While analyzing the security of the iMiniCam app, I learned part of the UDP protocol used to communicate with the camera. Here is a quick bunch of facts.
UDP layer
Port 32100 (Proto_Hello, to external server) and port 32108 (others, to camera).
Type-length layer
The following structure represents the first header, which is always found in a datagram.
struct header {
    uint8_t magic;
    enum proto_type type;
    uint16_t length;
};
In this structure, magic is always set to 0xf1, type is one of the values below, packed into a single byte, and length counts the data that follows this header, so if it is equal to zero, only those four bytes are transmitted.
Packet types
These are all the types present in the binary I was reverse engineering. Names are derived from the names of the functions that craft their content, so e.g. for Proto_DevLgn, which is equal to 0x10, there exist the functions PPPP_Proto_Write_DevLgn, PPPP_Proto_Read_DevLgn and PPPP_Proto_Send_DevLgn.
enum proto_type {
    Proto_Hello = 0,
    Proto_HelloAck = 1,
    Proto_HelloTo = 2,
    Proto_HelloToAck = 3,
    Proto_QueryDID = 8,
    Proto_QueryDIDAck = 9,
    Proto_DevLgn = 0x10,
    Proto_DevLgnAck = 0x11,
    Proto_DevLgn_CRC = 0x12,
    Proto_DevLgn1_CRC = 0x13,
    Proto_P2PReq = 0x20,
    Proto_P2PReqAck = 0x21,
    Proto_LanSerch = 0x30,
    Proto_PunchTo = 0x40,
    Proto_PunchPkt = 0x41,
    Proto_P2PRdy = 0x42,
    Proto_RSLgn = 0x60,
    Proto_RSLgnAck = 0x61,
    Proto_RSLgn1 = 0x62,
    Proto_RSLgn1Ack = 0x63,
    Proto_ListReq1 = 0x67,
    Proto_ListReq = 0x68,
    Proto_ListReqAck = 0x69,
    Proto_RlyHello = 0x70,
    Proto_RlyHelloAck = 0x71,
    Proto_RlyPort = 0x72,
    Proto_RlyPortAck = 0x73,
    Proto_ByteCount = 0x78,
    Proto_RlyReq = 0x80,
    Proto_RlyReqAck = 0x81,
    Proto_RlyTo = 0x82,
    Proto_RlyPkt = 0x83,
    Proto_RlyRdy = 0x84,
    Proto_SDevRun = 0x90,
    Proto_SDevLgn = 0x91,
    Proto_SDevLgn_CRC = 0x92,
    Proto_DRWAck = 0xd1,
    Proto_PSR = 0xd8,
    Proto_Alive = 0xe0,
    Proto_AliveAck = 0xe1,
    Proto_Close = 0xf0,
    Proto_MGMDumpLoginDID = 0xf4,
    Proto_MGMDumpLoginDIDDetail = 0xf5,
    Proto_MGMDumpLoginDID1 = 0xf6,
    Proto_MGMLogControl = 0xf7,
    Proto_MGMRemoteManagement = 0xf8
};
Proto_Hello
This packet’s content is empty (length=0). It is sent to the external server. The response is Proto_HelloAck.
Proto_HelloAck
Length is 0x10. Content follows this structure:
struct HelloAck {
    struct sockaddr_in wan_addr;
};
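A defensive parser for the type-length header and the two packet types described above, as an added example that is not part of the original post or the app's code. It assumes length is big-endian on the wire (the post does not state the byte order); the parse_result and parsed names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum parse_result {              /* hypothetical names, not taken from the app */
    PARSE_OK, PARSE_TOO_SHORT, PARSE_BAD_MAGIC, PARSE_LEN_MISMATCH, PARSE_BAD_TYPE_LEN
};

struct parsed {
    uint8_t type;
    uint16_t length;
    const uint8_t *payload;      /* points into the caller's buffer */
};

/* Validate one UDP datagram of n bytes against the 4-byte header.
 * Assumption: length is big-endian on the wire (not stated in the post). */
enum parse_result parse_datagram(const uint8_t *buf, size_t n, struct parsed *out)
{
    if (n < 4)
        return PARSE_TOO_SHORT;
    if (buf[0] != 0xf1)
        return PARSE_BAD_MAGIC;
    out->type = buf[1];
    out->length = (uint16_t)((buf[2] << 8) | buf[3]);
    out->payload = buf + 4;
    /* Never trust the declared length: compare it with what actually arrived. */
    if ((size_t)out->length != n - 4)
        return PARSE_LEN_MISMATCH;
    /* Per-type lengths given in the post. */
    if (out->type == 0x00 && out->length != 0)       /* Proto_Hello */
        return PARSE_BAD_TYPE_LEN;
    if (out->type == 0x01 && out->length != 0x10)    /* Proto_HelloAck */
        return PARSE_BAD_TYPE_LEN;
    return PARSE_OK;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t sample_hello[] = { 0xf1, 0x00, 0x00, 0x00 };
static const uint8_t sample_truncated_ack[] = { 0xf1, 0x01, 0x00, 0x10, 0x00, 0x02 };

int main(void)
{
    struct parsed p;
    printf("hello: %d\n", parse_datagram(sample_hello, sizeof sample_hello, &p));
    printf("truncated ack: %d\n", parse_datagram(sample_truncated_ack, sizeof sample_truncated_ack, &p));
    return 0;
}
```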
Final word
I hope this very quick introduction will help someone and will lead to the protocol being documented well enough that it will be possible to develop an open source client application able to communicate with the cameras using it.