Unbricking a Vivifi - Just add cable.

When I bricked my Vivifi by enabling bridged mode, I immediately realised the sensible thing to do would be to send it back for a service; with the right story they'd probably even send a straight-out replacement device.

Luckily for the internet, I am not and nor have I ever been sensible.

My first "hit" while researching a solution was this article: http://hackspot.net/iSpotBlog/?p=11

While Paul's teardown deals with an iSpot device, the Vivifi is internally no different to the iSpot, both are re-branded IMW-C600W-series devices from the Korean manufacturer Infomark. Indeed quite a few telco's around the world are rebranding this device as their own, so this blog should more rightly be called "Unbricking a slightly modified IMW-C600W-series blablabla..."

In any case, the first drama I hit was that I don't have a serial port anywhere in my house. But no problem right, RS-232 can easily be converted to USB, and those FTDI chips even support multiple voltage levels, so the 3.3v requirement of the TTL connection to the Vivifi should ordinarily be no problem.

But the second drama I hit was that it was the weekend, small robotics stores were closed and the larger electronics parts stores in the area (the ones that actually stocked the necessary components) only wanted to deal with bulk clients. Can you imagine walking into a huge warehouse with forklifts zipping around and asking the foreman (pissed off because he has to work a Saturday afternoon) for a single FTDI USB to Serial chip and a breadboard, and hmm a couple of lengths of wire? I could, and the imaginary me felt very silly indeed.

So it was either wait, or keep looking for a solution. That's when, thankfully, I stumbled on the DKU-5 tutorial by Neo at http://www.neolics.com/pdfs/dku-5.pdf

All of a sudden, the two resources fused in my mind, and that's when I realised both hacks could be combined to make an Uber-Vivifi-of-Doom (tm).


Obviously this has voided my warranty (as per Vivid's terms and conditions outlined at http://www.vividwireless.com.au/broadband-phone-terms-and-conditions), so if you're following on and also thinking "hmmmm, I should do this", realise that this is a risk you need to be willing to take for the sake of education and a slight electronic challenge. Also, there were a couple of situations where I almost completely destroyed the device and had to spend a few hours cleaning up after a second of carelessness (vodka and electronics don't mix), so be warned.

Now that's out of the way, lets get hold of the key ingredient...

The Cable (tm)

The first challenge was of course obtaining the required cable. I finally found one, the CA-42 variety, at a local mall (a small booth called SkyTech in the Garden City shopping center, Perth). The bigger stores were quite rude when I asked for a data cable (I guess they get their commission from contract sales). Of course, I understand why everyone thought I was crazy when I said what I needed the cable for. So it might be easier next time not to do that, and somehow get hold of the actual phone so as not to appear out of place. Or at least remember the name of one of the compatible phones.

Here is the cable alongside the Vivifi:

A gotcha with the cable is that you need a CA-42 / DKU-5 type cable as these contain the circuitry for translating between USB and Serial connections. Later phones have in-built USB support so the cables naturally dropped serial conversion from their repertoire.

Once I had the cable, I had to tear it down (since someone stole my multimeter). I did this in order to find the order of the pins, and which colored cable went where.

I guess this also voids the warranty on the cable, so yeah, redundant warnings & such.

After tracing each cable color to its pin, I needed to find which logical function the pin-outs served, at which point http://pinouts.ru came to the rescue: http://pinouts.ru/CellularPhonesCables/nokia_dku-5_cable_pinout.shtml

I found in my case (you better check for yourself however) that:
Blue = RX
Red = TX
Orange = GND

Sadly, there doesn't seem to be any standard in these matters, so you are wise to check the color-to-pin mappings yourself.

The Software

Since I was using the computer at this point anyway, I took the opportunity to install the drivers for the cable. I'd suggest manually getting the driver, since Windows 7 automatically installed an older one for me. I found the driver at http://www.prolific.com.tw/eng/downloads.asp?id=31

You'll also want to download a terminal application that supports serial connections, unless you have one already. Windows XP has Hyper Terminal already installed. I personally use Putty, since it's an excellent all round piece of software.

Vivisection & Reassembly

The hackspot blog I mentioned at the start does a pretty good job of explaining how to tear down an iSpot / Vivifi, and really if you're taking on this challenge it should be self-evident to you based on experience, so instead of a long winded explanation, here's some work-in-progress pictures for you:

That was fun! And easy too!

So now we get to the tricky part - soldering all the right bits together. Having the proper gear for this step will make all the difference between destroying your device or successfully completing this step within a few minutes.

Again, final warning, if you are not confident with electronics or don't want to break your warranty, stop right now unless you're willing to potentially waste the cost of a new Vivifi. You could probably still put it all back together and send it back for a replacement at this point, but not if you continue...

As per the Paul's hackspot.com blog, you need to bridge the "0 Ohm resistors" then connect your RX, TX and GND cables from the cable to the appropriate pins on the Vivifi. I've circled the "resistors" here, for reference purposes.

These both need to be bridged vertically. Be careful, if you screw up the pads it's very difficult to continue onwards. A soldering iron that is too hot will pretty much immediately suck the solder off these so be warned.

Also, before you solder across these, just double check to make sure that the foam block didn't leave behind its double sided tape. It did on mine, so watch out for this:

After the resistors are bridged (which, by the way, if you flip the board you can see they correspond directly to the TX and RX pins on the header), it's time to solder the wires onto the header strip.

Taking the square pin as pin 1, the following details I lifted from Paul's blog are:

  • Pin 4 – GND
  • Pin 11 – UART TX (output of iSpot CPU’s serial port - to PC)
  • Pin 12 – UART RX (input to iSpot CPU’s serial port – from PC)

Here's a handy image reference for where to solder each wire:

If you succeed, you'll have something that looks kind of like the following.

If you're observant you will note the wires coming from the top of the board. I messed up the pads so had to solder directly on the exposed wires after excavating away some un-needed PCB layers. Note to self, get some real soldering gear.

The next step is to make it look pretty (and hide all the horrible hack-work inside a nice shiny case). I found the usb connector end was a good place to hang the cable out. The compression of the top of the case seems to hold the cable nicely in place too, once a small hole is filed for it. This should reduce the risk of accidental tugs tearing the fragile solder from the PCB. Here's the result:

Stop that Boot-Script!

Connect your newly-wired Vivifi (make sure it's off at this point), and go to your device manager to find which COM port has been configured. Then using your favorite program (I like Putty), connect to that port with 115200 baud, 8 data bits, 1 stop bit, no parity and no flow control.

Now, turn on the Vivifi. If everything is working, you'll see writing coming up on the screen. If not, go back over everything until it works (or you give up and decide to go and find something that will make you drunk in a hurry instead. Danger Will Robinson! Danger!).

If you're still here, I'll assume everything worked. If you let the boot sequence run to its full extent, you'll notice it ends at a password prompt. We don't have a password for this yet, and I doubt Vivid will give it away. So what we want to do is interrupt the boot sequence. To do this, you have about 1 second to furiously hit control-c when the modem is first switched on or reset. If you miss this narrow window of opportunity, you'll have to reset and try again. When you succeed in interrupting the boot, you'll get into a RedBoot prompt, which looks sorta like this:

To see what we can get up to in here, use"help" to see the available commands:

You can also use "help [command]" for further information on some of the commands.

Yeah I know, too many warnings already. But pay attention, it's very possible to completely erase your flash from here. If you really do want to play around I suggest you read the RedBoot User's Guide first, over at http://ecos.sourceware.org/docs-latest/redboot/redboot-guide.html

The command "fis list" will show you the available firmware images, and "fis select" shows which one has the highest value and therefore is used for boot. Hackspot comes to the rescue again, telling us all about the dual images setup the device uses, if you're interested: http://hackspot.net/iSpotBlog/?p=154

Here are the images on my device, plus the output of "fis select", showing which is in use:

Now the problem I was having was that my Vivifi was bricked and wouldn't let me do a firmware reset. Since this is obviously an OS configuration error, I was determined to find a way to log into Linux and play around in there. Thankfully, I was able to use the "fconfig -l" (l for Larry, not capital I for Irene, damn fonts), which showed the current boot script:

I manually executed each of those boot script commands, with one notable difference. I added the "single" switch to the end of the exec command, which resulted in Linux being booted in single-user login mode, bypassing the request for a password:

And so I gained access to Linux.

Linuxy goodness

Yes, within its crispy shell, the Vivifi houses a soft, creamy Linux prompt. A quick list of the /bin directory shows the available programs, if you feel like poking around (not that there's much that interests me, other than getting the device back to factory settings):

Execute the Factory Reset

Ah, there it is, the command I was looking for. Execute "system_program f_reset" to force a firmware reset. The program seems to reset all the system settings including the access password to default. Then you must reboot your Vivifi once the command has finished executing and wait for the device to download and re-flash the firmware for you. This only takes a minute or two, after which you will have a factory-clean Vivifi (with any luck).

Handy time-saving tip #239:

You can change the root login password so you don't need to mess around with RedBoot in order to access the Linux shell. Just be aware that the factory reset wipes the password back to the default value.

Wrap up

And there you have it. One un-bricked Vivifi. Plus a console terminal in case one is ever needed (such as for future un-bricking?).

Granted, this took "A few more steps" than packing it in the mail, paying postage and waiting a few days for a replacement. Also it voided my warranty. But it was definitely educational and managed to kill an otherwise uneventful weekend.

In any case, I'm putting this on the net for posterity, and maybe someone one day who's as mad as I am will actually find something useful in here...