Archive for the 'development' Category


Improved bash directory bookmarking

I’d recently found and decided to give it a try.

It’s simple and quite stable. AND you can change it without much thinking (although in bash this could end up in sadness).

To use, just add to your .bashrc. The ZSH and OSX versions are available in the original blogpost!

I’ve updated it to:

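export MARKPATH=$HOME/.marks
# Create the bookmark directory on first use
test -d "$MARKPATH" || (
    echo "Creating dir MARKPATH=$MARKPATH ..."
    mkdir "$MARKPATH"
)
# jump <mark>: cd to the directory the mark's symlink points to
function jump {
    if [[ "$1" != "" ]]; then
        cd -P "$MARKPATH/$1" 2>/dev/null || echo "No such mark: $1"
    else
        # in bash, $0 is the shell's name inside a function, so use FUNCNAME
        echo "Usage: ${FUNCNAME[0]} <mark>"
    fi
}
# mark <name>: bookmark the current directory
function mark {
    mkdir -p "$MARKPATH"; ln -s "$(pwd)" "$MARKPATH/$1"
}
# unmark <name>: remove a bookmark (asks for confirmation)
function unmark {
    if [[ "$1" != "" ]]; then
        rm -i "$MARKPATH/$1"
    else
        echo "Usage: ${FUNCNAME[0]} <mark>"
    fi
}
# marks: list all bookmarks and their targets
function marks {
    ls -l "$MARKPATH" | sed 's/  / /g' | cut -d' ' -f9- | sed 's/ -/\t-/g' | grep -v '^$'
}

# Tab completion: offer mark names for the first argument only
_completemarks() {
    if [[ $COMP_CWORD -eq 1 ]]; then
        local curw=${COMP_WORDS[COMP_CWORD]}
        local wordlist=$(find "$MARKPATH" -type l -printf "%f\n")
        COMPREPLY=($(compgen -W '${wordlist[@]}' -- "$curw"))
    fi
    return 0
}
complete -F _completemarks jump unmark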


  • create directory if it does not exist
  • do not accept ‘jump’ and ‘unmark’ without argument
  • do not print empty lines in ‘marks’
  • autocomplete only first argument


  • check if directory of mark is available

Bluetooth TTL module and Murphy

I bought a new Bluetooth Serial TTL module at eBay for a project of mine, which I will probably be documenting here.

It is from MDFLY, as can be seen in the pictures below. The model is RF-BT0417CB.

Since at the time I had not yet received my Arduino 2009, a friend of mine suggested I test it with his Bus Pirate v3.5 (BP for short).

He had bought one but never really used it, so there were the two of us, trying to get the BP to work. It is accessed as a serial port over USB, and to talk to it we discovered that screen does emulate serial connections!

screen /dev/ttyUSB0 115200

(BAUD rate does not need to be 115200, could be any other probably, and device may not be /dev/ttyUSB0… check your dmesg)

Obs.: screen is a Linux program, not Windows. Deal with it or install Cygwin. ‘Ctrl+a, k, y’ kills the screen so you can close it if you need to (you probably will).

After connecting, the screen is black. Hit ENTER to have ‘HiZ>’ appear. Now we need to set the mode that the BP will operate in, since it has many available features.

1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
x. exit(without change)

Set serial port speed: (bps)
1. 300
2. 1200
3. 2400
4. 4800
5. 9600
6. 19200
7. 38400
8. 57600
9. 115200
10. BRG raw value

Data bits and parity:
1. 8, NONE *default
2. 8, EVEN
3. 8, ODD
4. 9, NONE
Stop bits:
1. 1 *default
2. 2
Receive polarity:
1. Idle 1 *default
2. Idle 0
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)

UART is so the BP can communicate through serial, 9600 is normally the default speed, most of the rest are default options, and I prefer to use the ‘Normal’ output type because my Bluetooth module is TTL.

You will also need to connect the pins of the BP to the module:


Now we need to set the BP to power the module:

Power supplies ON

The module’s LED should begin to blink. If it stays on steadily it means that the module is connected through Bluetooth to another device. If it is off, recheck the previous steps.


This sets the BP to listen to incoming serial data. If there is a stream of data that should not be, it usually means that the TX is not connected properly to the MISO pin or that the module is turned off.

To test the communication with the device, send “AT” to it with:

READ: 0x4F
READ: 0x4B

The AT command should return “OK” (O=0x4F, K=0x4B).
If this doesn’t happen, recheck the TX->MISO connection; the BAUD rate for the module may also be wrong. Try setting the BAUD rate to other values by redoing the mode setup.
Note: the ‘b’ command for the BP sets the BAUD rate for the PC side communication, not the module side.

Now comes the ‘problem’. Somewhere I read that the command to set/see the BAUD rate of the device was “AT+BAUD1”. This actually sets the BAUD rate to 1200. Great! The recommended setting is “AT+BAUD4”, which will set it to 9600.

Second problem. The Bluetooth module is kind of picky when sending a ‘complex’ command. “AT” should work at almost any place, “AT+…” will probably not.
As I showed above, sending “AT” will return “OK” but in hex, not as chars. When using “AT+BAUD4” or “AT+VERSION” (check the version), the hex numbers representing the string will be shown, and not characters, which is a pain.
Also, when sending and receiving data through other devices, the data will be shown as hex, which normally isn’t very practical.

You can run the BP in Macro mode.

0.Macro menu
1.Transparent bridge
2. Live monitor
3.Bridge with flow control

2 and 3 can only be used to read. Pressing a key exits the mode, so they are pretty useless for normal applications.
The ‘Transparent bridge’ mode connects you ‘directly’ to the module. In this mode you receive the characters normally, not in hex, but what you type is not echoed back to you AND every char is sent as you type it, not after you press enter. So while “A” and then “T” will work and you will receive “OK” as an answer, “A”, “T”, “+”, and then the command will not work, since apparently it takes too long for each char to reach the module, so the command is discarded and you don’t even receive the “OK” for the “AT” part.


New addition: Arduino

W00t! My new and only arduino just arrived!

Ordered it from eBay (HK, cough cough) instead of buying it here in Brazil. Obvious choice because it would cost me 62.6 USD instead of the 15 I paid.

I bought the Duemilanove, discovered later I should have bought the UNO, which has the ATmega8U2 instead of the FTDI to communicate via USB. This is better because the ATmega8U2 is programmable, so you could make it act as any USB device instead of just a virtual com.

Getting started is ridiculous, in ubuntu at least. Just download the arduino software available at, extract and run.

Select your board in Tools, and other minor configurations, paste the LED Tutorial (also available at the official site) onto the sketch and upload. There! Your first arduino code running! (Note that the 2009 already comes with a LED connected to the pin 13, no need to connect another.)

The interesting thing is, the USB-TTL used to program the arduino can be used to communicate with your code that’s running inside the arduino! When using this feature, the pins 0 and 1 (digital), which are named RX and TX respectively, are/can be used to connect a serial ttl device directly to the computer.

Why is this so nice? I bought a bluetooth TTL module which I plan to connect to the arduino and make it talk to android!


Further ramblings:
With the launch of the ADK (Open Accessory Development Kit for android, which is basically an arduino with various sensors) you can now connect it via usb to the android and do all sorts of stuff.

With a non-official ADK arduino, you must make use of the USB-Host shield and use the new lib.

First, ADK should be able to be host OR client, depending on the power source. Don’t know if the USB-Host shield supports this and/or the android device must be able to provide power via the usb interface. I should look into it… someday.

Second, the arduino UNO allows for USB device ‘emulation’. Is the USB-Host shield really needed or could the ATmega8U2 be programmed to act as an ADK device/proxy?



So, a new hope a new turn. I should be posting stuff about the arduino and what I’m trying to do with it in the not that near future.

Some other posts are coming along slowly, when I have the opportunity to write. Must stop procrastinating!


Compiling GnuRadio on RHEL5 (5.6 Tikanga)

Since my android phone is taking a trip to the central technical assistance, I have time to write about some other things.

I’m currently trying to get gnuradio running on a Redhat 5 x64 machine.

Since the machines where I work have a custom repo, which updates all of them concurrently, the objective of this tutorial is to install gnuradio with minimal interference from customized packages, which could cause dependency hell or other problems now or in the future…

If you don’t care for customized packages mayhem, I suggest taking a look at repository, which includes gnuradio and all its dependencies.

I’m compiling it onto my own account for now, will try to redistribute to the users in need of the software sometime.

Install via yum:

You need to get the following sources:

package (current version)
boost (1.46)

Extract all of them.


./configure --prefix=$HOME/swig_install/
make install


./ --with-libraries=thread,date_time,program_options --prefix=$HOME/boost_install/
./bjam install


env PATH=~/swig_install/bin/:$PATH ./configure --with-boost=$HOME/boost_install/ --prefix=$HOME/gnuradio_install/ LDFLAGS="-L$HOME/gnuradio_install/lib64/"
make install

Note: this throws an error when trying to install the python24 swig libs… Did not overcome those yet…
Obs.: the LDFLAGS="-L$HOME/gnuradio_install/lib64/" works around a bug in gnuradio’s make install, which tries to link to the lib without checking that it was installed to a custom prefix… ($HOME is used instead of ~ because the shell does not expand ~ after --prefix= or inside quotes.)

Testing the install:

env LD_LIBRARY_PATH=~/boost_install/lib/ ~/gnuradio_install/bin/gnuradio-config-info

Would have to test a compile using the libs…

Sorry, it was decided that the best would be to use a more upstream linux and we installed Fedora, so the installation was as complicated as running sudo yum install gnuradio-*.


Motorola XT300/Spice – More about bootable images

As described in the android source, the format of the boot images (boot.img and recovery.img) is simple.

The first 2048 bytes are the header, which contains information about the image.

Then comes the kernel, then the ramdisk, then optionally the second stage.

Since the image is divided into pages, between each of those code segments is a padding(of 0x00).

OF COURSE the images by motorola in the XT300 do NOT follow this standard.

The *_size and *_addr are different. I did not manage to understand those. The kernel is apparently compressed with gzip (search for the gzip magic 1f 8b 08 00), with a binary that handles the decompressing as a prefix to the code block.

The binary header code is probably the bootloader. As explained in another post, when erasing the boot partition, fastboot disappears and the device ends up unrecoverable from our point of view. Seems to be the same method used in the droid with the mbmloader, etc.

The biggest problem is that at the end of the image is the CERTIFICATE. YAY! The certificate is an encrypted section which stores a kind of checksum of the image, in other words a signature. The bootloader decrypts this checksum and then verifies it against the present image.

So, without being able to modify this checksum since it is encrypted by motorola, a custom boot image can’t be run. This sucks. Thanks Motorola…
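To see where a given image departs from the standard layout described above, the following sketch (an added example, not code from the original post) walks the header, computes the page-aligned section offsets, lists every gzip magic and reports how many bytes follow the last declared section, which is where an appended certificate would sit. It assumes the `boot_img_hdr` field order from the AOSP `bootimg.h`; the sample image is constructed for the demonstration and is not an XT300 dump.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
GZIP_MAGIC = bytes.fromhex("1f8b0800")      # the magic the post says to search for
HDR = struct.Struct("<8s10I16s512s32s")      # boot_img_hdr layout from AOSP bootimg.h


def parse_boot_image(img: bytes) -> dict:
    """Map a boot image: section offsets, gzip hits, bytes after the last section."""
    if len(img) < HDR.size or img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (bad magic or too short)")
    (_, k_size, _ka, r_size, _ra, s_size, _sa, _tags,
     page, _u0, _u1, name, cmdline, _id) = HDR.unpack_from(img)
    if page == 0 or page & (page - 1):
        raise ValueError(f"implausible page size {page}")

    sections, off = {}, page                  # the header occupies the first page
    for label, size in (("kernel", k_size), ("ramdisk", r_size), ("second", s_size)):
        if off + size > len(img):
            raise ValueError(f"{label} runs past the end of the file")
        sections[label] = (off, size)
        off += -(-size // page) * page        # each section is padded to whole pages

    gzip_hits, pos = [], img.find(GZIP_MAGIC)
    while pos != -1:
        gzip_hits.append(pos)
        pos = img.find(GZIP_MAGIC, pos + 1)

    return {
        "page_size": page,
        "sections": sections,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
        "gzip_offsets": gzip_hits,
        "trailing_bytes": len(img) - off,     # e.g. an appended vendor signature
    }


def make_sample() -> bytes:
    """Constructed image: 2048-byte pages, a stub before the gzip'd kernel, 256-byte trailer."""
    page = 2048
    kernel = b"\x90" * 100 + GZIP_MAGIC + b"K" * 3000
    ramdisk = GZIP_MAGIC + b"R" * 500
    hdr = HDR.pack(BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                   0, 0x10F00000, 0x10000100, page, 0, 0, b"sample", b"console=null", b"")

    def pad(b):
        return b + b"\0" * (-len(b) % page)

    return pad(hdr) + pad(kernel) + pad(ramdisk) + b"\xAA" * 256


if __name__ == "__main__":
    print(parse_boot_image(make_sample()))
```

A gzip offset that does not coincide with the start of the kernel section indicates a prefix in front of the compressed kernel, and a non-zero `trailing_bytes` indicates data appended after the standard sections.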

I made my certs available:

Sorry, I do not know which format they are in and hence how to show them as text with openssl. If someone finds out, please leave a comment.


Motorola XT300/Spice – Juicy Details

Note: This post will be updated on the go as I find new and juicier details about the spice.

Now, the juicier details about this phone and a small description of how android works.

Canadian build is SESLA_U3_01.53.1_R01 101112. (Moto_Version.01.53.101.XT300.Mobilicity.en.NA)

Brazilian build is SESLA_U3_01.44.4 101026.


(diff tells me a lot of the files in the two rom dumps differ, including system binaries)

Also the APN files (which specify network operator connectivity) are different, so using a phone/rom in the wrong country will have drawbacks (like connecting EDGE/GPRS/UMTS/etc).

Recovery Mode:

Power up pressing POWER+X until exclamation mark appears. Then Alt+L to go to the recovery menu.

Here you can wipe your phone, cache, flash an, run a command or just reboot to normal mode.

Since it’s a MOTOROLA (meh) stock recovery partition, it does not accept unofficial signed update.zips (AFAIK).

USB Fastboot:

Power up holding both volume buttons.

Now, these steps are based on a clean phone, just hard reset(or bought).

Fastboot is a protocol that enables direct maintenance actions from the PC through a USB cable. The greatness of this is that you can flash files directly from your computer.

When booting in fastboot mode, the following will appear:

USB FastBoot: V0.5
Machine ID: 1007002 v0
Build Date: Oct 26 2010, 17:31:11

MSM Id: 21
MSM Version: 2.0
Modem Build Id:76XXM-22220MSNCJOLYM
Serial Number: UNKNOWN

ptn 0 name='boot' start=297 len=56
ptn 1 name='system' start=353 len=1440
ptn 2 name='userdata' start=1793 len=1781
ptn 3 name='cdrom' start=3574 len=81
ptn 4 name='misc' start=3655 len=3
ptn 5 name='recovery' start=3658 len=44
ptn 6 name='cache' start=3702 len=320
ptn 7 name='fota_bbuf' start=4402 len=3
ptn 8 name='fota_usd' start=4025 len=3
ptn 9 name='fota_bua' start=4028 len=5
ptn 10 name='fota_ua' start=4033 len=5
ptn 11 name='fota_up' start=4038 len=48
ptn 12 name='kpanic' start=4086 len=3

Fastboot responds to the following getvar keys:

version: 0.5

product: XT300

I tried to boot several kernels/kernel+ramdisks/boot.img/recovery.img and all of them threw the error FAILED (remote: invalid boot image)

This appears to be a symptom of having a locked bootloader… thanks motorola!


It appears that this device does NOT have a locked bootloader (apparently Qualcomm chips do not have this problem). I was told this by #milestone-modding @


I can’t confirm whether the bootloader is really locked or not BUT I know that the recovery and boot partitions are signed, which means that they can’t be tampered with. No yummy custom image loading. It’s weird actually, I tried removing the certificate from the end of the image. Thus, the error ‘CANNOT READ BOOT IMAGE HEADER’ appears in the fastboot screen. But when I flash custom recovery images built with cyanogen it gets stuck at the motorola static logo (probably before the fastboot verification).

For the record, the partition list for the device is(/proc/mtd):

dev: size erasesize name
mtd0: 00700000 00020000 "boot"
mtd1: 0b400000 00020000 "system"
mtd2: 0dea0000 00020000 "userdata"
mtd3: 00a20000 00020000 "cdrom"
mtd4: 00060000 00020000 "misc"
mtd5: 00580000 00020000 "recovery"
mtd6: 02800000 00020000 "cache"
mtd7: 00060000 00020000 "fota_bbuf"
mtd8: 00060000 00020000 "fota_usd"
mtd9: 000a0000 00020000 "fota_bua"
mtd10: 000a0000 00020000 "fota_ua"
mtd11: 00600000 00020000 "fota_up"
mtd12: 00060000 00020000 "kpanic"
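The fastboot partition table and /proc/mtd describe the same flash from two sides, so they can be checked against each other. The sketch below is an added example, not part of the original post. It assumes that fastboot's start/len are counted in erase blocks (the erasesize column, 0x20000 here), which is consistent with every size in the two listings, and it uses four lines copied from each listing with the typographic quotes normalised.

```python
import re

PTN_RE = re.compile(r"^ptn (\d+) name='(\w+)' start=(\d+) len=(\d+)", re.M)
MTD_RE = re.compile(r'^mtd(\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"(\w+)"', re.M)

# Lines copied from the two listings in the post.
FASTBOOT = """\
ptn 5 name='recovery' start=3658 len=44
ptn 6 name='cache' start=3702 len=320
ptn 7 name='fota_bbuf' start=4402 len=3
ptn 8 name='fota_usd' start=4025 len=3
"""
PROC_MTD = """\
mtd5: 00580000 00020000 "recovery"
mtd6: 02800000 00020000 "cache"
mtd7: 00060000 00020000 "fota_bbuf"
mtd8: 00060000 00020000 "fota_usd"
"""


def cross_check(fastboot: str, proc_mtd: str) -> list:
    """Compare fastboot's block-based table with /proc/mtd's byte sizes."""
    mtd = {name: (int(size, 16), int(erase, 16))
           for _, size, erase, name in MTD_RE.findall(proc_mtd)}
    findings, expected_start = [], None
    for _, name, start, length in PTN_RE.findall(fastboot):
        start, length = int(start), int(length)
        if name not in mtd:
            findings.append(f"{name}: in fastboot table but not in /proc/mtd")
        else:
            size, erase = mtd[name]
            if length * erase != size:    # assumption: len is in erase blocks
                findings.append(f"{name}: len={length} blocks != {size:#x} bytes")
        # partitions are expected to follow each other without gaps or overlap
        if expected_start is not None and start != expected_start:
            findings.append(
                f"{name}: start={start}, previous partition ends at {expected_start}")
        expected_start = start + length
    return findings


if __name__ == "__main__":
    for line in cross_check(FASTBOOT, PROC_MTD):
        print(line)
```

On these lines all sizes agree, and the check reports fota_bbuf (start=4402 where cache ends at 4022) and, as a consequence, fota_usd.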

The /system/build.prop :

# begin build properties
# autogenerated by Oct 26 17:59:42 BRST 2010
# is obsolete; use ro.product.device
# Do not try to parse or .fingerprint 2.1-update1 SESLA_U3_01.44.4 101026 release-keys
# end build properties
# system.prop for surf
# Set appropriate display density
rild.libargs=-d /dev/smd0
android.keylayout.surf_keypad = /system/usr/keylayout/surf_keypad.kl
android.keychar.surf_keypad = /system/usr/keychars/surf_keypad.kcm
# Define the presence of minipad device
# IKSESAME-73 – Feature 33905 – Enabling software Opengl
# IKSESAME-73 – Feature 33905 – GridView in landscape mode
# IKSESAME-73 – Feature 33905 – flag for enabling VOD for VZW
# IKSESAME-497 – Advanced Photo Editor
# IKSESAME-73 – Feature 33905 – Multimedia permanent de blur for Camera, Media Gallery
# IKSESAME-497 – Advanced Video Editor
# IKSESAME-1689 – PT-CAN: Browser header is incomplete. X_WAP_PROFILE unavailable
# IKSESAME-2650 – Proximity sensor doesn’t work during a call sometime

The /system/default.prop : Nov 18 09:46:28 -0200 2010

Due to a request, here are some details from the About phone screen:

Revision number:0
Model number: XT300
Firmware version: 2.1-update1
Baseband version: A309_U3_01.44.4
Kernel version: 2.6.29 wmm125@zbr05lnxdroid #2
Build number: SESLA_U3_01.44.4

Here is the file list of /system/lib –

And the following is reported by Quadrant:

Vendor: Android
Renderer: Android
PixelFlinger 1.2
Version: OpenGL ES-CM 1.0

Where ‘renderer’ probably indicates that it is done by software, not by the adreno 200, which should be integrated in the MSM7225.

When something goes wrong with the boot, the device goes into mode 22b8:9002 Motorola PCS, which apparently is a MSM7225 flash interface. Could not find a driver for this in windows, using Motorola’s drivers and RSDlite…
Here is a link to the lsusb info:

Apparently the bootloader resides in the boot partition. Possibly similar to the milestone mbm/mbmloader.
Will check on this after my phone comes back from repair =/

Trying to restore a yaffed system image set me to bootloop. Will try to dump the partition manually, when I get my phone back.



Well, for some time now I’ve wanted to recreate the ‘Upside-Down-Ternet‘ from pete@ex-parrot (reference) but the process used squid to handle the proxying and I didn’t want to install and configure (even if it’s only basic config) squid.

So I was looking for an alternative. I knew that I could create a relatively simple proxy with perl or python and had started the code with perl, where I was using HTTP::Proxy and adding filters. The problem was that the proxy reported the content as chunked. And I found no way to undo this. I tried to add the complete filter, to just pass complete contents to my custom filter, but I wasn’t successful sending the modified image to the client. I even asked at perlmonks but no meaningful answer was left (only one answer at all, actually, by the time of this writing).

I started reading the source of an existing webproxy project in perl, which was implemented at a lower level. So I tried that. I created a web server and a lwp agent in my script, and connected the requests to the agent. It worked!

After some tinkering and threading the script I got something quite decent, but not very stable… Just good enough.


  • flips images(upside-down-ternet)
  • substitutes images for one image file
  • blurs images
  • runs a custom convert(imagemagick) command

The script is available here.

Note: I thought of setting as a sf project, but this script is so insignificant…and unstable… I have another proxy project going however, that may go into sf. Who knows…

Note2: If used as a prank, it is interesting to redirect automatically the traffic from another pc to yours and act as a proxy. The iptables part should be present in pete@ex-parrot. For the redirecting I’d use arpspoofing. Google it.
