Popping an IP cam doorbell

Hey folks,

Got my hands on a bit of kit that I’m having a go at.

As best I can tell it identifies as a TOCODING/TOSEE/AccFly JY-DB708.
Looks like a pretty common device under a few rebrands.

Has a basic camera, motion sensor & push-button, mic & speaker, connects over basic WiFi.

When 1st firing up, it broadcasts an open WiFi network as TOSEE_X_Y_Z (where X&Y&Z is the last 3 values of the MAC address).

IP is 192.168.120.1, and gives a DHCP lease starting @ 192.168.120.101

Ran an NMAP against it, but looks to be locked up pretty tight, but seems to communicate via a possibly pretty standard VoIP.
Only interesting bit that stands out is:

Not shown: 1999 closed ports
PORT STATE SERVICE VERSION
53/udp open|filtered domain
MAC Address: {REDACTED} (Topwell International Holdings Limited)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|VoIP phone
Running: 2N embedded, Grandstream embedded
OS CPE: cpe:/h:2n:helios cpe:/h:grandstream:gxp1105
OS details: 2N Helios IP VoIP doorbell, Grandstream GXP1105 VoIP phone
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 4.56 ms 192.168.120.1

Suspect video is over RTSP & audio simply SIP/VoIP?

From flyer/online, seems I need to download the companion ToSee app from the mobile store, but that’s not gonna happen (I simply don’t trust vendors)

Has anyone had luck with these el-cheapo devices?
Any ideas re how I can gain shell or control over this device?

Hi

See Tosee app and video doorbell wifi

It seems no-one’s yet figured out how to interface with these doorbells without the ToSee app… Any luck your side yet?

This is actually a pretty horrible piece of equipment, but doesn’t seem overly ‘hostile’.

I’ve set it up in my IoT DMZ, and ‘sniffing’ the wire, doing packet-dumps, etc.

From what I can tell:

  • seems to be yet another Tuya greylabel device. Reverse-image searches show this device to be yet another in a series of dubious quality & largely unsupported/undocumented IoS-devices.
  • when doorbell button pressed, board powers up & gets DHCP lease
  • UDP - comms seem isolated between the device & tablet.
    • continues to work when IoT DMZ is unplugged
  • looks to be behaving a little like a VoIP device, & nmap profiling indicates something similar
    • don’t have a ‘spare’ VoIP gateway setup that I can use to test, but I may be able to push STUN or TR-069 configs via DHCP (IIRC - my telco is rusty)
  • I’ve tried to intercept the initial setup/handshake, but shelving that for now
  • always broadcasting FROM UDP:10000, receiver ports random-ish (using 28632 atm) & replies swap around, eg:
    • in one correspondence, $bell:10000 → $tablet:28632
    • replies, $tablet:10000 → $bell:28632

At this stage, it may just be simpler to gut this device & pop an ESP in there & hook up the I/O

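Added example, not part of any post above: one way to check the observations in the last post (fixed source port 10000, replies that swap hosts but keep the ports, traffic staying between doorbell and tablet) against the text output of `tcpdump -n`. The addresses, the sample lines and the function names are constructed for illustration; the off-LAN packet in the sample exists only to exercise the check and was not reported in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in `tcpdump -n` text format; all addresses are made up.
# The last line is a deliberately added off-LAN packet to exercise the check.
SAMPLE = """\
12:00:01.100000 IP 192.168.50.23.10000 > 192.168.50.40.28632: UDP, length 172
12:00:01.120000 IP 192.168.50.40.10000 > 192.168.50.23.28632: UDP, length 64
12:00:01.140000 IP 192.168.50.23.10000 > 192.168.50.40.28632: UDP, length 172
12:00:02.000000 IP 192.168.50.23.10000 > 203.0.113.9.28632: UDP, length 48
"""

UDP_LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP, length \d+"
)

def parse(text):
    """Return (src, sport, dst, dport) for every UDP line in the dump."""
    return [(s, int(sp), d, int(dp)) for s, sp, d, dp in UDP_LINE.findall(text)]

def audit(text, device, lan):
    """Summarise the device's UDP traffic and flag anything leaving `lan`."""
    net = ipaddress.ip_network(lan)
    packets = parse(text)
    flows = set(packets)
    sent = [p for p in packets if p[0] == device]
    off_lan = sorted({f"{d}:{dp}" for _, _, d, dp in sent
                      if ipaddress.ip_address(d) not in net})
    # Pattern from the thread: the peer answers from the same source port to
    # the same destination port (hosts swapped, ports not). A conventional
    # reply would be dst:dport -> src:sport instead.
    same_port_replies = sorted({(d, sp, dp) for s, sp, d, dp in sent
                                if (d, sp, s, dp) in flows})
    return {
        "source_ports": Counter(sp for _, sp, _, _ in sent),
        "off_lan": off_lan,
        "same_port_replies": same_port_replies,
    }

if __name__ == "__main__":
    report = audit(SAMPLE, device="192.168.50.23", lan="192.168.50.0/24")
    for key, value in report.items():
        print(key, value)
```

An empty `off_lan` list over a long capture supports the "isolated between device & tablet" reading. Because the replies are not the inverse tuple of the first flow, a stateful firewall will not treat them as return traffic, so both directions need their own allow rule.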