But how can we change the view that the camera is showing? For this I installed Packet Capture on my phone, and captured a few packets while change the view in the app. At first glance, it seems that it uses FTP for changing the view. The username and password are both wificam (I wonder if this can be changed). After setting passive mode, we get a RETR \FULL_VIEW.BIN; unfortunately this doesn't seem to yield much; it's possibly an update mechanism from the app.
Moving on, we see port 15740 in use. Annoyingly, it's a binary protocol. Playing around and looking at the traffic dump, it seems that a straight replay of the previous commands from the app doesn't quite work - it doesn't give the same response. I suspect there is a handshake going on, but I don't have the time to decipher it at the moment.
Thankfully, it appears that whatever view mode was last set via the Android app persists when watching the RTSP stream, so that might be all I need in order to re-broadcast a live stream.
Annoyingly, the wifi connection on this camera seems to be flaky on the connection phase; specifically both my Android and OSX computer often fail to pick up a DHCP lease.
