A dotnet program for interacting with the Heath Zenith SL-3011-00 Notifi Plug-In Doorbell (Model WLTRX3011).
I'm writing this because
- Their Android app is a giant pile of crap.
- I want to know the security of the things on my network (Hint: It's not good. Welcome to the Internet of S**t).
- Taking things apart is fun.
Fun fact: This device sells for ~$70 at Lowes and Walmart despite having only a dollar or two's worth of components.
FCC Docs: https://fccid.io/BJ4-WLTRX3011
Internal Images:
The device communicates on TCP port 12345 using what looks like a custom protocol.
Data packets consist of a Command, Command Data, Status, and CRC.
Field | Size (bytes) | Description |
---|---|---|
Command | 1 | The command id |
Data Size | 1 | The size of the [Data] field |
Data | variable | The command data |
Status | 1 | The status of the command¹ |
CRC | 2 | The CRC-16 of the packet² |
1. This field is always `0` for commands sent from the app, and appears to always be `0` in responses.
2. The app doesn't check the CRC of responses; it's unknown if the device itself does.
Command | Id |
---|---|
StartCommunication | 0 |
SendWifiSSID | 16 |
SendWifiPWD | 17 |
SendDeviceName | 18 |
SendCloudID | 19 |
SendGMT | 20 |
SendCommandType | 22 |
SendServer | 21 |
GetWifiConnectionStatus | 64 |
GetScannedWifiSSIDNum | 65 |
GetScannedWifiSSID | 66 |
EndCommunication | -1 |
NoCommand | -1 |
GetMacAddress | 67 |
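The framing described above, as an added C# example that is not code from this repository. The CRC-16 variant is not stated on the page, so CRC-16/ARC (polynomial 0x8005 reflected, init 0) is assumed here and lives in one place so it can be swapped; it is also assumed that the CRC covers Command through Status and is appended little-endian. The parser validates the declared length and the CRC before trusting any field, which is the check the vendor app skips on responses.

```csharp
// Added example, not the repository's code. Assumed: CRC-16/ARC, CRC over Command..Status,
// CRC appended little-endian. The SSID used in Main is a constructed sample.
using System;

public enum DoorbellCommand : sbyte
{
    StartCommunication = 0,
    SendWifiSSID = 16,
    SendWifiPWD = 17,
    SendDeviceName = 18,
    SendCloudID = 19,
    SendGMT = 20,
    SendServer = 21,
    SendCommandType = 22,
    GetWifiConnectionStatus = 64,
    GetScannedWifiSSIDNum = 65,
    GetScannedWifiSSID = 66,
    GetMacAddress = 67,
    EndCommunication = -1, // the app's table also maps NoCommand to -1
}

public static class Crc16
{
    // CRC-16/ARC (assumed variant): reflected polynomial 0xA001, init 0x0000, no final xor.
    public static ushort Compute(ReadOnlySpan<byte> data)
    {
        ushort crc = 0x0000;
        foreach (byte b in data)
        {
            crc ^= b;
            for (int i = 0; i < 8; i++)
                crc = (crc & 1) != 0 ? (ushort)((crc >> 1) ^ 0xA001) : (ushort)(crc >> 1);
        }
        return crc;
    }
}

public sealed record DoorbellPacket(DoorbellCommand Command, byte[] Data, byte Status)
{
    // Layout: Command(1) | DataSize(1) | Data(n) | Status(1) | CRC(2, little-endian)
    public byte[] ToBytes()
    {
        if (Data.Length > byte.MaxValue)
            throw new ArgumentException("the 1-byte DataSize field limits Data to 255 bytes");
        var body = new byte[3 + Data.Length];
        body[0] = unchecked((byte)(sbyte)Command);
        body[1] = (byte)Data.Length;
        Data.CopyTo(body, 2);
        body[^1] = Status;
        ushort crc = Crc16.Compute(body);
        var packet = new byte[body.Length + 2];
        body.CopyTo(packet, 0);
        packet[^2] = (byte)(crc & 0xFF);
        packet[^1] = (byte)(crc >> 8);
        return packet;
    }

    // Returns null (with a reason) for any frame whose length or CRC is inconsistent,
    // so corrupted or tampered frames are rejected instead of being acted on.
    public static DoorbellPacket? TryParse(ReadOnlySpan<byte> raw, out string? error)
    {
        error = null;
        if (raw.Length < 5) { error = "frame shorter than the 5-byte minimum"; return null; }
        int dataSize = raw[1];
        int expected = 2 + dataSize + 1 + 2;
        if (raw.Length != expected) { error = $"DataSize implies {expected} bytes, got {raw.Length}"; return null; }
        ushort stored = (ushort)(raw[expected - 2] | (raw[expected - 1] << 8));
        ushort computed = Crc16.Compute(raw[..(expected - 2)]);
        if (stored != computed) { error = $"CRC mismatch: frame 0x{stored:X4}, computed 0x{computed:X4}"; return null; }
        return new DoorbellPacket(
            (DoorbellCommand)unchecked((sbyte)raw[0]),
            raw.Slice(2, dataSize).ToArray(),
            raw[2 + dataSize]);
    }

    public static void Main()
    {
        var ssid = new DoorbellPacket(DoorbellCommand.SendWifiSSID, System.Text.Encoding.ASCII.GetBytes("HomeNet"), 0);
        byte[] wire = ssid.ToBytes();
        Console.WriteLine("frame: " + BitConverter.ToString(wire));

        var ok = TryParse(wire, out var err);
        Console.WriteLine(ok is null ? $"rejected: {err}" : $"parsed {ok.Command}, {ok.Data.Length} data bytes, status {ok.Status}");

        wire[3] ^= 0x01; // flip one bit inside the SSID to simulate corruption or tampering
        var bad = TryParse(wire, out err);
        Console.WriteLine(bad is null ? $"rejected: {err}" : "accepted corrupted frame");
    }
}
```

If a capture shows the device accepting frames that this parser rejects, the CRC variant assumed in `Crc16.Compute` is the first thing to revisit; the rest of the layout is taken directly from the table above.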
Packets are encrypted using AES128 (CBC) and then encoded as base64.
- Client sends a `StartCommunication` command encrypted using a hardcoded AES key and blank IV.
- Device responds with a new AES key to use for future commands.
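The transport layer and key handoff just described, as an added C# example that is not code from this repository. It models both sides of the exchange so the consequence of a hardcoded key plus a fixed IV is visible: whoever holds the bootstrap key can read the session key the device hands out, and identical frames produce identical ciphertext. Assumptions: "blank IV" is taken to mean sixteen zero bytes, padding is assumed to be PKCS7, the response body is assumed to carry the raw 16-byte key, and the key bytes below are placeholders (the real hardcoded key is not reproduced here). The StartCommunication frame is a constructed sample with placeholder CRC bytes.

```csharp
// Added example, not the repository's code. Assumed: zero IV, PKCS7 padding, raw key in the
// response body. BootstrapKey is a placeholder, not the vendor's key.
using System;
using System.Security.Cryptography;
using System.Text;

public static class DoorbellCrypto
{
    public static readonly byte[] BootstrapKey = Encoding.ASCII.GetBytes("PLACEHOLDER_KEY!"); // 16-byte placeholder
    public static readonly byte[] BlankIv = new byte[16];                                     // assumed all-zero IV

    private static Aes NewAes(byte[] key)
    {
        var aes = Aes.Create();
        aes.KeySize = 128;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7; // assumed
        aes.Key = key;
        aes.IV = BlankIv;
        return aes;
    }

    // Encrypt a raw frame and base64-encode it, the form that goes over TCP port 12345.
    public static string Encode(byte[] frame, byte[] key)
    {
        using var aes = NewAes(key);
        using var enc = aes.CreateEncryptor();
        return Convert.ToBase64String(enc.TransformFinalBlock(frame, 0, frame.Length));
    }

    // Reverse of Encode. Throws CryptographicException on a padding error, which is what a wrong key looks like.
    public static byte[] Decode(string base64, byte[] key)
    {
        byte[] cipher = Convert.FromBase64String(base64);
        using var aes = NewAes(key);
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(cipher, 0, cipher.Length);
    }

    public static void Main()
    {
        // Constructed StartCommunication frame: Command 0, DataSize 0, Status 0, placeholder CRC.
        byte[] start = { 0x00, 0x00, 0x00, 0x00, 0x00 };
        string request = Encode(start, BootstrapKey);
        Console.WriteLine($"client -> device: {request}");

        // Device side: decrypt under the hardcoded key, mint a session key, return it under the same key.
        byte[] seen = Decode(request, BootstrapKey);
        Console.WriteLine($"device decrypted a {seen.Length}-byte frame");
        byte[] sessionKey = RandomNumberGenerator.GetBytes(16);
        string response = Encode(sessionKey, BootstrapKey);
        Console.WriteLine($"device -> client: {response}");

        // Risk: the session key is protected only by the hardcoded key, so a passive observer
        // on the same network who knows that key recovers it from the capture.
        byte[] recovered = Decode(response, BootstrapKey);
        bool exposed = Convert.ToBase64String(recovered) == Convert.ToBase64String(sessionKey);
        Console.WriteLine($"session key recoverable from the handshake alone: {exposed}");

        // Fixed IV: the same frame always encrypts to the same bytes, so repeated commands are visible in a capture.
        Console.WriteLine($"repeat request identical on the wire: {Encode(start, BootstrapKey) == request}");
    }
}
```

Both observations are detection aids as much as risks: a capture of port 12345 can be checked for repeated ciphertexts (fixed IV) and, with the bootstrap key, decrypted to confirm which commands a device actually accepted.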