Belkin Wemo Teardown part 2

Made progress today with using UPnP to communicate with the Wemo.

I used the awesome miranda-upnp Python library to explore the device. Its URL for listing services is at http://10.22.22.1:49152/setup.xml

There are ones for “rules”, “remoteaccess”, “metainfo”, “WiFiSetup”, “firmwareupdate”, “timesync” and “basicevent”.

The most interesting one, I’m guessing, is “basicevent” because it contains an action called “SetBinaryState” and “GetBinaryState” on top of others like “GetSerialNo”, “GetMacAddr” etc. But the BinaryState thing looks cool because I’m guessing it is what is used to control the switch.

Unfortunately, sending commands/actions to this service always returns a 500 error, with error code -111 is “Invalid Service” although from all indications I am sending the SOAP request to the proper URL and service. I tried it manually and through miranda-upnp, same results.
At this point I think it is a header I might be missing, perhaps the “User-Agent”? And without the one the device is expecting, it will reject with a 500?

I unfortunately don’t have an iOS device to test with. Has anyone with an iOS device and Belkin Wemo sniffed the traffic between them? If I can get my hands on one, next step would be use Ettercap and Wireshark on that same wifi AP to see what the iOS app is sending that I’m not.