Tag Archives: hacking

How to monitor NVMe drives in the OSX

NVMe support in OSX

After upgrade to the latest Macbook Pro i found that smartctl is not able to find any smart capable drive. This is because Apple replaces SATA SSD with NVMe one and old SMART API is not working (it is very ATA specific). Smartmontools itself includes NVMe support for the Linux, Windows and FreeBSD, so i decided to try to add it to the Darwin as well. However it was not as easy as expected – Apple did not published any source code or documentation about NVMe device support or monitoring. Moreover – there is no any tool in OSX to show such statistic and old tools from SDK are useless because of API Change.

Starting to search for the API provider

After looking on the file tree i have found good candidate: /System/Library/Extensions/NVMeSMARTLib.plugin. Its done more or less similar to the /System/Library/Extensions/SMARTLib.plugin/ which provides SATA/ATA SMART support. As i mentioned – there is no documentation, so i had to use otool, nm and lldb to deal with it. As expected, it was found that API is similar to the ATA one. You can get list of the symbols and functions using this command: nm NVMeSMARTLib | c++filt -p -i. So i tried to connect to it using modified example from SDK for the SMART. Tricky part was to find kIONVMeSMARTUserClientTypeID and kIONVMeSMARTInterfaceID values which are using by CFPLUGIN infrastructure in the IOKit to initialize API interface. Fortunately library comparing this data during runtime, so with disasm i been able to find them. After successful connect to the interface i been able to reconstruct missing headers and use some of the functions (see below)

What is working and what is not.

The most important functions SMARTReadData and GetIdentifyData are working and result is provided in the structures matching with NVMe standard. I was not able to get GetLogPage function running, probably it expects pointer to some structure with defined data. If apple will release any consumer of it it would be easy to find this out.

Also there are some other, unknown functions in this API: GetFieldCounters (always returns error), ScheduleBGRefresh (no parameters, returns ok), GetSystemCounters and GetAlgorithmCounters (some driver info? or vendor-specific log pages?). Another interesting finding was string “Sandisk 401Z128G-4p-MLC” in the SMART log page, so possibly this NVMe is originally from this vendor.

SmartMontools support

I am working to add limited NVMe support to the smartctl and smartd for OSX. Now i already have working prototype, but need to cleanup and refactor some code. I am planning to add this before the next release. Below is an output from my disk:

smartctl 6.6 2017-09-14 r4434M [Darwin 16.7.0 x86_64] (local build)
Copyright (C) 2002-17, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===

Model Number:                       APPLE SSD AP0512J
Serial Number:                      XXXXXX
Firmware Version:                   16.14.01
PCI Vendor/Subsystem ID:            0x106b
IEEE OUI Identifier:                0x000502
Controller ID:                      0
Number of Namespaces:               2
Local Time is:                      Wed Sep 20 08:56:36 2017 CEST
Firmware Updates (0x02):            1 Slot
Optional Admin Commands (0x0004):   Frmw_DL
Optional NVM Commands (0x0004):     DS_Mngmt
Maximum Data Transfer Size:         256 Pages

Supported Power States
St Op     Max   Active     Idle   RL RT WL WT  Ent_Lat  Ex_Lat
 0 +     0.00W       -        -    0  0  0  0        0       0

=== START OF SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

SMART/Health Information (NVMe Log 0x02, NSID 0x0)
Critical Warning:                   0x00
Temperature:                        33 Celsius
Available Spare:                    90%
Available Spare Threshold:          2%
Percentage Used:                    0%
Data Units Read:                    19,311,330 [9.88 TB]
Data Units Written:                 11,653,167 [5.96 TB]
Host Read Commands:                 50,388,833
Host Write Commands:                37,404,327
Controller Busy Time:               0
Power Cycles:                       2,320
Power On Hours:                     23
Unsafe Shutdowns:                   7
Media and Data Integrity Errors:    0
Error Information Log Entries:      0

Reconstructed API

If you want to play with the API yourself – you can use this header. Please let me know if you found how to use GetLogPage or any other useful information:

// NVMe definitions, non documented, experimental

// Constant to init driver
#define kIONVMeSMARTUserClientTypeID       CFUUIDGetConstantUUIDWithBytes(NULL,      \
                                        0xAA, 0x0F, 0xA6, 0xF9, 0xC2, 0xD6, 0x45, 0x7F, 0xB1, 0x0B, \
                    0x59, 0xA1, 0x32, 0x53, 0x29, 0x2F)

// Constant to use plugin interface
#define kIONVMeSMARTInterfaceID        CFUUIDGetConstantUUIDWithBytes(NULL,                  \
                    0xcc, 0xd1, 0xdb, 0x19, 0xfd, 0x9a, 0x4d, 0xaf, 0xbf, 0x95, \
                    0x12, 0x45, 0x4b, 0x23, 0xa, 0xb6)

// interface structure, obtained using lldb, could be incomplete or wrong
typedef struct IONVMeSMARTInterface
{
        IUNKNOWN_C_GUTS;

        UInt16 version;
        UInt16 revision;

                // NVMe smart data, returns nvme_smart_log structure
        IOReturn ( *SMARTReadData )( void *  interface,
                                     struct nvme_smart_log * NVMeSMARTData );

                // NVMe IdentifyData, returns nvme_id_ctrl per namespace
        IOReturn ( *GetIdentifyData )( void *  interface,
                                      struct nvme_id_ctrl * NVMeIdentifyControllerStruct,
                                      unsigned int ns );

                // Always getting kIOReturnDeviceError
        IOReturn ( *GetFieldCounters )( void *   interface,
                                        char * FieldCounters );
                // Returns 0
        IOReturn ( *ScheduleBGRefresh )( void *   interface);

                // Always returns kIOReturnDeviceError, probably expects pointer to some
                // structure as an argument
        IOReturn ( *GetLogPage )( void *  interface, void * data, unsigned int, unsigned int);


                /* GetSystemCounters Looks like a table with an attributes. Sample result:

                0x101022200: 0x01 0x00 0x08 0x00 0x00 0x00 0x00 0x00
                0x101022208: 0x00 0x00 0x00 0x00 0x02 0x00 0x08 0x00
                0x101022210: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x101022218: 0x03 0x00 0x08 0x00 0xf1 0x74 0x26 0x01
                0x101022220: 0x00 0x00 0x00 0x00 0x04 0x00 0x08 0x00
                0x101022228: 0x0a 0x91 0xb1 0x00 0x00 0x00 0x00 0x00
                0x101022230: 0x05 0x00 0x08 0x00 0x24 0x9f 0xfe 0x02
                0x101022238: 0x00 0x00 0x00 0x00 0x06 0x00 0x08 0x00
                0x101022240: 0x9b 0x42 0x38 0x02 0x00 0x00 0x00 0x00
                0x101022248: 0x07 0x00 0x08 0x00 0xdd 0x08 0x00 0x00
                0x101022250: 0x00 0x00 0x00 0x00 0x08 0x00 0x08 0x00
                0x101022258: 0x07 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x101022260: 0x09 0x00 0x08 0x00 0x00 0x00 0x00 0x00
                0x101022268: 0x00 0x00 0x00 0x00 0x0a 0x00 0x04 0x00
                .........
                0x101022488: 0x74 0x00 0x08 0x00 0x00 0x00 0x00 0x00
                0x101022490: 0x00 0x00 0x00 0x00 0x75 0x00 0x40 0x02
                0x101022498: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                */
        IOReturn ( *GetSystemCounters )( void *  interface, char *, unsigned int *);


                /* GetAlgorithmCounters returns mostly 0
                0x102004000: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004008: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004010: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004018: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004020: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004028: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004038: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004040: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004048: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004050: 0x00 0x00 0x00 0x00 0x80 0x00 0x00 0x00
                0x102004058: 0x80 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004060: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004068: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004070: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004078: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004080: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004088: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004090: 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00
                0x102004098: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

                */
        IOReturn ( *GetAlgorithmCounters )( void *  interface, char *, unsigned int *);
} IONVMeSMARTInterface;


Advertisements
Tagged , , , ,

Home Automation – WIFI connected FAN in the bathroom with humidity sensor

Why do i need that?

To avoid mold in the house it needs to be properly ventilated. Bathrooms are in the danger zone, because of the high humidity and temperature. Some time ago i bough a ventilator which automatically turns on/off based on the humidity, but it was never working good. It has variable resistors to tune it + some complex analog electronic and in fact was never working as intended and in about 1 year controller completely died. So, i had to find a replacement and decided that this is a perfect task for the HA. First part of the task was to define the requirements:

  • Ventilator must be able to turn on when some humidity value is reached (e.g. 80%) and turn off on low threshold (e.g. 60%)
  • It should be easy to change this thresholds. I would expect that its possible for them to be different at winter/summer seasons, may be not.
  • It would be great to monitor Temperature/Humidity in the bathroom with the same device and report it to the DomoticZ server.
  • Additionally it should be possible to start ventilator by pressing a button (e.g. to test if it works or for manual action)
  • And to have a lot of fun it should be built on cheap and open source components.

Choosing the right platform

Initially i had an idea (and prototype) on the Arduino Nano + Relay board + DHT21 sensor + 5V power supply + some connectivity board (wifi or bluetooth). However, i found that there will be a lot of connected components + wifi boards for the Arduino are very limited and sometime expensive, a lot of custom code needs to be written, etc. So i decided to try ESP8266 platform based devices.
One of the known devices based on this chipset is Sonoff TH10/TH16 (only relay is different, 10A and 16A):
sonoff TH10

I found controller on the Ali Express, because on the official web site it was out of stock.

What is inside?

  1. ESP8266 module which provides SoC with wifi connectivity. Serial port (3.3v, be careful!) soldered on the board, but no pins connected (but easy to add)
  2. Internal power supply circuit to power 3.3V SoC from the 220V power line
  3. Mini audio jack socket to connect different sensors. DHT21 and few others are available from the vendor. I ordered mine with DHT21 which is Humidity + Temperature (and is much better compared to DHT11)
  4. Relay (10 or 16A) connected to the SoC GPIO and manageable from it.

Flashing Sonoff TH16

Native firmare works using a cloud and is integrated with the vendor services. This was not something i would like to have, so i decided to re-flash it. There are many options for the ESP8266 (Arduino sketches, NodeMCU, firmware from vendor, etc). After quick research i decided to use an ESP Easy firmware based on such features:

  • It is free and opensource
  • Comes with a handy web interface and support of many different sensors, so very easy to start with.
  • Supports DomoticZ, MTTQ and other connectivity options.
  • Allows limited scripting (Rules engine) to implement device-side logic

I decided to use version 2.0 (ESP Easy Mega) which is still under development, because release was lacking some of the functionality i need. It is very easy to flash firmware to the device – all you have to do is to solder 4 pins in front of the board, which are VCC, RX, TX, GND. To flash it you will need 3.3V TTL Serial converted with a 3.3v output to power the board.

⚠WARNING⚠!!! never try to flash the device when it is connected to the 220V powerline. There is no proper ground isolation and most likely it will kill your device, serial converter and PC. You should disconnect device from the 220v and power it from the TTL converted instead (or any other 3.3v source)

To flash the firmware i been using esptool.py tool and such command:

esptool.py -b 115200 --port /dev/tty.usbserial-A900ZKU9 write_flash 0x0000 ESPEasy_v2.0.0-dev8_normal_1024.bin

Device needs to be programmed in the flash mode, which is entered by powering on device with the button pressed.

Of course serial port name will depend on your OS and controller. After flash you should reboot the device and it will automatically create an SSID ESP_0 with a WPA password configesp. On 192.168.4.1 address there is a web interface to setup connection to the home WIFI network.

EasyESP initial configuration

After Sonoff device is connected to the wifi you can access it from the browser. First think i would recommend to do is to assign blue led to the WIFI status indication. This could be done in the Hardware section, by setting wifi status led to GPIO-13 ESP Easy - status led. Next thing is to define devices available on the board: button (GPIO-0), and DHT21 sensor (GPIO-14). Additionally i defined dummy device, which will be later used in the rules engine:
ESPEasy - devices

To report values to the DomoticZ controller you have to define it in the controller section:
Controller. Additionally you will have to create virtual devices (using virtual switch) in the DomoticZ for the Temperature + Humidity sensor and the switch. ID in devices section should match one from DomoticZ. Also you may want to setup syslogd ip to see logs from the device when not using serial. This is important, because in my case DHT sensor was not working properly when powered from TTL converter (properly not enough current) but its not possible to use serial when 220V is connected.

EasyESP rules

To avoid any dependency on DomoticZ controller i decided to put this simple logic in the device. There is a Rules engine (it needs to be enabled in the Advanced menu) which allows to define some simple device-side rules. It is very limited, but for my task it is enough. Some of the features i been using:

  • Virtual device as variable holder and event loop provider. Every virtual device allow to store up to 4 values and creates own event loop (loop time is set by “Delay” value).
  • Timers, which allows to call user-defined callback on specified timeout (and set a new one if needed)
  • Events from the device (button, temperature sensors, etc). Events can be used in the rules.
  • System startup event to define actions on a startups.
  • Simple (no nested) if/else controls.
  • Many functions which can be called from the code, e.g. to manager GPIO, do HTTP calls, etc.

Below is a ruleset i created. It defines threshold to turn on/off, reports FAN status to the DomoticZ, supports button which turns on ventilator for a 3 minutes even if conditions are not met:

On System#Boot do
  TaskValueSet,3,1,75.00 // temperature on dummy sensor
  TaskValueSet,3,2,70.00 // humidity on dummy sensor
  event FanOff
endon

// main loop
On OnOffValues#HumidityOn do
  If [Temp#Humidity]>[OnOffValues#HumidityOn]
    event FanOn
  EndIf
  If [Temp#Humidity]<[OnOffValues#HumidityOff]
    event FanOffIfNotTimer // workaround for no nestled if
  EndIf
endon

On FanOffIfNotTimer do
  If  [OnOffValues#TimerActive]=0
    event FanOff
  EndIf
EndOn

// timer button is pressed
On Button#Switch=0.00 do
  If [OnOffValues#FanOn]=0 // do nothing if FAN is already on
    TaskValueSet,3,4,1
    event FanOn
    timerSet,1,180 // turn off in a 3 minutes
  EndIf
EndOn

// turn off FAN after timer
On Rules#Timer=1 do
   TaskValueSet,3,4,0
   If [Temp#Humidity]<[OnOffValues#HumidityOn] // do not turn off if Humidity is High
     event FanOff
   EndIf
EndOn

// command to turn on fan
On FanOn do
  TaskValueSet,3,3,1 // FAN is on
  gpio,12,1
  SendToHTTP 192.168.1.1,8080,/json.htm?type=command¶m=switchlight&idx=12&switchcmd=On
EndOn

// command to turn off fan
On FanOff do
  If [OnOffValues#FanOn]=1
    TaskValueSet,3,3,0 // FAN is off
    gpio,12,0
    SendToHTTP 192.168.1.1,8080,/json.htm?type=command¶m=switchlight&idx=12&switchcmd=Off
  EndIf
endon

Additionally i can turn on FAN from the DomoticZ using HTTP call to the http://bath.local/tools?cmd=event+Button%23Switch URL. I used this as “On Action” for the “Push On” button switch. Of course, nice looking visualization is available:
Temperature/Humidity graph

Notes

Everything works as it should, however some of the things i would like to improve in the feature:

  • Solution is not secured properly. I am planning to use own SSID for the HA devices to solve this problem, ESP Easy do have password protection, but it is to secure only web access, API calls are still not secured.
  • Thresholds can be easily changed remotely using TaskValueSet command call
  • Should threshold depend on the temperature or it is overkill? How long will DHT21 survive in such wet environment ? Subject to test… Anyway, its cheap.
  • May be MQTT is better compared to DomoticZ HTTP API? Any comments on that?

As always, comments and suggestions are welcome 🙂

Tagged , , , ,

MCI730 status update – bootable kernel and mplayer package

Some updates on my Philips status: I finally was able to get bootable kernel. Problem was in supplied kernel configuration (.config) – it does not contain references to the required GPIO devices. After enabling them – kernel loads. But it does not work as expected – screen resolution is wrong, there are some problems with I2C bus. Now its clear that provided package is not containing up to date sources for the device. I requested updates from Philips, but it is not clear if they will provide them (they should by GPL).

Also for testers I did binary package with mplayer 1.1. I tested it with some sound formats (MP3, AAC+, FLAC, WAVPACK, APE and OGG) – everything works fine. Only problem I had was AAC+ with bitrate > 128k – seems that this CPU is not powerful enough for this job, everything else is good, including network playing. To use it – unpack it on your flash drive, insert it to the device and use mplay.sh wrapper from telnet. E.g.

/tmp/sda1/mplayer/mplay.sh http://sc1.abacast.com:8240

One note – I am not [yet] aware how to switch device inputs, so before first run switch to the “Internet Radio” mode. Please drop me a not it it works for you.

Update: it is also possible possible to run mplayer with output on the screen:
openvt 1 /tmp/sda1/mplayer/mplay.sh http://sc1.abacast.com:8240

Tagged , , ,

jvpn – Perl script to connect to the Juniper VPN with Host Checker enabled

Overview

To access some company resources i need to use Network Connect  VPN from Juniper.  Network Connect is a software package that interfaces with its Secure Access hardware and provides a Virtual Private Network (VPN) solution. There are two software products that connect to Secure Access servers: Windows Secure Application Manager which, as you might guess, runs on Microsoft Windows; and Network Connect which runs on other platforms, in particular GNU/Linux. All  clients are closed source, without open source alternative.

I personally think that all closes source VPN clients should die one day – typically it is a perfect example of security by obscurity – internally they are using known algorithms and typically built with OpenSSL inside so there are no “secret” technologies. But closed source form will not allow to audit the code or to connect from non-supported OS (including non-x86 Linux, e.g. ARM). Also i`m  sure that code security level is very low – often such clients contains statically linked outdated libraries or input parameter validation is bad. In the worst case such clients including kernel modules (some s..t from Cisco) and then you forced to use only supported kernel. In Juniper case native Linux client requires Java + web browser installed. Also its built with JNI (Java Native Interface) so it will run only on 32-bit platforms. To run it on my Linux/x86_64 i installed 32 bit versions of the Firefox and Oracle  Java. It was very annoying to keep all this blobs in the RAM, so i decided to understand how it works and write some alternative.

How Network Connect works

After debugging with strace, java decompiler and tcpdump i got a clear view how Network Connect works:

  1. In the web browser client opening VPN page and entering Login/Password (in my case password generated from RSA Secure device)
  2. If authorization successful browser checks if VPN software is installed using Java applet. If it is not installed – ncLinux.jar file is downloaded and installation script is running. Client is installed to ~/.juniper_networks/network_connect. Also it will set SUID bit on ncsvc binary using su or sudo (password is prompted)
  3. Then optionally host checker (tncc.jar) client is running. This package validating if your system conforms policies configured on VPN host. In my case HC  is running but probably is not strict – i am able to logon to VPN from my home Linux.
  4. On next step Java Applet launcing NC.jar and passing some parameters to it. Most important one is DSID – dynamic session key, taken from the browser cookie.
  5. NC.jar will start Java (AWT based) GUI and console client (ncsvc) using JNI (code is inside libncui.so). I found that after ncsvc startup it listening on TCP port 4242 (127.0.0.1 address). Then Java GUI starts and connecting to the ncsvc (port 4242).
  6. After connecting Java GUI sending configuration to the ncsvc using non-documented protocol and ncsvc establishing remote connection. In configuration packet i found DSID, certificate md5 fingerprint, hostname and some other data.
  7. When connection is established Java GUI getting reply and communicating with ncsvc to get connection statistic (number of data transferred, VPN algorithm, etc.).
  8. On disconnect GUI sends special command to ncsvc process and it disconnecting from the remote host and doing some cleanup (e.g. reverting /etc/resolv.conf and /etc/hosts).

ncsvc client

Connection is established and maintained with ncsvc client. I found some information in the network (e.g. mad-scientist.us/juniper.html or www.joshhardman.net/juniper-network-connect-vpn-linux-64-bit/) on how to run it from command line, including some scripts. In my case all this scripts failed. If this scripts are working for you than you don`t need jvpn 🙂  Reason of fail was a Host Checker – related Juniper KB contains “Launch Network Connect only through the Internet browser on the supported Linux platforms” text. But i was not satisfied with this  and decided to emulate Java GUI to run client from command line, without web browser. Command line interface of ncsvc (see ncsvc -h) will not help in this case, because there is no possibility to pass DSID , and all other CLI options failing in my case. So i wrote a perl script – jvpn.pl, and hooray – i was able to establish connection.

jvpn.pl script – description

  • To use this script you need Perl (with some modules) and openssl binary. Also unzip is required if client is not installed.
  • jvpn.pl using configuration file jvpn.ini – before usage you will need to setup host name, login, password and realm. If you don`t know your realm – read HTML source for the login page – it will contain hidden “REALM” input element.
  • If ncsvc client is not installed – jvpn will download it to the current directory automatically from your VPN host
  • Then it logging in to the web site using your username/password and getting DSID. It handles some advanced scenarios like “active sessions found” and “additional code required” pages from VPN. It also getting md5 fingerprint of the SSL certificate using “openssl” binary.
  • If Host Checker support is enabled in configuration it is also download and starts tncc.jar to get host checker authentication from the server
  • After getting DSID it starts ncsvs and sending configuration commands to it using TCP protocol (port 4242). On this stage ncsvs establishing VPN connection. Then jvpn.pl entering statistic loop, like Java GUI.
  • On Ctrl+C jvpn.pl sending disconnect command to the ncsvs and also logging out from the VPN web site, to make sure that DSID is invalidated.

Screenshot

Download

Version 0.7.0 – samm.kiev.ua/jvpn/jvpn-0.7.0.tar.bz2. If you found some bugs or did some improvements – drop me a note.

Tagged , , , , , ,

Rooting MCI730/12 device

Promised post about getting root on Philips MCI730/12 media center. As always – no warranty, anything could happens with your device, you are doing this on your own risk.

  1. You will need USB flash formatted to FAT or FAT32.
  2. Put file firmware2010_102h.tgz to the root folder of the disk. This is not a real firmware and it will not modify your device. Only purpose of this package is to provide root access on boot.
  3. Unplug AC cord to power off the device. Insert USB flash in the device. Press and hold EJECT key then plug AC cord. After some time device will start booting in the “Rescue” mode.
  4. If everything done right you will see something like this: Image
  5. To telnet device you need to connect to the Ethernet port. Device address is 192.168.101.211/255.255.255.0, telnetd is running on standard port (23). Password is root/root.
  6. If you want to start telnetd in normal (non-rescue) mode permanently add line
    “/usr/sbin/telnetd -p 23 &” to the /usr/local/etc/mnetwork.conf file using command
    echo '/usr/sbin/telnetd -p 23 &' >> /usr/local/etc/mnetwork.conf
  7. Reboot the device. Telnet will be running on standard (e.g. DHCP) device address, on port 23, with root/root login.

Some background information:

File firmware2010_102h.tgz emulate firmware update. When device booting in the “rescue” mode it extracting content of this file to the temporary directories and starts ./install shell script. In normal update tarball this script re-flashing device, but in our case it just configuring network interface and starting telnetd. I am using /usr/local/etc/mnetwork.conf to start telnetd because it only file located on r/w partition. This file is included by /etc/netinit.sh from the read-only (cramfs) rootfs. Also it is used by mediabolic server, but it seems that it silently ignoring this line, so this hack works fine.

Tagged , , , ,

MCI730 – rescue mode found + self compiled kernel failed to load

I found that device has a “rescue” mode. To enable it you need to power off device completely, press “Eject” button, plug power cord to socket and wait. It will start USB update procedure. I think it was done to rescue devices if update fail for some reason. This mode using kernel and file-system from different partitions, so it works without primary kernel. Using this mode it flashed mtd5 partition with custom kernel. I just added some debugging support to the i2c driver. Unfortunately kernel was not able to load for unknown reasons. Good news is that i was able to debrick device using rescue mode (i did backup of the original kernel).

So probably i will stop my kernel hacking efforts until getting serial connection. May be i will also try to recompile kernel w/o any modifications to check if it works.
Update: i was able go load self-compiled kernel. but it does not work as expected now

Tagged , , , ,

MCI730 – status and plans

So far I did a big progress with this device, so decided to write some summary post:

  • Source code and root access is obtained, hooray.
  • WIFI bug is kernel related.
  • It is possible to run non-vendor software, but before it will be useful – a lot of R&D needs to be done. CPU is powerful enough to play all popular audio formats.
  • Vendor software is closed source blob without documentation, scripts or SDK. It is unlikely that it would be possible to improve it, e.g. by adding new formats. But it is possible to suspend it and do anything you want with hardware

It is yet unknown how to control FM, CD and sound mixer. Other hardware is pretty standard. I see  some different ways on improving knowledge about hardware:

  1. It is possible to use strace (kernel supports it), but in current strace code there is no support for I2C and SPI ioctl`s. It should be not very hard to add this code to strace.
  2. It would be even easer to add more debug in the kernel itself. Only problem is that we will need to write new kernel to the flash – in case of problems we will get a dead device. It should be much safer if I will be able to get serial data to control uboot. Also it should be possible to get kernel from tftp then to avoid any risks.
  3. To find specification on the used chips. I don`t think that it will help a lot without full schematic, but it may help to 1. and 2.

For me primary goal is to have some “magic” button sequence causing switching to my software (and back). It also interesting to find some easy-to-program frame buffer interface (something like curses “dialog”) to simplify this task.

Currently I do not have a lot of time to continue this efforts, so if you owner of such device and want to join to development – please drop me a note.

Tagged , , , ,

MCI730 Linux status update

After getting root access i was able to do a lot of interesting tricks with my sound system. Some of them:

  • I was able to compile and run mplayer and mpg123. Mplayer perfectly plays audio in all known formats. It also able to play from remote streams, seems to be more reliable then player software. CPU seems to be to slow to play video (running at 150Mhz).
  • Sound interface is OSS, but mixer is controlled not (or at least not only) with /dev/mixer, so it is not yet known how to control volume.
  • Mount my NAS music folder by NFS. It is also possible to browse it and play files from it (supported by firmware formats only). With mplayer it possible to play any format. Tried FLAC, MP3 and WAVPACK without any issues.
  • Player software is keeping /dev/dsp open only while playing, so it is possible to use it without unloading it.
  • WIFI problem caused by buggy WIFI driver. After some time device may hang completely. Currently i completely disabled internal WIFI by unloading driver.
  • In the “Sleep” mode (when clocks are displayed) device is not really sleeping – Linux is functioning as usual.
  • Its possible to record from FM Radio (!) to the file, by reading /dev/dsp. I tried with  “/dev/dsp > /tmp/sda1/nfs/123/out.raw” and then reading this file on desktop with aplay -f dat  /nfs/out.raw and it works fine (Signed 16 bit Little Endian, Rate 48000 Hz, Stereo)

And a lot of other interesting findings. I will do  “rooting device” post a little later. Now, to consolidate all knowledge and to share Philips GPL code i created SourceForge project.

Tagged , , , , ,

MCI 730 – got root access!

Finally was able to get the root. It was done via “fake” update from USB + some modifications on the configuration partition. I will post more details and root package later. Now some output:

# uname -a
Linux (none) 2.6.10_dev-VT8610 #295 Wed Oct 13 11:48:35 CST 2010 armv5tejl unknow

# cat /proc/cpuinfo
Processor       : ARM926EJ-Sid(wb) rev 5 (v5l)
BogoMIPS        : 151.60
Features        : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ

# cat /proc/meminfo
MemTotal:       110868 kB
MemFree:         56164 kB

# cat /proc/mtd
dev: size erasesize name
mtd0: 00c50000 00010000 "filesystem"
mtd1: 00280000 00010000 "mini_filesystem"
mtd2: 00180000 00010000 "mini_kernel"
mtd3: 00400000 00010000 "font_lib"
mtd4: 00050000 00010000 "sysconf"
mtd5: 00170000 00010000 "kernel"
mtd6: 00180000 00010000 "wifi"
mtd7: 00010000 00010000 "ECD_key"
mtd8: 00030000 00010000 "uboot"
mtd9: 00010000 00010000 "uboot var1"
mtd10: 00010000 00010000 "uboot var2"
mtd11: 00010000 00010000 "vload"

Continue reading

Tagged , , , , ,

Updates on Philips MCI 730

I finally was able to get source code package from Philips. Initially my request (via support) was denied. Then i sent message to the open.source@philips.com and finally got source tar. It contains a lot of interesting, including user interface binaries and kernel source/tool-chain. Currently i am far from my home, but soon will return and will try to root this device. The package also contains some scripts to create firmware update package and uboot source code. Firmware is based on MontaVista Linux 4.0 with 2.6.10 kernel. I think it should be possible to get root access without serial console. Stay tuned 🙂

Tagged , , , , , ,