Tuesday, August 10, 2010

Unbricking a Belkin Wireless Router

I have been doing a good deal of messing with OpenWRT the last few weeks, trying to get a better grasp of embedded Linux and Linux in general. I have had good success in the past installing and modifying OpenWRT on FON and Linksys routers. However, I had some issues trying to install it on my cheap and cheerful Belkin F5D9230 router. Firstly, I tried to install it by uploading the firmware image for the Airlink router (they have similar hardware specifications) following the guide here:


  1. Go to the router config page (ex. https://192.168.2.1/), log in, and then go to ver.htm (ex. https://192.168.2.1/ver.htm).
  2. Set firmware header checking to 0, apply, and wait for it to reboot.
  3. Use the firmware upgrade page to upload the OpenWrt firmware intended for the Airlink AR525W (ex. openwrt-rdc-squashfs-ar525w.img). Do not use the -web.img version.
  4. OpenWrt should be working after it reboots.
Unfortunately, this did not work. So then I cracked open the router and soldered some jumpers onto the serial connection pads on the router's motherboard. This allowed me to access the router's console using my trusty Nokia serial cable. The connections were as follows:
[   ] [RX   ] [       ] [       ] [TX   ]
       [GND1] [GND2] [Vcc1] [Vcc2]

Serial settings are 38400 baud, 8 data bits, no parity, 1 stop bit (8N1), no flow control. Using this, I was able to view the boot sequence of the router:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05


...and so on. From here, I could see that it was using RedBoot for its boot environment. Restarting the router again, I got a RedBoot prompt by pressing Ctrl+C (there is only about a one-second window, so you have to be fast). In the serial console I typed:
tftpd
Then on the laptop I flashed it with OpenWRT Kamikaze (8.09.2, r18961) using the openwrt-rdc-squashfs-ar525w.img image and the TFTP method outlined here. It booted up fine, and everything worked except wireless. It turned out that the Kamikaze 8.09 kernel had very little support for the wireless chipset driver needed by the Belkin router. So I flashed over a newer OpenWRT Backfire 10.03 image. But this firmware would not even boot up properly:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05

# Activate RDC-Keilven's RS232 Patch V2
RedBoot> @
** Error: Illegal command: ""
RedBoot>
# Kernel size = 851936 bytes
# FW size = 2686980 bytes

# fwcheck: base = 0x00400000, size = 0x00000400
# Firmware Checksum O.K
# Kernel copying......BEGIN
# Kernel copying......FINISH

mem_size: 1000000


...and then it would hang. It turns out that there is a bug in the compiled version of OpenWRT for devices that use the RDC processor, which includes the Belkin F5D9230 v4. At this stage I gave up, because I really needed to get this router working for the home network. The router was now bricked, as I could not get it working at all. So I set about trying to install the old Belkin software back onto the router.
This was not as straightforward as it sounds. For starters, there was no web interface, so I could not upload an official Belkin image downloaded off their website. Secondly, when I tried just to TFTP the official image over to the router, RedBoot would balk:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05

# Activate RDC-Keilven's RS232 Patch V2
RedBoot> 0^C
RedBoot> ^C
RedBoot> ^C
RedBoot> ^C
RedBoot> tftpd
# Dante's tiny tftpd is ready......
WRequest from 192.168.1.100: [f5d9230-4v3_uk_3.01.53.bin, octet]

# Error: invalid magic


What the duck does "Invalid Magic" mean? It must relate to the magic numbers used in the header of a file to identify what type of file it is. After having a wee think about this, I figured that RedBoot must be doing some kind of check on the firmware. Delving a bit deeper, it turns out that we need to strip some header information off the official Belkin firmware file to get at the firmware image that RedBoot expects. So I did the following in the terminal on the laptop:

dd if=input.bin of=output.bin bs=1 skip=X count=Y

Where X is the number of bytes you want to remove from the beginning, and Y is the number of bytes to copy after that point (anything past X+Y is dropped, so this also trims the end of the file).

Suppose you have a binary file which is 100 bytes in size and you want to remove the first 10 bytes and the last 5 bytes, obtaining an 85-byte output.
The value of X will be 10, while the value of Y will be 85 (=100-10-5). You can find the file size with a simple "ls -l" or "wc -c" command. In our case, we wish to remove the first 8 bytes of the file. Then TFTP over the edited file as normal:
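As an added example (not from the original post), here is the dd step wrapped in a shell function that works out Y from the file size, checks the result, and dumps the leading bytes of a file as hex so you can compare the header RedBoot rejected against the stripped image. The demo input is a constructed 22-byte file, not the Belkin firmware.

```shell
#!/bin/sh
# Added example, not the post's own commands. Wraps the dd invocation from
# the post: skip = bytes to drop from the start (X), trail = bytes to drop
# from the end; dd's count (Y) is computed from the file size so the
# arithmetic is not done by hand.
strip_header() {
    in=$1; out=$2; skip=$3; trail=${4:-0}
    size=$(wc -c < "$in" | tr -d ' ')
    count=$((size - skip - trail))
    if [ "$count" -le 0 ]; then
        echo "strip_header: $in is only $size bytes; nothing left after skipping $skip" >&2
        return 1
    fi
    dd if="$in" of="$out" bs=1 skip="$skip" count="$count" 2>/dev/null || return 1
    # Sanity check: the output must be exactly count bytes long.
    [ "$(wc -c < "$out" | tr -d ' ')" -eq "$count" ]
}

# Print the first N bytes of a file as lowercase hex with no spaces. Run it
# on the original and on the stripped image to see which leading bytes
# differ, i.e. what the bootloader's "magic" check is looking at.
head_hex() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Constructed demo input: 10 header bytes, a 7-byte payload, 5 trailer bytes.
printf 'HHHHHHHHHHpayloadTTTTT' > demo_input.bin
strip_header demo_input.bin demo_output.bin 10 5
echo "input  head: $(head_hex demo_input.bin 8)"
echo "output head: $(head_hex demo_output.bin 8)"
```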


+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05



# Activate RDC-Keilven's RS232 Patch V2
RedBoot> ^C
RedBoot> ^C
RedBoot> ^C
RedBoot> ftfpd
** Error: Illegal command: "ftfpd"
RedBoot> tftpd
# Dante's tiny tftpd is ready......
WRequest from 192.168.1.100: [f5d9230-4v3_uk_3.01.53-edit.bin, octet]

# Firmware Checksum O.K
# DFLASH: SRC=0x00400000, DST=0xFFC00000, LEN=0x0022A520
# Decide to use AMD/Fujitsu Standard command set.
# MFG ID = 0x007F, DEV ID = 0x22F6
Flash size = 4 MB
# Erasing...................................
# Writing...................................
# Finishing successfully...
# Firmware Upgrade Finished, and shotdown the TFTPD......
RedBoot> reset


And lo and behold after restarting, the router worked successfully. I have the edited firmware file available if anyone wants it.

Monday, July 26, 2010

Repairing an Apple iPhone 2G that won't charge

I received an iPhone the other day that would not charge. My first thought was that the logic board was fried from a dodgy charger, since I had come across a similar problem before.
However, there was something different going on in this situation: whenever the phone was turned on, the Apple "I need to charge" screen (see pic) came up. When plugged into a charger, it said that it was charging. However, no matter how long it was left charging for, the battery only ever held a charge for a few seconds.
Two things could cause this. One, a dodgy battery that cannot hold a charge (unlikely, as that would be a very gradual problem: this iPhone suddenly couldn't hold a charge), or two, the white wire that monitors the temperature of the battery to help it charge was broken, making the iPhone refuse to charge the battery. Sure enough, after opening it up, this was the problem. The white wire had broken off the comms board. I didn't have my trusty Weller soldering iron with me at the time, so I set about soldering the wire back on with a cheap 10 dollar fire-starter iron. Of course, I got solder all over the pad and the shielding on the comms board. So, as I was feeling quite lazy, I tried to remove the excess solder from the shielding with a small wire snips.

Good Idea? ->Bad Idea.

The force of the snips had caused the white wire solder pad on the comms board to break off, leaving nowhere to solder the wire onto. I opened up my own iPhone to try and trace where the pad led to on the board, to try and find a new pad that I could solder onto, to no avail. After much cursing and swearing, I finally found some information on the net about the pad. As the board is multi-layered, the only place that the pad's circuit seems to resurface is at the connector between the comms board and the logic board. The bad point? The pitch of the connector was very small, and there was no redundancy, i.e. normally manufacturers might carry the signal across a few of the connector pins that I could solder to; however, in this situation, there was only one. So I removed some of the shielding with my Dremel tool, and with a careful hand, soldered some wire-wrap wire onto the pin. I did accidentally short one of the neighbouring pins to it with solder, but with careful use of a sharp Stanley blade, I separated them again (I had tried solder braid to remove the solder short, to no avail). So I powered up the iPhone, tried to charge it for a while, and was delighted to see that it was charging again.

White Pad circuit, secondary point

Apple Rant: Function follows Form?

I'm not an Apple fanboy per se, but when I first tried the iPhone when it first came out, I was pretty impressed. Here was the first touch-screen phone that did not feel gimmicky, did not require a stupid stylus, looked....well, class, felt even nicer, and was really, really easy to use. So when I spotted a 16Gb broken one on eBay, I jumped at the chance to buy and repair it.

Unfortunately, as a hardware geek, there are one or two issues that I had with the phone. One is that the touchy-feely "real" glass on the screen is notorious for cracking when the phone is dropped. I have repaired about four phones where this happened, and in each case it wasn't even dropped from a great height. Secondly, the glass, touch digitiser, and LCD are glued together and cannot easily be separated. This means that if one element breaks (i.e. the glass), the whole expensive assembly has to be replaced. This was lazy hardware design by Steve Jobs and Jonathan Ive, IMHO. Any portable device with a touch screen has a tough time keeping dust from entering between the layers. The iPod Touch had a rubber bezel around the two layers to do just that. Nokia phones have a foam inlay to do the same. Why couldn't the iPhone be the same?
Thankfully, the later versions of the iPhone separated out the layers similarly to the iPod Touch. However, Apple went back to old habits with the iPhone 4. This led to the much publicised "yellow spots" appearing on the screen, caused by the glue not curing properly before being shipped. From all the hassle and complaints that Apple receive due to their glue addiction, you would assume that they would learn their lesson. Unfortunately, I think not. From the strain-relief grommets on their MagSafe chargers that don't do any strain-relieving, to the notorious antenna issues of the iPhone 4, Apple will continue to give preference to design over hardware function. This is an Apple problem that will not go away any time soon.

Tuesday, July 20, 2010

Installing an SD card (MMC) on your Fonera Router

I'm a big fan of Linux: the embedded stuff, not the Ubuntu crap you spend 3 months configuring before you can use the interwebs and that's marginally better than Winblows for ease of use. Thus when OpenWRT released "Backfire", i.e. version 10.03, I was pretty excited. I had used a few versions before this, from 7.0 onwards, and was pretty happy with the results, except for one or two points. Version 8 wouldn't boot on my Belkin router due to some RDC processor related bug, and I couldn't get it to support MMC (SD cards) on my Fonera router. Having the additional memory on your router is useful for cracking networks, installing additional packages such as a file server, web server, etc. However, that last problem has been solved with the new release, which I will outline here.

Fonera 2100 Router
Serial Pin-out for Fonera
First off, you will need to install OpenWRT on your Fonera router. There are countless guides for doing this on the net, so here is another. You will need to build a serial cable. The easiest way to do this is to go onto eBay and buy yourself a Nokia DKU-5 data cable. This cable was used back in the day of tear-aways to hook a Nokia phone up to a PC. To do this, it shifts the serial Tx and Rx lines of the PC (anything from 3v to 15v) to 3.3v TTL for the phone. Thankfully, these are the levels that we need to communicate with the router. A guide to modifying the cable for our use is available here. You will just need 3 wires: Gnd, Tx, and Rx. Connect them up to the Fonera as shown here. Fire up your terminal program (HyperTerminal on the PC, ZTerm on the Mac, or minicom or PuTTY on Ubuntu) with the settings: 9600 baud, 8N1, no flow control. When you power cycle the Fonera, you should be greeted with a load of text output from the Fonera starting up. If not, try swapping the Tx and Rx lines. I have also experienced some problems with the Fonera not booting up properly when there is a serial cable connected: try leaving the serial cable disconnected for a second or two after you power cycle, and then connect it up again.



Once you have serial working, use the OpenWrt flashing guide available here: http://wiki.openwrt.org/toh/fon/fonera (scroll down to near the end). Note, for the "fis create" step, I had to use:

fis create -l 0x006D0000 rootfs

...due to the size left for the Backfire filesystem.
Larsens MMC Hardware setup (given in link)
Now you have OpenWrt installed on your router. You will need to wire up an MMC card to the general purpose input/output (GPIO) pins on the router. A guide is available here. Just follow the hardware steps: I left the resistors in and just removed the capacitors.
When you have that done, go to the web interface at 192.168.1.1 and enable wireless. Select client mode, save and apply settings, then scan for wireless networks and connect to your local wireless internet. Then go to Network -> Interfaces -> WAN and add "wifi0" as your WAN connection, with DHCP as your protocol. If you reboot the router, it should connect to your local wireless network. Go back to your terminal and check that you have successfully connected the device to the internet by pinging Google:

ping www.google.com

You should get a response. Now, go to the software tab under administration, and click on update packages. Then install the luci-app-mmc-over-gpio package. This should install all the required dependencies. Reboot the router (type "reboot" in the terminal window or power cycle) and go to the newly available "MMC" tab under administration. Click on "enable", leave the other values alone, save and reboot the router again. In your terminal, OpenWRT should boot normally. Leave it for an additional minute or two. At the end, you should see something like:

gpio-mmc: Failed to request mmc_spi module.
mmc_spi spi32766.0: ASSUMING 3.2-3.4 V slot power
mmc_spi spi32766.0: SD/MMC host mmc0, no DMA, no WP, no poweroff
gpio-mmc: MMC-Card "default" attached to GPIO pins di=1, do=3, clk=4, cs=7
mmc_spi spi32766.0: can't change chip-select polarity
mmc0: host does not support reading read-only switch. assuming write-enable.
mmc0: new SD card on SPI
mmcblk0: mmc0:0000 SU128 120 MiB
 mmcblk0: p1

If you go to the /dev folder, you should see a new mmcblk0 and an mmcblk0p1. The latter is the first partition found on the MMC card (assuming that you formatted the card correctly: I stuck it in a Windows machine and formatted it FAT32). From the guide available here, you will need to install some packages in the terminal:


opkg update
opkg install kmod-fs-vfat kmod-nls-cp437 kmod-nls-cp850 kmod-nls-iso8859-15
 
Now, create a folder to mount the MMC card in your /mnt folder:  

mkdir /mnt/mmc

Now, mount the MMC card and hopefully you will get no errors:

mount /dev/mmcblk0p1 /mnt/mmc

Congrats! You now have plenty of additional (albeit a bit slow) external storage. (I did get an unknown char error when I first tried to mount, but after I installed kmod-nls-iso8859-1, I think it was, it worked fine.) This extra space will be handy for running Aircrack-ng to hack wireless networks and for other uses.
Handy post: https://forum.openwrt.org/viewtopic.php?id=21590&p=1
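As an added example (not from the original post or the OpenWrt project), a small script that reads the partition names out of the kernel log shown above and mounts the first one, failing loudly instead of silently doing nothing when the card was not detected. The log text is constructed from the post's lines (with a second partition added), and the mount point /mnt/mmc and vfat type follow the post.

```shell
#!/bin/sh
# Added example, not from the original post. Given kernel log text (dmesg on
# the Fonera), pick out the partition nodes the mmc_spi/gpio-mmc stack
# registered, so the mount step does not rely on guessing the device name.
# Constructed sample log, based on the lines the post shows, plus a "p2".
SAMPLE_LOG='gpio-mmc: Failed to request mmc_spi module.
mmc_spi spi32766.0: SD/MMC host mmc0, no DMA, no WP, no poweroff
gpio-mmc: MMC-Card "default" attached to GPIO pins di=1, do=3, clk=4, cs=7
mmc0: new SD card on SPI
mmcblk0: mmc0:0000 SU128 120 MiB
 mmcblk0: p1 p2'

# Print one /dev path per partition found in the log text passed as $1.
# The kernel prints one "mmcblkN: p1 p2 ..." line per card; the line
# "mmcblk0: mmc0:0000 ..." (card model) does not match and is skipped.
mmc_partitions() {
    printf '%s\n' "$1" | awk '
        /^ *mmcblk[0-9]+: *p[0-9]/ {
            dev = $1; sub(":", "", dev)
            for (i = 2; i <= NF; i++)
                if ($i ~ /^p[0-9]+$/) print "/dev/" dev $i
        }'
}

# Mount the first partition as vfat (the post formats the card FAT32),
# creating the mount point if needed. Returns non-zero when no partition
# appears in the log or the device node is missing, rather than running
# mount against a name that does not exist.
mount_first_mmc() {
    log=$1; mnt=${2:-/mnt/mmc}
    part=$(mmc_partitions "$log" | head -n 1)
    if [ -z "$part" ]; then
        echo "no mmcblk partition in kernel log; card not detected" >&2
        return 1
    fi
    [ -b "$part" ] || { echo "$part not present in /dev" >&2; return 1; }
    mkdir -p "$mnt" && mount -t vfat "$part" "$mnt"
}
```

On the router itself you would call it as `mount_first_mmc "$(dmesg)"` after the MMC tab has been enabled and the device rebooted.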



Sunday, May 9, 2010

File recovery from SD cards

I have had some very bad luck with SD cards and micro SD cards in the past. This is probably caused by the build quality of the cards I buy: normally I just get the cheapest I can find off www.dealextreme.com. As well as that, I never take good care of my gadgets, so when they do finally give up the ghost, I blame it on bad design on the manufacturer's part. On more than one occasion I have taken a good few pictures with my digital camera, only for the camera to report that the card "cannot be accessed". Normally when this happens, I have found that it's just a dodgy connection between the contacts on the micro SD card and the camera. By ejecting the micro-SD adapter and the micro-SD card from the adapter and putting the whole lot back together again, I've got the camera to read the card again. However, sometimes even this has failed to work. In these situations, the problem was normally caused by a corrupted file-system on the card. When you plug these cards into a PC or Mac using a card reader, the OS will tell you that the "Disk is not formatted" or "The disk is not initialised". I've had some pretty good success with data recovery software such as "Data Rescue II" at recovering the photos off these drives.

Now, a few days ago I was asked by a mate to have a look at an SD card that wouldn't talk to his camera. "Grand", I thought, "I'll just use some file recovery software to get the photos back". Unfortunately, it wasn't that easy. The card couldn't be read by either my own camera or my SD card reader. On my Mac, it showed up as a 1Mb drive that couldn't be read or even formatted using Disk Utility. Ubuntu couldn't mount it, and neither could Windows. Since I had nothing to lose, I decided to try something a little more drastic.

SD cards and USB flash drives usually consist of two main chips: the flash chip that contains the data, and a controller chip that does the communicating between the flash chip and the PC/device. Sometimes the controller chip can get damaged, resulting in an unreadable card, even though the actual data on the flash chip is fine. A few USB flash drive and SD card recovery websites offer file recovery by removing the flash chip from the device and reading the chip directly using a chip reader (http://www.sd-flash.com/ http://www.ssddfj.org/papers/SSDDFJ_V1_1_Breeuwsma_et_al.pdf).
A chip reader was out of my budget, so I thought I could try and use an old USB flash drive. If I removed the old flash chip from the USB drive and replaced it with the chip from the SD card, hopefully I could read the data again.

Removing the chip from the SD card was easier than you might think. The pitch of the TSOP flash chip is too small to solder each leg off individually. Instead, you can just flood the whole side of the chip with solder, and gently lift the chip up. The legs can then be cleaned of excess solder using solder braid. A similar method is used for soldering the chip to the USB flash drive's PCB. You just place the chip onto the footprint taken up by the old chip. Then, carefully solder one corner leg on each side of the chip into its correct position. Flood each side of the chip with solder. Then, remove the excess solder using the solder braid. Finally, check each leg of the chip and make sure that there are no visible solder connections between neighbouring legs.

Unfortunately, even after all this, the flash chip could still not be read by my laptop. Similarly to before, it showed up as an 8mb drive that could not be mounted/formatted on my Mac. From what I could see my soldering was fine, so my only conclusion is that either the flash chip itself is damaged, or else the controller chip on my USB drive wasn't compatible with the larger capacity flash chip from the SD card (1Gb and 4Gb respectively).

Wednesday, May 5, 2010

UPC Free Internet Giveaway Extravaganza

About two years ago, I first heard about a few smart UK folks getting free interwebs off their cable providers on the techwatch forums. At the time I thought it was a pretty nifty thing to try out here in Eire when I got the time. However, I forgot about this potential research project until I happened to come across a cheap NTL cable modem for sale.

The cable modem I bought was a Motorola SURFboard 5101e. I made a JTAG cable using the schematic shown here: http://i43.tinypic.com/15wnsk7.jpg, although you can also use the much simpler one at http://img255.imageshack.us/img255/4128/sb5100webstarblackcatou7.png (you can even omit the resistors if you want) or buy one for cheap off eBay: http://cgi.ebay.co.uk/Blackcat-JTAG-CABLE-MOTOROLA-SURFboard-SB5100-SB5101_W0QQitemZ330423060795QQcmdZViewItemQQptZPCC_Modems?hash=item4ceebfc93b. At the mo mine looks like the cat made it, but give me a week or two and I'll make a proper one.

I connected it all up, installed "JTAG utility 1.3 by ToM" on the PC, and flashed with haxorwarellrev39-LITE.bin (available in the downloads section of www.sbhacker.net), using the flashing directions that came with the file.

When it said "flashing complete", I rebooted the modem, went to 192.168.100.1, and was happy-out to be greeted with the haxorware web gui.

So I connected the modem up to the "TV" socket on the "NTL" labelled socket on the wall, and rebooted the modem. After searching for a bit (have a look in the top right corner of the web GUI or the overview page for the modem's status), it completed the following one after the other:

Acquire Downstream Channel Done
Obtain Upstream Parameters Done
Upstream Ranging Done
Establish IP Connectivity Done
Retrieve Time of Day Done
Negotiate security Done
Receive configuration Done
Register connection Done
Cable modem status Operational

However, further down the page, I noticed that the configuration file that the device received was called "cm_unknown.bin". So I went to the Addresses page of the web GUI, and bumped up the MAC address of both the Ethernet and the HFC by two places, i.e. "HFC: 34:34:34:34:34:34" became "HFC 34:34:34:34:34:36". I then clicked on save and reboot.

After doing this three times, the modem eventually received a "cm_express.bin" configuration file. Then I unplugged the Ethernet from my PC, waited a bit, plugged it back in, and noticed that the PC got a new IP address. Then I was able to connect to the internet.

I'm currently downloading at around 1mb (i.e., I get a full 700mb iso in about 5 min). I tried bumping up the HFC MAC address a few times, and managed to get a "cm_starter.bin" configuration file, but didn't notice any change in speed. I didn't spend much time messing around with this, but I'll still look into getting higher speeds. There is probably some configuration file for businesses or high-end connections that should let me do that. I'll keep you updated.

For good general information on how cable internet works and how to hack it, look for the "Haynes Cable Modem Manual" on Google. Just to note, when they say that you have to swap MAC addresses with someone else on a different network segment, this isn't the case with UPC Ireland, as they seem to have less security than NTL England.

Getting Meteor MMS, Data and Bluetooth tethering to work on an iPhone 2G

Getting my iPhone to work properly on Meteor has turned out to be a huge pain in the behind. When I first received the iPhone (about 18 months ago), I spent a good 2-3 hours trying everything from editing config files, rebooting the phone, etc. etc. to try and get it to talk to the Meteor MMS and data servers. Eventually I did get the data working, only to be stung by Meteor's really expensive pay-as-you-go data plan at the time: 99c a day for a few megabytes. So I disabled EDGE with BossPrefs and gave up....

However, a few things have changed lately that made me give it another go. First off, Meteor announced a new PAYG package: free Meteor-to-Meteor texts as well as 250mb data a month. 250mb is pretty poor, but for random browsing and push email, it should hopefully be adequate. Secondly, getting it to work on your iPhone 2G has become a lot easier on iPhone OS 3.1.2: no SSHing, SCPing or editing config files is needed. So I decided to give it a shot:

  1. Fire up Cydia and go to "Manage->Sources->Edit->Add" and add this repository: hxxp://cydia.iphonemod.com.br/ (replace the "xx" with "tt").
  2. Click on "Done" and click on the iphonemod repository
  3. Install "iPhone 2G: Tethering, MMS, bluetooth profile"
  4. Restart your iphone
  5. Go back into Cydia and install the "Meteor Carrier Bundle"
  6. Exit Cydia, go into "Settings->Network->Cellular Data Network-> Reset Settings"
  7. Go to "network->settings->internet tethering" and click to enable it.
  8. Restart the iphone again.
MMS or data still wouldn't work for me. However, after messing around for a while, I noticed that EDGE was still disabled in the app BossPrefs. So I enabled it and restarted the phone yet again. Finally, EDGE was working. When I connected the phone up to my MacBook by the USB cable, tethering was also working. However, MMS was not. That required another few steps:

  1. Go into "Settings->Messages" and click on "MMS Messaging" to disable it.
  2. Go back into "Settings->Messages" and click on "MMS Messaging" to enable it again.
Woohoo, finally, MMS was working. You can test it out for yourself by sending yourself a picture message using the new camera icon in the message composer. I'm not a fan of MMS tbh, 30 cent a message is too spicy for my student pockets, but for drunken mates' pictures or faking music festival wristbands (more on that later), it could prove useful.

Still to do: folks on T-Mobile over in the Americas are reporting that they are able to get free data by changing their data APN address to a proxy compatible with the carrier network. I will have to try and see if this works on any of the Irish carriers.

Stay frosty.