Saturday, 6 August 2016

Wireless home alarm system from ebay

Following on with my faulty alarm problems at home (The X10 system) I've been looking for an alternative, waiting for when the current one acts up enough to warrant buying a replacement.
This week it did just that, making strange noises from the sounder and forgetting the remote fobs. So I decided to look around.
I had a few requirements:

  • wireless (to avoid the need for long wiring runs to the sensors)
  • gsm/remote alerting (to sms or ring me during alarm conditions or let me remotely check status, arm/disarm, etc)
  • keychain/remote arm/disarm (Wife and daughter prefer these to tapping in a code)
  • Interface with my home automation systems (More tricky, but basically have some I/O I can tap into)
  • "nice" appearance. It'll be in a prime location in the house so don't want it to look terrible.
  • Cheap (ish) as I'm a cheap-skate so don't want to spend a lot of money on a solution that I'll never be 100% happy with (I also have a high expectation for electronics, so I'm never happy!)
So after a lot of searching, I found a system that might fit the majority of my requirements, and have the potential for expansion and tinkering. It's also not mega-expensive which gives me more incentive to take a look inside and tinker with it!
The ebay listing I found was this one, so the unit came with the control box (and PSU), 3 door sensors, 3 motion/pir sensors, 1 smoke sensor, two keychain remotes, one additional sounder and an outside bell/sounder box. Not a bad package for the price I feel.

Delivery was in a couple of days, so now I have the unit I've started to play with it. So here are my findings on the unit. Firstly it's not the best plastic casing I've ever encountered. It's distinctly cheap, but rounded corners and smooth edges so it's not going to win a fashion award, but it's also not too hideous to put in your hallway!

This is the main control unit, front. At the front you have the two speaker grills either side (As I found out, one is a microphone and one is a speaker). Behind the clip down door is the push button keypad. At the top you have the LCD screen and a series of LED indicators either side for constant system status.

This is the rear view. You can see the 12v power cable going in, the SIM slot and the various I/O screw terminals. To the left you can see an on/off switch. This worried me slightly immediately when I found it, assuming it would turn the whole system on and off. However as it turns out this is only the battery master switch, normal power was not controlled by this switch!
The screw terminals provide 8 wired inputs (and can take normally open or normally closed with the use of a set of resistors supplied), it also has a sounder +/- terminal, a constant 9v output for supplying alarm boxes, etc. Two GND terminals for the I/O ports, then the final two are COM and NO which I've yet to work out their function or use.

Powering it up for the first time, I found the speaker to be VERY loud, even normal arm/disarm and voice prompts were at a volume unbearable for setting it up. The volume level I suspect was fixed so it always ran at that level, no configuration to set it either which was disappointing. So the first job I'd have to do was change this, as it was almost unusable in this state as soon as it was put up it would annoy me!
So, the back came off and I discovered some very recognisable components inside:

Looking at the board, top left (blue square) is a relay, which I think will be the alarm output switched contact.
Below it is a ZTE cellular modem which supports SMS and telephone calls. The coil to the left of it I think is the internal antenna for it (There is also the on-chip connector for external antenna if you need it). To the right of it is the SIM card (with mine inserted). NOTE: This is 2G only (EDGE/GPRS) so you need to find a mobile company that supports this (So O2, T-Mobile/EE I believe should be OK. Three is NOT an option - I tested this). So the potential here is that this won't work very well, and not for long as mobile networks phase out their 2G networks, so something to be aware of here. However chances are you can just swap the board for a newer equivalent that uses the same AT command set.

Over to the top right (with the yellow outline) is a small backup battery, this probably keeps power to the EEPROM for storage of data, time, system state, etc.
The to the very right of the board (which has the black wire coming out of it) is a very recognisable part! It is a 477Mhz receiver that is commonly used in Arduino and hobby electronics, soldered on as a daughterboard. The black wire is the antenna.
If you then look to the bottom left, you'll see the matching 477Mhz transmitter board with it's own black antenna wire running along the left towards the top. So these two are standard boards that you can buy for Arduino development.
Here are similar modules you can buy easily for Arduino development:

Above the transmitter board is a two-pin connector, this connects to the speaker round the front.
Here is the front of the board:

Here you can see the microphone to the top right (I've flipped the board) and the LCD screen and various status LEDs. You can also see the copper contacts for the buttons.
These may need to be altered as the key button presses aren't very accurate, so probably need some better contacts here which i'll work on another time.

This is the front casing, showing the 8 Ohm 5W speaker and plastic casing and buttons.
So, first job is to reduce the volume output of the speaker. Since it's not used much and doesn't carry high current I'm going to simply wire a resistor in series with one of the leads.

The final soldering and resistor work looks like this:

That was a larger value than I'd wanted to apply (120 ohm) but it should reduce the volume appropriately. I powered it up and it reduced the volume pretty well, perhaps a little low (as it had distorted the spoken voice slightly) but that should do for now (It was the lowest resistor value I had!)

Now onto the 433Mhz sensors. These attached to the doors/windows and had a magnet one side and a reed switch a the other, very simple typical design really, so taking a look inside it:

Top left is the red LED which flashes when triggered. Top right is the 433Mhz transmitter crystal, the spring to the right is the antenna.
The push button is brought to the front of the unit as a press button (This is for setting, to trigger a signal). At the bottom is a 12v battery, and above it is a set of 4 jumper pin positions. I'm assuming these set a unique code for the unit so you can change it if so desired, adding a little more security to your setup. Naturally, no instructions on this! To the left you can see the reed switch soldered in there (and without trimming the excess wire!), so quite a simple design once again.

On the other side of the board is all of the transmitter electronics:

Which I was actually surprised it was so complex, as again this is just a simple 477Mh transmitter when the reed switch was activated. I'll dig into the wiring at some future date.

So there it is, all in all there are good points and bad points. For example, 477Mhz is hobby electronics, so you CAN sniff the traffic and protocols, and no doubt spend enough time to watch the data and decode/decrypt them. But for the average user and average building security this unit will do the job nicely.

I've noted down all the relevant chips I've discovered and looked up so far:

Wednesday, 3 August 2016

BT DSL, FTTC and a rant about BTO engineers

Here we go again, another blog comment about the copper-wires service BT provides and the DSL services on top of them. As most of you know I work for an independent ISP, who are BT wholesale customers. That means we buy in bulk off the carrier (BT Wholesale). BT still maintain the copper pair (wires to your premises), the street cabinet that these copper pairs terminate into and then get patched back to the exchange (Also BT). Once at the exchange they are fed over BT's core network back to their central hubs where we then take a bulk feed off them and service our DSL customers from our own network, IP space, etc.

So, in this case my DSL drops regularly. I'm in a new housing development (2yrs old) which is part of a larger older estate (+10yrs). The rest of the estate cabinets were upgraded to FTTC and were really good quality (I lived in one of the other houses/roads in the same estate and got 80Mb down on FTTC, really good!). But BT and the builders Bellway in their infinite wisdom decided NOT to upgrade the cabinet that's serving a large number of the new houses that were built.

Now this to me isn't an oversight. These buildings were planned for some time as part of the overall estate development. The plans had been in at the council, residents associations, etc, so it was clear this development would take place and would provide a large number of additional houses. In our street there are around 40-50 houses. There are then additional streets, probably 5-10 in number so that makes quite a considerable number of houses.
These are fed from an old, standard BT cabinet. No FTTC. And broadband is VERY poor to this cabinet due to it's copper wiring distance back to the exchange. 1-2Mb is the stated maximum potential speed. It's also not very reliable and drops regularly.

This gets me onto part one of my rant. Why didn't BT and Bellway agree and upgrade this cabinet during the upgrade rollout for the area? It seems there is joint blame here as the building company have a say/input into services from the telcos. (Before anyone asks, no it's not Virgin Media cabled area either as they're not doing any new rollouts at present). BT's continual statement when I press them about it is that the cabinet only services two business premises in their planning, and so wasn't fit for FTTC upgrades. OK, I can see what they're on about, there are two businesses along the same road that have been there for 20+years. So it appears their plans weren't updated, or provided by the builders, or were ignored. Either way these homes are without high speed internet, which to be honest is shocking considering the push for digital futures, etc.

We're probably a more than typical family. We're quite high-tech, all our kids use electronics and the internet. My wife and I use the internet for pretty much everything in our personal and professional lives. I also work from home at times and doing so on a slow connection is tricky, especially with VOIP calls which for the most part work, providing nothing else is happening on the line at the time.

Then there is the terrible stability problems. The line drops quite regularly. At least once per week, and when it drops the speed drops (both the download and upload sync) and quite often becomes more unstable. It seems when the line is at a good sync speed and stable for a long period of time it's fine and usable. As soon as it drops and re-syncs it becomes unstable.
This is my biggest complaint. The fact that when it drops it comes back and has high packet loss (20-30% usually) and then I have to run a BTW KBD to get the thing sync'd back at anything sensible and to stop the packet loss.

I have made a correlation though with when it drops. There is one period on a Sunday morning early hours (between 2am-5am I've noted) that it seems common to do this action. But the other time, is whenever a BT van/engineer is in the cabinet! EVERY TIME they are in the cab our broadband drops momentarily and resyncs with this poor/unusable connection.

This leads me to think that the jumpering in the cabinet is poor, as whenever an engineer is in there it must take the lightest of touch and the cables must move and cause a resync.
I've had numerous engineer callouts that we've arranged through BTW at work, to get this investigated, checked. They've remade the connections, swapped pairs and ultimately give up and just say it's as good as it'll get due to the long distance from the exchange and that it'll always be unstable.

I've also submitted to BT many times the request for FTTC and investigation into feasibility, polled my MP and tried every path I can into trying to get an idea on if/when that cabinet can be upgraded, or if not, why not! And so far I've got nothing. I've got various email communications from BT who repeatedly say it's not on their rollout plan, etc, and so won't go any further.

So come on BT. You're trying to give rural communities FTTC and better broadband. What about a large housing development, in an already converted exchange. Look at where you've deployed and check, did the deployment reach all the locations? Does it do what you want?

Monday, 1 August 2016

Halfords Diesel Emissions Cleaner - with results

This is a quick review of the Halfords Diesel Emissions Cleaner from . These are in metal cans that you add to your fuel and will help reduce exhaust emissions, combustion chamber cleaner, cleans fuel system, removes soot deposits and is advised to be used pre-MOT to help ensure your emissions are within legal limits.
Generally it's a cleaner that helps keep your engine running better by cleaning out some of the deposits left on cylinder walls and piston heads due to combustion.

So I'm going to use it on my Chrysler Grand Voyager, 2.8 CRD engine, it's a big 2.8 engine with an automatic gearbox, so not a very efficient engine, and it's pulling around a big 1.5tonne (ish) car too.

I was sceptical, as I know a little about how these work and didn't see that it would make much difference, but at the same time wanted to give them a try and see how I got on.
(I also have the petrol version which I'll test out on my wifes car soon and show the results too)

So, the instructions are wait until you're down to 1/3 of a tank left, add the Halfords Diesel Emissions Cleaner to the tank then drive for a further 20-30 miles before filling up as normal. No need to drive differently, etc, so pretty straight forward.

So to test how it performed, I have my previous car computer miles to the gallon indicator, which before the cleaner was showing up at 28. This is a big diesel people carrier I drive so it doesn't get great fuel economy so let's see how it does!
After driving with the fuel cleaner in for 25 miles, I then got to refuel, so reset the trip counter

Then started to use the car as normal, I had a few town drives and a couple of longer journeys so used up around half a tank again, and at the end was quite impressed! The fuel economy was showing 33.7 which is quite a move up from 28.

A lot more than I was expecting to be honest! So all in all I think this is a good product, it definitely made a difference in this VERY unscientific test (So don't tell me how wrong/flawed my testing was, I know it wasn't scientific!) and to me any sort of improvement on a big old diesel engine like mine is a good thing.

I'll post a full video up soon on my testing and the results so you can see what you think.
Why not try it yourself and tell me how you get on, I'd love to hear back and see your results.

Disclaimer: I received this product in exchange for a fair and unbiased review. The review/opinions above are my own review on this product.

EDIT: Also I've recorded a quick video on this test:

Wednesday, 27 July 2016

To purchase pressure washer or not?

A few people have been buying pressure washers recently, and I'm wondering if they're worth getting.
The main jobs would be for washing the cars (Mine takes ages as it's a people carrier, so anything that helps would be good), cleaning the drive, paths, etc (They get a bit grubby as I do my car fixes on the drive, so they end up with coolant stains, oil patches, etc) so not a huge number of tasks but I'd want it to work well for these jobs.

Therefore looking at the type of pressure washer is important. Recently I've seen deals for them such as the Bosch AQT 33-11 which keeps going on offer down to around £50 which is a good value price. However as most deals, the devil is in the detail and looking closely you need to check a few specifications on them.
Here's what I've found out:
Power output - The energy consumed by the washer, in rough terms the higher the wattage the more power it will draw and vaguely the more powerful the motor will be.
Flow rate - Probably the key, this is the amount of liquid it will transfer within a specific time. This is normally in litres per hour, so the higher the value the higher pressure/volume of liquid is being pushed.
Mains fed/Tank fed - To allow you to run it from a water butt or tank, a handy option if you've got additional water storage and don't want to use the mains-fed water.

So based on that, you can start to make a choice on washers. The cheapo Bosch AQT 33-11 is predictably not that great. From the few that I've seen doing the rounds I've put the following together:

Bosch AQT 33-11 approx £50, 110bar, 1300watt, 330l/hr.
Nilfisk C120 approx £100, 120bar, 1400watt, 440l/hr.
Bosch AQT 35-10 approx £99, 120bar, 1500watt, 350l/hr.
Karcher K2 classic approx £120, 110bar, 1400watt, 360l/hr.
Karcher K4 approx £150, 140bar, 1800watt, 420l/hr.

So pricing varies by £100 and there isn't a huge difference in the pressure or water rates, although the £50 Bosch shows it really is underpowered compared to the rest.

So all in all, I'm still unsure about buying one at the moment as prices vary a lot and there isn't a huge difference for the money from what I can tell.

Oh and when you can get your car washed for £5 to a decent standard, that gives me 20 washes and 0 effort relating to the £100 pressure washer!

Tell me what you think, especially if you have one and like/hate it.

Scratch removal courtesy of TurtleWax and

I was lucky enough to be sent a few car products from the kind people at so here is the first video from the set that I'll be doing.

This full range is available from #halfords #motoring so let me know which one you'd like to see tested out next:

Disclaimer: I received these products in exchange for an honest unbiased opinion.

Friday, 22 July 2016

Fencing and outdoor stuff

Well over the past few weeks myself and my dad have been working on the fence at the back of the house. It's been a while in coming, over 2 years ago we bought this house from the developers and there wasn't a dividing fence between us and one of our neighbours (Just a few posts and rails to show the marker) and so this summer I decided it really was about time to get a bit of privacy and security to the house.
I'd kind of planned on how much it was going to cost us, pricing up timber, screws, etc, and it wasn't a cheap amount, the area was quite large to cover and especially as I wanted to 'cover' more of the other areas.

It's probably easier to show a before photo to explain what I was doing:

Along the left was the original fence post and rails put in do divide between us and the neighbours. Then along the back was this half wall half fence (Those neighbours path was at the brick height, so when walking along they were clearly visible) which the gaps inbetween the panels.
This was another thing I wanted to tackle, I wanted to block out the gaps, so decided to 'back' panel these fences and completely cover using my own fencing material the gaps.
So the job involved putting new posts in along the left (Quite easy, long fence posts, some postcrete that you just pour in dry into the hole and fill with water) and then create and attach the rails. Getting the height and position of the rails took a little work, then each of the wooden panels needed cutting and fitting to the right height.
The rear 'back' panel covers weren't too bad, just cut to the right height and then pushing them so they sit snugly.

Here's an in-progress shot:
As you can see the back panels are all in and covering nicely with my own fencing. The left posts and initial rails were in place (the two supports were just whilst the postcrete set fully).

We've now put in most of the panels on the left fence and just have the final parts of the posts and rails to continue down the side of the house.
After all of that, we then need to paint them as we want a slightly darker wood stain colouring on them, so plenty of tubs and paint brushes will be needed soon!

All in all, a lot of work, but I'm pleased with the effort and again much more satisfied doing the job ourselves than getting somebody else in to do it. It is true, DIY becomes a bit of a hobby and something I look forward to doing now.

Friday, 3 June 2016

maildrop and postfix

This is quite a short entry, it's mainly to help out anybody that needs to debug the same as me, as it took me a while to find the right information online.
If you're using postfix, and use maildrop you probably also use mailfilter rules to move your mail into the relevant folders on IMAP for you. Well if things don't go where you expect, or don't seem to drop into the folders you need to debug. Telling maildrop to debug and what to look for isn't exactly intuitive.
I'm using postfix, maildrop and ispconfig, so your config may be a little different, but the debugging should be the same. In your postfix you should have your maildrop line, something like:
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
Which puts it into delivery mode with user vmail. So in your /home/vmail (or whatever user folder it's set to) will be your .mailfilter generic file. It's in here you can setup the logging location:
logfile "/tmp/maildrop.log"
Seemed to work nicely for me, it was only a temporary log I wanted to look at. No need to restart postfix as it's called on the fly. Reading that file you'll see something like:
Date: Fri Jun  3 20:10:51 2016
From: Homebase <>
Subj: Be BBQ ready
File: /home/mydomain/myuser/.                                (154696)
Which in this case shows the email was dropped into the default inbox folder. If it was filtered into an alternative folder you'd see:
Date: Fri Jun  3 20:10:51 2016
From: Homebase <>
Subj: Be BBQ ready
File: /home/mydomain/myuser/./SOMEFOLDER/                                (154696)
Or similar to that. Easy!
Also if you want to log bits in the filter itself, open up the .mailfilter for your user account, and add in lines like:
log "== some log words =="
And that will literally log that to the file. Good to check your if conditions are working or to dump out some temporary fields.

That's it really!

Wednesday, 1 June 2016

Home improvement - painting and such like

I'm opening up a blog post for a slightly unusual topic. Decorating. We're planning on finally getting round to decorating our house (It was a new build 2yrs ago, so everywhere is builders magnolia that's as thin as skimmed milk) and so the choices of what to do, where and how are all starting to bubble up between me and my wife. (We've not even asked the kids yet, as who knows how many more options and choices that will open up!)
So, the main choices we're trying to come up with are:

  • Where to start - What room should we try first!
  • What to do - painting, a bit of wall art, wallpaper
  • How to do it - Tips and tricks on making it easy (!) and the right way to do things.
So I'm also after comments too, so feel free to let me know tips or tricks or any suggestions you have on how we should do this to give a good result.
My thinking so far:
Where to start - Probably our master bedroom, it's at the top of the house with adjoining en-suite and has low ceilings and strange angles/corners (It's built into the roofspace of the house). Initial thinking is just to paint, but for a bedroom what colours to go for. Light colours would make sense, it's not got a huge window so increasing the room light by paint would be better (No dark oaky types), our furniture is also light wood colours so keeping it light. Light grey colours with a feature wall with extra colour seem to be an idea that keeps coming into my head, because of the strange shapes of the ceiling though not sure how you would approach this. Other colours such as light pastel colours would maybe be an option?
What to do - I think wallpaper is discounted, as I hate the stuff, hate putting it up and removing it, so I reckon this one isn't going to be an option. Wall art, possibly, we did this in the children rooms and it looks really good, but not sure it would fit with what we want for our bedroom.
How to do it - This is the thing. I've never been a great painter or decorator, so I just do what I think is right. Go and buy a load of masking tape, and mask along the skirting board, and along the ceiling, around light fittings and electrical sockets. Then get a roller, slop some paint in the tray and roller away, trying to keep it even. Do you keep the strokes up and down or side to side? How thick do you apply the paint? And when I get to the fiddly bits and get a paint brush, how do you make it look the same, brush strokes always look different and it looks like you've 'highlighted' the socket you've painted around since the brush strokes stick out more! This is the bit that I always struggle with! So this is the part that needs the most input from those that know better, so I'm hoping somebody hears my struggle and tells me the right thing to do!

I look forward to comments or suggestions :-)

Tuesday, 3 May 2016

Another follow up to Marmitek/Haibrain SC9000 PSU (PS90U) failure

Here we go again, I've had another SC9000 power supply failure. For those that have been following my blog before you'll know I use an SC9000 X10 alarm system, and last year the power supply PS90U failed on it.
The power supply fails in an odd way, it still provides power to the alarm system, so everything appears fine, however when it fails it stops sending or receiving X10 commands, which is critical as the X10 commands trigger the siren/sounders and show the alarm as triggered.
I noticed that the timed lights weren't coming on and off when they are supposed to. These are controlled by the timer light functions on the SC9000, and so this made me suspect it yet again.

Sure enough, checking the PSU out, I found it wasn't sending/receiving the X10 commands through it. So time to check what's wrong.
Firstly. This is the 2nd unit I've had to purchase. The first failed in the same way, and now this one, less than one year since I bought it (Purchased 04/06/2016, failed 17/04/2016). So these units really aren't reliable. Originally I thought this was due to heat and so put heat vents in this PSU last year, however it looks like this hasn't helped.

Opening the unit up, again it has the stench of burnt electronics. They are comprised of a large transformer, some mains filter circuitry (and DC step-down) and then the X10 circuitry.

The first photo shows the transformer and the mains side of the circuit. You can see to the lower part of the board the discolouration of the circuit board, which is where the transformer sits, so the transformer obviously runs hot.

After stripping away some plastic covers/heatshrink, I revealed a glass fuse (I was expecting a resistor that was being 'used' as a resistor). Other components on there such as the capacitors, etc, looked OK, they weren't bulging and putting the meter on them showed the 'correct' resistance rising up to infinity, so they appeared OK.
The larger yellow component (visible in the photo) MPX275-X2 is a surge AC capacitor, small blue circle (to the right of the first photo) 
Various transistors are there 2SC667 which is an NPN transistor used for switching high current from a low current source (So most likely output from the chips on board)

Anyway, after various tests, none of the components appeared to have failed, which was odd. So I then started probing parts of the board for continuity, thinking heat may have fractured a trace. I wasn't getting much continuity from the mains leads (red and black in the photo) to anywhere, and then I tested the fuse. It was open circuit, so it had blown. It's a small 250mA 250v fuse, so a very small value.
Following the wiring of it, I realised that the mains wires (red and black) come in, directly connect to the two brown wires (to power the transformer) but then go through a fuse, choke, etc, and into the circuitry. So the transformer IS NOT protected by the fuse, but the small electronics ARE! How strange. So what was happening was the transformer was still working and stepping down/providing the low voltage to power the SC9000 alarm, but the fuse had blown and so the X10 circuitry in the PSU weren't getting any power. Hence the failure mode of these units, when they fail I suspect that is always the weak point, but rather than stop the whole thing working (A much better failure mode to me, in that you'll know it's failed. Rather than waiting until you need the alarm, and it not sounding!).

I did a small test, I bridged the fuse with a replacement, and hey presto, it started working. Now why the fuse failed I'm unsure, it was a very small current (250mA) which makes me think even a small electrical surge would cause it (The fuse was directly on the mains input, not after the smoothing capacitors, etc) so that's what I'm thinking. Especially as I've found that this does seem vulnerable to electrical surges.

So a quick replacement fuse and it's working again. But for how long?!

PIR Motion sensor circuit for kitchen lighting

A quick and simple little circuit but hopefully will help others out who want to achieve this. This is a little circuit I've knocked together for a friend.
The idea, he has LED downlight strips that are powered from a 5-12v DC supply. To add a clever touch to it, he'd like it when somebody walks into the kitchen the downlighters will come on and stay on whilst there is still movement (and after a delay) switch themselves off again.
* PIR sensor, from ebay which is around £3
* RELAY, from ebay again around £3-5
* BC547B NPN transistor (NOT gate), ebay around £1
* 10k resistor
* 1k resistor
* wires, casing and connectors

The circuit is very simple and will work like this. The PIR is supplied with power from the power supply constantly. When it senses movement it triggers it's middle pin and drives it LOW. (No movement and it drives it to 5v). So we connect the NPN base through the 10k resistor to the PIR signal output. Connect the collector via a 1k resistor to the +ve rail, and the emitter to ground.

The basic circuit diagram looks like this:
(The PIR is indicated by the switch to the left, and the output is connected to the relay)

And the actual components I've used look like this:

This is the small PIR with it's output going to the 10k resistor.
Above is the small relay board (It's a dual relay board, but I'm just using one). These boards are designed for Arduino and others as they are low-voltage signalling, so don't need a high current to switch the relay (They're opto-isolated). So you supply the board with +ve, ground and then the signal wire. When the signal is driven high it'll switch the relay on, and low switches it back off. The red LED indicates when the relay is energised.
At the top of the photo are the relay contacts, so centre takes the +ve feed, and the right (of the three terminals) takes the connection out to the LED downlights (normally open).

The image above shows the BC547B transistor with the 1k resistor to +ve and the connection to the relay board.
That's about all there is to it. I've contained it in a small plastic food container, and added fly leads with a DC jack socket and plug so you can simply plug it inline to the LED downlighters.

Monday, 11 April 2016

Project: Heating timer/thermostat replacement with Arduino

This is something I've been planning on and off for many years now and finally managed to make a start on the planning and design of this.
(Sorry for the long wordy blog entry!)

The project goal is to have a system that runs alongside the original programmer (And can be removed without damaging/affecting the existing system) and will supplement it's operation with a more dynamic control system. By dynamic I mean, by taking temperature readings from the majority of rooms in the house, taking outdoor temperatures and by allowing remote devices (Smartphones) the ability to interact with it, we should have a smarter heating system, and in theory save money by only having heating and hot water on when we actually need it and not warm an empty house, or over-heat the house.

The downside to traditional heating systems: This is an easy one, most existing systems have one temperature sensor/thermostat, a timer and a boiler (We'll ignore the pump, valves, etc, as those are all semi-automated from the boiler itself). Since there is only one temperature sensor/thermostat then we 'assume' this is a good judge of the house temperature. If that room is warm or cold then it will influence the heat through the entire house. It also doesn't take into account the outside temperature, or whether the house is occupied or not. In addition to that the hot water is a 'set and guess' method. You set what times you think you'll need hot water (or more accurately 30 minutes before you want it) and then heat up the hot water tank and hope it holds heat long enough until you need it, otherwise the heat is wasted.

The improvement plan: To add a controller alongside the existing one. This one will take temperature readings from all over the house and outside and make a calculation based on the average temperature in the house and also the outside temperature. For example, if the outside temperature is 5oC and inside we're only on 18oC then we know it'll take the house longer to warm up, so bring the heating on at an earlier time that morning (Also checking if people are in the house, if not then don't bother).

The equipment: To do this I'm going to use several Arduino programmable I/O boards. These are cheap, easily programmed and flexible to do what I need. There will be one installed beside the existing timer/controller which is beside the boiler. This will be the master and will have two relays connected up, to control the two functions on the boiler (Heating and Hot Water). These relays will be switching the 240v mains boiler, the current programmer is rated at 3Amp switching so my relays need to be at least the same. I'll wire them into the same outputs as the current programmer with a common LIVE to switch. These relays will need to be opto-isolated from their inputs to protect my Arduino against the high voltage that would kill it. I would also like a mains voltage 'sense' coming back into the Arduino, the idea being I can sense these two functions and see if the existing programmer has the heating or hot water already on. (Not sure how to 'sense' this voltage safely yet. Possibly solid-state mains powered relays?) This Arduino will also have a plain 16x2 LCD display to show current status, and will talk to my network using an ESP8266 wifi module. I'll also put two buttons on there, one for BOOST (1hr) for heating and the same for hot water, so you can also manually force the system ON (A function lacking on my existing controller).

Testing: So far I've only done a few concept tests. Firstly removing the existing controller and checking what connections are there. On mine there are 8. First two are LIVE and NEUTRAL (supply), the next two are NC contacts (one for HTG and HTW) which are unused, then there are the NO HTG and NO HTW which are the contacts closed to LIVE when the heating or hot water are requested by the programmer. The remaining two wires are for the temperature thermistor in the hallway (The only temperature sensor the manufacturer fits/supports).
Then I tested the LCD module and ESP8266 wifi module. I've had a lot of trouble with the ESP8266 modules in the past, I'm sure I've burnt out two now. First thing to remember, they are 3v units, and the Arduino drives at 5v so trying to talk serial to them over the digital I/O will over-volt the ESP8266, so this time I'm using a 4-channel Bi-Directional Logic Level Shifter, which allows 3.3v to 5v and vice versa conversion. I'm also using a 5v to 3.3v step down supply to power the ESP8266 based on the AMS1117-3.3 chip. That should keep the ESP8266 running happily, though I'll power it from my separate 5v supply rather than the 5v pins on the Arduino as these aren't particularly high current and the ESP8266 suffers when fed with low current supplies.
Also to remember, when testing the ESP8266 I used a USB serial adapter FTDI232 that runs at 3v3 or 5v for testing. That lets me connect straight into my laptop and to the ESP8266 to send AT commands and make sure it's working, etc. One other thing to remember, minicom on linux doesn't send CR+LF at end of line. You have to force it by pressing Ctrl-M then J (Annoying!)
So, that meant I had a working LCD and ESP8266 ready for the next parts.

I was also running out of digital I/O, luckily I'm not using analogue here so can use those as digital I/O too.
So the pins I've allocated so far are:

 * A0  = D14 BUTTON - heating boost (Boost for 1hr)
 * A1  = D15 BUTTON - water boost (Boost for 1hr)
 * A2  = DHW sense
 * A3  = HTG sense
 * A4  =
 * A5  =
 * D0  = n/a (serial comms)
 * D1  = n/a (serial comms)
 * D2  = lcd(14)
 * D3  = lcd(13)
 * D4  = lcd(12)
 * D5  = lcd(11)
 * D6  = RELAY (DHW) Hot Water
 * D7  = RELAY (HTG) Heating
 * D8  = ESP8211 RX
 * D9  = ESP8211 TX
 * D10 =
 * D11 = lcd(6)
 * D12 = lcd(4)
 * D13 = heartbeat LED light

As you can see, I'm now a little low on pins, so cannot add much more to this unit, good job this should cover almost everything here!

The next stage is the code which will involve quite a bit of tweaking, as there are several conditions I need to handle:
Heating on/off from temperatures (average) around the house
Heating on/off from remote control (app/webpage)
Hot water on/off from remote control (app/webpage)
Boost button for heating
Boost button for hot water
When people are home (Detect they're home by checking for either bluetooth mac address ping, wifi association, or house alarm isn't turned on) then switch heating on if temperatures are needed, or turn on hot water if within certain times.

There are also several safeguards to build in:
If heating is on constantly for more than 2hrs, perhaps we should switch it off as maybe something got stuck (Perhaps Arduino should stop making change and wait for manual intervention?)
Don't switch on and off heating quickly within an hour
Don't switch on and off hot water quickly within an hour

So the Arduino code will need to take the above into account. My basic code plan is to run in loop and keep polling my home linux server for the current state request.

That's where I'm up to for now, I'll continue to add more as I write the code and build the hardware. The next part is to find suitable hardware to enclose it in, this needs to be able to sit alongside the existing heating controller and not look out of place, but contain all the required Arduino, space for the LCD front screen, Heating on, Hot water on and two buttons for manual boost.
I'll also need to figure out how to sense mains voltage safely.

Hopefully more updates soon!

Sunday, 13 March 2016

Ford Fiesta Style 2007 remote boot release

Just a quick post for anybody with a similar problem. We have a Ford Fiesta Style 2007, similar to the photo below:
Recently the remote wouldn't pop the boot open, neither would the button on the car dashboard. For anyone that doesn't know, the car boot has a pop release on it, so it won't pop fully open but will unlock and release the catch so you can then lift the boot easily, or let somebody else do so (This is because there is no manual release button on the boot, the only alternative way to open the boot is to use the keylock which also releases the boot).
The electric boot release stopped working recently, and although you can hear the motor whirr nothing happens, so we decided to take a look and find out how it fits together and what was wrong.

Opening the boot you can see the locking mechanism, held in by two substantial hex bolts.

Here you can see the locking mechanism and I've removed the hex bolts (Two either side of the lock mechanism). DO NOT DO THIS! You don't need to for this repair/fix, that unit doesn't have anything interesting in. It contains the mechanical movement, an electric switch (for the alarm and boot lights) which you can see in the top right of the lock mechanism with the red tab (That is a push/pull connector) and two steel cables. These two steel cables are the release mechanism.
To get to these and the motor you need to remove the boot inner cover. This is the plastic cover with the handle to pull the boot shut. It has 3 cross-head screws and then it is pop-clipped shut, so take the screws out and just gently pull around the edges and the whole panel will come off.

Once you've removed the cover you'll see the rear wiper motor, electrical wiring and another black cover (in the middle of the photo, and photo below) which contains the locking mechanism and motor. This comes off with another couple of hex screws and then pops open.

Once you've removed the cover, you will see the motor and locking mechanism:

The two steel cables are then split, one comes into the servo motor shown above for the electrical release. The other feeds to the mechanical switch just up off to the right (out of shot) from the photo above.
As you can see it's a simple mechanism and uses a standard door lock servo to pull on the cable via a metal pivot. The springs them return the servo back to it's extended position.
The servo itself doesn't have many markings on it, the only ones I had are shown above on the photo. These will probably be standard, and I'd hope they match the servo's used in the door locks too to make it all standard and simple.
I found the servo was working, but it wasn't strong enough, so I think the servo is on it's last legs as it didn't have enough fore to exert against the spring. So as a quick/simple fix I decided to reduce the strength of the spring by cable-tying some of the coils together. This isn't exactly a fix, just a bodge job for now!
That's after I put the cable ties on and reduces the strength of the spring and for now opens the boot again using the electrical release. It'll fail again fairly soon but now I know I'll need a replacement servo motor to repair it properly.

Hope that helps somebody else wondering why their boot won't pop open, it should be an easy fix once you can identify the spare part to order and will only take about 30 minutes to change.

Friday, 11 March 2016

Tesco Hudl2 battery problems and teardown - Part2

Following on from my previous post (Tesco Hudl2 battery problems and teardown) I ordered a replacement Li-Ion battery (from eBay) to compare and test if this was the problem.
The battery was identical to the original one I had (Apart from the screenprinting wasn't quite a clear, so I'm not sure if it was genuine or a chinese copy. Doesn't really matter!), and so the first thing I did was tested the voltages I was getting on the pins.
Again on the black and red wires I was getting around 3.9v which looked good. I then tested the yellow and green wires. As you may remember these were the two I was most interested in as I think they were 'sense' wires to the Hudl2 to perhaps control if it should power on, check for 'safe' state of the battery, etc.
These did the same as the original battery, same low voltage output and same floating values, however after a bit of thought I tried the test but against the red (positive) wires, and lo and behold I got values! I got the same 3.9v on both of these wires. Comparing to the old battery, that did the same, so now I know, both batteries are giving the same output.
Therefore I wasn't very hopeful at this making the Hudl2 work.
Connecting it up, and sure enough the Hudl2 wouldn't power on. Connecting the charger up it again didn't light the charge light. No luck.

I then took the main board out of the Hudl2 to look for any other signs of problems, couldn't find anything, many many probe pins are on the board underneath marked power, signal, etc, and probing almost all of these showed voltage and signal so the board was getting power, etc, and all looked OK, so it appears to be something a lot more fundamentally wrong with the board now.

My suspicion is that when the fault PSU/wire started shorting out the usb input, there wasn't enough protection on the board and it damaged some key components (Not just in the charge circuit/components) and effectively bricked the unit.

Friday, 4 March 2016

Tesco Hudl2 battery problems and teardown

The Hudl2 is an excellently priced android-based tablet sold by Tesco in the UK for a while. Unfortunately they have now discontinued the range and so no more will be produced. Their price-point of under £100 and has an 8.1" screen, full HD, stereo speakers, quad-core 1.8Ghz processor, 2Gb RAM, 16Gb storage built-in and a 5 megapixel rear camera and 1.2 megapixel front-facing camera. So a pretty decent spec for the money.
My youngest had one and it's done well, lasted around 2 years of abuse, mainly around the charge socket as usual it's micro-usb and this is the weak point, the cables were abused quite badly and over time gave up, so swapping cables quite often solved it. That was until the last time, when the cable seemed to have shorted, so the tablet was left for a few weeks totally flat.
Plugging it in to charge wouldn't give the red charging light, which worried me as normally charge lights are hard-wired to the voltage input, so it not coming on was a bad sign, was the usb port damaged or worse.

What makes it more complicated is the hudl2 comes with a USB charger, but with non-standard specs, it's the usual 5v output but it's 2.0A which is a lot higher than normal (usb port is 0.5A), so that would suggest the hudl2 uses fast/high-powered charge. I therefore wasn't sure what the cable needed to be (We'd thrown out the damaged cable, a stupid move in hindsight!). Luckily the charger itself was OK and charging other USB devices fine.

So I suspected the hardware, popping the cover off is easy, just a flat screwdriver gently prising around the outside of the case at the seam will take the back cover off, just pop it open and it comes into two neat halves (no wires to worry about popping out, etc, the rear cover is purely a cover).

There in the middle you can see the 'battery pack'. This consists of two 3.8v li-ion batteries in parallel which I assume is to provide longer life/capacity. The connector is curious, it's 10 wires, 4 red, 4 black, one yellow and one green. All the red wires are tied together (so I suspect just to carry higher current on small wires) as are all the black wires. The yellow and green are interesting.
Upon initial opening, the red and black wires were giving 0v output. This made me think the 'battery pack' had li-ion protection circuit in there and had gone into full discharge protection (i.e. shutting the batteries down). So the first trick was to get them to charge. Plugging the USB power lead in initially didn't show any voltage on these wires either, which really confused me, as I'd assume the tablet would provide power to try and charge the batteries and rely on the charge circuitry to protect it.
In hindsight, I suspect this isn't the case, and the tablet does have sense on it (through the yellow and green wires I think) and so didn't start charging.

I then pulled apart the battery pack (very carefully. Li-ion are very unstable batteries, any damage could cause a cascade accident so please read up on them and do this with caution, know what you're playing with!) and found the control circuit. This was also when I found that the 'battery pack' was two li-ion packs joined together at the top with the control circuitry.
Testing the cell themselves (the metal tabs at the top of the cells) I got a low voltage (around 3.0v) which I'd guess was too low for the circuit to allow output/charge, so it was 'dead'. Reading around, there are ways to revive this circuit, unfortunately I didn't really document how I recovered the battery but it was a combination of keeping the charge on it and probing the sense circuits (My suspicion is my meter combined with voltage applied caused the charge circuit to 'see' a voltage which kicked things back off). I then saw 3.7v on the red and black wires from the Hudl2 cables, which was a good start. Watching it over a minute or so I saw the voltage slowly going up, by 0.01v every few seconds, so it got to 3.9v and hovered for a while. This looked hopeful.
Meanwhile I took it off charge a few times to test the Hudl2 power supply, the adapter gave out 5v as expected, and it had the middle two data pins shorted out, which is a common way of signalling to devices that it was a 'fast/high capacity' charger, so that's why other chargers didn't work right, they did slow/low charging rates.
Over about 30 minutes the voltage went up and up to around 4.0v which looked a good charge voltage for the cells, and it stayed around there, the charger got quite warm (I couldn't check current unfortunately) but I guessed this meant it was charging at a decent rate.
Over a few hours the voltage stayed around 4/4.1v and when removing the charger, I saw the voltage drop to the correct 3.8v supplied on the black and red wires to the Hudl2. However, the charge light would still not come on and the tablet wouldn't power on.
I was using the 'recovery' way of turning it on, that is holding the volume up and power in for 15 seconds, then just power for 15 seconds. This is supposed to recover it should it stop charging. However this wouldn't work. I've tried many combination of power and volume buttons without success now. None will show either the charge light or the power coming on to the tablet (Normally even when low on battery plugging the charge cable in would light the screen up and show a charging battery animation, this didn't trigger either).
So I'm back to suspecting the 'sense' circuitry either in the battery (unlikely as the batteries seemed happy now) or in the Hudl2 itself (most likely now I think). So I turned my attention to the strange additional two wires. The Yellow and Green that came from the battery into the Hudl2 motherboard.
When testing these wires, the yellow shows a constant 0.5v (when tested to black/ground) and the green showed a jumping voltage, my meter only showed around 0.5v for about a second, then 0 then back up again, approx every second changing. This is confusing, I'm unsure what both of these values should be, so cannot determine if these are giving the right output to the Hudl2 to tell it 'all is well'.

This is where I'm up to, the tablet won't power on or show it's charging, I think it's to do with these two sense cables, but not knowing their purpose or correct values cannot 'trick' it into booting or charging, which I suspect will kick a chain reaction and get it back to life.
I've ordered a replacement Li-Ion battery pack for it (Around £10 from eBay) as my suspicion is that if the pack is still damaged/faulty, then these sense wires may be causing the problem. When the new pack arrives the first thing I'll be doing is testing these two leads and see what voltage they give out and what sequence they do, as that may unlock the key to why the unit won't power back up.

As always, I'd appreciate your feedback and comments, if you've had similar problems and solved them please do post back to me, or if you know what the mystery Yellow and Green wires are for let me know in the comments!

Thursday, 11 February 2016

Cheap Chinese IP cameras (Wanscam) and their network activity

Here's a curious item, I've had quite a few of these over the years, not just IP Cameras but home automation relays, thermostats, etc. They all generally have IP connectivity and I duly just connect them into my LAN and start to use them.
However, I've been looking at why my internet connection keeps spiking and trying to cut down on anything not required to chatter to the internet, as my home connection is a very poor ADSL that cannot sustain much traffic, so cutting any junk out will help lots!

So running packet traces on my public connection (All devices on the LAN default gateway to my home server (A linux server) and then this does NAT to the public IPs I have), and started to notice a pattern of requests constantly going out over the public interface.

The first one is shown below:

12:33:47.668240 IP OBSCURED.2614 > OBSCURED.domain: 6038+ A? (34)
12:33:47.686932 IP OBSCURED.domain > OBSCURED.2614: 6038 NXDomain* 0/0/0 (34)
12:33:47.690643 IP OBSCURED.2614 > OBSCURED.domain: 6039+ A? (34)
12:33:47.709829 IP OBSCURED.domain > OBSCURED.2614: 6039 NXDomain* 0/0/0 (34)
12:33:47.723202 IP OBSCURED.2614 > OBSCURED.domain: 6042+ A? (34)
12:33:47.742344 IP OBSCURED.domain > OBSCURED.2614: 6042 NXDomain* 0/0/0 (34)
12:33:47.746075 IP OBSCURED.2614 > OBSCURED.domain: 6043+ A? (34)
12:33:47.764766 IP OBSCURED.domain > OBSCURED.2614: 6043 NXDomain* 0/0/0 (34)
12:33:47.777307 IP OBSCURED.2614 > OBSCURED.domain: 6046+ A? (34)
12:33:47.796293 IP OBSCURED.domain > OBSCURED.2614: 6046 NXDomain* 0/0/0 (34)
12:33:47.801283 IP OBSCURED.2614 > OBSCURED.domain: 6047+ A? (34)
12:33:47.819959 IP OBSCURED.domain > OBSCURED.2614: 6047 NXDomain* 0/0/0 (34)
12:33:47.832231 IP OBSCURED.2614 > OBSCURED.domain: 6050+ A? (34)
12:33:47.850810 IP OBSCURED.domain > OBSCURED.2614: 6050 NXDomain* 0/0/0 (34)

(I've OBSCURED my IP/hostname and my upstream DNS providers resolver here)
So what was happening is something was asking for the dns entry for and constantly being told this doesn't exist. So this capture was done on my external interface, switching to my internal interface (for my LAN on the NAT server) I then tracked this down to an IP Camera was making this constant request. Logging into the web interface of the camera I couldn't find anything referring to this, but clearly it has some process where it tries to 'phone home' so that was the first one tracked down. I simply put a block in my local caching DNS to stop this external request, so that stopped it from asking externally and wasting bandwidth (It was doing this every 60 seconds).

The next one I then spotted was this:

12:38:47.545925 IP OBSCURED.3203 > UDP, length 24
12:38:47.546216 IP OBSCURED.3203 > UDP, length 24
12:38:47.546402 IP OBSCURED.3203 > UDP, length 24
12:38:49.354353 IP OBSCURED.3208 > UDP, length 44
12:38:49.354574 IP OBSCURED.3208 > UDP, length 44
12:38:49.354774 IP OBSCURED.3208 > UDP, length 44
Again OBSCURED was my cameras IP address. So this was more interesting. The camera was constantly (every minute again) trying to contact something in the Amazon AWS cloud. This indicates somebody has a server on Amazon's cloud that these units are contacting. I have two IP cameras both different manufacturers and different interfaces but they were both doing this, so there must be a common firmware package being used that was making this communication.
Interestingly the machine at the other end was refusing the UDP connection, but still, why was it there?
First thing, I blocked this from making it out of my firewall, then set about looking to see what it's doing. The payload is UDP therefore it's stateless, so most likely it's just squirting a bit of info about itself (perhaps firmware, version, date/time) back to it's manufacturer. Possibly it was also used as a 'cloud' solution for viewing or managing your camera as I have seen this principle, but again this was all disabled on my unit, but this suggests even when disabled it still makes the initial phone-home even if nothing else was passed. As you can also see it's trying to talk to a few IP addresses in Amazon. I'm unsure if these are hard-coded in or if it's a DNS request the device makes, so next step was to sniff it's traffic and see what DNS requests it was making. In this case it didn't appear to be making any DNS requests, which suggests these hosts are hardcoded into it.
Viewing the actual payload didn't help much either:

13:17:00.226305 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 52)
    OBSCURED.3203 > [udp sum ok] UDP, length 24
 0x0000:  4500 0034 0000 4000 4011 a06c c0a8 3709  E..4..@.@..l..7.
 0x0010:  36f6 6ba5 0c83 7d64 0020 f89b f191 0014  6.k...}d........
 0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
 0x0030:  4300 0000                                C...
13:17:01.942156 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    OBSCURED.3208 > [udp sum ok] UDP, length 44
 0x0000:  4500 0048 0000 4000 4011 aa32 c0a8 3709  E..H..@.@..2..7.
 0x0010:  36f3 61ce 0c88 7d64 0034 bf8e f110 0028  6.a...}d.4.....(
 0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
 0x0030:  4300 0000 0200 0721 0002 880c 0937 a8c0  C......!.....7..
 0x0040:  0000 0000 0000 0000                      ........
13:17:01.942371 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    OBSCURED.3208 > [udp sum ok] UDP, length 44
 0x0000:  4500 0048 0000 4000 4011 99fd c0a8 3709  E..H..@.@.....7.
 0x0010:  36fb 71fb 0c88 7d64 0034 af59 f110 0028  6.q...}d.4.Y...(
 0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
 0x0030:  4300 0000 0200 0721 0002 880c 0937 a8c0  C......!.....7..
 0x0040:  0000 0000 0000 0000
Which I couldn't work out what this was containing. It was always the same length and contained similar information, only one or two characters changed, but I couldn't see any correlation between what the camera was doing and this value, so I don't think I'll spot what it is.

One final thing, was I port scanned the camera, which showed 23 (telnet), 99 (metagram), 8600 (asterisk). Now the first telnet port was correct as I could telnet and get a login prompt. Port 99 was the web port (I'd changed it to that) and 8600 seemed to answer telnet then immediately close it again. So I thought I'd try telnet:

Escape character is '^]'.

(none) login: root

BusyBox v1.12.1 (2012-11-20 15:16:24 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ps
    1 root      1528 S    init       
    2 root         0 SWN  [ksoftirqd/0]
    3 root         0 SW<  [events/0]
    4 root         0 SW<  [khelper]
    5 root         0 SW<  [kthread]
    6 root         0 SW<  [kblockd/0]
    7 root         0 SW<  [khubd]
    8 root         0 SW<  [kswapd0]
    9 root         0 SW   [pdflush]
   10 root         0 SW   [pdflush]
   11 root         0 SW<  [aio/0]
   12 root         0 SW<  [scsi_tgtd/0]
   13 root         0 SW   [mtdblockd]
   14 root         0 SW<  [kmmcd]
   20 root      1092 S    nvram_daemon 
   23 root         0 SWN  [jffs2_gcd_mtd6]
   25 root         0 SWN  [jffs2_gcd_mtd7]
   28 root      1528 R    telnetd 
   29 root      1696 S    /system/system/bin/daemon.v5.12 
   30 root      1480 S    /system/system/bin/cmd_thread 
   31 root      1480 S    /system/system/bin/gmail_thread 
   32 root      1532 S    /bin/sh 
   33 root      1696 S    /system/system/bin/daemon.v5.12 
   36 root      1480 S    /system/system/bin/cmd_thread 
   39 root      1480 S    /system/system/bin/gmail_thread 
   40 root      1696 S    /system/system/bin/daemon.v5.12 
   41 root      1696 S    /system/system/bin/daemon.v5.12 
   43 root      1480 S    /system/system/bin/cmd_thread 
   44 root      1480 S    /system/system/bin/gmail_thread 
   50 root         0 SW   [RtmpCmdQTask]
   51 root         0 SW   [RtmpWscTask]
   89 root      1696 S    /system/system/bin/daemon.v5.12 
  135 root      1524 S    /sbin/udhcpc -i eth2 -n 
  140 root      1696 S    /system/system/bin/daemon.v5.12 
  141 root      1696 S    /system/system/bin/daemon.v5.12 
  142 root      1696 S    /system/system/bin/daemon.v5.12 
  145 root      1696 S    /system/system/bin/daemon.v5.12 
  146 root      1696 S    /system/system/bin/daemon.v5.12 
  147 root      1696 S    /system/system/bin/daemon.v5.12 
  151 root     11528 S    /system/system/bin/encoder 
  158 root     11528 S    /system/system/bin/encoder 
  159 root     11528 S    /system/system/bin/encoder 
  160 root     11528 S    /system/system/bin/encoder 
  161 root     11528 S    /system/system/bin/encoder 
  164 root     11528 S    /system/system/bin/encoder 
  165 root     11528 S    /system/system/bin/encoder 
  167 root     11528 S    /system/system/bin/encoder 
  168 root     11528 S    /system/system/bin/encoder 
  169 root     11528 S    /system/system/bin/encoder 
  170 root     11528 S    /system/system/bin/encoder 
  171 root     11528 S    /system/system/bin/encoder 
  172 root     11528 S    /system/system/bin/encoder 
  173 root     11528 S    /system/system/bin/encoder 
  178 root     11528 S    /system/system/bin/encoder 
  179 root     11528 S    /system/system/bin/encoder 
  180 root     11528 S    /system/system/bin/encoder 
  181 root     11528 S    /system/system/bin/encoder 
  182 root     11528 S    /system/system/bin/encoder 
  183 root     11528 S    /system/system/bin/encoder 
  184 root     11528 S    /system/system/bin/encoder 
  185 root     11528 S    /system/system/bin/encoder 
  186 root     11528 S    /system/system/bin/encoder 
  187 root     11528 S    /system/system/bin/encoder 
  188 root     11528 S    /system/system/bin/encoder 
  189 root     11528 S    /system/system/bin/encoder 
  190 root     11528 S    /system/system/bin/encoder 
  191 root     11528 S    /system/system/bin/encoder 
  192 root     11528 S    /system/system/bin/encoder 
  193 root     11528 S    /system/system/bin/encoder 
  194 root     11528 S    /system/system/bin/encoder 
  195 root     11528 S    /system/system/bin/encoder 
  196 root     11528 S    /system/system/bin/encoder 
  197 root     11528 S    /system/system/bin/encoder 
  198 root     11528 S    /system/system/bin/encoder 
  199 root     11528 S    /system/system/bin/encoder 
  200 root     11528 S    /system/system/bin/encoder 
  201 root     11528 S    /system/system/bin/encoder 
  202 root     11528 S    /system/system/bin/encoder 
  203 root     11528 S    /system/system/bin/encoder 
  204 root     11528 S    /system/system/bin/encoder 
  205 root     11528 S    /system/system/bin/encoder 
  206 root     11528 S    /system/system/bin/encoder 
  207 root     11528 S    /system/system/bin/encoder 
  208 root     11528 S    /system/system/bin/encoder 
  209 root     11528 S    /system/system/bin/encoder 
  210 root     11528 S    /system/system/bin/encoder 
  211 root     11528 S    /system/system/bin/encoder 
  213 root     11528 S    /system/system/bin/encoder 
  214 root     11528 S    /system/system/bin/encoder 
  215 root     11528 S    /system/system/bin/encoder 
  216 root     11528 S    /system/system/bin/encoder 
  217 root     11528 S    /system/system/bin/encoder 
  218 root     11528 S    /system/system/bin/encoder 
  221 root     11528 S    /system/system/bin/encoder 
  222 root     11528 S    /system/system/bin/encoder 
  223 root     11528 S    /system/system/bin/encoder 
  224 root     11528 S    /system/system/bin/encoder 
  225 root     11528 S    /system/system/bin/encoder 
  226 root     11528 S    /system/system/bin/encoder 
  227 root     11528 S    /system/system/bin/encoder 
  228 root     11528 S    /system/system/bin/encoder 
  229 root     11528 S    /system/system/bin/encoder 
  230 root     11528 S    /system/system/bin/encoder 
  231 root     11528 S    /system/system/bin/encoder 
  236 root     11528 S    /system/system/bin/encoder 
  237 root     11528 S    /system/system/bin/encoder 
  238 root     11528 S    /system/system/bin/encoder 
  239 root     11528 S    /system/system/bin/encoder 
  240 root     11528 S    /system/system/bin/encoder 
  252 root     11528 S    /system/system/bin/encoder 
  253 root     11528 S    /system/system/bin/encoder 
 1891 root     11528 S    /system/system/bin/encoder 
 1892 root     11528 S    /system/system/bin/encoder 
 3553 root     11528 S    /system/system/bin/encoder 
 3554 root     11528 S    /system/system/bin/encoder 
 3821 root      1532 S    -sh 
 3824 root      1528 R    ps 

As you can see, I logged in! I tried using the username and password I'd set using the web interface, but this failed. So I tried the default it shipped with, 'root' and password '123456' and it let me in! So it seems these all have this as a default, and once in it runs a basic busybox linux system. I've not had much time to look any further, but if you're interested here is the filesystem and what looks like the init script that is ran at system bootup to start the daemons
# df
Filesystem           1k-blocks      Used Available Use% Mounted on
rootfs                    3008      3008         0 100% /
/dev/root                 3008      3008         0 100% /
/dev/mtdblock6            3072      1892      1180  62% /system
/dev/mtdblock7             512       208       304  41% /param
# ls /system
system    daemon    Wireless  init      www
# cat /system/init/ 
export LD_LIBRARY_PATH=/system/system/lib:$LD_LIBRARY_PATH
export PATH=/system/system/bin:$PATH
/system/system/bin/daemon.v5.12 &
/system/system/bin/cmd_thread &
/system/system/bin/gmail_thread &
So there looks to be 3 daemons that I'd like to have a look inside, so may do at some point in the future.