Implementing EAP-SIM at Home

What is EAP-SIM?

EAP-SIM is one of the authentication methods that can be used in an 802.1x or WPA Enterprise network. Specifically, it relies on the user’s SIM card to process a presented challenge. This has been used by some telcos to provide WiFi service without having to maintain a separate set of credentials. However, not all phones support EAP-SIM.

Phone displaying EAP-SIM as a WiFi authentication method

Since I’m already using a RADIUS setup at home, the use of EAP-SIM will eliminate the need to install my CA certs onto each device. But of course, there is still a fair bit of work to do…

Continue reading

Advertisements

Hacking Functionality into ASUSWRT Routers

This weekend, I spent some time to replace my aged Linksys WRT54G wireless router, which is running DD-WRT. The WRT54G is slow by today’s wireless standards and since I sync my iOS devices wirelessly, the speed was getting quite unbearable. When I bought my Macbook Pro in 2007, it already has draft 802.11n support and fast-forward to 2012, my iPad (1st generation) and iPhone 5 both support the 5GHz band.

The ASUS RT-N56U wireless router ranks up there on wireless performance, and the “feature” I was really after was a router that can run an alternative firmware such as Tomato or DD-WRT. The really good news is, I figured out how to get the functionality I wanted while still using the official ASUS firmware.

ASUS router photo

For proper reviews and better photos, you might want to check out these other reviews:

Read on to find my short review, as well as how you can run your own programs on the router without using a third-party firmware.

Continue reading

SFF Server Build (Part 1): Short Cables

After 10 years, I decided to replace my 633MHz home server with something more modern. The fans on the system were making a lot of noise, especially the Slot-1 CPU cooler fan, which I don’t think I can find a replacement for. Also, the motherboard was very choosy about the power supply, meaning I could not use the newer, more energy efficient supplies; the voltage monitors claim the voltage is out of the acceptable range and refuses to continue beyond the POST screen.

I chose the MicroATX form factor, and the most compact case is the Silverstone SG02F because it places the power supply on top of the board. Most other cases I’ve seen have a similar layout to an ATX tower, but with a height reduction.

The wires are long and unwieldy because they assume you are using a normal ATX case, in which case you need relatively long cables depending on how the case is laid out. However when building a SFF machine like this, it gets really untidy. I decided to reduce the length of the cables.

Here’s the before photo of the wiring – the worst offenders are the SATA cables, the case front panel wires, and the SATA power connector.

Continue reading

GNU patch and Windows UAC

If you’re looking for the GNU patch on Windows, you would probably have found the GnuWin32 project. If you try to run this program on Windows Vista or 7, you will be prompted with the UAC dialog, asking you to run the program with administrative rights.

Windows Vista, when they introduced the User Access Control (UAC) feature, tried not to break existing programs by detecting which ones require administrative access. The usual suspects are installers that are probably named *setup.exe or *install.exe. For some reason they also thought they’d throw in *patch*.exe, which matches the patch.exe.

To fix this problem, I found a page at the OOMMF project at NIST, which talks about embedding a manifest file into the executable. Embedding it is actually not necessary, you just need to name it patch.exe.manifest and have it in the same directory as patch.exe.

The other alternative is to disable this system-wide “smart” detection behavior using a Security Policy: “User Account Control: Detect application installations and prompt for elevation“. If you do this, it means you will need to manually right-click older installer applications and select the “Run as administrator” option. Failing to do this means the installer will not be able to correctly write into directories like “Program Files” and alter system registry settings. Note that when I say “correctly write”, it’s because of the UAC virtualization, but that’s another story.

If you use MSYS (from the MingW project), it uses the patch.exe.manifest file technique, which is less intrusive than embedding it into the executable.

If you’re an application developer, you should read Windows Vista Application Development Requirements for User Account Control (UAC), which describes in detail the different options I have just talked about.

tl;dr

If you need just GNU patch, follow the OOMMF page to create the manifest file, but don’t bother embedding it. If you come from a UNIX background, just use MSYS to get all the other UNIX tools.

iOS Profiles & Encrypted Backups

When I got my iPhone, it uses a 4-digit passcode to protect its contents. Unsatisfied with this, I found the iPhone Configuration Utility (iPCU), which was the only way at that time to enable complex passcodes (passwords) on the phone. After creating a profile and uploading it to the phone using the iPCU, my backups were all forced to be encrypted.

Encrypted backups are not good for tinkering because you need to decrypt the files before you can edit them, and you need to re-encrypt them for it to be restored to the phone. I’m not sure about the encryption scheme, or which programs can access encrypted backups since the encryption happens on the phone.

I don’t remember seeing an option in the iPCU that says “Force iTunes encryption” or similar, so why was this happening? Recently when I was digging through the iPhone OS Enterprise Deployment Guide, I found an important note, under “Backing Up a Device with iTunes”, that reads “If the device being backed up has any encrypted profiles installed, iTunes requires the user to enable backup encryption.”

If you upload any profiles using iPCU, it’s convenient – it goes into the phone directly, but at the same time it also encrypts the configuration for the phone.

For my new iOS devices I simply signed it, and uploaded onto a web server and accessed it from the device. This prevents the backups from being forced to be encrypted, but at the same time it creates a chicken and egg problem – how does my device access the web server without the WiFi profile settings?

I’ll look into that another time.