Difference between revisions of "Ring Doorbell"

From Exploitee.rs
Line 36: Line 36:
File:Ring-Doorbell-Pinouts.jpg
File:Ring-Doorbell-Pinouts.jpg
</gallery>
</gallery>
== UART ==
A UART connection is available on the ring, upon connecting and pressing a key you will be presented with a "F5->" shell. The following commands are found to work
* toggleIR - '''Toggle IR LEDS'''
* ovOn
* ovOff
* ovResetHigh
* ovResetLow
* bootOv
* resetMsp
* callMeMaybe
* gotoStandby - '''Put Camera In Standby Mode'''
* buildNumber - '''Get Build Number'''
* loadFlashImage - '''Load Image to GainSpan Flash'''
* loadMSP430 - '''Load binary to MSP430'''
* getPot
* ring - '''Ring Doorbell'''
* setVidRes - '''Set Video Resolution'''
* setBitRate - '''Set Audio Bitrate'''
* setFrameRate - '''Set Video Frame Rate'''
* setBrightness - '''Set Camera Brightness'''
* setContrast - '''Set Camera Contrast'''
* setSaturation - '''Set Camera Saturation'''
* setOvRegister
* setLowLossThresh
* setHighLossThresh
* setL2Retries
* setHwVersion
* notifyOn
* notifyOff
* toggleMotion - '''Toggle Motion Sensor'''
* setSpeakerVolume - '''Set Speaker Volume'''
* setMicVolume - '''Set Mic Volume'''
* getMotionData
* getJpegImage
* reboot - '''Reboot Ring'''


== Stealing WiFi Credentials ==
== Stealing WiFi Credentials ==
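Review bot: In the command list of the new UART section, loadFlashImage and loadMSP430 are described as loading an image to the GainSpan flash and a binary to the MSP430, but nothing sets them apart as the entries that modify firmware; add a short caution next to those two. About half of the entries (ovOn, ovOff, bootOv, callMeMaybe, getPot, setOvRegister, setHwVersion and others) carry no description while the rest do, so either describe them or say they are untested. The intro sentence is also a comma splice ("available on the ring, upon connecting") and ends without punctuation before the list.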

Revision as of 14:28, 15 January 2016

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."


This page will be dedicated to a general overview, descriptions, and information related to the Ring Doorbell.

About

The Ring Doorbell is a WiFi-connected doorbell with an attached HD camera.

Disassembly

Below is our teardown of the Ring Doorbell.

Hardware Pinouts

Below is a pinout diagram of the debug pin headers on the Ring Doorbell. The labels correspond to the datasheets for the various ICs.

UART

A UART connection is available on the Ring. Upon connecting and pressing a key, you will be presented with an "F5->" shell. The following commands are found to work:

  • toggleIR - Toggle IR LEDs
  • ovOn
  • ovOff
  • ovResetHigh
  • ovResetLow
  • bootOv
  • resetMsp
  • callMeMaybe
  • gotoStandby - Put Camera In Standby Mode
  • buildNumber - Get Build Number
  • loadFlashImage - Load Image to GainSpan Flash
  • loadMSP430 - Load binary to MSP430
  • getPot
  • ring - Ring Doorbell
  • setVidRes - Set Video Resolution
  • setBitRate - Set Audio Bitrate
  • setFrameRate - Set Video Frame Rate
  • setBrightness - Set Camera Brightness
  • setContrast - Set Camera Contrast
  • setSaturation - Set Camera Saturation
  • setOvRegister
  • setLowLossThresh
  • setHighLossThresh
  • setL2Retries
  • setHwVersion
  • notifyOn
  • notifyOff
  • toggleMotion - Toggle Motion Sensor
  • setSpeakerVolume - Set Speaker Volume
  • setMicVolume - Set Mic Volume
  • getMotionData
  • getJpegImage
  • reboot - Reboot Ring

Stealing WiFi Credentials

Prior to the start of 2016, it was possible to steal a user's WiFi credentials if they had a connected Ring Doorbell. This was done by putting the device into "AP Mode", connecting to the "RING-####" provisioning network, then accessing a specific URL which was left over from the GainSpan SDK. The video below demonstrates the bug.

GainSpan SDK Pages

The Ring Doorbell contains a number of pages still left in from the GainSpan SDK. The following pages are available after accessing the Ring's AP by pressing the connect button on the back of the doorbell.

  • /gainspan/system/sslcertupload - Upload new SSL Cert
  • /gainspan/system/fwuploc - Upload new FW
  • /gainspan/system/config/network - Network Connection Info
  • /gainspan/system/config/httpd - HTTPD Config Info
  • /gainspan/system/config/id - Hostname and UID/MAC
  • /gainspan/system/config/otafu - OTA Firmware Update Info
  • /gainspan/system/prov/ap_list - List Access points and WiFi info
  • /gainspan/system/prov/scan_params - WiFi scanning parameters
  • /gainspan/system/prov/wps - WPS setup
  • /gainspan/system/fsupload - File System Upload
  • /gainspan/system/firmware/version - Gainspan Firmware Version Info
  • /gainspan/system/api/version - Gainspan API Version
  • /eapcerts.html - EAP Certificate Upload
  • /gsap.html - Gainspan AP Configuration
  • /gsclient.html - Gainspan Client Network Settings
  • /gsprov.html - Gainspan Network Device Setup
  • /otafu.html - OTA Firmware Update
  • /smartplug.html - Gainspan Smartplug Web Application
  • /sslcert.html - SSL Certificate Upload
  • /tls.html - TLS Web App
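
For a firmware team, the list above translates into a release check: no SDK remnant should remain in the route manifest of a shipping build. The following is an added example, not code from Exploitee.rs, Ring or GainSpan; the severity labels, the sample manifest and the "/setup" route are assumptions made for illustration.

```python
"""Release-gate check: flag GainSpan SDK remnants in a device's HTTP route manifest."""
import re
from urllib.parse import unquote

# Patterns built from the paths listed on this page; severity labels are this example's own.
RULES = [
    ("write", re.compile(r"^/gainspan/system/(sslcertupload|fwuploc|fsupload)$")),
    ("write", re.compile(r"^/(eapcerts|sslcert|otafu)\.html$")),
    ("disclosure", re.compile(r"^/gainspan/system/(config|prov)/")),
    ("disclosure", re.compile(r"^/gainspan/system/(firmware|api)/version$")),
    ("remnant", re.compile(r"^/(gsap|gsclient|gsprov|smartplug|tls)\.html$")),
    ("remnant", re.compile(r"^/gainspan/")),  # anything else under the SDK tree
]
ORDER = {"write": 0, "disclosure": 1, "remnant": 2}

def normalize(route):
    """Drop query/fragment, decode %xx, collapse slashes, lowercase (deliberately over-matches)."""
    path = unquote(route.split("?", 1)[0].split("#", 1)[0]).strip()
    path = re.sub(r"/+", "/", path)
    if len(path) > 1:
        path = path.rstrip("/")
    return path.lower()

def audit(routes, allowed=()):
    """Return sorted (severity, path) findings for routes that match an SDK pattern."""
    allowed = {normalize(a) for a in allowed}
    findings = set()
    for raw in routes:
        path = normalize(raw)
        if path in allowed:
            continue
        for severity, pattern in RULES:
            if pattern.search(path):
                findings.add((severity, path))
                break  # first (most severe) matching rule wins
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1]))

def gate(routes, allowed=()):
    """True only when the build exposes no SDK remnant at all."""
    return not audit(routes, allowed)

# Constructed manifest for illustration; not taken from a real firmware image.
SAMPLE = ["/setup", "/index.html", "/gainspan/system/config/network",
          "/GainSpan/system/fwuploc/", "/gsprov.html?step=1",
          "//gainspan/system/prov/ap_list", "/gainspan/system/constructed-extra"]

if __name__ == "__main__":
    for severity, path in audit(SAMPLE):
        print(f"{severity:<10} {path}")
    print("gate:", "PASS" if gate(SAMPLE) else "FAIL")
```
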

GainSpan SDK Pages Video

Below is a video showing the pages accessible on the Ring Doorbell, which are mostly just remnants from the GainSpan SDK.