Ivo's blog

Hacks, code and random thoughts

Hacking the Zolid Mobile Router

written by ivo, on Jul 14, 2010 9:46:00 AM.

I recently bought a Zolid “wireless mobile router” at a local ALDI store. It’s a nifty little device with 2xUSB, 2xUTP, and b/g/n wireless. You can plug it directly into a socket or power it through micro USB. It also claims to support a wide range of 3G dongles so you can use it as a mobile 3G access point. It resembles some of the Linux plug servers like Sheevaplug and Guruplug. Here are some of my findings:

Versions

The Zolid (an ALDI brand) is a rebranded “Amigo 3R161N”, which is also sold by Solwise as the 3g11nmrw and as the E-Top 3r161n, though I can’t find it on the E-Top website.

Software details

As I expected, it runs Linux:

Linux version 2.6.19 (root@localhost.localdomain) (gcc version 3.4.6-1.3.5) #1 Fri Feb 26 17:00:34 CST 2010

It has firmware “ver1.1.5” installed.

It uses the “GoAhead-Webs” web server.

It uses Pure-FTPd as FTP server.

Firmware

It didn’t ship with firmware on the CD. Unisupport.net (responsible for Zolid support) doesn’t offer anything for download either, and neither does Amigo. However, Solwise does have two firmware images available at the bottom of their product page.

I haven’t yet succeeded in dissecting the firmware (which helps to find backdoors, exploits, and so on, and may provide an opportunity to create a customized firmware). I think it starts with a “config.dat” file, but I have to research this further.

Hacks, details

Appending %00 to a .asp URL (other characters also work, e.g. ///) returns the unrendered source of the ASP page, e.g. http://192.168.1.132/status.asp%00

nmap reports the following open ports and fingerprint:

Interesting ports on default.fritz.box (192.168.1.132):
Not shown: 994 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
49152/tcp open  unknown
MAC Address: 00:08:A1:C8:C9:C4 (CNet Technology)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=7/14%OT=21%CT=1%CU=32750%PV=Y%DS=1%G=Y%M=0008A1%TM=4C3D6DD
OS:3%P=i686-pc-linux-gnu)SEQ(SP=CE%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%TS=U)OPS(O1=
OS:M5B4NNS%O2=M5B4NNS%O3=M5B4%O4=M5B4NNS%O5=M5B4NNS%O6=M5B4NNS)WIN(W1=16D0%
OS:W2=16D0%W3=16D0%W4=16D0%W5=16D0%W6=16D0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4N
OS:NS%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=4
OS:0%W=16D0%S=O%A=S+%F=AS%O=M5B4NNS%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(
OS:R=Y%DFI=N%T=40%CD=S)

I have been able to find the following additional pages that are not part of the current navigation:
  • opmode.asp
  • one_button.asp
  • ap_one_button.asp
  • wifi_one_button.asp
  • tcpipwan.asp
  • qos.asp
  • downloadserver.asp (*)
  • stats.asp
(*) may crash the internal web server.

Crashing the web server is easy (no authentication required):

wget 'http://192.168.1.132/goform/foo'

Accessing “config.dat” offers a download containing, I assume, the device’s configuration. It’s probably related to the saveconf.asp page. This file resembles the start of the firmware images I’ve been able to find.

Update

Thanks to info provided by Remco van Mook I’ve found a page on the Sapido gr-1102 which mentions an “obama.asp” page that also works on the Zolid; it allows you to execute arbitrary commands!

Executing /usr/sbin/telnetd -l /bin/sh as the command will give you an immediate root shell through telnet.
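
As an added example (my own code, not from the post or the device vendor), here is a small Python check a defender could run over web access logs to spot the request patterns described above: %00 or extra slashes glued onto .asp pages, downloads of config.dat, hits on the obama.asp, downloadserver.asp and saveconf.asp pages, and /goform/ calls that made the server error out. The log lines are constructed in Common Log Format; the router’s own GoAhead server may log differently (or not at all), so the line regex is an assumption to adapt to whatever proxy or IDS sits in front of the device.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (not real traffic from the post).
SAMPLE_LOG = """\
192.168.1.10 - - [14/Jul/2010:09:40:01 +0200] "GET /status.asp HTTP/1.1" 200 4120
192.168.1.10 - - [14/Jul/2010:09:40:05 +0200] "GET /status.asp%00 HTTP/1.1" 200 3998
192.168.1.10 - - [14/Jul/2010:09:40:09 +0200] "GET /status.asp/// HTTP/1.1" 200 3998
192.168.1.10 - - [14/Jul/2010:09:41:12 +0200] "GET /config.dat HTTP/1.1" 200 65536
192.168.1.10 - - [14/Jul/2010:09:42:30 +0200] "GET /goform/foo HTTP/1.1" 500 0
192.168.1.10 - - [14/Jul/2010:09:43:00 +0200] "GET /obama.asp HTTP/1.1" 200 1200
192.168.1.11 - - [14/Jul/2010:09:44:00 +0200] "GET /index.asp HTTP/1.1" 200 2048
"""

# Common Log Format parser (assumed format; adapt to the real log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Pages the post singles out: config export, remote command page, crash-prone page.
SENSITIVE_PAGES = {"/config.dat", "/obama.asp", "/downloadserver.asp", "/saveconf.asp"}


def classify(path, status):
    """Return a tag for a suspicious request, or None for normal traffic."""
    raw = path.split("?", 1)[0]
    decoded = unquote(raw)
    # %00 or a run of slashes appended to an .asp name: the source-disclosure trick
    if re.search(r"\.asp(\x00|/{2,})", decoded, re.IGNORECASE) or ".asp%00" in raw.lower():
        return "asp-source-disclosure"
    if decoded.lower() in SENSITIVE_PAGES:
        return "sensitive-page"
    # An unknown /goform/ handler that made the server fall over
    if decoded.lower().startswith("/goform/") and status >= 500:
        return "goform-crash"
    return None


def scan_log(text):
    """Return (client ip, path, tag) for every suspicious line in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify(m["path"], int(m["status"]))
        if tag:
            findings.append((m["ip"], m["path"], tag))
    return findings


if __name__ == "__main__":
    for ip, path, tag in scan_log(SAMPLE_LOG):
        print(f"{tag:24} {ip:15} {path}")
```

On the constructed sample this flags five of the seven lines; the two plain page views pass. Because the router’s web interface needs no authentication for most of this, the useful mitigation is to keep the device’s LAN side off untrusted networks and watch the upstream logs, rather than anything on the device itself.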

Related links

Remaining questions

  • How can we dissect the firmware?
  • Shouldn’t sources and licenses be provided somewhere?
  • How can we hack/exploit this device?

Please keep an eye on this page for further updates. Respond in the comments if you have found anything interesting.

Why you shouldn't buy a Samsung Android phone

written by ivo, on Apr 21, 2010 3:30:00 PM.

I purchased the Samsung Galaxy i7500 about 6 months ago. I blogged before on how disappointed I was with it, and that hasn’t changed. Recently I took my losses and replaced it with an HTC Desire, which turns out to be the perfect Android phone - I totally love it.

Summarized, here are some of the issues I’ve had with the i7500:

  • The screen locks/blocks when dialing, and can’t be unlocked. This means you can’t use the touch screen to navigate through phone menus. I’ve met a fellow i7500 owner who suffered from the same problem, and his workaround was to use the trackpad to navigate through the numerical on-screen keyboard. But sometimes even this doesn’t work.
  • Photos are sometimes corrupted. You end up with missing pictures and strange files with numerical IDs. Sometimes they also seem to come back again, so perhaps they are still correctly stored on the filesystem, though when accessing the storage remotely you will see the strange files as well.
  • WIFI is flaky/buggy. It will sometimes not recognize previously accessed/stored networks and will keep asking for a key. Turning wifi off/on again sometimes solves this issue.
  • Battery life is really poor, and actually simply not acceptable for a device with features such as the Galaxy’s. Why put in 3G, Wifi, GPS and an OLED screen if the device doesn’t have enough power to last a working day?

All of these issues persist after a full factory reset.

Samsung has completely ignored its “early android adopters” and chose to focus on supporting the “cheaper” Galaxy Spica instead. This is the support you get for a device that cost € 450,- half a year ago (and now costs less than half of that).

I don’t even care for an Android 1.6 or 2.x update, I just want a usable Phone.

I recently checked to see if there were any updates available. The only software that’s available on the Samsung Mobile site is “Samsung NEW PC Studio”, which I previously ranted about. I’ve tried downloading the update, but the installer is actually failing to install due to a “configuration file error”. I’ve tried contacting Samsung Mobile about this and all they came back with was to contact Samsung Netherlands. It’s unclear why they can’t forward support requests internally themselves.

Eventually Samsung Customer service (after I forwarded the mail myself) replied that there are no updates and there is no reason to use New PC Studio, which makes me wonder why they offered the download in the first place.

This whole experience has made me reconsider my appreciation for Samsung in general. I used to be a fan of their products - I have had Samsung flatscreen TVs, printers, mp3 players (one of the few with ogg support back then) and I have always been really happy. Until now, that is.

Summary

If you want a buggy, overly expensive Android phone and terrible customer service / support, pick Samsung. I can’t imagine anything will improve with the new models so you should be safe. However, if you want your money’s worth from a company that truly believes in and supports Android, pick an HTC device like the HTC Desire or HTC Legend.

iRiver releases Story source

written by ivo, on Apr 19, 2010 11:28:00 AM.

It seems iRiver has put up a webpage containing the source to the iRiver story firmware, or at least (some?) GPL copylefted parts of it.

It’s a rather strange page however. Text is embedded in images (instead of plain text / html) and an imagemap with javascript is used to download the actual files. It’s almost as if they don’t want the page to be indexed. They even manage to misspell their product name.

On the other hand, iRiver *is* linking (again through javascript, so it can’t be followed by crawlers) to the open source page from its frontpage.

So just to be sure I’ll be making copies of the provided source, and to help google a bit I’ll provide some indexable direct links:

I will also provide a mirror of the iRiver story GPL source files, though I haven’t checked them thoroughly yet.

It’s unclear if my previous posts and/or if Mikhail Gusarov’s gpl-violations.org work has been of any influence, but it’s good to see some source being released. Hopefully this will enable the openinkpot.org developers to hack the iRiver story a bit more :)

Twitter Social Networking

written by ivo, on Apr 12, 2010 9:11:00 AM.

When using Twitter I sometimes wonder how I’m “related” to other users. Usually I will know if I follow them directly or if they follow me, but do we share any followers / people we follow?

Twitter is considered a social networking application, but I find it really hard to find this information directly. Impossible actually. That’s why I’ve created a small twitter application, “Litter Social”. Given two twitter screen names (they don’t have to be your own), it will find shared connections, one level deep. The application was written using Pylons and Mike Verdone’s twitter api. The latter has some shortcomings which I’ve reported back, most importantly lack of out-of-the-box support for the v1 Twitter Api, but that’s quite easy to work around.

So go ahead, give Litter Social a try. Let me know what you think. It’s actually a bit addictive :)

About (litter).scritch.org

Litter isn’t a very flattering name for a site but it rhymes with Twitter and it points out that you shouldn’t take it too seriously. They’re just small twitter experiments (more to follow). Scritch.org is the site I run all my experiments (they “scratch” my “itch”) on, which also includes Fetch, an HTTP header analyzer and Guess, a tool to detect the software (cms, framework) a site is using.

More iRiver story news

written by ivo, on Mar 15, 2010 4:10:00 PM.

Mikhail Gusarov contacted me today about my iRiver story findings.

He’s involved in openinkpot, a Linux e-reader distro. Based on my initial findings he’s been able to execute arbitrary code based on the elisamake_sh script.

You can read more about his findings and details here.

I hadn’t heard of openinkpot before. It looks like an interesting and useful project that I’ll be following closely, even though the iRiver story won’t be supported for a while.

SEO/Security/Sysadmin tools: Web application detection

written by ivo, on Mar 5, 2010 9:52:00 AM.

I’m knee deep in web development. I also always like to look at websites from a security point of view. This often means I end up looking at http headers, source code, error pages and so on to see what software a site is running and what its vulnerabilities might be.

Even though this may sound like an odd hobby, I bet there are other people who do something similar, and to save me and those others some time I’ve written two tools to help in figuring out what kind of software a site is running: Fetch, a tool to fetch and analyze HTTP headers / responses, and Guess, a tool to detect the web software stack used on a site.

I hope these tools can be of use to web developers, SEO consultants and security consultants, or just anyone who’s interested in seeing what’s happening behind the (browser) screens.

All of this has also allowed me to develop a powerful toolkit to scan/analyze websites which I plan to use for other future projects, SEO and security related, but I can for example also imagine an ISP finding it useful to analyze what kind of software their users are actually running.

Fetch

I’ve blogged about Fetch before so I won’t get into too much detail. It’s basically the web equivalent of telnet host.tld 80 and doing a GET or HEAD by hand, but then a lot more user friendly, verbose and feature-rich.

Guess

Guess analyzes a site and tries to figure out what web server, language and framework the site is running. If possible, it will also attempt to find the versions used.

Guess is learning about new software stacks each day and it already has an impressive hit rate (at least the sites that I usually try it on), though some very obvious systems still aren’t detected.

I’ve also planned many more features, such as:

  • Javascript library detection
  • Details about stats tools used
  • OS details
  • Plugins, options, modules used/installed

Currently, it detects a large range of CMSs and frameworks, open and closed source, such as:

  • Wordpress
  • Drupal
  • Joomla
  • Zope, Plone (of course ;)
  • Zine (duh!)
  • Django
  • Squarespace
  • GX
  • MovableType
  • Ruby on rails
  • And many more (and adding new ones each eh.. week)…
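
As an added example (my own, not Guess’s code), here is the kind of header and HTML fingerprinting a tool like Guess does, written as a small Python function. The three responses it runs on are constructed, and the signature table is a handful of assumptions about common Server, X-Powered-By, X-AspNet-Version and Set-Cookie values plus the WordPress generator meta tag; a real table would be much longer. Running this against your own responses is a quick way to see what a site gives away before an attacker does.

```python
import re

# Constructed HTTP responses (headers, body); not captures from any real site.
SAMPLES = {
    "blog": (
        {"Server": "Apache/2.2.14 (Ubuntu)", "X-Powered-By": "PHP/5.3.2",
         "Set-Cookie": "wordpress_test_cookie=WP+Cookie+check; path=/"},
        '<html><head><meta name="generator" content="WordPress 2.9.2" /></head></html>',
    ),
    "shop": (
        {"Server": "Microsoft-IIS/7.5", "X-AspNet-Version": "2.0.50727",
         "Set-Cookie": "ASP.NET_SessionId=abc123; path=/; HttpOnly"},
        "<html><body>hello</body></html>",
    ),
    "app": (
        {"Server": "nginx/0.7.65", "Set-Cookie": "sessionid=deadbeef; Path=/"},
        "<html></html>",
    ),
}

# (where to look, regex, component). A version is captured by group 1 where present.
# These are illustrative assumptions about common leaks, not an authoritative list.
SIGNATURES = [
    ("Server", r"Apache(?:/(\S+))?", "Apache"),
    ("Server", r"nginx(?:/(\S+))?", "nginx"),
    ("Server", r"Microsoft-IIS(?:/(\S+))?", "IIS"),
    ("X-Powered-By", r"PHP(?:/(\S+))?", "PHP"),
    ("X-Powered-By", r"Zope", "Zope"),
    ("X-AspNet-Version", r"(\S+)", "ASP.NET"),
    ("Set-Cookie", r"ASP\.NET_SessionId", "ASP.NET"),
    ("Set-Cookie", r"wordpress_", "WordPress"),
    ("Set-Cookie", r"\bsessionid=", "Django"),  # Django's default session cookie name
    ("body", r'<meta name="generator" content="WordPress(?: ([\d.]+))?"', "WordPress"),
]


def guess_stack(headers, body):
    """Return {component: version or None} inferred from response headers and HTML.

    A later signature only adds a version to a component already seen without one,
    so the cookie-based WordPress hit gets its version from the generator tag."""
    found = {}
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for where, pattern, name in SIGNATURES:
        hay = body if where == "body" else lower.get(where.lower(), "")
        m = re.search(pattern, hay, re.IGNORECASE)
        if not m:
            continue
        version = m.group(1) if m.groups() else None
        if name not in found or found[name] is None:
            found[name] = version
    return found


if __name__ == "__main__":
    for site, (headers, body) in SAMPLES.items():
        print(site, guess_stack(headers, body))
```

The point for a site owner is the inverse of the tool’s: every entry this returns is a version string or product name you are publishing for free, and most of them (Server tokens, X-Powered-By, the generator tag) can be suppressed in configuration.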

Bookmarklets, extensions

Both tools can be used as bookmarklets: simply copy the URL to your bookmarks toolbar, and clicking it will open the site you currently have open in a new window with either Fetch or Guess.

I’m also planning on developing simple Chrome and Firefox extensions, but adding more software stacks and features have a higher priority; the bookmarklets actually work really well.

Moving to a new blog

written by ivo, on Mar 5, 2010 9:17:00 AM.

I’ve moved my old blog to a new domain and new software. Popular postings have been migrated, the rest remains at the old blog/site as an archive. As a bonus, comments are now finally supported.

blog.m3r.nl started as a quick hack - I just wanted to share some thoughts and code, but it’s time to give it a more appropriate name and more suitable software. The old blog ran Plone and even though there are sufficient blogging products for it, it’s always pretty hard to make it not look like Plone anymore.

I wanted the new blog to run some sort of Python blogging software. I have considered Django Mingus, but it looks too alpha for easy deployment. I ended up using Zine which seems pretty mature and feature complete. However, now that I am using it there are some things I’d like to improve, such as:

  • I don’t like the included text parsers. I actually like WYSIWYG editors instead of learning yet another markup language (which Zine-markup can’t actually be considered)
  • There’s no way to add images to a posting. You need to upload them elsewhere.
  • A modified skin probably, although the default looks fine for now
  • Migration options are really limited, migrating to the database directly is not really supported. I’ve hand migrated some articles so that’s not really an issue anymore.
  • It uses the retarded US date format M/D/Y in the admin interface, and I see no option to fix this. Probably setting a locale somewhere in the WSGI publication chain.
  • The editing workflow is rather primitive, no real preview option.
  • It’s too hard to link to another blog entry - you have to copy/craft the url by hand.

Usually I end up considering writing my own variation of the software. Lack of time is what keeps me from reinventing these wheels over and over again :)

All of these things can be accomplished using Zine’s plugin mechanism so it’s worth looking into that. Unfortunately, documentation is seriously lacking.

My old blog is dead, it won’t get updates. You can unsubscribe from the RSS feed and subscribe to this blog’s Atom feed instead.

iriver story hands-on

written by ivo, on Jan 29, 2010 10:00:00 PM.

I just received the iRiver Story EB02 e-reader I blogged about earlier. The first steps of course are:

  • hook it up (to load the battery and to upload some books)
  • update the firmware (this really is a must)

Hooking it up

You need to explicitly select if it connects as a storage device or if it should just charge. I'm not sure if it charges when used as an external disk.

Disconnecting on OSX (unmounting) seems to be a problem - it immediately reconnects.

Updating the firmware

Make sure you save the firmware in UPPERCASE! It explicitly checks for EBOOK.HEX; ebook.hex won't work!

It's unclear to me how to properly turn the device off (you don't really need to actually!). Sliding the hold key to the right will simply lock the device.

Other findings

  • There's no mention anywhere of GPL'd or otherwise OSS being used/licensed (it uses at least the linux kernel and busybox)
  • While reading, selecting Options -> Reflow (on -> off) greatly improves readability, at least with the PDF documents I tried.
  • I'm positively surprised by the responsiveness and speed of the device. It's snappy enough for me.

Hacking the iRiver Story EB02 e-reader

written by ivo, on Jan 23, 2010 10:00:00 PM.

I recently purchased an iRiver Story EB02 e-reader. I haven't actually received it yet but I was curious about its details and the type of software it would run.

I learned it's an absolute must to download / install the latest firmware, so I decided to have a look at that for now as I didn't have a device to install it on anyway.

The firmware is called "ebook.hex" which is a bit mysterious. It turns out to be an ordinary zipfile with 128 bytes of leading garbage:

0000000   i   r   i   v   e   r       N   e   t   w   o   r   k       T
0000020   e   a   m       Y   o   o       H   y   u   n   g       S   e
0000040   o   u   n   g       a   j   f   e   o   q   n   a   n   g   h
0000060   o   q   p   o   e   a   ]   [   [   k   l   m   .   /   .   .
0000100   ,   m   z   l   l   o   e   =   -   0   j   . 376   _   @ 324
0000120  \b 206 236 351 026 242 036   n 350 335   Q   a   c   1   8  \0
0000140   .   \   _   p   r   e   _   w   o   r   k   .   b   a   t  \0
0000160   .   \   E   B   O   O   K   .   y   h   s  \0   C   r   e   a
0000200   P   K 003 004 024  \0  \t  \0  \b  \0 261   m   3   <   (   G

Unpacking the zipfile will prompt for a password, however. You'll be able to find the password relatively easily using the following command, though:

$ fcrackzip -c "a" -p aaaaaaaa -v ebook.hex
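
To show the layout described above in code, here is an added Python example (mine, not iRiver's or the post's) that locates the embedded zip by its PK\x03\x04 local-file-header signature, reads the general-purpose flag of that header to tell whether the entries are password-protected, and lists the members. The image it runs on is constructed inside the script (filler bytes followed by a small zip built with zipfile), so the member names are placeholders, not the real firmware contents, and the 128-byte offset is taken from the hexdump above (octal 0200).

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature of a zip local file header
HEADER_SKIP = 128                   # the post's hexdump shows the zip at octal offset 0200


def build_sample_image():
    """Constructed stand-in for ebook.hex: 128 bytes of filler, then a real (unencrypted) zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("app/start.feb", b"constructed placeholder, not real firmware")
        zf.writestr("rootfs.cramfs", b"\x00" * 64)
    filler = b"iriver Network Team ".ljust(HEADER_SKIP, b"\xff")  # constructed filler
    return filler + buf.getvalue()


def find_zip_offset(blob):
    """Offset of the first local file header, or -1 when the blob holds no zip."""
    return blob.find(ZIP_LOCAL_HEADER)


def is_encrypted(blob, offset):
    """Bit 0 of the general-purpose flag (2 bytes at header offset 6) marks a password-protected entry."""
    flags = struct.unpack_from("<H", blob, offset + 6)[0]
    return bool(flags & 0x0001)


def carve(blob):
    """Return (offset, encrypted?, member names) for the zip embedded in blob.

    Slicing from the signature makes the central-directory offsets line up again,
    so the standard zipfile module can read the carved archive directly."""
    off = find_zip_offset(blob)
    if off < 0:
        raise ValueError("no zip local file header found")
    inner = blob[off:]
    with zipfile.ZipFile(io.BytesIO(inner)) as zf:
        names = zf.namelist()
    return off, is_encrypted(blob, off), names


if __name__ == "__main__":
    image = build_sample_image()
    offset, encrypted, members = carve(image)
    print(f"zip starts at byte {offset}, encrypted={encrypted}")
    for name in members:
        print("  ", name)
```

On a real ebook.hex the encrypted flag would come back True, which is the point of the check: you can confirm the container format and enumerate the member names (stored in the clear even for traditional zip encryption) before deciding whether the archive is worth any further effort.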

The OS

The OS the iRiver Story appears to be running is (big surprise!) Linux! It appears to be for an ARM based system, using Cairo for rendering the e-books. The most surprising thing however is that I didn't see any GPL notices or links to source code anywhere. Let's hope that's handled better in the package when it arrives; this is starting to smell a bit like a GPL violation.

It contains a cramfs root filesystem (rootfs.cramfs) which you can easily mount:

# mount -o loop rootfs.cramfs /mnt/iriver-mnt

Some observations

  • on the rootfs, /tmp/status_managers is responsible for handling upgrades (and general system startup probably). Using "strings -a" you will again find the ZIP password. It also appears to try something with "ebook.yhs".
  • the zipfile itself contains an app/ directory with some "real" binaries (book2pngd, Jmp3_player_copy and mattrib). The other files are ".feb" files and I'm not sure what they are. They're binary with some plaintext strings included. Perhaps native ARM, perhaps interpreted. The binary "/flow_copy" appears to be responsible for starting "start.feb" which in turn may be responsible for starting the other .febs.
  • booting (or at least starting stuff) from sdcard seems possible. The following snippet comes from rootfs' /etc/init.d/rcS:
############ Detect SD Booting Movi Booting ###
echo 157 > /sys/class/gpio/export
if [ "`cat /sys/class/gpio/gpio157/value`" != "0" ]; then
#SD Booting
        mount -t vfat -o shortname=mixed /dev/mmcblk1p1 /mnt/SDFAT
        # if elisamake_sh exists on the SD card
        if [ -f /mnt/SDFAT/factory/elisamake_sh ]; then
        echo "##### SD Booting #####"
        echo "##### Run script /mnt/SDFAT/factory/elisamake_sh #####"
        dos2unix /mnt/SDFAT/factory/elisamake_sh
        /mnt/SDFAT/factory/elisamake_sh
        sync
        else
        #MOVI NAND fdisk
        echo "##### SD Booting Start Fdisk MOVI NAND #####"
        fdisk -u -S 16 -H 1 /dev/mmcblk0 < /etc/init.d/sfdisk
        mkfs.vfat -n Story -F 16 /dev/mmcblk0p1
        /tmp/mke2fs /dev/mmcblk0p2
        sync
        fi
fi
  • firmware 1.61 uses Linux kernel 2.6.28.6: Linux version 2.6.28.6 (root@jang) (gcc version 4.3.2 (GCC) ) #706 PREEMPT Tue Dec 15 11:59:43 KST 2009
  • it uses/runs busybox
  • it uses SQLite
  • There may be WIFI support someday. Perhaps in this device (if it carries the hardware) or else some future device. The following is the contents of the settings.xml file:
<?xml version="1.0" encoding="utf-8"?>
<system_setting>
<setting_info>
  <passwd>NULL</passwd>
  <title1>NULL</title1>
  <title2>NULL</title2>
  <name>iriver</name>
  <phone>0000</phone>
  <time>200901010900am</time>
  <lang>2</lang>
  <shortkey>YURTF</shortkey>
  <font>NULL</font>
  <power>15</power>
  <dic>DD</dic>
  <wifi>NULL</wifi>
</setting_info>
</system_setting>

More may follow once I actually have the device :)

Misc.

A happy blogging iRiver Story user

iRiver story firmware download
django toy project: fetch/analyze HTTP / HTML

written by ivo, on Nov 17, 2009 3:45:00 PM.

One of my toy projects has been running nicely over the past few months so I guess it's time to release it into the wild:

Fetch

It fetches URLs and provides all kinds of information such as:

  • headers
  • embedded links, images
  • encoding information
  • script references

It turns out to be a pretty useful tool when doing simple SEO analysis, investigating what kind of platform a site uses, testing encoding issues, testing authorization, etc. I've been using it quite a lot and I hope it can be useful to others as well.

A bookmarklet is provided - copying it to your bookmark toolbar will allow you to analyze the site you're currently visiting.
This tool is not unique. Besides the obvious tools that provide a lot of similar functionality (e.g. Firebug) there are also online services that provide similar functionality. However, most of the online tools aren't as extensive as Fetch.

Some improvements I have planned:

  • coloured html
  • working redirect handling, POST/HEAD support
  • cookie decoding
  • P3P decoding

Let me know if you find it useful!