Somfy Connexoon/Tahoma jailbreak

I tried the jailbreak on the latest firmware just now. It still works, but some things have changed. The biggest change is that rootB is now a static partition. This means that it is read-only. You can change this by repacking the ubi-volume.bin and making it a dynamic partition again.

So, in short, after the step Create local folders on my blog, follow the steps listed at Rebuild the firmware.

Then, rename ubi-volume_patched.bin to ubi-volume_dynamic.bin.

Now, continue from the step Prepare the virtual nand, but replace every occurrence of ubi-volume.bin with ubi-volume_dynamic.bin.

The second change is that there is a script that checks if the partition MD5s match known hashes and force-updates them if they don’t. To prevent this you can either block outgoing traffic from your connexoon with a firewall, or cripple the /usr/local/scripts/systemcheck script (location might differ, I’m writing this from memory).

From there, if you create the proper certificates, you should be able to use the local mode on the connexoon just as you can on the tahoma.


I’m sorry, I don’t follow. If I execute the steps listed at Rebuild the firmware right after creating the local folders it fails (ubinfo: "error!: UBI is not present in the system"). That’s what I would expect, there’s nothing mounted, there are only empty directories.

Oh, yeah, correct. Like I said, writing from memory ;). It obviously needs to be mounted first.

I want to check if I understand the correct procedure.

Dump the firmware
Create directories
Prepare virtual nand
Mount image
Resize
(Don’t do anything to alter the filesystem)
Rebuild firmware

Use that rebuilt firmware to go through the process again, only this time make the changes with dropbear and ssh.
Flash

Is that the gist of it?

I just went through the whole process on the latest firmware.

Here are the steps from Donny's Blog with the latest updates for the new FW from Somfy:

Dumping the firmware

./sam-ba -p usb -b sam9xx5-ek -a lowlevel
./sam-ba -p usb -b sam9xx5-ek -a extram
./sam-ba -p serial -d sam9xx5 -a nandflash:1:8:0xc0902405 -c read:bootstrap.bin:0x000000:0x20000 -c read:ubi-volume.bin:0x20000

Create working folders

mkdir ubi-root
mkdir ubi-rootB
mkdir extract

Prepare the virtual NAND to change the partition from static to dynamic

sudo modprobe nandsim first_id_byte=0xec second_id_byte=0xa1 third_id_byte=0x00 fourth_id_byte=0x15;
sudo flash_erase /dev/mtd0 0 0
sudo nandwrite /dev/mtd0 ubi-volume.bin
sudo modprobe ubi
sudo ubiattach -p /dev/mtd0 -O 2048

Make the partitions dynamic

# dump every UBI volume (0..10) to extract/<name>.bin
for i in {0..10}; do name=$(ubinfo -d 0 -n $i | grep Name | awk '{print $2}'); sudo dd if=/dev/ubi0_$i of=extract/$name.bin; done

cd extract
# volumes 0-5 keep vol_type=static; volumes 6-10 (including root and rootB) become dynamic
for i in {0..5}; do name=$(ubinfo -d 0 -n $i | grep Name | awk '{print $2}');size=$(ubinfo -d 0 -n $i | grep Size | cut -d '(' -f 2 | cut -d ' ' -f 1); echo -en "[$name]\nmode=ubi\nimage=$name.bin\nvol_id=$i\nvol_size=$size\nvol_type=static\nvol_name=$name\nvol_alignment=1\n\n"; done > config.ini
for i in {6..10}; do name=$(ubinfo -d 0 -n $i | grep Name | awk '{print $2}');size=$(ubinfo -d 0 -n $i | grep Size | cut -d '(' -f 2 | cut -d ' ' -f 1); echo -en "[$name]\nmode=ubi\nimage=$name.bin\nvol_id=$i\nvol_size=$size\nvol_type=dynamic\nvol_name=$name\nvol_alignment=1\n\n"; done >> config.ini

ubinize -o ../ubi-volume_dynamic.bin -p 131072 -m 2048 -O 2048 -s 512 -Q 1056559212 config.ini
cd ..

Clean-up (I don’t know if this is needed at this point, but it worked for me)

sudo umount /dev/ubi0_*
sudo ubidetach -p /dev/mtd0
sudo rmmod ubifs ubi nandsim

Prepare the virtual NAND with the new dynamic partitions

sudo modprobe nandsim first_id_byte=0xec second_id_byte=0xa1 third_id_byte=0x00 fourth_id_byte=0x15;
sudo flash_erase /dev/mtd0 0 0
sudo nandwrite /dev/mtd0 ubi-volume_dynamic.bin
sudo modprobe ubi
sudo ubiattach -p /dev/mtd0 -O 2048

Resize root partition (needed for the latest FW)

sudo ubirsvol /dev/ubi0 -n 7 -S 206

Mount the “root” and “rootB” partition

sudo mount -t ubifs -o rw /dev/ubi0_7 ubi-root
sudo mount -t ubifs -o rw /dev/ubi0_9 ubi-rootB

Enable dropbear

cd ubi-root/etc/rc5.d
sudo ln -s ../init.d/dropbear S06dropbear
cd ../../../
cd ubi-root/etc/rc2.d
sudo ln -s ../init.d/dropbear S06dropbear
cd ../../../

cd ubi-rootB/etc/rc5.d
sudo ln -s ../init.d/dropbear S06dropbear
cd ../../../
cd ubi-rootB/etc/rc2.d
sudo ln -s ../init.d/dropbear S06dropbear
cd ../../../

After this continue from here: No clouds, just sunshine. Disconnecting Somfy Connexoon from the cloud. - Unauthorized Access Blog

Do the authentication changes in “ubi-root”.

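As an added example (not from the blog or from this thread), a small Python script that reads the UBI volume table out of a dumped image so you can confirm which volumes are static and which are dynamic before and after the repacking step above. It assumes the PEB size from the ubinize command (131072) and uses a constructed one-PEB sample image in place of a real dump.

```python
import struct
import zlib

PEB_SIZE = 131072            # -p 131072 in the ubinize command above
EC_MAGIC, VID_MAGIC = b"UBI#", b"UBI!"
LAYOUT_VOL_ID = 0x7FFFEFFF   # internal UBI volume that holds the volume table
VTBL_REC_SIZE, VTBL_CRC_LEN, MAX_VOLUMES = 172, 168, 128
VOL_TYPES = {1: "dynamic", 2: "static"}

def ubi_crc32(data):
    # UBI seeds CRC-32 with 0xFFFFFFFF and skips the final inversion that zlib applies
    return zlib.crc32(data) ^ 0xFFFFFFFF

def parse_vtbl(blob):
    """Return (vol_id, name, type, crc_ok) for every used volume table record."""
    vols = []
    for vol_id in range(min(MAX_VOLUMES, len(blob) // VTBL_REC_SIZE)):
        rec = blob[vol_id * VTBL_REC_SIZE:(vol_id + 1) * VTBL_REC_SIZE]
        reserved_pebs, _align, _pad, vtype, _upd, name_len = struct.unpack(">IIIBBH", rec[:16])
        if reserved_pebs == 0:   # unused slot
            continue
        name = rec[16:16 + name_len].decode("ascii", "replace")
        crc_ok = struct.unpack(">I", rec[168:172])[0] == ubi_crc32(rec[:VTBL_CRC_LEN])
        vols.append((vol_id, name, VOL_TYPES.get(vtype, "unknown"), crc_ok))
    return vols

def find_volume_table(image):
    """Walk the PEBs, locate the layout volume via its VID header, parse its table."""
    for off in range(0, len(image), PEB_SIZE):
        peb = image[off:off + PEB_SIZE]
        if peb[:4] != EC_MAGIC:
            continue
        vid_off, data_off = struct.unpack(">II", peb[16:24])   # EC header fields
        if peb[vid_off:vid_off + 4] != VID_MAGIC:
            continue
        if struct.unpack(">I", peb[vid_off + 8:vid_off + 12])[0] == LAYOUT_VOL_ID:
            return parse_vtbl(peb[data_off:])
    return None

def make_record(name, vtype, reserved_pebs=10):
    body = struct.pack(">IIIBBH", reserved_pebs, 1, 0, vtype, 0, len(name))
    body += name.encode().ljust(128, b"\0") + b"\0" * 24   # name, flags, padding
    return body + struct.pack(">I", ubi_crc32(body))

def constructed_image():
    """Constructed one-PEB sample (not a real dump): root dynamic, rootB static."""
    ec = (EC_MAGIC + b"\x01" + b"\0" * 11 + struct.pack(">II", 2048, 4096)).ljust(2048, b"\xff")
    vid = (VID_MAGIC + b"\0" * 4 + struct.pack(">I", LAYOUT_VOL_ID)).ljust(2048, b"\xff")
    table = (make_record("root", 1) + make_record("rootB", 2)).ljust(MAX_VOLUMES * VTBL_REC_SIZE, b"\0")
    return (ec + vid + table).ljust(PEB_SIZE, b"\xff")
```

To inspect a real dump, pass the bytes of ubi-volume.bin (or ubi-volume_dynamic.bin) to find_volume_table() instead of constructed_image(); rootB should show up as static before repacking and dynamic afterwards.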

@dmaasland

Thanks for the updates on this! Could you please explain the process to generate the SSL certificates and how to integrate them?

Also, if you want to use the new developer mode on your Connexoon you will have to generate SSL certificates yourself. See the configuration files at /etc/lighttpd.d/ssl.conf and /etc/lighttpd.d/8443/devmodesocket.conf for hints.

Can you contact me on Discord? I would be interested to see how we eventually can incorporate this one into core, together with the official Somfy Developer integration.


Hello!

Just so you know. I finally cracked io-homecontrol authentication mechanisms. You will find details here: iown-homecontrol/LinkLayer.md at 6e2361f7971c8f02d9dc1c05b8510109202163fb · Aldohrs/iown-homecontrol · GitHub

And here is the key that keeps everything together (the key used to encrypt other keys sent on the air):

34c3466ed88f4e8e16aa473949884373

As this key is hardcoded, I have no doubt they can’t change it just like that.

Enjoy replaying/forging your own io-homecontrol frames. I don’t have many details on how to have a complete specification for all devices, but I figured out while intercepting frames of my devices that once authentication is sorted out, frame replay should be easy.


Hi @dmaasland,
I have been using your tweaked version of ha-tahoma for quite some time now, but after the Home Assistant update on 11.2022 it does not work anymore. Do you intend to fix this anytime soon? This would be much appreciated! :)
Or even better: maybe @imick could integrate this “tweak” into the official ha-tahoma?!

ha-tahoma is in maintenance mode, thus won’t get any new features (from me). We are working on bringing local support to core and if by that time Connexoon is still not supported, I will add the jailbroken support as well.


Hi,

Many thanks for everything, my old Connexoon was jailbroken fine.
But after an update yesterday, nothing works after re-rooting the Connexoon. SSH is disabled all the time, with or without modification…
I did the procedure "Note: password authentication".
Can you explain "Remove the authorized_keys … replace it with your own authorized_keys file"?

I ran sudo ssh-keygen -t rsa on my host, but that doesn’t work…

Can you explain a little?

OK guys, no more upgrade results since the last update (202210 in /etc/version).

Now ssh always says "connection refused" on port 22.

Regards

Hey, since the Connexoon now also has the Local API enabled… has anybody successfully tested it and can share a quick start guide? :)

See Overkiz integration - Local API [Development / Testers topic] - #35 by imick.


@dmaasland Is there a way to get a jailbroken Connexoon to work with the new developer API?

I did a partial reset and let Somfy update the firmware to the latest version. But I don’t seem to get access with @imick’s latest integration for Home Assistant.

I have a backup of the original firmware before jailbreaking it. But restoring and updating it again doesn’t seem to help.

I get ECONNREFUSED, I have generated tokens via Postman and the new API, but it still doesn’t want to connect.

Any ideas?