Trane XL950 Thermostat

Ouch. It sucks she broke it, but at least you have a “guinea pig” now. Do you happen to have the hardware to solder to the NAND so you can read/write? That would be awesome. I have been able to run some commands as root! ;D
I have been able to unpack > modify > repack and run the 3.0 update. For now I am playing with the updater portion (b_138271353801) by injecting my own script into init.d. My goal at the moment is to dump the NAND. I had the first success last night and was able to dump out some common things. I didn’t learn too much more than I already knew from them, but something is better than nothing. The script ran way too early in the boot process, so syslog wasn’t even up yet. Below is that info. For anyone who did not know… the tstat is based on the Freescale IMX35PDK: i.MX35 Product Development Kit… there is a plethora of info on their website.

offsets of NAND "partitions"
0x00000000-0x00200000 : "nand.redboot"
0x00200000-0x00700000 : "nand.kernel"
0x00700000-0x10100000 : "nand.rootfs"
0x10100000-0x29100000 : "nand.upgrade"
0x29100000-0x40000000 : "nand.factory" <- I’m guessing this is going to hold the magic data we want to get our hands on.

output of uname -a
Linux ComfortControl 2.6.26-466-ga04670e #1 Thu Oct 17 01:35:01 CDT 2013 armv6l unknown

output of ps aux
PID Uid VSZ Stat Command
1 root 2800 SW init
2 root SW< [kthreadd]
3 root SW< [ksoftirqd/0]
4 root SW< [watchdog/0]
5 root SW< [events/0]
6 root SW< [khelper]
89 root SW< [kblockd/0]
92 root SW< [cqueue]
100 root SW< [mxc_spi.0]
120 root SW< [kmmcd]
127 root SW< [mc13892/0]
190 root SW [pdflush]
191 root SW [pdflush]
192 root SW< [kswapd0]
234 root SW< [aio/0]
239 root SW< [nfsiod]
865 root SW< [mtdblockd]
894 root SW< [rpciod/0]
896 root SW< [mmcqd]
908 root SW [mxc_ts]
909 root SW [pdflush]
912 root 2800 SW init
913 root 2800 SW /bin/sh /etc/rc.d/rcS
935 root 1600 SW< udevd --daemon
1717 root 2800 RW /bin/sh /etc/rc.d/init.d/filesystems start
1740 root 2804 RW ps aux

whoami - root

id - uid=0(root) gid=0(root)

As you can see, the system is barely booted at the point I was in last night. Since I am injecting before the update actually runs, I can just hit cancel when it gets to that point, so pretty much no chance of bricking… getting there… I need to get it to load the mtd kernel module… load the “partitions” and then dump them with the following…

#dump the nand partitions
###0x00000000-0x00200000 : "nand.redboot"
nanddump -f /media/sd-mmcblk0p1/mtd0 /dev/mtd0

###0x00200000-0x00700000 : "nand.kernel"
nanddump -f /media/sd-mmcblk0p1/mtd1 /dev/mtd1

###0x00700000-0x10100000 : "nand.rootfs"
nanddump -f /media/sd-mmcblk0p1/mtd2 /dev/mtd2

###0x10100000-0x29100000 : "nand.upgrade"
nanddump -f /media/sd-mmcblk0p1/mtd3 /dev/mtd3

###0x29100000-0x40000000 : "nand.factory"
nanddump -f /media/sd-mmcblk0p1/mtd4 /dev/mtd4

I think a wiki is a great idea. I’m going out of town for the weekend so I can’t do it just yet. I have attached a zip with the outputs that actually returned things. The logs are named after the command run, as you can see from my “payload” below.

###dump all the things!
dmesg > /media/sd-mmcblk0p1/dmesg
df > /media/sd-mmcblk0p1/df
du > /media/sd-mmcblk0p1/du
free > /media/sd-mmcblk0p1/free
id > /media/sd-mmcblk0p1/id
ps aux > /media/sd-mmcblk0p1/ps
uname -a > /media/sd-mmcblk0p1/uname
whoami > /media/sd-mmcblk0p1/whoami
wreep -h > /media/sd-mmcblk0p1/wreep
boardrev -r > /media/sd-mmcblk0p1/boardrev
lsmod > /media/sd-mmcblk0p1/lsmod

EDIT:
PS… I noticed last night that dropbear (the ssh server) is started with the -w argument. -w = no root login. So the only way in, even with the password on a “stock” firmware, will be with the raptor21 user… which from the groups file doesn’t have many permissions. One thing at a time though… Hopefully once SSH’d into the raptor21 acct I/we can exploit something to escalate privileges. Ideally I could modify the jffs2 image in the update and remove the -w switch from the init.d script that loads dropbear… but I have not had the balls to do that yet =P

My “end goal” at the moment is to be able to format a portion of the SD card as an ext partition that the tstat can use, inject into one of the startup scripts in the jffs2 img in the update and then install it so that when it boots it will attempt to mount the ext2 partition on the sd card and run an “init.sh” script from it if it exists… then we can put anything we want to do/run on the card and start it from the script. I think that’s the safest way as it doesn’t modify the stock firmware much… the init.sh script could do something like killall dropbear > adduser > restart dropbear etc. thoughts?

Phorkus - think it might be possible to add a SD card with the directory clii_logs on it, in a fat32 partition, and see if it writes interesting things there (like passwords, seeds, hashes, etc.). I'll see about setting up a full emulated environment and package it as a VM for folks once I figure out how to do so. Anyone interested in a compiler image, as well, to write custom "applets" for the XL? I know I'd love to know how to install additional applications, and since it's Linux with XML configuration files, I think it's most likely very possible to do.

I’ll have to give the clii_logs dir a try… the VM image and compiler sound awesome! Keep us updated. Also let me know what you can figure out from IDA… I had to stop staring at it… it was making my brain hurt haha. It made me REALLY appreciate high level languages! The functions I listed the other day are pretty short… so I’m sure that someone who understands assembly will have no problem identifying exactly what it does to generate the password before issuing the ‘passwd’ cmd.

I have never tried to “hack” into anything before… I’m having a blast with this =) I wish I had a second one… the GF gives me the “look” every time I stick an SD card into it… I’ll be in the dog house if I break it =P

Well, I’m looking at the XXL upgrade binary with IDA to see how it handles the flashing of the NAND.

.text:0000B748
.text:0000B748 ; =============== S U B R O U T I N E =======================================
.text:0000B748
.text:0000B748
.text:0000B748 ; load_nand_modules(void)
.text:0000B748                 EXPORT _Z17load_nand_modulesv
.text:0000B748 _Z17load_nand_modulesv                  ; CODE XREF: proceedWithUpgradeCallback(_GtkWidget *,_GdkEvent *,void *)+18Cp
.text:0000B748
.text:0000B748 var_4           = -4
.text:0000B748
.text:0000B748                 STR     LR, [SP,#var_4]!
.text:0000B74C                 SUB     SP, SP, #4
.text:0000B750                 LDR     R3, =upgrade_from_nandpart_scheme
.text:0000B754                 LDR     R0, [R3]        ; s1
.text:0000B758                 LDR     R1, =a1         ; s2
.text:0000B75C                 BL      strcmp
.text:0000B760                 CMP     R0, #0
.text:0000B764                 BNE     loc_B774
.text:0000B768                 LDR     R0, =aFound5Partitio ; "Found 5 partitions in installed system\n"...
.text:0000B76C                 BL      g_print
.text:0000B770                 B       loc_B7BC
.text:0000B774 ; ---------------------------------------------------------------------------
.text:0000B774
.text:0000B774 loc_B774                                ; CODE XREF: load_nand_modules(void)+1Cj
.text:0000B774                 LDR     R0, =aFound3Partitio ; "Found 3 partitions in installed system\n"...
.text:0000B778                 BL      g_print
.text:0000B77C                 LDR     R0, =aModprobeModarg ; "modprobe modargspart -r"
.text:0000B780                 MOV     R1, #1
.text:0000B784                 BL      _Z7sysCallPKci_0 ; sysCall(char  const*,int)
.text:0000B788                 LDR     R0, =aModprobeMxc_nd ; "modprobe mxc_nd2 -r"
.text:0000B78C                 MOV     R1, #1
.text:0000B790                 BL      _Z7sysCallPKci_0 ; sysCall(char  const*,int)
.text:0000B794                 MOV     R0, #1          ; seconds
.text:0000B798                 BL      sleep
.text:0000B79C                 LDR     R0, =aModprobeModa_0 ; "modprobe modargspart cmdline='NAND 1GiB"...
.text:0000B7A0                 MOV     R1, #1
.text:0000B7A4                 BL      _Z7sysCallPKci_0 ; sysCall(char  const*,int)
.text:0000B7A8                 LDR     R0, =aModprobeMxc__0 ; "modprobe mxc_nd2"
.text:0000B7AC                 MOV     R1, #1
.text:0000B7B0                 BL      _Z7sysCallPKci_0 ; sysCall(char  const*,int)
.text:0000B7B4                 MOV     R0, #2          ; seconds
.text:0000B7B8                 BL      sleep
.text:0000B7BC
.text:0000B7BC loc_B7BC                                ; CODE XREF: load_nand_modules(void)+28j
.text:0000B7BC                 ADD     SP, SP, #4
.text:0000B7C0                 LDMFD   SP!, {PC}
.text:0000B7C0 ; End of function load_nand_modules(void)
.text:0000B7C0
.text:0000B7C0 ; ---------------------------------------------------------------------------
.rodata:0000E058 aModprobeModa_0 DCB "modprobe modargspart cmdline='NAND 1GiB 3,3V 8-bit:2M(nand.redbo"
.rodata:0000E058                                         ; DATA XREF: load_nand_modules(void)+54o
.rodata:0000E058                                         ; .text:off_B7DCo
.rodata:0000E058                 DCB "ot),5M(nand.kernel),250M(nand.rootfs),400M(nand.upgrade),-(nand."
.rodata:0000E058                 DCB "factory)'",0
.rodata:0000E0E2                 ALIGN 4
.rodata:0000E0E4 aModprobeMxc__0 DCB "modprobe mxc_nd2",0
.rodata:0000E0E4                                         ; DATA XREF: load_nand_modules(void)+60o
.rodata:0000E0E4                                         ; .text:off_B7E0o

so…

modprobe modargspart cmdline='NAND 1GiB 3,3V 8-bit:2M(nand.redboot),5M(nand.kernel),250M(nand.rootfs),400M(nand.upgrade),-(nand.factory)' ← pseudo partition setup?
modprobe mxc_nd2 ← nand handling module
<dump mtd’s commands>
modprobe modargspart -r
modprobe mxc_nd2 -r

Guess I’ll have to give it a shot!

EDIT:

truncated output of 'ls -la /dev'

drwxr-xr-x 6 root root 12700 May 16 23:37 .
drwxr-xr-x 18 root root 1024 May 16 23:37 ..
drwxr-xr-x 6 root root 140 May 16 23:37 .udev
lrwxrwxrwx 1 root root 4 May 16 23:37 XOR -> null
crw-r--r-- 1 root root 192, 0 May 16 23:37 cliimac0
crw------- 1 root root 5, 1 May 16 23:37 console
crw-rw---- 1 root root 10, 62 May 16 23:37 cpu_dma_latency
drwxr-xr-x 3 root root 60 May 16 23:37 disk
lrwxrwxrwx 1 root root 3 May 16 23:37 fb -> fb0
crw-rw---- 1 root root 29, 0 May 16 23:37 fb0
crw-rw---- 1 root root 29, 1 May 16 23:37 fb1
crw-rw---- 1 root root 249, 0 May 16 23:37 fsl_shw
crw-rw-rw- 1 root root 1, 7 May 16 23:37 full
crw-rw---- 1 root root 89, 0 May 16 23:37 i2c-0
crw-rw---- 1 root root 89, 1 May 16 23:37 i2c-1
drwxr-xr-x 2 root root 100 May 16 23:37 input
crw-r----- 1 root kmem 1, 2 May 16 23:37 kmem
crw-rw---- 1 root root 1, 11 May 16 23:37 kmsg
brw-r----- 1 root disk 7, 0 May 16 23:37 loop0
brw-r----- 1 root disk 7, 1 May 16 23:37 loop1
brw-r----- 1 root disk 7, 2 May 16 23:37 loop2
brw-r----- 1 root disk 7, 3 May 16 23:37 loop3
brw-r----- 1 root disk 7, 4 May 16 23:37 loop4
brw-r----- 1 root disk 7, 5 May 16 23:37 loop5
brw-r----- 1 root disk 7, 6 May 16 23:37 loop6
brw-r----- 1 root disk 7, 7 May 16 23:37 loop7
crw-r----- 1 root kmem 1, 1 May 16 23:37 mem
brw-r----- 1 root users 179, 0 May 16 23:37 mmcblk0
brw-r----- 1 root users 179, 1 May 16 23:37 mmcblk0p1
crw-rw---- 1 root root 90, 0 May 16 23:37 mtd0
crw-rw---- 1 root root 90, 1 May 16 23:37 mtd0ro
brw-r----- 1 root disk 31, 0 May 16 23:37 mtdblock0
crw-rw---- 1 root root 253, 0 May 16 23:37 mxc_ipu
crw-rw---- 1 root root 251, 0 May 16 23:37 mxc_ipu_pf
crw-rw---- 1 root root 10, 61 May 16 23:37 network_latency
crw-rw---- 1 root root 10, 60 May 16 23:37 network_throughput
crw-rw-rw- 1 root root 1, 3 May 16 23:37 null
crw-rw---- 1 root root 250, 0 May 16 23:37 pmic
crw-rw-rw- 1 root tty 5, 2 May 16 23:37 ptmx
drwxr-xr-x 2 root root 0 Jan 1 1970 pts
crw-rw---- 1 root tty 2, 176 May 16 23:37 ptya0
crw-rw---- 1 root tty 2, 177 May 16 23:37 ptya1
crw-rw---- 1 root tty 2, 178 May 16 23:37 ptya2
crw-rw---- 1 root tty 2, 179 May 16 23:37 ptya3

crw-rw---- 1 root tty 2, 174 May 16 23:37 ptyze
crw-rw---- 1 root tty 2, 175 May 16 23:37 ptyzf
brw-r----- 1 root disk 1, 0 May 16 23:37 ram0
lrwxrwxrwx 1 root root 4 May 16 23:37 ramdisk -> ram0
crw-rw-rw- 1 root root 1, 8 May 16 23:37 random
lrwxrwxrwx 1 root root 4 May 16 23:37 rtc -> rtc0
crw-r--r-- 1 root root 254, 0 May 16 23:37 rtc0
lrwxrwxrwx 1 root root 7 May 16 23:37 sd-mmcblk0 -> mmcblk0
lrwxrwxrwx 1 root root 9 May 16 23:37 sd-mmcblk0p1 -> mmcblk0p1
crw-rw---- 1 root root 153, 0 May 16 23:37 spidev1.0
crw-rw-rw- 1 root tty 5, 0 May 16 23:37 tty
crw--w---- 1 root tty 4, 0 May 16 23:37 tty0
crw--w---- 1 root tty 4, 1 May 16 23:37 tty1
crw--w---- 1 root tty 4, 10 May 16 23:37 tty10

crw-rw---- 1 root tty 3, 254 May 16 23:37 ttyee
crw-rw---- 1 root tty 3, 255 May 16 23:37 ttyef
crw-rw---- 1 root root 207, 16 May 16 23:37 ttymxc0
crw-rw---- 1 root root 207, 17 May 16 23:37 ttymxc1
crw-rw---- 1 root root 207, 18 May 16 23:37 ttymxc2
crw-rw---- 1 root tty 3, 0 May 16 23:37 ttyp0
crw-rw---- 1 root tty 3, 1 May 16 23:37 ttyp1
crw-rw---- 1 root tty 3, 2 May 16 23:37 ttyp2

crw-rw---- 1 root tty 3, 173 May 16 23:37 ttyzd
crw-rw---- 1 root tty 3, 174 May 16 23:37 ttyze
crw-rw---- 1 root tty 3, 175 May 16 23:37 ttyzf
crw-rw---- 1 root root 10, 63 May 16 23:37 ubi_ctrl
crw-rw-rw- 1 root root 1, 9 May 16 23:37 urandom
crw-rw---- 1 root tty 7, 0 May 16 23:37 vcs
crw-rw---- 1 root tty 7, 128 May 16 23:37 vcsa
crw-rw---- 1 root root 81, 16 May 16 23:37 video16
crw-rw---- 1 root root 10, 130 May 16 23:37 watchdog
crw-rw-rw- 1 root root 1, 5 May 16 23:37 zero

full output over there if interested → Pastebin.com

Have not been able to get nanddump to work for some reason, but dd does. =)

mtdblock0-dd - bootloader - uboot
mtdblock1-dd - kernel - duh…
mtdblock2-dd - main - system… duh…
mtdblock3-dd - upgrade partition - storage for settings and things during an upgrade.
mtdblock4-dd - factory - 16,777,216 bytes of absolutely NOTHING. FF FF FF FF FF…
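Added example, not part of any post in the thread and not the vendor's code: a host-side Python check that expands the modargspart partition string found in the updater binary into absolute offsets, compares them with the offset table listed earlier, and reports how far a dump's size is from its partition's size. It assumes the chip size can be read from the "1GiB" token in the device id; the function names are made up for this example.

```python
import re

# Partition string recovered from the updater binary (quoted in the thread).
CMDLINE = ("NAND 1GiB 3,3V 8-bit:2M(nand.redboot),5M(nand.kernel),"
           "250M(nand.rootfs),400M(nand.upgrade),-(nand.factory)")

# Offsets the thread lists for the NAND "partitions": name -> (start, end).
REPORTED = {
    "nand.redboot": (0x00000000, 0x00200000),
    "nand.kernel":  (0x00200000, 0x00700000),
    "nand.rootfs":  (0x00700000, 0x10100000),
    "nand.upgrade": (0x10100000, 0x29100000),
    "nand.factory": (0x29100000, 0x40000000),
}

UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}


def parse_size(text):
    """Turn '2M', '250M' or '1GiB' into a byte count."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)(?:i?B)?", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def parse_layout(cmdline, total=None):
    """Return [(name, start, end)] for a 'device-id:size(name),...' string.

    Assumption: when `total` is not given, the chip size is taken from the
    size token inside the device id ('1GiB' here).
    """
    mtd_id, sep, defs = cmdline.partition(":")
    if not sep:
        raise ValueError("no ':' between device id and partition list")
    if total is None:
        m = re.search(r"\d+[KMG]iB", mtd_id)
        if not m:
            raise ValueError("chip size not found in device id")
        total = parse_size(m.group(0))
    parts = defs.split(",")
    layout, offset = [], 0
    for i, part in enumerate(parts):
        m = re.fullmatch(r"(-|\d+[kKmMgG]?)\(([^)]+)\)", part.strip())
        if not m:
            raise ValueError(f"bad partition definition: {part!r}")
        size_txt, name = m.groups()
        if size_txt == "-":
            # '-' means "the rest of the chip" and only makes sense last.
            if i != len(parts) - 1:
                raise ValueError("'-' is only valid on the last partition")
            size = total - offset
        else:
            size = parse_size(size_txt)
        if size <= 0 or offset + size > total:
            raise ValueError(f"{name} does not fit in {total} bytes")
        layout.append((name, offset, offset + size))
        offset += size
    return layout


def mismatches(layout, reported):
    """List partitions whose computed range differs from the reported one."""
    return [(name, (start, end), reported.get(name))
            for name, start, end in layout
            if reported.get(name) != (start, end)]


def dump_shortfall(layout, name, dump_size):
    """Partition size minus dump size: 0 if equal, negative if dump is larger."""
    for part, start, end in layout:
        if part == name:
            return (end - start) - dump_size
    raise KeyError(name)


def is_erased(data):
    """True when every byte is 0xFF, which is how erased NAND reads back."""
    return len(data) > 0 and data.count(0xFF) == len(data)


if __name__ == "__main__":
    layout = parse_layout(CMDLINE)
    for name, start, end in layout:
        print(f"0x{start:08x}-0x{end:08x} : {name} ({(end - start) >> 20} MiB)")
    print("mismatches vs. reported table:", mismatches(layout, REPORTED))
    # 16,777,216 is the size the thread gives for the mtdblock4 dd dump.
    print("factory dump shortfall:",
          dump_shortfall(layout, "nand.factory", 16_777_216))
```
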

So instead of making a full VM with toolchains and SDKs that will be huge to distribute, I have made a script you can run after setting up your own VM. Plus this way doesn’t step on anyone’s licenses. You will have to grab the SDK from Freescale’s website, which will require you to sign up (free) and then accept their agreement.

I used VirtualBox running on my Xubuntu 14.04 x64 system and installed Xubuntu 14.04 (i386) in the VM. Grab it from there → http://mirror.anl.gov/pub/ubuntu-iso/CDs-Xubuntu/14.04/release/xubuntu-14.04-desktop-i386.iso It should work on all Ubuntu variants but I personally like Xubuntu. I think it’s safer to stick with an x86 (i386) Ubuntu version because I borked up my x64 install after forcing it to install so many i386 libs that the LTIB needs. I think Ubuntu 10.04 was the “norm” when the SDK was released. It took a bit of work to get it to work with 14.04. That’s what the script is for, so nobody else has to figure this crap out haha.

I gave it 15 GB total and after all is said and done I’ve got around 5 GB free space. Once Xubuntu is installed in the VM, go ahead and sudo apt-get update && sudo apt-get upgrade and bring the system up to current. Then install the VBoxGuestAdditions and reboot the VM. You should be looking at a totally up to date fresh install with a full screen.

Then go grab the SDK from Freescale. → Sign in to NXP.com | NXP Semiconductors

I just placed it on the desktop and extracted it. You will need to run the install script (./install) and accept its terms, then tell it where to put it. I did /home/imx/Desktop (imx is the VM username) and it will install to a folder called ltib on your desktop.

Copy my script into the new ltib folder, chmod +x it and run it… I have tested it twice from a clean system so it works.

I think it might be possible to add a SD card with the directory clii_logs on it, in a fat32 partition, and see if it writes interesting things there (like passwords, seeds, hashes, etc.). I'll see about setting up a full emulated environment and package it as a VM for folks once I figure out how to do so. Anyone interested in a compiler image, as well, to write custom "applets" for the XL? I know I'd love to know how to install additional applications, and since it's Linux with XML configuration files, I think it's most likely very possible to do.

Looking at a file called /bin/cliilogger… it scans the SD card for a file called “mode.cliilog”; if found, it will run debug logs. Looks interesting…

Nothing really interesting there… if you know how to reverse assembly, then load up the scc binary and look for the setlinuxpassword subroutine, which is called by setpassword, which is called by start, I think (not at home right now). Start at the start routine and follow it through the set linux password. The passwords are not stored; they are generated and changed each time it boots, so knowing how it generates them is the key in. I’ve dumped out the password and shadow files from it multiple times and they definitely change.

I’ve booted my own kernel and minimal Linux off the SD card… built with the SDK I posted how to set up. But considering this is not a piece of hardware someone is going to buy as a toy, we need a way into the stock system so that it still functions as a thermostat. I’m fairly confident that I could modify the actual system img in the update and “update” to it… but until I know I can recover from a brick, I’ve only booted a kernel and filesystem from the SD card.

I’m pretty sure that a properly formatted SD card will enter the update process from a clean boot. I have not managed it yet though.

I outlined the offsets of those functions in this post in case you missed it. → http://forum.micasaverde.com/index.php/topic,7017.msg175814.html#msg175814

Assembly is frustrating to a n00b. I semi understand what is going on in those functions… but where its initial values come from eludes me. They may come from memory somewhere… the initial values could be completely random, which would make writing a “keygen” practically impossible… the easiest thing, once comfortable with actually modifying the installed system through an update, is making scc return a static password or nullifying the routine entirely so that it doesn’t change the password at all.

In the stock system the SSH server (dropbear) is started with the -w flag, which means no root login. So at the very least that needs to be changed, as the raptor21 user pretty much only has Clii abilities.

EDIT* I had not thought about it until now… I suppose it’s entirely possible that the passwords remain the same, but since they are regenerated every time it boots, the salt changes and therefore the whole hash changes…

Did you happen to get anywhere with this?

I wish they would have an API, but I guess that won’t happen. I hate that I need to use a separate app just to view and change my thermostat settings.

I work for a HVAC company. We are authorized Trane dealers.

I thought it might be worth noting that these 950 Thermostats DO have a built in z-wave chip.

What I have seen:

When they were released, there was still a wait on ANY wireless communication. They had to release the stats quickly to allow people to use the 18+ seer, communicating system technology… Basically variable blower speeds, variable valves for gas heat, and variable volume control of the compressor…

Later they were, after an upgrade administered through the SD card, enabled to have Wi-Fi… but to use them with any home automation, you had to have a Nexia bridge…

NOW the xl950 thermostats come with the Z-wave chip enabled. The idea is that the 950 eliminates the need for a Nexia bridge in the home. The way they describe it is that it has a Nexia Bridge inside…

What I do know is that the chip has existed the whole time in the system… so it would seem that maybe one of you folks who are well versed in Linux and unhashing this and that… might be able to compare the two, and see if instead of using the system as a master, it could be used as a slave.

I would assume there should be some easy workaround, because I’ve installed multiple 950’s at a single location… one has to be the master and the other the slave…

I’ve no idea how it’s actually implemented… but if one of YOU could figure it out… maybe we’d be closer to an API or a Z-WAVE profile, that would apply to this little bugger…

I LOVE these stats, and the systems they control; from a HVAC pro point of view, they are INSANELY efficient and wonderful.

Except I’m a Vera control kinda guy, because let’s face it, who wants to be locked into TRANE or INGERSOLL RAND products, when there are things like Vera out there, with so many more options? But, with the system I have in mind for my house (a 20 seer system), only a 950 t-stat can control it… If there is anything I can do to help, please let me know…

I have access to a large Trane Knowledgebase

Wait. So you’re saying that the XL950 thermostats do have a zwave chip? If so, how do we enable them?

I see on Trane’s website that they have an XL850 coming soon with the Nexia Bridge built in. I have a XL950 at home that I was contemplating switching out for the 850 just for this feature. I have a communicating system so my thermostat options are very limited for remote access.

[quote=“Dominic, post:49, topic:168631”]Wait. So you’re saying that the XL950 thermostats do have a zwave chip? If so, how do we enable them?

I see on Trane’s website that they have an XL850 coming soon with the Nexia Bridge built in. I have a XL950 at home that I was contemplating switching out for the 850 just for this feature. I have a communicating system so my thermostat options are very limited for remote access.[/quote]

I also would be interested to know if this device really does z-wave and all access is within the home network and not calling APIs outside to the internet

[quote=“djrakso, post:50, topic:168631”][quote=“Dominic, post:49, topic:168631”]Wait. So you’re saying that the XL950 thermostats do have a zwave chip? If so, how do we enable them?

I see on Trane’s website that they have an XL850 coming soon with the Nexia Bridge built in. I have a XL950 at home that I was contemplating switching out for the 850 just for this feature. I have a communicating system so my thermostat options are very limited for remote access.[/quote]

I also would be interested to know if this device really does z-wave and all access is within the home network and not calling APIs outside to the internet[/quote]

I would be interested also if it does z-wave…

Don

Looks like a new version, 4.0, was just released in April. Has anyone checked it out and noticed any differences?

Has anyone been able to get the Trane XL850 or XL950 “communicating” thermostat to work with any versions of Vera? I just bought the veraplus and would love to get this connected to it?

Regarding the trane XL 850, can I connect that to the Wi-Fi network at the thermostat and then install some sort of plug-in to manage it through vera? If so, what are the steps?

I have the new veraplus that I guess can now talk to Wi-Fi devices, so hopefully someone knows.

Thanks again!

Looks like someone discovered the hardcoded credentials and released the password.

This is not surprising, awesome, and horrible all at the same time. It’s of course why I choose to run my XL950’s, and any other equipment I would never trust, in its own private SSID/VLAN at home, so they can’t talk to my other more important devices. I’m anxious to see if anything of use can be accessed via ssh, such as control over settings, downloading logs, etc. Even though not as convenient as a real app, I could build a web interface to ssh/expect to log into the device and make changes for me.

Have you tried to gain access using the Cold,2100 credentials? I have tried with several different firmware releases from 3.x to 4.x. Would really like to gain access so I can make temp changes, but I would really like the ability to graph runtimes and room temp.

Just got in. It appears it is buggy in that it will not let you access SSH from a remote subnet. I was trying from my normal home wired vlan to the vlan where the thermostats are (since I don’t trust them) and was getting either connection reset or connection closed. I ssh’d to the router and from there to the XL950 via that network’s interface and was able to log in with the raptor21 account:

ssh raptor21@192.0.2.102
Warning: Permanently added '192.0.2.102' (RSA) to the list of known hosts.
raptor21@192.0.2.102's password:

BusyBox v1.6.1 () Built-in shell (ash)
Enter 'help' for a list of built-in commands.

raptor21@ComfortControl ~$ uname -a
Linux ComfortControl 2.6.26-466-ga04670e #1 Fri Oct 25 10:29:57 CDT 2013 armv6l unknown
raptor21@ComfortControl ~$ ls
text
raptor21@ComfortControl ~$ pwd
/home/raptor21
raptor21@ComfortControl ~$ su - root
Password:

BusyBox v1.6.1 () Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ $ pwd
/root

I haven’t had time to dig around further to see what interesting utilities there may be. Not a lot of mem; 256 MB. Disk is negligible but SD card would probably resolve that issue.

I can’t get it to give me a full width ‘ps’ output regardless of arguments, ps -efww, ps -auxww, etc. What I have, in case it’s of interest:

PID Uid VSZ Stat Command
1 root 2788 SW init
2 root SW< [kthreadd]
3 root SW< [ksoftirqd/0]
4 root SW< [watchdog/0]
5 root SW< [events/0]
6 root SW< [khelper]
88 root SW< [kblockd/0]
91 root SW< [cqueue]
99 root SW< [mxc_spi.0]
123 root SW< [mc13892/0]
186 root SW [pdflush]
187 root SW [pdflush]
188 root SW< [kswapd0]
230 root SW< [aio/0]
235 root SW< [nfsiod]
862 root SW< [mtdblockd]
916 root SW< [rpciod/0]
925 root SW [mxc_ts]
939 root 2788 SW /bin/sh /bin/kickthedog
959 root 1604 SW< udevd --daemon
1807 root SWN [jffs2_gcd_mtd2]
1828 root 3812 SW syslogd -C1024
1829 root 3684 SW logread -f
1847 root SW< [kmmcd]
1879 root SW< [unifi_workq]
1880 root 2788 SW /bin/sh /usr/sbin/unififw 1 2
1881 root 2788 SW /bin/sh /usr/sbin/unififw 1 2
1884 root 2792 SW logger -t unififw -p daemon.notice
1888 root SW< [ksdiorqd]
1899 root 1912 SW /usr/sbin/unifi_helper -dev=/dev/unifi1 -wifion -mib=
1918 root RW< [uf_bh_thread]
1945 root 2060 SW /usr/sbin/dropbear -w
1975 nobody 1924 SW /usr/bin/mdnsd
1981 root 3012 SW ./ccilogger_arm
2018 root 2788 SW /bin/ash /bin/XCC -x -c -z -b -a 0x0010ff40 -m TZONE9
2020 root 2792 SW logger -t XCC
2027 root 77840 SW /bin/scc -x -c -z -b -a 0x0010ff40 -m TZONE950AC52ZAA
2028 root 3036 SW /usr/local/sbin/wpa_supplicant -i eth1 -W -c /etc/wpa
2068 root 3016 SW ./dss_arm
2069 root 2792 SW logger -t dss_arm
2075 root 3016 SW ./watchdog_arm
2078 root 2792 SW logger -t watchdog_arm
2083 root 6864 SW ./ioc_arm
2084 root 2792 SW logger -t ioc_arm
2088 root 9688 SW ./weather_arm
2089 root 2792 SW logger -t weather_arm
2093 root 18480 SW ./wifi_arm
2094 root 2792 SW logger -t wifi_arm
2101 root 6192 SW ./diagnostics_arm
2102 root 2792 SW logger -t diagnostics_arm
2108 root 2788 RW /bin/ash ./XDIAGNOSTICS
2109 root 2792 SW logger -t XDIAGNOSTICS
2112 root 2788 SW /bin/ash ./XWEATHER
2114 root 2792 SW logger -t XWEATHER
2120 root 2788 SW /bin/ash ./XIOC
2123 root 2792 SW logger -t XIOC
2129 root 2788 SW /bin/ash ./XWIFI
2130 root 2792 SW logger -t XWIFI
2157 root 2788 SW /bin/ash ./XWATCHDOG
2160 root 2792 SW logger -t XWATCHDOG
2173 root 89656 SW ./flashlitedirectfb /root/xLink.swf
2178 root 2792 SW logger -t CCI
2207 root SW< [ubi_bgt0d]
2318 root 2788 SW /bin/ash ./XFLASH
2320 root 2792 SW logger -t XFLASH
2337 root 2788 SW /bin/sh /bin/cliilogger start
2338 root 2792 SW logger -t CLIILOG
2352 root 2792 SW /sbin/getty -L ttymxc0 115200 vt100
2432 root 2132 SW ntpclient -s -l -i 600 -c 0 -h 0.north-america.pool.n
10437 root 2132 RW /usr/sbin/dropbear -w
10550 raptor21 2792 SW -sh
12853 root 3716 SW /usr/etc/stunnel/xl-live.mynexia.com:443:123456.c
13185 root 2792 SW sh
13206 root 3716 SW /usr/etc/stunnel/xxl.trane.com:443:123456.conf /u
15645 root 2656 SW sleep 300
16515 root 2656 SW sleep 5
16525 root 2656 SW sleep 2
16530 root 2656 SW sleep 2
16535 root 2656 SW sleep 2
16540 root 2656 SW sleep 2
16545 root 2656 SW sleep 2
16550 root 2656 SW sleep 2
16551 root 2792 RW ps -alxww
17743 root 2792 SW /sbin/udhcpc --interface eth1 --background --release

There was what is probably a number unique to my XL950 in the two remote connection lines (to trane and nexia), so I replaced those with 123456.

Anyone else think the captcha on this site is a nightmare?!

What version firmware are you running? I have 4.0.1; it looks like SSH over port 22 isn’t open.

Can you tell me where to find that? I was trying to dig around but got nervous about going into the software updates menu to see if it was there.