Mar 4, 2014

Arduino: The Simplest JTAG Adapter

A good while ago I won one of the free PCBs regularly given away by DIY hardware shop Dangerous Prototypes. My board of choice was a CPLD breakout board for the Xilinx XC9572XL. CPLDs are the smaller brother of FPGAs: "programmable logic" chips that can be made to act as any integrated circuit within the device's limits. The XC9572XL is programmed via a standard JTAG interface. I did not have anything that speaks JTAG, so I went looking for a way to turn my Arduino into an appropriate programmer. The solution that I found, however, did not work; so I built my own.

"Normally", to program a CPLD or FPGA, one buys an expensive interface cable and uses it with the software development suite supplied by the particular chip's vendor. Of course there are plenty of DIY alternatives; in fact, Dangerous Prototypes sell one or two. One of my goals with this project was, however, to spend next to no money on it. I got the circuit board for free, the parts cost around 3 EUR, and I had already done a similar job with my Arduino Atmel programmer.

So after soldering the board I flashed the above-mentioned JTAG code (JTAGWhisperer) onto the Arduino. This was my second time SMD-soldering, so I was not expecting the board to work on the first try. But even after checking every connection with a multimeter, JTAGWhisperer would do apparently nothing after receiving the first chunk of data. I eventually gave up searching for the cause.

Instead I decided to write a very simple Arduino program that allows direct interaction with the JTAG interface from a serial terminal. It is called jtagbang because it is essentially bit-banging on the JTAG pins. By pure coincidence, it also requires frequent use of the exclamation mark ("bang") when talking to it.

I didn't know anything about JTAG until three days ago. Now I know that it is awesome. The point of JTAG is to connect to any number of chips in some circuit design, taking up next to no space on the board, requiring only very simple support from the chip, and allowing the user to inspect and manipulate virtually every pin and connection at any time without touching anything. I call it f*cking magic.


These LEDs are lit because I told the chip I needed those outputs on for testing purposes.

Unfortunately I cannot explain the magic in the space of this post, however, here is a link to the IEEE specification. While IEEE doesn't want you to read their standards, someone has helpfully put the 2001 version on slideshare… Reading that spec is still not much fun, but I made a drawing of the important part.


So, long story short: upload the attached sketch to an Arduino, take a peek at the top of the file maybe, and connect to it with a terminal emulator (read: minicom) or the Arduino IDE's serial monitor (set to line ending "Newline"). Enter a capital X and it will interrogate the JTAG interface to find all the connected devices (chips). It lists their built-in identification codes, which take the form of 32 bits in four groups:

59604093 [0101 1001011000000100 00001001001 1]

The groups are, from most to least significant bit: 4-bit product version (5), 16-bit product code (9604 is the XC9572XL), 11-bit manufacturer code (00001001001 is Xilinx), and one bit that is always 1 for thaumaturgic reasons.
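To make the four-group layout concrete, here is an added Python example (host-side code written for this post, not part of the jtagbang sketch) that decodes an IDCODE into its fields, prints it in the same form as the sketch, and walks a chain scan over a constructed TDO capture, including a device that has no IDCODE register and only offers BYPASS. The sample bit sequence is constructed for the example.

```python
# Added example, not the jtagbang sketch: decode the IDCODEs the "X" command shifts out.
from dataclasses import dataclass

@dataclass
class IdCode:
    version: int       # bits 31..28: 4-bit product version
    part: int          # bits 27..12: 16-bit product code
    manufacturer: int  # bits 11..1: 11-bit JEP106 manufacturer code
    raw: int

def decode_idcode(raw: int) -> IdCode:
    # Bit 0 of a valid IDCODE is always 1; see scan_chain for why.
    if not raw & 1:
        raise ValueError("not an IDCODE: bit 0 must be 1")
    return IdCode((raw >> 28) & 0xF, (raw >> 12) & 0xFFFF, (raw >> 1) & 0x7FF, raw)

def format_idcode(raw: int) -> str:
    # Same layout as the sketch prints: hex word, then the four bit groups.
    b = f"{raw:032b}"
    return f"{raw:08x} [{b[:4]} {b[4:20]} {b[20:31]} {b[31]}]"

def idcode_bits_lsb_first(raw: int) -> list:
    # Order in which a device shifts its IDCODE register out on TDO.
    return [(raw >> k) & 1 for k in range(32)]

def scan_chain(tdo_bits: list) -> list:
    """Interpret the bits seen on TDO after Test-Logic-Reset, nearest device first.
    A device with an IDCODE register shifts out 32 bits starting with a 1; one
    without it sits in BYPASS and shifts out a single 0 (reported as None). That is
    what the always-1 bit 0 is for: it lets the scanner tell the two apart.
    Thirty-two consecutive ones mean TDI's idle level has come through the whole chain.
    """
    devices, i = [], 0
    while i < len(tdo_bits):
        if tdo_bits[i] == 0:
            devices.append(None)
            i += 1
            continue
        word_bits = tdo_bits[i:i + 32]
        if len(word_bits) < 32:
            break  # truncated capture
        word = sum(bit << k for k, bit in enumerate(word_bits))
        if word == 0xFFFFFFFF:
            break  # end of chain
        devices.append(decode_idcode(word))
        i += 32
    return devices

# Constructed TDO capture: the XC9572XL from the post, a BYPASS-only device,
# a second XC9572XL, then the ones that mark the end of the chain.
SAMPLE_TDO = (idcode_bits_lsb_first(0x59604093) + [0]
              + idcode_bits_lsb_first(0x59604093) + [1] * 32)
```

Running `format_idcode(dev.raw)` over `scan_chain(SAMPLE_TDO)` reproduces the line shown above for each XC9572XL and reports the middle device as BYPASS-only.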


I should find a PC mainboard to try this with.

Next, I need to get the CPLD programmed. Xilinx uses (X)SVF files for this, a file format that describes what to do on a JTAG interface in a more high-level fashion than my bit-banging. I need a "player" for this format that translates standard SVF commands into "bang language" and vice-versa. The good thing is that I can now do this in a high-level programming language of my choice entirely on the host instead of cramming it into the Arduino.

The adventure after that will be learning VHDL and designing an actual integrated circuit.

Attachment: jtagbang.ino (v0.1)

I am releasing the code under the terms of the quite permissive ISC license.

How-To Protect The MediaTek Firmware Destroyer

In December 2013 there were many releases of firmware for MediaTek-based 4G WiMAX modems, the Huawei BM622m and the Green Packet Technology myBRO DV235T among them, along with tutorials given away for free by netizens on forums on how to tweak both devices. These two (2) CPEs are the latest 4G WiMAX modems of the Globe telco and of the Smart/PLDT ISP for their wireless broadband subscribers, marketed as high-speed internet connections.

After the release of the firmware and the tutorials, many 4G WiMAX wireless broadband modems are now facing the so-called firmware destroyer. The screenshot below shows a Globe Huawei BM622m being accessed remotely and having a malicious script uploaded to it.

image credit to turbotor

Another 4G WiMAX modem is the myBRO DV235T, manufactured by Green Packet Technology and used by Smart/PLDT; since it uses the same MediaTek chipset, it shares the same vulnerabilities. Both of these 4G WiMAX CPEs are insecure. If you use one of these wireless home residential gateways, make sure the device is fully patched; you must do something to safeguard this modem, otherwise it could become a headache for you.

image credit to orl4nd

Of course, there is a solution for this exploit: you can manually close all the unprotected ports so that the remote attacker is not able to get inside your myBRO, and likewise the BM622m. Alternatively, changing the default username and password also helps prevent your CPE from being tweaked by an unauthorized person from outside your network.

Feb 28, 2014

How-To Change Admin Password PLDT MyDSL SpeedSurf 504AN

This tutorial is on how to change the default admin username and password of the PLDT myDSL residential gateway, model SpeedSurf 504AN wireless modem router.


Because the Philippine giant telco uses many different modem router devices for its broadband subscribers, it also has several default usernames and passwords for the different residential gateways. If you Google it, you can find many results that give the credentials for the user and admin accounts of PLDT myDSL modem routers.

Here are my few step-by-step instructions on how to change the default admin username and password of the PLDT myDSL SpeedSurf 504AN.

1. Once the PLDT myDSL SpeedSurf 504AN is powered on and all the LEDs are stable, plug a LAN cable from any LAN port of the modem router directly into the Network Interface Controller (NIC, aka LAN card) of your PC or laptop. Make sure that the LEDs of both the modem router and your PC/laptop are blinking, otherwise you cannot open the graphical user interface (GUI) of the device.

Open your favourite web browser and point it to http://192.168.1.1; you will be taken to a login page and asked for a username and password. You may use the default credentials given below.

User Name: adminpldt
Password: 1234567890


2. Next, navigate to the Admin main menu, then click the Password sub-menu. Now you can select Admin and choose a Privilege from the drop-down.


This proves that the default admin password of the PLDT myDSL can be changed once the hidden elements are shown.


All PLDT myDSL modem routers with built-in wireless LAN have the same default WiFi password format, which looks like this: PLDTWIFI + the last five (5) characters of the device's MAC address.

Feb 27, 2014

Motorola Netopia 3347-02 Insecure


The Motorola Netopia 3347-02 is a router that offers both wireless and traditional wired capabilities. This makes it possible to connect to a standard fast Ethernet connection while also providing the option of wireless connectivity. The slim 1.5 x 7.7 x 6.7-inch Motorola Netopia 3347-02 weighs a modest 4 lbs, which makes it easy to store almost anywhere in the office or home. The 4-port wireless router is capable of supporting four separate desktop or laptop computers on a given network. A detachable antenna makes the Motorola router easy to use as a wireless device when needed. The Motorola Netopia 3347-02 has a maximum file transfer rate of 100 Mbps, and it includes Wireless G technology. Firewall protection is included in the Motorola router for automatic security from network intruders and potential threats while surfing the Web. Four LED indicators on the front face of the wireless router show the power, status, activity, and link state of the system.


If you use the Motorola Netopia 3347-02 to reach the DVR or NVR of your IP cameras remotely, this modem router is not a good choice: your public IP address will be exposed to the public on the net.

Product Identifiers
Brand: Motorola
Model: Netopia 3347-02
UPC: 666947008372, 666947008907

Key Features
Wireless Technology: Wireless G
Port Speed: 10/100
Built-in Modem: Yes
Connectivity: Wired & Wireless
Router Functionalities: Cable Modem, DHCP Server, Firewall, VPN Pass-Thru
Port Qty: 4-port Built-In Switch
Antenna Type: Detachable Antenna x 1

Interfaces
LAN Interfaces: 10 Base-T, 10/100 Base-T, 100Base-TX
WAN Interfaces: 1 x 10 Base-T/100 Base-TX, 1 x RJ-11 for ADSL

Standards
WLAN Standards: IEEE 802.1Q, IEEE 802.11b, IEEE 802.11g, IEEE 802.11g/b, IEEE 802.11i, IEEE 802.3, IEEE 802.3u
DSL Standards: ADSL Full Rate (G.DMT ITU G.992.1), ADSL Lite (G.Lite ITU G.992.2), ADSL2 DMT (ITU G.992.3), ADSL2 G.lite (ITU G.992.4), ADSL2+ (ITU G.992.5)

Protocols
General Protocols: AAL5, DHCP, IP, IPSec, L2TP, PPPoA, PPPoE, PPTP
Remote Management Protocols: HTTP, SNMP 1, SNMP 2, Telnet
Routing Protocols: IGMPv2, IGMPv3, RIP Version 1, RIP Version 2, Static Routing
VPN Protocols: IPSec Pass-Thru, L2TP Pass-Thru, PPTP Pass-Thru

Firewall / VPN
Firewall Features: DoS Prevention, MAC Address Filtering, NAT
Authentication: Radio Service Set ID (SSID)
VPN Encryption: 3DES, DES, IKE, MD5, SHA-1
VPN Protocols: IPSec Pass-Thru, L2TP Pass-Thru, PPTP Pass-Thru

Wireless
802.11b Data Rates: 11 Mbps, 5.5 Mbps, 2 Mbps, 1 Mbps
802.11g Data Rates: 54 Mbps, 48 Mbps, 36 Mbps, 24 Mbps, 28 Mbps, 12 Mbps, 9 Mbps, 6 Mbps, 5.5 Mbps, 2 Mbps, 1 Mbps
Max Transfer Rate: 54 Mbps
Nonstandard Data Rate: 11 Mbps (802.11b), 54 Mbps (802.11g)
Upstream Speed: 1 Mbps
Modulation: 16QAM, 64QAM, BPSK, CCK, DBPSK, DQPSK, DSSS, OFDM, QPSK
Security: 802.1x, AES, DES, MD5, WEP, WEP 128-bit, WEP 256-bit, WEP 64-bit, WPA, WPA-PSK, WPA2, Wireless MAC Address Filtering
WEP Encryption Length: 128 bit, 256 bit, 40 bit (=64 bit)

Other Features
LED Indicators: Activity, Link, Power, Status
Additional Features: DMZ Support

Dimensions
Height: 1.5 in.
Width: 7.7 in.
Depth: 6.7 in.
Weight: 4 lb

How-To : Setup PLDT DSL With Wireless Router

I’ve been planning on getting the house Wi-Fi enabled for the past few months now and have only been able to purchase a wireless router just last weekend. Got tired of seeing too many cables lying around so I got rid of those and went the Wi-Fi way. Plus, I don’t want to add another network cable for my new toy coming next week. I had the entire setup planned months ago but to my surprise it didn’t work like I expected. Searching around Google for instructions and guides turned up nil so here’s a guide to help those that are having the same problems that I had setting up a wireless network.

Note: This how-to is only for those that are on PLDT myDSL’s legacy lines. How would you know if you’re on a legacy line? Legacy lines are those still using PPPoE/PPPoA connection protocols (or in more simple terms, you still need a username/password to get connected).

I have a Linksys WRT54G as a wireless router, but this should work for most routers out there as well. If you're on a legacy line then most likely you have a ZyXEL P-600 series modem/router that was provided by PLDT together with your DSL. Make sure your PC is connected to the ZyXEL modem first, then proceed below.
  • Access the web control panel of your ZyXEL modem by typing the IP address of your modem into a browser (e.g. http://192.168.1.1).
  • Log in to the web control panel (default username/password: admin/1234) of the modem and go to the WAN settings.
  • Change the settings to the following and save:
    • Routing mode: Bridge
    • Encapsulation: RFC 1483
    • Multiplex: LLC
  • Disconnect the ZyXEL modem from your PC and connect it to the WAN/Internet port of your wireless router (refer to the manual of your wireless router to locate the Internet/WAN port).
  • Connect your PC to one of the LAN ports of your wireless router. Your setup should now look something like this: DSL -> ZyXEL modem -> Wi-Fi Router -> PC
  • Now access the web control panel of your wireless router the same way you accessed the ZyXEL modem. With mine, the default IP address of the router was 192.168.1.1 and the default username/password is /admin (just leave the username blank).
  • Once you're in the control panel, set the connection protocol to PPPoE/PPPoA and enter the username and password of your DSL account. Your username should be in this format: xxxxx@pldt. Call PLDT if you don't know your username and password.
  • Now here's the most important part. Change the IP address of your wireless router so that it is not the same as your ZyXEL modem's, while making sure they are on the same network (e.g. if your ZyXEL modem's IP is 192.168.1.1, change your wireless router's IP to 192.168.1.2).
  • Save the changes you've made.
  • Now go to the Wireless settings of your wireless router and enable it. Provide any information needed, such as the SSID. Make sure to turn on security for your Wi-Fi by using either WPA or WEP to avoid someone hacking into your router.
  • Save the changes and you should be ready to surf wirelessly anywhere the router's signal can reach you. ^^
Some tips for your new wireless router:
  1. Make sure to change the default username/password of your wireless router.
  2. I suggest using WPA or WPA2 for your wireless security as it makes hacking a lot harder than WEP.
  3. Also, try adding a MAC Address filter to prevent unauthorized PCs from connecting to your access point.
  4. Disable SSID broadcasting so that others will not see your wireless router (including you I’m afraid). Since you know your SSID you can easily connect to it anyway.

Overunity Magnet Motor Plans And The Significance Involving Over Unity

Building an over unity device using overunity magnet motor plans. Over unity is a term for any machine that creates more electric power than it uses: the electric power output of the system is greater than that of any electricity source used to run the machine. Nowadays there is a great deal of interest in the permanent magnet motor, and many individuals are finding it a viable, low-priced alternative to offset their residential electric costs, with the aid of a good set of overunity magnet motor plans for building an over unity magnetic generator.


An over unity system usually has magnets mounted on a disk, together with a further group of magnets that are in a predetermined layout on a base around the circumference, according to the specs in the overunity magnet motor plans you are using. These magnets are set up so that they are alternately attracted and repulsed, thus rotating the disk by the magnetic properties of the magnets.

Big Oil Disapproves of "Overunity Magnet Motor Plans"

It seems a very simple science, and one might wonder why nobody has considered this in the past. Well, the idea was considered before; take note that nobody but us "free thinking people" would like a free power source. Big business and government prefer that you remain reliant on them for your electrical power needs. Not surprisingly, where would "these companies" be without "all of us" stuck paying for their consumable electrical goods? The last thing they want is a zero-cost energy source, unless of course "they" control it.

Over Unity Magnetic Generator - How It Works

In simple terms, this device operates through a series of permanent magnetic force fields produced by the magnets' opposing north and south poles. I'm sure you've held a couple of magnets together at some point in your life: one side repels the other magnet, the other side attracts it.

Quite simply, this is how the magnet motor keeps operating to produce over unity continuously, at least for four hundred years, which is the length of time a standard magnet can keep its magnetic charge. Using a detailed, step-by-step set of overunity magnet motor plans for constructing this motor, the typical do-it-yourselfer can finish the project in a weekend and be reducing their monthly energy bill at the same time.