Hacking process of LaMetric time #2

Open
opened 2018-04-14 19:51:34 +02:00 by tyalie · 42 comments
tyalie commented 2018-04-14 19:51:34 +02:00 (Migrated from github.com)

Hey there. Was there any further progress in hacking the LaMetric Time? I found the root password especially interesting, so that one can access the SSH port.

I could only find this post on reddit, where somebody successfully accessed the SSH by opening it up and changing it manually:
https://www.reddit.com/r/LaMetric/comments/3sq55r/hacking_progress/

Have you heard of further progress in this regard?

Thanks a lot

  • George
chorankates commented 2018-04-26 02:41:06 +02:00 (Migrated from github.com)

@Gansgar sorry for the slow reply, didn't see the notification.. i continued running the GCP instance for almost 2 weeks and didn't crack it - i will update the README.md with that information.

i was unaware of that post (or subreddit), but after failing to crack the hash attempted something similar - though i was never able to mount the card..

can't recall the reason now, but i'll take another look this weekend as the device itself is still sitting on my desk - and its smug aura mocks me.

tyalie commented 2018-06-21 19:05:10 +02:00 (Migrated from github.com)

Hey there,

thanks for the reply. Any updates?

George

magcode commented 2018-08-20 17:01:16 +02:00 (Migrated from github.com)

Getting root access to the device is actually not so difficult. I reset the root password and removed a firewall rule which seemed to block port 22. Now I have full access to the device.

The challenge is to make it possible without opening the device (and losing warranty by doing so).
BeHive commented 2018-10-02 21:20:36 +02:00 (Migrated from github.com)

Hello

After gaining access to the device, are you able to change the WiFi settings to make it connect to a wpa enterprise network?

Also, could you provide some info on that firewall rule you removed?

Cheers

magcode commented 2018-10-03 10:57:58 +02:00 (Migrated from github.com)

> wpa enterprise

No idea. I don't have such a network

> some info on that firewall rule

I removed `/etc/init.d/S50block_ssh`
The device runs a knockd.
In theory you should be able to enable the SSH port using `knock <lam ip> 7623 6732 8675 6623 1732 8675`.
However that did not work for me.
MasterScrat commented 2019-04-22 15:09:25 +02:00 (Migrated from github.com)

Any news on this? Anyone was able to break the password?

k4a commented 2019-12-10 21:03:46 +01:00 (Migrated from github.com)

Hi to all!

Successfully rebuilt firmware with changed password & removed ssh firewall (without opening device).
I think it's possible to get ssh access without any firmware modification, by knocking & using ssh_rsa_key after it to access device. Will try it.
magcode commented 2019-12-10 22:55:50 +01:00 (Migrated from github.com)

Well. You can build a custom firmware. Yes. But you don't have their private key to sign it. Without that signature the device won't install the firmware. Correct me if I'm wrong.

k4a commented 2019-12-11 11:53:55 +01:00 (Migrated from github.com)

I have their private key ))
So the device installs the fixed firmware without any warnings.
magcode commented 2019-12-11 12:02:02 +01:00 (Migrated from github.com)

OMG.
!!!HERO!!!

tyalie commented 2019-12-12 12:24:21 +01:00 (Migrated from github.com)

That's amazing 😎

k4a commented 2019-12-13 15:04:43 +01:00 (Migrated from github.com)

https://mega.nz/#!NMBBjCLQ!NwB_0xuGzsU857LX0pyRiTY8mwzuVkI7l7egCLPfq8E
root password lametric, ssh firewall deleted

Zignixx commented 2020-02-12 00:47:25 +01:00 (Migrated from github.com)

@k4a can you maybe create a cfw for 2.0.24? Would be nice! :)

k4a commented 2020-03-03 09:58:20 +01:00 (Migrated from github.com)

HI 2 all
version 2.0.24
https://mega.nz/#!0MwyAabB!3M0JRbIWBqj1X1jmqL5NlUdI9M7TOr8QDvVCs6XgOZo
root password same

Zignixx commented 2020-03-03 14:29:29 +01:00 (Migrated from github.com)

> HI 2 all
> version 2.0.24
> https://mega.nz/#!0MwyAabB!3M0JRbIWBqj1X1jmqL5NlUdI9M7TOr8QDvVCs6XgOZo
> root password same

Thanks!
What do I need to do if I already have 2.0.24 (original) installed on my Lametric? Can I just overwrite this firmware?
k4a commented 2020-03-03 16:03:46 +01:00 (Migrated from github.com)

I didn't try to overwrite, because I have 2.0.23 installed. I think you can.
If not, look at [recovery info](https://help.lametric.com/support/solutions/articles/6000095176-lametric-time-can-not-boot-up-and-shows-the-loading-indicator-all-the-time-4-dots-are-spinning-aro) - reset to base revision, and after that install 2.0.24
robbiet480 commented 2020-04-10 04:01:07 +02:00 (Migrated from github.com)

How do you install this firmware? Do you have to open the device up and write the SD card?

EDIT: I assume this is the procedure but haven't tried it yet... [From the user guide](https://things.lametric.com/user_guide.pdf):

Follow a few easy steps to update software:

  1. Connect device to PC using USB cable.
  2. Start device in Recovery mode (press and hold Volume Up button and short press the On/Off button at the same time).
  3. Mount mass storage (navigate in Recovery mode to ‘MOUNT’ using Left or Right navigation buttons and confirm with Action button ).
  4. PC should detect new mass storage device and LaMetric Time will be temporarily locked.
  5. Drop latest software file from firmware.lametric.com to the root folder of the disk drive that appeared on your PC.
  6. Safely disconnect LaMetric Time from PC and reboot it (navigate to ‘REBOOT’ using Left or Right buttons and confirm with Action button ).
  7. The software will be installed automatically. The device will reboot few times.
  8. In a case of some issue - error file update.err.txt will be created on the disk. To check the error – mount disk again and open the file to find out the reason of failure.
xiconfjs commented 2020-05-15 01:50:55 +02:00 (Migrated from github.com)

Hi @k4a ,

can you please provide either a patched 2.0.26 firmware or perhaps the key you signed the firmware with?

Thanks

poblabs commented 2020-06-06 00:06:51 +02:00 (Migrated from github.com)

@robbiet480 Did that work for you? and what benefits have you seen gained by using this firmware?

robbiet480 commented 2020-06-06 00:07:49 +02:00 (Migrated from github.com)

@poblabs I haven’t personally done it no.

DrNachtschatten commented 2020-06-11 14:12:18 +02:00 (Migrated from github.com)

I probably am wrong here, please just delete this comment if so.
Does anyone have a complete image of the LaMetric Time SD card? Mine died and without the original partition table and compiled bootloader, the device won't do anything.

FD- commented 2020-09-04 13:03:17 +02:00 (Migrated from github.com)

Hi all,
I have developed a software development kit for developing native apps for LaMetric OS (reverse-engineered liblfoundation headers, found a compatible cross-compiler toolchain, written a script for packaging ipk packages). It's working great for me and radically opens up the device for many more use cases. It turned out liblfoundation already provides a set of well-engineered components (based on Qt) that make developing native apps really easy (once I had figured out the headers). It's also possible to write custom widgets that draw arbitrary content on the screen.

Anyway, I'm posting here because the SDK only makes sense on a device that has SSH access (apps are to be installed via opkg-cl), which for now is only possible using @k4a's custom firmware linked above. @k4a would you be willing to send me an email regarding how firmware signature verification works, how you were able to build your custom firmware and how this could be leveraged for bootstrapping a LaMetric OS homebrew scene? My email address is linked on my GitHub profile page.

magcode commented 2020-09-04 14:02:12 +02:00 (Migrated from github.com)

Fantastic!
I'd appreciate the SDK. Potentially I/we can migrate my stuff (https://github.com/magcode/lametric-tools)

tyalie commented 2020-09-05 17:33:41 +02:00 (Migrated from github.com)

I'm absolutely amazed. Years after the product is released, it is finally opened up by the community. Mad respect for all who made this happen.

poblabs commented 2020-09-05 20:28:19 +02:00 (Migrated from github.com)

Does anyone have the install documented?

FD- commented 2020-09-13 16:28:41 +02:00 (Migrated from github.com)

Well, unfortunately, @k4a hasn't contacted me yet, so I decided to release the SDK anyway. Please have a look at my repo here: https://github.com/FD-/LaMetric-SDK. @magcode I don't know much about MQTT, so I greatly appreciate how your project complements my SDK. Let me know if you have an idea how our projects can be integrated!

Please help spread the word and let me know how the SDK works for you! If you create something others could benefit from, please publish the source code! I'm looking forward to seeing what you can come up with!

FD- commented 2020-09-15 13:13:45 +02:00 (Migrated from github.com)

I think I have found a relatively simple way to install custom apps on stock (unmodified, original) firmware, but I need someone to test this method on a device that still runs said stock firmware. If you are willing to help me give this a test, please send me an email!

FD- commented 2020-09-15 14:53:55 +02:00 (Migrated from github.com)

Alright guys, we were able to confirm my method works on stock firmware. I've updated my repository. Happy homebrewing!

terrikate commented 2021-01-15 00:05:45 +01:00 (Migrated from github.com)

Do any of you have a full image of the SDCard? To see if restoring it solves the following problem:

With very old versions of the lametric firmware (default restore) it works perfectly but as soon as I upgrade to more modern versions the LED display stops working but the device and its applications, below, still work. I hear the radio for example

Any help is welcome. Thank you!

DrNachtschatten commented 2021-01-15 10:47:24 +01:00 (Migrated from github.com)

@terrikate please see this thread https://www.reddit.com/r/LaMetric/comments/givivn/lametric_time_sd_card_image/

Feel free to contact me via any private message channel of choice, I can give you a full SD card image.

FD- commented 2021-01-15 19:09:56 +01:00 (Migrated from github.com)

Different hardware revisions of the device use different MCUs and LED drivers for controlling the display, so that may be a source of incompatibilities. All MCU variants are from the STM32 family, and their firmware can be flashed from the main CPU. The firmware files are located in the /etc/ folder (*.hex files) IIRC and can be manually flashed with the cortex_update.sh script. Could be worth a try, though the first thing to do would obviously be checking the logcat and kernel logs for any obvious errors.

BTW, what is the last version that works for you, and how do you restore default?

terrikate commented 2021-01-16 19:45:59 +01:00 (Migrated from github.com)

Thank you @DrNachtschatten! I had seen that topic before writing the other day but as the images no longer existed and didn't seem to have ended well I decided to try this way. Can you send me a mega/drive link or other provider with the image to terrikate at gmail dot com? I appreciate it, thanks a lot!

@FD- I leave you more information here. I tried to play with cortex_update.sh without success. To restore the default version, in my case 1.6.1, I press volume up, the action button and the power button. When the menu comes out I choose restore and when it finishes and I configure it all the LED display works correctly

Default version. When restoring

```
NAME="LaMetric"
VERSION=2016.10-rC-228
VERSION_ID=1.6.1
```

Current version with ssh access (2.0.3 of this same post)

```
# ls -la *.hex
-rwxrwxrwx    1 root     root         88828 Jun  4  2018 MY9163_V01.hex
-rwxrwxrwx    1 root     root         89053 Jun  4  2018 TLC5929V01.hex
-rwxrwxrwx    1 root     root         89053 Jun  4  2018 cortex_firmware.hex
```

```
./cortex_update.sh
Get kernel version
Cortex flashing...
no input parameters
Get hardware version
stm32flash 0.4

http://stm32flash.googlecode.com/

Interface serial_posix: 57600 8E1
Version      : 0x31
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0444 (STM32F030/F031)
- RAM        : 8KiB  (4096b reserved by bootloader)
- Flash      : 64KiB (sector size: 4x1024)
- Option RAM : 12b
- System RAM : 3KiB
Memory read
Read address 0x08007d6a (100.00%) Done.

Display hardware version MY9163_V01
match MY9163_V01
write firware MY9163_V01
write /etc/MY9163_V01.hex
stm32flash 0.4

http://stm32flash.googlecode.com/

Using Parser : Intel HEX
Interface serial_posix: 115200 8E1
Version      : 0x31
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0444 (STM32F030/F031)
- RAM        : 8KiB  (4096b reserved by bootloader)
- Flash      : 64KiB (sector size: 4x1024)
- Option RAM : 12b
- System RAM : 3KiB
Write to memory
Erasing memory
Wrote and verified address 0x08007b4c (100.00%) Done.

Cortex flashed
Cortex reset vanilla
Done
```

```
cat /tmp/hw
MY9163_V01#
```

I tried all three .hex and nothing. In logcat everything is in order. If you can think of anything else, I appreciate it. Thank you!

FD- commented 2021-01-17 16:57:25 +01:00 (Migrated from github.com)

When exactly does the display cut out on a recent image? Does the boot animation show? Does scrolling text show? There's a lmledtool program somewhere inside the file system, I think it was in /usr/bin. You could try the tests it includes.

terrikate commented 2021-01-17 18:24:12 +01:00 (Migrated from github.com)

After the startup animation it goes to black. I don't see the scrolling text
I have tested the test tool (`/usr/sbin/lmledtest`) with the different firmwares and it does the animations correctly. When the test is launched, parameter -t, the led screen lights up well and returns this message:

```
LED OPEN DETECTION TEST
OUTPUT LEAKAGE DETECTION (TLC5929)/SHORT TO GND (MY9163)
LED SHORT DETECTION
```

This happens only with the MY9163_V01 firmware. With the others it returns, apart from that message, `Bad led: white x=XX y=YY` for each one of the leds of the array (rgb + white) although it lights up anyway
FD- commented 2021-01-17 20:42:44 +01:00 (Migrated from github.com)

Apparently, they changed something in the display frequency in firmware 2.0.9, so you could try if flashing 2.0.8 still works: https://storage.lametric.com/sa1/firmware/lm_ota_2.0.8_20180511_497_sa1.bin

hallard commented 2021-02-21 23:30:45 +01:00 (Migrated from github.com)

Hi guys, Amazing work really.

Just a stupid question: if I go to the megaupload FW and open ssh to my LM, will any FW upgrade deny my SSH access again? If so, is any update image available?
thanks
algmyr commented 2021-11-22 02:54:17 +01:00 (Migrated from github.com)

Looking at the thing that actually does the firmware update `/lametric/system/services/com.lametric.lametricdaemon/daemon` I actually see nothing that verifies the signature file. What I see is that thing running `/etc/validate_fw.sh` which only checks the MD5 hash, which you could just update after updating the squashfs image. This is a dumb question, but have people tried just updating the md5sum after modification? It's likely that I'm missing the place actually doing the signature check, but I have to ask.
FD- commented 2021-11-22 09:50:45 +01:00 (Migrated from github.com)

@algmyr The signature check happens in the recovery partition, in `/usr/share/lametric-tools/recovery_menu/action_upgrade`:

```
...
echo "Verifying signature of file $file..."
gpg --ignore-time --verify $file.sig $file || error_reboot_exit "Firmware is from unknown source. Not installed."
...
```
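
The distinction raised in the two comments above (the MD5 check in `/etc/validate_fw.sh` versus the `gpg --verify` step in the recovery partition), as an added example that is not part of the thread or of LaMetric's code: a bare digest can be recomputed by anyone who changes the image, while a detached signature cannot. A hash-based Lamport one-time signature stands in for gpg so the block runs with the Python standard library only; the image bytes and all function names are constructed for illustration.

```python
import hashlib
import secrets

# --- Integrity only: a digest shipped next to the image -------------------
def md5_manifest(image: bytes) -> str:
    """Digest anyone holding the image can compute (no secret involved)."""
    return hashlib.md5(image).hexdigest()

def md5_check(image: bytes, manifest: str) -> bool:
    return secrets.compare_digest(md5_manifest(image), manifest)

# --- Authenticity: Lamport one-time signature (stand-in for gpg) ----------
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Private key: 256 pairs of random values. Public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(_h(a), _h(b)) for a, b in priv]
    return priv, pub

def _digest_bits(message: bytes):
    d = _h(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, message: bytes):
    """Reveal one secret per digest bit. A key must sign only one message."""
    return [priv[i][bit] for i, bit in enumerate(_digest_bits(message))]

def verify(pub, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(message)):
        ok &= secrets.compare_digest(_h(signature[i]), pub[i][bit])
    return ok

# --- Scenario with constructed data ---------------------------------------
def compare_checks():
    vendor_priv, vendor_pub = keygen()           # private half stays with the vendor
    original = b"constructed stock image"        # constructed sample bytes
    shipped_md5 = md5_manifest(original)
    shipped_sig = sign(vendor_priv, original)

    modified = b"constructed modified image"     # constructed sample bytes
    recomputed_md5 = md5_manifest(modified)      # needs no secret at all

    return {
        "original_md5": md5_check(original, shipped_md5),
        "original_sig": verify(vendor_pub, original, shipped_sig),
        "modified_stale_md5": md5_check(modified, shipped_md5),
        "modified_recomputed_md5": md5_check(modified, recomputed_md5),
        "modified_sig": verify(vendor_pub, modified, shipped_sig),
    }

if __name__ == "__main__":
    for name, result in compare_checks().items():
        print(f"{name}: {result}")
```

The signature result only means something while the signing key stays private and the verifier trusts exactly the intended public key.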
Zignixx commented 2021-11-22 12:10:43 +01:00 (Migrated from github.com)

> @algmyr The signature check happens in the recovery partition, in `/usr/share/lametric-tools/recovery_menu/action_upgrade`:
>
> ```
> ...
> echo "Verifying signature of file $file..."
> gpg --ignore-time --verify $file.sig $file || error_reboot_exit "Firmware is from unknown source. Not installed."
> ...
> ```

Is there a way to modify this file if I'm able to access the lametric over ssh?
FD- commented 2021-11-22 14:05:11 +01:00 (Migrated from github.com)

You may be able to manually mount the recovery partition (p8) from the normal OS. It's a squash file system IIRC. I'd recommend backing up the internal micro SD card first, because if you screw up the recovery partition things can get pretty ugly.

bluesveins commented 2024-02-18 20:33:49 +01:00 (Migrated from github.com)

hi is there any progress in this topic?

tyalie commented 2024-09-27 23:09:57 +02:00 (Migrated from github.com)

I've had my clock for years but never bothered opening it. After needing to deep clean it and accidentally breaking the sd card I had quite a journey. I learned that the newest version has a LUKS partition? How crazy.

If anybody wonders, the key to decrypt the LUKS partition is derived from the cid of the sd-card and the chip-id of the Allwinner CPU.

```
/* one can read it with busybox devmem
# devmem 0x1C23800 64
... - first 64 bit
# devmem 0x1C23808 64
... - last 64 bit
*/
chipid = 128 bit from address 0x1c23800 (see allwinner A13 memory map) with four byte chunks in little endian

sd_card_id = 128 bit from /sys/block/mmcblk0/device/cid also with four byte chunks in little endian

key[0:16] = chipid
key[16:32] = sd_card_id
```

Also: Don't try to be clever and change the SD Card image size. I had an 8GB SD Card which was a bit smaller than the original one and manipulated the image to fit on the SDCard. It was only 100MB and the clock booted, but I couldn't update the FW anymore.
Reference: xiconfjs/h4ck#2