Wink Hub – Rooting via JTAG

The Wink Hub is a really impressive embedded linux system. For $50 you get a device that can handle 6 different wireless protocols: Wifi, Bluetooth, Z-Wave, ZigBee, Kidde, Lutron.

The hub was initially rooted by a simple SQL injection attack. Once that was patched by a software update users then resorted to a brute-force nand-glitch method to interrupt u-boot. While this certainly works, a close look at the bare PCB reveals a safer and even more powerful way to gain unrestricted access to the system: JTAG

Wink Hub JTAG and UART connectors

While the UART header has been helpfully labeled (dear Wink, not a good idea!), the JTAG pinout is not only unlabeled, it’s non-standard. Here’s how I reverse engineered the connector pinout. If you just want the pinout, feel free to skip to the image at the very bottom of this post.

First, I needed to remove the RF shield over the CPU. This pries off easily with a screwdriver. Next, I used an SLR camera on a tripod to take high resolution photos of the front and back of the PCB. These were then imported into the GIMP where I flipped the bottom PCB layer, set the top layer to 50% transparent, and aligned the two layers.

PCB layer photos imported into GIMP

Next I grabbed an image of the CPU ball map from the datasheet and imported that as another layer, resizing it to match the physical outline of the CPU.

GIMP screenshot with cpu ball map added

This allowed me to examine the bottom layer at the highest possible zoom, looking for vias in the area of the CPU JTAG balls. In the image below you can see where I scraped the solder mask from these vias to make them stand out better.