Hacking the 2.0 Hub.

29 posts in this topic

So I have some great news about the Iris Hub 2.0. I found out how to get serial output from the hub.

What you need: an Arduino Uno and some jumper wires.

1. Jump reset to ground on the Uno.
2. Ground pin 1 on J1 (pin 1 is the box contact).
3. J1 pin 4 to Uno pin 0.
4. J1 pin 5 to Uno pin 1.
5. Plug the Arduino into your computer; I use PuTTY at speed 115200.
6. Plug in the hub and you will get this:

U-Boot SPL 2013.10 (Jul 27 2015 - 13:27:27)
reading args
spl: error reading image args, err - -1
reading u-boot.img
reading u-boot.img
omap-sham 53100000.sham: initialization failed.
omap_voltage_late_init: Voltage driver support not added
INIT: version 2.88 booting
Starting udev
Sun Oct 15 05:43:06 UTC 2017
Setting up needed gpios…
Done with gpio setup
Setup buzzer pwm
Done with pwm setup
mfg: clean, 23/4096 files, 678/16368 blocks
Manufacturing partition is clean
phy[lan8710]: Disabling Auto-MDIX support
libphy: PHY 4a101000.mdio:01 not found
net eth0: phy 4a101000.mdio:01 not found on slave 1
Flash size: 1920991232
data: clean, 153/88176 files, 33672/352252 blocks
Data partition is clean
Current Timestamp: 20171015054306
kernel.panic = 3
kernel.panic_on_oops = 1
Starting ifplugd: eth0
Setting up 4G dongle support…
Setting up Hub Agent…
INIT: Entering runlevel: 5
Configuring network interfaces… done.
Initializing Dropbear SSH server: dropbear.
Starting syslogd/klogd: done
Starting crond: OK
Poky (Yocto Project Reference Distro) 2.1.2 LWL-3848 /dev/ttyO0
LWL-3848 login: irisagentd[566]: No agent debug configuration is present.
irisagentd[566]: Starting hub agent…
Login:

I have not gotten past the password yet, but it is a start.

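Once the console is captured, the useful step is to pull the security-relevant facts out of the boot log. The Python below is an added example, not code from the thread: it runs regexes over an excerpt of the log posted above and returns the bootloader version, distro and hostname, the services started before the login prompt (Dropbear SSH among them) and the kernel.panic sysctls; the BOOT_LOG excerpt is copied from the post.

```python
import re

# Constructed excerpt of the serial boot log shown in the post above (lines
# copied as posted; the full log has more lines, but these carry the facts
# the parser looks for).
BOOT_LOG = """\
U-Boot SPL 2013.10 (Jul 27 2015 - 13:27:27)
reading u-boot.img
INIT: version 2.88 booting
Starting udev
kernel.panic = 3
kernel.panic_on_oops = 1
Starting ifplugd: eth0
Initializing Dropbear SSH server: dropbear.
Starting syslogd/klogd: done
Starting crond: OK
Poky (Yocto Project Reference Distro) 2.1.2 LWL-3848 /dev/ttyO0
LWL-3848 login: irisagentd[566]: No agent debug configuration is present.
Login:
"""

UBOOT_RE = re.compile(r"U-Boot SPL (\S+) \((.+)\)")
BANNER_RE = re.compile(r"Poky \(Yocto Project Reference Distro\) (\S+) (\S+) (/dev/\S+)")
SERVICE_RE = re.compile(r"(?:Initializing|Starting) ([^:]+?)(?::|$)")
SYSCTL_RE = re.compile(r"(kernel\.\w+) = (\d+)")
LOGIN_RE = re.compile(r"(?:\S+ )?[Ll]ogin:")


def triage_boot_log(text):
    """Extract what a reviewer wants from a console boot log: bootloader
    version and build date, distro and hostname, the serial console device,
    services brought up before login, kernel sysctl values, and whether the
    boot ended at a login prompt (console access gated only by a password)."""
    facts = {"services": [], "sysctl": {}, "login_prompt": False}
    for line in text.splitlines():
        if m := UBOOT_RE.match(line):
            facts["uboot_spl"], facts["uboot_build"] = m.groups()
        elif m := BANNER_RE.match(line):
            facts["distro"], facts["hostname"], facts["console"] = m.groups()
        elif m := SYSCTL_RE.match(line):
            facts["sysctl"][m.group(1)] = int(m.group(2))
        elif m := SERVICE_RE.match(line):
            facts["services"].append(m.group(1))
        elif LOGIN_RE.match(line):
            facts["login_prompt"] = True
    # A network shell started before login is the first thing to note.
    facts["remote_shell"] = any("SSH" in s for s in facts["services"])
    return facts
```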

Looks like Poky/Yocto uses an empty password by default... but I'm sure you tried that already (of course, username being "root").
Unless you can guess it or somehow brute force it, Linux accounts seem to be pretty hard to hack.


Leaving the password blank would be pretty boneheaded since it is always connected to the internet.... I wonder what you would see if you sniffed the traffic though during a software update?


I did get this if you do a full reset on the hub:

Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFH3ZHMQAukzZumcMggAdJ5NFIgGmMxBu/U+VCsuXkavKjwe4/fH66lsEfIYzymqZ2EGK3yj5UuiJdTfNYqLgEgd30th5T4HrvCzoGbTKumvaoPLCT1wsjukA5jN51aeA//kyZ8trhkqH9PWDs+wI5db6e7txsA1BLtcemJwYiKlUhl0vEST8TLxhsm01Ku20QcPTP82B/xK8ixADXOOU4OKk6uVA+jlC2lnZxPwmdF/38wedPwatV617oIsSXdBErCXpUBmLT385lM0nt8uFGlT0Y6eAAsiarm/iRLIVmDvagM4u9DF0PVTZHw/5SkZoSqz8zndA1RGL/lRRT9YTX root@LWP-1002
Fingerprint: md5 8e:46:59:b7:58:1a:31:d3:3d:9f:b3:6f:05:ef:d5:72

 

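The line above is the public half of the hub's Dropbear host key together with its MD5 fingerprint. As an added example (not code from the thread), the Python below parses the one-line OpenSSH format, recovers the RSA exponent and modulus size, and computes the MD5 and SHA256 fingerprints that ssh-keygen would print, so a pasted fingerprint can be checked against the key instead of taken on sight; POSTED_KEY and POSTED_MD5 are copied from the post.

```python
import base64
import hashlib
import struct

# Copied from the post above: the public half of the hub's Dropbear host key
# and the MD5 fingerprint printed with it.
POSTED_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFH3ZHMQAukzZumcMggAdJ5NFIgGmMxBu/U+VCsuXkavKjwe4/fH66lsEfIYzymqZ2EGK3yj5UuiJdTfNYqLgEgd30th5T4HrvCzoGbTKumvaoPLCT1wsjukA5jN51aeA//kyZ8trhkqH9PWDs+wI5db6e7txsA1BLtcemJwYiKlUhl0vEST8TLxhsm01Ku20QcPTP82B/xK8ixADXOOU4OKk6uVA+jlC2lnZxPwmdF/38wedPwatV617oIsSXdBErCXpUBmLT385lM0nt8uFGlT0Y6eAAsiarm/iRLIVmDvagM4u9DF0PVTZHw/5SkZoSqz8zndA1RGL/lRRT9YTX root@LWP-1002"
POSTED_MD5 = "8e:46:59:b7:58:1a:31:d3:3d:9f:b3:6f:05:ef:d5:72"


def _read_string(blob, off):
    """One SSH wire-format string (RFC 4251): 4-byte big-endian length, then bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_openssh_pubkey(line):
    """Decode a one-line OpenSSH public key into its type, RSA parameters and
    the MD5 and SHA256 fingerprints in the formats `ssh-keygen -l` prints."""
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1])
    comment = fields[2] if len(fields) > 2 else ""
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match the wire blob")
    # Fingerprints are hashes of the raw wire blob, not of the base64 text.
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    sha256 = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": key_type, "comment": comment, "md5": md5, "sha256": sha256}
    if key_type == "ssh-rsa":
        e_bytes, off = _read_string(blob, off)  # public exponent, mpint
        n_bytes, off = _read_string(blob, off)  # modulus, mpint (leading 0x00 when high bit set)
        if off != len(blob):
            raise ValueError("trailing bytes after the RSA key blob")
        info["e"] = int.from_bytes(e_bytes, "big")
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


def fingerprint_matches(line, md5_fingerprint):
    """True when the MD5 fingerprint computed from the key line equals the one
    posted with it, so a pasted fingerprint is verified rather than trusted."""
    return parse_openssh_pubkey(line)["md5"] == md5_fingerprint.strip().lower()
```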

@thegillion

I noticed you were up tonight too, thought I would stop lurking and contribute.

No success with passwords here either. I had a thought to try tampering with u-boot to read the contents of the NAND flash, and it looks like the pins for changing the boot options J4 kind of match up with the pins on the TI page http://processors.wiki.ti.com/index.php/AM335x_U-Boot_User's_Guide#NAND

It has a default configuration set by the resistor jumper population in the middle top/bottom of the board, jumping the 2nd pin opposite pin 1 of the connector *to GND* brings the processor up in UART boot mode, this would allow us to load a compiled u-boot-spi.bin via xmodem and subsequent load .img as described on the TI page http://processors.wiki.ti.com/index.php/Linux_Core_U-Boot_User's_Guide#Using_UART

Possibly the same could be done via USB but I didn't really get any indication that I successfully got it in USB mode when tinkering so far. Unfortunately this would require installing TI's silly toolchain and compiling u-boot with all the right device trees etc, would take some time to figure out.

2 hours ago, thegillion said:

Public key portion is:

This is the public part of the key for your dropbear ssh server, not even sure the private part would do us any good without a working user/pass combination but might be useful if you could dump all the IP traffic from this thing to the server irisagentd communicates with a-la man in the middle wireshark or similar.

 

I noticed you have two different hubs so far, LWL-3848 and LWP-1002, do they both say exactly the same stuff on boot? Maybe differences in firmware to investigate? The one I got the other day looked like it had been opened. When I tried to use it the way it was intended, I got error message E01 on the website. Called customer support and they said it was already associated with a different account and to return it. Not sure if I had defiled the thing while tinkering or what, mine might not be a good reference if it had been activated though.

I would much like to avoid the whole "send your temperature, lightswitch and camera details to the cloud" and make something useful to me with this hardware. Maybe someone could build u-boot and try booting over uart if they have some time to kill?

3 hours ago, kruftindustries said:

I noticed you have two different hubs so far, LWL-3848 and LWP-1002, do they both say exactly the same stuff on boot? Maybe differences in firmware to investigate? The one I got the other day looked like it had been opened. When I tried to use it the way it was intended, I got error message E01 on the website. Called customer support and they said it was already associated with a different account and to return it. Not sure if I had defiled the thing while tinkering or what, mine might not be a good reference if it had been activated though.

Nope just killed one playing with the power jumpers.


I spent a while trying, while I was successful getting the board into UART boot mode with "CCCCCCCCCCC" in the console, turns out you need to pull WARMRSTn pin low http://www.ti.com/lit/ds/symlink/am3358.pdf#[{"num"%3A845%2C"gen"%3A0}%2C{"name"%3A"XYZ"}%2C0%2C463%2C0] after uploading u-boot-spl.bin with xmodem and either I cannot find that pin on the board or the 1.8v supply is a dead short with it and a trace would need to be cut to perform a warm reset. There is also the possibility the pre-compiled u-boot binaries in the TI board support package http://downloads.ti.com/processor-sdk-linux/esd/AM335X/latest/exports/am335x-evm-linux-sdk-bin-05.02.00.10.tar.xz are not comparable with this board but not likely. There seems to be some kind of reset pin on J5 pin 1 but I can't tell which.

 

 

If the board isn't salvageable do you think you could pull the AM3352 off and figure out where pin A10 is connected on the board with a multimeter?

u-boot-am335x-evm.img

u-boot-spl.bin-am335x-evm


After looking over your board, you have REV C and it has holes in J4. Why do you have 3 and 4 jumped? In my testing, I could never get J4 to do anything and it just shows as S2 on mine.


Those two are to change the boot order. It seemed like the green jumper got UART to boot sometimes; the two jumped together make UART boot pretty reliably. I was jumping the right pin under the green jumper to ground manually before I soldered those headers in.

 


I was really hoping I could read it by loading u-boot over UART but I have not been successful so far, think it's probably the pre-built beaglebone u-boot causing the issue. I lost this board when confirming the reset line though. Maybe I can get a replacement soon.

It would be complicated to read the eMMC with a different processor and I don't have the tools to re-ball a BGA.

: blk_update_request: I/O error, dev sda, sector 19480
blk_update_request: I/O error, dev sda, sector 88960
EXT4-fs error (device sda1): __ext4_get_inode_loc:4072: inode #15566: block 1218: comm find: unable to read itable block
find: ./sda1/usr/include: Input/output error
EXT4-fs error (device sda1): __ext4_get_inode_loc:4072: inode #137906: block 524865: comm find: unable to read itable block
EXT4-fs (sda1): previous I/O error to superblock detected
find: ./sda1/usr/share: Input/output errorEXT4-fs error (device sda1): ext4_find_entry:1450: inode #15435: comm find: reading directory lblock 0

find: ./sda1/usr/sbin: No such file or directoryEXT4-fs error (device sda1): ext4_find_entry:1450: inode #15435: comm find: reading directory lblock 0

find: ./sda1/usr/local: No such file or directory
EXT4-fs error (device sda1): ext4_find_entry:1450: inode #15435: comm find: reading directory lblock 0
find: ./sda1/usr/bin: No such file or directoryEXT4-fs error (device sda1): ext4_find_entry:1450: inode #2: comm find: reading directory lblock 0

find: ./sda1/lost+found: No such file or directoEXT4-fs error (device sda1): ext4_find_entry:1450: inode #2: comm find: reading directory lblock 0
ry
find: ./sda1/media: No such file or directoryEXT4-fs error (device sda1): ext4_find_entry:1450: inode #2: comm find: reading directory lblock 0

find: ./sda1/sys: No such file or directoryEXT4-fs error (device sda1): ext4_find_entry:1450: inode #2: comm find: reading directory lblock 0

find: ./sda1/root: No such file or directoryEXT4-fs error (device sda1): ext4_find_entry:1450: inode #2: comm find: reading directory lblock 0

find: ./sda1/etc: No such file or directory
find: ./sda1/var: No such file or directory
find: ./sda1/boot: No such file or directory
find: ./sda1/mnt: No such file or directory
find: ./sda1/nfs-uEnv.txt: No such file or directory
find: ./sda1/sbin: No such file or directory
find: ./sda1/ID.txt: No such file or directory
find: ./sda1/bbb-uEnv.txt: No such file or directory
find: ./sda1/srv: No such file or directory
find: ./sda1/bin: No such file or directory

So if I put a USB drive on the port, let it read for a minute, and then unplug it, you get this string of errors. Maybe this helps.


As far as the u-boot progress goes, looks like there is something weird going on with the serial port; they may have done something weird with the schematic compared to a BeagleBone Black that would require some code changes in the u-boot source. Might not be worth a whole lot of time; the Zigbee, Z-Wave and BLE radios could be connected to a Raspberry Pi or something with a few trace cuts on the board.

 

I got so far as port muxing in the u-boot source, and there is a section that checks which Ethernet controller is connected to the SPI pins to determine which pins should do what.

On 1/28/2019 at 12:58 AM, kruftindustries said:

Might not be worth a whole lot of time; the Zigbee, Z-Wave and BLE radios could be connected to a Raspberry Pi or something with a few trace cuts on the board.

 

Why even bother wasting the time to access the radios? They're nothing special; it's all commodity hardware. Without access to the underlying Zigbee stack (required for V1 devices), you cannot do much with the radios alone. V1 uses a manufacturer-specific cluster and attribute structure. Unless you know it up front, or have access to a library, there's not a heck of a lot you can do with the devices, even with access to the radio.

With a $25 XBee and some Python code, you can build yourself a simple mesh using V1 devices. Add in a Zigbee sniffer and you might even be able to reverse-engineer the stack. That's probably what Systronics has done.

