Re: AlertMe Hub - Yes, it's Linux

Posted: Wed Nov 14, 2012 7:34 pm
by sorphin
Update #2: slightly more progress, but only slightly. It turns out that the 'hubapp' program actually has a CLI, so I can interact with it a bit. Here's the listing of 'help' from it:

Code:

PicOS v0.19
    boot Boots main application
    configure default|<variable> <val> - Resets all vars to factory defaults, or sets <variable> to <val>
    date Show current date/time
    debug [[<source>] on|off] - Shows all debugging sources, or enables/disables debugging from <source>
    dump <start address> [<end address>] - Dump specified area of memory
    hash <start address> <end address> - Hash specified area of memory
    help [<cmd>] - Show help about <cmd>, or a list of all commands
    info Displays info
    hubinfo Shows hub info, as used by PC app
    reset Resets processor
    show default|<variable> <val> - Resets all vars to factory defaults, or sets <variable> to <val>
    wait Stop booting application
    write <address> <hex value|quoted string> - Write byte value or string to address
    osevt <id> <data> - issue event
    timestamps <0|1> - enable log timestamps
    wdt wdt test
LedMod v0.1
    ledset <0xrr> <0xgg> <0xbb>
    lampcond <0xseq>
    lampstatus Show system LED status
    lamplist <0xseq>
UpgradeMod v0.1
    osupgrade osupgrade [<url>] [<filename>] - Fetches a PicOS image via TCP
    tcpstop tcpstop - Stops the current TCP transfer
    upgrade upgrade [<url>] [<filename>] - Fetches an application image via TCP
    getdevimage getdevimage [<type>] [<rev>] - Fetches a device image via TCP
PowerMod v0.1
    power Get power status
Testmod
    test Run self test
UPnPMod v0.1
    upnp 
Hub Application v3.3r8
    appshutdown Shutdown hub application
    unauthorise Unauthorise hub
    clrhnf Clear HNF
    devlist List devices
    plj Permit local joining, 0=only join@ZR, 1=join@ZCO/ZR
    bclr Broadcast clear HNF
    shows Show/Change debug sources, [SOURCE LOG/PRINT Yes/No]
    signal TEST: Device signals
    telem TEST: Dump telemetry table
    zctop TEST: Dump zigbee topology
    updev updev [<device EUI64>] - Queue a device upgrade
    chchn chchn [<target>] - Change zigbee channel to target.
    thermostat thermostat <device> <off|heat|cool|auto> [<setpoint> [<setpoint>]] - Thermostat Cluster Operations
    zw_debug zw_debug <0/1> - Enable ZWASL debug
    zw_basic_get zw_basic_get <node> - Basic Get command
    zw_battery zw_battery <node> - Battery Get command
    zw_config_get zw_config_get <node> <parameter> - Configuration Get parameter
    doorlock doorlock <device> <lock|unlock|duration> - Door Lock Operations
    usercode usercode <device> <slot> <status> [<code>] - User Code Operations
    vacation vacation <device> <0|1> - Vacation Operations
and here's an example from the 'devlist' command:

Code:

*********************Zigbee Controller Devices**************************  
                                                       L  T                P    
                                                       s  o  P             r    
                                       P               i  p  r             o    
I  S  D                                a               g  o  e  A  p    R  t    
n  t  e                                r    T  T  V    n     s  n  o    e  o    
d  a  v         Z                 N    N    y  e  o    L  L  e  n  w    l  c    
e  t  I    H    I                 w    w    p  m  l    Q  Q  n  c  e    a  o    
x  e  D    W    D                 k    k    e  p  t    I  I  t  e  r    y  l    
|  |  |    |    |                 |    |    |  |  |    |  |  |  |  |    |  |    
+--+--+----+----+-----------------+----+----+--+--+----+--+--+--+--+----+--+----
|00|12|0001|0235|000D6F000237AEF4|8C20|0000|07|00|324A|FF|FF|01|01|0000|00|AM  

*****************************Virtual Devices****************************
                                                              P           
                                      P                       r           
I  S  D                               a                       e  A  p    R
n  t  e                               r    T    T  V       H  s  n  o    e
d  a  v         Z                N    N    y    e  o    L  o  e  n  w    l
e  t  I    H    I                w    w    p    m  l    Q  p  n  c  e    a
x  e  D    W    D                k    k    e    p  t    I  s  t  e  r    y
|  |  |    |    |                |    |    |    |  |    |  |  |  |  |    |
+--+--+----+----+----------------+----+----+----+--+----+--+--+--+--+----+--
*****************ZWave Controller Devices*******************
I  D
n  e                     N  T    T    V    
d  v    Z                o  y    e    o    
e  I    i                d  p    m    l    
x  D    d                e  e    p    t    
|  |    |                |  |    |    |    
+--+---------------------+--+----+----+----
********************************Cameras*****************************
 # |  id  |       mac address       |     ip addr     | state | info
0 | 0000 | 00:00:00:0e:8f:92:78:e2 |   192.168.1.112 |   26  | present
 1 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 2 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 3 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 4 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 5 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 6 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 7 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 8 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 
 9 | ffff | 00:00:00:00:00:00:00:00 |         0.0.0.0 |    0  | 

Re: AlertMe Hub - Yes, it's Linux

Posted: Thu Nov 15, 2012 6:26 am
by sorphin
It would appear they use passphraseless private keys on the hub for the camera, etc. That makes my job a lot easier all of a sudden.

Re: AlertMe Hub - Yes, it's Linux

Posted: Sun Nov 18, 2012 12:06 am
by sorphin
I've also now managed to get a console on the RC8221 camera that Lowe's is using as well. I'm trying to sort out how to get a shell though.

Re: AlertMe Hub - Yes, it's Linux

Posted: Tue Nov 20, 2012 3:29 am
by wpiman
Nice progress. What I am really hoping to figure out is how the Zigbee sensors pair up with the device, and then use that knowledge to get them to pair up with a cheap USB Zigbee stick, like what I got from Telegesis. Then I can pair the sensors to my PC directly and bypass the hub, or possibly use the hub as an interface for Zigbee over the serial bus.

I don't have a camera; do you have any sensors?

Re: AlertMe Hub - Yes, it's Linux

Posted: Tue Nov 20, 2012 10:08 pm
by sorphin
Just the smartplug (so it's zigbee)..

Re: AlertMe Hub - Yes, it's Linux

Posted: Tue Jul 23, 2013 1:14 am
by duncanmcbryde
Hi guys, I'm playing around with the Alertme nanohub. I thought I'd share with the community a bit on how to get to the Linux command prompt, as I was struggling to follow Sorphin's steps to get to the command line. Perhaps someone will find the steps handy.

I struggled finding which pin numbers were what. It turns out pin 1 is the square pin! As stated before:
  • Pin 4: Ground
  • Pin 3: Rx
  • Pin 2: Tx
  • Pin 1: Unknown?
I used a 3.3V FTDI cable with the screen command to get an interactive terminal with many lines of history.

Code:

screen /dev/tty.usbserial-A400hAWk 115200,-parenb,-cstopb,cs8 -h 10000
As the device is booting, type "wait" to get into the pre-boot environment. Here's the available help documentation for the listed commands:

Code:

debug [[<source>] on|off] - Shows all debugging sources, or enables/disables debugging from <source>
dump <start>[ <end>] - Displays memory between <start> and <end>gcw
halt Deprecated - please use 'wait'
help [<cmd>] - Show help about <cmd>, or a list of all commands
info <immutable>|all - Displays <immutable> or all immutables
bootApp Loads (and runs) app from flash
linux Deprecated - please use 'bootApp'
reset [em260] Resets EP9302 by default, or EM260 if specified
show [<variable>|all] - Displays <variable> or all variables
upgrade Upgrade SPI flash
wait Stop booting application
write <addr> <val>|<string> - Writes <val> or <string> to <addr>, in hex
arp <ipaddress> - Do an ARP for <ipaddress>
dhcp Request an IP address via DHCP
tftp Loads (and executes) filename given by earlier DHCP
ethStatus Displays stats
ping (Remote command for testing)
test board|cased
casetest Start self test mode
ramtest <quick|comprehensive>
selfTest Same as casetest
nandtest [page_address]
temperature Show current onboard temperature
rgb <r> <g> <b> in hex, 00-7F
modemCmd <ATcommand> - Send <ATCommand> to modem.  Any result is printed directly
modemPower [modem] - Turns modem off and then on again
modemPulse Sends power pulse to modem to turn it on or off
modemPresent Reads back CGPIO0 to see if modem is attached & powered
sendSms <phone no> <message> - Sends <message> to <phone no> as a txt
showSms <memoryType> <index> - Shows message using <memoryType> and <index>
simPresent Reads FGPIO3 to see if SIM is inserted
tcpget tcpget [<url>] - Fetches an upgrade image via TCP
tcpstop tcpstop - Stops the current TCP transfer
zCal Calibrate all radio channels
zTest Ping golden node
zToken <MfgTokenId> - Display value of token from EM260
zPing [<dbm>] - Ping Comms Node
burst <chan> <spaceS> [<markMs>] - simulate ZigBee traffic
stream <channel> <dBm> - Turns streaming on, using channel and power (in dBm)
tone <channel> <dBm> - Turns toning on, using channel and power (in dBm)
receive <channel>

I noted the output of configure, in case it may be useful to me or someone else.

Code:

hubOsCmd : linux
linuxCmd : console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
appSvr1 : hubsrv1.ash.uk.alertme.com:443
appSvr2 : hubsrv1.ash.uk.alertme.com:443
imgSvr1 : imgsrv1.ash.uk.alertme.com:443
imgSvr2 : imgsrv2.ash.uk.alertme.com:443
tstSvr1 : imgsrv1.ash.uk.alertme.com:443
tstSvr2 : imgsrv2.ash.uk.alertme.com:443
deployId : 1
built : 2011/05/20-17:02:03_by_00@InTech_for_AlertMe.com
macAddr : 00:1C:2B:01:D2:8D
ipAddr : 0.0.0.0 (auto)
SIMICCID : 
APN : 
spiKeys : good keys
Use "configure" to boot into a shell without requiring the password

Code:

configure linuxCmd console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2 init=/bin/sh rw
Boot into Linux with the linux command, and you should find yourself sitting at a BusyBox shell.

Code:

Loading linux...
MD5 checksum passed
Operator key passed
Loading ramdisk...

<Snip>

BusyBox v1.4.1 (2011-05-31 17:52:47 BST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/sh: can't access tty; job control turned off
/ $
From this point you can use passwd to change the root password to one of your choosing. When this is done, reboot and log in with root and your new password.

Code:

Loading linux...
MD5 checksum passed
Operator key passed
Loading ramdisk...

<Snip>

Welcome to AlertMe Linux.

uclibc login: root
<password>
It seems that the AlertMe hub uses Python and Twistd to manage communication. Files of note include:

Code:

/etc/alertme/hub/hub.conf
/etc/alertme/hub/config-comms.xml
/usr/lib/python2.4/site-packages/alertme/
/usr/bin/alertme
I think that's as far as I got with poking around. I'd like to see if I can replicate Sorphin's access to the hubapp program; I can't seem to find it. Next stage is to get SSH up and running and to see if I can get the default password. I'm planning to intercept traffic between the hub and the internet to see what's being sent. Ideally, what I'd like to do is be able to scrape the power usage from the Zigbee power meter.

Re: AlertMe Hub - Yes, it's Linux

Posted: Fri Jul 26, 2013 10:24 am
by roobarb!
Blimey, good work! It would be lovely to get the sensor values locally rather than having to go via the web API, so please let us know how it goes!

Re: AlertMe Hub - Yes, it's Linux

Posted: Wed Sep 04, 2013 8:40 am
by sorphin
duncanmcbryde wrote: Hi guys, I'm playing around with the Alertme nanohub. I thought I'd share with the community a bit on how to get to the Linux command prompt, as I was struggling to follow Sorphin's steps to get to the command line.
<snip>
I think that's as far as I got with poking around. I'd like to see if I can replicate Sorphin's access to the hubapp program; I can't seem to find it. Next stage is to get SSH up and running and to see if I can get the default password. I'm planning to intercept traffic between the hub and the internet to see what's being sent. Ideally, what I'd like to do is be able to scrape the power usage from the Zigbee power meter.
My steps would be slightly different than yours, since you're using an AlertMe nanohub and I was using a Lowe's (AlertMe) IRIS hub. It was a bit different, and it doesn't have the same OS layout, different sw, etc. The traffic to the 'servers' is SSL encrypted; that's where I got nailed. A man-in-the-middle attack without being able to replace the certs is a real pain in the arse. I took all my stuff back because I was having too many issues compared to what it was worth, with it being so tied into the "IRIS" service, tbh.

Re: AlertMe Hub - Yes, it's Linux

Posted: Thu Sep 19, 2013 9:13 am
by tickett
Damn, my AlertMe hub that came with my home energy pack doesn't have ssh(d). But I was able to patch into the console the way you described and change the root password.

Any clever ideas how I might get sshd running? It does have wget on, but I'm not sure if such a thing as a precompiled dropbear/sshd exists?

Re: AlertMe Hub - Yes, it's Linux

Posted: Mon Sep 23, 2013 9:45 am
by roobarb!
tickett wrote: Any clever ideas how I might get sshd running? It does have wget on, but I'm not sure if such a thing as a precompiled dropbear/sshd exists?
No idea, I'm afraid - I've not tried anything other than chatting to the device over the TTY / DEBUG port.

I know it goes without saying, but I'll say it anyway… bye, bye warranty / support / etc, etc…

Re: AlertMe Hub - Yes, it's Linux

Posted: Mon Oct 07, 2013 7:13 pm
by tfm55x
duncanmcbryde wrote: Hi guys, I'm playing around with the Alertme nanohub. I thought I'd share with the community a bit on how to get to the Linux command prompt, as I was struggling to follow Sorphin's steps to get to the command line. Perhaps someone will find the steps handy.
.
.
<snip>
.
.


I noted the output of configure, in case it may be useful to me or someone else.

Code:

hubOsCmd : linux
linuxCmd : console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
appSvr1 : hubsrv1.ash.uk.alertme.com:443
appSvr2 : hubsrv1.ash.uk.alertme.com:443
imgSvr1 : imgsrv1.ash.uk.alertme.com:443
imgSvr2 : imgsrv2.ash.uk.alertme.com:443
tstSvr1 : imgsrv1.ash.uk.alertme.com:443
tstSvr2 : imgsrv2.ash.uk.alertme.com:443
deployId : 1
built : 2011/05/20-17:02:03_by_00@InTech_for_AlertMe.com
macAddr : 00:1C:2B:01:D2:8D
ipAddr : 0.0.0.0 (auto)
SIMICCID : 
APN : 
spiKeys : good keys
Use "configure" to boot into a shell without requiring the password

Code:

configure linuxCmd console=ttyAM1,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2 init=/bin/sh rw
Boot into Linux with the linux command, and you should find yourself sitting at a BusyBox shell.

Code:

Loading linux...
MD5 checksum passed
Operator key passed
Loading ramdisk...

<Snip>

BusyBox v1.4.1 (2011-05-31 17:52:47 BST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/sh: can't access tty; job control turned off
/ $
If you are using the Lowe's Iris hub, take note of the following default settings (via configure cmd):

Code:

hubOsCmd : linux
linuxCmd : console=ttyAM0,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2
appSvr1 : hubserver.irissmarthome.com:443
authSvr : auth.irissmarthome.com:443
imgSvr1 : imgserver.irissmarthome.com:443
imgSvr2 : 
tstSvr1 : imgserver.irissmarthome.com:443
tstSvr2 : 
deployId : 2
built : 
ssh : off
macAddr : 00:1C:2B:02:81:55
ipAddr : 0.0.0.0 (auto)
spiKeys : good keys
In particular, note this one important change to duncanmcbryde's 'configure LinuxCmd' string (the console is on ttyAM0, instead of ttyAM1):

Code:

configure linuxCmd console=ttyAM0,115200 root=/dev/mtdblock3 rootfstype=yaffs2,ext2 init=/bin/sh rw

Re: AlertMe Hub - Yes, it's Linux

Posted: Sat Oct 19, 2013 4:09 pm
by habile2
tickett wrote: Damn, my AlertMe hub that came with my home energy pack doesn't have ssh(d). But I was able to patch into the console the way you described and change the root password.

Any clever ideas how I might get sshd running? It does have wget on, but I'm not sure if such a thing as a precompiled dropbear/sshd exists?
I'm not sure about 'clever' but the closest I could get was enabling telnet. For sshd I think you'd need a replacement BusyBox.

For telnet here's what worked for me:

- Added /usr/sbin/inetd to /etc/init.d/rc.network start()
- Created /etc/inetd.conf with a single line: telnet stream tcp nowait root /usr/sbin/telnetd telnetd

There is also a user 'default' with no password. So rather than change the root password, I added another user with the same UID/GID of 0/0 that I could 'su' to.

C.

Re: AlertMe Hub - Yes, it's Linux

Posted: Sun Nov 03, 2013 5:24 pm
by duncanmcbryde
Hi Guys,

I started playing around with the alertme hub, but then Real Life (TM) got in the way and I set it aside for quite a while without progress. I'm attempting to dump the memory with the alertme hub, and now I'm truly outside my comfort zone :) I'm using the "dump" command in the boot environment and I'm seeing a lot of empty memory. The output looks like:

Code:

HubBoot v1.01, processor ID 9231EF52
Cold reset
HubOS v0.71 Copyright (C) AlertMe.com 2007-09
>
Bad reset count : 0
Loading system from NAND in 5 seconds
[OS] Mains power now on
System Start aborted
>dump 0 ffffffffff

00000000 92 53 00 00 FF FF FF FF 03 00 00 00 00 00 00 00 .S..............
00000010 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 05 00 00 00 FE 5A FE 5A .............Z.Z
000000A0 44 41 47 4A 00 00 00 00 FF FF FF FF 40 00 00 00 DAGJ........@...
000000B0 40 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 @...............
000000C0 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................

<snip>
..
00000270 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
00000280 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
...

00000640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
And it repeats between 00 and FF. I guess I'm only dumping a small section of the memory so far. I'm reading through the manual for the Cirrus Logic microcontroller and found this:

From http://www.cirrus.com/en/pubs/manual/EP ... de_UM1.pdf
4.1.1.1 Memory Map
The normal Boot ROM base address base is 0x8009_0000. It will alias on 16 kbyte intervals.
When internal boot is active, the Boot ROM is double decoded and appears at its normal
address base and at address 0x0000_0000. At address 0x0000_0000 plus the current offset,
the Boot ROM can write the BootModeClr bit to remap itself back to 0x8009_0000 plus the current
offset. Execution then continues with the instruction at the next Boot ROM address in
0x8009_0000 space.
I can either attempt to spend the next few days attempting to dump all the memory, or I could attempt to dump from some specific memory locations. However, I'm not quite sure how to specify the dump locations; I'm going to have a bit more of a play. Perhaps someone can point me towards some firmware dumping guide?

Thanks, Duncan
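An added helper, written for this thread and not part of any post in it, for working with captures like the one above. It parses the HubBoot dump line format, checks each line's ASCII column against its hex bytes so that a mangled terminal capture is noticed rather than silently trusted, and reports which address ranges are blank (all 0x00), erased (all 0xFF), real data, or missing from the capture. The sample dump below is constructed, not the real one.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the HubBoot "dump" line format seen in the thread
# ("<addr8> <16 hex bytes> <16-char ASCII column>"); not a real capture.
# The 00000030 line has a deliberately corrupted ASCII column.
SAMPLE_DUMP = """\
>dump 0 ffffffffff

00000000 92 53 00 00 FF FF FF FF 03 00 00 00 00 00 00 00 .S..............
00000010 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............X
000000A0 44 41 47 4A 00 00 00 00 FF FF FF FF 40 00 00 00 DAGJ........@...
00000270 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
00000280 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
<snip>
"""

# address, 16 space-separated hex pairs, optional 16-character ASCII column
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s){16})(.{16})?\s*$")


def render_ascii(data: bytes) -> str:
    """Render bytes the way the dump's ASCII column does: printable or '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def parse_dump(text: str) -> Tuple[Dict[int, bytes], List[int]]:
    """Return ({address: 16 bytes}, [addresses of corrupt lines]).
    Prompts, <snip> markers and blanks are skipped. A line whose ASCII column
    disagrees with its hex bytes is a damaged capture and is left out."""
    rows: Dict[int, bytes] = {}
    bad: List[int] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        col = m.group(3)
        if col is not None and col.rstrip() != render_ascii(data).rstrip():
            bad.append(addr)
            continue
        rows[addr] = data
    return rows, bad


def classify_regions(rows: Dict[int, bytes]) -> List[Tuple[int, int, str]]:
    """Merge consecutive rows into (start, end_exclusive, kind): 'zero' = all
    0x00, 'erased' = all 0xFF (unwritten flash), 'data', or 'gap' = not captured."""
    regions: List[Tuple[int, int, str]] = []
    prev_end = None
    for addr in sorted(rows):
        data = rows[addr]
        kind = "zero" if data == b"\x00" * 16 else "erased" if data == b"\xff" * 16 else "data"
        if prev_end is not None and addr != prev_end:
            regions.append((prev_end, addr, "gap"))
        if regions and regions[-1][2] == kind and regions[-1][1] == addr:
            regions[-1] = (regions[-1][0], addr + 16, kind)  # extend the current run
        else:
            regions.append((addr, addr + 16, kind))
        prev_end = addr + 16
    return regions
```

Feed a full capture to parse_dump and print classify_regions to see at a glance which ranges are worth a second, targeted dump and which are just unwritten flash.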

Re: AlertMe Hub - Yes, it's Linux

Posted: Wed Nov 06, 2013 1:25 pm
by duncanmcbryde
Here's the (incomplete) output of the dump command in Bzip2 format. I left the dump command run for about 20 hours while recording the terminal and saving to a text file. The uncompressed text file is 622 MB, which is a bit large to post! I tried uploading a bzip compressed file to this board, but it crashed. XZ has the best compression on linux and should work on unix systems and 7-zip. This board does not allow .xz files to be posted, so I uploaded it to dropbox.

https://dl.dropboxusercontent.com/u/4161065/dump.hex.xz

Here's the MD5sum for file integrity:

Code:

e35e946ed337d5981c415dbccff670b6  dump.hex
dea9bfae277441a1a8442cafb57dc338  dump.hex.xz

Re: AlertMe Hub - Yes, it's Linux

Posted: Sat Feb 01, 2014 2:56 pm
by hsmade
Just activated the console on my nano x5. To get ssh running, just type:
config spiflash.ssh 1
/etc/init.d/rc.sshd start