tuya-cloudcutter / lightleak Goto Github PK
Firmware version-agnostic PoC exploit for smart devices
Thanks for making such a great tool!
I go through the entire process and receive a notification that the device is exploitable. When I choose "dump firmware", the screen changes and there is a rolling circle on the screen. After about 5 minutes of no change, I connect to the phone and traverse to the device directory and see that the dump file is 0 bytes. There is a JSON file in there as well.
Any logs or advice on what to do?
Hello, I have a pair of cheap Elivca LSPA9 smart plugs that seem to be based on the BK7231S. I tried to install the app, but I only saw T and S versions for the chip. I tried the first 10 profiles, but the app seems stuck at "Wait for CustomerAP termination" and then gives an error "Timed out while scanning for SSID "LightleadIdle"". What can I do?
Thanks!
Poundland Ultrabrite UK Smart Wifi Plug 20J ST3 (WB2S)
Got the device open, but the wifi board labelled WB2S is very close to some capacitors, so I only have access to one side.
I tried the lightleak setup and 2 profiles get further than an instant error: the one labelled LightLeak BK7231T and one of the N profiles marked XOR JTAG. Both go through the connection process, report exploitable success and go to the dump screen, but this just spins for a while and then says "Error Couldn't receive packets from device".
I am Running Lightleak, trying to get a flash dump for my LSC Smart Power Plug 970761.1 (tuya-cloudcutter/tuya-cloudcutter#607)
Possibly related to #15 .
The chip inside is probably a WB2S, based on ARM Cortex M4.
Both the BK7231N - Type 1 / Addr 1 (XOR) and the BK7231T profiles will run all the steps but fail when trying to read flash, getting "Couldn't receive packets from the device".
Processing esp32 (platform: espressif32; board: esp32dev; framework: arduino)
------------------------------------------------------------
Verbose mode can be enabled via -v, --verbose option
CONFIGURATION: https://docs.platformio.org/page/boards/espressif32/esp32dev.html
PLATFORM: Espressif 32 (5.3.0) > Espressif ESP32 Dev Module
HARDWARE: ESP32 240MHz, 320KB RAM, 4MB Flash
DEBUG: Current (cmsis-dap) External (cmsis-dap, esp-bridge, esp-prog, iot-bus-jtag, jlink, minimodule, olimex-arm-usb-ocd, olimex-arm-usb-ocd-h, olimex-arm-usb-tiny-h, olimex-jtag-tiny, tumpa)
PACKAGES:
So, I managed to complete the steps and am searching for the dump to upload.
Unfortunately the app does not create its directory in /data (or anywhere else, for that matter).
Also, the My Dumps tab does not work, probably because of that.
I checked whether the app requested additional permissions, but it did not.
Hi,
I keep getting the error "Couldn't receive packages from the device" while trying to read the flash from a bulb.
I tried selecting BK7231N - Variant 1 (Standard), BK7231N - Variant 1 (XOR) and BK7231N - Variant JTAG (XOR), but they all give the same error.
-- UPDATE --
I opened one of the bulbs and it's using a WB2L chip. From what I found online, the WB2L is a BK7231T chip. I tried selecting the BK7231T profile, but it just gives me a "The device doesn't respond to ping requests" error.
I thought that my device was different from the one dumped by @blakadder below, so I tried dumping with Lightleak. None of the profiles were able to run the LightLeak exploit. Turns out it is the same device and I was able to use the profile built.
In the platformio.ini it is using platform: libretuya.
This causes it to fail to compile on Win11 64-bit (not sure about others).
Issue:
Trying to run lightleak, but receive error "device doesn't respond to packets" after the exploit payload is sent for all profiles.
I have 8 of these bulbs, and have so far been able to run cloudcutter with a similar profile to flash the OpenBK app without issue, but I would like to get the dump so that I can share with the community.
I would try the UART method, but don't believe I can do so without destroying the bulb.
I am using a Wemos D1 Mini as my Custom AP device.
Thoughts?
I see a release in 2023. The readme has a link that says Tuya patched the vulnerability.
Does this still work on all firmware? Or only those unpatched firmware?
Thank you.
"The platformio-custom-ap directory contains a PlatformIO project that can be compiled on any of the platforms mentioned above. You need to download this code, build it, and upload to your device of choice."
I'm confused on how to do this exactly.
Greetings!
I encountered the same "Couldn't receive packets, TODO describe this better" error as other people. Is there a way for me to help solve this, even if it's just for my specific device?
I entered the "cloudcutter community" only yesterday, so I might have overlooked something. I did follow the steps though, and the device seems to be exploitable.
I inspected the logs and didn't find anything interesting, but if anyone wants me to post them, I will.
Thanks in advance!
Executing task: platformio run --environment esp32
Processing esp32 (platform: espressif32; board: esp32dev; framework: arduino)
------------------------------------------------------------
Verbose mode can be enabled via `-v, --verbose` option
CONFIGURATION: https://docs.platformio.org/page/boards/espressif32/esp32dev.html
PLATFORM: Espressif 32 (3.5.0) > Espressif ESP32 Dev Module
HARDWARE: ESP32 240MHz, 320KB RAM, 4MB Flash
DEBUG: Current (esp-prog) External (esp-prog, iot-bus-jtag, jlink, minimodule, olimex-arm-usb-ocd, olimex-arm-usb-ocd-h, olimex-arm-usb-tiny-h, olimex-jtag-tiny, tumpa)
PACKAGES:
- framework-arduinoespressif32 @ 3.10006.210326 (1.0.6)
- tool-esptoolpy @ 1.30100.210531 (3.1.0)
- toolchain-xtensa32 @ 2.50200.97 (5.2.0)
LDF: Library Dependency Finder -> https://bit.ly/configure-pio-ldf
LDF Modes: Finder ~ chain, Compatibility ~ soft
Found 29 compatible libraries
Scanning dependencies...
Dependency Graph
|-- CRC32 @ 2.0.0
|-- WiFi @ 1.0
Building in release mode
Compiling .pio/build/esp32/src/customap.cpp.o
Generating partitions .pio/build/esp32/partitions.bin
Compiling .pio/build/esp32/libaa3/CRC32/CRC32.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/ETH.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFi.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiAP.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiClient.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiGeneric.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiMulti.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiSTA.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiScan.cpp.o
src/customap.cpp: In function 'void setup()':
src/customap.cpp:19:35: error: 'ARDUINO_EVENT_WIFI_AP_STACONNECTED' was not declared in this scope
WiFi.onEvent(onStationConnected, ARDUINO_EVENT_WIFI_AP_STACONNECTED);
^
*** [.pio/build/esp32/src/customap.cpp.o] Error 1
============================================================ [FAILED] Took 1.88 seconds ============================================================
Environment Status Duration
------------- -------- ------------
esp32 FAILED 00:00:01.877
======================================================= 1 failed, 0 succeeded in 00:00:01.877 =======================================================
I haven't touched the platformio.ini, and I see the arduino framework is already in the [env] block, so I'm unsure why it's complaining at build.
It would be nice if you could add support for it, since it is a lot cheaper than the esp8266 and esp32, at least here in my place.
It's funny that the esp32-s2 is cheaper now compared to back then, when the esp8266 only cost 2 bucks; now it costs around 8 bucks and the esp32-s2 only costs around 2 bucks.
Device details are here: tuya-cloudcutter/tuya-cloudcutter#233
Got a chance to work on this device again today. I'm using the Lightleak BK7231N Variant JTAG (XOR) profile and it successfully performs the exploit, but I get an error when I try to dump the firmware. I tried 2 different switches (one that was added to Tuya, one that was new in box) and got the same error on both. I used the newest version of Lightleak, 0.6.1.
Trying to dump flash.
I have a Sonoff SV that I flashed with the custom AP; the wifi network is visible.
The Android app says the device is not responding...
Is the custom AP not OK? Or is the device I am trying to exploit not answering?
Do the instructions miss a part where I somehow connect the victim device manually to the custom AP, or would that come later? I cannot understand/find out when and how to do that.
What am I doing wrong :P
Official vendor's product page
This device runs Tuya. I tried to read out the flash today by using the Cloudcutter app and then selecting Lightleak - BK7231N - Type 2 (Standard).
This works until the last step, which gives the error "Error: Couldn't receive packets from the device".
Is it worth trying the other BK7231N / BK7231T profiles?
I'd like to flash one of my BK7231N devices to the lightleak/LibreTuya binary. Is it possible to reflash it after using it for its purpose back to e.g. OpenBeken (without manually flashing the device)?
The device is a Nedis Smart Plug WIFIP110FWT.
When connected to the Tuya app, both main and MCU versions are reported as 1.0.0. Opening the device revealed the chip is a BK7231N, but the existing cloudcutter profiles for this combination did not seem to do the trick. So I thought I'd dump the firmware and create a profile for this particular device. After using the Tuya app, I disconnected and wiped the device in the app, so it should be good to go. The CustomAP I'm using is an esp8266-based NodeMCU.
Dumping the flash with Lightleak fails and does not seem to receive any packets from the plug. I can get to the flash dump screen after selecting unconfigured device; all actions are successful. The device exits AP mode and the app connects successfully to it after it reboots into AP mode. I used the BK7231N - Variant 1 (Standard) profile: other N-profiles did not seem to exploit correctly and froze the plug, so at least something is happening.
Let me know if you need more information. Disassembling the device enough to get a dump needs a bit more prying but I'll do that if needed.
log_lightleak.txt
log_exploit.txt
The number of profiles and general items is getting rather long.
Request for a search function and this thing is about perfect!
Good job everyone!