It’s been a while since my last report.
I am still working on the TaHoma approach and I have some feedback.
First of all, I still don’t have a protocol specification. Nevertheless, I have managed to root the box by reflashing the NAND memory. I did that because the static analysis is quite time-consuming for little benefit.
An io-homecontrol installation uses AES-128 to provide protocol authentication. On the TaHoma, the installation key is stored alongside the node database (the list of the characteristics of all installed io-homecontrol devices) directly on the NAND flash.
All the protocol-handling applications are ARM-compiled binaries plus LuaJIT bytecode. I decompiled some of them in enough detail to have a basic understanding of io-homecontrol’s principles. That said, this isn’t enough for me to fully describe an io-homecontrol frame. I am considering using an SDR approach to sniff data on the network, given that I know the encryption key.
The good news is that I can activate debugging on the TaHoma’s applications. Moreover, they communicate through a D-Bus message broker that I can also sniff. RPCs over this bus are the basis of all communications on the box. So it seems possible to intercept a message at different levels (from the application down to the SPI bus of the io-homecontrol chip).
BTW (speaking of SPI), I discovered this a long time ago when I began this project, but here is the device tree of the TaHoma that may be useful to understand the TaHoma platform: https://github.com/torvalds/linux/blob/master/arch/arm/boot/dts/at91-kizbox.dts
At this time I unfortunately have no jailbreak without a hardware attack. But I still have some avenues to explore… It may be possible, even though the developers did a good job securing the OS. Moreover, once you have control over the system, it is possible to redirect the cloud link to an on-premises server. Setting up a full test environment with a private server is my next priority; it will let me fully control the command chain.
I’m still looking for help on this project. Contact me by PM for details.
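As an added illustration of the D-Bus sniffing mentioned above (this is example code written for this page, not the poster's tooling and not anything from the TaHoma firmware): the standard `dbus-monitor` utility prints one header line per message followed by indented argument lines, and the parser below turns such a capture into RPC records, pairs each method return with the call it answers, and counts calls per (destination, interface, member). The embedded capture is constructed for the example; the bus name `com.example.radio`, the interface `com.example.Radio` and the member `SendFrame` are made up and are not real TaHoma identifiers.

```python
"""Parse dbus-monitor output into RPC records (added example, not TaHoma code)."""
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass, field

# Header line as printed by dbus-monitor, e.g.
# method call time=1.2 sender=:1.5 -> destination=com.x.Svc serial=12 path=/com/x/Obj; interface=com.x.If; member=Do
# Signals use "destination=(null destination)", method returns carry reply_serial= and no path/interface/member.
HEADER = re.compile(
    r"^(?P<kind>method call|method return|signal|error)"
    r"(?: time=(?P<time>[\d.]+))?"
    r" sender=(?P<sender>\S+) -> destination=(?P<dest>\(null destination\)|\S+)"
    r"(?: serial=(?P<serial>\d+))?"
    r"(?: reply_serial=(?P<reply_serial>\d+))?"
    r"(?: path=(?P<path>\S+?);)?"
    r"(?: interface=(?P<iface>\S+?);)?"
    r"(?: member=(?P<member>\S+))?"
    r"\s*$"
)

# Constructed sample capture; names are hypothetical, not real TaHoma services.
CONSTRUCTED_CAPTURE = """\
signal time=1700000000.000100 sender=org.freedesktop.DBus -> destination=:1.42 serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
   string ":1.42"
method call time=1700000000.100200 sender=:1.42 -> destination=com.example.radio serial=7 path=/com/example/radio; interface=com.example.Radio; member=SendFrame
   string "node-03"
   array of bytes [
      01 02 03
   ]
method return time=1700000000.105000 sender=:1.7 -> destination=:1.42 serial=3 reply_serial=7
   boolean true
method call time=1700000000.200000 sender=:1.42 -> destination=com.example.radio serial=8 path=/com/example/radio; interface=com.example.Radio; member=SendFrame
   string "node-05"
   array of bytes [
      0a 0b
   ]
"""


@dataclass
class Message:
    kind: str
    sender: str
    destination: str
    serial: int | None
    reply_serial: int | None
    path: str | None
    interface: str | None
    member: str | None
    args: list[str] = field(default_factory=list)  # raw argument lines, whitespace stripped


def parse_monitor(text: str) -> list[Message]:
    """Split dbus-monitor text into messages; indented lines are arguments of the preceding header."""
    messages: list[Message] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():  # argument line belongs to the current message
            if messages:
                messages[-1].args.append(raw.strip())
            continue
        m = HEADER.match(raw)
        if m is None:  # dbus-monitor banners or unrecognised lines
            continue
        g = m.groupdict()
        messages.append(Message(
            kind=g["kind"], sender=g["sender"], destination=g["dest"],
            serial=int(g["serial"]) if g["serial"] else None,
            reply_serial=int(g["reply_serial"]) if g["reply_serial"] else None,
            path=g["path"], interface=g["iface"], member=g["member"],
        ))
    return messages


def pair_replies(messages: list[Message]) -> list[tuple[Message, Message]]:
    """Match each method return to its call: the return's reply_serial equals the
    call's serial and it is addressed to the original caller."""
    pending: dict[tuple[str, int | None], Message] = {}
    pairs: list[tuple[Message, Message]] = []
    for msg in messages:
        if msg.kind == "method call":
            pending[(msg.sender, msg.serial)] = msg
        elif msg.kind == "method return":
            call = pending.pop((msg.destination, msg.reply_serial), None)
            if call is not None:
                pairs.append((call, msg))
    return pairs


def call_counts(messages: list[Message]) -> Counter:
    """Count method calls per (destination, interface, member) to map the RPC surface."""
    return Counter(
        (m.destination, m.interface, m.member) for m in messages if m.kind == "method call"
    )


if __name__ == "__main__":
    # Pipe a live capture in: dbus-monitor --system | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_CAPTURE
    msgs = parse_monitor(text)
    for (dest, iface, member), n in call_counts(msgs).most_common():
        print(f"{n:4d}  {dest} {iface}.{member}")
    for call, reply in pair_replies(msgs):
        print(f"serial {call.serial}: {call.member}({', '.join(call.args)}) -> {' '.join(reply.args)}")
```

On the box itself the capture would come from `dbus-monitor --system` (or `--session`, depending on which bus the applications use), which needs sufficient privileges and, for the system bus, a bus policy that permits eavesdropping; the parser does not depend on any TaHoma-specific service names.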