Taking Apart the Monoprice 3G USB WiFi Router

Written 2013-07-28

Tags:GPL Ralink Teardown Wifi Bococom Linux Monoprice USB 

Today I take apart a Monoprice 3G USB WiFi Router. Actually, it is made by Bococom.


Front Case

If you flip it over, there are two screws under the feet.
Rear Case and Screws Exposed

It opens pretty easily, not sure if there were any plastic catches
Just sort of pops open

The CPU is a Ralink RT3050, which is also used on the Asus WL-330N3G. We also see some MXIC flash, and 32MB of EtronTech SD-DRAM. There's also a 4-pin, 3.3 volt console near the CPU.
PCB Front
PCB Rear

So the device is running u-boot, linux, and busybox. However, there is no reference of the GPL anywhere in the documentation. You can log into the shell, but it appears that every command is somehow blocked. It is possible to use tab-completion to explore the filesystem. Since I bought it, this unit has been discontinued by monoprice, and with the device out of production the chance of GPL source release is greatly diminished.

Modifying a Monoprice USB Wall Brick to Support DCP

Written 2013-07-20

Tags:Monoprice Charge USB DCP 


Monoprice sells a neat wall-brick that takes two sockets and provides three sockets and two USB charging sockets.
Converting a MonoPrice Wall Brick to USB DCP

However, it did not charge my phone, so I took it apart. The first step is to remove the center screw that normally attaches to the wall sockets. After that, there's a large number of plastic clips to deal with.
Converting a MonoPrice Wall Brick to USB DCP

Once the case is cracked all the way around, it opens up easily. The device has two separate sections - one for AC and one for USB. There is also a green LED that is driven directly from the 120 Volt input with a diode and a resistor. I cut it off because it was too bright for my bedroom.
Converting a MonoPrice Wall Brick to USB DCP

It appears the AC-DC conversion is done by first rectifying the AC into high voltage DC pulses, which are filtered through some larger capacitors. I think that the yellow box on the right is not a transformer, but is a giant coil used for the DC-DC conversion process to generate 5 Volts.
Converting a MonoPrice Wall Brick to USB DCP

Now to the task at hand - converting this charger to charge my phone. The USB interface is on a small daughterboard perpendicular to the AC-DC-DC converter board. It is fed 5 Volts by the headers in each corner. The two copper planes on the daughterboard are 5 Volt power and Ground. Following the 5 Volt, ground, and USB lines, we see that R19, R20, R21, R22, and R23 are resistors or at least resistor pads for the left-hand USB port. R15, R16, R17, R18, and R24 are the pads for the right side port.
Converting a MonoPrice Wall Brick to USB DCP

For USB-DCP, at most one resistor is required per port. This means that this charger is using some sort of weird proprietary charger. The ePanorama Blog confirms that this is an Apple compatible charger. However, Apple compatible chargers are incompatible with my phone, which requires either USB-DCP, or it must enumerate before charging. The solution is simple, remove the Apple resistors and bridge the data+ and data- lines yourself. I had a little trouble with a solder-bridge that I could not find, so instead of using R23 and R24, I soldered the data+ and data- lines directly, and cut the traces to the voltage divider network. And now my phone charges.
Converting a MonoPrice Wall Brick to USB DCP

ActionTec MegaPlug Teardown

Written 2013-07-20

Tags:Networking ActionTec Teardown MegaPlug PowerLine Ethernet 

I found some 85Mbps ActionTec to ethernet adapters at a yard sale for a few dollars. I've always been curious about these things. Here's what they look like:
ActionTec Plug TeardownActionTec Switch TeardownBack of ActionTec Plug

I'll start with the single ethernet port device. After removing the two screws, there's a pair of plastic fins you can see below. Just squeeze the case to get them loose.
Two plastic clippies

Once inside, we see a clear delineation between the powerline networking side, and the low-voltage and ethernet side. There's an INT5500 on the board, which is standard for the 85Mbps devices, along with some companion chips. Nonvolatile storage for the INT5500 is provided by the serial flash near the crystal. There is little public documentation on the INT5500, but it is more than a simple bus converter. The INT5500 can also communicate over ethernet. This is primarily used to configure encryption for the powerlink links, which is very useful if you live in an apartment or duplex. The AC fins are soldered directly to the PCB, so I did not take photos of the reverse of the board.
ActionTec Plug Teardown

Now on to the larger device. Pull the three screws. One is hidden under the sticker, and two are under the furthest feet.
ActionTec Switch Teardown

Once the screws are released, the whole case flips open like a clam. The front edge acts like a hinge. Once the top case is off, the board slides out easily.
ActionTec Switch Teardown

The front of the board is where all the good bits are. Backside photos are up on flickr too though. The same INT5500 chip and friends are present for powerline network conversion. In addition, the 4-port switch is provided by a Marvell 88e6060 6-port switch chip. The 88E6060 is designed for precisely these switching applications - it has 4 ethernet ports configured for external access and two ports that support RMII or MII interfaces for interfacing to a microcontroller.
ActionTec Switch Teardown

That about wraps it up. These units appear to work pretty well, but only if placed on the same half of the power lines. Usually AC power comes in to a house at 220 Volts that is generated by two opposite phases. These phases are split to make 110 Volt circuits for different parts of the house. However, I suspect that if you have a pair of utility sockets where your power comes in to the house, you may be able to place a powerline network adapter on each phase, and connect them with ethernet to ensure a good connection.

Adding USB tuning support to a Kenwood TS-680s

Written 2013-06-10

Tags:USB Ham Radio FTDI Kenwood Circuit Hack 

So, a few weeks ago I bought a ham radio. Kenwood made a series of these radios, TS-680, TS-680s, TS-140, and several others during the late 80s and early 90s. They're mostly solid-state with tube-based final amplifiers. However, there are a few niceties missing that are available on current radios. These include the lack of a simple computer-control port.

Kenwood did add a small expansion slot though, that can hold a card called an IF-10C. The IF-10C consists of an 8251 USART configured asynchronously, a clock generator and divider circuit, and some inverters. This must be coupled with an IF-232 device that sits outside the radio and converts the inverted logic back and then level shifts it to normal RS-232 levels. Finally, you need another device - a USB to serial adapter to connect to a legacy-free PC. Lastly, Kenwood doesn't sell the IF-10C any more, and they are around $80 used. I can do better.

Over the last week, my TS-680s has been flipped on its back, Z80 CPU bus wired into a breadboard. Instead of wiring up a USART and level-shifter, a faster and more direct solution is to use an FTDI USB FIFO like the FT245R. However, the FT245R is not a direct replacement for the 8251 CPU interface - some external logic is required. Here's what the control lines look like when just combining the read and chip-select lines, along with the write and chip-select lines.

FTDI8251

Here's what happens:

  • The RXF line goes low to signal that there is a byte available.
  • Nearly 40 microseconds later, the Z80 responds to the interrupt, chip-selects the UART, and reads a byte from the FIFO, clearing the RXF event
  • The Z80 reconfigures the 8251 interface for command/status mode, and reads the status register. It is important to note that the Z80 bus uses pull-up resistors.
  • Due to the lack of a status register, the Z80 sees the following: Framing error, break signal, parity error, and overrun error.
  • Due to the error condition, the Z80 sends the following bytes to the UART, a byte with the reset bit set, a mode-configuration byte, and a command-byte to enable the UART
  • Due to the error and break signals, the Z80 ignores input

So it appears that an emulated status register is also required. The proper solution would be to use a tri-state buffer, but one can also take advantage of the bus pull-ups by using simple NPN transistors to pull the lines low when needed.

And after adding the transistors, here's what happens:

fifo_working

And now the radio responds with IF00014249290, which is the current frequency, and some additional status text.

Modifying a USB-CLA to support DCP

Written 2013-02-21

Tags:USB CLA 

Today I was on the highway for about three hours, trying to travel about 15 miles. While waiting for the road to clear up, I tried to charge my phone with a cigarette lighter adapter(CLA) to USB port I had purchased some time ago, but had never used - my phone refused to charge.

The device contained a few capacitors, a coil, and what appeared to be a switching regulator. When I traced the USB data pins on the PCB, I found two pull-down resistors. Each data line pulled low with a 15kOhm resistor is the normal configuration for a USB1.1 host.

My phone will charge from a PC USB port or from a USB dedicated charge port(like the wall-wart that comes with most phones, D+ and D- shorted together). However, if the host port is configured for communication, and the phone cannot enumerate, then it will not charge.

The fix for this ended up being very simple. After reassembling the CLA, I tore a gum wrapper down to a rectangle about 2.5 USB pins wide. This gum wrapper, inserted conductive-side towards D+ and D- of my USB cable, convinced my phone that the CLA was a real USB-DCP, and I was finally able to charge it.

Older