Hi @hairdresser,
Awesome work! Like I suspected, the Cozytouch architecture is really similar with the one of the TaHoma: same processor family, same firmware layout, same radio “daughterboard” (STM32F101 + SI4463). I think we have nearly the same firmware, with just some features different (for example the TaHoma has 2 “daughterboards”: one for io-homecontrol and the other for RTS).
If you follow the guide I wrote for the TaHoma, I would not be surprised if you had also an access through the USB port (but you don’t need to anymore :p). But if you want to get another way, here you go: GitHub - Aldohrs/tahoma-jailbreak: Instructions and scripts to jailbreak the Somfy TaHoma
SAM-BA can flash the NAND flash using the nandflash applet. At least, the process is straightforward through the USB or Serial connection (if the Serial you found is DBGU). It may be simpler than your approach if you’re able to jump into SAM-BA at will.
Regarding SSH: you can also just replace the authorized_keys file in /etc/security to use your own key (this is why the root account has no password); also be careful if you then connect your box to the Internet because the status of the SSH service is sent to Overkiz. And Overkiz can also remotely control the state of the SSH service, maybe that’s why your device closed itself (though an update can also do that because updates are images directly flashed to the UBI volumes).
I worked on the dbus approach but not quite as much as you. I wish I found out about your blog before. I also tried the lighttpd step without much success, but didn’t want to bother patching the lua part.
At the moment, I’m working on the CloudLink protocol (and I made some significant progress since my last post). Hopefully, that will allow me to have a simple access to the dbus because all data exchanged between the Overkiz cloud and the TaHoma is encoded in XML and JSON and thus is simple to reverse engineer. The only thing I had to overcome was the TLS mutual authentication and the fact that the TaHoma expects a sort of “server hello” from the server before sending any data (it is just a 0x03 byte sent by the server after the TLS handshake).
@ennergei is working on the firmware of the STM32F101 I dumped from my unit. You should be able to find yours under /apps/ (look for something named like stm32). We were able to pull some information on the io-homecontrol protocol itself mostly with the information that were pulled by Thomas Buck in this thread: Is io-homecontrol decodng feasible - #5 by tobu42
I’ll give you some more information in DM if you’re interested in taking part in the research.
Regards,
Aldohr