GitHub - andrew-p0/greeenwave_firmware: Some files for TCP Connected/Greenwave Reality lighting controllers.

andrew-p0 / greeenwave_firmware Public

forked from hypergolic/greeenwave_firmware

Notifications You must be signed in to change notification settings
Fork 0
Star 0

Some files for TCP Connected/Greenwave Reality lighting controllers.

Unlicense license

0 stars 4 forks Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
firmware_mod		firmware_mod
roxy		roxy
LICENSE		LICENSE
README		README

Repository files navigation

* NOTES:
YOU CAN BRICK YOUR STUFF VERY EASILY, PLAY CAREFUL.
Extracted rootfs + kernel is included in the rootfs.tar.bz2.
if you want to modifiy it, be sure you have experience with uboot/uboot scripts, otherwise, its easy to brick and a pain to recover, or if you're like me and bricked
it in the first 5 minutes of owning it, these files can help you recover it!

* TODO:
Write this how to better, format it so its readable. 

* DONE:
*Firmware unpacking and repacking instructions added at the end of this README file explaining it, firmware images and modified firmware image added to the firmware_mods folder.

* HOW TO DOWNGRADE:
Put the download folder and update.php files in a folder called "roxy", then use https.py to with a self signed .pem certificate (generate it with openssl or grab the .pem certs in the rootfs archive.)
then redirect update.greenwavereality.com and update.greenwavereality.eu via spoofing on a local dns server and firewall rules to block both hosts once updated, as if it
can contact the update serves again it will update its self, I just blocked all outgoing traffic from my lighting controller to the web.

after executing python https.py hold the sync button as the bridge boots up for about 10 seconds once it starts to blink and flash red on the sync button you should see this:

ERROR:root:Host: update.greenwavereality.com
Accept: */*
Content-Length: 99
Content-Type: application/x-www-form-urlencoded

ERROR:root:MiniFieldStorage('mac', 'D4:A9:28:02:07:54')
ERROR:root:MiniFieldStorage('secret', '14bd2088419a828ec0d8f336a7939fa1')
ERROR:root:MiniFieldStorage('project', 'Apollo3')
ERROR:root:MiniFieldStorage('current_version', '0.0.0')
10.1.1.45 - - [26/Apr/2016 11:59:49] "POST /roxy/update.php HTTP/1.1" 200 -
ERROR:root:Host: update.greenwavereality.com
Accept: */*
Content-Length: 110
Content-Type: application/x-www-form-urlencoded

10.1.1.45 - - [26/Apr/2016 11:59:49] "GET /roxy/download/1349139456/rootfs.bin HTTP/1.1" 200 -

then it will hopefully download the "updated" rootfs from your spoofed update server, downgrading it to the last version that had ssh enabled,
root/thinkgreen.  this works on all firmware versions even the ones with uboot input disabled :).

as I only have 1 unit to test it on, I've only tested downgrading my specific unit, so I'm not sure what other variables may be involved, but either way this will reply statically with a correct checksum and file URL.


* FIRMWARE MODIFICATIONS:

Unpacking and Rebuilding the u-boot firmware Image:
Here's my notes on making modifications to the firmware, you will need uboot-tools and mksquashfs 4.0.

There is a modified firmware image posted here, if you arent familure with bricking everything you own, then dont attempt to flash it!

* Commands for unpacking:
mkimage -l tcpfirm.bin 
(get the sizes, binwalk works as well, calculate uboot headers and cut them off plus image markers)

and we get the following values:

dd if=tcpfirm.bin of=image0_kernel bs=1 skip=80 count=1669122
dd if=tcpfirm.bin of=image1_sqfs bs=1 skip=1669204 count=10641408
dd if=tcpfirm.bin of=image2_dtv bs=1 skip=12310612 count=7782

[dev@notworking tcpmod]$ binwalk image0_kernel 

DECIMAL       HEXADECIMAL     DESCRIPTION
\* -------------------------------------------------------------------------------- \*
0             0x0             gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)

[dev@notworking tcpmod]$ binwalk image1_sqfs 

DECIMAL       HEXADECIMAL     DESCRIPTION
\* -------------------------------------------------------------------------------- \*
0             0x0             Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 10639101 bytes, 1456 inodes, blocksize: 131072 bytes, created: 2013-12-03 09:50:58

[dev@notworking tcpmod]$ binwalk image2_dtv 

DECIMAL       HEXADECIMAL     DESCRIPTION
\* -------------------------------------------------------------------------------- \*
0             0x0             device tree image (dtb)

[dev@notworking tcpmod]$ sudo unsquashfs image1_sqfs 
Parallel unsquashfs: Using 4 processors
1363 inodes (1494 blocks) to write

[============================================================================================================================================================================================================|] 1494/1494 100%

created 1147 files
created 93 directories
created 213 symlinks
created 3 devices
created 0 fifos


edited /etc/dhcpcd.exit-hook
and added 
if $if_up
then
        route del default
fi

edited /etc/init.d/rcS and added at the very bottom:
if test -f /media/config/opt_startup.sh
then
        echo -en "running user defined startup script from jffs2"
        /media/config/opt_startup.sh
fi

deleting the default route was a fast way for me to get rid of the update issue kinda, theres other ways by patching the uboot
nvram and such, but this was easy and I dont ever plan to allow the device to talk out of my network so it works for me. i also edited /etc/services.lo and /etc/services.net to re-enable ssh.

this will allow you to write a custom script thats launched upon boot runing whatever youd like from the jffs2 partition. 
and now to put it back together, first making the squashfs image then putting kernel and device tree into a uboot firmware image.

[dev@notworking tcpmod]$ sudo mksquashfs squashfs-root image1_mod.sqfs -comp gzip -b 131072 -all-root
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on image1_mod.sqfs, block size 131072.
[=======================================================================================================================================================================================================================================|] 1278/1278 100%

Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
	compressed data, compressed metadata, compressed fragments, compressed xattrs
	duplicates are removed
Filesystem size 10388.38 Kbytes (10.14 Mbytes)
	41.16% of uncompressed filesystem size (25239.13 Kbytes)
Inode table size 12703 bytes (12.41 Kbytes)
	26.11% of uncompressed inode table size (48655 bytes)
Directory table size 14638 bytes (14.29 Kbytes)
	51.41% of uncompressed directory table size (28471 bytes)
Number of duplicate files found 181
Number of inodes 1456
Number of files 1147
Number of fragments 55
Number of symbolic links  213
Number of device nodes 3
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 93
Number of ids (unique uids + gids) 1
Number of uids 1
	root (0)
Number of gids 1
	root (0)

now we pack it back into a uboot firmware file.

[dev@notworking tcpmod]$ mkimage -A ppc -O Linux -T multi -C gzip -n 'Firmware Image' -d image0_kernel:image1_mod.sqfs:image2_dtv tcpmod_firmware.img
Image Name:   Firmware Image
Created:      Wed Aug 10 21:59:35 2016
Image Type:   PowerPC Linux Multi-File Image (gzip compressed)
Data Size:    12318330 Bytes = 12029.62 kB = 11.75 MB
Load Address: 00000000
Entry Point:  00000000
Contents:
   Image 0: 1669122 Bytes = 1630.00 kB = 1.59 MB
   Image 1: 10641408 Bytes = 10392.00 kB = 10.15 MB
   Image 2: 7782 Bytes = 7.60 kB = 0.01 MB


comparing that with the original image, we see:
[dev@notworking tcpmod]$ mkimage -l tcpfirm.bin 
Image Name:   Firmware Image
Created:      Tue Dec  3 04:50:58 2013
Image Type:   PowerPC Linux Multi-File Image (gzip compressed)
Data Size:    12318330 Bytes = 12029.62 kB = 11.75 MB
Load Address: 00000000
Entry Point:  00000000
Contents:
   Image 0: 1669122 Bytes = 1630.00 kB = 1.59 MB
   Image 1: 10641408 Bytes = 10392.00 kB = 10.15 MB
   Image 2: 7782 Bytes = 7.60 kB = 0.01 MB

to finish it off follow the downgrade instructions, but change out the md5sum on roxy.php to match your new firmware image and replace the rootfs.bin firmware image there with yours.

I have included my updated patched firmware (its a later version than the one i posted for downgrading, but has ssh renabled and the custom scripts mentioned above so enabling the webserver is of no issue.), see the firmware_mod folder.
~ # cat /etc/version 
3.0.39
~ # uname -a
Linux lighting 3.5.3 #1 PREEMPT Tue Dec 3 10:44:29 CET 2013 ppc GNU/Linux
~ # 

* md5sums:
4c448f9d9a2d8584ab5c0d4c6874af1e  tcpfirm.bin 			// original uboot image 
b32f5c3b6528db3c3eb75a3604532a12  tcpmod_firmware.img 	// modified uboot image
7896e1540e90f463551873ed8ea4b169  image0_kernel 		//original
203ec94023900fb5409d943b92eaef28  image1_sqfs 			//original
0810ed603e4a9150c4f2c1c3227e1605  image1_mod.sqfs 		// modified squashfs image
b2dd54d84bada53c7eeb945bbfb98322  image2_dtv 			//original