Ripthulhu/harmony-hub-root: Gets root access on a harmony hub and installs dropbear
Harmony Hub LAN Root SSH Tool
For an owned Logitech Harmony Hub on the same LAN as your computer. The tool gains root access, installs Dropbear, and starts persistent SSH access.
Files
Start_XMPP_Root_Shell.cmd - double-click launcher
run_xmpp_root_shell.ps1 - PowerShell wrapper
run_xmpp_root_shell.sh - Linux/macOS shell wrapper
harmony_xmpp_root_shell.py - LAN installer
dropbearmulti - MIPS Dropbear binary for Harmony Hub
SHA256SUMS.txt - integrity hashes
Requirements
Windows 10/11, Linux, or macOS
Python 3.10 or newer
OpenSSH client tools: ssh and ssh-keygen
Harmony Hub IP address
PC and hub on the same LAN
The hub has completed normal first-time setup in the Harmony phone app
XMPP/local network control is enabled in the Harmony phone app
Run
Finish setup in the Harmony phone app first. The hub must already be joined to Wi-Fi, linked to the app, and reachable on the local network with XMPP enabled.
Windows
Double-click:
Start_XMPP_Root_Shell.cmd
Enter the hub IP address when prompted.
The tool creates or reuses an SSH key at:
%USERPROFILE%\.ssh\harmony_owner_ed25519
Linux/macOS
From the repository root:
./run_xmpp_root_shell.sh --host <hub-ip>
Or call Python directly:
python3 harmony_xmpp_root_shell.py --host <hub-ip>
The tool creates or reuses an SSH key at:
~/.ssh/harmony_owner_ed25519
It installs persistent root SSH and then opens a root shell:
Windows:
ssh -i %USERPROFILE%\.ssh\harmony_owner_ed25519 root@<hub-ip>
Linux/macOS:
ssh -i ~/.ssh/harmony_owner_ed25519 root@<hub-ip>
Tested Firmware
This tool was tested on Logitech Harmony Hub firmware 4.15.600.
Why This Exploit Works
This is a LAN-only post-setup exploit chain. It depends on the hub already being provisioned through the Harmony phone app because normal setup joins the hub to Wi-Fi and enables Logitech's local XMPP/HBus control interface. Without that local service, there is nothing on the network for this tool to talk to.
The chain works because several legacy/debug features trust each other too much:
The local XMPP service accepts a legacy local-client login.
The hub exposes XMPP on TCP port 5222 for older Harmony local control clients. After opening an XMPP stream, the tool authenticates with SASL PLAIN as a local client identity. On affected firmware this is accepted by the local service and gives access to the internal HBus command bridge.
XMPP forwards commands into privileged HBus handlers.
XMPP messages contain command stanzas such as connect.sysinfo?get, harmony.log?put, and connect.jsonfiletransfer?get. The hub forwards those into the Harmony application layer. That application layer is not a tiny unprivileged web API; it has access to internal configuration paths and the vendor debug/update plumbing.
harmony.log?put has a path traversal bug.
The log-write API accepts a client-supplied fileName and data. It should restrict writes to the intended log/cache directory, but affected firmware does not sufficiently canonicalize or sandbox the filename before writing. Supplying a filename like ../etc/tdeenable makes the log writer escape its normal directory and create /etc/tdeenable with controlled contents.
/etc/tdeenable is a real vendor debug-mode switch.
This is not a made-up marker. Harmony firmware checks /etc/tdeenable through its own...
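The traversal described under harmony.log?put comes down to one missing check: the handler joins a client-supplied name onto its log directory without confirming the result stays inside that directory. The following is an added illustration, not code from this repository or from the hub's firmware. It models the defective join beside a hardened version that rejects the escape. The log directory name /logs, the function names and the sample file names are all constructed assumptions chosen so that the page's ../etc/tdeenable example resolves the way the README describes.

```python
import posixpath

# Assumed log directory for this illustration (the hub's real directory is
# not stated on the page). It sits one level below / so that the README's
# "../etc/tdeenable" example lands on /etc/tdeenable, as the text describes.
LOG_DIR = "/logs"


def unsafe_log_path(file_name: str, base: str = LOG_DIR) -> str:
    """The defective pattern: join the client-supplied name onto the log
    directory and normalise it, with no check that the result is still
    under base. A leading '..' walks straight out of the directory."""
    return posixpath.normpath(posixpath.join(base, file_name))


def safe_log_path(file_name: str, base: str = LOG_DIR) -> str:
    """Hardened form: a log name must be a single, relative path component,
    and the normalised result must remain inside base. Any violation
    raises ValueError so the caller never reaches the write."""
    if not file_name or "\x00" in file_name:
        raise ValueError("empty or malformed file name")
    if posixpath.isabs(file_name):
        raise ValueError("absolute file names are not allowed")
    # A log file is a single component; reject separators and dot names
    # outright rather than trying to sanitise them.
    if "/" in file_name or file_name in (".", ".."):
        raise ValueError("file name must be a single path component")
    candidate = posixpath.normpath(posixpath.join(base, file_name))
    # Belt and braces: confirm the normalised path is still under base.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the log directory")
    # On a live filesystem, also resolve symlinks (os.path.realpath) before
    # this containment check; pure string logic cannot see a planted link.
    return candidate


def is_safe_log_name(file_name: str, base: str = LOG_DIR) -> bool:
    """Convenience predicate: True if safe_log_path would accept the name."""
    try:
        safe_log_path(file_name, base)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: one legitimate, one the traversal from the README.
    for name in ("hub.log", "../etc/tdeenable"):
        print(f"{name!r}: unsafe -> {unsafe_log_path(name)}, "
              f"accepted by hardened check: {is_safe_log_name(name)}")
```

The hardened check is deliberately strict: a log writer has no legitimate reason to accept subdirectories, so rejecting any separator is simpler and safer than trying to strip ".." segments, which is where canonicalisation bugs usually creep in.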