diff --git a/README.md b/README.md
index e795788..76dc695 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,14 @@
 
 ## Research
 
-## Research: File/Drive Access by Action Manager 1.3
+### Hardware
+
+  * SOC: `Ambarella, A7L-B1-RH, A1402, N6T96-AN8, 1N1`
+  * WiFi: `Atheros AR6103G-BM2D, P0BV68.2BE5, P0BV68.2B, 1441`
+  * Flash: `ATO,  1440N, MST5F08G16G, NH-2106, 5FGHG46V17W`
+
+
+### Research: File/Drive Access by Action Manager 1.3
 
 Opening Drive/Device:
 ```
@@ -20,8 +27,143 @@ Sending Command:
 Windows Application sends `IOCTL_SCSI_PASS_THROUGH` with `DeviceIoControl()`.
 
 
+### Research: Access Point
+
+After connecting to the access point (AP), it is possible to connect to the camera via telnet.
+
+  * Host: `192.168.42.1`
+  * Username: `root`
+  * Password: _no password required_
+
+```
+$ telnet 192.168.42.1
+Trying 192.168.42.1...
+Connected to 192.168.42.1.
+Escape character is '^]'.
+
+buildroot login: root
+# uname -a
+Linux buildroot 2.6.38.8 #1 PREEMPT Mon Dec 15 21:04:04 KST 2014 armv6l GNU/Linux
+# ps
+PID   USER     TIME   COMMAND
+    1 root       0:02 init
+    2 root       0:00 [kthreadd]
+    3 root       0:00 [ksoftirqd/0]
+    4 root       0:00 [kworker/0:0]
+    5 root       0:00 [kworker/u:0]
+    6 root       0:00 [khelper]
+  351 root       0:00 [sync_supers]
+  353 root       0:00 [bdi-default]
+  355 root       0:00 [kblockd]
+  356 root       0:00 [ipc_bh 0]
+  357 root       0:00 [ipc_bh 1]
+  448 root       0:00 [kworker/u:2]
+  452 root       0:00 [rpciod]
+  453 root       0:01 [kworker/0:1]
+  462 root       0:00 [kswapd0]
+  463 root       0:00 [fsnotify_mark]
+  464 root       0:00 [aio]
+  465 root       0:00 [nfsiod]
+  468 root       0:00 [crypto]
+  512 root       0:00 [mtdblock0]
+  519 root       0:00 [mtdblock1]
+  524 root       0:00 [mtdblock2]
+  529 root       0:00 [mtdblock3]
+  534 root       0:00 [mtdblock4]
+  539 root       0:00 [mtdblock5]
+  544 root       0:00 [mtdblock6]
+  549 root       0:00 [mtdblock7]
+  554 root       0:00 [mtdblock8]
+  559 root       0:00 [mtdblock9]
+  564 root       0:00 [mtdblock10]
+  569 root       0:00 [mtdblock11]
+  574 root       0:00 [mtdblock12]
+  579 root       0:00 [mtdblock13]
+  584 root       0:00 [mtdblock14]
+  593 root       0:00 [ubi_bgt0d]
+  597 root       0:00 [mmcqd/0]
+  604 root       0:00 [lkvfs_bh 0]
+  609 root       0:00 {rcS} /bin/sh /etc/init.d/rcS
+  617 root       0:00 [ubifs_bgt0_1]
+  636 dbus       0:00 dbus-daemon --system
+  648 root       0:00 {S50service} /bin/sh /etc/init.d/S50service start
+  656 root       0:06 vffs /tmp/fuse_a -l a -C 1 -o big_writes -s
+  659 root       0:00 vffs /tmp/fuse_d -l d -C 1 -o big_writes -s
+  662 root       0:00 vffs /tmp/fuse -l f -s
+  674 root       0:00 ombra
+  677 root       0:00 dvf2web --daemon
+  678 root       0:00 /usr/bin/AmbaStreamSVC
+  680 root       0:00 amba_mq_handler
+  683 root       0:00 network_message_daemon
+  691 root       0:00 /usr/bin/lu_lnxfio_stream
+  703 root       0:15 [AR6K Async]
+  711 root       0:18 [ksdioirqd/mmc1]
+  780 nobody     0:00 dnsmasq --nodns -5 -K -R -n --dhcp-range=192.168.42.2,192.168.42.6,infinite
+  814 root       0:05 hostapd -B /tmp/hostapd.conf
+  829 root       0:00 telnetd
+  842 root       0:00 cherokee-worker -a -C /etc/cherokee.conf -j -s -d
+  848 root       0:00 cgiBridge
+  854 root       0:00 remote_ctrl
+ 1493 root       0:00 -sh
+ 1498 root       0:00 ps
+# mount
+rootfs on / type rootfs (rw)
+ubi0:linux on / type ubifs (ro,relatime)
+devtmpfs on /dev type devtmpfs (rw,relatime,size=18668k,nr_inodes=4667,mode=755)
+none on /dev type tmpfs (rw,relatime)
+proc on /proc type proc (rw,relatime)
+devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
+tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777)
+tmpfs on /tmp type tmpfs (rw,relatime)
+sysfs on /sys type sysfs (rw,relatime)
+ubi0:pref on /pref type ubifs (rw,sync,relatime)
+1 on /tmp/fuse_a type fuse.1 (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
+1 on /tmp/fuse_d type fuse.1 (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
+f on /tmp/fuse type fuse.f (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
+f on /var/www/shutter type fuse.f (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
+tmpfs on /var/www/live type tmpfs (rw,relatime)
+1 on /var/www/pref type fuse.1 (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
+tmpfs on /var/www/mjpeg type tmpfs (rw,relatime)
+# lsmod
+ar6000 370159 0 - Live 0x7f000000
+# ifconfig 
+lo        Link encap:Local Loopback  
+          inet addr:127.0.0.1  Mask:255.0.0.0
+          UP LOOPBACK RUNNING  MTU:16436  Metric:1
+          RX packets:295 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:295 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0 
+          RX bytes:15356 (14.9 KiB)  TX bytes:15356 (14.9 KiB)
+
+wlan0     Link encap:Ethernet  HWaddr 1C:4A:F7:00:6F:E4  
+          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:38148 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:3815 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000 
+          RX bytes:15639749 (14.9 MiB)  TX bytes:632131 (617.3 KiB)
+
+# iwconfig 
+lo        no wireless extensions.
+
+wlan0     AR6000 802.11ng  ESSID:"X7APP"  Nickname:""
+          NWID:off/any  Mode:Master  Frequency:2.462 GHz  
+          Access Point: 1C:4A:F7:00:6F:E4   Bit Rate:52 Mb/s   Tx-Power=15 dBm   
+          Sensitivity=0/3  
+          RTS thr=0 B   Fragment thr=0 B   
+          Encryption key:00   Security mode:open
+          Power Management:on
+          Link Quality:95  Signal level:0  Noise level:0
+          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
+          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
+
+#
+```
+
 ### Research: Code Snippets using ioctl()
 
+Trying to reproduce `IOCTL_SCSI_PASS_THROUGH` with Linux.
+
 Code example #1:
 ```
 #define DEF_TIMEOUT 5000 // 5 seconds
@@ -56,29 +198,6 @@ if (ioctl(fd, SG_IO, &io_hdr) < 0)
 // Code returned here without any errors but cIOBuffer remains unchanged.
 ```
 
-```
-#include <stdio.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/ioctl.h>
-#include <linux/usbdevice_fs.h>
-
-void main(int argc, char **argv)
-{
-    const char *filename;
-    int fd;
-
-    filename = argv[1];
-
-    fd = open(filename, O_WRONLY);
-    ioctl(fd, USBDEVFS_RESET, 0);
-
-    close(fd);
-
-    return;
-}
-```
-
 ```
 #define BUFF_SIZE 100 // - Buffersize
 
@@ -122,3 +241,56 @@ if (ioctl(fd, SG_IO, p) < 0)
 Use for `scsi/sg.h` and `ioctl`.
 
 
+### Research: USB data transfer
+
+Is it possible to just write to the usb interface instead?
+
+
+#### USBPcap: Linux Host and Windows Guest
+
+Identify the bus where the camera is connected to:
+```
+Bus 005 Device 017: ID 4255:1000 GoPro 9FF2 [Digital Photo Display]
+```
+
+Load usbmon to capture usb traffic with Wireshark:
+```
+modprobe usbmon
+```
+
+With Wireshark the `usbmon<busid>` (e.g. `usbmon5`) is selected as packet capture source.
+
+After filtering the following filter rule will only display relevant packets:
+```
+(usb.device_address == 17 ) && (scsi.spc.opcode == 0xfd || scsi.spc.opcode == 0xfe || scsi.spc.opcode == 0xff)
+```
+
+Vendor specific commands:
+
+  * `0xfd`: set AP ssid
+  * `0xfe`: set AP passphrase
+  * `0xff`: syncronize time
+
+
+Example packets:
+
+`0xfd`:
+```
+0000   fd 00 58 37 41 50 50 00 00 00 00 00 00 00 00 00   ..X7APP.........
+```
+
+`0xfe`:
+```
+0000   fe 00 58 37 41 50 50 41 53 53 00 00 00 00 00 00   ..X7APPASS......
+```
+
+Synchrize time `0xff`:
+```
+0000   ff 00 07 e5 08 0a 0b 24 00 00 00 00 00 00 00 00   .......$........
+
+# 3 seconds later:
+0000   ff 00 07 e5 08 0a 0b 24 03 00 00 00 00 00 00 00   .......$........
+
+# 3 seconds later:
+0000   ff 00 07 e5 08 0a 0b 24 06 00 00 00 00 00 00 00   .......$........
+```