Rooting Toon (or boxx)
Moderators: marcelr, TheHogNL, Toonz
Rooting Toon (or boxx)
Please post your questions/tips/remarks related to rooting Eneco's Toon here.
Rooting guide: viewtopic.php?f=100&t=11235
Rooting guide: viewtopic.php?f=100&t=11235
Re: Rooting Toon
Maybe a good idea to post the latest rooting guide in the TS?
Re: Rooting Toon
Good idea, slightly different: I made a read-only manuals and tutorials section. First manual added: rooting
grtz,
marcelr
grtz,
marcelr
Re: Rooting Toon
Over the last few months I have had requests from (mostly starting) forum members to help them out with rooting their toon. Some just want tips and troubleshooting advice. Some want me to do the actual rooting for them. Such requests are mostly made by PM and/or mail.
While I'm happy to help anybody who is enthusiastic about the stuff that has been published so far on toon in this forum, I would like to urge everybody seeking help or support with rooting and software adaptations to ask for this through the forum pages, and not through PM or mail.
The reasons are simple:
Some mistakes/errors happen to everybody who starts working with toon hardware, and it's a bit tedious to answer the same questions over and over again.
Starting members posts have to pass through a moderation process before they are published on the web. Since I also moderate this thread, the processing time for posts/PMs/mail is the same. I check mail regularly, and as soon as you post as starting member, I see that you have done so, in my mailbox. If your post is publishable (i.e. not spam), it will be approved/published, and answered if there's a request that needs answering. So, posting in the forum is as fast as any other means to contact me.
When you post in the forum, other members can chime in and possibly help you out.
In general, I will NOT root your toon for you (unless there are very very very specific circumstances). You will have to it yourself, but you can always ask for advice.
So in short, all request for rooting support should be made in the forum, from now on.
grtz,
marcelr
While I'm happy to help anybody who is enthusiastic about the stuff that has been published so far on toon in this forum, I would like to urge everybody seeking help or support with rooting and software adaptations to ask for this through the forum pages, and not through PM or mail.
The reasons are simple:
Some mistakes/errors happen to everybody who starts working with toon hardware, and it's a bit tedious to answer the same questions over and over again.
Starting members posts have to pass through a moderation process before they are published on the web. Since I also moderate this thread, the processing time for posts/PMs/mail is the same. I check mail regularly, and as soon as you post as starting member, I see that you have done so, in my mailbox. If your post is publishable (i.e. not spam), it will be approved/published, and answered if there's a request that needs answering. So, posting in the forum is as fast as any other means to contact me.
When you post in the forum, other members can chime in and possibly help you out.
In general, I will NOT root your toon for you (unless there are very very very specific circumstances). You will have to it yourself, but you can always ask for advice.
So in short, all request for rooting support should be made in the forum, from now on.
grtz,
marcelr
Re: Rooting Toon
I recently got my hands on a newer toon, with boot loader version 2010.9-R10.
It was built a few weeks after Ierlandfan published the rooting method for toon, and most probably can be found on any toon with serial numbers starting with 16 (production year 2016).
The guys at Quby haven't been idle in making access to toon harder. This version has a properly hashed boot loader password (SHA256), and when you try to access it through the screwdriver method, it no longer drops you to a shell, instead you get this:
While I admire the sense of humour of the developers, accessing a toon with this boot loader version is a bit tougher (but not impossible ).
grtz,
marcelr
It was built a few weeks after Ierlandfan published the rooting method for toon, and most probably can be found on any toon with serial numbers starting with 16 (production year 2016).
The guys at Quby haven't been idle in making access to toon harder. This version has a properly hashed boot loader password (SHA256), and when you try to access it through the screwdriver method, it no longer drops you to a shell, instead you get this:
Code: Select all
Verifying Checksum ... Bad Data CRC
ERROR: can't get kernel image!
---------------------------------------------------------
Welcome to the bootloader, adventurous adventurer.
We congratulate you on your perseverance and inventivity!
Would you like an easier way in?
Please visit quby.com/open-system for more information.
Game on! :)
---------------------------------------------------------
grtz,
marcelr
Re: Rooting Toon
hello ,thanks to you i have a rooted TOON ,
can you tell me how to update it and keep it rooted ...?
thanks
can you tell me how to update it and keep it rooted ...?
thanks
hack-wedstrijd: Game of Toons
For those who are interested, there will be a Toon hackathon on October 11th in Rotterdam:
So you think you can hack Toon?
Toon, de slimme thermostaat, wordt gebruikt in 300.000 huishoudens. Logisch dat Eneco let op de veiligheid en die ook regelmatig test. Maar, zoals bij elk slim apparaat, kunnen er altijd nog onverwachte kwetsbaarheden zijn.
Tek Tok heeft daarom Eneco uitgedaagd voor een hack-wedstrijd: Game of Toons. Denk jij dat jij de Toon kunt kraken? Laat het zien op 11 oktober in Worm, Rotterdam.
http://tektok.nl/got
So you think you can hack Toon?
Toon, de slimme thermostaat, wordt gebruikt in 300.000 huishoudens. Logisch dat Eneco let op de veiligheid en die ook regelmatig test. Maar, zoals bij elk slim apparaat, kunnen er altijd nog onverwachte kwetsbaarheden zijn.
Tek Tok heeft daarom Eneco uitgedaagd voor een hack-wedstrijd: Game of Toons. Denk jij dat jij de Toon kunt kraken? Laat het zien op 11 oktober in Worm, Rotterdam.
http://tektok.nl/got
Re: Rooting Toon
@Templar: sounds like fun, although I can't make it, I'm afraid. Other stuff to do.
Maybe we should publish a list of all installed software packages together with version numbers, devices and internally used service ports, as a service for those who will attend , so participants can do a bit of homework for finding exploits. Or does that count as cheating ?
Anyway, for those who will attend, have fun.
@hayman: Once it's rooted, it's rooted. New updates will shutdown ssh access, but IIRC, cygnusx posted a remedy for that. You will need to apply that remedy BEFORE you install updates, if you want to continue having access to your toon. Updates are pushed to your toon by Eneco, if you have a subscription. If not, there's not a lot to update.
Maybe we should publish a list of all installed software packages together with version numbers, devices and internally used service ports, as a service for those who will attend , so participants can do a bit of homework for finding exploits. Or does that count as cheating ?
Anyway, for those who will attend, have fun.
@hayman: Once it's rooted, it's rooted. New updates will shutdown ssh access, but IIRC, cygnusx posted a remedy for that. You will need to apply that remedy BEFORE you install updates, if you want to continue having access to your toon. Updates are pushed to your toon by Eneco, if you have a subscription. If not, there's not a lot to update.
Re: Rooting Toon
Hi,
Can anyone send me a recent firmware image (or extracted root filesystem) for the Eneco TOON?
Kind Regards,
blasty
edit: Actually, nevermind. Just hooked up the UART on mine and got an U-boot shell. I can figure things out from here.
Can anyone send me a recent firmware image (or extracted root filesystem) for the Eneco TOON?
Kind Regards,
blasty
edit: Actually, nevermind. Just hooked up the UART on mine and got an U-boot shell. I can figure things out from here.
Re: Rooting Toon
There may be another way:marcelr wrote:I recently got my hands on a newer toon, with boot loader version 2010.9-R10.
It was built a few weeks after Ierlandfan published the rooting method for toon, and most probably can be found on any toon with serial numbers starting with 16 (production year 2016).
The guys at Quby haven't been idle in making access to toon harder. This version has a properly hashed boot loader password (SHA256), and when you try to access it through the screwdriver method, it no longer drops you to a shell, instead you get this:
While I admire the sense of humour of the developers, accessing a toon with this boot loader version is a bit tougher (but not impossible ).Code: Select all
Verifying Checksum ... Bad Data CRC ERROR: can't get kernel image! --------------------------------------------------------- Welcome to the bootloader, adventurous adventurer. We congratulate you on your perseverance and inventivity! Would you like an easier way in? Please visit quby.com/open-system for more information. Game on! :) ---------------------------------------------------------
grtz,
marcelr
http://quby.com/en/page/123
Toon as a domotica controller?
Hello, i have bought myself a Toon and started to root it but unfortunately, i have a recent firmware ( U-Boot 2010.09-R10 (Dec 14 2015 - 19:28:18) ) and i was not able to find a bootloader password for this.
I've tried to short the circuits of the Nand Chip, but in my Toon, also a new version of this chip is placed ( Samsung 507 ). So i was unable to get into the u-boot by this method.
So, is there a possible way for me to root Toon ?
I've tried to short the circuits of the Nand Chip, but in my Toon, also a new version of this chip is placed ( Samsung 507 ). So i was unable to get into the u-boot by this method.
So, is there a possible way for me to root Toon ?
Re: Rooting Toon
Moved your post to the right topic, and no, your Samsung chip is not very different from earlier versions. The type is: K9F1G08UDE.
Your u-boot version has a properly hashed password (and is unknown). So, the two ways to get in are: ask Quby (see earlier post by Templar). or: build a new u-Boot (from source) and flash it onto your toon with a JTAG programmer.
I have no experience with the first method, and the second is still (a bit) under development.
best,
marcelr
Your u-boot version has a properly hashed password (and is unknown). So, the two ways to get in are: ask Quby (see earlier post by Templar). or: build a new u-Boot (from source) and flash it onto your toon with a JTAG programmer.
I have no experience with the first method, and the second is still (a bit) under development.
best,
marcelr
Re: Rooting Toon
Thank you for your swift responce.
I've mailed Quby and asked them to provide me "an easier way in".
Let's see if they responde.
Thank you all for your efforts in making this possible.
Best regards,
Manyakim
I've mailed Quby and asked them to provide me "an easier way in".
Let's see if they responde.
Thank you all for your efforts in making this possible.
Best regards,
Manyakim
Re: Rooting Toon; accessing NAND with JTAG
I try to use JTAG for dumping the flash. I use a buspirate as JTAG with
openocd. This seems to work fine, as I can dump memory and even make
changes in RAM. If I 'halt' the processor just before the U-boot is asking
for a password, I can dump the U-boot memory from memory addresses 0xa100000
onwards.
Now if I perform a 'nand probe 0' command, the script gets stuck on the
reading and writing in the MX27 flash controller memory mapped registers
as 0xd80001xx addresses. It seems that at this stage in booting these
addresses are not accessable.
@marcelr: How did you succeeded in getting access to the flash? Could you post your
'toon.cfg' configuration script. At what stage do you execute the 'nand
probe 0' command. You write that only after a cycle halt, resume, halt,
that worked.
Unfortunately, my version is R10 (sha256 password on the U-boot). I have a corrupted root-fs (kernel panic). So, it seems that the only way forward is flashing a new U-boot. Hence, nand flash access is needed through JTAG.
openocd. This seems to work fine, as I can dump memory and even make
changes in RAM. If I 'halt' the processor just before the U-boot is asking
for a password, I can dump the U-boot memory from memory addresses 0xa100000
onwards.
Now if I perform a 'nand probe 0' command, the script gets stuck on the
reading and writing in the MX27 flash controller memory mapped registers
as 0xd80001xx addresses. It seems that at this stage in booting these
addresses are not accessable.
@marcelr: How did you succeeded in getting access to the flash? Could you post your
'toon.cfg' configuration script. At what stage do you execute the 'nand
probe 0' command. You write that only after a cycle halt, resume, halt,
that worked.
Unfortunately, my version is R10 (sha256 password on the U-boot). I have a corrupted root-fs (kernel panic). So, it seems that the only way forward is flashing a new U-boot. Hence, nand flash access is needed through JTAG.
Re: Rooting Toon
Hmmm...
That's a tricky one. You could rebuild U-Boot from source (Quby U-Boot archive, although you will also need to configure it, that part is not given in the archive. I gave that a try, see script below).
Then, flash that boot loader onto toon, and it should work.
Other method: rip an older boot loader from an older toon, flash that onto your toon (together with its environment).
Here are the scripts (nothing fancy, I'm afraid):
JTAG configuration script: toon.cfg (used with openocd 0.8.0):
and the shell script to build U-Boot (put inside top level dir of the U-boot tree, edit paths according to your needs):
please report any progress, it would be interesting to know what works best.
marcelr
That's a tricky one. You could rebuild U-Boot from source (Quby U-Boot archive, although you will also need to configure it, that part is not given in the archive. I gave that a try, see script below).
Then, flash that boot loader onto toon, and it should work.
Other method: rip an older boot loader from an older toon, flash that onto your toon (together with its environment).
Here are the scripts (nothing fancy, I'm afraid):
JTAG configuration script: toon.cfg (used with openocd 0.8.0):
Code: Select all
#
# config file for Eneco toon thermostat.
#
# this device has a Freescale i.MX27 processor, 128MB NAND flash, and a
# non-standard JTAG interface
# load default processor cfg:
source [find target/imx27.cfg]
imx27.cpu arm7_9 fast_memory_access enable
#imx27.cpu arm7_9 dbgrq enable
reset_config separate
reset_config trst_open_drain
jtag_ntrst_assert_width 50
$_TARGETNAME configure -event reset-init { toon_init }
# set up NAND flash:
nand device toon.nand mxc imx27.cpu mx27 noecc biswap
proc toon_init { } {
#reset_config trst_and_srst srst_pulls_trst
# reset the board correctly
adapter_khz 500
reset run
reset halt
}
Code: Select all
#! /bin/sh
# script for configuring toon u-boot
#
./mkconfig ed20 arm arm926ejs ed20 prodrive mx27
# set to wherever you unpacked the quby openembedded tree
OE_ROOT=/home/toon
# add toolchain for toon to the $PATH
PATH=$PATH:$OE_ROOT/oe/qb2/tmp/sysroots/x86_64-linux/usr/qb2/bin/
export PATH
CROSS_COMPILE=arm-hae-linux-gnueabi-
export CROSS_COMPILE
make
marcelr