Hans H. wrote:
> Bimby T. wrote:
>> Ikaro P. wrote:
>>> (I know I'm late... more coming soon, I promise)
>>>
>>> 2faf 32c6 f26b 5cc0 21c1 8988 019a f3a5
>>
>> Hi Ikaro P.,
>>
>> it is never too late for sharing your findings. :)
>> Is this the encryption key for the cook key or the piece of code where
>> the signature of the key is checked?
>>
>> Thanks and keep up the great work! :)
>
> It's the actual encryption key for the cookey. You can extract it from
> Matt's kernel dump.

Hi Hans H.,

you mean the decryption key and not the encryption key, or am I wrong? From what I know, nobody found out how to encrypt a cook key, right?
> Hi Hans H.,
>
> you mean the decryption key and not the encryption key, or am I wrong? From
> what I know, nobody found out how to encrypt a cook key, right?

The encryption and decryption key is the same for the cookey.
Everyone that got a custom recipe on his TM had to encrypt his cookey.
Hans H. wrote:
>> Hi Hans H.,
>>
>> you mean the decryption key and not the encryption key, or am I wrong? From
>> what I know, nobody found out how to encrypt a cook key, right?
>
> The encryption and decryption key is the same for the cookey.
> Everyone that got a custom recipe on his TM had to encrypt his cookey.

Sorry, I was thinking about the recipe chip verification method and not the encryption/decryption of the chip... The recipe chip verification uses an RSA key and this is what nobody found out how to compute; only Matt knows how to bypass this verification using a bug found in the verification method of the recipe chip.
Hans H. wrote:
> TM6 is coming:
> https://thermomix.vorwerk.de/thermomix/tm6/

Seems like Vorwerk is pissed....
Martin S. wrote:
> Hans H. wrote:
>> TM6 is coming:
>> https://thermomix.vorwerk.de/thermomix/tm6/
>
> Seems like Vorwerk is pissed....

Well, it seems that they tried to copy the Monsieur Cuisine Connect from Lidl... Almost all new features could be added to the TM5 with a software update...

Here the first test and differences to the TM5: https://youtu.be/5fjKtTg441g

Maybe it is time to find a way to upgrade the TM5 with the software from the TM6... :P
Ivo B. wrote:
> Looks like the TM6 has a web-based user interface :-)

What exactly leads you to that statement?
Hans H. wrote:
> Ivo B. wrote:
>> Looks like the TM6 has a web-based user interface :-)
>
> What exactly leads you to that statement?

We have the TM6 at home. I would also say that access to the recipe archives is web-based. But the other functions are, as before, not a web interface.
Hello from Spain ;)

Boot GUI system (actually working on it):

/opt/Thermomix.sh : script that launches log processes and calls the GUI
/usr/sbin/supervisor : "supervises" TM5 hardware and if all is OK runs the Thermomix GUI (binary is /opt/Thermomix/Thermomix)
/usr/sbin/supervisor_config.xml : here are the parameters that supervisor reads

We can launch supervisor from the shell as root:

supervisor -m SERVICE : a mode that brings up a preset IP (192.168.76.1), mouse and keyboard, uses some port but does not start the GUI
supervisor -m GUI : it runs the GUI, and you can see a screen but you still can not move forward, I need a mouse

Other services:
supervisor -m OTA : search upgrade ....

To launch Linux I use the tm5.sh script that is in this forum (Post "Re: Thermomix Rezeptchips") but chroot is not necessary, and I have changed it to launch with screen and 256M of RAM (max RAM for qemu):

qemu-system-arm -M versatilepb -kernel vmlinuz -initrd initrd.img -m 256M -hda disk.qcow2 -append "root=/dev/sda1" -redir tcp:8022::22

Things to do:

It's not necessary to mount a partition, you can make it in the same partition:
mkdir -p /mnt/rwfs/data/system_config

Copy binaries from the Thermomix rootfs:
cp -r /tm5/usr/* /usr
cp -r /tm5/opt/* /opt

rc.local from the Thermomix rootfs is not necessary, only the binaries that I mention are necessary.

Note: I'm trying to stabilize the GUI, from time to time it falls.
Ikaro P. wrote:
> P.S. Coming soon might be a guide on running the GUI in an emulator,
> for now it's not usable as the emulated touchscreen driver is sending
> coordinates in 0-32768 range but the GUI needs them in screen pixels.
> Clicking blindly in the left upper corner is just pain in the ass...

Ikaro, in order to run the GUI can you tell what emulated touchscreen driver you have used?

Thanks
I use a Raspberry Pi 2B with chroot, the supervisor service works but I still have no luck with the touchscreen, I can't use the screen. If anyone can use the screen (Ikaro) please tell us how.
Erlantz L. wrote:
> I use a Raspberry Pi 2B with chroot, the supervisor service works but I
> still have no luck with the touchscreen, I can't use the screen. If anyone can
> use the screen (Ikaro) please tell us how.

I do not know how to apply that with qemu, but I am sure the TM5 uses the NOVATEK NT11004 display, this should be the touchscreen driver :)

https://github.com/wondermedia/wm8850/tree/master/ANDROID_3.0.8/drivers/input/touchscreen/novatek
Maybe the information I am going to provide is useful: Through the logs of the supervisory service I have discovered that the GUI has been developed by the following company: https://www.guiliani.de, the version of the Thermomix GUI shared here is the Guiliani 1.6, it seems old and on the web there are no references to it, however in the binary certain sources are seen, many of them shared in the guiliani version 2.1: http://guiliani.de/mediawiki/downloads/Guiliani_doc_2.1/files.html
Hi everyone,

Starting 2020 the new TM6 will be built in China, maybe then there will be more Chinese hackers trying to hack it. :P

Just out of curiosity, did anyone here know of a TM31 clone from South Korea? It is called Cooking Master ALLDA (AD-1000):

http://www.allda.co.kr/en/cooking-master-allda/product-specification/
http://www.wordin.com/sub/sub02_05_1.php
https://www.youtube.com/watch?v=xHzhNIyrs6U
https://www.youtube.com/watch?v=y3y5LQniGlc

Happy hacking! :)
This video seems to sum it all up (getting a remote root shell, recover the key and bypass the digital signature check). Unfortunately it is all in French. https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4
Gunter G. wrote:
> This video seems to sum it all up (getting a remote root shell, recover
> the key and bypass the digital signature check). Unfortunately it is all
> in French.
>
> https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4

Orrr. Nice picture of the STM32 he has there. Sadly it is mine and CC BY-NC-SA 4.0 licensed. Which he obviously forgot to mention in the talk.
On Twitter he writes:

»Hi, fixed around April (v2.6 or v2.7). There is no English version of the slides (I probably should have made those in English for the presentation). I'm thinking of doing a version of the vid with English subtitles.«

https://twitter.com/jmbesnard_maz/status/1140977515252658179

So it seems to be fixed already.
Gunter G. wrote:
> This video seems to sum it all up (getting a remote root shell, recover
> the key and bypass the digital signature check). Unfortunately it is all
> in French.
>
> https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4

Very interesting but not so happy to see that. I'm French. So I understand everything.

Guys, everything you need now in order to decrypt recipe chips is written in this thread.

He says that he alerted Thermomix about this exploit in January 2019. At this time, if I remember well, we were already able to decrypt the recipe chip. I wonder if this guy is a member of this forum? Did he post in this thread?

What he didn't explain is how he succeeded in extracting the kernel from the flash.
I don't know if I already posted this link here but it could be useful for you: https://github.com/SigmaPic/cryptoloop
Sigma P. wrote:
> What he didn't explain is how he succeeded in extracting the kernel from the
> flash.

In fact he did it => nanddump
Moritz M. wrote:
> On Twitter he writes:
>
> »Hi, fixed around April (v2.6 or v2.7). There is no English version of
> the slides (I probably should have made those in English for the
> presentation). I'm thinking of doing a version of the vid with English
> subtitles.«
>
> https://twitter.com/jmbesnard_maz/status/1140977515252658179
>
> So it seems to be fixed already.

Hmm, has somebody seen the version with en-subtitles?
Mortimer N. wrote:
> Hmm, has somebody seen the version with en-subtitles?

A quick summary:

1. Target: getting a root shell, decrypt the recipe chip, bypass the signature check
2. Exploit communicated to Thermomix in January 2019 and patch published in March 2019 (he doesn't say whether Thermomix patched new firmware)
3. He looked at the GUI, found in a menu that the TM5 runs Linux and requested the source code CD from Thermomix
4. While waiting for the CD, he opened the recipe chip, found a USB flash in UDP format, connected it to a computer, looked at the entropy and deduced that the memory is encrypted => difficult to do something
5. He got the source code CD. Looked at it and found that encryption is managed by a modified version of DCP instead of the usual crypto API
6. He bought the wifi key, found that communication is SSL encrypted => impossible to do MITM
7. He opened the key, found a USB memory, found two partitions on it, found that one is writable with a tarball on it
8. He removed the tarball and put the key again in the Thermomix, then checked this partition again and found that the tarball is restored by the TM5
9. So he deduced that he can execute tar on an archive he can control, and he knows that some tar versions from Busybox are vulnerable to a directory traversal exploit (exploit used to root the DJI drone)
10. The TM5 uses tar 1.23 whereas the exploit has been found in 1.22 based on the CVE report
11. He checked the source code of 1.23 and found that the exploit has not been fixed. The exploit is fixed in 1.28
12. Some constraints: almost everything is read only except /tmp, /etc and /var that are mounted in a tmpfs of 512kB. This memory is erased after reboot. Tools distributed on the TM5 are very limited but there is tcpsvd
13. He decided to use the "script" directive from dhclient and bind a shell with tcpsvd. He created the tarball with everything and his script is run when the key is attached to the TM5
14. He got a shell
15. Looked inside the TM5
16. Found that AES is used (grep -r losetup)
17. Found the pass phrase in opt/cookey.txt, tried to decrypt and mount it but it fails
18. He looked in the DCP source code and found that the key that is passed via losetup is not directly used to decrypt. This key is compared to a key hardcoded in the kernel and if they match another hardcoded key is used to decrypt the recipe chip. (This trick allows storing the real key in the kernel)
19. He dumped the kernel with nandflash and extracted the key
20. He decrypted the recipe chip, it works!
21. He modified the recipe database
22. He found that all files are signed and the signature is checked with checksig called by netlink
23. He found a way (explained in the video) to bypass the signature check by changing the USB memory serial
24. To modify the USB serial, either use an MP Tool or emulate a USB flash with a Raspberry (what he did)
25. Finished
Thanks a lot for the summary, it would have taken ages for me to figure it out with my poor French.

Sigma P. wrote:
> 2. Exploit communicated to Thermomix in January 2019 and patch published
> in March 2019 (he doesn't say whether Thermomix patched new firmware)

That he wrote in the Tweet above. It was fixed in 2.6 or 2.7 in April 2019.

As I'm afraid of updating my TM5: what is the current version available? Does anybody know if updating requires updates from minor version to minor version (e.g. 2.3->2.4->2.5) incrementally? Or will it be like the latest version will be installed regardless which one is currently running (e.g. 2.3->2.5)?
At least getting the root shell should be feasible. Hopefully will find some time during the next months.
Sigma P. wrote:
> 7. He opened the key, found a USB memory, found two partitions on it, found
> that one is writable with a tarball on it
> 8. He removed the tarball and put the key again in the Thermomix, then
> checked this partition again and found that the tarball is restored by the TM5

Hi Sigma,

is this correct? What I understood from the video is that the two partitions from the WIFI Key are not encrypted and if you delete one SQLite database on partition 2, the TM5 will restore it from the cs.tar from partition 1.

Anyone that has an updated TM5 can confirm the Busybox version shown on the "About" screen of the TM5?

I think I have seen somewhere in the TM5 scripts/source code that there is a "switch" that will allow the TM5 to downgrade its firmware, maybe we can use it somehow.

Do you think that the guy in the video is Ikaro? He is an Information Security Audit & Advisory Senior Manager (https://www.linkedin.com/in/jmbesnard), and he wrote here this:

> --Ikaro Psi
> P.S. The security on this machine is very very impressive, I have pretty
> much never seen anything done this right and I do security for a living,
> those engineers were thinking of every little detail. Sadly even they
> are only humans :)

I think the best way to explore the TM5 is to successfully run the TM5 System/GUI on QEMU or RPi. Ikaro has somehow emulated the touchscreen but never gave information on how to do that. I think this is one of the last pieces that we need to successfully emulate the TM5.

Happy hacking everyone! :)
Bimby T. wrote:
> I think I have seen somewhere in the TM5 scripts/source code that there
> is a "switch" that will allow the TM5 to downgrade its firmware, maybe
> we can use it somehow.

From /opt/common.sh:

is_downgrade_enabled() {
    spare2=$(cat /sys/devices/platform/mxs-persistent.0/SPARE_2)
    if [ $(($spare2 & $TM41_BM_DOWNGRADE_ENABLED)) -ne 0 ] ; then
        g_status=1
    else
        g_status=0
    fi
}

enable_downgrade() {
    spare2=$(cat /sys/devices/platform/mxs-persistent.0/SPARE_2)
    spare2=$(($spare2 | $TM41_BM_DOWNGRADE_ENABLED))
    echo $spare2 > /sys/devices/platform/mxs-persistent.0/SPARE_2
}

disable_downgrade() {
    spare2=$(cat /sys/devices/platform/mxs-persistent.0/SPARE_2)
    spare2=$(($spare2 & ~$TM41_BM_DOWNGRADE_ENABLED))
    echo $spare2 > /sys/devices/platform/mxs-persistent.0/SPARE_2
}

From /opt/update.sh:

# Only allow downgrade if the special bit in RTC memory is set
# Otherwise only allow version >= current ones
is_downgrade_enabled
get_current_version
if [ $g_status -eq 1 ]; then
    new_version_allowed=1
elif [ $sw_date -ge $g_current_version ]; then
    new_version_allowed=1
fi

# If the new version didn't pass a check and it is not a forced update, bail out
if [ $new_version_allowed -eq 0 ] && [ $forced -eq 0 ]; then
    echo "Downgrade is not allowed"
    exit 2
fi

Here are some Novatek touchscreen drivers (the TM5 uses the NT11004):

https://github.com/wondermedia/wm8850/blob/master/ANDROID_3.0.8/drivers/input/touchscreen/novatek/novatek.c
https://github.com/crewrktablets/rk30_kernel/blob/master/drivers/input/touchscreen/Novatek_nt11003.c
https://git.congatec.com/android/qmx6_kernel/commit/01539e3aa09e7203a451d567de7cedc4794453ff#b9dd3bb551ac2d88c29329285264a4cdccc79989
https://github.com/endlessm/linux-meson/blob/master/drivers/amlogic/input/touchscreen/novatek.c

Maybe someone knows how to emulate the I2C on QEMU using the serial converter from QEMU: https://unix.stackexchange.com/questions/119335/how-can-i-simulate-usb-storage-device-connection-with-qemu
Bimby T. wrote:
> Hi Sigma, is this correct? What I understood from the video is that the
> two partitions from the WIFI Key are not encrypted and if you delete one
> SQLite database on partition 2, the TM5 will restore it from the cs.tar
> from partition 1.

You're right. There are two partitions that are not encrypted. One contains some database files. The second contains a tarball that may be a backup of the first one. If you delete some file on the first partition, it is restored. It seems that restoration is done from the tarball. So, the TM5 opens the tarball. So, with a magic tarball you can get the root shell.

Great job by the way.
I might have found something that could help sorting out the SQL tables: https://pastebin.com/kpfviZZq

AllRecipes or getGuidedMap seems to be a good starting point to understand the structure.
Hi, has anyone already asked Vorwerk (opensource@vorwerk.de) for the open source code of the new Thermomix TM6? Would be nice to know if it is possible to convert a TM5 to a TM6... It seems that the models are almost identical... :)
Good evening,

in this super long thread I have slightly lost track. Can someone briefly summarize what the current state is? What is currently possible?

Regards
kolch
David F. wrote:
> Good evening,
>
> in this super long thread I have slightly lost track.
> Can someone briefly summarize what the current state is?
> What is currently possible?
>
> Regards
> kolch

At the moment almost everything is possible, not only when cooking.
One forum user managed to outsmart the Thermomix, but no guide is freely available. So you have to search the source code yourself for the bug that makes this possible. However, there are a few tips about it in the thread.
Ralf X. wrote:
> David F. wrote:
>> Good evening,
>>
>> in this super long thread I have slightly lost track.
>> Can someone briefly summarize what the current state is?
>> What is currently possible?
>>
>> Regards
>> kolch
>
> At the moment almost everything is possible, not only when cooking.

Wow, thanks a lot for your contribution! You are a real asset to this forum 👍
@Sebastian
Thanks for your comment. I thought the same thing.

@Julian
It's a pity that there is no real HowTo. The information is very scattered across the thread.
David F. wrote:
> @Sebastian
> Thanks for your comment. I thought the same thing.
>
> @Julian
> It's a pity that there is no real HowTo. The information is very
> scattered across the thread.

@all: unfortunately there are also exactly those forum users who are only waiting to post pointless comments.

I suggest putting the hacks offered here on GitHub and thereby making the topic easier to handle.

Switching to English, as already suggested, would also make the topic more international and enlarge the circle of people who can really contribute something.

Regards
This security talk wraps it up: https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4

1 - how to get a root shell
2 - how to recover the encryption key and decrypt the stick
3 - how to bypass the digital signature
Michael W. wrote:
> David F. wrote:
>> @Sebastian
>> Thanks for your comment. I thought the same thing.
>>
>> @Julian
>> It's a pity that there is no real HowTo. The information is very
>> scattered across the thread.
>
> @all: unfortunately there are also exactly those forum users who are
> only waiting to post pointless comments.
>
> I suggest putting the hacks offered here on GitHub and thereby making
> the topic easier to handle.
>
> Switching to English, as already suggested, would also make the topic
> more international and enlarge the circle of people who can really
> contribute something.
>
> Regards

@To all that do not want to read the complete thread:

- You can find all the steps to change the Cook Key files here (I think this procedure was already patched on new firmware releases): https://pastebin.com/uSRCEpts
- You can watch a video on how to gain root access on an older firmware of the Thermomix: https://www.youtube.com/watch?v=iCOBc6JLSGc

If someone successfully managed to run the Thermomix GUI with QEMU, just let us know (Ikaro has managed to run it with an emulated touchscreen driver; sadly he never shared this emulated driver): Post "Re: Thermomix Rezeptchips"
The YouTube video seems to be private. If it is yours could you switch it to public? Thanks
Schang S. wrote:
> The YouTube video seems to be private. If it is yours could you switch
> it to public? Thanks

Hi Schang,

I have changed the permissions. The YouTube video is the same that you have already posted, just on YouTube so you can turn subtitles on and choose an auto generated translation...
Bimby T. wrote:
> - You can find all the steps to change the Cook Key files here (I think
> this procedure was already patched on new firmware releases):
> https://pastebin.com/uSRCEpts

Sorry to hear that it is already fixed with the new firmware. Are you 100% sure?
David F. wrote:
> Bimby T. wrote:
>> - You can find all the steps to change the Cook Key files here (I think
>> this procedure was already patched on new firmware releases):
>> https://pastebin.com/uSRCEpts
>
> Sorry to hear that it is already fixed with the new firmware. Are you 100%
> sure?

If you watch the YouTube video I've posted, you can see the steps to gain access to the Thermomix and change a recipe on the cook key. The security engineer said that he has got the OK from Vorwerk to show this vulnerability because it was already patched in the new firmware version...
Does anybody know which is the last firmware with the vulnerability? 2.8? Mine is still running on 2.4.
I can't remember the exact version numbers but basically it was patched around March 2019, so if you can see a timestamp next to the version then you can determine whether your device is still vulnerable. If your TM5 has never been patched through the Wifi cookkey installation then your device is definitely vulnerable. Finally, check the about menu to find what version of busybox is advertised. If it is 1.23xx then it is vulnerable.
It was fixed in 2.6 or 2.7. Did anybody request the firmware from opensource@vorwerk.de for the versions > 2.4? If somebody has it, we can put it to Github/Gitlab for reference. Just DM me for details. 2.3 is already available.
Does anyone here know what the URL to check for a firmware update is and if it is possible to download the update without the Thermomix? I think I have read here that the update is encrypted, is it possible to decrypt and access the update files?
Bimby T. wrote:
> - You can find all the steps to change the Cook Key files here (I think
> this procedure was already patched on new firmware releases):
> https://pastebin.com/uSRCEpts

I confused Cook Key with Recipe Chips and tried the steps above for a Recipe Chip USB - but the image doesn't compress much. Is there a method to modify the recipes on the Recipe Chips, or just the Cook Key (wifi dongle)?

(Have a Thermomix that I didn't think we've allowed the update - its software is 202007050000 2.10 - which looks new (assuming that's a date) - but Busybox says 1.23.2)
Ben H. wrote:
> Bimby T. wrote:
>> - You can find all the steps to change the Cook Key files here (I think
>> this procedure was already patched on new firmware releases):
>> https://pastebin.com/uSRCEpts
>
> I confused Cook Key with Recipe Chips and tried the steps above for a
> Recipe Chip USB - but the image doesn't compress much. Is there a method
> to modify the recipes on the Recipe Chips, or just the Cook Key (wifi
> dongle)?
>
> (Have a Thermomix that I didn't think we've allowed the update - its
> software is
> 202007050000 2.10 - which looks new (assuming that's a date) - but
> Busybox says 1.23.2)

When I say Cook Key I mean the Recipe Chips (I think the Wifi dongle doesn't work)... This method should allow you to edit the recipes on the chip (you need to check the data structure of the recipes)... I also recommend using a USB pendrive that has a tool to change the serial number...
Although the attack features the Cook-key (as a way to get a remote shell and to then recover the encryption key and eventually to understand the digital signature bypass through command injection with the USB serial number), the final target is the recipe chip (e.g., the small green device you get when you purchase a TM5).

Changing recipes is just a matter of understanding the database structure (which can be quite a mess). For example, if you wish to change the weight of a particular ingredient for a recipe, you'll have to update that information in 2 different tables. As for actually creating a recipe from scratch, it is slightly more difficult.

Changing the serial number requires that you get a flash drive that will allow a serial number update. From what I have experienced, you often need to write the content (the modified disk image of the recipe stick) and to update the serial number at the same time. This operation takes a lot of time and will sometimes eventually brick the flash drive.

Because of that, it is more convenient to simulate a flash drive with an OTG-enabled Raspberry Pi (the Raspberry Pi Zero does that, other Raspberry versions don't). With that setup you can not only change the serial number at ease but you can also update data on the fly (which is way more convenient when you need to make frequent changes in an attempt to modify/create a recipe).

It is also more convenient to do that with the cook-key (as shown in the video) by putting a USB (male/female) extension inside and then plugging in the RPi Zero (more convenient from a connection standpoint). This looks like this:

[TM5]--[Cook-key]--<USB-extension>[RPI-zero]

Finally, I believe that you also need to power the RPi Zero with USB (so both the USB OTG and the normal USB port will be used) as the TM5 does not provide enough power to boot the RPi.
Schang S. wrote:
> Because of that, it is more convenient to simulate a flash drive with an
> OTG-enabled Raspberry Pi (the Raspberry Pi Zero does that, other Raspberry
> versions don't). With that setup you can not only change the serial
> number at ease but you can also update data on the fly (which is way
> more convenient when you need to make frequent changes in an attempt to
> modify/create a recipe).

Hi Schang,

it would be nice if you could post a little "how to" on using the RPi Zero as a USB stick for the TM5... :)
Hi all,

I've been reading the whole thread, and frankly, that's awesome, good job guys for all your discoveries. I'll add my share here.

I've been investigating the update versions 2.8 and 2.10, and both of them are patched, the exploits in the video of the SSTIC 2019 are no longer possible. Even if the busybox version is vulnerable, they have set up a test in the update process to refuse the update package if it contains symbolic links, hard links, "../" or "/". This is verified in the binary file "/usr/sbin/netlink".

About step 7 of the procedure https://pastebin.com/uSRCEpts : "Write image.img back to the Cook Key or USB Pendrive that can be read by the machine" : as stated in the video, you also have to change the serial number of the USB drive, this is possible on lots of USB devices thanks to flashboot.ru files. BUT, something not really underlined, you ALSO have to make the partition of your USB drive be seen like a CDROM filesystem (in the video, at position 5:23 you'll see he is using the gadget mass_storage with option cdrom=y).

Even with flashboot.ru files, I tried on 3 different USB keys I own, and I could not write the raw encrypted image to the USB drives (image not written or the size of the partition is different from the image). I really think we'd need to find the right USB drive model to do so! Technical info of one of my USB Cookeys shows:

Controller: Silicon Motion SM3257 ENLTAA
Possible Memory Chip(s): Samsung K9ABGD8U0D

Maybe we can find somewhere to buy it?

I wonder how Matt C. did the hack in his post "04.11.2018 10:28", maybe already with a Raspberry?

I don't think the file structure or the sqlite tables would be a problem to create your own cookey, it's logical. The main problem is the signature checking that is not possible to bypass anymore in newer versions (at least starting from 2.8, they have added a check to see if the serial number only contains numbers)...

The gadget mass_storage might be used to get a root shell differently on the device, but that would need more investigation and may end in nothing! :)

About the updates, Vorwerk has really done a big job to protect this input, congrats!

If you're interested, here are the links of:

- version 2.8 root squashfs filesystem : https://mega.nz/file/0vIU3JoC#MljPXOhZHL82u9_xpFXXC2TKPo3KzxQEElKte0wsar4
- version 2.10 root squashfs filesystem : https://mega.nz/file/hrAQhTpB#ezcbOKG9ALETVWTPADY-K5YuFfM3WBotgrXEs5bR9sw
- kobs-ng update file containing the kernel of version 2.10: https://mega.nz/file/0jYkwT5S#z6R6x69xPtsUZjzML7UXybTWYxa6-_-g40cqSU-LPQ0

I'd really love to have my TM5 freed, so that I can share my recipes with anyone and without the cookidoo platform!

Cheers!
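An added example (not code from the post, and not Vorwerk's /usr/sbin/netlink) showing in Python the kind of member policy described above for the patched update path: a tarball is refused if any member is a symlink, a hard link, an absolute path or contains a "../" component, and the USB serial must be digits only. The two tarballs it scans are constructed in memory; the digits-only serial rule is the one the post reports for newer firmware.

```python
"""Archive and serial validation of the kind the post describes for the
patched TM5 firmware (>= 2.8).  Constructed illustration, not Vorwerk's
/usr/sbin/netlink code: reject tar members that are symlinks, hard links,
absolute paths or contain a '..' component, and accept only digit serials."""
import io
import re
import tarfile

# Constructed policy: digits only, as the post reports for newer firmware.
SERIAL_RE = re.compile(r"[0-9]+")


def member_problems(member):
    """Return the policy violations for one tar member (empty list if safe)."""
    problems = []
    if member.issym():
        problems.append("symlink")
    if member.islnk():
        problems.append("hardlink")
    if member.name.startswith("/"):
        problems.append("absolute path")
    # A '..' path component lets extraction escape the target directory, which
    # is what the busybox tar 1.23 traversal discussed in the thread relies on.
    if ".." in member.name.split("/"):
        problems.append("parent traversal")
    return problems


def check_archive(data):
    """Scan a tar archive given as bytes; return [(member_name, reason), ...]."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            for reason in member_problems(member):
                findings.append((member.name, reason))
    return findings


def archive_is_safe(data):
    """True only if no member violates the policy; extract only in that case."""
    return not check_archive(data)


def serial_is_valid(serial):
    """Digits-only serial check; shell metacharacters or an empty string fail."""
    return SERIAL_RE.fullmatch(serial) is not None


def _tar_bytes(members):
    """Build an in-memory tar from (TarInfo, payload-or-None) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for info, payload in members:
            if payload is None:
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def benign_archive():
    """Constructed sample: one ordinary file inside a relative directory."""
    return _tar_bytes([(tarfile.TarInfo("data/recipes.db"), b"placeholder")])


def malicious_archive():
    """Constructed sample containing one member of each rejected class."""
    traversal = tarfile.TarInfo("../../tmp/escape.txt")
    symlink = tarfile.TarInfo("data/link")
    symlink.type = tarfile.SYMTYPE
    symlink.linkname = "/etc"
    absolute = tarfile.TarInfo("/tmp/escape")
    hardlink = tarfile.TarInfo("data/hardlink")
    hardlink.type = tarfile.LNKTYPE
    hardlink.linkname = "data/recipes.db"
    return _tar_bytes([(traversal, b"x"), (symlink, None),
                       (absolute, b"x"), (hardlink, None)])


if __name__ == "__main__":
    print("benign archive findings:", check_archive(benign_archive()))
    for name, reason in check_archive(malicious_archive()):
        print(f"rejected {name!r}: {reason}")
    print("serial 123456 valid:", serial_is_valid("123456"))
    print("serial '1;sh' valid:", serial_is_valid("1;sh"))
```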
...in fact it would be fantastic having an image for a RPi Zero which emulates a CookKey WiFi dongle (or at least a CookKey) towards the TM5, and offers WiFi capabilities to the other side.... enabling the use and storage of own recipes....
I think the communications between the TM5 and the cookidoo servers are encrypted by TLS (of course) and moreover may use TM5 internal certificates to connect to this platform. Therefore, you'd need to extract these certificates from your TM5 to be able to create a MITM proxy and decrypt the data: so you need root on the device or be able to read the NAND chipset of your TM5... With reverse engineering you might be able to understand the communication protocol and emulate the cookidoo servers: well, that's an idea if the TM5 doesn't wait for authentic certificates from cookidoo... There should still be possibilities with this wifi, we just have to be creative and imagine scenarios :)
Truggy M. wrote:
> I wonder how Matt C. did the hack in his post "04.11.2018 10:28", maybe
> already with a Raspberry?

I used a normal USB stick - I just went through my collection of USB sticks and tried to find the MPTool software for each one, until one finally worked. The USB stick I ended up using was a cheap one that I got free from a conference, using the Ameco MW6208 chipset, but any should be fine if you can find the right software to set the serial number and CD-ROM mode. It is quite a painful process so using an RPi is a good idea.

Cheers,
Matt
Thanks Matt for that clarification, I wasn't that lucky with my 3 USB drives!

As the busybox version is still vulnerable, it might be possible to create a Raspberry with the mass storage gadget acting like the 2 internal partitions of the cookkey wifi. As shown in the SSTIC video, at 1:11, if the "ext.sdb" file is not present in the second partition, the Thermomix will recreate the second partition (mkfs.ext4) and restore the contents of the file "cs.tar" from partition 1 to partition 2. The new protection in > 2.7 versions is checking for a malformed "cs.tar" before allowing the restoring of the file to the partition.

With that mass storage gadget, I think it would be possible to intercept (on the Raspberry) the first opening of "cs.tar" and show a valid file, and then for the next open of "cs.tar" give a crafted tar file, and boom :) I haven't worked yet on the Linux possibilities to hook those system calls, but there's a good chance it's possible to do it in combination with the mass storage gadget.

Once root on the device, you could simply mount a modified filesystem and disable the signature checking of the recipes, that is easy.
Matt C. wrote:
> Truggy M. wrote:
>> I wonder how Matt C. did the hack in his post "04.11.2018 10:28", maybe
>> already with a Raspberry?
>
> I used a normal USB stick - I just went through my collection of USB
> sticks and tried to find the MPTool software for each one, until one
> finally worked. The USB stick I ended up using was a cheap one that I
> got free from a conference, using the Ameco MW6208 chipset, but any should
> be fine if you can find the right software to set the serial number and
> CD-ROM mode. It is quite a painful process so using an RPi is a good idea.
>
> Cheers,
> Matt

I know that the Windows 10 installation USB sticks can be written with an ISO as CD-ROM using MPALL_F1_7F00_DL07_v503_0A: https://www.elektroda.com/rtvforum/topic3313834.html

The one I have tested has this FCC-ID and should be a DataTraveler 3.0 from Kingston (Model: DTM30): https://fccid.io/MSIP-REM-K98-1734

Here a picture of the internals: https://mdex-nn.ru/uploads/win10_flash02.jpg

Maybe they can still be found on ebay or amazon...
Truggy M. schrieb: > > > There should still have possibilities with this wifi, we just have to be > creative and imagine scenarios :) ...I meant an image which behaves like a Cookey towards the TM5, and offers a simple web page to the user for adding recipes.... maybe also with an option to import dumps from other Cookeys.... Would be cool.... and I guess in the range of available options (unfortunately a bit outside my area of expertise at this point in time)
...in addition: It seems the manufacturer wants to make you move to a new firmware as quickly as possible. Over the weekend I spent some minutes with our TM5 and a WiFi CooKey I grabbed on ebay... Because the TM5 was on its original firmware from 2016, it was not able to use the Wifi Key and an update with the firmware stored on the Wifi Key was necessary. Done that, I was able to connect to the local Wifi and registered with the Vorwerk server, which delivered the next message, that a newer firmware would be available. I refused to do that and found out that with the current firmware the server does not perform any sync between your Cookidoo web account and the TM5. ... It says no sync possible until newer firmware installed.... Hmmmm....
Ralf G. schrieb: > Done that I was able to connect to the local Wifi and registered the > Vorwerk Server, delivering the next message, that a newer Firmware would > be available. > I refused to do that and found out, that with the current firmware the > server does not perform any sync betweeen your Cookidoo web account and > the TM5. ... > It says no sync possible until newer firmware installed.... > > Hmmmm.... I think that the old firmware has an expired certificate and this is why it needs a new firmware to connect to the vorwerk servers...
Well, I'm afraid it's intentional.... on the TM5 I can browse recipes online from the VW server, but when adding recipes with my computer to my personal lists on Cookidoo and trying to synchronize with the TM5, it mandates a software update... For obvious reasons I don't want that at this point in time... Need to read how to set up a RPi zero in OTG mode and behaving as a USB stick with "our" serial...
Ralf G. schrieb: > Need to read, how to set up a RPi zero in OTG mode and behaving as an > USB Stick with "our" serial... Just check the youtube video @5:22: https://youtu.be/iCOBc6JLSGc?t=322 Here you can see how to configure the RPi Zero W as an Mass Storage device: https://magpi.raspberrypi.org/articles/pi-zero-w-smart-usb-flash-drive
About the mandatory update, it's written in their update change log: https://support.vorwerk.com/hc/en-us/articles/360008472119-Which-new-functions-do-I-get-for-my-Thermomix-TM5-with-the-latest-update- They may also have strengthened the server communication or added new features that previous firmwares didn't support. About the RPi, search for the linux mass storage gadget, instructions are quite clear and the video pointed to by Bimby gives you the command line. Has anyone already worked with system hooks?
Truggy M. schrieb: > About the updates, Vorweck has really done a big job to protect this > input, congrats ! > If you're interested, here are the links of : > - version 2.8 root squashfs filesystem : > https://mega.nz/file/0vIU3JoC#MljPXOhZHL82u9_xpFXXC2TKPo3KzxQEElKte0wsar4 > - version 2.10 root squashfs filesystem : > https://mega.nz/file/hrAQhTpB#ezcbOKG9ALETVWTPADY-K5YuFfM3WBotgrXEs5bR9sw > - kobs-ng update file containing the kernel of version 2.10: > https://mega.nz/file/0jYkwT5S#z6R6x69xPtsUZjzML7UXybTWYxa6-_-g40cqSU-LPQ0 Hi Truggy, how did you get access to the new firmware 2.10? Are you able to download the updates directly from vorwerk servers? If so, can you tell how? :)
Well, I didn't spend time on looking for the url on vorwerk's servers: I just connected the wifi cookkey, the thermomix downloaded the update, and I took the file "tm5.img" from the second partition of the drive in the cookkey. The extraction of the internal data was a little harder because their tool (/usr/sbin/checkimg) needed some little "adjustments" to be able to extract the data without complaining...
Truggy M. schrieb: > Well, I didn't spent time on looking after the url in vorwerk's servers > : I just connected the wifi cookkey, the thermomix downloaded the > update, and I took the file "tm5.img" from the second partition of the > drive in the cookkey. > > The extraction of the internal data was a little harder because their > tool (/usr/sbin/checkimg) needed some little "adjustments" to be able to > extract the data without complaining... It would be nice to find out how to get the URL to check if we could inject a custom firmware. I suppose that the firmware has a checksum, so I was thinking to change part of the firmware by swapping bytes with an image. For example: if we have a binary file we would like to patch, we seek the needed bytes for the patch in an image and swap them. In theory, the image would have bad pixels, but the checksum should be the same, because we only swapped the bytes in the firmware. It would be hard work, but, first thing: is something like this even possible? :)
That could be a good idea, but seeing the level of security they have put in the product, it's really more than a checksum, I guess they have encrypted / verified the update package with RSA certificates : without the private key, you won't be able to generate a valid update package... If you're interested, here are the complete update files, you'll see the format is not understandable and very probably encrypted : - full update version 2.8 : https://mega.nz/file/s2QWgR4A#F6ju-XtenmQ1Unn-l2htUp6eG0CbZnRzsLXqlnjEN0I - full update version 2.10 : https://mega.nz/file/wrYiULAC#9z-R0G23mqF2WAXdR4o4fjdTSy_W5SGfEsptb2IJRgo
....today I purchased a used chip for our TM5, but for an unknown reason, the TM5 complains that it cannot read the chip and I should clean the contacts. Well I did (several times) ... I also opened the chip and bent the contacts to the memory stick inside. No luck. Then I soldered some cables directly between memory stick and the contacts... same result.... So I assume the memory stick is simply defective... In case you don't have a smart idea what to do with it, I guess I will transform it to a USB OTG interface
Ralf G. schrieb: > ....today I purchased an used Chip for our TM5, but for an unknown > reason, the TM5 complaints that he cannot read the chip and I should > clean the contacts. > > Well I did (several times) ... I also opened the chip and bent the > contacts to the memory stick inside. No luck. > > Then I soldered some cables directly between memory stick and the > contacts... same result.... > > So I assume the memory stick is simply defect... In case you don't have > a smart idea what to do with it, I guess I will transform it to an USB > OTG Interface Had the same issues with the cookkey. I soldered it now directly to the TM5 and still get errors when the sync takes too much time/data. But it seems to be much more stable. I'm thinking of directly integrating it into the TM5 and not using the external USB port at all... Were you able to read the USB flash drive directly on a PC/Mac?
Xeno 2. schrieb: > Were you able to read the USB flash drive directly on a PC/Mac? Not yet tried... will try today. I slowly start to understand the business case of VW ... They stopped production of the keys and want all to use the CookiDoo Portal, as this gives constant revenues.... which the CookKeys do not. And to apply some pressure, you can't use the portal unless you have a new firmware on your TM5. However, the web is full of reports of CookKeys not working.... how can that be? I never came across a standard USB stick failing in years.... Is this intentional or only lousy design/quality? Edit: in Windows it comes up as CD device with partition and drive letter, however no contents can be shown. Linux says:
[  633.779020] usb 1-1.2: new high-speed USB device number 5 using dwc_otg
[  634.631705] usb 1-1.2: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[  634.631737] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  634.631752] usb 1-1.2: Product: USB Flash Disk
[  634.631762] usb 1-1.2: Manufacturer: General
[  634.631775] usb 1-1.2: SerialNumber: 5080000495520002
[  634.650843] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[  634.652421] usb-storage 1-1.2:1.0: Quirks match for vid 090c pid 1000: 400
[  634.652711] scsi host0: usb-storage 1-1.2:1.0
[  634.662315] usb 1-1.2: USB disconnect, device number 5
[  634.899285] usbcore: registered new interface driver uas
[  635.689058] usb 1-1.2: new high-speed USB device number 6 using dwc_otg
[  635.821919] usb 1-1.2: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[  635.821950] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  635.821965] usb 1-1.2: Product: USB Flash Disk
[  635.821976] usb 1-1.2: Manufacturer: General
[  635.821990] usb 1-1.2: SerialNumber: 5080000495520002
[  635.840126] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[  635.845590] usb-storage 1-1.2:1.0: Quirks match for vid 090c pid 1000: 400
[  635.846693] scsi host0: usb-storage 1-1.2:1.0
[  637.210207] scsi 0:0:0:0: CD-ROM            General  USB Flash Disk   1100 PQ: 0 ANSI: 2
[  637.283414] scsi 0:0:0:0: Attached scsi generic sg0 type 5
[  637.351012] sr 0:0:0:0: [sr0] scsi3-mmc drive: 0x/0x caddy
[  637.351041] cdrom: Uniform CD-ROM driver Revision: 3.20
[  637.355808] sr 0:0:0:0: Attached scsi CD-ROM sr0
Ralf G. schrieb: > Xeno 2. schrieb: >> Were you able to read the USB flash drive directly on a PC/Mac? > > Not yet tried... will try today. > > I slowly start to understand the business case of VW ... They stopped > production of the keys and want all to use the CookiDoo Portal, as this > gives constant revenues.... which the CokKeys do not. And to apply some > pressure, you can't use the portal unless you have a new firmware on > your TM5 > > However, the web is full of reports of CookKeys not working.... how can > that be? I never came across of a standard USB Stick failing in > years.... > Is this intentionally or only lousy design/quality? > > Edit: in Windows it comes up as CD Device with Partition and > Drive-Letter, however no contents can be shown. I've seen many flash drives die - especially those that are given out as adverts - also SanDisk Extreme SD cards die often. I think the TM5 has a lot of design flaws. To force a new firmware makes sense to protect their IP... I'm not very happy with the TM5 and this USB port... that's why I want to get rid of it. Regarding your "Recipe chip" (it's not the CookKey with WiFi, right?): At least Windows is able to read the partition table. So it could be usable?! Are the contacts on your TM5 ok? Try some IPA to clean it - but just a wild guess. Maybe someone else has any clue about your problem.
@Ralf : correct me if I'm wrong, as long as I remember, the thermomix also detects the presence of a Cookey using the magnets inside the Cookey. @Xeno 2 : I see that you haven't put magnets on your thermomix, is your cookey wifi working ?
Sorry for being not clear enough :-) I had to take out the magnets for soldering. Too annoying that they flip to the tip of the soldering iron all the time. Were put back in for testing of course. Both the original "Kochbuch" and the WiFi Key work without problems. Seems only related to the Cookey I purchased second hand. I'm now reading the whole thread a second (or third?) time (now at early 2015)... In between I got the SMI tool Carlos mentioned and I should be able to clone a chip when having the proper USB sticks.... I took a dd image from my defective chip, but I'm afraid this data is corrupt. Otherwise the TM5 should read it...
Truggy M. schrieb: > @Ralf : correct me if I'm wrong, as long as I remember, the thermomix > also detects the presence of a Cookey using the magnets inside the > Cookey. > @Xeno 2 : I see that you haven't put magnets on your thermomix, is your > cookey wifi working ? @Truggy M.: Yes, CookKey(including WiFi) works for me without any magnets - didn't even know that there could be some reed or hall-effect sensor. But I think the shielding of the USB data lines is an issue for me since long syncs (a lot of cook books) are aborted with different error codes.
@Ralf : you can try to mount your dd image using the following linux commands :

# write the 128-bit key from the thread as raw bytes
echo -n 2faf32c6f26b5cc021c18988019af3a5 | xxd -r -p > tm.key
# plain-mode dm-crypt: no header, IV = 32-bit little-endian sector number
# ("cryptsetup create" is the old spelling of "cryptsetup open --type plain")
cryptsetup create recipes YourDDImage.img -c aes-cbc-plain -s 128 --key-file tm.key
mkdir recipesmount
mount /dev/mapper/recipes recipesmount

If the mount command works, your image is correct, else all is lost :(
@Xeno 2 : thanks for the confirmation, I'll try without the magnets on my TM5 !
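The cryptsetup mapping in the post above is the whole trick, so here is an added example that shows what "-c aes-cbc-plain -s 128" means at the byte level: a pure-Python AES-128 decryptor with the dm-crypt "plain" IV convention, plus a check for the squashfs magic that a correctly decrypted chip starts with (Truggy M. reports further down that the decrypted cookey is a squashfs). This is my own code, not the thread's, Vorwerk's or cryptsetup's; the function names and the command-line usage are mine, the key is whatever you pass in, and the test data below is constructed (the FIPS-197 known-answer vector), not a real chip dump.

```python
"""Decrypt a dm-crypt aes-cbc-plain dump sector by sector in pure Python (added example)."""
import struct
import sys

SECTOR = 512  # dm-crypt runs an independent CBC chain per 512-byte sector

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _mul(a, b):
    """GF(2^8) multiplication, used by InvMixColumns."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    """AES S-box: multiplicative inverse then affine map, keeping p*q == 1 as invariant."""
    s = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # rotations, folded below
        s[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    s[0] = 0x63
    return s

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _round_keys(key):
    """AES-128 key schedule: eleven 16-byte round keys, column-major like the state."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

_INV_MIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))

def _decrypt_block(rk, block):
    """FIPS-197 inverse cipher; the state is a flat list indexed row + 4*column."""
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, -1, -1):
        s = [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] for b in s]                                          # InvSubBytes
        s = [b ^ k for b, k in zip(s, rk[rnd])]                               # AddRoundKey
        if rnd:                                                                # InvMixColumns
            s = [_mul(a[0], m[0]) ^ _mul(a[1], m[1]) ^ _mul(a[2], m[2]) ^ _mul(a[3], m[3])
                 for a in (s[4 * c:4 * c + 4] for c in range(4)) for m in _INV_MIX]
    return bytes(s)

def aes128_decrypt_block(key, block):
    return _decrypt_block(_round_keys(key), bytes(block))

def plain_iv(sector):
    """dm-crypt 'plain' IV: 32-bit little-endian sector number, zero padded to 16 bytes
    (the 'plain64' variant would use a 64-bit sector number)."""
    return struct.pack("<I", sector & 0xFFFFFFFF) + bytes(12)

def decrypt_image(data, key, max_sectors=None):
    """Whole-sector decryption as 'cryptsetup ... -c aes-cbc-plain -s 128' presents it.
    Pure Python is slow, so use max_sectors to test a key on the first sectors only."""
    rk = _round_keys(key)
    n_sect = len(data) // SECTOR
    if max_sectors is not None:
        n_sect = min(n_sect, max_sectors)
    out = bytearray()
    for n in range(n_sect):
        prev = plain_iv(n)  # CBC chaining restarts with the IV at every sector
        for off in range(n * SECTOR, (n + 1) * SECTOR, 16):
            c = data[off:off + 16]
            out += bytes(x ^ y for x, y in zip(_decrypt_block(rk, c), prev))
            prev = c
    return bytes(out)

def is_squashfs(plaintext):
    """Little-endian squashfs superblock magic (0x73717368 stored as 'hsqs')."""
    return plaintext[:4] == b"hsqs"

if __name__ == "__main__":  # usage (assumed): python3 tmdec.py dump.img <32 hex chars of key>
    with open(sys.argv[1], "rb") as f:
        head = f.read(SECTOR)
    ok = is_squashfs(decrypt_image(head, bytes.fromhex(sys.argv[2]), max_sectors=1))
    print("squashfs magic found" if ok else "no squashfs magic: wrong key, offset or bad dump")
```

Decrypting only the first sector is enough to tell a wrong key or a shifted dump from a good one, which is the same thing the cryptsetup-plus-mount check in the post does, just without needing root or the dm-crypt kernel module; for the full image, cryptsetup is orders of magnitude faster than this code.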
Great stuff Truggy... This is what I get from the mounted image (mounted at /mnt/cdrom):
root@raspberrypi:/mnt/cdrom# ls -la
total 5765
drwx------ 3 root root      77 Jun  5  2014 .
drwxr-xr-x 3 root root    4096 Dec  1 12:28 ..
-rwxr-xr-x 1 root root 5898240 Jun  2  2014 ext.sdb
-rw-rw-r-- 1 root root     256 Jun  5  2014 ext.sdb.sig
drwxr-xr-x 3 root root      28 Jun  2  2014 material
Great ! now you can try with SMITool to reproduce your faulty drive (good luck !), don't forget to set the same serial as your original Cookey !
Yes, thanks for confirming!!! However I will try skipping the step using another USB Stick, but using a RPi zero in USB OTG Mode instead. Maybe I can also install a small Selector switch on some of the RPi ios and switch between multiple images.
Hello, I have added basic database support for Kyroth's editor (from 2016). At the moment it can only read in the recipes from the cook stick (enc_dump from your recipe chip is needed). TM steps and changing/adding recipes will follow over time. Unfortunately I cannot test whether changed/new data is compatible, because the raspi stick does not work for me. But I will continue on this editor until somebody with better programming skills and/or more time (HTML/JS/SQL knowledge needed) wants to adopt it. It was tested on Mozilla and Chrome. Source code is a mess right now, because I simply programmed over SOME parts of Kyroth's code to get the database included. The picture is from a test so don't get irritated - recipe reading works well. Peter
...just a short one: do the "old" Cookeys still work with the latest TM5 firmware? I can't imagine why they should not.... Reason for asking: for now I refused to install the latest firmware update, which is advertised every time when starting the TM5 with the Wifi Key plugged in. The disadvantage is that you don't get your TM5 to sync with the VW server with an outdated firmware. But if I understood correctly, there's no way to block a cloned recipe chip, because the TM5 can't tell if it's original or a clone, right? Don't want to close a door I probably would like to go through soon. In particular: does the serial number glitch with the RPi Zero still work with the latest firmware?
@Peda : wouhaou, what a work ! how long have you been working on it, that's a real good start ! @Ralf : yes, of course "old" Cookeys still work with the latest TM5 firmware. And no, I think there is no way to distinguish an original from a cloned stick, it should only be based on encryption key (tm.key) and serial number. As I said, the serial number glitch won't work directly on newer firmware : they have implemented a pre-check to see if all bytes of the serial number are numerical. Note : you can get rid of the update advertising by removing the file tm5.img in the second partition of the cookey; maybe the tm5 will re-download it as soon as it is connected to internet, to be checked !
Truggy M. schrieb: > As I said, the serial number glitch won't work directly on newer > firmware : they have implemented a pre-check to see if all bytes of the > serial number are numerical. Understood! But setting it to the serial stored on the original stick might work? > Note : you can get rid of the update advertising by removing the file > tm5.img in the second partition of the cookey; maybe the tm5 will > re-download it as soon as it is connected to internet, to be checked ! Unfortunately I'm one step ahead: I installed the firmware stored on the WiFi stick, because without it our TM5 refused to work with WiFi at all. Now, with this version installed and when connected to WiFi & Internet, each time when starting up, the TM5 does a firmware version check. And as said: it refuses to sync with the VW Cookidoo server until a more recent firmware is installed. In this state the WiFi stick is more or less useless. Will try to complete the adaptor today, connecting the RPi to the TM5. By the way: I guess I do know now why the original stick was refused by the TM5: from the mounted image I tried to copy all files for playing with the database. It seems that about 50 images are broken. cp reports an io error and those have a length of zero. Does someone have an intact image for me please? As I own the original key, I hope this should not violate any copyright.
Ralf G. schrieb: > Understood! But setting it to the serial stored on the original stick > might work? I think Yes. Actually, I have recreated an image of a cookey recipe, encrypted it, and managed to write it on a USB drive with correct serial number : if I dump the image it can be mounted correctly, but it doesn't work on my TM5... I'll have a closer look at what's wrong : the mount of the device "/dev/sr1" fails on my linux, whereas the dump works, strange...
ok, I found my error, the clone is working : I tried to setup an ext4 filesystem but when decrypted the cookey is a squashfs filesystem... I could also add a file in the filesystem of my clone, the cookey is still working ! Note : my TM5 detects the cookey ONLY if the magnets are present
I had success with a Raspberry Pi Zero W and an image I created a while back. Thanks everyone for the instructions. I got a used recipe chip off of e-bay (to reduce friction at home ;)) and replaced the USB stick with a USB extension cable. The next step will be to modify the existing image to add own recipes…
@Ralf : Which cookey was it ? And good job Tobias, looks good ! Luckily, if you have an old firmware, you can use the flaw of the serial number to modify the recipes. Mine has been updated, I need to find another way around ! As someone proposed before, you could imagine a small touchscreen on the rpi to switch from one cookey image to another ;) Note : cookey raw images are about 4GB, but compressed they only use 3MB : you could put all known cookeys on a single RPi (And I think it will work) :)
Truggy M. schrieb: > @Ralf : Which cookey was it ? It was "Wertvoll geniessen" .... do you want to see a pic as a proof of ownership? ;-)
Ralf G. schrieb: > It was "Wertvoll geniessen" .... do you want to see a pic as a proof of > ownership? ;-) Unfortunately I don't have this cookey... I'd guess that all copies of the same cookey have the same serial number, but it's only a guess : I'll check with friends if this is the case ! If the serial doesn't change, you could ask anybody to give you their files, though I don't know how legal this is (if you really care about it !!)
...for testing purposes, I would also be happy with any other working image, except the "Kochbuch" :-) BR Ralf
I’d really stay away from anything other than knowledge sharing here. We don’t want to give Vorwerk any reason to claim it’s about copyright violation and “piracy”. At least from my perspective it’s solely about exploring the tech and being able to create my own guided recipes.
Completely agree Tobias, you're right. My goal is to have free, shared and legit recipes : I wouldn't be investigating this if Vorwerk had an open system !
Nice that there are working chips with RPi to make sure that clones of the books can be saved and used! :-) OT: Is there a stored copy of this whole thread? Only for the case that it'll be shut down, deleted, whatever? If that happens, I think a discord channel would be a perfect way to continue this topic.
Truggy M. schrieb: > @Peda : wouhaou, what a work ! how long have you been working on it, > that's a real good start ! don't ask :( but I made some progress in code cleanup, more supported tables etc. the database is a MESS. most data is duplicated (or more) in the tables, much useless data and, and, and... but I hope to get guideSteps in the sidebar completed soon. what you see in the sidebar picture is a mix of real and test data, but I have my hands on it. if anybody has trouble with this editor just drop me a line - I will fix it. my biggest problem is that I cannot test writing to the database. either the sig is opened soon ;) or I will need a painless betatester for this phase. btw, my email provider (squirrelMail) told me today:
> Dataloss: All changes made to accounts between 25th November at around 7:30 and 2nd December 11:00 UTC were lost due to a disk corruption resulting in a corrupted database. Accounts created during that timeframe will have to be re-created.
so if you already send me a mail - you have to do it again :(
many thanks to the guys here in the forum. i didn't have a chance to make anything on my own here. the work on the encryption, the skeleton of the editor, the tutorial for the pi-stick - which didn't work for me :( etc...
i am proud that I can give something back!
Don't waste your time with the sticks, rather read the whole thread and wait for our discord server.
Peter T. schrieb: > Don't waste your time with the sticks, rather read the whole thread and > wait for our discord server. Why would you want to distract by moving to a discord server? I see no benefit in it.
Tobias C. schrieb: > Peter T. schrieb: >> Don't waste your time with the sticks, rather read the whole thread and >> wait for our discord server. > > Why would you want to distract by moving to a discord server? I see no > benefit in it. I only want to help with my information.
We can do: - decrypt cook-sticks, modify and add recipes with a python library - simulate cook-sticks with rpi zero - download recipes from cookidoo and add them to a cook-stick - make TM accept modified cook-sticks on firmware 2.4 and before - gain root access on firmware 2.4 and before - emulate firmware with qemu, unpack update packages We can not do: - make TM accept modified cook-sticks on firmware >2.4 - gain root access on firmware >2.4 - downgrade TM to 2.4 - emulate TM's touchscreen gui with qemu We will do: - create web gui running on rpi zero, using the library, to add, edit and share recipes comfortably We could do: - test things for you with root access on our second TM - help you working on downgrading to 2.4 If you have questions or want to contribute to the web gui, please write a message. [cook-stick=no wifi]
Today I noticed that the known signature bypass doesn't work on older firmware versions. I can't verify it since I have no dump of these versions. So if your TM doesn't accept your stick even though you did everything right, you may need to update to 20160523 with a cook-key.
Please can someone with firmware version 2.5, 2.6 or 2.7 post busybox+dhcp version(check in TM settings menu) and netlink hash/update image(extract from the cook-key)?
Hi Peter/All, As requested Version 201504080000 BBox 1.15.0 DHCPD 3.0.3b1 I have no WIFI CookKey. This machine has never been updated. I own two recipe chips that the machine refuses to read (non German). One starts reading and then gives a C513 error, the other is not recognized at all. Trying to fix this I disassembled the chips and dumped them on the PC without any read problem (dd if=/dev/sr1 of=file.img). Not sure if I needed to skip any bytes. Then I set up a Raspberry Pi Zero to try to see if I could simulate the chips. On the machine I got an error stating that the product is not genuine. On the PC I can dump the simulated raspberry successfully but truncated to the g_mass_storage max CD size (2.4 GB). I tried: - Setting the original serial number - Setting the serial injection hack - Setting all product/vendor... parameters I have not been able to mount the images on my computer. I think that the key might be different. I'm available to test anything required.
Tinco A. schrieb: > > I have not been able to mount the images in my computer. I think that > the key might be different. Update: I managed to mount one of the images. The key works. I could see the pictures but the database is corrupt.
[13470.092436] SQUASHFS error: Unable to read data cache entry [1e3a3]
[13470.092437] SQUASHFS error: Unable to read page, block 1e3a3, size b1a6
[13470.092543] SQUASHFS error: lzo decompression failed, data probably corrupt
[13470.092545] SQUASHFS error: Failed to read block 0x1e3a3: -5
[13470.092853] SQUASHFS error: lzo decompression failed, data probably corrupt
[13470.092855] SQUASHFS error: Failed to read block 0x14c7e: -5
When using this chip on the machine it displays the splashscreen and then it fails. Probably when trying to open the database. I think that I would need to find a working chip.
Tinco A. schrieb: > Hi Peter/All, > > As requested > > Version 201504080000 > BBox 1.15.0 > DHCPD 3.0.3b1 Thanks for your help, I wrote you a message to fix your problems. @Everyone: If you have tm5.img files or dumps of the wifi-cookey(2019 or older), please send them to me. I already collected the following: 20160523 - md5: 7bf5904c8c7d1cc1d220aacb26afb321 20170629 - md5: 32017f670bcf3d948e0a9fd6da4230a3 20170913 - md5: 1e693b9f6189ddf94697d7976ab33a9c 20190710 - md5: 2fd89e67848dfe05c6dc5201a439aa70
Hi, I wrote a service to create custom recipes database. A format to share recipes and other few extra things. Enjoy and feel free to test and give feedback. Please check at: https://gitlab.com/tincomisc/recipeton
Fipsy O. schrieb: > Nice, that there are working Chips with rPi to make sure that clones of > the books can be saved and used! :-) > > OT: Is there a stored copy of this whole thread? Only for the case that > it'll be shut down deleted whatever? If it'll happen, I think a > discord channel would be a perfect way to continue this topic. https://web.archive.org/web/20210522150711/https://www.mikrocontroller.net/topic/thermomix-rezeptchips?page=single anything before this post should appear at this link soon. (for creating a newer freeze use the "save page now" feature of the wayback machine) Edit: wrong timestamp in the url corrected
Hi everybody, I'm looking to repair a TM5 where it seems the flash has been corrupted or is bad. Has anyone already dumped the raw flash image (128MB) of the TM5 somewhere? Has someone already made a wiki and/or markdown site on github or somewhere with interesting information (serial ports, protocol used, ....)? Thanks in advance! Nicolas
My TM5 currently shows an error code (C150) followed by an automatic shutdown. This is related to a mechanical problem which already has been repaired. Did the research on the debug port yield any results towards resetting stored errors? Any hint/PN would be highly appreciated. Disclaimer: I am not interested in cloning anything but rather to execute my right to repair. Thanks.
Hello guys, It's been a while ! Well, hope there are still people here who want to take control of the device :) I think I've found a way to downgrade the device, it may not work if you have the latest 2.12 version. This will ease the research a lot to free the device for the ones like me who already have a patched firmware after the ethical report of the French researcher (very good writeup / speaker Jean-Michel !). I think we can go back to the vulnerable firmware 20160523. For now, I'm quite fearful to try it on my device (yeah, my wife would kill me!), do you think it's really risky ? Cheers ! PS : I usually don't look at my emails / private messages, please consider posting here first
Truggy M. schrieb: > Hello guys, > > It's been a while ! > Well, hope there's still people here who want to take control of the > device :) > > I think I've found a way to downgrade the device, it may not work if you > have the latest 2.12 version. > > This will ease a lot the research to free the device for the ones like > me who have an already patched firmware after the ethical report of the > french researcher (very good writeup / speaker Jean-Michel !). > > I think we can go back to the vulnerable firmware 20160523. > For now, I'm quite fearful to try it on my device (yeah, my wife would > kill me!), do you think it's really risky ? > > Cheers ! > > PS : I usually don't look at my emails / private message, please > consider posting here first Hey Mate, Great to read that there are still people working with the device, we worked hard to free the device but I don't see many people benefit from it. I am excited to test your downgrade method, I also already found a way to upgrade to a specific version on purpose, which is necessary since the root shell was only introduced with the wifi firmware. Feel free to contact me and also check out the subreddit :p Edit: I originally planned to make some polished showcase video about what you can do with the tm, but there was no time for that. So instead I am sharing some bad recordings I found on my hard drive, maybe it will motivate someone to work with the tm, we are still missing a DOOM build :)
Hans H. schrieb: > > Edit: > I originally planed to make some polished showcase video about what you > can do with the tm, but there was no time for that. So instead I am > sharing some bad recordings I found on my hard drive, maybe it will > motivate someone to work with the tm, we are still missing a DOOM build > :) Wow! That interface looks neat! Would love to have that on my TM5 as well. I have a really old version installed right now, 2014something. But as far as I have seen, I first need a cook-key/cookido for rooting/to gain access. Would you provide your modified firmware?
Jonas W. schrieb: > Hans H. schrieb: > >> >> Edit: >> I originally planed to make some polished showcase video about what you >> can do with the tm, but there was no time for that. So instead I am >> sharing some bad recordings I found on my hard drive, maybe it will >> motivate someone to work with the tm, we are still missing a DOOM build >> :) > > Wow! That interface looks neat! Would love to have that on my TM5 as > well. I have a really old version installed right now, 2014something. > But as far as I have seen, I first need a cook-key/cookido for > rooting/to gain access. > > Would you provide your modified firmware? I don't have a pre-wifi firmware dump to analyze, but as far as I remember the serial number exploit was also introduced with the wifi firmware, so I think you at least need version 201605230000 to have some fun. The good news: you can update to a specific firmware version, even without a real cookidoo, by simulating the wifi cookidoo with a raspberry pi zero and placing the update package on the simulated cookidoo. I will release a step by step tutorial for this very soon. After the update you can use the serial exploit to run scripts on the tm5. With a USB hub you can also mount another usb drive to dump files. Regarding my UI image: this is just a joke, sorry :D it only shows a static image of the new TM6 UI. Maybe we will do some custom UI in the future.
The injection through the USB serial number was fixed around March/April 2019, so any version before that will do. There is also an unpublished way (MSD TOCTTOU-based) of rooting the TM5 on versions prior to around March 2021.

Hans (check your private messages :) )
Hans H. wrote:
> The good news: you can update to a specific firmware version, even without a real Cookidoo, by simulating the wifi Cookidoo with a Raspberry Pi Zero and placing the update package on the simulated Cookidoo. I will release a step-by-step tutorial for this very soon. After the update you can use the serial exploit to run scripts on the TM5. With a USB hub you can also mount another USB drive to dump files.

Hans, are you able to downgrade the device with your method? From what I've searched it doesn't look possible "easily", yet I haven't analyzed the possibilities of the AX88772/72A/72B adapter.

Thank you Schang too for the report of the TOCTTOU; I was about to spend some time on it. Do you think they fixed the problem after having read my message of 14.11.2020 15:13?

Something else: does anyone know if the rootfs is signed and checked at boot?
Truggy M. wrote:
> Hans H. wrote:
>> The good news: you can update to a specific firmware version, even without a real Cookidoo, by simulating the wifi Cookidoo with a Raspberry Pi Zero and placing the update package on the simulated Cookidoo. I will release a step-by-step tutorial for this very soon. After the update you can use the serial exploit to run scripts on the TM5. With a USB hub you can also mount another USB drive to dump files.
>
> Hans, are you able to downgrade the device with your method? From what I've searched it doesn't look possible "easily", yet I haven't analyzed the possibilities of the AX88772/72A/72B adapter.
>
> Thank you Schang too for the report of the TOCTTOU; I was about to spend some time on it. Do you think they fixed the problem after having read my message of 14.11.2020 15:13?
>
> Something else: does anyone know if the rootfs is signed and checked at boot?

I thought you knew a downgrade method :D I will make further investigations to check the OTP fuses that are meant to be burned with updates. I don't know if it's possible to bypass them at the moment. I also played around with the AX88772/72A/72B adapter but could not find anything useful yet.
Well, based on a single test for now, the downgrade method looks to be working! I strongly advise not to update to the latest firmware if you want to free your device ;) More information to come...
Hey guys, I've read through this thread with great interest and wondered if you would be interested in joining a Discord server for easier information sharing. I've just created one here for any RE discussions regarding TM5, TM6, ...: https://discord.gg/FrhGSQyWJp

It would be appreciated if you joined; it would probably boost progress :)
Didn't know there is already one? In case there is, please share the invitation link; I'll delete the obsolete post then.
You'll be glad to hear that we have found another good vulnerability, tests are really promising, stay tuned ;)
Truggy M. wrote:
> You'll be glad to hear that we have found another good vulnerability, tests are really promising, stay tuned ;)

Chad Truggy strikes again :3
Hello back there!

Good, we've now got 2 working proofs of concept to root the TM5. Before releasing them publicly, I'd like to give Vorwerk the opportunity to have a look at them and evaluate the risks for them, as a responsible vulnerability disclosure. So, if anyone working at Vorwerk (security, IT, support, ...) is still reading this thread, I'm willing to first share the details with you. Please write me a private message through the forum messaging, or on Discord.

The last vulnerability was marked here on the 25th of March; I'll wait until the 25th of June (3 months after) and will release it publicly if no contact is made.

Thank you!
Hello, I've been contacted by Vorwerk, so I won't be releasing details of the PoCs until agreed with Vorwerk. Sorry for those who were waiting for it with a lot of hope... I'll post the news here or on Discord when possible. Cheers!
Gilbert H. wrote:
> The Discord link from @SK F. now links to the old Discord, once you join.

Hi Gilbert, it is impossible to be added to the Discord. My user is somo19976#0329
New TM5 firmware is released: V2.13

```
Build date: 202208220000
Comment: RELEASEXXXX
Forced update: False
SHA256: 512b58965e8d8018a4cb5fc834c114a7a1cfb2861a5e9d16df323553c9fbd37b tm5.img
```

- New safety warnings added

Source: https://www.vorwerk.com/de/de/c/home/service/thermomix/sicherheitshinweise?utm_source=Cookidoo&utm_medium=Vorwerk&utm_campaign=Organic_Vorwerk_Broad_Brand_Cookidoo_Thermomix-Profile_TM6_2022-08-Messbecher&utm_content=Cookidoo_2022-08-Messbecher_x__x
Enrique S. wrote:
> Gilbert H. wrote:
>> The Discord link from @SK F. now links to the old Discord, once you join.
>
> Hi Gilbert, it is impossible to be added to the Discord. My user is somo19976#0329

You should be able to join the Discord server with this link: https://discord.gg/3XX2PQxWBv
Hans H. wrote:
> We can do:
> - decrypt cook-sticks, modify and add recipes with a python library
> - simulate cook-sticks with rpi zero
> - download recipes from cookidoo and add them to a cook-stick
> - make TM accept modified cook-sticks on firmware 2.4 and before
> - gain root access on firmware 2.4 and before
> - emulate firmware with qemu, unpack update packages

Are there any sources for that, a GitHub repo with tutorials or something similar?
What I'd like to know from everyone who has one of these at home: how often do you really use it for cooking?
Raul K. wrote:
> What I'd like to know from everyone who has one of these at home: how often do you really use it for cooking?

Several times a week. Although via a hardware downgrade to the TM31. (That one isn't smart and therefore doesn't harass the user with forced pauses when opening the lid, etc. ...)

PS: All these devices are totally useless unless you engage with them. With the smart ones, getting started is of course a bit easier.
For me, the only sensible hack would be being able to connect to the TM via Wi-Fi and, as an alternative to the official recipes, use my own database for this, maintained by the community. Everything else is certainly a great achievement, but the WAF is suboptimal ;-) The selling point of the thing is precisely that it should just work.

By the way, we use the TM daily. My wife and kids make all sorts of things with it, from soup to cocoa. The only thing that annoys my dear wife is that she bought the TM5 shortly before the 6 came out and now some functions are missing, which the Vorwerk mailings make permanently clear. It's just not like AVM, where the Fritz!Boxes are lovingly maintained even after new models appear.
Raul K. wrote:
> What I'd like to know from everyone who has one of these at home: how often do you really use it for cooking?

Please, no discussion here about the sense or nonsense of the device. Feel free to open an off-topic thread for that somewhere, but not here in this thread.
Hello everyone,

unfortunately I'm also currently busy with the topic of Vorwerk recipe chips. I have several of my wife's chips here that have given up the ghost, and since it really annoys me that Vorwerk built such cheap USB chips in here, and I'm also somewhat versed in electrical engineering, I'm looking for solutions and not just a plain "buy new"... especially since production has already been discontinued and the used ones on well-known classified-ad portals are unfortunately not all the best either (I've unfortunately already received several defective ones that way -.-).

With my 3D printer I've now built a reading station where I can read out working chips... -> works.

I've now borrowed some chips from acquaintances, the ones that are defective in our case, and pulled an image of them... -> works.

Now I want to try whether the cloned ones also work on the TM5. For this I dug out a promotional stick, which unfortunately is fitted with a controller from FirstChip rather than SMI. Well, the well-known MpTools exist for FirstChip too. Unfortunately, though, I haven't yet managed to produce a working copy of my recipe chip.

Does anyone here have experience with whether controller manufacturers other than SMI work too? Further up I already read that the exact chip type itself doesn't matter, but unfortunately I haven't read anything about other manufacturers.

I'd like to buy a few USB UDP chips from China, then I'd have peace from failing recipe chips. A backup of every cookbook on the hard drive and, when a chip fails again, just write one of the UDPs, done. Unfortunately, the relevant auction sites only offer chips with Alcor controllers. Does anyone perhaps have experience with that?

Best regards
MH
My TM5 currently shows an error code (C150) followed by an automatic shutdown. This is related to a mechanical problem which has already been repaired. Did the research on the debug port yield any results towards resetting stored errors?
Hi all, sorry to write in English, I'm French and I wrote a topic on fixing one of the issues of the TM5 (loss of the temperature sensor). Have a look here if you wish (it is in French): https://www.abcelectronique.com/forum/showthread.php?t=107314

I also discovered the video from my compatriot JM Besnard.... amazing. I don't understand anything about Linux and all that fancy stuff you did here.

Today I wonder if you could tell me how to reset errors like the C72. Because even if I fix the root cause (C72 stands for relay errors), the TM5 refuses to recover properly. At least one guy knows how to: https://www.youtube.com/watch?v=9CnJbHa2bwQ

At 11:59 he connects a USB OTG to Ethernet device to the TM5, then the TM5 starts a console screen where I can read the IP address 192.168.76.1. The guy says that he spent a large amount of time writing the code that does the job... My question is... is it true or BS? I guess that Vorwerk had a diagnostic tool for that, right?

Best regards
Hello, after more than a year (and no answer from Vorwerk to my last email), I've decided to release the vulnerability details on the Discord channel. This is for educational purposes, as the vulnerabilities found are really interesting from technical and mindset points of view. We have revisited the TOCTTOU concept to trick the Thermomix restore process; take a look for yourself! I hope this will benefit other vendors or software/hardware engineers in creating more secure solutions and give ideas to pentesters ;)

Cheers!
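The TOCTTOU idea behind the "MSD TOCTTOU-based" rooting mentioned earlier and the restore trick above, as an added Python example that is not the PoC released on Discord and not Vorwerk's code (the page gives no details of the real TM5 restore process). A hypothetical mass-storage emulator serves a genuine image on the first read of a path and a modified one on every later read, which is exactly what an attacker-controlled USB device can do. A restore routine that hashes one read and installs a second accepts the modified image even though the hash check passed; reading once and installing the very bytes that were verified does not. The image bytes, the digest and the `RacingMassStorage` class are all constructed for this example.

```python
import hashlib

# Constructed sample images; the real tm5.img is not reproduced here.
GENUINE_IMAGE = b"TM5-RESTORE-IMAGE genuine rootfs payload"
TAMPERED_IMAGE = b"TM5-RESTORE-IMAGE rootfs payload plus attacker shell"

# Pinned digest of the image the device is willing to install (the
# firmware release post in this thread publishes such a SHA256 for tm5.img).
TRUSTED_SHA256 = hashlib.sha256(GENUINE_IMAGE).hexdigest()


class RacingMassStorage:
    """Hypothetical stand-in for a USB mass-storage device under attacker
    control: the first read of a path returns one content, every later
    read of the same path returns another. A real emulator (e.g. a gadget
    on a Raspberry Pi Zero) can swap blocks between two host reads."""

    def __init__(self, first, later):
        self._first = first
        self._later = later
        self.reads = 0

    def read(self, path):
        self.reads += 1
        return self._first if self.reads == 1 else self._later


def image_is_trusted(data):
    """Compare the SHA256 of the candidate image against the pinned digest."""
    return hashlib.sha256(data).hexdigest() == TRUSTED_SHA256


def restore_vulnerable(dev, path="tm5.img"):
    """Check-then-use: the bytes that are verified are read from the device,
    then the device is read AGAIN to obtain the bytes that get installed.
    Anything that changes the medium between the two reads wins the race."""
    if not image_is_trusted(dev.read(path)):
        raise ValueError("image rejected by hash check")
    return dev.read(path)  # second read: may differ from what was checked


def restore_hardened(dev, path="tm5.img"):
    """Read once into local memory (or copy to non-removable storage),
    verify that buffer and install that same buffer. The removable medium
    is never consulted a second time, so there is no window to race."""
    data = dev.read(path)
    if not image_is_trusted(data):
        raise ValueError("image rejected by hash check")
    return data


def demo():
    """Returns (vulnerable_installed_tampered, hardened_installed_genuine)."""
    installed_vuln = restore_vulnerable(RacingMassStorage(GENUINE_IMAGE, TAMPERED_IMAGE))
    installed_hard = restore_hardened(RacingMassStorage(GENUINE_IMAGE, TAMPERED_IMAGE))
    return installed_vuln == TAMPERED_IMAGE, installed_hard == GENUINE_IMAGE


if __name__ == "__main__":
    vuln_lost, hard_ok = demo()
    print("vulnerable restore installed tampered image:", vuln_lost)
    print("hardened restore installed verified image:", hard_ok)
```

The point of the hardened variant is not the hash algorithm but where the bytes come from: verification and installation must operate on the same copy, held somewhere the attacker cannot rewrite, which is also why an update path that re-reads from removable media after signature or digest checks is worth a second look on any appliance, not just this one.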
One problem is certainly that the thing belongs in the bin. One is reminded of Data's finger trap or of a Sony DPS F7 (effects unit, music). In principle you can have a lot of fun with a Minimoog too.

The old Meal Master program was the much better tool. Good if you had built up a larger database (and back then that went very quickly; many people had transferred recipes from good TV shows or from well-known cookbooks into the Meal Master format). The UI was a DOS console, but easy to use. The most laborious part was really adapting the database. You could then look at what you had in the fridge or otherwise in stock, enter the ingredients, and (not always, but more and more often) find suitable recipe suggestions or good inspiration.

If you leaf a little through Escoffier's Kochkunstführer and reflect on the sensory worlds of that time compared with the digital and supermarket world of today, it really brings tears to your eyes. Crêpes can only be sold at fairs with Nutella any more, and elderberry bushes are only harvested by fliers.

(https://github.com/jeraymond/Recipe/blob/master/com.niceprograms.recipe/src/com/niceprograms/recipe/data/MealMasterImporter.java)
Hi folks! Is the Discord community still active? I requested access 2 weeks ago, but am still restricted to the #welcome channel only.