Saturday, March 23, 2013

Repairing an Oxygen/Lambda sensor on a Toyota Yaris

The orange engine error light
For the last year or so an orange engine error light had been showing on my 2001 1.0L Toyota Yaris. Even though the car seemed to run the same as normal, and was properly serviced, the small orange light kept nagging at me, glowing in the corner of the dashboard console while I was driving. Not wanting to pay a garage to repair the fault, I decided to try and tackle the issue myself.

[Image: CAN<->Bluetooth adapter and Torque Pro running on a Google Nexus]
The orange light comes on whenever the vehicle's Engine Control Unit (ECU, the car's inbuilt computer) detects a fault with the vehicle. To find out what issue the light is indicating, you have to read the error code produced by the ECU on the CAN bus of the vehicle (the CAN bus is akin to a USB network that runs through the vehicle). To help mechanics read these fault codes, vehicle manufacturers leave a connection point to the CAN bus somewhere within easy access in the vehicle. On the Yaris this is located at the top of the driver's footwell. This connection point is a large connector called an OBD connector. Mechanics can buy CAN to USB converters to connect the vehicle to a PC and, using suitable PC software, read the error code off the vehicle. These adapters and software can run anywhere from a couple of euros for the most basic generic adapter with free software, to a couple of thousand for standalone readers that are specific to particular brands and error codes of vehicles.
[Image: The CAN<->Bluetooth adapter (top of footwell) with the Nexus pad]

As I wanted to repair this fault the cheapest way possible, I went onto eBay and bought a CAN to Bluetooth adapter for about 15 euros. I also downloaded a great piece of software called "Torque Pro" for my Google Nexus Android pad that can interface with the adapter for reading and resetting error codes.

Plugging the adapter into the OBD connector and pairing it with the Nexus, I was able to run Torque Pro and read the error code. The code that was shown was "P0141 - Powertrain O2 Sensor Heater Circuit (Bank 1 Sensor 2)". Googling this error code informed me that the Yaris has two O2 sensors on the exhaust of the vehicle. One sits before the catalytic converter, and one after the catalytic converter to make sure that it is doing its job correctly. These sensors have an inbuilt heater that heats the sensor up to its correct working temperature when the vehicle is started. In my case, the sensor after the catalytic converter had burnt out its heater circuit, leading to the error reported by the ECU. Using the "Haynes repair manual" for the Toyota Yaris, I was able to successfully locate and remove the broken sensor. After another browse on eBay, I was able to source a second-hand sensor for 30 euros, a much cheaper price than the 150 euros I was quoted for a new one from a Toyota dealership. I replaced the O2 sensor and powered up the engine.
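Torque Pro shows the decoded "P0141" string, but what the adapter actually hands back is a pair of raw bytes per fault code. The following is an added example (not code from this post, from Torque or from the adapter's own firmware) that decodes those bytes into the familiar P/C/B/U form; it assumes the hex text an ELM327-style adapter returns for a Mode 03 request in the CAN (ISO 15765-4) layout, a count byte followed by two bytes per code.

```python
"""Decode OBD-II diagnostic trouble codes (DTCs) from a Mode 03 response.

Assumed wire format (ISO 15765-4 style): '43', a DTC count byte, then one
2-byte pair per DTC. Each pair packs the code as follows:
  bits 7-6 of byte 1: system letter (00=P, 01=C, 10=B, 11=U)
  bits 5-4 of byte 1: first digit (0-3)
  bits 3-0 of byte 1: second digit (hex)
  byte 2:             third and fourth digits (hex)
"""

SYSTEM_LETTERS = "PCBU"


def decode_dtc(hi: int, lo: int) -> str:
    """Turn one 2-byte DTC into its text form, e.g. (0x01, 0x41) -> 'P0141'."""
    if not (0 <= hi <= 0xFF and 0 <= lo <= 0xFF):
        raise ValueError("DTC bytes must be in 0..255")
    letter = SYSTEM_LETTERS[hi >> 6]
    first = (hi >> 4) & 0x3
    second = hi & 0xF
    return f"{letter}{first}{second:X}{lo:02X}"


def parse_mode03(response: str) -> list:
    """Parse the hex text of a Mode 03 reply and return the decoded DTCs.

    Malformed input (wrong mode byte, truncated frame) raises ValueError
    rather than silently returning a partial list.
    """
    data = bytes.fromhex(response.replace(" ", ""))
    if len(data) < 2 or data[0] != 0x43:
        raise ValueError("not a Mode 03 response")
    count = data[1]
    pairs = data[2:]
    if len(pairs) < 2 * count:
        raise ValueError("frame shorter than the advertised DTC count")
    codes = []
    for i in range(0, 2 * count, 2):
        hi, lo = pairs[i], pairs[i + 1]
        if hi == 0 and lo == 0:
            continue  # 00 00 is padding, not a stored code
        codes.append(decode_dtc(hi, lo))
    return codes


if __name__ == "__main__":
    # Constructed sample reply carrying the single code the post describes.
    sample = "43 01 01 41"
    print(parse_mode03(sample))  # ['P0141']
```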
[Image: Resetting the error codes after the fault has been repaired]
[Image: Reading the error codes]
[Image: An error of "P0141 - Powertrain O2 Sensor Heater Circuit (Bank 1 Sensor 2)" is shown in Torque]
[Image: The tools of the job]
[Image: The new O2 sensor is fitted in place]
At first I was confused to still see the orange error light on the console of the vehicle. However, after a bit of playing around with the app on the Nexus tab, I was able to find a menu to reset the error codes on the vehicle. After turning the ignition of the vehicle on and off again, I was happily not greeted by the orange warning light. So all in all the whole operation cost me around 60 euros, as I just had to buy the CAN adapter, the Android app, and the replacement O2 sensor. Not too bad a saving if I say so myself.

[Image: No more warning light!]

Saturday, July 14, 2012

A guide on what to check on a second-hand iPhone before buying.


After trading in iPhones and doing iPhone repairs for a few years, I have often come across some phones in mint condition, and some right lemons. As such, I've compiled a list of a few things to keep an eye out for when you go to buy an iPhone second-hand, in particular when you are buying an iPhone off a dodgy lad in trekkies in an even dodgier neighbourhood.

Tools you will need to bring with you:

  1. A sim card on a network that the phone will accept (if the phone is unlocked, you can bring any network sim card). 
  2. A sim card removal tool, such as a paperclip or a thumbtack. 
  3. Optional: A small torch
  4. Optional: A second iphone, to enable a "wifi hotspot" with. 
  5. Optional: A set of headphones
How to check if the iPhone is functioning fine (these are in descending order of importance):
  1. Put in a SIM card (make sure it's a micro SIM card for the iPhone 4), ring someone, and ask them to ring you back. This tests the ringer, speaker, microphone, network signal, and most importantly, whether the phone is blocked.
  2. Hold your finger down on an icon to move it, and move it all around the screen. If it springs away from you at the same point repeatedly, then the digitizer may be damaged.
  3. Take a picture. This checks the camera.
  4. Turn silent switch to speaker and then switch it back to vibrate. If the phone doesn't vibrate, then either the vibrator is bad or the switch is bad.
  5. If available, check to see if wifi is working by making a search for networks nearby. If you have a second iphone, you could enable "hotspot" and see if you can find that.
  6. Press the on/off button to see if it wakes and goes into sleep to ensure that the button is working correctly. 
  7. Press the home button to go to SpringBoard (the normal background) a few times to ensure it's working correctly and isn't stuck.
  8. Check the water damage indicators with a small torch: http://support.apple.com/kb/ht3302
  9. Plug in headphones, and ring someone, and have a quick conversation. This checks the headphone jack. 
  10. Change the volume up and down. Check if the volume icon changes accordingly on the screen. This checks the volume buttons. 
  11. Remove any screen protector or case. Look at the cosmetic condition. Look for scratches on screen, back, scuffing on the trim, cracks near earphone jack and charger. 

Friday, November 25, 2011

Using SAM to officially activate an iPhone and receive valid Push Certificates.

As mentioned in the last post, Push notifications (as used by the Facebook app, or Find My iPhone) on the iPhone rely on valid and unique certificates on the iPhone that are tied to that particular iPhone's UUID number. These certificates are handed out by the Apple servers when a phone is first activated through iTunes, and when the first app that uses push notifications is run. As such, a “hack-tivated” iPhone does not have valid certs, resulting in Push not working, the iPhone quickly draining its battery as it continuously contacts the Apple servers with invalid certs, or both. To get valid certificates, you will need to do the following:
  1. Follow the guide available here:
  2. I got an “invalid sim” error in iTunes when I went to try and activate the iPhone. There is a way around this by specifying the original carrier that the phone is locked to in the SAM Prefs settings. However, if, like me, you don't know which carrier the iPhone is originally locked to, and you are unsuccessful in getting your phone activated in this way, you can do the following:
  3. Go to Settings->About->Model, and make a note of the model number.
  4. Go to http://forum.gsmhosting.com/vbb/archive/t-1007919.html and look up the model number to see which carrier the iPhone was originally on.
  5. Under Settings->SAM, click on “method”, and change it to country and carrier. Then under “method” you should enter the original carrier and country details. If even that doesn't work, change back to “automatic” and it should work.
  6. Install an application that uses Push to finalise the process. You can download “iPusher” from the App Store, or “Push Checker” from Cydia (add the http://cydia.pushfix.info repo) to test if your push notifications are working.
  7. If iPusher reports an error, make sure that the iPhone is disconnected from the computer, go to Settings->SAM->Utilities and click on “Backup activation”. Then wait a minute, and click on “Restore Activation”. Restart the iPhone, and connect it up to iTunes again. Run iPusher or Push Checker again and you should have valid and unique certificates.
  8. To back up your certificates, you can use the guide here: http://modblog101.wordpress.com/2010/03/07/how-to-backup-your-push-certificates/


This will allow you to restore the official push certificates back onto the iPhone again if you restore the iPhone in future.

How to get Push notifications working properly on your iPhone.

Push notifications (as used by the Facebook app, or Find My iPhone) on the iPhone rely on valid and unique certificates on the iPhone that are tied to that particular iPhone's UUID number. These certificates are handed out by the Apple servers when a phone is first activated through iTunes, and when the first app that uses push notifications is run. As such, a “hack-tivated” iPhone does not have valid certs, resulting in Push not working, the iPhone quickly draining its battery as it continuously contacts the Apple servers with invalid certs, or both. To get valid certificates, you have three choices:
  1. Get valid certificates using “Push Doctor” from Cydia. A guide is available here: http://www.redmondpie.com/fix-push-notifications-on-iphone-3.1.3-hacktivated-unlocked-9140492/. I have had great success with this method, and am very grateful to them for giving out the valid certificates for free. Unfortunately it is becoming increasingly rare to find valid certificates on the server to grab. You will get an error during the installation if there //www.cmdshft.ipwn.me/blog/?p=791 and checking the “remaining” counter on the left hand side.
  2. You can also pay for valid certificates using PushFix. First pay the $6 at the PushFix website here: http://www.pushfix.info/purchase, and then install PushFix from Cydia using the guide here: http://www.pushfix.info/forum/viewtopic.php?f=4&t=39. I have had mixed results with this method. Although I did get valid certificates on my iPhone and thus Push notifications worked, the battery began to drain very quickly. I have my suspicions that the certificates handed out by PushFix are not unique, causing the iPhone to keep trying the Apple Push servers until it gets a response, which is especially shitty considering they are charging money for them.
  3. The other option is to return the iPhone to a pre-activated state, and get an official activation and thus Push certificates by using iTunes to activate it. In the next post, I'll outline just how to do that.

How to restore an iPhone that is stuck in DFU/recovery mode


I was given an iPhone 3GS on iOS 4.3.3, baseband 6.15.00 that required a restore to delete all the user's data before they resold it. Now, as many of you reading this know, you can't just click "restore" in iTunes on a jailbroken or unlocked iPhone, as iTunes will restore the iPhone with the latest iOS software, removing the unlock and the jailbreak from the device. So I put the device into DFU mode and attempted a manual restore (ctrl-click or alt-click on restore in iTunes) of a 4.3.3 firmware to the device. I then went off for a cup of tea. Unfortunately, when I returned, the iPhone's screen was black, and iTunes was reporting an error. It wouldn't even charge from a wall adapter. The phone was also unresponsive to a hard reset (hold down the home and on/off buttons for 15 seconds). The "exit recovery" button in the application TinyUmbrella wouldn't work, and I had no SHSH blobs for the iPhone saved locally. However, it would show up as an "iPhone in recovery mode" in iTunes. After a good bit of trial and error, I finally got it working again.
  1. First off, you will need to get the iPhone's ECID. On the Mac, click on the little Apple logo in the top left corner and then “About this Mac”. Then click on “more info” and then “system report”. Click on “USB” in the top left and then on the iPhone. Look for “ECID”, and the number should be beside it. (You may need to have the iPhone in DFU mode for this number to show up.)
  2. Power up TinyUmbrella. Click on Manual ECID, and enter the one that you got from the previous step. Click on the newly added iPhone on the left and then “Save ALL SHSHs”. If you click on the log, it should tell you if it finds any previously backed up SHSH blobs on the Cydia server. If it doesn't, you may be able to use “iFaith” to recover the current SHSH blob on the iPhone.
  3. If TinyUmbrella does find an SHSH blob on the server, it will save it to your local drive. If you click on the iPhone on the left, under the general tab, you should see a list of firmwares that the SHSH blob has been saved for. Make a note of one that you wish to restore your iPhone to.
  4. Download the corresponding firmware for your iPhone off the internet (Google is your friend). If you wish, use PwnageTool to customise the firmware to your liking (unlock your phone, etc.).
  5. Go back to TinyUmbrella. Click on “Start TSS Server”. This will enable TinyUmbrella to serve the SHSH blob(s).
  6. Open iTunes. Under the iPhone menu, alt-click (or ctrl-click) on “restore” and select your firmware. Follow the instructions. If you have TinyUmbrella open in the background, click on “log”, and you should see iTunes requesting the SHSH blob and TinyUmbrella returning the blob.
  7. If during the restore you get a “10**” error in iTunes, use TinyUmbrella to exit the phone out of recovery mode.
  8. Congratulations, the phone should be working now. If the phone needs to be jailbroken, activated or unlocked at this stage, you can use redSn0w along with the firmware file.

Saturday, April 30, 2011

Recovering an Xbox 360 from a bad NAND flash

Many moons ago, I bought an Xbox 360 for cheap that I was hoping to hack to play homebrew games on. A hack was discovered for Xbox 360s ("the JTAG hack") that allowed them to run unsigned code on the consoles. However, Microsoft released a software update that permanently stopped this hack, and stopped the consoles from being downgraded to an earlier, hack-friendly software version. They did this utilising "efuses", developed by IBM for the 360's Xenon CPU. IBM had originally developed efuses as a method to "reroute chip logic, much the way highway traffic patterns can be altered by opening and closing new lanes". The idea was that a chip could regulate speed or power consumption issues by simply tripping a fuse, or more impressively, "repair unexpected, potentially costly flaws".

Microsoft, who had one of the first implementations of this technology, had a more sinister plan when it utilised these efuses. Microsoft were "blowing" efuses after a significant software/kernel update. This would prevent hackers from downgrading to a previous version of the Xbox OS and exploiting potential bugs. The console's security measures relied on the status of these efuses; attempt to run an older software revision, and those checks would fail. Therefore only Xbox 360s that had kernel version 2.0.7371.0 or below could be exploited with the JTAG hack.

So if I just don't update the software on my JTAG-hacked Xbox 360, I will be fine, right? -> No, unfortunately it's not that simple. I wanted to play the new "Portal 2" game on the Xbox. When I went to try and play the game, I just got a blank screen. After reading up a bit, it turns out that the newer games require the newer software/kernel/dashboard on the Xbox. The newest in this case was dashboard version 12625. Well, I can't update the dashboard as this will blow the efuses, thus breaking my JTAG hack, so what to do?
Well, as it turns out, another hack was discovered a while ago called a "re-booter". To put it simply, this allows you to upgrade your dashboard to the latest version while still keeping your JTAG hack. The latest version is employed in a piece of software called "Easy Freeboot 5.10". So to get your JTAG-hacked Xbox running the latest dashboard, you will need to do the following:

First off, you will need to disable the ability for Microsoft to burn the efuses. This is done by removing a resistor labelled R6T3 on the motherboard that supplies the power to burn the efuses, or disabling it as shown in the image.
 
Then, upgrade the dash by following the same guide here:
http://www.instructables.com/id/How-to-JTAG-your-Xbox-360-and-run-homebrew/

...until you get to step 6. Instead of doing this step (where you put an older dashboard on the Xbox), download a program called Easy Freeboot 5.10. This program will create a NAND image that has the newest dashboard on it (it will only run on Windows Vista/Windows 7). You will need your CPU key and original NAND for this. Once you have created your newNAND image, just flash it onto the Xbox using the command:

nandpro lpt: -w16 newNAND.bin

(taken from the Instructables guide). Because of the speed of the parallel port, it usually takes anywhere between 30 min and 90 min to flash the Xbox.

Overall, it's not too difficult, just a bit of work. The only really important step is to make sure that you get a good NAND dump before you put the replacement on it. You should then have the latest dashboard on your Xbox 360.


Except that, the first time around, it didn't work for me. Because of a bad flash (probably caused by a loose cable and moving the Xbox while it was being flashed), the memory on the NAND was corrupted. When I tried to turn on the Xbox, it wouldn't even power up. I knew I needed to reflash the NAND chip, except that it wasn't being recognised by nandpro now. According to this guide, I needed to reset the NAND chip. Unfortunately, after numerous attempts, I could not get either method in the guide to work. In the end, I tried running the command to erase the NAND:

nandpro lpt: -e16 0 400 

over and over again while plugging in the Xbox 360. I was hoping to catch the NAND chip just as it was powering up. After another couple of attempts, it recognised the chip, and began to erase it. Then it was just a simple case of flashing the newNAND image to the Xbox again with the command:

nandpro lpt: -w16 newNAND.bin

When it was done, I unplugged the Xbox for a minute, put it all back together, turned it back on, and was greeted by the new dashboard splash screen! As well as that, Portal 2 ran without any issues.

Tuesday, August 10, 2010

Unbricking a Belkin Wireless Router

I have been doing a good deal of messing with OpenWRT the last few weeks, trying to get a better grasp of embedded Linux and Linux in general. I have had good success in the past installing and modifying OpenWRT on FON and Linksys routers. However, I had some issues with trying to install it on my cheap and cheerful Belkin F5D9230 router. Firstly, I tried to install it by uploading the firmware image for the Airlink router (they have similar hardware specifications) with the guide here:

  • 1) Go to the router config page (ex. https://192.168.2.1/), log in, and then go to ver.htm (ex. https://192.168.2.1/ver.htm).
  • 2) Set firmware header checking to 0, apply, and wait for it to reboot.
  • 3) Use the firmware upgrade page to upload the OpenWrt firmware intended for the Airlink AR525W (ex. openwrt-rdc-squashfs-ar525w.img). Do not use the -web.img version.
  • 4) OpenWrt should be working after it reboots. 
Unfortunately, this did not work. So then I cracked open the router and soldered some jumper wires onto the serial header on the router's motherboard. This allowed me to access the router's console using my trusty Nokia serial cable. The connections were as follows:
[   ] [RX   ] [       ] [       ] [TX   ]
       [GND1] [GND2] [Vcc1] [Vcc2]

The serial settings are 38400, 8, N, 1, no flow control. Using this, I was able to view the boot sequence of the router:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05


...and so on. From here, I was able to see that it was using RedBoot for its boot environment. Restarting the router again, I got a RedBoot prompt by pressing Ctrl+C (there is only about a one-second window, so you have to be fast). In the serial console I typed:
tftpd
Then on the laptop I flashed it with OpenWRT Kamikaze (8.09.2, r18961) using the openwrt-rdc-squashfs-ar525w.img TFTP method outlined here. It booted up fine, and everything worked except wireless. It turned out that this was because the Kamikaze 8.09 kernel had very little support for the wireless chipset driver needed by the Belkin router. So I flashed over a newer OpenWRT Backfire 10.03 image. But this firmware would not even boot up properly:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05

# Activate RDC-Keilven's RS232 Patch V2
RedBoot> @
** Error: Illegal command: ""
RedBoot>
# Kernel size = 851936 bytes
# FW size = 2686980 bytes

# fwcheck: base = 0x00400000, size = 0x00000400
# Firmware Checksum O.K
# Kernel copying......BEGIN
# Kernel copying......FINISH

mem_size: 1000000


...and then it would hang. It turns out that there is a bug in the compiled version of OpenWRT for devices that use the RDC processor, which includes the Belkin F5D9230 v4. At this stage I gave up, because I really needed to get this router working for the home network. At this stage it was bricked, as I could not get it working at all. So I set about trying to install the old Belkin software back onto the router.
This was not as straightforward as it sounds. For starters, there was no web interface, so I could not upload an official Belkin image downloaded off their website. Secondly, when I tried just to TFTP the official image over to the router, RedBoot would balk:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05

# Activate RDC-Keilven's RS232 Patch V2
RedBoot> 0^C
RedBoot> ^C
RedBoot> ^C
RedBoot> ^C
RedBoot> tftpd
# Dante's tiny tftpd is ready......
WRequest from 192.168.1.100: [f5d9230-4v3_uk_3.01.53.bin, octet]

# Error: invalid magic


What the duck does "Invalid Magic" mean? It must be in relation to the magic numbers used in the header of a file to identify what type of file it is. After having a wee think about this, I thought that RedBoot must be doing some kind of checking of the firmware. Delving a bit deeper, it turns out that we need to strip off some header information on the official Belkin firmware file to get at the firmware image that RedBoot expects. So I did the following on the terminal on the laptop:

dd if=input.bin of=output.bin bs=1 skip=X count=Y

Where X is the number of bytes you want to remove from the beginning, and Y is the number of bytes you want to copy after skipping them (anything past X+Y is dropped from the end of the file).

Suppose you have a binary file which is 100 bytes in size and you want to remove the first 10 bytes and the last 5 bytes, obtaining an 85-byte output.
The value of X will be 10, while the value of Y will be 85 (=100-10-5). You can find the file size with a simple "ls -l" or "wc -c" command. In our case, we wish to remove the first 8 bytes of the file. Then TFTP over the edited file as normal:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05



# Activate RDC-Keilven's RS232 Patch V2
RedBoot> ^C
RedBoot> ^C
RedBoot> ^C
RedBoot> ftfpd
** Error: Illegal command: "ftfpd"
RedBoot> tftpd
# Dante's tiny tftpd is ready......
WRequest from 192.168.1.100: [f5d9230-4v3_uk_3.01.53-edit.bin, octet]

# Firmware Checksum O.K
# DFLASH: SRC=0x00400000, DST=0xFFC00000, LEN=0x0022A520
# Decide to use AMD/Fujitsu Standard command set.
# MFG ID = 0x007F, DEV ID = 0x22F6
Flash size = 4 MB
# Erasing...................................
# Writing...................................
# Finishing successfully...
# Firmware Upgrade Finished, and shotdown the TFTPD......
RedBoot> reset

And lo and behold, after restarting, the router worked successfully. I have the edited firmware file available if anyone wants it.