
cloudcutter-android's Introduction

Tuya Cloudcutter

This repository contains the toolchain to exploit a wireless vulnerability that can jailbreak some of the latest smart devices built with the bk7231 chipset under various brand names by Tuya. The vulnerability as well as the exploitation tooling were identified and created by Khaled Nassar and Tom Clement with support from Jilles Groenendijk.

Our tool disconnects Tuya devices from the cloud, allowing them to run completely locally. Additionally, it can be used to flash custom firmware to devices over-the-air.

ℹ️ Do you like this tool? Please consider giving it a star on Github so it reaches more people. ✨

⚠️ WARNING ⚠️

Using cloudcutter means that you will NO LONGER be able to use Tuya's apps and servers. Be absolutely sure that you are never going to use them again!

Additionally, please be aware that this software is experimental and provided without any guarantees from the authors, strictly for personal and educational use. If you still use it, then you agree that:

  1. You understand what the software is doing
  2. You choose to use it at your own risk
  3. The authors cannot be held accountable for any damages that arise

How does it work?

If you're curious about the vulnerability and how the exploit chain works, here's the detailed writeup and the proof of concept script.

Requirements

  • A device with a stand-alone Wi-Fi adapter (which should not be your primary source of networking; Ethernet is preferred for that)
  • An account with sudo / elevated privileges - an account capable of making network setting changes.
  • NetworkManager / nmcli - This is used to scan for Tuya APs, connect to them, and host a CloudCutter AP to run the exploit. If you run into issues, make sure your NetworkManager service is started. You may need to use the -r parameter if you continue to have issues.
  • Docker / Docker CLI package - This is used to create a controlled python environment to handle and run the exploit
  • An active internet connection (Somewhat optional) - This is used to download the packages to build the docker container and to download new device profiles.

Usage

Check out usage instructions for info about flashing custom firmware and local cloud-less usage (detaching). There are also some host specific instructions for setups on devices like a Raspberry Pi.

FAQ

Please see the FAQ section of the wiki for the most up-to-date questions and answers. This will cover many things like how to get your device into pairing mode, how to find more information about your device like the current firmware installed, and is expanding as new questions are asked/answered. Additionally, you may want to consider searching issues.

Patched devices

Tuya has patched their SDK as of February 2022. Any device with a firmware compiled against a patched SDK will not be exploitable, but you can still apply 3rd party firmware via serial. For a list of known patched firmware/devices, see the known patched firmware wiki page.

Contribution

We'd be happy to receive your contributions! One way to contribute if you already know your way around some binary exploitation or would like to get your hands into it is by building device profiles to support more exploitable devices. Check out the detailed writeup for the information about the vulnerability and exploit chain.

The Lightleak project, which can dump unexploited firmware, could also use additional attention, as well as possibly being expanded to flash firmware, similar to regular cloudcutter. A port to bash/Linux may also be useful.

Device dumps

You can also contribute device dumps by making an issue with your device dump attached, but be aware, if your device was already onboarded on your WiFi AP:

  • If you don't want your SSID and/or SSID password to be out there, then it's best to dump a device that was onboarded on a dummy AP that you don't mind leaking the parameters for. Otherwise, you may also configure it on a dummy access point a few times before dumping it. This will greatly lower the chances of accidental leakage to anyone working on building a profile from your device flash dump, but it is never zero in this case. As a rule of thumb, it's better to dump a fresh device which has been configured with a dummy AP, but if you still want to dump one that's in use on your home AP then know that you always run the risk of leaking your SSID and password.
  • Another option, when having a device paired to SmartLife/TuyaSmart, is to open the app, click the pencil icon in the top-right corner, choose Remove Device and click Disconnect and wipe data.

Note that a dump made on a device which has been already activated on Tuya's app using any working SSID and password would simplify profile building a lot for contributors, so if possible please try to do so. Flash dumps of devices that have never been joined to Smart Life (or disconnected with a data wipe) are now generally acceptable. In order to not potentially leak personal information, that may be the preferred way.

Tools to dump flash from devices:

  • ltchiptool - universal flashing/dumping GUI tool
  • BK7231Flasher - GUI tool for firmware backup and flashing OpenBeken
  • bk7231tools - original toolset for dumping and analyzing Beken binaries
  • Lightleak - wireless dumping, still in development; testing is appreciated

Note: other tools, such as hid_download_py or BkWriter, create incomplete dumps, or have data out-of-order which makes processing more difficult. Please use the tools outlined above instead.

  • Example dump command: bk7231tools read_flash -d COM5 device-make-and-model.bin
  • Since bk7231tools v1.0.0, the -s and -c parameters are not needed (additionally, -c is deprecated in favor of -l/--length <bytes>). The program now reads the entire flash contents by default.
  • A valid dump for a standard 2M BK7231 should be 2,097,152 bytes. If your dump is any other size, it is probably incomplete!

Additionally, device profiles require a proper Datapoint ID (DPID) schema for local configuration with stock firmware. These can be pulled directly from flash on a device (config region starts at 0x1EF000 on BK7231 devices) if it has been configured to communicate with Tuya servers at least once, or through the profiler-builder scripts with the aid of an active Smart Life account. Profile builder's pull-schema.py script will walk you through the process. If you are not comfortable with this, just submit the full 2 MiB bin in an issue and a schema will be pulled and added.
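The two contributor checks above (a complete 2,097,152-byte dump, and no home SSID/password left in it before you attach it to an issue) can be done offline before opening the issue. The following script is an added example, not part of the cloudcutter project or its tooling: it checks the dump size, reports whether the config region starting at 0x1EF000 is still blank (assumption: erased flash reads as 0xFF), and searches the image for the plaintext of credentials you supply. A plaintext miss is only best-effort evidence, since the device may store configuration in an encoded form, which is why the README says the leak risk is never zero. The sample dump built by `build_sample_dump` is constructed here and is not a real device image.

```python
"""Offline sanity checks for a BK7231 flash dump before sharing it.

Added example; not code from the cloudcutter project. Assumptions are
marked inline.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass, field

FLASH_SIZE_2M = 2 * 1024 * 1024   # 2,097,152 bytes: expected size of a standard 2M dump
CONFIG_REGION_OFFSET = 0x1EF000   # config region start on BK7231 (from the README)
ERASED_BYTE = 0xFF                # assumption: erased NOR flash reads back as 0xFF


@dataclass
class DumpAudit:
    size: int
    size_ok: bool                 # True only when the dump is exactly 2 MiB
    config_region_blank: bool     # True when 0x1EF000..end is all 0xFF (or absent)
    leaked: list[str] = field(default_factory=list)  # names of secrets found in plaintext


def audit_dump(data: bytes, secrets: dict[str, str]) -> DumpAudit:
    """Check size, config-region state and plaintext credential leakage.

    `secrets` maps a label (e.g. "ssid") to the value you would not want
    to hand to a profile builder; empty values are ignored.
    """
    size_ok = len(data) == FLASH_SIZE_2M
    region = data[CONFIG_REGION_OFFSET:]          # empty if the dump is truncated
    blank = region == bytes([ERASED_BYTE]) * len(region)
    leaked = [name for name, value in secrets.items()
              if value and value.encode("utf-8") in data]
    return DumpAudit(len(data), size_ok, blank, leaked)


def audit_file(path: str, secrets: dict[str, str]) -> DumpAudit:
    """Convenience wrapper: audit a dump file on disk."""
    with open(path, "rb") as fh:
        return audit_dump(fh.read(), secrets)


def build_sample_dump(ssid: str, password: str) -> bytes:
    """Construct a fake 2 MiB image with credentials written into the config region.

    The key=value layout here is made up for the example; it is NOT the
    real on-flash format used by the device.
    """
    buf = bytearray(bytes([ERASED_BYTE])) * FLASH_SIZE_2M
    blob = b"ssid=" + ssid.encode() + b"\x00passwd=" + password.encode() + b"\x00"
    buf[CONFIG_REGION_OFFSET:CONFIG_REGION_OFFSET + len(blob)] = blob
    return bytes(buf)


def report(audit: DumpAudit) -> str:
    """Human-readable verdict a contributor can act on before filing an issue."""
    lines = [f"size: {audit.size} bytes ({'ok' if audit.size_ok else 'NOT 2 MiB, probably incomplete'})",
             f"config region at 0x{CONFIG_REGION_OFFSET:X}: "
             + ("blank (device never stored a config)" if audit.config_region_blank
                else "populated (DPID schema may be extractable)")]
    if audit.leaked:
        lines.append("WARNING: plaintext found for: " + ", ".join(audit.leaked))
    else:
        lines.append("no supplied credentials found in plaintext (best-effort check only)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit_dump.py <dump.bin> <ssid> [password]
    # With no arguments, runs against a constructed sample image instead.
    if len(sys.argv) >= 3:
        creds = {"ssid": sys.argv[2], "password": sys.argv[3] if len(sys.argv) > 3 else ""}
        print(report(audit_file(sys.argv[1], creds)))
    else:
        sample = build_sample_dump("ConstructedSSID", "constructed-pass")
        print(report(audit_dump(sample, {"ssid": "ConstructedSSID", "password": "constructed-pass"})))
        print("--- truncated copy ---")
        print(report(audit_dump(sample[:1024 * 1024], {"ssid": "ConstructedSSID"})))
```

Run it against a real dump as `python audit_dump.py device-make-and-model.bin "MyHomeSSID" "MyPassword"`; a dump that is not exactly 2,097,152 bytes, or that reports a plaintext hit, should be redone on a dummy AP (or after a "Disconnect and wipe data" in the app) before being attached to an issue.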

Testing if a device is exploitable

If you'd like to check if a device is exploitable, one way to lower the chance of having to pry open a device that's not exploitable is testing it out with this test script. The downside to this test is that it won't tell you if the device is BK7231 based or not, since it seems that RTL87{1,2}0 devices are also exploitable but so far no work has been done to support them.

Previous work

cloudcutter-android's People

Contributors

kuba2k2


cloudcutter-android's Issues

License question

As I didn't see any license mentioned I just wonder if you'll adopt the MIT license from the linked project for the Android app as well?

Crashes immediately after "Read Flash" selected

I was trying to pull the firmware on a Daybetter RGBCW bulb (which seems to have had an update to PSK 02, so that the established profile no longer works) with release 0.40 and got through most of the process successfully. The screen with "Read Flash", "Read Storage", etc. came up, and when I hit "Read Flash" the app crashed. This happened pretty reliably, so I did it while running logcat to see what was causing it. Here are the last few entries:

12-06 08:30:41.539 22979 22979 D LightleakService: Awaiting response: io.github.cloudcutter.work.service.lightleak.command.FlashReadCommand@ea1adb2
12-06 08:30:41.539 22979 23451 D LightleakService: Running command: io.github.cloudcutter.work.service.lightleak.command.FlashReadCommand@ea1adb2
12-06 08:30:41.564 22979 23451 D LightleakService: Reading data #0, offset=0x0, count=8
12-06 08:30:41.589 22979 23451 E AndroidRuntime: FATAL EXCEPTION: DefaultDispatcher-worker-5
12-06 08:30:41.589 22979 23451 E AndroidRuntime: Process: io.github.cloudcutter, PID: 22979
12-06 08:30:41.589 22979 23451 E AndroidRuntime: java.net.ConnectException: Network is unreachable
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at sun.nio.ch.Net.connect0(Native Method)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at sun.nio.ch.Net.connect(Net.java:466)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at sun.nio.ch.DatagramChannelImpl.connect(DatagramChannelImpl.java:771)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at io.ktor.network.sockets.UDPSocketBuilderJvmKt.connectUDP(UDPSocketBuilderJvm.kt:23)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at io.ktor.network.sockets.UDPSocketBuilder.connect(UDPSocketBuilder.kt:27)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at io.github.cloudcutter.work.protocol.UtilsKt.send(Utils.kt:44)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at io.github.cloudcutter.work.service.lightleak.LightleakService.flashRead(LightleakService.kt:173)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at io.github.cloudcutter.work.service.lightleak.LightleakService.access$flashRead(LightleakService.kt:40)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at io.github.cloudcutter.work.service.lightleak.LightleakService$onCommand$1.invokeSuspend(LightleakService.kt:127)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:42)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:570)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)
12-06 08:30:41.589 22979 23451 E AndroidRuntime: 	Suppressed: kotlinx.coroutines.DiagnosticCoroutineContextException: [StandaloneCoroutine{Cancelling}@a687bf1, Dispatchers.IO]
12-06 08:30:41.648 22979 23451 I Process : Sending signal. PID: 22979 SIG: 9

This is on a Moto X4 phone running a nightly build of LineageOS 19 (Android 12).

I know this is very much experimental software and crashes are to be expected, but I'm really hoping there's a fix/workaround, since it looks like I'm really close to success here.

Hangs at connecting to smart device wifi

When I try to use the app on my Jasco Enbrighten WFD4105E (with the Tuya CB2s featuring the BK7231N), it hangs at the step of connecting to the device.

I get a log like this:

03-05 22:12:46.457  9460  9460 V WifiUtils: START SCANNING....
03-05 22:12:46.458  1509  2535 I WifiService: startScan uid=10167
03-05 22:12:46.460  1509  2237 I WifiScanRequestProxy: Scan request from io.github.cloudcutter throttled
03-05 22:12:46.461  1509  2535 E WifiService: Failed to start scan
03-05 22:12:46.469  1509  6033 I WifiService: getConfiguredNetworks not allowed for uid=10167
03-05 22:12:46.470  9460  9460 V WifiUtils: ERROR COULDN'T SCAN
03-05 22:12:46.472  9460  9460 D Logger/Exploit: [2023-03-05 22:12:46] [ExploitFragment] Wi-Fi scan results: []
03-05 22:12:46.681  9460  9460 D WorkFragment: Event: WiFiScanResponse
03-05 22:12:46.682  9460  9556 D Extensions: Event: WiFiScanResponse
03-05 22:12:46.684  9460  9556 D Extensions: Awaiting WiFiScanResponse
03-05 22:12:46.688  9460  9460 D WorkFragment: Event: WiFiScanRequest
03-05 22:12:46.691  9460  9460 D Logger/Exploit: [2023-03-05 22:12:46] [ExploitFragment] Wi-Fi scan performed
03-05 22:12:46.693  9460  9460 D WifiExtensions: Scanning networks
03-05 22:12:46.696  9460  9460 V WifiUtils: WIFI ENABLED...
03-05 22:12:46.696  9460  9460 V WifiUtils: START SCANNING....
03-05 22:12:46.697  1509  6033 I WifiService: startScan uid=10167
03-05 22:12:46.699  1509  2237 I WifiScanRequestProxy: Scan request from io.github.cloudcutter throttled
03-05 22:12:46.700  1509  6033 E WifiService: Failed to start scan
03-05 22:12:46.706  1509  6033 I WifiService: getConfiguredNetworks not allowed for uid=10167
03-05 22:12:46.707  9460  9460 V WifiUtils: ERROR COULDN'T SCAN
03-05 22:12:46.709  9460  9460 D Logger/Exploit: [2023-03-05 22:12:46] [ExploitFragment] Wi-Fi scan results: []
03-05 22:12:46.838 28837  6124 W MdnsSocket: Failed to retrieve interface index for socket. [CONTEXT service_id=168 ]
03-05 22:12:46.919  9460  9460 D WorkFragment: Event: WiFiScanResponse
03-05 22:12:46.920  9460  9556 D Extensions: Event: WiFiScanResponse
03-05 22:12:46.921  9460  9556 D Extensions: Awaiting WiFiScanResponse
03-05 22:12:46.925  9460  9460 D WorkFragment: Event: WiFiScanRequest
03-05 22:12:46.928  9460  9460 D Logger/Exploit: [2023-03-05 22:12:46] [ExploitFragment] Wi-Fi scan performed
03-05 22:12:46.930  9460  9460 D WifiExtensions: Scanning networks
03-05 22:12:46.935  9460  9460 V WifiUtils: WIFI ENABLED...
03-05 22:12:46.936  9460  9460 V WifiUtils: START SCANNING....
03-05 22:12:46.937  1509  6033 I WifiService: startScan uid=10167
03-05 22:12:46.939  1509  2237 I WifiScanRequestProxy: Scan request from io.github.cloudcutter throttled
03-05 22:12:46.939  1509  6033 E WifiService: Failed to start scan
03-05 22:12:46.945  1509  6033 I WifiService: getConfiguredNetworks not allowed for uid=10167
03-05 22:12:46.946  9460  9460 V WifiUtils: ERROR COULDN'T SCAN
03-05 22:12:46.948  9460  9460 D Logger/Exploit: [2023-03-05 22:12:46] [ExploitFragment] Wi-Fi scan results: []

It seems to be trying to scan as fast as possible and hitting the wifi scanning rate limit as noted here.

A workaround may be to disable wifi scan throttling in the developer options, but if it is possible to work within the throttle the app should detect if it is being throttled and slow down/back off on the scans.

Fails after "Unprotect flash" within the app's UI output (BK7231N—1.3.21) - Type 2 / Addr 1

After running this on my Globe E26/G25 lightbulbs and uploading the profile, I've tried following the same process for a Doogan E12.
Link: https://www.amazon.com/dp/B07WGL5L8Q?ref=ppx_yo2ov_dt_b_product_details&th=1

Outside documentation indicates that these bulbs went from ESP to BK7231N.
For testing purposes, I was able to flash ESP Kickstart using cloudcutter with the 7231N build. Before flashing this one, I retrieved the firmware from SmartLife (1.3.21).

The bulb itself has never connected to SmartLife AFAIK. It was purchased new from Amazon.

Because the firmware version seems to be used with N/T, I've tried running the app multiple times across all lightleak profiles.
The only one that makes it past "Check if device is exploitable" is the "BK7231N-Type 2 / Addr 1 (Standard)" option.

Using this profile, it will actually provide this message at the usual failure point:
"Good news, your device is exploitable"
I'm assuming this affirms that this is the correct profile? Especially since the others repeatedly fail at this step.

Here's a screen capture showing the failure point from the GUI:

screen-capture

Here's the log for showing how each session plays out:

[2023-05-15 14:37:29] [ExploitFragment] State+: Action(progress, Prepare environment)
[2023-05-15 14:37:29] [ExploitViewModel] Profile: io.github.cloudcutter.data.model.ProfileLightleak@cfa9f3c
[2023-05-15 14:37:29] [ExploitViewModel] Preparing action graph
[2023-05-15 14:37:29] [ExploitViewModel] Building action graph
[2023-05-15 14:37:29] [ExploitViewModel] Action graph OK
[2023-05-15 14:37:29] [ExploitFragment] State%: Action(done, Prepare environment)
[2023-05-15 14:37:32] [ExploitViewModel] Action run: MessageAction(message_custom_ap_connect)
[2023-05-15 14:37:32] [ExploitViewModel] Action OK
[2023-05-15 14:37:32] [ExploitViewModel] Action run: WorkStateAction(work_state_raw)
[2023-05-15 14:37:32] [ExploitViewModel] Action OK
[2023-05-15 14:37:32] [ExploitFragment] State+: Action(progress, Connect to CustomAP device (LightleakIdle))
[2023-05-15 14:37:32] [ExploitViewModel] Action run: WiFiConnectAction(custom_ap_connect)
[2023-05-15 14:37:32] [ExploitFragment] Device new state: Unconfigured
[2023-05-15 14:37:32] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:37:35] [ExploitFragment] Wi-Fi scan results: [SpectrumSetup-C3, REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-DB, CenturyLink2739-Guest, CenturyLink2739, 36787B-2.4, Brenna 2G, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:37:35] [ExploitFragment] State+: Action(done, Found network: LightleakIdle)
[2023-05-15 14:37:35] [ExploitFragment] State%: Action(done, Found network: LightleakIdle)
[2023-05-15 14:37:35] [ExploitFragment] Wi-Fi connection attempt: LightleakIdle / cl0udcutt3r!@#
[2023-05-15 14:37:38] [ExploitFragment] Wi-Fi connection attempt: LightleakIdle / cl0udcutt3r!@#
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] IP addresses changed: 10.0.0.2/24 / 10.0.0.1
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] IP addresses changed: 10.0.0.2/24 / 10.0.0.1
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] State+: Action(done, Connected: LightleakIdle)
[2023-05-15 14:37:42] [ExploitFragment] State%: Action(done, Connected: LightleakIdle)
[2023-05-15 14:37:42] [ExploitViewModel] Action OK
[2023-05-15 14:37:42] [ExploitFragment] State%: Action(done, Connect to CustomAP device (LightleakIdle))
[2023-05-15 14:37:42] [ExploitFragment] State+: Action(progress, Establish connection with the device)
[2023-05-15 14:37:42] [ExploitViewModel] Action run: PingAction(ap_ping_found_1)
[2023-05-15 14:37:45] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-66
[2023-05-15 14:37:45] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-66
[2023-05-15 14:37:45] [ExploitViewModel] Action OK
[2023-05-15 14:37:45] [ExploitFragment] State%: Action(done, Establish connection with the device)
[2023-05-15 14:37:45] [ExploitFragment] State+: Action(progress, Setup CustomAP credentials)
[2023-05-15 14:37:45] [ExploitViewModel] Action run: WiFiCustomAPAction(custom_ap_setup)
[2023-05-15 14:37:45] [ExploitViewModel] CustomAP connected
[2023-05-15 14:37:45] [ExploitViewModel$runWiFiCustomAPAction$2] Wrote packet: 63 63 74 72 68 4c 69 67 68 74 6c 65 61 6b 43 75 73 74 6f 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 31 b0 16 67 46 be 84 01 fe 6d b3 c0 68 4d 87 e8 e2 d9 c5 65 4a f5 b7 38 46 f6 d7 06 e2 61 9b 09 ce 51 c1 47 2f 20 2e 81 ac 38 4e 44 13 0c e2 60 fb 01 ce 43 0f 22 2e 81 8c f1 93 b9 34 00 40 1f 00 00 3f 9d f4 ea
[2023-05-15 14:37:45] [ExploitViewModel$runWiFiCustomAPAction$2] Got response: 222
[2023-05-15 14:37:45] [ExploitViewModel] Action OK
[2023-05-15 14:37:45] [ExploitFragment] State%: Action(done, Setup CustomAP credentials)
[2023-05-15 14:37:45] [ExploitViewModel] Action run: MessageAction(message_device_connect_1)
[2023-05-15 14:37:45] [ExploitViewModel] Action OK
[2023-05-15 14:37:45] [ExploitFragment] State+: Action(progress, Connect to smart device WiFi)
[2023-05-15 14:37:45] [ExploitViewModel] Action run: WiFiConnectAction(connect_default_1)
[2023-05-15 14:37:45] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:37:46] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, pebbles2010, SpectrumSetup-CF, LightleakIdle, 013, NTGR_VMB_9265170951, MySpectrumWiFi8c-2G, Hembree, Harwoods 5G-1, CenturyLink2739-Guest, CenturyLink2739, SpectrumSetup-D8, TammysWifi, Brenna 2G, ARRIS-5855-5G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:37:46] [ExploitFragment] State+: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:37:46] [ExploitFragment] State%: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:37:46] [ExploitFragment] Wi-Fi connection attempt: SmartLife-B179 / null
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] State+: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:37:50] [ExploitFragment] State%: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:37:50] [ExploitViewModel] Action OK
[2023-05-15 14:37:50] [ExploitFragment] State%: Action(done, Connect to smart device WiFi)
[2023-05-15 14:37:50] [ExploitFragment] State+: Action(progress, Establish connection with the device)
[2023-05-15 14:37:50] [ExploitViewModel] Action run: PingAction(ping_found_1)
[2023-05-15 14:37:52] [ExploitViewModel] Action OK
[2023-05-15 14:37:52] [ExploitFragment] State%: Action(done, Establish connection with the device)
[2023-05-15 14:37:52] [ExploitFragment] State+: Action(progress, Connect smart device to CustomAP)
[2023-05-15 14:37:52] [ExploitViewModel] Action run: PacketAction(exploit_stager)
[2023-05-15 14:37:52] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-36
[2023-05-15 14:37:52] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-36
[2023-05-15 14:37:53] [ExploitViewModel] Action OK
[2023-05-15 14:37:53] [ExploitFragment] State%: Action(done, Connect smart device to CustomAP)
[2023-05-15 14:37:53] [ExploitFragment] State+: Action(progress, Wait for device to stop responding)
[2023-05-15 14:37:53] [ExploitViewModel] Action run: PingAction(ping_lost_1)
[2023-05-15 14:37:59] [ExploitViewModel] Action OK
[2023-05-15 14:37:59] [ExploitFragment] State%: Action(done, Wait for device to stop responding)
[2023-05-15 14:37:59] [ExploitFragment] State+: Action(progress, Wait for CustomAP termination)
[2023-05-15 14:37:59] [ExploitViewModel] Action run: WiFiScanAction(custom_ap_scan)
[2023-05-15 14:37:59] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:37:59] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, NETGEAR19, pebbles2010, MySpectrumWiFid0-2G, LightleakCustom, NTGR_VMB_9265170951, SpectrumSetup-CF, Harwoods, NETGEAR-Guest Essex, 36787B-2.4, TammysWifi, Brenna 2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARLO_VMB_8909912109]
[2023-05-15 14:38:00] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:03] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, Poohbear0716-2.4, Bohland, SpectrumSetup-CF, MySpectrumWiFid0-2G, HP-Setup>b7-M277 LaserJet, LightleakCustom, NTGR_VMB_9265170951, MySpectrumWiFi8c-2G, Harwoods 5G-1, CenturyLink2739-Guest, Harwoods, NETGEAR-Guest Essex, CenturyLink2739, SpectrumSetup-D8, 36787B-2.4, TammysWifi, Brenna 2G, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARLO_VMB_8909912109]
[2023-05-15 14:38:03] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:05] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, NETGEAR19, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakCustom, 013, NTGR_VMB_9265170951, SpectrumSetup-CF, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:38:06] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:09] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, Poohbear0716-2.4, o_brother, Bohland, SpectrumSetup-CF, Nulls2021, MySpectrumWiFid0-2G, LightleakIdle, SpectrumSetup-86, NTGR_VMB_9265170951, SpectrumSetup-CF, MySpectrumWiFi8c-2G, SpectrumSetup-DB, CenturyLink2739-Guest, CenturyLink2739, SpectrumSetup-D8, MySpectrumWiFi70-2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ChooChooPie, ARLO_VMB_8909912109]
[2023-05-15 14:38:09] [ExploitViewModel] Action OK
[2023-05-15 14:38:09] [ExploitFragment] State%: Action(done, Wait for CustomAP termination)
[2023-05-15 14:38:09] [ExploitViewModel] Action run: MessageAction(message_device_reboot)
[2023-05-15 14:38:09] [ExploitViewModel] Action OK
[2023-05-15 14:38:09] [ExploitViewModel] Action run: WorkStateAction(work_state_with_stager)
[2023-05-15 14:38:09] [ExploitViewModel] Action OK
[2023-05-15 14:38:09] [ExploitFragment] State+: Action(progress, Connect to smart device WiFi)
[2023-05-15 14:38:09] [ExploitViewModel] Action run: WiFiConnectAction(connect_default_2)
[2023-05-15 14:38:09] [ExploitFragment] Device new state: Configured to join CustomAP
[2023-05-15 14:38:09] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:12] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, Alyson-2G, SpectrumSetup-CF, Nulls2021, MySpectrumWiFid0-2G, our_house, LightleakIdle, 013, NTGR_VMB_9265170951, SpectrumSetup-CF, MySpectrumWiFi8c-2G, SpectrumSetup-DB, Hembree, CenturyLink2739-Guest, SpectrumSetup-5D, CenturyLink2739, SpectrumSetup-D8, Brenna 2G, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855-5G, MySpectrumWiFi50-2G, ARLO_VMB_8909912109]
[2023-05-15 14:38:12] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:15] [ExploitFragment] Wi-Fi scan results: [Wireless, REMOVED, REMOVED, moontide2-2.4, SpectrumSetup-60, WIFIC6B4B0, , o_brother, SpectrumSetup-68, Bohland, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakIdle, NTGR_VMB_9265170951, MySpectrumWiFi8c-2G, Hembree, Harwoods 5G-1, Harwoods, NETGEAR-Guest Essex, CenturyLink2739, SpectrumSetup-D8, Brenna 2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:38:15] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:18] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, MySpectrumWiFiCB-2G, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-CF, MySpectrumWiFi8c-2G, CenturyLink2739-Guest, CenturyLink2739, SpectrumSetup-D8, TammysWifi, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:38:18] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:21] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, MySpectrumWiFiCB-2G, WIFIC6B4B0, NETGEAR19, SpectrumSetup-CF, MySpectrumWiFid0-2G, HP-Setup>b7-M277 LaserJet, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-CF, SpectrumSetup-DB, Hembree, Harwoods 5G-1, CenturyLink2739-Guest, SpectrumSetup-5D, CenturyLink2739, SpectrumSetup-D8, WIFIF741BE, CenturyLink3315, MySpectrumWiFi38-2G, ARRIS-5855, MySpectrumWiFi50-2G, ARLO_VMB_8909912109]
[2023-05-15 14:38:21] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:24] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, SpectrumSetup-CF, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-CF, SpectrumSetup-DB, Hembree, SpectrumSetup-D8, 36787B-2.4, MySpectrumWiFi70-2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARRIS-5855, MySpectrumWiFi50-2G, ARLO_VMB_8909912109]
[2023-05-15 14:38:24] [ExploitFragment] State+: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:38:24] [ExploitFragment] State%: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:38:24] [ExploitFragment] Wi-Fi connection attempt: SmartLife-B179 / null
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:28] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:28] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:29] [ExploitFragment] State+: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:38:29] [ExploitFragment] State%: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:38:29] [ExploitViewModel] Action OK
[2023-05-15 14:38:29] [ExploitFragment] State%: Action(done, Connect to smart device WiFi)
[2023-05-15 14:38:29] [ExploitFragment] State+: Action(progress, Establish connection with the device)
[2023-05-15 14:38:29] [ExploitViewModel] Action run: PingAction(ping_found_2)
[2023-05-15 14:38:31] [ExploitViewModel] Action OK
[2023-05-15 14:38:31] [ExploitFragment] State%: Action(done, Establish connection with the device)
[2023-05-15 14:38:31] [ExploitFragment] State+: Action(progress, Configure stager payload)
[2023-05-15 14:38:31] [ExploitViewModel] Action run: PacketAction(exploit_check)
[2023-05-15 14:38:31] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-41
[2023-05-15 14:38:31] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-41
[2023-05-15 14:38:31] [ExploitViewModel] Action OK
[2023-05-15 14:38:31] [ExploitFragment] State%: Action(done, Configure stager payload)
[2023-05-15 14:38:31] [ExploitFragment] State+: Action(progress, Check if device is exploitable)
[2023-05-15 14:38:31] [ExploitViewModel] Action run: PingAction(ping_found_3)
[2023-05-15 14:38:33] [ExploitViewModel] Action OK
[2023-05-15 14:38:33] [ExploitFragment] State%: Action(done, Check if device is exploitable)
[2023-05-15 14:38:33] [ExploitViewModel] Action run: MessageAction(message_exploitable)
[2023-05-15 14:38:34] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitFragment] State+: Action(progress, Open flash device)
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PacketAction(ddev_open)
[2023-05-15 14:38:34] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitFragment] State%: Action(done, Open flash device)
[2023-05-15 14:38:34] [ExploitFragment] State+: Action(progress, Unprotect flash)
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PacketAction(ddev_control)
[2023-05-15 14:38:34] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitFragment] State%: Action(done, Unprotect flash)
[2023-05-15 14:38:34] [ExploitFragment] State+: Action(progress, Check if device still responds)
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PingAction(ping_found_4)
[2023-05-15 14:38:50] [ExploitFragment] State%: Action(error, Check if device still responds, kotlinx.coroutines.TimeoutCancellationException: Timed out waiting for 16000 ms)
[2023-05-15 14:38:50] [UIExtensionsKt] Error: The device doesn't respond to ping requests.

This usually means that an exploit is incompatible, making the device freeze instead of continuing running.

It can also mean that writing the payload didn't succeed, in which case you can try again.

I've observed the following after "Check if device is exploitable":

  • When it reaches the "Open flash device" stage, the bulb stops flashing and turns off.
  • Following the "Check if device still responds", my phone's Wi-Fi disconnects. After a brief moment, a tiny purple progress bar quickly depletes and immediately presents the error shown in the image above.
  • After the error, the bulb remains off for about 20-30 seconds and powers on to solid.
  • I quickly checked the APs after the error and saw no Smart Device AP. When the device powers on to solid, it still shows no AP.
    Not sure if it's worth mentioning, but these bulbs always require 6 cycles to reach AP mode.

Worst case scenario—I'll crack one of these open and dump the flash using UART if needed, but it would be pretty neat to avoid sacrificing a device and soldering.

After selecting Profile, then selecting file location, app restarts back at profiles listing

When I select the Profile for "1.3.21 - BK7231N" "oem_bk7231n_light_ty", it takes me to the page to choose the output directory, but whether I select or create a new directory, it takes me back to the Profiles tab. I'm trying to dump the data for this Maelrsrlg E17 RGB bulb. I was able to successfully exploit several of the same bulbs using tuya-cloudcutter and a Raspberry Pi, but I believe I'll need the firmware dump to move forward. Selecting the first in the list of profiles did allow me to go through the whole process and fail at the end, which is good.
