Hacking the Motorola Blink 1 Baby Monitor (Part 1)

As I mentioned before I’ve recently acquired a Motorola Blink 1 Wi-Fi baby monitor. My plan was to reverse engineer some of its functions in order to integrate it with our existing home automation. My findings to date indicate that it should be fairly easy to interface with the monitor without using the Monitor Everywhere App.

The first step was just to point a web browser at the camera’s IP address which paid off by giving me the following (with no authentication incidentally – be careful if you might be putting one of these on a publicly accessible IP):

Motorola Blink 1 Web InterfaceYou get a web interface with Javascript based video streaming & control Pan & Tilt as well as a reading of the current temperature & controls for contrast, brightness & image resolution. Two resolutions are available: QVGA (320×240) & VGA (640×480). On this page the video stream is provided by using some Javascript to repeatedly load a JPEG image from the URL:

http://<camera-ip>/?action=snapshot

and replacing the existing page image with it. Control of pan & tilt is also done with AJAX HTTP requests, I’ve not done any experimenting with those yet so I’ll leave them for another time. It is also possible to read the temperature sensor value in °C by requesting the following URL:

http://<camera-ip>/?action=command&command=value_temperature

 

The link for “Video + Audio” takes you to an identical looking page but instead of using Javascript to provide the video it using a Java applet to playback an MJPEG stream with audio. The Java applet appears to be based on the Cambozola streaming image viewer by Andy Wilcock. The URL for the MJPEG stream is:

http://<camera-ip>/?action=appletvastream

It seems possible to playback the video stream perfectly happily using VLC (just point it at the URL) but so far I can’t get it to play any audio with VLC. Unjar’ing the cambozola.jar from the Blink makes me suspect there could be an ADPCM audio stream (there is an ADPCMDecoder.class in the JAR) but it’s not obvious from capturing the stream’s URL with wget – if anyone knows anything about audio encoding in MJPEG streams I’d be most interested to hear about it.

One final point of interest from the web interface is that the page title identifies the Blink 1 as the MBP2000W which I’m guessing is the Motorola internal model number for the device.

Having explored the web interface a bit I thought I’d look into what sort of network traffic the Blink was generating. Having whipped out arpspoof & tcpdump I can confirm that the Blink is chatty little thing. On start-up it registers itself with the Monitor Everywhere website (it seems to use its own MAC address as the key), it seems to generate lots of ICMP traffic (mostly echo requests) & there’s definitely some STUN stuff going on (presumably to allow access to the camera from outside of your local network). I’ve got some network captures that I’ll be spending some time analysing in the near future.

One thing I did notice is that it’s fairly easy to receive alerts from the camera when it detects a noise. It just sends out a UDP subnet broadcast on port 51110. The contents of the UDP packet are:

VOX:<Camera MAC Address>

You can test this for yourself just by using netcat to listen on UDP port 51110 like so:

netcat -l -u 51110

That’s all I’ve got so far but I’ll post some more info when I’ve got some. In the meantime, happy hacking!

8 Replies to “Hacking the Motorola Blink 1 Baby Monitor (Part 1)”

  1. Interesting read! I just bought a Motorola blink1 myself but didn’t have time to experiment with it yet.
    Can we expect a part 2 of this post?

  2. Hi i like to learn more about your findings. Will there be a part 2? Do you know if we can hoop up this IP camera to a surveillance type of system?

  3. Very good post indeed! I bought the camera a week ago, upgraded the firmware and guess what – now logging via web on the IP gets me the following:

    404: Not Found!
    Could not open file

    The good part: VLC stream works (no clue if I have audio via it) but at least I do not have to go via the annoying java web site…. and yes, the VLC stream works just fine w/o any auth 🙂

    What I want is to somehow get back the web client on the camera – at leasat when I am on the wi fi – to go via it…

    Amazing info, thanks 🙂

  4. In the new firmware they removed the main page (it returns 404: Not Found!
    Could not open file).

    All the action links still exists though.
    Do you think you can send me a copy of the HTML so I can test out the AJAX PAN / ZOOM requests?

    1. Yesterday I plugged the camera in and found out that the new firmware removes the web-server landing page. Anyway, I’ve found a way around it, see my most recent post (Part 2) for details.

Leave a Reply

Your email address will not be published. Required fields are marked *