I’ve created a copy of the APK that allows User Certificates, otherwise it fails to connect when sniffing.
I’ve reached a dead end. It tasks about Turn/Stun/Ice, and I’m not sure where to go now.
I’ve been able to get to this point, but I can’t seem to get any further:
(I’ve obsucated the results as there’s credentials inside)
From the API: “/device/getWebrtcTicket”
I’ve asked both Monkey Vision and VicoHome support regarding any API or feeds, and they both don’t offer anything. VicoHome said they may add something in the future.
It’s worth an ask Michael. My guess is as far as “easy” methods go, they seem to encrypt everything within that stream from port 8765 and our only hope is a bootloader method. Must admit I’m suprised how responsive the local view (on app) is if it is all going via cloud and then back to the app, which initially made me think there was some P2P comms going between the cam and client - but no proof so far.
I’ve been trying to work through this same problem. I see the same direct UDP stream in Wireshark that you’ve described, but it seems the video is being displayed through WebRTC. With WebRTC, the camera (and the connecting device) are each a random port greater than 37000 or so for the duration of the stream. If you end the stream and start it again, the ports will change. I’m guessing this functionality is built directly into the camera to create a local stream?
At any rate, I’m afraid I’m at a dead end. I’ve also tried scanning the camera with nmap, but it shows no open ports, so no easy way to grab a video feed there. VicoHome does advertise some integration with Google Assistant/Alexa, so it’s not completely closed off, but there doesn’t seem to be much documentation.
I’d be very interested if there was any further development on this topic.
I don’t know if this might help someone but I ran across a recent blog post (Jul 17) from a VicoHome dev regarding WebRTC and something new called IoT-RTC. Not much in the way of technical details but it may mean there are hooks in place that weren’t there before.
Following. Have a bird feeder camera that connects to the Vicohome app. Would love to figure out how to get the feed to display through Home Assistant.
I’m been following this thread with great interest as I also have a VicoHome camera and am keen to enable local streaming, specifically RTSP, for use with TinyCam Monitor or similar applications.
I have a VicoHome CG6F camera, which is sometimes also listed as CG625A2-TN4.
Here’s the information I have about my camera:
Like others here, my primary goal is to get an RTSP stream working for local access. I understand custom firmware is likely the most promising route, but identifying the chipset is the first hurdle.
My main questions for the community are:
Has anyone managed to open a VicoHome CG6F (or CG625A2-TN4) and identify the chipset used? Knowing the chipset would be incredibly helpful for exploring custom firmware compatibility, particularly with projects like OpenIPC.
Are there any known custom firmware projects, even in early stages, that might be relevant to VicoHome cameras or similar models?
Has anyone made progress in reverse-engineering the WebRTC stream from VicoHome cameras, or found alternative methods to achieve local streaming?
I’m technically inclined and willing to help explore solutions. If identifying the chipset requires opening the camera, I’m prepared to do that carefully if needed.
Any insights, information, or pointers you can share would be hugely appreciated!
Thanks in advance for your help and collaboration.
I have 16 of this Vicohome GG6S cameras, because they are very cheap and work on battery for months, I want to integrate all of them into my HA, I will keep an eye on this post.
I have the Vicohome CG625-TN7. I’ve opened it up; the SoC is the Ingenic T23, (I think) NAND memory, and wifi chip set is the WF-H861L-SSA1. There is an open source firmware called thingino, however it doesn’t support the memory or wifi. Like everyone else I also tried doing packet captures but to no avail, I will try editing the app to support user certs so I can mitm the TLS connection. Has anyone tried setting up in hotspot mode instead of network?
SoC and wifi:
I wasn’t able to successfully rebuild the APK to intercept the TLS calls to their API, for some reason no matter what it fails trusting PCAPDroids mitm cert, but I did see in the STUN payload that Vicohome is using the Coturn TURN server. I also found someone else trying to reverse engineer their API: GitHub - dydx/vico-cli: My attempts at reverse engineering the vicohome.io api to get my bird data. Using their example in auth.go I was able to authenticate to their API and get a token with curl -X POST -d '{"email":"<<username>>","password":"<<password>>","loginType":0}' -H 'Content-type:application/json' -H 'Accept:application/json' https://api-us.vicohome.io/account/login.
From what I’ve read, TURN requires a username and password, however it’s advised to use an API to randomly generate one for each connection, so it seems I need to figure out how to get their API to do this for me, then I think I can authenticate to the STUN server running on the camera, however I’m not really sure what to do after that. I did figure out I can test authentication to their TURN servers using Trickle ICE.
Any hints on why the Vicohome app refuses to trust my CA cert? I’ve installed it on my phone and went through gist.github com/luciopaiva/aa9cb30863804fb2ac3ed1ccd11c95c7 and gist.github com/luciopaiva/809f198e8c96781ad1db63c01732e985 to repack it but regardless of SDK version or what’s in network_security_config.xml it doesn’t want to trust it and all TLS calls fail.
im really interested too.
