Hi again,
If you look for the instructions to read/write the NAND flash memory of the TaHoma without having to desolder it, look here: https://github.com/Aldohrs/tahoma-jailbreak
Here’s a bit more context.
With the help of several persons, I was able to dump the firmware of the TaHoma box more than 3 years ago. It may be valid for other Somfy boxes (like the Conexoon) as the Linux Kernel source code contains several Device Trees following the same architecture for all Somfy’s boxes (search for Overkiz in the Linux Kernel).
Dumping the firmware required to desolder the NAND flash memory, read it, apply a specific and custom ECC, and backdoor the firmware with specific manipulations to prevent it from bricking itself at the next reboot.
As this was only reserved to advanced users with no practical way to get fast modifications on the firmware for analysis, I did only disclose the process to a few people.
A more practical (more like less difficult in reality) way to jailbreak TaHoma’s firmware consists in exploiting a flaw in the boot process of the ATSAMA5D31, as it is configured, that runs the board.
The ATSAMA5D31 boot process is as follow:
- Internal ROM (burnt into the SoC) is ran at address 0x0
- It lists all memory devices attached to the SoC (in our case, the NAND flash memory)
- It calls the second stage bootloader from the boot memory device if it finds a valid pattern at the beginning of it
- If it does not find that pattern, it boots into a recovery/program mode called SAM-BA
By default, the SAM-BA monitor mode is not secured. Details for securing it are under NDA but I don’t think Overkiz followed that specification.
During my tests, I noticed that when a blank NAND flash memory is connected to the SoC, it boots to SAM-BA mode. It then gets accessible via USB (A-to-A cable) to a host. The host is then able to send commands and data through the USB port.
As described on the Github link at the top of this post, the trick consists in blocking the normal operation of the NAND flash memory. As per the specification of the memory, the CE# pin should be pulled low to enable it.Thus to bypass this, feeding 3.3V to the CE# pin deactivates the NAND chip. As a matter of fact, the SoC doesn’t detect the NAND flash and boots the SAM-BA monitor.
Using a utility from Atmel, I was able to dump and to write data from and to the NAND flash memory directly through the SoC. That solves several problems, like the ECC and the need for a NAND Flash memory programmer.
It is unlikely that this vulnerability will ever be corrected, though not impossible.
I still have at the moment other means to retrieve the firmware that are less practical.
Several things should be determined at the moment but here is my master plan:
- Get the TaHoma to work with unofficial servers
- Get a reverse-engineered specification of io-homecontrol to work with a device inspired from the STM32/transceiver in use in the TaHoma
So, if you want to get on the train you may want to check:
- There is a web server embedded. On older versions, it was monkey with a static website calling cgi-bin endpoints. Most recent versions use lighthttpd with only the API. It is authenticated and I didn’t find yet where the credentials are stored. The API calls are made to a socket owned by the “local” application. My main hypothesis is that this web server can be used to manage the domotic functionalities, but it is disabled by default.
- Most high-level applications are developed in lua and compiled with luajit.That can be decompiled quite easily.
- The /apps/overkiz/share/ folder contains specifications for each product supported by each protocol in SQLite databases
- The /apps folder contains also the node database for each protocol. The io-homecontrol database contains the AES-128 key for the io-homecontrol network
- The /sys/next file allows to choose to boot from a USB stick (but a proper root filesystem and Linux is necessary)
And that’s all for today. Enjoy owning (or bricking) your device.