Rooting Hue Bridge with firmware 1967054020
Star of today’s show, Hue Bridge 2.1_X03A
Problem statement
There are several guides on the ’Net on how to root a Hue Bridge (and enable wifi or whatnot).
But they don’t work anymore[1]. Instead of a login prompt past the console activation, the system greets you with 5, then the salt of its root password, and if you type in something, you get back Error reading signature file /tmp/secret_phrase or similar[2].
So I rolled up my sleeves and broke into their little new “security” thing. If you’re interested in the “how”, I’ll talk about that after the solution.
Solution
Here’s how to root the newer Hue Bridge 2 (BSB002) with firmware version 1967054020:
I’m skipping over the hardware portion of the mod – see Colin O’Flynn’s guide all the way to step 4. Or use R. X. Seger’s guide and stop before the Root password section.
In other words, attach a USB-to-3V3 UART dongle[3], short the DAT0 test point, get access to U-Boot, and tweak bootdelay:
setenv bootdelay 3
saveenv
reset
Now interrupt the initial boot (press Enter during the countdown), and we’ll take it from there.
(What follows is the novel part)
Back up the env variables[4] by issuing printenv and copying the output to a file.
Next, get the root shell going – by tweaking the existing std_bootargs to replace init with /bin/sh. In my case that’d be:
setenv std_bootargs 'board=BSB002 console=ttyS0,115200 ubi.mtd=overlay rootfs=/dev/mtdblock:rootfs rootfstype=squashfs noinitrd init=/bin/sh'
followed by boot. No permanent envvar changes needed. ;)
After booting, in that barebones root shell, tweak the overlay:
mount -t ubifs ubi1_1 /overlay
mkdir /overlay/upper/bin
# Let's make ourselves a proper login shell in fully booted system
cat - >/overlay/upper/bin/secure-console.sh <<'EOF'
#!/bin/sh
exec /bin/ash --login
EOF
chmod a+x /overlay/upper/bin/secure-console.sh
umount /overlay/
And now continue to the normal system boot:
exec /sbin/init
When it boots up, you have a root console right there (press Enter):
BusyBox v1.30.1 () built-in shell (ash)
[ASCII-art banner: Hue Bridge 2.X]
----------------------------------------------------------------------
Version: 1967054020
----------------------------------------------------------------------
root@xxxxxxxxxxxx:/#
Add your ssh key by running ssh-factory-key -r - and pasting the key to stdin. This will also auto-enable ssh in the firewall config. Please note that the key has to be ssh-rsa and it must have a name[5].
Example (adding an ssh key named key):
$ ssh-factory-key -r -
ssh-rsa AAAAB3N........................== key
registered: key
installed: firewall rule for ssh
$
Remove the insecure secure-console.sh you added previously, and reboot:
cd /overlay/upper/
rm bin/secure-console.sh
rmdir bin
# unfortunately this screws up all of /bin (until reboot)
# thus... make it so:
reboot
After reboot, you can ssh to your newly rooted hue bridge:
$ ssh root@x.y.z.w -p 22 \
-o 'PubkeyAcceptedAlgorithms +ssh-rsa' \
-o 'HostkeyAlgorithms +ssh-rsa'
BusyBox v1.30.1 () built-in shell (ash)
[ASCII-art banner: Hue Bridge 2.X]
----------------------------------------------------------------------
Version: 1967054020
----------------------------------------------------------------------
root@xxxxxxxxxxxx:~#
And this is how you root the newer Hue Bridge firmware, ladies and gents.
How did I do it?
Not much to it, really.
The init= param override is a well-known thing[6].
Once in, I noticed in /etc/inittab that the console is set to /bin/secure-console.sh.
So I took a looksie under that skirt[7], and found out that it’s mostly a no-go in its current form.
But an easy way in is to replace all the fanciness with something friendlier.
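As an added illustration (not the vendor’s secure-console.sh, which the author deliberately does not publish), here is a minimal signed-challenge console gate built from the pieces footnote 7 names: a random salt issued by the device, a prime256v1 ECDSA signature over it made with openssl dgst -sha256, and verification against the public key baked into the image. The key pair, file names and messages are constructed; the defender’s takeaway is footnote 6: a gate living in /etc/inittab is only as strong as the boot chain that gets you there.

```sh
#!/bin/sh
# Illustrative signed-challenge console gate (constructed example, NOT the Hue
# Bridge's secure-console.sh). Requires the openssl CLI.
set -eu

# Scratch directory standing in for the device's /tmp and the vendor's key store.
WORK="${WORK:-$(mktemp -d)}"

# Vendor side, done once offline: P-256 key pair. Only the public key is baked
# into the device image; the private key never leaves the vendor.
gen_vendor_keys() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/vendor_priv.pem"
  openssl ec -in "$WORK/vendor_priv.pem" -pubout -out "$WORK/vendor_pub.pem" 2>/dev/null
}

# Device side: a fresh random salt (challenge) every time the console starts,
# so a captured response cannot be replayed against a later session.
make_challenge() {
  openssl rand -hex 16
}

# Vendor side: sign the salt with the private key; the result is the
# "signature file" the operator hands back to the device.
sign_challenge() {  # $1 = salt, $2 = output signature path
  printf '%s' "$1" | openssl dgst -sha256 -sign "$WORK/vendor_priv.pem" -out "$2"
}

# Device side: SHA-256 over the same salt, verified with the embedded pubkey.
verify_response() {  # $1 = salt, $2 = signature path; exit 0 iff valid
  printf '%s' "$1" | openssl dgst -sha256 -verify "$WORK/vendor_pub.pem" \
    -signature "$2" >/dev/null 2>&1
}

# The gate itself: only a verified response would exec the login shell.
console_gate() {  # $1 = salt, $2 = signature path
  if verify_response "$1" "$2"; then
    echo "signature ok; a real gate would now: exec /bin/ash --login"
    return 0
  fi
  echo "Error reading signature file $2" >&2
  return 1
}

# Demo round trip with constructed data.
gen_vendor_keys
SALT="$(make_challenge)"
sign_challenge "$SALT" "$WORK/secret_phrase"
console_gate "$SALT" "$WORK/secret_phrase"
```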
Now, the rootfs can’t really be changed (that’s read-only), but the overlay can be.
So it took me a bit of fumbling through the filesystem to figure out how to mount the ubifs overlay[8]. At first I thought I had to mknod the block device, but it turns out ubifs doesn’t need the device node. It’s perfectly happy with just a name. Cool.
The rest was just spliced from Colin’s guide (the whole ssh-factory-key -r business). But not being happy with file creation, I discovered the option to paste it in from stdin. Always a plus.
So, yeah, the “quickie” tag doesn’t lie. It hardly took any time at all.
1. As far as I can tell. Correct me if I’m wrong.
2. Unless you can properly ECC-sign what you’re supposed to sign. But I’m not a “Signify” / Philips eng. Are you?
3. Soldered header, or – like a pro – with a 5P 2.54mm pogo pin adapter.
4. You never know… but unless you F up, you won’t need them.
5. Also wouldn’t hurt to make it rather short; 1024 is enough. But that’s not obligatory.
6. And one of the reasons why one should have full disk encryption, and secure boot.
7. I won’t be posting it here, but suffice to say that openssl dgst -sha256 is invoked against a prime256v1 pubkey.
8. Plus, which device to mount, which was somewhat clear from the debug messages shown during regular boot.