From e6b05b95041ab38f330097c65799c1a94bb82954 Mon Sep 17 00:00:00 2001
From: Conor Horan-Kates
Date: Wed, 21 Jun 2017 22:33:28 -0700
Subject: [PATCH] adding WiP weemo
---
 README.md | 3 +-
 weemo/README.md | 172 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 174 insertions(+), 1 deletion(-)
 create mode 100644 weemo/README.md
diff --git a/README.md b/README.md
index 3fcfbba..6485264 100644
--- a/README.md
+++ b/README.md
@@ -13,4 +13,5 @@ name | description | url
 [Philips Hue](http://www.meethue.com) | device communication insecure, Ruby library/CLI to control via REST HTTP | [hued](https://github.com/chorankates/hued)
 [RAV FileHub](http://www.ravpower.com/ravpower-rp-wd02-filehub-6000mah-power-bank.html) | a HooToo by any other name.. but with a twist | [rav-filehub](rav-filehub)
 [RevoLabs flx UC1000](http://www.revolabs.com/products/conference-phones/wired-conference-phones/flx-uc-phones/flx-uc-1000-speakerphone) | more than just brute forcing the PIN | [revolabs-flx_uc_1000](revolabs-flx_uc_1000)
-[Ubiquiti mFi mPower](https://www.ubnt.com/mfi/mpower/) | root access trivially obtained, credential leakage, unnecessary services exposed | [ubiquiti/mFi](ubiquiti/mfi)
\ No newline at end of file
+[Ubiquiti mFi mPower](https://www.ubnt.com/mfi/mpower/) | root access trivially obtained, credential leakage, unnecessary services exposed | [ubiquiti/mFi](ubiquiti/mfi)
+[Weemo Mini]() | work in progress, recon mostly done | [weemo](weemo)
\ No newline at end of file
diff --git a/weemo/README.md b/weemo/README.md
new file mode 100644
index 0000000..cd70b2c
--- /dev/null
+++ b/weemo/README.md
@@ -0,0 +1,172 @@
+# Mini
+
+- [device](#device)
+- [digging](#digging)
+ - [nmap](#nmap)
+
+
+## device
+name | value
+----------------|-----
+model | `TODO`
+product | `TODO`
+firmware | `TODO`
+features | WiFi enabled power strip
+
+## digging
+
+### nmap
+
+from `nmap -PN -p 1-65535 -sV `, we get:
+
+```
+PORT STATE SERVICE VERSION
+53/tcp open domain dnsmasq 2.73
+49152/tcp open upnp Belkin Wemo upnpd (UPnP 1.0)
+Service Info: Device: power-misc
+```
+
+# TODO need to split this out, powerstrip is separate frome netcam
+
+```
+nmap 10.68.68.22 -Pn -sV -p 1-65535
+
+Starting Nmap 7.12 ( https://nmap.org ) at 2017-04-04 17:02 PDT
+Nmap scan report for CAM.ralinktech.com (10.68.68.22)
+Host is up (0.030s latency).
+Not shown: 65531 closed ports
+PORT STATE SERVICE VERSION
+53/tcp open domain dnsmasq 2.40
+80/tcp open http Belkin NetCam http config
+81/tcp open http Belkin NetCam http config
+443/tcp open ssl/http Belkin NetCam http config
+Service Info: Device: webcam
+```
+
+
+
+### upnpd
+
+poking at this endpoint:
+
+```
+$ curl -v http://10.22.22.1:49152
+* Rebuilt URL to: http://10.22.22.1:49152/
+* Trying 10.22.22.1...
+* TCP_NODELAY set
+* Connected to 10.22.22.1 (10.22.22.1) port 49152 (#0)
+> GET / HTTP/1.1
+> Host: 10.22.22.1:49152
+> User-Agent: curl/7.51.0
+> Accept: */*
+>
+< HTTP/1.1 404 Not Found
+< SERVER: Unspecified, UPnP/1.0, Unspecified
+< CONNECTION: close
+< CONTENT-LENGTH: 48
+< CONTENT-TYPE: text/html
+<
+* Curl_http_done: called premature == 0
+* Closing connection 0
+

404 Not Found

+```
+
+`http://10.22.22.1:49152/foo` yields the same, but:
+
+```
+
+```
+
+maybe we need to use [wemo-extracted/assets/api_key.txt](wemo-extracted/assets/api_key.txt) ?
+
+digging into [constants.js](wemo-extracted/assets/www/js/constants.js), seeing some things we probably shouldn't:
+```javascript
+var cloudEnvironment = {
+ /*CI: "https://173.196.160.173:8443",
+ STAGING: "https://stagapi.xbcs.net:8443",
+ PRODUCTION: "https://api.xbcs.net:8443",
+ JARDEN: "https://api.test.jardon.xbcs.net:8443",
+ QA: "https://173.196.160.163:8443",
+ DEV: "https://173.196.160.173:8443"*/
+
+ //adding urls with SSL certificates
+ CI: "https://wemoci.lswf.net:9069",
+ STAGING: "https://bcsstag.lswf.net:8443",
+ PRODUCTION: "https://api.xbcs.net:8443",
+ JARDEN: "https://api.test.jardon.xbcs.net:8443",
+ QA: " https://wemoqa.lswf.net:9069",
+ DEV: "https://wemoci.lswf.net:9069",
+ MONOLITHIC: "https://devtest-1373897041.us-east-1.elb.amazonaws.com:8443"
+};
+
+/*var cloudEnvironment = {
+ STAGING: "https://107.20.144.211:8443",
+ PRODUCTION: "https://api.xbcs.net:8443"
+};
+*/
+
+var firmwareCloudEnvironment = {
+ STAGING: "http://fw.stag1.xbcs.net",
+ PRODUCTION: "https://fw.xbcs.net",
+ NESTDEV:"https://iftttnest.xwemo.com",
+ JARDEN: "http://fw.test.jardon.xbcs.net",
+ QA: "http://fw.xbcs.net",
+ DEV: "http://173.196.160.173",
+ CI: "http://173.196.160.173",
+ MONOLITHIC: "https://fw.xbcs.net"
+};
+
+/*var firmwareCloudEnvironment = {
+ STAGING: "http://75.101.183.196",
+ PRODUCTION: "https://fw.xbcs.net"
+};
+*/
+
+//...
+
+var PUSH_DB_REQUIRED = 0;
+var PUSH_DB_NOT_REQUIRED = 1;
+
+var cloudAPI = {
+ DEVICE_LIST: cloud + "/apis/http/plugin/plugins/",
+ SMART_SETUP_REGISTRATION: cloud + "/apis/http/plugin/registration/smartDevice",
+ STATE_CHANGE: cloud + "/apis/http/plugin/message/",
+ ATTRIBUTE_CHANGE: cloud + "/apis/http/device/homeDevices/",
+ // REGISTER_EMAIL: cloud + "/apis/http/plugin/registerEmail/",
+ COLLECT_EMAIL: cloud + "/apis/http/plugin/emailAddresses/",
+ FIRMWARE_URL: cloud + "/apis/http/plugin/fwUpgradeInfo/",
+ SMARTDEVICE_DISABLE: cloud + "/apis/http/plugin/updateRemoteAccess/",
+ SMARTDEVICE_LIST: cloud + "/apis/http/plugin/smartDevices/",
+ GENERATE_IFTTT_PIN: cloud + "/apis/http/plugin/generatePin/",
+ SEND_ACK_NEW_HOME: cloud + '/apis/http/plugin/ackForHomeIdSync/',
+ DEVICE_MESSAGE: cloud + '/apis/http/plugin/message/',
+ FIRMWARE_UPGRADE: cloud + '/apis/http/plugin/upgradeFwVersion',
+ GET_DB_FILE: cloud + '/apis/http/plugin/dbfile/',
+ LOCATION_SEARCH: cloud + '/apis/http/plugin/geoInfo/cityLocations?cityName=',
+ INSIGHT_PARAMS: cloud + '/apis/http/plugin/insight/message/',
+ SET_DEVICE_ICON: cloud + '/apis/http/plugin/ext/deviceIcon/',
+ GET_DEVICE_ICON: cloud + '/apis/http/plugin/ext/deviceIcon/',
+ GET_RULE_EVENTS: cloud + '/apis/http/plugin/push/ruleEvents/',
+ LED_DEVICE_LIST: cloud + '/apis/http/device/homeDevices/',
+ LED_STATE_CHANGE: cloud + '/apis/http/device/homeDevices/capabilityProfile?remoteSync=true',
+ LED_CREATE_GROUP: cloud + '/apis/http/device/groups/',
+ LED_DELETE_GROUP: cloud + '/apis/http/device/groups/',
+ LED_STATE_CHANGE_GROUP: cloud + '/apis/http/device/groups/capabilityProfile?remoteSync=true',
+ LED_EDIT_ICON: cloud + '/apis/http/lswf/uploads/',
+ LED_GET_ICON: cloud + '/apis/http/device/homeUploads/',
+ LED_FIRMWARE_URL: cloud + '/apis/http/device/fwUpgradeInfo/',
+ EMAIL_OPT_IN: 'http://www.belkin.com/signup/wemo/?email',
+ HIDE_DEVICE: cloud + '/apis/http/plugin/property/[MacAddress]/visibility/0'
+};
+
+var 
firmwareTextFile = {
+ PATH: firmwareCloud + "/wemo/NewFirmware.txt",
+ PATH_PROD: firmwareCloud + "/wemo/NewFirmware.txt",
+ PATH_STAG: firmwareCloud + "/wemo/version.txt",
+ PATH_QA: firmwareCloud + "/wemo/NewFirmware.txt",
+ PATH_MINICLOUD: firmwareCloud + "/wemo/NewFirmware.txt",
+ PATH_DEV:"http://173.196.160.173/wemo/NewFirmware.txt"
+};
+```
+
+aside from the extremely amusing `PUSH_DB_REQUIRED` and `PUSH_DB_NOT_REQUIRED` values, looks like this could have the paths for new firmwares - allowing us to MiTM