Roger Binns — Tue 19 May 2015
I recently decided to get a multipurpose device. They can do all this:
- Large battery to recharge other devices over USB (eg your phone and tablet)
- Provide wifi access to a network in front of it. A wifi network is provided behind the device with a name and password of your choosing. You connect one or more of your devices to that. In front of it you can have no network at all, a wifi network (unrelated to the one behind), or a wired ethernet network. You do have to configure access to the network, but only for this device. Your devices are behind it blissfully ignorant of the real network.
- Exports attached storage (eg USB stick, USB hard drive, sdcard) via both SMB (aka "Windows network file sharing", supported by virtually everything these days) and DLNA (a multimedia network protocol, supported by many although the Apple ecosystem prefers "iTunes"). On Android and desktop systems, you'll find that Kodi works for both SMB and DLNA, as does Android ES File Explorer (SMB only).
- They are cheap ($40 - $60 depending on battery capacity)
- Can run completely off the battery so no additional power is needed. They will run for many hours. They will also run while being charged.
- Similar in size to a pack of cards
- They use popular standards - eg they charge using standard micro-USB, provide power for devices with standard USB port, use existing filesystems, standard protocols etc. There is no need to carry different cables or chargers, and any software speaking SMB or DLNA works.
After some agonizing over Amazon reviews, and reading the manuals, I
ended up with two.
How they do all this turns out to be quite simple. The battery
provides power, and there is a small Linux based computer attached.
It is running a MIPS based
processor (the manuals even tell you the exact manufacturer and model
number), 32MB of RAM, and 8MB of builtin storage for their software.
For some reason MIPS cores seem very popular in network access
devices - if you have a box at home from the likes of Linksys, DLink,
Netgear etc, it is almost certainly using MIPS.
They fundamentally do what they say. Both RAVPower and Hootoo provide
Android and iOS apps to help access and configure the devices.
However neither requires it and you can do all the configuration work
in a web browser by going to the device address (default
10.10.10.254). It looks like the apps are really just some logic to
find the device on the network, and then show the admin pages in a
WebView. Note
that I have never tried the apps.
Each device has some nice highlights the other doesn't. (If only
someone made something combining the best of both.) The Hootoo has
some lights on top to see battery level (they only light when you
press the button as I did before taking the photo). The RAVPower has
a micro-sdcard slot. The Hootoo can stand up. The RAVPower has a
label giving default username, passwords and IP address. The Hootoo
web admin pages are nicer, simpler and mobile optimised. The RAVPower
ones tell me the device's external IP address. The Hootoo's lights go
on or off in sequence during power on and power off so you have
progress feedback.
As a test I left the HT-TM05 10,400mAh device on and connected to the
wifi network. I didn't have anything connected to it, so this is a
measure of the longest it can continuously run. After 45 hours (3
hours short of two full days) it had dropped to one battery led (out
of four), and I decided to recharge it rather than deplete the battery
completely. That is an impressive runtime. The RTP-WD02 has a
6,000mAh battery so you would expect a proportionate maximum runtime
around 28 hours.
The RAVPower has ports on 3 sides, which can lead to cables sticking
out in all directions. The Hootoo is nicer with ports on two sides
next to each other. Sadly the micro-USB for charging is right next to
the USB for connecting storage. If the cables connecting either are
anything but skinny heads then you can't have both connected. If you
use an sdcard reader on the Hootoo then it will overlap the charging
port. You get a choice of too dense ports (Hootoo) or not dense
enough (RAVPower).
Hootoo really should have a builtin sdcard reader.
The web admin UIs have no help. When you want to safely remove
attached storage, you'll end up at a page with a button labeled
"Delete". It takes a lot of courage to press the button, to confirm
that it really means "remove" or "eject" (it does). Firmware updates
on both devices added an "auto jump service", you can enable or
disable. Good luck on figuring out what that does!
It didn't take me long to get access into the devices. Here is what
the Hootoo said it is running:
$ cat /proc/version
Linux version 2.6.36 (gcc version 3.4.2) #8 Fri Jul 11 10:44:45 CST 2014
$ /usr/sbin/smbd --version
Version 3.0.24
RAVPower:
$ cat /proc/version
Linux version 2.6.21 (gcc version 3.4.2) #5 Fri Nov 1 13:36:46 CST 2013
$ /usr/sbin/smbd --version
Version 3.0.24
The Linux kernels date from 2007 and 2010. Neither version is long
term supported, and
both have various known security holes, although remote security holes
are very rare.
smbd is the main component of Samba and
provides networked file access. Version 3.0.24 was released in 2007,
and there have been numerous releases since then, including 3.0.25 a few
months later which fixed 3 security holes. Virtually all Samba
security holes are remote since that is what it does.
I didn't check the versions of other accessible services (eg DLNA
server, NTP), but this pattern of older versions with known problems
is most likely. (The gcc version above is from 2008.)
Why do the versions matter? Both vendors (see the RAVPower update below) made a very bad decision - all network services
including the web admin pages, Samba, DLNA, and even a telnet server are accessible from in front
of the device. If for example you are at an airport, campus, coffee
shop, hotel or somewhere else with a network, and connect the device,
then anyone on those networks can connect to the network services on
the device. They do not need to connect to the wifi on it. A bad guy
has more than 5 years of published security holes to choose from, and
can have complete control over it. (The default usernames and
passwords also make this a breeze.)
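The check I would want before trusting such a device on a public network, written up as an added example (my code, not the post's or either vendor's): run it from a laptop on the front-side network against the address the router obtained there, and anything reported as exposed is reachable by every stranger on that network. The port list assumes the standard ports for the services the post names (telnet, the two web admin servers, SMB); the offline demo uses a local listener as a constructed stand-in for the router.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Services the post says the original firmware answered on the front side.
DEFAULT_PORTS = {23: "telnet", 80: "web admin", 81: "second web admin",
                 139: "SMB (NetBIOS)", 445: "SMB"}

def port_open(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes (service reachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable or timed out
        return False

def exposed_services(host, ports=DEFAULT_PORTS, timeout=1.0):
    """Probe every port in parallel; map port -> reachable from this host."""
    with ThreadPoolExecutor(max_workers=len(ports) or 1) as pool:
        return dict(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))

def offline_demo():
    """Constructed stand-in for the router so the check runs without a
    network: a local listener plays one exposed admin service and a second
    port is left closed.  Returns (result map, listening port, closed port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    spare = socket.socket()            # grab a free port number ...
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # ... then release it: nothing listens
    try:
        ports = {open_port: "fake admin server", closed_port: "nothing"}
        return exposed_services("127.0.0.1", ports), open_port, closed_port
    finally:
        srv.close()

if __name__ == "__main__":
    import sys
    # Real use: the address the router got on the front-side network (the
    # RAVPower admin pages show it), not its 10.10.10.254 address behind it.
    if len(sys.argv) != 2:
        sys.exit("usage: check_front.py <router address on the front network>")
    for port, up in sorted(exposed_services(sys.argv[1]).items()):
        print(f"{port:5} {DEFAULT_PORTS[port]:18} {'EXPOSED' if up else 'closed'}")
```

After a firmware update, the same run should report every port as closed; a reappearing listener (as port 81 did in the updates below) shows up immediately.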
Complete control means they can extract your saved wifi password (eg
if last on your home network, or for the current network), redirect or
monitor your traffic, replace the firmware etc. To a certain extent
this is no different than connecting to someone else's network which
you have to assume is hostile, but this is something that goes around
with you. (Both vendors use the word 'secure' in their Amazon
descriptions.) While that kind of exploitation sounds far fetched,
bad guys are already doing it.
Have a quick skim of these two pages:
Note especially how seriously RAVPower take their intellectual
property rights. Hootoo aren't quite as extreme but do also comically
believe they can limit your links to their site.
They have lawyers who can compose those extreme pages, and deeply care
about their rights. That is the standard they should be judged
against, when they deal with the rights of others.
Standard copyright law is that the creator of something has moral
rights - roughly
speaking things can't be copied, distributed, altered etc unless the
creator explicitly grants those actions. The vast majority of
software on the devices was created by others, and hence can't be
copied, distributed or altered.
But those creators chose to allow copying, distribution, and
modification providing certain rules were followed. Those rules are
known as a license, and if you choose not to comply with the license then
plain copyright applies. Hootoo, RAVPower and the resellers are neither
complying with copyright law, nor with the licenses.
For example several of the pieces (eg kernel, Samba) are covered by
the GNU Public License 2. Here is a quote from
section 3:
3. You may copy and distribute the Program (or a work based on it, under
Section 2) in object code or executable form under the terms of Sections 1
and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source
code, which must be distributed under the terms of Sections 1 and 2
above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to
give any third party, for a charge no more than your cost of physically
performing source distribution, a complete machine-readable copy of the
corresponding source code, to be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to
distribute corresponding source code. (This alternative is allowed only
for noncommercial distribution and only if you received the program in
object code or executable form with such an offer, in accord with
Subsection b above.)
The web admin server is under the BSD
license which
includes this requirement:
- Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
Neither company meets any of these requirements, or those of other sections such
as copyright notices, warranty etc. Requirements in similar areas are
part of other licenses covering other parts of the device's software.
Both could do a much better job. They could have the necessary notices
in the documentation, they could have links next to firmware downloads
etc. There are guides on how to comply.
Both products' Amazon pages claim to support a bridge mode, but this is
marketing fluff and not the term as understood by networking people. They never
bridge in the sense that those behind the device and the network in
front are joined making a unified LAN. The devices always do network
address translation (NAT)
and never any form of bridging.
As far as I can tell, Hootoo are the firmware developers. Their older
products as well as the RAVPower use a fairly clunky web interface.
It looks like a single page application but doesn't
do it well.
The Hootoo has a newer web interface where the URL changes as you
navigate around pages, making it much easier to see what is going on,
send links to others or other devices etc. It is also mobile centric
giving the same pages that look good on a phone, as to a large
monitor.
I had a quick look at authentication to see if there were any simple
holes. Both use their own login screen, which means your browser
can't prompt you nor remember the password. They set a session id
cookie and require it to be present for other web accesses.
The pages are always over http, and not https, although there isn't much of
an alternative. (Browsers are getting very hostile to self signed
certificates.)
Both devices ended up with a second web server on port 81 (standard
http is port 80), that appears to be related to the admin server.
There is no need for it, and I'd be concerned about what it does.
Many changes cause the device to reboot and your browser to show a
many minute "please wait" message. This gets very annoying. I
understand why it is done (far simpler to code and test), but not
doing it so much would be a more pleasant experience.
Firmware updates require storage to be connected as the devices don't
have temporary storage. On both devices they also wiped out all
settings.
20 May, 2015
I sent an email to RAVPower support around the network exposing and
GPL issues. There was no response. A few days later there was a
comment on my Amazon reviewing asking me to email support, so I did a
second time.
They claimed the issue had been fixed with new firmware, and a pointer
to some source. I can confirm that the new firmware does indeed stop
exposing network services to the public.
The source link was to Hootoo's website and looked like an effort had
been made for some GPL awareness. It included a document outlining
components, their version numbers, and license. It also included the
kernel source code and Samba (including patches). I did verify the
kernel and Samba versions matched, but did not verify they could be
built or were exactly what was on the device (both GPL requirements).
There didn't appear to be much other source present.
I did have more interaction with support, who didn't understand the
difference between telling me about that source drop and actually
complying with the GPL. It needs to be available to all users
(without having to ask), requires copyright notices be present, be
complete and more.
28 May, 2015
Email to Hootoo support went unanswered. However I did see new
firmware appear, which claimed to add exFAT support.
On the network exposed front, the telnet server
was disabled, but another web admin server appeared on port 81.