A Wireshark dissector for the DVRIP/Sofia protocol found in Xiongmai-based IP cameras.
A full writeup of a sample IP camera is available in the Besder 6024PB-XMA501 IP camera security investigation repository.
This dissector is based on a DVRIP Wireshark Dissector for Port 37777 (Dahua IP camera), which can be found here: https://github.com/r4bit999/dvrip-analysis/tree/master
Tested on Besder 6024PB-XMA501 IP camera:
Model: XM530_50X50-WG_8M
Firmware version: V5.00.R02.00030747.10010.349f17
Media frames are saved as raw bytes in the /tmp directory (file name format: 'pinfo.number'_'frame_name').
DVRIP/Sofia media payloads have their own headers. All media payload header fields (except signature) are reordered to little-endian (LE) to extract their exact value.
Media payload headers were reconstructed based on Xiongmai bitstream frame format document.
Header description of a single DVRIP/Sofia message is based on Digital Video Recorder Interface Protocol document, the actual diagram being on page 7.
- BIT 0 - message header byte, fixed as 0xFF.
- BIT 1 - observed to equal 0 for requests and 1 for responses from the IP camera.
- BIT 2 - reserved byte 1. Observed to be either 0 or 1.
  - When H.265 video codec is used (BIT4 = 0x12 on I-Frame header), this value is equal to 1.
  - When H.264 video codec is used (BIT4 = 0x02 on I-Frame header), this value is equal to 0.
- BIT 3 - reserved byte 2. Observed to be either 0 or 128.
  - When H.264 video codec is used, the value of this BIT is equal to 128 on DVRIP messages containing audio frames.
  - Otherwise, the BIT3 value is equal to 0.
- BIT 4-7 - session ID. Assigned by the camera after successful login. Needs to be present in every subsequent message.
- BIT 8-11 - sequence number. Increments from 0 after startup, and after reaching the (unknown) maximum, starts from 0 again.
- BIT 12 - total number of packets in a single message. A value of 0 or 1 indicates a single message per packet.
- BIT 13 - number of the current packet in the message. Meaningful only when the value of total packets (BIT 12) is greater than 1.
- BIT 14-15 - command code (also called message id). The code defines what action to perform.
- BIT 16-19 - data (payload) length. Length of a JSON payload, which starts immediately after DVRIP/Sofia header.
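The 20-byte message header listed above can be parsed and bounds-checked as follows. This is an added example, not code from the dissector; little-endian byte order for the multi-byte fields, the `MAX_PAYLOAD` cap and all sample values are assumptions.

```python
import struct
from dataclasses import dataclass

# Field order follows the list above; little-endian byte order is an assumption.
HEADER = struct.Struct("<BBBBIIBBHI")  # 20 bytes in total
MAX_PAYLOAD = 1 << 20  # hypothetical sanity cap, not taken from the protocol document

@dataclass
class DvripHeader:
    direction: int       # BIT 1: observed 0 = request, 1 = response
    reserved1: int       # BIT 2
    reserved2: int       # BIT 3
    session_id: int      # BIT 4-7
    sequence: int        # BIT 8-11
    total_packets: int   # BIT 12
    current_packet: int  # BIT 13, meaningful only when total_packets > 1
    command: int         # BIT 14-15
    length: int          # BIT 16-19

def parse_message(buf: bytes):
    """Return (header, payload, rest); raise ValueError on malformed input."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    head, *fields = HEADER.unpack_from(buf)
    if head != 0xFF:
        raise ValueError(f"unexpected header byte 0x{head:02x}")
    hdr = DvripHeader(*fields)
    # Never trust the declared length: check it against the cap and the buffer.
    if hdr.length > MAX_PAYLOAD:
        raise ValueError("declared payload length exceeds cap")
    end = HEADER.size + hdr.length
    if end > len(buf):
        raise ValueError("truncated payload")
    return hdr, buf[HEADER.size:end], buf[end:]

# Constructed sample: a response with a small JSON payload, followed by one
# trailing byte. Session ID, sequence number and command code are made up.
SAMPLE_PAYLOAD = b'{"Ret": 100}'
SAMPLE = (HEADER.pack(0xFF, 1, 0, 0, 0x0B, 3, 0, 0, 1001, len(SAMPLE_PAYLOAD))
          + SAMPLE_PAYLOAD + b"\xff")

if __name__ == "__main__":
    print(parse_message(SAMPLE))
```

The returned `rest` holds any bytes after the declared payload, so a caller reading from a TCP stream can feed it back in once more data arrives.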
Audio frame header:
- BIT 0-3 - signature
- BIT 4 - audio codec (0x0e = G711A)
- BIT 5 - sampling rate (0x02 = 8kHz sampling)
- BIT 6-7 - length of audio payload
I-Frame header:
- BIT 0-3 - signature
- BIT 4 - video codec (0x01 = MPEG4, 0x02 = H.264, 0x12 = H.265)
- BIT 5 - encoded framerate (variable; 1-25 for PAL, 1-30 for NTSC)
- BIT 6 - low 8 bits of image width; the value is actual width divided by 8
- BIT 7 - low 8 bits of image height; the value is actual height divided by 8
- BIT 8-11 - datetime of the capture
- BIT 12-15 - length of I-Frame payload
- BIT 16-19 - unknown value, observed to always be equal to 1
The exact same header fields are shared between I-Frames (FC) and snapshots (FE).
Extension of I-Frames.
- BIT 0-3 - signature
- BIT 4-7 - length of P-Frame payload
- BIT 8-11 - unknown value, always observed to be equal to 1
Used for information transmission. First byte after signature (byte 4):
- 0x01 - general information.
- 0x06 - unknown value.









