Rooting Toon (or boxx)

Everything about rooting Toons 1 and 2.

Moderators: marcelr, TheHogNL, Toonz

Post Reply
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Rooting Toon (or boxx)

Post by marcelr »

Please post your questions/tips/remarks related to rooting Eneco's Toon here.

Rooting guide: viewtopic.php?f=100&t=11235
cygnusx
Starting Member
Starting Member
Posts: 48
Joined: Tue Apr 14, 2015 10:12 am

Re: Rooting Toon

Post by cygnusx »

Maybe a good idea to post the latest rooting guide in the TS?
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

Good idea, slightly different: I made a read-only manuals and tutorials section. First manual added: rooting :-)

grtz,

marcelr
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

Over the last few months I have had requests from (mostly starting) forum members to help them out with rooting their toon. Some just want tips and troubleshooting advice. Some want me to do the actual rooting for them. Such requests are mostly made by PM and/or mail.

While I'm happy to help anybody who is enthusiastic about the stuff that has been published so far on toon in this forum, I would like to urge everybody seeking help or support with rooting and software adaptations to ask for this through the forum pages, and not through PM or mail.

The reasons are simple:

Some mistakes/errors happen to everybody who starts working with toon hardware, and it's a bit tedious to answer the same questions over and over again.

Starting members posts have to pass through a moderation process before they are published on the web. Since I also moderate this thread, the processing time for posts/PMs/mail is the same. I check mail regularly, and as soon as you post as starting member, I see that you have done so, in my mailbox. If your post is publishable (i.e. not spam), it will be approved/published, and answered if there's a request that needs answering. So, posting in the forum is as fast as any other means to contact me.

When you post in the forum, other members can chime in and possibly help you out.

In general, I will NOT root your toon for you (unless there are very very very specific circumstances). You will have to it yourself, but you can always ask for advice.

So in short, all request for rooting support should be made in the forum, from now on.

grtz,

marcelr
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

I recently got my hands on a newer toon, with boot loader version 2010.9-R10.
It was built a few weeks after Ierlandfan published the rooting method for toon, and most probably can be found on any toon with serial numbers starting with 16 (production year 2016).

The guys at Quby haven't been idle in making access to toon harder. This version has a properly hashed boot loader password (SHA256), and when you try to access it through the screwdriver method, it no longer drops you to a shell, instead you get this:

Code: Select all

   Verifying Checksum ... Bad Data CRC
ERROR: can't get kernel image!
---------------------------------------------------------
Welcome to the bootloader, adventurous adventurer.

We congratulate you on your perseverance and inventivity!

Would you like an easier way in?
Please visit quby.com/open-system for more information.

Game on! :)
---------------------------------------------------------
While I admire the sense of humour of the developers, accessing a toon with this boot loader version is a bit tougher (but not impossible ;-) ).

grtz,

marcelr
hayman
Starting Member
Starting Member
Posts: 36
Joined: Fri Feb 26, 2016 6:16 pm

Re: Rooting Toon

Post by hayman »

hello ,thanks to you i have a rooted TOON ,
can you tell me how to update it and keep it rooted ...?
thanks
Templar
Member
Member
Posts: 178
Joined: Fri Mar 18, 2011 8:49 pm
Location: Netherlands

hack-wedstrijd: Game of Toons

Post by Templar »

For those who are interested, there will be a Toon hackathon on October 11th in Rotterdam:

So you think you can hack Toon?
Toon, de slimme thermostaat, wordt gebruikt in 300.000 huishoudens. Logisch dat Eneco let op de veiligheid en die ook regelmatig test. Maar, zoals bij elk slim apparaat, kunnen er altijd nog onverwachte kwetsbaarheden zijn.
Tek Tok heeft daarom Eneco uitgedaagd voor een hack-wedstrijd: Game of Toons. Denk jij dat jij de Toon kunt kraken? Laat het zien op 11 oktober in Worm, Rotterdam.


http://tektok.nl/got
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

@Templar: sounds like fun, although I can't make it, I'm afraid. Other stuff to do.

Maybe we should publish a list of all installed software packages together with version numbers, devices and internally used service ports, as a service for those who will attend :mrgreen:, so participants can do a bit of homework for finding exploits. Or does that count as cheating :D ?
Anyway, for those who will attend, have fun.

@hayman: Once it's rooted, it's rooted. New updates will shutdown ssh access, but IIRC, cygnusx posted a remedy for that. You will need to apply that remedy BEFORE you install updates, if you want to continue having access to your toon. Updates are pushed to your toon by Eneco, if you have a subscription. If not, there's not a lot to update.
blasty
Starting Member
Starting Member
Posts: 1
Joined: Sun Jul 31, 2016 8:18 am

Re: Rooting Toon

Post by blasty »

Hi,

Can anyone send me a recent firmware image (or extracted root filesystem) for the Eneco TOON?

Kind Regards,
blasty

edit: Actually, nevermind. Just hooked up the UART on mine and got an U-boot shell. I can figure things out from here. ;-)
Templar
Member
Member
Posts: 178
Joined: Fri Mar 18, 2011 8:49 pm
Location: Netherlands

Re: Rooting Toon

Post by Templar »

marcelr wrote:I recently got my hands on a newer toon, with boot loader version 2010.9-R10.
It was built a few weeks after Ierlandfan published the rooting method for toon, and most probably can be found on any toon with serial numbers starting with 16 (production year 2016).

The guys at Quby haven't been idle in making access to toon harder. This version has a properly hashed boot loader password (SHA256), and when you try to access it through the screwdriver method, it no longer drops you to a shell, instead you get this:

Code: Select all

   Verifying Checksum ... Bad Data CRC
ERROR: can't get kernel image!
---------------------------------------------------------
Welcome to the bootloader, adventurous adventurer.

We congratulate you on your perseverance and inventivity!

Would you like an easier way in?
Please visit quby.com/open-system for more information.

Game on! :)
---------------------------------------------------------
While I admire the sense of humour of the developers, accessing a toon with this boot loader version is a bit tougher (but not impossible ;-) ).

grtz,

marcelr
There may be another way:
http://quby.com/en/page/123
Manyakim
Starting Member
Starting Member
Posts: 9
Joined: Sun Oct 02, 2016 6:07 pm

Toon as a domotica controller?

Post by Manyakim »

Hello, i have bought myself a Toon and started to root it but unfortunately, i have a recent firmware ( U-Boot 2010.09-R10 (Dec 14 2015 - 19:28:18) ) and i was not able to find a bootloader password for this.
I've tried to short the circuits of the Nand Chip, but in my Toon, also a new version of this chip is placed ( Samsung 507 ). So i was unable to get into the u-boot by this method.

So, is there a possible way for me to root Toon ?
Nand Chip 507.jpg
Nand Chip 507.jpg (63.73 KiB) Viewed 66632 times
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

Moved your post to the right topic, and no, your Samsung chip is not very different from earlier versions. The type is: K9F1G08UDE.

Your u-boot version has a properly hashed password (and is unknown). So, the two ways to get in are: ask Quby (see earlier post by Templar). or: build a new u-Boot (from source) and flash it onto your toon with a JTAG programmer.
I have no experience with the first method, and the second is still (a bit) under development.

best,

marcelr
Manyakim
Starting Member
Starting Member
Posts: 9
Joined: Sun Oct 02, 2016 6:07 pm

Re: Rooting Toon

Post by Manyakim »

Thank you for your swift responce.

I've mailed Quby and asked them to provide me "an easier way in".
Let's see if they responde.

Thank you all for your efforts in making this possible.

Best regards,
Manyakim
viking
Starting Member
Starting Member
Posts: 1
Joined: Sun Oct 02, 2016 2:37 pm

Re: Rooting Toon; accessing NAND with JTAG

Post by viking »

I try to use JTAG for dumping the flash. I use a buspirate as JTAG with
openocd. This seems to work fine, as I can dump memory and even make
changes in RAM. If I 'halt' the processor just before the U-boot is asking
for a password, I can dump the U-boot memory from memory addresses 0xa100000
onwards.
Now if I perform a 'nand probe 0' command, the script gets stuck on the
reading and writing in the MX27 flash controller memory mapped registers
as 0xd80001xx addresses. It seems that at this stage in booting these
addresses are not accessable.

@marcelr: How did you succeeded in getting access to the flash? Could you post your
'toon.cfg' configuration script. At what stage do you execute the 'nand
probe 0' command. You write that only after a cycle halt, resume, halt,
that worked.

Unfortunately, my version is R10 (sha256 password on the U-boot). I have a corrupted root-fs (kernel panic). So, it seems that the only way forward is flashing a new U-boot. Hence, nand flash access is needed through JTAG.
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

Hmmm...

That's a tricky one. You could rebuild U-Boot from source (Quby U-Boot archive, although you will also need to configure it, that part is not given in the archive. I gave that a try, see script below).
Then, flash that boot loader onto toon, and it should work.

Other method: rip an older boot loader from an older toon, flash that onto your toon (together with its environment).

Here are the scripts (nothing fancy, I'm afraid):
JTAG configuration script: toon.cfg (used with openocd 0.8.0):

Code: Select all

#
# config file for Eneco toon thermostat.
#
# this device has a Freescale i.MX27 processor, 128MB NAND flash, and a 
# non-standard  JTAG interface

# load default processor cfg:

source [find target/imx27.cfg]
imx27.cpu arm7_9 fast_memory_access enable
#imx27.cpu arm7_9 dbgrq enable
reset_config separate
reset_config trst_open_drain
jtag_ntrst_assert_width 50

$_TARGETNAME configure -event reset-init { toon_init }
# set up NAND flash:

nand device toon.nand  mxc imx27.cpu mx27 noecc biswap


proc toon_init { } {

#reset_config trst_and_srst srst_pulls_trst


     	# reset the board correctly
	adapter_khz 500
	reset run
	reset halt    

}
and the shell script to build U-Boot (put inside top level dir of the U-boot tree, edit paths according to your needs):

Code: Select all

#! /bin/sh
# script for configuring toon u-boot
#
./mkconfig ed20 arm arm926ejs ed20 prodrive mx27

# set to wherever you unpacked the quby openembedded tree
OE_ROOT=/home/toon

# add toolchain for toon to the $PATH
PATH=$PATH:$OE_ROOT/oe/qb2/tmp/sysroots/x86_64-linux/usr/qb2/bin/
export PATH

CROSS_COMPILE=arm-hae-linux-gnueabi-
export CROSS_COMPILE

make
please report any progress, it would be interesting to know what works best.

marcelr
Post Reply

Return to “Toon Rooting”