If you’re looking for Home Automation appliances, you might want to check out the Wink Hub. It’s fifty bucks, and has six radios on board: WiFi, Bluetooth, Z-Wave, Zigbee, and 433MHz Lutron and Kidde. That’s an insane amount of connectivity in a very cheap package. It’s been pwnzor3d before, but dinnovative has a much better solution for getting root on this device.
Earlier methods of rooting the Wink involved passing commands via URLs – something that’s not exactly secure. The new method leverages what’s already installed on the Wink, specifically Dropbear, to generate public keys on the Wink hub and getting that key onto another computer securely. The complete exploit is just a few lines in a terminal, but once that’s done you’ll have a rooted Wink hub.
Even though the Wink hub has been rooted a few times before, we haven’t seen anything that leverages the capabilities of this hardware. There isn’t another device with a bunch of IoT radios on the market for $50, and we’re dying to see what people can come up with. If you’ve done something with your Wink, send it in on the tip line.
Here’s some code that adds an extra api and a compatable android app for your rooted wink hub. https://github.com/nashira/blink
Is there a way to purchase the wink hub in europe ( germany ) ?
I was just looking back at the Defcon 22 post that mentioned the Wink earlier today. I need to grab one of those suckers, after I get some bills taken care of.
Anyone know if you can get an actual weight/force measurement out of the “Refuel” module? Measuring more than just Propane level would be nice, and I can think of a lot of cool applications for it.
I’m using a similar setup. My wink hub is on my LAN, and I use Raspberry Pi running OpenHAB (a home automation program) to turn things on/off/dimm. So I no longer need Wink server, and OpenHAB insulates the Wink hub from the rest of the internet for security. I have a lot of other sensors integrated into OpenHAb, so now these sensors can interact with the Zigbee and Z-wave lights.
https://electronichamsters.wordpress.com/2014/12/31/hacking-the-wink-hub-to-work-with-openhab-for-local-control/
I added voice control, just like in Star Trek.
“pwnzor3d” Really?
I know, right? He forgot the ‘0’.
pwnz0r3d.
ftfy.
OK, I’m a reasonably savvy guy, but what the heck is “pwnzor3d?”
It’s a sort of battle cry that < 16 year olds shout when they deface a random website with a downloaded exploit tool that actually just turned their gaming rig into a minion bot for some Russian hacker group.
Sweet affiliate link, bro.
Here’s the same thing for the same price.
If it’s the same price, why do you get pissed off he posted an affiliate link?
Meh, he’s still using the set_dev_value.php (*GLARING EYE-STABBING*) vulnerability on a factory-default device. It’s a vulnerabilty where you can trivially execute commands as root by just accessing a URL. Once you’ve got that, your different next steps are really just nitpicks, so this post isn’t as interesting as I initially hoped.
If you make the mistake of updating the firmware before hacking it, they removed that PHP script, and disabled dropbear and getty listening on serial, so at that point it’s nothing but a kinda-big gateway for Wink’s cloud to control your devices for you. It’d be more interesting if someone finds other vulnerabilities to hack it then. It’s running PHP after all… ;)
Is the actual goal of this post to rekindle interest in the community for this fantastic cheap and powerful box? I appreciate that sentiment! I only started fooling with mine last weekend, and it deserves more community attention.
Not sure if the hubs still come with the base-hackable firmware. But if they continue to ship it that way, this hub is a great deal. I’ve been able to integrate z-wave wall switches and zigbee GE link bulbs, all controlled locally, blocking access to Wink servers. It’s super reliable for the last couple weeks it’s been running. And I have all the automation features that Wink has, or at lease the ones I care about.
Yes, they do. Bought one a few weeks ago from Lowe’s or Home Depot.
How have you been controlling your devices?
This appears to have been fixed in the device that I purchased at HD earlier this month. Oh well. Looks like I’ll have to open it up, attach an FTDI USB to TTL UART to the serial console, and hold the flash in reset while I power-cycle to force U-Boot to bail to a command prompt.
I can confirm that this works, with the exception that I had to also append “ubi.mtd=database” to the kernel boot arguments. Trying to attach mtd3 (the database partition) after booting was failing with the error that UBI wasn’t present in the system (???). Also, the dropbear ssh options file is in /etc/default, not /tmp/rootfs/etc/default/.
When you get the command prompt in U-Boot, it’s helpful to add a delay before booting the kernel, in case you want to play with the bootloader later without the paperclip trick:
=> setenv bootdelay
=> saveenv
‘bootdelay’ requires an integer argument for the value of seconds to delay loading the kernel from flash.
Can I see the bootargs command you ran? I’m getting stuck attaching mtd3 and get the same error you did.
Meant to insert a link with instructions above:
http://www.rootwink.com/viewtopic.php?t=67
So if you hack what exactly can be done with the device? Can you get it to talk to generic Zwave devices or integrate with Vera?
Sad this bug got publicly disclosed before being fixed as I had reported it to wink over 3 months ago.
Heres the original video I used to PoC the bug to Wink.
https://www.youtube.com/watch?v=MqpULC84rCQ
(Sorry about the previous posts, had some issues submitting my original comments.)
Why? Why did you report it, man? Did it not occur to you that some of us want to root the device? Now I have to wait until Monday to go in to work to fetch my USB to TTL UART dongle and go about it the “hard” way.
you asshole.
What a jerk. Now we have no choice but to take it apart.
still works great you did nothing at all! All you did is wast tons of time trying to be a grumpy old fart who’s mad at the kids who can still get enough blood to fill there fun sticks!
I watched your vid very closely and I know who you are. lol
Home Depot has a promo in store. Buy two GE Link Bulbs, and get the Hub for $20. At the store I went to total with tax came out to $53.47
Also check you local Home-De-Pot as they are always running a deal if you buy a few device with the wink. I think the current deal is get the Wink for $20 if you buy two devices. Thanks for the post HAD!
Hey those of you looping through a Raspberry PI for home automation should take a look at the Raspbee (yeah I know, and NO I don’t work for them). It’s a daughterboard that speaks raw Zigbee, Jason libraries and a graphical management interface if you’re into that sort of thing. I even have Kodi/XBMC bolted onto it. It’s pretty nice, range is terrific.
Another possibility is running Virtual Wiring (see http://www.catalinacomputing.com) on a Raspberry Pi. It turns your Pi into a hub which supports Z-Wave, ZigBee (XBees), and Arduinos, too. You can add your own devices as well.
Virtual Wiring runs standalone (doesn’t use or need a cloud server). There’s an article on a home automation project in Raspberry Pi Geek Magazine (pointed to by the Catalina Computing website), and Virtual Wiring is freely downloadable and free for non-commercial use.
Full disclosure – I work for Catalina Computing.
I connected mine to SmartThings:
https://github.com/quantiletree/SmartWink