Rooting Toon (or boxx)

Forum about the tweaking of the Eneco Toon.

Moderator: marcelr

Rooting Toon (or boxx)

Postby marcelr » Tue May 31, 2016 9:02 pm

Please post your questions/tips/remarks related to rooting Eneco's Toon here.
marcelr
Advanced Member
Advanced Member
 
Posts: 824
Joined: May 2012
Location: Ehv

Re: Rooting Toon

Postby cygnusx » Wed Jun 01, 2016 9:01 am

Maybe a good idea to post the latest rooting guide in the TS?
cygnusx
Starting Member
Starting Member
 
Posts: 48
Joined: April 2015

Re: Rooting Toon

Postby marcelr » Wed Jun 01, 2016 11:03 am

Good idea, slightly different: I made a read-only manuals and tutorials section. First manual added: rooting :-)

grtz,

marcelr
marcelr
Advanced Member
Advanced Member
 
Posts: 824
Joined: May 2012
Location: Ehv

Re: Rooting Toon

Postby marcelr » Wed Sep 07, 2016 8:46 pm

Over the last few months I have had requests from (mostly starting) forum members to help them out with rooting their toon. Some just want tips and troubleshooting advice. Some want me to do the actual rooting for them. Such requests are mostly made by PM and/or mail.

While I'm happy to help anybody who is enthusiastic about the stuff that has been published so far on toon in this forum, I would like to urge everybody seeking help or support with rooting and software adaptations to ask for this through the forum pages, and not through PM or mail.

The reasons are simple:

Some mistakes/errors happen to everybody who starts working with toon hardware, and it's a bit tedious to answer the same questions over and over again.

Starting members posts have to pass through a moderation process before they are published on the web. Since I also moderate this thread, the processing time for posts/PMs/mail is the same. I check mail regularly, and as soon as you post as starting member, I see that you have done so, in my mailbox. If your post is publishable (i.e. not spam), it will be approved/published, and answered if there's a request that needs answering. So, posting in the forum is as fast as any other means to contact me.

When you post in the forum, other members can chime in and possibly help you out.

In general, I will NOT root your toon for you (unless there are very very very specific circumstances). You will have to it yourself, but you can always ask for advice.

So in short, all request for rooting support should be made in the forum, from now on.

grtz,

marcelr
marcelr
Advanced Member
Advanced Member
 
Posts: 824
Joined: May 2012
Location: Ehv

Re: Rooting Toon

Postby marcelr » Tue Sep 13, 2016 9:07 pm

I recently got my hands on a newer toon, with boot loader version 2010.9-R10.
It was built a few weeks after Ierlandfan published the rooting method for toon, and most probably can be found on any toon with serial numbers starting with 16 (production year 2016).

The guys at Quby haven't been idle in making access to toon harder. This version has a properly hashed boot loader password (SHA256), and when you try to access it through the screwdriver method, it no longer drops you to a shell, instead you get this:

Code: Select all
   Verifying Checksum ... Bad Data CRC
ERROR: can't get kernel image!
---------------------------------------------------------
Welcome to the bootloader, adventurous adventurer.

We congratulate you on your perseverance and inventivity!

Would you like an easier way in?
Please visit quby.com/open-system for more information.

Game on! :)
---------------------------------------------------------

While I admire the sense of humour of the developers, accessing a toon with this boot loader version is a bit tougher (but not impossible ;-) ).

grtz,

marcelr
marcelr
Advanced Member
Advanced Member
 
Posts: 824
Joined: May 2012
Location: Ehv

Re: Rooting Toon

Postby hayman » Sun Sep 18, 2016 12:28 pm

hello ,thanks to you i have a rooted TOON ,
can you tell me how to update it and keep it rooted ...?
thanks
hayman
Starting Member
Starting Member
 
Posts: 24
Joined: February 2016

hack-wedstrijd: Game of Toons

Postby Templar » Sun Sep 18, 2016 2:27 pm

For those who are interested, there will be a Toon hackathon on October 11th in Rotterdam:

So you think you can hack Toon?
Toon, de slimme thermostaat, wordt gebruikt in 300.000 huishoudens. Logisch dat Eneco let op de veiligheid en die ook regelmatig test. Maar, zoals bij elk slim apparaat, kunnen er altijd nog onverwachte kwetsbaarheden zijn.
Tek Tok heeft daarom Eneco uitgedaagd voor een hack-wedstrijd: Game of Toons. Denk jij dat jij de Toon kunt kraken? Laat het zien op 11 oktober in Worm, Rotterdam.


http://tektok.nl/got
Templar
Member
Member
 
Posts: 84
Joined: March 2011
Location: Netherlands

Re: Rooting Toon

Postby marcelr » Sun Sep 18, 2016 3:01 pm

@Templar: sounds like fun, although I can't make it, I'm afraid. Other stuff to do.

Maybe we should publish a list of all installed software packages together with version numbers, devices and internally used service ports, as a service for those who will attend :mrgreen:, so participants can do a bit of homework for finding exploits. Or does that count as cheating :D ?
Anyway, for those who will attend, have fun.

@hayman: Once it's rooted, it's rooted. New updates will shutdown ssh access, but IIRC, cygnusx posted a remedy for that. You will need to apply that remedy BEFORE you install updates, if you want to continue having access to your toon. Updates are pushed to your toon by Eneco, if you have a subscription. If not, there's not a lot to update.
marcelr
Advanced Member
Advanced Member
 
Posts: 824
Joined: May 2012
Location: Ehv

Re: Rooting Toon

Postby blasty » Sun Sep 25, 2016 1:11 pm

Hi,

Can anyone send me a recent firmware image (or extracted root filesystem) for the Eneco TOON?

Kind Regards,
blasty

edit: Actually, nevermind. Just hooked up the UART on mine and got an U-boot shell. I can figure things out from here. ;-)
blasty
Starting Member
Starting Member
 
Posts: 1
Joined: July 2016

Re: Rooting Toon

Postby Templar » Thu Sep 29, 2016 11:22 pm

marcelr wrote:I recently got my hands on a newer toon, with boot loader version 2010.9-R10.
It was built a few weeks after Ierlandfan published the rooting method for toon, and most probably can be found on any toon with serial numbers starting with 16 (production year 2016).

The guys at Quby haven't been idle in making access to toon harder. This version has a properly hashed boot loader password (SHA256), and when you try to access it through the screwdriver method, it no longer drops you to a shell, instead you get this:

Code: Select all
   Verifying Checksum ... Bad Data CRC
ERROR: can't get kernel image!
---------------------------------------------------------
Welcome to the bootloader, adventurous adventurer.

We congratulate you on your perseverance and inventivity!

Would you like an easier way in?
Please visit quby.com/open-system for more information.

Game on! :)
---------------------------------------------------------

While I admire the sense of humour of the developers, accessing a toon with this boot loader version is a bit tougher (but not impossible ;-) ).

grtz,

marcelr


There may be another way:
http://quby.com/en/page/123
Templar
Member
Member
 
Posts: 84
Joined: March 2011
Location: Netherlands

Toon as a domotica controller?

Postby Manyakim » Sun Oct 02, 2016 5:20 pm

Hello, i have bought myself a Toon and started to root it but unfortunately, i have a recent firmware ( U-Boot 2010.09-R10 (Dec 14 2015 - 19:28:18) ) and i was not able to find a bootloader password for this.
I've tried to short the circuits of the Nand Chip, but in my Toon, also a new version of this chip is placed ( Samsung 507 ). So i was unable to get into the u-boot by this method.

So, is there a possible way for me to root Toon ?
Nand Chip 507.jpg
Nand Chip 507.jpg (63.73 KiB) Viewed 20469 times
Manyakim
Starting Member
Starting Member
 
Posts: 9
Joined: October 2016

Re: Rooting Toon

Postby marcelr » Sun Oct 02, 2016 5:58 pm

Moved your post to the right topic, and no, your Samsung chip is not very different from earlier versions. The type is: K9F1G08UDE.

Your u-boot version has a properly hashed password (and is unknown). So, the two ways to get in are: ask Quby (see earlier post by Templar). or: build a new u-Boot (from source) and flash it onto your toon with a JTAG programmer.
I have no experience with the first method, and the second is still (a bit) under development.

best,

marcelr
marcelr
Advanced Member
Advanced Member
 
Posts: 824
Joined: May 2012
Location: Ehv

Re: Rooting Toon

Postby Manyakim » Sun Oct 02, 2016 7:10 pm

Thank you for your swift responce.

I've mailed Quby and asked them to provide me "an easier way in".
Let's see if they responde.

Thank you all for your efforts in making this possible.

Best regards,
Manyakim
Manyakim
Starting Member
Starting Member
 
Posts: 9
Joined: October 2016

Re: Rooting Toon; accessing NAND with JTAG

Postby viking » Sun Oct 02, 2016 7:51 pm

I try to use JTAG for dumping the flash. I use a buspirate as JTAG with
openocd. This seems to work fine, as I can dump memory and even make
changes in RAM. If I 'halt' the processor just before the U-boot is asking
for a password, I can dump the U-boot memory from memory addresses 0xa100000
onwards.
Now if I perform a 'nand probe 0' command, the script gets stuck on the
reading and writing in the MX27 flash controller memory mapped registers
as 0xd80001xx addresses. It seems that at this stage in booting these
addresses are not accessable.

@marcelr: How did you succeeded in getting access to the flash? Could you post your
'toon.cfg' configuration script. At what stage do you execute the 'nand
probe 0' command. You write that only after a cycle halt, resume, halt,
that worked.

Unfortunately, my version is R10 (sha256 password on the U-boot). I have a corrupted root-fs (kernel panic). So, it seems that the only way forward is flashing a new U-boot. Hence, nand flash access is needed through JTAG.
viking
Starting Member
Starting Member
 
Posts: 1
Joined: October 2016

Re: Rooting Toon

Postby marcelr » Sun Oct 02, 2016 8:29 pm

Hmmm...

That's a tricky one. You could rebuild U-Boot from source (Quby U-Boot archive, although you will also need to configure it, that part is not given in the archive. I gave that a try, see script below).
Then, flash that boot loader onto toon, and it should work.

Other method: rip an older boot loader from an older toon, flash that onto your toon (together with its environment).

Here are the scripts (nothing fancy, I'm afraid):
JTAG configuration script: toon.cfg (used with openocd 0.8.0):
Code: Select all
#
# config file for Eneco toon thermostat.
#
# this device has a Freescale i.MX27 processor, 128MB NAND flash, and a
# non-standard  JTAG interface

# load default processor cfg:

source [find target/imx27.cfg]
imx27.cpu arm7_9 fast_memory_access enable
#imx27.cpu arm7_9 dbgrq enable
reset_config separate
reset_config trst_open_drain
jtag_ntrst_assert_width 50

$_TARGETNAME configure -event reset-init { toon_init }
# set up NAND flash:

nand device toon.nand  mxc imx27.cpu mx27 noecc biswap


proc toon_init { } {

#reset_config trst_and_srst srst_pulls_trst


        # reset the board correctly
   adapter_khz 500
   reset run
   reset halt   

}


and the shell script to build U-Boot (put inside top level dir of the U-boot tree, edit paths according to your needs):

Code: Select all
#! /bin/sh
# script for configuring toon u-boot
#
./mkconfig ed20 arm arm926ejs ed20 prodrive mx27

# set to wherever you unpacked the quby openembedded tree
OE_ROOT=/home/toon

# add toolchain for toon to the $PATH
PATH=$PATH:$OE_ROOT/oe/qb2/tmp/sysroots/x86_64-linux/usr/qb2/bin/
export PATH

CROSS_COMPILE=arm-hae-linux-gnueabi-
export CROSS_COMPILE

make


please report any progress, it would be interesting to know what works best.

marcelr
marcelr
Advanced Member
Advanced Member
 
Posts: 824
Joined: May 2012
Location: Ehv

Next

Return to Eneco Toon as Domotica controller

Who is online

Users browsing this forum: No registered users and 1 guest

cron