Hacking the Motorola Blink 1 Baby Monitor (Part 2)

Ok, so it’s been quite some time since I posted my first efforts at “hacking” the Motorola Blink 1 Baby Monitor. Suffice to say we’ve been quite busy for a while & I’ve only just gotten around to actually plugging it in again now that our son is with us & at an age where we’re starting to think about being able to put him down in his crib & go into another room.

Anyway, I powered it on for the first time since August today and it asked to perform a firmware upgrade. I thought ‘Aha! I’ll capture what it’s up to and see if I can work out where it downloads new firmware from’ but I inadvertently messed up my tcpdump session & didn’t actually capture anything while it was upgrading. Furthermore, as I should have known from reading the comments here, it seems that Motorola have disabled the landing page for the onboard web-server in the new firmware version (08-050) and it now just gives you a 404.

Well obviously this couldn’t be allowed to stand. Suffice to say if you capture all network traffic from the Blink when it powers on you’ll see it makes some web requests to a Monitor Everywhere ‘OTA’ server. It seems this is how it determines if there’s a firmware upgrade to be downloaded & with a bit of jiggery-pokery you too can download bmfwromfs_08_050.tar.gz which contains the latest firmware.

Unpacking the gzip’d tarball you’ll see there is a binary file ‘conprog.bin’ which I’m pretty sure is the kernel image (2.6.17.14 since you ask) and a file ‘rootfs.bin’ which is a romfs image file containing the root file system for the camera.

You can mount this under Linux using the command:

mount -t romfs -o loop <path to rootfs.bin> <mount-point>
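
Where loop-mounting is not an option (no root, or no romfs support in the running kernel), the image can also be listed in user space, which keeps an untrusted firmware image away from the kernel's filesystem code. The following is an added example, not part of the original post or of any Motorola tooling: it walks the romfs layout as described in the Linux kernel's romfs documentation, and the function names and the sample image (its file names and contents) are constructed for illustration. Per-file header checksums are read but not verified.

```python
import struct

TYPES = ["hardlink", "dir", "file", "symlink", "blockdev", "chardev", "socket", "fifo"]

def _name(img, off):  # NUL-terminated name at off -> (name, next 16-byte boundary)
    end = img.index(b"\0", off)
    return img[off:end].decode("latin-1"), (end + 16) & ~15

def list_romfs(img):
    """Return [(path, type, size, executable)] for a romfs image held in bytes."""
    full_size = int.from_bytes(img[8:12], "big")
    if img[:8] != b"-rom1fs-" or not 32 <= full_size <= len(img):
        raise ValueError("not a romfs image, or truncated")
    words = min(full_size, 512) // 4           # checksum covers the first 512 bytes
    if sum(struct.unpack_from(">%dI" % words, img)) & 0xFFFFFFFF:
        raise ValueError("bad superblock checksum")
    out, seen = [], set()
    def walk(off, prefix):
        while off:
            if off in seen or off + 17 > full_size:
                raise ValueError("corrupt header chain")
            seen.add(off)
            nxt, spec, size, _cksum = struct.unpack_from(">4I", img, off)
            name, _data_off = _name(img, off + 16)
            kind = TYPES[nxt & 7]               # low 3 bits: type; bit 3: executable
            if name not in (".", ".."):        # self/parent entries, never followed
                out.append((prefix + name, kind, size, bool(nxt & 8)))
                if kind == "dir":
                    walk(spec, prefix + name + "/")   # spec: first header inside
            off = nxt & ~0xF
    walk(_name(img, 16)[1], "/")                # headers follow the volume name
    return out

def demo_image():
    """Constructed sample image (names and contents invented, not the camera's)."""
    pad = lambda b: b + b"\0" * (-len(b) % 16)
    hdr = lambda nxt, spec, name, data=b"": (
        struct.pack(">4I", nxt, spec, len(data), 0) + pad(name + b"\0") + pad(data))
    body = (hdr(64 | 9, 32, b".") + hdr(96, 32, b"..") + hdr(128 | 9, 176, b"etc")
            + hdr(10, 0, b"init", b"#!/bin/sh\n")
            + hdr(2, 0, b"hosts", b"127.0.0.1 localhost\n"))
    img = bytearray(b"-rom1fs-" + struct.pack(">II", 32 + len(body), 0)
                    + pad(b"demo\0") + body)
    total = sum(struct.unpack_from(">%dI" % (len(img) // 4), img))
    struct.pack_into(">I", img, 12, -total & 0xFFFFFFFF)   # make the words sum to 0
    return bytes(img)

if __name__ == "__main__":
    print(*list_romfs(demo_image()), sep="\n")
```

To list a real image, pass the bytes of rootfs.bin to list_romfs() instead of demo_image().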

I’ve only just got this going tonight so I’ve yet to have a real poke around in there, but for everyone who’s looking for the web interface, point your browser at:

http://<camera-ip>/blinkhome.html

– or –

http://<camera-ip>/index2.html

to get it back. Incidentally the pages aren’t quite the same, so worth looking at both!