Das Blog zu IT, Mobilfunk & Internet
The guys at Pobletewireless have been busy with the Fonera lately, and have now posted a step-by-step hack to add a DB9 connector that allows easy access to the built-in serial port, without having to make IDC cable headers and so on. [Link]
The hack gives access to the console, with which you can do all sorts of nice and interesting things.
Went to my local Vodafone store to pick up the new Huawei E220 HSDPA USB modem, which with a 49 Euro monthly contract gives you 1GB of transfer at 1Mbps maximum, and free mobile to fixed landline calls – pretty good deal if you ask me. For 59 Euro you get 5GB of transfer, at the full 3.8Mbps that HSDPA offers. These are theoretical rates, as they will depend on a number of factors, such as how many people are also using the same cell, your coverage and the quality of the link.
We can argue all we want about how convenient WiFi is, being omnipresent et al, but in reality, it’s rather hard to get connected while on the road. Let’s examine the following scenarios, and you tell me the chances of getting connected over WiFi:
Let’s be honest – free open WiFi is great once you have identified the locations where you can get connected, such as a friend’s house or the local coffee shop. Other solid commercial alternatives make it easier to find WiFi, as they tend to be present at well-known locations. Walk into any Starbucks or hotel, and you’re bound to find at least for-pay wireless.
For me, on the 30 minutes to 1 hour it takes to get home on the train or bus, being able to get connected is great. The convenience of simply opening the Mac and getting online beats the guesswork of WiFi. I tried getting the Mac working with my Nokia N93 over Bluetooth, but it was just too unstable – one day it worked, the next simply refused to even connect. A more in-depth review of the device is coming, once I get a chance to roam about with it for a while.
So far, installation on the Mac was pretty straightforward, download the setup package from Vodafone’s site (they don’t tell you this in the manual), which then enables the modem as a networking device. If you don’t follow this step, it can get recognized as a storage device, which is not particularly useful for a modem. The one thing I don’t understand is why it comes with a miniUSB cable that ends in two USB connectors, my guess is it’s power-related (some USB ports don’t provide the full 500mA they are supposed to provide).
You probably remember the post I made regarding FON’s figures, and how much I thought they differed from reality. It got quite a lot of attention, particularly from detractors, and from Martin Varsavsky himself. Many comments were posted on my blog and some others, which pointed towards the fact that I am involved in a startup which supposedly is a clone of FON, and thus I was biased and in no position to comment on FON. To cut a long story short, Martin posted a rather vicious personal attack on his blog, which I answered, he counter-commented, to which I again answered, but he never conceded a bit.
During my investigations that led to the statistics post, I also discovered a serious flaw in the maps management system, which would allow anyone to re-position any FON hotspot and change its address without first logging into the user area.
All that was required was the node’s ID and the hotspot owner’s user ID, both easily obtainable from the public queries that maps.fon.com launches against the database where hotspot data is held, and which I used to gather the statistics. For a determined attacker, it would have been very easy to place every single FON hotspot right in the middle of 1600 Pennsylvania Avenue, Washington DC.
I could have very easily posted about this, but I refrained from doing so for a reason – while I do not work full-time in the IT security industry, I have done quite a bit of consultancy work in the past, related to IT security, particularly in the wireless field. This means that I am fully aware of the industry-approved vulnerability disclosure procedure, which can be explained simply as:
You can find more references to this policy at Microsoft’s Security Response Center, here and here. A PDF from oisafety.org also describes this process in detail. A perfect example on how not to do things is the recent disclosure of a code injection vulnerability, which allowed manipulation of FON’s routers without even having to open them – even though their points are valid, they should have given FON the chance to fix the problem before going public.
In this case, I contacted FON’s support email first September 27th, and received a response on the 29th. This was really generic, only wanting to know about the details, and not acknowledging the normal procedure as I have explained above. On October 2nd, I emailed them again, asking to confirm that they understood the procedure, and on the 3rd they replied that they agreed on following the procedure.
I started compiling the information I had into a working document, but after becoming so frustrated at the attacks received as a result on my post about the statistics, the decision was to simply let the issue go, forget about FON, and concentrate on my own project. A couple of days ago, browsing around for stuff to clean up on the laptop, I came across the half-written report, and decided to finish it and send it to FON support, with CC to Martin, just to close the case. I received a reply today that they have in fact fixed the vulnerability, with a short ‘thanks’ (actually, quoting his email in full: “thanks Mike, i understand its been fixed”) from Martin.
The public acknowledgement of the discovery posted by FON is found in this forum post. Only in the English forums, by a user created apparently for this particular purpose, as this is his first post ever, where it is not likely to draw much attention. This would be fine by me, had not there been the precedent of Martin’s fierce replies to my statistics post, followed by countless attacks by FON’s followers, including an unfortunate incident better left forgotten. What I really cannot understand is that, when I criticize FON, I get such a huge public lashing, whereas when I help them out, I get a three-line remark in a forum where it will go mostly unnoticed. The end result may well be that other vulnerabilities, and it is likely they exist, go unreported.
Whatever the case, this should show those who accused me of unfair, biased attacks on FON that I really just call the shots as I see them, when I smell bullshit, I will point to it, when I see a hole, I will help them fix it – again, IMHO, blogging is not about being or not biased, it is about being ethical and maintaining a set of standards. In my view, it should also prompt Martin to write an apology, but I am not holding my breath. Not that I care much either, what is most important is my work; this is my blog, where I spend part of my spare time, which is not actually that much.
Robert Scoble writes about whether having a decent WiFi connection at a conference is something that important, and concludes that if you can afford the $3500 price tag to get in, you can also afford a $80 a month Verizon mobile data plan. Ethan Kaplan thinks it is important, and I agree, but for different motives.
What Robert fails to appreciate is, that while Web 2.0 may be more US-centered in terms of visitor origin, there are many conferences where the bulk of atendees come from abroad. In this case, it makes little sense to get into a Verizon plan just for the few days when you are visiting. Roaming data charges (when roaming data connections such as GPRS even work, which I found impossible around California) are astronomical.
I am in favor of event organizers providing a good quality, solid and stable WiFi connection, even though it can be very expensive. An example was the WOMMA conference at the San Francisco Hilton, which didn’t provide WiFi, as the hotel wanted $20.000 to put a router in the hall. However, a compromise between the two postulates would be for Verizon to offer a rent-a-card service. Just like I pick up my car at Hertz for a week at SFO, I could also pick up a Verizon card, use it while moving about, and return it at the airport before leaving the country. I can already hear critics saying “but people would just keep the cards” – maybe, but what good would they be to them? Additionally, just like you have a retainer placed on your credit card when you rent a car, the same could apply to the card, if you don’t return it, Verizon actually could make more money!
Yesterday, I posted a few pictures of the opened Fonera, with a few initial views on the device. When I tried to plug it in, it failed to work, only the power LED lighting up. Neither the WiFi signal was coming up, nor the ethernet port was tickling the switch.
The only course of action? To open it up even more. So, the aluminium chassis came off, and that’s when I realized I had seen this before. The WiFi section, which includes the Atheros AR2315, crystal, filters, power amplifiers and ancilliary circuitry are housed inside this casing, and correspond to a reference design provided most likely by Atheros themselves. Check out the Meraki Mini router. For reference, I provide a side-by-side picture below (click for large image).
There is nothing wrong with using reference designs per se, as it is the fastest and easiest way to bring a product to market. If you don’t need to customize your design much, simply use what the manufacturer suggests, and you will be playing on the safe side. A perfect example is Bluetooth headsets, where CSR dominates the market. Virtually all headsets in the market use their reference design, with very little changes between them, other than physical placement of LEDs and buttons.
Block-by-block, here is an overview of the Fonera.
Power
Power is supplied to the Fonera via jack SK1, and is fed through a rapid fuse (Polychem type) to a simple drop-down regulator, which drops voltage from around 5V (4.85V as measured on the wall power supply, using a Fluke 179 multimeter) to 3.3V. The regulator appears to be an AME1117 (though the package markings read AME117), in its CCCT configuration, TO-252 form factor. The regulator is stabilized using three electrolyic capacitors. In these types of regulators, ESR (equivalent series resistance) of the input decoupling capacitors is very important, and this can usually be controlled nicely with tantalum capacitors. These are very expensive compared to electrolytic, however.
There is a second stage of regulation, this time done by an Anpec APL1117, which further drops the voltage to 2.5V. This supply appears to be used by the wireless subsection. Two ceramic capacitors stabilize the regulator.
Without the Atheros chip in place, the PCB drew 90mA at 5V, or 450mW. Since the device was not functioning, the total supply current with WiFi active could not be determined.
Memory
Two memory ICs are available on the Fonera, the first is an ST M25P64 serial flash, with a 50MHz SPI bus and 64Mbit capacity (8MB), in 300mil SO16 format. The fact that SPI has been chosen has the advantage that extra memory devices could be attached to the bus, but it has the caveat that it is slower than a parallel bus. Thus, flashing a new firmware could take a rather long time. Interestingly, there are two footprints on the PCB, presumably to fit a different size and format memory IC, one SO16 and one SO8.
The second memory IC is a Hynix HY57V281620E synchronous DRAM, with a capacity of 128Mbit organized in 16bit blocks. In practice, this results in 16MB of RAM available to the processor.
Ethernet
At the heart of the wired ethernet subsystem is an Altima AC101 ethernet transceiver, capable of 10/100 full duplex operation. The IC is placed on the bottom layer of the PCB, and runs off a 25MHz crystal, strangely placed next to the main power regulator, where it could absorb electrical noise. Usually, crystals are placed well away from sources of interference. Nothing else too exciting here, the transceiver is connected to a standard RJ45 socket, TP1.
Wireless
The wireless section is the most interesting. This is where the Atheros AR2315 single-chip WiFi processor lives. Little public information is available about this or any other Atheros chipset, so it is hard to figure out exactly how it is put in place, but a few details are clear.
First, the chip gets hot. This is why a double heat-conductive adhesive tape bonds the surface to the metal cover, and in turn to the heatsink placed on top. The processor runs from a 40MHz clock source. After the Atheros core, come a couple of filters, and a power amplifier stage. This then runs off to the two antenna tracks. The first antenna exits the aluminium cage and runs up to a test connector. This connector breaks the antenna track when the right mating plug is inserted, which is then fed into a dedicated RF analyzer, which validates that the device is within constraints.
After the antenna test point, there is a split, which can be configured using a zero-ohm resistor, to run to an internal solder pad, or to a PCB-mounted right-angle SMA connector. It is unclear why they chose to use the solder pad, as an in-place soldered connector needs less handling than soldering a pigtail by hand. Besides, my intuition tells me the losses would be lower – I will test this when I get a working Fonera. Both tracks run through an impedance matching network, consisting of two capacitors to ground from the RF track, and an inductor between the capacitors . The purpose if this small circuit is to get the impedance of the PCB track as close to 50 ohms as possible. If the track impedance is mismatched to the antenna, losses take place.
The second antenna runs straight to a PCB pad, where a pigtail may be soldered, also passing a matching network. Below is a picture showing the details of this subsection.
Interfaces
There are two IDC-style connectors on the PCB, one 2×5, and one 2×7 but unpopulated. The 2×5 looks like a serial connector, as only power, ground and two tracks lead out from it. The layout has to be studied in more detail to confirm this assumption.
It can be speculated that this is in fact a serial port, but without the AR2315 pinout, this cannot be determined for sure. The 2×7 header seems to be a JTAG interface, possibly compliant with MIPS EJTAG 2.6. The mapping of the header pins to the AR2315 BGA balls is shown below (thanks for adding a row/column silkscreen for the Atheros chip, and thanks to the OpenWRT project wiki for the JTAG information!):
Between the Ethernet jack and the empty SMA footprint, there is a footprint of 6-way header, which needs a bit more study to determine where it leads internally [I will update the post when I find out –Mike].
Conclusion
This is a very compact and simple WiFi router, designed not for being easy to hack, but for lowest cost. The cheap power regulator, use of large SMDs and choice of pigtail rather than board-mounted SMA connector point in this direction. There is only one port which could be used for something useful, if it is indeed a serial port, the only two GPIOs available being the WLAN and Ethernet LEDs – as long as the Ethernet LED is not controlled by the Altima but by the Atheros. The power LED is on as long as there is power applied to the device, so there is no control over this by the Atheros processor. Power consumption is a bit high, considering the wireless device was not present. The PCB layout is very professional, except in a few particular cases such as the large crystal, but overall, quite nice.
In all, a very small device which could have a lot of potential, had it not been for its lack of I/O. It is unclear whether the router will accept custom firmware, as there are rumors that an encryption & signature system is used. The Fonera is probably OK for regular use by Foneros, but it does not have the hackable edge of the Linksys WRT54Gx. The only suprise could come from the edge connector, as of yet of unknown usefulness.
References
Atheros AR2315 chipset website section and product brief.
After a few days of silence, digesting the hubbub created by my analysis of Fon’s status, I’ve put my head back into more useful things than answering hate mail and out-of-line comments (thanks to those who provided balanced views, either for or against!). So, I decided to open a Fonera and see what lives inside.
A full review is coming, but first impressions:
Here are some pics (click each photo for bigger views on Flickr) I have taken with a Nokia N93 (really nice phone btw, mini-review coming):
The underside of the case, with screws off.
Perspective view of the top PCB.
Bottom side of the PCB.
Sticker on the flash IC showing the firmware version.