Post a video on YouTube and it will be featured here!
Do you have a brand new device you want me to hack?
Send it to me!
Are you producing a device and want me to check it's security?
Send me an email!
As of now more than 3500 people unlocked Huawei E585, E5830,
E5832S, E583C and HW-01C successfully!





Monday, March 23, 2009

Powerline Ethernet fun and secrets.

Many 200 Mb/s powerline adapters nowadays are based on the INTELLON 6300 chipset.
Despite what can be thought looking at them, they are all using the same hardware and firmwares.
I heard many people with Netgear XAV101 or Linksys PLK 200 or PLE 200 having problems after firmware updates and many other people with other brands having much more problems because of lack of support or configuration/upgrade utilities.

So let me explain a few things I learnt studying them.

Many of 200 Mb/s powerline ethernet adapters follow the "HomePlug AV" standard. (85 Mb adapters use HomePlug 1.0 standard which is completely different).
This standard uses ethernet broadcast packets using the HomePlug AV protocol.

The interesting thing is that their firmware is made of two different parts:
a .PIB file (Parameter Information Block) and a .NVM file (the code itself).
In the P.I.B. there are many interesting things:
The branding (mac address, device name, etc) and the tone map.

I tested many firmwares and many PIBs and benchmarked them.
The best one so far was 3.0.5.2 you can find here.
You can download the setup and upgrade utility from here.
(no matter what powerline adapter you have if it's INT6300 based)

Something you may not know:
there is no actual difference between the adapter without the security button and the ones that feature it.
Since the have no such button (if you open them you can easily solder one inside it) they tell you they can only be paired as they are sold, but that's a lie.
The button press can also be simulated using the utility, so you can make a big network also with units that don't have the button.

For your information, a total of 15 units can be connected in the same house.

For the braves and people who know what they are doing I finally found the
complete device manager from intellon.
This utility works with firmwares up to 3.0 and can be very useful and very dangerous.

With 'device manager' you can fully customize the powerline adapter and even dump and modify the tonemap!
The tonemap is a list of attenuations, one per carrier, so the adapter can comply with emission rules of any country and can support longer cables, worst conditions, best conditions, etc.

I made a few 'real world' speed tests using wget and a single ftp session on my lan.
Here are the results:

Direct ethernet connection (100 Mb/s): 11.25Mb/s
Connection with 2 adapters on the same wall socket: 4.20 Mb/s - 4.40 Mb/s
Connection with 2 adapters on opposite sides of my house: 3.24 Mb/s

Note
When they say 200 Mb they are meaning RX+TX RAW DATA rate.
During the ftp transfer I was, as a matter of fact, reading these values on the adapter diagnostic interface:

120 / 80 (raw)
90 / 60 (coded)

Caveat
For the best results, all your powerline adapters in your network
must have the same firmware version and the same PIB.

Mods
Testing, I uploaded different tone maps and a few custom ones.
I achieved 5 Mb/s - 5.3 Mb/s with 2 adapters close to each other but the speed
went down to 2.24 Mb/s when they were distant from each other.
The best PIB so far I tested was the "ClassB" one but this may differ in your country or in your house.

Warning
With firmwares above version 3.0, the device manager works in a reduced feature set.
Be careful on what you do.
They can anyhow be downgraded if needed to 3.0.5.2 and reupgraded as many times as you want. Don't ever take them off the power outlet for a minute during and after the firmware upgrade or you will brick them in a non recoverable way!

Now some firmwares:

Version   Date      Comment

1.4.5.4 2007/02/26
2.0.5.2 2007/05/31
3.0.3.1 2007/??/?? Found on Pirelli/Onda adapters
3.0.4.2 2007/08/07
3.0.5.2 2007/08/16 Fully supported by device manager
3.3.0.5 2008/06/06 Tested
3.3.4.8 2008/08/08 Tested
4.1.0.0 2009/09/03 Untested
4.1.1.1 2009/10/01 Untested
4.1.2.0 2009/09/12 Untested
4.2.0.0 2011/05/04 Untested
4.4.0.2 2010/03/11 Untested (latest so far)
Utility for firmware update (Supports all windows versions):
Download

A very interesting document (for very skilled people):
Download

Device manager for 4.x FW:
Download


Linux configuration utility:
Download