Jilles.com https://jilles.com/ Recent content on Jilles.com Hugo -- gohugo.io en Sat, 09 Apr 2022 14:24:10 +0200
Dumping Tuya firmware https://jilles.com/posts/tuya/ Sat, 09 Apr 2022 14:24:10 +0200
<p>This story started on January 18th 2022.</p>
<p>I was bored and decided to tear some cheap hardware apart to see if I could learn a new trick or two.</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/TEST1.JPG" target="_blank"><img src="https://jilles.com/img/tuya/TEST1.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/TEST2.JPG" target="_blank"><img src="https://jilles.com/img/tuya/TEST2.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/TEST3.JPG" target="_blank"><img src="https://jilles.com/img/tuya/TEST3.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/TEST4.JPG" target="_blank"><img src="https://jilles.com/img/tuya/TEST4.JPG"></a></th> </tr> </thead> <tbody> <tr> <td><a href="https://jilles.com/img/tuya/TEST5.JPG" target="_blank"><img src="https://jilles.com/img/tuya/TEST5.JPG"></a></td> <td><a href="https://jilles.com/img/tuya/TEST6.JPG" target="_blank"><img src="https://jilles.com/img/tuya/TEST6.JPG"></a></td> <td><a href="https://jilles.com/img/tuya/TEST7.JPG" target="_blank"><img src="https://jilles.com/img/tuya/TEST7.JPG"></a></td> <td><a href="https://jilles.com/img/tuya/TEST8.JPG" target="_blank"><img src="https://jilles.com/img/tuya/TEST8.JPG"></a></td> </tr> </tbody> </table>
<p>It turned out that some good friends had been working on that exact same hardware for over a year, and before I knew it I was sharing my previously dumped
firmware with them, and in return they invited me to join their project.</p>
<p>These are the Signal messages that started our collaborative journey.</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/SIGNAL1.PNG" target="_blank"><img src="https://jilles.com/img/tuya/SIGNAL1.PNG"></a></th> <th><a href="https://jilles.com/img/tuya/SIGNAL2.PNG" target="_blank"><img src="https://jilles.com/img/tuya/SIGNAL2.PNG"></a></th> </tr> </thead> </table>
<p>In order to contribute to this project from the hardware side, I started shopping for a few hundred euros on Smart Devices.</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/SHOP1.JPG" target="_blank"><img src="https://jilles.com/img/tuya/SHOP1.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/SHOP2.JPG" target="_blank"><img src="https://jilles.com/img/tuya/SHOP2.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/SHOP3.JPG" target="_blank"><img src="https://jilles.com/img/tuya/SHOP3.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/SHOP4.JPG" target="_blank"><img src="https://jilles.com/img/tuya/SHOP4.JPG"></a></th> </tr> </thead> </table>
<p>On February 7th, 2022 at exactly 22:14, both <a href="https://www.twitter.com/kmhnassar" target="_blank">Khaled</a> and <a href="https://www.twitter.com/Tom_Clement" target="_blank">Tom</a> tweeted this announcement simultaneously.</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/KHALED-TWEET.PNG" target="_blank"><img src="https://jilles.com/img/tuya/KHALED-TWEET.PNG"></a></th> <th><a href="https://jilles.com/img/tuya/TOM-TWEET.PNG" target="_blank"><img src="https://jilles.com/img/tuya/TOM-TWEET.PNG"></a></th> </tr> </thead> </table>
<p>While Khaled and Tom were working hard on the software side, I was collaborating with <a href="https://twitter.com/jhewitt_net" target="_blank">Joseph</a> on the hardware side. We spent quite some time breaking the devices open.
While most of them were plastic, some of them were <a href="https://jilles.com/img/tuya/GLASS.MOV" target="_blank">glass</a> ;-)</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/GLASS.JPG" target="_blank"><img src="https://jilles.com/img/tuya/GLASS.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/DEBRIS.JPG" target="_blank"><img src="https://jilles.com/img/tuya/DEBRIS.JPG"></a></th> </tr> </thead> </table>
<p>After tearing them (violently) apart, I soldered wires to pin headers and made a breadboard setup:</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/WIRES.JPG" target="_blank"><img src="https://jilles.com/img/tuya/WIRES.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/BREADBOARD.JPG" target="_blank"><img src="https://jilles.com/img/tuya/BREADBOARD.JPG"></a></th> </tr> </thead> </table>
<p>Have a look at the different &ldquo;SMART&rdquo; circuit boards inside the different devices.</p>
<h1 id="cb3s">CB3S</h1>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/CB3S-1.PNG" target="_blank"><img src="https://jilles.com/img/tuya/CB3S-1.PNG"></a></th> <th><a href="https://jilles.com/img/tuya/CB3S-2.PNG" target="_blank"><img src="https://jilles.com/img/tuya/CB3S-2.PNG"></a></th> </tr> </thead> </table>
<h1 id="e303692">E303692</h1>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/E303692-1.PNG" target="_blank"><img src="https://jilles.com/img/tuya/E303692-1.PNG"></a></th> <th><a href="https://jilles.com/img/tuya/E303692-2.PNG" target="_blank"><img src="https://jilles.com/img/tuya/E303692-2.PNG"></a></th> </tr> </thead> </table>
<h1 id="skylc5">SKYLC5</h1>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/SKYLC5-1.PNG" target="_blank"><img src="https://jilles.com/img/tuya/SKYLC5-1.PNG"></a></th> <th><a href="https://jilles.com/img/tuya/SKYLC5-2.PNG" target="_blank"><img src="https://jilles.com/img/tuya/SKYLC5-2.PNG"></a></th> </tr> </thead> </table>
<h1 id="wb2s">WB2S</h1>
<table> <thead> <tr>
<th><a href="https://jilles.com/img/tuya/WB2S-1.PNG" target="_blank"><img src="https://jilles.com/img/tuya/WB2S-1.PNG"></a></th> <th><a href="https://jilles.com/img/tuya/WB2S-2.PNG" target="_blank"><img src="https://jilles.com/img/tuya/WB2S-2.PNG"></a></th> </tr> </thead> </table>
<h1 id="wb3s">WB3S</h1>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/WB3S-1.PNG" target="_blank"><img src="https://jilles.com/img/tuya/WB3S-1.PNG"></a></th> <th><a href="https://jilles.com/img/tuya/WB3S-2.PNG" target="_blank"><img src="https://jilles.com/img/tuya/WB3S-2.PNG"></a></th> </tr> </thead> </table>
<h1 id="wblc3">WBLC3</h1>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/WBLC3-1.PNG" target="_blank"><img src="https://jilles.com/img/tuya/WBLC3-1.PNG"></a></th> <th><a href="https://jilles.com/img/tuya/WBLC3-2.PNG" target="_blank"><img src="https://jilles.com/img/tuya/WBLC3-2.PNG"></a></th> </tr> </thead> </table>
<h1 id="wblc5">WBLC5</h1>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/WBLC5-1.PNG" target="_blank"><img src="https://jilles.com/img/tuya/WBLC5-1.PNG"></a></th> <th><a href="https://jilles.com/img/tuya/WBLC5-2.PNG" target="_blank"><img src="https://jilles.com/img/tuya/WBLC5-2.PNG"></a></th> </tr> </thead> </table>
<p>On March 29th, 2022 the writeup of the <a href="https://rb9.nl/posts/2022-03-29-light-jailbreaking-exploiting-tuya-iot-devices/" target="_blank">Exploit</a> was published.</p>
<p><a href="https://jilles.com/img/tuya/TWEET-RELEASE.PNG" target="_blank"><img src="https://jilles.com/img/tuya/TWEET-RELEASE.PNG"></a></p>
<p>It allows patching without having to damage or open the devices (for the ones that we have already done). You can help others by dumping the firmware of your own device.</p>
<p><a href="https://github.com/khalednassar/tuya-cloudcutter" target="_blank"><img src="https://jilles.com/img/tuya/MEME.JPG"></a></p>
<p>I handed the remaining devices over to Tom, to clear some space in this crowded house for the next
projects ;-)</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/EMPTYBOXES.JPG" target="_blank"><img src="https://jilles.com/img/tuya/EMPTYBOXES.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/DEVICES.JPG" target="_blank"><img src="https://jilles.com/img/tuya/DEVICES.JPG"></a></th> </tr> </thead> </table>
<hr>
<h1 id="i-will-perform-a-live-demonstration-to-show-the-actual-process-of-dumping-the-firmware-with-a-random-smart-bulb-that-was-given-to-me-recently">I will perform a &lsquo;live&rsquo; demonstration to show the actual process of dumping the firmware with a random smart bulb that was given to me recently.</h1>
<hr>
<p>In order to motivate their residents to become more sustainable, most municipalities offer free products from <a href="https://www.woonwijzerwebshop.nl/products/woox-led-slimme-verlichting-e14?_pos=6&_sid=59855da2c&_ss=r" target="_blank">WoonWijzerWinkel</a> as an incentive.</p>
<p>One of the available products was a WOOX E14 SMART BULB (Full Colour+White).</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/WOOX-FRONT.JPG" target="_blank"><img src="https://jilles.com/img/tuya/WOOX-FRONT.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/WOOX-LEFT.JPG" target="_blank"><img src="https://jilles.com/img/tuya/WOOX-LEFT.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/WOOX-BACK.JPG" target="_blank"><img src="https://jilles.com/img/tuya/WOOX-BACK.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/WOOX-RIGHT.JPG" target="_blank"><img src="https://jilles.com/img/tuya/WOOX-RIGHT.JPG"></a></th> </tr> </thead> </table>
<p>Their <a href="https://wooxhome.com/about-us-i1" target="_blank">website</a> shows that they use Tuya.</p>
<p><a href="https://jilles.com/img/tuya/WOOX-ABOUT.PNG" target="_blank"><img src="https://jilles.com/img/tuya/WOOX-ABOUT.PNG"></a></p>
<p>Let&rsquo;s see what is inside (the box):</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/WOOX-LAMP1.JPG"
target="_blank"><img src="https://jilles.com/img/tuya/WOOX-LAMP1.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/WOOX-LAMP2.JPG" target="_blank"><img src="https://jilles.com/img/tuya/WOOX-LAMP2.JPG"></a></th> </tr> </thead> </table>
<p>Now gently take off the cap (after testing that it is not glass):</p>
<p><a href="https://jilles.com/img/tuya/WOOX-OPEN.JPG" target="_blank"><img src="https://jilles.com/img/tuya/WOOX-OPEN.JPG"></a></p>
<p>Now for more destructive work:</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/INSIDE1.JPG" target="_blank"><img src="https://jilles.com/img/tuya/INSIDE1.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/INSIDE2.JPG" target="_blank"><img src="https://jilles.com/img/tuya/INSIDE2.JPG"></a></th> </tr> </thead> </table>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/INSIDE3.JPG" target="_blank"><img src="https://jilles.com/img/tuya/INSIDE3.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/INSIDE4.JPG" target="_blank"><img src="https://jilles.com/img/tuya/INSIDE4.JPG"></a></th> </tr> </thead> </table>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/INSIDE5.JPG" target="_blank"><img src="https://jilles.com/img/tuya/INSIDE5.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/INSIDE6.JPG" target="_blank"><img src="https://jilles.com/img/tuya/INSIDE6.JPG"></a></th> </tr> </thead> </table>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/INSIDE7.JPG" target="_blank"><img src="https://jilles.com/img/tuya/INSIDE7.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/INSIDE8.JPG" target="_blank"><img src="https://jilles.com/img/tuya/INSIDE8.JPG"></a></th> </tr> </thead> </table>
<p>When taking pictures with my microscope I use a high-power flashlight to make the identification on the chip more readable.</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/MODULE1.JPG" target="_blank"><img src="https://jilles.com/img/tuya/MODULE1.JPG"></a></th> <th><a
href="https://jilles.com/img/tuya/MODULE2.JPG" target="_blank"><img src="https://jilles.com/img/tuya/MODULE2.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/MODULE3.JPG" target="_blank"><img src="https://jilles.com/img/tuya/MODULE3.JPG"></a></th> </tr> </thead> </table>
<p>When you follow the traces using the continuity check of a multimeter, this will be the pinout:</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/BEKEN.PNG" target="_blank"><img src="https://jilles.com/img/tuya/BEKEN.PNG"></a></th> <th><a href="https://jilles.com/img/tuya/PINOUT.PNG" target="_blank"><img src="https://jilles.com/img/tuya/PINOUT.PNG"></a></th> </tr> </thead> </table>
<p>Next up, wire the tiny circuit board onto a breadboard:</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/CIRCUIT1.JPG" target="_blank"><img src="https://jilles.com/img/tuya/CIRCUIT1.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/CIRCUIT2.JPG" target="_blank"><img src="https://jilles.com/img/tuya/CIRCUIT2.JPG"></a></th> </tr> </thead> </table>
<p>We need to look at the <a href="https://www.ftdichip.com/Support/Documents/DataSheets/ICs/DS_FT2232H.pdf" target="_blank">FT2232HL Datasheet</a> in order to wire it to the FTDI.</p>
<table> <thead> <tr> <th><a href="https://jilles.com/img/tuya/FT2232HL.JPG" target="_blank"><img src="https://jilles.com/img/tuya/FT2232HL.JPG"></a></th> <th><a href="https://jilles.com/img/tuya/FT2232HL.PNG" target="_blank"><img src="https://jilles.com/img/tuya/FT2232HL.PNG"></a></th> </tr> </thead> </table>
<p>First check UART2 for console data:</p>
<pre tabindex="0"><code>****SystemReset****
[01-01 18:12:16 TUYA Notice] :BK7231S_1.0.5
CPSR:000000D3
R0:00000028
R1:00001700
R2:00800130
R3:0000003B
R4:00000001
R13:00402DB0
R14(LR):0004F896
ST:00000001
J 0x10000
prvHeapInit-start addr:0x41f1d8, size:134696
[01-01 18:12:15 TUYA Debug][uni_thread.c:215] Thread:sys_timer Exec Start. Set to Running Status
[01-01 18:12:15 TUYA Err][online_log_serv.c:280] log stats ufread fail.
[01-01 18:12:15 TUYA Debug][online_log_serv.c:540] log serv init success
[01-01 18:12:15 TUYA Notice][light_system.c:1425] go to pre device! bk_rst:1 tuya_rst:4[01-01 18:12:15 TUYA Notice][light_system.c:1436] goto first bright up! bk_rst:1 tuya_rst:40xcb 0x4e 0x3e 0xa4 0x0 0x30 0x9d 0xab 0x65 0x6d 0x8d 0xbf 0xe4 0xb9 0x3f 0x35
[01-01 18:12:15 TUYA Notice][tuya_main.c:203] **********[oem_bk7231s_light_ty] [1.1.2] compiled at May 30 2020 16:23:50**********
[rx_iq]rx_amp_err_rd: 0xfffffffd
[rx_iq]rx_phase_err_rd: 0xfffffffd
[rx_iq]rx_ty2_rd: 0x000
*********** finally result **********
gbias_after_cal: 0x15
gav_tssi: 0x1f
gtx_q_dc_comp:0x1fc
gtx_i_dc_comp:0x200
gtx_i_gain_comp:1023
gtx_q_gain_comp:1023
gtx_phase_comp:501
gtx_phase_ty2:512
gtx_ifilter_corner over: 0xa
gtx_qfilter_corner over: 0xa
gtx_dcorMod:0x8, gtx_dcorPA:0xa
gtx_pre_gain:0x0
g_rx_dc_gain_tab 0 over: 0x80808080
g_rx_dc_gain_tab 1 over: 0x88788880
g_rx_dc_gain_tab 2 over: 0x92789078
g_rx_dc_gain_tab 3 over: 0xbc60ac68
g_rx_dc_gain_tab 4 over: 0xbe60bc60
g_rx_dc_gain_tab 5 over: 0xbc5fbe60
g_rx_dc_gain_tab 6 over: 0xbc5ebc5e
g_rx_dc_gain_tab 7 over: 0xbc5dbc5f
grx_amp_err_wr:0x201
grx_phase_err_wr:0x3ff
**************************************
temp in flash is:276
lpf_i &amp; q in flash is:9, 9
xtal in flash is:32
-----pwr_gain:12, g_idx:12, shift_b:0, shift_g:0
-----[pwr_gain]12
Initializing TCP/IP stack
[01-01 18:12:17 TUYA Notice][tuya_main.c:229] mf_init succ
[01-01 18:12:17 TUYA Notice][tuya_ble_api.c:292] ble sdk inited
device id key : 16 d4 1d 8c d9 8f 00 b2 04 e9 80 09 98 ec f8 42 7e
!!!!!!!!!!tuya_bt_port_init
[01-01 18:12:17 TUYA Notice][tuya_ble_api.c:328] ble sdk re_inited
[01-01 18:12:17 TUYA Notice][tuya_bt_sdk.c:319] ty bt sdk init success finish
[01-01 18:12:17 TUYA Notice][light_system.c:1484] &lt; TUYA IOT SDK V:2.0.0 BS:30.06_PT:2.2_LAN:3.3_CAD:1.0.2_CD:1.0.0 &gt;
&lt; tuya_iot_lib BUILD AT:2018_12_05_17_03_30 BY tuya_iot_team AT 8710_2M &gt;
IOT DEFS &lt; WIFI_GW:1 DEBUG:1 KV_FILE:0 SHUTDOWN_MODE:0 LITTL[01-01 18:12:17 TUYA Notice][light_system.c:1485] oem_bk7231s_light_ty:1.1.2
[01-01 18:12:17 TUYA Notice][device_config_load.c:310] device config data already load! Don&#39;t load again!!
[01-01 18:12:17 TUYA Notice][light_set_color.c:94] Drive init already init ok
[01-01 18:12:17 TUYA Notice][tuya_main.c:128] current product ssid name:tuya_mdev_test2
ht in scan
scan_start_req_handler
gapm_cmp_evt_handler operation = 0x1, status = 0x0
gapm_cmp_evt_handler operation = 0x3, status = 0x0
STACK INIT OK
ble_env-&gt;start_hdl = 0x7gapm_cmp_evt_handler operation = 0x1b, status = 0x0
CREATE DB SUCCESS
[01-01 18:12:17 TUYA Notice][tuya_ble_api.c:256] rev ble event 3
device id key : 16 d4 1d 8c d9 8f 00 b2 04 e9 80 09 98 ec f8 42 7e
!!!!!!!!!!tuya_bt_reset_adv
[01-01 18:12:17 TUYA Notice][tuya_ble_api.c:120] ble adv &amp;&amp; resp changed
do td cur_t:303--last:idx:13,t:276 -- new:idx:15,t:300 --0xc:08, shift_b:0, shift_g:0, X:1
[01-01 18:12:19 TUYA Notice][gw_intf.c:3166] serial_no:10d56174f567
[01-01 18:12:19 TUYA Notice][gw_intf.c:3197] gw_cntl.gw_wsm.stat:0
[01-01 18:12:19 TUYA Notice][gw_intf.c:3200] gw_cntl.gw_wsm.nc_tp:1
[01-01 18:12:19 TUYA Notice][gw_intf.c:3201] gw_cntl.gw_wsm.md:0
[01-01 18:12:19 TUYA Notice][gw_intf.c:3238] gw_cntl.gw_if.abi:0 input:0
[01-01 18:12:19 TUYA Notice][gw_intf.c:3239] gw_cntl.gw_if.product_key:keytg5kq8gvkv9dh, input:keytg5kq8gvkv9dh
[01-01 18:12:19 TUYA Notice][gw_intf.c:3240] gw_cntl.gw_if.tp:0, input:0
[01-01 18:12:19 TUYA Notice][gw_intf.c:3242] gw_cntl.gw_if.firmware_key:keytg5kq8gvkv9dh, input:keytg5kq8gvkv9dh
[01-01 18:12:19 TUYA Notice][tuya_bt_sdk.c:337] ty bt update product:keytg5kq8gvkv9dh 1
[01-01 18:12:19 TUYA Notice][tuya_ble_api.c:137] update product_id type:1 keytg5kq8gvkv9dh b765eb2d66ef4129 qW8PHxYi99JagWUI3c5dnRsovLgi4q5M
[01-01 18:12:19 TUYA Notice][gw_intf.c:2981] start tmm long timer,cfg_lp_timeout:180000ms
[01-01 18:12:19 TUYA Notice][light_system.c:1395] frame init ok!
ht in scan
scan_start_req_handler
[01-01 18:12:20 TUYA Err][uf_flash_file_app.c:339] uf_get_size err,filepath:3,ret:13
[01-01 18:12:20 TUYA Err][uf_flash_file_app.c:339] uf_get_size err,filepath:5,ret:13
[01-01 18:12:20 TUYA Err][uf_flash_file_app.c:339] uf_get_size err,filepath:4,ret:13
[01-01 18:12:20 TUYA Notice][light_system.c:594] start ez config auto blink
[01-01 18:12:20 TUYA Notice][bp1658cj.c:191] low power mode
[01-01 18:12:21 TUYA Notice][bp1658cj.c:191] low power mode
[01-01 18:12:21 TUYA Notice][bp1658cj.c:191] low power mode
me_set_ps_disable:840 0 0 0 462557 952021
------beacon_int_set:100 TU
set_active param 0
[msg]APM_STOP_CFM
update_ongoing_1_bcn_update
mm-next-timer_null
hal_machw_enter_monitor_mode
[01-01 18:12:21 TUYA Notice][tuya_bt_sdk.c:345] ty bt start network cfg..
[01-01 18:12:21 TUYA Notice][tuya_ble_api.c:161] update bound state 0
device id key : 16 6b 51 d4 fd 36 e5 b3 aa 4b 3a 9a b5 df 6e 0b cc
!!!!!!!!!!tuya_bt_reset_adv
[01-01 18:12:21 TUYA Notice][tuya_ble_api.c:120] ble adv &amp;&amp; resp changed
!!!!!!!!!!tuya_before_netcfg_cb
appm start advertising
[01-01 18:12:22 TUYA Notice][bp1658cj.c:191] low power mode
do td cur_t:309--last:idx:15,t:300 -- new:idx:16,t:312 --0xc:08, shift_b:0, shift_g:0, X:0
[01-01 18:12:22 TUYA Notice][bp1658cj.c:191] low power mode
[01-01 18:12:23 TUYA Notice][bp1658cj.c:191] low power mode
[01-01 18:12:23 TUYA Notice][bp1658cj.c:191] low power mode
</code></pre>
<p>Now dump the firmware:</p>
<pre tabindex="0"><code>jilles@arch ~/tools/tuya_dumps$ ./dump.sh WOOX
Connected!
Chip info: BK7231S_1.0.5
Reading 4k page at 0X2000000 (0.00%)
Reading 4k page at 0X2001000 (0.20%)
Reading 4k page at 0X2002000 (0.39%)
Reading 4k page at 0X2003000 (0.59%)
|
|
|
|
|
|
|
|
Reading 4k page at 0X21FC000 (99.22%)
Reading 4k page at 0X21FD000 (99.41%)
Reading 4k page at 0X21FE000 (99.61%)
Reading 4k page at 0X21FF000 (99.80%)
RBL containers:
    0x10f9a: bootloader - [encoding_algorithm=NONE, size=0xdd20] - extracted to WOOX/WOOX_bootloader_1.00.bin
    0x129f0a: app - [encoding_algorithm=NONE, size=0xed5e0] - extracted to WOOX/WOOX_app_1.00.bin
total 3056
-rw-r--r-- 1 jilles jilles  972256 Apr  5 23:47 WOOX_app_1.00.bin
-rw-r--r-- 1 jilles jilles   56608 Apr  5 23:47 WOOX_bootloader_1.00.bin
-rw-r--r-- 1 jilles jilles 2097152 Apr  5 23:47 WOOX.dump
/**&lt; @author &lt;jiewu@bekencorp.com&gt; */
/**&lt; @version v0.3.1 */
encrypt without crc successfully!
-file size: 0xed5f0
/**&lt; @author &lt;jiewu@bekencorp.com&gt; */
/**&lt; @version v0.3.1 */
encrypt without crc successfully!
-file size: 0xdd30
total 4068
drwxr-xr-x  2 jilles jilles     157 Apr  5 23:47 .
drwxr-xr-x 12 jilles jilles    4096 Apr  5 23:46 ..
-rw-r--r--  1 jilles jilles  972256 Apr  5 23:47 WOOX_app_1.00.bin
-rw-r--r--  1 jilles jilles  972272 Apr  5 23:47 WOOX_app_1.00_decrypted.bin
-rw-r--r--  1 jilles jilles   56608 Apr  5 23:47 WOOX_bootloader_1.00.bin
-rw-r--r--  1 jilles jilles   56624 Apr  5 23:47 WOOX_bootloader_1.00_decrypted.bin
-rw-r--r--  1 jilles jilles 2097152 Apr  5 23:47 WOOX.dump

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
52420         0xCCC4          CRC32 polynomial table, little endian
55687         0xD987          Copyright string: &#34;Copyright 1995-2005 Mark Adler &#34;

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
650644        0x9ED94         SHA256 hash constants, little endian
833328        0xCB730         AES Inverse S-Box
846811        0xCEBDB         Copyright string: &#34;Copyright (c) 2003-2015, Jouni Malinen &lt;j@w1.fi&gt; and contributors&#34;
889100        0xD910C         CRC32 polynomial table, little endian
895777        0xDAB21         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_sdk/tuya_iot_wifi_api.c
900573        0xDBDDD         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/gw_intf.c
907326        0xDD83E         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/smart_frame.c
917611        0xE006B         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_base/kv_storge/flash/simple_flash_app.c
920463        0xE0B8F         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_base/sys_serv/uni_time_queue.c
923506        0xE1772         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/adapter_platform.c
924457        0xE1B29         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/system/uni_semaphore.c
924977        0xE1D31         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/utilities/uni_time.c
925485        0xE1F2D         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/utilities/mem_pool.c
925898        0xE20CA         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/wifi_intf/wf_basic_intf.c
926044        0xE215C         CRC32 polynomial table, little endian
927068        0xE255C         CRC32 polynomial table, little endian
928156        0xE299C         Base64 standard index table
928486        0xE2AE6         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/bt_conn/tuya_ble_api.c
931060        0xE34F4         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/bt_conn/tuya_ble_mutli_tsf_protocol.c
933576        0xE3EC8         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_cfg_serv/ez_mc.c
938044        0xE503C         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/iot_httpc.c
943947        0xE674B         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/com_protocol.c
955024        0xE9290         SHA256 hash constants, little endian
955549        0xE949D         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_cfg_serv/wf_sniffer_intf.c
</code></pre>
<p>I created a small program to make my life easier:</p>
<pre tabindex="0"><code>#!/bin/bash
# dump.sh &lt;foldername&gt; - dump, dissect and decrypt the flash of a BK7231 based Tuya device.
# The dump, the extracted RBL containers and the decrypted images all end up in &lt;foldername&gt;/.
BKTOOLS=~/Git/bk7231tools/bk7231tools.py

if [ &#34;$1&#34; == &#34;&#34; ];then
  echo
  echo Syntax:
  echo \ \ dump.sh \&lt;foldername\&gt;
  echo
  exit
fi

if [ ! -d &#34;$1&#34; ];then
  mkdir &#34;$1&#34;
fi

# Dump Flash: 512 pages of 4k (2 MB) starting at 0x02000000, over the UART on /dev/ttyUSB0
if [ ! -f &#34;$1/$1.dump&#34; ];then
  python ${BKTOOLS} read_flash &#34;$1/$1.dump&#34; -d /dev/ttyUSB0 --no-verify-checksum -s 02000000 -c 512 -b 921600
fi

if [ ! -f &#34;$1/$1.dump&#34; ];then
  echo Nothing dumped - exiting
  exit
fi

# Remove previously extracted files
for f in &#34;$1&#34;/*bin &#34;$1&#34;/*cpr &#34;$1&#34;/*out ;do
  rm -f &#34;$f&#34;
done

# Extract items (the RBL containers: bootloader and app) from the flash dump
python ${BKTOOLS} dissect_dump &#34;$1/$1.dump&#34; -e -O &#34;$1/&#34;
ls -l &#34;$1/&#34;

# Fetch the encrypt tool from the Tuya SDK once, and check its hash before running it
if [ ! -f encrypt ];then
  wget &#34;https://github.com/tuya/tuya-iotos-embeded-sdk-wifi-ble-bk7231t/blob/master/platforms/bk7231t/bk7231t_os/tools/generate/package_tool/linux/encrypt?raw=true&#34; -O encrypt
  chmod +x encrypt
fi

hash=$(sha1sum encrypt | cut -d&#39; &#39; -f1)
if [ ! &#34;$hash&#34; == &#34;3631612a9e7158b3043385745729324d53c6a5c2&#34; ];then
  echo encrypt file has different hash, be careful
  exit
fi

# Decrypt items: the last argument is the start address (0x10000 for the app, 0 for the bootloader)
./encrypt &#34;$1/$1_app_1.00.bin&#34; 510fb093 a3cbeadc 5993a17e c7adeb03 10000
mv &#34;$1/$1_app_1.00_enc.bin&#34; &#34;$1/$1_app_1.00_decrypted.bin&#34;
./encrypt &#34;$1/$1_bootloader_1.00.bin&#34; 510fb093 a3cbeadc 5993a17e c7adeb03 0
mv &#34;$1/$1_bootloader_1.00_enc.bin&#34; &#34;$1/$1_bootloader_1.00_decrypted.bin&#34;

rm -f &#34;$1&#34;/*cpr
rm -f &#34;$1&#34;/*out

ls -la &#34;$1/&#34;
binwalk &#34;$1/$1_bootloader_1.00_decrypted.bin&#34;
binwalk &#34;$1/$1_app_1.00_decrypted.bin&#34;
</code></pre>
<p>And that&rsquo;s how another dump is added to the list of devices:</p>
<pre tabindex="0"><code>$ tree
.
+-- 2578539-970719-White-And-Color-Ambiance-E27-806Lumen
|   +-- 2578539-970719_app_1.00.bin
|   +-- 2578539-970719_app_1.00_decrypted.bin
|   +-- 2578539-970719_bootloader_1.00.bin
|   +-- 2578539-970719_bootloader_1.00_decrypted.bin
|   +-- 2578539-970719.dump
|
+-- 2578539-970724-White-And-Color-Ambiance-E27-806Lumen
|   +-- 2578539-970724_app_1.00.bin
|   +-- 2578539-970724_app_1.00_decrypted.bin
|   +-- 2578539-970724_bootloader_1.00.bin
|   +-- 2578539-970724_bootloader_1.00_decrypted.bin
|   +-- 2578539-970724.dump
|
+-- 3000267-Tunable-White-GU10-345Lumen
|   +-- 3000267_app_1.00.bin
|   +-- 3000267_app_1.00_decrypted.bin
|   +-- 3000267_bootloader_1.00.bin
|   +-- 3000267_bootloader_1.00_decrypted.bin
|   +-- 3000267.dump
|
+-- 3000272-Tunable-White-E27-806Lumen
|   +-- 3000272_app_1.00.bin
|   +-- 3000272_app_1.00_decrypted.bin
|   +-- 3000272_bootloader_1.00.bin
|   +-- 3000272_bootloader_1.00_decrypted.bin
|   +-- 3000272.dump
|
+-- 3000273-Tunable-White-E27-1400Lumen
|   +-- 3000273_app_1.00.bin
|   +-- 3000273_app_1.00_decrypted.bin
|   +-- 3000273_bootloader_1.00.bin
|   +-- 3000273_bootloader_1.00_decrypted.bin
|   +-- 3000273.dump
|
+-- 3001686-970709-Warm-White-Smart-Filament-E27-806Lumen
|   +-- 3001686_app_1.00.bin
|   +-- 3001686_app_1.00_decrypted.bin
|   +-- 3001686_bootloader_1.00.bin
|   +-- 3001686_bootloader_1.00_decrypted.bin
|   +-- 3001686.dump
|
+-- 3001700-970739-Warm-White-Smart-Filament-E27-806Lumen
|   +-- 3001700_app_1.00.bin
|   +-- 3001700_app_1.00_decrypted.bin
|   +-- 3001700_bootloader_1.00.bin
|   +-- 3001700_bootloader_1.00_decrypted.bin
|   +-- 3001700.dump
|
+-- 3001702-970727-Warm-White-Ambiance-Smart-Filament-E14-470Lumen
|   +-- 3001702_app_1.00.bin
|   +-- 3001702_app_1.00_decrypted.bin
|   +-- 3001702_bootloader_1.00.bin
|   +-- 3001702_bootloader_1.00_decrypted.bin
|   +-- 3001702.dump
|
+-- 3004154-LED-Mood-Light
|   +-- 3004154_app_1.00.bin
|   +-- 3004154_app_1.00_decrypted.bin
|   +-- 3004154_bootloader_1.00.bin
|   +-- 3004154_bootloader_1.00_decrypted.bin
|   +-- 3004154.dump
|
+-- 3004200-WiFi-Outdoor-Dual-Socket
|   +-- 3004200_app_1.00.bin
|   +-- 3004200_app_1.00_decrypted.bin
|   +-- 3004200_bootloader_1.00.bin
|   +-- 3004200_bootloader_1.00_decrypted.bin
|   +-- 3004200.dump
|
+-- 3004919-970710-Smart-LED-RGB-Tunable-White-GU10-380Lumen
|   +-- 3004919_970710_app_1.00.bin
|   +-- 3004919_970710_app_1.00_decrypted.bin
|   +-- 3004919_970710_bootloader_1.00.bin
|   +-- 3004919_970710_bootloader_1.00_decrypted.bin
|   +-- 3004919_970710.dump
|
+-- 3005364-970796-WiFi-Smart-Outdoor-Garden-Lamp
|   +-- 3005364-970796_app_1.00.bin
|   +-- 3005364-970796_app_1.00_decrypted.bin
|   +-- 3005364-970796_bootloader_1.00.bin
|   +-- 3005364-970796_bootloader_1.00_decrypted.bin
|   +-- 3005364-970796.dump
|
+-- 3006033-Dimmer-Switch
|   +-- 3006033_app_1.00.bin
|   +-- 3006033_app_1.00_decrypted.bin
|   +-- 3006033_bootloader_1.00.bin
|   +-- 3006033_bootloader_1.00_decrypted.bin
|   +-- 3006033.dump
|
+-- 3006767-Tunable-White-Downlight-360Lumen
|   +-- 3006767_app_1.00.bin
|   +-- 3006767_app_1.00_decrypted.bin
|   +-- 3006767_bootloader_1.00.bin
|   +-- 3006767_bootloader_1.00_decrypted.bin
|   +-- 3006767.dump
|
+-- 3007213-970787-Ceiling-Light
|   +-- dump_3007213_970787_app_1.00.bin
|   +-- dump_3007213_970787_app_1.00_enc.bin
|   +-- dump_3007213_970787.bin
|   +-- dump_3007213_970787_bootloader_1.00.bin
|   +-- dump_3007213_970787_bootloader_1.00_enc.bin
|
+-- 3007257-970729-Extra-Warm-White-Ambiance-Smart-Filament-E27-350Lumen
|   +-- 3007257_app_1.00.bin
|   +-- 3007257_app_1.00_decrypted.bin
|   +-- 3007257_bootloader_1.00.bin
|   +-- 3007257_bootloader_1.00_decrypted.bin
|   +-- 3007257.dump
|
+-- 8435606703567-WOOX-Smart-Bulb-Full-Colour-and-White-E14-470Lumen
|   +-- WOOX_app_1.00.bin
|   +-- WOOX_app_1.00_decrypted.bin
|   +-- WOOX_bootloader_1.00.bin
|   +-- WOOX_bootloader_1.00_decrypted.bin
|   +-- WOOX.dump
|
+-- 970715_E27_WCW
|   +-- 970715_E27_WCW_app_1.00.bin
|   +-- 970715_E27_WCW_app_1.00_decrypted.bin
|   +-- 970715_E27_WCW_bootloader_1.00.bin
|   +-- 970715_E27_WCW_bootloader_1.00_decrypted.bin
|   +-- 970715_E27_WCW.dump
|
+-- MoodLight_WB3S
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd_app_1.00.bin
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd_app_1.00_decrypted.bin
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd_app_1.00_decrypted_copy_for_demo.bin
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd_bootloader_1.00.bin
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd_bootloader_1.00_decrypted.bin
    +-- LSC_mood_light_BK7231_2MB_Flash_CRCd.dump
</code></pre>
Contact https://jilles.com/contact/ Sat, 09 Apr 2022 10:24:10 +0200
<p>Github: <a href="https://github.com/jillesdotcom" target="_blank">JillesDOTCOM</a></p>
<p>Discord: <a href="https://discordapp.com/users/306387751543111680" target="_blank">jilles_com#3670</a></p>
<p>Email: <a href="mailto:jilles@jilles.com">jilles@jilles.com</a></p>
<p>PGP Fingerprint: AF5B DBA0 2E5F 6C74 10B2 8293 1063 86F6 6513 DA66</p>
<pre tabindex="0"><code>-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Hostname: pgp.surf.nl
Version: Hockeypuck 2.1.0-222-g25248d4

xjMEZPMPLhYJKwYBBAHaRw8BAQdAJKvNqVHod52aWgRDIf9aaCXibGzNJjgSWLps
DNl0c5rNJkppbGxlcyBHcm9lbmVuZGlqayA8amlsbGVzQGppbGxlcy5jb20+wpYE
ExYIAD4WIQSvW9ugLl9sdBCygpMQY4b2ZRPaZgUCZPMPLgIbAQUJAeEzgAULCQgH
AgYVCgkICwIEFgIDAQIeAQIXgAAKCRAQY4b2ZRPaZntHAQDLPHgcdLcqgh9gbP/w
2YHfUlvw2dVj+iTyr/rVx851DQD+Md9LS5Z3dzf6QGY1X1fAmNq4Yrwn6OZZ1o+s
FYWV7QTOMwRk8w8yFgkrBgEEAdpHDwEBB0BGpuefKJIQCU1lncH5qtYHPGRhgGR0
3yXEQzLyXzoBd8J+BBgWCAAmFiEEr1vboC5fbHQQsoKTEGOG9mUT2mYFAmTzDzIC
GyAFCQHhM4AACgkQEGOG9mUT2mZiBgEA1j4wBz+CIJnFpQB/5M0ls21hbXpvMt9G
jNSyQtkCFUUA/iTgP3jxBrALMcL9SSH+WkOMePTiSBQDkpLyShypRK0LzjMEZPMP
MRYJKwYBBAHaRw8BAQdA3ns5teIcEq8PWj8jDmx6pbt1TAdE2T1s41IrPyhUGR3C
wDUEGBYIACYWIQSvW9ugLl9sdBCygpMQY4b2ZRPaZgUCZPMPMQIbAgUJAeEzgACB
CRAQY4b2ZRPaZnYgBBkWCAAdFiEETpL+UkTO5r72svYIskLjtDenCcUFAmTzDzEA
CgkQskLjtDenCcXe9gD/WvnntOgZ8aFbxatSj+iUaw8kP4xEA+8YpEzX3irOyyoA
/itmjmVDAZ3p0U7MVvQTcY/hQzhsA8S+xt0ayGTBy48EzjgA/2ljjpsaQBHcg8n3
PjlROIISawtyz1HS3JopQUUYJQycAP9viWact8MA/+xH1wF6gCnVw5Iq4raBL832
1y5QAFL+AM44BGTzDzASCisGAQQBl1UBBQEBB0CdvQEheGpJKwiVTQejgRsS4BKB
r3FHhfTWOv5hMajjVAMBCAfCfgQYFggAJhYhBK9b26AuX2x0ELKCkxBjhvZlE9pm
BQJk8w8wAhsMBQkB4TOAAAoJEBBjhvZlE9pmVnABAImaUn5kKsRVNm6tLiQYlg1C
stX2ghMg2eGPKT70WkJTAQC7SDG1rM7aAok3m6DnZtedA7V4hR5BvsWSdnLoWcOM
Bg==
=3hla -----END PGP PUBLIC KEY BLOCK----- </code></pre> Dumpsterdiving for network access https://jilles.com/posts/credible/ Tue, 05 Apr 2022 10:24:10 +0200 https://jilles.com/posts/credible/ I did a lecture on hardware hacking last year for Tweakers. One of the comments under the announcement was a remark to put my money where my mouth was. Just scaring people by telling them I could simply login to your network when you throw away you broken Smart light was not very credible. And eventhough people were kindly speaking up for me I would still like to illustrate how simple it is. <p><a href="https://tweakers.net/plan/3284/jilles-groenendijk-hackt-smart-tvs-en-slimme-lampen-voor-zijn-klanten.html" target="_blank"><img src="https://jilles.com/img/credible/TWEAKERS.PNG"></a></p> <p>I did a lecture on hardware hacking last year for <a href="https://twitter.com/HugovdToorn/status/1456928436799279109" target="_blank">Tweakers</a>. One of the comments under the announcement was a remark to put my money where my mouth was. Just scaring people by telling them I could simply login to your network when you throw away you broken Smart light was not very <a href="https://tweakers.net/plan/3284/jilles-groenendijk-hackt-smart-tvs-en-slimme-lampen-voor-zijn-klanten.html" target="_blank">credible</a>. 
And even though people kindly spoke up for me, I would still like to illustrate how simple it is.</p>
<h2 id="step-1---breakinghttpswwwjillescomtuya-a-lightbulb">Step 1 - <a href="https://www.jilles.com/tuya">Breaking</a> a lightbulb</h2>
<p><a href="https://jilles.com/img/tuya/WOOX-OPEN.JPG" target="_blank"><img src="https://jilles.com/img/tuya/WOOX-OPEN.JPG"></a></p>
<h2 id="step-2---soldering-4-wires">Step 2 - Soldering 4 wires</h2>
<table> <thead> <tr> <th><a href="https://jilles.com/img/credible/4WIRES1.JPG" target="_blank"><img src="https://jilles.com/img/credible/4WIRES1.JPG"></a></th> <th><a href="https://jilles.com/img/credible/4WIRES2.JPG" target="_blank"><img src="https://jilles.com/img/credible/4WIRES2.JPG"></a></th> </tr> </thead> </table>
<h2 id="step-3---running-1-script-to-dump-the-firmware">Step 3 - Running 1 script to dump the firmware</h2>
<pre tabindex="0"><code>jilles@arch ~/tools/tuya_dumps$ ./dump.sh HACK
Connected!
Chip info: BK7231S_1.0.5
Reading 4k page at 0X2000000 (0.00%)
Reading 4k page at 0X2001000 (0.20%)
Reading 4k page at 0X2002000 (0.39%)
Reading 4k page at 0X2003000 (0.59%)
|
|
|
|
Reading 4k page at 0X21FB000 (99.02%)
Reading 4k page at 0X21FC000 (99.22%)
Reading 4k page at 0X21FD000 (99.41%)
Reading 4k page at 0X21FE000 (99.61%)
Reading 4k page at 0X21FF000 (99.80%)
RBL containers:
  0x10f9a: bootloader - [encoding_algorithm=NONE, size=0xdd20] - extracted to HACK/HACK_bootloader_1.00.bin
  0x129f0a: app - [encoding_algorithm=NONE, size=0xed5e0] - extracted to HACK/HACK_app_1.00.bin
total 3056
-rw-r--r-- 1 jilles jilles  972256 Apr  6 02:40 HACK_app_1.00.bin
-rw-r--r-- 1 jilles jilles   56608 Apr  6 02:40 HACK_bootloader_1.00.bin
-rw-r--r-- 1 jilles jilles 2097152 Apr  6 02:40 HACK.dump
/**&lt; @author &lt;jiewu@bekencorp.com&gt; */
/**&lt; @version v0.3.1 */
encrypt without crc successfully!
-file size: 0xed5f0
/**&lt; @author &lt;jiewu@bekencorp.com&gt; */
/**&lt; @version v0.3.1 */
encrypt without crc successfully!
-file size: 0xdd30
total 4068
drwxr-xr-x  2 jilles jilles     157 Apr  6 02:40 .
drwxr-xr-x 12 jilles jilles    4096 Apr  6 02:39 ..
-rw-r--r--  1 jilles jilles  972256 Apr  6 02:40 HACK_app_1.00.bin
-rw-r--r--  1 jilles jilles  972272 Apr  6 02:40 HACK_app_1.00_decrypted.bin
-rw-r--r--  1 jilles jilles   56608 Apr  6 02:40 HACK_bootloader_1.00.bin
-rw-r--r--  1 jilles jilles   56624 Apr  6 02:40 HACK_bootloader_1.00_decrypted.bin
-rw-r--r--  1 jilles jilles 2097152 Apr  6 02:40 HACK.dump

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
52420         0xCCC4          CRC32 polynomial table, little endian
55687         0xD987          Copyright string: &#34;Copyright 1995-2005 Mark Adler &#34;

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
650644        0x9ED94         SHA256 hash constants, little endian
833328        0xCB730         AES Inverse S-Box
846811        0xCEBDB         Copyright string: &#34;Copyright (c) 2003-2015, Jouni Malinen &lt;j@w1.fi&gt; and contributors&#34;
889100        0xD910C         CRC32 polynomial table, little endian
895777        0xDAB21         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_sdk/tuya_iot_wifi_api.c
900573        0xDBDDD         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/gw_intf.c
907326        0xDD83E         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/smart_frame.c
917611        0xE006B         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_base/kv_storge/flash/simple_flash_app.c
920463        0xE0B8F         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_base/sys_serv/uni_time_queue.c
923506        0xE1772         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/adapter_platform.c
924457        0xE1B29         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/system/uni_semaphore.c
924977        0xE1D31         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/utilities/uni_time.c
925485        0xE1F2D         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/utilities/mem_pool.c
925898        0xE20CA         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_adapter/wifi_intf/wf_basic_intf.c
926044        0xE215C         CRC32 polynomial table, little endian
927068        0xE255C         CRC32 polynomial table, little endian
928156        0xE299C         Base64 standard index table
928486        0xE2AE6         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/bt_conn/tuya_ble_api.c
931060        0xE34F4         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/bt_conn/tuya_ble_mutli_tsf_protocol.c
933576        0xE3EC8         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_cfg_serv/ez_mc.c
938044        0xE503C         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/iot_httpc.c
943947        0xE674B         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/tuya_cloud/com_protocol.c
955024        0xE9290         SHA256 hash constants, little endian
955549        0xE949D         Unix path: /home/share/samba/tuya/wifi_sdk/wifisdk_for_bk7231/project/tuya_iot/src/tuya_iot_sdk/wifi_cfg_serv/wf_sniffer_intf.c
</code></pre>
<h2 id="step-4---executing-one-simple-search-query">Step 4 - Executing one simple search query</h2>
<pre tabindex="0"><code>$ strings HACK.dump | grep onveiligwifi -A2
onveiligwifi
61b77bc0c7710cb2e9fe5c8bb4244ed86829789297ba8ee7bf6176de3e6263eb
onveiligwachtwoord
</code></pre>
<p>The three matches are the configured SSID, a 64-character hexadecimal value (32 bytes, the length of a WPA2 pre-shared key) and the Wi-Fi passphrase, all readable as plain strings in the raw flash dump.</p>
<h1 id="this-is-all-it-takes-and-and-depending-on-the-device-it-would-take-about-30-minutes">This is all it takes and depending on the device it would take about 30
minutes</h1>
<hr>
<blockquote>
<h2 id="so-what-should-i-do">So what should I do?</h2>
<ul>
<li>Preferably create a separate network for your IoT devices that is not connected to the rest of your equipment</li>
<li>Monitor your IoT network for unexpected devices joining</li>
<li>Add devices to allow-lists, and remove deprovisioned devices from that list</li>
</ul>
</blockquote>
<blockquote>
<h2 id="that-sounds-like-a-lot-of-work-what-else-can-i-do">That sounds like a lot of work, what else can I do?</h2>
<ul>
<li>Change the Wi-Fi password every time you throw away a broken device</li>
<li>Open the lightbulb and physically destroy all the chips</li>
<li>Don&rsquo;t use IoT devices</li>
<li>Don&rsquo;t care, get hacked</li>
</ul>
</blockquote>

About https://jilles.com/about/ Fri, 01 Apr 2022 10:24:10 +0200
<p>This website was created to share (mostly) technical write-ups and the impulse purchases I have made. Someone on Twitter once said to me: &ldquo;Jilles, stop spending my money!&rdquo;. This video was recorded for Hacking is not a crime, something I strongly believe in.</p>
<iframe width="560" height="315" src="https://www.youtube.com/embed/3jlT26T_SMA" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
<p>As a parent of twin boys (Jelle and Jurre) I was involved in education for over 4 years. This site will also contain information about STEM (science, technology, engineering and mathematics). Kids should be raised to think, challenge and invent, not to blindly obey, believe and consume.</p>
<p><img src="https://jilles.com/img/image.jpg" alt="The 3 J&rsquo;s"></p>
<h1 id="support">Support:</h1>
<p><a href="https://www.paypal.com/donate/?business=5ST2WQY5DZL5G&no_recurring=1&currency_code=EUR" target="_blank"><img align="left" src="https://jilles.com/img/about/paypal.png" height="50"></a></p>

Hacking is not a crime https://jilles.com/hackingisnotacrime/ Fri, 01 Apr 2022 10:24:10 +0200
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/d9WzkV9uX2A" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

Lectures https://jilles.com/lectures/ Fri, 01 Apr 2022 10:24:10 +0200
<p>What to do when someone close to you takes their life and you are not tech-savvy <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe src="https://www.youtube.com/embed/qJ8fpfkYOGg" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" allowfullscreen title="YouTube Video"></iframe> </div> </p>
<p>Wardriver.uk - open source wardriving with the ESP32 <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe src="https://www.youtube.com/embed/pbBxFoXFs0E" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" allowfullscreen title="YouTube Video"></iframe> </div> </p>
<p>Jilles, <em>stop</em> spending our money <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe src="https://www.youtube.com/embed/lbLJfdn6Bus" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" allowfullscreen title="YouTube Video"></iframe> </div> </p>
<p>Sensemakers Amsterdam <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe src="https://www.youtube.com/embed/hqvAmGft-l0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" allowfullscreen title="YouTube Video"></iframe> </div> </p>
<p>Zoldersessions #5 Jilles &amp; Jurre <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe src="https://www.youtube.com/embed/Hp1ecbyGZ_c" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" allowfullscreen title="YouTube Video"></iframe> </div> </p>
<p>Empowering Youth <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe src="https://www.youtube.com/embed/Bj_Sj8QcOrA" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" allowfullscreen title="YouTube Video"></iframe> </div> </p>
<p>Zo maakt Jurre (15) de wereld veiliger met hacken (This is how Jurre, 15, makes the world safer by hacking) <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe src="https://www.youtube.com/embed/yRgQdHHSpJM" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" allowfullscreen title="YouTube Video"></iframe> </div> </p>
<p>Veilig internetten: Cijferhack (Safe internet use: the grades hack) <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe src="https://www.youtube.com/embed/oy-Mt3ueYZM" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" allowfullscreen title="YouTube Video"></iframe> </div> </p>
<p>Why I hacked my school <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"> <iframe src="https://www.youtube.com/embed/i3EP4s0eYfA" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" allowfullscreen title="YouTube Video"></iframe> </div> </p>
<p>Cyberhelden episode 38 <a href="https://www.cyberhelden.nl/episodes/episode-38/" target="_blank"><img src="https://jilles.com/img/cyberhelden.jpg" alt="Cyberhelden"></a></p>
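Step 4 of "Dumpsterdiving for network access" above greps the raw dump for the SSID and prints the two strings stored after it. As an added example (not code from jilles.com or from the tuya_dumps tooling), the Python script below does the same scan offline over a constructed sample flash image and adds the check a practitioner would want: whether the 64-character hexadecimal token between SSID and passphrase is the WPA2 pairwise master key derived from them (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes). The sample image, its 0xFF padding and NUL-terminated layout are constructed here; the first credential triple is the IEEE 802.11 PBKDF2 test vector (SSID "IEEE", passphrase "password"), the second reuses the values printed in Step 4, whose hex token the script tests rather than assumes to be a PMK.

```python
"""Added example: scan a raw flash dump for Wi-Fi credentials and check the stored key.

Not code from jilles.com or its tuya_dumps tooling. It reproduces
`strings HACK.dump | grep -A2 <ssid>` in Python and adds one check: is the 64-hex token
between SSID and passphrase the WPA2 PMK, PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32)?
"""
import hashlib
import re
from typing import Iterator, List, Tuple

MIN_STRING_LEN = 4  # GNU strings' default minimum run length
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")  # 32 bytes as hex: the size of a WPA2 PSK/PMK


def printable_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every run of printable ASCII of at least min_len bytes,
    like `strings -t d`. A run ends at any non-printable byte (NUL separators, 0xFF erased flash)."""
    start = None
    for i, b in enumerate(blob):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, blob[start:i].decode("ascii")
            start = None
    if start is not None and len(blob) - start >= min_len:
        yield start, blob[start:].decode("ascii")


def wpa2_pmk(ssid: str, passphrase: str) -> str:
    """WPA2-Personal pairwise master key as 64 hex characters (IEEE 802.11 PBKDF2 derivation)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def find_wifi_credentials(blob: bytes) -> List[dict]:
    """Find the triple seen in the dump: SSID, then a 64-hex token, then a passphrase (8..63 chars).
    key_is_pmk says whether the token is the PMK of (ssid, passphrase); False means it is something else."""
    strings = list(printable_strings(blob))
    hits = []
    for idx in range(len(strings) - 2):
        (offset, ssid), (_, token), (_, passphrase) = strings[idx:idx + 3]
        if HEX64.match(ssid) or not HEX64.match(token) or not 8 <= len(passphrase) <= 63:
            continue
        hits.append({
            "offset": offset,
            "ssid": ssid,
            "key_hex": token.lower(),
            "passphrase": passphrase,
            "key_is_pmk": token.lower() == wpa2_pmk(ssid, passphrase),
        })
    return hits


def _kv(*items: str) -> bytes:
    """NUL-terminate each string, as a simple flash key-value store would (constructed layout)."""
    return b"".join(s.encode() + b"\x00" for s in items)


# Constructed sample flash image (not a real dump): 0xFF erased-flash padding around a few
# NUL-terminated strings. The first triple is the IEEE 802.11 PBKDF2 test vector
# (SSID "IEEE", passphrase "password"); the second reuses the values printed in Step 4 of the
# post, whose hex token this script tests rather than assumes to be a PMK.
SAMPLE_DUMP = (
    b"\xff" * 64
    + _kv("BK7231S_1.0.5", "tuya_iot_wifi_api.c")
    + b"\xff" * 16
    + _kv("IEEE", "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e", "password")
    + b"\x00" * 8
    + _kv("onveiligwifi", "61b77bc0c7710cb2e9fe5c8bb4244ed86829789297ba8ee7bf6176de3e6263eb", "onveiligwachtwoord")
    + b"\xff" * 64
)

if __name__ == "__main__":
    # Against a real dump: find_wifi_credentials(open("HACK.dump", "rb").read())
    for hit in find_wifi_credentials(SAMPLE_DUMP):
        print(f"0x{hit['offset']:08x} ssid={hit['ssid']!r} passphrase={hit['passphrase']!r} "
              f"stored key is PMK: {hit['key_is_pmk']}")
```

Run it against a real image with `find_wifi_credentials(open("HACK.dump", "rb").read())`. A `key_is_pmk` of True means the device stored the derived WPA2 key next to the passphrase it was derived from; False means the 64-hex token is something other than the PMK for that SSID and passphrase, which is left as an open question for the value shown on the page. The scanner only reproduces the null-separated layout visible in the Step 4 output; a key-value store that packs fields without separators would need the string boundaries recovered from its own format first.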