Tag Archives: technology

ZPA ZE312 counter RF output description

Some time ago I was able to read data from the ZPA ZE312 power meter, which seems to be popular in CZ. Data is now automatically imported to Arduino every 5 minutes, and I am planning to make a blog post about it. For now, just a description of the values which this device returns:

['/ZPA5ZE312.v10_022'
 'C.1.0(XXXXXXXXX)' # Meter serial number
 '0.0.0(XXXXXXXXXXXX)' # customer number = barcode
 '0.3.0(10000*imp/kWh)' # Active energy meter constant [imp/kWh]
 'F.F(000000)' # Error code
 '1.8.0(0010332.677*kWh)' # Energy a in total: a = |+a|+|-a|
 '1.8.1(0005757.422*kWh)' # Positive active energy (A+) in tariff T1 [kWh]
 '1.8.2(0004575.255*kWh)' # Positive active energy (A+) in tariff T2 [kWh]
## Registers of active energy per phases
 '21.8.0(0008995.585*kWh)' # Positive active energy (A+) in phase L1 total [kWh]
 '41.8.0(0001014.588*kWh)' # Positive active energy (A+) in phase L2 total [kWh]
 '61.8.0(0000322.503*kWh)' # Positive active energy (A+) in phase L3 total [kWh]
 '2.8.0(0000000.000*kWh)' # Negative active energy (A-) total [kWh]
 '22.8.0(0000000.000*kWh)' # Negative active energy (A-) in phase L1 total [kWh]
 '42.8.0(0000000.000*kWh)' # Negative active energy (A-) in phase L2 total [kWh]
 '62.8.0(0000000.000*kWh)' # Negative active energy (A-) in phase L3 total [kWh]
 'C.8.1(0207212145)' # Operating period of tariff register t1. Format RRMMDDhhmm, RR-year, MM-month, DD-date, hh-hours, mm-min.
 'C.8.2(0103181249)' # Operating period of tariff register t2. Format RRMMDDhhmm, RR-year, MM-month, DD-date, hh-hours, mm-min.
 'C.8.0(0305140414)' # Operating period in total +a. Format RRMMDDhhmm, RR-year, MM-month, DD-date, hh-hours, mm-min.
 'C.82.0(0000000000)' # Operating period in total -a. Format RRMMDDhhmm, RR-year, MM-month, DD-date, hh-hours, mm-min.
 'C.7.1(00000001)' # the number of power failures in phase L1
 'C.7.2(00000001)' # the number of power failures in phase L2
 'C.7.3(00000002)' # the number of power failures in phase L3
 '0.2.1(ver.02,100830,B526)' # SW version
 'C.2.1(1112221302)' # Date and time of the last parameterization. Format RRMMDDhhmm, RR-year, MM-month, DD-date, hh-hours, mm-min.
 'C.2.9(1112221302)' # Date and time of the last read-out. Format RRMMDDhhmm, RR-year, MM-month, DD-date, hh-hours, mm-min.
 'C.3.9(0000000000)' # number of trials of attacking by magnetic field (scaler, counter)
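
The readout above includes several integrity-relevant registers (F.F, C.2.1, C.3.9). The following is an added example, not code from the original post: it parses register lines of this form and compares two readouts. The function names, the baseline comparison and the mapping of RR to the year 20RR are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the register lines listed above.
SAMPLE = """\
/ZPA5ZE312.v10_022
F.F(000000)
1.8.0(0010332.677*kWh)
C.7.3(00000002)
C.2.1(1112221302)
C.3.9(0000000000)
"""

# code(value) or code(value*unit)
LINE_RE = re.compile(r"^([0-9A-F.]+)\(([^*)]*)(?:\*([^)]*))?\)$")

def parse_readout(text):
    """Return {register code: (value, unit or None)}; the '/...' ident line is skipped."""
    regs = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            regs[m.group(1)] = (m.group(2), m.group(3))
    return regs

def parse_stamp(value):
    """Decode RRMMDDhhmm; treating RR as 20RR is an assumption. None if all zeros."""
    if value.strip("0") == "":
        return None
    return datetime.strptime("20" + value, "%Y%m%d%H%M")

def integrity_findings(current, baseline):
    """Compare two parsed readouts and list changes worth investigating."""
    findings = []
    if current["F.F"][0].strip("0"):
        findings.append("error code set: " + current["F.F"][0])
    if int(current["C.3.9"][0]) > int(baseline["C.3.9"][0]):
        findings.append("magnetic-field counter increased")
    if current["C.2.1"][0] != baseline["C.2.1"][0]:
        findings.append("re-parameterized at %s" % parse_stamp(current["C.2.1"][0]))
    if float(current["1.8.0"][0]) < float(baseline["1.8.0"][0]):
        findings.append("total energy register went backwards")
    return findings
```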

Using TK103A GPS tracker with traccar server

TK-103A tracker

Some time ago I decided to install a GPS tracker in my car to get information about my routes, car location, etc. After quick research I found the “Mini TK103A” tracker on eBay, which costs about 30$.

The device looks solid and can be configured by SMS commands. The most important are “begin123456” (initialization), “admin123456” (adds numbers to the trusted list) and adminip (GPRS settings). The full command list is provided in the documentation.

“USB” port

The tracker does have a micro-USB socket; however, it is not real USB, it is just a serial port soldered onto a micro-USB plug. I was able to get information from it using a USB-Serial TTL converter. It sends a lot of debug information at 115200/8N1. Debugging information is useful when you are configuring and testing the tracker.

04-26 15-63-40  EINT PWR CONNECT
04-26 15-63-40  motion_close
01-15 00-00-00  SENDDATA:0
01-15 00-00-00  NO SERVICE
01-15 00-00-00  T-card not ready!
01-15 00-00-00  FILE2222:
                         01-15 00-00-00:

01-15 00-00-00  password1=:123456
01-15 001-15 00-00-00  CENTER NUMER1:+420123123123
01-15 00-00-00  CENTER NUMER2:
01-15 00-00-00  CENTER NUMER3:
01-15 00-00-00  CENTER NUMER4:
01-15 00-00-00  CENTER NUMER5:
01-15 00-00-00  heartbeat time:3
01-15 00-00-00  SENDDATA:0
01-15 00-00-00  send Packet time:15
01-15 00-00-00  sms_gprs=1
01-15 00-00-00  time_zone:2,8,0
01-15 00-00-00  voice_temp:1
01-15 00-00-00  shave alarm:0,35
01-15 00-00-00  ACC:0
01-15 00-00-00  speed alarm:0,120
01-15 00-00-00  speed alarm time:5
01-15 00-00-00  s alarm time:5
01-15 00-00-00  move alarm=0
01-15 00-00-00  JT=0
01-15 00-00-00  JT TIME=3
01-15 00-00-00  TRACE :2
01-15 00-00-00  lang=1
01-15 00-00-00  APN=1
01-15 00-00-00  ���ϴ�ʱ��:1
01-15 00-00-00  powr=1
01-15 00-00-00  weilan:0
01-15 00-00-00  num:255
01-15 00-00-00  loud_spe=1
01-15 00-00-04  NO SERVICE
01-15 00-00-04  NO SERVICE
01-15 00-00-04  NO SERVICE
01-15 00-00-04  NO SERVICE
01-15 00-00-04  NO SERVICE
01-15 00-00-05  NO SERVICE
01-15 00-00-07  NETWORK NORMAL
01-15 00-00-07  NETWORK NORMAL
01-15 00-00-10  T-card not ready!
01-15 00-00-10  FILE2222:
                         01-15 00-00-10:

01-15 00-00-12   IMEI��:352887072123123
01-15 00-00-12   IP/PORT:1.2.3.4/9000
01-15 00-00-12   VER:MAUI.10A.W11.08.MP.V25 2015/09/11 12:38
01-15 00-00-12   ---------------------------------------------------
01-15 00-00-12   SIM CARD------------------OK!
01-15 00-00-12   GSM Signal----------------OK!
01-15 00-00-12   SOCKET----------------NG
01-15 00-00-12   G-Senser------------------OK!
01-15 00-00-12   GPS Location----------NG
01-15 00-00-12   PWR EINT--------------NG
01-15 00-00-12   ACC EINT--------------NG
01-15 00-00-12   SOS EINT--------------NG
01-15 00-00-12   BATTER/Vin-----------4.11/11.97
01-15 00-00-12   ---------------------------------------------------
01-15 00-00-12   GPS Location:86,Satellite:2-----------
01-15 00-00-12  num:255

I also found some references that this port can be used to reflash the tracker; however, I never tried that.

Sending data to the server

After GPRS host/port configuration you can enable GPRS mode, where all data will be sent to the remote server. I found that the open-source Traccar software supports such devices and provides web and Android interfaces. It was found that this specific tracker uses the GT06 binary protocol. Traccar supports it out of the box; you just have to choose the correct port on the server/client. Traccar also supports data logging to an external database (MySQL, Pg, etc.), so it should be easy to integrate it with anything you need.

Some security considerations

All data from the tracker to the monitoring system is sent unencrypted and can be easily decoded in transit if traffic is captured. This device also allows adding some “security alarm” features, including ignition and oil pump control. I personally feel that it is very dangerous and should not be used at all. I think such features are a good example of the InternetOfShit coming 🙂
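
To illustrate what "unencrypted" means for GT06, here is an added example (not from the original post and not Traccar's code) that builds and decodes a login frame. The frame layout used (0x78 0x78 start, length, protocol number, BCD terminal ID, serial number, CRC-16/X-25, CR LF) is taken from the public GT06 protocol description rather than from this page, and the IMEI is a constructed value.

```python
import struct

def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25 (the "CRC-ITU" of GT06 frames). It is unkeyed, so it
    detects corruption only and gives no confidentiality or authenticity."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_login(imei: str, serial: int) -> bytes:
    """Build a constructed GT06 login frame (protocol 0x01) as test input."""
    body = bytes([0x0D, 0x01]) + bytes.fromhex(imei.rjust(16, "0"))
    body += struct.pack(">H", serial)
    return b"\x78\x78" + body + struct.pack(">H", crc16_x25(body)) + b"\r\n"

def decode_frame(frame: bytes) -> dict:
    """Decode what any on-path observer can read from a short GT06 frame."""
    if len(frame) < 10 or frame[:2] != b"\x78\x78" or frame[-2:] != b"\r\n":
        raise ValueError("not a 0x7878 GT06 frame")
    if len(frame) != frame[2] + 5:           # start(2) + len(1) + stop(2)
        raise ValueError("length field does not match frame size")
    body, (crc,) = frame[2:-4], struct.unpack(">H", frame[-4:-2])
    if crc16_x25(body) != crc:
        raise ValueError("bad CRC")
    out = {"protocol": frame[3], "serial": struct.unpack(">H", frame[-6:-4])[0]}
    if frame[3] == 0x01:                     # login: 8-byte BCD terminal ID
        out["imei"] = frame[4:12].hex()[-15:]
    return out
```

The device identifier is recovered with no key material at all, which is why this traffic should be carried inside a VPN or private APN if the SIM plan allows it.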


JVPN 0.6.0 – new feature and bug fix

The script to connect to a Juniper firewall has been updated. The most important change: the bug with hanging after “sending disconnect packet” should now be fixed. Also added a new feature, scripting support. It allows running a custom script on connect/disconnect events.
The script page is https://smallhacks.wordpress.com/2012/07/15/jvpn-perl-script-to-connect-to-the-juniper-vpn-with-host-checker-enabled/. Please test and let me know if it works for you.


MCI730 – rescue mode found + self compiled kernel failed to load

I found that the device has a “rescue” mode. To enable it you need to power off the device completely, press the “Eject” button, plug the power cord into the socket and wait. It will start the USB update procedure. I think it was done to rescue devices if an update fails for some reason. This mode uses a kernel and file system from different partitions, so it works without the primary kernel. Using this mode I flashed the mtd5 partition with a custom kernel. I just added some debugging support to the i2c driver. Unfortunately the kernel was not able to load for unknown reasons. The good news is that I was able to debrick the device using rescue mode (I did a backup of the original kernel).

So probably I will stop my kernel hacking efforts until getting a serial connection. Maybe I will also try to recompile the kernel without any modifications to check if it works.
Update: I was able to load a self-compiled kernel, but it does not work as expected now.


MCI730 Linux status update

After getting root access I was able to do a lot of interesting tricks with my sound system. Some of them:

  • I was able to compile and run mplayer and mpg123. Mplayer perfectly plays audio in all known formats. It is also able to play from remote streams and seems to be more reliable than the player software. The CPU seems to be too slow to play video (running at 150 MHz).
  • The sound interface is OSS, but the mixer is controlled not (or at least not only) with /dev/mixer, so it is not yet known how to control volume.
  • Mounted my NAS music folder over NFS. It is also possible to browse it and play files from it (only formats supported by the firmware). With mplayer it is possible to play any format. Tried FLAC, MP3 and WavPack without any issues.
  • The player software keeps /dev/dsp open only while playing, so it is possible to use it without unloading the player.
  • The WIFI problem is caused by a buggy WIFI driver. After some time the device may hang completely. Currently I have completely disabled internal WIFI by unloading the driver.
  • In “Sleep” mode (when the clock is displayed) the device is not really sleeping: Linux is functioning as usual.
  • It's possible to record from FM radio (!) to a file by reading /dev/dsp. I tried with “cat /dev/dsp > /tmp/sda1/nfs/123/out.raw” and then read this file on the desktop with aplay -f dat /nfs/out.raw, and it works fine (Signed 16 bit Little Endian, Rate 48000 Hz, Stereo).

And a lot of other interesting findings. I will do a “rooting device” post a little later. Now, to consolidate all knowledge and to share the Philips GPL code, I created a SourceForge project.


MCI 730 – got root access!

Finally I was able to get root. It was done via a “fake” update from USB plus some modifications on the configuration partition. I will post more details and a root package later. Now some output:

# uname -a
Linux (none) 2.6.10_dev-VT8610 #295 Wed Oct 13 11:48:35 CST 2010 armv5tejl unknow

# cat /proc/cpuinfo
Processor       : ARM926EJ-Sid(wb) rev 5 (v5l)
BogoMIPS        : 151.60
Features        : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ

# cat /proc/meminfo
MemTotal:       110868 kB
MemFree:         56164 kB

# cat /proc/mtd
dev: size erasesize name
mtd0: 00c50000 00010000 "filesystem"
mtd1: 00280000 00010000 "mini_filesystem"
mtd2: 00180000 00010000 "mini_kernel"
mtd3: 00400000 00010000 "font_lib"
mtd4: 00050000 00010000 "sysconf"
mtd5: 00170000 00010000 "kernel"
mtd6: 00180000 00010000 "wifi"
mtd7: 00010000 00010000 "ECD_key"
mtd8: 00030000 00010000 "uboot"
mtd9: 00010000 00010000 "uboot var1"
mtd10: 00010000 00010000 "uboot var2"
mtd11: 00010000 00010000 "vload"


Updates on Philips MCI 730

I finally was able to get the source code package from Philips. Initially my request (via support) was denied. Then I sent a message to open.source@philips.com and finally got the source tar. It contains a lot of interesting things, including user interface binaries and kernel source/tool-chain. Currently I am far from home, but I will return soon and try to root this device. The package also contains some scripts to create a firmware update package and the uboot source code. The firmware is based on MontaVista Linux 4.0 with a 2.6.10 kernel. I think it should be possible to get root access without a serial console. Stay tuned 🙂


IPv6 is Here!

Facebook turned on IPv6 on the main domain:

samm@samm-dell:~$ dig +short -t aaaa facebook.com
2a03:2880:2110:3f01:face:b00c::
2a03:2880:10:1f02:face:b00c:0:25
2a03:2880:10:8f01:face:b00c:0:25


Philips MCI730 hacking – preparation

I am the owner of a Philips MCI730 device. It runs Linux inside and has WIFI and Ethernet ports. It supports MP3 and Internet Radio. The device also supports UPNP/DLNA, so I am able to listen to music directly from my NAS. The device works mostly fine, but there are some very annoying problems.

  • WIFI is VERY unstable. I tried with 2 different routers. Sometimes it just loses the AP. As a workaround I am using an Ethernet-connected access point in “Client” mode.
  • No compressed lossless formats are supported. To me this sounds very stupid: there is MP3/WMA support, but no FLAC, WavPack or APE. As a workaround my NAS converts lossless files to LPCM on the fly.
  • No gapless playback from a UPNP device. I think it is a limitation of the firmware.
  • The control point is implemented with a lot of bugs.

Despite all these problems I like the device, because it works well with my favorite radio stations and the FM tuner is also very good. I had a much more expensive receiver before, but the quality of radio was poor (bad reception zone). I think that the WIFI problem should be easy to fix. Probably the software is one big blob, so it would not be possible to add more formats. For the control point interface probably some telnet-based workaround could be found. The problem is the lack of root access. I tried several options to get root on the device, but no luck so far. Some findings:

  1. There is no web interface. NMAP shows that ports 111/tcp, 1024/tcp and 8888/tcp are open. On 8888 a Mediabolic UPNP/DLNA server is running. It is unclear what is on port 1024: a TCP connection can be established, but it is closed after a short time.
  2. According to NMAP the system is running Linux 2.6.X.
  3. I used tcpdump on my router to capture the protocol between the device and Philips servers. The protocol is HTTP (no TLS) with all data sent in the message body. The data is encrypted somehow.
  4. On USB only FAT-formatted drives are detected.
  5. There is no GPL code or firmware sources/binaries on the vendor web site.

So I assume that the only way to hack this device is to physically open it. What could be done then:

  • There should be a serial interface somewhere, soldered or not.
  • JTAG (likely) or removable flash (unlikely).
  • If the CPU is not hidden there will be more chances to find out what is running on this box.

I am going to open the box in the near future. I found no stickers on the case, so the warranty should not be affected. If you have positive experience with hacking this type of device, please drop me a comment.


Exploring Servis24 certificate card from the Česká spořitelna bank

Česká spořitelna is one of the largest banks in the Czech Republic. I have been a client of this bank for a long time and am satisfied with their services. One of the services I am using is the internet bank (Servis24).

It is web-based and works from Firefox without problems. The only issue for me was SMS confirmation for every transaction: I found that SMS delivery in roaming is not always reliable. Also, I dislike password-based authentication. So I decided to order a card for a certificate.
