Hi, I'm new to this forum and recently got into the hacking of my Toon due to some Eneco choices on pricing.
Although the whole rooting process isn't that complicated for someone who's a little bit tech-savvy, the holy grail is to make this possible for your average Joe without prying the thing open and messing around with serial connectors and consoles.
I've been looking at a few vectors on getting into this device:
What doesn't seem to work:
- I tried finding a DFU-ish/recover mode on the board, i.e. powering it on while holding reset or something to make it boot and try to recover from USB for example. I haven't been able to find a way to make it do that.
- It doesn't auto-exec anything when inserting a USB stick, so that one is out as well.
The most interesting bit I've figured out so far is the OpenVPN client it uses. I've gone through some scripts and binaries, and once that tun0 interface comes up and it connects to the service center, a lot of interesting things happen on a system level. You can write files and give it commands; I've found references to all kinds of support interfaces for the service desk, all from that tun0 connection/IP range.
First of all, I'm not a VPN security expert, so I have no idea whether any of this is viable.
The idea is: create a VirtualBox bootable VM (so it works on any kind of computer/laptop) that runs its own LAN/WLAN access point in a small, isolated local network, plus an OpenVPN server. It routes every IP (DNS, etc.) through a set of iptables rules to itself to capture anything trying to go out. Run a DNS server that answers on any IP (8.8.8.8 will do) and gives back IPs that are always its own. Let Toon connect into this little isolated network.
Now that Toon tries to make any and all connections towards local daemons which it THINKS are the public internet, comes the difficult part: faking the OpenVPN server side so it passes as a valid server.
Now the first issue is the certificates: Quby has been smart enough to give every Toon its own certificate files client-side. So there is no big common set that's shared between all Toons. There is, however, a CA chain certificate on there, but I'm not sure if this would be a way in.
The interesting part however, is the OpenVPN server on Toon:
OpenVPN 2.3.11 arm-hae-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 30 2016
library versions: OpenSSL 1.0.2h 3 May 2016, LZO 1.08
This is an older OpenVPN server that's vulnerable to the SWEET32 cipher break:
https://community.openvpn.net/openvpn/wiki/SWEET32
But this treads a bit over my expertise. Could we use this weak version/bug to fake an OpenVPN server response so Toon would successfully connect and THINK it's connected to the service center? Because IF that can be done, the device is nearly wide open for auto-rooting any Toon using nothing more than a laptop and VirtualBox on a local network, without prying the thing open and trying to get into the newer, hardened bootloader.
I'm still looking at other software ways that could get a foot in the door here, but the above has the largest potential for cracking it wide open fairly easily.
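Editor's note with an added example (not code from the poster, Quby or the OpenVPN project). SWEET32 is a birthday-bound attack on 64-bit block ciphers such as Blowfish (BF-CBC, the OpenVPN 2.3 default) and 3DES: after many gigabytes of traffic in one session an observer can recover some plaintext. It says nothing about who the client is talking to; whether a client accepts a peer as "the service center" is decided by the CA chain and the client's own verification directives. The script below audits a client configuration for both points: it flags 64-bit-block ciphers and it flags missing server-identity checks. The configurations are constructed samples; the version banner is the one quoted in the post.

```python
"""Audit an OpenVPN client config for SWEET32-affected ciphers and missing server-identity checks.
Added example; the config files below are constructed and are not a real Toon configuration."""
import re
from typing import Dict, List, Optional, Tuple

# Version banner as quoted in the post above.
TOON_BANNER = "OpenVPN 2.3.11 arm-hae-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 30 2016"

# Ciphers OpenVPN can use that have a 64-bit block size and are therefore affected by SWEET32.
SWEET32_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}

# Constructed weak client config: relies on the 2.3 default cipher and only checks the CA chain.
CONSTRUCTED_WEAK_CONF = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194   # placeholder host, not a real endpoint
ca ca.crt
cert client.crt
key client.key
auth SHA1
"""

# Constructed hardened config: AEAD cipher, pinned server name, server EKU and control-channel HMAC.
CONSTRUCTED_HARDENED_CONF = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-GCM
remote-cert-tls server
verify-x509-name vpn.example.invalid name
tls-auth ta.key 1
"""


def parse_version_banner(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an 'OpenVPN x.y.z ...' banner."""
    m = re.search(r"OpenVPN (\d+)\.(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def parse_openvpn_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list; '#' and ';' start comments; last occurrence wins."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def audit_client_conf(text: str, version: Optional[Tuple[int, int, int]] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing flagged."""
    conf = parse_openvpn_conf(text)
    findings: List[str] = []
    # OpenVPN 2.3 falls back to BF-CBC when no 'cipher' directive is given.
    cipher = conf.get("cipher", ["BF-CBC"])[0].upper()
    if cipher in SWEET32_CIPHERS:
        msg = f"cipher {cipher}: 64-bit block size, affected by SWEET32; prefer AES-256-GCM"
        if version is not None and version < (2, 4, 0):
            # Cipher negotiation (NCP) only arrived in 2.4; older clients use the configured cipher as-is.
            msg += " (OpenVPN < 2.4 has no cipher negotiation, so this cipher is used as configured)"
        findings.append(msg)
    if "remote-cert-tls" not in conf and "ns-cert-type" not in conf:
        findings.append("missing 'remote-cert-tls server': peer certificate is not required to carry the TLS server EKU")
    if "verify-x509-name" not in conf:
        findings.append("missing 'verify-x509-name': any certificate chaining to the CA is accepted as the server")
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("missing 'tls-auth'/'tls-crypt': control channel is not HMAC-protected")
    return findings


if __name__ == "__main__":
    ver = parse_version_banner(TOON_BANNER)
    for name, conf in (("weak", CONSTRUCTED_WEAK_CONF), ("hardened", CONSTRUCTED_HARDENED_CONF)):
        print(f"== {name} config (OpenVPN {ver}) ==")
        for f in audit_client_conf(conf, ver) or ["no findings"]:
            print(" -", f)
```

The cipher finding only matters for confidentiality of a long-lived tunnel; the three directive findings are what decide whether a client will accept a certificate that merely chains to the same CA. A fix on the client side is the hardened configuration above (pinned `verify-x509-name`, `remote-cert-tls server`, `tls-auth`) together with an AEAD cipher.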