Rooting Toon (or boxx)

Everything about rooting Toons 1 and 2.

Moderators: marcelr, TerrorSource, Toonz, TheHogNL

Re: Rooting Toon (or boxx)

Postby TheHogNL » Wed Dec 04, 2019 9:39 pm

Just the same as the other guy a few days ago (https://www.domoticaforum.eu/viewtopic. ... 780#p92754), you forgot to read in the README: "Then make sure the serial port on the Pi is enabled and the serial console is disabled using raspi_config and reboot if necessary." This will enable the serial0 port.
Member of the Toon Software Collective
TheHogNL
Forum Moderator
Posts: 1415
Joined: August 2017

Re: Rooting Toon (or boxx)

Postby RNdX » Wed Dec 04, 2019 10:52 pm

TheHogNL wrote:Just the same as the other guy a few days ago (https://www.domoticaforum.eu/viewtopic. ... 780#p92754), you forgot to read in the README: "Then make sure the serial port on the Pi is enabled and the serial console is disabled using raspi_config and reboot if necessary." This will enable the serial0 port.


I'm sorry, this setting is changed back to default when I did a new OS install. My bad.
Now script is telling: Please restart toon..
no magic
tried with reset and power on/off but nothing happened.

Solved: Placed uboot.bin file into rootToon folder. Installed OpenOCD again and used telnet session and now I have access to U-boot.
Thanks for fast answer.
RNdX
Starting Member
Posts: 6
Joined: December 2019

Re: Rooting Toon (or boxx)

Postby M1XKEY » Sun Dec 08, 2019 10:14 pm

Hi,

I have average success with rooting the Toon and therefore have some questions:

1. What do you guys really mean with 'rooted the Toon', having access to the /bin/sh after modifying bootloader args OR having fully root access over SSH?

I ask this because after leaving the password field empty in passwd for root I can't login with SSH; it says the password is incorrect. I tried some hash values as suggested in this forum, but what's interesting is that upon reboot the hash value changes to:

root:NO9Lh4WPU0:root:/root:/bin/sh

Does this mean that the hash value I entered isn't appropriate? I tried:
- 4fSaNO9Lh4WPU
- $1$1ajmZdpR$D/L7nG0lQD.u9LkTeQ0cE/

So I'm almost there, but the SSH connection doesn't work as I can't login.

Thanks in advance!
M1XKEY
Starting Member
Posts: 5
Joined: December 2019

Re: Rooting Toon (or boxx)

Postby TheHogNL » Mon Dec 09, 2019 10:36 am

M1XKEY wrote:Hi,

I have average success with rooting the Toon and therefore have some questions:

1. What do you guys really mean with 'rooted the Toon', having access to the /bin/sh after modifying bootloader args OR having fully root access over SSH?

I ask this because after leaving the password field empty in passwd for root I can't login with SSH; it says the password is incorrect. I tried some hash values as suggested in this forum, but what's interesting is that upon reboot the hash value changes to:

root:NO9Lh4WPU0:root:/root:/bin/sh

Does this mean that the hash value I entered isn't appropriate? I tried:
- 4fSaNO9Lh4WPU
- $1$1ajmZdpR$D/L7nG0lQD.u9LkTeQ0cE/

So I'm almost there, but the SSH connection doesn't work as I can't login.

Thanks in advance!


You can also try FTR0zlZvsHEF2 which would be password 'toon'.
It could be that your toon was already rooted and someone created a script to replace the password on every boot back to that hash.

To have getty working you need to replace busybox but I don't recommend that. Just have ssh working and you are done.

Re: Rooting Toon (or boxx)

Postby M1XKEY » Mon Dec 09, 2019 11:19 am

TheHogNL wrote:You can also try FTR0zlZvsHEF2 which would be password 'toon'.
It could be that your toon was already rooted and someone created a script to replace the password on every boot back to that hash.

To have getty working you need to replace busybox but I don't recommend that. Just have ssh working and you are done.


Okay thanks, will try that when I am at home. getty did work, something went wrong with saving the getty line in the /etc/inittab file. I only installed dropbear myself and busybox was already there (version 1.27.2). So maybe it was indeed already rooted before. What kind of hash algorithm is used for that 'toon' password? And do you know where I can find such a script that could replace the password hash upon boot on the system? It's worth noting that I can't login with the getty serial console for the same reasons as with SSH.

Thanks! :D

Re: Rooting Toon (or boxx)

Postby TheHogNL » Mon Dec 09, 2019 12:10 pm

See my post https://www.domoticaforum.eu/viewtopic. ... swd#p92570 for changing the password. Or use this website for it to create the DES crypt https://unix4lyfe.org/crypt/

Probably the root restore is somewhere in /etc/rc.local, a crontab file or a script in /root directory. You can also run
Code: Select all
grep -r NO9Lh4WPU0 /*
to look for a file containing that hash and hopefully it will show where it is restored.

Re: Rooting Toon (or boxx)

Postby M1XKEY » Mon Dec 09, 2019 9:44 pm

I can't get it working. I tried changing the password with the command you provided, but then I get the following error:

Code: Select all
1077827296:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:547:You need to read the OpenSSL FAQ.

I suppose it was the missing salt parameter, because when I added it, it worked:
Code: Select all
/usr/bin/openssl passwd -crypt -salt xx password

I also tried it with the DES crypt website. No success either. The NO9Lh4WPU0 hash is gone however.

Searching for this hash in files did reveal some results, but I don't think those are restore scripts. The screenshot is attached.
But somehow, whenever I put a value in the passwd file, I get the following message at bootup: chown: unknown user/group root:root. Afterwards, when checking the passwd file, the password is empty again.

I don't get why I can't login when the passwd password for root is empty. There is also a passwd.busybox file; I tried changing that one but that didn't help either.

Thanks for the help!
Attachment: grep res.png

Re: Rooting Toon (or boxx)

Postby TheHogNL » Tue Dec 10, 2019 9:37 am

Dropbear/SSH doesn't allow an empty password. Busybox getty does allow it but you should enable getty then.
Can you paste your passwd file after you changed it? I'm thinking you're just doing it wrong :)

Re: Rooting Toon (or boxx)

Postby M1XKEY » Tue Dec 10, 2019 11:38 am

TheHogNL wrote:Dropbear/SSH doesn't allow an empty password. Busybox getty does allow it but you should enable getty then.
Can you paste your passwd file after you changed it? I'm thinking you're just doing it wrong :)

Probably yes :mrgreen:.

I attached my passwd file screenshot after saving it with :wq in vi. I pasted the crypt of 'toon' inside the file. This line is also present in /etc/inittab:

Code: Select all
# add serial console access: (added, MR!):                                     
gett:235:respawn:/sbin/getty -L 115200 ttymxc0 vt102

Getty does show up after boot, but couldn't login either.
Attachment: toon-passwd.png

Re: Rooting Toon (or boxx)

Postby TheHogNL » Tue Dec 10, 2019 12:24 pm

Should be

Code: Select all
root:FTR0zlZvsHEF2:0:0:root:/root:/bin/sh
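
The passwd line problem discussed in the posts above, as an added example that is not part of the original posts or of ToonRooter: a POSIX shell check that a passwd line has the seven colon-separated fields with numeric UID/GID, and that classifies the password field by shape (13-character traditional DES crypt, $1$ MD5-crypt, empty). The function names hash_kind and check_passwd_line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or ToonRooter); function names are hypothetical.

# Classify a passwd password field by shape only; nothing is verified or cracked.
hash_kind() {
    case "$1" in
        '')        echo empty ;;
        '$1$'*)    echo md5-crypt ;;
        x|'*'|'!') echo locked-or-shadow ;;
        *)  # traditional DES crypt: exactly 13 chars from [./0-9A-Za-z]
            if printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo des-crypt
            else
                echo malformed
            fi ;;
    esac
}

# Print "OK <kind>" or "BAD <reason>" for one passwd(5) line.
check_passwd_line() {
    line=$1
    nfields=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    if [ "$nfields" -ne 7 ]; then
        echo "BAD expected 7 fields, got $nfields"; return 1
    fi
    for id in "$(printf '%s\n' "$line" | cut -d: -f3)" \
              "$(printf '%s\n' "$line" | cut -d: -f4)"; do
        case "$id" in
            ''|*[!0-9]*) echo "BAD uid/gid must be numeric, got '$id'"; return 1 ;;
        esac
    done
    kind=$(hash_kind "$(printf '%s\n' "$line" | cut -d: -f2)")
    if [ "$kind" = malformed ]; then
        echo "BAD password field is not a known crypt format"; return 1
    fi
    echo "OK $kind"
}

# The two root lines quoted in the thread: after reboot, and as corrected.
for l in 'root:NO9Lh4WPU0:root:/root:/bin/sh' \
         'root:FTR0zlZvsHEF2:0:0:root:/root:/bin/sh'; do
    printf '%s -> %s\n' "$l" "$(check_passwd_line "$l")"
done
```

The line seen after reboot fails on field count (5 instead of 7), which matches the "chown: unknown user/group root:root" message reported at bootup: without numeric UID and GID fields the root entry cannot be resolved.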

Re: Rooting Toon (or boxx)

Postby M1XKEY » Tue Dec 10, 2019 6:10 pm

Aah, I probably messed it up while copying. But upon rebooting it removes the :0:0, so I still can't login. I can feel that we are almost there :roll:. What could be the reason it removes the :0:0 upon reboot?

I'm currently graduating with an IoT Pentesting project and investigating hardware-based attack-paths. So I understand that you can connect to the bootloader, but how did you crack that password? (3BHf2)
I don't think you can brute force the boot loader because of the 2 second time, or am I wrong?

Thanks!

Re: Rooting Toon (or boxx)

Postby TheHogNL » Wed Dec 11, 2019 9:14 am

M1XKEY wrote:Aah, I probably messed it up while copying. But upon rebooting it removes the :0:0, so I still can't login. I can feel that we are almost there :roll:. What could be the reason it removes the :0:0 upon reboot?

I'm currently graduating with an IoT Pentesting project and investigating hardware-based attack-paths. So I understand that you can connect to the bootloader, but how did you crack that password? (3BHf2)
I don't think you can brute force the boot loader because of the 2 second time, or am I wrong?

Thanks!


If you contact me by PM I will send you my mobile number so we can chat offline and I'll help you over teamviewer. I'm at home about 21h.

The bootloader password was found in the flash image (uboot partition), stored in plain text (they changed that in uboot R10). Marcel can explain better but you can just read the flash chip manually using external tools or using openocd on the jtag port.
Even without the password you could gain access to uboot by pulling some flash pin to the ground during boot so the uboot pops up (because it can't boot the operating system). They changed that in R10 also.

Re: Rooting Toon (or boxx)

Postby Knulen » Wed Dec 25, 2019 2:52 pm

I don't have a Toon yet, but I do have some questions about rooting a Toon.

If I buy a Toon 1 (QB2), do I have to look for a certain hardware and/or software version? Or are all Toon 1's rootable?

Is it right I only need a Raspberry Pi and some F-F jumper cables? (and a Toon of course)

I haven't seen photos of a Toon connected to a Raspberry Pi and I don't have a Toon yet, but is this just straightforward? There is no soldering needed? If there are photos of a Toon connected to a Raspberry for rooting, I would like to see them. Because reading the guide it looks really easy to root a Toon but seeing the word JTAG, all kinds of hell of soldering a Xbox 360 comes to mind :P
Knulen
Starting Member
Posts: 2
Joined: December 2019

Re: Rooting Toon (or boxx)

Postby TheHogNL » Wed Dec 25, 2019 5:41 pm

Yes that is all you need.
Depending on the Toon1 version you need to install more jumper wires (so the script can use jtag) and extra software on the Pi (openocd) but if you read the readme for the toonrooter this will be clear enough (https://github.com/ToonSoftwareCollective/ToonRooter). For the rest it doesn't care about what Toon1 you have.

Sorry, there is no photo and I am not at home currently to make a photo. But it is dead simple if you read that readme. Just install all jumper wires and you are done.

BTW, this is also answered in the 'how to root a toon' manual https://www.domoticaforum.eu/download/file.php?id=3720 and https://www.domoticaforum.eu/viewtopic. ... 00&t=11235

Re: Rooting Toon (or boxx)

Postby Templar » Thu Dec 26, 2019 10:46 am

Knulen wrote:If I buy a Toon 1 (QB2), do I have to look for a certain hardware and/or software version? Or are all Toon 1's rootable?


- All Toon 1's are rootable, newer ones only with a Raspberry Pi/JTAG.
- Check for meter adapters if you want "Zon op Toon" and/or have a newer model smart meter with DSMR 5.x. You'll need the "2 flame" version.

Code: Select all
meter adapter     Firmware
PN:               Z-wave/LPC *)

6500-1100-3301    14/21
6500-1100-3302
6500-1100-3303

6500-1102-0400    35/37
6500-1102-0401

6500-1200-4700    25/31

6500-1200-47xx    35/39
6500-1300-7200

6500-1400-4900    36/43

6500-1400-6000    0.15/0.11
Templar
Member
Posts: 154
Joined: March 2011
Location: Netherlands
