Author Archives: Ivan Vučica

About Ivan Vučica

Google+ - ivan.vucica.net/

mFI mPower basic use without cloud and controller

After getting the mFI mPower unit, I saw that it really wasn’t planned for standalone use. I was also surprised at seeing no ethernet port; I’m not sure why I thought it’s going to have one.

This is a wifi IP power strip that seems to be designed neither fully for a consumer (why would a consumer need a IP power strip?) nor for an expert. After plugging it in and waiting for it to boot, you’re greeted with a new completely unprotected wifi network. After connecting to it, you’re hijacked in the same way captive portals technologies work. It seems pretty painless to configure a device to connect to a wifi network, and then either to cloud or to a local controller — a chunk of proprietary software that, based on the quick guide booklet, seems to be written in Java. Booklet mentions versions for Windows and OS X, but the website offers download for Linux as well.

I’m however uninterested in having a home machine run 24/7 and waste electricity just to occasionally control a power strip. I opted for the (for obvious reasons less secure) variant of going into the cloud. Unfortunately, the built-in web UI doesn’t give you an option to register nor a hint on doing so. Quick guide does mention the website, which reveals a login panel but no registration.

At least I could configure wifi connectivity without either controller software or cloud — but that seems to be all.

That’s because in October 2013 the service was shut down for new registrations, with promises of coming back. Seeing that was 10 months ago, I began to think I may have purchased a brick.

Luckily, apart from what’s served to the customer on the surface, the device seems to be rather open. I’m unfamiliar with how free and open source it is, but it seems to be built out of relatively understandable components. BusyBox is there, the usual UNIX-like directory structure is there. I also spotted dropbear, which means aside from a telnet daemon, it’s also providing an SSH service.

Default username and password set is ubnt/ubnt. Ouch. First obstacle: How do we change that?

We can use vi to edit /tmp/system.cfg. There it is! Username and password. But wait — what kind of a password hash is that?

Turns out it’s the output of crypt(3). This gets used to generate /etc/passwd.

PHP has the crypt() function as well. PHP’s numerous flaws are irrelevant for such simple use case, so we’ll be forgiven for using:

php <<< '<?php echo crypt("my_password", "SL");'

where “SL” is the salt. (In the stock password, it was “KQ”.)

You can add new users as well (although I’d highly advise changing at least the password of the default user), like so:

users.1.name=ubnt
users.1.password=KQiBBQ7dx8sx2
users.1.status=enabled
users.2.name=ivucica
users.2.password=AEPbWtbh7XaS.   
users.2.status=enabled

That’s really nice and flexible. But they could have either documented all this (and in an obvious place), or created a web UI (of course, while letting us deal directly through telnet and ssh, too).

To save these settings, punch in save. (Alternative command seems to be cfgmtd -f /tmp/system.cfg -w.) To give the system a chance to apply the settings, reboot.

While at it, you may want to disable the default unprotected wifi network, which for me was numbered 2:

wireless.2.status=disabled

What I also like in this device is that it seems to have the Linux-friendly Atheros chipset in it.

So next. How do we actually read stats or switch an outlet on or off?

cd /proc/power
# enable outlets we want to read stats from or that we want to control
for i in $(seq 1 3) ; do
  echo 1 > enabled${i}
done
# get current power usage
for i in $(seq 1 3) ; do
  echo "active_pwr$i: ${i}"
done
# turn off and on a slot
echo 0 > relay1
sleep 1
echo 1 > relay1

Other functionality is demonstrated and explained by forum member Sequim.

  • active_pwr – power factor corrected power demand
  • v_rms – RMS voltage – zero if outlet is off
  • i_rms – RMS current, as currently delivered
  • pf – power factor
  • energy_sum – totalized energy in Watt-hours delivered via this outlet, probably since last boot

And the /proc/led directory contains some nice controls for the LED.

Really lovely design. It’d have been even nicer if it had been properly documented and if it had a proper web UI shipped in case you don’t feel like dealing with all the power that these controls exposed as a filesystem provide.

Proxying Camlistore through nginx

I’ve went through this in order to secure access to Camlistore and delegate authorization to nginx. This doesn’t help, as I don’t yet have a securely stored password set up to protect it, but the first steps are there. Moving to something like LDAP-backed authorization for authentication on my machine and authentication of Camlistore is probably the way to go.

Without further ado, here is my partial nginx configuration, which should be useful if you already have a domain set up and you’d just like to direct toward Camlistore. I didn’t want to set up a subdomain, as I would have to get a new SSL certificate.

I’m bound to have made a mistake in configuration, so comments are welcome.

server {
        server_name ivan.vucica.net;
        access_log /var/log/nginx/ivan.vucica.net_access.log;
        error_log /var/log/nginx/ivan.vucica.net_error.log;
        root /somewhere/on/my/disk;
        listen 80;
        # skipped...

        location /camli {
                return 302 https://ivan.vucica.net:3180$request_uri;
        }
}
server {
        server_name ivan.vucica.net;
        access_log /var/log/nginx/ivan.vucica.net_access.log;
        error_log /var/log/nginx/ivan.vucica.net_error.log;
        root /somewhere/on/my/disk;
        listen 443 ssl;
        # skipped...

        location /camli {
                return 302 $scheme://ivan.vucica.net:3180$request_uri;
        }

        ssl_certificate /ssl/directory/on/my/disk/startssl-vucica.net.chained.crt;
        ssl_certificate_key /ssl/directory/on/my/disk/startssl-vucica.net.key;
        # ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        # ssl_ciphers         HIGH:!aNULL:!MD5;

        # from: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy#comment-3794
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

        # for ssl cache - see http://nginx.org/en/docs/http/configuring_https_servers.html 
        keepalive_timeout   70;
}
server {
        server_name ivan.vucica.net;
        access_log /var/log/nginx/ivan.vucica.net_camli_access.log;
        error_log /var/log/nginx/ivan.vucica.net_camli_error.log;
        root /somewhere/on/my/disk;
        listen 3180 ssl;

        location /camli {
                rewrite ^/camli/(.*) /$1 redirect;
                rewrite ^/camli$ / redirect;
        }
        location / {
                proxy_pass http://127.0.0.1:3179;
                proxy_connect_timeout 5;

                # not using after all, as it would need access to /etc/shadow.
                # see http://web.iti.upv.es/~sto/nginx/ngx_http_auth_pam_module-1.3/README.html
                # auth_pam "Secured Camli";
                # auth_pam_service_name "nginx";

                auth_basic "Secured Camli";
                auth_basic_user_file /path/to/ivucica-camli-user_file;
        }

        ssl_certificate /ssl/directory/on/my/disk/startssl-vucica.net.chained.crt;
        ssl_certificate_key /ssl/directory/on/my/disk/startssl-vucica.net.key;
        # ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        # ssl_ciphers         HIGH:!aNULL:!MD5;

        # from: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy#comment-3794
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

        # for ssl cache - see http://nginx.org/en/docs/http/configuring_https_servers.html 
        keepalive_timeout   70;
}

Camlistore itself is configured to listen only on 127.0.0.1. It doesn’t handle authentication, as using localhost authentication would require running nginx and camlistored under the same user. Adding a username+password authentication and using internal SSL would limit my long-term options for configuring authentication.

{
    "auth": "none",
    "listen": "localhost:3179",
    "identity": "AC5742DD",
    "identitySecretRing": "/path/to/camlistore/identity-secring.gpg",
    "blobPath": "/path/to/camlistore/blobs",
    "sqlite": "/path/to/camlistore/camli-index.db",
    "baseURL": "https://ivan.vucica.net:3180/",

    "shareHandler": true

}

To generate the .htpasswd file, refer to nginx documentation. Here follows an example; consider hard whether this is secure enough and appropriate for you.

printf "John:$(openssl passwd -crypt V3Ry)\n" >> .htpasswd # this example uses crypt encryption

Don’t forget that this will store the line in your .bash_history. (One way to avoid this specific issue is to prefix the command line with a space. Think hard whether this is enough for you.)

Mails appearing from d1stkfactory

If you have a Debian machine and emails appear to be coming from hostname @d1stkfactory, edit /etc/mailname and set this to your actual FQDN. Another instance where I found it locally is in /etc/exim4/update-exim4.conf.conf, which is almost certainly not read by my installation of Postfix (which does explicitly refer to /etc/mailname in one place).

This appeared on a machine running on DigitalOcean, so I presume “d” refers to DigitalOcean, and “factory” refers to their internal disk image building service. That’s just speculation though.

A European’s experience in [NOT] buying a MacBook Pro in US

I’m visiting NYC this week. I’ve come to US thinking hard whether or not I want to buy a MacBook Pro. I decided that yes, I do. Now I changed my mind. Why?

I wanted to do a couple of things. Use employee discount, pay with my Irish card, and I absolutely required a European-style keyboard layout. This last thing is the ultimate reason why I decided to skip it.

Apple is excellent if you are an average customer. Walk into one of the stores (there’s one 5 minutes of walk from me), pick up what you want, walk out happy. I could have done that. I can still do that. I don’t want to.

First, I want my discount. It saves me a non-insignificant an interesting amount of money. I doubt I can apply the discount from within the store. [UPDATE: Americans love to apply sales tax AFTER quoting you the price. So my total savings are a bit less than expected. Still, they exist. And my estimates include Irish VAT, because I’m nice like that. Smugglers would really save a lot.]

Second, I want a European-style keyboard (British at the very least). I have a US layout wireless keyboard, and if I switch to Croatian layout in software, I cannot type < and > on it.

Turns out that Apple does not stock laptops with different layouts in their stores. Turns out that I need to wait 1-3 business days for them to build the custom laptop (!!!) and then another 1-3 business days for them to expedite-ship it. Oh you want standard shipping? 3-5 days. You dared to desire to pick it up at the store (which should actually be easier for them)? Well, feelin’ bad for you buddy — it’s as if you picked standard shipping.

Maybe you wanted to pay with your Irish card? No go — they want your billing address phone number to be a US number, and your billing address zip code to be a US zip code and a US address.

Especially if you include the fact I’d need to deal with Irish customs people as well, that’s enough divine signs telling me I should skip this purchase. Maybe I change my mind, but I doubt it.

What kind of bullshit is not stocking some British-layout MBPs somewhere in NYC? What kind of bullshit is “it takes 1-3 days to replace a keyboard”? With minimum training, it could be done in-store, even if you couldn’t stock 2 variants in each store. They don’t sell often enough? Don’t keep 50 of them, but do keep 2 of them.

And I was so looking forward to a Mac with a decent GPU.

Ubuntu, touchscreen and dualscreen: HD Touchscreen on the left, laptop on the right

If you read about calibrating touchscreen with X11 and are capable of simple addition and division, you won’t have a problem building the transformation matrix and applying it. I won’t cover the same details on how to set the matrix using xinput set-prop since I just want to write down the resulting matrix and, perhaps, save people some time if they have a setup similar to mine.

To get the name of the device, open Terminal and punch in:

xinput

In the output I found that my “Acer T232HL”‘s input component is actually called “Advanced Silicon S.A CoolTouch(TM) System”. I can see all of its properties with:

xinput list-props Advanced Silicon S.A CoolTouch(TM) System

Since I’ve set up the screen to be on the left site, that means top-left corner of my touch area is simply offset by 0,0, and bottom-right is 1920,1080. Considering that the total width of the usable X area is 1920+1280, I get 1920/3600=0.6 as the c0 constant on the above link.

My usable area’s height is max(1080, 800) (the respective y component of the resolutions of the two displays). Considering that touch area’s height is also 1080, then the c2 component does not need to be scaled and should be exactly 1.

I also have absolutely no offsets, so c1 and c3 stay 0.

Result:

xinput set-prop "Advanced Silicon S.A CoolTouch(TM) System" --type=float "Coordinate Transformation Matrix" 0.6 0 0 0 1 0 0 0 1
# And if needed, to make the display configured as described above:
xrandr --output DP-0 --auto --left-of LVDS-0

From the times when I was trying to get Linux to run on iPaq H3800 devices using the kernel and distributions published at the now-defunct handhelds.org, I remember the “tslib” which included a touchscreen calibration tool. I wonder if that can and should be used to calibrate the modern multitouch displays.

Update (April 5th 2014): I just dug out package ‘xinput_calibrator’ by random googling, but have not tried it out yet.

Importing laptop into Ireland from outside EU

I am not a lawyer nor an accountant. This is not legal advice. I may be wrong.

Bureaucracy == exercise in exploration!

First, you want to read the general information for individuals, including PN 1878a – Customs and Excise Information for Travellers Arriving in Ireland from Countries Outside the European Union.

In PN 1878a there is an odd reference to digital cameras being 0% duty, and VAT 23%. Where does that come from?

In the section intended for businesses we can find the document A Guide to Customs Import Procedures (PDF) which mentions a system called TARIC. What is TARIC?

Apparently TARIC is an EU-wide system for determining duty on imports. Customs Directorate of Croatia (or whatever the name in English is) apparently also maintains their own TARIC query system with matching data.

Now we need the appropriate code. What is the code for laptops?

It’s 8471410000. If you enter this code and then drill down into ‘for use in civil aircraft’ and ‘other’, you’ll see that in both cases the duty is 0%, in most countries. (In Croatian mirror site, pick ‘Section XVI’ and ‘Chapter 84′. I find it curious that the Croatian system’s UI seems cleaner than the official EU system. More outdated, but nonetheless cleaner.)

Since USA is not on the list, I would presume it fits under the ‘Erga Omnes’ list.

Alright, what about VAT? There is a list of tax rates maintained by the Irish Tax and Customs. Laptops seem to fit under Computer Hardware – Supply, which has a Standard VAT rate. As of 1 January 2014, this rate is 23%.

My conclusion is that the duty is 0%, and that only VAT of 23% is paid.

Considering top-of-the-line 15″ Macbook Pro Retina costs $2.599 = 1877.21 EUR * 1.23 = approx 2309 EUR – versus 2649.00 EUR – we get the difference of 339 EUR that are still saved by buying the laptop from the US.

Fun. :-)

For the record, no, I did not choose to buy a laptop (nor this laptop in particular) — but exploring my options is good.