Saturday, March 23, 2013

Repairing an iPad 2 that won't charge

In general, I have found any Apple hardware that I have used to be pretty robust little things. I am notorious for not taking care of my stuff: my iPhone is kept in the same pocket as my car keys and is coverless, my iPad is thrown in my schoolbag with my charger and bottles of drinks, and my MacBook, being my pride and joy, has taken more knocks than Rihanna. In general, I don't believe that I should have to modify these devices with protective covers, or adjust my ways by changing how I transport them. To me, that would be a consequence of bad design of the product. This is one of the reasons I enjoy Apple devices as they are normally pretty robust to the way I use them.

However, every now and again one of them breaks or malfunctions due to the way that I use them. In this case, my iPad. I do a lot of programming on my iPad. In fact, it is the only way that my iPad gets used: It is continuously plugged into my laptop for developing apps with Xcode. As such, the battery is nearly always kept at 100% charge and is never power cycled. This leads to a problem, which (in my opinion) is caused by the following:

Back in the NiCd days of batteries, which were used in everything from laptops to telephones and power tools, batteries had to be charged fully, then drained fully before the next charging to give the batteries a long life. If you did not do this, they suffered from what was called a "memory effect" where crystals would grow on the anode and result in a diminished capacity of the batteries.

The Li-ion batteries of today do away with this memory effect. No longer can these crystals grow to shorten the lifespan from intermittent charging. The batteries can be pretty much charged when and for as long as you like without a significant shortening of their lifespan. Another battery technology that was introduced around the same time was battery management circuitry. These little chips sit in the battery packs and record how much charge goes into the battery during charging, and how much charge goes out of the battery while it is in use. This is useful, as when the chip detects that the battery is taking in no more current while it is on charge, it knows that the battery has reached "100%" charge. Similarly, when the battery cannot produce any more current during use and the voltage drops, it has reached "0%" charge. By keeping a running tally of how much current has left the battery since the last charge, the battery can report to the device how much charge is left in the battery. As such, this technology enables the device to inform you pretty accurately of what percentage charge is left on your device.

The battery management circuitry can also do some other neat tricks such as faster charging times. By knowing that the battery is near 0% charge, it knows that it can take a large amount of current in a short time to take it close to the 90% level, and then reduce the current to "trickle charge" it closer to the 100% mark. This lowers the charging time of the battery while keeping the battery safe from overheating.

However, this technology is not without its flaws. It can re-introduce a similar problem to the NiCd "memory effect". When the battery management's running tally of the battery charge becomes out of sync with the actual charge of the battery, it can lead to some strange results. It can refuse to charge the battery, thinking that the battery is at full capacity already, when the battery is not. This can happen when it cannot measure the complete discharge or charge current that the battery can take. This can be caused by the device being left on charge for long periods of time, keeping the battery at 100% indefinitely.

This is what happened to my iPad. On one or two occasions it would indicate a certain charge level, say for example "4%". No type of charger would bring it past "4%". All I could do was unplug it and watch the level drop as I used it. No matter if the level was at 3% or 2% or 1%, plugging in the charger would say "Charging", but the percentage level would not increase.

To repair this, I assumed that I would have to let the battery drain itself completely. COMPLETELY. Not at the "you have 10% battery left" level, and not at the "red battery warning symbol" level (see first image). This iPad had to be drained so much that it would be unresponsive when I clicked on the home button or the power on/off button.  This had to be done so that the battery management circuit would know for sure that there was 0% charge left in the battery by the large drop in voltage.

So I had three options. One was to leave the iPad in a drawer for a few days until it drained itself. However, this was not possible as I needed it for work the next morning. The other option was to open the iPad and drain the battery directly using a suitable load. However, iPads are very difficult to open without damaging the glass display. The final option was to keep pressing the power button so that the screen would light up and display the red battery symbol, and keep doing this until the iPad hadn't enough power to do it anymore.

Specs of motor from microwave oven
Motor from microwave oven
Now, I could either keep pressing the on/off button myself and go mad from the boredom (this could take hours), or I could come up with an automatic way. Choosing the latter, I needed a motor that rotated at a slow enough rate to press the power button at 5-10 second intervals.

I broke apart an old microwave oven and salvaged the 220 V motor that rotates the glass plate around inside. Taking the necessary safety precautions, I soldered a lead and a plug to the motor and insulated the contacts using some polymorph plastic. Using copious amounts of insulating tape, I mounted the motor just above the power switch in such a way that the teeth of the small gear on the motor would press and depress the power button as it rotated around. Once I had it taped in the correct position, I left the iPad and the motor running overnight. You can see a video of the iPad and motor in action here. Note that I also taped down the home key with some insulating tape and a small coin, hoping that this would also aid the discharging process.


The microwave oven motor in place above the power on/off switch

When I picked up the iPad in the morning, the iPad was as dead as a dodo. No amount of clicking the home key or the power on/off key would wake it. I plugged the iPad into the official charger and sure enough, about 30 min later, the charging symbol came up on the screen. Then the iPad woke, and the charging battery percentage began to climb! I was delighted. To make sure that everything was working as it should, I put the iPad through a few charge cycles before using it again as normal.

Just to note, Apple warn you on their website to discharge your iPad and charge it fully at least once a month. I will be taking heed of this warning in future.



The motor successfully turning the iPad on and off continuously. 





Repairing an Oxygen/Lambda sensor on a Toyota Yaris

The orange engine error light
For the last year or so an orange engine error light came up on my 2001 1.0L Toyota Yaris. Even though the car seemed to run the same as normal, and was properly serviced, the small orange light kept nagging me, glowing in the corner of the dashboard console while I was driving. Not wanting to pay for a garage to repair the fault, I decided to try and tackle the issue myself.

CAN<->Bluetooth adapter and Torque Pro running on a Google Nexus
The orange light lights on the console whenever the vehicle's Engine Control Unit (ECU, the car's inbuilt computer) detects a fault with the vehicle. To find out what issue the light was indicating, you have to read the error code produced by the ECU on the CAN bus of the vehicle (the CAN bus is akin to a USB network that traverses through the vehicle). To help mechanics read these fault codes, vehicle manufacturers leave a connection point to the CAN bus somewhere within easy access in the vehicle. On the Yaris this is located at the top of the driver's footwell. This connection point is a large connector called an OBD connector. Mechanics can buy CAN to USB converters to connect the vehicle to a PC and, using suitable PC software, read the error code off the vehicle. These connectors and software can run anywhere from a couple of euros for the most basic generic adapter with free software, to a couple of thousand for standalone readers that are specific to particular brands and error codes of vehicles.
The CAN<->Bluetooth adapter (top of footwell) with the Nexus pad

As I wanted to repair this fault the cheapest way possible, I went onto eBay and bought a CAN to Bluetooth adapter for about 15 euros. I also downloaded a great piece of software called "Torque Pro" for my Google Nexus Android pad that can interface with the adapter for reading and resetting error codes.

Plugging the adapter into the OBD connector and pairing it with the Nexus, I was able to run Torque Pro and read the error code. The code that was shown was "P0141 - Powertrain O2 Sensor Heater Circuit (Bank 1 Sensor 2)". Googling this error code informed me that the Yaris has two O2 sensors on the exhaust of the vehicle. One sits before the catalytic converter, and one after the catalytic converter to make sure that it is doing its job correctly. These sensors have an inbuilt heater that heats the sensor up to its correct working temperature when the vehicle is started. In my case, the sensor after the catalyst had burnt out its heater circuit, leading to the error reported by the ECU. Using the "Haynes repair manual" for the Toyota Yaris, I was able to successfully locate and remove the broken sensor. After another browse on eBay, I was able to source a second hand sensor for 30 euro, a much cheaper price than the 150 euros I was quoted for a new one from a Toyota dealership. I replaced the O2 sensor and powered up the engine.
Resetting the error codes after the fault has been repaired
Reading the error codes


An error of "P0141 - Powertrain O2 Sensor Heater Circuit (Bank 1 Sensor 2)" is shown in Torque.
The tools of the job
The new O2 sensor is fitted in place
At first I was confused to still see the orange error code on the console of the vehicle. However, after a bit of playing around with the app on the Nexus tab, I was able to find a menu to reset the error codes on the vehicle. After turning the ignition of the vehicle on and off again, I was happily not greeted by the orange warning light. So all in all the whole operation cost me around 60 euros, as I just had to buy the CAN adapter, the Android app, and the replacement O2 sensor. Not too bad a saving if I say so myself.


No more warning light!
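How a code such as P0141 is packed into the two bytes an ECU returns for the standard "read stored trouble codes" request (service 03), as an added example that is not part of the original post or of Torque Pro. The sample replies are constructed, the function names are hypothetical, and which of the two layouts applies depends on the protocol the adapter negotiated with the car.

```python
"""Decode OBD-II trouble codes from a service 03 ("read stored DTCs") reply."""

SYSTEMS = "PCBU"  # Powertrain, Chassis, Body, network (U)

# The only description included is the one quoted in the post.
DESCRIPTIONS = {"P0141": "O2 Sensor Heater Circuit (Bank 1 Sensor 2)"}


def decode_dtc(hi, lo):
    """Convert the two raw bytes of one DTC into its five-character form."""
    system = SYSTEMS[hi >> 6]      # bits 7-6: which vehicle system
    origin = (hi >> 4) & 0x3       # bits 5-4: 0 = generic, 1 = manufacturer
    return "%s%d%X%02X" % (system, origin, hi & 0xF, lo)


def parse_service03(reply_hex, count_byte=False):
    """Return the list of DTCs carried in one positive reply.

    count_byte=False: legacy layout, 0x43 then 2-byte slots padded with 00 00.
    count_byte=True:  CAN layout, 0x43, a count byte, then that many DTCs.
    """
    data = bytes.fromhex(reply_hex)    # spaces between byte pairs are ignored
    header = 2 if count_byte else 1
    if len(data) < header or data[0] != 0x43:
        raise ValueError("not a positive reply to service 03")
    if count_byte:
        count = data[1]
        body = data[2:2 + 2 * count]   # ignore any frame padding after the DTCs
        if len(body) != 2 * count:
            raise ValueError("reply is shorter than its count byte claims")
    else:
        body = data[1:]
        if len(body) % 2:
            raise ValueError("reply ends in the middle of a DTC")
    return [decode_dtc(body[i], body[i + 1])
            for i in range(0, len(body), 2)
            if body[i] or body[i + 1]]  # 00 00 marks an empty slot


def describe(code):
    """Attach the description from the table above, if there is one."""
    return "%s - %s" % (code, DESCRIPTIONS.get(code, "(not in this table)"))


# Constructed sample replies, not captured from a vehicle.
LEGACY_REPLY = "43 01 41 00 00 00 00"
CAN_REPLY = "43 01 01 41"

if __name__ == "__main__":
    for reply, is_can in ((LEGACY_REPLY, False), (CAN_REPLY, True)):
        for code in parse_service03(reply, count_byte=is_can):
            print(describe(code))
```
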













Saturday, July 14, 2012

A guide on what to check on a second hand iPhone before buying.


After trading in iPhones and iPhone repairs for a few years, I have often come across some phones in mint condition, and some right lemons. As such, I've compiled a list of a few things to keep an eye out for when you go to buy an iPhone second hand, in particular for when you are buying an iPhone off a dodgy lad in trekkies in an even dodgier neighborhood.




Tools you will need to bring with you:

  1. A sim card on a network that the phone will accept (if the phone is unlocked, you can bring any network sim card). 
  2. A sim card removal tool, such as a paperclip or a thumbtack. 
  3. Optional: A small torch
  4. Optional: A second iPhone, to enable a "wifi hotspot" with. 
  5. Optional: A set of headphones

How to check if the iPhone is functioning fine (these are in descending order of importance):
  1. Put in a sim card (make sure it's a micro sim card for the iPhone 4), ring someone, and ask them to ring you back. This tests the ringer, speaker, microphone, network signal, and most importantly, if the phone isn't blocked. 
  2. Hold your finger down on an icon to move it, and move it all around the screen. If it springs away from you at the same point repeatedly, then the digitizer may be damaged.
  3. Take a picture. This checks the camera.
  4. Turn silent switch to speaker and then switch it back to vibrate. If the phone doesn't vibrate, then either the vibrator is bad or the switch is bad.
  5. If available, check to see if wifi is working by making a search for networks nearby. If you have a second iPhone, you could enable "hotspot" and see if you can find that.
  6. Press the on/off button to see if it wakes and goes into sleep to ensure that the button is working correctly. 
  7. Press home button to go to SpringBoard (the normal background) a few times to ensure it's working correctly and isn't stuck.
  8. Check the water damage indicators with a small torch: http://support.apple.com/kb/ht3302
  9. Plug in headphones, and ring someone, and have a quick conversation. This checks the headphone jack. 
  10. Change the volume up and down. Check if the volume icon changes accordingly on the screen. This checks the volume buttons. 
  11. Remove any screen protector or case. Look at the cosmetic condition. Look for scratches on screen, back, scuffing on the trim, cracks near earphone jack and charger. 







Friday, November 25, 2011

Using SAM to officially activate an iPhone and receive valid Push Certificates.

As mentioned in the last post, Push notifications (as used by the Facebook app, or Find My iPhone) on the iPhone rely on valid and unique certificates on the iPhone that are tied to that particular iPhone's UUID number. These certificates are handed out by the Apple servers when a phone is first activated through iTunes, and when the first app that uses push notification is run. As such, a “hack-tivated” iPhone does not have valid certs, resulting in Push not working, the iPhone quickly draining its battery as it continuously contacts the Apple servers with invalid certs, or both. To get valid certificates, you will need to do the following:
  1. Follow the guide available here:
  2. I got an “invalid sim” error in iTunes when I went to try and activate the iPhone. There is a way around this by specifying the original carrier that the phone is locked to in the SAM Prefs settings. However, if, like me, you don't know which carrier the iPhone is originally locked to, and you are unsuccessful in getting your phone activated in this way, you can do the following:
  3. Go to Settings->About->Model, and make a note of the model number.
  4. Go to http://forum.gsmhosting.com/vbb/archive/t-1007919.html and look up the model number to see which carrier the iPhone was originally on.
  5. Under Settings->SAM, click on “method”, and change to country and carrier. Then under “method” you should be able to enter the original carrier and country details. If even that doesn't work, change back to “automatic” and it should work.
  6. Install an application that uses Push to finalise the process. You can download “iPusher” from the App Store, or “Push Checker” from Cydia (add the http://cydia.pushfix.info repo) to test if your push notifications are working.
  7. If iPusher reports an error, make sure that the iPhone is disconnected from the computer, go to Settings->SAM->Utilities and click on “Backup activation”. Then wait a minute, and click on Restore Activation. Restart the iPhone, and connect it up to iTunes again. Run iPusher or Push Checker again and you should have valid and unique certificates.
  8. To back up your certificates, you can use the guide here: http://modblog101.wordpress.com/2010/03/07/how-to-backup-your-push-certificates/


This will allow you to restore the official push certificates back onto the iPhone again if you restore the iPhone in future.

How to get Push notifications working properly on your iPhone.

Push notifications (as used by the Facebook app, or Find My iPhone) on the iPhone rely on valid and unique certificates on the iPhone that are tied to that particular iPhone's UUID number. These certificates are handed out by the Apple servers when a phone is first activated through iTunes, and when the first app that uses push notification is run. As such, a “hack-tivated” iPhone does not have valid certs, resulting in Push not working, the iPhone quickly draining its battery as it continuously contacts the Apple servers with invalid certs, or both. To get valid certificates, you have three choices:
  1. Get valid certificates using “Push Doctor” from Cydia. A guide is available here: http://www.redmondpie.com/fix-push-notifications-on-iphone-3.1.3-hacktivated-unlocked-9140492/. I have had great success with the method, and am very grateful to them for giving the valid certificates for free. Unfortunately it is becoming increasingly rare to find valid certificates on the server to grab. You will get an error during the installation if there //www.cmdshft.ipwn.me/blog/?p=791 and checking the “remaining” counter on the left hand side.
  2. You can also pay for valid certificates using PushFix. First pay the $6 at the PushFix website here: http://www.pushfix.info/purchase, and then install PushFix from Cydia using the guide here: http://www.pushfix.info/forum/viewtopic.php?f=4&t=39. I have had mixed results with this method. Although I did get valid certificates on my iPhone and thus Push notification worked, the battery began to drain very quickly. I have my suspicions that the certificates handed out by PushFix are not unique, causing the iPhone to keep trying the Apple Push servers until it gets a response, which is especially shitty considering they are charging money for them.
  3. The other option is to return the iPhone to a pre-activated state, and get an official activation and thus Push certificates by using iTunes to activate it. In the next post, I'll outline just how to do that.

How to restore an iPhone that is stuck in DFU/recovery mode


I was given an iPhone 3GS on iOS 4.3.3, baseband 6.15.00 that required a restore to delete all the user's data before they resold it. Now, as many of you reading this know, you can't just click "restore" in iTunes on a jailbroken or unlocked iPhone as iTunes will restore the iPhone with the latest iPhone iOS software, removing the lock and the jailbreak from the device. So I put the device into DFU mode and attempted a manual restoration (ctrl-click or alt-click on restore in iTunes) of a 4.3.3 firmware to the device. I then went off for a cup of tea. Unfortunately, when I returned, the iPhone's screen was black, and iTunes was reporting an error. It wouldn't even charge from a wall adapter. The phone was also unresponsive to a hard reset (hold down the home and on/off button for 15 seconds). The "exit recovery" button in the application TinyUmbrella wouldn't work, and I had no SHSH blobs for the iPhone saved locally. However, it would show up as an "iPhone in recovery mode" in iTunes. After a good bit of trial and error, I finally got it working again.
  1. First off, you will need to get the iPhone's ECID. On the Mac, click on the little Apple logo in the top left corner and then “About this mac”. Then click on “more info” and then “system report”. Click on “USB” in the top left and then on the iPhone. Look for “ECID”, and the number should be beside it. (You may need to have the iPhone in DFU mode for this number to show up.)
  2. Power up TinyUmbrella. Click on Manual ECID, and enter in the one that you got from the previous step. Click on the newly added iPhone on the left and then “Save ALL SHSHs”. If you click on the log, it should tell you if it finds any previously backed up SHSH blobs on the Cydia server. If it doesn't, you may be able to use “iFaith” to recover the current SHSH blob on the iPhone.
  3. If TinyUmbrella does find an SHSH blob on the server, it will save it to your local drive. If you click on the iPhone on the left, under the general tab, you should see a list of firmwares that the SHSH blob has been saved for. Make a note of one that you wish to restore your iPhone to.
  4. Download the corresponding firmware for your iPhone off the internet (Google is your friend). If you wish, use PwnageTool to customise the firmware to your liking (unlock your phone, etc.).
  5. Go back to TinyUmbrella. Click on “Start TSS Server”. This will enable TinyUmbrella to serve the SHSH blob(s).
  6. Open iTunes. Under the iPhone menu, alt-click (or ctrl-click) on “restore” and select your firmware. Follow the instructions. If you have TinyUmbrella open in the background, click on “log”, and you should see iTunes requesting the SHSH blob and TinyUmbrella returning the blob.
  7. If during the restore you get a “10**” error in iTunes, use TinyUmbrella to exit the phone out of recovery mode.
  8. Congratulations, the phone should be working now. If the phone needs to be jailbroken, activated or unlocked at this stage, you can use redSn0w along with the firmware file.

Saturday, April 30, 2011

Recovering an Xbox 360 from a bad NAND flash

Many moons ago, I bought an Xbox 360 for cheap that I was hoping to hack to play homebrew games on. A hack was discovered for Xbox 360s ("the JTAG hack") that allowed them to run unsigned code on the consoles. However, Microsoft released a software update that permanently stopped this hack, and stopped the consoles from being downgraded to an earlier, hack-friendly software version. They did this utilising "efuses", developed by IBM for the 360's Xenon CPU. IBM had originally developed efuses as a method to "reroute chip logic, much the way highway traffic patterns can be altered by opening and closing new lanes". The idea was that a chip could regulate speed or power consumption issues by simply tripping a fuse, or more impressively, "repair unexpected, potentially costly flaws".

Microsoft, who had one of the first implementations of this technology, had a more sinister plan when it utilised these efuses. Microsoft were "blowing" efuses after a significant software/kernel update. This would prevent hackers from downgrading to a previous version of the Xbox OS and exploiting potential bugs. The console's security measures relied on the status of these efuses; attempt to run an older software revision, and those checks would fail. Therefore only Xbox 360s that had the kernel version of 2.0.7371.0 or below could be exploited with the JTAG hack.
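The rollback check described above, as an added example that is not part of the original post and is not Microsoft's code: a simplified Python model in which each significant update blows one more fuse and the boot check rejects any image whose counter is below the fuse count. All names are hypothetical, the comparison rule is an assumption of the model, and `burn_supply` stands for whether programming voltage reaches the fuses.

```python
"""Simplified model of fuse-backed rollback protection (illustrative only)."""


class UpdateError(Exception):
    pass


class FuseBank:
    """Write-once bits: a fuse can go from intact to blown, never back."""

    def __init__(self, blown=0, size=8, burn_supply=True):
        self._blown = blown
        self._size = size
        self.burn_supply = burn_supply  # is programming voltage present?

    @property
    def blown(self):
        return self._blown

    def blow_next(self):
        """Try to program one more fuse; report whether it actually changed."""
        if not self.burn_supply or self._blown >= self._size:
            return False
        self._blown += 1
        return True


def boot_allowed(image_counter, fuses):
    """Boot-time check: reject any image older than the fuse count."""
    return image_counter >= fuses.blown


def apply_update(new_counter, fuses, verify_burn=True):
    """Raise the fuse count to new_counter as part of installing an update."""
    while fuses.blown < new_counter and fuses.blow_next():
        pass
    # Read the fuses back: an update that cannot advance the counter must
    # not be treated as complete, or rollback protection silently lapses.
    if verify_burn and fuses.blown < new_counter:
        raise UpdateError("fuse burn did not take; update not committed")
    return fuses.blown


def scenario(burn_supply, verify_burn=True):
    """Device at counter 2 installs update 3; can image 2 still boot after?"""
    fuses = FuseBank(blown=2, burn_supply=burn_supply)
    try:
        apply_update(3, fuses, verify_burn)
        committed = True
    except UpdateError:
        committed = False
    return {
        "committed": committed,
        "fuses_blown": fuses.blown,
        "old_image_boots": boot_allowed(2, fuses),
        "new_image_boots": boot_allowed(3, fuses),
    }


if __name__ == "__main__":
    print("normal update:       ", scenario(burn_supply=True))
    print("no burn, unchecked:  ", scenario(burn_supply=False, verify_burn=False))
    print("no burn, read back:  ", scenario(burn_supply=False, verify_burn=True))
```
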

So if I just don't update the software on my JTAG hacked Xbox 360, I will be fine, right? -> No, unfortunately it's not that simple. I wanted to play the new "Portal: 2" game on the Xbox. When I went to try and play the game, I just got a blank screen. After reading up a bit, it turns out that the newer games require the newer software/kernel/dashboard on the Xbox. The newest in this case was dashboard version 12625. Well, I can't update the dashboard as this will blow the efuses, thus breaking my JTAG hack, so what to do?
Well, as it turns out, another hack was discovered a while ago called a "re-booter". To put it simply, this allows you to upgrade your dashboard to the latest version while still keeping your JTAG hack. The latest version is employed in a piece of software called "Easy Freeboot 5.10". So to get your JTAG hacked Xbox running the latest dashboard, you will need to do the following:

First off, you will need to disable the ability for Microsoft to burn the efuses. This is done by removing a resistor labelled r6t3 on the motherboard that supplies the power to burn the efuses, or disabling it as shown in the image.
 
Then, upgrade the dash by following the same guide here:
http://www.instructables.com/id/How-to-JTAG-your-Xbox-360-and-run-homebrew/

..until you get to step 6. Instead of doing this step (where you put an older dashboard on the Xbox), download a program called Easy Freeboot 5.10. This program will create a NAND image that has the newest dashboard on it (it will only run on Windows Vista/Windows 7). You will need your CPU key and original NAND for this. Once you have created your newNAND image, just flash it onto the Xbox using the command:

nandpro lpt: -w16 newNAND.bin

(taken from the Instructables guide). Because of the speed of the parallel port, it usually takes anywhere between 30 min and 90 min to flash the Xbox.

Overall, it's not too difficult, just a bit of work. The only really important step is to make sure that you get a good NAND dump before you put the replacement on it. You should then have the latest dashboard on your Xbox 360.


Except that the first time around, it didn't work for me. Because of a bad flash (probably caused by a loose cable and moving the Xbox while it was being flashed), the memory on the NAND was corrupted. When I tried to turn on the Xbox, it wouldn't even turn on. I knew I needed to reflash the NAND chip, except that it wasn't being recognised by nandpro now. According to this guide, I needed to reset the NAND chip. Unfortunately, after numerous attempts, I could not get either method in the guide to work. In the end, I tried running the command to erase the NAND:

nandpro lpt: -e16 0 400 

over and over again while plugging in the xbox 360. I was hoping to catch the NAND chip just as it was powering up. After another couple attempts, it recognised the chip, and began to erase it. Then it was just a simple case of flashing the newNAND image to the xbox again with the command: 

nandpro lpt: -w16 newNAND.bin

When it was done, I unplugged the Xbox for a minute, put it all back together, turned it back on, and was greeted by the new dashboard splash screen! As well as that, Portal 2 ran without any issues.