Hacking Functionality into ASUSWRT Routers

This weekend, I spent some time replacing my aged Linksys WRT54G wireless router, which is running DD-WRT. The WRT54G is slow by today’s wireless standards and since I sync my iOS devices wirelessly, the speed was getting quite unbearable. When I bought my MacBook Pro in 2007, it already had draft 802.11n support and fast-forward to 2012, my iPad (1st generation) and iPhone 5 both support the 5GHz band.

The ASUS RT-N56U wireless router ranks up there on wireless performance, and the “feature” I was really after was a router that can run an alternative firmware such as Tomato or DD-WRT. The really good news is, I figured out how to get the functionality I wanted while still using the official ASUS firmware.

For proper reviews and better photos, you might want to check out these other reviews:

Read on to find my short review, as well as how you can run your own programs on the router without using a third-party firmware.

SFF Server Build (Part 1): Short Cables

After 10 years, I decided to replace my 633MHz home server with something more modern. The fans on the system were making a lot of noise, especially the Slot-1 CPU cooler fan, which I don’t think I can find a replacement for. Also, the motherboard was very choosy about the power supply, meaning I could not use the newer, more energy-efficient supplies; the voltage monitors claim the voltage is out of the acceptable range and refuse to continue beyond the POST screen.

I chose the MicroATX form factor, and the most compact case is the Silverstone SG02F because it places the power supply on top of the board. Most other cases I’ve seen have a similar layout to an ATX tower, but with a height reduction.

The wires are long and unwieldy because they assume you are using a normal ATX case, in which case you need relatively long cables depending on how the case is laid out. However, when building an SFF machine like this, it gets really untidy. I decided to reduce the length of the cables.

Here’s the before photo of the wiring – the worst offenders are the SATA cables, the case front panel wires, and the SATA power connector.

GNU patch and Windows UAC

If you’re looking for the GNU patch on Windows, you would probably have found the GnuWin32 project. If you try to run this program on Windows Vista or 7, you will be prompted with the UAC dialog, asking you to run the program with administrative rights.

When Windows Vista introduced the User Account Control (UAC) feature, it tried not to break existing programs by detecting which ones require administrative access. The usual suspects are installers that are probably named *setup.exe or *install.exe. For some reason they also thought they’d throw in *patch*.exe, which matches patch.exe.

To fix this problem, I found a page at the OOMMF project at NIST, which talks about embedding a manifest file into the executable. Embedding it is actually not necessary; you just need to name it patch.exe.manifest and have it in the same directory as patch.exe.
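
A minimal patch.exe.manifest of the kind described above, as an added example (not copied from the OOMMF page or from MSYS); the assemblyIdentity name and version are placeholders chosen here. Save it next to patch.exe under exactly that file name.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Placeholder identity for this example; not taken from any shipped manifest. -->
  <assemblyIdentity version="1.0.0.0" name="GnuWin32.patch"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run with the token of whoever launched the program,
             without an elevation prompt. Because the execution level is now
             declared explicitly, the file-name heuristic is not consulted. -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

Installer detection only applies to 32-bit executables that declare no requested execution level, so this declaration stops the prompt while patch.exe keeps running unelevated with the caller's rights.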

The other alternative is to disable this system-wide “smart” detection behavior using a Security Policy: “User Account Control: Detect application installations and prompt for elevation”. If you do this, it means you will need to manually right-click older installer applications and select the “Run as administrator” option. Failing to do this means the installer will not be able to correctly write into directories like “Program Files” and alter system registry settings. Note that when I say “correctly write”, it’s because of the UAC virtualization, but that’s another story.

If you use MSYS (from the MinGW project), it uses the patch.exe.manifest file technique, which is less intrusive than embedding it into the executable.

If you’re an application developer, you should read Windows Vista Application Development Requirements for User Account Control (UAC), which describes in detail the different options I have just talked about.

tl;dr

If you need just GNU patch, follow the OOMMF page to create the manifest file, but don’t bother embedding it. If you come from a UNIX background, just use MSYS to get all the other UNIX tools.

iOS Profiles & Encrypted Backups

When I got my iPhone, it used a 4-digit passcode to protect its contents. Unsatisfied with this, I found the iPhone Configuration Utility (iPCU), which was the only way at that time to enable complex passcodes (passwords) on the phone. After creating a profile and uploading it to the phone using the iPCU, my backups were all forced to be encrypted.

Encrypted backups are not good for tinkering because you need to decrypt the files before you can edit them, and you need to re-encrypt them before they can be restored to the phone. I’m not sure about the encryption scheme, or which programs can access encrypted backups since the encryption happens on the phone.

I don’t remember seeing an option in the iPCU that says “Force iTunes encryption” or similar, so why was this happening? Recently when I was digging through the iPhone OS Enterprise Deployment Guide, I found an important note, under “Backing Up a Device with iTunes”, that reads “If the device being backed up has any encrypted profiles installed, iTunes requires the user to enable backup encryption.”

If you upload any profiles using iPCU, it’s convenient – it goes into the phone directly, but at the same time it also encrypts the configuration for the phone.

For my new iOS devices I simply signed the profile, uploaded it onto a web server and accessed it from the device. This prevents the backups from being forced to be encrypted, but at the same time it creates a chicken and egg problem – how does my device access the web server without the WiFi profile settings?

I’ll look into that another time.

mdns-repeater: mDNS across subnets

Update 21-Sep-2011: Added an Installation section and updated the binaries on Bitbucket.

Update 20-Oct-2020: Moved repository to GitHub

As you may know, I have a couple of Apple devices. Apple is fond of using Multicast DNS (mDNS) for their service discovery. The recent additions to these services are AirPrint (wireless printing service) and AirPlay (wireless audio/video streaming) from your iOS devices.

My home is set up in such a way that the wired and wireless networks are on 2 separate subnets. mDNS uses a multicast address that is “administratively scoped”, meaning the packets will not travel across subnets. I tried fiddling around with iptables rules and looked around for how I can route these packets across the subnets, but to no avail.

There is another solution – a repeater daemon that sits on the router and repeats packets between the 2 subnets. Avahi is used to provide mDNS services and it has a reflector mode that does exactly this. A more lightweight solution was TiVoBridge, which supposedly performs the same task but it’s much smaller. I tried to compile and set up TiVoBridge, but it required a config file and I couldn’t really get it to work the way I wanted it to. There’s an even lighter-weight solution called SAY, but it uses libpcap.

Enter mdns-repeater – a small Linux daemon that does exactly what I want it to do. I have a Linksys WRT54G which runs dd-wrt. This program was intended to be compiled for and installed on the Linksys router. As with all other programs that run on the router, it requires no configuration.

The default dd-wrt configuration has 2 interfaces – vlan1 for the WAN interface and br0 for the wireless interface (and 4-port switch). The program accepts the arguments vlan1 and br0 and begins repeating packets from vlan1 to br0 and vice-versa. I can now get my iOS devices to detect wired servers like a print server for AirPrint.

mdns-repeater is released under GPLv2. Feel free to change it to repeat whatever protocol you want. Patches to add functionality and bug fixes are welcome. You can contact me via github.com, or if you clone the repository, my email is in the commits.
