Ennio Wifi Doorbell: The saga continues.

I managed to get around to playing with the Ennio wifi doorbell a little more, trying to figure out how all of it works. It seems I have to learn a few things about UDP; however, with a quick and dirty tcpdump on my OpenWrt router (which I was hacking in other ways earlier), writing to an NFS share on my RAID, I managed to collect a chunk of worthwhile data while my phone interacted with the camera.

Capture results

As far as I can tell without capturing all of the data of all of the interactions it goes something like this:

  • The phone sends a broadcast request of some kind and the doorbell responds with a packet containing its name, sent to the UDP port specified by the initial contact.
  • The phone then logs into the device with the username and password provided, by sending a hex-encoded ASCII string with some preamble bytes:

GET /check_user.cgi?time=1458683282.755537&Token=00554EE94A724D12B548A9A88B0D5C46&ios=006&loginuse=admin&loginpas=PASSWORD&user=admin&pwd=PASSWORD&

The response is similarly hex-encoded ASCII: result=0; which I believe is actually intended to be JavaScript…

Understanding the mess

This device is quirky to say the least. Essentially, UDP datagrams are used to carry HTTP-style queries, and the responses are decoded as JavaScript: not JSON, but actual JavaScript, lots of it saying things like var this = that; etc… You can even send multiple commands separated by some bytes and you’ll get multiple responses back.
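To make the captured exchange above (the hex-encoded GET with its preamble bytes, and the JavaScript-like reply) easier to inspect, here is an added example of a small decoder; it is my own illustration, not code from the post or from the doorbell vendor. It assumes the preamble is a few non-hex bytes (its real layout is not documented here), uses a constructed sample request built from the query string shown above with placeholder credentials, and a constructed sample reply in the var x = y; style. It masks the two password fields before anything is logged, which is the first thing you want from a capture tool when a device ships credentials in plaintext.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: a few opaque preamble bytes (assumption; the real
# preamble format is undocumented) followed by the hex-encoded ASCII request.
# Credentials are placeholders, as in the post.
REQUEST_TEXT = (
    "GET /check_user.cgi?time=1458683282.755537&Token=00554EE94A724D12B548A9A88B0D5C46"
    "&ios=006&loginuse=admin&loginpas=PASSWORD&user=admin&pwd=PASSWORD&"
)
SAMPLE_REQUEST = b"\x01\x02\x00\x10" + REQUEST_TEXT.encode("ascii").hex().encode("ascii")

# Constructed sample reply in the JavaScript-like style the post describes.
RESPONSE_TEXT = 'result=0;\nvar dev_name="Ennio doorbell";\nvar online=1;'
SAMPLE_RESPONSE = b"\x01\x02\x00\x10" + RESPONSE_TEXT.encode("ascii").hex().encode("ascii")

# The password is sent twice in the query string, under these two names.
SECRET_KEYS = {"loginpas", "pwd"}


def decode_payload(payload: bytes) -> str:
    """Strip the leading preamble and hex-decode the ASCII body.

    Heuristic (assumption): the body starts at the first offset from which every
    remaining byte is a hex digit and the remainder has even length.
    """
    for i in range(len(payload)):
        tail = payload[i:]
        if len(tail) % 2 == 0 and re.fullmatch(rb"[0-9A-Fa-f]+", tail):
            return bytes.fromhex(tail.decode("ascii")).decode("ascii", errors="replace")
    raise ValueError("no hex-encoded body found in datagram")


def parse_request(text: str) -> dict:
    """Split the HTTP-style GET line carried in the datagram into path and params."""
    m = re.match(r"GET\s+(\S+)", text)
    if not m:
        raise ValueError("datagram body is not a GET request")
    parts = urlsplit(m.group(1))
    # parse_qsl silently drops the empty field left by the trailing '&'.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"path": parts.path, "params": params}


def redact(params: dict) -> dict:
    """Return a copy with plaintext credential fields masked, safe for logging."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in params.items()}


def parse_response(text: str) -> dict:
    """Turn the JavaScript-like reply (result=0; var x="y"; ...) into a dict.

    Values are taken up to the first ';', so a quoted value containing ';'
    would be truncated; good enough for the simple replies seen here.
    """
    out = {}
    for stmt in re.finditer(r"(?:var\s+)?(\w+)\s*=\s*(.*?)\s*;", text):
        out[stmt.group(1)] = stmt.group(2).strip('"')
    return out


def summarise(payload: bytes, direction: str) -> dict:
    """Decode one datagram and produce a log-safe summary of it."""
    text = decode_payload(payload)
    if direction == "phone->doorbell":
        req = parse_request(text)
        return {
            "path": req["path"],
            "params": redact(req["params"]),
            # Flag the finding the post makes: credentials travel in the clear.
            "plaintext_credentials": bool(SECRET_KEYS.intersection(req["params"])),
        }
    return {"fields": parse_response(text)}


if __name__ == "__main__":
    print(summarise(SAMPLE_REQUEST, "phone->doorbell"))
    print(summarise(SAMPLE_RESPONSE, "doorbell->phone"))
```

Feed it the UDP payloads pulled out of the pcap (for instance with scapy or a small dpkt loop) and you get the CGI path, the parameter names, and a flag on every datagram that carried the password, without the password itself ending up in your notes.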

I’ve learned a few things since playing around like this. First of all, the password is always supplied twice in the command string, and livestream.cgi initiates the UDP stream to the phone. Meanwhile, talking back to the device actually uses asterisk, which makes me think that asterisk is more heavily involved in this? More investigation is required.

I’m going to spend some time sanitising and decoding the packets, and learning more about the interactions that go along with doorbell push notifications, device online registration, etc… These are the types of data I want to hijack and use in alternative ways.

There are of course some minor impediments to my journey: not being able to hack the binary of the “encoder”, I think it’s called, to change the root password, remove the Google 8.8.8.8 DNS server as the primary, and get the push notifications to do something else… But it looks like it’s fairly safe in so far as it’s not running a UPnP service with DDNS registration and a loophole in the web UI; this has been a common security problem on many IP cams. The worrying thing is that when I disable wifi and use 3G I can still connect to it. My guess is that it registers itself with a service somewhere, most likely the Amazon cloud, and the video is bounced from there somehow.

I haven’t even begun to try and understand how the video is being broadcast, other than that it’s a blast of UDP packets at the phone…

A real fix?

There are lots of security considerations with this device; I think it might actually be best to start rewriting the binary from scratch. Life would be easier if the source code for the IP cam SDK was just made available. There are so many dodgy white box IP cams out there which could be fixed if the firmware was managed on GitHub, or at least somewhere, instead of rotting between the engineers of Shenzhen.

3 Comments

  1. Hi! Great blog, congrats!
    I’m actually interested in this doorbell and I analyzed the Android app to understand how it works. Basically, it uses p2p communications. There is a 3rd party server that is used only to establish the connection between the doorbell and the phone (UDP hole punching). After that, the video stream should go directly from the doorbell to the phone. Keep going with your analysis 😉

  2. Nice read! Have my Ennio now for 2 days and for now I’m not happy with it. If my iPhone is in sleep mode and I push the call button the phone rings, but I have to unlock the phone with my passcode before I can answer the door. This takes too long and the door keeps ringing and I can’t answer it anymore.

    Have found several other apps looking similar (bad looking interface 🙂 ) and one looking better (IP Bell) but that one doesn’t ring at all… Fight is not over yet 🙂

    1. Once I have a better understanding of how to hack it I’m thinking of writing a quick and dirty IP cam streaming API and building it to replace “encoder” which seems to be their all in one server process. Honestly, I think when a company makes something this shitty, they should be forced to reveal all technical specs, in this case the source code should be provided so we can fix the damn thing ourselves.
