Work in progress: Reversing Blink cameras

I received some Blink outdoor security cameras a while ago but haven't set them up, because they require a smartphone and internet access. I don't have a smartphone, and I don't want these things streaming video of my comings and goings to Amazon. So I've decided to try reverse-engineering them to see if I can learn enough to use them some other way. I've made a little bit of progress, so I'm writing up what I have so far.
## Background

What I have consists of three cameras and a sync module. Everything is branded Amazon, but the hardware and software were actually made by Immedia Semiconductor, which Amazon acquired. (I haven't determined a timeline.) The cameras are supposed to talk to the sync module (which I'll call the BSM, after its model number), and the BSM connects to the user's home wireless in order to talk to Amazon/Immedia's servers. The sync module also has a USB port to accept USB data storage, which will store videos locally.

Setup works like this: the sync module broadcasts a temporary wireless access point that your phone is supposed to connect to, and the phone app sends your home wireless credentials to the BSM so it can itself authenticate to the cloud service. Maybe I could set them up with a borrowed phone and then remove their internet access again? But again, I don't have a smartphone; I'd have to borrow one. And I'd first like to know whether the phone app is *only* used for onboarding, or whether the BSM has to log into the cloud service for everything.
## Sync module network

The sync module broadcasts a wireless access point named `Blink-0GFL`. When I connect to it, my laptop gets the IP address 172.16.97.108 and the BSM is at 172.16.97.199. Scanning the BSM with nmap (`nmap -n -T4 -p 1-65535 172.16.97.199`) finds that TCP ports 53 and 80 are open. Ports 53 and 80 are also open on UDP, but I didn't scan beyond port 3000 there. Port 80 is an HTTP server with very terse HTTP/1.0 responses:

```
$ curl -sS -i http://172.16.97.199/
HTTP/1.0 404 Not Found
```

The wireless connection drops after a while (maybe the module times out?) and I have to reconnect to the BSM.

## Package reversing

I downloaded `Blink Home-monitor 6.30.0 - Apkpure 2023-10-20.apk` from https://apkpure.com/blink-home-monitor/com.immediasemi.android.blink on 2023-10-20. It's listed as version 6.30.0 from 2023-09-28, package `com.immediasemi.android.blink`, signature `65902c52c73b578`. I used the online tool to decompile it with JADX and have attached just the immediasemi packages. (Some of it JADX can't convert, and it is left as commented-out Smali.) The main code in the APK is under the package `com.immediasemi.blink`.

Even without decompiling, I found that `classes6.dex` contained a string referencing the BSM's address. Probably the most effective way of reversing the API will be to step through the onboarding logic in the app, taking over from the actual add-device flow; this will help figure out keys and encryption as well. I should also check for other instances of `/api/` in the decompiled code, since the interface below may not be the only place requests are built.
### HTTP endpoints

The most useful thing I've found so far is `SyncModuleService`, an interface that defines the HTTP endpoints the app uses to talk to the BSM. It is used from three places: `OnboardingBaseActivity` (which probably checks on the BSM), `AddDeviceViewModel`, and `FirmwareUpdate`. The endpoints, with what happens when I send a bogus body of `foo` to them:

- GET `/api/version` and GET `/api/get_fw_version`. The latter returns an `"encryption"` field, which in my case is 2.
- POST `/api/set/app_fw_update`. Called from `FirmwareUpdate.firmwareUpdate`; the body is supposed to be a firmware download from Immedia's servers, sent with content-type `application/octet-stream`. Sending a body of `foo` to this endpoint causes the BSM to hang and not respond to any more requests until I power cycled it and reconnected.
- POST `/api/set/key`. With body `foo`: `420 Previous endpoint failed`. `AddDeviceViewModel.sendKeyToSm` calls this, and it is used to send either of two different types of session key. Recap: it gets a `SyncModuleService` instance and then checks whether the `"encryption"` field from `/api/get_fw_version` is 1 or 2; the key is sourced from something called `encrypted_session_key` (or `encrypted_session_key_v2`), which is Base64-decoded and sent as the body with content-type `application/octet-stream`. If this succeeds, it moves on to doing something with SSIDs.
- POST `/api/set/ssid`. With body `foo`: `420 Parsing set_ssid request failed`. This is used to send SSID info, i.e. the home wireless credentials.

The protocol happens over insecure HTTP, so the app has to have its own (probably dodgy) encryption layer. The rest of the requests to the device are encrypted with AES-CBC except for a few hardcoded request paths (`isSecureRequest` exempts `/api/get_fw_version`, among others). An AES key and an HMAC key are derived from the session key in `setSession_key` using a KDF.

Where does the session key come from? `encrypted_session_key_v2` is read from a Command -- perhaps an object mapped from a server response. So yes, it looks like the server exchanges a serial number and returns a key (very low entropy, though). The only thing that sets `encrypted_session_key_v2` is `AddDeviceViewModel$startOnboardingSyncModule$1`, called from `AddDeviceViewModel.startOnboardingDevice`. That involves a network ID (long), something about a QR code (boolean), a matching QR code (boolean), and a Context of some sort. The network ID comes from `Camera.getServerIdFromLocalId(longExtra)`, which is just `longExtra & 72057594037927935L` (that constant is 2^56 - 1, so it clears the top byte of the 64-bit ID); `longExtra` is the device ID, or a default of 0, so it might just be 0. The device ID is read from `SMEncryptionData.getInstance().device_id`, which is set by `EnterWifiCredentialsActivity.goToBlueLightVisibleScreen`; I don't see it being set in the BSM code paths, though there's a retry path via the blue-light screen. It might be that the phone and BSM only ever communicate over this HTTP interface.

The word "walnut" (which also appears printed on the camera's antenna board) ends up in `DeviceType`; the different device types have different code paths.
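To make the sequence above concrete, here is an added model of the onboarding exchange in Python. It is not code from the Blink app or from this post: the endpoint paths, the replies to a `foo` body, the `encryption` check, the Base64 decoding of the key, the `app_fw_update` hang and the `72057594037927935` mask are taken from the text; the fake module's replies to well-formed requests, the JSON shape of `/api/get_fw_version`, the second plaintext path and the sample key and SSID payload are assumptions made for the example. The fake module stands in for the real BSM so that the flow can be exercised without risking wedging the device.

```python
"""Model of the BSM onboarding exchange (added illustration, not Blink code)."""
import base64
import json

# Camera.getServerIdFromLocalId: longExtra & 72057594037927935L, i.e. 2**56 - 1.
SERVER_ID_MASK = 72057594037927935

# Paths the app sends without its AES-CBC wrapping (isSecureRequest exemptions).
# /api/get_fw_version is from the page; /api/version is assumed for illustration.
PLAINTEXT_PATHS = {"/api/get_fw_version", "/api/version"}


def server_id_from_local_id(local_id: int) -> int:
    """Mirror of the app's mask: clears the top byte of a 64-bit device ID."""
    return local_id & SERVER_ID_MASK


def is_secure_request(path: str) -> bool:
    """True for paths the app would encrypt before sending."""
    return path not in PLAINTEXT_PATHS


class WedgedError(Exception):
    """The module stopped answering (observed after a bad app_fw_update body)."""


class FakeSyncModule:
    """Stand-in for the BSM at 172.16.97.199, mimicking the replies seen so far."""

    def __init__(self, encryption: int = 2):
        self.encryption = encryption  # value observed on the author's unit
        self.wedged = False
        self.key = None  # session key bytes once accepted (assumed behaviour)

    def request(self, method: str, path: str, body: bytes = b"") -> tuple:
        """Return (status, reason, body) like the terse HTTP/1.0 server."""
        if self.wedged:
            raise WedgedError("no response; power-cycle the module")
        if method == "GET" and path == "/api/get_fw_version":
            # JSON shape is an assumption; only the "encryption" field is documented.
            return 200, "OK", json.dumps({"encryption": self.encryption}).encode()
        if method == "POST" and path == "/api/set/app_fw_update":
            self.wedged = True  # observed: a garbage body hangs the module
            raise WedgedError("module hung")
        if method == "POST" and path == "/api/set/key":
            if body == b"foo":
                return 420, "Previous endpoint failed", b""
            self.key = body  # assumed: any non-garbage body is accepted
            return 200, "OK", b""
        if method == "POST" and path == "/api/set/ssid":
            if body == b"foo":
                return 420, "Parsing set_ssid request failed", b""
            return 200, "OK", b""
        return 404, "Not Found", b""


def onboard(module: FakeSyncModule, encrypted_session_key_b64: str, ssid_payload: bytes) -> list:
    """App-side sequence: version check, then session key, then SSID.

    Returns the (path, status, reason) trail so the caller can see where it stopped.
    """
    trail = []
    status, reason, body = module.request("GET", "/api/get_fw_version")
    trail.append(("/api/get_fw_version", status, reason))
    encryption = json.loads(body)["encryption"]
    if encryption not in (1, 2):
        raise ValueError(f"unknown encryption type {encryption}")
    # sendKeyToSm: Base64-decode the key and post it as an application/octet-stream body.
    key = base64.b64decode(encrypted_session_key_b64)
    status, reason, _ = module.request("POST", "/api/set/key", key)
    trail.append(("/api/set/key", status, reason))
    if status != 200:
        return trail  # the app only moves on to SSIDs if the key was accepted
    status, reason, _ = module.request("POST", "/api/set/ssid", ssid_payload)
    trail.append(("/api/set/ssid", status, reason))
    return trail


if __name__ == "__main__":
    # Constructed inputs: a zero key and a placeholder SSID payload.
    sample_key_b64 = base64.b64encode(b"\x00" * 32).decode()
    for step in onboard(FakeSyncModule(), sample_key_b64, b"ssid-payload"):
        print(*step)
```

The fake module deliberately reproduces the one destructive behaviour on the page: after a bad `/api/set/app_fw_update` body every later request raises, which is the same "power cycle and reconnect" situation as on the real device, so a script that blindly walks the endpoint list will stop there too.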
## Other avenues

- `OnboardingWaitingForBlueLightActivity` mentions `setQrCodeScan`. Do I need to scan the QR code, and what does it contain?
- There are also references to serial numbers in the APK. Something exchanges a serial number with the server; can I use that without the app?
- Can I MITM the BSM's connection to the cloud? (What CAs does it trust?)
- Are the USB ports only for power (and storage, on the sync module), or is there a factory USB protocol?
- There are implementations in Python that might be worth looking at.
## Teardown

### Sync module

[Figure: The front of the sync module case, with the LEDs and two USB ports.]

[Figure: The back of the sync module case, with the info sticker, the reset button and two rubber-capped screws.]

The sticker shows:

```
MODEL: BSM00300U
MADE IN CHINA
DSN: G8T1-LN00-1362-0GFL
```

There's also a QR code with "DSN" printed under it; ignoring the hyphens, its contents match the DSN. Notice that the access point name `Blink-0GFL` is the last group of the DSN.

[Figure: Inside the sync module case, with the speaker module.]

[Figure: The sync board, front. The PCB is dominated by a chip with a sticker on it reading "SYTA01K 01A840" and "ISI-1503-SA SYNC REV A0". Amazon has stuck their name in here for some reason.]

[Figure: The sync board, back, with detail closeups #1, #2 and #3.]

The board has a mini USB port (for power?) and a regular USB A port to accept USB data storage. I think maybe the big chip is the wireless chip.
### Camera

[Figure: The front of the camera case. It has several rubber seals, including around the speaker.]

[Figure: The back of the camera case; the battery compartment reveals the info sticker.]

The sticker shows:

```
G8T1-GH00-1362-8NGQ
MAC: 74:AB:93:95:23:BB
FCC ID: 2AF77-H1621502
IC: 20741-H2041670
MODEL: BCM00400U
```

The model starts with BCM; I infer that this means Blink Camera Module, in analogy to the sync module's BSM. The second camera I looked at had the same information on its sticker except for its own identifiers: `G8T1-GH00-1362-8MXQ`, MAC `B4:E4:54:C2:7D:20`.

Opening up the camera shows several PCBs:

- What I've termed the "sensor board" includes the camera itself and what might be an infrared motion sensor. It connects to a parallel board via 10-pin and 18-pin headers.
- The "network board" has a chip with a sticker on it (I think maybe the wireless chip), what appears to be a light sensor, and the USB port for power. It is soldered to another board at the top.
- The "antenna board" has what appears to be a serpentine printed antenna, and also carries the battery contacts. Notice the word "walnut" printed on it; this shows up in the APK as well.
- The speaker is at the bottom, and there is an LED that can be red or green.

[Figure: The sensor board, front, and the sensor board seen from under the camera.]

[Figure: Peeking under the network board; the network board exposed, front and back, with detail closeups; the chip with and without its sticker.]

[Figure: The antenna board, front and underside (#1 through #4), plus a slightly different angle so that more of the printing is visible.]
Author

Tim McCormack lives in Somerville, MA, USA and works as a software developer. (Updated 2019.)