AlertMe Hub - Yes, it's Linux

Extending the system, interesting uses and API twiddling.
Post Reply
filbert
Posts: 1
Joined: Fri Apr 13, 2012 6:57 pm

AlertMe Hub - Yes, it's Linux

Post by filbert » Fri Apr 13, 2012 7:08 pm

I've just got an AlertMe kit, and given there seems to be a problem with their website/control panel which is preventing me using the service, I thought I'd have a poke around the hardware side of things.

Turns out that the AlertMe Hub (at least the Nano that came with my Energy starter kit) runs Linux. There's a TTL serial connector on the board, which is nice and clearly marked. There's a similar port marked 'Modem' as well, presumably for the GSM modem in the Security Hub.

The pinout is fairly standard TTL, Pin 4 is GND, 2 is RX and 3 is TX. The port runs at 115200 baud.

If anyone has a guess at what the root password might be, or where to get the firmware blobs from, that'd be appreciated :)

Here, for your viewing pleasure, is the system from poweron to login prompt:

Code: Select all

„ˆHubBoot v1.01, processor ID 9231C384
Cold reset
HubOS v0.71 Copyright (C) AlertMe.com 2007-09
>
Bad reset count : 0
Loading system from NAND in 5 seconds
[OS] Mains power now on
Loading linux...
MD5 checksum passed
Operator key passed
Loading ramdisk...
MD5 checksum passed
Operator key passed
Starting linux...
Uncompressing Linux.............................................................................. done, booting the kernel.
Linux version 2.6.19 (jacky@jacky-desktop) (gcc version 3.4.6) #1 Wed Jan 19 11:11:14 GMT 2011
CPU: ARM920T [41129200] revision 0 (ARMv4T), cr=c0007177
Machine: AlertMe.com Hub CPU Board
tags address is: c001fee0
mdesc->boot_params is: 00000100
Parsing tags
tag core, flags = 00000000
tag mem32 - start: 00000000  size: 00800000
tag mem32 - start: 01000000  size: 00800000
tag mem32 - start: 04000000  size: 00800000
tag mem32 - start: 05000000  size: 00800000
Tag: initrd2 - start: 01000000 size 00200000
TAG commandline: console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
Memory policy: ECC disabled, Data cache writeback
CPU0: D VIVT write-back cache
CPU0: I cache: 16384 bytes, associativity 64, 32 byte lines, 8 sets
CPU0: D cache: 16384 bytes, associativity 64, 32 byte lines, 8 sets
Built 4 zonelists.  Total pages: 8128
Kernel command line: console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 8MB 8MB 8MB 8MB = 32MB total
Memory: 27908KB available (1936K code, 406K data, 104K init)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
checking if image is initramfs...it isn't (no cpio magic); looks like an initrd
Freeing initrd memory: 2048K
NET: Registered protocol family 16
AlertMe hub PCB revision 5
ep93xx: PLL1 running at 400 MHz, PLL2 at 192 MHz
ep93xx: FCLK 200 MHz, HCLK 100 MHz, PCLK 50 MHz
AMEHUB: disabling spiflash enable

********************************************************
ep93xx_led software pwm driver startup
********************************************************

Setting modem fudge...********* REQUEST IRQ ****************
NET: Registered protocol family 2
IP route cache hash table entries: 256 (order: -2, 1024 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
EP93xx M2M driver version 0.01
Hub Upgrade driver version 1.0
ADC driver version 0.1
Generic SSP Support version 0.1
EP93xx DMA-SSP driver version 0.01
SPI Flash driver version 0.1
SPI Flash driver: Registered ssp slave interface
Ember EM260 Driver, Copyright (C) 2007 AlertMe.com
  Implementation by Mynah-Software Ltd.
EM260 driver startup ... em260 driver installed successfully.
EP93xx CPU frequency driver version 0.01
ep93xx software pwm driver starting
NetWinder Floating Point Emulator V0.97 (extended precision)
audit: initializing netlink socket (disabled)
audit(1.239:1): initialized
yaffs Jan 19 2011 11:10:18 Installing. 
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
ep93xx_wdt: EP93XX watchdog, driver version 0.3
SoftDog: cannot register miscdev on minor=130 (err=-16)
Serial: AMBA driver $Revision: 1.41 $
apb:uart1: ttyAM0 at MMIO 0x808c0000 (irq = 52) is a AMBA
apb:uart2: ttyAM1 at MMIO 0x808d0000 (irq = 54) is a AMBA
apb:uart3: ttyAM2 at MMIO 0x808e0000 (irq = 55) is a AMBA
Serial: AMBA PL011 UART driver
RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
ep93xx-eth version 0.1 loading
eth0: ep93xx on-chip ethernet, IRQ 39, 00:1c:2b:01:9d:d8.
***** AME NANDFlash driver *****
** Prior to update, dev_cfg is: 08170d00
** Post update, dev_cfg is: 08170d00
Searching for NAND flash...
NAND device: Manufacturer ID: 0xec, Chip ID: 0x76 (Samsung NAND 64MiB 3,3V 8-bit)
Scanning device for bad blocks
Bad eraseblock 23 at 0x0005c000
Bad eraseblock 1216 at 0x01300000
AMEFlash - Found 5 partitions
AMEFlash: Initializing partition 1
          Name: zImage
          size: 00200000
          offset: 00004000
AMEFlash: Initializing partition 2
          Name: ramdisk
          size: 00200000
          offset: 00204000
AMEFlash: Initializing partition 3
          Name: root
          size: 02000000
          offset: 00404000
AMEFlash: Initializing partition 4
          Name: download
          size: 01afc000
          offset: 02404000
AMEFlash: Initializing partition 5
          Name: persistent
          size: 00100000
          offset: 03f00000
Using static partition definition
Creating 6 MTD partitions on "NAND 64MiB 3,3V 8-bit":
0x00000000-0x04000000 : "whole-flash"
0x00004000-0x00204000 : "zImage"
0x00204000-0x00404000 : "ramdisk"
0x00404000-0x02404000 : "root"
0x02404000-0x03f00000 : "download"
0x03f00000-0x04000000 : "persistent"
ep93xx_i2c_probe started
***** EP93xx I2C Init ***** result is: 0
pca9533_attach_adapter, adapter is: c0538050 - result is: 0
Advanced Linux Sound Architecture Driver Version 1.0.13 (Tue Nov 28 14:07:24 2006 UTC).
ASoC version 0.13.3
wm8510: WM8510 Audio Codec 0.6
SETTING UP custom interface

asoc: WM8510 HiFi <-> ep93xx-i2s mapping ok
 Codec is: c054b2d0
ALSA device list:
  #0: amehub-wm8510 (WM8510)
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 15
RAMDISK: Compressed image found at block 0
yaffs: dev is 1048576 name is "ram0"
yaffs: passed flags ""
yaffs: Attempting MTD mount on 1.0, "ram0"
VFS: Mounted root (ext2 filesystem).

Simple initrd is active

Attempting to mount /dev/mtdblock3
yaffs: dev is 32505859 name is "mtdblock3"
yaffs: passed flags ""
yaffs: Attempting MTD mount on 31.3, "mtdblock3"
yaffs: auto selecting yaffs1
block 960 is bad
Filesystem found on /dev/mtdblock3 - passing control...
save exit: isCheckpointed 0
Àyaffs: dev is 32505859 name is "mtdblock3"
yaffs: passed flags ""
yaffs: Attempting MTD mount on 31.3, "mtdblock3"
yaffs: auto selecting yaffs1
block 960 is bad
VFS: Mounted root (yaffs2 filesystem).
Trying to move old root to /initrd ... okay
Freeing init memory: 104K
yaffs: dev is 32505860 name is "mtdblock4"
yaffs: passed flags ""
yaffs: Attempting MTD mount on 31.4, "mtdblock4"
yaffs: auto selecting yaffs1
Setting up persistent filesystem
Attempting to mount /persistent
yaffs: dev is 32505861 name is "mtdblock5"
yaffs: passed flags ""
yaffs: Attempting MTD mount on 31.5, "mtdblock5"
yaffs: auto selecting yaffs1
Initializing random number generator... done.
Creating dynamic devices
àStarting network...
udhcpc (v1.4.1) started
ep93xx-eth: PHY is a SMSC LAN8700, rev 4
REG_SELFCTL = 0x00006220  MII_BMCR = 0x00003000
Sending discover...
link down
Sending discover...
Sending discover...
No lease, forking to background
OK
àStarting alertme: In Em2xxUpgradePackage::create
em260_open called
inode minor is zero, assigning to builtin struct em260_user
Down semaphore
In crit section
Device opened, open_count is: 1
em260_open returning zero (success)
Em260 firmware version is 0x3422 - requiem260_release called
red version is 0  em260_release, open count is: 0
x3422.
Em260 fiem260_release, returning 0
rmware is up to date - skipping Em260 bootload procedure.
done






Welcome to AlertMe Linux.



uclibc login: 

User avatar
roobarb!
Site Admin
Posts: 226
Joined: Mon Nov 21, 2011 4:56 pm
Location: Manchester, UK
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by roobarb! » Fri Apr 13, 2012 11:17 pm

Fantastic! I've been waiting for someone to do this for ages. Resisted the temptation to sneak around in my own hub because it is actually sat there, behaving itself and being an alarm system. :)

Well done!
Alerty - you could control your AlertMe system with my third-party app for iPhone and iPod Touch. Used to be available on iTunes!

bendy
Posts: 2
Joined: Thu Apr 19, 2012 8:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by bendy » Thu Apr 19, 2012 8:35 am

looks like we might need to do this as alertme looks like history!

User avatar
roobarb!
Site Admin
Posts: 226
Joined: Mon Nov 21, 2011 4:56 pm
Location: Manchester, UK
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by roobarb! » Wed May 16, 2012 5:02 pm

As a comparison to the Nano Hub, I soldered some header pins to the debug holes on an AlertMe Hub (full version, although this output was recorded while disconnected from it's comms board). Using a TTL-232R-3V3, pin 4 is furthest from the DEBUG label and follows the same order: Pin 4 is GND (Black), 3 is TX (Orange) and 2 is RX (Yellow). Again, the port runs at 115200 baud.

Code: Select all

HubBoot v1.01, processor ID 921311CD
Cold reset
HubOS v0.71 Copyright (C) AlertMe.com 2007-09
>
 Bad reset count : 0
Loading system from NAND in 5 seconds
[OS] Mains power now on
Loading linux...
MD5 checksum passed
Operator key passed
Loading ramdisk...
MD5 checksum passed
Operator key passed
Starting linux...
Uncompressing Linux.............................................................................. done, booting the kernel.
Linux version 2.6.19 (ajh@ahughes-studioxps-6W2T7K1) (gcc version 3.4.6) #1 Tue May 31 17:59:44 BST 2011
CPU: ARM920T [41129200] revision 0 (ARMv4T), cr=c0007177
Machine: AlertMe.com Hub CPU Board
tags address is: c001fee0
mdesc->boot_params is: 00000100
Parsing tags
tag core, flags = 00000000
tag mem32 - start: 00000000  size: 00800000
tag mem32 - start: 01000000  size: 00800000
tag mem32 - start: 02000000  size: 00800000
tag mem32 - start: 03000000  size: 00800000
tag mem32 - start: 04000000  size: 00800000
tag mem32 - start: 05000000  size: 00800000
tag mem32 - start: 06000000  size: 00800000
tag mem32 - start: 07000000  size: 00800000
Tag: initrd2 - start: 01000000 size 00200000
TAG commandline: console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
Memory policy: ECC disabled, Data cache writeback
CPU0: D VIVT write-back cache
CPU0: I cache: 16384 bytes, associativity 64, 32 byte lines, 8 sets
CPU0: D cache: 16384 bytes, associativity 64, 32 byte lines, 8 sets
Built 8 zonelists.  Total pages: 16256
Kernel command line: console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 8MB 8MB 8MB 8MB 8MB 8MB 8MB 8MB = 64MB total
Memory: 60348KB available (1936K code, 406K data, 104K init)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
checking if image is initramfs...it isn't (no cpio magic); looks like an initrd
Freeing initrd memory: 2048K
NET: Registered protocol family 16
AlertMe hub PCB revision 1
ep93xx: PLL1 running at 400 MHz, PLL2 at 192 MHz
ep93xx: FCLK 200 MHz, HCLK 100 MHz, PCLK 50 MHz
AMEHUB: disabling spiflash enable

********************************************************
ep93xx_led software pwm driver startup
********************************************************

Setting modem fudge...********* REQUEST IRQ ****************
NET: Registered protocol family 2
IP route cache hash table entries: 512 (order: -1, 2048 bytes)
TCP established hash table entries: 2048 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 2048 bind 1024)
TCP reno registered
EP93xx M2M driver version 0.01
Hub Upgrade driver version 1.0
ADC driver version 0.1
Generic SSP Support version 0.1
EP93xx DMA-SSP driver version 0.01
SPI Flash driver version 0.1
SPI Flash driver: Registered ssp slave interface
Ember EM260 Driver, Copyright (C) 2007 AlertMe.com
  Implementation by Mynah-Software Ltd.
EM260 driver startup ... em260 driver installed successfully.
EP93xx CPU frequency driver version 0.01
ep93xx software pwm driver starting
NetWinder Floating Point Emulator V0.97 (extended precision)
audit: initializing netlink socket (disabled)
audit(1.249:1): initialized
yaffs May 31 2011 17:58:24 Installing.
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
ep93xx_wdt: EP93XX watchdog, driver version 0.3
SoftDog: cannot register miscdev on minor=130 (err=-16)
Serial: AMBA driver $Revision: 1.41 $
apb:uart1: ttyAM0 at MMIO 0x808c0000 (irq = 52) is a AMBA
apb:uart2: ttyAM1 at MMIO 0x808d0000 (irq = 54) is a AMBA
apb:uart3: ttyAM2 at MMIO 0x808e0000 (irq = 55) is a AMBA
Serial: AMBA PL011 UART driver
RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
ep93xx-eth version 0.1 loading
eth0: ep93xx on-chip ethernet, IRQ 39, 00:1c:2b:01:09:9d.
***** AME NANDFlash driver *****
** Prior to update, dev_cfg is: 08170d40
** Post update, dev_cfg is: 08170d40
Searching for NAND flash...
NAND device: Manufacturer ID: 0xec, Chip ID: 0x76 (Samsung NAND 64MiB 3,3V 8-bit)
Scanning device for bad blocks
Bad eraseblock 59 at 0x000ec000
Bad eraseblock 3532 at 0x03730000
AMEFlash - Found 5 partitions
AMEFlash: Initializing partition 1
          Name: zImage
          size: 00200000
          offset: 00004000
AMEFlash: Initializing partition 2
          Name: ramdisk
          size: 00200000
          offset: 00204000
AMEFlash: Initializing partition 3
          Name: root
          size: 02000000
          offset: 00404000
AMEFlash: Initializing partition 4
          Name: download
          size: 01afc000
          offset: 02404000
AMEFlash: Initializing partition 5
          Name: persistent
          size: 00100000
          offset: 03f00000
Using static partition definition
Creating 6 MTD partitions on "NAND 64MiB 3,3V 8-bit":
0x00000000-0x04000000 : "whole-flash"
0x00004000-0x00204000 : "zImage"
0x00204000-0x00404000 : "ramdisk"
0x00404000-0x02404000 : "root"
0x02404000-0x03f00000 : "download"
0x03f00000-0x04000000 : "persistent"
ep93xx_i2c_probe started
***** EP93xx I2C Init ***** result is: 0
pca9533_attach_adapter, adapter is: c02a844c - result is: 0
i2c_adapter i2c-0: sendbytes: error - bailout.
Advanced Linux Sound Architecture Driver Version 1.0.13 (Tue Nov 28 14:07:24 2006 UTC).
ASoC version 0.13.3
wm8510: WM8510 Audio Codec 0.6
SETTING UP custom interface

asoc: WM8510 HiFi <-> ep93xx-i2s mapping ok
 Codec is: c05782d0
ALSA device list:
  #0: amehub-wm8510 (WM8510)
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 15
RAMDISK: Compressed image found at block 0
yaffs: dev is 1048576 name is "ram0"
yaffs: passed flags ""
yaffs: Attempting MTD mount on 1.0, "ram0"
VFS: Mounted root (ext2 filesystem).

Simple initrd is active

Attempting to mount /dev/mtdblock3
yaffs: dev is 32505859 name is "mtdblock3"
yaffs: passed flags ""
yaffs: Attempting MTD mount on 31.3, "mtdblock3"
yaffs: auto selecting yaffs1
Filesystem found on /dev/mtdblock3 - passing control...
save exit: isCheckpointed 0
¿yaffs: dev is 32505859 name is "mtdblock3"
yaffs: passed flags ""
yaffs: Attempting MTD mount on 31.3, "mtdblock3"
yaffs: auto selecting yaffs1
VFS: Mounted root (yaffs2 filesystem).
Trying to move old root to /initrd ... okay
Freeing init memory: 104K
yaffs: dev is 32505860 name is "mtdblock4"
yaffs: passed flags ""
yaffs: Attempting MTD mount on 31.4, "mtdblock4"
yaffs: auto selecting yaffs1
block 1228 is bad
Setting up persistent filesystem
Attempting to mount /persistent
yaffs: dev is 32505861 name is "mtdblock5"
yaffs: passed flags ""
yaffs: Attempting MTD mount on 31.5, "mtdblock5"
yaffs: auto selecting yaffs1
Initializing random number generator... done.
Creating dynamic devices
¿Starting network...
Start connectd...
OK
¿Starting alertme: In Em2xxUpgradePackage::create
em260_open called
inode minor is zero, assigning to builtin struct em260_user
Down semaphore
In crit section
Device opened, open_count is: 1
em260_open returning zero (success)
ep93xx-eth: PHY is a SMSC LAN8700, rev 3
REG_SELFCTL = 0x00006220  MII_BMCR = 0x00003000
Em260 firmware version is 0x3422 - requiem260_release called
red version is 0  em260_release, open count is: 0
x3422.
Em260 fiem260_release, returning 0
rmware is up to date - skipping Em260 bootload procedure.
done
link down



Welcome to AlertMe Linux.

uclibc login:
At first glance, one thing that is different is that there's twice as much memory in the full Hub - 64MB as opposed to 32MB in the Nano. I was also really impressed with the design of the Hub itself; the main board sits on one side, the comms board on the other, linked with a small ribbon cable. The battery backup is a set of Varta VH4000 cells made into a battery, which sits in a carrier in the centre of the Hub. Very neat - I also took some pics, which I'll try to upload somewhere.
Alerty - you could control your AlertMe system with my third-party app for iPhone and iPod Touch. Used to be available on iTunes!

robwalker
Posts: 3
Joined: Sat Jul 14, 2012 9:18 am

Re: AlertMe Hub - Yes, it's Linux

Post by robwalker » Sun Jul 22, 2012 2:57 pm

My first thought is that AlertMe are very likely breaking the law if they're not making the source code available...

phil4
Posts: 34
Joined: Fri Nov 25, 2011 11:27 pm
Location: Oxfordshire
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by phil4 » Sun Jul 22, 2012 9:48 pm

I'd guess that depends on whether a) they've made any changes and b) whether what they changed was GPL'd in the first place, and finally c) they've been asked, and refused.

I'm unsure if all those criteria have been met yet.

User avatar
roobarb!
Site Admin
Posts: 226
Joined: Mon Nov 21, 2011 4:56 pm
Location: Manchester, UK
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by roobarb! » Mon Jul 23, 2012 10:37 am

Very true. If you change the GPL'd stuff, you have to make those changes available. But you can run your own copyright code on Linux and there is no requirement to make the source for that available.
Alerty - you could control your AlertMe system with my third-party app for iPhone and iPod Touch. Used to be available on iTunes!

habile2
Posts: 5
Joined: Mon Aug 20, 2012 4:38 pm

Re: AlertMe Hub - Yes, it's Linux

Post by habile2 » Mon Aug 20, 2012 4:43 pm

robwalker wrote:My first thought is that AlertMe are very likely breaking the law if they're not making the source code available...
They will (or used to) make the GPLd source available. You had to e-mail a specific address which I can't recall and they sent the source to you. I have to say there wasn't anything of any interest because as they only have to supply the GPL stuff all you see in the code they have customised around Python etc.

C.

wpiman
Posts: 9
Joined: Mon Sep 10, 2012 5:59 pm

Re: AlertMe Hub - Yes, it's Linux

Post by wpiman » Mon Oct 08, 2012 10:08 pm

Did you try the usual suspects?

root with no password
root with password password
root with password root

User avatar
roobarb!
Site Admin
Posts: 226
Joined: Mon Nov 21, 2011 4:56 pm
Location: Manchester, UK
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by roobarb! » Wed Oct 10, 2012 7:29 am

wpiman wrote:Did you try the usual suspects?

root with no password
root with password password
root with password root
For a security system, I'd have been disappointed if it were that simple! ;)
Alerty - you could control your AlertMe system with my third-party app for iPhone and iPod Touch. Used to be available on iTunes!

wpiman
Posts: 9
Joined: Mon Sep 10, 2012 5:59 pm

Re: AlertMe Hub - Yes, it's Linux

Post by wpiman » Thu Oct 11, 2012 2:52 am

You never know. I imagine they figured if you had access to the hardware, you'd have control of the system anyway.

I got a Lowe's Iris Smarthub made by alert me and I see a 4 pin header on there. Can I just hook the wires directly up from the COM port on a PC? No level translation needed?

I see another header which looks like it goes to the Zigbee Pro chips. I was hoping that maybe there would be a jtag or ice header on there. No such luck.

User avatar
roobarb!
Site Admin
Posts: 226
Joined: Mon Nov 21, 2011 4:56 pm
Location: Manchester, UK
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by roobarb! » Thu Oct 11, 2012 12:58 pm

wpiman wrote:You never know. I imagine they figured if you had access to the hardware, you'd have control of the system anyway.

I got a Lowe's Iris Smarthub made by alert me and I see a 4 pin header on there. Can I just hook the wires directly up from the COM port on a PC? No level translation needed?

I see another header which looks like it goes to the Zigbee Pro chips. I was hoping that maybe there would be a jtag or ice header on there. No such luck.
Ooh, how'd you get an Iris system? Not sure with regard to that serial port - you might just get away with it. I use a TTL3v3 cable.

Yeah, it's a shame about the root password (in a way). There's a bunch of stuff that's only accessible by root, so I'm guessing that's where the goodies are. There's not much on the base file system.
Alerty - you could control your AlertMe system with my third-party app for iPhone and iPod Touch. Used to be available on iTunes!

wpiman
Posts: 9
Joined: Mon Sep 10, 2012 5:59 pm

Re: AlertMe Hub - Yes, it's Linux

Post by wpiman » Thu Oct 11, 2012 7:58 pm

There are $99 at Lowes. I live in the United States. The internal circuit board says it is a Alertme.com mini hub v2. 2011.

User avatar
roobarb!
Site Admin
Posts: 226
Joined: Mon Nov 21, 2011 4:56 pm
Location: Manchester, UK
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by roobarb! » Fri Oct 12, 2012 12:17 am

wpiman wrote:There are $99 at Lowes. I live in the United States. The internal circuit board says it is a Alertme.com mini hub v2. 2011.
Really, $99? Do you get any sensors with that, or is it just the hub unit?
Alerty - you could control your AlertMe system with my third-party app for iPhone and iPod Touch. Used to be available on iTunes!

wpiman
Posts: 9
Joined: Mon Sep 10, 2012 5:59 pm

Re: AlertMe Hub - Yes, it's Linux

Post by wpiman » Fri Oct 12, 2012 4:31 pm

Just the hub. The sensors are around $20 it appears.

Goto Lowes.com to look.

The hub also has two USB ports on in. Looks like they are USB masters (same interface that is on your PC).

wpiman
Posts: 9
Joined: Mon Sep 10, 2012 5:59 pm

Re: AlertMe Hub - Yes, it's Linux

Post by wpiman » Fri Oct 26, 2012 4:06 am

Ok, so I did this for my Iris hub and got the following.... (same TTL pin order)

At the end, I don't get a login screen. It says ok, and then the terminal appears to put out garbage. I don't know if they change the terminal speed or what--- maybe it goes encrypted or something???!? Any ideas?

----------------------------------------------------------------------------------
ffffffffffCold reset
HubOS v1.20 Copyright (C) AlertMe.com 2012
>
Loading linux...
MD5 checksum & Operator key passed
Loading ramdisk...
MD5 checksum & Operator key passed
Starting linux...
Initializing cgroup subsys cpuset
Initializing cgroup subsys cpu
Linux version 2.6.32.27-svn5552 (ahughes@bobbed2) (gcc version 4.3.5 (Buildroot 2010.11) ) #1 Thu Sep 20 12:46:39 BST 2012
CPU: ARM920T [41129200] revision 0 (ARMv4T), cr=c0007177
CPU: VIVT data cache, VIVT instruction cache
Machine: AlertMe.com Hub CPU Board
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8016
Kernel command line: console=ttyAM0,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 8MB 8MB 8MB 8MB = 32MB total
Memory: 26692KB available (3052K code, 360K data, 100K init, 0K highmem)
SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Hierarchical RCU implementation.
NR_IRQS:120
VIC @fefb0000: id 0x00041190, vendor 0x41
VIC @fefc0000: id 0x00041190, vendor 0x41
allocated 327680 bytes of page_cgroup
please try 'cgroup_disable=memory' option if you don't want memory cgroups
Calibrating delay loop... 99.73 BogoMIPS (lpj=498688)
Mount-cache hash table entries: 512
Initializing cgroup subsys ns
Initializing cgroup subsys cpuacct
Initializing cgroup subsys memory
Initializing cgroup subsys devices
Initializing cgroup subsys freezer
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
AlertMe hub PCB revision 6
AMEHUB: disabling spiflash enable
******** GPIO11 enabledSetting modem fudge...
ep93xx: PLL1 running at 400 MHz, PLL2 at 192 MHz
ep93xx: FCLK 200 MHz, HCLK 100 MHz, PCLK 50 MHz
M2P DMA subsystem initialized
Serial: AMBA PL011 UART driver
bio: create slab <bio-0> at 0
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (no cpio magic); looks like an initrd
Freeing initrd memory: 2048K
Hub Upgrade driver version 1.0
Generic SSP Support version 0.1
EP93xx M2M driver version 0.01
EP93xx CPU frequency driver version 0.01
EP93xx DMA-SSP driver version 0,01 loading
EP93xx DMA-SSP driver version 0,01 running
Alertme Hub spiflash driver registering
SPI Flash driver: Registered ssp slave interface
SST25VF010A id: BF 49
Alertme Hub spiflash driver version 0,01 running
Alertme Hub EM260 driver registering
Ember EM260 Driver, Copyright (C) 2007 AlertMe.com
Implementation by Mynah-Software Ltd.
EM260 driver startup ... em260 driver installed successfully.
amehub-swpwm registering
ep93xx software pwm driver starting
ep93xx-adc version 0.1 loading
ADC driver version 0.2
audit: initializing netlink socket (disabled)
type=2000 audit(0.629:1): initialized
msgmni has been set to 56
alg: No test for cipher_null (cipher_null-generic)
alg: No test for ecb(cipher_null) (ecb-cipher_null)
alg: No test for digest_null (digest_null-generic)
alg: No test for compress_null (compress_null-generic)
alg: No test for stdrng (krng)
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: AMBA driver
apb:uart1: ttyAM0 at MMIO 0x808c0000 (irq = 52) is a AMBA
console [ttyAM0] enabled
apb:uart2: ttyAM1 at MMIO 0x808d0000 (irq = 54) is a AMBA
apb:uart3: ttyAM2 at MMIO 0x808e0000 (irq = 55) is a AMBA
brd: module loaded
NAND device: Manufacturer ID: 0xec, Chip ID: 0xf1 (Samsung NAND 128MiB 3,3V 8-bit)
Scanning device for bad blocks
Bad eraseblock 70 at 0x0000008c0000
Bad eraseblock 179 at 0x000001660000
Bad eraseblock 457 at 0x000003920000
Bad eraseblock 665 at 0x000005320000
6 amenandfs partitions found on MTD device NAND 128MiB 3,3V 8-bit
Creating 6 MTD partitions on "NAND 128MiB 3,3V 8-bit":
0x000000000000-0x000008000000 : "whole-flash"
0x000000020000-0x000000220000 : "zImage"
0x000000220000-0x000000420000 : "ramdisk"
0x000000420000-0x000002420000 : "root"
0x000002420000-0x000007e00000 : "download"
0x000007e00000-0x000008000000 : "persistent"
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
ep93xx-eth version 0.1 loading
eth0: ep93xx on-chip ethernet, IRQ 39, 00:1c:2b:02:90:4c.
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
ep93xx-ohci ep93xx-ohci: EP93xx OHCI
ep93xx-ohci ep93xx-ohci: new USB bus registered, assigned bus number 1
ep93xx-ohci ep93xx-ohci: irq 56, io mem 0x80020000
usb usb1: New USB device found, idVendor=1d6b, idProduct=0001
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb1: Product: EP93xx OHCI
usb usb1: Manufacturer: Linux 2.6.32.27-svn5552 ohci_hcd
usb usb1: SerialNumber: ep93xx
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 3 ports detected
usbcore: registered new interface driver usbserial
usbserial: USB Serial Driver core
USB Serial support registered for cp210x
usbcore: registered new interface driver cp210x
cp210x: v0.09:Silicon Labs CP210x RS232 serial adaptor driver
Advanced Linux Sound Architecture Driver Version 1.0.21.
No device for DAI WM8510 HiFi
No device for DAI ep93xx-i2s
WM8510 Audio Codec 0.6
asoc: WM8510 HiFi <-> ep93xx-i2s mapping ok
ALSA device list:
#0: amehub-wm8510 (WM8510)
TCP cubic registered
NET: Registered protocol family 17
NET: Registered protocol family 15
RAMDISK: gzip image found at block 0
yaffs: dev is 1048576 name is "ram0" rw
yaffs: passed flags ""
VFS: Mounted root (ext2 filesystem) on device 1:0.

Simple initrd is active

Attempting to mount /dev/mtdblock3
yaffs: dev is 32505859 name is "mtdblock3" rw
yaffs: passed flags ""
Filesystem found on /dev/mtdblock3 - passing control...
yaffs: dev is 32505859 name is "mtdblock3" rw
yaffs: passed flags ""
VFS: Mounted root (yaffs2 filesystem) on device 31:3.
Trying to move old root to /initrd ... okay
Freeing init memory: 100K
yaffs: dev is 32505860 name is "mtdblock4" rw
yaffs: passed flags ""
Creating dynamic devices
HW: Jupiter Hub
Initializing random number generator... done.
Starting portmap: done
Setting up persistent filesystem
Attempting to mount /persistent
yaffs: dev is 32505861 name is "mtdblock5" rw
yaffs: passed flags ""
Starting network...
Start connectd...
OK
fþ`àfxf~`fø~æ~~`æ~xþxføfxæø`æø?`æøffffxff~ffæøfføfxx???xþ~?ffffxøàfàfx?øþ`fxføþæøþfxæàæøæøf~ø~~þàf~à`føø~f~~ffææøfxf`æ~øfxæþfx?øàøf`øfx~þø?`fxxffxfxøfxàfxøþfàæf`æø~àffffxøøfx`f~ø~þfxæf~æàfxæøf?

wpiman
Posts: 9
Joined: Mon Sep 10, 2012 5:59 pm

Re: AlertMe Hub - Yes, it's Linux

Post by wpiman » Fri Oct 26, 2012 4:26 am

Ok- I think I managed to get to some screen.. No password prompt. I connected to the serial port after all the crap on the screen.

I can't see what I am typing, but here is me typing help... and some of the commands I see... I try a few. Most say

----------------------------------------

Fault Bad args
>
Fault Bad args
>
Fault Bad cmd
>
Fault Bad cmd
>
Fault Bad args
>
Fault Bad cmd
>
configure
debug
dump
verifyApp
trashApp
fixFlash
gcw
halt
help
hubInfo
info
bootApp
linux
reset
show
upgrade
newupgrade
endupgrade
wait
write
visonic
zwavetest
delay
dhcp
ping
test
soak
visonicId
rgb
ledpulse
tcpget
tcpstop
zToken
zPing
stream
tone
channel
usbRegDump
usbEnable
usbDisable
> (I type command here)
hubOsCmd : linux
linuxCmd : console=ttyAM0,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
appSvr1 : hubserver.irissmarthome.com:443
authSvr : auth.irissmarthome.com:443
imgSvr1 : imgserver.irissmarthome.com:443
imgSvr2 :
tstSvr1 : imgserver.irissmarthome.com:443
tstSvr2 :
deployId : 2
built :
ssh : off
macAddr : 00:1C:2B:02:90:4C
ipAddr : 0.0.0.0 (auto)
spiKeys : good keys
> (I type ping)
Pong from 00:1C:2B:02:90:4C
>
Pong from 00:1C:2B:02:90:4C
>
Fault Bad args
>
Fault Bad args

>
Pong from 00:1C:2B:02:90:4C
>
Pong from 00:1C:2B:02:90:4C
>
Fault Bad args
>
Fault Bad args
>
>
[ZigBee] Channel 18
>
[TEST] 1 Inf(RemoteRSSI N/A)
[TEST] 2 Inf(LocalRSSI N/A)
>
Fault Bad cmd
>
Fault Bad args
>
>
>
>
>
>
HubInfo:Type 0,Mk 6,Name JupiterHub,HubOS v1.20,HubOSCrc 8DE650CHubApp v3.2r36,MAC 00:1C:2B:02:90:4C,CPUID 924DD47E,HubServer hubserver.irissmarthome.com:443,AuthServer auth.irissmarthome.com:443,ImgServer1 imgserver.irissmarthome.com:443,ImgServer2 ,IP 0.0.0.0 (auto),EUI64 000D6F0001A015AA
>
Fault Bad cmd
>
Fault Bad cmd
>
Fault Bad cmd
>
Fault Bad cmd
>
Fault Bad cmd
>
Fault Bad cmd
>
Fault Bad args
>
Fault Bad args
>
Fault Bad args
>
>
[TEST] 3 Inf(NewChan 1)
Fault [EZSP] Failed to set channel
>
>
Fault Bad args

I then did help command for all the commands


dump <start>[ <end>] - Displays memory between <start> and <end>
>
verifyApp
>
Fault Bad args
>
trashApp
>
gcw [1:0] - Alter or show bit. 1 will turn the board off if running from battery
>
halt Deprecated - please use 'wait'
>
Fault Bad args
>
hubInfo No args. Just displays info for hub
>
info <immutable>|all - Displays <immutable> or all immutables
>
BootROM : HubOS v1.20
procId : 924DD47E
pcbRev : 6
mains : 5500mV
nandId : ECF1
devcaps.modem : absent
devcaps.battery : unknown
ethPHY : SMSC LAN8700 rev 4
ethLink : down
IP addr : 0.0.0.0 (auto)
RAM : 32MB
EM260Id : 000D6F0001A015AA
EZSPstack : v3.4.22
ZigBeeDev : EM260
USB : Removed
>
bootApp Loads (and runs) app from flash
>
linux Deprecated - please use 'bootApp'
>
reset [em260] Resets EP9302 by default, or EM260 if specified
>
upgrade Upgrade SPI flash
>
newupgrade experimental Upgrade SPI flash
>
endupgrade end ethernet upgrade download
>
wait Stop booting application
>
write <addr> <val>|<string> - Writes <val> or <string> to <addr>, in hex
>
visonic <enable>
>
zwavetest test zwave board
>
delay <ms>
>
dhcp Request an IP address via DHCP
>
ping (Remote command for testing)
>
test board|cased|modem
>
soak radio|ping
>
visonicId <sirenId>
>
rgb <r> <g> <b> All values 0-255
>
Fault Bad cmd
>
ledpulse <r1> <g1> <b1> <r2> <g2> <b2> <period (ms)>
>
tcpget tcpget [<url>] [<filename>] - Fetches an upgrade image via TCP
>
tcpstop tcpstop - Stops the current TCP transfer
>
zToken <MfgTokenId> - Display value of token from EM260
>
zPing [<dbm>] - Ping Comms Node
>
stream <channel> <dBm> - Turns streaming on, using channel and power (in dBm)
>
channel [<channel>]
>
usbRegDump
>
usbEnable Initialises the USB hardware
>
usbDisable Shuts down the USB hardware

sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Sun Nov 11, 2012 6:31 am

I just started messing with the Iris Hub, and have some progress to report. I'm on the console as wpiman was. I've found the configure command in 'hubos', which is -before- linux boots, allows you to change things, so i've suspended boot with 'wait', then used 'configure' to turn on SSH (and confirmed it is turned on after boot), and i've changed the linuxCMD line to break me into a busybox shell (which it did). I'm going to do some poking around now to see what I can find. I will report anything I find here.

Update #1:

in /bin there is a program called 'config', which outputs:

Code: Select all

spiflash.cafile=-----BEGIN CERTIFICATE-----                                                                                                                                             
MIICgTCCAeoCAQAwDQYJKoZIhvcNAQEEBQAwgYgxCzAJBgNVBAYTAlVTMR0wGwYD                                                                                                                        
VQQDExRjYS5pcmlzc21hcnRob21lLmNvbTEUMBIGA1UEBxMLTW9vcmVzdmlsbGUx                                                                                                                        
HjAcBgNVBAoTFUxvd2UncyBDb21wYW5pZXMgSW5jLjEXMBUGA1UECBMOTm9ydGgg                                                                                                                        
Q2Fyb2xpbmExCzAJBgNVBAsTAklUMB4XDTEyMDYxNTE4MTgwMFoXDTMyMDYxMDE4                                                                                                                        
MTgwMFowgYgxCzAJBgNVBAYTAlVTMR0wGwYDVQQDExRjYS5pcmlzc21hcnRob21l                                                                                                                        
LmNvbTEUMBIGA1UEBxMLTW9vcmVzdmlsbGUxHjAcBgNVBAoTFUxvd2UncyBDb21w                                                                                                                        
YW5pZXMgSW5jLjEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExCzAJBgNVBAsTAklU                                                                                                                        
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrpJDUEh2LzgvRBEZZ53G6J0Oc                                                                                                                        
Kgn7YyhWuU9bKgDwRipWpgiRyjX/2vD90D9LsGjTZU9/vAr5GVw6a9v2S9KyZxd0                                                                                                                        
r6WvUie16aP1qsQKmQiy2PjHOjU5Eo6HbZtCQoQuKtfkY6vvAUm+DpxmLlPim8tb                                                                                                                        
zpcrJoNqyCSd0FJCLQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAOc6O/ibxOKJ2P7r                                                                                                                        
oEFlh5aWMN68JAZs/+hlK6x2wERqkHn2VNTyOeUrYTcml2sOhvjlX6JvhigaAQgo                                                                                                                        
0AHTyaBAvh5O9qGhlkUWAVtGQFRc+R+3zBR20Z7ZCPywnUuRrXNKNbApJXAxDwHQ                                                                                                                        
rodPClxj0RM11u10dpq16DQjnOP4                                                                                                                                                            
-----END CERTIFICATE-----                                                                                                                                                               
spiflash.master_key=RSAKeyPublic                                                                                                                                                        
spiflash.operator_key=RSAKeyPublic                                                                                                                                                      
spiflash.macaddress=00:1c:2b:02:6f:33                                                                                                                                                   
spiflash.ipaddress=0.0.0.0                                                                                                                                                              
spiflash.phonenum=                                                                                                                                                                      
spiflash.deployment_index=2                                                                                                                                                             
spiflash.appsvr1url=hubserver.irissmarthome.com:443                                                                                                                                     
spiflash.appsvr2url=auth.irissmarthome.com:443                                                                                                                                          
spiflash.imgsvr1url=imgserver.irissmarthome.com:443                                                                                                                                     
spiflash.imgsvr2url=                                                                                                                                                                    
spiflash.tstsvr1url=imgserver.irissmarthome.com:443                                                                                                                                     
spiflash.tstsvr2url=                                                                                                                                                                    
spiflash.ssh=1                                                                                                                                                                          
spiflash.hubsvrurl=hubserver.irissmarthome.com:443                                                                                                                                      
spiflash.authsvrurl=auth.irissmarthome.com:443                                                                                                                                          
spiflash.imgsvrurl=imgserver.irissmarthome.com:443                                                                                                                                      
So it dumps out the same public key you can query from the hub's 'webserver' and allows you to change certain things just like you can in the 'hubos' bootloader. The hub appears to have 'scp' on it, so i'm going to pull off some files for offline analysis.

I've also found 'hubapp' under /usr/bin, which by my guess is the main 'hub' process. I will continue to report any more findings (if anyone's interested).

In reference to the 'garbage' after boot. it appears that 'starting connectd', is referring to a having a modem connected to the serial port or similar.

I have access to the /etc/passwd and /etc/shadow file it would appear. I'll pull the file(s) offline to see if 'john the ripper' can have any fun with it.

I also found, that if it 'bricks' itself, the bootloader will download a new image from the imgserver and flash it and attempt to repair itself.

I edited the boot scripts so that it doesn't load connectd, and there's no garbage, so now i can watch the console..

I've successfully enabled SSH, as well as having a shell loaded and changed the root password, and have the 'alertme' hub process running... here's the output from it's log file:

Code: Select all

/etc/init.d # cat /tmp/logging.0.log                                                                                                                                                    
                                                                                                                                                                                        
PicOS v0.19 Copyright (C) AlertMe.com 2007-11                                                                                                                                           
Reset reason: NONE                                                                                                                                                                      
1970-01-01 00:00:00 :Error [NET] Failed to connect to connectivity server 2                                                                                                             
> 1970-01-01 00:00:00 :[GENERIC] System LED status changed to 2, 2, 1                                                                                                                   
Link up                                                                                                                                                                                 
Hub Application v3.3r8                                                                                                                                                                  
OS Version 0.19 - require 0.19                                                                                                                                                          
1970-01-01 00:00:05 :[NET] Verbose off                                                                                                                                                  
Reading CAFile /persistent/CAfile.pem                                                                                                                                                   
1970-01-01 00:00:05 :Error [GENERIC] Failed to read /persistent/CAfile.pem                                                                                                              
                                                                                                                                                                                        
Reading CAFile from SPI Flash                                                                                                                                                           
p_not_before = 4FDA2AD8                                                                                                                                                                 
p_not_before = 509DF535                                                                                                                                                                 
1970-01-01 00:00:05 :[GENERIC] Authorised                                                                                                                                               
1970-01-01 00:00:05 :[GENERIC] Auth veri                                                                                                                                                
1970-01-01 00:00:05 :[GENERIC] System LED status changed to 3, 2, 3                                                                                                                     
2012-11-10 06:33:26 :[GENERIC] device controller init                                                                                                                                   
2012-11-10 06:33:26 :[ZC] EZSP protocol version 2, stack type 2, stack version 3422.                                                                                                    
2012-11-10 06:33:26 :CRITICAL [ZC] EM260 firmware is out of date.  Aborting Zigbee Controller.                                                                                          
2012-11-10 06:33:26 :[ZC] Endpoint: 0x02, profile: 0xC216                                                                                                                               
2012-11-10 06:33:26 :[GENERIC] [VDEV_DBG] vdev init                                                                                                                                     
2012-11-10 06:33:26 :CRITICAL [ZW] failed to open permanent store                                                                                                                       
2012-11-10 06:33:26 :[GENERIC] BluelinePowerSensorInit                                                                                                                                  
2012-11-10 06:33:26 :[ZC] Network up                                                                                                                                                    
2012-11-10 06:33:26 :[ZC]   Radio channel = 25                                                                                                                                          
2012-11-10 06:33:26 :[ZC]   PAN Id = EABA                                                                                                                                               
2012-11-10 06:33:26 :[ZC]   TX Pow = 0                                                                                                                                                  
2012-11-10 06:33:26 :[ZC] TCL:                                                                                                                                                          
2012-11-10 06:33:26 :[GENERIC] DUMP 16                                                                                                                                                  
5A 69 67 42 65 65 41 6C  6C 69 61 6E 63 65 30 39                                                                                                                                        
2012-11-10 06:33:26 :[ZC] NWK:                                                                                                                                                          
2012-11-10 06:33:26 :[GENERIC] DUMP 16                                                                                                                                                  
BC 78 99 5B D4 C1 89 12  24 43 8D 73 8F 77 87 6C                                                                                                                                        
2012-11-10 06:33:27 :[HUBAPP] Connecting to hub server                                                                                                                                  
2012-11-10 06:33:27 :Error [NET] Failed to connect to connectivity server 2                                                                                                             
2012-11-10 06:33:27 :[GENERIC] CAM: Admin password emw5Y0o3eFNaa0J4bVJjcWRHQmdwSlVxUUJpdG5vMDpjTngzVXVxbEhPbTIxMVNmVllnekJwSnI1TE9veTJjT0RQSFk3eDlFQWw0MWFNV3ZpMWtqZ3NQYTNkQ3BUZjM=     
2012-11-10 06:33:27 :[GENERIC] CAM: Notify password V3M5c3F1cnN1UW5scng2YVd4QjNScklwa2pzTjBMRTpOMUQ1aHlsT2kxeklnbUM3Nng2MEVuNnVMZWFZVWpjZmFlYjZTQUt5MTc0V2o2UmV0TlN3eU9nOXE0VjlidmU=    
p_not_before = 4FDA2AD8                                                                                                                                                                 
2012-11-10 06:33:27 :[GENERIC] CAM: Running                                                                                                                                             
2012-11-10 06:33:27 :[NET] Connected                                                                                                                                                    
p_not_before = 4FDA33E1                                                                                                                                                                 
p_not_before = 4FDA2AD8                                                                                                                                                                 
2012-11-10 06:33:27 :[GENERIC] PUBLIC KEY MEM 0                                                                                                                                         
2012-11-10 06:33:27 :[ZW] SAPI: Power up                                                                                                                                                
2012-11-10 06:33:28 :Error [ZW] SAPI: Received unknown byte in idle state - 3F                                                                                                          
2012-11-10 06:33:28 :[ZW] Get random: Started                                                                                                                                           
2012-11-10 06:33:28 :Error [ZW] SAPI: Received unknown byte in idle state - 6E                                                                                                          
2012-11-10 06:33:28 :[ZW] Get random: Tx complete                                                                                                                                       
2012-11-10 06:33:28 :[ZW] Get random: Response 1 26                                                                                                                                     
2012-11-10 06:33:28 :[ZW] Initialising Security Layer...                                                                                                                                
2012-11-10 06:33:28 :[ZW] Z-Wave network is secure                                                                                                                                      
2012-11-10 06:33:28 :[ZW] Set Node Info: Started                                                                                                                                        
2012-11-10 06:33:28 :[ZW] Set Node Info: Tx complete                                                                                                                                    
2012-11-10 06:33:28 :[ZW] Get network details: Started                                                                                                                                  
2012-11-10 06:33:28 :[ZW] Get network details: Home: F194746D    Controller: 1                                                                                                          
2012-11-10 06:33:28 :[ZW] API: Z-Wave 3.34                                                                                                                                              
2012-11-10 06:33:28 :[GENERIC] PRIV KEY 0                                                                                                                                               
2012-11-10 06:33:28 :[HUBAPP] Hub server connected                                                                                                                                      
2012-11-10 06:33:28 :[GENERIC] System LED status changed to 1, 2, 3                                                                                                                     
2012-11-10 06:33:28 :[HUBAPP] Sending hubserver ping message.                                                                                                                           
2012-11-10 06:33:28 :[HUBAPP]   |- Power on mains.                                                                                                                                      
2012-11-10 06:33:28 :[HUBAPP]   |- Hubversion 3.3r8.                                                                                                                                    
2012-11-10 06:33:28 :[HUBAPP]   |- AMNET Protocol version 4.                                                                                                                            
2012-11-10 06:33:28 :[HUBAPP]   |- PCB Rev: 6.                                                                                                                                          
2012-11-10 06:33:28 :[HUBAPP]   |- Has battery: Unknown                                                                                                                                 
2012-11-10 06:33:28 :[HUBAPP]   |- RAM: 32768K                                                                                                                                          
2012-11-10 06:33:29 :[GENERIC] System LED status changed to 3, 2, 3                                                                                                                     
2012-11-10 06:33:29 :[GENERIC] Disconnected. Reason 0                                                                                                                                   
2012-11-10 06:33:29 :[HUBAPP] Hub server disconnected                                                                                                                                   
2012-11-10 06:33:45 :[HUBAPP] Connecting to hub server                                                                                                                                  
2012-11-10 06:33:45 :Error [NET] Failed to connect to connectivity server 2                                                                                                             
2012-11-10 06:33:45 :[NET] Connected                                                                                                                                                    
2012-11-10 06:33:45 :[GENERIC] Failed to connect to hubserver.                                                                                                                          
2012-11-10 06:34:02 :[HUBAPP] Connecting to hub server                                                                                                                                  
2012-11-10 06:34:02 :Error [NET] Failed to connect to connectivity server 2                                                                                                             
2012-11-10 06:34:02 :[NET] Connected                                                                                                                                                    
p_not_before = 4FDA33E1                                                                                                                                                                 
p_not_before = 4FDA2AD8                                                                                                                                                                 
2012-11-10 06:34:02 :[GENERIC] PUBLIC KEY MEM 0                                                                                                                                         
2012-11-10 06:34:03 :[GENERIC] PRIV KEY 0                                                                                                                                               
2012-11-10 06:34:03 :[HUBAPP] Hub server connected                                                                                                                                      
2012-11-10 06:34:03 :[GENERIC] System LED status changed to 1, 2, 3                                                                                                                     
2012-11-10 06:34:03 :[HUBAPP] Sending hubserver ping message.                                                                                                                           
2012-11-10 06:34:03 :[HUBAPP]   |- Power on mains.                                                                                                                                      
2012-11-10 06:34:03 :[HUBAPP]   |- Hubversion 3.3r8.                                                                                                                                    
2012-11-10 06:34:03 :[HUBAPP]   |- AMNET Protocol version 4.                                                                                                                            
2012-11-10 06:34:03 :[HUBAPP]   |- PCB Rev: 6.                                                                                                                                          
2012-11-10 06:34:03 :[HUBAPP]   |- Has battery: Unknown                                                                                                                                 
2012-11-10 06:34:03 :[HUBAPP]   |- RAM: 32768K                                                                                                                                          
2012-11-10 06:34:03 :[GENERIC] System LED status changed to 3, 2, 3                                                                                                                     
2012-11-10 06:34:03 :[GENERIC] Disconnected. Reason 0                                                                                                                                   
2012-11-10 06:34:03 :[HUBAPP] Hub server disconnected
Once digging a bit more.. i found some files in a directory called /persistent:

Code: Select all

-rw-r--r--    1 root     root            97 Nov 10 06:33 camera_admin.txt
-rw-r--r--    1 root     root           928 Jun 14 18:18 camera_certificate.pem
-rw-r--r--    1 root     root            97 Nov 10 06:33 camera_notify_credentials.txt
-rw-r--r--    1 root     root           887 Jun 14 18:18 camera_privatekey.pem
-rw-r--r--    1 root     root           973 Jun 14 18:56 clientcert.pem
-rw-r--r--    1 root     root           887 Jun 14 18:56 clientkey.pem
drwx------    1 root     root          2048 Jan  1  1970 lost+found
-rw-r--r--    1 root     root             0 Nov 10 06:33 networkFormed
-rw-r--r--    1 root     root            16 Nov 10 06:33 secureZWaveKey
-rw-r--r--    1 root     root             1 Jan  1  1970 verbose_logging
Which appear to be the magic 'keys'.. so i can finally have access to my RC8221 camera possibly.

User avatar
roobarb!
Site Admin
Posts: 226
Joined: Mon Nov 21, 2011 4:56 pm
Location: Manchester, UK
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by roobarb! » Sun Nov 11, 2012 9:00 am

Wow - interesting stuff! How did you get access before the OS fires up? On the original hub it very quickly dives into launching Linux, so I've never been able to turn on SSH or get root access.
Alerty - you could control your AlertMe system with my third-party app for iPhone and iPod Touch. Used to be available on iTunes!

sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Sun Nov 11, 2012 9:43 am

At the:
HubOS v1.20 Copyright (C) AlertMe.com 2012
>

prompt

type 'wait' and hit enter. It'll stop it from autobooting for that session.

sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Wed Nov 14, 2012 7:34 pm

Update #2: slightly more progress.. but only slightly... it turns out that the 'hubapp' program, actually has a cli to it, so i can interact with it a bit.. here's the listing of 'help' from it:

Code: Select all

PicOS v0.19
    boot Boots main application
    configure default|<variable> <val> - Resets all vars to factory defaults, or sets <variable> to <val>
    date Show current date/time
    debug [[<source>] on|off] - Shows all debugging sources, or enables/disables debugging from <source>
    dump <start address> [<end address>] - Dump specified area of memory
    hash <start address> <end address> - Hash specified area of memory
    help [<cmd>] - Show help about <cmd>, or a list of all commands
    info Displays info
    hubinfo Shows hub info, as used by PC app
    reset Resets processor
    show default|<variable> <val> - Resets all vars to factory defaults, or sets <variable> to <val>
    wait Stop booting application
    write <address> <hex value|quoted string> - Write byte value or string to address
    osevt <id> <data> - issue event
    timestamps <0|1> - enable log timestamps
    wdt wdt test
LedMod v0.1
    ledset <0xrr> <0xgg> <0xbb>
    lampcond <0xseq>
    lampstatus Show system LED status
    lamplist <0xseq>
UpgradeMod v0.1
    osupgrade osupgrade [<url>] [<filename>] - Fetches a PicOS image via TCP
    tcpstop tcpstop - Stops the current TCP transfer
    upgrade upgrade [<url>] [<filename>] - Fetches an application image via TCP
    getdevimage getdevimage [<type>] [<rev>] - Fetches a device image via TCP
PowerMod v0.1
    power Get power status
Testmod
    test Run self test
UPnPMod v0.1
    upnp 
Hub Application v3.3r8
    appshutdown Shutdown hub application
    unauthorise Unauthorise hub
    clrhnf Clear HNF
    devlist List devices
    plj Permit local joining, 0=only join@ZR, 1=join@ZCO/ZR
    bclr Broadcast clear HNF
    shows Show/Change debug sources, [SOURCE LOG/PRINT Yes/No]
    signal TEST: Device signals
    telem TEST: Dump telemetry table
    zctop TEST: Dump zigbee topology
    updev updev [<device EUI64>] - Queue a device upgrade
    chchn chchn [<target>] - Change zigbee channel to target.
    thermostat thermostat <device> <off|heat|cool|auto> [<setpoint> [<setpoint>]] - Thermostat Cluster Operations
    zw_debug zw_debug <0/1> - Enable ZWASL debug
    zw_basic_get zw_basic_get <node> - Basic Get command
    zw_battery zw_battery <node> - Battery Get command
    zw_config_get zw_config_get <node> <parameter> - Configuration Get parameter
    doorlock doorlock <device> <lock|unlock|duration> - Door Lock Operations
    usercode usercode <device> <slot> <status> [<code>] - User Code Operations
    vacation vacation <device> <0|1> - Vacation Operations
and here's an example from the 'devlist' command:

Code: Select all

*********************Zigbee Controller Devices**************************  
                                                       L  T                P    
                                                       s  o  P             r    
                                       P               i  p  r             o    
I  S  D                                a               g  o  e  A  p    R  t    
n  t  e                                r    T  T  V    n     s  n  o    e  o    
d  a  v         Z                 N    N    y  e  o    L  L  e  n  w    l  c    
e  t  I    H    I                 w    w    p  m  l    Q  Q  n  c  e    a  o    
x  e  D    W    D                 k    k    e  p  t    I  I  t  e  r    y  l    
|  |  |    |    |                 |    |    |  |  |    |  |  |  |  |    |  |    
+--+--+----+----+-----------------+----+----+--+--+----+--+--+--+--+----+--+----
|00|12|0001|0235|000D6F000237AEF4|8C20|0000|07|00|324A|FF|FF|01|01|0000|00|AM  

*****************************Virtual Devices****************************
                                                              P           
                                      P                       r           
I  S  D                               a                       e  A  p    R
n  t  e                               r    T    T  V       H  s  n  o    e
d  a  v         Z                N    N    y    e  o    L  o  e  n  w    l
e  t  I    H    I                w    w    p    m  l    Q  p  n  c  e    a
x  e  D    W    D                k    k    e    p  t    I  s  t  e  r    y
|  |  |    |    |                |    |    |    |  |    |  |  |  |  |    |
+--+--+----+----+----------------+----+----+----+--+----+--+--+--+--+----+--
*****************ZWave Controller Devices*******************
I  D
n  e                     N  T    T    V    
d  v    Z                o  y    e    o    
e  I    i                d  p    m    l    
x  D    d                e  e    p    t    
|  |    |                |  |    |    |    
+--+---------------------+--+----+----+----
********************************Cameras*****************************
 # |  id  |       mac address       |     ip addr     | state | info
0 | 0000 | 00:00:00:0e:8f:92:78:e2 |   192.168.1.112 |   26  | present
 1 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 2 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 3 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 4 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 5 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 6 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 7 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 8 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 9 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 

sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Thu Nov 15, 2012 6:26 am

It would appear, they use passphraseless private keys on the hub for the camera, etc.. That makes my job a lot easier all the sudden.

sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Sun Nov 18, 2012 12:06 am

I've also now managed to get a console on the RC8221 camera that Lowe's is using as well. I'm trying to sort out how to get a shell though.

wpiman
Posts: 9
Joined: Mon Sep 10, 2012 5:59 pm

Re: AlertMe Hub - Yes, it's Linux

Post by wpiman » Tue Nov 20, 2012 3:29 am

Nice progress. What I am really hoping to figure out is how the Zigbee Sensors pair up with the device, and then use that knowledge to get them to pair up with a cheap USB Zigbee stick-- like what I got from Telegesis. Then I can pair the sensors to my PC directly and bypass the hub-- or possibly use the hub as a interface for Zigbee over the serial bus.

I don't have a camera-- do you have any sensors?

sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Tue Nov 20, 2012 10:08 pm

Just the smartplug (so it's zigbee)..

duncanmcbryde
Posts: 3
Joined: Sat Jul 20, 2013 1:43 pm

Re: AlertMe Hub - Yes, it's Linux

Post by duncanmcbryde » Tue Jul 23, 2013 1:14 am

Hi guys, I'm playing around with the Alertme nanohub. I thought I'd share with the community a bit on how to get to the linux command prompt, as I was struggling to follow Sorphin's steps to get to the command line. Perhaps someone will find the steps handy

I struggled finding which pin numbers were what. It turns out pin 1 is the square pin! As stated before:
  • Pin 4: Ground
    Pin 3: Rx
    Pin 2: Tx
    Pin 1: Unknown?
I used a 3.3V FTDI cable with the screen command to get an interactive terminal with many lines of history.

Code: Select all

screen /dev/tty.usbserial-A400hAWk 115200,-parenb,-cstopb,cs8 -h 10000
As the device is booting, type "wait" to get into the pre-boot environment. Here's the available help documentation for the listed commands:

Code: Select all

debug [[<source>] on|off] - Shows all debugging sources, or enables/disables debugging from <source>
dump <start>[ <end>] - Displays memory between <start> and <end>gcw
halt Deprecated - please use 'wait'
help [<cmd>] - Show help about <cmd>, or a list of all commands
info <immutable>|all - Displays <immutable> or all immutables
bootApp Loads (and runs) app from flash
linux Deprecated - please use 'bootApp'
reset [em260] Resets EP9302 by default, or EM260 if specified
show [<variable>|all] - Displays <variable> or all variables
upgrade Upgrade SPI flash
wait Stop booting application
write <addr> <val>|<string> - Writes <val> or <string> to <addr>, in hex
arp <ipaddress> - Do an ARP for <ipaddress>
dhcp Request an IP address via DHCP
tftp Loads (and executes) filename given by earlier DHCP
ethStatus Displays stats
ping (Remote command for testing)
test board|cased
casetest Start self test mode
ramtest <quick|comprehensive>
selfTest Same as casetest
nandtest [page_address]
temperature Show current onboard temperature
rgb <r> <g> <b> in hex, 00-7F
modemCmd <ATcommand> - Send <ATCommand> to modem.  Any result is printed directly
modemPower [modem] - Turns modem off and then on again
modemPulse Sends power pulse to modem to turn it on or off
modemPresent Reads back CGPIO0 to see if modem is attached & powered
sendSms <phone no> <message> - Sends <message> to <phone no> as a txt
showSms <memoryType> <index> - Shows message using <memoryType> and <index>
simPresent Reads FGPIO3 to see if SIM is inserted
tcpget tcpget [<url>] - Fetches an upgrade image via TCP
tcpstop tcpstop - Stops the current TCP transfer
zCal Calibrate all radio channels
zTest Ping golden node
zToken <MfgTokenId> - Display value of token from EM260
zPing [<dbm>] - Ping Comms Node
burst <chan> <spaceS> [<markMs>] - simulate ZigBee traffic
stream <channel> <dBm> - Turns streaming on, using channel and power (in dBm)
tone <channel> <dBm> - Turns toning on, using channel and power (in dBm)
receive <channel>

I noted the output of configure, in case it may be useful to me or someone else

Code: Select all

hubOsCmd : linux
linuxCmd : console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
appSvr1 : hubsrv1.ash.uk.alertme.com:443
appSvr2 : hubsrv1.ash.uk.alertme.com:443
imgSvr1 : imgsrv1.ash.uk.alertme.com:443
imgSvr2 : imgsrv2.ash.uk.alertme.com:443
tstSvr1 : imgsrv1.ash.uk.alertme.com:443
tstSvr2 : imgsrv2.ash.uk.alertme.com:443
deployId : 1
built : 2011/05/20-17:02:03_by_00@InTech_for_AlertMe.com
macAddr : 00:1C:2B:01:D2:8D
ipAddr : 0.0.0.0 (auto)
SIMICCID : 
APN : 
spiKeys : good keys
Use "configure" to boot into a shell without requiring the password

Code: Select all

configure linuxCmd console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2 init=/bin/sh rw
Boot into linux with the linux command, and you should find yourself sitting at a busybox shell

Code: Select all

Loading linux...
MD5 checksum passed
Operator key passed
Loading ramdisk...

<Snip>

BusyBox v1.4.1 (2011-05-31 17:52:47 BST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/sh: can't access tty; job control turned off
/ $
From this point you can use passwd to change the root password to your choosing. When this is done reboot and log in with root and your new password.

Code: Select all

Loading linux...
MD5 checksum passed
Operator key passed
Loading ramdisk...

<Snip>

Welcome to AlertMe Linux.

uclibc login: root
<password>
It seems that the alertme hub uses python and Twistd to manage communication. Files of note include:

Code: Select all

/etc/alertme/hub/hub.conf
/etc/alertme/hub/config-comms.xml
/usr/lib/python2.4/site-packages/alertme/
/usr/bin/alertme
I think that's as far as I got with poking around. I'd like to see if I can replicate Sorphin's access to the Hubbapp program, I can't seem to find it. Next stage is to get SSH up and running and to see if I can get the default password. I'm planning to intercept traffic between the hub and the internet to see what's being sent. Ideally what I'd like to do is be able to scrape the power usage from the zigbee power meter.

User avatar
roobarb!
Site Admin
Posts: 226
Joined: Mon Nov 21, 2011 4:56 pm
Location: Manchester, UK
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by roobarb! » Fri Jul 26, 2013 10:24 am

Blimey, good work! It would be lovely to get the sensor values locally rather than having to go via the web API, so please let us know how it goes!
Alerty - you could control your AlertMe system with my third-party app for iPhone and iPod Touch. Used to be available on iTunes!

sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Wed Sep 04, 2013 8:40 am

duncanmcbryde wrote:Hi guys, I'm playing around with the Alertme nanohub. I thought I'd share with the community a bit on how to get to the linux command prompt, as I was struggling to follow Sorphin's steps to get to the command line.
<snip>
I think that's as far as I got with poking around. I'd like to see if I can replicate Sorphin's access to the Hubbapp program, I can't seem to find it. Next stage is to get SSH up and running and to see if I can get the default password. I'm planning to intercept traffic between the hub and the internet to see what's being sent. Ideally what I'd like to do is be able to scrape the power usage from the zigbee power meter.
My steps would be slightly different than yours since you're using an Alertme nanohub and I was using a Lowe's (AlertMe) IRIS hub.. it was a bit different.. and it doesn't have the same OS layout, different sw, etc.. The traffic to the 'servers' is SSL encrypted.. that's where I got nailed... Man in the Middle attack without being able to replace the certs is a real pain in the arse... I took all my stuff back because i was having too many issues compared to what it was worth with it being so tired into the "IRIS" service, tbh.

tickett
Posts: 1
Joined: Tue Sep 10, 2013 9:15 pm

Re: AlertMe Hub - Yes, it's Linux

Post by tickett » Thu Sep 19, 2013 9:13 am

Damn, my AlertMe hub that came with my home energy pack doesn't have ssh(d). But I was able to patch into the console the way you described and change the root password.

Any clever ideas how I might get sshd running? It does have wget on- but i'm not sure if such a thing as a precompiled dropbear/sshd exists?

User avatar
roobarb!
Site Admin
Posts: 226
Joined: Mon Nov 21, 2011 4:56 pm
Location: Manchester, UK
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by roobarb! » Mon Sep 23, 2013 9:45 am

tickett wrote:Any clever ideas how I might get sshd running? It does have wget on- but i'm not sure if such a thing as a precompiled dropbear/sshd exists?
No idea, I'm afraid - I've not tried anything other than chatting to the device over the TTY / DEBUG port.

I know it goes without saying, but I'll say it anyway… bye, bye warranty / support / etc, etc…
Alerty - you could control your AlertMe system with my third-party app for iPhone and iPod Touch. Used to be available on iTunes!

tfm55x
Posts: 1
Joined: Mon Oct 07, 2013 6:57 pm

Re: AlertMe Hub - Yes, it's Linux

Post by tfm55x » Mon Oct 07, 2013 7:13 pm

duncanmcbryde wrote:Hi guys, I'm playing around with the Alertme nanohub. I thought I'd share with the community a bit on how to get to the linux command prompt, as I was struggling to follow Sorphin's steps to get to the command line. Perhaps someone will find the steps handy
.
.
<snip>
.
.


I noted the output of configure, in case it may be useful to me or someone else

Code: Select all

hubOsCmd : linux
linuxCmd : console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
appSvr1 : hubsrv1.ash.uk.alertme.com:443
appSvr2 : hubsrv1.ash.uk.alertme.com:443
imgSvr1 : imgsrv1.ash.uk.alertme.com:443
imgSvr2 : imgsrv2.ash.uk.alertme.com:443
tstSvr1 : imgsrv1.ash.uk.alertme.com:443
tstSvr2 : imgsrv2.ash.uk.alertme.com:443
deployId : 1
built : 2011/05/20-17:02:03_by_00@InTech_for_AlertMe.com
macAddr : 00:1C:2B:01:D2:8D
ipAddr : 0.0.0.0 (auto)
SIMICCID : 
APN : 
spiKeys : good keys
Use "configure" to boot into a shell without requiring the password

Code: Select all

configure linuxCmd console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2 init=/bin/sh rw
Boot into linux with the linux command, and you should find yourself sitting at a busybox shell

Code: Select all

Loading linux...
MD5 checksum passed
Operator key passed
Loading ramdisk...

<Snip>

BusyBox v1.4.1 (2011-05-31 17:52:47 BST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/sh: can't access tty; job control turned off
/ $
If you are using the Lowe's Iris hub, take note of the following default settings (via configure cmd):

Code: Select all

hubOsCmd : linux
linuxCmd : console=ttyAM0,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
appSvr1 : hubserver.irissmarthome.com:443
authSvr : auth.irissmarthome.com:443
imgSvr1 : imgserver.irissmarthome.com:443
imgSvr2 : 
tstSvr1 : imgserver.irissmarthome.com:443
tstSvr2 : 
deployId : 2
built : 
ssh : off
macAddr : 00:1C:2B:02:81:55
ipAddr : 0.0.0.0 (auto)
spiKeys : good keys
In particular, note this one important change to duncanmcbryde's 'configure LinuxCmd' string (the console is on ttyAM0, instead of ttyAM1):

Code: Select all

configure linuxCmd console=ttyAM0,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2 init=/bin/sh rw

habile2
Posts: 5
Joined: Mon Aug 20, 2012 4:38 pm

Re: AlertMe Hub - Yes, it's Linux

Post by habile2 » Sat Oct 19, 2013 4:09 pm

tickett wrote:Damn, my AlertMe hub that came with my home energy pack doesn't have ssh(d). But I was able to patch into the console the way you described and change the root password.

Any clever ideas how I might get sshd running? It does have wget on- but i'm not sure if such a thing as a precompiled dropbear/sshd exists?
I'm not sure about 'clever' but the closest I could get was enabling telnet. For sshd I think you'd need a replacement BusyBox.

For telnet here's what worked for me:

- Added /usr/sbin/inetd to /etc/init.d/rc.network start()
- Created /etc/inetd.conf with a single line: telnet stream tcp nowait root /usr/sbin/telnetd telnetd

There is also a user 'default' with no password. So rather than change the root password I added another user with same UID/GID of 0/0 that I could 'su' to.

C.

duncanmcbryde
Posts: 3
Joined: Sat Jul 20, 2013 1:43 pm

Re: AlertMe Hub - Yes, it's Linux

Post by duncanmcbryde » Sun Nov 03, 2013 5:24 pm

Hi Guys,

I started playing around with the alertme hub, but then Real Life (TM) got in the way and I set it aside for quite a while without progress. I'm attempting to dump the memory with the alterme hub, and now I'm truly outside my comfort zone :) I'm using the "dump" command in the boot environment and I'm seeing a lot of empty memory. The output looks like

Code: Select all

HubBoot v1.01, processor ID 9231EF52
Cold reset
HubOS v0.71 Copyright (C) AlertMe.com 2007-09
>
Bad reset count : 0
Loading system from NAND in 5 seconds
[OS] Mains power now on
System Start aborted
>dump 0 ffffffffff

00000000 92 53 00 00 FF FF FF FF 03 00 00 00 00 00 00 00 .S..............
00000010 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 05 00 00 00 FE 5A FE 5A .............Z.Z
000000A0 44 41 47 4A 00 00 00 00 FF FF FF FF 40 00 00 00 DAGJ........@...
000000B0 40 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 @...............
000000C0 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................

<snip>
..
00000270 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
00000280 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
...

00000640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
And repeats between 00 and FF. I guess I'm only dumping a small section of the memory so far. I'm reading through the manual for the Cirrus Logic microcontroller and found this

From http://www.cirrus.com/en/pubs/manual/EP ... de_UM1.pdf
4.1.1.1 Memory Map
The normal Boot ROM base address base is 0x8009_0000. It will alias on 16 kbyte intervals.
When internal boot is active, the Boot ROM is double decoded and appears at its normal
address base and at address 0x0000_0000. At address 0x0000_0000 plus the current offset,
the Boot ROM can write the BootModeClr bit to remap itself back to 0x8009_0000 plus the current
offset. Execution then continues with the instruction at the next Boot ROM address in
0x8009_0000 space.
I can either attempt to spend the next few days attempting to dump all the memory, or I could attempt to dump from some specific memory locations. However I'm not quite sure how to specify the dump locations I'm going to have a bit more of a play. Perhaps someone can point me towards some firmware dumping guide?

Thanks, Duncan

duncanmcbryde
Posts: 3
Joined: Sat Jul 20, 2013 1:43 pm

Re: AlertMe Hub - Yes, it's Linux

Post by duncanmcbryde » Wed Nov 06, 2013 1:25 pm

Here's the (incomplete) output of the dump command in Bzip2 format. I left the dump command run for about 20 hours while recording the terminal and saving to a text file. The uncompressed text file is 622 MB, which is a bit large to post! I tried uploading a bzip compressed file to this board, but it crashed. XZ has the best compression on linux and should work on unix systems and 7-zip. This board does not allow .xz files to be posted, so I uploaded it to dropbox.

https://dl.dropboxusercontent.com/u/4161065/dump.hex.xz

Here's MD5sum for file integrity

Code: Select all

e35e946ed337d5981c415dbccff670b6  dump.hex
dea9bfae277441a1a8442cafb57dc338  dump.hex.xz

hsmade
Posts: 1
Joined: Sat Feb 01, 2014 2:54 pm

Re: AlertMe Hub - Yes, it's Linux

Post by hsmade » Sat Feb 01, 2014 2:56 pm

Just activated the console on my nano x5. To get ssh running, just type:
config spiflash.ssh 1
/etc/init,d/rc.sshd start

Post Reply