Things I Know about the WeMo boxes

I'm working on hacking my wemo. I'd like to determine how it talks back and forth over the network. What I know at this time is that when the mobile app is running both the mobile app and the wemo device are talking over UPnP


Belkin WeMo Switch

I had to turn off UPnP on my router to use the following tools. I determined the protocol was UPnP by jumping onto my DD-WRT router, installing tcpdump and capturing several packet dumps and examining them.

The best thing UPnP analysis tool I found was miranda. You can get it from the downloads page here: Miranda

Under the covers it uses python twisted and Coherence: Coherence

Read more about miranda: Miranda Article

Some particulars:

  • The LOCATION of the services file doesn't change, http://host/setup.xml
  • The PORT of the UPnP device does change, I've seen 49152-49154 so far

You'll see if you read the logs below that the host number changes, I had to keep restarting the program, rediscovering the device, and that changes the order in miranda.

I think with this I've got everything I need to start making requests

I had some issues with miranda printing out the whole device info that it gathered, I'm checking into that, but in the gist they are pulled out of python and pretty-printed:

I have two guesses at how things work with IFFT. I'll be exploring those soon and update the post.


I'm Issac Kelly. I like to build things, with software and hardware. By day I do that at Nonchalance in San Francisco. I like to teach people, but mostly about the things I'm interested in. I'm currently a mentor at Hackbright Academy. I'm building open source automation, albeit slowly at Plum Garage.


If you want to know when I write

If you want to know when I write, you should give me your email address, or if rss is your thing, subscribe