- hacker
- description
- I will try to get shell from the PHILIPS hue bridge v 2.0. You can find my raw notes from here
- started
2015-12-29
https://www.reddit.com/r/Hue/comments/3x12y6/jailbreaking_the_v2_hub/
Get shell with HW hacking: https://forum.openwrt.org/viewtopic.php?id=66346
http://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/
Contents
Getting root shell (HW hacking)
Gudos for Colin O’Flynn and pepe2k for figuring out how to intercept the u-boot process and get access to u-boot console. I followed their instructions and managed to pull it through.
Check their instructions:
I did the following:
- Soldered pins for serial port
- Used the trick provided by Colin o Flynn
- Changed bootdelay to 3
Changed the security environmental to my own hash.
ath> setenv security '$5$wbgtEC1iF$ugIfQUoE7SNg4mplDI/7xdfLC7jXoMAkupeMsm10hY9' ath> setenv bootdelay 3 ath> savenev ath> reset
- After first boot and login:
Add your SSH public key to ''/etc/droppear/authorized_keys''
# iptables -I input_lan_rule -p tcp --dport 22 --syn -j ACCEPT
or if you want to do permanent change add folowing to: /etc/config/firewall
config rule 'ssh'
option name Allow-ssh
option src lan
option proto tcp
option dest_port 22
option target ACCEPT
option family ipv4
After that you can use SSH
WiFi / WLAN
- There is WLAN chip
- There is Wireless configuration in /etc/config/wireless (wlan disabled)
... # REMOVE THIS LINE TO ENABLE WIFI: option disabled 1
- After removing you have active wlan0 -device
- However there is no antenna
- There seems to be jack for antenna if you want to hack your own
u-boot env
ath> printenv
# Standard configuration
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
# Factory IP config environment
# Factory programming helpers
board=bsb002
flasht=tftp 0x80060000 ${board}/${board}_uboot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr
0x9f000000 $ize
flash_uboot_env=tftp 0x80060000 ${board}/${board}_uboot_environment.bin&&erase 0x9f040000 +$fil
esip.b $fileaddr 0x9f040000 $filesize
flash_uboot_and_env=tftp 0x80060000 ${board}/${board}_uboot_and_enment.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
flash_art=tftp 0x80060000 $d}/${board}_art.bin&&erase 0x9f070000 +$filesize&&cp.b $fileaddr 0x9f070000 $filesize
flash_kernel_0=t0x80060000 ${board}/kernel.bin&&nand erase 0x0 0x400000&&nand write $fileaddr 0x0 esize
flash_root_0=tftp 0x80060000 ${board}/root.bin&&nand erase 0x400000 0x28000and write $fileaddr 0x400000 $filesize
flash_kernel_1=tftp 0x80060000 ${board}/kernel.bin&&nand erase 0000 0x400000&&nand write $fileaddr 0x2C00000 $filesize
flash_root_1=tftp 0x80060000 ${board}/root.binnd erase 0x3000000 0x2800000&&nand write $fileaddr 0x3000000 $filesize
flash_overftp 0x80060000 ${board}/overlay.bin&&nand erase 0x5800000 0x2800000&&nand write $fileaddr 0x5800000 $fize
flash_factory=run flash_uboot_and_env&&run flash_kernel_0&&run flash_root_0&&rash_overlay
# Boot configuration - common
std_bootargs=board=BSB002 console=ttyS0,115200 ubi.mtd=overootfs=/dev/mtdblock:rootfs rootfstype=squashfs noinitrd init=/sbin/init
# Boot configuration - slot 0parts0=spi0.0:256k(u-boot)ro,128k(u-boot-env),64k(reserved),64k(art);spi0.1:4m(kernel-0)ro,40m(root-0),rnel-1),40m(root-1),-(overlay)
kernel_0_start=0x0
boot_from_slot_0=setenv bootargs ubi.mtd=5 ${std_bgs} mtdparts=${mtdparts0}; nboot 0x81000000 0 ${kernel_0_start}
# Boot configuration - slot 1
mtdparti0.0:256k(u-boot)ro,128k(u-boot-env),64k(reserved),64k(art);spi0.1:4m(kernel-0),40m(root-0),4m(kernel-10m(root-1),-(overlay)
kernel_1_start=0x2C00000
boot_from_slot_1=setenv bootargs ubi.mtd=7 ${std_bootamtdparts=${mtdparts1}; nboot 0x81000000 0 ${kernel_1_start}
# Boot command
# Selected slot
ethact=eeui64=001788fffe2179c6
set12nc=HueBridge2K15
ctn=HueBridge2K15
portal=9e345a8da10e5b5290beeed85edb00ecurity=$5$BkwEJP3Tp/u8Q2Za$qQXbcKEibHVPel.8.GXb8ds46DG29yFyeFZa6JKF7o2
homekit=028-08-483
hwrevision
production=1537
ipaddr=192.168.11.179
serverip=192.168.11.66
bootcmd=if test ${bootslot} -ne 1;the boot_from_slot_0;else run boot_from_slot_1;fi
bootdelay=0
frcnt=4
bootslot=1
stdin=serial
stdoutal
stderr=serial
bootargs=ubi.mtd=7 board=BSB002 console=ttyS0,115200 ubi.mtd=overlay rootfs=/dev/mtd:rootfs rootfstype=squashfs noinitrd init=/sbin/init mtdparts=spi0.0:256k(u-boot)ro,128k(u-boot-env),6served),64k(art);spi0.1:4m(kernel-0),40m(root-0),4m(kernel-1)ro,40m(root-1),-(overlay)
ath> printenv security
security=$5$BkwEJP3Tp/u8Q2Za$qQXbcKEibHVPel.8.GXb8ds46DG29yFyeFZa6JKF7o2
Geric Info
Serial port
You can find serial port/UART from the board (Details later)
Boot messages
[ 0.000000] Movable start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000x03ffffff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 1
[ 0.000000] Kernel command line: ubi.mtd=5 board=BSB002 console=ttyS0,115200 ubi.mtd=overlay rootev/mtdblock:rootfs rootfstype=squashfs noinitrd init=/sbin/init mtdparts=s
pi0.0:256k(u-boot)ro,128k(u-env),64k(reserved),64k(art);spi0.1:4m(kernel-0)ro,40m(root-0),4m(kernel-1),40m(root-1),-(overlay) mem=ootfstype=squashfs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 819der: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=0000
[ 0.000000] Memory: 60756K/65536K available (2712K kernel code, 126K rwdata, 576K rodata, 160K init, 185K bss, 4780K reserved)
[ 0.000000] SLUB: HWalign=32, Order=0inObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Clocks: CPU:650.000MHz, DDR:597.583MHz, AHB:216.666MHz, Ref:25.000MHz
[.000000] Calibrating delay loop... 432.53 BogoMIPS (lpj=2162688)In details: /BootMessage
Bootlog with full debug (enabled with hitting "4" and <enter>: /BootMessageWithFullDebug
Update with full debug: /UpdateWithFullDebug
Login
I did press "f" and enter.
Press the [f] key and hit [enter] to enter failsafe mode Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level - failsafe - ------------------------------------------------------ Cannot enter failsafe mode: Disabled on this system !! ------------------------------------------------------ Please press Enter to activate this console. (none) login: f Password:
- Accounts are still missing
Firmware
- Seems to be encrypted
Firmware Head
0000000: 4253 4230 3032 0002 004e fcc9 6272 6964 BSB002...N..brid 0000010: 6765 0000 0000 0000 0000 0000 0000 0000 ge.............. 0000020: 0000 004e fab0 0103 0000 0000 3031 3033 ...N........0103 0000030: 3032 3632 0000 0000 0000 0000 4bb1 3918 0262........K.9. 0000040: a7ac d534 6aab 63fc cb81 3643 1f9b 53bd ...4j.c...6C..S. 0000050: d9b5 a76d f5bf 82dc 8265 eebc 75d8 5e42 ...m.....e..u.^B 0000060: dbc1 f384 c368 24c3 1988 f97e 9ab3 34c7 .....h$....~..4.
Public key from the end of firmware file
openssl rsa -pubin -text -in a
Public-Key: (2048 bit)
Modulus:
00:a1:ba:a2:33:57:01:4a:be:ba:87:db:5a:c9:c4:
4d:a4:2e:e1:2b:31:48:53:26:2d:4a:2b:65:19:ce:
94:01:2e:0e:81:ff:d9:39:c0:e1:17:09:2d:d1:fc:
e7:89:11:3c:44:48:c4:19:72:be:b5:a2:72:72:1c:
f8:80:e4:f7:05:3d:0e:b0:8f:6d:5a:62:f4:6c:6c:
e3:bf:b7:45:37:64:e5:14:c7:e5:87:55:1a:55:f8:
53:af:3f:b2:11:47:38:56:7a:2d:4b:30:e9:b6:bf:
23:d9:33:3c:08:71:bc:98:ae:3d:0b:92:d8:c4:9f:
d9:42:1d:5d:5e:97:e6:88:74:1b:f9:14:0e:88:af:
fc:83:d4:21:01:c4:86:fd:a3:55:bd:e5:fd:a2:69:
76:d1:c0:e0:2d:0a:f0:e8:20:b9:10:ef:62:33:04:
03:e5:43:13:d1:df:46:6e:eb:df:3c:c4:a2:cb:9c:
48:32:13:1c:85:2e:d9:5c:50:fa:56:99:3a:03:ad:
7a:9b:96:79:57:76:a1:cc:87:a6:9a:d3:04:26:70:
0f:85:b9:2b:48:67:17:bd:b9:3b:e0:c8:10:dc:2b:
83:d8:58:0b:7c:e8:e3:28:a7:c4:e2:17:96:62:7e:
15:0f:ec:cc:8c:6e:ed:40:23:38:dd:a9:5b:a7:31:
7b:15
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAobqiM1cBSr66h9taycRN
pC7hKzFIUyYtSitlGc6UAS4Ogf/ZOcDhFwkt0fzniRE8REjEGXK+taJychz4gOT3
BT0OsI9tWmL0bGzjv7dFN2TlFMflh1UaVfhTrz+yEUc4VnotSzDptr8j2TM8CHG8
mK49C5LYxJ/ZQh1dXpfmiHQb+RQOiK/8g9QhAcSG/aNVveX9oml20cDgLQrw6CC5
EO9iMwQD5UMT0d9GbuvfPMSiy5xIMhMchS7ZXFD6Vpk6A616m5Z5V3ahzIemmtME
JnAPhbkrSGcXvbk74MgQ3CuD2FgLfOjjKKfE4heWYn4VD+zMjG7tQCM43albpzF7
FQIDAQAB
-----END PUBLIC KEY-----
Attachments
Normal Sort Sort + uniq Sort + uniq + count
WEB-server
$ curl -v '10.0.2.58/description.xml' * Trying 10.0.2.58... * Connected to 10.0.2.58 (10.0.2.58) port 80 (#0) > GET /description.xml HTTP/1.1 > Host: 10.0.2.58 > User-Agent: curl/7.43.0 > Accept: */* > < HTTP/1.1 200 OK < Content-type: text/xml < Connection: Keep-Alive * no chunk, no close, no size. Assume close to signal end < <?xml version="1.0" encoding="UTF-8" ?> <root xmlns="urn:schemas-upnp-org:device-1-0"> <specVersion> <major>1</major> <minor>0</minor> </specVersion> <URLBase>http://10.0.2.58:80/</URLBase> <device> <deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType> <friendlyName>Philips hue (10.0.2.58)</friendlyName> <manufacturer>Royal Philips Electronics</manufacturer> <manufacturerURL>http://www.philips.com</manufacturerURL> <modelDescription>Philips hue Personal Wireless Lighting</modelDescription> <modelName>Philips hue bridge 2015</modelName> <modelNumber>BSB002</modelNumber> <modelURL>http://www.meethue.com</modelURL> <serialNumber>001788xxxxx</serialNumber> <UDN>uuid:2f402f80-da50-11e1-9b23-001788xxxxx</UDN> <presentationURL>index.html</presentationURL> <iconList> <icon> <mimetype>image/png</mimetype> <height>48</height> <width>48</width> <depth>24</depth> <url>hue_logo_0.png</url> </icon> <icon> <mimetype>image/png</mimetype> <height>120</height> <width>120</width> <depth>24</depth> <url>hue_logo_3.png</url> </icon> </iconList> </device> </root>
Landing page (2015-12-30): hue-personal-wireless-lighting.pdf
HW
- CPU: qca4531-bl3a
Memory: https://www.winbond.com/resource-files/da00-w9751g6kbg1.pdf
USB to Serial Bridge Conroller: http://prolificusa.com/files/DS_PL2303SA_d20120504.pdf