Tuesday, December 4, 2018

Android 4.2.2 how to set default install path to external SD card

You don't need root access to do this. All you need is to enable Developer Options and then enable USB debugging. Once this is done, connect adb to your phone:

root@bender:~# adb shell
shell@android:/ $ pm get-install-location
shell@android:/ $ pm set-install-location 2
shell@android:/ $ pm get-install-location
shell@android:/ $ logout


As you can see from the pm help page:

pm get-install-location: returns the current install location.
    0 [auto]: Let system decide the best location
    1 [internal]: Install on internal device storage
    2 [external]: Install on external media

You need to set this value to 2.

Monday, March 19, 2018

Jboss / Wildfly errors when accepting socket java.io.IOException: Bad file descriptor problem

Jboss/Wildfly random crashes under heavy load:

Jboss/Wildfly crashes randomly with java.io.IOException: Bad file descriptor. The Undertow HTTP server does not restart, but the admin console and everything else keep working, and there is nothing in the log files.

How to debug it:

Put this in your configuration file (standalone.xml for Wildfly), inside the logging subsystem:
        <logger category="org.xnio.nio">
            <level name="DEBUG"/>
        </logger>
The error:
2018-03-03 17:19:15,273 DEBUG [org.xnio.nio.tcp.server] (default Accept) Exception accepting request, closing server channel TCP server (NIO) <69a407dd>: java.io.IOException: Bad file descriptor
    at sun.nio.ch.IOUtil.configureBlocking(Native Method)
    at sun.nio.ch.ServerSocketChannelImpl.accept(ServerSocketChannelImpl.java:264)
    at org.xnio.nio.QueuedNioTcpServer.handleReady(QueuedNioTcpServer.java:477)
    at org.xnio.nio.QueuedNioTcpServerHandle.handleReady(QueuedNioTcpServerHandle.java:38)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)

What is the reason for that:

The reason is that you are probably running on BSD, and the bug is in the Java implementation of KQueueSelectorImpl.java in the latest OpenJDK for BSD (openjdk-1.8.162 at the moment). This was tested on NetBSD 7.1.


There is no solution at the moment. You need to move your Jboss/Wildfly to Linux. You can try changing the default selector with Java command line arguments (the example is the solution for Solaris):

java -Dxnio.nio.selector.provider=sun.nio.ch.PollSelectorProvider .......

At the moment the only solution is not to run it under BSD. Under Linux with EPollSelectorProvider everything works just fine.

Tuesday, February 13, 2018

How to filter 99.99% of ssh brute force attacks

Recently I've decided to experiment with ssh ciphers / key exchange algorithms to raise the security of my servers. This is the /etc/ssh/sshd_config I've got:

HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org

If you don't have a HostKey for Ed25519, generate it at the path sshd_config points to:

# ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''

You need to use a recent version of ssh / PuTTY to be able to log in to this server.
It seems that using only this cipher/kex filters all brute force scanners, probably because they do not support it. I see only these kinds of messages:

Feb 13 14:41:39 horizon9 sshd[22849]: SSH: Server;Ltype: Version;Remote: xxx.x.xx.xxx-53810;Protocol: 2.0;Client: libssh2_1.7.0
Feb 13 14:41:39 horizon9 sshd[22849]: fatal: ssh_dispatch_run_fatal: no matching cipher found [preauth]
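The two log lines above are what the restricted Ciphers/KexAlgorithms lists produce for every scanner that cannot negotiate: a version-exchange line with the peer address and client banner, followed by a pre-auth fatal from the same sshd child pid. The following is an added example (not from the original post) that joins those two lines by pid and counts rejections per (peer, client banner), which is a useful sanity check that the filter is doing what this post claims. The log sample is constructed in the shape of the quoted lines; host name, pids and addresses are made up, and the regexes assume exactly that line format.

```python
import re
from collections import Counter

# Constructed sample in the shape of the sshd lines quoted above (host name, pids and
# addresses are made up; the third client is a normal login, not a scanner).
SAMPLE_LOG = """\
Feb 13 14:41:39 horizon9 sshd[22849]: SSH: Server;Ltype: Version;Remote: 198.51.100.23-53810;Protocol: 2.0;Client: libssh2_1.7.0
Feb 13 14:41:39 horizon9 sshd[22849]: fatal: ssh_dispatch_run_fatal: no matching cipher found [preauth]
Feb 13 14:42:01 horizon9 sshd[22861]: SSH: Server;Ltype: Version;Remote: 198.51.100.23-53911;Protocol: 2.0;Client: libssh2_1.7.0
Feb 13 14:42:01 horizon9 sshd[22861]: fatal: ssh_dispatch_run_fatal: no matching key exchange method found [preauth]
Feb 13 14:45:10 horizon9 sshd[22902]: SSH: Server;Ltype: Version;Remote: 203.0.113.7-40122;Protocol: 2.0;Client: OpenSSH_7.6
Feb 13 14:45:12 horizon9 sshd[22902]: Accepted publickey for admin from 203.0.113.7 port 40122 ssh2: ED25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

# Version-exchange line: gives the sshd child pid, the peer address/port and the client banner.
VERSION_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: SSH: Server;Ltype: Version;"
    r"Remote: (?P<ip>[^-;]+)-(?P<port>\d+);Protocol: [^;]+;Client: (?P<client>\S+)"
)
# Pre-auth fatal caused by the restricted Ciphers / KexAlgorithms lists.
REJECT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: fatal: ssh_dispatch_run_fatal: "
    r"(?P<reason>no matching (?:cipher|key exchange method|host key type)[^\[]*?)\s*\[preauth\]"
)


def algorithm_rejections(log_text):
    """Map (peer_ip, client_banner) -> number of connections sshd dropped before
    authentication because the client offered no cipher/kex/hostkey we accept."""
    peer_by_pid = {}          # pid -> (ip, client banner), filled from the Version line
    rejected = Counter()
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            peer_by_pid[m["pid"]] = (m["ip"], m["client"])
            continue
        m = REJECT_RE.search(line)
        if m and m["pid"] in peer_by_pid:
            # the fatal line carries only the pid, so join it to the peer recorded for that pid
            rejected[peer_by_pid.pop(m["pid"])] += 1
    return rejected


def rejection_report(log_text):
    """Human-readable summary, most frequent offender first."""
    rows = algorithm_rejections(log_text).most_common()
    return [f"{ip}\t{client}\t{count} rejected" for (ip, client), count in rows]


if __name__ == "__main__":
    print("\n".join(rejection_report(SAMPLE_LOG)))
```

Running it over a real auth log shows at a glance which client banners are being turned away; a legitimate user stuck on an old client would show up here too, which is the caveat of this approach.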

More information about ciphers/algorithms can be read here:


Thursday, October 5, 2017

Mounting bootable image file under linux with offset

Use fdisk to see the partitions of the image file and their offsets:
# fdisk -l router-devuan-jessie-diskless-2017.img
Disk router-devuan-jessie-diskless-2017.img: 3.7 GiB, 3980394496 bytes, 7774208 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b19da02

Device                                                 Boot Start     End Sectors  Size Id Type
router-devuan-jessie-diskless-2017.img    *     2048 7772159 7770112  3.7G 83 Linux
According to fdisk each sector of the image has 512 bytes. We need that to calculate the right offset when mounting it.

The image has one Linux partition starting at sector 2048. The right byte offset is 512*2048.

Here is how to mount it:
# mount -o loop,offset=$((2048*512)) router-devuan-jessie-diskless-2017.img /mnt/
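The offset fdisk reports comes straight out of the MBR partition table in the first sector of the image, so the same calculation can be done without fdisk. The following is an added example (not from the original post) that parses a dos-labelled first sector, computes the byte offset for each partition and prints the mount line. The 512-byte MBR it works on is constructed in code to match the fdisk output above (disk identifier, one bootable 0x83 partition at LBA 2048); the offsets_for_image helper reads the real first sector from a file.

```python
import struct

SECTOR_SIZE = 512          # logical sector size reported by fdisk for this image
MBR_SIGNATURE = b"\x55\xaa"


def build_sample_mbr():
    """Constructed 512-byte MBR that mirrors the fdisk output above: disk identifier
    0x7b19da02 and one bootable Linux partition (type 0x83) starting at LBA 2048
    with 7770112 sectors. The CHS fields are left zero since fdisk/mount ignore them."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, 440, 0x7B19DA02)
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 7770112)
    mbr[446:462] = entry                       # first of the four 16-byte slots
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector):
    """Return (disk_id, [partition dicts]) from the first sector of a dos-labelled image."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not a DOS/MBR partition table (0x55AA signature missing)")
    disk_id = struct.unpack_from("<I", sector, 440)[0]
    partitions = []
    for slot in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, nsectors = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * slot)
        if ptype == 0x00:                      # empty slot
            continue
        partitions.append({
            "slot": slot + 1,
            "bootable": status == 0x80,
            "type": ptype,                     # 0x83 = Linux, 0x05/0x0F = extended, 0xEE = GPT protective
            "start_sector": lba_start,
            "sectors": nsectors,
            "offset_bytes": lba_start * SECTOR_SIZE,
        })
    return disk_id, partitions


def mount_command(image, partition, mountpoint="/mnt/"):
    """The mount line for one partition, with the byte offset fdisk's sector numbers imply."""
    if partition["type"] == 0xEE:
        raise ValueError("protective MBR: the real partitions are in the GPT, use losetup -P or kpartx")
    return f"mount -o loop,offset={partition['offset_bytes']} {image} {mountpoint}"


def offsets_for_image(path):
    """Read the first sector of an image file and return its partition list."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR_SIZE))


if __name__ == "__main__":
    disk_id, parts = parse_mbr(build_sample_mbr())
    print(f"Disk identifier: 0x{disk_id:08x}")
    for p in parts:
        print(mount_command("router-devuan-jessie-diskless-2017.img", p))
```

The script deliberately refuses a 0xEE protective-MBR entry: on a GPT-labelled image the first sector only contains a placeholder partition, and the loop offset trick needs the real partition table instead.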

Wednesday, October 4, 2017

Mediatek LinkIt Smart 7688 with DHT22/11 sensor on custom LEDE/OpenWRT image

Examples will be with the latest LEDE-Project sources from git.

check-humidity-7688 is a fork of the Onion Omega2p checkHumidity, which reads temperature values directly from memory.

We need the LEDE Project / OpenWRT source configured for LinkIt Smart 7688 and compiled at least once. The kernel should be compiled with /dev/mem support, as this is how check-humidity-7688 works.

The checkHumidity binary should work on the MediaTek 7688 without problems, but if you need to recompile it for a different arch/platform, here is how it is done:

Getting the source and compiling it:
$ git clone https://github.com/devane/check-humidity-7688
$ cd check-humidity-7688
$ make clean
$ sh xCompile.sh -buildroot /home/user/lede

 rm -f -r build bin
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/fastgpioomega2.o src/fastgpioomega2.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/main.o src/main.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/module.o src/module.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/dht_read.o src/dht_read.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/common_dht_read.o src/common_dht_read.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ build/fastgpioomega2.o build/main.o build/module.o build/dht_read.o build/common_dht_read.o -o bin/checkHumidity

We can check that it is compiled for the right architecture:
$ file bin/checkHumidity
bin/checkHumidity: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-mipsel-sf.so.1, with debug_info, not stripped
Now just copy the binary to your mt7688 and it should work just fine.


xCompile.sh is a shell script (included in the source) from the MediaTek documentation page on how to cross-compile your own program. You only need to point it at the LEDE-Project / OpenWRT source with the -buildroot option.

Wiring diagram connecting the DHT11 sensor to the LinkIt Smart 7688: the signal (data) wire is connected to pin 26 (GPIO19).

DHT11 Pinout

Example output of checkHumidity:

root@LEDE:~# ./checkHumidity 19 DHT11

Wednesday, September 27, 2017

LEDE Project/OpenWRT DHT11/22 humidity and temperature sensor on Raspberry Pi 3

Using the latest development version of LEDE Project from git.

Kernel config rpi3: lede-project-kernel-config-rpi3.txt (rename it to .config and put it in lede main directory)

The difference between DHT11 and DHT22 is the accuracy of the returned values: DHT11 works with integer values (example: 23 C), while DHT22 is more precise (23.6 C).

Pins connected (DHT22):
DHT22 - RPI3
Data - GPIO4
Vcc - Vcc
Gnd - Gnd

Boot the rpi3 image and then edit /boot/config.txt, adding the following line:


Save and exit, then reboot the rpi3.

Under /sys/devices/platform/dht11@0/iio:device0/ you will find two files:


By reading them you will get the current values of the dht11/22 sensor.
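Both the LinkIt Smart 7688 post above (checkHumidity bit-banging the data pin) and this Raspberry Pi post (the kernel dht11 IIO driver) end up decoding the same 40-bit frame the sensor sends: two humidity bytes, two temperature bytes and a checksum, with the DHT11/DHT22 difference in precision coming from how those bytes are interpreted. The following is an added example (not the project's or the kernel driver's code) that turns measured pulse widths into bits, packs them into the five frame bytes, validates the checksum and decodes them for either model. The three sample frames are constructed, not captured from hardware; the 50 µs threshold is an assumption based on the datasheet timings (~26-28 µs for a 0, ~70 µs for a 1).

```python
"""Decode the 40-bit DHT11/DHT22 frame (humidity, temperature, checksum)."""

DHT11, DHT22 = "DHT11", "DHT22"


def bits_from_pulses(high_us, threshold_us=50):
    """Turn the 40 measured data-bit high pulses (microseconds) into bits. Per the
    datasheets a '0' is a ~26-28 us high and a '1' is a ~70 us high, so 50 us is a
    safe threshold (assumed here, tune it if your timing source is coarse)."""
    if len(high_us) != 40:
        raise ValueError(f"expected 40 data pulses, got {len(high_us)}")
    return [1 if us > threshold_us else 0 for us in high_us]


def bytes_from_bits(bits):
    """Pack 40 bits, MSB first, into the 5 frame bytes."""
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, 40, 8))


def decode_frame(frame, model):
    """Return (humidity_percent, temperature_celsius) or raise on a bad checksum."""
    if len(frame) != 5:
        raise ValueError("frame must be 5 bytes")
    if (sum(frame[:4]) & 0xFF) != frame[4]:
        raise ValueError("checksum mismatch (bit-timing error or noisy wire)")
    h_hi, h_lo, t_hi, t_lo, _checksum = frame
    if model == DHT11:
        # DHT11 sends integral values; the decimal bytes are zero
        return float(h_hi), float(t_hi)
    if model == DHT22:
        # DHT22 sends tenths as 16-bit big-endian; bit 15 of the temperature is the sign
        humidity = ((h_hi << 8) | h_lo) / 10.0
        temperature = (((t_hi & 0x7F) << 8) | t_lo) / 10.0
        if t_hi & 0x80:
            temperature = -temperature
        return humidity, temperature
    raise ValueError(f"unknown sensor model {model!r}")


# Constructed frames (not captured from real hardware); last byte is the checksum.
SAMPLE_DHT11 = bytes([0x28, 0x00, 0x17, 0x00, 0x3F])        # 40 %RH, 23 C
SAMPLE_DHT22 = bytes([0x02, 0x8C, 0x00, 0xEC, 0x7A])        # 65.2 %RH, 23.6 C
SAMPLE_DHT22_NEG = bytes([0x02, 0x8C, 0x80, 0x69, 0x77])    # 65.2 %RH, -10.5 C

if __name__ == "__main__":
    print("DHT11:", decode_frame(SAMPLE_DHT11, DHT11))
    print("DHT22:", decode_frame(SAMPLE_DHT22, DHT22))
    print("DHT22 below zero:", decode_frame(SAMPLE_DHT22_NEG, DHT22))
```

The checksum is only the low byte of the sum of the first four bytes, so it catches a single mistimed bit but not every corruption; readers that see a mismatch should retry the read rather than use the values.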

Thursday, July 20, 2017

Build netqmail-1.06 with TLS support Devuan / Debian package

Before you start you need the libssl-dev and qmail-uids-gids packages installed (or you can create the qmail users/groups manually according to the qmail README).

Make the debian package:

$ git clone https://github.com/devane/netqmail-1.06-tls
$ cd netqmail-1.06-tls
$ dpkg-buildpackage -uc

The source contains the extracted source from the Debian Testing package of netqmail-1.06 + the debian patches + the TLS patch (from http://inoa.net/qmail-tls/).

Install the package:

# dpkg -i ../qmail_1.06-6_amd64.deb

Put the package on 'hold' so it won't be updated in the next qmail update:

# echo "qmail hold" |dpkg --set-selections

To generate certificates for TLS, change to the netqmail-1.06-tls directory and then:

$ make cert

Answer the questions and then copy the generated .pem file to /var/qmail/control/servercert.pem. clientcert.pem is the same, so make a link:

# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem

If there are no certificates in the control directory, the server will answer on EHLO that TLS is not supported:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
250-mail.domain.com blah-blah ready SMTP
If there is a correct pem file in the control dir, EHLO will show STARTTLS support:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
250-mail.domain.com blah-blah ready SMTP
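What the telnet sessions above are checking by eye is whether the multi-line 250 reply to EHLO lists STARTTLS among the extensions. The following is an added example (not from the original post or from the qmail-tls patch) that parses an EHLO reply per the RFC 5321 line format (3-digit code, then '-' for a continuation line or ' ' for the final line) and reports whether STARTTLS is advertised, rejecting malformed replies. The two replies are constructed to look like the ones above with a few extension lines added; they are not captured from a real server.

```python
# Constructed EHLO replies (not captured from a real server); CRLF as on the wire.
EHLO_WITHOUT_TLS = (
    "250-mail.domain.com blah-blah ready SMTP\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250 SIZE 20971520\r\n"
)
EHLO_WITH_TLS = (
    "250-mail.domain.com blah-blah ready SMTP\r\n"
    "250-STARTTLS\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250 SIZE 20971520\r\n"
)


def parse_ehlo_reply(text):
    """Parse a (possibly multi-line) EHLO reply into (code, greeting, {EXTENSION: params}).

    RFC 5321 format: every line is a 3-digit code, then '-' for continuation or ' ' for
    the last line, then text. The first line is the server greeting, later lines are
    extension keywords with optional parameters."""
    lines = [ln for ln in text.splitlines() if ln]
    if not lines:
        raise ValueError("empty reply")
    code, greeting, extensions = None, None, {}
    for idx, line in enumerate(lines):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        this_code, sep, rest = line[:3], line[3], line[4:]
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed mid-reply")
        last = idx == len(lines) - 1
        if (sep == " ") != last:
            # a '-' on the final line means the reply was cut short; a ' ' earlier means junk follows
            raise ValueError("continuation/terminator marker does not match line position")
        if idx == 0:
            greeting = rest
        else:
            keyword, _, params = rest.partition(" ")
            extensions[keyword.upper()] = params
    return int(code), greeting, extensions


def advertises_starttls(text):
    """True when the EHLO reply is a 250 success that lists the STARTTLS extension."""
    code, _, extensions = parse_ehlo_reply(text)
    return code == 250 and "STARTTLS" in extensions


if __name__ == "__main__":
    for name, reply in (("no certs", EHLO_WITHOUT_TLS), ("with certs", EHLO_WITH_TLS)):
        print(f"{name}: STARTTLS advertised = {advertises_starttls(reply)}")
```

Feed it the reply text read from a socket after sending EHLO (or paste what telnet showed) to get a yes/no instead of scanning the lines; openssl s_client -starttls smtp, shown further down, does the same negotiation live and then also completes the TLS handshake.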

When a 2048-bit RSA key is provided in /var/qmail/control/rsa2048.pem, this key will be used instead of (slow) on-the-fly generation by qmail-smtpd.

Generate the 2048-bit RSA key file:

# openssl genrsa -out /var/qmail/control/rsa2048.pem 2048

That is all. Qmail is now ready for STARTTLS connections. You should see something like this in the message source of every mail:

Received: from unknown (HELO mail.superhosting.bg) ( by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000

You can test whether an SMTP server supports STARTTLS with the openssl command line (the example is for the google.bg MX):

$ openssl s_client -connect google.com.s9a2.psmtp.com:25 -starttls smtp
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mx.google.com
verify return:1
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
SSL handshake has read 4598 bytes and written 294 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 9C4C99B3836290C5DF1F7375390EE4D827601E06A0E05B7BCBA863610722895E
    Master-Key: 92BFA180AE310D72FF0A94F1D56DAF802FB37FB78EAC9EB91D7909949AE53E943A593DCDC314FFB01F923B9EC1906D6B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 36 a0 e1 35 64 47 64-26 f7 d9 dc d5 0f cc 03   .6..5dGd&.......
    0010 - 18 b1 15 ed 44 ba 2a 20-01 9c b2 d7 9a d0 f2 07   ....D.* ........
    0020 - 21 7c 03 a0 13 b8 ec 5d-d4 a5 6d 44 48 db d3 02   !|.....]..mDH...
    0030 - ef 3e d5 64 80 b6 a6 e2-dd 1a 74 15 b0 9d e8 d2   .>.d......t.....
    0040 - d0 da 18 4a a1 86 40 df-4a 8f 53 41 1c 85 20 08   ...J..@.J.SA.. .
    0050 - b5 f9 c3 3c 8a b9 99 c9-a2 9c df 8b f4 02 34 65   ...<..........4e
    0060 - 28 4e 30 71 fe c7 7b b1-cc ee 21 32 c5 c9 77 f2   (N0q..{...!2..w.
    0070 - 7e 6d 6d fe f2 5c 1e fb-bf 12 23 8c 08 18 c3 46   ~mm..\....#....F
    0080 - 15 40 7a 16 3a d1 48 24-06 f5 84 fa b9 4e eb c3   .@z.:.H$.....N..
    0090 - 39 d2 22 9b ec 31 10 f9-69 29 0b 9c cb 87 a1 22   9."..1..i)....."
    00a0 - f9 68 58 fa 4e 53 e1 e3-03 e2 44 e2 17 6e 56 d2   .hX.NS....D..nV.
    00b0 - a4 83 b0 a4 7f 7b ca dc-78 7d 51 dd 3d 1c 8f 86   .....{..x}Q.=...
    00c0 - 36 4d 30 47 e6 6e cf 96-fb 96 9a d0 d3 e3 06 a5   6M0G.n..........
    00d0 - 00 60 b0 12 97 e9 a3 de-28 cf                     .`......(.

    Start Time: 1500646890
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes