Sunday, December 11, 2011

Nokia N900 Gamepad

The N900 is a great device, capable of running many game system emulators.
Unfortunately, playing on its keyboard is not very comfortable.
I've decided to do something about it...


I've built a gamepad that connects to the usb port and fits nicely over the keyboard.
It features 8 buttons and a PSP joystick, the device emulates a USB keyboard so it works out of the box with all games/programs.

At the heart of the gamepad is an ATmega8A running V-USB software USB stack.

Video of it in action:


Schematic


Schematics, board and code:
https://sites.google.com/site/emeryth/n900_gamepad.zip?attredirects=0&d=1

Thursday, July 14, 2011

JTAG on Amit/Zalip CDE530AM-S

I recently bought a very nice and very cheap WiFi router - Amit CDE530AM-S.
It's based on the Ralink RT3050 chipset, with 8MB of flash, 32MB of RAM and USB host.

Motivated by Arran Short, who's managed to run OpenWrt (a modified Fonera 2.0n image) on an Edimax NS-1500 (also based on RT3050), I decided to try running OpenWrt on the Amit.

The device has a bootloader, but it has no documentation, and there are no official firmware images available to try to decipher the required format.

I've managed to set up a JTAG connection using OpenOCD, here's a little HOWTO.

Hardware connection

First of all, the CDE530AM-S has two serial ports. One is nicely brought out on a pin header, but unfortunately it isn't used for anything. The one used as the serial console is just two tiny pads on the underside of the board near the chip; fortunately they are marked RX and TX. The baud rate is 57600.

As for JTAG, there is a standard EJTAG header on the underside of the board, but to make it work you have to populate a small resistor near the TDO pin (I guess you can bridge it with solder, just to be safe I soldered in a 51 Ohm resistor). All the other pads are for pull-downs or pull-ups so you can ignore them.
Don't forget about that resistor (R28)!


Software

I'm using OpenOCD and a Wiggler clone parallel port JTAG adapter.
Connect everything, the nTRST pin can be pulled high all the time if your adapter doesn't control it.

Create a file rt3050.cfg containing (you have to change the contents if you use a different adapter):

set  _CHIPNAME rt3050
set  _ENDIAN little

#daemon configuration
telnet_port 4444
gdb_port 3333
#interface
interface parport
parport_port 0
parport_cable wiggler
#jtag_speed 0
set _CPUTAPID 0x1335024F
jtag_nsrst_delay 100
jtag_ntrst_delay 100

# jtag scan chain
# format L IRC IRCM IDCODE (Length, IR Capture, IR Capture Mask, IDCODE)
jtag newtap $_CHIPNAME cpu -irlen 5  -ircapture 0x1 -irmask 0x1

set _TARGETNAME [format "%s.cpu" $_CHIPNAME]
target create $_TARGETNAME mips_m4k -endian $_ENDIAN -chain-position $_TARGETNAME
How to use JTAG:

1. Open two terminal windows
2. Connect everything and power up the router
3. In one terminal run "openocd -f rt3050.cfg" (you have to do that quickly after power up, before the device leaves the bootloader)
4. In the other terminal run "telnet localhost 4444" 
5. Use the telnet window to send commands to OpenOCD, start off with writing "halt", which will stop the CPU and allow you to read and edit the memory

Some useful commands:

mdb [phys] addr [count]
Display contents of address addr, as 32-bit words (mdw), 16-bit halfwords (mdh), or 8-bit bytes (mdb).

dump_image filename address size
Dump size bytes of target memory starting at address to the binary file named filename.

load_image filename address [[bin|ihex|elf|s19] min_addr max_length]
Load image from file filename to target memory offset by address from its load address.

resume [address]
Resume the target at its current code position, or the optional address if it is provided.

Refer to OpenOCD documentation for more info.
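As an added example that is not part of the original post: after a long dump_image run over a slow Wiggler, a handful of words read back with mdw can be compared against the file to catch a bad read or a byte-order mix-up. The script assumes OpenOCD's mdw output layout (address, colon, 32-bit hex words) and the little-endian target from rt3050.cfg; the addresses and values in the sample are constructed placeholders, not real RT3050 contents.

```python
import re
import struct

# One mdw output line as assumed here: "0xADDRESS: WORD WORD ..." (32-bit hex words).
MDW_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s*((?:[0-9a-fA-F]{8}\s*)+)$")


def parse_mdw(text):
    """Return {address: word} for every 32-bit word in an mdw transcript."""
    words = {}
    for line in text.splitlines():
        m = MDW_LINE.match(line)
        if not m:  # skip prompts, echoed commands and blank lines
            continue
        addr = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words[addr + 4 * i] = int(w, 16)
    return words


def check_dump(mdw_text, dump, base, endian="little"):
    """Compare every mdw word with the dump_image file starting at target address base.

    mdw shows whole words, dump_image writes raw bytes: with "set _ENDIAN little"
    the word 10000ff0 is stored as f0 0f 00 10, so the file is unpacked as "<I".
    Returns a list of (address, word_from_mdw, word_from_dump) mismatches.
    """
    fmt = "<I" if endian == "little" else ">I"
    bad = []
    for addr, w in sorted(parse_mdw(mdw_text).items()):
        off = addr - base
        if off < 0 or off + 4 > len(dump):
            raise ValueError("0x%08x lies outside the dump" % addr)
        (d,) = struct.unpack_from(fmt, dump, off)
        if d != w:
            bad.append((addr, w, d))
    return bad


# Constructed sample: two lines in mdw's layout with placeholder values (not real
# RT3050 contents), the matching little-endian dump, and a copy with one bad byte.
SAMPLE_MDW = """> mdw 0xbf000000 6
0xbf000000: 10000ff0 00000000 3c1dbfc0 27bd0000
0xbf000010: 0ff00004 00000000
"""
SAMPLE_DUMP = b"".join(struct.pack("<I", w) for _, w in sorted(parse_mdw(SAMPLE_MDW).items()))
CORRUPT_DUMP = SAMPLE_DUMP[:8] + b"\xff" + SAMPLE_DUMP[9:]

if __name__ == "__main__":
    print("clean dump mismatches:  ", check_dump(SAMPLE_MDW, SAMPLE_DUMP, 0xBF000000))
    print("corrupt dump mismatches:", check_dump(SAMPLE_MDW, CORRUPT_DUMP, 0xBF000000))
```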

Refer to the RT3050/52 datasheet for memory mapping information:
qasdfdsaq.com/files/RT3050_5x_V2.0_081408_0902.pdf

Sunday, April 10, 2011

Wifon 2.0

Wifon is back! Smaller and better!

Here's an upgraded version of my "Handheld Fonera pentesting device".
This time I was working alone, so I don't have anyone to blame for the outcome. :P
Wifon 2.0

New features:
- Color 320x240 LCD screen with touch panel
- Fast STM32 microcontroller for a more advanced user interface
- Smaller custom case - 150 mm x 100 mm x 28 mm
- External battery pack


Hardware:

Case opened
This time the construction is much simpler, with almost no custom parts.
I'm still using the La Fonera router, but this time with a much better screen and uC - the MINI-STM32 devkit I've posted about earlier.
There are no buttons, everything is controlled by the touch panel.

The screen and micro are powered from the 3.3V supplied by the fonera's linear voltage regulator.
This isn't very efficient, but makes the construction much simpler - all you have to do is connect the UART and power pins from the fonera to the micro.
Everything is powered through the fonera's power socket - accepting 5V nominally.
I built a lithium battery pack supplying 5V using a 4xAA holder and a switching voltage regulator from wifon 1; it can be attached to the back of the device to make it portable.

Battery pack inside
I've tried adding an SD card to the fonera for additional storage (http://deve.loping.net/files/fon_mmc/), but it's too slow to be of any use.

Software:

The firmware on the microcontroller uses ChibiOS/RT real time operating system, which allows for multitasking and made the whole project a lot easier.
The user interface is controlled entirely by the uC, which makes it much more responsive - it's not slowed down by apps running on the router.

Just like in wifon 1, a set of Ruby/shell scripts for communicating with the display runs on the fonera's serial terminal, but I had to write them from scratch because of the different approach to the user interface.

I'm using the Jasager firmware for the fonera (http://www.digininja.org/jasager/index.php) to be able to demonstrate the Karma attack.

So far I've only managed to implement some simple apps demonstrating that the device works - displaying wifi status and a couple of attacks using mdk3. Doing everything alone is harder than I thought! :P
I hope to add more software in the future.

Main screen with a graph displaying WiFi interface usage
Unfortunately, hardware limits of the fonera are showing - running too many apps at once makes the device run out of RAM and restart. I have to consider doing the RAM upgrade mod...


Sources:
https://sites.google.com/site/emeryth/files/wifon2_source.zip