Close
0%
0%

Zmodo - Local Controller

Zmodo have some cool cameras! This project is about reversing protocols / bins of all things zomodo to bypass the cloud.

Similar projects worth following
This camera is really cool but is uses some "cloud app" for all video to be uploaded to. I would like to create a NodeJS server for this to bypass sending all my video / audio to China :) This is just a place for me to dump files and notes. If you want to help check out the main App3518 (which is the cpu Hi3518C) binary and help start to reverse it.

All files for this project are in the dropbox link. The main "App" file is App3518 and it is in the Dropbox link. This file is also the local webserver. It is responsible to posting video data to the MeShare website. You can downlod the MeShare app for IOS and Android as well if you would like to poke around in that.

What I am hoping for is some others that want to use this camera to get involved in the reversing of the networking protocol. I am not 100% certain.. But it might make more sense to place a different "app" on the device that we write and can post all the video data straight to our server code.

Amazon sells these cameras for around $38 here:

http://www.amazon.com/gp/product/B00ZZ4HX1K

Cameras known to run the same software (perhaps different hardware)

  1. Zmodo ZH-IXY1D
  2. Zmodo ZM-SH75D0001

If you know of a Zmodo camera running the same version (or contacting the same cloud servers) leave a comment and I will add them to the list. The App3518 has the shasum of ba5fa306d519c57124f9de96a1f007f0. App3518 is the main binary that runs on these Zmodo* cameras.

zmodoboot.txt

Out of the box boot log. This is before connecting to a wireless network.

plain - 49.00 kB - 01/16/2016 at 03:27

Download

zmodowireless.txt

Log showing the wireless connection process during and after setup.

plain - 28.64 kB - 01/16/2016 at 03:27

Download

  • Dumping the MTD Partitions

    ril3y01/21/2016 at 03:21 5 comments

    I went ahead and dumped the files to the Dropbox for the MTD partitions.

    https://www.dropbox.com/sh/adups6kczg65138/AACquDl-FP1ZT0KB1yB-4aGia?dl=0


    # cat /proc/mtd
    dev: size erasesize name
    mtd0: 00040000 00010000 "boot"
    mtd1: 000c0000 00010000 "config"
    mtd2: 00480000 00010000 "rootfs"
    mtd3: 00a80000 00010000 "app"

    More to come....

  • Initial rooting (or read that as loggin in) and poking around

    ril3y12/02/2015 at 19:16 2 comments

    There is a 3 pad test point on the other size of the main board. It is 3v3 ttl serial. tx rx gnd. Solder a few tiny wires to each pad then hook up to a ttl 3v3 usb to serial ( I use the prolific ones) and open a serial terminal (coolterm etc) 115200 8N1. I did place a dab of hot glue to hold the wires in place as to not pull the test point's pads right off of the pcb. I forgot to take a picture of it first. I have another camera on order and will post some pics when it gets in.

    This will drop you to a root shell.... Heres some boot messages.. The full boot messages are in the dropbox link.

    U-Boot 2010.06 (Apr 28 2015 - 09:46:30)
    
    Check spi flash controller v350... Found
    Spi(cs1) ID: 0x01 0x20 0x18 0x4D 0x01 0x80
    Spi(cs1): Block:64KB Chip:16MB Name:"S25FL129P1"
    MMC:   MMC FLASH INIT: No card on slot!
    In:    serial
    Out:   serial
    Err:   serial
    No mmc storage device found!
    Hit any key to stop autoboot:  1 ... 0 
    16384 KiB hi_sfc at 0:0 is now current device
    
    cramfs load file : /boot/hikernel
    ### CRAMFS load complete: 2409600 bytes loaded to 0x82000000
    ## Booting kernel from Legacy Image at 82000000 ...
       Image Name:   hilinux
       Image Type:   ARM Linux Kernel Image (uncompressed)
       Data Size:    2409536 Bytes = 2.3 MiB
       Load Address: 80008000
       Entry Point:  80008000
       Loading Kernel Image ... OK
    OK
    
    Starting kernel ...

    There is a really annoying feature that they felt the need to leave in place. All print statements from ./App3518 program seem to spit out to the tty. And its a very chatty program. However it does give you a glimpse into some of the communications with the "MeShare" streaming video service. Observe....

    Dec  2 14:02:09 <P2P>: web.cpp[471]web_report_upnp:recv:{"result":"ok","data":[],"addition":""}
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[744]p2p_send_cover_pic:begin upload cover picture for channel[0]...
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/picture_report
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:tokenid:p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[83]AddPostString:channel:0
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[93]AddPostPicture:image_name:/tmp/cover.jpg
    
    Dec  2 14:02:09 <P2P>: web.cpp[402]web_report_picture:recv:{"result":"ok","data":"","addition":""}
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[942]p2p_is_timezone_set_by_meshare:timezone America/New_York, America/New_York
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[42]SetUrl:http://192.241.59.218:80/factorydevice/gettimezone?tokenid=p4yL5zwYSQRL8vcCNUbx9v12bmKcQF
    
    Dec  2 14:02:09 <P2P>: web_task.cpp[252]SetConnectTimeout:[10]
    
    Dec  2 14:02:09 <P2P>: web.cpp[425]web_get_timezone:recv reply:{"result":"ok","offset_seconds":"-18000"}
    
    Dec  2 14:02:09 <P2P>: web.cpp[434]web_get_timezone:get timezone:-18000
    
    Dec  2 14:02:09 <P2P>: device_operation.cpp[905]p2p_set_timezone_offset[1170719936]
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[148]keep_alive_timer_func:keep alive timeout, resend !
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[120]send_keep_alive:send_keep_alive:{ "MethodName": "Option.update", "TokenId": "p4yL5zwYSQRL8vcCNUbx9v12bmKcQF", "DevId": "ZMD00ID02206860", "UserType": 2, "Interval": 90 }
    
    Dec  2 14:02:11 <P2P>: p2p_sip.cpp[40]p2p_keep_alive_cb:reply:{ "ResultCode": 0, "ResultReason": "ok", "CmuId": 1001000000 }
    
    

    The program generating all of these print statements is App3518 which I tftp'ed off of the device and posted in the dropbox link. There is also a message file which I am unclear of what it is doing.

    ril3ys-MBP:Zmodo Reversing ril3y$ file message App3518 
    message: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped
    App3518: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped

View all 2 project logs

Enjoy this project?

Share

Discussions

Geno wrote 02/27/2024 at 03:18 point

ANYKA AK3918EV300 MCU supports both h264 and h265 IBH23 camera at current there is no support at all on OpenIPC website. Anyone have any data they can share with folks would be greatly appreciated! 

https://github.com/forlotto/ak3918ev300v18-zmodo-ibh23

Here is something.

Popped the camera open there is an RX and TX labeled on the board.

Even with all this info I'm a little dead in the water when it comes to development I haven't the faintest clue on how to setup what would be required to make this camera work via ONVIF or RTSP etc... 

But figured I'd leave the info for those with better development skills than I. 

I really wish OPENIPC and hackers would specifically target the Zmodo brand in particular.

I uncovered a few underhanded things they are doing to their customers. At the moment they are selling cameras that intentionally block the functionality of the NVR.

I've had to pay like 500bux an NVR from a guy that is a distributor he told me he could lose his ability to distribute if I post them for sale on eBay. They are trying to quietly phase out NVR's so we are collecting them from different users.

There has also been many people who have had camera updates which disabled app functionality or disabled display of video on the NVR. So they are trying to get people off of NVR's using underhanded methodologies. 

I contacted them about it they stated it wasn't going on they were just focusing solely on cloud subscription services they said the only reason why cameras will not work is not because of firmware it is because of hardware now only supports h265 and is upgraded. And that is all the NVR supports.

So I looked up the chip for the cameras it supports h264 and h265 as I suspected and the NVR SOC for 4 different variations of NVR I looked up also provide the same support. So they are now selling cameras which block the use of the NVR through firmware.

We need HACKER SUPPORT on Zmodo's rear we need OPENIPC.

https://files.zmodo.com/Software%20Files/NVR%20Tools/

There is some useful files for folks as well ;)

  Are you sure? yes | no

rka wrote 12/13/2022 at 21:33 point

How can I check which CPU does camera have? It looks like there is passive cooler on top of the CPU and is glued together?

  Are you sure? yes | no

chris wrote 09/12/2022 at 09:41 point

Raising this project from the dead.........
Has anyone looked into openipc yet? They have builds for this specific hisilicon chip, but they do caution that the networking and all the gpio stuff would need to be looked up. The build instructions to get their firmware on these little cams is centered around TFTP.......which needs the wireless to be up which doesn't happen while still in uboot. So most of their documentation isn't exact for these cams. I did manage to pull a full firmware dump off of this camera over the serial port, and verified it matched an image taken directly from the flash chip. Also managed to change uboot and got their uimage and rootfs onto the cam and running. Just sort of stuck on picking apart which gpios do what on this thing and to get the wireless working. (I've even tried pulling the wireless board off and running a usb->ethernet adapter from the USB data lines that went to the wireless adapter. (there's only 1 usb port on this soc.)
So if there's still interest in swapping the brains out on these things let me know and I'll post up my notes so far.

  Are you sure? yes | no

rka wrote 12/13/2022 at 13:37 point

Hi. I am interested in custom builds. I have few zmodo cameras and would love to get videostream locally or somewhere on local network.

  Are you sure? yes | no

Narog wrote 04/19/2021 at 10:26 point

Hey does anyone has the firmware v7.8.0.20, looks like port 8000 has the video stream encrypted now and mplayer cannot display it.

  Are you sure? yes | no

Kfir wrote 12/06/2019 at 16:44 point

any chance someone can upload or send a link to the lowest firmware?

I can’t find it anywhere and zmodo is kind of “holding me hostage” with my 

SH75D001

;)

my direct mail is: kfir@njoy.co.il

  Are you sure? yes | no

Brandon wrote 08/18/2019 at 23:09 point

I have a ZP-IBH15-S and just started trying to mess around with it. After watching it in wireshark I learned that my "magic packet" to start a stream is 0x5555aaaa000000000000a290, so decently similar to others. Past that though I can not turn the stream into anything readable. I've tried piping it straight to a file, vlc, ffmpeg, mplayer under various configs but nothing has succeeded. Still tinkering around but I see this being particularly difficult.

  Are you sure? yes | no

x0a wrote 11/17/2019 at 17:10 point

The final two bytes (\xa2\x90 in your case) are the CMD_START_VIDEO command, see the full list here: https://github.com/dulton/v200/blob/3c9dc92e4c58389acb4f3f6b93e04f0aad520e72/zmdnetlib/zmdnetlib/netuser.cpp#L263

Definitions: https://github.com/dulton/v200/blob/3c9dc92e4c58389acb4f3f6b93e04f0aad520e72/include/zmdnetlib/interfacedef.h#L246

And it appears to request a VGA stream, not sure if that changes the format or just specifies resolution, but you should try \x00\x50 instead for 720p.

At the beginning of the stream, it echoes the bytes you sent in. So trim the first 12 bytes with `tail -c + 12`. Then add a h264 magic markers (three null bytes followed by \x01) to the beginning of the stream. See: https://stackoverflow.com/questions/38094302/how-to-understand-header-of-h264

echo -ne '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50' | nc securitysystem 8000 | tail -c +12 | (echo -ne '\x00\x00\x00\x01' && cat)

Now you have a standard 720p h264 elementary stream that you can pipe directly to mplayer, or save it and use `ffmpeg -framerate 12 -i test.264 -c copy output.mp4` to encapsulate/mux the raw data in an mp4 format, no transcoding necessary since its already h264.

Play directly:

echo -ne '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x50' | nc securitysystem 8000 | tail -c +12 | (echo -ne '\x00\x00\x00\x01' && cat) |  mplayer -fps 25 -demuxer h264es -

Save 5 seconds of video and wrap in an MP4:

timeout 5 bash -c "echo -ne '\x55\x55\xaa\xaa\x00\x00\x00\x00\x00\x02\x00\x50' | nc securitysystem 8000 | tail -c +12 | (echo -ne '\x00\x00\x00\x01' && cat) >test.264" || ffmpeg -framerate 12 -i test.264 -c copy output.mp4

Note that this requires a fixed size file because it needs to be able to go back and add headers to the beginning of the file, specifying video length and what not.

  Are you sure? yes | no

Ltkenbo wrote 12/26/2019 at 18:45 point

@x0a 

I tried some of your commands and yes like others reported it does start streaming data (and I also observed this on wireshark with the Zmodo PC app). I can't however get any video to show up using your commands.

I don't think is just a plain h264 stream, it has other things as part of the TCP packets along with it such as headers specifying video timing and others. If you look at the firmware you linked in github, you can see in include/encode/BufferManage.h they have definitions for what a header for a video frame looks like.

It does seem to be encoded in h264 looking at other parts of the code, but my point was that simply just cutting off the first 12 bytes you're not left with a pure h264 stream, it's slightly more complicated than that. 

I am glad the code is there, as this will make it pretty easy to figure out. I am motivated to get this working my self as I have 3 of these identical cameras along with an outdoor version that I want to get working with my Zoneminder server. I will post more of what I find after studying the code some more.

  Are you sure? yes | no

Steve wrote 05/13/2019 at 14:49 point

I stumbled upon the firmware source code someone discreetly posted on GitHub if it helps anyone. You can tease out the ZSP (their control protocol) and you can see where they disabled things like the web interface. I am unfortunately not a Linux guy, but I would suspect it could be tweaked and built to do what everyone wants. It appears to support all varieties based on build flags. You can find it here: https://github.com/dulton/v200

  Are you sure? yes | no

sam wrote 03/24/2022 at 16:52 point

This is an excellent find!  I was able to build and flash my camera using that code, however when trying to enable ONVIF support for standard RTSP stream I found that a critical source file is missing: rtspLib.c.. 

  Are you sure? yes | no

dipling-at wrote 08/16/2023 at 19:43 point

@sam  Were you able to activate rtsp streaming? 

  Are you sure? yes | no

Alexander Ose wrote 03/15/2019 at 21:29 point

Has anyone succeeded in getting an audio stream from this device?

  Are you sure? yes | no

sarvoth wrote 02/19/2019 at 21:21 point

I just got some of these, and despite what I read here, it appears telnet is blocked on these cameras out of the box.

  Are you sure? yes | no

Jpatton98 wrote 02/12/2019 at 04:20 point

Hey all    DL-d and am using Zviewer to view all three of my cams, Viewing all three cams works great. Problems is I am having issues recording from any of the cams,  I can't record anything from any of them. I went into what little settings there is in the software but it still will not record video. Any ideas?  I have three of the zmodo mini 720 IP cams

  Are you sure? yes | no

rileyil77 wrote 11/17/2018 at 17:08 point

So, for our home security system we using iSPY Open Source Security Program.  I'm using ISPY on an Windows 7 Pro PC.  The IP for my PC with iSPY within the LAN is 192.168.1.3....  So my wife convinced me the other day to purchase the meShare Mini WiFi Camera 2 pack from Walmart.  I did.  I can't get them to connect to iSPY.  Not sure why.  So I dig around and I find that the cameras IPs on my LAN is 192.168.1.66 and 192.168.1.67 via information given to me by the router.  I also did some Google searching and found my cameras are actually Zmodo ZM – SH75D001 / ZH-IXY1D...  So my question is has anyone used these camera with iSPY successfully?  I used ZViewer which I downloaded from a link I found here on the site and changed some settings.  I would just use the ZViewer Program...  However it doesn't want to save my video storage to the local hard drive?  Am I doing something wrong with ZViewer?

  Are you sure? yes | no

Mdb90 wrote 06/07/2018 at 20:43 point

can anyone provide the old firmware again? Dropbox link doesn’t work anymore.

Thanks!

  Are you sure? yes | no

kvvincentvalentine wrote 12/28/2017 at 15:29 point

Is this project still ongoing? I got a Zmodo camera for Christmas and when I found out that I couldn't stream to RTSP or use some work around I started digging. 

  Are you sure? yes | no

blackhounter wrote 05/31/2018 at 10:09 point

I'm still trying to get a direct feed from the camera as well as redirecting it to a personal server. Currently i use the zviewer (http://surveillance.zmodo.com/media/downloader/tool/Zviewer2.0.1.6_Setup.exe) to directly access the camera feed without the need of a cloud app. Are you able to use the web interface? i have used it but suddenly it dissapeared

  Are you sure? yes | no

Mdb90 wrote 06/08/2018 at 12:57 point

that might be because the firmware version is too New.

  Are you sure? yes | no

fichow wrote 09/03/2017 at 15:05 point

I did all this per abcshare on 6/15/2017 notes said:

zbatch program used to downgrade

http://files.zmodo.com/Software Files/NVR Tools/Original NVR/ZBatch1.0.2/

(download the dll as well as the exe)

For device type ZM-SH75D0001, Hardware Version 799990304

V7.8.0.16 https://www.dropbox.com/s/p4xxbabru3zlmeu/IPC-APP.txt?dl=0

Again, need to remove .txt before loading it into the zbatch program

Run zbatch.exe>upgrade tab>type IPC>refresh to find camera on network>upgrade>IPC-APP file

But nothing happened my camera still running V8.0.1.26, does anyone know what I am doing wrong?

  Are you sure? yes | no

ZakM wrote 09/02/2017 at 04:55 point

I have a Zmodo ZH-IXY1D.   Has anyone figured out a way to use it as a LAN only camera, preferably using tinyCam android app?

  Are you sure? yes | no

abcshady wrote 06/15/2017 at 15:33 point

In case anyone is wondering, these are the settings I use for tinycam

Settings:

Zmodo ZP-NE-14S

Port: 8000

User:admin

Password:11111

  Are you sure? yes | no

abcshady wrote 06/15/2017 at 15:16 point

I have 1 older HW camera and two new. I used to use them with the android tinycam app but the recent updates stopped them working. Thanks to csirk51 I got the old one working using the IPC-APP file to downgrade it.

I contacted support and they gave me the IPC-APP file to downgrade the new camera's as well and now all three are working with tinycam again.

zbatch program used to downgrade

http://files.zmodo.com/Software Files/NVR Tools/Original NVR/ZBatch1.0.2/

(download the dll as well as the exe)

For device type ZM-SH75D0001, Hardware Version 799990304

V7.8.0.16 https://www.dropbox.com/s/p4xxbabru3zlmeu/IPC-APP.txt?dl=0

Again, need to remove .txt before loading it into the zbatch program

Run zbatch.exe>upgrade tab>type IPC>refresh to find camera on network>upgrade>IPC-APP file

  Are you sure? yes | no

csirk51 wrote 04/27/2017 at 07:44 point

I have an old HW type camera, latest firmware was V7.4.0.16 for a long time. Camera automatically upgraded to V7.4.0.20, where telnet and web access are gone, encryption is on. Asked Zmodo support to send me the old firmware, it can be uploaded to the camera with zsight pc app.

Link: https://www.dropbox.com/s/xi9zh6psmmunvol/IPC-APP.txt?dl=0

(Just cut the .txt)

  Are you sure? yes | no

lex.almani wrote 04/25/2017 at 02:28 point

I got the data from port 8000, does anyone know how to convert it to video or image?

  Are you sure? yes | no

smsmithz wrote 04/10/2017 at 19:15 point

I got the zbatch application, and I believe I got the old firmware.  Does anyone have instructions on how to use the zbatch software?  Working with zmodo tech team is very time consuming....  After reseting the firmware will mishare not work anymore?   

  Are you sure? yes | no

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates