D-Link DWL-120 Hacking/Probing

I found 3 or 4 of these at a garage sale a few years ago for a few bucks, and I am (surprisingly) just cracking them open now.

On the front, it is marked as D-Link DWL-120 11Mbps Wireless USB Adapter; on the back are FCC ID# MXF-WL280, H/W: B2, F/W: 2.25.

On the bottom of the PCB, we have the following chips:

  • Atmel AT76C503A: Wireless LAN MAC Unit with ARM7TDMI RISC Processor
  • Atmel AT25040N: 4K (512 x 8) SPI Serial EEPROM
  • tmTECH T14L1024N: 128 x 9 High-Speed CMOS Static RAM
  • Intersil HFA3861BIN: Direct Sequence Spread Spectrum Baseband Processor

On the top of the PCB (under the RF shield), we have the following chips:

  • Intersil HFA3683AIN: 2.4GHz RF/IF Converter and Synthesizer
  • Intersil HFA3783IN: I/Q Modulator/Demodulator and Synthesizer
  • Intersil HFA3983IV: 2.4GHz Power Amplifier and Detector

I plugged it into my i386-based laptop (my x64 desktop doesn’t have drivers) and got this dmesg:

[   80.592101] usb 1-2: new full speed USB device using uhci_hcd and address 2
[   80.763204] usb 1-2: configuration #1 chosen from 1 choice
[   81.504200] cfg80211: Using static regulatory domain info
[   81.504209] cfg80211: Regulatory domain: US
[   81.504215] 	(start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[   81.504224] 	(2402000 KHz - 2472000 KHz @ 40000 KHz), (600 mBi, 2700 mBm)
[   81.504233] 	(5170000 KHz - 5190000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
[   81.504241] 	(5190000 KHz - 5210000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
[   81.504248] 	(5210000 KHz - 5230000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
[   81.504256] 	(5230000 KHz - 5330000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
[   81.504264] 	(5735000 KHz - 5835000 KHz @ 40000 KHz), (600 mBi, 3000 mBm)
[   81.504290] cfg80211: Calling CRDA for country: US
[   81.654555] cfg80211: Regulatory domain changed to country: US
[   81.654567] 	(start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[   81.654577] 	(2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
[   81.654585] 	(5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
[   81.654593] 	(5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   81.654601] 	(5490000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   81.654609] 	(5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
[   81.912231] Atmel at76x USB Wireless LAN Driver 0.17 loading
[   81.912307] usb 1-2: firmware: requesting atmel_at76c503-i3861.bin
[   81.965349] usb 1-2: using firmware atmel_at76c503-i3861.bin (version 0.90.0-44)
[   81.967174] at76c50x-usb 1-2:1.0: downloading internal firmware
[   84.329808] usb 1-2: reset full speed USB device using uhci_hcd and address 2
[   84.477154] usb 1-2: device firmware changed
[   84.477265] usbcore: registered new interface driver at76c50x-usb
[   84.492786] usb 1-2: USB disconnect, address 2
[   84.604098] usb 1-2: new full speed USB device using uhci_hcd and address 3
[   84.781393] usb 1-2: configuration #1 chosen from 1 choice
[   84.789161] at76c50x-usb 1-2:1.0: downloading external firmware
[   85.032206] phy0: Selected rate control algorithm 'minstrel'
[   85.034924] phy0: USB 1-2:1.0, MAC 00:05:5d:f1:9d:39, firmware 0.90.0-44
[   85.034935] phy0: regulatory domain 0x00: <unknown>
[   85.383777] udev: renamed network interface wlan0 to wlan1
[   89.584738] ADDRCONF(NETDEV_UP): wlan1: link is not ready

WIP: Cantenna

This shows step by step how I made a Cantenna. This is a simplified tl;dr version of “How to build a tin can waveguide antenna” by Gregory Rehm.

Materials:

  • 1x Can, washed (hapi HOT Wasabi Peas [450g])
  • 1x N-type, Female Chassis-mount connector (Digikey# 367-1081-ND)
  • 1x Piece of copper wire
  • 4x Nuts & bolts

Prep:

  1. Measure diameter of the can -> 3.9″
  2. Calculate wavelength using waveguide calculator found here.
  3. Mark a point 1/4 Wavelength up from the bottom (closed) side of the can.
  4. Measure the hole to be cut (diameter of part of the connector that will be going inside the can) -> 0.43″
  5. Drill marked point to measured diameter (0.43″)
  6. Dry-fit the connector, and mark holes for the screws or nuts/bolts (if any)
  7. Drill marked points to the diameter of your connector’s holes (if any)
  8. Cut a piece of copper wire so that when it is in the copper sleeve on the connector, the total length of the copper sleeve and piece of copper is exactly 1.21″ (or as close as you can humanly get to it), and solder it in place.
  9. Mount the connector in the hole in the can and secure it with screws or nuts/bolts (if any). Make sure to mount the heads of the screws or bolts inside the can to reduce antenna obstruction.
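
The two lengths used in the Prep steps can be computed directly from the can diameter. The following is an added example, not code from this post or from Gregory Rehm's article. It assumes a 2.44 GHz mid-band design frequency (which reproduces the 1.21″ probe length in step 8), that the 1/4 wavelength in step 3 is a quarter of the guide wavelength inside the can, and the standard circular-waveguide cutoff formulas.

```python
import math

C_MM_PER_S = 299_792_458_000.0   # speed of light in mm/s
MM_PER_INCH = 25.4
P11_TE = 1.8412   # first root of J1'(x): TE11, the dominant circular-waveguide mode
P01_TM = 2.4048   # first root of J0(x): TM01, the next mode to appear


def cutoff_mhz(diameter_in, root):
    """Cutoff frequency (MHz) of a circular-waveguide mode with the given Bessel root."""
    cutoff_wavelength_mm = math.pi * diameter_in * MM_PER_INCH / root
    return C_MM_PER_S / cutoff_wavelength_mm / 1e6


def cantenna_dimensions(diameter_in, freq_mhz=2440.0):
    """Return the probe position and probe length, in inches, for a can.

    freq_mhz defaults to 2440 MHz, an assumed mid-band design frequency.
    """
    te11 = cutoff_mhz(diameter_in, P11_TE)
    tm01 = cutoff_mhz(diameter_in, P01_TM)
    if freq_mhz <= te11:
        # Below the TE11 cutoff nothing propagates: the can is too narrow.
        raise ValueError(f"{freq_mhz} MHz is below the TE11 cutoff ({te11:.0f} MHz)")
    free_space_in = C_MM_PER_S / (freq_mhz * 1e6) / MM_PER_INCH
    # Guide wavelength is longer than free-space wavelength near cutoff.
    guide_in = free_space_in / math.sqrt(1.0 - (te11 / freq_mhz) ** 2)
    return {
        "te11_cutoff_mhz": te11,
        "tm01_cutoff_mhz": tm01,
        "single_mode": freq_mhz < tm01,        # True if only TE11 propagates
        "probe_from_back_in": guide_in / 4,    # step 3: distance from closed end
        "probe_length_in": free_space_in / 4,  # step 8: sleeve plus wire length
    }


if __name__ == "__main__":
    # 3.9 inches is the can diameter measured in step 1.
    for name, value in cantenna_dimensions(3.9).items():
        print(f"{name}: {value if isinstance(value, bool) else round(value, 2)}")
```

For the 3.9″ can this puts the connector about 1.76″ up from the closed end. It also shows that the TM01 cutoff (about 2317 MHz) falls below the 2.4 GHz band, so a can this wide is not strictly single-mode.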

Wii Off-brand Nunchuck Internals

Nyko “Kämä” Wired Remote:
MCU: Atmel ATMega 48 TQFP (The PCB also has pads for MLF package, based on availability?)
Accelerometer: Freescale A7260
EEPROM: Macronix (MXIC) MX25L4005 (4 Mbit)

Definitely a good nunchuck for hacking; it’s well-built, and the analog stick appears to be mostly metal-based, instead of plastic like others.

I wonder if the ATMega is read-locked? If so, I wonder how hard it would be to rewrite/repurpose it…

Biogenik OG1-CHUK:
The only thing of interest was a single epoxy blob on the PCB.

Madcatz Z-CHUK Wireless: (FCCID: P25S1MC5746U1709C, 2.405-2.475GHz)
MCU: Epoxy blob of unknown origin
Accelerometer: Unknown. “033 A841 013”?
EEPROM: STMicroelectronics M24C02 (2 Kbit)

Wireless is nice, and might make for some interesting projects, and at $10/piece from XSCargo, it’s definitely an affordable way to get into wireless (and accelerometers, etc). The internals of this remote look almost identical to the actual Wii Nunchuck, with the exception of the battery and transmitter.

“Nintendo” and “Wii” are registered trademarks of Nintendo of America Inc. This site is not affiliated with, or endorsed by, Nintendo, Madcatz or Nyko.

Targus RemoteTunes for iPod

This is the Targus RemoteTunes(tm) for iPod. I got it from XSCargo, where they currently have them available for CDN$9.99.

Its guts include a transmitter and receiver pair. Even considering I don’t have an iPod to use this with, for $10.. I’m not arguing.

The receiver has:

The transmitter has:

The receiver and transmitter both have some unused pins on them:

Receiver (Base):

  • J: ICSP Data 
  • C: ICSP Clock
  • V: VPP / !MCLR
  • G: Ground
  • +: 3.3V from iPod

    PIC Pins:

  1. Power (Vcc = 3.3V)
  2. ?
  3. (Something to do with the output jack)
  4. VPP (Programming Voltage) / !MCLR (Reset)
  5. Data (From HiMark Pin 8)
  6. ICSP Clock
  7. ICSP Data / Serial Transmit
  8. Ground

    HiMark Pins: (Pages 11-12 of Datasheet. Pins I especially care about are un-italicized.)

  1. Oscillator 2 (From Tunable Coil)
  2. IF filter output
  3. Comparator input A
  4. Comparator input B
  5. Comparator offset adjustment
  6. Ground
  7. Ground
  8. Data (to PIC Pin 5)
  9. Disable
  10. Comparator input C
  11. Limiter Input
  12. Limiter Feedback A
  13. Limiter Feedback B
  14. RF Amplifier Input (Virf)
  15. RF Amplifier Ground (Vee)
  16. RF Amplifier Output (Vorf) 
  17. Mixer Input
  18. Power (Vcc = 3.3V)
  19. Power (Vcc = 3.3V)
  20. Oscillator 1 (To Tunable Coil)

Transmitter (Remote):

  • J: VPP / !MCLR
  • C: Serial Programming Clock
  • Unlettered: Serial Programming Data
  • G: Ground
  • +: Batteries (6V)

    PIC Pins:

  1. Power (Batteries)
  2. ?
  3. Play/Pause Button (Center)
  4. VPP (Programming Voltage) / !MCLR (Reset)
  5. Volume Down (Bottom Left)
  6. Volume Up (Bottom Right)
  7. ?
  8. LED
  9. ?
  10. Crystal?
  11. ?
  12. Serial Programming Clock / Back Button (Top Left)
  13. Serial Programming Data / Forward (Top Right)
  14. Ground 

See also:
Apple iPod Jack Pinout – Explains the pinout and protocol for 2nd and 3rd Generation iPods.

(iPod is a trademark of Apple Computer, Inc.)