Any progress on this recently?

[hawkeye217]

I just came across your script. I have the same Hikvision clone doorbell and I'm trying to locally control the LEDs around the button while keeping the doorbell from connecting to the internet.

I found this project where someone used mitmproxy to reverse engineer the Ezviz API. I've also commented on an open issue there where I've done a bit of sniffing with Wireshark.

Did you manage to make any more progress on your doorbell?

[xopr]

Sorry for the somewhat late reply.

I haven't looked into it anymore and more or less abandoned the project due to lack of time.
The decryption part is not working completely correct; presumably the AES initialization vector (iv) or mode is not correct.
Someone who is more comfortable in AES encryption than me might be able to have a breakthrough.

My intentions are to release my code as open source (assuming @gardar agrees with this) so everyone can have a go at it.

Thanks for the reference to pyEzviz; it's good to have publicity in either direction.

[gardar]

I have actually made some progress myself recently, well not exactly on this code, but what I have managed is to establish serial connection with my doorbell where I was able to gain root access on the doorbell.
I have compiled some tools for the doorbell so now I have can look into what the doorbell is doing from the other side. With this data/access I am hoping I can figure out the missing links for this project.
But I'm also looking into the possibility of making a custom firmware for the doorbell which would cut the doorbell completely from the cloud.
I haven't had a chance to publish my findings but I hope that I have time to do so soon.

That being said I 100% agree with having this code open source and I plan to do the same if I create any other projects for these doorbells.

[xopr]

I have actually made some progress myself recently, [...]

That is really great news to hear!
Feel free to mention it here when you published something (I might even try the serial access as well assuming it's either 3.3v or 5v TTL)
I also took the opportunity to assign the MIT license to this so everyone can use it (and in the hope someone builds upon these first results)

[GSzabados]

Gents,

I have another approach to start with. The EzViz cameras do support some sort of local control/config.

I have just added a Feature Request to the ha-ezviz repo, which sums up my findings regarding local access.

RenierM26/ha-ezviz#109

You can do a WireShark capture meanwhile EzViz Studio authenticates the camera locally (admin/verification code) and then when it fethces details of the settings or when changing them.

My point would be to fully disconnect these cameras from the cloud and use them fully locally.

[hawkeye217]

Using the Hikvision Network SDK, I can control a fair amount of functions locally. With their C++ examples, it was pretty easy to write some code to adjust things like camera exposure time and WDR enable/disable. It also seems like there's alarm functionality (with push), but I haven't played with that specifically.

What I haven't been able to find is any documentation or info on changing things like the status LED or IR LEDs. It seems those local functions may be specific to this doorbell, not Hikvision cameras in general.

[GSzabados]

It also seems like there's alarm functionality (with push), but I haven't played with that specifically.

I am really after the alarm function, but I cannot find any documentation of it about what format/protocol is it.

It is most likely SIA-Contact ID or Sur-gard, but I haven't managed to set up anything yet to receive and decode it.

[hawkeye217]

There's a file in the SDK's demo folder called "Alarm.cpp" that seems to listen for and return alarm events. Maybe that will help?

[GSzabados]

Maybe that will help?

Thanks!

[gardar]

What I haven't been able to find is any documentation or info on changing things like the status LED or IR LEDs. It seems those local functions may be specific to this doorbell, not Hikvision cameras in general.

From what I've seen by exploring the firmware the doorbell has more things in common with the Hikvision NVR's than the Hikvision cameras.
That being said there firmware does contain strings for the following devices, which suggests they share the same firmware (or at least some parts of the firmware).

• DS-KH8501-A
• DS-KH8500
• DS-KH8301-A
• DS-KH8301-AS
• DS-KH8301
• DS-KH8300
• DS-KH8200
• DS-KH6300
• DS-KH6300-A
• DS-KH6310
• DS-KH6310-A
• DS-KD8102-2
• DS-KD8002-2A
• DS-KM8301
• DS-KH6310(L)
• DS-KH6210(L)
• DS-KH6310-A(L)
• DS-KH6310-AS
• DS-KD3002-2A
• DS-KD6002-2A
• DS-KD8412-2A
• DS-KD8402-2A
• DS-KD8512-2A
• DS-KD8502-2A
• DS-KB8112-IM
• DS-KB6003-WIP
• DS-KB6403-WIP

[gardar]

I have another approach to start with. The EzViz cameras do support some sort of local control/config.

Using the Hikvision Network SDK, I can control a fair amount of functions locally.

I haven't looked at that sdk myself but are we talking about the onvif control or is this something else? I did find some undocumented onvif capabilities but nothing too interesting.

[hawkeye217]

It's something else. It's C++ code from Hikvision that interfaces with the camera directly. The example code they provide can do pretty much all the same stuff as their iVMS-4200 software you can get for free.