Teddycloud CC3235 Newbie HowTo

@Quoc Hey inonoob here, I helped Marco79cgn to flash his box.

If I see correctly you have a TTL to USB module. I think that won’t work. You need the CH341A as it uses the SPI protocol. The CH341A can be put into TTL to USB mode by removing the bridge.

I highly doubt that your module will work. But I might be wrong.

Best Regards

PS: I usually use the TTL to USB to connect to the raspberry pi serial port.


@Martin_Gubin,

Did you set the DNS server in the Fritzbox under Internet or under Local Network?

The option under Internet → DNS server will make all clients send their requests to your Fritzbox IP, and the Fritzbox forwards the DNS requests to your Pi-hole. BUT your Pi-hole will then see all requests as coming from the Fritzbox. If you want each client in your network to have the Pi-hole as its DNS entry, you need to edit it in the network part and define “LOKALER DNS”.

@Martin_Gubin

Quick question: is your Pi-hole installed directly on the Pi, or is it also running in Docker?

I would suggest having Pi-hole & Teddycloud running in Docker and adapting the port of Pi-hole. The issue here is that Pi-hole in Docker is not the best. If you can, take a look at AdGuard; it is way easier compared to Pi-hole.

As a quick solution, you can edit the file /etc/lighttpd/lighttpd.conf and change server.port from 80 to 81. Then do a restart of this service:

sudo systemctl restart lighttpd.service

The problem is that you have to repeat this on every Pihole update in the future. Could be solved by a cron job, but a better solution would be to use e.g. macvlan and assign a dedicated ip address to your teddycloud docker container.

Port 80 on Pi-hole is „just“ the web interface, so it works nonetheless for DNS, blocking ads etc. even if there‘s a port conflict.

I’ve changed to AdGuard and it states pretty clear that when the box is requesting rtnl.bxcl.de, the response is rewritten to my raspi IP.

There’s one thing I noticed on step 7. It won’t let me generate certs because faketime is required and not installed. What I did was just “sudo apt install faketime”, is that correct?

I think either port 443 is blocked somehow or my certs are not accepted by my Toniebox.

Edit: Just for clarification. If I set up the DNS correctly with the original firmware on my Toniebox, would it give the owl error or “tada”?

Also, when patching the firmware, the last info is “File /cert/ca.der could not be verified”. Is that normal?

My teddycloud logs are like this:

INFO |cloud_request.c:0178:web_request| Cloud requests generally blocked in settings

ERROR|handler_reverse.c:0029:handleReverse| cloud_request_get() failed

INFO |cloud_request.c:0178:web_request| Cloud requests generally blocked in settings

ERROR|handler_reverse.c:0029:handleReverse| cloud_request_get() failed

INFO |server.c:0929:server_init| 1 open HTTPS Web connections

WARN |tls_server_fsm.c:0260:tlsPerformServerHandshake| TLS handshake failure!

INFO |server.c:0929:server_init| 2 open HTTPS Web connections

WARN |tls_server_fsm.c:0260:tlsPerformServerHandshake| TLS handshake failure!

INFO |server.c:0929:server_init| 1 open HTTPS Web connections

INFO |server.c:0929:server_init| 2 open HTTPS Web connections

WARN |tls_server_fsm.c:0260:tlsPerformServerHandshake| TLS handshake failure!

INFO |server.c:0929:server_init| 1 open HTTPS Web connections

INFO |server.c:0929:server_init| 2 open HTTPS Web connections

WARN |tls_server_fsm.c:0260:tlsPerformServerHandshake| TLS handshake failure!

@Martin_Gubin

To recap your status:

  • Created the certifications and flashed your Toniebox and copied files to Teddycloud
  • Setup Adguard with DNS redirection for the Toniebox to hit the Teddybox IP

Current problem ?

  • Toniebox can’t connect to the Teddycloud ?
  • You can’t connect to Teddycloud via Browser ?
  • Do you have a browser error that won’t let you connect at all with the Teddycloud ?

Your error shows that the box is not talking to the Teddycloud. It looks like the certificates on the box are not right.

Could you explain how you did the flashing process, with focus on everything from the creation of the certificates until copying the cert to the box and to the Teddycloud?

I might have an idea what it could be but I need more details here.

That’s correct, I’ll add this to the instructions.

If you set up your box with the original/unmodified firmware and still point the DNS of prod.de.tbs.toys and rtnl.bxcl.de to your local Raspberry Pi IP, then you would for sure get an “owl” exception when doing a freshness check or trying to play a Tonie which is not already on the SD card of your Toniebox, because you cut the connection to the original Toniecloud with these DNS rules.

This is normal, was the same in my case. And btw, if the diff shows nothing, it means the files are identical.

Nothing special in the log part you posted. It just means that access to the original Boxine cloud is disabled (which is the default) and that you obviously tried to access the Teddycloud GUI via https (port 8443), which leads to this warning:

WARN |tls_server_fsm.c:0260:tlsPerformServerHandshake| TLS handshake failure!

I don’t think it’s something with port 443. You can double-check by running this command on your Pi: sudo ss -ltnp | grep :443. It should be in use only by docker (Teddycloud).

As @inonoob already asked, it’s difficult to understand what your current problem is. Your Toniebox doesn’t appear in Teddycloud and always says “Owl”?

Sorry for the confusion. I’m just trying to provide as much info as possible.

Yes, I always get “owl” after flashing the patched firmware.

For the flashing process:

I’m pretty much just following the guide:
Creating Certs:

cd && mkdir toniebox && cd toniebox
wget "https://raw.githubusercontent.com/toniebox-reverse-engineering/teddycloud/master/contrib/gencerts.sh" -O gencert.sh
chmod 755 gencert.sh
./gencert.sh # -> faketime error
sudo apt install faketime
./gencert.sh # -> again, but this time it's working and, compared to the teddycloud cert creation, pretty fast

then I’m copying these to the teddycloud, but with sudo, because otherwise I did receive an error:

sudo docker cp ~/toniebox/certs/server/ca.der teddycloud:/teddycloud/certs/server/ca.der
sudo docker cp ~/toniebox/certs/server/ca-key.pem teddycloud:/teddycloud/certs/server/ca-key.pem
sudo docker cp ~/toniebox/certs/server/ca-root.pem teddycloud:/teddycloud/certs/server/ca-root.pem
sudo docker restart teddycloud

Then doing a cd certs which is a small detail missing in the guide, I think.

Then I’m extracting the firmware from the box with:

sudo flashrom -p ch341a_spi -r backupCC3235.bin

Confirmed the 4 MB and the Boxine signings.

Then extracting in virtual environment:

pi@raspi:~/toniebox/certs $ source ~/.venv/bin/activate
pi@raspi:~/toniebox/certs $ cc3200tool -if backupCC3235.bin -d cc32xx read_all_files extract/

I Copy the extracted certs to teddycloud (I can confirm that I am able to connect to Boxine cloud)

Then I’m patching the firmware with the given command, again in the virtual environment (my username is pi, too), and I’m flashing with “sudo flashrom -p ch341a_spi -w cc3235-flash.customca.bin”.

That is my flashing process. I have the exact same CH341A programmer bought as mentioned in the beginning.

I just did a factory reset on my pi and my router and reflashed my teddybox with the backup. I’m thinking about doing a small video with my process, maybe someone can find out what I’m doing wrong. I already feel bad to spam this section…

This looks perfect, so I’d guess everything is alright with your box flashing process.

So let’s get back to the DNS which I assume is (still) your problem:
How do you make sure that your Toniebox is aware of your DNS changes? This is kind of a blackbox as you can’t really see what’s happening on the Toniebox itself. So the most important thing is that your DHCP server in the Fritzbox is configured to set your Adguard/Pihole DNS to all clients automatically (including your Toniebox). This is how it looks in my case (*.10 is my Pihole):

Be aware that changing this value might take a little time until it reaches the clients in your network. The DHCP lease for the client (especially the Toniebox) has to be renewed. Don’t know how to force this for the Toniebox. Might need some patience.

Now that you switched to Adguard and followed @inonoob’s instructions, you first have to make sure that your Toniebox always gets the same IP address from your DHCP server. Activate this checkbox:

Finally you have to set up this rule in Adguard home, replacing [TEDDYCLOUD-IP] and [TONIEBOX-IP] with your ip addresses:

||prod.de.tbs.toys^$dnsrewrite=NOERROR;A;[TEDDYCLOUD-IP],client=[TONIEBOX-IP]
||rtnl.bxcl.de^$dnsrewrite=NOERROR;A;[TEDDYCLOUD-IP],client=[TONIEBOX-IP]

As an example, this is how it would look in my case, where Teddybox is using 192.168.178.11 and the Toniebox has the static IP address 192.168.178.191:

||prod.de.tbs.toys^$dnsrewrite=NOERROR;A;192.168.178.11,client=192.168.178.191
||rtnl.bxcl.de^$dnsrewrite=NOERROR;A;192.168.178.11,client=192.168.178.191

I don’t know why it is not working. I have started over, everything is running smooth, except the teddycloud connection to the box :sob:

(.venv) pi@raspberrypi:~/toniebox/certs $ sudo ss -ltnp | grep :443
LISTEN 0      4096         0.0.0.0:443       0.0.0.0:*    users:(("docker-proxy",pid=25817,fd=4))
LISTEN 0      4096            [::]:443          [::]:*    users:(("docker-proxy",pid=25823,fd=4))

And I still have the “Owl” error and can’t find any box in Teddycloud.

Maybe someone can send me their working cert files so I can patch them in to test? I don’t know what else I can do to make it work.

Edit: As a new user I could only add one image, that’s why it’s made in Paint :sweat_smile:

On your Teddycloud Pi, could you please start tailing the logs of your container:

docker logs -f teddycloud

After that, please restart your teddycloud (e.g. from the Browser GUI → Settings → Restart server) and then post the complete logs from the server startup?

2024-11-16T22:19:20.098649569Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:19:20.849023046Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:19:38.859743498Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:19:39.609973623Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:19:57.872169530Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:19:58.622449492Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:20:16.633498128Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:20:17.383839577Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:20:35.394763287Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:20:36.145026389Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:20:54.156368198Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:20:55.156731198Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:21:13.168492592Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:21:13.918910261Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:23:46.516778730Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:23:47.517004804Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:23:48.517560321Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:23:49.267912323Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:23:49.518082780Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:23:50.268442058Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:23:50.715451000Z WARN |tls_server_fsm.c:0260:tlsPerformServerHandshake| TLS handshake failure!
2024-11-16T22:23:50.768786805Z INFO |server.c:0929:server_init| 1 open HTTPS Web connections
2024-11-16T22:23:51.010022979Z WARN |tls_server_fsm.c:0260:tlsPerformServerHandshake| TLS handshake failure!
2024-11-16T22:23:51.018889262Z INFO |server.c:0929:server_init| 2 open HTTPS Web connections
2024-11-16T22:23:53.020313058Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:23:53.770664333Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:24:00.023938749Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:24:00.774330442Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:24:04.025711232Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:24:04.776085124Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:24:10.530212393Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:24:11.280353743Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:24:29.541445120Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:24:30.541769229Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:24:48.552765124Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:24:49.303126219Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:25:07.313596529Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:25:08.314034324Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:25:26.324132146Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:25:27.074472847Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:25:45.085010184Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:25:45.835234616Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:26:03.598969157Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:26:04.349192748Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:26:22.360231879Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:26:23.360677349Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:26:41.374583467Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:26:42.124886790Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:27:00.136243217Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:27:00.886662604Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:27:18.897919899Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:27:19.898135108Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:27:37.909219198Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:27:38.659628916Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:27:40.309349618Z TeddyCloud v0.6.2 (203f12d) - 2024-10-26 18:14:34 +0000 ubuntu linux-aarch64(64)
2024-11-16T22:27:40.309476210Z 
2024-11-16T22:27:40.312434850Z INFO |settings.c:0848:settings_load_ovl| Load settings from /teddycloud/config/config.overlay.ini
2024-11-16T22:27:40.315566045Z INFO |settings.c:0848:settings_load_ovl| Load settings from /teddycloud/config/config.ini
2024-11-16T22:27:40.316351260Z INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/ca-root.pem' assumed PEM style
2024-11-16T22:27:40.317028125Z INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/ca-key.pem' assumed PEM style
2024-11-16T22:27:40.317696860Z INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/teddy-cert.pem' assumed PEM style
2024-11-16T22:27:40.318335261Z INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/teddy-key.pem' detected as DER style RSA PRIVATE KEY
2024-11-16T22:27:40.319227235Z INFO |tls_adapter.c:0197:read_certificate| File '/teddycloud/certs/client/ca.der' detected as DER style CERTIFICATE
2024-11-16T22:27:40.319927432Z INFO |tls_adapter.c:0197:read_certificate| File '/teddycloud/certs/client/client.der' detected as DER style CERTIFICATE
2024-11-16T22:27:40.320962127Z INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/client/private.der' detected as DER style RSA PRIVATE KEY
2024-11-16T22:27:40.321591603Z INFO |settings.c:0848:settings_load_ovl| Load settings from /teddycloud/config/config.overlay.ini
2024-11-16T22:27:40.325367125Z INFO |tls_adapter.c:0390:tls_adapter_init| Loading certificates...
2024-11-16T22:27:40.325460995Z INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/ca-root.pem' assumed PEM style
2024-11-16T22:27:40.325549550Z INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/ca-key.pem' assumed PEM style
2024-11-16T22:27:40.325700622Z INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/teddy-cert.pem' assumed PEM style
2024-11-16T22:27:40.325865454Z INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/teddy-key.pem' detected as DER style RSA PRIVATE KEY
2024-11-16T22:27:40.326119600Z INFO |tls_adapter.c:0197:read_certificate| File '/teddycloud/certs/client/ca.der' detected as DER style CERTIFICATE
2024-11-16T22:27:40.326331450Z INFO |tls_adapter.c:0197:read_certificate| File '/teddycloud/certs/client/client.der' detected as DER style CERTIFICATE
2024-11-16T22:27:40.326572559Z INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/client/private.der' detected as DER style RSA PRIVATE KEY
2024-11-16T22:27:40.351919113Z INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.custom.json with size 2
2024-11-16T22:27:40.352012316Z INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.json with size 5051239
2024-11-16T22:27:41.092863887Z INFO |toniesJson.c:0100:tonies_update| Updating tonies.json from api.revvox.de...
2024-11-16T22:27:41.092955276Z INFO |cloud_request.c:0200:web_request| Connecting to HTTP server api.revvox.de:443...
2024-11-16T22:27:41.108457065Z INFO |cloud_request.c:0252:web_request|   trying IP: 157.90.183.226
2024-11-16T22:27:41.359212059Z INFO |cloud_request.c:0382:web_request| Redirecting to: https://raw.githubusercontent.com/toniebox-reverse-engineering/tonies-json/release/tonies.json
2024-11-16T22:27:41.359366928Z INFO |cloud_request.c:0200:web_request| Connecting to HTTP server raw.githubusercontent.com:443...
2024-11-16T22:27:41.375772635Z INFO |cloud_request.c:0252:web_request|   trying IP: 185.199.111.133
2024-11-16T22:27:43.672904931Z INFO |toniesJson.c:0124:tonies_update| ... success updating tonies.json from api.revvox.de, reloading
2024-11-16T22:27:43.735083015Z INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.custom.json with size 2
2024-11-16T22:27:43.735236032Z INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.json with size 5051239
2024-11-16T22:27:44.486278039Z INFO |toniesJson.c:0211:tonieboxes_update| Updating tonies.json from api.revvox.de...
2024-11-16T22:27:44.486368557Z INFO |cloud_request.c:0200:web_request| Connecting to HTTP server api.revvox.de:443...
2024-11-16T22:27:44.500942281Z INFO |cloud_request.c:0252:web_request|   trying IP: 157.90.183.226
2024-11-16T22:27:44.750198837Z INFO |cloud_request.c:0382:web_request| Redirecting to: https://raw.githubusercontent.com/toniebox-reverse-engineering/tonies-json/release/tonieboxes.json
2024-11-16T22:27:44.750297003Z INFO |cloud_request.c:0200:web_request| Connecting to HTTP server raw.githubusercontent.com:443...
2024-11-16T22:27:44.766086180Z INFO |cloud_request.c:0252:web_request|   trying IP: 185.199.111.133
2024-11-16T22:27:44.950759969Z INFO |toniesJson.c:0238:tonieboxes_update| ... success updating tonieboxes.json from api.revvox.de, reloading
2024-11-16T22:27:45.016296284Z INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.custom.json with size 2
2024-11-16T22:27:45.016783168Z INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.json with size 5051239
2024-11-16T22:27:55.820407182Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:27:56.571054264Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:28:14.584680203Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:28:15.334970242Z INFO |server.c:0959:server_init| 0 open HTTPS API connections
2024-11-16T22:28:33.346001662Z INFO |server.c:0959:server_init| 1 open HTTPS API connections
2024-11-16T22:28:34.346369524Z INFO |server.c:0959:server_init| 0 open HTTPS API connections

Looks good. Now what happens in the logs when you do a freshness check? Or place a Tonie on the Box?

INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
WARN |tls_server_fsm.c:0260:tlsPerformServerHandshake| TLS handshake failure!
WARN |tls_server_fsm.c:0260:tlsPerformServerHandshake| TLS handshake failure!
WARN |tls_server_fsm.c:0260:tlsPerformServerHandshake| TLS handshake failure!
INFO |server.c:0929:server_init| 3 open HTTPS Web connections
WARN |tls_server_fsm.c:0260:tlsPerformServerHandshake| TLS handshake failure!
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |server.c:0959:server_init| 0 open HTTPS API connections

Also, the only time I see requests from the box in AdGuard is when the box turns on. I can’t see anything new in AdGuard when I do a freshness check or use a non-downloaded Tonie.

Hey,

that still looks like an issue with the certificates. The DNS and network settings look good, but your certificates are still the issue.

Could you post each command you typed into your console, and explain your process again step by step?

I know it is annoying but I think it all comes down to the flashing and copying process.

@Martin_Gubin

This is how my cert folder for Teddycloud looks:

Client:

~/teddycloudfolder/certs/client$ ls
ca.der  client.der  private.der

Those files are from the extract of your original Toniebox firmware.

Server:

~/teddycloudfolder/certs/server$ ls
ca-key.pem  ca-root.pem  ca-root.srl  ca.der  teddy-cert.pem  teddy-key.csr  teddy-key.pem

All those files are from the gencerts.sh program. The ca.der is the one I flashed the Toniebox with.

Does your folder look the same?

One last thing: how do you copy your certs into the docker container? Can you please show your docker config?

@Martin_Gubin

This is my docker config. I put the certs in a dedicated folder and then pass them through via the volume option. I never used the “docker cp” function. Maybe that is the issue? Be advised, I use the develop branch.

version: '3'
services:
  teddycloud:
    container_name: teddycloud
    hostname: teddycloud
    image: ghcr.io/toniebox-reverse-engineering/teddycloud:develop
    ports:
      - 80:80 #optional (for the webinterface)
      - 8443:8443 #optional (for the webinterface)
      - 443:443 #Port is needed for the connection for the box, must not be changed!
    volumes:
      - /home/XXX/teddycloudfolder/certs:/teddycloud/certs
      - /home/XXX/teddycloudfolder/config:/teddycloud/config
      - /home/XXX/teddycloudfolder/data/content:/teddycloud/data/content
      - /home/XXX/teddycloudfolder/data/library:/teddycloud/data/library
      - /home/XXX/teddycloudfolder/data/firmware:/teddycloud/data/firmware
      - /home/XXX/teddycloudfolder/data/cache:/teddycloud/data/cache
    restart: unless-stopped

Edit: Could it be that if you copy the certs into the docker container and then destroy the container by restarting it, the files are lost? I’m not an expert in Docker, but the files within the container are not persistent if not linked via the volume option. Please correct me if I’m wrong.

Actually that’s not the case. There are two ways for volume mounts in Docker:

  1. native Docker volumes: - certs:/teddycloud/certs
  2. explicitly mounted directories: - /home/xxx/teddy/certs:/teddycloud/certs

In both cases, the data is not lost when you shut down, restart or update the container. Both of them even persist when you delete the container.

In case 1, the Docker daemon will create a dedicated folder for each defined volume inside its own directories. So at the end, this is also a directory on your host system, but owned by docker or root. The default directory for Docker volumes is /var/lib/docker/volumes/ (on Linux). So if you define your docker-compose.yaml like in example 1. , your certificate volume will be created at /var/lib/docker/volumes/teddycloud_certs/_data on your host system. Any files that you copy or move into this directory will be available inside the container (and vice-versa).

So at the end, 1 and 2 are basically the same, the only difference is that in case 1, Docker will take care of creating the folders. Whereas in case 2, the file handling is a little bit more convenient, as this directory might already belong to your user (e.g. pi instead of root).

I suspect that your error is here. Can you please post this step in more detail? Are you sure that you patch the ca.der of Teddycloud (→ result of gencerts.sh) into your dumped firmware?

cc3200tool -if backupCC3235.bin -of cc3235-flash.customca.bin -d cc32xx write_file /home/pi/toniebox/certs/server/ca.der /cert/ca.der

The second-to-last parameter (/home/pi/toniebox/certs/server/ca.der) has to be the Teddy CA, not the Boxine CA that you read from your Toniebox. Here’s a picture of how it has to be at the end, after you flashed your modified firmware onto your Toniebox:
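A check for the step above, added here as an example (not code from the thread, teddycloud or cc3200tool): it compares the /cert/ca.der read back from a flash dump with the two CA files teddycloud keeps and reports whether the box now trusts your gencerts.sh CA or still the Boxine one. It assumes that cc3200tool's read_all_files writes the file to extract/cert/ca.der and the certs/server and certs/client layout inonoob posted; the DER blobs in the demo are constructed.

```python
"""Which CA is actually in the Toniebox flash dump? (added example, see lead-in)"""
import hashlib
import os
import tempfile


def der_is_plausible(data: bytes) -> bool:
    """Cheap sanity check, not an X.509 parse: one DER SEQUENCE whose
    encoded length covers exactly the whole file."""
    if len(data) < 4 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        body_len, header = first, 2
    else:                                  # long form: 0x80|N, then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        body_len = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + body_len == len(data)


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def classify_flash_ca(extract_dir: str, certs_dir: str) -> str:
    """Compare extract/cert/ca.der with teddycloud's two CA files.

    'teddycloud': the box trusts your gencerts.sh CA (what you want).
    'boxine':     the original CA was written back, the handshake will fail.
    'invalid':    not a DER file at all.  'unknown': some other CA.
    (Assumed path layout: extract/cert/ca.der, certs/server, certs/client.)
    """
    with open(os.path.join(extract_dir, "cert", "ca.der"), "rb") as f:
        data = f.read()
    if not der_is_plausible(data):
        return "invalid"
    digest = hashlib.sha256(data).hexdigest()
    if digest == sha256_of(os.path.join(certs_dir, "server", "ca.der")):
        return "teddycloud"
    if digest == sha256_of(os.path.join(certs_dir, "client", "ca.der")):
        return "boxine"
    return "unknown"


def _fake_der(payload: bytes) -> bytes:
    """Constructed stand-in for a certificate: DER SEQUENCE { payload }."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length)]) + length + payload


def _write(path: str, blob: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(blob)


def demo() -> dict:
    """Constructed folder layout; classify four possible flash contents."""
    teddy_ca = _fake_der(b"teddycloud CA " * 20)    # long-form length
    boxine_ca = _fake_der(b"Boxine CA")
    variants = {
        "patched_correctly": teddy_ca,
        "boxine_written_back": boxine_ca,
        "truncated_copy": teddy_ca[:-5],
        "someone_elses_ca": _fake_der(b"other CA"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        certs = os.path.join(tmp, "certs")
        _write(os.path.join(certs, "server", "ca.der"), teddy_ca)
        _write(os.path.join(certs, "client", "ca.der"), boxine_ca)
        for name, blob in variants.items():
            extract = os.path.join(tmp, "extract_" + name)
            _write(os.path.join(extract, "cert", "ca.der"), blob)
            results[name] = classify_flash_ca(extract, certs)
    return results


if __name__ == "__main__":
    for variant, verdict in demo().items():
        print(f"{variant:20s} -> {verdict}")
```

On a real setup, point classify_flash_ca at the extract/ directory of the patched dump and at the certs folder you mount into the container.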

@Martin_Gubin I think I know why. Please put both domains on your allowlist in AdGuard so they don‘t get blocked!

prod.de.tbs.toys 
rtnl.bxcl.de
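To make the two-rule fix concrete, here is an added example (not AdGuard Home code, and not from the thread) that parses the rewrite and allowlist rules in the syntax used in this thread and shows why the rewrite alone does nothing for the box while a blocklist still covers the domain. The blocklist entries and the laptop IP are constructed; the "block wins unless allowlisted" ordering models what this thread observed, not AdGuard's internals.

```python
"""Model of how the AdGuard Home rules from this thread resolve Toniebox lookups.

Added example, not AdGuard Home code. Only three rule forms are modelled:
a plain ||host^ block (as a subscribed blocklist would add), the @@||host^
allowlist exception, and $dnsrewrite=NOERROR;A;IP with an optional client=IP.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RULE_RE = re.compile(r"^(?P<allow>@@)?\|\|(?P<host>[^^$]+)\^(?:\$(?P<mods>.+))?$")


@dataclass
class Rule:
    host: str
    allow: bool = False
    rewrite: Optional[str] = None   # A record to answer with
    client: Optional[str] = None    # rule applies only to this client IP

    def matches(self, qname: str, client_ip: str) -> bool:
        # ||host^ covers the host itself and every subdomain of it
        host_ok = qname == self.host or qname.endswith("." + self.host)
        return host_ok and (self.client is None or self.client == client_ip)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    rule = Rule(host=m.group("host"), allow=bool(m.group("allow")))
    for mod in filter(None, (m.group("mods") or "").split(",")):
        key, _, value = mod.partition("=")
        if key == "dnsrewrite":
            rcode, rrtype, target = value.split(";")
            if rcode != "NOERROR" or rrtype != "A":
                raise ValueError(f"only NOERROR;A rewrites are modelled: {mod}")
            rule.rewrite = target
        elif key == "client":
            rule.client = value
        else:
            raise ValueError(f"unsupported modifier: {mod}")
    return rule


def resolve(qname: str, client_ip: str, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Return ('BLOCKED', None), ('REWRITE', ip) or ('UPSTREAM', None).

    Order as observed in the thread: a block rule wins over a rewrite unless
    an allowlist rule also matches; a rewrite only applies to its client.
    """
    hits = [r for r in rules if r.matches(qname, client_ip)]
    allowed = any(r.allow for r in hits)
    blocked = any(not r.allow and r.rewrite is None for r in hits)
    if blocked and not allowed:
        return ("BLOCKED", None)
    for r in hits:
        if r.rewrite and not r.allow:
            return ("REWRITE", r.rewrite)
    return ("UPSTREAM", None)


TEDDYCLOUD_IP = "192.168.178.11"     # the thread's example addresses
TONIEBOX_IP = "192.168.178.191"

BLOCKLIST = ["||prod.de.tbs.toys^", "||rtnl.bxcl.de^"]   # constructed list entries
REWRITES = [                                             # the two rules from the thread
    f"||prod.de.tbs.toys^$dnsrewrite=NOERROR;A;{TEDDYCLOUD_IP},client={TONIEBOX_IP}",
    f"||rtnl.bxcl.de^$dnsrewrite=NOERROR;A;{TEDDYCLOUD_IP},client={TONIEBOX_IP}",
]
ALLOWLIST = ["@@||prod.de.tbs.toys^", "@@||rtnl.bxcl.de^"]   # the fix


def demo() -> dict:
    before = [parse_rule(r) for r in BLOCKLIST + REWRITES]
    after = [parse_rule(r) for r in BLOCKLIST + REWRITES + ALLOWLIST]
    return {
        "box_before_fix": resolve("prod.de.tbs.toys", TONIEBOX_IP, before),
        "box_after_fix": resolve("prod.de.tbs.toys", TONIEBOX_IP, after),
        "laptop_after_fix": resolve("rtnl.bxcl.de", "192.168.178.50", after),  # constructed client
        "unrelated_host": resolve("example.org", TONIEBOX_IP, after),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {outcome}")
```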

THIS! OMG IT WORKED! Thank you so much!

I have no idea why, but I completely removed teddycloud from docker. Then I created the folders
/home/pi/teddycloudfolder/certs/client
and
/home/pi/teddycloudfolder/certs/server

And I added my Toniebox certs to the client folder and the generated ones to server BEFORE creating the teddycloud. Then I created teddycloud with your options:

version: '3'
services:
  teddycloud:
    container_name: teddycloud
    hostname: teddycloud
    image: ghcr.io/toniebox-reverse-engineering/teddycloud:develop
    ports:
      - 80:80 #optional (for the webinterface)
      - 8443:8443 #optional (for the webinterface)
      - 443:443 #Port is needed for the connection for the box, must not be changed!
    volumes:
      - /home/pi/teddycloudfolder/certs:/teddycloud/certs
      - /home/pi/teddycloudfolder/config:/teddycloud/config
      - /home/pi/teddycloudfolder/data/content:/teddycloud/data/content
      - /home/pi/teddycloudfolder/data/library:/teddycloud/data/library
      - /home/pi/teddycloudfolder/data/firmware:/teddycloud/data/firmware
      - /home/pi/teddycloudfolder/data/cache:/teddycloud/data/cache
    restart: unless-stopped

develop branch and latest are working fine. Teddycloud instantly recognized my Toniebox!

…I have no idea why it didn’t work the initial way. I was able to copy the client certs from the box without issues, I was even able to activate the Boxine cloud.
I also extracted the patched firmware and did a diff command with the docker server file and they said they were identical…

Anyways, thank you so much for your support. I really, really appreciate it.