AlertMe Hub - Yes, it's Linux

Extending the system, interesting uses and API twiddling.
sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Wed Nov 14, 2012 7:34 pm

Update #2: slightly more progress.. but only slightly... it turns out that the 'hubapp' program, actually has a cli to it, so i can interact with it a bit.. here's the listing of 'help' from it:

Code: Select all

PicOS v0.19
    boot Boots main application
    configure default|<variable> <val> - Resets all vars to factory defaults, or sets <variable> to <val>
    date Show current date/time
    debug [[<source>] on|off] - Shows all debugging sources, or enables/disables debugging from <source>
    dump <start address> [<end address>] - Dump specified area of memory
    hash <start address> <end address> - Hash specified area of memory
    help [<cmd>] - Show help about <cmd>, or a list of all commands
    info Displays info
    hubinfo Shows hub info, as used by PC app
    reset Resets processor
    show default|<variable> <val> - Resets all vars to factory defaults, or sets <variable> to <val>
    wait Stop booting application
    write <address> <hex value|quoted string> - Write byte value or string to address
    osevt <id> <data> - issue event
    timestamps <0|1> - enable log timestamps
    wdt wdt test
LedMod v0.1
    ledset <0xrr> <0xgg> <0xbb>
    lampcond <0xseq>
    lampstatus Show system LED status
    lamplist <0xseq>
UpgradeMod v0.1
    osupgrade osupgrade [<url>] [<filename>] - Fetches a PicOS image via TCP
    tcpstop tcpstop - Stops the current TCP transfer
    upgrade upgrade [<url>] [<filename>] - Fetches an application image via TCP
    getdevimage getdevimage [<type>] [<rev>] - Fetches a device image via TCP
PowerMod v0.1
    power Get power status
Testmod
    test Run self test
UPnPMod v0.1
    upnp 
Hub Application v3.3r8
    appshutdown Shutdown hub application
    unauthorise Unauthorise hub
    clrhnf Clear HNF
    devlist List devices
    plj Permit local joining, 0=only join@ZR, 1=join@ZCO/ZR
    bclr Broadcast clear HNF
    shows Show/Change debug sources, [SOURCE LOG/PRINT Yes/No]
    signal TEST: Device signals
    telem TEST: Dump telemetry table
    zctop TEST: Dump zigbee topology
    updev updev [<device EUI64>] - Queue a device upgrade
    chchn chchn [<target>] - Change zigbee channel to target.
    thermostat thermostat <device> <off|heat|cool|auto> [<setpoint> [<setpoint>]] - Thermostat Cluster Operations
    zw_debug zw_debug <0/1> - Enable ZWASL debug
    zw_basic_get zw_basic_get <node> - Basic Get command
    zw_battery zw_battery <node> - Battery Get command
    zw_config_get zw_config_get <node> <parameter> - Configuration Get parameter
    doorlock doorlock <device> <lock|unlock|duration> - Door Lock Operations
    usercode usercode <device> <slot> <status> [<code>] - User Code Operations
    vacation vacation <device> <0|1> - Vacation Operations
and here's an example from the 'devlist' command:

Code: Select all

*********************Zigbee Controller Devices**************************  
                                                       L  T                P    
                                                       s  o  P             r    
                                       P               i  p  r             o    
I  S  D                                a               g  o  e  A  p    R  t    
n  t  e                                r    T  T  V    n     s  n  o    e  o    
d  a  v         Z                 N    N    y  e  o    L  L  e  n  w    l  c    
e  t  I    H    I                 w    w    p  m  l    Q  Q  n  c  e    a  o    
x  e  D    W    D                 k    k    e  p  t    I  I  t  e  r    y  l    
|  |  |    |    |                 |    |    |  |  |    |  |  |  |  |    |  |    
+--+--+----+----+-----------------+----+----+--+--+----+--+--+--+--+----+--+----
|00|12|0001|0235|000D6F000237AEF4|8C20|0000|07|00|324A|FF|FF|01|01|0000|00|AM  

*****************************Virtual Devices****************************
                                                              P           
                                      P                       r           
I  S  D                               a                       e  A  p    R
n  t  e                               r    T    T  V       H  s  n  o    e
d  a  v         Z                N    N    y    e  o    L  o  e  n  w    l
e  t  I    H    I                w    w    p    m  l    Q  p  n  c  e    a
x  e  D    W    D                k    k    e    p  t    I  s  t  e  r    y
|  |  |    |    |                |    |    |    |  |    |  |  |  |  |    |
+--+--+----+----+----------------+----+----+----+--+----+--+--+--+--+----+--
*****************ZWave Controller Devices*******************
I  D
n  e                     N  T    T    V    
d  v    Z                o  y    e    o    
e  I    i                d  p    m    l    
x  D    d                e  e    p    t    
|  |    |                |  |    |    |    
+--+---------------------+--+----+----+----
********************************Cameras*****************************
 # |  id  |       mac address       |     ip addr     | state | info
0 | 0000 | 00:00:00:0e:8f:92:78:e2 |   192.168.1.112 |   26  | present
 1 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 2 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 3 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 4 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 5 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 6 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 7 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 8 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 9 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 

sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Thu Nov 15, 2012 6:26 am

It would appear, they use passphraseless private keys on the hub for the camera, etc.. That makes my job a lot easier all the sudden.

sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Sun Nov 18, 2012 12:06 am

I've also now managed to get a console on the RC8221 camera that Lowe's is using as well. I'm trying to sort out how to get a shell though.

wpiman
Posts: 9
Joined: Mon Sep 10, 2012 5:59 pm

Re: AlertMe Hub - Yes, it's Linux

Post by wpiman » Tue Nov 20, 2012 3:29 am

Nice progress. What I am really hoping to figure out is how the Zigbee Sensors pair up with the device, and then use that knowledge to get them to pair up with a cheap USB Zigbee stick-- like what I got from Telegesis. Then I can pair the sensors to my PC directly and bypass the hub-- or possibly use the hub as a interface for Zigbee over the serial bus.

I don't have a camera-- do you have any sensors?

sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Tue Nov 20, 2012 10:08 pm

Just the smartplug (so it's zigbee)..

duncanmcbryde
Posts: 3
Joined: Sat Jul 20, 2013 1:43 pm

Re: AlertMe Hub - Yes, it's Linux

Post by duncanmcbryde » Tue Jul 23, 2013 1:14 am

Hi guys, I'm playing around with the Alertme nanohub. I thought I'd share with the community a bit on how to get to the linux command prompt, as I was struggling to follow Sorphin's steps to get to the command line. Perhaps someone will find the steps handy

I struggled finding which pin numbers were what. It turns out pin 1 is the square pin! As stated before:
  • Pin 4: Ground
    Pin 3: Rx
    Pin 2: Tx
    Pin 1: Unknown?
I used a 3.3V FTDI cable with the screen command to get an interactive terminal with many lines of history.

Code: Select all

screen /dev/tty.usbserial-A400hAWk 115200,-parenb,-cstopb,cs8 -h 10000
As the device is booting, type "wait" to get into the pre-boot environment. Here's the available help documentation for the listed commands:

Code: Select all

debug [[<source>] on|off] - Shows all debugging sources, or enables/disables debugging from <source>
dump <start>[ <end>] - Displays memory between <start> and <end>gcw
halt Deprecated - please use 'wait'
help [<cmd>] - Show help about <cmd>, or a list of all commands
info <immutable>|all - Displays <immutable> or all immutables
bootApp Loads (and runs) app from flash
linux Deprecated - please use 'bootApp'
reset [em260] Resets EP9302 by default, or EM260 if specified
show [<variable>|all] - Displays <variable> or all variables
upgrade Upgrade SPI flash
wait Stop booting application
write <addr> <val>|<string> - Writes <val> or <string> to <addr>, in hex
arp <ipaddress> - Do an ARP for <ipaddress>
dhcp Request an IP address via DHCP
tftp Loads (and executes) filename given by earlier DHCP
ethStatus Displays stats
ping (Remote command for testing)
test board|cased
casetest Start self test mode
ramtest <quick|comprehensive>
selfTest Same as casetest
nandtest [page_address]
temperature Show current onboard temperature
rgb <r> <g> <b> in hex, 00-7F
modemCmd <ATcommand> - Send <ATCommand> to modem.  Any result is printed directly
modemPower [modem] - Turns modem off and then on again
modemPulse Sends power pulse to modem to turn it on or off
modemPresent Reads back CGPIO0 to see if modem is attached & powered
sendSms <phone no> <message> - Sends <message> to <phone no> as a txt
showSms <memoryType> <index> - Shows message using <memoryType> and <index>
simPresent Reads FGPIO3 to see if SIM is inserted
tcpget tcpget [<url>] - Fetches an upgrade image via TCP
tcpstop tcpstop - Stops the current TCP transfer
zCal Calibrate all radio channels
zTest Ping golden node
zToken <MfgTokenId> - Display value of token from EM260
zPing [<dbm>] - Ping Comms Node
burst <chan> <spaceS> [<markMs>] - simulate ZigBee traffic
stream <channel> <dBm> - Turns streaming on, using channel and power (in dBm)
tone <channel> <dBm> - Turns toning on, using channel and power (in dBm)
receive <channel>

I noted the output of configure, in case it may be useful to me or someone else

Code: Select all

hubOsCmd : linux
linuxCmd : console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
appSvr1 : hubsrv1.ash.uk.alertme.com:443
appSvr2 : hubsrv1.ash.uk.alertme.com:443
imgSvr1 : imgsrv1.ash.uk.alertme.com:443
imgSvr2 : imgsrv2.ash.uk.alertme.com:443
tstSvr1 : imgsrv1.ash.uk.alertme.com:443
tstSvr2 : imgsrv2.ash.uk.alertme.com:443
deployId : 1
built : 2011/05/20-17:02:03_by_00@InTech_for_AlertMe.com
macAddr : 00:1C:2B:01:D2:8D
ipAddr : 0.0.0.0 (auto)
SIMICCID : 
APN : 
spiKeys : good keys
Use "configure" to boot into a shell without requiring the password

Code: Select all

configure linuxCmd console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2 init=/bin/sh rw
Boot into linux with the linux command, and you should find yourself sitting at a busybox shell

Code: Select all

Loading linux...
MD5 checksum passed
Operator key passed
Loading ramdisk...

<Snip>

BusyBox v1.4.1 (2011-05-31 17:52:47 BST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/sh: can't access tty; job control turned off
/ $
From this point you can use passwd to change the root password to your choosing. When this is done reboot and log in with root and your new password.

Code: Select all

Loading linux...
MD5 checksum passed
Operator key passed
Loading ramdisk...

<Snip>

Welcome to AlertMe Linux.

uclibc login: root
<password>
It seems that the alertme hub uses python and Twistd to manage communication. Files of note include:

Code: Select all

/etc/alertme/hub/hub.conf
/etc/alertme/hub/config-comms.xml
/usr/lib/python2.4/site-packages/alertme/
/usr/bin/alertme
I think that's as far as I got with poking around. I'd like to see if I can replicate Sorphin's access to the Hubbapp program, I can't seem to find it. Next stage is to get SSH up and running and to see if I can get the default password. I'm planning to intercept traffic between the hub and the internet to see what's being sent. Ideally what I'd like to do is be able to scrape the power usage from the zigbee power meter.

User avatar
roobarb!
Site Admin
Posts: 219
Joined: Mon Nov 21, 2011 4:56 pm
Location: Manchester, UK
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by roobarb! » Fri Jul 26, 2013 10:24 am

Blimey, good work! It would be lovely to get the sensor values locally rather than having to go via the web API, so please let us know how it goes!
Alerty - control your AlertMe system with my third-party app for iPhone and iPod Touch. Available on iTunes!

sorphin
Posts: 7
Joined: Sun Nov 11, 2012 6:29 am

Re: AlertMe Hub - Yes, it's Linux

Post by sorphin » Wed Sep 04, 2013 8:40 am

duncanmcbryde wrote:Hi guys, I'm playing around with the Alertme nanohub. I thought I'd share with the community a bit on how to get to the linux command prompt, as I was struggling to follow Sorphin's steps to get to the command line.
<snip>
I think that's as far as I got with poking around. I'd like to see if I can replicate Sorphin's access to the Hubbapp program, I can't seem to find it. Next stage is to get SSH up and running and to see if I can get the default password. I'm planning to intercept traffic between the hub and the internet to see what's being sent. Ideally what I'd like to do is be able to scrape the power usage from the zigbee power meter.
My steps would be slightly different than yours since you're using an Alertme nanohub and I was using a Lowe's (AlertMe) IRIS hub.. it was a bit different.. and it doesn't have the same OS layout, different sw, etc.. The traffic to the 'servers' is SSL encrypted.. that's where I got nailed... Man in the Middle attack without being able to replace the certs is a real pain in the arse... I took all my stuff back because i was having too many issues compared to what it was worth with it being so tired into the "IRIS" service, tbh.

tickett
Posts: 1
Joined: Tue Sep 10, 2013 9:15 pm

Re: AlertMe Hub - Yes, it's Linux

Post by tickett » Thu Sep 19, 2013 9:13 am

Damn, my AlertMe hub that came with my home energy pack doesn't have ssh(d). But I was able to patch into the console the way you described and change the root password.

Any clever ideas how I might get sshd running? It does have wget on- but i'm not sure if such a thing as a precompiled dropbear/sshd exists?

User avatar
roobarb!
Site Admin
Posts: 219
Joined: Mon Nov 21, 2011 4:56 pm
Location: Manchester, UK
Contact:

Re: AlertMe Hub - Yes, it's Linux

Post by roobarb! » Mon Sep 23, 2013 9:45 am

tickett wrote:Any clever ideas how I might get sshd running? It does have wget on- but i'm not sure if such a thing as a precompiled dropbear/sshd exists?
No idea, I'm afraid - I've not tried anything other than chatting to the device over the TTY / DEBUG port.

I know it goes without saying, but I'll say it anyway… bye, bye warranty / support / etc, etc…
Alerty - control your AlertMe system with my third-party app for iPhone and iPod Touch. Available on iTunes!

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests