation.cpp[942]p2p_is_timezone_set_by_meshare:timezone America/New_York, America/New_York
    Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/gettimezone?tokenid=p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
    Dec  2 14:02:09 <P2P>: web_task.cpp[252]SetConnectTimeout:[10]
    Dec  2 14:02:09 <P2P>: web.cpp[425]web_get_timezone:recv reply:{"result":"ok","offset_seconds":"-18000"}
    Dec  2 14:02:09 <P2P>: web.cpp[434]web_get_timezone:get timezone:-18000
    Dec  2 14:02:09 <P2P>: device_operation.cpp[905]p2p_set_timezone_offset[1170719936]
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[148]keep_alive_timer_func:keep alive timeout, resend !
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[120]send_keep_alive:send_keep_alive:{ "MethodName": "Option.update", "TokenId": "p4yL5zwYSQRL8vcCNUbx9v12bmKcQF", "DevId": "ZMD00ID02206860", "UserType": 2, "Interval": 90 }
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[40]p2p_keep_alive_cb:reply:{ "ResultCode": 0, "ResultReason": "ok", "CmuId": 1001000000 }

    The program generating all of these print statements is App3518, which I tftp'ed off of the device and posted in the Dropbox link. There is also a message file whose purpose I am unclear about.

    ril3ys-MBP:Zmodo Reversing ril3y$ file message App3518 
    message: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped
    App3518: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped


Discussions

Bill wrote 01/06/2016 at 04:55

I bought this camera from Frys Electronics and they list it as the Zmodo ZM-SH75D001-WA. The Packing List and label on the shrink wrap also call it the ZM-SH75D001-WA, but the carton and the camera itself only refer to the ZH-IXY1D. This confirms what chris wrote on 12/10/2015 below and the idea that these were rushed out the door.

The Zmodo site also has a Category on the KB page called FUNLUX. There are some references to this Zmodo camera (both numbers) on their "forum". The 2 different Zmodo model numbers add to the difficulty and confusion when searching for info on it.

I can confirm that a generic cell phone charging battery and cable will power the camera with no modifications.

I am not a programmer and can't add much technical help here, but I do want to mention that I can record a live stream from my unit directly to my QNAP NAS. I do it from the IE web GUI by right clicking on the live image and select Record. It records in a proprietary .264 file extension format that can't be played in VLC, MPC, DVDFab Media Player 2 or any other player I have tried. A Russian site I looked at hinted that the Zviewer application from Zmodo can play them, but I have not been able to do that. MediaInfo can read the data and a sample recording looks like this:

Format                                   : AVC
Format/Info                              : Advanced Video Codec
File size                                : 28.7 MiB

Video
Format                                   : AVC
Format/Info                              : Advanced Video Codec
Format profile                           : Baseline@L3.1
Format settings, CABAC                   : No
Format settings, ReFrames                : 1 frame
Format settings, GOP                     : M=1, N=100
Width                                    : 1 280 pixels
Height                                   : 720 pixels
Display aspect ratio                     : 16:9
Color space                              : YUV
Chroma subsampling                       : 4:2:0
Bit depth                                : 8 bits
Scan type                                : Progressive

Note that there is no info on duration or Bit Rate, etc.

A readable BMP image CAN be saved in the same manner, just choose Capture instead of Record. The image I saved is 1280x720 and is 2.60 MB in size.

I have very little knowledge of Linux, but I do have a Raspberry Pi and am willing to help out testing with it or Windows if needed.

Hope this info is of use to a few of you.

Neil Cherry wrote 01/09/2016 at 00:07

Hi Bill, sounds like you have the same camera. The CH-S1A-WA or ZH-IXY1D or ZM-SH75D001 seem to be based on the same hardware. The proprietary file format is not unusual; they seem to think it makes their product better (really???). But that's the Windows software and not the camera. The camera streams h264 video. I'm not an expert on video.

I would expect that the Raspberry Pi can run the commands I have used below. I haven't gotten any further on these cameras yet ( my friend gave me yet another, different camera, with PTZ that I've been hacking :-) ). So far I can get that one to give me video and I can start/stop the PTZ controls. That needs a bit more work. :-)

Neil Cherry wrote 01/04/2016 at 21:28

I've put all my notes up on my web site (I'll continue to post here also). I thought it would be nice to have the information sorted and tidied up a bit.

http://ushomeautomation.com/Notes/Funlux/index.html

Also I found some information that suggests that the audio might be: g711a (64Kbps), A-Law (64Kbps), or g726 (16Kbps). One can hope :-) I've got a trace with audio being sent from the PC browser and receiving. 

Neil Cherry wrote 01/03/2016 at 17:32

Single snapshot:

$ echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50' | netcat -w 2 192.168.24.130 8000 | avconv -i pipe:0 -q:v 1 -vframes 1 screenshot-%03d.png

Neil Cherry wrote 01/02/2016 at 03:54

Hehe! Success! I can now see the video stream in mplayer. Not sure how I'll get that into stills or into the browser but I can at least now make use of the camera. :-)

$echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50' |netcat -w 600 192.168.2.5 8000 | mplayer -fps 24.976 -demuxer h264es -

(sorry, fixed that now)

gastonoso wrote 01/04/2016 at 19:44

Hi Neil. Congratulations on your progress! Would you mind explaining a little bit the script that you used? Thank you. Regards.

Neil Cherry wrote 01/04/2016 at 20:56

Yes, that is a bit of magic. This is quick and dirty programming via the bash command line on my Linux server. :-) I'll later write a program to do this, but it will be much more complex and a lot faster. I try to use the command line when I need to toss together a proof of concept (and I stole parts of the commands from @Peter Jerde below, but I upvoted him too).

Short answer:

The echo command sends the magic string into the stdin of netcat, netcat sends it to the camera, the camera begins to stream the video and mplayer displays it on the console of the Linux computer.

Long answer:

The magic string ( '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50') is what tells the camera to start sending video. There are other magic strings also and I haven't figured them all out yet. The \x55 means translate that to the byte 0x55 in hex. That's a 12 byte string.

The camera is on IP 192.168.2.5 and listening on port 8000 for a command (that string above).

Netcat (or nc on some systems) sort of opens a 2 way pipe between the command line and the camera. It hides the network magic (watch with wireshark to see the magic). The -w 600 tells netcat to keep the connection open for 600 seconds (10 minutes). 

The mplayer will play the video. You need to be running X under Linux or Mac.

The fps is the frames per second (25 should work, I was messing around). I'm not sure what the ' -demuxer h264es - ' options mean exactly yet (other than treat the input as h264).

I'm not sure what to do on Windows.

If you wanted to save the video to a file you can use this command:

$ echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50' |netcat -w 600 192.168.2.5 8000 > video.h264

That should give you 10 minutes of video from the camera. Then you can use other tools to play the video. I plan on getting the video and images into a browser at some point.

Neil Cherry wrote 12/31/2015 at 23:34

I also have a similar camera, the CH-S1R-WA (Funlux mini wireless). I'm able to telnet into the device (as per above) and the md5 is:

# md5sum App3518
3497597d45ee5fd79825db92db1d6564  App3518

I've also found:

http://IPADDRESS/ with admin/111111 as ID and password.

I downloaded the cab file, which results in a bunch of binaries, and I think it's Python source (odd but nice). I see that the device is listening on TCP ports 23, 80, 8000 and 9000 and using UDP ports 5844, 39770 and 8080.

I now also have a sniffer trace of the IE (cab) to camera communication. It's on port 8000 and it appears to be v7409. Unfortunately I'm not sure what to make of the stream yet.

More useful info:

$ (echo -e '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x91') | netcat -w 600 192.168.2.5 8000 > video.h264

Gives me this:

$ ls -l video.h264
-rw-r--r-- 1 njc njc 52488 Jan  1 18:09 video.h264
$ file video.h264
video.h264: VISX image file

Well that was interesting, not sure what kind of file it really is but contained inside was my wifi information, in plain text (grrr).

alixjg wrote 12/22/2015 at 12:04

I recently purchased and set up a Funlux CH-S1R-WA, but I noticed after I took it out of the box that the back of it says ZH-IXY1D. It uses meShare as well and appears to be the same camera, just different housing. http://www.funlux.com/funlux-ip-network-cameras/indoor-ip-camera/720p-hd-wifi-wireless-network-ip-camera-with-audio.html I'm currently using this camera just as a baby monitor, but I'd really like to set it up with something like iSpy in the future. I'm not of much help here, but I'd really like to see something become of this!

chris wrote 12/19/2015 at 19:22

Mark Alex wrote 12/17/2015 at 10:32

I have also had a Zmodo ZH-IXY1D for a few days now, and I'm trying to use it with the Synology Surveillance Station (a DVR package for the NAS). So far I have also captured the network traffic from the ZViewer. The application sends two commands via TCP to port 8000:

First: 55 55 aa aa 00 00 00 00 00 00 02 90

This is slightly different than the one from Peter.

Second: 55:55:aa:aa:20:00:00:00:00:00:00:9a:61:64:6d:69:6e:00:00:00:00:00:00:00:00:00:00:00:31:31:31:31:31:31:00:00:00:00:00:00:00:00:00:00

This includes the default login / password: admin / 111111

Audio to and from devices seems to be via TCP port 9000.

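An added example, written for this page and not code from Mark Alex or the project, that decodes the three frames quoted in the comments (Peter's stream command, and Mark Alex's two ZViewer commands) into fields. The layout it uses is an assumption that all three captures are consistent with but that nobody on the page has confirmed: 4-byte magic 55 55 aa aa, a 4-byte little-endian payload length (0x20 = 32 in the login frame, 0 in the 12-byte commands), a 4-byte command word, then the payload; and, for the login frame, two 16-byte NUL-padded fields holding user and password. Round-tripping the login frame through the parser and builder is what checks that assumption against the capture. The point worth taking from it: the credentials sit in the clear in fixed-width fields on TCP 8000, so whatever can see LAN traffic to the camera sees the password.

```python
import struct

MAGIC = b"\x55\x55\xaa\xaa"

# Frames quoted in the comments (hex exactly as posted; separators vary by poster).
STREAM_START_HEX = "55 55 AA AA 00 00 00 00 00 00 00 50"        # Peter Jerde / Neil Cherry
ZVIEWER_FIRST_HEX = "55 55 aa aa 00 00 00 00 00 00 02 90"       # Mark Alex, first command
ZVIEWER_LOGIN_HEX = (                                           # Mark Alex, second command
    "55:55:aa:aa:20:00:00:00:00:00:00:9a:"
    "61:64:6d:69:6e:00:00:00:00:00:00:00:00:00:00:00:"
    "31:31:31:31:31:31:00:00:00:00:00:00:00:00:00:00"
)


def hex_to_bytes(text):
    """Accept both the 'aa bb' and the 'aa:bb' spellings used in the comments."""
    return bytes.fromhex(text.replace(":", "").replace(" ", ""))


def parse_frame(buf):
    """Split one frame into the fields this example ASSUMES (not confirmed on the page):
    magic(4) | payload length, little-endian uint32 (4) | command word (4) | payload.
    Raises on a bad magic or a payload shorter than the declared length."""
    if len(buf) < 12 or buf[:4] != MAGIC:
        raise ValueError("not a 55 55 aa aa frame")
    length = struct.unpack_from("<I", buf, 4)[0]
    command = buf[8:12].hex()
    payload = buf[12:12 + length]
    if len(payload) != length:
        raise ValueError("declared %d payload bytes, got %d" % (length, len(payload)))
    return {"length": length, "command": command, "payload": payload,
            "trailing": buf[12 + length:]}


def build_frame(command, payload=b""):
    """Inverse of parse_frame under the same assumed layout."""
    if len(command) != 4:
        raise ValueError("command word must be 4 bytes")
    return MAGIC + struct.pack("<I", len(payload)) + command + payload


def login_fields(payload):
    """ASSUMED login payload layout: two 16-byte NUL-padded ASCII fields, user then password."""
    if len(payload) != 32:
        raise ValueError("login payload should be 32 bytes")
    user = payload[:16].rstrip(b"\x00").decode("ascii")
    password = payload[16:].rstrip(b"\x00").decode("ascii")
    return user, password


def build_login(user, password):
    """Build the login frame from fields; longer than 15 characters would not fit the padding."""
    if len(user) > 15 or len(password) > 15:
        raise ValueError("field too long for a 16-byte NUL-padded slot")
    payload = (user.encode("ascii").ljust(16, b"\x00")
               + password.encode("ascii").ljust(16, b"\x00"))
    return build_frame(b"\x00\x00\x00\x9a", payload)


if __name__ == "__main__":
    for name, hx in [("stream start", STREAM_START_HEX),
                     ("zviewer first", ZVIEWER_FIRST_HEX),
                     ("zviewer login", ZVIEWER_LOGIN_HEX)]:
        frame = parse_frame(hex_to_bytes(hx))
        print(name, "len", frame["length"], "cmd", frame["command"], "payload", frame["payload"])
    # Round trip against the capture: the default credentials from the comments appear
    # verbatim in the frame, which is the thing to be aware of when the camera shares a LAN.
    assert build_login("admin", "111111") == hex_to_bytes(ZVIEWER_LOGIN_HEX)
```

If the length-field reading is right, a frame whose fifth byte is non-zero should always be followed by exactly that many payload bytes; running parse_frame over further captures is the quickest way to confirm or refute it.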

Neil Cherry wrote 01/01/2016 at 18:52

I think that port 9000 is for mobile devices. The settings under the cab file report web on 80, video on 8000 and mobile video on 9000. I don't know what the difference between 8000 and 9000 is yet.

Also my unit kind of works with: 55 55 aa aa 00 00 00 00 00 00 00 98 and my unit seems a bit different from everyone elses.

chris wrote 12/10/2015 at 20:25

Best I can tell the ZH-IXY1D is the same device as the ZM-SH75D001-WA. The latter is the model number on the box and what the device reports on the version tab of the embedded app. These things just sort of appeared out of nowhere and my local store was flooded with them for the holidays. Current firmware being advertised through the meshare app is v7.4.0.16

I bought a bunch of these hoping that I could use them with my DVR software, but they have the RTSP and ONVIF features disabled. I'm not a huge fan of them constantly streaming video and audio out to China 24/7. So, we should hack the crap out of this and make it do our bidding.

A couple things I noticed. The FCC number on the label on the rear of the camera mount is for a completely different product. It is for one of their wired cameras in a bullet type enclosure. I grabbed some hardware info from the filing for that product and the hardware inside really doesn't match. But, from poking around through telnet it looks like these cameras may be rushed out the door clones with stripped down firmware. I'm going to do a little more digging on the hardware this week and see if I can find another model that has the same boards inside. It may be easier to find and modify the running system on what this camera was based on than to reverse the stripped down firmware in this one.

ril3y wrote 12/11/2015 at 03:11

Chris, thanks for the comment! BTW, @KitBag started reversing the "MeShare" to China networking communications. I have another friend that took a stab at the MeShare app (like perhaps an hour?). It's pretty horrible! The MeShare app should be avoided. Its first order of business is to post your data "encrypted" (aka base64, doh!) to some Chinese URL! I will let @KitBag comment more, but it looks like he's got the image data parsed and "un-encrypted" (de-base64'ed).

Very interesting work on the FCC IDs. I did not think about that one. Also check out the Dropbox folder; it has all the data in there, including some files taken from the MeShare app (resources) that list a bunch of models that work with the MeShare app as well as their "update URLs", which when visited shoot back some obfuscated data (7 MB worth) as a firmware update. I am not sure if this is for the camera or the Android app yet.

If you want to join the project let me know.

chris wrote 12/12/2015 at 23:44

While tearing one of these down and running part numbers of components, I noticed that there is a sister company called Funlux which has a comparable camera with model number CH-S1R-WA. If I can locate one of these I'll see if it is just a repackaged clone of the hardware in these cameras. I'm also going to look into some other method of setting these cameras up to avoid the meshare app just to configure the wireless network. There is also an odd behavior that happens with the motion detection captures, aside from the OCX and the Zsight PC apps not having the ability to record on motion detection even though you can configure them both for it. The meshare app will show 5 screen grabs plus a thumbnail. But it does not have the date and time overlay on the image if you have it on; the camera name overlay shows just fine. Also, the default motion detect only seems to send to the meshare site about half the time.

les.v2 wrote 12/09/2015 at 20:34

Just to inform you, I also succeeded in downloading the file using Netcat; sorry for my simple question ;-)

ril3y wrote 12/11/2015 at 03:05

Sorry @les.v2, I missed your comments. Anyhow, good deal that you were able to get the files out. I used tftp btw: I set up a tftp server on my Linux box and then transferred the files out that I wanted. Good job getting in! What username/pass are you using for telnet? I have not poked at it; I just used the USART port on the board itself.

les.v2 wrote 12/19/2015 at 07:42

hi,

Telnet login: root

Telnet password: (empty)

To see file and access command line: just do a "cd /"

Enjoy ;-)

log:

(none) login: root
Password:
Welcome to HiLinux.
None of nfsroot found in cmdline.
# ls
# cd /
# ls
app            etc            lost+found     opt            system
bin            hdd00          mkimg.rootfs   proc           tmp
boot           home           mknod_console  root           tool
config         init           mnt            sbin           usr
data           lib            mount.sh       share
dev            linuxrc        nfsroot        sys
#

les.v2 wrote 12/09/2015 at 18:44

Device Version that I have: V7.8.0.14

les.v2 wrote 12/09/2015 at 18:43

But still a question for me, how I can download it on my computer ?

Neil Cherry wrote 01/04/2016 at 13:31

on the camera you can use:

ftpput -u USERNAME -p PASSWORD ftp_server_ip local_filename remote_filename

If you have a Linux ftp server you'll need to make sure it's enabled. On Windows you'll need an ftp server.

les.v2 wrote 12/09/2015 at 18:42

Oops, I found it ;-) but I don't have the same one, certainly because I updated the version recently.

# md5sum App3518

17e8ddbcb18de29079c2a60f440a555b  App3518

les.v2 wrote 12/09/2015 at 18:38

Hi all, I have one also (ZH-IXY1D); I could help you ;-) For the moment, I just access the camera via telnet, but I have a beginner's question (maybe :-): how do you calculate the md5? Did you download the App3518 file, and how? Thanks in advance.

Peter Jerde wrote 12/08/2015 at 19:34

Here's the picture of the ZH-IXY1D inside and out:

http://imgur.com/a/F1TGQ

ril3y wrote 12/08/2015 at 21:40

Looks exactly the same.

Peter Jerde wrote 12/05/2015 at 21:35

So http://surveillance.zmodo.com/support-software has "zviewer for pc" which works to connect to and reconfigure the camera settings, including frames per second and bitrate etc.

I sniffed the traffic between zviewer and the camera, and discovered requesting the H264 video stream is pretty simple:

Just open a TCP connection to port 8000 on the camera and send these bytes: 55 55 AA AA 00 00 00 00 00 00 00 50

As long as you leave the connection open, the camera will just keep sending you a raw h264 bytestream which mplayer is able to play, and which  you can  manipulate with ffmpeg or whatever.

I was able to capture a stream for ten minutes with this:

(cat getstream; sleep 600) | nc CAMERA_IP 8000 > video.h264

where "getstream" is a binary file with those 12 bytes in it.

I'm going to keep sniffing around to see how to get audio, too.

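An added example, written for this page rather than taken from Peter's or Neil's posts, that does in Python what the `cat getstream | nc` and `echo | netcat` pipelines in this thread do, and then checks that what came back is actually an Annex B H.264 byte stream before it is treated as video. That check matters because, as Neil's 0x91 experiment above shows, the camera answers some commands on the same port with something that is not video at all (and `file` misidentified it). The camera address placeholder `CAMERA_IP`, the 10-second default, the bounded recv loop and the NAL-unit splitter are this example's own assumptions; the 12-byte command and port 8000 come from the comments. The sample stream at the bottom is constructed, not real camera output.

```python
import socket
import time

# 12-byte "start stream" command captured by Peter Jerde and used in Neil Cherry's pipelines.
START_STREAM = bytes.fromhex("5555aaaa0000000000000050")
CAMERA_PORT = 8000


def nal_units(data):
    """Split an Annex B H.264 byte stream on its 00 00 01 / 00 00 00 01 start codes.

    Returns a list of (nal_type, length) tuples, one per NAL unit. The NAL type is the
    low five bits of the first byte after the start code (7 = SPS, 8 = PPS,
    5 = IDR slice, 1 = non-IDR slice). Anything before the first start code is ignored.
    """
    units = []
    i = data.find(b"\x00\x00\x01")
    while i != -1:
        start = i + 3
        nxt = data.find(b"\x00\x00\x01", start)
        end = len(data) if nxt == -1 else nxt
        # A 4-byte start code (00 00 00 01) leaves its leading zero byte at the tail
        # of the previous unit; drop it so the unit length is right.
        if nxt != -1 and end > start and data[end - 1] == 0:
            end -= 1
        if end > start:
            units.append((data[start] & 0x1F, end - start))
        i = nxt
    return units


def looks_like_h264(data):
    """A raw camera stream should open with an SPS (type 7) followed by a PPS (type 8).
    Anything else (for example the blob Neil got back from command 0x91) is not video
    and should not be handed to a decoder or stored as such."""
    types = [t for t, _ in nal_units(data)]
    return len(types) >= 2 and types[0] == 7 and types[1] == 8


def capture_stream(host, seconds=10, out_path="video.h264", port=CAMERA_PORT, timeout=5.0):
    """Connect to the camera, send START_STREAM, and save whatever arrives for `seconds`
    seconds. Returns (bytes_written, whether the first 64 KiB looked like H.264).
    The socket timeout bounds the wait so a silent camera cannot hang the caller."""
    deadline = time.monotonic() + seconds
    total, head = 0, b""
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            open(out_path, "wb") as out:
        sock.sendall(START_STREAM)
        while time.monotonic() < deadline:
            try:
                chunk = sock.recv(65536)
            except socket.timeout:
                break            # camera went quiet; stop rather than wait forever
            if not chunk:
                break            # camera closed the connection
            if len(head) < 65536:
                head += chunk
            out.write(chunk)
            total += len(chunk)
    return total, looks_like_h264(head)


# Constructed sample (not camera output): SPS, PPS, an IDR slice and a non-IDR slice
# with dummy 4-byte bodies, using both 4-byte and 3-byte start codes.
SAMPLE_STREAM = bytes.fromhex(
    "00000001" "6742000a"
    "00000001" "68ce3880"
    "000001"   "6588840f"
    "000001"   "419a0012"
)

if __name__ == "__main__":
    print(nal_units(SAMPLE_STREAM))      # [(7, 4), (8, 4), (5, 4), (1, 4)]
    # total, ok = capture_stream("CAMERA_IP")   # CAMERA_IP: placeholder for the camera's LAN address
```

Pointing `capture_stream` at a camera on the LAN and then feeding `video.h264` to `nal_units` also gives a cheap sanity check of the keyframe interval: with the GOP Bill's MediaInfo output reports (N=100), a type-5 unit should show up roughly every hundred slices.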

ril3y wrote 12/05/2015 at 21:17

Well, it really depends. It looks like it's a pretty capable ARM board. I think the camera streams RTSP video out of one of the ports it's listening on. I literally took about 20 minutes on this to see what I could do. I am working on another project but got stuck and had to do something else to take my mind off of it. :) I plan on taking some more time and interest in this in a few weeks. I tossed it into IDA Pro and it's pretty clean. Clear-text passwords... No obfuscation, no real anti-debugging stuff... So it looks pretty doable.

Peter Jerde wrote 12/05/2015 at 19:36

I have a new Zmodo ZH-IXY1D that appears to be the same product by a different name. The App3518 executable is the same (md5 ba5fa306d519c57124f9de96a1f007f0)

How doable is it to reverse engineer an executable and compile our own? I was sad that there didn't seem to be any tools present on the device to "grab one jpeg image" and the like.

It's really slick how seamlessly these work with their app, getting through nat and such, but man it's creepy to have some faceless foreign company running a security camera with audio for me. I hope we can succeed in taking these cute cheap devices over for our PRIVATE use!

ril3y wrote 12/06/2015 at 23:30

Nice, Peter. I changed the description a bit to be more Zmodo* vs. just the specific model I have. Can you take some internal pics of the hardware and verify it's the same?
