Ennio Wifi Doorbell: The saga continues.

ennio cameraI managed to get around to playing with the Ennio wifi doorbell a little more, trying to figure out how all of it works. It seems I have to learn a few things about UDP, however with a quick and dirty tcpdump on my openwrt router (which I was hacking in other ways earlier) to an NFS share on my RAID I managed to collect a chunk of worthwhile data while my phone interacted with the camera.

Capture results

As far as I can tell without capturing all of the data of all of the interactions it goes something like this:

  • Phone sends a broadcast request of some kind and the doorbell responds with a packet with it’s name to the UDP port specified by the initial contact.
  • The phone logs into the device using the username and password provided by doing by sending a hex encoded ASCII string, with some preamble bytes:

Continue reading →

Ennio Doorbell internal teardown

Here are the results of taking apart the Ennio wifi doorbell. I haven’t had a chance to dump the memory from this device yet, but I received a request to take some photos of the internals. Here are those photos;
Ennio memory chip Ennio camera module Ennio main board reverse side Ennio SoC module Ennio SoC module reverse side. Ennio internals unhooked

 

 

 

 

 

 

 

 

 

 

The SoC is a RaLink RT5350, the data sheet for the chip can be found here. I guess some of the pins on the wide connector are for programming the memory chip (JTAG). I just need to work out which ones.

I’m looking for memory dump options, at first I wanted to mount my NFS server onto the device and dump to a file there, however that won’t work due to NFS being missing from the device. The other option is to dump it to telnet using base64 encoding, then decode it on the other side… This would be less than ideal but still possible. I need to boot the device up again to figure out what to do next.

Setting up a cross compile toolchain to build new binaries might be the best option for getting what I need out of this thing. Although I doubt the source code for the IPCam will be available to me.

The most important thing for me to do is to disable the wifi hardware. Once disabled it’s safe to actually put the hardware on the wall outside. I will likely need to take it down at some point, if I intend to flash the memory. I still wouldn’t recommend buying an Ennio wifi doorbell, or any of the variations out there. The failure point is the OS which is a black box of obscurity over security. I would love to have the time to develop a better open-source OS to run on these things which would work on foscam, wansview and others too. Like OpenWRT but for IPCams.