pmeerw's blog

Mon, 10 Apr 2017

GL.iNet AR150 WiFi AP with PoE (803.3af) and OpenWrt pre-installed

GLi's AR150 is a 802.11n WiFi router with two ethernet ports (WAN, LAN). It comes with OpenWrt pre-installed. The unique features (for a 25€ device) is PoE 802.3af support.

Other features: 400 MHz Atheros MIPS CPU, 64 MB RAM, 16 MB SPI flash, 1x USB 2.0, 4 GPIOs + UART on a 2.54 mm header (nicely marked)

posted at: 23:04 | path: /review | permanent link

Sat, 21 Jan 2017

DNS CAA

DNS CAA allows the holder of a domain to specify which certificate authorities are allowed to issue certificates for that domain.

Let's encrypt support is, as do recent versions of the bind DNS server. https://sslmate.com/labs/caa/ helps to get the DNS record correct. SSL Labs already checks for the CAA record.

Put this in your BIND zone file:

@	CAA	0 issue "letsencrypt.org"

posted at: 14:30 | path: /configuration | permanent link

Mon, 04 Jul 2016

Adventures with a Chinese PoE IP camera: Jooan JA-703KRB-T-P

It is a 1 MP IP camera (bullet design) with PoE (IEEE 802.3af) support. Hardware looks good, software is crap. Web interface is Chinese and requires Active-X or something to become functional.

One can telnet to port 9527 to get some kind of console with a login (admin / [blank]); there is a help command:

----------------------Console Commands----------------------------
                 232 Comm dump
              485Pro 485 Protocol!
             ability Net Ability Utility!
                  ad AD debug interface!
               alarm Alarm status!
            autoshut auto shut the DVR

             bitrate Dump BitRate infomation!
                 cfg Config Help Utility!
                comm Comm Input String
              encode Encode commands!
               front front board utility!

                  fs Fs debug interface!
                heap Dump heap status!
                help Try help!
           infoframe InfoFrame Console Utility!
                 log Log utility!
              netitf NetInterFace Dump!
                netm NetManager Dump!
               onvif Onvif debug msg!
              packet Packet usage!
                 ptz ptz dump!
                quit Quit!
              reboot Reboot the system!
              record Record console utility!
            resource CPU usage!
                 rtp RTP Dump!
               shell Linux shell prompt!
            shutdown Shutdown the system!
                snap Snap Console Utility!
              thread Dump application threads!
                time Set SystemTime!
               timer Dump application timers!
             upgrade Upgrade utility!
                user Account Information!
                 ver version info!
             xmcloud XmCloud Dump!
To see details, please use 'cmd -h'
My firmware version seems to be:
V4.02.R12.00006510.10010.140300, BuildTime: 2015-09-10 10:20:36
One can see available users and permissions with user -a, even passwords are shown:
{
   "Groups" : [
      {
         "AuthorityList" : [
            "ShutDown",
            "ChannelTitle",
            "RecordConfig",
            "Backup",
            "StorageManager",
            "Account",
            "SysInfo",
            "QueryLog",
            "DelLog",
            "SysUpgrade",
            "AutoMaintain",
            "GeneralConfig",
            "TourConfig",
            "TVadjustConfig",
            "EncodeConfig",
            "CommConfig",
            "NetConfig",
            "AlarmConfig",
            "VideoConfig",
            "PtzConfig",
            "PTZControl",
            "DefaultConfig",
            "Talk_01",
            "IPCCamera",
            "ImExport",
            "Monitor_01",
            "Replay_01"
         ],
         "Memo" : "administrator group",
         "Name" : "admin"
      },
      {
         "AuthorityList" : [ "Monitor_01", "Replay_01" ],
         "Memo" : "user group",
         "Name" : "user"
      }
   ],
   "Users" : [
      {
         "AuthorityList" : [
            "ShutDown",
            "ChannelTitle",
            "RecordConfig",
            "Backup",
            "StorageManager",
            "Account",
            "SysInfo",
            "QueryLog",
            "DelLog",
            "SysUpgrade",
            "AutoMaintain",
            "GeneralConfig",
            "TourConfig",
            "TVadjustConfig",
            "EncodeConfig",
            "CommConfig",
            "NetConfig",
            "AlarmConfig",
            "VideoConfig",
            "PtzConfig",
            "PTZControl",
            "DefaultConfig",
            "Talk_01",
            "IPCCamera",
            "ImExport",
            "Monitor_01",
            "Replay_01"
         ],
         "Group" : "admin",
         "Memo" : "admin 's account",
         "Name" : "admin",
         "NoMD5" : null,
         "Password" : "tlJwpbo6",
         "Reserved" : true,
         "Sharable" : true
      },
      {
         "AuthorityList" : [ "Monitor_01" ],
         "Group" : "user",
         "Memo" : "default account",
         "Name" : "default",
         "NoMD5" : null,
         "Password" : "OxhlwSG8",
         "Reserved" : false,
         "Sharable" : false
      }
   ]
}
In order to play a video stream (Stream 0, 1280x720, 15 fps):
vlc rtsp://192.168.1.17:554/user=admin_password=tlJwpbo6_channel=1_stream=0.sdp?real_stream
or (Stream 1, 704x576, 25 fps):
vlc rtsp://192.168.1.17:554/user=admin_password=tlJwpbo6_channel=1_stream=1.sdp?real_stream

The camera seems to be based on a Hisilicon Hi3518E.pdf SoC (ARM9 with H.264/MJPEG). Hacking already done, seems easys to get serial. buildroot is available...

Telnet password for root is: xmhdipc Here we go:

# cat /proc/cpuinfo
Processor       : ARM926EJ-S rev 5 (v5l)
BogoMIPS        : 218.72
Features        : swp half thumb fastmult edsp java 
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant     : 0x0
CPU part        : 0x926
CPU revision    : 5

Hardware        : hi3518
Revision        : 0000
Serial          : 0000000000000000

posted at: 22:58 | path: /configuration | permanent link

Tue, 17 May 2016

IEEE 802.1x port authentication

Run wpa_supplicant using sudo wpa_supplicant -i eth7 -D wired -c /tmp/802/wpa_supplicant.conf

Notes
HP 1920 switch: configure to CHAP to make MD5 work
Zyxel GS1900 switch: local authentication doesn't seem to work
wpa_supplicant MD5
ap_scan=0
eapol_version=2
network={
    key_mgmt=IEEE8021X
    identity="test"
    password="test"
    eap=MD5
}
wpa_supplicant EAP-TLS
Generate keys using Debian/Ubuntu's /usr/share/doc/freeradius/examples/certs; here is an edited variant without requiring passphrases
DH_KEY_SIZE	= 2048
CA_DEFAULT_DAYS = 3650

.PHONY: all
all: index.txt serial dh random server client ca

.PHONY: client
client: client.pem

.PHONY: ca
ca: ca.der

.PHONY: server
server: server.pem

#  Diffie-Hellman parameters
dh:
	openssl gendh -out dh -2 $(DH_KEY_SIZE)

#  Create a new self-signed CA certificate
ca.key ca.pem: ca.cnf
	@[ -f index.txt ] || $(MAKE) index.txt
	@[ -f serial ] || $(MAKE) serial
	openssl req -nodes -new -x509 -keyout ca.key -out ca.pem \
		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf

ca.der: ca.pem
	openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

#  Create a new server certificate, signed by the above CA.
server.csr server.key: server.cnf
	openssl req -nodes -new -out server.csr -keyout server.key -config ./server.cnf

server.crt: server.csr ca.key ca.pem
	openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf

server.p12: server.crt
	openssl pkcs12 -nodes -export -in server.crt -inkey server.key -out server.p12 -passout pass:

server.pem: server.p12
	openssl pkcs12 -nodes -in server.p12 -out server.pem -passin pass:

#  Create a new client certificate, signed by the the above CA
client.csr client.key: client.cnf
	openssl req -nodes -new -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.pem ca.key
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -nodes -export -in client.crt -inkey client.key -out client.p12 -passout pass:

client.pem: client.p12
	openssl pkcs12 -nodes -in client.p12 -out client.pem -passin pass:

#  Miscellaneous rules.
index.txt:
	@touch index.txt

serial:
	@echo '001' > serial

random:
	@if [ -c /dev/urandom ] ; then \
		dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
	else \
		date > ./random; \
	fi

print:
	openssl x509 -text -in server.crt

printca:
	openssl x509 -text -in ca.pem

ap_scan=0
eapol_version=2
network={
    key_mgmt=IEEE8021X
    identity="test"
    password="test"
    eap=TLS
    ca_cert="/tmp/802/ca.pem"
    client_cert="/tmp/802/client.pem"
    private_key="/tmp/802/client.key"
}
Debugging
wireshark filter: eap || eapol

posted at: 00:06 | path: /projects | permanent link

Mon, 04 Jan 2016

Unboxing TP-Link TL-POE10R PoE splitter

Got a TP-Link TL-POE10R Power-over-Ethernet (PoE) splitter (Ver: 4.0), complying with IEEE 802.4af; output is selectable: 5V/9V/12V into a 5.5mm OD, 2.1mm ID center positive barrel receptacle. Ethernet supports up to 1000Mbps.

It is not galvanically isolated and has a ground loop issue.

PCB top

There is a Feeling Technology FP5001 PWM (pulse width modulation) controller with SCP (short-circuit protection) / DTC (duty control); click to enlarge.

PCB bottom

There is a Linear LTC4257 PoE interface controller; click to enlarge.

Images courtesy Armin Langhofer.

posted at: 21:55 | path: /review | permanent link

Made with PyBlosxom