Press "Enter" to skip to content

Category: electronics

The Energy Detective TED 5000-G Teardown

Published February 2, 2011

Back when I owned a TED 5000-G, before realizing that it has a critical software design flaw which makes it unusable on my network, I decided to open up the enclosures and see what’s inside. Since it’s a power monitoring system which uses PLC (power line communication, one type of which is the familiar X10) to communicate to a data logger and an embedded webserver I figured it would be fairly interesting.

Here’s the teardown photos, with the more interesting chips called out. Links to full-res photos are in the top right corner of each page:

MTU:
    · Unopened
    · Enclosure Opened
    · PCB Top
    · PCB Bottom
        – Microchip PIC24FJ64GA004: Microcontroller.
        – NXP TD5051AT: Home automation modem. Used for PLC.
        – Cirrus Logic CS5461: Power measurement device; does the monitoring itself. EOL’d on 15-Dec-2006, Data Sheet Mirror (PDF).

Gateway:
    · Unopened
    · Enclosure Opened: ZigBee Daughter Board plugged into mainboard.
    · Mains Connection: Ground / earth pin is not connected.
    ZigBee Daughter Board:
        · PCB Top
        · PCB Bottom: Note printed antenna near bottom of photo.
            – Microchip PIC24FHJ64GA106: Microcontroller.
            – Microchip MRF24J40: IEEE 802.15.4 radio, used for ZigBee communications.
    Mainboard
        · PCB Top
            – Microchip ENC28J60: Ethernet Controller.
            – Microchip PIC24FHJ256xxnnn: Microcontroller. Can’t read entire part number.
            – Macronix MS25L3205D (PDF): 32Mbit Serial Flash
        · PCB Bottom
            – Vossel VS1307Z (PDF): Real-time clock, keeps time with main power off by automatically switching to backup source (CR2032).
            – NXP TD5051AT: Home automation modem used for PLC; same as in the MTU.
CTs:
    · CTs: Sealed, not easy to disassemble. Likely nothing interesting inside.

I was really looking forward to getting a TED, and save for the PLC quirks and the webserver bug that made it unusable, I really liked the device. The PCBs themselves also appear to be very well made, and I particularly appreciated that they were closed with simple Philips and Torx fasteners and thus easy to look inside of. If Energy, Inc. releases an updated version with the firmware fixed I’ll consider buying another one, particularly if they stop using PLC and move to all-ZigBee (or some other PAN) for communications from the MTU(s) to the Gateway.

9 Comments

CF Card Hole in Netgate alix2d13 Enclosure

Published January 28, 2011

This morning when a beta version of pfSense on my PC Engines alix2d13-based firewall crashed I decided to make it easier to swap the CompactFlash card from which the OS runs. While physical access to the card is not normally required to upgrade the OS, there have been a few cases recently where I had to remove the card and image it. After the third time of removing 12 fasteners just to remove the card I decided to follow pfSense developer Jim-P’s example cut a hole in my firewall’s enclosure.

After marking the CF card location in the case and stripping it, only three cuts with a small cut-off wheel were needed to make the long cuts, then the remaining bits of metal were easy to bend out of the way with a flat-blade screwdriver. A bit of quick smoothing and deburring work with small files resulted in a nice, smooth hole through which the CF card easily fits. While the card remains not hot swappable, it’ll be much easier to remove the card should I need to access the card from another machine. Since the card sits a bit inside the face of the enclosure I had to add a tape flag to make it easy to remove. Pushing it back in is a little awkward as well, but as this won’t be done much it shouldn’t be a problem.

Here’s a few photos taken tonight while cutting the hole in the case:

· After marking the enclosure was clamped to some very dense foam for cutting with a cutoff wheel.
· More cuts made with the cutoff wheel. After this point the metal was gently bent away and the hole was filed.
· Looking at the Netgate enclosure from inside showing the nice alignment with the CF card slot.
· Front view of the Netgate enclosure with a CF card hole cut in it.
· The CF card fits very nicely in the hole.
· View from inside showing how well the CF card fits.
· Because the CF card will not hang out of the slot tape was added to facilitate extraction.
· CF card placed in the alix2d13 board via the hole in the Netgate enclosure.

Now to wait for the next build to come out and reimage my CF card. This build should contain three ftp helper changes that should resolve the issue I had this morning. Hopefully a problem that I had with disappearing certificate authorities is also fixed.

Leave a Comment

TED 5000-G Webserver is a Deal-Breaker

Published January 19, 2011

Last week I received a TED 5000-G from Energy, Inc., one of their The Energy Detective products. This home power monitoring device sits in one’s electrical panel and logs energy consumption, calculates cost, and displays all this info in near-real time via some web-based software called Footprints. This software runs off of the Gateway piece of the system, and a live demonstration of it can be seen here.

Unfortunately, this software has one fatal flaw in that it in normal use in my network it responds to HTTP requests with HTTP/1.1 414 Request-URI Too Long. After not very much digging I found that this happens every time the HTTP request to the Gateway includes a cookie. When your browser has a cookie for a website any websites that are visited that are on subdomains of where the cookie was set will also be sent the cookie. Therefore, cookies set by my site (https://nuxx.net) also get set when visiting the Gateway’s internal address on my network (http://ted.home.nuxx.net) and thus the device doesn’t work.

Specifically, here’s Firefox on my main machine accessing the Gateway immediately after clearing cookies. Text in red is the request from my browser, and text in blue is the response from the Gateway redirecting my browser to Footprints.html. This is normal, expected behavior:

GET / HTTP/1.1
Host: ted.home.nuxx.net
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Expires:0
pragma:no-cache

<meta http-equiv="refresh" content="0;url=Footprints.html">

After this I visited nuxx.net where some simple Google Analytics tracking cookies were set and tried to access the gateway again. Note that the only difference is cookies being sent, and the 414 response:

GET / HTTP/1.1
Host: ted.home.nuxx.net
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: __utma=23010084.1066362494.1295494794.1295494794.1295494794.1; __utmb=23010084.1.10.1295494794; __utmc=23010084; __utmz=23010084.1295494795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 414 Request-URI Too Long
Connection: close

414 Request-URI Too Long: Buffer overflow detected

This problem makes the device unusable for me. There are two discussions about this issue in TED’s support forums about this issue (#1, #1 PNG Mirror, #2, #2 PNG Mirror) which indicate that there is only 100 bytes available to service the request and that the developers may be adding another 20 bytes.

As a workaround it’s proposed that the Gateway instead be accessed by only its hostname (without the domain name, eg: http://ted) or IP address (eg: http://192.168.0.17), which ensures that no cookies are sent because it’s unlikely that any would have ever been set for those addresses. I feel these workarounds are a stopgap at best and seriously fail if one ever wishes to access the TED data from the public internet or on a well-managed, convenient network. After all, we have DNS so that (potentially changing) IPs don’t need to be remembered and/or discovered, and FQDNs because hierarchal naming is good. It would be possible to use a proxy sitting in front of the Gateway to remove cookies and make the requests more acceptable to the firmware, but I’m not particularly interested running another server just to work around this device’s shortcomings.

Since a variety of cookies could end up being sent by a modern browser I don’t think that the developer’s proposed solution of adding 20 bytes to the buffer will not solve the problem. While I’ve got a limited knowledge of embedded development, I’d think that the developers should instead should simply discard the cookie when reading it into the buffer. After all, the cookie is plaintext in the frame, begins with Cookie:, is terminated with a standard \r\n, and just comes across from the Ethernet controller as serial data. I can’t see why it couldn’t be parsed out if it’s too large to stuff into a buffer. Then again, I suppose this issue could also be caused by clients that have a particularly long User-Agent, really long hostnames, or any other number of other things which could expand the size of the request.

(Thinking about this further, I also believe that only the GET / HTTP/1.1 is the URI which is the same length in both cases. Perhaps the Gateway should really be returning a 413 Request Entity Too Large if it feels the length of the request itself is too long?)

Today I called for an RMA for my TED 5000-G, and after receiving it called back to speak with tech support. I mentioned this issue to the person with whom I spoke, and unfortunately I don’t think he quite understood the problem and instead seemed to be offering to try upgrading the firmware to resolve it. He also stated that he doesn’t have access to firmware changelogs so he can’t tell me if the issue is fixed in a future or beta release, or even if it will be fixed. When I send the device back I’ll be including this letter explaining why I’m returning it. Save for this hugely annoying issue the device seemed to work rather well, so if Energy, Inc. can resolve the problem I’d love to keep it. However, something that doesn’t function with modern browsers and network setups isn’t worth $199.95.

(Mirrored forum discussions were captured at 23:09 EST on 19-Jan-2011. Software versions as reported in Footprints are as follows: Gateway Version 1.0.400, Daughterboard Version 1.0.48, Footprints Version 1.0.222, MTU Version 1.0.0. All information above is only representative of these versions.)

7 Comments

Angry Birds Without Ads Coming In 2011

Published January 19, 2011

A month ago I posted about my frustrations with video ads in Angry Birds on Android and how there was no pay option. At the same time I emailed Rovio to inform them of my frustration with the video ads and asked when a for-pay version of their software may be available. A couple days ago I received the following response from Rovio informing me that an option to pay and opt out of ads will become available later this year:

Hello Steve,

and thanksd for contacting us.

Sorry hear you decided to uninstall the game.

A payment option to opt out of the ads will be introduced worldwide this year.

Best Regards,

Oona Hilkamo
Angry Birds Community Champ
Rovio Mobile Ltd.

I’m anxiously looking forward to this because I do enjoy playing Angry Birds, but I simply do not want to support the software’s authors by viewing commercials.

1 Comment

Salty microSD Card

Published January 9, 2011

On Friday while out at lunch I found a microSD reader and card in the parking lot of a local Biggby Coffee. While it had been run over, was caked in salt, and appeared to have a cracked microSD card, I decided that I should try and see if it’ll work anyway. Unfortunately, after washing it in water and alcohol and drying it I found that the crack damaged the chip inside. Thus, when placed in a microSD reader, the card wasn’t detected and no data could be read.

Comparing the image above to this one (from Bunnie Huang‘s excellent article On MicroSD Problems) shows that the crack ran through the area where silicon lies. This photo, where I finished breaking open the card after failing to read it shows a thin silver line which I believe to be the chip itself.

If you’d like to see more photos of the microSD card that I found and my attempt at recovering data from it, check them out here: Salty microSD Card.

Leave a Comment

Roomba is Not So Smart

Published January 5, 2011

Upon arriving home today I found this. Danielle’s Roomba had driven away from next to its dock, leaving telltale tire marks the whole way, and died. Before leaving for work I set the Roomba up with a virtual wall so that it’d run in a small part of my living room and the kitchen, all of which is within sight of the dock and no more than 20′ long. Once again the Roomba died before it found its way back to the dock.

I’m starting to think the battery is going dead. Thus far it hadn’t docked successfully except for the few times that I placed it in front of the dock and commanded it to charge itself.

Leave a Comment

Geiger Counter Headphone Jack Fixed

Published December 30, 2010

Thanks to my dad, many years ago I came into possession of a fair amount of cold war-era Civil Defense radiological monitoring equipment. One such item is the CDV-700 Geiger counter pictured above. For years the headphone jack had been broken which meant that I couldn’t use it to hear the telltale clicks whenever it detected radiation.

After a friend stopped by tonight to pick up some parts (a box of tubes that had been collecting dust) our conversation had me wondering if some of the things around my house are radioactive, so I set to work fixing the rather odd headphone jack. After fixing it I was able to establish that none of the odd tubes or aircraft equipment in my living room was radioactive.

Hopefully in the next few days (or weeks) I’ll find the time to photograph all of this old gear just to document it. It’s not particularly special or rare equipment, but it was a very physical tool through which I learned about both the fear of nuclear war and how a society can be placated by giving it the perception of control in the face of overwhelming force. I love having this stuff around for both the technical and historical aspect of such detection equipment and the memories of playing around with it while growing up.

2 Comments

Old Computers: Recycled

Published December 29, 2010

With today’s trip to Best Buy to take advantage of their recycling program I have completely done away with all my old computers, cases, and monitors. While I was able to give some away, most of it was dropped off at Best Buy where they (in Michigan) accept up to seven hard drive-less items per day (including CRTs) at zero cost.

Despite not having used some of this equipment in over ten years (such as the Dell Dimension XPS P90 pictured above, the first computer that I ever bought for myself) I can’t help but feel like I’ve given up something important. These are (were?) tools that I’d spent tens of thousands of hours building, using, and maintaining. Still, it’s just old stuff, and getting rid of it is for the best. I was not using this equipment and now instead of being clutter it’s being disposed of properly. Also, it’s probably best for me to dispose of this stuff now instead of in a few years when electronics recycling might not be so accessible or affordable.

1 Comment

Successful Ceiling Fan Modification

Published December 21, 2010

For the last two or three works the ceiling fan in my bedroom hasn’t been responding to signals sent by the remote control leaving us with only a dim table lamp to illuminate the room. Not long after cleaning the contacts in the remote the fan would occasionally fail to respond to signals from the remote unless its power was cycled by the light switch under the remote holder. After flipping the switch off then on it would then work for a few days before needing another reset, but this failing state only lasted for a few weeks before the system simply failed leaving neither the light nor fan usable.

Frustrated by this I decided to bypass the wireless entirely and switch the unit to a typical fan/light dual switch setup on the wall. I figured that the light kit and fan motor itself were still fine so I set to work eliminating the failed fan control module. Having a spare dual-switch for the wall and a third (red) wire already between the electrical boxes made the house wiring part easy, but I still had some work to do modifying the fan. By reading Ken L. Klaser’s article Ceiling Fan Capacitor Solutions I was able to understand the basics of fan speed control, but this this schematic which he linked to was most helpful.

After looking over the control board to understand how the wires to the two coils in the motor were connected I came up with this schematic of how I felt the fan would be powered when set to run slow and in reverse. Removing the capacitors and building a test assembly showed that my initial thought was right, and this resulted in my building the assembly shown above. The fan now runs in reverse and on slow speed when powered and the wireless circuitry has found its place in the trash.

I could have purchased a new selector switch and capacitor assembly to have variable speeds and fitted both it and DPDT switch into the housing to offer the original control selection, but throughout its life the fan was almost exclusively used on low and in reverse, so I didn’t see the need. The fan also looks as it originally did with no new switches sticking out of the side or bits hanging off. I may add these selectors in the future if they are needed, but I don’t see that happening. Thus this was a $0 modification, costing only a few hours of time to learn something new and then redo the wiring.

(Yes, I realize that I should have used a longer piece of clear shrink tubing to better facilitate potting the ends. By the time I realized this I had most of the harness together and decided that simple stress relief and a bit of insulation should be sufficient.)

15 Comments

Video Ads in Angry Birds on Android

Published December 17, 2010

Angry Birds (Rovio’s Site), the extremely popular (and quite fun) physics / artillery / puzzle game, is only available in ad-supported format on Android. Initially I didn’t mind this, as the ads started out as simple banners taking up a small portion of the top of the screen. Within the past few days (perhaps after an update?) there are now video ads present in the game. One plays on game launch and then another will play every few levels.

While the video ads can be skipped I find the idea of them terribly irritating. They play sound even if the game itself has been muted and eat up bandwidth. I’d much rather pay for the game than have to see this crap in order to play, so I’ve uninstalled it.

UPDATE: Rovio has responded to the note that I send about this, and apparantly starting some time in 2001 it will be possible to pay to circumvent the ads in Angry Birds.

6 Comments