When DNS goes bad
This year someone in China misconfigured something which effectively exported China’s main method of implementing blocks (man in the middle DNS spoofing) semi globally over the Global Crossing backbone for the last few weeks.
Effectively, China’s blocking went global (for certain providers).
Obviously I’ve had waaaaaaaaaay too much fun with my newly purchased coffee machine today.
Photos (and story) below.
It’s a match of the titans.
Frog design vs A+P Cahen.
No holds barred, it’s Cube vs Cube.
In the left corner, we have the old, the venerable…
Part frakkin Toaster, part computer, (ex) fishtank, part space heater.
The newcomer with an attitude, he’s shiny, and he isn’t afraid to show it off.
I was reading a post up at Carsonified (http://carsonified.com/blog/dev/bulletproof-backups-for-mysql/), which talked about MySQL backups.
While he slightly re-invents the wheel, it’s fairly similar to what we do over at Computer Solutions as a solution for Backup.
How do we do it?
As it’s been a while since I did any hardware stuff (other than some dabbling in Arduino), I decided I would try and resuscitate a bricked 941n router. I had given it to the staff to fiddle with, but they needed a push in the right direction for where to start.
First I needed tools.
Luckily China is pretty awesome when it comes to getting electronic bits and pieces so most of what I needed was a mere Taobao away.
As the crap soldering irons in the office weren’t going to hack it, my first purchase was a decent soldering iron.
I took a look at the Wellers (which I used in a previous lifetime), and decided that the pricing was a little too steep for my liking!
Taobao had plenty of cough, cough ‘clone’ Hakko 936s though, so I bought one of those, 10 tips and some solder for a little less than 200RMB delivered to the office.
I could have gone to buy it over in the electronics mall over in Beijing Lu, but seriously, Taobao is easier.
While I was at it, I also ordered a Rek DC power supply, and some JTAG cables.
The PSU isn’t totally useful for router hacking, but we do have a lot of people that forget to bring laptop chargers with them, so it will come in handy for that. Looks pretty nifty too.
Next up was a serial-to-TTL adaptor, as the TP-Link uses TTL voltage apparently, and I needed to convert into standard PC serial.
I bought 2 adaptors, one USB one, with rather crappily made headers, and a rather nicer serial one with pins.
As I’m rather crap at soldering, I totally expected to bork something up, but amazingly I got the headers installed relatively easily, and even managed to bridge pad (R356) to enable serial first go (as per the wiki).
I plugged in my serial adaptor to the computer, and powered up the router.
Surprisingly everything worked first time around, and I got some serial output in HyperTerminal.
A few nanoseconds later I got to experience again how much I hated HyperTerminal.
Grumble CPU usage grumble frozen input grumble mutter… and installed PuTTYtel instead.
PuTTY also seems to autodetect the kernel speed nicely (as boot changes from 9600 to 115,200 baud), which is a bonus.
I still need to time it right so I can catch the u-boot in time to stop it, and, I also still need to reflash it, but the hard part is done!
Total cost – roughly 250RMB for parts (soldering iron, tips, serial TTL adaptor, pin headers, JTAG stuff etc), plus about an hour of time, most of which encompassed clearing my desk enough so I could solder 🙂
I’m all set up for more journeys into equipment though, and I can now completely recover borked equipment handily.
https://forum.openwrt.org/viewtopic.php?id=18354&p=1 (Thread on TL-WR941 hacking)
http://item.taobao.com/auction/item_detail-db1-3fbe7be878a7aa35dd4ec1e4260113e8.jhtml (RS232 TTL)
http://item.taobao.com/auction/item_detail-db2-3c9886e66da40119a6c72fe03c4b8d38.jhtml (Hakko 936 + tips)
http://item.taobao.com/auction/item_detail-0db1-4fbc4e80f96ae37dbd34b9cb466aa642.jhtml?cm_cat=0 (Wiggler JTAG)
Currently I have an iPhone (ancient 2G), and have just bought a Dell Mini3i (600RMB with an 18-month contract @ China Telecom), as I donated my 3G iPhone to one of the extended family back home.
The Mini3i runs an Android variant called OPhone.
The 3i is a little underwhelming software wise.
It’s quite crap at the moment as it’s sitting on Android 1.0 (OPhone 1.0), but for all intents and purposes Android = OPhone; it’s pretty much the same underneath.
There are a bunch of similar phones to this – the Lenovo O1, LG GW880, Motorola something or other (can’t be hassled to go look) etc.
While I haven’t rooted mine just yet, I have been playing around, and reading the Chinese forums.
Boot loader appears to be similar on all the devices – it’s made by BORQS in Beijing, and appears to be quite basic.
Motorola and O1 seem to have the best support for now, the main problem in the Chinese forums is people bitching about being stuck on older versions.
Some are running 1.6, most on 1.5, and the unlucky few 1.0 “OPhone”.
2.0 and 2.1 have yet to hit the mainstream here.
There are people with N1/G5s (Nexus 1 / HTC G5) on 2.1 though (yes, that’s you in Beijing Tom!), pretty much any phone is available, although anything with wifi is essentially grey import from overseas (HK mostly).
Back to the phone –
Thankfully you can install any apps as APKs, no need to hack for that – so it’s fairly easy to get info on the innards.
RootExplorer is your friend 🙂
RootExplorer also allows you to remount partitions r/w, so root access is fairly easy too. There are precompiled su binaries for 1.5 out there, although I’ve yet to do my phone.
The Dell mini3 is running on a Marvell Tabor. Fast chip, nice touchscreen, decent resolution, just crap on 1.0.
Firmware files for most of the “OPhones” (except Motorola) are mff files.
The mff files appear to just be compressed images with instructions for how to write the various partitions out.
E.g. the Lenovo O1 mff has this in the “mff” zip:
2010/02/25 10:53 147,111,936 factory_CHERRY.fbf
2010/02/25 10:53 249 factory_CHERRY.mff.mlt
2010/02/25 10:53 364 JADE_EVB_RawNANDx16.ini
2010/02/25 10:53 327 magic_fbf.ini
2010/02/25 10:53 2,692 magic_fbf_inner.ini
2010/02/25 10:53 10,236,719 mfw.pac
2010/02/25 10:53 54,180 MHLV_NTDKB_h.bin
2010/02/25 10:53 176 MHLV_NTDKB_TIM.bin
2010/02/25 10:53 858 NTIM_td.ini
magic_fbf_inner.ini has the layout
Different phones have different firmware writing software: the Motorolas are using RSDLite, LG – SML_OMS, CTHall, others something homegrown called Firebolt, which is written by BORQS. I have all the firmware tools already, despite the Ophone8 forums’ lack of courtesy in sharing, grrr.
Most firmware tools appear similar though functionality wise.
Haven’t played around inside the phone yet to see if it’s easy to get JTAG access, although that was mostly because I couldn’t work out how to remove the top part without breaking it.
If anyone wants more info, or a firmware dump let me know.
Hopefully there is some interest out there in the English speaking world for these!