Home Automation - Jovision CloudSEE Doorbell Trigger to Telegram Chat
The doorbell, according to the MAC address, is made by China Dragon Technology Limited.
The reason for this integration is that this model is from China and requires me to install HUAWEI Push Kit to receive notifications. I did not want that and needed an alternative.
Now this may seem like a very simple integration, but trust me, it is not. The doorbell itself has all ports closed and only communicates with its own cloud servers.
Intercepting Traffic with Zanti Man-in-the-Middle (MitM) Attack
I tried many ways to intercept the traffic and see the requests sent by the doorbell when the alarm button is triggered. I settled on my trusty Android device with the Zanti Penetration Testing Application.
Here's a sample request sent according to Zanti where they upload an image to their cloud servers when the button is pressed.
    URL: http://oss-cn-hangzhou.aliyuncs.com/xw-cloudstorage/ecateye/7days/(CAMERA_ID)/20210613/A01142912.jpg
    Date: Sun Jun 13 14:29:10 GMT+08:00 2021
    Method: PUT
    Auth: null
    Cookie: null
    User Agent: (CAMERA_ID)
    Mime Type: null
    Headers:
      date : Sun, 13 Jun 2021 06:29:19 GMT
      authorization : OSS (AUTH_KEY)
      content-length : 20857
      host : oss-cn-hangzhou.aliyuncs.com
      content-type : application/octet-stream
      user-agent : (CAMERA_ID)
    Form params:
DNS "Poisoning" with AdGuard Home DNS Server
Since my entire household is under AdGuard Home DNS (previously PiHole) and the device doesn't seem to be using any custom DNS servers, I decided to reroute traffic going to oss-cn-hangzhou.aliyuncs.com to my NGINX server.
Proxying and Mirroring with NGINX
Luckily for me, the device uses an insecure HTTP connection, so I don't have to worry about any certificate checks. I pinged the address and found that the IP address is 118.31.219.251. It may be a CDN IP, but it's a low priority for me to keep up with it. I used the mirror directive to route a copy of the traffic to a webhook trigger on my local N8N.io instance.
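    server {
        listen 80;
        listen [::]:80;
        server_name oss-cn-hangzhou.aliyuncs.com;

        location / {
            # Copy every incoming request (including its body) to /mirror
            mirror /mirror;
            mirror_request_body on;
            # Forward the original request to the upload server's IP
            proxy_pass http://118.31.219.251;
        }

        location /mirror {
            # Only reachable as an internal subrequest, not from clients
            internal;
            # The doorbell sends PUT; the webhook is a POST webhook
            proxy_method POST;
            proxy_pass http://(N8N_IO_HOSTNAME)/webhook/(WEBHOOK_ID)/;
        }
    }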
Handling request with N8N.io
- Grabs the request body from the POST webhook (make sure to enable the Binary Data option)
- Sends the image data captured in the data binary object to my personal MinIO server
- Sends the photo and a message to my family's Telegram channel
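
Because the `location /` block mirrors every request sent to that hostname, the webhook fires on anything that resolves there, not only doorbell presses. A filter that could run before the MinIO and Telegram steps, as an added example that is not part of the original post (plain Node.js; the camera ID value is a placeholder, and `originalUri` is an assumption that needs something like `proxy_set_header X-Original-URI $request_uri;` in the `/mirror` location):

```javascript
// Added example, not code from the original post.
// Header values and the URL layout are taken from the intercepted request shown above.
// ASSUMPTIONS: EXPECTED_CAMERA_ID is a placeholder for the real (CAMERA_ID);
// originalUri is hypothetical and only exists if nginx forwards $request_uri in a header.
const EXPECTED_CAMERA_ID = "CAMERA_ID_PLACEHOLDER";
const UPLOAD_PATH =
  /^\/xw-cloudstorage\/ecateye\/7days\/([^\/]+)\/(\d{4})(\d{2})(\d{2})\/[^\/]+\.jpg$/;

function checkDoorbellUpload({ headers, body, originalUri }) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  if (h["user-agent"] !== EXPECTED_CAMERA_ID)
    return { ok: false, reason: "unexpected user-agent" };
  if (h["content-type"] !== "application/octet-stream")
    return { ok: false, reason: "unexpected content-type" };
  if (Number(h["content-length"]) !== body.length)
    return { ok: false, reason: "content-length mismatch" };
  // A JPEG always starts with the SOI marker FF D8 FF.
  if (!(body[0] === 0xff && body[1] === 0xd8 && body[2] === 0xff))
    return { ok: false, reason: "body is not a JPEG" };

  let date = null;
  if (originalUri !== undefined) {
    // Optional: confirm the upload path and pull the date folder out of it.
    const m = UPLOAD_PATH.exec(originalUri);
    if (!m || m[1] !== EXPECTED_CAMERA_ID)
      return { ok: false, reason: "unexpected upload path" };
    date = `${m[2]}-${m[3]}-${m[4]}`;
  }
  return { ok: true, date };
}

// Constructed sample input (not captured traffic): a 7-byte JPEG-shaped body.
const sampleRequest = {
  headers: {
    "User-Agent": EXPECTED_CAMERA_ID,
    "Content-Type": "application/octet-stream",
    "Content-Length": "7",
  },
  body: Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0xff, 0xd9]),
  originalUri: `/xw-cloudstorage/ecateye/7days/${EXPECTED_CAMERA_ID}/20210613/A01142912.jpg`,
};

console.log(checkDoorbellUpload(sampleRequest));
```

Only requests that return `ok: true` should continue to the storage and notification steps; everything else can be dropped or logged.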
Final output
It's time to press the doorbell!