The Wink Hub is a really impressive embedded Linux system. For $50 you get a device that handles six different wireless protocols: Wi-Fi, Bluetooth, Z-Wave, ZigBee, Kidde, and Lutron.
The hub was initially rooted by a simple SQL injection attack. Once that was patched by a software update, users resorted to a brute-force NAND-glitch method to interrupt U-Boot. While this certainly works, a close look at the bare PCB reveals a safer and even more powerful way to gain unrestricted access to the system: JTAG.
While the UART header has been helpfully labeled (dear Wink, not a good idea!), the JTAG pinout is not only unlabeled, it's non-standard. Here's how I reverse-engineered the connector pinout. If you just want the pinout, feel free to skip to the image at the very bottom of this post.
First, I needed to remove the RF shield over the CPU; it pries off easily with a screwdriver. Next, I used an SLR camera on a tripod to take high-resolution photos of the front and back of the PCB. I imported these into GIMP, mirrored the bottom-side layer so that it lines up with the top view, set the top layer to 50% opacity, and aligned the two layers.
Next I grabbed an image of the CPU ball map from the datasheet and imported that as another layer, resizing it to match the physical outline of the CPU package. Orientation matters here: the ball map's A1 corner has to sit on the package's pin-1 mark, or every ball you pick out afterwards will be mirrored or rotated.
This allowed me to examine the bottom layer at the highest possible zoom, looking for vias in the area of the CPU's JTAG balls. In the image below you can see where I scraped the solder mask off these vias to make them stand out better.
Now I was able to use a multimeter in continuity mode to find connections between these vias and the pins of the JTAG header. Here's what I found:
Finally, a bit of educated guessing and some luck showed which header pin maps to which JTAG signal:
I connected my Olimex ARM-USB-OCD and got a successful connection on the first try!
The connections are as follows:
Pin – Signal
1 – Vref
2 – N/C
3 – TDI
4 – TMS
5 – TCK
6 – TRST
7 – TDO
8 – SRST
9 – N/C
10 – GND
Diagram showing the JTAG pin header:
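A practical way to confirm the pinout once it is wired up is to let the debugger read the CPU's IDCODE before doing anything else. The following OpenOCD configuration is an added example and is not part of the original post: the post does not say which host software drove the Olimex ARM-USB-OCD, and it does not identify the CPU, so this config declares no target and instead lets OpenOCD autoprobe the scan chain and print whatever IDCODE it finds. The header-to-20-pin wiring in the comments assumes the Olimex adapter's standard ARM 20-pin JTAG connector; the file name `wink-jtag.cfg` is made up for this example.

```tcl
# wink-jtag.cfg -- added example, not from the original post.
# Assumptions: OpenOCD drives the Olimex ARM-USB-OCD, the Wink header is
# wired to the adapter's ARM 20-pin connector as listed below, and the CPU
# is not yet identified, so the scan chain is autoprobed rather than declared.

# Olimex ARM-USB-OCD via the FTDI driver (script ships with OpenOCD).
source [find interface/ftdi/olimex-arm-usb-ocd.cfg]
transport select jtag

# Start slow; reading IDCODE needs no speed. Raise it once the target is
# known. (OpenOCD releases before 0.11 spell this 'adapter_khz 100'.)
adapter speed 100

# Both TRST (header pin 6) and SRST (header pin 8) are brought out, so let
# OpenOCD drive both. Switch to 'trst_only' or 'srst_only' if one misbehaves.
reset_config trst_and_srst

# Wink header -> Olimex 20-pin (standard ARM JTAG pinout):
#   Wink 1  Vref -> 20-pin 1  (VTref; required, it powers the level shifters)
#   Wink 3  TDI  -> 20-pin 5
#   Wink 4  TMS  -> 20-pin 7
#   Wink 5  TCK  -> 20-pin 9
#   Wink 6  TRST -> 20-pin 3  (nTRST)
#   Wink 7  TDO  -> 20-pin 13
#   Wink 8  SRST -> 20-pin 15 (nSRST)
#   Wink 10 GND  -> 20-pin 4 (or any other even-numbered GND pin)
#   Wink 2 and 9 are N/C and stay unconnected.

# Deliberately no 'jtag newtap' line: with no TAPs declared, OpenOCD warns
# "There are no enabled taps. AUTO PROBING MIGHT NOT WORK!!" and then
# examines the chain, reporting each device as
# "JTAG tap: auto0.tap tap/device found: 0x........ (mfg: ..., part: ..., ver: ...)".
init
scan_chain
shutdown
```

Run it with `openocd -f wink-jtag.cfg` and watch for the `tap/device found` line. A correct IDCODE (a manufacturer ID that matches the CPU's datasheet) is the check that TDI, TDO, TMS and TCK are all on the right pins; an all-ones or all-zeros IDCODE usually means TDO or Vref is not connected. Once the part is identified, replace the autoprobe with the matching `source [find target/<cpu>.cfg]` script so that `halt`, memory reads and the custom U-Boot load in Part II have a real target to talk to.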
Next up: loading a custom u-boot and getting root! Click here for Part II.