A Wireshark dissector for DVRIP/Sofia protocol found in Xiongmai based IP cameras Full writeup of a sample IP camera is available at Besder 6024PB-XMA501 IP camera security investigation repository.

• Test Device
• DVRIP/Sofia Message Header
• Audio Header
• I-Frame Header
• P-Frame Header
• Information Frame Header

This dissector is based on a DVRIP Wireshark Dissector for Port 37777 (Dahua IP camera), which can be found here: https://github.com/r4bit999/dvrip-analysis/tree/master

Tested on Besder 6024PB-XMA501 IP camera:

Model: XM530_50X50-WG_8M
Firmware version: V5.00.R02.00030747.10010.349f17

Media frames are saved as bytes in /tmp directory (file format: 'pinfo.number'_'frame_name').

DVRIP/Sofia media payloads have their own headers. All media payload header fields (except signature) are reordered to little-endian (LE) to extract their exact value.

Media payload headers were reconstructed based on Xiongmai bitstream frame format document.

Header description of a single DVRIP/Sofia message is based on Digital Video Recorder Interface Protocol document, the actual diagram being on page 7.

1. BIT 0: message header byte, fixed as 0xFF.
2. BIT 1: observed to be equal to 0 for requests and equal to 1 for responses from the IP camera.
3. BIT 2: reserved byte 1:
   • Equals 0 when H.264 video codec is used (BIT4 = 0x02 on I-Frame header).
   • Equals 1 when H.265 video codec is used (BIT4 = 0x12 on I-Frame header).
4. BIT 3: reserved byte 2:
   • Equals 128 when DVRIP message contains audio frames.
   • Equals 0 otherwise.
5. BIT 4-7: session ID. Assigned by the camera after successful login. Needs to be present in every subsequent message.
6. BIT 8-11: sequence number. Increments from 0 after startup, and after reaching the (unknown) maximum, starts from 0 again.
7. BIT 12: total number of packets in a single message. Value of 0 or 1 indicate a single message per packet.
8. BIT 13: number of a current packet in message. Meaningful only when the value of total packets (BIT 12) is greater than 1.
9. BIT 14-15: command code (also called message id). The code defines what action to perform.
10. BIT 16-19: data (payload) length. Length of a JSON payload, which starts immediately after DVRIP/Sofia header.

1. BIT 0-3: signature
2. BIT 4: audio codec (0x0e = G711A)
3. BIT 5: sampling rate (0x02 = 8kHz sampling)
4. BIT 6-7: length of audio payload

1. BIT 0-3: signature
2. BIT 4: video codec (0x01 = MPEG4, 0x02 = H.264, 0x12 = H.265)
3. BIT 5: encoded framerate (variable; 1-25 for PAL, 1-30 for NTSC)
4. BIT 6: low 8 bits of image width; the value is actual width divided by 8
5. BIT 7: low 8 bits of image height; the value is actual height divided by 8
6. BIT 8-11: datetime of the capture
7. BIT 12-15: length of I-Frame payload

First 4 bits of an I-Frame payload (BITS 16-19) are equal to 0x00000001

Same exact header fields are shared between I-Frames (FC) and snapshots (FE).

Extension of I-Frames.

1. BIT 0-3: signature
2. BIT 4-7: length of P-Frame payload

First 4 bits of a P-Frame payload (BITS 8-11) are equal to 0x00000001

1. BIT 0-3: signature
2. BIT 4: general information (unconfirmed)
3. BIT 5: unused value
4. BIT 6-7: payload length

Used for information transmission. First byte after signature (byte 4):

1. 0x01 - general information.
2. 0x06 - unknown value.