News items for tag english - Koos van den Hout

2022-10-29 Trying to figure out the Ethernet over Cable in the Corinex CXWC-HD200-WNeH
Another attempt at trying to understand the Ethernet over Cable stuff in the Corinex CXWC-HD200-WNeH that I have been working on. I found this on the device:
# /app/plcStatus 
Socket creation success.
Socket binding to vlan1 success.
Send success (22).
Send success (22).

Node type: 01
Ip address: 0.0.0.0
Parent mac: 00:00:00:00:00:00
Up speed: 00
Down speed: 00
Child count: 00
# 
The use of 'plc' (PowerLine Communications) and the way this works suggests to me this is indeed an ethernet-over-coax device (so no docsis). But I can't figure out where the ethernet-coax bridge is. I thought plcStatus would use some ethernet protocol to communicate with the bridge (just as the devolo dlan tools do) but I can't find any trace of the traffic on the wifi interface.

Tags: ,
2022-10-16 Chasing DX!
This weekend turns out to be a weekend for making radio contacts with countries / entities I haven't contacted before. Or especially trying to get more of those countries contacted in morse.

Friday evening I got Dodecanese contacted in morse, and already confirmed. Dodecanese is part of Greece, but counts as a separate entity for amateur radio. I have had contacts with Dodecanese before on all kinds of frequencies, but it turned out I didn't have it in morse yet. Time to fix that, and I managed to ge the contact.

Saturday I got the Comores in morse on the 12 and 17 meter amateur band. The 12 meter contact was easy with clear signals, the 17 meter contact was in the noise and hard. So I'm not completely surprised the logbook of the Comores dxpedition D60AE only shows the 12 meter contact.

I also managed to get a contact with Guadeloupe, a French oversees department in the Caribian. I had Guadeloupe before in digital modes but adding morse is good. This contact took a lot of tries, I think I was trying to get this one for nearly two hours. Other people probably are working longer at this, so I am not complaining.

Sunday morning I saw the Russian DXpedition team in Benin TY0RU active on 17m FT8. It also took a while of trying and paying attention to the radio to get this contact in the log.

There were also other contacts to special event stations or other activities, mostly in morse.

Radio contacts with dxpeditions can take a while to get through because a lot of radio amateurs in the world want the special contact, and when the contact finally happens it is ultra short. Exchanging callsigns and a default signal report is enough, and the dxpedition wants to get on to the next contact!

I also don't have the ideal callsign for noisy morse contacts: it could be shorter and the H at the end (in morse: ....) can be confused for an S (in morse: ...). Yes, PE4KS is in a few logs out there!

Tags: , ,
2022-10-12 Peeking a bit at Kea DHCP server
Yesterday I learned that ISC DHCP server will be end of life at the end of this year. For a package I started using around 1998 with one of the first versions I expected a bit more announcement time. At the same time I'm so used to using ISC dhcp server in my home network I never subscribed to any mailing list or other announcements about ISC dhcp server, it's just there, I can configure it to do what I want including supporting pxe booting systems for installation or diagnostics or supporting special dhcp options for APC AP7920 rackmount power distribution units. And all the virtual lans of my home network.

ISC suggests using Kea DHCP server to replace it in most server implementations. Kea DHCP server should be able to get a lot of configuration data from databases and allow for dynamic updates of the configuration. That is an improvement over ISC dhcp as it is at the moment, which needs a full restart for every change.

So time to peek at Kea DHCP server. I don't think ISC dhcp server will be unavailable after 31 December 2022 but I don't expect updates anymore and when a good replacement is normalized I expect ISC dhcp server to slowly fall away from linux distributions.

Currently it's not even available for Debian or Devuan stable or oldstable strangely enough. I wonder what happened there. But there are distribution packages for debian buster at Cloudsmith - Repositories - ISC - Internet Systems Consortium (isc) - kea-2-3 (kea-2-3) - Packages / format:deb.

Time to install the latest and let apt fix the dependencies:
koos@testrouter:~$ sudo dpkg -i isc-kea-dhcp4_2.3.1-isc20220928105532_amd64.deb isc-kea-dhcp6_2.3.1-isc20220928105532_amd64.deb isc-kea-common_2.3.1-isc20220928105532_amd64.deb 
Selecting previously unselected package isc-kea-dhcp4.
(Reading database ... 46609 files and directories currently installed.)
Preparing to unpack isc-kea-dhcp4_2.3.1-isc20220928105532_amd64.deb ...
Unpacking isc-kea-dhcp4 (2.3.1-isc20220928105532) ...
Selecting previously unselected package isc-kea-dhcp6.
Preparing to unpack isc-kea-dhcp6_2.3.1-isc20220928105532_amd64.deb ...
Unpacking isc-kea-dhcp6 (2.3.1-isc20220928105532) ...
Selecting previously unselected package isc-kea-common.
Preparing to unpack isc-kea-common_2.3.1-isc20220928105532_amd64.deb ...
Unpacking isc-kea-common (2.3.1-isc20220928105532) ...
dpkg: dependency problems prevent configuration of isc-kea-dhcp4:
 isc-kea-dhcp4 depends on libboost-system1.67.0; however:
  Package libboost-system1.67.0 is not installed.
[..]
koos@testrouter:~$ sudo apt install -f
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Correcting dependencies... Done
The following additional packages will be installed:
  libboost-system1.67.0 liblog4cplus-1.1-9 libmariadb3 libpq5 mariadb-common
  mysql-common
The following NEW packages will be installed:
  libboost-system1.67.0 liblog4cplus-1.1-9 libmariadb3 libpq5 mariadb-common
  mysql-common
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
3 not fully installed or removed.
Need to get 760 kB of archives.
After this operation, 4,001 kB of additional disk space will be used.
[..]
Looking at the sample configuration makes me think I can do this with a text-based configuration (it's actually JSON) and get it going fast. For my home network that is probably the best solution. Kea does have options to use MariaDB or PostgreSQL backends for storage which does look really nice for my home network but at the same time adds a dependency and a layer of complexity.

I can see IPAM systems totally going to Kea DHCP and give a full interface on managing the databases directly including APIs for adding/removing objects as they are added in other systems.

Tags: , , ,
2022-10-09 LetsEncrypt found a certificate signing request with a sha1 hash and rejected it
Encrypt all the things meme One of my oldest certificate signing request files was still using a sha1 hash and LetsEncrypt started rejecting it. As soon as I realized it used the old hash I redid it and wondered why it was still accepted in 2022.

This also mean the private key of this service is showing age. Maybe time to regenerate it.

The announcement is at Rejecting SHA-1 CSRs and validation using TLS 1.0 / 1.1 URLs - API Announcements - Let's Encrypt Community Support.

Tags: , ,
2022-10-09 I moved the 1-wire interface to a Raspberry Pi
After the problems with detaching and attaching the USB 1-wire interface from a kvm virtual machine to fix an interference issue showed up again I decided to move the USB 1-wire interface to a different machine, one where kvm virtualisation isn't in the mix. The closest available machine that can deal with the 1-wire interface is a Raspberry Pi which also has other monitoring tasks.

This move worked fine and the 1-wire temperatures are showing up again in influxdb. I decided not to update the rrdtool temperature database. I will have to find time to migrate the rrdtool history to influxdb. Ideally there will be some aggregation for older measurements but I'd like an "infinite" archive of a daily average.

Tags: , , , ,
2022-10-07 Grabbing the firmware from the Corinex CXWC-HD200-WNeH and extracting the root filesystem
My dive into the Corinex CXWC-HD200-WNeH continues. After getting root on the serial console of the Corinex CXWC-HD200-WNeH I ordered similar gear as used in the hardware hacking course to do my own hardware hacking. It arrived this week and today I had some time to play with it.

Using the techniques from the course I found the serial console interface again. The CPU board has 4 through-holes, that is a likely candidate. Next step is finding which pin is which using a multimeter. Ground pin has continuity to any other shield. One pin is at 0 volts without continuity to ground: the receive data pin (from the viewpoint of the chip), another pin has a varying voltage near the maximum voltage, this is the transmit data pin (again from the viewpoint of the chip) and the fourth one has the constant maximum voltage, which was 3.3 volts in this case.

I switched my USB to serial interface to 3.3 volts and connected the TX on the system to the RX on the serial interface and the RX on the system to the TX on the serial interface. I used Dupont cables to make this connection. With minicom as communications program I opened the right interface: minicom -D /dev/ttyUSB0.

After powering the router I got unreadable characters on the screen, I had to adjust the serial port rate. This router has a serial console at 57600 bps, 8 bits, no parity, 1 stopbit.

And messages came out:
U-Boot 1.1.3 (Jan 31 2013 - 17:23:55)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fa8000
flash_protect ON: from 0xBF000000 to 0xBF02435F
Read the rest of Grabbing the firmware from the Corinex CXWC-HD200-WNeH and extracting the root filesystem

Tags: , ,
2022-09-28 I participated in the CQWW RTTY 2022 contest
RTTY Contest on websdr Past weekend was the 2022 version of the CQ World Wide RTTY DX Contest and I participated. Not with any preparation: on Saturday after some other tasks I sat behind radio and computer and looked up which set of macros would work for this contest.

But propagation cooperated, especially on the 20 meter band. On Sunday evening after dark I got a nice set of stations in the USA and Canada in the log. I also saw a station from Brunei active but that station never managed to decode my callsign while I tried for a quarter of an hour as this would have been a new country in amateur radio for me.

I made 106 contacts in total: 70 on the 20 meter band and 36 on the 40 meter band.

Tags: , , ,
2022-09-25 Found a "Corinex CXWC-HD200-WNeH"? Let me know!
Officially the "Corinex CXWC-HD200-WNeH" cable modem is out of support for years and deployments should have migrated to newer solutions. That is the reason I got my hands on one: it was replaced by a docsis-based modem. For as far as I can tell these modems are based on homepna or homeplug, over coax networks (the tools on the router don't tell what kind of standards the coax side uses).

I'd like to know if any of these are still used in the wild. If you find this post because you got bored and looked at the underside of the wifi box in your holiday park, get in touch!

My e-mail address is at the bottom of this page and I'm on twitter as @khoos.

Tags: , ,
2022-09-24 Can't live-attach a USB device to a kvm virtual host after upgrades
I have a DS2490 USB 1-wire interface on the home server conway which is rerouted to one of the virtual machines so that that virtual machine can read the sensors on the 1-wire network. This rerouting works when the machine is started, the DS2490 USB 1-wire shows up in the virtual machine fine. From time to time this DS2490 USB 1-wire interface gets confused when I am transmitting on the radio so the solution is to detach it from the virtual machine, unplug it from the server, plug it in again and attach it to the virtual machine again. Today this had to be done and I got an unexpected error message:
root@conway:~# virsh attach-device --live gosper /etc/onewire-for-gosper.xml
error: Failed to attach device from /etc/onewire-for-gosper.xml
error: internal error: unable to execute QEMU command 'device_add': failed to find host usb device 2:8
In logfile /var/log/libvirt/libvirtd.log:
2022-09-24 21:16:38.655+0000: 10923: error : qemuMonitorJSONCheckError:395 : internal error: unable to execute QEMU command 'device_add': failed to find host usb device 2:8
To be complete about it: usb device 2:8 is exactly the right one!
root@conway:~# lsusb | grep 2490
Bus 002 Device 008: ID 04fa:2490 Dallas Semiconductor DS1490F 2-in-1 Fob, 1-Wire adapter
This seems to be new since I upgraded the homeserver to Devuan beowulf giving me versions:
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                  Version         Architecture Descripti
+++-=====================================-===============-============-=========
ii  libvirt-clients                       5.0.0-4+deb10u1 amd64        Programs 
ii  libvirt-daemon                        5.0.0-4+deb10u1 amd64        Virtualiz
un  libvirt-daemon-driver-storage-gluster                  (no descr
un  libvirt-daemon-driver-storage-rbd                      (no descr
un  libvirt-daemon-driver-storage-zfs                      (no descr
ii  libvirt-daemon-system                 5.0.0-4+deb10u1 amd64        Libvirt d
ii  libvirt-glib-1.0-0:amd64              1.0.0-1         amd64        libvirt G
ii  libvirt0:amd64                        5.0.0-4+deb10u1 amd64        library f

First idea: AppArmor

The first search result that came up was Bug #1552241 “libvirt-bin apparmor settings for usb host device” : Bugs : libvirt package : Ubuntu. So I tried changing the /etc/apparmor.d/abstractions/libvirt-qemu file. After a few tries and reading the warnings in the rest of the file I made sure the source was AppArmor by completely disabling it. The error did not go away so I reverted the libvirt-qemu rules to the original settings, restarted AppArmor and kept debugging.

Second idea: usb rights

Based on QEMU USB passthrough broken after Ubuntu 18.04 upgrade I added udev rules to make sure group libvirt-qemu had read and write rights on the usb device, with /lib/udev/rules.d/51-qemu-usb-passthrough.rules containing:
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="04fa", ATTRS{idProduct}=="2490", MODE="0664", GROUP="libvirt-qemu"
And doing the
root@conway:~# udevadm control --reload-rules
And verifying the resulting rule:
root@conway:~# udevadm test -a -p  $(udevadm info -q path -n /dev/bus/usb/002/008)
calling: test
version 3.2.9
This program is for debugging only, it does not run any program
specified by a RUN key. It may show incorrect results, because
some values may be different, or not available at a simulation run.

[..]

GROUP 110 /lib/udev/rules.d/51-qemu-usb-passthrough.rules:1
MODE 0664 /lib/udev/rules.d/51-qemu-usb-passthrough.rules:1
handling device node '/dev/bus/usb/002/008', devnum=c189:135, mode=0664, uid=0, gid=110
[..]
Indeed the right groupid, but still the same error message when trying the attach-device command.

Interesting find: it's specific to the virtual machine that had the device before

Small update: I can attach the USB device to a different host and detach it from that host again. I just can't attach it to the 'original' host again.

I also posted this question on serverfault: Can't live-attach a USB device to a kvm virtual host again after upgrades.

Update: After a complete reboot of the homeserver the USB 1-wire interface worked again (as I could imagine). But after another interference problem it's now in the same state again. I did change the definition in both the virthost configuration and the xml file from managed='no' to managed='yes' before the reboot but that hasn't helped. Contents of the /etc/onewire-for-gosper.xml file now:
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <vendor id='0x04fa'/>
        <product id='0x2490'/>
      </source>
    </hostdev>

Tags: , , ,
2022-09-22 Getting further into the Corinex CXWC-HD200-WNeH: I got root!
Corinex CXWC-HD200-WNeH side with warrantylabel
Corinex CXWC-HD200-WNeH side with warrantylabel. The warranty was voided.
Picture by Koos van den Hout, license CC-BY-SA
This week I was attending a course in hardware hacking: HackLab: Hardware Hacking at the Deloitte office in Den Haag.

How to find the right pins to get a commandline on a router-like device was part of this course, and the last day there was an option to Bring Your Own Device, to hack it. So I brought this router as I thought it was an ideal target to get access to it, since on the earlier try I could not get into the webinterface of the Corinex CXWC-HD200-WNeH device.

Corinex CXWC-HD200-WNeH opened boards visible
Corinex CXWC-HD200-WNeH opened boards visible
Picture by Koos van den Hout, license CC-BY-SA
So this time I took out the screwdriver, voided the warranty of the device by breaking the little sticker on the side and opening it. It has a board with the powersupply and cable interface parts. The powersupply is shielded with some plastic.

There is a smaller board with the main chip which contains the processor, ram, wifi module. The first task was to find the uart interface which should give a serial console. That's a skill I learned in the hacklab: first find out which pins have continuity to ground with the device switched off. With a simple multimeter which has a beeping continuity meter this is simple. The beep makes it possible to test the device without looking at the meter.

After that it's a matter of switching the multimeter to voltage and checking other pins for voltage. Usually there are 4 pins on a uart port: ground which is physically connected to the device ground, receive data and send data and a reference voltage. On measuring the pins the reference voltage will be at the steady maximum voltage, the data transmitting from the device will be varying and the pin where the device expects data will be at 0 volt.

Uart ports can be 5 volt, 3.3 volt, 2.5 volt or 1.8 volt in recent devices. 5 and 3.3 volt are the most common. USB serial interfaces that support 5 and 3.3 volt are cheap (3 euro), USB serial interfaces that support all 4 are somewhat more expensive (10 euro).

For the Corinex router the voltage is 3.3 Volt. There was a 3.3 Volt ftdi USB to serial interface available, so I was able to access the uart port. I connected to the uart port, used a terminal program and searched for the right serial port settings and ended up at 57600 baud, 8 bits, no parity, 1 stopbit.

After looking at all the boot messages I was greeted with a root prompt. No more hacking, just full access. The system boots using the U-Boot bootloader. The system runs linux with a 2.6.21 kernel. I looked around on the filesystem and started looking for the configuration for the webserver hoping to find the username/password. I found this in /flash/config so I could get into that interface as well.

I also found it was running a telnet server, but not on the standard port. The port was 32560. Without commands like netstat or ss I had to learn this from /proc/net/tcp. Browsing the iptables listing shows that port 80 is supposed to be allowed and other ports aren't, but 32560 reacts fine.

Chip found: Ralink RT3052F processor with embedded ram and flash and with 2.4 GHz wifi and a network switch for 1 gigabit port and 5 100 mbit ports.

Things I'd still like to do: copy the entire filesystem to another computer so I can research it and check around the web interface for security issues.
Read the rest of Getting further into the Corinex CXWC-HD200-WNeH: I got root!

Tags: , , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newstag.cgi,v 1.39 2022/11/18 15:23:48 koos Exp $ in 0.049737 seconds.