Aercus WeatherSleuth Weatherstation / MQTT / Security thoughts

I recently got my hands on an Aercus Weathersleuth Weatherstation. This is a fairly nice piece of kit.

One of its benefits is it can talk to the internet or an arbitrary server. A bit of poking around revealed it communicates by way of an HTTP post request which looks as follows –

http://ADDRESS.SPECIFIED.IN.CONFIG/weatherstation/updateweatherstation.php?ID=IDINCONFIG&PASSWORD=PWINCONFIG&tempf=64.8&humidity=79&dewptf=58.1&windchillf=64.8&winddir=48&windspeedmph=2.46&windgustmph=2.46&rainin=0.00&dailyrainin=0.00&weeklyrainin=0.00&monthlyrainin=0.00&yearlyrainin=0.00&solarradiation=152.45&UV=1&indoortempf=-9999&indoorhumidity=-9999&baromin=-9999&lowbatt=0&dateutc=20165-10-0%202:29:46&softwaretype=Weather%20logger%20V2.1.9&action=updateraw&realtime=1&rtfreq=5

On the back of this I wrote a trivial script (which does not yet do authentication) –

<?php

# Script to take data from Aercus weather station and convert to MQTT

# Stations is an array which defines the devices we accept.
# Format of each sub-array is "Name","Password","IP address"
# (not implemented in this version: no authentication is performed)

#
# This script requires php-mqtt – see https://github.com/php-mqtt/client
# Acquired with "composer require php-mqtt/client"
# Class and method names below are those of the early library release this was
# written against; newer releases rename them to MqttClient and disconnect().

$mqttserver = 'MQTTSERVER';
$mqttport = 1883;
$mqttClientID = 'WeatherStnToMQTT01';
$mqtttopic = 'WeatherStation';

# List of attributes not to send to MQTT
$DontPublish = array('ID', 'PASSWORD');

require_once 'vendor/autoload.php';

$mqtt = new \PhpMqtt\Client\MQTTClient($mqttserver, $mqttport, $mqttClientID);
$mqtt->connect();

$PostedVals = $_REQUEST;
$StationID = $_REQUEST['ID'];

# Clean up array: remove the station ID by key
# (array_search() looks up values, not keys, so it never found 'ID')
unset($PostedVals['ID']);

foreach ($PostedVals as $PostKey => $PostVal)
{
    # Ignore the following keys:
    if (!in_array($PostKey, $DontPublish))
    {
        $topic = $mqtttopic.'/'.$StationID.'/'.$PostKey;
        $mqtt->publish($topic, $PostVal, 0);
    }
}

$mqtt->close();

 

This script needs to be placed in (documentroot)/weatherstation/updateweatherstation.php – and (from the same path) "composer require php-mqtt/client" needs to be run to install the MQTT library.

 

On the version I got (software version 2.1), the security on this device is pretty much non-existent. The web interface for the device can be accessed without a username or password, and the telnet username and password are both, by default, admin. Communication takes place over HTTP (no obvious option for HTTPS). The password used to publish to the web server is sent as part of the request, which will turn up in the server's log files.

I guess publishing this to a local server at least means that to access the url someone needs to have breached the local network.  
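
Both concerns above (the PASSWORD parameter landing in the web server's log, and a receiver script that accepts updates from any host) can be checked from the access log. The following is an added example, not part of the original post: it assumes combined-format access-log lines, and the sample lines, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the author's code). Assumes "combined" access-log lines.
# Every address and log line below is constructed.

# Constructed sample: two updates from the station, one from another host,
# and one unrelated request.
sample_log() {
cat <<'EOF'
192.168.1.50 - - [02/Oct/2016:02:29:46 +0000] "POST /weatherstation/updateweatherstation.php?ID=IDINCONFIG&PASSWORD=PWINCONFIG&tempf=64.8&humidity=79 HTTP/1.1" 200 5 "-" "-"
192.168.1.50 - - [02/Oct/2016:02:29:51 +0000] "POST /weatherstation/updateweatherstation.php?ID=IDINCONFIG&PASSWORD=PWINCONFIG&tempf=64.9&humidity=79 HTTP/1.1" 200 5 "-" "-"
192.168.1.77 - - [02/Oct/2016:02:30:02 +0000] "POST /weatherstation/updateweatherstation.php?ID=TEST&PASSWORD=abc&tempf=999 HTTP/1.1" 200 5 "-" "-"
192.168.1.20 - - [02/Oct/2016:02:30:10 +0000] "GET /index.html HTTP/1.1" 200 312 "-" "-"
EOF
}

# Mask the PASSWORD value so the log can be archived or shared.
# Matches the parameter wherever it sits in the query string.
redact_ws_log() {
    sed -E 's/([?&]PASSWORD=)[^& "]*/\1REDACTED/g'
}

# Print "client-ip station-id" for every update request that did not come
# from the expected station address ($1). Because the receiving script does
# no authentication, any line printed here was accepted and published.
unexpected_ws_clients() {
    awk -v station="$1" '
        index($0, "/weatherstation/updateweatherstation.php?") && $1 != station {
            id = "-"
            if (match($0, /[?&]ID=[^& "]*/))
                id = substr($0, RSTART + 4, RLENGTH - 4)
            print $1, id
        }' | sort -u
}

# Stand-alone run against the constructed sample.
sample_log | redact_ws_log
echo "Unexpected submitters:"
sample_log | unexpected_ws_clients 192.168.1.50
```

On a real server, feed the access log to the two functions instead of sample_log and pass the station's fixed address as the argument.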

TZT AT89C2051 Digital LED Display 4 Bits Electronic Clock Electronic Production Suite DIY Kit 0.56 Inch Red Two Alarm Programming / Instruction

I purchased a kit-set clock/alarm kit for my kids to build to learn to solder. Unfortunately, while it came with soldering instructions (which it didn’t need), it did not come with programming instructions and the supplier is no more. Below are partial instructions I’ve discovered through the web and playing around.

The clock has 2 buttons – S1 and S2.

Clicking S2 cycles through different settings A-I. When you click S2 the left digit on the screen represents A,B (8), C, D (0), E,F,G,H and I

Clicking S1 then cycles through the options for that setting. The corresponding settings are roughly (and slightly incorrectly still) –

A = Clock Hour

B = Clock Minute

C = Beep on hour ?

D = Supposedly Alarm 2 On/Off ??? I think this is wrong. I suspect it is Alarm 1 On/Off

E = Alarm 1 Hour

F = Alarm 1 Minute

G = Alarm 2 On/Off ??? This makes sense I think

H = Alarm 2 Hour ?

I = Alarm 2 Minute ?


Owners Manual for ProRunner 310R Motorized Treadmill

I purchased said Treadmill from Torpedo 7 a few months ago, and the manual has been sitting around the machine, looking ugly. As it's only 16 pages, black and white, I can't be bothered finding a place to keep it (it would make my library of exercise machinery manuals too large), so I've digitized a copy for myself.

I have emailed Torpedo 7 confirming I am OK to redistribute this work for free. ( I doubt this is an issue as they have not asserted copyright, so hopefully we are helping each other)

The manual number is 4130K3-90004-1400, and can be found here.

Dissecting a cheap Time Release Lock

Some months ago I acquired a dead-on-arrival time release lock – the type that typically sells on Aliexpress and eBay for about US$20, appropriately described as “Multipurpose Time Lock” but more commonly “Fetish Electronic Timer” or, in the type of English unique to China “Adult Game Fetish Handcuffs”. Unfortunately there does not seem to be a lot of choice if you want an inexpensive electronically controlled time-release lock.

The issue with the unit I got my hands on was clearly a dead battery – as best I can tell the unit contains a small lithium polymer battery which must have been sitting in a state of discharge in a warehouse somewhere causing permanent damage – it no longer held charge.

As there were no apparent screws, I took to the unit with a thin screwdriver and excessive force. I record my discovery for creative souls who wish to either repair or modify one of these units – or even for those just curious as to how they are constructed. As a picture is worth 1k words, here is the 3k version –

Exposed Time release Lock

My observations are as follows –

I could almost certainly have opened the lock without damaging brute force had I known to peel back the black frame surrounding the display. This would have revealed the 2 screws which were used to hold the unit together. (I went in through the top of the unit where the cable fits in, and leveraged the unit apart with a screwdriver – breaking the lock in the process.)

Similarly there are 4 small screws holding the circuit board to the frame. 3 screws are fairly apparent but I missed the fourth one, which was hiding behind the tangle of wires to the bottom left of the unit. As the lock was already dead, I used brute force again!

The battery is labelled as XC401020, 3.7 55mAh – so a 55mAh 3.7 volt battery. I'm not sure that there is place internally for a larger battery, but as it's 3.7 volts I expect with some creativity it might be possible to jerry-rig a larger external unit if you can secure it properly. As far as replacement of the existing battery goes, a search for 401020 on Aliexpress revealed a plethora of replacement batteries starting at about US$5 including shipping and very quickly rising in price to almost the replacement price of the lock.

NOTE THAT THIS PARAGRAPH IS SPECULATION. DO NOT RELY ON ANYTHING IN IT WITHOUT FIRST SATISFYING YOURSELF THAT IT IS CORRECT (corrections and confirmations welcome) – The core of the locking mechanism is a simple high torque motor with a rectangular shaped piece on the end. When this piece lies horizontally the lock is closed. When it is vertical the motor is open. When powered (looking from the top as per below image) the motor spins clockwise. This configuration does not appear to be a “fail open” arrangement I would have expected in this type of device- ie if the motor stops in the wrong position the lock will not be able to be opened without opening it or getting the motor to move. Conversely I posit ( As my unit is now totally destroyed I can’t test) it would be practical to modify the lock to self-release at the end of the lockout period by using an elastic band wrapped around the button to push it in automatically. In this instance it would still require force on the chain to remove it from the lock.

The below image shows the motor and screw holes once the front plate is disassembled.

Removed face-plate and top view of motor.

DIY IOT Heated Towel Rail Timer

In order to save electricity I made a heated towel rail timer, and, because it's 2019, made it controllable through a web page available on my home network. This project cost less than half the price of a basic timer. Here is how I did it and how you can leverage my experience and avoid some pitfalls. NOTE THIS PROJECT USES MAINS VOLTAGES, COULD BE DANGEROUS AND MAY NOT BE LEGAL TO IMPLEMENT IN YOUR COUNTRY.

The heart of the project is a Sonoff Basic – which comprises of an ESP8266 micro-controller with its 802.11n WIFI, some power handling circuitry and a relay. It nominally takes 2 wires in with mains voltage (ie live & neutral) and turns on/off the output depending on its program. I purchased a couple of these units from Ali-express for around US$5 each. I also purchased an FT232RL controller for about US$1.50 to program them.

There are a number of instructions on wiring and programming the SonOff using the Arduino platform online, and this is what I followed. I followed an instruction at https://randomnerdtutorials.com/reprogram-sonoff-smart-switch-with-web-server/ which worked well, although my board layout was slightly different, and I elected to use a male rather than female header on the board, and did not bother with the switch.

Here is a picture of my board, hooked up to the FT232RL controller –

The next step was upgrading my version of Arduino platform to 1.8.9 and adding the ESP8266 libraries. (The Sonoff presents as a generic ESP8266 board).

I decided I wanted my towel rail to, by default, turn on for 30 minutes and off for 90, always turning on at startup so that it could easily be used manually. Integrating this with the simple ESP8266 was a bit of a challenge, and not ideal, but the following solution works well for me:

/*********
  Rui Santos
  Complete project details at https://randomnerdtutorials.com  
  Modified by DavidGo to work as a controllable monostable vibrator.
*********/

#include <ESP8266WiFi.h>
#include <WiFiClient.h>
#include <ESP8266WebServer.h>
#include <ESP8266mDNS.h>

MDNSResponder mdns;

// Replace with your network credentials
const char* ssid = "SSID";
const char* password = "PASSWORD";

// Duty cycles in seconds
int timeon = 60;
int timeoff = 120;
// 100 - centiseconds taken to process web server
int processwait = 10;

ESP8266WebServer server(80);

// String webPage = "";
// int dgstatus = 0;

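int gpio13Led = 13;
int gpio12Relay = 12;

// RelayOn(), RelayOff() and ShowStatus() are called below but are missing from
// this listing. These minimal versions are a reconstruction so the sketch
// compiles; they assume the Sonoff Basic wiring (relay active-high on GPIO12,
// LED active-low on GPIO13).
bool relayIsOn = false;

void RelayOn() {
  digitalWrite(gpio13Led, LOW);
  digitalWrite(gpio12Relay, HIGH);
  relayIsOn = true;
}

void RelayOff() {
  digitalWrite(gpio13Led, HIGH);
  digitalWrite(gpio12Relay, LOW);
  relayIsOn = false;
}

String ShowStatus() {
  String page = "<h1>Towel rail is ";
  page += relayIsOn ? "ON" : "OFF";
  page += "</h1><p><a href=\"/on\">On</a> <a href=\"/off\">Off</a></p>";
  return page;
}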

void setup(void){


  // preparing GPIOs
  pinMode(gpio13Led, OUTPUT);
  pinMode(gpio12Relay, OUTPUT);
  RelayOn();


  Serial.begin(115200);
  delay(5000);
  WiFi.begin(ssid, password);
  Serial.println("");

  // Wait for connection
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println("");
  Serial.print("Connected to ");
  Serial.println(ssid);
  Serial.print("IP address: ");
  Serial.println(WiFi.localIP());

  if (mdns.begin("esp8266", WiFi.localIP())) {
    Serial.println("MDNS responder started");
  }

  server.on("/", [](){
    server.send(200, "text/html", ShowStatus());

  });
  server.on("/on", [](){
    RelayOn();
    server.send(200, "text/html", ShowStatus());
    delay(1000);
  });
  server.on("/off", [](){
    RelayOff();
    server.send(200, "text/html", ShowStatus());
    delay(1000);
  });
  server.begin();
  Serial.println("HTTP server started");
}

void loop(void){

  RelayOn();
  for ( int i=1; i<timeon*100; i++)
  {
       delay(processwait);
       server.handleClient();

  }
  RelayOff();
  for ( int i=1; i<timeoff*100; i++)
  {
       delay(processwait);
       server.handleClient();

  }
}

After extensive tweaking and testing, I was ready to install this behind my heated towel rail. Surprisingly this turned out to be the hardest part of the project.

One step not mentioned above is going into my router and assigning the SonOff a static IP address. This allows me to go to the HTTP webpage, view its status, turn it on and off and modify the on/off duty cycle. Of course, less sophisticated users can simply turn the device off and on again to restart it with an on time of 30 minutes.

FIRST OFF, MAKE SURE TO TURN OFF THE MAINS POWER BEFORE DOING THIS. Also be cognizant that you are working in a bathroom, and water and electricity do not play nicely together.

The Sonoff is fairly big, and was very difficult to mount behind the faceplate. Were I to do this again, I would ensure longer leads on both sides of the device to give it more play.

I also added a pilot indicator light (which I also bought from Ali Express). The nice thing was that this was 10mm round, so easy enough to install on the faceplate. The negatives are (a) it is a green light, but looks yellow when on, and (b) it is quite deep, and I did not take this into account when mounting it in the faceplate – I had to mount the faceplate upside-down as I did not want to drill through tile.

My final project looks as follows:



Free Roundcube Skin

I am quite used to the “Larry” Roundcube skin, and did not find the default theme to be as comfortable to use – however I have 2 mail boxes which I want to keep separate, but still use with Roundcube.   Looking for alternative themes did not yield an awful lot of options, and the ones which were available were either extremely overpriced or just did not work right.

So I went down a small rabbit hole – cloning the “Larry Skin” and then modifying it.   This worked – sort of.   After a frustratingly large amount of time I realised that (a) Larry appears to be special and the plugins have specific support for that skin – which are not available to modified versions of the larry skin without a lot of fiddling and (b) Roundcube supports child themes – so the solution is to make a child theme with just my modifications and link it to the Larry theme – which allows my plethora of plugins to continue to work – and would seem to substantially future proof it.

The documentation is fairly clear on how to extend a theme, but a few trivial gotchas – “Purple Larry” can be used to expose pretty close to the minimal set of changes required to make a child theme.

Anyone is welcome to use my extended skin (theme?) for free – just download it and extract it to the Roundcube skins directory.

 

 

Dell Venue 11 pro (7139) as a Linux Tablet – with full disk encryption !

I can’t stomach the “telemetry” in Windows 10, and wanted a cheap hybrid laptop / tablet for when I go travelling.  I really love the concept of the Dell Venue 11, and managed to pick up a mint condition second hand i5/250gig/8gig model – replete with keyboard and docking station for NZ$400 including shipping.

A couple of years ago I previously struggled to get an i3 model working with Linux touch-screen and WIFI, and I’m quite happy with how far things have come – All the hardware worked out of the box on Ubuntu 16.04.2 (Partly, I suspect, due to the Intel AC WIFI adaptor the unit came with) – unfortunately it did not work well as a tablet.

There are 2 enhancements I’ve implemented which I believe will make the unit a usable tablet –

Full Disk Encryption

Credit where it's due: the idea came from https://ranzbak.nl/tpmluks/ which I used as a starting point. Unfortunately it required quite a bit of work (in particular, extracting the initrd and rebuilding it is probably not ideal, and sha1 – while not fantastic – is probably better than using md5 hashes, and TPM is based on sha1 hashes. Also, the provided diffs did not work and the PCRs are in a different place).

While it's easy enough to enable FDE when setting up Linux, it requires a keyboard to enter the passphrase; however, the system does have an onboard keyboard for entering a (BIOS) password. Leveraging TPM, it's possible to set a boot password in the BIOS, and then use TPM to ensure the disk is encrypted.

First step is to take control of tpm:

apt-get install tpm-tools trousers

tpm_takeownership

In order to do this some modifications are needed in the initrd files. The idea here is to use a hash of the TPM PCRs – which should be unique to the device – to decrypt the disk if available (if not, we can always fall back to a regular passphrase).

Here is the diff (for Linux 16.04), which has the appropriate changes (and a downloadable replacement cryptroot file) – it more-or-less replicates the code block starting at line 311 with an additional block to check if the TPM is enabled and to try and mount the system using it if it is.
298a299,311
> # Attempt to decrypt using PCRS
> if [ -e /sys/class/tpm/tpm0/device/pcrs ]
> then
> sha1hash=`cat "/sys/class/tpm/tpm0/device/pcrs" | sha1sum | cut -f1 -d' '`
> if [ ! -e "$NEWROOT" ]; then
> if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
> echo $sha1hash | $cryptopen; then
> message "cryptsetup Invalid TPM hash ($sha1hash)"
> continue
> fi
> fi
> fi
>
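
Review bot: the "continue" in the failure branch jumps to the next pass of the enclosing loop, so when the PCR hash does not open the volume the passphrase block that follows (the one the text says starts at line 311) is skipped and the TPM attempt simply repeats; drop the "continue" and let control fall through to the passphrase prompt. In the same branch, message "cryptsetup Invalid TPM hash ($sha1hash)" prints the value that serves as the LUKS passphrase on the boot console; report a fixed string instead. The crypttarget=/cryptsource= prefixes apply only to "echo", which does not use them, and $sha1hash should be quoted.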

 

This also required the addition of 2 files to the initrd – sha1sum and cut.   To add these, find the lines “copy_exec” near the bottom of /usr/share/initramfs-tools/hooks/cryptroot and add

copy_exec /bin/cut

copy_exec /usr/bin/sha1sum

Then run "update-initramfs -u" to rebuild the initramfs image for your kernel.

You will also need to add the sha1 passphrase to your LUKS device, in an unused keyslot. (My LUKS device is /dev/sda3.) There is no doubt a better way to do this, but I simply did this:

cat /sys/class/tpm/tpm0/device/pcrs | sha1sum | cut -f1 -d' '

This produced a rather long string which represents a hash of the pcrs and what we use as a passphrase – it should be unique to the system.

I then set this by copying-and-pasting the passphrase into the second slot using the command

cryptsetup luksAddKey /dev/sda3 -S1

Note that S1 is slot 1 (the second slot – the first one is slot 0). There are 8 slots you can use.

Note: This is not as secure as using FDE directly – one attack would be for someone to "borrow" the system, remove the ssd, install a compromised initrd file, replace the drive, wait for you to enter your phrase and then they will have the hash which can be used for FDE. Of course, this is not significantly different to someone putting a keylogger on your system – and does provide protection if a thief simply steals the device.
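
The key-slot steps above as a script, with a check for whether the current PCR values still open slot 1 (useful before rebooting after a firmware or BIOS setting change, since the slot 0 passphrase is the only fallback). This is an added example, not the author's code: the function names, the snapshot path and the two-register listing in demo() are assumptions, and only /dev/sda3, slot 1 and the pcrs path come from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root: "enroll" once,
# "check" whenever the boot configuration may have changed.
PCR_FILE="${PCR_FILE:-/sys/class/tpm/tpm0/device/pcrs}"
LUKS_DEV="${LUKS_DEV:-/dev/sda3}"
SNAPSHOT="${SNAPSHOT:-/root/pcrs.enrolled}"   # assumed location
SLOT=1

# Same derivation as the initrd hunk: SHA-1 of the PCR listing, hex digest only.
pcr_passphrase() {
    [ -r "$1" ] || return 1
    sha1sum < "$1" | cut -f1 -d' '
}

# Names of the PCRs whose value differs between a saved listing ($1) and the
# current one ($2). Assumes one "PCR-nn: hex bytes" line per register.
changed_pcrs() {
    awk -F': ' 'NR == FNR { old[$1] = $2; next }
                old[$1] != $2 { print $1 }' "$1" "$2"
}

# Add the derived passphrase to key slot 1 without copy-and-paste.
# cryptsetup prompts for an existing passphrase to authorise the change.
enroll_slot() {
    key=$(pcr_passphrase "$PCR_FILE") || return 1
    tmp=$(mktemp) || return 1
    printf '%s' "$key" > "$tmp"          # no trailing newline, as when typed
    cryptsetup luksAddKey -S "$SLOT" "$LUKS_DEV" "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Does the current PCR state still unlock slot 1? Nothing is mapped or mounted.
slot_still_opens() {
    key=$(pcr_passphrase "$PCR_FILE") || return 1
    printf '%s' "$key" |
        cryptsetup luksOpen --test-passphrase --key-slot "$SLOT" --key-file - "$LUKS_DEV"
}

# Constructed listings (not real PCR values) to exercise changed_pcrs offline.
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'PCR-00: AA BB\nPCR-04: 01 02\n' > "$demo_dir/enrolled"
    printf 'PCR-00: AA BB\nPCR-04: 01 03\n' > "$demo_dir/now"
    changed_pcrs "$demo_dir/enrolled" "$demo_dir/now"
    rm -rf "$demo_dir"
}

case "${1:-}" in
    enroll) enroll_slot && cp "$PCR_FILE" "$SNAPSHOT" ;;
    check)  slot_still_opens && echo "slot $SLOT still opens" ||
            { echo "slot $SLOT no longer opens; changed registers:"
              changed_pcrs "$SNAPSHOT" "$PCR_FILE"; } ;;
    demo)   demo ;;
esac
```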

Onscreen Keyboard on login –

Although it should work, it appears that the “Onboard” keyboard does not correctly work with the default lightdm manager.   I eventually discovered that replacing it with gdm3  (apt install gdm3) fixed it.  A gotcha – You need to reboot the system after installing GDM3 – not just log out and in again.

OTHER:

I subsequently needed to do something similar with a Dell Latitude 7200 using Ubuntu 20.04 and TPM2.  I found instructions at https://run.tournament.org.il/ubuntu-20-04-and-tpm2-encrypted-system-disk/

Oneplus 3 Nougat with R/W System

I recently upgraded my Oneplus 3 to OxygenOS 4.0.3 – which runs Android 7.0.

I discovered that I could no longer write to the hosts file to do ad blocking and this was driving me crazy, so I set about changing the OS to allow me to do this – it required a single letter tweak to a file – but, unfortunately, this file is embedded in the heart of the ROM. Other than tweaking the fstab file in the initial ramdisk image to mount /system rw I have made no changes to the source code. (Of course, it is possible that when I repackaged this I did something slightly wrong, being that I've never done this before.)

Subsequent to installing this file (and SuperSu, of course), Adaway again happily does its thing and adverts have vanished.

I am uncertain of the security implications of allowing /system to be rw – but I am sure it's less of a frustration than being bombarded with adverts (and, come to think of it, it must be safer as well). I wrote a question on android.stackexchange, which suggests the threat is not that great – certainly less than the alternative hack I came up with, which required disabling selinux.

If anyone wants it, they can download it here. This file has an md5 sum of 0729ae4ba8d30ccf2a5ec0982021abb6 and a sha512 sum of e8c8e4bdbe960cfcbd0ce564710144bfac8ba663de6fd9df8a858a567f7317309bf6bad5645142feede6ae8741a5b3eaced2c4fd1214fdc6476d808f4f9b1dd9. It's a drop-in replacement for OnePlus3Oxygen_16_OTA_041_all_1702081756_f9fb218af59d4aa6.zip from the OnePlus 3 website. I expect it is smaller than the Oneplus 3 file because of different zip file compression? The file is about 1.5 gigs compressed. Usage is, of course, at your own risk. If you brick your device, don't come running to me. The only guarantee I make is that I flashed this firmware on my system and it behaved as expected.

Resolving shared WordPress Email issue

I like using a database to directly drive my virtual webhosting – this means that each account on the system has a UID and GID, but no username associated with it (ie in /etc/passwd or getent passwd)

Because of this, when users try and send an email in WordPress (eg to reset their password), WordPress does not send the message, complaining “Possible reason: your host may have disabled the mail() function.”

The underlying cause of the problem can be found by looking at the Postfix mail logs – where you get errors like "fatal: no login name found for user ID XXXX".

Fixing this problem – without relying on WordPress plugins or tweaks – is simple: modify the php.ini file Apache is using by adding the following line:

sendmail_path = /usr/sbin/sendmail -t -i -fwww@defaultwebaddress.goes.here

 

Secret of Oneplus 3

The OnePlus 3 has had some interesting reviews and press coverage, and its very much a mixed bag, but, nowhere online have I read about its killer feature – FANTASTIC (Almost unbelievable) RECEPTION.

I am blessed to live on a lifestyle block (ie semi rural), which gets marginal coverage from 2 Degrees Mobile – my preferred provider.  So marginal, in fact, that the deciding factor in purchasing my cellphones is the ability to handle 2 SIM cards, so I can fall over onto Vodafone so I can reliably receive calls at home.

With this, my desire for a technically advanced phone and particularly my spendthrift nature, the OnePlus 3 was the obvious choice.

I’ve been disappointed in its Bluetooth and software issues, but on the flipside, the ease of rooting the phone – and keeping it rooted, along with the snappy performance for the everyday things I do have made it a reasonable purchase.   So reasonable, I’ve just used it – without thinking about it.

THEN I REALISED – In the 3 months I've had the phone, I've never not been able to make or receive a call from home on my primary 2 Degrees SIM. (As opposed to issues about once a week on all my previous phones.) The list of phones where people have had issues includes Samsung Note 4 (my wife's and my earlier phone), LG G3 – H858HK – the dual sim phone I managed to brick while trying to re-root it after a software upgrade, as well as a plethora of guest phones including late model iPhones and various new Samsung devices.

Just how superior my phone's reception is (to my wife's Note 4, also on 2 Degrees) – and what has prompted me to write this note – is we went for a drive to Shakespeare park – she had no coverage, yet I had strong cellphone coverage. My coverage was still excellent in the brick enclosed water closet onsite!