Ennio Wifi Doorbell: The saga continues.

I managed to get around to playing with the Ennio wifi doorbell a little more, trying to figure out how all of it works. It seems I have to learn a few things about UDP; however, with a quick and dirty tcpdump on my OpenWrt router (which I was hacking in other ways earlier) to an NFS share on my RAID, I managed to collect a chunk of worthwhile data while my phone interacted with the camera.

Capture results

As far as I can tell without capturing all of the data of all of the interactions it goes something like this:

  • Phone sends a broadcast request of some kind and the doorbell responds with a packet with its name to the UDP port specified by the initial contact.
  • The phone logs into the device using the username and password provided by sending a hex encoded ASCII string, with some preamble bytes:

Continue reading →

Ennio Doorbell internals

I haven’t had a chance to dump the memory from this device yet, but I received a request to take some photos of the internals. Here are those photos.
[Photos: Ennio memory chip; Ennio camera module; Ennio main board reverse side; Ennio SoC module; Ennio SoC module reverse side; Ennio internals unhooked]

The SoC is a RaLink RT5350; the data sheet for the chip can be found here… I guess some of the pins on the wide connector are for programming the memory chip (JTAG), I just need to work out which ones.

I’m looking for memory dump options. At first I wanted to mount my NFS server onto the device and dump to a file there; however, that won’t work due to NFS being missing from the device. The other option is to dump it to telnet using base64 encoding, then decode it on the other side… Less than ideal but still possible. I need to boot the device up again to figure out what to do next.
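The receiving side of the base64-over-telnet dump described above, as an added example that is not from the original post: it pulls the encoded image out of a logged session and rejects console noise or a truncated capture instead of writing a corrupt file. The BEGIN/END markers, the `/tmp/image.bin` path and the sample session are constructed assumptions.

```python
import base64
import binascii
import hashlib
import re

# Assumed markers, echoed on the device before and after the base64 output.
BEGIN, END = "-----BEGIN DUMP-----", "-----END DUMP-----"
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_dump(session: str) -> bytes:
    """Recover the binary image from a logged telnet session."""
    # Telnet delivers CRLF line endings; normalise before matching.
    lines = [ln.strip() for ln in session.replace("\r", "").split("\n")]
    try:
        start = lines.index(BEGIN) + 1   # exact match skips the echoed command
        stop = lines.index(END, start)
    except ValueError:
        raise ValueError("dump markers missing: capture is incomplete") from None
    payload = []
    for number, line in enumerate(lines[start:stop], start + 1):
        if not line:
            continue
        if not B64_LINE.fullmatch(line):
            # Console noise inside the dump would silently corrupt the image.
            raise ValueError(f"line {number}: not base64: {line!r}")
        payload.append(line)
    try:
        return base64.b64decode("".join(payload), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"truncated or corrupted dump: {exc}") from None


def build_session(image: bytes) -> str:
    """Constructed sample: what the logged session might look like."""
    body = base64.encodebytes(image).decode().replace("\n", "\r\n")
    cmd = f"# echo {BEGIN}; base64 /tmp/image.bin; echo {END}\r\n"
    return f"login ok\r\n{cmd}{BEGIN}\r\n{body}{END}\r\n# \r\n"


if __name__ == "__main__":
    image = bytes(range(256)) * 4          # constructed stand-in for flash contents
    recovered = extract_dump(build_session(image))
    # Compare against a checksum computed on the device before trusting the file.
    print(len(recovered), hashlib.sha256(recovered).hexdigest())
```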

Setting up a cross compile toolchain to build new binaries might be the best option for getting what I need out of this thing.

Hacking the Ennio Wifi Doorbell

I recently purchased an Ennio Wifi Doorbell in order to have a doorbell, and also have an outdoor front of house security camera. It seemed like pretty much the only option available.

The camera is fairly easy to set up in the way it was intended. Install an app from the app store, and pair it (with magic, or zeroconf/bonjour) with your phone.

When the button is pushed a push notification arrives on your phone. I’m not quite sure how this happens yet but I’ll dig further. The camera sends a photo with the push notification and also allows streaming of video from the camera.

As far as I can tell both of these things work over 3G as well as Wifi flawlessly with a horrifying app UI.

First things first, is it secure?

With this thing going on the front of my house I want to know if it’s possible to break into it or in some other way use it to break into my network.

The short answer: this device is about as secure as a wet paper bag with a block of gold in it. This, although a major downside from a consumer perspective, leaves many open opportunities for the hardware hacker. Continue reading →

io_export_diffmap & MetaMorph: Resurrecting a dead project.

It seems that the original author of io_export_diffmap for Blender and MetaMorph for Unity has killed the original website, and various scant ramblings on forums have led me to discover that it is essentially an orphaned project now. I’ve decided to take it on, update it to Blender 2.74 and start work on porting the JavaScript to C# for Unity5. My work is stored over at GitHub as usual. Continue reading →

Update: ESP8266 WiFi server complete (enough)…

So a new Arduino arrived today after the connectors gave out on my older ones. It’s a cheap UNO clone and will be followed by a selection of Nanos for various coming projects. I added support to my ESP8266 project for lightsOn, lightsOff, and setting a value for the lights on, which can be found in the GitHub repo. The server responds with a simple JSON string explaining the current state of the light, and can be adjusted by sending particular HTTP requests. Continue reading →

Kernel hacking for the RFM12B

I’ve been busying myself with fixing up and adapting the RFM12B Linux driver. My first thought was simply to give people support for sending and listening for OOK signals as an extension, then taking the device support in the rtl_433 decoder to extend the RFM12B driver to include lots of OOK device support for things like weather stations and energy monitors.

JeeLib already does most of this work on Arduino so for the most part this is simply a matter of joining lots and lots of code together from different places and making sure it sits right. I’ve decided that in order to do this it would probably be better to re-write the driver while trying to fix some of the original driver’s TODO list along the way.

The driver will loosely allow:

  • Compatibility with the original RFM12B driver & original JeeLib compatibility.
  • Send OOK, FSK messages to devices.
  • Listen for OOK, FSK messages from devices.
  • Set tuning to a specific frequency.

Continue reading →

Fitted Salus RT800RF

Fitted the Salus RT500RF today, this wasn’t such a difficult job but I did blow two fuses following bad advice. The wiring of my Vaillant Turbomax doesn’t require bridging the COM and Live as suggested in many online videos, nor do I need to add a LOAD resistor between pins 4 and 5 on the boiler.

Here’s a simple diagram to demonstrate how to connect the Salus RT500RF to a Vaillant. Now simply when pins 3 & 4 of the Vaillant are bridged they will start the boiler up. An optional pipe thermostat to switch the boiler off if the pipe overheats can be inserted in between pins 3 on the Vaillant and N/O on the Salus RT500RF.

Now I’m getting ready to start sniffing the airwaves with my SDR and my RFM12B to see what I can do. All I really want is to set/get the current state of the boiler.


Upgrades… Salus RT500RF 868MHz wireless boiler control

I’ve just received a Salus RT500RF in the post. I’m pretty much all prepared to hack this thing; at first I’ll sniff the airwaves with the RTL-SDR and try and get a handle on how it works. There’s been at least one blog article regarding this unit so I’ll also have a dig around them and see what they can tell me too. The idea is to get the Raspberry Pi with the 868MHz RFM12B to send a signal to turn the heating system on/off, and if possible, interrogate the current state of the boiler.

This will be the first stage in smartening up the house. The OWL CM160 and the Salus RT500RF are the first devices that I’m going to mess with as they’re the most useful to me right away. Next I’ll be turning my hand to Oregon Scientific weather sensors, Wireless door bells and other hardware on the 433/868 bands. These bands of course are used in Europe and some other locations, the equivalent is 315/915 for the US. So if you’re following my work then make sure you pick up the right bands for your location. It’s always best to buy radio transmitters and receivers in your own country because the likelihood of anything being on sale which isn’t allowed is reduced.


New toys! ESP8266

So it seems that since the Arduino WiFi module was a complete failure in the teasmade (well not complete, just unreliable and who wants their tea to be unreliable), I ordered a couple of ESP8266s. These are quite a hot topic at the moment; basically it’s just a serial port over wifi.

The intention is to control my book case lighting with them, so I want to do a few things while testing. Firstly the initial concept is to be able to send a RESTful command to turn a light on/off. Simple enough. Second I want to be able to send a value and have the lights set to that value e.g. 255 which will set the brightness. Third, I want to be able to have the ESP8266 send a RESTful command to a PHP test server elsewhere on the network. Finally, I want to be able to send a “status” message in JSON on request. Continue reading →

RFM12B-Linux on the Raspberry Pi B2 – GPIO_BASE

Thanks to impshum digging around with epic Google-fu I found the correct GPIO_BASE for the Raspberry Pi B2. Raspberry Pi used to have a peripheral base address of 0x20000000, now it’s 0x37000000 on the B2, so the GPIO peripheral address is 0x37200000, which has broken the odd GPIO based product (including the HotPi). I’ve added a pull request to RFM12B-Linux and that should be that. I still need to merge in changes for OOK and see if that works and of course, figure out how to set the frequency to listen/transmit on.

RFM12Bs will soon become a must-add hardware to the Raspberry Pi, I just need to get that software working :). It’s a great piece of kit, and the code already in GitHub is a good jumping off point. I’ve merged in an OOK sender fork, and I’ll be adding code to put the device into OOK listen mode. All of this is controlled via ioctl. Essentially with the little RFM12Bs hooked directly into the Raspberry Pi GPIO port’s SPI pins you’ll have the ability to mess with anything out there which uses 433/434MHz, or 315MHz if you’re in the US, or 915MHz or 868MHz, whatever HopeRF board matches with your location’s radio standards.

At present I’m looking at getting the OWL to work because I already understand most of that. Next I’ll be looking at getting RF light sockets, lightwaveRF devices, indoor/outdoor weather sensors and even doorbells into the supported devices list.
