Toon (hacked)


###########################################################################
Before you begin
###########################################################################

Make sure toon is not connected to any network that’s in contact with
the internet. Eneco (quby) can see every toon connected to its service
center. Big Brother is watching YOU!

So: disconnect toon from any wireless network (invalidate the
passphrase, remove the SSID from toon, or remove the wifi chipset 😉 ).

In the second step of the rooting process you will need to install an
ssh client/server. I have done this through a small (wired) router,
with no WAN connection, and a private webserver.


###########################################################################
Rooting Eneco’s toon
###########################################################################

Requirements:

1: 3.3V serial-to-USB cable, with separate header connectors for TxD,
RxD and GND (or a ttl-to-serial-adapter when you are using a native serial
port).

2: A computer with serial terminal software like putty and a
free USB port (or a free serial port).

3: A small (metal) screwdriver.

4: Eneco (quby) Toon.

5: Proficiency in using vi (the basic text editor, available in all
UNIX-flavours).

##### Opening the case and connection of the serial interface: #####

Open the casing of toon to access its 14-pin I/O header connector by
carefully dislodging the PCB from the backing shell. Be careful not to
break the flat cables connecting the display.

The white frame is clicked into the grey backing and can be removed by
just lifting it and gently retracting it from the backing. Use your
nails, not tools! The touchscreen/display part can then be lifted and
put (a wee bit) aside. Be careful with the antennas. In newer toons
they are glued to the grey casing, and easily torn.

The PCB holding all the components is kept in place by a
few plastic studs and can be dislodged easily. When done, the back of
the PCB presents two connectors: one 2-pin connector for a 24V power
supply (accessible from the outside), and a 2×7 connector holding a
JTAG interface and a serial port. Logic high is 3.3V.

Connect a 3.3V signal level serial-to-USB adapter to the serial port
of toon and open a serial console (e.g., hyperterminal or putty on
Windows, minicom on Linux, but there are many other options).

Port settings: 115200 baud, 8N1.

(See also domoticaforum.eu for wiring:
http://www.domoticaforum.eu/viewtopic.php?f=17&t=8743)

This is the pinout (not necessarily completely correct, but works for me):

JTAG:

pin 1: RTCK brown 11
pin 2: TRST red 3
pin 3: GND orange 4
pin 4: TCK yellow 9
pin 5: GND green 6
pin 6: TMS blue 7
pin 7: SRST purple 15
pin 8: TDI grey 5
pin 9: Vt white 1
pin 10: TDO black 13

serial port (3.3V logic levels, ttymxc0, 115200 baud, 8N1):

pin 11: RxD
pin 12: ??
pin 13: TxD
pin 14: GND

Make sure the component side of the PCB is accessible. Connect toon
to a power supply (boiler module + power adapter) and power it up.

##### Entering (and editing) the boot loader: #####

## By using the password ##

The bootloader is accessed by entering the bootloader password when
the boot loader is starting, and presents the prompt:

Enter password – autoboot in 2 sec.

Two boot loader passwords have been retrieved so far, and they depend
on the bootloader version of your toon. The bootloader version is
displayed in the serial console immediately after toon (re)boots:

U-Boot 2010.09-R6 (Mar 14 2012 – 11:15:10)

CPU: Freescale i.MX27 at 400.168 MHz
… etc.

These are the passwords that go with the u-boot versions:

Bootloader version      password

U-Boot 2010.09-R6       f4E9J
U-Boot 2010.09-R8       3BHf2

The password is case-sensitive, so, e.g., f is different from F.
Enter the password (terminated with a <return>-character) by
copy/pasting it into the serial console. U-boot will stop and present
its prompt:

U-Boot>

Note that the password is not shown when you enter it. The (very
basic) serial console of U-Boot only echoes what you enter _after_ the
password has been accepted and the command line has been redirected to
the serial interface.

If, for whatever reason, you cannot enter the password properly, or
you have a toon with yet another (unknown) password, you can revert to
the U-Boot interruption method presented below, or dump the boot
loader image (contact me through PM). It’s not hard to find the boot
loader password in the image, but it takes too many steps to describe
here. You will need JTAG hardware and software for this.

## By shorting the NAND chip ##

Enter the u-boot menu by briefly shorting the proper control pins on
the NAND chip early on during boot-up (short the pins when “checking
crc” or similar is visible). A small metal screwdriver will do nicely
for this purpose.

This causes a flash memory checksum error and drops you to a u-boot
shell. For toon’s NAND chip, the pins are 8 and 9 (!CE and !RE, NOT
Chip enable and NOT Read enable, search http://www.hackaday.com for
details). The NAND chip is the (only) samsung chip on the PCB.

##### Editing the U-Boot environment #####

After getting the U-Boot prompt (either way), this is what you get
when asking for printenv (bootloader version U-Boot 2010.09-R8, R6 is
very similar):

U-Boot> printenv
bootdelay=2
baudrate=115200
loadaddr=0xA1000000
bootdelay=2
mtdids=nand0=mxc_nand
mtdparts=mtdparts=mxc_nand:1M(u-boot)ro,512K(u-boot-env)ro,1536K(splash-image),3M(kernel),3M(kernel-backup),119M(rootfs)
mtdparts_kernel=mtdparts=mxc_nand:512K@0x00100000(u-boot-env)ro,1536K(splash-image),3M(kernel),3M(kernel-backup),119M(rootfs)
mem=128M
autoload=no
backlight_brightness=50
baudrate=115200
console=ttymxc0
addtty=setenv bootargs ${bootargs} console=${console},${baudrate}
addmtd=setenv bootargs ${bootargs} ${mtdparts_kernel}
nandargs=setenv bootargs ubi.mtd=4 root=ubi0:rootfs rw rootfstype=ubifs
boot_nand=run nandargs addmtd addtty addmisc; nand read ${loadaddr} kernel; bootm ${loadaddr}
boot_nand_backup=run nandargs addmtd addtty addmisc; nand read ${loadaddr} kernel-backup; bootm ${loadaddr}
bootcmd=run boot_nand
splashimage=0x180000
ethact=FEC
sn=xx-xx-xxx-xxx
pn=6500-1400-1200
software_compatibility=0
manufacture_date=2014/04
ethaddr=aa:bb:cc:dd:ee:ff
addmisc=setenv bootargs ${bootargs} mem=${mem} lpj=999424
bootargs=ubi.mtd=4 root=ubi0:rootfs rw rootfstype=ubifs mtdparts=mxc_nand:512K@0x00100000(u-boot-env)ro,1536K(splash-image),3M(kernel),3M(kernel-backup),119M(rootfs) c4
partition=nand0,0
mtddevnum=0
mtddevname=u-boot

Environment size: 1280/131068 bytes
U-Boot>

Edit as follows: redefine addmisc (the last part of boot_nand) by
appending init=/bin/sh. Be sure to escape the $, { and } signs with
backslashes, otherwise U-Boot expands the variables while you type the
setenv command instead of storing them:

setenv addmisc setenv bootargs \$\{bootargs\} mem=\$\{mem\} lpj=999424 init=/bin/sh

I am not sure what lpj=999424 means, but in my case it has to be there,
otherwise toon won’t boot again. In older firmwares the phrase
lpj=999424 is not present; that should be no problem.

Then resume the booting process of Toon by typing:

run boot_nand
and press <enter>.

At the end of the booting process, you will be dropped to a shell, and
you can start editing whatever needs editing.

##### Editing the boot scripts and passwd file: #####

Add a serial tty to /etc/inittab; locate the following line in /etc/inittab:

# HCBv2 static stuff

and edit (software version < 3.0 (shockwave flash GUI), using vi):

# HCBv2 static stuff
ovpn:2345:respawn:/usr/sbin/openvpn --config /etc/openvpn/vpn.conf --verb 0 >/dev/null 2>&1
flas:5:respawn:/usr/bin/startflash >/dev/null 2>&1
# add serial console access: (added, MR!):
gett:235:respawn:/sbin/getty -L 115200 ttymxc0 vt102

or: (toon SW 3.0, qt GUI):

# HCBv2 static stuff
ovpn:2345:respawn:/usr/sbin/openvpn --config /etc/openvpn/vpn.conf --verb 0 >/dev/null 2>&1
qtqt:245:respawn:/usr/bin/startqt >/dev/null 2>&1
# add serial console access: (added, MR!):
gett:235:respawn:/sbin/getty -L 115200 ttymxc0 vt102

While you’re at it, comment out the openvpn line with a hash mark:

#ovpn:2345:respawn:/usr/sbin/openvpn --config /etc/openvpn/vpn.conf --verb 0 >/dev/null 2>&1

By commenting out the openvpn command, toon no longer connects to the
service center (and won’t upload anymore data). If you don’t have an
Eneco account, that’s probably what you want. Otherwise, leave it as
it is.

(for toon software 3.0 and later only:)
Locate the password file /etc/passwd and edit the line:

root:DISABLED:0:0:root:/root:/bin/sh

to read:

root::0:0:root:/root:/bin/sh

and save. Otherwise you won’t get in.
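The three edits above (serial getty, commented-out openvpn entry, cleared root password field) as a small sed script, added here as an example and not part of the original guide. It assumes a BusyBox or GNU sed with -i and runs on constructed sample copies first, so the result can be checked before the live /etc/inittab and /etc/passwd on toon are touched.

```shell
#!/bin/sh
# Added example (not from the original guide): the inittab and passwd edits
# described above as sed commands, tried on constructed sample copies first.
# Assumes a BusyBox or GNU sed with -i and that the marker line
# "# HCBv2 static stuff" is present in the inittab.
set -eu

MARKER='# HCBv2 static stuff'
GETTY='gett:235:respawn:/sbin/getty -L 115200 ttymxc0 vt102'

# toon_edit_inittab FILE: add the serial getty right after the marker and
# comment out the openvpn entry. Safe to run twice (no duplicate getty).
toon_edit_inittab() {
    grep -qxF "$MARKER" "$1" || { echo "marker missing in $1" >&2; return 1; }
    grep -qF "$GETTY" "$1" || sed -i "/^# HCBv2 static stuff\$/a\\
$GETTY" "$1"
    sed -i 's|^ovpn:|#ovpn:|' "$1"
}

# toon_edit_passwd FILE: clear root's DISABLED password field (toon software
# 3.0 and later) so the serial login works; set a real one with passwd after.
toon_edit_passwd() {
    sed -i 's|^root:DISABLED:|root::|' "$1"
}

# toon_demo: run both edits on a constructed cut-down inittab of a 3.0 toon
# and a one-line passwd, print the result, return 0 if all edits are visible.
toon_demo() {
    d=$(mktemp -d)
    cat >"$d/inittab" <<'EOF'
::sysinit:/etc/init.d/rcS
# HCBv2 static stuff
ovpn:2345:respawn:/usr/sbin/openvpn --config /etc/openvpn/vpn.conf --verb 0 >/dev/null 2>&1
qtqt:245:respawn:/usr/bin/startqt >/dev/null 2>&1
EOF
    printf 'root:DISABLED:0:0:root:/root:/bin/sh\n' >"$d/passwd"
    toon_edit_inittab "$d/inittab"
    toon_edit_inittab "$d/inittab"   # second run must not add a second getty
    toon_edit_passwd "$d/passwd"
    cat "$d/inittab" "$d/passwd"
    if [ "$(grep -c '^gett:' "$d/inittab")" -eq 1 ] &&
       grep -q '^#ovpn:' "$d/inittab" &&
       grep -qx 'root::0:0:root:/root:/bin/sh' "$d/passwd"; then ok=0; else ok=1; fi
    rm -rf "$d"
    return $ok
}

toon_demo
```

To apply it on toon itself, call toon_edit_inittab /etc/inittab and toon_edit_passwd /etc/passwd from the init=/bin/sh shell.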

##### Restoring the boot loader and accessing toon through a shell: #####

After completing the addition of the serial tty to /etc/inittab (and
editing the password file) type reboot and you return to the normal
boot (runlevel 5), now with a login shell on a serial console. Since
the u-boot environment changes haven’t been stored to flash, the boot
sequence proceeds as before (without init=/bin/sh).

To quote Patrick Volkerding, from the Slackware set-up sequence:

You may now login as “root”.

(and do set a _strong_ password, by typing the command passwd
and following the steps of the passwd program).

Do not reassemble toon yet, you will need the serial connection to
open the network ports to the outside world.


###########################################################################
Making toon accessible from outside
###########################################################################

Requirements:

1: private network connection to a web server
2: dropbear installation package
3: serial console connection to toon

To be able to access toon over the network, you should install an ssh
client/server. In embedded systems like toon, this is typically
dropbear. To get a working version of dropbear, you can build the quby
openembedded tree from source. See
http://quby.nl/opensource/openembedded-qb2-toon-2012r1.tar.bz2 for
details. Part of the build is the compilation and packaging of
dropbear. It will end up in a file called

dropbear_0.51-r7.0_qb2.ipk

Put this file (temporarily) on a webserver, in its root, so you don’t
have to look for it, and pick it up with wget:

On toon:

wget http://<server_name>/dropbear_0.51-r7.0_qb2.ipk

After download, install dropbear with:

opkg install dropbear_0.51-r7.0_qb2.ipk

Early 2016, the original dropbear package has been replaced with
a newer one:

dropbear_2015.71-r0_qb2.ipk

This version resolves some issues with encryption methods no longer
deemed safe in modern OS’es. It’s available from the “toon as a
domotica controller?”-thread at domoticaforum.eu.

### Modification of iptables (the linux firewall) ###

To be able to access Toon through ssh or otherwise, the network ports
associated with these services need to be opened in the firewall.

Edit iptables.conf by issuing the command:

vi /etc/default/iptables.conf

Edit after the part that starts with:

# These are all closed for Quby/Toon:
Make this part look like this:

-A HCB-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A HCB-INPUT -p tcp -m tcp --dport 7080 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A HCB-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

On newer firmware (3.0.32 and later) you will need port 10080 instead of 7080:

-A HCB-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A HCB-INPUT -p tcp -m tcp --dport 10080 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A HCB-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

Explanation of the ports 80 (http) and 7080/10080 (some private
server) will follow in the forum thread on toon.

Test, by opening a secure shell connection to another server:
ssh <user>@<machine>

and verify its functionality. The dropbear package installs an ssh
client (ssh), server (sshd) and secure copy (scp) application on
toon.

If, for some valid reason, you cannot build dropbear and/or put it on
a webserver, contact me and I’ll upload the package to my own small
webserver, so you can pick it up there. Building your own version of
the quby openembedded tree is highly recommended, though. It also
builds a bunch of analysis tools like gdb and strace. Handy for
testing all kinds of stuff.

After having installed dropbear and testing its functionality (both
ways: from toon to the outside world, and from the outside world into
toon), you can reassemble toon.


###########################################################################
Hardening toon (complete exclusion of Eneco, for non-Eneco users only)
###########################################################################

Requirements:

1: toon with dropbear installed
2: connection with private network (no WAN)

When toon is set up completely, the “Internet” tab states that toon is
connected to the service center. The service center consists of a
bunch of websites and other services, accessed through a VPN tunnel,
managed by Quby under the flag of Eneco. Each toon connects to the
service center through an OpenVPN tunnel, with TLS security
enhancement. Even if you do not have an Eneco account, toon sends
data to Eneco on a regular basis. According to Eneco, no energy usage
(gas and electricity) data are uploaded (which is true), but boiler
settings are transmitted every hour. No idea why, by the way. Besides
the OpenVPN connection mentioned earlier, toon phones home
with ping and the chrony daemon.

##### Disabling OpenVPN: #####

The OpenVPN connection is disabled by simply not starting OpenVPN,
through commenting out the openvpn line in /etc/inittab:

#ovpn:2345:respawn:/usr/sbin/openvpn --config /etc/openvpn/vpn.conf --verb 0 >/dev/null 2>&1

This shuts off openvpn effectively. In the internet tab you will now
get the message “Connected to the internet” or something along these
lines. You will also get a warning message that internet has not been
set up correctly or setup has not yet been completed. You can safely
ignore these warnings.

After toon has been rebooted (don’t do that yet!), if you have a toon
with the qt GUI, you can suppress the warnings issued by toon about not
being able to reach the service center, as follows (thank you, al_n!):

Locate the file
/HCBv2/qml/apps/internetSettings/InternetSettingsApp.qml, and look for
the following code (line 365 or thereabouts):

onNotificationReceived : {
    var statemachine = message.getArgument("statemachine");
    if (statemachine) {
        var prevSmStatus = smStatus;
        smStatus = parseInt(statemachine);
        // add the following two lines of code:
        // added by al_n (20151220):
        if (smStatus == _ST_INTERNET) {
            smStatus = _ST_TUNNEL;
        }
        //
        // continuation of original file:
        // Trigger the internetStateChange signal, used by the internet settings overview screen
        internetStateChange(smStatus);

…. etc.

This will interpret a working internet connection as a connection to
the service center, and thus warnings are suppressed.

##### Disabling the time service access to time.quby.nl: #####

Toon keeps track of time through the chrony daemon. To set the clock
at startup, and to keep it synchronized with the rest of the world,
toon uses the time server of quby: time.quby.nl. This server name is
set in /etc/chrony.conf.
Locate the following two lines in chrony.conf:

server time.quby.nl minpoll 8
and
initstepslew 30 time.quby.nl

and replace the server name by another time server. I use

wwv.nist.gov instead of time.quby.nl

since it has the same (short) server name length (you never know if
and how the chrony code was hacked by quby), is accessed by many clients
across the globe, and has proven to have a good level of stability
over many years of service.

Note: the time protocol (tcp/udp port 37) is something else than the
network time protocol (ntp, udp port 123). You will need a time
server, not an ntp-server.

##### Disabling pinging quby.nl: #####

Toon pings the quby ping server every so many seconds. This is done in
/HCBv2/sbin/hcb_netcon. The ping server address is unfortunately
hard-coded in hcb_netcon, so to disable this, you will need to reroute
ping requests to another machine. You can’t switch it off easily.

To reroute, edit the file /etc/hosts.template and add the line

127.0.0.1 ping.quby.nl

at the end of the file, and save it.

Test whether your rerouting works by pinging quby:

eneco-001-xxxxxx:/# ping ping.quby.nl
PING ping.quby.nl (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=1.108 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.738 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.658 ms

This indicates that the ping requests for quby are redirected to
localhost (IP 127.0.0.1). Thanks, RDNZL, for pointing this out!

Reboot toon for good measure. Now you can go and edit the
InternetSettingsApp.qml file, as explained above.

All done. You have now severed all connections between toon and Eneco
(quby), and can safely connect it to your wireless network again.
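A check for the three channels described in this section, added here as an example and not part of the original guide: it inspects copies of /etc/inittab, /etc/chrony.conf and /etc/hosts.template and reports which of OpenVPN, chrony to time.quby.nl and ping.quby.nl would still phone home. The file paths are passed in, and the demo runs on constructed sample files, one set as shipped and one set after the edits.

```shell
#!/bin/sh
# Added check (not from the original guide): audit the three files the
# hardening section edits and report which phone-home channel is still open.
# Needs only a POSIX shell and grep; file paths are arguments so it can be
# tried on copies or samples before looking at the live files on toon.
set -u

# toon_audit INITTAB CHRONYCONF HOSTSTEMPLATE
# Prints one line per channel; returns the number of channels still open.
toon_audit() {
    open=0
    if grep -q '^ovpn:' "$1"; then
        echo "OPEN   openvpn: uncommented ovpn entry in $1"; open=$((open + 1))
    else
        echo "closed openvpn"
    fi
    # chrony: any active (uncommented) line still naming time.quby.nl
    if grep -v '^[[:space:]]*#' "$2" | grep -q 'time\.quby\.nl'; then
        echo "OPEN   chrony: time.quby.nl still referenced in $2"; open=$((open + 1))
    else
        echo "closed chrony"
    fi
    # ping: hcb_netcon has the name hard-coded, so it must resolve to loopback
    if grep -Eq '^127\.0\.0\.1[[:space:]]+ping\.quby\.nl' "$3"; then
        echo "closed ping (ping.quby.nl -> 127.0.0.1)"
    else
        echo "OPEN   ping: no '127.0.0.1 ping.quby.nl' entry in $3"; open=$((open + 1))
    fi
    return $open
}

# Constructed samples: files as shipped (all three open) and after the edits.
toon_audit_demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ovpn:2345:respawn:/usr/sbin/openvpn --config /etc/openvpn/vpn.conf --verb 0 >/dev/null 2>&1' >"$d/inittab.before"
    printf '%s\n' 'server time.quby.nl minpoll 8' 'initstepslew 30 time.quby.nl' >"$d/chrony.before"
    printf '%s\n' '127.0.0.1 localhost' >"$d/hosts.before"
    printf '%s\n' '#ovpn:2345:respawn:/usr/sbin/openvpn --config /etc/openvpn/vpn.conf --verb 0 >/dev/null 2>&1' >"$d/inittab.after"
    printf '%s\n' 'server wwv.nist.gov minpoll 8' 'initstepslew 30 wwv.nist.gov' >"$d/chrony.after"
    printf '%s\n' '127.0.0.1 localhost' '127.0.0.1 ping.quby.nl' >"$d/hosts.after"
    toon_audit "$d/inittab.before" "$d/chrony.before" "$d/hosts.before"; before=$?
    toon_audit "$d/inittab.after" "$d/chrony.after" "$d/hosts.after"; after=$?
    rm -rf "$d"
    echo "open channels before: $before, after: $after"
    [ "$before" -eq 3 ] && [ "$after" -eq 0 ]
}

toon_audit_demo
```

On toon itself, run toon_audit /etc/inittab /etc/chrony.conf /etc/hosts.template over the serial console; a non-zero exit status means something still phones home.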