Ring Doorbell

From Exploitee.rs

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."

(Image: Ring-doorbell.jpg)

This page will be dedicated to a general overview, descriptions, and information related to the Ring Doorbell.

About

The Ring Doorbell is a WiFi-connected doorbell with an attached HD camera. The device works by connecting to a VPN, then using SIP to carry H.264 video and audio as a VoIP call.

Hardware

The Ring Doorbell's design is very similar to the "GS2011M HD Video Application Development Kit". The following ICs perform the majority of the device's advertised functionality.

  • MSP430 - Low-power MCU used to store the Ring Doorbell functionality code
  • GS2011MIE - Low-power GainSpan IC used for WiFi functionality
  • OV788 - OmniVision IC used for HD video processing (OmniVision H.264 video compression chip)

Disassembly

Below is our teardown of the Ring Doorbell.

Hardware Pinouts

Below is a pinout diagram of the debug pin headers on the Ring Doorbell. The labels correspond to those used in the datasheets of the various ICs.

UART

A UART connection is available on the Ring; upon connecting and pressing a key you will be presented with an "F5->" shell. The following commands are found to work:

  • toggleIR - Toggle IR LEDs
  • ovOn
  • ovOff
  • ovResetHigh
  • ovResetLow
  • bootOv
  • resetMsp
  • callMeMaybe
  • gotoStandby - Put Camera In Standby Mode
  • buildNumber - Get Build Number
  • loadFlashImage - Load Image to GainSpan Flash
  • loadMSP430 - Load binary to MSP430
  • getPot
  • ring - Ring Doorbell
  • setVidRes - Set Video Resolution
  • setBitRate - Set Audio Bitrate
  • setFrameRate - Set Video Frame Rate
  • setBrightness - Set Camera Brightness
  • setContrast - Set Camera Contrast
  • setSaturation - Set Camera Saturation
  • setOvRegister
  • setLowLossThresh
  • setHighLossThresh
  • setL2Retries
  • setHwVersion
  • notifyOn
  • notifyOff
  • toggleMotion - Toggle Motion Sensor
  • setSpeakerVolume - Set Speaker Volume
  • setMicVolume - Set Mic Volume
  • getMotionData
  • getJpegImage
  • reboot - Reboot Ring

Stealing WiFi Credentials

Prior to the start of 2016 it was possible to steal a user's WiFi credentials if they had a connected Ring Doorbell. This was done by putting the device into "AP Mode", connecting to the "RING-####" provisioning network, then accessing a specific URL left over from the GainSpan SDK. The video below demonstrates the bug.

Gainspan SDK Pages

The Ring Doorbell contains a number of pages still left in from the GainSpan SDK. The following pages are available after accessing the Ring's AP by pressing the connect button on the back of the doorbell.

  • /gainspan/system/sslcertupload - Upload new SSL Cert
  • /gainspan/system/fwuploc - Upload new FW
  • /gainspan/system/config/network - Network Connection Info
  • /gainspan/system/config/httpd - HTTPD Config Info
  • /gainspan/system/config/id - Hostname and UID/MAC
  • /gainspan/system/config/otafu - OTA Firmware Update Info
  • /gainspan/system/prov/ap_list - List access points and WiFi info
  • /gainspan/system/prov/scan_params - WiFi scanning parameters
  • /gainspan/system/prov/wps - WPS setup
  • /gainspan/system/fsupload - File System Upload
  • /gainspan/system/firmware/version - Gainspan Firmware Version Info
  • /gainspan/system/api/version - Gainspan API Version
  • /eapcerts.html - EAP Certificate Upload
  • /gsap.html - Gainspan AP Configuration
  • /gsclient.html - Gainspan Client Network Settings
  • /gsprov.html - Gainspan Network Device Setup
  • /otafu.html - OTA Firmware Update
  • /smartplug.html - Gainspan Smartplug Web Application
  • /sslcert.html - SSL Certificate Upload
  • /tls.html - TLS Web App

Gainspan SDK Pages Video

Below is a video showing the pages accessible on the Ring Doorbell which are mostly just remnants from the GainSpan SDK.

Firmware Updates

The Ring Doorbell has an OTA update process which consists of downloading and flashing two files: a "###_app.bin" file and a "###_flash.bin" file. The "###" portion is an integer representing the current build number, while the _flash or _app portion of the filename denotes what the update file is used for. Updates require authentication, but they can be acquired by viewing the update URL through the UART port and using the supplied basic-auth credentials along with the update URL to download both parts of the firmware update.

  • ###_app.bin - This update binary is flashed to the MSP430 and contains the code which handles the doorbell functionality.
  • ###_flash.bin - This update binary is flashed to the GainSpan GS2011MIE and contains the code needed to provision the device, handle firmware updates, and general functionality for WiFi connectivity.
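As an added example (not part of the original page or Ring's own tooling), the following Python parses the "###_app.bin" / "###_flash.bin" naming scheme described above, maps each part to the IC it is flashed to, and flags builds for which only one of the two parts is present. The sample file listing and its build numbers are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Filename pattern from the page: "<build>_app.bin" or "<build>_flash.bin".
_OTA_NAME = re.compile(r"^(?P<build>\d+)_(?P<part>app|flash)\.bin$")

# Which IC each part is flashed to, as described on this page.
TARGET_IC = {"app": "MSP430", "flash": "GS2011MIE"}


@dataclass(frozen=True)
class OtaPart:
    build: int
    part: str    # "app" or "flash"
    target: str  # IC the part is written to


def parse_ota_filename(name: str) -> Optional[OtaPart]:
    """Return build number, part and target IC for a Ring OTA filename, or None
    if the name does not match the documented "<build>_app.bin" /
    "<build>_flash.bin" form (non-numeric build, unknown part, other suffix)."""
    m = _OTA_NAME.match(name)
    if not m:
        return None
    part = m.group("part")
    return OtaPart(int(m.group("build")), part, TARGET_IC[part])


def pair_ota_parts(names: List[str]) -> Dict[int, Dict[str, str]]:
    """Group OTA filenames by build number and record which parts are present.
    A complete update needs both 'app' and 'flash' for the same build; a build
    lacking one is marked 'MISSING' so an incomplete or mismatched update set
    is visible at a glance. Non-OTA filenames are ignored."""
    builds: Dict[int, Dict[str, str]] = {}
    for name in names:
        p = parse_ota_filename(name)
        if p is None:
            continue
        builds.setdefault(p.build, {})[p.part] = name
    for parts in builds.values():
        for part in ("app", "flash"):
            parts.setdefault(part, "MISSING")
    return builds


# Constructed sample listing; build numbers are made up, not real Ring builds.
SAMPLE_FILES = ["1234_app.bin", "1234_flash.bin", "1235_flash.bin", "readme.txt"]

if __name__ == "__main__":
    for build, parts in sorted(pair_ota_parts(SAMPLE_FILES).items()):
        print(build, parts)
```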