Browsing all articles from March, 2010

When DNS goes bad

This year someone in China misconfigured something which effectively exported China’s main method of implementing blocks (man-in-the-middle DNS spoofing) semi-globally over the Global Crossing backbone for the last few weeks.

Effectively, China’s blocking went global (for certain providers).


Mar
23

Cube vs Cube

Obviously I’ve had waaaaaaaaaay too much fun with my newly purchased coffee machine today.
Photos (and story) below.

It’s a match of the titans.

Frog design vs A+P Cahen.

No rolls barred, it’s Cube vs Cube.

In the left corner, we have the old, the venerable…

G4 Cube

Part frakkin Toaster, part computer, (ex) fishtank, part space heater.

VS

The newcomer with an attitude, he’s shiny, and he isn’t afraid to show it off.

Le Cube


I was reading a post up at Carsonified (http://carsonified.com/blog/dev/bulletproof-backups-for-mysql/), which talked about MySQL backups.

While he slightly re-invents the wheel, it’s fairly similar to what we do over at Computer Solutions as a solution for Backup.

How do we do it?


As it’s been a while since I did any hardware stuff (other than some dabbling in Arduino), I decided I would try and resuscitate a bricked 941n router. I had given it to the staff to fiddle with, but they needed a push in the right direction for where to start.

First I needed tools.
Luckily China is pretty awesome when it comes to getting electronic bits and pieces so most of what I needed was a mere Taobao away.

As the crap soldering irons in the office weren’t going to hack it, my first purchase was a decent soldering iron.
I took a look at the Wellers (which I used in a previous lifetime), and decided that the pricing was a little too steep for my liking!
Taobao had plenty of cough, cough ‘clone’ Hakko 936s though, so I bought one of those, 10 tips and some solder for a little less than 200RMB delivered to the office.

I could have gone to buy it over in the electronics mall over in Beijing lu, but seriously, Taobao is easier.

While I was at it, I also ordered a Rek DC power supply, and some JTAG cables.
The PSU isn’t totally useful for router hacking, but we do have a lot of people that forget to bring laptop chargers with them, so it will come in handy for that. Looks pretty nifty too.

Hakko 936 and Rek DC PSU

Next up was a serial to ttl adaptor, as the TP-Link uses TTL voltage apparently, and I needed to convert into standard pc serial.
I bought 2 adaptors, one USB one, with rather crappily made headers, and a rather nicer serial one with pins.

As I’m rather crap at soldering, I totally expected things to bork something up, but amazingly I got the headers installed relatively easily, and even managed to bridge pad (R356) to enable serial first go (as per the wiki).

I plugged in my serial adaptor to the computer, and powered up the router.
Surprisingly everything worked first time around, and I got some serial output in HyperTerminal.

A few nanoseconds later I got to experience again how much I hated HyperTerminal.
Grumble cpu usage grumble frozen input grumble mutter,… and installed PuttyTel instead.

Putty also seems to autodetect the kernel speed nicely (as boot changes from 9600 to 115,200baud), which is a bonus.

I still need to time it right so I can catch the u-boot in time to stop it, and, I also still need to reflash it, but the hard part is done!

Total cost – roughly 250RMB for parts (soldering iron, tips, serial ttl adaptor, pin headers, jtag stuff etc), plus about an hour of time, most of which encompassed clearing my desk enough so I could solder 🙂

I’m all setup for more journeys into equipment though, and I can now completely recover borked equipment handily.

Useful pages:
http://wiki.openwrt.org/inbox/tp-link.tl-wr941nd (Pinouts)
https://forum.openwrt.org/viewtopic.php?id=18354&p=1 (Thread on TL-WR941 hacking)

Firmware files:
http://downloads.openwrt.org/snapshots/trunk/ar71xx/

Taobao shopping:
http://item.taobao.com/auction/item_detail-db1-3fbe7be878a7aa35dd4ec1e4260113e8.jhtml (RS232 TTL)
http://item.taobao.com/auction/item_detail-db2-3c9886e66da40119a6c72fe03c4b8d38.jhtml (Hakko 936 + tips)
http://item.taobao.com/auction/item_detail-0db1-4fbc4e80f96ae37dbd34b9cb466aa642.jhtml?cm_cat=0 (Wiggler JTAG)

Currently I have an iPhone (ancient 2G), and have just bought a Dell Mini3i (600RMB with an 18month contract @ China Telecom), as I donated my 3G iPhone to one of the extended family back home.

The Mini3i runs an Android variant called OPhone.

The 3i is a little underwhelming software wise.

It’s quite crap at the moment as it’s sitting on Android 1.0 (OPhone 1.0), but for all intents and purposes Android = OPhone; it’s pretty much the same underneath.

There are a bunch of similar phones to this – the Lenovo O1, LG GW880, Motorola something or other (can’t be hassled to go look) etc.

While I haven’t rooted mine just yet, I have been playing around, and reading the Chinese forums.

Boot loader appears to be similar on all the devices – it’s made by BORQS in Beijing, and appears to be quite basic.

Motorola and O1 seem to have the best support for now, the main problem in the Chinese forums is people bitching about being stuck on older versions.

Some are running 1.6, most on 1.5, and the unlucky few 1.0 “Ophone”.
2.0 and 2.1 have yet to hit the mainstream here.

There are people with N1/G5’s (Nexus 1 / HTC G5) on 2.1 though (yes, that’s you in Beijing Tom!), pretty much any phone is available, although anything with wifi is essentially grey import from overseas (HK mostly).

Back to the phone –

Thankfully you can install any apps as apk’s, no need to hack for that – so it’s fairly easy to get info on the innards.

RootExplorer is your friend 🙂

RootExplorer also allows you to remount partitions r/w, so root access is fairly easy too. There are precompiled su binaries for 1.5 out there, although I’ve yet to do my phone.

The Dell mini3 is running on a Marvell Tabor. Fast chip, nice touchscreen, decent resolution, just crap on 1.0.

Firmware files for most of the “ophones” (except motorola) are mff files.

The mff files appear to just be compressed images with instructions for how to write the various partitions out.

e.g. the Lenovo O1 mff has this in the “mff” zip:

2010/02/25 10:53 147,111,936 factory_CHERRY.fbf
2010/02/25 10:53 249 factory_CHERRY.mff.mlt
2010/02/25 10:53 364 JADE_EVB_RawNANDx16.ini
2010/02/25 10:53 327 magic_fbf.ini
2010/02/25 10:53 2,692 magic_fbf_inner.ini
2010/02/25 10:53 10,236,719 mfw.pac
2010/02/25 10:53 54,180 MHLV_NTDKB_h.bin
2010/02/25 10:53 176 MHLV_NTDKB_TIM.bin
2010/02/25 10:53 858 NTIM_td.ini

magic_fbf_inner.ini has the layout

[INTEL_FLASH_DEVICE_INPUT_FILE]
Number_of_Images=24

[IMAGE_HEADER_0]
Start_Address=0x240000
Image_Length=0x40000
EraseBlocks=1
WriteImage=0
VerifyWrite=0

[IMAGE_HEADER_1]
Start_Address=0x6900000
Image_Length=0xf00000
EraseBlocks=1
WriteImage=0
VerifyWrite=0

(etc)
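Added example, not from the original post or from any BORQS tool: a short Python parser that turns the magic_fbf_inner.ini layout quoted above into a sorted flash map and flags overlapping regions or a mismatch with Number_of_Images. It assumes Start_Address and Image_Length are hexadecimal byte values, which the post does not state; the function names are hypothetical.

```python
import configparser

# Constructed sample: only the two IMAGE_HEADER sections quoted in the post.
SAMPLE_INI = """\
[INTEL_FLASH_DEVICE_INPUT_FILE]
Number_of_Images=24

[IMAGE_HEADER_0]
Start_Address=0x240000
Image_Length=0x40000
EraseBlocks=1
WriteImage=0
VerifyWrite=0

[IMAGE_HEADER_1]
Start_Address=0x6900000
Image_Length=0xf00000
EraseBlocks=1
WriteImage=0
VerifyWrite=0
"""

def parse_layout(text):
    """Return (declared_count, regions), regions sorted by start address."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    declared = cp.getint("INTEL_FLASH_DEVICE_INPUT_FILE", "Number_of_Images")
    regions = []
    for name in cp.sections():
        if not name.startswith("IMAGE_HEADER_"):
            continue
        # Assumption: both fields are hexadecimal byte values.
        start = int(cp[name]["Start_Address"], 16)
        length = int(cp[name]["Image_Length"], 16)
        regions.append({"index": int(name.rsplit("_", 1)[1]),
                        "start": start, "end": start + length})
    return declared, sorted(regions, key=lambda r: r["start"])

def find_problems(declared, regions):
    """Flag a count mismatch and any region that runs into the next one."""
    problems = []
    if declared != len(regions):
        problems.append(f"declares {declared} images, found {len(regions)}")
    for a, b in zip(regions, regions[1:]):
        if b["start"] < a["end"]:
            problems.append(f"image {a['index']} overlaps image {b['index']}")
    return problems
```

Run against the full 24-section file from a firmware zip, the count check passes and any overlap reported is worth a look before trusting a dump or a reflash.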

Different phones have different firmware writing software, the Motorolas are using RSDLite, LG – SML_OMS, CTHall, others something homegrown called Firebolt, which is written by BORQS. I have all the firmware tools already, despite the Ophone8 forums’ lack of courtesy in sharing, grrr.

Most firmware tools appear similar though functionality wise.
Haven’t played around inside the phone yet to see if it’s easy to get jtag access, although that was mostly because I couldn’t work out how to remove the top part without breaking it.

If anyone wants more info, or a firmware dump let me know.

Hopefully there is some interest out there in the English speaking world for these!
