OpenWrt Forum Archive

Topic: Philips Hue Bridge v2 hacked (root access)

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
pepe2k
19 Jul 2016, 20:57

Hello!

Philips Hue Bridge v2 owners might be interested in this.
I hope it won't get removed as on reddit...

I saw @wehooper4 work on "jailbreaking" Philips Hue Bridge v2 and decided to continue, based on what was already discovered. After several hours I was finally able to break inside.

BusyBox v1.19.4 (2016-05-10 15:28:31 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

 _    _ _    _ ______   ____       _     _              ___    ___
| |  | | |  | |  ____| |  _ \     (_)   | |            |__ \  / _ \
| |__| | |  | | |__    | |_) |_ __ _  __| | __ _  ___     ) || | | |
|  __  | |  | |  __|   |  _ <| '__| |/ _` |/ _` |/ _ \   / / | | | |
| |  | | |__| | |____  | |_) | |  | | (_| | (_| |  __/  / /_ | |_| |
|_|  |_|\____/|______| |____/|_|  |_|\__,_|\__, |\___| |____(_)___/
                                            __/ |
                                           |___/
--------------------------------------------------------------------
Version: 33370
--------------------------------------------------------------------
root@Philips-hue:~#
root@Philips-hue:~# cat /etc/openwrt_release
DISTRIB_ID="QSDK.BSB002"
DISTRIB_RELEASE="1.9"
DISTRIB_REVISION="r40838"
DISTRIB_CODENAME="bsb002"
DISTRIB_TARGET="ar71xx/generic"
DISTRIB_DESCRIPTION="QSDK.BSB002 BSB002 1.9"
DISTRIB_TAINTS="no-all busybox override"

TL;DR: you will need solder skills and UART access to the device.

1. Access to U-Boot CLI

First of all, we need to get access to the U-Boot command line, to be able to load custom firmware. Because of the boot delay environment variable set to 0 seconds, U-Boot in Hue Bridge v2 doesn't allow to interrupt booting process at all, so the idea was to break it somehow. The easiest way for that is to temporary disconnect SPI NAND FLASH as it's the one U-Boot is loading kernel from.

There are several ways to make that, including removing whole chip from the board, but thanks to PCB designers, there is a jumper resistor on CS line for the SPI NAND - R31 (top of the PCB, under main SoC, right bottom corner here). When it's removed, the SoC is not able to enable NAND chip and... U-Boot returns to main loop (CLI):

eth1 up
eth0, eth1
Qualcomm Atheros SPI NAND Driver, Version 0.1 (c) 2014  Qualcomm Atheros Inc.
ath_spi_nand_ecc: Couldn't enable internal ECC
Setting 0x181162c0 to 0x3061a100
Hit any key to stop autoboot:  0 

** Device 0 not available
ath>

Now we can change bootdelay to something bigger than 0 and save changes (happily this U-Boot version supports writable environment):

ath> setenv bootdelay 3
ath> saveenv

Saving Environment to Flash...
Protect off 9F040000 ... 9F04FFFF
Un-Protecting sectors 4..4 in bank 1
Un-Protected 1 sectors
Protect off 9F050000 ... 9F05FFFF
Un-Protecting sectors 5..5 in bank 1
Un-Protected 1 sectors
Erasing Flash... 9F050000 ... 9F05FFFF ...Erasing flash... 
First 0x5 last 0x5 sector size 0x10000
   5
Erased 1 sectors
Writing to Flash...  9F050005 ... 9F060000 ...write addr: 9f050000
write addr: 9f040004
done
Protecting sectors 5..5 in bank 1
Protected 1 sectors
Protecting sectors 4..4 in bank 1
Protected 1 sectors
ath>

Power down device and solder back jumper resistor to make NAND works again.

2. Dump and extract firmware

In next step I prepared initramfs version of OpenWrt CC image with SPI NAND FLASH support (based on code for GL-AR300M, which is based on same platform), booted it and downloaded dumps from all mtd partitions:

root@OpenWrt:/# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00020000 00010000 "u-boot-env"
mtd2: 00010000 00010000 "reserved"
mtd3: 00010000 00010000 "art"
mtd4: 00400000 00020000 "kernel-0"
mtd5: 02800000 00020000 "root-0"
mtd6: 00400000 00020000 "kernel-1"
mtd7: 02800000 00020000 "root-1"
mtd8: 02800000 00020000 "overlay"

As it turned out, rootfs filesystem is SquashFS inside UBI container (thanks to my colleague @obsy for help with extracting the firmware). Just for reference: extracted root-0 filesystem, from some older version of Hue firmware.

3. How to get root password/access?!

My first idea was simple: extract firmware, change/remove root password, pack firmware and put it back to NAND. But... during looking around, I found script which was called every boot:

#!/bin/sh
# Copyright (C) 2015 Philips Lighting

unset UBOOT_SECURITY_STRING
unset SHADOW_SECURITY_STRING

abort() {
    echo -e "$*"
    sleep 1
    exit 1
}

isUBootEnvironmentReady() {
    fw_printenv >/dev/null 2>/dev/null
    return $?
}

updateUBootSecurityString() {
    UBOOT_SECURITY_STRING=`fw_printenv -n security 2>/dev/null`
    return $?
}

updateShadowSecurityString() {
    SHADOW_SECURITY_STRING=`awk -F ':' '/^root:/{print $2}' /etc/shadow`
    return $?
}

escapeStringForSed() {
    echo "$1" | sed -e 's/[\/&]/\\&/g'
}

patchShadowSecurityString() {
    local ESCAPED_SECURITY_STRING=`escapeStringForSed $1`
    sed -i 's/^\(root:\)\([^:]*\)\(.*\)$/\1'${ESCAPED_SECURITY_STRING}'\3/g' /etc/shadow
    return $?
}

syncShadowWithUBootSecurityString() {
    updateUBootSecurityString
    updateShadowSecurityString
    if [ "${SHADOW_SECURITY_STRING}" != "${UBOOT_SECURITY_STRING}" ]; then
        patchShadowSecurityString ${UBOOT_SECURITY_STRING}
    fi
    return $?
}

if ! isUBootEnvironmentReady; then
    abort "Init in progress: Please try again later..."
fi

if ! syncShadowWithUBootSecurityString; then
    unset UBOOT_SECURITY_STRING
fi

The script reads value of security U-Boot environment variable, compares it with current root password hash and updates it if they are not the same... So, back to U-Boot CLI:

ath> setenv security $1\$AeKNkgji\$haI72VcQ8Yi9K5gtL5T1F0
ath> saveenv
Saving Environment to Flash...
Protect off 9F050000 ... 9F05FFFF
Un-Protecting sectors 5..5 in bank 1
Un-Protected 1 sectors
Protect off 9F040000 ... 9F04FFFF
Un-Protecting sectors 4..4 in bank 1
Un-Protected 1 sectors
Erasing Flash... 9F040000 ... 9F04FFFF ...Erasing flash...
First 0x4 last 0x4 sector size 0x10000                                                                                                                                                                                                      4
Erased 1 sectors
Writing to Flash...  9F040005 ... 9F050000 ...write addr: 9f040000
write addr: 9f050004
done
Protecting sectors 4..4 in bank 1
Protected 1 sectors
Protecting sectors 5..5 in bank 1
Protected 1 sectors
ath> reset

And that's all. From now, your root password is: root

HAPPY HACKING!

(Last edited by pepe2k on 19 Jul 2016, 22:48)

Post #2
pepe2k
21 Jul 2016, 13:37

Just a small update with shorter instruction and photo of the PCB.

1. UART
UART is located in J1 and J6 (standard 2,54 mm pitch header), J6 pinout:
1 - GND
4 - RX
5 - TX


2. R31 (jumper on SPI NAND CS signal)
http://www.tech-blog.pl/pliki/2016-07-21_142828.jpg


3. Step by step instruction

1. Remove R31.
2. Connect over UART (115200 8n1) and power up device.
3. Wait for U-Boot CLI ready and issue:

setenv bootdelay 3
setenv security $1\$AeKNkgji\$haI72VcQ8Yi9K5gtL5T1F0
saveenv

4. Power down device and solder back R31 (or make there jumper with solder or a wire).
5. Power up the device, login with: root/root

(Last edited by pepe2k on 21 Jul 2016, 15:25)

Post #3
freezer2k
22 Jul 2016, 10:41

Nice Work Pepe!

Post #4
pepe2k
25 Jul 2016, 18:50

I just found that someone else found same way to get root access to this device and did that before me cool

Idea is the same, but doesn't require soldering - all you need to do is short two points on the PCB (DO signal from both FLASH chips and GND) just after the U-Boot start: http://colinoflynn.com/2016/07/getting- … ridge-2-0/

Post #5
santhosh
19 Apr 2017, 12:30

Hi Pepe2k,

Good post. I would be getting my Philips hue v2 bridge soon. I am a novice to OpenWrt. I would like to update it to CC version.

After rooting will I be able to upgrade the firmware(using Luci or sysupgrade) without any other modifications. If I can upgrade which binary should be used. Because I don't see Philips hue profile in the supported hardware.

Post #6
pepe2k
19 Apr 2017, 12:43
santhosh wrote:

Hi Pepe2k,

Good post. I would be getting my Philips hue v2 bridge soon. I am a novice to OpenWrt. I would like to update it to CC version.

After rooting will I be able to upgrade the firmware(using Luci or sysupgrade) without any other modifications. If I can upgrade which binary should be used. Because I don't see Philips hue profile in the supported hardware.

This device isn't supported at this moment.

Post #7
santhosh
19 Apr 2017, 13:26

Thank you for your quick response

I need to install python on Philips hue.

I see two options for this.
1. Install python using opkg on the existing openwrt.
2. Work on creating custom image from scratch.

What would be the best way?

I doubt whether first option will work. Because my colleague failed to connect to internet from philips root.

Now second option also looks like a huge work as there is no support for Philips hardware.

Post #8
tristan.net
23 Apr 2017, 05:21

For installing python, see

Tristan79/HUEHack (on github)

First option works fine!

Post #9
PingtheAPB
22 Jun 2017, 17:49

Hi Pepe2k,

I was hoping to load OpenWRT to the Philips Hue to replace what's on the bridge currently. I'm kind of new to OpenWRT, so could I ask how you flashed the firmware and what exact build you used?

Post #10
pepe2k
22 Jun 2017, 20:49
PingtheAPB wrote:

Hi Pepe2k,

I was hoping to load OpenWRT to the Philips Hue to replace what's on the bridge currently. I'm kind of new to OpenWRT, so could I ask how you flashed the firmware and what exact build you used?

I was using this tree: https://github.com/domino-team/openwrt-cc (GL-AR300M has SPI NAND).

The discussion might have continued from here.