The Firehouse

Case example: the Sony SPK-HCE waterproof case for video cameras. I tried to find a good, in-depth review, or even just a blog post by someone who had used one and could shed some light into wether dumping over 200€ on this thing is worth it. However, searching for “SPK-HCE review” on Google returned 1660 results, of which the third goes to ZDNet, in fact, the Google summary says “Get the full unbiased review of SPK-HCESPK-HCE at ZDNet Reviews. Each review comes complete with video or image galleries, Camcorder Waterhousing …”. Bullshit! Click on the link, and land here (click for full-size version):

So…you are showing me ZERO ratings, and ZERO reviews, but at least a dozen links to online stores where I can’t even buy this accessory, but a whole different camera!! Google: you suck, you cannot tell SEO-laden pages apart from good review sites, and ZDNet: you suck too, for polluting the Internet with shitty useless content designed to fool users and drive revenue.

Had to buy a new DECT cordless phone today, as the kids finally managed to bust the only remaining good unit in the house – so I went shopping for a Siemens, as they have proven to be the most trustworthy and abuse-taking phones. This is the one I got, thinking how nice it would be to use the built-in Bluetooth to sync my agenda and use a headset for long calls:

Or so claimed the blurb, soon to be proven wrong. First attempt, sync my Mac’s address book, should be easy enough. The phone supports exchange of files in vCard format, but it failed to actually receive any, it just sat for ages with a ‘Transferring data’ message on the screen, until it bombed with not even an error message. Sending from the phone to the Mac failed equally well.

I then tried to pair my Jawbone headset with the phone, which was mostly uneventful (although it took two tries to get the headset into the preferred devices list). Dial a number. Press the call button on the headset so that it takes over. Watch nothing happen. Attempt to pick up an incoming call by pressing the headset button – fail again.

So off I went to the Bluetooth SIG to check the PICS on this piece of crap, and lo and behold, there it was – the SL560 supports Bluetooth 1.2, which in itself should not be a problem, if the right profiles are supported (and correctly implemented of course!). This is where things turn south, on the audio side, the phone only supports the Audio Gateway (AG) role, which is confusing to many headsets out there, which expect either a handsfree or headset profile to be available. Headset (HS) is specifically NOT supported on the SL560. Thus, expect many headsets to fail talking to this phone.

On the data front it doesn’t fare much better, with object push client and server supported, but only the basic requisites are implemented, being information on supported content, authentication and PIN exchange, object push, and vCard 2.1 format. Nothing else like business card exchange, or calendaring formats are supported. I have to try sending a contact from a Windows PC, as it wouldn’t be the first time Apple implements something in funny ways (maybe OS X supports vCard 0.1 Beta, who knows!).

Conclusion? This phone is going back to the shop tomorrow, and I’ll be getting a less fancy, more standard Siemens. Bluetooth SIG, it’s about time you start policing manufacturers with some degree of accountability, not merely watching the compliance reports come in. I can certify my Bluetooth device with just one test rig, and not test it with any real-world device, and still claim it is Bluetooth compliant, and I know from experience that such a device is bound to fail.

I wrote before about the Logitech MX5000 Bluetooth keyboard & mouse combo, and there are plenty of posts around the web that confirm that the product sucks – badly.

To recap a bit, the problems are random reboots of the keyboard, disconnections of keyboard and mouse, erratic mouse behavior (including spontaneous motion of the cursor), and repeated keystrokes after the keyboard has not been used for a few minutes (resulting in things like “aaaaaaaafter the news…”). In all, a very frustrating and annoying experience, for a rather expensive combo. Logitech seem to acknowledge the problem, but I have not yet seen any form of update that could fix this, and my theory is that the problem cannot be fixed with a simple software update.

Declaring the keyboard and mouse defunct, I performed an autopsy, which revealed a few interesting facts (details after the jump):

• The Bluetooth dongle has a very very strange RF design – it uses a normal groundplane meander PCB antenna, but then it has a copper-wire loop antenna on top.
• Dongle and keyboard use Bluetooth chipsets from different manufacturers (CSR and Broadcom), in theory interoperable, in reality…well.
• The touchpad uses a very crappy sensor design, which explains the lack of responsiveness and uselesness of the scrolling controls.

Let’s start with the dongle. Below are a couple of photos of the opened device, the first with the loop antenna in place, the second with it removed, showing the meander. If someone with better RF knowledge than me can explain why this makes sense, I would be grateful. The design of the loop itself is wrong for 2.4GHz, having a wire length about 10 times larger than what would be required given its size.

Read the rest of this entry »

It will not surprise some people, but after the online newspaper El Mundo, the most read online news source in Spain, ran a poll to rank the best and worst  companies of 2006, FON came as the winner in the ‘worst’ category (scroll down a bit, about half way down). With comments such as ‘a project with no future’ and ‘hot air’, readers gave enough bad marks to put FON in the spot. The poll was open, so people could vote for any company they wanted, there was no shortlist or closed options.

I have been very critic with FON in the past, and I have also been accused of all sorts of things in relation to the criticism, but I know there are a lot of people out there upset with the way things have been running. They have had many chances to fix their problems, it’s not that hard to implement a decent customer service, or to fulfill orders in reasonable time, it just takes good management and a competent team. I am sure there are many very competent people at FON, who work really hard every day to make things happen, but their efforts have sadly not transpired.

As for the picture, I hope it doesn’t offend anyone, but since there was no response by Martin to my comments on his blog after his acid post, or after reporting the vulnerability in their maps service, I don’t have any moral issue about making fun of FON (no pun intended…well…sort of).

Leaving aside regulatory issues that may turn this particular setup into an illegal operation, I will better not describe the quality of the installation to be polite. Check out this picture:

Spotted the problem yet? Radio antennas are affected by any element that is present around them, even non-metallic elements, such as the ground. In this particular case, kanijo, a Fonero, has attempted to provide more “range” to his FON hotspot, which is in itself commendable, however, the means may not result in the desired end – original FON forum thread here.

You can see that the vertical omni antenna, a carefully tuned radiating element, has been strapped to a metallic pole, which also runs a coaxial cable into a TV antenna right on top. The router is inside a sealed plastic box, with power and Ethernet going into it from below. There is no way that this antenna is radiating correctly, as the pole that supports it is probably grounded (if it has been installed according to regulations), and even if it is not, it is inducing an imbalance into the tuned element, causing a large amount of RF to be attenuated. The user reports good results with it, which are most likely due to good luck.

The second problem with this type of setup is that vertical antennas don’t emit downwards, and thus will provide very limited coverage to users below the antenna. There is some downwards bleed of course, but it will only reach lower users that are some distance away from the antenna.

Recommendations for these sort of setups: install the antenna right at the top of its own pole, and ground the pole. If you have no choice but to use an existing pole, get a T arm fitting and mount the antenna at least 1 meter (3 feet) away from the pole. A perfect example of such as setup, in this case with two supports as the antenna is rather large and care for wind load is needed, is this (credit to Roger Halstead):

Check out Roger’s page, it is a very good read if you are interested in radio installations.

Went to my local Vodafone store to pick up the new Huawei E220 HSDPA USB modem, which with a 49 Euro monthly contract gives you 1GB of transfer at 1Mbps maximum, and free mobile to fixed landline calls – pretty good deal if you ask me. For 59 Euro you get 5GB of transfer, at the full 3.8Mbps that HSDPA offers. These are theoretical rates, as they will depend on a number of factors, such as how many people are also using the same cell, your coverage and the quality of the link.
We can argue all we want about how convenient WiFi is, being omnipresent et al, but in reality, it’s rather hard to get connected while on the road. Let’s examine the following scenarios, and you tell me the chances of getting connected over WiFi:

• Riding the train or bus home.
• Getting a lift from a friend in his/her car.
• Opening your laptop at a random location (cafeteria, bar, etc. that you haven’t before scouted for open WiFi).
• On a plane, waiting for the next free takeoff slot that you hope the pilot won’t miss because he was checking the fatness of his wallet.

Let’s be honest – free open WiFi is great once you have identified the locations where you can get connected, such as a friend’s house or the local coffee shop. Other solid commercial alternatives make it easier to find WiFi, as they tend to be present at well-known locations. Walk into any Starbucks or hotel, and you’re bound to find at least for-pay wireless.
For me, on the 30 minutes to 1 hour it takes to get home on the train or bus, being able to get connected is great. The convenience of simply opening the Mac and getting online beats the guesswork of WiFi. I tried getting the Mac working with my Nokia N93 over Bluetooth, but it was just too unstable – one day it worked, the next simply refused to even connect. A more in-depth review of the device is coming, once I get a chance to roam about with it for a while.

So far, installation on the Mac was pretty straightforward, download the setup package from Vodafone’s site (they don’t tell you this in the manual), which then enables the modem as a networking device. If you don’t follow this step, it can get recognized as a storage device, which is not particularly useful for a modem. The one thing I don’t understand is why it comes with a miniUSB cable that ends in two USB connectors, my guess is it’s power-related (some USB ports don’t provide the full 500mA they are supposed to provide).

Yesterday, I posted a few pictures of the opened Fonera, with a few initial views on the device. When I tried to plug it in, it failed to work, only the power LED lighting up. Neither the WiFi signal was coming up, nor the ethernet port was tickling the switch.

The only course of action? To open it up even more. So, the aluminium chassis came off, and that’s when I realized I had seen this before. The WiFi section, which includes the Atheros AR2315, crystal, filters, power amplifiers and ancilliary circuitry are housed inside this casing, and correspond to a reference design provided most likely by Atheros themselves. Check out the Meraki Mini router. For reference, I provide a side-by-side picture below (click for large image).

This is further confirmed by looking closely at the Atheros website section on the AR2315, where we find the following picture:

There is nothing wrong with using reference designs per se, as it is the fastest and easiest way to bring a product to market. If you don’t need to customize your design much, simply use what the manufacturer suggests, and you will be playing on the safe side. A perfect example is Bluetooth headsets, where CSR dominates the market. Virtually all headsets in the market use their reference design, with very little changes between them, other than physical placement of LEDs and buttons.

Block-by-block, here is an overview of the Fonera.

Power

Power is supplied to the Fonera via jack SK1, and is fed through a rapid fuse (Polychem type) to a simple drop-down regulator, which drops voltage from around 5V (4.85V as measured on the wall power supply, using a Fluke 179 multimeter) to 3.3V. The regulator appears to be an AME1117 (though the package markings read AME117), in its CCCT configuration, TO-252 form factor. The regulator is stabilized using three electrolyic capacitors. In these types of regulators, ESR (equivalent series resistance) of the input decoupling capacitors is very important, and this can usually be controlled nicely with tantalum capacitors. These are very expensive compared to electrolytic, however.

There is a second stage of regulation, this time done by an Anpec APL1117, which further drops the voltage to 2.5V. This supply appears to be used by the wireless subsection. Two ceramic capacitors stabilize the regulator.

Without the Atheros chip in place, the PCB drew 90mA at 5V, or 450mW. Since the device was not functioning, the total supply current with WiFi active could not be determined.

Memory

Two memory ICs are available on the Fonera, the first is an ST M25P64 serial flash, with a 50MHz SPI bus and 64Mbit capacity (8MB), in 300mil SO16 format. The fact that SPI has been chosen has the advantage that extra memory devices could be attached to the bus, but it has the caveat that it is slower than a parallel bus. Thus, flashing a new firmware could take a rather long time. Interestingly, there are two footprints on the PCB, presumably to fit a different size and format memory IC, one SO16 and one SO8.
The second memory IC is a Hynix HY57V281620E synchronous DRAM, with a capacity of 128Mbit organized in 16bit blocks. In practice, this results in 16MB of RAM available to the processor.

Ethernet

At the heart of the wired ethernet subsystem is an Altima AC101 ethernet transceiver, capable of 10/100 full duplex operation. The IC is placed on the bottom layer of the PCB, and runs off a 25MHz crystal, strangely placed next to the main power regulator, where it could absorb electrical noise. Usually, crystals are placed well away from sources of interference. Nothing else too exciting here, the transceiver is connected to a standard RJ45 socket, TP1.

Wireless

The wireless section is the most interesting. This is where the Atheros AR2315 single-chip WiFi processor lives. Little public information is available about this or any other Atheros chipset, so it is hard to figure out exactly how it is put in place, but a few details are clear.

First, the chip gets hot. This is why a double heat-conductive adhesive tape bonds the surface to the metal cover, and in turn to the heatsink placed on top. The processor runs from a 40MHz clock source. After the Atheros core, come a couple of filters, and a power amplifier stage. This then runs off to the two antenna tracks. The first antenna exits the aluminium cage and runs up to a test connector. This connector breaks the antenna track when the right mating plug is inserted, which is then fed into a dedicated RF analyzer, which validates that the device is within constraints.

After the antenna test point, there is a split, which can be configured using a zero-ohm resistor, to run to an internal solder pad, or to a PCB-mounted right-angle SMA connector. It is unclear why they chose to use the solder pad, as an in-place soldered connector needs less handling than soldering a pigtail by hand. Besides, my intuition tells me the losses would be lower – I will test this when I get a working Fonera. Both tracks run through an impedance matching network, consisting of two capacitors to ground from the RF track, and an inductor between the capacitors . The purpose if this small circuit is to get the impedance of the PCB track as close to 50 ohms as possible. If the track impedance is mismatched to the antenna, losses take place.

The second antenna runs straight to a PCB pad, where a pigtail may be soldered, also passing a matching network. Below is a picture showing the details of this subsection.

Interfaces

There are two IDC-style connectors on the PCB, one 2×5, and one 2×7 but unpopulated. The 2×5 looks like a serial connector, as only power, ground and two tracks lead out from it. The layout has to be studied in more detail to confirm this assumption.
It can be speculated that this is in fact a serial port, but without the AR2315 pinout, this cannot be determined for sure. The 2×7 header seems to be a JTAG interface, possibly compliant with MIPS EJTAG 2.6. The mapping of the header pins to the AR2315 BGA balls is shown below (thanks for adding a row/column silkscreen for the Atheros chip, and thanks to the OpenWRT project wiki for the JTAG information!):

Between the Ethernet jack and the empty SMA footprint, there is a footprint of 6-way header, which needs a bit more study to determine where it leads internally [I will update the post when I find out --Mike].

Conclusion

This is a very compact and simple WiFi router, designed not for being easy to hack, but for lowest cost. The cheap power regulator, use of large SMDs and choice of pigtail rather than board-mounted SMA connector point in this direction. There is only one port which could be used for something useful, if it is indeed a serial port, the only two GPIOs available being the WLAN and Ethernet LEDs – as long as the Ethernet LED is not controlled by the Altima but by the Atheros. The power LED is on as long as there is power applied to the device, so there is no control over this by the Atheros processor. Power consumption is a bit high, considering the wireless device was not present. The PCB layout is very professional, except in a few particular cases such as the large crystal, but overall, quite nice.

In all, a very small device which could have a lot of potential, had it not been for its lack of I/O. It is unclear whether the router will accept custom firmware, as there are rumors that an encryption & signature system is used. The Fonera is probably OK for regular use by Foneros, but it does not have the hackable edge of the Linksys WRT54Gx. The only suprise could come from the edge connector, as of yet of unknown usefulness.

References

Atheros AR2315 chipset website section and product brief.

Altima AC101 ethernet transceiver.

ST M25P64 serial flash.

Hynix HY57V281620E synchronous DRAM.

AME1117 regulator.

Anpec APL1117 regulator.

After a few days of silence, digesting the hubbub created by my analysis of Fon’s status, I’ve put my head back into more useful things than answering hate mail and out-of-line comments (thanks to those who provided balanced views, either for or against!). So, I decided to open a Fonera and see what lives inside.

A full review is coming, but first impressions:

• The plastic casing looks and feels very nice, the molds must have been expensive, as the different parts mate very well.
• Inside lives a single PCB, with components on both sides. The top holds the bulkier components, such as power regulator, RAM and WiFi section, inside an aluminium RF shield.
• The PCB looks professional and well laid out on first inspection.
• Components used (I haven’t opened the aluminium chassis yet) are older SOIC and TSSOP, thus cheaper to handle and solder. Balled components require from special handling, such as baking in hydrogen for 24 hours to dry them before soldering, etc.

Here are some pics (click each photo for bigger views on Flickr) I have taken with a Nokia N93 (really nice phone btw, mini-review coming):

The underside of the case, with screws off.

Perspective view of the top PCB.

Bottom side of the PCB.

Sticker on the flash IC showing the firmware version.

Finally, after months and months of hype and excitement, AllPeers launched. In Beta of course, lest it not be considered a Web 2.0 company.

Me and a friend installed the FireFox plugin, and fired it up. To start with, the buddy search mechanism is terrible. I actually typed my friend’s name, got a result, and added it to my roster – turns out it wasn’t even his profile. You cannot see details about the search results, which is a problem. With Skype, for example, sometimes you can turn up a dozen of hits on a buddy search, but at least you can get an idea of who is behind each result.

Once added a friend, it was time to share some files. I added a couple to my shared folder, and the files showed up there. My friend could not see them. I refreshed, and the files dissapeared. By the time I ended the test and decided to remove the plugin, I still hadn’t managed to get the files to stay put. My friend shared one file. It showed up twice on my screen (?!). The actual download of the file went well, but after that, the files also dissapeared from his screen.
There are a lot of bugs as it stands – at one stage, I had a buddy selected, but the screen showed “When ABC shares some files, you will see them here”, where ABC was my nickname. When I removed a buddy from my list, I could still see his shared files until I changed the folder view!
Frankly, platforms such as Pando work much better in terms of stability and ease of use. I am sure AllPeers will eventually iron out the issues, but right now, the service is a non-starter. This post also talks about the system being built upon a bug in FireFox, which when fixed will kill its ability to work as a P2P endpoint – any confirmation on this?

I have just returned from a vacation, interluded by a couple of trips – one of them to DEFCON, the world’s largest hacker conference. This year, it ran at the Riviera hotel and casino in Las Vegas at the beginning of august.

There was plenty to see and do, from conferences as interesting as war-rocketing to an insight into the US-VISIT program, and it’s plans to implement RFID tags into the green visa waivers, or the 2D barcode receipts given out at airports.

I participated in the wardriving events, organised by Thorn, and which consisted of the Running Man and Fox Hunt competitions. Our team was led by Renderman, and we had some backup that put up some noise (fake APs, floods, etc.) to make the contest more interesting.

The Running Man started well, but unfortunately the other team tripped casino security by walking past their booth with a magmount omni antenna on each shoulder, a laptop, several WiFi cards dangling from their belts, a YellowJacket, and other gear – apparently, the IT guys freaked out, and they wanted the contest shut down. After the intervention of Ross and Priest, we were allowed to carry on, but limiting the search area to the venue, and not the whole casino. After the contest resumed, we found the Running Man in around 15 minutes, and won!

The second contest, Fox Hunt, consisted of a hidden WRT54G that was only on for 15 seconds every minute. One was supposed to locate the fox, connect to it, and change the SSID after brute-forcing admin account. 15 seconds to do all that is not a lot! So, our plan was to locate the fox….and make a run with it to a safe place, so we could kill the 15 second timer circuit, reduce the amount of RF leaking out and have a go at changing the SSID. The first part of the plan went well, but then the other team got slightly miffed, called Thorn, who in turn called us to go back to the contest table with the WRT so the other team could also have a go at it.

Interestingly, Thorn had taped the admin password to the bottom of the router, but neither team noticed it! In fact, the other team ended up brute-forcing the AP and changing the SSID. We contested that since when we removed and reapplied power to the AP, the SSID went back to its default, we had in fact won, but Thorn wasn’t having any of it. The contest was a tie, which was decided by the question “Who owns the OID 00:00:00?”, the answer to which is Xerox. We got it wrong, and so we lost. Next year we will be better prepared for sure.

Here are a few pictures from the event:

Thorn and Renderman giving their presentation on the Church of Wifi, with CoWPatty, the WPA rainbow table generator, and the WRT54G mods, which included my WaRThog.

The war-rocketing guys, and their awsome rocket. I wonder how they got that thing past airport security.

The WaRThog on the left, with two more of CoWF’s modified WRT54Gs.

If you used DEFCON’s wireless network to check your email, access your corporate network, etc., but didn’t use any form of security (VPN, SSH…), you are bound to be in the Wall of Sheep. It displays captured user names, passwords, domains and access methods – I actually had the two colleagues travelling with me show up here, even though I told them to not even open their laptops while at the con.

See you next year!