Thursday, October 5, 2017

Mounting a bootable image file under Linux with an offset

Use fdisk to list the partitions of the image file and their offsets:
# fdisk -l router-devuan-jessie-diskless-2017.img
Disk router-devuan-jessie-diskless-2017.img: 3.7 GiB, 3980394496 bytes, 7774208 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b19da02

Device                                                 Boot Start     End Sectors  Size Id Type
router-devuan-jessie-diskless-2017.img    *     2048 7772159 7770112  3.7G 83 Linux
According to fdisk, each sector of the image is 512 bytes. We need that value to calculate the right byte offset when mounting.

The image has one Linux partition starting at sector 2048, so the byte offset is 512*2048.

Here is how to mount it:
# mount -o loop,offset=$((2048*512)) router-devuan-jessie-diskless-2017.img /mnt/
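The same calculation done from the fdisk output itself, as an added example (not part of the original post): it reads the sector size and the partition's Start/Sectors columns, handles the shifting Boot column, and adds a sizelimit so the loop device ends at the partition boundary. The fdisk listing is a constructed sample based on the one above.

```shell
#!/bin/sh
# Added example, not from the original post: read the sector size and partition
# geometry out of "fdisk -l" output instead of multiplying by hand, and bound the
# loop device with sizelimit so the mount cannot read past the partition's end.
set -eu

# Constructed sample input: the fdisk -l listing of the image from the post.
FDISK_OUT='Disk router.img: 3.7 GiB, 3980394496 bytes, 7774208 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos

Device      Boot Start     End Sectors  Size Id Type
router.img1 *     2048 7772159 7770112  3.7G 83 Linux'

# Sector size in bytes, from the "Units:" line ("... = 512 bytes").
sector_size() {
    printf '%s\n' "$1" | awk '/^Units:/ { print $(NF-1); exit }'
}

# Field of the n-th partition row. The Boot column is "*" or blank, so the
# column positions shift by one; "boot" compensates for that.
part_field() {   # $1 = fdisk output, $2 = partition index, $3 = start|sectors
    printf '%s\n' "$1" | awk -v n="$2" -v what="$3" '
        /^Device/ { hdr = 1; next }
        hdr && NF {
            if (++i != n) next
            boot = ($2 == "*") ? 1 : 0
            v = (what == "start") ? $(2 + boot) : $(4 + boot)
            print v; exit
        }'
}

# Byte offset and size limit: sectors times the sector size (shell arithmetic
# is 64-bit on Linux, so multi-GiB images do not overflow).
part_offset()    { echo $(( $(part_field "$1" "$2" start)   * $(sector_size "$1") )); }
part_sizelimit() { echo $(( $(part_field "$1" "$2" sectors) * $(sector_size "$1") )); }

# Mount command for inspecting an image: read-only, plus noexec/nosuid/nodev so
# nothing shipped inside an untrusted image can be executed from the mount.
mount_cmd() {   # $1 = image, $2 = fdisk output, $3 = partition index, $4 = mountpoint
    printf 'mount -o ro,noexec,nosuid,nodev,loop,offset=%s,sizelimit=%s %s %s\n' \
        "$(part_offset "$2" "$3")" "$(part_sizelimit "$2" "$3")" "$1" "$4"
}

mount_cmd router.img "$FDISK_OUT" 1 /mnt
```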

Wednesday, October 4, 2017

Mediatek LinkIt Smart 7688 with DHT22/11 sensor on custom LEDE/OpenWRT image

The examples use the latest LEDE-Project sources from git.

check-humidity-7688 is a fork of the Onion Omega2p checkHumidity tool, which reads the temperature values directly from memory.

We need the LEDE Project / OpenWRT source configured for the LinkIt Smart 7688 and compiled at least once. The kernel must be built with /dev/mem support, since that is how check-humidity-7688 works.

The checkHumidity binary should work on the MediaTek 7688 as is, but if you need to recompile it for a different arch/platform, here is how it is done:

Getting the source and compiling it:
$ git clone
$ cd check-humidity-7688
$ make clean
$ sh -buildroot /home/user/lede

 rm -f -r build bin
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/fastgpioomega2.o src/fastgpioomega2.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/main.o src/main.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/module.o src/module.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/dht_read.o src/dht_read.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ -c -g  -I include -c -o build/common_dht_read.o src/common_dht_read.cpp
 /home/user/lede/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl/bin/mipsel-openwrt-linux-g++ build/fastgpioomega2.o build/main.o build/module.o build/dht_read.o build/common_dht_read.o -o bin/checkHumidity

We can check if it is compiled for the right architecture:
$ file bin/checkHumidity
bin/checkHumidity: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/, with debug_info, not stripped
Now just copy the binary to your MT7688 and it should work fine.

Notes: the build script is a shell script (included in the source) taken from the MediaTek documentation page on how to cross-compile your own program. You only need to point it at the LEDE-Project / OpenWRT source with the -buildroot option.

Wiring diagram for connecting the DHT11 sensor to the LinkIt Smart 7688; the signal (data) wire is connected to pin 26 (GPIO19).

DHT11 Pinout

Example output of checkHumidity:

root@LEDE:~# ./checkHumidity 19 DHT11

Wednesday, September 27, 2017

LEDE Project/OpenWRT DHT11/22 humidity and temperature sensor on Raspberry Pi 3

Using the latest development version of LEDE Project from git.

Kernel config for the rpi3: lede-project-kernel-config-rpi3.txt (rename it to .config and put it in the LEDE main directory).

The difference between DHT11 and DHT22 is the accuracy of the returned values: DHT11 works with integer values (example: 23 C), while DHT22 is more precise (23.6 C).

Pins connected (DHT22):
DHT22 - RPI3
Data - GPIO4
Vcc - Vcc
Gnd - Gnd

Boot the rpi3 image, then edit /boot/config.txt and add the following line:


Save, exit and reboot the rpi3.

Under /sys/devices/platform/dht11@0/iio:device0/ you will find two files:


Reading them gives you the current values of the DHT11/22 sensor.

Thursday, July 20, 2017

Build netqmail-1.06 with TLS support Devuan / Debian package

Before you start you need the libssl-dev and qmail-uids-gids packages installed (or you can create the qmail users/groups manually according to the qmail README).

Make the debian package:

$ git clone
$ cd netqmail-1.06-tls
$ dpkg-buildpackage -uc

The source is the extracted Debian Testing package of netqmail-1.06 + the Debian patches + the TLS patch (from

Install the package:

# dpkg -i ../qmail_1.06-6_amd64.deb

Put the package on 'hold' so it won't be replaced by the next qmail update:

# echo "qmail hold" |dpkg --set-selections

To generate the certificate for TLS, change to the netqmail-1.06-tls directory and run:

$ make cert

Answer the questions, then copy the generated .pem file to /var/qmail/control/servercert.pem. clientcert.pem is the same file, so make a link:

# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem

If there are no certificates in the control directory, the server's EHLO response will show that TLS is not supported:

$ telnet 25
Connected to
Escape character is '^]'.

220 blah-blah ready SMTP
ehlo blah-blah ready SMTP
If a correct .pem file is in the control dir, the EHLO response will show STARTTLS support:

$ telnet 25
Connected to
Escape character is '^]'.

220 blah-blah ready SMTP
ehlo blah-blah ready SMTP

When a 2048-bit RSA key is provided in /var/qmail/control/rsa2048.pem, qmail-smtpd uses it instead of (slowly) generating one on the fly.

Generate the 2048-bit RSA key file:

# openssl genrsa -out /var/qmail/control/rsa2048.pem 2048

That is all. Qmail is now ready for STARTTLS connections. In the message source of every mail you should see something like this:

Received: from unknown (HELO ( by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000

You can test whether an SMTP server supports STARTTLS with the openssl command line (example is for mx):

$ openssl s_client -connect -starttls smtp
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN =
verify return:1
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
SSL handshake has read 4598 bytes and written 294 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 9C4C99B3836290C5DF1F7375390EE4D827601E06A0E05B7BCBA863610722895E
    Master-Key: 92BFA180AE310D72FF0A94F1D56DAF802FB37FB78EAC9EB91D7909949AE53E943A593DCDC314FFB01F923B9EC1906D6B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)

    Start Time: 1500646890
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

Teach apt-get not to use IPv6 addresses

Create a file in /etc/apt/apt.conf.d/ whose name starts with 90 or higher, for example /etc/apt/apt.conf.d/90ipv6only.

Put the following inside it:
Acquire::ForceIPv4 "true";
and then run apt-get update.

This works on Debian Jessie/Devuan Jessie.

Tuesday, July 11, 2017

Running JBOSS with Daemontools / Runit

JBOSS is installed in /usr/local/jboss.
A jboss user is created for that purpose, with home directory /usr/local/jboss.

daemontools/runit run script for the JBoss server:


#!/bin/sh
# runit/daemontools run script for the app1 JBoss instance
exec 2>&1   # send stderr to the log service as well

# clean the working dirs
/bin/rm -fr /usr/local/jboss/server/app1/work
/bin/rm -fr /usr/local/jboss/server/app1/tmp

# next lines are fix for cyrillic letters inserted in database
export LNS_LANG
export LANG

# JBOSS_HOST (the bind address) must be set in the environment before this
# script runs. MaxPermSize needs a unit, otherwise the value is read as bytes.
exec /usr/bin/chpst -u jboss:jboss -U jboss:jboss \
    /usr/lib/jvm/java-1.7.0-openjdk-i386/bin/java \
    -Xms512m -Xmx1536m -XX:PermSize=256m -XX:MaxPermSize=512m \
    -XX:+CMSClassUnloadingEnabled -XX:StackShadowPages=20 \
    -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 \
    -Djava.awt.headless=true -Djava.endorsed.dirs=/usr/local/jboss/lib/endorsed \
    -classpath /usr/local/jboss/bin/run.jar:/usr/lib/jvm/java-1.7.0-openjdk-i386/lib/tools.jar \
    org.jboss.Main -c app1 -b "$JBOSS_HOST"

daemontools/runit log script (log/run) for the same service:

#!/bin/sh
# svlogd takes its rotation settings from the file /var/log/jboss-app1/config,
# one per line, not from the command line:
#   n35          keep at most 35 rotated log files
#   s511048576   rotate when the current file reaches this many bytes
exec setuidgid jboss /usr/bin/svlogd -tt /var/log/jboss-app1

Thursday, January 12, 2017

OpenVPN renew expired CA, revoke certificate and other notes

OpenVPN and OpenSSL notes

View contents of a certificate file:

# openssl x509 -noout -text -in certificate-file.crt

Generate a new CA certificate from the expired one, signing it with the same CA key (this is not good practice!!!):

# openssl x509 -in ca.crt -days 4650 -out ca_new.crt -signkey ca.key

Verify a crt file against the CA:

# openssl verify -CAfile ca.crt newserver.crt

Revoking a certificate:

# . ./vars
# ./revoke-full name_of_cert_file

The result is in "keys/crl.pem"; copy it to /etc/openvpn/.

Checking the contents of the crl.pem file:

# openssl crl -text -noout -in /etc/openvpn/crl.pem

Regenerate an expired CRL file:

# openssl ca  -gencrl -keyfile ca.key -cert ca.crt -out new-crl.pem -config ./openssl.cnf

You also need to set this in openssl.cnf if you want to change the default CRL expiry (1 month):

default_crl_days= 3650         # how long before next CRL
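The revoke / regenerate-CRL / verify cycle from the notes above, run end to end on a throwaway CA, as an added example (not part of the original notes): it lets you confirm a crl.pem really rejects the revoked certificate before copying it to /etc/openvpn/. The CA, client name, work directory and the minimal openssl.cnf are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: run the revoke -> crl.pem -> verify
# cycle on a throwaway CA, so a CRL can be checked before it goes to /etc/openvpn/.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }
WORK=$(mktemp -d)                         # constructed demo directory, removed on exit
trap 'rm -rf "$WORK"' EXIT
# The parts of openssl.cnf that "openssl ca -revoke" and "openssl ca -gencrl" read.
write_ca_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
default_md       = sha256
default_crl_days = 30                    # how long before next CRL
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
    : > "$WORK/index.txt"; echo 01 > "$WORK/serial"
}
# Self-signed CA and one client certificate issued by it (no passphrases: demo only).
make_ca_and_client() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$WORK/client1.key" -out "$WORK/client1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/client1.crt" 2>/dev/null
}
# Same commands as in the notes: mark the cert revoked in the database, then regenerate the CRL.
gen_crl()       { openssl ca -config "$WORK/openssl.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null; }
revoke_client() { openssl ca -config "$WORK/openssl.cnf" -revoke "$WORK/client1.crt" 2>/dev/null; gen_crl; }
# Succeeds only while the cert verifies against the CA with CRL checking on (what OpenVPN's crl-verify does).
cert_is_valid() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" "$1" 2>/dev/null \
        | grep -q ': OK$'
}

write_ca_config; make_ca_and_client; gen_crl
cert_is_valid "$WORK/client1.crt" && echo "client1: valid before revocation"
revoke_client
cert_is_valid "$WORK/client1.crt" || echo "client1: revoked; crl.pem ready for /etc/openvpn/"
```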