Belkin Wemo Teardown part 1

I received a Belkin Wemo device today to play with.

Since I do not have an iOS device, and for some reason the Wemo ONLY works with iOS (wtf?), I’m trying to get it working without it.

So far I’ve connected my laptop to its wifi access point. It assigned me an IP of 10.22.22.2 and its IP is 10.22.22.1.
No conventional ports such as 22/SSH, 23/Telnet or 80/HTTP worked.

Running nmap revealed very few open ports:

nemik@a64:~$ nmap -sT 10.22.22.1

Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-16 17:48 CDT
Nmap scan report for 10.22.22.1
Host is up (0.029s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
49152/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds

When running telnet on the open port 49152, there were interesting things:

nemik@a64:~$ telnet 10.22.22.1 49152
Trying 10.22.22.1...
Connected to 10.22.22.1.
Escape character is '^]'.
HTTP/0.0 400 Bad Request
SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6
CONTENT-LENGTH: 50
CONTENT-TYPE: text/html
<html><body><h1>404 Not Found</h1></body></html>
Connection closed by foreign host.

Same for curl:

nemik@a64:~$ curl -i 10.22.22.1:49152
HTTP/1.1 404 Not Found
SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6
CONNECTION: close
CONTENT-LENGTH: 48
CONTENT-TYPE: text/html
<html><body><h1>404 Not Found</h1></body></html>

Interesting that it runs Linux though! I’d like to open it up to see the type of chips used inside but I do not have the triangular screwdriver for Belkin’s weird security screws on the device. If/when I order some and get it opened, I’ll post pics.
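The SERVER header in both responses uses the UPnP layout of OS/version, UPnP/version, product/version, which is where the Linux kernel and SDK versions come from. The Python below is an added example, not part of the original post: it parses a captured response offline into those components for a device inventory and checks the declared CONTENT-LENGTH against the body actually received. The function names are hypothetical, and the sample is constructed from the curl output above with the on-the-wire CRLF line endings and blank separator line restored.

```python
# Added example: offline parsing of a captured UPnP HTTP response.

# Constructed sample: the curl response from the post, with CRLF line
# endings and the blank header/body separator an HTTP response carries.
SAMPLE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"CONNECTION: close\r\n"
    b"CONTENT-LENGTH: 48\r\n"
    b"CONTENT-TYPE: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>404 Not Found</h1></body></html>"
)

def parse_response(raw):
    """Split a raw HTTP response into status line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_server_tokens(server):
    """Turn 'OS/ver, UPnP/ver, product/ver' into {name: version}."""
    tokens = {}
    for part in server.split(","):
        # Product names may contain spaces; the version follows the last '/'.
        name, sep, version = part.strip().rpartition("/")
        if sep:
            tokens[name] = version
    return tokens

def fingerprint(raw):
    """Summarise one captured response for an asset inventory."""
    status, headers, body = parse_response(raw)
    declared = headers.get("content-length", "")
    return {
        "status": status,
        "components": parse_server_tokens(headers.get("server", "")),
        # False when the declared length disagrees with the body received.
        "length_ok": declared.isdigit() and int(declared) == len(body),
    }

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
```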

The next step is to borrow an iOS device and see if I can sniff the traffic for initializing the device. If anyone has done something similar or has any tips, please let me know.