Huawei E5186 (prototype) reviewed
Thursday, March 12. 2015
As I mentioned earlier, a reader of this blog got a Huawei E5186 and I got to test drive it. The model is still in prototype and the semi-official rumour is, that it will be released Q2/2015. As usual, they are not sold directly by Huawei, but by telcos. The one I had was from Germany, T-mobile. The mobile side is pretty much the same as in B593s-22, the exact model I had was in fact E5186s-22. Frequencies and modulations are: LTE FDD DD800/900/1800/2100/2600 and TDD 2600. It is very likely, that inside the box is a HiSilicon Android running on an ARM-chip.
It looks exactly like a B593. Here are the pics:
The first thing I noticed was that the Tel1 and Tel2 RJ-11 connectors are missing. Also: no USB!! What! I found information from discussion boards, that this particular T-Mobile version is a "poor man's model". There do exist other E5186 models, which have USB and the Tel-connectors.
As a B593 has, there are dual antenna connectors and they are SMA:
For testing this router I didn't need external antennas, the RF-side is much more sensitive than in a B593. In a location where I normally have one bar (without external antenna), this one got three (out of five). Nice!
If you'd want to pop the hood, it opens like B593 does, from the bottom:
All Huawei-hardware has a thin paper on top of one screw. This is to indicate if that screw was removed to void any warranty. I didn't open it, it wasn't my own box.
The web-GUI is completely new:
Everything looked brand new, so had to port-scan the thing:
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http
MAC Address: 38:F8:89:03:1C:36 (Unknown)
What a surprise! Nothing there. Nothing! No SSH, no FTP, no Samba, no HTTPS. A B593 has plenty of ports open, but this beast is closed as a clam.
A cursory check on the HTML and JavaScript proved, that the entire front was re-written. B593 front has issues on security and functionality, this one is an entirely jQuery / AJAX-based thing. All the requests transfer XML. I was expecting JSON, but hey, it works. I guess there is something on back-end, which runs better on XML.
As the stripped-down hardware suggests, the web-GUI has very little options:
No real surprises there. The only thing, that really caught my eye, was the 5GHz WLAN which B593 doesn't have. There must be some new electronics inside.
This is the device information screen:
As it happened, also Finnish magazine happened to review the E5186. I don't have a permission for reprint, but here is a small glimpse what they said:
As a conclusion, the mag loved the box. I don't know which version they had, but this one without USB I don't especially love. It's too pricey without the port. Under the hood, the AJAX-API has a ton of features not available via your web browser. I'll get back to that subject later.
ZTE MF910 Wireless Router reviewed
Sunday, March 1. 2015
I had a chance to setup a modern 4G/3G/2G router. Of course I took pics and share the details here!
This is what a ZTE MF910 looks like:
Pretty much the first thing that comes to my mind is: "It's a cell phone!" Yes, indeed. It is. It is an Android phone. My guess is, it is 99% of a cell phone when compared to an Android in your pocket. It is small, it has a USB-charger, runs hours from a battery. It is shiny (pretty difficult to get decent pictures of it). It has a display (no touching or anything expensive). And it costs 99,- €. There is very little differentiating it, except that it doesn't have a speaker and a microphone. I didn't pop the hood of it (that thing isn't mine, I was just helping to set it up), but I'm thinking it has all the chips and electronics a phone would have.
Screen will indicate connection type (2G/3G/4G), bars, Internet status (ok, both arrows up and down), Wi-Fi enabled, how many clients are connected to the Wi-Fi, battery charge level, operator name, cumulative time connected and the cumulative transmitted bytes.
On the back there are out-of-the-box defaults and mandatory IMEI-information. The TAC-code for this one is 86415402 and I couldn't find it from any TAC databases. Must be quite a new one. What I didn't find is how to replace the battery. I guess you cannot, it is like a cell phone. It doesn't feel hot or anything when running, looks like the electronics design is also modern. It puts all the electrons where you'd expect them to go, not to dissipate heat.
Here is a clear difference to a phone:
There are two antenna connectors (TS9) on the sides. As all LTE equipment always has 2 antennas (your phone does, you just won't see them), there need to be connectors for both of them. The intended purpose for this is to convert cellular connection into Wi-Fi. As sometimes the cell network connection is poor, adding a proper antenna (or two) can make a difference. The power button has one extra feature in addition to the obvious one. If you press it shortly, it will display the default WLAN SSID and password on the screen. Funny thing: if you change them, the screen won't display the new ones. As expected, there is a mini-SIM slot and a mini-A USB for the charger.
The antenna connector is a quirky one:
I couldn't find anything to connect to it. Typical small appliances (like Huawei USB-sticks) have a CRC9-connector, and the bigger routers (like Huawei B593) have SMA-connectors. I guess the new TS9 suits better for some reason.
When the SIM-card is inserted, power button pressed and box is up and running, it connects automatically to internet. It distributes an IP-address to any client devices and enables the management web-console. It looks like this:
There is a decent selection of languages for the GUI:
And the top right corner status indicator is good one:
It provides a lot of information without need to login. This is what it looks like once in:
There is no need to look for Wi-Fi settings. They are right there after a login. In general I really love their approach, lot of useful features and really well thought web-GUI implemented. Also the existence of 5 GHz WLAN tells about a modern design. A while ago only 2,4 GHz existed in routers such as this.
The Internet connection details are:
APN I didn't touch, it just worked. Network mode (2G/3G/4G) may be necessary if reception has issues. The most important thing is, that this box has a built-in freq lock in it. No need of hacking or any quirks. This is by far the most commonly asked question nowadays, how do you lock B593 into a frequency. With this el-cheapo box, setting is right there! Nice.
I also love the status screens:
Lot of relevant information right at your screen! This is exactly what everybody else should be doing. Unfortunately the network status screen is optimized heavily for LTE-connections and on UMTS it won't tell much.
As a conclusion I have to recommend this cheaply built piece of plastic for any router needs. It certainly is worth the money and has just the right features in it. The only thing that worries me is the constant charging: will it survive future years? I don't care if the thing wouldn't run from the battery, but will the charger alone be enough to run it?
First B593 s-22 exploit: Setup FTP to get /var/sshusers.cfg
Monday, February 23. 2015
I have a new version of B593_exploit.pl published. See this article about previous info.
This version has s-22 FTP hack added to it. u-12 has the classic FTP USB-share flaw where it is possible to create an FTP share of the /. Unfortunately in this box the Huawei guys made the web GUI a bit smarter, you cannot do such a nice share anymore. The fortunate part is, that the guys don't check for that at the save. If you manage to lure the ../.. past the GUI, you can do it. That's what the exploit is about.
Example run:
./B593_exploit.pl 192.168.1.1 admin --ftp-setup \
    ftpuser ftppassword
That command will share the first USB-device found at the filesystem root of the box. You have to have a physical USB-storage attached. It doesn't have to have anything on it and it won't be affected during the process. But setting a path will fail, if there is no USB-storage.
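The flaw described above is that only the web GUI rejects ../.. while the save handler accepts it. As an added example (not code from B593_exploit.pl or from the Huawei firmware), this is the kind of server-side check a save handler needs: canonicalise the requested share path and refuse anything that resolves outside the USB mount point. The function name, the directory layout and the sample inputs are hypothetical and constructed for the demonstration.

```python
import os
import tempfile


class SharePathError(ValueError):
    """Raised when a requested share path is not acceptable."""


def resolve_share_path(usb_root: str, requested: str) -> str:
    """Return the canonical directory to share, or raise SharePathError.

    usb_root  -- mount point of the USB storage (hypothetical name)
    requested -- sub-path taken from the save request, i.e. untrusted input
    """
    if "\x00" in requested:
        raise SharePathError("NUL byte in path")
    root = os.path.realpath(usb_root)
    # Treat the input as relative to the mount point, even if it starts with "/".
    # realpath() collapses ".." and follows symlinks before we compare anything.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # commonpath compares whole components, so .../usb1 does not match .../usb10.
    if os.path.commonpath([root, candidate]) != root:
        raise SharePathError("path escapes the USB mount point")
    if not os.path.isdir(candidate):
        raise SharePathError("not an existing directory")
    return candidate


def demo() -> dict:
    """Run constructed inputs against a throw-away directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        usb = os.path.join(base, "usb1")               # stands in for the USB mount
        os.makedirs(os.path.join(usb, "photos"))
        os.makedirs(os.path.join(base, "usb10"))       # sibling sharing a name prefix
        os.symlink(base, os.path.join(usb, "escape"))  # symlink pointing outside
        samples = ["photos", "/", "../..", "photos/../../usb10", "escape", "/etc"]
        for requested in samples:
            try:
                resolved = resolve_share_path(usb, requested)
                rel = os.path.relpath(resolved, os.path.realpath(usb))
                results[requested] = "ok:" + rel
            except SharePathError as exc:
                results[requested] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    for requested, outcome in demo().items():
        print(f"{requested!r:24} -> {outcome}")
```

The check runs at save time on the server, so it holds no matter what the browser-side form allows through.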
I had problems with the FTP-client, it kept complaining about FTP passive mode. I switched the client into NcFTP and that solved my problem.
When in the box the SSH passwords are at the classic /var/sshusers.cfg. If configuration is of interest to you, it can be found from /app/curcfg.xml. When the admin user's password is known, it is only a trivial task to SSH into the box and gain a shell access.
While looking around the box, I got carried away with the lteat-command. I managed to brick the box. But that's another story.
iPhone (cell) Field Test mode
Saturday, February 21. 2015
A reader of this blog contacted me and wanted me to take a look at his Huawei E5186. During the meeting he showed the Field Test mode of his iPhone. I haven't done any iPhone hacks, and had never heard of such thing. In this mode you can see details of the cellular connection. It is completely limited to that, there is no "root"-mode, nor details about Wi-Fi connection, nor details of the phone itself. But if any of the SIM, GSM, UMTS or LTE details are of interest, this one is for you.
Every iPhone has this. Really! There are details of this Field Test mode in The Net from year 2009 (iPhone 3GS), maybe earlier if you'd really want to look close. My iPhone 6 has this, so I'm pretty sure your (whatever model) has it too.
How to get there? Easy. Dial *3001 # 12345#*. Like this:
As a result you will see either the 2G/3G (GSM/UMTS) or 4G (LTE) Field Test menu:
As you can see, the 2G/3G menu has more stuff in it. It is because this is the really old stuff back from the 90s. LTE menu is light, as it is the 2010s spec. Please remember, that it is a snapshot of the situation when menu was opened.
Also notice how there are no more bars on top of the screen, there is a number in dBm. The number will indicate RSSI (in 2G) or RSCP (in 3G) or RSRP (in 4G). See article Some GSM, UMTS and LTE Measurement Units for clarification of the units.
RSSI translation:
- -40 dBm - theoretical max., you won't get this even if you'd be right next to the cell tower
- -50 to -75 dBm - High
- -76 to -90 dBm - Medium
- -91 to -100 dBm - Low
- -101 to -120 dBm - Poor
RSRP translation:
- theoretical max. ? dBm
- -75 and -88 dBm - Very High
- -89 and -96 dBm - High
- -97 and -105 dBm - Medium
- -106 and -112 dBm - Low
- -113 and -125 dBm - Poor
As I didn't find much information about the actual contents of these menus, I'll try to gather here a comprehensive list. Not all of the items have a value in my phone. If there is a value recorded, but I don't know what it is for, there is a ?.
Menu / Submenu | Description
---|---
SIM Info |
(sub level 1) |
EF-FPLMN |
EF-ICCID |
EF-OPLMNAcT |
EF-HPPLMN SEARCH PERIOD |
EF-MSISDN |
EF-3GPP MAIL BOX DIALING NUMBER |
EF-ACCESS CONTROL CLASS |
EF-OPERATOR PLMN LIST |
EF-ACTING HPLMN |
EF-ADMINISTRATIVE DATA |
EF-RAT MODE |
EF-LOCI |
EF-GPRS/PS-LOCI |
PDP Context Info | (List) Packet Data Protocol (PDP) Context (in GPRS), see http://developer.nokia.com/community/wiki/PDP for details of PDP
APN | Access Point Name: Connection setting
IPv4 | IPv4 address of the access point to connect to
GSM Cell Environment | [UMTS only] 2G/2.5G information
GSM RR Info |
DTX Used | ?
RR State |
Rx Quality Sub |
RR Mode |
RR Sub State |
Serving Rx Level |
DRX used |
RR Status |
Rx Quality Full |
GSM Cell Info |
GSM Serving Cell |
(sub level 3) |
C1 Value |
RSSI |
ARFCN | Absolute radio-frequency channel number
Cell ID | http://en.wikipedia.org/wiki/Cell_ID Gather MCC, MNC, LAC and go http://opencellid.org/ to see where you are at
Mobile Allocation |
(sub level 4) |
ARFCNs | (List)
HSN |
C2 Value |
BSIC | ? bits
MA Dedicated ARFCN |
Neighboring Cells | (List)
GPRS Information |
Priority Access Threshold | ?
SI13 Location | ?
Ext Measurement Order |
Access Burst Type | ?
DRX Timer Max | ?
Network Operating Mode | ?
PBCCH Present |
Count LR |
Packet PSI Status |
PFC Supported | ?
Cell Reselect Hysteresis |
Count HR |
Packet SI Status |
Network Control Order | ?
T3192 Timer | http://www.rfwireless-world.com/Terminology/GSM-timers.html [milliseconds]
UMTS Cell Environment | [UMTS only] 3G information
Neightbor Cells |
Active Set | (List)
Detected Set | (List)
Monitored Set | (List)
UMTS Set | (List) The only one I have anything listed
Scrambling Code | Your "identifier" in the cell. See UMTS Quick Reference - Scrambling Code for more info
RSCP | Received signal code power: The number on top left of your screen. See UARFCN below.
Energy Per Chip | EcNo: RSCP divided by RSSI. See Some GSM, UMTS and LTE Measurement Units for details about RSCP and EcNo.
UARFCN | See UMTS RR Info below. In this set one of the cells has the same scrambling code as UMTS RR Info has. That cell has the exact same RSCP that is displayed as your received signal strength.
Virtual Active Set | (List)
GSM Set | (List)
HSDPA Info |
Version |
Primary HARQ Process |
Sub Frames |
Secondary HARQ Process |
Carrier Info |
UMTS RR Info | Information of the Radio Relay (cell tower) who is serving you
UARFCN | UTRA Absolute Radio Frequency Channel Number: The channel number you're currently at. Decimal number, see http://niviuk.free.fr/umts_band.php for listings of bands.
BLER | Block Error Rate (my phone displays nothing here)
Cell ID | http://en.wikipedia.org/wiki/Cell_ID Gather MCC, MNC, LAC and go http://opencellid.org/ to see where you are at
RRC State | See UMTS RCC States (my phone displays nothing here)
Downlink Frequency | (my phone displays nothing here)
Scrambling Code | Your "identifier" in the cell. See UMTS Quick Reference - Scrambling Code for more info
Uplink Frequency | (my phone displays nothing here)
Ciphering | (my phone displays nothing here)
Transmit Power | (my phone displays nothing here)
MM Info | [UMTS only]
Serving PLMN | Public land mobile network information
Location Area Code | LAC (decimal): http://en.wikipedia.org/wiki/Location_area_identity
Routing Area Code | ?
PLMN Sel Mod |
Mobile Network Code | MNC (decimal): http://en.wikipedia.org/wiki/Mobile_country_code
Mobile Country Code | MCC (decimal): http://en.wikipedia.org/wiki/Mobile_country_code
Service Type | ?
Process PS |
MM Sub State |
MM State |
MM Service State |
Attach Reject Cause |
Process CS |
MM Sub State |
MM State |
MM Service State |
LU Reject Cause |
Equivalent PLMN List |
Process CO |
MM State |
MM Service State |
Neighbor Measurements | [LTE only]
E-ARFCN |
Version |
Neighbor Cells List | (List)
(sub level 2) |
Measured RSSI |
Ant 0 Sample Offset |
Physical Cell ID |
Ant 0 Frame Offset |
Average RSRP |
Average RSRQ |
Ant 1 Frame Offset |
Srxlev |
Ant 1 Sample Offset |
Measured RSRP |
Frequenct Offset | Typo? Frequency Offset
Measured RSRQ |
Qrxlevmin |
Connected mode LTE Intra-frequency Measurement | [LTE only]
Detected Cells | (List)
Measured Neighbor Cells | (List)
Serving Filtered RSRQ |
Serving Physical Cell ID |
Subframe Number |
Serving Filtered RSRP |
E-ARFCN |
Serving Cell Info | [LTE only]
Download Bandwidth |
Freq Band Indicator | The frequency band you're at. See UARFCN for exact frequency. See http://niviuk.free.fr/umts_band.php for listings of bands and frequencies. Short list:
Download Frequency |
Num Tx Antennas |
UARFCN | UTRA Absolute Radio Frequency Channel Number: The channel number you're currently at. Decimal number, see http://niviuk.free.fr/umts_band.php for listings of bands and frequencies.
Tracking Area Code | TAC
Cell Identity | LCID of the serving cell
Physical Cell ID | http://en.wikipedia.org/wiki/Cell_ID MCC, MNC and TAC is the exact location where the serving cell is located.
Upload Frequency |
Upload Bandwidth |
Reselection Candidates | [LTE only]
Version |
Serving Cell ID |
Serving EARFCN |
Reselection Candidates List | (List)
Serving Cell Measurements | [LTE only]
Measured RSSI |
Qrxlevmin |
P_Max |
Max UE Tx Power |
Version |
S Non Intra Search |
Physical Cell ID |
Average RSRP |
Measurement Rules |
Average RSRQ |
Serving Layer Priority |
Srxlev |
Measured RSRP |
Num of Consecutive DRX Cycles of S < 0 |
Measurement Rules Updated |
Measured RSRQ |
E-ARFCN |
S Intra Search |
Please help me complete this (at least all the good stuff). If you find something incorrect or missing, please drop me a comment.
My Weather Station setup
Monday, January 26. 2015
As you already know, I love all kinds of gadgets. When it comes to weather, simply having a reading of outside temperature isn't nearly enough for me. I've had a weather station running for a while, but now that I connected into the on-line world, it's time to publish my setup.
The unit I'm running is a WS2357 from La Crosse Technology. They say it's a "Pro family" product, but still is very affordable. I paid 150,- € for mine. On the link there's all the tech specs, but it is your basic unit having temperature, pressure, humidity measurements indoors and outdoors. Also for outdoors, there are wind direction and speed meters and a rain gauge. It is mainly battery powered and data from outside to inside can be transmitted either wirelessly (that's how I do it) or with a wire. Apparently the max. length for the wire would be 20 meters, which exceeds my setup. But for a wireless transmission, the limit is 100 meters. It works well through house walls.
This is what the outdoors temp, humidity, pressure unit looks like:
This is the "central unit" of outdoors. The size is surprisingly small, but it still holds 2 AA-sized batteries and RJ-11 connectors for wind, rain and indoors. When installed outdoors, it comes with a rain cover which also should insulate it from direct sunlight. This small box is battery powered, but as I never want to climb to my roof to change the batteries, I drilled a small hole for an electric cord, which I soldered into the battery contacts. On the other end of the cord I have a 3,3 VDC transformer acting as a battery.
I'm not happy with the temperature measurement, it reacts too fast when sun starts to shine on it. A properly ventilated cover would do better job. In my previous unit this wasn't an issue.
The rain gauge looks like this:
How this operates is very simple. At the bottom of the funnel, there is a small seesaw. When there is enough weight (in form of water) at the seesaw, it will tilt. This empties a cup on the other end and makes the seesaw tilt to the other direction. As it is known exactly how much weight is needed for the action to take place and the area of the unit's intake, it is possible to calculate the amount of water that has rained on that particular area and extrapolate that into WMO specs. On the minus side of the rain gauge, it had zero installation brackets. I ended up gluing it into a metal T-bar connected to my setup.
This is the wind gauge:
With this one I have no complaints. It is very sensitive and seems to give accurate enough readings. Once when weather turned from +2 into -4 it froze for a couple of days. As there was very little wind, the wind direction didn't change at all. Normally wind direction is a scattercloud, but in this instance wind direction was fixed. The problem was solved when wind picked up. So, it wasn't that bad.
This is how my entire setup looks like as installed:
The temperature gauge could be couple of meters higher just to make sure, it wouldn't pick up any extra heat from the roofing on sunny days. I did do some measurements and that could give a boost to my outside temp readings if there is no wind at all.
To get the unit connected into on-line world, I created an account at Weather Underground. I'll transmit the readings from the unit there. To hook the unit up into my Linux-box, I had to run a lengthy cable between the indoors unit and my computer. I lucked out with the protocol, as it is RS-232. I simply cut the cable at the D-9 -connector, and soldered an extension cord of 17 meters. The pin ordering is as follows:
The rule-of-thumb max. length for 2400 bps data rate is 60 meters (according to this table), so my cabling worked out perfectly.
For the software at Linux-end I went for Open2300. It is an open-source set of tools to extract necessary information from my station and publish them to The Net. I'm using a simple cron-job for it:
# Weather Underground update
*/10 * * * * ~/Open2300/wu2300 ~/Open2300/lacrosse.conf
On the Wunderground-end I had major issues. First it didn't receive any of my transmissions. It kept insisting "INVALIDPASSWORDID|Password and/or id are incorrect", which wasn't true. I knew exactly what the password was. After couple of hours, it started working. I'm guessing their data receiving front-end gets the new accounts in batches, and they are nowhere near real-time.
When my data started flowing, the web-front said:
... which was more than funny. If it wasn't getting any readings, why it says that the most recent one was received a minute ago.
After solving all these minor glitches I was real happy with this setup. Now my station participates in a community of 60k stations all over the world. Also I can check what's the weather like while still keeping my eyes on my precious computer.
HOWTO: Build a Proper LAN with Copper Ethernet Cabling
Wednesday, January 21. 2015
Having a reliable LAN is an essential part of your Internet connection. Going for a wireless solution is fast to build (pretty much plug and use), but as everybody is running one nowadays, the 2,4 GHz band is getting crowded. It is possible to go 5 GHz which is less crowded, has more capacity and is less prone to be blocked by your household microwave oven sending noise to 2 GHz band.
The only real option is to use the wireless toys for mobile devices and tablets, but use old fashioned wired connections for real computers. The catch is, that it is pretty difficult to build and costs more than your average Wi-Fi access point.
Part 1: Planning
What is needed for LAN-build:
- Cabling:
- Lots of it! I rolled over 130 meters of siamese copper cable into my project.
- With siamese cable I get two Ethernet connections on one cable.
- Patch panel:
- This is the other end of the line. Typically placed into server room or rack.
- Here is the one I got.
- RJ-45 wall sockets:
- This is where you connect your equipment into. I used twin-sockets for twin-cabling.
- The recommendation I had was to go for LexCom 250 (apparently same as Actassi here). I couldn't use them in my project as they had very long delivery time. They were bit more expensive too, but I'd have gladly paid for them if only I had gotten any.
- I went for ABB FOT6208 which were easily available. I later learned, that they are not so handy to install as LexCom would be.
- Ethernet switch:
- That will distribute your LAN into every wall socket.
- Any gigabit Ethernet switch will do, even the cheapest ones.
- I got a HP 1910-24G. It has management via web in it and a fan. When running, the fan makes noise, but I'm placing it in a dedicated room inside a rack, so I need it to function at all temperatures.
- (optional) 19" Rack:
- This is handy for the patch panel and switch. A small 4-5 U telco-sized rack will do.
- This is the one I got.
- Cable routing plan:
- An idea where you can route the cables and where to place the wall sockets.
- Lastly:
- Basic cabling skills and lot of enthusiasm.
- Typical environments will require drilling holes, cutting cables and combing the twisted pairs out of them.
- To hide the cables in rooms, I used plastic cord cover. On tight corners I drilled hole into it and used a screw. The cover I used is self-sticking, but I know from experience, that the glue won't stand the test of time. Ethernet cable is quite heavy for any sticker to carry.
All that should cost less than 1k €.
Part 2: Implementation
I started by drilling couple of holes for the cable. Then I attached the wall sockets into drywall:
This is what my siamese cabling looks like:
That's your basic 4 twisted pairs in a cable. In the middle of the cable there is a plus-shaped plastic filler. It makes the cable flex a little bit better. Ethernet cabling shouldn't have too tight corners anyway, but it's a different story to lure the cable through ceiling or wall if it doesn't give way at all.
My sockets and RJ-45 connectors are ABB FOT6208 toolless:
It is quite easy to hook one up:
I used T568A pin-to-pair assignment. You can notice that from the connector pic. The colour coding of cables match the upper row at the connector.
My siamese cabling had text on one of them. It was possible to identify the other pair when connecting. See how it contains the amount of meters rolled out:
At the patch panel I have Krone connectors:
A specific tool is required to make the cabling stick:
Even though a single cable is quite thin, the connection is robust. This is how the patch panel will look like when all the pairs have been connected:
I always tested every connection before proceeding:
When confirmation was made, that the connection would work ok, it was time to put the wall socket together:
That was it. It was just about repeating the same thing for every cable and wall socket.
Part 3: Wrap-up
Was it worth it? Absolutely!
Now I have properly functioning gigabit Ethernet in every room at the house. It works so much better at high speeds than any Wi-Fi I've ever tested.
A colleague really loved my home LAN. He said, that not all businesses have installation of that scale:
"The most overkill home LAN installation"
- Thomas C.
Adding capacity to Samsung Story USB-drive
Saturday, December 13. 2014
To make sure my data is properly protected, I keep a habit of lifting off monthly backups from my NAS to an external drive. I have couple of Samsung Story USB-drives dedicated for that purpose. This worked nicely for many years until I hit the brick wall. My combined monthly backup didn't fit the capacity of 1,5 TiB. It sure would be nice to have a "shingled" 8 TiB drive for that kind of storage, but unfortunately they are not available yet. See article New “Shingled” Hard Drives Hold Terabytes For Pennies A Gig.
In case you don't know what a Samsung Story drive is, it looks like this:
What I did was to pop the hood of my Story-drive to see what it had eaten. Very simple setup indeed, I went to a nearby store and got replacement 3 TiB WD Green drives (WD30EZRX).
Here is how the process goes. First pop the hood:
Quirk warning! The aluminium hood is held in place by 4 pieces of T9 Torx screws. The quirk here is, that T9 is not a common size. If you go to an average store, you'll find them having the smallest size of T10 (which is too big for this). Even my Apple repair kit doesn't have a T9, it has T8 and T10 pieces. I've taken apart Nokia phones, and they tend to have weird Torx-sizes, that's why I also have a kit which has T 4, 5, 6, 7, 8, 9 and 10. So, your biggest hurdle is to find a T9 somewhere.
When you have the aluminium cover removed, it'll look like this:
I included a blow-up of the warranty void -disclaimer sticker. I don't think Story drives have been manufactured for a while, so the warranty should be void anyway. Un-surprisingly, inside the box there is a Samsung 3,5" HD-drive, a HD154UI. Under the aluminium hood you will also find a plastic bracket. It just fills up the space making the actual drive fitting nicely and not moving. The bracket has a total of 8 plastic tabs holding it in place. I simply pushed one pair simultaneously from both sides, and I was able to lift the plastic holder up a bit. Then I just moved my fingers to the next pair and it moved more. The plastic thingie will look like this:
When the plastic bracket is gone, you can simply lift the drive upwards. It is held in place only by some rubber tabs, but the drive is essentially loose at this point:
Beware, that the S-ATA to USB -adapter (JMicron) is connected to the front-panel with a wire. That acts as a power on/off -switch for the entire thing. There are 4 wires in the connector, but I think only 2 of them are in use:
It is a pretty common connector and comes off easily by simply pulling it. The next thing is to remove the S-ATA / USB -converter -thingie from the drive. It is attached by a single #1 Phillips screw:
After the screw is gone, the entire converter-board will come loose from S-ATA -connector. Now that you have the hard drive almost completely stripped of all extra goodies, the last thing is to remove the rubber tabs and the kind-of-screws that hold them in place:
The rubber tabs or "pillows" come off by simply pulling them off from the sides. The metal "poles" are another story. They look like #1 Phillips, but the alloy they're made of is of poor quality. You can assume that a screwdriver isn't the primary tool here. I actually used pliers to turn them loose. Now everything is removed from the Samsung-drives, it's time to go big:
Just put the 4 metal screws back, fix the S-ATA / USB -converter board, attach the power-switch -cable, the rubber tabs and put the drive back to its place. Like this:
After attaching the aluminium cover, it was a moment of truth. Does it still work? I plugged the power-cable and USB-cable back and went to my Linux:
kernel: usb 3-1.2: new high-speed USB device number 5 using xhci_hcd
kernel: usb 3-1.2: New USB device found, idVendor=04e8, idProduct=5f06
kernel: usb 3-1.2: Product: Samsung STORY Station
kernel: usb 3-1.2: Manufacturer: JMicron
kernel: usbcore: registered new interface driver usb-storage
kernel: scsi 9:0:0:0: Direct-Access Samsung STORY Station PQ: 0 ANSI: 2 CCS
kernel: sd 9:0:0:0: [sde] Very big device. Trying to use READ CAPACITY(16).
Looked really good! Checking to see what my new drive had out-of-the-box:
# parted /dev/sde print
Error: /dev/sde: unrecognised disk label
Model: Samsung STORY Station (scsi)
Disk /dev/sde: 3001GB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:
It had nothing. Full of zeros. Not even a partition table. I launched parted and went for GPT and a new Btrfs partition:
# parted /dev/sde
GNU Parted 3.1
Using /dev/sde
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel gpt
(parted) mkpart "Backups" ext2 17.4kB -1
Warning: You requested a partition from 16.9kB to 3001GB (sectors
33..5860531215).
The closest location we can manage is 17.4kB to 3001GB (sectors
34..5860531215).
Is this still acceptable to you?
Yes/No? yes
Warning: The resulting partition is not properly aligned for best performance.
Ignore/Cancel? i
(parted) quit
Information: You may need to update /etc/fstab.
Continuing with setup:
# ls -l /dev/sde*
brw-rw----. 1 root disk 8, 64 Dec 8 23:07 /dev/sde
brw-rw----. 1 root disk 8, 65 Dec 8 23:06 /dev/sde1
# mkfs.btrfs /dev/sde1
Btrfs v3.17
See http://btrfs.wiki.kernel.org for more information.
Turning ON incompat feature 'extref': increased hardlink limit per file to 65536
fs created label (null) on /dev/sde1
nodesize 16384 leafsize 16384 sectorsize 4096 size 2.73TiB
Looking perfect! The JMicron thingie could handle all of the new capacity, Linux saw the USB-converter nicely:
# mount /dev/sde1 /mnt/usb/
# df -k /mnt/usb/
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sde1 2930265588 16896 2928139456 1% /mnt/usb
Cool! Really big numbers for capacity. Now I can manage with these for a couple of years more.
Unboxing iPhone 6
Tuesday, October 21. 2014
My iPhone 4S spent a while in the bottom of the lake. It worked under water and I got it out, dried it, and it seems to work. Apparently something is short-circuiting as it doesn't stay turned off for more than a second. Mostly it does work, but I wanted a new one and went for an iPhone 6. It is impossible to get one without queueing for weeks. So, I put my order to Apple's on-line store and waited the weeks and then the TNT-guy dropped the thing at my door. Nice! New toys!
It looks like this in a box:
The phone is wrapped into plastic and there is the Apple-tab at the end:
In the box there are also charger, Lightning USB-cable and ear-plugs/headphones (I don't much like them):
The first idea that comes to my mind, is that "darn it's light!". Because the phone is much lighter than 4S. It is a much bigger phone, but still so light. Nice! Here's the comparison:
One thing I had to do was to drive to my telco's store and get my SIM-card changed. 4S eats micro-SIMs, but this one wants a nano-SIM. Darn! There is the traditional Apple SIM-slot in the side:
Finally I got the first smoke out of it:
I chose to go for iTunes, but it didn't like me:
Crap! That's really not encouraging to see that kind of message. My solution was to un-plug it and try again. It worked! I got to the point where it was possible to set up the phone from my previous backup:
Yet another cold shower. It really paid off to upgrade into iOS 8.1! NOT!
The solution was to set the phone as a new and do an upgrade:
After iOS 8.1 was running, I did a full reset to the phone and tried the iTunes restore-thing again. This time everything was ok. The restore ran much faster than on 4S. I have over 10 gigs of stuff to restore. Finally:
Nice! The screen is much bigger, and restore did place my icons to their original locations. That sure looks funny on a much bigger screen!
Now that the phone was running, it was time to look at some bonus things. I got a Vaja case for it:
That should protect the very expensive phone (unless dropped into a lake).
Plugging cords is not nice in an office environment, so I normally sync and charge my stuff with a Lightning-dock. It was visible in a couple of earlier pics, but here are more:
My choice is Macally charge & sync dock Designed for Lightning iDevices and it works nicely on my iPad too:
They don't sell those in Europe for reason unknown to me. I guess it has something to do with electricity. As I ordered mine from US, it has an US transformer in it. Luckily a dock doesn't need electricity for anything, and charging fully works from my PC.
Ok, enough accessories, back to iPhone 6. It's a darn good one. It has to be the best iPhone so far! It does well on Carat battery statistics, they don't actually give out the results, but it was the best of iPhones in that. There are some results in a Finnish newspaper article. On top of that, the screen (although it is too big) is really good, camera is good and the thing runs apps very fast. I totally recommend getting one!
Asus mobo BIOS upgrade loses Intel RAID-configuration
Monday, October 20. 2014
One of these days, I went to see if my motherboard has a newer BIOS. It had, and since I had not upgraded the BIOS after building my PC, I chose to go for upgrade.
This is one of the newer model PCs. You download the file, put it into a FAT-32 formatted USB-stick. Reboot the computer and enter UEFI-setup screens. One of them has an option to display the contents of the USB-stick and load the file, upgrade the BIOS and ... reset the settings and reboot. Wait a minute! Did I just say reset the settings? Yes.
Guess what happened to my Intel Rapid Storage Technology RAID-1 -setup.
Crapper! I didn't see that one coming. Now I remember again why I typically don't use motherboard "fake" RAIDs. Also, by the looks of it I wasn't alone with this: RAID1 changed to AHCI after BIOS update. Also, somebody with a Dell computer was experiencing something similar in the Intel's own discussion boards: Raid 1 rebuild with Rapid Storage Technology. I checked the manuals Intel® Rapid Storage Technology (Intel® RST) User guides, but didn't see anything that would help. Self-help seems always to be the best option anyway.
I turned the S-ATA mode back to RAID:
... but trying to re-create the RAID-1 volume seemed a bit dangerous:
The part where it says "Warning: All data on selected disks will be lost" kind of gets my attention. I didn't want to go that way.
Booting to Windows worked. Looks like drive(s) don't have any headers and if necessary, can act as a single drive:
Naturally when Windows sees two drives instead of one, it means that there is no RAID. To get this one fixed I started the Intel Rapid Storage Technology user interface. It has the option to create a RAID volume on RAID-ready drives:
More importantly, it has the possibility of not erasing data on a single disc:
When accepted, the rebuild process starts. It will migrate data for hours:
When it finishes, there will be only one drive left:
As the end result, the BIOS was upgraded, RAID-1 was rebuilt and I was happy again. All it took was 6 hours of rebuild time and a lot of stress!
New features to curcfg_tool [Failure]
Sunday, October 19. 2014
The original post about curcfg_tool.
So I decided to add a couple of new features to my tool. However, neither of them works.
Asiantuntijakaveri-blog introduced a hack to run commands on boot: Persistent customizations to Huawei B593u with stock firmware. I added a feature to do that:
./curcfg_tool -rc "update-westerneurope.huaweidevice.com ; /upgflash/init.d/rc.local" -w
The flaw is in the httpupg-command startup. It takes the server address from curcfg.xml, but it doesn't escape it properly. This makes it possible to piggy-back any command on it. The thing is, that in my B593, the automatic firmware upgrade does not run automatically. I can go trigger it manually. At that point it runs my script I created at /upgflash/init.d/rc.local. My hope was, that system would run it automatically on bootup, but it doesn't.
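The piggy-backing described above is possible whenever a configuration value is pasted into a shell command line. The following added example (not Huawei's firmware code and not part of curcfg_tool) shows the check a firmware could apply to the configured upgrade server and an argv-style launch that involves no shell; the function names and the argument layout of httpupg are assumptions.

```c
/* Added example, not Huawei firmware code; function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST_LEN  253   /* whole host name, RFC 1035 */
#define MAX_LABEL_LEN 63    /* one dot-separated label */

static int is_ascii_alnum(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Return 1 if s is a plain DNS host name, else 0. Space, ';', '/', '$',
 * backticks and quotes fail because they are not in the allowed set. */
int is_valid_upgrade_host(const char *s)
{
    size_t len = s ? strlen(s) : 0, i, label_len = 0;

    if (len == 0 || len > MAX_HOST_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label_len == 0 || s[i - 1] == '-')
                return 0;           /* empty label, or label ending in '-' */
            label_len = 0;
        } else if (c == '-' && label_len == 0) {
            return 0;               /* leading '-' would read as an option */
        } else if (c == '-' || is_ascii_alnum(c)) {
            if (++label_len > MAX_LABEL_LEN)
                return 0;
        } else {
            return 0;               /* everything else, shell syntax included */
        }
    }
    return label_len > 0 && s[len - 1] != '-';
}

/* Build an argv for an execv()-style launch so the host is passed as one
 * argument and no shell parses it. Returns 0, or -1 if the value is refused. */
int build_upgrade_argv(const char *host, const char *argv[], size_t argv_len)
{
    if (argv_len < 3 || !is_valid_upgrade_host(host))
        return -1;
    argv[0] = "httpupg";    /* command name from the post */
    argv[1] = host;         /* argument position is an assumption */
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[3];
    /* Constructed inputs: a bare server name and the value from the post. */
    const char *good = "update-westerneurope.huaweidevice.com";
    const char *bad = "update-westerneurope.huaweidevice.com ; /upgflash/init.d/rc.local";

    printf("good: %s\n", build_upgrade_argv(good, argv, 3) == 0 ? "accepted" : "refused");
    printf("bad:  %s\n", build_upgrade_argv(bad, argv, 3) == 0 ? "accepted" : "refused");
    return 0;
}
```

Validation and the shell-free launch cover each other: the allow-list stops a tampered configuration value early, and the argv form means a value that slipped through would still be a single argument rather than a second command.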
Another thing I added was NTP-server change. I don't know where the list comes from, in my case it is completely ridiculous. However, the source for information is not from curcfg.xml. For example:
./curcfg_tool -ntp1 ntp.dnainternet.fi -ntp2 fi.pool.ntp.org -w
... doesn't change anything. The new servers don't appear in the list in the GUI, nor does the system update time from them.
Crap! Both attempts failed miserably. Please drop me a comment if you have anything to add to those ones.
iOS 8 upgrade on iPhone 4S
Saturday, September 20. 2014
Being an old geezer, I typically upgrade my iPhone firmware via USB-cable. Wireless users need to wait for the upgrade to happen, USB-people simply plug the cable and go. Also it is a very robust method and fewer things will go wrong than doing it wireless. Yeah, right!
So I plugged my phone in. Made sure, that I had latest iTunes version running and that a recent backup was made. Then, DÄNG!
Yeah. Crap! The iPhone could not be updated. An unknown error occurred. Really? Is it possible to be more vague? Next to frustration, the next thought that goes through my mind is: "Did I brick it!!! Is it still salvageable?".
Quite soon I had a positive signal:
Phew! iTunes announced, that the device is in recovery mode. Somewhere before it actually started the process, there was a question "Do you want to upgrade software and restore backup?" In reality it was a non-question, pretty much the only choice was "Ok". Looks like I didn't manage to get a screenshot of that.
The actual recovery process took a very long time. At the time I didn't realize, that it wasn't a "recovery" by definition. It was a simple iOS install. The next thing iTunes said was:
I'm not sure if this is part of the iOS 8 kill-switch -procedure or is that a regular thing to gain Internet access via 3G, but the installation refused to continue before I had successfully entered the PIN-code for my SIM-card. Then iTunes was ready to start restoring my precious data to the device:
At Apple there is a known reality distortion field, making a nice guesstimate of 3 minutes for the restore time. After 15 minutes, the best guesstimate was less than 1 minute. Nevertheless, I really had nothing else to do but to wait for the restore to complete. Finally it said:
Oh yes!! I didn't brick it after all. I simply took the long route to the end.
It really wasn't worth the update. The only really noticeable thing is the voice button in messaging and the fact, that it drains my battery much faster than my previous iOS 7 did. But who would have guessed that would happen, or ... iOS 7.1 makes everything faster — including your battery drain @ 9to5mac.com. So, does that really happen every time they release an upgraded iOS-version?
Introducing curcfg_tool: Utility to make changes to your configuration
Tuesday, September 16. 2014
As I have promised a number of times to a number of people, here it finally is! The first version of my tool to alter your B593 configuration. With this tool you can change admin passwords for web GUI and SSH to something of your liking. It does not (yet) convert plaintext passwords into encrypted ones, but it successfully writes the changes to flash, thus making them permanent.
Prerequisites
- Huawei B593 u-12
- Access to your box for running commands, telnet/SSH are really good options for this
- While at Busybox sh prompt, internet connectivity via the mobile interface (4G/3G/2G)
Getting the tool
The MIPS32 binary version suitable for running at your B593 is at http://opensource.hqcodeshop.com/Huawei%20B593/curcfg/latest. The C source code is also available at: http://opensource.hqcodeshop.com/Huawei%20B593/curcfg/
- Log into your box
- (recommended) Change into directory /upgflash/
- Download the binary into your box:
wget -g -v -l curcfg_tool -r "/Huawei%20B593/curcfg/latest" opensource.hqcodeshop.com
- As you can see, Busybox has a mighty quirky wget!
- Anyway, that command will download the tool from the above URL and place it to the current directory with local name curcfg_tool.
- Also note, that your box must have a functioning Internet access for download. The only other viable option is via FTP-hack. The environment is very limited and file transfers are restricted heavily.
- Make sure, that the file is executable:
chmod a+x curcfg_tool
Running the tool
Now that you have the thing sitting there, run it:
# ./curcfg_tool
Usage:
-V - Print version information
-cw <base64 encoded web gui password> - set password
-cs <base64 encoded SSH password> - set password
-w - write changes to flash (default: don't write)
-fi <file name> - input file (default: read from flash)
-fo <file name> - write changes (default: /tmp/flashinfo.bin)
An example of resetting the web-GUI password would be:
# ./curcfg_tool -cw f5338SA1kb4= -w
Read data: addr = 0xe00000, len = 0x4 ...
Begin write to file
Export done
Reading 25785 bytes of config
Read data: addr = 0xe00000, len = 0x64bd ...
Begin write to file
Export done
Writing 25785 bytes of config
/tmp/flashinfo.bin size = 25790 Bytes
Read file done
Begin write to flash
Load file done
The magical Base64 encoded 3-DES encrypted string f5338SA1kb4= is "admin" in plain text. After a reboot (just say reboot at prompt), you can login into your web-GUI and change the password into something of your liking.
What next?
That's pretty much it as of now. If you don't like your operator designated passwords, you can change them.
How do I ...
- ... see what my current password is:
You cannot. Encryption key is not known for pre-SP100 firmware and SP100+ firmware is using double encryption with 3-DES and AES and entire flow of information is not yet known.
- ... access the prompt of my box:
See B593_exploit.pl for details.
- ... access the prompt of my box, but I have SP100+ firmware and don't know any of my passwords:
You cannot. Yet. Currently known exploits have been fixed preventing access.
However, in this case the real question seems to be: "How did you get your box running in the first place?"
- ... run the B593_exploit.pl -tool, my Perl isn't working:
You may want to install all CPAN-modules the script requires. Also skip the Windows and use a proper computer.
u-12 pre-SP100 exploits in a single tool
Monday, September 15. 2014
I created a new tool to obsolete the classic B593cmd.pl ping-exploit tool. I wrote that one almost a year ago to run any commands on your B593. That could be used to lift IPtables restrictions or get your sshusers.cfg contents.
Now that Mr. Ronkainen found out that pre-SP100 firmwares have another flaw, which is much simpler to exploit, I wrote a tool to combine both of them into a single package.
Neither one of these works in SP100+ firmwares, but not to worry! They have SSH-port open for full access anyway. So ... getting an SP100+ firmware into your box should be your target anyway. This tool can help you gain access to your box.
The B593_exploit.pl tool is at http://opensource.hqcodeshop.com/Huawei%20B593/exploit/latest.pl. In the top of the file there is a list of Perl-modules it requires to run. You will get the complaints, if any are missing. Usage:
./B593_exploit.pl --help
Usage: B593_exploit.pl
--help|-h This help
--run-cmd Run a command: pre SP-100 ping-exploit
to run any command via web-console
--telnet-login Login via telnet: lift IPtables firewall from telnet and login
Ping-exploit -mode
This is the classic. Run example:
./B593_exploit.pl --run-cmd 192.168.1.1 admin "iptables -nL INPUT"
A couple of bugs have been fixed, it should be more robust and it has a --debug -mode in it.
Telnet-exploit -mode
This is the newer one. Run example:
./B593_exploit.pl --telnet-login 192.168.1.1
Attempt 1 telnetting to 192.168.1.1
BusyBox vv1.9.1 (2012-03-01 14:00:34 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# iptables -nL INPUT
Ok. It's not a full telnet-client like you'd expect a regular telnet to be. This emulates one with Perl's Term::Readline, so your vi won't work, nor will tab-based command-line completion. However, it has enough power in it to allow you to run commands and display contents of the files or fiddle with your IPtables.
In my next post I'm about to release a tool for editing and storing values of your curcfg.xml. This is a prerequisite, getting to the prompt and running stuff on the prompt is a must-have.
Is Apple iPhone screen size really too small?
Friday, August 29. 2014
The common consensus is that the iPhone screen is too small. For example a Finnish journalist wrote (article is in Finnish), that "Soon iPhone will suit me too". Everybody is expecting a bigger-screen iPhone to be released. I've had enough and will blog about that.
I'm saying, that the iPhone screen-size is pretty good and doesn't need to grow much bigger. I'm agreeing what Tim Cook says Apple struck on right screen size with iPhone 5. Currently 4S and 5S -sized phones fit into everybody's pocket. Example:
Image courtesy of iClothing.
Or in a Wired review Samsung Galaxy Note - Big Phone, Big Hassle:
Image courtesy of Wired
If that doesn't look ridiculous, then I don't know what does. That's the direction you want to go by crying "too small screen" all the time!
Let's study history a bit. In May 2014 Apple Insider had an article Before Apple's iPhone was too small, it was too "monstrously" big. Yeah, that's right! There is evidence, that the screen size was never just the right size. Still a number of studies show, that people are not happy with current screen sizes. Example:
In this article How would you feel if the iPhone 6 didn't have a bigger screen?
"I can say my iPhone usage has decreased over time because it's just too small for me now"
- Chris Parsons
Or example 2:
People want their next phone to have a big-a** screen, survey says
Or example 3, Sales of those ridiculously big phablets are way up:
Phablets Will Outnumber Tablet Sales Three To One By 2018
So, pretty much everything is in line with people screaming to have bigger screens for their mobile appliance. How about a reality check. ZDnet has a review of best tablets (Top Android tablets (April 2014 edition)), their list is:
- Samsung Galaxy Tab PRO 10.1
- EVGA Tegra Note 7
- Amazon Kindle Fire HD
- Amazon Kindle Fire HDX
- The Google Nexus 7
Or Amazon Best Sellers in Tablets:
- Kindle Fire HD 7", HD
- Apple iPad Mini 16GB
- Apple iPad Mini 16GB
- Apple IPAD AIR WI-FI
- Cheapest Android KitKat
- Apple Silver IPAD AIR WI-FI
- Kindle Fire HD 7"
- Apple 7.9-inch iPad Mini Retina
- Apple IPAD AIR WI-FI 32GB
- Asus Google Nexus 7
Now there is a pattern. People want something that has a 7" screen. The ZDnet top-5 has only one 10" tablet, and in the Amazon list #4, #6 and #9 are all iPad Airs with a 10" screen. Everything else is 7".
It looks like iPhone has too small screen, because it is not 7". Feel free to say I'm wrong, but I think general consensus has it wrong. They're expecting iPhone to be something that it isn't.
Supermicro IPMI BIOS upgrade fail [Solved!]
Sunday, August 24. 2014
I tried to upgrade my Supermicro SuperServer 5015A-EHF-D525 IPMI BIOS to have the Heartbleed fixed in it. It failed on me. Badly. When I run:
lUpdate -f SMT_316.bin -i kcs -r y
The not-so-friendly response is:
If the FW update fails,PLEASE TRY AGAIN
update part 0, the size is 0x800000 bytes
Transfer data ................
40K bytes 1%ERROR !! BMC did not in correct state
ERROR:SEND "ReceiveFWData" COMMAND TO BMC FAILED
It looks like Supermicro's Linux upgrade tool is the culprit. It enters BMC upgrade mode, starts pushing bits to FlashROM, and then segfaults. I tried a couple of BIOS-versions, but to make things worse, I was going from version 2.x to 3.x and there was no downgrade possibility anymore. The BMC was semi-conscious, but it really couldn't do much. For example, it didn't have a proper MAC-address, and its networking was effectively out of play.
The worst part of this failing upgrade is, that to get the BMC upgrade mode disabled, you need to pull the plug. If there is electricity connected to the machine, the BMC will stay on.
Update:
Also the ipmitool bmc reset cold helps.
Luckily, there are a couple of options for accessing the BMC directly from OS-side. One of them is IPMItool, but it didn't yield any results. The BMC was stuck somehow. Same story with manufacturer's IPMICFG.
I was almost going to give up on this and was planning to RMA it to Supermicro support in Netherlands. Then a newer version of IPMI BIOS was released and I attempted to upgrade into it. Same story, Linux utility crashes badly causing havoc. As the last move, I USB-booted the hardware into DOS-mode. There is a flash-utility in their ZIP-file for DOS. IT WORKED!! How lucky was that!
The new BIOS-version was sane, it knew its own MAC-address and started operating properly. I was so happy!
Who would have thought, that DOS was abandoned almost 20 years ago, and it once more saves the day.