{"id":43734033,"url":"https://github.com/obruns/gelee","last_synced_at":"2026-02-05T10:35:47.007Z","repository":{"id":230199016,"uuid":"777972790","full_name":"obruns/gelee","owner":"obruns","description":"gelee - Gigaset Elements LifetimE Extension","archived":false,"fork":false,"pushed_at":"2024-03-31T10:29:02.000Z","size":30,"stargazers_count":8,"open_issues_count":1,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-03-31T11:28:22.661Z","etag":null,"topics":["cloud-services","doorbell","gigaset-elements","home-automation"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsl-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/obruns.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-03-26T21:00:00.000Z","updated_at":"2024-03-31T09:50:11.000Z","dependencies_parsed_at":"2024-03-31T11:28:07.741Z","dependency_job_id":"6e4542b0-076b-4793-89b2-2a7e2da33dd5","html_url":"https://github.com/obruns/gelee","commit_stats":null,"previous_names":["obruns/gelee"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/obruns/gelee","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/obruns%2Fgelee","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/obruns%2Fgelee/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/obruns%2Fgelee/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/obruns%2Fgelee/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/obruns","download_url":"https://codeloa
d.github.com/obruns/gelee/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/obruns%2Fgelee/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29119232,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-05T09:40:36.738Z","status":"ssl_error","status_checked_at":"2026-02-05T09:36:49.977Z","response_time":65,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-services","doorbell","gigaset-elements","home-automation"],"created_at":"2026-02-05T10:35:46.895Z","updated_at":"2026-02-05T10:35:47.000Z","avatar_url":"https://github.com/obruns.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gelee - Gigaset Elements LifetimE Extension\n\n**Gigaset Elements GmbH shut down their services at around 10pm CET on\nFriday, March 29th, 2024. 
As things are looking now, we can only\ncontinue with what we can extract from our devices.**\n\nOn March 25th, 2024 - with a period for action of just four days -\ncustomers of Gigaset Elements were informed that the cloud service would\nbe shut down on March 29th due to insolvency of the company.\n\nThis project aims to collect as much data as possible while the service\nis still active and then - eventually - provide a service that can be\nself-hosted on-prem or in the cloud.\n\n## The missing bits\n\n* [This security report](https://www.av-test.org/fileadmin/pdf/publications/avtest_2014-04_smart_home_deutsch.pdf#25)\n  (in German) documents a bunch of findings in the Gigaset Elements\n  implementation. AFAICS, all of them had been fixed. In particular, I\n  was unable to downgrade from TLSv1.2 to a prior protocol version or\n  force the server to accept weak(er) ciphers.\n* The security report also mentions that update tarballs got downloaded\n  from a server unencrypted via HTTP. The Wireshark dump that I ran for\n  the final ~24h did not record connection attempts apart from the long-\n  lived connection to `api-bs.gigaset-elements.de:443` (78.137.103.62).\n* As a consequence, I did not know where to download update tarballs\n  from and thus could not fetch them. I also don't know the latest\n  firmware version. It has to be newer than 29 (mentioned in the\n  security report).\n\n## Accessing the hardware\n\n* The row of five large test pads (see [osmocom](https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_Elements_Base))\n  is accessible from the outside as soon as you open the lid on the back.\n* To open the case and access the PCB you need to unhinge six plastic\n  hooks that firmly hold the front and the back. 
I was only able to do\n  this with a bunch of slotted screwdrivers and brute force at the\n  expense of scratching the plastic (of hardware that is bricked anyway\n  as things are looking right now).\n\n## Tools\n\n### download-all-opensource.sh\n\nThis script scrapes all archives from the iframe that is embedded at\n[gigaset.com/opensource](https://www.gigaset.com/de_de/cms/lp/open-source.html)\nthat is mentioned in the license agreements that come with Gigaset\nproducts.\n\nYou'll need approx. 35GiB for all archives. The script creates three\nfiles named `checksums.sha{1,256,512}` which are also part of this\nrepository. The more mirrors we create, the more trust anchors there\nare. To verify, use\n\n```sh\nsha512sum -c checksums.sha512\n```\n\n## TODO\n\n* [osmocom](https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_Elements_Base) provides a good starting point for the hardware.\n  Unfortunately, they do not mention the exact download URL but it appears to be either [bl17](https://cms.gigaset.com/opensource/GigasetElements/gigaset_elements_bl17_opensource.tar.gz) and/or [bl26](https://cms.gigaset.com/opensource/GigasetElements/gigaset_elements_bl26_opensource.tar.gz)\n  - Whenever sourcecode/tarball is mentioned, it refers to these\n    archives which are from 2013-10-18 and 2013-10-31.\n* Comparing the output from the serial console (final snippet on the osmocom page), there are a couple of keywords that I could not find in either of the source tarballs:\n  - rxdect452\n  - rtxdectstack\n  - jbusserver\n  - ...\n* There is a file `src/init_rootfs/etc/init.d/S60private.sh` which would execute `/mnt/data/private.sh` if it exists\n  - a `private.sh`\n* conclusion: it is important to create a proper dump of the existing firmware image and/or copy the files before wiping anything\n* cr16 is a CPU of the CompactRISC family\n  - there does not appear to be a Qemu emulation for that\n* see search results for [bflt 
executable](https://duckduckgo.com/?q=bflt+executable\u0026ia=web)\n* use [mitmproxy](https://github.com/mitmproxy/mitmproxy) ([documentation](https://docs.mitmproxy.org/stable/)) to\n  - sniff the communication between the base station and the cloud service\n  - sniff the communication between the app and the cloud service (less important because of [gigaset-elements-api](https://github.com/matthsc/gigaset-elements-api))\n* Which tarballs are required for\n  - button\n  - door bell\n  - camera\n  - climate sensor\n  - door/window sensor\n* Is the DECT-ULE code part of the open-source tarballs?\n  - Kind-of: These are some shell scripts and some bflt binaries.\n* Identify versions of the shipped OSS.\n\n### Extract patches and turn them into commits\n\nThe changes made to particular files were added as a footer to the file\nitself. See e.g. `src/dialog/cr16boot/common/display_options.c`:\n\n```cpp\n//\n//Changes introduced by Gigaset Elements GmbH:\n//Modification date:  2013-10-31 10:54:49.652221564\n//@@ -31,22 +31,22 @@\n//\n// void display_banner(bd_t *bd)\n// {\n```\n\nThis is easily extractable and can be turned into individual commits\ngrouped by modification date *if* the modification date differs at all.\n\n```sh\nrg --files-with-matches '^//Changes introduced by Gigaset Elements GmbH:' | less\n\nrg --files-with-matches '^//Modification date:  2013-10-31 10:5[34]:' | wc -l\n```\n\nConclusion: The timestamp was set at archive creation time. Create\none commit per OSS project.\n\n### CompactRISC CR16C\n\n```sh\n# search inside the directory extracted from the source tarball\nrg --files-with-matches mcr16c gigaset_elements_bl26_opensource\n```\n\n### Basestation API\n\nThe client-facing API is visible when watching the activity of\n`https://app.gigaset-elements.com/#/events/` through the browser's\ndeveloper tools.\n\nWhat's more difficult is the API used by the basestation to publish\nevents. 
When trying to sniff the network communication with\n[mitmproxy](https://mitmproxy.org/), an attempt is made to talk to\n`https://api-bs.gigaset-elements.de`. However, that URL is referenced just\nonce in the image: `src/init_rootfs/usr/bin/simulate_delete.sh`:\n\n```sh\n# $1 - sensorId\n# $2 - deviceId\necho {\"method\":\"POST\", \"uri\":\"https://api-bs.gigaset-elements.de/api/v1/endnode/$2/$1/sink/ev\", \"payload\": {\"payload\": \"deleted\"}, \"clientId\": 138} | sender 127.0.0.1 \"CloudTX\"\n```\n\nThis leaves a couple of questions:\n\n* Is this really just guarded by the \"deviceId\"?\n  - see `deviceid=CFE8D287ED60B4B8393398706788C121` in the kernel commandline at [osmocom](https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_Elements_Base)\n* What is \"CloudTX\" (also vs. the other topics; see below)?\n  - are the topics case-insensitive (\"cloudTX\" vs \"CloudTX\")?\n* The file is called `simulate_delete.sh` - does this mean that `sender`\n  (and `receiver`) are just debugging tools left in the image?\n  - this does not appear to be the case because there are quite some\n    results for \"sender\" and \"receiver\" (limited to the relevant dir):\n\n```sh\nrg --files-with-matches 'sender|receiver' src/init_rootfs\nsrc/init_rootfs/bin/send2ule\nsrc/init_rootfs/bin/listenall\nsrc/init_rootfs/usr/bin/fw_lib\nsrc/init_rootfs/usr/bin/gotosleep.sh\nsrc/init_rootfs/usr/bin/sensor_version.sh\nsrc/init_rootfs/usr/bin/led_lan.sh\nsrc/init_rootfs/usr/bin/delete_sensor.sh\nsrc/init_rootfs/usr/bin/sirenon.sh\nsrc/init_rootfs/usr/bin/sirenoff.sh\nsrc/init_rootfs/usr/bin/simulate_delete.sh\nsrc/init_rootfs/usr/bin/sensor_update.sh\nsrc/init_rootfs/usr/bin/regoff.sh\nsrc/init_rootfs/usr/bin/fw_prepare.sh\nsrc/init_rootfs/usr/bin/regon.sh\n```\n\nI tried `rg --text` and ran `strings` on the binary blobs (`uleapp`,\n`receiver`, ...) but the URL was present nowhere else. I also searched\nGitHub for `api-bs.gigaset-elements` but found no results either.\n\nAll(?) 
CA certificates at `./src/opensource/certs/` are expired. I'm\ntherefore certain that basestations have received updates of various\nfiles in the meantime.\n\nI wasn't successful in using [mitmproxy](https://mitmproxy.org/), yet.\nAbsent proper tools to use the serial console via UART I can only try to\ngo via different routes:\n\n* The images `./src/dialog/cr16boot/image452.bin` and `./src/dialog/cr16boot/image452_service.bin`\n  contain `bootargs=.*ipaddr=192.168.1.10.*serverip=192.168.1.34`\n* This appears to be baked by some files in `src/dialog/cr16boot/` or\n  maybe `src/opensource/u-boot-env-tools/fw_env.c`\n* The `serverip` is used like in `src/init_rootfs/bin/stauleapp`:\n\n```sh\nfw_printenv -n serverip\n```\n\n* This may allow us to place arbitrary files and start them, like [dropbear](http://matt.ucc.asn.au/dropbear/dropbear.html)\n  or alternative CA certificates.\n\n### DECT-ULE communication\n\n`src/init_rootfs/bin/listenall` contains topics, some of which are not\nactive:\n\n```sh\nTOPICS=\"ulecontrol uleevent watchdog\"\n# coma cloud cloudTX cloudRX\n```\n\nSome of the files below `src/init_rootfs/usr/bin/` (see previous\nsection) appear to be dedicated to sensor control based on DECT-ULE.\n\n### System Startup\n\nSee `src/init_rootfs/etc/init.d/S40reef.sh` and other scripts.\n\nInetd has telnet open if `system_locked=false`, see `./src/init_rootfs/etc/inetd.conf`.\n\n`./src/init_rootfs/etc/udhcpc.scr`\n\n### Non-volatile storage?\n\n```sh\nsrc/init_rootfs/usr/bin/nvs_backup.sh\n\nnc -w 30 -p 5600 -l \\\u003e backup.file.name\nnc -w 2 $1 5600 \u003c /mnt/data/nvs.bin\n```\n\n### Bootargs\n\n```sh\nxxd ./src/dialog/cr16boot/image452.bin \u003e| /tmp/x_production\nxxd ./src/dialog/cr16boot/image452_service.bin \u003e| /tmp/x_service\n```\n\n```\n# from /tmp/x_service\nbootargs=noinitrd root=/dev/ram0 rw init=/linuxrc earlyprintk=serial console=ttyS0.bootcmd=bootm 
E8000.bootdelay=1.baudrate=115200.ethaddr=02:4e:ef:10:51:10.ipaddr=192.168.1.10.serverip=192.168.1.34.netmask=255.255.255.0.bootfile=\"vmlinuz\".boot_from=flash.board_rev=RevB.1st_boot_pos=E8000.2nd_boot_pos=46F000.rec_boot_pos=20000.boot_from_image_no=1\n\n# from /tmp/x_production\nbootargs=noinitrd root=/dev/ram0 rw init=/linuxrc earlyprintk=serial console=ttyS0.bootcmd=bootm E8000.bootdelay=1.baudrate=115200.ethaddr=02:4e:ef:10:51:07.ipaddr=192.168.1.10.serverip=192.168.1.34.netmask=255.255.255.0.bootfile=\"vmlinuz\".boot_from=flash.board_rev=RevB.1st_boot_pos=E8000.2nd_boot_pos=46F000.rec_boot_pos=20000.boot_from_image_no=1\n```\n\n### cr16boot bootloader configuration\n\nThe build-time configuration of the bootloader is done in the following\nheaders.\n\n`src/dialog/cr16boot/include/configs/config_sc14452reef.h`\n`src/dialog/cr16boot/include/configs/config_sc14452reef_32MB_service.h`\n\nThere are a couple noteworthy snippets here:\n\n```cpp\n// How to craft this ethernet frame?\n// see src/dialog/cr16boot/common/unlock.c\n// and src/dialog/cr16boot/net/net.c\n#define CONFIG_SYSTEM_LOCK_DEF      \"true\"          ///\u003c (true|false)default value. When \"true\", serial console is disabled. 
Can be unlocked by ethernet frame.\n\n// how can we toggle these?\n#define CONFIG_BOOT_FROM_IMAGE_NO       1                       ///\u003c (env) which image should be booted first \"1\" or \"2\" or \"R\" (recovery)\n\n//= feature: longpress button detection\n#define CFG_BUTTON_DETECTION            1                       ///\u003c (feat) (0|1) enable button driven behavior\n#if (CFG_BUTTON_DETECTION)\n/** (export) if defined CONFIG_FACTORY_RESET variable will be exported to linux environment but not stored in u-boot's env settings */\n        #define CONFIG_FACTORY_RESET            \"factory_reset\"\n        #define CFG_LONGPRESS_RESET                     (10*10) /// (feat) 10 seconds in 100ms ticks\n        #define CFG_LONGPRESS_RECOVERY          (30*10) /// (feat) 30 seconds in 100ms ticks\n        #define CFG_LONGPRESS_MAXIMUM_WAIT      (32*10) /// (feat) when button is pressed wait maximum 6 seconds\n#endif\n```\n\n```sh\nvim `rg --files-with-matches -i system_locked`\n```\n\nHere is a utility to [craft arbitrary ethernet frames](https://gist.github.com/lethean/5fb0f493a1968939f2f7).\nI was not successful unlocking the system with a button press (while\nconnecting the power plug) and sending the packets in fast succession:\n\n```sh\ngcc -Wall -Wextra -Wpedantic -o sendRawEth -O2 sendRawEth.c\nfor i in $(seq 1 50); do ./sendRawEth; done\n```\n\n### Sniffing the traffic while using mitmproxy/mitmdump\n\nI have a couple of pcap-ng dumps from\n\n  * a \"normal\" boot sequence\n  * a boot sequence with the button pressed while connecting the power plug\n  * (TODO) a boot sequence while having `sendRawEth` running\n  * (TODO) a boot sequence followed by all sensors firing\n  * (TODO) with iptables `REDIRECT` to `mitmdump` active\n\nFrom looking at the packets, I am pleasantly surprised to see the connection\nbeing TLSv1.2-secured. After all, the CR16C isn't the most powerful CPU.\nThere appear to be client certificates in use, too. 
My hope is that once\nI get my fingers on the client certificate (key pair) I can use\nWireshark to decrypt that TCP session - [see](https://packetpushers.net/blog/using-wireshark-to-decode-ssltls-packets/).\n\nIn summary: Without being able to manipulate the list of trusted CA\ncertificates on the basestation, I am (of course!) unable to decrypt the\ntraffic on-the-fly with `mitmproxy`.\n\n### Creating backups\n\n* `src/init_rootfs/usr/bin/sysdump_create.sh`\n\n### Available tools\n\n* `ifplugd`, `ifup`, `ifdown`\n* `inetc`\n* `nc` (netcat client and server)\n  - see `src/opensource/busybox/include/bbconfigopts.h`\n* `sha256sum`\n  - see `src/opensource/busybox/include/bbconfigopts.h`\n* `telnetd`\n* `tftp` (client only)\n  - see `src/opensource/busybox/include/bbconfigopts.h`\n* `udhcpc`\n* `wget`\n  - see `src/opensource/busybox/include/bbconfigopts.h`\n\nFor the full config see:\n\n```sh\nrg -v '^\"#' src/opensource/busybox/include/bbconfigopts.h | less\n```\n\n### Attacking via recoveryfs\n\n`src/init_recoveryfs/etc/start.sh` attempts to download `recovery.bin`\nand `recoveryfs.bin` from `recovery.gigaset-elements.de`.\n\n```sh\n# WARNING: based on the example at https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_Elements_Base\necho Reef BS version \"'bas-001.000.026'\" tagged at: \"'unknown'\" version status: \"'NOT REPOSITORY VERSION'\" \u003e| /tmp/txt\nBAS_TAG=`cat /tmp/txt | grep -w \"Reef BS version\" | cut -d \\' -f 2`\ncurl --remote-name --get --header \"User-Agent: Basestation/${BAS_TAG}\" --verbose 'http://recovery.gigaset-elements.de/recoveryfs.bin'\ncurl --remote-name --get --header \"User-Agent: Basestation/${BAS_TAG}\" --verbose 'http://recovery.gigaset-elements.de/recovery.bin'\n```\n\nThe idea here would be to use local DNS spoofing to make the system\ndownload and flash a different recovery filesystem and kernel image that\nsuits our needs.\n\n### Attacking via self-signed certificates\n\nI strongly doubt this will work but it is worth 
a try. Use OpenSSL's\n`x509`, `gencrl`, `rsa`, ... subcommands as needed to create a (self-\nsigned) server certificate and see what happens.\n\n## Other projects and references\n\n* [1](https://github.com/matthsc/gigaset-elements-api)\n* [2](https://github.com/matthsc/ioBroker.gigaset-elements)\n* [3](https://github.com/ycardon/gigaset-elements-proxy)\n* [4](https://github.com/dynasticorpheus/gigasetelements-h)\n* [5](https://static.digitecgalaxus.ch/Files/7/7/1/3/8/6/0/Gigaset_elements_alarm%20system%20M_1_DE_Datasheet.pdf)\n* [6](https://osmocom.org/projects/misc-dect-hacks/wiki/Gigaset_Elements_Base)\n* [7](https://community.home-assistant.io/t/gigaset-elements/222444/21)\n* [8](https://stadt-bremerhaven.de/elektroschrott-gigaset-smart-home-care-wird-eingestellt/)\n* [9](https://old.reddit.com/r/de_EDV/comments/1bnj2ww/gigaset_smart_home_elements_etc_wird_per_294/)\n* [10](https://old.reddit.com/r/smarthome/comments/1bngnz1/gigaset_elements_insolvency_any_ideas_to_keep_the/)\n* [11](https://raw.githubusercontent.com/bdarmofal/proc_manual/master/ghidra_manuals/prog16c.pdf)\n* [bflt-utils](https://code.google.com/archive/p/bflt-utils/source/default/source)\n* [GitHub clone of bflt-utils](https://github.com/nihilus/bflt-utils)\n* [other auto-exports of bflt-utils from Google Code](https://github.com/search?q=bflt-utils\u0026type=repositories)\n* [GCC newer than v12 lacks support for CompactRISC](https://www.phoronix.com/news/GCC-Dropping-CompactRISC-CR16)\n* [the patch landed as eb6358247a9386db2828450477d86064f213e0a8](https://gcc.gnu.org/pipermail/gcc-patches/2022-August/600296.html)\n* [dropbear](http://matt.ucc.asn.au/dropbear/dropbear.html)\n* [GitHub: dropbear](https://github.com/mkj/dropbear)\n* [Gigaset Elements WebApp](https://app.gigaset-elements.com/#/unauthorized)\n* [craft arbitrary ethernet frames](https://gist.github.com/lethean/5fb0f493a1968939f2f7)\n* [alternative](https://gist.github.com/austinmarton/1922600)\n* 
[blog](https://austinmarton.wordpress.com/2011/09/14/sending-raw-ethernet-packets-from-a-specific-interface-in-c-on-linux/)\n* [... via](https://old.reddit.com/r/C_Programming/comments/gygbs6/how_to_send_raw_bits_over_an_ethernet_interface/)\n* [Using Wireshark to Decode SSL/TLS Packets](https://packetpushers.net/blog/using-wireshark-to-decode-ssltls-packets/)\n* [ssldump](https://github.com/adulau/ssldump/)\n* [Capture, Analyze and Debug HTTPS traffic with MITMProxy](https://www.youtube.com/watch?v=7BXsaU42yok)\n* [Read and Manipulate Network Traffic on Android with mitmproxy](https://media.ccc.de/v/camp2023-57313-read_and_manipulate_network_traffic_on_android_with_mitmproxy)\n* [Deploying TLS 1.3: the great, the good and the bad](https://media.ccc.de/v/33c3-8348-deploying_tls_1_3_the_great_the_good_and_the_bad)\n* [The Rocky Road to TLS 1.3 and better Internet Encryption](https://media.ccc.de/v/35c3-9607-the_rocky_road_to_tls_1_3_and_better_internet_encryption)\n* [goto fail; exploring two decades of transport layer insecurity - Chapter \"Downgrade Attack\"](https://media.ccc.de/v/32c3-7438-goto_fail#t=2115)\n* [7 Smart-Home-Starter-Kits im Sicherheits-Test](https://www.av-test.org/fileadmin/pdf/publications/avtest_2014-04_smart_home_deutsch.pdf#25)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fobruns%2Fgelee","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fobruns%2Fgelee","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fobruns%2Fgelee/lists"}