FORUMS
Remove All Ads from XDA

Wink Hub root

45 posts
Thanks Meter: 29
 
By FreeFly, Member on 10th December 2014, 09:47 PM
Post Reply Email Thread
12th December 2014, 03:00 AM |#21  
Junior Member
Thanks Meter: 0
 
More
Quote:
Originally Posted by electronichamsters

I ran a MD5sum on the copy of app-rootfs.ubi that I downloaded from the the amazon aws link sometime on dec 10th. It is "eec07feee1fa1a4a06e05a00af18156f".

I have no idea if it's v0.33 or 0.47. If someone else has a file they're sure is 0.33, can they run a MD5sum on it?



eec07feee1fa1a4a06e05a00af18156f is version 33

---------- Post added at 10:00 PM ---------- Previous post was at 09:51 PM ----------

Quote:
Originally Posted by qnology

Starting from a new in box Wink Hub, is there anything I need to do before hand to make sure I can SSH into the "upgrade mode" partition? It'a not clear if people are using a Serial Console connection to access the "upgrade mode" partition or if they are SSHing in. For SSH access, I would assume the authorized_keys file needs to be updated (so the upgrade mode partition would need to be mounted and updated). Just need some confirmation. Thank you

I have ran the following commands to my update partition to make sure I retain access:

Code:
ubiattach -p /dev/mtd2
mkdir /tmp/updater
mount -t ubifs ubi2:rootfs /tmp/updater
sed -i 's/=-sg/=/' /tmp/updater/etc/default/dropbear
rm -f /tmp/updater/etc/init.d/S99local
cp /var/www/set_dev_value.php /tmp/updater/var/www
fw_setenv bootdelay 5
sed -i 's/bootdelay       0/bootdelay       5/' /database_default/u-boot.env
echo "127.0.0.1       hub-api.winkapp.com"  >> /tmp/updater/etc/hosts
echo "127.0.0.1       hub-updates.winkapp.com" >> /tmp/updater/etc/hosts
echo "127.0.0.1       wink-hub-images.s3.amazonaws.com" >> /tmp/updater/etc/hosts
mkdir /tmp/updater/root/.ssh
cp /root/.ssh/authorized_keys /tmp/updater/root/.ssh/authorized_keys
cp /etc/shadow /tmp/updater/etc
sed -i 's/rm \/database\/wpa_supplicant.conf/echo WPA Fix #rm \/database\/wpa_supplicant.conf/' /tmp/updater/etc/init.d/S31platform
sed -i 's/#ttyAM0/ttyAM0/' /tmp/updater/etc/inittab
I use serial for access but ssh works just as well.
 
 
12th December 2014, 03:37 PM |#22  
Senior Member
Thanks Meter: 13
 
More
Quote:
Originally Posted by berserko

eec07feee1fa1a4a06e05a00af18156f is version 33

I have ran the following commands to my update partition to make sure I retain access:

Code:
...
fw_setenv bootdelay 5
...
I use serial for access but ssh works just as well.

For those using ssh instead of serial console, be careful about the bootdelay. I've read that not having a ttl-usb adapter connected to the JTAG headers might mess up the boot sequence. Some people reported a delay of 1 or 2 seconds is OK, any higher will mess it up.

So if you're using SSH only, might want to lower it to 1, or stay at 0. But that's risky too.
12th December 2014, 05:53 PM |#23  
Junior Member
Thanks Meter: 0
 
More
Quote:
Originally Posted by berserko

I have ran the following commands to my update partition to make sure I retain access:

Thanks for the clarification and additional details @berserko.

Quote:
Originally Posted by coachclass

For those using ssh instead of serial console, be careful about the bootdelay. I've read that not having a ttl-usb adapter connected to the JTAG headers might mess up the boot sequence. Some people reported a delay of 1 or 2 seconds is OK, any higher will mess it up.

So if you're using SSH only, might want to lower it to 1, or stay at 0. But that's risky too.

Thanks for the note @coachclass. I read the same thing and have been debating for SSH access only, if we should even mess with the bootdelay at all. But then again, setting it to 1 would allow us to use a serial connection as a backup method to get back into the Hub. I'm leaning toward a value of 1 currently.

---------- Post added at 05:53 PM ---------- Previous post was at 05:47 PM ----------

Quote:
Originally Posted by berserko


I have ran the following commands to my update partition to make sure I retain access:

Code:
ubiattach -p /dev/mtd2
...
sed -i 's/=-sg/=/' /tmp/updater/etc/default/dropbear
rm -f /tmp/updater/etc/init.d/S99local
...

A couple of questions regarding the commands:

1) What's in the S99local file and why the need to delete it?
2) I didn't find a "/tmp/updater/etc/default/dropbear" file. I'm wondering if dropbear automatically creates it the first time the "upgrade mode" partition is started. If so, we probably need to create the default/dropbear file versus sedding it.
12th December 2014, 08:26 PM |#24  
Junior Member
Thanks Meter: 0
 
More
Ok a couple of noticeable changes in 0.47 update.
I noticed that the startup script for SSH /etc/init.d/S50dropbear changed.
It does a check for /database/ENABLE_SSH before it will start dropbear. It also copies /database/authorized_keys to /root/.ssh if one exists.

If you are gonna update to 0.47 manually, here are the additionally step you need to enable SSH.

Enable SSH, Without this, SSH will not start, well unless you copy over the old S50dropbear file.
# touch /database/ENABLE_SSH
You can now keep your authorized_keys file in /database, as the dropbear startup script will check for the file and copy it to /root/.ssh
13th December 2014, 01:59 AM |#25  
Junior Member
Thanks Meter: 0
 
More
Quote:
Originally Posted by OuTTaRiCe

Ok a couple of noticeable changes in 0.47 update.
I noticed that the startup script for SSH /etc/init.d/S50dropbear changed.
It does a check for /database/ENABLE_SSH before it will start dropbear. It also copies /database/authorized_keys to /root/.ssh if one exists.

If you are gonna update to 0.47 manually, here are the additionally step you need to enable SSH.

Enable SSH, Without this, SSH will not start, well unless you copy over the old S50dropbear file.
# touch /database/ENABLE_SSH
You can now keep your authorized_keys file in /database, as the dropbear startup script will check for the file and copy it to /root/.ssh

Good catch...

I was also experimenting with the bootdelay and it appears any bootdelay might cause the device to hang on boot unless you keep the UART hooked up to the device.. In my opinion I wouldn't want to run without a uart long term unless you're blocking access to the Wink servers and not updating at all...
13th December 2014, 04:36 PM |#26  
Senior Member
Thanks Meter: 86
 
Donate to Me
More
Quote:
Originally Posted by berserko

Good catch...

I was also experimenting with the bootdelay and it appears any bootdelay might cause the device to hang on boot unless you keep the UART hooked up to the device.. In my opinion I wouldn't want to run without a uart long term unless you're blocking access to the Wink servers and not updating at all...


Yes, the inputs are found to float on the UART so the boot delay will always get tripped without something connected. Setting boot delay to 1 supposedly works for some people.
14th December 2014, 03:26 AM |#27  
Junior Member
Thanks Meter: 0
 
More
Can someone post the content of their S21platform file from the "upgrade mode" partition?

Code:
ubiattach -p /dev/mtd2
mkdir /tmp/updater
mount -t ubifs ubi2:rootfs /tmp/updater
cat /tmp/updater/etc/init.d/S31platform
My file doesn't look the same as the /etc/init.d/S31platform file and wanted to confirm. Thanks
14th December 2014, 04:34 AM |#28  
Junior Member
Thanks Meter: 0
 
More
That what happened to me, manually upgraded rooted Wink to 0.47.
Now I have SSH connection- Refused.
Wink has a blue light- connects itself to local network.
Android app can not connect Wink.
How to get back SSH ?
Anybody have a tutorial how use serial connection ?
Thanks in advance.


Quote:
Originally Posted by OuTTaRiCe

Ok a couple of noticeable changes in 0.47 update.
I noticed that the startup script for SSH /etc/init.d/S50dropbear changed.
It does a check for /database/ENABLE_SSH before it will start dropbear. It also copies /database/authorized_keys to /root/.ssh if one exists.

If you are gonna update to 0.47 manually, here are the additionally step you need to enable SSH.

Enable SSH, Without this, SSH will not start, well unless you copy over the old S50dropbear file.
# touch /database/ENABLE_SSH
You can now keep your authorized_keys file in /database, as the dropbear startup script will check for the file and copy it to /root/.ssh

14th December 2014, 12:49 PM |#29  
Junior Member
Thanks Meter: 0
 
More
Quote:
Originally Posted by nyuzva

That what happened to me, manually upgraded rooted Wink to 0.47.
Now I have SSH connection- Refused.
Wink has a blue light- connects itself to local network.
Android app can not connect Wink.
How to get back SSH ?
Anybody have a tutorial how use serial connection ?
Thanks in advance.

Did you uncomment the getty in inittab? If not serial won't help. If you did you need a usb uart and a 4 pin header (90 degree header work great you can reassemble the device and leave the UART hooked up... I got the uart similar to this https://www.sparkfun.com/products/9873 works great.
Did you keep any of the other exploits in tact? Might be another way in.
Did you copy set_dev_value.php back into place? If it's in place you could do something like this:

curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;touch /database/ENABLE_SSH;/etc/init.d/S50dropbear start;"

That would create the required file and start SSHD for you.

Post back with the upgrade procedure you did perhaps we can lend some more assistance.
14th December 2014, 03:38 PM |#30  
Junior Member
Thanks Meter: 0
 
More
Quote:
Originally Posted by qnology

Can someone post the content of their S21platform file from the "upgrade mode" partition?

Code:
ubiattach -p /dev/mtd2
mkdir /tmp/updater
mount -t ubifs ubi2:rootfs /tmp/updater
cat /tmp/updater/etc/init.d/S31platform
My file doesn't look the same as the /etc/init.d/S31platform file and wanted to confirm. Thanks

Correct, The S31platform file under the updater fs is different. For one, it does not contain the removal of wpa_supplicant.conf.

---------- Post added at 04:38 PM ---------- Previous post was at 04:28 PM ----------

Quote:
Originally Posted by berserko

Did you copy set_dev_value.php back into place? If it's in place you could do something like this:

I think this step should be highlighted, as it's the most important step.
Even if no other files are modified or copied, copying set_dev_value.php alone will still give you root access.
That said, a suggestion I would probably make is copying set_dev_value.php to a different file name. You never know what Wink would do in future firmwares. They could easier create a script to remove set_dev_value.php on bootup.
14th December 2014, 05:35 PM |#31  
Junior Member
Thanks Meter: 0
 
More
Thank you, Berserko.
I got SSH back after running curl command you provide.
It is asking for password now, I did not have any before, tried, root and keep app.
It there a command to reset a password?
Was able to reset the password , suggested by Bluerhino.
#change root password to Mypwd (Wink didnt allow to change to password to 'root')
curl "hXXp://192.168.1.13/set_dev_value.php" -d "nodeId=a&attrId=;echo -e 'Mypwd\nMypwd' | passwd;"

And one more- I have a serial device, or will buy the one you mention.
After I hook it up to the Wink- what software and commands should I use?
Thanks for help.


Quote:
Originally Posted by berserko

Did you uncomment the getty in inittab? If not serial won't help. If you did you need a usb uart and a 4 pin header (90 degree header work great you can reassemble the device and leave the UART hooked up... I got the uart similar to this works great.
Did you keep any of the other exploits in tact? Might be another way in.
Did you copy set_dev_value.php back into place? If it's in place you could do something like this:

curl "hXXp://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;touch /database/ENABLE_SSH;/etc/init.d/S50dropbear start;"

That would create the required file and start SSHD for you.

Post back with the upgrade procedure you did perhaps we can lend some more assistance.

Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes