Archive

Posts Tagged ‘hack’

Add a 2.5″ Hard Drive to Voyo VMac Mini mini PC with a $20 Custom SATA Cable

January 27th, 2017 4 comments

When I tore down Voyo VMac Mini mini PC, I noticed a 2.5″ mounting mechanism, and some weird 9-pin SATA connector, but since the hard drive would be so close to the components I assumed this specific case was not designed for a drive, but the board would be compatible. However, it’s now possible to purchase a $20 custom SATA cable from “Voyo Official Store” on Aliexpress to do just that. All you have to do is open the case, connect the cable to the motherboard and the hard drive, and mount the hard drive to the mechanism with four screws. I’m not sure whether you should also use some kind of insulation between the drive and motherboard, as it will be really close, but the company does not mention anything about that. Cooling might also be an issue even though there’s a fan in the mini PC.

It’s not difficult to do, but should probably be attempted by the most adventurous. I’d also expect the cable to become cheaper over time if this little hack becomes common among VMac mini owners, or maybe even offered for free with the mini PCs during promotions.

Thanks to Jake for the tip.

Xiaomi WiFi IP Cameras Hacked to Run RTSP Server, Disable Cloud Service

January 13th, 2017 12 comments

Xiaomi 720p and 1080p IP cameras include night vision, motion detection, WiFi connectivity, and can save videos locally, and send them to a cloud server in China for you to check your camera from anywhere. The 720p camera sells for about $50, while the 1080p camera goes for around $30 on GearBest and other websites, but comes with fewer IR LEDs and no optical zoom. [Update: The black version of the 720p camera goes for $29.99 on Amazon US]

Xiaomi-IP-Cameras

They work fine, but you need a specific mobile app to configure and control the camera, and if you’d rather not have the videos streamed to some server outside of your local network, github user “Fritz” has developed a set of scripts for the camera to disable the cloud service, and run a standard RTSP server, as well as HTTP and FTP servers on the camera.

He did his work on Yi Ants Camera (720p), but other members of the community have been helping, and some are currently working on supporting the cheaper 1080p model. The RTSP server is now working on the 1080p. However, everything is still a work in progress, and you may want to join the fun on github, but if you want an easy to use SD card image this will take a little longer. The camera and corresponding hack are also being discussed on HotUKDeals.com.

Thanks to Rob for the tip.

YokaTV KB2 Review – Amlogic S912 TV Box with 32 GB Flash

December 15th, 2016 14 comments

CNXSoft: This is another review by Karl about Amlogic S912 based YokaTV KB2 TV box.

Introduction

Today we will be looking at Videostrong YokaTV KB2. Below are the specs from Videostrong website.

yokatv-kb2-specifications

This is my first S912 device so I had high expectation. I have been using it for quite some time now with no major issues. I received approximately 6 OTA updates since I started testing and some welcome updates have come.

yokatv-kb2-package

yokatv-kb2-remote-control-power-supply


Build

When I receive a box first thing I do is take it apart and check out the inside. I was excited when I found out it had 32 gig of storage. It is not too common.

yokatv-kb2-bottom-case


Then when I opened the box I was really happy to see an antenna that wasn’t soldered on. Makes it easy to add a different one. +1 for KB2. Then I noticed the heat sink. It seemed a little small. I was right, it runs warm.


Simple Mod

First thing to do: get this baby running cooler. When stressing the box, the temperature got over 80+°C a couple times. It ran between 70 and 75 °C on average before the mod. The case is mostly plastic except the bottom cover. Bingo! A couple squares of 5mm thermal pads between the board and the bottom of the case and thermal issues are gone.

yokatv-kb2-thermal-hack

I started SetCPU and ran the built-in stress test, it tops out around 72 °C, and quickly cools after stopping the test. I put a square approximately where the CPU is and while I had it open, where the memory is although I don’t think it is necessary. After the mod, the box runs about 60 deg Celsius.

Antutu

For this test I use SetCPU to set the Min and Max frequency for the CPU to 1.5 GHz which is the max for this processor. It will give the best score.

yokatv-kb2-antutu

Network Test

I am not sure why my WiFi was slow on the tests below. I don’t have an AC access point yet. The best I have is N, maybe that is the cause. Some friends over on Freaktab are getting some really good speeds on AC with this box. I might have damaged something when I opened the box.

Below are the results but take them with a grain of salt. I do a simple file transfer test of a large movie with optimum conditions for WiFi then one in more real world scenario.  

5ghz 3ft from NAS to internal SD

kb2-5ghz-wifi-nas-to-flash

2.4ghz 3ft from NAS to internal SD

kb2-2-4ghz-wifi-nas-to-flash

Gigabit Ethernet from NAS to internal SD (This is as fast as my NAS can transfer)

kb2-gbe-nas-to-flash

Next is more real world where AP’s have more obstruction.

5ghz 30ft from NAS to internal SD

kb2-5ghz-wifi-nas-to-flash-30feet

2.4ghz 30ft from NAS to internal SD

kb2-2-4ghz-wifi-nas-to-flash-30feet

Some More Benchmarks and Info


Apps

I’ve used several apps and only Netflix and Direct Now had some issues:

  • Sling TV
  • Netflix (SD) – Stopped working after updating the app
  • Kodi
  • Chrome – Chrome works really well. I open a bunch of heavy URL’s and it performs excellent. Nothing scientific here. Go to several sites that I visit daily and I felt no lag.
  • Plex
  • Emby
  • HDHomeRun
  • Crackle
  • DirectTV Now – Worked with some hacking
  • Player-MediaCenter App – I will admit it has been a while since I tested out this app. It acts as a DLNA receiver and Airplay receiver. I didn’t have much luck in the past but I tested on my one Apple device the screen mirroring worked.

At some point Netflix stopped working. Keep getting few seconds of video then error 0013 “Sorry, we could not reach the Netflix service….” Not sure if it is Netflix update or box update that caused the issue. I went back and did some more testing to narrow the issue down. If I reverted back to the Netflix that came pre-installed I had no issue.

DirectTV Now is a new service in the US. With some persistence I was able to get it running. Video wasn’t perfect but neither was it on any devices I tested. It was surprising that it plays better on KB2 than Nvidia Shield. It is mostly watchable but stutters some. It is new so hopefully ATT will get this fixed soon. I had to do a couple things to get it working. After Googling and a lot of experimenting I used 2 apps from play store: Hide My Root and Fake GPS. I also had to make 2 build.prop changes: ro.build.type=userdebug to ro.build.type=user and ro.build.tags=test-keys to ro.build.tags=release-keys. I tried on a couple different boxes after figuring this out and seems to work universally.

Remote Control

The remote is big but there is a built in app that is pretty convenient. There are 4 color coded buttons on the remote that you can customize to launch the apps that you want through an app on the box. There is also a dedicated app button that brings up a listing of all the apps. Everything else is pretty standard. You can also program the remote to turn your TV on and off through a learning feature. But alas I still prefer either an air mouse or touchpad with full keyboard.

yokatv-kb2-remote-control-configuration

Status Bar

Thank the gods…there is an option to turn the navigation buttons at the bottom of the screen off and on in Android settings…It is about a 50/50 split for people that like them and those that don’t. This was the first box that I have tested that gives the user an option.


Audio Passthrough

All the below tests worked. I set Android to SPDIF. I tested with latest SPMC 16.4.2 and Kodi 16.1. Turned on pass-through DTS and AC3 and all the videos below worked with no clipping. I have a 5.1 system. If I didn’t have the AC3 ticked I would get no audio on some. First box with 100% working that I have tested on stock firmware.

yokatv-kb2-kodi-audio-pass-through-settings audio-file-list-dts-dolby-truehd

4K Video

4k testing went well. I was able to play all videos smoothly with one player or another that it was supposed to play. Below are the test results. This box does not play 4k H.264 video @ 60fps per sec, so stutter is expected. Kodi and derivatives play best with amcodec turned off. The box ships with Kodi 17 beta but since it is beta, it is not very stable. I uninstalled it, and tested with Kodi 16.1 from the Play Store instead. I am not sure why 4k 8bit H.265 works better with amcodec turned on. I found the same results on S905x boxes. For the testing, I wanted to find the best overall solution and that is Kodi with amcodec turned off.

Test File Name With Amcodec Without Amcodec MX Player
23.976fps (in MP4) GoPro Epic Russian Wingsuit in 4K good
24fps (in MP4) SPRING 4K (ULTRA HD) good
25fps (in MP4) Burj Khalifa Pinnacle BASE Jump – 4K good
29.970fps, 51Mbps (hdmkv’s iPhone 6S 4K clip) iphone6s_4k good
59.940fps (in MKV) samsung_seven_wonders_of_the_world_china_uhd-DWEU wont play stutter stutter
60fps (in MP4) COSTA RICA IN 4K 60fps (ULTRA HD) w Freefly Movi wont play good
H264, up to 30fps Sony_Alpha_7R_II_video-test-4K good
H264, 50-60fps linkin_park_ultra-hd wont play stutter stutter
H265 8bit, up to 30fps LG_4K_View-the-Feeling good stutter good
H265 10bit, up to 30fps Samsung_UHD_Dubai good
H265 10bit, 50-60fps Samsung_UHD_7Wonders_of_the_World_Italy good
UltraHD HDR 10bit HEVC, 24fps Exodus_UHD_HDR_Exodus_draft good
VP9 The Curvature of Earth 4K 60FPS good not as good best

Alternate Firmware

Super Celeron has put together a nice modification of the latest stock firmware from 11/23. He cleaned up the firmware and made some adjustments to boot to bring idle down to about 1% and got auto frame rate switch working. See full changelog.

So to get 100% working pass-through and auto frame rate switching after installing the firmware above, as well as SPMC version 16.5.2. Codec acceleration is a little muddy at times. 4K files work best with amcodec off, and anything less work best with amcodec on. Below are my settings.

yokatv-kb2-custom-firmware-automatic-frame-rate-switching yokatv-kb2-custom-firmware-audio-pass-through yokatv-kb2-custom-firmware-video-codecs

Conclusion

I had this box for a while now and used it as my main box and it has performed really well. Consistent updates from Videostrong is much needed in the box world. I hope it continues. Gigabit Ethernet performed really well. Pass-through working 100% is fantastic and will make a lot of people happy. Video support in Kodi is really good. VP9 support is not 100% but MX player gives everyone an option if they have movies in that format.

I would like to thank Videostrong for sending a review sample. YokaTV KB2 can be purchased on Gearbest, Geekbuying, and Aliexpress for about $68.

VGA Output Hack on $2 PADI IoT Stamp & Other Realtek RTL8710AF Modules

December 10th, 2016 3 comments

It’s pretty amazing what you can do with those cheap WiFi modules coming from Espressif and Realtek. You may remember CNLohr getting ESP8266 to broadcast video to your TV through NTSC, and that was impressive. But developer kissste, who has been very active since the announcement of a $2 Realtek RTL8710 module, has now developed a VGA driver demo for Realtek Ameba WiFi SoCs, and successfully tested it on Pine64 PADI IoT Stamp.


Just like on ESP8266, there’s no hardware display block on RTL8710AF, RTL8711AF, and RTL8195AF SoCs, so instead he had to connect the signals to GPIOs with the video signal connected to GA1 via a resistor, H-Sync to GC2, and V-Sync to GA5. Video and H-Sync data is actually transferred over an SPI connection using DMA transfer for better performance. Normally the video signal for VGA is divided into red, green, and blue signal, so I understand he mixed all three into a single signal to output black or white on the display, and color is not possible at least not using 800×600 @ up to 63 Hz as possible in black & white.

Currently, the code just outputs some pre-defined characters once the board receives the ATVG AT command, but you could modify the code – released on Github – to do whatever fancy stuff you want.

Categories: Hardware, Realtek RTD Tags: hack, IoT, pine64, rtl8710, vga, wifi

How to Play Netflix HD on any Android Device with Widevine Level 1 DRM

November 28th, 2016 29 comments

A while ago I wrote an article entitled “Why Doesn’t your Android TV Box Play Full HD or 4K Videos in Netflix?” basically explaining that most TV boxes running Android could only play SD quality, because HD and higher quality requires both Widevine Level 1 DRM, and Netflix certification, and the second part is the most difficult since Netflix needs to spend time testing a given product, and may not agree to do so for smaller manufacturers. The end result is that only a small subset of devices can play Netflix HD.

netflix-hd-tablet

Samsung Tab S2 is one of the devices with Widevine Level 1, but is not certified by Netflix, and by default can only play SD quality. But XDA Forum user chenxiaolong apparently found a workaround and as the photo above shows is now able to reach HD resolutions (e.g. 1920×1080) with Netflix using his tablet. After analyzing packets between the server and his two Samsung tablets, he noticed that he could set “enableWidevineL1” from the JSON response to true, and provided a method showing how to change the app without uploading a modded apk. But others followed his instructions and released a modified Netflix HD apk.

Although it might or might not breach Netflix TOS, please note that this has nothing to do with piracy at all, nor does it skip DRM, as it still requires both a Netflix HD subscription and a device supporting Widevine Level 1 DRM. Sadly that also means the trick will still not work on most cheap Android TV boxes that are limited to Level 3 security. It’s also quite possible Netflix eventually notices and changes the code to prevent this little hack. You can check Widevine DRM support with DRM Info app.

Thanks to Theguyuk for the tip.

Categories: Android Tags: Android, hack, netflix, tablet, TV box

Nintendo NES Classic is Powered by Allwinner R16 SoC, Likely Hackable

November 8th, 2016 34 comments

Nintendo NES Classic Edition is a small replica of Nintendo NES, both adapted to modern times with an HDMI output, and keeping with nostalgia thanks to connectors for original game controllers, and pre-loaded with 30 classic games.

Nintendo_NES_Classic

If you planned to add your own games however, the lack of USB ports, micro SD card slot, or any other storage or network interface could make it impossible. But based on a recent photo tweeted by Peter Brown, senior review editor at GameSpot, there may be light at the end of the tunnel, as while the main storage device (4Gbit NAND flash) is soldered to the board, the main board is powered by Allwinner R16 quad core Cortex A7 processor with a Mali-400MP2, and it’s quite likely UART / serial console and/or FEL interfaces are exposed on the board, making it possible to hack the device and potentially load your own games.


The other side of the board would really help finding out whether the UART pins are indeed available where I marked them [Update: Correct. NES Classic Hacked, see comments section]. If so, it would still be quite inconvenient to hack the board, as you’d need to connect a USB to serial debug board (normally a couple of dollars) in order to access the terminal, and either copy/paste code, or transfer data to the board. If some of the other connectors are carrying USB signal, it might also be possible to do some hardware hacking to add USB ports.

Software-wise, some references for Allwinner R16 Parrot board can be found in mainline Linux. Allwinner also released Linux based Tina OS for the processor on Github a few weeks ago.

Thanks to Zoobab for the tip.

Hacking ARM TrustZone / Secure Boot on Amlogic S905 SoC

October 6th, 2016 4 comments

Amlogic S905 processor used in many Android TV boxes and ODROID-C2 development board implements ARM TrustZone security extensions to run a Trusted Execution Environment (TEE) used for DRM & other security features.

amlogic-s905-security

He explains the steps they went through and how they managed to exploit a vulnerability to bypass secure boot in a detailed technical blog post.

They first started by looking for info in Amlogic S905 datasheet, but most info about TrustZone had been removed from the public version. So not that much help here except a potential address for the BootROM (ROMBOOT_START 0xD9040000). The next step was to connect the UART pins in order to access the serial console, but he could not read the BootROM from there most probably because you can’t access secure code from non-secure memory.

However, a closer look at the boot log led them to find the bootloaders were based on the ARM Trusted Firmware (ATF) reference implementation, which includes BL1x (BootROM in SoC), BL2, and BL3x bootloaders as shown in the diagram below.

arm-trusted-firmware-architecture

At this point everything becomes much more technical, as he explains various attempts using U-Boot bootloader, SMC (Secure Monitor Call) interface, and bypassing the Secure Boot chain. The first attempt was a non-starter, the second could have been exploitable but might have required some expert skills and time, but the third one was successful after an analysis of the mechanism used by BL2 to parse and authenticate the BL31 image, and finding out the cryptographic code came from OSS PolarSSL/mbed TLS project.

Further reverse-engineering of the “authentication” header revealed that BL2 only uses a SHA-256 hash to verify the integrity of the firmware, and that there’s no actual authentication. To confirm their findings, they customized a BL31 firmware, updated the SHA-256 hash (using aml-bootloader-tool script), and it would boot, and eventually they managed to dump the BootROM from Amlogic S905 SoC.

That’s the conclusion:

The S905 SoC provides hardware features to support Secure Boot, however OEMs can still choose to enable it or not. But even when Secure Boot is enforced, a flaw in the current version of Amlogic’s BL2 allows to bypass it. So Trusted Execution Environment cannot be trusted. The good news is BL2 can be patched, unlike BootROM.
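Why a hash stored alongside the image is an integrity check and not authentication, as an added example that is not code from the original post or from Amlogic. The header layout, function names and key are constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signature a real secure boot chain would verify against a key anchored in hardware.

```python
import hashlib
import hmac
import struct

# Constructed image layout for illustration (NOT Amlogic's real BL31 header):
#   magic (4) | payload length (uint32 LE) | SHA-256(payload) | [tag] | payload
MAGIC = b"IMG0"
HDR = struct.Struct("<4sI32s")
TAG_LEN = 32  # HMAC-SHA256 tag, standing in for a real signature


def pack_image(payload, key=None):
    """Build an image; with a key, also add a tag over header + payload."""
    hdr = HDR.pack(MAGIC, len(payload), hashlib.sha256(payload).digest())
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest() if key else b""
    return hdr + tag + payload


def _split(image, tag_len):
    """Return (header bytes, stored digest, tag, payload) or raise ValueError."""
    if len(image) < HDR.size + tag_len:
        raise ValueError("truncated image")
    magic, length, digest = HDR.unpack_from(image)
    tag = image[HDR.size:HDR.size + tag_len]
    payload = image[HDR.size + tag_len:]
    if magic != MAGIC or length != len(payload):
        raise ValueError("malformed header")
    return image[:HDR.size], digest, tag, payload


def verify_hash_only(image):
    """Integrity only: the reference hash travels inside the image itself."""
    try:
        _, digest, _, payload = _split(image, 0)
    except ValueError:
        return False
    return hmac.compare_digest(hashlib.sha256(payload).digest(), digest)


def verify_authenticated(image, key):
    """The tag must match a secret the image's author had and others lack."""
    try:
        hdr, digest, tag, payload = _split(image, TAG_LEN)
    except ValueError:
        return False
    expected = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return (hmac.compare_digest(tag, expected)
            and hmac.compare_digest(hashlib.sha256(payload).digest(), digest))


def rehash_without_key(image, new_payload, tag_len):
    """What anyone without the key can do: swap payload, refresh the hash."""
    _, _, tag, _ = _split(image, tag_len)
    hdr = HDR.pack(MAGIC, len(new_payload),
                   hashlib.sha256(new_payload).digest())
    return hdr + tag + new_payload


if __name__ == "__main__":
    key = b"constructed-demo-key"
    plain = pack_image(b"original BL31 stand-in")
    signed = pack_image(b"original BL31 stand-in", key)
    print("hash-only accepts modified image:",
          verify_hash_only(rehash_without_key(plain, b"modified", 0)))
    print("authenticated accepts modified image:",
          verify_authenticated(
              rehash_without_key(signed, b"modified", TAG_LEN), key))
```

The hash-only verifier accepts the modified image because the value it compares against is under the control of whoever supplies the image; the keyed check fails because the tag cannot be recomputed without the secret.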

Routers, IP Cameras/Phones & IoT Devices can be Security Risks even with the Latest Firmware, and a Strong Admin Password

October 6th, 2016 43 comments

I’ve just read an interesting article entitled “who makes the IoT things under attack“, explaining that devices connected to the Internet such as routers, IP cameras, IP Phones, etc. may be used by botnets to launch DDoS attacks, and they do so using the default username and password. So you may think once you’ve updated the firmware when available, and changed the default admin/admin in the user interface, you’d be relatively safe. You’d be wrong, because the malware mentioned in the article, Mirai, uses Telnet or SSH trying a bunch of default usernames and passwords.

That made me curious, so I scanned the ports on my TP-Link wireless router and ZTE ZXHN F600W fiber-to-the-home GPON modem pictured below, and installed by my Internet provider, the biggest in the country where I live, so there may be hundreds of thousands or millions of such modems in the country with the same default settings.

zte-zxhn-f600w

I’ve started by scanning the TP-Link router in the local network:

UPnP and the web interface ports are open, plus an extra port likely opened by UPnP, which looked fine.

Now I did the same on the ZTE modem in the local network first:

The telnet port is open, that’s not good… It would be much worse if it was also open with the public IP:

Oh boy…. That’s not good at all. Can I access it from the outside?

No, because I don’t know the password. That is until I do a quick web search and find this video telling me to use root and Zte521 to login to ZTE modem. Bingo!

That’s huge as it means millions of modem routers can be accessed (likely) around the world with minimal knowledge, I would not even consider this a hack…. Telnet is also kind enough to return the modem model number (F600W), so any script would be able to detect that and try the default username / password. This little trick should also work on other ZTE modems/routers, and since the HTTP server is also running by default, you don’t even need to check the model number as the server field indicates it’s a ZTE device…

I don’t know if the Internet provider uses telnet for any purpose, but it could be a good idea to at least change the password or completely disable the service. However the rootfs is in read-only mode:

Normally, this is no problem as you can remount the root partition in read/write mode:

But it’s not working in this case… I’m not there must be a way to remount the system to change the password, or edit the configuration to disable telnet, but I have not found a solution yet. Those are the command at our disposal:

busybox
BusyBox v1.01 (2015.01.15-08:36+0000) multi-call binary

Currently defined functions:
[, ash, awk, brctl, busybox, cat, chmod, chrt, cmp, cp, cut, date,
df, diagput, echo, egrep, free, fuser, getty, grep, hexdump, hostname,
ifconfig, init, insmod, kill, killall, linuxrc, ln, login, ls,
lsmod, mkdir, mknod, mount, mv, passwd, ping, ping6, ps, pwd,
reboot, rm, rmdir, rmmod, sed, sh, sleep, sync, taskset, test,
tftp, top, traceroute, umount, wget

A temporary solution is to kill telnet:

But obviously telnet will run again, at next boot time…

Anyway, it would be good if the service providers could make sure to change the default password before installing them on the customer premises, and hopefully, they’ll be able to change the password, or disable them remotely in due time…
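The LAN-versus-public-IP comparison done by hand above can be turned into a repeatable check on your own equipment. This is an added example, not part of the original post: it parses nmap grepable output (`-oG`) and flags Telnet or SSH, the services the post says Mirai uses, as a warning on the LAN side and as critical on the public side. The two scan results are constructed samples using private and documentation addresses.

```python
# Constructed nmap grepable (-oG) samples; not the author's real scan output.
LAN_SCAN = """\
# Nmap scan (constructed sample)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)
"""
WAN_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
"""

# Remote-login services tried with default credentials, per the post.
MGMT_PORTS = {22: "ssh", 23: "telnet"}


def parse_open_ports(grepable):
    """Return {host: [(port, proto, service), ...]} for ports in state 'open'."""
    hosts = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # e.g. the "Status: Up" line carries no port list
        for entry in ports_field[len("Ports:"):].split(","):
            # Entry format: port/state/protocol/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) >= 5 and parts[1] == "open":
                hosts.setdefault(host, []).append(
                    (int(parts[0]), parts[2], parts[4]))
    return hosts


def audit(lan_scan, wan_scan):
    """Flag remote-login services; exposure on the public side is critical."""
    findings = []
    for side, scan in (("LAN", lan_scan), ("WAN", wan_scan)):
        for host, ports in parse_open_ports(scan).items():
            for port, proto, service in ports:
                if proto == "tcp" and (port in MGMT_PORTS
                                       or service in MGMT_PORTS.values()):
                    severity = "critical" if side == "WAN" else "warning"
                    findings.append((severity, side, host, port, service))
    return sorted(findings)


if __name__ == "__main__":
    for severity, side, host, port, service in audit(LAN_SCAN, WAN_SCAN):
        print(f"[{severity}] {service} ({port}/tcp) open on {side} side: {host}")
```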