Cubbit was is an Italian startup, born in my Bologna, in 2016 from an idea of some university students. Cubbit wanted to be a geo-distributed cloud based on P2P, ideally the concept was very fascinating.
In the early years the first alpha versions were based on Raspberry then thanks to a Kickstarter campaign they introduced their own well-packaged hardware. I was always very fascinated by this product, but punctually found some shortcomings.
Very interesting are the articles by Daniel Aleksandersen and Gioxx, both talking about some delicate but fundamental aspects of this project. Basically, I never used it. I always thought it was safer, faster and more efficient to use my Synology NAS.
The year 2023, however, brought only bad news for Cubbit users, the project unfortunately did not take off and so the company’s focus turned to the Business world. Consumer users have received the bad news that the old services will be discontinued in November 2023.
Therefore in November 2023 the entire “Cubbit Hatch” infrastructure was shut down and the Cubbit Cells should (but reading on Reddit some users have doubts) be used to guarantee the functioning of the new DS3 service.
DS3 is a geo distributed cloud storage compatible with the S3 protocol. Currently it seems to be used by several very important Italian entities, free access to this technology has also been offered to all consumer Cubbit Cell owners.
However general discontent among private users persists, the project has been totally distorted and there is no longer an easy desktop application to use.
I therefore decided to disassemble and reverse engineer my Cubbit Cell and better understand how it is built.
Hardware
First, I opened the Cubbit Cell to find out its contents. 😱
Inside the cell is a board and a 2Tb mechanical Hard Disk from Western Digital. But also noted is a MicroUSB port and a reset button not visible externally from the packaged.
I immediately thought that the MicroUSB port could be used to get a LOG Console, so I connected the Cubbit to my computer and got more details.
WTMI-devel-18.12.0-a0a1cb8
WTMI: system early-init
SVC REV: 5, CPU VDD voltage: 1.097V
NOTICE: Booting Trusted Firmware
NOTICE: BL1: v1.5(release):1f8ca7e0-dirty (Marvell-devel-18.12.2)
NOTICE: BL1: Built : 12:56:51, Jul 26 2019
NOTICE: BL1: Booting BL2
NOTICE: BL2: v1.5(release):1f8ca7e0-dirty (Marvell-devel-18.12.2)
NOTICE: BL2: Built : 12:56:57, Jul 26 2019
NOTICE: BL1: Booting BL31
NOTICE: BL31: v1.5(release):1f8ca7e0-dirty (Marvell-devel-18.12.2)
NOTICE: BL31: Built : 12:5
U-Boot 2018.03-devel-18.12.3+marvell+gc9aa92ce70 (Jul 26 2019 - 12:55:53 +0000)
Model: Marvell Armada 3720 Community Board ESPRESSOBin (eMMC)
CPU 1000 [MHz]
L2 800 [MHz]
TClock 200 [MHz]
DDR 800 [MHz]
DRAM: 1 GiB
Comphy chip #0:
Comphy-0: USB3 5 Gbps
Comphy-1: PEX0 2.5 Gbps
Comphy-2: SATA0 6 Gbps
Target spinup took 0 ms.
AHCI 0001.0300 32 slots 1 ports 6 Gbps 0x1 impl SATA mode
flags: ncq led only pmp fbss pio slum part sxs
PCIE-0: Link down
MMC: sdhci@d0000: 0, sdhci@d8000: 1
Loading Environment from MMC... OK
Model: Marvell Armada 3720 Community Board ESPRESSOBin (eMMC)
Net: eth0: neta@30000 [PRIME]
Hit any key to stop autoboot: 0
11673 bytes read in 15 ms (759.8 KiB/s)
14729216 bytes read in 12095 ms (1.2 MiB/s)
## Flattened Device Tree blob at 06f00000
Booting using the fdt blob at 0x6f00000
Loading Device Tree to 000000003f614000, end 000000003f619d98 ... OK
Starting kernel ...
[ 0.000000] Booting Linux on physical CPU 0x0
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 4.4.52-armada-17.10.4-armada-17.10.4+g719fc867a76c (oe-user@oe-host) (gcc version 7.3.0 (GCC) ) #1 SMP PREEMPT Fri Jan 8 13:24:09 UTC 2021
[ 0.000000] Boot CPU: AArch64 Processor [410fd034]
[ 0.000000] efi: Getting EFI parameters from FDT:
[ 0.000000] efi: UEFI not found.
[ 0.000000] cma: Reserved 64 MiB at 0x000000003b400000
[ 0.000000] psci: probing for conduit method from DT.
[ 0.000000] psci: PSCIv1.1 detected in firmware.
[ 0.000000] psci: Using standard PSCI v0.2 function IDs
[ 0.000000] psci: MIGRATE_INFO_TYPE not supported.
[ 0.000000] psci: SMC Calling Convention v1.1
[ 0.000000] PERCPU: Embedded 16 pages/cpu @ffffffc03ffc5000 s24984 r8192 d32360 u65536
[ 0.000000] Detected VIPT I-cache on CPU0
[ 0.000000] CPU features: enabling workaround for ARM erratum 845719
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 257536
[ 0.000000] Kernel command line: root=/dev/mmcblk0p3
[ 0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.000000] Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes)
[ 0.000000] Inode-cache hash table entries: 65536 (order: 7, 524288 bytes)
[ 0.000000] software IO TLB [mem 0x36a00000-0x3aa00000] (64MB) mapped at [ffffffc036a00000-ffffffc03a9fffff]
[ 0.000000] Memory: 882140K/1046528K available (10036K kernel code, 628K rwdata, 3268K rodata, 340K init, 290K bss, 98852K reserved, 65536K cma-reserved)
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vmalloc : 0xffffff8000000000 - 0xffffffbdbfff0000 ( 246 GB)
[ 0.000000] vmemmap : 0xffffffbdc0000000 - 0xffffffbfc0000000 ( 8 GB maximum)
[ 0.000000] 0xffffffbdc0000000 - 0xffffffbdc1000000 ( 16 MB actual)
[ 0.000000] fixed : 0xffffffbffa7fd000 - 0xffffffbffac00000 ( 4108 KB)
[ 0.000000] PCI I/O : 0xffffffbffae00000 - 0xffffffbffbe00000 ( 16 MB)
[ 0.000000] modules : 0xffffffbffc000000 - 0xffffffc000000000 ( 64 MB)
[ 0.000000] memory : 0xffffffc000000000 - 0xffffffc040000000 ( 1024 MB)
[ 0.000000] .init : 0xffffffc000d81000 - 0xffffffc000dd6000 ( 340 KB)
[ 0.000000] .text : 0xffffffc000080000 - 0xffffffc000d801b4 ( 13313 KB)
[ 0.000000] .data : 0xffffffc000def000 - 0xffffffc000e8c000 ( 628 KB)
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[ 0.000000] Preemptible hierarchical RCU implementation.
[ 0.000000] Build-time adjustment of leaf fanout to 64.
[ 0.000000] RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=2.
[ 0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=64, nr_cpu_ids=2
[ 0.000000] NR_IRQS:64 nr_irqs:64 0
[ 0.000000] GIC: Using split EOI/Deactivate mode
[ 0.000000] CPU0: found redistributor 0 region 0:0x00000000d1d40000
[ 0.000000] Architected cp15 timer(s) running at 12.50MHz (phys).
[ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x2e2049cda, max_idle_ns: 440795202628 ns
[ 0.000004] sched_clock: 56 bits at 12MHz, resolution 80ns, wraps every 4398046511080ns
[ 0.000154] Console: colour dummy device 80x25
[ 0.000819] console [tty0] enabled
[ 0.000845] Calibrating delay loop (skipped), value calculated using timer frequency.. 25.00 BogoMIPS (lpj=50000)
[ 0.000879] pid_max: default: 32768 minimum: 301
[ 0.000946] Security Framework initialized
[ 0.000998] Mount-cache hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.001019] Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.001587] Initializing cgroup subsys io
[ 0.001617] Initializing cgroup subsys memory
[ 0.001654] Initializing cgroup subsys devices
[ 0.001676] Initializing cgroup subsys freezer
[ 0.001698] Initializing cgroup subsys perf_event
[ 0.001718] Initializing cgroup subsys hugetlb
[ 0.001737] Initializing cgroup subsys pids
[ 0.002024] EFI services will not be available.
[ 0.002054] ASID allocator initialised with 65536 entries
[ 0.036163] Detected VIPT I-cache on CPU1
[ 0.036189] CPU1: found redistributor 1 region 0:0x00000000d1d60000
[ 0.036214] CPU1: Booted secondary processor [410fd034]
[ 0.036280] Brought up 2 CPUs
[ 0.036350] SMP: Total of 2 processors activated.
[ 0.036368] CPU features: detected feature: GIC system register CPU interface
[ 0.036390] CPU: All CPU(s) started at EL2
[ 0.036420] alternatives: patching kernel code
[ 0.037081] devtmpfs: initialized
[ 0.041013] DMI not present or invalid.
[ 0.041344] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[ 0.041391] futex hash table entries: 512 (order: 4, 65536 bytes)
[ 0.043432] xor: measuring software checksum speed
[ 0.080251] 8regs : 1918.000 MB/sec
[ 0.120292] 8regs_prefetch: 1710.000 MB/sec
[ 0.160340] 32regs : 2358.000 MB/sec
[ 0.200389] 32regs_prefetch: 1983.000 MB/sec
[ 0.200407] xor: using function: 32regs (2358.000 MB/sec)
[ 0.200448] pinctrl core: initialized pinctrl subsystem
[ 0.201816] NET: Registered protocol family 16
[ 0.212568] cpuidle: using governor ladder
[ 0.224468] cpuidle: using governor menu
[ 0.224651] vdso: 2 pages (1 code @ ffffffc000df5000, 1 data @ ffffffc000df4000)
[ 0.224710] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[ 0.225669] DMA: preallocated 256 KiB pool for atomic allocations
[ 0.225830] Serial: AMBA PL011 UART driver
[ 0.227571] d0012000.serial: ttyMV0 at MMIO 0xd0012000 (irq = 7, base_baud = 0) is a mvebu-uart
[ 0.762473] console [ttyMV0] enabled
[ 0.861667] raid6: int64x1 gen() 354 MB/s
[ 0.933680] raid6: int64x1 xor() 385 MB/s
[ 1.005794] raid6: int64x2 gen() 599 MB/s
[ 1.077843] raid6: int64x2 xor() 514 MB/s
[ 1.149935] raid6: int64x4 gen() 913 MB/s
[ 1.221998] raid6: int64x4 xor() 631 MB/s
[ 1.294075] raid6: int64x8 gen() 836 MB/s
[ 1.366147] raid6: int64x8 xor() 629 MB/s
[ 1.438270] raid6: neonx1 gen() 630 MB/s
[ 1.510308] raid6: neonx1 xor() 623 MB/s
[ 1.582405] raid6: neonx2 gen() 1031 MB/s
[ 1.654489] raid6: neonx2 xor() 888 MB/s
[ 1.726555] raid6: neonx4 gen() 1327 MB/s
[ 1.798667] raid6: neonx4 xor() 1012 MB/s
[ 1.870738] raid6: neonx8 gen() 1376 MB/s
[ 1.942803] raid6: neonx8 xor() 1025 MB/s
[ 1.946879] raid6: using algorithm neonx8 gen() 1376 MB/s
[ 1.952450] raid6: .... xor() 1025 MB/s, rmw enabled
[ 1.957484] raid6: using intx1 recovery algorithm
[ 1.963327] gpio-regulator soc:internal-regs:regulator@0: Could not obtain regulator setting GPIOs: -517
[ 1.972913] armada3700-avs d0011500.avs: error getting max cpu frequency, try again later
[ 1.981545] armada3700-avs d0011500.avs: armada_3700_avs_probe: failed initialization
[ 1.989866] vgaarb: loaded
[ 1.992796] SCSI subsystem initialized
[ 1.996883] usbcore: registered new interface driver usbfs
[ 2.002649] usbcore: registered new interface driver hub
[ 2.007902] usbcore: registered new device driver usb
[ 2.013559] pxa2xx-i2c d0011000.i2c: failed to get the clk: -517
[ 2.019514] pxa2xx-i2c d0011080.i2c: failed to get the clk: -517
[ 2.026207] pps_core: LinuxPPS API ver. 1 registered
[ 2.031378] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[ 2.040633] PTP clock support registered
[ 2.045333] dmi: Firmware registration failed.
[ 2.049945] armada37xx-clk-pm d0014018.cpu-pm-clk: error getting max cpu frequency, try again later
[ 2.060218] clocksource: Switched to clocksource arch_sys_counter
[ 2.076679] NET: Registered protocol family 2
[ 2.081870] TCP established hash table entries: 8192 (order: 4, 65536 bytes)
[ 2.089296] TCP bind hash table entries: 8192 (order: 5, 131072 bytes)
[ 2.096259] TCP: Hash tables configured (established 8192 bind 8192)
[ 2.102727] UDP hash table entries: 512 (order: 2, 16384 bytes)
[ 2.108826] UDP-Lite hash table entries: 512 (order: 2, 16384 bytes)
[ 2.115610] NET: Registered protocol family 1
[ 2.120254] RPC: Registered named UNIX socket transport module.
[ 2.126225] RPC: Registered udp transport module.
[ 2.130911] RPC: Registered tcp transport module.
[ 2.135757] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 2.143316] kvm [1]: GICv3: no GICV resource entry
[ 2.148316] kvm [1]: disabling GICv2 emulation
[ 2.152759] kvm [1]: interrupt-controller@ffffffc0000b0784 IRQ14
[ 2.159064] kvm [1]: timer IRQ3
[ 2.162128] kvm [1]: Hyp mode initialized successfully
[ 2.170436] audit: initializing netlink subsys (disabled)
[ 2.175959] audit: type=2000 audit(2.144:1): initialized
[ 2.182188] HugeTLB registered 2 MB page size, pre-allocated 0 pages
[ 2.199702] VFS: Disk quotas dquot_6.6.0
[ 2.203971] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 2.213138] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 2.220841] NFS: Registering the id_resolver key type
[ 2.225962] Key type id_resolver registered
[ 2.230060] Key type id_legacy registered
[ 2.234450] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
[ 2.241818] ntfs: driver 2.1.32 [Flags: R/W].
[ 2.246593] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[ 2.253024] fuse init (API version 7.23)
[ 2.257848] SGI XFS with security attributes, no debug enabled
[ 2.265248] 9p: Installing v9fs 9p2000 file system support
[ 2.273462] async_tx: api initialized (async)
[ 2.278384] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 249)
[ 2.286072] io scheduler noop registered
[ 2.289995] io scheduler deadline registered
[ 2.294578] io scheduler cfq registered (default)
[ 2.304171] libphy: Fixed MDIO Bus: probed
[ 2.308629] tun: Universal TUN/TAP device driver, 1.6
[ 2.313820] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[ 2.320590] libphy: mdio_driver_register: mv88e6xxx
[ 2.325819] libphy: orion_mdio_bus: probed
[ 2.329763] mdio_bus d0032004.mdio-mi:01: mdio_device_register
[ 2.337058] sky2: driver version 1.30
[ 2.340767] e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k
[ 2.346915] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[ 2.352883] igb: Intel(R) Gigabit Ethernet Network Driver - version 5.3.0-k
[ 2.359994] igb: Copyright (c) 2007-2014 Intel Corporation.
[ 2.366008] igbvf: Intel(R) Gigabit Virtual Function Network Driver - version 2.0.2-k
[ 2.373878] igbvf: Copyright (c) 2009 - 2012 Intel Corporation.
[ 2.380051] ixgbe: Intel(R) 10 Gigabit PCI Express Network Driver - version 4.2.1-k
[ 2.388173] ixgbe: Copyright (c) 1999-2015 Intel Corporation.
[ 2.394228] ixgbevf: Intel(R) 10 Gigabit PCI Express Virtual Function Network Driver - version 2.12.1-k
[ 2.403717] ixgbevf: Copyright (c) 2009 - 2012 Intel Corporation.
[ 2.409984] ixgb: Intel(R) PRO/10GbE Network Driver - version 1.0.135-k2-NAPI
[ 2.417644] ixgb: Copyright (c) 1999-2008 Intel Corporation.
[ 2.423631] usbcore: registered new interface driver asix
[ 2.428994] usbcore: registered new interface driver ax88179_178a
[ 2.435174] usbcore: registered new interface driver cdc_ether
[ 2.441543] usbcore: registered new interface driver net1080
[ 2.447133] usbcore: registered new interface driver cdc_subset
[ 2.453334] usbcore: registered new interface driver zaurus
[ 2.459128] usbcore: registered new interface driver cdc_ncm
[ 2.466370] advk-pcie d0070000.pcie: Failed to obtain clock from DT
[ 2.473341] mv_xor d0060900.xor: Marvell shared XOR driver
[ 2.500950] mv_xor d0060900.xor: Marvell XOR (Descriptor Mode): ( xor cpy intr pq )
[ 2.532959] mv_xor d0060900.xor: Marvell XOR (Descriptor Mode): ( xor cpy intr pq )
[ 2.548112] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
[ 2.556876] Unable to detect cache hierarchy from DT for CPU 0
[ 2.568106] brd: module loaded
[ 2.577894] loop: module loaded
[ 2.583454] VFIO - User Level meta-driver version: 0.3
[ 2.589878] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 2.596782] ehci-pci: EHCI PCI platform driver
[ 2.601263] ehci-platform: EHCI generic platform driver
[ 2.606851] ehci-orion: EHCI orion driver
[ 2.621000] orion-ehci d005e000.usb: EHCI Host Controller
[ 2.626635] orion-ehci d005e000.usb: new USB bus registered, assigned bus number 1
[ 2.634318] orion-ehci d005e000.usb: irq 10, io mem 0xd005e000
[ 2.652232] orion-ehci d005e000.usb: USB 2.0 started, EHCI 1.00
[ 2.659103] hub 1-0:1.0: USB hub found
[ 2.663049] hub 1-0:1.0: 1 port detected
[ 2.667578] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 2.673676] ohci-pci: OHCI PCI platform driver
[ 2.678514] ohci-platform: OHCI generic platform driver
[ 2.684577] usbcore: registered new interface driver usb-storage
[ 2.690943] Failed to detect usb3 device!
[ 2.695320] mousedev: PS/2 mouse device common for all mice
[ 2.705473] i2c /dev entries driver
[ 2.709809] md: linear personality registered for level -1
[ 2.715187] md: raid0 personality registered for level 0
[ 2.720916] md: raid1 personality registered for level 1
[ 2.726402] md: raid10 personality registered for level 10
[ 2.732125] md: raid6 personality registered for level 6
[ 2.737480] md: raid5 personality registered for level 5
[ 2.743133] md: raid4 personality registered for level 4
[ 2.748878] device-mapper: ioctl: 4.34.0-ioctl (2015-10-28) initialised: dm-devel@redhat.com
[ 2.757675] sdhci: Secure Digital Host Controller Interface driver
[ 2.764035] sdhci: Copyright(c) Pierre Ossman
[ 2.768514] sdhci-pltfm: SDHCI platform and OF driver helper
[ 2.774771] xenon-sdhci d00d0000.sdhci: Failed to setup input clk: -517
[ 2.781708] xenon-sdhci d00d8000.sdhci: Failed to setup input clk: -517
[ 2.789209] ledtrig-cpu: registered to indicate activity on CPUs
[ 2.795958] usbcore: registered new interface driver usbhid
[ 2.801777] usbhid: USB HID core driver
[ 2.807606] nf_conntrack version 0.5.0 (7403 buckets, 29612 max)
[ 2.814292] IPVS: Registered protocols ()
[ 2.818556] IPVS: Connection hash table configured (size=4096, memory=64Kbytes)
[ 2.825924] IPVS: Creating netns size=1328 id=0
[ 2.830656] IPVS: ipvs loaded.
[ 2.833817] ipip: IPv4 over IPv4 tunneling driver
[ 2.839802] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 2.845467] Initializing XFRM netlink socket
[ 2.850770] NET: Registered protocol family 10
[ 2.856178] sit: IPv6 over IPv4 tunneling driver
[ 2.861378] NET: Registered protocol family 17
[ 2.866009] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[ 2.878895] Bridge firewalling registered
[ 2.883162] Distributed Switch Architecture driver version 0.1
[ 2.889316] 8021q: 802.1Q VLAN Support v1.8
[ 2.893724] 9pnet: Installing 9P2000 support
[ 2.897907] Key type dns_resolver registered
[ 2.902218] openvswitch: Open vSwitch switching datapath
[ 2.908423] mpls_gso: MPLS GSO support
[ 2.912727] registered taskstats version 1
[ 2.919646] Btrfs loaded
[ 2.922869] Key type encrypted registered
[ 2.928514] i2c i2c-0: PXA I2C adapter
[ 2.933292] i2c i2c-1: PXA I2C adapter
[ 2.939295] mvneta d0030000.ethernet eth0: Using device tree mac address f0:XX:4e:XX:df:XX
[ 3.208602] PCI host bridge /soc/pcie@d0070000 ranges:
[ 3.213615] MEM 0xe8000000..0xe8ffffff -> 0xe8000000
[ 3.218989] IO 0xe9000000..0xe900ffff -> 0xe9000000
[ 4.224374] advk-pcie d0070000.pcie: link never came up
[ 4.229938] advk-pcie d0070000.pcie: PCI host bridge to bus 0000:00
[ 4.236372] pci_bus 0000:00: root bus resource [bus 00-ff]
[ 4.241938] pci_bus 0000:00: root bus resource [mem 0xe8000000-0xe8ffffff]
[ 4.249040] pci_bus 0000:00: root bus resource [io 0x0000-0xffff] (bus address [0xe9000000-0xe900ffff])
[ 5.690671] advk-pcie d0070000.pcie: Posted PIO Response Status: CA, 0xe00 @ 0x0
[ 5.700912] ahci-mvebu d00e0000.sata: AHCI 0001.0300 32 slots 1 ports 6 Gbps 0x1 impl platform mode
[ 5.710226] ahci-mvebu d00e0000.sata: flags: ncq sntf led only pmp fbs pio slum part sxs
[ 5.719694] scsi host0: ahci-mvebu
[ 5.723641] ata1: SATA max UDMA/133 mmio [mem 0xd00e0000-0xd00e0177] port 0x100 irq 13
[ 5.741906] xhci-hcd d0058000.usb3: xHCI Host Controller
[ 5.747274] xhci-hcd d0058000.usb3: new USB bus registered, assigned bus number 2
[ 5.755275] xhci-hcd d0058000.usb3: hcc params 0x0a000998 hci version 0x100 quirks 0x00010090
[ 5.763834] xhci-hcd d0058000.usb3: irq 9, io mem 0xd0058000
[ 5.770483] hub 2-0:1.0: USB hub found
[ 5.774071] hub 2-0:1.0: 1 port detected
[ 5.779323] xhci-hcd d0058000.usb3: xHCI Host Controller
[ 5.784681] xhci-hcd d0058000.usb3: new USB bus registered, assigned bus number 3
[ 5.792397] usb usb3: We don't know the algorithms for LPM for this host, disabling LPM.
[ 5.801274] hub 3-0:1.0: USB hub found
[ 5.804864] hub 3-0:1.0: 1 port detected
[ 5.810167] armada3700_wdt: Initial timeout 343 sec
[ 5.815471] xenon-sdhci d00d0000.sdhci: Got CD GPIO
[ 5.820866] xenon-sdhci d00d0000.sdhci: No vmmc regulator found
[ 5.864384] mmc0: SDHCI controller on d00d0000.sdhci [d00d0000.sdhci] using ADMA
[ 5.872582] xenon-sdhci d00d8000.sdhci: No vmmc regulator found
[ 5.878478] xenon-sdhci d00d8000.sdhci: No vqmmc regulator found
[ 5.916240] mmc1: SDHCI controller on d00d8000.sdhci [d00d8000.sdhci] using ADMA
[ 5.947399] libphy: mv88e6xxx SMI: probed
[ 5.951456] mdio_bus d0032004.mdio-mi: switch 0x341 probed: Marvell 88E6341, revision 0
[ 5.959708] mvneta d0030000.ethernet eth0: [0]: detected a Marvell 88E6341 switch
[ 5.990608] mmc1: MAN_BKOPS_EN bit is not set
[ 6.008039] mmc1: new HS400 MMC card at address 0001
[ 6.017664] mmcblk0: mmc1:0001 DG4008 7.28 GiB
[ 6.022499] mmcblk0boot0: mmc1:0001 DG4008 partition 1 4.00 MiB
[ 6.028885] mmcblk0boot1: mmc1:0001 DG4008 partition 2 4.00 MiB
[ 6.039228] mmcblk0rpmb: mmc1:0001 DG4008 partition 3 4.00 MiB
[ 6.046700] mmcblk0: p1 p2 p3 p4
[ 6.111343] Generic PHY mv88e6xxx-0:01: attached PHY driver [Generic PHY] (mii_bus:phy_addr=mv88e6xxx-0:01, irq=-1)
[ 6.123368] hctosys: unable to open rtc device (rtc0)
[ 6.220252] ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[ 6.227252] ata1.00: ATA-10: WDC WD20SPZX-22UA7T0, 01.01A01, max UDMA/133
[ 6.234123] ata1.00: 3907029168 sectors, multi 16: LBA48 NCQ (depth 31/32)
[ 6.241804] ata1.00: configured for UDMA/133
[ 6.246794] scsi 0:0:0:0: Direct-Access ATA WDC WD20SPZX-22U 1A01 PQ: 0 ANSI: 5
[ 6.256195] sd 0:0:0:0: [sda] 3907029168 512-byte logical blocks: (2.00 TB/1.82 TiB)
[ 6.264225] sd 0:0:0:0: [sda] 4096-byte physical blocks
[ 6.269487] sd 0:0:0:0: [sda] Write Protect is off
[ 6.274643] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 6.750778] sda: sda1
[ 6.754400] sd 0:0:0:0: [sda] Attached SCSI removable disk
[ 6.759840] md: Waiting for all devices to be available before autodetect
[ 6.766950] md: If you don't use raid, use raid=noautodetect
[ 6.773423] md: Autodetecting RAID arrays.
[ 6.777523] md: Scanned 0 and added 0 devices.
[ 6.782187] md: autorun ...
[ 6.784701] md: ... autorun DONE.
[ 6.790110] EXT4-fs (mmcblk0p3): couldn't mount as ext3 due to feature incompatibilities
[ 6.799509] EXT4-fs (mmcblk0p3): INFO: recovery required on readonly filesystem
[ 6.806851] EXT4-fs (mmcblk0p3): write access will be enabled during recovery
[ 6.930093] EXT4-fs (mmcblk0p3): recovery complete
[ 6.936252] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode. Opts: (null)
[ 6.944714] VFS: Mounted root (ext4 filesystem) readonly on device 179:3.
[ 6.951997] devtmpfs: mounted
[ 6.955306] Freeing unused kernel memory: 340K (ffffffc000d81000 - ffffffc000dd6000)
[ 6.963217] Freeing alternatives memory: 72K (ffffffc000dd6000 - ffffffc000de8000)
[ 7.040399] systemd[1]: systemd 234 running in system mode. (-PAM -AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP -LIBCRYPTSETUP -GCRYPT -GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN default-hierarchy=hybrid)
[ 7.062259] systemd[1]: Detected architecture arm64.
Welcome to Cubbit Embedded Linux 2.1!
[ 7.076797] systemd[1]: Set hostname to <cubbit-cell.local>.
[ 7.306251] random: systemd: uninitialized urandom read (16 bytes read, 36 bits of entropy available)
[ 7.316176] systemd[1]: Listening on Syslog Socket.
[ OK ] Listening on Syslog Socket.
[ 7.328443] random: systemd: uninitialized urandom read (16 bytes read, 36 bits of entropy available)
[ OK ] Created slice System Slice.lice System Slice.
[ 7.352581] random: systemd: uninitialized urandom read (16 bytes read, 37 bits of entropy available)
[ 7.362483] systemd[1]: Listening on udev Control Socket.
[ OK ] Listening on udev Control Socket.
[ 7.376675] random: systemd: uninitialized urandom read (16 bytes read, 37 bits of entropy available)
[ 7.400537] systemd[1]: Mounting Kernel Debug File System...
Mounting Kernel Debug File System...
[ 7.420786] random: systemd: uninitialized urandom read (16 bytes read, 37 bits of entropy available)
[ OK ] Listening on Network Service Netlink Socket.ce Netlink Socket.
[ 7.448416] random: systemd: uninitialized urandom read (16 bytes read, 38 bits of entropy available)
[ 7.458017] systemd[1]: Listening on /dev/initctl Compatibility Named Pipe.
[ OK ] Listening on /dev/initctl Compatibility Named Pipe.
[ 7.476392] random: systemd: uninitialized urandom read (16 bytes read, 39 bits of entropy available)
[ 7.487496] systemd[1]: Created slice User and Session Slice.
[ OK ] Created slice User and Session Slice.
[ 7.500399] random: systemd: uninitialized urandom read (16 bytes read, 39 bits of entropy available)
[ 7.509806] systemd[1]: Reached target Slices.
[ OK ] Reached target Slices.
[ 7.520364] random: systemd: uninitialized urandom read (16 bytes read, 40 bits of entropy available)
[ 7.531708] systemd[1]: Created slice system-getty.slice.
[ OK ] Created slice system-getty.slice.
[ 7.544431] random: systemd: uninitialized urandom read (16 bytes read, 40 bits of entropy available)
[ 7.554270] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[ OK ] Started Forward Password Requests to Wall Directory Watch.
[ 7.574337] systemd[1]: Created slice system-systemd\x2dfsck.slice.
[ OK ] Created slice system-systemd\x2dfsck.slice.
[ 7.588723] systemd[1]: Listening on Journal Socket.
[ OK ] Listening on Journal Socket.
[ 7.600742] systemd[1]: Listening on Journal Socket (/dev/log).[ OK ] Listening on Journal Socket (/dev/log).
[ 7.618352] systemd[1]: Created slice system-serial\x2dgetty.slice.
[ OK ] Created slice system-serial\x2dgetty.slice.
[ 7.632533] systemd[1]: Reached target Swap.[ OK ] Reached target Swap.
[ 7.664530] systemd[1]: Mounting Temporary Directory (/tmp)...
Mounting Temporary Directory (/tmp)...
[ 7.684790] systemd[1]: Mounting Huge Pages File System...
Mounting Huge Pages File System...
[ OK ] Started Dispatch Password Requests to Console Directory Watch.e Directory Watch.
[ 7.740857] systemd[1]: Starting File System Check on Root Device...
Starting File System Check on Root Device...
[ 7.761074] systemd[1]: Mounting POSIX Message Queue File System...
Mounting POSIX Message Queue File System...
[ 7.783870] systemd[1]: Starting Load Kernel Modules...
Starting Load Kernel Modules...
[ 7.793746] systemd[1]: Listening on Journal Audit Socket.
[ OK ] Listening on Journal Audit Socket.
[ 7.821046] systemd[1]: Starting Journal Service...
Starting Journal Service...
[ 7.826933] systemd[1]: Listening on udev Kernel Socket.
[ OK ] Listening on ud[ 7.835464] systemd[1]: Reached target Paths.
ev Kernel Socket.
[ OK ] Reached target Paths.
[ 7.852596] systemd[1]: Mounted Kernel Debug File System.
[ OK ] Mounted Kernel Debug File System.
[ 7.876656] systemd[1]: Mounted POSIX Message Queue File System.
[ OK ] Mounted POSIX Message Queue File System.
[ 7.896622] systemd[1]: Mounted Huge Pages File System.
[ OK ] Mounted Huge Pages File System.
[ 7.908631] systemd[1]: Mounted Temporary Directory (/tmp).
[ OK ] Mounted Temporary Directory (/tmp).
[ OK ] Started Journal Service.d Journal Service.
[ OK ] Started File System Check on Root Device.
[ OK ] Started Load Kernel Modules.
Starting Apply Kernel Variables...
Mounting NFSD configuration filesystem...
Mounting Kernel Configuration File System...
Mounting FUSE Control File System...
Starting Remount Root and Kernel File Systems...
[ OK ] Mounted Kernel Configuration File System.
[ 8.087762] EXT4-fs (mmcblk0p3): re-mounted. Opts: (null)
[ OK ] Mounted FUSE Control File System.
[ OK ] Mounted NFSD configuration filesystem.
[ OK ] Started Apply Kernel Variables.
[ OK ] Started Remount Root and Kernel File Systems.
Starting Flush Journal to Persistent Storage...
Starting Create System Users...
Starting Rebuild Hardware Database...
[ 8.214630] systemd-journald[1151]: Received request to flush runtime journal from PID 1
[ OK ] Started Flush Journal to Persistent Storage.
[ OK ] Started Create System Users.
Starting Create Static Device Nodes in /dev...
[ OK ] Started Create Static Device Nodes in /dev.
Starting udev Kernel Device Manager...
[ OK ] Reached target Local File Systems (Pre).
Mounting /var/volatile...
[ OK ] Mounted /var/volatile.
Starting Load/Save Random Seed...
[ OK ] Started Load/Save Random Seed.
[ OK ] Started udev Kernel Device Manager.
[ OK ] Started Rebuild Hardware Database.
Starting udev Coldplug all Devices...
[ OK ] Started udev Coldplug all Devices.
[ OK ] Found device /dev/ttyMV0.
[ OK ] Found device /dev/mmcblk0p1.
[ OK ] Found device /dev/mmcblk0p4.
Mounting /data...
Mounting /uboot...
[ 10.311920] FAT-fs (mmcblk0p1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
[ OK ] Mounted /uboot.
[ OK ] Found device /dev/internal1.
Starting File System Check on /dev/internal1...
[ 10.460668] EXT4-fs (mmcblk0p4): recovery complete
[ 10.469817] EXT4-fs (mmcblk0p4): mounted filesystem with ordered data mode. Opts: (null)
[ OK ] Mounted /data.
[ OK ] Reached target Local File Systems.
Starting Rebuild Dynamic Linker Cache...
Starting Create Volatile Files and Directories...
Starting Rebuild Journal Catalog...
[ OK ] Started Rebuild Dynamic Linker Cache.
[ OK ] Started Create Volatile Files and Directories.
Starting Update UTMP about System Boot/Shutdown...
Starting Network Time Synchronization...
[ OK ] Started Rebuild Journal Catalog.
Starting Update is Completed...
[ OK ] Started Update UTMP about System Boot/Shutdown.
[ OK ] Started Update is Completed.
[ OK ] Started Network Time Synchronization.
[ OK ] Reached target System Time Synchronized.
[ OK ] Reached target System Initialization.
[ OK ] Started Kibana stats scheduler.
[ OK ] Listening on Avahi mDNS/DNS-SD Stack Activation Socket.
Starting Docker Socket for the API.
Starting Network Service...
Starting sshd.socket.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Listening on RPCbind Server Activation Socket.
[ OK ] Started Daily Cleanup of Temporary Directories.
[ OK ] Reached target Timers.
[ OK ] Listening on Docker Socket for the API.
[ OK ] Listening on sshd.socket.
[ OK ] Reached target Sockets.
[ OK ] Reached target Basic System.
Starting Avahi mDNS/DNS-SD Stack...
[ OK ] Started Kernel Lo[ 10.891756] random: nonblocking pool is initialized
gging Service.
[ OK ] Reached target Containers.
[ OK ] Started D-Bus System Message Bus.
[ OK ] Started Avahi mDNS/DNS-SD Stack.
Starting Login Service...
Starting RPC Bind Service...
[ OK ] Started System Logging Service.
[ OK ] Started Network Service.
[ 11.116797] IPv6: ADDRCONF(NETDEV_UP): br0: link is not ready
Starting bridge-mac.service...
Starting Wait for Network to be Configured...
[ OK ] Reached target Network.
Starting Network Name Resolution...
Starting iptables firewall service...
Starting Xinetd A Powerful Replacement For Inetd...
Starting DNS forwarder and DHCP server...
Starting /etc/rc.local Compatibility...
Starting Samba NMB Daemon...
[ OK ] Started RPC Bind Service.
[ OK ] Started Xinetd A Powerful Replacement For Inetd.
[ 11.343002] br0: port 1(wan) entered blocking state
[ OK ] Started Login Service.
[ OK ] Started /etc/rc.local Compatibility.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyMV0.
[ OK ] Reached target Login Prompts.
[ OK ] Started bridge-mac.service.
[FAILED] Failed to start DNS forwarder and DHCP server.
See 'systemctl status dnsmasq.service' for details.
[ OK ] Started Network Name Resolution.
[ OK ] Started Mender OTA update service.
[ OK ] Started Cubbit cell software.
[ OK ] Started Sends statistics to kibana …ing system via metrics webservice.
Starting Mount and attach external drives for Cubbit...
[ OK ] Reached target Host and Network Name Lookups.
[ OK ] Started NFS status monitor for NFSv2/3 locking..
[ OK ] Started File System Check on /dev/internal1.
Mounting /media/internal...
[ OK ] Mounted /media/internal.
Starting File System Quota Check...
[ OK ] Started File System Quota Check.
Starting Enable File System Quotas...
[ OK ] Started iptables firewall service.
[FAILED] Failed to start Enable File System Quotas.
See 'systemctl status quotaon.service' for details.
[ OK ] Reached target Remote File Systems.
[ OK ] Started Mount and attach external drives for Cubbit.
Cubbit Embedded Linux 2.1 cubbit-cell.local ttyMV0
cubbit-cell login: Through Console LOGs we can understand some Hardware characteristics:
- Marvell Armada 3720 Community Board ESPRESSOBin
- 1GB DDR4 RAM
- 8GB eMMC flash
- 4MB SPI NOR flash
So the producer of the board is ESPRESSObin, another company that was born thanks to Kickstarter. On the official website there are all the details of this board, but the one in the Cubbit appears to be a lightweight version. In fact, two Ethernet ports, one USB port and the JTAG connector are missing. Below is the official image of the board and full specifications.
Software
Having identified the hardware used starting with the LOG console previously indicated, I began to analyze the software.
The Cubbit Cell definitely uses a Linux operating system, fortunately the ESPRESSOBin website is quite document[1, 2] and I could also install a fresh version of Ubuntu on it.
The Linux version installed on board of the cell was customized with the name “Cubbit Embedded Linux”. Cubbit has an active GitHub repository, so I was able to locate SDK of this Linux distribution.
Immediately I was struck by that Unix Shell Script “.sh” file of over 400Mb, I had never seen such a large file. 🤯 I then discovered that this Unix Shell Script contains 381 lines of code while the rest of the file contains a compressed file in the “.tar.xz” format. Then just type this command to get the Linux image:tail -n +381 cubbit-x86_64-aarch64-toolchain-3.0.sh > sdk.tar.xz
From the analysis of this SDK, I found some curiosities and even features that I personally ignored:
- They use a tmate server to have a SSH Reverse Shell;
set -g tmate-server-host "ssh-tmate.cubbit.io"
set -g tmate-server-port 2200
set -g tmate-server-rsa-fingerprint "SHA256:XXXX/XXXX"
set -g tmate-server-ed25519-fingerprint "SHA256:XXXXX/XXXX"- They use a mender server to update cells via OTA.
{
"ArtifactVerifyKey": "/etc/mender/artifact-verify-key.pem",
"InventoryPollIntervalSeconds": 28800,
"RetryPollIntervalSeconds": 300,
"ServerURL": "https://odin.cubbit.io",
"TenantToken": "dummy",
"UpdatePollIntervalSeconds": 1800
}Next, I removed the 2Tb disk and connected it to my Raspberry. The intent was to check the filesystem (ext4) and the directory and file structure.
So finally, this is an nmap scan of the open ports on my cell:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2 (protocol 2.0)
| ssh-hostkey:
| 3072 ba:11:a5:2a:b8:d2:40:e2:85:58:9c:2c:32:45:04:93 (RSA)
| 256 9f:ab:82:93:c0:40:ce:7b:5c:d9:64:c2:82:28:8f:9b (ECDSA)
|_ 256 37:45:91:0b:44:71:3b:38:61:16:c6:b2:5f:c6:68:21 (ED25519)
80/tcp open tcpwrapped
|_http-server-header: Boost.Beast/266
|_http-title: Cubbit Cell Dashboard
|_http-favicon: Unknown favicon MD5: 0FA500DDE9E4C84E96E54D154AA5E4F8
| http-methods:
|_ Supported Methods: OPTIONS
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 42567/tcp status
| 100024 1 50976/udp6 status
| 100024 1 51113/udp status
|_ 100024 1 55239/tcp6 status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open Samba smbd 4.10.18 (workgroup: WORKGROUP)
5355/tcp open llmnr?
42567/tcp open status 1 (RPC #100024)
Service Info: Host: CUBBIT-CELL
Host script results:
| nbstat: NetBIOS name: CUBBIT-CELL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| CUBBIT-CELL<00> Flags: <unique><active>
| CUBBIT-CELL<03> Flags: <unique><active>
| CUBBIT-CELL<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb2-time:
| date: 2024-02-25T11:31:15
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.10.18)
| Computer name: cubbit-cell
| NetBIOS computer name: CUBBIT-CELL\x00
| Domain name: local
| FQDN: cubbit-cell.local
|_ System time: 2024-02-25T11:31:15+00:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
You can find more Cubbit Cells exposed on the Internet thanks to Shodan.
What Next?
I will keep playing with my cell, I might try to connect to the JTAG interface to extract the firmware and study that. Or take advantage of the ESPRESSOBin guides to install a fresh copy of Ubuntu on it and used it to a NextCloud or Syncthing server. Or I cross my fingers and hope for a revival of the initial project! 🤞