Vodafone R205: opening it up

I have posted about using an R205 without a Vodafone blessed network, and I wrote a quick software inspection of the device. This time I’m writing some notes about the hardware itself.

I had originally expected to just destroy the device to try to gain access to it, but it turns out it’s actually simpler than expected to open: the back of the device is fastened with four Torx T5 screws, and then it takes just a bit of pressure to pull the back apart from the front. There are no screws behind the label under the battery. I have managed to open and re-close the device without it looking much different, just a bit weathered.

Unfortunately the first thing that becomes obvious is that the device is not designed to turn on without the battery plugged in. If you try to turn it on with just the USB connected – I tried that before disassembly, of course – the device only displays “BATTERY ERROR” and refuses to boot. This appears to be one of the errors coming from the bootloader of the board, as I can find it next to “TEMP INVALID” in the firmware strings.

Keeping the battery connected while the device is open is not possible by design. Particularly when you consider that all the interesting-looking pads are underneath the battery itself. The answer is thus to just go and solder some cables on the board and connect them to the battery — I care about my life enough not to intend to solder on the battery, that one can be connected with physical placement and tape. This is the time I had to make a call and sacrifice the device. Luckily, the answer was easy: I already have a backup device, another Vodafone Pocket WiFi, this time a R208, that my sister dismissed. Plus if I really wanted, I could get myself a newer 4G version as that’s what my SIM card supports.

There are two sets of pads that appear promising, and so I took a look at them with a simple multimeter. The first group is a 5-pad group, in which one pad corresponds to ground, two appear to idle around 3V, and one appears to idle around 4V. This is not exactly your usual configuration of a serial port, but I have not managed to get more details yet. The other group is a 10-pad group with two grounds, and a number of pads idling at 1.85V, which is significantly more consistent with JTAG, but again I have not managed to inspect it yet.

Annotated image of the E586 board.

So I decided to get myself some solid core wires, and try to solder them on the five-pad configuration I saw on the board. Unfortunately the end result has been destructive, and so I had to discard the idea of getting any useful data from that board. Bummer. But then I thought to myself that this device has to be fairly common, since Vodafone sold it anywhere from Ireland to Italy to Australia at least. And indeed a quick look at eBay showed me a seller having, not the R205, but the Huawei E586 available for cheap. Indeed, a lot of four devices was being sold for $10 (plus €20 for postage and customs, sigh!). These were fully Huawei-branded E586 devices, with a quite different chassis and a Wind logo on them. Despite coming from New York State, this particular Wind-branded company was Canadian (it now goes by Freedom Mobile); I’m not sure about the compatibility of the GSM network, but the package looked promising: four devices, but only one “complete” (battery and back cover). I bought it and it arrived just the other day.

An aside, it’s fun to note that I found just recently that Wind was used as a brand in Canada. The original brand comes from Italy, and I have been a customer of theirs for a number of years there. Indeed, my current Italian phone number is subscribed with Wind. The whole structure of co-owned brands seems to be falling apart though, with the Canadian brand gone, and with the Italian original company having been merged with Tre (Three Italy). I’m not sure on who owns what of that, but they appear to still advertise the Veon app, which matches the new name of the Russian company who owned them until now so who knows.

Opening the Wind devices is also significantly easier as it does not require as much force and does not have as many moving parts. Indeed, the whole chassis is mostly one plastic block, while the front comes away entirely. So indeed after I got home with them I opened one and looked into it, comparing it with the one I had already broken:

If you compare the two boards, you can see that on the top-right (front-facing) there is a small RF connector, which could be a Hirose U.FL or an otherwise similar connector; on the R205, this connector is on the back, making it not reachable by the user. The pads for both RF connectors are visible, but unused, on the opposite board.

Next to the connector there is also a switch that is not present in the R205, which on the chassis is marked as reset. On the R205 the reset switch is towards the bottom, and there is nothing on the top side. The lower switch is marked as WPS on the chassis on the Wind device, which makes me think these are programmable somehow. I guess if I look at this deeply enough I’ll find out that these are just GPIOs for the CPU and they are just mapped differently in the firmware.

I have not managed to power them up yet, also because I do not trust them that much. They appear to have at least the same bootloader, since the BATTERY ERROR message appears on them just the same. On the other hand this gives me at least a secondary objective I can look into: if I can figure out how to extract the firmware from the resources of the update binary provided by Vodafone, and how the firmware upgrade process works, I should be able to flash a copy of the Vodafone firmware onto the Wind device as well, since they have the same board. And that would be a good starting point for it.

Having already ruined one of the boards also allows me to open up the RF shielding that is omnipresent on those boards and is hiding every detail. That would be an interesting thing to document, and would allow me to figure out if there is any chance of using OpenWRT or LEDE on it. I guess I’ll follow up with more details of the pictures, and more details of the software.

Personal Infrastructure Services Security and Reliability

I started drafting this post just before I left Ireland for Enigma 2017. While at ENIGMA I realized how important it is to write about this because it is too damn easy to forget about it altogether.

How secure and reliable are our personal infrastructure services, such as our ISPs? My educated guess is, not much.

The start of this story I already talked about: my card got cloned and I had to get it replaced. Among the various services that I needed it replaced in, there were providers in both Italy and Ireland: Wind and Vodafone in Italy, 3 IE in Ireland. As to why I had to use an Irish credit card in Italy, it is because SEPA Direct Debit does not actually work, so my Italian services cannot debit my Irish account directly, as I would like, but they can charge (nearly) any VISA or MasterCard credit card.

Changing the card on Wind Italy was trivial, except that when (three weeks later) I went to restore the original Tesco card, Chrome 56 reported the site as Not Secure because the login page is served on a non-secure connection by default (which means it can be hijacked by a MITM attack). I bookmarked the HTTPS copy (which loads non-encrypted resources, which makes it still unsafe) and will keep using that for the near future.

Vodafone Italy proved more interesting in many ways. The main problem is that I could not actually set up the payment with the temporary card I intended to use (Ulster Bank Gold), the website would just error out on me providing a backend error message — after annoying Vodafone Italy over Twitter, I found out that the problem is in the BIN of the credit card, as the Tesco Bank one is whitelisted in their backend, but the Ulster Bank is not. But that is not all; all the pages of the “Do it yourself” have mixed-content requests, making it not completely secure. But this is not completely uncommon.

What was uncommon and scary was that while I was trying to force them into accepting the card I got to the point where Chrome would not auto-fill the form because it was not secure. Uh? It turned out that, unlike news outlets, Vodafone decided that their website with payment information, invoices, and call details does not need to be hardened against MITM, and instead allows stripping HTTPS just fine: non-secure cookies and all.

In particular what happened was that the left-side navigation link to “Payment methods” used an explicit http:// link, and the further “Edit payment method” link is a relative link… so it would bring up the form in a non-encrypted page. I brought it up on Twitter (together with the problems with changing the credit card on file), and they appear to have fixed that particular problem.

But almost a month later when I went out to replace the card with the new Tesco replacement card, I managed to find something else with a similar problem: when going through the “flow” to change the way I receive my bill (I wanted the PDF attached), the completion stage redirects me to an HTTP page. And from there, even though the iframes are then loaded over HTTPS, the security is lost.

Of course there are two other problems: the login pane is rendered on HTTP, which means that Chrome 56 and the latest Firefox consider it not secure, and since the downgrade from HTTPS to HTTP does not log me out, it means the cookies are not secure, and that makes it possible for an attacker to steal them with not much difficulty. Particularly as the site does not seem to send any HTTP headers to make the connection safe (Archive.is of Mozilla Observatory).
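An added example, not part of the original post and not any provider's code: a small Python audit of a single HTTP response for the weaknesses described above (no HSTS header, session cookies without the Secure flag, explicit http:// links, relative links and forms on a downgraded page, mixed content). The host names, cookie names and sample page are constructed.

```python
# Added example: audit one HTTP response for the problems described above.
# Host names, cookies and the sample page are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class RefCollector(HTMLParser):
    """Collect (tag, value) for every href/src/action attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.refs.append((tag, value))


def audit_response(page_url, headers, body):
    """Return sorted findings; headers is a list of (name, value) pairs
    so that repeated Set-Cookie headers are all seen."""
    findings = set()
    https = urlsplit(page_url).scheme == "https"
    names = {name.lower() for name, _ in headers}

    if not https:
        findings.add("page served over plain HTTP")
    elif "strict-transport-security" not in names:
        findings.add("no Strict-Transport-Security header")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        flags = {part.strip().lower() for part in value.split(";")[1:]}
        if "secure" not in flags:
            # Sent on http:// requests too, so a stripped link leaks it.
            findings.add(f"cookie {cookie} lacks Secure")

    collector = RefCollector()
    collector.feed(body)
    for tag, value in collector.refs:
        # Relative URLs inherit the scheme of the page they appear on.
        target = urljoin(page_url, value)
        if urlsplit(target).scheme != "http":
            continue
        if tag == "a":
            findings.add(f"plain-HTTP link: {target}")
        elif tag == "form":
            findings.add(f"form submits in clear to {target}")
        elif https:
            findings.add(f"mixed content: {tag} loads {target}")
    return sorted(findings)


SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSION=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=it; Path=/; Secure"),
]
SAMPLE_BODY = """
<a href="http://selfcare.example/payment-methods">Payment methods</a>
<a href="/edit-payment-method">Edit payment method</a>
<script src="http://cdn.example/menu.js"></script>
<form action="/save-card" method="post"></form>
"""

if __name__ == "__main__":
    for url in ("https://selfcare.example/account",
                "http://selfcare.example/payment-methods"):
        print(url)
        for finding in audit_response(url, SAMPLE_HEADERS, SAMPLE_BODY):
            print("  -", finding)
```

Auditing the same body under the http:// URL shows how one explicit http:// link turns every relative link and form on the next page into a clear-text request.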

Okay so these two Italian providers have horrible security, but at least I have to say that they mostly worked fine when I was changing the credit cards — despite the very cryptic error that Vodafone decided to give me because my card was foreign. Let’s now see two other (related) providers: Three Ireland and UK — ironically enough, in-between me having to replace the card and writing this post, Wind Italy has completed the merge with Three Italy.

Both Three websites are actually fairly secure, as they have a SAML flow on a separate host for login, and then a separate host again for the account management. They still get a bad grade on Mozilla Observatory, though.

What is more interesting with these two websites is their reliability, or lack thereof. For now almost a month, the Three Ireland website does not allow me to check my connected payment cards, or change them. Which means the automatic top-up does not work and I have to top-up manually. Whenever I try to get to the “Payment Cards” page, it starts loading and then decides to redirect me back to the homepage of the self-service area. It also appears to be using a way to do redirection that is not compatible with some Chrome policy as there is a complicated warning message on the console when that happens.

Three UK is slightly better but not by much. All of this frustrating experience happened just before I left for my trip to the USA for ENIGMA 2017. As I wrote previously I generally use 3 UK roaming there. To use the roaming I need to enable an add-on (after topping up the prepaid account of course), but the add-ons page kept throwing errors. And the documentation suggested to call the wrong number to enable the add-ons on the phone. They gave me the right one over Twitter, though.

Without going into more examples of failures from phone providers, the question for me would be: why is it that all we hear about security and reliability comes from either big companies like Google and Facebook, or startups like Uber and AirBnb, but not from ISPs?

While ISPs stopped being the default provider of email for most people years and years ago, they are still the one conduit we need to connect to the rest of the Internet. And when they screw up, they screw up big. Why is it that they are not driving the reliability efforts?

Another obvious question would be whether the open source movement can actually improve the reliability of ISPs by building more tools for management and accounting, just as they used to be more useful to ISPs by building mail and news servers. Unfortunately, that would require admitting that sometimes you need to be able to restrict the “freedom” of your users, and that’s not something the open source movement has ever been able to accept.

Avoiding captive redirects on Libero/Wind/Infostrada

New chapter of my router project; if you don’t care to follow it, you probably don’t want to read this at all.

Libero – or Infostrada, Wind, however the heck you want to call it today – is my provider. Like other providers in Italy, who have probably noticed their users using OpenDNS instead of the standard DNS they provide, they started providing “captive redirects” on failed URLs: when you mistype a URL or you try to access a hostname that does not exist, they redirect to their own servers, using their own “search engine” (nowadays just a Google frontend!).

This breaks quite a few assumptions, including the fact that the .local domains won’t resolve in the standard DNS servers, which in turn makes nss-mdns almost unusable.

Up to a couple of months ago, Libero only provided this service in the primary nameserver, and if you switched around primary and secondary servers, you sidestepped the issue (that was the actual advertised procedure by the Libero staff, on the public page that was linked from within the search results). Unfortunately this had other side effects, for instance the time needed for the update of records more than doubled, which was quite boring with dynamic DNS and with newly-created domains.

Luckily, pdnsd supports blocking particular IPs returned in the results to avoid the fake records created for captive redirects, and the example configuration file itself provides an example for using that with OpenDNS to avoid falling into their redirected Google host (quite evil of them in my opinion). And in particular, at the time, there was only one host used for captive redirect, so the rule was quite simple.

Fast forward to today, the rules have changed; first of all it seems like Libero now uses redirects on both servers (or the secondary fails so often that it always responds from the primary), and most importantly they increased the number of IPs the redirects respond from. After counting four different IPs I decided to go with something more drastic, and ended up blacklisting the whole /24 network that they belong to (which is assigned, in RIPE, to Tiscali France… which is quite strange). I’m not sure if I ended up blacklisting more than I should have; for now it blacklists just enough for me to keep on browsing the net without adverse effects that I can see, and it also no longer stops me from enjoying .local domains… and Firefox auto-search with Google when the hostname does not exist.

For those interested, the configuration section is this one:

server {
 # upstream Libero nameservers
 label = "libero";
 ip = 193.70.152.15, 193.70.152.25;
 proxy_only = on;
 timeout = 4;
 # replies containing these addresses are the captive redirects
 reject = 195.210.87.131/32, 62.210.183.0/24;
}

The first IP (a single host) is the one that was used earlier; I keep it on the blacklist just to be on the safe side.
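An added example, not part of the original post and not pdnsd's own code: a simplified Python model of what the reject rule achieves, plus the probing step described above (resolve names that cannot exist, count the addresses that come back, collapse them into a network). The resolver stand-in and the host numbers inside the /24 are constructed; only the two reject entries come from the configuration.

```python
# Added example: a simplified model of the "reject" idea, not pdnsd's code.
import ipaddress

# Reject list taken from the configuration section above.
REJECT = [ipaddress.ip_network(n)
          for n in ("195.210.87.131/32", "62.210.183.0/24")]


def filter_answer(addresses, reject=REJECT):
    """Return the addresses unchanged, or [] (treated as "no such name")
    when any of them falls inside a rejected network."""
    parsed = [ipaddress.ip_address(a) for a in addresses]
    if any(ip in net for ip in parsed for net in reject):
        return []
    return [str(ip) for ip in parsed]


def find_redirect_targets(resolve, probes):
    """Resolve names that cannot exist and count every address returned.
    resolve(name) returns a list of address strings, [] for NXDOMAIN."""
    seen = {}
    for name in probes:
        for addr in resolve(name):
            seen[addr] = seen.get(addr, 0) + 1
    return seen


def covering_networks(addresses, prefix=24):
    """Collapse observed redirect hosts into candidate networks to reject."""
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            for a in addresses}
    return sorted(str(n) for n in nets)


# Constructed stand-in for a redirecting resolver: known names resolve
# normally, anything else gets one of four redirect hosts.
HIJACK_HOSTS = ["62.210.183.10", "62.210.183.11",
                "62.210.183.20", "62.210.183.21"]
REAL_NAMES = {"www.example.org": ["198.51.100.7"]}


def fake_isp_resolver(name):
    if name in REAL_NAMES:
        return REAL_NAMES[name]
    return [HIJACK_HOSTS[len(name) % len(HIJACK_HOSTS)]]


# Names under .invalid never exist; .local must not resolve in unicast DNS.
PROBES = ["a.invalid", "bb.invalid", "ccc.invalid", "dddd.invalid",
          "printer.local"]

if __name__ == "__main__":
    targets = find_redirect_targets(fake_isp_resolver, PROBES)
    print("redirect hosts seen:", targets)
    print("candidate reject networks:", covering_networks(targets))
    for name in ("printer.local", "www.example.org"):
        print(name, "->", filter_answer(fake_isp_resolver(name)) or "NXDOMAIN")
```

Rejecting a whole /24 also hides any legitimate host inside it, which is the over-blocking risk the post mentions.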

Idiocy, the post office and Enel

In the “we really are in Italy” series, today I ran into quite a bit of bureaucratic-administrative idiocy from our dear national providers.

The Enel and Wind bills are due today; since this household was still stuck in the last century, we have so far kept paying them by postal payment slip (even though that disgusts me for a number of reasons). Except that the Wind bill has not arrived, and so we do not have the postal slip.

We call Wind, and they ask us to check that the address is correct. Obviously it is not. I live in the municipality of Venice, outside Zelarino, on the outskirts of Mestre, postcode (CAP) 30174 since forever… but that postcode covers half of northern Mestre and the neighbouring areas, so it is fairly large. While tidying up their customer records, Wind updated our address to 30174 Gazzera Venezia. Gazzera is an area on the other side of Mestre.

The Padua mail sorting centre apparently ignores the postcode completely, and instead uses the city to decide where to route the mail. And it routed our bill to the other side of the city… which caused such delays that on the due date it is still not here. Not that it is the first time (except that usually the delays happened even with the right address!).

Oh well, the time has come to catch up with the new century, and since my parents changed bank, I start looking into setting up direct debits for Wind and Enel. I pick up the Enel bill and see “30174 Zalarino Venezia”. It cannot be, this one is wrong too!

Aaaall right, www.prontoenel.it, and let’s try to pay this bill by direct debit. I enter all the data (note that if I use Ò in the surname, which has to be written in capitals, it gives me an error; I have to use ò and let it convert it itself if it wants), and I get a nice page of AVVISO (sic) telling me “DOMICILIAZIONE BANCARIA:Nessuna segnalazione predisposta”… I have the feeling it is a bug in their webapp.

Oh well, paper forms, and we do it by hand as always. In the meantime let’s change the billing address so that at least the bill arrives at the right place. I enter the home address (by the way, they make you pick Via from a list of possible street types), and put 30174 Mestre as the address, which is the most sensible. No, it tells me Mestre is not a municipality… thanks, I know. I select Venezia and call it a day… no, there is no Via Scaramuzza in Venezia. There is, however, Via Scaramuzza Everardo… except that, due to the form’s limit, which is even stated on the fields, the street can be at most 14 characters long. Obviously “Scaramuzza Everardo” is more than 14 characters, so it automatically truncates it to “Scaramuzza Eve”… which does not exist in Venezia.

One phone call to the call centre later (something that should take more time than using the online system, had it worked), the direct debit is sorted and the address is changed… I want to point out that for the operator on the phone Mestre is a valid option for the city, while through their website it is not.

Luckily, now with the direct debit I can enable delivery of the invoice by e-mail, so the address will more likely be needed for the complaints I file every year because of the terrible power supply I am stuck with.

Italians, a people taken for a ride

I don’t usually write political posts, or rather, I would prefer not to, because politics is not my field, even though I have fairly strong opinions. Just to frame the matter, I can say that yes, I am left-wing, markedly left-wing, even though I am honestly thinking of changing my vote at the next election to a somewhat more centrist party, but one with stronger ethics than what I see in the current left-wing parties.

In any case, when Bersani announced the famous decree to remove the top-up fee, I celebrated: «Finally an unjustified tax goes away». If you consider that in Italy you already pay VAT on services, also paying an extra to be able to spend your money seems very stupid… especially when it is a percentage higher than 2% of the total.

Then the tariff increases by Wind and the other companies began… Wind was (and partly still is) the company we use at home for mobile phones: I had one, my mother two, my sister two as well. My previous tariff (Wind10) let me call all operators at €.10/min and send SMS at €.10 as well, not bad. After the decree came into force, Wind had decided to move me to an almost doubled tariff: €.19/min and €.15 per message.

Okay, since the work number was already little used, and I already had a personal number that does not receive enough calls to justify keeping them separate, I decided to leave Wind and stay with 3, the operator of my other number. Then with the Nokia E61 I should be able to set up call screening to avoid being disturbed by work contacts when I do not intend to answer.

At the time 3 offered me the exact same tariff as Wind: €.10/min to everyone, €.10 for SMS. And when the decree arrived they had only decided to cancel the “Ricarica Power” offer (since it expired a month after the top-up, it was not allowed by the decree) and that was it.

The day before yesterday I got a message from 3, telling me that from the first of September my tariff will change. The new tariffs, besides restricting the validity of the so-called “autoricarica” for incoming calls to the months in which the phone was topped up (I top up €50 just once every three or four months), which matters relatively little to me because I do not receive that many calls anyway, raise the cost of SMS by 50%: €.15, as with Wind, Vodafone and TIM.

To call it ridiculous is an understatement.

In computing (or IT if we want to be cool and anglophone), prices go down, not up, because for the most part it is a matter of services, or of technology whose cost decreases with progress and large-scale production. Phone tariffs usually drop, and Skype (like many other VoIP services) has shown that it is a mostly virtual cost. There are flat-rate tariffs, today, even for calls across all of Europe and North America, which shows how negligible even the cost of intercontinental calls is.

And yet, an SMS costs €.15, as much as a quarter of an hour of conversation with Tokyo.

It has often been said that an SMS has a cost out of proportion to sending data over ADSL or other connection methods. Without comparing apples with pomegranates, let’s try a comparison between two “over the air” services: SMS and a UMTS connection, again from 3 in this case.

It is not true that an SMS is only 160 bytes: even though the limit is 160 characters, various metadata are sent along with it, at the very least the sender’s and recipient’s numbers, the number of the originating message centre, the message type (in the early days of GSM, when my sister had a mobile phone but at home we only had a fax machine, we usually used the fax-via-SMS service: for the same price, the message was sent to our phone number, where we printed the text), probably the encoding, the return information, and other similar information. Let’s assume as a worst case that an SMS has a PDU (Protocol Data Unit) of 1KB.

The cost of 1KB of data downloaded over UMTS without any particular offer is €.001, a tenth of a cent. An SMS would cost 150 times the price of a nearly equivalent over-the-air service. The difference therefore does not lie in the transmission technology: it lies in the cost of routing, of forwarding onto the other networks. While for an Internet connection this is a fairly cheap service even at enormous volumes (if I remember correctly, in France Free.fr even provides it free of charge to service providers), in Italy for SMS you have to go to the existing companies: Wind, Vodafone, TIM and 3. And logically, if three out of four have a given price for messages, they cannot allow the fourth to keep a lower price while maintaining its profit margins.

If this is not the definition of a cartel, I could not say what is. Where is the antitrust authority when you need it?

At this point, it would be worth my while to activate a UMTS flat rate, and use MSN to contact the people I care to contact. Too bad that I generally need SMS to contact those people I cannot reach online (I am almost always at home) or my mother, whom I could at most reach via email (and not always even that, because she is not always in front of the iBook I gave her, obviously).

Actually, maybe I would not even need the flat rate! With the suicidal price of SMS, even using IRC over UMTS would cost me next to nothing instead.

New phone – looking for a new provider

So, today I received my new phone, a shiny (well, not shiny because it’s opaque) Motorola V1075. I love it, good form factor, big but not too big, and I hear well during phone calls.

Now the problem is to choose a provider. I originally thought of using Vodafone, as that’s what most of my friends use, but I got a bad surprise when I looked for a tariff plan: all the old ones, which were created under the name Omnitel, before Vodafone acquired it from the Olivetti group, are still in place (and are the ones used by my friends), but cannot be activated; all the new ones have all the calls, to any provider, at the same price (like I have now on the Wind number)… but at one and a half times the price I have now! The only good things are the promotions, but they are time-limited, and I would still pay a monthly quota even if I don’t use them… yes, maybe I would pay less on some things, like SMS to Vodafone users, but whenever I actually make a phone call, I would spend all my savings.

I’ve asked my sister to procure me a SIM for my current provider, Wind, which, although it has limited services, seems quite good with respect to tariffs. My current plan is €.10/minute to every national provider (with €.10 at the answer), and €.10 for SMSs to any provider, national and international (tried that already, and it’s true). The bad side is that the coverage in this area is pretty bad on its own, and there’s no UMTS signal here.

The other alternative is 3, which covers this area with 3G signal and has a similar tariff, but I’m not sure about this either. I got reports of bad practices from them in the past, and that causes my doubts.