Well guys, I finally got this thing working. Here's what I've learned...
I had configured the whole thing and had it up and running with iVMS and BI... everything except the chime... without using the hikconnect app at all. Unfortunately, there is no way to configure it to use a chime without using the app. The doorbell defaults to "no chime" -- which explains why I wasn't seeing any voltage change when the button was pressed.
From a security standpoint, this thing is a mess. First of all, having to use the app has its own problems...
- It requires location services to be enabled and it must have permission to them or it will refuse to continue. There is no justifiable reason for this requirement.
- It requires access to photos, storage and other stuff that it also shouldn't need to have.
- It automatically takes the wifi settings (SSID & Password) from your phone/tablet and feeds them to the camera.
So, you basically have an app that requires location data and has access to your wifi SSID and password... with those three things, someone could locate your home and gain access to your network with little to no effort. On top of that, it's communicating to at least two servers in Asia as soon as it comes online, as well as several amazon hosted servers. There's a decent chance this sensitive data is making its way to one of those servers.
It turns out this thing just assumes you're on an insecure network and allow any kind of outbound traffic out by default. I'm sure this is true for the vast amount of non-technical consumers out there, but it doesn't play nice on a secured network at all. This was the biggest problem I was running into and didn't realize it until I started digging into traffic patterns. When I would set up the phone, using the app like a good boy, it would tell me "wifi configured" and I could see it show up on my network. I could ping it and even get a live view from it... but the app would eventually time out and complain that the network configuration failed. That's weird... it literally just spoke to me and said it had succeeded! Grrrr!!!!!!
Lots of "interesting" network traffic was being blocked by my firewall. Most internet-based products make use of well-known ports like 80 and 443 and are happy with those. Not hikvision... they want ports 123, 8800, 31006, 8666, ICMP, 6002, 6500, and 5228...
The camera itself reaches out to:
- 123 (NTP) - first hitting a server in China (time.ys7.com). After configuration is complete, this changes to 0.amazon.pool.ntp.org.
- 8800 - amazon hosted server
- 31006 - amazon hosted server
- 8666 - amazon hosted server
- ICMP - pings its gateway every 30 seconds.
- 6002 - an unresolvable server in Singapore.
- 5228 - google hosted server
- 6500 - amazon hosted server

The hik-connect app reaches out to:
- 8666, 8800 and 6500
Of all those ports it tried to use, I only allowed 123, 8800, 31600, 8666, and ICMP. Once I did that, I was able to get the app to configure the camera... including the option to set my chime type. Finally!
When I did all of this, I spun up a "test" access point and connected the camera and my tablet to it. I did not want to connect them to my true internal network given the blatant security problems with the entire product/app combo. Once I had the camera configured and was ready to move it to my "real" network, I connected my laptop to the test network and connected to the camera via iVMS so I could change the wifi settings and admin password and not have to worry about the hikconnect app passing those details to who knows where. Once on my real network, I have my DHCP server set to not give the camera any DNS servers and it points its gateway at another internal host so it can ping (otherwise it will drop the wifi every 5 minutes).
Unfortunately, hikvision made this camera a nightmare to deal with. Every bit of this hassle could have been avoided if they had just allowed the setting of the chime via the normal ONVIF and iVMS protocols. There were a few others also only available from the app... microphone control and indicator light on/off come to mind. Why on earth would they leave these out of the standard configuration protocols??!?!?!? Geez.
I'm sure it all goes swell for folks who aren't as privacy conscious, or aren't technical enough to worry about the traffic on their network, but if you're at all security conscious and were hoping to get a self-contained offline camera for your doorbell, this isn't it.
As for compatibility with iVMS... which it clearly claims it has on the product datasheet... it's missing a few key components...
- It will not send motion events to iVMS. It will send PIR events, but not motion detection events.
- It does not support a privacy mask.
- It does not support the storage server, meaning it can only record to its internal SD card.
- There are probably more I just haven't stumbled across yet.
Some of these can be overcome by using blue iris instead of iVMS, but when you have 16 other cameras that are all hikvision and you've built infrastructure designed around their solutions, adding this one camera really shouldn't kink up the works as bad as it does. They just half-assed this one and from a company that generally produces excellent products, it has been disappointing.
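
An added example, not part of the original post: one way to audit a device's outbound traffic against the egress allowlist the post ends up with (ports 123, 8800, 31600, 8666 and ICMP, copied as written). The log format, IP addresses, protocols and the `audit_egress` name are constructed for illustration; adapt the regex to your firewall's log lines.

```python
import re
from collections import Counter

# Egress allowlist as written in the post: ports 123, 8800, 31600, 8666, plus ICMP.
ALLOWED_PORTS = {123, 8800, 31600, 8666}
ALLOWED_PROTOS = {"icmp"}

# Constructed sample in a hypothetical key=value firewall log format.
# Addresses are documentation/private ranges; .20 stands in for the doorbell.
SAMPLE_LOG = """\
10:00:01 src=192.168.50.20 dst=203.0.113.10 proto=udp dport=123
10:00:02 src=192.168.50.20 dst=198.51.100.7 proto=tcp dport=8800
10:00:03 src=192.168.50.20 dst=198.51.100.9 proto=tcp dport=6002
10:00:04 src=192.168.50.20 dst=192.168.50.1 proto=icmp
10:00:05 src=192.168.50.20 dst=198.51.100.9 proto=tcp dport=6002
10:00:06 src=192.168.50.20 dst=203.0.113.44 proto=tcp dport=5228
10:00:07 src=192.168.50.31 dst=203.0.113.44 proto=tcp dport=443
10:00:08 garbage line the parser must skip
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?"
)

def audit_egress(log_text, device_ip):
    """Return (allowed, blocked) Counters keyed by (dst, proto, dport) for one device."""
    allowed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["src"] != device_ip:
            continue  # unparseable line or traffic from another host
        proto = m["proto"].lower()
        dport = int(m["dport"]) if m["dport"] else None  # ICMP has no port
        ok = proto in ALLOWED_PROTOS or dport in ALLOWED_PORTS
        (allowed if ok else blocked)[(m["dst"], proto, dport)] += 1
    return allowed, blocked

if __name__ == "__main__":
    allowed, blocked = audit_egress(SAMPLE_LOG, "192.168.50.20")
    for (dst, proto, dport), n in blocked.most_common():
        print(f"NOT ALLOWED {proto}/{dport} -> {dst} x{n}")
```

Running the same audit before and after a firmware update or app reconfiguration shows whether the device has started reaching for destinations outside the set you agreed to.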