Forum: Offtopic Thermomix Rezeptchips


by Bimby T. (bimby)

Hans H. wrote:
> Bimby T. wrote:
>> Ikaro P. wrote:
>>> (I know I'm late... more coming soon, I promise)
>>>
>>> 2faf 32c6 f26b 5cc0 21c1 8988 019a f3a5
>>
>> Hi Ikaro P.,
>>
>> it is never late for sharing your findings. :)
>> Is this the encryption key for the cook key or the piece of code where
>> the signature of the key is checked?
>>
>> Thanks and keep the great work! :)
>
> It's the actual encryption key for the cookey. You can extract it from
> Matt's kernel dump.

Hi Hans H.,

you mean the decryption key and not encryption key, or am I wrong? From 
what I know, nobody found out how to encrypt a cook key, right?

by Hans H. (Company: kobs-ng) (haschhans)

> Hi Hans H.,
>
> you mean the decryption key and not encryption key, or am I wrong? From
> what I know, nobody found out how to encrypt a cook key, right?

The encryption and decryption key are the same for the cookey.
Everyone who got a custom recipe on his TM had to encrypt his cookey.

by Bimby T. (bimby)

Hans H. wrote:
>> Hi Hans H.,
>>
>> you mean the decryption key and not encryption key, or am I wrong? From
>> what I know, nobody found out how to encrypt a cook key, right?
>
> Encryption and decryption key is the same for the cookey.
> Everyone that got a custom recipe on his TM had to encrypt his cookey.

Sorry, I was thinking about the recipe chip verification method and not 
encryption/decryption of the chip... The recipe chip verification uses 
an RSA Key and this is what nobody found out how to compute, just Matt 
knows how to bypass this verification using a bug found on the 
verification method of the recipe chip.

by Hans H. (Company: kobs-ng) (haschhans)

TM6 is coming:
https://thermomix.vorwerk.de/thermomix/tm6/

by Martin S. (sirnails)

Hans H. wrote:
> TM6 is coming:
> https://thermomix.vorwerk.de/thermomix/tm6/

Seems like Vorwerk is pissed....

by Bimby T. (bimby)

Martin S. wrote:
> Hans H. wrote:
> TM6 is coming:
> https://thermomix.vorwerk.de/thermomix/tm6/
>
> Seems like Vorwerk is pissed....

Well, it seems that they tried to copy the Monsieur Cuisine Connect from
Lidl...
Almost all new features could be added to the TM5 with a software
update...

Here is the first test and the differences to the TM5:
https://youtu.be/5fjKtTg441g

Maybe it is time to find a way to upgrade the TM5 with the
software from the TM6... :P

by Ivo B. (ivoburkart)

Looks like the TM6 has a web-based interface :-)

by Hans H. (Company: kobs-ng) (haschhans)

Ivo B. wrote:
> Looks like the TM6 has a web-based interface :-)

What exactly leads you to that conclusion?

by Marco H. (marco_h883)

Hans H. wrote:
> Ivo B. wrote:
> Looks like the TM6 has a web-based interface :-)
>
> What exactly leads you to that conclusion?

We have a TM6 at home. I would also say that access to the recipe
archives is web-based. But the other functions are, as before, not a
web interface.

by Erlantz L. (erlantz_l)

Hello from Spain ;)
Boot GUI system (actually working on it):

/opt/Thermomix.sh : script that launches log processes and calls the GUI
/usr/sbin/supervisor : "supervises" the TM5 hardware and, if all is OK, runs
 the Thermomix GUI (binary is /opt/Thermomix/Thermomix)
/usr/sbin/supervisor_config.xml : the parameters that supervisor reads

We can launch supervisor from the shell as root:

supervisor -m SERVICE : a mode that comes up with a preset IP (192.168.76.1),
mouse and keyboard, uses some port but does not start the GUI

supervisor -m GUI : it runs the GUI, and you can see a screen but
you still can not move forward, I need a mouse

Other services:

supervisor -m OTA : search for upgrade

....

To launch Linux I use the tm5.sh script that is in this forum
(post "Re: Thermomix Rezeptchips")
but chroot is not necessary, and I have changed it to launch with a screen
and 256M of RAM (max RAM for qemu):

qemu-system-arm -M versatilepb -kernel vmlinuz -initrd initrd.img -m 256M -hda disk.qcow2 -append "root=/dev/sda1" -redir tcp:8022::22


Things to do:

It's not necessary to mount a partition, you can make it in the same
partition:
mkdir -p /mnt/rwfs/data/system_config

Copy binaries from the Thermomix rootfs:

cp -r /tm5/usr/* /usr
cp -r /tm5/opt/* /opt

rc.local from the Thermomix rootfs is not necessary, only the binaries that
I mention are necessary

Note: I'm trying to stabilize the GUI, from time to time it falls over

by Erlantz L. (erlantz_l)

Ikaro P. wrote:

> P.S. Coming soon might be a guide on running the GUI in an emulator,
> for now it's not usable as the emulated touchscreen driver is sending
> coordinates in the 0-32768 range but the GUI needs them in screen pixels.
> Clicking blindly in the left upper corner is just pain in the ass...

Ikaro, in order to run the GUI, can you tell us which emulated touchscreen
driver you have used?
Thanks

by Hans H. (Company: kobs-ng) (haschhans)

Anyone still working on a root shell?

by Erlantz L. (erlantz_l)

I use a Raspberry Pi 2B with chroot, the supervisor service works but I
still have no luck with the touch screen, I can't use the screen. If anyone can
use the screen (Ikaro) please tell us how.

by Hans H. (Company: kobs-ng) (haschhans)

Erlantz L. wrote:
> I use a Raspberry Pi 2B with chroot, the supervisor service works but I
> still have no luck with the touch screen, I can't use the screen. If anyone can
> use the screen (Ikaro) please tell us how.

I do not know how to apply that with qemu, but I am sure the TM5 uses
the NOVATEK NT11004 display, this should be the touchscreen driver :)

https://github.com/wondermedia/wm8850/tree/master/ANDROID_3.0.8/drivers/input/touchscreen/novatek

by Erlantz L. (erlantz_l)

Maybe the information I am going to provide is useful:
Through the logs of the supervisor service I have discovered that the
GUI has been developed by the following company:
https://www.guiliani.de. The version of the Thermomix GUI shared here is
Guiliani 1.6; it seems old and on the web there are no references to
it. However, in the binary certain sources are seen, many of them shared
in the Guiliani version 2.1:
http://guiliani.de/mediawiki/downloads/Guiliani_doc_2.1/files.html

by Bimby T. (bimby)

Hi everyone,
Starting in 2020 the new TM6 will be built in China, maybe then there
should be more Chinese hackers trying to hack it. :P

Just out of curiosity, did anyone here know of a TM31 clone from South
Korea? It is called Cooking Master ALLDA (AD-1000):
http://www.allda.co.kr/en/cooking-master-allda/product-specification/
http://www.wordin.com/sub/sub02_05_1.php
https://www.youtube.com/watch?v=xHzhNIyrs6U
https://www.youtube.com/watch?v=y3y5LQniGlc

Happy hacking! :)

by Gunter G. (guntergunter)

This video seems to sum it all up (getting a remote root shell, recovering
the key and bypassing the digital signature check). Unfortunately it is all
in French.

https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4

by Moritz M. (mom)

Gunter G. wrote:
> This video seems to sum it all up (getting a remote root shell, recovering
> the key and bypassing the digital signature check). Unfortunately it is all
> in French.
>
> https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4

Orrr. Nice picture of the STM32 he has there. Sadly it is mine and CC 
BY-NC-SA 4.0 licensed. Which he obviously forgot to mention in the talk.

by Moritz M. (mom)

On Twitter he wrote:

»Hi, fixed around April (v2.6 or v2.7). There is no English version of 
the slides (I probably should have made those in English for the 
presentation). I'm thinking of doing version of the vid with English 
subtitles.«

https://twitter.com/jmbesnard_maz/status/1140977515252658179

So it seems to be fixed already.

by Sigma P. (sigmapic)

Gunter G. wrote:
> This video seems to sum it all up (getting a remote root shell, recovering
> the key and bypassing the digital signature check). Unfortunately it is all
> in French.
>
> https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4

Very interesting but not so happy to see that.

I'm French. So I understand everything.

Guys, everything you need now in order to decrypt recipe chips is
written in this thread.

He says that he alerted Thermomix about this exploit in January 2019.

At this time, if I remember well, we were already able to decrypt the
recipe chip.

I wonder if this guy is a member of this forum?
Did he post in this thread?

What he didn't explain is how he succeeded in extracting the kernel from the
flash.

by Sigma P. (sigmapic)

I don't know if I already posted this link here but it could be useful
for you:
https://github.com/SigmaPic/cryptoloop

by Sigma P. (sigmapic)

Sigma P. wrote:
> What he didn't explain is how he succeeded in extracting the kernel from the
> flash.

In fact he did it => nanddump

by Mortimer N. (Company: private) (ranseyer)

Moritz M. wrote:
> On Twitter he wrote:
>
> »Hi, fixed around April (v2.6 or v2.7). There is no English version of
> the slides (I probably should have made those in English for the
> presentation). I'm thinking of doing version of the vid with English
> subtitles.«
>
> https://twitter.com/jmbesnard_maz/status/1140977515252658179
>
> So seems to be fixed already.

Hmm, has somebody seen the version with English subtitles?

by Sigma P. (sigmapic)

Mortimer N. wrote:
> Hmm, has somebody seen the version with English subtitles?

A quick summary:
1. Target: getting a root shell, decrypting the recipe chip, bypassing the
signature check
2. Exploit communicated to Thermomix in January 2019 and patch published
in March 2019 (he doesn't say whether Thermomix patched new firmware)
3. He looked at the GUI, found in a menu that the TM5 runs Linux and
requested the source code CD from Thermomix
4. While waiting for the CD, he opened the recipe chip, found a USB flash in
UDP format, connected it to a computer, looked at the entropy and deduced
that the memory is encrypted => Difficult to do something
5. He got the source code CD. Looked at it and found that encryption is
managed by a modified version of DCP instead of the usual crypto API
6. He bought the wifi key, found that communication is SSL encrypted =>
Impossible to do MITM
7. He opened the key, found a USB memory, found two partitions on it, found
that one is writable with a tarball on it
8. He removed the tarball and put the key again in the Thermomix, then
checked this partition again and found that the tarball is restored by the TM5
9. So he deduced that he can make it execute tar on an archive he controls,
and he knows that some tar versions from Busybox are vulnerable to a
directory traversal exploit (exploit used to root the DJI drone)
10. TM5 uses tar 1.23 whereas the exploit has been found in 1.22 based on
the CVE report
11. He checked the source code of 1.23 and found that the exploit has not
been fixed. Exploit is fixed in 1.28
12. Some constraints: almost everything is read only except /tmp, /etc
and /var that are mounted in a tmpfs of 512kB. This memory is erased
after reboot. Tools distributed on the TM5 are very limited but there is
tcpsvd
13. He decided to use the "script" directive from dhclient and bind a
shell with tcpsvd. He created the tarball with everything and his script
is run when the key is attached to the TM5
14. He got a shell
15. Looked inside the TM5
16. Found that AES is used (grep -r losetup)
17. Found the pass phrase in opt/cookey.txt, tried to decrypt and mount it
but failed
18. He looked in the DCP source code and found that the key that is passed
via losetup is not directly used to decrypt. This key is compared to a key
hardcoded in the kernel and if they match another hardcoded key is used
to decrypt the recipe chip. (This trick allows storing the real key in
the kernel)
19. He dumped the kernel with nandflash and extracted the key
20. He decrypted the recipe chip, it works!
21. He modified the recipe database
22. He found that all files are signed and the signature is checked with
checksig called by netlink
23. He found a way (explained in the video) to bypass the signature check by
changing the USB memory serial
24. To modify the USB serial, either use an MP Tool or emulate a USB
flash with a Raspberry (what he did)
25. Finished

by Moritz M. (mom)

Thanks a lot for the summary, would have taken ages for me to figure it 
out with my poor french.

Sigma P. wrote:
> 2. Exploit communicated to Thermomix in January 2019 and patch published
> in March 2019 (he doesn't say whether Thermomix patched new firmware)

That he wrote in the tweet above. It was fixed in 2.6 or 2.7 in April
2019.

As I'm afraid of updating my TM5: what is the current version available?

Does anybody know if updating requires updates from minor version to
minor version (e.g. 2.3->2.4->2.5) incrementally?
Or will it be like the latest version will be installed regardless which
one is currently running (e.g. 2.3->2.5)?

by Moritz M. (mom)

At least getting the root shell should be feasible. Hopefully I will find
some time during the next months.

by Bimby T. (bimby)

Sigma P. wrote:
> 7. He opened the key, found a USB memory, found two partitions on it, found
> that one is writable with a tarball on it
> 8. He removed the tarball and put the key again in the Thermomix, then
> checked this partition again and found that the tarball is restored by the TM5

Hi Sigma, is this correct? What I understood from the video is that the
two partitions from the WIFI Key are not encrypted and if you delete one 
SQLite database on partition 2, the TM5 will restore it from the cs.tar 
from partition 1.

Anyone that has an updated TM5 can confirm the Busybox version shown on 
the "About" screen of the TM5?

I think I have seen somewhere in the TM5 scripts/source code that there 
is a "switch" that will allow the TM5 to downgrade its firmware, maybe 
we can use it somehow.

Do you think that the guy in the video is Ikaro? He is an Information
Security Audit & Advisory Senior Manager
(https://www.linkedin.com/in/jmbesnard), and he wrote here this:

> --Ikaro Psi

> P.S. The security on this machine is very very impressive, I have pretty
> much never seen done anything this right and I do security for living,
> those engineers were thinking of every little detail. Sadly even them
> are only humans :)

I think the best way to explore the TM5 is to successfully run the TM5
System/GUI on QEMU or RPI. Ikaro has somehow emulated the touchscreen 
but never gave information how to do that. I think this is one of the 
last pieces that we need to successfully emulate the TM5.

Happy hacking everyone! :)

by Bimby T. (bimby)

Bimby T. wrote:
> I think I have seen somewhere in the TM5 scripts/source code that there
> is a "switch" that will allow the TM5 to downgrade its firmware, maybe
> we can use it somehow.

From /opt/common.sh:

is_downgrade_enabled() {
    spare2=$(cat /sys/devices/platform/mxs-persistent.0/SPARE_2)
    if [ $(($spare2 & $TM41_BM_DOWNGRADE_ENABLED)) -ne 0 ] ; then
        g_status=1
    else
        g_status=0
    fi
}

enable_downgrade() {
    spare2=$(cat /sys/devices/platform/mxs-persistent.0/SPARE_2)
    spare2=$(($spare2 | $TM41_BM_DOWNGRADE_ENABLED))
    echo $spare2 > /sys/devices/platform/mxs-persistent.0/SPARE_2
}

disable_downgrade() {
    spare2=$(cat /sys/devices/platform/mxs-persistent.0/SPARE_2)
    spare2=$(($spare2 & ~$TM41_BM_DOWNGRADE_ENABLED))
    echo $spare2 > /sys/devices/platform/mxs-persistent.0/SPARE_2
}

From /opt/update.sh:

# Only allow downgrade if the special bit in RTC memory is set
# Otherwise only allow version >= current ones
is_downgrade_enabled
get_current_version
if [ $g_status -eq 1 ]; then
    new_version_allowed=1
elif [ $sw_date -ge $g_current_version ]; then
    new_version_allowed=1
fi

# If the new version didn't pass a check and it is not a forced update, bail out
if [ $new_version_allowed -eq 0 ] && [ $forced -eq 0 ]; then
    echo "Downgrade is not allowed"
    exit 2
fi

Here are some Novatek touchscreen drivers (the TM5 uses the NT11004):
https://github.com/wondermedia/wm8850/blob/master/ANDROID_3.0.8/drivers/input/touchscreen/novatek/novatek.c
https://github.com/crewrktablets/rk30_kernel/blob/master/drivers/input/touchscreen/Novatek_nt11003.c
https://git.congatec.com/android/qmx6_kernel/commit/01539e3aa09e7203a451d567de7cedc4794453ff#b9dd3bb551ac2d88c29329285264a4cdccc79989
https://github.com/endlessm/linux-meson/blob/master/drivers/amlogic/input/touchscreen/novatek.c

Maybe someone knows how to emulate the I2C on QEMU using the serial 
converter from QEMU: 
https://unix.stackexchange.com/questions/119335/how-can-i-simulate-usb-storage-device-connection-with-qemu

by Sigma P. (sigmapic)

Bimby T. wrote:
> Hi Sigma, is this correct? What I understood from the video is that the
> two partitions from the WIFI Key are not encrypted and if you delete one
> SQLite database on partition 2, the TM5 will restore it from the cs.tar
> from partition 1.

You're right.
There are two partitions that are not encrypted.
One contains some database files.
The second a tarball that may be a backup of the first one.
If you delete some file of the first partition, it is restored.
It seems that the restoration is done from the tarball.
So, the TM5 opens the tarball.
So, with a magic tarball you can get the root shell.

Great job by the way.

by Tom T. (tomtest)

I might have found something that could help sorting out the SQL tables:
https://pastebin.com/kpfviZZq

AllRecipes or getGuidedMap seems to be a good starting point to 
understand the structure.

by Bimby T. (bimby)

Hi,

has anyone already asked Vorwerk (opensource@vorwerk.de) for the
open source code of the new Thermomix TM6?
Would be nice to know if it is possible to convert a TM5 to a TM6... It 
seems that the models are almost identical... :)

by David F. (david_f)

Good evening,

In this super long thread I have somewhat lost track.
Can someone briefly summarize what the current state is?
What is currently possible?

Regards
kolch

by Ralf X. (ralf0815)

David F. wrote:
> Good evening,
>
> In this super long thread I have somewhat lost track.
> Can someone briefly summarize what the current state is?
> What is currently possible?
>
> Regards
> kolch

At the moment just about anything is possible, not only when cooking.

by Julian W. (julian-w)

One forum user managed to outwit the Thermomix, but no guide is
freely available. So you have to search the source code yourself for
the bug that makes this possible. However, there are a few tips about it in
the thread.

by Sebastian K. (5phinxx)

Ralf X. wrote:
> David F. wrote:
>> Good evening,
>>
>> In this super long thread I have somewhat lost track.
>> Can someone briefly summarize what the current state is?
>> What is currently possible?
>>
>> Regards
>> kolch
>
> At the moment just about anything is possible, not only when cooking.

Wow, thanks a lot for your contribution! You are a real asset
to this forum 👍

by David F. (david_f)

@Sebastian
Thanks for your comment. I thought the same thing.

@Julian
A pity that there is no real HowTo. The information is very
scattered throughout the thread.

by Michael W. (mwulz)

David F. wrote:
> @Sebastian
> Thanks for your comment. I thought the same thing.
>
> @Julian
> A pity that there is no real HowTo. The information is very
> scattered throughout the thread.

@all: unfortunately there are also exactly those forum users who are just
waiting to make pointless comments.

I suggest putting the hacks offered here on GitHub and thereby
making the topic easier to follow.

A switch to English, as already suggested, would also make the topic
more international and enlarge the circle of people who can really
contribute something.

Regards

by Schang S. (Company: none) (schang)

This security talk wraps it up:
https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4

1 - how to get a root shell
2 - how to recover encryption key and decrypt stick
3 - how to bypass digital signature

by Bimby T. (bimby)

Michael W. wrote:
> David F. wrote:
>> @Sebastian
>> Thanks for your comment. I thought the same thing.
>>
>> @Julian
>> A pity that there is no real HowTo. The information is very
>> scattered throughout the thread.
>
> @all: unfortunately there are also exactly those forum users who are just
> waiting to make pointless comments.
>
> I suggest putting the hacks offered here on GitHub and thereby
> making the topic easier to follow.
>
> A switch to English, as already suggested, would also make the topic
> more international and enlarge the circle of people who can really
> contribute something.
>
> Regards

@To all that do not want to read the complete thread:

- You can find all the steps to change the Cook Key files here (I think 
this procedure was already patched on new firmware releases): 
https://pastebin.com/uSRCEpts

- You can watch a video how to gain root access on an older firmware of 
the Thermomix: https://www.youtube.com/watch?v=iCOBc6JLSGc

If someone successfully managed to run the Thermomix GUI with QEMU, just
let us know (Ikaro has managed to run it with an emulated touchscreen
driver. Sadly he never shared this emulated driver):
post "Re: Thermomix Rezeptchips"

by Schang S. (Company: none) (schang)

The YouTube video seems to be private. If it is yours could you switch 
it to public? Thanks

by Bimby T. (bimby)

Schang S. wrote:
> The YouTube video seems to be private. If it is yours could you switch
> it to public? Thanks

Hi Schang,

I have changed the permissions.
The YouTube video is the same one that you have already posted, just on
YouTube so you can turn subtitles on and choose an auto-generated
translation...

by David F. (david_f)

Bimby T. wrote:
> - You can find all the steps to change the Cook Key files here (I think
> this procedure was already patched on new firmware releases):
> https://pastebin.com/uSRCEpts

Sorry to hear that it is already fixed with the new firmware. Are you 100%
sure?

by Bimby T. (bimby)

David F. wrote:
> Bimby T. wrote:
>> - You can find all the steps to change the Cook Key files here (I think
>> this procedure was already patched on new firmware releases):
>> https://pastebin.com/uSRCEpts
>
> Sorry to hear that it is already fixed with the new firmware. Are you 100%
> sure?

If you watch the YouTube video I've posted, you can see the steps to
gain access to the Thermomix and change a recipe on the cook key.
The security engineer said that he has got the OK from Vorwerk to show
this vulnerability because it was already patched in the new firmware
version...

by Alexander H. (alexander_h390)

Does anybody know which is the last firmware with the vulnerability?
2.8?
Mine is still running on 2.4.

by Schang S. (Company: none) (schang)

I can't remember the exact version numbers but basically it was patched
around March 2019, so if you can see a timestamp next to the version
then you can determine whether your device is still vulnerable.
If your TM5 has never been patched through the Wifi cookkey installation
then your device is definitely vulnerable.

Finally, check the about menu to find what version of busybox is
advertised. If it is 1.23xx then it is vulnerable.

by Moritz M. (mom)

It was fixed in 2.6 or 2.7.

Did anybody request the firmware from opensource@vorwerk.de for the 
versions > 2.4?

If somebody has it, we can put it to Github/Gitlab for reference. Just 
DM me for details.

2.3 is already available.

by Bimby T. (bimby)

Does anyone here know the URL to check for a firmware update and if
it is possible to download the update without the Thermomix? I think I
have read here that the update is encrypted; is it possible to decrypt
and access the update files?

by Ben H. (ben_h)

Bimby T. wrote:
> - You can find all the steps to change the Cook Key files here (I think
> this procedure was already patched on new firmware releases):
> https://pastebin.com/uSRCEpts

I confused the Cook Key with Recipe Chips and tried the steps above for a
Recipe Chip USB - but the image doesn't compress much. Is there a method
to modify the recipes on the Recipe Chips, or just the Cook Key (wifi
dongle)?

(I have a Thermomix that I didn't think we've allowed to update - its
software is
202007050000 2.10 - which looks new (assuming that's a date) - but
Busybox says 1.23.2)

by Bimby T. (bimby)

Ben H. wrote:
> Bimby T. wrote:
>> - You can find all the steps to change the Cook Key files here (I think
>> this procedure was already patched on new firmware releases):
>> https://pastebin.com/uSRCEpts
>
> I confused the Cook Key with Recipe Chips and tried the steps above for a
> Recipe Chip USB - but the image doesn't compress much. Is there a method
> to modify the recipes on the Recipe Chips, or just the Cook Key (wifi
> dongle)?
>
> (I have a Thermomix that I didn't think we've allowed to update - its
> software is
> 202007050000 2.10 - which looks new (assuming that's a date) - but
> Busybox says 1.23.2)

When I say Cook Key I mean the Recipe Chips (I think the Wifi dongle
doesn't work)... This method should allow you to edit the recipes on the
chip (you need to check the data structure of the recipes)... I also
recommend using a USB pendrive that has a tool to change the serial
number...

by Schang S. (Company: none) (schang)

Although the attack features the Cook-key (as a way to get a remote 
shell and to then recover the encryption key and eventually to 
understand the digital signature bypass through command injection with 
the USB serial number), the final target is the recipe chip (e.g., the 
small green device you get when you purchase a TM5).

Changing recipes is just a matter of understanding the database 
structure (which can be quite a mess). For example, if you wish to 
change the weight of a particular ingredient for a recipe, you'll have 
to update that information in 2 different tables.
As for actually creating a recipe from scratch, it is slightly more 
difficult.

Changing the serial number requires that you get a memory flash drive 
that will allow serial number update. From what I have experienced, you 
often need to write content (the modified disk image of the recipe 
stick) and to update the serial number at the same time. This operation 
takes a lot of time and will sometimes eventually brick the flash drive. 
Because of that, it is more convenient to simulate a flash drive with an 
OTG-enabled raspberry Pi (Raspberry zero does that, other raspberry 
versions don't). With that setup you can not only change the serial 
number at ease but you can also update data on the fly (which is way 
more convenient when you need to make frequent changes in an attempt to 
modify/create a recipe). It is also more convenient to do that with the 
cook-key (as shown in the video) by putting a USB (male/female) 
extension inside and then plugging the rpi zero (more convenient from a 
connection standpoint).

This looks like this:
[TM5]--[Cook-key]--<USB-extension>[RPI-zero]

Finally, I believe that you also need to power the RPI-zero with USB (so 
both USB OTG and normal USB ports will be used) as the TM5 does not 
provide enough power to boot the RPI.

by Bimby T. (bimby)

Schang S. wrote:
> Because of that, it is more convenient to simulate a flash drive with an
> OTG-enabled raspberry Pi (Raspberry zero does that, other raspberry
> versions don't). With that setup you can not only change the serial
> number at ease but you can also update data on the fly (which is way
> more convenient when you need to make frequent changes in an attempt to
> modify/create a recipe).

Hi Schang, it would be nice if you could post a little "how to" on using 
the RPi Zero as an USB Stick for the TM5... :)

by Schang S. (Company: none) (schang)

5'23 of the video provides a screenshot of the command line to do that

by Truggy M. (truggy)

Hi all,

I've been reading the whole thread, and frankly, that's awesome, good job
guys for all your discoveries. I'll add my share here.

I've been investigating the updates version 2.8 and 2.10, and both of
them are patched; the exploits in the video of the SSTIC 2019 are no
longer possible.
Even if the busybox version is vulnerable, they have set up a test in the
update process to refuse the update package if it contains symbolic
links, hard links, "../" or "/".
This is verified in the binary file "/usr/sbin/netlink".

About step 7 of the procedure https://pastebin.com/uSRCEpts :
"Write image.img back to the Cook Key or USB Pendrive that can be read
by the machine": as stated in the video, you also have to change the
serial number of the USB drive, this is possible on lots of USB devices
thanks to flashboot.ru files.
BUT, something not really underlined, you ALSO have to make the
partition of your USB drive be seen like a CDROM filesystem (in the
video, at position 5:23 you'll see he is using the gadget mass_storage
with option cdrom=y).
Even with flashboot.ru files, I tried on 3 different USB keys I own, and
I could not write the raw encrypted image on the USB drives (image not
written, or the size of the partition is different from the image).
I really think we'd need to find the right USB drive model to do so!

Technical info of one of my USB cookeys shows:
Controller: Silicon Motion SM3257 ENLTAA
Possible Memory Chip(s): Samsung K9ABGD8U0D
Maybe we can find somewhere to buy it?
I wonder how Matt C. did the hack in his post "04.11.2018 10:28", maybe
already with a Raspberry?

I don't think the file structure or the sqlite tables would be a problem
for creating your own cookey, it's logical. The main problem is the
signature checking that is not possible anymore to bypass in newer
versions (at least starting from 2.8, they have added a check to see if
the serial number only contains numbers)...

The gadget mass_storage might be used to get a root shell differently on
the device, but that would need more investigation and may end in
nothing! :)

About the updates, Vorwerk has really done a big job to protect this
input, congrats!
If you're interested, here are the links to:
- version 2.8 root squashfs filesystem :
https://mega.nz/file/0vIU3JoC#MljPXOhZHL82u9_xpFXXC2TKPo3KzxQEElKte0wsar4
- version 2.10 root squashfs filesystem :
https://mega.nz/file/hrAQhTpB#ezcbOKG9ALETVWTPADY-K5YuFfM3WBotgrXEs5bR9sw
- kobs-ng update file containing the kernel of version 2.10:
https://mega.nz/file/0jYkwT5S#z6R6x69xPtsUZjzML7UXybTWYxa6-_-g40cqSU-LPQ0

I'd really love to have my TM5 freed, so that I can share my recipes 
with anyone and without the cookidoo platform !

Cheers !

: Edited by user
by Ralf G. (dougie)

Rating: 0 worth reading
...in fact it would be fantastic to have an image for an RPi Zero which 
emulates a Cook-Key WiFi dongle (or at least a Cook-Key) towards the 
TM5, and offers WiFi capabilities to the other side.... enabling the use 
and storage of your own recipes....

by Truggy M. (truggy)

Rating: 0 worth reading
I think the communications between the TM5 and the cookidoo servers are 
encrypted with TLS (of course) and, moreover, may use TM5-internal 
certificates to connect to this platform.
Therefore, you'd need to extract these certificates from your TM5 to be 
able to create a MITM proxy and decrypt the data: so you need root on 
the device, or to be able to read the NAND chip of your TM5...

With reverse engineering you might be able to understand the 
communication protocol and emulate the cookidoo servers: well, that's an 
idea if the TM5 doesn't wait for authentic certificates from cookidoo...

There should still be possibilities with this wifi, we just have to be 
creative and imagine scenarios :)

: Edited by user
by Matt C. (thermomatt)

Rating: 0 worth reading
Truggy M. wrote:
> I wonder how Matt C. did the hack in his post "04.11.2018 10:28", maybe
> already with raspberry ?

I used a normal USB stick - I just went through my collection of USB 
sticks and tried to find the MPTool software for each one, until one 
finally worked. The USB stick I ended up using was a cheap one that I 
got free from a conference, using the Ameco MW6208 chipset, but any 
should be fine if you can find the right software to set the serial 
number and CD-ROM mode. It is quite a painful process, so using an RPi 
is a good idea.

Cheers,
Matt

by Truggy M. (truggy)

Rating: 0 worth reading
Thanks Matt for that clarification, I wasn't that lucky with my 3 USB 
drives!

As the busybox version is still vulnerable, it might be possible to 
create a Raspberry with the mass storage gadget acting like the 2 
internal partitions of the cookkey wifi.
As shown in the SSTIC video, at 1:11, if the "ext.sdb" file is not 
present in the second partition, the Thermomix will recreate the second 
partition (mkfs.ext4) and restore the contents of the file "cs.tar" from 
partition 1 to partition 2.
The new protection in versions > 2.7 checks for a malformed "cs.tar" 
before allowing the file to be restored to the partition.
With that mass storage gadget, I think it would be possible to intercept 
(on the Raspberry) the first opening of "cs.tar" and show a valid file, 
and then for the next open of "cs.tar" give a crafted tar file, and 
boom :)

I haven't worked yet on the Linux possibilities to hook those system 
calls, but there's a good chance it's possible to do it in combination 
with the mass storage gadget.

Once root on the device, you could simply mount a modified filesystem 
and disable the signature checking of the recipes; that is easy.

: Edited by user
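As an added example (not code from the thread and not Vorwerk's own netlink check), here is the kind of update-archive check that Truggy's two posts describe, written from the defender's side: it refuses symbolic links, hard links, "../" components and absolute names, and it validates and unpacks from one in-memory copy of the archive, so the "valid file on the first open, crafted file on the second open" race discussed above never gets a second open. The sample archives are constructed in memory; no real cs.tar is used.

```python
import io
import tarfile


def build_archive(entries):
    """Build a constructed test archive in memory (not a real cs.tar).
    entries: (name, kind, payload) with kind 'file' (payload = bytes),
    'sym' or 'hard' (payload = link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE if kind == "sym" else tarfile.LNKTYPE
                info.linkname = payload
                tf.addfile(info)
    return buf.getvalue()


def archive_problems(blob):
    """Reasons the package must be refused (empty list = acceptable):
    symbolic links, hard links, '..' path components and absolute names."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tf:
        for m in tf.getmembers():
            if m.issym():
                problems.append(f"{m.name}: symbolic link")
            elif m.islnk():
                problems.append(f"{m.name}: hard link")
            if m.name.startswith("/") or ".." in m.name.split("/"):
                problems.append(f"{m.name}: path escapes the extraction root")
    return problems


def load_verified(blob):
    """blob is the ONE read of the archive from the removable medium. Checking
    and unpacking both work on this copy, so a device that would serve other
    bytes on a second open never gets that second open."""
    problems = archive_problems(blob)
    if problems:
        raise ValueError("refused: " + "; ".join(problems))
    files = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tf:
        for m in tf.getmembers():
            if m.isfile():
                files[m.name] = tf.extractfile(m).read()
    return files
```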
by Bimby T. (bimby)

Rating: 0 worth reading
Matt C. wrote:
> Truggy M. schrieb:
>> I wonder how Matt C. did the hack in his post "04.11.2018 10:28", maybe
>> already with raspberry ?
>
> I used a normal USB stick - I just went through my collection of USB
> sticks and tried to find the MPTool software for each one, until one
> finally worked.   The USB stick I ended up using was a cheap one that I
> got free from a conference, using Ameco MW6208 chipset, but any should
> be fine if you can find the right software to set the serial number and
> CD-ROM mode.  It is quite a painful process so using RPi is a good idea.
>
> Cheers,
> Matt

I know that the Windows 10 installation USB sticks can be written with 
an ISO as CD-ROM using MPALL_F1_7F00_DL07_v503_0A:
https://www.elektroda.com/rtvforum/topic3313834.html

The one I have tested has this FCC ID and should be a DataTraveler 3.0 
from Kingston (Model: DTM30): https://fccid.io/MSIP-REM-K98-1734

Here is a picture of the internals: 
https://mdex-nn.ru/uploads/win10_flash02.jpg

Maybe they can still be found on ebay or amazon...

by Ralf G. (dougie)

Rating: 0 worth reading
Truggy M. wrote:
> There should still have possibilities with this wifi, we just have to be
> creative and imagine scenarios :)

...I meant an image which behaves like a Cookey towards the TM5, and 
offers a simple web page to the user for adding recipes.... maybe also 
with an option to import dumps from other Cookeys....

Would be cool.... and I guess within the range of available options 
(unfortunately a bit outside my area of expertise at this point in time)

by Ralf G. (dougie)

Rating: 0 worth reading
...in addition:

It seems the manufacturer wants to make you move to a new firmware as 
quickly as possible. Over the weekend I spent some minutes with our TM5 
and a WiFi Cook-Key I grabbed on ebay...

Because the TM5 was on its original firmware from 2016, it was not able 
to use the WiFi key, and an update with the firmware stored on the WiFi 
key was necessary.

Having done that, I was able to connect to the local WiFi and registered 
with the Vorwerk server, which delivered the next message: that a newer 
firmware would be available.
I refused to do that and found out that, with the current firmware, the 
server does not perform any sync between your Cookidoo web account and 
the TM5. ...
It says no sync possible until the newer firmware is installed....

Hmmmm....

: Edited by user
by Bimby T. (bimby)

Rating: 0 worth reading
Ralf G. wrote:

> Done that I was able to connect to the local Wifi and registered the
> Vorwerk Server, delivering the next message, that a newer Firmware would
> be available.
> I refused to do that and found out, that with the current firmware the
> server does not perform any sync between your Cookidoo web account and
> the TM5. ...
> It says no sync possible until newer firmware installed....
>
> Hmmmm....

I think that the old firmware has an expired certificate, and this is 
why it needs a new firmware to connect to the Vorwerk servers...

by Ralf G. (dougie)

Attached files:

Rating: 0 worth reading
Well, I'm afraid it's intentional.... on the TM5 I can browse recipes 
online from the VW server, but when adding recipes with my computer to 
my personal lists on Cookidoo and trying to synchronize with the TM5, it 
mandates a software update...

For obvious reasons I don't want that at this point in time...

Need to read up on how to set up an RPi Zero in OTG mode, behaving as a 
USB stick with "our" serial...

by Bimby T. (bimby)

Rating: 0 worth reading
Ralf G. wrote:

> Need to read, how to set up a RPi zero in OTG mode and behaving as an
> USB Stick with "our" serial...

Just check the YouTube video @5:22: https://youtu.be/iCOBc6JLSGc?t=322
Here you can see how to configure the RPi Zero W as a mass storage 
device: 
https://magpi.raspberrypi.org/articles/pi-zero-w-smart-usb-flash-drive

: Edited by user
by Truggy M. (truggy)

Rating: 0 worth reading
About the mandatory update, it's written in their update changelog:
https://support.vorwerk.com/hc/en-us/articles/360008472119-Which-new-functions-do-I-get-for-my-Thermomix-TM5-with-the-latest-update-

They may also have strengthened the server communication or added new 
features that previous firmwares didn't support.

About the RPi, search for the Linux mass storage gadget; the 
instructions are quite clear and the video pointed to by Bimby gives you 
the command line.

Has anyone already worked with system hooks?

by Bimby T. (bimby)

Rating: 0 worth reading
Truggy M. wrote:

> About the updates, Vorwerk has really done a big job to protect this
> input, congrats !
> If you're interested, here are the links of :
> - version 2.8 root squashfs filesystem :
> https://mega.nz/file/0vIU3JoC#MljPXOhZHL82u9_xpFXXC2TKPo3KzxQEElKte0wsar4
> - version 2.10 root squashfs filesystem :
> https://mega.nz/file/hrAQhTpB#ezcbOKG9ALETVWTPADY-K5YuFfM3WBotgrXEs5bR9sw
> - kobs-ng update file containing the kernel of version 2.10:
> https://mega.nz/file/0jYkwT5S#z6R6x69xPtsUZjzML7UXybTWYxa6-_-g40cqSU-LPQ0

Hi Truggy,

how did you get access to the new firmware 2.10? Are you able to 
download the updates directly from the Vorwerk servers? If so, can you 
tell how? :)

by Truggy M. (truggy)

Rating: 0 worth reading
Well, I didn't spend time looking for the URL on Vorwerk's servers: I 
just connected the wifi cookkey, the Thermomix downloaded the update, 
and I took the file "tm5.img" from the second partition of the drive in 
the cookkey.

The extraction of the internal data was a little harder because their 
tool (/usr/sbin/checkimg) needed some little "adjustments" to be able to 
extract the data without complaining...

by Bimby T. (bimby)

Rating: 0 worth reading
Truggy M. wrote:
> Well, I didn't spend time looking for the url in vorwerk's servers
> : I just connected the wifi cookkey, the thermomix downloaded the
> update, and I took the file "tm5.img" from the second partition of the
> drive in the cookkey.
>
> The extraction of the internal data was a little harder because their
> tool (/usr/sbin/checkimg) needed some little "adjustments" to be able to
> extract the data without complaining...

It would be nice to find out how to get the URL to check if we could 
inject a custom firmware. I suppose that the firmware has a checksum, so 
I was thinking of changing part of the firmware by swapping bytes from 
an image. For example: if we have a binary file we would like to patch, 
we seek the needed bytes for the patch in an image and swap them. In 
theory, the image would have bad pixels, but the checksum should be the 
same, because we only swapped the bytes in the firmware.
It would be hard work, but, first thing: is something like this even 
possible? :)

: Edited by user
by Truggy M. (truggy)

Rating: 0 worth reading
That could be a good idea, but seeing the level of security they have 
put into the product, it's really more than a checksum; I guess they 
have encrypted / verified the update package with RSA certificates: 
without the private key, you won't be able to generate a valid update 
package...

If you're interested, here are the complete update files; you'll see the 
format is not understandable and very probably encrypted:
- full update version 2.8: 
https://mega.nz/file/s2QWgR4A#F6ju-XtenmQ1Unn-l2htUp6eG0CbZnRzsLXqlnjEN0I
- full update version 2.10: 
https://mega.nz/file/wrYiULAC#9z-R0G23mqF2WAXdR4o4fjdTSy_W5SGfEsptb2IJRgo
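The exchange above in code, as an added example that comes from neither poster: swapping two bytes of an image leaves a plain additive checksum unchanged, exactly as Bimby reasons, but it changes a cryptographic hash such as SHA-256, which is what an RSA signature of the kind Truggy expects is computed over, so a signed package cannot be altered this way without the private key. The image bytes are constructed and stand in for a real tm5.img.

```python
import hashlib


def additive_checksum(data: bytes) -> int:
    """Naive 16-bit sum-of-bytes checksum: the order of the bytes is irrelevant."""
    return sum(data) & 0xFFFF


def swap_bytes(data: bytes, i: int, j: int) -> bytes:
    """The 'patch by swapping bytes' idea: exchange two bytes of the image."""
    out = bytearray(data)
    out[i], out[j] = out[j], out[i]
    return bytes(out)


def integrity_survives_swap(data: bytes, i: int, j: int) -> dict:
    """For each integrity value, True means the swap went unnoticed."""
    swapped = swap_bytes(data, i, j)
    return {
        "sum16": additive_checksum(data) == additive_checksum(swapped),
        "sha256": hashlib.sha256(data).digest() == hashlib.sha256(swapped).digest(),
    }


# Constructed stand-in for a firmware image (not a real tm5.img).
SAMPLE_IMAGE = bytes(range(256)) * 4
```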

by Ralf G. (dougie)

Attached files:

Rating: 0 worth reading
....today I purchased a used chip for our TM5, but for an unknown 
reason the TM5 complains that it cannot read the chip and that I should 
clean the contacts.

Well, I did (several times)... I also opened the chip and bent the 
contacts to the memory stick inside. No luck.

Then I soldered some cables directly between the memory stick and the 
contacts... same result....

So I assume the memory stick is simply defective... In case you don't 
have a smart idea what to do with it, I guess I will transform it into a 
USB OTG interface

: Edited by user