Forum: Offtopic - Thermomix recipe chips (Rezeptchips)


by Bimby T. (bimby)

Hans H. wrote:
> Bimby T. wrote:
>> Ikaro P. wrote:
>>> (I know I'm late... more coming soon, I promise)
>>>
>>> 2faf 32c6 f26b 5cc0 21c1 8988 019a f3a5
>>
>> Hi Ikaro P.,
>>
>> it is never too late for sharing your findings. :)
>> Is this the encryption key for the cook key or the piece of code where
>> the signature of the key is checked?
>>
>> Thanks and keep up the great work! :)
>
> It's the actual encryption key for the cookey. You can extract it from
> Matt's kernel dump.

Hi Hans H.,

you mean the decryption key and not the encryption key, or am I wrong? From
what I know, nobody has found out how to encrypt a cook key, right?

by Hans H. (Company: kobs-ng) (haschhans)

> Hi Hans H.,
>
> you mean the decryption key and not the encryption key, or am I wrong? From
> what I know, nobody has found out how to encrypt a cook key, right?

The encryption and decryption key are the same for the cookey.
Everyone who got a custom recipe on his TM had to encrypt his cookey.

by Bimby T. (bimby)

Hans H. wrote:
>> Hi Hans H.,
>>
>> you mean the decryption key and not the encryption key, or am I wrong? From
>> what I know, nobody has found out how to encrypt a cook key, right?
>
> The encryption and decryption key are the same for the cookey.
> Everyone who got a custom recipe on his TM had to encrypt his cookey.

Sorry, I was thinking about the recipe chip verification method and not the
encryption/decryption of the chip... The recipe chip verification uses
an RSA key, and this is what nobody has found out how to compute; only Matt
knows how to bypass this verification, using a bug found in the
verification method of the recipe chip.

: Edited by user
by Hans H. (Company: kobs-ng) (haschhans)


by Martin S. (sirnails)

Hans H. wrote:
> TM6 is coming:
> https://thermomix.vorwerk.de/thermomix/tm6/

Seems like Vorwerk is pissed....

by Bimby T. (bimby)

Martin S. wrote:
> Hans H. wrote:
> TM6 is coming:
> https://thermomix.vorwerk.de/thermomix/tm6/
>
> Seems like Vorwerk is pissed....

Well, it seems that they tried to copy the Monsieur Cuisine Connect from
Lidl...
Almost all new features could be added to the TM5 with a software
update...

Here is the first test and the differences to the TM5:
https://youtu.be/5fjKtTg441g

Maybe it is time to find a way to upgrade the TM5 with the
software from the TM6... :P

by Ivo B. (ivoburkart)

Looks like the TM6 has a web-based user interface :-)

by Hans H. (Company: kobs-ng) (haschhans)

Ivo B. wrote:
> Looks like the TM6 has a web-based user interface :-)

What exactly leads you to that statement?

by Marco H. (marco_h883)

Hans H. wrote:
> Ivo B. wrote:
> Looks like the TM6 has a web-based user interface :-)
>
> What exactly leads you to that statement?

We have the TM6 at home. I would also say that access to the recipe
archives is web-based. But the other functions are, as before, not a web
interface.

by Erlantz L. (erlantz_l)

Attached files:

Hello from Spain ;)
Boot GUI system (actually working on it):


/opt/Thermomix.sh : script that launches the log processes and calls the GUI
/usr/sbin/supervisor : "supervises" the TM5 hardware and, if all is ok, runs
 the Thermomix GUI (the binary is /opt/Thermomix/Thermomix)
/usr/sbin/supervisor_config.xml : here are the parameters that supervisor
reads

We can launch supervisor from the shell as root:

supervisor -m SERVICE : a mode that comes up with a preset IP (192.168.76.1),
mouse and keyboard, uses some port but does not start the GUI

supervisor -m GUI : it runs the GUI, and you can see a screen, but
you still cannot move forward; I need a mouse

Other services:

supervisor -m OTA : search for an upgrade

....

To launch Linux I use the tm5.sh script that is in this forum
(Post "Re: Thermomix Rezeptchips")
but chroot is not necessary, and I have changed it to launch with screen
and 256M of RAM (max RAM for qemu):

qemu-system-arm -M versatilepb -kernel vmlinuz -initrd initrd.img -m 256M -hda disk.qcow2 -append "root=/dev/sda1" -redir tcp:8022::22


Things to do:

It's not necessary to mount a partition, you can make it in the same
partition:
mkdir -p /mnt/rwfs/data/system_config

Copy the binaries from the Thermomix rootfs:

cp -r /tm5/usr/* /usr
cp -r /tm5/opt/* /opt

rc.local from the Thermomix rootfs is not necessary, only the binaries that
I mention are necessary

Note: I'm trying to stabilize the GUI; from time to time it crashes

: Edited by user
by Erlantz L. (erlantz_l)

Ikaro P. wrote:


> P.S. Coming soon might be a guide on running the GUI in an emulator;
> for now it's not usable as the emulated touchscreen driver is sending
> coordinates in the 0-32768 range but the GUI needs them in screen pixels.
> Clicking blindly in the left upper corner is just a pain in the ass...

Ikaro, in order to run the GUI, can you tell us which emulated touchscreen
driver you have used?
Thanks

by Hans H. (Company: kobs-ng) (haschhans)

Anyone still working on a root shell?

by Erlantz L. (erlantz_l)

I use a Raspberry Pi 2B with chroot; the supervisor service works but I
still have no luck with the touch screen, I can't use the screen. If anyone can
use the screen (Ikaro), please tell us how.

by Hans H. (Company: kobs-ng) (haschhans)

Erlantz L. wrote:
> I use a Raspberry Pi 2B with chroot; the supervisor service works but I
> still have no luck with the touch screen, I can't use the screen. If anyone can
> use the screen (Ikaro), please tell us how.

I do not know how to apply that with qemu, but I am sure the TM5 uses
the Novatek NT11004 display; this should be the touchscreen driver :)

https://github.com/wondermedia/wm8850/tree/master/ANDROID_3.0.8/drivers/input/touchscreen/novatek

by Erlantz L. (erlantz_l)

Maybe the information I am going to provide is useful:
through the logs of the supervisor service I have discovered that the
GUI was developed by the following company:
https://www.guiliani.de. The version of the Thermomix GUI shared here is
Guiliani 1.6; it seems old and on the web there are no references to
it, however in the binary certain sources are visible, many of them shared
with Guiliani version 2.1:
http://guiliani.de/mediawiki/downloads/Guiliani_doc_2.1/files.html

by Bimby T. (bimby)

Hi everyone,
Starting in 2020 the new TM6 will be built in China; maybe then there
will be more Chinese hackers trying to hack it. :P

Just out of curiosity, did anyone here know of a TM31 clone from South
Korea? It is called Cooking Master ALLDA (AD-1000):
http://www.allda.co.kr/en/cooking-master-allda/product-specification/
http://www.wordin.com/sub/sub02_05_1.php
https://www.youtube.com/watch?v=xHzhNIyrs6U
https://www.youtube.com/watch?v=y3y5LQniGlc

Happy hacking! :)

: Edited by user
by Gunter G. (guntergunter)

This video seems to sum it all up (getting a remote root shell, recover 
the key and bypass the digital signature check). Unfortunately it is all 
in French.

https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4

by Moritz M. (mom)

Gunter G. wrote:
> This video seems to sum it all up (getting a remote root shell, recover
> the key and bypass the digital signature check). Unfortunately it is all
> in French.
>
> https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4

Orrr. Nice picture of the STM32 he has there. Sadly it is mine and CC 
BY-NC-SA 4.0 licensed. Which he obviously forgot to mention in the talk.

by Moritz M. (mom)

On Twitter he writes:

»Hi, fixed around April (v2.6 or v2.7). There is no English version of 
the slides (I probably should have made those in English for the 
presentation). I'm thinking of doing version of the vid with English 
subtitles.«

https://twitter.com/jmbesnard_maz/status/1140977515252658179

So it seems to be fixed already.

by Sigma P. (sigmapic)

Gunter G. wrote:
> This video seems to sum it all up (getting a remote root shell, recover
> the key and bypass the digital signature check). Unfortunately it is all
> in French.
>
> https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4

Very interesting but not so happy to see that.

I'm french. So I understand everything.

Guys, everything you need now in order to decrypt recipe chips is 
written on this thread.

He says that he alerted Thermomix about this exploit in January 2019.

At that time, if I remember well, we were already able to decrypt the
recipe chip.

I wonder if this guy is a member of this forum?
Did he post on this thread?

What he didn't explain is how he succeeded in extracting the kernel from the
flash.

by Sigma P. (sigmapic)

I don't know if I already posted this link here, but it could be useful
for you:
https://github.com/SigmaPic/cryptoloop

by Sigma P. (sigmapic)

Sigma P. wrote:
> What he didn't explain is how he succeeded in extracting the kernel from the
> flash.

In fact he did it => nanddump

by Mortimer N. (Company: privat) (ranseyer)

Moritz M. wrote:
> On Twitter he writes:
>
> »Hi, fixed around April (v2.6 or v2.7). There is no English version of
> the slides (I probably should have made those in English for the
> presentation). I'm thinking of doing version of the vid with English
> subtitles.«
>
> https://twitter.com/jmbesnard_maz/status/1140977515252658179
>
> So seems to be fixed already.

Hmm, has somebody seen the version with en-subtitles ?

by Sigma P. (sigmapic)

Mortimer N. wrote:
> Hmm, has somebody seen the version with en-subtitles ?


A quick summary:
1. Target: getting a root shell, decrypting the recipe chip, bypassing the
signature check
2. Exploit communicated to Thermomix in January 2019 and patch published
in March 2019 (he doesn't say whether Thermomix patched new firmware)
3. He looked at the GUI, found in a menu that the TM5 runs Linux and
requested the source code CD from Thermomix
4. While waiting for the CD, he opened the recipe chip, found a USB flash in
UDP format, connected it to a computer, looked at the entropy and deduced that
the memory is encrypted => difficult to do something
5. He got the source code CD. Looked at it and found that encryption is
managed by a modified version of DCP instead of the usual crypto API
6. He bought the wifi key, found that the communication is SSL encrypted =>
impossible to do MITM
7. He opened the key, found a USB memory, found two partitions on it, found
that one is writable with a tarball on it
8. He removed the tarball and put the key again in the Thermomix, then
checked this partition again and found that the tarball is restored by the TM5
9. So he deduced that he can execute tar on an archive he can control, and
he knew that some tar versions from BusyBox are vulnerable to a directory
traversal exploit (the exploit used to root the DJI drone)
10. The TM5 uses tar 1.23 whereas the exploit has been found in 1.22 based on
the CVE report
11. He checked the source code of 1.23 and found that the exploit has not been
fixed. The exploit is fixed in 1.28
12. Some constraints: almost everything is read only except /tmp, /etc
and /var, which are mounted in a tmpfs of 512kB. This memory is erased
after reboot. Tools distributed on the TM5 are very limited but there is
tcpsvd
13. He decided to use the "script" directive from dhclient and bind a
shell with tcpsvd. He created the tarball with everything and his script
is run when the key is attached to the TM5
14. He got a shell
15. Looked inside the TM5
16. Found that AES is used (grep -r losetup)
17. Found the pass phrase in opt/cookey.txt, tried to decrypt and mount it,
but it failed
18. He looked in the DCP source code and found that the key that is passed via
losetup is not directly used to decrypt. This key is compared to a key
hardcoded in the kernel and if they match another hardcoded key is used
to decrypt the recipe chip. (This trick allows storing the real key in
the kernel)
19. He dumped the kernel with nandflash and extracted the key
20. He decrypted the recipe chip, it works!
21. He modified the recipe database
22. He found that all files are signed and the signature is checked with
checksig called by netlink
23. He found a way (explained in the video) to bypass the signature check by
changing the USB memory serial
24. To modify the USB serial, either use an MP Tool or emulate a USB
flash with a Raspberry (what he did)
25. Finished
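
Item 4 above (looking at the entropy of the chip's flash and concluding that it is encrypted) is the same triage step an analyst takes on any unknown storage image. The following is an added example of that step in Python; it is not code from this thread or from the SSTIC talk. The 4096-byte block size, the 7.5 bits/byte threshold and the SAMPLE_IMAGE buffer (a repeated SQLite header followed by os.urandom bytes standing in for ciphertext) are all my own constructed choices, not values taken from a real recipe chip.

```python
import math
import os
from collections import Counter

# Constructed sample: a plaintext-looking region (a repeated SQLite header)
# followed by 4096 bytes from os.urandom standing in for ciphertext.
# Neither half comes from a real recipe chip.
SAMPLE_IMAGE = (b"SQLite format 3\x00" * 256) + os.urandom(4096)


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of the byte distribution in `block`, in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def scan_image(data: bytes, block_size: int = 4096, threshold: float = 7.5):
    """Entropy per fixed-size block: list of (offset, bits_per_byte, 'high' | 'low')."""
    report = []
    for off in range(0, len(data), block_size):
        h = shannon_entropy(data[off:off + block_size])
        report.append((off, round(h, 2), "high" if h >= threshold else "low"))
    return report


def looks_encrypted(data: bytes, block_size: int = 4096,
                    threshold: float = 7.5, fraction: float = 0.9) -> bool:
    """True when at least `fraction` of the blocks are high-entropy (assumed cut-off)."""
    report = scan_image(data, block_size, threshold)
    if not report:
        return False
    high = sum(1 for _, _, label in report if label == "high")
    return high / len(report) >= fraction


if __name__ == "__main__":
    for off, h, label in scan_image(SAMPLE_IMAGE):
        print("0x%06x  %.2f bits/byte  %s" % (off, h, label))
    print("image looks encrypted:", looks_encrypted(SAMPLE_IMAGE))
```

A fully encrypted image scores close to 8 bits/byte in every block, while a plaintext filesystem shows a mix, with headers, tables and zero-filled areas scoring far lower. Compressed data looks the same as ciphertext, so entropy alone only tells you that the bytes are not directly readable, not why.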

by Moritz M. (mom)

Thanks a lot for the summary, would have taken ages for me to figure it 
out with my poor french.

Sigma P. wrote:
> 2. Exploit communicated to Thermomix in January 2019 and patch published
> in March 2019 (he doesn't say whether Thermomix patched new firmware)


That he wrote in the Tweet above. It was fixed in 2.6 or 2.7 in April 
2019.

As I'm afraid updating my TM5: what is the current version available?

Does anybody know if updating requires updates from minor version to 
minor version (e.g. 2.3->2.4->2.5) incrementally?
Or will it be like the latest version will be installed regardless which 
one is currently running (e.g. 2.3->2.5)?

by Moritz M. (mom)

At least getting the root shell should be feasible. Hopefully I will find
some time during the next months.

by Bimby T. (bimby)

Sigma P. wrote:
> 7. He opened the key, found a USB memory, found two partitions on it, found
> that one is writable with a tarball on it
> 8. He removed the tarball and put the key again in the Thermomix, then
> checked this partition again and found that the tarball is restored by the TM5

Hi Sigma, is this correct? What I understood from the video is that the
two partitions from the WIFI Key are not encrypted and if you delete one 
SQLite database on partition 2, the TM5 will restore it from the cs.tar 
from partition 1.

Anyone that has an updated TM5 can confirm the Busybox version shown on 
the "About" screen of the TM5?

I think I have seen somewhere in the TM5 scripts/source code that there 
is a "switch" that will allow the TM5 to downgrade its firmware, maybe 
we can use it somehow.

Do you think that the guy in the video is Ikaro? He is an Information
Security Audit & Advisory Senior Manager
(https://www.linkedin.com/in/jmbesnard), and he wrote here this:

> --Ikaro Psi

> P.S. The security on this machine is very very impressive, I have pretty
> much never seen done anything this right and I do security for living,
> those engineers were thinking of every little detail. Sadly even them
> are only humans :)

I think the best way to explore the TM5 is to successfully run the TM5
System/GUI on QEMU or RPI. Ikaro has somehow emulated the touchscreen 
but never gave information how to do that. I think this is one of the 
last pieces that we need to successfully emulate the TM5.

Happy hacking everyone! :)

: Edited by user
by Bimby T. (bimby)

Bimby T. wrote:
> I think I have seen somewhere in the TM5 scripts/source code that there
> is a "switch" that will allow the TM5 to downgrade its firmware, maybe
> we can use it somehow.

From /opt/common.sh:

# TM41_BM_DOWNGRADE_ENABLED is a bitmask defined elsewhere in the script (not
# quoted here). The flag is kept in the SPARE_2 persistent register exposed
# by the mxs-persistent driver, so it survives a reboot.
is_downgrade_enabled() {
    spare2=$(cat /sys/devices/platform/mxs-persistent.0/SPARE_2)
    if [ $(($spare2 & $TM41_BM_DOWNGRADE_ENABLED)) -ne 0 ] ; then
        g_status=1
    else
        g_status=0
    fi
}

enable_downgrade() {
    # set the flag bit, keep all other bits
    spare2=$(cat /sys/devices/platform/mxs-persistent.0/SPARE_2)
    spare2=$(($spare2 | $TM41_BM_DOWNGRADE_ENABLED))
    echo $spare2 > /sys/devices/platform/mxs-persistent.0/SPARE_2
}

disable_downgrade() {
    # clear the flag bit, keep all other bits
    spare2=$(cat /sys/devices/platform/mxs-persistent.0/SPARE_2)
    spare2=$(($spare2 & ~$TM41_BM_DOWNGRADE_ENABLED))
    echo $spare2 > /sys/devices/platform/mxs-persistent.0/SPARE_2
}

From /opt/update.sh:

# Only allow downgrade if the special bit in RTC memory is set
# Otherwise only allow version >= current ones
# (new_version_allowed, sw_date and forced are presumably set earlier in
# update.sh; that part is not quoted here)
is_downgrade_enabled
get_current_version
if [ $g_status -eq 1 ]; then
    new_version_allowed=1
elif [ $sw_date -ge $g_current_version ]; then
    new_version_allowed=1
fi

# If the new version didn't pass a check and it is not a forced update, bail out
if [ $new_version_allowed -eq 0 ] && [ $forced -eq 0 ]; then
    echo "Downgrade is not allowed"
    exit 2
fi

Here are some Novatek touchscreen drivers (the one used by the TM5 is the NT11004):
https://github.com/wondermedia/wm8850/blob/master/ANDROID_3.0.8/drivers/input/touchscreen/novatek/novatek.c
https://github.com/crewrktablets/rk30_kernel/blob/master/drivers/input/touchscreen/Novatek_nt11003.c
https://git.congatec.com/android/qmx6_kernel/commit/01539e3aa09e7203a451d567de7cedc4794453ff#b9dd3bb551ac2d88c29329285264a4cdccc79989
https://github.com/endlessm/linux-meson/blob/master/drivers/amlogic/input/touchscreen/novatek.c

Maybe someone knows how to emulate the I2C on QEMU using the serial 
converter from QEMU: 
https://unix.stackexchange.com/questions/119335/how-can-i-simulate-usb-storage-device-connection-with-qemu

by Sigma P. (sigmapic)

Bimby T. wrote:
> Hi Sigma, is this correct? What I understood from the video is that the
> two partitions from the WIFI Key are not encrypted and if you delete one
> SQLite database on partition 2, the TM5 will restore it from the cs.tar
> from partition 1.

You're right.
There are two partitions that are not encrypted.
One contains some database files.
The second a tarball that may be a backup of the first one.
If you delete some file from the first partition, it is restored.
It seems that the restoration is done from the tarball.
So the TM5 opens the tarball.
So, with a magic tarball you can get the root shell.

Great job by the way.

by Tom T. (tomtest)

I might have found something that could help sort out the SQL tables:
https://pastebin.com/kpfviZZq

AllRecipes or getGuidedMap seems to be a good starting point to 
understand the structure.

by Bimby T. (bimby)

Hi,

has anyone already asked Vorwerk (opensource@vorwerk.de) for the
open source code of the new Thermomix TM6?
It would be nice to know if it is possible to convert a TM5 to a TM6... It
seems that the models are almost identical... :)

by David F. (david_f)

Good evening,

In this super long thread I have somewhat lost track.
Can someone briefly summarize what the current status is?
What is currently possible?

Regards
kolch

by Ralf X. (ralf0815)

David F. wrote:
> Good evening,
>
> In this super long thread I have somewhat lost track.
> Can someone briefly summarize what the current status is?
> What is currently possible?
>
> Regards
> kolch

At the moment pretty much anything is possible, and not only when cooking.

by Julian W. (julian-w)

A forum user managed to outwit the Thermomix, but no guide is freely
available. So you have to search the source code yourself for the bug
that makes this possible. However, there are a few tips about it in the
thread.

by Sebastian K. (5phinxx)

Ralf X. wrote:
> David F. wrote:
>> Good evening,
>>
>> In this super long thread I have somewhat lost track.
>> Can someone briefly summarize what the current status is?
>> What is currently possible?
>>
>> Regards
>> kolch
>
> At the moment pretty much anything is possible, and not only when cooking.

Wow, thank you very much for your contribution! You are a real asset
to this forum 👍

by David F. (david_f)

@Sebastian
Thanks for your comment. I thought the same thing.

@Julian
It's a pity that there is no real HowTo. The information is scattered
widely across the thread.

by Michael W. (mwulz)

David F. wrote:
> @Sebastian
> Thanks for your comment. I thought the same thing.
>
> @Julian
> It's a pity that there is no real HowTo. The information is scattered
> widely across the thread.

@all: unfortunately there are also exactly those forum users who are just
waiting to post pointless comments.

I suggest putting the hacks offered here on GitHub and thereby making the
topic easier to handle.

A switch to English, as already suggested, would also make the topic more
international and enlarge the circle of people who can really
contribute.

Regards

by Schang S. (Company: none) (schang)

This security talk wraps it up:
https://static.sstic.org/rumps2019/1080p/SSTIC_2019-06-06_P09_RUMPS_06.mp4

1 - how to get a root shell
2 - how to recover encryption key and decrypt stick
3 - how to bypass digital signature

by Bimby T. (bimby)

Michael W. wrote:
> David F. wrote:
>> @Sebastian
>> Thanks for your comment. I thought the same thing.
>>
>> @Julian
>> It's a pity that there is no real HowTo. The information is scattered
>> widely across the thread.
>
> @all: unfortunately there are also exactly those forum users who are just
> waiting to post pointless comments.
>
> I suggest putting the hacks offered here on GitHub and thereby making the
> topic easier to handle.
>
> A switch to English, as already suggested, would also make the topic more
> international and enlarge the circle of people who can really
> contribute.
>
> Regards

To all who do not want to read the complete thread:

- You can find all the steps to change the Cook Key files here (I think
this procedure was already patched in new firmware releases):
https://pastebin.com/uSRCEpts

- You can watch a video of how to gain root access on an older firmware of
the Thermomix: https://www.youtube.com/watch?v=iCOBc6JLSGc

If someone has successfully managed to run the Thermomix GUI with QEMU, just
let us know (Ikaro has managed to run it with an emulated touchscreen
driver; sadly he never shared this emulated driver):
Post "Re: Thermomix Rezeptchips"

by Schang S. (Company: none) (schang)

The YouTube video seems to be private. If it is yours could you switch 
it to public? Thanks

by Bimby T. (bimby)

Schang S. wrote:
> The YouTube video seems to be private. If it is yours could you switch
> it to public? Thanks

Hi Schang,

I have changed the permissions.
The YouTube video is the same one that you have already posted, just on
YouTube, so you can turn subtitles on and choose an auto-generated
translation...

Post #6454341 was deleted by the author.
Post #6454350 was deleted by the author.
by David F. (david_f)

Bimby T. wrote:
> - You can find all the steps to change the Cook Key files here (I think
> this procedure was already patched on new firmware releases):
> https://pastebin.com/uSRCEpts

Sorry to hear that it is already fixed with the new firmware. Are you 100%
sure?

by Bimby T. (bimby)

David F. wrote:
> Bimby T. wrote:
>> - You can find all the steps to change the Cook Key files here (I think
>> this procedure was already patched in new firmware releases):
>> https://pastebin.com/uSRCEpts
>
> Sorry to hear that it is already fixed with the new firmware. Are you 100%
> sure?

If you watch the YouTube video I've posted, you can see the steps to
gain access to the Thermomix and change a recipe on the cook key.
The security engineer said that he got the OK from Vorwerk to show
this vulnerability because it was already patched in the new firmware
version...

by Alexander H. (alexander_h390)

Does anybody know which is the last firmware with the vulnerability?
2.8?
Mine is still running on 2.4.

by Schang S. (Company: none) (schang)

I can't remember the exact version numbers, but basically it was patched
around March 2019, so if you can see a timestamp next to the version
then you can determine whether your device is still vulnerable.
If your TM5 has never been patched through the Wifi cookkey installation
then your device is definitely vulnerable.

Finally, check the about menu to find what version of busybox is 
advertised. If it is 1.23xx then it is vulnerable.

by Moritz M. (mom)

It was fixed in 2.6 or 2.7.

Did anybody request the firmware from opensource@vorwerk.de for the 
versions > 2.4?

If somebody has it, we can put it to Github/Gitlab for reference. Just 
DM me for details.

2.3 is already available.

by Bimby T. (bimby)

Does anyone here know what the URL is to check for a firmware update, and if
it is possible to download the update without the Thermomix? I think I
have read here that the update is encrypted; is it possible to decrypt
and access the update files?

by Ben H. (ben_h)

Bimby T. wrote:
> - You can find all the steps to change the Cook Key files here (I think
> this procedure was already patched on new firmware releases):
> https://pastebin.com/uSRCEpts

I confused the Cook Key with the Recipe Chips and tried the steps above for a
Recipe Chip USB, but the image doesn't compress much. Is there a method
to modify the recipes on the Recipe Chips, or just on the Cook Key (wifi
dongle)?

(I have a Thermomix that I didn't think we'd allowed the update on; its
Software is
202007050000 2.10, which looks new (assuming that's a date), but
BusyBox says 1.23.2)

by Bimby T. (bimby)

Ben H. wrote:
> Bimby T. wrote:
>> - You can find all the steps to change the Cook Key files here (I think
>> this procedure was already patched in new firmware releases):
>> https://pastebin.com/uSRCEpts
>
> I confused the Cook Key with the Recipe Chips and tried the steps above for a
> Recipe Chip USB, but the image doesn't compress much. Is there a method
> to modify the recipes on the Recipe Chips, or just on the Cook Key (wifi
> dongle)?
>
> (I have a Thermomix that I didn't think we'd allowed the update on; its
> Software is
> 202007050000 2.10, which looks new (assuming that's a date), but
> BusyBox says 1.23.2)

When I say Cook Key I mean the Recipe Chips (I think the Wifi dongle
doesn't work)... This method should allow you to edit the recipes on the
chip (you need to check the data structure of the recipes)... I also
recommend using a USB pen drive that has a tool to change the serial
number...

by Schang S. (Company: none) (schang)

Although the attack features the Cook-key (as a way to get a remote 
shell and to then recover the encryption key and eventually to 
understand the digital signature bypass through command injection with 
the USB serial number), the final target is the recipe chip (e.g., the 
small green device you get when you purchase a TM5).

Changing recipes is just a matter of understanding the database 
structure (which can be quite a mess). For example, if you wish to 
change the weight of a particular ingredient for a recipe, you'll have 
to update that information in 2 different tables.
As for actually creating a recipe from scratch, it is slightly more 
difficult.

Changing the serial number requires that you get a flash memory drive
that allows a serial number update. From what I have experienced, you
often need to write the content (the modified disk image of the recipe
stick) and to update the serial number at the same time. This operation
takes a lot of time and will sometimes eventually brick the flash drive.
Because of that, it is more convenient to simulate a flash drive with an
OTG-enabled Raspberry Pi (the Raspberry Pi Zero does that, other Raspberry
versions don't). With that setup you can not only change the serial
number with ease but you can also update data on the fly (which is way
more convenient when you need to make frequent changes in an attempt to
modify/create a recipe). It is also more convenient to do that with the
cook-key (as shown in the video) by putting a USB (male/female)
extension inside and then plugging in the RPi Zero (more convenient from a
connection standpoint).

This looks like this:
[TM5]--[Cook-key]--<USB-extension>[RPI-zero]

Finally, I believe that you also need to power the RPI-zero with USB (so 
both USB OTG and normal USB ports will be used) as the TM5 does not 
provide enough power to boot the RPI.

by Bimby T. (bimby)

Schang S. wrote:
> Because of that, it is more convenient to simulate a flash drive with an
> OTG-enabled raspberry Pi (Raspberry zero does that, other raspberry
> versions don't). With that setup you can not only change the serial
> number at ease but you can also update data on the fly (which is way
> more convenient when you need to make frequent changes in an attempt to
> modify/create a recipe).

Hi Schang, it would be nice if you could post a little "how to" on using
the RPi Zero as a USB stick for the TM5... :)

by Schang S. (Company: none) (schang)

5:23 in the video provides a screenshot of the command line to do that

by Truggy M. (truggy)

Hi all,

I've been reading the whole thread, and frankly, that's awesome; good job,
guys, for all your discoveries. I'll add my share here.

I've been investigating the update versions 2.8 and 2.10, and both of
them are patched; the exploits in the video of the SSTIC 2019 are no
longer possible.
Even if the BusyBox version is vulnerable, they have set up a test in the
update process to refuse the update package if it contains symbolic
links, hard links, "../" or "/".
This is verified in the binary file "/usr/sbin/netlink".

About step 7 of the procedure https://pastebin.com/uSRCEpts :
"Write image.img back to the Cook Key or USB Pendrive that can be read
by the machine": as stated in the video, you also have to change the
serial number of the USB drive; this is possible on lots of USB devices
thanks to flashboot.ru files.
BUT, something not really underlined, you ALSO have to make the
partition of your USB drive be seen like a CDROM filesystem (in the
video, at position 5:23 you'll see him using the gadget mass_storage
with option cdrom=y).
Even with flashboot.ru files, I tried on 3 different USB keys I own, and
I could not write the raw encrypted image to the USB drives (image not
written, or the size of the partition is different from the image).
I really think we'd need to find the right USB drive model to do so!

Technical info of one of my USB cookeys shows:
Controller: Silicon Motion SM3257 ENLTAA
Possible Memory Chip(s): Samsung K9ABGD8U0D
Maybe we can find somewhere to buy it?
I wonder how Matt C. did the hack in his post "04.11.2018 10:28", maybe
already with a Raspberry?

I don't think the file structure or the SQLite tables will be a problem
for creating your own cookey; it's logical. The main problem is the
signature checking that is not possible anymore to bypass in newer
versions (at least starting from 2.8, they have added a check to see if
the serial number only contains numbers)...

The gadget mass_storage might be used to get a root shell differently on
the device, but that would need more investigation and may end up with
nothing! :)

About the updates, Vorwerk has really done a big job to protect this
input, congrats!
If you're interested, here are the links of :
- version 2.8 root squashfs filesystem :
https://mega.nz/file/0vIU3JoC#MljPXOhZHL82u9_xpFXXC2TKPo3KzxQEElKte0wsar4
- version 2.10 root squashfs filesystem :
https://mega.nz/file/hrAQhTpB#ezcbOKG9ALETVWTPADY-K5YuFfM3WBotgrXEs5bR9sw
- kobs-ng update file containing the kernel of version 2.10:
https://mega.nz/file/0jYkwT5S#z6R6x69xPtsUZjzML7UXybTWYxa6-_-g40cqSU-LPQ0

I'd really love to have my TM5 freed, so that I can share my recipes 
with anyone and without the cookidoo platform !

Cheers !

: Edited by user
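
Truggy's description of the netlink checks (refusing an update package that contains symbolic links, hard links, "../" or absolute paths, and only accepting serial numbers made of digits) is the defensive counterpart of items 9 to 11 in Sigma's summary of the talk. The following Python is an added example written for this thread; it is not Vorwerk's code and not a reverse engineering of /usr/sbin/netlink. It shows how such a pre-extraction gate can be written on the host side with the standard tarfile module, so an archive is inspected before any tar implementation touches it. The sample archives (GOOD_TAR, TRAVERSAL_TAR, SYMLINK_TAR) are constructed in memory, and the 32-digit length cap on the serial is my own assumption.

```python
import io
import re
import tarfile
from typing import List, Optional


def member_is_unsafe(member: tarfile.TarInfo) -> Optional[str]:
    """Return the reason an archive member must be rejected, or None if it is acceptable."""
    name = member.name
    if member.issym():
        return "symlink: %s -> %s" % (name, member.linkname)
    if member.islnk():
        return "hardlink: %s -> %s" % (name, member.linkname)
    if name.startswith("/"):
        return "absolute path: %s" % name
    # ".." as a whole path component escapes the extraction directory
    if ".." in name.split("/"):
        return "path traversal: %s" % name
    if not (member.isfile() or member.isdir()):
        return "unexpected member type: %s" % name
    return None


def validate_archive(blob: bytes) -> List[str]:
    """Every reason the tarball should be refused; an empty list means it passes."""
    reasons = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for m in tf.getmembers():      # header walk only, nothing is extracted
            r = member_is_unsafe(m)
            if r is not None:
                reasons.append(r)
    return reasons


# Allowlist for the USB serial: decimal digits only, so the value can never
# carry shell metacharacters into a command line. The 1..32 length cap is assumed.
SERIAL_RE = re.compile(r"[0-9]{1,32}")


def serial_is_wellformed(serial: str) -> bool:
    return SERIAL_RE.fullmatch(serial) is not None


def _build_tar(entries):
    """Construct a tarball in memory from (name, data_or_None, type, linkname_or_None)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data, typ, link in entries:
            ti = tarfile.TarInfo(name)
            ti.type = typ
            if link is not None:
                ti.linkname = link
            if data is not None:
                ti.size = len(data)
                tf.addfile(ti, io.BytesIO(data))
            else:
                tf.addfile(ti)
    return buf.getvalue()


# Constructed samples (not real TM5 update packages)
GOOD_TAR = _build_tar([("data/recipes.db", b"constructed-sqlite-bytes", tarfile.REGTYPE, None)])
TRAVERSAL_TAR = _build_tar([("../outside.txt", b"x", tarfile.REGTYPE, None)])
SYMLINK_TAR = _build_tar([("data/link", None, tarfile.SYMTYPE, "/etc/passwd")])

if __name__ == "__main__":
    for label, blob in (("good", GOOD_TAR), ("traversal", TRAVERSAL_TAR), ("symlink", SYMLINK_TAR)):
        print(label, "->", validate_archive(blob) or "accepted")
    for s in ("123456789012", "1234;id", ""):
        print(repr(s), "wellformed:", serial_is_wellformed(s))
```

Checking the member headers before extraction is what makes this independent of the tar binary's own behaviour: a BusyBox tar that still honours "../" never sees the archive. The serial check works the same way, by rejecting anything outside the allowlist instead of trying to escape it.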
by Ralf G. (dougie)

...in fact it would be fantastic to have an image for an RPi Zero which
emulates a CookKey WiFi dongle (or at least a CookKey) towards the TM5,
and offers WiFi capabilities to the other side.... enabling the use and
storage of your own recipes....

by Truggy M. (truggy)

I think the communications between the TM5 and the cookidoo servers are
encrypted by TLS (of course) and moreover may use TM5-internal
certificates to connect to this platform.
Therefore, you'd need to extract these certificates from your TM5 to be
able to create a MITM proxy and decrypt the data: so you need root on
the device or to be able to read the NAND chip of your TM5...

With reverse engineering you might be able to understand the communication
protocol and emulate the cookidoo servers: well, that's an idea if
the TM5 doesn't wait for authentic certificates from cookidoo...

There should still be possibilities with this wifi, we just have to be
creative and imagine scenarios :)

: Edited by user
by Matt C. (thermomatt)

Truggy M. wrote:
> I wonder how Matt C. did the hack in his post "04.11.2018 10:28", maybe
> already with raspberry ?

I used a normal USB stick: I just went through my collection of USB 
sticks and tried to find the MPTool software for each one, until one 
finally worked. The USB stick I ended up using was a cheap one that I 
got free from a conference, using an Ameco MW6208 chipset, but any 
should be fine if you can find the right software to set the serial 
number and CD-ROM mode. It is quite a painful process, so using a RPi is 
a good idea.

Cheers,
Matt

by Truggy M. (truggy)

Thanks Matt for that clarification, I wasn't that lucky with my 3 USB 
drives!

As the busybox version is still vulnerable, it might be possible to 
create a Raspberry with a mass storage gadget acting like the 2 internal 
partitions of the CookKey WiFi.
As shown in the SSTIC video at 1:11, if the "ext.sdb" file is not 
present in the second partition, the Thermomix will recreate the second 
partition (mkfs.ext4) and restore the contents of the file "cs.tar" from 
partition 1 to partition 2.
The new protection in versions > 2.7 checks for a malformed "cs.tar" 
before allowing the file to be restored to the partition.
With that mass storage gadget, I think it would be possible to intercept 
(on the Raspberry) the first opening of "cs.tar" and show a valid file, 
and then for the next open of "cs.tar" give a crafted tar file, and 
boom :)

I haven't worked yet on the Linux possibilities to hook those system 
calls, but there's a good chance it's possible to do it in combination 
with the mass storage gadget.

Once root on the device, you could simply mount a modified filesystem 
and disable the signature checking of the recipes; that is easy.

: Edited by user
by Bimby T. (bimby)

Matt C. wrote:
> Truggy M. wrote:
>> I wonder how Matt C. did the hack in his post "04.11.2018 10:28", maybe
>> already with raspberry ?
>
> I used a normal USB stick - I just went through my collection of USB
> sticks and tried to find the MPTool software for each one, until one
> finally worked.   The USB stick I ended up using was a cheap one that I
> got free from a conference, using Ameco MW6208 chipset, but any should
> be fine if you can find the right software to set the serial number and
> CD-ROM mode.  It is quite a painful process so using RPi is a good idea.
>
> Cheers,
> Matt

I know that the Windows 10 installation USB sticks can be written with 
an ISO as CD-ROM using MPALL_F1_7F00_DL07_v503_0A:
https://www.elektroda.com/rtvforum/topic3313834.html

The one I have tested has this FCC ID and should be a DataTraveler 3.0 
from Kingston (Model: DTM30): https://fccid.io/MSIP-REM-K98-1734

Here is a picture of the internals: 
https://mdex-nn.ru/uploads/win10_flash02.jpg

Maybe they can still be found on eBay or Amazon...

by Ralf G. (dougie)

Truggy M. wrote:
> There should still have possibilities with this wifi, we just have to be
> creative and imagine scenarios :)

...I meant an image which behaves like a Cookey towards the TM5 and 
offers a simple web page to the user for adding recipes.... maybe also 
with an option to import dumps from other Cookeys....

Would be cool.... and I guess within the range of available options 
(unfortunately a bit outside my area of expertise at this point in time).

by Ralf G. (dougie)

...in addition:

It seems the manufacturer wants to make you move to a new firmware as 
quickly as possible. Over the weekend I spent some minutes with our TM5 
and a WiFi CookKey I grabbed on eBay...

Because the TM5 was on its original firmware from 2016, it was not able 
to use the WiFi key, and an update with the firmware stored on the WiFi 
key was necessary.

Having done that, I was able to connect to the local WiFi and register 
with the Vorwerk server, which delivered the next message: that a newer 
firmware would be available.
I refused to do that and found out that with the current firmware the 
server does not perform any sync between your Cookidoo web account and 
the TM5. ...
It says no sync possible until newer firmware installed....

Hmmmm....

: Edited by user
by Bimby T. (bimby)

Ralf G. wrote:
> Done that I was able to connect to the local Wifi and registered the
> Vorwerk Server, delivering the next message, that a newer Firmware would
> be available.
> I refused to do that and found out, that with the current firmware the
> server does not perform any sync betweeen your Cookidoo web account and
> the TM5. ...
> It says no sync possible until newer firmware installed....
>
> Hmmmm....

I think that the old firmware has an expired certificate and this is 
why it needs a new firmware to connect to the Vorwerk servers...

by Ralf G. (dougie)

Attached files:

Well, I'm afraid it's intentional.... on the TM5 I can browse recipes 
online from the VW server, but when adding recipes with my computer to 
my personal lists on Cookidoo and trying to synchronize with the TM5, it 
mandates a software update...

For obvious reasons I don't want that at this point in time...

Need to read how to set up a RPi Zero in OTG mode behaving as a USB 
stick with "our" serial...

by Bimby T. (bimby)

Ralf G. wrote:
> Need to read, how to set up a RPi zero in OTG mode and behaving as an
> USB Stick with "our" serial...

Just check the YouTube video @5:22: https://youtu.be/iCOBc6JLSGc?t=322
Here you can see how to configure the RPi Zero W as a mass storage 
device: 
https://magpi.raspberrypi.org/articles/pi-zero-w-smart-usb-flash-drive

: Edited by user
by Truggy M. (truggy)

About the mandatory update, it's written in their update change log:
https://support.vorwerk.com/hc/en-us/articles/360008472119-Which-new-functions-do-I-get-for-my-Thermomix-TM5-with-the-latest-update-

They may also have strengthened the server communication or added new 
features that previous firmwares didn't support.

About the RPi, search for the Linux mass storage gadget; the 
instructions are quite clear and the video pointed to by Bimby gives you 
the command line.

Has anyone already worked with system hooks?

by Bimby T. (bimby)

Truggy M. wrote:
> About the updates, Vorweck has really done a big job to protect this
> input, congrats !
> If you're interested, here are the links of :
> - version 2.8 root squashfs filesystem :
> https://mega.nz/file/0vIU3JoC#MljPXOhZHL82u9_xpFXXC2TKPo3KzxQEElKte0wsar4
> - version 2.10 root squashfs filesystem :
> https://mega.nz/file/hrAQhTpB#ezcbOKG9ALETVWTPADY-K5YuFfM3WBotgrXEs5bR9sw
> - kobs-ng update file containing the kernel of version 2.10:
> https://mega.nz/file/0jYkwT5S#z6R6x69xPtsUZjzML7UXybTWYxa6-_-g40cqSU-LPQ0

Hi Truggy,

how did you get access to the new firmware 2.10? Are you able to 
download the updates directly from the Vorwerk servers? If so, can you 
tell how? :)

by Truggy M. (truggy)

Well, I didn't spend time looking for the URL on Vorwerk's servers: I 
just connected the WiFi CookKey, the Thermomix downloaded the update, 
and I took the file "tm5.img" from the second partition of the drive in 
the CookKey.

The extraction of the internal data was a little harder because their 
tool (/usr/sbin/checkimg) needed some little "adjustments" to be able to 
extract the data without complaining...

by Bimby T. (bimby)

Truggy M. wrote:
> Well, I didn't spent time on looking after the url in vorwerk's servers
> : I just connected the wifi cookkey, the thermomix downloaded the
> update, and I took the file "tm5.img" from the second partition of the
> drive in the cookkey.
>
> The extraction of the internal data was a little harder because their
> tool (/usr/sbin/checkimg) needed some little "adjustments" to be able to
> extract the data without complaining...

It would be nice to find out how to get the URL to check if we could 
inject a custom firmware. I suppose that the firmware has a checksum, so 
I was thinking of changing part of the firmware by swapping bytes with 
an image. For example: if we have a binary file we would like to patch, 
we look for the needed bytes for the patch in an image and swap them. In 
theory, the image would have bad pixels, but the checksum should be the 
same, because we only swapped bytes within the firmware.
It would be hard work, but first things first: is something like this 
even possible? :)

: Edited by user
by Truggy M. (truggy)

That could be a good idea, but seeing the level of security they have 
put in the product, it's really more than a checksum; I guess they have 
encrypted/verified the update package with RSA certificates: without 
the private key, you won't be able to generate a valid update 
package...

If you're interested, here are the complete update files; you'll see the 
format is not understandable and very probably encrypted:
- full update version 2.8: 
https://mega.nz/file/s2QWgR4A#F6ju-XtenmQ1Unn-l2htUp6eG0CbZnRzsLXqlnjEN0I
- full update version 2.10: 
https://mega.nz/file/wrYiULAC#9z-R0G23mqF2WAXdR4o4fjdTSy_W5SGfEsptb2IJRgo
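Bimby's byte-swapping idea and Truggy's reply are exactly the difference between a checksum and a signature. The Python below is an added example, not code from the thread or from Vorwerk's update tooling: it applies a swap-based patch to a constructed fake package and shows that an additive (or XOR) checksum is unchanged while SHA-256 and a keyed tag both change. The package bytes are made up, and HMAC over a constructed placeholder key stands in for the RSA signature Truggy expects on the real update.

```python
"""Why byte-swapping defeats an additive checksum but not a cryptographic check.

Added example, not from the thread. BINARY/IMAGE are constructed stand-ins
for an update package; SIGNING_KEY is a constructed placeholder and HMAC
stands in for the RSA signature assumed to protect the real package.
"""
import hashlib
import hmac

# Constructed sample: a "binary" region we want to patch and an "image"
# region whose bytes we are willing to sacrifice (Bimby's "bad pixels").
BINARY = bytearray(b"JMP:\x01\x02\x03\x04 CHECK_SIG=1 ")
IMAGE = bytearray(range(256)) * 4            # 1024 bytes of fake pixels
PACKAGE = bytes(BINARY + IMAGE)
SIGNING_KEY = b"placeholder-signing-key"      # constructed placeholder


def byte_sum_checksum(data: bytes) -> int:
    """Additive checksum: sum of all bytes mod 2**32. Reordering bytes keeps it."""
    return sum(data) & 0xFFFFFFFF


def xor_checksum(data: bytes) -> int:
    """XOR of all bytes. Also independent of byte order."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def swap_patch(package: bytes, target_off: int, wanted: bytes, donor_start: int) -> bytes:
    """Realise `wanted` at target_off by swapping each needed byte with an
    equal-valued byte found in the donor region (the image). The multiset of
    bytes, and therefore any additive checksum, is unchanged.
    Raises ValueError when a needed value does not occur in the donor region."""
    buf = bytearray(package)
    for k, want in enumerate(wanted):
        pos = target_off + k
        if buf[pos] == want:
            continue
        donor = buf.find(bytes([want]), donor_start)
        if donor == -1:
            raise ValueError(f"byte {want:#04x} not available in donor region")
        buf[pos], buf[donor] = buf[donor], buf[pos]
    return bytes(buf)


def sign(data: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Keyed integrity tag; stands in for the vendor's signature."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(data: bytes, tag: bytes, key: bytes = SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign(data, key), tag)


def demo() -> dict:
    """Flip the constructed 'CHECK_SIG=1' flag to '0' by swapping, then compare
    what each kind of integrity check says about the patched package."""
    off = PACKAGE.index(b"CHECK_SIG=1") + len(b"CHECK_SIG=")
    patched = swap_patch(PACKAGE, off, b"0", donor_start=len(BINARY))
    tag = sign(PACKAGE)
    return {
        "patch_applied": patched[off:off + 1] == b"0",
        "same_byte_sum": byte_sum_checksum(patched) == byte_sum_checksum(PACKAGE),
        "same_xor": xor_checksum(patched) == xor_checksum(PACKAGE),
        "same_sha256": hashlib.sha256(patched).digest() == hashlib.sha256(PACKAGE).digest(),
        "signature_still_valid": verify(patched, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first three results come out True and the last two False: a permutation-invariant checksum is a transmission-error detector, not an integrity control, which is why a verifier that only checks a checksum offers no protection against deliberate modification and why a signature over the whole package does.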

by Ralf G. (dougie)

Attached files:

....today I purchased a used chip for our TM5, but for an unknown 
reason the TM5 complains that it cannot read the chip and that I should 
clean the contacts.

Well, I did (several times)... I also opened the chip and bent the 
contacts to the memory stick inside. No luck.

Then I soldered some cables directly between the memory stick and the 
contacts... same result....

So I assume the memory stick is simply defective... In case you don't 
have a smart idea what to do with it, I guess I will transform it into a 
USB OTG interface.

: Edited by user
by Xeno 2. (xeno22)

Attached files:

Ralf G. wrote:
> ....today I purchased an used Chip for our TM5, but for an unknown
> reason, the TM5 complaints that he cannot read the chip and I should
> clean the contacts.
>
> Well I did (several times) ... I also opened the chip and bent the
> contacts to the memory stick inside. No luck.
>
> Then I soldered some cables directly between memory stick and the
> contacts... same result....
>
> So I assume the memory stick is simply defect... In case you don't have
> a smart idea what to do with it, I guess I will transform it to an USB
> OTG Interface

Had the same issues with the CookKey.
I soldered it now directly to the TM5 and still get errors when the sync 
takes too much time/data.
But it seems to be much more stable.
I'm thinking of directly integrating it into the TM5 and not using the 
external USB port at all...

Were you able to read the USB flash drive directly on a PC/Mac?

: Edited by user
by Ralf G. (dougie)

Attached files:

Xeno 2. wrote:
> Were you able to read the USB flash drive directly on a PC/Mac?

Not yet tried... will try today.

I slowly start to understand the business case of VW... They stopped 
production of the keys and want everyone to use the Cookidoo portal, as 
this gives constant revenues.... which the CookKeys do not. And to apply 
some pressure, you can't use the portal unless you have a new firmware 
on your TM5.

However, the web is full of reports of CookKeys not working.... how can 
that be? I never came across a standard USB stick failing in years....
Is this intentional or only lousy design/quality?

Edit: in Windows it comes up as a CD device with partition and drive 
letter, however no contents can be shown.

Linux says:

[  633.779020] usb 1-1.2: new high-speed USB device number 5 using dwc_otg
[  634.631705] usb 1-1.2: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[  634.631737] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  634.631752] usb 1-1.2: Product: USB Flash Disk
[  634.631762] usb 1-1.2: Manufacturer: General
[  634.631775] usb 1-1.2: SerialNumber: 5080000495520002
[  634.650843] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[  634.652421] usb-storage 1-1.2:1.0: Quirks match for vid 090c pid 1000: 400
[  634.652711] scsi host0: usb-storage 1-1.2:1.0
[  634.662315] usb 1-1.2: USB disconnect, device number 5
[  634.899285] usbcore: registered new interface driver uas
[  635.689058] usb 1-1.2: new high-speed USB device number 6 using dwc_otg
[  635.821919] usb 1-1.2: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[  635.821950] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  635.821965] usb 1-1.2: Product: USB Flash Disk
[  635.821976] usb 1-1.2: Manufacturer: General
[  635.821990] usb 1-1.2: SerialNumber: 5080000495520002
[  635.840126] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[  635.845590] usb-storage 1-1.2:1.0: Quirks match for vid 090c pid 1000: 400
[  635.846693] scsi host0: usb-storage 1-1.2:1.0
[  637.210207] scsi 0:0:0:0: CD-ROM            General  USB Flash Disk   1100 PQ: 0 ANSI: 2
[  637.283414] scsi 0:0:0:0: Attached scsi generic sg0 type 5
[  637.351012] sr 0:0:0:0: [sr0] scsi3-mmc drive: 0x/0x caddy
[  637.351041] cdrom: Uniform CD-ROM driver Revision: 3.20
[  637.355808] sr 0:0:0:0: Attached scsi CD-ROM sr0
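As an added example that is not from the thread, here is a small Python parser for kernel messages like the ones above. It uses an abridged copy of Ralf's dmesg output as its sample input and reports, for each enumeration of the stick, the identity it presented (vendor/product IDs, serial, strings) and whether the kernel attached it as a CD-ROM, SCSI peripheral type 5, which is how a CookKey shows up. The scsi lines carry no USB path, so attributing them to the most recently enumerated device is a heuristic, noted in the code.

```python
"""Summarise USB mass-storage enumeration from kernel log lines.

Added example, not from the thread. SAMPLE_LOG is an abridged copy of the
dmesg excerpt Ralf posted, used here as test input.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
[  633.779020] usb 1-1.2: new high-speed USB device number 5 using dwc_otg
[  634.631705] usb 1-1.2: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[  634.631752] usb 1-1.2: Product: USB Flash Disk
[  634.631762] usb 1-1.2: Manufacturer: General
[  634.631775] usb 1-1.2: SerialNumber: 5080000495520002
[  634.650843] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[  634.662315] usb 1-1.2: USB disconnect, device number 5
[  635.689058] usb 1-1.2: new high-speed USB device number 6 using dwc_otg
[  635.821919] usb 1-1.2: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[  635.821965] usb 1-1.2: Product: USB Flash Disk
[  635.821976] usb 1-1.2: Manufacturer: General
[  635.821990] usb 1-1.2: SerialNumber: 5080000495520002
[  635.840126] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[  637.210207] scsi 0:0:0:0: CD-ROM            General  USB Flash Disk   1100 PQ: 0 ANSI: 2
[  637.283414] scsi 0:0:0:0: Attached scsi generic sg0 type 5
[  637.355808] sr 0:0:0:0: Attached scsi CD-ROM sr0
"""

LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<msg>.*)$")
NEW_RE = re.compile(r"^usb (?P<path>\S+): new .* device number (?P<num>\d+)")
IDS_RE = re.compile(r"^usb (?P<path>\S+): New USB device found, "
                    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STR_RE = re.compile(r"^usb (?P<path>\S+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")
DISC_RE = re.compile(r"^usb (?P<path>\S+): USB disconnect, device number (?P<num>\d+)")
TYPE_RE = re.compile(r"^scsi \S+: Attached scsi generic sg\d+ type (?P<type>\d+)")


@dataclass
class UsbDevice:
    path: str
    number: int
    first_seen: float
    vid: str = ""
    pid: str = ""
    strings: Dict[str, str] = field(default_factory=dict)
    scsi_type: Optional[int] = None      # SCSI peripheral type; 5 = CD-ROM
    disconnected: bool = False

    def note(self) -> str:
        """Flag the combination this thread is about: a stick whose USB product
        string says flash disk but which the kernel attaches as a CD-ROM."""
        if self.scsi_type == 5 and "flash" in self.strings.get("Product", "").lower():
            return "flash drive presenting as CD-ROM (type 5)"
        if self.disconnected and self.scsi_type is None:
            return "disconnected before SCSI attach"
        return ""


def parse_usb_log(text: str) -> List[UsbDevice]:
    devices: List[UsbDevice] = []
    active: Dict[str, UsbDevice] = {}     # usb path -> device currently enumerating
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m["ts"]), m["msg"]
        if (n := NEW_RE.match(msg)):
            dev = UsbDevice(n["path"], int(n["num"]), ts)
            devices.append(dev)
            active[n["path"]] = dev
        elif (i := IDS_RE.match(msg)) and i["path"] in active:
            active[i["path"]].vid, active[i["path"]].pid = i["vid"], i["pid"]
        elif (s := STR_RE.match(msg)) and s["path"] in active:
            active[s["path"]].strings[s["key"]] = s["val"].strip()
        elif (d := DISC_RE.match(msg)) and d["path"] in active:
            active.pop(d["path"]).disconnected = True
        elif (t := TYPE_RE.match(msg)) and active:
            # scsi lines carry no USB path: attribute to the most recent active
            # device, the only heuristic this log format allows.
            latest = max(active.values(), key=lambda dv: dv.first_seen)
            latest.scsi_type = int(t["type"])
    return devices


def summarise(text: str) -> List[dict]:
    return [{"number": d.number, "id": f"{d.vid}:{d.pid}",
             "serial": d.strings.get("SerialNumber", ""),
             "scsi_type": d.scsi_type, "note": d.note()} for d in parse_usb_log(text)]


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG):
        print(row)
```

On the sample this yields two enumerations of the same 090c:1000 device with the same serial: number 5 disconnected before any SCSI attach, number 6 attached as type 5 with the "flash drive presenting as CD-ROM" note. The same few regexes run unchanged over a live `journalctl -k` stream if you want a USB device inventory from a host.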

: Edited by user
by Xeno 2. (xeno22)

Ralf G. wrote:
> Xeno 2. wrote:
>> Were you able to read the USB flash drive directly on a PC/Mac?
>
> Not yet tried... will try today.
>
> I slowly start to understand the business case of VW ... They stopped
> production of the keys and want all to use the CookiDoo Portal, as this
> gives constant revenues.... which the CokKeys do not. And to apply some
> pressure, you can't use the portal unless you have a new firmware on
> your TM5
>
> However, the web is full of reports of CookKeys not working.... how can
> that be? I never came across of a standard USB Stick failing in
> years....
> Is this intentionally or only lousy design/quality?
>
> Edit: in Windows it comes up as CD Device with Partition and
> Drive-Letter, however no contents can be shown.

I've seen many flash drives die, especially those that are given out as 
adverts; SanDisk Extreme SD cards also die often.

I think the TM5 has a lot of design flaws. Forcing a new firmware makes 
sense to protect their IP... I'm not very happy with the TM5 and this 
USB port... that's why I want to get rid of it.

Regarding your "recipe chip" (it's not the CookKey with WiFi, right?): 
at least Windows is able to read the partition table.
So it could be usable?! Are the contacts on your TM5 OK? Try some IPA to 
clean them, but that's just a wild guess.

Maybe someone else has a clue about your problem.

by Truggy M. (truggy)

@Ralf: correct me if I'm wrong, but as far as I remember the Thermomix 
also detects the presence of a Cookey using the magnets inside the 
Cookey.
@Xeno 2: I see that you haven't put magnets on your Thermomix; is your 
Cookey WiFi working?

by Ralf G. (dougie)

Sorry for not being clear enough :-)

I had to take out the magnets for soldering. Too annoying that they flip 
to the tip of the soldering iron all the time. They were put back in for 
testing, of course.

Both the original "Kochbuch" and the WiFi key work without problems. 
Seems only related to the Cookey I purchased second hand.
I'm now reading the whole thread a second (or third?) time (now at early 
2015)...

In between I got the SMI tool Carlos mentioned and I should be able to 
clone a chip once I have the proper USB sticks....

I took a dd image from my defective chip, but I'm afraid this data is 
corrupt. Otherwise the TM5 should read it...

by Xeno 2. (xeno22)

Truggy M. wrote:
> @Ralf : correct me if I'm wrong, as long as I remember, the thermomix
> also detects the presence of a Cookey using the magnets inside the
> Cookey.
> @Xeno 2 : I see that you haven't put magnets on your thermomix, is your
> cookey wifi working ?

@Truggy M.:
Yes, the CookKey (including WiFi) works for me without any magnets; I 
didn't even know that there could be a reed or Hall-effect sensor.
But I think the shielding of the USB data lines is an issue for me, 
since long syncs (a lot of cookbooks) are aborted with different error 
codes.

by Truggy M. (truggy)

@Ralf: you can try to mount your dd image using the following Linux 
commands:
echo -n 2faf32c6f26b5cc021c18988019af3a5 | xxd -r -p > tm.key
cryptsetup create recipes YourDDImage.img -c aes-cbc-plain -s 128 --key-file tm.key
mkdir recipesmount
mount /dev/mapper/recipes recipesmount

If the mount command works, your image is correct, else all is lost :(

@Xeno 2: thanks for the confirmation, I'll try without the magnets on 
my TM5!

by Ralf G. (dougie)

Great stuff Truggy...

This is what I get from the mounted image (mounted at /mnt/cdrom):


root@raspberrypi:/mnt/cdrom# ls -la
insgesamt 5765
drwx------ 3 root root      77 Jun  5  2014 .
drwxr-xr-x 3 root root    4096 Dez  1 12:28 ..
-rwxr-xr-x 1 root root 5898240 Jun  2  2014 ext.sdb
-rw-rw-r-- 1 root root     256 Jun  5  2014 ext.sdb.sig
drwxr-xr-x 3 root root      28 Jun  2  2014 material

by Truggy M. (truggy)

Great!
Now you can try with SMITool to reproduce your faulty drive (good 
luck!); don't forget to set the same serial as your original Cookey!

by Ralf G. (dougie)

Yes, thanks for confirming!!!

However, I will try skipping the step with another USB stick and use a 
RPi Zero in USB OTG mode instead. Maybe I can also install a small 
selector switch on some of the RPi IOs and switch between multiple 
images.

by Peda D. (peterdan8888)

Attached files:

Hello,
I have started teaching Kyroth's editor the database format of the 
recipe chip.
The unpacked image of the recipe chip (enc_dump) is needed to test the 
editor.
At the moment it can only read recipe data. TM steps and 
changing/adding will follow over time.
I just can't test any of it, because unfortunately the Raspi stick 
doesn't work for me.
I would be very happy if someone with more time and/or better 
programming skills wants to take the thing over (requires HTML/JS/SQL 
knowledge).
The source code is currently a bit chaotic because I simply "programmed 
over" Kyroth's code.
The picture is from a test, so don't be confused; it does read it 
correctly.

Hello,
I have added basic database support to Kyroth's editor (from 2016).
Atm, it can only read in the recipes from the cook stick (enc_dump is 
needed from your recipe chip).
I unfortunately cannot test whether changed/new data is compatible, 
because the Raspi stick does not work for me.
But I will continue on this editor until somebody with better 
programming skills and/or more time will adopt it.
It uses HTML/JS/SQL and was tested on Mozilla and Chrome.
Source code is a mess right now, because I have overwritten SOME parts 
to get the database included.
The picture is from a test so don't get irritated; recipe reading works 
well.

Peter

by Ralf G. (dougie)

...just a short one: do the "old" Cookeys still work with the latest TM5 
firmware? I can't imagine why they should not....

Reason for asking: for now I refused to install the latest firmware 
update, which is advertised every time the TM5 is started with the WiFi 
key plugged in.
The disadvantage is that you don't get your TM5 to sync with the VW 
server with an outdated firmware.

But if I understood correctly, there's no way to block a cloned recipe 
chip, because the TM5 can't differentiate whether it's an original or a 
clone, right? Don't want to close a door I would probably like to go 
through soon.

In particular: does the serial number glitch with the RPi Zero still 
work with the latest firmware?

: Edited by user
by Truggy M. (truggy)

@Peda: wow, what a work! How long have you been working on it? That's a 
really good start!

@Ralf: yes, of course "old" Cookeys still work with the latest TM5 
firmware.
And no, I think there is no way to distinguish an original from a cloned 
stick; it should only be based on the encryption key (tm.key) and serial 
number.
As I said, the serial number glitch won't work directly on newer 
firmware: they have implemented a pre-check to see if all bytes of the 
serial number are numerical.
Note: you can get rid of the update advertising by removing the file 
tm5.img in the second partition of the Cookey; maybe the TM5 will 
re-download it as soon as it is connected to the internet, to be 
checked!
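Truggy describes the newer firmware as pre-checking that every byte of the serial number is numeric. As an added example that is not the firmware's code and not from the thread, the Python below shows how to write that kind of input check strictly and where a lazily written one still lets non-digit input through. The 16-digit length is an assumption taken from the serial in Ralf's dmesg output; the test serials are constructed.

```python
"""Validating a USB serial number before using it.

Added example, not from the thread or the TM5 firmware. SERIAL_LEN = 16 is
an assumption based on the serial seen in Ralf's dmesg output; all sample
serials below are constructed.
"""
import re

SERIAL_LEN = 16
STRICT_RE = re.compile(r"\A[0-9]{%d}\Z" % SERIAL_LEN)


def weak_is_numeric(serial: str) -> bool:
    """The intuitive check. str.isdigit() is Unicode-aware, so superscripts,
    circled digits and other scripts' digits pass, and nothing bounds the length."""
    return serial.isdigit()


def strict_is_numeric(serial: str) -> bool:
    """Exact alphabet and exact length. \\Z (not $) so a trailing newline fails."""
    return STRICT_RE.fullmatch(serial) is not None


def validate_serial(raw: bytes) -> str:
    """Take the descriptor string as the driver delivers it (bytes), reject
    anything outside ASCII up front, then apply the strict check. Returns the
    canonical serial or raises ValueError, so a caller cannot forget to look
    at a boolean result."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("serial is not ASCII") from exc
    if not strict_is_numeric(text):
        raise ValueError("serial must be exactly %d ASCII digits" % SERIAL_LEN)
    return text


# Constructed test vectors: (serial, should pass the strict check)
SAMPLES = [
    ("5080000495520002", True),          # well-formed, from Ralf's dmesg
    ("50800004955200021", False),        # one digit too long
    ("508000049552000", False),          # one digit too short
    ("508000049552000\n", False),        # trailing newline
    ("5080000495520002;id", False),      # punctuation and letters
    ("508000049552000\u00b2", False),    # superscript two: isdigit() says True
    ("\u0661\u0662\u0663\u0664\u0665\u0666\u0667\u0668"
     "\u0661\u0662\u0663\u0664\u0665\u0666\u0667\u0668", False),  # Arabic-Indic digits
]


def compare_checks() -> list:
    """Return the samples on which the weak check disagrees with the strict one."""
    return [s for s, _ in SAMPLES if weak_is_numeric(s) != strict_is_numeric(s)]


if __name__ == "__main__":
    for serial, expected in SAMPLES:
        print(repr(serial), "weak:", weak_is_numeric(serial),
              "strict:", strict_is_numeric(serial), "expected:", expected)
```

Running it shows the weak check accepting four of the six bad samples (both wrong lengths and both Unicode digit variants). The general lesson is the one the firmware change illustrates: define the accepted alphabet and length exactly and reject everything else, rather than testing for the presence of something bad.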

: Edited by user
by Ralf G. (dougie)

Truggy M. wrote:
> As I said, the serial number glitch won't work directly on newer
> firmware : they have implemented a pre-check to see if all bytes of the
> serial number are numerical.

Understood! But setting it to the serial stored on the original stick 
might work?

> Note : you can get rid of the update advertising by removing the file
> tm5.img in the second partition of the cookey; maybe the tm5 will
> re-download it as soon as it is connected to internet, to be checked !

Unfortunately I'm one step ahead: I installed the firmware stored on the 
WiFi stick, because without it our TM5 refused to work with WiFi at all.
Now, with this version installed and when connected to WiFi & internet, 
the TM5 does a firmware version check each time it starts up.
And as said: it refuses to sync with the VW Cookidoo server until a more 
recent firmware is installed. In this state the WiFi stick is more or 
less useless.

Will try to complete the adaptor today, connecting the RPi to the TM5.

By the way: I guess I now know why the original stick was refused by 
the TM5: from the mounted image I tried to copy all files for playing 
with the database. It seems that about 50 images are broken. cp reports 
an I/O error and those have a length of zero.
Does someone have an intact image for me please? As I own the original 
key, I hope this should not violate any copyright.

: Edited by user
by Truggy M. (truggy)

Ralf G. wrote:
> Understood! But setting it to the serial stored on the original stick
> might work?

I think yes.
Actually, I have recreated an image of a Cookey recipe, encrypted it, 
and managed to write it on a USB drive with the correct serial number: 
if I dump the image it can be mounted correctly, but it doesn't work on 
my TM5...
I'll have a closer look at what's wrong: the mount of the device 
"/dev/sr1" fails on my Linux, whereas the dump works, strange...

by Truggy M. (truggy)

OK, I found my error, the clone is working:
I tried to set up an ext4 filesystem, but when decrypted the Cookey is a 
squashfs filesystem...
I could also add a file to the filesystem of my clone; the Cookey is 
still working!
Note: my TM5 detects the Cookey ONLY if the magnets are present.

by Tobias C. (toco)

Attached files:

I had success with a Raspberry Pi Zero W and an image I created a while 
back.
Thanks everyone for the instructions.

I got a used recipe chip off of eBay (to reduce friction at home ;)) 
and replaced the USB stick with a USB extension cable.
The next step will be to modify the existing image to add my own 
recipes…

by Truggy M. (truggy)

@Ralf: Which Cookey was it?

And good job Tobias, looks good!
Luckily you have an old firmware and can use the flaw in the serial 
number to modify the recipes.
Mine has been updated, I need to find another way around!
As someone proposed before, you could imagine a small touchscreen on the 
RPi to switch from one Cookey image to another ;)

Note: Cookey raw images are about 4GB, but compressed they only use 
3Mb: you could put all known Cookeys on a single RPi (and I think it 
will work) :)

by Ralf G. (dougie)

Truggy M. wrote:
> @Ralf : Which cookey was it ?

It was "Wertvoll geniessen".... do you want to see a pic as proof of 
ownership? ;-)

by Truggy M. (truggy)

Ralf G. wrote:
> It was "Wertvoll geniessen" .... do you want to see a pic as a proof of
> ownership? ;-)

Unfortunately I don't have this Cookey...

I'd guess that all copies of the same Cookey have the same serial 
number, but it's only a guess: I'll check with friends if this is the 
case!

If the serial doesn't change, you could ask anybody to give you their 
files, though I don't know how legal this is (if you really care about 
it!!)

by Ralf G. (dougie)

...for testing purposes, I would also be happy with any other working 
image, except the "Kochbuch" :-)

BR
Ralf

by Tobias C. (toco)

I’d really stay away from anything other than knowledge sharing here.
We don’t want to give Vorwerk any reason to claim it’s about copyright 
violation and “piracy”.
At least from my perspective it’s solely about exploring the tech and 
being able to create my own guided recipes.

by Truggy M. (truggy)

Completely agree Tobias, you're right.
My goal is to have free, shared and legit recipes: I wouldn't be 
investigating this if Vorwerk had an open system!

by Fipsy O. (od1n)

Nice that there are working chips with the RPi, to make sure that clones 
of the books can be saved and used! :-)

OT: Is there a stored copy of this whole thread? Only in case it'll be 
shut down / deleted / whatever? If that happens, I think a Discord 
channel would be a perfect way to continue this topic.

by Peda D. (peterdan8888)

Attached files:

Truggy M. wrote:
> @Peda : wouhaou, what a work ! how long have you been working on it,
> that's a real good start !

Don't ask :(
But I made some progress in code cleanup, more supported tables etc.
The database is a MESS. Most data is duplicated (or more) in the tables, 
much useless data and, and, and...
But I hope to get guideSteps in the sidebar completed soon.
What you see in the sidebar picture is a mix of real and test data, but 
I have my hands on it.
If anybody has trouble with this editor just drop me a line, I will fix 
it.
My biggest problem is that I cannot test writing to the database. Either 
the sig is opened soon ;) or I will need a painless beta tester for this 
phase.

Btw, my email provider (SquirrelMail) told me today:
> Dataloss: All changes made to accounts between 25th November at around 7:30 and 2nd December 11:00 UTC were lost due to a disk corruption resulting in a corrupted database. Accounts created during that timeframe will have to be re-created.

So if you already sent me a mail, you have to do it again :(

Many thanks to the guys here in the forum. I didn't have a chance to 
make anything on my own here. The work on the encryption, the skeleton 
of the editor, the tutorial for the Pi stick (which didn't work for me 
:() etc...

I am proud that I can give something back!

by Peter T. (Firma: 420 blaze it) (peterteter420)

Don't waste your time with the sticks, rather read the whole thread and 
wait for our discord server.

by Tobias C. (toco)

Peter T. wrote:
> Don't waste your time with the sticks, rather read the whole thread and
> wait for our discord server.

Why would you want to distract by moving to a Discord server? I see no 
benefit in it.

by Peter T. (Firma: 420 blaze it) (peterteter420)

Tobias C. wrote:
> Peter T. wrote:
>> Don't waste your time with the sticks, rather read the whole thread and
>> wait for our discord server.
>
> Why would you want to distract by moving to a discord server? I see no
> benefit in it.

I only want to help with my information.

by Hans H. (Firma: kobs-ng) (haschhans)

We can do:
- decrypt cook-sticks, modify and add recipes with a python library
- simulate cook-sticks with rpi zero
- download recipes from cookidoo and add them to a cook-stick
- make TM accept modified cook-sticks on firmware 2.4 and before
- gain root access on firmware 2.4 and before
- emulate firmware with qemu, unpack update packages

We can not do:
- make TM accept modified cook-sticks on firmware >2.4
- gain root access on firmware >2.4
- downgrade TM to 2.4
- emulate TM's touchscreen gui with qemu

We will do:
- create a web GUI running on the RPi Zero, using the library, to add, 
edit and share recipes comfortably

We could do:
- test things for you with root access on our second TM
- help you work on downgrading to 2.4


If you have questions or want to contribute to the web GUI, please write 
a message.

[cook-stick = no WiFi]

: Edited by user
by Peter T. (Firma: 420 blaze it) (peterteter420)

Today I noticed that the known signature bypass doesn't work on older 
firmware versions. I can't verify it since I have no dump of these 
versions.

So if your TM doesn't accept your stick even though you did everything 
right, you may need to update to 20160523 with a Cook-Key.

by Peter T. (Firma: 420 blaze it) (peterteter420)

Please can someone with firmware version 2.5, 2.6 or 2.7 post the 
busybox+dhcp version (check in the TM settings menu) and the netlink 
hash/update image (extracted from the Cook-Key)?

by Tinco A. (tandroid)

Hi Peter/All,

As requested:

Version 201504080000
BBox 1.15.0
DHCPD 3.0.3b1

I have no WiFi CookKey. This machine has never been updated.

I own two recipe chips that the machine refuses to read (non-German). 
One starts reading and then gives a C513 error; the other is not 
recognized at all.

Trying to fix this I disassembled the chips and dumped them on the PC 
without any read problem (dd if=/dev/sr1 of=file.img). Not sure if I 
needed to skip any bytes.

Then I set up a Raspberry Pi Zero to try to see if I could simulate 
the chips. On the machine I got an error stating that the product is 
not genuine. On the PC I can dump the simulated Raspberry successfully, 
but truncated to the g_mass_storage max CD size (2.4 GB).

I tried:
- setting the original serial number
- setting the serial injection hack
- setting all product/vendor... parameters

I have not been able to mount the images on my computer. I think that 
the key might be different.

I'm available to test anything required.

by Tinco A. (tandroid)

Tinco A. wrote:
> I have not been able to mount the images in my computer. I think that
> the key might be different.

Update: I managed to mount one of the images. The key works.

I could see the pictures but the database is corrupt.

[13470.092436] SQUASHFS error: Unable to read data cache entry [1e3a3]
[13470.092437] SQUASHFS error: Unable to read page, block 1e3a3, size b1a6
[13470.092543] SQUASHFS error: lzo decompression failed, data probably corrupt
[13470.092545] SQUASHFS error: Failed to read block 0x1e3a3: -5
[13470.092853] SQUASHFS error: lzo decompression failed, data probably corrupt
[13470.092855] SQUASHFS error: Failed to read block 0x14c7e: -5

When using this chip on the machine it displays the splash screen and 
then it fails, probably when trying to open the database.

I think that I would need to find a working chip.
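Truggy found that the decrypted Cookey is a squashfs filesystem, and Tinco's kernel messages above show LZO decompression failing on a corrupt chip. As an added example that is not from the thread, the Python below reads the squashfs 4.0 superblock from the first 96 bytes of a dump and sanity-checks it: magic, version, block size consistency, compressor, and declared size against the dump size. A wrong key or sector offset fails on the magic, a truncated dump on the declared size; a corrupt data block like Tinco's is beyond what the superblock can tell you, but the compressor field does confirm which decoder (here LZO) the kernel will use. The sample image is constructed, not a real dump.

```python
"""Inspect the superblock of a decrypted cookey dump before mounting it.

Added example, not from the thread. Field layout is the squashfs 4.0
superblock; the sample superblock built by make_sample_superblock() is
constructed, not taken from any real Cookey.
"""
import struct
from typing import Dict, List

SQUASHFS_MAGIC = 0x73717368                 # little-endian "hsqs"
SUPERBLOCK_FMT = "<IIIIIHHHHHHQQQQQQQQ"      # squashfs 4.0 layout, 96 bytes
SUPERBLOCK_LEN = struct.calcsize(SUPERBLOCK_FMT)
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

FIELDS = ("magic", "inode_count", "mod_time", "block_size", "fragment_entry_count",
          "compression_id", "block_log", "flags", "id_count", "version_major",
          "version_minor", "root_inode_ref", "bytes_used", "id_table_start",
          "xattr_id_table_start", "inode_table_start", "directory_table_start",
          "fragment_table_start", "export_table_start")


def parse_superblock(data: bytes) -> Dict[str, int]:
    if len(data) < SUPERBLOCK_LEN:
        raise ValueError("image too short for a squashfs superblock")
    return dict(zip(FIELDS, struct.unpack_from(SUPERBLOCK_FMT, data, 0)))


def check_superblock(sb: Dict[str, int], image_len: int) -> List[str]:
    """Return human-readable problems; an empty list means plausible.
    A wrong decryption key, wrong sector offset or a non-squashfs payload
    fails the very first check, a truncated dump the last one."""
    problems = []
    if sb["magic"] != SQUASHFS_MAGIC:
        problems.append("bad magic %#010x (expected hsqs): wrong key/offset or not squashfs"
                        % sb["magic"])
        return problems                    # remaining fields are noise in that case
    if (sb["version_major"], sb["version_minor"]) != (4, 0):
        problems.append("unsupported version %d.%d" % (sb["version_major"], sb["version_minor"]))
    if sb["compression_id"] not in COMPRESSORS:
        problems.append("unknown compression id %d" % sb["compression_id"])
    if not (4096 <= sb["block_size"] <= 1 << 20) or sb["block_size"] != 1 << sb["block_log"]:
        problems.append("block_size %d inconsistent with block_log %d"
                        % (sb["block_size"], sb["block_log"]))
    if sb["bytes_used"] > image_len:
        problems.append("superblock claims %d bytes but dump is %d bytes (truncated?)"
                        % (sb["bytes_used"], image_len))
    return problems


def describe(data: bytes) -> Dict[str, object]:
    sb = parse_superblock(data)
    return {"compressor": COMPRESSORS.get(sb["compression_id"], "unknown"),
            "block_size": sb["block_size"], "inodes": sb["inode_count"],
            "problems": check_superblock(sb, len(data))}


def make_sample_superblock(compression_id: int = 3, bytes_used: int = 4096,
                          block_log: int = 17) -> bytes:
    """Constructed squashfs 4.0 superblock: LZO, 128 KiB blocks by default.
    Table offsets are placeholders; 0xFFFF...FF marks an absent table."""
    return struct.pack(SUPERBLOCK_FMT, SQUASHFS_MAGIC, 1200, 1401705600, 1 << block_log, 40,
                       compression_id, block_log, 0x00C0, 1, 4, 0,
                       0x20, bytes_used, 96, 0xFFFFFFFFFFFFFFFF,
                       96, 96, 96, 0xFFFFFFFFFFFFFFFF)


def sample_image(compression_id: int = 3, corrupt_magic: bool = False) -> bytes:
    """A 4096-byte constructed image; corrupt_magic mimics what a wrong key yields."""
    sb = make_sample_superblock(compression_id, bytes_used=4096)
    if corrupt_magic:
        sb = b"\xde\xad\xbe\xef" + sb[4:]
    return sb + b"\0" * (4096 - len(sb))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read(4096) if path else sample_image()
    print(describe(data))
```

Run with a decrypted dump as argument (for a raw dump it reads only the first 4 KiB, so the size check will then report the dump as truncated; pass the full file length to check_superblock if you want that check on large images). Without an argument it inspects the constructed sample.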

by Hans H. (Firma: kobs-ng) (haschhans)

Tinco A. schrieb:
> Hi Peter/All,
>
> As requested
>
> Version 201504080000
> BBox 1.15.0
> DHCPD 3.0.3b1

Thanks for your help, I wrote you a message to fix your problems.

@Everyone:
If you have tm5.img files or dumps of the wifi-cookey(2019 or older), 
please send them to me.
I already collected the following:


20160523 - md5: 7bf5904c8c7d1cc1d220aacb26afb321
20170629 - md5: 32017f670bcf3d948e0a9fd6da4230a3
20170913 - md5: 1e693b9f6189ddf94697d7976ab33a9c
20190710 - md5: 2fd89e67848dfe05c6dc5201a439aa70

by Tinco A. (tandroid)

Hi,

I wrote a service to create custom recipe databases, a format to share 
recipes, and a few other extra things.

Enjoy and feel free to test and give feedback.

Please check at:

https://gitlab.com/tincomisc/recipeton

by Tom G. (masterx244)

Fipsy O. wrote:
> Nice that there are working chips with an rPi, to make sure that clones of
> the books can be saved and used! :-)
>
> OT: Is there a stored copy of this whole thread? Only for the case that
> it'll be shut down / deleted / whatever? If that happens, I think a
> Discord channel would be a perfect way to continue this topic.

https://web.archive.org/web/20210522150711/https://www.mikrocontroller.net/topic/thermomix-rezeptchips?page=single
Anything before this post should appear at this link soon. (To create 
a newer freeze, use the "Save Page Now" feature of the Wayback Machine.)

Edit: corrected a wrong timestamp in the URL

: Edited by user
by Nicolas P. (nplanel)

Hi everybody,


I'm looking to repair a TM5 where it seems the flash has been corrupted 
or is bad.
Has anyone already dumped the raw flash image (128 MB) for the TM5 somewhere?

Has someone already made a wiki and/or markdown site on GitHub or 
somewhere with interesting information (serial ports, protocol used, 
....)?

Thanks in advance!





Nicolas

by Andre K. (andre_k502)

My TM5 currently shows an error code (C150) followed by an automatic 
shutdown. This is related to a mechanical problem which already has been 
repaired. Did the research on the debug port yield any results towards 
resetting stored errors? Any hint/PM would be highly appreciated.
Disclaimer: I am not interested in cloning anything but rather in 
exercising my right to repair.

Thanks.

by Truggy M. (truggy)

Hello guys,

It's been a while!
Well, I hope there are still people here who want to take control of the 
device :)

I think I've found a way to downgrade the device; it may not work if you 
have the latest 2.12 version.

This will greatly ease the research to free the device for those like 
me who already have a patched firmware after the ethical report of the 
French researcher (very good write-up / speaker, Jean-Michel!).

I think we can go back to the vulnerable firmware 20160523.
For now I'm quite fearful to try it on my device (yeah, my wife would 
kill me!); do you think it's really risky?

Cheers!

PS: I usually don't look at my emails / private messages, please 
consider posting here first

by Hans H. (company: kobs-ng) (haschhans)

Attached files:

Truggy M. wrote:
> Hello guys,
>
> It's been a while!
> Well, I hope there are still people here who want to take control of the
> device :)
>
> I think I've found a way to downgrade the device; it may not work if you
> have the latest 2.12 version.
>
> This will greatly ease the research to free the device for those like
> me who already have a patched firmware after the ethical report of the
> French researcher (very good write-up / speaker, Jean-Michel!).
>
> I think we can go back to the vulnerable firmware 20160523.
> For now I'm quite fearful to try it on my device (yeah, my wife would
> kill me!); do you think it's really risky?
>
> Cheers!
>
> PS: I usually don't look at my emails / private messages, please
> consider posting here first

Hey mate,
Great to read that there are still people working with the device; we 
worked hard to free the device but I don't see many people benefiting 
from it.

I am excited to test your downgrade method. I also already found a way 
to upgrade to a specific version on purpose, which is necessary since 
the root shell was only introduced with the wifi firmware.

Feel free to contact me and also check out the subreddit :p

Edit:
I originally planned to make a polished showcase video about what you 
can do with the TM, but there was no time for that. So instead I am 
sharing some bad recordings I found on my hard drive; maybe it will 
motivate someone to work with the TM. We are still missing a DOOM build 
:)

: Edited by user
by Jonas W. (jonaswi)

Hans H. wrote:

>
> Edit:
> I originally planned to make a polished showcase video about what you
> can do with the TM, but there was no time for that. So instead I am
> sharing some bad recordings I found on my hard drive; maybe it will
> motivate someone to work with the TM. We are still missing a DOOM build
> :)

Wow! That interface looks neat! Would love to have that on my TM5 as 
well. I have a really old version installed right now, 2014-something. 
But as far as I have seen, I first need a cook-key/Cookidoo for 
rooting/to gain access.

Would you provide your modified firmware?

by Hans H. (company: kobs-ng) (haschhans)

Jonas W. wrote:
> Hans H. wrote:
>
>>
>> Edit:
>> I originally planned to make a polished showcase video about what you
>> can do with the TM, but there was no time for that. So instead I am
>> sharing some bad recordings I found on my hard drive; maybe it will
>> motivate someone to work with the TM. We are still missing a DOOM build
>> :)
>
> Wow! That interface looks neat! Would love to have that on my TM5 as
> well. I have a really old version installed right now, 2014-something.
> But as far as I have seen, I first need a cook-key/Cookidoo for
> rooting/to gain access.
>
> Would you provide your modified firmware?

I don't have a pre-wifi firmware dump to analyze, but as far as I 
remember the serial number exploit was also introduced with the wifi 
firmware, so I think you need at least version 201605230000 to have some 
fun.

The good news: you can update to a specific firmware version, even 
without a real Cookidoo, by simulating the wifi Cookidoo with a 
Raspberry Pi Zero and placing the update package on the simulated 
Cookidoo. I will release a step-by-step tutorial for this very soon. 
After the update you can use the serial exploit to run scripts on the 
TM5. With a USB hub you can also mount another USB drive to dump files.

Regarding my UI image: this is just a joke, sorry :D It only shows a 
static image of the new TM6 UI. Maybe we will do some custom UI in the 
future.

by Schang S. (company: none) (schang)

The injection through the USB serial number was fixed around March/April 
2019, so any version before that will do.

There is also an unpublished way (MSD TOCTTOU-based) of rooting the TM5 
on versions prior to around March 2021.

Hans (check your priv messages :) )

by Truggy M. (truggy)

Hans H. wrote:
> The good news: you can update to a specific firmware version, even
> without a real Cookidoo, by simulating the wifi Cookidoo with a
> Raspberry Pi Zero and placing the update package on the simulated
> Cookidoo. I will release a step-by-step tutorial for this very soon.
> After the update you can use the serial exploit to run scripts on the
> TM5. With a USB hub you can also mount another USB drive to dump files.
>

Hans, are you able to downgrade the device with your method?
From what I've searched it doesn't look possible "easily", yet I haven't 
analyzed the possibilities of the AX88772/72A/72B adapter.

Thank you Schang too for the report of the TOCTTOU; I was about to spend 
some time on it. Do you think they fixed the problem after having read 
my message of 14.11.2020 15:13?

Something else: does anyone know if the rootfs is signed and checked at 
boot-up?

by Hans H. (company: kobs-ng) (haschhans)

Truggy M. wrote:
> Hans H. wrote:
>> The good news: you can update to a specific firmware version, even
>> without a real Cookidoo, by simulating the wifi Cookidoo with a
>> Raspberry Pi Zero and placing the update package on the simulated
>> Cookidoo. I will release a step-by-step tutorial for this very soon.
>> After the update you can use the serial exploit to run scripts on the
>> TM5. With a USB hub you can also mount another USB drive to dump files.
>>
>
> Hans, are you able to downgrade the device with your method?
> From what I've searched it doesn't look possible "easily", yet I haven't
> analyzed the possibilities of the AX88772/72A/72B adapter.
>
> Thank you Schang too for the report of the TOCTTOU; I was about to spend
> some time on it. Do you think they fixed the problem after having read
> my message of 14.11.2020 15:13?
>
> Something else: does anyone know if the rootfs is signed and checked at
> boot-up?

I thought you know a downgrade method :D

I will make further investigations to check the OTP fuses that are 
meant to be burned with updates. I don't know if it's possible to bypass 
them at the moment.

I also played around with the AX88772/72A/72B adapter but could not find 
anything useful yet.

by Truggy M. (truggy)

Well, based on a single test for now, the downgrade method looks to be 
working!

I strongly advise not to update to the latest firmware if you want to 
free your device ;)

More information to come...

by SK F. (skfu)

Hey guys, I've read through this thread with great interest and wondered 
if you would be interested in joining a Discord server for easier 
information sharing. I've just created one here for any RE discussions 
regarding TM5, TM6, ...:

https://discord.gg/FrhGSQyWJp

It would be appreciated if you joined and probably boosted progress :)

by Tobias C. (toco)

Yet another discord? 🤨

by SK F. (skfu)

Didn't know there is already one. In case there is, please share the 
invitation link; I'll delete the obsolete post then.

by Truggy M. (truggy)

You'll be glad to hear that we have found another good vulnerability, 
tests are really promising, stay tuned ;)

by Hans H. (company: kobs-ng) (haschhans)

Truggy M. wrote:
> You'll be glad to hear that we have found another good vulnerability,
> tests are really promising, stay tuned ;)

Chad Truggy strikes again :3

by David F. (david_f)

Tobias C. wrote:
> Yet another discord? 🤨

If a Discord is available, please share the link.

by Gilbert H. (gilbert_h)

The Discord link from @SK F. now links to the old Discord, once you 
join.

by Truggy M. (truggy)

Hello back there!

Good, we've now got 2 working proofs of concept to root the TM5.
Before releasing them publicly, I'd like to give Vorwerk the opportunity 
to have a look at them and evaluate the risks for them, as a responsible 
vulnerability disclosure.
So, if anyone working at Vorwerk (security, IT, support, ...) is still 
reading this thread, I'm willing to share the details with you first.
Please write me a private message through the forum messaging, or on 
Discord.

The last vulnerability was marked here on the 25th of March; I'll wait 
until the 25th of June (3 months after) and will release it publicly if 
no contact is made.

Thank you !

by Jc M. (jc_m)

Hello @truggy.
Any update?

by Thomas R. (guest)

Before the soup is warm, the electrolytic capacitors in the Thermo stuff are broken.

by Truggy M. (truggy)

Hello,

I've been contacted by Vorwerk, so I won't be releasing details of the 
PoCs until agreed with Vorwerk; sorry for those who were waiting for it 
with a lot of hope...
I'll post the news here or on Discord when possible.

Cheers!

by Enrique S. (enrique_s)

Gilbert H. wrote:
> The Discord link from @SK F. now links to the old Discord, once
> you
> join.

Hi Gilbert, it is impossible to be added to the Discord. My user is 
somo19976#0329.

by Gilbert H. (gilbert_h)

New TM5 firmware is released.

V2.13

```
Build date: 202208220000
Comment: RELEASEXXXX
Forced update: False

SHA256: 512b58965e8d8018a4cb5fc834c114a7a1cfb2861a5e9d16df323553c9fbd37b 
tm5.img
```

- New safety warnings added

Source: 
https://www.vorwerk.com/de/de/c/home/service/thermomix/sicherheitshinweise?utm_source=Cookidoo&utm_medium=Vorwerk&utm_campaign=Organic_Vorwerk_Broad_Brand_Cookidoo_Thermomix-Profile_TM6_2022-08-Messbecher&utm_content=Cookidoo_2022-08-Messbecher_x__x

by Hans H. (company: kobs-ng) (haschhans)

Enrique S. wrote:
> Gilbert H. wrote:
>> The Discord link from @SK F. now links to the old Discord, once
>> you
>> join.
>
> Hi Gilbert, It is impossible to be added to the Discord. My user is
> somo19976#0329

You should be able to join the discord server with this link:
https://discord.gg/3XX2PQxWBv

by Alexander (gmalex)

Hans H. wrote:
> We can do:
> - decrypt cook-sticks, modify and add recipes with a python library
> - simulate cook-sticks with rpi zero
> - download recipes from cookidoo and add them to a cook-stick
> - make TM accept modified cook-sticks on firmware 2.4 and before
> - gain root access on firmware 2.4 and before
> - emulate firmware with qemu, unpack update packages

Are there any sources for that, a GitHub repo with tutorials or 
something similar?

by Raul K. (ramelio)

What I'd like to know from everyone who has one of these at home: how 
often do you really use it for cooking?

by Mortimer N. (company: private) (ranseyer)

Raul K. wrote:
> What I'd like to know from everyone who has one of these at home:
> how
> often do you really use it for cooking?

Several times a week. But via a HW downgrade to the TM31.
(That one isn't smart and therefore doesn't pester the user with 
forced pauses when opening the lid, etc. ...)

PS: All these devices are totally useless unless you engage with 
them. With the smart ones, getting started is of course a bit 
easier.

by Ingo (skyynet)

The only hack that would make sense for me would be being able to 
connect to the TM via Wi-Fi and, as an alternative to the official 
recipes, use my own database for it, maintained by the community.

Everything else is certainly a great achievement, but the WAF is 
suboptimal ;-)

The selling point of the thing is precisely that it should just 
work.

By the way, we use the TM daily. Wife and kids make lots of things with 
it, from soup to cocoa. The only thing that annoys my beloved wife 
is that she bought the TM5 shortly before the 6 came out and now 
some functions are missing, which Vorwerk mailings make permanently 
clear. It's just not like at AVM, where the Fritz!Boxes are lovingly 
maintained even after new models appear.

by Fab!an (fabiiian)

Raul K. wrote:
> What I'd like to know from everyone who has one of these at home: how
> often do you really use it for cooking?

Please, no discussion here about the sense or nonsense of the device. 
Feel free to open an off-topic thread for that somewhere else, but please 
not here in this thread.

by M. H. (big_d)

Hello everyone,

unfortunately I'm also currently busy with the topic of Vorwerk recipe 
chips.
Unfortunately I have some of my wife's chips here that have given up the 
ghost, and since it really annoys me that Vorwerk used such cheap 
USB chips here, and I'm also somewhat experienced in electrical 
engineering, I'm looking for solutions and not just a plain 
"buy new"... especially since production has already been discontinued 
and the used ones on, e.g., the well-known classified-ad portals are 
unfortunately not all the best either (unfortunately I've already received 
a few defective ones that way -.-).

With my 3D printer I have now built a reading station where I can 
read out working chips .... -> works

I have now borrowed from acquaintances some of the chips that are 
defective at our place and pulled an image of them .... -> works

Now I want to try whether the parts also work cloned on the TM5.
For this I dug out a promotional stick, which unfortunately is not 
equipped with a controller from SMI but from FirstChip.
Well, the well-known MpTools also exist for FirstChip.
Unfortunately, however, I have not yet managed to create a working copy 
of my recipe chip.

Does anyone here have experience with whether other 
controller manufacturers besides SMI also work?
Further up I already read that the exact chip type itself doesn't 
matter, but unfortunately I haven't read anything about other 
manufacturers.

I would like to buy a few USB UDP chips from China, then I'd have 
peace from recipe chip failures.
A backup of every cookbook on the hard drive, and when a chip fails 
again, just write one of the UDPs, done.
Unfortunately, though, the relevant auction houses only offer chips with 
controllers from Alcor. Has anyone perhaps already had experience with that?

Best regards, MH

: Edited by user
by Andreas (anbed002)

My TM5 currently shows an error code (C150) followed by an automatic
shutdown. This is related to a mechanical problem which already has been
repaired. Did the research on the debug port yield any results towards
resetting stored errors?

by Tnerolf (iso14000)

Hi all,

sorry to write in English; 
I'm French and I wrote a topic to fix one of the issues of the TM5 (loss 
of the temp sensor).
Have a look here if you wish (it is in French): 
https://www.abcelectronique.com/forum/showthread.php?t=107314

I also discovered the video from my compatriot JM Besnard.... amazing

I don't understand anything about Linux and all the fancy stuff that you 
did here.

Today I wonder if you could tell me how to reset errors like the C72. 
Because even if I fix the root cause (C72 stands for relay errors), the TM5 
refuses to recover properly.
At least one guy knows how to: 
https://www.youtube.com/watch?v=9CnJbHa2bwQ at 11:59 he connects a USB 
OTG to Ethernet device to the TM5,
then the TM5 starts a console screen where I can read the IP address 
192.168.76.1.

The guy says that he spent a large amount of time writing the code that 
does the job...

My question is... is it true or BS?
I guess that Vorwerk has a diagnostic tool for that, right?

best regards

by Truggy M. (truggy)

Hello,
after more than a year, (and no answer from Vorwerk to my last email), 
I've decided to release the vulnerabilities details on the Discord 
channel.
This is for educational purposes as the vulnerabilities found are really 
interesting from technical and mindset points of view.
We have revisited the TOCTTOU concept to trick the Thermomix restore 
process; take a look for yourself!

I hope this will benefit other vendors or software-hardware engineers in 
creating more secure solutions and give ideas to pentesters ;)

Cheers !

by Rbx (rcx)

One problem is surely that the thing belongs in the trash. One is 
reminded of Data's finger trap or of a Sony DPS F7 (effects unit, 
music).
In principle you can also have a lot of fun with a Minimoog.

The old Meal Master program was the much better tool. Good if you had 
put together a larger database (and that went very quickly back then; 
many people had transferred recipes from good TV shows or from 
well-known cookbooks into the Meal Master format).
The UI was a DOS console, but easy to use. The most laborious part 
really was adapting the database.
You could then look at what you have in the fridge or otherwise in 
stock, enter the ingredients, and (not always, but more and more often) 
find suitable recipe suggestions or good inspiration.

If you leaf through Escoffier's culinary guide a bit and think about 
the world of the senses back then, compared with the digital and 
supermarket world of today, it really brings tears to your eyes.

Crêpes can only be sold at fairs with Nutella anymore, and elderberry 
bushes are only harvested by flying creatures.

(https://github.com/jeraymond/Recipe/blob/master/com.niceprograms.recipe/src/com/niceprograms/recipe/data/MealMasterImporter.java)
