Oneplus 3 Nougat with R/W System

I recently upgraded my Oneplus 3 to OxygenOS 4.0.3 – which runs Android 7.0.

I discovered that I could no longer write to the hosts file to do ad blocking, and this was driving me crazy, so I set about changing the OS to allow me to do this. It required a single-letter tweak to one file – but, unfortunately, that file is embedded in the heart of the ROM. Other than tweaking the fstab file in the initial ramdisk image to mount /system rw, I have made no changes to the source code. (Of course, it is possible that when I repackaged this I did something slightly wrong, given that I’ve never done this before.)

Subsequent to installing this file (and SuperSU, of course), AdAway again happily does its thing and adverts have vanished.

I am uncertain of the security implications of allowing /system to be rw – but I am sure it’s less of a frustration than being bombarded with adverts (and, come to think of it, it must be safer as well). I wrote a question on android.stackexchange, which suggests the threat is not that great – certainly less than the alternative hack I came up with, which required disabling SELinux.

If anyone wants it, they can download it here. This file has an md5 sum of 0729ae4ba8d30ccf2a5ec0982021abb6 and a sha512 sum of e8c8e4bdbe960cfcbd0ce564710144bfac8ba663de6fd9df8a858a567f7317309bf6bad5645142feede6ae8741a5b3eaced2c4fd1214fdc6476d808f4f9b1dd9. It’s a drop-in replacement for the corresponding file from the OnePlus 3 website. I expect it is smaller than the OnePlus 3 file because of different zip compression? The file is about 1.5 gigs compressed. Usage is, of course, at your own risk. If you brick your device, don’t come running to me. The only guarantee I make is that I flashed this firmware on my system and it behaved as expected.

Resolving shared WordPress Email issue

I like using a database to directly drive my virtual web hosting – this means that each account on the system has a UID and GID, but no username associated with it (i.e. nothing in /etc/passwd or from getent passwd).

Because of this, when users try to send an email from WordPress (e.g. to reset their password), WordPress does not send the message, complaining “Possible reason: your host may have disabled the mail() function.”

The underlying cause of the problem can be found by looking at the Postfix mail logs – where you get errors like “fatal: no login name found for user ID XXXX”.

Fixing this problem – without relying on WordPress plugins or tweaks – is simple: modify the php.ini file Apache is using by adding the following line:

sendmail_path = /usr/sbin/sendmail -t -i


Secret of Oneplus 3

The OnePlus 3 has had some interesting reviews and press coverage, and it’s very much a mixed bag, but nowhere online have I read about its killer feature – FANTASTIC (almost unbelievable) RECEPTION.

I am blessed to live on a lifestyle block (i.e. semi-rural), which gets marginal coverage from 2 Degrees Mobile – my preferred provider. So marginal, in fact, that the deciding factor in purchasing my cellphones is the ability to handle 2 SIM cards, so I can fall over onto Vodafone and reliably receive calls at home.

With this, my desire for a technically advanced phone and particularly my spendthrift nature, the OnePlus 3 was the obvious choice.

I’ve been disappointed in its Bluetooth and software issues, but on the flipside, the ease of rooting the phone – and keeping it rooted, along with the snappy performance for the everyday things I do have made it a reasonable purchase.   So reasonable, I’ve just used it – without thinking about it.

THEN I REALISED – in the 3 months I’ve had the phone, I’ve never not been able to make or receive a call from home on my primary 2 Degrees SIM (as opposed to issues about once a week on all my previous phones). The list of phones where people have had issues includes the Samsung Note 4 (my wife’s and my earlier phone), the LG G3 H858HK – the dual-SIM phone I managed to brick while trying to re-root it after a software upgrade – as well as a plethora of guest phones including late-model iPhones and various new Samsung devices.

Just how superior my phone’s reception is (to my wife’s Note 4, also on 2 Degrees) – and what has prompted me to write this note – is that we went for a drive to Shakespeare park: she had no coverage, yet I had strong cellphone coverage. My coverage was still excellent in the brick-enclosed water closet on site!


Hangsun S80 Lamp

I purchased one of these lamps in 2016.  Below details my findings and some help to others (maybe).

The product is not good at all – indeed if returning it were a practical option I would – but because I live down-under, shipping costs make this prohibitive – so I’ve tried to make the best I can.

Problems I encountered –

I could not download the Android app, no matter how hard I tried – I assume this is because of country restrictions set by the developer. Luckily, I reached out to them, and they responded with a QR code to download the app (not sure if this is a different one to the one on the base of the unit and in the manual, or if they updated their permissions), but here it is:

QR Code

This app seems to work a lot better than the iPad app I previously needed to use – specifically it fixes a bug where you could not set maximum brightness on the lamp, and it has a cleaner interface.

The display

The display on the unit is backlit – and the backlighting only comes on when you are interacting with it – it is also blindingly bright white light, particularly in a dark room. This means that you can’t simply look over at the clock to see it’s 3am. I greatly reduced this issue by adding a small red LED to the backlight (in conjunction with a 150 ohm resistor, which I attached to the top and bottom pins of the conveniently located CON6 connector to the left of the display board). This allows me to read the light without having to turn it off. Next time I open the unit, I intend to disconnect one of the 2 white LEDs which power the backlighting. (It’s not possible to simply replace one of these with a red LED, as they are merged into the display.)

The hardware

Although very, very let down by the software, the hardware appears to be OK – although it is all plastic.  The design appears to be modular and thus somewhat hackable.

One confusing and disappointing thing though is that the maximum lamp wattage is supposedly 6 watts (according to the package this is the size of the replacement lamp, and according to an email from them this is the maximum size). The problem with this theory is that the lamp included is a 7 watt warm white dimmable LED. While more-or-less adequate, it’s not fantastic, and certainly not as good as my previous jerry-rigged system, which used the equivalent of a 100 watt CFL bright white light.

Other notes and letdowns

The promotional video seems to imply you can program a significant number of on-off events – this is incorrect – you are limited to a maximum of 2 events. You cannot specify which days, although you can turn the alarm on and off manually – this is nowhere near as convenient as a 7-day timer, for example.

You can’t have the light come on without an alarm – the alarm level can be set to low, but not off. This is irritating. I intend to install a switch so I can disconnect the speaker.

The light seems to turn on at random times – but without sound. Interestingly this has stopped since I unplugged the unit for an extended period, out of frustration at it coming on in the middle of the night.

On my unit, you can’t output sound over Bluetooth to the device.  (You are supposed to be able to do this according to the manual).  Not sure why this is, the unit is paired, just no sound output, regardless of volume!

The Amazon listing has a number of 5 star reviews – if you look at the reviewers though, they are all (as of the time of this post) shills, having all posted exactly 2 reviews on the same 2 products. The other reviews stand at 1 – except for mine, which I need to upgrade to 2 (I’m doing that as part of a deal I’ve done with them to get the QR code and confirmation of the maximum wattage – and to be honest, the unit is kinda usable).

Samsung 840 EVO Geometry

I recently had a need to upgrade a 500 gig (RAIDed) hard drive to an SSD. I noted that the standard geometry for a 500 gig hard drive presents as 500.1 gigs, while the data sheet for the Samsung 840 EVO MZ-7TE500BW SSD claims it to be fractionally smaller on the detailed spec sheets I found.

Happily this is not the case, and it has the same size as most 500 gig hard drives, i.e. RawCHS=16383/16/63.

Swap and Encfs mounting on Startup in Ubuntu

I use Ubuntu 14.04 on my laptop and I have a somewhat unique setup, whereby I use DRBD and encfs to mirror and secure my data as I understand that when SSD drives fail they tend to do so catastrophically and without warning.   I thus have a rather complex boot process.

I spent the morning tidying up the boot process so it looks professional (* which is not to say that this is the professional or best way to do it – but it works)

I discovered there is a dearth of information on the kinds of things I want to do, but needed to become familiar with the following –

Plymouth – The fancy boot screen that Ubuntu throws up when it boots – that’s run by plymouthd. It is possible to interact with plymouthd by using plymouth. Your mileage may vary, but I discovered that when plymouthd is running it has a pid file in /dev/.initramfs/ – so by checking for that file I can request the passphrase using plymouth or a command prompt as appropriate.

encfs – Using the -S switch makes encfs read the passphrase from stdin (so it can be piped in from plymouth).

rc.local – I run this entire script from rc.local – because it’s easy enough to do, and happens automatically and before plymouth exits.

The script is as follows:

#! /bin/bash
# Run from rc.local: bring the network up, start DRBD, mount the mirrored volume,
# then mount the encfs view of it.
ifconfig eth0 my.internal.ip
/etc/init.d/drbd start
/bin/mount /dev/drbd0 /media/drbd0

# While plymouthd is running it keeps a pid file under /dev/.initramfs/; test for that
# file to decide whether to ask for the passphrase via plymouth (piped into encfs -S,
# which reads it from stdin) or on the console.
if [ -f "/dev/.initramfs/" ]; then
        /bin/plymouth ask-for-password --prompt "Passphrase: " | /usr/bin/encfs /media/drbd0/ /data/ssd --public -S -o nonempty
else
        /usr/bin/encfs /media/drbd0/ /data/ssd --public -o nonempty
fi

# $? is encfs's exit status: keep asking until the passphrase is accepted.
while [ $? -ne 0 ]; do
        if [ -f "/dev/.initramfs/" ]; then
                /bin/plymouth ask-for-password --prompt "Passphrase was not accepted.  Please enter Passphrase: " | /usr/bin/encfs /media/drbd0/ /data/ssd --public -S -o nonempty
        else
                echo "Incorrect Password"
                /usr/bin/encfs /media/drbd0/ /data/ssd --public -o nonempty
        fi
done

# We have all sorts of problems if /tmp is not mounted before X
# but we want to ensure it's encrypted !!

#echo "Note: We destroy /tmp on restart as good Linux systems do, but "
#echo "there is a backup of the last boot at /data/ssd/tmp-old"

echo "Stopping services that need /tmp or a network and fixing these"
/etc/init.d/openvpn stop
/etc/init.d/ssh stop

# Rotate the previous boot's /tmp aside, create a fresh one inside the encrypted
# volume (1777 = world-writable with the sticky bit, as on a normal /tmp) and point
# /tmp at it.
rm -r /data/ssd/tmp-old
mv /data/ssd/tmp /data/ssd/tmp-old
mkdir /data/ssd/tmp
chmod 1777 /data/ssd/tmp
rm -r /tmp
ln -s /data/ssd/tmp /tmp

dhclient eth0 &

echo "Restarting services that need /tmp or a network"
/etc/init.d/ssh start
/etc/init.d/openvpn start


In addition I did the following:

Stopped display managers from starting under system control on boot. This is a bit weird because they exist in /etc/init (as Upstart jobs), rather than /etc/init.d where I would have expected. Anyway, I moved gdm.conf, lightdm.conf and lxdm.conf out of /etc/init (and into a new directory called /etc/notinit which I created).

I also took steps to encrypt the swap space on startup.  This does not appear to be well documented, but is quite easy.  Simply make the following modifications to

/etc/crypttab  (Create it if it does not exist)

swap /dev/mapper/ubuntu--vg-swap_1	/dev/urandom swap,cipher=aes-cbc-essiv:sha256

This line creates “/dev/mapper/swap” on top of the backing device “/dev/mapper/ubuntu--vg-swap_1”, keyed with random data read from /dev/urandom at each boot (so whatever was swapped out is unrecoverable after a power-off).

and /etc/fstab

/dev/mapper/swap none            swap    sw              0       0

Which mounts /dev/mapper/swap (remember to comment out the old swap entry).

If you look through my rc.local script, you will see I jump through all kinds of hoops to move /tmp into encrypted space after startup. An easy alternative might be to do something similar for /tmp as I did for swap above – the downside being that it requires a fixed amount of disk space which is carved out of my SSD.

It’s worth noting that all sorts of wonderfully weird and non-obvious failures occur if /tmp is not mounted and readable by all (including X window managers crashing and issues with sound). /tmp really needs to be usable BEFORE X is loaded.


BD-F6500 region free upgrade – Firmware 1010 / 1017 note

In case anyone has the same issue –

A few months ago I purchased a Samsung BD-F6500 from Noel Leeming (a whiteware retailer in New Zealand). A few days ago, we purchased some DVDs which were “region 2” and would not play on our NZ/AU – region 4 – player(s).

I attempted to region unlock the player using the method on the Internet, i.e. start the DVD player, open and close the [empty] DVD drive, press repeat, enter “7 6 8 8 4”, then “9” for region free. This failed to work a number of times.

With nothing to lose I upgraded the firmware to 1017, and was able to unlock the drive using the above process without issue on the first attempt.

(Of-course, friends who download their content using filesharing networks don’t have these issues – and the media industry wonder why movie piracy is so common ?)


Adding Perfect Forward Secrecy to OpenVPN

Perfect Forward Secrecy is a property of an encryption scheme that frustrates the decryption of traffic captured and stored before an adversary later discovers the secret key. This is done by generating a new random key every time data is transmitted.

Enabling this in OpenVPN is quite easy, but does not appear to be well documented.  The steps to do this are:

Create a shared static key (the same key is used by the server and every client), e.g.

openvpn --genkey --secret /path/to/store/pfs.key

Securely distribute this key to each OpenVPN client, then add the following to the server

tls-auth /path/to/store/pfs.key 0

and this to each client

tls-auth /path/to/store/pfs.key 1


It is also possible to embed the tls-auth key in the configuration file itself. To do this, open a <tls-auth> tag, paste in the key and add the closing </tls-auth> tag. Then add another directive, key-direction X, where X is 0 for the server or 1 for the client (i.e. the same as the second argument on the tls-auth line when using a key file).

So the appropriate snippet (shown here for the server; a client uses key-direction 1) would look something like:

key-direction 0
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
# (the 16 hex lines of pfs.key go here)
-----END OpenVPN Static key V1-----
</tls-auth>

Windscreen Flyer Solution

I am one of those people who get irritated when I come to my car and find a flyer has been stuck under the windscreen. I discovered an (at least partial) solution to the problem – one which is so obvious I wonder why I have not heard of it before. (That I have been dealing with some frustrating spam-related issues probably helped focus my mind.)

I was recently at a favorite watering hole one evening, and had parked my car in a public car park. When I returned to my vehicle I noticed a local restaurant had placed a flyer under my windscreen. (I was, of-course, aware of the restaurant – it was within 200 meters of where I parked).

As I was inconvenienced by having to get out of my car to remove the flyer, the solution was obvious. Armed with a few sweet wrappers and the flyer, I walked in to the restaurant, caught a waiter’s attention and sprinkled my advertising for the sweets (and their flyer) across an unoccupied table at the restaurant, while protesting the placement of litter on my car, before leaving. From the deeply satisfying protestations I heard as I exited, I believe I made my point.

In hindsight, I could have done this a little better. Looking back, I realize I should have torn the flyer into small pieces and scattered that instead of depositing my own “sweet advertisement”. Of course, in addition to the Litter Act 1979 (*assuming the flyer or “sweet advertisement” can be defined as litter), Auckland Council also has a bylaw preventing the placement of flyers on cars. You can find it here – the key is the definition of poster: “means a temporary sign of 1.5 square meter or less, including a placard, leaflet, flyer or communication device of a like nature, which is directly affixed (without the need for a supporting structure) to walls, buildings or structures, furniture, utilities, traffic signage or placed on any car windscreen, the message of which does not relate to the site or public place where the poster is displayed.” Section 27.3.7 prevents the displaying of the poster – interestingly this includes private land – so I don’t think there will be too much push-back.

Fail2Ban and Brute-Force Password attacks on WordPress

I maintain a server hosting a fair number of WordPress blogs and I get inundated with brute-force password attempts. In order to minimise the likelihood of an attack succeeding, I have taken to limiting the number of login attempts: I’ve customised some Fail2Ban rules to provide an “overriding” lockout of accounts.

The code certainly has its limitations – for example it will, without warning, temporarily lock out people who have forgotten their passwords – however for the most part it works pretty well.

One of the things I’ve noticed recently is that some attackers are persistent – they will continue to try to log in even when null-routed, and for long periods of time. I’ve thus written a second rule which looks through the fail2ban logs and bans – for an extended period – any IP which has been banned more than a few times. This further reduces the likelihood of a compromise, and also reduces the amount of “fail2ban spam” I receive, i.e. notifications of a ban being put in place.

Additionally, I’ve come up with a custom rule to ban IPs sniffing around for a WordPress site where none exists.

The appropriate Fail2Ban filter files (in /etc/fail2ban/filter.d) are as follows –


# Fail2Ban configuration file
# Author: Tim Connors
# Tweaked by David Go

[Definition]

# Ignore a specific client who often forgets their password.
# (ignoreip is a jail option: fail2ban reads it from jail.conf, not from a filter file.)
ignoreip = XXX.XXX.XXX.XXX

# Option:  failregex
# Notes.:  Regexp to catch Apache dictionary attacks on WordPress wp-login
# Values:  TEXT
failregex = :80 <HOST> -.*(GET|POST).*/wp-login.php.*(HTTP)
            :443 <HOST> -.*(GET|POST).*/wp-login.php.*(HTTP)


# Fail2Ban configuration file
# Author:  David Go

[Definition]

# Option:  failregex
# Notes.:  Regexp to catch Apache dictionary attacks on WordPress wp-login
# Values:  TEXT
#failregex = <HOST>.*] "POST /wp-login.php

failregex = \[client <HOST>\] script \'/PATH/TO/VIRTUALHOSTS/(.*)/wp-login.php\' not found or unable to stat


# Fail2Ban configuration file

[Definition]

# Make sure we never lock ourselves out.

# Match fail2ban's own "Ban" lines, so hosts banned repeatedly can be banned for longer.
failregex = fail2ban.actions: WARNING.* Ban <HOST>

And, of course, the appropriate jails in jail.conf (the section names below simply follow the filter names):

[apache-wp-probe]
maxretry = 3
findtime = 180
bantime = 14400
enabled = true
port    = http,https
filter  = apache-wp-probe
logpath = /var/log/apache2/error.log
action  = iptables-multiport[name=wpprobe, port="80,443", protocol=tcp]

[apache-wp-probe2]
maxretry = 3
#findtime = 14400
bantime = 14400
enabled = true
port    = http,https
filter  = apache-wp-probe2
logpath = /var/log/apache2/error.log
action  = iptables-multiport[name=wpprobe2, port="80,443", protocol=tcp]

[persistentban]
maxretry = 3
enabled = true
filter = persistentban
findtime = 3600
bantime = 86400
logpath = /var/log/fail2ban.log
action = iptables-multiport[name=multiban, port="80,443,21", protocol=tcp]