
News

Posted about 1 month ago
Last week I visited thomasdotwtf from eventphone, who has a Jura coffee machine. We took one evening to look into how easy it is to use a generic BLE device like a Raspberry Pi to control it. He has a Jura Z8 Automatic Coffee Machine which supports an iOS/Android app via Bluetooth LE. Jura released (at least) two different apps to control it:

- pl.mkssystems.juracoffee.household (Jura Coffee)
- ch.toptronic.joe (J.O.E.)

Both apps support ordering and changing properties of a coffee (e.g. how much water do you want to have or how much coffee should be in there?). mkssystems.pl seems to have gone out of service, but the Internet Archive still has an old version, and they show a lot of coffee machine related products, as well as a small blue device [1]. This is the BlueFrog, a Bluetooth dongle to control Jura coffee machines.

What can you do with the apps?

- Configure your coffee
- Produce a coffee
- Statistics
- Firmware updates

How we looked into it?

- Bluetooth packet trace: we used the Android btsnoop.log to retrieve a packet trace which we loaded into Wireshark.
- decompiled the .apk with different tools
- loaded the source code into Android Studio

What we found out?

- The J.O.E. application uses XML files to be configured for the different coffee machines. The XML defines products (e.g. a coffee, a green tea, ...), and there are properties (e.g. how much coffee should be produced), statistics and settings. The article number defines the XML file to be used.
- A firmware process including the update URLs and the new firmware.

We tried to find the same commands which should work on the RS232/serial in the Bluetooth packet trace, but there weren't any. After looking further in the code, we found a lot of UUIDs for characteristics, including a human readable name. We also discovered an "encryption" method which uses 2x hardcoded keys as well as an additional input of 8 bit from the BLE advertisement. The encryption looks like a static key.

In the BLE advertisement, there is manufacturing data. In our case, the manufacturing data contains 27 bytes. 16-bit values are little endian.

Manufacturing data as hex (27 bytes):

    aa 05 06 03 d73a yyyy xxxx 5836 4435 01 c0 00 00 00 00 00 00 00 00 00 00 00

    aa:   key
    05:   BlueFrog Major Version
    06:   BlueFrog Minor Version
    03:   unused (maybe Patch Version?)
    d73a: article number (the specific type of the machine)
    yyyy: machine number
    xxxx: serial number
    5836: production date (Feb. 2017)
    4435: production date UHCI (does UHCI mean the BlueFrog?) (Oct. 2016)
    01:   unused
    c0:   bitmask, defines supported features

The production dates can be decoded and also validated using the application, where they are shown in the connection fragment:

    days:  (i & 31)
    month: ((i & 480) >> 5)
    year:  ((i & 65024) >> 9) + 1990;

What to do next?

- Write a decrypt function which can parse pcap files and show the message, or write a dissector (Lua) for Wireshark with a decryption function.
- Find out how to map the XML files into commands towards the BlueFrog.

Bluetooth Interface

The good thing about BLE is that the communication is standardized. BLE uses the Bluetooth Attribute Protocol to communicate. The Bluetooth Attribute Protocol uses services and characteristics. A service is an object which can hold multiple characteristics. A characteristic can support one or more of the following operations: read, write, notification, indication. Every service has a UUID, and every characteristic has a UUID as well. The Bluetooth Attribute Protocol has its own methods to discover available services and characteristics. For more information please take a closer look into Bluetooth Low Energy.

As a general BLE device, the BlueFrog announces itself on BLE.

    > hcitool lescan
    LE Scan ...
    C9:26:E8:4B:72:02 TT214H BlueFrog

    > HCI Event: LE Meta Event (0x3e) plen 43          #8 [hci0] 8.466202
          LE Advertising Report (0x02)
            Num reports: 1
            Event type: Scan response - SCAN_RSP (0x04)
            Address type: Random (0x01)
            Address: C9:26:E8:4B:72:02 (Static)
            Data length: 31
            Company: Ingenieur-Systemgruppe Zahn GmbH (171)
              Data: aa050603d73a080402005836443501c00000000000000000000000
            RSSI: -78 dBm (0xb2)

Furthermore, we can also look for the services and characteristics via gatttool.

    > gatttool -b C9:26:E8:4B:72:02 --services -t random
    attr handle = 0x0001, end grp handle = 0x0007 uuid: 00001800-0000-1000-8000-00805f9b34fb
    attr handle = 0x0008, end grp handle = 0x0008 uuid: 00001801-0000-1000-8000-00805f9b34fb
    attr handle = 0x0009, end grp handle = 0x0033 uuid: 5a401523-ab2e-2548-c435-08c300000710
    attr handle = 0x0034, end grp handle = 0x003a uuid: 5a401623-ab2e-2548-c435-08c300000710
    attr handle = 0x003b, end grp handle = 0xffff uuid: 00001530-1212-efde-1523-785feabcd123

    > gatttool -b C9:26:E8:4B:72:02 --characteristics -t random
    handle = 0x0002, char properties = 0x0a, char value handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb
    handle = 0x0004, char properties = 0x02, char value handle = 0x0005, uuid = 00002a01-0000-1000-8000-00805f9b34fb
    handle = 0x0006, char properties = 0x02, char value handle = 0x0007, uuid = 00002a04-0000-1000-8000-00805f9b34fb
    handle = 0x000a, char properties = 0x02, char value handle = 0x000b, uuid = 5a401524-ab2e-2548-c435-08c300000710
    handle = 0x000d, char properties = 0x08, char value handle = 0x000e, uuid = 5a401525-ab2e-2548-c435-08c300000710
    handle = 0x0010, char properties = 0x08, char value handle = 0x0011, uuid = 5a401529-ab2e-2548-c435-08c300000710
    handle = 0x0013, char properties = 0x08, char value handle = 0x0014, uuid = 5a401528-ab2e-2548-c435-08c300000710
    handle = 0x0016, char properties = 0x0a, char value handle = 0x0017, uuid = 5a401530-ab2e-2548-c435-08c300000710
    handle = 0x0019, char properties = 0x02, char value handle = 0x001a, uuid = 5a401527-ab2e-2548-c435-08c300000710
    handle = 0x001c, char properties = 0x02, char value handle = 0x001d, uuid = 5a401531-ab2e-2548-c435-08c300000710
    handle = 0x001f, char properties = 0x0a, char value handle = 0x0020, uuid = 5a401532-ab2e-2548-c435-08c300000710
    handle = 0x0022, char properties = 0x0a, char value handle = 0x0023, uuid = 5a401535-ab2e-2548-c435-08c300000710
    handle = 0x0025, char properties = 0x0a, char value handle = 0x0026, uuid = 5a401533-ab2e-2548-c435-08c300000710
    handle = 0x0028, char properties = 0x02, char value handle = 0x0029, uuid = 5a401534-ab2e-2548-c435-08c300000710
    handle = 0x002b, char properties = 0x02, char value handle = 0x002c, uuid = 5a401536-ab2e-2548-c435-08c300000710
    handle = 0x002e, char properties = 0x02, char value handle = 0x002f, uuid = 5a401537-ab2e-2548-c435-08c300000710
    handle = 0x0031, char properties = 0x02, char value handle = 0x0032, uuid = 5a401538-ab2e-2548-c435-08c300000710
    handle = 0x0035, char properties = 0x02, char value handle = 0x0036, uuid = 5a401624-ab2e-2548-c435-08c300000710
    handle = 0x0038, char properties = 0x08, char value handle = 0x0039, uuid = 5a401625-ab2e-2548-c435-08c300000710
    handle = 0x003c, char properties = 0x04, char value handle = 0x003d, uuid = 00001532-1212-efde-1523-785feabcd123
    handle = 0x003e, char properties = 0x18, char value handle = 0x003f, uuid = 00001531-1212-efde-1523-785feabcd123

Bluetooth Services and Characteristics

Service table

    start   end     uuid                                  name
    0x0001  0x0007  0x1800                                Generic Access Profile
    0x0008  0x0008  0x1801                                Generic Attribute Profile
    0x0009  0x0033  5a401523-ab2e-2548-c435-08c300000710
    0x0034  0x003a  5a401623-ab2e-2548-c435-08c300000710
    0x003b  0xffff  00001530-1212-efde-1523-785feabcd123

Generic Access Profile (GAP) 0x0001 .. 0x0007

    handle  value handle  properties  uuid                                  description
    0x0002  0x0003        RW (0xa)    00002a00-0000-1000-8000-00805f9b34fb
    0x0004  0x0005        R (0x2)     00002a01-0000-1000-8000-00805f9b34fb
    0x0006  0x0007        R (0x2)     00002a04-0000-1000-8000-00805f9b34fb

5a401523-ab2e-2548-c435-08c300000710 0x0009 .. 0x0033

    handle  value handle  properties  uuid                                  description
    0x000a  0x000b        R (0x2)     5a401524-ab2e-2548-c435-08c300000710  Machine Status
    0x000d  0x000e        W (0x8)     5a401525-ab2e-2548-c435-08c300000710  Product Start
    0x0010  0x0011        W (0x8)     5a401529-ab2e-2548-c435-08c300000710  Service Control
    0x0013  0x0014        W (0x8)     5a401528-ab2e-2548-c435-08c300000710  Update Product Progress
    0x0016  0x0017        RW (0xa)    5a401530-ab2e-2548-c435-08c300000710  Product Progress
    0x0019  0x001a        R (0x2)     5a401527-ab2e-2548-c435-08c300000710  About
    0x001c  0x001d        R (0x2)     5a401531-ab2e-2548-c435-08c300000710
    0x001f  0x0020        RW (0xa)    5a401532-ab2e-2548-c435-08c300000710
    0x0022  0x0023        RW (0xa)    5a401535-ab2e-2548-c435-08c300000710
    0x0025  0x0026        RW (0xa)    5a401533-ab2e-2548-c435-08c300000710  Statistics command
    0x0028  0x0029        R (0x2)     5a401534-ab2e-2548-c435-08c300000710  Statistics data
    0x002b  0x002c        R (0x2)     5a401536-ab2e-2548-c435-08c300000710
    0x002e  0x002f        R (0x2)     5a401537-ab2e-2548-c435-08c300000710
    0x0031  0x0032        R (0x2)     5a401538-ab2e-2548-c435-08c300000710  Service Control Response

5a401623-ab2e-2548-c435-08c300000710 0x0034 .. 0x003a

    handle  value handle  properties  uuid                                  description
    0x0035  0x0036        R (0x2)     5a401624-ab2e-2548-c435-08c300000710
    0x0038  0x0039        W (0x8)     5a401625-ab2e-2548-c435-08c300000710

Nordic DFU 00001530-1212-efde-1523-785feabcd123 0x003b .. 0xffff

    handle  value handle  properties  uuid                                  description
    0x003c  0x003d        W- (0x4)    00001532-1212-efde-1523-785feabcd123  Nordic DFU_PACKET_CHARACTERISTI
    0x003e  0x003f        W N (0x18)  00001531-1212-efde-1523-785feabcd123  Nordic DFU_CONTROL_POINT_CHARACTERISTIC

- R means read
- W means write with response
- W- means write without response
- N means notification

Additional sources

[1] https://www.thomas-electronic-online-shop.de/JURA-Smart-Connect
[2] https://forum.fhem.de/index.php?topic=76957.0
[3] https://community.home-assistant.io/t/control-your-jura-coffee-machine/26604
[4] https://gitlab.com/Blueforcer/HA2JURA/snippets/1674496
[5] https://github.com/hn/jura-coffee-machine
[6] https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.sdk5.v15.3.0%2Flib_dfu_transport_ble.html
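The manufacturing data layout and the date formula from the post can be checked against the captured scan response. The following Python parser is an added example, not code from the post or from the Jura apps; it walks the standard length/type/value structures of a 31-byte advertising payload, and the class, field and function names are assumptions chosen here.

```python
import struct
from dataclasses import dataclass
from datetime import date
from typing import Iterator, Optional, Tuple

AD_TYPE_MANUFACTURER = 0xFF   # standard BLE AD type: manufacturer specific data
COMPANY_ID = 171              # company ID shown in the post's scan response


@dataclass
class BlueFrogAdv:            # hypothetical container, field names follow the post
    key: int
    version: Tuple[int, int, int]
    article_number: int
    machine_number: int
    serial_number: int
    production_date: date
    second_production_date: date   # the post calls this "production date UHCI"
    features: int


def iter_ad_structures(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ad_type, data) for every AD structure in an advertising payload."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                       # zero length: padding, stop parsing
            break
        if i + 1 + length > len(payload):
            raise ValueError("AD structure runs past the end of the payload")
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length


def decode_date(i: int) -> date:
    """Apply the bit masks given in the post to a 16-bit date word."""
    day = i & 31
    month = (i & 480) >> 5
    year = ((i & 65024) >> 9) + 1990
    return date(year, month, day)             # raises ValueError on an impossible date


def parse_manufacturer_data(data: bytes) -> BlueFrogAdv:
    """Decode the first 16 bytes of the 27-byte block; 16-bit fields are little endian."""
    if len(data) < 16:
        raise ValueError("manufacturing data too short: %d bytes" % len(data))
    (key, major, minor, patch, article, machine, serial,
     date1, date2, _unused, features) = struct.unpack_from("<4B5H2B", data)
    return BlueFrogAdv(key, (major, minor, patch), article, machine, serial,
                       decode_date(date1), decode_date(date2), features)


def parse_scan_response(payload: bytes) -> Optional[BlueFrogAdv]:
    """Return the decoded BlueFrog block, or None if the payload carries none."""
    for ad_type, data in iter_ad_structures(payload):
        if ad_type == AD_TYPE_MANUFACTURER and len(data) >= 2:
            if int.from_bytes(data[:2], "little") == COMPANY_ID:
                return parse_manufacturer_data(data[2:])
    return None


# Sample input: the 16 meaningful bytes from the post's capture plus 11 zero bytes,
# wrapped (constructed here) in the AD header that precedes them on air.
MANUFACTURER_DATA = bytes.fromhex("aa050603d73a080402005836443501c0") + bytes(11)
SCAN_RSP = (bytes([1 + 2 + len(MANUFACTURER_DATA), AD_TYPE_MANUFACTURER])
            + COMPANY_ID.to_bytes(2, "little") + MANUFACTURER_DATA)

if __name__ == "__main__":
    print(parse_scan_response(SCAN_RSP))
```

The header plus company ID add four bytes to the 27-byte block, which is where the "Data length: 31" in the capture comes from.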
Posted 11 months ago
ramips mt7628nn 4 MB flash 32 MB Memory
Posted 11 months ago
I joined the MirageOS retreat in March 2019. It's a 1 week event in Marrakech, Morocco. It's a really nice house in the old city of Marrakech, the medina. The event itself doesn't have much more structure than a morning meeting and sometimes talks in the evening. MirageOS is a unikernel written in OCaml. MirageOS can run on top of many backends, e.g. a Unix process or Xen, KVM, bhyve.

This retreat I took care of the Internet uplink. We had a slow and leaky 4MBit ADSL line from Maroc Telecom which we used as backup, while using LTE as main uplink. We first used inwi as provider. But inwi changes the IPs quite often and the implementation in OpenWrt uqmi does not follow the IP changes, which resulted in a stale LTE connection. Inwi is also filtering all UDP DNS queries, except those going to their own servers. We then switched to Orange as provider, because someone had a card available. Orange was fast enough, a pretty stable 5MBit up & down. We consumed roughly 20 GB a day. This brought us a nice daily ritual, a walk to a small and nice mobile shop in the medina. 1 GB costs 10 Dh (1 Euro).

Our router, an APU2, runs OpenWrt, but we disabled DNS & DHCP and ran these services on a separate APU using MirageOS. Even though I'm not that familiar with OCaml and functional languages, I tried to fix a bug in the DHCP server implementation, PR#97. It worked for me; however, after deploying it, it turned out it only worked for me, I broke it for everybody else ;). This motivated me to start looking at TTCN-3, an ETSI language to test network protocols. Later, together with Hannes, we fixed the DHCP for real. Adding some TTCN-3 tests and creating a simple base is still on my TODO.

Another really nice OCaml service on the side was a learn-ocaml instance: an interactive teaching web application for beginner and advanced OCaml programmers, including an annotated OCaml compiler. Sadly there is no instance on the internet yet, as the project is not ready for release.

While there I also worked a lot on reproducible builds for OpenWrt. I fixed 2 packages. All OpenWrt base packages are 100 % reproducible. Thanks to Daniel Golle, OpenWrt images can be cryptographically signed. This signature must be removed before looking for differences; this is also done in the reproducible builds setup for OpenWrt. 100% of ar71xx images are reproducible and 98% of ramips. The remaining 2% are also signature problems, but these signatures are in the middle instead of at the end of the image. I also found the time to integrate my package index parser into reproducible builds. It's much easier to just parse two package lists than to look at all the package files to determine if they are reproducible or not. The package index files also contain metadata of the packages, which it inserts into the reproducible builds database.

Some people from the QubesOS project joined the retreat. For example, there is a MirageOS firewall which replaces QubesOS's own one. There is also a Pong game, which can run as a QubesOS VM. Thanks to the QubesOS people for their help with my problems with disposable VMs.

Furthermore, I brought a BeagleBone Black with me to investigate bugs reported for that platform. While looking at it, I found out the last release of OpenWrt (18.06.2) doesn't work on this board (fs: squashfs), while master works. I also fixed build issues with u-boot in OpenWrt for the BeagleBone Black when using a modern toolchain.

Since we used LTE as uplink, we wanted to know how much of our data volume was consumed. OpenWrt might have statistics, but those are stored only in memory and not saved anywhere. I didn't look for any OpenWrt packages which fix this problem, because the provider (Orange) supports a USSD code to retrieve the remaining volume.

What is USSD? USSD stands for Unstructured Supplementary Service Data. It's used on mobile phones to retrieve the balance, your phone number, your IMEI, [..]. Most people have used them. Take your phone, open the phone application and call *#06#; it will return your phone's unique identifier (IMEI). While SMS is a store-and-forward scheme, like email, USSD is a real-time message protocol, similar to a TCP connection. The USSD codes are simple: do a request, get a response. Done. But Orange implemented a menu via USSD. So the USSD session will look like: Request, Response, Choose Your Menu, Response, Go Back, Choose different Point.

I've started writing USSD support for libqmi. Simple USSD codes can be requested and decoded, but not menus with user input. And the biggest problem is: OpenWrt doesn't support USSD at all. Not even the simple ones.
Posted over 1 year ago
Sometimes, when I'm not directly around or I forgot to plug the power supply into my laptop, my laptop runs into the critical power action. Because I'm using upowerd, my machine tries to do this:

- HibernateSuspend (fails)
- Hibernate (fails)
- PowerOff

Great! My machine shuts down in the middle of doing something. It would take 2 minutes to get a power supply, but too late!! But there might be a solution for this: Suspend. My machine can survive more than 1 hour in suspend with this low battery. It would help me NOT lose my current unsaved work. After looking into upowerd, it's just a 1 line code change to allow this. It is not a good default, but there are people who would like to use this. But .. upowerd doesn't like it. They do not even want to allow the user to take this option. Independent of that, I agree this shouldn't be the default. We have been discussing this issue for years, without any solution. Upowerd wants to decide what users should do with their laptop and what not.

Discussion Bugtracker

How to resolve it?
Posted over 2 years ago
From time to time you need to test things with the old image. But how do you test things when the original build environment is lost and you want to test sysupgrade against this old release (actually 12.09)?

First you have to create a flash dump of the firmware partition.

    # grep firmware /proc/mtd
    mtd5: 003d0000 00010000 "firmware"
    # ssh root@192.168.1.1 dd if=/dev/mtd5 > /tmp/firmware_backup

Afterwards you can use binwalk to get the actual offsets of the different parts inside.

    # binwalk /tmp/firmware_backup
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    512           0x200           LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2813832 bytes
    930352        0xE3230         Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2194094 bytes, 728 inodes, blocksize: 262144 bytes, created: 2014-03-05 14:58:48
    3145728       0x300000        JFFS2 filesystem, big endian

So sysupgrade images for ar71xx are still using the (old) layout of

    ----------
    |KERNEL  |
    ----------
    |squashfs|
    ----------
    |jffs2   |
    ----------

While a sysupgrade image contains for those platforms:

    --------------
    |KERNEL      |
    --------------
    |squashfs    |
    --------------
    |jffs2-dummy |
    --------------

So we will split off the jffs2 part and replace it with jffs2-dummy.

    # dd if=/tmp/firmware_backup bs=3145728 count=1 of=/tmp/sysupgrade.img

Next we add this jffs2-dummy by using the same tool LEDE uses for it:

    # /home/lynxis/lede/staging_dir/host/bin/padjffs2 /tmp/sysupgrade.img 64

The 64 means the padding size in kb. It's important to choose the right one, but for most devices this is 64k, at least for ar71xx.
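The dd step above hard-codes the JFFS2 offset that binwalk reported. The following Python sketch is an added example, not part of the original post; it derives the cut point from the binwalk table instead and checks that the squashfs really ends before it and that the cut sits on an erase block boundary (0x10000, the erase size from the /proc/mtd line). The function names are assumptions.

```python
import re

# binwalk table copied from the post
BINWALK_OUTPUT = """\
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
512           0x200           LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2813832 bytes
930352        0xE3230         Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2194094 bytes, 728 inodes, blocksize: 262144 bytes, created: 2014-03-05 14:58:48
3145728       0x300000        JFFS2 filesystem, big endian
"""

ROW_RE = re.compile(r"^(\d+)\s+0x([0-9A-Fa-f]+)\s+(.*)$")
SQUASHFS_SIZE_RE = re.compile(r"(?<![a-z])size: (\d+) bytes")  # skips "blocksize:"


def parse_binwalk(text):
    """Return [(offset, description)] for every signature row in binwalk's table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                          # header, separator or blank line
        offset = int(m[1])
        if offset != int(m[2], 16):
            raise ValueError("decimal/hex offset mismatch in: %r" % line)
        rows.append((offset, m[3]))
    return rows


def jffs2_cut_offset(rows, erase_block=0x10000):
    """Offset at which kernel+squashfs end and the writable JFFS2 part begins."""
    squashfs = [(o, d) for o, d in rows if d.startswith("Squashfs filesystem")]
    if len(squashfs) != 1:
        raise ValueError("expected exactly one squashfs, found %d" % len(squashfs))
    sq_off, sq_desc = squashfs[0]
    sq_size = int(SQUASHFS_SIZE_RE.search(sq_desc)[1])
    jffs2 = [o for o, d in rows if d.startswith("JFFS2 filesystem") and o > sq_off]
    if not jffs2:
        raise ValueError("no JFFS2 signature after the squashfs")
    cut = min(jffs2)
    if sq_off + sq_size > cut:
        raise ValueError("squashfs (ends at %d) overlaps JFFS2 at %d" % (sq_off + sq_size, cut))
    if cut % erase_block:
        raise ValueError("JFFS2 offset %#x is not erase block aligned" % cut)
    return cut


def carve(dump: bytes, cut: int) -> bytes:
    """Equivalent of the post's dd bs=<cut> count=1: keep everything before the JFFS2 part."""
    if len(dump) < cut:
        raise ValueError("dump is shorter than the cut offset")
    return dump[:cut]


if __name__ == "__main__":
    print(jffs2_cut_offset(parse_binwalk(BINWALK_OUTPUT)))
```

The carved image still needs the padjffs2 step from the post before it can be used with sysupgrade.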
Posted over 2 years ago
A friend gave me his X1 Carbon Gen1 some time ago. The X1 Carbon is a little bit different from other Thinkpads because it's a combination of a Thinkpad and an Ultrabook.

- It has a Trackpoint (and even Trackpoint buttons).
- It has soldered memory (only Elpida memory is supported atm).
- It has Full-HD (missed that on x2xx).

Looking under the hood, the X1 Carbon Gen1 looks very much like the x230.
Posted about 3 years ago
A graphic can describe a thing better than 1000 words. This is how mksquashfs 4.3 works. mksquashfs source
Posted over 3 years ago
This howto will guide you through creating your own kernel patch using the LEDE infrastructure. It's based on LEDE reboot-1279-gc769c1b.

LEDE already has a lot of patches. They are all applied on one tree. We will create a new patch for lantiq. To get started, let's see how LEDE organizes the patches. First of all we take a look at /target/linux/*. All of these folders represent an architecture target, except generic. The generic target is used by all targets.

To continue, we need to know which kernel version your target architecture is running on. This is written down in target/linux/lantiq/Makefile. We're running a 4.4.Y kernel. The Y is written down in /include/kernel-version.mk. We will use .15.

Ok. Now let's see. When LEDE is preparing the kernel build directory, it searches for a matching patch directory:

- download the kernel 4.4.x (x from /include/kernel-version.mk)
- unpack the kernel under /build_dir/target-../linux-lantiq/linux-4.4.15
- apply generic patches
- apply lantiq patches
- create .config

But which is the right patches directory? It uses the following make snippet from /include/kernel.mk

Meaning it will use /patches-4.4 if it exists, or if not, try to use /patches.

Now we know how patches are applied to the Linux kernel tree. We could go into the directory, create a new patches directory and use quilt... Or we use the quilt target for that:

- make target/linux/clean to clean up the old directory.
- make target/linux/prepare QUILT=1 will unpack the source, copy all present patches into ./patches and use quilt to apply them. With quilt you can move forwards and backwards between patches, as well as modify them.
- cd ./build_dir/target-mips_34kc+dsp_uClibc-0.9.33.2/linux-lantiq/linux-4.4.15/ to switch into the Linux directory.
- quilt push -a to apply all patches from LEDE.
- quilt new platform/999-mymodification.patch to add a new patch.
- quilt add net/l2tp/l2tp_core.c to track this file.
- Call your editor to modify this file.
- quilt refresh adds your modification to the patch platform/999-mymodification.patch.

Your modification is under ./build_dir/../linux-4.4.15/patches/platform/. make target/linux/refresh will refresh all patches and copy them to the correct folder under target/linux/*/patches.
Posted almost 4 years ago
The TP-Link CPE510, a nice outdoor device, has bad rx behaviour when used with LEDE. I want to give a short overview of how to debug those problems. It could also help you find problems when facing ath9k PCI cards.

To get down to the device: the CPE510 is based on an AR9344 SoC. The integrated wireless part is supported by the ath9k driver. To get more knowledge about the AR9344 you should take a look into the publicly available datasheet (google for ar9344 datasheet ;)

The AR9344 supports using GPIOs for special purposes; this is called a GPIO function. If the function is enabled, the GPIO is internally routed to the special purpose. Now the simple part comes: if you know which register to look into, just look into it. After reading pages 52/53 of the datasheet, it's clear that it can route every signal to every GPIO. Remember the table, because it explains which value means which signal is routed to the GPIO. We suspect the LNAs are missing because the receiving part of the CPE510 is bad. So the values 46 and 47 are the important ones: 46 is LNA Chain 0, 47 is LNA Chain 1. LNA stands for low noise amplifier.

Now that we know how the GPIOs work, let's find the register controlling the GPIO function. The GPIO section starts at 130, but the interesting part is the GPIO IO Function 0 register at address 0x1804002c. It gives you 8 bit to describe its function; if it's 0x0, no function is selected and the GPIO is used as normal output. So if you write 46 into bits 0-7 you set the GPIO to become the LNA Chain 0 signal. Every GPIO from GPIO0 to GPIO19 can be configured using those registers.

We know which registers are interesting (0x1804002c - 0x1804003c). We know which values are interesting (decimal 46 and decimal 47). But how can we read out those values from a running system? The first answer I hear is JTAG, but JTAG isn't easy to achieve and more difficult to use on ar71xx, because the bootloader usually deactivates JTAG as one of the first commands. But we can ask the kernel. /dev/mem is quite useful for that. It's a direct way to the memory, very dangerous, but also handy ;). The easiest way to interface with /dev/mem is the simple utility called devmem or devmem2. To compile a compatible devmem2 you should use the GPL sources of the firmware, but you can also download the binary from here [1]. Copy devmem2 to /tmp via scp and start reading the values. Because mips is a 32bit architecture we have to read the register

Back to our LNA values, 46 and 47. In hex those are 0x2E and 0x2F. We have to look for those values aligned to 8 bit.

    # ./devmem2 0x1804002c
    /dev/mem opened.
    Memory mapped at address 0x2aaae000.
    Value at address 0x1804002C (0x2aaae02c): 0x0
    # ./devmem2 0x18040030
    /dev/mem opened.
    Memory mapped at address 0x2aaae000.
    Value at address 0x18040030 (0x2aaae030): 0xB0A0900
    # ./devmem2 0x18040034
    /dev/mem opened.
    Memory mapped at address 0x2aaae000.
    Value at address 0x18040034 (0x2aaae034): 0x2D180000
    # ./devmem2 0x18040038
    /dev/mem opened.
    Memory mapped at address 0x2aaae000.
    Value at address 0x18040038 (0x2aaae038): 0x2C
    # ./devmem2 0x1804003c
    /dev/mem opened.
    Memory mapped at address 0x2aaae000.
    Value at address 0x1804003C (0x2aaae03c): 0x2F2E0000
    #

Found it in 0x1804003C. LNA 0 is GPIO 18 and LNA 1 is GPIO 19.

[1] https://lunarius.fe80.eu/blog/files/lede/devmem2
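The manual search for 0x2E and 0x2F in the register dumps can be done mechanically. The following Python sketch is an added example, not code from the original post; it parses the devmem2 output shown above and splits every 32-bit GPIO function register into its four 8-bit fields. It assumes the lowest byte of a register belongs to the lowest numbered GPIO, which is the ordering that yields the post's result; the function names are hypothetical.

```python
import re

GPIO_FUNC_BASE = 0x1804002C    # GPIO function register 0 (address from the post)
GPIO_FUNC_LAST = 0x1804003C    # last register, covers GPIO16..GPIO19
NAMED_FUNCTIONS = {46: "LNA Chain 0", 47: "LNA Chain 1"}   # the two values the post names

# "Value at address" lines copied from the devmem2 session in the post
DEVMEM2_OUTPUT = """\
Value at address 0x1804002C (0x2aaae02c): 0x0
Value at address 0x18040030 (0x2aaae030): 0xB0A0900
Value at address 0x18040034 (0x2aaae034): 0x2D180000
Value at address 0x18040038 (0x2aaae038): 0x2C
Value at address 0x1804003C (0x2aaae03c): 0x2F2E0000
"""

VALUE_RE = re.compile(
    r"Value at address (0x[0-9A-Fa-f]+) \(0x[0-9A-Fa-f]+\): (0x[0-9A-Fa-f]+)")


def parse_devmem2(text):
    """Return {physical address: 32-bit value} for every 'Value at address' line."""
    return {int(addr, 16): int(value, 16) for addr, value in VALUE_RE.findall(text)}


def decode_gpio_functions(registers):
    """Return {gpio number: 8-bit function value}; 0 means plain GPIO output."""
    functions = {}
    for addr, value in sorted(registers.items()):
        if not GPIO_FUNC_BASE <= addr <= GPIO_FUNC_LAST or addr % 4:
            raise ValueError("%#x is not a GPIO function register" % addr)
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("value %#x does not fit in 32 bits" % value)
        # One byte per GPIO, four GPIOs per register: the byte offset from the
        # base register plus the byte lane gives the GPIO number directly.
        first_gpio = addr - GPIO_FUNC_BASE
        for lane in range(4):
            functions[first_gpio + lane] = (value >> (8 * lane)) & 0xFF
    return functions


def find_function(functions, wanted):
    """List the GPIOs that are routed to the given function value."""
    return [gpio for gpio, func in sorted(functions.items()) if func == wanted]


def report(functions):
    """One line per GPIO that has a function selected."""
    lines = []
    for gpio, func in sorted(functions.items()):
        if func:
            name = NAMED_FUNCTIONS.get(func, "function not named in the post")
            lines.append("GPIO%-2d -> %3d (0x%02X) %s" % (gpio, func, func, name))
    return lines


if __name__ == "__main__":
    print("\n".join(report(decode_gpio_functions(parse_devmem2(DEVMEM2_OUTPUT)))))
```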