Here's a board I designed for use with Stellaris 32-bit ARM Cortex-M3 MCUs from Texas Instruments.
It's meant to be used with either LM3S3748 (USB device/host) or LM3S6938 (Ethernet), but it will probably work with other models as well, because most of them have similar pinouts.
The design is based on the schematics of evaluation boards for LM3S3748 and LM3S6965.
My board with LM3S6938 (left) and LM3S3748.
I've had it manufactured by iTead studio and I'm very satisfied with the result.
The boards were manufactured in 3 days, and shipping via airmail took less than two weeks.
There are some stories about how they mess up boards sometimes, but I don't see any problems with mine, even though I used thin 8 mil traces.
The N900 is a great device, capable of running many game system emulators.
Unfortunately, playing on its keyboard is not very comfortable.
I've decided to do something about it...
I've built a gamepad that connects to the usb port and fits nicely over the keyboard.
It features 8 buttons and a PSP joystick. The device emulates a USB keyboard, so it works out of the box with all games and programs.
At the heart of the gamepad is an ATmega8A running V-USB software USB stack.
I recently bought a very nice and very cheap WiFi router - the Amit CDE530AM-S.
It's based on the Ralink RT3050 chipset, with 8MB of flash, 32MB of RAM and USB host.
Motivated by Arran Short, who managed to run OpenWrt (a modified Fonera 2.0n image) on an Edimax NS-1500 (also based on the RT3050), I decided to try running OpenWrt on the Amit.
The device has a bootloader, but it has no documentation, and there are no official firmware images available to try to decipher the required format.
I've managed to set up a JTAG connection using OpenOCD, here's a little HOWTO.
Hardware connection
First of all, the CDE530AM-S has two serial ports. One is nicely brought out on a pin header, but unfortunately it isn't used for anything. The one used as the serial console is just two tiny pads on the underside of the board near the chip; fortunately they are marked RX and TX. The baud rate is 57600.
As for JTAG, there is a standard EJTAG header on the underside of the board, but to make it work you have to populate a small resistor near the TDO pin (I guess you can bridge it with solder, just to be safe I soldered in a 51 Ohm resistor). All the other pads are for pull-downs or pull-ups so you can ignore them.
Don't forget about that resistor (R28)!
Software
I'm using OpenOCD and a Wiggler clone parallel port JTAG adapter.
Connect everything, the nTRST pin can be pulled high all the time if your adapter doesn't control it.
Create a file rt3050.cfg containing (you have to change the contents if you use a different adapter):
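The contents of the author's rt3050.cfg are not reproduced on the page. What follows is an illustrative config added for this edit, not the original file, for the setup described here: a Wiggler-clone parallel-port adapter and the RT3050's MIPS EJTAG port. The parallel-port address, TAP parameters, clock speed and target type are assumptions to verify against your adapter and your OpenOCD version; the command names are the ones OpenOCD used around 0.4/0.5, and newer releases have renamed some of them (interface became adapter driver, jtag_khz became adapter speed).

```tcl
# rt3050.cfg - illustrative OpenOCD config for a Wiggler-clone parallel-port
# adapter talking to the RT3050's EJTAG port. Written for this edit, not the
# author's file; port address, TAP parameters and speed are assumptions.

# Adapter: Wiggler clone on the first parallel port (0x378 is typical on x86).
interface parport
parport_port 0x378
parport_cable wiggler

# A real Wiggler drives nTRST and nSRST. If your clone does not, tie nTRST
# high (as noted above) and change this to "srst_only" or "none".
reset_config trst_and_srst

# Keep the clock slow; bit-banged parallel-port JTAG is not fast anyway.
jtag_khz 100

# EJTAG TAP of the RT3050 (MIPS 24KEc core): 5-bit instruction register,
# capture/mask values as used for other MIPS targets in OpenOCD's tcl/target.
# -expected-id is left out on purpose: run "scan_chain" once and add the
# IDCODE OpenOCD reports so a bad connection is caught early.
jtag newtap rt3050 cpu -irlen 5 -ircapture 0x1 -irmask 0x1

# Ralink SoCs are little-endian MIPS; mips_m4k is OpenOCD's EJTAG target type.
target create rt3050.cpu mips_m4k -endian little -chain-position rt3050.cpu
```

With OpenOCD up and "halt" issued from the telnet session, the dump_image command listed further down is what pulls the firmware out, for example dump_image flash.bin 0xbf000000 0x800000 for the 8 MB flash, assuming the flash is mapped at the usual RT305x uncached kseg1 address 0xbf000000. Check a few words with mdw first so you know the address is right before trusting the dump.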
1. Open two terminal windows
2. Connect everything and power up the router
3. In one terminal run "openocd -f rt3050.cfg" (you have to do that quickly after power-up, before the device leaves the bootloader)
4. In the other terminal run "telnet localhost 4444"
5. Use the telnet window to send commands to OpenOCD, starting with "halt", which stops the CPU and lets you read and edit memory
Some useful commands:
mdw|mdh|mdb [phys] addr [count]
Display contents of address addr, as 32-bit words (mdw), 16-bit halfwords (mdh), or 8-bit bytes (mdb).
dump_image filename address size
Dump size bytes of target memory starting at address to the binary file named filename.
load_image filename address [[bin|ihex|elf|s19] min_addr max_length]
Load image from file filename to target memory offset by address from its load address.
resume [address]
Resume the target at its current code position, or the optional address if it is provided.
Here's an upgraded version of my "Handheld Fonera pentesting device".
This time I was working alone, so I don't have anyone to blame for the outcome. :P
Wifon 2.0
New features:
- Color 320x240 LCD screen with touch panel
- Fast STM32 microcontroller for a more advanced user interface
- Smaller custom case - 150 mm x 100 mm x 28 mm
- External battery pack
Hardware:
Case opened
This time the construction is much simpler, with almost no custom parts.
I'm still using the La Fonera router, but this time with a much better screen and uC - the MINI-STM32 devkit I've posted about earlier.
There are no buttons, everything is controlled by the touch panel.
The screen and micro are powered from the 3.3V supplied by the fonera's linear voltage regulator.
This isn't very efficient, but makes the construction much simpler - all you have to do is connect the UART and power pins from the fonera to the micro.
Everything is powered through the fonera's power socket - accepting 5V nominally.
I built a lithium battery pack supplying 5V using a 4xAA holder and a switching voltage regulator from wifon 1, it can be attached to the back of the device to make it portable.
The firmware on the microcontroller uses ChibiOS/RT real time operating system, which allows for multitasking and made the whole project a lot easier.
The user interface is controlled entirely by the uC, which makes it much more responsive - it's not slowed down by apps running on the router.
Just like in wifon 1, a set of Ruby/shell scripts for communicating with the display runs on the fonera's serial terminal, but I had to write them from scratch because of the different approach to the user interface.
So far I've only managed to implement some simple apps demonstrating that the device works - displaying wifi status and a couple of attacks using mdk3. Doing everything alone is harder than I thought! :P
I hope to add more software in the future.
Main screen with a graph displaying WiFi interface usage
Unfortunately, hardware limits of the fonera are showing - running too many apps at once makes the device run out of RAM and restart. I have to consider doing the RAM upgrade mod...
The PS3 has finally been hacked, but why buy a modchip when you can make your own?
I've decided to make a board with the ATMEGA32U2 chip, because it's cheap and compatible with the popular Teensy 1.0 board, so I don't have to compile my own firmware. :P
It's my second homemade PCB, but my first double-sided one and with a TQFP chip!
I can't believe I've managed to solder all of that by hand.
The ATMEGA32U2 is a bit problematic in that you have to edit avr-gcc and avrdude config files to compile the LUFA bootloader and program it on the chip properly, but it's nothing serious.
$40 for an ARM Cortex M3 microcontroller plus a color LCD touchscreen!
You don't need a programmer to start playing with it, as all STM32 chips come with a software bootloader, allowing for firmware uploading through UART.
Setting up a development environment is a bit complicated, but I've managed to get it working using the free Yagarto toolchain and a modified Makefile from this project.
Before I bought it, I found out on their site (http://www.powermcu.com/) that they are selling a new revision of the board (http://item.taobao.com/item.htm?id=5717559340) for almost the same price, so I asked them how much it would cost me; they said that it's gonna be $10 more.
I decided to buy the cheaper one on eBay and, to my surprise, they sent me the new one! :D
So here is my awesome ARM devkit running a preprogrammed demo:
Introduction
"La Fonera" is one of the names for a certain WiFi access point produced by Accton.
It's popular because it's cheap, small and very hackable.
It's got a great Atheros chipset and is well suited for use with "pentesting" software such as aircrack-ng, mdk3 or Karma/Jasager, and there have been attempts at making it portable by adding battery power.
But I've never heard of anyone adding a physical user interface to make the Fonera a truly portable and autonomous device, and I decided to change that...
To get some help and motivation to finish it, I've registered it as a team project for school.
So with 5 people and 6 months of work we came up with this:
I did the hardware and uC firmware, while the rest of the team wrote software that ran on the AP.
The Hardware
- La Fonera WiFi AP running OpenWrt
- ATMEGA88 microcontroller
- 16x4 Character LCD (hd44780 compatible)
- 6 buttons
- power supply
- 2 Li-ion AA sized cells
- box of chocolates, lots of hot glue and tape :P
The total cost (not counting the Fonera) was about $20.
Power
The power supply had to be efficient and provide two voltages - 3.3V for the AP and 5V for the uC and LCD.
3.3V is provided by an LM2576 - a switching regulator (for high efficiency), and 5V is provided by a cheap 7805 linear regulator, because the LCD and uC don't require much power.
As a result, the device accepts any voltage above 6V (tested up to 16V), and two 900mAh Li-ion cells allow for 90 minutes of operation.
Microcontroller
No Arduino here, because I'm a cheap anti-arduino bastard ;P
I chose the ATMEGA88 chip, because it's cheap and I'm familiar with it.
The buttons and LCD are directly connected to the uC, which communicates with the AP via UART at 9600 bps. There is a transistor between the TX pin of the uC and the AP to bring the 5V signal down to 3.3V. No conversion is needed in the other direction, since the AVR running at 5V already reads the AP's 3.3V output as a valid logic high.
The communication protocol between the uC and AP is very simple.
A button press sends a single ASCII symbol followed by a carriage return, for example the UP button sends the letter 'w' (0x77) followed by CR (0x0D).
The screen is updated by sending a 0x02 ASCII symbol followed by 64 bytes of data - the text to be displayed.
The screen is updated frequently enough that we are not using any error checking or correction.
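The protocol just described, in both directions, as an added example written for this edit. It is not the team's code (the Ruby scripts on the Fonera, WifiScan.rb included, are referenced but not shown on the page). Only 'w' = UP is stated above; the other key codes in the table are assumed placeholders. It also shows the one thing the unchecked protocol depends on: the AP side must emit exactly 0x02 plus 64 bytes every time, and the button parser should drop, rather than guess at, anything that isn't exactly one byte before a CR.

```ruby
# Wifon 1 UART protocol between the ATmega88 (buttons + LCD) and the Fonera,
# as described above: a button press is one ASCII symbol followed by CR, and a
# screen update is STX (0x02) followed by exactly 64 bytes of text (16x4).
# Added example written for this edit, not the team's code. Only 'w' = UP is
# stated on the page; the other key codes below are assumed placeholders.

SCREEN_COLS  = 16
SCREEN_ROWS  = 4
SCREEN_BYTES = SCREEN_COLS * SCREEN_ROWS # 64
STX = "\x02".b
CR  = "\r".b

# Byte -> button. 0x77 ('w') is from the page; the rest are assumptions.
BUTTONS = {
  0x77 => :up,    # 'w'
  0x73 => :down,  # 's'  (assumed)
  0x61 => :left,  # 'a'  (assumed)
  0x64 => :right, # 'd'  (assumed)
  0x65 => :enter, # 'e'  (assumed)
  0x71 => :back   # 'q'  (assumed)
}.freeze

# AP side: build the 65-byte screen frame from up to 4 lines of text.
# Each line is clipped to 16 columns and padded with spaces, so the frame is
# always STX + 64 bytes. There is no length field or checksum, so sending
# exactly 64 bytes every time is the only thing keeping the uC in sync.
def screen_frame(lines)
  raise ArgumentError, "at most #{SCREEN_ROWS} lines" if lines.size > SCREEN_ROWS
  rows = Array.new(SCREEN_ROWS) { |i| (lines[i] || '').to_s.b }
  body = rows.map { |r| r[0, SCREEN_COLS].ljust(SCREEN_COLS) }.join
  STX + body
end

# uC side: split a received frame back into 4 rows; nil if it is not a
# well-formed frame (wrong start byte or length).
def parse_screen(frame)
  f = frame.b
  return nil unless f.bytesize == SCREEN_BYTES + 1 && f.getbyte(0) == 0x02
  f.byteslice(1, SCREEN_BYTES).chars.each_slice(SCREEN_COLS).map(&:join)
end

# AP side: incremental parser for the button stream coming from the uC.
# feed() accepts any chunking of the serial data. CR is the only framing, so
# anything other than exactly one byte before a CR is reported as :garbled
# instead of being guessed at (a line-noise burst would otherwise be taken
# for a key press).
class ButtonParser
  def initialize
    @buf = ''.b
  end

  def feed(bytes)
    @buf << bytes.b
    events = []
    while (i = @buf.index(CR))
      msg = @buf.slice!(0, i + 1).chomp(CR)
      events << if msg.bytesize == 1
                  BUTTONS.fetch(msg.getbyte(0), :unknown)
                else
                  :garbled
                end
    end
    events
  end
end

if __FILE__ == $PROGRAM_NAME
  frame = screen_frame(['Wifon 1', 'Networks: 3', '', '[w]up [s]down'])
  puts "frame: #{frame.bytesize} bytes, first byte 0x#{frame.getbyte(0).to_s(16)}"
  parse_screen(frame).each { |row| puts "|#{row}|" }
  p ButtonParser.new.feed("w\r\x01\x02d\rx")
end
```

The parser keeps a byte buffer across calls because a serial read on the Fonera side can return half a message; the screen framer raises on more than four lines rather than silently sending a frame of the wrong length.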
Software on the Fonera
Most of the software was written in Ruby, because that was the only reasonable scripting language that fits on the flash memory of the Fonera, and to our surprise it wasn't very resource-intensive, even on such limited hardware.
My friend - Kacper, wrote the software to allow other applications to use the screen and buttons.
He also wrote a great menu system used by the rest of the team for their apps.
The interface software runs on the serial port instead of a regular terminal.
It poses as a regular terminal, but with a size of 16x4, so that any existing app can run in it, but you have to modify it to be able to read anything :P
The rest of the team - Adam, Marek and Michał, adapted software to work nicely with the LCD and buttons.
In the end we got these things working:
- displaying networks found by airodump-ng
- deauthentication of a selected client
- connecting to an unsecured network and scanning it with nmap
- several attacks using mdk3
- displaying CPU and memory usage
Example code - script displaying airodump-ng scan results: WifiScan.rb
Conclusion
As with most school projects, some things were rushed to meet the deadline, but we're satisfied with the result.
All in all, it's not really a useful device, more of a proof of concept, but it was fun to build and it's working.
Also, we did it because we could, and that is all that matters!
I will post the full sources as soon as all the team members agree.