
Firmware dump #3

Open
26didi89 opened this issue Feb 17, 2022 · 4 comments

Comments

@26didi89 commented Feb 17, 2022
Hi Aldohrs,

I discovered your work on the Home Assistant forum. I am looking for information about the IO Homecontrol part.
I would like to supplement SDR capture analysis with firmware analysis. What are your latest discoveries?

Thanks

@Aldohrs (Owner) commented Feb 18, 2022

Hi 26didi89,

I'm still working on it. I'm currently working on a custom OS for the TaHoma to make it an easy development and hacking platform.

I also want to reverse the io-homecontrol protocol. I actually managed to sniff io-homecontrol frames over the air using an RTL-SDR a year ago. I decoded the bottom layers, but I still have work to do on the upper ones and the pairing process.

On the software side, I have not done much yet. Most of the information should come from the io-homecontrol libraries and the firmware of the STM32 chip.

@Aldohrs (Owner) commented Feb 18, 2022

I'm considering publicly releasing my GNU Radio workflow and my findings on the protocol itself, but as I'm digging back into the project, I need some time to do checks to make sure I release only non-sensitive information.

@paller commented Mar 9, 2022

This is very related to merbanan/rtl_433#1376

I have io-homecontrol windows, two one-way remotes, and an older TaHoma box which unfortunately doesn't have the same PCB as yours. What I would like to look at is how the CMAC/AES signing is done. Trying to obtain some data for investigation, I have captured a few different scenarios with an SDR:

  1. Cloning one remote to another (surely they must exchange AES keys in the process)
  2. Using the TaHoma to scan for devices in the home (doesn't seem very secure: it locates both windows and is able to control them without any human approval)

While some of the packets seem to be about 128 bits bigger than "normal", I can't say whether it really is the key in plain sight. Trying to figure out how the CMAC is calculated is hard enough; using a key that may or may not be correct doesn't help.

Some SDR captures with a known AES key would make a great start. I might have to give the jailbreak a try on my older unit to obtain the key, unless someone is willing to share their extracted key and SDR captures.

Another thing I would like to try is disassembling the io-homecontrol application. I know AES is done in hardware, but if we can see what is loaded into the block and, more importantly, how the output is used to construct a full io-homecontrol packet, that would probably be the easiest way to reverse the protocol. Would it be possible to share that binary?

@Aldohrs (Owner) commented May 8, 2022

Hi,

Unfortunately, all firmware, including the STM32 firmware, is protected by copyright laws and I cannot share any of it. However, if you have jailbroken your Kizbox, the STM32 firmware should lie in /apps/overkiz/share/io-homecontrol/bin/

Regarding the current progress I've made on the radio protocol (which I haven't touched for a while), I am pretty close to what is specified in merbanan/rtl_433#1376 (comment)

At the moment, I'm focusing on my custom OS, to be able to boot from a USB key and use one TaHoma as a sniffer, with an extended toolset not limited to the 128MB NAND space.

Regards,
