sigmaris.info

U-Boot for ayn Odin

Sat, 11 Jan 2025 19:21:35 +0000

Last year, I picked up a new ayn Odin gaming handheld, and ended up working on installing Linux on it (regular Linux, not Android). I thought the process and things I learned during it would make for some good blog posts, so part of the way through the process I started writing down what I was doing, in the hope it would be interesting to others when published. This post will be the first in a series hopefully following the journey in getting full, or at least workable, support for it in upstream Linux so that anyone can install Linux on their Odin device and keep it up to date with the latest emulators, graphics drivers and so on.

NanoPC-T6 Notes

Sun, 04 Feb 2024 18:29:00 +0000

Recently I’ve been following progress on support for the Rockchip RK3588 System-on-Chip in mainline Linux. I have been using a RockPRO64 single-board computer based on Rockchip’s previous top-end SoC RK3399 for several years as a media centre running Kodi, on Debian with a mainline Linux kernel (plus some patches for improved multimedia support from the LibreELEC project).

I’ve been pretty satisfied with the support for RK3399 in mainline Linux, as opposed to a vendor BSP based on an old kernel like 4.4. The good level of upstream support is partly due to the fact the RK3399 was used in several Chromebook devices, and thanks to Chromium OS’s “Upstream First” policy they contributed a large amount of support for the RK3399 in the open source projects used in Chromium OS, most importantly Coreboot, ARM Trusted Firmware and the Linux kernel.

Multipath routing with Oracle Cloud IPSec tunnel

Sat, 06 Jan 2024 13:20:35 +0000

This weekend I figured out how to set up multipath routing with Oracle Cloud’s Site-to-Site VPN. I have been using Oracle Cloud for a while as they have a generous “Always Free” plan for their 64-bit ARM virtual servers. To create a site-to-site connection between my home network and the Oracle Cloud network, I use their IPSec Site-to-Site VPN service. This type of VPN is made up of two IPSec tunnels, with different endpoints on the Oracle side, though strangely you can only specify one IP address for the endpoint on your side of the tunnels - Oracle calls this the Customer Premises Equipment or CPE. But in any case, the idea is you establish two tunnels to Oracle for redundancy, even though they both go to one endpoint on the “customer premises”.

Making life easier with Yubikeys for browser TOTP

Sat, 25 Jan 2020 13:49:00 +0000

Following on from the post about AWS logins with Yubikey, I also wanted to share another helpful bit of code to automate typing TOTP codes from a Yubikey into web pages on macOS.

The usefulness of this is hopefully on the decline as websites migrate to WebAuthentication - which interfaces directly with a token like a Yubikey instead of requiring a code input as text, and doesn’t require this approach - but TOTP codes are still used by many sites at the time of writing.

Making life easier with Yubikeys and the AWS CLI

Sat, 07 Dec 2019 11:24:00 +0000

If you’re working with Amazon Web Services, and want the highest level of security around usage of your AWS account, AWS recommends that you use IAM users instead of the account’s root user, set up Multi-Factor authentication (MFA) on the IAM users, and then require MFA for API operations. Typically this requires the person performing operations on AWS to provide a one-time code when they authenticate to AWS, as well as their more permanent password (for the web console) or their Access Key (for the CLI and SDKs).

Automating Debian install in QEMU

Sun, 28 Apr 2019 10:57:12 +0000

I recently wanted to automate building a headless Debian testing (codename “buster”) virtual machine, hosted on macOS, and it turned out to be somewhat more complicated than I expected, so I thought I’d document it here for others’ benefit.

Instead of installing VirtualBox, VMWare Fusion or Parallels which are quite heavyweight virtual machine apps, I wanted to run a headless VM using QEMU, which can be installed easily using Homebrew. QEMU now supports hardware accelerated x86 virtualisation on Macs using the Hypervisor.framework built in to macOS.

The script and preseed file to perform the fully automated install is here, and I’ll explain the details behind what it does in this post.

Cross compiling Rust on Mac OS for an ARM Linux router

Mon, 04 Feb 2019 22:57:12 +0000

Wanting to compile a small program I’d written in Rust to run on my home router, I found this guide to cross compilation of Rust code. The router is a Netgear R7000 with an ARM processor, running FreshTomato, a distribution of Linux for ARM and MIPS architecture consumer routers. The top of that guide shows an example of installing the cross-compilation toolchain for ARM on Ubuntu, but it required some work to adapt to Mac OS High Sierra, my desktop environment.

Make certbot Let’s Encrypt certificates readable by Debian ssl-cert group

Sat, 05 Jan 2019 12:09:15 +0000

On Debian, there’s a group named ssl-cert which grants access to TLS certificates and private keys, so that services that don’t run as the root user can still use TLS certificates. For example, the PostgreSQL Debian package installs PostgreSQL to run as a user named postgres, which is a member of the ssl-cert group, and so it can use certificates and private keys in /etc/ssl.

The certbot Let’s Encrypt client, by default, makes the certificates and private keys it installs only readable by the root user. There is an open issue against certbot, requesting that on Debian, certbot should follow the Debian standard of making the certificates and keys readable by the ssl-cert group as well. In the meantime, until that issue is resolved, the ownership can be set by a post-hook which will be run by certbot after obtaining or renewing a certificate.

Encoding DNS URI records for DNSMASQ

Sat, 21 Apr 2018 11:42:08 +0000

Dnsmasq can be configured to add various types of records like SRV, PTR, and NAPTR to its internal DNS server by various directives in its configuration file. But what if there’s a less common type of DNS record that you want to serve, which dnsmasq doesn’t have a specific configuration directive to handle?

Handily, dnsmasq also supports serving arbitrary DNS resource records using the dns-rr option. However you have to supply the binary value of the response encoded in hexadecimal. Here’s an example of how to do this for a URI record with Python. The URI record type is described in RFC 7553 which describes the binary value of the response (“wire format”) as:

A handy reference list of GSS-API mechanism OIDs

Mon, 12 Dec 2016 23:56:14 +0000

This is more for my own reference, but might be useful for others.

1.2.840.113554.1.2.2 – Kerberos v5 – RFC 1964

1.2.840.48018.1.2.2 – Kerberos V5 (incorrect, used by old Windows versions)

1.3.6.1.5.5.2 – SPNEGO – RFC 4178

1.3.6.1.5.2.5 – IAKERB – draft-ietf-kitten-iakerb-03

1.3.6.1.4.1.311.2.2.10 – NTLM SSP – Heimdal:lib/gssapi/oid.txt

Home IPv6 Tunnel

Sat, 09 Jun 2012 17:34:27 +0000

The news of World IPv6 Launch Day last week prompted me to properly set up IPv6 for my home network. Unfortunately my ISP doesn’t offer native IPv6 connectivity — not many consumer ISPs do — but fortunately there are free services which will provide an IPv6 ‘tunnel’ over the IPv4 internet, to the wider IPv6 world. I signed up to Hurricane Electric’s service at tunnelbroker.net and was soon up and running. Hurricane Electric will issue you a /64 block of IPv6 addresses, which you can allocate as you see fit. You need to set up one system to handle your end of the tunnel, and route all traffic destined for the wider IPv6 internet over the tunnel. I already had a Linux server running that was handling the local end, but since I’ve recently acquired an Asus RT-N16 router running DD-WRT, I decided to enable IPv6 support on it and use it as the tunnel endpoint, so it can serve as the default gateway for both IPv4 and IPv6 on my LAN.

To do this you need to be running one of the DD-WRT builds with IPv6 support, I am using the “mega” build which includes pretty much everything. As well as enabling IPv6 support in the DD-WRT admin web interface, you need to set up a custom script to bring up the tunnel when the router starts up. The script I used is below – you need to replace the following:

(userid): the User ID shown on the tunnelbroker.net page when you log in
(md5password): the MD5 hash of your tunnelbroker.net password
(tunnelid): the Tunnel ID of your tunnel
(remotev4): the IPv4 address of the remote end
(localv6): the IPv6 address of the local end
(lanv6): one IPv6 address, out of your routed IPv6 /64, allocation that you want to use for your router on your LAN

insmod ipv6
WANIP=$(nvram get wan_ipaddr);
wget -O - 'https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&user_id=(userid)&pass=(md5password)&tunnel_id=(tunnelid)'
ip tunnel add he-ipv6 mode sit remote (remotev4) local $WANIP ttl 255
ip link set he-ipv6 up
ip -6 addr add (localv6) dev he-ipv6
ip -6 addr add (lanv6) dev br0
ip -6 route add ::/0 dev he-ipv6
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
radvd -C /tmp/radvd.conf

This image shows where to find some of the information in your tunnelbroker.net page:

The setup script needs to be saved, as a custom startup script, in the Administration -> Commands section of the DD-WRT web interface.

I had also enabled radvd in the DD-WRT web interface to advertise the gateway to the wider IPv6 world on my LAN, but for me it failed to start on boot, so I added the radvd -C /tmp/radvd.conf line to make sure it starts after the tunnel is configured. The configuration file used for radvd is below, replace (routedv6) with your routed IPv6 /64 allocation, including the /64, and paste it into the box for radvd config in the DD-WRT web interface:

interface br0
{
   AdvSendAdvert on;
   prefix (routedv6)
   {
       AdvOnLink on;
       AdvAutonomous on;
   };
};

This setup means that on the other computers on the LAN (all Macs), I can set “Configure IPv6: Automatically” in the Network Preferences and IPv6 connectivity just works. The other machines on the LAN will configure themselves based on the information radvd sends out, using stateless autoconfiguration. However, this ease of use comes with a security risk…

Two-factor authentication with Mac OS X and OpenSC part 2

Sun, 20 Feb 2011 23:11:50 +0000

This is the second part of the guide to smartcard-based authentication on Mac OS X. In this part of the guide, I’m going to assume that following Part 1, you have installed OpenSC, initialised your smartcard, and loaded or generated some certificates and private keys onto it. Now I’m going to show you how to use the card for actual authentication.

Two-factor authentication with Mac OS X and OpenSC part 1

Sat, 13 Nov 2010 22:59:27 +0000

Interested in using a smartcard for secure two-factor authentication on OS X? What about E-mail signing and encryption, SSH key authentication, and more? All of these applications are possible, using the built-in smartcard support in OS X and open source software. What follows is the first part of a guide to using smartcards on OS X, using software from the OpenSC Project.

A Service for unmounting volumes in OS X

Mon, 05 Apr 2010 00:13:47 +0000

A little while ago I had a problem. My phone is a Sony Ericsson K800i, with 64MB of internal storage and a slot for Memory Stick expansion storage. I was using it as an MP3 player, and so had an 8GB memory stick in there to store MP3s.

When I connected it to my Mac in USB drive mode to transfer files, it appeared in the Finder as two storage devices, one for the internal storage and one for the memory stick. When I’d finished transferring files I would click Eject on the memory stick’s device to safely remove it. Then I’d do the same on the internal storage’s device, but this would eventually fail and report an I/O error. The phone’s screen would show that the USB connection had ended, but one of the devices would still show in the Finder. If I then unplugged the USB cable the Finder would tell me that data might have been lost since I didn’t eject the storage device properly.

UnmountService

Mon, 05 Apr 2010 00:11:42 +0000

Services are a means in Mac OS X for the user to pass small pieces of data out of one application to another. The pieces of data may be snippets of text, images or files. Applications can publish Services that accept certain types of data, and these Services can be passed data out of almost any other Mac application.

In Snow Leopard, the role of Services has been expanded somewhat; they can now be accessed through the context menu of items they support. This means I can right-click on a file in the Finder, and get a context menu option “Send File To Bluetooth Device” which is a Service which can be sent files, published by the Bluetooth File Exchange utility. This application does the same kind of thing – it publishes a Service which can be sent volumes and attempts to unmount them.

Student Tech Meetup talk

Thu, 18 Feb 2010 09:13:35 +0000

On Wednesday, I gave a talk at the Student Techmeetup here in Edinburgh on DS homebrew development. As promised, I’ve uploaded the slides from that talk as a PDF here, with links to a few tutorials and resources included in them, along with some notes.

emitSMS plugin update

Sat, 16 Jan 2010 15:10:00 +0000

The emitSMS plugin has been updated with a small new feature – it will now strip out dashes and spaces from your phone numbers in Address Book before sending them to the phone, as most phones don’t seem to accept numbers in this format. Grab the new version here.

Address Book SMS Plugin

Wed, 09 Dec 2009 15:56:48 +0000

In the distant past, the Address Book app in Mac OS X Tiger could send mobile SMS messages directly from within the app, if you paired your mobile phone with your Mac via Bluetooth. Along came Leopard, and the feature mysteriously vanished without trace or explanation, and hasn’t reappeared since. Missing the feature, I found a roundabout replacement in the emitSMS dashboard widget. It offers SMS sending via Bluetooth and can also search the Address Book for phone numbers. Having seen that the source code for emitSMS was released, I adapted the backend into a plugin for Address Book.app to provide the missing former functionality.

emitSMS plugin bug fix

Sun, 25 Oct 2009 23:26:38 +0000

Here’s a new version of the Address Book plugin for SMS sending, with a small bug fix intended to stop it hanging after sending an SMS. If you’ve seen this problem with earlier versions, please let me know if this version has fixed it or not 🙂

emitSMS Address Book Plugin updated

Thu, 01 Oct 2009 11:26:13 +0000

The emitSMS plugin for Address Book has been updated to use native Mac OS methods to access the phone over Bluetooth, rather than using an emulated serial port. This should make it less flaky when used under Snow Leopard. You can get the updated plugin here, and the new source code is here.

emitSMS plugin for Mac OS X Address Book.app

Mon, 14 Sep 2009 16:16:27 +0000

Deflektor remake for Nintendo DS

Sun, 07 Jun 2009 23:32:03 +0000

Here is a project I’ve been working on for a few weeks to learn more about DS homebrew coding. It’s a remake of Deflektor, an old puzzle game that I played on the Amiga. I’ve tried to keep the retro feel of the original while updating it to use the touchscreen interface.

The aim is to rotate the mirrors () to reflect the laser beam from the source () to blow up all the triggers () and then enter the target (). Rotate the mirrors by tapping on them and then dragging to align the mirror at a particular angle. You start with an amount of energy which is constantly declining (the green bar). Directing the beam into a spike () or reflecting the beam back to the source will cause it to overload (represented by the red bar). If the source is overloaded too much or if you run out of energy, you lose a life. There are also rotating blocks which only allow the beam to pass at a certain angle (), teleports () which work in pairs, and blocks which randomize the beam direction (). In addition, in some levels there are gremlins which roam about the board and mess with your stuff. You can get rid of them by tapping on them repeatedly.

DesMuME for Mac OS X with GDB stub support

Mon, 06 Apr 2009 04:00:11 +0000

I’ve built a Mac (Intel) binary of DesMuME, from the latest SVN code, with a patch to enable masscat’s GDB stub. With it you can load a homebrew rom, connect to DesMuME with the copy of GDB that’s provided with devkitARM, and start debugging your homebrew code while it’s running in the emulator. For more details check out this post on the official forums.