Gigaset elements devices research #1

jurkov opened this issue Mar 28, 2024 · 16 comments

jurkov commented Mar 28, 2024

Hello!

Could someone create a network traffic recording of the device pairing? It could be done using these instructions: https://httptoolkit.com/docs/guides/android/. It would help to understand how the app, the web, and the base station work together.

A network traffic recording while pairing different devices to the base station would also be interesting.

Owner

obruns commented Mar 28, 2024

@jurkov, I don't think the client-facing traffic needs to be recorded anymore. We got plenty of implementations that use the JSON-based REST API already. It is also observable when using the Gigaset Elements Web App and running your browser's Developer Tools (press F12).

My attempts using mitmproxy between the basestation and the "Gigaset Elements Cloud" have been unsuccessful so far. It suffers from the same problems that are described here. See the updated README.md in this repo.

Author

jurkov commented Mar 28, 2024

Could be helpful:
/api/v1/me/elements/bs01/claim -> maybe POST with actiavtionCode -> claiming a station
/api/v1/me/basestations/{bsId}/fw_upgrade -> maybe GET -> triggering an update?

Author

jurkov commented Mar 28, 2024

Owner

obruns commented Mar 28, 2024

> Did you see https://www.av-test.org/fileadmin/pdf/publications/avtest_2014-04_smart_home_deutsch.pdf#25 ?

Thanks for the pointer. Hadn't seen that one before. At a quick glance it appears like they have updated the product based on the reported findings (TLSv1.0 is now TLSv1.2, fwiw). I'll have a deeper look at pages 25pp nevertheless.

I'm not that hopeful to be able to peek at the traffic between the basestation and the cloud service. But I got a bunch of Wireshark captures starting with the boot of the basestation and including most of the sensors firing events.

Author

jurkov commented Mar 29, 2024

Well, the game is not over until we have a look at this MX25??? SPI flash: https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_Elements_Base
Maybe it's possible to read with an Arduino or esp32: https://github.com/adafruit/Adafruit_SPIFlash

Author

jurkov commented Apr 4, 2024

I just found another blog post about api-bs... from 2014: https://lofidewanto.blogspot.com/2014/04/smart-home-sweet-home-with-gigaset.html but there is nothing new.

l05r commented Apr 7, 2024

The manual of the Y-Cam cameras mentions the manual flashing of the firmware. I was unable to find such a firmware. Using the cameras locally could be as simple as flashing the original firmware. The original firmware seems to contain a local interface.

jurkov changed the title from "Network traffic record of device pairing basestation and web" to "Gigaset elements devices research" on Apr 8, 2024

GitMuki commented Apr 10, 2024

Hi, I am also interested in not having to throw my Gigaset stuff in the garbage bin. What I have noticed is that power plugs still turn on/off according to the timer rules I had created for them. I haven't experimented with, for example, seeing if it depends on the base station being on, or sniffing the network around the time they turn on/off. But I may, if it might help someone who can do something useful with the information.

l05r commented Apr 10, 2024

I found this:

https://forum.smart-home-systeme.com/thread/528-gigaset-elements-abgeschaltet-was-geht-jetzt-noch/

It explains what still works and what does not. Everything relying on you and your app does not work because the servers are shut down. Things already set up (rules like timers for the plug or a motion sensor triggering a plug) do still work.

I have not tested turning the alarm on/off using the button. I already had rules set up for the button to arm/disarm the system before the servers got shut down.

l05r commented Apr 10, 2024

Our model of camera seems to be the YCK004, which is S range (not SD, as it does not have a micro SD card slot).

Tony23457 commented Apr 25, 2024

Hi, I opened a cam S30851-H2556-R101 which has an SD card in it. There are some pictures/videos of some Chinese guys from the factory; however, there is a log file called firmware_upgrade.log with the UTC and log of two functions:
check_sd_card()
check_new_version()
Trying to reset the cam while powering it on with the mfw file from YCAM didn't work. Can't follow the reset procedure from YCAM as that one doesn't have an RJ45 port but only a microUSB one.
Does someone know a tool to see if the microUSB port could do more than just power the cam?

Got a 2nd cam S30851-H2557-R101. With nmap I saw some open UDP ports, tried to get an RTSP flow out of it but it didn't work. The old CVE https://team-sik.org/sik-2016-045/ on the UDP port didn't work either.

```
PORT STATE SERVICE VERSION
177/udp open|filtered xdmcp
998/udp open|filtered puparp
1524/udp open|filtered ingreslock
5001/udp open|filtered commplex-link
18987/udp open|filtered unknown
20031/udp open|filtered bakbonenetvault
20817/udp open|filtered unknown
30656/udp open|filtered unknown
32776/udp open|filtered sometimes-rpc16
41524/udp open|filtered unknown
44101/udp open|filtered unknown
49166/udp open|filtered unknown
49175/udp open|filtered unknown
58178/udp open|filtered unknown
58631/udp open|filtered unknown
```

I sent a few random UDP packets but I didn't get a reply. Does someone have a tool to go deeper on those UDP ports, or another angle to check that cam?

Author

jurkov commented Apr 26, 2024

Are you sure that the camera is based on a Ycam model? Do you have any pictures of the internals?

Tony23457 commented Apr 26, 2024

No, just followed the lead here; for me it looks like a custom-made one for Gigaset. Here are the pictures:
Mainboard
Mainboard1
Mainboard2
What do you think about the angle I should look at those two cams from? I'm trying to see it from a more local perspective, without MITMing the cloud setup connectivity.
One has an RJ45 port and a Wi-Fi module; I couldn't open it without breaking it. I only got those UDP ports open after it got an IP. The second has a Wi-Fi module, SD card and microUSB port.
