Archive

Posts Tagged ‘hack’

AMLogic S802 TV Boxes Board Pictures

March 6th, 2014 11 comments

AMLogic S802 Android TV Boxes are currently available for pre-order, and are expected to ship by the end of the month. Last time I wrote about Tronsmart Vega S89 and Eny ES8 featuring the latest quad core SoC from AMLogic. Geekbuying currently has test samples for both Vega S89 and M8 (similar to ES8), has opened them, and taken some pictures of the boards. The good news, if you want to tinker, is that both of them appear to give relatively easy access to the UART port.

Tronsmart Vega S89 Board

There are two models: Vega S89 and Vega S89 Elite. The former is the high-end version with dual band Wi-Fi (2.4/5.0GHz) and 16 GB flash, and the latter only supports 2.4 GHz Wi-Fi and comes with 8GB flash. Price: $120 and $105.

Vega S89 Board

The serial port appears to be on the left side of the board (TBC), just above the two USB ports. You’d need to solder small cables to add a USB to TTL board, but with the through holes it should be easy. On the bottom right, we have the Wi-Fi module which happens to be AP6330 (Vega S89 only) like in many previous devices. I could not see any sort of cooling in the pictures published by GeekBuying.

M8 Board

The device comes with 8GB flash, 2GB RAM, and a dual band Wi-Fi module. Price: $103.79. ES8 is also available for $99, but pictures are not available.

Top of M8 Board

Bottom of M8 Board

On the top picture, we’ll find a 4-pin connector (soldered) which according to the marking on the back of the board is definitely the serial console port with GND, 3.3V, Tx and Rx. Contrary to Vega S89, there’s a heatsink, so the device is less likely to overheat. The same AP6330 Wi-Fi module is used in this board. The silkscreen shows M9_V0.91, although the board is sold as M8. In this sample at least, the company has decided not to solder the IR sensor.

If you are interested in getting one, Geekbuying pre-sells four models based on S802 SoC. You can also find sellers on Aliexpress with prices starting just below $100.


Categories: Android, Hardware Tags: amlogic, hack, media player

How to Install XBMC on D-Link Boxee Box

January 28th, 2014 4 comments
D-Link Boxee

D-Link Boxee Box is a Linux based media player powered by Intel Atom CE4100 processor that became available in 2010, and features a dual sided RF remote / QWERTY keyboard that probably inspired many of the air mice that are available today.

The box features many of the ports and connectors that are available on most Android STB today, namely an HDMI port, an optical S/PDIF out, a stereo analog audio out, Ethernet and 802.11n Wi-Fi, two USB ports, and an SD card slot. Many people however got disappointed with the firmware at launch time, and even if subsequent firmware updates have improved the user experience, some people have considered it was worth the effort to port XBMC to the device.

Myles McNamara wrote the instructions to install XBMC on D-Link Boxee Box. I’ll summarize the steps below, and it appears to be relatively easy.

  1. Installing Boxee+Hacks to gain root access
    The first thing you’ll have to do is to gain root access by following these steps:

    1. Download install.zip (Boxee+Hacks) from http://boxeed.in/
    2. Format a USB flash drive or SD card to FAT32 using the label BOXEE (case sensitive)
    3. Copy the files from the zip file to the USB drive or SD card.
    4. Plug it into the device, and boot Boxee Box
    5. Go into ‘Settings’ -> ‘Network’ -> ‘Servers’ to enable ‘Windows File Sharing’
    6. Add ‘;sh /media/BOXEE/install.sh’ to your ‘Host Name’. Make sure it looks like ‘boxeebox;sh /media/BOXEE/install.sh’ after you’re done.
    7. Reboot the device to start the install process.
    8. Once it’s complete, you’ll have a device with root access.
  2. Installing XBMC on Boxee Box
    There are two ways to install XBMC on D-Link media player: building XBMC from source using code and instructions available on https://github.com/quarnster/boxeebox-xbmc, or, much simpler, downloading the latest version from devil-strike.com, which as of today is xbmc13.alpha12.boxeebox2014.01.18.early_alpha2_92146e8.zip. You’ll notice this is an alpha version, and this XBMC port to Boxee Box is new, so although the system will run, you can’t expect everything to magically work out of the box.

    Once you’ve downloaded the zip file, extract the files to the root of a storage device (USB flash drive or SD card) making sure xbmc.bin is in the root folder, insert the storage device in Boxee Box, power the device, and it should automatically boot into XBMC. If you remove the storage device, it will just boot Boxee+Hacks you’ve installed previously.
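Step 6 of the root procedure works because the ‘Host Name’ setting ends up in a command line where ‘;’ starts a second command. The Python sketch below is an added example, not code from the original post or from the Boxee firmware: `unsafe_command` is a hypothetical stand-in for how such a setting might be pasted into a shell command (the page does not show the firmware's code), and the `hostname` command name is an assumption. It shows what a shell makes of the step 6 value and the allow-list check that would have rejected it.

```python
import re
import shlex

# One RFC 1123 label: letters, digits, hyphens, 1-63 chars, no hyphen at either end.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_valid_hostname(name: str) -> bool:
    """Allow-list check; fullmatch() also rejects a trailing newline that '$' allows."""
    if not name or len(name) > 253:
        return False
    return all(LABEL.fullmatch(label) for label in name.split("."))

def unsafe_command(host_name: str) -> str:
    """Hypothetical vulnerable pattern: the setting is pasted into a shell command line."""
    return "hostname " + host_name  # 'hostname' is an assumed command name

def commands_seen_by_shell(cmdline: str):
    """Tokenize like a POSIX shell and split on ';' to list the commands that would run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [c for c in commands if c]

def safe_argv(host_name: str):
    """Hardened form: validate first, then return an argv list to run without a shell."""
    if not is_valid_hostname(host_name):
        raise ValueError("rejected host name: %r" % host_name)
    return ["hostname", host_name]

if __name__ == "__main__":
    setting = "boxeebox;sh /media/BOXEE/install.sh"  # the value from step 6
    print(commands_seen_by_shell(unsafe_command(setting)))
    print(is_valid_hostname(setting), is_valid_hostname("boxeebox"))
```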


Google Chromecast Gets a Custom ROM: PwnedCast

December 3rd, 2013 3 comments

If you’ve got a ChromeCast, and are disappointed by its limited features, XDA member ddggttff3 has released a custom ROM for the device based on the 13300 stock image. It is rooted, has its own OTA system, and features a dedicated recovery and a custom kernel in order to enhance the user experience.

Main features:

  1. Root SSH/Telnet Access
  2. Uses DHCP DNS Servers
  3. Google OTA’s Disabled
  4. Custom Boot Image
  5. PwnedCast OTA Update Engine!
  6. PwnedCast Recovery Image, based on FlashCast V1.1.1
  7. KyoCast Built In!

Currently the most interesting feature is the addition of KyoCast which provides access to services like AOL, HBO, Post, Rev3, and Songza. But more work and features are certainly on the way.

If you want to give it a try, download the image, and flash it as follows:

  1. Set up and install FlashCast V1.1.1 on a USB Drive in Windows or Linux. Don’t use another FlashCast version, or it may fail.
  2. Rename the 13300.010.zip to eureka_image.zip, and place it in the root folder on the USB Drive.
  3. Plug the USB drive into the ChromeCast, hold the button, and plug in power to boot the device. Release the button.
  4. Flashing will take about 6 minutes, and the device will reboot automatically.
  5. Done

Further information, including methods to disable OTA, and link to source code, is available on XDA Developers Forum.


Binwalk Utility Helps You Analyze and Reverse-Engineer Firmware Files

November 18th, 2013 3 comments

Binwalk is a “firmware analysis tool designed for analyzing, reverse engineering and extracting data contained in firmware images”. The tool is written in Python, supports Linux and, to some extent, Mac OS X, scans firmware files for file signatures, and can be useful for hacking firmware files and finding hidden information.

Partial output from a scan of a firmware image for file signatures

Let’s install binwalk first. It’s very easy on a Debian or Ubuntu machine, as you just have to download the package, and run a script for installation:

wget https://binwalk.googlecode.com/files/binwalk-1.2.2-1.tar.gz
tar xzvf binwalk-1.2.2-1.tar.gz
cd binwalk-1.2.2-1/src
sudo ./debian_quick_install.sh

If you use another Linux distribution, it’s just a little more complicated. You still need to download and extract the release package as above, but you’ll have to install the following packages depending on the features you need:

  • Minimal installation – python 2.6 or greater, and python-magic
  • To generate entropy plot graphs – python-matplotlib
  • For automated extraction:
    • Packages – mtd-utils zlib1g-dev liblzma-dev gzip bzip2 tar unrar arj p7zip p7zip-full openjdk-6-jdk
    • Build and install firmware-mod-kit

Once this is done, run sudo python ./setup.py install in the src directory to complete the installation.

You can also check out the latest source code from github:

git clone https://github.com/devttys0/binwalk.git

Once we’ve got binwalk installed, let’s test with the firmware for SJ1000 camera.

Just running binwalk with the firmware file as argument will scan the file for known data representations.

binwalk FW96650A.bin 

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
2158492       0x20EF9C      JPEG image data, JFIF standard  1.02

Right, did not find much apart from a JPEG file. I tried to extract it with binwalk -e FW96650A.bin, but it just created an empty directory (_FW96650A.bin.extracted). However, I’ve tried the scan with an Android firmware (MK908 mini PC), and the scan output is extremely verbose, it will find the Linux kernel strings, and apparently list all files. There may be options to better analyze this type of firmware, as there are many, many options, and it may take a while to be familiar with the tool.

Let’s carry on with one of the other options: ASCII string scan. In theory, the same can be achieved with the strings utility, but binwalk will also provide the offset for each string in the file. In the command below, -S is for string scan, and -s5 sets the minimum string size to 5 characters.

binwalk -S -s5 FW96650A.bin

DECIMAL         HEX             Strings
-------------------------------------------------------------------------------------------------------------------
80              0x50            NT96650 1000000020100701
192             0xC0            DRAMINFO
256             0x100           STRGINFO
116470          0x1C6F6         B0%HI
125959          0x1EC07         '^G   Section-%.2ld: Range[0x%08X~0x%08X] Size=0x%08X (LOAD)
126024          0x1EC48         ^R*** StackOverflow task[%d][%s] stk start[0x%08x] size[0x%08x]
126092          0x1EC8C         ^R*** Math error: type=%d name="%s" arg1=%f arg2=%f retval=%f err=%d
126164          0x1ECD4         ^R*** CPU Exception! cause=0x%08x, by [%s:0x%08x] [%c]

Let’s plot an entropy chart. To be honest I’m not 100% sure how to exploit this feature, but I understand that it will help locate where useful data may be, as well as areas filled with 0xFF or 0x00 with no useful information.

Binwalk has lots of other features, and you can do things such as scanning a firmware image for executable opcodes, diffing multiple firmware headers, using a custom signature, and so on.
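To make the string scan and the entropy chart concrete, here is an added Python example (not part of the original post and not binwalk's own code) that computes per-block Shannon entropy and uses it to discard string hits that fall inside compressed-looking regions. The image is constructed inline, reusing a few strings from the scan output above; the block size, the thresholds and all function names are assumptions.

```python
import hashlib
import math
import re

BLOCK = 1024  # bytes per entropy sample (assumed; tune to the image size)

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for constant fill, approaching 8.0 for random data."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return abs(sum(c / n * math.log2(c / n) for c in counts if c))

def classify(h: float) -> str:
    """Rough labels; the 0.1 and 7.0 thresholds are illustrative assumptions."""
    if h < 0.1:
        return "fill"    # runs of 0x00 or 0xFF
    if h > 7.0:
        return "packed"  # compressed or encrypted data
    return "plain"       # code, tables, readable strings

def entropy_map(data: bytes, block: int = BLOCK):
    """Return [(offset, entropy, label)] for each block of the image."""
    result = []
    for off in range(0, len(data), block):
        h = shannon_entropy(data[off:off + block])
        result.append((off, round(h, 2), classify(h)))
    return result

def string_scan(data: bytes, min_len: int = 5):
    """Printable ASCII runs of at least min_len bytes, with their offsets."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

def useful_strings(data: bytes, block: int = BLOCK):
    """Drop hits that start in 'packed' blocks, where they are chance matches."""
    labels = {off: label for off, _, label in entropy_map(data, block)}
    return [(off, s) for off, s in string_scan(data)
            if labels[off - off % block] != "packed"]

def build_sample() -> bytes:
    """Constructed 4 KiB image: header, format strings, random-like blob, fill."""
    header = bytearray(BLOCK)
    for off, s in ((0x50, b"NT96650 1000000020100701"),
                   (0xC0, b"DRAMINFO"), (0x100, b"STRGINFO")):
        header[off:off + len(s)] = s
    text = (b"*** CPU Exception! cause=0x%08x, by [%s:0x%08x] [%c]\x00" * 20)[:BLOCK]
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(BLOCK // 32))
    return bytes(header) + text + blob + b"\xff" * BLOCK

if __name__ == "__main__":
    image = build_sample()
    for off, h, label in entropy_map(image):
        print(f"0x{off:06X}  {h:4.2f}  {label}")
    for off, s in useful_strings(image)[:4]:
        print(f"{off:<10} 0x{off:<10X} {s}")
```

On a real image, long "packed" stretches are where a compressed file system or kernel is likely to sit, and "fill" stretches can be skipped.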


Categories: Linux, Testing Tags: Linux, binwalk, firmware, hack, tools

$27 TP-LINK TL-MR10U is a Hackable OpenWRT Wi-Fi Router with a Power Bank

September 29th, 2013 3 comments

TP-Link WR703N is a cheap 802.11 b/g/n router (you can now get it for about $20) that can easily be hacked to run openWRT and, for example, act as a home automation gateway, printer server and more. But if you need a battery powered router for your application, TP-Link TL-MR10U, based on similar hardware as TL-WR703N, should be a better match as it comes with a 2600 mAh battery, and costs just about $27 on DealExtreme.

Here are the specifications of the device:

  • CPU – Atheros AR9331 CPU @ 400 MHz
  • System Memory – 32MB RAM
  • Storage – 4 MB Flash
  • Connectivity:
    • 10/100 Mbit Ethernet port
    • 802.11 b/g/n 150Mbps
    • 3G support via external USB dongle
  • USB – USB 2.0 port + micro-USB port for power
  • Misc – Serial port access
  • Dimensions – 91mm x 43mm x 25.85mm(L x W x H)

The device comes with a microUSB cable and a user’s manual in English and Chinese.

TL-MR10U Internals

Instructions to install openWRT, perform hardware mods (including upgrading to 64MB RAM), and more are available on the OpenWRT MR10U page. You can also visit the TP-Link TL-MR10U page for further details about the product in Chinese.

If you need more battery capacity, another model called TL-MR12U comes with twice as much battery capacity (5200 mAh), but at $42 it does not seem as attractive price-wise.

Arnd, who shared this product in the G+ mini PC community, also mentioned that it could be used as a SqueezeBox slave when combined with a USB speaker, and after installing squeezeslave-alsa_1.2-r365AA_ar71xx.ipk.


Categories: Hardware, Linux Tags: Linux, hack, mips, openwrt, router, tplink, wifi

Developers Are Working on Chromecast Functionality From Any Android Apps via Any Android Devices

August 10th, 2013 2 comments

Unless you’ve just come back from (too long) holidays, you should know Google has released the Chromecast, a $35 HDMI TV Stick that uses a protocol called DIAL to let users stream online videos on the TV via a mobile device or mirror the Chrome browser on the TV. However, there are currently quite a few limitations. It can only be used with apps specifically designed for Chromecast (e.g. YouTube, Netflix,…), and Chromecast is the only available receiver, and can only be purchased in the US. Luckily these may not be an issue soon…

Koushik Dutta (Koush) has taken care of the first issue by modifying Cyanogenmod to allow any video or audio app to stream the media files via the TV, using Android notifications.

Perfect. Moving to the second issue. If you don’t live in the US, you’re still stuck, and if you do live in the US, and already have too many Android devices lying around, you may not want to spend $35 on another device. This is all good, because Sebastian Mauer is working on CheapCast, a ChromeCast Emulator that enables Android devices to act as a target for ChromeCast apps. So if you’ve already got an Android tablet, smartphone, or mini PC, you may already have a Chromecast capable receiver.

Things related to Google Chromecast API need approval before they can be released in the open. But if those two can get the green light that means you could get Chromecast functionality from any media Apps via any Android devices. It also remains to be seen if there are specific limitations to these two implementations.

Thanks to CSilie and Onebir.


Hacking MK908 mini PC for Serial Console Access

July 10th, 2013 3 comments

Thanks to Omegamoon (and his brother), we already have instructions to connect the UART pins on MK808 in order to access the serial console. He’s done it again with MK908 mini PC featuring Rockchip RK3188.

Tx and Rx pads are located on the RAM chips side, and he has connected the green wire to Tx (Going to Rx on TTL debug board), and a yellow wire to Rx (Tx on debug TTL board).

A ground pad is available on the other side of the board.

Since I got a sample for review from Geekbuying, I decided to give it a try myself. The pads are quite small, so this may require patience, but it’s perfectly feasible. I wanted to keep the device closed, so I passed the wires through the ventilation holes (enlarging them a bit with a precision screwdriver), put back the main heatsink on RK3188, and reassembled the enclosure. I did not include the thin heatsink on the other side of the board. Finally, I inserted a 3-pin right angle header in the casing, soldered the wires, and connected a USB to TTL debug board.

The final check is to make sure the connection works, using minicom configured on /dev/ttyUSB0 with 115200 8N1:

BUILD=====4                                                                     
GetRemapTbl flag = 0                                                            
OK! 53209                                                                       
unsigned!                                                                       
SecureBootEn = 0                                                                
Boot ver: 2013-02-01#1.02                                                       
start_linux=====64906                                                           
 1609103 Starting kernel...@0x60408000                                          

[    0.000000] Initializing cgroup subsys cpu                                   
[    0.000000] Linux version 3.0.36+ (ouyang_V_101j1) (gcc version 4.4.3 (GCC) 3
[    0.000000] CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=10c5387d  
[    0.000000] CPU: VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine: RK30board                                               
[    0.000000] memory reserve: Memory(base:0x91800000 size:80M) reserved for 
[    0.000000] memory reserve: Memory(base:0x90d00000 size:11M) reserved for 
[    0.000000] memory reserve: Memory(base:0x90700000 size:6M) reserved for 
[    0.000000] memory reserve: Total reserved 97M                               
[    0.000000] Memory policy: ECC disabled, Data cache writeback                
[    0.000000] bootconsole [earlycon0] enabled                                  
[    0.000000] CPU SRAM: copied sram code from c0c17000 to fef00100 - fef01f10  
[    0.000000] CPU SRAM: copied sram data from c0c18e10 to fef01f10 - fef02640  
[    0.000000] sram_log:     $1     f     -  .    jZiYhX            @           
[    0.000000] L310 cache controller enabled                                    
[    0.000000] l2x0: 16 ways, CACHE_ID 0x4100c0c8, AUX_CTRL 0x76050001, Cache sB
[    0.000000] DDR DEBUG: version 1.00 20130130                                 
[    0.000000] DDR DEBUG: DDR3 Device                                           
[    0.000000] DDR DEBUG: Bus Width=32 Col=10 Bank=8 Row=16 CS=1 Total CapabiliB
[    0.000000] DDR DEBUG: init success!!! freq=396MHz                           
[    0.000000] DDR DEBUG: DTONE=0x1, DTERR=0x0, DTIERR=0x0, DTPASS=0x4, DGSL=1 0
[    0.000000] DDR DEBUG: DTONE=0x1, DTERR=0x0, DTIERR=0x0, DTPASS=0x4, DGSL=1 0
[    0.000000] DDR DEBUG: DTONE=0x1, DTERR=0x0, DTIERR=0x0, DTPASS=0x4, DGSL=1 0
[    0.000000] DDR DEBUG: DTONE=0x1, DTERR=0x0, DTIERR=0x0, DTPASS=0x4, DGSL=1 0
[    0.000000] DDR DEBUG: ZERR=0, ZDONE=0, ZPD=0x0, ZPU=0x0, OPD=0x0, OPU=0x0   
[    0.000000] DDR DEBUG: DRV Pull-Up=0xb, DRV Pull-Dwn=0xb                     
[    0.000000] DDR DEBUG: ODT Pull-Up=0x2, ODT Pull-Dwn=0x2
....        

Good! I can also type in the console, so both Tx and Rx are working fine. I love when everything goes according to plans!
