A Wireshark dissector for the DVRIP/Sofia protocol found in Xiongmai-based IP cameras.
A full writeup of a sample IP camera is available in the Besder 6024PB-XMA501 IP camera security investigation repository.
- Test Device
- DVRIP/Sofia Message Header
- Audio Header
- I-Frame Header
- P-Frame Header
- Information Frame Header
This dissector is based on a DVRIP Wireshark Dissector for Port 37777 (Dahua IP camera), which can be found here: https://github.com/r4bit999/dvrip-analysis/tree/master
Tested on Besder 6024PB-XMA501 IP camera:
Model: XM530_50X50-WG_8M
Firmware version: V5.00.R02.00030747.10010.349f17
Media frames are saved as bytes in the /tmp directory (file format: 'pinfo.number'_'frame_name').
DVRIP/Sofia media payloads have their own headers. All media payload header fields (except signature) are reordered to little-endian (LE) to extract their exact value.
Media payload headers were reconstructed based on Xiongmai bitstream frame format document.
Header description of a single DVRIP/Sofia message is based on Digital Video Recorder Interface Protocol document, the actual diagram being on page 7.
- BIT 0: message header byte, fixed as 0xFF.
- BIT 1: observed to be equal to 0 for requests and equal to 1 for responses from the IP camera.
- BIT 2: reserved byte 1:
  - Equals `0` when H.264 video codec is used (BIT4 = `0x02` on I-Frame header).
  - Equals `1` when H.265 video codec is used (BIT4 = `0x12` on I-Frame header).
- BIT 3: reserved byte 2:
  - Equals `128` when DVRIP message contains audio frames.
  - Equals `0` otherwise.
- BIT 4-7: session ID. Assigned by the camera after successful login. Needs to be present in every subsequent message.
- BIT 8-11: sequence number. Increments from 0 after startup, and after reaching the (unknown) maximum, starts from 0 again.
- BIT 12: total number of packets in a single message. A value of 0 or 1 indicates a single message per packet.
- BIT 13: number of the current packet in the message. Meaningful only when the value of total packets (BIT 12) is greater than 1.
- BIT 14-15: command code (also called message id). The code defines what action to perform.
- BIT 16-19: data (payload) length. Length of a JSON payload, which starts immediately after DVRIP/Sofia header.
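
The message header layout above as a standalone parser, added here as an example (not code from the dissector repository). It reads each "BIT n" as byte offset n and assumes little-endian multi-byte fields; `MAX_PAYLOAD` and the sample message values are constructed for illustration.

```python
import struct

# Field order follows the list above, reading each "BIT n" as byte offset n.
# Little-endian multi-byte fields are an assumption of this example.
HEADER = struct.Struct("<BBBBIIBBHI")  # 20 bytes in total
MAX_PAYLOAD = 1 << 20  # hypothetical sanity cap, not taken from the protocol document


def parse_dvrip_header(buf: bytes) -> dict:
    """Parse and validate one DVRIP/Sofia message header from the start of buf."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    (head, direction, reserved1, reserved2, session_id, sequence,
     total_packets, current_packet, command, length) = HEADER.unpack_from(buf)
    if head != 0xFF:
        raise ValueError("bad head byte 0x%02x" % head)
    if length > MAX_PAYLOAD:
        raise ValueError("implausible payload length %d" % length)
    payload = buf[HEADER.size:HEADER.size + length]
    return {
        "is_response": direction == 1,      # 0 = request, 1 = camera response
        "h265": reserved1 == 1,             # reserved byte 1: 0 = H.264, 1 = H.265
        "has_audio": reserved2 == 128,      # reserved byte 2
        "session_id": session_id,
        "sequence": sequence,
        "fragmented": total_packets > 1,
        "current_packet": current_packet if total_packets > 1 else None,
        "command": command,
        "length": length,
        "payload": payload,
        "complete": len(payload) == length,  # False when the buffer cut the payload short
    }


def build_sample() -> bytes:
    """Constructed sample message (all values invented for this example)."""
    payload = b'{"Ret": 100}'
    return HEADER.pack(0xFF, 1, 0, 0, 0x0B, 3, 0, 0, 1001, len(payload)) + payload


if __name__ == "__main__":
    print(parse_dvrip_header(build_sample()))
```
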
Audio Header:
- BIT 0-3: signature
- BIT 4: audio codec (0x0e = G711A)
- BIT 5: sampling rate (0x02 = 8kHz sampling)
- BIT 6-7: length of audio payload
I-Frame Header:
- BIT 0-3: signature
- BIT 4: video codec (0x01 = MPEG4, 0x02 = H.264, 0x12 = H.265)
- BIT 5: encoded framerate (variable; 1-25 for PAL, 1-30 for NTSC)
- BIT 6: low 8 bits of image width; the value is actual width divided by 8
- BIT 7: low 8 bits of image height; the value is actual height divided by 8
- BIT 8-11: datetime of the capture
- BIT 12-15: length of I-Frame payload
First 4 bits of an I-Frame payload (BITS 16-19) are equal to 0x00000001
Same exact header fields are shared between I-Frames (FC) and snapshots (FE).
P-Frame Header:
Extension of I-Frames.
- BIT 0-3: signature
- BIT 4-7: length of P-Frame payload
First 4 bits of a P-Frame payload (BITS 8-11) are equal to 0x00000001
Information Frame Header:
- BIT 0-3: signature
- BIT 4: general information (unconfirmed)
- BIT 5: unused value
- BIT 6-7: payload length
Used for information transmission. First byte after signature (byte 4):
- 0x01 - general information.
- 0x06 - unknown value.