Tellstick ZNet Lite V2 teardown/reverse engineering
(In English if someone outside of Sweden finds this post useful)
So I'm getting into trying to automate my home a bit with Home Assistant, and happened to stumble upon a second-hand Tellstick, which sounded good with both 433 MHz and Z-Wave support.
It seems like the local API for Home Assistant by Telldus has been deprecated, so you now have to use their cloud service to control things.
So I thought I might do a teardown and a bit of reverse engineering to see if it's hackable in any way.
The inside of the Tellstick ZNet Lite V2:
The board part:
There is a 3-pin "debug" port next to the Z-Wave module that is a TTL 115200 8N1 serial port straight into the Tellstick OpenWrt console without a password.
There is a Python firmware update script running cyclically with an 86400 second interval
Also a Python tellstick-znet script
dropbear as SSH server
udhcp for DHCP
ntpd for time
mdnsd for Bonjour detection.
All the Python files regarding Telldus are byte-compiled .pyc files, possible to decompile with uncompyle6 though.
Ports listened to on the Tellstick:
root@OpenWrt:/# netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1743/dropbear
tcp 0 0 10.0.2.22:59759 16.170.51.134:45000 ESTABLISHED 995/python
tcp 0 0 :::80 :::* LISTEN 995/python
tcp 0 0 :::22 :::* LISTEN 1743/dropbear
tcp 0 0 ::ffff:10.0.3.22:80 ::ffff:10.0.2.37:58554 ESTABLISHED 995/python
udp 0 0 0.0.0.0:42314 0.0.0.0:* 995/python
udp 0 0 0.0.0.0:30303 0.0.0.0:* 995/python
udp 0 0 0.0.0.0:56282 0.0.0.0:* 984/mdnsd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 984/mdnsd
udp 0 0 :::546 :::* 1651/odhcp6c
udp 0 0 :::59699 :::* 984/mdnsd
udp 0 0 :::5353 :::* 984/mdnsd
raw 0 0 ::%1:58 ::%4438220:* 58 1651/odhcp6c
raw 0 0 ::%1:58 ::%4438220:* 58 913/odhcpd
raw 0 0 ::%1:58 ::%4438220:* 58 913/odhcpd
Killing dropbear and starting it with
/usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
instead makes logging in as root possible with:
ssh -oPubkeyAcceptedAlgorithms=+ssh-rsa -oHostkeyAlgorithms=+ssh-rsa root@<tellstick ip-address>
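An added example, not part of the original post: a small Python parser over the tcp/udp rows of the netstat listing above that separates services bound to every interface from connections the device opens itself. The function names are made up for this example, and the raw ICMPv6 rows are left out.

```python
from collections import namedtuple

# tcp/udp rows of the `netstat -nap` listing in the post (raw sockets left out).
NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1743/dropbear
tcp 0 0 10.0.2.22:59759 16.170.51.134:45000 ESTABLISHED 995/python
tcp 0 0 :::80 :::* LISTEN 995/python
tcp 0 0 :::22 :::* LISTEN 1743/dropbear
tcp 0 0 ::ffff:10.0.3.22:80 ::ffff:10.0.2.37:58554 ESTABLISHED 995/python
udp 0 0 0.0.0.0:42314 0.0.0.0:* 995/python
udp 0 0 0.0.0.0:30303 0.0.0.0:* 995/python
udp 0 0 0.0.0.0:56282 0.0.0.0:* 984/mdnsd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 984/mdnsd
udp 0 0 :::546 :::* 1651/odhcp6c
udp 0 0 :::59699 :::* 984/mdnsd
udp 0 0 :::5353 :::* 984/mdnsd
"""
Sock = namedtuple("Sock", "proto host port peer state prog")
WILDCARD = {"0.0.0.0", "::"}

def parse(text):
    """Turn netstat rows into Sock tuples; non tcp/udp rows are skipped."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue
        host, port = f[3].rsplit(":", 1)      # works for v4, v6 and v4-mapped forms
        state = f[5] if len(f) == 7 else ""   # udp rows carry no state column
        prog = f[-1].split("/", 1)[-1]        # "995/python" -> "python"
        socks.append(Sock(f[0][:3], host, int(port), f[4], state, prog))
    return socks

def exposed_listeners(text):
    """Sockets bound to a wildcard address, i.e. reachable on every interface."""
    hits = {(s.proto, s.port, s.prog) for s in parse(text)
            if s.host in WILDCARD and (s.state == "LISTEN" or s.proto == "udp")}
    return sorted(hits)       # v4 and v6 duplicates collapse in the set

def outbound_connections(text):
    """Established TCP sessions whose local port is not a listening port."""
    socks = parse(text)
    listening = {s.port for s in socks if s.state == "LISTEN"}
    return [(s.prog, s.peer) for s in socks
            if s.state == "ESTABLISHED" and s.port not in listening]

if __name__ == "__main__":
    print(exposed_listeners(NETSTAT))
    print(outbound_connections(NETSTAT))
```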