Technically minded Weblog

A quick update on my AC810 adventures.

I’ve decided against zRAM – that would require a kernel rebuild and this device has no recovery mode.
Even though “free” showed only a few MB free (max I saw was like 20 MB, usually it shows 5-6 MB), I’ve never ran out of memory when running any software on the device.

Installed some additional software on the device, all built from source, including dependencies:
TUN driver, bash shell, latest hostapd, latest OpenSSL, nano editor and OpenVPN.
I didn’t overwrite any stock binaries just to be safe and instead used a simple wrapper script (which uses LD_LIBRARY_PATH) to run newly installed software.

An interesting idea came to mind when building OpenVPN – what if I could just take one of the WiFi APs (this device has two, one for 2.4 GHz and one for 5 GHz band) and bridge it to a TAP interface instead of doing routing to a tunnel ? Devices connecting to the bridged WiFi would then connect directly to my home network instead of being routed through a tunnel.
A true home WiFi away from home experience without any setup required !
Since OpenVPN is CPU-bound, I’m not expecting to get full speed, but around 40 mbps should be achievable with good 4G reception. More than enough for my needs (remote work and game streaming).

At first, I wanted to preserve dual-band WiFi and create a third SSID (WiFi driver claims to supports this) for the VPN bridge, but Qualcomm’s binary driver has a bug which causes WPA authentication responses from the client device to always be sent to the primary WiFi SSID instead of the secondary SSID, which causes authentication failures. Third SSID only works as Open WiFi which won’t do for me.
I have explored a possibility of using ath10k open source driver from Driver Backports instead of the binary blob (this device seems to use Atheros QCA6174 for WiFi) but again, I cannot install it without rebuilding the kernel due to cfg80211.ko being built into kernel which conflicts with Driver Backports.

So in the end, I had to dedicate one of the existing WiFi APs for VPN bridge. I’ve decided to use the 5 GHz AP for VPN bridge for now and leave 2.4 GHz AP for normal WiFi use but I’m not sure whether I will leave it that way.

UPDATE: OpenVPN was doing 24mbps max with CPU maxed out and a lot of packet loss. Switching from OpenVPN to SoftEther increased speeds to over 40mbps (and zero packet loss). Maybe it can do even more, will need to test in a different location with better 4G reception.
SoftEther was pain in the but to cross-compile (required manual editing of Makefile) and get working though and I also needed to use preloadable_libiconv hack to get past the iconv() stuff as libc on the modem did not have gconv enabled.

I’ve recently bought myself a Netgear AC810 mobile hostpot. It is a rather old model but it’s lightyears better than those cheap Huawei soapbar-style modems which our ISPs provide. Also, since 4G is not my main connection and is only used on-the-go, I didn’t want to invest in a higher-end model, like Nighthawk M1 or M2.

Now, since I’m a computer geek, I wanted to take a look what’s under the hood of that small black box with an LCD screen on it.
I know that this thing, like most 4G routers out there runs some version of Linux. Now how do I access the shell ?
After some research, I found that there’s an AT terminal running on port 5510. Since this modem uses a Qualcomm chipset, it is probably based on the same software as those Sierra Wireless modems. Fortunately, the unit I have had all advanced AT commands (which are usually locked by a password, which in case of my model should be “whistler”) unlocked out the box.
But AT!CUSTOM=? returned an error. So there is some lock present. Fortunately, a keygen is available to enable custom commands on Qualcomm/Sierra Wireless modems.
https://github.com/bkerler/SierraWirelessGen (use model MDM9x40)

With this keygen, I was able to unlock AT!CUSTOM commands (commands will again be locked after a reboot). On my particular unit, AT!CUSTOM=”ADBENABLE”,1 succeeded but did not actually enable ADB. But AT!CUSTOM=”ENABLETELNET”,1 did enable Telnet. I was able to get a password-less root shell on port 23. Bingo !

Now, for the specs:
SoC: Qualcomm MDM9640 (aka. Snapdragon X12), single core ARM Cortex-A7, 1.19 GHz
RAM: 160 MB
Storage: 512 MB, divided into multiple partitions, usable space is formatted as UBIFS. There’s a total of about 126 MB of usable free space available. Root is writable as are most other locations.
Kernel: Linux 3.10.49

Router’s interface is purely web-based. Even the LCD interface is done using a tiny DirectFB based web browser (WebKit based, judging from the logs) which simply loads a web page (http://127.0.0.1/lcd/index.html) during boot. This browser seems to have some kind of custom API accessible via JavaScript. I have not yet fully reverse-engineered it but I do plan to do so.

For compiling custom software, Linaro v13.08 ARM toolchain should work, it has the same version of libc (eglibc 2.17) as that used on the router:
https://releases.linaro.org/archive/13.08/components/toolchain/binaries/
There are GPL sources provided, but compiling GCC toolchain from schratch is a large amount of work and the result probably wouldn’t work any better than the Linaro toolchain.

I was pleasantly surprised that Netgear developers have enabled the option to include a kernel configuration in /proc/config.gz, this should help greatly when building new modules for modem’s kernel. /proc/config.gz is a very rare sight on production devices. This modem is the first device I’ve ever seen to have /proc/config.gz enabled out of the box.

What I’ve done so far:
* Customized dropbear SSH server, https://github.com/zcutlip/dropbear-hacks (replace MIPS compilers with ARM ones in the build script) which works without relying on getpwnam(). Now, I can add a password and stop relying on Telnet for shell access.

Ideas:
* zRAM module. OS is extremely poorly optimized. With GUI and SSH running there’s only about 5 MB of RAM free !
* DnsCrypt for secure DNS lookups.
* OpenVPN client for VPN passthrough.
* Password lock for LCD UI

Will update.

Neighbor of mine (who is a part-time video editor) recently had his Mac Book die on him and asked me to do some data recovery for him from a bunch of old HDDs, all, of course, formatted as Apple HFS+. Since he plans to replace his dead Mac with a Dell XPS, he needed me to extract all data from his old drives and reformat them as NTFS. Even though I’ve never ever owned any Apple hardware, I have no problem recovering data from Mac formatted drives, thanks to Paragon’s NTFS/HFS+ Linux driver (free version with limited functionality available here).

But there was one small problem. Two of the hard drives (2TB WD Blacks) were originally used as an Apple software RAID-0 array. While Paragon’s driver can mount HFS+ file systems, it cannot reconstruct or operate RAID arrays. Also, Apple’s RAID format is proprietary and there is no support for it on OS’es outside of OS X/macOS. Since I don’t have access to a Mac, I had no way to recover data from those two HDDs.

Out of curiosity, I’ve plugged in both RAID-0 HDDs to my main rig (booted to Ubuntu 18.04) anyway to check how they’re formatted. Both drives showed as GPT partitioned disks with three partitions on them: EFI, “Apple RAID” and “Apple boot”. It was pretty clear to me that the actual data I needed to extract was on “Apple RAID” partitions. Now how to I get Linux to recognize them as a RAID-0 array ?

I do know that RAID-0 is basically a stripe, alternating chunks of data between multiple drives.
Linux has it’s own RAID implementation in form of mdadm, which, apart from it’s own format, is also capable of reading some other RAID array formats, like Intel’s firmware RAID. But unfortunately, it does not support Apple RAID.
Since RAID-0 is just a stripe, that got me thinking: is there another way to get Linux to treat two block devices as a stripe ? Why yes there is. Say hello to Device mapper. Device mapper is a kernel driver (more precisely – a kernel framework) which allows you to remap physical block devices into virtual ones, including mapping multiple devices as a single device and even doing transparent block device encryption (in form of dm-crypt). This framework is widely used in various Linux-based OSes. For example Android uses dm-crypt for adoptable storage and app containers on SD cards. Device mapper is also used by LVM as a more flexible way to partition HDDs.
And, you probably guessed it, Device mapper supports mapping disks as stripes !

Could it be that Apple just uses a simple stripe for RAID-0 instead of some custom format ?
Again, out of curiosity I’ve tried mapping the two “Apple RAID” partitions as a Device mapper stripe using a simple script which I found online (can’t find the link right now, sorry). And to my pleasant surprise, the resulting stripe was happily recognized by Paragon’s driver as an HFS+ volume ! I did try to open a few files and all were perfectly readable.

I’m now in the process of copying all data from that RAID-0 array to another location, after which I will dismantle the array and reformat both HDDs as NTFS.

So it turns that at least Level 0 of Apple’s software RAID isn’t as proprietary as it seems.

This is a guide (which isn’t short, unfortunately, sorry) on how to enable Samba support in your LG WebOS Smart TV.
If you want to know the story on how I came up with this, read part 1, part 2 and part 3.

If you just want the instructions, read on.
For those willing to build their own binaries for WebOS TVs, I’ve created a GCC toolchain which should work for most TVs. You can download it here.

Read mode

This part is about making Samba work in WebOS. If you want to know how it began and how to root WebOS, read part 1 and part 2.
If you just want the instructions, read part 4.

——

Now when I finally had complete and unrestricted access to the TVs OS, I started exploring the internals to check what was available and how to get Samba working.
My TV (LG 43UH603V-ZE) appears to be based on a Realtek RTD2999 chipset which has a four core ARM Cortex-53 CPU and PowerVR graphics. For short-term memory, the TV has 1.5 GB of RAM (of which about 1.1 GB are user-accessible) and for long-term storage, there’s a 4 GB eMMC flash module divided into several partitions (with only 635 MB for apps and media). Kernel version is 3.10.19.

Fortunately, the TVs kernel already had CIFS (which is a version of SMB) support built-in. But the helper program required for mounting (mount.cifs) was missing. For testing CIFS and possibly other ARM stuff in the future, I’ve installed an ARM port of Ubuntu 16.04 in a chroot, with an old 16 GB flash drive for storage (since the TV had very little free space).
Now I that I had Ubuntu with mount.cifs (cifs-utils) installed, I could start testing Samba on my TV. As expected, everything worked fine and I was able to mount all of my server’s Samba shares and access them inside Ubuntu.
Next part was to get the shares visible in WebOS built-in media player (or I should say players as there is one for Photos and Videos and one for Music).
The first problem was that I wanted my shares to be mounted at TV startup and outside of Ubuntu chroot and Ubuntu’s mount.cifs would not run outside chroot. I temporarily solved this with ugly LD_LIBRARY_PATH and ld.so hack (I do not recommend using it, I will put a link to a proper mount.cifs binary which would work without Ubuntu in part 4).
Second, I needed a location to mount the shares on so WebOS media player could seen them.
First, I tried to play with WebOS’s screenshot capture function, find the directory where it places the screenshots and mount my Samba shares there. But this did not work.
Then I’ve remembered about that small FAT32 partition which I’ve created on my USB flash drive (mainly so that the TV would not complain about unformatted flash) which was visible in WebOS media player.
I thought: what if I mounted my Samba shares onto folders inside that partition ? And.. IT WORKED ! WebOS media player could see all the files as if they were inside that small FAT32 partition. All my media played just fine, even that 4K BDRip (whooping 65mbps bitrate !) which I’ve mentioned earlier. Samba download speed was about 11.2 MB/s (close to maxing out TVs 100mbps ethernet) which is more that enough for pretty much anything the TV can play.

I now had a working way of using Samba in WebOS.
For persistence, I wrote a small script to automount shares at TV boot so that I could use them without having to manually mount them first. More about this in part 4.

If you also want to get Samba working on your WebOS TV, continue to part 4 where I’ll put a detailed guide on how to get this to work.

P. S.: You don’t need Ubuntu chroot for Samba. But if you also choose to use Ubuntu chroot, you will have the entire Ubuntu software library available on your TV. You could for example, fire up a BitTorrent client, run a Web server, PHP, Python or anything else you want. This is nice if you are a tinkerer, like me. If you need a guide for creating a chroot, let me know.

If you want to know how it began and what this is all about, do read part 1 of the post.
If you just want the instructions on how to root WebOS and add Samba support, read part 4.

———

I knew that my smart TV had Linux under the hood. At first, I needed to figure out how to get some kind of shell access to the TV. It turns out, LG does have an app called Developer Mode which offers shell access via SSH. I did try the app out and it did work but the shell access it offered was very limited.
All I had was access to an OpenSSH instance running as unprivileged user in a chroot-like jail.
To add Samba support, I needed root access to the TV’s OS. Since LG’s app did not offer any way of getting root, the only way was to try some kind of exploit, just like you do when rooting Android without custom recovery.
My first thought was to exploit CVE-2016-5195 (aka. the Dirty Cow bug) since it had source code available. So I’ve build the exploit and it out. And… it didn’t work. It turned out that my TVs firmware (version 05.30.01, released on October 31st, 2017) had a patched kernel which wasn’t vulnerable. Since I could not find any other public root exploits, I wasn’t able to root the TV with the firmware it had. The only thing I could think of is downgrading the TVs firmware to an earlier version (with a vulnerable kernel). Which isn’t straightforward, since WebOS normally only supports installing newer firmware versions, not older ones.
Fortunately, with the help of my skills and a tutorial available here: http://webos-forums.ru/post23624.html (in Russian, Google Translate link) I was able to downgrade the firmware to version 04.31.00.
I’ve also found a pre-packed exploit (based on the same Dirty Cow bug which I’ve tried to exploit before) for rooting WebOS with instructions here: http://webos-forums.ru/topic4650.html (again in Russian, Google Translate link). With it, I was able gain root access to WebOS.

That’s when the fun began. Read on to part 3.

I’ve always treated my TVs simply as monitors with some additional functionality, like a built-in tuner or a simple media player. I never treated them as real computers.
Even when my family bought our first smart TV back in 2014, I still treated it as a monitor, even though I did know that it had a real Unix-like OS under the hood.
That has changed when I got (well, inherited) my own Smart TV, an 2016 model LG 43UH603V-ZE running WebOS 3.3.1. I previously had an old LG feature TV and used a separate device (a Raspberry Pi 3 with Kodi) to play all my media.
But since I now had a smart TV, I wanted to play everything directly on it, without using a separate device. My main sources of media are IPTV and my home server (which also acts as a NAS). IPTV viewing wasn’t a problem as WebOS had several apps for that. Connecting my server to the TV was a different story. It turned out that WebOS does not have any kind of support for NAS devices at all. No Samba, no FTP and no way of streaming HTTP links. Nothing.
At first, I tried to resort to using Emby media server via TVs built-in browser (tried Emby’s app as well), but it was too cumbersome to use with a remote. Not to mention the flaws, like really long loading times, buggy resuming and totally unnecessary transcoding of media that my TV could play directly. For example, I could not play a 4K H265 BDRip without Emby trying to transcode it to H264 resulting in choppy video and overloaded server.

This got me thinking: is there any way to mod the TV to retrofit Samba support in a way which would play nice with WebOS ?
And I did find a way. Now on to part 2.

P.S.: Happy 2018, the year of the Yellow Dog ! (sadly the Linux distro with the same name died long ago…)

Finally found some time to write a blog post.

First, some background. I’ve had an ancient Pentium 3 PC (upgraded with Intel Gigabit NIC and USB 2.0 card) with Windows 2003 running as my home server for many years. This old beast had many uses in the past, including being my web code testing sandbox, torrenting box, IPTV multicast bridge and others. Recently however, the server was only being used as a DNS filter (mostly for ad blocking and mapping local IPs to hostnames) and DHCP.

I’ve been thinking of transferring these duties to my Asus RT-N66U router (running DD-WRT and Debian) for a while but never found time to do it. Well, I finally did it. For those interested in how to do transfer DNS and DHCP from Windows 2003 to Linux, read below.

First, the easy part: DHCP. I mostly used Windows 2003 DHCP to map MAC addresses to static IPs. Since DD-WRT has this functionality built-in (heck, even most stock router firmwares have this built-in), all I had to do is copy existing static IP assignments to DD-WRT configuration (Services -> Static Leases). I know this method isn’t very suitable for those with a lot of assignments.

For users with a lot of assignments, the best way to go would be to export DHCP configuration and process it to generate a database of static leases (eg. using a script). But how to do it is outside the scope of this post.

Now the hard part: DNS. Like I mentioned before, I mostly used my local DNS server to do Ad domain blocking and mapping LAN IPs to hostnames. To block a domain (and all of it’s subdomains) using a local DNS, all you need to do is create a zone record for that domain in your local DNS server (you can optionally point it to a local IP, eg. for displaying an error message to the user).

There are a lot of domains hosting Ads out there. Over the years, my zone count grew to nearly 200 domains. Copying all these zone records manually to Linux BIND server (which is what I wanted to use) would have been a pain-in-the-a**, so I started looking for a more automated way of doing this.

Here’s what I found:

For those not using Active Directory for DNS, dumping zone files is very easy. They are stored as text files in C:\Windows\System32\DNS.

Unfortunately, I was using unknowingly AD for my DNS zones because this was the default setting when creating new zones. So I had no zone files in C:\Windows\System32\DNS. I had to use a shell script to dump all the zones from AD. I’ve used powershell, but any other language will work as well. Basically, what you need is to run:

dnscmd /enumzones

Then process the output of this command to get a zone list and run this for each zone:

dnscmd /zoneexport <zone name> <export file>

eg. dnscmd /zonnexport example.com example.com.txt

This will export the zone files to C:\Windows\System32\DNS (I strongly suggest using zone name as export file name).

To use these zone files, you’ll also need to generate a config file for BIND. I did this by just getting list of all zone files in generating a config entry for each of them, using file name as zone name. Entries look like this:

zone “example.com” {
type master;
file “/etc/bind/zones/example.com.zone”;
};

After generating the config file, all you need to do is copy all your exported zone files to /etc/bind/zones/ and include your generated config file in BINDs configuration.

This is a rough guide. If you need any help with this guide, do contact me dds[alpha]ddscentral.org.

I’ve compiled Samba server (yes, the same server commonly found in Linux) under Windows using Cygwin.
Did not have time to test it yet (need to configure it), but I’ve found out that in fact some people are using samba for sharing on Windows (Google for “smbd.exe”). Perhaps the main benefit is the separate user account system which does not depend on Windows user accounts (you can create users just like in FTP server).
Will test the server later and update the blog with the results.

For those willing to compile samba themselves, the latest build (from samba.org) compiles fine under a complete Cygwin install (all packages), but the makefile might need to be tweaked to correct the output binary filenames (some filenames of samba binaries in the makefile will be without .exe extension) or samba might refuse to install (er. “make install”).

I have created a couple of web services (soap) for one of my projects. They can be used to get info about domains and IPs. Although, I’ve created those services mostly for my own internal use, you can try them too.
Service listing (with source code for each service) can be found here.
All services use old rpc/encoded soap, except “WhoisIpV2 (ASMX)”, which is document/literal standard service.
Sample client (with source code) for WhoisIPV2 service is available in the Creations section.
I might add more services in the future.

I do not provide any kind of support for any of these services. If you want to know more about them, see their source code.