Console access on Stretch

Plugwise Forum about Plugwise devices and the Source software.
Post-IT
Member
Posts: 448
Joined: Sat Feb 28, 2009 12:01 am
Location: Netherlands (Rotterdam)

Console access on Stretch

Post by Post-IT »

Did anyone manage to get a working console on the Stretch already?

Looking at the Omnima HMP documentation the serial connection is on jumper 12 pin 4,6,8 (TxD,GND,RxD) using setting 115200/8/N/1. I do get output during boot, however it is unreadable/scrambled.
Phoenix
Starting Member
Posts: 48
Joined: Sun Apr 28, 2013 9:40 pm
Location: Netherlands (Deventer)
Contact:

Re: Console access on Stretch

Post by Phoenix »

Console access is working, at least on my Stretch 2.0, they did remove the FAILSAFE mode ;-(
http://phoenixinteractive.mine.nu/websi ... ?f=27&t=44
Last edited by Phoenix on Mon Apr 29, 2013 4:51 pm, edited 1 time in total.
Home automation - Domotics - Electronics - IT consulting - Software development - 3D printing - Custom work
Website: domoticx.nl / Webshop: domoticx.nl/webwinkel / Knowledge Center: http://domoticx.com
Post-IT

Re: Console access on Stretch

Post by Post-IT »

I've tried this using pins 4, 6 & 8 at 115200 baud and with two different USB/serial cables on a Linux system and on Windows... but no luck for me yet. Only scrambled output.

Did you have system access?
Phoenix

Re: Console access on Stretch

Post by Phoenix »

Hi POST-IT

You need to learn some more about serial connections :lol:, most connections on hardware nowadays are UART connections!

You need a USB <--> UART TTL cable, not a USB <--> serial RS232 one (you can even damage your hardware if the serial RS232 comes directly from the computer; USB may not damage it since it's not >5 V).

UART TTL:
+5 V = 1
0 V = 0

Serial RS232:
+3 V to +15 V = 0
-3 V to -15 V = 1

That's why your data is scrambled up ;-)

For more on this, read my website on the stuff, it will help you understand serial connections :mrgreen:
SERIAL RS232: http://phoenixinteractive.mine.nu/websi ... ?f=22&t=26
UART TTL: http://phoenixinteractive.mine.nu/websi ... ?f=22&t=27
Last edited by Phoenix on Mon Apr 29, 2013 4:52 pm, edited 1 time in total.
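As an added example (not code from this thread), here is a small Python model of an 8N1 UART receiver that applies the two logic-level conventions Phoenix describes. The +/-12 V RS-232 driver levels and the 2.5 V TTL input threshold are assumptions. Feeding an RS-232-level signal to a receiver that expects TTL inverts every bit, so the stop bit of one character is taken for the start bit of the next and the receiver emits wrong characters rather than nothing, which is exactly the "scrambled output" reported above.

```python
"""UART 8N1 framing under TTL and RS-232 logic levels.

Added example, not code from the forum thread. It models a UART receiver
so the voltage-level mismatch described above can be reproduced offline.
Voltage thresholds and the +/-12 V RS-232 driver levels are assumptions.
"""

# Logic levels as described in the post:
#   UART TTL : +5 V = logic 1, 0 V = logic 0
#   RS-232   : +3 V to +15 V = logic 0, -3 V to -15 V = logic 1
TTL_LEVELS = {0: 0.0, 1: 5.0}
RS232_LEVELS = {0: 12.0, 1: -12.0}      # assumed driver levels (space / mark)
LEVELS = {"ttl": TTL_LEVELS, "rs232": RS232_LEVELS}


def bit_from_voltage(volts, standard):
    """Interpret one sampled voltage as a logic bit, or None if undefined."""
    if standard == "ttl":
        return 1 if volts > 2.5 else 0          # assumed TTL input threshold
    if standard == "rs232":
        if volts >= 3.0:
            return 0
        if volts <= -3.0:
            return 1
        return None                             # -3 V .. +3 V is the undefined band
    raise ValueError(f"unknown standard {standard!r}")


def encode_8n1(data, standard):
    """Voltage samples for bytes as 8N1 frames: start (0), 8 data bits LSB first, stop (1)."""
    table = LEVELS[standard]
    samples = []
    for byte in data:
        bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
        samples.extend(table[b] for b in bits)
    return samples


def receive_8n1(samples, standard):
    """Resynchronising receiver: hunt for a start bit, check the stop bit, emit bytes.

    A frame with an undefined level or a bad stop bit is dropped and the
    receiver slides one bit and hunts again, which is how a real UART turns
    a mis-wired console into garbage characters instead of silence.
    """
    bits = [bit_from_voltage(v, standard) for v in samples]
    out = bytearray()
    i = 0
    while i + 10 <= len(bits):
        if bits[i] != 0:                 # idle line, undefined level, or not a start bit
            i += 1
            continue
        frame = bits[i:i + 10]
        if None in frame or frame[9] != 1:
            i += 1                       # framing error: slide and re-hunt
            continue
        out.append(sum(b << k for k, b in enumerate(frame[1:9])))
        i += 10
    return bytes(out)


if __name__ == "__main__":
    rs232_wire = encode_8n1(b"OK", "rs232")
    print("RS-232 levels read by an RS-232 receiver:", receive_8n1(rs232_wire, "rs232"))
    print("RS-232 levels read by a TTL receiver:    ", receive_8n1(rs232_wire, "ttl"))
```

With the sample bytes "OK" the matching pairs decode cleanly; an RS-232-level signal read with TTL thresholds comes out as the unrelated character "X", and a TTL-level signal read with RS-232 thresholds produces nothing at all, because 0 V falls in the RS-232 undefined band. That asymmetry is a useful diagnostic: garbage means inverted levels, silence usually means the wrong cable type or a missing ground.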
Phoenix

Re: Console access on Stretch

Post by Phoenix »

Post-IT wrote: Did you have system access?
No, they removed the failsafe mode in the Stretch 2.0 :evil: , I've already jailbroken the Smile P1 in 2012: http://phoenixinteractive.mine.nu/websi ... ?f=26&t=63
Otherwise read all the info here (Dutch): http://phoenixinteractive.mine.nu/websi ... m.php?f=26

They were not happy but they could not prevent it, haha :lol:, there are other ways to jailbreak the Stretch 2.0, here in Dutch (I am too lazy atm to translate it :o )

The OpenWrt software has a "failsafe" mode by default; this mode is comparable to the safe mode of Windows, you can run some diagnostic programs etc. However, Plugwise removed this mode in the Stretch 2.0... more research is needed here... to be continued!

There are 2 solutions for a jailbreak (in theory):
1a) Memory dump (firmware) via the JTAG pins on the Stretch.
1b) Upload new firmware to the Stretch and use a sniffer to intercept the packets (firmware catch).

Once the firmware has been obtained (img file):
2) Split the firmware file, which contains a SquashFS partition, and take that partition out (dump)
3) Mount the extracted SquashFS partition in Linux.
4) There is software (John the Ripper) to decipher the SSH hash of DropBear (etc/shadow)...

Sources:
Example unpack: http://dns-300.sergeyzh.org/wiki/howto/ ... k_firmware
DropBear: https://matt.ucc.asn.au/dropbear/dropbear.html
Shadow file: http://www.cyberciti.biz/faq/understand ... adow-file/
Shadow file: decode yes/no?: http://forums.cpanel.net/f5/can-etc-sha ... -4660.html
John the Ripper: http://www.openwall.com/john/
Last edited by Phoenix on Mon Apr 29, 2013 4:52 pm, edited 1 time in total.
Post-IT

Re: Console access on Stretch

Post by Post-IT »

Thanks, the guys from Omnima forgot to tell me that. I just ordered a stick on Marktplaats for €6.

Already tried a brute force on the ssh daemon, but I think it has no password set as it returns a notice which states public key as primary authentication method.

Also tried searching for exploits on the services, however I need a working shell from any user before privileged access is possible.

I've noticed the device sends a HTTP request to a PW server to check for updated firmware. Maybe we could adjust the request body to state an old firmware version so it returns current firmware?
Phoenix

Re: Console access on Stretch

Post by Phoenix »

@Post-it
I got the whole 1.1.9 firmware and source from the Smile, I have found the "firmware server" but it seems it is protected, likely the Smile sends a "verification" key to it, so I have to browse and look in the firmware some more to understand the Smile much better before attempting something... :D But I am rather busy with everything, so I will see if I can make some time nowadays!
Phoenix

Re: Console access on Stretch

Post by Phoenix »

You can already SSH to your Stretch 2.0, it will ask for a username and password.... I tried many, many passwords (like Stretch IDs / MACs etc...) but no luck (assuming root access is always username=root, at least on the Smile P1 it was). I doubt it would be a common password! :roll:

What do I want?
- Understand the Stretch 2.0, like how to control a ZigBee stick in Linux!
- Understand the ZigBee stick, and get it to work on a Windows machine! (I tried with ZigBee software but the stick didn't work, so it may be a "fork of ZigBee" communication protocol)

Let's see if we can get into the Stretch 2.0! Game ON! :D
Phoenix

Re: Console access on Stretch

Post by Phoenix »

Ok, I got some firmwares as Linux BIN/IMG files, the Linux headers are inside, so this is the first step! :D

Does anyone know more firmware versions? I got:

Smile:
1.2.8 (released 2013)
1.1.9 (as released late 2012)
15.3.7 (old version, no GUI interface?)
15.3.11 (old version, no GUI interface?)
15.3.12 (old version, no GUI interface?)

As with the trick to get firmwares for the Smile, the same can be done for the Stretch by adjusting some variables :mrgreen:

Stretch
1.0.38 (?)
1.0.40 (released 2013?)
1.0.41 (released 2013)

Desktop software message:
[image: stretch update.png]
Capturing and copying:
[image]

The Linux header is inside, this is an example from the Smile firmware (Stretch = Linux v3.3.7)
[image: smile update check 05.png]
Post-IT

Re: Console access on Stretch

Post by Post-IT »

I thought about getting it through the JTAG, but I'm a bit concerned there is a JTAG watchdog running. And I don't have any experience on that side or enough spare Stretches to waste on that...

I've pushed the top 3 libraries through a ssh script without luck.

My goal is to see more of the XML info and data collection. In Source I could fetch the total usage of a certain stick, which is now missing in the known XML output of the Stretch.
Last edited by Post-IT on Mon Apr 29, 2013 4:48 pm, edited 1 time in total.
Phoenix

Re: Console access on Stretch

Post by Phoenix »

Post-IT wrote: I thought about getting it through the JTAG, but I'm a bit concerned there is a JTAG watchdog running. And I don't have any experience on that side or enough spare Stretches to waste on that...
Just jailbreak the Smile P1 and use the curl command (with certificates and key) to download the firmwares from the Plugwise update server, more described here on my website (made the topic today! :D ): http://phoenixinteractive.mine.nu/websi ... f=27&t=128

Now we need to extract the SquashFS partition and "mount" it in Linux to see what's in there...
Post-IT

Re: Console access on Stretch

Post by Post-IT »

If I have the binfile I could use binwalk and dd to extract the SquashFS. I've unsquashed something years ago, but I've noticed there are new FS types on the market today... although it looks mainly a compression type thing.
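The extraction step that Phoenix's jailbreak outline (steps 2 and 3) and this post both describe, as an added Python example that is not code from the thread, from binwalk or from Plugwise: it scans a firmware blob for the SquashFS magic, validates the superblock so a stray "hsqs" string is not mistaken for a filesystem, and carves the filesystem out the way `dd` with `skip`/`count` would. The firmware blob, the decoy and the superblock field values are all constructed inline for the demonstration; on a real image you would pass the file path as the first argument.

```python
"""Find and carve a SquashFS filesystem inside a firmware image.

Added example, not code from the thread or from binwalk: it does the two
things the posts use binwalk and dd for, scanning for the SquashFS magic
and cutting the filesystem out at the offset found. The firmware blob at
the bottom is constructed inline; it contains a decoy magic and one real
superblock.
"""
import struct
import sys

SQUASHFS_MAGIC = b"hsqs"      # little-endian "sqsh", as used by OpenWrt images
# SquashFS 4.x superblock, first 56 bytes, little-endian:
# magic, inodes, mkfs_time, block_size, fragments, compression, block_log,
# flags, no_ids, s_major, s_minor, root_inode, bytes_used, id_table_start
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQQ")
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def find_squashfs(blob):
    """Return a list of plausible SquashFS superblocks found in blob."""
    hits = []
    pos = blob.find(SQUASHFS_MAGIC)
    while pos != -1:
        if pos + SUPERBLOCK.size <= len(blob):
            (_magic, inodes, mkfs_time, block_size, fragments, compression,
             block_log, _flags, _no_ids, s_major, s_minor, _root,
             bytes_used, _idtab) = SUPERBLOCK.unpack_from(blob, pos)
            # Sanity checks that reject stray "hsqs" strings: the block size must
            # be the stated power of two, the version 4.x, and the FS must fit.
            if (block_log < 32 and block_size == 1 << block_log
                    and s_major == 4 and 0 < bytes_used <= len(blob) - pos):
                hits.append({
                    "offset": pos,
                    "version": f"{s_major}.{s_minor}",
                    "compression": COMPRESSORS.get(compression, f"unknown({compression})"),
                    "block_size": block_size,
                    "inodes": inodes,
                    "fragments": fragments,
                    "mkfs_time": mkfs_time,
                    "bytes_used": bytes_used,
                })
        pos = blob.find(SQUASHFS_MAGIC, pos + 1)
    return hits


def carve(blob, hit):
    """Cut the filesystem out, like dd with skip=offset count=bytes_used.

    mksquashfs pads images to a 4 KiB boundary; bytes_used is the exact
    length unsquashfs needs, so the padding is deliberately left behind.
    """
    start = hit["offset"]
    return blob[start:start + hit["bytes_used"]]


# Constructed firmware blob: 64-byte fake header, 64-byte decoy carrying the
# magic but garbage fields, then a real superblock plus filler, then a trailer.
_HEADER = b"CONSTRUCTED-HEADER-" + bytes(45)
_DECOY = SQUASHFS_MAGIC + b"\xff" * 60
_SB = SUPERBLOCK.pack(SQUASHFS_MAGIC, 12, 1367000000, 131072, 1, 4, 17,
                      0x00C0, 1, 4, 0, 0x20_0000_0000, 200, 160)
FIRMWARE = _HEADER + _DECOY + _SB + bytes(200 - SUPERBLOCK.size) + b"TRAILER-DATA"
EXPECTED_OFFSET = len(_HEADER) + len(_DECOY)       # 128 in the constructed blob


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FIRMWARE
    for hit in find_squashfs(blob):
        print(f"SquashFS {hit['version']} at offset {hit['offset']} "
              f"({hit['compression']}, {hit['bytes_used']} bytes, "
              f"{hit['inodes']} inodes)")
        print("carved", len(carve(blob, hit)), "bytes")
```

The validation matters more than the search: firmware images routinely contain the four magic bytes inside compressed data or strings, and a carve at a false offset yields a file that unsquashfs rejects with a confusing error. Once carved, `unsquashfs` (or a loop mount with the right compression support in the kernel) exposes the root filesystem for inspection.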
Post-IT

Re: Console access on Stretch

Post by Post-IT »

Bingo! Just got the T-shirt.
Post-IT

Re: Console access on Stretch

Post by Post-IT »

Fortunately the shadow file contained MD5 passwords. The root password is just "root". However I'm unable to access the root shell remotely using that account.

Also Dropbear seems to be configured to allow root access and root password access. So I have to dig into this some more to see why ssh access is still not possible.

/etc/shadow contains only 1 user with a password hash, which is root.
/etc/passwd contains 2 more users with a password hash: stretch (with password "stretch") and userp1 (with password "userp1").
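The findings in this post are the classic firmware credential-hygiene failures: MD5-crypt (`$1$`) hashes, hashes left in world-readable /etc/passwd rather than /etc/shadow, and default passwords. Below is an added Python audit script (not code from the thread) that walks both files from an unpacked root filesystem and reports exactly those conditions, plus empty password fields and additional UID 0 accounts. The sample passwd and shadow contents are constructed for the demonstration and the hash strings are placeholders, not real hashes.

```python
"""Audit /etc/passwd and /etc/shadow from an unpacked firmware root.

Added example, not code from the thread. It flags the kinds of weakness
the posts above report: legacy MD5-crypt ($1$) hashes, password hashes
sitting in world-readable /etc/passwd instead of /etc/shadow, empty
password fields and extra UID 0 accounts. The sample files are constructed
and the hash strings are placeholders, not real hashes.
"""

HASH_PREFIXES = [                       # crypt(3) identifiers by prefix
    ("$1$", "md5crypt (weak: MD5-based, fixed 1000 rounds)"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256crypt"), ("$6$", "sha512crypt"),
    ("$7$", "scrypt"), ("$y$", "yescrypt"),
]
WEAK = ("md5crypt", "descrypt", "empty", "unknown")


def classify_hash(field):
    """Describe a passwd/shadow password field by its crypt(3) prefix."""
    if field == "":
        return "empty (no password required)"
    if field == "x":
        return "shadowed"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_PREFIXES:
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt (weak: 56-bit DES, 8-character limit)"
    return "unknown format"


def audit(passwd_text, shadow_text):
    """Return a list of findings, one dict per problem, across both files."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"user": fields[0], "file": "passwd", "issue": "malformed entry"})
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        kind = classify_hash(pw)
        if kind not in ("shadowed", "locked"):
            # Anything other than 'x' or a lock marker here is readable by every local user.
            findings.append({"user": name, "file": "passwd",
                             "issue": f"credential in world-readable passwd: {kind}"})
        if uid == "0" and name != "root":
            findings.append({"user": name, "file": "passwd", "issue": "extra UID 0 account"})
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        name = fields[0]
        pw = fields[1] if len(fields) > 1 else ""
        kind = classify_hash(pw)
        if kind.startswith(WEAK):
            findings.append({"user": name, "file": "shadow", "issue": kind})
    return findings


# Constructed sample files mirroring the layout reported in the thread.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/ash
stretch:$1$CONSTRUCTED$placeholderhashnotreal1:1000:1000::/home/stretch:/bin/ash
userp1:$1$CONSTRUCTED$placeholderhashnotreal2:1001:1001::/home/userp1:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
"""
SHADOW_SAMPLE = """\
root:$1$CONSTRUCTED$placeholderhashnotreal0:15800:0:99999:7:::
nobody:*:0:0:99999:7:::
"""


if __name__ == "__main__":
    for f in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"[{f['file']}] {f['user']}: {f['issue']}")
```

Run against the sample it reports three findings (root's MD5-crypt hash in shadow, and the stretch and userp1 hashes living in passwd). For a vendor, the fixes are to move every hash to /etc/shadow, regenerate them with sha512crypt or better, and ship devices with unique per-unit or first-boot-set passwords instead of defaults; for an operator, the same script run over a firmware update before deployment tells you whether those fixes ever landed.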
Phoenix

Re: Console access on Stretch

Post by Phoenix »

Post-IT wrote: Fortunately the shadow file contained MD5 passwords. The root password is just "root". However I'm unable to access the root shell remotely using that account.

Also Dropbear seems to be configured to allow root access and root password access. So I have to dig into this some more to see why ssh access is still not possible.

/etc/shadow contains only 1 user with a password hash, which is root.
/etc/passwd contains 2 more users with a password hash: stretch (with password "stretch") and userp1 (with password "userp1").
Have you used Binwalk? Can you describe your steps?
Last edited by Phoenix on Wed May 01, 2013 12:36 am, edited 3 times in total.