Toon as a domotica controller?

Post by marcelr »

A few weeks ago I bought an Eneco Toon thermostat from http://www.marktplaats.nl. I'm not a client of Eneco, nor do I intend to become one in the near future. One of the threads at this forum raised my interest. The Toon is an ARM926-based Linux box with a touchscreen, Z-Wave interface, OpenTherm interface, P1 interface, wifi interface, ethernet access and USB port. The open-source (GPL) part of the firmware source code is available from the software company that built it: quby.nl/opensource/openembedded-qb2-too ... r1.tar.bz2

It should not be too hard to modify this device to control other z-wave components when one can get into the device.

Getting in:

The toon is easy to open. The white frame is clicked into the grey backing and can be removed by just lifting it and gently retracting it from the backing. The touchscreen can then be lifted and put (a wee bit) aside. The pcb holding all the components is kept in place by a few plastic studs and can be dislodged easily. When done, the back of the PCB presents two connectors: one 2-pin connector for a 24V power supply (accessible from the outside), and a 2x7 connector holding probably a JTAG interface, SPI interface and a serial port. Logic high being 3.3V.
See forum.eneco.nl/suggesties-ideea-n-verbe ... toon-4853/ for some pictures.

I have tested these pins with a logic sniffer seeedstudio.com/depot/open-workbench-lo ... l?cPath=63.
So far I have found part of the serial port:

pin 13: RxD, (well, that's what my sniffer says, TxD would make more sense, for now I'll stick to my sniffer's analysis)
pin 14: GND,
baud rate 115200, 8N1 data/parity/stop.
(TxD is probably one of pins 9-12).

When hooked up to a 3.3V USB-serial converter, toon spits out the following (FTDI USB-serial converter attached to USB, ethernet cable connected to the ethernet port) over the serial port at the PCB:

U-Boot 2010.09-R6 (Mar 14 2012 - 11:15:10)

CPU:   Freescale i.MX27 at 400.168 MHz

Prodrive B.V. ED2.0
DRAM:  128 MiB
NAND:  128 MiB
LCD: Initializing LCD frambuffer at a1400000
LCD: 800x480, pbb 4
LCD: Drawing the logo...
In:    serial
Out:   serial
Err:   serial
Display-bmp: 800 x 480  with 16777216 colors
Net:   FEC
Warning: FEC MAC addresses don't match:
Address in SROM is         xx:xx:xx:xx:xx:xx
Address in environment is  yy:yy:yy:yy:yy:yy

Enter password - autoboot in 2 sec...

NAND read: device 0 offset 0x300000, size 0x300000
 3145728 bytes read: OK
## Booting kernel from Legacy Image at a1000000 ...
   Image Name:   Linux-2.6.36-R07-h10
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2353700 Bytes = 2.2 MiB
   Load Address: a0008000
   Entry Point:  a0008000
   Verifying Checksum ... OK
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Linux version 2.6.36-R07-h10 (jbraam@dvl) (gcc version 4.5.3 20110223 (prerelease) (GCC) ) #1 PREEMPT Thu Apr 5 12:23:23 CEST 2012
CPU: ARM926EJ-S [41069264] revision 4 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: Prodrive B.V ED2.0
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: ubi.mtd=4 root=ubi0:rootfs rw rootfstype=ubifs mtdparts=mxc_nand:512K@0x00100000(u-boot-env)ro,1536K(splash-image),3M(kernel),3M(kernel-backup),119M(rootfs) console=ttymxc0,115200 mem=128M
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 128MB = 128MB total
Memory: 125288k/125288k available, 5784k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    DMA     : 0xffa00000 - 0xffe00000   (   4 MB)
    vmalloc : 0xc8800000 - 0xf4000000   ( 696 MB)
    lowmem  : 0xc0000000 - 0xc8000000   ( 128 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .init : 0xc0008000 - 0xc0024000   ( 112 kB)
      .text : 0xc0024000 - 0xc0405000   (3972 kB)
      .data : 0xc0420000 - 0xc0467e60   ( 288 kB)
Hierarchical RCU implementation.
	RCU-based detection of stalled CPUs is disabled.
	Verbose stalled-CPUs detection is disabled.
NR_IRQS:272
MXC IRQ initialized
MXC GPIO hardware
Console: colour dummy device 80x30
Calibrating delay loop... 199.88 BogoMIPS (lpj=999424)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource mxc_timer1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
msgmni has been set to 244
io scheduler noop registered (default)
imx-fb imx-fb.0: PreserveUBootFramebuffer(1): xres=800, yres=480 [skip _update_lcdc]
imx-fb imx-fb.0: PreserveUBootFramebuffer(2): xres=800, yres=480 [skip _update_lcdc]
Console: switching to colour frame buffer device 100x30
imx-fb imx-fb.0: fb0: DISP0 BG fb device registered successfully.
imx-fb imx-fb.0: PreserveUBootFramebuffer(3): xres=800, yres=480 [skip _update_lcdc]
imx-fb imx-fb.0: fb1: DISP0 FG fb device registered successfully.
Serial: IMX driver
imx-uart.0: ttymxc0 at MMIO 0x1000a000 (irq = 20) is a IMX
console [ttymxc0] enabled
imx-uart.1: ttymxc1 at MMIO 0x1000b000 (irq = 19) is a IMX
imx-uart.2: ttymxc2 at MMIO 0x1000c000 (irq = 18) is a IMX
NAND device: Manufacturer ID: 0xec, Chip ID: 0xf1 (Samsung NAND 128MiB 3,3V 8-bit)
Scanning device for bad blocks
Bad eraseblock 140 at 0x000001180000
RedBoot partition parsing not available
5 cmdlinepart partitions found on MTD device mxc_nand
Creating 5 MTD partitions on "mxc_nand":
0x000000100000-0x000000180000 : "u-boot-env"
0x000000180000-0x000000300000 : "splash-image"
0x000000300000-0x000000600000 : "kernel"
0x000000600000-0x000000900000 : "kernel-backup"
0x000000900000-0x000008000000 : "rootfs"
UBI: attaching mtd4 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    129024 bytes
UBI: smallest flash I/O unit:    2048
UBI: sub-page size:              512
UBI: VID header offset:          512 (aligned 512)
UBI: data offset:                2048
UBI: max. sequence number:       100
UBI: attached mtd4 to ubi0
UBI: MTD device name:            "rootfs"
UBI: MTD device size:            119 MiB
UBI: number of good PEBs:        951
UBI: number of bad PEBs:         1
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     1
UBI: available PEBs:             0
UBI: total number of reserved PEBs: 951
UBI: number of PEBs reserved for bad PEB handling: 9
UBI: max/mean erase counter: 1/0
UBI: image sequence number:  1189859196
UBI: background thread "ubi_bgt0d" started, PID 336
at25 spi0.0: 32 KByte at25640B eeprom, pagesize 64
spi_imx spi_imx.0: probed
FEC Ethernet Driver
fec_enet_mii_bus: probed
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
mxc-ehci mxc-ehci.0: initializing i.MX USB Controller
mxc-ehci mxc-ehci.0: portsc setup 1: 0x80000000
mxc-ehci mxc-ehci.0: Work around for USB enabled
ULPI transceiver vendor/product ID 0x04cc/0x1505
mxc-ehci mxc-ehci.0: Freescale On-Chip EHCI Host Controller
mxc-ehci mxc-ehci.0: new USB bus registered, assigned bus number 1
mxc-ehci mxc-ehci.0: irq 56, io mem 0x10024000
mxc-ehci mxc-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb1: Product: Freescale On-Chip EHCI Host Controller
usb usb1: Manufacturer: Linux 2.6.36-R07-h10 ehci_hcd
usb usb1: SerialNumber: mxc-ehci.0
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
mxc-ehci mxc-ehci.2: initializing i.MX USB Controller
mxc-ehci mxc-ehci.2: portsc setup 1: 0x80000000
mxc-ehci mxc-ehci.2: Work around for USB enabled
mxc-ehci mxc-ehci.2: Freescale On-Chip EHCI Host Controller
mxc-ehci mxc-ehci.2: new USB bus registered, assigned bus number 2
mxc-ehci mxc-ehci.2: irq 55, io mem 0x10024400
mxc-ehci mxc-ehci.2: USB 2.0 started, EHCI 1.00
usb usb2: New USB device found, idVendor=1d6b, idProduct=0002
usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb2: Product: Freescale On-Chip EHCI Host Controller
usb usb2: Manufacturer: Linux 2.6.36-R07-h10 ehci_hcd
usb usb2: SerialNumber: mxc-ehci.2
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
usbserial: USB Serial Driver core
USB Serial support registered for cp210x
usbcore: registered new interface driver cp210x
cp210x: v0.09:Silicon Labs CP210x RS232 serial adaptor driver
USB Serial support registered for FTDI USB Serial Device
usbcore: registered new interface driver ftdi_sio
ftdi_sio: v1.6.0:USB FTDI Serial Converters Driver
USB Serial support registered for pl2303
usbcore: registered new interface driver pl2303
pl2303: Prolific PL2303 USB to serial adaptor driver
input: TSC2007 Touchscreen as /devices/virtual/input/input0
rtc-isl1208 1-006f: chip found, driver version 0.3
rtc-isl1208 1-006f: rtc core: registered rtc-isl1208 as rtc0
i2c /dev entries driver
imx2-wdt imx2-wdt.0: IMX2+ Watchdog Timer enabled. timeout=60s (nowayout=0)
adt7410 0-0048: adt7410 temperature sensor registered.
adt7410 0-0049: adt7410 temperature sensor registered.
usbcore: registered new interface driver r871x_usb_drv
nf_conntrack version 0.5.0 (1957 buckets, 7828 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 17
lib80211: common routines for IEEE802.11 drivers
rtc-isl1208 1-006f: setting system clock to 2013-06-04 17:38:01 UTC (1370367481)
usb 1-1: new full speed USB device using mxc-ehci and address 2
UBIFS: recovery needed
usb 1-1: New USB device found, idVendor=0403, idProduct=6001
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 0, name "rootfs"
UBIFS: file system size:   119605248 bytes (116802 KiB, 114 MiB, 927 LEBs)
UBIFS: journal size:       9033728 bytes (8822 KiB, 8 MiB, 71 LEBs)
UBIFS: media format:       w4/r0 (latest is w4/r0)
UBIFS: default compressor: lzo
UBIFS: reserved for root:  0 bytes (0 KiB)
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: USB Serial Converter
usb 1-1: Manufacturer: FTDI
usb 1-1: SerialNumber: FTGHPZFA
VFS: Mounted root (ubifs filesystem) on device 0:13.
Freeing init memory: 112K
ftdi_sio 1-1:1.0: FTDI USB Serial Device converter detected
usb 1-1: Detected FT232RL
usb 1-1: Number of endpoints 2
usb 1-1: Endpoint 1 MaxPacketSize 64
usb 1-1: Endpoint 2 MaxPacketSize 64
usb 1-1: Setting MaxPacketSize 64
usb 1-1: FTDI USB Serial Device converter now attached to ttyUSB0
usb 2-1: new high speed USB device using mxc-ehci and address 2
usb 2-1: New USB device found, idVendor=13d3, idProduct=3309
usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 2-1: Product: RTL8191S WLAN Adapter 
usb 2-1: Manufacturer: Manufacturer Realtek 
usb 2-1: SerialNumber: 00e04c000001
==DriverVersion: v2.6.6.0.20101111==
register rtl8712_netdev_ops to netdev_ops

8712_usb_endpoint_descriptor(0):
bLength=7
bDescriptorType=5
bEndpointAddress=83
wMaxPacketSize=200
bInterval=0

8712_usb_endpoint_descriptor(1):
bLength=7
bDescriptorType=5
bEndpointAddress=4
wMaxPacketSize=200
bInterval=0

8712_usb_endpoint_descriptor(2):
bLength=7
bDescriptorType=5
bEndpointAddress=6
wMaxPacketSize=200
bInterval=0

8712_usb_endpoint_descriptor(3):
bLength=7
bDescriptorType=5
bEndpointAddress=d
wMaxPacketSize=200
bInterval=0

8712u : USB_SPEED_HIGH
nr_endpoint=4
Boot from EFUSE
Autoload OK!!
CustomerID = 0x   0
MAC Address from efuse= zz-zz-zz-zz-zz-zz
eth0: Freescale FEC PHY driver [Generic PHY] (mii_bus:phy_addr=1:10, irq=-1)
ADDRCONF(NETDEV_UP): eth0: link is not ready
device eth0 entered promiscuous mode
eth0: Freescale FEC PHY driver [Generic PHY] (mii_bus:phy_addr=1:10, irq=-1)
ADDRCONF(NETDEV_UP): eth0: link is not ready
PHY: 1:10 - Link is Up - 100/Full
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
imx-fb imx-fb.0: PreserveUBootFramebuffer(4): xres=800, yres=480 [do _update_lcdc]

The text output stops when the software reaches the screen "start configuration".
I haven't done that (yet), want to keep my toon pristine so I can back up the original firmware before taking the same firmware apart ;-).

Next step:

Finding the TxD connector, so I can talk back to the machine. Then a password will be handy ...
In the boot sequence, the FTDI device gets connected to /dev/ttyUSB0, should be possible to get in through that route, haven't tested yet.

I'll keep you posted.

grtz,

marcelr
Last edited by marcelr on Wed Jun 05, 2013 7:13 am, edited 1 time in total.
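
Added example, not part of marcelr's post: a Python parser for the `mtdparts=` argument on the kernel command line in the boot log above, which rebuilds the flash layout so it can be checked against the "Creating 5 MTD partitions" lines before planning a firmware backup. The function names are hypothetical, and the 128 MiB device size is taken from the "NAND: 128 MiB" line of the log.

```python
import re

# Kernel command line copied from the boot log in the post above.
CMDLINE = ("ubi.mtd=4 root=ubi0:rootfs rw rootfstype=ubifs "
           "mtdparts=mxc_nand:512K@0x00100000(u-boot-env)ro,1536K(splash-image),"
           "3M(kernel),3M(kernel-backup),119M(rootfs) "
           "console=ttymxc0,115200 mem=128M")

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
_NUM = r"(?:0x[0-9a-fA-F]+|\d+)[kKmMgG]?"
# One partition spec: <size>[@<offset>][(<name>)][ro][lk]
_PART = re.compile(
    rf"^(?P<size>-|{_NUM})(?:@(?P<off>{_NUM}))?"
    r"(?:\((?P<name>[^)]*)\))?(?P<flags>(?:ro|lk)*)$")


def _num(tok):
    """Convert '512K', '3M' or '0x00100000' to a byte count."""
    unit = tok[-1].lower() if tok[-1].lower() in "kmg" else ""
    body = tok[:-1] if unit else tok
    value = int(body, 16) if body.lower().startswith("0x") else int(body)
    return value * _UNITS[unit]


def parse_mtdparts(cmdline, device_size=None):
    """Return {mtd_id: [partition dicts]} with absolute start/end offsets."""
    arg = next((a for a in cmdline.split() if a.startswith("mtdparts=")), None)
    if arg is None:
        raise ValueError("no mtdparts= argument on the command line")
    layout = {}
    for devspec in arg[len("mtdparts="):].split(";"):
        mtd_id, _, partlist = devspec.partition(":")
        cursor, parts = 0, []
        for index, spec in enumerate(partlist.split(",")):
            m = _PART.match(spec)
            if m is None:
                raise ValueError(f"cannot parse partition spec {spec!r}")
            # Without an explicit @offset a partition follows the previous one.
            start = _num(m["off"]) if m["off"] else cursor
            if m["size"] == "-":  # '-' means "rest of the device"
                if device_size is None:
                    raise ValueError("'-' size needs device_size")
                size = device_size - start
            else:
                size = _num(m["size"])
            parts.append({"index": index, "name": m["name"] or "",
                          "start": start, "end": start + size,
                          "read_only": "ro" in m["flags"]})
            cursor = start + size
        layout[mtd_id] = parts
    return layout


def locate(parts, offset):
    """Return the partition containing a raw flash offset, or None."""
    return next((p for p in parts if p["start"] <= offset < p["end"]), None)


def unmapped(parts, device_size):
    """Return (start, end) ranges of the device not covered by any partition."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    if cursor < device_size:
        gaps.append((cursor, device_size))
    return gaps


if __name__ == "__main__":
    nand = parse_mtdparts(CMDLINE)["mxc_nand"]
    for p in nand:
        flag = " (ro)" if p["read_only"] else ""
        print(f'mtd{p["index"]} 0x{p["start"]:012x}-0x{p["end"]:012x} {p["name"]}{flag}')
    # U-Boot's "NAND read: device 0 offset 0x300000" loads from this partition.
    print("0x300000 is in:", locate(nand, 0x300000)["name"])
    for start, end in unmapped(nand, 128 * 1024 * 1024):
        print(f"not exposed as an MTD partition: 0x{start:x}-0x{end:x}")
```

The computed ranges match the kernel's partition list, and the first 1 MiB of the NAND is not covered by any partition, so a backup made only from the `/dev/mtdN` devices would not include that region.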

Post by Bwired »

Nice! Keep us posted...

Post by jeroenc »

Nice!

Post by marcelr »

Still trying to get in ...
Just hooked up the TxD terminal of an FTDI 3.3V USB-serial converter to pin 11. Works, at least with minicom.

Summarizing, the serial port of Toon is located on the 14-pin header as follows:

pin 11: RxD (connects to TxD of the connecting serial port)
pin 13: TxD (connects to RxD of the connecting port)
pin 14: GND

115200 baud, 8N1 data bits/parity/stop bits

Downside: I haven't managed to interrupt the boot sequence yet. So far, serial input only works after init has started a getty on this port. Not very useful, since the console just spits out the syslog, and cannot be interrupted. Could be hardware flow control at first (RTS/CTS), although it's not very likely. Have to check.

I also have a question for domotica forum members with a toon:

If I install the software (hit "Start installatie" on the welcome screen) can I go back to factory default settings afterwards, such that the machine is in _exactly_ the same state as when it first came out of the package?

grtz,

marcelr

Post by marcelr »

Made a small step again, a possible explanation of the serial port not working during initial boot-up. U-boot possibly blocks the serial port during boot-up. At least, it can be made to do so, according to the code. Haven't found hardware flow control wiring, probably because it isn't there.

BTW, u-boot is licensed under GPLv2 AFAIK, and I can't seem to find any of its code in the open source package published by Quby. Nice job for the FSF :evil:

I hit the "start installatie" button, and after setting up the wifi connection I tested _all_ service ports on the toon. To no avail, all of them are filtered.

Even so, before hitting the activation key (should be done after setup, haven't touched it yet), toon calls home.
Toon contacts this URL _before_ activation of the machine, through a random port, at port 443:
https://a3985.homeautomationeurope.atom86.net, having IP addresses 95.142.102.128 through 95.142.102.148 and 95.142.102.150 through 95.142.102.191. The one in between (95.142.102.149) is a mailserver: mail.haemail.nl. Not that this info makes access easier, it's just here for completeness' sake.

Next step: JTAG, see if that works at all.

grtz,

marcelr

Post by raymonvdm »

Please keep on going. It would be nice to use Toon as a Z-wave controller.
Running HS3PRO on PC with Z-Wave / OpenTherm / Plugwise / RFXcom / MQTT / XAP400 / Logitech Media Server and Squeezelite on PI`s

Post by wwolkers »

Nice work so far!
I also ordered a Toon, to see what's possible, since the hardware is capable of a lot of things.

Post by phoenixb »

Hello Marcelr,

About the factory settings, this is possible after the setup when you look into the menu -> systeem -> software -> and then hit the button "herstel"
you can go back to the original software.

Regards,

Post by Tonaatje »

Good work,


For zwave,

The display has a web UI, but there is a problem: you have local access for 2 hours. So after 2 hours your access is gone.

Post by wwolkers »

I also have a Toon now to play around with. I did a reset, but then it will ask you for an activation code. I called Eneco, and explained, and they were very nice and helpful and gave me an activation code, even though I am not a customer of Eneco! You will not get any software updates, nor the weather/traffic or the power/gas consumption values officially (Traffic & weather work for me, and I also got an update)
I'll have to try the webui. I saw the option, but didn't have time to test yet.

Post by RDNZL »

> Even so, before hitting the activation key (should be done after setup, haven't touched it yet), toon calls home.
> Toon contacts this URL _before_ activation of the machine, through a random port, at port 443:
> https://a3985.homeautomationeurope.atom86.net, having IP addresses 95.142.102.128 through 95.142.102.148 and 95.142.102.150 through 95.142.102.191. The one in between (95.142.102.149) is a mailserver: mail.haemail.nl.
> Not that this info makes access easier, it's just here for completeness' sake.

It can help finding out what it does, later on you can spoof the address with a local DNS server to point to a server of your own.
This was a way to hack the Audreys (well known by people using MisterHouse like myself) :P
And you can check the Apache logs then to see what URLs it tries to fetch (updates?)
Of course you can also use Wireshark for this.

About work for the FSF, don't get your hopes too high, there are more commercial home automation projects which don't obey the rules.
One of them http://www.domoticaforum.eu/viewtopic.php?t=303
Regards, Ron.

Post by marcelr »

> It can help finding out what it does, later on you can spoof the address with a local DNS server to point to a server of your own.
> This was a way to hack the Audreys (well known by people using MisterHouse like myself) :P
> And you can check the Apache logs then to see what URLs it tries to fetch (updates?)
> Of course you can also use Wireshark for this.

That's my plan in the near future, Wireshark would be my tool of choice. So far, finding the JTAG port has proven to be harder than I thought. Right now I'm collecting tools to access the processor bumps directly, see if I can find some connections there.

> About work for the FSF, don't get your hopes too high, there are more commercial home automation projects which don't obey the rules.

I don't care that much, it's a last resort, when all else fails.

Post by RDNZL »

LOL, DUH I only now just realized that the company making and selling the Home Control Box aka HCB -which I mentioned earlier as the project 'borrowing' the open source project misterhouse as base for their product- is the same company who made the Toon...
Read more about it here on page 10-13 (Dutch), and also see that they hired a security company to make sure the Toon is secure.
bits-chips.nl/fileadmin/uploads_redacti ... 13-web.pdf
Which is a good thing for the customers and bad news for the topicstarter :roll:
Regards, Ron.

Post by marcelr »

It's been awfully quiet the last few months. Sorry about that, I had other, more pressing things to do (taking a long holiday, among other things).
Haven't found a JTAG interface yet. There's a strong possibility that it isn't connected ...

I had a go at the open source package as published by quby.nl. The build of the rootfs and kernel images took a little patching and more than 6 hours on a rather dated CentOS 6 box that I keep for jobs like this. The bare rootfs (UBI filesystem, without proprietary software, i.e., the entire user interface for toon) has some interesting information.
The kernel version in the published open source is one patch level higher than my toon's kernel. Good, so the published code is not outdated.
Haven't ploughed through all of it yet, but apparently spi support including bit-banging is supported in toon's kernel. Need to find out if I can access that port.

Other features:
Once working, access to the machine is through dropbear, a secure shell daemon. Quite common in embedded systems.
According to the boot scripts, /etc/inittab should spawn normal gettys to /dev/console, and tinylogin should present a login prompt. It doesn't, so something else is going on. /etc/passwd only holds an old-fashioned DES128 hash key for the root password. Cracked that in less than a millisecond, root has no password ;-).

Oh, and the previous post shouldn't be too discouraging: the guys of cryptology in my university always said that anything that's stored in digital form, can be cracked. I hope they're still right ...

That's all for now, will try to make the reporting intervals a bit shorter than the last one :-)

grtz,

marcelr
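
Added example, not part of marcelr's post: a Python audit of an `/etc/passwd` file extracted from a firmware rootfs, flagging accounts like the one described above (a hash stored in the world-readable passwd file, or no password at all). It assumes the "DES" hash the post mentions is a traditional 13-character crypt(3) string; the sample file and its hash values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample; the hash strings are made up for illustration.
SAMPLE_PASSWD = """\
root:Xy4kPq1zT0abc:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
service::0:0:service:/root:/bin/sh
admin:$1$abcdefgh$0123456789abcdefghijkl:1000:1000::/home/admin:/bin/sh
www:x:33:33:www:/var/www:/bin/false
"""

# (pattern, scheme name, considered weak today)
SCHEMES = [
    (re.compile(r"^\$6\$"), "sha512-crypt", False),
    (re.compile(r"^\$5\$"), "sha256-crypt", False),
    (re.compile(r"^\$2[abxy]\$"), "bcrypt", False),
    (re.compile(r"^\$y\$"), "yescrypt", False),
    (re.compile(r"^\$1\$"), "md5-crypt", True),
    (re.compile(r"^_[./0-9A-Za-z]{19}$"), "bsdi-des-crypt", True),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", True),
]
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def classify(field):
    """Return (scheme, weak) for the second field of a passwd entry."""
    if field == "":
        return "empty", True          # login succeeds without a password
    if field == "x":
        return "shadowed", False      # real hash lives in /etc/shadow
    if field[0] in "*!":
        return "locked", False        # no password can match
    for pattern, name, weak in SCHEMES:
        if pattern.search(field):
            return name, weak
    return "unknown", True


def audit_passwd(text):
    """Return [(user, scheme, severity)] for entries that need attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed", "review"))
            continue
        user, password, uid, shell = fields[0], fields[1], fields[2], fields[6]
        scheme, weak = classify(password)
        if not weak:
            continue
        interactive = shell not in NOLOGIN_SHELLS
        if scheme == "empty" and interactive:
            severity = "critical" if uid == "0" else "high"
        elif uid == "0" and interactive:
            severity = "high"
        else:
            severity = "medium"
        findings.append((user, scheme, severity))
    return findings


if __name__ == "__main__":
    for user, scheme, severity in audit_passwd(SAMPLE_PASSWD):
        print(f"{severity:8} {user:10} {scheme}")
```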

Post by Ierlandfan »

Hi Marcelr,

let's team up!
I took another approach first. Possible running services to exploit.
Identified: DHCP client (udhcp 1.18.3, part of Busybox) It does not sanitize hostname and possible domain name.
Wasn't working for me. It's easy to try, set up a dhcp server and insert

option host-name beginName`command`endName or beginName;command;endName;
Tried to do something simple like reboot as a command but it didn't work. Because Toon's Hostname is static.
Will try again in the holiday with domain-name.
Next, lighttpd, couldn't find an exploit to use.
Next jquery, well same thing,

I have to say my knowledge of lighttpd and jquery is almost 0.

Turned to Home Control Box (HCB) firmware because I had a hunch. I guessed right!
A few pointers:
http://ip_toon/hcb_config/binaryVersionsList.js.
http://ip_toon/hcb_web/config_left.html
http://ip_toon/hcb_web/config_top.html

Also examine the source of the pages to find a lot more pointers

Above pages are part of the configuration part of the original HCB. Their functions are not working because
http://ip_toon/hcb_config is forbidden so
http://ip_toon/hcb_config?action?=some_command gives a forbidden
so does http://ip_toon/hcb_netcon

This can possibly be exploited by examining the HCB firmware in more detail and trying.

Anyway, I tried to go further, sniffing with Wireshark; it's setting up a VPN to the IPs mentioned earlier
but I can't see any client/server handshake or Hello. I know they're using certificate authorization but how? Don't know.
It was possible to DDoS the device (hping2 <ip_toon> -i u1 -S –p) which froze the device after about 15 seconds and it rebooted eventually.
(Which they solved in FW version after 2.24, because I told Quby about it.)

Right, what next: Chrony, the client side of the timehandler. No known exploit.

I did compile a version for about the same board (with the opensource part) so I can debug if you want.

Anyway, continue, found serial just like you, and just like you, cannot get in. Cannot stop bootprocess.
I haven't tried jtag 'cause I don't have a scope or logic analyzer.
There is another way which is on the left of the board. It's probably i2c. Maybe you can sniff it with your logic analyzer.

I was determined to get access to some point so I made an interface from the memory bank (NAND) to a cardreader
but since I didn't want to solder the wires I sort of taped them to the NAND. Wasn't working. (Bad connection is the most likely cause)
I will try though to use a ps3/xbox360 NAND clip-on but they're hard to get. And there are a few SMDs around the NAND which will probably make that route useless.
Maybe someone can desolder the NAND and hook it up to a cardreader to read its contents. I know a guy who can (Both) but since well, it's cold around christmas I cannot send it to him.
(So if anyone has a spare/unused one to offer...you can send it to him.) For those...Sprite_tm.

Why I am so determined..simple, I have a device (Toon) which is sending sensitive information outside my network and they "say" it's safe.
They also said "no information" is sent outside my network. It's one-way.
Then tell me, how does the toonopafstand App know how hot it is inside?