Finding Camera Stream Paths
This page contains methods and approaches for getting cameras to work with ZM. The best results will be with cameras tested by users in the Hardware Compatibility List. Next will be with cameras that detail the path in user manuals, and or are Onvif compliant. Proprietary and undocumented cameras are more difficult.
Overall, this can be as simple as looking in the user manual, or as complicated as reverse engineering and breaking into the device. Choose your own adventure.
Typical methods of obtaining the cameras paths in order of easiest to hardest are:
- User Manual/Website
- Onvif probe
- Search online resources and forums
- Get access to the camera shell
- Sniff network packets with TCPDump or Wireshark
- Reverse Engineer
Double check that you don't have any other settings that may block cameras communicating to your computer (firewall, antivirus, etc). For new users who install using the recommended install guides, this should not be a concern.
Important!!!: While doing this testing, you want to keep in mind the following:
- Test outside of ZM, first. (this is faster)
- Verify that ffmpeg / vlc works (see below for examples of usage)
- use the info that works in ffmpeg or vlc in zm.
Resolution must be correct.
Testing out a Camera
See the hardware compatibility lists for more details. Port for RTSP is usually but not always 554.
If you want to test from the terminal without X, you can use ffmpeg
$ ffmpeg -i rtsp://<username>:<password>@<ipaddress>:<port>/<somepath> output.mp4
If the stream connects, it will provide you with some information about the stream encoding, and also the resolution.
Note that the above are examples for RTSP. You would use http for MJPEG. See the Hardware Compatibility List for more details.
Not all fields are required to be filled in for Zoneminder.
- Resolution must be right.
- Most cameras require username/password.
If you are unsure how to fill in the information into Zoneminder, refer to the Hardware Compatibility List for other cameras, and copy them.
Note that the results you get from cameras will differ depending on how you connect to the camera (whether you choose, remote, ffmpeg, or libvlc in ZM).
Reputable name brand cameras (Axis, Arecont Vision, Foscam, many others) will offer stream paths in the user manual or website. If you bought an unbranded cheap camera or one of the proprietary cameras sold in retail stores then you must move onto the other options.
Starting with Zoneminder 1.30.4 there is an onvif probe option in the camera configuration. You can also use other Onvif probe programs.
Web Search Online
Ispyconnect has a large database of URLs available for cameras. The ZM wiki has some. Use a search engine. You may also come across a telnet or ssh password, which can be used to gain access to the camera OS.
Many cameras run GNU/Linux. If you can get access to the files on the camera, through telnet, or through exploiting a vulnerability in the camera, then you can look around for paths. You may be able to send files from the camera to your local machine using FTP. Cameras often have busybox, or similar utils. Running the command "strings" on binaries may come up with something. Run nmap on the camera to see what ports are open. See more details in external links at the bottom.
$ nmap -p1-65535 <ipaddressofcamera>
Watch the packets coming from the camera when accessing the video stream, and determine where the stream is located if possible. Some cameras require custom authentication, so if your camera is proprietary, then things are more difficult. This is the danger of purchasing cameras that don't follow the standard (onvif).
Reverse engineering is one possibly time-intensive method of gaining information about a given camera. See the reverse engineering links below.
- Some cameras have limited space for username / password. Be wary of the camera cutting off the end of the password.
- Some cameras don't handle special characters in passwords well. https://forums.zoneminder.com/viewtopic.php?f=40&p=117987#p117987
Reverse Engineering Links
- https://web.archive.org/web/20180124024708/https://github.com/sgayou/medfusion-4000-research/blob/master/doc/README.md Advanced reverse engineering/exploitation of a medical device
- https://www.contextis.com/blog/push-hack-reverse-engineering-ip-camera Reverse Engineering an IP Camera
- https://alexhude.github.io/2019/01/24/hacking-leica-m240.html Reverse Engineering a consumer camera
- http://web.archive.org/web/20190609073446/https://hclxing.wordpress.com/2019/05/30/reverse-engineering-wyzesense-bridge-protocol-part-i/ Wyzesensor reverse engineering (1/3)
- http://web.archive.org/web/20190606222131/https://hclxing.wordpress.com/2019/05/30/reverse-engineering-wyzesense-bridge-protocol-part-ii/ Wyzesensor reverse engineering (2/3)
- https://hclxing.wordpress.com/2019/06/06/reverse-engineering-wyzesense-bridge-protocol-part-iii/ Wyzesensor reverse engineering (3/3)
- https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks Xiaomi / Wyzecam Camera Reverse Engineering
- https://www.eionix.co.in/2019/10/10/reverse-engineer-ddpai-firmware.html Reverse Engineering a Dashcam
- Huang, Andrew "Bunnie", (2017) The Hardware Hacker. pg 279. No Starch Press.
- http://web.archive.org/web/20210212100444/https://frdmtoplay.com/patching-in-fahrenheit/ - Disassembly and patching.