Rooting Toon (or boxx)
Moderators: marcelr, TheHogNL, Toonz
Re: Rooting Toon (or boxx)
Just the same as the other guy a few days ago (viewtopic.php?f=101&t=11230&p=92780#p92754), you forgot to read in the README: "Then make sure the serial port on the Pi is enabled and the serial console is disabled using raspi_config and reboot if necessary." This will enable the serial0 port.
Member of the Toon Software Collective
Re: Rooting Toon (or boxx)
I'm sorry, this setting was changed back to default when I did a new OS install. My bad.
Now the script is telling me: Please restart toon..
no magic
Tried with reset and power on/off but nothing happened.
Solved: placed the uboot.bin file into the rootToon folder, installed OpenOCD again and used a telnet session, and now I have access to U-Boot.
Thanks for fast answer.
Re: Rooting Toon (or boxx)
Hi,
I have average success with rooting the Toon and therefore have some questions:
1. What do you guys really mean by 'rooted the Toon': having access to /bin/sh after modifying the bootloader args, OR having full root access over SSH?
I ask this because after leaving the password field empty in passwd for root I can't log in with SSH; it says the password is incorrect. I tried some hash values as suggested in this forum, but what's interesting is that upon reboot the hash value changes to:
root:NO9Lh4WPU0:root:/root:/bin/sh
Does this mean that the hash value I entered isn't appropriate? I tried:
- 4fSaNO9Lh4WPU
- $1$1ajmZdpR$D/L7nG0lQD.u9LkTeQ0cE/
So I'm almost there, but the SSH connection doesn't work as I can't login.
Thanks in advance!
Re: Rooting Toon (or boxx)
You can also try FTR0zlZvsHEF2, which would be password 'toon'.
It could be that your Toon was already rooted and someone created a script that replaces the password on every boot with that hash.
To have getty working you need to replace busybox, but I don't recommend that. Just get ssh working and you are done.
Member of the Toon Software Collective
Re: Rooting Toon (or boxx)
Okay thanks, will try that when I am at home. getty did work; something went wrong with saving the getty line in the /etc/inittab file. I only installed dropbear myself and busybox was already there (version 1.27.2). So maybe it was indeed already rooted before. What kind of hash algorithm is used for that 'toon' password? And do you know where I can find such a script that could replace the password hash upon boot on the system? It's worth noting that I can't log in with the getty serial console for the same reasons as with SSH.
Thanks!
Re: Rooting Toon (or boxx)
See my post viewtopic.php?f=101&t=11230&p=92570&hil ... swd#p92570 for changing the password. Or use this website to create the DES crypt: https://unix4lyfe.org/crypt/
Probably the root restore is somewhere in /etc/rc.local, a crontab file or a script in the /root directory. You can also run the following to look for a file containing that hash, and hopefully it will show where it is restored:
grep -r NO9Lh4WPU0 /*
Member of the Toon Software Collective
Re: Rooting Toon (or boxx)
I can't get it working. I tried changing the password with the command you provided, but then I get the following error:
1077827296:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:547:You need to read the OpenSSL FAQ.
I suppose it was the missing salt parameter, because when I did this it worked:
/usr/bin/openssl passwd -crypt -salt xx password
I also tried it with the DES crypt website. No success either. The NO9Lh4WPU0 hash is gone, however.
Searching for this hash in files did reveal some results, but I don't think those are restore scripts. The screenshot is attached.
But somehow, whenever I put a value in the passwd file, I get the following message at bootup: chown: unknown user/group root:root. Afterwards, checking the passwd file, the password is empty again.
I don't get why I can't log in when the passwd password for root is empty. There is also a passwd.busybox file; I tried changing that one but it didn't help either.
Thanks for the help!
Attachment: grep res.png
Re: Rooting Toon (or boxx)
Dropbear/SSH doesn't allow an empty password. Busybox getty does allow it but you should enable getty then.
Can you paste your passwd file after you changed it? I'm thinking you just doing it wrong
Member of the Toon Software Collective
Re: Rooting Toon (or boxx)
Probably yes.
I attached my passwd file screenshot after saving it with :wq in vi. I pasted the crypt of 'toon' inside the file. This line is also present in /etc/inittab:
# add serial console access: (added, MR!):
gett:235:respawn:/sbin/getty -L 115200 ttymxc0 vt102
Attachment: toon-passwd.png
Re: Rooting Toon (or boxx)
Should be:
root:FTR0zlZvsHEF2:0:0:root:/root:/bin/sh
Member of the Toon Software Collective
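The two checks TheHogNL describes in this thread (a well-formed 7-field root entry with uid/gid 0 and a real hash, and a grep for a hash that keeps coming back at boot) as one added example script. This is not code from the ToonRooter project or from the posters; the passwd lines and the fake rc.local it searches are constructed here, NO9Lh4WPU0 is the hash seen in the thread and FTR0zlZvsHEF2 is the DES crypt of 'toon' as given above. The explanation of the chown error in the comments is an inference, not something the thread confirms.

```shell
#!/bin/sh
# Added example (not ToonRooter code): sanity-check a root line in /etc/passwd
# the way login/dropbear need it, classify the hash format, and search the
# usual boot-time locations for a script that writes a known hash back.

# Classify a password field: empty, locked, des (13-char traditional crypt),
# md5 ($1$), sha256 ($5$), sha512 ($6$) or unknown.
hash_type() {
  case "$1" in
    '') echo empty ;;
    '!'*|'*'*) echo locked ;;
    '$1$'*) echo md5 ;;
    '$5$'*) echo sha256 ;;
    '$6$'*) echo sha512 ;;
    *)
      # traditional DES crypt: 2-char salt + 11 chars, alphabet [./0-9A-Za-z]
      if [ "${#1}" -eq 13 ] && [ -z "$(printf '%s' "$1" | tr -d './0-9A-Za-z')" ]; then
        echo des
      else
        echo unknown
      fi ;;
  esac
}

# Validate one passwd line for root. Prints a verdict; returns 0 when usable.
check_root_line() {
  line=$1
  nfields=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
  if [ "$nfields" -ne 7 ]; then
    # A short line such as root:HASH:root:/root:/bin/sh cannot be parsed into
    # uid/gid; that is the likely source of "chown: unknown user/group root:root".
    echo "bad: expected 7 colon-separated fields, got $nfields"
    return 1
  fi
  user=$(printf '%s\n' "$line" | cut -d: -f1)
  pw=$(printf '%s\n' "$line" | cut -d: -f2)
  uid=$(printf '%s\n' "$line" | cut -d: -f3)
  gid=$(printf '%s\n' "$line" | cut -d: -f4)
  shell=$(printf '%s\n' "$line" | cut -d: -f7)
  [ "$user" = root ] || { echo "bad: not the root entry"; return 1; }
  if [ "$uid" != 0 ] || [ "$gid" != 0 ]; then
    echo "bad: root needs uid 0 and gid 0, got $uid:$gid"
    return 1
  fi
  type=$(hash_type "$pw")
  case "$type" in
    empty)   echo "bad: empty password (busybox getty may accept it, dropbear will not)"; return 1 ;;
    locked)  echo "bad: account is locked"; return 1 ;;
    unknown) echo "bad: unrecognised hash format '$pw'"; return 1 ;;
  esac
  echo "ok: root uid=$uid gid=$gid hash=$type shell=$shell"
}

# Search likely boot-time locations under prefix $2 (default: none, i.e. the
# live root) for files containing string $1. Prints matches; 0 if any found.
find_hash_restore() {
  needle=$1
  prefix=${2:-}
  found=1
  for p in /etc/rc.local /etc/init.d /etc/rc.d /etc/crontabs /var/spool/cron /root; do
    [ -e "$prefix$p" ] || continue
    if grep -rlF -- "$needle" "$prefix$p" 2>/dev/null; then
      found=0
    fi
  done
  return $found
}

# Constructed demo tree: a fake rc.local that rewrites the root hash at boot.
demo_find_restore() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/etc" "$tmp/root"
  printf '%s\n' '#!/bin/sh' \
    '# constructed example of a "root restore" hook' \
    'sed -i "s/^root:[^:]*:/root:NO9Lh4WPU0:/" /etc/passwd' >"$tmp/etc/rc.local"
  if find_hash_restore NO9Lh4WPU0 "$tmp"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Stand-alone run: the lines discussed in the thread, then the demo tree.
for l in 'root:NO9Lh4WPU0:root:/root:/bin/sh' \
         'root::0:0:root:/root:/bin/sh' \
         'root:FTR0zlZvsHEF2:0:0:root:/root:/bin/sh'; do
  check_root_line "$l" || true
done
if demo_find_restore; then echo "restore hook found in the demo tree"; fi
```

On the Toon itself, run `find_hash_restore NO9Lh4WPU0` with no prefix to search the live filesystem; it only looks in the boot-time locations named in the thread rather than all of `/`, so it is quick on the device.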
Re: Rooting Toon (or boxx)
Aah, I probably messed it up while copying. But upon rebooting it removes the :0:0, so I still can't log in. I can feel that we are almost there. What could be the reason it removes the :0:0 upon reboot?
I'm currently graduating with an IoT Pentesting project and investigating hardware-based attack-paths. So I understand that you can connect to the bootloader, but how did you crack that password? (3BHf2)
I don't think you can brute force the boot loader because of the 2 second time, or am I wrong?
Thanks!
Re: Rooting Toon (or boxx)
If you contact me by PM I will send you my mobile number so we can chat offline and I'll help you over TeamViewer. I'm at home at about 21h.
The bootloader password was found in the flash image (uboot partition), stored in plain text (they changed that in uboot R10). Marcel can explain it better, but you can just read the flash chip manually using external tools or using openocd on the jtag port.
Even without the password you could gain access to uboot by pulling some flash pin to ground during boot so that uboot pops up (because it can't boot the operating system). They changed that in R10 also.
Member of the Toon Software Collective
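An added example for the "read the flash and look for the password" step above; it is not from the ToonRooter project or the posters. It assumes you already have a raw dump of the uboot partition (taken with OpenOCD over JTAG or an external flash reader, which this script does not do) and lists the NUL-terminated printable strings in it, then picks out name=value pairs in the style of a U-Boot environment block. The dump it runs on is constructed here; the variable name bootstopkey is U-Boot's usual name for the autoboot stop string and is an assumption about where such a password would sit, not something the thread states about the Toon image.

```shell
#!/bin/sh
# Added example (not ToonRooter code): strings / env-style extraction from a
# raw U-Boot partition dump. Usage: sh uboot_env.sh uboot.bin

# All runs of at least $2 (default 4) printable characters in file $1,
# one per line. NUL and other non-printable bytes end a string.
dump_strings() {
  min=${2:-4}
  tr -c '[:print:]' '\n' <"$1" | grep -E '^.{'"$min"',}$'
}

# Strings shaped like U-Boot environment entries: name=value.
uboot_env_vars() {
  dump_strings "$1" 3 | grep -E '^[A-Za-z_][A-Za-z0-9_]*=.+$'
}

# Value of env var $2 in dump $1 (first occurrence); empty if absent.
uboot_env_get() {
  uboot_env_vars "$1" | grep "^$2=" | head -n 1 | cut -d= -f2-
}

# Constructed sample dump: some binary noise, a banner, then NUL-separated
# env entries. The stop key value is the one asked about in the thread.
make_sample_dump() {
  f=$(mktemp)
  printf '\001\002\377\376' >"$f"
  printf '%s\0' 'U-Boot 2009.08 (constructed sample)' '' \
    'bootdelay=2' 'bootcmd=run nandboot' 'bootstopkey=3BHf2' \
    'console=ttymxc0,115200' '' >>"$f"
  echo "$f"
}

if [ -n "${1:-}" ]; then
  uboot_env_vars "$1"
else
  f=$(make_sample_dump)
  echo "env entries in constructed sample:"
  uboot_env_vars "$f"
  echo "bootstopkey = $(uboot_env_get "$f" bootstopkey)"
  rm -f "$f"
fi
```

With a real dump, `dump_strings uboot.bin` alone is the quicker first look: a short stop string will not match the name=value filter if it is stored as a bare string rather than as an env entry, so scan the full strings output before trusting the filtered list.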
Re: Rooting Toon (or boxx)
I don't have a Toon yet, but I do have some questions about rooting a Toon.
If I buy a Toon 1 (QB2), do I have to look for a certain hardware and/or software version? Or are all Toon 1's rootable?
Is it right that I only need a Raspberry Pi and some F-F jumper cables? (and a Toon of course)
I haven't seen photos of a Toon connected to a Raspberry Pi and I don't have a Toon yet, but is this just straightforward? Is there no soldering needed? If there are photos of a Toon connected to a Raspberry for rooting, I would like to see them. Reading the guide it looks really easy to root a Toon, but seeing the word JTAG, all kinds of hell of soldering an Xbox 360 comes to mind.
Re: Rooting Toon (or boxx)
Yes that is all you need.
Depending on the Toon 1 version you need to install more jumper wires (so the script can use JTAG) and extra software on the Pi (OpenOCD), but if you read the README for the ToonRooter this will be clear enough (https://github.com/ToonSoftwareCollective/ToonRooter). Apart from that it doesn't matter which Toon 1 you have.
Sorry, there is no photo and I am not at home currently to take one. But it is dead simple if you read that README. Just install all the jumper wires and you are done.
BTW, this is also answered in the 'how to root a toon' manual download/file.php?id=3720 and viewtopic.php?f=100&t=11235
Member of the Toon Software Collective
Re: Rooting Toon (or boxx)
- All Toon 1's are rootable, newer ones only with a Raspberry Pi/JTAG.
- Check for meter adapters if you want "Zon op Toon" and/or have a newer model smart meter with DSMR 5.x. You'll need the "2 flame" version.
meter adapter PN    Firmware (Z-wave/LPC *)
6500-1100-3301      14/21
6500-1100-3302
6500-1100-3303
6500-1102-0400      35/37
6500-1102-0401
6500-1200-4700      25/31
6500-1200-47xx      35/39
6500-1300-7200
6500-1400-4900      36/43
6500-1400-6000      0.15/0.11