Wednesday, July 26, 2023

DWR-921 C1/C3 OpenWRT Ordeal

Recently I got my hands on a few DWR-921 routers. Those routers are nothing special,
but they do have a 4G modem built in, so you can use them as a regular router or as a 4G one.

I checked the OpenWRT site and it is supported on the C1 and C3 revisions of the router;
I had 4 of the C1 revision and 2 of the C3 revision.

After trying to put OpenWRT on them for a week, this is what I've discovered.

There are 2 flash layouts on these devices:

Older layout (Versions 1 - 3.0.0)
0x000000000000-0x000000010000 : "Bootloader" - JBOOT
0x000000010000-0x000000150000 : "Kernel"
0x000000180000-0x000000f10000 : "RootFS"
0x000000f10010-0x000000ff0000 : "UI"
0x000000ff0000-0x000001000000 : "Config"

Newer layout (Versions 3.0.X+)
mtd1: 00030000 00010000 "Bootloader" - UBOOT
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00150000 00010000 "Kernel"
mtd5: 00e60000 00010000 "RootFS"
mtd6: 00fb0000 00010000 "Linux"
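
The two layouts above in a small checker, as an added example that is not part of the original post: it parses both listing formats and reports partitions that are not erase-block aligned, gaps and overlaps between neighbours, which is worth knowing before writing a dump back with a programmer. The bootloader tags (JBOOT/UBOOT) are dropped from the copied lines, and the newer layout lists only sizes, so contiguous placement in the listed order is an assumption.

```python
import re
ERASE, FLASH = 0x10000, 0x1000000   # erase block from the /proc/mtd listing; 16 MiB chip
OLD_LAYOUT = """
0x000000000000-0x000000010000 : "Bootloader"
0x000000010000-0x000000150000 : "Kernel"
0x000000180000-0x000000f10000 : "RootFS"
0x000000f10010-0x000000ff0000 : "UI"
0x000000ff0000-0x000001000000 : "Config"
"""
NEW_LAYOUT = """
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00150000 00010000 "Kernel"
mtd5: 00e60000 00010000 "RootFS"
mtd6: 00fb0000 00010000 "Linux"
"""
def parse_ranges(text):
    """Older layout: 'start-end : "name"' lines -> [(name, start, end)]."""
    pat = re.compile(r'(0x[0-9a-f]+)-(0x[0-9a-f]+)\s*:\s*"([^"]+)"')
    return [(m[3], int(m[1], 16), int(m[2], 16)) for m in map(pat.search, text.splitlines()) if m]

def parse_mtd(text):
    """Newer layout: 'mtdN: size erasesize "name"' lines -> [(name, start, end)].
    Assumption (the post lists only sizes): partitions are contiguous in the listed
    order, and one that would run past the end of flash is a container ending at the
    current offset (that is the only way the "Linux" entry fits)."""
    pat = re.compile(r'mtd\d+:\s*([0-9a-f]+)\s+[0-9a-f]+\s+"([^"]+)"')
    parts, off = [], 0
    for m in filter(None, map(pat.search, text.splitlines())):
        size, name = int(m[1], 16), m[2]
        if off + size > FLASH:
            parts.append((name, off - size, off))   # container; offset not advanced
        else:
            parts.append((name, off, off + size))
            off += size
    return parts

def check(parts):
    """Findings: starts not erase-block aligned, gaps and overlaps between neighbours."""
    findings, prev_name, prev_end = [], None, 0
    for name, start, end in sorted(parts, key=lambda p: (p[1], -p[2])):
        if start % ERASE:
            findings.append(("unaligned", name, start))
        if start > prev_end:
            findings.append(("gap", f"{prev_name}->{name}", start - prev_end))
        elif start < prev_end:
            findings.append(("overlap", f"{prev_name}->{name}", min(end, prev_end) - start))
        if end > prev_end:
            prev_name, prev_end = name, end
    return findings
```

On the older layout this flags the 0x30000 hole between Kernel and RootFS and the UI partition starting 0x10 bytes past an erase-block boundary; on the newer one it shows "Linux" overlapping exactly Kernel plus RootFS.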

Also, each layout comes with a different bootloader (it seems strange for D-Link to switch bootloaders on the same hardware).

OpenWRT only supports the older layout, so if you have updated to a newer version of the firmware
it will be much more difficult to downgrade and install OpenWRT.

UBOOT does not support OpenWRT in any shape or form, so let's see how to downgrade
and what JBOOT expects.


When loading, the JBOOT bootloader looks for the Config memory space, and it must be unmodified:
the CRC checks must pass. Without this partition the bootloader will not update to any version.

So if your Config partition is intact: hold reset on the device and turn it on, connect a computer with DHCP enabled and wait a bit for the router to boot, then navigate to any site and you will be redirected to the firmware upload page. Select the correct version of OpenWRT (C1/C3, with a -factory.bin ending), upload it, and you are done.

But if you have a later version of the firmware already installed, you will need a way to dump/flash the flash chip directly, something like a CH341 device with a clip and the NeoProgrammer 2.X software.

The first thing to do is back up your flash and save it somewhere you will remember.

Here is the firmware that you need to upload to your device using the programmer (unzip it first).
This firmware is for the C1 hardware revision only; for some reason it will not work on the C3.
The problem is that I have found no way to change the MAC address in the firmware, since each change requires recalculating the CRC and patching it in; after many tries I could not work out how to do this correctly.

After flashing the firmware you can update to the OpenWRT version by holding the Reset button and waiting for the process to start, as written above.

Sunday, August 11, 2019

Reverse Engineering Smart Wristband LM707

Recently I bought a couple of LM707 "Smart bracelets"
to try RE, so that I can put my own firmware on them.
They have some nice features, such as:
1. Color IPS LCD 80x160
2. Accelerometer
3. Pulse sensor
4. fast CPU...
5. BLE
6. Motor

I read some articles about this; they usually have an NRF51/52 micro with BLE.
Sometimes they have the TLSR8266 by Telink.
So I thought: get one, open it up, see what's inside, *RE*, profit!

Got mine, opened it up and this is what I got.
That weird chip is the MCU, with the markings 05PUN2 and a date code, and nothing else.

I had no idea what type of micro that is (I still don't).
I reverse-engineered the APK that comes with it (luckily it was not protected); the app supports different types of
MCUs (about 49 models). Some are based on TELINK MCUs, there are mentions of them in the code,
and others on something called MAXSCEND, which is what this one is based on.
No SDK, no datasheets, no info whatsoever. I have a method of uploading firmware over OTP
(I downloaded all the firmwares from the site), but they are of unknown architecture, so no idea.
I'm stuck; if anybody has any info, write in the comments.

R.


Sunday, May 19, 2019

ESP8266 GameBoy Emulator, attempt.

I had an idea: port a GameBoy emulator to an ESP8266 with an LCD screen.
I found a good candidate for porting, Peanut-GB; it's only a single file (.h) and comes with
plenty of examples.

Very little setup is required, just a single lcd_draw_line callback: implement the LCD drawing
there and voila, a GB emulator on the ESP8266 (NodeMCU clone). But it seems
the raw power of C is not sufficient for this task, and the LCD library
that I've chosen (TFT_eSPI) and modified was also insufficient to make
the emulator run at adequate speeds.

Games are stored in the flash using bin2hex.

The LCD in use is ST7789 based, 240x240, connected to the SPI bus running at 40 MHz.

Pinout:
NodeMCU - LCD
GND -> GND
3.3V -> VCC
3.3V -> BLK
D3 -> DC
D4 -> RES
D5 -> SCL
D7 -> SDA

So what do we have:
1. The emulator runs, tried with "super mario land", Tetris and a demo.
2. Uhm... Profit ?

What we don't have:
1. Good frame time: each frame takes between 70~200 ms, which translates to between 14~5 FPS.
2. Audio (there was not enough time for smooth frame rates... so...)
3. Key input (yeah... no...)


It seems that no matter how hard I tried to optimize the code, the drawing part
would always lag. If we remove the LCD part, the core did have enough
time to emulate the game, but I think an emulator without a screen
is not a good emulator :)

What did I try to do:
1. The ESP runs at 160 MHz; I could try to use NO_SDK (run at 340 MHz) by CNLohr, but the SPI bus is affected by it.
2. Optimized gb_draw_line up the wazoo, replaced all multiplications with right shifts.
3. Added per-line hash drawing: if the pixels of the line did not change, don't draw them. Helpful with static games, not so much with scrolling.
4. Moving the game code to DRAM did not produce significant speed-ups. *
5. DynaRec? It will probably require a lot of RAM, and we have only 32000 bytes left.

* One of the issues that I've encountered is that the game needs to reside in the flash, but because of alignment issues (the game is an array of bytes [8-bit] but the memory of the ESP is 32-bit) the reading is slower.

Everything was developed using Sloeber, highly recommended for Arduino development.
Sources: primary project.
Sources: TFT_eSPI modified library
Hope that helps anybody.

R.

Thursday, November 29, 2018

Blue Pill (stm32f103c) as SPI programmer

I had a need to program SPI EEPROMs, so I looked around and found this for Arduino, and of course
it requires a 3.3V Arduino. I only had the Blue Pill clone, so I adapted the code and modified it
slightly to work with the Pill. Attached are the connection schematics and the code.

You will need to program the Pill with a bootloader for it to work as an Arduino board.

Chip pin    Blue pill pin
1 /SS       PA4
2 MISO      PA6
3 /WP       +3.3V
4 GND       GND
5 MOSI      PA7
6 SCK       PA5
7 /HOLD     +3.3V
8 VDD       +3.3V

Also add a clip into the mix and you can create an ICSP setup.

You can use a serial console directly on the Pill, or the Python script from the original repo;
tested on Windows and Linux.

Code

Saturday, September 23, 2017

Modular Smart Array 500 G2 LCD - C51343NFU OPTREX

I was rummaging through my collection of old hardware and came across an HP storage module labeled:
HP StorageWorks
Modular smart array 500 G2

and it had a nice LCD on it, so I decided to see if we can use it for something.

After extracting it, it became obvious that it was a separate module with:
* LCD
* Microcontroller
* buttons
* Dual color leds
* EEPROM memory

all on this small board!
Printed on the board:
C51343NFU
OPTREX Made in taiwan 284-3



Let the hacking commence.

So what's inside it:
* Microcontroller - PIC16F877 (not the A variant)
* LCD - HD44780 variant
* EEPROM - 24c32 I2C 4K
* 3 dual color LEDs (green and red)
* 2 single LEDs, connected to the same output pin (red)
* An RC oscillator of unknown speed

That's great, they even left pads for in-circuit programming.

Here are the connections:

You will need an ICSP-capable programmer to program it.
A word of warning while programming: connect the 5V line to an external power source, as most
programmers have insufficient current to supply the board.
I successfully programmed it with a PICkit 3 and the Minipro programmer.

The LCD has a weird display ROM; the character map is "funky" to say the least. Only space, numbers and English letters are where they are supposed to be, everything else requires some searching.


Attached is the source code, which is in C, for the MPLAB X IDE.
I have modified my version and added a 20 MHz crystal: I removed a resistor (R24) from the RC circuit and added a resistor between MCLR and 5V. The code is written for the crystal; it should work for RC, but the config bits need to be changed.

R.K.

Saturday, September 2, 2017

Orange PI PC + TFT ILI9341

Here is a quick way to configure a TFT display with an ILI9341 driver.
This should work with most (if not all) Orange Pi boards that are based on the H3 (not the Pi Zero).
I use Armbian as the OS.

Here are the connections that are needed:

Once connected, install Armbian for your board and connect it to a network.
Find the IP of the device (connect a screen and a keyboard, use the router's log, etc.).
PuTTY/ssh to it and log in (user: root, pass: 1234; these are the default values, please change the password to something more secure).

The TFT screen should be ON (white or black screen) with nothing on it.

Create a new file /etc/modules-load.d/fbtft.conf with the following content:

fbtft_device

Create another file /etc/modprobe.d/fbtft.conf with the
configuration for the fbtft_device module:

options fbtft_device custom name=fb_ili9341 gpios=dc:6,reset:9 speed=48000000 fps=25 busnum=0 rotate=270

Restart the device:
shutdown -r now

Wait for boot and log in again (the screen should be black).

Open /etc/X11/xorg.conf and edit it; change the line that says
 Option                  "fbdev" "/dev/fb0"

to:
 Option                  "fbdev" "/dev/fb8"

And restart again:
shutdown -r now

When the device boots you should have a working screen.

Friday, February 17, 2017

RS232 to TTL level shifter using transistors

Here is a schematic for a convenient circuit to connect a micro to an RS232 (COM) port using only common parts, no MAX232 and such.


BOM:
C1    220pF
D1    1N4007 - can be almost any regular diode
J1    DB9
P1    CONN_4 - can just use wires
Q1    BC558 - PNP transistor, can probably use any PNP transistor
Q2    BC547 - NPN transistor, can probably use any NPN transistor
R1    10K
R2    10K
R3    10K
R4    3.3K
R5    3.3K
R6    3.3K

PIN 1 requires VCC, the same voltage that the microcontroller uses.

Tested up to 115200 baud; used in many projects: ESP8266, sniffing router ports and the like.