I recently decided to get a multipurpose device. They can do all this:
Large battery to recharge other devices over USB (eg your phone and tablet)
Provide wifi access to a network in front of it
A wifi network is provided behind the device with a name and password of your choosing. You connect one or more of your devices to that.
In front of it you can have no network at all, a wifi network (unrelated to the one behind), or a wired ethernet network. You do have to configure access to the network, but only for this device. Your devices are behind it blissfully ignorant of the real network.
Exports attached storage (eg USB stick, USB hard drive, sdcard) via both SMB (aka "Windows network file sharing" supported by virtually everything these days) and DLNA (a multimedia network protocol, supported by many although the Apple ecosystem prefers "iTunes")
They are cheap ($40 - $60 depending on battery capacity)
Can run completely off the battery so no additional power is needed. They will run for many hours. They will also run while being charged.
Similar in size to a pack of cards
They use popular standards - eg they charge using standard micro-USB, provide power for devices with standard USB port, use existing filesystems, standard protocols etc. There is no need to carry different cables or chargers, and any software speaking SMB or DLNA works.
After some agonizing over Amazon reviews, and reading the manuals, I ended up with two.
How they do all this turns out to be quite simple. The battery provides power, and there is a small Linux based computer attached. It is running a MIPS based processor (the manuals even tell you the exact manufacturer and model number), 32MB of RAM, and 8MB of builtin storage for their software. For some reason MIPS cores seem very popular in network access devices - if you have a box at home from the likes of Linksys, DLink, Netgear etc, it is almost certainly using MIPS.
They fundamentally do what they say. Both RAVPower and Hootoo provide Android and iOS apps to help access and configure the devices. However neither requires it and you can do all the configuration work in a web browser by going to the device address (default 10.10.10.254). It looks like the apps are really just some logic to find the device on the network, and then show the admin pages in a WebView. Note that I have never tried the apps.
Each device has some nice highlights the other doesn't. (If only someone made something combining the best of both.) The Hootoo has some lights on top to see battery level (they only light when you press the button as I did before taking the photo). The RAVPower has a micro-sdcard slot. The Hootoo can stand up. The RAVPower has a label giving default username, passwords and IP address. The Hootoo web admin pages are nicer, simpler and mobile optimised. The RAVPower ones tell me the device's external IP address. The Hootoo's lights go on or off in sequence during power on and power off so you have progress feedback.
As a test I left the HT-TM05 10,400mAh device on and connected to the wifi network. I didn't have anything connected to it, so this is a measure of the longest it can continuously run. After 45 hours (3 hours short of two full days) it had dropped to one battery led (out of four), and I decided to recharge it rather than deplete the battery completely. That is an impressive runtime. The RTP-WD02 has a 6,000mAh battery so you would expect a proportionate maximum runtime around 28 hours.
The RAVPower has ports on 3 sides, which can lead to cables sticking out in all directions. The Hootoo is nicer with ports on two sides next to each other. Sadly the micro-USB for charging is right next to the USB for connecting storage. If the cables connecting either are anything but skinny heads then you can't have both connected. If you use an sdcard reader on the Hootoo then it will overlap the charging port. You get a choice of too dense ports (Hootoo) or not dense enough (RAVPower).
Hootoo really should have a builtin sdcard reader.
The web admin UIs have no help. When you want to safely remove attached storage, you'll end up at a page with a button labeled "Delete". It takes a lot of courage to press the button, to confirm that it really means "remove" or "eject" (it does). Firmware updates on both devices added an "auto jump service", you can enable or disable. Good luck on figuring out what that does!
It didn't take me long to get access into the devices. Here is what the Hootoo said it is running:
$ cat /proc/version Linux version 2.6.36 (gcc version 3.4.2) #8 Fri Jul 11 10:44:45 CST 2014 $ /usr/sbin/smbd --version Version 3.0.24
$ cat /proc/version Linux version 2.6.21 (gcc version 3.4.2) #5 Fri Nov 1 13:36:46 CST 2013 $ /usr/sbin/smbd --version Version 3.0.24
The Linux kernels date from 2007 and 2010. Neither version is long term supported, and both have various known security holes, although remote security holes are very rare.
smbd is the main component of Samba and provides networked file access. Version 3.0.24 was released in 2007, and there have been numerous releases since then, including 3.0.25 a few months later which fixed 3 security holes. Virtually all Samba security holes are remote since that is what it does.
I didn't check the versions of other accessible services (eg DLNA server, NTP), but this pattern of older versions with known problems is most likely. (The gcc version above is from 2008.)
Why do the versions matter? Both vendors (RAVPower update) made a very bad decision - all network services including the web admin pages, Samba, DLNA, and even a telnet server are accessible from in front of the device. If for example you are at an airport, campus, coffee shop, hotel or somewhere else with a network, and connect the device, then anyone on those networks can connect to the network services on the device. They do not need to connect to the wifi on it. A bad guy has more than 5 years of published security holes to choose from, and can have complete control over it. (The default usernames and passwords also make this a breeze.)
Complete control means they can extract your saved wifi password (eg if last on your home network, or for the current network), redirect or monitor your traffic, replace the firmware etc. To a certain extent this is no different than connecting to someone else's network which you have to assume is hostile, but this is something that goes around with you. (Both vendors use the word 'secure' in their Amazon descriptions.) While that kind of exploitation sounds far fetched, bad guys are already doing it.
Have a quick skim of these two pages:
Note especially how seriously RAVPower take their intellectual property rights. Hootoo aren't quite as extreme but do also comically believe they can limit your links to their site.
They have lawyers who can compose those extreme pages, and deeply care about their rights. That is the standard they should be judged against, when they deal with the rights of others.
Standard copyright law is that the creator of something has moral rights - roughly speaking things can't be copied, distributed, altered etc unless the creator explicitly grants those actions. The vast majority of software on the devices was created by others, and hence can't be copied, distributed or altered.
But those creators chose to allow copying, distribution, and modification providing certain rules were followed. Those rules are known as a license, and if choosing not to comply with a license then the copyright applies. Hootoo, RAVPower and the resellers are neither complying with copyright law, nor with the licenses.
For example several of the pieces (eg kernel, Samba) are covered by the GNU Public License 2. Here is a quote from section 3:
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither company does any of these requirements, or other sections such as copyright notices, warranty etc. Requirements in similar areas are part of other licenses covering other parts of the device's software.
Both could do a lot better job. They could have the necessary notices in the documentation, they could have links next to firmware downloads etc. There are guides on how to comply.
Both products' Amazon pages claim to support a bridge mode, but this marketing fluff and not the term as understood by networking people. They never bridge in the sense that those behind the device and the network in front are joined making a unified LAN. The devices always do network address translation (NAT) and never any form of bridging.
As far as I can tell, Hootoo are the firmware developers. Their older products as well as the RAVPower use a fairly clunky web interface. It looks like a singe page application but doesn't do it well.
The Hootoo has a newer web interface where the URL changes as you navigate around pages, making it much easier to see what is going on, send links to others or other devices etc. It is also mobile centric giving the same pages that look good on a phone, as to a large monitor.
I had a quick look at authentication to see if there were any simple holes. Both use their own login screen, which means your browser can't prompt you nor remember the password. They set a session id cookie and require it to be present for other web accesses.
The pages are always over http, and not https, although there isn't much of an alternative. (Browsers are getting very hostile to self signed certificates.)
Both devices ended up with a second web server on port 81 (standard http is port 80), that appears to be related to the admin server. There is no need for it, and I'd be concerned about what it does.
Many changes cause the device to reboot and your browser to show a many minute "please wait" message. This gets very annoying. I understand why it is done (far simpler to code and test), but not doing it so much would be a more pleasant experience.
Firmware updates require storage to be connected as the devices don't have temporary storage. On both devices they also wiped out all settings.
20 May, 2015
I sent an email to RAVPower support around the network exposing and GPL issues. There was no response. A few days later there was a comment on my Amazon reviewing asking me to email support, so I did a second time.
They claimed the issue had been fixed with new firmware, and a pointer to some source. I can confirm that the new firmware does indeed stop exposing network services to the public.
The source link was to Hootoo's website and looked like an effort had been made for some GPL awareness. It included a document outlining components, their version numbers, and license. It also included the kernel source code and Samba (including patches). I did verify the kernel and Samba versions matched, but did not verify they could be built or were exactly what was on the device (both GPL requirements). There didn't appear to be much other source present.
I did have more interaction with support, who didn't understand the difference between telling me about that source drop and actually complying with the GPL. It needs to be available to all users (without having to ask), requires copyright notices be present, be complete and more.