The iPhone and its security protocols


We all know that Apple has backdoors installed in iPhone devices, which it uses to spy on users remotely. It is common knowledge by now that remote surveillance software is widespread in Italy too, and for that we can thank Hacking Team's incompetence in protecting its own emails. Coming back to Apple, the main obstacle to discovering the backdoors is bypassing its security protocols, about which nothing is known even unofficially. This is what sets Apple apart from everyone else: its security is high precisely because nothing compromising leaks from its offices, and when vulnerabilities are found in its software it manages to respond promptly; after all, it produces new devices with an updated iOS within a few months. So that is Apple.


If we turn our attention to the iPhone, say from the 4S onward, doing anything at all becomes harder. Only by jailbreaking can we install unofficial and, above all, free applications. That said, even with a jailbreak one may not manage to work out how Apple spies on its own devices, but since we know that it does, it is not difficult to formulate a realistic thesis about its modus operandi, so let me explain it.

Let's start by analysing the official sources: TCP and UDP ports used by Apple software products.

On that page you will find the ports Apple officially declares it uses. At this point you might say, well, that means it has no backdoors, but that is not true; rather, it is a perfect cover, which is then confirmed when you try to look for the backdoors in the iPhone's file system after downloading the terminal from Cydia, but it is impossible to get at them anyway.

The reason they cannot be seen is the lack of information needed to hack their security protocols, and the few times vulnerabilities have been found Apple has always reacted quickly:

By now you have understood that your device is controlled remotely, and above all in a way similar to what BlackBerry did in its golden days. Here is the demonstration:

Re: Fw: Fwd: [Analytical & Intelligence Comments] RE: Above the Tearline:BlackBerry Security

from: [email protected]

to: [email protected], [email protected]

Fascinating and supports my suspicion that all blackberry is doing is
“controlling the entire channel” and there is nothing special here. I can
defeat the Saudis just as easily with an iPhone and a SSL certificate for
my mail server.

Windows Mobile phones, android phones, and iPhones can use ActiveSync
protocol, which uses 128bit or 256bit AES encryption from device to server
via SSL (over port 80). The different devices vary on their support for
256bit AES (some purposely don’t because it makes things slower).

In other words depending on the devices chosen you can achieve an EQUAL
level of security with a non-blackberry phone. And as an extra positive
you have the keys, not blackberry.

It looks like the iPhone 4 is using 256bit AES, but that’s really
irrelevant, even governments cannot crack 128bit AES over SSL. Without
some sort of exploit it would still take every computer on the planet a
long time working together. NIST still stands behind the AES algorithm.

–Mike

What is AES?

AES is based on a design principle known as a substitution-permutation network, combination of both substitution and permutation, and is fast in both software and hardware.[10] Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.

AES operates on a 4×4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. Most AES calculations are done in a special finite field.

The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The number of cycles of repetition are as follows:

  • 10 cycles of repetition for 128-bit keys.
  • 12 cycles of repetition for 192-bit keys.
  • 14 cycles of repetition for 256-bit keys.

Each round consists of several processing steps, each containing four similar but different stages, including one that depends on the encryption key itself. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.

So the iPhone is characterised by protocols that are inaccessible to us “mere mortals”, given that the AES protocol was officially adopted by the US federal government in 2002. There were, however, vulnerability problems in their protocol in 2014, as reported in this article taken from The Hacker News:

Just two days before Apple has disclosed a critical Security flaw in the SSL implementation on the iOS software that would allow man-in-the-middle attacks to intercept the SSL data by spoofing SSL servers.
Dubbed as CVE-2014-1266, the so-called ‘goto fail;’ vulnerability in which the secure transport failed to validate the authenticity of the connection has left millions of Apple users vulnerable to Hackers and Spy Agencies, especially like the NSA.

In conclusion, it is possible to learn what data is stolen from the devices only through a man-in-the-middle attack, and this confirms Apple's reputation as “secure”.
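The ‘goto fail;’ pattern named in the quoted article, shown as an added example beside a hardened form; this is a simplified model written for this page, not Apple's source code. The function names, the toy hash and the sample strings are all hypothetical and constructed for illustration.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the handshake hash and the signature check.
   Both return 0 on success and non-zero on error. */
static int hash_update(unsigned *h, const char *data)
{
    for (; *data; data++)
        *h = *h * 31u + (unsigned char)*data;
    return 0;
}

static int sig_verify(unsigned h, unsigned signature)
{
    return h == signature ? 0 : -1;
}

/* The value an honest server would sign over the three handshake inputs. */
unsigned toy_sign(const char *cr, const char *sr, const char *params)
{
    unsigned h = 17;
    hash_update(&h, cr);
    hash_update(&h, sr);
    hash_update(&h, params);
    return h;
}

/* Vulnerable shape: the second "goto fail;" is not governed by the if above
   it, so it always runs. The signature check is skipped and err still holds
   0 from the last successful hash_update, so the caller sees "verified". */
int verify_vulnerable(const char *cr, const char *sr, const char *params,
                      unsigned signature)
{
    int err;
    unsigned h = 17;

    if ((err = hash_update(&h, cr)) != 0)
        goto fail;
    if ((err = hash_update(&h, sr)) != 0)
        goto fail;
    if ((err = hash_update(&h, params)) != 0)
        goto fail;
        goto fail;                      /* the duplicated line */
    err = sig_verify(h, signature);     /* never reached */
fail:
    return err;
}

/* Hardened shape: braces on every branch, and the result starts as failure
   and becomes success only after the signature check has actually passed. */
int verify_fixed(const char *cr, const char *sr, const char *params,
                 unsigned signature)
{
    int result = -1;
    unsigned h = 17;

    if (hash_update(&h, cr) != 0)       { goto done; }
    if (hash_update(&h, sr) != 0)       { goto done; }
    if (hash_update(&h, params) != 0)   { goto done; }
    if (sig_verify(h, signature) != 0)  { goto done; }
    result = 0;
done:
    return result;
}

int main(void)
{
    /* Constructed sample values. */
    unsigned good = toy_sign("client", "server", "dh-params");
    unsigned bad = good ^ 1u;

    printf("fixed, good signature:      %d\n",
           verify_fixed("client", "server", "dh-params", good));
    printf("fixed, bad signature:       %d\n",
           verify_fixed("client", "server", "dh-params", bad));
    printf("vulnerable, bad signature:  %d\n",
           verify_vulnerable("client", "server", "dh-params", bad));
    return 0;
}
```

Compilers that support `-Wunreachable-code` or `-Wmisleading-indentation` flag the duplicated line, which is why those warnings are worth enabling in builds of security-critical code.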

FT232RL USB Serial sound card hack

Did you know that you can play sound using a USB to UART/serial converter, with just an FT232RL USB-serial adapter and an external speaker with amplifier?
Let’s take a look at the software side first. The basic idea is to send bytes purposely crafted to create some sort of PWM.
So we have 8 bits in each byte sent, which means 8 levels; kinda crappy if you like hi-fi sound, but that’s obviously not the purpose of this hack.

So the easiest way is to send these bytes for each level

Level Bits
-4 00000000
-3 10000000
-2 11000000
-1 11100000
0 11110000
1 11111000
2 11111100
3 11111110
4 11111111

A simple Python script with pyserial can easily do it, by taking bytes from stdin, coming from a raw mono s8 PCM file, and sending them to the USB-serial adapter

To create the raw file use the following command:

The 58000 sample rate value was obtained experimentally by looking at the script output to see how many bytes/sec are actually sent

To play it:

Connect the GND pin of the serial converter to the ground of the amplifier cable, and the TX pin to the signal pin.

If you get strange interference because your amplifier is class D and is not filtered, you need to add a low-pass filter with a cutoff frequency of 22 kHz

Result:

Thanks to Valerio “Gurzo” Morgante ( latanadelgurzo.blogspot.it ), who was working on doing the opposite ( emulating a serial port using a sound card ) and gave me the idea of obtaining sound output using an inexpensive FT232RL USB-serial adapter

Installing CyanogenMod 12.1 on the Mediacom MP10S4

Let me say right away that this ROM is largely based on the work of crewrktablets, plus some changes I made to adapt it to the MP10S4 smartpad, which is a 10-inch device.

Also, as always: I am not responsible for any tablets turned into something useful like a chopping board or an iPad ( meaning a bricked tablet )

With that said, let's get to the point. To install CyanogenMod 12.1 on this tablet we need a Linux system or a Windows XP or 7 system.

Windows 8, 8.1 and 10 are not supported, because of a bug in the USB stack of those operating systems.

Before doing anything, save any photos or other data to your PC: this procedure DELETES ALL DATA ON THE DEVICE, NOT EVEN THE FBI COULD RECOVER IT

Update 6 March 2016: New system.img https://drive.google.com/file/d/0B9QKN6BD1yJeRFhXTzVIS2FoaEU/view?usp=sharing
Fixes: corrected the initial screen rotation, set the correct density, added Open GApps to fix the Play Store crash, expanded the system filesystem to cover the entire partition.

Anyone who wants to install it without wiping should run only the command that flashes system.img, without performing the format

Currently not working:

  • Email application

This procedure also adds the Play Store.


Linux

  1. Download the official Rockchip flash utilities for Linux: https://drive.google.com/file/d/0B9QKN6BD1yJeSkFDUmF0NFZ6WG8/view?usp=sharing
  2. Download the ROM files: https://drive.google.com/file/d/0B9QKN6BD1yJeTm5PRWxvT0xIUDQ/view?usp=sharing
  3. Fully charge the tablet and put it in bootloader mode.
  4. To put it in bootloader mode, with the tablet switched off and disconnected from both the charger and USB, press the [volume +] key and, without releasing it, plug in a USB cable connected to your PC.
  5. Perform the low-level format ( all commands must be run from inside the Linux_Upgrade_Tool_v1.2 folder ):
    sudo ./upgrade_tool lf
  6. Flash the various files
  7. Disconnect the USB cable and hold the power button for 20 seconds, or less if penguins appear on the screen ( I am not joking: 4 penguins, the Linux logo, really do appear ). If they do not appear, after the 20 seconds release the button, then press it again and release it as soon as they appear.
  8. At this point you should be in the classic ClockworkMod recovery. From the recovery, perform the factory reset ( wipe data ), which in this case is not needed to erase data but only to create the filesystems for /data and /cache.
  9. Once that is done, select reboot and answer No to any questions; the tablet should restart
  10. The first boot will take several minutes, after which everything should be working. If the touchscreen gives problems, turn the screen off and on again with the power button a couple of times.

Windows

  1. Download RKDevelopTool and the ROM files: https://drive.google.com/file/d/0B9QKN6BD1yJeUTNvbGcwQXhkYkU/view?usp=sharing
  2. Inside the Rockchip_Driver_Installer folder, run DriverInstall.exe and click Install Driver. You will be asked whether the source of the drivers is trusted; always answer yes.
  3. Fully charge the tablet and put it in bootloader mode.
  4. To put it in bootloader mode, with the tablet switched off and disconnected from both the charger and USB, press the [volume +] key and, without releasing it, plug in a USB cable connected to your PC.
  5. Inside RKDevelopTool_v1.37, run RKAndroidTool.exe
  6. Untick the green row labelled Loader
  7. Click Erase IDB to perform the low-level format
  8. Click Run and wait for the operation to finish
  9. When the operation finishes, the tablet should go into recovery by itself
  10. At this point you should be in the classic ClockworkMod recovery. From the recovery, perform the factory reset ( wipe data ), which in this case is not needed to erase data but only to create the filesystems for /data and /cache.
  11. Once that is done, select reboot and answer No to any questions; the tablet should restart
  12. The first boot will take several minutes, after which everything should be working. If the touchscreen gives problems, turn the screen off and on again with the power button a couple of times.

Additional notes

  • I changed the partitions to have 12 GB on /data, so if you perform a factory reset, documents and photos in the internal memory will be lost too.
  • There are currently some display glitches in the battery charging icon shown when the tablet is off, but the tablet charges anyway
  • Getting into recovery on these tablets is very difficult. What I recommend, instead of the classic pressing of Volume+ and Power together, is to press volume+ and plug in the charger cable while holding volume+ ( not the USB cable, the charger cable, the one with the jack )

In case of hard brick

In the unfortunate event of a hard brick, write to me in the comments and we will see together how to fix it ( generally RK3188 tablets can boot from the microSD card if it holds a valid Rockchip bootloader )

 

 

TP Link WA801ND v3 OpenWRT Install guide

WA801ND v3 Hardware overview

Some weeks ago I successfully ported OpenWRT to the TP-Link TL-WA801ND v3. That access point features 2×2 MIMO, detachable antennas, 32 MBytes of RAM and 4 MBytes of flash.
Like most new TP-Link devices, it is based on a Qualcomm Atheros system on chip ( QCA9533-BL3A ), which integrates the MIPS core, Ethernet switch and Wi-Fi hardware.

Accessing the WA801ND serial port

Out of the box, even though the serial header is present and has the typical TP-Link pinout, it won’t work, because some resistors are missing from the board, namely R105 and R107.

Solder bridge on R105 required to receive data from the serial port
Solder bridge on R107 to allow sending to serial port

The serial port settings are, as usual, 115200 baud, and to enter the U-Boot prompt you have to quickly type “tpl” when it says that it is waiting 1 second.

Installing from the web interface

OpenWRT trunk builds can be installed from the web interface of the original TP-Link firmware.
To do that, download the OpenWRT trunk build for the device: under the ar71xx directory in trunk there should be a file named openwrt-ar71xx-generic-tl-wa801nd-v3-squashfs-factory.bin. Download it, rename it to a.bin ( tested working, but maybe anything works ), and use it to upgrade the access point from the web interface.
Once you have uploaded the file, wait for the device to reboot. When it reboots, currently no LEDs will be lit.
That’s because by default no LED is assigned to anything; maybe I should write a patch to fix that in the future.
To configure it, connect with ssh to 192.168.1.1 ( DHCP should be enabled by default too ), or if you have built an image with LuCI, just navigate to http://192.168.1.1 .

 

How to steal a Facebook profile? All it takes is a bit of social engineering and a little trick


Here we are, boys and girls. If you have reached this article it means you intend to learn how to steal a Facebook profile. Let me state up front that this article only aims to show how insecure our Facebook profiles, emails and passwords are, so I am not responsible for how this technique is used; everyone is free to do what they want with it, weighing the risks.

The first step is to find the user whose profile you want to try to get into:

  1. Find the Facebook user's ID.
  2. Go to the Facebook login page.
  3. Type the ID into the box labelled email and click forgot your password; you will find yourself on the password recovery screen.
  4. Type the Facebook user's ID into the box that appears and click search; you will find yourself on the next screen.
  5. At this point you will have in plain sight the first and last letters of the user's email, as well as the email service they use (Gmail, Yahoo, Tiscali, etc.) and, if you are lucky, also the mobile number associated with the account, though only partially visible. If the email is first name plus surname then you are all set; otherwise you could try to guess it.
  6. Now that you know which email service the user uses, you can send an email with a link attached that points to a fake Facebook login, simply by using that user's Facebook email. Let me explain. Every user has an associated Facebook email, the well-known one that sometimes appears in the profile info, but that is not important, because even if it were not shown it could still be worked out: you just copy the user's ID and add @facebook.com. When you send the email, the user will receive it in the mailbox they created the Facebook account with.

Now, this flaw is not serious, but combined with social engineering it can claim victims. Consider these data:

GMAIL

YAHOO EMAIL:

These data give us valuable indications about how Yahoo and Gmail users may receive the email, at what time of day they use email (Gmail data), whether or not they can receive it on a smartphone, and how the user approaches the different social platforms.

Remember that the more personal information you manage to extract from a user's Facebook account, the more you can personalise the email so that the probability that the user opens it goes up.

Now let's analyse the data stolen from the dating site Ashley Madison:

we find, as percentages, how many users used the various email services:

In the top three we find Gmail, Hotmail and Yahoo. As reported in this article on Gmail and Yahoo, it is possible to understand how a user may be more vulnerable to some types of email than to others, whereas for Hotmail I did not find statistics. The use of Outlook is surprising, a sign that Windows Phone smartphones are spreading, so watch out, Outlook users (the service is fairly insecure).

In conclusion, any Facebook user can be subjected to phishing emails without noticing anything: it is enough to study their Facebook account and extract some information from friends and relatives (remember that it is possible to see the mutual friends of a user we are not friends with and have no relationship with). If you have the bad luck of having a, let's say, “chatty” relative, know that you are at risk of having your account hacked with a phishing email. I would also like to cite this article to help you understand how insecure your identity is: The science of password selection

Ubiquiti Nanostation M5 Loco Repairs

Since very little information is available on repairing the UBNT Nanostation M5 Loco ( probably the same applies to the M2 ), I am going to post here, and keep updating this post with, the main kinds of failure encountered and their eventual repair

To do these repairs, since the board contains big ground planes, you absolutely need to preheat it to at least 120 °C before using a soldering iron or SMD rework station.

UBNT Nanostation loco m5 PCB

Types of failure

PoE shorted, power supply led blinks as a consequence of that

This can be caused by a shorted D5 diode ( look for the big black square diode to the left of the Ethernet port ). Replace it with another one or, if you are in a hurry and willing to take the risk, just remove it.

Ethernet port goes only at 10 Mbit ( but usually won’t work at all even if it says that ) , or no link is detected

This is the trickiest damage. I’ve tried replacing the Ethernet transformer where it was evidently burned ( one winding open ), but even after that I only got from “no link” to “10Mbit”, so either other components are shorted or, in that case, the SoC is damaged and no repair is worth doing.

The nanostation will only go into firmware recovery mode ( 4 leds blinking )

That kind of failure can be caused by a damaged remote reset NPN transistor. Replace or remove ( if you don’t need remote reset ) Q503; you can find it to the right of the reset switch. Beware that this kind of failure can also be caused by a broken switch, so first check with a multimeter that the switch is working properly, and also check that the one on the PoE injector is not broken.

 

High speed photography: popping soap bubble

Have you ever wondered what a bubble looks like while popping? If you think it just “disappears”, you are wrong, and provided you have a decent flash and a camera that allows you to use something like a 10 sec shutter speed, you can take such photos with just a relay module and an Arduino.
The idea for triggering the flash at the right moment is to form an “O” shape with the end of a wire and then use another wire: when the bubble touches the wire, it will briefly conduct some current that can be used to trigger the flash.


But as you can imagine, it’s not that easy to do. The bubble is very thin and will conduct only for a fraction of a second before popping, and its resistance will be around 10 megaohms, so either you need to build a GOOD low-noise amplifier or you can just use the trick I’m going to explain.
If you have some experience with electronics you already know that a wire has a certain capacitance caused by surrounding stuff, with air as the dielectric; otherwise, well, now you do.

To be able to detect the bubble touching both wires at the same time, the trick is to charge the “wire capacitor” to +5V, then switch the pin to high-impedance input and measure how long it takes to discharge through the leakage current of your Arduino.
Since that parameter may vary with each board, wire length, wire insulation and other stuff, you have to find the open-circuit value experimentally.


If you have one, you can also use an SCR instead of the relay, but be sure to add a delay in the Arduino sketch to get the correct timing on the photo ( a relay typically takes 6-15 ms to trigger the flash ).


Below is my setup, with a flash set to the lowest power ( lowest power means shorter duration too, so sharper photos of moving objects ) and triggered by the Arduino with a relay


For these photos I used a SIGMA 70-300mm lens set at f/16 together with a Nikon D40 body with ISO set to 400. The procedure to take a photo goes like this: start the exposure using an IR remote, blow a bubble and make it pop while triggering the flash, wait for the remaining exposure time to finish, and enjoy the result.
Needless to say, you need to do that outside at night, or otherwise in some very dark room.

Now it’s time for some results


Sitecom WL-326 OpenWrt update

Earlier I wrote a post on how to install OpenWrt on that router; now it’s time to start fixing broken stuff, especially the reset button and the USB port, along with the default switch/network configuration.
After some work I’ve managed to reverse engineer the GPIOs of that router. GPIO0 is used for the WPS button on top of the case, which is the only button the router has, so we’ll be using it as the reset/failsafe button.
Also, anyone who has tried installing OpenWrt on that router may have noticed that the USB port has no power. It turns out that GPIO6 is the one which enables the DC-DC converter on the board ( probably they did that to allow resetting the 3G modem without physically removing it from the port ).

So I’ve finally created a new dts file for that router, instead of using the WR5123ng image; below is the patch to apply to the OpenWrt source tree

After that work, the reset button works ok ( to get into failsafe mode, wait for a UDP packet from the router, then briefly press the button once ), and USB port power is tied to a dummy usbpower LED: set brightness to 0 to power on, brightness to 1 to power off
Like:

 

USB is still not working. In dmesg the dwc2 driver constantly reports an overcurrent condition, which I think is caused by VBUS being supplied from an external power supply instead of the SoC, so it thinks that there’s a short circuit. Probably some driver work is still needed, so more updates are likely to follow

Convert your cheap “unmanaged” switch to a VLAN capable layer 2 managed switch for just $2


The title of this post may look crazy at first, but it’s not: it is entirely possible to convert your cheap 100M 8-port switch, or something like it, into a managed switch.

That’s possible simply because, if you open up one of these and look at the datasheet, you will find that they use the same switch chips frequently used inside routers ( which can be reprogrammed as you like with OpenWrt ).

The switch I’ve used this time is a “digicom 10/100” switch. Digicom is probably an Italian rebrand of some other stuff, but anyway, let’s get straight to the point; below you can see the PCB of that switch

The switch chip is an IP178CH and, since today luck is on our side, its datasheet can easily be found here: http://www.icplus.com.tw/Data/Datasheet/IP178Cx-DS-R13-20080925.pdf .

Serial management interface timing diagram and command format

Now by taking a quick look at the datasheet some important things for that modification are easily found:

  • The switch chip can be programmed by pulling its pins up or down, but only basic features are programmable that way
  • The switch chip can be programmed from the EEPROM ( which is not present on that switch board, but there are unpopulated pads for it ); for the switch to take the EEPROM into account, the first two bytes must be 0x55AA
  • The switch chip can be programmed on the fly using a synchronous serial interface at pins MDC & MDIO.
    This one is the most useful one to create a managed switch

The serial interface is similar to I2C but much simpler: it does not support multiple devices on the same bus and devices don’t have an address.
The MDC clock has to be generated from the CPU side ( in this case an Arduino ), so you can operate it at whatever speed you want provided you don’t exceed the maximum ratings.

Now, once you know how to communicate with the switch, it’s just a matter of programming an Arduino.
To do that, if you just want to test and you are going to power the Arduino over USB, you will need to modify a USB cable to give the Arduino 3.3V instead of 5V.
You could also use a level shifter for that, but I prefer powering the entire Arduino at 3.3V because it’s simpler and cheaper.
To power an Arduino with 3.3V you can simply take a USB cable, cut the red and black wires and insert a regulator between the PC side and the Arduino side.

Arduino usb cable modification

After doing that modification, just adjust the regulator to give 3.3V and you are ready to go.
On that switch, since again we are lucky today, the IC pins of the serial management interface were already routed to an unpopulated header, on which I soldered a 3-pin strip header

The pinout is the following:
1 :   GND
2 :   MDIO
3 :   MDC

MDIO must be pulled high using a 2.2k resistor or some similar value. Again, if you are using a level shifter instead of the 3.3V cable mod, be sure to connect the pull-up resistor to 3.3V and not 5V.
To protect the I/O lines, also add two 100 ohm resistors, or 200 ohm at most, between MDIO, MDC and the Arduino pins ( 2,3 )

After doing that the HW part is done. If you want to make it permanent, just buy an Arduino Pro Mini ( NOT NANO ) and a USB-serial adapter; the two should be around $2 total, max 3$.
You can also easily find the 3.3V power rail on the board and power the Pro Mini from there. DO NOT power the Arduino Pro Mini from USB or use an Arduino Nano, or you will fry everything.
When connecting the USB-serial adapter to it you will only connect the GND, RX and TX wires, plus DTR if you want to be able to program it from USB.

Now let’s take a look at some basic software for a managed switch which can save its configuration to the Arduino EEPROM and restore it at boot.


outBit and inBit generate a clock cycle on MDC while reading or writing an output value to/from MDIO

readReg reads an entire register by submitting read command, phy address and reg address

writeReg writes an entire register by submitting a write command together with phy address, reg address and the 16 bit value to write.
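A sketch of how these four functions fit together, as an added example that is not the post's original Arduino code. It assumes the chip follows the standard IEEE 802.3 clause 22 management frame (32-bit preamble, start 01, opcode 01 write / 10 read, 5-bit PHY and register addresses, 2-bit turnaround, 16 data bits). The two pins are replaced by a constructed software model of the chip, and the PHY/register numbers used are arbitrary sample values, not taken from the datasheet.

```c
#include <stdint.h>
#include <stdio.h>

enum { OP_WRITE = 1, OP_READ = 2 };

/* Constructed stand-in for the switch chip's management port. */
typedef struct {
    int ones;               /* consecutive 1s seen while idle (preamble) */
    int pos;                /* index of the next frame bit, -1 when idle */
    uint16_t hdr;           /* ST, OP, PHYAD, REGAD as received (14 bits) */
    uint16_t data;
    uint16_t regs[32][32];
} sim_chip;

static sim_chip chip = { .pos = -1 };
static uint64_t wire_trace; /* last 64 MDIO levels, newest in bit 0 */

/* One MDC clock cycle; returns the MDIO level seen at the rising edge. */
static int mdc_cycle(int host_drives, int host_bit)
{
    sim_chip *c = &chip;
    int op = (c->hdr >> 10) & 3, phy = (c->hdr >> 5) & 31, reg = c->hdr & 31;
    int line = 1;                           /* pull-up when nobody drives */

    if (c->pos >= 15 && op == OP_READ)      /* chip answers a read */
        line = (c->pos == 15) ? 0 : (c->regs[phy][reg] >> (31 - c->pos)) & 1;
    else if (host_drives)
        line = host_bit;
    wire_trace = (wire_trace << 1) | (uint64_t)line;

    if (c->pos < 0) {                       /* idle: wait for preamble, then 0 */
        if (line) c->ones++;
        else { if (c->ones >= 32) { c->pos = 1; c->hdr = 0; } c->ones = 0; }
        return line;
    }
    if (c->pos < 14)       c->hdr  = (uint16_t)((c->hdr << 1) | line);
    else if (c->pos >= 16) c->data = (uint16_t)((c->data << 1) | line);
    if (++c->pos == 32) {                   /* frame complete */
        if (op == OP_WRITE) c->regs[phy][reg] = c->data;
        c->pos = -1;
        c->ones = 0;
    }
    return line;
}

/* Host side, named after the functions the post describes. */
static void outBit(int bit) { mdc_cycle(1, bit & 1); }
static int  inBit(void)     { return mdc_cycle(0, 0); }  /* MDIO released */

static void sendHeader(int op, int phy, int reg)
{
    int i;
    for (i = 0; i < 32; i++) outBit(1);             /* preamble */
    outBit(0); outBit(1);                           /* start of frame */
    outBit(op >> 1); outBit(op);                    /* opcode */
    for (i = 4; i >= 0; i--) outBit(phy >> i);      /* PHY address */
    for (i = 4; i >= 0; i--) outBit(reg >> i);      /* register address */
}

void writeReg(int phy, int reg, uint16_t val)
{
    int i;
    sendHeader(OP_WRITE, phy, reg);
    outBit(1); outBit(0);                           /* turnaround */
    for (i = 15; i >= 0; i--) outBit(val >> i);
}

uint16_t readReg(int phy, int reg)
{
    uint16_t val = 0;
    int i;
    sendHeader(OP_READ, phy, reg);
    inBit(); inBit();                               /* turnaround: chip takes the bus */
    for (i = 0; i < 16; i++) val = (uint16_t)((val << 1) | inBit());
    return val;
}

/* The 32 bits that followed the preamble in the most recent frame. */
uint32_t lastFrame(void) { return (uint32_t)wire_trace; }

int main(void)
{
    writeReg(1, 2, 0xABCD);                         /* constructed sample values */
    printf("write frame: 0x%08X\n", (unsigned)lastFrame());
    printf("read back:   0x%04X\n", (unsigned)readReg(1, 2));
    printf("read frame:  0x%08X\n", (unsigned)lastFrame());
    return 0;
}
```

On real hardware `mdc_cycle` would instead set or read the MDIO pin and pulse MDC, and the host must release MDIO (input mode, relying on the pull-up) during the read turnaround so it does not fight the chip.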

The switch itself works in a fairly simple way: you can assign which ports belong to a VLAN ( independently of whether the packets will be tagged or not ), and then you can configure how to treat untagged packets and what to do when a packet from a VID port group goes out of a port.

For example if you want to use port 1 as trunking port ( multiple vlan tagged networks on the same physical port ) , and you want to tag untagged traffic from ports 2,3,4 with vlan ids 2,3,4 you have to:

  • Assign ports 1,2 to VID 2
  • Assign ports 1,3 to VID 3
  • Assign ports 1,4 to VID 4
  • Set ports 2,3,4 to remove VLAN tags from outgoing packets
  • Set port 1 to add VLAN tag to outgoing packets
  • Set default VID for untagged traffic of port 2 to 2
  • Set default VID for untagged traffic of port 3 to 3
  • Set default VID for untagged traffic of port 4 to 4

With that configuration for example you will be able to connect 3 different networks to a single ethernet cable, which may be useful when you have a radio tower with multiple devices on it and only a single cable going to the ground equipment.
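A small forwarding model of the trunk configuration listed above, added here to show which ports a frame can reach and that the three networks stay separated; it is not the post's code and does not use the chip's register layout. It assumes generic 802.1Q behaviour, including dropping frames that arrive on a port that is not a member of their VLAN, and it leaves port 1 without a default VID because the post does not give one.

```c
#include <stdint.h>
#include <stdio.h>

#define PORT(n)   (1u << (n))     /* bit n stands for physical port n */
#define UNTAGGED  (-1)
#define MAX_VID   7               /* small table, enough for this example */

typedef struct {
    uint16_t members[MAX_VID + 1]; /* members[vid]: ports belonging to that VLAN */
    int      pvid[9];              /* default VID for untagged ingress, per port */
    uint16_t tag_egress;           /* ports that add a VLAN tag on the way out */
} vlan_cfg;

/* The configuration from the list: port 1 is the trunk, ports 2-4 are access. */
static const vlan_cfg cfg = {
    .members    = { [2] = PORT(1) | PORT(2),
                    [3] = PORT(1) | PORT(3),
                    [4] = PORT(1) | PORT(4) },
    .pvid       = { [2] = 2, [3] = 3, [4] = 4 },
    .tag_egress = PORT(1),
};

/* Returns the set of ports a frame leaves on. in_vid is the tag carried by
   the incoming frame, or UNTAGGED. *vid_out receives the VLAN it was put in. */
uint16_t forward(const vlan_cfg *c, int in_port, int in_vid, int *vid_out)
{
    int vid = (in_vid == UNTAGGED) ? c->pvid[in_port] : in_vid;

    *vid_out = vid;
    if (vid < 1 || vid > MAX_VID)
        return 0;                           /* no VLAN to classify into */
    if (!(c->members[vid] & PORT(in_port)))
        return 0;                           /* assumed ingress filter */
    return (uint16_t)(c->members[vid] & ~PORT(in_port));
}

/* 1 if frames leaving out_port carry a tag, 0 if the tag is removed. */
int leaves_tagged(const vlan_cfg *c, int out_port)
{
    return (c->tag_egress >> out_port) & 1;
}

int main(void)
{
    int vid, p;

    /* Untagged traffic from each access port ends up tagged on the trunk. */
    for (p = 2; p <= 4; p++) {
        uint16_t out = forward(&cfg, p, UNTAGGED, &vid);
        printf("port %d untagged -> VID %d, egress mask 0x%02X\n",
               p, vid, (unsigned)out);
    }
    /* Tagged traffic from the trunk reaches only the matching access port. */
    for (p = 2; p <= 4; p++) {
        uint16_t out = forward(&cfg, 1, p, &vid);
        printf("trunk VID %d -> egress mask 0x%02X, tagged on exit: %d\n",
               p, (unsigned)out, leaves_tagged(&cfg, p));
    }
    return 0;
}
```

The case worth checking on the real chip is the assumed ingress filter: a frame arriving on an access port already tagged for another VLAN should be dropped, otherwise the separation between the three networks does not hold.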

That’s just the beginning; similar mods can in most cases be done on all switches, and probably with more features on newer ( gigabit ) switches.

You could also use a raspberry to manage the switch instead of an arduino to be able to work on it from ethernet with some nice web interface.

 

Calibrating YIHUA 898D soldering station


When you buy an 898D soldering station there’s a very high chance that it is completely uncalibrated, leading to burnt/damaged parts and other kinds of problems since most of the times it is calibrated to give much higher temperature.

For that procedure you are going to need:

  • A cross-head screwdriver to open the 898D
  • A flat-head screwdriver at most 2 mm wide to rotate the potentiometers
  • A thermocouple thermometer
  • An IR thermometer

First of all, set both temperatures to 230 °C and disconnect the power cord, because part of the board is directly connected to mains

To open the soldering station , remove the four screws around the front panel

Once removed the front panel you should have a board like the one below:

That board has two trimmers, one is to adjust smd rework gun , the other one is to adjust soldering iron temperature.
Start with the hot air gun: after making sure that no metal is touching the board and that you are not touching the board, plug the power in again and heat a piece of paper with the hot air gun.
Place the hot air gun on one side of the paper and an IR thermometer on the other side.
If you read 220-235 °C it’s ok; if you read temperatures like 260 or 280 °C, or 200 °C, you definitely need to adjust it.
To do that, take a small flat-head screwdriver and, with the soldering station disconnected from mains, if the air is hotter than it should be, rotate the potentiometer about 1-2 turns counter-clockwise; otherwise rotate it by the same amount clockwise. Then plug the power in again and check whether the temperature is in an acceptable range; if not, repeat the above step with smaller adjustments.

When you are done with the hot air gun, start working on the soldering iron: place some excess solder on its tip and put it in contact with a shielded thermocouple.
Let it stay for about 3-4 minutes and then check the temperature reading of the thermocouple. If it is less than 210 °C or more than 240 °C you need to calibrate that too; proceed as follows:
  1. If the temperature is higher than it should be, rotate the soldering iron potentiometer about 1/4 of a turn clockwise ( the opposite of the hot air gun one ). You should do that with the power connected, so BE VERY CAREFUL not to touch any part of the board except the potentiometer with the screwdriver when doing that.
    If the temperature is lower than it should be, rotate it 1/4 of a turn counter-clockwise.
  2. If the temperature was higher than needed, blow some air at the thermocouple and soldering iron tip to lower the temperature, and wait for it to rise
  3. After about 2 minutes, check whether the temperature still needs adjustment; if yes, repeat from step 1 with smaller rotations.
I’m using a PID controller as a thermometer because it’s the only thermocouple-based thermometer that I have at the moment.
After that, reassemble everything and you are done.