Mar 31, 2014

Edison: a Quark-based computer the size of an SD card

Intel is pushing forward with technology to enable the Internet of Things and wearable technology, by unveiling a tiny computer the same size as an SD card at CES.

Dubbed Edison, it is based on Intel's 22nm Quark processor, which the firm launched at its IDF conference last year, and is intended to be embedded into other devices and objects to make them more intelligent and connected.

Inside Edison, the 400MHz Quark processor is combined with WiFi and Bluetooth low-energy wireless interfaces for connectivity, and also has built-in LPDDR2 memory and flash storage. Because the Quark chip is x86-based, it can support Linux and other operating systems to run sophisticated high-level applications, Intel claimed.

Edison, which is set to be available this summer, will be compatible with developer tools used by the 'maker' community, meaning that it should be relatively quick and simple to build software to run on the device.

Intel intends Edison to enable rapid innovation and product development by a range of inventors, entrepreneurs and product designers, according to chief executive Brian Krzanich.

"Wearables are not everywhere today because they aren't yet solving real problems and they aren't yet integrated with our lifestyles. We're focused on addressing this engineering innovation challenge. Our goal is, if something computes and connects, it does it best with Intel inside," he said.

Autodesk said it was adding support for Edison to its 123D Circuits, an online circuit design and development tool. The move follows Intel's launch of a single-board computer based on Quark technology, called Galileo.

Tubig-powered Machine - green solution to scarce electricity

Aiming to help his Filipino countrymen, Stevenson “Steve” Rejuso invented the LED Lamp Portable DC Generator, known simply as 2BIG POWER. The invention generates electricity and lights its LED bulb using water as fuel.

According to him, 2BIG POWER lights up for 3-4 days depending on the amount of water added and is capable of producing 3-10 watts. The device doesn’t need clean water to light. It also works with dirty water, seawater, freshwater, buko juice, or even waste water.

Along with 2BIG POWER, he also invented the Tubig-powered Machine, prompted by the shortage of electricity in their area. The device can light a flashlight or a lamp post, charge batteries and cellular phone battery packs, or even power a transistor radio, and can light a village for two weeks. Like his 2BIG POWER, it generates electricity using water.

The principle behind both devices is simple. Electricity is produced through a reaction between the several metal plates inside the device chamber, aided by the addition of water. The water serves as an electrolyte that lets ions pass between the different plates. Since the device consists of many plates, it produces electricity strong enough to have economic value.


Rejuso is a member of the Filipino Inventors Society (FIS) and is known for his inventions here and abroad. He was featured in two separate ABS-CBN programs, IMBENSIYON and Kabuhayang Swak na Swak. He said that many foreign countries are interested in buying his inventions. However, he refused the offers because he wants Filipinos to benefit first.

2BIG POWER is safer to use than candles and oil lamps as a source of light. It is more economical and environment-friendly. The Tubig-powered Machine, meanwhile, is now functioning at Brgy. Greater Lagro, Quezon City, Metro Manila.

His inventions are very useful, especially in areas where electricity is scarce. He is aiming to reach far-flung places of the Philippines where electricity service is not available.

Ismael Aviso Self-Charging Electric Car

Today, the Philippine Department of Energy tested Ismael Aviso’s electric car, showing that running off wall power, the 11 kW DC motor ran at 45% efficiency, but with Aviso’s on-board generator which harvests ambient energy from the surroundings, the motor ran at 133% efficiency (overunity).

A "bare-bones" version of Aviso's Self-Charging Electric Car

by Sterling D. Allan
Pure Energy Systems News

Major, breaking news here. Today in the Philippines, the Department of Energy (DOE) validated a free energy technology we’ve been reporting on recently. This is the first instance that I know of in which a national DOE has validated overunity of any kind outside of the conventional free energy technologies of solar, wind, geothermal, tide, biomass, where the source of energy is always obvious.

Background of the Self-Charging EV

We are talking about an electric vehicle that can drive down the road without having to stop to re-charge, because the energy is derived onboard from the surroundings, in real time; in the tradition of Nikola Tesla’s Pierce Arrow.

The inventor, Ismael Aviso has posted videos showing himself and others driving his electric vehicle down the road, and the single 12-Volt battery that is connected to the 11-kilowatt DC motor doesn’t run down, but stays charged — more than full, at 13 volts, as measured periodically. Aviso estimates that once commercial, a retrofit of an existing vehicle might cost around $4,000 retail – and this would enable a once-petrol vehicle to be electric, with a battery pack that stays charged, even as it is driving down the road.

The energy allegedly comes through an onboard antenna. In our last story, I posted a 1.5-hour interview I had with him in which he described how the system works. Simply put, he said he combines the high frequency shorting effect pursued by Nikola Tesla, with the back EMF from the DC motor, to create a carrier wave to harness ambient energy.

This invention is at the extreme cutting edge of free energy developments; and now it has been validated by the Philippine DOE.


DOE Test Results

The Technology Application and Promotion Institute, a division of the Philippine Department of Energy, tested two technologies developed by Ismael Aviso: his electric car and his repelling force.

In testing the electric car, they compared the efficiency of the DC motor using a conventional power supply (MERALCO), to the efficiency of the DC motor using Aviso’s power source. Their measurement equipment included a dynamometer (which measures the torque produced by the spinning wheel); and oscilloscopes, to measure electrical output. They ran three tests of each type.

Interesting developments. Given all the hurricanes/typhoons they have been bombarded with over the last 12 months, they could be in for an interesting time. Philippines, go for it.

Gigabit WAN – THE FUTURE IS HERE, DON’T WAIT FOR IT

What is the NBN? To most people, it is just another acronym that we have heard of, but it is stored in the ever expanding acronym section of our brain where we have no real understanding of what a random combination of capitalised letters means. NBN (in this instance), stands for National Broadband Network and it essentially refers to the fibre infrastructure being rolled out across the country that will provide us with supersonic high speed Internet. As you have probably been alerted to, the government is spending a considerable amount of tax payers money to create this network with the aim of bringing us in line with the more advanced countries in the world and ensure we are not left behind in the increasingly important world of IT (Information Technology for those who prefer to deal in whole words).


93% of Australian premises will have access to a fibre broadband connection that can provide Internet connection speeds of up to 1 Gigabit per second (or 1000Mbps). Not bad, considering the maximum speed you can get from an ADSL connection is 24Mbps. This roughly equates to speeds that are 40x faster than what most of us are capable of getting now (it’s worth noting that ADSL connections never hit their maximum speed either). So what impact can this have on us? This isn’t all about loading a web page faster, rather we will have a whole suite of applications become available to us with these increased speeds. Watching movies from the web, watching your favourite overseas TV show or sporting event from a streaming site, making HD video calls to your family and friends, accessing a leading doctor in a particular field who is remote to you, taking online video education courses from an institute in another country and downloading multiple files (legally of course), are all applications that will be improved and that can be carried out simultaneously without the bottleneck.

I just mentioned a key word – bottleneck. Just like when three lanes turn into one when you are driving down the freeway and everything comes to an insanely annoying stop, the same can happen with your Internet. Think of the NBN as a three lane freeway. When the NBN gets to your house, you want that three lane freeway to continue – you don’t want all of your Internet merging into one lane.

Connection to your Fibre (NBN) termination point will be through Ethernet. Therefore, whatever you plug into it needs to be able to facilitate these impressive speeds. This is the job for a Gigabit Ethernet WAN port, commonly found on many routers. As the name suggests, a Gigabit Ethernet port is capable of speeds of up to 1 Gigabit per second (the same as NBN) and a Gigabit Ethernet WAN port is the link between the NBN network and the router that provides Internet access around your house.

NetComm Wireless for example have a range of routers that feature a Gigabit Ethernet WAN port that are designed to connect you to your chosen Internet service today and also future proof you for when the NBN rolls out to your area, whenever that may be.

NetComm’s latest WiFi routers have a Gigabit port that will enable you to connect to NBN’s fibre broadband.

NF2 – Also features concurrent dual band N900 WiFi, 2x USB host ports and Gigabit LAN ports
NP805N – Also features WiFi N, 1x USB host port and Gigabit LAN ports

Most of you are probably on ADSL or cable and wondering when you’ll have access to NBN’s broadband service.

Well don’t wait for fibre broadband to enjoy the latest in WiFi technology. NetComm’s range of Gigabit routers allow you to connect to ADSL today and Fibre when you’re ready to connect.

Smart LTE Prepaid Simcards

Smart Communications is offering Filipinos download speeds of up to 42Mbps with the introduction of the first prepaid LTE (Long-Term Evolution) service here in the Philippines.


And it has the same subscription price as the telco's other internet packages: 50PHP for 1 day, 299PHP for a week, and 999PHP for a month. These all come with unlimited Internet until June 30, 2013.


Smart Bro Unli Surf packages, which offer 3G Internet connection speed, are priced at 50PHP a day and 200PHP a week, so it makes more sense to go with the 4G packages if you are in one of Smart's more than 800 LTE coverage areas.

This is most likely the telco's way of slowly getting everyone onto the 4G bandwagon. PLDT-Smart Public Affairs Group head Ramon Isberto told us Filipinos, on the sidelines of the Smart Move Party on the 11th of April, that they will only be carrying LTE devices in the near future.


So if you want to try out LTE but don't want to subscribe to a postpaid service, dude, this is your chance! The SIM kit will be available for 350PHP and comes in two variants: the first is nano and the second is a dual-cut for devices that require micro or regular SIMs. Take note that the SIM cards don't have call functions.

Mar 30, 2014

The Hubbard Coil : Too Good to be True

The Hubbard Coil sounded too good to be true. As it turned out there was a little secret component the inventor neglected to share with the press.

This week’s random article about the seemingly magical energy-producing device demonstrated by Alfred M. Hubbard was found in The Monroe Monitor, Sept. 17, 1920:

MYSTERIOUS COIL PROVES SUCCESS

RUNS AUTOMOBILE ON EVERETT STREETS AND BOAT IN SEATTLE LAKE.

May Reach the Farm to Run Labor-Saving Machinery and Solve Ever-Present Labor Problem.

“In consideration of the telephone, wireless, airplanes and other inventions the man who said ‘there ain’t no such animal,’ when he saw a giraffe should have passed on, but in the face of the claims of a new invention by Alfred M. Hubbard, a Seattle boy, engineers and scientists are reviving the ancient phrase and people generally are waiting to be convinced although willing, so willing, to have the invention develop into a fact.”

“What Hubbard claims to have is a coil that takes its power from the air and turns out an electric current that will run lights, motors, automobiles, stoves, anything where power is needed without money and without price once the coil is installed.”

“An ‘atmospheric power generator’ he calls it for want of a better name.”

No Light Bills

“A coil it is, or a series of coils, a central coil surrounded by smaller coils and all wound to form a big coil. No moving parts, no noise, no battery, a little affair about eight or ten inches long. Hubbard connected it up to an ordinary electric light which immediately began to glow and continued to glow and would continue to glow indefinitely– Hubbard claimed.”

“The light demonstration was given last December in the office of one of the Seattle newspapers. Later Hubbard went to Washington, D.C., to arrange for getting a patent. Then he came back and retired into his laboratory to work out a larger coil and the problems of connecting it up to an automobile or a boat.”

“With no particular training for his work except that which every boy who has an inherent curiosity for mechanical things possesses, Hubbard has taken to the study of electricity and the hours that most boys spend in the swimming pool or at other kinds of pool he puts in working with batteries, motors, wireless and his coil. He says he felt that there was a great deal of electric power free in the atmosphere and set out to harness it. He does not think that he has discovered perpetual motion, he makes no such claim, but thinks he has succeeded in transforming the earth’s lines of magnetic force into electrical energy available for use.”

“One thing is certain, he has stumped all of the electrical engineers and scientists, none of whom have been able to offer any possible explanation for what he has done.”

Drives a Launch

“A short time ago Hubbard invited some Seattle people out to the yacht club and took them for a ride in a launch. There was no engine in the launch, only a small motor. With him Hubbard took a coil, larger than the one he used for the light, but not so large that he couldn’t carry it with him. The coil was connected to the motor and the boat started out from the dock. Around the lake it went and then back to the club house. The people with him lifted the coil and looked at it. Then they started on a still hunt around the boat for storage batteries. Then they sat down and stared at each other.”

“Then Hubbard connected the coil to the motor again and the boat made another trip around the lake. The motor was evidently too small for the coil, for the wires connecting the two got hot and had to be disconnected occasionally and allowed to cool off.”

“After this Hubbard went up to Everett and put one of his coils in an automobile. The auto was a standard car with the engine left out and a motor, ordinary electric motor, in its place. The coil was small enough to go under the hood of the engine. The auto started off up a steep grade on a dirt road. It ran around the Everett streets. People stared and wondered. They are still wondering.”

“These things have been seen and done. What of the future? Will there be no more transmission lines running up and down the streets and country roads? Will all this legislation about power plant sites be for naught? Will each house have its own coil turning out its heat and light, running the sewing machine and vacuum cleaner and coffee percolator and churn and so on? Will large manufacturing establishments have large coils and no bills for coal or oil fuel and no pall of smoke coming in from their chimneys to burden the atmosphere?”

“Those are questions that are bothering the brains of those who have seen the coil work. What will be the price of copper if every one is trying to buy a coil at once? What about gasoline? Will John D. have a world organization on his hands for which he has no use? Will the coil bring cheap power to the farmer with running water pumped from the well to the barn and the house and for irrigation? Will it be cheaper to pump the rivers here and there than to build long irrigation ditches?”

Years later Hubbard confessed the true source of the energy for his coil. When another inventor produced a similar coil, the young scientist stepped forward and talked to The Seattle Post-Intelligencer. This is quoted from the Feb. 26, 1928 issue:

“In 1919 Hubbard represented the apparatus as being capable of extracting electrical energy directly from the air, but he admitted yesterday that this had been merely a subterfuge to protect his patent rights, and that, as a matter of fact, it had been a device for extracting electrical energy from radium, by means of a series of transformers which stepped up the rays.”

“He declined to go into detail in regard to the exact manner in which he managed to extract power from radium …”

Basically, he produced a sort of nuclear power battery. To this day the exact material he used is not known.

Hubbard’s subsequent career was one wild ride through the shadows. He sold most of the patent rights of his coil to the Radium Chemical Company. In 1929 he took out a patent for radioactive spark plugs, which were actually available on the market from Firestone in the early 1940s.

Hubbard’s path led to running booze in Seattle, which landed him an 18-month prison term. His scientific skills caught the eye of the Office of Strategic Services, and he became a government agent. He somehow became involved with gun-running which attracted the attention of Congress. In order to escape prosecution, he cooled off in Vancouver, B.C. for a few years.

In Canada he created a charter boat service and was a director for a uranium corporation. He became a millionaire but grew bored. In 1951 he discovered LSD and then dubbed himself “The Johnny Appleseed of Acid.” As would be expected, Hubbard’s exact role with any U.S. or Canadian government project is difficult to verify after 1951. When the crazy spiral stopped he was broke and living in a trailer park in Casa Grande, Arizona, definitely not a situation for him that was too good to be true. He died there Aug. 31, 1982.

The Hubbard Energy Transformer

by Gaston Burridge
Fate Magazine, July, 1956, pp. 36-42

One of the interesting experiments made with the Hubbard transformer was the propelling of an 18-foot boat around Portage Bay near Seattle.

A 35 horsepower electric motor was hooked up to a Hubbard transformer measuring perhaps 12-14 inches in diameter and 14 inches in length. It furnished enough energy to drive the boat and a pilot at a good clip around the bay.

The demonstration lasted several hours and created a sensation. The test required enough current for a long enough time to rule out any sort of battery being housed in the device.

The voltage could be … 220 volts. It seems unlikely a 35 horsepower motor would have as low a voltage as 110 volts.

Soon after the demonstration, Hubbard’s name dropped from the Seattle paper and he went to work for the Radium Chemical Company of Pittsburgh — now of New York.

According to Hubbard’s statement in the newspaper he sold a 50% interest in his device to the Radium Chemical Company and went to Pittsburgh to continue developing the device for them.

Hubbard related that the company had demanded more and more equity in the machine until finally he retained only a 25% interest. Evidently pressure was brought upon him to sign over an additional 5%.

This Hubbard refused to do, and in 1922 he severed connection with Radium Chemical Company and returned to Seattle.

At the present time Hubbard is not inclined to discuss his employment period with the Radium Chemical Company nor will he discuss this device or his experiences with it.

My first letter to the Radium Chemical Company was not answered. A second letter a few months later brought a reply from Mr. Grange Taylor, vice president of the concern.

He stated that none of the employees presently with the company who were also with it in the early 1920′s could remember anything about the device or about Hubbard himself. Mr. Taylor's letter said “there is no information available on the device you mention.”

Surrounding the central tube and its appendages are eight coils of wire wound upon what appear to be eight cores of magnetic iron. These eight coils stand parallel to the central tube. Their outer windings appear to be connected in series and probably form something corresponding to the secondary of the transformer.

As there seem to be more windings on this secondary than on the primary, one would suspect, following ordinary electrical practice, that the transformer was a step-up variety rather than a step-down one.

That is, the secondary voltage would be higher than its primary voltage and consequently its amperage would be less.

Four lead-out wires are showing. How they are connected together — if they are — remains a secret.

Around the outside of the windings appears to be a wrapping of some dense material, probably meant to shield or turn aside the rays from the radioactive materials within. Such a shield would be necessary to protect those working with the apparatus.

All of this is set between the roll ends that make the device look like a giant spool.

There are no moving parts. The machine operates silently.

As far as can be determined, no US patents were ever issued to Hubbard covering the device.

The Radium Chemical Company list of patents is long but no title in their list appears to cover such an apparatus as Hubbard’s.

Either the device was not developed to a point where a patent could be obtained, or because of the friction that seemingly developed between the company and Hubbard it was impossible for either to obtain a patent.

Understanding Single Phase Induction Motors

In order for an induction motor to operate, we need to have a rotor with a short circuited winding inside a stator with a rotating magnetic field.

The flux from the rotating field cuts through the rotor winding and induces a current to flow. The frequency of the current flowing is equal to the difference between the rotational speed of the stator field and the rotor.

The rotor current causes a rotor magnetic field which is spinning relative to the rotor at the rotor current frequency and relative to the stator, at the same frequency as the stator field. The interaction between these two magnetic fields generates the torque in the rotor. There must always be a small difference in speed between the stator field and the rotor in order to induce a current flow in the rotor. This difference in speed or frequency is known as the slip.

If we take a stator with a single winding, and apply a single phase voltage to it, we will have an alternating current flowing and thereby an alternating magnetic field at each pole.

Unfortunately, this does not result in a rotating magnetic field, rather it results in two equal rotating fields, one in the forward direction and one in the reverse direction. If we have a short circuited rotor within the stator, it will carry rotor current induced by the stator field, but there will be two equal and counter rotating torque fields. This will cause the rotor to vibrate but not to rotate. In order to rotate, there must be a resultant torque field rotating in one direction only. In the case of the single winding and a stationary rotor, the resultant torque field is stationary.


If we now add a second stator winding, physically displaced from the first winding, and apply a voltage equally displaced in phase, we will provide a second set of counter rotating magnetic fields and the net result is a single rotating field in one direction. If we reverse the phase shift of the voltage applied to the second winding, the resultant magnetic field will rotate in the reverse direction.


Once the rotor is up to full speed, it will continue to run with the second winding disconnected. This is because the rotor circuit is both resistive and inductive. If we consider the magnetic field rotating in the same direction as the rotor, the frequency of the current will be low, so the rotor current will be primarily limited by the rotor resistance. In the case of the counter rotating field, the frequency of the induced current will be almost twice line frequency and so the inductance of the rotor will play a much greater role in limiting the rotor current. In other words, once the motor is up to speed, it will lock on to one field only and the second winding can be disconnected. If the second winding remains in circuit, the displaced field reduces the magnetic fluctuations in the gap and therefore provides a more even torque and less vibration. Some "start" windings are only designed for intermittent operation and they must be disconnected at the end of the start. Continuous operation using these windings would cause a winding failure. Most single phase motors are fitted with a centrifugal switch to disconnect the start winding once the motor is close to full speed.
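The slip argument above can be worked through numerically. The following is an added example, not code from the original article: it computes synchronous speed, slip and the two rotor-current frequencies (forward field at s·f, backward field at (2−s)·f), then shows why the backward-field current is inductance-limited once the motor is up to speed while the forward-field current is resistance-limited. The pole count, line frequency and the rotor R and L values in the demo are assumed round numbers, not measurements of any real motor.

```python
import math

# Added example (not from the original article). Uses the ideal textbook
# relations the article describes: synchronous speed n_s = 120*f/p,
# slip s = (n_s - n)/n_s, forward-field rotor frequency s*f and
# backward-field rotor frequency (2 - s)*f.


def synchronous_speed_rpm(line_hz: float, poles: int) -> float:
    """Speed of the stator field in rpm: 120 * f / p (p = number of poles)."""
    if poles < 2 or poles % 2 != 0:
        raise ValueError("pole count must be an even integer >= 2")
    return 120.0 * line_hz / poles


def slip(line_hz: float, poles: int, rotor_rpm: float) -> float:
    """Fractional slip s = (n_s - n) / n_s; s = 1 at standstill, 0 at sync."""
    n_s = synchronous_speed_rpm(line_hz, poles)
    return (n_s - rotor_rpm) / n_s


def rotor_frequencies(line_hz: float, poles: int, rotor_rpm: float) -> dict:
    """Frequencies induced in the rotor by the two counter-rotating fields.

    Forward field (turning with the rotor):    s * f        -> low at speed.
    Backward field (turning against the rotor): (2 - s) * f  -> close to 2f.
    At standstill (s = 1) both equal f, which is why a single winding gives
    equal, opposing torques and no net rotation.
    """
    s = slip(line_hz, poles, rotor_rpm)
    return {
        "slip": s,
        "forward_hz": s * line_hz,
        "backward_hz": (2.0 - s) * line_hz,
    }


def rotor_impedance(freq_hz: float, r_ohm: float, l_h: float) -> dict:
    """Resistance, reactance (2*pi*f*L) and |Z| of the rotor circuit at one frequency."""
    x = 2.0 * math.pi * freq_hz * l_h
    return {"r_ohm": r_ohm, "x_ohm": x, "z_ohm": math.hypot(r_ohm, x)}


def dominant_limit(freq_hz: float, r_ohm: float, l_h: float) -> str:
    """Which element mostly limits rotor current at this frequency."""
    z = rotor_impedance(freq_hz, r_ohm, l_h)
    return "resistance" if z["r_ohm"] >= z["x_ohm"] else "inductance"


def demo() -> None:
    line_hz, poles = 60.0, 4          # assumed: 60 Hz supply, 4-pole stator
    r_rotor, l_rotor = 1.0, 0.01      # assumed rotor resistance (ohm) and inductance (H)
    for rpm in (0.0, 1710.0):         # standstill, then a typical running speed
        fr = rotor_frequencies(line_hz, poles, rpm)
        print(f"rotor {rpm:6.0f} rpm  slip={fr['slip']:.3f}  "
              f"forward={fr['forward_hz']:6.1f} Hz ({dominant_limit(fr['forward_hz'], r_rotor, l_rotor)})  "
              f"backward={fr['backward_hz']:6.1f} Hz ({dominant_limit(fr['backward_hz'], r_rotor, l_rotor)})")


if __name__ == "__main__":
    demo()
```

Running the demo shows both rotor frequencies equal to the line frequency at standstill, and at 1710 rpm a 3 Hz forward-field current limited by resistance against a 117 Hz backward-field current limited by inductance, which is the asymmetry that lets the motor stay locked to one field after the start winding drops out.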

1. Capacitor Start

This configuration comprises two windings W1 and W2, a centrifugal switch SW1 and a capacitor.

The two windings are wound with a geometric offset, effectively making a second set of poles phase shifted within the stator. The capacitor provides a phase shift to the current flowing in W1 and we therefore have a "two phase" motor while the switch is closed. When the motor is almost up to speed, the switch opens disconnecting W1 and the capacitor. The motor can be reversed by reversing the connections of either W1 or W2 (but not both!)

The start winding (W1) and the start capacitor provide for a rotating magnetic field in one direction enabling the motor to start.

2. Capacitor Start Capacitor Run

This configuration comprises two windings W1 and W2, a centrifugal switch SW1 and two capacitors C1 and C2.

The two windings are wound with a geometric offset, effectively making a second set of poles phase shifted within the stator. The capacitors provide a phase shift to the current flowing in W1 and we therefore have a "two phase" motor. When the motor is almost up to speed, the switch opens disconnecting the capacitor C1. C2 remains in circuit to provide a continued second phase, reducing torque pulsations and noise. The motor can be reversed by reversing the connections of either W1 or W2 (but not both!)

The start winding (W1) and the capacitors provide for a rotating magnetic field in one direction enabling the motor to start.

3. Capacitor Start/Run

This configuration comprises two windings W1 and W2 and a capacitor C1.

The two windings are wound with a geometric offset, effectively making a second set of poles phase shifted within the stator. The capacitor provides a phase shift to the current flowing in W1 and we therefore have a "two phase" motor. C1 remains in circuit to provide a continued second phase, reducing torque pulsations and noise. The motor can be reversed by reversing the connections of either W1 or W2 (but not both!)

The start winding (W1) and the capacitor provide for a rotating magnetic field in one direction enabling the motor to start.

5. Induction Start (Split Phase)

This configuration comprises two windings W1 and W2 and a centrifugal switch SW1.

The two windings are wound with a geometric offset, effectively making a second set of poles phase shifted within the stator. The winding W1 has resistance to provide a phase shift to the current flowing in W1 and we therefore have a "two phase" motor while the switch is closed. The motor can be reversed by reversing the connections of either W1 or W2 (but not both!)

The start winding (W1) provides for a rotating magnetic field in one direction enabling the motor to start.

Mar 10, 2014

SmartBro Motorola Canopy SM 12.1 update

The SmartBro Canopy SM (subscriber module) was owned by Motorola until it was acquired by Cambium Networks in recent years. The Motorola Canopy fixed wireless broadband antenna, which operates at 5.7GHz, is the first and among the oldest wireless products of Smart/PLDT in the Philippines.

My Canopy antenna has been on top of my Mom's roof for years, serving as my backup internet connection that reaches me even at the last mile in the southernmost part of the country. It is just an aggregate 2Mbps but gives me a reliable link even as far as two (2) miles from the base station.


I have just updated it to the new Canopy 12.1 SM DES Official Build package, and the above screenshot is shared for you, my guest blog readers. It has some features that the old version doesn't have. The logo has also changed to Cambium Networks instead of Motorola Canopy. More updates on the web interface will be uploaded soon.

Mar 9, 2014

How-To TP-Link TL-WR941ND Revert From DD-WRT firmware

DD-WRT is likely a familiar term to many; this ingenious router operating system provides endless configuration options for wireless routers. I have a Linksys WAP54G and a TP-Link TL-WR1043ND flashed with DD-WRT, which are currently in operation and diligently perform their duties.

Only good, then bad

Especially after flashing the TL-WR1043ND I was very impressed by the performance the router unfolds. So I also flashed my TL-WR941ND v3.0 with DD-WRT. As you can see in the screenshot below, only the preSP2 v24 [Beta] 15778 was available, and it was not stable.


After DD-WRT was configured, the router ran about 1.5 weeks until the WLAN failed. The WLAN LED was lit, but there was no Wi-Fi network available. I thought nothing of it and simply restarted the router, and it ran again. A week later the incident repeated and I became skeptical. At first I thought it was the channel, and changed from 3 to 11. At first it went well, but then came the third wireless crash. This story repeated itself again and again, almost regularly, until I came up with the idea that it could be due to DD-WRT. After a Google session it was clear that the TL-WR941ND has problems with the WLAN if DD-WRT is installed. I think the beta is responsible. I did flash the TL-WR1043ND with a beta too, but that was the 14896 build.

Back to Stock Firmware

Now it was time to flash back to TP-Link's stock firmware. Unfortunately you cannot simply upload the BIN file through the DD-WRT web interface; you get an error. After much searching, I had found several methods that should enable the revert, such as telnet or tftp in conjunction with ping etc. But none of this helped me further, or was so complicated that I would have needed a lot of time.

Then I came across a thread in the DD-WRT forum where special firmware files are available for download, which can be loaded directly through the DD-WRT web interface ("Webrevert"). The file offered for the TL-WR941ND was spot on and brought my router back to its original state in 5 minutes, without further ado with Telnet, SSH, or TFTP.

Downloads

For those who are not registered on the forum, the files can also be downloaded directly.

TP-Link TL-WA801N/ND v1 Webrevert download here

TP-Link TL-WA901N/ND v1 Webrevert download here

TP-Link TL-WA901N/ND v2 Webrevert download here

TP-Link TL-WR740N v1/v2 Webrevert download here

TP-Link TL-WR740N v3 Webrevert (world wide version only) download here

TP-Link TL-WR741N/ND v1/v2 Webrevert download here

TP-Link TL-WR743N/ND v1 Webrevert download here

TP-Link TL-WR841N/ND v3 Webrevert download here

TP-Link TL-WR841N/ND v5 Webrevert download here

TP-Link TL-WR841N/ND v7 Webrevert download here

TP-Link TL-WR941N/ND v2/v3 Webrevert download here

TP-Link TL-WR941N/ND v4 Webrevert download here

TP-Link TL-WR1043ND v1 Webrevert download here

Fatal: Received unexpected end-of-file from server

Got this error today while using PSCP. I was attempting to move a file from my local computer to a remote server that allows only SCP Transfer Protocol. This was the command I was using:

pscp.exe -p wr740nv1_en_3_12_4_up(100910).bin root@192.168.1.1:/tmp

Digging a little into the issue, I found that since I intend to use the SCP protocol to transfer the file to the remote server, I need to specify SCP explicitly. I changed my command to the one below, and it worked like a charm.

pscp.exe -scp wr740nv1_en_3_12_4_up(100910).bin root@192.168.1.1:/tmp

Please note the ‘-scp’ in the command. This ‘-scp’ forces PSCP to use the SCP protocol. If not specified explicitly, PSCP will attempt to use the SFTP protocol by default.

SIMET Box Firmware Analysis: Embedded Device Hacking & Forensics

SIMET is organized by the Brazilian NIC.br in order to test and monitor Internet speed across the country. For more info (in Portuguese) visit their site here. All the data collected is available to the community in reports and heat maps like this.


The organization is now handing out free Wi-Fi routers to Brazilians in order to measure Internet quality in different regions. The SIMET Box is a custom TL-WR740N with OpenWrt pre-installed. You can also download and install the standalone firmware on other TP-Link SOHO routers.

The project is quite interesting but in times of PRISM and NSA I don't like the idea of using a "black box" at home, so I decided to check its design.

Firmware

As I don't have the actual box, I'll analyze SIMET Box's firmware image. The firmware can be downloaded from http://simet.nic.br/firmware. For this initial analysis I'll be using simetbox-tl-wr740n-v4.bin (MD5 d08798093e1591bece897671e96b5983).

Let's start by using Craig Heffner's binwalk and firmware-mod-kit to unsquash the filesystem:

binwalk -Me simetbox-tl-wr740n-v4.bin


After extracting the files we can browse the squashfs-root dir and grep files to identify the OpenWrt base version:


We now know that SIMET Box is based on the Attitude Adjustment branch (v12.09) for Atheros AR71xx, downloadable from OpenWrt's official site: openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin.

After extracting the base firmware (using binwalk) we now have two directory trees to diff. We can use WinMerge or Kdiff3 to compare files.





There are some new init.d scripts like atualiza_arqs, autossh, miniupnpd and zabbix_agentd:


Lots of binaries (/bin/busybox for example) are quite similar: they may differ by a minor version or have been compiled with particular command-line arguments:


List of files created by SIMET Box (not present on the OpenWrt's base firmware):

while read -r i ; do file "$i" ; done < list.txt


/etc/config/autossh: ASCII text

/etc/config/upnpd: ASCII text

/etc/dropbear/authorized_keys: OpenSSH DSA public key

/etc/dropbear/id_rsa: data

/etc/hotplug.d/button/00-button: ASCII text

/etc/hotplug.d/iface/20-autossh: POSIX shell script, ASCII text executable

/etc/hotplug.d/iface/50-miniupnpd: POSIX shell script, ASCII text executable

/etc/init.d/atualiza_arqs_simet: POSIX shell script, ASCII text executable

/etc/init.d/autossh: POSIX shell script, ASCII text executable

/etc/init.d/miniupnpd: POSIX shell script, ASCII text executable

/etc/init.d/zabbix_agentd: POSIX shell script, ASCII text executable

/etc/rc.d/S11sysctl: symbolic link to `../init.d/sysctl'

/etc/rc.d/S19firewall: symbolic link to `../init.d/firewall'

/etc/rc.d/S45atualiza_arqs_simet: symbolic link to `../init.d/atualiza_arqs_simet'

/etc/rc.d/S60zabbix_agentd: symbolic link to `../init.d/zabbix_agentd'

/etc/rc.d/S80autossh: symbolic link to `../init.d/autossh'

/etc/rc.d/S95miniupnpd: symbolic link to `../init.d/miniupnpd'

/etc/uci-defaults/50-reset: POSIX shell script, ASCII text executable

/etc/uci-defaults/50-reset-wps: POSIX shell script, ASCII text executable

/etc/uci-defaults/50-wifi: POSIX shell script, ASCII text executable

/etc/uci-defaults/99-miniupnpd: POSIX shell script, ASCII text executable

/etc/uci-defaults/luci-i18n-portuguese_brazilian: POSIX shell script, UTF-8 Unicode text executable

/etc/uci-defaults/luci-theme-bootstrap: POSIX shell script, ASCII text executable

/etc/uci-defaults/luci-upnp: POSIX shell script, ASCII text executable

/etc/zabbix_agentd.conf: ASCII text

/lib/libpthread-0.9.33.2.so: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size

/lib/libpthread.so.0: symbolic link to `libpthread-0.9.33.2.so'

/root/.ssh/known_hosts: ASCII text, with very long lines

/sbin/fw3: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/bin/auto_upgrade: symbolic link to `simet_tools'

/usr/bin/checa_udhcpc.sh: POSIX shell script, ASCII text executable

/usr/bin/get_mac_address.sh: POSIX shell script, ASCII text executable

/usr/bin/simet_client: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/bin/simet_dns: symbolic link to `simet_tools'

/usr/bin/simet_porta25: symbolic link to `simet_tools'

/usr/bin/simet_tools: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/bin/sshreversetunnel: POSIX shell script, ASCII text executable

/usr/bin/teste_spoofing.sh: POSIX shell script, ASCII text executable

/usr/bin/wifionoff: POSIX shell script, ASCII text executable

/usr/lib/lua/luci/controller/simet.lua: ASCII text

/usr/lib/lua/luci/controller/upnp.lua: ASCII text

/usr/lib/lua/luci/i18n/base.pt-br.lmo: data

/usr/lib/lua/luci/i18n/upnp.ca.lmo: data

/usr/lib/lua/luci/i18n/upnp.cs.lmo: data

/usr/lib/lua/luci/i18n/upnp.de.lmo: data

/usr/lib/lua/luci/i18n/upnp.es.lmo: data

/usr/lib/lua/luci/i18n/upnp.fr.lmo: data

/usr/lib/lua/luci/i18n/upnp.hu.lmo: data

/usr/lib/lua/luci/i18n/upnp.it.lmo: data

/usr/lib/lua/luci/i18n/upnp.ja.lmo: data

/usr/lib/lua/luci/i18n/upnp.no.lmo: data

/usr/lib/lua/luci/i18n/upnp.pl.lmo: data

/usr/lib/lua/luci/i18n/upnp.pt-br.lmo: data

/usr/lib/lua/luci/i18n/upnp.pt.lmo: data

/usr/lib/lua/luci/i18n/upnp.ro.lmo: data

/usr/lib/lua/luci/i18n/upnp.ru.lmo: data

/usr/lib/lua/luci/i18n/upnp.vi.lmo: data

/usr/lib/lua/luci/i18n/upnp.zh-cn.lmo: data

/usr/lib/lua/luci/model/cbi/upnp/upnp.lua: ASCII text

/usr/lib/lua/luci/sgi/uhttpd.lua: ASCII text

/usr/lib/lua/luci/view/admin_status/index/upnp.htm: ASCII text

/usr/lib/lua/luci/view/simet/simet.htm: HTML document, UTF-8 Unicode text

/usr/lib/lua/luci/view/themes/bootstrap/footer.htm: HTML document, ASCII text

/usr/lib/lua/luci/view/themes/bootstrap/header.htm: HTML document, ASCII text

/usr/lib/lua/luci/view/upnp_status.htm: HTML document, ASCII text

/usr/lib/opkg/info/autossh.conffiles: ASCII text

/usr/lib/opkg/info/autossh.control: ASCII text

/usr/lib/opkg/info/autossh.list: ASCII text

/usr/lib/opkg/info/hping3.control: ASCII text

/usr/lib/opkg/info/hping3.list: ASCII text

/usr/lib/opkg/info/libip6tc.control: ASCII text

/usr/lib/opkg/info/libip6tc.list: ASCII text

/usr/lib/opkg/info/libnfnetlink.control: ASCII text

/usr/lib/opkg/info/libnfnetlink.list: ASCII text

/usr/lib/opkg/info/libopenssl.control: ASCII text

/usr/lib/opkg/info/libopenssl.list: ASCII text

/usr/lib/opkg/info/libpcap.control: ASCII text

/usr/lib/opkg/info/libpcap.list: ASCII text

/usr/lib/opkg/info/libpthread.control: ASCII text

/usr/lib/opkg/info/libpthread.list: ASCII text

/usr/lib/opkg/info/luci-app-simet.control: ASCII text

/usr/lib/opkg/info/luci-app-simet.list: ASCII text

/usr/lib/opkg/info/luci-app-upnp.control: ASCII text

/usr/lib/opkg/info/luci-app-upnp.list: ASCII text

/usr/lib/opkg/info/luci-i18n-portuguese-brazilian.control: ASCII text

/usr/lib/opkg/info/luci-i18n-portuguese-brazilian.list: ASCII text

/usr/lib/opkg/info/luci-sgi-uhttpd.control: ASCII text

/usr/lib/opkg/info/luci-sgi-uhttpd.list: ASCII text

/usr/lib/opkg/info/luci-theme-bootstrap.control: ASCII text

/usr/lib/opkg/info/luci-theme-bootstrap.list: ASCII text

/usr/lib/opkg/info/miniupnpd.conffiles: ASCII text

/usr/lib/opkg/info/miniupnpd.control: ASCII text

/usr/lib/opkg/info/miniupnpd.list: ASCII text

/usr/lib/opkg/info/simet-base-files.control: ASCII text

/usr/lib/opkg/info/simet-base-files.list: ASCII text

/usr/lib/opkg/info/simet-client.control: ASCII text

/usr/lib/opkg/info/simet-client.list: ASCII text

/usr/lib/opkg/info/simet-tools.control: ASCII text

/usr/lib/opkg/info/simet-tools.list: ASCII text

/usr/lib/opkg/info/uhttpd-mod-lua.control: ASCII text

/usr/lib/opkg/info/uhttpd-mod-lua.list: ASCII text

/usr/lib/opkg/info/zabbix-agentd.control: ASCII text

/usr/lib/opkg/info/zabbix-agentd.list: ASCII text

/usr/lib/opkg/info/zlib.control: ASCII text

/usr/lib/opkg/info/zlib.list: ASCII text

/usr/lib/libcrypto.so.1.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libip6tc.so: symbolic link to `libip6tc.so.0.0.0'

/usr/lib/libip6tc.so.0: symbolic link to `libip6tc.so.0.0.0'

/usr/lib/libip6tc.so.0.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libjson-c.so.2: symbolic link to `libjson-c.so.2.0.1'

/usr/lib/libjson-c.so.2.0.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libnfnetlink.so.0: symbolic link to `libnfnetlink.so.0.2.0'

/usr/lib/libnfnetlink.so.0.2.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libpcap.so: symbolic link to `libpcap.so.1.1'

/usr/lib/libpcap.so.1.1: symbolic link to `libpcap.so.1.1.1'

/usr/lib/libpcap.so.1.1.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libssl.so.1.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libz.so: symbolic link to `libz.so.1.2.7'

/usr/lib/libz.so.1: symbolic link to `libz.so.1.2.7'

/usr/lib/libz.so.1.2.7: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/uhttpd_lua.so: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/sbin/autossh: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/sbin/hping3: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/sbin/miniupnpd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/sbin/zabbix_agentd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/share/libiwinfo/hardware.txt: ASCII text

/usr/share/miniupnpd/firewall.include: POSIX shell script, ASCII text executable

/www/luci-static/bootstrap/cascade.css: assembler source, ASCII text

/www/luci-static/bootstrap/favicon.ico: MS Windows icon resource - 1 icon

/www/luci-static/bootstrap/html5.js: HTML document, ASCII text, with very long lines

/www/simet/ceptro.png: PNG image data, 78 x 30, 8-bit colormap, non-interlaced

/www/simet/cgi.png: PNG image data, 46 x 30, 8-bit colormap, non-interlaced

/www/simet/nic.png: PNG image data, 47 x 25, 8-bit colormap, non-interlaced

/www/simet/nonet.htm: UTF-8 Unicode text

/www/simet/offline.jpg: JPEG image data, EXIF standard

/www/simet/simetbox_minilogo.png: PNG image data, 111 x 23, 8-bit colormap, non-interlaced

/www/simet/view_tab.css: assembler source, ASCII text

/www/simet/view_tab.js: UTF-8 Unicode text, with very long lines

This simple technique is quite useful for forensic analysis of embedded devices, as you end up with a whitelist of known binaries and config files. It's important to review both created and modified files, but I'll focus on the ones listed above. Each binary and config file can be reviewed separately, so we can find interesting entries like:
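The whitelist technique above, as an added Python example that is not the post's own tooling: it fingerprints two extracted squashfs roots (the SIMET image and the stock OpenWrt image it was built from), reports added, removed and modified entries, records symlink targets instead of following them (OpenWrt enables a service through an /etc/rc.d symlink, so a new link is itself a finding), and flags paths a reviewer should read first. The two trees are constructed in a temp dir; on real images, pass the two squashfs-root directories produced by binwalk to diff_trees().

```python
"""Diff an extracted customised firmware tree against its upstream base.

Added example, not the post's own tooling. The sample trees are constructed
in a temp dir; on real images call diff_trees(base_root, custom_root) with
the two squashfs-root directories binwalk extracted.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Path prefixes worth manual review whenever they appear or change on a SOHO
# router: remote-access credentials, boot/hotplug scripts, firewall and cron.
REVIEW_PREFIXES = (
    "etc/dropbear/", "root/.ssh/", "etc/passwd", "etc/shadow",
    "etc/init.d/", "etc/rc.d/", "etc/hotplug.d/", "etc/crontabs/",
    "etc/config/firewall", "etc/firewall.user",
)


def _sha256(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            h.update(block)
    return h.hexdigest()


def fingerprint_tree(root):
    """Map relative path -> ('link', target) or ('file', sha256 hex).

    Symlinks are recorded by target, not followed: /etc/rc.d/S80autossh ->
    ../init.d/autossh is how OpenWrt turns a service on at boot.
    """
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                out[rel] = ("link", os.readlink(full))
            elif os.path.isfile(full):
                out[rel] = ("file", _sha256(full))
    return out


def diff_trees(base, custom):
    """Sorted added / removed / modified paths, plus the subset of added and
    modified paths that fall under REVIEW_PREFIXES."""
    b, c = fingerprint_tree(base), fingerprint_tree(custom)
    added = sorted(set(c) - set(b))
    removed = sorted(set(b) - set(c))
    modified = sorted(p for p in set(b) & set(c) if b[p] != c[p])
    review = sorted(p for p in added + modified if p.startswith(REVIEW_PREFIXES))
    return {"added": added, "removed": removed, "modified": modified, "review": review}


def build_sample_trees(tmp):
    """Constructed stand-in for the two extracted images (not real firmware)."""
    base, custom = Path(tmp, "base"), Path(tmp, "custom")
    for root in (base, custom):
        for sub in ("etc/init.d", "etc/rc.d", "etc/dropbear", "bin"):
            (root / sub).mkdir(parents=True)
        (root / "etc/init.d/firewall").write_text("#!/bin/sh\nstart() { fw3 start; }\n")
        (root / "etc/rc.d/S19firewall").symlink_to("../init.d/firewall")
    # Same path, different build: reported as 'modified', like the post's busybox.
    (base / "bin/busybox").write_bytes(b"\x7fELF base build")
    (custom / "bin/busybox").write_bytes(b"\x7fELF vendor build")
    # Vendor additions: a new service, its rc.d enable link and an SSH key.
    (custom / "etc/init.d/autossh").write_text("#!/bin/sh\nstart() { autossh; }\n")
    (custom / "etc/rc.d/S80autossh").symlink_to("../init.d/autossh")
    (custom / "etc/dropbear/authorized_keys").write_text("ssh-dss CONSTRUCTED-KEY\n")
    return base, custom


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        base, custom = build_sample_trees(tmp)
        return diff_trees(base, custom)


if __name__ == "__main__":
    result = run_demo()
    for key in ("added", "removed", "modified", "review"):
        print(f"{key} ({len(result[key])}):")
        for rel in result[key]:
            print("   ", rel)
```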

SSH reverse tunnel settings and authorized_keys:


Password changing scripts and Iptables rules:


The device management starting page has an external iframe and users are identified by their MAC Address via HTTP GET requests:


Cronjobs to test external access to port 25 and if the ISP allows IP spoofing:


Zabbix agent settings:


As quick advice to SIMET engineers, it would be nice to have HTTPS for those external queries, a bit more transparency on what the equipment does internally, who is able to access it (whose authorized_keys are those?), what external IP addresses it communicates with and what information is being collected. Securing SOHO modems is very important, especially here in Brazil where lots of recent attacks were targeting these devices (Fabio Assolini's talk "The tale of one thousand and one DSL modems" detailed this a year ago).

In the next post I'll detail how to run those MIPS32 binaries in a virtual environment using QEMU and analyze some of the files with IDA Pro.

Written by Bernardo Rodrigues posted by guest blogger.

TP-LINK WR740N Ver2.1 OpenWrt Revert To Original Firmware

I have been using my TP-LINK WR740N version 2.1 since 2010 for my mini lab at home with the third-party firmware OpenWrt Backfire trunk. Just recently I wanted to simulate WDS, the unique non-standard bridging protocol of TP-Link products that can do two jobs at once, i.e. act as a bridge and at the same time as a wireless access point (WAP). It took me an hour of Googling to find out how to revert the device to its original TP-Link stock firmware.


First I stumbled upon a DD-WRT forum thread while looking for the simplest way to revert the TL-WR740N version 2.1 to its original factory stock firmware, and I found this:
I bought two TL-WR740N (Hardware v2.1) then I did the firmware update with the following dd-wrt image in this order:

1)http://www.dd-wrt.com/routerdb/de/download/TP-Link/WR740N/2.0/factory-to-ddwrt.bin/3841

2)http://www.dd-wrt.com/routerdb/de/download/TP-Link/WR740N/2.0/tl-wr740n-webflash.bin/3842
I was not lucky enough to get my device working with the above because my firmware was OpenWrt.

Another nice article I visited, written by goughlui, experimented with the same TP-LINK TL-WR740N using both DD-WRT and OpenWrt firmware, and he managed to revert it to the original TP-Link stock firmware; unfortunately his procedure didn't work for my device.

I headed back to the OpenWrt forum and read the TP-Link WR741N/ND page, since that model is identical to the WR740N; when I followed the how-to I managed to bring it back to its original stock firmware. Here's how I did it.

I assume your TP-LINK WR740N version 2.1 is running the third-party OpenWrt firmware.

I use PuTTY to log in to the device via SSH; just follow the commands.

cd /tmp

wget 'http://everbest.ftpserver.biz/TP-Link/Firmware/WR740N/wr740nv1_en_3_12_4_up(100910).bin'

Alternatively, if you cannot download the stock firmware (wr740nv1_en_3_12_4_up(100910).bin) via wget, you can download it to your local drive from the official TP-Link website.

Then use the PSCP.EXE utility from your M$ Windows box (you can download it from here):

PSCP.EXE -scp wr740nv1_en_3_12_4_up(100910).bin root@192.168.1.1:/tmp

The command above sends the stock firmware you downloaded to your local drive to the TP-Link WR740N running the OpenWrt third-party firmware. Once the file has completely uploaded, follow the next commands below.

cd /tmp

mv 'wr740nv1_en_3_12_4_up(100910).bin' tplink.bin

mtd -r write /tmp/tplink.bin firmware

This is the actual process on the TP-Link WR740N version 2.1:

root@OpenWrt:/tmp# mv wr740nv1_en_3_12_4_up(100910).bin tplink.bin
root@OpenWrt:/tmp# mtd -r write /tmp/tplink.bin firmware
Unlocking firmware ...

Writing from /tmp/tplink.bin to firmware ...
Rebooting ...

After the WR740N reboots, point your web browser to its default address http://192.168.1.1 and you will see the login page.


Congratulations! You have just reverted your TP-LINK WR740N version 2.1 from OpenWrt to its original stock firmware without using a serial debricking kit.

Mar 8, 2014

Partitions, Formatted volumes and Other Disk Disasters

Power Recovery is powerful data recovery software that will scan and find lost partitions, boot sectors and other file system components. Power Recovery can detect drives even if they are not visible in explorer. The full directory structure of the drive is displayed (even on NTFS Drives where it is recoverable) and the built in search feature makes finding files much easier. The Recovery Wizard allows even novice users to successfully recover lost data.

Power Recovery Features:
  • Supported file systems: FAT 12/16/32 (used by hard disks, disks, Smartmedia™, Compact Flash™, Memory Stick and other) and NTFS (used by hard drives)
  • Ability to scan all volumes in a local machine and build a directory tree of all lost and deleted files.
  • Search lost and deleted files matching file name criteria.
  • Fast scanning engine allows the file list to be built in a few minutes.
  • Easy to understand File Manager and typical Save File dialog.
  • Secure undelete: program does no write operation on drive containing files to be undeleted.
  • Saving data to any Windows drive (including network drives, removable media, etc.) is possible.
  • Supports compressed and encrypted files (for NTFS).
  • Report lists of recovered files (i.e. for forensic use) can be saved to disk or printed.
  • Download Power Recovery

Creating a Recovery Disk on a USB Flash Disk

HP and Compaq PCs with Windows Vista or Windows 7 are configured with a recovery manager that can return the computer to its original operating condition. By default, the Recovery Manager creates a bootable disk on a blank DVD disc in the optical disc drive. HP also provides a USB Recovery Flash Disk Utility to create a bootable disk on a USB Flash Disk.

Using a Flash Disk is helpful for notebooks that do not have an internal optical disc drive. The USB Recovery Flash Disk Utility requirements include:
  • Only one copy of the recovery disk can be created. If you have already created or attempted to make a recovery DVD, do not try to use the Flash Disk Utility.
  • The computer must have the original HP configuration, including the recovery partition, with either Vista or Windows 7.
  • Recovery disk cannot be created if the original operating system has been changed.
  • You cannot use the Flash Disk Utility if the Recovery partition has been removed.
  • The USB Flash Disk must have at least 8 GB of free space available.
A standard 8GB drive may not have the full amount of space available for creating a recovery disk. Depending on the brand, a small amount of the Flash Disk space may be used by the file system, or there may be space lost in bad sectors. Use a 16GB (or larger) Flash Disk for best results.

Because the recovery manager files being created will be used to protect your computer for years to come, you should select a quality Flash Disk product made by a well known manufacturer. Store the recovery disk in a safe place away from the computer.

Download USB Recovery Flash Disk Utility

The utility for creating a recovery image on a USB flash disk is specific to the operating system. To locate and download the correct software click one of the following links to download the HP Recovery Flash Disk Utility for Vista or HP Recovery Flash Disk Utility for Windows 7 softpaq.

When prompted to either save the file to your computer or run the file from the web, select Save and download the softpaq to a convenient location on your hard drive, such as the desktop.

NOTE: Do not select Run during the download. Save the program to your hard drive so you can disconnect from the web and run the disk creation at a time you choose. If you select Run, the disk creation process will start immediately and you cannot use the computer while the recovery disk on the USB Flash Disk is being created.

Run USB Recovery Flash Disk Utility

Creating the recovery disk on an 8GB or larger USB Flash Disk can take 30-60 minutes or more. Do not use the computer for any other activities during the creation process.
You can create the recovery disk by performing the following steps:

CAUTION: This process will involve data loss for anything currently on the USB flash disk as a format will be performed during the creation process.
  • Connect the notebook to the proper AC power supply.
  • Save and close all other computer programs.
  • Insert the 8GB or larger USB Flash Disk in the USB connector.
  • Double-click the USB Recovery Flash Disk Utility, which was downloaded earlier, to launch the utility.
  • When prompted, accept the software user agreement.
  • When prompted, select the desired USB Flash Disk.
  • Allow the utility to examine the notebook and then create the USB Flash Disk recovery disk.
During the creation process, the computer will pause periodically and there will be no signs of activity for long periods of time. Do not interrupt the disk creation process, turn off the power, or attempt to remove the USB disk. When the creation process is complete, the computer will restart and prompt you to log in.

You should now have a bootable recovery disk on a USB flash disk that can be used to restore your computer to its original factory condition.

Mar 4, 2014

Arduino: The Simplest JTAG Adapter

A good while ago I won one of the free PCBs regularly given away by DIY hardware shop Dangerous Prototypes. My board of choice was a CPLD breakout board, for the Xilinx XC9572XL. CPLDs are the smaller brother of FPGAs: "programmable logic" chips that can be made to act as any integrated circuit within the device's limits. The XC9572XL is programmed via a standard JTAG interface. I did not have anything that speaks JTAG so went looking if my Arduino can be turned into an appropriate programmer. The solution that I found, however, did not work; so I built my own.

"Normally", to program a CPLD, or FPGA, one buys an expensive interface cable and uses it with the software development suite supplied by the particular chip's vendor. Of course there are plenty of DIY alternatives; in fact, Dangerous Prototypes sell one or two. One of my goals with this project was, however, to spend next to no money on it. I got the circuit board for free, the parts cost around 3EUR, and I had already done a similar job with my Arduino Atmel programmer.

So after soldering the board I flashed the abovementioned JTAG code onto the Arduino. This was my second time SMD-soldering so I was not expecting the board to work on first try. But even after checking every connection with a multimeter, JTAGWhisperer would do apparently nothing after receiving the first chunk of data. I eventually gave up searching for the cause.

Instead I decided to write a very simple Arduino program that allows direct interaction with the JTAG interface from a serial terminal. It is called jtagbang because it is essentially bit-banging on the JTAG pins. By pure coincidence, it also requires frequent use of the exclamation mark ("bang") when talking to it.

I didn't know anything about JTAG until three days ago. Now I know that it is awesome. The point of JTAG is to connect to any number of chips in some circuit design, taking up next to no space on the board, requiring only very simple support from the chip, and allowing the user to inspect and manipulate virtually every pin and connection at any time without touching anything. I call it f*cking magic.


These LEDs are lit because I told the chip I needed those outputs on for testing purposes.

Unfortunately I cannot explain the magic in the space of this post, however, here is a link to the IEEE specification. While IEEE doesn't want you to read their standards, someone has helpfully put the 2001 version on slideshare… Reading that spec is still not much fun, but I made a drawing of the important part.


So, long story short: Upload the attached sketch to an Arduino, take a peek at the top of the file maybe, and connect to it with a terminal emulator (read minicom) or the Arduino IDE's serial monitor (set to line-ending "Newline"). Enter a capital X and it will interrogate the JTAG interface to find all the connected devices (chips). It lists their built-in identification codes which take the form of 32 bits in four groups:

59604093 [0101 1001011000000100 00001001001 1]

The groups are, from most to least significant bit: 4-bit product version (5), 16-bit product code (9604 is the XC9572XL), 11-bit manufacturer code (00001001001 is Xilinx), and one bit that is always 1 for thaumaturgic reasons.
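The IDCODE layout just described, as an added host-side Python example (not the post's jtagbang sketch): decode_idcode() splits a 32-bit code into the four fields, format_idcode() reproduces the grouped binary form shown above, and walk_chain() parses a raw TDO bit capture into devices, treating a leading 0 as a device that only has a BYPASS register (which is exactly why the LSB of a real IDCODE is fixed at 1). The capture is constructed; the JEP106 table holds only the Xilinx code from the post.

```python
"""Decode IEEE 1149.1 IDCODE registers as reported by a JTAG chain scan.

Added example, not the post's Arduino code. SAMPLE_CAPTURE is a constructed
TDO bit sequence: one bypass-only device, the XC9572XL from the post, then
32 ones from a pulled-up TDO once the chain is exhausted.
"""

# JEP106 manufacturer IDs; only the code named in the post is filled in,
# everything else is reported numerically.
MANUFACTURERS = {0x049: "Xilinx"}


def decode_idcode(code):
    """Split a 32-bit IDCODE into (version, part_number, manufacturer, lsb_ok).

    Layout, MSB to LSB: 4-bit version | 16-bit part | 11-bit manufacturer | 1.
    The fixed 1 in bit 0 is what lets a reader tell an IDCODE apart from a
    device that only has a BYPASS register, which captures a 0.
    """
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("IDCODE must fit in 32 bits")
    version = (code >> 28) & 0xF
    part = (code >> 12) & 0xFFFF
    manufacturer = (code >> 1) & 0x7FF
    return version, part, manufacturer, bool(code & 1)


def format_idcode(code):
    """Grouped binary form, e.g. '59604093 [0101 1001011000000100 00001001001 1]'."""
    bits = f"{code:032b}"
    return f"{code:08X} [{bits[:4]} {bits[4:20]} {bits[20:31]} {bits[31]}]"


def manufacturer_name(mfr):
    return MANUFACTURERS.get(mfr, f"unknown (0x{mfr:03X})")


def idcode_to_bits(code):
    """LSB-first bit list: the order a device shifts its IDCODE out of TDO."""
    return [(code >> k) & 1 for k in range(32)]


def walk_chain(tdo_bits):
    """Split bits shifted out of TDO after Test-Logic-Reset into devices.

    After reset each device's data register holds IDCODE (if present) or
    BYPASS (a single 0). IDCODE shifts LSB first, so a 1 means 'collect 31
    more bits'; a 0 is a bypass-only device. Devices appear nearest-TDO first.
    32 consecutive ones (0xFFFFFFFF, an invalid code) mark the end of the
    chain. Returns a list of ints, with None for bypass-only devices.
    """
    devices, i = [], 0
    while i < len(tdo_bits):
        if tdo_bits[i] == 0:
            devices.append(None)
            i += 1
            continue
        if i + 32 > len(tdo_bits):
            raise ValueError("truncated IDCODE at end of capture")
        code = 0
        for k in range(32):
            code |= tdo_bits[i + k] << k
        i += 32
        if code == 0xFFFFFFFF:
            break
        devices.append(code)
    return devices


SAMPLE_CAPTURE = [0] + idcode_to_bits(0x59604093) + [1] * 32

if __name__ == "__main__":
    for dev in walk_chain(SAMPLE_CAPTURE):
        if dev is None:
            print("bypass-only device (no IDCODE)")
            continue
        ver, part, mfr, ok = decode_idcode(dev)
        print(format_idcode(dev))
        print(f"  version {ver}, part {part:04X}, "
              f"manufacturer {manufacturer_name(mfr)}, lsb ok={ok}")
```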


I should find a PC mainboard to try this with.

Next, I need to get the CPLD programmed. Xilinx uses (X)SVF files for this, a file format that describes what to do on a JTAG interface in a more high-level fashion than my bit-banging. I need a "player" for this format that translates standard SVF commands into "bang language" and vice-versa. The good thing is that I can now do this in a high-level programming language of my choice entirely on the host instead of cramming it into the Arduino.

The adventure after that will be learning VHDL and designing an actual integrated circuit.

Attachment: jtagbang.ino (v0.1)

I am releasing the code under the terms of the quite permissive ISC license.

How-To Protect The MediaTek Firmware Destroyer

Just recently, in December 2013, there were many releases of MediaTek 4G WiMAX modem firmware; the Huawei BM622m and the myBRO DV235T from Green Packet Technology are among the devices for which netizens have posted free tutorials on forums on how to tweak them. These two (2) CPEs are the latest 4G WiMAX modems of Globe Telco and Smart/PLDT for their wireless broadband subscribers, claimed to deliver high-speed internet connections.

After the release of the firmware and the tutorials, many 4G WiMAX wireless broadband modems are now facing the so-called firmware destroyer. The screenshot below shows a Globe Huawei BM622m being accessed remotely and having a malicious script uploaded to it.

image credit to turbotor

Another 4G WiMAX modem is the myBRO DV235T manufactured by Green Packet Technology and used by Smart/PLDT; since it uses the same MediaTek chipset, it shares the same vulnerabilities. These two (2) 4G WiMAX CPEs are both insecure. If you are using one of these wireless home residential gateways, make sure the device is fully patched and do something to safeguard the modem, otherwise it could become a headache for you.

image credit to orl4nd

Of course, there is a solution for this exploit: you can manually close all the unprotected ports so that the remote attacker cannot get inside your myBRO or BM622m. Alternatively, changing the default username and password also helps protect your CPE from being tweaked by an unauthorized person outside your network.