Dell Venue 11 Pro (7139) as a Linux tablet, with full disk encryption!

I can’t stomach the “telemetry” in Windows 10, and wanted a cheap hybrid laptop/tablet for when I go travelling.  I really love the concept of the Dell Venue 11, and managed to pick up a mint condition second-hand i5/250 gig/8 gig model, replete with keyboard and docking station, for NZ$400 including shipping.

A couple of years ago I struggled to get an i3 model working with Linux (touch screen and WiFi), and I’m quite happy with how far things have come: all the hardware worked out of the box on Ubuntu 16.04.2 (partly, I suspect, due to the Intel AC WiFi adaptor the unit came with).  Unfortunately it did not work well as a tablet.

There are 2 enhancements I’ve implemented which I believe will make the unit a usable tablet:

Full Disk Encryption

Credit where it’s due: the idea came from https://ranzbak.nl/tpmluks/, which I used as a starting point.  Unfortunately it required quite a bit of work: extracting and rebuilding the initrd by hand is probably not ideal, and SHA-1, while not fantastic, is probably better than the MD5 hashes used there (the TPM itself is based on SHA-1 hashes).  Also the provided diffs did not work, and the PCRs are in a different place.

While it’s easy enough to enable FDE when setting up Linux, it requires a keyboard to enter the passphrase; however, the system does have an onboard keyboard for entering a (BIOS) password.  Leveraging the TPM, it’s possible to set a boot password in the BIOS and then use the TPM to unlock the encrypted disk.

The first step is to take ownership of the TPM:

apt-get install tpm-tools trousers

tpm_takeownership

To do this, some modifications are needed in the initrd files.  The idea here is to use a hash of the TPM PCRs, which should be unique to the device, to decrypt the disk when it is available (if not, we can always fall back to a regular passphrase).

Changes to /usr/share/initramfs-tools/scripts/local-top/cryptroot:

265c265,266
< cryptopen=”$cryptopen open –type luks $cryptsource $crypttarget –key-file=-”

> cryptopen=”$cryptopen open –type luks $cryptsource $crypttarget ”
> # cryptopen=”$cryptopen open –type luks $cryptsource $crypttarget –key-file=-”
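Review bot: The replacement line drops --key-file=- without saying why, and the reason matters for the second hunk: with --key-file=- cryptsetup reads stdin to EOF and keeps the trailing newline that `echo $cryptmd5hash` appends, so the 41-byte string would never match the 40-character hash added with luksAddKey; without it, cryptsetup reads one line from stdin and strips the newline. Replace the commented-out original line with a comment stating that. Also, the quotes and dashes on these lines appear as typographic characters (“ ”, –type); in the script they must be ASCII " and --type, or the line will not parse.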
300,303c301,320
< if ! crypttarget=”$crypttarget” cryptsource=”$cryptsource” \
< $cryptkeyscript “$cryptkey” | $cryptopen; then
< message “cryptsetup: cryptsetup failed, bad password or options?”
< continue

>
> # Check against TPM
>
> if [ $count -eq 1 ] && [ -e “/sys/class/tpm/tpm0/device/pcrs” ]
> then
> cryptmd5hash=`cat “/sys/class/tpm/tpm0/device/pcrs” | sha1sum | cut -f1 -d’ ‘`
>
> pcrs=`cat /sys/class/tpm/tpm0/devices/pcrs`
>
> if ! crypttarget=”$crypttarget” cryptsource=”$cryptsource” \
> echo $cryptmd5hash | $cryptopen; then
> message “cryptsetup: Setting up Crypt from TPM hash failed – $pcrs – $cryptmd5hash”
> continue
> fi
> else
> if ! crypttarget=”$crypttarget” cryptsource=”$cryptsource” \
> $cryptkeyscript “$cryptkey” | $cryptopen; then
> message “cryptsetup: cryptsetup failed, bad password or options?”
> continue
> fi
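Review bot: The failure message `cryptsetup: Setting up Crypt from TPM hash failed – $pcrs – $cryptmd5hash` writes the derived passphrase, and the PCR dump it came from, to the console and the boot log; whenever the failure is anything other than a PCR change (slot 1 not yet populated, a transient device error) that string is the live key to slot 1, so drop both variables from the message. Two smaller points: the `pcrs=` line reads /sys/class/tpm/tpm0/devices/pcrs while the hash line reads .../device/pcrs, so it errors and leaves $pcrs empty on every boot (it is only used in the message, so it can go with it); and `cryptmd5hash` holds a SHA-1, so name it cryptsha1hash before someone reads the name literally.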

This also required the addition of 2 files to the initrd: sha1sum and cut.   To add these, find the “copy_exec” lines near the bottom of /usr/share/initramfs-tools/hooks/cryptroot and add

copy_exec /bin/cut

copy_exec /usr/bin/sha1sum

Then run “update-initramfs -u” to rebuild the initrd for your kernel.

You will also need to add the SHA-1 passphrase to your LUKS device, in an unused keyslot (my LUKS device is /dev/sda3).  There is no doubt a better way to do this, but I simply did this:

cat /sys/class/tpm/tpm0/device/pcrs | sha1sum | cut -f1 -d" "

This produced a rather long string which represents a hash of the PCRs and is what we use as a passphrase; it should be unique to the system.

I then set this by copying and pasting the passphrase into the second slot using the command

cryptsetup luksAddKey /dev/sda3 -S1

Note that -S1 is slot 1 (the second slot; the first one is slot 0).  There are 8 slots you can use.
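As an added example, not code from the post: a small shell script that reproduces the passphrase derivation and the unlock decision of the modified cryptroot against a constructed PCR dump standing in for /sys/class/tpm/tpm0/device/pcrs, and shows the trailing-newline pitfall in the piped hash. The function names and temporary paths are my own.

```shell
#!/bin/sh
# Added example: reproduces the passphrase derivation and unlock decision of
# the modified cryptroot script against a constructed PCR dump.  Function
# names and temporary paths are mine, not the post's.

# Passphrase = SHA-1 of the raw sysfs PCR file, as the cryptroot change
# computes it (sha1sum | cut).  $1 stands in for /sys/class/tpm/tpm0/device/pcrs.
tpm_passphrase() {
    [ -r "$1" ] || return 1
    sha1sum < "$1" | cut -f1 -d' '
}

# Which unlock path the modified cryptroot takes: the TPM-derived passphrase on
# the first attempt ($count = 1) when the PCR file exists, otherwise the
# interactive passphrase.  $1 = attempt counter, $2 = PCR file.
unlock_source() {
    if [ "$1" -eq 1 ] && [ -e "$2" ]; then
        echo tpm
    else
        echo passphrase
    fi
}

# Number of bytes cryptsetup would receive on stdin.  "echo" appends a newline,
# so with --key-file=- (read to EOF, nothing stripped) a 41-byte string would be
# tried against a 40-character slot passphrase; printf '%s' sends the hash alone.
piped_key_length() {
    if [ "$1" = echo ]; then
        n=$(echo "$2" | wc -c)
    else
        n=$(printf '%s' "$2" | wc -c)
    fi
    echo "$n" | tr -d ' '
}

# Constructed stand-in for the TPM 1.2 sysfs PCR dump (24 PCRs, 20 bytes each).
workdir=$(mktemp -d)
PCRS="$workdir/pcrs"
i=0
while [ "$i" -lt 24 ]; do
    printf 'PCR-%02d: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 01 02 03 04\n' "$i"
    i=$((i + 1))
done > "$PCRS"

# The same dump after one PCR changed (as a firmware update does): the derived
# passphrase changes too, which is why the interactive fallback exists.
sed 's/^PCR-00: 00/PCR-00: FF/' "$PCRS" > "$workdir/pcrs-after-update"

echo "slot passphrase now:          $(tpm_passphrase "$PCRS")"
echo "slot passphrase after update: $(tpm_passphrase "$workdir/pcrs-after-update")"
echo "first boot attempt uses:      $(unlock_source 1 "$PCRS")"
```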

Note:  this is not as secure as using FDE directly.  One attack would be for someone to “borrow” the system, remove the SSD, install a compromised initrd, replace the drive, and wait for you to enter your passphrase; they would then have the hash that unlocks the disk.    Of course, this is not significantly different from someone putting a keylogger on your system, and it still provides protection if a thief simply steals the device.

Onscreen keyboard on login

Although it should work, it appears that the “Onboard” on-screen keyboard does not work correctly with the default lightdm display manager.   I eventually discovered that replacing it with gdm3 (apt install gdm3) fixed it.  A gotcha: you need to reboot the system after installing gdm3, not just log out and in again.


Oneplus 3 Nougat with R/W System

I recently upgraded my Oneplus 3 to OxygenOS 4.0.3 – which runs Android 7.0.

I discovered that I could no longer write to the hosts file to do ad blocking, and this was driving me crazy, so I set about changing the OS to allow me to do this.  It required a single-letter tweak to a file, but unfortunately this file is embedded in the heart of the ROM.   Other than tweaking the fstab file in the initial ramdisk image to mount /system rw, I have made no changes to the source code.  (Of course, it is possible that when I repackaged this I did something slightly wrong, given that I’ve never done this before.)

Subsequent to installing this file (and SuperSU, of course), AdAway again happily does its thing and adverts have vanished.

I am uncertain of the security implications of allowing /system to be rw, but I am sure it’s less of a frustration than being bombarded with adverts (and, come to think of it, it must be safer as well).  I wrote a question on android.stackexchange, which suggests the threat is not that great; certainly less than the alternative hack I came up with, which required disabling SELinux.

If anyone wants it, they can download it here. This file has an md5 sum of 0729ae4ba8d30ccf2a5ec0982021abb6 and a sha512 sum of e8c8e4bdbe960cfcbd0ce564710144bfac8ba663de6fd9df8a858a567f7317309bf6bad5645142feede6ae8741a5b3eaced2c4fd1214fdc6476d808f4f9b1dd9. It’s a drop-in replacement for OnePlus3Oxygen_16_OTA_041_all_1702081756_f9fb218af59d4aa6.zip from the OnePlus 3 website.  I expect it is smaller than the OnePlus 3 file because of different zip file compression?  The file is about 1.5 gigs compressed.  Usage is, of course, at your own risk.  If you brick your device, don’t come running to me.  The only guarantee I make is that I flashed this firmware on my system and it behaved as expected.

Resolving shared WordPress Email issue

I like using a database to directly drive my virtual web hosting.  This means that each account on the system has a UID and GID, but no username associated with it (i.e. no entry in /etc/passwd or from getent passwd).

Because of this, when users try to send an email in WordPress (e.g. to reset their password), WordPress does not send the message, complaining “Possible reason: your host may have disabled the mail() function.”

The underlying cause of the problem can be found by looking at the Postfix mail logs, where you get errors like “fatal: no login name found for user ID XXXX”.

Fixing this problem without relying on WordPress plugins or tweaks is simple: modify the php.ini file Apache is using by adding the following line, which passes an explicit envelope sender (-f) so the sendmail wrapper no longer has to look up a login name for the web server’s UID:

sendmail_path = /usr/sbin/sendmail -t -i -fwww@defaultwebaddress.goes.here


Secret of Oneplus 3

The OnePlus 3 has had some interesting reviews and press coverage, and it’s very much a mixed bag, but nowhere online have I read about its killer feature: FANTASTIC (almost unbelievable) RECEPTION.

I am blessed to live on a lifestyle block (i.e. semi-rural), which gets marginal coverage from 2 Degrees Mobile, my preferred provider.  So marginal, in fact, that the deciding factor in purchasing my cellphones is the ability to handle 2 SIM cards, so I can fall over onto Vodafone and reliably receive calls at home.

With this, my desire for a technically advanced phone and particularly my spendthrift nature, the OnePlus 3 was the obvious choice.

I’ve been disappointed in its Bluetooth and software issues, but on the flip side, the ease of rooting the phone (and keeping it rooted), along with the snappy performance for the everyday things I do, have made it a reasonable purchase.   So reasonable, I’ve just used it without thinking about it.

THEN I REALISED: in the 3 months I’ve had the phone, I’ve never not been able to make or receive a call from home on my primary 2 Degrees SIM (as opposed to issues about once a week on all my previous phones).   The list of phones where people have had issues includes the Samsung Note 4 (my wife’s, and my earlier phone), the LG G3 H858HK (the dual-SIM phone I managed to brick while trying to re-root it after a software upgrade), as well as a plethora of guest phones including late-model iPhones and various new Samsung devices.

Just how superior my phone’s reception is (to my wife’s Note 4, also on 2 Degrees), and what prompted me to write this note, is that we went for a drive to Shakespeare Park: she had no coverage, yet I had strong cellphone coverage.  My coverage was still excellent in the brick-enclosed water closet on site!


Hangsun S80 Lamp

I purchased one of these lamps in 2016.  Below details my findings and some help to others (maybe).

The product is not good at all – indeed if returning it were a practical option I would – but because I live down-under, shipping costs make this prohibitive – so I’ve tried to make the best I can.

Problems I encountered –

I could not download the Android app, no matter how hard I tried; I assume this is because of country restrictions set by the developer.   Luckily, I reached out to them, and they responded with a QR code to download the app (not sure if this is a different one from the one on the base of the unit and in the manual, or if they updated their permissions), but here it is:

(QR code image)

This app seems to work a lot better than the iPad app I previously needed to use; specifically it fixes a bug where you could not set maximum brightness on the lamp, and has a cleaner interface.

The display

The display on the unit is backlit, and the backlighting only comes on when you are interacting with it.  It is also blindingly bright white light, particularly in a dark room, which means that you can’t simply look over at the clock to see it’s 3am.    I greatly reduced this issue by adding a small red LED to the backlight (in conjunction with a 150 ohm resistor, which I attached to the top and bottom pins of the conveniently located CON6 connector to the left of the display board).   This allows me to read the light without having to turn it off.    Next time I open the unit, I intend to disconnect one of the 2 white LEDs which power the backlighting.  (It’s not possible to simply replace one of these with a red LED, as they are merged into the display.)

The hardware

Although very, very let down by the software, the hardware appears to be OK, although it is all plastic.  The design appears to be modular and thus somewhat hackable.

One confusing and disappointing thing, though, is that the maximum lamp voltage is supposedly 6 watts (according to the package this is the size of the replacement lamp, and according to an email from them this is the maximum size).   The problem with this theory is that the lamp included is a 7 watt warm white dimmable LED.    While more or less adequate, it’s not fantastic, and certainly not as good as my previous jerry-rigged system, which used the equivalent of a 100 watt CFL bright white light.

Other notes and letdowns

The promotional video seems to imply you can program a significant number of on/off events; this is incorrect, you are limited to a maximum of 2 events.  You cannot specify which days, although you can turn the alarm on and off manually; this is nowhere near as convenient as a 7-day timer, for example.

You can’t have the light come on without an alarm: the alarm level can be set to low, but not off.  This is irritating.  I intend to install a switch so I can disconnect the speaker.

The light seems to turn on at random times, but without sound.  Interestingly, this has stopped since I unplugged the unit for an extended period out of frustration at it coming on in the middle of the night.

On my unit, you can’t output sound over Bluetooth to the device (you are supposed to be able to, according to the manual).  Not sure why this is; the unit is paired, there is just no sound output, regardless of volume!

The Amazon listing has a number of 5 star reviews; if you look at the reviewers though, they are all (as of the time of this post) shills, having all posted exactly 2 reviews on the same 2 products.   The other reviews stand at 1 star, except for mine, which I need to upgrade to 2 (I’m doing that as part of a deal I’ve done with them to get the QR code and confirmation of the maximum wattage, and to be honest, the unit is kinda usable).

Samsung 840 EVO Geometry

I recently had a need to upgrade a 500 gig (RAIDed) hard drive to an SSD.   I noted that the standard geometry for a 500 gig hard drive presents as 500.1 gigs, while the data sheet for the Samsung 840 EVO MZ-7TE500BW SSD claims it to be fractionally smaller on the detailed spec sheets I found.

Happily this is not the case, and it has the same size as most 500 gig hard drives, i.e. RawCHS=16383/16/63.

Swap and Encfs mounting on Startup in Ubuntu

I use Ubuntu 14.04 on my laptop and I have a somewhat unique setup, whereby I use DRBD and encfs to mirror and secure my data, as I understand that when SSDs fail they tend to do so catastrophically and without warning.   I thus have a rather complex boot process.

I spent the morning tidying up the boot process so it looks professional (which is not to say that this is the professional or best way to do it, but it works).

I discovered there is a dearth of information on the kinds of things I want to do, but needed to become familiar with the following:

Plymouth – the fancy boot screen that Ubuntu throws up when it boots; that’s run by plymouthd. It is possible to interact with plymouthd by using the plymouth command.  Your mileage may vary, but I discovered that when plymouthd is running it has a pid file at /dev/.initramfs/plymouth.pid, so by checking for that file I can request the passphrase using plymouth or a command prompt as appropriate.

encfs – using the -S switch allows the passphrase to be read from stdin.

rc.local – I run this entire script from rc.local, because it’s easy enough to do, and it happens automatically and before plymouth exits.

The script is as follows:

#!/bin/bash
# Run from /etc/rc.local: bring up the network address and the DRBD mirror,
# unlock the encfs volume (asking through plymouth while the boot splash is
# still up, otherwise on the console), then move /tmp onto the encrypted
# volume before the display manager starts.

ENCFS_SRC=/media/drbd0        # encrypted (DRBD-mirrored) store
ENCFS_DST=/data/ssd           # cleartext mount point
PLYMOUTH_PID=/dev/.initramfs/plymouth.pid

ifconfig eth0 my.internal.ip  # my.internal.ip: placeholder for the real address
/etc/init.d/drbd start
/bin/mount /dev/drbd0 "$ENCFS_SRC"

# Mount the encfs volume, prompting with the text in $1.  plymouth only
# answers while plymouthd is running (it leaves a pid file), so fall back to
# encfs's own console prompt when the pid file is absent.  -S makes encfs read
# the passphrase from stdin; the function's exit status is that of encfs.
mount_encfs() {
        if [ -f "$PLYMOUTH_PID" ]
        then
                /bin/plymouth ask-for-password --prompt "$1" | /usr/bin/encfs "$ENCFS_SRC" "$ENCFS_DST" --public -S -o nonempty
        else
                /usr/bin/encfs "$ENCFS_SRC" "$ENCFS_DST" --public -o nonempty
        fi
}

prompt="Passphrase: "
until mount_encfs "$prompt"
do
        [ -f "$PLYMOUTH_PID" ] || echo "Incorrect Password"
        prompt="Passphrase was not accepted.  Please enter Passphrase: "
done

# We have all sorts of problems if /tmp is not mounted before X,
# but we want to ensure it's encrypted, so swap it over now.
# Note: we destroy /tmp on restart as good Linux systems do, but
# there is a backup of the last boot at /data/ssd/tmp-old.

echo "Stopping services that need /tmp or a network and fixing these"
/etc/init.d/openvpn stop
/etc/init.d/ssh stop

rm -rf "$ENCFS_DST/tmp-old"
mv "$ENCFS_DST/tmp" "$ENCFS_DST/tmp-old"
mkdir "$ENCFS_DST/tmp"
chmod 1777 "$ENCFS_DST/tmp"   # world-writable with the sticky bit, as /tmp must be
rm -r /tmp
ln -s "$ENCFS_DST/tmp" /tmp

dhclient eth0 &

echo "Restarting services that need /tmp or a network"
/etc/init.d/ssh start
/etc/init.d/openvpn start

# The display managers were moved out of /etc/init so they do not start on
# their own; start lxdm here, once /tmp is in place.
/usr/sbin/lxdm

In addition I did the following:

Stopped display managers from starting under system control on boot. This is a bit weird because they exist in /etc/init, rather than /etc/init.d where I would have expected. Anyway, I moved gdm.conf, lightdm.conf and lxdm.conf out of /etc/init (and into a new directory called /etc/notinit which I created).

I also took steps to encrypt the swap space on startup.  This does not appear to be well documented, but is quite easy.  Simply make the following modifications to /etc/crypttab (create it if it does not exist):

swap /dev/mapper/ubuntu--vg-swap_1	/dev/urandom swap,cipher=aes-cbc-essiv:sha256

This line creates /dev/mapper/swap using the backing device /dev/mapper/ubuntu--vg-swap_1, with a random key it creates on the fly from /dev/urandom at every boot,

and to /etc/fstab:

/dev/mapper/swap none            swap    sw              0       0

which mounts /dev/mapper/swap as swap (remember to comment out the old swap line).

If you look through my rc.local script, you will see I jump through all kinds of hoops to move /tmp into encrypted space after startup.  An easy alternative might be to do something similar for /tmp as I did for swap above; the downside is that it requires a fixed amount of disk space which is carved out of my SSD.

It’s worth noting that all sorts of wonderfully weird and non-obvious failures occur if /tmp is not mounted and readable by all (including X window managers crashing and issues with sound).  /tmp really needs to be usable BEFORE X is loaded.


BD-F6500 region free upgrade – Firmware 1010 / 1017 note

In case anyone has the same issue –

A few months ago I purchased a Samsung BD-F6500 from Noel Leeming (a whiteware retailer in New Zealand).   A few days ago, we purchased some DVDs which were “region 2” and would not play on our NZ/AU (region 4) player.

I attempted to region-unlock the DVD player using the method found on the Internet, i.e. start the DVD player, open and close the [empty] disc tray, press Repeat, enter “7 6 8 8 4”, then “9” for region free.   This failed to work a number of times.

With nothing to lose, I upgraded the firmware to 1017 and was able to unlock the player using the above process without issue on the first attempt.

(Of course, friends who download their content using file-sharing networks don’t have these issues, and the media industry wonders why movie piracy is so common?)


Adding Perfect Forward Secrecy to OpenVPN

Perfect Forward Secrecy is a methodology applied to encryption to frustrate the decoding of traffic captured and stored prior to the discovery of the secret key by an adversary.  This is done by generating a new random key every time data is transmitted.

Enabling this in OpenVPN is quite easy, but does not appear to be well documented.  The steps to do this are:

Create a common private key, e.g.

openvpn --genkey --secret /path/to/store/pfs.key

Securely distribute this key to each OpenVPN client, then add the following to the server:

tls-server
tls-auth /path/to/store/pfs.key 0

and this to each client:

tls-client
tls-auth /path/to/store/pfs.key 1


It is also possible to embed the tls-auth key in the configuration file itself. To do this, open a <tls-auth> tag, embed the key and add a closing </tls-auth> tag. Then add another directive, key-direction X, where X is 0 for the server or 1 for the client (i.e. the same as the second argument on the tls-auth line when using a key file).

So the appropriate snippet (here for a client) would look something like:

<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
.
.
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
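As an added example (my code, not OpenVPN’s or the post’s): a shell helper that produces the inline <tls-auth> form from a key file with the matching key-direction, and a checker for a finished config; the key file it builds is a constructed placeholder, not the output of openvpn --genkey.

```shell
#!/bin/sh
# Added example (not OpenVPN's code): turn the file-based "tls-auth <file> <n>"
# setup from the post into the inline <tls-auth> block plus key-direction, and
# check a finished config for the usual mistakes.  The key below is a
# constructed placeholder, not output of openvpn --genkey.

# Emit the inline form.  $1 = static key file, $2 = key-direction (0 server, 1 client)
inline_tls_auth() {
    case "$2" in
        0|1) ;;
        *) echo "key-direction must be 0 or 1" >&2; return 1 ;;
    esac
    # Refuse anything that is not a static key file rather than embedding it.
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" || return 1
    printf '<tls-auth>\n'
    cat "$1"
    printf '</tls-auth>\nkey-direction %s\n' "$2"
}

# Sanity-check an inlined config: one <tls-auth> block, a key-direction line,
# and no leftover file-based tls-auth directive pointing at a file that will
# not exist on the other machine.
check_inline_config() {
    [ "$(grep -c '^<tls-auth>$' "$1")" -eq 1 ] || return 1
    [ "$(grep -c '^</tls-auth>$' "$1")" -eq 1 ] || return 1
    grep -q '^key-direction [01]$' "$1" || return 1
    ! grep -q '^tls-auth ' "$1"
}

workdir=$(mktemp -d)
KEY="$workdir/pfs.key"
{
    printf '#\n# 2048 bit OpenVPN static key (CONSTRUCTED placeholder)\n#\n'
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
    i=0
    while [ "$i" -lt 16 ]; do
        printf '%s\n' '0123456789abcdef0123456789abcdef'   # 16 lines x 16 bytes = 256 bytes
        i=$((i + 1))
    done
    printf '%s\n' '-----END OpenVPN Static key V1-----'
} > "$KEY"

# Server and client configs carrying the same key with opposite directions.
{ printf 'tls-server\n'; inline_tls_auth "$KEY" 0; } > "$workdir/server.conf"
{ printf 'tls-client\n'; inline_tls_auth "$KEY" 1; } > "$workdir/client.conf"
```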

Windscreen Flyer Solution

I am one of those people who get irritated when I come to my car and find a flyer has been stuck under the windscreen. I discovered an (at least partial) solution to the problem, one which is so obvious I wonder why I have not heard of it before.   (That I have been dealing with some frustrating spam-related issues probably helped focus my mind.)

I was recently at a favorite watering hole one evening, and had parked my car in a public car park. When I returned to my vehicle I noticed a local restaurant had placed a flyer under my windscreen. (I was, of-course, aware of the restaurant – it was within 200 meters of where I parked).

As I was inconvenienced by having to get out of my car to remove the flyer, the solution was obvious. Armed with a few sweet wrappers and the flyer, I walked into the restaurant, caught a waiter’s attention and sprinkled my advertising for the sweets (and their flyer) across an unoccupied table at the restaurant, while protesting the placement of litter on my car, before leaving. From the deeply satisfying protestations I heard as I exited, I believe I made my point.

In hindsight, I could have done this a little better. Looking back, I realize I should have torn the flyer into small pieces and scattered that instead of depositing my own “sweet advertisement”. Of course, in addition to the Litter Act 1979 (assuming the flyer or “sweet advertisement” can be defined as litter), Auckland Council also has a bylaw preventing the placement of flyers on cars.  You can find it here; the key is the definition of poster: “means a temporary sign of 1.5 square meter or less, including a placard, leaflet, flyer or communication device of a like nature, which is directly affixed (without the need for a supporting structure) to walls, buildings or structures, furniture, utilities, traffic signage or placed on any car windscreen, the message of which does not relate to the site or public place where the poster is displayed.” and section 27.3.7 prevents the displaying of the poster. Interestingly, this includes private land, so I don’t think there will be too much push-back.