Belkin Wemo Teardown part 1

July 2012 ยท 2 minute read

I received a Belkin Wemo device today to play with.

Since I do not have an iOS device, and for some reason the Wemo ONLY works with iOS (wtf?), I’m trying to get it working without it.

So far I’ve connected my laptop to its wifi access point. It assigned me an IP of and its IP is No conventional ports such as 22/SSH, 23/Telnet or 80/HTTP worked.

Running nmap revealed very few ports to be opened:

    nemik@a64:~$ nmap -sT
    Starting Nmap 5.21 ( ) at 2012-07-16 17:48 CDT
    Nmap scan report for
    Host is up (0.029s latency).
    Not shown: 998 closed ports
    53/tcp    open  domain
    49152/tcp open  unknown
    Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds

When running telnet on the opened port 49152, there were interesting things:

    nemik@a64:~$ telnet 49152
    Connected to
    Escape character is '^]'.
    HTTP/0.0 400 Bad Request
    SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6
    CONTENT-TYPE: text/html
    <html><body><h1>404 Not Found</h1></body></html>
    Connection closed by foreign host.

Same for curl:

nemik@a64:~$ curl -i HTTP/1.1 404 Not Found SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6 CONNECTION: close CONTENT-LENGTH: 48 CONTENT-TYPE: text/html <html><body><h1>404 Not Found</h1></body></html>

Interesting that it runs Linux though! I’d like to open it up to see the type of chips used inside but I do not have the triangular screwdriver for Belkin’s weird security screws on the device. If/when I order some and get it opened, I’ll post pics.

The next step is to borrow an iOS device and see if I can sniff the traffic for initializing the device. If anyone has done something similar or has any tips, please let me know.