Reverse Engineering WyzeSense Hardware

Wyze are a company that produces a variety of home automation products. Their Wyze Sense package is a system of contact and PIR home security sensors, that piggy backs off their Wyze Cam product. In the interests of being able to use this hardware outside the prescribed corporate ecosystem, [Xuan Xing] got down to hacking.

The project starts by tearing down the Wyze Cam, and getting serial console access. This was made easier by an existing Github project, which develops custom firmwares for smart cameras. With that in place he was able to see what was going on under the hood, and read the camera’s system logs.

By poring over these logs, and examining the disassembled Wyze Sense dongle, he’s well on the way to discovering how the sensors communicate with the Wyze Cam. The end goal is to enable the Wyze security sensors to be used with the Raspberry Pi platform, and to share the code on Github for other makers to experiment with.

Home automation platforms come and go quicker than the seasons change. This makes the hardware a popular target for hackers trying to get things running independently of any one company’s servers.

5 thoughts on “Reverse Engineering WyzeSense Hardware

  1. These ‘custom’ firmwares have some serious security flaws… I won’t recommend hanging any of these in your network.

    SSH enabled by default with default settings and no way to change.
    Check:https://flamingo-tech.nl/2019/02/16/xiaomi-xiaofang-s1-ssh-disable/

    Some sketchy autoupdate script pulling updates from git…
    https://flamingo-tech.nl/2019/03/01/xiaomi-xiaofang-s1-autoupdate-script/

    These products are highly unsafe. Black box firmware and even the ‘openfirmware’ has some doubtfull code.

    The wyzesense is the same camera rocking the same chips.

    1. I guess I’d encourage you to make some pull requests to address those issues you’ve identified, if they’re not accepted you could fork the project. That’s the beauty of Open Source Software

      1. Last I looked, even the “open” firmware wasn’t a ground-up clean source, it was just a set of hacks and mods built on the original firmware, so anything weird lurking in there is still there, you have to find it first before you can change it.

        If that’s inaccurate, I’d love to see a link to the clean version.

  2. That’s what a good router is for. SSH access has its place. But a proper router is required. Think something that can run with openWRT , Tomato, AdvancedTomtao or the like.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.