Wink Hub root


CantSleepAWink

New member
Jul 10, 2015
3
0
Missed something - Bricked the Wink

So I followed the steps to perform the NAND Flash exploit detailed earlier in the thread.

I was attempting to connect pin 29 to the UART ground (though before that I tried the Ethernet cage, as mentioned earlier in the thread), and must have done something wrong.

*edit* I've successfully gotten in and used the following commands:

Code:
=> setenv bootdelay 1
=> saveenv

setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi init=/bin/sh'
nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}

To get into the filesystem. However, when I let it boot normally, I still get the below:

Once it gets to
Code:
Launch upgrade script
+ /root/platform/run_upgrade.sh
+ FILE=/tmp/isalive

It will loop continually at this:

Code:
+ '[' '!' -e /tmp/isalive ']'
+ sleep 1

Is there a way to recover, or should I make my second exchange :eek: (The first was actually for the same reason, but I didn't get into the device due to stupidity in Putty config).

There were a few other failures before this behavior was exhibited, however.

I should also mention that I may have done something very silly - I ran this, and may have screwed everything up. You see, I had paired the wink with my phone, and updated the wink. When I first saw the loop above, I ran this (really without thinking about the consequences)

Code:
mount -a
ubiformat /dev/mtd3 -y -q
ubiattach -p /dev/mtd3
mknod /dev/ubi1 c 252 0
ubimkvol /dev/ubi1 -m -N database
mount -t ubifs ubi1:database /database

Ideas? I really garfed it up.
 
Last edited:

Unheard

Senior Member
Mar 25, 2010
229
137
Atlanta, GA
EDIT EDIT:
Fixed it, had to clear out the wpa_xxx file (can't remember the name)

-------

EDIT:
Ok, the Wink's AP is up and running, and I can connect, but all I get is the Home Page text from the index.php when I try to browse the IP. I feel like I'm getting close, but the Wink still has no external access to the web. Is there an alternate method I can push the UBI?

--------


Trying to figure this out. I managed to soft-brick the wink during NAND booting to a root shell (not sure how), but it now boots to a BUS ERROR.

I am able to U-BOOT into a BADIMAGE shell based on another post's recommendation. My issue is trying to get the unit connected to my WiFi so I can download an update image to recover the Wink.

I follow the directions and this is what I am getting:

(UnheardNet.Legacy is my 2.4ghz N AP)

[[email protected] ~]# curl "http://192.168.0.1/index.php" -d '{"ssid":"UnheardNet.Legacy","pass":"xxxxx"}'
{"status":"ok"}[[email protected] ~]# ping google.com
ping: bad address 'google.com'
[[email protected] ~]# wlan0 (WE) : Wireless Event too big (41987)
wlan0 (WE) : Wireless Event too big (41987)
wlan0 (WE) : Wireless Event too big (41987)

Any thoughts or suggestions?
 
Last edited:

GenesisFactor

Member
Nov 28, 2007
14
0
I have a question to all at the bottom :). Before that, I wanted to offer some assistance:

I went through what you did, CantSleepAWink
Once it gets to
Code:
Launch upgrade script
+ /root/platform/run_upgrade.sh
+ FILE=/tmp/isalive

It will loop continually at this:

Code:
+ '[' '!' -e /tmp/isalive ']'
+ sleep 1

Ideas? I really garfed it up.

ps -ef will get you a list of the PIDs. Find the one that says run_upgrade.sh. Mine were usually about 1120s or 1130s
kill -9 <pid#>

kills that annoying loop.

Then, follow http://www.rootwink.com/viewtopic.php?f=6&t=4, which I used to update the winkhub and fixed it mostly. (I have a problem too) :)
Hope that helps.

ONTO MY QUESTION

right now I get this error when trying to connect to wifi. It blinks blue for a few minutes, but then does nothing but send these errors about 3 or 4 times. ifconfig returns nothing
Code:
dhd_aoe_hostip_clr failed code -23
ace_update_host_ipv4_table_failed

any ideas?
 

BuckSinister

New member
Aug 1, 2015
2
0
I am interested.

Would you send me the old firmwares? I am trying to downgrade my newly purchased hub using a man in the middle attack. I am documenting the procedure and if I get it to work I will send you the instructions.



What's really interesting is that hXXp:// and hXXps:// provide two totally different outputs right now.

http shows:
Code:
board_id=00.01
group_id=0
sw_pkg_url=https://hub-updates.winkapp.com/00.01
fparts=4
alt_pkg_url=https://wink-hub-images.s3.amazonaws.com/00.01

...

fdest3=/dev/mtd5
fver3=00.47
foff3=0
ftype3=1
fsrc3=app-rootfs.ubi
md5sum3=55574706f2cbf4f6e17e4d224b63287d


https shows:
Code:
board_id=00.01
group_id=0
sw_pkg_url=https://wink-hub-images.s3.amazonaws.com/00.01
fparts=4
alt_pkg_url=https://hub-updates.winkapp.com/00.01

...

fdest3=/dev/mtd5
fver3=00.55
foff3=0
ftype3=1
fsrc3=app-rootfs.ubi
md5sum3=86442e13205e3c493b53e333b6478a7d

My current Wink App doesn't show any updates pending, and I've rebooted it a few times just to see if it would check again.
It would appear then that the Wink hub currently looks to the http version of the file to know when an update is available, then switches to https when downloading the update. Because the HTTP version of the file only lists 00.47 as the current version, the hubs aren't seeing any reason to check for a new firmware file at the moment. If you do download a firmware file manually, the only versions available are the latest ones from 00.55.

-----
Just noticed - since hXXps://hub-updates.winkapp.com/00.01 returns nothing at the moment, the http version of the upgrade text then provides the alt-pkg URL of the amazonaws location, which *does* have firmware files, then it proceeds from there.

So spoofing the http upgrade_00.01.txt file, and linking it to your own custom version then is the key.

I have to go digging through my hard drives... When I got the Hub for the first time in July and discovered where the update files came from (including the now hidden .xml file), I saved a copy of all the 00.31 firmware files...

---------- Post added at 02:29 AM ---------- Previous post was at 01:56 AM ----------

So I have a copy of the firmware files from the Amazon server the way they were on October 17th 2014 at 2:12 am. This was version 00.24.

I also have a copy of the prodtest (version 00.29) and the stagetest (version 00.32) as they appeared at that time.

If anyone is interested in a copy, just let me know.

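As an added illustration of the manifest format quoted above (example code written for this page, not from the thread or from Wink): it parses the key=value upgrade text into per-part records, checks a downloaded part against its md5sumN entry, and reports where two copies of the manifest disagree on version, as the http and https copies above do for part 3. The key names are the ones quoted in the thread; the two sample manifests and the stand-in rootfs bytes are constructed for the demo and their hashes are computed in the script. The point a defender should take from it: an MD5 in a manifest fetched over plain HTTP only catches corruption, since whoever can rewrite the manifest can rewrite the hash too, which is exactly why the http copy is the weak link in the chain described above.

```python
"""Parse a Wink-style upgrade manifest and check part checksums.

Added example, not code from the thread or from Wink. The key names
(board_id, group_id, sw_pkg_url, alt_pkg_url, fparts and the numbered
fdestN/fverN/foffN/ftypeN/fsrcN/md5sumN) are the ones quoted in the thread;
the two sample manifests and the stand-in rootfs bytes are constructed for
this demo, and their MD5 is computed here rather than copied from a server.
"""
import hashlib
import re

PART_KEY = re.compile(r"^(fdest|fver|foff|ftype|fsrc|md5sum)(\d+)$")


def parse_manifest(text):
    """Split key=value lines into (globals, parts); parts maps part index -> fields."""
    globals_, parts = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = PART_KEY.match(key)
        if m:
            parts.setdefault(int(m.group(2)), {})[m.group(1)] = value
        else:
            globals_[key] = value
    return globals_, parts


def verify_part(part, data):
    """True if data hashes to the manifest's md5sum entry.

    This proves only that the bytes were not corrupted in transit. The hash
    travels in the same manifest as the URLs, so if that manifest is served
    over plain HTTP, anyone who can rewrite it can rewrite the hash as well;
    a checksum is not a signature.
    """
    return hashlib.md5(data).hexdigest() == part["md5sum"].lower()


def version_differences(manifest_a, manifest_b):
    """Per-part fver values that differ between two copies of the manifest."""
    _, parts_a = parse_manifest(manifest_a)
    _, parts_b = parse_manifest(manifest_b)
    diffs = {}
    for idx in sorted(set(parts_a) | set(parts_b)):
        va, vb = parts_a.get(idx, {}).get("fver"), parts_b.get(idx, {}).get("fver")
        if va != vb:
            diffs[idx] = (va, vb)
    return diffs


# Constructed stand-ins for app-rootfs.ubi; not real firmware images.
ROOTFS_47 = b"constructed stand-in for app-rootfs.ubi version 00.47\n"
ROOTFS_55 = b"constructed stand-in for app-rootfs.ubi version 00.55\n"

# Only part 3 is reproduced, as in the thread; fparts=4 is kept from the quoted text.
HTTP_MANIFEST = f"""board_id=00.01
group_id=0
sw_pkg_url=https://hub-updates.winkapp.com/00.01
fparts=4
alt_pkg_url=https://wink-hub-images.s3.amazonaws.com/00.01
fdest3=/dev/mtd5
fver3=00.47
foff3=0
ftype3=1
fsrc3=app-rootfs.ubi
md5sum3={hashlib.md5(ROOTFS_47).hexdigest()}
"""

HTTPS_MANIFEST = f"""board_id=00.01
group_id=0
sw_pkg_url=https://wink-hub-images.s3.amazonaws.com/00.01
fparts=4
alt_pkg_url=https://hub-updates.winkapp.com/00.01
fdest3=/dev/mtd5
fver3=00.55
foff3=0
ftype3=1
fsrc3=app-rootfs.ubi
md5sum3={hashlib.md5(ROOTFS_55).hexdigest()}
"""

if __name__ == "__main__":
    _, parts = parse_manifest(HTTP_MANIFEST)
    print("part 3 ->", parts[3]["fdest"], "version", parts[3]["fver"])
    print("checksum ok:", verify_part(parts[3], ROOTFS_47))
    print("http vs https versions:", version_differences(HTTP_MANIFEST, HTTPS_MANIFEST))
```

Running it prints the part 3 destination and version from the http copy, confirms the constructed image matches its checksum, and reports `{3: ('00.47', '00.55')}`, the same divergence the post observed between the two servers.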
 

BuckSinister

New member
Aug 1, 2015
2
0
Old firmware Images?

Does anybody have copies of the old firmware images that contained the php exploit? I would like to create a clone of the wink-hub-images.s3.amazonaws.com, but place the old image as the newest and change the checksums in the manifests, with the hope that my wink hub will autodowngrade. Has anyone tried this before?
I created a mini network, where the wink sites resolve to my own web servers. I have hit a bump in the road, since I can't find any rootable images to download to proceed further. Please contact me, send me a copy, or post a link to any old firmware you may be willing to share.
 

LivinOne

Senior Member
Mar 27, 2008
459
17
Need help from the experts, please :)

I had a new Hub that I rooted and had SSH running on. It then sat idle until today when I got my devices to connect to it.

I tried to update the firmware, using Putty, but it looks like the update removed root as I can no longer SSH into it. Is there any easy way to get it back?

thanks!
 

zeroepoch

Senior Member
Dec 30, 2010
313
214
San Jose, CA
www.zeroepoch.com
Need help from the experts, please :)

I had a new Hub that I rooted and had SSH running on. It then sat idle until today when I got my devices to connect to it.

I tried to update the firmware, using Putty, but it looks like the update removed root as I can no longer SSH into it. Is there any easy way to get it back?

thanks!

No. You will need to use the method which jumpers a pin on the flash chip. Normally SSH access is preserved across upgrades for me since the enable file and keys are saved on the database partition. Maybe you did a major upgrade that wiped those or before they existed?
 

LivinOne

Senior Member
Mar 27, 2008
459
17
No. You will need to use the method which jumpers a pin on the flash chip. Normally SSH access is preserved across upgrades for me since the enable file and keys are saved on the database partition. Maybe you did a major upgrade that wiped those or before they existed?

I can see the SSH prompt but root/root is no longer allowing me to login. I can't find the private key file I saved off either.

Also, do you think the original private key will work since I followed the process of adding a new public key?

I'm new to all this key certs... I cannot figure out how to make a key file that Putty will use - anyone have a file using the private key they can post as an example?

thx for the help!
 

zeroepoch

Senior Member
Dec 30, 2010
313
214
San Jose, CA
www.zeroepoch.com
I can see the SSH prompt but root/root is no longer allowing me to login. I can't find the private key file I saved off either.

Also, do you think the original private key will work since I followed the process of adding a new public key?

I'm new to all this key certs... I cannot figure out how to make a key file that Putty will use - anyone have a file using the private key they can post as an example?

thx for the help!

You will need the matching private key for the last public key you uploaded. The original private key (if you did update it later) will not work. I don't know if anyone has discovered what the default root password is, or if it's unique to each device, but I think even then password logins are disabled by default by settings in /etc/default/dropbear. If you enabled UART access you might try that but an upgrade usually disables that login path.
 

LivinOne

Senior Member
Mar 27, 2008
459
17
You will need the matching private key for the last public key you uploaded. The original private key (if you did update it later) will not work. I don't know if anyone has discovered what the default root password is, or if it's unique to each device, but I think even then password logins are disabled by default by settings in /etc/default/dropbear. If you enabled UART access you might try that but an upgrade usually disables that login path.

If I changed the default private/public keys... I used the ones in the how-to.

How do I make a proper .ppk file, using those keys, to use with Putty & WinSCP?

thx for the help!
 

zeroepoch

Senior Member
Dec 30, 2010
313
214
San Jose, CA
www.zeroepoch.com
If I changed the default private/public keys... I used the ones in the how-to.

How do I make a proper .ppk file, using those keys, to use with Putty & WinSCP?

thx for the help!

Sorry I don't know. I don't use putty that often, mainly ssh in Linux. Maybe someone else on this forum can prepare the file for you or provide some instructions. If you used the keys from the tutorials on the web then you might be able to recover root access.
 

ScDoc8

Member
Jun 10, 2014
13
12
I am having difficulty finding the best time to short pin 29 on the NAND chip. I see U-Boot comes up as soon as it is powered, and a few seconds later the kernel decompresses and boots. Is the 1-2 second window after plugging in the box when I need to short the pins?

Thanks
 

Natodd

New member
Jan 19, 2015
2
0
I use exec for Wink/OpenHab binding. On the machine running OpenHab, set up ssh key auth with your wink hub under the user that runs openhab, notably the initial connection will be interactive which caught me up for a bit. I have two scripts I've added to my openhab /usr/sbin listed below. I've also pasted a few lines of my default.items file.

Code:
[email protected]:~# cat /usr/sbin/apron-relay
#!/bin/bash
ssh -i /etc/openhab/winkkey.rsa [email protected] "/usr/sbin/aprontest [email protected]"|sed "s/ \+/ /g"|sed "/^$/d"

Code:
[email protected]:~# cat /usr/sbin/apron-attr
#!/bin/sh
grep "[email protected]" | cut -d '|' -f 5

Code:
Switch  Lamp    "Lamp"  (Livingroom)    { exec="<[/bin/[email protected]@[email protected]@apron-relay -l -m 1|sed -e \"s/ //g\"|grep On_Off:60000:REGEX(.*(ON|OFF))] >[*:/bin/[email protected]@[email protected]@apron-relay -u -m 1 -t 1 -v %2$s]" }
Number  LampLevel       "Brightness [%d]"       (Livingroom)    { exec="<[/bin/[email protected]@[email protected]@apron-relay -l -m 1|grep Level:60000:REGEX(.*[| ]+(\\d+))] >[*:/bin/[email protected]@[email protected]@apron-relay -u -m 1 -t 2 -v %2$s]"}
Number  Temp_Hallway    "Thermostat Temperature [%.1f F]"       (Indoors,Temperatures)  {exec="<[/bin/[email protected]@[email protected]@apron-relay -l -m 6|apron-attr Level:60000:REGEX((.*))]"}


So I'm trying to accomplish this using the snippets of code you submitted. I have altered the relevant bits, I think. My winkkey file has a different name and location; however, it won't turn my lights on or off. Aside from putting the Exec plugin in place, were there other steps you needed to do to get that piece working?
 

LivinOne

Senior Member
Mar 27, 2008
459
17
I found my way back in (Putty & WinSCP) using my PrivateKey... now I want to re-enable ROOT password.

I have tried a few commands from the hacking wink how-tos but I get errors with both...

curl "http://192.168.2.63/database/set_dev_value.php" -d "nodeId=a&attrId=;cp /etc/shadow /etc/shadow.bak;sed -i 's/root:.*:\(.*:.*:.*:.*:::\)/root::\1/' /etc/shadow;cat /etc/shadow;"
...throws... cannot POST to /database/set_dev_value.php

curl -d cmd='sed%20-i%20%27s%2F%3D-sg%2F%3D%2F%27%20%2Fetc%2Fdefault%2Fdropbear%3B%2Fetc%2Finit.d%2FS50dropbear%20restart%3Becho%20-e%20%22%5Cn%5Cn%22%20%7C%20passwd' http://192.168.2.63/exploit.php
...throws... cannot POST to /exploit.php

why is it not able to respond to commands?

Also, I noticed /VAR/WWW folder does not exist... should it be there?

thanks for the help!
 

checkmateyou

Senior Member
Dec 22, 2011
69
6
I found my way back in (Putty & WinSCP) using my PrivateKey... now I want to re-enable ROOT password.

I have tried a few commands from the hacking wink how-tos but I get errors with both...

curl "http://192.168.2.63/database/set_dev_value.php" -d "nodeId=a&attrId=;cp /etc/shadow /etc/shadow.bak;sed -i 's/root:.*:\(.*:.*:.*:.*:::\)/root::\1/' /etc/shadow;cat /etc/shadow;"
...throws... cannot POST to /database/set_dev_value.php

curl -d cmd='sed%20-i%20%27s%2F%3D-sg%2F%3D%2F%27%20%2Fetc%2Fdefault%2Fdropbear%3B%2Fetc%2Finit.d%2FS50dropbear%20restart%3Becho%20-e%20%22%5Cn%5Cn%22%20%7C%20passwd' http://192.168.2.63/exploit.php
...throws... cannot POST to /exploit.php

why is it not able to respond to commands?

Also, I noticed /VAR/WWW folder does not exist... should it be there?

thanks for the help!

I can't find the /var/www directory either. I'm trying to use the Blink app to control devices locally. Am I missing something?
 

zeroepoch

Senior Member
Dec 30, 2010
313
214
San Jose, CA
www.zeroepoch.com
Now that you mention it, it looks like in a recent release the wink hub doesn't use php at all. It's not even included anymore. Although it still runs a web server since it returns wifi information when you connect to port 80. I noticed something interesting in /opt/local_control where it appears to be a node.js app. They seem to be working on local control as they promised. There are a few modules but the only service enabled is "wifi". "aau", whatever that stands for, is not enabled in /opt/local_control/server.js but it appears to be something they are working on. Maybe someone with more time can look into it and see how functional it is or add a node app for aprontest access. Below is the list of handlers available for the "wifi" service.

Code:
dispatcher.dispatch('GET /networks', 'listNetworks')
dispatcher.dispatch('GET /', 'getStatus')
dispatcher.dispatch('POST /', 'post')
dispatcher.dispatch('GET /authCheck', 'heartbeat')
dispatcher.dispatch('POST /upgrade', 'upgrade')
 
Last edited:

checkmateyou

Senior Member
Dec 22, 2011
69
6
Now that they don't use .php, do you have any suggestion on how to use Blink or OpenHab? All the methods that I have seen rely on /var/www and using commands like curl "http://192.168.2.32/set_dev_value.php" -d "nodeId=a&attrId=aprontest -u -m1 -t2 -v 1;" via terminal

Thank you in advance.

Edit:

Lots of interesting info regarding local control can be found here: https://www.reddit.com/r/winkhub/comments/3kxr4q/new_firmware_and_scheduled_maintenance/
Unfortunately, no one posted how to take advantage of them. There is, fortunately, a README that contains a changelog and what seems to be an API. I will dig for further info.
 
Last edited:

checkmateyou

Senior Member
Dec 22, 2011
69
6
We can add support for our own devices. I've been playing around with the apron.db file and added the Wattage readout for my Aeon Labs power switch. It originally didn't report the number of watts used (as seen in an earlier post). I used the following insert and found that the power is reported via the multilevel sensor instead of the meter attribute. This may be due to the meter attribute not existing before I added it and may not be supported in the software. In any case:
Code:
insert into zwavedevicestate (nodeid, endpoint,attributeid) select 2, 0, attributeid from zwaveattribute;
You'll then want to run aprontest -e -m#
I then removed all the blank values with
Code:
delete from zwavedevicestate where nodeid=2 and value_get is null;

Code:
[[email protected] ~]# aprontest -l -m2
Gang ID: 0x00000002
Generic/Specific device types: 0x10/0x01
Manufacturer ID: 0x0086 Product Type: 0x0003 Product Number: 0x0006
Device has 6 attributes...
New POWER_SWITCH_BINARY
   ATTRIBUTE |                         DESCRIPTION |   TYPE | MODE |                              GET |                              SET
           1 |                        GenericValue |  UINT8 |  R/W |                              255 |                              255
           7 |                              On_Off |   BOOL |    R |                             TRUE |                             TRUE
           8 |                               Level |  FLOAT |    R |                          674.033 |                          674.033
           9 |                                Unit | STRING |    R |                             Watt |                             Watt
          18 |            ConfigurationParameter_1 | UINT32 |  R/W |                                0 |                                0
           2 |                              On_Off |   BOOL |  R/W |                             TRUE |                             TRUE

My attribute 2 is at the bottom as I had to remove the duplicate and add it back in.
I have successfully added a Philips Hue bulb to the Wink Hub. Dimming and turning it off and on works, but I cannot change the color.

I have no idea how you added new attributes; could you please explain what you did, and possibly step by step please? I would very much appreciate it!
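A worked version of the insert/delete pattern in the quoted post, added here as an example (not the poster's code, and not the real apron.db schema): it builds a toy SQLite database with only the table and column names the post mentions (column types are assumed), adds the missing attribute rows for a node while skipping any the node already has, which avoids the duplicate attribute 2 the poster had to delete and re-add, and then prunes the rows that are still NULL after enumeration. The enumeration step is simulated, since on the hub the values come from aprontest -e on the device.

```python
"""Add missing Z-Wave attribute rows in an apron.db-style SQLite database.

Added example, not the poster's code and not the real apron.db schema: the toy
schema below uses only the table and column names the post mentions
(zwaveattribute.attributeid; zwavedevicestate.nodeid/endpoint/attributeid/
value_get) with assumed column types. Run this kind of change against a copy
of the database file, not the live one.
"""
import sqlite3


def build_demo_db():
    """Constructed toy database: six attribute definitions, node 2 already has attribute 2."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE zwaveattribute (attributeid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE zwavedevicestate (
            nodeid INTEGER, endpoint INTEGER, attributeid INTEGER, value_get TEXT,
            PRIMARY KEY (nodeid, endpoint, attributeid));
        INSERT INTO zwaveattribute VALUES (1, 'GenericValue'), (2, 'On_Off'), (7, 'On_Off'),
            (8, 'Level'), (9, 'Unit'), (18, 'ConfigurationParameter_1');
        INSERT INTO zwavedevicestate VALUES (2, 0, 2, 'TRUE');
    """)
    return db


def add_missing_attributes(db, nodeid, endpoint=0):
    """One state row per known attribute, skipping rows the node already has.

    The post's plain INSERT ... SELECT also copies attributes that already exist,
    which is how the author ended up with a duplicate attribute 2; the NOT EXISTS
    guard avoids that. Returns the number of rows inserted.
    """
    with db:  # commit on success, roll back on error
        cur = db.execute(
            """INSERT INTO zwavedevicestate (nodeid, endpoint, attributeid)
               SELECT ?, ?, a.attributeid FROM zwaveattribute a
               WHERE NOT EXISTS (SELECT 1 FROM zwavedevicestate s
                                 WHERE s.nodeid = ? AND s.endpoint = ?
                                   AND s.attributeid = a.attributeid)""",
            (nodeid, endpoint, nodeid, endpoint))
        return cur.rowcount


def prune_unpopulated(db, nodeid):
    """Remove rows the device never filled in (value_get still NULL).

    Mirrors the post's DELETE; run it only after aprontest -e -m# has had a
    chance to populate values. Returns the number of rows removed.
    """
    with db:
        cur = db.execute(
            "DELETE FROM zwavedevicestate WHERE nodeid = ? AND value_get IS NULL", (nodeid,))
        return cur.rowcount


def attribute_ids(db, nodeid):
    """Attribute ids currently recorded for the node, ascending."""
    rows = db.execute(
        "SELECT attributeid FROM zwavedevicestate WHERE nodeid = ? ORDER BY attributeid", (nodeid,))
    return [r[0] for r in rows]


def simulate_enumeration(db, nodeid, values):
    """Stand-in for the device reporting values; constructed for the demo only."""
    with db:
        for attr, val in values.items():
            db.execute("UPDATE zwavedevicestate SET value_get = ? WHERE nodeid = ? AND attributeid = ?",
                       (val, nodeid, attr))


def demo():
    """Run the whole procedure on the toy database; returns (added, removed, remaining ids)."""
    db = build_demo_db()
    added = add_missing_attributes(db, 2)                              # 5: attribute 2 was already there
    simulate_enumeration(db, 2, {7: "TRUE", 8: "674.033", 9: "Watt"})  # values taken from the post's listing
    removed = prune_unpopulated(db, 2)                                 # 2: attributes 1 and 18 stayed NULL
    return added, removed, attribute_ids(db, 2)                        # -> (5, 2, [2, 7, 8, 9])


if __name__ == "__main__":
    print(demo())
```

Because the guard makes the insert idempotent, running `add_missing_attributes` a second time adds nothing, so the script can be re-run safely after a failed enumeration instead of leaving duplicate rows behind.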
 

Jcordeiro73

New member
Oct 20, 2015
1
0
Help...

Hi
I have a problem with my wink. I have console access but here is the output.
Please someone help me :)

Thanks

Loading file 'DO_UPDATE' to addr 0x42000000 with size 1 (0x00000001)...
Done
word at 0x42000000 (0x31) != word at 0x42000004 (0x30)
Total of 0 word(s) were the same

NAND read: device 0 offset 0x300000, size 0x300000
3145728 bytes read: OK
Wrong Image Format for bootm command
ERROR: can't get kernel image!

NAND read: device 0 offset 0x2b00000, size 0x400000
4194304 bytes read: OK
Wrong Image Format for bootm command
ERROR: can't get kernel image!
Falling back to updater...

NAND read: device 0 offset 0x300000, size 0x300000
3145728 bytes read: OK
Wrong Image Format for bootm command
ERROR: can't get kernel image!

NAND read: device 0 offset 0x2b00000, size 0x400000
4194304 bytes read: OK
Wrong Image Format for bootm command
ERROR: can't get kernel image!
=> printenv
app_boot=run appboot_args && nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}
app_boot_bad=run updater_args; setenv bootargs ${bootargs} badapp; nand read ${loadaddr} updater-kernel 0x00300000; bootm ${loadaddr}
appboot_args=setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi';
baudrate=115200
bd_addr=0021CC0892FA
boot_app=run app_boot || run app_boot_bad
boot_getflag=mtdparts default && ubi part database && ubifsmount ubi0:database && mw 42000000 0 8 && ubifsload 42000000 DO_UPDATE 1 && run boot_logic
boot_logic=mw 42000004 30; if cmp 42000000 42000004 1; then run boot_app; else run boot_updater; fi;
boot_updater=run updater_boot || run updater_boot_bad
bootargs=noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi badupdater
bootcmd=mtdparts default; run boot_getflag || echo Falling back to updater...; run boot_updater
bootdelay=0
bootfile=uImage
ethact=FEC0
ethaddr=00:04:00:00:00:00
ethprime=FEC0
filesize=1
loadaddr=0x42000000
mtddevname=u-boot
mtddevnum=0
mtdids=nand0=gpmi-nand
mtdparts=mtdparts=gpmi-nand:3m(u-boot),4m(updater-kernel),28m(updater-rootfs),8m(database),8m(app-kernel),-(app-rootfs)
partition=nand0,0
serialno=152201021WZD1
stderr=serial
stdin=serial
stdout=serial
updater_args=setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=2 root=ubi0:rootfs rw gpmi';
updater_boot=run updater_args && nand read ${loadaddr} updater-kernel 0x00300000 && bootm ${loadaddr}
updater_boot_bad=run appboot_args; setenv bootargs ${bootargs} badupdater; nand read ${loadaddr} app-kernel 0x00400000; bootm ${loadaddr}
ver=U-Boot 2014.01-14400-gda781c6-dirty (Apr 30 2014 - 22:35:38)
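To make sense of the output above, here is an added example (not from the thread or from Wink) that parses the mtdparts value printed by printenv and maps the offsets of the two failing NAND reads back to partition names. With 3m(u-boot),4m(updater-kernel),28m(updater-rootfs),8m(database),8m(app-kernel), the reads at 0x300000 and 0x2b00000 land on updater-kernel and app-kernel respectively, so both of U-Boot's boot paths (boot_app and boot_updater) are trying kernel images that no longer pass the bootm format check. Only the sizes and offsets quoted above are used; the parser is general for any mtdparts string.

```python
"""Map U-Boot NAND read offsets to partitions using the mtdparts string.

Added example, not code from the thread or from Wink. MTDPARTS and the two
failing read offsets are copied from the printenv / NAND read output quoted
above; everything else here is plain parsing.
"""
import re

MTDPARTS = ("mtdparts=gpmi-nand:3m(u-boot),4m(updater-kernel),28m(updater-rootfs),"
            "8m(database),8m(app-kernel),-(app-rootfs)")

# (offset, size) of the two 'NAND read' lines that ended in "Wrong Image Format for bootm command".
FAILED_READS = [(0x300000, 0x300000), (0x2b00000, 0x400000)]

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_mtdparts(spec, flash_size=None):
    """Return [(name, offset, size), ...] for a Linux/U-Boot mtdparts string.

    The trailing '-' entry means "rest of the device"; its size is None unless
    flash_size is supplied. A leading 'mtdparts=' (as in the env variable's
    value) is tolerated.
    """
    if spec.startswith("mtdparts="):
        spec = spec[len("mtdparts="):]
    _device, parts = spec.split(":", 1)
    table, offset = [], 0
    for item in parts.split(","):
        m = re.fullmatch(r"(-|\d+[kmg]?)\((.+)\)", item.strip())
        if not m:
            raise ValueError(f"unrecognised mtdparts entry: {item!r}")
        size_txt, name = m.groups()
        if size_txt == "-":
            size = None if flash_size is None else flash_size - offset
        else:
            num, unit = re.fullmatch(r"(\d+)([kmg]?)", size_txt).groups()
            size = int(num) * _UNITS[unit]
        table.append((name, offset, size))
        if size is None:
            break  # the remainder partition must be the last entry
        offset += size
    return table


def partition_at(table, offset):
    """Name of the partition that contains `offset`, or None if outside the table."""
    for name, start, size in table:
        end = None if size is None else start + size
        if offset >= start and (end is None or offset < end):
            return name
    return None


def classify_reads(spec=MTDPARTS, reads=FAILED_READS):
    """Pair each failing read offset with the partition it targets."""
    table = parse_mtdparts(spec)
    return [(hex(offset), partition_at(table, offset)) for offset, _size in reads]


if __name__ == "__main__":
    for name, start, size in parse_mtdparts(MTDPARTS):
        print(f"{name:16s} @ {start:#010x} size {'rest' if size is None else hex(size)}")
    print(classify_reads())  # [('0x300000', 'updater-kernel'), ('0x2b00000', 'app-kernel')]
```

The same table also explains the 0x00300000 and 0x00400000 lengths in updater_boot and app_boot: they are the sizes U-Boot reads from the 4m updater-kernel and 8m app-kernel partitions before handing the buffer at loadaddr to bootm.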
 