Post a video on YouTube and it will be featured here!
Do you have a brand new device you want me to hack?
Send it to me!
Are you producing a device and want me to check it's security?
Send me an email!
As of now more than 3500 people unlocked Huawei E585, E5830,
E5832S, E583C and HW-01C successfully!

Tuesday, December 15, 2009

Chrome+YouTube=ZiTube ! :)

Image and video hosting by TinyPic

Hello again!
As you can see from the image above I coded a simple
extension for Chrome.
After installing the extension from HERE you will have
more fun and freedom on youtube.
I know there are many extensions and script around,
but, believe it or not, this extension is made
of only 7 lines of javascript (for now).
It also grabs the download URL in a very different way.
As of now, this script won't work if you enabled the "feather"
option on youtube, but I keep updating the extension, so it will.
Feel free to leave me a feedback and any suggestion.

Have fun,

Friday, December 11, 2009

Native TomTom for Windows & Mac!

Many of you are surely familiar with the image above, but if you inspect the image carefully you will notice something 'weird'...

Yep! No tricks.
This image is 960x544 (without the footer with the buttons). How did that happen?! :)
Well this "TomTom" is running natively under windows. I know, there's no such a thing.
And NO, it's not windows emulating something that is running tomtom! Thrilled?
Many people think that the application TomTomHOME connects to the device and "somehow" runs the software in there...
TTHome uses a DLL which is,
as a matter of fact, the FULL TomTom navcore application compiled for windows and mac!
So, I modified the TTHome application to get the coordinates from a GPS! As simple as that!
All that is needed is the tomtom application and your original tomtom SD card containing maps and firmware (which is checked but not used).
The image above is a cropped screenshot of my PC with just my sdcard in my cardreader.
Obviously this works with any 'simulated' navcore version (dll). The only drawback is that as you may have noticed in TTHome,
the emulated device is a bit slow because it doesn't use your graphic card, but your CPU.
By the way, the output resolution is limited by your monitor and will...
As of now there is still much to do but it's a start.

Stay tuned for more to come!


Friday, November 6, 2009

Obfuscation will never work.

Hello again, sweet readers !

OpenRG is an embedded OS for routers.
It's based on Linux and it's inside many ISP
routers out there.

Inside OpenRG configuration file,
passwords appear in a way that can seem
to be crypted, but it's just obfuscated.

For example:

Above you can see a simple deobfuscator.

You can try it with:



Thursday, September 24, 2009

Success! :)

Serial Output

I successfully connected the

Uncle Milton's Force Trainer

to my PC..

It was easier than expected.

Here's a sample interface, but

you can also use a cellular cable like the CA-42

And connect it to RX,TX and GND on the base.

Sample TTL/RS232 interface

The serial speed is 57600 8N1 and the data stream

is pretty easy to understand.

I also (lousily) coded a sample application

which gives the two brain 'parameters' the headset

sends to the main game station.


In the above example I was focusing

on a particular thought very intensely.


In this other example I was relaxing

and focusing on my breath with my eyes closed.

Stay tuned for more about this!

Saturday, September 19, 2009

May the force be with you :)

Yes.. I bought this game.
Fun aside, both the headset
both the base have a nice JTAG port
and maybe a serial interface.
I got it this morning and I just started
inspecting the devices.
They communicate on 2.478 and 2.408 Ghz frequencies
it's not bluetooth but a normal serial over
the air. If you are curious like me,
the FCC site has FULL documentation
and pictures of the inside.
You will find them under these
FCC IDs: XCY150511UMI2009 and XCY150512UMI2009.
I'll keep you posted.

The 'unknown' chip on the base
you can't see on FCC site is a PIC16F727 44 pin.
The other 'blank' chip on the headset
is a PIC16F722 28 pin.

Thursday, August 20, 2009

Hidden things are usually the best :)

Well, what to say? The best feature I've seen
in blackberry phones is hidden!
Let's unhide it!
On 8900 and 9000 (for example)
press ALT+CAP+H.
You will get to the "Help Me!" screen.
That screen is not really what you think
it is. It's a crippled engineering screen.
How to uncripple it?
Enter on the above form
the data you see on your 'crippled' screen.
For App Version you must include
the space and parethesis.
For Uptime, just enter the number.
After filling all the form, you'll
get your key.
To enter it just press the keys.
(You won't see anything)
Use ALT for numbers and
normal keys for the characters.
To enter C8, for example, you
will have to type: c then ALT+x
As soon as you have entered all 8
characters you will see the above
screen every time you will
press ALT+CAP+H
Stay tuned,

Wednesday, August 12, 2009


When I heard the new blackberry 8900 was
'difficult to unlock' I got curious.
The BB security is nothing compared to the iPhone's.
Do you want to laugh?
I initially thought this unit had a defective display..
do you see that strange stripe of dotted vertical lines?
Well.. putting a ruined image as the default background
is a really nice joke... RIM, you got me on this.
If anyone else have "secure" devices for me to test,
you're welcome to send them in ;)
Happy holidays,

Tuesday, July 21, 2009

Qualcomm chips insecurity.

Since I can't be too far from phones and alikes,
I started studying Qualcomm chips.
These chips are included in a LOT of data cards
and MANY phones (blackberry,
android based phones, etc)
Well Security on these chips (all of them)
is ridiculous compared to competitors.
Now, let me tell you one thing:
I found a way to know the unlock code
(SP lock, sim lock, network lock, whatever)
directly from the card with a simple procedure.
For now I won't spread this information.
I will wait sometime and give time to
qualcomm or any company producing
phones or cards based on qualcomm chips
to contact me.
If you want to contact me,
you can write your message and
contact as a comment to this post.

Monday, June 29, 2009

He's growing...and learning... :)


Sunday, June 21, 2009

A shell script..

wget "" -q -O -|grep iPod|grep ipsw|cut -d ">" -f 2|cut -d "<" -f 1|sort -u|grep Protect


Friday, May 15, 2009


Monday, May 4, 2009


Jailbreaking consequences
I kept this image for a long time know, but I knew
I would have used it for a post sooner or later.
Finally developers fought back piracy of iPhone apps:
with a simple yet effective method they are securing
their apps so that if you crack them (any of them) your iPhone will be blacklisted.
As a bonus, any developer can choose not to allow anyone who cracked ANY app to run theirs.
To get deleted from the blacklist, fairly enough, you have to buy all cracked apps.
As I already told you, I stopped developing ZiPhone when I noticed the MAIN reason the most of you used it was to install cracked applications.
In short:
I am the one who allowed you to use the iPhone worldwide when that wasn't possible.
The "others" are the ones allowing you to run cracked apps.
And stop bragging about "freedom" since the "alternate" download services are now just a hypocritical way to circumvent the AppStore.
In a single word: black market.
To Apple:
learn from developers: it's time you implement the same mechanism
and stop this theft. Developers need to be rewarded for their work and for offering very cheap apps that contribute to make your product one of the best seen so far.

Monday, March 23, 2009

Powerline Ethernet fun and secrets.

Many 200 Mb/s powerline adapters nowadays are based on the INTELLON 6300 chipset.
Despite what can be thought looking at them, they are all using the same hardware and firmwares.
I heard many people with Netgear XAV101 or Linksys PLK 200 or PLE 200 having problems after firmware updates and many other people with other brands having much more problems because of lack of support or configuration/upgrade utilities.

So let me explain a few things I learnt studying them.

Many of 200 Mb/s powerline ethernet adapters follow the "HomePlug AV" standard. (85 Mb adapters use HomePlug 1.0 standard which is completely different).
This standard uses ethernet broadcast packets using the HomePlug AV protocol.

The interesting thing is that their firmware is made of two different parts:
a .PIB file (Parameter Information Block) and a .NVM file (the code itself).
In the P.I.B. there are many interesting things:
The branding (mac address, device name, etc) and the tone map.

I tested many firmwares and many PIBs and benchmarked them.
The best one so far was you can find here.
You can download the setup and upgrade utility from here.
(no matter what powerline adapter you have if it's INT6300 based)

Something you may not know:
there is no actual difference between the adapter without the security button and the ones that feature it.
Since the have no such button (if you open them you can easily solder one inside it) they tell you they can only be paired as they are sold, but that's a lie.
The button press can also be simulated using the utility, so you can make a big network also with units that don't have the button.

For your information, a total of 15 units can be connected in the same house.

For the braves and people who know what they are doing I finally found the
complete device manager from intellon.
This utility works with firmwares up to 3.0 and can be very useful and very dangerous.

With 'device manager' you can fully customize the powerline adapter and even dump and modify the tonemap!
The tonemap is a list of attenuations, one per carrier, so the adapter can comply with emission rules of any country and can support longer cables, worst conditions, best conditions, etc.

I made a few 'real world' speed tests using wget and a single ftp session on my lan.
Here are the results:

Direct ethernet connection (100 Mb/s): 11.25Mb/s
Connection with 2 adapters on the same wall socket: 4.20 Mb/s - 4.40 Mb/s
Connection with 2 adapters on opposite sides of my house: 3.24 Mb/s

When they say 200 Mb they are meaning RX+TX RAW DATA rate.
During the ftp transfer I was, as a matter of fact, reading these values on the adapter diagnostic interface:

120 / 80 (raw)
90 / 60 (coded)

For the best results, all your powerline adapters in your network
must have the same firmware version and the same PIB.

Testing, I uploaded different tone maps and a few custom ones.
I achieved 5 Mb/s - 5.3 Mb/s with 2 adapters close to each other but the speed
went down to 2.24 Mb/s when they were distant from each other.
The best PIB so far I tested was the "ClassB" one but this may differ in your country or in your house.

With firmwares above version 3.0, the device manager works in a reduced feature set.
Be careful on what you do.
They can anyhow be downgraded if needed to and reupgraded as many times as you want. Don't ever take them off the power outlet for a minute during and after the firmware upgrade or you will brick them in a non recoverable way!

Now some firmwares:

Version   Date      Comment 2007/02/26 2007/05/31 2007/??/?? Found on Pirelli/Onda adapters 2007/08/07 2007/08/16 Fully supported by device manager 2008/06/06 Tested 2008/08/08 Tested 2009/09/03 Untested 2009/10/01 Untested 2009/09/12 Untested 2011/05/04 Untested 2010/03/11 Untested 

Latest firmware is 4.40.05. You can found it on latest Devolo Mini D200 firmware archive.
(available here:
Just unzip the exe, and you'll found a .scm file which his the actual firmware.

Utility for firmware update (Supports all windows versions):

A very interesting document (for very skilled people):

Device manager for 4.x FW:

Linux configuration utility:

Friday, February 27, 2009

Unleash your ADSL horses!

Hello! I just made a discovery I want to share with you:
As a few of you may know, on broadcom based adsl modems/routers there is a command line utility which allows to tweak the adsl physical connection.
This command is adslctl and accepts many parameters.
One of them is SNR which is used to force a lower (or higher) SNR.
On the information page you will see that there is a maximum speed achievable on your own line due to noise, distance and quality and then you read the actual connection speed.
An example:
Max(Kbps): 18420 1027
Rate (Kbps): 17972 1013
If you issue the command
adslctl configure --snr 1
You are telling the modem to set the minimum SNR
(it may not give you any performance improves on a very noisy line)
thus allowing the modem to 'hook' at higher speed.
Since my line performed very well with snr=1 I wondered if it could be possible to lower the snr below 1. Then I thought that the variable used in the code is a signed WORD so
since a negative value is not possible why not trying an overflow ?
adslctl configure --snr 65440
This corresponds to -106 and it proved to be the best value on my line.
Now my connection details are:
Max(Kbps): 17740 1027
Rate (Kbps): 22237 1027
Yes! You read it right!
You can try values from 65400 to 65500.
Don't push the lower or the line will be so noisy that the remote dslam will degradate it's connection parameters and it will take long to come back to normal without a dslam reset!
Some stats:
Completed 698.82 M
Total Time 00:05:16
Average Speed 2264.53 KB/s
$ wget -O /dev/null
Length: 13,477,400 (13M) [text/plain]
100%[====================================>] 13,477,400 2.25M/s ETA 00:00

Sunday, February 1, 2009

Microsoft suicidal? :)

Well, see for yourself!
Isn't this a MacBookPro?
Believe it or not this was captured from a
MicroSoft commercial for SongSmith.
SongSmith is the Microsoft way to try
to destroy the music industry :)
Oh by the way,
get a HEX editor and search for:
20 60 54 00 00
inside SongSmith.exe
change it to:
20 FF FF FF 7F
(6 occurences)
You will have a lifetime trial time :D
(Product security must be revised)
To get rid of the annoying
splash screen search for:
2D 5B 14 73 27 02 00 06
and change 2D into 2C.

Saturday, January 31, 2009

Google: Hack or Bug ?

For a few minutes GOOGLE today
suffered of a denial of service.
Every search was redirected to a page
stating that the site (ANY!) could harm your computer.
Was this a stupid glitch/bug or a hack ?
Lucky for them it's Saturday and stock exchange is closed.
I wonder what will happen on monday.

Sunday, January 25, 2009

Knight Rider phone...

What's this ?
The UI looks like the iPhone's..
The phone doesn't.
(Spotted in episode 12 of first season)

Thursday, January 22, 2009

Nostalgy :,)

I'm a nostalgic, I know.
Since David changed the layout of the old site.
Here you have a backup of the original ZiPhone site.
Not much of fun, but much better than google cache :)

The new address is:


Wednesday, January 14, 2009

R.I.P. Ricardo Montalban

Monday, January 12, 2009

New playlist...

I'm setting up a new playlist..
Let me know what you think about it..
And enjoy!