Aldohrs / tahoma-jailbreak

Instructions and scripts to jailbreak the Somfy TaHoma
29 stars, 2 forks

Firmware dump #3

Open 26didi89 opened 2 years ago

26didi89 commented 2 years ago

Hi Aldohrs,

I discovered your work from the Home Assistant forum. I am looking for information about the IO Homecontrol part. I would like to supplement SDR capture analysis with firmware analysis. What are your latest discoveries?

Thanks

Aldohrs commented 2 years ago

Hi 26didi89,

I'm still working on it. I'm currently working on a custom OS for the TaHoma to make it an easy development and hacking platform.

I also want to reverse the io-homecontrol protocol. I actually managed to sniff io-homecontrol frames over the air using an RTL-SDR a year ago. I decoded the bottom layers, but I still have work to do on the upper ones and the pairing process.

On the software side, I have not done much yet. Most of the information should come from the io-homecontrol libraries and the firmware of the STM32 chip.

Aldohrs commented 2 years ago

I'm considering releasing my GNU Radio workflow and my findings on the protocol itself publicly, but as I'm digging back into the project, I need some time to do checks to make sure I release only non-sensitive information.

paller commented 2 years ago

This is very related to https://github.com/merbanan/rtl_433/issues/1376

I have io-homecontrol windows, two 1-way remotes, and an older Tahoma box which unfortunately doesn't have the same PCB as yours. What I would like to look at is how the CMAC/AES-signing is done. Trying to obtain some data for investigation I have captured some different scenarios with an SDR.

  1. Cloning one remote to another (surely, they must exchange AES keys in the process)
  2. Used the TaHoma to scan for devices in the home (doesn't seem very secure. It locates both windows and is able to control them without any human approval)

While some of the packets seem to be about 128 bits bigger than "normal", I can't say whether it really is the key in plain sight. Trying to figure out how the CMAC is calculated is hard enough; using a key that may or may not be correct doesn't help.

Some SDR captures with a known AES key would make a great start. I might have to give the jailbreak a try on my older unit to obtain the key, unless someone would be willing to share their extracted key and SDR captures.

Another thing I would like to try is disassembling the io-homecontrol application. I know AES is done in hardware, but if we can see what is loaded into the block and more importantly how the output is used to construct a full io-homecontrol packet that probably would be the easiest way to reverse the protocol. Would it be possible to share that binary?

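As an added worked example (not code from the tahoma-jailbreak repository or from any of the commenters), here is the generic AES-CMAC construction of RFC 4493 built on a single raw AES block call, so that what is loaded into the AES block at each step is visible, followed by a check of a candidate key against a captured frame. It shows the primitive only: whether io-homecontrol uses plain RFC 4493 CMAC, and how its MAC field is truncated, is not established in this thread and is an assumption in the demo functions. The frame bytes are constructed from the public RFC test vector, not a real capture. Requires the `cryptography` package.

```python
"""AES-CMAC (RFC 4493) over a raw AES-ECB block call, plus a candidate-key
check against a captured frame.

Added example, not code from the tahoma-jailbreak repository or from the
commenters. It shows the generic CMAC primitive only; whether io-homecontrol
uses plain RFC 4493 CMAC, and how its MAC field is truncated, is NOT
established here and is an assumption for the demo functions below.
Requires the 'cryptography' package (pip install cryptography).
"""
import hmac
from typing import Tuple

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16
RB = 0x87  # reduction constant for x^128 + x^7 + x^2 + x + 1, RFC 4493


def aes_block(key: bytes, block: bytes) -> bytes:
    """One raw AES encryption of a 16-byte block: this is exactly what a
    hardware AES engine computes per load, so each call below corresponds
    to one block pushed into the engine."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()


def _double(block: bytes) -> bytes:
    """Multiply by x in GF(2^128): left shift, conditional XOR with Rb."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ RB
    return n.to_bytes(BLOCK, "big")


def cmac_subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """K1 and K2 derived from AES_K(0^128), RFC 4493 section 2.3."""
    l0 = aes_block(key, bytes(BLOCK))
    k1 = _double(l0)
    k2 = _double(k1)
    return k1, k2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def aes_cmac(key: bytes, msg: bytes) -> bytes:
    """Full 16-byte AES-CMAC tag, RFC 4493 section 2.4."""
    k1, k2 = cmac_subkeys(key)
    n = max(1, (len(msg) + BLOCK - 1) // BLOCK)
    blocks = [msg[i * BLOCK:(i + 1) * BLOCK] for i in range(n)]
    last = blocks[-1]
    if msg and len(last) == BLOCK:
        last = _xor(last, k1)                      # complete final block
    else:
        pad = last + b"\x80" + bytes(BLOCK - 1 - len(last))
        last = _xor(pad, k2)                       # 10* padded final block
    x = bytes(BLOCK)
    for blk in blocks[:-1]:
        x = aes_block(key, _xor(x, blk))           # CBC-style chaining
    return aes_block(key, _xor(x, last))


def verify_candidate_key(key: bytes, frame_body: bytes, mac_field: bytes) -> bool:
    """Assumption for illustration only: the frame carries the first
    len(mac_field) bytes of CMAC(key, frame_body). Constant-time compare."""
    tag = aes_cmac(key, frame_body)[:len(mac_field)]
    return hmac.compare_digest(tag, mac_field)


# RFC 4493 test vectors (public) prove the construction is right before it
# is pointed at real captures with a key that "may or may not be correct".
RFC_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
RFC_MSG16 = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")

# Constructed demo frame, not a real io-homecontrol capture: the body is the
# RFC message and the MAC field is the first 4 bytes of its known tag.
DEMO_BODY = RFC_MSG16
DEMO_MAC = bytes.fromhex("070a16b4")

if __name__ == "__main__":
    print("CMAC(empty) =", aes_cmac(RFC_KEY, b"").hex())
    print("right key :", verify_candidate_key(RFC_KEY, DEMO_BODY, DEMO_MAC))
    print("wrong key :", verify_candidate_key(bytes(16), DEMO_BODY, DEMO_MAC))
```

The point of building CMAC from `aes_block` rather than calling a library CMAC is that the sequence of calls mirrors what a disassembly of the STM32 firmware would show around the hardware AES engine: one zero block for subkey derivation, then one block per 16 bytes of frame, with the last block XORed with K1 or K2 first. If the captured MAC does not verify with that sequence under a key recovered from the box, the construction differs from plain RFC 4493 (different padding, a nonce or counter mixed in, or truncation from a different end), and that is the next thing to look for.
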
Aldohrs commented 2 years ago

Hi,

Unfortunately, all firmware, including the STM32 firmware, is protected by copyright law and I cannot share any of it. However, if you jailbroke your Kizbox, the STM32 firmware should lie in /apps/overkiz/share/io-homecontrol/bin/

On the current progress I've made on the radio protocol (which I didn't touch for a while), I am pretty close to what is specified in https://github.com/merbanan/rtl_433/issues/1376#issuecomment-868440943

At the moment, I'm focusing on my custom OS to be able to boot from a USB key and use one TaHoma as a sniffer, with an extended toolset not limited to the 128 MB NAND space.

Regards,