Friday, November 25, 2011

How to get Push notifications working properly on your iPhone.

Push notifications (as used by the Facebook app, or Find My iPhone) rely on valid, unique certificates stored on the iPhone and tied to that particular iPhone's unique device identifier. Apple's servers hand these certificates out when a phone is first activated through iTunes, and again when the first app that uses push notifications is run. A “hack-tivated” iPhone never went through that exchange, so it has no valid certificates. The result is that Push does not work, the iPhone quickly drains its battery as it keeps contacting Apple's servers with invalid certificates, or both. To get valid certificates, you have three choices:
  1. Get valid certificates using “Push Doctor” from Cydia. A guide is available here: http://www.redmondpie.com/fix-push-notifications-on-iphone-3.1.3-hacktivated-unlocked-9140492/. I have had great success with this method, and am very grateful to them for giving out valid certificates for free. Unfortunately it is becoming increasingly rare to find valid certificates on the server to grab. You will get an error during the installation if there are none left; you can check before you start by going to http://www.cmdshft.ipwn.me/blog/?p=791 and checking the “remaining” counter on the left hand side.
  2. You can also pay for valid certificates using PushFix. First pay the $6 at the PushFix website here: http://www.pushfix.info/purchase, and then install PushFix from Cydia using the guide here: http://www.pushfix.info/forum/viewtopic.php?f=4&t=39. I have had mixed results with this method. Although I did get valid certificates on my iPhone and thus Push notifications worked, the battery began to drain very quickly. I have my suspicions that the certificates handed out by PushFix are not unique, causing the iPhone to keep retrying the Apple Push servers until it gets a response, which is especially shitty considering they are charging money for them.
  3. The other option is to return the iPhone to a pre-activated state and get an official activation, and thus Push certificates, by using iTunes to activate it. In the next post, I'll outline just how to do that.

How to restore an iPhone that is stuck in DFU/recovery mode


I was given an iPhone 3GS on iOS 4.3.3, baseband 6.15.00, that needed a restore to wipe the user's data before it was resold. As many of you reading this know, you can't just click "Restore" in iTunes on a jailbroken or unlocked iPhone: iTunes will restore the latest iOS, removing the unlock and the jailbreak from the device. So I put the device into DFU mode and attempted a manual restore (ctrl-click or alt-click on "Restore" in iTunes) of a 4.3.3 firmware. I then went off for a cup of tea. Unfortunately, when I returned, the iPhone's screen was black and iTunes was reporting an error. It wouldn't even charge from a wall adapter. The phone was also unresponsive to a hard reset (hold down the Home and On/Off buttons for 15 seconds). The "Exit Recovery" button in TinyUmbrella didn't work, and I had no SHSH blobs for the iPhone saved locally. However, it did show up as an "iPhone in recovery mode" in iTunes. After a good bit of trial and error, I finally got it working again. The thing to understand is that iTunes will only restore a firmware that Apple's signing server (or something standing in for it) signs for this phone's ECID, which is why the steps below revolve around the ECID and previously saved SHSH blobs.
  1. First off, you will need the iPhone's ECID. On the Mac, click the Apple logo in the top left corner, then “About This Mac”, “More Info”, and then “System Report”. Click on “USB” in the left-hand list and then on the iPhone. Look for “ECID”; the number should be beside it. (You may need to have the iPhone in DFU mode for this number to show up.)
  2. Fire up TinyUmbrella. Click on “Manual ECID” and enter the one you got from the previous step. Click on the newly added iPhone on the left and then “Save ALL SHSHs”. The log should tell you whether it found any previously backed-up SHSH blobs on the Cydia server. If it doesn't, you may be able to use iFaith to recover the current SHSH blob from the iPhone.
  3. If TinyUmbrella does find an SHSH blob on the server, it will save it to your local drive. If you click on the iPhone on the left, under the General tab you should see a list of firmwares for which SHSH blobs have been saved. Make a note of one that you wish to restore your iPhone to.
  4. Download the corresponding firmware for your iPhone off the internet (Google is your friend). If you wish, use PwnageTool to customise the firmware to your liking (unlock your phone, etc.).
  5. Go back to TinyUmbrella and click on “Start TSS Server”. This makes TinyUmbrella answer iTunes' signing requests with the saved SHSH blob(s) instead of letting them reach Apple.
  6. Open iTunes. On the iPhone page, alt-click (or ctrl-click) on “Restore” and select your firmware. Follow the instructions. If you have TinyUmbrella open in the background, click on “Log” and you should see iTunes requesting the SHSH blob and TinyUmbrella returning it.
  7. If during the restore you get a “10xx” error in iTunes, use TinyUmbrella to kick the phone out of recovery mode.
  8. Congratulations, the phone should be working now. If the phone needs to be jailbroken, activated or unlocked at this stage, you can use redSn0w along with the firmware file.
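As an added example (not from the original post), a small shell script that takes the manual work out of step 1: it pulls the ECID out of the USB serial string that a DFU-mode iPhone exposes, which is the same string System Report shows, and prints it in both hex and decimal, since restore tools differ in which form they expect. The layout of the sample text, and that `system_profiler SPUSBDataType` prints such a line, are assumptions; the sample itself is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Pulls the ECID out of the USB
# serial string a DFU-mode iPhone exposes. SAMPLE_USB_REPORT is constructed to
# look like the "Serial Number:" line that `system_profiler SPUSBDataType`
# prints on a Mac; the exact field layout is an assumption about that output.

# extract_ecid_hex: reads text on stdin, prints the hex ECID with leading
# zeros stripped. Prints nothing and returns 1 if no ECID field is present.
extract_ecid_hex() {
    hex=$(sed -n 's/.*ECID:\([0-9A-Fa-f]\{1,16\}\).*/\1/p' | head -n 1)
    [ -n "$hex" ] || return 1
    # Normalise: upper-case and drop leading zeros so values compare cleanly.
    hex=$(printf '%s' "$hex" | tr 'a-f' 'A-F' | sed 's/^0*//')
    [ -n "$hex" ] || hex=0
    printf '%s\n' "$hex"
}

# ecid_hex_to_dec HEX: the same ECID as a decimal string. Tools accept one
# form or the other; mixing them up yields blobs for a phone that does not exist.
ecid_hex_to_dec() {
    printf '%d\n' "0x$1"
}

# Constructed sample shaped like a system_profiler entry for a phone in DFU.
SAMPLE_USB_REPORT='iPhone:
      Product ID: 0x1227
      Vendor ID: 0x05ac  (Apple Inc.)
      Serial Number: CPID:8920 CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:000001A2B3C4D5E6 IBFL:01 SRNM:[XXXXXXXXXXX]'

main() {
    hex=$(printf '%s\n' "$SAMPLE_USB_REPORT" | extract_ecid_hex) || {
        echo "no ECID found; is the phone actually in DFU mode?" >&2
        return 1
    }
    echo "ECID (hex): $hex"
    echo "ECID (dec): $(ecid_hex_to_dec "$hex")"
}

main
```

On a real Mac, source the file and run `system_profiler SPUSBDataType | extract_ecid_hex` with the phone in DFU mode; whichever form you paste into TinyUmbrella, the blobs it fetches must carry that same ECID or the restore will fail at the signing step.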

Saturday, April 30, 2011

Recovering an Xbox 360 from a bad NAND flash

Many moons ago, I bought an Xbox 360 cheap that I was hoping to hack to play homebrew games on. A hack had been discovered for the Xbox 360 (the "JTAG hack") that allowed it to run unsigned code. However, Microsoft released a software update that permanently blocked this hack and stopped consoles from being downgraded to an earlier, hack-friendly software version. They did this using "eFuses", developed by IBM and built into the 360's Xenon CPU. IBM had originally developed eFuses as a way to "reroute chip logic, much the way highway traffic patterns can be altered by opening and closing new lanes". The idea was that a chip could fix speed or power consumption issues by simply blowing a fuse, or more impressively, "repair unexpected, potentially costly flaws".

Microsoft, who had one of the first implementations of this technology, had a more sinister use for eFuses. Microsoft "blows" eFuses after a significant software/kernel update. This prevents hackers from downgrading to a previous version of the Xbox OS and exploiting its bugs: the console's boot-time security checks rely on the state of these eFuses, so try to run an older software revision than the fuses indicate and those checks fail. Therefore only Xbox 360s with kernel version 2.0.7371.0 or below could be exploited with the JTAG hack.

So if I just don't update the software on my JTAG-hacked Xbox 360, I'll be fine, right? No, unfortunately it's not that simple. I wanted to play the new Portal 2 on the Xbox, but when I tried to run it I just got a blank screen. After reading up a bit, it turns out that newer games require the newer software/kernel/dashboard on the Xbox; the newest at the time was dashboard version 12625. I can't update the dashboard, as that will blow the eFuses and thus break my JTAG hack, so what to do?
Well, as it turns out, another hack was discovered a while ago called a "re-booter". Put simply, this lets you run the latest dashboard while still keeping your JTAG hack. The current incarnation of it is a piece of software called "Easy Freeboot 5.10". So to get your JTAG-hacked Xbox running the latest dashboard, you will need to do the following:

 First off, you will need to stop Microsoft from being able to blow the eFuses. This is done by removing a resistor labelled R6T3 on the motherboard, which supplies the power used to burn the eFuses, or by disabling it as shown in the image. Do this before anything else: a blown fuse cannot be un-blown.
 
Then upgrade the dash by following the guide here:
http://www.instructables.com/id/How-to-JTAG-your-Xbox-360-and-run-homebrew/

...until you get to step 6. Instead of doing that step (where you put an older dashboard on the Xbox), download a program called Easy Freeboot 5.10. This program creates a NAND image with the newest dashboard on it (it will only run on Windows Vista/Windows 7). You will need your CPU key and your original NAND dump for this. Once you have created your newNAND image, flash it onto the Xbox using the command:

nandpro lpt: -w16 newNAND.bin

(taken from the instructables guide). Because of the speed of the parallel port, it usually takes anywhere between 30 and 90 minutes to flash the Xbox.

Overall, it's not too difficult, just a bit of work. The only really important step is to make sure that you get a good NAND dump before you write the replacement: the original dump is what Easy Freeboot builds from, and it is your only way back if anything goes wrong. You should then have the latest dashboard on your Xbox 360.


Except that, the first time around, it didn't work for me. Because of a bad flash (probably caused by a loose cable and moving the Xbox while it was being flashed), the contents of the NAND were corrupted. When I tried to turn on the Xbox, it wouldn't even power up. I knew I needed to reflash the NAND chip, except that now it wasn't being recognised by nandpro at all. According to this guide, I needed to reset the NAND chip. Unfortunately, after numerous attempts, I could not get either method in the guide to work. In the end, I tried running the erase command:

nandpro lpt: -e16 0 400 

over and over again while plugging in the Xbox 360, hoping to catch the NAND chip just as it was powering up. After another couple of attempts it recognised the chip and began to erase it. Then it was simply a case of flashing the newNAND image to the Xbox again with the command:

nandpro lpt: -w16 newNAND.bin

When it was done, I unplugged the Xbox for a minute, put it all back together, turned it on, and was greeted by the new dashboard splash screen. Portal 2 also ran without any issues.
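As an added example (not from the original post or the instructables guide), a shell script covering the two points above that the post leaves as manual steps: checking that the "good NAND dump" really is good, by reading the chip twice and accepting the pair only if both reads are the expected size and byte-for-byte identical, and the erase-retry trick, as a bounded loop rather than re-typing the command by hand. `nandpro lpt: -r16 <file>` is assumed to be the read counterpart of the `-w16` write and `-e16` erase commands used in the post; the test files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Validates a NAND dump by reading
# it twice and comparing, and wraps the "erase until the chip answers" trick
# in a loop. nandpro's -r16 read flag is assumed from its -w16/-e16 usage.

EXPECTED_NAND_BYTES=$((16 * 1024 * 1024))   # 16 MB small-block NAND

# file_size FILE -> size in bytes (POSIX wc -c, no GNU stat needed)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# dumps_agree FILE1 FILE2 EXPECTED_BYTES
# Return codes: 0 = good dump, 2 = missing file, 3 = wrong size, 4 = reads differ
dumps_agree() {
    f1=$1; f2=$2; want=$3
    for f in "$f1" "$f2"; do
        [ -f "$f" ] || { echo "missing dump: $f" >&2; return 2; }
        got=$(file_size "$f")
        [ "$got" -eq "$want" ] || { echo "$f is $got bytes, expected $want" >&2; return 3; }
    done
    # cmp reports the first differing offset: scattered differences point at a
    # flaky cable, a difference only near the end at a truncated read.
    cmp "$f1" "$f2" || return 4
    return 0
}

# dump_nand_twice OUTPREFIX -> reads the chip twice and validates the pair.
# Only keep OUTPREFIX-1.bin as your "original NAND" once this returns 0.
dump_nand_twice() {
    prefix=$1
    nandpro lpt: -r16 "$prefix-1.bin" || return 1
    nandpro lpt: -r16 "$prefix-2.bin" || return 1
    dumps_agree "$prefix-1.bin" "$prefix-2.bin" "$EXPECTED_NAND_BYTES"
}

# erase_until_seen MAX_TRIES
# Re-issues the post's erase command while you power-cycle the console, for
# the case where the chip only answers if caught during power-up.
erase_until_seen() {
    tries=0
    while [ "$tries" -lt "$1" ]; do
        tries=$((tries + 1))
        echo "attempt $tries of $1: plug the console in now" >&2
        if nandpro lpt: -e16 0 400; then
            return 0
        fi
    done
    return 1
}

# Usage (needs the LPT cable wired up and nandpro on PATH):
#   dump_nand_twice original && cp original-1.bin original-nand-KEEP.bin
#   erase_until_seen 20 && nandpro lpt: -w16 newNAND.bin
```

The size check matters as much as the comparison: a read that stops early because of a cable glitch can still be identical to another read that stops at the same place.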

Tuesday, August 10, 2010

Unbricking a Belkin Wireless Router

I have been doing a good deal of messing with OpenWrt the last few weeks, trying to get a better grasp of embedded Linux and Linux in general. I have had good success in the past installing and modifying OpenWrt on FON and Linksys routers. However, I had some issues trying to install it on my cheap and cheerful Belkin F5D9230 router. First, I tried to install it by uploading the firmware image for the Airlink router (they have similar hardware) following the guide here:


  • 1) Go to the router config page (ex. https://192.168.2.1/), log in, and then go to ver.htm (ex. https://192.168.2.1/ver.htm).
  • 2) Set firmware header checking to 0, apply, and wait for it to reboot.
  • 3) Use the firmware upgrade page to upload the OpenWrt firmware intended for the Airlink AR525W (ex. openwrt-rdc-squashfs-ar525w.img). Do not use the -web.img version.
  • 4) OpenWrt should be working after it reboots. 
Unfortunately, this did not work. So then I cracked open the router and soldered some jumper wires onto the serial header on the router's motherboard. This allowed me to access the router's console using my trusty Nokia serial cable. The connections were as follows:
[   ] [RX   ] [       ] [       ] [TX   ]
       [GND1] [GND2] [Vcc1] [Vcc2]

The settings are 38400 baud, 8N1, no flow control. Using this, I was able to view the router's boot sequence:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05


...and so on. From here I could see that it uses RedBoot as its boot environment. Restarting the router again, I got a RedBoot prompt by pressing Ctrl+C (there is only about a one-second window, so you have to be fast). In the serial console I typed:
tftpd
Then on the laptop I flashed it with OpenWrt Kamikaze (8.09.2, r18961) using the openwrt-rdc-squashfs-ar525w.img TFTP method outlined here. It booted up fine and everything worked except wireless. It turned out that the Kamikaze 8.09 kernel had very little support for the wireless chipset in the Belkin router. So I flashed a newer OpenWrt Backfire 10.03 image instead. But this firmware would not even boot properly:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05

# Activate RDC-Keilven's RS232 Patch V2
RedBoot> @
** Error: Illegal command: ""
RedBoot>
# Kernel size = 851936 bytes
# FW size = 2686980 bytes

# fwcheck: base = 0x00400000, size = 0x00000400
# Firmware Checksum O.K
# Kernel copying......BEGIN
# Kernel copying......FINISH

mem_size: 1000000


...and then it would hang. It turns out there is a bug in the compiled version of OpenWrt for devices that use the RDC processor, which includes the Belkin F5D9230 v4. At this stage I gave up, because I really needed this router working for the home network, and as things stood it was bricked: I could not get it working at all. So I set about putting the original Belkin firmware back onto the router.
This was not as straightforward as it sounds. For starters, there was no web interface, so I could not upload an official Belkin image downloaded from their website. Secondly, when I tried simply to TFTP the official image over to the router, RedBoot would balk:

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05

# Activate RDC-Keilven's RS232 Patch V2
RedBoot> 0^C
RedBoot> ^C
RedBoot> ^C
RedBoot> ^C
RedBoot> tftpd
# Dante's tiny tftpd is ready......
WRequest from 192.168.1.100: [f5d9230-4v3_uk_3.01.53.bin, octet]

# Error: invalid magic


What the duck does "invalid magic" mean? It must relate to the magic number used in the header of a file to identify what type of file it is. After having a wee think about this, I figured RedBoot must be doing some kind of check on the firmware before it writes it. Delving a bit deeper, it turns out that the official Belkin firmware file has some extra header information in front of the raw image, and the raw image is what RedBoot's tftpd expects; strip the header off and the rest goes through. So I did the following in the terminal on the laptop:

dd if=input.bin of=output.bin bs=1 skip=X count=Y

Where X is the number of bytes to drop from the beginning of the file, and Y is the number of bytes to copy after that (leave count out to copy everything up to the end of the file).

Suppose you have a binary file 100 bytes in size and you want to remove the first 10 bytes and the last 5 bytes, obtaining an 85-byte output. X will be 10 and Y will be 85 (= 100 - 10 - 5). You can find the file size with a simple "ls -l" or "wc -c". In our case, we wish to remove the first 8 bytes of the file. Then TFTP over the edited file as normal:
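As an added example (not part of the original post), the header-stripping step as a shell function that checks its own result before the file goes anywhere near the router: the input must actually be larger than the header, and the output size must match the arithmetic above, with a hex view of the first bytes so you can see the magic number move to the front. The 8-byte header is the figure the post found for this Belkin image and is passed in as a parameter; the sample file in `main` is constructed, not a real firmware.

```shell
#!/bin/sh
# Added example, not part of the original post. Strips a fixed-size header off
# a firmware image with dd, then verifies the result. The 8-byte header is what
# the post found on the Belkin F5D9230-4 download; it is a parameter here, not
# a universal constant. The sample built in main() is constructed, not a real image.

# file_size FILE -> size in bytes (POSIX wc -c, no GNU stat needed)
file_size() { wc -c < "$1" | tr -d ' '; }

# strip_header IN OUT SKIP [COUNT]
# Copies IN to OUT minus its first SKIP bytes. With COUNT, stops after COUNT
# bytes so trailing bytes are dropped as well; without it, copies to EOF.
# Returns 1 if IN is not larger than the header, 3 if dd failed, 2 if the
# output size is not what the arithmetic says it should be.
strip_header() {
    src=$1; dst=$2; skip=$3; count=${4:-}
    insize=$(file_size "$src")
    [ "$insize" -gt "$skip" ] || { echo "$src: only $insize bytes, cannot skip $skip" >&2; return 1; }
    if [ -n "$count" ]; then
        dd if="$src" of="$dst" bs=1 skip="$skip" count="$count" 2>/dev/null || return 3
        want=$count
    else
        dd if="$src" of="$dst" bs=1 skip="$skip" 2>/dev/null || return 3
        want=$((insize - skip))
    fi
    got=$(file_size "$dst")
    [ "$got" -eq "$want" ] || { echo "$dst: got $got bytes, expected $want" >&2; return 2; }
    return 0
}

# head_hex FILE N -> first N bytes of FILE as lowercase hex, to eyeball the
# magic number before and after stripping.
head_hex() {
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

main() {
    work=$(mktemp -d)
    # Constructed stand-in: an 8-byte wrapper header followed by the payload.
    printf 'WEBHDR01FWIMAGEPAYLOAD' > "$work/f5d9230.bin"
    echo "before: $(head_hex "$work/f5d9230.bin" 8)"
    strip_header "$work/f5d9230.bin" "$work/f5d9230-edit.bin" 8 || return $?
    echo "after:  $(head_hex "$work/f5d9230-edit.bin" 8)"
    rm -rf "$work"
}

main
```

For a real image, run `strip_header f5d9230-4v3_uk_3.01.53.bin f5d9230-4v3_uk_3.01.53-edit.bin 8` and compare `head_hex` of the edited file against what RedBoot's tftpd accepted; `bs=1` is slow on a 2 MB file but it is the form the post uses and keeps the byte arithmetic obvious.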


+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05



# Activate RDC-Keilven's RS232 Patch V2
RedBoot> ^C
RedBoot> ^C
RedBoot> ^C
RedBoot> ftfpd
** Error: Illegal command: "ftfpd"
RedBoot> tftpd
# Dante's tiny tftpd is ready......
WRequest from 192.168.1.100: [f5d9230-4v3_uk_3.01.53-edit.bin, octet]

# Firmware Checksum O.K
# DFLASH: SRC=0x00400000, DST=0xFFC00000, LEN=0x0022A520
# Decide to use AMD/Fujitsu Standard command set.
# MFG ID = 0x007F, DEV ID = 0x22F6
Flash size = 4 MB
# Erasing...................................
# Writing...................................
# Finishing successfully...
# Firmware Upgrade Finished, and shotdown the TFTPD......
RedBoot> reset


And lo and behold, after restarting, the router worked. I have the edited firmware file available if anyone wants it.

Monday, July 26, 2010

Repairing an Apple iPhone 2G that won't charge

I received an iPhone the other day that would not charge. My first thought was that the logic board had been fried by a dodgy charger, since I had come across a similar problem before.
However, something different was going on in this case: whenever the phone was turned on, Apple's "I need to charge" screen (see pic) came up. When plugged into a charger, it said that it was charging. However, no matter how long it was left charging, the battery only ever held a charge for a few seconds.
Two things could cause this: a dodgy battery that cannot hold a charge (unlikely, as that would be a very gradual problem, and this iPhone suddenly couldn't hold a charge), or the white wire that monitors the temperature of the battery during charging was broken, making the iPhone refuse to charge the battery. Sure enough, after opening it up, this was the problem: the white wire had broken off the comms board. I didn't have my trusty Weller soldering iron with me at the time, so I set about soldering the wire back on with a cheap $10 fire-starter iron. Of course, I got solder all over the pad and the shielding on the comms board. So, feeling quite lazy, I tried to remove the excess solder from the shielding with a small pair of wire snips.

Good Idea? ->Bad Idea.

The force of the snips had caused the white-wire solder pad on the comms board to break off, leaving nowhere to solder the wire onto. I opened up my own iPhone to try to trace where the pad led on the board and find a new pad I could solder to, to no avail. After much cursing and swearing, I finally found some information on the net about the pad. As the board is multi-layered, the only place that the pad's trace seems to resurface is at the connector between the comms board and the logic board. The bad point? The pitch of the connector was very small, and there was no redundancy, i.e. manufacturers will often carry a signal across several connector pins that I could solder to; in this case there was only one. So I removed some of the shielding with my Dremel tool and, with a careful hand, soldered some wire-wrap wire onto the pin. I did accidentally short a neighbouring pin to it with solder, but with careful use of a sharp Stanley blade I separated them again (I had tried solder braid to remove the short, to no avail). So I powered up the iPhone, tried charging it for a while, and was delighted to see that it was charging again.

White Pad circuit, secondary point

Apple Rant: Function follows Form?

I'm not an Apple fanboy per se, but when I first tried the iPhone when it came out, I was pretty impressed. Here was the first touch-screen phone that did not feel gimmicky, did not require a stupid stylus, looked... well, class, felt even nicer, and was really, really easy to use. So when I spotted a broken 16GB one on eBay, I jumped at the chance to buy and repair it.

Unfortunately, as a hardware geek, there are one or two issues I have with the phone. One is that the touchy-feely "real" glass on the screen is notorious for cracking when the phone is dropped. I have repaired about four phones where this happened, and in each case it wasn't even dropped from a great height. Secondly, the glass, touch digitiser and LCD are glued together and cannot easily be separated. This means that if one element breaks (i.e. the glass), the whole expensive assembly has to be replaced. This was lazy hardware design by Steve Jobs and Jonathan Ive, IMHO. Any portable device with a touch screen has a tough time keeping dust from getting between the layers. The iPod Touch had a rubber bezel around the two layers to do just that. Nokia phones have a foam inlay to do the same. Why couldn't the iPhone be the same?
Thankfully, later versions of the iPhone separated out the layers similarly to the iPod Touch. However, Apple went back to old habits with the iPhone 4. This led to the much-publicised "yellow spots" appearing on the screen, caused by the glue not curing properly before shipping. From all the hassle and complaints Apple receives due to their glue addiction, you would assume they would learn their lesson. Unfortunately, I think not. From the strain-relief grommets on their MagSafe chargers that don't do any strain-relieving, to the notorious antenna issues of the iPhone 4, Apple will continue to give preference to design over hardware function. This is an Apple problem that will not go away any time soon.

Tuesday, July 20, 2010

Installing an SD card (MMC) on your Fonera router

I'm a big fan of Linux: the embedded stuff, not the Ubuntu crap you spend three months configuring before you can use the interwebs and that's marginally better than Winblows for ease of use. So when OpenWrt released "Backfire", i.e. version 10.03, I was pretty excited. I had used a few versions before this, from 7.0 onwards, and was pretty happy with the results, except for one or two points. Version 8 wouldn't boot on my Belkin router due to an RDC processor-related bug, and I couldn't get it to support MMC (SD cards) on my Fonera router. Having the additional storage on your router is useful for cracking networks, installing additional packages such as a file server, web server, etc. That last problem has been solved with the new release, which I will outline here.

Fonera 2100 Router
Serial Pin-out for Fonera
First off, you will need to install OpenWrt on your Fonera. There are countless guides for doing this on the net, so here is another. You will need to build a serial cable. The easiest way is to go onto eBay and buy yourself a Nokia DKU-5 data cable. This cable was used back in the day to hook a Nokia phone up to a PC, and to do that it level-shifts the PC's RS-232 Tx and Rx lines (anywhere from ±3 V to ±15 V) down to the 3.3 V TTL the phone uses. Thankfully, that is exactly the level we need to talk to the router. A guide to modifying the cable for our use is available here. You will just need three wires: GND, Tx and Rx. Connect them up to the Fonera as shown here. Fire up your terminal program (HyperTerminal on the PC, ZTerm on the Mac, or minicom or PuTTY on Ubuntu) with the settings 9600 baud, 8N1, no flow control. When you power cycle the Fonera, you should be greeted with a load of text output from the Fonera starting up. If not, try swapping the Tx and Rx lines. I have also had problems with the Fonera not booting properly when the serial cable is connected: try leaving the serial cable disconnected for a second or two after you power cycle, and then connect it up again.



Once you have serial working, use the OpenWrt flashing guide available here: http://wiki.openwrt.org/toh/fon/fonera (scroll down to near the end). Note that for the "fis create" step, I had to use:

fis create -l 0x006D0000 rootfs

...due to the size needed for the Backfire root filesystem.
Larsens MMC Hardware setup (given in link)
Now you have OpenWrt installed on your router. Next you need to wire an MMC card up to the general-purpose input/output (GPIO) pins on the router. A guide is available here. Just follow the hardware steps: I left the resistors in and only removed the capacitors.
When you have that done, go to the web interface at 192.168.1.1 and enable wireless. Select client mode, save and apply the settings, then scan for wireless networks and connect to your local wireless internet. Then go to Network > Interfaces > WAN and add "wifi0" as your WAN connection with DHCP as the protocol. If you reboot the router, it should connect to your local wireless network. Go back to your terminal and check that the device has reached the internet by pinging Google:

ping www.google.com

You should get a response. Now go to the Software tab under Administration and click on "update packages". Then install the luci-app-mmc-over-gpio package; this should pull in all the required dependencies. Reboot the router (type "reboot" in the terminal window or power cycle) and go to the newly available "MMC" tab under Administration. Click "enable", leave the other values alone, save, and reboot the router again. In your terminal, OpenWrt should boot normally. Leave it for an additional minute or two. At the end, you should see something like:

gpio-mmc: Failed to request mmc_spi module.
mmc_spi spi32766.0: ASSUMING 3.2-3.4 V slot power
mmc_spi spi32766.0: SD/MMC host mmc0, no DMA, no WP, no poweroff
gpio-mmc: MMC-Card "default" attached to GPIO pins di=1, do=3, clk=4, cs=7
mmc_spi spi32766.0: can't change chip-select polarity
mmc0: host does not support reading read-only switch. assuming write-enable.
mmc0: new SD card on SPI
mmcblk0: mmc0:0000 SU128 120 MiB
 mmcblk0: p1

If you look in /dev, you should see new mmcblk0 and mmcblk0p1 nodes. The latter is the first partition found on the MMC card (assuming you formatted the card correctly: I stuck it in a Windows machine and formatted it FAT32). From the guide available here, you will need to install some packages in the terminal:


opkg update
opkg install kmod-fs-vfat kmod-nls-cp437 kmod-nls-cp850 kmod-nls-iso8859-15
 
Now, create a folder to mount the MMC card in your /mnt folder:  

mkdir /mnt/mmc

Now, mount the MMC card and hopefully you will get no errors:

mount /dev/mmcblk0p1 /mnt/mmc

Congrats! You now have plenty of additional (albeit a bit slow) external storage. (I did get an unknown char error when I first tried to mount, but after I installed kmod-nls-iso8859-1, I think it was, it worked fine.) This extra space will be handy for running Aircrack-ng to hack wireless networks and for other uses.
Handy post: https://forum.openwrt.org/viewtopic.php?id=21590&p=1
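As an added example (not from the original post), the mount step from the procedure above wrapped in a shell function with the checks you want on a box with no screen: the partition node must exist, the kernel must actually know the vfat filesystem, and a failed mount must say which package to install rather than leaving you guessing, which is the "unknown char" situation mentioned above. The device and mount point default to the ones used in the post; `/proc/filesystems` and `/proc/mounts` are standard Linux interfaces, so this runs on OpenWrt or any other distribution. It is my code, not OpenWrt's or the guide's.

```shell
#!/bin/sh
# Added example, not from the original post. Mounts the SD/MMC partition with
# pre-flight checks and useful failure messages. Defaults match the post.

MMC_DEV=${MMC_DEV:-/dev/mmcblk0p1}
MMC_MNT=${MMC_MNT:-/mnt/mmc}

# fs_supported NAME -> 0 if the kernel has NAME built in or loaded as a module
fs_supported() {
    [ -r /proc/filesystems ] && grep -q "[[:space:]]$1\$" /proc/filesystems
}

# already_mounted MNT -> 0 if something is mounted on MNT
already_mounted() {
    [ -r /proc/mounts ] && grep -q " $1 " /proc/mounts
}

# mount_mmc DEV MNT
# Return codes: 0 mounted (or was already), 2 device node missing,
# 3 vfat not available, 4 mount itself failed.
mount_mmc() {
    dev=$1; mnt=$2
    [ -b "$dev" ] || {
        echo "$dev: no block device; card not detected yet? check dmesg for mmcblk0" >&2
        return 2
    }
    fs_supported vfat || {
        echo "vfat not available: opkg install kmod-fs-vfat" >&2
        return 3
    }
    mkdir -p "$mnt"
    if already_mounted "$mnt"; then
        echo "$mnt is already mounted"
        return 0
    fi
    # The post mounts read-write; add -o ro here for a card whose contents
    # you would rather not risk on a flaky GPIO bit-banged bus.
    if ! mount -t vfat "$dev" "$mnt"; then
        echo "mount failed; a charset/codepage error means a kmod-nls-* package" \
             "(cp437, iso8859-1 or iso8859-15) is missing" >&2
        return 4
    fi
    return 0
}

# Run as `sh mmc.sh mount` on the router; sourcing the file only defines the functions.
if [ "${1:-}" = "mount" ]; then
    mount_mmc "$MMC_DEV" "$MMC_MNT"
fi
```

Drop the script into /etc/init.d or call it from rc.local once it behaves, and check the return code rather than the output: a 2 right after boot usually just means the bit-banged SPI bus has not finished probing the card yet, so wait the extra minute the post mentions and try again.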