Hacking process of LaMetric time #2
Hey there. Was there any further progress in hacking the LaMetric Time? I found the root password especially interesting, so that one can access the SSH port.
I could only find this post on reddit, where somebody successfully accessed the SSH by opening it up and changing it manually:
https://www.reddit.com/r/LaMetric/comments/3sq55r/hacking_progress/
Have you heard of further progress in this regard?
Thanks a lot
@Gansgar sorry for the slow reply, didn't see the notification.. i continued running the GCP instance for almost 2 weeks and didn't crack it - i will update the README.md with that information.
i was unaware of that post (or subreddit), but after failing to crack the hash attempted something similar - though i was never able to mount the card..
can't recall the reason now, but i'll take another look this weekend as the device itself is still sitting on my desk - and its smug aura mocks me.
Hey there,
thanks for the reply. Any updates?
George
Getting root access to the device is actually not so difficult. I reset the root password and removed a firewall rule which seemed to block port 22. Now I have full access to the device.
The challenge is to make it possible without opening the device (and losing the warranty by doing so).
Hello
After gaining access to the device, are you able to change the WiFi settings to make it connect to a wpa enterprise network?
Also, could you provide some info on that firewall rule you removed?
Cheers
No idea. I don't have such a network.
I removed
/etc/init.d/S50block_ssh
The device runs a knockd. In theory you should be able to enable the SSH port using
knock <lam ip> 7623 6732 8675 6623 1732 8675
However, that did not work for me.
Any news on this? Anyone was able to break the password?
Hi to all!
Successfully rebuilt the firmware with a changed password & removed the ssh firewall (without opening the device).
I think it's possible to get ssh access without any firmware modification, by knocking & using the ssh_rsa_key after it to access the device. Will try it.
Well. You can build a custom firmware. Yes. But you don't have their private key to sign it. Without that signature the device won't install the firmware. Correct me if I'm wrong.
I have their private key ))
So the device installs the fixed firmware without any warnings.
OMG.
!!!HERO!!!
That's amazing 😎
https://mega.nz/#!NMBBjCLQ!NwB_0xuGzsU857LX0pyRiTY8mwzuVkI7l7egCLPfq8E
root password lametric, ssh firewall deleted
@k4a can you maybe create a cfw for 2.0.24? Would be nice! :)
Hi 2 all
version 2.0.24
https://mega.nz/#!0MwyAabB!3M0JRbIWBqj1X1jmqL5NlUdI9M7TOr8QDvVCs6XgOZo
root password same
Thanks!
What do I need to do if I already have 2.0.24 (original) installed on my LaMetric? Can I just overwrite it with this firmware?
I haven't tried overwriting, because I have 2.0.23 installed. I think you can.
If not, look at recovery info - reset to base revision, and after that install 2.0.24
How do you install this firmware? Do you have to open the device up and write the SD card?
EDIT: I assume this is the procedure but haven't tried it yet... From the user guide:
Follow a few easy steps to update software:
Hi @k4a ,
can you please provide either a patched 2.0.26 firmware or perhaps the key you signed the firmware with?
Thanks
@robbiet480 Did that work for you? And what benefits have you seen from using this firmware?
@poblabs I haven't personally done it, no.
I probably am wrong here, please just delete this comment if so.
Does anyone have a complete image of the LaMetric Time SD card? Mine died and without the original partition table and compiled bootloader, the device won't do anything.
Hi all,
I have developed a software development kit for developing native apps for LaMetric OS (reverse-engineered liblfoundation headers, found a compatible cross-compiler toolchain, wrote a script for packaging ipk packages). It's working great for me and radically opens up the device for many more use cases. It turned out liblfoundation already provides a set of well-engineered components (based on Qt) that make developing native apps really easy (once I had figured out the headers). It's also possible to write custom widgets that draw arbitrary content on the screen.
Anyway, I'm posting here because the SDK only makes sense on a device that has SSH access (apps are to be installed via opkg-cl), which for now is only possible using @k4a's custom firmware linked above. @k4a would you be willing to send me an email regarding how firmware signature verification works, how you were able to build your custom firmware and how this could be leveraged for bootstrapping a LaMetric OS homebrew scene? My email address is linked on my GitHub profile page.
Fantastic!
I'd appreciate the SDK. Potentially I/we can migrate my stuff (https://github.com/magcode/lametric-tools)
I'm absolutely amazed. Years after the product is released, it is finally opened up by the community. Mad respect for all who made this happen.
Does anyone have the install documented?
Well, unfortunately, @k4a hasn't contacted me yet, so I decided to release the SDK anyway. Please have a look at my repo here: https://github.com/FD-/LaMetric-SDK. @magcode I don't know much about MQTT, so I greatly appreciate how your project complements my SDK. Let me know if you have an idea how our projects can be integrated!
Please help spread the word and let me know how the SDK works for you! If you create something others could benefit from, please publish the source code! I'm looking forward to seeing what you can come up with!
I think I have found a relatively simple way to install custom apps on stock (unmodified, original) firmware, but I need someone to test this method on a device that still runs said stock firmware. If you are willing to help me give this a test, please send me an email!
Alright guys, we were able to confirm my method works on stock firmware. I've updated my repository. Happy homebrewing!
Do any of you have a full image of the SD card? To see if restoring it solves the following problem:
With very old versions of the LaMetric firmware (default restore) it works perfectly, but as soon as I upgrade to more modern versions the LED display stops working, while the device and its applications still work. I hear the radio, for example.
Any help is welcome. Thank you!
@terrikate please see this thread https://www.reddit.com/r/LaMetric/comments/givivn/lametric_time_sd_card_image/
Feel free to contact me via any private message channel of choice, I can give you a full SD card image.
Different hardware revisions of the device use different MCUs and LED drivers for controlling the display, so that may be a source of incompatibilities. All MCU variants are from the STM32 family, and their firmware can be flashed from the main CPU. The firmware files are located in the /etc/ folder (*.hex files) IIRC and can be manually flashed with the cortex_update.sh script. Could be worth a try, though the first thing to do would obviously be checking the logcat and kernel logs for any obvious errors.
BTW, what is the last version that works for you, and how do you restore default?
Thank you @DrNachtschatten! I had seen that topic before writing the other day but as the images no longer existed and didn't seem to have ended well I decided to try this way. Can you send me a mega/drive link or other provider with the image to terrikate at gmail dot com? I appreciate it, thanks a lot!
@FD- I leave you more information here. I tried to play with cortex_update.sh without success. To restore the default version, in my case 1.6.1, I press volume up, the action button and the power button. When the menu comes up I choose restore, and when it finishes and I configure it all, the LED display works correctly.
Default version. When restoring
Current version with ssh access (2.0.3 of this same post)
I tried all three .hex and nothing. In logcat everything is in order. If you can think of anything else, I appreciate it. Thank you!
When exactly does the display cut out on a recent image? Does the boot animation show? Does scrolling text show? There's a lmledtool program somewhere inside the file system, I think it was in /usr/bin. You could try the tests it includes.
After the startup animation it goes to black. I don't see the scrolling text.
I have tested the test tool (/usr/sbin/lmledtest) with the different firmwares and it performs the animations correctly. When the test is launched with the -t parameter, the LED screen lights up well and it returns this message:
This happens only with the MY9163_V01 firmware. With the others, apart from that message, it returns
Bad led: white x=XX y=YY
for each one of the LEDs of the array (RGB + white), although it lights up anyway.
Apparently, they changed something in the display frequency in firmware 2.0.9, so you could try whether flashing 2.0.8 still works: https://storage.lametric.com/sa1/firmware/lm_ota_2.0.8_20180511_497_sa1.bin
Hi guys, amazing work really.
Just a stupid question: if I go to the mega FW and open ssh to my LM, will any FW upgrade take my SSH access away again? If so, is any updated image available?
Thanks
Looking at the thing that actually does the firmware update,
/lametric/system/services/com.lametric.lametricdaemon/daemon
I actually see nothing that verifies the signature file. What I see is that thing running
/etc/validate_fw.sh
which only checks the MD5 hash, which you could just update after updating the squashfs image. This is a dumb question, but have people tried just updating the md5sum after modification? It's likely that I'm missing the place actually doing the signature check, but I have to ask.
@algmyr The signature check happens in the recovery partition, in
/usr/share/lametric-tools/recovery_menu/action_upgrade
Is there a way to modify this file if I'm able to access the LaMetric over ssh?
You may be able to manually mount the recovery partition (p8) from the normal OS. It's a squash file system IIRC. I'd recommend backing up the internal micro SD card first, because if you screw up the recovery partition things can get pretty ugly.
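The point raised above, that validate_fw.sh only checks an MD5 hash while the real signature check lives in the recovery partition, as an added example (not code from the device, from LaMetric, or from anyone in this thread): a checksum file shipped next to the image can be regenerated by whoever edits the image, whereas a signature cannot be reproduced without the vendor's private key. The package layout, the field names and the use of ed25519 are assumptions made for this example, not the real LaMetric OTA format.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// FirmwarePackage models the parts of an OTA bundle this example needs; field
// names are assumed for the example, not taken from the real package format.
type FirmwarePackage struct {
	Image   []byte
	MD5File string // hex digest from the sidecar checksum file
	Sig     []byte // ed25519 signature over SHA-256(Image)
}

// ValidateMD5Only stands in for a validator that only recomputes the sidecar
// checksum: it proves the file was not corrupted, not that the vendor made it.
func ValidateMD5Only(p FirmwarePackage) bool {
	sum := md5.Sum(p.Image)
	return hex.EncodeToString(sum[:]) == p.MD5File
}

// ValidateSigned needs a signature made with the vendor's private key; the
// device only holds the public key, so a recomputed checksum is not enough.
func ValidateSigned(p FirmwarePackage, pub ed25519.PublicKey) bool {
	digest := sha256.Sum256(p.Image)
	return ed25519.Verify(pub, digest[:], p.Sig)
}

// BuildPackage is the vendor side: produce the sidecar checksum and the signature.
func BuildPackage(image []byte, priv ed25519.PrivateKey) FirmwarePackage {
	sum, digest := md5.Sum(image), sha256.Sum256(image)
	return FirmwarePackage{image, hex.EncodeToString(sum[:]), ed25519.Sign(priv, digest[:])}
}

// Tamper models a third party editing the image and updating the checksum
// file to match, while the vendor's signature stays as it was.
func Tamper(p FirmwarePackage, old, repl []byte) FirmwarePackage {
	img := bytes.Replace(p.Image, old, repl, 1)
	sum := md5.Sum(img)
	return FirmwarePackage{img, hex.EncodeToString(sum[:]), p.Sig}
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	mod := Tamper(BuildPackage([]byte("constructed rootfs image"), priv), []byte("rootfs"), []byte("modded"))
	fmt.Println(ValidateMD5Only(mod), ValidateSigned(mod, pub)) // true false
}
```

Both checks can live in the same updater; what matters for the device is that the signed check is the one that decides whether the image gets written, not a checksum that travels with the image.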
Hi, is there any progress on this topic?
I've had my clock for years but never bothered opening it. After needing to deep clean it and accidentally breaking the sd card I had quite a journey. I learned that the newest version has a LUKS partition? How crazy.
If anybody wonders, the key to decrypt the LUKS partition is derived from the cid of the sd-card and the chip-id of the Allwinner CPU.
Also: don't try to be clever and change the SD card image size. I had an 8GB SD card which was a bit smaller than the original one and manipulated the image to fit on the SD card. It was only 100MB and the clock booted, but I couldn't update the FW anymore.