Skip to content

Instantly share code, notes, and snippets.

@Ackthbpt

Ackthbpt/LR5Pro.md

Last active April 16, 2026 19:37
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Ackthbpt/8dc6cce560d62a9a5540fce11e03fef8 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Ackthbpt/8dc6cce560d62a9a5540fce11e03fef8 to your computer and use it in GitHub Desktop.
Download ZIP
Litter-Robot 5 Pro — Local Camera Interface Reverse Engineering
Raw
LR5Pro.md

Litter-Robot 5 Pro - Local Camera Interface Reverse Engineering

Status: Work in progress - login credentials not yet cracked
Device: Litter-Robot 5 Pro (serial format: LR5-XX-XX-XX-XXXX-XXXXXX)
Camera OEM: iENSO Inc. (Toronto, ON, Canada) - ienso.com
Goal: Local RTSP access to the integrated camera without Whisker+ cloud subscription

Background

The Litter-Robot 5 Pro ships with dual integrated 1080p HD cameras (front-facing and inner-facing) manufactured by iENSO, a Canadian embedded vision OEM. Camera features like live streaming, recording history, and cat facial recognition are paywalled behind Whisker's Whisker+ subscription. The free tier limits you to 5 minutes of daily live streaming and 2 days of cloud-stored event recordings.

The camera module runs its own embedded Linux system with a full-featured web interface on the local network - completely independent of Whisker's cloud. This document describes what's been found so far.

Network Discovery

Open Ports

A full 65,535-port TCP scan reveals three open ports:

Port Protocol Service Notes
80 HTTP lighttpd/1.4.66 Serves the same React SPA as port 443
443 HTTPS lighttpd/1.4.66 Primary web interface (React SPA)
8888 HTTP lighttpd (assumed) Secondary login page (Bootstrap-based)

No other TCP ports are open - notably no RTSP (554), no telnet (23), no SSH (22). RTSP appears to require explicit activation through the web UI after authentication.

MAC Address / OUI

Field Value
MAC 04:A1:6F:10:9D:8E
OUI Block 04:A1:6F:10:00:00/28
Registered To iENSO Inc.

This is a /28 block (only 16 addresses), indicating a small-batch OEM allocation specific to iENSO's embedded camera modules.

TLS Certificate (Port 443)

Issuer:  C=CA, ST=ON, O=iENSO, CN=evpass
Subject: C=CA, ST=ON, O=iENSO, CN=evpass
Validity: 2020-12-31 to 2030-12-29
Key: RSA 4096-bit
Self-signed, Version 1 (v1)

The CN evpass likely refers to iENSO's EVPaaS (Embedded Vision Platform as a Service) product line.

Web Interfaces

Port 443 / Port 80 - Full React Application

A minified React single-page application (main.0e1380ba.js, ~2MB). The HTML shell references a CCTV camera favicon:

<link rel="icon" href="/cctv-camera-icon.svg" type="image/svg+xml">

All CSS class names use the ienso- prefix (e.g., ienso-button, ienso-input, ienso-video__video-controls__play-button), confirming this is stock iENSO firmware.

Authentication is via POST to /system/login with JSON body:

{"username": "...", "password": "..."}

All API endpoints return {"error":"unauthorized","success":false} without valid credentials. Invalid credentials return {"error":"invalid credentials","success":false} - no username enumeration (same error regardless of username).

Port 8888 - Simplified Bootstrap Interface

A simpler login page titled "Device Login - iENSO" using Bootstrap CSS and jQuery. Uses the same /system/login endpoint with the same JSON format. Likely a legacy or maintenance interface.

API Endpoints (Discovered via JS Bundle Analysis)

All endpoints require authentication. Extracted from the minified React bundle on port 443:

Authentication

Method Endpoint Description
POST /system/login Login (JSON: username, password)
POST /system/logout Logout

Streaming

Method Endpoint Description
GET /api/stream/settings Stream configuration
GET /api/stream/settings/options Available stream options
GET /api/stream/is_rtsp_up Check if RTSP is enabled
POST /api/stream/start_rtsp Enable RTSP streaming
POST /api/stream/start_webrtc Start WebRTC stream
POST /api/stream/start_webrtc_signaling WebRTC signaling
GET /stream/demo/channel/0/webrtc WebRTC stream path

Snapshots & Recording

Method Endpoint Description
POST /api/snapshot/perform Take a snapshot
GET /api/snapshot/list List saved snapshots
GET /api/snapshot/settings Snapshot configuration
GET /api/snapshot/settings/options Snapshot options
POST /api/recording/start Start recording
POST /api/recording/stop Stop recording
GET /api/recording/state Recording status
GET /api/recording/list List recordings
GET /api/recording/diskinfo Local storage info
POST /api/recording/remove_all Delete all recordings
POST /api/recording/remove_selected Delete selected recordings
GET /api/recording/download_zip Download recordings
GET /media/download Download media files

Camera & Image Settings

Method Endpoint Description
GET /api/camera/settings Camera configuration
GET /api/image/settings Image settings (brightness, contrast, etc.)
GET /api/image/settings/options Available image options
POST /api/image/zoom Digital zoom control
GET /api/day_night_mode Day/night mode status
GET /api/day_night_mode/options Day/night options

Network

Method Endpoint Description
GET /api/network/ip IP configuration
GET /api/network/properties Network properties
GET /api/network/settings Network settings

Device Management

Method Endpoint Description
GET /api/system/info System information
GET /api/system/logs System logs
POST /api/system/reboot Reboot camera
POST /api/system/reset Factory reset
POST /api/system/format/memory Format local storage
GET /api/device/settings Device configuration
GET /api/device/settings/schema Device settings schema
GET /api/device/time Date/time settings
GET /api/server/settings Server configuration
POST /api/settings/reset Reset all settings

User Management

Method Endpoint Description
POST /api/user/change_password Change admin password

AI / Analytics

Method Endpoint Description
GET /api/data-processing/settings AI/analytics configuration

Firmware

Method Endpoint Description
POST /api/firmware/update Upload firmware

SDK / App Runner

Method Endpoint Description
POST api/app-runner/deploy Deploy SDK application

UI Feature Set (from JS String Extraction)

The web interface includes controls for:

  • Live View - WebRTC-based live streaming with play/pause, snapshot, and fullscreen
  • RTSP Streaming - Toggle to enable RTSP with a URL displayed in the UI (note: "When RTSP is enabled, Live View stream is paused")
  • Recording - Start/stop recording, file browser, preview, download (ZIP), delete
  • Snapshots - Capture and manage snapshots
  • Image Settings - White balance, brightness, saturation, sharpness, contrast, hue, noise reduction, dewarp, HDR, auto exposure, AE metering mode, gain, exposure time
  • Day/Night Mode - Automatic IR switching
  • Mirror / Flip - Image orientation (with warning: "if AI is enabled at the same time, data labels will appear reversed")
  • AI Detectors - Motion detection with configurable zones/sensitivity, object detection (people, vehicles)
  • Network Settings - IPv4 (DHCP/static), DNS, gateway, subnet, hostname, MTU, HTTP/HTTPS ports
  • User Management - Change administrator login (username + password)
  • Firmware - Version info, firmware update upload, restart, restore, factory reset
  • Storage - Local storage status, capacity, format
  • Logs - Downloadable system logs

Password Requirements (for password changes via UI)

These are client-side validation rules on the change-password form. The factory default password may or may not conform to these:

  • Minimum 10 characters
  • At least 1 lowercase letter
  • At least 1 uppercase letter
  • At least 1 number
  • Cannot match the username

What Hasn't Worked

Credential Guessing

The following username/password combinations have been tried and all return {"error":"invalid credentials","success":false}:

Usernames tried: admin, root, evpass

Passwords tried: admin, Admin1234567, Password1234, Evpass123456, evpass, iENSO, ienso, password, whisker, plus various MAC-derived and serial-derived combinations.

Other Approaches

  • Unauthenticated API access - All endpoints return {"error":"unauthorized","success":false}
  • WebRTC demo path - /stream/demo/channel/0/webrtc returns the SPA shell (React router catch-all), no unauthenticated stream
  • RTSP probing - Port 554 is closed; ffprobe to various RTSP URLs returns connection refused
  • Full port scan - Only 80, 443, 8888 open across all 65,535 TCP ports

Hardware Details

  • Platform: Ambarella CV-series SoC (iENSO's EVPaaS uses Ambarella exclusively for their vision modules)
  • Web Server: lighttpd 1.4.66
  • Frontend: React SPA (minified, ~2MB bundle)
  • Secondary UI: Bootstrap 5 + jQuery 3.6.0
  • OS: Embedded Linux (assumed, based on lighttpd + BusyBox conventions in similar Ambarella platforms)

Next Steps

  1. Contact iENSO - Small 37-person company in Richmond Hill, ON. Contact: [email protected] / 905-763-6938. Ask for default credentials on the EVPaaS local web interface.
  2. Contact Whisker support - Ask about local camera interface credentials. Likely to deflect, but worth trying.
  3. Physical disassembly - Look for labels on the camera module board, or UART debug pads. Ambarella SoCs typically expose a debug UART. A USB-UART adapter + serial console would yield a root shell and direct access to the credential store.
  4. Firmware extraction - If a firmware update file can be obtained (via the update mechanism or intercepted OTA), it could be unpacked to extract credentials or password hashes.
  5. MITM the cloud connection - The camera communicates with Whisker's cloud for streaming. Intercepting this traffic might reveal auth tokens or provisioning data, though it's likely TLS-pinned.

Why This Matters

The Litter-Robot 5 Pro's camera is a fully capable IP camera with local RTSP streaming, recording, AI detection, and a complete web management interface - all running on your local network. Whisker charges a subscription (Whisker+) to access basic camera features through their cloud, but the hardware is capable of operating entirely locally.

If the login credentials can be determined:

  • RTSP streaming can be enabled and pointed directly at home NVR software (Frigate, Blue Iris, etc.)
  • Local recording to the camera's onboard storage becomes available
  • AI detection (motion, people, vehicles) can be configured independently
  • Image tuning (exposure, white balance, HDR, etc.) can be adjusted
  • No cloud dependency - everything runs on the LAN

This would make the LR5 Pro camera a first-class citizen in a self-hosted smart home setup, which is exactly what the Home Assistant / Frigate community has been asking for.

Contributing

If you've made progress on this or have an LR5 Pro you'd like to investigate, please comment below. Key things that would help:

  • Default credentials for iENSO EVPaaS camera modules
  • UART pinout for the LR5 Pro camera board
  • Firmware dumps or update files
  • Packet captures from the Whisker app during camera onboarding
  • Any response from iENSO or Whisker regarding local access

Last updated: April 16, 2026

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment