## page was renamed from Hacking Hue Bridge
 hacker:: [[turmio]]
 description:: I will try to get a shell on the PHILIPS hue bridge v 2.0. You can find my raw notes here.
 started::

 * https://www.reddit.com/r/Hue/comments/3x12y6/jailbreaking_the_v2_hub/
 * Get shell with HW hacking: https://forum.openwrt.org/viewtopic.php?id=66346
 * http://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/

= Getting root shell (HW hacking) =
Kudos to Colin O'Flynn and pepe2k for figuring out how to intercept the u-boot process and get access to the u-boot console. I followed their instructions and managed to pull it through. Check their instructions:
 * http://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/
 * https://forum.openwrt.org/viewtopic.php?id=66346

I did the following:
 * Soldered pins for the serial port
 * Used the trick provided by Colin O'Flynn
 * Changed bootdelay to 3
 * Changed the ''security'' environment variable to my own hash.
{{{
ath> setenv security '$5$wbgtEC1iF$ugIfQUoE7SNg4mplDI/7xdfLC7jXoMAkupeMsm10hY9'
ath> setenv bootdelay 3
ath> saveenv
ath> reset
}}}
 * After first boot and login:
{{{
Add your SSH public key to ''/etc/dropbear/authorized_keys''

# iptables -I input_lan_rule -p tcp --dport 22 --syn -j ACCEPT

or, if you want to make the change permanent, add the following to /etc/config/firewall:

config rule 'ssh'
        option name Allow-ssh
        option src lan
        option proto tcp
        option dest_port 22
        option target ACCEPT
        option family ipv4

After that you can use SSH
}}}

== WiFi / WLAN ==
 * There is a WLAN chip
 * There is a wireless configuration in /etc/config/wireless (wlan disabled)
{{{
...
# REMOVE THIS LINE TO ENABLE WIFI: option disabled 1
}}}
 * After removing it you have an active wlan0 device
 * However there is no antenna
 * There seems to be a jack for an antenna if you want to hack your own

== u-boot env ==
{{{
ath> printenv
# Standard configuration
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
# Factory IP config environment
# Factory programming helpers
board=bsb002
flasht=tftp 0x80060000 ${board}/${board}_uboot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
flash_uboot_env=tftp 0x80060000 ${board}/${board}_uboot_environment.bin&&erase 0x9f040000 +$filesize&&cp.b $fileaddr 0x9f040000 $filesize
flash_uboot_and_env=tftp 0x80060000 ${board}/${board}_uboot_and_environment.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
flash_art=tftp 0x80060000 ${board}/${board}_art.bin&&erase 0x9f070000 +$filesize&&cp.b $fileaddr 0x9f070000 $filesize
flash_kernel_0=tftp 0x80060000 ${board}/kernel.bin&&nand erase 0x0 0x400000&&nand write $fileaddr 0x0 $filesize
flash_root_0=tftp 0x80060000 ${board}/root.bin&&nand erase 0x400000 0x2800000&&nand write $fileaddr 0x400000 $filesize
flash_kernel_1=tftp 0x80060000 ${board}/kernel.bin&&nand erase 0x2C00000 0x400000&&nand write $fileaddr 0x2C00000 $filesize
flash_root_1=tftp 0x80060000 ${board}/root.bin&&nand erase 0x3000000 0x2800000&&nand write $fileaddr 0x3000000 $filesize
flash_overlay=tftp 0x80060000 ${board}/overlay.bin&&nand erase 0x5800000 0x2800000&&nand write $fileaddr 0x5800000 $filesize
flash_factory=run flash_uboot_and_env&&run flash_kernel_0&&run flash_root_0&&run flash_overlay
# Boot configuration - common
std_bootargs=board=BSB002 console=ttyS0,115200 ubi.mtd=overlay rootfs=/dev/mtdblock:rootfs rootfstype=squashfs noinitrd init=/sbin/init
# Boot configuration - slot 0
mtdparts0=spi0.0:256k(u-boot)ro,128k(u-boot-env),64k(reserved),64k(art);spi0.1:4m(kernel-0)ro,40m(root-0),4m(kernel-1),40m(root-1),-(overlay)
kernel_0_start=0x0
boot_from_slot_0=setenv bootargs ubi.mtd=5 ${std_bootargs} mtdparts=${mtdparts0}; nboot 0x81000000 0 ${kernel_0_start}
# Boot configuration - slot 1
mtdparts1=spi0.0:256k(u-boot)ro,128k(u-boot-env),64k(reserved),64k(art);spi0.1:4m(kernel-0),40m(root-0),4m(kernel-1)ro,40m(root-1),-(overlay)
kernel_1_start=0x2C00000
boot_from_slot_1=setenv bootargs ubi.mtd=7 ${std_bootargs} mtdparts=${mtdparts1}; nboot 0x81000000 0 ${kernel_1_start}
# Boot command
# Selected slot
ethact=e
eui64=001788fffe2179c6
set12nc=HueBridge2K15
ctn=HueBridge2K15
portal=9e345a8da10e5b5290beeed85edb00e
security=$5$BkwEJP3Tp/u8Q2Za$qQXbcKEibHVPel.8.GXb8ds46DG29yFyeFZa6JKF7o2
homekit=028-08-483
hwrevision production=1537
ipaddr=192.168.11.179
serverip=192.168.11.66
bootcmd=if test ${bootslot} -ne 1;then run boot_from_slot_0;else run boot_from_slot_1;fi
bootdelay=0
frcnt=4
bootslot=1
stdin=serial
stdout=serial
stderr=serial
bootargs=ubi.mtd=7 board=BSB002 console=ttyS0,115200 ubi.mtd=overlay rootfs=/dev/mtdblock:rootfs rootfstype=squashfs noinitrd init=/sbin/init mtdparts=spi0.0:256k(u-boot)ro,128k(u-boot-env),64k(reserved),64k(art);spi0.1:4m(kernel-0),40m(root-0),4m(kernel-1)ro,40m(root-1),-(overlay)

ath> printenv security
security=$5$BkwEJP3Tp/u8Q2Za$qQXbcKEibHVPel.8.GXb8ds46DG29yFyeFZa6JKF7o2
}}}

= Generic Info =
== Serial port ==
You can find the serial port/UART on the board (details later)

{{attachment:hue-bridge-serial.jpg}}

== Boot messages ==
{{{
[    0.000000] Movable start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 1
[    0.000000] Kernel command line: ubi.mtd=5 board=BSB002 console=ttyS0,115200 ubi.mtd=overlay rootfs=/dev/mtdblock:rootfs rootfstype=squashfs noinitrd init=/sbin/init mtdparts=spi0.0:256k(u-boot)ro,128k(u-boot-env),64k(reserved),64k(art);spi0.1:4m(kernel-0)ro,40m(root-0),4m(kernel-1),40m(root-1),-(overlay) mem=ootfstype=squashfs,jffs2 noinitrd
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 60756K/65536K available (2712K kernel code, 126K rwdata, 576K rodata, 160K init, 185K bss, 4780K reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51
[    0.000000] Clocks: CPU:650.000MHz, DDR:597.583MHz, AHB:216.666MHz, Ref:25.000MHz
[    0.000000] Calibrating delay loop... 432.53 BogoMIPS (lpj=2162688)
}}}
 * In detail: [[/BootMessage]]
 * Bootlog with full debug (enabled by hitting "4" and enter): [[/BootMessageWithFullDebug]]
 * Update with full debug: [[/UpdateWithFullDebug]]

== Login ==
I pressed "f" and enter.
{{{
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
- failsafe -
------------------------------------------------------
Cannot enter failsafe mode: Disabled on this system !!
------------------------------------------------------

Please press Enter to activate this console.

(none) login: f
Password:
}}}
 * Accounts are still missing

= Firmware =
 * Seems to be encrypted
 * http://fds.cpp.philips.com/firmware/BSB002/1030262/BSB002_01030262.product.RSA_prod_02.fw2
 * http://www.isysop.com/unpacking-and-repacking-u-boot-uimage-files/

== Firmware Head ==
{{{
0000000: 4253 4230 3032 0002 004e fcc9 6272 6964  BSB002...N..brid
0000010: 6765 0000 0000 0000 0000 0000 0000 0000  ge..............
0000020: 0000 004e fab0 0103 0000 0000 3031 3033  ...N........0103
0000030: 3032 3632 0000 0000 0000 0000 4bb1 3918  0262........K.9.
0000040: a7ac d534 6aab 63fc cb81 3643 1f9b 53bd  ...4j.c...6C..S.
0000050: d9b5 a76d f5bf 82dc 8265 eebc 75d8 5e42  ...m.....e..u.^B
0000060: dbc1 f384 c368 24c3 1988 f97e 9ab3 34c7  .....h$....~..4.
}}}

== Public key from the end of firmware file ==
{{{
openssl rsa -pubin -text -in a
Public-Key: (2048 bit)
Modulus:
    00:a1:ba:a2:33:57:01:4a:be:ba:87:db:5a:c9:c4:
    4d:a4:2e:e1:2b:31:48:53:26:2d:4a:2b:65:19:ce:
    94:01:2e:0e:81:ff:d9:39:c0:e1:17:09:2d:d1:fc:
    e7:89:11:3c:44:48:c4:19:72:be:b5:a2:72:72:1c:
    f8:80:e4:f7:05:3d:0e:b0:8f:6d:5a:62:f4:6c:6c:
    e3:bf:b7:45:37:64:e5:14:c7:e5:87:55:1a:55:f8:
    53:af:3f:b2:11:47:38:56:7a:2d:4b:30:e9:b6:bf:
    23:d9:33:3c:08:71:bc:98:ae:3d:0b:92:d8:c4:9f:
    d9:42:1d:5d:5e:97:e6:88:74:1b:f9:14:0e:88:af:
    fc:83:d4:21:01:c4:86:fd:a3:55:bd:e5:fd:a2:69:
    76:d1:c0:e0:2d:0a:f0:e8:20:b9:10:ef:62:33:04:
    03:e5:43:13:d1:df:46:6e:eb:df:3c:c4:a2:cb:9c:
    48:32:13:1c:85:2e:d9:5c:50:fa:56:99:3a:03:ad:
    7a:9b:96:79:57:76:a1:cc:87:a6:9a:d3:04:26:70:
    0f:85:b9:2b:48:67:17:bd:b9:3b:e0:c8:10:dc:2b:
    83:d8:58:0b:7c:e8:e3:28:a7:c4:e2:17:96:62:7e:
    15:0f:ec:cc:8c:6e:ed:40:23:38:dd:a9:5b:a7:31:
    7b:15
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAobqiM1cBSr66h9taycRN
pC7hKzFIUyYtSitlGc6UAS4Ogf/ZOcDhFwkt0fzniRE8REjEGXK+taJychz4gOT3
BT0OsI9tWmL0bGzjv7dFN2TlFMflh1UaVfhTrz+yEUc4VnotSzDptr8j2TM8CHG8
mK49C5LYxJ/ZQh1dXpfmiHQb+RQOiK/8g9QhAcSG/aNVveX9oml20cDgLQrw6CC5
EO9iMwQD5UMT0d9GbuvfPMSiy5xIMhMchS7ZXFD6Vpk6A616m5Z5V3ahzIemmtME
JnAPhbkrSGcXvbk74MgQ3CuD2FgLfOjjKKfE4heWYn4VD+zMjG7tQCM43albpzF7
FQIDAQAB
-----END PUBLIC KEY-----
}}}

== Attachments ==

== WEB-server ==
{{{
$ curl -v '10.0.2.58/description.xml'
*   Trying 10.0.2.58...
* Connected to 10.0.2.58 (10.0.2.58) port 80 (#0)
> GET /description.xml HTTP/1.1
> Host: 10.0.2.58
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-type: text/xml
< Connection: Keep-Alive
* no chunk, no close, no size. Assume close to signal end
<
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <URLBase>http://10.0.2.58:80/</URLBase>
  <device>
    <deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
    <friendlyName>Philips hue (10.0.2.58)</friendlyName>
    <manufacturer>Royal Philips Electronics</manufacturer>
    <manufacturerURL>http://www.philips.com</manufacturerURL>
    <modelDescription>Philips hue Personal Wireless Lighting</modelDescription>
    <modelName>Philips hue bridge 2015</modelName>
    <modelNumber>BSB002</modelNumber>
    <modelURL>http://www.meethue.com</modelURL>
    <serialNumber>001788xxxxx</serialNumber>
    <UDN>uuid:2f402f80-da50-11e1-9b23-001788xxxxx</UDN>
    <presentationURL>index.html</presentationURL>
    <iconList>
      <icon>
        <mimetype>image/png</mimetype>
        <height>48</height>
        <width>48</width>
        <depth>24</depth>
        <url>hue_logo_0.png</url>
      </icon>
      <icon>
        <mimetype>image/png</mimetype>
        <height>120</height>
        <width>120</width>
        <depth>24</depth>
        <url>hue_logo_3.png</url>
      </icon>
    </iconList>
  </device>
</root>
}}}
 * Landing page (2015-12-30): [[attachment:hue-personal-wireless-lighting.pdf]]

== HW ==
 * CPU: qca4531-bl3a
 * Memory: https://www.winbond.com/resource-files/da00-w9751g6kbg1.pdf
 * USB to Serial Bridge Controller: http://prolificusa.com/files/DS_PL2303SA_d20120504.pdf
----
CategoryProjekti
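The `mtdparts=` strings in the u-boot env section above define the flash layout that the `flash_*` helpers, `kernel_*_start` and the `ubi.mtd=5` / `ubi.mtd=7` root selection all hard-code by address. This added example (my own code, not part of the original notes) parses those strings into absolute offsets and Linux `mtdN` numbers and checks that the hard-coded addresses agree with them, which is the kind of consistency check you want before trusting or reflashing a slot; the helper names are this example's own, the data is copied from the dump.

```python
import re

# Copied from the printenv dump above: slot-0 and slot-1 partition maps.
MTDPARTS0 = ("spi0.0:256k(u-boot)ro,128k(u-boot-env),64k(reserved),64k(art);"
             "spi0.1:4m(kernel-0)ro,40m(root-0),4m(kernel-1),40m(root-1),-(overlay)")
MTDPARTS1 = ("spi0.0:256k(u-boot)ro,128k(u-boot-env),64k(reserved),64k(art);"
             "spi0.1:4m(kernel-0),40m(root-0),4m(kernel-1)ro,40m(root-1),-(overlay)")
# Addresses the flash_* helpers and kernel_*_start use; the SPI NOR erase
# addresses are made relative to the 0x9f000000 flash base they are quoted against.
ENV_OFFSETS = {"u-boot-env": 0x9f040000 - 0x9f000000, "art": 0x9f070000 - 0x9f000000,
               "kernel-0": 0x0, "root-0": 0x400000, "kernel-1": 0x2C00000,
               "root-1": 0x3000000, "overlay": 0x5800000}
UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
PART_RE = re.compile(r"(-|\d+[kmg]?)\((.+?)\)(ro)?")

def parse_mtdparts(spec):
    """Return [(device, name, offset, size, readonly)] in mtd numbering order.
    size is None for the '-' entry, which takes the rest of its device."""
    parts = []
    for devspec in spec.split(";"):
        dev, _, plist = devspec.partition(":")
        offset = 0
        for entry in plist.split(","):
            m = PART_RE.fullmatch(entry)
            if not m:
                raise ValueError(f"bad mtdparts entry {entry!r}")
            size_s, name, ro = m.groups()
            size = None
            if size_s != "-":
                num, unit = re.fullmatch(r"(\d+)([kmg]?)", size_s).groups()
                size = int(num) * UNITS[unit]
            parts.append((dev, name, offset, size, ro is not None))
            offset += size or 0
    return parts

def part(parts, name):
    """Look up one partition by name; Linux numbers mtdN across all devices."""
    idx, p = next((i, p) for i, p in enumerate(parts) if p[1] == name)
    return {"mtd": idx, "offset": p[2], "size": p[3], "ro": p[4]}

def check_layout(spec, expected=ENV_OFFSETS):
    """Names whose computed offset disagrees with the hard-coded addresses;
    an empty list means the env's flash_* helpers match its mtdparts."""
    parts = parse_mtdparts(spec)
    return [n for n, off in expected.items() if part(parts, n)["offset"] != off]

if __name__ == "__main__":
    for slot, spec in ((0, MTDPARTS0), (1, MTDPARTS1)):
        parts = parse_mtdparts(spec)
        print(f"slot {slot}: mismatches={check_layout(spec)}")
        for i, (dev, name, off, size, ro) in enumerate(parts):
            print(f"  mtd{i} {dev}:{name:<10} @0x{off:07x} "
                  f"{'rest' if size is None else hex(size):>9} {'ro' if ro else 'rw'}")
```

Note that each slot's map marks only its own kernel partition `ro`, so the kernel the bridge is booting from is protected against writes while the other slot stays writable for updates.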