-
Notifications
You must be signed in to change notification settings - Fork 0
Dump stock firmware #1
Comments
I've made some progress here, though I've not had a chance to write up instructions within the wiki.
|
Thanks to @atc1441 for taking an initial look at the dumps shared above as well as sharing a quick tip on OpenOCD.
cgg1-bank0-stock-1.1.2_0020.bin.zip -- As a tip to anyone else using OpenOCD for the first time, beware that the last official release (v10.0.0) is from 2017 (!). Simply installing the latest HEAD version solved all the issues I had initially run into and exposed all the commands I was expecting to have available. |
I was also able to grab a firmware update archive by using a MITM HTTPS proxy while checking for updates in the Qingping+ App. The request to check for firmware updates appears to have multiple types of authentication, the OTA update itself appears to be freely available for download (more details below). _update_param__1_1_2_0036_1.zip (Backup) checkUpdate Request Example (click to expand)curl -H 'Host: qingplus.cleargrass.com' \
-H 'app-id: com.cleargrass.app.Air' \
-H 'app-tvoc-unit: ppm' \
-H 'app-timezone: America/New_York' \
-H 'user-agent: QingpingPlus/202101192257 CFNetwork/1220.1 Darwin/20.3.0' \
-H 'app-lang: en' \
-H 'timezone-offset: -50' \
-H 'app-timestamp: 1613277163' \
-H 'app-temp-unit: °F' \
-H 'authorization: Bearer XXXXXXXXXXXXXXXXXXXX' \
-H 'accept-language: en-us' \
-H 'app-sign: XXXXXXXXXXXXXXXXXXXX' \
-H 'phone-id: XXXXXXXXXXXXXXXXXXXX' \
-H 'app-reading-standard: cn' \
-H 'accept: */*' \
-H 'app-version: 2.2.8' \
-H 'app-build: 202101192257' \
-H 'app-platform: ios' \
'https://qingplus.cleargrass.com/firmware/checkUpdate?mac=XXXXXXXXXXXX&model=Goose-Mijia&type=Goose-Mijia&version=1.1.2_0020&version_type=release' checkUpdate Response Example (click to expand){
"data": {
"id": 151,
"type": 0,
"upgrade_sign": 1,
"version": "1.1.2_0036",
"file_md5": "3aaf5dd1e14f7bb46a47b83d07d213ba",
"app_url": "https://qingfs.oss-cn-beijing.aliyuncs.com/firmwares/202008/_update_param__1_1_2_0036_1.zip",
"desc": "\u63d0\u5347\u4e86\u8bbe\u5907\u7684\u7a33\u5b9a\u6027\u3002"
},
"code": 0
} Archive Contents
At a glance, this structure does seem to match what would be expected for an OTA update archive generated with EDIT: As a quick test, I tried uploading this OTA update via nRF Connect, but it fails with the following error:
The Nordic S132 v3.0.0 documentation helps explain the meaning of this error a bit further:
|
Great to see you make some progress here - unfortunately I can´t be of much help, as my know-how in that area is not up to par! |
You will most likely need to do the handshake as in the Telink thermometers first to be able to upload OTA at least there it is that way. Need to get my hands on one CGG1 as this gets intresting and nRF52832 is just the favorite SOC |
The firmware is signed / is using secure DFU so getting OTA working is probably not that useful, only taking apart and reflashing via SWD is the way.
BTW any cheap sources of this device? See it for ~$15 here so not exactly cheap when compared to $4 Telink one. |
I agree that is the case, but I still want to prove it out definitively myself. Since this is the first time working on anything like this, I'm largely treating this as an educational process and trying to take my time and learn as much as possible along the way.
I'm not able to view the AliExpress link (I guess it's geoblocked), but unfortunately that's about the going rate for the CGG1. I paid ~$22 including shipping for mine from Amazon in the US. They definitely are a tier above the alternatives in build quality and visual appeal though. |
Unfortunately I´m not aware of any cheaper source - I bought mine at aliexpress for this price. |
Sure. In theory they could still have signature check disabled in bootloader but it is quite unlikely. The package can be examined with nrfutil tool by Nordic (so it is softdevice S132 3.0.0 = SDK12)
Thanks, just checking what is good price. e-ink probably looks much better so may be worth it indeed. The telink one is indeed small and hard to read. But I don't mind as I have one outside hidden from the rain in a box and another one under the bed in cold corner and one is similar damp corner in a wardrobe :-) |
Is there a Nordic OTA ready for Chrome (javascript)? |
Nordic legacy DFU is on the WebBluetooth Blocklist so can not be accessed, only the secure Nordic DFU can be accessed, that is why i never build a web flasher for nordic DFU. Just as info https://github.com/WebBluetoothCG/registries/blob/master/gatt_blocklist.txt Hope it helps |
There is. Some version is part of Espruino Web IDE https://github.com/espruino/EspruinoWebIDE/blob/master/js/libs/secure-dfu.js and it is based on https://thegecko.github.io/web-bluetooth-dfu/examples/web.html BTW legacy DFU (using different service IDs) is blocked by web bluetooth https://github.com/WebBluetoothCG/registries/blob/master/gatt_blocklist.txt#L19 , the 'secure' one is not (so far). |
I bought an old version of CGG1 (with the NRF chip) at a local store with delivery on the same day for $14.5. |
Service UUID: 0000fe59-0000-1000-8000-00805f9b34fb -> https://pvvx.github.io/CGG1_old/uuid.txt Alternate OTA for all mijia:
|
The UUID 8ec90003-f315-4f60-9fb8-838830daea50 |
Now we need a test program with BLE access to all Flash and without erasing the old OTA. Read the entire flash and the previous version, and if mijia, then the keys. |
The DFU is a secure one, so there is currently no way of flashing a new firmware to it without the Private key to sign it. the private key is not in the OTA Bootloader or firmware sadly |
The software from the manufacturer cannot change the version? 8-( The public key is in the firmware. Data blocks for private key recovery are given in OTA. |
https://crypto.stackexchange.com/questions/47809/why-havent-any-sha-256-collisions-been-found-yet |
Example from links: https://eprint.iacr.org/2008/270.pdf PS: 2005 - my x65PapuaSoft/JokerA70 for Siemens phone MD5 - all PC 8 seconds :) |
yeah, I've seen it but you need to find collision to existing data, not to generate new pair, there is also the length extension attack, but here you have signed dat file with length and sha256 hash of the binary, so you need your new binary with same length and same hash |
Do you think the key certificate itself is filled with randoms? :) I don't like ARM. It's boring - there is all the documentation for it. And the CGG1 of this version is on nRF... :( |
only the dat file/init packet is signed, the firmware binary is not, binary is only hashed and it's sha256 hash (and length) is in init packet/dat file
not sure what you mean but you can generate new private key via |
The hash is definitely faster to calculate up. Moreover, there are probably source codes for the ota-bootloader... |
sure, just get any sdk>=12 from https://developer.nordicsemi.com/nRF5_SDK/ and see components/libraries/bootloader/ and examples/dfu/bootloader_secure inside, the crypto libraries used is in external/micro-ecc/micro-ecc You can of course build new bootloader and replace it in the device via SWD or replace just the public key in it with your own or disable the signature check, but that is not the point here I guess? |
Before poking around with OTA Nordic keys, you need to find out - 2. Secure Boot Validation
My CGG1 product date 2018.11 |
Disassembled the device: https://pvvx.github.io/CGG1_old
Looks like this version of CGG1 are not required keys. Interest is gone... Next, you need to create the firmware in the SDK. PS: Next: https://pvvx.github.io/LYWSD02 |
Thumbs down for 52810 ... bad chip :D +1 for LYWSD02 Finally a Dialog custom firmware would be good |
If you have dfu update package, SoftDevice version is in sd_req field see #1 (comment) If the only way is to update via swd you can also pick any sdk you like and replace everything. |
This means that it is impossible for the user to determine the version of the SDK without disassembling the device with a hot air gun and then throw it away? |
If a stock firmware is available yes |
It follows from this that if the device has nRF - no alternative firmware. |
Yes, unless there is any other exploit in the firmware or swd pins available |
Installed additional Flash 1 MB (MD25D80SIG) |
@fanoush and i are quite active in the nRF52 smartwatch hacking "scene" just as info The 1MB aditional flash make it possible to use but its a hassle and hard to use default SoftDevice then. There where also mi thermometers with nRF52832 available if i remember correctly, but as it looks like the switch to tlsr on many of them i would care about nRF anymore |
How long does Nordic's minimum BLE stack code size? The Chinese have a lot more BLE chips with government support, that is, cheaper and with normal performance. For example PHY62x2. RTL8762C_mijia_ble_standard113-HT_Demo - All listings and objs for assembly are specially left in it, for those who are not given the mijia libraries. |
fccid 2AQ3F-CGG1 2018-09-04 (nRF52810) Original Full-Flash (SEGGER JFlash) No fccid! CGG1 (nRF52832) cgg1-stock-1.1.2_0020.hex.zip https://github.com/kelchm/cgg1-thermometer-firmware/wiki/Stock-Firmware -> cgg1-bank0-stock-1.1.2_0020.bin |
list of softdevice ids is in nrfutil, --help option fo package creation, also most of them are here https://devzone.nordicsemi.com/f/nordic-q-a/1171/how-do-i-access-softdevice-version-string |
nrf52 chips are nice if you want good software support in projects like micropython, espruino or arduino, also there are two opensource certified bluetooth stacks one in Zephyr OS and one i Apache Newt - NimBLE. If you are ok with chinese vendor's sdk and can just modify some example then you won't appreciate that. best chips worth of hacking are 52832,52840,52833 - lot of ram and flash. those cutdown cheap ones like 52810/11 are not best choices but still may be good for small C project - like thermometer :-) |
Does this mean there are no hashes in the OTA?
Everything described does not make sense in the reality of working devices. You can screw everything up, but this is not a working option - just a game. I do not need Arduino. Arduino for children, for the game only. :) 52810 low power (vs 52832). |
First of all -- it's super exciting to see everyone chiming in to discuss the nRF based CGG1. I've been very torn on what I whether I wanted to pursue this project any further after @pvvx reported receiving a Telink based CGG1 (and since receiving one myself). I'm not an embedded developer, and while I was looking forward to using this project to get myself a bit outside of my comfort zone, it's also somewhat demotivating to know that the remaining supply of nRF based CGG1s is likely limited and that there's clearly a cheaper/easier path to the same end goal via the Telink based hardware. Finding a way to exploit Nordic's secure OTA DFU would definitely be a bit of a game changer in making this project more viable -- there's really no getting around how much of a pain it is to disassemble the CGG1. 😅 I wouldn't be at all surprised if someone was able to exploit Nordic's secure OTA DFU implementation -- just look at the APPROTECT bypass as an example of how seemingly secure systems can be trivially bypassed. This is admittedly something that's well outside my own existing skillset, but I'd love to be contribute if anyone wants to really dig into investigating this further. |
SDK12 and up uses secure OTA so both are new enough to have this unfortunately. |
SEGGER Embedded Studio for ARM Release 5.42 (Windows x64) When writing a new firmware, SES writes that everything is fine. Check 'Verify' - ok. But the firmware is wrong - no chunks. When dancing with a tambourine around Jtag from SEGGER, normal firmware is successful, but sometimes. S312 for 52810 and S332 for 52832 require registration ... In this regard, the creation of an alternative firmware for the NRF has been postponed indefinitely. |
why would you use S312? That's one with additional ANT protocol (which needs license). I use gcc and cheap STLINK clone or CMSIS-DAP with openocd and gdb so cannot comment on SEGGER (And IDEs are for kids ;-)) |
It is clearly smaller, which Nordic throws out for its users.
Yes, yes, I have weeks of my life to write scripts for boiled porridge for decades at Nordic. They themselves have not been able to do this in decades. Alternative programming of nRF chips is only for the dedicated and not suitable for DIY. I tested a couple of examples - everything is bad with the nRF52810. The amount of Flash for the program is small and you can only repeat what has already been done by ‘Cleargrass’. The original advertising packages are not encrypted, data is transmitted constantly. It has no meaning in alternative firmware, except for the game. |
the softdevice numbering is a bit complicated but mostly makes sense Sxyz - x=1 BLE, x=2 ANT x=3 both, y=1 peripheral, 2 central 3 both, last number is mostly related to supported chip 0-nrf51 2-nrf52 or some minor feature difference (e.g. S113 has DLE extensions, S112 not). Also for nrf52840 it ends with 40 So for 52810 you could use S132 or S113 or S112 , also visible on chip page https://www.nordicsemi.com/Products/Low-power-short-range-wireless/nRF52810 - compatible soft devices on the bottom.
It takes a bit of time to understand, like anything else. Documentation is pretty good and extensive (unlike Chinese stuff) - https://infocenter.nordicsemi.com/topic/struct_nrf52/struct/nrf52.html |
Indeed :-) What you did with Telink chips so far is great so maybe it is better for everyone if you just continue doing what you like instead of fighting with nrf52 :-) |
I have not seen any differences in different chips for a long time. @fanoush - You write that a lot of fanats and everything in nRF is simple and even without IDE - then throw in the source of a power-optimized example of working with a temperature and humidity sensor using i2c (typical SHT30) and with DFU / OTA for nRF52810 and nRF52832. And this would help the author of this repository. |
There is no 'nordic SDK initialization' as such. I am guessing it can be bootloader validating your application at boot time. bootloader is optional or you can disable the check in its source or some SDK versions can be configured how/if the check is done as linked docs mention. if you use SWD now then to verify it is this case you can clear bootloader settings in UICR so the softdevice runs your app directly (easiest may be to mass erase and then flash just softdevice and your app. but UICR can be cleared via toggling few bits in NVMC controller registers) |
This is the start of the official firmware from "Cleargrass". The 1 bits SPI Flash read speed of the slowest CPUs is about 5..10 MiB per second. |
https://devzone.nordicsemi.com/f/nordic-q-a/29658/what-is-operating-voltage-for-nrf52832-flash-memory |
As a first step, we should ensure that it is possible to dump the stock firmware of the device.
The text was updated successfully, but these errors were encountered: