-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathREADME
183 lines (144 loc) · 8.46 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
* NOTES:
YOU CAN BRICK YOUR STUFF VERY EASILY, PLAY CAREFUL.
Extracted rootfs + kernel is included in the rootfs.tar.bz2.
if you want to modifiy it, be sure you have experience with uboot/uboot scripts, otherwise, its easy to brick and a pain to recover, or if you're like me and bricked
it in the first 5 minutes of owning it, these files can help you recover it!
* TODO:
Write this how to better, format it so its readable.
* DONE:
*Firmware unpacking and repacking instructions added at the end of this README file explaining it, firmware images and modified firmware image added to the firmware_mods folder.
* HOW TO DOWNGRADE:
Put the download folder and update.php files in a folder called "roxy", then use https.py to with a self signed .pem certificate (generate it with openssl or grab the .pem certs in the rootfs archive.)
then redirect update.greenwavereality.com and update.greenwavereality.eu via spoofing on a local dns server and firewall rules to block both hosts once updated, as if it
can contact the update serves again it will update its self, I just blocked all outgoing traffic from my lighting controller to the web.
after executing python https.py hold the sync button as the bridge boots up for about 10 seconds once it starts to blink and flash red on the sync button you should see this:
ERROR:root:Host: update.greenwavereality.com
Accept: */*
Content-Length: 99
Content-Type: application/x-www-form-urlencoded
ERROR:root:MiniFieldStorage('mac', 'D4:A9:28:02:07:54')
ERROR:root:MiniFieldStorage('secret', '14bd2088419a828ec0d8f336a7939fa1')
ERROR:root:MiniFieldStorage('project', 'Apollo3')
ERROR:root:MiniFieldStorage('current_version', '0.0.0')
10.1.1.45 - - [26/Apr/2016 11:59:49] "POST /roxy/update.php HTTP/1.1" 200 -
ERROR:root:Host: update.greenwavereality.com
Accept: */*
Content-Length: 110
Content-Type: application/x-www-form-urlencoded
10.1.1.45 - - [26/Apr/2016 11:59:49] "GET /roxy/download/1349139456/rootfs.bin HTTP/1.1" 200 -
then it will hopefully download the "updated" rootfs from your spoofed update server, downgrading it to the last version that had ssh enabled,
root/thinkgreen. this works on all firmware versions even the ones with uboot input disabled :).
as I only have 1 unit to test it on, I've only tested downgrading my specific unit, so I'm not sure what other variables may be involved, but either way this will reply statically with a correct checksum and file URL.
* FIRMWARE MODIFICATIONS:
Unpacking and Rebuilding the u-boot firmware Image:
Here's my notes on making modifications to the firmware, you will need uboot-tools and mksquashfs 4.0.
There is a modified firmware image posted here, if you arent familure with bricking everything you own, then dont attempt to flash it!
* Commands for unpacking:
mkimage -l tcpfirm.bin
(get the sizes, binwalk works as well, calculate uboot headers and cut them off plus image markers)
and we get the following values:
dd if=tcpfirm.bin of=image0_kernel bs=1 skip=80 count=1669122
dd if=tcpfirm.bin of=image1_sqfs bs=1 skip=1669204 count=10641408
dd if=tcpfirm.bin of=image2_dtv bs=1 skip=12310612 count=7782
[dev@notworking tcpmod]$ binwalk image0_kernel
DECIMAL HEXADECIMAL DESCRIPTION
\* -------------------------------------------------------------------------------- \*
0 0x0 gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
[dev@notworking tcpmod]$ binwalk image1_sqfs
DECIMAL HEXADECIMAL DESCRIPTION
\* -------------------------------------------------------------------------------- \*
0 0x0 Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 10639101 bytes, 1456 inodes, blocksize: 131072 bytes, created: 2013-12-03 09:50:58
[dev@notworking tcpmod]$ binwalk image2_dtv
DECIMAL HEXADECIMAL DESCRIPTION
\* -------------------------------------------------------------------------------- \*
0 0x0 device tree image (dtb)
[dev@notworking tcpmod]$ sudo unsquashfs image1_sqfs
Parallel unsquashfs: Using 4 processors
1363 inodes (1494 blocks) to write
[============================================================================================================================================================================================================|] 1494/1494 100%
created 1147 files
created 93 directories
created 213 symlinks
created 3 devices
created 0 fifos
edited /etc/dhcpcd.exit-hook
and added
if $if_up
then
route del default
fi
edited /etc/init.d/rcS and added at the very bottom:
if test -f /media/config/opt_startup.sh
then
echo -en "running user defined startup script from jffs2"
/media/config/opt_startup.sh
fi
deleting the default route was a fast way for me to get rid of the update issue kinda, theres other ways by patching the uboot
nvram and such, but this was easy and I dont ever plan to allow the device to talk out of my network so it works for me. i also edited /etc/services.lo and /etc/services.net to re-enable ssh.
this will allow you to write a custom script thats launched upon boot runing whatever youd like from the jffs2 partition.
and now to put it back together, first making the squashfs image then putting kernel and device tree into a uboot firmware image.
[dev@notworking tcpmod]$ sudo mksquashfs squashfs-root image1_mod.sqfs -comp gzip -b 131072 -all-root
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on image1_mod.sqfs, block size 131072.
[=======================================================================================================================================================================================================================================|] 1278/1278 100%
Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
compressed data, compressed metadata, compressed fragments, compressed xattrs
duplicates are removed
Filesystem size 10388.38 Kbytes (10.14 Mbytes)
41.16% of uncompressed filesystem size (25239.13 Kbytes)
Inode table size 12703 bytes (12.41 Kbytes)
26.11% of uncompressed inode table size (48655 bytes)
Directory table size 14638 bytes (14.29 Kbytes)
51.41% of uncompressed directory table size (28471 bytes)
Number of duplicate files found 181
Number of inodes 1456
Number of files 1147
Number of fragments 55
Number of symbolic links 213
Number of device nodes 3
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 93
Number of ids (unique uids + gids) 1
Number of uids 1
root (0)
Number of gids 1
root (0)
now we pack it back into a uboot firmware file.
[dev@notworking tcpmod]$ mkimage -A ppc -O Linux -T multi -C gzip -n 'Firmware Image' -d image0_kernel:image1_mod.sqfs:image2_dtv tcpmod_firmware.img
Image Name: Firmware Image
Created: Wed Aug 10 21:59:35 2016
Image Type: PowerPC Linux Multi-File Image (gzip compressed)
Data Size: 12318330 Bytes = 12029.62 kB = 11.75 MB
Load Address: 00000000
Entry Point: 00000000
Contents:
Image 0: 1669122 Bytes = 1630.00 kB = 1.59 MB
Image 1: 10641408 Bytes = 10392.00 kB = 10.15 MB
Image 2: 7782 Bytes = 7.60 kB = 0.01 MB
comparing that with the original image, we see:
[dev@notworking tcpmod]$ mkimage -l tcpfirm.bin
Image Name: Firmware Image
Created: Tue Dec 3 04:50:58 2013
Image Type: PowerPC Linux Multi-File Image (gzip compressed)
Data Size: 12318330 Bytes = 12029.62 kB = 11.75 MB
Load Address: 00000000
Entry Point: 00000000
Contents:
Image 0: 1669122 Bytes = 1630.00 kB = 1.59 MB
Image 1: 10641408 Bytes = 10392.00 kB = 10.15 MB
Image 2: 7782 Bytes = 7.60 kB = 0.01 MB
to finish it off follow the downgrade instructions, but change out the md5sum on roxy.php to match your new firmware image and replace the rootfs.bin firmware image there with yours.
I have included my updated patched firmware (its a later version than the one i posted for downgrading, but has ssh renabled and the custom scripts mentioned above so enabling the webserver is of no issue.), see the firmware_mod folder.
~ # cat /etc/version
3.0.39
~ # uname -a
Linux lighting 3.5.3 #1 PREEMPT Tue Dec 3 10:44:29 CET 2013 ppc GNU/Linux
~ #
* md5sums:
4c448f9d9a2d8584ab5c0d4c6874af1e tcpfirm.bin // original uboot image
b32f5c3b6528db3c3eb75a3604532a12 tcpmod_firmware.img // modified uboot image
7896e1540e90f463551873ed8ea4b169 image0_kernel //original
203ec94023900fb5409d943b92eaef28 image1_sqfs //original
0810ed603e4a9150c4f2c1c3227e1605 image1_mod.sqfs // modified squashfs image
b2dd54d84bada53c7eeb945bbfb98322 image2_dtv //original