pmeerw's blog

Tue, 06 Oct 2020

Flashing a 10 GBit NIC: Aquantia AQC107

Checking the current version:
$ ethtool -i enp3s0

driver: atlantic
version: 5.4.0-49-generic-kern
firmware-version: 3.0.33
bus-info: 0000:03:00.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no

I had some difficulty locating the firmware and the Linux flash tool; here is my local copy: atlflashupdate-1.8.0_AQC107-FW-3.1.109.tgz (FW 3.1.109, flash tool 1.8.0 for x64). The official one might be here (Windows).

Flashing new firmware:
$ sudo ./atlflashupdate

Aquantia AQtion Firmware Update Tool [Version 1.8.0]

*** Important notice ***
Update utility is only supported for certain systems.
Please refer README file for supported systems.

Proceed with update? (y/n): y
No  Name    Firmware  Update status        Device         MAC address
1   enp3s0  3.0.33    Available: 3.1.109   07B1-07B11BAA  24:5e:be:xx:xx:xx

*** Important notice ***
The network connection may be dropped during the update process.
Please complete all network activity before updating.
Enter adapter number or 'q' for quit without update

+ Adapter: enp3s0
|-- Backing up... [OK]
|-- Updating... [OK]
|-- New firmware version: 3.1.109
|-- Trying to reload firmware... [OK]
|-- Restarting device driver... [OK]

Firmware update finished!

posted at: 23:26 | path: /configuration

Wed, 12 Jun 2019

Ubuntu 19.04, two monitor setup

Using two 27" monitors now: one Iiyama (3840x2160), one BenQ (1920x1080). The first has way higher DPI. To compensate, I use fractional scaling (175% and 100%). This needs to be enabled for X11 and requires Ubuntu 19.04:

gsettings set org.gnome.mutter experimental-features "['x11-randr-fractional-scaling']"
See here for more details.

posted at: 21:28 | path: /configuration

Mon, 20 May 2019

Debugging a WWAN USB stick

What to do when a USB WWAN (UMTS) stick doesn't work? That is, NetworkManager shows broadband as not enabled...

The kernel log looks good:

[ 3313.057520] usb 2-1: New USB device found, idVendor=0e8d, idProduct=00a5, bcdDevice= 3.00
[ 3313.057528] usb 2-1: New USB device strings: Mfr=9, Product=10, SerialNumber=0
[ 3313.057536] usb 2-1: Manufacturer: MediaTek Inc
[ 3313.085587] cdc_mbim 2-1:1.0: cdc-wdm0: USB WDM device
[ 3313.086142] cdc_mbim 2-1:1.0 wwan0: register 'cdc_mbim' at usb-0000:00:14.0-1, CDC MBIM, d2:9c:37:32:10:73
[ 3313.086885] option 2-1:1.2: GSM modem (1-port) converter detected
[ 3313.087140] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB0
[ 3313.087520] option 2-1:1.3: GSM modem (1-port) converter detected
[ 3313.087654] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB1
[ 3313.087924] option 2-1:1.4: GSM modem (1-port) converter detected
[ 3313.088050] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB2
[ 3313.088322] option 2-1:1.5: GSM modem (1-port) converter detected
[ 3313.090237] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB3
[ 3313.090693] usb-storage 2-1:1.6: USB Mass Storage device detected
[ 3313.143856] cdc_mbim 2-1:1.0 wwp0s20u1: renamed from wwan0
[ 3314.109400] scsi 3:0:0:0: Direct-Access     MEDIATEK  FLASH DISK      6225 PQ: 0 ANSI: 0 CCS
[ 3314.110360] sd 3:0:0:0: Attached scsi generic sg1 type 0
[ 3314.128902] sd 3:0:0:0: [sdb] 0 512-byte logical blocks: (0 B/0 B)
[ 3314.131013] sd 3:0:0:0: [sdb] Attached SCSI removable disk

ModemManager has a useful command-line tool, mmcli, that can be used to show the status of the modem. Try mmcli -v -m 6, where 6 is the index of the modem:
[20 Mai 2019, 18:56:55] [Debug] ModemManager process found at ':1.2'
[20 Mai 2019, 18:56:55] [Debug] Assuming '6' is the modem index
[20 Mai 2019, 18:56:55] [Debug] Modem found at '/org/freedesktop/ModemManager1/Modem/6'

[20 Mai 2019, 18:56:55] [Debug] Printing modem info...
  General  |      dbus path: /org/freedesktop/ModemManager1/Modem/6
           |      device id: a67f08189ddc6295ad23160780ebeb06a0925a6c
  Hardware |   manufacturer: MediaTek Inc
           |          model: Product
           |       revision: UW980_42M_ESMT_V101R01B08
           |   h/w revision: MTK2
           |      supported: gsm-umts
           |        current: gsm-umts
           |   equipment id: 355128006541593
  System   |         device: /sys/devices/pci0000:00/0000:00:14.0/usb2/2-1
           |        drivers: cdc_mbim, option1
           |         plugin: Generic
           |   primary port: cdc-wdm0
           |          ports: ttyUSB0 (at), ttyUSB1 (at), cdc-wdm0 (mbim), wwp0s20u1 (net)
  Status   |          state: failed
           |  failed reason: sim-missing
           |    power state: on
           | signal quality: 0% (cached)
  Modes    |      supported: allowed: 2g, 3g; preferred: none
           |        current: allowed: any; preferred: none
  IP       |      supported: ipv4, ipv6, ipv4v6

In this case, the SIM card seems to be missing (failed reason: sim-missing), or rather defective.

posted at: 21:26 | path: /configuration

Mon, 04 Feb 2019

Setting up DANE

DANE (RFC 6698) basically allows publishing the hash of a server certificate as a TLSA record in DNS, signed with DNSSEC. A client can then validate that a server's TLS certificate is owned by the same entity that controls the DNSSEC-signed zone.

The idea is to add a new DNS record of type TLSA to the zone, in particular one with Certificate Usage DANE-EE (3).

_25._tcp.mail IN TLSA 3 1 1 2c788de8eaf09f6b1f5a704a5e0718206c668f00dfca8f8112608dc25571553c

In the example, 3 is the usage (DANE-EE), 1 the selector (subject public key), 1 the matching type (SHA-256). This is for my MX record, port 25 (a wildcard port number * would also be possible). The hash can be conveniently generated (taken from Viktor Dukhovni's tlsagen script):
openssl x509 -in /etc/letsencrypt/live/ -noout -pubkey | \
    openssl pkey -pubin -outform DER | \
    openssl dgst -sha256 -binary | \
    hexdump -ve '/1 "%02x"'

Since my server certificate is issued by Let's Encrypt, the certificate is renewed every 90 days or so. Because DANE essentially puts the certificate's public key into DNS, the DNS record needs to be updated whenever the key changes. Luckily, recent letsencrypt scripts (>= 0.25.0, June 2018) support the argument renew --reuse-key, so the same keys are reused: the certificate is renewed, but not the underlying keys. Here is my weekly cron job script /etc/cron.weekly/letsencrypt:

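#!/bin/sh
# Renew due certificates but keep the existing key pair, so the TLSA record stays valid
letsencrypt renew --reuse-key --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
# Symlinks under live/ changed within the last day indicate a freshly issued certificate
res=$(find /etc/letsencrypt/live/ -type l -mtime -1)
if [ -n "$res" ]; then
  echo "letsencrypt: new cert"
  systemctl restart apache2
  systemctl restart postfix
  systemctl restart dovecot
else
  echo "letsencrypt: nothing to do"
fi
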
Weirdly, the documentation is to be found with certbot -h automation, not certbot -h renew.
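
The following added example, which is not part of the original post, wraps the hash command above in a check of a TLSA 3 1 1 record against a certificate file, and uses constructed self-signed certificates to show that a renewal reusing the key keeps the record valid while a fresh key makes it stale. The function names, the host name mail.example.test and the temporary files are assumptions made for the example; openssl dgst -r with cut stands in for hexdump.

```shell
#!/bin/sh
# Added example: does a TLSA "3 1 1" record still pin the key of a certificate?

# Print the SHA-256 (hex) of the DER-encoded subject public key of certificate $1.
tlsa_311() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# tlsa_matches CERT RDATA: exit 0 if RDATA ("3 1 1 <hex>") pins CERT's public key,
# 1 if the digest differs, 2 if the record is not of the 3 1 1 form.
# Upper-case hex and spaces inside the digest are tolerated.
tlsa_matches() {
  cert=$1
  set -- $2                            # split RDATA into its fields
  [ "$1 $2 $3" = "3 1 1" ] || return 2 # only DANE-EE / SPKI / SHA-256 handled
  shift 3
  want=$(printf '%s' "$*" | tr -d ' ' | tr 'A-F' 'a-f')
  [ "$want" = "$(tlsa_311 "$cert")" ]
}

# Constructed sample data in directory $1: a first certificate, a renewal that
# reuses its key (the effect of "renew --reuse-key"), and one with a fresh key.
make_certs() {
  subj="/CN=mail.example.test"         # placeholder host name
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
    -out "$1/first.pem" -subj "$subj" -days 90 2>/dev/null
  openssl req -x509 -new -key "$1/key.pem" \
    -out "$1/reused.pem" -subj "$subj" -days 90 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/newkey.pem" \
    -out "$1/rotated.pem" -subj "$subj" -days 90 2>/dev/null
}

dir=$(mktemp -d)
make_certs "$dir"
record="3 1 1 $(tlsa_311 "$dir/first.pem")"   # what would be published in DNS
echo "_25._tcp.mail IN TLSA $record"
for c in reused rotated; do
  if tlsa_matches "$dir/$c.pem" "$record"; then
    echo "$c.pem: TLSA record still valid"
  else
    echo "$c.pem: TLSA record is stale, publish a new one before deploying"
  fi
done
rm -rf "$dir"
```

Run from the renewal job against the live certificate and the record currently in DNS, a non-zero exit status is the signal to update the zone before restarting the mail services.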

To verify, use the DANE SMTP validator (, see the results for

posted at: 00:24 | path: /configuration

Sun, 03 Feb 2019

Security checkup for web and email: has a nice & tidy check for IPv6, TLS, HTTPS, DNSSEC, DANE (DNS-based Authentication of Named Entities), DMARC (Domain-based Message Authentication, Reporting & Conformance), DKIM (DomainKeys Identified Mail), SPF (Sender Policy Framework) on web and mail servers.

See the results for web and email.

posted at: 23:44 | path: /configuration
