Temuri Takalandze

@ABGEO

Every time I picked up a new smart device, I lost an afternoon to the same setup. hostapd will not start because wpa_supplicant is holding the radio. NetworkManager brings it back the moment you stop it. Port 53 is taken. The FORWARD chain looks right but devices sit there with no internet.

So I packaged it. Mezz: a docker compose stack, two curl commands, edit .env, bring it up.

https://www.abgeo.dev/projects/mezz/

#iot #security #tool #docker

Mezz

A small wifi sandbox for inspecting your own IoT devices.

ABGEO's Personal website

You are basically paying $12 to let anyone on the internet ring your doorbell.

Bought a cheap Temu smart doorbell, dumped the BK7252N firmware over UART, and worked out how to take over any unit on the platform, hijack live calls, and exfiltrate the owner's WiFi password.

Responsible disclosure sent. Sensitive specifics withheld.

https://www.abgeo.dev/blog/anyone-can-ring-your-doorbell/

#iot #security #firmware

Anyone on the Internet Can Ring Your Doorbell

Behind a cheap Temu doorbell sits an IoT backend where device IDs are sequential and requests are forgeable with a string baked into every firmware. One signed call lifts any device's persistent password and lets anyone on the Internet hijack the next live call.
