So a couple of years ago I bought some KK-SP3 (from ikonke). They are ‘wireless smart plugs’, and despite their pretty-sketch appearance, work.
It’s a tiny little white box that plugs into your electrical outlet, and contains a relay and small Linux board.
The only real issue that I had initially was that it came with Chinese power pins (angled). So I did what you would expect, gave them a twist with some pliers, and, well, it works (see below, twisty!). The ground pin was in the wrong spot, but, well, after checking, it wasn’t connected internally anyway, so I didn’t feel bad about making that disappear.
OK, so we ran that for a while. I integrated these w/ home-assistant in a very simple way, by putting a bash-script cgi/json file in /www/cgi-bin. Life was good. (Did I mention the hacking of the device initially was trivial? Turn it on, it exposes a WiFi SSID as OK-SP3. Connect, ssh as root, the password is ‘p9z34c’.)
A couple of other minor changes (enable wifi on ‘wwan’, etc), and we were golden. Lights were automated, everyone was happy.
When suddenly a wild vulnerability appeared. Dropbear is cracked wide open. CVE-2016-7406. OK, no problem, let me just go back to the manuf… crap. That didn’t work.
OK, next step is, we’re already pretty much in, let’s just rebuild it all from upstream OSS.
It turns out this wasn’t that bad. If we use the WR703N config from Lede (the fork of OpenWRT), it just works. Enable it, add uhttpd, and build away.
Now, one thing to watch out for, there is no Ethernet port, and the image by default disables WiFi. So, when running sysupgrade, edit /etc/sysupgrade.conf first. Or, put the files you want in files/… dir in the build-root before you build.
Now, one minor niggle, the original image has this nicely named GPIO ‘relay’ to toggle the relay. But this is not defined in the BSP for the WR703N. So, well, let’s hunt it down. Turns out it’s GPIO 26.
So we can just use it as-is w/o the nice name.
echo 26 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio26/direction
echo 1 > /sys/class/gpio/gpio26/value # on
echo 0 > /sys/class/gpio/gpio26/value # off
And we are done! Now we are back to fully secure on this device.
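One way to write the /www/cgi-bin endpoint for the rebuilt image, as an added example rather than the author's own script. GPIO 26 comes from the post; the `state=on|off` query format, the JSON shape and the `GPIO_ROOT` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the author's script: /www/cgi-bin/relay for uhttpd.
# From the post: the relay is on GPIO 26. Assumed here: the state=on|off
# query format, the JSON shape, and the GPIO_ROOT override used for testing.
# The script does no authentication; restrict who can reach uhttpd.

GPIO_ROOT="${GPIO_ROOT:-/sys/class/gpio}"
RELAY_GPIO=26

relay_init() {
    # Export the pin only once; exporting an already-exported pin fails.
    if [ ! -d "$GPIO_ROOT/gpio$RELAY_GPIO" ]; then
        echo "$RELAY_GPIO" > "$GPIO_ROOT/export" || return 1
    fi
    # Writing "out" to direction also drives the pin low, which would switch
    # the load off on every request, so only write it when it is needed.
    if [ "$(cat "$GPIO_ROOT/gpio$RELAY_GPIO/direction" 2>/dev/null)" != "out" ]; then
        echo out > "$GPIO_ROOT/gpio$RELAY_GPIO/direction" || return 1
    fi
}

relay_state() {
    # Print "on" or "off" from the pin value; fail on anything else.
    case "$(cat "$GPIO_ROOT/gpio$RELAY_GPIO/value" 2>/dev/null)" in
        1) echo on ;;
        0) echo off ;;
        *) return 1 ;;
    esac
}

relay_set() {
    # Allow-list: only the two literal states ever reach the sysfs write.
    case "$1" in
        on)  echo 1 > "$GPIO_ROOT/gpio$RELAY_GPIO/value" ;;
        off) echo 0 > "$GPIO_ROOT/gpio$RELAY_GPIO/value" ;;
        *)   return 1 ;;
    esac
}

respond() {
    # $1 = status (e.g. "200 OK"), $2 = JSON body
    printf 'Status: %s\r\nContent-Type: application/json\r\n\r\n%s\n' "$1" "$2"
}

handle_request() {
    # $1 = REQUEST_METHOD, $2 = QUERY_STRING. The query string is only ever
    # compared against literals, never eval'd or expanded unquoted.
    relay_init || {
        respond "500 Internal Server Error" '{"error":"gpio unavailable"}'
        return 0
    }
    case "$1" in
        GET) ;;  # read-only: fall through and report the current state
        POST)
            case "$2" in
                state=on|state=off)
                    relay_set "${2#state=}" || {
                        respond "500 Internal Server Error" '{"error":"write failed"}'
                        return 0
                    } ;;
                *)
                    respond "400 Bad Request" '{"error":"state must be on or off"}'
                    return 0 ;;
            esac ;;
        *)
            respond "405 Method Not Allowed" '{"error":"use GET or POST"}'
            return 0 ;;
    esac
    state=$(relay_state) || {
        respond "500 Internal Server Error" '{"error":"cannot read relay"}'
        return 0
    }
    respond "200 OK" "{\"state\":\"$state\"}"
}

# Run only under a CGI server, which sets GATEWAY_INTERFACE (RFC 3875).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request "${REQUEST_METHOD:-}" "${QUERY_STRING:-}"
fi
```

State changes are accepted on POST only, so a plain GET of the URL can read the relay but not switch it.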
Oh yeah, want to see the wild interior of this ‘highly safe’ device? Here it is, de-spudged. It’s a tiny board (removed here) w/ the SOC/radio on it, and a 120V-3.3V power supply wedged around the plug.
So yeah, after ~2 hours of playing w/ this to get it fixed, uh, do you think the original $15 price was worth it?
When I was a kid my pride and joy was a TRS-80 Model III. It was used when it came to me, and I didn’t have floppy drives (although the cassette interface was fast).
It spent a lot of its life w/ the top off (tipped sideways) to get at its glorious internals, where it was integrated to various hackeries of my early teen mind, the pièce de résistance being an integration to the Radio Shack Mobile Armatron (below).
Now, one of the key debugging techniques I used to use (other than the common ‘debug print’) was an AM radio. Yes you heard that right. It turns out that you could construct ‘spin’ loops that would make tones on a nearby AM radio, and you could use those to figure out where your code was (this predates debuggers, I had no printer, nothing else with a serial port, etc). This predates me having a modem, but it was the same sort of glorious 8-bit noise. Lots of distortion and static, but glorious.
Fast forward in my career three decades, and the AM radio is no longer commonly used. Or is it?
You see, this technique can still be useful. First, let’s talk about Van Eck Phreaking. It’s like science fiction, but in fact was what I was using in the very early 80’s. You see, people can ‘sniff’ the inadvertent radio emissions of nearby devices. You can use it to figure out keystrokes, even what is showing on a monitor. Here’s a bit of an example, through 2 walls, someone viewed a monitor.
OK, great, but, what else can it do? Well, have you considered covert exfiltration? What if you have a computer on an isolated network. Maybe it’s where you store the caramilk secret in your manufacturing process (go on, if you are a child of the 80’s click that link for some sweet nostalgia). But you feel pretty secure since that machine is not on the Internet. But what if I showed you a way that it could send data outside the building, as-is, with no wires, no wifi, using only JavaScript?
Here’s an implementation of an AM radio tone-system, just like back in my TRS-80 days. All in JavaScript. And now you can send info to a listener that is nearby, but difficult to find. From that mission-impossible air-gapped network.
Another day another data breach. (Have you checked yourself on https://haveibeenpwned.com/? I’m thinking of making “have i not been pwned” and the answer is NO). OK, we are getting inured to this by now. Yawn, change the password on that site, we are good right?
Well, no. The media reporting always has the same things in it “they didn’t get financial information” so we don’t worry. After all, with today’s Bell Canada breach, what could anyone use my ExpressVu info for? So we go down this logical fallacy path of “did I share that password with other sites” etc. And the advice we are always given causes us to keep going the wrong way… “no financial info”… “only email + name + phone number + address + account number”. Who cares what my ExpressVu account number is? I make my phone number available to people, so…
OK, here’s where they get you. Ever switched carriers? You go to carrier B, buy a sim, and the number is ported over. Or maybe you’ve lost a phone/sim, get a new one, and they move it. What info did you provide to make that happen? What? The same info as in the breach? Oh, this means someone could ‘take over’ my sim (maybe with a little social engineering hacks). Hmm. OK, that would be an irritant but… Wait, I use that phone number as a 2-factor-authentication w/ SMS on another site. And, the phone number is the ‘backup’ for ‘I forgot my password’ at my bank.
And then the penny drops. You see, the mundane info of your phone company relationship is not interesting. But, it can be used to take over something that is interesting, like your banking. You see, it likely needs very little info to have a bank rep call you on the number on file, or SMS you, with a new password. So if I can get your SIM, I can get your life. And phone company info is prime for that, but also lots of sites have those ‘mundane’ details.
One defence which you would think would work would be to call the mobile company and have them put a note on your file “do not port out this sim”. Well, it turns out, that doesn’t always work. The scammer will keep calling the call centre until someone is busy, or doesn’t notice. Check this thread for this happening w/ T-Mobile (T-Mobile has this page about how to protect yourself, and tons of threads of angry people who didn’t read it). Want to know more? Click here. This is an excellent blog post on the subject and motivations, and the blogger actually tests the UK carriers (hint, they fail).
So, next time you see a data breach, and a bunch of text about how some low-level risk can be mitigated, ask yourself, what about the risks they are not mentioning? Social engineering is powerful, and getting that account info makes it not too hard.
And maybe ask your carrier how to put a lock on porting your sim out (or adding a second line).
I’m a big fan of “the invisible hand”, an economics concept coined by Adam Smith. The concept is that your individual selfish action can cause (good) social benefits elsewhere. An example would be putting a $0.05 tax on a plastic grocery bag. You being the cheapskate you are now reuse bags, and that causes a huge benefit for the environment and society. It wasn’t about raising that $0.05/bag for revenue, it was about people suddenly seeing that bag as a cost.
Now, let’s talk about two of my favourite domains… the security (or lack thereof) on the army of IoT devices that inhabit our lives, and, the huge ongoing maintenance effort associated with them. Could we apply an invisible hand to make society safer and more efficient?
Look around your house, do a nose-count. How many devices are somewhat Internet-enabled? Smart-tv? Tablet? Receiver? Stereo? Thermostat? Alarm? Various kids toys? Drone? Cat-feeder? Dog-treat-launcher? Car? Smart-Speaker? Security Camera? It doesn’t take long to get 30+.
Now, ask yourself, honestly. When you bought all that, did you look at each vendor critically from a lens of:
which has better security practises (and thus is likely to be more secure in the long run)
which was easier to manage/upgrade in the long run
Of course you didn’t. Instead you used ‘features’ and ‘cost’. You have no means of even evaluating those other items.
Now, what if there were some way you could evaluate those two things, and vote with your wallet? This would have a dramatic effect on the manufacturers.
First, let’s talk about one of the extremely inconvenient truths about the consumer IoT gadget space. The business model. As a consumer, you want to buy it once, own it for life, and not have an ongoing fee. And this is a huge disincentive to stick around and make a device secure for life. It creates the flip-side behaviour of ‘develop it fast, get it to market, and move on while selling it’. Any development post initial sale is seen as a waste of time, a cost.
Now let’s talk about that second inconvenient truth. Management. It’s hard to make things easy to manage. That same business problem above, as a manufacturer, I can just shift all the costs to you with complex upgrade approaches.
Now, let’s look at a device which has a pretty good track record here. The Nest Thermostat. Or its better cousin, the Ecobee. They are pretty strong in the 2nd category (they upgrade themselves automatically). And, we have not yet seen them be hacked, so presumably strong in the first category. One of the ‘bellwether’ things I look for is how often things are upgraded, and, if we look at my Nest, it was upgraded 2 hours ago! All by itself.
So why black out the serial/mac? Well, it’s because the security is somewhat opaque. Yes I think Google cares about security, yes I think they have strong practises. But, no one really knows how this device works, perhaps there is some backdoor that uses something calculated from the two.
So how would I score these devices? 9/10 on management, and 6/10 on security. How would I make that 6 be a 10? Well, transparency, a published policy on ‘what will we do when we give up patching’, ‘how long will we patch’, etc.
So, could we construct a score, something the typical consumer could internalise, and allow them to vote with their wallet? E.g. if two similar price/feature devices, one is cheaper to run and more secure, that manufacturer would be rewarded? Many say this is too complex to understand. But, well, nutrition labels took off, and they are not simple. EnergyStar took off. So yes, voluntary labelling, and consumer awareness, have had positive effects in other complex areas of industry.
Any input on what factors one would look for?
Lifecycle policy (how many years will this be supported)
End-of-life policy (will it be open-sourced? bricked?)
Update cycle (how often, how quickly in response to problems)
Is the firmware signed? How are the keys managed? Is there an external ‘ca’ that manages? Is that audited? Is there ‘transparency’ on the keys issued?
Versions of software installed, is there a list made available of all the components?
ISO 27001 facility?
Secure-by-default? Or well-known initial password?
And for ease-of-use (which is coupled with security in my mind, after all, how often do you update the complex devices? Not often you lazy sod!)
Is it automatic update, on-by-default?
Warning if updates fail?
Does it work the same way ‘the other devices’ do, or is it different?
Others?
I think there are some business opportunities here:
CA/signing authority for 3rd party firmware
Blockchain… sign the chain of software (e.g. linux-kernel->libc->libssl->nginx->camera app)
Standardised ‘update as a service’, some modular method each piece can be independently upgraded (e.g. upgrade OS vs app)
Standardised ‘get initial WiFi SSID and password’ configured instead of all the weird and wonderful apps to ‘find’ your new device
3rd party monitoring/audit/certification
Others?
The next stage in this grand-master plan would be, after launch of the score, and consumer education, we’d start to charge a ‘tax’ for the weak products. And then Darwin would take over!
The Xiaomi XiaoFang. It’s a cheap IP camera (~$20-$30) that delivers decent quality. Is it a candidate to be ‘improved’ with a bit of hacking? You betcha!
Spurred on by some external impetus, I acquired a WyzeCam. And of course, before turning it on, we took it apart!
A bit of squeezing, prying, and a small Phillips screwdriver, and the contents were revealed. We can see the RX/TX/GND for the serial port, so let’s assume it’s TTL and solder it up. I’m going to route the cables externally, so I hot-glue a header to the side of the USB-A connector and reach for the Dremel to expand the hole a little bit.
Inside, we have two PCBs (the CPU etc board, and the camera board) connected by a pair of ribbon cables. Tweeze them out, and we are left with the individuals ready for the solder.
OK, reassemble, you can’t even tell the mod is there, the headers just peek through the case above the USB port.
Hacking it is embarrassingly simple. Place an SD card in, and it tells you it’s looking for a script to run. Or, you can just modify files in /etc since it’s jffs2 mounted overtop of the rootfs. OK, well that was simple.
Now. I’m not super interested in the embedded app, so we apply fang-hacks. These are very basic, and zero security (not even a thin patina of guessable password), so we’ll have to address that in a bit. The fang-hacks revectors the snx_rtsp_server to send a single stream locally. So I guess that’s better. But I really would prefer this have multiple streams, save to the NAS when there is motion, and have a snapshot interface for home-assistant. So, naively, I assume there will be a great OSS project that has something, perhaps from the Raspberry Pi folks. Something w/ a simple web interface, and exposing the uvc video endpoints (the hardware does support multiple simultaneously). Sadly, this was not to be, closest I can find is mjpg-streamer which is somewhat out of date.
So, I’ll dive in and create a cross-compilation environment, get libjpeg going etc, and see where this ends up. If you know of anything (I mean anything) as an OSS project that would handle an HTTP snapshot interface, an RTSP streaming interface, and a simple web UI, let me know (maybe I’ll see if vlc can fit?)
PS, the default method of config for this device is a ‘novel’ concept. You press a button on the bottom, it says something in Chinese, you run the Mi home app, it then gives you a QR code, you hold that in front of the camera, and it reads it. Um, novel, but not that convenient for me. So I think putting the initial password/wifi info on the sdcard will be the way I go. Or, maybe, pressing the button starts a WiFi AP for the next minute and connect via web interface.
PPS, for you u-boot/dmesg junkies:
U-Boot 2011.09 (Sep 15 2017 - 20:19:00)
DRAM: 64 MiB
MMC: MMC: 0
SPI FLASH: 16 MB
In: serial
Out: serial
Err: serial
GPIO[2] is high
Hit any key to stop autoboot: 0
roofsr size = 0x6d3070
## Booting kernel from Legacy Image at 00008000 ...
Image Name: Linux-2.6.35.12
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 3038112 Bytes = 2.9 MiB
Load Address: 00008000
Entry Point: 00008040
Verifying Checksum ... OK
XIP Kernel Image ... OK
OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
Linux version 2.6.35.12 (fedora@localhost.localdomain) (gcc version 4.5.2 (SONiX GCC-4.5.2 Release 2011-12-06) ) #27 Thu Dec 22 18:48:16 6
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00057177
CPU: VIVT data cache, VIVT instruction cache
Machine: SONiX SN98600 Development Platform
Memory policy: ECC disabled, Data cache writeback
CPU: found ITCM 16k @ ffff4000, enabled
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock2 init=/linuxrc mem=64M isp=10M vc=12M vo=0M mtdparts=snx-spi:768k(uboot),307)
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 64MB = 64MB total
Memory: 36836k/36836k available, 28700k reserved, 0K highmem
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xffa00000 - 0xffe00000 ( 4 MB)
vmalloc : 0xc4800000 - 0xe0000000 ( 440 MB)
lowmem : 0xc0000000 - 0xc4000000 ( 64 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.init : 0xc0008000 - 0xc0026000 ( 120 kB)
.text : 0xc0026000 - 0xc04ec000 (4888 kB)
.data : 0xc050a000 - 0xc0535440 ( 174 kB)
SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Hierarchical RCU implementation.
RCU-based detection of stalled CPUs is disabled.
Verbose stalled-CPUs detection is disabled.
NR_IRQS:96
Console: colour dummy device 80x30
console [ttyS0] enabled
Calibrating delay loop... 200.29 BogoMIPS (lpj=1001472)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
0x00a00000 bytes system memory reserved for isp device at 0x005ec000
0x00c00000 bytes system memory reserved for vc device at 0x00fec000
bio: create slab at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Linux media interface: v0.10
Linux video capture interface: v2.00
Advanced Linux Sound Architecture Driver Version 1.0.23.
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource ft_clocksource
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
exFAT: Version 1.2.9
JFFS2 version 2.2. (NAND) 2001-2006 Red Hat, Inc.
fuse init (API version 7.14)
msgmni has been set to 71
async_tx: api initialized (async)
io scheduler noop registered (default)
SONIX UART driver, (c) 2013 Sonix
snx_uart.0: ttyS0 at MMIO 0x98a00000 (irq = 8) is a SONiX
snx_uart.1: ttyS1 at MMIO 0x98b00000 (irq = 10) is a SONiX
brd: module loaded
loop: module loaded
6 cmdlinepart partitions found on MTD device snx-spi
Creating 6 MTD partitions on "snx-spi":
0x000000000000-0x0000000c0000 : "uboot"
0x0000000c0000-0x0000003c0000 : "kernel"
0x0000003c0000-0x000000ac0000 : "rootfs"
0x000000ac0000-0x000000ec0000 : "rescue"
0x000000ec0000-0x000000fc0000 : "etc"
0x000000fc0000-0x000001000000 : "userconfig"
snx_spi_init register
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
usbcore: registered new interface driver zd1211rw
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
snx_ehci snx_ehci.0: snx_ehci
snx_ehci snx_ehci.0: new USB bus registered, assigned bus number 1
snx_ehci snx_ehci.0: irq 24, io mem 0x90800000
snx_ehci snx_ehci.0: USB 0.0 started, EHCI 0.96
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb1: Product: snx_ehci
usb usb1: Manufacturer: Linux 2.6.35.12 ehci_hcd
usb usb1: SerialNumber: sonix-ehci
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
usbserial: USB Serial Driver core
USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
option: v0.7.2:USB Driver for GSM modems
mice: PS/2 mouse device common for all mice
i2c /dev entries driver
SONIX SNX I2C adapter driver, (c) 2012 Sonix
snx_i2c.0: SNX I2C0 controller at 0x98300000 (irq = 1)
I2C GPIO driver INIT
snx_i2c.1: SNX I2C1 controller at 0x98400000 (irq = 2)
snx_hdma snx_hdma: SNX AHB DMA Controller (memcpy memset), 4 channels
SNX AHB DMA driver register
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
usbcore: registered new interface driver snd-usb-audio
ALSA device list:
No soundcards found.
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (575 buckets, 2300 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
ctnetlink v0.93: registering with nfnetlink.
xt_time: kernel timezone is -0000
IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
tunl0: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
sit0: Disabled Privacy Extensions
ip6tnl0: Disabled Privacy Extensions
NET: Registered protocol family 17
lib80211: common routines for IEEE802.11 drivers
VFS: Mounted root (cramfs filesystem) readonly on device 31:2.
Freeing init memory: 120K
hub 1-0:1.0: /run/media/fedora/software/SN986_1.50_P2P_TUTK_050a_20160921_1712/snx_sdk/kernel/linux-2.6.35.12/src/drivers/usb/core/hub.c 0
hub 1-0:1.0: port 1, status 0503, change 0000, 480 Mb/s
Create device file
snx_crypto driver loaded.
sonix crypto diver register
sonix_nvram_init
Init nvram id: 1303281516
Init nvram_crc id: 0x65535
nvram_check crc = 64197 crc_ref = 65535
[nvram_check:725] CRC error
SONIX Kernel NVRAM initialized
starting pid 529, tty '': '/etc/init.d/rcS'
Load drivers...
usb 1-1: new high speed USB device using snx_ehci and address 2
Sonix GPIO Driver
driver loaded.
sonix snx_aud_gpio diver register
usb 1-1: New USB device found, idVendor=0bda, idProduct=0179
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: 802.11n NIC
usb 1-1: Manufacturer: Realtek
usb 1-1: SerialNumber: C06D1AFB799D
Load audio drivers...
Load video drivers...
SNX_AUDIO: driver register.
SNX_SIGMA: adc submod driver init ok.
snx_isp snx_isp.0: [ISP] isp_camera_probe
soc-camera-pdrv soc-camera-pdrv.0: Probing soc-camera-pdrv.0
scan:sc2135
SNX_R2R: dac submod driver init ok.
sc2135 stop streaming
modprobe: module 'mt7601Ust0x3626 = 0x04
a' not found
sensor:sc2135 (id:0x2135) driver loadded
sc2135 start streaming
IQ.bin OK!
ubIdx = 6, fps = 25
priv->uwMaxExpL = 1440, info->frame_rate = 25
snx_isp snx_isp.0: ISP Camera driver loaded
snx_sd_initial:1289: SD initialisation done.
mmc_rescan:1159 = 0
mmc0: new high speed SDHC card at address e624
mmc_add_card:259 = 0
mmcblk0: mmc0:e624 ACLCF 119 GiB
mmcblk0: p1 p2
mmc_add_card:265 = 0
snx_vc snx_vc: sonix_vc device registered as /dev/video1
snx_vc snx_vc: sonix_vc device registered as /dev/video1
snx_vc snx_vc: sonix_vc device registered as /dev/video2
snx_vc snx_vc: sonix_vc device registered as /dev/video2
RTL871X: module init start
RTL871X: rtl8188eu v4.3.24_16705.20160509
RTL871X: build time: Jan 19 2017 06:53:17
RTL871X:
usb_endpoint_descriptor(0):
RTL871X: bLength=7
RTL871X: bDescriptorType=5
RTL871X: bEndpointAddress=81
RTL871X: wMaxPacketSize=512
RTL871X: bInterval=0
RTL871X: RT_usb_endpoint_is_bulk_in = 1
RTL871X:
usb_endpoint_descriptor(1):
RTL871X: bLength=7
RTL871X: bDescriptorType=5
RTL871X: bEndpointAddress=2
RTL871X: wMaxPacketSize=512
RTL871X: bInterval=0
RTL871X: RT_usb_endpoint_is_bulk_out = 2
RTL871X:
usb_endpoint_descriptor(2):
RTL871X: bLength=7
RTL871X: bDescriptorType=5
RTL871X: bEndpointAddress=3
RTL871X: wMaxPacketSize=512
RTL871X: bInterval=0
RTL871X: RT_usb_endpoint_is_bulk_out = 3
RTL871X: nr_endpoint=3, in_num=1, out_num=2
RTL871X: USB_SPEED_HIGH
RTL871X: CHIP TYPE: RTL8188E
RTL871X: rtw_hal_config_rftype RF_Type is 3 TotalTxPath is 1
RTL871X: Chip Version Info: CHIP_8188E_Normal_Chip_TSMC_D_CUT_1T1R_RomVer(0)
RTL871X: _ConfigNormalChipOutEP_8188E OutEpQueueSel(0x05), OutEpNumber(2)
RTL871X: EEPROM type is E-FUSE
RTL871X: Boot from EFUSE, Autoload OK !
RTL871X: SetHwReg8188E: bMacPwrCtrlOn=1
bFWReady == _FALSE call reset 8051...
RTL871X: =====> _8051Reset88E(): 8051 reset success .
RTL871X: efuse_read_phymap_from_txpktbuf bcnhead:0
RTL871X: efuse_read_phymap_from_txpktbuf len:111, lenbak:111, aaa:111, aaabak:111
RTL871X: efuse_read_phymap_from_txpktbuf read count:109
RTL871X: EEPROM ID=0x8129
RTL871X: VID = 0x0BDA, PID = 0x0179
RTL871X: Customer ID: 0x00, SubCustomer ID: 0xCD
RTL871X: Hal_ReadPowerSavingMode88E...bHWPwrPindetect(0)-bHWPowerdown(0) ,bSupportRemoteWakeup(1)
RTL871X: ### PS params=> power_mgnt(0),usbss_enable(0) ###
RTL871X: EEPROMRegulatory = 0x0
RTL871X: hal_com_config_channel_plan chplan:0x20
RTL871X: CrystalCap: 0x21
RTL871X: EEPROM Customer ID: 0x 0
RTL871X: EEPROM : AntDivCfg = 0, TRxAntDivType = 3
RTL871X: Board Type: 0x 0
RTL871X: ThermalMeter = 0xf
RTL871X: rtw_hal_read_chip_info in 270 ms
RTL871X: init_channel_set((null)) ChannelPlan ID:0x20, ch num:13
RTL871X: NR_RECVBUFF: 8
RTL871X: MAX_RECVBUF_SZ: 4000
RTL871X: NR_PREALLOC_RECV_SKB: 16
RTL871X: Enable CONFIG_FIX_NR_BULKIN_BUFFER
RTL871X: rtw_alloc_macid((null)) if1, hwaddr:ff:ff:ff:ff:ff:ff macid:1
RTL871X: rtw_macaddr_cfg mac addr:c0:6d:1a:fb:79:9d
RTL871X: bDriverStopped:True, bSurpriseRemoved:False, bup:0, hw_init_completed:0
RTL871X: rtw_ndev_init(wlan0) if1 mac_addr=c0:6d:1a:fb:79:9d
usbcore: registered new interface driver rtl8188eu
RTL871X: module init ret=0
Set hostname ...
Executing script (enabled: 1)
Cloud apps are disabled
Mounting /media/mmcblk0p1
Starting boa webserver...
1:0: SD power up.
right_count=3 value=0 last_value=0
1:0: SD power up.
1:0: SD power up.
Linking /media/mmcblk0p1/bootstrap/www/action -> /tmp/www/cgi-bin/action
right_count=3 value=0 last_value=0
ln: /tmp/www/cgi-bin/action: No such file or directory
Linking /media/mmcblk0p1/bootstrap/www/func.cgi -> /tmp/www/cgi-bin/func.cgi
ln: /tmp/www/cgi-bin/func.cgi: No such file or directory
right_count=3 value=0 last_value=0
Linking /media/mmcblk0p1/bootstrap/www/network -> /tmp/www/cgi-bin/network
ln: /tmp/www/cgi-bin/network: No such file or directory
Linking /media/mmcblk0p1/bootstrap/www/scripts -> /tmp/www/cgi-bin/scripts
ln: /tmp/www/cgi-bin/scripts: No such file or directory
right_count=3 value=0 last_value=0
Linking /media/mmcblk0p1/bootstrap/www/status -> /tmp/www/cgi-bin/status
ln: /tmp/www/cgi-bin/status: No such file or directory
Failed to find hacks in /media/mmcblk0p2/data!
0:0: SD power up.
0:0: SD power up.
0:0: SD power up.
EXT2-fs (mmcblk0p2): warning: mounting unchecked fs, running e2fsck is recommended
right_count=3 value=0 last_value=0
Mounted /media/mmcblk0p2/data
Running startup scripts
right_count=3 value=0 last_value=0
find snx_autorun.sh
Cloud is disabled
Welcome to XiaoFang Hacks :-)
Starting Network...
WiFi Client mode: using wpa_supplicant.conf
right_count=3 value=0 last_value=0
right_count=3 value=0 last_value=0
right_count=3 value=0 last_value=0
right_count=3 value=0 last_value=0
rfkill: Cannot open RFKILL conRTL871X: +871x_drv - drv_open, bup=0
trol device
RTL871X: Set RF Chip ID to RF_6052 and RF type to 3.
RTL871X: rtl8188e_FirmwareDownload fw:NIC, size: 15414
RTL871X: rtl8188e_FirmwareDownload: fw_ver=16 fw_subver=0000 sig=0x88e1, Month=11, Date=58, Hour=16, Minute=3c
RTL871X: polling_fwdl_chksum: Checksum report OK! (1, 0ms), REG_MCUFWDL:0x00030005
RTL871X: =====> _8051Reset88E(): 8051 reset success .
RTL871X: _FWFreeToGo: Polling FW ready OK! (1, 10ms), REG_MCUFWDL:0x000300c6
RTL871X: FWDL success. write_fw:1, 80ms
not in singleboard test
starting pid 734, tty '/dev/ttyS0': '/sbin/getty -L ttyS0 115200 vt100'
iSmartAlarm login: ==> rtl8188e_iol_efuse_patch
RTL871X: pDM_Odm TxPowerTrackControl = 1
RTL871X: pDM_Odm TxPowerTrackControl = 1
RTL871X: rtl8188eu_hal_init in 1070ms
RTL871X: wlan0Port-0 set opmode = 2
RTL871X: MAC Address = c0:6d:1a:fb:79:9d
RTL871X: -871x_drv - drv_open, bup=1
ADDRCONF(NETDEV_UP): wlan0: link is not ready
RTL871X: [rtw_wx_set_pmkid] IW_PMKSA_FLUSH!
RTL871X: set_mode = IW_MODE_INFRA
RTL871X: wlan0Port-0 set opmode = 2
RTL871X: set bssid:00:00:00:00:00:00
ioctl[SIOCSIWAP]: Operation not permitted
RTL871X: [rtw_wx_set_pmkid] IW_PMKSA_FLUSH!
udhcpc (v1.22.1) started
Sending discover...
RTL871X: SetHwReg8188E:(HW_VAR_CHECK_TXBUF)TXBUF Empty(1) in 0 ms
RTL871X: survey done event(42) band:0 for wlan0
RTL871X: rtw_indicate_scan_done(wlan0)
RTL871X: wpa_set_auth_algs, AUTH_ALG_OPEN_SYSTEM
RTL871X: set_mode = IW_MODE_INFRA
RTL871X: wlan0Port-0 set opmode = 2
RTL871X:
wpa_ie(length:22):
RTL871X: 0x30 0x14 0x01 0x00 0x00 0x0f 0xac 0x04
RTL871X: 0x01 0x00 0x00 0x0f 0xac 0x04 0x01 0x00
RTL871X: 0x00 0x0f 0xac 0x02 0x00 0x00 0x42 0x42
RTL871X: SetHwReg8188E, 4840, RCR= 700060ca
RTL871X: rtw_wx_set_freq: set to channel 11
RTL871X: =>rtw_wx_set_essid
RTL871X: ssid=197mohawk-iot, len=13
RTL871X: set ssid [197mohawk-iot] fw_state=0x00000008
RTL871X: Set SSID under fw_state=0x00000008
RTL871X: [by_bssid:0][assoc_ssid:197mohawk-iot][to_roam:0] new candidate: 197mohawk-iot(f0:b4:29:d9:9e:98, ch1) rssi:-76
RTL871X: [by_bssid:0][assoc_ssid:197mohawk-iot][to_roam:0] new candidate: 197mohawk-iot(06:25:9c:13:d4:36, ch11) rssi:-42
RTL871X: rtw_select_and_join_from_scanned_queue: candidate: 197mohawk-iot(06:25:9c:13:d4:36, ch:11)
RTL871X: link to new AP
RTL871X: <=rtw_wx_set_essid, ret 0
RTL871X: rtw_chk_start_clnt_join(wlan0) req: 11,0,0
RTL871X: rtw_chk_start_clnt_join(wlan0) union: 11,0,0
RTL871X: set bssid:06:25:9c:13:d4:36
RTL871X: Set BSSID under fw_state=0x00000088
RTL871X: OnBeacon: beacon keys ready
RTL871X: link to new AP
RTL871X: start auth
RTL871X: issue_auth
RTL871X: OnAuthClient
RTL871X: auth success, start assoc
RTL871X: network.SupportedRates[0]=82
RTL871X: network.SupportedRates[1]=84
RTL871X: network.SupportedRates[2]=8B
RTL871X: network.SupportedRates[3]=96
RTL871X: network.SupportedRates[4]=2C
RTL871X: network.SupportedRates[5]=0C
RTL871X: network.SupportedRates[6]=12
RTL871X: network.SupportedRates[7]=18
RTL871X: network.SupportedRates[8]=24
RTL871X: network.SupportedRates[9]=30
RTL871X: network.SupportedRates[10]=48
RTL871X: network.SupportedRates[11]=60
RTL871X: network.SupportedRates[12]=6C
RTL871X: issue_assocreq(): the rate[4]=2C is not supported by STA!
RTL871X: bssrate_len = 12
RTL871X: OnAssocRsp
RTL871X: report_join_res(5)
RTL871X: rtw_joinbss_update_network
RTL871X: rtw_alloc_macid(wlan0) if1, hwaddr:06:25:9c:13:d4:36 macid:0
RTL871X: rtw_joinbss_update_stainfo
RTL871X: supp_mcs_set = 00, 00, 00, rf_type=195, tx_ra_bitmap=0000000000000fff
RTL871X: ### Set STA_(0) info ###
RTL871X: assoc success
RTL871X: recv eapol packet
ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
RTL871X: send eapol packet
RTL871X: ODM_Get_Rate_Bitmap ==> rssi_level:0x01, WirelessMode:0x03, rate_bitmap:0x00000f00
RTL871X: UpdateHalRAMask8188E => mac_id:0, rate_id:4, networkType:0x03, mask:0x00000fff
==> rssi_level:1, rate_bitmap:0x00000f00
RTL871X: HW_VAR_BASIC_RATE: 0x15f -> 0x15f -> 0x15f
RTL871X: WMM(0): 0, a446
RTL871X: WMM(1): 0, a496
RTL871X: WMM(2): 0, 5e4332
RTL871X: WMM(3): 0, 2f3232
RTL871X: wmm_para_seq(0): 0
RTL871X: wmm_para_seq(1): 1
RTL871X: wmm_para_seq(2): 2
RTL871X: wmm_para_seq(3): 3
RTL871X: HTOnAssocRsp
RTL871X: ODM_Get_Rate_Bitmap ==> rssi_level:0x01, WirelessMode:0x03, rate_bitmap:0x00000f00
RTL871X: UpdateHalRAMask8188E => mac_id:0, rate_id:4, networkType:0x03, mask:0x00000fff
==> rssi_level:1, rate_bitmap:0x00000f00
RTL871X: ### MacID(31),Set Max Tx RPT MID(32)
RTL871X: SetHwReg8188E(wlan0): [HW_VAR_MACID_WAKEUP] macid=0, org reg_0x48c=0x00000000
RTL871X: rtl8188e_set_FwJoinBssReport_cmd mstatus(1)
RTL871X: rtw_hal_set_fw_rsvd_page PageSize: 128, RsvdPageNUm: 8
RTL871X: LocPsPoll: 2
RTL871X: LocNullData: 3
RTL871X: LocQosNull: 4
RTL871X: rtw_hal_set_fw_rsvd_page PageNum(5), pktlen(578)
RTL871X: rtw_hal_set_fw_rsvd_page: Set RSVD page location to Fw ,TotalPacketLen(578), TotalPageNum(5)
RTL871X: RsvdPageLoc: ProbeRsp=0 PsPoll=2 Null=3 QoSNull=4 BTNull=0
RTL871X: wlan0: 1 DL RSVD page success! DLBcnCount:1, poll:1
RTL871X: Set RSVD page location to Fw.
RTL871X: =>mlmeext_joinbss_event_callback - End to Connection without 4-way
RTL871X: phydm_rssi_report mac_id:0, mac:06:25:9c:13:d4:36, rssi:61
RTL871X: phydm_rssi_report RAINFO - TP:UL, TxBF:DIS, STBC:DIS, Noisy:True, Firstcont:True
RTL871X: recv eapol packet
RTL871X: send eapol packet
RTL871X: recv eapol packet
RTL871X: send eapol packet
RTL871X: ~~~~set sta key:unicastkey
RTL871X: set pairwise key camid:4, addr:06:25:9c:13:d4:36, kid:0, type:AES
RTL871X: ~~~~set sta key:groupkey
RTL871X: ==> rtw_set_key algorithm(4),keyid(2),key_mask(0)
RTL871X: set group key camid:5, addr:06:25:9c:13:d4:36, kid:2, type:AES
RTL871X: SetHwReg8188E, 4836, RCR= 700060ce
Sending discover...
Sending select for 10.255.254.108...
Lease of 10.255.254.108 obtained, lease time 7200
deleting routers
route: SIOCDELRT: No such process
adding dns 10.255.254.1
Starting ntpd...
Starting dropbear on port 22...
Starting RTSP server...
Starting IR script...
Finished
channel 0 buffer count=2, size=3133440
snx_vc snx_vc: snx_vc_open: Created instance c339a000, m2m_ctx: c3346800
snx_vc snx_vc: snx_vidioc_s_parm: snx_vidioc_s_parm: OUTPUT fps == 30
snx_vc snx_vc: snx_vidioc_s_parm: snx_vidioc_s_parm: CAPTURE fps == 30
snx_vc snx_vc: s_fmt: Setting format for type 2, wxh: 1920x1080, fmt: 808596563
snx_vc snx_vc: s_fmt: Setting format for type 1, wxh: 1920x1080, fmt: 875967048
<<>> alloc size=6266880 reduce size=3133440
sc2135 start streaming