[Solved] CC3200 Box cannot establish TLS connection to TeddyCloud

I think I have a box with a new firmware version: PD_V3.1.0_BF5-0

It is not mentioned here. Unfortunately I do not know how to make a pull request… Maybe someone can do this for me?

user@host~/Teddycloud/cc3200/sys # python3 firmware_info.py mcuimg1.bin
Firmware Version:       PD_V3.1.0_BF5-0
Firmware Version:       master

Creation Date:          15 Feb 13:41

Read SHA256:            5a25756293f7263013ad70f875ed35412cae1b1d6662e5860bf36b81292a807e
Calculated SHA256:      5a25756293f7263013ad70f875ed35412cae1b1d6662e5860bf36b81292a807e
GIT Shorthash:          b6e1515

If additional information is needed, let me know.

It seems that the patches are not working. I am trying to add this box to my TeddyCloud server, but without luck until now. I start OFW2 with the altCa.305 and altUrl.305 patches applied. I put the TeddyCloud ca.der into flash at /cert/c2.der. The certificate is present and double-checked.

I can see that the CC3200 box contacts local TC server via TLS:

  1. Client Hello
  2. Server Hello
  3. Server sends certificate (the right one from TC server)
  4. Client sends a TCP RST

Is this maybe related to the new firmware, or is something else not well configured?
I have a running ESP32 box which works fine.

Thank you for sharing your finding.

It is a PD firmware which seems to be a production firmware. I am pretty sure this is not the firmware booted by the box. OFW2 simulates the ofw bootloader and boots the active slot.

As soon as the box is online it will update to the EU 3.1.0 BF2.
But I am pretty sure it is already on the bf2.

Please check if your c2.der is identical to your server/ca.der from teddyCloud.

Please split your last question into a new topic and create it in the teddyCloud section.

I checked it via wget "http://ip/api/ajax?cmd=get-flash-file&filepath=/cert/c2.der" -O c2.der
and openssl x509 -in c2.der -noout -text
The serial is identical to the cert in the tcpdump sent from the server.

Then you didn’t boot the slot with the applied altCA patch, or the patch wasn’t applied (because of a typo, for example).

I am lost. No idea where my problem is. I will post my settings. If someone could check them, that would be very nice.

Flash:/cert/c2.der:
I have now triple-checked. It's the same CA cert as in teddycloud/certs/server/ca.der

Content on SD-Card:
[Image 564]
(I have also tried mcuimg2.bin (from original image, is EU_V3.1.0_BF2-0) as ng-ofw2.bin)

These are my configs:

ngCfg.json
{
    "general": {
        "activeImg": "ofw1",
        "_descWaitForPress": "Waits for an earpress on startup",
        "waitForPress": false,
        "_descWaitForBoot": "Waits for an earpress before firmware boot",
        "waitForBoot": false,
        "waitTimeoutInS": 60,
        "_descMinBatteryLevel": "Divide through 2785 to get voltage",
        "minBatteryLevel": 8869,
        "ofwFixFlash": "/sys/pre-img.bin",
        "_descSerialLog": "Logging only works with the debug build!",
        "serialLog": false,
        "_descLogLevel": "0:Trace - 5:Fatal",
        "logLevel": 0,
        "_descLogColor": "Use colors in log output",
        "logColor": false
    },
    "ofw1": {
        "checkHash": false,
        "hashFile": false,
        "watchdog": true,
        "bootFlashImg": true,
        "flashImg": "/sys/pre-img.bin"
    },
    "ofw2": {
        "checkHash": true,
        "hashFile": false,
        "watchdog": true,
        "ofwFix": true,
        "ofwSimBL": true,
        "patches": ["altCa.305", "altUrl.305"]
    },
    "ofw3": {
        "checkHash": true,
        "hashFile": false,
        "watchdog": true,
        "ofwFix": true,
        "patches": ["altCa.305", "altUrl.tc.fritz.box"]
    },
    "cfw1": {
        "checkHash": false,
        "hashFile": false,
        "watchdog": true
    },
    "cfw2": {
        "checkHash": false,
        "hashFile": false,
        "watchdog": true
    },
    "cfw3": {
        "checkHash": false,
        "hashFile": false,
        "watchdog": true
    },
    "add1": {
        "checkHash": true,
        "hashFile": false,
        "watchdog": true,
        "ofwFix": true,
        "ofwSimBL": false,        
        "patches": ["blockCheck.310", "noCerts.305", "noPass3.310", "noPrivacy.305", "uidCheck.307"]
    },
    "add2": {
        "checkHash": true,
        "hashFile": false,
        "watchdog": true,
        "ofwFix": true,
        "ofwSimBL": false,
        "patches": ["altCa.305", "altUrl.305"]
    },
    "add3": {
        "checkHash": true,
        "hashFile": false,
        "watchdog": true,
        "ofwFix": true,
        "ofwSimBL": false,
        "patches": ["altCa.305", "altUrl.305"]
    }
}
altCa.305.json
{
    "general": {
        "_desc": "Change CA from /cert/ca.der to /cert/c2.der",
        "_memPos": "",
        "_fwVer": "3.0.5+"
    },
    "searchAndReplace": [{
        "_desc": "ca.der to c2.der",
        "search":  ["2f", "63", "65", "72", "74", "2f", "63", "61", "2e", "64", "65", "72", "00"],
        "replace": ["??", "??", "??", "??", "??", "??", "??", "32", "??", "??", "??", "??", "??"]
    }]
}
altUrl.305.json
{
    "general": {
        "_desc": "Changes Boxine URLs to custom ones.",
        "_memPos": "",
        "_fwVer": "3.0.5+"
    },
    "searchAndReplace": [{
        "_desc": "prod.de.tbs.toys to prod.revvox",
        "search":  ["70", "72", "6f", "64", "2e", "64", "65", "2e", "74", "62", "73", "2e", "74", "6f", "79", "73", "00"],
        "replace": ["31", "30", "2e", "30", "2e", "30", "2e", "31", "39", "00", "??", "??", "??", "??", "??", "??", "??"]
    }, {
        "_desc": "rtnl.bxcl.de to rtnl.revvox",
        "search":  ["72", "74", "6e", "6c", "2e", "62", "78", "63", "6c", "2e", "64", "65", "00"],
        "replace": ["31", "30", "2e", "30", "2e", "30", "2e", "31", "39", "00", "??", "??", "??"]
    }]
}

activeImg is set to OFW1. I boot into OFW2 using the ears on start.

Any idea what I have missed?

Due to the settings, slot ofw1 and ofw2 won’t boot from the files you placed there.
ofw1 is just a backup (this slot usually boots the more bootloader from flash) and ofw2 simulates the bootloader’s behavior by selecting the same file from flash the ofw bootloader would.
https://tonies-wiki.revvox.de/docs/custom-firmware/cc3200/hackieboxng-bl/bootloader/#additional

I would suggest to connect and check the log output over the UART of the hackiebox-ng bootloader. Maybe there is a typo somewhere.

Yes i will do so. Thanks again!
Do I need the debug version of the loader, or is there basic logging in the release version?

There is no need for the debug version of the preloader (flash). Just replace the hackiebox-ng bootloader on your microSD.

I changed hackiebox-ng bootloader to debug to create a log.

altCA.305 = replace = ?? ?? ?? ?? ?? ?? ??|32 ?? ?? ?? ?? ??
altURL.305 = replace = |31|30|2e|30 2e|30|2e|31|39|00 ?? ?? ?? ?? ?? ?? ??

Does a | in front of the hex value mean that a replace was done?

Here is the full output:

Debug Log
DEBUG main.c:825:main(): Open flash:/sys/mcuimg2.bin ...
DEBUG main.c:832:main(): Read 164013 bytes
DEBUG main.c:609:prepareRun(): Read hash from the end of the image
INFO  main.c:629:prepareRun(): SHA256 hash=36ef76a6937a128d3bf125d7f08c0c120387e44f7b0d346203a7171f828dafbe
INFO  main.c:665:prepareRun(): Found following OFW metadata:
INFO  main.c:667:prepareRun():  version1=EU_V3.1.0_BF2-0
INFO  main.c:669:prepareRun():  version2=3.1.0_BF2_EU
INFO  main.c:671:prepareRun():  git hash=2640c1f
INFO  main.c:674:prepareRun():  creationDate=06 May 20:21
DEBUG main.c:693:prepareRun(): Read OfwFix from ofw bl flash:/sys/pre-img.bin
DEBUG main.c:717:prepareRun(): Apply OFW fix 0x00100318
INFO  patch.c:497:Patch_Apply(): Read patch altCa.305
DEBUG patch.c:148:doSearchAndReplace(): Replace 13b @0x23213
TRACE patch.c:149:doSearchAndReplace(): search  =  2f 63 65 72 74 2f 63 61 2e 64 65 72 00
TRACE patch.c:160:doSearchAndReplace(): replace =  ?? ?? ?? ?? ?? ?? ??|32 ?? ?? ?? ?? ??
INFO  patch.c:497:Patch_Apply(): Read patch altUrl.305
DEBUG patch.c:148:doSearchAndReplace(): Replace 17b @0x232b8
TRACE patch.c:149:doSearchAndReplace(): search  =  70 72 6f 64 2e 64 65 2e 74 62 73 2e 74 6f 79 73 00
TRACE patch.c:160:doSearchAndReplace(): replace = |31|30|2e|30 2e|30|2e|31|39|00 ?? ?? ?? ?? ?? ?? ??
DEBUG patch.c:148:doSearchAndReplace(): Replace 13b @0x26782
TRACE patch.c:149:doSearchAndReplace(): search  =  72 74 6e 6c 2e 62 78 63 6c 2e 64 65 00
TRACE patch.c:160:doSearchAndReplace(): replace = |31|30|2e|30 2e|30|2e|31|39|00 ?? ?? ??
DEBUG main.c:342:BoardDeinitCustom(): Prepare board deinitialization...
INFO  main.c:753:prepareRun(): Start firmware flash:/sys/mcuimg2.bin ...

This looks totally fine.

Yes, this indicates the replacement.

What do you mean by serial?

What is the issue of the /certs/server/ca.der and your c2.der on the box?
Maybe the CA is defective. So you may try to regenerate it by clearing the server folder.
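
The wildcard search-and-replace from the patch files and the debug log earlier in this thread, as an added example that is not part of any post and is not the hackiebox-ng code. The function names, the choice to patch every match, the hard failure on a rule that matches nothing, and the sample image are assumptions; the rule that `|` marks a byte whose value actually changed is inferred from the log lines above.

```python
# Added example: "??" wildcard patching in the style of altCa.305 / altUrl.305.

def hexlist(text: bytes) -> list:
    """Encode bytes as the list of two-digit hex strings used in the patch JSON."""
    return [f"{b:02x}" for b in text]

# Rules rebuilt from altCa.305.json and the first rule of altUrl.305.json.
ALT_CA = {"search": hexlist(b"/cert/ca.der\x00"),
          "replace": ["??"] * 7 + ["32"] + ["??"] * 5}
ALT_URL = {"search": hexlist(b"prod.de.tbs.toys\x00"),
           "replace": hexlist(b"10.0.0.19\x00") + ["??"] * 7}

def apply_rule(image: bytearray, rule: dict) -> list:
    """Patch every match in place; return [(offset, trace)] so zero hits is visible."""
    search = bytes(int(h, 16) for h in rule["search"])
    replace = rule["replace"]
    if len(search) != len(replace):
        raise ValueError("search and replace must be the same length")
    hits, pos = [], image.find(search)
    while pos != -1:
        trace = ""
        for i, tok in enumerate(replace):
            if tok == "??":                      # wildcard: keep the original byte
                trace += " ??"
                continue
            new = int(tok, 16)
            trace += ("|" if image[pos + i] != new else " ") + tok
            image[pos + i] = new
        hits.append((pos, trace))
        pos = image.find(search, pos + len(search))
    return hits

def patch_image(image: bytes, rules: list) -> tuple:
    """Apply all rules to a copy; fail loudly if any rule matched nothing."""
    buf, log = bytearray(image), []
    for rule in rules:
        hits = apply_rule(buf, rule)
        if not hits:
            raise LookupError("pattern not found: patch does not fit this image")
        log.extend(hits)
    return bytes(buf), log

# Constructed stand-in for a firmware image (not real firmware contents).
SAMPLE = b"\xff" * 8 + b"/cert/ca.der\x00" + b"\xff" * 3 + b"prod.de.tbs.toys\x00"

if __name__ == "__main__":
    patched, log = patch_image(SAMPLE, [ALT_CA, ALT_URL])
    for offset, trace in log:
        print(f"Replace @0x{offset:x} replace ={trace}")
```

The fifth byte of the URL rule prints without a `|` because `2e` was already at that position in `prod.de.tbs.toys`, which matches the trace in the posted log.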

The serial number of the certificate.

Here are both certs next to each other:
→ ca.der was copied from the TeddyCloud folder
→ c2.der was downloaded via API from CC3200 box

MD5sum is identical and dump of both looks equal too.

Cert is working fine with my ESP32 box

This doesn’t mean it is okay or compatible. Please try it with a fresh CA with the cc3200 box.

You are absolutely right! I have now created new certs, and now it works for the CC3200 box. Now I will add the new certs to the ESP32 box and hope it will work too. :smiley:

Thank you very much for your great support and your time!


Good news! (Especially for me :joy:)
I finished flashing the ESP32 box with the new certs and it works too. Now I have connected both boxes (CC3200+ESP32) to my teddyCloud instance.
Thanks a lot!