Freaking amazing to watch a teardown with someone who knows what they're looking at.
until now, this is the best teardown of the year
Whole reason I avoided Ring and went with Ubiquiti is the very public abuse of Ring devices by their employees, the build quality wasn't what I would want, and the police being the customer and the users who installed them being the product.
also their new bait and switch.
The diode is for compatibility with old style doorbells that use AC and operate a simple "ding dong" solenoid :)
The diode bypasses the switch so the unit is powered on one half-wave of the AC, providing constant power.
Pressing the doorbell bypasses the diode and provides the missing other half-wave of power to the unit, which it detects as a doorbell push
"This is the least satisfying doorbell button I've ever pressed" :DDD
"It feels better without the rubber thing over it." 10:05
I'm liking the annoyed but knows exactly what they're talking about vibe. Subbed immediately.
Nice to see the edited version of the "in progress" footage. Great teardown and analysis.
This was really well paced and a super knowledgeable commentary. Thanks a ton for this great teardown.
You worry about government surveillance while poor Tuco is under constant observation from the Scanlime Surveillance State! /s
My parents had one of these on their house. The button crapped out after a year, and the videos are super choppy and often start recording too late to be of use. The one time they had a package stolen, it didn't start recording until the thief was well on his way out of there. They got rid of it.
“How do I not learn more” XD
Glad to see you're back creating content! Missed you
thx for making this. the "ring makes the best doorbells"-folks in my social bubble are growing. now I can show them that my DIY solutions are (maybe) superior to their "it just works perfectly fine out of the box without any complicated installation"-solution.
Thank you for sharing! Very interesting to watch how you figure stuff out along the way. :)
Interesting. Had one of the slightly fancier versions of this for a few years now since a neighbor decided to become an Airbnb. The "look how dangerous your neighborhood is, good thing you have our product/service" is definitely one of the most annoying parts.
I think in my newer model, they put the optional diode in a small plastic box. It's an optional thing for certain ways of connecting it, either with or without an indoor chime, iirc.
Looks like a juicero ring bell lol
Nice vid as always !!
Holyofack, so it IS skookem.
Will it chooch?
Great review from a great channel on a terrible device from a terrible company. Completely agree with your opinions on the whole thing, liked seeing somebody smarter / more experienced than me taking it apart and figuring out how it works!
I think they used a selective soldering machine to solder the IR LEDs. Great video btw!
Yet another great video, you got yourself a new fan.
The encryption is probably compliant with the SRTP (Secure RTP) specification, RFC 3711. SRTP packets look just like RTP packets except the payload is encrypted, so there's no way to tell if a packet is RTP or SRTP just by looking at it; you need additional metadata from the session negotiation to tell. Key management is not part of the SRTP spec, so they could be communicating the keys in any number of ways. I can at least tell you that they're not using SDES (RFC 4568), which sends the keys via SDP, since I don't see the relevant fields in the SDP messages. Although the fact that they don't encrypt their SDP is also probably enough to tell you that :P
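The SDP check described in the comment above, as an added example that is not part of the original comment or the video: it reads an SDP body and reports, per media section, the declared RTP profile and any in-SDP key management (SDES `a=crypto`, DTLS-SRTP `a=fingerprint`, MIKEY `a=key-mgmt`). Both SDP bodies are constructed samples, not captures from the doorbell, and the function names are illustrative.

```python
# Added example: classify what an SDP body says about SRTP keying.
from dataclasses import dataclass, field

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
KEYING_ATTRS = {
    "crypto": "SDES (RFC 4568)",
    "fingerprint": "DTLS-SRTP (RFC 5763)",
    "key-mgmt": "MIKEY (RFC 4567)",
}

# Constructed sample: plain RTP/AVP profile and no keying attributes.
PLAIN_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=constructed-sample
c=IN IP4 192.0.2.10
t=0 0
m=audio 40000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
m=video 40002 RTP/AVP 96
a=rtpmap:96 H264/90000
"""

# Constructed sample: SDES keying, with the key replaced by a placeholder.
SDES_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=constructed-sample
t=0 0
m=audio 40000 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_NOT_REAL
"""

@dataclass
class Media:
    kind: str
    profile: str
    attrs: set = field(default_factory=set)

def parse_sdp(text):
    """Split an SDP body into session-level attribute names and media sections."""
    session, media = set(), []
    for line in (raw.strip() for raw in text.splitlines()):
        if len(line) < 2 or line[1] != "=":
            continue  # not a "<type>=<value>" line
        key, value = line[0], line[2:]
        if key == "m":
            parts = value.split()
            media.append(Media(parts[0] if parts else "?",
                               parts[2].upper() if len(parts) > 2 else ""))
        elif key == "a":
            name = value.split(":", 1)[0].lower()
            (media[-1].attrs if media else session).add(name)
    return session, media

def keying_report(text):
    """Per media section: declared profile and any in-SDP key management."""
    session, media = parse_sdp(text)
    report = []
    for m in media:
        names = session | m.attrs  # session-level attributes apply to every m= section
        keying = sorted(label for attr, label in KEYING_ATTRS.items() if attr in names)
        report.append({"media": m.kind, "profile": m.profile,
                       "secure_profile": m.profile in SECURE_PROFILES, "keying": keying})
    return report
```

An empty `keying` list together with a non-secure profile is the situation the comment describes: the SDP alone cannot say whether the payload is RTP or SRTP, so any keys must travel by some other channel.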
Was this streamed? If so you have the best stream editing method I've ever witnessed
yes, this was 100% recorded live. the editing is very labor intensive, glad you like it :)
@@scanlime On top of the significant knowledge and explanatory powers, you're a great editor too! :)
interesting to see that it is basically a sip video phone. was it a software update at the start or pulling down the phone extension config?
the SIP/SDP is an encrypted call.
Try this on your IP cams. Attempt to login via the IP and when it asks you for credentials, leave them blank and repeatedly try in quick succession and see if it eventually lets you in to a slightly different looking console with Chinese lettering...
Goddamn, I should've stumbled on your channel years ago, fantastic work.
Scanlime goes all the way back to LiveJournal. :)
that was incredible!
Interesting... Looked up. Sensor is an Excelitas Technologies PYD1698 available from Digikey part no 1601-1005-ND
I've been buying IP cameras for a while, mostly security ones but a few industrial ones. I don't see any reason to own one of those cloud ones. Most use the ONVIF protocol so can work with ONVIFFER or TinyCam on Android fine enough. The latter is literally a swiss army knife of features but I wish it had customizable layouts like ONVIFFER. Most (but not all, talking to you Arecont Vision) have ftp clients so just set an SBC up or use existing NAS. I'm using a Jetson Nano with a task that runs object detection and tags clips.
Some cool things I've discovered. ARECONT VISION cameras have pretty shit web admin interfaces but really extensive REST API features. I've got two 20 megapixel panorama cameras on my house. Pelco Sarix have killer on-board analytics for car/people detection and other things, and believe it or not, optional root shell access via ssh if you want it. IQvision had a C++ SDK to write custom plugin analytics modules but it's been hard to track down since the company was acquired or something.
also use ipcams that don't see internet and ispy on a windows box, what's ur software setup like?
Could probably make an open source version of this with a raspberry pi easily.
It appears multiple people have, actually. But they're all ugly.
a few years ago I'd expect something like this to run Linux on a small SOC. I find it interesting they went with a more embedded solution. It seems like there is a shift towards more single-purpose hardware doing specific things as IOT "matures"?
I'm not sure that's really the case. This looks like a somewhat "older" design style to me, and they're just running the same thing until they can't anymore. There's a date code 2016/9/13 at around 4m50s in the video. Newer cameras are all like you said, little ARM procs with some (outdated) Linux on it.
@@octothorpian_nightmare Ahh, Fascinating.
The view of the packet capture during the setup process was cool. Would be interested in seeing more of you hacking on this thing. Firmware extraction?
SIP was used for async at least since Cisco started pushing their phones hard to businesses. It's how they can, for example, follow dial patterns and know when enough digits (in the right pattern) have been pressed so they can start dialing without requiring the user to press SEND or CALL. (It used to be possible to tell if the user was dialing an area code because the second digit was always a 1 or a 0, and no local exchange prefixes would ever use a 0 or 1 in the second digit. So you dial seven digits for local and the call manager would immediately start the call process, or dial 10 digits for long distance. This is no longer true, though. But the async is still useful if you have local rules like, dial 9 to get an outside line, anything else is a private internal number.)
SIP is also used so the call manager can know when the handset goes off hook. Cisco added these features to SIP when it started moving its phone products away from the proprietary SCCP/Skinny protocol that the phones had when they bought out whatever company originally made them, in order to maintain these features.
Great tear down. Earned my sub :)
So I don't know what's bothering you?
This is a great development platform.
For voyeurs and for the police:P
Thanks for the great video, scanlime :)
Yes, the video and audio are encrypted. Early versions had issues with packet sniffing, people grabbing the streams and locating homes. Then the issues with deauth and connect themselves, hence the qr hardware verify.
Really nice editing
Two questions, who tf are you? And why have I not known about you before. Only watched this vid from you, but it’s really well produced and edited, took away all the boring “dead” time that most tear down videos have.
haha thanks. the editing is a lot of work :)
interesting, searched for hacking ak2000 gimbal and ... I'm mostly just looking to see if there is a way to use the follow focus II without the gimbal ..
What a fantastic recommendation from the yt algo
Good stuff.
I hope you are doing well. Missing your content.
Also it does requests to 8.8.8.8, is that your DNS setup in DHCP, or they hard coded it in their firmware?
not hardcoded, i had that in my DHCP offering, since I didn't set up a local DNS server for the testbed network
@@scanlime ah. ok.
This thing would make sense only if it were given out for free in return for allowing police to access it.
ngl I think these video doorbells are cool. Does anyone know of one that is useable locally with it storing video on my NAS?
very strange insides, not what I expected at all
It's certainly possible that they encrypted the video, but it's just as likely that they are abusing RTP and SDP and are putting some format of video that's "naturally produced" by the encoder straight into the RTP payload. It might be instructive to view the video from the web page, with help from Chrome or Firefox Developer Tools. Maybe you can figure out what the resolution and format the video is from that direction.
Also, I'm in the market for IP cameras that don't talk to any kinda cloud... Any suggestions?
ESP32 camera and Raspberry Pi Zero W + camera module are two suggestions.
I'd be interested also. I'd like to slap together my own esp32cam at a later date but in the meantime, no ready-made "open source and privacy respecting" ip cameras out there?
"Zero cool drop tables" does someone have a sense of humour?
It's like Hackers and XKCD had a love child and this is what happened. X3
I was looking to see if anyone else caught this hahaha. That dev was having fun
Is the "Hey Zero Cool", a Hackers reference?
I'm thinking it is indeed a reference to the movie
I do not use anything that won't let me self record to my own drives.
what's wrong with hitting pool.ntp?
spoofing
the best practice is to include a product-specific name in the NTP pool URLs you hardcode into products
@@scanlime did not know that, thanks
@Gigs it is against terms of use for ntppool.org. Citing: "You must absolutely not use the default pool.ntp.org zone names as the default configuration in your application or appliance." There are many technical reasons, and past issues that make this a strong requirement for use.
@@movax20h that's technically not in the terms of use, but in the "vendor guidelines". You could argue it's not really binding in any way, but as scanlime said, it's at least a best practice.
ding
A friend of mine got one of these things after some car with out of state plates started cruising his neighborhood looking for things to steal off people's porches around Christmas time. The best part was because of the pandemic these clowns get to wear masks to conceal their faces while they rob you. I don't mind security cameras, what I mind is what is done with the information once it gets into the hands of these giant garbage companies.
No I came to watch a tear down not listen to someone's paranoia