Building on the work of others (as is always the case!) [pepe2k] managed to get root access on the Philips Hue Bridge v2 IoT light controller. There’s nothing unusual here, really. Connect to the device over serial, interrupt the boot process, boot up open firmware, dump the existing firmware, and work the hacker magic from there.
Of course, the details are the real story. Philips had set U-Boot to boot the firmware from flash in zero seconds, not allowing [pepe2k] much time to interrupt it. So he desoldered the flash, giving him all the time in the world, and allowing him to change the boot delay. Resoldering the flash and loading up his own system let him dump the firmware.
The “hacker magic” glossed over in the intro consisted of poking around until he found a script that was called on every boot. This is how [pepe2k] gets around not knowing the root password. The script compares the hash of the typed password with an environment variable, set with the hash of the correct password. Changing that environment variable to the hash of his favorite password (“root”) made him master of the box.
And just in case you’re one of the few Hackaday readers who doesn’t understand why we do these things, besides the fact that it’s just fun, consider Philips’ (eventually retracted) clampdown on the interoperability of this very device, or Google’s red bricks. The fatal flaw of IoT devices is that they place you at the whims of companies who may decide that they’re not making enough money any more, and shut them down. Keep your hacking skills sharp.
The 900-pound gorilla in the corner of the Internet of Things (IoT) hype that everyone is trying to ignore is interoperability. In the Internet of Internets (IoI) everything works on a few standards that are widely accepted: IP and HTML. The discrepancies are in the details and the standards wars are in the past. Websites are largely interoperable. Not so in the wild-west ethos of the IoT.
Philips makes a line of ZigBee-enabled RGB lightbulbs that took the enthusiast community by storm. And initially, Philips was very friendly to other devices — it makes a ZigBee-to-WiFi bridge that would let you control all of your ZigBee-based lights, regardless of their manufacturer, from your phone. Until now.
Philips has just rolled out a “Friends of Hue” certification process, and has since pushed out a firmware update where their Hue bridges stop interoperating with non-certified devices. You can read Philips’ version of the story here.
Philips Locks Out 3rd Party ZigBee Hardware
The short version is that, ZigBee standards be damned, your future non-Philips lights won’t be allowed to associate with the Philips bridge. Your GE and Osram bulbs aren’t Friends of Hue. DIY RGB strips in your lighting mix? Not Friends of Hue. In fact, you won’t be surprised to know who the “Friends of Hue” are: other Philips products, and Apple. That’s it. If you were used to running a mixed lighting system, those days are over. If you’re not on the friends list, you are an Enemy of Hue.
Their claim is that third party products may display buggy behavior on a Philips network, and that this loads up their customer-response hotlines and makes people think that Philips is responsible. Of course, they could simply tell people to disable the “other” devices and see how it works, putting the blame where it belongs. Or they could open up a “developer mode” that made it clear that the user was doing something “innovative”. But neither of these strategies prevent consumers from buying other firms’ bulbs, which cost only 30-50% of Philips’ Hue line.
While Philips is very careful to not couch it as such, the Friends of Hue program really looks like an attempt to shut out their competitors; Philips got an early lead in the RGB LED game and has a large share of the market. As they say themselves in their own press release “Today these 3rd party bulbs represent a minimal fraction of the total product connected to our bridges so the percentage of our users affected is minimal.” And they’d like to keep it that way, even though the people they’re hurting are probably their most vocal and dedicated customers.
And while we, with our manual light switches, laugh comfortably at the first-world problems of Hue consumers, we have to ask ourselves whether we’re next. Today they come for our RGB lightbulbs, but tomorrow it might be our networked toasters. A chilling thought!
Snark aside, the IoT brings two of the saddest realities of the software world into your home appliances: Where there’s code, there’s vulnerabilities, and when you can’t control the code yourself you aren’t really in control. You may own the lightbulb, but you’re merely licensing the firmware that runs it. The manufacturer can change the rules of the game, or go out of the product line entirely, and you’re high and dry. What can you do? Pull out your JTAG debugger.
Of course it’s insane to suggest that everyone needs to become an embedded-device firmware hacker just to keep their fridge running. As we’ve written before, we need to come up with some solution that puts a little more control in the hands of the ostensible owners of the devices, while at the same time keeping the baddies out. We suggest a press-to-revert-firmware button, for instance. When Philips pushes a non-consumer-friendly upgrade, you could vote with your fingertips — but then you’d miss out on bug fixes as well. Maybe it’s better to just give in an learn to love Windows 10.
There are no easy solutions and no perfect software. The industry is still young and we’ll see a lot of companies staking out their turf as with any new technology. It seems to us that IoT devices leave consumers with even less choice and control than in the past, because they are driven by firmware that’s supposed to be invisible. It’s just a lightbulb, right?
What do you think? Any ideas about how to put the power back in the hands of the “owner” of the device without everyone’s refrigerators becoming botnet zombies? Let us know in the comments.
“We underestimated the impact this would have upon the small number of our customers who currently use uncertified lights from other brands in the Philips Hue system. We have decided to continue to enable our customers who wish to integrate these uncertified products within their Philips Hue system.”
Old Mini and Mainframe computers often had huge banks of diagnostic lights to indicate the status of address, data and control buses or other functions. When the lights blinked, the computer was busy at work. When they stopped in a particular pattern, engineers could try and figure out what went wrong by decoding the status of the lights.
[Folkert van Heusden] has an old MSX-based Philips VG-8020 computer and decided to add his own set of BlinkenLights to his system. The VG-8020 was a first generation MSX released in 1983 and featured a Zilog Z80A microprocessor clocked at 3.56 MHz, 64KB of RAM, 16KB of VRAM, and two cartridge slots.
The cartridge slots of the MSX are connected to the address and data buses in addition to many of the control signals, so it seemed logical to tap in to those signals. Not wanting to play around with a whole bunch of transistors, he opted to use an Arduino Nano to connect to his computer and drive the LEDs. In hindsight, this seemed like a wise decision as it allowed him to do some processing on the incoming data before driving the LEDs.
Instead of creating a new PCB, he cut open one of his beloved game cartridges. A switch was added to the slot select control pin (SLTSL) and eight wires soldered directly to the data bus. These were hooked up as inputs to the Arduino. A bank of eight LEDs with limiting resistors were connected to outputs on the Arduino. A quick test confirmed it all worked, including the switch to enable / disable the cartridge. He had to experiment with the code a bit as the LEDs were initially blinking too fast.
A couple of months later, he upgraded his BlinkenLight display to include the 16 bit address, 8 bit data and 8 lines for control signals. To do this, he used two MCP23017 – I2C 16 input/output port expander chips. For the LEDs, he installed a bank of four NeoPixel LED bars. A Pro-Mini takes care of the processing, and a custom PCB in the cartridge format houses all of it neatly. Check out the two videos below showing the BlinkenLights in action.
[Martin] recently purchased a Philips LivingColors lamp. It’s a commercial product that basically acts as mood lighting with the ability to change to many different colors. [Martin] was disappointed with the brightness of his off-the-shelf lamp. Rather than spend a few hundred dollars to purchase more lamps, he decided to modify the one he already had.
[Martin] started by removing the front cover of his lamp. He found that there were four bright LEDs inside. Two red, one green, and one blue. [Martin] soldered one wire to the driver of each LED. These wires then connected to four different N-channel MOSFET transistors on a piece of protoboard.
After hooking up his RIGOL oscilloscope, [Martin] was able to see that each LED was driven with a pulse width modulated signal. All he had to do was connect a simple non-addressable RGB LED strip and a power source to his new driver board. Now the lamp can control the LED strip along with the internal LEDs. This greatly extends the brightness of the lamp with minimal modifications to the commercial product. Be sure to check out the video below for a complete walk through. Continue reading “Increasing The Brightness Of A Philips LivingColors Lamp”→
[OiD] had a dusty, old, forgotten Philips HDD1420 GoGear mp3 player kicking around his place. As you can imagine, the battery was dead. He had no charger or connector for the thing, but decided to try to resurrect it anyway.
He thought it would simply be a matter of providing alternative power, but the GoGear wasn’t having it and insisted on being connected to a computer. He had some luck consulting Pinouts.ru and found Philips’ own device manager software, but it still wasn’t easy. The device manager doesn’t work on Windows 7. He tried an XP box, but it didn’t detect the device.
Finally, he discovered that the hard drive was kaput and replaced it with an 8GB Microdrive. That helped, but he still had a hard row to hoe. [OiD] formatted the new HD and gave it the official firmware, but still had to replace some system files according to the Philips manual. He ended up using RockBox to reanimate it and decided to keep it on the device.
There was still an issue with charging, though. It has an IC that handles selection of either the proprietary external adapter or USB power, but the RockBox firmware doesn’t implement switching and defaults to the adapter. Several tweaks and a hacked-in mini USB later, the patient is in stable condition and cranking out the tunes.
Welcome to Eindhoven! We came to visit a few hackers from MadSpace (translated) but unfortunately they are in the process of moving, and there was not much to see at the space. Lucky for us, our visit corresponded with the Dutch Design Week (translated)! So we still had some cool things to see!
Eindhoven has a very interesting history. Phillips was founded here back in the late 1800’s, with a single factory, but in the past century it grew into what could almost be called Philip’s City. A stretch of a few kilometers of Phillips buildings dominated Eindhoven and almost everyone worked for them. Fast forward to the present and most of the buildings have been sold and turned into other businesses.
After getting his hands on the Philips Hue smart lightbulb [Brandon Evans] cracked open some of the hardware to see what is inside. He also spent time working out the software tricks necessary to use Siri to control light bulbs from iOS.
If you haven’t heard of the Hue product before it’s an LED bulb that fits in a standard medium base whose color and intensity can be controlled wirelessly. Included in each unit is Zigbee compatible hardware that lets the bulbs form their own mesh network. [Brandon] didn’t crack open the bulb since these things cost a pretty penny and disassembly requires cutting. But he did point us to this post where [Michael Herf] shows what the bulb’s case is hiding. We do get to see the other piece of the puzzle as [Brandon] exposes the internals on the base unit that bridges the mesh network to your home network via Ethernet. An STM32 chip is responsible for controlling the base unit.
Aside from a look at the guts [Brandon] hacked Siri (Apple’s voice activated virtual assistant) to control the system. You can see a demonstration of that in the clip after the break. The details are found in the second half of his post which is linked at the top. The code is found in his siriproxy-hue repository.