D-Link DFE-570TX and Broadcom BCM5821

I have just acquired a used 4-port D-Link fast ethernet PCI board from a seller on eBay. I have been looking for one of these for my ‘new’ firewall for ages and was about to give up.

The firewall is an old crate of a Dell GX240 with PCI slots but it still has plenty of grunt to do what I need without consuming too much power. It’s one of the old Dells that I bought years ago for peanuts that has been upgraded with a 2.6Ghz Celeron.

I have been experienting with a Broadcom crypto accelerator in pfSense and I was about to give up on the GX240 and move up to a newer old machine with PCI-X slots.

The BCM5821 already delivers 24x performance improvent on 2048 bit RSA in the 33Mhz PCI bus and I am intrigued to find out how fast it will go in a 64 bit, 66Mhz slot. Now that I have the D-Link, I will crack on with the original plan and save the PCI-X upgrade for later.

More to follow…

W3C, please don’t screw up the World Wide Web.

Stop the Hollyweb! No DRM in HTML5.

FOXSAT-HDR Dropbear SSH with keys

WARNING: This article relates to the dropbear package version 2012.55 and not the updated package 2012.55-1 that now includes the ability to login with keys. It is no longer necessary to use these instructions to modify the dropbear installation on your FOXSAT-HDR. The instructions on how to generate and distribute client keys are still valid.

I have just upgraded the functionality of my Humax FOXSAT-HDR with some custom firmware. The new firmware came with Telnet active but I prefer to use SSH with RSA or DSA keys. Dropbear is the installable package that provides SSH for the custom firmware but I couldn’t find any documentation with the firmware that explained how to get it working with client keys.

Following an evening of research and experimentation, I found a way of getting it to work. Ubuntu/Linux/BSD users can use this process to configure Dropbear on the FOXSAT-HDR to use SSH authorized_keys instead of passwords. I worked around the read-only file system by changing the root account home directory to /tmp.

Install Dropbear on your custom firmware FOXSAT-HDR using opkg or the web interface. Test that it works using a password. Dropbox appears to be configured to use only the root account. From my Ubuntu machine I login from a terminal session using:-

ssh root@foxsat-hdr

When you are happy it is working OK. Open another terminal session and create a DSA public key file on your Ubuntu PC. The file will be ~/.ssh/id_dsa.pub

cd
cd .ssh
ssh-keygen -t dsa
ls

Copy the key(s) to the FOXSAT-HDR. You may already have a public RSA key present in the .ssh folder.

scp id_*.pub root@foxsat-hdr:/tmp

If you are not already logged in to the FOXSAT-HDR via SSH, do so now to create the two authorized_keys files required.

cd /opt/etc
mkdir .ssh
chmod 700 .ssh
cd .ssh
cat /tmp/id_*.pub >> authorized_keys
chmod 600 authorized_keys
ln -s /opt/etc/.ssh/authorized_keys /opt/etc/.ssh/authorized_keys2

Create an init.d script to fix the keys on startup. The root account will have it’s home directory moved to /tmp so that the hidden key folder can be found in there. The ‘echo’ command line is quite long and ends in ‘fix’, it is not two lines.

echo -e "#!/bin/sh\n\nln -s /opt/etc/.ssh /tmp/.ssh">/opt/etc/init.d/S55sshpubkeyfix

chmod 755 /opt/etc/init.d/S55sshpubkeyfix

Now edit the password file using vi to change the root account home directory from ‘/’ to ‘/tmp’. If you don’t know how to use vi, read this first. Otherwise, here is a command list to refresh your memory.

cp /opt/etc/passwd /opt/etc/passwd.old
vi /opt/etc/passwd

When you have saved the file. Check it, then reboot if it is good.

cat /opt/etc/passwd
reboot

Your FOXSAT-HDR will reboot and you should be able to login using SSH. This time switch on debugging to check the authentication sequence during login. If it works, you will not have to use a password to establish a secure shell.

ssh -vv root@foxsat-hdr

Telnet can be deactivated using ‘Service Management’ in the web interface.

I have more than one SSH client

If you want to use SSH from another Ubuntu PC it is easy to copy its DSA client key to the FOXSAT-HDR now that the authorized_keys file has been created.

ssh-keygen -t dsa
ssh-copy-id root@foxsat-hdr

Improvement

This could be incorporated into the Dropbear package if the maintainer emptied the authorized_keys file (zero length) before sealing the package file. Users would then only need to use ssh-keygen and ssh-copy-id to make use of the additional security.

Custom firmware for Humax FOXSAT-HDR

I have been using my Humax FOXSAT-HDR since I bought it new in 2009 and functionally it hasn’t changed much bar the addition of BBC and ITV catch-up TV services. I have always hoped that the manufacturer would issue a DLNA server upgrade to the firmware, but it never came. That is until today…

While searching the internet to find if the Freesat+ YouTube player was available for the FOXSAT-HDR, I found a custom firmware distribution that has been in development and use for some years that could be used to provide web access and DLNA services.

There is no dedicated website for the firmware but it appears the www.avforums.com is the place to go for community support and the latest downloads.

The version that I downloaded and installed was v4.1.1 . It came in a RAR file that I decompressed into a folder on one of my Ubuntu machines. I copied the files to a 1.1GB USB stick formatted FAT32 as advised in the README but it wouldn’t boot the new firmware installer. I found another stick that was 985MB when formatted and it worked perfectly. The installation was exactly as described in the instructions and when the FOXSAT-HDR rebooted there was no visible change other than the firmware version being displayed on the front panel during boot up.

Pointing a web browser at the box, I continued to install the full web interface. When complete I could see that the DLNA server was an installable package but I couldn’t get the package list to update from the web interface. No problem, I telneted into the box and used the command line instead.

opkg update
opkg list
opkg install dropbear

I installed dropbear so that I could deactivate Telnet and use SSH instead. More on this later.

After installing dropbear via the command line the web interface tabs for ‘Installed’, ‘Available’ and ‘Upgrades’ worked but the main ‘Update package list from internet’ still doesn’t work from the web interface.

I am currently experimenting with MediaTomb uPNP to serve recordings to my son’s PS3 but I think I will try the TwonkyMedia 5 DLNA server as originally planned. Twonky charge 15 Euros for the licence activation but I guess it’s probably worth it.

If you wish to rollback to the original firmware, you will need an installable image of it. I found one that I could download v1.00.21 from here.

Do you use self service checkouts?

I don’t. It’s not that I don’t think that they offer any benefit to me, it’s more about the harm that they do to the store’s local economy.

The primary function of a self service checkout is to reduce the cost of having staff at a store. The more customers that use them, the less staff the store needs to employ to work at traditional checkouts. The savings of which are usually passed on to investors as dividends than to the customers as lower prices.

A store that employs real people to perform their checkout function will usually pay a local person to perform this job. That person will in turn spend a proportion of their earnings locally, which will have the knock on effect of providing employment for someone else in their community that serves them.

Conversely, a store that uses self service checkouts provides fewer local jobs, potentially increasing the number of unemployed people locally by denying them this work. For those that are in work and paying taxes, self service checkouts contribute to the burden of unemployment benefit payments locally.

So, if you are a tax payer and use self service checkouts, you only have yourself to blame for increasing the unemployment burden on your tax contributions. The next time you go to a store that has self service checkouts and you get shuffled into using one by ‘helpful’ staff, politely decline by saying “I would rather give a local person the opportunity to be paid for serving me”.

Sometimes using a human operated checkout can take longer than a self service checkout, particularly if you have to queue to be served. It is worth taking the time to queue. I usually make a point of using the checkout nearest to the self service machines and letting the person at the checkout know that I chose to spend the time waiting to be served so that they had a reason to keep their job. If there are people using the self service checkouts I will often comment “The people that use those self service checkouts are causing more unemployment in this town”. It makes some people stop and think.

Companies that I no longer do business with…

Apple
I have used many Macs before and I have setup quite a few Mac based corporate networks before owning my own Mac. I used to love my Macintosh but I hated the fact that it was designed to be only upgradeable by Apple technicians. This lock-in experience pushed me away from the company and all of it’s subsequent ‘i’ product range. My family members have bought Apple products since, but they do so knowing that I won’t give them any support.

Sony
Following the Sony BMG Root-Kit incident, Sony lost my trust and I stopped recommending their PC kit. After experiencing the dissapointment when both of my sons Playstations developed serious faults just out of warranty (Motherboards, Heat Sinks, GPU’s, RSOD) my perception of Sony is very poor. In the UK the sale of goods act does protect consumers against premature product failure but this protection only exists if the original retailer is still in business. Frequent failure of our Sony audio devices when they are just out of warranty has convinced me that Sony products are no longer designed to last.

Microsoft
I have always found it quite interesting to see the performance of Microsoft software products degrade over a period of time. For me this was most apparent on Windows Mobile 6.1 . I have only owned one mobile phone running a Microsoft operating system and my experience was so bad that I have not bought a Microsoft product since Vista for my own use. I probably never will again. I have informed all of my family that I will not be providing support for any new Windows Phone, Windows 8 or any other Microsoft products after 2012. I am already seeing a change of attitude from my family. The realisation that buying a Microsoft product without my taken-for-granted free tech support may force them into learning how to use and maintain that product themselves or pay for someone else to help them.

Acer
A company that has yet to realise that their Product Managers have a duty to stay committed to their products after launch day and for the life expectancy of that product in service. This company has possibly the worst customer support I have yet to experience, they just can’t be bothered. My bad experience with the Acer DX900 phone was probably as much Microsoft’s fault as Acer’s but it was clear to me that they don’t give a ….!

Sky
After cancelling my Sky+ subscriptions, I was very disappointed to find that the Sky+ Hard Disk Recorders that I owned would no longer let me watch my recordings or record any of the Free to Air channels. I didn’t think it fair that Sky had the ability to strip the record and playback function from my HDRs turning them into ordinary satellite TV receivers. Cancelling my Sky+ subscription should have only resulted in an inability to watch or record subscription channels. MythTV is working out just fine as a replacement.

Ryobi
Most people buy powered garden tools to make the job easier. I bought a Ryobi petrol strimmer with multiple tool attachments last year but it is probably the worse power tool I own. It is unreliable and makes me angry every time I have to use it. The strimmer is nice to look at but it is very difficult to start hot or cold.

I own a few low-end petrol powered tools and after running them in properly they all start usually first time, cut well and run with very little smoke when using synthetic two stroke oil. I hate the way it makes me angry when I have to use it, I wont ever by Ryobi again.

Since writing this I have found a technique to keep the throttle wide open during starting and this seems to work hot or cold. The engine still doesn’t perform properly and I suspect that this is a carburetion or a heat soak problem.

DrayTek
I liked DrayTek products but the company now requires an account/login for access to support resources such as setup guides. I often read setup guides before I purchase products and I don’t like having to create another login to do so. This information should be freely accessible on manufacturers websites. I wont be buying anymore DrayTek products until their support policy changes back to an open one.

Unable to enumerate USB device on port…

I have an old PC with what appears to be a broken implementation of USB. I cannot obtain a BIOS update and there is no BIOS setting to switch off USB either. Very old Linux distributions would run on this PC, but only on those with USB support as loadable modules. For later kernels with direct USB support I would get continuous error messages to the console.

After spending some time Googling, I found this useful post

For Ubuntu 10.04 LTS I used the advice to create rules to deactivate USB entirely on this host. The first file that I created was /etc/udev/rules.d/20-disable-ehci.rules which contained the following code:-

ACTION=="add", SUBSYSTEM=="pci", DRIVER=="ehci_hcd", \
        RUN+="/bin/sh -c 'echo -n %k > %S%p/driver/unbind'"

When I rebooted the PC, it disabled one of the troublesome USB hubs but I was still getting error messages for another but much more frequently now. I experimented by creating a similar file to deactivate ohci but this didn’t do anything. I tried again with uhci and that worked, USB completely disabled.
/etc/udev/rules.d/30-disable-uhci.rules

ACTION=="add", SUBSYSTEM=="pci", DRIVER=="uhci_hcd", \
        RUN+="/bin/sh -c 'echo -n %k > %S%p/driver/unbind'"

So if you have two or more USB hubs throwing enumeration errors, try disabling both EHCI and UHCI, it worked for me.

Obviously, if you have any USB devices that you need to use with this host, forget it. You will need a new motherboard.

What to do with an OldWorld Mac?

PowerMac 8500 (CK6391DE8FA)During our recent house move I found my old and dusty PowerMac 8500/180 while we were packing up the contents of my garage. It had been placed on the bottom shelf of my car spares shelving for a time when I could either make a VGA adapter cable or acquire another old Mac monitor to replace the one that died. That was back in 2004, and as time passed by storage crates piled up in front of it and it was soon forgotten.

A long time ago I was a NetWare specialist and I had a variety of non intel computers in my private lab that I used for working on interoperability projects. Many of my customers had a small number of Macintosh computers in their organisations and I acquired my 8500 second hand when one of them switched to Windows a year after purchase.

I can’t say that I was a Mac specialist in any sense. My interest was purely interoperability with NetWare, Unix and other corporate host based systems. I tinkered a lot with Applescript and had a lot of fun with my 8500. However, I didn’t like the fact that Apple built the machine to be supported only by their own engineers. There weren’t any manuals for DIY upgrades as you were supposed to take the 8500 to an Apple technician for things like RAM upgrades. I soon learned that Apple products were all about lock-in. I found this aspect of Mac ownership distasteful to the point that I probably wouldn’t buy another Mac again even though I liked my 8500.

So time moves on. It’s 2011 and the 8500 is sitting in my new garage. I don’t want to leave it there to deteriorate for another seven years so I dust it off and bring it into the house to see if it still works. I still don’t have a Mac to VGA adapter but the 8500 has TV output. I connect it to my 42″ LCD TV using an RCA composite TV cable (Yellow-Red-White). After plugging the onboard Ethernet into a live switch on my LAN, and completing the remaining connections for power, keyboard and mouse, the Mac powers up and the familiar chime is heard all over the house through the TV speakers.

I was really pleased that it still worked after all this time. I found some old QuickTime video clips of the kids when they were younger in a folder on the hard drive. I guess when the monitor died I didn’t have any way of accessing my files to save them back then. I set about copying off the files I wanted to keep by uploading to my file storage using Internet Explorer 5 that was still on the Mac and then I began depersonalising the machine ready for disposal. While I was dragging files to the Wastebasket, I started to think that maybe I could use this machine with Ubuntu or Debian as part of my CCTV system. After all, it had on-board analogue video capture that was too fast for any hard-drives produced at the time. Perhaps someone had developed the necessary drivers for V4L2. I didn’t stop too check first, I downloaded a copy of Debian 6.0.2.1 as I thought this would work with an OldWorld Mac and set about installing it.

Oh dear. It appears that a Mac monitor is necessary to install Linux as the TV display doesn’t work when Bootx is used to start the Debian installation. The next problem I have is that I don’t have any Mac OS installation media any more to resize the Apple partitions. A house flood in 2009 saw a lot of my stuff go in the rubbish skip never to be replaced. All my obsolete computer manuals, books and software were either destroyed or water damaged and I’m fairly certain that my Mac OS 8 install disks went in the same skip. I pack up for the day and think about how I can resolve this problem overnight.

The following morning I have an idea. Another old PC that was similarly shelved had a Matrox Mystique card inside. This had a Mac display port so I thought It may have originally been Mac compatible. I relieve the PC of the Matrox card and install it in the Mac with a USB 2.0 + FireWire PCI card. A 60GB portable hard drive is connected to the USB port and a flat panel LCD display to the Mystique’s VGA port before rebooting the Mac.

Mac OS 8.1 starts up and is displayed on the TV. I pop in the Debian CD-ROM and copy the installation kernel and ramdrive to the Linux Kernel folder in the Mac System Folder and configure Bootx to use them. Starting Debian from Bootx the TV display loses its signal and shows the default blue screen. The LCD monitor is now showing a familiar penguin and I can see that Linux is booting and in the hardware detection phase.

I manage to successfully create a Linux partition and swap partition on the USB hard drive but the installation always stalls at some point when unpacking an archive on the CD-ROM. Looking at the logs, the installation is almost there, but the live kernel has not been created in /boot and it’s not good enough to even try building it by hand. Disappointed, I abandon this project yet again to think about it overnight.

Next morning I have an idea. I downloaded the last Ubuntu distribution that officially supported the PowerPC architecture. The Alternate install image for Ubuntu 6.06 LTS PPC seemed most appropriate considering that my Mac has only 96MB of RAM. I replaced the Bootx kernel and ramdrive from this CD and recommenced installation.

Screenshot of Ubuntu 6.06 on my PowerMacSuccess! The installation is plodding along well. I let it run on its own all day, coming back now and again to check progress and answer any waiting prompts. When it finished I rebooted and logged in to Ubuntu at 640×480 resolution. I started up the System Monitor and had a played a game of Solitaire before tweaking a few settings one by one.

Disaster strikes! Somewhere during the installation I failed to notice that the Mac didn’t have a network connection when running Linux. My Ethernet switch indicates that the on-board MACE (Mac Ethernet) is present at 10Mbps but it won’t DHCP or accept a static IP address. I try installing an Intel E100B PCI adapter and it’s the same. Booting back into Mac OS 8.1 there’s no network now. I just can’t get it to connect. I tried zapping the PRAM and NV but I couldn’t check the OpenFirmware on the serial port as I don’t have a Mac serial lead anymore.

Without a network connection, this 8500 is useless to me. So, the final enjoyment I got from my Mac was using Ubuntu 6.06 on it. I’m not sure if it was any quicker than Mac OS 8.1 as I only have 96MB of RAM installed but it was an interesting exercise on how to get Ubuntu running on a Mac without the Mac OS install discs.

Sadly, I don’t have a use for a Mac that cannot connect to my LAN. I can’t explain why the MACE shows a connection on my switch but refuses to load TCP/IP. Maybe the logic board got a static zap when I was plugging in PCI boards. Maybe I have pressed some key sequence that has deactivated the board in OpenFirmware without my knowledge. If I don’t find a way of getting the onboard Ethernet running again under Mac OS this Mac will be going to the recycling centre very soon.

Installing Zoneminder on Ubuntu 11.04

I have been experimenting with Zoneminder recently, using the pre-built package for Ubuntu 11.04. I couldn’t get the package to work properly but found some very useful instructions in the Zoneminder Wiki that made it work.

When I finish the installation I will put this into an install script.

 

 

MythTV Preshutdown check for UPnP AV clients

I have reconfigured my MythTV backend server to shutdown automatically when there are no recordings within the next couple of hours. It does this using ACPI and wakes up automatically using the NVRAM Alarm function built in to the computer’s motherboard. However, one annoying aspect that I found quite quickly afterwards was that my backend would shutdown while I was watching recordings on my PlayStation3 or WD TV Live.

I found that the MythTV event mechanism for detecting clients and playback only seems to work for MythTV frontends and not for UPnP AV clients like the PS3.

After thinking about the problem for a while, I realised that all I needed was a script that could detect my UPnP AV clients and tell MythTV not to shutdown just yet.

Fortunately, MythTV has the ability to specify such a script to be called. It only needs to return ‘1’ to the calling process to inhibit the reboot, or ‘0’ to let it go ahead.

UPnP AV clients connect to the backend using port 6544. The netstat program reports UPnP clients as ‘ESTABLISHED’ if they are in use. It also reports other states when a recording has ended but I don’t care if my backend powers down on an idle playback device so my preshutdown check script is really simple. It probably needs some modification if you use a MythTV Frontend. I only use MythWeb with UPnP clients so I can’t test a frontend with it.


#!/bin/bash
# Pre shutdown check command should return one of the following values
# 0 : Allows the backend to reboot
# 1 : Sends the backend around the idle timeout again
# 2 : Resets the Client Connected flag (not set in any case for UPNP clients)
# This script detects UPnP AV clients so the return value of 2 is never used.

netstat -tun | grep :6544 | grep -i established
if [ $? = "0" ] ; then
# Grep found a match
exit 1
else
# Grep found nothing
exit 0
fi

# End of file

The output of the grep’d netstat is recorded in /var/log/mythtv/backend.log so you can see a history of it working.