mirko / SonOTA

Flashing Itead Sonoff devices with custom firmware via original OTA mechanism
GNU General Public License v2.0
721 stars 103 forks source link

Sonoff dropping connection after receiving SSL certificate #58

Open ratedz opened 7 years ago

ratedz commented 7 years ago

I have two of these devices, one worked just fine and the other fails all the time. It gets to the point where it connects back to my local network after connecting to the ITEAD network. Then it never downloads the new firmware. It just sits and repeats ( see below) The unit that did work, I never used with ewlink and never upgraded the firmware. The unit that fails I did set up with ewlink first and upgraded the firmware to 1.7.0. When the failed unit is in the phase of starting the webserver on 8080 and 8443, you can browse to 8080 and it just gives a 404. I have tried everything and cant get this thing to work. Ideas ? I have tried both on OSX and linux.. The successful unit was done on linux.

Using the following configuration: Server IP Address: 192.168.0.185 WiFi SSID: TP-Link WiFi Password: **** Platform: linux Now connect via WiFi to your Sonoff device. Please change into the ITEAD WiFi network (ITEAD-100001XXXX). The default password is 12345678. To reset the Sonoff to defaults, press the button for 7 seconds and the light will start flashing rapidly. ** This application should be kept running and will wait until connected to the Sonoff... ...................................................Current IPs: [] ..Current IPs: ['10.10.7.2'] ~~ Connection attempt

HTTP GET /10.10.7.1/device << { "deviceid": "1000114fee", "accept": "post", "apikey": "0a2c5628-a925-4dce-81d9-033715d15f3b" } HTTP POST /10.10.7.1/ap { "ssid": "TP-Link_1920", "version": 4, "password": "****", "serverName": "192.168.0.185", "port": 8443 } << { "error": 0 } ~~ Provisioning completed Starting stage2... The IP address of (192.168.0.185) is not assigned to any interface on this machine. Please change WiFi network to TP-Link_1920 and make sure 192.168.0.185 is being assigned to your WiFi interface. ** This application should be kept running and will wait until connected to the WiFi... .........Current IPs: [] ..............................Current IPs: ['192.168.0.185'] ~~ Starting web server (HTTP port: 8080, HTTPS port 8443) ~~ Waiting for device to connect

IMPORTANT! AFTER the first download is COMPLETE, with in a minute or so you should connect to the new SSID "FinalStage" to finish the process. ONLY disconnect when the new "FinalStage" SSID is visible as an available WiFi network. This server should automatically be allocated the IP address: 192.168.4.2. If you have successfully connected to "FinalStage" and this is not the IP Address you were allocated, please ensure no other device has connected, and reboot your Sonoff. ......^@........................ IMPORTANT! AFTER the first download is COMPLETE, with in a minute or so you should connect to the new SSID "FinalStage" to finish the process. ONLY disconnect when the new "FinalStage" SSID is visible as an available WiFi network. This server should automatically be allocated the IP address: 192.168.4.2. If you have successfully connected to "FinalStage" and this is not the IP Address you were allocated, please ensure no other device........... and goes on and one like this forever

sillyfrog commented 7 years ago

Unlikely given it's a brand new release, but can you try running with --legacy, and see what you get? If that does not work, it would also be good to get a tcpdump of the Sonoff IP to see if it's trying at all to hit the server.

ratedz commented 7 years ago

I had run with legacy and slow stream previously and neither or both worked. IT was the same issue. Running with normal mode and looking at tcpdump it looks like its trying to hit my server/host on 8443 , Is that what your looking for ? If I hit my laptop doing the upgrade on that port it just gives a 404.

08:57:44.639452 IP (tos 0x0, ttl 128, id 876, offset 0, flags [none], proto TCP (6), length 44) 192.168.0.163.6372 > 192.168.0.185.8443: Flags [S], cksum 0x1e88 (correct), seq 632377, win 5840, options [mss 1460], length 0 08:57:44.639559 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44) 192.168.0.185.8443 > 192.168.0.163.6372: Flags [S.], cksum 0xf2ec (correct), seq 313179551, ack 632378, win 29200, options [mss 1460], length 0 08:57:44.649025 IP (tos 0x0, ttl 128, id 877, offset 0, flags [none], proto TCP (6), length 124) 192.168.0.163.6372 > 192.168.0.185.8443: Flags [P.], cksum 0xbe5a (correct), seq 1:85, ack 1, win 5840, length 84 08:57:44.649157 IP (tos 0x0, ttl 64, id 46757, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.185.8443 > 192.168.0.163.6372: Flags [.], cksum 0x0a56 (correct), seq 1, ack 85, win 29200, length 0 08:57:44.652101 IP (tos 0x0, ttl 64, id 46758, offset 0, flags [DF], proto TCP (6), length 1059) 192.168.0.185.8443 > 192.168.0.163.6372: Flags [P.], cksum 0xa1b7 (correct), seq 1:1020, ack 85, win 29200, length 1019 08:57:44.657903 IP (tos 0x0, ttl 128, id 878, offset 0, flags [none], proto TCP (6), length 40) 192.168.0.163.6372 > 192.168.0.185.8443: Flags [F.], cksum 0x6595 (correct), seq 85, ack 1020, win 4821, length 0 08:57:44.658210 IP (tos 0x0, ttl 64, id 46759, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.185.8443 > 192.168.0.163.6372: Flags [F.], cksum 0x0659 (correct), seq 1020, ack 86, win 29200, length 0 08:57:44.660330 IP (tos 0x0, ttl 128, id 879, offset 0, flags [none], proto TCP (6), length 40) 192.168.0.163.6372 > 192.168.0.185.8443: Flags [.], cksum 0x6595 (correct), seq 86, ack 1021, win 4820, length 0

sillyfrog commented 7 years ago

It's weird, it appears to drop the connection after making it. Can you please run it with -s0 -w dump .pacp, and send me the resulting file? I'd like to open up in WireShark and see if there is anything happening at the SSL negotiation phase.

You could also try a curl -k against HTTPS port 8443, and make sure you get the 404 page back.

ratedz commented 7 years ago

Sorry , tcpdump doesnt like a .pacp ?

ratedz commented 7 years ago

dump.txt Curl output.. curl -k https://192.168.0.185:8443404: Not Found404: Not Found

I attached a dump file.. its dump.txt

sillyfrog commented 7 years ago

Hmmm, well that's a worry, the Sonoff disconnected after getting the certificate - so they may now be doing certificate verification, which would mean we can't do SonOTA any more :(

I'm planning on buying a basic for testing (and I'll backup the original firmware), so will see if there is a way to work around this... (But that will be a few weeks away).

ratedz commented 7 years ago

Thats a bummer.. Is there an easy way to back up my firmware on the unit that works and load it on this one.. Without using and ftdi serial interface ? Can you point me to a link or anything that might help me out. Also, thanks a lot for looking into my issue.. Great software .

sillyfrog commented 6 years ago

Unfortunately not as all of the strategies involve breaking apart the SSL connection. I have a Basic on order so it should arrive in the next few weeks and I'll check it out. I'll also keep trying to update my test Dual and see if there is a new release for it with the same issue and let you know.

vponomarev commented 6 years ago

@sillyfrog Do you have any news? I'm building similar tool (replacement of eWeLink cloud server) and today received Sonoff RF which also don't want to connect to my server - it breaks SSL handshake exactly after receiving server Hello packet with certificate.

I plan to check if new firmware really analyze SSL certificate fingerprint or it only looks into some fields like commonName. Maybe you already made such investigations?

ro-76 commented 6 years ago

I'm having the same issue with a TH16. Any likelihood of a fix?

sillyfrog commented 6 years ago

I'm travelling at the moment - I have a new basic to test this - but it was not updating before I left (no idea why!). I'll be giving this a go again next week - hopefully I can get it updated, and try and replicate the issue. I'll then try a number of SSL inspection strategies and see if one works.

ulab commented 6 years ago

Just "subscribing" to this issue with another TH16 that shows the same issues. eWeLink shows Firmware version 2.0.1 with 2.0.4 available.

ulab commented 6 years ago

And I take that back. While fiddling around with it some more (after having tested variations with --legacy and --slowstream earlier) I noticed that it suddenly connected to the sonota.py that was running while I was looking for more info. But it failed, mentioning to try --slowstream again.

And after trying again it suddenly worked without switching back to the itead-Wifi, etc.

Now I am really confused as why it didn't work before?

debug_1512685512.log debug_1512685748.log

andyjenkinson commented 6 years ago

Sounds like something different @ulab .

I just did a little more digging, I setup an HTTPS proxy (via cloudflare) which uses a real Comodo signed certificate (and modified the script slightly to relax the hostname-IP checking). Just in case having a proper cert matching the hostname would be enough. This time I don't even see the device attempt to connect via tcpdump.

vponomarev commented 6 years ago

@andyjenkinson Can you give me an URL with this certificate? I issued self-signed certificate with CN='*.coolkit.cc' (the same cert is used for real cloud service) and by Sonoff Basic breaks SSL connection to this cert.

andyjenkinson commented 6 years ago

Not really, it is on my private network and not accessible externally, but because I own the domain I can use a Cloudflare shared certificate. If you own a domain you can do the same (or if you have your own SSL cert just use that - you could try https://letsencrypt.org/ but it might not be a trusted CA).

I gather that the cloud service was (at least in the past) passing IP addresses as the download URL, which suggests the device doesn't compare the hostname to the cert, but is instead checking for a trusted certificate in a specific domain. Unless the behaviour of the server has changed and it now sends coolkit.cc hostnames in the download URL?

It could be something else though - we don't know at this stage do we?

neuman1812 commented 6 years ago

Just commenting to track this. I have purchased 10 devices,. They all have the .1.6 version and I have the same issue.

mirko commented 6 years ago

Just a shot in the dark: could it be a cert validity issue which might be solved by date/time settings?

sillyfrog commented 6 years ago

I have tried a number of certificate combinations, including using about 100 years into the future (matching the upstream), matching the number of bits (1024 rather than 2048) etc.

I'm also going to try creating a CA that matches upstream and have a signed cert under that, however I have a bad feeling that they are pinning the certificate :(

The next best thing I think we could do is ask Sonoff if they can have an option in the app to downgrade the software to v1.5 for those looking to do this.

tjmaru commented 6 years ago

I have sonoff basic with firmware 1.6.0. I'm sorry, but why are you think the problem is in the ssl? I'm trying to analyse the traffic on the sonoff. I see the sonoff connecting to the 52.28.157.61 but I didn't see dns request for this address. So I think sonoff doesn't use any domain for it, so they can't use ssl verification. And I think the ip address is hardcode in the firmware. Unfortunatelly I can't find name to the ip address 52.28.157.61. The ip address 52.28.157.61 has ssl certificate to *.coolkit.cc by coolkit.cn. But coolkit.cn is verificated root ca, the same we can use self signed ssl. Also the site coolkit.cc use ssl with expired date. I tryed to use my own domain name with ssl as @andyjenkinson wrote with cloudflare and letsencrypt it doesn't sucsessfull too. I have a bit of free time to analisy the situation. I trying to use small network with local network 52.28.157.0/24 to trying to cheat and sign 52.28.157.61 network adapter. Also I don't have any other sonoff devices with sucessfull uprgading firmware to analyse traffic to compare them.

PS sorry for my english, I don't have enough practice. I would be glad if i could help you

vponomarev commented 6 years ago

And I think the ip address is hardcode in the firmware.

@tjmaru Here is normal connection procedures for old Sonoff Basic firmware (should be similar for other devices): https://github.com/vponomarev/Sonoff-Server/blob/master/doc/ServerExchange.log.txt This address should be configured by your eWeLink app, but previous versions of eWeLink configured DNS name eu-disp.coolkit.cc instead of IP address.

So I think sonoff doesn't use any domain for it, so they can't use ssl verification

They can save fingerprint directly into firmware.

mirko commented 6 years ago

I do not believe they do cert pinning, as as a AWS customer AFAIK you don't have control about the SSL setup. Therewith a cert change would break the entire setup. Different story with a CA though..

mattlward commented 6 years ago

So... before I buy more of these, is this likely to be a long term deal breaker for the platform?

sillyfrog commented 6 years ago

If we can't figure out how to convince the Sonoff to connect to us, then yes, if you received hardware with v1.6 it won't be able to update this way. However using the traditional serial method will still work. When I get a chance (probably in the New Year), I'll want to try and put in a feature request in with ITEAD to allow downgrading of the devices (no idea if they will listen, but it can't hurt). I do also have some more ideas as to how to generate the certificate, again however I won't have time for a bit to look at it.

mirko commented 6 years ago

When I was MITM-ing the devices I was generating certificates for each request on the fly to keep the connection flowing and as transparent as possible. Unfortunately I don't have any Sonoff with original firmware lying around anymore. A dump from an original Sonoff won't help btw, as they are device specific and I don't have any more dumps from back then lying around. So I won't be able to look into this either before the next order at ITEAD.

tjmaru commented 6 years ago

I tried to MITM too and I suppose in Sonoff-device ITEAD check the certificate. Probably they do it by fingerprint or they have CA certificate in it generated by themself. Cause after device turned on it must connect to server ITEAD without it you can not manage device. They send just one package but nobody knows what in it.

sillyfrog commented 6 years ago

They do now have a certificate trust chain, which to me implies they now have their own CA, and are verifying it :(

I have put in a feature request on their forum - however they have not actually "approved" it yet. I'm also not hopeful they will. My suggestion was to support downgrading in the eWeLink app, so at least there would be some way to get to a version we can MITM.

andyjenkinson commented 6 years ago

In one sense I think it's a good thing to see security improvements, just a shame I'm halfway through converting a bunch of devices! I'm lazy these days, who knows how long it'll take me to break out the serial adapter :)

On 19 Dec 2017 04:17, "sillyfrog" notifications@github.com wrote:

They do now have a certificate trust chain, which to me implies they now have their own CA, and are verifying it :(

I have put in a feature request on their forum - however they have not actually "approved" it yet. I'm also not hopeful they will. My suggestion was to support downgrading in the eWeLink app, so at least there would be some way to get to a version we can MITM.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/mirko/SonOTA/issues/58#issuecomment-352635397, or mute the thread https://github.com/notifications/unsubscribe-auth/ABxn0p3lHiQvDHqCSzk9xjFh6-Kc38YKks5tBzjWgaJpZM4QjtAq .

zibous commented 6 years ago

Hi, Same problem here, i have purchased 4 devices SONOFF POW,. They all have the .1.6 version and I have the same issue.

2017-12-19 11:27:30,011: DEBUG: Current IPs: ['10.1.1.39', '10.1.1.40']
2017-12-19 11:27:50,498: INFO: Using the following configuration:
2017-12-19 11:27:50,498: INFO:  Server IP Address: 10.1.1.39
2017-12-19 11:27:50,499: INFO:  WiFi SSID: *******
2017-12-19 11:27:50,499: INFO:  WiFi Password: ************
2017-12-19 11:27:50,505: INFO: ** Now connect via WiFi to your Sonoff device.
2017-12-19 11:27:50,505: INFO: ** Please change into the ITEAD WiFi network (ITEAD-100001XXXX). The default password is 12345678.
2017-12-19 11:27:50,505: INFO: To reset the Sonoff to defaults, press the button for 7 seconds and the light will start flashing rapidly.
2017-12-19 11:27:50,505: INFO: ** This application should be kept running and will wait until connected to the Sonoff...
2017-12-19 11:28:28,681: DEBUG: Current IPs: ['10.1.1.39']
2017-12-19 11:28:36,713: DEBUG: Current IPs: ['10.1.1.39', '10.10.7.2']
2017-12-19 11:28:36,716: DEBUG: ~~ Connection attempt
2017-12-19 11:28:36,716: DEBUG: >> HTTP GET /10.10.7.1/device
2017-12-19 11:28:36,722: DEBUG: << {
2017-12-19 11:28:36,722: DEBUG:     "deviceid": "100016aa70",
2017-12-19 11:28:36,722: DEBUG:     "apikey": "94676db5-88f3-4dc0-8573-5e6615eaacc4",
2017-12-19 11:28:36,722: DEBUG:     "accept": "post"
2017-12-19 11:28:36,722: DEBUG: }
2017-12-19 11:28:36,722: DEBUG: >> HTTP POST /10.10.7.1/ap
2017-12-19 11:28:36,722: DEBUG: >> {
2017-12-19 11:28:36,722: DEBUG:     "version": 4,
2017-12-19 11:28:36,723: DEBUG:     "ssid": "McNessi",
2017-12-19 11:28:36,723: DEBUG:     "password": "************",
2017-12-19 11:28:36,723: DEBUG:     "serverName": "10.1.1.39",
2017-12-19 11:28:36,723: DEBUG:     "port": 8443
2017-12-19 11:28:36,723: DEBUG: }
2017-12-19 11:28:36,873: DEBUG: << {
2017-12-19 11:28:36,873: DEBUG:     "error": 0
2017-12-19 11:28:36,873: DEBUG: }
2017-12-19 11:28:36,873: INFO: ~~ Provisioning completed
2017-12-19 11:28:36,874: INFO: Starting stage2...
2017-12-19 11:28:36,877: INFO: ~~ Starting web server (HTTP port: 8080, HTTPS port 8443)
2017-12-19 11:28:36,950: INFO: ~~ Waiting for device to connect
2017-12-19 11:28:36,954: INFO: *** IMPORTANT! ***
2017-12-19 11:28:36,954: INFO: ** AFTER the first download is COMPLETE, with in a minute or so you should connect to the new SSID "FinalStage" to finish the process.
2017-12-19 11:28:36,954: INFO: ** ONLY disconnect when the new "FinalStage" SSID is visible as an available WiFi network.
2017-12-19 11:28:36,955: INFO: This server should automatically be allocated the IP address: 192.168.4.2.
2017-12-19 11:28:36,955: INFO: If you have successfully connected to "FinalStage" and this is not the IP Address you were allocated, please ensure no other device has connected, and reboot your Sonoff.
2017-12-19 11:28:52,999: DEBUG: Current IPs: ['10.1.1.39']
2017-12-19 11:29:37,125: INFO: *** IMPORTANT! ***
2017-12-19 11:29:37,125: INFO: ** AFTER the first download is COMPLETE, with in a minute or so you should connect to the new SSID "FinalStage" to finish the process.
2017-12-19 11:29:37,126: INFO: ** ONLY disconnect when the new "FinalStage" SSID is visible as an available WiFi network.
2017-12-19 11:29:37,126: INFO: This server should automatically be allocated the IP address: 192.168.4.2.
2017-12-19 11:29:37,126: INFO: If you have successfully connected to "FinalStage" and this is not the IP Address you were allocated, please ensure no other device has connected, and reboot your Sonoff.
2017-12-19 11:29:55,165: DEBUG: Current IPs: ['10.1.1.39', '10.1.1.40']
2017-12-19 11:30:11,654: INFO: Quitting.
sillyfrog commented 6 years ago

I have posted another request to be able to downgrade the firmware. If people can please "Vote up" the post here: http://disq.us/p/1oqbm8m (Click on the ^ under the comment). There is a tiny chance they'll read it and allow it to happen...

subascha commented 6 years ago

Same problem here. Is serial way a workaround or doesn‘t it work with 1.6 either?

eyegr commented 6 years ago

I believe I also face the same problem, although I never installed the ewelink app. I don't know what firmware I'm on, is there any way to check without installing ewelink?

boilermanc commented 6 years ago

To follow on with eyegr, how do you tell what version you are on without connecting it? Just got six new ones in the mail i want to flash and a couple of t16's on the way.

thanks!

subascha commented 6 years ago

Just get out the soldering iron. Has worked wonderfully!

mattlward commented 6 years ago

just connect them to wifi and check the version on your phone. It will not auto upgrade. My latest dual shipped with 1.55

timbiotic commented 6 years ago

Before I purchase the usb connector can someone confirm it still works with 1.6 using physical method?

subascha commented 6 years ago

@timbiotic: Works. Soldered five ones the last weeks which could not be updated the sonota way.

reloxx13 commented 6 years ago

with soldering you are gonna take the direct way to the chip pins which cannot be blocked by itead with firmware (still they could block the rx tx connections by blocking the chip physically, but i dont think this will ever happen e.g. cutting the pins off from the chip).

timbiotic commented 6 years ago

Got it done. But wasn’t fun soldering pin header the desoldering it for toggle wires. I need to find jumpers I can tape down next time for the initial flash. Great product though!

XCame commented 6 years ago

Great news everyone. Seems like ITEAD reacted. Just successfully flashed a POW OTA!

Had to use the ewelink app to update the firmware to 2.0.4 (2.0.2 was preinstalled)

2.0.2 wasn't working, so I wanted to check which firmware version ist installed, saw there is an upgrade available and thought I should give it a try before opening and soldering .

reloxx13 commented 6 years ago

@XCame sorry, read the wiki: https://github.com/mirko/SonOTA/wiki Not all Sonoffs are using the same Firmware. POW is another FW. And 2.0.2 is working, too.

thomashondema commented 6 years ago

I have the same issue with the RF bridge. I have a R2 v1.0 dated 2017.11.23 which came with fw version v1.1.0 and the app says its the latest. Would it be helpful if I uploaded the .pcap files?

reloxx13 commented 6 years ago

their is no way to get the cert, so poorly, no, no need to upload the pcaps.

just order 3 cheap usb flasher from aliexpress (1/3 was defect by me). paid 1,34€ each and flash with atom.

yuyoyuppe commented 6 years ago

I have sonoff b1 with 2.0.3(ewelinks says it's latest) firmware, and dnsspoofing doesn't work. Could it be worth waiting for 2.0.4 before smoldering?

MimbaMonkeyHouse commented 6 years ago

Correct address for the feature request: http://support.iteadstudio.com/support/discussions/topics/11000017070

Now, in the past Itead has responded to feature requests. Let's hope they do once enough users like the downgrade feature at the right place. Right now, there are only 20 likes... I really want to avoid soldering. I've also burnt some Basic by feeding 5V, duh!

joydeepsaha05 commented 6 years ago

@MimbaMonkeyHouse You could avoid soldering by directly plugging in the male end of a jumper wire into the Sonoff board and flashing using the USB method. That's how I did it. I even connected an external light switch the same way by using a male to male jumper wire, one end directly in the board and the other screwed into the light switch. Since it isn't moved around at all, works perfectly.

MimbaMonkeyHouse commented 6 years ago

Yea, for sure I need to do something. I've got 6 POW, 2 RF, 2 Basic, 1 4CH Pro & 2 SV waiting in a drawer. The POW and RF just flash once on boot and then nothing. Cannot put these in AP mode with either long press or 5 presses. They went through Sonota update up to stage 2 and then never connected to the Wifi. On a positive note I somehow managed to flash 3 POW and 3 TH16 with Sonota yesterday using legacy and slowstream. Straight out of the shipping box so not sure what firmware was on these. Manufacturing dates were all October and November 2017!

Heptagon404 commented 6 years ago

I just used it with firmware >1.6. For sonoff T1 UK or EU 1-3 Gang (and other devices) press 7 second the (left) front panel button. While you press the device will beep twice. Some other sonoff device do not beep. Release the button for a second and press again for 7 second (another two beeps). Now the WLAN led should blink with plain symetic on / off pattern. After a few second you will find the sonoff wlan. If the led does a different pattern like blink blink pause … you are not if the correct mode. I hope this helps and good luck

mattlward commented 6 years ago

I was able to get connected to the itead AP, but it would not go to finalstage. I just flashed both via serial and they are on 5.12 now.

stixpunk commented 6 years ago

Latest fw 1.7.0 on T1 still not working :( any news on this issue or waiting for itead is only one option now?