<h1 id="dumping-tuya-firmware">Dumping Tuya firmware</h1> <p>Sat, 09 Apr 2022 14:24:10 +0200</p> <p>This story started on January 18th 2022.</p> <p>I was bored and decided to tear some cheap hardware apart to see if I could learn a new trick or two.</p> <p>It turned out that some good friends had been working on that exact same hardware for over a year, and before I knew it I was sharing my previously dumped firmware with them; in return they invited me to join their project.</p> <p>These are the Signal messages that started our collaborative journey.</p> <p>In order to contribute to this project from the hardware side, I started shopping for a few hundred euros&rsquo; worth of smart devices.</p> <p>On February 7th, 2022 at exactly 22:14 both <a href="" target="_blank">Khaled</a> and <a href="" target="_blank">Tom</a> tweeted this announcement simultaneously.</p> <p>While Khaled and Tom were working hard on the software side, I was collaborating with <a href="" target="_blank">Joseph</a> on the hardware side. We spent quite some time breaking the devices open. While most of them were plastic, some of them were <a href="" target="_blank">glass</a> ;-)</p> <p>After tearing them (violently) apart, we soldered wires to pin headers and made a breadboard setup.</p> <p>Look for the different &ldquo;SMART&rdquo; circuit boards inside the different devices.</p> <h1 id="cb3s">CB3S</h1> <h1 id="e303692">E303692</h1> <h1 id="skylc5">SKYLC5</h1> <h1 id="wb2s">WB2S</h1> <h1 id="wb3s">WB3S</h1> <h1 id="wblc3">WBLC3</h1> <h1 id="wblc5">WBLC5</h1> <p>On March 29th, 2022 the writeup of the <a href="" target="_blank">Exploit</a> was published.</p> <p>It allows patching without having to damage or open the devices (which we had to do for the ones already done). You can help others by dumping the firmware of your own device.</p> <p>I handed the remaining devices over to Tom, to clear some space in this crowded house for the next projects ;-)</p> <hr> <h1 id="i-will-perform-a-live-demonstration-to-show-the-actual-process-of-dumping-the-firmware-with-a-random-smart-bulb-that-was-given-to-me-recently">I will perform a &lsquo;live&rsquo; demonstration to show the actual process of dumping the firmware with a random smart bulb that was given to me recently.</h1> <hr> <p>In order to motivate their residents to become more sustainable, most municipalities offer free products from <a href="" target="_blank">WoonWijzerWinkel</a> as an incentive.</p> <p>One of the available products was a WOOX E14 SMART BULB (Full Colour+White).</p> <p>On their <a href="" target="_blank">website</a> it shows that they use Tuya.</p> <p>Let&rsquo;s see what is inside (the box).</p> <p>Now gently take off the cap (after checking that it is not glass).</p> <p>Now for more destructive work.</p> <p>When taking pictures with my microscope I use a high-power flashlight to make the identification markings on the chip more readable.</p> <p>When you follow the traces using the continuity check of a multimeter, this gives you the pinout.</p> <p>Next up, wire the tiny circuit board onto a breadboard.</p> <p>We need to look at the <a href="" target="_blank">FT2232HL Datasheet</a> in order to wire it to the FTDI.</p> <table> <thead> <tr> 
</tr> </thead> </table> <p>First check UART2 for console data:</p> <pre tabindex="0"><code>****SystemReset**** [01-01 18:12:16 TUYA Notice] :BK7231S_1.0.5 CPSR:000000D3 R0:00000028 R1:00001700 R2:00800130 R3:0000003B R4:00000001 R13:00402DB0 R14(LR):0004F896 ST:00000001 J 0x10000 prvHeapInit-start addr:0x41f1d8, size:134696 [01-01 18:12:15 TUYA Debug][uni_thread.c:215] Thread:sys_timer Exec Start. Set to Running Status [01-01 18:12:15 TUYA Err][online_log_serv.c:280] log stats ufread fail. [01-01 18:12:15 TUYA Debug][online_log_serv.c:540] log serv init success [01-01 18:12:15 TUYA Notice][light_system.c:1425] go to pre device! bk_rst:1 tuya_rst:4[01-01 18:12:15 TUYA Notice][light_system.c:1436] goto first bright up! bk_rst:1 tuya_rst:40xcb 0x4e 0x3e 0xa4 0x0 0x30 0x9d 0xab 0x65 0x6d 0x8d 0xbf 0xe4 0xb9 0x3f 0x35 [01-01 18:12:15 TUYA Notice][tuya_main.c:203] **********[oem_bk7231s_light_ty] [1.1.2] compiled at May 30 2020 16:23:50********** [rx_iq]rx_amp_err_rd: 0xfffffffd [rx_iq]rx_phase_err_rd: 0xfffffffd [rx_iq]rx_ty2_rd: 0x000 *********** finally result ********** gbias_after_cal: 0x15 gav_tssi: 0x1f gtx_q_dc_comp:0x1fc gtx_i_dc_comp:0x200 gtx_i_gain_comp:1023 gtx_q_gain_comp:1023 gtx_phase_comp:501 gtx_phase_ty2:512 gtx_ifilter_corner over: 0xa gtx_qfilter_corner over: 0xa gtx_dcorMod:0x8, gtx_dcorPA:0xa gtx_pre_gain:0x0 g_rx_dc_gain_tab 0 over: 0x80808080 g_rx_dc_gain_tab 1 over: 0x88788880 g_rx_dc_gain_tab 2 over: 0x92789078 g_rx_dc_gain_tab 3 over: 0xbc60ac68 g_rx_dc_gain_tab 4 over: 0xbe60bc60 g_rx_dc_gain_tab 5 over: 0xbc5fbe60 g_rx_dc_gain_tab 6 over: 0xbc5ebc5e g_rx_dc_gain_tab 7 over: 0xbc5dbc5f grx_amp_err_wr:0x201 grx_phase_err_wr:0x3ff ************************************** temp in flash is:276 lpf_i &amp; q in flash is:9, 9 xtal in flash is:32 -----pwr_gain:12, g_idx:12, shift_b:0, shift_g:0 -----[pwr_gain]12 Initializing TCP/IP stack [01-01 18:12:17 TUYA Notice][tuya_main.c:229] mf_init succ [01-01 18:12:17 TUYA Notice][tuya_ble_api.c:292] ble sdk 
inited device id key : 16 d4 1d 8c d9 8f 00 b2 04 e9 80 09 98 ec f8 42 7e !!!!!!!!!!tuya_bt_port_init [01-01 18:12:17 TUYA Notice][tuya_ble_api.c:328] ble sdk re_inited [01-01 18:12:17 TUYA Notice][tuya_bt_sdk.c:319] ty bt sdk init success finish [01-01 18:12:17 TUYA Notice][light_system.c:1484] &lt; TUYA IOT SDK V:2.0.0 BS:30.06_PT:2.2_LAN:3.3_CAD:1.0.2_CD:1.0.0 &gt; &lt; tuya_iot_lib BUILD AT:2018_12_05_17_03_30 BY tuya_iot_team AT 8710_2M &gt; IOT DEFS &lt; WIFI_GW:1 DEBUG:1 KV_FILE:0 SHUTDOWN_MODE:0 LITTL[01-01 18:12:17 TUYA Notice][light_system.c:1485] oem_bk7231s_light_ty:1.1.2 [01-01 18:12:17 TUYA Notice][device_config_load.c:310] device config data already load! Don&#39;t load again!! [01-01 18:12:17 TUYA Notice][light_set_color.c:94] Drive init already init ok [01-01 18:12:17 TUYA Notice][tuya_main.c:128] current product ssid name:tuya_mdev_test2 ht in scan scan_start_req_handler gapm_cmp_evt_handler operation = 0x1, status = 0x0 gapm_cmp_evt_handler operation = 0x3, status = 0x0 STACK INIT OK ble_env-&gt;start_hdl = 0x7gapm_cmp_evt_handler operation = 0x1b, status = 0x0 CREATE DB SUCCESS [01-01 18:12:17 TUYA Notice][tuya_ble_api.c:256] rev ble event 3 device id key : 16 d4 1d 8c d9 8f 00 b2 04 e9 80 09 98 ec f8 42 7e !!!!!!!!!!tuya_bt_reset_adv [01-01 18:12:17 TUYA Notice][tuya_ble_api.c:120] ble adv &amp;&amp; resp changed do td cur_t:303--last:idx:13,t:276 -- new:idx:15,t:300 --0xc:08, shift_b:0, shift_g:0, X:1 [01-01 18:12:19 TUYA Notice][gw_intf.c:3166] serial_no:10d56174f567 [01-01 18:12:19 TUYA Notice][gw_intf.c:3197] gw_cntl.gw_wsm.stat:0 [01-01 18:12:19 TUYA Notice][gw_intf.c:3200] gw_cntl.gw_wsm.nc_tp:1 [01-01 18:12:19 TUYA Notice][gw_intf.c:3201] [01-01 18:12:19 TUYA Notice][gw_intf.c:3238] gw_cntl.gw_if.abi:0 input:0 [01-01 18:12:19 TUYA Notice][gw_intf.c:3239] gw_cntl.gw_if.product_key:keytg5kq8gvkv9dh, input:keytg5kq8gvkv9dh [01-01 18:12:19 TUYA Notice][gw_intf.c:3240], input:0 [01-01 18:12:19 TUYA Notice][gw_intf.c:3242] 
gw_cntl.gw_if.firmware_key:keytg5kq8gvkv9dh, input:keytg5kq8gvkv9dh [01-01 18:12:19 TUYA Notice][tuya_bt_sdk.c:337] ty bt update product:keytg5kq8gvkv9dh 1 [01-01 18:12:19 TUYA Notice][tuya_ble_api.c:137] update product_id type:1 keytg5kq8gvkv9dh b765eb2d66ef4129 qW8PHxYi99JagWUI3c5dnRsovLgi4q5M [01-01 18:12:19 TUYA Notice][gw_intf.c:2981] start tmm long timer,cfg_lp_timeout:180000ms [01-01 18:12:19 TUYA Notice][light_system.c:1395] frame init ok! ht in scan scan_start_req_handler [01-01 18:12:20 TUYA Err][uf_flash_file_app.c:339] uf_get_size err,filepath:3,ret:13 [01-01 18:12:20 TUYA Err][uf_flash_file_app.c:339] uf_get_size err,filepath:5,ret:13 [01-01 18:12:20 TUYA Err][uf_flash_file_app.c:339] uf_get_size err,filepath:4,ret:13 [01-01 18:12:20 TUYA Notice][light_system.c:594] start ez config auto blink [01-01 18:12:20 TUYA Notice][bp1658cj.c:191] low power mode [01-01 18:12:21 TUYA Notice][bp1658cj.c:191] low power mode [01-01 18:12:21 TUYA Notice][bp1658cj.c:191] low power mode me_set_ps_disable:840 0 0 0 462557 952021 ------beacon_int_set:100 TU set_active param 0 [msg]APM_STOP_CFM update_ongoing_1_bcn_update mm-next-timer_null hal_machw_enter_monitor_mode [01-01 18:12:21 TUYA Notice][tuya_bt_sdk.c:345] ty bt start network cfg.. 
[01-01 18:12:21 TUYA Notice][tuya_ble_api.c:161] update bound state 0 device id key : 16 6b 51 d4 fd 36 e5 b3 aa 4b 3a 9a b5 df 6e 0b cc !!!!!!!!!!tuya_bt_reset_adv [01-01 18:12:21 TUYA Notice][tuya_ble_api.c:120] ble adv &amp;&amp; resp changed !!!!!!!!!!tuya_before_netcfg_cb appm start advertising [01-01 18:12:22 TUYA Notice][bp1658cj.c:191] low power mode do td cur_t:309--last:idx:15,t:300 -- new:idx:16,t:312 --0xc:08, shift_b:0, shift_g:0, X:0 [01-01 18:12:22 TUYA Notice][bp1658cj.c:191] low power mode [01-01 18:12:23 TUYA Notice][bp1658cj.c:191] low power mode [01-01 18:12:23 TUYA Notice][bp1658cj.c:191] low power mode </code></pre><p>Now dump the firmware:</p> <pre tabindex="0"><code>jilles@arch ~/tools/tuya_dumps$ ./ WOOX Connected! Chip info: BK7231S_1.0.5 Reading 4k page at 0X2000000 (0.00%) Reading 4k page at 0X2001000 (0.20%) Reading 4k page at 0X2002000 (0.39%) Reading 4k page at 0X2003000 (0.59%) | | | | | | | | Reading 4k page at 0X21FC000 (99.22%) Reading 4k page at 0X21FD000 (99.41%) Reading 4k page at 0X21FE000 (99.61%) Reading 4k page at 0X21FF000 (99.80%) RBL containers: 0x10f9a: bootloader - [encoding_algorithm=NONE, size=0xdd20] - extracted to WOOX/WOOX_bootloader_1.00.bin 0x129f0a: app - [encoding_algorithm=NONE, size=0xed5e0] - extracted to WOOX/WOOX_app_1.00.bin total 3056 -rw-r--r-- 1 jilles jilles 972256 Apr 5 23:47 WOOX_app_1.00.bin -rw-r--r-- 1 jilles jilles 56608 Apr 5 23:47 WOOX_bootloader_1.00.bin -rw-r--r-- 1 jilles jilles 2097152 Apr 5 23:47 WOOX.dump /**&lt; @author &lt;; */ /**&lt; @version v0.3.1 */ encrypt without crc successfully! -file size: 0xed5f0 /**&lt; @author &lt;; */ /**&lt; @version v0.3.1 */ encrypt without crc successfully! -file size: 0xdd30 total 4068 drwxr-xr-x 2 jilles jilles 157 Apr 5 23:47 . drwxr-xr-x 12 jilles jilles 4096 Apr 5 23:46 .. 
-rw-r--r-- 1 jilles jilles 972256 Apr 5 23:47 WOOX_app_1.00.bin -rw-r--r-- 1 jilles jilles 972272 Apr 5 23:47 WOOX_app_1.00_decrypted.bin -rw-r--r-- 1 jilles jilles 56608 Apr 5 23:47 WOOX_bootloader_1.00.bin -rw-r--r-- 1 jilles jilles 56624 Apr 5 23:47 WOOX_bootloader_1.00_decrypted.bin -rw-r--r-- 1 jilles jilles 2097152 Apr 5 23:47 WOOX.dump DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 52420 0xCCC4 CRC32 polynomial table, little endian 55687 0xD987 Copyright string: &#34;Copyright 1995-2005 Mark Adler &#34; DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 650644 0x9ED94 SHA256 hash constants, little endian 833328 0xCB730 AES Inverse S-Box 846811 0xCEBDB Copyright string: &#34;Copyright (c) 2003-2015, Jouni Malinen &lt;; and contributors&#34; 889100 0xD910C CRC32 polynomial table, little endian 895777 0xDAB21 Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_sdk/tuya_iot_wifi_api.c 900573 0xDBDDD Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/gw_intf.c 907326 0xDD83E Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/smart_frame.c 917611 0xE006B Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_base/kv_storge/flash/simple_flash_app.c 920463 0xE0B8F Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_base/sys_serv/uni_time_queue.c 923506 0xE1772 Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/adapter_platform.c 924457 0xE1B29 Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/system/uni_semaphore.c 924977 0xE1D31 Unix path: 
/home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/utilities/uni_time.c
925485        0xE1F2D         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/utilities/mem_pool.c
925898        0xE20CA         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/wifi_intf/wf_basic_intf.c
926044        0xE215C         CRC32 polynomial table, little endian
927068        0xE255C         CRC32 polynomial table, little endian
928156        0xE299C         Base64 standard index table
928486        0xE2AE6         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/bt_conn/tuya_ble_api.c
931060        0xE34F4         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/bt_conn/tuya_ble_mutli_tsf_protocol.c
933576        0xE3EC8         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_cfg_serv/ez_mc.c
938044        0xE503C         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/iot_httpc.c
943947        0xE674B         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/com_protocol.c
955024        0xE9290         SHA256 hash constants, little endian
955549        0xE949D         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_cfg_serv/wf_sniffer_intf.c
</code></pre><p>I created a small program to make my life easier:</p> <pre tabindex="0"><code>#!/bin/bash
# Dump, dissect and decrypt the flash of one BK7231-based device.
# Usage: &lt;foldername&gt;  (the dump and all extracted files land in that folder)
BKTOOLS=~/Git/bk7231tools/

if [ "$1" == "" ];then
  echo
  echo Syntax:
  echo "  &lt;foldername&gt;"
  echo
  exit
fi

if [ ! -d "$1" ];then
  mkdir "$1"
fi

# Dump Flash: 512 pages of 4k starting at 0x02000000, i.e. the whole 2 MiB
if [ ! -f "$1/$1.dump" ];then
  python ${BKTOOLS} read_flash "$1/$1.dump" -d /dev/ttyUSB0 --no-verify-checksum -s 02000000 -c 512 -b 921600
fi

if [ ! -f "$1/$1.dump" ];then
  echo Nothing dumped - exiting
  exit
fi

# Remove previously extracted files
for f in "$1"/*bin "$1"/*cpr "$1"/*out ;do
  rm -f "$f"
done

# Extract the RBL containers (bootloader, app) from the dump
python ${BKTOOLS} dissect_dump "$1/$1.dump" -e -O "$1/"
ls -l "$1/"

# Fetch the decrypt tool once and refuse to run it if its hash changed
if [ ! -f encrypt ];then
  wget "PLACEHOLDER_URL_OF_ENCRYPT_TOOL" -O encrypt   # the URL is not preserved in this copy of the post
  chmod +x encrypt
fi
hash=$(sha1sum encrypt | cut -d' ' -f1)
if [ "$hash" != "3631612a9e7158b3043385745729324d53c6a5c2" ];then
  echo encrypt file has different hash, be careful
  exit
fi

# Decrypt the extracted items (key followed by the load address of each part)
./encrypt "$1/$1_app_1.00.bin" 510fb093 a3cbeadc 5993a17e c7adeb03 10000
mv "$1/$1_app_1.00_enc.bin" "$1/$1_app_1.00_decrypted.bin"
./encrypt "$1/$1_bootloader_1.00.bin" 510fb093 a3cbeadc 5993a17e c7adeb03 0
mv "$1/$1_bootloader_1.00_enc.bin" "$1/$1_bootloader_1.00_decrypted.bin"

rm -f "$1"/*cpr
rm -f "$1"/*out
ls -la "$1/"

binwalk "$1/$1_bootloader_1.00_decrypted.bin"
binwalk "$1/$1_app_1.00_decrypted.bin"
</code></pre><p>And that&rsquo;s how another dump is added to the list of devices:</p> <pre tabindex="0"><code>$ tree .
+-- 2578539-970719-White-And-Color-Ambiance-E27-806Lumen |   +-- 2578539-970719_app_1.00.bin |   +-- 2578539-970719_app_1.00_decrypted.bin |   +-- 2578539-970719_bootloader_1.00.bin |   +-- 2578539-970719_bootloader_1.00_decrypted.bin |   +-- 2578539-970719.dump | +-- 2578539-970724-White-And-Color-Ambiance-E27-806Lumen |   +-- 2578539-970724_app_1.00.bin |   +-- 2578539-970724_app_1.00_decrypted.bin |   +-- 2578539-970724_bootloader_1.00.bin |   +-- 2578539-970724_bootloader_1.00_decrypted.bin |   +-- 2578539-970724.dump | +-- 3000267-Tunable-White-GU10-345Lumen |   +-- 3000267_app_1.00.bin |   +-- 3000267_app_1.00_decrypted.bin |   +-- 3000267_bootloader_1.00.bin |   +-- 3000267_bootloader_1.00_decrypted.bin |   +-- 3000267.dump | +-- 3000272-Tunable-White-E27-806Lumen |   +-- 3000272_app_1.00.bin |   +-- 3000272_app_1.00_decrypted.bin |   +-- 3000272_bootloader_1.00.bin |   +-- 3000272_bootloader_1.00_decrypted.bin |   +-- 3000272.dump | +-- 3000273-Tunable-White-E27-1400Lumen |   +-- 3000273_app_1.00.bin |   +-- 3000273_app_1.00_decrypted.bin |   +-- 3000273_bootloader_1.00.bin |   +-- 3000273_bootloader_1.00_decrypted.bin |   +-- 3000273.dump | +-- 3001686-970709-Warm-White-Smart-Filament-E27-806Lumen |   +-- 3001686_app_1.00.bin |   +-- 3001686_app_1.00_decrypted.bin |   +-- 3001686_bootloader_1.00.bin |   +-- 3001686_bootloader_1.00_decrypted.bin |   +-- 3001686.dump | +-- 3001700-970739-Warm-White-Smart-Filament-E27-806Lumen |   +-- 3001700_app_1.00.bin |   +-- 3001700_app_1.00_decrypted.bin |   +-- 3001700_bootloader_1.00.bin |   +-- 3001700_bootloader_1.00_decrypted.bin |   +-- 3001700.dump | +-- 3001702-970727-Warm-White-Ambiance-Smart-Filament-E14-470Lumen |   +-- 3001702_app_1.00.bin |   +-- 3001702_app_1.00_decrypted.bin |   +-- 3001702_bootloader_1.00.bin |   +-- 3001702_bootloader_1.00_decrypted.bin |   +-- 3001702.dump | +-- 3004154-LED-Mood-Light |   +-- 3004154_app_1.00.bin |   +-- 3004154_app_1.00_decrypted.bin |   +-- 
3004154_bootloader_1.00.bin |   +-- 3004154_bootloader_1.00_decrypted.bin |   +-- 3004154.dump | +-- 3004200-WiFi-Outdoor-Dual-Socket |   +-- 3004200_app_1.00.bin |   +-- 3004200_app_1.00_decrypted.bin |   +-- 3004200_bootloader_1.00.bin |   +-- 3004200_bootloader_1.00_decrypted.bin |   +-- 3004200.dump | +-- 3004919-970710-Smart-LED-RGB-Tunable-White-GU10-380Lumen |   +-- 3004919_970710_app_1.00.bin |   +-- 3004919_970710_app_1.00_decrypted.bin |   +-- 3004919_970710_bootloader_1.00.bin |   +-- 3004919_970710_bootloader_1.00_decrypted.bin |   +-- 3004919_970710.dump | +-- 3005364-970796-WiFi-Smart-Outdoor-Garden-Lamp |   +-- 3005364-970796_app_1.00.bin |   +-- 3005364-970796_app_1.00_decrypted.bin |   +-- 3005364-970796_bootloader_1.00.bin |   +-- 3005364-970796_bootloader_1.00_decrypted.bin |   +-- 3005364-970796.dump | +-- 3006033-Dimmer-Switch |   +-- 3006033_app_1.00.bin |   +-- 3006033_app_1.00_decrypted.bin |   +-- 3006033_bootloader_1.00.bin |   +-- 3006033_bootloader_1.00_decrypted.bin |   +-- 3006033.dump | +-- 3006767-Tunable-White-Downlight-360Lumen |   +-- 3006767_app_1.00.bin |   +-- 3006767_app_1.00_decrypted.bin |   +-- 3006767_bootloader_1.00.bin |   +-- 3006767_bootloader_1.00_decrypted.bin |   +-- 3006767.dump | +-- 3007213-970787-Ceiling-Light |   +-- dump_3007213_970787_app_1.00.bin |   +-- dump_3007213_970787_app_1.00_enc.bin |   +-- dump_3007213_970787.bin |   +-- dump_3007213_970787_bootloader_1.00.bin |   +-- dump_3007213_970787_bootloader_1.00_enc.bin | +-- 3007257-970729-Extra-Warm-White-Ambiance-Smart-Filament-E27-350Lumen |   +-- 3007257_app_1.00.bin |   +-- 3007257_app_1.00_decrypted.bin |   +-- 3007257_bootloader_1.00.bin |   +-- 3007257_bootloader_1.00_decrypted.bin |   +-- 3007257.dump | +-- 8435606703567-WOOX-Smart-Bulb-Full-Colour-and-White-E14-470Lumen |   +-- WOOX_app_1.00.bin |   +-- WOOX_app_1.00_decrypted.bin |   +-- WOOX_bootloader_1.00.bin |   +-- WOOX_bootloader_1.00_decrypted.bin |   +-- WOOX.dump | +-- 970715_E27_WCW |   
+-- 970715_E27_WCW_app_1.00.bin
|   +-- 970715_E27_WCW_app_1.00_decrypted.bin
|   +-- 970715_E27_WCW_bootloader_1.00.bin
|   +-- 970715_E27_WCW_bootloader_1.00_decrypted.bin
|   +-- 970715_E27_WCW.dump
|
+-- MoodLight_WB3S
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd_app_1.00.bin
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd_app_1.00_decrypted.bin
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd_app_1.00_decrypted_copy_for_demo.bin
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd_bootloader_1.00.bin
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd_bootloader_1.00_decrypted.bin
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd.dump
</code></pre> <h1 id="dumpsterdiving-for-network-access">Dumpsterdiving for network access</h1> <p>Tue, 05 Apr 2022 10:24:10 +0200</p> <p>I did a lecture on hardware hacking last year for <a href="" target="_blank">Tweakers</a>. One of the comments under the announcement was a remark to put my money where my mouth was. Just scaring people by telling them I could simply log in to your network when you throw away your broken smart light was not very <a href="" target="_blank">credible</a>. 
And even though people were kindly speaking up for me, I would still like to illustrate how simple it is.</p> <h2 id="step-1---breakinghttpswwwjillescomtuya-a-lightbulb">Step 1 - <a href="">Breaking</a> a lightbulb</h2> <h2 id="step-2---soldering-4-wires">Step 2 - Soldering 4 wires</h2> <h2 id="step-3---running-1-script-to-dump-the-firmware">Step 3 - Running 1 script to dump the firmware</h2> <pre tabindex="0"><code>jilles@arch ~/tools/tuya_dumps$ ./ HACK
Connected! Chip info: BK7231S_1.0.5
Reading 4k page at 0X2000000 (0.00%)
Reading 4k page at 0X2001000 (0.20%)
Reading 4k page at 0X2002000 (0.39%)
Reading 4k page at 0X2003000 (0.59%)
|
|
|
|
Reading 4k page at 0X21FB000 (99.02%)
Reading 4k page at 0X21FC000 (99.22%)
Reading 4k page at 0X21FD000 (99.41%)
Reading 4k page at 0X21FE000 (99.61%)
Reading 4k page at 0X21FF000 (99.80%)
RBL containers:
    0x10f9a: bootloader - [encoding_algorithm=NONE, size=0xdd20] - extracted to HACK/HACK_bootloader_1.00.bin
    0x129f0a: app - [encoding_algorithm=NONE, size=0xed5e0] - extracted to HACK/HACK_app_1.00.bin
total 3056
-rw-r--r-- 1 jilles jilles  972256 Apr  6 02:40 HACK_app_1.00.bin
-rw-r--r-- 1 jilles jilles   56608 Apr  6 02:40 HACK_bootloader_1.00.bin
-rw-r--r-- 1 jilles jilles 2097152 Apr  6 02:40 HACK.dump
/**&lt; @author &lt;; */
/**&lt; @version v0.3.1 */
encrypt without crc successfully!
-file size: 0xed5f0
/**&lt; @author &lt;; */
/**&lt; @version v0.3.1 */
encrypt without crc successfully!
-file size: 0xdd30
total 4068
drwxr-xr-x  2 jilles jilles     157 Apr  6 02:40 .
drwxr-xr-x 12 jilles jilles    4096 Apr  6 02:39 ..
-rw-r--r-- 1 jilles jilles 972256 Apr 6 02:40 HACK_app_1.00.bin -rw-r--r-- 1 jilles jilles 972272 Apr 6 02:40 HACK_app_1.00_decrypted.bin -rw-r--r-- 1 jilles jilles 56608 Apr 6 02:40 HACK_bootloader_1.00.bin -rw-r--r-- 1 jilles jilles 56624 Apr 6 02:40 HACK_bootloader_1.00_decrypted.bin -rw-r--r-- 1 jilles jilles 2097152 Apr 6 02:40 HACK.dump DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 52420 0xCCC4 CRC32 polynomial table, little endian 55687 0xD987 Copyright string: &#34;Copyright 1995-2005 Mark Adler &#34; DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 650644 0x9ED94 SHA256 hash constants, little endian 833328 0xCB730 AES Inverse S-Box 846811 0xCEBDB Copyright string: &#34;Copyright (c) 2003-2015, Jouni Malinen &lt;; and contributors&#34; 889100 0xD910C CRC32 polynomial table, little endian 895777 0xDAB21 Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_sdk/tuya_iot_wifi_api.c 900573 0xDBDDD Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/gw_intf.c 907326 0xDD83E Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/smart_frame.c 917611 0xE006B Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_base/kv_storge/flash/simple_flash_app.c 920463 0xE0B8F Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_base/sys_serv/uni_time_queue.c 923506 0xE1772 Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/adapter_platform.c 924457 0xE1B29 Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/system/uni_semaphore.c 924977 0xE1D31 Unix path: 
/home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/utilities/uni_time.c
925485        0xE1F2D         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/utilities/mem_pool.c
925898        0xE20CA         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/wifi_intf/wf_basic_intf.c
926044        0xE215C         CRC32 polynomial table, little endian
927068        0xE255C         CRC32 polynomial table, little endian
928156        0xE299C         Base64 standard index table
928486        0xE2AE6         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/bt_conn/tuya_ble_api.c
931060        0xE34F4         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/bt_conn/tuya_ble_mutli_tsf_protocol.c
933576        0xE3EC8         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_cfg_serv/ez_mc.c
938044        0xE503C         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/iot_httpc.c
943947        0xE674B         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/com_protocol.c
955024        0xE9290         SHA256 hash constants, little endian
955549        0xE949D         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_cfg_serv/wf_sniffer_intf.c
</code></pre><h2 id="step-4---executing-one-simple-search-query">Step 4 - Executing one simple search query</h2> <pre tabindex="0"><code>$ strings HACK.dump | grep onveiligwifi -A2
onveiligwifi
61b77bc0c7710cb2e9fe5c8bb4244ed86829789297ba8ee7bf6176de3e6263eb
onveiligwachtwoord
</code></pre><h1 id="this-is-all-it-takes-and-and-depending-on-the-device-it-would-take-about-30-minutes">This is all it takes and, depending on the device, it would take about 30 minutes</h1> <hr> <blockquote> <h2 id="so-what-should-i-do">So what should I do?</h2> <ul> <li>Preferably create a separate network for your IoT devices that is not connected to the rest of your equipment</li> <li>Monitor your IoT network for unexpected network devices joining</li> <li>Add devices to allow-lists, and remove deprovisioned devices from that list</li> </ul> </blockquote> <blockquote> <h2 id="that-sounds-like-a-lot-of-work-what-else-can-i-do">That sounds like a lot of work, what else can I do?</h2> <ul> <li>Create a new password every time you throw away a broken device</li> <li>Open the lightbulb and physically damage all the chips</li> <li>Don&rsquo;t use IoT devices</li> <li>Don&rsquo;t care, get hacked</li> </ul> </blockquote>
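<p>The dump script in the Tuya post above only tests that the <code>.dump</code> file exists before handing it to <code>dissect_dump</code> and the decryptor, so a read that stopped early or came back as 0xFF everywhere would pass that check. The script below is an added example, not code from the blog or from bk7231tools: it assumes the 4k page size and the 512-page (2 MiB) read implied by the script&rsquo;s <code>-c 512</code>, and the sample dump it builds when run without a path is constructed filler, not real device contents.</p>

```python
"""Sanity-check a raw BK7231 flash dump before dissecting or decrypting it.

Added example; assumes 4 KiB pages and a 512-page (2 MiB) dump as in the
dump script's "-c 512". Not part of the blog post or of bk7231tools.
"""
from __future__ import annotations

import hashlib
import sys
from collections import Counter

PAGE_SIZE = 4096                              # read_flash reads 4k pages
EXPECTED_PAGES = 512                          # "-c 512" in the dump script
EXPECTED_SIZE = PAGE_SIZE * EXPECTED_PAGES    # 2097152 bytes, the size ls shows for *.dump

DATA_PAGE = bytes(range(256)) * 16            # constructed filler for one "real" 4 KiB page


def classify_pages(data: bytes) -> Counter:
    """Count pages that are all 0xFF (erased or never read), all 0x00, or carry data."""
    counts: Counter = Counter()
    for off in range(0, len(data), PAGE_SIZE):
        page = data[off:off + PAGE_SIZE]
        if page.count(0xFF) == len(page):
            counts["erased"] += 1
        elif page.count(0x00) == len(page):
            counts["zero"] += 1
        else:
            counts["data"] += 1
    return counts


def validate_dump(data: bytes, max_blank_ratio: float = 0.9) -> dict:
    """Return a verdict; 'ok' is False when the dump is truncated or mostly blank."""
    problems: list[str] = []
    if len(data) != EXPECTED_SIZE:
        problems.append(f"size {len(data)} bytes, expected {EXPECTED_SIZE}")
    counts = classify_pages(data)
    total = sum(counts.values()) or 1
    blank = counts["erased"] + counts["zero"]
    if blank / total > max_blank_ratio:
        problems.append(f"{blank} of {total} pages are blank (all 0xFF or all 0x00)")
    return {
        "ok": not problems,
        "problems": problems,
        "pages": dict(counts),
        # keep the digest next to the dump so later copies can be checked against it
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample_dump(data_pages: int, erased_pages: int) -> bytes:
    """Constructed stand-in for a dump file (not real flash contents)."""
    return DATA_PAGE * data_pages + b"\xff" * (PAGE_SIZE * erased_pages)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            verdict = validate_dump(fh.read())
    else:
        verdict = validate_dump(build_sample_dump(500, 12))   # constructed, healthy-looking dump
    print(verdict)
    sys.exit(0 if verdict["ok"] else 1)
```

<p>Run it as <code>python check_dump.py WOOX/WOOX.dump</code> (file name assumed) between the <code>read_flash</code> and <code>dissect_dump</code> steps; a non-zero exit stops the pipeline before a bad dump is decrypted and catalogued under a device name. A handful of erased pages is normal for unused flash, which is why the threshold is a ratio rather than zero.</p>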
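<p>The two advice points about monitoring the IoT network and keeping an allow-list can be turned into a small periodic check. The script below is an added example, not code from the post: it reads leases in the format dnsmasq writes to its <code>dhcp.leases</code> file, keys devices on their MAC address, and the sample lease lines and allow-list are constructed.</p>

```python
"""Audit the DHCP leases on an IoT network against an allow-list of known devices.

Added example, not from the blog post. Assumes dnsmasq's dhcp.leases format:
<expiry-epoch> <MAC> <IP> <hostname> <client-id>
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample lease file (not a real capture).
SAMPLE_LEASES = """\
1649100000 aa:bb:cc:00:00:01 192.168.50.10 bulb-kitchen 01:aa:bb:cc:00:00:01
1649100100 aa:bb:cc:00:00:02 192.168.50.11 bulb-hallway 01:aa:bb:cc:00:00:02

1649100200 DE:AD:BE:EF:00:99 192.168.50.12 * *
"""

# Constructed allow-list (MAC -> label). bulb-garden was thrown away but never
# removed from the list, which is exactly the case the post warns about.
SAMPLE_ALLOWLIST = {
    "aa:bb:cc:00:00:01": "bulb-kitchen",
    "aa:bb:cc:00:00:02": "bulb-hallway",
    "aa:bb:cc:00:00:03": "bulb-garden",
}


@dataclass(frozen=True)
class Lease:
    expiry: int
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; MACs are lower-cased so comparisons are case-insensitive."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        expiry, mac, ip, hostname = parts[:4]
        leases.append(Lease(int(expiry), mac.lower(), ip, hostname))
    return leases


def audit(leases: list[Lease], allowlist: dict[str, str]) -> tuple[list[Lease], list[tuple[str, str]]]:
    """Return (unexpected, unseen).

    unexpected: leases whose MAC is not allow-listed; a device you did not
                provision has joined the IoT network.
    unseen:     allow-listed MACs with no lease; candidates for removal from
                the list (deprovisioned or discarded devices).
    """
    known = {mac.lower(): label for mac, label in allowlist.items()}
    seen = {lease.mac for lease in leases}
    unexpected = [lease for lease in leases if lease.mac not in known]
    unseen = sorted((mac, label) for mac, label in known.items() if mac not in seen)
    return unexpected, unseen


def report(leases: list[Lease], allowlist: dict[str, str]) -> list[str]:
    """One line per finding; an empty list means nothing to act on."""
    unexpected, unseen = audit(leases, allowlist)
    lines = [f"ALERT  unknown device {l.mac} at {l.ip} (hostname {l.hostname!r})" for l in unexpected]
    lines += [f"REVIEW allow-listed {mac} ({label}) has no lease; remove it if the device is gone"
              for mac, label in unseen]
    return lines


if __name__ == "__main__":
    for line in report(parse_leases(SAMPLE_LEASES), SAMPLE_ALLOWLIST):
        print(line)
```

<p>Run from cron against the router&rsquo;s lease file and mail the output when it is non-empty. MAC addresses are only a tripwire: they can be copied, and some clients randomise them, so the check complements rather than replaces the separate network the post recommends first; devices with a static address never appear in the lease file and have to be read from the ARP or neighbour table instead.</p>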