Jailbreaking Control4

Thursday, January 2, 2020

In a previous post I talked about Control4 and mentioned that you can jailbreak it. This lets you do things like add/delete/rename rooms and add/delete/rename devices. Things you'd probably expect to be able to do anyway.

That process was kind of hard and there was a lot of misinformation when you searched, which made it even harder.

So I took a few hours to find out how it all worked, then a few more to write a tool to make it all much easier.

The Old Way

This post describes the old way to do it.

The New Way

I put the tool on GitHub; you can find it here. I feel like it's pretty self-explanatory, and it tries to explain what's happening so you don't get too scared when using it.

For those that are confused, you start it up and press this button

It works on v3.1.0 right now - I haven't updated to v3.1.1 yet (which has made jailbreaking a tad harder).

How it works

The director has a list of public keys that are allowed to connect to it. We generate one and add it to the list.

On the composer side the normal thing is that when a dealer logs in it connects to Control4's servers and downloads a certificate that matches up with an existing one on the server. We're skipping that step by generating matching certificates ourselves.

The composer has some restrictions on the key: the password needs to be "R8lvpqtgYiAeyO8j8Pyd" and the subject needs to start with "Composer_". Once those conditions are satisfied you're free.
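Since access depends on which public keys are in the director's list, comparing that list against a recorded baseline shows when a key has been added. This is an added example, not code from this post, the tool or Control4; the one-key-per-line base64 format, the function names and the sample entries are assumptions.

```python
import base64
import binascii
import hashlib


def fingerprint(entry: str) -> str:
    """SHA-256 fingerprint of one base64-encoded public key entry."""
    try:
        # Assumed format: base64 key first, optional label after whitespace.
        raw = base64.b64decode(entry.split()[0], validate=True)
    except (binascii.Error, IndexError) as exc:
        raise ValueError(f"unparseable key entry: {entry[:20]!r}") from exc
    return hashlib.sha256(raw).hexdigest()


def audit_allow_list(current_lines, baseline_fingerprints):
    """Return (unexpected, missing, malformed) relative to the baseline set."""
    seen, unexpected, malformed = set(), [], []
    for lineno, line in enumerate(current_lines, start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        try:
            fp = fingerprint(line)
        except ValueError:
            malformed.append(lineno)  # report it, never silently trust it
            continue
        seen.add(fp)
        if fp not in baseline_fingerprints:
            unexpected.append((lineno, fp))  # key added after the baseline
    missing = sorted(baseline_fingerprints - seen)
    return unexpected, missing, malformed


# Constructed sample data: stand-in byte strings, not real keys.
DEALER_KEY = base64.b64encode(b"constructed dealer key").decode()
ADDED_KEY = base64.b64encode(b"constructed key added later").decode()
BASELINE = {fingerprint(DEALER_KEY)}
CURRENT = ["# allowed clients", DEALER_KEY,
           ADDED_KEY + " Composer_example", "not base64!!"]

if __name__ == "__main__":
    unexpected, missing, malformed = audit_allow_list(CURRENT, BASELINE)
    for lineno, fp in unexpected:
        print(f"line {lineno}: key not in baseline, sha256={fp}")
    print("missing baseline keys:", missing)
    print("malformed lines:", malformed)
```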

Restrictions

You can do everything a dealer can do now, apart from spending money buying hardware and buying third-party drivers. If you want to give Control4 more money you need to do it via a dealer.
