adding WiP weemo
parent
84294fbaa9
commit
e6b05b9504
@ -13,4 +13,5 @@ name | description | url
|
|||||||
[Philips Hue](http://www.meethue.com) | device communication insecure, Ruby library/CLI to control via REST HTTP | [hued](https://github.com/chorankates/hued)
|
[Philips Hue](http://www.meethue.com) | device communication insecure, Ruby library/CLI to control via REST HTTP | [hued](https://github.com/chorankates/hued)
|
||||||
[RAV FileHub](http://www.ravpower.com/ravpower-rp-wd02-filehub-6000mah-power-bank.html) | a HooToo by any other name.. but with a twist | [rav-filehub](rav-filehub)
|
[RAV FileHub](http://www.ravpower.com/ravpower-rp-wd02-filehub-6000mah-power-bank.html) | a HooToo by any other name.. but with a twist | [rav-filehub](rav-filehub)
|
||||||
[RevoLabs flx UC1000](http://www.revolabs.com/products/conference-phones/wired-conference-phones/flx-uc-phones/flx-uc-1000-speakerphone) | more than just brute forcing the PIN | [revolabs-flx_uc_1000](revolabs-flx_uc_1000)
|
[RevoLabs flx UC1000](http://www.revolabs.com/products/conference-phones/wired-conference-phones/flx-uc-phones/flx-uc-1000-speakerphone) | more than just brute forcing the PIN | [revolabs-flx_uc_1000](revolabs-flx_uc_1000)
|
||||||
[Ubiquiti mFi mPower](https://www.ubnt.com/mfi/mpower/) | root access trivially obtained, credential leakage, unnecessary services exposed | [ubiquiti/mFi](ubiquiti/mfi)
|
[Ubiquiti mFi mPower](https://www.ubnt.com/mfi/mpower/) | root access trivially obtained, credential leakage, unnecessary services exposed | [ubiquiti/mFi](ubiquiti/mfi)
|
||||||
|
[Weemo Mini]() | work in progress, recon mostly done | [weemo](weemo)
|
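Review bot: the added `[Weemo Mini]()` row has an empty link target, so the name column renders as a dead link while every other row in this table points at a product page; fill in the product URL or drop the link syntax until it is known. The row also spells the product "Weemo", while the README added in this same commit records the service banner as `Belkin Wemo upnpd`, so consider using the vendor's spelling for the display name even if the directory stays `weemo`.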
172
weemo/README.md
Normal file
@ -0,0 +1,172 @@
|
|||||||
|
# Mini
|
||||||
|
|
||||||
|
- [device](#device)
|
||||||
|
- [digging](#digging)
|
||||||
|
- [nmap](#nmap)
|
||||||
|
|
||||||
|
|
||||||
|
## device
|
||||||
|
name | value
|
||||||
|
----------------|-----
|
||||||
|
model | `TODO`
|
||||||
|
product | `TODO`
|
||||||
|
firmware | `TODO`
|
||||||
|
features | WiFi enabled power strip
|
||||||
|
|
||||||
|
## digging
|
||||||
|
|
||||||
|
### nmap
|
||||||
|
|
||||||
|
from `nmap -PN -p 1-65535 -sV <device>`, we get:
|
||||||
|
|
||||||
|
```
|
||||||
|
PORT STATE SERVICE VERSION
|
||||||
|
53/tcp open domain dnsmasq 2.73
|
||||||
|
49152/tcp open upnp Belkin Wemo upnpd (UPnP 1.0)
|
||||||
|
Service Info: Device: power-misc
|
||||||
|
```
|
||||||
|
|
||||||
|
# TODO need to split this out, powerstrip is separate frome netcam
|
||||||
|
|
||||||
|
```
|
||||||
|
nmap 10.68.68.22 -Pn -sV -p 1-65535
|
||||||
|
|
||||||
|
Starting Nmap 7.12 ( https://nmap.org ) at 2017-04-04 17:02 PDT
|
||||||
|
Nmap scan report for CAM.ralinktech.com (10.68.68.22)
|
||||||
|
Host is up (0.030s latency).
|
||||||
|
Not shown: 65531 closed ports
|
||||||
|
PORT STATE SERVICE VERSION
|
||||||
|
53/tcp open domain dnsmasq 2.40
|
||||||
|
80/tcp open http Belkin NetCam http config
|
||||||
|
81/tcp open http Belkin NetCam http config
|
||||||
|
443/tcp open ssl/http Belkin NetCam http config
|
||||||
|
Service Info: Device: webcam
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### upnpd
|
||||||
|
|
||||||
|
poking at this endpoint:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ curl -v http://10.22.22.1:49152
|
||||||
|
* Rebuilt URL to: http://10.22.22.1:49152/
|
||||||
|
* Trying 10.22.22.1...
|
||||||
|
* TCP_NODELAY set
|
||||||
|
* Connected to 10.22.22.1 (10.22.22.1) port 49152 (#0)
|
||||||
|
> GET / HTTP/1.1
|
||||||
|
> Host: 10.22.22.1:49152
|
||||||
|
> User-Agent: curl/7.51.0
|
||||||
|
> Accept: */*
|
||||||
|
>
|
||||||
|
< HTTP/1.1 404 Not Found
|
||||||
|
< SERVER: Unspecified, UPnP/1.0, Unspecified
|
||||||
|
< CONNECTION: close
|
||||||
|
< CONTENT-LENGTH: 48
|
||||||
|
< CONTENT-TYPE: text/html
|
||||||
|
<
|
||||||
|
* Curl_http_done: called premature == 0
|
||||||
|
* Closing connection 0
|
||||||
|
<html><body><h1>404 Not Found</h1></body></html>
|
||||||
|
```
|
||||||
|
|
||||||
|
`http://10.22.22.1:49152/foo` yields the same, but:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
maybe we need to use [wemo-extracted/assets/api_key.txt](wemo-extracted/assets/api_key.txt) ?
|
||||||
|
|
||||||
|
digging into [constants.js](wemo-extracted/assets/www/js/constants.js), seeing some things we probably shouldn't:
|
||||||
|
```javascript
|
||||||
|
var cloudEnvironment = {
|
||||||
|
/*CI: "https://173.196.160.173:8443",
|
||||||
|
STAGING: "https://stagapi.xbcs.net:8443",
|
||||||
|
PRODUCTION: "https://api.xbcs.net:8443",
|
||||||
|
JARDEN: "https://api.test.jardon.xbcs.net:8443",
|
||||||
|
QA: "https://173.196.160.163:8443",
|
||||||
|
DEV: "https://173.196.160.173:8443"*/
|
||||||
|
|
||||||
|
//adding urls with SSL certificates
|
||||||
|
CI: "https://wemoci.lswf.net:9069",
|
||||||
|
STAGING: "https://bcsstag.lswf.net:8443",
|
||||||
|
PRODUCTION: "https://api.xbcs.net:8443",
|
||||||
|
JARDEN: "https://api.test.jardon.xbcs.net:8443",
|
||||||
|
QA: " https://wemoqa.lswf.net:9069",
|
||||||
|
DEV: "https://wemoci.lswf.net:9069",
|
||||||
|
MONOLITHIC: "https://devtest-1373897041.us-east-1.elb.amazonaws.com:8443"
|
||||||
|
};
|
||||||
|
|
||||||
|
/*var cloudEnvironment = {
|
||||||
|
STAGING: "https://107.20.144.211:8443",
|
||||||
|
PRODUCTION: "https://api.xbcs.net:8443"
|
||||||
|
};
|
||||||
|
*/
|
||||||
|
|
||||||
|
var firmwareCloudEnvironment = {
|
||||||
|
STAGING: "http://fw.stag1.xbcs.net",
|
||||||
|
PRODUCTION: "https://fw.xbcs.net",
|
||||||
|
NESTDEV:"https://iftttnest.xwemo.com",
|
||||||
|
JARDEN: "http://fw.test.jardon.xbcs.net",
|
||||||
|
QA: "http://fw.xbcs.net",
|
||||||
|
DEV: "http://173.196.160.173",
|
||||||
|
CI: "http://173.196.160.173",
|
||||||
|
MONOLITHIC: "https://fw.xbcs.net"
|
||||||
|
};
|
||||||
|
|
||||||
|
/*var firmwareCloudEnvironment = {
|
||||||
|
STAGING: "http://75.101.183.196",
|
||||||
|
PRODUCTION: "https://fw.xbcs.net"
|
||||||
|
};
|
||||||
|
*/
|
||||||
|
|
||||||
|
//...
|
||||||
|
|
||||||
|
var PUSH_DB_REQUIRED = 0;
|
||||||
|
var PUSH_DB_NOT_REQUIRED = 1;
|
||||||
|
|
||||||
|
var cloudAPI = {
|
||||||
|
DEVICE_LIST: cloud + "/apis/http/plugin/plugins/",
|
||||||
|
SMART_SETUP_REGISTRATION: cloud + "/apis/http/plugin/registration/smartDevice",
|
||||||
|
STATE_CHANGE: cloud + "/apis/http/plugin/message/",
|
||||||
|
ATTRIBUTE_CHANGE: cloud + "/apis/http/device/homeDevices/",
|
||||||
|
// REGISTER_EMAIL: cloud + "/apis/http/plugin/registerEmail/",
|
||||||
|
COLLECT_EMAIL: cloud + "/apis/http/plugin/emailAddresses/",
|
||||||
|
FIRMWARE_URL: cloud + "/apis/http/plugin/fwUpgradeInfo/",
|
||||||
|
SMARTDEVICE_DISABLE: cloud + "/apis/http/plugin/updateRemoteAccess/",
|
||||||
|
SMARTDEVICE_LIST: cloud + "/apis/http/plugin/smartDevices/",
|
||||||
|
GENERATE_IFTTT_PIN: cloud + "/apis/http/plugin/generatePin/",
|
||||||
|
SEND_ACK_NEW_HOME: cloud + '/apis/http/plugin/ackForHomeIdSync/',
|
||||||
|
DEVICE_MESSAGE: cloud + '/apis/http/plugin/message/',
|
||||||
|
FIRMWARE_UPGRADE: cloud + '/apis/http/plugin/upgradeFwVersion',
|
||||||
|
GET_DB_FILE: cloud + '/apis/http/plugin/dbfile/',
|
||||||
|
LOCATION_SEARCH: cloud + '/apis/http/plugin/geoInfo/cityLocations?cityName=',
|
||||||
|
INSIGHT_PARAMS: cloud + '/apis/http/plugin/insight/message/',
|
||||||
|
SET_DEVICE_ICON: cloud + '/apis/http/plugin/ext/deviceIcon/',
|
||||||
|
GET_DEVICE_ICON: cloud + '/apis/http/plugin/ext/deviceIcon/',
|
||||||
|
GET_RULE_EVENTS: cloud + '/apis/http/plugin/push/ruleEvents/',
|
||||||
|
LED_DEVICE_LIST: cloud + '/apis/http/device/homeDevices/',
|
||||||
|
LED_STATE_CHANGE: cloud + '/apis/http/device/homeDevices/capabilityProfile?remoteSync=true',
|
||||||
|
LED_CREATE_GROUP: cloud + '/apis/http/device/groups/',
|
||||||
|
LED_DELETE_GROUP: cloud + '/apis/http/device/groups/',
|
||||||
|
LED_STATE_CHANGE_GROUP: cloud + '/apis/http/device/groups/capabilityProfile?remoteSync=true',
|
||||||
|
LED_EDIT_ICON: cloud + '/apis/http/lswf/uploads/',
|
||||||
|
LED_GET_ICON: cloud + '/apis/http/device/homeUploads/',
|
||||||
|
LED_FIRMWARE_URL: cloud + '/apis/http/device/fwUpgradeInfo/',
|
||||||
|
EMAIL_OPT_IN: 'http://www.belkin.com/signup/wemo/?email',
|
||||||
|
HIDE_DEVICE: cloud + '/apis/http/plugin/property/[MacAddress]/visibility/0'
|
||||||
|
};
|
||||||
|
|
||||||
|
var firmwareTextFile = {
|
||||||
|
PATH: firmwareCloud + "/wemo/NewFirmware.txt",
|
||||||
|
PATH_PROD: firmwareCloud + "/wemo/NewFirmware.txt",
|
||||||
|
PATH_STAG: firmwareCloud + "/wemo/version.txt",
|
||||||
|
PATH_QA: firmwareCloud + "/wemo/NewFirmware.txt",
|
||||||
|
PATH_MINICLOUD: firmwareCloud + "/wemo/NewFirmware.txt",
|
||||||
|
PATH_DEV:"http://173.196.160.173/wemo/NewFirmware.txt"
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
|
aside from the extremely amusing `PUSH_DB_REQUIRED` and `PUSH_DB_NOT_REQUIRED` values, looks like this could have the paths for new firmwares - allowing us to MiTM
|
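Review bot: the empty fenced block after "`http://10.22.22.1:49152/foo` yields the same, but:" leaves that sentence without the result it promises; paste the response that differed, or drop the "but:" until it has been captured. Further up, `# TODO need to split this out, powerstrip is separate frome netcam` sits outside any fence, so Markdown renders it as a top-level heading (and it carries the typo "frome"); make it a plain line or an HTML comment, and label the second scan as the NetCam so its `Device: webcam` result is not read as belonging to the Mini. The table of contents lists only device, digging and nmap and misses the `### upnpd` section. The relative links point into `wemo-extracted/` while this file lives under `weemo/`, so check that they resolve. In the closing sentence, state which `firmwareCloudEnvironment` entry the device actually uses: PRODUCTION is `https://fw.xbcs.net` while STAGING, JARDEN, QA, DEV and CI are plain `http://`, and the MiTM conclusion depends on that.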