![\"\"](\"https:\/\/einstein.amsterdam\/wp-content\/uploads\/loadscreen_0.png\")
<\/p>\n<\/p>\n
Make sure toon is not connected to any network that’s in contact with So: disconnect toon from any wireless network (invalidate the In the second step of the rooting process you will need to install an Requirements:<\/p>\n 1: 3.3V serial-to-USB cable, with separate header connectors for TxD, 2: A computer with serial terminal software like putty and a 3: A small (metal) screwdriver.<\/p>\n 4: Eneco (quby) Toon.<\/p>\n 5: Proficiency in using vi (the basic text editor, available in all ##### Opening the case and connection of the serial interface: #####<\/p>\n Open the casing of toon to access its 14-pin I\/O header connector by The white frame is clicked into the grey backing and can be removed by The PCB holding all the components is kept in place by a Connect a 3.3V signal level serial-to-USB adapter to the serial port Port settings: 115200 baud, 8N1.<\/p>\n (See also domoticaforum.eu for wiring: This is the pinout (not necessarily completely correct, but works for me):<\/p>\n JTAG:<\/p>\n pin 1: RTCK brown 11 serial port (3.3V logic levels, ttymxc0, 115200 baud, 8N1):<\/p>\n pin 11: RxD Make sure the component side of the PCB is accessible. Connect toon ##### Entering (and editing) the boot loader: #####<\/p>\n ## By using the password ##<\/p>\n The bootloader is accessed by entering the bootloader password when Enter password – autoboot in 2 sec.<\/p>\n Two boot loader passwords have been retrieved so far, and they depend U-Boot 2010.09-R6 (Mar 14 2012 – 11:15:10)<\/p>\n CPU: Freescale i.MX27 at 400.168 MHz These are the passwords that go with the u-boot versions:<\/p>\n Bootloader version password<\/p>\n U-Boot 2010.09-R6 f4E9J The password is case-sensitive, so, e.g., f is different from F. U-Boot><\/p>\n Note that the password is not shown when you enter it. The (very If, for whatever reason, you cannot enter the password properly, or ## By shorting the NAND chip ##<\/p>\n Enter the u-boot menu by briefly shorting the proper control pins on This causes a flash memory checksum error and drops you to a u-boot #### Editing the U-Boot environment #####<\/p>\n After getting the U-Boot prompt (either way), this is what you get U-Boot> printenv Environment size: 1280\/131068 bytes Edit as follows (redefine addmisc, this is the last part of boot_nand, setenv addmisc setenv bootargs \\$\\{bootargs\\} mem=\\$\\{mem\\} lpj=999424 init=\/bin\/sh<\/p>\n Not sure what lpj=999424 means, but in my case it should be there, Then resume the booting process of Toon by typing:<\/p>\n run boot_nand At the end of the booting process, you will be dropped to a shell, and ##### Editing the boot scripts and passwd file: #####<\/p>\n Add a serial tty to \/etc\/inittab; locate the following line in \/etc\/inittab:<\/p>\n # HCBv2 static stuff<\/p>\n and edit (software version < 3.0 (shockwave flash GUI), using vi):<\/p>\n # HCBv2 static stuff or: (toon SW 3.0, qt GUI):<\/p>\n # HCBv2 static stuff While you’re at it, comment out the openvpn line with a hash mark:<\/p>\n #ovpn:2345:respawn:\/usr\/sbin\/openvpn –config \/etc\/openvpn\/vpn.conf –verb 0 >\/dev\/null 2>&1<\/p>\n By commenting out the openvpn command, toon no longer connects to the (for toon software 3.0 and later only:) root:DISABLED:0:0:root:\/root:\/bin\/sh<\/p>\n to read:<\/p>\n root::0:0:root:\/root:\/bin\/sh<\/p>\n and save. Otherwise you won’t get in.<\/p>\n ##### Restoring the boot loader and accessing toon through a shell: #####<\/p>\n After completing the addition of the serial tty to \/etc\/inittab (and To quote Patrick Volkerding, from the Slackware set-up sequence:<\/p>\n You may now login as “root”.<\/p>\n (and do set a _strong_ password!, by typing the command: passwd Do not reassemble toon yet, you will need the serial connection to Requirements:<\/p>\n 1: private network connection to a web server To be able to access toon over the network, you should install an ssh dropbear_0.51-r7.0_qb2.ipk<\/p>\n Put this file (temporarily) on a webserver, in its root, so you don’t On toon:<\/p>\n wget http:\/\/<server_name>\/dropbear_0.51-r7.0_qb2.ipk<\/p>\n After download, install dropbear with:<\/p>\n opkg install dropbear_0.51-r7.0_qb2.ipk<\/p>\n Early 2016, the original dropbear package has been replaced with dropbear_2015.71-r0_qb2.ipk<\/p>\n This version resolves some issues with encryption methods no longer ### Modification of iptables (the linux firewall) ###<\/p>\n To be able to access Toon through ssh or otherwise, the network ports Edit iptables.conf by issueing the command:<\/p>\n vi \/etc\/default\/iptables.conf<\/p>\n Edit after the part that starts with:<\/p>\n # These are all closed for Quby\/Toon: -A HCB-INPUT -p tcp -m tcp –dport 22 –tcp-flags SYN,RST,ACK SYN -j ACCEPT On newer firmware (3.0.32 and later) you will need port 10080 instead of 7080:<\/p>\n -A HCB-INPUT -p tcp -m tcp –dport 22 –tcp-flags SYN,RST,ACK SYN -j ACCEPT Explanation of the ports 80 (http) and 7080\/10080 (some private Test, by opening a secure shell connection to another server: and verify its functionality. The dropbear package installs an ssh If, for some valid reason, you cannot build dropbear and\/or put it on After having installed dropbear and testing its functionality (both Requirements:<\/p>\n 1: toon with dropbear installed When toon is set up completely, in the tab “Internet” toon states to ##### Disabling OpenVPN: #####<\/p>\n The OpenVPN connection is disabled by simply not starting OpenVPN, #ovpn:2345:respawn:\/usr\/sbin\/openvpn –config \/etc\/openvpn\/vpn.conf –verb 0 >\/dev\/null 2>&1<\/p>\n This shuts off openvpn effectively. In the internet tab you will now After toon has been rebooted (don’t do that yet!), if you have a toon Locate the file onNotificationReceived : { …. etc.<\/p>\n This will interpret a working internet connection as a connection to ##### Disabling the time service access to time.quby.nl: #####<\/p>\n Toon keeps track of time through the chrony daemon. To set the clock server time.quby.nl minpoll 8 and replace the server name by another time server. I use<\/p>\n wwv.nist.gov instead of time.quby.nl<\/p>\n since it has the same (short) server name length (you never know if Note: the time protocol (tcp\/udp port 37) is something else than the ##### Disabling pinging quby.nl: #####<\/p>\n Toon pings the quby ping server every so many seconds. This is done in To reroute, edit the file \/etc\/hosts.template and add the line<\/p>\n 127.0.0.1 ping.quby.nl<\/p>\n at the end of the file, and save it.<\/p>\n Test whether your rerouting works by pinging quby:<\/p>\n eneco-001-xxxxxx:\/# ping ping.quby.nl This indicates that the ping requests for quby are redirected to Reboot toon for good measure. Now you can go edit the service All done. You have now severed all connections between toon and Eneco ########################################################################### Before you begin ########################################################################### Make sure toon is not connected to any network that’s in contact with the internet. Eneco (quby) can see every […]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/pages\/1863"}],"collection":[{"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1863"}],"version-history":[{"count":6,"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/pages\/1863\/revisions"}],"predecessor-version":[{"id":1921,"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=\/wp\/v2\/pages\/1863\/revisions\/1921"}],"wp:attachment":[{"href":"https:\/\/einstein.amsterdam\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n###########################################################################
\nBefore you begin
\n###########################################################################
\n<\/strong><\/p>\n
\nthe internet. Eneco (quby) can see every toon connected to its service
\ncenter. Big Brother is watching YOU!<\/p>\n
\npassphrase, remove the SSID from toon, or remove the wifi chipset \ud83d\ude09 ).<\/p>\n
\nssh client\/server. I have done this through a small (wired) router,
\nwith no WAN connection, and a private webserver.<\/p>\n
\n###########################################################################
\nRooting Eneco’s toon
\n###########################################################################
\n<\/strong><\/p>\n
\nRxD and GND (or a ttl-to-serial-adapter when you are using a native serial
\nport).<\/p>\n
\nfree USB port (or a free serial port).<\/p>\n
\nUNIX-flavours).<\/p>\n
\ncarefully dislodging the PCB from the backing shell. Be careful not to
\nbreak the flat cables connecting the display.<\/p>\n
\njust lifting it and gently retracting it from the backing. Use your
\nnails, not tools! The touchscreen\/display part can then be lifted and
\nput (a wee bit) aside. Be careful with the antennas. In newer toons
\nthey are glued to the grey casing, and easily torn.<\/p>\n
\nfew plastic studs and can be dislodged easily. When done, the back of
\nthe PCB presents two connectors: one 2-pin connector for a 24V power
\nsupply (accessible from the outside), and a 2×7 connector holding a
\nJTAG interface and a serial port. Logic high being 3.3V.<\/p>\n
\nof toon and open a serial console (e.g., hyperterminal or putty on
\nWindows, minicom on Linux, but there are many other options).<\/p>\n
\nhttp:\/\/www.domoticaforum.eu\/viewtopic.php?f=17&t=8743)<\/p>\n
\npin 2: TRST red 3
\npin 3: GND orange 4
\npin 4: TCK yellow 9
\npin 5: GND green 6
\npin 6: TMS blue 7
\npin 7: SRST purple 15
\npin 8: TDI grey 5
\npin 9: Vt white 1
\npin 10: TDO black 13<\/p>\n
\npin 12: ??
\npin 13: TxD
\npin 14: GND<\/p>\n
\nto a power supply (boiler module + power adapter) and power it up.<\/p>\n
\nthe boot loader is starting, and presents the prompt:<\/p>\n
\non the bootloader version of your toon. The bootloader version is
\ndisplayed in the serial console immediately after toon (re)boots:<\/p>\n
\n… etc.<\/p>\n
\nU-Boot 2010.09-R8 3BHf2<\/p>\n
\nEnter the password (terminated with a <return>-character) by
\ncopy\/pasting it into the serial console. U-boot will stop and present
\nits prompt:<\/p>\n
\nbasic) serial console of U-Boot only echoes what you enter _after_ the
\npassword has been entered and command has been redirected to the
\nserial interface.<\/p>\n
\nyou have a toon with yet another (unknown) password, you can revert to
\nthe U-Boot interruption method presented below, or dump the boot
\nloader image (contact me through PM). It’s not hard to find the boot
\nloader password in the image, but it takes too many steps to describe
\nhere. You will need JTAG hardware and software for this.<\/p>\n
\nthe NAND chip early on during boot-up (Short the pins when “checking
\ncrc” or similar is visible) A small metal screwdriver will do nicely
\nfor this purpose.<\/p>\n
\nshell. For toon’s NAND chip, the pins are 8 and 9 (!CE and !RE, NOT
\nChip enable and NOT Read enable, search http:\/\/www.hackaday.com for
\ndetails). The NAND chip is the (only) samsung chip on the PCB.<\/p>\n
\nwhen asking for printenv (bootloader version U-Boot 2010.09-R8, R6 is
\nvery similar):<\/p>\n
\nbootdelay=2
\nbaudrate=115200
\nloadaddr=0xA1000000
\nbootdelay=2
\nmtdids=nand0=mxc_nand
\nmtdparts=mtdparts=mxc_nand:1M(u-boot)ro,512K(u-boot-env)ro,1536K(splash-image),3M(kernel),3M(kernel-backup),119M(rootfs)
\nmtdparts_kernel=mtdparts=mxc_nand:512K@0x00100000(u-boot-env)ro,1536K(splash-image),3M(kernel),3M(kernel-backup),119M(rootfs)
\nmem=128M
\nautoload=no
\nbacklight_brightness=50
\nbaudrate=115200
\nconsole=ttymxc0
\naddtty=setenv bootargs ${bootargs} console=${console},${baudrate}
\naddmtd=setenv bootargs ${bootargs} ${mtdparts_kernel}
\nnandargs=setenv bootargs ubi.mtd=4 root=ubi0:rootfs rw rootfstype=ubifs
\nboot_nand=run nandargs addmtd addtty addmisc; nand read ${loadaddr} kernel; bootm ${loadaddr}
\nboot_nand_backup=run nandargs addmtd addtty addmisc; nand read ${loadaddr} kernel-backup; bootm ${loadaddr}
\nbootcmd=run boot_nand
\nsplashimage=0x180000
\nethact=FEC
\nsn=xx-xx-xxx-xxx
\npn=6500-1400-1200
\nsoftware_compatibility=0
\nmanufacture_date=2014\/04
\nethaddr=aa:bb:cc:dd:ee:ff
\naddmisc=setenv bootargs ${bootargs} mem=${mem} lpj=999424
\nbootargs=ubi.mtd=4 root=ubi0:rootfs rw rootfstype=ubifs mtdparts=mxc_nand:512K@0x00100000(u-boot-env)ro,1536K(splash-image),3M(kernel),3M(kernel-backup),119M(rootfs) c4
\npartition=nand0,0
\nmtddevnum=0
\nmtddevname=u-boot<\/p>\n
\nU-Boot><\/p>\n
\nby adding init (be sure to properly escape the $ and { }-signs with
\nbackslashes!) ):<\/p>\n
\notherwise toon won’t boot again. In older firmwares, the phrase
\nlpj=999424 is not present, should be no problem.<\/p>\n
\nand press <enter>.<\/p>\n
\nyou can start editing whatever needs editing.<\/p>\n
\novpn:2345:respawn:\/usr\/sbin\/openvpn –config \/etc\/openvpn\/vpn.conf –verb 0 >\/dev\/null 2>&1
\nflas:5:respawn:\/usr\/bin\/startflash >\/dev\/null 2>&1
\n# add serial console access: (added, MR!):
\ngett:235:respawn:\/sbin\/getty -L 115200 ttymxc0 vt102<\/p>\n
\novpn:2345:respawn:\/usr\/sbin\/openvpn –config \/etc\/openvpn\/vpn.conf –verb 0 >\/dev\/null 2>&1
\nqtqt:245:respawn:\/usr\/bin\/startqt >\/dev\/null 2>&1
\n# add serial console access: (added, MR!):
\ngett:235:respawn:\/sbin\/getty -L 115200 ttymxc0 vt102<\/p>\n
\nservice center (and won’t upload anymore data). If you don’t have an
\nEneco account, that’s probably what you want. Otherwise, leave it as
\nit is.<\/p>\n
\nLocate the password file \/etc\/passwd and edit the line:<\/p>\n
\nediting the password file) type reboot and you return to the normal
\nboot (runlevel 5), now with a login shell, on a serial console. Since
\nthe u-boot environment changes haven’t been stored to flash, the boot
\nsequence proceeds as before (without \/init\/sh).<\/p>\n
\nand following the steps of the passwd-program).<\/p>\n
\nopen the network ports to the outside world.<\/p>\n
\n###########################################################################
\nMaking toon accessible from outside
\n###########################################################################
\n<\/strong><\/p>\n
\n2: dropbear installation package
\n3: serial console connection to toon<\/p>\n
\nclient\/server. In embedded systems like toon, this is typically
\ndropbear. To get a working version of dropbear, you can build the quby
\nopenembedded tree from source. See
\nhttp:\/\/quby.nl\/opensource\/openembedded-qb2-toon-2012r1.tar.bz2 for
\ndetails. Part of the build is the compilation and packaging of
\ndropbear. It will end up in a file called<\/p>\n
\nhave to look for it, and pick it up with wget:<\/p>\n
\na newer one:<\/p>\n
\ndeemed safe in modern OS’es. It’s available from the “toon as a
\ndomotica controller?”-thread at domoticaforum.eu.<\/p>\n
\nassociated with these services need to be opened in the firewall.<\/p>\n
\nMake this part look like this:<\/p>\n
\n-A HCB-INPUT -p tcp -m tcp –dport 7080 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
\n-A HCB-INPUT -p tcp -m tcp –dport 80 –tcp-flags SYN,RST,ACK SYN -j ACCEPT<\/p>\n
\n-A HCB-INPUT -p tcp -m tcp –dport 10080 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
\n-A HCB-INPUT -p tcp -m tcp –dport 80 –tcp-flags SYN,RST,ACK SYN -j ACCEPT<\/p>\n
\nserver) will follow in the forum thread on toon.<\/p>\n
\nssh <user>@<machine><\/p>\n
\nclient (ssh), server (sshd) and secure copy (scp) application on
\ntoon.<\/p>\n
\na webserver, contact me and I’ll upload the package to my own small
\nwebserver, so you can pick it up there. Building your own version of
\nthe quby openembedded tree is highly recommended, though. It also
\nbuilds a bunch of analysis tools like gdb and strace. Handy for
\ntesting all kinds of stuff.<\/p>\n
\nways: from toon to the outside world, and from the outside world into
\ntoon), you can reassemble toon.<\/p>\n
\n###########################################################################
\nHardening toon (complete exclusion of Eneco, for non-Eneco users only)
\n###########################################################################
\n<\/strong><\/p>\n
\n2: connection with private network (no WAN)<\/p>\n
\nbe connected to the service center. The service center consist of a
\nbunch of websites and other services, accessed through a VPN tunnel,
\nmanaged by Quby, under the flag of Eneco. Each toon connects to the
\nservice center through an OpenVPN tunnel, with TLS security
\nenhancement. Even if you do not have an Eneco account, toon will send
\ndata to Eneco on a regular basis. According to Eneco, no energy usage
\n(gas and electricity) data are uploaded –which is true– but boiler
\nsettings are transmitted every hour. No idea why, by the way. Besides
\nthrough the OpenVPN connection mentioned earlier, toon phones home
\nwith ping and the chrony daemon.<\/p>\n
\nthrough commenting out the openvpn line in \/etc\/inittab:<\/p>\n
\nget the message “Connected to the internet” or something along these
\nlines. You will also get a warning message that internet has not been
\nset up correctly or setup has not yet been completed. You can safely
\nignore these warnings.<\/p>\n
\nwith qt-gui, you can suppress the warnings issues by toon, about not
\nbeing able to reach the service center, as follows (thank you, al_n!):<\/p>\n
\n\/HCBv2\/qml\/apps\/internetSettings\/InternetSettingsApp.qml, and look for
\nthe following code (line 365 or thereabouts):<\/p>\n
\nvar statemachine = message.getArgument(“statemachine”);
\nif (statemachine) {
\nvar prevSmStatus = smStatus;
\nsmStatus = parseInt(statemachine);
\n\/\/ add the following two lines of code:
\n\/\/ added by al_n (20151220):
\nif(smStatus == _ST_INTERNET) {
\nsmStatus = _ST_TUNNEL;
\n}
\n\/\/
\n\/\/ continuation of original file:
\n\/\/ Trigger the internetStateChange signal, used by the internet settings overview screen
\ninternetStateChange(smStatus);<\/p>\n
\nthe service center, and thus warnings are suppressed.<\/p>\n
\nat startup, and to keep it synchronized with the rest of the world,
\ntoon uses the time server of quby: time.quby.nl. This server name is
\nset in \/etc\/chrony.conf
\nLocate the following two lines in chrony.conf:<\/p>\n
\nand
\ninitstepslew 30 time.quby.nl<\/p>\n
\nand how the chrony code was hacked by quby), is accessed by many clients
\nacross the globe, and has proven to have a good level of stability
\nover many years of service.<\/p>\n
\nnetwork time protocol (ntp, udp port 123). You will need a time
\nserver, not an ntp-server.<\/p>\n
\n\/HCBv2\/sbin\/hcb_netcon. The ping server address is unfortunately
\nhard-coded in hcb_netcon, so to disable this, you will need to reroute
\nping requests to another machine. You can’t switch it off easily.<\/p>\n
\nPING ping.quby.nl (127.0.0.1): 56 data bytes
\n64 bytes from 127.0.0.1: seq=0 ttl=64 time=1.108 ms
\n64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.738 ms
\n64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.658 ms<\/p>\n
\nlocalhost (IP 127.0.0.1). Thanks, RDNZL, for pointing this out!<\/p>\n
\nInternetSettingsApp.qml file, as explained above.<\/p>\n
\n(quby), and can safely connect it to your wireless network again.<\/p>\n","protected":false},"excerpt":{"rendered":"