Wednesday, 30 December 2015

Recovering from a hard bricked LG Optimus G E975.

Something a tad different this time. I am writing this so I remember not to fix bricked Android phones anymore. A soft brick is easy: boot into download mode, flash the stock firmware and bingo. A hard brick is trickier; the phone is basically a paperweight. The bootloader is messed up, so the phone is completely unresponsive – no download mode, no fastboot, no nothing.

So the adventure starts at the beginning.

I managed to get my hands on a bricked LG Optimus G E975. During a wipe in recovery mode, the user rendered the phone useless. Now was my time to work my magic.


THE UNBRICK GUIDE

  1. Download BoardDiag3.99c.zip

  2. Download E975 firmware.bin

  3. Install drivers

  4. Open the program



  1. Select the downloaded firmware.bin file.

  2. Find a good location where to extract the files (for example C:\lg)

  3. Click Extract and wait.

  4. Make sure AP chipset is G.

  5. Choose the right COM port (whatever port Windows assigned)

  6. Find the location specified in step 2. (C:\lg)

  7. Check

  8. Check

  9. Check

  10. START


If it works the first try you are in luck. If it does not work on the first try just smash buttons and pray!


THE STORY

Forums contain a lot of information, but the problem is that typically those posts were made a couple of years ago, so the majority of the links in them are now dead. Meaning, if we are lucky we find those thingies via Google.

I was reading about cases where that exact same phone was dead and I noticed the similarities. Then I found even more threads with the same problem. People said JTAG was the only option. In a nutshell, you send the phone to some workshop to replace the motherboard, or they rewrite the bootloader using JTAG. Not a financially good option, because the phone is not completely worthless, but worthless enough not to drown it with money.

The only sign of life – connect the phone using a USB cable and we have a device called QHSUSB_BULK. This is some kind of Qualcomm fallback recovery mode or something. All phones that have Qualcomm chips in them use this feature. Because of that there were a lot of posts from people with their not-so-useful phones.

But I did not find anything useful or anything that would give me some hope to revive this phone. A couple of days later, while traveling on public transport, I had an idea to google my problem in another language, specifically Russian. From personal experience you can find a lot of obscure and not-easy-to-find information in those Russian forums. Maybe because they are tinkerers, they like to fix stuff. Anyway, I came across this Ultimate Optimus G thread, all in RUSSIAN, woo.

To access downloadable content you need to register; the problem is the language barrier. But it is easy enough to overcome if you have learned a tiny bit of Russian. (What do you know, it was not completely useless.) And my favorite part – captchas that were in Russian.

So I found a guide.

I followed it and nothing. Tried all kinds of button combinations – nothing. An error popped up, nothing, again back to Google, nothing. Some people said that in that case the eMMC was dead = the game was ending. But I don't know why I did not give up at that point, maybe because I had already invested so much time into it. So I tried again, nothing. Again, nothing. Then I started listening to music, tried again, nothing. Started smashing the power button in the rhythm of the music; Windows did not like that, so it just started making those noises it makes when you disconnect/connect a device. Tried again, and the error went away. So it rewrote the bootloader and then I saw life: the LG logo popped up on the screen. Next thing I know I was in download mode. And Bob's your uncle! So, how did I fix it? It's a mystery to me. (Smash the power button.)

Monday, 17 August 2015

My take on the PA0RDT Mini Whip antenna.

I like shortwave radio because you can receive signals from all over the world, also there are all kinds of mysterious signals to explore.

In the grand scheme of things, the lower the frequency, the bigger the antenna you need. Well, there are all kinds of antenna designs, but I like to think of it that way. For example, I have a 27 MHz dipole on my roof that is around 5.3 meters long. If I wanted to listen to lower frequencies, around 3 MHz, for optimal performance I would need an antenna around 50 meters long, so using a dipole for lower frequencies is not very space efficient, especially if you do not have any room.

So I decided to build the Mini Whip antenna. It is popular, simple to build and on paper receives frequencies from 10 kHz to 30 MHz, and also it is super tiny.

There are some variations between different designs, but the basic idea is the same.

The schematic I followed.


During my tests it performed well, I was able to receive DCF77 signal for the first time. All other bands seemed to work as well.


Overall fun little nifty antenna.


For permanent outdoor use - one should probably use an enclosure.


Tuesday, 7 July 2015

MIRRORCROCODILE - a tool that helps to mess around with 433Mhz devices

I think the coolest thing to do with computers is to interact with the real world. Computers used to have parallel ports. Parallel ports made it super easy for tinkerers to interface with the real world. I have seen a lot of projects around the parallel port, but they are a thing of the past. New computers do not ship with parallel ports – nobody uses them – only people who want to flash LEDs when they receive a new email, etc.

What is the next best thing? What is the thing that every computer has? USB is hard to mess around with because it is too advanced for simple projects. You need to use controllers and it gets complicated fast – at least for me.

So then, inspired by that Triggertrap post, I realized – SOUNDCARD. Every computer/phone has a headphone jack. But what happens if you want to listen to music and flash LEDs? Then you buy a cheap USB soundcard from eBay and use that as a platform (you do not want to fry your onboard soundcard, I think).

A soundcard is basically an ADC and a DAC (microphone and headphone jack).

So I had an idea to strap a 433 MHz transmitter and a receiver to the soundcard. In my head it played out like this:

  • You can record devices that use simple modulations (AM/OOK).

  • You can send signals from the computer (GNURadio).

  • You can use replay (transmit, what was received).


So this project needed a cool codename; the NSA has l33t codenames, so I came up with MIRRORCROCODILE courtesy of nsanamegenerator.com


The mirror attack is the simplest: you only have to record and press play.

Here is a video where I mimic my wireless doorbell signal. Technically it should work with most 433 MHz devices that do not use rolling codes or some other signal modulation.
[youtube http://www.youtube.com/watch?v=BpOdoevWoJY]

Or if you want to edit/analyze the data more, or even send out completely new stuff, GNURadio should be useful enough.


Thursday, 30 April 2015

Homemade Triggertrap remote trigger

I was reading an article about a Kickstarter project that failed miserably, and found out about a company called Triggertrap. Their project failed, but they were already selling remote triggers for cameras. Remote triggers are fun; they allow you to control the camera remotely…

I have never owned a proper remote trigger; I have always used the timer function on my camera.
The remote costs around 42 euros, but the app is free. So I thought it should not be hard to build my own remote that works with the app.

The schematic:

Well, ideally you should use optocouplers to separate the electrical circuits, but I like to live dangerously.


It fits neatly in this little red box. Now I can take selfies 10 meters away.


Really, quite a useful thing while doing time-lapse photography.


Wednesday, 8 April 2015

RFID experiments

Radio-frequency identification (RFID) is a way to use electromagnetic fields to send and receive data wirelessly. The system consists of two parts: a reader and a tag. Tags can be passive or active. I think the most popular are passive tags, meaning no batteries are needed; the power comes from the reader. The reader constantly sends out an interrogation signal, and when a tag absorbs the energy and powers up, it radiates back the information from the embedded chip.

Then it divides further – different frequencies, generations, encryption schemes, etc.

Also, one popular part is NFC (Near Field Communication), which has better security and other improvements. The latest phones usually come with NFC read/write capabilities built in, so you can pay with your phone or touch phones together to share information. A lot of possibilities.


RFID/NFC is quite popular in our commercial world.

  • Anti-theft – stores use it to stop people stealing stuff.

  • Tracking people – putting tags inside shoes to track people; some festivals or nightclubs put them inside wristbands.

  • Payment – all kinds of simple payment systems or paying with a phone

  • Transportation - tag on a car so you will be charged automatically etc.

  • Security – opening doors, gates etc.

  • Public transport

  • Passports and other cards – rumored bombs that only explode when there is a US passport nearby.

  • Animal identification

  • Sporting events – games, lap times etc.


Homemade 125 kHz FSK tag reader


So of course there are two ways to approach this problem. The first way is to build your own gear, the second way is to buy the necessary stuff. I went with the third way – buying stuff and meanwhile building my own.

I went with scanlime’s “World's simplest RFID reader” design; there is also an Arduino implementation of the same thing.


Lately I like to build these “development” beds, where it is easy to add/remove stuff; it also adds rigidity without having a case.

Blue Plexiglas is pretty hip, got to unleash my artistic skills....

The Arduino generates the 125 kHz carrier.


Antenna design.

At first I went pretty loose on the antenna design; luckily/obviously that did not work.


The coil needs to resonate at 125 kHz. I chose a random capacitor – 10 nF. Working out the inductance gave me 162 µH.
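Written out as an added step (not from the post, whose formula image is missing), the LC resonance relation that turns the chosen 10 nF capacitor and the 125 kHz carrier into the required inductance:

$$f = \frac{1}{2\pi\sqrt{LC}} \quad\Rightarrow\quad L = \frac{1}{(2\pi f)^2\, C} = \frac{1}{(2\pi \cdot 125\,\text{kHz})^2 \cdot 10\,\text{nF}} \approx 162\,\mu\text{H}$$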

With that done, we need to calculate the coil dimensions that correspond to 162 µH.


I used an old bottle with a diameter of 6.9 cm. With that diameter I needed to make a coil with 33 turns.

I also experimented with various diameters and capacitor values – weirdly enough all of them worked.

The biggest problem is that I do not have the right tags. The system detects a tag but it does not decode it (yet?). But it does detect a tag so that is a win I guess.

Here is it in action:
[youtube http://www.youtube.com/watch?v=uIPWu6yvwJM]

Monday, 16 March 2015

Voice inversion with GNU radio

Voice inversion is security through obscurity. It is an analogue way to obscure the content of a transmission.

There are all kinds of variations of this scrambling, offering different levels of security. The general idea is that they take a signal and, as the name suggests, invert it, meaning low frequencies become high and vice versa.

This scrambling is a pretty old technique. It prevents people from just listening in. Nowadays, with fancy software and computers, it is pretty obsolete. IT IS OBSOLETE *cough*Elion*cough*.

Software for this has been floating around the internet for a long time, probably used by HAM radio operators. The basic rule is that you take the output from the radio receiver and pipe it to the computer. The computer, with its magic, outputs it as human-understandable information. Nowadays, for example, it is convenient to use an SDR.

GENERAL IDEA:

Wikipedia suggests:

In the simplest form of voice inversion, the frequency "p" of each component is replaced with "s-p", where "s" is the frequency of a carrier wave. This can be done by amplitude modulating the speech signal with the carrier, then applying a low-pass filter to select the lower sideband.

When I read the last sentence I realized how simple it would be to demodulate these signals with GNU Radio.

Wikipedia suggests the most common carrier frequencies are: 2.632 kHz, 2.718 kHz, 2.868 kHz, 3.023 kHz, 3.107 kHz, 3.196 kHz, 3.333 kHz, 3.339 kHz, 3.496 kHz, 3.729 kHz and 4.096 kHz.

DEMODULATION:

My flow graph:

MODULATION:

Technically it works the same way as demodulation, only reversed: simply feed in descrambled audio and it scrambles it. The same flow graph works great.
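The same single operation doing both jobs, as an added plain-Python example (not the post's GNU Radio flow graph): a 1000 Hz tone is moved to 3496 - 1000 = 2496 Hz, and running invert() on the result brings it back to 1000 Hz. The 16 kHz sample rate and the 201-tap low-pass filter are assumptions of this example.

```python
import math

FS = 16000        # assumed sound-card sample rate in Hz
CARRIER = 3496.0  # the carrier from the post's example (one of the common ones)

def lowpass_fir(cutoff_hz, fs, taps=201):
    """Windowed-sinc (Hamming) low-pass FIR that passes 0..cutoff_hz."""
    fc, m, h = cutoff_hz / fs, taps - 1, []
    for n in range(taps):
        k = n - m / 2
        sinc = 1.0 if k == 0 else math.sin(2 * math.pi * fc * k) / (2 * math.pi * fc * k)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * n / m)
        h.append(2 * fc * sinc * window)
    return h

def filter_fir(x, h):
    """Convolve x with h, dropping the group delay so the output lines up with x."""
    delay = (len(h) - 1) // 2
    out = []
    for n in range(len(x)):
        acc = 0.0
        for k, hk in enumerate(h):
            i = n + delay - k
            if 0 <= i < len(x):
                acc += hk * x[i]
        out.append(acc)
    return out

def invert(samples, carrier=CARRIER, fs=FS):
    """Voice inversion as the Wikipedia passage describes it: amplitude-modulate
    with the carrier, then low-pass to keep the lower sideband, so p -> carrier - p.
    Scrambling and descrambling are the same operation, as the post notes."""
    mixed = [v * 2.0 * math.cos(2 * math.pi * carrier * n / fs) for n, v in enumerate(samples)]
    return filter_fir(mixed, lowpass_fir(carrier, fs))

def tone(freq_hz, n, fs=FS):
    """Constructed input: a pure tone standing in for one speech component."""
    return [math.cos(2 * math.pi * freq_hz * i / fs) for i in range(n)]

def dominant_frequency(samples, fs=FS, step_hz=8):
    """Brute-force spectral peak search, enough to check where a tone landed."""
    best_f, best_p, f = 0.0, -1.0, 0.0
    while f <= fs / 2:
        re = sum(v * math.cos(2 * math.pi * f * i / fs) for i, v in enumerate(samples))
        im = sum(v * math.sin(2 * math.pi * f * i / fs) for i, v in enumerate(samples))
        if re * re + im * im > best_p:
            best_f, best_p = f, re * re + im * im
        f += step_hz
    return best_f
```

Anything above the carrier (the upper sideband at carrier + p) is what the low-pass removes; with a real recording you would feed the sound-card samples to invert() in place of tone().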


EXAMPLE:

Carrier frequency - 3496 Hz

Scrambled:

Descrambled:

Saturday, 14 February 2015

Infrared black magic

Lately I have been fascinated by devices that use infrared. Quite old technology, but fun anyway. IR remote controls are quite popular because that’s the cheapest way to remotely control a device. Negative sides? – Line-of-sight range.

So I stumbled across this thing called TV-B-Gone. It turns every TV known to man off/on. Quite a cheap and popular thing. So I was interested in making my own little device using an Arduino. Using sample sketches with libraries – easy.

Two TVs / Samsung and Philips

[youtube http://www.youtube.com/watch?v=JIaN5j3LZXQ]

The next idea was to capture IR codes and then replay them. The transmission part stays the same, but now we need input. I used a commonly available IR photo-detector module. It has everything in one package. Again using a library – nothing fancy.

[youtube http://www.youtube.com/watch?v=BBtoPneoi_4]

So my friend has a Samsung phone that has an IR blaster built in. That thing works great: a lot of apps and easy to use. I am not that lucky, so I decided to build my own implementation, using the headphone jack. The sample rate should be at least 48 kHz. IR remotes use a 38 kHz carrier, so it SHOULD WORK in theory. Rather than reinventing the wheel I started searching for similar projects and found a thing called “IRdroid”. Using one channel is out because it tops out at 22 kHz. With some dual-channel trickery it is possible to generate 38 kHz.


Usually they use two IR LEDs connected directly to the phone, which seemed too brutal to me. I found a schematic that seemed a bit safer, plus the signal is amplified using transistors. My own first idea was to use two LEDs and two transistors, but this schematic was a more elegant solution.

BREADBOARD TIME!

With the phone I found it to be quite fiddly; it also depends on how tolerant the TV is. Using a laptop it worked better.

Wednesday, 7 January 2015

Wiring little wires to stuff or “How did I get fingerprint scanner”

So I had/have a semi-old dead laptop. The motherboard is dead, everything else works. It’s a Dell XPS M1330. It has a fingerprint scanner that made me curious. How does it work? How is it connected, and can I use it?

I ripped the laptop open and extracted all kinds of fun stuff including the fingerprint sensor.

It has a little chip marked TCD42A1DN0.

So I started investigating.

First thing that threw me off was the 6 pin ribbon cable (USB typically uses 4).

  • Finding the ground pin is the easiest – found that.

  • Found the power pin – it was a line with a capacitor connected to ground, so I assumed this was the power pin.

  • Two pins are unpopulated.

  • Two pins are connected to resistors – starting to look like USB data lines.

THE PINOUT

Interfacing it.

Typically all internal laptop stuff uses 3.3 V, so that seemed a safe way to go. I needed a voltage converter to step down from 5 V.

It has a ribbon cable, so that’s a no-go. I removed that and the plug and decided to connect wires directly to it.

This needs some soldering under a microscope because this stuff is tiny.



Soldered everything up and time to test.

USB Data+ and Data-: connected them randomly, a 50/50 chance that it goes right the first time. (But in real life I always connect it backwards the first time.)


Connected it to a perforated board and hooked up the USB cable.


Time to roll

Connected it to a computer. Windows detected it (Data+ and Data- went the right way the first time). Windows installed drivers automatically and restarted the computer.


Voila, it is working!
