Wink Hub 2 teardown

So for a while I’ve been looking at hacking into the wink hub 2. I’ve had it for a number of years and so far it has just worked for what I needed it for. Then wink starts with the subscription nonsense and this morning it refused to connect at all. So time to take it apart.

It’s a pretty easy disassemble.

  1. 2 screws under the rubber bumper on the device.
  2. Pull the base free, you’ll see the bottom edge of the PCB.
  3. The one side snaps of with a little bit of pressure separating the 2 halves. I used a spudger to help it along.

Awesome looks like there are headers on the board again. Lets see the other side.

Front side

They were even kind enough to label all of them. So I soldered on a UART header and connected up my FTDI cable.

No surprise here, it’s running u-boot


U-Boot 2015.04 (Sep 02 2016 - 20:09:54)

CPU:   Freescale i.MX6UL rev1.1 at 396 MHz
CPU:   Temperature 30 C
Reset cause: POR
Board: MX6UL Flex Wink Hub V2
I2C:   ready
DRAM:  512 MiB
NAND:  128 MiB
In:    serial
Out:   serial
Err:   serial
Net:   FEC0
Normal Boot
Hit any key to stop autoboot:  0
UBI: attaching mtd1 to ubi0
UBI: scanning is finished
UBI: attached mtd1 (name "mtd=2", size 10 MiB) to ubi0
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 80, bad PEBs: 0, corrupted PEBs: 0
UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 1444/964, WL threshold: 4096, image sequence number: 720637420
UBI: available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 20
Loading file 'DO_UPDATE' to addr 0x83000000 with size 1 (0x00000001)...
Done
Total of 1 word(s) were the same

Loading from nand0, offset 0x3700000
   Image Name:   Linux-3.14.52
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    50856042 Bytes = 48.5 MiB
   Load Address: 80800000
   Entry Point:  80800000
Secure boot on, reading 50868256 bytes to get SRK data

Authenticate image from DDR location 0x80800000...

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!

and Linux


Booting Linux on physical CPU 0x0
Linux version 3.14.52 (ubuntu@a1b25e96d169) (gcc version 5.3.0 (Buildroot 2016.05) ) #2 PREEMPT Tue Jun 11 19:47:11 UT9
CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c53c7d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine model: Wink Hub2 / Flex 40-00041-01
cma: CMA: reserved 192 MiB at 94000000
Memory policy: Data cache writeback
CPU: All CPU(s) started in SVC mode.
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 130048
Kernel command line: console=ttymxc0,115200 mtdparts=gpmi-nand:3m(boot),32m(updater),10m(database),10m(dbBackup),-(app)
PID hash table entries: 2048 (order: 1, 8192 bytes)
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Memory: 269128K/524288K available (6092K kernel code, 309K rwdata, 1888K rodata, 44846K init, 378K bss, 255160K reserv)
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0xa0800000 - 0xff000000   (1512 MB)
    lowmem  : 0x80000000 - 0xa0000000   ( 512 MB)
    modules : 0x7f000000 - 0x80000000   (  16 MB)
      .text : 0x80008000 - 0x807d32a0   (7981 kB)
      .init : 0x807d4000 - 0x8339f9f4   (44847 kB)
      .data : 0x833a0000 - 0x833ed5a0   ( 310 kB)
       .bss : 0x833ed5ac - 0x8344bdbc   ( 379 kB)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Preemptible hierarchical RCU implementation.
NR_IRQS:16 nr_irqs:16 16
Switching to timer-based delay loop
sched_clock: 32 bits at 3000kHz, resolution 333ns, wraps every 1431655765682ns
clocksource_of_init: no matching clocksources found
Console: colour dummy device 80x30
Calibrating delay loop (skipped), value calculated using timer frequency.. 6.00 BogoMIPS (lpj=30000)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0x805d2980 - 0x805d29d8
devtmpfs: initialized
VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
pinctrl core: initialized pinctrl subsystem
regulator-dummy: no parameters
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
cpuidle: using governor ladder
cpuidle: using governor menu
Use WDOG1 as reset source
syscon 20c8000.anatop: regmap [mem 0x020c8000-0x020c8fff] registered
vdd3p0: 2625 <--> 3400 mV at 3000 mV
cpu: 725 <--> 1450 mV at 1150 mV
vddsoc: 725 <--> 1450 mV at 1175 mV
syscon 20e4000.iomuxc-gpr: regmap [mem 0x020e4000-0x020e7fff] registered
syscon 21ac000.romcp: regmap [mem 0x021ac000-0x021affff] registered
syscon 21bc000.ocotp-ctrl: regmap [mem 0x021bc000-0x021bffff] registered
hw-breakpoint: found 5 (+1 reserved) breakpoint and 4 watchpoint registers.
hw-breakpoint: maximum watchpoint size is 8 bytes.
imx6ul-pinctrl 20e0000.iomuxc: initialized IMX pinctrl driver
20dc000.gpc supply pu not found, using dummy regulator
bio: create slab <bio-0> at 0
mxs-dma 1804000.dma-apbh: initialized
wlreg_on: 3300 mV
i2c-core: driver [max17135] using legacy suspend method
i2c-core: driver [max17135] using legacy resume method
SCSI subsystem initialized
i2c i2c-0: IMX I2C adapter registered
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
PTP clock support registered
MIPI CSI2 driver module loaded
Bluetooth: Core ver 2.18
NET: Registered protocol family 31
Bluetooth: HCI device and connection manager initialized
Bluetooth: HCI socket layer initialized
Bluetooth: L2CAP socket layer initialized
Bluetooth: SCO socket layer initialized
Switched to clocksource mxc_timer1
cfg80211: Calling CRDA to update world regulatory domain
NET: Registered protocol family 2
TCP established hash table entries: 4096 (order: 2, 16384 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
Bus freq driver module loaded
futex hash table entries: 256 (order: -1, 3072 bytes)
NFS: Registering the id_resolver key type
Key type id_resolver registered
Key type id_legacy registered
jffs2: version 2.2. (NAND) �© 2001-2006 Red Hat, Inc.
fuse init (API version 7.22)
msgmni has been set to 909
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
imx-weim 21b8000.weim: Driver registered.
MIPI DSI driver module loaded
MIPI DSI driver module loaded
imx-sdma 20ec000.sdma: no event needs to be remapped
imx-sdma 20ec000.sdma: loaded firmware 3.2
imx-sdma 20ec000.sdma: initialized
Serial: IMX driver
2018000.serial: ttymxc6 at MMIO 0x2018000 (irq = 71, base_baud = 5000000) is a IMX
2020000.serial: ttymxc0 at MMIO 0x2020000 (irq = 58, base_baud = 5000000) is a IMX
console [ttymxc0] enabled
21e8000.serial: ttymxc1 at MMIO 0x21e8000 (irq = 59, base_baud = 5000000) is a IMX
21ec000.serial: ttymxc2 at MMIO 0x21ec000 (irq = 60, base_baud = 5000000) is a IMX
21f0000.serial: ttymxc3 at MMIO 0x21f0000 (irq = 61, base_baud = 5000000) is a IMX
21f4000.serial: ttymxc4 at MMIO 0x21f4000 (irq = 62, base_baud = 5000000) is a IMX
serial: Freescale lpuart driver
[drm] Initialized drm 1.1.0 20060810
[drm] Initialized vivante 1.0.0 20120216 on minor 0
brd: module loaded
loop: module loaded
nand: device found, Manufacturer ID: 0x2c, Chip ID: 0xf1
nand: Micron MT29F1G08ABAEAWP
nand: 128MiB, SLC, page size: 2048, OOB size: 64
gpmi-nand 1806000.gpmi-nand: enable the asynchronous EDO mode 5
Bad block table found at page 65472, version 0x01
Bad block table found at page 65408, version 0x01
5 cmdlinepart partitions found on MTD device gpmi-nand
Creating 5 MTD partitions on "gpmi-nand":
0x000000000000-0x000000300000 : "boot"
0x000000300000-0x000002300000 : "updater"
0x000002300000-0x000002d00000 : "database"
0x000002d00000-0x000003700000 : "dbBackup"
0x000003700000-0x000008000000 : "app"
gpmi-nand 1806000.gpmi-nand: driver registered.
spi_imx 2008000.ecspi: probed
2188000.ethernet supply phy not found, using dummy regulator
pps pps0: new PPS source ptp0
libphy: fec_enet_mii_bus: probed
fec 2188000.ethernet eth0: registered PHC device 0
snvs_pwrkey 20cc000.snvs-pwrkey: can't get snvs clock
input: 20cc000.snvs-pwrkey as /devices/soc0/soc.0/2000000.aips-bus/20cc000.snvs-pwrkey/input/input0
snvs_pwrkey 20cc000.snvs-pwrkey: i.MX snvs powerkey probed
snvs_rtc 20cc034.snvs-rtc-lp: can't get snvs-rtc clock
snvs_rtc 20cc034.snvs-rtc-lp: rtc core: registered 20cc034.snvs-rtc-lp as rtc0
i2c /dev entries driver
i2c-core: driver [mag3110] using legacy suspend method
i2c-core: driver [mag3110] using legacy resume method
imx2-wdt 20bc000.wdog: IMX2+ Watchdog Timer enabled. timeout=60s (nowayout=0)
Bluetooth: HCI UART driver ver 2.2
Bluetooth: HCI H4 protocol initialized
Bluetooth: HCI BCSP protocol initialized
Bluetooth: HCIATH3K protocol initialized
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
sdhci-pltfm: SDHCI platform and OF driver helper
sdhci-esdhc-imx 2190000.usdhc: assigned as wifi host
mmc0: no vqmmc regulator found
mmc0: no vmmc regulator found
mmc0: SDHCI controller on 2190000.usdhc [2190000.usdhc] using ADMA
caam 2140000.caam: Instantiated RNG4 SH0
caam 2140000.caam: Instantiated RNG4 SH1
caam 2140000.caam: device ID = 0x0a160300 (Era 8)
caam 2140000.caam: job rings = 3, qi = 0
caam algorithms registered in /proc/crypto
caam_jr 2141000.jr0: registering rng-caam
platform caam_sm: blkkey_ex: 8 keystore units available
platform caam_sm: 64-bit clear key:
platform caam_sm: [0000] 00 01 02 03 04 0f 06 07
platform caam_sm: 64-bit black key:
platform caam_sm: [0000] b1 01 3c 01 e6 9f 29 08
platform caam_sm: [0008] 2f 69 a6 64 1d f3 6b cc
platform caam_sm: 128-bit clear key:
platform caam_sm: [0000] 00 01 02 03 04 0f 06 07
platform caam_sm: [0008] 08 09 0a 0b 0c 0d 0e 0f
platform caam_sm: 128-bit black key:
platform caam_sm: [0000] 74 8e 55 37 ba 98 77 d0
platform caam_sm: [0008] 8d f9 26 49 cd a9 f8 8d
platform caam_sm: 192-bit clear key:
platform caam_sm: [0000] 00 01 02 03 04 0f 06 07
platform caam_sm: [0008] 08 09 0a 0b 0c 0d 0e 0f
platform caam_sm: [0016] 10 11 12 13 14 15 16 17
platform caam_sm: 192-bit black key:
platform caam_sm: [0000] 61 6b 5f 74 d5 e9 57 76
platform caam_sm: [0008] 73 b1 5f 36 fa 8e 22 94
platform caam_sm: [0016] dc 02 a9 90 b6 8c f0 19
platform caam_sm: [0024] f3 c6 97 5a eb 0a b0 da
platform caam_sm: 256-bit clear key:
platform caam_sm: [0000] 00 01 02 03 04 0f 06 07
platform caam_sm: [0008] 08 09 0a 0b 0c 0d 0e 0f
platform caam_sm: [0016] 10 11 12 13 14 15 16 17
platform caam_sm: [0024] 18 19 1a 1b 1c 1d 1e 1f
platform caam_sm: 256-bit black key:
platform caam_sm: [0000] d5 bd 4b c6 48 da 05 f7
platform caam_sm: [0008] 7f 87 21 1c e9 23 35 72
platform caam_sm: [0016] ff 57 5d 54 3f b8 56 ef
platform caam_sm: [0024] 8b 66 bd ae de e9 30 40
platform caam_sm: 64-bit unwritten blob:
platform caam_sm: [0000] 00 00 00 00 00 00 00 00
platform caam_sm: [0008] 00 00 00 00 00 00 00 00
platform caam_sm: [0016] 00 00 00 00 00 00 00 00
platform caam_sm: [0024] 00 00 00 00 00 00 00 00
platform caam_sm: [0032] 00 00 00 00 00 00 00 00
platform caam_sm: [0040] 00 00 00 00 00 00 00 00
platform caam_sm: [0048] 00 00 00 00 00 00 00 00
platform caam_sm: [0056] 00 00 00 00 00 00 00 00
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 128-bit unwritten blob:
platform caam_sm: [0000] 00 00 00 00 00 00 00 00
platform caam_sm: [0008] 00 00 00 00 00 00 00 00
platform caam_sm: [0016] 00 00 00 00 00 00 00 00
platform caam_sm: [0024] 00 00 00 00 00 00 00 00
platform caam_sm: [0032] 00 00 00 00 00 00 00 00
platform caam_sm: [0040] 00 00 00 00 00 00 00 00
platform caam_sm: [0048] 00 00 00 00 00 00 00 00
platform caam_sm: [0056] 00 00 00 00 00 00 00 00
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 196-bit unwritten blob:
platform caam_sm: [0000] 00 00 00 00 00 00 00 00
platform caam_sm: [0008] 00 00 00 00 00 00 00 00
platform caam_sm: [0016] 00 00 00 00 00 00 00 00
platform caam_sm: [0024] 00 00 00 00 00 00 00 00
platform caam_sm: [0032] 00 00 00 00 00 00 00 00
platform caam_sm: [0040] 00 00 00 00 00 00 00 00
platform caam_sm: [0048] 00 00 00 00 00 00 00 00
platform caam_sm: [0056] 00 00 00 00 00 00 00 00
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 256-bit unwritten blob:
platform caam_sm: [0000] 00 00 00 00 00 00 00 00
platform caam_sm: [0008] 00 00 00 00 00 00 00 00
platform caam_sm: [0016] 00 00 00 00 00 00 00 00
platform caam_sm: [0024] 00 00 00 00 00 00 00 00
platform caam_sm: [0032] 00 00 00 00 00 00 00 00
platform caam_sm: [0040] 00 00 00 00 00 00 00 00
platform caam_sm: [0048] 00 00 00 00 00 00 00 00
platform caam_sm: [0056] 00 00 00 00 00 00 00 00
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 64-bit black key in blob:
platform caam_sm: [0000] 58 4f 4e fa 09 9e 64 82
platform caam_sm: [0008] 1b d9 73 32 64 a2 c8 86
platform caam_sm: [0016] 3c 8f 96 4c 12 3d 03 df
platform caam_sm: [0024] c6 5f 0b e5 45 e6 25 cb
platform caam_sm: [0032] 46 2b c4 de 9a 6f d1 a3
platform caam_sm: [0040] 32 1a fd 8a 85 73 fb 3e
platform caam_sm: [0048] 52 1a 8c 14 1b 91 34 69
platform caam_sm: [0056] 00 00 00 00 00 00 00 00
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 128-bit black key in blob:
platform caam_sm: [0000] b1 ce cb b1 b1 4f 98 79
platform caam_sm: [0008] 06 28 f1 89 d9 fe aa 7f
platform caam_sm: [0016] 0b 33 49 18 d7 ae e6 6e
platform caam_sm: [0024] 96 4c 10 68 41 94 4b 50
platform caam_sm: [0032] 27 63 54 0f 8e af 14 b9
platform caam_sm: [0040] 43 e9 de 90 ba 6c c0 d4
platform caam_sm: [0048] 8b 95 5b 2c fe 0c 1d 7f
platform caam_sm: [0056] 14 c2 01 c3 b6 cd 82 11
platform caam_sm: [0064] 00 00 00 00 00 00 00 00
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 192-bit black key in blob:
platform caam_sm: [0000] 1a 95 36 5d 3f fb 19 58
platform caam_sm: [0008] 98 32 c3 2c fc 73 9f 43
platform caam_sm: [0016] 5c a5 30 c2 b2 14 57 8f
platform caam_sm: [0024] ff 4e 1b 67 79 42 a8 ad
platform caam_sm: [0032] 47 f0 22 5a ff 63 d0 23
platform caam_sm: [0040] 75 73 c6 da 23 03 40 8c
platform caam_sm: [0048] d2 50 2d 64 cb 22 9d 0c
platform caam_sm: [0056] dd a4 67 4f 3e f9 fd f0
platform caam_sm: [0064] bd 2e 47 14 85 59 fc 80
platform caam_sm: [0072] 00 00 00 00 00 00 00 00
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: 256-bit black key in blob:
platform caam_sm: [0000] fd 6a a3 76 12 d8 11 61
platform caam_sm: [0008] 7f b3 5d a1 6c 86 08 03
platform caam_sm: [0016] 36 f4 dc 55 cd 03 1f 4a
platform caam_sm: [0024] e4 99 24 e6 ab 1e a9 96
platform caam_sm: [0032] 7f 3c aa a9 52 3f 1b f0
platform caam_sm: [0040] 31 99 fb 84 42 e9 33 02
platform caam_sm: [0048] 51 13 dd 5d 3a ff d5 37
platform caam_sm: [0056] d2 00 6c 28 40 2c 8e d1
platform caam_sm: [0064] a9 71 34 69 39 57 46 5e
platform caam_sm: [0072] ae e9 fa 20 61 1e 16 3a
platform caam_sm: [0080] 00 00 00 00 00 00 00 00
platform caam_sm: [0088] 00 00 00 00 00 00 00 00
platform caam_sm: restored 64-bit black key:
platform caam_sm: [0000] 7d 43 74 34 c3 f0 d4 c0
platform caam_sm: [0008] 30 dd bf a6 d4 09 5e c5
platform caam_sm: restored 128-bit black key:
platform caam_sm: [0000] 74 8e 55 37 ba 98 77 d0
platform caam_sm: [0008] 8d f9 26 49 cd a9 f8 8d
platform caam_sm: restored 192-bit black key:
platform caam_sm: [0000] 61 6b 5f 74 d5 e9 57 76
platform caam_sm: [0008] 73 b1 5f 36 fa 8e 22 94
platform caam_sm: [0016] 45 10 62 b4 5d ca 9a 2c
platform caam_sm: [0024] 5a db 0f 5c 12 10 b7 4a
platform caam_sm: restored 256-bit black key:
platform caam_sm: [0000] d5 bd 4b c6 48 da 05 f7
platform caam_sm: [0008] 7f 87 21 1c e9 23 35 72
platform caam_sm: [0016] ff 57 5d 54 3f b8 56 ef
platform caam_sm: [0024] 8b 66 bd ae de e9 30 40
snvs-secvio 20cc000.caam-snvs: can't get snvs clock
snvs-secvio 20cc000.caam-snvs: violation handlers armed - trusted state
NET: Registered protocol family 26
TCP: cubic registered
NET: Registered protocol family 10
sit: IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Bluetooth: RFCOMM TTY layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM ver 1.11
Bluetooth: BNEP (Ethernet Emulation) ver 1.3
Bluetooth: BNEP filters: protocol multicast
Bluetooth: BNEP socket layer initialized
Bluetooth: HIDP (Human Interface Emulation) ver 1.2
Bluetooth: HIDP socket layer initialized
8021q: 802.1Q VLAN Support v1.8
Key type dns_resolver registered
cpu cpu0: dev_pm_opp_get_opp_count: device OPP not found (-19)
wlreg_on: disabling
regulator-dummy: disabling
snvs_rtc 20cc034.snvs-rtc-lp: setting system clock to 1970-01-01 00:00:01 UTC (1)
Freeing unused kernel memory: 44844K (807d4000 - 8339f000)
Creating symlinks in /dev
Starting RGB LED control deamon.
Mounting database
UBI: attaching mtd3 to ubi0
UBI: scanning is finished
UBI: attached mtd3 (name "dbBackup", size 10 MiB) to ubi0
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 80, bad PEBs: 0, corrupted PEBs: 0
UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 3500/2311, WL threshold: 4096, image sequence number: 1098468252
UBI: available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 20
UBI: background thread "ubi_bgt0d" started, PID 146
UBI device number 0, total 80 LEBs (10158080 bytes, 9.7 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0)
UBIFS: background thread "ubifs_bgt0_0" started, PID 148
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 0, name "database_backup"
UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
UBIFS: FS size: 5840896 bytes (5 MiB, 46 LEBs), journal size 1015809 bytes (0 MiB, 6 LEBs)
UBIFS: reserved for root: 275879 bytes (269 KiB)
UBIFS: media format: w4/r0 (latest is w4/r0), UUID 8DE4614F-E3DC-432A-8AB1-B1F386BEDD5A, small LPT model
/database_backup mounted Ok on: 1 attempt(s)
UBI: attaching mtd2 to ubi1
UBI: scanning is finished
UBI: attached mtd2 (name "database", size 10 MiB) to ubi1
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 80, bad PEBs: 0, corrupted PEBs: 0
UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 1444/964, WL threshold: 4096, image sequence number: 720637420
UBI: available PEBs: 0, total reserved PEBs: 80, PEBs reserved for bad PEB handling: 20
UBI: background thread "ubi_bgt1d" started, PID 161
UBI device number 1, total 80 LEBs (10158080 bytes, 9.7 MiB), available 0 LEBs (0 bytes), LEB sizUBIFS: background thr3
e 126976 bytes (124.0 KiB)
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 1, volume 0, name "database"
UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
UBIFS: FS size: 5840896 bytes (5 MiB, 46 LEBs), journal size 1015809 bytes (0 MiB, 6 LEBs)
UBIFS: reserved for root: 275879 bytes (269 KiB)
UBIFS: media format: w4/r0 (latest is w4/r0), UUID 91FBBF89-8591-4596-B9B4-0D331602A906, small LPT model
/database mounted Ok on: 1 attempt(s)
Attempting to backup database
sending incremental file list
random: nonblocking pool is initialized

Unfortunately it looks like secure boot has been enabled. It’s an imx6 so hopefully we can get it into SDP mode.

No surprise that there isn’t source code published by wink.

https://github.com/winkapp/wink-hub-kernel-public

I’ve already contacted them twice about releasing new code but no response from their support yet.

https://www.wink.com/help/contact/

Maybe if we all ask nicely they will release some.

Ubuntu 20.04 focal secure boot

I was trying to install a dkms package on focal and it would ask for the MOC signing password but then on reboot it would not confirm it so I still couldn’t load the module

I figured out how to manually add the signing key. I likely broke the whole secure boot thing while I was at it but that’s a problem for another day.

First make sure that a key has been generated


sudo update-secureboot-policy --new-key

Then copy that key to somewhere accessible during boot


sudo cp /var/lib/shim-signed/mok/MOK.der /boot/efi/EFI/ubuntu

Now force the MOK shim to run during boot


sudo mokutil --disable-validation

During boot you should get a nice blue screen that says add key from disk. Find the MOK.der you copied above.

Now you should be able to load DKMS signed modules.

CHIP Pro TNC

So I finally have a design of the TNC I’ve been working on that I think is ready for release. Initially this started with me wanting a replacement for my mobilinkd and AP510. With feature creep it has turned into much more.

The current board has a VHF radio module, a CHIP Pro computer module running Linux ( NTC calls it gadget OS ) and a Mikrobus slot. I’m currently using the Mikrobus for a GPS module but there are lots of variants.

 

Features

I’m going to split the features into ones I’ve had the time to test with the current design and features that did work on previous designs but haven’t been tested on the current design or haven’t been tried at all.

Current features

  • The OS is a slightly modified Gadget OS
  • There is a web server that can display maps, receive APRS beacons and send APRS messages ( receive was broken last time I checked )
  • Send and receive APRS messages using direwolf
  • APRX interface for viscous digipeating
  • Mikrobus slot that supports 3.3V serial modules for GPS
  • 1W VHF module

Previously working features

  • WiFi access point
  • mobilnkd type interface for connecting to HT radios for higher power TX – I used the same interface as the mobilinkd so their cable will work
  • messaged.py module for sending and receiving APRS messages

Untested HW features

  • UHF radio module
  • IO output including solid sate relays capable of switching 12V 1.5A DC
  • SD card
  • 2nd USB port

Possible Additional Software Features

  • Cross band audio repeater
  • Cross band digipeater
  • BT/WiFi to APRS/AX25 modem

Design Files

I’ve decided to open source all of the design including the hardware and software.
You can view the schematic and layout at upverter.

There are a few different software repositories

The CHIP Pro gadget OS is on github.

There is a repository that contains the gadget OS configuration files and install scripts for the webserver environment on gitlab.

Getting and Building the Design

The PCBs can be ordered from OSH Park

Order from OSH Park

Here is the assembly drawing

The full BOM is available from upverter but for the currently working features there is a much smaller subset.

Current BOM

Here is a digikey version of the BOM.The total BOM cost including the PCB but excluding the antenna is around $60.

Assembling the Boards

Some of the parts are small ( 0805 ) so you will need soldering gear that can do finer parts. All of the fine parts get mounted on the top side of the board near the RF module. The connectors all go on the back of the board.

Next Steps

The software needs some polishing so if anyone wants to contribute patches please do.

It also needs a case designed for it so I’ll likely start doing that in openscad soon.

Since I’ve started this design NTC has become less and less responsive so I don’t know is there’s any future in the CHIP or CHIP Pro boards. I hope there is but I’ve been waiting for a year fro the CHIP pro’s I ordered and it’s been more than 4 months since I received any email from them. If anyone else has actually got an email from them I’d be interested in hearing about it.

Thanks goes out to Herb Peyerl andRob Riggs for design assistance and motivation during the project.

BTW there is also an original NTC CHIP design.

Socat, sslh and stunnel to share https port 443

The instructions below assume you are using Ubuntu 16.04 but they will work for other Linuxes with minor modifications. The instructions below will also conflict with a webserver listening on port 443 ( https ) so you’ll need to disable it. Once the setup below is complete your https connections will get seamlessly forwarded to port 80.

Setup letsencrypt keys

For the SSL connection to be secure and trusted by browsers and other software you need to have a certificate signed by a recognised certificate authority. The easiest way to do this is to use letsencypt’s certbot. I’m not going to go into how to get the certificate as there are too many ways depending on your configuration. Just follow letsencrypt’s documentation to generate a key for your "servernname.com" that will get used in the rest of these instructions.

You could also use a self signed key but that may cause you problems with stateful firewalls.

Setup stunnel

With your certificate installed on the server you can now setup stunnel to use it. crow shows a partial setup here. I think he’s limited the ciphers for increased security but I found it was not necessary.

Install stunnel4

sudo apt-get install stunnel4

So the setup in /etc/stunnel/stunnel.conf I am using looks like this

pid = /var/run/stunnel.pid
cert = /etc/letsencrypt/live/servername.com/fullchain.pem
key = /etc/letsencrypt/live/servername.com/privkey.pem
[ssh]
accept = servername.com:443
connect = localhost:80

You also need to enable stunnel in /etc/default/stunnel4.conf by setting ENABLED=1

restart stunnel to use the new configuration.

systemctl restart stunnel4

At this point you can test the stunnel setup by going to “http://servername.com” with your browser and you will have a secure connection to your http server.

To prep for the sslh configuration change

connect = localhost:80

in /etc/stunnel/stunnel.conf to

connect = localhost:1022

and then restart stunnel again.

Setup sslh

sslh will redirect the sessions decrypted by stunnel to the correct port on your server.

You need to install sslh

sudo apt-get install sslh

The minimum services I wanted are ssh and http so my configuration in /etc/default/sslh looks like this.

RUN=yes

# binary to use: forked (sslh) or single-thread (sslh-select) version
DAEMON=/usr/sbin/sslh

DAEMON_OPTS="--user sslh --listen 127.0.0.1:1022 --http 127.0.0.1:80 --ssh 127.0.0.1:22 --pidfile /var/run/sslh/sslh.pid"

The sslh documentation says that OpenVPN, tinc, XMPP are also supported but I didn’t need those so my configuration doesn’t support them. You can now restart sslh

sudo systemctl restart sslh

This would be another good time to test the stunnel -> sslh -> httpd redirection by visiting “http://servername.com” in your browser.

Client side ssh setup

Once all of the above is complete and assuming that you have an ssh server that you can connect to on port 22 of your server the ssh client can be setup to use the ssl tunnel. The ssh session needs to wrapped in the ssl session to be able to connect to the server so I used the ssh ProxyCommand to accomplish this. Add the section below to your ~/.ssh/config on your client machine

Host servername.com
ProxyCommand /usr/bin/socat - OPENSSL:servername.com:443

From the client you should now be able to connect to your server by doing

ssh servername.com

If you get errors from ProxyCommand about your keys or if you used a self signed certificate you will need to turn off key verification.

Host servername.com
ProxyCommand /usr/bin/socat - OPENSSL:servername.com:443,verify=0

There is usually one other modification I have in my ssh config and that is a DynamicProxy so that stateful packet inspection doesn’t interfere. So the final configuration looks like this.

Host servername.com
DynamicForward localhost:2121
ProxyCommand /usr/bin/socat - OPENSSL:servername.com:443

The interested reader should look into FoxyProxy to see how this might be used.

CHIP TNC

 

I’ve had a mobilinkd for a couple of years now and I like the small form factor and the mobility of the device. I’ve always wanted it to have some additional features such as a connected mode ( either USB or serial ) and the ability to track without the need for a cell phone. Wifi would also be a preferred wireless interface.

I tried using the AP510 to fill some of these features but it’s under powered and prone to burning out it’s LDO.

At the urging of a friend, Herb, I sat down and designed one that fit our needs.

The hardware feature set we decided on

  • Arm SOC module running Linux for TNC
  • Audio/PTT interface for Yaesu and Kenwood/BaoFeng
  • 1W RF module ( could be VHF or UHF )
  • GPS expansion port
  • XBee header

For the ARM module we chose the C.H.I.P. by Next Thing Co. I has a nice small form factor and the site claims you can order 1 – 1 million with very little lead time ( it turns out they are limiting you to 5 at a time right now ). A couple of other nice features of the module are WiFi, bluetooth, Lipo charger and 2 USB ports.

I used the same audio/PTT interface as the mobilinkd so I could reuse the audio cables.

We chose the SR FRS 1W for the on board RF interface. It’s got a nice small form factor but there are some issues with it’s PTT that we are still debugging.

The GPS expansion port is just a slot in the board with serial RX/TX, i2c, 3V3, 5V and GND. I’ve looked at a few GPS modules but haven’t started designing anything yet. Part of the reason I’m holding off is that the side of the board I wanted to put the expansion on would interfere with the USB ports from the CHIP. Until I design a GPS interface module I’m just using a small ND-105 MicroUSB adapter.

I chose the XBee header because there are a number of boards that are already designed for that form factor that support a large number of RF protocols. Now, because of the issues with the GPS expansion slot I might just design a GPS module to plug in there.

Running the audio interface and the GPS dongle from a 2500mAH battery the board can run for about 4 hours. I need to do some optimisation to try and get that into the 8 hours range.

 

 

 

 

 

 

 

 

 

 

 

Software features

  • Debian – standard CHIP install
  • Direwolf – so the device can function as a TNC/digipeater/X25 modem
  • Lighttpd webserver for configuration and UI
  • Host AP and wifi client simultaneously
  • APRX for viscous digipeating

I had to make some modifications to Direwolf to get it to handle multiple TCPIP clients, as APRX, the web ui and a message daemon all share Direwolf.

The UI is written in python using the web.py framework and currently supports these features.

  • List of recent APRS beacons
  • Settings for APRX, Direwolf and PTT
  • Send and receive APRS messages
  • Maps for to show beacon locations
  • Display Direwolf logs for debugging

These all need cleaning up but for the most part are functional.

For the message interface a message daemon is needed to store messages for the interface and handle message ACKs. It attempts to re-transmit the message 3 times or until it is properly ACKed. The UI can also re-send failed messages.

I want to add a feature that failed messages will be re-transmitted when the messaged receives a beacon from the intended recipient.

Moving forward

The boards arrived a week ago and apart from a few minor difficulties ( wrong parts, reversed RF module foot prints , you know the usual ) are working working well. So a second rev will be required. But a new rev means new features , right ?


REV2 features

  • Concurrent RF module and audio interface. The unit could be across band digipeater or repeater
  • LED TX/RX indicator
  • Squelch tied to an interrupt for low power modes
  • CHIPProadapter to mitigate CHIP supply issues

The code is all hosted on gitlab right now in a private repo but I’ll probably open that up if there are any others interested in helping out.

Booting the i.MX7 Sabre board from the mikroBUS SPI flash

dsc_0199
I’ve been working with the Freescale i.MX7 Sabre board and I wanted to free up the SD card so I could do some SDIO testing. I decided to boot the board from SPI flash ( I needed to test that out anyway ) and then load a kernel and rootfs across the network.

On the i.MX7 board there is a mikroBUS connector which basically just breaks out SPI/I2C/serial and a couple of GPIOs. There is a 8Mb SPI flash that you can get for this bus called the flash click. Just what I needed so I ordered one.

The documentation the board comes with claims the flash chip is a M25P80, no problem u-boot supports that. I added the config below into “include/configs/mx7dsabresd.h” to enable the u-boot SPI flash tools.

#define CONFIG_CMD_SF
#define CONFIG_MXC_SPI

Also enable SPI flash in the defconfig “configs/mx7dsabresd_secure_defconfig”

CONFIG_SPI_FLASH=y

You also need to add some code to your machine initialisation “board/freescale/mx7dsabresd/mx7dsabresd.c” so that the pads get configured properly.

define SPI_PAD_CTRL \
  (PAD_CTL_HYS | PAD_CTL_DSE_3P3V_49OHM | PAD_CTL_SRE_FAST)

static iomux_v3_cfg_t const ecspi3_pads[] = {
  MX7D_PAD_SAI2_RX_DATA__ECSPI3_SCLK | MUX_PAD_CTRL(SPI_PAD_CTRL),
  MX7D_PAD_SAI2_TX_SYNC__ECSPI3_MISO | MUX_PAD_CTRL(SPI_PAD_CTRL),
  MX7D_PAD_SAI2_TX_BCLK__ECSPI3_MOSI | MUX_PAD_CTRL(SPI_PAD_CTRL),
  MX7D_PAD_SAI2_TX_DATA__GPIO6_IO22 | MUX_PAD_CTRL(NO_PAD_CTRL),
};

int board_spi_cs_gpio(unsigned bus, unsigned cs)
{
       return (bus == 2 && cs == 0) ? (IMX_GPIO_NR(6, 22)) : -1;
}

static void setup_spi(void)
{
       imx_iomux_v3_setup_multiple_pads(ecspi3_pads, ARRAY_SIZE(ecspi3_pads));
}

One more edit to “board/freescale/mx7dsabresd/mx7dsabresd.c” to get the code above called. Into the function board_init add this

#ifdef CONFIG_MXC_SPI
       setup_spi();
#endif

So then I built myself a new u-boot

make mx7dsabresd_secure_defconfig         
CROSS_COMPILE=arm-linux-gnueabihf- make

Now take your newly minted u-boot, burn it to an SD card.

sudo dd if=u-boot.imx of=/dev/mmcblk0 seek=1 bs=1024

and it boots the board

U-Boot 2016.11-rc3-00044-g38cacda-dirty (Nov 09 2016 - 15:59:35 -0700)

CPU:   Freescale i.MX7D rev1.1 996 MHz (running at 792 MHz)
CPU:   Commercial temperature grade (0C to 95C) at 35C
Reset cause: POR
Board: i.MX7D SABRESD in secure mode
I2C:   ready
DRAM:  1 GiB
PMIC: PFUZE3000 DEV_ID=0x30 REV_ID=0x11
MMC:   FSL_SDHC: 0, FSL_SDHC: 1
Video: 480x272x24
In:    serial
Out:   serial
Err:   serial
switch to partitions #0, OK
mmc0 is current device
Net:   FEC0
Hit any key to stop autoboot:  0 
=>

Excellent now I want to scan for the flash chip so that I can burn my new u-boot to it.

=> sf probe 2:0
SF: Unsupported flash IDs: manuf 1c, jedec 3014, ext_jedec 1c30
Failed to initialize SPI flash at 2:0

WTF that’s not the jedec id for a N25P80. So if you go back to the link near the top of the page the mikroBUS flash click actually uses the EN25Q80B which is not in mainline u-boot. Back to the code we go.

Edit “drivers/mtd/spi/sf_params.c” and right after “#ifdef CONFIG_SPI_FLASH_EON /* EON */” add the line below.

  {"EN25Q80B",        0x1c3014, 0x0, 64 * 1024,  16, 0},

You’ll also nee to edit your config again “include/configs/mx7dsabresd.h” and add EON SPI to the configuration.

#define CONFIG_SPI_FLASH_EON

Rebuild it and burn it back to the SD card and try the probe again.

=> sf probe 2:0
SF: Detected EN25Q80B with page size 256 Bytes, erase size 64 KiB, total 1 MiB

So now u-boot can understand the flash, lets erase enough space for u-boot it and flash it.

=> sf erase 0 80000 
SF: 524288 bytes @ 0x0 Erased: OK
=> mmc read 0x80000000 2 400

MMC read: dev # 0, block # 2, count 1024 ... 1024 blocks read: OK
=> sf write 0x80000000 400 80000
device 0 offset 0x400, size 0x80000
SF: 524288 bytes @ 0x400 Written: OK

Now set the jumpers to boot from the SPI flash, remove the SD card and reset the board.dsc_0201

Here’s the mikroBUS flash click patch that should apply to mainline u-boot.

Scaling an STL in FreeCAD

I found a new way to scale STLs in FreeCAD where you don’t need to use the Python console.

Import the STL.
Go to the Part Workbench.
Select the STL in the Model list
Menu: Part->Create shape from mesh…
Select the new part
Menu: Part->convert to solid
Select the new part
Menu: Part->Refine shape
Change to the Draft Workbench
Menu: Draft->Clone

Now you can adjust the scale in the properties window of the clone.

Scaling Upverter STL Output in FreeCAD

Upverter has a nice STL export ( when it works ) of your board so you can do mechanical modelling for your design. Unfortunately when it gets imported into FreeCAD the scale is 10 times too small.

FreeCAD as of 0.15 does not have menu item that allows you to scale mesh imports. Luckily the python console can do the scaling of imported meshes.

First import the mesh ( STL file ) that you want to add to the current design. Select it in the “Combo view->Model” tree on the left of the FreeCAD screen. Then use the python console ( View->Views->Python console ) with the code below to scale it up 10 times.

import Mesh,BuildRegularGeoms
mat=FreeCAD.Matrix()
mat.scale(10.0,10.0,10.0)
mesh=App.ActiveDocument.ActiveObject.Mesh.copy()
mesh.transform(mat)
Mesh.show(mesh)

Now you should have a correctly sized copy of the STL board that you imported.

Here is the original post on importing and scaling ( I wanted to scale a mesh I had already imported ).

Aerogarden Bulb Mod

DSC_0220I’ve had this Aerogarden for a while but most of it’s life has been spent in a box in the garage because the lights quit working shortly after the 1 year warranty ran out. I decided to take it out this weekend and figure out what the issue was.

DSC_0217I disassembled the the light fixture and pulled out the power board and there are 2 250V 3A fuses on there. Both of then were blown. I de-soldered those thinking I would just replace them and the board would work. Then I got to thinking why do I want to fix the power supply for the proprietary ( and not very long lasting ) bulbs so instead I hacked it to take A19 ( “standard” ) light bulbs.

I didn’t take pictures along the way but the hack is pretty simple.

  1. Disassemble the light fixture – 2 of the bolts are Torx. You don’t need to remove the 2 screws next to the power plug
  2. Remove the old power supply and CFL mounting brackets
  3. Mark the size of the holes for the new light fixtures – medium socket
  4. Cut out the holes with a Dremel. I left the original CFL mounting holes in case I wanted to go back to the old bulbs.
  5. Cut a piece of aluminium L bracket to length and height. Notice there is a notch part way though the light fixture that you need to make room for. I also added 4 holes for alignment to the old screw mounts. I would check to make sure that the fixture has room to close properly at this point.
  6. Attach some 14 gauge wire to the bases and mount them to the L bracket.
  7. Attach the new wire to the power plug on the fixture.
  8. Slide the bases through the holes from step 3.
  9. Mount the L bracket to the fixture with 2 Tek self taping bolts.
  10. Re-assemble the fixture and you’re all done.

DSC_0214

DSC_0215
DSC_0213

I’ve currently got 3 60W incandescent grow bulbs in there but I’m on the lookout for some LED or CFL grow lights.