Wifi Video Doorbell Analysis

Recently I decided that a WiFi video doorbell would be a good investment. Since I can be quite penny-pinching, I ordered a generic "TS-IWP708 Wifi Digital Wireless Video Tür Bell". At the time I bought it, it cost around 30 Euros.

Here is my analysis of the device.

  1. Packaging and Content
    1. The Box
      The white box didn't give much information. The top side had the general product name printed on it, and some pictures of the package's contents are on the right side of the carton. Some bar code stickers were on the sides of the box, one of them with "TS-IWP708" printed beneath the code. No producer is named.

      1. Contents of the Box
        1. User's manual (20 pages with coloured illustrations)
        2. Doorbell main unit in a resealable plastic bag.
        3. Mounting frame with a rain shell.
        4. Power adapter, 230 V to 5 V 1 A, with a two-pin header and a big CE logo.
        5. LAN adapter (eight unshielded 17 cm wires with an eight-pin header on one end and an RJ45 female connector on the other).
        6. An adapter consisting of three wires, each 10.5 cm long, with a three-pin header on one side and open ends on the other.
        7. Two pieces of double-sided adhesive tape.
        8. One bag with four cheap screw anchors, cheap screws and a small metal screw.
      2. Remarks:
        1. The manual doesn't have any imprint or licence information.
        2. The doorbell has a glossy, enamel-like finish and a blue touch button for the bell. There are two green LEDs left and right below that button. In the upper region there is the 640×480 camera and six IR LEDs, three on each side of the camera sensor. Speaker and microphone have slots in the casing. On the back there is a recessed reset button. Two stickers on the back indicate "QC passed" and the date of production.
        3. The weather shell, if we can call that porch a shell, has a hole on the bottom. The small screw from 1.1.1.8 is used to fix the doorbell main unit to this casing. A burglar would have an easy job unmounting the bell that way. I'd recommend filling the screw head with epoxy resin if you'd like to keep the device after reading all of this post.
        4. The power cord is ridiculously short for an outdoor doorbell: approximately 80 cm.
        5. The LAN adapter is unshielded, with no twisted pairs. It might cause radio interference if used as is. I guess we should wrap it in aluminium foil when mounting the device.
        6. The three-pin adapter cable is for a door opener. I would use that, and I'll explain this later in 3.2.
    2. Setup
        1. Preparations
          1. On page 7 of the manual you'll find QR codes that should link you directly to Google Play or the App Store. Well, for Android, the link for "Door Phone 4.1" was dead. I found an app called "Door Phone 4.4" (search term: "doorphone") from "ShenZhen Gogo Link Tech.limited", which worked for me.
          2. Caveat: before trying to connect, turn off mobile data on your smartphone. It will probably interfere with the detection of the doorbell (this may be a country-specific effect due to the IP address ranges used for 4G/3G/2G networks).
          3. Now plug in the power adapter that you have previously connected to the back of the doorbell (the two-pin header).
          4. Wait for the doorbell to boot. It will announce "welcome to smart home". After that, wait another 30 seconds, then press the blue doorbell touch button for about five seconds and release it. The bell will talk again: "Network configuration mode, please set it down in five minutes".
          5. As soon as you hear that, a WiFi access point with the SSID "GBELL-{part of the unit's MAC address}" becomes available. Connect to it. The password is 123456789.
          6. Now that you are associated with the AP, open the "Door Phone" app and follow the instructions from the manual on page 9: "Please click here to add bell", then "Search". Tap the text of the detected "GBELL ..." entry.
          7. Now tap the gear-wheel icon and continue to set up the WiFi.
          8. Don't forget to switch your phone back to your home WLAN when the voice tells you to wait a few seconds.
        2. Finalisation
          1. Now that the unit has been set up, you will want to fine-tune it. First turn off the alarm sound in the alarm settings, otherwise you'll probably go crazy.
          2. Mind the "User settings". Keep in mind that the bell app won't accept special characters, and passwords must be longer than six characters but apparently not longer than nine.
          3. Remember this in order to be able to log back in after you have changed the password; otherwise the reset button on the back has to be pressed and you have to start again from the beginning.
    3. Deeper inspections
      1. Services
        1. A port scan of the unit's IP address reveals three open TCP ports (the SERVICE column is only nmap's name lookup for the port number, not a fingerprint of what actually answers):
          PORT STATE SERVICE
          23/tcp open telnet
          81/tcp open hosts2-ns
          8600/tcp open asterix

          1. The telnet service (or shall we call it a backdoor?) can be accessed with the following credentials:
            user: root
            password: 123456
          2. On port 81 there is a web interface that can be accessed with your user credentials. Keep in mind that special characters don't work; they are simply dropped. The interface is more than crappy and should provide five basic functions:
            1. Video stream window: always black, dysfunctional.
            2. WLAN scan: you can scan, but that's all.
            3. Trigger the door opener: pointless if video and audio don't work here.
            4. Audio in: no function.
            5. Audio out: no function.
          3. The purpose of port 8600 is unclear at this point. It seems to be the "go" service used for communicating with the app. I haven't analysed it in depth yet, but it appears to be a monolithic multi-purpose binary. It is definitely not Asterisk: "asterix" is merely the IANA service name registered for port 8600 (ASTERIX, a surveillance data exchange format) and has nothing to do with the Asterisk PBX.
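The telnet finding above is easy to re-check without a telnet client, and the same check doubles as a regression test after any firmware change. The following is an added example, not code from the original post or from the device's maker: a minimal telnet client that answers option negotiation, tries the root/123456 credentials quoted above and reports whether a root shell prompt comes back. The prompt heuristics, the function names and the sample server transcript at the end are the editor's assumptions, not output captured from the doorbell.

```python
"""Added example (not from the original post): probe a telnet service for
the default root/123456 login.  Host, prompt heuristics and the constructed
transcript used by simulate() are assumptions."""
import socket

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_negotiation(data):
    """Split raw telnet bytes into (text, reply, leftover).
    Every DO/WILL request is refused with WONT/DONT so the server falls back
    to plain line mode; SB...SE sub-negotiations are dropped; IAC IAC becomes
    a literal 0xff.  An incomplete trailing command is returned as leftover."""
    text, reply, i = bytearray(), bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break                                   # lone IAC: wait for more
        cmd = data[i + 1]
        if cmd == IAC:
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= len(data):
                break                               # option byte not yet received
            opt = data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            i = end + 2
        else:                                       # NOP, GA, ...: two-byte command
            i += 2
    return bytes(text), bytes(reply), bytes(data[i:])


class LoginProbe:
    """Drives the login dialogue on decoded text.  result stays None until
    the outcome is known: "root-shell", "shell" or "failed"."""

    def __init__(self, user, password):
        self.user, self.password = user, password
        self.buf, self.result = "", None
        self.sent_user = self.sent_pass = False

    def feed(self, text):
        """Consume server text; return bytes to send, or None."""
        self.buf += text
        low = self.buf.lower()
        if "login incorrect" in low or "login failed" in low:
            self.result = "failed"
            return None
        if not self.sent_user and low.rstrip().endswith("login:"):
            self.sent_user, self.buf = True, ""
            return (self.user + "\r\n").encode()
        if self.sent_user and not self.sent_pass and low.rstrip().endswith("password:"):
            self.sent_pass, self.buf = True, ""
            return (self.password + "\r\n").encode()
        if self.sent_pass and self.buf.strip():
            last = self.buf.rstrip().splitlines()[-1]
            if last.endswith("#"):                  # BusyBox ash prompt for uid 0
                self.result = "root-shell"
            elif last.endswith("$"):
                self.result = "shell"
        return None


def telnet_login(host, port=23, user="root", password="123456", timeout=5.0):
    """Live check; returns the probe result, "no-answer" or "closed".
    Only run this against a device you are allowed to test."""
    probe, pending = LoginProbe(user, password), b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while probe.result is None:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                return "no-answer"
            if not chunk:
                return "closed"
            text, reply, pending = strip_negotiation(pending + chunk)
            if reply:
                s.sendall(reply)
            out = probe.feed(text.decode("latin-1"))
            if out:
                s.sendall(out)
    return probe.result


def simulate(server_chunks, user="root", password="123456"):
    """Offline driver over the same code path: returns (result, bytes the
    client would have sent, in order)."""
    probe, pending, sent = LoginProbe(user, password), b"", []
    for chunk in server_chunks:
        text, reply, pending = strip_negotiation(pending + chunk)
        if reply:
            sent.append(reply)
        out = probe.feed(text.decode("latin-1"))
        if out:
            sent.append(out)
        if probe.result is not None:
            break
    return probe.result, sent


# Constructed transcript modelled on a BusyBox telnetd session (not captured
# from the doorbell): DO TERMINAL-TYPE, DO NAWS, WILL ECHO, WILL SUPPRESS-GO-AHEAD,
# the login prompt, the echoed user name plus password prompt, then a shell.
SUCCESS = [
    b"\xff\xfd\x18\xff\xfd\x1f\xff\xfb\x01\xff\xfb\x03\r\n(none) login: ",
    b"root\r\nPassword: ",
    b"\r\n\r\nBusyBox v1.12.1 (2012-11-21 22:17:05 CST) built-in shell (ash)\r\n"
    b"Enter 'help' for a list of built-in commands.\r\n\r\n# ",
]
FAILURE = SUCCESS[:2] + [b"\r\nLogin incorrect\r\n(none) login: "]

if __name__ == "__main__":
    print(simulate(SUCCESS)[0])    # root-shell
    print(simulate(FAILURE)[0])    # failed
```

Refusing every option keeps the server in line mode, which is all a credential probe needs; the root-vs-user distinction rests on the `#`/`$` prompt convention, which holds for BusyBox ash but is a heuristic, so treat "root-shell" as a strong hint and confirm with `id` if you follow up by hand.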
        2. A deeper look into the firmware
          I used the telnet service with root permission to take a deeper look into the firmware. What I found:

          1. It's running BusyBox and Linux
            Surprise: the firmware is built from a Ralink SDK on Linux 2.6 (the kernel identifies the SoC as Ralink, see below), and nowhere in the packaging is there any hint of the GPL licence. No mention of reused code and licences. I notified the producer "Sawful" and Amazon about this. Waiting for an answer.

            # cat /proc/version
            Linux version 2.6.21 (root@mailzxh-desktop) (gcc version 3.4.2) #655 Wed Nov 21 22:21:46 CST 2012
            # busybox
            BusyBox v1.12.1 (2012-11-21 22:17:05 CST) multi-call binary
            Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
            and others. Licensed under GPLv2.
            See source distribution for full notice
          2. Hardware
            1. SoC: Ralink RT5350 (MIPS 24K core with integrated WiFi).
              # cat /proc/cpuinfo 
              system type : Ralink SoC
              processor : 0
              cpu model : MIPS 24K V4.12
              BogoMIPS : 239.10
              wait instruction : yes
              microsecond timers : yes
              tlb_entries : 32
              extra interrupt vector : yes
              hardware watchpoint : yes
              ASEs implemented : mips16 dsp
              VCED exceptions : not available
              VCEI exceptions : not available
              # ls /proc/rt5350 
              gmac skb_free tx_ring rx_ring cp0 esw_cnt
            2. RAM: 32MB
              # cat /proc/meminfo | grep MemTotal
              MemTotal: 29336 kB
            3. Flash
              1. Configuration/partitions
                # cat /proc/mtd 
                dev: size erasesize name
                mtd0: 00800000 00010000 "ALL"
                mtd1: 00030000 00010000 "Bootloader"
                mtd2: 00010000 00010000 "Config"
                mtd3: 00010000 00010000 "Factory"
                mtd4: 00100000 00010000 "Kernel"
                mtd5: 00330000 00010000 "RootFS"
                mtd6: 00300000 00010000 "sys"
                mtd7: 00080000 00010000 "param"

                So this is an 8 MiB flash chip with seven partitions: mtd0 "ALL" (0x800000 bytes) spans the whole chip, and the sizes of mtd1 to mtd7 add up to exactly 0x800000, so mtd0 is only an overlay of the other seven.

                The firmware can be backed up with BusyBox's tftp client. Set up a TFTP server that permits uploads on a machine within the broadcast domain, then on the doorbell run "tftp -p -l /dev/mtdblockN -r [remote file] [IP address of server]" for each /dev/mtdblock* device to push its contents to your server (/proc/mtd only lists the partitions; the raw data lives in /dev/mtdblock0 to /dev/mtdblock7, and mtdblock0 alone already contains the whole chip). Compare the size of each received file with the size column of /proc/mtd before trusting the backup.
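To make the partition arithmetic and the backup procedure above reproducible, here is an added example (the editor's code, not part of the original post): it parses the /proc/mtd listing quoted above, checks that the partitions tile the chip, generates the BusyBox tftp commands to push every mtdblock device to a TFTP server, and verifies the received dump files against the table. The server address 192.168.246.2, the dump file naming scheme and the simulated dump directory are assumptions.

```python
"""Added example (not from the original post): interpret /proc/mtd, emit
BusyBox tftp upload commands and verify the resulting dumps by size.
PROC_MTD is the listing from the post; server IP and file names are assumed."""
import os
import re
import tempfile

PROC_MTD = """\
dev: size erasesize name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00100000 00010000 "Kernel"
mtd5: 00330000 00010000 "RootFS"
mtd6: 00300000 00010000 "sys"
mtd7: 00080000 00010000 "param"
"""

_ROW = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')


def parse_proc_mtd(text):
    """Return [{index, size, erasesize, name}, ...] with sizes in bytes."""
    parts = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            parts.append({"index": int(m.group(1)), "size": int(m.group(2), 16),
                          "erasesize": int(m.group(3), 16), "name": m.group(4)})
    return parts


def check_layout(parts, overlay="ALL"):
    """Do the real partitions add up exactly to the whole-chip overlay?
    Returns (ok, chip_size, sum_of_parts); a mismatch means a gap in the
    table or an overlapping partition."""
    chip = next(p["size"] for p in parts if p["name"] == overlay)
    total = sum(p["size"] for p in parts if p["name"] != overlay)
    return chip == total, chip, total


def dump_name(part, prefix="doorbell_"):
    return "%smtd%d_%s.bin" % (prefix, part["index"], part["name"])


def tftp_put_commands(parts, server_ip, prefix="doorbell_"):
    """Commands to type on the doorbell.  BusyBox tftp: -p put, -l local
    file, -r remote file name, then the server host.  mtdblock0 already holds
    the whole chip; the others are handy for per-partition analysis."""
    return ["tftp -p -l /dev/mtdblock%d -r %s %s"
            % (p["index"], dump_name(p, prefix), server_ip) for p in parts]


def verify_dumps(parts, dump_dir, prefix="doorbell_"):
    """name -> True if the received file exists and has exactly the size
    /proc/mtd reports (a short file usually means a cut-off transfer)."""
    result = {}
    for p in parts:
        path = os.path.join(dump_dir, dump_name(p, prefix))
        result[p["name"]] = os.path.isfile(path) and os.path.getsize(path) == p["size"]
    return result


def demo():
    """Whole flow against a simulated dump directory (sparse files, no real
    data) in which every dump except 'param' has the right size."""
    parts = parse_proc_mtd(PROC_MTD)
    ok, chip, total = check_layout(parts)
    cmds = tftp_put_commands(parts, "192.168.246.2")
    with tempfile.TemporaryDirectory() as d:
        for p in parts:
            with open(os.path.join(d, dump_name(p)), "wb") as f:
                f.truncate(p["size"] - (1 if p["name"] == "param" else 0))
        verified = verify_dumps(parts, d)
    return ok, chip, total, cmds, verified


if __name__ == "__main__":
    ok, chip, total, cmds, verified = demo()
    print("layout consistent:", ok, "chip size:", chip)   # True 8388608
    print("\n".join(cmds))
    print(verified)                                        # all True except 'param'
```

The TFTP server has to be configured to accept new files (for tftpd-hpa that is the `--create` option); otherwise every upload is silently refused and you end up with nothing to verify.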

              2. Partitions mounted as..
                # mount
                rootfs on / type rootfs (rw)
                /dev/root on / type squashfs (ro)
                proc on /proc type proc (rw)
                none on /var type ramfs (rw)
                none on /etc type ramfs (rw)
                none on /tmp type ramfs (rw)
                none on /media type ramfs (rw)
                none on /sys type sysfs (rw)
                none on /dev/pts type devpts (rw)
                /dev/mtdblock6 on /system type jffs2 (rw)
                /dev/mtdblock7 on /param type jffs2 (rw)
            4. WIFI configuration
              iwconfig shows a ra0 RTWIFI SoftAP device and some wds devices. wds0 has the SSID GBELL..., so it seems the GBELL AP is still configured, but I was unable to associate with it; I assume it is just a hidden SSID.
              apcli0 is the client interface to the domestic main AP. I was unable to find a regulatory domain setting for this device. It seems we are restricted to the world domain.
            5. Active network services
              # netstat -aWp
              Active Internet connections (servers and established)
              Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
              tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 133/encoder
              tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 28/telnetd
              tcp 0 0 0.0.0.0:8600 0.0.0.0:* LISTEN 31/go-daemon
              tcp 0 213 192.168.246.1:23 192.168.246.2:32798 ESTABLISHED 28/telnetd
              udp 0 0 127.0.0.1:8832 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:3073 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:3074 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:3075 0.0.0.0:* 133/encoder
              udp 0 0 127.0.0.1:6666 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:8600 0.0.0.0:* 31/go-daemon
              udp 0 0 0.0.0.0:9632 0.0.0.0:* 133/encoder
              udp 0 0 127.0.0.1:9123 0.0.0.0:* 31/go-daemon
              udp 0 0 127.0.0.1:9124 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:67 0.0.0.0:* 102/udhcpd
              udp 0 0 0.0.0.0:32108 0.0.0.0:* 133/encoder
              udp 0 0 127.0.0.1:8813 0.0.0.0:* 133/encoder
              udp 0 0 0.0.0.0:15733 0.0.0.0:* 133/encoder
              udp 0 0 127.0.0.1:8822 0.0.0.0:* 133/encoder
              udp 0 0 127.0.0.1:8831 0.0.0.0:* 30/cmd_thread
              Active UNIX domain sockets (servers and established)
              Proto RefCnt Flags Type State I-Node PID/Program name Path
              1. Binary locations: /system/system/bin:
                # ls -la /system/system/bin
                -rwxr-xr-x 1 0 0 156768 go-daemon
                -rwxr-xr-x 1 0 0 8260 cmd_thread
                -rwxr-xr-x 1 0 0 877540 encoder
                drwxrwxrwx 5 0 0 0 ..
                drwxrwxrwx 2 0 0 0 .
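The netstat listing above mixes loopback-only sockets with ones reachable from the WLAN, and the three binaries in /system/system/bin own almost all of them. The following added example (the editor's code, not from the original post) sorts the listing by exposure and owning program, so the attack surface a neighbour on the WiFi actually sees is separated from inter-process plumbing on 127.0.0.1. NETSTAT is the listing from the post; the per-port notes are the editor's reading of it, and the one about udhcpd is an inference, labelled as such.

```python
"""Added example (not from the original post): classify the doorbell's
`netstat -aWp` output by exposure and program.  NETSTAT is copied from the
post; the KNOWN notes are the editor's summary of the post's findings."""
from collections import defaultdict

NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 133/encoder
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 28/telnetd
tcp 0 0 0.0.0.0:8600 0.0.0.0:* LISTEN 31/go-daemon
tcp 0 213 192.168.246.1:23 192.168.246.2:32798 ESTABLISHED 28/telnetd
udp 0 0 127.0.0.1:8832 0.0.0.0:* 133/encoder
udp 0 0 0.0.0.0:3073 0.0.0.0:* 133/encoder
udp 0 0 0.0.0.0:3074 0.0.0.0:* 133/encoder
udp 0 0 0.0.0.0:3075 0.0.0.0:* 133/encoder
udp 0 0 127.0.0.1:6666 0.0.0.0:* 133/encoder
udp 0 0 0.0.0.0:8600 0.0.0.0:* 31/go-daemon
udp 0 0 0.0.0.0:9632 0.0.0.0:* 133/encoder
udp 0 0 127.0.0.1:9123 0.0.0.0:* 31/go-daemon
udp 0 0 127.0.0.1:9124 0.0.0.0:* 133/encoder
udp 0 0 0.0.0.0:67 0.0.0.0:* 102/udhcpd
udp 0 0 0.0.0.0:32108 0.0.0.0:* 133/encoder
udp 0 0 127.0.0.1:8813 0.0.0.0:* 133/encoder
udp 0 0 0.0.0.0:15733 0.0.0.0:* 133/encoder
udp 0 0 127.0.0.1:8822 0.0.0.0:* 133/encoder
udp 0 0 127.0.0.1:8831 0.0.0.0:* 30/cmd_thread
"""


def parse_netstat(text):
    """One dict per tcp/udp row.  UDP rows have no State column, so the
    PID/Program field is taken from the end of the line, not a fixed index."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] not in ("tcp", "udp"):
            continue
        ip, _, port = tok[3].rpartition(":")
        pid, _, prog = tok[-1].partition("/")
        rows.append({"proto": tok[0], "ip": ip, "port": int(port), "foreign": tok[4],
                     "state": tok[5] if len(tok) == 7 else "",
                     "pid": int(pid) if pid.isdigit() else None, "program": prog or "?"})
    return rows


def bound_sockets(rows):
    """Sockets that accept input: TCP listeners plus every bound UDP socket
    (UDP has no LISTEN state; a bound socket is reachable as soon as it exists)."""
    return [r for r in rows
            if r["proto"] == "udp" or (r["proto"] == "tcp" and r["state"] == "LISTEN")]


def by_exposure(rows):
    """Return (exposed, internal), each program -> {"tcp": ports, "udp": ports}.
    Anything bound to 0.0.0.0 or an interface address is reachable from the
    WLAN; 127.0.0.1 is reachable only by processes on the device itself."""
    exposed = defaultdict(lambda: {"tcp": [], "udp": []})
    internal = defaultdict(lambda: {"tcp": [], "udp": []})
    for r in bound_sockets(rows):
        bucket = internal if r["ip"].startswith("127.") else exposed
        bucket[r["program"]][r["proto"]].append(r["port"])

    def tidy(d):
        return {prog: {p: sorted(v) for p, v in m.items()} for prog, m in d.items()}
    return tidy(exposed), tidy(internal)


# What the post established about the exposed ports; everything else is unknown.
KNOWN = {
    ("tcp", 23): "telnetd, cleartext login, root/123456 gives a root shell",
    ("tcp", 81): "encoder web interface (snapshot.cgi)",
    ("tcp", 8600): "go-daemon, used by the app, protocol not yet analysed",
    ("udp", 8600): "go-daemon, used by the app, protocol not yet analysed",
    ("udp", 67): "udhcpd, a DHCP server is still running (editor's inference: "
                 "it serves clients of the unit's own GBELL AP)",
}


def exposure_report(rows):
    """One human-readable line per network-reachable socket."""
    exposed, _ = by_exposure(rows)
    lines = []
    for prog in sorted(exposed):
        for proto in ("tcp", "udp"):
            for port in exposed[prog][proto]:
                note = KNOWN.get((proto, port), "purpose not identified in the post")
                lines.append("%s/%-5d %-10s %s" % (proto, port, prog, note))
    return lines


if __name__ == "__main__":
    print("\n".join(exposure_report(parse_netstat(NETSTAT))))
```

Run against the listing from the post this yields eleven network-reachable sockets, eight of them UDP ports of the encoder and go-daemon whose purpose the post has not established; those are the first candidates for fuzzing or for watching with tcpdump while the app is in use.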
            6. Camera:
              A snapshot from the camera can be retrieved from the following URL (with the credentials you chose):
              http://192.168.246.1:81/snapshot.cgi
              According to the output of "strings encoder" on my PC, videostream.cgi should be the corresponding URL for MJPEG streaming. It does not work for me right now; the reasons are yet to be investigated.
          3. Security flaws
            1. Telnet with trivial credentials giving root privileges.
            2. The WDS setup is probably susceptible to the WPA KRACK attack (yet to be tested). If a hostapd is built into the go-daemon binary, it would likely be affected, given the age of the firmware and the fact that WDS configurations are used. Mitigating KRACK requires not only fixing the AP but also patching most of the clients against key reinstallation attacks, and it is to be expected that many smart home gadgets have never received such an update.
    4. Conclusions
      This is one of the cheapest WiFi doorbell devices. While the main unit is of a good design and of surprisingly high quality at first glance, the accessories are of surprisingly low quality.

      The manual is no longer up to date. It also lacks any licence information. The manufacturer does not currently publish the SDK used to create the binaries, which contain at least a Linux kernel and BusyBox code; both are released under the GNU General Public License. We'll see whether the manufacturer or Amazon reacts to that GPL violation hint.

      From a security perspective, a telnet daemon with root credentials that the user cannot change is an absolute no-go today, as it was 15 years ago. I found an article from Pentest Partners. The guys there analysed a Maginon IPC-20C that was built on just about the same SDK/framework; that article has been around for a while now. See: Hacking the IP camera (part 1).

      The doorbell would be much more comfortable to use if the German translation of the Gogo Link Door Phone app were a little better. There are also some untranslated Chinese characters. It would be even better if the device came with a fully featured, working web interface. It does not. Depending on an app that already seems to have vanished from Google Play in order to configure the doorbell is quite annoying.

      From a developer's perspective, the device is quite interesting. I'll have to look for some "Asterisk Camera Tools" that speak the protocol of the go-daemon, which seems to be a static binary containing all necessary functions, including a hostapd-alike (or even hostapd itself), or I'll have to find a way to get Open IP Cam running on the device. We'll see.
