# Hue Bridge root

[TOC]

## Root shell

### Serial connection

![](https://i.imgur.com/UxLT0Ds.png)
![](https://i.imgur.com/BUhtHrZ.png)
![](https://i.imgur.com/vemLYgf.png)
![](https://i.imgur.com/u2DG4CP.png)

### Bootloader console

![](https://i.imgur.com/NfwD71M.jpg)

To get a U-Boot console, short the DO (data out) pin of the NAND flash to ground while the bridge boots. U-Boot itself lives on the other SPI chip (`spi0.0`, see the `mtdparts` in `/proc/cmdline` below), so it still comes up; the kernel on `spi0.1` cannot be read, the boot fails and U-Boot drops to its prompt.

![](https://i.imgur.com/oZImc7e.png)
![](https://i.imgur.com/Oimbg4j.png)

TODO: describe the env change made here. Once the system is up, `fw_printenv` and `fw_setenv` can be used to read and change the U-Boot environment variables.

### Getting SSH access

Edit `/etc/config/dropbear` and add `option RootLogin '1'` to the dropbear section (OpenWrt's dropbear init script passes `-w`, which refuses root logins, when `RootLogin` is 0). On top of that the `iptables` rules have to be adjusted:

![](https://i.imgur.com/CuiQuzH.png)

## Forensics

### Operating system

```shell
root@LaVA:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='19.07.8'
DISTRIB_REVISION='r11364-ef56c85848'
DISTRIB_TARGET='bsb002/generic'
DISTRIB_ARCH='mips_24kc'
DISTRIB_DESCRIPTION='OpenWrt 19.07.8 r11364-ef56c85848'
DISTRIB_TAINTS='no-all busybox override'
```

```
root@LaVA:~# cat /proc/cmdline
ubi.mtd=5 board=BSB002 console=ttyS0,115200 ubi.mtd=overlay rootfs=/dev/mtdblock:rootfs rootfstype=squashfs noinitrd init=/sbin/init mtdparts=spi0.0:256k(u-boot)ro,128k(u-boot-env),64k(reserved),64k(art);spi0.1:4m(kernel-0)ro,40m(root-0),4m(kernel-1),40m(root-1),-(overlay) mem=64M rootfstype=squashfs noinitrd
```

`ubi.mtd` selects the boot slot. Counting the `mtdparts` partitions in order (`u-boot` = mtd0, `u-boot-env` = mtd1, `reserved` = mtd2, `art` = mtd3, `kernel-0` = mtd4, `root-0` = mtd5, `kernel-1` = mtd6, `root-1` = mtd7, `overlay` = mtd8), `ubi.mtd=5` attaches `root-0`, i.e. slot 0, and `ubi.mtd=7` attaches `root-1`, i.e. slot 1.

### ps

```
  PID USER       VSZ STAT COMMAND
    1 root      1580 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    4 root         0 IW<  [kworker/0:0H]
    6 root         0 IW<  [mm_percpu_wq]
    7 root         0 SW   [ksoftirqd/0]
    8 root         0 IW   [kworker/u2:1]
   32 root         0 SW   [oom_reaper]
   91 root         0 IW<  [writeback]
   93 root         0 IW<  [crypto]
   95 root         0 IW<  [kblockd]
  123 root         0 IW   [kworker/0:1]
  131 root         0 SW   [kswapd0]
  193 root         0 SW   [spi0]
  358 root         0 IW<  [ipv6_addrconf]
  360 root         0 IW<  [dsa_ordered]
  371 root         0 SW   [ubi_bgt0d]
  379 root         0 SW   [ubi_bgt1d]
  387 root         0 IW<  [kworker/0:1H]
  447 root         0 SW   [ubifs_bgt1_1]
  524 root      1212 S    /sbin/ubusd
  525 root       924 S    /sbin/askfirst /bin/secure-console.sh
  672 root      1252 S    /sbin/logd -S 64
  728 dnsmasq   1392 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
  782 root      1752 S    /sbin/netifd
  812 root      1324 S    /usr/sbin/crond -f -c /etc/crontabs -l 5
  848 root         0 IW   [kworker/0:2]
  874 fluentbi  6116 S    /usr/bin/fluent-bit -c /etc/fluentbit.conf
  894 root      3980 S    mosquitto -c /etc/mosquitto/mosquitto.conf
  911 root      4700 S    micropython /usr/bin/croupierd
  930 root      6844 S    /usr/bin/diagcd /etc/config/diagcd
  948 root      1320 S    /bin/sh /usr/sbin/factoryreset_daemon -d /var/platform-factoryreset/start
  971 root      1320 S    udhcpc -p /var/run/udhcpc-eth1.pid -s /lib/netifd/dhcp.script -f -t 3 -i eth1 -x hostname:LaVA -C
 1127 root     17008 S    /usr/sbin/ipbridge -p /home/ipbridge/var -z /dev/ttyZigbee -u /etc/channel/channel-config -h /hom
 1145 root      6048 S    /usr/bin/mdnsd
 1177 root      7604 S    nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf -g daemon off;
 1218 root      6472 S    micropython /usr/bin/updated --use_syslog --storage /home/updated/componentinfo.json --initial 17
 1238 root     12220 S    /usr/bin/behaviord --feature.smart_scene
 1269 root      8168 S    /usr/bin/clipd --clip_server_address 127.0.0.1:9003 --clip_api_schema /etc/clipd
 1287 root     10892 S    /usr/bin/stream --port_in=2100 --port_control_out=1338 --port_data_out=1339 --host-out=127.0.0.1
 1310 root     10116 S    /usr/bin/websocketcd --persistentlocation=/home/ipbridge/var --ca-filename=/etc/ca-certificates/c
 1342 root     11952 S    /usr/bin/hk_hap /etc/config/hk_hap
 1373 root      1644 S    /usr/bin/radar -c /etc/config/radar.json
 1502 root      1112 S    dropbear
 1632 nobody    7728 S    nginx: worker process
 1698 root      1444 S    ash /usr/bin/provisioning /etc/iot-credentials
 1753 root      4516 S    micropython /usr/bin/iot-connectivity --no-send-logs
 1760 root      1448 S    ash /usr/bin/provisioning /etc/iot-credentials
 1761 root      1444 S    ash /usr/bin/provisioning /etc/iot-credentials
 1762 root      1392 S    sleep 2h
 2129 root      1324 S<   /usr/sbin/ntpd -n -N -S /usr/sbin/ntpd-hotplug -S /etc/ntpd/ntpd.script -p time1.google.com -p ti
 2150 root      1180 S    dropbear
 2151 root      1328 S    -ash
 2274 root         0 IW   [kworker/u2:2]
 2381 root         0 IW   [kworker/u2:0]
 2405 root      1392 S    sleep 15s
```

### Installing opkg

`wget` and `opkg` are needed; fetch them from `https://downloads.openwrt.org/releases/19.07.8/packages/mips_24kc/`, which matches the OpenWrt release and architecture above. The feeds are signed, so `opkg update` verifies the package lists with `usign`:

```
root@LaVA:~# opkg update
Downloading http://downloads.openwrt.org/releases/19.07.8/packages/mips_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading http://downloads.openwrt.org/releases/19.07.8/packages/mips_24kc/base/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.8/packages/mips_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading http://downloads.openwrt.org/releases/19.07.8/packages/mips_24kc/packages/Packages.sig
Signature check passed.
```

### Remote syslog

In `/etc/config/system`, the standard OpenWrt `logd` options send the log to a remote host:

```
config system
    ...
    option log_ip <destination IP>
    option log_port <destination port>
    option log_proto <tcp or udp>
```

### Installed packages

```
root@LaVA:~# opkg list-installed
analytics - 0.0
argtable - 2.13-1
avahi-autoipd - 0.8-1
base-files - 204.4-r11364-ef56c85848
boost - 1.71.0-6
boost-atomic - 1.71.0-6
boost-chrono - 1.71.0-6
boost-date_time - 1.71.0-6
boost-filesystem - 1.71.0-6
boost-system - 1.71.0-6
boost-thread - 1.71.0-6
breakpad - 0.0.0
busybox - 1.30.1-6
ccronexpr - 20180523-1
chacha20-simple - 1.0-1
connectedhomeip - 1.0.0
cpp-adaptors - 0.0
croupierd - 0.0
curl - 7.66.0-3
curve25519-donna - 1.0-28772f37a4b8a57ab9439b9e79b19f9abee686da
dnsmasq - 2.80-16.3
dropbear - 2019.78-2
duktape - 2.5.0-1
ed25519-donna - 1.0-8757bd4cd209cb032853ece0ce413f122eef212c
firewall - 2019-11-22-8174814a-3
fluent-bit - 1.8.10
fstools - 2020-05-12-84269037-1
fwtool - 2
grpc - 2017-04-12-v1.2.4
hk_hap - 1.0
hostapd-common - 2019-08-08-ca8c2bd2-8
hue-behavior-daemon - 0.0
hue-clip-daemon - 0.0
hue-date-time - 0.0
hue-daytime - 0.0
hue-diagnostics-client-daemon - 0.0
hue-duktapecpp - 0.0
hue-fs-migration - 1.0
hue-ipbridge - 0.0
hue-libclientinterface - 0.0
hue-libloggingclient - 0.0
hue-lmdb-cpp - 0.0
hue-log - 0.0
hue-matter-daemon - 0.0
hue-mdnsd - 1.0
hue-micropython-libs - 0.0
hue-mqtt-client - 0.0
hue-mqtt-utils - 0.0
hue-networking - 0.0
hue-program-options - 0.0
hue-qsdk-deps - 1.0-1
hue-shell-diagnostics-client - 1.0
hue-stream - 0.0
hue-system - 0.0
hue-system-config - 0.0
hue-timer - 0.0
hue-timezone - 0.0
hue-util - 0.0
hue-watchdog-lib - 0.0
hue-web - 0.0
iot-connectivity - 0.0
ip6tables - 1.8.3-1
iptables - 1.8.3-1
iw - 5.0.1-1
jshn - 2020-05-25-66195aee-1
json-schema-validator - 2.1.0
json_checker - 2007-08-24
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 4.14.241-1-9e7cdf43b72fb90c151650560b7064a6
kmod-gpio-button-hotplug - 4.14.241-3
kmod-i2c-algo-bit - 4.14.241-1
kmod-i2c-core - 4.14.241-1
kmod-i2c-gpio - 4.14.241-1
kmod-ip6tables - 4.14.241-1
kmod-ipt-conntrack - 4.14.241-1
kmod-ipt-core - 4.14.241-1
kmod-ipt-nat - 4.14.241-1
kmod-nf-conntrack - 4.14.241-1
kmod-nf-conntrack6 - 4.14.241-1
kmod-nf-ipt - 4.14.241-1
kmod-nf-ipt6 - 4.14.241-1
kmod-nf-nat - 4.14.241-1
kmod-nf-reject - 4.14.241-1
kmod-nf-reject6 - 4.14.241-1
libatomic1 - 7.5.0-2
libblobmsg-json - 2020-05-25-66195aee-1
libc - 1.1.24-2
libcares - 1.15.0-4
libcurl4 - 7.66.0-3
libdaemon - 0.14-5
libedtls - 0.0
libevent2-core7 - 2.1.11-1
libffi - 3.3-2
libgcc1 - 7.5.0-2
libip4tc2 - 1.8.3-1
libip6tc2 - 1.8.3-1
libjson-c2 - 0.12.1-3.1
libjson-script - 2020-05-25-66195aee-1
libmbedtls12 - 2.16.10-1
libmosquitto-ssl - 2.0.10-dev-4
libmpack - v1.0-1
libnl-tiny - 0.1-5
libopenssl-conf - 1.1.1k-1
libopenssl1.1 - 1.1.1k-1
libpcre - 8.43-1
libprotobuf-c - 1.3.1-2
libpthread - 1.1.24-2
librt - 1.1.24-2
libsqlite3-0 - 3310100-1
libstdcpp6 - 7.5.0-2
libubox20191228 - 2020-05-25-66195aee-1
libubus20210603 - 2021-07-01-38c7fdd8-1
libuci20130104 - 2019-09-01-415f9e48-4
libugpio - 0.0.6-2
libxtables12 - 1.8.3-1
lmdb - 0.9.29-1
logd - 2019-06-16-4df34a4d-4
mdnsresponder - 878.200.35-1
micropython - 1.16-1
micropython-lib - 1.9.3-1
mosquitto-client-ssl - 2.0.10-dev-4
mosquitto-ssl - 2.0.10-dev-4
mtd - 24
musl-fts - 1.2.7-1
netifd - 2019-08-05-5e02f944-1
nginx-nchan - 1.2.6
nginx-ssl - 1.17.7-2
nlohmann_json - 3.9.1
openssh-sftp-server - 8.0p1-1
openssl-util - 1.1.1k-1
openwrt-keyring - 2021-02-20-49283916-2
platform-check-mount - 1.0
platform-crash-handler - 1.0
platform-factory-reset - 0.0
platform-fw-env - 0.0
platform-hotplug-ttyZigbee - 0.0
platform-memory-accounting - 1.0
platform-networking - 0.0
platform-platform-libs - 0.0
platform-secure-console - 0.0
platform-swupdate - 0.0
platform-sysctl - 0.0
platform-system - 0.0
platform-utils - 0.0
platform-webserver - 0.0
platform-websocketcd - 0.0
poly1305-donna - 1.0-dabffc6608eaca87d48c4ce9fc33a1e74a47e3f9
procd - 2020-03-07-09b9bd82-1
protobuf - 3.7.1-1
protobuf-lite - 3.7.1-1
provisioning - 0.0
radar - 1.0
rapidjson - 1.1.0
sha-1 - unknown
srp - 2.1.2-1
taocppjson - 1.0.0-beta.13
tlsdate - 2016-11-23
tomcrypt - 1.17-bbc52b9e1bf4b22ac4616e667b06d217c6ab004e
tommath - 0.42.0-6f5bf561220a04962fbcd56db940085de4b53327
ubi-utils - 2.1.1-1
uboot-envtools - 2018.03-3.1
ubox - 2019-06-16-4df34a4d-4
ubus - 2021-07-01-38c7fdd8-1
ubusd - 2021-07-01-38c7fdd8-1
uci - 2019-09-01-415f9e48-4
updated - 0.0
updated-flasher - 1.0
usign - 2020-05-23-f1f65026-1
utf8decoder - 2010-06-25
wget - 1.20.3-4
wpa-supplicant - 2019-08-08-ca8c2bd2-8
zigbee-firmware - 0.0
zlib - 1.2.11-3
```

Of these, the proprietary ones are the packages reported with version `0.0`:

```
root@LaVA:~# opkg list-installed | grep '\- 0.0'
analytics - 0.0
breakpad - 0.0.0
cpp-adaptors - 0.0
croupierd - 0.0
hue-behavior-daemon - 0.0
hue-clip-daemon - 0.0
hue-date-time - 0.0
hue-daytime - 0.0
hue-diagnostics-client-daemon - 0.0
hue-duktapecpp - 0.0
hue-ipbridge - 0.0
hue-libclientinterface - 0.0
hue-libloggingclient - 0.0
hue-lmdb-cpp - 0.0
hue-log - 0.0
hue-matter-daemon - 0.0
hue-micropython-libs - 0.0
hue-mqtt-client - 0.0
hue-mqtt-utils - 0.0
hue-networking - 0.0
hue-program-options - 0.0
hue-stream - 0.0
hue-system - 0.0
hue-system-config - 0.0
hue-timer - 0.0
hue-timezone - 0.0
hue-util - 0.0
hue-watchdog-lib - 0.0
hue-web - 0.0
iot-connectivity - 0.0
libedtls - 0.0
libugpio - 0.0.6-2
platform-factory-reset - 0.0
platform-fw-env - 0.0
platform-hotplug-ttyZigbee - 0.0
platform-networking - 0.0
platform-platform-libs - 0.0
platform-secure-console - 0.0
platform-swupdate - 0.0
platform-sysctl - 0.0
platform-system - 0.0
platform-utils - 0.0
platform-webserver - 0.0
platform-websocketcd - 0.0
provisioning - 0.0
updated - 0.0
zigbee-firmware - 0.0
```

(`libugpio` 0.0.6-2 and `breakpad` 0.0.0 also match the grep but are ordinary open-source packages, not Hue code.)

### Listening services

```
root@LaVA:~# netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1177/nginx.conf -g
tcp        0      0 0.0.0.0:1339            0.0.0.0:*               LISTEN      1127/ipbridge
tcp        0      0 0.0.0.0:1883            0.0.0.0:*               LISTEN      894/mosquitto
tcp        0      0 127.0.0.1:1886          0.0.0.0:*               LISTEN      874/fluent-bit
tcp        0      0 127.0.0.1:9001          0.0.0.0:*               LISTEN      1127/ipbridge
tcp        0      0 127.0.0.1:6666          0.0.0.0:*               LISTEN      1218/micropython
tcp        0      0 127.0.0.1:9003          0.0.0.0:*               LISTEN      1269/clipd
tcp        0      0 0.0.0.0:3245            0.0.0.0:*               LISTEN      1177/nginx.conf -g
tcp        0      0 127.0.0.1:3246          0.0.0.0:*               LISTEN      1269/clipd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1177/nginx.conf -g
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1218/micropython
tcp        0      0 0.0.0.0:8083            0.0.0.0:*               LISTEN      1177/nginx.conf -g
tcp        0      0 127.0.0.1:5555          0.0.0.0:*               LISTEN      1218/micropython
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      728/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1502/dropbear
tcp        0      0 :::443                  :::*                    LISTEN      1177/nginx.conf -g
tcp        0      0 :::1883                 :::*                    LISTEN      894/mosquitto
tcp        0      0 :::80                   :::*                    LISTEN      1177/nginx.conf -g
tcp        0      0 :::8080                 :::*                    LISTEN      1342/hk_hap
tcp        0      0 :::8083                 :::*                    LISTEN      1177/nginx.conf -g
tcp        0      0 :::22                   :::*                    LISTEN      1502/dropbear
udp        0      0 127.0.0.1:53            0.0.0.0:*                           728/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           728/dnsmasq
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1127/ipbridge
udp        0      0 0.0.0.0:53369           0.0.0.0:*                           1145/mdnsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1145/mdnsd
udp        0      0 :::53195                :::*                                1145/mdnsd
udp        0      0 :::5353                 :::*                                1145/mdnsd
```

### Devices

```
root@LaVA:~# ls -la /dev
drwxr-xr-x    4 root     root          1260 May 10 00:43 .
drwxr-xr-x    1 root     root           552 May 10 18:14 ..
drwxr-xr-x    3 root     root            60 Jan  1  1970 bus
crw-------    1 root     root        5,   1 May 10 00:42 console
crw-------    1 root     root       10,  63 Jan  1  1970 cpu_dma_latency
crw-rw-rw-    1 root     root        1,   7 Jan  1  1970 full
crw-------    1 root     root      254,   0 Jan  1  1970 gpiochip0
crw-------    1 root     root       89,   0 Jan  1  1970 i2c-0
crw-------    1 root     root        1,  11 Jan  1  1970 kmsg
srw-rw-rw-    1 root     root             0 May 10 00:42 log
crw-------    1 root     root       10,  60 Jan  1  1970 memory_bandwidth
crw-------    1 root     root       90,   0 Jan  1  1970 mtd0
crw-------    1 root     root       90,   1 Jan  1  1970 mtd0ro
crw-------    1 root     root       90,   2 Jan  1  1970 mtd1
crw-------    1 root     root       90,  20 Jan  1  1970 mtd10
crw-------    1 root     root       90,  21 Jan  1  1970 mtd10ro
crw-------    1 root     root       90,   3 Jan  1  1970 mtd1ro
crw-------    1 root     root       90,   4 Jan  1  1970 mtd2
crw-------    1 root     root       90,   5 Jan  1  1970 mtd2ro
crw-------    1 root     root       90,   6 Jan  1  1970 mtd3
crw-------    1 root     root       90,   7 Jan  1  1970 mtd3ro
crw-------    1 root     root       90,   8 Jan  1  1970 mtd4
crw-------    1 root     root       90,   9 Jan  1  1970 mtd4ro
crw-------    1 root     root       90,  10 Jan  1  1970 mtd5
crw-------    1 root     root       90,  11 Jan  1  1970 mtd5ro
crw-------    1 root     root       90,  12 Jan  1  1970 mtd6
crw-------    1 root     root       90,  13 Jan  1  1970 mtd6ro
crw-------    1 root     root       90,  14 Jan  1  1970 mtd7
crw-------    1 root     root       90,  15 Jan  1  1970 mtd7ro
crw-------    1 root     root       90,  16 Jan  1  1970 mtd8
crw-------    1 root     root       90,  17 Jan  1  1970 mtd8ro
crw-------    1 root     root       90,  18 Jan  1  1970 mtd9
crw-------    1 root     root       90,  19 Jan  1  1970 mtd9ro
brw-------    1 root     root       31,   0 Jan  1  1970 mtdblock0
brw-------    1 root     root       31,   1 Jan  1  1970 mtdblock1
brw-------    1 root     root       31,  10 Jan  1  1970 mtdblock10
brw-------    1 root     root       31,   2 Jan  1  1970 mtdblock2
brw-------    1 root     root       31,   3 Jan  1  1970 mtdblock3
brw-------    1 root     root       31,   4 Jan  1  1970 mtdblock4
brw-------    1 root     root       31,   5 Jan  1  1970 mtdblock5
brw-------    1 root     root       31,   6 Jan  1  1970 mtdblock6
brw-------    1 root     root       31,   7 Jan  1  1970 mtdblock7
brw-------    1 root     root       31,   8 Jan  1  1970 mtdblock8
brw-------    1 root     root       31,   9 Jan  1  1970 mtdblock9
crw-------    1 root     root       10,  62 Jan  1  1970 network_latency
crw-------    1 root     root       10,  61 Jan  1  1970 network_throughput
crw-rw-rw-    1 root     root        1,   3 Jan  1  1970 null
crw-rw-rw-    1 root     root        5,   2 May 10 18:20 ptmx
drwxr-xr-x    2 root     root             0 Jan  1  1970 pts
crw-rw-rw-    1 root     root        1,   8 Jan  1  1970 random
lrwxrwxrwx    1 root     root             8 Jan  1  1970 shm -> /tmp/shm
crw-rw-rw-    1 root     root        5,   0 Jan  1  1970 tty
crw-rw----    1 root     dialout   166,   0 May 10 18:20 ttyACM0
crw-rw----    1 root     dialout     4,  64 Jan  1  1970 ttyS0
lrwxrwxrwx    1 root     root            12 May 10 00:43 ttyZigbee -> /dev/ttyACM0
crw-------    1 root     root      253,   0 Jan  1  1970 ubi0
crw-------    1 root     root      253,   1 Jan  1  1970 ubi0_0
crw-------    1 root     root      252,   0 Jan  1  1970 ubi1
crw-------    1 root     root      252,   2 Jan  1  1970 ubi1_1
crw-------    1 root     root       10,  59 Jan  1  1970 ubi_ctrl
crw-rw-rw-    1 root     root        1,   9 Jan  1  1970 urandom
crw-------    1 root     root       10, 130 Jan  1  1970 watchdog
crw-rw-rw-    1 root     root        1,   5 Jan  1  1970 zero
```

### Configuration

Some JavaScript lives in `/home`, spread over several directories.
There is also an SQLite database.

### mosquitto

The config in `/etc/mosquitto/` bridges the local broker to Google's IoT MQTT endpoint: `/etc/mosquitto/inc/google_iot.conf` (the dump below is the generated `iot_bridge.conf`):

```
# cat /etc/mosquitto/inc/iot_bridge.conf
# dynamically generated configuration
connection google
bridge_reload_type lazy
address mqtt.2030.ltsapis.goog:443
bridge_insecure false
bridge_tls_version tlsv1.2
bridge_capath /etc/ssl/certs/google_iot
bridge_cafile /etc/ca-certificates/ca.ecc.cert-and-crls.pem
bridge_ciphers ECDHE-ECDSA-AES128-GCM-SHA256
bridge_ciphers_tls1.3 TLS_CHACHA20_POLY1305_SHA256
keepalive_interval 1170
bridge_tcp_keepalive 30 5 5
bridge_tcp_user_timeout 60000
restart_timeout 1 3600
bridge_protocol_version mqttv311
try_private false
bridge_attempt_unsubscribe false
bridge_outgoing_retain false
notifications_local_only true
notification_topic $SYS/broker/connection/google/state
local_clientid google
remote_username unused
remote_password eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJFUzI1NiJ9.eyJleHAiOiAxNjUyMjI5NzM4LCAiYXVkIjogImh1ZS1jbG91ZC1pb3QtcHJvdi1wcm9kIiwgImlhdCI6IDE2NTIxNDMzMzh9.xjyY4jgAn17BSqHJe5eS85pXbTIxREPpZIwFc9Zvxmdx2zOMp6tF4pohaVWc3-j9w4I95nhlUA-KRw8X0282vQ
remote_clientid projects/hue-cloud-iot-prov-prod/locations/europe-west1/registries/provisioning-prod/devices/EUID-ecb5fafffe8c32a5
topic # in 0 iot/in/ /devices/EUID-ecb5fafffe8c32a5/commands/
topic # out 1 iot/out/ /devices/EUID-ecb5fafffe8c32a5/events/
topic config in 1 iot/ /devices/EUID-ecb5fafffe8c32a5/
topic state out 0 iot/ /devices/EUID-ecb5fafffe8c32a5/
```

It contains the CA paths, the password (a JWT, see `iot_connectivity` further down) and the client id: very interesting. The `topic` lines map remote topics to local ones in both directions: `/devices/<id>/commands/#` and `/devices/<id>/config` come in as `iot/in/#` and `iot/config`, while local `iot/out/#` and `iot/state` go out as `/devices/<id>/events/#` and `/devices/<id>/state`.

To make the broker reachable from outside, add `listen 1883` to `/etc/mosquitto/mosquitto.conf`.

MQTT is the main communication channel inside the bridge.

#### Decoding binary messages

Messages on the `dt/clip/+/+` topics are zlib-compressed, but as a raw deflate stream without the zlib header and trailer, hence `wbits=-15` when decompressing. `cmd/clip/event/publish` carries plain JSON.

```python
#!/usr/bin/env python3
# dlitz 2021, public domain
#
# Subscribe to the bridge's local broker and dump every message as JSON.
# Written against paho-mqtt 1.x; with paho-mqtt 2.x pass
# mqtt.CallbackAPIVersion.VERSION1 as the first argument to mqtt.Client().
import base64
import json
import sys
import zlib

import paho.mqtt.client as mqtt  # pip install paho-mqtt

DATA_TOPIC = "dt/clip/+/+"              # raw-deflate compressed JSON
EVENT_TOPIC = "cmd/clip/event/publish"  # plain JSON


def decode_raw_deflate(payload):
    # wbits=-15: raw deflate, no zlib header/trailer
    return json.loads(zlib.decompress(payload, wbits=-15))


def decode_plain(payload):
    return json.loads(payload)


def main():
    client = mqtt.Client(protocol=mqtt.MQTTv5, transport="tcp")
    client.enable_logger()
    client.on_connect = on_connect
    client.message_callback_add(DATA_TOPIC, handle_data_message)
    client.message_callback_add(EVENT_TOPIC, handle_event_message)
    client.connect("localhost", 1883)  # or the bridge's IP once "listen 1883" is set
    client.loop_forever()


def on_connect(client, userdata, flags, rc, properties):
    client.subscribe(DATA_TOPIC)
    client.subscribe(EVENT_TOPIC)


def dump(msg, decode):
    # Print the raw message (base64) next to its decoded form plus the MQTT metadata.
    out = {
        'timestamp': msg.timestamp,
        'state': msg.state,
        'dup': msg.dup,
        'mid': msg.mid,
        'topic': msg.topic,
        'payload_b64': base64.b64encode(msg.payload).decode('UTF-8'),
        'payload_decoded': decode(msg.payload),
        'qos': msg.qos,
        'retain': msg.retain,
        'info': {
            'mid': msg.info.mid,
            'rc': msg.info.rc,
        },
        'properties': msg.properties.json(),
    }
    print(json.dumps(out, indent=2))
    sys.stdout.flush()


def handle_data_message(client, userdata, msg):
    dump(msg, decode_raw_deflate)


def handle_event_message(client, userdata, msg):
    dump(msg, decode_plain)


if __name__ == '__main__':
    main()
```

### HTTP reverse proxy

nginx with TLS. Authentication is done with a custom bridge certificate that the phone app trusts; the keys are EC. Additional binary services sit behind it on various ports.
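The `remote_password` in the bridge config above is not a static secret but a JWT. The following script is an added example (not code from this page, from the dlitz script below, or from Hue): it decodes that token offline with the standard library only, checks that its `aud` claim matches the project in `remote_clientid`, and reports its lifetime. Google Cloud IoT Core authenticated devices with exactly this shape of token: `aud` = GCP project id, `alg` ES256 or RS256, lifetime at most 24 hours. The token quoted on the page expired on 2022-05-11, so the leaked value is a forensic artefact rather than a reusable credential; what matters is the key that signs new ones, `/etc/iot-credentials/private_key.pem`.

```python
"""Inspect the JWT that mosquitto presents as remote_password to Google's MQTT bridge."""
import base64
import json
from datetime import datetime, timezone

# Copied from the iot_bridge.conf dump above (expired 2022-05-11; useless as a credential).
BRIDGE_JWT = (
    "eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJFUzI1NiJ9"
    ".eyJleHAiOiAxNjUyMjI5NzM4LCAiYXVkIjogImh1ZS1jbG91ZC1pb3QtcHJvdi1wcm9kIiwgImlhdCI6IDE2NTIxNDMzMzh9"
    ".xjyY4jgAn17BSqHJe5eS85pXbTIxREPpZIwFc9Zvxmdx2zOMp6tF4pohaVWc3-j9w4I95nhlUA-KRw8X0282vQ"
)
REMOTE_CLIENTID = ("projects/hue-cloud-iot-prov-prod/locations/europe-west1"
                   "/registries/provisioning-prod/devices/EUID-ecb5fafffe8c32a5")


def b64url_decode(segment):
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt(token):
    """Split header.payload.signature. Nothing here verifies the signature:
    that needs the public half of /etc/iot-credentials/private_key.pem."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "claims": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),  # ES256: raw r || s, 64 bytes
    }


def project_id_from_clientid(client_id):
    """Cloud IoT Core client ids look like projects/<id>/locations/.../devices/<name>."""
    parts = client_id.split("/")
    return parts[parts.index("projects") + 1]


def inspect_token(token, client_id, now=None):
    """Summarise the token the way a forensic note would: algorithm, audience, validity."""
    jwt = parse_jwt(token)
    claims = jwt["claims"]
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    return {
        "alg": jwt["header"].get("alg"),
        "signature_len": len(jwt["signature"]),
        "aud": claims["aud"],
        # iot-connectivity sets aud to the project id from service.json; the broker
        # rejects the login unless it equals the project in remote_clientid.
        "aud_matches_client_project": claims["aud"] == project_id_from_clientid(client_id),
        "issued_at": datetime.fromtimestamp(claims["iat"], timezone.utc).isoformat(),
        "expires_at": datetime.fromtimestamp(claims["exp"], timezone.utc).isoformat(),
        "lifetime_s": claims["exp"] - claims["iat"],
        "expired": now >= claims["exp"],
    }


if __name__ == "__main__":
    print(json.dumps(inspect_token(BRIDGE_JWT, REMOTE_CLIENTID), indent=2))
```

Running it shows the token was issued at 2022-05-10T00:42:18Z, the same minute the `/dev/console` timestamp in the listing above was created, i.e. the bridge minted it right after boot, with the full 24 h lifetime.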
Mirroring can be set up to eavesdrop on the traffic despite TLS, since nginx terminates it:

```nginx
server {
    location = /mirror {
        internal;
        proxy_pass http://HOST:PORT$request_uri;
    }

    location / {
        mirror /mirror;
        # include the remaining configs: api, clipd, entertainment etc.
    }
}
```

### micropython

```
MicroPython 31f2f76c on 2021-07-29; linux version
Use Ctrl-D to exit, Ctrl-E for paste mode
>>>
>>> from bridge.bootslot import Bootslot
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: no module named 'bridge'
```

Import problem; look for the module path:

```
MicroPython 31f2f76c on 2021-07-29; linux version
Use Ctrl-D to exit, Ctrl-E for paste mode
>>> import sys
>>> sys.path
['', '/root/.micropython/lib', '/usr/lib/micropython']
```

Nothing under root's home, keep looking:

```
root@LaVA:/# find -type f -name '*bridge*'
...
./usr/bin/croupier/utilities/bridge.py
./usr/bin/update/bridge_component.py
./usr/bin/update/ipbridge_frontend.py
...
```

Got it.

## factoryreset.sh

```shell
#!/bin/sh
SELF=`basename $0`
set -o pipefail

# Includes
. /lib/functions/mtd.sh

log_tty() {
    log "$*" >/dev/ttyS0
}

log_tty "!!! Executing factoryreset !!!"

upgradeFlags () {
    # set factory reset in progress
    # remove datafs_format contents, so migration runs again in case of downgrade to jffs2
    fw_setenv --script - <<-EOF
resetting_to_factory 1
datafs_format
EOF
}

# Copy resetreason if provided
if [ -f /var/platform/ipbridge-resetreason ]; then
    resetreason=`cat /var/platform/ipbridge-resetreason`
    fw_setenv resetreason ${resetreason}
fi

upgradeFlags
shuthuedown
reboot
```

## Modification options

# Services on the bridge

## fluent-bit

Logs and diagnostics.

## ipbridge

The Zigbee/IP bridge.

## websocketcd

Used for remote control through the Hue app; speaks protobuf.

## updated

A Python program that updates the bridge firmware; works with the boot slots.

## clipd

HTTP server for the Hue API: https://developers.meethue.com/develop/get-started-2/

## behaviord

Hard to determine.

## stream

Spotify stream for the sync feature. It starts an HTTP server on port 9004 when a sync begins and shuts it down when the sync ends. It receives a lot of data at once, most likely the whole song:

```
<14>May 12 12:24:37 LaVA stream: got request target: /stream/v1/chunk
<14>May 12 12:24:37 LaVA stream: Got POST request. Body size 46555 bytes
<14>May 12 12:24:37 LaVA stream: send response code: 200
```

Any change of the stream parameters triggers a new request, as does seeking within the song (curiously, the closer to the end, the smaller the requests get).

### Stream start

```
<13>May 12 11:47:58 LaVA stream: [EDTLS_SRVR] Starting server...
<13>May 12 11:47:58 LaVA stream: [EDTLS_SRVR] address=::, port=2100, readTimeoutSeconds=10
<13>May 12 11:47:58 LaVA stream: [EDTLS_SRVR] Create socket...
<13>May 12 11:47:58 LaVA stream: [EDTLS_SRVR_WRPR] Seeding the random number generator...
<13>May 12 11:47:58 LaVA stream: [EDTLS_SRVR_WRPR] Seeding ok
<13>May 12 11:47:58 LaVA stream: [EDTLS_SRVR_WRPR] Bind on udp ::/2100 ...
<13>May 12 11:47:59 LaVA stream: [EDTLS_SRVR_WRPR] Bind ok
<13>May 12 11:47:59 LaVA stream: [EDTLS_SRVR] Create socket ok
<13>May 12 11:47:59 LaVA stream: [EDTLS_SRVR] Create session...
<13>May 12 11:47:59 LaVA stream: [EDTLS_SRVR_WRPR] Setting up the DTLS data...
<13>May 12 11:47:59 LaVA stream: [EDTLS_SRVR_WRPR] Setting up the DTLS data ok
<13>May 12 11:47:59 LaVA stream: [EDTLS_SRVR_WRPR] Created session with sequenceNr=1
<13>May 12 11:47:59 LaVA stream: [EDTLS_SRVR] Create session ok
<13>May 12 11:47:59 LaVA stream: [EDTLS_SRVR] Started server...
<13>May 12 11:47:59 LaVA ipbridge: [entertainment_configuration_activity_monitor.cpp,107,ProcessEntertainmentConfigurationResource: Entertainment Configuration with id 1b705544-3b99-4ac7-b1bc-0838e8ae33c3 has status active]
<13>May 12 11:47:59 LaVA ipbridge: [stream_connector.cpp,171,STREAM_CONNECTOR_StartOrUpdateConfiguration: group_id:200, id:1b705544-3b99-4ac7-b1bc-0838e8ae33c3, #channels:1, stream_owner:af93b7cc-ba26-4920-b2af-ff616621b545]
<13>May 12 11:47:59 LaVA ipbridge: [statelog.cpp,167,T:CLIP_V2, M:1, R:1, ID:200, A:0x0000000001000000]
<13>May 12 11:47:59 LaVA ipbridge: [statelog.cpp,167,T:CLIP_V2, M:1, R:1, ID:200, A:0x0000000002000000]
<13>May 12 11:47:59 LaVA ipbridge: [stream_connector.cpp,199,STREAM_CONNECTOR_SetProxyNode: proxy_node:d5ed82a3-6bc7-4d26-a706-d63d6325d15b]
<14>May 12 11:47:59 LaVA stream: Successfully updated Entertainment Configuration with uuid: 1b705544-3b99-4ac7-b1bc-0838e8ae33c3
```

### Stream stop

```
```

## provisioning

Requests the certificates for Google's MQTT, possibly also for the HTTP proxy.

An interesting function: it checks what kind of device this is (test, local, etc.). On a production bridge the value is `HueBridge2K15`. Since `ctn` is read from the U-Boot environment (`fw_printenv -n ctn`), whoever controls that environment (you, after the bootloader step above) also controls which server and which HKDF context provisioning uses.

```shell
set_ctn_dependent_variables () {
    local url
    local ctn
    local ctx
    local env_check_return_code

    ctn=$(fw_printenv -n ctn)
    env_check_return_code=$?

    case ${ctn} in
        "HueBridge2K15")
            url="${prod_server_url}"
            ctx="${prod_hkdf_ctx}"
            ;;
        "HBsystem"|"HBPortal")
            url="${test_server_url}"
            ctx="${test_hkdf_ctx}"
            ;;
        "HBDev")
            url="${hbdev_server_url}"
            ctx="${hbdev_hkdf_ctx}"
            ;;
        "localhost")
            url="${local_server_url}"
            ctx="${local_hkdf_ctx}"
            ;;
        *)
            log_message "No CTN, exiting..."
            exit_with "${error_no_ctn}"
            ;;
    esac

    readonly server_url="${url}"
    readonly hkdf_ctx="${ctx}"

    return ${env_check_return_code}
}
```

Provisioning URLs and HKDF contexts:

```shell
readonly hbdev_hkdf_ctx="iot-v1-dev"
readonly test_hkdf_ctx="iot-v1-system"
readonly prod_hkdf_ctx="iot-v1-prod"
readonly local_hkdf_ctx="signingKey_PoC"

readonly hbdev_server_url="https://provision-dev.meethue.com"
readonly test_server_url="https://provision-system.meethue.com"
readonly prod_server_url="https://provision.meethue.com"
readonly local_server_url="http://localhost:3000"
```

`hkdf_ctx` is used when deriving the `HMAC-SHA256` signing key. The private key `/etc/iot-credentials/private_key.pem` is generated by the provisioning script (see the private key step below).

## iot_connectivity

- generates the config for connecting to Google's MQTT
- generates the JWT used as the MQTT password
  - `aud`: the project id from `/etc/iot-credentials/service.json`
  - signed with the private key from `/etc/iot-credentials/private_key.pem`

# More info

## How the certificate is obtained

### provisioning main flowchart

```flow
st=>start: Start
s=>end: Success
e=>end: Error
op=>operation: Load signing keys
op2=>operation: Create private key
op3=>operation: Create CSR
op4=>operation: Send certificate request
op5=>operation: Verify signature
http=>condition: HTTP code?
sig=>condition: Signature valid?

st->op->op2->op3->op4->http
http(yes@200)->op5
http(no@other)->op5
op5->sig
```

### Generating the private key

`openssl ecparam -name prime256v1 -genkey -out "${private_key_file}"`

### Generating the CSR

CSR fields:

- C = NL
- Organization = Philips Hue
- Common Name = bridge_id

The bridge ID is the value of the fw env variable `eui64`.
For KC-IGxZ1-1001: `ecb5fafffe8c32a5`. The ID is printed on the sticker on the back of the bridge.

```shell
create_csr () {
    local subj="/C=${country}/O=${organization}/CN=${bridge_id}"

    openssl req -new -config "${openssl_cfg}" -extensions client_cert -key "${private_key_file}" -batch -subj "${subj}" | _replace_newlines_with_sequence
}
```

`_replace_newlines_with_sequence` replaces newline characters with the escaped sequence `\n`, so the PEM fits into a JSON string.

### Building the JSON request payload

```json
{
  "timestamp": 1652214324,
  "token": "1652214324",
  "devicetype": "bsb002",
  "certtype": "iot-v1",
  "reason": "UNKNOWN, TO BE DETERMINED",
  "csr": "<CSR>"
}
```

`reason` is passed in from the caller of the `get_signed_certificate` program:

```
use as: /usr/bin/get_signed_certificate [reason] [destination_path]
```

No example invocation has been found yet, so its value is not known.

### Generating the signing key

A 512-bit key is generated as a hex string and then split in half:

- B2PE: bridge to portal; signs messages from the bridge to the server
- PE2B: portal to bridge; verifies the signature of the server's responses

The key is derived from the `portal_key` mentioned earlier (readable from the fw env variable `portal`; for KC-IGxZ1-1001 it is `1bce49e88efeecd7672eed1af91b3b6d`, for Jedrzej's bridge `c9ad27a8646f565d6324c35f2bb4c9d2`), a salt, which is the bridge ID, and the info string, which is converted to hex.
For bridge KC-IGxZ1-1001 the values are:

```
input_key_material: 1bce49e88efeecd7672eed1af91b3b6d
salt: ecb5fafffe8c32a5
info: iot-v1-prod
```

The function that derives the 512-bit key:

```shell
hkdf () {
    local length="${1}"
    local input_key_material="${2}"
    local salt="${3}"
    local info="${4}"
    local hash_len=32

    if [ "${salt}" = "" ]; then
        salt=$( print_repeated_string '0' $((hash_len * 2)) ) # times 2 because we're using hex
    fi

    local rounds
    local Ki
    local hex_info
    local okm=""
    local t=""

    rounds=$(ceil_div "${length}" "${hash_len}")
    Ki=$(valueof "${input_key_material}" | hex_to_bin | hmac_sha256 "${salt}")
    hex_info=$(valueof "${info}" | bin_to_hex)

    for i in $(seq 1 "${rounds}"); do
        t=$(printf "%s%s%02x" "${t}" "${hex_info}" "${i}" | hex_to_bin | hmac_sha256 "${Ki}")
        okm="${okm}${t}"
    done

    valueof "${okm}" | cut -c1-$((2*length))
}
```

`hmac_sha256 KEY_HEX` reads the data from stdin and keys the MAC with `hexkey:`; written out, the base64 variant used elsewhere in the script is:

```
hmac_sha256_base64 () {
    openssl dgst -sha256 -binary -mac HMAC -macopt "hexkey:${1}" | base64_encode
}
```

Pseudo-code (Python-like; `HMAC-SHA256(data, key)` takes the data first, key second, mirroring the shell helper):

```
t = ""
okm = ""
Ki = HMAC-SHA256(PORTAL_KEY, BRIDGE_ID)
for i in range(1, rounds + 1):   # seq 1 rounds; rounds = ceil(64 / 32) = 2
    t = HMAC-SHA256(t + hex(HKDF_CTX) + "{:02x}".format(i), Ki)
    okm += t
return okm
```

The function runs 2 rounds, each adding 256 bits from HMAC-SHA256. This is plain HKDF (RFC 5869) with SHA-256: extract with the bridge ID as salt and the portal key as IKM, then expand with the context string as info. The key we care about for signing requests (`B2PE`) is therefore just the first round:

`HMAC-SHA256(hex(HKDF_CTX) + "01", HMAC-SHA256(PORTAL_KEY, BRIDGE_ID))`

Computed by hand and checked against the script, which produces the same: `bfb6f26ee296392c2774bad4b96704bc176fe35d5762beac68243a936073debd`

### Signing a request

The signature is `HMAC-SHA256` keyed with `B2PE`, obtained in the step above.

### Sending the CSR request

curl is called with the Hue root CA explicitly (`/etc/ca-certificates/ca/ecc/cert-and-crls.pem`), so a proxy certificate will not be accepted unless that CA file is swapped.
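The derivation and signing described in this section, collected into one runnable Python script as an added example before looking at the request itself. This is not the bridge's code (the shell `hkdf()` above is); it is a stdlib-only re-implementation that uses the values quoted for KC-IGxZ1-1001, checks itself against the RFC 5869 SHA-256 test vector, and shows the B2PE/PE2B split. What exactly gets HMACed for the `Signature` header is not stated on the page, so `sign_request` assumes the raw JSON body as the signed data and base64 output (the shell has an `hmac_sha256_base64` helper); treat both as assumptions to confirm against the script. `PAGE_REPORTED_B2PE` is the hand-computed value quoted above, kept here only so the script can say whether it reproduces it.

```python
"""Re-implementation of the bridge's shell hkdf() plus request signing (added example)."""
import base64
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output, the shell script's hash_len

# Values quoted on the page for bridge KC-IGxZ1-1001
PORTAL_KEY_HEX = "1bce49e88efeecd7672eed1af91b3b6d"  # fw env "portal"
BRIDGE_ID_HEX = "ecb5fafffe8c32a5"                   # fw env "eui64"
HKDF_CTX = "iot-v1-prod"                             # prod_hkdf_ctx
PAGE_REPORTED_B2PE = "bfb6f26ee296392c2774bad4b96704bc176fe35d5762beac68243a936073debd"


def hkdf_sha256(length, ikm, salt, info):
    """RFC 5869 HKDF with SHA-256, step for step what the shell hkdf() does.

    extract: PRK  = HMAC(key=salt, data=IKM)      (empty salt -> hash_len zero bytes)
    expand:  T(i) = HMAC(key=PRK, data=T(i-1) || info || byte(i)),  i = 1..rounds
    """
    if not salt:
        salt = bytes(HASH_LEN)
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    rounds = -(-length // HASH_LEN)  # ceil_div(length, hash_len)
    okm, t = b"", b""
    for i in range(1, rounds + 1):
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
    return okm[:length]


def derive_portal_keys(portal_key_hex, bridge_id_hex, hkdf_ctx):
    """512-bit OKM split in half: B2PE (bridge->portal) and PE2B (portal->bridge).

    IKM = portal key (hex decoded), salt = bridge id (hex decoded),
    info = the context string as bytes (what the shell's bin_to_hex turns into hex).
    """
    okm = hkdf_sha256(64, bytes.fromhex(portal_key_hex),
                      bytes.fromhex(bridge_id_hex), hkdf_ctx.encode("ascii"))
    return {"B2PE": okm[:HASH_LEN], "PE2B": okm[HASH_LEN:]}


def b2pe_direct(portal_key_hex, bridge_id_hex, hkdf_ctx):
    """The shortcut stated on the page: B2PE = HMAC(ctx || 0x01, HMAC(portal_key, bridge_id))."""
    prk = hmac.new(bytes.fromhex(bridge_id_hex), bytes.fromhex(portal_key_hex), hashlib.sha256).digest()
    return hmac.new(prk, hkdf_ctx.encode("ascii") + b"\x01", hashlib.sha256).digest()


def sign_request(b2pe, body):
    """HMAC-SHA256 keyed with B2PE, base64 like hmac_sha256_base64().
    Assumption (not stated on the page): the signed data is the raw JSON body."""
    return base64.b64encode(hmac.new(b2pe, body, hashlib.sha256).digest()).decode("ascii")


def verify_response(pe2b, body, signature_b64):
    """Check a portal->bridge signature with PE2B; reject garbage, compare in constant time."""
    expected = hmac.new(pe2b, body, hashlib.sha256).digest()
    try:
        given = base64.b64decode(signature_b64, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, given)


def b2pe_matches_page():
    """True if this derivation reproduces the value the page reports for KC-IGxZ1-1001."""
    return derive_portal_keys(PORTAL_KEY_HEX, BRIDGE_ID_HEX, HKDF_CTX)["B2PE"].hex() == PAGE_REPORTED_B2PE


if __name__ == "__main__":
    keys = derive_portal_keys(PORTAL_KEY_HEX, BRIDGE_ID_HEX, HKDF_CTX)
    print("B2PE:", keys["B2PE"].hex())
    print("PE2B:", keys["PE2B"].hex())
    print("matches value reported on the page:", b2pe_matches_page())
    # Constructed body in the shape of the JSON payload described above (csr left out).
    body = b'{"timestamp": 1652214324, "token": "1652214324", "devicetype": "bsb002", "certtype": "iot-v1"}'
    print("Signature:", sign_request(keys["B2PE"], body))
```

Because the whole key material is the 128-bit `portal` env value plus a public bridge ID and a fixed context string, anyone who can read the U-Boot environment of a bridge can derive both halves and impersonate that bridge towards the provisioning portal, or forge "portal" responses to it; the derivation adds no secrecy beyond what `portal` already carries.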
```
POST /cert
Host: provision.meethue.com
Content-Type: application/json
protocol-version: 2
key-version: 2
sw-version: 1950111030
Device-Id: ecb5fafffe8c32a5
Signature: <SIG>
```

`sw-version` comes from `/etc/swversion`. It is also visible in the Hue app as the patch component (major.minor.patch) of the bridge version.

`Device-Id` is the bridge ID described above.

## Interesting files

- `/etc/ca-certificates/ca/ecc/cert-and-crls.pem`: the Hue root CA

## Config on Arch

The laptop hands the bridge an address on `enp0s31f6` and NATs it out through `wlp0s20f3`. IP forwarding (`net.ipv4.ip_forward=1`) has to be enabled as well.

```shell
# NAT
iptables -t nat -A POSTROUTING -o wlp0s20f3 -j MASQUERADE
iptables -A FORWARD -i wlp0s20f3 -o enp0s31f6 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s31f6 -o wlp0s20f3 -j ACCEPT

# IP
ip addr add dev enp0s31f6 192.168.111.10/24

# DHCP
dnsmasq --dhcp-range=192.168.111.11,192.168.111.11,255.255.255.0 --interface=enp0s31f6 --dhcp-option=6,1.1.1.1,1.0.0.1 --no-daemon
```

## URLs

- https://community.home-assistant.io/t/native-mqtt-push-updates-from-hue-hub/299504
- https://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/
- https://blog.andreibanaru.ro/2018/03/27/philips-hue-2-1-enabling-wifi/

## Other

The Hue hub also has a couple really nice DIY/remote-admin features: it supports pointing syslog at a custom host, and SSH pubkey authentication, and you can save these parameters in the boot variables, so they are preserved across firmware updates. From the u-boot prompt, I did something like:

```
# Remove root user password (disables remote password auth)
setenv security

# Set the contents of root's authorized_keys file
setenv authorized_keys 'ssh-rsa AAAA[...] user@host'

# syslog destination
setenv logdest '192.0.2.1:514'
```