After checking away the requirements (one of which was not to go down in resolution to the crap they sell nowadays), I decided on a T6x series.

A T60 with a 1400×1050 screen was about RMB2500 on Taobao with fairly decent spec’s – DVD Writer, Bluetooth, Fingerprint Reader, SATA, Extended Battery. 3 month warranty, with a replacement 7 day swap for another unit. I sent my staff to go take a look at the shop, they liked, and I was soon the owner of an ex-corporate laptop that looked like it came from Singapore originally (according to the model / software licence sticker on the laptop). It even came with a legitimate licenced copy of Windows.

As I had ordered one for test purposes to see what the quality was like, I was pleasantly suprised. The one I received is pretty much in mint condition. In fact its in such good condition, that I decided I would keep it for myself!

I’m justifying it as I need a PC for development work. Although my collection of Mac’s are nice, sometimes you still need something with ‘old skool’ outputs – eg Parallel, Serial* for development work.
*No serial onboard but the docking bay has.

While I was doing the research into what exactly to get, I noticed a small piece in the Thinkpad Wiki where they mentions briefly that the screens on the 15" models can be replaced with higher resolution ones.

This was also something that was brought up on a recent Slashdot post where people mention the lack of good higher resolution screens.

I checked out the model number that they referenced – IAQX10N, and my favourite online site had sellers. As I’m in China, certain things are cheap, and luckily this happened to be one of them.

I ordered a suitable 15" donor screen from Taobao for the princely sum of 800rmb.
The LCD took a while to get here, mostly as it was shipped from Japan. We ordered on Friday, and it arrived Tuesday afternoon.

This screen is an original IPS IDTech, which is priced insanely well, considering what they used to charge for these!

Although I performed this upgrade on a T60 series, this upgrade can be done on any of the 15″ IBM (non-widescreen models), from the T43p -> T61p (post T61, they went lo-res widescreen, which sucked). Older Thinkpad laptops, and laptops with 1024×768 resolution also need a replacement LCD cable (which is roughly 100RMB on Taobao).

Removing the old LCD was easy (as IBM engineering is excellent).

I recommend you prepare by unplugging the power adaptor, and also removing the battery from the laptop, so that you don’t accidentally turn it on while disassembling it. Once you’ve done that, you can start.

First step was to remove the 3 bottom screws on the front.
Those are hidden behind round stickers, so use a small screwdriver, and gently nudge the stickers off.
Once you have those off, unscrew and place the screws / stickers into something suitable for storage (a clean ashtray is ideal).

Now do the same to the 3 sticker / screws located at the left side of the screen, and the 3 sticker / screws on the right side of the screen.

Put all the stickers and screws into your container. As all the screws are the same size, we don’t need to separate them.

The front cover will still be clipped in, pick a corner, and gently pull away using fingernails or a credit card inbetween the front / back edge. Keep going up until you have one side unclipped, then continue until the whole front is unclipped. The bottom part of the screen has some double sided tape affixed at the bottom. If the front doesn’t want to come off easily, be patient. Mine took about a minute to take apart (once the screws were off). Take your time, and don’t break anything.

Eventually you should have separated the cover from the front.

Here’s what my screen looked like sans cover.

Once the cover is off, you should be able to slowly push the existing screen downwards towards the keyboard (make sure that you don’t drop it, use a hand to support it on its way down).
The IBM keylight is attached at the top of the case (connected to the LCD cable), it should pop out of its seat on its own, but if it doesn’t, carefully unlatch it while you pull the LCD downward.

You should see something similar to this now:

The LCD should be facedown flat on the keyboard by now, so lets unplug the connectors.
There are 2 connectors – 1 for power, and 1 for the screen. Lets start with the screen cable.

Peel the plastic covering the back up slightly, and you’ll see the cable and connector. In the photo below I’ve already unplugged the cable. Pull gently levering side to side to pull the connector out. In my case it was fairly easy to do.

Here’s a closer look at the connector:

The bit hanging off the top of the connector is the ThinkLight. (aka the Keyboard light most people don’t know about!)

The other connector (the power one), should be fairly straightforward – pull gently, and unplug.
(No photo’s, as I forgot!).

The LCD should be removable now.

We’ll also need the side mounts, so unscrew those from the LCD.

Place the old LCD somewhere safe face up. By this point, I’d unpacked my other LCD, so I placed it into the same packaging that the new one came in – an antistatic bag, and a boatload of bubble-wrap.

Start off by putting the new LCD facedown on the keyboard in the same orientation as the old LCD.
Plug in the screen connector, and the power connector.
Although the ThinkWiki said I’d need to bend a cable, my unit fit perfectly.

We’re ready to test now.
Carefully place the screen faceup, and plug in the power adaptor.

Hopefully you don’t see any magic smoke, and your Thinkpad makes the appropriate noises.
In my case, I lucked out, and I didn’t even need to flash the LCD EDID (as per the Wiki).
I booted into my OS (Linux Mint in this instance), and saw a login screen. Yay!

Note that the screen still has its protective shipping cover on, so looks a little dull.

More test shots below:

As you can see, the laptop recognizes the resolution – both Gizmodo, and Engadget fit nicely side by side, and the control panel shows our 2048 x 1536 QXGA goodness.

Sadly, we now have to shut everything down again.

Unplug the power again, and place the screen face down again.
Carefully screw in the side mounts to both sides of the LCD. Remember, be gentle.

Put the LCD face up again, and lift into place in the case. Don’t force anything, everything goes in cleanly. You may need to route some of the cabling again – in my case I had to use a small screwdriver to push the left cabling back into the original positions.

Also don’t do what I did, and forget about the Keyboard light. In the photo below, you’ll see that although I have the screen installed nicely, I neglected to put the light in the top. Doh!

The light should fit into the top reasonably easily. Its a tight fit for the cable to reach, and would probably be easier with 3 hands helping out, but its doable on your own. Again, take it slowly, and carefully. If you get frustrated, take a break, and come back to it.

Once you have the LCD in, start by screwing in 1 screw on each side. You’ll need to lift the LCD slightly so that the screw holes line up. Once the first ones are in, the rest are easy. Do the sides (left, right) first.

We’re almost done.

Plug in the power again, and do another test run without the front facia, to make a final check.
All good?

Put the side stickers back on.

The front facia clicks onto the front. Line up the front facia carefully in its original position, and start pressing down. It should click nicely back into place. Go around the edges again, and push / click into place. Pay careful attention to the side cabling. If any cabling is in the way, use a small screwdriver to reposition the cable out of the way. Once the front is clicked into place, screw the remaining 3 bottom screws into place. Go around again, and make doubly sure that the front facia is clipped in 100%.

Slowly push the laptop lid closed, and make sure it all lines up ok.

From start to finish, mine took about 10 minutes total, so its relatively quick to do the replacement.
If you’ve never done something like this before, I’d estimate about 30 minutes max. Just remember – Be calm, go slowly, and be careful.

I’m now the proud owner of a laptop with a screen resolution that dates back to… 2002.
Yes, thats when they started making these screens.

Sadly, its all gone downhill from there, I’d love to be using something along the lines of 4096 x 4096 on my 24″ iMac, rather than having a laptop with better than HD resolution in a much smaller package.

Here’s the finished laptop –

Everything works perfectly, and the alignment / case fit is 100% perfect, which it should be, as IBM made the panels too!

As a non-vendor approved upgrade, this is probably the easiest upgrade I’ve done on a laptop too. Usually doing this stuff is fiddly.

Thankfully IBM Thinkpads (+-pre-Lenovo) are engineered properly..

So, after all this I now have a dual core laptop with a QXGA screen ( en.wikipedia.org/wiki/QXGA )

Total cost – RMB3300

Next step – upgrade it to a T61 motherboard, so I can install 8G ram…

References / Further Reading:
http://www.thinkwiki.org/wiki/Installing_a_QXGA_display_in_a_R/T60_or_61
http://forum.fatmanandcircuitgirl.com/forum_posts.asp?TID=590
http://wiki.keithl.com/index.cgi?QxGa – Flashing EDID (with i2C)
http://forum.thinkpads.com/viewtopic.php?f=29&t=77733

Thanks to Eric Rucker for taking the time to add to the Thinkpad wiki about it (otherwise I’d never have known!)

More pictures of the entire process below:

If I take a look at a sample kernel – eg
lr_cmos_11_14_1_46.bin

ls -al lr_cmos_11_14_1_46.bin
-rw-r--r-- 1 lawrence staff 1350539 Mar 15 13:47 lr_cmos_11_14_1_46.bin


Our file size for the file i have is 1350539 bytes.

A hexdump of the header shows:

00000000 42 4e 45 47 01 00 00 00 01 00 00 00 77 cb 0b 00 |BNEG……..w…|
00000010 00 d0 08 00 50 4b 03 04 14 00 00 00 08 00 3a 2e |….PK……..:.|
00000020 87 3b 3b e7 b8 16 03 cb 0b 00 bc d9 18 00 09 00 |.;;………….|

PK is the standard file header for Zip compression (as Zip was invented by Phil Katz)
Zip fingerprint in hex is – 0x04034b50, which matches nicely in our second line – 50 4b 03 04

On the offchance it contained a zip file, I tried unzipping from the start of the PK.

We can totally misuse dd to write from an offset of 20 bytes to a test.zip file as follows:


lawrence$ dd if=lr_cmos_11_14_1_46.bin of=test.zip skip=0x14 bs=1

Unfortunately this didn’t unzip.

However…

zipinfo test.zip
Archive: test.zip 1350519 bytes 1 file
-rw------- 2.0 fat 1628604 b- defN 7-Dec-09 05:49 linux.bin
1 file, 1628604 bytes uncompressed, 772867 bytes compressed: 52.5%

Says there is a valid zip file there, so we’re getting somewhere. It should be something like 772867 bytes + whatever Zip header / footer file bits in size.

If we take a look at the Zip file format, it says that the end of directory (aka end of zip file) marker is 0x06054b50

ZIP end of central directory record

Offset Bytes Description[4]
 0 4 End of central directory signature = 0x06054b50
 4 2 Number of this disk
 6 2 Disk where central directory starts
 8 2 Number of central directory records on this disk
10 2 Total number of central directory records
12 4 Size of central directory (bytes)
16 4 Offset of start of central directory, relative to start of archive
20 2 ZIP file comment length (n)
22 n ZIP file comment

If we search the file for that, we get:
000bcb70 78 2e 62 69 6e 50 4b 05 06 00 00 00 00 01 00 01 |x.binPK………|

So, from our Start PK 03 04 through to PK 05 06 we’re at position 0×14 through 0x0bcb79

If we write that out now –
dd if=lr_cmos_11_14_1_46.bin of=test.zip skip=0×14 bs=1 count=0x0bcb79

Then try unzip test.zip – we have a winner!

lawrence$ unzip test.zip
Archive: test.zip
inflating: linux.bin
lawrence$ ls -al test.zip
-rw-r--r-- 1 lawrence staff 772985 Apr 30 03:28 test.zip
lawrence$ ls -al linux.bin
-rw-------@ 1 lawrence staff 1628604 Dec 7 05:49 linux.bin


So, we know that the file has a header, then a zip file (which uncompresses to linux.bin, and has our linux binary), then more data.

If we take a look at what follows – ie the rest of the data in the original file after the end of the zip, it doesn’t look compressed

000bcb79 00 00 00 00 01 00 01 00 37 00 00 00 2a cb 0b 00 |……..7…*…|
000bcb89 00 00 2d 72 6f 6d 31 66 73 2d 00 08 cf a0 98 16 |..-rom1fs-……|
000bcb99 76 dd 72 6f 6d 20 34 62 31 63 62 36 38 66 00 00 |v.rom 4b1cb68f..|
000bcba9 00 00 00 00 00 49 00 00 00 20 00 00 00 00 d1 ff |…..I… ……|
000bcbb9 ff 97 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
000bcbc9 00 00 00 00 00 60 00 00 00 20 00 00 00 00 d1 d1 |…..`… ……|
000bcbd9 ff 80 2e 2e 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
000bcbe9 00 00 00 00 00 c9 00 00 00 80 00 00 00 00 8c 88 |…………….|
000bcbf9 9d 47 73 77 61 70 00 00 00 00 00 00 00 00 00 00 |.Gswap……….|

…

000bd969 50 7d 64 68 63 70 63 00 00 00 00 00 00 00 00 00 |P}dhcpc………|
000bd979 00 00 62 46 4c 54 00 00 00 04 00 00 00 40 00 01 |..bFLT…….@..|
000bd989 11 70 00 01 37 60 00 01 50 e8 00 00 28 00 00 01 |.p..7`..P…(…|
000bd999 37 60 00 00 02 b5 00 00 00 05 00 00 00 00 00 00 |7`…………..|
000bd9a9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
000bd9b9 00 00 1f 8b 08 00 f4 6b 45 3f 02 03 dc 5b 0f 70 |…….kE?…[.p|
000bd9c9 14 d7 79 7f bb 77 a7 bf 07 9c fe f0 c7 48 a0 95 |..y..w.......H..|
000bd9d9 50 88 5c 23 b3 02 19 64 23 e0 84 30 76 72 b8 9c |P.\#...d#..0vr..|
000bd9e9 31 50 6c 2b 58 06 d7 25 84 d6 ea 80 6d 02 8c 7d |1Pl+X..%....m..}|
000bd9f9 48 02 64 17 b0 00 91 12 17 fb b6 29 ed 60 86 c6 |H.d........).`..|
000bda09 4c aa 74 34 0e 71 0e 90 03 d3 d2 54 fc 51 87 30 |L.t4.q.....T.Q.0|

In fact it looks like more files...

bFLT is our flat ELF header..., and the other bits in-between look suspiciously like more files, and folders.
So, we probably have a filesystem in there.

Its late, and thats all for today, but it looks like we might even get to play around with both the linux image and the web UI image.

Just had another thought though - if you recall, our romfs size was 0x0008D000

Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a

What do we see here - in our header? 00000010 00 d0 08 00


00000000 42 4e 45 47 01 00 00 00 01 00 00 00 77 cb 0b 00 |BNEG……..w…|
00000010 00 d0 08 00 50 4b 03 04 14 00 00 00 08 00 3a 2e |….PK……..:.|


Seem to have a match, no? 0x 08 d0 00
I'm going to bet that our 0x 00 0b cb 77 also has some meaning too in our header 20 bytes, especially as the linux.bin zip file size is close to that at 0x00 0b cb 79.

Its highly probable I've miscounted something with the offset, and thats going to turn out to be the zip file size.

Now I've gotten this far, I'm too excited to go to sleep (its 4am here now!)

Lets try the filesystem from where we left off (aka from 0x0bcb79)
dd if=lr_cmos_11_14_1_46.bin of=unsure_what_filesystem.img skip=0x0bcb79 bs=1

mount -r unsure_what_filesystem.img
mount: unsure_what_filesystem.img: unknown special file or file system.

Nope.

Kyle's blog comment has this gem in

however the ‘-romfs-’ tag is offset by 0×14

so I used the line

fx 6 romfs.img 0x7f0a0000 0x7f0a0014 -a

the system then rebooted correctly…”

Lets use that as the start.

hexdump -C unsure_what_filesystem.img |more
00000000 00 00 00 00 01 00 01 00 37 00 00 00 2a cb 0b 00 |........7...*...|
00000010 00 00 2d 72 6f 6d 31 66 73 2d 00 08 cf a0 98 16 |..-rom1fs-......|
00000020 76 dd 72 6f 6d 20 34 62 31 63 62 36 38 66 00 00 |v.rom 4b1cb68f..|

-rom1fs- starts at position 0x12 [which is another indicator that I'm off by 2 bytes somewhere - as they mention 0x14 bytes, and the 12bytes prefix I have prior to the -rom1fs- are going to be from our second file header, I'll bet...
0x0bcb79 - 2 = 0x0bcb77, which is what the previous header said, so that really makes me think thats the filesize now!

Our ROMFS works out to be 577 536 bytes, which is 0x8D000, which is also what the boot loader said, so getting a lot of good confirmation on these figures!]

Write that out to another file:
dd if=unsure_what_filesystem.img of=still_unsure.img skip=0×12 bs=1

Still doesn’t mount on my Mac, however, some more googling for rom1fs uclinux got me here

http://romfs.sourceforge.net/

Which specifically mentions –

Embedded projects using romfs

uClinux, the microcontroller Linux, is a port of the kernel, and selected user-space programs to capable, embedded processors, like some “smaller” Motorola m68k, and ARM systems.

ROMFS looks like:

offset content
+—+—+—+—+
0 | – | r | o | m | \
+—+—+—+—+ The ASCII representation of those bytes
4 | 1 | f | s | – | / (i.e. “-rom1fs-”)
+—+—+—+—+
8 | full size | The number of accessible bytes in this fs.
+—+—+—+—+
12 | checksum | The checksum of the FIRST 512 BYTES.
+—+—+—+—+
16 | volume name | The zero terminated name of the volume,
: : padded to 16 byte boundary.
+—+—+—+—+
xx | file |
: headers :

struct romfs_super_block
{

__u32 word0;

__u32 word1;

__u32 size;

__u32 checksum;

char name[0]; /* volume name */

};

Which looks to be a *very* good match for what that header has!
So, its in ROMFS format from the -rom1fs- start header.

(Mostly from here – http://zhwen.org/?p=articles/romfs)

Unfortunately my OSX box appears to be missing romfs support, so I can’t check it without going back to the office.

mount -o loop -t romfs still_unsure.img /mnt
mount: exec /System/Library/Filesystems/romfs.fs/Contents/Resources/mount_romfs for /mnt: No such file or directory

Booted up my Debian VM, and tried again.

debian:/mnt/hgfs/FI8908，FI8908W# mount -o loop -t romfs still_unsure.img /mnt/test -r
debian:/mnt/hgfs/FI8908，FI8908W# cd /mnt/test/
debian:/mnt/test# ls -al
total 4
drwxr-xr-x 1 root root 32 1969-12-31 18:00 .
drwxr-xr-x 4 root root 4096 2010-04-29 16:19 ..
drwxr-xr-x 1 root root 32 1969-12-31 18:00 bin
drwxr-xr-x 1 root root 32 1969-12-31 18:00 dev
drwxr-xr-x 1 root root 32 1969-12-31 18:00 etc
drwxr-xr-x 1 root root 32 1969-12-31 18:00 flash
drwxr-xr-x 1 root root 32 1969-12-31 18:00 home
drwxr-xr-x 1 root root 32 1969-12-31 18:00 proc
drwxr-xr-x 1 root root 32 1969-12-31 18:00 swap
drwxr-xr-x 1 root root 32 1969-12-31 18:00 usr


We have a winner!

Full file listing below:

.
|-- bin
| |-- camera
| |-- dhcpc
| |-- ifconfig
| |-- init
| |-- iwconfig
| |-- iwpriv
| |-- mypppd
| | |-- chap-secrets
| | |-- options
| | |-- pap-secrets
| | `-- pppd
| |-- route
| |-- rt73.bin
| |-- sh
| |-- wetctl
| `-- wpa_supplicant
|-- dev
| |-- console
| |-- display
| |-- dsp -> dsp1
| |-- dsp0
| |-- dsp1
| |-- fb0
| |-- hda
| |-- hda1
| |-- hda2
| |-- hdb
| |-- i2c0
| |-- i2c1
| |-- key
| |-- keypad
| |-- lp0
| |-- mixer -> mixer1
| |-- mixer0
| |-- mixer1
| |-- mouse
| |-- mtd0
| |-- mtd1
| |-- mtdblock0
| |-- mtdblock1
| |-- nftlA1
| |-- nftla
| |-- null
| |-- ppp
| |-- ppp1
| |-- ptmx
| |-- pts
| |-- ptyp0
| |-- ptyp1
| |-- ptyp2
| |-- ptyp3
| |-- ptyp4
| |-- ptyp5
| |-- ptyp6
| |-- ptyp7
| |-- ptyp8
| |-- ptyp9
| |-- ptz0
| |-- rom0
| |-- rom1
| |-- rom2
| |-- sda
| |-- sda1
| |-- sda2
| |-- sdb
| |-- sdb1
| |-- sdb2
| |-- smartcard0
| |-- smartcard1
| |-- tty
| |-- tty1
| |-- ttyS0
| |-- ttyS1
| |-- ttyS2
| |-- ttyS3
| |-- ttyp0
| |-- ttyp1
| |-- ttyp2
| |-- ttyp3
| |-- ttyp4
| |-- ttyp5
| |-- ttyp6
| |-- ttyp7
| |-- ttyp8
| |-- ttyp9
| |-- urandom
| |-- usb
| | |-- lp.sh
| | |-- lp0
| | |-- lp1
| | |-- lp2
| | |-- lp3
| | |-- lp4
| | |-- lp5
| | |-- lp6
| | |-- lp7
| | |-- lp8
| | `-- lp9
| |-- usi
| |-- video0
| `-- video1
|-- etc
|-- flash
|-- home
|-- proc
|-- swap
|-- usr
`-- var
`-- run

13 directories, 97 files

While I obviously can’t run any binaries locally, I can look at the text files to confirm that the ROMFS hasn’t just gotten the filesystem correct.

debian:/mnt/test/bin# cat init
mount -t proc none /proc
mount -t ramfs none /usr
mount -t ramfs none /swap
mount -t ramfs none /var/run
mount -t ramfs none /etc
mount -t ramfs none /flash
mount -t ramfs none /home
camera&
sh


debian:/mnt/test/bin# file camera
camera: BFLT executable - version 4 ram gzip


Looking *very* good.

Thats all for tonight, but it looks like we can easily add bits to the firmware using genromfs, dd, and a hex editor, or just genromfs, and someone willing to test a rebuilt user rom with an extra binary. Probably going to be telnetd as ssh requires a kernel recompile

Next step, actually doing that, and testing.

I’m definitely going to bed now – its 5:30am.

Tomorrow is a holiday though (in China), so happy May holidays!

High resolution photos of the board are below:

Main parts used are:

RAM – Winbond W9812G61H-6 (2M)
According to the data sheet, that 2M X 4 BANKS X 16 BITS SDRAM @ 3.3V / 166MHz/CL3
Data sheet is here – http://jp.ic-on-line.cn/IOL/datasheet/w9812g6ih_4223255.pdf

Flash – Spansion S29AL016D (2M)
Other boards are populated with different providers – some people have Samsung flash…
Mine has the Spansion onboard both units. Its programmable onboard (via the uBoot)
Data sheet here – http://www.datasheetpro.com/259722_view_S29AL016D_datasheet.html

Sound Card – ALC203
This is obviously used as the BSP for the Novotel provides sample code for that card, making their life easier…
Data sheet here – http://realtek.info/pdf/alc203.pdf

Wired Ethernet – Davicom DM9161AEP (10/100 Ethernet)
Data sheet here –
http://www.davicom.com.tw/userfile/24247/DM9161AEPProductBrief_v1.0.pdf

8 Port Relay Driver (for the motors etc) – ULN2803
Data sheet here – http://www.rentron.com/Files/uln2803.pdf
More info / explanation here – http://wiki.answers.com/Q/What_is_Relay_driver_ULN2803

Wifi – RALINK 2571 (on daughterboard). Wireless G
This is a USB based chipset, so we’re using 4 usb connector pins for this one.
No datasheet, as Ralink are dicks.

CPU – ARM7 N745CDG (Arm 7 by Nuvoton)
Lot of info for chip available at Nuvoton.

W90N745 makes use of the ARM7TDMI microprocessor core of ARMR and 0.18um production to achieve standard operation at 80MHz. 128-Pin LQPF packing is also used to save electricity and lower costs. The built-in 4KBytes I-Cache and 4KBytes D-Cache of W90N745 can also be set as On-Chip RAM according to the needs of product developers. With regards to system integration, W90N745 is suitable for network-related applications such as management switch, IP cameras, VoIP and printer servers.
Features
* One Ethernet MAC
* One USB 2.0 full speed Host controller
* One USB 2.0 full speed Host/Device controller
* AC97/I2S
* 4 UARTs
* I²C Master
* 31 GPIOs
* Power Management

Data sheets – http://www.nuvoton.com/hq/enu/ProductAndSales/ProductLines/ConsumerElectronicsIC/ARMMicrocontroller/ARMMicrocontroller/NUC745A.htm
The uclinux sample distribution and files can be downloaded here – http://www.metavert.com/public/NO-SUPPORT/NUC700%20Series%20MCU%20uCLinux%20BSP.zip

I’m just waiting on a JLINK USB adaptor, then I’m ready to roll.

[Updates]

David M from comments at http://irishjesus.wordpress.com/2010/03/30/hacking-the-foscam-fi8908w/#comments provided his rom sizing from his device, I’ve got some notes on that here.

MAC Address : 00:30:10:C1:D0:39
IP Address : 0.0.0.0
DHCP Client : Enabled
CACHE : Enabled
BL buffer base : 0×00300000
BL buffer size : 0×00100000
Baud Rate : -1
USB Interface : Disabled
Serial Number : 0xFFFFFFFF

For help on the available commands type ‘h’

Press ESC to enter debug mode …

bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0×00000038 exec:0x7F010000 -af
Image: 7 name:linux.bin base:0x7F020000 size:0x000BB334 exec:0×00008000 -acxz
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a

My notes:

Image: 0 name:BOOT INFO base:0x7F010000 size:0×00000038 exec:0x7F010000 -af

[Image 0 is 38 bytes (small!).
Boot info is not the bootloader - 38bytes is way too small for that.
It actually stores our bootloader config settings.
eg ip address, cache setting, boot loader buffer address etc.
Our initial settings are below:

MAC Address : 00:30:10:C1:D0:39 (should be changed, this Mac range belongs to Cisco!)
IP Address : 0.0.0.0 (unset)
DHCP Client : Enabled (pulls ip from dhcp..)
CACHE : Enabled (onboard chip cache)
BL buffer base : 0×00300000
BL buffer size : 0×00100000
Baud Rate : -1 (unset / so defaults to 115,200,8,n,1)
USB Interface : Disabled (NC745 has no USB for bootloader)
Serial Number : 0xFFFFFFFF (unset)

-af indicates Active (a) , and is a Filesystem image (f)]

Image: 7 name:linux.bin base:0x7F020000 size:0x000BB334 exec:0×00008000 -acxz
[Image 7 is our OS - Linux 2.4.20 ucLinux Not sure why Maverick didn't build on 2.6, there is more hardware support. Probably time dependant - 2.6 may not have been available, plus the Nuvoton sample code is also 2.4 based...

-axcz says active (a) executable (x) copied to ram (c) compressed (z) ]

Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a

[Our rom image - aka userland stuff. This is where we'll be putting our own code. Looks like its stuck quite high up in the flash, although doesn't need to be given size of the Linux rom. We have plenty of room available.

We'll need to make appropriate changes to Image 6 size on flashing

-a says active partition.]

This one is a little bit smarter than the previous one – its running off an ARM5ARM7 CPU (Nuvoton NUC745ADN), so has a bit more oomph. 16M ram is a whole lot more to play with for a start! The last device only had 16KB, so this puppy can be taught to do some tricks!

Serial was a little bit trickier to solder on this time – my initial connectors were too small, so had to resolder with larger ones, and I managed to mess up a tad. Never said my soldering was any good
Getting it to talk to the computer was a bit painful too – eventually I settled on 115,200 8,n,1, xon/xoff which should have worked the first time around, but I was getting garbage.

Probably flow control (xon/xoff), as fiddling with the connections got it going eventually.

First output from the board is below – this is from a clean boot (with no ethernet or wifi).


W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Dec 10 2009
Memory Size is 0x1000000 Bytes, Flash Size is 0x200000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

Wait for auto-negotiation complete...ResetPhyChip Failed
video0 opened
1
1
1
1
1
1
set resolution 5
set brightness 144
set contrast 3
set sharpness 3
set mode 2
__pthread_initial_thread_bos:34c000
manage pid:16
audio_dev.state not AU_STATE_RECORDING
wb_audio_start_record
=> usb_rtusb_open
retide_ddns.c: can not get server dns.camcctv.com ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
get oray info
upnp get ip error
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===255.255.255.255
*args===netmask
*args===eth1
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===default
*args===gw
*args===eth1
MlmeAssocReqAction(): WPA2/WPA2PSK fill the ReqVarIEs with CipherTmp!
3
3
3
3
3
3


Initially I had the board setup on its own without the camera attached, but the boot scripts require it connected, otherwise they reboot..
Ostensibly, this is the same hardware as the fi8908w (who are just reselling the OEM version with marginally different firmware as far as I can tell).

Next step is to setup a cross compiler for uclinux so I can make some binaries, and test.
Luckily all the available tools are open source / free. Yay!

I’m in contact with the factory, and they’ll be sending an SDK over at some point soonish, although its only in Chinese.
Luckily for me, that shouldn’t be a problem, as i’m reasonably capable at groking both code, and simplified chinese

ucLinux should be easy enough to build a rom image for though – tons of examples, and I already have a few firmware files to compare.

It shouldn’t be too hard for me to roll another firmware with ssh installed, so that we can get in without serial, that would be more useful for others too.

I’ve had a quick look inside the folders in the device from the device itself – fairly minimal, pretty much the only binaries are the necessary ones.
My initial aim is to redo the UI to a nicer one, and fix some of the more glaring bugs. The factory people are at a trade show in Taiwan this week, so hopefully next week I’ll get some dev tools (otherwise its reverse engineering, bleh…).

Some more people are playing with these as well (links below):

http://irishjesus.wordpress.com/2010/03/30/hacking-the-foscam-fi8908w/

http://www.gadgetvictims.com/2009/12/bring-your-fi8908w-paperweight-back-to.html

Unfortuanately for me, both are variably accessible. WordPress is available this week woohoo, but its an on / off dealio with the GFW…, so I might have to stop commenting there once the government decides if WordPress is “teh evil” again.

The irishjesus blog guy has done some of the harder bits like file extraction already (although not strictly necessary, as there are existing tools for that kind of thing).

—

Updates

Have some docs from the factory now, see attached file for the CGI spec.

IP Camera CGI 应用指南-1.11

I have others, but not so relevant especially for those than don’t read Chinese!

Data sheet for the Chip and build instructions here -

http://www.nuvoton.com/hq/enu/ProductAndSales/ProductLines/ConsumerElectronicsIC/ARMMicrocontroller/ARMMicrocontroller/NUC745A.htm

This last few weeks I’ve been playing with IP Camera’s for a pet project that started off as a request over Skype for info about surveillance.
As the ever useful Taobao is full of vendors selling the same 4 or 5 camera’s for reasonable prices I ordered a couple to take a peek at.

I’ve only taken one apart so far – the really really cheap one that I installed in the office so I can get a look at who comes up the stairs without having to move my fat ass out of the chair.  A quick shortcut in FF, and it works quite nicely as a separate browser window in the corner of the desktop.

Onto the discovery phase

I had a quick spin with NMAP, but other than discovering that they rather naughtily misuse a Mac Address assigned to the evil Cisco, not much help.
Also nothing appeared to be running on any other ports than the web port
nmap -A 192.168.0.88

\r\n\r\n</BODY>\r
SF:\n</HTML>\r\n");
MAC Address: 00:0A:42:33:66:54 (Cisco Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop


Next up is the usual dissection. I had done some minor googling on the device I bought, which is basically this below:

As its an OEM product, this is available under a whole bunch of different names – mostly with IP-510 or similar in the title, eg LTI-510 etc.

For a cheap OEM product, it actually seems to be reasonably well made though – the Case is an nice and solid aluminium sheath that looks like its been repurposed from something else, and the board itself is suprisingly well diagrammed. Its almost made for hacking!

Chips onboard are as follows:

25.0618mhz crystal from TXC – bonus points for why its 25mhz. Reply in the comments
Davicom DM9008AEP, TRC9016NLE (both for Ethernet. imho Davicom is a second-rate Realtek)
ViMicro VC0528BRVC (Camera processor / CCD Controller)
And last, but not least, our CPU, which is an 8051, although not from ATMEL.
Part number on that is C8051F340. My first guess is that it incorporates some integrated flash on there for firmware. Unfortunately its likely to be all C and Assembler, and the last time I did embedded 8051 stuff was in the early 90′s.

Google confirms it – basically its an all in one controller with 32 or 64KB onboard, and roughly 4k ram. Woohoo!

Datasheet here – http://www.alldatasheet.com/datasheet-pdf/pdf/182721/SILABS/C8051F340.html

Good news is that the board has serial out clearly labeled on the top left side. Better news is that the chip has an onboard debug mode, so I don’t even need any ICE (In Circuit Emulation) tools should I want to take a look. Bad news is that I’m probably going to be too lazy to do it, as its more work and less fun than the second one I bought, which has Linux running on it.

That said, this one is cheap. Real cheap. Cheap enough that its probably worth knocking out a decent firmware, and reselling it with a better UI, and more features.
Might be possible, although anything more than whats there is probably stretching it given the ram / storage constraints. Looks like its all offboard processing/streaming for this model!

There are also some unpopulated spots on the board, which I strongly suspect would be for audio, given the board has a MIC input and no Mic, and the main controller is a ViMicro, which supports MP3 output also…

I’ll see if I can find a firmware file, and do a disassembly, or more probably see what I get out of the serial port connection in the near future.

Photos below. [Excuse the pasty white hands, its still winter for some reason in Shanghai, despite being April... Oh global warming. Where art thou, when I needest thee!]:

Some further files for the curious here –

http://kuklin.ru/ip400cam

I took one apart to take a look, and the issue is the oh too familiar someone bought cheap capacitors that use the wrong formula. Tsk tsk Apple!

Here are some photos of a faulty power supply from a Time Capsule I’ve taken apart to demonstrate -

If you look closely, you’ll see that the middle capacitor on the right has leaked, and the others are bulging slightly.  Its a little hard to see unless you look closely, but they are faulty!

WARNING

There are high voltages present in the PSU even when it has been off for a while, so do _not_ take it apart unless you know what you are doing. Otherwise, you are liable to shock yourself!

To take a Time Capsule apart, you need to carefully remove the plastic underpart first – some of these are easy to remove, some not. One was a complete nightmare – took ages and ages to remove the plastic, and of course I managed to gouge my fingers in the process!

Once removed, its a matter of unscrewing the 3 thousand tiny screws that hold the metal base in, and popping the metal base out.

Time Capsule plastic undergarments and my patented "pad extraction tool, which I also use for opening Mac Mini's."

In the two I fixed this week, I decided the easiest course of action was not to replace the power supply caps, but instead to remove the PSU completely, and re-use the existing connectors.

If you look at the left corner of the PSU (I’ve already destroyed mine removing the connectors), there should be 3 separate cables bunched together.

The Black power connector with only 1 cable is the 12v line.
The power line with 4 wires is the 5v line
and the power line with the most wires +-5 cables? is the ground.

As 5v / 12v is a fairly easy PSU type to find, I’ve just cannibalized some old 3.5″ HDD case PSU’s to remake the cable. Those are really cheap to buy – 30-40RMBish locally USD$5+-

The Apple PSU is a 12v 1.2A and 5v 3A. The PSU’s I used are 2A, but seem to be ok. Worst case, I can replace them if the Time Capsule draws too much current. I think it should be fine though, as the drives don’t really draw that much juice anyway. Only real current draw is when the drive initially powers up, and the Time Capsule seems to delay that till after its finished booting, so its less of a power draw.

The 2 PSU’s I used were fairly similar. I chopped the connector end off, both had 3 wires inside, so it was just a matter of using a multimeter to work out what wire carried what voltage, and then soldering the relevant ones to the connectors I removed from the PSU.

Tip – Push the new cable through the old power cable hole, then make a small loop on the other side with the cable *before* you solder the connectors. That way the cable can’t pull through and possibly break some / strain something later.
Bear in mind that the fan also mounts just above the power, so it might be a bit of a squeeze putting it all back together!

Solder the 3 wires to the relevant connectors, wrap up with electrical tape, and test without the HDD initially to make sure the yellow power light comes on.

If that comes up ok, power down again, connect the HDD, and recheck. If all is good, then put it back together!
I didn’t bother putting the plastic mat back under my Time Capsule.

Here’s how my completed Repaired Time Capsule looks -

So far its been working fine. I also took the opportunity to replace the HDD with a new 2TB drive, as mine was a 500G.
I’m enjoying the free space…

I think this is actually a better way of doing things for the Apple Time Capsule, as the PSU gets to be external, and there is less heat inside.

In theory this really should be something that Apple does a recall for, as its definitely an epidemic.  I’ve personally seen a couple, and there are continual reports on the web for the same things.  As Apple China is… not very good in our extensive experience -  http://www.badappleservice.cn/ cough, cough, I tend to fix this stuff myself.

Good links on all this here -

http://forums.whirlpool.net.au/forum-replies-archive.cfm/1267631.html

There is also a PDF document on how to do this, but as its on that heinous den of iniquities (Google), its not accessible in China.
Should be on this link, but I can’t check, and I do no illegal evil, so no bypassing the most glorious firewall, that blocketh half the damn internet for me…
http://sites.google.com/site/lapastenague/a-deconstruction-of-routers-and-modems

This year someone in China misconfigured something which effectively exported China’s main method of implementing blocks (man in the middle DNS spoofing) semi globally over the Global Crossing backbone for the last few weeks.

Effectively, China’s blocking, went global (for certain providers).

This is a little technical, so bear with me while I try to put in into laymans terms!

When you ask for www.somesite.com, a query is sent to your ISP’s DNS servers asking for the i.p. address. If those DNS servers don’t know, they in turn who then ask their upstream DNS servers (if they exist) and so on, until one of them will then ask the root servers who is responsible for that domain.
These root level servers are based geographically, and are the arbiters of whether a domain is resolvable or not.
If they don’t know about a domain, then essentially that domain doesn’t exist, as they are the servers that other servers rely on.
If for instance a root level server suddenly decided it didn’t know who it should send CN names to, then that entire section of the net would be unresolvable for anyone who used those root servers.

This has actually happened at least once already; Swedish .se domains dropped off the internet completely for a few hours to a day (dependent on caching) due to a misplaced full stop in October 2009.

This is not what was happened with this instance, but hey, its the _same_ company (different division) again with another DNS issue.

I’ll start with the infrastructure -

Swedish company NetNod (aka Autonomica) has a DNS root server* here in China – I.ROOT-SERVERS.NET / 192.36.148.17

*Server in this case actually refers to many servers providing a DNS service as i.root-servers.net
i.root-servers.net servers are geographically located all over Asia (and other places).

(See below for a map)

A root server as stated, is almost the final arbiter of any DNS lookup. It knows which servers service top level domains (TLD’s). So its the one that gets to tell your DNS server where .com, .net, .cn, .hk, queries should be sent to.
All these root servers also provide caching, so if (as is probable), someone else asks for that domain again, it knows how to answer.

Netnod, like other companies that provide root level servers, use a mechanism called anycast to deliver users to the best destination server for the DNS query.

[ From Wikipedia - In anycast, there is a one-to-many association between network addresses and network endpoints: each destination address identifies a set of receiver endpoints, but only one of them is chosen at any given time to receive information from any given sender. ]

Anycast operates over BGP to delegate best routing to a destination based on AS (automated system) rules.
Anycast by design, is inherently insecure, as anyone at the right stage of the chain can intercept packets for the anycast address.  This is really able to be done by routers at the BGP level of routing, so AS owners rely on each other not to mess around.
Essentially, if you are trusted enough to have an AS, you are trusted enough not to screw up.

[ From Wikipedia - On the Internet, anycast is usually implemented by using BGP to simultaneously announce the same destination IP address range from many different places on the Internet. This results in packets addressed to destination addresses in this range being routed to the "nearest" point on the net announcing the given destination IP address.

AS - An autonomous system (AS) is a collection of connected IP routing prefixes under the control of one or more network operator that presents a common, clearly defined routing policy to the Internet (cf. RFC 1930, Section 3.]

Ok, so now you have a pseudo glossed over idea about BGP, AS, and Anycast, I can continue

Computers in other countries (mostly on Global Crossing networks, as noted above) were starting to get spurious DNS results.

If you remember above, the NetNod root server based in China, uses AnyCast via BGP to talk to things asking about DNS.  If we look at the BGP routing for the I.ROOT-SERVERS.NET, we can get an idea of how things are laid out from a network perspective

I.ROOT-SERVERS.NET sits in AS29216
Robtex (which is unfortunately blocked in China), shows the connectivity for that block here -
http://www.robtex.com/as/as29216.html#graph

AS29216 apparently only links to AS8674 (NETNOD-IX).
That AS block talks to quite a few others, including one named AS24151.
AS24151 is controlled by CNNIC.

CNNIC is a China government run .cn domain management organization*
(*In practice. They may or may not be government owned in what passes for “reality” here).

What happened (allegedly, as I haven’t read up completely about this on the dns-operations list), is that another DNS server upstream of AS8674 (most probably on AS2151) came along and said hey! I’m a root level server.

This “rogue” root server sat in the anycast block in use by I.ROOT-SERVERS.NET, and advertised themselves as a root node, randomly intercepting traffic (as by design this is supposed to happen in Anycast).  This shouldn’t happen, but as AS2151 is trusted by the other AS’s they accepted its announcement about having a root node server, and the other nodes started caching its queries.

This started causing all sorts of sporadic mischief, as other servers started caching those “bad” (China firewalled) results from the I.ROOT-SERVERS.NET rogue server.

Normally this would be a regional issue, but as BGP is not best distance based, but AS based, other AS’s close (from a network perspective) that also use Anycast via BGP would take answers from that node for queries too.

This “rogue” root node was configured to do its DNS in standard China Firewall style, and null route/ block servers – eg Youtube, Facebook, Twitter…

As it was responding to DNS queries via Anycast in the Root level server AS, other secondary DNS servers and upward were querying it, caching the bad responses, and then null routing those major US based internet services within their own regions.

This started happening intermittently over Global Crossing nodes until the problem was spotted and resolved.

Users locations as far away as California, Chile, and China (although admittedly here its broken by design) were getting DNS results “China style”.

Lots of finger pointing went on until the people running NetNod/Autonomica eventually twigged that this was happening, and stopped accepting BGP / Anycast routes from AS2151 at AS29216, which meant that things would get back to normal after caching expired.

Its quite possible this was just a screwup on someones part here within CNNIC, but the tin foil hat wearing brigade may think otherwise.  Personally I put this down to either testing purposes, or user error.  Understanding the intricacies of implementation and its implications is harder than it first appears, and its easy to screw up.  That said, it did take a lot of coincidence for this to happen like that, and acting like a root server would put a noticeable amount of additional load on the server(s) doing the replies, so it would be noticed as least on that level.

This isn’t the first time this *exact* issue has happened on a global scale either. Network operators in Pakistan did a similar thing in 2008 which affected Youtube globally, with users getting similar bad routing as far away as UK.

What does this mean for the future?

Trust is a delicate issue, and it looks like people will eventually no longer implicitly trust upstream or downstream providers on BGP to do the right thing.

Ironically Autonomica / NetNod are some of the people involved with making sure this kind of thing *doesn’t* happen again!

Autonomica are involved quite heavily in something called DNSSEC.

DNS queries don’t mandate security, so a query can be resolved by a server in the right place, at the wrong time (as seen above). With DNSSEC, the queried server will be the one that answers you using a signed key, so any rogue server in place should not be able to work as it doesn’t have the correct credentials. It also means that a rogue server would be more easily spotted as the keys can be readily identified for a given server.

DNSSEC is in the process of being rolled out, and it looks like things like this will only mandate the rollout goes faster.

Unsuprisingly China is not quite convinced this is a solution, mostly I suspect, as this will break their DNS firewalling methods..

DNSSec rollout map, and a rather excellent talk about this and other DNS issues by Paul Wouter is here:

http://www.xelerance.com/dnssec/

http://www.xelerance.com/talks/sector/Sector2007DNSSEC.pdf

China is also not without its own DNS issues (other than the deliberately implemented ones) as anyone who lives here has experienced.

Last year May saw most of China’s DNS completely collapse for a day as provider DNSPOD was subject to an inadvertent DoS attack via queries against Baofeng.com. Good PDF on that here by China Telecom Guangzhou staff Ziqian Liu – https://www.dns-oarc.net/files/workshop-200911/Ziqian_Liu.pdf

Further reading and research materials below:

http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6VNT-4S807WG-G&_user=10&_coverDate=04%2F30%2F2008&_rdoc=1&_fmt=high&_orig=browse&_sort=d&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=ccc0471388f3fb33fcecdd3409f4f9cc Pakistan DNS security weakness

http://en.wikipedia.org/wiki/DNSSEC DNS Security

http://royal.pingdom.com/2009/10/13/sweden%25E2%2580%2599s-internet-broken-by-dns-mistake/ Sweden disappears from the net

http://www.netnod.se/dns_root_nameserver.shtml – NetNod’s website

http://www.isoc.org/briefings/020/ – DNS Root server FAQ’s

http://blogs.csoonline.com/1179/chile_nic_explains_great_firewall_incident

https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005267.html – DNS issue list where this was noted.

While he slightly re-invents the wheel, its fairly similar to what we do over at Computer Solutions as a solution for Backup.

How do we do it?

Step 1 – Database backups (snapshot dump of the database)

First is to backup the database(s) to the filesystem in a common folder.
We run MySQL daily backups to a folder under /home/dbbackup on all our servers using an easy to install backup shell script:

http://sourceforge.net/projects/automysqlbackup/

Debian users can easily install via:

apt-get install automysqlbackup

On our servers we run automysqlbackup at midnight; and it automatically handles daily, weekly, monthly folders + rotation (no need to reinvent the wheel).
Thanks to the wonders of logging, we can spot a visual effect of whats happening on our daily logs.

The astute will notice that mysql usage goes a little ballistic as the script kicks in.
A weekly view shows this in a clear manner also.

The backup script runs on all our servers daily. This essentially provides a daily snapshot of all the databases on that server. If any issues occur during the backup, I get emailed a copy of the problems.
This is useful for letting me know when a database table is corrupt, or something else went wonky.

Sample errors below:

mysqldump: Got error: 1044: Access denied for user ‘debian-sys-maint’@'localhost’ to database ‘information_schema’ when using LOCK TABLES
mysqldump: Got error: 1146: Table ‘consumer_aware.mw_category’ doesn’t exist when using LOCK TABLES
mysqldump: Got error: 1146: Table ‘counselasia.wp_email’ doesn’t exist when using LOCK TABLES
mysqldump: Got error: 1146: Table ‘joomla_versatility.jos_bannertrack’ doesn’t exist when using LOCK TABLES
mysqldump: Got error: 1146: Table ‘wp_counselasia.wp_counselterm_taxonomy’ doesn’t exist when using LOCK TABLES

(Errors above were corrupt tables, and a MySQL 5.1 issue that AutoMySQLBackup needs a small change for)

(We use the debian-sys-maint as backup user, so it needs lock tables privileges for information_schema)

mysql -u root -p
use mysql;
update user set lock_tables_priv='Y' where host='localhost' and user='debian-sys-maint';
exit;

That works for me, but others have also had to do this small addition to their automysqlbackup config file:

# OPT string for use with mysqldump ( see man mysqldump )
OPT="--quote-names --skip-opt --add-drop-table --create-options --disable-keys --extended-insert --quick --set-charset"

It doesn’t cover all issues that might occur though (see my notes at the bottom for things that have/can happen)

Step 2 – RSync

We then rsync the entire home folder system (which is where I store all the user specific data) to another pseudo-dedicated backup server.
The rsync is setup to run an hour or two after the mysql backup script. From experience, the MySQL backup usually takes about 15 minutes max even on the largest MySQL database server we have (mostly as clients DB’s compress nicely, and the total data size is usually a few hundred megabytes at max per user).

Rsync runs daily (usually in our early 2am – 4am period).
Its setup as a service on each of our servers, and I have 3 separate folders we backup.

/etc
[I've found it useful to backup conf specific stuff, and it typically runs in less than a second]

/var/qmail
[We use qmail, so I backup the entire qmail folder structure. The queue will need to be rebuilt in case of a hardware failure, but configuration, and other settings are nice to have. Our user mail is actually stored in /home/vpopmail (as are user accounts), so that goes in a separate backup. This usually completes in a few seconds]

/home
[As we also run backups across multiple servers I specifically exclude any /home/backup folder, as this is usually my dumping ground for the backups. This backup typically takes anywhere from 5 minutes to a few days depending on the amount of changes to be synced over.]

rsync is set to run via cron in /etc/cron.daily or /etc/cron.weekly or /etc/cron.monthly as applicable.

In our case we have a number of servers to backup over a few continents, and web + mysql takes roughly 600GB in total (still fairly easy to stick onto a single drive though).
As machines are scattered around different / regions it can take a few days to complete an initial backup if I deploy a new backup server.
To avoid issues, I do a simple file test in my rsync cron script which gets deleted at the finish of the script. If the script gets run a second time it checks for the file, and aborts if found. This prevents multiple instances being run each day, which can cause issues for the initial long running backup.

Step 3 – Backing up the backups!

I also do a weekly backup of the complete backup folder to a different server so I have some “history”.
This is fairly easy to setup – I just backup the backup folder from our “central” backup to a different server by sticking an rsync script in an appropriate folder – /etc/cron.weekly/monthly…,
To facilitate, I setup, stick a spare 1TB or larger drive in mounted at /home/backup, and let it run.

As I’m still a little paranoid, to make it _even_ safer, I also do a monthly off-site of the backups. This sits in a live-spare server in our office.

I also maintain multiple backup copies of certain data in different locations, just in case(tm).
These are all kept in non user accessible drives on specific servers.

As mentioned in the blog post I linked to, no backup regimen is actually useful until you’ve actually had to use it!
We get at least 1 request a month to restore data or database(s), so I get to use this quite often.

The only time I’ve really needed multiple levels of backup was during our week of repeated Seagate drives failures (multiple hardware failures due to a faulty batch of bad drives); we got to test the backup infrastructure repeatedly, so I know that it all works well!

Notes

If your database is in iffy condition – eg latin1 encoding, with UTF-8 data, or similar, the backup will be what MySQL thinks the encoding is.
This may not mesh with what it actually is.
Corrupt tables or filesystem issues can also cause errors.

AutoMySQLBackup can be configured to email you on issues, as can Rsync.
Encoding related ones will not be seen until a restore is attempted, but other issues will be.
I have successfully restored databases even with “corrupt” encoding data, whether it was latin1 -> utf8 or utf8 double encoding.
MySQL does need some handholding though if that needs to happen though.

Having different snapshots of your data from different time periods (eg, daily, weekly, monthly) is important (and thats why I do it!).
The number of times clients have come back with “oh I deleted something 2 weeks ago”, and I’ve been able to restore it has meant that they’re happy.

That said, it does mean you need to use a whack of drives for backup purposes.
Luckily drive sizes get larger each year, and prices drop, so its an acceptable expense!

Some of you may question why we don’t use RAID for the above.
We do use RAID hardware in some of our servers (usually 3ware 9000 series controllers), however RAID only protects against hardware failure, not against user mishap, or malicious intent. RAID is not a replacement for backup!

Lawrence.

First I needed tools.
Luckily China is pretty awesome when it comes to getting electronic bits and pieces so most of what I needed was a mere Taobao away.

As the crap soldering irons in the office weren’t going to hack it, my first purchase was a decent soldering iron.
I took a look at the Wellers (which I used in a previous lifetime), and decided that the pricing was a little too steep for my liking!
Taobao had plenty of cough, cough ‘clone’ Hako 936′s though, so I bought one of those, 10 tips and some solder for a little less than 200RMB delivered to the office.

I could have gone to buy it over in the electronics mall over in Beijing lu, but seriously, Taobao is easier.

While I was at it, I also orderd a Rek DC power supply, and some JTAG cables.
The PSU isn’t totally useful for router hacking, but we do have a lot of people that forget to bring laptop chargers with them, so it will come in handy for that. Looks pretty nifty too.

Hako 936 and Rek DC PSU

Next up was a serial to ttl adaptor, as the TP-Link uses TTL voltage apparently, and I needed to convert into standard pc serial.
I bought 2 adaptors, one USB one, with rather crappily made headers, and a rather nicer serial one with pin’s.

As I’m rather crap at soldering, I totally expected things to bork something up, but amazingly I got the headers installed relatively easily, and even managed to bridge pad (R356) to enable serial first go (as per the wiki).

I plugged in my serial adaptor to the computer, and powered up the router.
Suprisingly everything worked first time around, and I got some serial output in HyperTerminal.

A few nanoseconds later I got to experience again how much I hated HyperTerminal.
Grumble cpu usage grumble frozen input grumble mutter,… and installed PuttyTel instead.

Putty also seems to autodetect the kernel speed nicely (as boot changes from 9600 to 115,200baud), which is a bonus.

I still need to time it right so I can catch the u-boot in time to stop it, and, I also still need to reflash it, but the hard part is done!

Total cost – roughly 250RMB for parts (soldering iron, tips, serial ttl adaptor, pin headers, jtag stuff etc), plus about an hour of time, most of which emcompassed clearing my desk enough so I could solder

I’m all setup for more journeys into equipment though, and I can now completely recover borked equipment handily.

Useful pages:
http://wiki.openwrt.org/inbox/tp-link.tl-wr941nd (Pinouts)
https://forum.openwrt.org/viewtopic.php?id=18354&p=1 (Thread on TL-WR941 hacking)

Firmware files:
http://downloads.openwrt.org/snapshots/trunk/ar71xx/

Taobao shopping:
http://item.taobao.com/auction/item_detail-db1-3fbe7be878a7aa35dd4ec1e4260113e8.jhtml (RS232 TTL)
http://item.taobao.com/auction/item_detail-db2-3c9886e66da40119a6c72fe03c4b8d38.jhtml (Hakko 936 + tips)
http://item.taobao.com/auction/item_detail-0db1-4fbc4e80f96ae37dbd34b9cb466aa642.jhtml?cm_cat=0 (Wiggler JTAG)

The Mini3i runs an Android variant called OPhone.

The 3i is a little underwhelming software wise.

Its quite crap at the moment as its sitting on Android 1.0 (OPhone 1.0), but for all intents and purposes Android = Ophone its pretty much the same underneath.

There are a bunch of similar phones to this – the Lenovo O1, LG GW880, Motorola something or other (can’t be hassled to go look) etc.

While I haven’t rooted mine just yet, I have been playing around, and reading the Chinese forums.

Boot loader appears to be similar on all the devices – its made by BORQ’s in Beijing, and appears to be quite basic.

Motorola and O1 seem to have the best support for now, the main problem in the Chinese forums is people bitching about being stuck on older versions.

Some are running 1.6, most on 1.5, and the unlucky few 1.0 “Ophone”
2.0 and 2.1 has yet to hit the mainstream here.

There are people with N1/G5′s (Nexus 1 / HTC G5) on 2.1 though (yes, thats you in Beijing Tom!), pretty much any phone is available, although anything with wifi is essentially grey import from overseas (HK mostly)

Back to the phone -

Thankfully you can install any apps as apk’s, no need to hack for that – so its fairly easy to get info on the innards.

RootExplorer is your friend

RootExplorer also allows you to remount partitions r/w, so root access is fairly easy too. There are precompiled su binaries for 1.5 out there, although I’ve yet to do my phone.

The Dell mini3 is running on a Marvell Tabor. Fast chip, nice touchscreen, decent resolution, just crap on 1.0.

Firmware files for most of the “ophones” (except motorola) are mff files.

The mff files appear to just be compressed images with instructions for how to write the various partitions out.

eg the Lenovo O1 mff has this in the “mff” zip

2010/02/25 10:53 147,111,936 factory_CHERRY.fbf
2010/02/25 10:53 249 factory_CHERRY.mff.mlt
2010/02/25 10:53 364 JADE_EVB_RawNANDx16.ini
2010/02/25 10:53 327 magic_fbf.ini
2010/02/25 10:53 2,692 magic_fbf_inner.ini
2010/02/25 10:53 10,236,719 mfw.pac
2010/02/25 10:53 54,180 MHLV_NTDKB_h.bin
2010/02/25 10:53 176 MHLV_NTDKB_TIM.bin
2010/02/25 10:53 858 NTIM_td.ini

magic_fbf_inner.ini has the layout

[INTEL_FLASH_DEVICE_INPUT_FILE]
Number_of_Images=24

[IMAGE_HEADER_0]
Start_Address=0×240000
Image_Length=0×40000
EraseBlocks=1
WriteImage=0
VerifyWrite=0

[IMAGE_HEADER_1]
Start_Address=0×6900000
Image_Length=0xf00000
EraseBlocks=1
WriteImage=0
VerifyWrite=0

(etc)

Different phones have different firmware writing software, the Motorola’s are using RSDLite, LG – SML_OMS, CTHall, others something homegrown called Firebolt, which is written by BORQS. I have all the firmware tools already, despite the Ophone8 forums lack of courtesy in sharing, grrr.

Most firmware tools appear similar though functionality wise.
Haven’t played around inside the phone yet to see if its easy to get jtag access, although that was mostly because i couldn’t work out how to remove the top part without breaking it.

If anyone wants more info, or a firmware dump let me know.

Hopefully there is some interest out there in the English speaking world for these!