hacker

turmio

description
I will try to get shell from the PHILIPS hue bridge v 2.0. You can find my raw notes from here
started

2015-12-29

  • https://www.reddit.com/r/Hue/comments/3x12y6/jailbreaking_the_v2_hub/

  • Get shell with HW hacking: https://forum.openwrt.org/viewtopic.php?id=66346

  • http://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/

  • Getting root shell (HW hacking)

    Gudos for Colin O’Flynn and pepe2k for figuring out how to intercept the u-boot process and get access to u-boot console. I followed their instructions and managed to pull it through.

    Check their instructions:

    I did the following:

    Add your SSH public key to ''/etc/droppear/authorized_keys''
    # iptables -I input_lan_rule -p tcp --dport 22 --syn -j ACCEPT
    
    or if you want to do permanent change add folowing to: /etc/config/firewall
    config rule 'ssh' 
           option name              Allow-ssh
           option src               lan
           option proto             tcp
           option dest_port         22
           option target            ACCEPT 
           option family            ipv4
    
    After that you can use SSH 

    WiFi / WLAN

    u-boot env

    ath> printenv
    # Standard configuration
    baudrate=115200
    ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
    # Factory IP config environment
    # Factory programming helpers
    board=bsb002
    flasht=tftp 0x80060000 ${board}/${board}_uboot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr
     0x9f000000 $ize
    flash_uboot_env=tftp 0x80060000 ${board}/${board}_uboot_environment.bin&&erase 0x9f040000 +$fil
    esip.b $fileaddr 0x9f040000 $filesize
    flash_uboot_and_env=tftp 0x80060000 ${board}/${board}_uboot_and_enment.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
    flash_art=tftp 0x80060000 $d}/${board}_art.bin&&erase 0x9f070000 +$filesize&&cp.b $fileaddr 0x9f070000 $filesize
    flash_kernel_0=t0x80060000 ${board}/kernel.bin&&nand erase 0x0 0x400000&&nand write $fileaddr 0x0 esize
    flash_root_0=tftp 0x80060000 ${board}/root.bin&&nand erase 0x400000 0x28000and write $fileaddr 0x400000 $filesize
    flash_kernel_1=tftp 0x80060000 ${board}/kernel.bin&&nand erase 0000 0x400000&&nand write $fileaddr 0x2C00000 $filesize
    flash_root_1=tftp 0x80060000 ${board}/root.binnd erase 0x3000000 0x2800000&&nand write $fileaddr 0x3000000 $filesize
    flash_overftp 0x80060000 ${board}/overlay.bin&&nand erase 0x5800000 0x2800000&&nand write $fileaddr 0x5800000 $fize
    flash_factory=run flash_uboot_and_env&&run flash_kernel_0&&run flash_root_0&&rash_overlay
    # Boot configuration - common
    std_bootargs=board=BSB002 console=ttyS0,115200 ubi.mtd=overootfs=/dev/mtdblock:rootfs rootfstype=squashfs noinitrd init=/sbin/init
    # Boot configuration - slot 0parts0=spi0.0:256k(u-boot)ro,128k(u-boot-env),64k(reserved),64k(art);spi0.1:4m(kernel-0)ro,40m(root-0),rnel-1),40m(root-1),-(overlay)
    kernel_0_start=0x0
    boot_from_slot_0=setenv bootargs ubi.mtd=5 ${std_bgs} mtdparts=${mtdparts0}; nboot 0x81000000 0 ${kernel_0_start}
    # Boot configuration - slot 1
    mtdparti0.0:256k(u-boot)ro,128k(u-boot-env),64k(reserved),64k(art);spi0.1:4m(kernel-0),40m(root-0),4m(kernel-10m(root-1),-(overlay)
    kernel_1_start=0x2C00000
    boot_from_slot_1=setenv bootargs ubi.mtd=7 ${std_bootamtdparts=${mtdparts1}; nboot 0x81000000 0 ${kernel_1_start}
    # Boot command
    # Selected slot
    ethact=eeui64=001788fffe2179c6
    set12nc=HueBridge2K15
    ctn=HueBridge2K15
    portal=9e345a8da10e5b5290beeed85edb00ecurity=$5$BkwEJP3Tp/u8Q2Za$qQXbcKEibHVPel.8.GXb8ds46DG29yFyeFZa6JKF7o2
    homekit=028-08-483
    hwrevision
    production=1537
    ipaddr=192.168.11.179
    serverip=192.168.11.66
    bootcmd=if test ${bootslot} -ne 1;the boot_from_slot_0;else run boot_from_slot_1;fi
    bootdelay=0
    frcnt=4
    bootslot=1
    stdin=serial
    stdoutal
    stderr=serial
    bootargs=ubi.mtd=7 board=BSB002 console=ttyS0,115200 ubi.mtd=overlay rootfs=/dev/mtd:rootfs rootfstype=squashfs noinitrd init=/sbin/init mtdparts=spi0.0:256k(u-boot)ro,128k(u-boot-env),6served),64k(art);spi0.1:4m(kernel-0),40m(root-0),4m(kernel-1)ro,40m(root-1),-(overlay)
    
    ath> printenv security
    security=$5$BkwEJP3Tp/u8Q2Za$qQXbcKEibHVPel.8.GXb8ds46DG29yFyeFZa6JKF7o2

    Geric Info

    Serial port

    You can find serial port/UART from the board (Details later)

    Boot messages

    [    0.000000] Movable start for each node
    [    0.000000] Early memory node ranges
    [    0.000000]   node   0: [mem 0x00000x03ffffff]
    [    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
    [    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
    [    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 1
                                                                                         [    0.000000] Kernel command line:  ubi.mtd=5 board=BSB002 console=ttyS0,115200 ubi.mtd=overlay rootev/mtdblock:rootfs rootfstype=squashfs noinitrd init=/sbin/init mtdparts=s
    pi0.0:256k(u-boot)ro,128k(u-env),64k(reserved),64k(art);spi0.1:4m(kernel-0)ro,40m(root-0),4m(kernel-1),40m(root-1),-(overlay) mem=ootfstype=squashfs,jffs2 noinitrd
    [    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
    [    0.000000] Dentry cache hash table entries: 819der: 3, 32768 bytes)
    [    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
    [    0.000000] Writing ErrCtl register=00000000
    [    0.000000] Readback ErrCtl register=0000
                                                [    0.000000] Memory: 60756K/65536K available (2712K kernel code, 126K rwdata, 576K rodata, 160K init, 185K bss, 4780K reserved)
    [    0.000000] SLUB: HWalign=32, Order=0inObjects=0, CPUs=1, Nodes=1
    [    0.000000] NR_IRQS:51
    [    0.000000] Clocks: CPU:650.000MHz, DDR:597.583MHz, AHB:216.666MHz, Ref:25.000MHz
    [.000000] Calibrating delay loop... 432.53 BogoMIPS (lpj=2162688)

    Login

    I did press "f" and enter.

    Press the [f] key and hit [enter] to enter failsafe mode
    Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
    - failsafe -
    ------------------------------------------------------
    Cannot enter failsafe mode: Disabled on this system !!
    ------------------------------------------------------
    
    
    Please press Enter to activate this console.
    
    (none) login: f
    Password:

    Firmware

    Firmware Head

    0000000: 4253 4230 3032 0002 004e fcc9 6272 6964  BSB002...N..brid
    0000010: 6765 0000 0000 0000 0000 0000 0000 0000  ge..............
    0000020: 0000 004e fab0 0103 0000 0000 3031 3033  ...N........0103
    0000030: 3032 3632 0000 0000 0000 0000 4bb1 3918  0262........K.9.
    0000040: a7ac d534 6aab 63fc cb81 3643 1f9b 53bd  ...4j.c...6C..S.
    0000050: d9b5 a76d f5bf 82dc 8265 eebc 75d8 5e42  ...m.....e..u.^B
    0000060: dbc1 f384 c368 24c3 1988 f97e 9ab3 34c7  .....h$....~..4.

    Public key from the end of firmware file

    openssl rsa -pubin -text -in a 
    Public-Key: (2048 bit)
    Modulus:
        00:a1:ba:a2:33:57:01:4a:be:ba:87:db:5a:c9:c4:
        4d:a4:2e:e1:2b:31:48:53:26:2d:4a:2b:65:19:ce:
        94:01:2e:0e:81:ff:d9:39:c0:e1:17:09:2d:d1:fc:
        e7:89:11:3c:44:48:c4:19:72:be:b5:a2:72:72:1c:
        f8:80:e4:f7:05:3d:0e:b0:8f:6d:5a:62:f4:6c:6c:
        e3:bf:b7:45:37:64:e5:14:c7:e5:87:55:1a:55:f8:
        53:af:3f:b2:11:47:38:56:7a:2d:4b:30:e9:b6:bf:
        23:d9:33:3c:08:71:bc:98:ae:3d:0b:92:d8:c4:9f:
        d9:42:1d:5d:5e:97:e6:88:74:1b:f9:14:0e:88:af:
        fc:83:d4:21:01:c4:86:fd:a3:55:bd:e5:fd:a2:69:
        76:d1:c0:e0:2d:0a:f0:e8:20:b9:10:ef:62:33:04:
        03:e5:43:13:d1:df:46:6e:eb:df:3c:c4:a2:cb:9c:
        48:32:13:1c:85:2e:d9:5c:50:fa:56:99:3a:03:ad:
        7a:9b:96:79:57:76:a1:cc:87:a6:9a:d3:04:26:70:
        0f:85:b9:2b:48:67:17:bd:b9:3b:e0:c8:10:dc:2b:
        83:d8:58:0b:7c:e8:e3:28:a7:c4:e2:17:96:62:7e:
        15:0f:ec:cc:8c:6e:ed:40:23:38:dd:a9:5b:a7:31:
        7b:15
    Exponent: 65537 (0x10001)
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAobqiM1cBSr66h9taycRN
    pC7hKzFIUyYtSitlGc6UAS4Ogf/ZOcDhFwkt0fzniRE8REjEGXK+taJychz4gOT3
    BT0OsI9tWmL0bGzjv7dFN2TlFMflh1UaVfhTrz+yEUc4VnotSzDptr8j2TM8CHG8
    mK49C5LYxJ/ZQh1dXpfmiHQb+RQOiK/8g9QhAcSG/aNVveX9oml20cDgLQrw6CC5
    EO9iMwQD5UMT0d9GbuvfPMSiy5xIMhMchS7ZXFD6Vpk6A616m5Z5V3ahzIemmtME
    JnAPhbkrSGcXvbk74MgQ3CuD2FgLfOjjKKfE4heWYn4VD+zMjG7tQCM43albpzF7
    FQIDAQAB
    -----END PUBLIC KEY-----

    Attachments

    • [get | view | diff] (2016-07-19 21:11:46, 413.3 KB) [[attachment:Philips Hue Bridge v2 hacked (root access) (Page 1) — Hardware Hacking — OpenWrt.pdf]]
    • [get | view | diff] (2015-12-29 22:57:45, 191.7 KB) [[attachment:hue-bridge-serial.jpg]]
    • [get | view | diff] (2015-12-30 09:32:56, 133.8 KB) [[attachment:hue-personal-wireless-lighting.pdf]]
     All files | Selected Files: delete move to page
    Normal Sort Sort + uniq Sort + uniq + count

    WEB-server

    $ curl -v '10.0.2.58/description.xml'
    *   Trying 10.0.2.58...
    * Connected to 10.0.2.58 (10.0.2.58) port 80 (#0)
    > GET /description.xml HTTP/1.1
    > Host: 10.0.2.58
    > User-Agent: curl/7.43.0
    > Accept: */*
    > 
    < HTTP/1.1 200 OK
    < Content-type: text/xml
    < Connection: Keep-Alive
    * no chunk, no close, no size. Assume close to signal end
    < 
    <?xml version="1.0" encoding="UTF-8" ?>
    <root xmlns="urn:schemas-upnp-org:device-1-0">
    <specVersion>
    <major>1</major>
    <minor>0</minor>
    </specVersion>
    <URLBase>http://10.0.2.58:80/</URLBase>
    <device>
    <deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
    <friendlyName>Philips hue (10.0.2.58)</friendlyName>
    <manufacturer>Royal Philips Electronics</manufacturer>
    <manufacturerURL>http://www.philips.com</manufacturerURL>
    <modelDescription>Philips hue Personal Wireless Lighting</modelDescription>
    <modelName>Philips hue bridge 2015</modelName>
    <modelNumber>BSB002</modelNumber>
    <modelURL>http://www.meethue.com</modelURL>
    <serialNumber>001788xxxxx</serialNumber>
    <UDN>uuid:2f402f80-da50-11e1-9b23-001788xxxxx</UDN>
    <presentationURL>index.html</presentationURL>
    <iconList>
    <icon>
    <mimetype>image/png</mimetype>
    <height>48</height>
    <width>48</width>
    <depth>24</depth>
    <url>hue_logo_0.png</url>
    </icon>
    <icon>
    <mimetype>image/png</mimetype>
    <height>120</height>
    <width>120</width>
    <depth>24</depth>
    <url>hue_logo_3.png</url>
    </icon>
    </iconList>
    </device>
    </root>

    HW


    CategoryProjekti