hack on irq5 test

Custom Firmware for the Xiaomi AX3600 Wireless Router

Mon, 10 Aug 2020 23:53:00 +0000

As I have mentioned in the review, the stock firmware on the Xiaomi AX3600 wireless router is extremely limiting. On top of that, the firmware is also locked to install only authorized updates from the manufacturer. If you have been following the blog, you will know that I like the flexibility that ASUSWRT provides for customizing my router.

While there is currently an on-going effort to try and port vanilla OpenWRT for this router, I suspect that might take some time. In this post, I describe how to workaround the lousy firmware and configure the router with the advanced features I need.

Router Disassembly

It is recommended to have UART access handy, in case something bad happens and you need to recover your router, or if you want access to U-Boot, the bootloader. This would require you to crack open your router, so you might only want to do this if necessary. Feel free to skip this section if you are not interested in the hardware, or don’t need low-level access.

You need to unscrew 5 screws, 4 of which are hidden under the rubber feet, and one under the center sticker label. In the disassembled top view photo here, you can see the screw holes at the corners, as well as a missing chunk in the center of the heatsink for the mating screw post, directly aligned with the AIoT antenna and indicator LEDs.

Extending ASUSWRT Functionality, Part 2

Fri, 28 Dec 2018 00:11:00 +0000

Following up from my earlier post, Asus has released faster and beefier routers. But perhaps the more important change here is that they have moved from MIPS in the RT-N56U to ARM in newer routers. I have also upgraded to the RT-AC68U for better reception and hopefully to fix the poor battery life experienced by my Android tablet.

After upgrading, I noticed that the method I described back then no longer works. Someone also noticed this, as they translated key portions of my post into Chinese, while pointing out some of the steps that didn’t work.

In this post, I’ll summarize the key changes required to get it working again.

Decoding BCARD Conference Badges

Sat, 13 Apr 2013 01:28:00 +0000

Last month, I had the opportunity to fly halfway around the world to attend RSA Conference 2013. Everyone was given a lanyard and badge which contains your information entered during registration. When you visit booths, they can then scan your badge to collect your information and follow up by sending you spam.

The scanner varies across different booths, but mostly it’s an Android device that ran a custom software. Since it had a large NXP logo, let’s try to read it with the NFC TagInfo app. Looks like the tag identifies itself as a NDEF message but the data is gibberish.

Hacking Functionality into ASUSWRT Routers

Mon, 10 Dec 2012 00:10:00 +0000

This weekend, I spent some time to replace my aged Linksys WRT54G wireless router, which is running DD-WRT. The WRT54G is slow by today’s wireless standards and since I sync my iOS devices wirelessly, the speed was getting quite unbearable. When I bought my Macbook Pro in 2007, it already has draft 802.11n support and fast-forward to 2012, my iPad (1st generation) and iPhone 5 both support the 5GHz band.

The ASUS RT-N56U wireless router ranks up there on wireless performance, and the “feature” I was really after was a router that can run an alternative firmware such as Tomato or DD-WRT. The really good news is, I figured out how to get the functionality I wanted while still using the official ASUS firmware.

For proper reviews and better photos, you might want to check out these other reviews:

SmallNetBuilder: ASUS RT-N56U Black Diamond Dual-Band Gigabit Wireless-N Router Reviewed
FoxNetwork: ASUS RT-N56U or hardware NAT acceleration
(I quite like their professionally taken product photos and their reverse-engineering work)

Read on to find my short review, as well as how you can run your own programs on the router without using a third-party firmware.

Mac Battery Firmware Hacking

Sun, 20 Nov 2011 16:36:00 +0000

[youtube=http://www.youtube.com/watch?v=bc1EU5GTbLE] Charlie Miller reverse engineers the Mac battery firmware updater, sniffs battery communications on the SMBus, writes an IDA processor plugin (in IDAPython) for the CoolRISC 816 processor in the bq20z80, and mucks around with the its firmware. All the source code and presentation materials are provided. [via Dangerous Prototypes]

Enable iOS 5 Multitasking Gestures on iPad 1

Sun, 16 Oct 2011 22:29:00 +0000

Now that iOS 5 has been released, it’s easy to enable multitasking gestures on the iPad 1, using the same trick as before for display mirroring. Edit the /System/Library/CoreServices/Springboard.app/K48AP.plist file and add a boolean key multitasking-gestures in the capabilities dict, and set its value to true. You can add both display mirroring and multitasking gestures to the iPad 1 using this method. That’s it! Alternatively you can use Cydia or redsn0w to do this for you.

Apple's RAOP is Cracked

Mon, 11 Apr 2011 23:34:00 +0000

For a long time now, apps can stream high-quality audio to an Airport Express or an Apple TV using the RAOP protocol. However, the reverse cannot be done due to the fact that the protocol uses asymmetric encryption, which means the private key is baked into the firmware of the Apple (or Apple-licensed) device. Finally, someone has done something about it. James Laird dumped the ROM of his Airport Express and extracted the private key.

Removing read-only protection from MS Word

Wed, 04 Aug 2010 21:02:00 +0000

Recently I needed to fill up some form for submission, in soft copy. The template file provided was a MS Word document, but for some really stupid reason it was marked read-only. When I tried to edit the document, this helpful sidebar appeared.

When I clicked the “Stop protection” button I was prompted for a password. I didn’t want to waste time trying to recreate this whole form, nor do I wish to hand-write it.

Reverse-engineering the Clicker

Tue, 06 Jul 2010 16:51:00 +0000

A few semesters back, our school started trial runs to use these “clickers” as well. At that time I was thinking of cracking it open to see what makes it tick, as well as evil plans like trying to impersonate other clickers or sniffing what other people’s responses were. I only managed to peel back a bit of the plastic in front, but since the clicker was brand-new and I had to return it in a good condition, I didn’t dare to proceed any further than that.