Domoticz

xman71 wrote: ↑Wednesday 11 October 2017 12:22 Could you send me by MP the UDP packet to use ?

No, just read what I wrote y'day. The packet will look different for all deviceID/password combinations. My packet will not work with your device.
But finding the correct one is quite easy: You have to get the IPC_DEBUG_TOOL from http://www.gwell.cc/e/DownSys/GetDown?c ... 6&pathid=0
Let it find your device in your LAN, add correct password (just like in my translated screenshot from above).
Then start your sniffer (wireshark) and click unlock.
When you hear switching of the relay, then you know it works.
Find the UDP packet that was sent by your PC to the doorbell's port 51880 exactly when you clicked and send it again by e.g. "Packet Sender". Works a 100% for me.

Thanks Rio.
I thought you were talking about a way to do this without uart.
Sorry for the misunderstanding.

Envoyé de mon SM-G935F en utilisant Tapatalk

Hi Xman!
Yes, in fact you can open the door from your LAN without UART. Just find the right UDP packet as described.
If you solve the doorbell push notification with an email that you filter somehow, you do not have to open the bell at all.

Due the fact, a simple fake UDP packet can open the your house's door, it's irresponsible risky to let the device access the internet or to switch on wifi!
I block internet access completely on my firewall and shutdown the wifi interface on the device

Too less response from other users - I give up and will sell it again.

Hello,
Have anyone tested to listen to the 433 chime with RFXCOM or RFLINK ?

Thank you

Hi,
I can see the doorbell in RFLink not in RFXCOM.

Oh great ! Thanks you !

Envoyé de mon Redmi 3S en utilisant Tapatalk

Riogrande75: I'm very interesed in this device, with the information which was gave by you here I was able to manage to access my device. You mentioned earlier that you made MQTT client for this architecture. Can you share these with us?

I do not have the device anymore. But here are the 2 mqtt files (binary), that I crosscompiled for running on this hisilicom platform:
https://expirebox.com/download/3e47aad7 ... 2c812.html
Pls. dont ask anything about it - I might not be able to help you.

josesmith wrote: ↑Monday 29 August 2016 5:01 This video doorbell is based on Gwell Hi3518E + OV9712 hardware design, the RTSP and ONVIF information can be found on Yoosee camera faq page: http://www.yooseecamera.com/faq.html

rtsp://IPadr:554/onvif1
Main stream rtsp://IPadr:554/onvif1
Sub-stream rtsp://IPadr:554/onvif2

ONVIF port: 5000; Device discovery port: 3702

In addition to use the Yoosee App, there are many alternatives including 2CU, COT PRO. Additionally, you can use any ONVIF compliant software/app to access the camera.

Where do I buy the Yoosee camera?

I bought ATZ-DBV03P with good aluminium body here:
https://www.ebay.fr/itm/eBELL-ATZ-DBV03 ... 2769935705

There are 2 versions of ATZ-DBV03P. One here with small firmware:
http://www.atz-tech.com/news/38-en.html

And mine, Gwell version:
http://www.gwell.cc/e/action/ShowInfo.p ... =102&id=22
Flashtool:
http://www.gwell.cc/e/action/ShowInfo.p ... =101&id=20
Unpack bin tool:
https://github.com/zzerrg/gmfwtools

I test downgrade from 13.00.01.10 to 13.00.00.99 with success.

If you someone can extract . bin for hack ?

About rf 433MHZ ring button:

Step 1. Buy a sonoff RF bridge
Step 2. Install ESPURNA FRIMWARE on it ( http://tinkerman.cat/hacking-sonoff-rf-bridge-433/ )
Step 3. Put Sonoff RF in Learning Mode, push the button on the IPCAM device.
Step .4 Save the learnig code in one of the swtich position

Now you have an MQTT mesage for pressing the button on the intercom and that message cant be interpreted in Openahb or HASS or Domoticz or other solution
If you have a Broadcom RF switch the learning button with change frequency mode, standard learnig doesnt work./

Tested and working on Sonoff RF, with broadcom i do just a a small experiment.

Now, i f u guys tell me how to make the modification in linux to run the scripts from riogrande75because if i do " vi /etc/init.d/rcS " command in the next reboot we will loose aditions code in the rcS file. I wish to undestand how can i run a script in case of reboot

what i discover so far:
1. Conect the device with USB UART ( conect only the RX/TX and GND pins)
2. Run putty , select serial . name you com number, select baud rate at 115200 and conect

if you connected in correct order RX,TX and GND you should see a console with running lines

3.Now write in console telnetd to enable telnet
4. Conect with putty in telnet mode port 23
5 Login as root
6 Press enter (do not entry any password )

and you sould see somthing like this

(none) login: root
Welcome to HiLinux.
#

and now you will cracked the box

My device is like user jumble , see page 3

i am not shure i understand the riogrande75 work, how hi can run a custom scritp on boot the device
And can somebody send to me riogrande75 mqtt scripts, thank you!

So, to enable telnet for remote acces you must do the following steps
1. Connect with UART to the device
2. Wait for booting to complete
3. write " telnetd " without quotes
4. open putty and set it to com conexion, choose your com number ( see in windows devices manager) set the baudrate to 115200, and conect to device with telnet trough LAN or WIFI
5. If you are succesufully you should see the awesome message " (none) login:" type root and enter and voila: " 6. run command 7. paste this code escape and type :wq to write the file

8 run this command to move the original npc executables 9 run this command to move npc-script to npc OBS: Now the npc is the bell app and run at every restart so we renamed with npc script to npc, adn move the original npc to npc-exe (thanks riogrande to this tip)
10 reboot the device and you should be able to telnet this toy without UART in you lan
11. If you want to disble WIFI interface put in npc script this line adn save it again with :wq command

At this step you should be able to have full root acces with telnet and noe it is time to do some scripting:

What we should do: well Install a mqtt script to send message from button and maybe open the relay for door access and right now i dont know how to do that.

Thats it for now. If riogrande75 see my message , please send the mqtt file becouse the llink where you put it is expired and i cant PM for it, maybe because i dont have allot of post here. So please help if you like and THANKS RIOGRANDE75 for the multiple tips

I built a RFLink with gateway 433Mhz for <10€. Bell is show as "SelectPlus3" and this work fine

Thanks sergiucip for good howto.
A small additional: needed for new script file

I also start ftp server and try to send output to file:
also we can see output with tail proc: Also to riogrande75 - thanks for you hard work! If possible, please share binary again. MQTT from this bell its my dream )

Thanks. Sorry for my English.

Update:
Big thanks riogrande75! Sorry I don't have rights here for write PM.

Hi

i have this doorbell

https://fr.aliexpress.com/item/Smart-72 ... 6c37UmFt4B

i find RX and TX on motherboard so i active telnet

thanks for script

if you want to know when someone push button

you can sniff and search raw packet in HEXA you must search '10076067'

a example ok python sniffer

https://github.com/fennec622/doorbell_konx

Someone know how can i decrypt trame with password ?

thanks

fennec62 wrote: ↑Friday 21 June 2019 3:53 Hi

i have this doorbell

https://fr.aliexpress.com/item/Smart-72 ... 6c37UmFt4B

i find RX and TX on motherboard so i active telnet

thanks for script

if you want to know when someone push button

you can sniff and search raw packet in HEXA you must search '10076067'

a example ok python sniffer

https://github.com/fennec622/doorbell_konx

Someone know how can i decrypt trame with password ?

thanks

Hi!
On the device board there are 3 connectors with 3 pins, on which there is possibly uart. Which connector did you connect to?
Are there any results on integrating a video call into a smart home system? Interested in reading the interception of keys, call a guest, the opening of the lock.

Hi, I am new in this forum and I have a very basic question:
I own a Doorbell eBell ATZ-dbv01p and I had to load the Yosee app in a new moblie but I could not re-connect to the device because I firgot the device password.
I reset back the device to factory by pushing reset buttom for more than 5 seconds but none of default passwords have been recognize. I tried with 123, 1234, 123123, 12341234, 12345678, admin, etc with no success. I also attempted with blank password but the app requires at least one character password.
I wonder if anyone could help me with any other password to try or any otehr way to reset the device or how to proceed to recover the old password.
Thanks.
Osvle

Fennec62,

fennec62 wrote: ↑Friday 21 June 2019 3:53 i have this doorbell

https://fr.aliexpress.com/item/Smart-72 ... 6c37UmFt4B

i find RX and TX on motherboard so i active telnet

Me probably too. Mainboard is identified as KW02-V200-V1.5-MAIN 2017-10-17.

Could you share a picture RX/TS you identified please?

Thank you.

Finally I identified serial myself as on the picture below. Board has three TTL serials: J3 (UART0), J47 (guess) and J60 (guess) with voltage level 3.4V which is fine for my USB CP210X dongle. Kernel console is available on UART0 (115200 8N1, no flow control) and provides standard HiLinux syslog and shell prompt. Doorbell uses ARM926EJ-S processor. System provides BusyBox telnetd which can be started from command line and then easily connected using doorbell's IP for root account with no password. System mounts read-only SQUASHFS / and temporary /etc overlay. .

Hi all,

I have this device too and I'm interrested in using MQTT on it.

So to riogrande75 or anyone that still has it, if possible, could you please share the MQTT binary files again?

Sorry I don't have rights here to write PM as I am new in this forum.