Reverse Engineering WyzeSense bridge protocol (Part I)

If you are in the market for consumer IP cameras, you may have already heard the brand named “Wyze”. I’ve been their user for more than a year. Their camera products are solid and also affordable. But today’s topic is not about the WyzeCam. Instead, we are looking at their newly announced WyzeSense sensor kit.

There are already lots of reviews about the WyzeSense sensor kit since the day they announced it, and they all read very positive. But to me, the moment I read their announcement, I knew this would also be something good for DIY’ers. Not only because they are affordable, but also because of how the sensors talk to the internet: through their USB dongle. Their USB dongle (WyzeSense bridge) is plugged into the reserved USB-A port on their camera. It’s very likely the USB dongle is talking to the camera using a “Serial-over-USB” kind of protocol, which is simple enough to be reverse engineered. So, here is the idea: if I can reverse engineer the communication protocol between the dongle and the camera, I can then use their dongle (and of course their sensors) on other platforms, such as a Raspberry Pi, and easily make my own automation systems without relying on their platform.

Don’t get me wrong: their products and software are great. They’ve announced many partnerships such as IFTTT, Alexa, Google Home Assistant, etc. That means with their built-in support, you already have a lot of options to integrate the WyzeSense sensors into your home automation system. But it’s never a bad idea to have one more choice.

So, let’s get started.

Usually, for any hardware hacking, step #1 is to get your hands on the target hardware. Well, along with their announcement, they started some early bird pre-ordering, but the actual kit won’t ship until a month later. So while waiting for my order to arrive, I need to start looking into it without having the dongle.

OK, so now the question is where to get more information. I already have the camera, and it seems there are already firmware updates to support the sensors. Reversing the firmware is definitely something on my list. But before that, let’s take a look at the FCC website.

According to the FAQ on Wyze’s website, their sensors use proprietary sub-1 GHz RF communication. If you are reversing anything related to RF, the FCC website is always a good source of hardware information. A Google search for “WyzeSense FCC” brought up this web page for me. If you browse a little bit, you should be able to find some internal pictures of the sensor bridge:

The picture on the top apparently shows the main chip used in the bridge. It’s very clear this is a TI CC1310 chip. Other than the RF spec, the datasheet also explains a couple of things:

  1. The chip itself has no USB capability. Unless Wyze is implementing a software USB stack (which I highly doubt anyone would do on a product), there must be a “something to USB” converter IC.
  2. TI has its own SimpleLink platform and SDK, which is supported by this chip. It’s very likely Wyze is going to use this as their communication protocol, and probably a lot of code will be using whatever reference project TI provides.
  3. There is a ROM bootloader supporting updating the firmware. There is no reason for Wyze to develop their own firmware update mechanism instead of using an existing one.

The chip in the bottom picture has some hard-to-read markings. Remember I said there should be a “something to USB” chip? I’m sure this is it, since I’m not seeing a third chip anywhere. The marking reads as CH654T? Just by wild guessing, this might be something like the CH430 series. Searching their website shows this may be a CH554T. The spec sheet says it’s a microcontroller with USB support, mostly used for USB accessories. I’m quite sure at this point this is the USB solution.

Anyway, that’s all for collecting hardware information before we get the real device. The next step will be the camera firmware.
