Thursday, October 5, 2017

Mounting bootable image file under linux with offset

Use fdisk to see the partitions and their offset of the image file:
# fdisk -l router-devuan-jessie-diskless-2017.img
Disk router-devuan-jessie-diskless-2017.img: 3.7 GiB, 3980394496 bytes, 7774208 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b19da02

Device                                                 Boot Start     End Sectors  Size Id Type
router-devuan-jessie-diskless-2017.img    *     2048 7772159 7770112  3.7G 83 Linux
According to fdisk each sector of the image has 512 bytes. We need that so we can calculate the right offset when mounting it.

The image has one linux partition starting at offset of 2048. The right offset is 512*2048.

Here is how to mount it:
# mount -o loop,offset=$((2048*512)) router-devuan-jessie-diskless-2017.img /mnt/

Wednesday, October 4, 2017

Mediatek LinkIt Smart 7688 with DHT22/11 sensor on custom LEDE/OpenWRT image

Examples will be with LEDE-Project latest sources from git.

check-humidity-7688 is a fork of Onion Omega2p checkHumidity which reads temperature values directly from memory.

We need LEDE Project / OpenWRT source configured for LinkIt Smart 7688 and compiled at least once. Kernel should be compiled with /dev/mem support as this is the way check-humidity-7688 works.

The checkHumidity binary should work on mediatek 7688 without problems but if you need to recompile it for different arch/platform here is how it is done:

getting the source and compiling it:
$ git clone https://github.com/devane/check-humidity-7688
$ cd check-humidity-7688
$ make clean
$ sh xCompile.sh -buildroot /home/user/lede

Cleaning...
 rm -f -r build bin
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/fastgpioomega2.o src/fastgpioomega2.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/main.o src/main.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/module.o src/module.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/dht_read.o src/dht_read.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/common_dht_read.o src/common_dht_read.cpp
 Linking...
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ build/fastgpioomega2.o build/main.o build/module.o build/dht_read.o build/common_dht_read.o -o bin/checkHumidity


We can check if it is compiled for the right architecture:
$ file bin/checkHumidity
bin/checkHumidity: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-mipsel-sf.so.1, with debug_info, not stripped
Now just copy the binary on your mt7688 and it should work just fine.

Notes:

xCompile.sh is a shell script (included in source) from MediaTek documentation page on how to cross-compile your own program. You should only point where is the source of the LEDE-Project / OpenWRT with -buildroot option.

Wiring diagram connecting DHT11 sensor to LinkIt Smart 7688, signal (data) wire is connected to pin 26 - GPIO19.






DHT11 Pinout




Example output of checkHumidity:


root@LEDE:~# ./checkHumidity 19 DHT11
33.000000
26.000000


Wednesday, September 27, 2017

LEDE Project/OpenWRT DHT11/22 humidity and temperature sensor on Raspberry Pi 3

Using latest developement version of LEDE Project from git

Kernel config rpi3: lede-project-kernel-config-rpi3.txt (rename it to .config and put it in lede main directory)

Differences between DHT11 and DHT22 are in accuracy of returned values. DHT11 works with interger values (example: 23 C) and DHT22 is more precise (23.6 C)

Pins connected (DHT22):
DHT22 - RPI3
=========
Data - GPIO4
Vcc - Vcc
Gnd - Gnd

Boot rpi3 image and then edit /boot/config.txt adding the following line:

dtoverlay=dht11,gpiopin=4

Save and exit and then reboot the rpi3

Under /sys/devices/platform/dht11@0/iio:device0/ you will find two files

in_temp_input
in_humidityrelative_input

By reading them you will get current values of the dht11/22 sensor.

Thursday, July 20, 2017

Build netqmail-1.06 with TLS support Devuan / Debian package

Before you start you need libssl-dev and  qmail-uids-gids packages installed (or you can create qmail users/groups manually according to qmail README.

Make the debian package:

$ git clone https://github.com/devane/netqmail-1.06-tls
$ cd netqmail-1.06-tls
$ dpkg-buildpackage -uc

Source contains extracted source from Debian Testing package of netqmail-1.06 + debian patches + TLS patch (from http://inoa.net/qmail-tls/)

Install the package:

# dpkg -i ../qmail_1.06-6_amd64.deb

Make the package 'hold' so it won't be updated in next qmail update.

# echo "qmail hold" |dpkg --set-selections

To generate certificates for TLS change to netqmail-1.06-tls directory and then:

$ make cert

Answer the questions and then copy generated .pem file in /var/qmail/control/servercert.pem . Clientcert.pem is the same so make a link:

# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem

If there is no certificates in control directory the server will answer on EHLO that there is no TLS supported:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-PIPELINING
250 8BITMIME
If there is correct pem file in control dir EHLO will show STARTTLS support:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-STARTTLS
250-PIPELINING
250 8BITMIME

When a 2048 bit RSA key is provided in /var/qmail/control/rsa2048.pem this key will be used instead of (slow) on-the-fly generation by qmail-smtpd.

Generate DH file:

# openssl genrsa -out /var/qmail/control/rsa2048.pem

That is all. Qmail now is ready for STARTTLS connections. You should see in message source of every mail something like this:

Received: from unknown (HELO mail.superhosting.bg) (195.191.148.117) by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000

You can test if smtp server supports STARTTLS with openssl command line (example is for google.bg mx):

$ openssl s_client -connect google.com.s9a2.psmtp.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mx.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGoTCCBYmgAwIBAgIIYOJxdtm1IIIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNzEyMTIyNjQ1WhcNMTcxMDA0MTE1NzAw
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNbXgu
Z29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKoxfLCz
daupDLdRGgdWDoaRQyGcMBSfAocOmRu1lqUZsyi0lpahF5wwu3p07QUY5TFfGkmh
K3vM8MRwDYsUYicromAsbknZiPjYJyHHrZE/XzmLkcPI+bBHGvE+O+iJDpwvGk3Z
Yfs3/GIBywP+CPUAnDSkPNumvY6A4gWLKzFTVtBCnOFMxD9KMwJvFi3PfLIgavn8
sLlpZZf6RAsZB5zskMpaMvjsl4ta83eTO4MAkAQmBN5xQIXtCHtt6atyIcy1i+sA
PKqtwb4wuAaPLGl90BFdb7F357R4Vb53UThr7k/3yt8kyCwfp0Y9/m3M2Pc5ZWdC
pKvRmwkhhnqB/WECAwEAAaOCA20wggNpMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjCCAjkGA1UdEQSCAjAwggIsgg1teC5nb29nbGUuY29tghdhbHQxLmFz
cG14LmwuZ29vZ2xlLmNvbYIfYWx0MS5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNv
bYIdYWx0MS5nbXItc210cC1pbi5sLmdvb2dsZS5jb22CF2FsdDIuYXNwbXgubC5n
b29nbGUuY29tgh9hbHQyLmdtYWlsLXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQy
Lmdtci1zbXRwLWluLmwuZ29vZ2xlLmNvbYIXYWx0My5hc3BteC5sLmdvb2dsZS5j
b22CH2FsdDMuZ21haWwtc210cC1pbi5sLmdvb2dsZS5jb22CHWFsdDMuZ21yLXNt
dHAtaW4ubC5nb29nbGUuY29tghdhbHQ0LmFzcG14LmwuZ29vZ2xlLmNvbYIfYWx0
NC5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIdYWx0NC5nbXItc210cC1pbi5s
Lmdvb2dsZS5jb22CEmFzcG14LmwuZ29vZ2xlLmNvbYIVYXNwbXgyLmdvb2dsZW1h
aWwuY29tghVhc3BteDMuZ29vZ2xlbWFpbC5jb22CFWFzcG14NC5nb29nbGVtYWls
LmNvbYIVYXNwbXg1Lmdvb2dsZW1haWwuY29tghpnbWFpbC1zbXRwLWluLmwuZ29v
Z2xlLmNvbYIRZ21yLW14Lmdvb2dsZS5jb22CGGdtci1zbXRwLWluLmwuZ29vZ2xl
LmNvbTBoBggrBgEFBQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0dHA6Ly9wa2kuZ29v
Z2xlLmNvbS9HSUFHMi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly9jbGllbnRzMS5n
b29nbGUuY29tL29jc3AwHQYDVR0OBBYEFI3zlxPuB6qYk5LY0mZT0tGcvNP1MAwG
A1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8wIQYD
VR0gBBowGDAMBgorBgEEAdZ5AgUBMAgGBmeBDAECAjAwBgNVHR8EKTAnMCWgI6Ah
hh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUA
A4IBAQADKHpAjici5XzZXXaTzfFsOe0Kmib+FI+TECQVS4qBgvZ4hRhG3robiSyR
0RJBadT+swzTu96nE7Np9pAgZ6VT7fapCWnxR9ETslqo237X+6v6Jbuv3/EqHUey
43VGs+10cZPGC5+zZ/hOlizwM5mSjtv/8byp7MFiGEBpIvyub+dLHVh6C3OgRmd3
REC/ta8FmQ2mWieTr/iCoY2+ywwKmvfw/04KaBTosUt9Ah8jtcTIjkK2tUl8ZrCE
/0ezZXGYO+C7CReDLjQWDDdUOPntx7AcjhkPf3V6BhTjWXhwF5Z2EFkFgGbJMOJC
q6hLiGRQPeo3e2OQ5uxk5gY6qO2H
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4598 bytes and written 294 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 9C4C99B3836290C5DF1F7375390EE4D827601E06A0E05B7BCBA863610722895E
    Session-ID-ctx:
    Master-Key: 92BFA180AE310D72FF0A94F1D56DAF802FB37FB78EAC9EB91D7909949AE53E943A593DCDC314FFB01F923B9EC1906D6B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 36 a0 e1 35 64 47 64-26 f7 d9 dc d5 0f cc 03   .6..5dGd&.......
    0010 - 18 b1 15 ed 44 ba 2a 20-01 9c b2 d7 9a d0 f2 07   ....D.* ........
    0020 - 21 7c 03 a0 13 b8 ec 5d-d4 a5 6d 44 48 db d3 02   !|.....]..mDH...
    0030 - ef 3e d5 64 80 b6 a6 e2-dd 1a 74 15 b0 9d e8 d2   .>.d......t.....
    0040 - d0 da 18 4a a1 86 40 df-4a 8f 53 41 1c 85 20 08   ...J..@.J.SA.. .
    0050 - b5 f9 c3 3c 8a b9 99 c9-a2 9c df 8b f4 02 34 65   ...<..........4e
    0060 - 28 4e 30 71 fe c7 7b b1-cc ee 21 32 c5 c9 77 f2   (N0q..{...!2..w.
    0070 - 7e 6d 6d fe f2 5c 1e fb-bf 12 23 8c 08 18 c3 46   ~mm..\....#....F
    0080 - 15 40 7a 16 3a d1 48 24-06 f5 84 fa b9 4e eb c3   .@z.:.H$.....N..
    0090 - 39 d2 22 9b ec 31 10 f9-69 29 0b 9c cb 87 a1 22   9."..1..i)....."
    00a0 - f9 68 58 fa 4e 53 e1 e3-03 e2 44 e2 17 6e 56 d2   .hX.NS....D..nV.
    00b0 - a4 83 b0 a4 7f 7b ca dc-78 7d 51 dd 3d 1c 8f 86   .....{..x}Q.=...
    00c0 - 36 4d 30 47 e6 6e cf 96-fb 96 9a d0 d3 e3 06 a5   6M0G.n..........
    00d0 - 00 60 b0 12 97 e9 a3 de-28 cf                     .`......(.

    Start Time: 1500646890
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 SMTPUTF8

Teach apt-get not to use IPv6 addresses

Create a file in /etc/apt/apt.conf.d/ starting with 90 or higher.
Example /etc/apt/apt.conf.d/90ipv6only

Put inside the following:
Acquire::ForceIPv4 "true"; 
and the do apt-get update.

This works on Debian Jessie/Devuan Jessie.

Tuesday, July 11, 2017

Running JBOSS with Daemontools / Runit

JBOSS is installed in /usr/local/jboss
Jboss user is created for that purpose with home directory = /usr/local/jboss

daemontools/runit run script for jboss server:

#!/bin/sh

# clean the working dirs
/bin/rm -fr /usr/local/jboss/server/app1/work
/bin/rm -fr /usr/local/jboss/server/app1/tmp

JBOSS_HOST="10.10.0.25"

# next lines are fix for cyrillic letters inserted in database
# with AMERICAN_AMERICA.WE8ISO8859P1
NLS_LANG="AMERICAN_AMERICA.WE8ISO8859P1"
export LNS_LANG
LANG="bg_BG"
export LANG

exec /usr/bin/chpst -u jboss:jboss -U jboss:jboss /usr/lib/jvm/java-1.7.0-openjdk-i386/bin/java -Xms512m -Xmx1536m -XX:PermSize=256m -XX:MaxPermSize=512 -XX:+CMSClassUnloadingEnabled -XX:StackShadowPages=20 -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=30 -Djava.net.preferIPv4Stack=true -Djava.endorsed.dirs=/usr/local/jboss/lib/endorsed -classpath /usr/local/jboss/bin/run.jar:/usr/lib/jvm/java-1.7.0-openjdk-i386/lib/tools.jar org.jboss.Main -c app1 -b $JBOSS_HOST

daemontools/runit script for logging:

#!/bin/sh
exec setuidgid jboss /usr/bin/svlogd -tt n35 s511048576 /var/log/jboss-app1

Thursday, January 12, 2017

OpenVPN renew expired CA, revoke certificate and other notes

OpenVPN and OpenSSL notes

View contents of a certificate file:

# openssl x509 -noout -text -in certificate-file.crt

Generate new CA file from expired file (This is not a good practice!!!):

# openssl x509 -in ca.crt -days 4650 -out ca_new.crt -signkey ca.key

Verify crt file agains CA:

# openssl verify newserver.crt -CAFile ca.crt

Revoking certificate:

# . ./vars
# ./revoke-full name_of_cert_file

Result is in "keys/crl.pem". You need to copy it in /etc/openvpn/


Checking contents of crl.pem file:

openssl crl -text -noout -in /etc/openvpn/crl.pem
Regenerate expired CRL file

# openssl ca  -gencrl -keyfile ca.key -cert ca.crt -out new-crl.pem -config ./openssl.cnf

you also need to do this in openssl.cnf if you want to change default expire days (1 month)

default_crl_days= 3650         # how long before next CRL