Free the Meraki

February 22nd, 2017

So, around 3 years ago, we had some Meraki access points at work. I was pretty keen on the tech, but less so on the licence model, where you pay the going rate for an access point, and then have to pay for a licence to use it, or it becomes useless, because it will only work if connected to Meraki’s cloud management.

This is no longer true, and became untrue a while ago, and as the Meraki APs we had have come due for renewal, and have been replaced, I had one thrown in my direction.

A bit of searching threw up a few pages suggesting OpenWRT will work just fine, with a couple of caveats about the difficulty of rooting the device to gain enough access to overwrite the Meraki firmware: they’d really rather not let you do this- they give away sample access points, so maintaining their licence model is the way they make money.

Anyway, I already had a CP2102 USB-Serial (TTL level) converter I’d bought to have a play with one of those dodgy webcams, so I bought a PSU from Ebay, and got out the soldering iron, PuTTY, and an ethernet crossover cable.

The basic instructions are here, but to get root, I had to follow the procedure here, and indeed root the standard firmware (to get a reboot command, as my AP would not boot properly with the UART connected to the laptop).

The first challenge was getting the UART cabled correctly: the phrase

an UART adapter wired to the MR18 (speed is 115200). Pinout (left to right): VCC/RX/TX/GND

was misleading for me: first of all, that is correct if you hold the AP with the connector at the top like in this picture, and secondly, the RX/TX designation refers to which pins you need to connect from the CP2102, rather than their function on the AP, so I had some fun getting the UART cabled.

The second, but not hard, challenge was installing a web server, and realising that openwrt-ar71xx-nand-mr18-initramfs.bin had changed name to openwrt-ar71xx-nand-mr18-initramfs-kernel.bin in a later version.

The third challenge was that the AP got stuck in a boot loop from cold with the UART connected, though a warm boot was fine. That wasn’t a problem for the initial rooting (where you hold down “S”), as there’s enough time during the boot cycle after powering up the AP, but when it came to booting the OpenWRT image, I couldn’t hit “2” in time: I resolved this by rooting the Meraki firmware to get a reboot command, then hitting “2”.

With those out of the way, it was as simple as setting an appropriate fixed IP on the laptop, connecting the ethernet crossover, logging in to the newly booted image’s LuCI interface, and applying the full firmware image, which erases the Meraki firmware once and for all, and you have a free MR18 🙂

Disable Cheat Mode

January 25th, 2017

My newish-to-me car was one of the many vehicles with the EA827 CR engine affected by the VW NOx scandal, AKA Dieselgate, and I got my recall letter. After questioning my favourite local independent VW specialist, and learning that the claims in the recall letter of no adverse effects on economy, power, torque, or noise, I booked it in and went to Johnsons VW in the people’s republic of Willenhall: what used to be Willenhall Coachcraft.

A surprisingly pleasant experience: the staff were nice, the work was carried out, and they didn’t find anything else to try to talk me in to (good, given that there’s a few things due now), and to be honest, all seems the same. Presumably, there’s been a flash of the engine ECU (which I’ll confirm with VCDS soon), but it does make me wonder what has been tweaked? Presumably the rolling road test detection has gone, but has anything affected the actual, real-world emissions? The car has never visibly smoked (it has a DPF, which hasn’t needed regen in the time I’ve had the car), but of course, the one everyone is upset about, NOx, is invisible.

Information on that on the web is hard to find, between all the scandal stories and lawyers looking to get a compensation case :-/. What I can say is that the advice I was given seems correct: economy seems around the same, still no smoke, and it seems to perform as before.

Open the Box

January 12th, 2017

Andy presented me with an interesting challenge:

Your mission, should you decide to accept it, is to get Linux on this accursed box.

The accursed box was a Sumvision Cyclone Mini PC: an Intel Atom SoC based PC, in a nice little box about the size of a domestic router. It has been quite popular as a Windows media player box, with wireless built in, and an HDMI-out, but this one was hopefully destined for more geeky things: an easily deployable network monitor, so the first thing is Linux.

Apparently others had given up in frustration, and powering it up gave me a particularly unfriendly UEFI shell that didn’t have a scroll-lock, so you couldn’t see the available commands. Nice. I found a way into the BIOS-style setup, and checked all the obvious things; secure boot disabled, clear the secure boot keys, etc. What was notably odd was an OS/BOM seletion screen (that is their typo, not mine) that was set to Windows 8, and all greyed out, and no CSM (or Legacy) boot modes.

Chilly Out

January 5th, 2017

I realise it’s winter, but tonight’s cold snap surprised me: I got changed, got gloves on, and got the bike out, and then when setting off had a surprise: the front gear mechanism literally would not move, and investigation found that it was frozen mud, rather than any mechanical failure. It seems this time I strayed too far the other side of sensible cleaning, and was foiled in my attempt tonight by the fact the outside tap had frozen too…

The ride itself was “bracing”, but it was a lovely still, crisp night, and the cold means fewer disturbances on the towpath: two brave souls fishing, and on the way back, one fellow cyclist, one deer, and a pussy cat that bolted and was about to consider trying to jump the canal at the narrow bit here, but reconsidered, and happily didn’t try to cross the ice, as it didn’t look that thick.

Getting to Chasewater, the gears had re-frozen partially, making the climb to the dam hard going, but a shove freed it, and the park itself was deserted: I would have stopped a while and enjoyed the peace, but the cold was also knackering the batteries in my lights, the front one of which doesn’t last long on full brightness (which would be very antisocial on the road) on a warmer night. Thankfully they lasted out, and I got home, then having to heat the shed padlock before I could lock it…

Thirteen

January 1st, 2017

This blog has just passed its thirteenth birthday, and we’re at the start of a new year, a year that’s, to be honest, brought little to be happy about in many ways: the loss of many celebrities (and for once, the word celebrity is actually valid here), and, perhaps more importantly for some of us, the unexpected loss in November of Steph Clarke, who should be an inspiration to anyone wanting to do stuff in their community. I was lucky enough to meet her a few times, and her energy and commitment to help people was just unreal. A sad loss to the local community, both online and off. I usually use this post to say how strong the online community is (which is still true), so it’s sad to lose such a big part of it. There’s an ongoing drive to do something good, however small, in her memory- #stuffforsteph, which I’d urge anyone to take part in.

2016 has, generally, been pretty poor- personally, nothing major at all- but we’ve had the idiocy of Brexit, with the corresponding rise of hate crime, a quite spectacularly inept prime minister, and the election of a dangerous halfquarter-wit in the US. In the computing world, we saw the IP Bill pass into law, so someone besides me knows you’re reading this, and the Digital Economy Bill is on its way. The future’s so bright, I gotta wear shades.

Looking forward to 2017, I’d like to wish everyone a happy new year: let’s hope for a better one: as Brownhills Bob said online recently, we can at least hope that Trump might fall out of an aeroplane and hit Farage on the way down.

Taphouse Tour: Summary

December 28th, 2016

The Taphouse Tour is over, and here’s a summary:

Name Score
The Duke William 9.75
The Old Bulls Head 9.37
Green Duck Brewery Badelynge Bar 8.75
Beacon Hotel 8.66
The Fountain 8.44
Hail to the Ale 8
The Sow and Pigs 7.525
The Park Inn 6.98
The Windsor Castle 6.8
The Gunmakers Arms 6.542

A less hectic pace than 100 pubs, but it still presented its challenges. We made the mistake of visiting the logistically easy ones first, leaving us with complex trips to the darkest Black Country.

Taphouse 10: The Old Bulls Head

December 28th, 2016

Pubblog Link
Whatpub Link
Brewery Site

Taphouse 10, again with a brewery actually onsite- Black Country Ales.

[Photo to follow as mine is terrible]

BCA have made quite an impact around here, with their beer and pubs being held in high regard.

A lovely pub with great food, staff, and beer. Less of a trek than some, with a 2/3 bus journey, not too bad for darkest Black Country. Welcoming, warm, relaxing and a great spot for the end of our tap house tour on a cold day.

Ambience 10
Beer choice/quality 8.5
Architecture 8.67
Cobs/Pies/Snacks 10
Toilets 9.67

Which means an overall score of 9.37, making it the runner-up, behind The Duke William, sadly the hardest to get to…

Merry Christmas

December 25th, 2016

It’s Christmas morning. Festivity took a while to kick in this year, but when work was finished, a couple of pub trips with good friends and the traditional Christmas eve curry did the trick. I’m hangover-free, and I’ve had bacon too.

Happy Christmas everyone.

A Day Out

December 15th, 2016

I was off work, and as is traditional, we went off to Birmingham for a couple of pints. A start by dropping off the 51 at The Tennis Court, a diversion to The Woodman, a bus ride to Balsall Heath and the lovely Old Moseley Arms, another diversion (because of gridlock in Digbeth) to the ever lovely Anchor, and home via a curry. Some lovely beer (though this was perhaps a bit stronger than would be advisable after 5-6 pints, even if it was delicious), and a pleasant day out.

Make Tech Difficult

December 12th, 2016

One of the things non-techies hate about tech is the complexity of setting some things up, and the rise of IoT, and the ubiquity of smartphones and home broadband has meant that our homes have more and more tech, and that tech is expected to talk to the cloud, and perhaps talk back.

Manually configuring this gear can be a bit tricky, so there’s a bunch of things making it easier. Your ISP may well provide a router, with default passwords. IP cameras will “phone home” to the manufacturer’s site to register themselves, so you don’t have to manually set up dynamic DNS. That router from your ISP will probably use UPnP so it can open ports for the camera and any other devices. Things like Nest or Hive bypass that by depending on a server in the cloud on someone else’s computer to make the connection.

All nice so far. Even better, these things are putting my favourite OS, Linux, out there. As Linux is free, and powerful, and efficient on the low-power chips in these devices, it gets used a lot.

You’d think I’d be pleased.

But there’s a problem. Lots of these devices have poorly implemented security. Others depend on a hosted service, so if someone decides to stop supporting it, or indeed changes the API you have an expensive paperweight.

The Mirai attacks first turned IP cameras into a huge botnet, and now malware has got its hands on routers: the very device you expect to secure your home network. And let’s not forget that if your IP camera (inside your firewall/router) is compromised, it could be used as a tool to attack your PC, and the router will happily help out by opening ports for it: many cameras have poor web interfaces and hardcoded “root” passwords (I have one myself with a password of “123456”).

I realise I’m sounding a little like a luddite here; or perhaps the techie complaining about tech doing stuff itself and therefore meaning people need fewer techies, but here’s the rub: the more of this stuff that gets out there, the bigger the attack surface, the bigger the gain, and the bigger the effect on everyone. So, a little advice:

1. Think if you really need that IoT device.
2. Change default passwords.
3. Consider tossing your ISP-supplied router. It’s probably shit anyway. Turn off UPnP, even if that means you have to get help opening and forwarding ports. There’s a fucking good reason a firewall closes ports, so why bypass that?
4. Consider not buying the very cheapest IP cam like mine 🙂
5. If you invest in cloud-connected devices, entertain the fact that you just lost control of them.
6. If there’s updated firmware, use it.
7. Linux does not mean secure. The kernel itself probably is, but a lot of embedded devices are poorly secured.
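Point 3 above is easy to state and hard to check: most people have no idea what their router has quietly opened on behalf of the camera and the media box. The script below is an added example, not code from this blog: it parses the port-mapping table that the `upnpc -l` command from miniupnpc prints (the row layout is assumed from that tool’s output; the listing itself is constructed for illustration and is not from a real router) and flags mappings that expose management, telnet, web or RTSP services on the LAN to the internet, or that are permanent (lease time 0). The risky-port set and the threshold are assumptions you can tune.

```python
import re
from typing import Dict, List

# Constructed sample in the row format printed by `upnpc -l` (miniupnpc).
# None of these addresses or devices are real; they are made up for the demo.
SAMPLE_UPNPC_OUTPUT = """\
List of UPNP devices found on the network :
 desc: http://192.168.1.1:1900/igd.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.1.1:1900/upnp/control/WANIPConn1
Local LAN ip address : 192.168.1.20
Connection Type : IP_Routed
Status : Connected, uptime=86400s, LastConnectionError : ERROR_NONE
ExternalIPAddress = 203.0.113.7
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:80 'IP Camera' '' 0
 1 TCP   554->192.168.1.50:554 'IP Camera RTSP' '' 0
 2 UDP 51413->192.168.1.20:51413 'Transmission' '' 3600
 3 TCP    23->192.168.1.60:23 'DVR' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

# One mapping row: index, protocol, extPort->intAddr:intPort, 'desc' 'remote' lease
MAPPING_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<ext_port>\d+)->"
    r"(?P<int_addr>[0-9.]+):(?P<int_port>\d+)\s+'(?P<desc>[^']*)'\s+"
    r"'(?P<remote>[^']*)'\s+(?P<lease>\d+)\s*$"
)

# Internal services a home user rarely wants reachable from the internet:
# FTP, SSH, telnet, web admin UIs, RTSP video, RDP and VNC. Assumed list.
RISKY_INTERNAL_PORTS = {21, 22, 23, 80, 443, 554, 3389, 5900, 8080}


def parse_upnpc_listing(text: str) -> List[Dict]:
    """Return one dict per port-mapping row found in upnpc -l style output.

    Lines that are not mapping rows (device discovery chatter, the header,
    the trailing error that ends the enumeration) are ignored.
    """
    mappings = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue
        mappings.append({
            "index": int(m["index"]),
            "proto": m["proto"],
            "ext_port": int(m["ext_port"]),
            "int_addr": m["int_addr"],
            "int_port": int(m["int_port"]),
            "desc": m["desc"],
            "remote": m["remote"] or "*",   # empty remote host means any source
            "lease": int(m["lease"]),       # 0 means the mapping never expires
        })
    return mappings


def assess(mapping: Dict) -> List[str]:
    """List the reasons a single mapping deserves attention (empty = fine)."""
    reasons = []
    if mapping["int_port"] in RISKY_INTERNAL_PORTS:
        reasons.append(f"exposes service port {mapping['int_port']} to the internet")
    if mapping["lease"] == 0:
        reasons.append("permanent mapping (lease 0), survives device going away")
    if mapping["remote"] == "*":
        reasons.append("accepts connections from any remote host")
    return reasons


def audit(text: str) -> List[Dict]:
    """Parse a listing and return only the mappings with at least one finding."""
    findings = []
    for mapping in parse_upnpc_listing(text):
        reasons = assess(mapping)
        if mapping["int_port"] in RISKY_INTERNAL_PORTS or mapping["lease"] == 0:
            findings.append({**mapping, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_UPNPC_OUTPUT):
        print(f"[{f['index']}] {f['proto']} {f['ext_port']} -> "
              f"{f['int_addr']}:{f['int_port']} ({f['desc']})")
        for r in f["reasons"]:
            print(f"      - {r}")
```

On a real network you would pipe `upnpc -l` into this instead of the constructed sample; anything it flags is a mapping the router opened without you asking, which is exactly the behaviour the advice above says to switch off. The Transmission mapping is the only one left alone here: a high, non-service port with a finite lease is what a deliberate, temporary forward looks like.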

