Skip to content

Instantly share code, notes, and snippets.

@jhelbig

jhelbig/README.md

Last active July 26, 2018 06:02
Show Gist options
  • Save jhelbig/d3dcb603b21ca0c88aca2f5be869c9b3 to your computer and use it in GitHub Desktop.
Save jhelbig/d3dcb603b21ca0c88aca2f5be869c9b3 to your computer and use it in GitHub Desktop.
Download ZIP
ZP-IBG15-W Notes
Raw
README.md

ZP-IBG15-W

The following notes are freely available to anyone who has administrative control over their personal network. Everything contained within this document was recovered by monitoring traffic across a personal network.

Legal Notice

Any and all documenation that is contained within this file, is to be used for the sole purpose of gathering knowledege in the pursuit of creating an educated public that knows what their IoT devices are doing on their networks. If you use this/these documents to support the harm or directly harm the manufacturer you knowingly do so at your own risk and absolve any and all users who have managed or maintained this or any document contained within this collection.

Furthermore, if you damage your own property or yourself you proceed at your own risk and absolve any and all users who have managed or maintained this or any document contained within this collection.

This documentation falls under the Copyleft standards and practices meaning it allows redistributing the work (with or without changes) on condition that recipients are also granted these rights.

HTTP

The following calls are incomplete and may need further documentation. These are a work-in-progress and should not be taken as 100% complete.

devlogin

Once you have added the camera to an internet connected network, it makes a phone-home call to authorize the camera to be used across the network and link it with your account.

Request

The camera_id parameter can be found on the bottom of the camera, printed on the label. It will typically start with 'ZMD' and will be followed by 12 alpha-numeric characters.

Response

A JSON response will be returned that will tell the camera information about the environment on the other side, such as IP addresses that are expected to call it, as well as other TLD's that it can call to.

{
    "dev_conn_addr": "50.226.99.162:6102,50.226.99.163:6102,50.226.99.164:6102,50.226.99.165:6102,50.226.99.166:6102,50.226.99.167:6102",
    "file_server_addr": "https://11-alertsfile.myzmodo.com,https://12-alertsfile.myzmodo.com,https://13-alertsfile.myzmodo.com,https://14-alertsfile.myzmodo.com,https://15-alertsfile.myzmodo.com,https://17-alertsfile.myzmodo.com,https://18-alertsfile.myzmodo.com",
    "session": 6000,
    "result": "ok",
    "addition": "oJHO77IOh8HOHvNOhKhKJGiluvb8BV",
    "dev_access_addr": "https://11-devaccess.myzmodo.com,https://12-devaccess.myzmodo.com,https://13-devaccess.myzmodo.com,https://14-devaccess.myzmodo.com,https://21-devaccess.myzmodo.com,https://22-devaccess.myzmodo.com",
    "heartbeat_interval": 90,
    "encrypt_key": "D9F7H09FD7HJ09D7F0GB8N6F0DG7J097",
    "alerts_addr": "https://11-alertsmng.myzmodo.com,https://12-alertsmng.myzmodo.com,https://15-alertsmng.myzmodo.com,https://16-alertsmng.myzmodo.com,https://17-alertsmng.myzmodo.com,https://18-alertsmng.myzmodo.com,https://21-alertsmng.myzmodo.com,https://22-alertsmng.myzmodo.com,https://23-alertsmng.myzmodo.com,https://24-alertsmng.myzmodo.com,https://25-alertsmng.myzmodo.com,https://26-alertsmng.myzmodo.com",
    "timestamp": 946686829,
    "encrypt_key_id": "X98D6G9S8D6G9S67D0B7S8I8BD6S98F6",
    "dev_mng_addr": "https://1z3-Devmng2.myzmodo.com,https://1z4-Devmng2.myzmodo.com,https://1z5-Devmng2.myzmodo.com,https://1z6-Devmng2.myzmodo.com"
}

Breakdown

  • dev_conn_addr
  • this is the expected address that a remote viewing will take place from, from what I have found ONLY requests from these IP addresses are allowed to view the video stream.
  • file_server_addr
  • this hosts all the TLDs that will be called to send screenshots or other misc file uploads to, typically not used in the free version of the software
  • session
  • not quiet sure what this does, as changing it or not doesn't do anything that has been observed
  • addition
  • this is used as a token when making subsequent calls back home, it will identify the device directly with this key, and it will work days after it's been generated.
  • dev_access_addr
  • these hosts are the TLDs that will be called to from the camera, note the domain used on Login
  • heartbeat_interval
  • the alloted amount of seconds between reachout out to the service to give an all clear/update
  • [?] encrypt_key
  • obviously, this encrypts things. What? I don't have a clue
  • [?] alerts_addr
  • untested, but I would assume these are the endpoints used when mo-cap is used and an alert is sent out
  • [?] timestamp
  • I suppose this is used by the camera to invalidate certain JSON objects when they are too old, I haven't yet run into any issues with it yet.
  • [?] encrypt_key_id
  • somehow linked to the encrypt_key on the service side, these two may have to match in order for communications to exist
  • [?] dev_mng_addr
  • still not sure what these are used for, but they ARE used to kick off something on the cameras.

sync

Request


#### Response
_-UNDOCUMENTED-_

----
## confrpt
#### Request
 - POST
  - https://11-DevAccess.myzmodo.com/factorydevice/confrpt
 - BODY
  - ```json
    {
        "baseinfo":{
            "tokenid": "oJHO77IOh8HOHvNOhKhKJGiluvb8BV",
            "physical_id": "ZMD124KJ1JBTKDS",
            "device_type": "0",
            "gateway_mac": "XX:XX:XX:XX:XX:XX"
        },
        "confinfo":{
            "device_channel": "1",
            "device_ionum": "0",
            "device_model": "SD-H2901",
            "device_version": "V8.0.0.0;V8.0.0.0;V8.0.0.0;V8.0.1.26",
            "device_capacity": "1644237057",
            "device_extend_capacity": "1075581299",
            "device_supply_capacity": "1073741894",
            "resolution": {
                "HD": "1280*720",
                "SD": "320*240",
                "LD": "320*240"
            },
            "aes_key": "6D987H6F7DG6NS987F5HS8DD975FG76S"
        }
    }

Response

-UNDOCUMENTED-

upnp_rpt

I believe this endpoint in general configures the cameras settings to the remote service.

Request

  • POST
  • https://11-DevAccess.myzmodo.com/factorydevice/upnp_rpt
  • BODY { "physical_id":"ZMD124KJ1JBTKDS", "upnp_video_port":"0", "local_video_port":"8000", "tokenid":"oJHO77IOh8HOHvNOhKhKJGiluvb8BV", "device_mac":"XX:XX:XX:XX:XX:XX", "local_ip":"XXX.XXX.XXX.XXX", "net_mask":"255.255.255.0", "gateway_ip":"XXX.XXX.XXX.XXX", "gateway_mac":"XX:XX:XX:XX:XX:XX", "ssid":"MY_WIFI_SSID" }

#### Response
_-UNDOCUMENTED-_

----
## cover_report
I believe since this is the only call that sends a temp image along, it's actually sending over the "cover" image when viewing multiple cameras at once.  This would typically be updated once every, you guessed it, 90 seconds with the heartbeat.

Note the different sub-domain used

#### Request
 - POST
  - https://1z3-Devmng2.myzmodo.com/fileserver/cover_report
 - BODY
    {
        "tokenid":"oJHO77IOh8HOHvNOhKhKJGiluvb8BV",
        "physical_id":"ZMD124KJ1JBTKDS",
        "channel":"0",
        "image_name":<RAW_FILE filename="Pivot_img_XXXXXX_XXXXXX.jpg", type="image/jpeg">
    }

Response

-UNDOCUMENTED-

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment