Hacking process of LaMetric time #2
Comments
@Gansgar sorry for the slow reply, didn't see the notification.. i continued running the GCP instance for almost 2 weeks and didn't crack it - i will update the README.md with that information. i was unaware of that post (or subreddit), but after failing to crack the hash attempted something similar - though i was never able to mount the card.. can't recall the reason now, but i'll take another look this weekend as the device itself is still sitting on my desk - and its smug aura mocks me. |
Hey there, thanks for the reply. Any updates? George |
Getting root access to the device is actually not so difficult. I reset the root password and removed a firewall rule which seemed to block port 22. Now I have full access to the device. The challenge is to make it possible without opening the device (and losing warranty by doing so). |
Hello. After gaining access to the device, are you able to change the WiFi settings to make it connect to a WPA Enterprise network? Also, could you provide some info on that firewall rule you removed? Cheers |
No idea. I don't have such a network
I removed |
Any news on this? Was anyone able to break the password? |
Hi to all! Successfully rebuilt firmware with changed password & removed ssh firewall (without opening device). |
Well. You can build a custom firmware. Yes. But you don't have their private key to sign it. Without that signature the device won't install the firmware. Correct me if I'm wrong. |
I have their private key )) |
OMG. |
That's amazing 😎 |
https://mega.nz/#!NMBBjCLQ!NwB_0xuGzsU857LX0pyRiTY8mwzuVkI7l7egCLPfq8E |
@k4a can you maybe create a cfw for 2.0.24? Would be nice! :) |
HI 2 all |
Thanks! |
I didn't try to overwrite, because I have 2.0.23 installed. I think you can. |
How do you install this firmware? Do you have to open the device up and write the SD card? EDIT: I assume this is the procedure but haven't tried it yet... From the user guide: Follow a few easy steps to update software:
|
Hi @k4a, can you please provide either a patched 2.0.26 firmware or perhaps the key you signed the firmware with? Thanks |
@robbiet480 Did that work for you? and what benefits have you seen gained by using this firmware? |
@poblabs I haven’t personally done it no. |
I probably am wrong here, please just delete this comment if so. |
Hi all, Anyway, I'm posting here because the SDK only makes sense on a device that has SSH access (apps are to be installed via opkg-cl), which for now is only possible using @k4a's custom firmware linked above. @k4a would you be willing to send me an email regarding how firmware signature verification works, how you were able to build your custom firmware and how this could be leveraged for bootstrapping a LaMetric OS homebrew scene? My email address is linked on my GitHub profile page. |
Fantastic! |
I'm absolutely amazed. Years after the product is released, it is finally opened up by the community. Mad respect for all who made this happen. |
Does anyone have the install documented? |
Well, unfortunately, @k4a hasn't contacted me yet, so I decided to release the SDK anyway. Please have a look at my repo here: https://github.com/FD-/LaMetric-SDK. @magcode I don't know much about MQTT, so I greatly appreciate how your project complements my SDK. Let me know if you have an idea how our projects can be integrated! Please help spread the word and let me know how the SDK works for you! If you create something others could benefit from, please publish the source code! I'm looking forward to seeing what you can come up with! |
I think I have found a relatively simple way to install custom apps on stock (unmodified, original) firmware, but I need someone to test this method on a device that still runs said stock firmware. If you are willing to help me give this a test, please send me an email! |
Alright guys, we were able to confirm my method works on stock firmware. I've updated my repository. Happy homebrewing! |
Do any of you have a full image of the SD card? To see if restoring it solves the following problem: With very old versions of the LaMetric firmware (default restore) it works perfectly, but as soon as I upgrade to more modern versions the LED display stops working, but the device and its applications, below, still work. I hear the radio, for example. Any help is welcome. Thank you! |
@terrikate please see this thread https://www.reddit.com/r/LaMetric/comments/givivn/lametric_time_sd_card_image/ Feel free to contact me via any private message channel of choice, I can give you a full SD card image. |
Different hardware revisions of the device use different MCUs and LED drivers for controlling the display, so that may be a source of incompatibilities. All MCU variants are from the STM32 family, and their firmware can be flashed from the main CPU. The firmware files are located in the /etc/ folder (*.hex files) IIRC and can be manually flashed with the cortex_update.sh script. Could be worth a try, though the first thing to do would obviously be checking the logcat and kernel logs for any obvious errors. BTW, what is the last version that works for you, and how do you restore default? |
Thank you @DrNachtschatten! I had seen that topic before writing the other day but as the images no longer existed and didn't seem to have ended well I decided to try this way. Can you send me a mega/drive link or other provider with the image to terrikate at gmail dot com? I appreciate it, thanks a lot! @FD- I leave you more information here. I tried to play with cortex_update.sh without success. To restore the default version, in my case 1.6.1, I press volume up, the action button and the power button. When the menu comes out I choose restore and when it finishes and I configure it all the LED display works correctly Default version. When restoring
Current version with ssh access (2.0.3 of this same post)
I tried all three .hex and nothing. In logcat everything is in order. If you can think of anything else, I appreciate it. Thank you! |
When exactly does the display cut out on a recent image? Does the boot animation show? Does scrolling text show? There's a lmledtool program somewhere inside the file system, I think it was in /usr/bin. You could try the tests it includes. |
After the startup animation it goes to black. I don't see the scrolling text
This happens only with the MY9163_V01 firmware. With the others it returns apart from that message, |
Apparently, they changed something in the display frequency in firmware 2.0.9, so you could try if flashing 2.0.8 still works: https://storage.lametric.com/sa1/firmware/lm_ota_2.0.8_20180511_497_sa1.bin |
Hi guys, amazing work really. Just a stupid question: if I go to the megaupload FW and open SSH to my LM, will any FW upgrade deny my SSH access again? If so, is any update image available? |
Looking at the thing that actually does the firmware update |
@algmyr The signature check happens in the recovery partition, in
|
Is there a way to modify this file if i'm able to access the lametric over ssh? |
You may be able to manually mount the recovery partition (p8) from the normal OS. It's a squash file system IIRC. I'd recommend backing up the internal micro SD card first, because if you screw up the recovery partition things can get pretty ugly. |
hi is there any progress in this topic? |
Hey there. Was there any further progress in hacking the LaMetric Time? I found the root password especially interesting, so that one can access the SSH port.
I could only find this post on reddit, where somebody successfully accessed the SSH by opening it up and changing it manually:
https://www.reddit.com/r/LaMetric/comments/3sq55r/hacking_progress/
Have you heard of further progress in this regard?
Thanks a lot