Exploring two different battery wifi hubs

Fundamentals

I recently decided to get a multipurpose device. They can do all this:

  • Large battery to recharge other devices over USB (eg your phone and tablet)

  • Provide wifi access to a network in front of it

    A wifi network is provided behind the device with a name and password of your choosing. You connect one or more of your devices to that.

    In front of it you can have no network at all, a wifi network (unrelated to the one behind), or a wired ethernet network. You do have to configure access to the network, but only for this device. Your devices are behind it blissfully ignorant of the real network.

  • Exports attached storage (eg USB stick, USB hard drive, sdcard) via both SMB (aka "Windows network file sharing" supported by virtually everything these days) and DLNA (a multimedia network protocol, supported by many although the Apple ecosystem prefers "iTunes")

    On Android and desktop systems, you'll find that Kodi works for both SMB and DLNA, as does Android ES File Explorer (SMB only).

  • They are cheap ($40 - $60 depending on battery capacity)

  • Can run completely off the battery so no additional power is needed. They will run for many hours. They will also run while being charged.

  • Similar in size to a pack of cards

  • They use popular standards - eg they charge using standard micro-USB, provide power for devices with standard USB port, use existing filesystems, standard protocols etc. There is no need to carry different cables or chargers, and any software speaking SMB or DLNA works.

After some agonizing over Amazon reviews, and reading the manuals, I ended up with two.

/galleries/From%20Posts/battwifi.jpg

The left red one is a HT-TM05 TripMate Versatile Wireless N Travel Router (Amazon page) although the packaging and internal names say Tripmate Sith. The right white one is a RAVPower RP-WD02 Wireless Filehub / Portable Travel Router (Amazon page). They are sold by the same company, and the underlying products are substantially similar except for the hardware layout.

How they do all this turns out to be quite simple. The battery provides power, and there is a small Linux based computer attached. It is running a MIPS based processor (the manuals even tell you the exact manufacturer and model number), 32MB of RAM, and 8MB of builtin storage for their software. For some reason MIPS cores seem very popular in network access devices - if you have a box at home from the likes of Linksys, DLink, Netgear etc, it is almost certainly using MIPS.

Praise

They fundamentally do what they say. Both RAVPower and Hootoo provide Android and iOS apps to help access and configure the devices. However neither requires it and you can do all the configuration work in a web browser by going to the device address (default 10.10.10.254). It looks like the apps are really just some logic to find the device on the network, and then show the admin pages in a WebView. Note that I have never tried the apps.

Each device has some nice highlights the other doesn't. (If only someone made something combining the best of both.) The Hootoo has some lights on top to see battery level (they only light when you press the button as I did before taking the photo). The RAVPower has a micro-sdcard slot. The Hootoo can stand up. The RAVPower has a label giving default username, passwords and IP address. The Hootoo web admin pages are nicer, simpler and mobile optimised. The RAVPower ones tell me the device's external IP address. The Hootoo's lights go on or off in sequence during power on and power off so you have progress feedback.

As a test I left the HT-TM05 10,400mAh device on and connected to the wifi network. I didn't have anything connected to it, so this is a measure of the longest it can continuously run. After 45 hours (3 hours short of two full days) it had dropped to one battery led (out of four), and I decided to recharge it rather than deplete the battery completely. That is an impressive runtime. The RTP-WD02 has a 6,000mAh battery so you would expect a proportionate maximum runtime around 28 hours.

Suggested Improvements

The RAVPower has ports on 3 sides, which can lead to cables sticking out in all directions. The Hootoo is nicer with ports on two sides next to each other. Sadly the micro-USB for charging is right next to the USB for connecting storage. If the cables connecting either are anything but skinny heads then you can't have both connected. If you use an sdcard reader on the Hootoo then it will overlap the charging port. You get a choice of too dense ports (Hootoo) or not dense enough (RAVPower).

Hootoo really should have a builtin sdcard reader.

The web admin UIs have no help. When you want to safely remove attached storage, you'll end up at a page with a button labeled "Delete". It takes a lot of courage to press the button, to confirm that it really means "remove" or "eject" (it does). Firmware updates on both devices added an "auto jump service", you can enable or disable. Good luck on figuring out what that does!

Censure

Software versions

It didn't take me long to get access into the devices. Here is what the Hootoo said it is running:

$ cat /proc/version
Linux version 2.6.36 (gcc version 3.4.2) #8 Fri Jul 11 10:44:45 CST 2014
$ /usr/sbin/smbd --version
Version 3.0.24

RAVPower:

$ cat /proc/version
Linux version 2.6.21 (gcc version 3.4.2) #5 Fri Nov 1 13:36:46 CST 2013
$ /usr/sbin/smbd --version
Version 3.0.24

The Linux kernels date from 2007 and 2010. Neither version is long term supported, and both have various known security holes, although remote security holes are very rare.

smbd is the main component of Samba and provides networked file access. Version 3.0.24 was released in 2007, and there have been numerous releases since then, including 3.0.25 a few months later which fixed 3 security holes. Virtually all Samba security holes are remote since that is what it does.

I didn't check the versions of other accessible services (eg DLNA server, NTP), but this pattern of older versions with known problems is most likely. (The gcc version above is from 2008.)

Network exposed

Why do the versions matter? Both vendors (RAVPower update) made a very bad decision - all network services including the web admin pages, Samba, DLNA, and even a telnet server are accessible from in front of the device. If for example you are at an airport, campus, coffee shop, hotel or somewhere else with a network, and connect the device, then anyone on those networks can connect to the network services on the device. They do not need to connect to the wifi on it. A bad guy has more than 5 years of published security holes to choose from, and can have complete control over it. (The default usernames and passwords also make this a breeze.)

Complete control means they can extract your saved wifi password (eg if last on your home network, or for the current network), redirect or monitor your traffic, replace the firmware etc. To a certain extent this is no different than connecting to someone else's network which you have to assume is hostile, but this is something that goes around with you. (Both vendors use the word 'secure' in their Amazon descriptions.) While that kind of exploitation sounds far fetched, bad guys are already doing it.

Bridge mode

Both products' Amazon pages claim to support a bridge mode, but this marketing fluff and not the term as understood by networking people. They never bridge in the sense that those behind the device and the network in front are joined making a unified LAN. The devices always do network address translation (NAT) and never any form of bridging.

Admin Pages

As far as I can tell, Hootoo are the firmware developers. Their older products as well as the RAVPower use a fairly clunky web interface. It looks like a singe page application but doesn't do it well.

The Hootoo has a newer web interface where the URL changes as you navigate around pages, making it much easier to see what is going on, send links to others or other devices etc. It is also mobile centric giving the same pages that look good on a phone, as to a large monitor.

I had a quick look at authentication to see if there were any simple holes. Both use their own login screen, which means your browser can't prompt you nor remember the password. They set a session id cookie and require it to be present for other web accesses.

The pages are always over http, and not https, although there isn't much of an alternative. (Browsers are getting very hostile to self signed certificates.)

Both devices ended up with a second web server on port 81 (standard http is port 80), that appears to be related to the admin server. There is no need for it, and I'd be concerned about what it does.

Many changes cause the device to reboot and your browser to show a many minute "please wait" message. This gets very annoying. I understand why it is done (far simpler to code and test), but not doing it so much would be a more pleasant experience.

Firmware updates require storage to be connected as the devices don't have temporary storage. On both devices they also wiped out all settings.

RAVPower update

20 May, 2015

I sent an email to RAVPower support around the network exposing and GPL issues. There was no response. A few days later there was a comment on my Amazon reviewing asking me to email support, so I did a second time.

They claimed the issue had been fixed with new firmware, and a pointer to some source. I can confirm that the new firmware does indeed stop exposing network services to the public.

The source link was to Hootoo's website and looked like an effort had been made for some GPL awareness. It included a document outlining components, their version numbers, and license. It also included the kernel source code and Samba (including patches). I did verify the kernel and Samba versions matched, but did not verify they could be built or were exactly what was on the device (both GPL requirements). There didn't appear to be much other source present.

I did have more interaction with support, who didn't understand the difference between telling me about that source drop and actually complying with the GPL. It needs to be available to all users (without having to ask), requires copyright notices be present, be complete and more.

Hootoo update

28 May, 2015

Email to Hootoo support went unanswered. However I did see new firmware appear, which claimed to add exFAT support.

On the network exposed front, the telnet server was disabled, but another web admin server appeared on port 81.

Comments

Comments powered by Disqus