Getting root password - Hacking the (Silvercrest) Lidl Smart Home Gateway

Revealing the root password

Overview

The root password is set to the last 8 characters of AUSKEY which is some kind of identifier for the cloud services. The AUSKEY is stored, encrypted, in the SPI flash. (in the "tuya-label" partition.) The decryption key is also stored here so it is possible to recover the AUSKEY and thus also the root password for the device.

Get the root password

Getting the root password comprises three steps. 1. Accessing the bootloader. 2. Using it to read the raw encoded values from the flash. 3. Decoding the values.

Read the raw encoded values from flash.

Notes for newbies: You must use a 3.3V TTL serial port to connect to this device. Connect only Ground (GND), TX and RX. Do not connect Vcc. Do not be tempted to connect the device directly to a PC serial port. Failure to observe these notes may damage your device.

To get the required values, you need to have attached a TTY3v3 serial port to the J1 connector on the board. The serial port parameters are 38400 baud, 8, N, 1 and no flow control. (If you find you can't type, check flow control is turned off.)

Accessing the bootloader

  1. Power cycle the device whilst at the same time pressing the ESC key on the serial console. You should interrupt the boot process and end up at the RealTek bootloader prompt.

  2. Press ENTER to get a fresh prompt.

It should look something like this:

---RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!

---Escape booting by user
P0phymode=01, embedded phy

---Ethernet init Okay!
<Real
<RealTek>

Reading the key-encryption-key (KEK)

The AUSKEY is itself encrypted by another key that we'll call the KEK. To read the KEK, type the following commands into the bootloader. The first command reads the value from flash into RAM. The next one displays the contents.

    FLR 80000000 401802 16
    DW 80000000 4

Make a note of the single line of output. This is your KEK.

Read the encrypted AUSKEY

Use the following commands

   FLR 80000000 402002 32
   DW 80000000 8

Make a note of the two lines of output. They are your encrypted AUSKEY.

Decode the values

The script linked below can be used to decode the AUSKEY and root password.

Start the python script and, when prompted, paste the lines obtained above to reveal your auskey and root password.

Example decode run :

Example of script run