How secure are the Allwinner SOCs we use in our OLinuXino boards?


From time to time customers ask us:

“You are using Chinese SOCs. I’ve heard that the Chinese government forces all Chinese vendors to place back-doors in their SOCs to spy on you. Can you guarantee that your Linux boards have no back doors to spy on us?”

I already posted about the Linux-Sunxi community, which develops the mainline Linux support for Allwinner SOCs. What I forgot to mention is that most of the SOC feature support and tuning they do is done almost without any official help or documentation from Allwinner, and is based mostly on tips from Allwinner employees and on reverse engineering.

I do remember that the A20 CAN module was not mentioned at all in the Allwinner datasheets at the beginning, and the Linux-Sunxi developers found it while hacking the chip.

So I will have to disappoint the people who believe in such myths: no. A20 chips have been around for quite some time now and there is nothing hidden inside. Even the Boot ROM, the code which resides in the SOC internal ROM and is executed first, has been disassembled and is known code.

This certainly does not give any warranty that these SOCs are bug free, or that someone may not later find and exploit some bugs (I already wrote about the level of the SOC software developers in my previous post) to create a back door and install malware or spyware. But this is not done intentionally, and IMO it is above the capacity of the software developers working at the SOC vendors.

I still remember that a few years ago Allwinner released an SDK in which they had forgotten to remove the debug flags, so that if you send the message “rootmydevice” to /proc/sunxi_debug/sunxi_debug, you get root privileges. But was this intentional and forced by the Chinese government? I doubt it.
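A defensive check for the debug node mentioned above, as an added example that is not code from the original post. The optional proc-root argument is an assumption of this example, so that the check can also be exercised against a test directory:

```sh
#!/bin/sh
# Added example: report whether the Allwinner debug node named in the post is
# exposed by the running kernel. It only inspects the node; it never writes to it.
# The optional argument (default /proc) is this example's assumption, for testing.
check_sunxi_debug() {
  node="${1:-/proc}/sunxi_debug/sunxi_debug"
  if [ ! -e "$node" ]; then
    echo "absent"
  elif [ -n "$(find "$node" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
    # Mode bit 002 set: any local user may write to the node.
    echo "present-world-writable"
  else
    echo "present"
  fi
}

check_sunxi_debug /proc
```

Any result other than "absent" means the kernel was built with the debug code left in and should be replaced with a build that does not include it.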

We build our Linux images from the Armbian project sources using their repositories, and our images have MD5 checksums, so if you load our Linux images and use them on our boards, we are sure there are no back doors. I know the guys behind the Armbian project and I can guarantee they do not work for the Chinese government.

Now you can say: if you found an undocumented CAN module inside the SOC, there may be other undocumented modules as well, which could spy on us. Yes, this is possible, but even if there are such hidden resources, the software we run on the SOC does not take advantage of them or activate them. You can always monitor your USB/LAN etc. traffic and see what information goes outside the chip, and so far, in the 6 years the A20 has existed, no one has ever detected such suspicious traffic.

Participate in our Weekend Brainstorm Discussion and you have a chance to win a Pioneer-FreedomBox-HSK!


This week we started the sales of Pioneer-FreedomBox Home Server Kits and got a lot of exposure on the social networks. Immediately people started to send us ideas on how to improve the product and make it even better.

This is the beauty of Open Source: everything is open, and everyone can check and review the sources and advise what can be done better and how.

Even regular users who have no great knowledge of software and hardware contribute ideas and tips about the features they miss.

We are already thinking of designing special hardware with four SATA interfaces, which would allow 2 or 4 HDDs to work in RAID, thus improving the data storage capacity and reliability.

Another direction we are thinking about is how to release a lower cost version with only an SD card, no battery UPS backup and a slower Ethernet interface, which would get closer to the dream of Mr. Moglen (FreedomBox Foundation founder) of a $29 plug server.

Many people asked why the FreedomBox software does not include a private e-mail server, but only a client. The major problem in implementing it is how to keep such a service clean: spammers may compromise your ISP by infecting computers to send e-mails, your ISP's IP addresses may then be blacklisted, and so you can lose your ability to send e-mails for reasons beyond your control. We would love to hear your ideas about this.

We got an interesting tip: add the possibility for two or more Pioneer-FreedomBox-HSKs to work in sync and backup/mirror the data while being physically separated by a long distance. The idea is to keep your information safe even if one of the servers is stolen, broken or bombed 🙂 This would be easy to do with rsync.

Our challenge for you this weekend is to provoke a discussion about what new software feature or hardware improvement you would like to see in Pioneer-FreedomBox-HSK.

You can discuss here on our blog, on Twitter, Facebook or Mastodon.

One Pioneer-FreedomBox-HSK will be given away on Monday to a random participant.

Have a nice weekend!

UPDATE-2019-04-30: sorry, Monday was part of the Easter holidays so we couldn’t post the recap of the Weekend Discussion, but here is a summary of your feedback:

About the Software:

  1. A number of people requested PiHole to be included. What is PiHole? It’s a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. It’s a network level ad and spyware blocker.
  2. Many requested NextCloud to be added to FreedomBox. It duplicates some of the existing software in FreedomBox.
  3. Some requested a home Git server to be included, but if you want to work on an Open Source project, hiding your code in a private home Git server may not be the best approach.
  4. LibreSSL as an alternative to OpenSSL.
  5. A Diaspora pod may be good, but I have no idea how many resources it needs.
  6. WireGuard as an alternative to OpenVPN.
  7. IPFS: we admit we had never heard of it before, but it looks cool.
  8. Snips: this looks like a nice open source alternative to Alexa and Google Assistant.
  9. Btrfs
  10. FreshRSS
  11. Matrix/Riot
  12. HomeAssistant: not sure how this relates to the FreedomBox goals of a distributed Internet and privacy, but it relates well to a home server.
  13. Bitwarden
  14. Federation, i.e. two FreedomBoxes that can replicate/backup each other's data without having access to each other's data.
  15. Containerized services (not sure how fast virtualization will work on our current processor and memory).
  16. Encrypted e-mail server

About the Hardware:

  1. RAID.
  2. Kill switch to wipe encryption key.
  3. Low cost model just SD-card and Ethernet.
  4. Dual Ethernet.
  5. Option for more RAM.
  6. WiFi/BLE: this may be a conflict with Debian, as they do not allow binary blob firmware.
  7. mSATA / M.2
  8. miniPCIe.
  9. USB 3.0.
  10. Microphone, Speaker.
  11. UFS cards support.
  12. solar panel power supply support.

Wow a lot to consider 🙂 Thanks for your incredible feedback!

Random.org selected @Benjaminlj@mastodon.social as our winner!

FreedomBox – your private Box of Freedom for Decentralizing the Internet and keeping your privacy away from the Big Brother


We are pleased to announce that Pioneer-FreedomBox Home Server Kit is now in stock.

You can read more about how FreedomBox free open source software project started in the FreedomBox Foundation press release.

FreedomBox software has been in development for 8 years and has got a lot of coverage in the USA, India and Russia.

Olimex’s OLinuXino Open Source Hardware Linux Single Board Computers are a natural match for the FreedomBox Free Open Source Software.

We are very proud that we have been selected by the FreedomBox Foundation as the hardware manufacturing partner for the Pioneer-FreedomBox Home Server Kit.

What makes OLinuXino LIME2 a good platform for a Home Server Kit is:

  • The Low Power ARM Dual core Cortex-A7 processor running blob free mainline Linux;
  • Native SATA interface for connecting external SATA HDDs with power supply backup;
  • LiPo battery UPS power backup supply with Power Management Unit and Step-Up converters which allow Pioneer-FreedomBox-HSK to run 4-5 hours on battery;
  • Metal enclosure;
  • power supply adapter with plug adapters for EU, US, UK power supply sockets;
  • 32GB micro SD-card for file storage;

What you get with FreedomBox is:

  • Tor browser
  • Private encrypted file sharing
  • Private encrypted chat
  • Peer to Peer file sharing
  • Voice chat
  • Web proxy
  • Virtual Private Network
  • IRC client
  • Private Calendar and Address book
  • File synchronization
  • Distributed File Storage
  • Your own hosted Wiki and Blog

All these features are configurable with a simple mouse click.


Open Source Hardware ESP32-POE-ISO is now in stock and we are very proud of the result


We are very proud of our new ESP32-POE-ISO and delighted to announce it’s already in stock ready for order!

What did we do with this improved version of the low cost ESP32-POE Power over Ethernet solution for IoT?

  1. As many requested, we added 3000VDC galvanic isolation. Now you can program / debug while connected to a PoE switch or router;
  2. Many asked for more GPIOs, so we set the SD-card in 1 bit mode and this way released 3 GPIO pins for other use;
  3. We got hints that the new Espressif SDK allows ultra deep sleep modes for ESP32, and we re-designed the power supply part so that ESP32-POE-ISO now has consumption down to 200uA (130uA of which are taken by the ESP32-WROOM-32D module). The rest of the board, without the module, consumes just 70uA;
  4. As per your request, the battery level can now optionally be monitored with the ESP32 ADC;
  5. There is an external power detection option, so your software will be aware when it runs solely on battery and when it has plenty of power;
  6. The isolated DCDC we use is 2W and provides 400mA @5V. 100mA are reserved for the battery charge (available if no battery is connected) and 100mA are provided for ESP32, which leaves up to 200mA @5V for your additional circuit.

We love to listen to our customers and we did our best to fulfil most of the requests we got with this new version.

A64-OLinuXino got mainline Linux Kernel 5.0 images


Linux kernel 5.0 was just released, and as we were working this week on the release of a mainline Linux image for A64-OLinuXino (until now it had the ugly Android based 3.10 kernel), we decided to release it with the latest kernel.

The images are available on our FTP.

There are two images: Debian headless and Ubuntu desktop.

Known issues with these images:

  • LCDs are not supported yet; only HDMI output is available. We need one more week to figure out how to automatically detect whether Ethernet or LCD is enabled (there is a jumper on the board which switches between LCD and Ethernet, as both share pins and can’t work together), so that the DTS configuration is made automatically at boot time.
  • eMMC does not work in the fastest possible mode yet. We need some time; right now 50MB/s is the maximum read/write speed instead of the 100-200MB/s which the installed eMMC supports. We will update the image soon with HS200/400 modes enabled.
  • No CPU thermal. A64 has 3 thermal zones: CPU, GPU0 and GPU1. The driver doesn’t support monitoring them.

How to build the images is explained here.

Mainline Linux Kernel 5.0 images for A13, A20 and A33 OLinuXino boards and SOMs are in progress.

LoRa experiments in Plovdiv


We have been working for some months on OSHW LoRa nodes, and our goal is to bring up a LoRaWAN network, free to use for non-profit Smart City solutions, which will cover the city of Plovdiv.

Yesterday we installed our first LoRaWAN gateway, made with T2-OLinuXino-LIME2-e16GBs16MB + RK831 + a +6dBi rod antenna, on the Rilon Building, which is roughly in the city center and has a height good for antenna installation.

As you can see on the map above, “Raspberry Pi” is hardcoded in the RK831 firmware, but do not worry, there is an industrial grade Linux computer in the gateway.

We started experimenting with our LoRa868 and MOD-LoRa868 modules and made a portable GPS tracker device like this:

The results are nice. We cover a circle of almost 2km around the antenna, with a few spots which are shadowed by tall buildings.

The secret of the long range is the good gain of the gateway antenna!

We really are impatient to release these LoRa gadgets as soon as possible, but unfortunately it takes much more time than we expected.

There were a lot of issues with the Semtech/ARMmbed reference designs: for example, the RF part of their 868MHz design actually has component values which make it a 915MHz device, and vice versa. We spent weeks trying to understand why the communication distance was not as good as expected, before we realized that we were using 915MHz LoRa nodes with 868MHz antennas! Once we get everything complete and tested, we will put our boards on the web for sale and publish their correct schematics and component values as OSHW, so others will not waste their time like we did.

One issue we encountered with the RK831 gateway is that it freezes from time to time when it receives malformed packets, and needs a restart. As the RK831 firmware is not open source, we can’t debug the cause of this problem. The workaround for now is that when the host loses connection with the gateway, it just reboots the latter. Really not the most elegant solution, but so far we can’t do anything else.

We are preparing two more gateways to install in the next days, which will cover more parts of the city.

How to use A20 CAN interface with the A20 universal Armbian image for OLinuXino


To use the A20 CAN interface you need an A20-OLinuXino board and an A20-CAN board.

Then you have to install the Armbian A20 CAN overlay:

$ sudo armbian-add-overlay <path_to_the_dts_file>

After that, connect A20-CAN to your OLinuXino and reboot.

You can see if CAN is available now:

$ ifconfig -a

   can0     Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
            NOARP MTU:16 Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:10
            RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
            Interrupt:51

 

To use the CAN interface you can install can-utils and set up the CAN interface (changing the link settings requires root, hence sudo):

$ sudo apt-get install can-utils
$ sudo ip link set can0 down
$ sudo ip link set can0 type can bitrate 100000 triple-sampling on loopback off
$ sudo ip link set can0 up

Now connect A20-CAN to the CAN network two wire interface.

To send a packet over CAN use:

cansend <can_interface> <packet>

For instance:

$ cansend can0 5AA#10.10.10

To sniff CAN network messages you can use candump:

$ candump can0

Now you can log your car's CAN network messages and interpret them. There is plenty of information on the web about the different messages exchanged on a car's CAN bus.
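As a first step in interpreting a log, the added example below (not code from the original post) summarises the default text output of candump per CAN ID and counts lines that do not parse. It assumes classic CAN data frames in candump's default format, and the sample frames are constructed for illustration:

```sh
#!/bin/sh
# Added example: summarise the default text output of `candump can0`.
# Assumes classic CAN data frames, e.g. "  can0  5AA   [3]  10 10 10".

# Constructed sample input (not captured from a real bus).
sample_frames() {
  cat <<'EOF'
  can0  5AA   [3]  10 10 10
  can0  5AA   [3]  10 10 11
  can0  123   [2]  DE AD
  can0  123   [4]  DE AD
  can0  18FEF100   [8]  00 11 22 33 44 55 66 77
this line is not a frame
EOF
}

# Prints "<ID> <frame count> <last payload>" per CAN ID, then "malformed <n>".
summarize_candump() {
  awk '
    NF == 0 { next }                       # ignore blank lines
    {
      id = toupper($2); ok = 1
      # Standard IDs are printed as 3 hex digits, extended ones as 8.
      if (id !~ /^[0-9A-F]+$/ || (length(id) != 3 && length(id) != 8)) ok = 0
      if ($3 !~ /^\[[0-8]\]$/) ok = 0      # classic CAN carries 0..8 bytes
      dlc = substr($3, 2, 1) + 0
      if (NF - 3 != dlc) ok = 0            # byte count must match the length field
      data = ""
      for (i = 4; i <= NF; i++) {
        if ($i !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) ok = 0
        data = data (i > 4 ? " " : "") toupper($i)
      }
      if (!ok) { bad++; next }
      count[id]++
      last[id] = (data == "" ? "-" : data)
    }
    END {
      for (id in count) print id, count[id], last[id]
      print "malformed", bad + 0
    }' | LC_ALL=C sort                     # upper-case hex IDs sort before "malformed"
}

sample_frames | summarize_candump
```

On a live bus the same function can be fed directly, for example with candump can0 | summarize_candump, stopping the capture with Ctrl-C.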
