Wink Hub – Rooting via JTAG

The Wink Hub is a really impressive embedded Linux system. For $50 you get a device that can handle 6 different wireless protocols: Wi-Fi, Bluetooth, Z-Wave, ZigBee, Kidde, Lutron.

The hub was initially rooted by a simple SQL injection attack. Once that was patched by a software update, users resorted to a brute-force NAND-glitch method to interrupt U-Boot. While this certainly works, a close look at the bare PCB reveals a safer and even more powerful way to gain unrestricted access to the system: JTAG.

Wink Hub JTAG and UART connectors

While the UART header has been helpfully labeled (dear Wink, not a good idea!), the JTAG pinout is not only unlabeled, it’s non-standard. Here’s how I reverse engineered the connector pinout. If you just want the pinout, feel free to skip to the image at the very bottom of this post.

First, I needed to remove the RF shield over the CPU. This pries off easily with a screwdriver. Next, I used an SLR camera on a tripod to take high-resolution photos of the front and back of the PCB. These were then imported into the GIMP where I flipped the bottom PCB layer, set the top layer to 50% transparent, and aligned the two layers.

PCB layer photos imported into GIMP

Next I grabbed an image of the CPU ball map from the datasheet and imported that as another layer, resizing it to match the physical outline of the CPU.

GIMP screenshot with CPU ball map added

This allowed me to examine the bottom layer at the highest possible zoom, looking for vias in the area of the CPU JTAG balls. In the image below you can see where I scraped the solder mask from these vias to make them stand out better.

Bottom of board with vias exposed.

Now I was able to use a multimeter to find connections between these vias and the pins of the JTAG header. Here’s what I found:

JTAG pins overlaid on vias

Finally, a bit of educated guessing and some luck shows you which header pin maps to which JTAG signal:

JTAG connections

I connected my Olimex ARM-USB-OCD and got a successful connection on the first try!

OpenOCD connecting to the i.MX28 CPU

The connections are as follows:
Pin – Signal
1 – Vref
2 – N/C
3 – TDI
4 – TMS
5 – TCK
6 – TRST
7 – TDO
8 – SRST
9 – N/C
10 – GND

Diagram showing the JTAG pin header:

Wink hub JTAG pinout

Next up: loading a custom u-boot and getting root! Click here for Part II.
