Ennio wifi doorbell brief follow-up

ennio cameraA few interested netizens have been in touch regarding the Ennio doorbell. The device isn’t an impenetrable box quite the opposite. It’s built on top of OpenWRT by the looks of things and here’s what we know.

It’s core is a NixCore X1 (datasheet)

As per the datasheet UART PINS 39 and 40 can be used to connect to the device by connecting to a Raspberry Pi providing a serial console and flashing can be achieved via TFTPD.

The camera is a UVC camera which makes things fairly simple to get into.

What we need to achieve next is a full mapping of GPIO pins to input output functions; e.g. GPIO14 = Doorbell (just a guess).

I’m hoping to get some kind of build system up and running and a github project to host it. I’ll even write up some custom software so you can free your doorbell from whatever security problems exist on the other side of it (amazon cloud).

What needs GPIO mapping.

  • Touch button
  • Blue LED for button (is this controllable)
  • Light Sensor
  • IR LEDs
  • Relay port

What we’re uncertain of 

  • Microphone input configuration
  • Speaker output configuration

Ennio Wifi Doorbell: The saga continues.

ennio cameraI managed to get around to playing with the Ennio wifi doorbell a little more, trying to figure out how all of it works. It seems I have to learn a few things about UDP, however with a quick and dirty tcpdump on my openwrt router (which I was hacking in other ways earlier) to an NFS share on my RAID I managed to collect a chunk of worthwhile data while my phone interacted with the camera.

Capture results

As far as I can tell without capturing all of the data of all of the interactions it goes something like this:

  • Phone sends a broadcast request of some kind and the doorbell responds with a packet with it’s name to the UDP port specified by the initial contact.
  • The phone logs into the device using the username and password provided by doing by sending a hex encoded ASCII string, with some preamble bytes:

Continue reading →

Hacking the Ennio Wifi Doorbell

ennio cameraI recently purchased a Ennio Wifi Doorbell in order to have a doorbell, and also have an outdoor front of house security camera. It seemed like pretty much the only option available.

The camera is fairly easy to set up in the way it was intended. Install an app from the app store, and pair it (with magic, or zeroconf/bonjour) with your phone.

When the button is pushed a push notification arrives on your phone, I’m not quite sure how this happens yet but I’ll dig further. The camera sends a photo with the push notification and also allows streaming of video from the camera.

As far as I can tell both of these things work over 3G as well as Wifi flawlessly with a horrifying app UI.

First things first, is it secure?

With this thing going on the front of my house I want to know if it’s possible to break into it or in some other way use it to break into my network.

The short answer, this device is about as secure as a wet paper bag with a block of gold in it. This, although a major downside from a consumer perspective, leaves many open opportunities for the hardware hacker. Continue reading →