Close

Initial rooting (or read that as loggin in) and poking around

A project log for Zmodo - Local Controller

Zmodo have some cool cameras! This project is about reversing protocols / bins of all things zomodo to bypass the cloud.

ril3yril3y 12/02/2015 at 19:161 Comment

There is a 3 pad test point on the other size of the main board. It is 3v3 ttl serial. tx rx gnd. Solder a few tiny wires to each pad then hook up to a ttl 3v3 usb to serial ( I use the prolific ones) and open a serial terminal (coolterm etc) 115200 8N1. I did place a dab of hot glue to hold the wires in place as to not pull the test point's pads right off of the pcb. I forgot to take a picture of it first. I have another camera on order and will post some pics when it gets in.

This will drop you to a root shell.... Heres some boot messages.. The full boot messages are in the dropbox link.

U-Boot 2010.06 (Apr 28 2015 - 09:46:30)

Check spi flash controller v350... Found
Spi(cs1) ID: 0x01 0x20 0x18 0x4D 0x01 0x80
Spi(cs1): Block:64KB Chip:16MB Name:"S25FL129P1"
MMC:   MMC FLASH INIT: No card on slot!
In:    serial
Out:   serial
Err:   serial
No mmc storage device found!
Hit any key to stop autoboot:  1 ... 0 
16384 KiB hi_sfc at 0:0 is now current device

cramfs load file : /boot/hikernel
### CRAMFS load complete: 2409600 bytes loaded to 0x82000000
## Booting kernel from Legacy Image at 82000000 ...
   Image Name:   hilinux
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2409536 Bytes = 2.3 MiB
   Load Address: 80008000
   Entry Point:  80008000
   Loading Kernel Image ... OK
OK

Starting kernel ...

There is a really annoying feature that they felt the need to leave in place. All print statements from ./App3518 program seem to spit out to the tty. And its a very chatty program. However it does give you a glimpse into some of the communications with the "MeShare" streaming video service. Observe....

Dec  2 14:02:09 <P2P>: web.cpp[471]web_report_upnp:recv:{"result":"ok","data":[],"addition":""}

Dec  2 14:02:09 <P2P>: device_operation.cpp[744]p2p_send_cover_pic:begin upload cover picture for channel[0]...

Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/picture_report

Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:tokenid:p4yL5zwYSQRL8vcCNUbx9v12bmKcQF

Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:channel:0

Dec  2 14:02:09 <P2P>: web_task.cpp[93]AddPostPicture:image_name:/tmp/cover.jpg

Dec  2 14:02:09 <P2P>: web.cpp[402]web_report_picture:recv:{"result":"ok","data":"","addition":""}

Dec  2 14:02:09 <P2P>: device_operation.cpp[942]p2p_is_timezone_set_by_meshare:timezone America/New_York, America/New_York

Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/gettimezone?tokenid=p4yL5zwYSQRL8vcCNUbx9v12bmKcQF

Dec  2 14:02:09 <P2P>: web_task.cpp[252]SetConnectTimeout:[10]

Dec  2 14:02:09 <P2P>: web.cpp[425]web_get_timezone:recv reply:{"result":"ok","offset_seconds":"-18000"}

Dec  2 14:02:09 <P2P>: web.cpp[434]web_get_timezone:get timezone:-18000

Dec  2 14:02:09 <P2P>: device_operation.cpp[905]p2p_set_timezone_offset[1170719936]

Dec  2 14:02:11 <P2P>: p2p_sip.cpp[148]keep_alive_timer_func:keep alive timeout, resend !

Dec  2 14:02:11 <P2P>: p2p_sip.cpp[120]send_keep_alive:send_keep_alive:{ "MethodName": "Option.update", "TokenId": "p4yL5zwYSQRL8vcCNUbx9v12bmKcQF", "DevId": "ZMD00ID02206860", "UserType": 2, "Interval": 90 }

Dec  2 14:02:11 <P2P>: p2p_sip.cpp[40]p2p_keep_alive_cb:reply:{ "ResultCode": 0, "ResultReason": "ok", "CmuId": 1001000000 }

The program generating all of these print statements is App3518 which I tftp'ed off of the device and posted in the dropbox link. There is also a message file which I am unclear of what it is doing.

ril3ys-MBP:Zmodo Reversing ril3y$ file message App3518 
message: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped
App3518: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped

Discussions

Dr.Query wrote 04/17/2017 at 00:22 point

Just wondering here does that cam use the HI3518 chip ? I cracked open a ZMODO camera model ZP-IDQ13 SKU ZM-SS76D001-S just a little while ago. What your saying sounds pretty close to what I'm seeing. I was gonna start a project here. But i may just need to jump in on yours.....

  Are you sure? yes | no