Firmware downgrading using a programmer? #29
Comments
If possible. Does anyone have a dump of the ROM of a downgraded hub? We should also patch the firmware, changing the name of the DNS entry, so that the device never connects to the internet again (and upgrades)…
I know the docs are a bit scattered, but @plambrechtsen did patch the firmware in the older version. The problem now, as I understand it, is that we can't downgrade to that firmware and they now do certificate stapling so DNS poisoning doesn't work.
I think he's asking about downgrading using a PICkit 3, 4 or 5 ICSP debugger/programmer instead of using PetHubLocal's firmware downgrading method, since the latter option is no longer possible at the moment. I'm wondering this myself too... Like, can we hook up a PICkit to the hub's CPU (PIC32MX695F512H) and download the firmware, modify it, and upload the modified version? Or did they enable the read-protect bit to block this? If we can download the firmware using a PICkit we should be able to modify the SSL verification function and/or CA certificate in order to make the new firmware version connect to our PetHubLocal instance. I'm thinking about ordering a PICkit and trying this myself... Unless anyone already tried and failed? ;)
I (obviously) know nothing about this. Does read-protect prevent you from writing? Because I don't think you need to read it. @plambrechtsen already unlocked most of the secrets of the old firmware. He was able to patch in a new domain name, and was able to generate the cert unlock key. I'm totally out of my depths here, so ignore if none of this is even related. :)
I don't think there would be an issue writing the older firmware to the hub, and my repo does have both versions of the firmware there. You will just need a PICkit 3 or similar to hook up to the correct pins and flash the firmware. I never purchased a PICkit, but they are fairly cheap on Ali. As my hub has been local I never got the updated firmware, but it does look like they have completely locked out downgrading. Seems like it's time I revive the project and get a PICkit. I still think it's worth the effort in building the custom ESP32 hub. I've just had a major project on for the last 8 months at work that still has another two months to run, so I haven't been spending any time on pet projects. (See what I did there 😁)
Check out https://github.com/PetHubLocal/pethublocal/tree/firmware201/pethublocal/firmware as that is where the decrypted firmware is.
Looking at these files it looks like they have some kind of header at the top. I guess removing this header and concatenating all files results in a complete firmware file?
Yes, the header points to the flash offset it needs to be programmed onto. The other thing to consider is you don't want to trash the volatile settings of your serial number and long serial number when you flash it. But it's doable if you have the right equipment (PICkit) and I can help with reassembly of the flash. But I would download the current firmware from the hub before you begin as well, just in case.
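The reassembly step described above, as an added example that is not PetHubLocal code: each chunk's header gives the flash offset it belongs at, and the script refuses to write into the region holding the serial-number settings. The header layout (4-byte little-endian offset, 4-byte little-endian length), the protected offset range and the sample chunks are all assumptions, not the real format.

```python
"""Lay firmware chunks into a flash image without touching the settings region."""
import struct

FLASH_SIZE = 512 * 1024            # PIC32MX695F512H has 512 KB of program flash
HEADER = struct.Struct("<II")      # assumed header: flash offset, payload length
# Placeholder for the volatile serial / long-serial settings; not a real offset.
PROTECTED = (0x7F000, 0x80000)

def parse_chunk(blob):
    """Return (offset, payload) from one chunk file, validating its header."""
    if len(blob) < HEADER.size:
        raise ValueError("chunk shorter than header")
    offset, length = HEADER.unpack_from(blob)
    payload = blob[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("chunk payload truncated")
    if offset + length > FLASH_SIZE:
        raise ValueError("chunk extends past end of flash")
    return offset, payload

def overlaps(lo_a, hi_a, lo_b, hi_b):
    return lo_a < hi_b and hi_a > lo_b

def reassemble(chunks, base_image=None):
    """Place chunks into an image. Start from a dump of the hub's current flash
    (base_image) so unwritten areas, including the settings, are preserved;
    without one, unwritten bytes are left erased (0xFF)."""
    image = bytearray(base_image) if base_image else bytearray(b"\xff" * FLASH_SIZE)
    if len(image) != FLASH_SIZE:
        raise ValueError("base image size does not match flash size")
    written = []
    for blob in chunks:
        offset, payload = parse_chunk(blob)
        end = offset + len(payload)
        if overlaps(offset, end, *PROTECTED):
            raise ValueError(f"chunk at {offset:#x} would clobber the settings region")
        if any(overlaps(offset, end, lo, hi) for lo, hi in written):
            raise ValueError(f"chunk at {offset:#x} overlaps an earlier chunk")
        image[offset:end] = payload
        written.append((offset, end))
    return bytes(image)

def make_chunk(offset, payload):
    """Build a chunk in the assumed header format (for constructing test input)."""
    return HEADER.pack(offset, len(payload)) + payload
```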
I'll look to add some further details to this page about how the firmware header is constructed. |
Ok. Well, I'm ordering a PICkit 4 as we speak, together with a 3.3V FTDI serial cable. The first thing I'll try is to hook up the PICkit and try to extract the firmware from the flash, and I'll let you know if that works.
I don't think it was for the main firmware back when I was looking at it 3 years ago, only for the volatile serial and long serial. Who knows what they have done with the new firmware. I should stop procrastinating and get myself a PICkit as well, or see if I can borrow one from a friend of mine who lent me one before. The issue is he isn't living in the same city as me anymore.
Sounds good. I'll let you know my findings as soon as my PICkit arrives. It's said to arrive tomorrow, but I won't be surprised if it takes another day due to delays at the shipping company.
Check out the hub pins in https://pethublocal.github.io/devices, as I fully documented the pins you need to solder onto for the PICkit. It is a little tricky; however, I found using the side connector easier. Perhaps I should just solder on a connector instead.
Yes, I found the pin description on your page already. It might be a bit tricky to solder but I will manage ;) In theory I should be able to just download the firmware, patch it to accept the SSL connection, upload it, and it should connect to PHL. Unless they changed the communication protocol in 233.364 too, but I guess not.
Maybe we should fund you one 😏 These Petsure guys are bonkers! Instead of being happy about people buying their stuff and not using their cloud resources ...
I would be interested if you did a network trace of the traffic to see if it is still connecting to AWS MQTT, as some of the original firmware builds I managed to download back in the day were using a completely different MQTT provider than AWS. It's quite unlikely, but who knows. My hub has been locked to the old firmware as Surepet knew what I was up to. A few attempts I made with a number of different tricks over the last few months haven't been fruitful for me to download the newer firmware.
I temporarily enabled logging in my firewall to log every connection the HUB is making and I see it's currently connected to 44.217.31.180:8883 (which is amazon). |
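The firewall check described in the previous comment, as an added example that is not part of the thread: parse connection-log lines, keep only those from the hub's LAN address that leave the local network, and flag whether any go to the MQTT-over-TLS port. The key=value log format and the sample lines are constructed; adapt the regex to your firewall's real output.

```python
"""Summarise a hub's outbound connections from firewall log lines."""
import ipaddress
import re
from collections import Counter

# Assumed key=value log format; real firewalls (pf, nftables, ufw) differ.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)
MQTT_TLS_PORT = 8883   # the port the hub was seen connecting to in the thread

def parse_line(line):
    """Extract src, dst, dport and proto from one log line, or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}

def hub_cloud_connections(lines, hub_ip):
    """Count (dst, dport) pairs for connections from hub_ip that leave the LAN.
    Private, loopback and link-local destinations are ignored."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] != hub_ip:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue   # skip malformed addresses rather than crash on noisy logs
        if dst.is_private or dst.is_loopback or dst.is_link_local:
            continue
        hits[(rec["dst"], rec["dport"])] += 1
    return hits

def uses_cloud_mqtt(hits):
    """True if any off-LAN connection used the MQTT-over-TLS port."""
    return any(port == MQTT_TLS_PORT for _, port in hits)

# Constructed sample log; 192.168.1.50 stands in for the hub's LAN address.
SAMPLE_LOG = [
    "Jan 01 10:00:01 fw: src=192.168.1.50 dst=192.168.1.1 dport=53 proto=udp",
    "Jan 01 10:00:02 fw: src=192.168.1.50 dst=44.217.31.180 dport=8883 proto=tcp",
    "Jan 01 10:05:02 fw: src=192.168.1.50 dst=44.217.31.180 dport=8883 proto=tcp",
    "Jan 01 10:05:09 fw: src=192.168.1.77 dst=1.1.1.1 dport=443 proto=tcp",
    "Jan 01 10:05:10 fw: kernel: unrelated message",
]
```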
@plambrechtsen I read somewhere that you already had a Ghidra decompiled version? Can you tell me where to find that one? I want to peek inside the assembly of a previous firmware while waiting for my PICkit to arrive ;)
So @SanderM2 best plan is to add in DNS logging as that is all that really matters. It should be to |
The PICkit arrived, but trying to read the chip I get this in MPLAB: The requested operation failed because the device is code protected.
OK, late to the party. Guess nobody actually dared to try re-programming their hub using a PIC programmer? I'm starting to get pretty annoyed by my stock hub being offline like 1/3 of the time and really want to investigate local options.
I think the issue will be finding the bootloader. It's on my todo list to try flashing but the issue I have is that I don't have the bootloader firmware. |
I assume all hubs in the wild have read protection enabled and in-circuit debugging disabled? Sometimes companies slip things through during early shipping, when production tests etc. aren't always fully in place.
Would it be possible to downgrade the firmware using a chip programmer? If so, has anyone done this yet?
I will happily buy a programmer to do this. I have experience in programming and electronics.