Sunday, November 30, 2014

How to root your WINK hub - Step by Step tutorial

Recently bought a WINK hub on a sale from Homedepot almost for free on the Blackfriday sale. I liked the concept since it supports multiple radios like Zigbee, Z-Wave, Lutron 433, Kidde 433, Bluetooth & Wifi. I already own a Vera 3 and i wanted to use this as a secondary controller by rooting the hub. Vera3 is extremely good and reliable except the UI but it only supports Z-Wave which made me think why can't i hack this free device as my secondary controller and use some of the cheap Zigbee devices available in Lowes like their Door Sensor, Panic Button, etc.

I searched and found very few sites that talks about rooting this hub but the steps were not clear.  So i thought of putting my own steps,

#1. Looks like the Wink team has left some of the development debugging pages on the production release, which we will be leveraging to take control on this hub.

#2. After purchasing the hub DO NOT CONNET to the internet which will make the hub download the latest firmware where they have fixed the issue.

#3. Plugin the hub ( Don't worry it won't connect to the Wink Servers yet). Wait for the flashing pink lights to come up.( green -> flashing pink).

#4. Now connect your laptop to the Wifi SSID name WINKHUB-*

#5. Trying hitting the following url from your browser and make sure sure it works. 

and you should see this "home page". Perform the below steps while you are still connected to the hub.

#6.  I am using Mac, so i opened a terminal and issued a curl command as given below to disable the root account's password.

curl "" -d "nodeId=a&attrId=;cp /etc/shadow /etc/shadow.bak;sed -i 's/root:.*:\(.*:.*:.*:.*:::\)/root::\1/' /etc/shadow;cat /etc/shadow;"

 This will take a minute so please be patient.

#7. Generate a ssh key now by typing the following commands on a terminal window,

$ssh-keygen -t rsa

press the enter key to accept the default location
Type a passphare when it prompts and confirm it by entering the passphare second time. Now the system generates the ssh key as shown below.

Your identification has been saved in /Users/username/.ssh/id_rsa.
Your public key has been saved in /Users/username/.ssh/
The key fingerprint is:
bf:49:7f:cb:85:da:5a:f4:7c:1f:cc:23:dd:cc:55:f8 username@mac.local
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|         .       |
|        A .      |
|   .   . o       |
|  o . . G .      |
| + + o . +       |
|. o o = o +      |
| o...o + o       |
|.  oo.o .        |

#8. Now copy all the contents of your file(/Users/username/.ssh/ and encode the content using any of the online encoder. I used

#9. Copy the encoded content from the website and issue the following curl command from the terminal prompt as below(after replacing the your_encoded_key ) to add your ssh key to the hub.

curl "" -d "nodeId=a&attrId=;echo 'your_encoded_key' >> /root/.ssh/authorized_keys; cat /root/.ssh/authorized_keys;"

If the command is successful, it will list 2 rsa keys including the one that you just added.

#10.  Try to ssh into the hub using


#11. Now try editing the set_dev_value.php using,

$ vi /var/www/set_dev_value.php 

comment the line that starts with $cmd and add a new line as given below

$cmd = 'aprontest -u -m ' . $nodeId . ' -t ' . $attrId . ' -v ' . $v;

if you have done it correctly the file should look like this,

$nodeId = $_POST['nodeId'];
$attrId = $_POST['attrId'];
$v = $_POST['value'];

//$who = exec('whoami');
//echo $who;
//passthru("sudo ls", $retval);

//echo "nodeId=" .$nodeId . " attrId=" . $attrId . " value=" . $v;
//$cmd = 'sudo ' . dirname(__FILE__) . '/php2apron set_value ' . $nodeId . " " .
$cmd = 'aprontest -u -m ' . $nodeId . ' -t ' . $attrId . ' -v ' . $v;
//echo $cmd . " ";

passthru($cmd, $retval);
echo "ret_code=" . $retval;


#12. We want to block the device from getting the new firmware by editing the host file located in /etc/hosts

and add the following entries in bold.       localhost       flex-dvt

#13. One more last step before we disconnect, edit the following file,

$vi /etc/init.d/S31platform 

and look for the following lines,

if [ ! -e /database/oauth ]; then                                   
    rm /database/wpa_supplicant.conf                            

and edit the rm /database/wpa_supplicant.conf to rm /database/wpa_supplicant.conf1. I tried commenting the line but ran into issue. So i end up adding a 1 at the end, since the file anyway won't be there.

#13. Disconnect the ssh or open a new terminal and add your Wifi ssid/password using the following curl command by replacing the x's with your wifi's ssid and y's with your wifi's password.

curl "" -d '{"ssid":"xxxxxxx","pass":"yyyyyyy"}'

#14. Now try rebooting the hub if everything goes well you should see a blue light which confirms that it works and try ssh into the hub and it should work like before.

Also try accessing the device page by visiting http://your-new-hub-ip/devices.php, which you will be using to add /remove devices.

this link was very useful when i was rooting my device.

If you brick your device you will see a flashing pink. Still you can access the hub through UART which is little hard and also you need some hardware. I will post the picture and pin configuration shortly. Here is my Part 2 where you will find information about getting the shell access to the wink hub through the UART using an FTDI board.