
Hacking process of LaMetric time #2

Open
tyalie opened this issue Apr 14, 2018 · 41 comments

Comments

@tyalie

tyalie commented Apr 14, 2018

Hey there. Was there any further progress in hacking the LaMetric Time? I found the root password especially interesting, so that one can access the SSH port.

I could only find this post on reddit, where somebody successfully accessed SSH by opening the device up and changing it manually:
https://www.reddit.com/r/LaMetric/comments/3sq55r/hacking_progress/

Have you heard of further progress in this regard?

Thanks a lot

George
@chorankates
Owner

@Gansgar sorry for the slow reply, didn't see the notification.. i continued running the GCP instance for almost 2 weeks and didn't crack it - i will update the README.md with that information.

i was unaware of that post (or subreddit), but after failing to crack the hash attempted something similar - though i was never able to mount the card..

can't recall the reason now, but i'll take another look this weekend as the device itself is still sitting on my desk - and its smug aura mocks me.

@tyalie
Author

tyalie commented Jun 21, 2018

Hey there,

thanks for the reply. Any updates?

George

@magcode

magcode commented Aug 20, 2018

Getting root access to the device is actually not so difficult. I reset the root password and removed a firewall rule which seemed to block port 22. Now I have full access to the device.

The challenge is to make it possible without opening the device (and losing the warranty by doing so).

@BeHive

BeHive commented Oct 2, 2018

Hello

After gaining access to the device, are you able to change the WiFi settings to make it connect to a wpa enterprise network?

Also, could you provide some info on that firewall rule you removed?

Cheers

@magcode

magcode commented Oct 3, 2018

> wpa enterprise

No idea. I don't have such a network

> some info on that firewall rule

I removed /etc/init.d/S50block_ssh
The device runs a knockd.
In theory you should be able to enable the SSH port using knock <lam ip> 7623 6732 8675 6623 1732 8675.
However that did not work for me.

@MasterScrat

Any news on this? Anyone was able to break the password?

@k4a

k4a commented Dec 10, 2019

Hi to all!

Successfully rebuilt the firmware with a changed password & the ssh firewall removed (without opening the device).
I think it's possible to get ssh access without any firmware modification, by knocking & using ssh_rsa_key after that to access the device. Will try it.

@magcode

magcode commented Dec 10, 2019

Well. You can build a custom firmware. Yes. But you don't have their private key to sign it. Without that signature the device won't install the firmware. Correct me if I'm wrong.

@k4a

k4a commented Dec 11, 2019

I have their private key ))
So the device installs the fixed firmware without any warnings.

@magcode

magcode commented Dec 11, 2019

OMG.
!!!HERO!!!

@tyalie
Author

tyalie commented Dec 12, 2019

That's amazing 😎

@k4a

k4a commented Dec 13, 2019

https://mega.nz/#!NMBBjCLQ!NwB_0xuGzsU857LX0pyRiTY8mwzuVkI7l7egCLPfq8E
root password lametric, ssh firewall deleted

@Zignixx

Zignixx commented Feb 11, 2020

@k4a can you maybe create a cfw for 2.0.24? Would be nice! :)

@k4a

k4a commented Mar 3, 2020

Hi 2 all
version 2.0.24
https://mega.nz/#!0MwyAabB!3M0JRbIWBqj1X1jmqL5NlUdI9M7TOr8QDvVCs6XgOZo
root password same

@Zignixx

Zignixx commented Mar 3, 2020

> Hi 2 all
> version 2.0.24
> https://mega.nz/#!0MwyAabB!3M0JRbIWBqj1X1jmqL5NlUdI9M7TOr8QDvVCs6XgOZo
> root password same

Thanks!
What do I need to do if I already have 2.0.24 (original) installed on my Lametric? Can I just overwrite this firmware?

@k4a

k4a commented Mar 3, 2020

I haven't tried overwriting, because I have 2.0.23 installed. I think you can.
If not, look at the recovery info - reset to the base revision, and after that install 2.0.24.

@robbiet480

robbiet480 commented Apr 10, 2020

How do you install this firmware? Do you have to open the device up and write the SD card?

EDIT: I assume this is the procedure but haven't tried it yet... From the user guide:

Follow a few easy steps to update software:

  1. Connect the device to a PC using a USB cable.
  2. Start the device in Recovery mode (press and hold the Volume Up button and short press the On/Off button at the same time).
  3. Mount mass storage (navigate in Recovery mode to ‘MOUNT’ using the Left or Right navigation buttons and confirm with the Action button).
  4. The PC should detect a new mass storage device and LaMetric Time will be temporarily locked.
  5. Drop the latest software file from firmware.lametric.com into the root folder of the disk drive that appeared on your PC.
  6. Safely disconnect LaMetric Time from the PC and reboot it (navigate to ‘REBOOT’ using the Left or Right buttons and confirm with the Action button).
  7. The software will be installed automatically. The device will reboot a few times.
  8. In case of an issue, an error file update.err.txt will be created on the disk. To check the error, mount the disk again and open the file to find out the reason for the failure.

@xiconfjs

Hi @k4a ,

can you please provide either a patched 2.0.26 firmware or perhaps the key you signed the firmware with?

Thanks

@poblabs

poblabs commented Jun 5, 2020

@robbiet480 Did that work for you? And what benefits have you gained by using this firmware?

@robbiet480

@poblabs I haven’t personally done it, no.

@DrNachtschatten

I probably am wrong here, please just delete this comment if so.
Does anyone have a complete image of the LaMetric Time SD card? Mine died and without the original partition table and compiled bootloader, the device won't do anything.

@FD-

FD- commented Sep 4, 2020

Hi all,
I have developed a software development kit for developing native apps for LaMetric OS (reverse-engineered liblfoundation headers, found a compatible cross-compiler toolchain, written a script for packaging ipk packages). It's working great for me and radically opens up the device for many more use cases. It turned out liblfoundation already provides a set of well-engineered components (based on Qt) that make developing native apps really easy (once I had figured out the headers). It's also possible to write custom widgets that draw arbitrary content on the screen.

Anyway, I'm posting here because the SDK only makes sense on a device that has SSH access (apps are to be installed via opkg-cl), which for now is only possible using @k4a's custom firmware linked above. @k4a would you be willing to send me an email regarding how firmware signature verification works, how you were able to build your custom firmware and how this could be leveraged for bootstrapping a LaMetric OS homebrew scene? My email address is linked on my GitHub profile page.

@magcode

magcode commented Sep 4, 2020

Fantastic!
I'd appreciate the SDK. Potentially I/we can migrate my stuff (https://github.com/magcode/lametric-tools)

@tyalie
Author

tyalie commented Sep 5, 2020

I'm absolutely amazed. Years after the product is released, it is finally opened up by the community. Mad respect for all who made this happen.

@poblabs

poblabs commented Sep 5, 2020

Does anyone have the install documented?

@FD-

FD- commented Sep 13, 2020

Well, unfortunately, @k4a hasn't contacted me yet, so I decided to release the SDK anyway. Please have a look at my repo here: https://github.com/FD-/LaMetric-SDK. @magcode I don't know much about MQTT, so I greatly appreciate how your project complements my SDK. Let me know if you have an idea how our projects can be integrated!

Please help spread the word and let me know how the SDK works for you! If you create something others could benefit from, please publish the source code! I'm looking forward to seeing what you can come up with!

@FD-

FD- commented Sep 15, 2020

I think I have found a relatively simple way to install custom apps on stock (unmodified, original) firmware, but I need someone to test this method on a device that still runs said stock firmware. If you are willing to help me give this a test, please send me an email!

@FD-

FD- commented Sep 15, 2020

Alright guys, we were able to confirm my method works on stock firmware. I've updated my repository. Happy homebrewing!

@terrikate

Do any of you have a full image of the SDCard? To see if restoring it solves the following problem:

With very old versions of the lametric firmware (default restore) it works perfectly, but as soon as I upgrade to more modern versions the LED display stops working, although the device and its applications underneath still work. I hear the radio, for example.

Any help is welcome. Thank you!

@DrNachtschatten

@terrikate please see this thread https://www.reddit.com/r/LaMetric/comments/givivn/lametric_time_sd_card_image/

Feel free to contact me via any private message channel of choice, I can give you a full SD card image.

@FD-

FD- commented Jan 15, 2021

Different hardware revisions of the device use different MCUs and LED drivers for controlling the display, so that may be a source of incompatibilities. All MCU variants are from the STM32 family, and their firmware can be flashed from the main CPU. The firmware files are located in the /etc/ folder (*.hex files) IIRC and can be manually flashed with the cortex_update.sh script. Could be worth a try, though the first thing to do would obviously be checking the logcat and kernel logs for any obvious errors.

BTW, what is the last version that works for you, and how do you restore default?

@terrikate

Thank you @DrNachtschatten! I had seen that topic before writing the other day, but as the images no longer existed and it didn't seem to have ended well, I decided to try this way. Can you send me a mega/drive link or other provider with the image to terrikate at gmail dot com? I appreciate it, thanks a lot!

@FD- I leave you more information here. I tried to play with cortex_update.sh without success. To restore the default version, in my case 1.6.1, I press volume up, the action button and the power button. When the menu comes out I choose restore, and when it finishes and I configure it all, the LED display works correctly.

Default version. When restoring

NAME="LaMetric"
VERSION=2016.10-rC-228
VERSION_ID=1.6.1

Current version with ssh access (2.0.3 of this same post)

# ls -la *.hex
-rwxrwxrwx    1 root     root         88828 Jun  4  2018 MY9163_V01.hex
-rwxrwxrwx    1 root     root         89053 Jun  4  2018 TLC5929V01.hex
-rwxrwxrwx    1 root     root         89053 Jun  4  2018 cortex_firmware.hex
 ./cortex_update.sh
Get kernel version
Cortex flashing...
no input parameters
Get hardware version
stm32flash 0.4

http://stm32flash.googlecode.com/

Interface serial_posix: 57600 8E1
Version      : 0x31
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0444 (STM32F030/F031)
- RAM        : 8KiB  (4096b reserved by bootloader)
- Flash      : 64KiB (sector size: 4x1024)
- Option RAM : 12b
- System RAM : 3KiB
Memory read
Read address 0x08007d6a (100.00%) Done.

Display hardware version MY9163_V01
match MY9163_V01
write firware MY9163_V01
write /etc/MY9163_V01.hex
stm32flash 0.4

http://stm32flash.googlecode.com/

Using Parser : Intel HEX
Interface serial_posix: 115200 8E1
Version      : 0x31
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0444 (STM32F030/F031)
- RAM        : 8KiB  (4096b reserved by bootloader)
- Flash      : 64KiB (sector size: 4x1024)
- Option RAM : 12b
- System RAM : 3KiB
Write to memory
Erasing memory
Wrote and verified address 0x08007b4c (100.00%) Done.

Cortex flashed
Cortex reset vanilla
Done
cat /tmp/hw
MY9163_V01#

I tried all three .hex files and nothing. In logcat everything is in order. If you can think of anything else, I appreciate it. Thank you!

@FD-

FD- commented Jan 17, 2021

When exactly does the display cut out on a recent image? Does the boot animation show? Does scrolling text show? There's a lmledtool program somewhere inside the file system, I think it was in /usr/bin. You could try the tests it includes.

@terrikate

After the startup animation it goes to black. I don't see the scrolling text.
I have tested the test tool (/usr/sbin/lmledtest) with the different firmwares, and it performs the animations correctly. When the test is launched with parameter -t, the LED screen lights up well and it returns this message:

LED OPEN DETECTION TEST
OUTPUT LEAKAGE DETECTION (TLC5929)/SHORT TO GND (MY9163)
LED SHORT DETECTION

This happens only with the MY9163_V01 firmware. With the others it returns, apart from that message, Bad led: white x=XX y=YY for each one of the LEDs of the array (rgb + white), although it lights up anyway.

@FD-

FD- commented Jan 17, 2021

Apparently, they changed something in the display frequency in firmware 2.0.9, so you could try if flashing 2.0.8 still works: https://storage.lametric.com/sa1/firmware/lm_ota_2.0.8_20180511_497_sa1.bin

@hallard

hallard commented Feb 21, 2021

Hi guys, Amazing work really.

Just a stupid question: if I go to the megaupload FW and open SSH to my LM, will any FW upgrade take my SSH access away again? If so, is any updated image available?
Thanks

@algmyr

algmyr commented Nov 22, 2021

Looking at the thing that actually does the firmware update, /lametric/system/services/com.lametric.lametricdaemon/daemon, I actually see nothing that verifies the signature file. What I see is that thing running /etc/validate_fw.sh, which only checks the MD5 hash, which you could just update after updating the squashfs image. This is a dumb question, but have people tried just updating the md5sum after modification? It's likely that I'm missing the place actually doing the signature check, but I have to ask.

@FD-

FD- commented Nov 22, 2021

@algmyr The signature check happens in the recovery partition, in /usr/share/lametric-tools/recovery_menu/action_upgrade:

...
echo "Verifying signature of file $file..."
gpg --ignore-time --verify $file.sig $file || error_reboot_exit "Firmware is from unknown source. Not installed."
...
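The point of the two comments above is that an MD5 sidecar and a detached signature protect against different things. The following added model (not LaMetric's code; the RSA key is a constructed toy key standing in for the vendor's gpg key, and the image bytes are made up) runs the MD5 check that validate_fw.sh does and the signature check that action_upgrade does, and shows that regenerating the MD5 after a modification satisfies only the first:

```python
import hashlib

# Constructed toy RSA keypair with tiny primes: a stand-in for the vendor's
# signing key so the check chain runs offline. Never use key sizes like this.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def fw_digest(image: bytes) -> int:
    """SHA-256 of the image reduced into the toy modulus (no real padding)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def vendor_sign(image: bytes) -> int:
    """Detached signature that only the holder of D (the vendor) can produce."""
    return pow(fw_digest(image), D, N)


def recovery_verify(image: bytes, sig: int) -> bool:
    """Stand-in for 'gpg --verify $file.sig $file' in action_upgrade."""
    return pow(sig, E, N) == fw_digest(image)


def validate_fw_md5(image: bytes, md5_sidecar: str) -> bool:
    """Stand-in for validate_fw.sh: compares the image to its bundled MD5."""
    return hashlib.md5(image).hexdigest() == md5_sidecar


def update_chain(image: bytes, md5_sidecar: str, sig: int) -> dict:
    """Both checks in the order the thread describes: MD5 in the OS, signature in recovery."""
    return {"md5_ok": validate_fw_md5(image, md5_sidecar),
            "signature_ok": recovery_verify(image, sig)}


def demo() -> tuple:
    # Constructed stand-in for a vendor-built image plus its bundled MD5 and signature
    original = b"lm_ota_squashfs:root:$1$original$"
    md5_sidecar = hashlib.md5(original).hexdigest()
    sig = vendor_sign(original)
    genuine = update_chain(original, md5_sidecar, sig)

    # The same bundle with a changed image and a regenerated MD5: the integrity
    # check still passes because the MD5 travels with the image, but the
    # signature cannot be regenerated without D, so recovery rejects it.
    modified = original.replace(b"original", b"modified")
    altered = update_chain(modified, hashlib.md5(modified).hexdigest(), sig)
    return genuine, altered
```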

@Zignixx

Zignixx commented Nov 22, 2021

> @algmyr The signature check happens in the recovery partition, in /usr/share/lametric-tools/recovery_menu/action_upgrade:
>
> ...
> echo "Verifying signature of file $file..."
> gpg --ignore-time --verify $file.sig $file || error_reboot_exit "Firmware is from unknown source. Not installed."
> ...

Is there a way to modify this file if I'm able to access the lametric over ssh?

@FD-

FD- commented Nov 22, 2021

You may be able to manually mount the recovery partition (p8) from the normal OS. It's a squash file system IIRC. I'd recommend backing up the internal micro SD card first, because if you screw up the recovery partition things can get pretty ugly.

@bluesveins

Hi, is there any progress on this topic?
