Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong. GTV_Hacker:General_disclaimer
This page will be dedicated to a general overview, descriptions, and information related to the Ring Doorbell.
The Ring Doorbell is a wifi connected doorbell with an attached HD camera. The device functions by connecting to a VPN network, then using SIP to transfer H.264 video and audio as a VoIP call.
The Ring Doorbell's design is very similar to the "GS2011M HD Video Application Development Kit". The follow IC's perform a majority of the device's advertised functionality.
- MSP430 - Low Power MCU Used to store Ring Doorbell functionality code
- GS2011MIE - Low Power Gainspan IC Used for WiFi functionality
- OV788 - Omnivision IC Used for HD Video Processing (Omnivision H.264 Video compression chip)
Below is our teardown of the Ring Doorbell.
Below is a pinout diagram of the debug pin headers on the Ring Doorbell. The labels correspond to the various Datasheets for the misc ICs.
A UART connection is available on the ring, upon connecting and pressing a key you will be presented with a "F5->" shell. The following commands are found to work
- toggleIR - Toggle IR LEDS
- gotoStandby - Put Camera In Standby Mode
- buildNumber - Get Build Number
- loadFlashImage - Load Image to GainSpan Flash
- loadMSP430 - Load binary to MSP430
- ring - Ring Doorbell
- setVidRes - Set Video Resolution
- setBitRate - Set Audio Bitrate
- setFrameRate - Set Video Frame Rate
- setBrightness - Set Camera Brightness
- setContrast - Set Camera Contrast
- setSaturation - Set Camera Saturation
- toggleMotion - Toggle Motion Sensor
- setSpeakerVolume - Set Speaker Volume
- setMicVolume - Set Mic Volume
- reboot - Reboot Ring
Stealing WiFi Credentials
Prior to the start of 2016 it was possible to steal a users WiFi credentials if they had a connected Ring Doorbell. This was done by putting the device into "AP Mode", connecting to the "RING-####" provisioning network, then accessing a specific URL which was left over from the GainSpan SDK. The video below demonstrates the bug
Gainspan SDK Pages
The Ring Doorbell contains a number of pages still left in from the GainSpan SDK. The following pages are available after accessing the Ring's AP by pressing the connect button on the back of the doorbell.
- /gainspan/system/sslcertupload - Upload new SSL Cert
- /gainspan/system/fwuploc - Upload new FW
- /gainspan/system/config/network - Network Connection Info
- /gainspan/system/config/httpd - HTTPD Config Info
- /gainspan/system/config/id - Hostname and UID/MAC
- /gainspan/system/config/otafu - OTA Firmware Update Info
- /gainspan/system/prov/ap_list - List Access points and WiFi info
- /gainspan/system/prov/scan_params - Wifi scanning parameters
- /gainspan/system/prov/wps - WPS setup
- /gainspan/system/fsupload - File System Upload
- /gainspan/system/firmware/version - Gainspan Firmware Version Info
- /gainspan/system/api/version - Gainspan API Version
- /eapcerts.html - EAP Certificate Upload
- /gsap.html - Gainspan AP Configuration
- /gsclient.html - Gainspan Client Network Settings
- /gsprov.html - Gainspan Network Device Setup
- /otafu.html - OTA Firmware Update
- /smartplug.html - Gainspan Smartplug Web Application
- /sslcert.html - SSL Certificate Upload
- /tls.html - TLS Web App
Gainspan SDK Pages Video
Below is a video showing the pages accessible on the Ring Doorbell which are mostly just remnants from the GainSpan SDK.
The Ring Doorbell contains an OTA update process which consists of downloading and flashing 2 files. A "###_app.bin" file and a "###_flash.bin" file. The "###" portion is an integer which represents the current build number while the _flash or _app portion of the filename denote what the update file is used for. Updates require authentication but can be acquired by viewing the update URL through the UART port and using the supplied basic-auth along with the update url to download both parts of the firmware update.
- ###_app.bin - This update binary is flashed to the MSP430 and contains the code which handles the Doorbell functionality
- ###_flash.bin - This update binary is flashed to the GainSpan 2011MIE and contains the code needed to provision the device, handle firmware updates and general functionality for WiFi connectivity.