Rooting Toon (or boxx)

Everything about rooting Toons 1 and 2.

Moderators: marcelr, TheHogNL, TerrorSource, Toonz

Re: Rooting Toon (or boxx)

Postby Toonz » Tue Sep 05, 2017 9:44 pm

makkie2002 wrote:I have installed an ESP8266-wifi module inside my Toon and connected it to Toon's serial port.
On the ESP8266 module I installed ESP-link and now I have always access to Toons terminal!
I think I will need to reopen the thermostat one more time to make pictures :wink:


Hi makkie2002,

I have successfully flashed ESP-Link (finally).
Do you happen to know how you connected it to the Toon? Will find out myself in the end but it easier if you have the diagram ready.
Thanks,

Toonz
member of the Toon Software Collective
User avatar
Toonz
Forum Moderator
Forum Moderator
 
Posts: 1249
Joined: December 2016

Re: Rooting Toon (or boxx)

Postby makkie2002 » Tue Sep 05, 2017 10:24 pm

I opened my Toon and took a picture :idea:
Image

This is the scheme that I deduced from that:
Toon 5 <-> WeMos G(nd)
Toon 9 <-> WeMos 3.3V
Toon 11 <-> WeMos TX
Toon 13 <-> Wemos RX

I also completely covered the WeMos module with tape to prevent false electrical contacts between the Toon and the WeMos ESP8266 when snugly installed in the case of Toon.

Have fun!
Last edited by makkie2002 on Wed Sep 06, 2017 1:14 pm, edited 2 times in total.
makkie2002
Member
Member
 
Posts: 66
Joined: August 2017

Re: Rooting Toon (or boxx)

Postby Toonz » Tue Sep 05, 2017 10:53 pm

Thanks a lot, will give it a go :)
But not tonight.....
member of the Toon Software Collective
User avatar
Toonz
Forum Moderator
Forum Moderator
 
Posts: 1249
Joined: December 2016

Re: Rooting Toon (or boxx)

Postby DaLass » Wed Sep 06, 2017 2:31 pm

Ierlandfan wrote:
My Toon has arrived last week, brand-new, completely sealed and is not registered at all



If you do it yourself then it's a Toon with subscription (If signed up ofcourse) but the question is if you really want that.
If you let Quby root Toon then it's just a Toon without subscription
Basically we can recreate all or almost all the functionality of Toon without subscription (and sometimes even better) so only thing you really loose is the Toon app. (And there's a workaround for that)

Edit: I hate typo's, fixed.

I didn't plan on taking a Toon subscription, so that part is covered.
I also want to order Zon on Toon, so I am thinking to get a 1-month subscription, let Eneco install Zon on Toon, cancel the subscription and root the device.
DaLass
Starting Member
Starting Member
 
Posts: 2
Joined: September 2017

Re: Rooting Toon (or boxx)

Postby TerrorSource » Wed Sep 06, 2017 10:11 pm

DaLass wrote:
Ierlandfan wrote:
My Toon has arrived last week, brand-new, completely sealed and is not registered at all



If you do it yourself then it's a Toon with subscription (If signed up ofcourse) but the question is if you really want that.
If you let Quby root Toon then it's just a Toon without subscription
Basically we can recreate all or almost all the functionality of Toon without subscription (and sometimes even better) so only thing you really loose is the Toon app. (And there's a workaround for that)

Edit: I hate typo's, fixed.

I didn't plan on taking a Toon subscription, so that part is covered.
I also want to order Zon on Toon, so I am thinking to get a 1-month subscription, let Eneco install Zon on Toon, cancel the subscription and root the device.


Subscription is not needed to activate the software-side of Zon Op Toon. You can do that yourself in the activation file for all that i know of.
TerrorSource
Member
Member
 
Posts: 294
Joined: May 2017

Re: Rooting Toon (or boxx)

Postby Vibestar » Wed Sep 06, 2017 10:58 pm

Hello,

I'm following the Dutch guide to root my Toon. I got to the part of "Aanpassing van iptables (de linux firewall)" (Modification of iptables (the linux firewall)).
When I'm in the root and try to view my directories (ls command) I only see the packages I downloaded (dropbear and openssh).
How do I get to /etc/default/iptables.conf

I'm very new to linux so I had to look for some commands and using VI but I managed until this part. Can anyone help me to get further?

Another question. How can I check if Quby is reading my TOON? I followed all the steps but how can I see I did it right? I already made a connection with internet through WIFI.

Tnx in regard
Vibestar
Starting Member
Starting Member
 
Posts: 45
Joined: September 2017
Location: Rosmalen

Re: Rooting Toon (or boxx)

Postby Toonz » Thu Sep 07, 2017 6:21 am

makkie2002 wrote:I opened my Toon and took a picture :idea:

This is the scheme that I deduced from that:
Toon 5 <-> WeMos G(nd)
Toon 9 <-> WeMos 3.3V
Toon 11 <-> WeMos TX
Toon 13 <-> Wemos RX

I also completely covered the WeMos module with tape to prevent false electrical contacts between the Toon and the WeMos ESP8266 when snugly installed in the case of Toon.

Have fun!


Worked perfectly, thanks a lot
member of the Toon Software Collective
User avatar
Toonz
Forum Moderator
Forum Moderator
 
Posts: 1249
Joined: December 2016

Re: Rooting Toon (or boxx)

Postby Vibestar » Thu Sep 07, 2017 12:26 pm

Vibestar wrote:Hello,

I'm following the Dutch guide to root my Toon. I got to the part of "Aanpassing van iptables (de linux firewall)" (Modification of iptables (the linux firewall)).
When I'm in the root and try to view my directories (ls command) I only see the packages I downloaded (dropbear and openssh).
How do I get to /etc/default/iptables.conf

I'm very new to linux so I had to look for some commands and using VI but I managed until this part. Can anyone help me to get further?

Another question. How can I check if Quby is reading my TOON? I followed all the steps but how can I see I did it right? I already made a connection with internet through WIFI.

Tnx in regard


I found out the fisrt part. So everything is rooted. When I ping the TOON it still connects to quby. Is this good?
Vibestar
Starting Member
Starting Member
 
Posts: 45
Joined: September 2017
Location: Rosmalen

Re: Rooting Toon (or boxx)

Postby Wunser » Sat Sep 09, 2017 5:53 pm

Hi, I'm new to this forum and recently got into the hacking of my Toon due to some Eneco choices on pricing ;-)

Although the whole rooting process isn't that complicated for someone who's a little bit tech-savvy, the holy grail is to make this possible for your average joe without prying open and messing around with serial connectors and consoles.

I've been looking at a few vectors on getting into this device:

What doesn't seem to work:
- I tried finding a DFU-ish/recover mode on the board, i.e. powering it on while holding reset or something to make it boot and try to recover from USB for example. I haven't been able to find a way to make it do that.
- It doesn't auto-exec anything when inserting a USB stick, so that one is out as well.

Most interesting bit I've figured so far is the OpenVPN client it uses. I've gone trough some scripts and binaries and once that tun0 interface comes up and it connects to the service center, a lot of interesting things happen on a system level. You can write files, give it commands, I've found references to all kinds of support interfaces for the service desk all from that tun0 connection/IP range.

First of all, I'm not a VPN security expert, so I have no idea of some of this is viable.

The idea is: Create a Virtualbox bootable VM (so it works on any kind of computer/laptop) that runs it's own LAN/WLAN access point in a small isolated local network and OpenVPN server. It routes every IP (DNS, etc) through a set of IPtables rules to itself to capture anything trying to go out. Run a DNS server that answers on any IP (8.8.8.8 will do) and give back IP's that are always it's own. Let Toon connect into this little isolated network.

Now that Toon tries to make any and all connections towards local daemons which it THINKS is the public internet, comes the difficult part; Faking the OpenVPN server side to be a valid server.

Now the first issue is the certificates: Quby has been smart enough to give every Toon it's own certificate files client-side. So no big common set that's shared between all Toons. There is however a CA chain certificate on there, but I'm not sure if this would be a way in.

The interesting part however, is the OpenVPN server on Toon:
OpenVPN 2.3.11 arm-hae-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 30 2016
library versions: OpenSSL 1.0.2h 3 May 2016, LZO 1.08

This is an older OpenVPN server that's vulnerable to the SWEET32 cipher break: https://community.openvpn.net/openvpn/wiki/SWEET32

But this threads a bit over my expertise. Could we use this weak version/bug to fake a OpenVPN server response so Toon would successfully connect and THINK it's connected to the service center? Because IF that can be done, the device is nearly wide-open for auto-rooting any toon using nothing more then a laptop and VirtualBOX on a local network, without prying the thing open and trying to get into the newer hardened bootloader.


I'm still looking at other software ways that could get a foot in the door here, but the above is the largest potential for cracking it wide open fairly easily.
Wunser
Starting Member
Starting Member
 
Posts: 10
Joined: September 2017

Re: Rooting Toon (or boxx)

Postby Vibestar » Sat Sep 09, 2017 6:52 pm

I have a simple question. I'm really a noob when it comes to linux commands but I'm learning. Is there a command to refresh the gui? I'm more a designer than coder. I tried swapping some png and svg files. That works, but I've to restart, reboot, shutdown every time I make some changes. That takes for ages.
Vibestar
Starting Member
Starting Member
 
Posts: 45
Joined: September 2017
Location: Rosmalen

Re: Rooting Toon (or boxx)

Postby Toonz » Sat Sep 09, 2017 11:07 pm

Interesting, if we can manage a working vpn connection to our own vpn server from a virgin Toon then that is a big step. Still some challenges to overcome though (also upgrade scripts are signed and signatures checked before execution.
member of the Toon Software Collective
User avatar
Toonz
Forum Moderator
Forum Moderator
 
Posts: 1249
Joined: December 2016

Re: Rooting Toon (or boxx)

Postby TheHogNL » Mon Sep 11, 2017 10:18 am

Vibestar wrote:I have a simple question. I'm really a noob when it comes to linux commands but I'm learning. Is there a command to refresh the gui? I'm more a designer than coder. I tried swapping some png and svg files. That works, but I've to restart, reboot, shutdown every time I make some changes. That takes for ages.


killall qt-gui

That will restart the gui itself. Also takes a few minutes but a bit faster than rebooting.
Member of the Toon Software Collective
User avatar
TheHogNL
Forum Moderator
Forum Moderator
 
Posts: 1290
Joined: August 2017

Re: Rooting Toon (or boxx)

Postby Ierlandfan » Mon Sep 11, 2017 7:39 pm

If you're looking for a "simple" attack vector that doesn't involves breaking encryption (Now whe are in it makes more sense to try this again)
Try this one:

The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.


(CVE-2011-2716 20)

Installed on Toon: busybox-udhcpd - 1.18.3-r42.1

This sounds quite easy, set up a dhcp server and insert a command in one of the options. (Have to look for one, it' s been done before but not on Toon)
Hostname is fixed (In Toon) so that's not an option. The other options can be played with. SInce we have full control over Toon we can try to probe and see how Toon responds on Toon itself.
Ierlandfan
Member
Member
 
Posts: 148
Joined: October 2013

Re: Rooting Toon (or boxx)

Postby TheHogNL » Tue Sep 12, 2017 6:58 pm

Ierlandfan wrote:This sounds quite easy, set up a dhcp server and insert a command in one of the options. (Have to look for one, it' s been done before but not on Toon)
Hostname is fixed (In Toon) so that's not an option. The other options can be played with. SInce we have full control over Toon we can try to probe and see how Toon responds on Toon itself.


Sounds possible. The DOMAIN_NAME is the first one to try. I noticed that the hacked Toon I have installed my domain name (fritz.box) into /etc/resolv.conf so dhcp is using the domain name provided by the dhcp server.

I was looking for example exploit code but could not find anything for now.
Member of the Toon Software Collective
User avatar
TheHogNL
Forum Moderator
Forum Moderator
 
Posts: 1290
Joined: August 2017

Re: Rooting Toon (or boxx)

Postby wilcoe » Wed Sep 13, 2017 4:08 pm

makkie2002 wrote:This is the scheme that I deduced from that:
Toon 5 <-> WeMos G(nd)
Toon 9 <-> WeMos 3.3V
Toon 11 <-> WeMos TX
Toon 13 <-> Wemos RX

I also completely covered the WeMos module with tape to prevent false electrical contacts between the Toon and the WeMos ESP8266 when snugly installed in the case of Toon.

Have fun!


Hi, also soldered a WeMos to Toon.
But don't know which steps todo now.

esp-link is running and is also accesable by browser, Do i need to change some settings on pin definitions in esp-link?

nevermind, after couple of minutes (30 or more) the whole WeMos is not working.
Back to my soldering table :)

Regards,
wilcoe
Starting Member
Starting Member
 
Posts: 1
Joined: September 2017

PreviousNext

Return to Toon Rooting

Who is online

Users browsing this forum: No registered users and 0 guests