Rooting Toon (or boxx)

Everything about rooting Toons 1 and 2.

Moderators: marcelr, TheHogNL, Toonz

TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Rooting Toon (or boxx)

Post by TheHogNL »

Just the same as the other guy a few days ago (viewtopic.php?f=101&t=11230&p=92780#p92754), you forgot to read in the README: "Then make sure the serial port on the Pi is enabled and the serial console is disabled using raspi_config and reboot if necessary." This will enable the serial0 port.
Member of the Toon Software Collective
RNdX
Starting Member
Posts: 7
Joined: Wed Dec 04, 2019 8:42 pm

Re: Rooting Toon (or boxx)

Post by RNdX »

TheHogNL wrote: Just the same as the other guy a few days ago (viewtopic.php?f=101&t=11230&p=92780#p92754), you forgot to read in the README: "Then make sure the serial port on the Pi is enabled and the serial console is disabled using raspi_config and reboot if necessary." This will enable the serial0 port.

I'm sorry, this setting was changed back to default when I did a new OS install. My bad.
Now the script is telling: Please restart toon..
no magic
Tried with reset and power on/off but nothing happened.

Solved: Placed uboot.bin file into rootToon folder. Installed OpenOCD again and used a telnet session and now I have access to U-boot.
Thanks for the fast answer.
M1XKEY
Starting Member
Posts: 5
Joined: Sun Dec 08, 2019 11:03 pm

Re: Rooting Toon (or boxx)

Post by M1XKEY »

Hi,

I have average success with rooting the Toon and therefore have some questions:

1. What do you guys really mean with 'rooted the Toon', having access to the /bin/sh after modifying bootloader args OR having fully root access over SSH?

I ask this because after leaving the password field empty in passwd for root I can't login with SSH; it says the password is incorrect. I tried some hash values as suggested in this forum, but what's interesting is that upon reboot the hash value changes to:

root:NO9Lh4WPU0:root:/root:/bin/sh

Does this mean that the hash value I entered isn't appropriate? I tried:
- 4fSaNO9Lh4WPU
- $1$1ajmZdpR$D/L7nG0lQD.u9LkTeQ0cE/

So I'm almost there, but the SSH connection doesn't work as I can't login.

Thanks in advance!
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Rooting Toon (or boxx)

Post by TheHogNL »

M1XKEY wrote: Hi,

I have average success with rooting the Toon and therefore have some questions:

1. What do you guys really mean with 'rooted the Toon', having access to the /bin/sh after modifying bootloader args OR having fully root access over SSH?

I ask this because after leaving the password field empty in passwd for root I can't login with SSH; it says the password is incorrect. I tried some hash values as suggested in this forum, but what's interesting is that upon reboot the hash value changes to:

root:NO9Lh4WPU0:root:/root:/bin/sh

Does this mean that the hash value I entered isn't appropriate? I tried:
- 4fSaNO9Lh4WPU
- $1$1ajmZdpR$D/L7nG0lQD.u9LkTeQ0cE/

So I'm almost there, but the SSH connection doesn't work as I can't login.

Thanks in advance!

You can also try FTR0zlZvsHEF2 which would be password 'toon'.
It could be that your toon was already rooted and someone created a script to replace the password on every boot back to that hash.

To have getty working you need to replace busybox but I don't recommend that. Just have ssh working and you are done.
Member of the Toon Software Collective
M1XKEY
Starting Member
Posts: 5
Joined: Sun Dec 08, 2019 11:03 pm

Re: Rooting Toon (or boxx)

Post by M1XKEY »

TheHogNL wrote: You can also try FTR0zlZvsHEF2 which would be password 'toon'.
It could be that your toon was already rooted and someone created a script to replace the password on every boot back to that hash.

To have getty working you need to replace busybox but I don't recommend that. Just have ssh working and you are done.

Okay thanks, will try that when I am at home. getty did work, something went wrong with saving the getty line in the /etc/inittab file. I only installed dropbear myself and busybox was already there (version 1.27.2). So maybe it was indeed already rooted before. What kind of hash algorithm is used for that 'toon' password? And do you know where I can find such a script that could replace the password hash upon boot on the system? It's worth noting that I can't login with the getty serial console for the same reasons as with SSH.

Thanks! :D
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Rooting Toon (or boxx)

Post by TheHogNL »

See my post viewtopic.php?f=101&t=11230&p=92570&hil ... swd#p92570 for changing the password. Or use this website for it to create the DES crypt https://unix4lyfe.org/crypt/

Probably the root restore is somewhere in /etc/rc.local, a crontab file or a script in /root directory. You can also run

Code:

grep -r NO9Lh4WPU0 /*
to look for a file containing that hash and hopefully it will show where it is restored.
Member of the Toon Software Collective
M1XKEY
Starting Member
Posts: 5
Joined: Sun Dec 08, 2019 11:03 pm

Re: Rooting Toon (or boxx)

Post by M1XKEY »

I can't get it working. I tried changing the password with the command you provided, but then I get the following error:

Code:

1077827296:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:547:You need to read the OpenSSL FAQ.
I suppose it was the missing salt parameter, because when I did this it worked:

Code:

/usr/bin/openssl passwd -crypt -salt xx password
I also tried it with the DES crypt website. No success either. The NO9Lh4WPU0 hash is gone however.

Searching for this hash in files did reveal some results, but I don't think those are restore scripts. The screenshot is attached.
But somehow always when I put a value in the passwd file I get the following messages at bootup: chown: unknown user/group root:root. Afterwards checking the passwd file the password is empty again.

I don't get why I can't login when the passwd password for root is empty. There is also a passwd.busybox file, I tried changing that one but that didn't help either.

Thanks for the help!
Attachments
grep res.png (6.82 KiB)
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Rooting Toon (or boxx)

Post by TheHogNL »

Dropbear/SSH doesn't allow an empty password. Busybox getty does allow it but you should enable getty then.
Can you paste your passwd file after you changed it? I'm thinking you're just doing it wrong :)
Member of the Toon Software Collective
M1XKEY
Starting Member
Posts: 5
Joined: Sun Dec 08, 2019 11:03 pm

Re: Rooting Toon (or boxx)

Post by M1XKEY »

TheHogNL wrote: Dropbear/SSH doesn't allow an empty password. Busybox getty does allow it but you should enable getty then.
Can you paste your passwd file after you changed it? I'm thinking you're just doing it wrong :)

Probably yes :mrgreen:.

I attached my passwd file screenshot after saving it with :wq in vi. I pasted the crypt of 'toon' inside the file. This line is also present in /etc/inittab:

Code:

# add serial console access: (added, MR!):
gett:235:respawn:/sbin/getty -L 115200 ttymxc0 vt102
Getty does show up after boot, but I couldn't login either.
Attachments
toon-passwd.png (37.12 KiB)
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Rooting Toon (or boxx)

Post by TheHogNL »

Should be

Code:

root:FTR0zlZvsHEF2:0:0:root:/root:/bin/sh
Member of the Toon Software Collective
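
The passwd lines quoted in the posts above can be checked mechanically for field count and hash shape. This is an added example, not code from the thread or from ToonRooter; the function name `check_passwd_line` and the accepted hash shapes (13-character DES crypt and `$1$` MD5 crypt, the two formats tried in the thread) are assumptions made for illustration.

```python
import re

# Hash field shapes for the two formats tried in the thread (assumed set).
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # traditional DES crypt(3)
MD5_CRYPT = re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")

# The seven colon-separated fields of a passwd(5) entry.
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def check_passwd_line(line):
    """Return a list of problems found in one /etc/passwd line (empty = OK)."""
    problems = []
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        problems.append(f"expected {len(FIELDS)} fields, found {len(parts)}")
    entry = dict(zip(FIELDS, parts))

    pw = entry.get("password", "")
    if pw == "":
        problems.append("empty password field")
    elif pw in ("x", "*", "!"):
        pass  # shadowed or locked account, not a hash
    elif not (DES_CRYPT.fullmatch(pw) or MD5_CRYPT.fullmatch(pw)):
        problems.append(
            f"password field is not a DES or MD5 crypt hash (length {len(pw)})"
        )

    # uid and gid must be numeric; a dropped ":0:0" shifts text into them.
    for key in ("uid", "gid"):
        value = entry.get(key, "")
        if not value.isdigit():
            problems.append(f"{key} is not numeric: {value!r}")
    return problems


# Lines quoted in the thread: the corrected entry and the one seen after reboot.
SAMPLES = [
    "root:FTR0zlZvsHEF2:0:0:root:/root:/bin/sh",
    "root:NO9Lh4WPU0:root:/root:/bin/sh",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_passwd_line(sample) or "ok")
```

The second sample reports five fields, a 10-character password field, and non-numeric uid and gid values.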
M1XKEY
Starting Member
Posts: 5
Joined: Sun Dec 08, 2019 11:03 pm

Re: Rooting Toon (or boxx)

Post by M1XKEY »

Aah, I probably messed it up while copying. But upon rebooting it removes the :0:0, so I still can't login. I can feel that we are almost there :roll:. What could be the reason it removes the :0:0 upon reboot?

I'm currently graduating with an IoT Pentesting project and investigating hardware-based attack-paths. So I understand that you can connect to the bootloader, but how did you crack that password? (3BHf2)
I don't think you can brute force the boot loader because of the 2 second time, or am I wrong?

Thanks!
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Rooting Toon (or boxx)

Post by TheHogNL »

M1XKEY wrote: Aah, I probably messed it up while copying. But upon rebooting it removes the :0:0, so I still can't login. I can feel that we are almost there :roll:. What could be the reason it removes the :0:0 upon reboot?

I'm currently graduating with an IoT Pentesting project and investigating hardware-based attack-paths. So I understand that you can connect to the bootloader, but how did you crack that password? (3BHf2)
I don't think you can brute force the boot loader because of the 2 second time, or am I wrong?

Thanks!

If you contact me by PM I will send you my mobile number so we can chat offline and I'll help you over teamviewer. I'm at home about 21h.

The bootloader password was found in the flash image (uboot partition), stored in plain text (they changed that in uboot R10). Marcel can explain better but you can just read the flash chip manually using external tools or using openocd on the jtag port.
Even without the password you could gain access to uboot by pulling some flash pin to the ground during boot so the uboot pops up (because it can't boot the operating system). They changed that in R10 also.
Member of the Toon Software Collective
Knulen
Starting Member
Posts: 2
Joined: Wed Dec 25, 2019 3:44 pm

Re: Rooting Toon (or boxx)

Post by Knulen »

I don't have a Toon yet, but I do have some questions about rooting a Toon.

If I buy a Toon 1 (QB2), do I have to look for a certain hardware and/or software version? Or are all Toon 1's rootable?

Is it right I only need a Raspberry Pi and some F-F jumper cables? (and a Toon of course)

I haven't seen photos of a Toon connected to a Raspberry Pi and I don't have a Toon yet, but is this just straightforward? There is no soldering needed? If there are photos of a Toon connected to a Raspberry for rooting, I would like to see them. Because reading the guide it looks really easy to root a Toon but seeing the word JTAG, all kinds of hell of soldering an Xbox 360 come to mind :P
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Rooting Toon (or boxx)

Post by TheHogNL »

Yes that is all you need.
Depending on the Toon1 version you need to install more jumper wires (so the script can use jtag) and extra software on the Pi (openocd) but if you read the readme for the toonrooter this will be clear enough (https://github.com/ToonSoftwareCollective/ToonRooter). For the rest it doesn't care about what Toon1 you have.

Sorry there is no photo and I am not at home currently to make a photo. But it is dead simple if you read that readme. Just install all jumper wires and you are done.

BTW, this is also answered in the 'how to root a toon' manual download/file.php?id=3720 and viewtopic.php?f=100&t=11235
Member of the Toon Software Collective
Templar
Member
Posts: 178
Joined: Fri Mar 18, 2011 8:49 pm
Location: Netherlands

Re: Rooting Toon (or boxx)

Post by Templar »

Knulen wrote: If I buy a Toon 1 (QB2), do I have to look for a certain hardware and/or software version? Or are all Toon 1's rootable?
- All Toon 1's are rootable, newer ones only with a Raspberry Pi/JTAG.
- Check for meter adapters if you want "Zon op Toon" and/or have a newer model smart meter with DSMR 5.x. You'll need the "2 flame" version.

Code:

meter adapter     Firmware
PN:               Z-wave/LPC *)

6500-1100-3301    14/21
6500-1100-3302
6500-1100-3303

6500-1102-0400    35/37 
6500-1102-0401

6500-1200-4700    25/31

6500-1200-47xx    35/39
6500-1300-7200

6500-1400-4900    36/43

6500-1400-6000    0.15/0.11