Posted about 4 years ago
CPU: MediaTek MT7621AT, a ramips-based SoC with 2 cores
RAM: Winbond W632... (too small to read ;)
Flash: 128 MByte NAND, Winbond W29N01HVSINF
WiFi: 802.11ax with an MT7915DAN (2T2R 2.4 GHz, 2T2R 5 GHz) + MT7975DN
Posted over 4 years ago
I was asked to take a look at a Supermicro server that had been damaged by a firmware update.
It was a Supermicro X10DRW-IT. The BIOS update had been attempted from USB storage but failed somewhere along the way.
After powering the system on, it went like this:
On with all fans for 5 sec
Off for 5 sec
On with all fans for 5 sec
[..]
However, the IPMI controller (BMC) still seems to boot through and is not cut off from power the way the rest of the
mainboard is, but it no longer accepts any BIOS update.
As preparation I read up on the coreboot support for the Supermicro X10SLM+-F [0].
The BIOS chip is hidden under the RAID controller if you have one.
First I had a look at the BIOS flash. To read it out I used a Raspberry Pi 3 with a SOIC-8 clip on the Pi's SPI bus.
Required tools:
Raspberry Pi with Raspbian (apt-get install flashrom)
some jumper wires from the Pi's SPI header to the SOIC-8 test clip
a SOIC-8 test clip (either a cheap one from AliExpress or the expensive, high-quality Pomona 5250 [1])
How to wire the SOIC SPI chip to the Pi is described in [2].
Pin 1 of the SPI chip is the one next to the small dimple on the package.
Make sure both power supplies are disconnected from the mainboard, so nothing on the board drives the SPI bus while the Pi talks to the chip.
sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r bios
sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r bios2
sha256sum bios bios2
# read twice and compare: the checksums must be equal, otherwise the clip contact or the SPI speed is unreliable and you read garbage.
strings -n 16 bios
# try to get some strings out of it; make sure you did not just read 0xff or 0x00 all the way through.
Next I downloaded the Supermicro BIOS update. It contains:
tree .
.
├── DOS
│ ├── AFUDOSU.SMC
│ ├── CHOICE.SMC
│ ├── FDT.smc
│ ├── FLASH.BAT
│ ├── Readme for X10 AMI BIOS-DOS+UEFI.txt
│ └── X10DRW9.B22
└── UEFI
├── Readme for X10 AMI BIOS-DOS+UEFI.txt
├── X10DRW9.B22
├── afuefi.smc
├── fdt.smc
└── flash.nsh
ls -al X10DRW9.B22
-rw------- 1 lynxis users 16777216 Nov 22 16:07 X10DRW9.B22
Sounds good: it is exactly 16 MiB (16777216 bytes), the same size as the BIOS flash. file also tells me what it is.
file X10DRW9.B22
X10DRW9.B22: Intel serial flash for PCH ROM
Great, we have a firmware image with an IFD (Intel Firmware Descriptor).
Now I looked at the BIOS backup we read with the Raspberry Pi.
I used hexdump -C bios to see whether the end of the image contains a long run of 1s (0xff bytes). Why?
Because you cannot write an SPI flash the way you write a hard drive.
SPI flash chips are organised in erase blocks, typically 64 KiB (most chips also support 4 KiB sectors).
A program operation can only turn a 1 into a 0. To turn a 0 back into a 1 you have to erase the whole block, not just that address,
and an erased block reads as all 1s.
So if an update is interrupted, whatever was erased but never programmed again reads as 0xff.
To find out whether we have a half-written flash, we look at the end of the image for a long run of 0xff.
hexdump -C shows it quite nicely (the * line means the previous line repeats up to the final offset):
00c2ee20 4d 50 44 54 00 01 00 00 10 00 00 00 00 00 10 00 |MPDT............|
00c2ee30 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
01000000
This means the update only wrote up to 0x00c2ee30 (about 12.2 MiB of the 16 MiB).
Now we can check the downloaded image at the same offset: maybe configuration data starts here and the area is legitimately empty.
But no, the update image has data there, so the backup is missing some.
Next task: flash the BIOS region. Region? The Intel Firmware Descriptor divides the flash into regions, similar to a partition table on a
hard drive. On this platform there are three regions in use (shown in flashrom's layout-file syntax, start:end name):
00000000:00000fff fd
00400000:00ffffff bios
00011000:003fffff me
fd stands for firmware descriptor
bios is the x86 firmware (UEFI)
me is the Management Engine (on server chipsets also called "Server Platform Services")
To flash only one region you either need a recent flashrom (1.0 or newer, which has --ifd to take the layout from the flash descriptor) or you
extract a layout file with ifdtool (from coreboot). You can also just save the listing above as the layout file.
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -l layout -i bios -w X10DRW9.B22
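The two checks done by hand above (how far the dump was written, and what the descriptor says the regions are) are easy to script, which is worth doing before you write anything back to a chip. The following is an added example, not code from the original post and not ifdtool or flashrom: it locates the trailing run of erased 0xff bytes, checks that the IFD signature 0x0FF0A55A is present at offset 0x10, parses the classic five-entry region table (fd, bios, me, gbe, pd) and prints it as a flashrom layout file. The 16 MiB image it works on is constructed inside the script with the three regions from the listing above; it is not a dump of the X10DRW-IT.

```python
"""Sanity checks for a BIOS flash dump before writing anything back.

Added example, not part of the original post or of flashrom/ifdtool.
Assumptions: the IFD signature sits at offset 0x10 and the classic five
regions (fd, bios, me, gbe, pd) are used; the sample image is constructed
below and is not a dump of a real Supermicro board.
"""
import struct

IFD_SIGNATURE = 0x0FF0A55A
IFD_SIG_OFFSET = 0x10
REGION_NAMES = ["fd", "bios", "me", "gbe", "pd"]


def written_extent(image: bytes) -> int:
    """Offset at which the trailing run of erased (0xff) bytes starts.

    An interrupted update leaves blocks that were erased but never
    programmed, so a dump ending in a long 0xff run is only partially
    written; compare the value with the size of the update image.
    """
    return len(image.rstrip(b"\xff"))


def has_ifd(image: bytes) -> bool:
    """True if the descriptor signature is present where the PCH expects it."""
    if len(image) < IFD_SIG_OFFSET + 8:
        return False
    return struct.unpack_from("<I", image, IFD_SIG_OFFSET)[0] == IFD_SIGNATURE


def ifd_regions(image: bytes) -> dict:
    """Return {name: (base, limit)} for every region the descriptor marks as used.

    FLMAP0 (the dword after the signature) carries FRBA, the region table
    address in 16-byte units.  Each FLREG dword packs the region base in
    bits 0..14 and its limit in bits 16..30, both in 4 KiB units; a base
    above the limit marks an unused region.
    """
    if not has_ifd(image):
        raise ValueError("no Intel Flash Descriptor signature at 0x10")
    flmap0 = struct.unpack_from("<I", image, IFD_SIG_OFFSET + 4)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", image, frba + 4 * idx)[0]
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit:
            regions[name] = (base, limit)
    return regions


def flashrom_layout(regions: dict) -> str:
    """Render regions as a flashrom layout file ("start:end name" per line)."""
    return "".join(f"{lo:08x}:{hi:08x} {name}\n" for name, (lo, hi) in regions.items())


def build_sample_image(size: int = 16 * 1024 * 1024, written_up_to: int = None) -> bytes:
    """Constructed test image (not real firmware): an IFD describing the three
    regions from the text, filler up to written_up_to, erased 0xff after it."""
    if written_up_to is None:
        written_up_to = size
    img = bytearray(b"\xff" * size)
    img[:written_up_to] = b"\x5a" * written_up_to          # stand-in for real content
    frba = 0x40
    struct.pack_into("<I", img, IFD_SIG_OFFSET, IFD_SIGNATURE)
    flmap0 = (4 << 24) | ((frba >> 4) << 16) | (0x30 >> 4)  # NR=4, FRBA=0x40, FCBA=0x30
    struct.pack_into("<I", img, IFD_SIG_OFFSET + 4, flmap0)
    table = [(0x000000, 0x000FFF), (0x400000, 0xFFFFFF), (0x011000, 0x3FFFFF), None, None]
    for idx, region in enumerate(table):
        # base 0xfff > limit 0 marks gbe/pd as unused
        flreg = 0x00000FFF if region is None else ((region[1] >> 12) << 16) | (region[0] >> 12)
        struct.pack_into("<I", img, frba + 4 * idx, flreg)
    return bytes(img)


if __name__ == "__main__":
    partial = build_sample_image(written_up_to=0xC2EE30)    # mimics the hexdump in the text
    print(flashrom_layout(ifd_regions(partial)), end="")
    print(f"written up to 0x{written_extent(partial):08x} of 0x{len(partial):08x}")
    descriptor_erased = b"\xff" * 0x1000 + partial[0x1000:]
    print("descriptor present:", has_ifd(descriptor_erased))  # False: no layout to extract
```

Run it against a real dump by replacing the constructed image with open("bios", "rb").read(). If has_ifd() is false on the dump, ifdtool and flashrom --ifd have nothing to work with and you need the layout from the update image instead; if written_extent() is far below the chip size, the dump is a partial write and not something to keep as a "known good" backup.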
flashrom verifies the write afterwards. But the board still did not work. My next thought was that the IPMI flash might be damaged as well. The SPI flash
of the IPMI is close by, so let's have a look. I was lucky to also have a SOIC-16 test clip available and did the same procedure on the
IPMI flash. However, the flashrom in Raspbian was too old: it did not know this flash chip, so I had to build it myself.
sudo apt install git build-essential
git clone https://review.coreboot.org/flashrom.git
cd flashrom
make CONFIG_ENABLE_LIBPCI_PROGRAMMERS=no CONFIG_ENABLE_LIBUSB1_PROGRAMMERS=no
./flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r ipmi
The dump looks fine so far. Running binwalk on it shows us:
binwalk ipmi
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
103328 0x193A0 CRC32 polynomial table, little endian
1048576 0x100000 JFFS2 filesystem, little endian
4194304 0x400000 CramFS filesystem, little endian, size: 15216640, version 2, sorted_dirs, CRC 0xB1031FF3, edition 0, 8613 blocks, 1099 files
20971520 0x1400000 uImage header, header size: 64 bytes, header CRC: 0x3F1E0DA5, created: 2019-11-15 08:36:11, image size: 1537512 bytes, Data Address: 0x40008000, Entry Point: 0x40008000, data CRC: 0x310498CA, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: gzip, image name: "21400000"
20971584 0x1400040 gzip compressed data, maximum compression, has original file name: "linux.bin", from Unix, last modified: 2019-11-15 07:25:15
24117248 0x1700000 CramFS filesystem, little endian, size: 7458816, version 2, sorted_dirs, CRC 0xF5B9463B, edition 0, 3108 blocks, 466 files
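binwalk recognises the uImage by its magic and prints the CRCs from the header, but it does not recompute them. The following is an added example, not code from the original post and not part of binwalk or U-Boot: it parses the 64-byte U-Boot legacy header (big-endian, as defined in U-Boot's image.h), recomputes both the header CRC and the data CRC, and scans a raw dump for every such header, which generalises the single hit binwalk reports. A matching CRC only tells you the bytes came off the chip intact (a bad clip contact or a too-fast SPI clock shows up here); it is a checksum, not a signature, and says nothing about who built the image. The kernel blob is constructed in the script with the load/entry addresses and name from the binwalk output; it is not the kernel from the real dump.

```python
"""Verify the uImage that binwalk reports in a BMC flash dump.

Added example, not part of the original post or of binwalk/U-Boot.
Assumption: standard U-Boot legacy image header (64 bytes, big-endian,
CRC32 over header with the hcrc field zeroed, CRC32 over the data).
"""
import gzip
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
HDR_FMT = ">IIIIIIIBBBB32s"        # magic hcrc time size load ep dcrc os arch type comp name
HDR_LEN = struct.calcsize(HDR_FMT)  # 64
OS_NAMES = {5: "Linux"}
ARCH_NAMES = {2: "ARM"}
TYPE_NAMES = {2: "OS Kernel Image"}
COMP_NAMES = {0: "none", 1: "gzip"}


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(blob: bytes, offset: int = 0) -> dict:
    """Decode the header at offset and check header and data CRCs."""
    (magic, hcrc, mtime, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack_from(HDR_FMT, blob, offset)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"no uImage magic at 0x{offset:x}")
    header = bytearray(blob[offset:offset + HDR_LEN])
    struct.pack_into(">I", header, 4, 0)           # hcrc is computed with its own field zeroed
    data = blob[offset + HDR_LEN:offset + HDR_LEN + size]
    return {
        "offset": offset,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "size": size,
        "load": load,
        "entry": ep,
        "os": OS_NAMES.get(os_, os_),
        "arch": ARCH_NAMES.get(arch, arch),
        "type": TYPE_NAMES.get(typ, typ),
        "compression": COMP_NAMES.get(comp, comp),
        "hcrc_ok": crc32(bytes(header)) == hcrc,
        "dcrc_ok": len(data) == size and crc32(data) == dcrc,
    }


def find_uimages(image: bytes) -> list:
    """Offsets of every uImage magic in a raw flash dump (what binwalk does)."""
    magic = UIMAGE_MAGIC.to_bytes(4, "big")
    offsets, pos = [], image.find(magic)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(magic, pos + 1)
    return offsets


def build_uimage(payload: bytes, name: str, load: int, entry: int) -> bytes:
    """Construct a gzip-compressed ARM Linux kernel uImage (test data only)."""
    data = gzip.compress(payload)
    header = bytearray(struct.pack(HDR_FMT, UIMAGE_MAGIC, 0, 0, len(data), load, entry,
                                   crc32(data), 5, 2, 2, 1, name.encode("ascii")))
    struct.pack_into(">I", header, 4, crc32(bytes(header)))
    return bytes(header) + data


if __name__ == "__main__":
    kernel = build_uimage(b"\x00" * 4096, "21400000", 0x40008000, 0x40008000)
    dump = b"\xff" * 0x1000 + kernel + b"\xff" * 0x100     # constructed mini "flash dump"
    for off in find_uimages(dump):
        print(parse_uimage(dump, off))
    damaged = bytearray(dump)
    damaged[-0x101] ^= 0x01                               # flip one bit in the last data byte
    print(parse_uimage(bytes(damaged), 0x1000)["dcrc_ok"])  # False
```

On the real dump, call find_uimages() on open("ipmi", "rb").read() and expect the offset 0x1400000 from the binwalk output; a dcrc_ok of False there means the read was bad (re-read and compare hashes) or the flash really is damaged, and either way the dump is not a backup you want to restore.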
That also looks good (a JFFS2 partition, two CramFS images and a uImage kernel, the usual layout of a Linux-based BMC), but I wanted to be sure. So I first made a backup, then overwrote the chip with the image from the IPMI firmware update.
Still no change.
So what's wrong here? Is the power management controller damaged? The power supplies are controlled digitally via I2C. Maybe one of them
is reporting that something is wrong?
Luckily I didn't have an I2C sniffer around, otherwise I would have dug into that.
I had nearly given up when I noticed that ifdtool did not work on the backup file: I had exported the layout from the firmware update file, not from the backup.
Usually firmware updates do not touch the IFD. Server boards seem to be different: the backup contained no IFD at all. It wasn't only damaged at the end but also at the beginning. I'm not sure whether this is a safety feature of the
update: erasing the descriptor first would make sure a partially flashed chip is never recognised as a working image. Booting a half-written image is not a good thing.
I flashed the full BIOS update image, descriptor included, and the board was back. To be safe I also flashed the IPMI backup back onto its SPI chip.
TL;DR: the fast way to recover a partially written BIOS: make a backup first! Then flash the full image. At least for this generation it works. Keep the backup around, since the full image also overwrites the fd and me regions.
Note: depending on your hardware setup (cable length, test clip) you can increase or decrease spispeed, which is given in kHz. spispeed=10000 (10 MHz) should
still be fine. You will notice a wrong spispeed when reading or flashing fails, or when two reads of the same chip differ.
[0] https://doc.coreboot.org/mainboard/supermicro/x10slm-f.html
[1] https://www.pomonaelectronics.com/products/test-clips/soic-clip-8-pin
[2] https://github.com/bibanon/Coreboot-ThinkPads/wiki/Hardware-Flashing-with-Raspberry-Pi
Posted almost 5 years ago
Similar to lolamby's regular posts on his free software contributions, I want to start a similar series.
The big chunk of December I spent together with the GSM team preparing the cellular network at the 36c3 (36th Chaos Communication Congress).
Every year we build our own cellular network using the free software projects osmocom and open5gs. Osmocom is a community project around mobile communication. We used osmocom to run the core network (CN) of our 2G and 3G network.
Open5gs is our LTE CN, which was interconnected with the osmocom CN.
Here is an overview; every bubble is its own daemon.
The 36c3 was a nice testing ground. We had to extend a couple of the services (e.g. osmomsc, osmogsup2dia, osmohnbgw). During the event we
also like to enjoy the congress, so that is our excuse for not upstreaming our patches right away. However, we push our branches as they are to
https://git.osmocom.org. Upstreaming will happen in January.
Posted almost 5 years ago
Last week I visited thomasdotwtf from eventphone, who has a Jura coffee machine.
We took one evening to look into how easy it is to control it from a generic BLE device like a Raspberry Pi.
He has a Jura Z8 automatic coffee machine, which supports an iOS/Android app via Bluetooth LE.
Jura released (at least) two different apps to control it:
pl.mkssystems.juracoffee.household (Jura Coffee)
ch.toptronic.joe (J.O.E.)
Both apps support ordering and changing the properties of a coffee (e.g. how much water do you want, or how much coffee should be in
there?).
mkssystems.pl seems to have gone out of service, but the Internet Archive still has an old version of the site,
which shows a lot of coffee-machine-related products, as well as a small blue device [1].
This is the BlueFrog, a Bluetooth dongle to control Jura coffee machines.
What can you do with the apps?
Configure your coffee
Produce a coffee
Statistics
Firmware updates
How we looked into it:
Bluetooth packet trace: we used Android's btsnoop.log to get a packet trace, which we loaded into Wireshark.
Decompiled the .apk with different tools.
Loaded the decompiled source code into Android Studio.
What we found out:
The J.O.E. application uses XML files to configure itself for the different coffee machines.
The XML defines products (e.g. a coffee, a green tea, ...), their properties (e.g. how much coffee should be produced), statistics and
settings. The article number selects which XML file is used.
There is also a firmware update process, including the update URLs and the new firmware.
We tried to find the commands known from the RS232/serial interface in the Bluetooth packet trace, but there weren't any.
After looking further into the code, we found a lot of UUIDs for characteristics, including human-readable names.
We also discovered an "encryption" method which uses two hardcoded keys plus an additional 8-bit input taken from the BLE advertisement.
The encryption looks like a static key: the two keys ship inside the app and the 8-bit input is broadcast in the clear, so anyone in radio range has the same inputs as the app.
The BLE advertisement carries manufacturer-specific data.
In our case the manufacturer data is 27 bytes long; 16-bit fields are little-endian.
Manufacturer data as hex (27 bytes):
aa 05 06 03 d73a yyyy xxxx 5836 4435 01 c0 00 00 00 00 00 00 00 00 00 00 00
aa: key (the 8-bit input to the "encryption")
05: BlueFrog major version
06: BlueFrog minor version
03: unused (maybe patch version?)
d73a: article number (the specific type of machine)
yyyy: machine number
xxxx: serial number
5836: production date (Feb. 2017)
4435: production date UHCI (does UHCI mean the BlueFrog?) (Oct. 2016)
01: unused
c0: bitmask defining the supported features
The production dates are packed 16-bit values (5 bits day, 4 bits month, 7 bits year since 1990). They can be decoded and validated against the app, which shows them in the connection fragment:
day: i & 31
month: (i & 480) >> 5
year: ((i & 65024) >> 9) + 1990
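The layout above is enough to decode a scan response without the app. The following is an added example, not code from the original post and not from Jura's apps: it walks the AD structures of an advertisement or scan response, picks out the manufacturer-specific entry (AD type 0xff, company identifier first, little-endian), and decodes the 27-byte BlueFrog payload with the field layout and date masks given above. The sample bytes are the ones from the btmon scan response further down (company 171 = 0x00ab), with the AD length/type and company bytes prepended as constructed framing; how the feature bits and the cipher work is not interpreted, since the post does not describe them.

```python
"""Decode the BlueFrog manufacturer-specific advertisement data.

Added example, not part of the original post or of Jura's apps.  Field
layout and date encoding follow the description in the text; the sample
bytes are the btmon scan response from the text with constructed framing.
"""
import struct

BLUEFROG_FMT = "<4B5H2B"   # 16 bytes decoded; the remaining 11 are zero/unused
BLUEFROG_LEN = 27


def decode_date(packed: int) -> tuple:
    """Packed production date: 5 bits day, 4 bits month, 7 bits year since 1990.

    Same masks as the decompiled app: day = i & 31, month = (i & 480) >> 5,
    year = ((i & 65024) >> 9) + 1990.  Returns (year, month, day).
    """
    return (((packed >> 9) & 0x7F) + 1990, (packed >> 5) & 0x0F, packed & 0x1F)


def find_manufacturer_data(ad: bytes):
    """Return (company_id, payload) from the first AD type 0xff entry, or None.

    Advertising data is a sequence of [length][type][data...] structures;
    length counts the type byte and the data, and the manufacturer entry
    starts with the 16-bit company identifier (little-endian).
    """
    pos = 0
    while pos + 1 < len(ad):
        length = ad[pos]
        if length == 0:
            break
        ad_type = ad[pos + 1]
        body = ad[pos + 2:pos + 1 + length]
        if ad_type == 0xFF and len(body) >= 2:
            return int.from_bytes(body[:2], "little"), body[2:]
        pos += 1 + length
    return None


def parse_bluefrog(payload: bytes) -> dict:
    """Decode the 27-byte BlueFrog payload that follows the company identifier."""
    if len(payload) != BLUEFROG_LEN:
        raise ValueError(f"expected {BLUEFROG_LEN} bytes, got {len(payload)}")
    (key, major, minor, patch, article, machine, serial, prod, prod_uhci,
     unused, features) = struct.unpack_from(BLUEFROG_FMT, payload)
    return {
        "key": key,                      # 8-bit input to the app's "encryption", sent in the clear
        "bluefrog_version": (major, minor, patch),
        "article_number": article,
        "machine_number": machine,
        "serial_number": serial,
        "production_date": decode_date(prod),
        "production_date_uhci": decode_date(prod_uhci),
        "features": features,
        "feature_bits": [bit for bit in range(8) if features & (1 << bit)],
    }


if __name__ == "__main__":
    # Constructed from the btmon "Data:" line: AD length 30, type 0xff, company 0x00ab, payload.
    scan_rsp = bytes([30, 0xFF, 0xAB, 0x00]) + bytes.fromhex(
        "aa050603d73a080402005836443501c00000000000000000000000")
    company, payload = find_manufacturer_data(scan_rsp)
    print(company, parse_bluefrog(payload))
```

The 31-byte framed scan response matches the "Data length: 31" btmon prints, and the two decoded dates come out as 2017-02-24 and 2016-10-04, the months the text reads off the app. With the key byte, the machine and serial numbers all readable from a passive scan, the only thing a decryptor still needs is the pair of hardcoded keys from the APK.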
What to do next?
Write a decrypt function which can parse pcap files and show the messages,
or write a Lua dissector for Wireshark with the decryption built in.
Find out how to map the XML files to commands sent to the BlueFrog.
Bluetooth Interface
The good thing about BLE is that the communication is standardised.
BLE uses the Attribute Protocol (ATT) to communicate; on top of it, the Generic Attribute Profile (GATT) organises attributes into services and characteristics.
A service is an object which can hold multiple characteristics. A characteristic can support one or more of the following operations:
read, write, notification, indication.
Every service has a UUID, and so does every characteristic. The protocol has its own methods to discover the available
services and characteristics. For more information take a closer look at Bluetooth Low Energy.
Like any BLE device, the BlueFrog announces itself via advertisements:
> hcitool lescan
LE Scan ...
C9:26:E8:4B:72:02 TT214H BlueFrog
> HCI Event: LE Meta Event (0x3e) plen 43 #8 [hci0] 8.466202
LE Advertising Report (0x02)
Num reports: 1
Event type: Scan response - SCAN_RSP (0x04)
Address type: Random (0x01)
Address: C9:26:E8:4B:72:02 (Static)
Data length: 31
Company: Ingenieur-Systemgruppe Zahn GmbH (171)
Data: aa050603d73a080402005836443501c00000000000000000000000
RSSI: -78 dBm (0xb2)
Furthermore we can list the services and characteristics via gatttool:
> gatttool -b C9:26:E8:4B:72:02 --services -t random
attr handle = 0x0001, end grp handle = 0x0007 uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle = 0x0008, end grp handle = 0x0008 uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle = 0x0009, end grp handle = 0x0033 uuid: 5a401523-ab2e-2548-c435-08c300000710
attr handle = 0x0034, end grp handle = 0x003a uuid: 5a401623-ab2e-2548-c435-08c300000710
attr handle = 0x003b, end grp handle = 0xffff uuid: 00001530-1212-efde-1523-785feabcd123
> gatttool -b C9:26:E8:4B:72:02 --characteristics -t random
handle = 0x0002, char properties = 0x0a, char value handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb
handle = 0x0004, char properties = 0x02, char value handle = 0x0005, uuid = 00002a01-0000-1000-8000-00805f9b34fb
handle = 0x0006, char properties = 0x02, char value handle = 0x0007, uuid = 00002a04-0000-1000-8000-00805f9b34fb
handle = 0x000a, char properties = 0x02, char value handle = 0x000b, uuid = 5a401524-ab2e-2548-c435-08c300000710
handle = 0x000d, char properties = 0x08, char value handle = 0x000e, uuid = 5a401525-ab2e-2548-c435-08c300000710
handle = 0x0010, char properties = 0x08, char value handle = 0x0011, uuid = 5a401529-ab2e-2548-c435-08c300000710
handle = 0x0013, char properties = 0x08, char value handle = 0x0014, uuid = 5a401528-ab2e-2548-c435-08c300000710
handle = 0x0016, char properties = 0x0a, char value handle = 0x0017, uuid = 5a401530-ab2e-2548-c435-08c300000710
handle = 0x0019, char properties = 0x02, char value handle = 0x001a, uuid = 5a401527-ab2e-2548-c435-08c300000710
handle = 0x001c, char properties = 0x02, char value handle = 0x001d, uuid = 5a401531-ab2e-2548-c435-08c300000710
handle = 0x001f, char properties = 0x0a, char value handle = 0x0020, uuid = 5a401532-ab2e-2548-c435-08c300000710
handle = 0x0022, char properties = 0x0a, char value handle = 0x0023, uuid = 5a401535-ab2e-2548-c435-08c300000710
handle = 0x0025, char properties = 0x0a, char value handle = 0x0026, uuid = 5a401533-ab2e-2548-c435-08c300000710
handle = 0x0028, char properties = 0x02, char value handle = 0x0029, uuid = 5a401534-ab2e-2548-c435-08c300000710
handle = 0x002b, char properties = 0x02, char value handle = 0x002c, uuid = 5a401536-ab2e-2548-c435-08c300000710
handle = 0x002e, char properties = 0x02, char value handle = 0x002f, uuid = 5a401537-ab2e-2548-c435-08c300000710
handle = 0x0031, char properties = 0x02, char value handle = 0x0032, uuid = 5a401538-ab2e-2548-c435-08c300000710
handle = 0x0035, char properties = 0x02, char value handle = 0x0036, uuid = 5a401624-ab2e-2548-c435-08c300000710
handle = 0x0038, char properties = 0x08, char value handle = 0x0039, uuid = 5a401625-ab2e-2548-c435-08c300000710
handle = 0x003c, char properties = 0x04, char value handle = 0x003d, uuid = 00001532-1212-efde-1523-785feabcd123
handle = 0x003e, char properties = 0x18, char value handle = 0x003f, uuid = 00001531-1212-efde-1523-785feabcd123
Bluetooth Services and Characteristics

Service table

  start   end     uuid                                  name
  0x0001  0x0007  0x1800                                Generic Access Profile
  0x0008  0x0008  0x1801                                Generic Attribute Profile
  0x0009  0x0033  5a401523-ab2e-2548-c435-08c300000710
  0x0034  0x003a  5a401623-ab2e-2548-c435-08c300000710
  0x003b  0xffff  00001530-1212-efde-1523-785feabcd123  Nordic DFU

Generic Access Profile (GAP), handles 0x0001 .. 0x0007

  handle  value   properties  uuid                                  description
  0x0002  0x0003  RW (0xa)    00002a00-0000-1000-8000-00805f9b34fb  Device Name
  0x0004  0x0005  R (0x2)     00002a01-0000-1000-8000-00805f9b34fb  Appearance
  0x0006  0x0007  R (0x2)     00002a04-0000-1000-8000-00805f9b34fb  Peripheral Preferred Connection Parameters

Service 5a401523-ab2e-2548-c435-08c300000710, handles 0x0009 .. 0x0033

  handle  value   properties  uuid                                  description
  0x000a  0x000b  R (0x2)     5a401524-ab2e-2548-c435-08c300000710  Machine Status
  0x000d  0x000e  W (0x8)     5a401525-ab2e-2548-c435-08c300000710  Product Start
  0x0010  0x0011  W (0x8)     5a401529-ab2e-2548-c435-08c300000710  Service Control
  0x0013  0x0014  W (0x8)     5a401528-ab2e-2548-c435-08c300000710  Update Product Progress
  0x0016  0x0017  RW (0xa)    5a401530-ab2e-2548-c435-08c300000710  Product Progress
  0x0019  0x001a  R (0x2)     5a401527-ab2e-2548-c435-08c300000710  About
  0x001c  0x001d  R (0x2)     5a401531-ab2e-2548-c435-08c300000710
  0x001f  0x0020  RW (0xa)    5a401532-ab2e-2548-c435-08c300000710
  0x0022  0x0023  RW (0xa)    5a401535-ab2e-2548-c435-08c300000710
  0x0025  0x0026  RW (0xa)    5a401533-ab2e-2548-c435-08c300000710  Statistics command
  0x0028  0x0029  R (0x2)     5a401534-ab2e-2548-c435-08c300000710  Statistics data
  0x002b  0x002c  R (0x2)     5a401536-ab2e-2548-c435-08c300000710
  0x002e  0x002f  R (0x2)     5a401537-ab2e-2548-c435-08c300000710
  0x0031  0x0032  R (0x2)     5a401538-ab2e-2548-c435-08c300000710  Service Control Response

Service 5a401623-ab2e-2548-c435-08c300000710, handles 0x0034 .. 0x003a

  handle  value   properties  uuid                                  description
  0x0035  0x0036  R (0x2)     5a401624-ab2e-2548-c435-08c300000710
  0x0038  0x0039  W (0x8)     5a401625-ab2e-2548-c435-08c300000710

Nordic DFU service 00001530-1212-efde-1523-785feabcd123, handles 0x003b .. 0xffff

  handle  value   properties  uuid                                  description
  0x003c  0x003d  W- (0x4)    00001532-1212-efde-1523-785feabcd123  Nordic DFU_PACKET_CHARACTERISTIC
  0x003e  0x003f  W N (0x18)  00001531-1212-efde-1523-785feabcd123  Nordic DFU_CONTROL_POINT_CHARACTERISTIC

Legend for the properties column (the hex value is the GATT characteristic properties bitmask):
R means read (0x02)
W means write with response (0x08)
W- means write without response (0x04)
N means notification (0x10)
Additional sources
[1] https://www.thomas-electronic-online-shop.de/JURA-Smart-Connect
[2] https://forum.fhem.de/index.php?topic=76957.0
[3] https://community.home-assistant.io/t/control-your-jura-coffee-machine/26604
[4] https://gitlab.com/Blueforcer/HA2JURA/snippets/1674496
[5] https://github.com/hn/jura-coffee-machine
[6] https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.sdk5.v15.3.0%2Flib_dfu_transport_ble.html
Posted over 5 years ago
SoC: ramips MT7628NN
Flash: 4 MB
RAM: 32 MB
Posted almost 6 years ago
I joined the MirageOS retreat in March 2019. It's an 1 week event in Marrakech, Marocco.
It's a real nice house in the old city of Marrakech, the medina. The event itself doesn't
have much structure than a morning meeting and sometimes talks in the
... [More]
evening.
MirageOS is unikernel written in OCaml. MirageOS can run ontop of many backends, e.g. Unix process or xen, kvm, bhyve.
This retreat I took care of the Internet uplink. We had a slow and leaky 4MBit ADSL line from Marocco Telecom which we used as backup, while using LTE as main uplink. We used first imwi as provider. But imwi changes the IPs quites often and the implementation in OpenWrt uqmi does not follow the IP changes, which resulted in a stale LTE connection. Imwi is also filtering all UDP DNS queries, except those going to their own servers. We then switched to Orange as provider, because someone had a card available. Orange was fast enough, pretty stable 5MBit up&down. We consumed roughly 20 GB a day. This brought us the nice daily ritual, a walk to a small and nice mobile shop in the medina.
1 GB cost 10 Dh (1 Euro).
Our router, an APU2, runs OpenWrt, but we disabled DNS & DHCP and ran these services on a seperate APU using MirageOS.
Even I'm not such familiar with OCaml and functional languages, I tried to fix a bug in the DHCP Server implementation PR#97.
It worked for me, however after deploying it, it turned out, it only worked for me, I broke it for everybody else ;). This motivated me to start
looking on TTCN-3, a ETSI language to test network protocols. Later together with Hannes, we fixed the DHCP for real. Adding some TTCN-3 tests and create a simple base is still on my TODO. Another really nice OCaml service on side was a learn-ocaml instance. An interactive teaching web application for beginners and advances OCaml programmers including an annotate OCaml compiler. Sadly there is no instance in the internet yet, as the projects is not ready for release.
While there I also worked a lot on reproducible builds for OpenWrt. I fixed 2 packages. All OpenWrt base packages are 100 % reproducible.
Thanks to Daniel Golle, OpenWrt images can be cryptographically signed. This signature must be removed before looking for differences, this is also done
in the reproducible builds setup for OpenWrt. 100% of ar71xx images are reproducible and 98% of ramips. The remaining 2% are also signature problems, but these signatures are in the middle instead of the end of the image. I also found the time to integrate my package index parser into reproducible builds. It's much easier to just parse two packages list, than looking on the all package files to determine if they are reproducible or not. The package index files also contain metadata of the packages which it inserts into the reproducible builds database.
Some people from the QubesOS projects joined the retreat. For example there is a MirageOS firewall which replaces the QubesOS own one. There is also a Pong game, which can run as QubesOS-vm. Thanks to the QubesOS people for their help on my problems with disposable vms.
Furthermore I brought a beaglebone black with me to investigate bugs reported for that platform. While looking at it, I found out the last release of OpenWrt (18.06.2) doesn't work on this board (fs: squashfs), while master works. I also fixed builds issues with u-boot in OpenWrt for the beaglebone black when using a modern toolchain.
Since we used LTE as uplink, we wanted to know how much of our data volume was consumed. OpenWrt might have statistics, but those are stored only in memory and not saved anywhere. I didn't looked for any OpenWrt packages which fixes this problem, because the provider (Orange) is supporting a USSD code to retrieve the remaining volume.
What is USSD? USSD stands for Unstructured Supplementary Service Data. It's used on mobile phones to retrieve your balance, your phone number, your IMEI, [..]. Most people have used them: take your phone, open the phone application and call *#06#, and it will return your phone's unique identifier (IMEI). While SMS is a store-and-forward scheme, like email, USSD is a real-time message protocol, similar to a TCP connection. The USSD codes are simple: do a request, get a response. Done. But Orange implemented a menu via USSD. So the USSD session will look like: Request, Response, Choose Your Menu, Response, Go Back, Choose a different Point.
I've started writing USSD support for libqmi. Simple USSD codes can be requested and decoded, but not menus with user input.
And the biggest problem is: OpenWrt doesn't support USSD at all. Not even the simple ones.
|
Posted over 6 years ago
Sometimes, when I'm not directly around or I forgot to plug the power supply into my laptop,
my laptop runs into the critical power action. Because I'm using upowerd, my machine
tries to do this:
HibernateSuspend (fails)
Hibernate (fails)
PowerOff
Great! My machine shuts down in the middle of doing something. It would take 2 minutes to get a power supply,
but too late!!
But there might be a solution for this: Suspend.
My machine can survive more than 1 hour in suspend with this low battery.
It would help me NOT lose my current unsaved work.
After looking into upowerd, it's just a 1-line code change to allow this.
It is not a good default, but there are people who like to use this.
But .. upowerd doesn't like it. They don't even want to allow the user to take this option. Independent of that,
I agree this shouldn't be the default.
We have been discussing this issue for years, without any solution. Upowerd wants to decide what users should do with their laptop and what not.
Discussion Bugtracker
How to resolve it?
|
Posted over 7 years ago
From time to time you need to test things with the old image.
But how do you test things when the original build environment is lost
and you want to test sysupgrade against this old release (actually 12.09)?
First you have to create a flash dump of the firmware partition.
# grep firmware /proc/mtd
mtd5: 003d0000 00010000 "firmware"
# ssh [email protected] dd if=/dev/mtd5 > /tmp/firmware_backup
Afterwards you can use binwalk to get the actual offsets of the different
parts inside it.
# binwalk /tmp/firmware_backup
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
512 0x200 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2813832 bytes
930352 0xE3230 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2194094 bytes, 728 inodes, blocksize: 262144 bytes, created: 2014-03-05 14:58:48
3145728 0x300000 JFFS2 filesystem, big endian
So the firmware partition on ar71xx is still using the (old) layout of
----------
|KERNEL |
----------
|squashfs|
----------
|jffs2 |
----------
while a sysupgrade image for those platforms contains:
--------------
|KERNEL |
--------------
|squashfs |
--------------
|jffs2-dummy |
--------------
So we will split off the jffs2 part and replace it with a jffs2-dummy.
# dd if=/tmp/firmware_backup bs=3145728 count=1 of=/tmp/sysupgrade.img
Next we add this jffs2-dummy by using the same tool LEDE uses:
# /home/lynxis/lede/staging_dir/host/bin/padjffs2 /tmp/sysupgrade.img 64
The 64 is the padding size in KB. It's important to choose the right one, but for most devices this is 64k, at least for ar71xx.
ssh [email protected] dd if=/dev/mtd5 > /tmp/firmware_backup
binwalk /tmp/firmware_backup
dd if=/tmp/firmware_backup bs=3145728 count=1 of=/tmp/sysupgrade.img
/home/lynxis/lede/staging_dir/host/bin/padjffs2 /tmp/sysupgrade.img 64
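As an added example (not the post's own tooling), the same split done in Python: it locates the squashfs superblock and the big-endian JFFS2 start the way binwalk reported them above, cuts the dump there like the dd step, and appends a jffs2-dummy. The padding routine (0xff up to the erase-block boundary, then the 0xdeadc0de JFFS2 end-of-filesystem marker) is my reading of what padjffs2 produces, not its code; compare against the real tool's output before flashing anything.

```python
import struct
import sys

SQUASHFS_MAGIC = b"hsqs"              # squashfs v4 superblock magic (little endian)
JFFS2_MAGIC_BE = b"\x19\x85"          # JFFS2 node magic as stored on big-endian ar71xx flash
JFFS2_EOF_MARK = b"\xde\xad\xc0\xde"  # JFFS2 end-of-filesystem marker OpenWrt appends


def find_squashfs(image: bytes) -> tuple[int, int]:
    """Locate the first squashfs v4 superblock; return (offset, bytes_used).

    bytes_used is the 64-bit little-endian field at superblock offset 40,
    i.e. the "size" binwalk prints for the squashfs filesystem.
    """
    off = image.find(SQUASHFS_MAGIC)
    if off < 0:
        raise ValueError("no squashfs superblock found")
    (bytes_used,) = struct.unpack_from("<Q", image, off + 40)
    return off, bytes_used


def find_jffs2(image: bytes, search_from: int, erase_size: int) -> int:
    """Return the first erase-block-aligned offset at or after search_from
    whose first bytes are a big-endian JFFS2 node (binwalk's "JFFS2 filesystem")."""
    off = -(-search_from // erase_size) * erase_size  # round up to a block boundary
    while off + len(JFFS2_MAGIC_BE) <= len(image):
        if image[off:off + len(JFFS2_MAGIC_BE)] == JFFS2_MAGIC_BE:
            return off
        off += erase_size
    raise ValueError("no jffs2 partition found after the squashfs")


def pad_jffs2(data: bytes, pad_size: int) -> bytes:
    """Pad with 0xff to the next pad_size boundary, then append the JFFS2 EOF mark.
    Assumption: this mirrors `padjffs2 <file> <kb>`; verify against the tool."""
    aligned = -(-len(data) // pad_size) * pad_size
    return data + b"\xff" * (aligned - len(data)) + JFFS2_EOF_MARK


def make_sysupgrade(image: bytes, erase_size: int = 64 * 1024) -> bytes:
    """KERNEL + squashfs taken from the flash dump, followed by a jffs2-dummy."""
    sq_off, used = find_squashfs(image)
    jffs2_off = find_jffs2(image, sq_off + used, erase_size)
    # Same cut as `dd bs=<jffs2 offset> count=1`, then the padjffs2-style dummy.
    return pad_jffs2(image[:jffs2_off], erase_size)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as src:
        result = make_sysupgrade(src.read())
    with open(sys.argv[2], "wb") as dst:
        dst.write(result)
```

Run as `python3 split.py /tmp/firmware_backup /tmp/sysupgrade.img`; on the dump above the cut lands at 0x300000, matching the binwalk offset of the JFFS2 filesystem.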
|
Posted over 7 years ago
A friend gave me his x1 carbon gen1 some time ago.
The x1 carbon is a little bit different from other Thinkpads because it's a combination
of a Thinkpad and an Ultrabook.
It has a Trackpoint (and even Trackpoint buttons).
It has soldered memory (only Elpida memory is supported atm).
It has Full-HD (missed that on the x2xx).
Looking under the hood, the x1 carbon gen1 looks very much like the x230.
|